[OE-core][PATCH 2/2] ncurses: Upgrade 6.4 -> 6.5

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Removed 4 backported patched included in this release.
Updated patches by devtool.

License-Update: copyright years refreshed

Signed-off-by: Peter Marko 
---
 .../files/0001-Fix-CVE-2023-29491.patch   | 462 
 ...eset-code-ncurses-6.4-patch-20231104.patch | 499 --
 .../ncurses/files/0001-tic-hang.patch |  11 +-
 .../files/0002-configure-reproducible.patch   |   7 +-
 ...-Do-not-include-LDFLAGS-in-generated.patch |   5 +-
 .../ncurses/files/CVE-2023-45918.patch| 180 ---
 .../ncurses/files/CVE-2023-50495.patch| 301 ---
 .../ncurses/files/exit_prototype.patch|  11 +-
 meta/recipes-core/ncurses/ncurses.inc |   2 +-
 .../{ncurses_6.4.bb => ncurses_6.5.bb}|   6 +-
 10 files changed, 16 insertions(+), 1468 deletions(-)
 delete mode 100644 
meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch
 delete mode 100644 
meta/recipes-core/ncurses/files/0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch
 delete mode 100644 meta/recipes-core/ncurses/files/CVE-2023-45918.patch
 delete mode 100644 meta/recipes-core/ncurses/files/CVE-2023-50495.patch
 rename meta/recipes-core/ncurses/{ncurses_6.4.bb => ncurses_6.5.bb} (68%)

diff --git a/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch 
b/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch
deleted file mode 100644
index 1232c8c2a8..00
--- a/meta/recipes-core/ncurses/files/0001-Fix-CVE-2023-29491.patch
+++ /dev/null
@@ -1,462 +0,0 @@
-From 3d54a41f12e9aa059f06e66e72d872f2283395b6 Mon Sep 17 00:00:00 2001
-From: Chen Qi 
-Date: Sun, 30 Jul 2023 21:14:00 -0700
-Subject: [PATCH] Fix CVE-2023-29491
-
-CVE: CVE-2023-29491
-
-Upstream-Status: Backport 
[http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56]
-
-Signed-off-by: Chen Qi 

- ncurses/tinfo/lib_tgoto.c  |  10 +++-
- ncurses/tinfo/lib_tparm.c  | 116 -
- ncurses/tinfo/read_entry.c |   3 +
- progs/tic.c|   6 ++
- progs/tparm_type.c |   9 +++
- progs/tparm_type.h |   2 +
- progs/tput.c   |  61 ---
- 7 files changed, 185 insertions(+), 22 deletions(-)
-
-diff --git a/ncurses/tinfo/lib_tgoto.c b/ncurses/tinfo/lib_tgoto.c
-index 9cf5e100..c50ed4df 100644
 a/ncurses/tinfo/lib_tgoto.c
-+++ b/ncurses/tinfo/lib_tgoto.c
-@@ -207,6 +207,14 @@ tgoto(const char *string, int x, int y)
-   result = tgoto_internal(string, x, y);
- else
- #endif
--  result = TIPARM_2(string, y, x);
-+if ((result = TIPARM_2(string, y, x)) == NULL) {
-+  /*
-+   * Because termcap did not provide a more general solution such as
-+   * tparm(), it was necessary to handle single-parameter capabilities
-+   * using tgoto().  The internal _nc_tiparm() function returns a NULL
-+   * for that case; retry for the single-parameter case.
-+   */
-+  result = TIPARM_1(string, y);
-+}
- returnPtr(result);
- }
-diff --git a/ncurses/tinfo/lib_tparm.c b/ncurses/tinfo/lib_tparm.c
-index d9bdfd8f..a10a3877 100644
 a/ncurses/tinfo/lib_tparm.c
-+++ b/ncurses/tinfo/lib_tparm.c
-@@ -1086,6 +1086,64 @@ tparam_internal(TPARM_STATE *tps, const char *string, 
TPARM_DATA *data)
- return (TPS(out_buff));
- }
- 
-+#ifdef CUR
-+/*
-+ * Only a few standard capabilities accept string parameters.  The others that
-+ * are parameterized accept only numeric parameters.
-+ */
-+static bool
-+check_string_caps(TPARM_DATA *data, const char *string)
-+{
-+bool result = FALSE;
-+
-+#define CHECK_CAP(name) (VALID_STRING(name) && !strcmp(name, string))
-+
-+/*
-+ * Disallow string parameters unless we can check them against a terminal
-+ * description.
-+ */
-+if (cur_term != NULL) {
-+  int want_type = 0;
-+
-+  if (CHECK_CAP(pkey_key))
-+  want_type = 2;  /* function key #1, type string #2 */
-+  else if (CHECK_CAP(pkey_local))
-+  want_type = 2;  /* function key #1, execute string #2 */
-+  else if (CHECK_CAP(pkey_xmit))
-+  want_type = 2;  /* function key #1, transmit string #2 */
-+  else if (CHECK_CAP(plab_norm))
-+  want_type = 2;  /* label #1, show string #2 */
-+  else if (CHECK_CAP(pkey_plab))
-+  want_type = 6;  /* function key #1, type string #2, show string 
#3 */
-+#if NCURSES_XNAMES
-+  else {
-+  char *check;
-+
-+  check = tigetstr("Cs");
-+  if (CHECK_CAP(check))
-+  want_type = 1;  /* style #1 */
-+
-+  check = tigetstr("Ms");
-+  if (CHECK_CAP(check))
-+  want_type = 3;  /* storage unit #1, content #2 */
-+  }
-+#endif
-+
-+  if (want_type == data->tparm_type) {
-+  result = TRUE;
-+  } else {
-+  T(("unexpected string-parameter"));
-+  }
-+}
-+return result;
-+}
-+
-+#define ValidCap() 

[OE-core][PATCH 1/2] ncurses: switch to new mirror

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

github.com/mirror/ncurses is not updated for over a year.
Switch to new mirror from Thomas Dickey (ncurses maintainer).

Sources are identical.

Updated upstream check regex by:
* changed dot to underscore as this repo is tagged like this
* added v prefix to not propose updates to some old tags
* removed third part to not propose updates to development snapshots

Signed-off-by: Peter Marko 
---
 meta/recipes-core/ncurses/ncurses.inc| 2 +-
 meta/recipes-core/ncurses/ncurses_6.4.bb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/ncurses/ncurses.inc 
b/meta/recipes-core/ncurses/ncurses.inc
index 761b6a3d31..3b72f3efdd 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -13,7 +13,7 @@ BINCONFIG = "${bindir}/ncurses5-config 
${bindir}/ncursesw5-config \
 inherit autotools binconfig-disabled multilib_header pkgconfig
 
 # Upstream has useful patches at times at ftp://invisible-island.net/ncurses/
-SRC_URI = "git://github.com/mirror/ncurses.git;protocol=https;branch=master"
+SRC_URI = 
"git://github.com/ThomasDickey/ncurses-snapshots.git;protocol=https;branch=master"
 
 EXTRA_AUTORECONF = "-I m4"
 
diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb 
b/meta/recipes-core/ncurses/ncurses_6.4.bb
index 97130c06d6..61558ecfa8 100644
--- a/meta/recipes-core/ncurses/ncurses_6.4.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.4.bb
@@ -10,10 +10,10 @@ SRC_URI += "file://0001-tic-hang.patch \
file://CVE-2023-45918.patch \
"
 # commit id corresponds to the revision in package version
-SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f"
+SRCREV = "1003914e200fd622a27237abca155ce6bf2e6030"
 S = "${WORKDIR}/git"
 EXTRA_OECONF += "--with-abi-version=5"
-UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+(\.\d+)+)$"
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+_\d+)$"
 
 # This is needed when using patchlevel versions like 6.1+20181013
 #CVE_VERSION = 
"${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199538): 
https://lists.openembedded.org/g/openembedded-core/message/199538
Mute This Topic: https://lists.openembedded.org/mt/106178307/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] openssl: patch CVE-2024-4603

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46

Signed-off-by: Peter Marko 
---
 .../openssl/openssl/CVE-2024-4603.patch   | 179 ++
 .../openssl/openssl_3.3.0.bb  |   1 +
 2 files changed, 180 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch 
b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
new file mode 100644
index 00..cdc3d0d503
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
@@ -0,0 +1,179 @@
+From 53ea06486d296b890d565fb971b2764fcd826e7e Mon Sep 17 00:00:00 2001
+From: Tomas Mraz 
+Date: Wed, 8 May 2024 15:23:45 +0200
+Subject: [PATCH] Check DSA parameters for excessive sizes before validating
+
+This avoids overly long computation of various validation
+checks.
+
+Fixes CVE-2024-4603
+
+Reviewed-by: Paul Dale 
+Reviewed-by: Matt Caswell 
+Reviewed-by: Neil Horman 
+Reviewed-by: Shane Lontis 
+(Merged from https://github.com/openssl/openssl/pull/24346)
+
+(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
+
+
+
+CVE: CVE-2024-4603
+Upstream-Status: Backport 
[https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e]
+Signed-off-by: Peter Marko 
+---
+ crypto/dsa/dsa_check.c| 44 --
+ .../invalid/p10240_q256_too_big.pem   | 57 +++
+ 2 files changed, 97 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
+index 7b6d7df88f..e1375dfad9 100644
+--- a/crypto/dsa/dsa_check.c
 b/crypto/dsa/dsa_check.c
+@@ -19,8 +19,34 @@
+ #include "dsa_local.h"
+ #include "crypto/dsa.h"
+ 
++static int dsa_precheck_params(const DSA *dsa, int *ret)
++{
++if (dsa->params.p == NULL || dsa->params.q == NULL) {
++ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
++*ret = FFC_CHECK_INVALID_PQ;
++return 0;
++}
++
++if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
++ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
++*ret = FFC_CHECK_INVALID_PQ;
++return 0;
++}
++
++if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
++ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
++*ret = FFC_CHECK_INVALID_PQ;
++return 0;
++}
++
++return 1;
++}
++
+ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+ {
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
+ if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
+ return ossl_ffc_params_simple_validate(dsa->libctx, >params,
+FFC_PARAM_TYPE_DSA, ret);
+@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int 
*ret)
+  */
+ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
+ return ossl_ffc_validate_public_key(>params, pub_key, ret)
+&& *ret == 0;
+ }
+@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM 
*pub_key, int *ret)
+  */
+ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int 
*ret)
+ {
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
+ return ossl_ffc_validate_public_key_partial(>params, pub_key, ret)
+&& *ret == 0;
+ }
+@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM 
*priv_key, int *ret)
+ {
+ *ret = 0;
+ 
+-return (dsa->params.q != NULL
+-&& ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
++return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
+ }
+ 
+ /*
+@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
+ BN_CTX *ctx = NULL;
+ BIGNUM *pub_key = NULL;
+ 
+-if (dsa->params.p == NULL
+-|| dsa->params.g == NULL
++if (!dsa_precheck_params(dsa, ))
++return 0;
++
++if (dsa->params.g == NULL
+ || dsa->priv_key == NULL
+ || dsa->pub_key == NULL)
+ return 0;
+diff --git 
a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem 
b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+new file mode 100644
+index 00..e85e2953b7
+--- /dev/null
 b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+@@ -0,0 +1,57 @@
++-BEGIN DSA PARAMETERS-
++MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
++p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
++XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
++x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
++oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW

[OE-core][scarthgap][PATCH] openssl: patch CVE-2024-4603

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46

Signed-off-by: Peter Marko 
---
 .../openssl/openssl/CVE-2024-4603.patch   | 179 ++
 .../openssl/openssl_3.2.1.bb  |   1 +
 2 files changed, 180 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch 
b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
new file mode 100644
index 00..50fb969c03
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
@@ -0,0 +1,179 @@
+From da343d0605c826ef197aceedc67e8e04f065f740 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz 
+Date: Wed, 8 May 2024 15:23:45 +0200
+Subject: [PATCH] Check DSA parameters for excessive sizes before validating
+
+This avoids overly long computation of various validation
+checks.
+
+Fixes CVE-2024-4603
+
+Reviewed-by: Paul Dale 
+Reviewed-by: Matt Caswell 
+Reviewed-by: Neil Horman 
+Reviewed-by: Shane Lontis 
+(Merged from https://github.com/openssl/openssl/pull/24346)
+
+(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
+
+
+
+CVE: CVE-2024-4603
+Upstream-Status: Backport 
[https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740]
+Signed-off-by: Peter Marko 
+---
+ crypto/dsa/dsa_check.c| 44 --
+ .../invalid/p10240_q256_too_big.pem   | 57 +++
+ 2 files changed, 97 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
+index fb0e9129a2..122449a7bf 100644
+--- a/crypto/dsa/dsa_check.c
 b/crypto/dsa/dsa_check.c
+@@ -19,8 +19,34 @@
+ #include "dsa_local.h"
+ #include "crypto/dsa.h"
+ 
++static int dsa_precheck_params(const DSA *dsa, int *ret)
++{
++if (dsa->params.p == NULL || dsa->params.q == NULL) {
++ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
++*ret = FFC_CHECK_INVALID_PQ;
++return 0;
++}
++
++if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
++ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
++*ret = FFC_CHECK_INVALID_PQ;
++return 0;
++}
++
++if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
++ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
++*ret = FFC_CHECK_INVALID_PQ;
++return 0;
++}
++
++return 1;
++}
++
+ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+ {
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
+ if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
+ return ossl_ffc_params_simple_validate(dsa->libctx, >params,
+FFC_PARAM_TYPE_DSA, ret);
+@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int 
*ret)
+  */
+ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
+ return ossl_ffc_validate_public_key(>params, pub_key, ret)
+&& *ret == 0;
+ }
+@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM 
*pub_key, int *ret)
+  */
+ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int 
*ret)
+ {
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
+ return ossl_ffc_validate_public_key_partial(>params, pub_key, ret)
+&& *ret == 0;
+ }
+@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM 
*priv_key, int *ret)
+ {
+ *ret = 0;
+ 
+-return (dsa->params.q != NULL
+-&& ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
++return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
+ }
+ 
+ /*
+@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
+ BN_CTX *ctx = NULL;
+ BIGNUM *pub_key = NULL;
+ 
+-if (dsa->params.p == NULL
+-|| dsa->params.g == NULL
++if (!dsa_precheck_params(dsa, ))
++return 0;
++
++if (dsa->params.g == NULL
+ || dsa->priv_key == NULL
+ || dsa->pub_key == NULL)
+ return 0;
+diff --git 
a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem 
b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+new file mode 100644
+index 00..e85e2953b7
+--- /dev/null
 b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+@@ -0,0 +1,57 @@
++-BEGIN DSA PARAMETERS-
++MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
++p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
++XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
++x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
++oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW

[OE-core][kirkstone][PATCH] openssl: patch CVE-2024-4603

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46

Signed-off-by: Peter Marko 
---
 .../openssl/openssl/CVE-2024-4603.patch   | 180 ++
 .../openssl/openssl_3.0.13.bb |   1 +
 2 files changed, 181 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch 
b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
new file mode 100644
index 00..b8e0b9fb7d
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
@@ -0,0 +1,180 @@
+From 3559e868e58005d15c6013a0c1fd832e51c73397 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz 
+Date: Wed, 8 May 2024 15:23:45 +0200
+Subject: [PATCH] Check DSA parameters for excessive sizes before validating
+
+This avoids overly long computation of various validation
+checks.
+
+Fixes CVE-2024-4603
+
+Reviewed-by: Paul Dale 
+Reviewed-by: Matt Caswell 
+Reviewed-by: Neil Horman 
+Reviewed-by: Shane Lontis 
+(Merged from https://github.com/openssl/openssl/pull/24346)
+
+(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
+
+
+
+CVE: CVE-2024-4603
+Upstream-Status: Backport 
[https://github.com/openssl/openssl/commit/3559e868e58005d15c6013a0c1fd832e51c73397]
+Signed-off-by: Peter Marko 
+---
+ crypto/dsa/dsa_check.c| 44 --
+ .../invalid/p10240_q256_too_big.pem   | 57 +++
+ 2 files changed, 97 insertions(+), 4 deletions(-)
+ create mode 100644 
test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+
+diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
+index fb0e9129a2..122449a7bf 100644
+--- a/crypto/dsa/dsa_check.c
 b/crypto/dsa/dsa_check.c
+@@ -19,8 +19,34 @@
+ #include "dsa_local.h"
+ #include "crypto/dsa.h"
+ 
++static int dsa_precheck_params(const DSA *dsa, int *ret)
++{
++if (dsa->params.p == NULL || dsa->params.q == NULL) {
++ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
++*ret = FFC_CHECK_INVALID_PQ;
++return 0;
++}
++
++if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
++ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
++*ret = FFC_CHECK_INVALID_PQ;
++return 0;
++}
++
++if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
++ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
++*ret = FFC_CHECK_INVALID_PQ;
++return 0;
++}
++
++return 1;
++}
++
+ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+ {
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
+ if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
+ return ossl_ffc_params_simple_validate(dsa->libctx, >params,
+FFC_PARAM_TYPE_DSA, ret);
+@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int 
*ret)
+  */
+ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
+ return ossl_ffc_validate_public_key(>params, pub_key, ret)
+&& *ret == 0;
+ }
+@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM 
*pub_key, int *ret)
+  */
+ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int 
*ret)
+ {
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
+ return ossl_ffc_validate_public_key_partial(>params, pub_key, ret)
+&& *ret == 0;
+ }
+@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM 
*priv_key, int *ret)
+ {
+ *ret = 0;
+ 
+-return (dsa->params.q != NULL
+-&& ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
++if (!dsa_precheck_params(dsa, ret))
++return 0;
++
++return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
+ }
+ 
+ /*
+@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
+ BN_CTX *ctx = NULL;
+ BIGNUM *pub_key = NULL;
+ 
+-if (dsa->params.p == NULL
+-|| dsa->params.g == NULL
++if (!dsa_precheck_params(dsa, ))
++return 0;
++
++if (dsa->params.g == NULL
+ || dsa->priv_key == NULL
+ || dsa->pub_key == NULL)
+ return 0;
+diff --git 
a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem 
b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+new file mode 100644
+index 00..e85e2953b7
+--- /dev/null
 b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+@@ -0,0 +1,57 @@
++-BEGIN DSA PARAMETERS-
++MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
++p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
++XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
++x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk

Re: [OE-core] [scarthgap][PATCH] glibc: stable 2.39 branch updates.

[Peter Marko via lists.openembedded.org]

This will not apply to scarthgap-nut as that already has the same version as 
master...


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199525): 
https://lists.openembedded.org/g/openembedded-core/message/199525
Mute This Topic: https://lists.openembedded.org/mt/106156894/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH v2] glibc: correct license

[Peter Marko via lists.openembedded.org]

Hi Martin,

license handling is a very complicated topic, especially for historical 
projects like glibc with ton of files with diverse origin.
License scanning programs will find 15+ different licenses here and some of 
them may not be even available in yocto license list.
I submitted this particular commit because I was responsible for an update with 
commit which was asking for it.

The discussion you linked about adding SPDX identifiers is something which 
would really help.
It would enable license discovery without need of big data software and allow 
to accurately set the LICENSE field also by SW developers.

Peter

-Original Message-
From: Martin Jansa  
Sent: Thursday, May 16, 2024 7:30
To: Marko, Peter (ADV D EU SK BFS1) 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH v2] glibc: correct license

> Hi Peter,
>
> what about BSD-4-Clause-UC, BSD-3-Clause, ISC licenses included in glibc.
>
> I've suggested to add them long time ago in:
> https://lists.openembedded.org/g/openembedded-core/topic/91285771#msg166005
> which resulted in:
> https://sourceware.org/bugzilla/show_bug.cgi?id=28007
> https://sourceware.org/pipermail/libc-alpha/2022-May/139167.html
> but the discussion upstream stopped shortly after and the oe-core change was 
> never merged because of that. Maybe it's time to re-check and ping upstream 
> again after 2 years.
>
> Cheers,
>
> On Mon, May 6, 2024 at 9:46 AM Peter Marko via lists.openembedded.org 
>  wrote:
> ...

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199496): 
https://lists.openembedded.org/g/openembedded-core/message/199496
Mute This Topic: https://lists.openembedded.org/mt/105935723/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [yocto-security] CVE status for scathgap on 2024-05-16 and ask for help

[Peter Marko via lists.openembedded.org]

Hello Marta,

Glibc fixes are already staged in scarthgap-nut.
Interesting would be to check why the prototype does not list glib-2.0 
CVE-2024-34397 which is staged there, too.

Peter

From: yocto-secur...@lists.yoctoproject.org 
 On Behalf Of Marta Rybczynska via 
lists.yoctoproject.org
Sent: Thursday, May 16, 2024 15:21
To: yocto-secur...@lists.yoctoproject.org; OE-core 

Cc: Richard Purdie ; Steve Sakoman 
; liezhi.y...@windriver.com; wan...@fujitsu.com; Khem Raj 

Subject: [yocto-security] CVE status for scathgap on 2024-05-16 and ask for help

> Hello all,
> The prototype CVE check via the MITRE database is giving the following for 
> scathgap today (adding maintainers of affected packages in copy):
>
> CVE-2024-32002.json: affected: git 2.44.0
> CVE-2024-32004.json: affected: git 2.44.0
> CVE-2024-32020.json: affected: git 2.44.0
> CVE-2024-32021.json: affected: git 2.44.0
> CVE-2024-3205.json: affected: libyaml 0.2.5
> CVE-2024-32465.json: affected: git 2.44.0
> CVE-2024-33599.json: affected glibc 2.39
> CVE-2024-33600.json: affected: glibc 2.39
> CVE-2024-33601.json: affected: glibc 2.39
> CVE-2024-33602.json: affected: glibc 2.39
>
> I would also like to ask for volunteers to help with looking up the following 
> CVEs and submitting fixes to 
> https://github.com/mrybczyn/cvelistV5-overrides/tree/overrides if they are 
> malformed:
> go: CVE-2024-24788, CVE=2024-24787
> aiohttp: CVE-2024-30251
> x server: CVE-2024-31053, CVE-2024-31082
> bluez: CVE-2023-27349, CVE-2023-50229, CVE-2023-50230
> gstreamer: CVE-2023-50186, CVE-2023-6
> less: CVE-2024-32407
> ncurses: CVE-2023-45988
> ofono: CVE-2023-4234, CVE-2023-4233
>
> If you have any question on how to do that, ask me.
>
> Kind regards,
> Marta

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199487): 
https://lists.openembedded.org/g/openembedded-core/message/199487
Mute This Topic: https://lists.openembedded.org/mt/106134282/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][scarthgap][PATCH] glib-2.0: Upgrade 2.78.5 -> 2.78.6

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Handle regression of CVE-2024-34397 fix.

News 
(https://gitlab.gnome.org/GNOME/glib/-/commit/d40f72e98e4734ba826ba9a278814530720ba760):

Overview of changes in GLib 2.78.6, 2024-05-08
==
* Fix a regression with IBus caused by the fix for CVE-2024-34397 (#3353,
  work by Simon McVittie)
* Bugs fixed:
  - #3353 Fixing CVE-2024-34397 caused regressions for ibus (Simon McVittie)
  - !4056 Backport !4053 “gdbusconnection: Allow name owners to have the syntax
of a well-known name” to glib-2-78

Signed-off-by: Peter Marko 
---
 .../glib-2.0/{glib-2.0_2.78.5.bb => glib-2.0_2.78.6.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/glib-2.0/{glib-2.0_2.78.5.bb => glib-2.0_2.78.6.bb} 
(96%)

diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.5.bb 
b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
similarity index 96%
rename from meta/recipes-core/glib-2.0/glib-2.0_2.78.5.bb
rename to meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
index d0aac737f7..1a4278b1bc 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.5.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
@@ -22,7 +22,7 @@ SRC_URI:append:class-native = " file://relocate-modules.patch 
\
 
file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
   "
 
-SRC_URI[sha256sum] = 
"39b26044bd44dc30f427202add4997f554723c30017e92ff36da4197a2c916aa"
+SRC_URI[sha256sum] = 
"244854654dd82c7ebcb2f8e246156d2a05eb9cd1ad07ed7a779659b4602c9fae"
 
 # Find any meson cross files in FILESPATH that are relevant for the current
 # build (using siteinfo) and add them to EXTRA_OEMESON.
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199184): 
https://lists.openembedded.org/g/openembedded-core/message/199184
Mute This Topic: https://lists.openembedded.org/mt/106009468/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][scarthgap][PATCH] glib-2.0: Upgrade 2.78.4 -> 2.78.5

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Handle CVE-2024-34397

Remove backported patch included in this release.

News 
(https://gitlab.gnome.org/GNOME/glib/-/commit/d18807b5ffc6dedc2db5225b044063f65720bf56):
Overview of changes in GLib 2.78.5, 2024-05-07
==
* Fix CVE-2024-34397: GDBus signal subscriptions for well-known names are
  vulnerable to unicast spoofing (#3268, work by Simon McVittie, reported by
  Alicia Boya García)
* Bugs fixed:
  - #3168 gvfs-udisks2-volume-monitor SIGSEGV in g_content_type_guess_for_tree()
due to filename with bad encoding (Ondrej Holy)
  - #3268 CVE-2024-34397: GDBus signal subscriptions for well-known names are
vulnerable to unicast spoofing (Simon McVittie)
  - !3825 glib-2-78: ci: Drop FreeBSD 12 CI runner as it’s EOL
  - !3960 gcontenttype: Make filename valid utf-8 string before processing
  - !4040 Backport !4038 “gdbusconnection: Don't deliver signals if the sender
doesn't match” to glib-2-78
  - !4043 CI: Ignore MSYS2 CI failures for this older stable-branch
* Translation updates:
  - English (United Kingdom) (Andi Chandler)
  - Georgian (Ekaterine Papava)
  - Portuguese (Brazil) (Juliano de Souza Camargo)

Signed-off-by: Peter Marko 
---
 .../glib-2.0/glib-2.0/fix-regex.patch | 54 ---
 ...{glib-2.0_2.78.4.bb => glib-2.0_2.78.5.bb} |  3 +-
 2 files changed, 1 insertion(+), 56 deletions(-)
 delete mode 100644 meta/recipes-core/glib-2.0/glib-2.0/fix-regex.patch
 rename meta/recipes-core/glib-2.0/{glib-2.0_2.78.4.bb => glib-2.0_2.78.5.bb} 
(95%)

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/fix-regex.patch 
b/meta/recipes-core/glib-2.0/glib-2.0/fix-regex.patch
deleted file mode 100644
index bdfbd55899..00
--- a/meta/recipes-core/glib-2.0/glib-2.0/fix-regex.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From cce3ae98a2c1966719daabff5a4ec6cf94a846f6 Mon Sep 17 00:00:00 2001
-From: Philip Withnall 
-Date: Mon, 26 Feb 2024 16:55:44 +
-Subject: [PATCH] tests: Remove variable-length lookbehind tests for GRegex
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-PCRE2 10.43 has now introduced support for variable-length lookbehind,
-so these tests now fail if GLib is built against PCRE2 10.43 or higher.
-
-See
-https://github.com/PCRE2Project/pcre2/blob/e8db6fa7137f4c6f66cb87e0a3c9467252ec1ef7/ChangeLog#L94.
-
-Rather than making the tests conditional on the version of PCRE2 in use,
-just remove them. They are mostly testing the PCRE2 code rather than
-any code in GLib, so don’t have much value.
-
-This should fix CI runs on msys2-mingw32, which updated to PCRE2 10.43 2
-days ago.
-
-Signed-off-by: Philip Withnall 
-
-Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/glib/-/commit/cce3ae98a2c1966719daabff5a4ec6cf94a846f6]
-Signed-off-by: Alexander Kanavin 

- glib/tests/regex.c | 10 --
- 1 file changed, 10 deletions(-)
-
-diff --git a/glib/tests/regex.c b/glib/tests/regex.c
-index 1082526292..d7a698ec67 100644
 a/glib/tests/regex.c
-+++ b/glib/tests/regex.c
-@@ -1885,16 +1885,6 @@ test_lookbehind (void)
-   g_match_info_free (match);
-   g_regex_unref (regex);
- 
--  regex = g_regex_new ("(?
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199116): 
https://lists.openembedded.org/g/openembedded-core/message/199116
Mute This Topic: https://lists.openembedded.org/mt/105979059/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH v2] glibc: correct license

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

The license per [1] is LGPL-2.1-or-later and
[2] converted last LGPL-2.1-only references.

License-Update: corrected from LGPL-2.1-only to LGPL-2.1-or-later based on [1] 
and [2]

[1] https://www.gnu.org/software/libc/
[2] 
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=273a835fe7c685cc54266bb8b502787bad5e9bae

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc-common.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc-common.inc 
b/meta/recipes-core/glibc/glibc-common.inc
index b9516e77f0..91a3f5bcd5 100644
--- a/meta/recipes-core/glibc/glibc-common.inc
+++ b/meta/recipes-core/glibc/glibc-common.inc
@@ -2,7 +2,7 @@ SUMMARY = "GLIBC (GNU C Library)"
 DESCRIPTION = "The GNU C Library is used as the system C library in most 
systems with the Linux kernel."
 HOMEPAGE = "http://www.gnu.org/software/libc/libc.html;
 SECTION = "libs"
-LICENSE = "GPL-2.0-only & LGPL-2.1-only"
+LICENSE = "GPL-2.0-only & LGPL-2.1-or-later"
 
 LIC_FILES_CHKSUM ?= "file://LICENSES;md5=f77e878d320e99e94ae9a4aea7f491d1 \
   file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199036): 
https://lists.openembedded.org/g/openembedded-core/message/199036
Mute This Topic: https://lists.openembedded.org/mt/105935723/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH] glibc: correct license

[Peter Marko via lists.openembedded.org]

From: Khem Raj  
Sent: Sunday, May 5, 2024 21:22
To: Marko, Peter (ADV D EU SK BFS1) 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] glibc: correct license

> On Sun, May 5, 2024 at 2:18 AM Peter Marko via http://lists.openembedded.org 
> mailto:siemens@lists.openembedded.org> wrote:
> > From: Peter Marko 
> >
> > The license per https://www.gnu.org/software/libc/ is LGPL-2.1-or-later.
> > https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=273a835fe7c685cc54266bb8b502787bad5e9bae
> > converted last LGPL-2.1-only references.
> >
> > License-Update: correction
>
> This should reflect reason but overall the patch is ok
>

Could you please be more specific what should I write?
The long reason is written above the License-Update field, I just added the 
field to satisfy the patch checker bot.
Putting the whole text to this field doesn't look right.

I don't know the history of glibc license to be able to assess if they migrated 
recently or if these were just wrongly committed licenses.
I just noticed the commit when updating glibc to the latest hash and decided to 
correct the recipe LICENSE field according to this hint.
So "correction" looks to me like a good short statement wrt the recipe LICENSE 
field.

Thanks,
  Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199026): 
https://lists.openembedded.org/g/openembedded-core/message/199026
Mute This Topic: https://lists.openembedded.org/mt/105919323/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] glibc: correct license

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

The license per https://www.gnu.org/software/libc/ is LGPL-2.1-or-later.
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=273a835fe7c685cc54266bb8b502787bad5e9bae
converted last LGPL-2.1-only references.

License-Update: correction

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc-common.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc-common.inc 
b/meta/recipes-core/glibc/glibc-common.inc
index b9516e77f0..91a3f5bcd5 100644
--- a/meta/recipes-core/glibc/glibc-common.inc
+++ b/meta/recipes-core/glibc/glibc-common.inc
@@ -2,7 +2,7 @@ SUMMARY = "GLIBC (GNU C Library)"
 DESCRIPTION = "The GNU C Library is used as the system C library in most 
systems with the Linux kernel."
 HOMEPAGE = "http://www.gnu.org/software/libc/libc.html;
 SECTION = "libs"
-LICENSE = "GPL-2.0-only & LGPL-2.1-only"
+LICENSE = "GPL-2.0-only & LGPL-2.1-or-later"
 
 LIC_FILES_CHKSUM ?= "file://LICENSES;md5=f77e878d320e99e94ae9a4aea7f491d1 \
   file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199017): 
https://lists.openembedded.org/g/openembedded-core/message/199017
Mute This Topic: https://lists.openembedded.org/mt/105919323/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Adresses CVEs: CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602

Changes:
54a666dc5c elf: Disable some subtests of ifuncmain1, ifuncmain5 for !PIE
3a38600cc7 malloc: Exit early on test failure in tst-realloc
924a98402a nscd: Use time_t for return type of addgetnetgrentX
396f065496 login: structs utmp, utmpx, lastlog _TIME_BITS independence (bug 
30701)
77d8f49058 login: Check default sizes of structs utmp, utmpx, lastlog
8e7f0eba01 sparc: Remove 64 bit check on sparc32 wordsize (BZ 27574)
55771aba9d elf: Also compile dl-misc.os with $(rtld-early-cflags)
7a5864cac6 CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in 
addgetnetgrentX (bug 31680)
bafadc589f CVE-2024-33600: nscd: Avoid null pointer crashes after notfound 
response (bug 31678)
4370bef52b CVE-2024-33600: nscd: Do not send missing not-found response in 
addgetnetgrentX (bug 31678)
7a95873543 CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache 
(bug 31677)

Since glibc introduced file sysdeps/arm/bits/wordsize.h
our multilib patch needed to be updated.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc-version.inc |  2 +-
 ...y-the-header-between-arm-and-aarch64.patch | 64 +++
 meta/recipes-core/glibc/glibc_2.35.bb |  5 +-
 3 files changed, 41 insertions(+), 30 deletions(-)

diff --git a/meta/recipes-core/glibc/glibc-version.inc 
b/meta/recipes-core/glibc/glibc-version.inc
index cd8c7ecf94..1a8d51ef63 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.35/master"
 PV = "2.35"
-SRCREV_glibc ?= "36280d1ce5e245aabefb877fe4d3c6cff95dabfa"
+SRCREV_glibc ?= "54a666dc5c94897dab63856ba264ab2c53503303"
 SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git 
a/meta/recipes-core/glibc/glibc/0018-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
 
b/meta/recipes-core/glibc/glibc/0018-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
index 3b2d638b5f..789d2edf23 100644
--- 
a/meta/recipes-core/glibc/glibc/0018-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
+++ 
b/meta/recipes-core/glibc/glibc/0018-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
@@ -11,16 +11,15 @@ Upstream-Status: Inappropriate [ OE-Specific ]
 
 Signed-off-by: Khem Raj 
 ---
- sysdeps/aarch64/bits/wordsize.h  |  8 ++--
- sysdeps/{aarch64 => arm}/bits/wordsize.h | 10 +++---
- 2 files changed, 13 insertions(+), 5 deletions(-)
- copy sysdeps/{aarch64 => arm}/bits/wordsize.h (80%)
+ sysdeps/aarch64/bits/wordsize.h | 11 +--
+ sysdeps/arm/bits/wordsize.h | 16 +++-
+ 2 files changed, 24 insertions(+), 3 deletions(-)
 
 diff --git a/sysdeps/aarch64/bits/wordsize.h b/sysdeps/aarch64/bits/wordsize.h
-index 4635431f0e..5ef0ed21f3 100644
+index 4635431f0e..1639bcb063 100644
 --- a/sysdeps/aarch64/bits/wordsize.h
 +++ b/sysdeps/aarch64/bits/wordsize.h
-@@ -17,12 +17,16 @@
+@@ -17,12 +17,19 @@
 License along with the GNU C Library; if not, see
 .  */
  
@@ -33,38 +32,47 @@ index 4635431f0e..5ef0ed21f3 100644
  # define __WORDSIZE32_SIZE_ULONG  1
  # define __WORDSIZE32_PTRDIFF_LONG1
 +#else
-+# define __WORDSIZE   32
-+# define __WORDSIZE32_SIZE_ULONG  0
-+# define __WORDSIZE32_PTRDIFF_LONG0
++#define __WORDSIZE32
++#define __WORDSIZE_TIME64_COMPAT321
++#define __WORDSIZE32_SIZE_ULONG   0
++#define __WORDSIZE32_PTRDIFF_LONG 0
  #endif
  
++#ifdef __aarch64__
  #define __WORDSIZE_TIME64_COMPAT320
-diff --git a/sysdeps/aarch64/bits/wordsize.h b/sysdeps/arm/bits/wordsize.h
-similarity index 80%
-copy from sysdeps/aarch64/bits/wordsize.h
-copy to sysdeps/arm/bits/wordsize.h
-index 4635431f0e..34fcdef1f1 100644
 a/sysdeps/aarch64/bits/wordsize.h
++#endif
+diff --git a/sysdeps/arm/bits/wordsize.h b/sysdeps/arm/bits/wordsize.h
+index 6ecbfe7c86..1639bcb063 100644
+--- a/sysdeps/arm/bits/wordsize.h
 +++ b/sysdeps/arm/bits/wordsize.h
-@@ -17,12 +17,16 @@
+@@ -1,4 +1,6 @@
+-/* Copyright (C) 1999-2024 Free Software Foundation, Inc.
++/* Determine the wordsize from the preprocessor defines.
++
++   Copyright (C) 2016-2022 Free Software Foundation, Inc.
+This file is part of the GNU C Library.
+ 
+The GNU C Library is free software; you can redistribute it and/or
+@@ -15,7 +17,19 @@
 License along with the GNU C Library; if not, see
 .  */
  
--#ifdef __LP64__
 +#if defined (__aarch64__) && defined (__LP64__)
- # define __WORDSIZE   64
--#else
++# define __WORDSIZE   64
 +#elif defined (__aarch64__)
- # define __WORDSIZE   32
- # define __WORDSIZE32_SIZE_ULONG  1
- # define __WORDSIZE32_PTRDIFF_LONG1
-+#else
 +# define __WORDSIZE   32
-+# 

[OE-core][master][scarthgap][PATCH] glibc: Update to latest on stable 2.39 branch

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Adresses CVEs: CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602

Changes:
273a835fe7 time: Allow later version licensing.
acc56074b0 nscd: Use time_t for return type of addgetnetgrentX
836d43b989 login: structs utmp, utmpx, lastlog _TIME_BITS independence (bug 
30701)
9831f98c26 login: Check default sizes of structs utmp, utmpx, lastlog
fd658f026f elf: Also compile dl-misc.os with $(rtld-early-cflags)
a9a8d3eebb CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in 
addgetnetgrentX (bug 31680)
c99f886de5 CVE-2024-33600: nscd: Avoid null pointer crashes after notfound 
response (bug 31678)
5a508e0b50 CVE-2024-33600: nscd: Do not send missing not-found response in 
addgetnetgrentX (bug 31678)
1263d583d2 CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache 
(bug 31677)
2f8f157eb0 x86: Define MINIMUM_X86_ISA_LEVEL in config.h [BZ #31676]
e701c7d761 i386: ulp update for SSE2 --disable-multi-arch configurations
e828914cf9 nptl: Fix tst-cancel30 on kernels without ppoll_time64 support

Since glibc introduced file sysdeps/arm/bits/wordsize.h
our multilib patch needed to be updated.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc-version.inc |  2 +-
 ...y-the-header-between-arm-and-aarch64.patch | 47 +++
 meta/recipes-core/glibc/glibc_2.39.bb |  2 +-
 3 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/meta/recipes-core/glibc/glibc-version.inc 
b/meta/recipes-core/glibc/glibc-version.inc
index 4fc6986ffc..1e4a323d64 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.39/master"
 PV = "2.39+git"
-SRCREV_glibc ?= "31da30f23cddd36db29d5b6a1c7619361b271fb4"
+SRCREV_glibc ?= "273a835fe7c685cc54266bb8b502787bad5e9bae"
 SRCREV_localedef ?= "fab74f31b3811df543e24b6de47efdf45b538abc"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
diff --git 
a/meta/recipes-core/glibc/glibc/0016-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
 
b/meta/recipes-core/glibc/glibc/0016-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
index 066c3b1ea2..9bdfa76318 100644
--- 
a/meta/recipes-core/glibc/glibc/0016-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
+++ 
b/meta/recipes-core/glibc/glibc/0016-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
@@ -11,16 +11,15 @@ Upstream-Status: Inappropriate [ OE-Specific ]
 
 Signed-off-by: Khem Raj 
 ---
- sysdeps/aarch64/bits/wordsize.h | 8 ++--
- sysdeps/arm/bits/wordsize.h | 1 +
- 2 files changed, 7 insertions(+), 2 deletions(-)
- create mode 12 sysdeps/arm/bits/wordsize.h
+ sysdeps/aarch64/bits/wordsize.h | 11 +--
+ sysdeps/arm/bits/wordsize.h | 22 +-
+ 2 files changed, 10 insertions(+), 23 deletions(-)
 
 diff --git a/sysdeps/aarch64/bits/wordsize.h b/sysdeps/aarch64/bits/wordsize.h
-index 118e59172d..b4b0692eb5 100644
+index 118e59172d..ff86359fe8 100644
 --- a/sysdeps/aarch64/bits/wordsize.h
 +++ b/sysdeps/aarch64/bits/wordsize.h
-@@ -17,12 +17,16 @@
+@@ -17,12 +17,19 @@
 License along with the GNU C Library; if not, see
 .  */
  
@@ -33,12 +32,42 @@ index 118e59172d..b4b0692eb5 100644
  # define __WORDSIZE32_SIZE_ULONG  1
  # define __WORDSIZE32_PTRDIFF_LONG1
 +#else
-+# define __WORDSIZE   32
-+# define __WORDSIZE32_SIZE_ULONG  0
-+# define __WORDSIZE32_PTRDIFF_LONG0
++#define __WORDSIZE32
++#define __WORDSIZE_TIME64_COMPAT321
++#define __WORDSIZE32_SIZE_ULONG   0
++#define __WORDSIZE32_PTRDIFF_LONG 0
  #endif
  
++#ifdef __aarch64__
  #define __WORDSIZE_TIME64_COMPAT320
++#endif
+diff --git a/sysdeps/arm/bits/wordsize.h b/sysdeps/arm/bits/wordsize.h
+deleted file mode 100644
+index 6ecbfe7c86..00
+--- a/sysdeps/arm/bits/wordsize.h
 /dev/null
+@@ -1,21 +0,0 @@
+-/* Copyright (C) 1999-2024 Free Software Foundation, Inc.
+-   This file is part of the GNU C Library.
+-
+-   The GNU C Library is free software; you can redistribute it and/or
+-   modify it under the terms of the GNU Lesser General Public
+-   License as published by the Free Software Foundation; either
+-   version 2.1 of the License, or (at your option) any later version.
+-
+-   The GNU C Library is distributed in the hope that it will be useful,
+-   but WITHOUT ANY WARRANTY; without even the implied warranty of
+-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+-   Lesser General Public License for more details.
+-
+-   You should have received a copy of the GNU Lesser General Public
+-   License along with the GNU C Library; if not, see
+-   .  */
+-
+-#define __WORDSIZE32
+-#define __WORDSIZE_TIME64_COMPAT321
+-#define __WORDSIZE32_SIZE_ULONG   0
+-#define __WORDSIZE32_PTRDIFF_LONG 0
 diff --git 

Re: [OE-core] [PATCH 1/4] base/bitbake.conf: Introduce UNPACKDIR

[Peter Marko via lists.openembedded.org]

I wonder if it we could name it "U" instead of "UNPACKDIR".
It will be mostly used on the same places as all the other short names like 
S/B/T...

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198900): 
https://lists.openembedded.org/g/openembedded-core/message/198900
Mute This Topic: https://lists.openembedded.org/mt/105852186/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] libarchive: fix multiple security vulnerabilities in pax writer

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

There was no CVE assigned but the commit message is clear.

Signed-off-by: Peter Marko 
---
 ...ix-multiple-security-vulnerabilities.patch | 107 ++
 .../libarchive/libarchive_3.6.2.bb|   4 +-
 2 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 
meta/recipes-extended/libarchive/libarchive/0001-pax-writer-fix-multiple-security-vulnerabilities.patch

diff --git 
a/meta/recipes-extended/libarchive/libarchive/0001-pax-writer-fix-multiple-security-vulnerabilities.patch
 
b/meta/recipes-extended/libarchive/libarchive/0001-pax-writer-fix-multiple-security-vulnerabilities.patch
new file mode 100644
index 00..0fec6a9b8c
--- /dev/null
+++ 
b/meta/recipes-extended/libarchive/libarchive/0001-pax-writer-fix-multiple-security-vulnerabilities.patch
@@ -0,0 +1,107 @@
+From 1b4e0d0f9d445ba3e4d0c7db7ce0b30300572fe8 Mon Sep 17 00:00:00 2001
+From: Martin Matuska 
+Date: Fri, 18 Aug 2023 00:28:39 +0200
+Subject: [PATCH] pax writer: fix multiple security vulnerabilities
+
+Security vulnerabilities:
+1. Heap overflow in url_encode() in archive_write_set_format_pax.c
+2. NULL dereference in archive_write_pax_header_xattrs()
+3. Another NULL dereference in archive_write_pax_header_xattrs()
+4. NULL dereference in archive_write_pax_header_xattr()
+
+The vulnerabilities can be triggered when writing pax archives
+with extended attributes (SCHILY or LIBARCHIVE) by feeding attribute
+names longer than INT_MAX or attribute names that fail to be encoded
+properly.
+
+Reported-by: Bahaa Naamneh of Crosspoint Labs
+
+Upstream-Status: Backport 
[https://github.com/libarchive/libarchive/commit/1b4e0d0f9d445ba3e4d0c7db7ce0b30300572fe8]
+Signed-off-by: Peter Marko 
+---
+ libarchive/archive_write_set_format_pax.c | 35 ---
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/libarchive/archive_write_set_format_pax.c 
b/libarchive/archive_write_set_format_pax.c
+index c9c15916..1eb9a9a4 100644
+--- a/libarchive/archive_write_set_format_pax.c
 b/libarchive/archive_write_set_format_pax.c
+@@ -367,10 +367,12 @@ archive_write_pax_header_xattr(struct pax *pax, const 
char *encoded_name,
+   struct archive_string s;
+   char *encoded_value;
+ 
++  if (encoded_name == NULL)
++  return;
++
+   if (pax->flags & WRITE_LIBARCHIVE_XATTR) {
+   encoded_value = base64_encode((const char *)value, value_len);
+-
+-  if (encoded_name != NULL && encoded_value != NULL) {
++  if (encoded_value != NULL) {
+   archive_string_init();
+   archive_strcpy(, "LIBARCHIVE.xattr.");
+   archive_strcat(, encoded_name);
+@@ -403,17 +405,22 @@ archive_write_pax_header_xattrs(struct archive_write *a,
+ 
+   archive_entry_xattr_next(entry, , , );
+   url_encoded_name = url_encode(name);
+-  if (url_encoded_name != NULL) {
++  if (url_encoded_name == NULL)
++  goto malloc_error;
++  else {
+   /* Convert narrow-character to UTF-8. */
+   r = archive_strcpy_l(&(pax->l_url_encoded_name),
+   url_encoded_name, pax->sconv_utf8);
+   free(url_encoded_name); /* Done with this. */
+   if (r == 0)
+   encoded_name = pax->l_url_encoded_name.s;
+-  else if (errno == ENOMEM) {
+-  archive_set_error(>archive, ENOMEM,
+-  "Can't allocate memory for Linkname");
+-  return (ARCHIVE_FATAL);
++  else if (r == -1)
++  goto malloc_error;
++  else {
++  archive_set_error(>archive,
++  ARCHIVE_ERRNO_MISC,
++  "Error encoding pax extended attribute");
++  return (ARCHIVE_FAILED);
+   }
+   }
+ 
+@@ -422,6 +429,9 @@ archive_write_pax_header_xattrs(struct archive_write *a,
+ 
+   }
+   return (ARCHIVE_OK);
++malloc_error:
++  archive_set_error(>archive, ENOMEM, "Can't allocate memory");
++  return (ARCHIVE_FATAL);
+ }
+ 
+ static int
+@@ -1904,14 +1914,19 @@ url_encode(const char *in)
+ {
+   const char *s;
+   char *d;
+-  int out_len = 0;
++  size_t out_len = 0;
+   char *out;
+ 
+   for (s = in; *s != '\0'; s++) {
+-  if (*s < 33 || *s > 126 || *s == '%' || *s == '=')
++  if (*s < 33 || *s > 126 || *s == '%' || *s == '=') {
++  if (SIZE_MAX - out_len < 4)
++  return (NULL);
+   out_len += 3;
+-  else
++  } else {
++  if (SIZE_MAX - out_len < 2)
++  

[OE-core][kirkstone][PATCH] python3: Upgrade 3.10.13 -> 3.10.14

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Addresses CVEs:
* CVE-2023-52425 (bundled expat)
* CVE-2023-6597 (https://github.com/python/cpython/pull/112840)

News: https://github.com/python/cpython/blob/3.10/Misc/NEWS.d/3.10.14.rst

Signed-off-by: Peter Marko 
---
 .../python/{python3_3.10.13.bb => python3_3.10.14.bb}   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3_3.10.13.bb => python3_3.10.14.bb} 
(99%)

diff --git a/meta/recipes-devtools/python/python3_3.10.13.bb 
b/meta/recipes-devtools/python/python3_3.10.14.bb
similarity index 99%
rename from meta/recipes-devtools/python/python3_3.10.13.bb
rename to meta/recipes-devtools/python/python3_3.10.14.bb
index 76e37e42a1..31c458c09a 100644
--- a/meta/recipes-devtools/python/python3_3.10.13.bb
+++ b/meta/recipes-devtools/python/python3_3.10.14.bb
@@ -44,7 +44,7 @@ SRC_URI:append:class-native = " \
file://12-distutils-prefix-is-inside-staging-area.patch \
file://0001-Don-t-search-system-for-headers-libraries.patch \
"
-SRC_URI[sha256sum] = 
"5c88848668640d3e152b35b4536ef1c23b2ca4bd2c957ef1ecbb053f571dd3f6"
+SRC_URI[sha256sum] = 
"9c50481faa8c2832329ba0fc8868d0a606a680fc4f60ec48d26ce8e076751fda"
 
 # exclude pre-releases for both python 2.x and 3.x
 UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P\d+(\.\d+)+).tar"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198763): 
https://lists.openembedded.org/g/openembedded-core/message/198763
Mute This Topic: https://lists.openembedded.org/mt/105828377/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core] Yocto-5.0 tag on master instead of scarthgap

[Peter Marko via lists.openembedded.org]

Looks like yocto-5.0 tag in openembedded-core repository was done on master 
instead of scarthgap branch.
Tag in poky repository seems to be fine.

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198756): 
https://lists.openembedded.org/g/openembedded-core/message/198756
Mute This Topic: https://lists.openembedded.org/mt/105817337/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][master][scarthgap][PATCH] glibc: Update to latest on stable 2.39 branch

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Adresses CVE-2024-2961

Remove backported patch included in hash update.

Changes:
31da30f23c iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape 
sequence (CVE-2024-2961)
423099a032 x86_64: Exclude SSE, AVX and FMA4 variants in libm multiarch
04df8652eb Apply the Makefile sorting fix
edb9a76e30 powerpc: Fix ld.so address determination for PCREL mode (bug 31640)
7b92f46f04 x86-64: Simplify minimum ISA check ifdef conditional with if
9883f4304c x86-64: Don't use SSE resolvers for ISA level 3 or above
9d92452c70 AArch64: Check kernel version for SVE ifuncs
395a89f61e aarch64: fix check for SVE support in assembler
b0e0a07018 aarch64/fpu: Sync libmvec routines from 2.39 and before with AOR
31c7d69af5 i386: Use generic memrchr in libc (bug 31316)
5d070d12b3 x86: Expand the comment on when REP STOSB is used on memset
6484a92698 x86: Do not prefer ERMS for memset on Zen3+
aa4249266e x86: Fix Zen3/Zen4 ERMS selection (BZ 30994)
5a461f2949 Add tst-gnu2-tls2mod1 to test-internal-extras
aded2fc004 elf: Enable TLS descriptor tests on aarch64
a8ba52bde5 arm: Update _dl_tlsdesc_dynamic to preserve caller-saved registers 
(BZ 31372)
15aebdbada Ignore undefined symbols for -mtls-dialect=gnu2
354cabcb26 x86-64: Allocate state buffer space for RDI, RSI and RBX
853e915fdd x86-64: Update _dl_tlsdesc_dynamic to preserve AMX registers
a364304718 x86: Update _dl_tlsdesc_dynamic to preserve caller-saved registers
7fc8242bf8 x86-64: Save APX registers in ld.so trampoline
983f34a125 LoongArch: Correct {__ieee754, _}_scalb -> {__ieee754, _}_scalbf
aad45c8ac3 powerpc: Placeholder and infrastructure/build support to add Power11 
related changes.
ee7f4c54e1 powerpc: Add HWCAP3/HWCAP4 data to TCB for Power Architecture.
71fcdba577 linux: Use rseq area unconditionally in sched_getcpu (bug 31479)

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc-version.inc |  2 +-
 ...e-Pass-mcpu-along-with-march-to-dete.patch | 62 ---
 ...ss.patch => 0023-qemu-stale-process.patch} |  0
 meta/recipes-core/glibc/glibc_2.39.bb |  7 ++-
 4 files changed, 6 insertions(+), 65 deletions(-)
 delete mode 100644 
meta/recipes-core/glibc/glibc/0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch
 rename meta/recipes-core/glibc/glibc/{0024-qemu-stale-process.patch => 
0023-qemu-stale-process.patch} (100%)

diff --git a/meta/recipes-core/glibc/glibc-version.inc 
b/meta/recipes-core/glibc/glibc-version.inc
index 618a574566..4fc6986ffc 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.39/master"
 PV = "2.39+git"
-SRCREV_glibc ?= "1b9c1a0047fb26a65a9b2a7b8cd977243f7d353c"
+SRCREV_glibc ?= "31da30f23cddd36db29d5b6a1c7619361b271fb4"
 SRCREV_localedef ?= "fab74f31b3811df543e24b6de47efdf45b538abc"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
diff --git 
a/meta/recipes-core/glibc/glibc/0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch
 
b/meta/recipes-core/glibc/glibc/0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch
deleted file mode 100644
index f6523c5498..00
--- 
a/meta/recipes-core/glibc/glibc/0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 73c26018ed0ecd9c807bb363cc2c2ab4aca66a82 Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy 
-Date: Wed, 13 Mar 2024 14:34:14 +
-Subject: [PATCH] aarch64: fix check for SVE support in assembler
-
-Due to GCC bug 110901 -mcpu can override -march setting when compiling
-asm code and thus a compiler targetting a specific cpu can fail the
-configure check even when binutils gas supports SVE.
-
-The workaround is that explicit .arch directive overrides both -mcpu
-and -march, and since that's what the actual SVE memcpy uses the
-configure check should use that too even if the GCC issue is fixed
-independently.
-
-Upstream-Status: Backport 
[https://sourceware.org/git/?p=glibc.git;a=commit;h=73c26018ed0ecd9c807bb363cc2c2ab4aca66a82]
-Signed-off-by: Khem Raj 
-Reviewed-by: Florian Weimer 

- sysdeps/aarch64/configure| 5 +++--
- sysdeps/aarch64/configure.ac | 5 +++--
- 2 files changed, 6 insertions(+), 4 deletions(-)
- mode change 100644 => 100755 sysdeps/aarch64/configure
-
-diff --git a/sysdeps/aarch64/configure b/sysdeps/aarch64/configure
-old mode 100644
-new mode 100755
-index ca57edce47..9606137e8d
 a/sysdeps/aarch64/configure
-+++ b/sysdeps/aarch64/configure
-@@ -325,9 +325,10 @@ then :
-   printf %s "(cached) " >&6
- else $as_nop
-   cat > conftest.s <<\EOF
--ptrue p0.b
-+  .arch armv8.2-a+sve
-+  ptrue p0.b
- EOF
--if { ac_try='${CC-cc} -c -march=armv8.2-a+sve conftest.s 1>&5'
-+if { ac_try='${CC-cc} -c conftest.s 1>&5'
-   { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
-   (eval $ac_try) 2>&5
-   ac_status=$?
-diff --git a/sysdeps/aarch64/configure.ac b/sysdeps/aarch64/configure.ac

[OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Adresses CVE-2024-2961

Changes:
36280d1ce5 iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape 
sequence (CVE-2024-2961)
4a7de5e215 powerpc: Fix ld.so address determination for PCREL mode (bug 31640)
f4a45af368 AArch64: Check kernel version for SVE ifuncs
7f3c143381 aarch64: fix check for SVE support in assembler
9112cda4c6 aarch64: correct CFI in rawmemchr (bug 31113)
153012dda2 AArch64: Remove Falkor memcpy
90b03336d9 AArch64: Add memset_zva64
d166309459 AArch64: Cleanup emag memset
650300d233 AArch64: Cleanup ifuncs
5bfa9f4369 AArch64: Add support for MOPS memcpy/memmove/memset
c4e222334b Add HWCAP2_MOPS from Linux 6.5 to AArch64 bits/hwcap.h
b9e93c5ff7 AArch64: Improve SVE memcpy and memmove
115c2c7717 AArch64: Improve strrchr
06fad28274 AArch64: Optimize strnlen
3a1557efef AArch64: Optimize strlen
6f2ca6aab9 AArch64: Optimize strcpy
249fff42a8 AArch64: Improve strchrnul
1c1313dbdd AArch64: Optimize strchr
80ad6cd302 AArch64: Improve strlen_asimd
65c4bb41b6 AArch64: Optimize memrchr
23be6f897e AArch64: Optimize memchr
28e40b3909 aarch64: Use memcpy_simd as the default memcpy
c503e2206e aarch64: Cleanup memset ifunc
577bd1e049 AArch64: Fix typo in sve configure check (BZ# 29394)
ea25fe5599 aarch64: Optimize string functions with shrn instruction
2c4ae9faa5 AArch64: Sort makefile entries
2c92d94407 AArch64: Add SVE memcpy
d6d295a95b linux: Use rseq area unconditionally in sched_getcpu (bug 31479)
dda5faa65e Include sys/rseq.h in tst-rseq-disable.c
c9ee9cc8b8 nptl: Unconditionally use a 32-byte rseq area
3cd02612e8 make ‘struct pthread’ a complete type
a24adf3572 support: use 64-bit time_t (bug 30111)
d47c5e4db7 malloc: Use __get_nprocs on arena_get2 (BZ 30945)
1a3326df93 x86_64: Optimize ffsll function code size.
914af4fcca NEWS: Mention bug fixes for 29039/30745/30843
5d1fe26b49 x86-64: Fix the tcb field load for x32 [BZ #31185]
2d87262c1c x86-64: Fix the dtv field load for x32 [BZ #31184]
5f08ec08d0 elf: Fix TLS modid reuse generation assignment (BZ 29039)
01ea8d9dde Revert "elf: Move l_init_called_next to old place of l_text_end in 
link map"
0222f2392d Revert "elf: Always call destructors in reverse constructor order 
(bug 30785)"
6aa8380cf5 Revert "elf: Remove unused l_text_end field from struct link_map"

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc-version.inc | 2 +-
 meta/recipes-core/glibc/glibc_2.35.bb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/glibc/glibc-version.inc 
b/meta/recipes-core/glibc/glibc-version.inc
index e0d47f283b..cd8c7ecf94 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.35/master"
 PV = "2.35"
-SRCREV_glibc ?= "c84018a05aec80f5ee6f682db0da1130b0196aef"
+SRCREV_glibc ?= "36280d1ce5e245aabefb877fe4d3c6cff95dabfa"
 SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb 
b/meta/recipes-core/glibc/glibc_2.35.bb
index 751427517f..74d7f753d8 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -24,7 +24,7 @@ CVE_CHECK_IGNORE += "CVE-2019-1010025"
 CVE_CHECK_IGNORE += "CVE-2023-4527"
 
 # To avoid these in cve-check reports since the recipe version did not change
-CVE_CHECK_IGNORE += "CVE-2023-0687 CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 
CVE-2023-5156"
+CVE_CHECK_IGNORE += "CVE-2023-0687 CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 
CVE-2023-5156 CVE-2024-2961"
 
 DEPENDS += "gperf-native bison-native"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198632): 
https://lists.openembedded.org/g/openembedded-core/message/198632
Mute This Topic: https://lists.openembedded.org/mt/105696785/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085

[Peter Marko via lists.openembedded.org]

Identical patch was already submitted and then requested to be ignored because 
the issue is apparently introduced by one of the added patches.
https://lists.openembedded.org/g/openembedded-core/message/197670

Since the vulnerability report claims that our version IS vulnerable, it would 
be interesting to know where the truth is...
https://github.com/skyler-ferrante/CVE-2024-28085 -> The vulnerable code was 
introduced in commit cdd3cc7fa4 (2013).

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198557): 
https://lists.openembedded.org/g/openembedded-core/message/198557
Mute This Topic: https://lists.openembedded.org/mt/105617913/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] ttyrun: define CVE_PRODUCT

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Single executable ttyrun is taken ouf of s390-tools repository
containing ton of other helper tools.
CVEs are not assigned to executables, but to whole components.
Historically there also already exists one CVE for s390-tools.

Most of the CVEs will not be for ttyrun, but this is the way
how to get notified even if most we get will have to be ignored.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/ttyrun/ttyrun_2.31.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-core/ttyrun/ttyrun_2.31.0.bb 
b/meta/recipes-core/ttyrun/ttyrun_2.31.0.bb
index 122dd9d8e7..fac11d6310 100644
--- a/meta/recipes-core/ttyrun/ttyrun_2.31.0.bb
+++ b/meta/recipes-core/ttyrun/ttyrun_2.31.0.bb
@@ -9,6 +9,8 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=f5118f167b055bfd7c3450803f1847af"
 SRC_URI = 
"git://github.com/ibm-s390-linux/s390-tools;protocol=https;branch=master"
 SRCREV = "6f15ed326491a17d83ca60cd2bda47fb5e8a0175"
 
+CVE_PRODUCT = "s390-tools"
+
 S = "${WORKDIR}/git"
 
 EXTRA_OEMAKE = "\
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198232): 
https://lists.openembedded.org/g/openembedded-core/message/198232
Mute This Topic: https://lists.openembedded.org/mt/105533464/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH] openssl: openssl: patch CVE-2024-2511

[Peter Marko via lists.openembedded.org]

I think that sending this patch was correct, see comments below.
Peter

From: openembedded-core@lists.openembedded.org 
 On Behalf Of Tim Orling via 
lists.openembedded.org
Sent: Sunday, April 14, 2024 6:45
To: Marko, Peter (ADV D EU SK BFS1) 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] openssl: openssl: patch CVE-2024-2511

> Looks like when 3.2.2 is released it will include this. So 3.2.2 should be 
> applied to scarthgap.

Sure, once it is available, it will be used.
But waiting for it could take months.

> “master” will be moving to 3.3.0 soon for styhead

Currently both scarthgap and styhead use the same master-next branch for 
staging/testing patches.
So sending update to 3.3.0 would prevent patching styhead until the branches 
are separated.


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198205): 
https://lists.openembedded.org/g/openembedded-core/message/198205
Mute This Topic: https://lists.openembedded.org/mt/105508900/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] openssl: openssl: patch CVE-2024-2511

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Patch: 
https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
News: 
https://github.com/openssl/openssl/commit/b7acb6731a96b073d6150465bd090e2052a595c2

Signed-off-by: Peter Marko 
---
 .../openssl/openssl/CVE-2024-2511.patch   | 120 ++
 .../openssl/openssl_3.2.1.bb  |   1 +
 2 files changed, 121 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch 
b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
new file mode 100644
index 00..8772f716d5
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
@@ -0,0 +1,120 @@
+From e9d7083e241670332e0443da0f0d4ffb52829f08 Mon Sep 17 00:00:00 2001
+From: Matt Caswell 
+Date: Tue, 5 Mar 2024 15:43:53 +
+Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
+
+In TLSv1.3 we create a new session object for each ticket that we send.
+We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
+use then the new session will be added to the session cache. However, if
+early data is not in use (and therefore anti-replay protection is being
+used), then multiple threads could be resuming from the same session
+simultaneously. If this happens and a problem occurs on one of the threads,
+then the original session object could be marked as not_resumable. When we
+duplicate the session object this not_resumable status gets copied into the
+new session object. The new session object is then added to the session
+cache even though it is not_resumable.
+
+Subsequently, another bug means that the session_id_length is set to 0 for
+sessions that are marked as not_resumable - even though that session is
+still in the cache. Once this happens the session can never be removed from
+the cache. When that object gets to be the session cache tail object the
+cache never shrinks again and grows indefinitely.
+
+CVE-2024-2511
+
+Reviewed-by: Neil Horman 
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/24043)
+
+CVE: CVE-2024-2511
+Upstream-Status: Backport 
[https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08]
+Signed-off-by: Peter Marko 
+---
+ ssl/ssl_lib.c|  5 +++--
+ ssl/ssl_sess.c   | 28 ++--
+ ssl/statem/statem_srvr.c |  5 ++---
+ 3 files changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 4afb43bc86e54..c51529ddab5bb 100644
+--- a/ssl/ssl_lib.c
 b/ssl/ssl_lib.c
+@@ -4457,9 +4457,10 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode)
+ 
+ /*
+  * If the session_id_length is 0, we are not supposed to cache it, and it
+- * would be rather hard to do anyway :-)
++ * would be rather hard to do anyway :-). Also if the session has already
++ * been marked as not_resumable we should not cache it for later reuse.
+  */
+-if (s->session->session_id_length == 0)
++if (s->session->session_id_length == 0 || s->session->not_resumable)
+ return;
+ 
+ /*
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index 3dcc4d81e5bc6..1fa6d17c46863 100644
+--- a/ssl/ssl_sess.c
 b/ssl/ssl_sess.c
+@@ -127,16 +127,11 @@ SSL_SESSION *SSL_SESSION_new(void)
+ return ss;
+ }
+ 
+-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+-{
+-return ssl_session_dup(src, 1);
+-}
+-
+ /*
+  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+  * ticket == 0 then no ticket information is duplicated, otherwise it is.
+  */
+-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
+ {
+ SSL_SESSION *dest;
+ 
+@@ -265,6 +260,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int 
ticket)
+ return NULL;
+ }
+ 
++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
++{
++return ssl_session_dup_intern(src, 1);
++}
++
++/*
++ * Used internally when duplicating a session which might be already shared.
++ * We will have resumed the original session. Subsequently we might have 
marked
++ * it as non-resumable (e.g. in another thread) - but this copy should be ok 
to
++ * resume from.
++ */
++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++{
++SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
++
++if (sess != NULL)
++sess->not_resumable = 0;
++
++return sess;
++}
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int 
*len)
+ {
+ if (len)
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index 853af8c0aa9f9..d5f0ab091dacc 100644
+--- a/ssl/statem/statem_srvr.c
 b/ssl/statem/statem_srvr.c
+@@ -2445,9 +2445,8 @@ CON_FUNC_RETURN 
tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
+  * so the following won't overwrite an 

[OE-core][kirkstone][PATCH] openssl: patch CVE-2024-2511

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Patch: 
https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
News: 
https://github.com/openssl/openssl/commit/daee101e39073d4b65a68faeb2f2de5ad7b05c36

Signed-off-by: Peter Marko 
---
 .../openssl/openssl/CVE-2024-2511.patch   | 122 ++
 .../openssl/openssl_3.0.13.bb |   1 +
 2 files changed, 123 insertions(+)
 create mode 100644 
meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch 
b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
new file mode 100644
index 00..8aea686205
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
@@ -0,0 +1,122 @@
+From b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d Mon Sep 17 00:00:00 2001
+From: Matt Caswell 
+Date: Tue, 5 Mar 2024 15:43:53 +
+Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
+
+In TLSv1.3 we create a new session object for each ticket that we send.
+We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
+use then the new session will be added to the session cache. However, if
+early data is not in use (and therefore anti-replay protection is being
+used), then multiple threads could be resuming from the same session
+simultaneously. If this happens and a problem occurs on one of the threads,
+then the original session object could be marked as not_resumable. When we
+duplicate the session object this not_resumable status gets copied into the
+new session object. The new session object is then added to the session
+cache even though it is not_resumable.
+
+Subsequently, another bug means that the session_id_length is set to 0 for
+sessions that are marked as not_resumable - even though that session is
+still in the cache. Once this happens the session can never be removed from
+the cache. When that object gets to be the session cache tail object the
+cache never shrinks again and grows indefinitely.
+
+CVE-2024-2511
+
+Reviewed-by: Neil Horman 
+Reviewed-by: Tomas Mraz 
+(Merged from https://github.com/openssl/openssl/pull/24044)
+
+(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce)
+
+CVE: CVE-2024-2511
+Upstream-Status: Backport 
[https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d]
+Signed-off-by: Peter Marko 
+---
+ ssl/ssl_lib.c|  5 +++--
+ ssl/ssl_sess.c   | 28 ++--
+ ssl/statem/statem_srvr.c |  5 ++---
+ 3 files changed, 27 insertions(+), 11 deletions(-)
+
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 2c8479eb5fc69..eed649c6fdee9 100644
+--- a/ssl/ssl_lib.c
 b/ssl/ssl_lib.c
+@@ -3736,9 +3736,10 @@ void ssl_update_cache(SSL *s, int mode)
+ 
+ /*
+  * If the session_id_length is 0, we are not supposed to cache it, and it
+- * would be rather hard to do anyway :-)
++ * would be rather hard to do anyway :-). Also if the session has already
++ * been marked as not_resumable we should not cache it for later reuse.
+  */
+-if (s->session->session_id_length == 0)
++if (s->session->session_id_length == 0 || s->session->not_resumable)
+ return;
+ 
+ /*
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index d836b33ed0e81..75adbd9e52b40 100644
+--- a/ssl/ssl_sess.c
 b/ssl/ssl_sess.c
+@@ -152,16 +152,11 @@ SSL_SESSION *SSL_SESSION_new(void)
+ return ss;
+ }
+ 
+-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+-{
+-return ssl_session_dup(src, 1);
+-}
+-
+ /*
+  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+  * ticket == 0 then no ticket information is duplicated, otherwise it is.
+  */
+-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
+ {
+ SSL_SESSION *dest;
+ 
+@@ -285,6 +280,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int 
ticket)
+ return NULL;
+ }
+ 
++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
++{
++return ssl_session_dup_intern(src, 1);
++}
++
++/*
++ * Used internally when duplicating a session which might be already shared.
++ * We will have resumed the original session. Subsequently we might have 
marked
++ * it as non-resumable (e.g. in another thread) - but this copy should be ok 
to
++ * resume from.
++ */
++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
++{
++SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
++
++if (sess != NULL)
++sess->not_resumable = 0;
++
++return sess;
++}
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int 
*len)
+ {
+ if (len)
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index a9e67f9d32a77..6c942e6bcec29 100644
+--- a/ssl/statem/statem_srvr.c
 b/ssl/statem/statem_srvr.c
+@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
+  * 

Re: [OE-core][PATCH 2/3] kbd: remove non-free Agafari fonts

[Peter Marko via lists.openembedded.org]

That surprises me but fine.
I'm sending a v2 moving the file removal to the recipe.
But you could also hand-craft the patch again locally.

Peter

-Original Message-
From: Khem Raj  
Sent: Saturday, April 13, 2024 2:26
To: Marko, Peter (ADV D EU SK BFS1) 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH 2/3] kbd: remove non-free Agafari fonts

> On Fri, Apr 12, 2024 at 10:02 AM Peter Marko via lists.openembedded.org 
>  wrote:
> >
> > I know that binary patches are problematic over mailing list.
> > Here the patch as zipped attachment just in case.
> >
>
> This does not help either, This patch is deleting files so why not just do 
> the delete operation in do_compile:prepend
>
> rm -rf ${S}/data/consolefonts/Agafari-1*
>
> until the mentioned patch is part of a future kbd release.
>
> > Peter
> >
> > 
> >

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198192): 
https://lists.openembedded.org/g/openembedded-core/message/198192
Mute This Topic: https://lists.openembedded.org/mt/105486424/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] ncurses: patch CVE-2023-50495

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

backport relevant parts from
https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz

Signed-off-by: Peter Marko 
---
 .../ncurses/files/CVE-2023-50495.patch| 81 +++
 .../ncurses/ncurses_6.3+20220423.bb   |  1 +
 2 files changed, 82 insertions(+)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-50495.patch

diff --git a/meta/recipes-core/ncurses/files/CVE-2023-50495.patch 
b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
new file mode 100644
index 00..3d92974227
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
@@ -0,0 +1,81 @@
+commit ebc08cff36689eec54edc1ce2de6ebac826bd6cd
+Author: Peter Marko 
+Date:   Fri Apr 12 23:56:25 2024 +0200
+
+check return value of _nc_save_str(), in special case for tic where
+extended capabilities are processed but the terminal description was
+not initialized (report by Ziqiao Kong).
+
+Only parts relevant for this CVE was extracted from upstream patch.
+
+CVE: CVE-2023-45853
+Upstream-Status: Backport 
[https://invisible-island.net/archives/ncurses/6.4/ncurses-6.4-20230424.patch.gz]
+
+Signed-off-by: Peter Marko 
+
+---
+ ncurses/tinfo/parse_entry.c | 23 ---
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index a77cd0b..8ac02ac 100644
+--- a/ncurses/tinfo/parse_entry.c
 b/ncurses/tinfo/parse_entry.c
+@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int 
token_type)
+   /* Well, we are given a cancel for a name that we don't recognize */
+   return _nc_extend_names(entryp, name, STRING);
+ default:
+-  return 0;
++  return NULL;
+ }
+ 
+ /* Adjust the 'offset' (insertion-point) to keep the lists of extended
+@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int 
token_type)
+   for (last = (unsigned) (max - 1); last > tindex; last--)
+ 
+ if (!found) {
++  char *saved;
++
++  if ((saved = _nc_save_str(name)) == NULL)
++  return NULL;
++
+   switch (token_type) {
+   case BOOLEAN:
+   tp->ext_Booleans++;
+@@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int 
token_type)
+   TYPE_REALLOC(char *, actual, tp->ext_Names);
+   while (--actual > offset)
+   tp->ext_Names[actual] = tp->ext_Names[actual - 1];
+-  tp->ext_Names[offset] = _nc_save_str(name);
++  tp->ext_Names[offset] = saved;
+ }
+ 
+ temp.nte_name = tp->ext_Names[offset];
+@@ -337,6 +342,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+   bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
+   bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
+   if (is_use || is_tc) {
++  char *saved;
++
+   if (!VALID_STRING(_nc_curr_token.tk_valstring)
+   || _nc_curr_token.tk_valstring[0] == '\0') {
+   _nc_warning("missing name for use-clause");
+@@ -350,11 +357,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+   _nc_curr_token.tk_valstring);
+   continue;
+   }
+-  entryp->uses[entryp->nuses].name = 
_nc_save_str(_nc_curr_token.tk_valstring);
+-  entryp->uses[entryp->nuses].line = _nc_curr_line;
+-  entryp->nuses++;
+-  if (entryp->nuses > 1 && is_tc) {
+-  BAD_TC_USAGE
++  if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) {
++  entryp->uses[entryp->nuses].name = saved;
++  entryp->uses[entryp->nuses].line = _nc_curr_line;
++  entryp->nuses++;
++  if (entryp->nuses > 1 && is_tc) {
++  BAD_TC_USAGE
++  }
+   }
+   } else {
+   /* normal token lookup */
diff --git a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb 
b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb
index a34a7bdfdc..da1e6d838d 100644
--- a/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.3+20220423.bb
@@ -4,6 +4,7 @@ SRC_URI += "file://0001-tic-hang.patch \
file://0002-configure-reproducible.patch \

file://0003-gen-pkgconfig.in-Do-not-include-LDFLAGS-in-generated.patch \
file://CVE-2023-29491.patch \
+   file://CVE-2023-50495.patch \
"
 # commit id corresponds to the revision in package version
 SRCREV = "a0bc708bc6954b5d3c0a38d92b683c3ec3135260"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198188): 
https://lists.openembedded.org/g/openembedded-core/message/198188
Mute This Topic: https://lists.openembedded.org/mt/105491705/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]

Re: [OE-core][PATCH] systemd: make predictable name mac policy opt-out

[Peter Marko via lists.openembedded.org]

-Original Message-
From: Richard Purdie  
Sent: Friday, April 12, 2024 18:41
To: Marko, Peter (ADV D EU SK BFS1) ; Ross Burton 
; Kanavin, Alexander (EXT) (Linutronix GmbH) 
; joe.sla...@windriver.com
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] systemd: make predictable name mac policy opt-out

> On Fri, 2024-04-12 at 13:47 +, Marko, Peter wrote:
> > -Original Message-
> > From: Ross Burton 
> > Sent: Wednesday, April 10, 2024 18:00
> > To: Marko, Peter (ADV D EU SK BFS1) 
> > Cc: openembedded-core@lists.openembedded.org
> > Subject: Re: [OE-core][PATCH] systemd: make predictable name mac 
> > policy opt-out
> > 
> > > On 8 Apr 2024, at 08:04, Peter Marko via lists.openembedded.org 
> > >  wrote:
> > > > +   ${@bb.utils.contains('PACKAGECONFIG', 'predictable-
> > > > if-mac', 'file://0001-NamePolicy.patch', '', d)} \
> > > 
> > > There’s a few other places which use the pni-names DISTRO_FEATURE 
> > > (which probably needs to be documented), this should respect that I 
> > > guess.
> > 
> > Sent a v2, maybe it's more acceptable as it uses distro feature and 
> > does not conditionally patch the sources.
>
> FWIW I much prefer it thanks.
>
> > Note that I have added the pni-names condition only to the systemd 
> > part.
> > If this is accepted, the components from the other 4 patches should 
> > follow this.
>
> I'm struggling to keep track of all the details but I think this is an 
> improvement so I've queued it.

I have checked and I think we should be good now.
The 5 commits introducing the pni changes were:
- "init-ifupdown: add predictable interface names" - does not enable pni, just 
handles if it's enabled
- found problems were fixed by "init-ifupdown: modify interfaces for 
busybox" and "packagegroup-core-boot: recommend ifupdown"
- "eudev: modify predictable network if name search" - does not enable pmi, 
just handles if it's enabled
- "eudev: allow for predictable network interface names" - guarded by pni-names
- "qemuboot: predictable network interface names" - guarded by pni-names
- "systemd: enable mac based names in NamePolicy" - guarded by pni-names now 
after my commit

Peter

> Cheers,
>
> Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198186): 
https://lists.openembedded.org/g/openembedded-core/message/198186
Mute This Topic: https://lists.openembedded.org/mt/105396950/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH 2/3] kbd: remove non-free Agafari fonts

[Peter Marko via lists.openembedded.org]

I know that binary patches are problematic over mailing list.
Here the patch as zipped attachment just in case.

Peter
<>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198182): 
https://lists.openembedded.org/g/openembedded-core/message/198182
Mute This Topic: https://lists.openembedded.org/mt/105486424/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH 1/3] kbd: split gpl-3 keymap to separate package

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Pine keymap was added with GPL-3 license.
https://github.com/legionus/kbd/commit/1589e9e1019756b5287b41dddcd7285271c5990e

Split this GPL-3 keymap and install it via recommendation
so it is easy to remove it by excluding recommendations.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/kbd/kbd_2.6.4.bb | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/kbd/kbd_2.6.4.bb 
b/meta/recipes-core/kbd/kbd_2.6.4.bb
index 790055aa96..1a7b6b552b 100644
--- a/meta/recipes-core/kbd/kbd_2.6.4.bb
+++ b/meta/recipes-core/kbd/kbd_2.6.4.bb
@@ -24,13 +24,16 @@ PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 
'pam', d)} \
 
 PACKAGECONFIG[pam] = "--enable-vlock, --disable-vlock, libpam,"
 
-PACKAGES += "${PN}-consolefonts ${PN}-keymaps ${PN}-unimaps ${PN}-consoletrans"
+PACKAGES += "${PN}-consolefonts ${PN}-keymaps-pine ${PN}-keymaps ${PN}-unimaps 
${PN}-consoletrans"
 
 FILES:${PN}-consolefonts = "${datadir}/consolefonts"
 FILES:${PN}-consoletrans = "${datadir}/consoletrans"
+FILES:${PN}-keymaps-pine = "${datadir}/keymaps/pine"
 FILES:${PN}-keymaps = "${datadir}/keymaps"
 FILES:${PN}-unimaps = "${datadir}/unimaps"
 
+RRECOMMENDS:${PN}-keymaps = "${PN}-keymaps-pine"
+
 do_install:append () {
 if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'yes', 'no', d)}" = 
"yes" ] \
 && [ -f ${D}${sysconfdir}/pam.d/vlock ]; then
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198179): 
https://lists.openembedded.org/g/openembedded-core/message/198179
Mute This Topic: https://lists.openembedded.org/mt/105486422/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH 2/3] kbd: remove non-free Agafari fonts

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Its license makes it impossible to distribute kbd
in any commercial products.
Backport commit which removes it.

Signed-off-by: Peter Marko 
---
 .../0001-Remove-non-free-Agafari-fonts.patch  | 336 ++
 meta/recipes-core/kbd/kbd_2.6.4.bb|   3 +
 2 files changed, 339 insertions(+)
 create mode 100644 
meta/recipes-core/kbd/kbd/0001-Remove-non-free-Agafari-fonts.patch

diff --git a/meta/recipes-core/kbd/kbd/0001-Remove-non-free-Agafari-fonts.patch 
b/meta/recipes-core/kbd/kbd/0001-Remove-non-free-Agafari-fonts.patch
new file mode 100644
index 00..99a8fec9d8
--- /dev/null
+++ b/meta/recipes-core/kbd/kbd/0001-Remove-non-free-Agafari-fonts.patch
@@ -0,0 +1,336 @@
+From b757e6842f9631757f0d1a6b3833aabffa9ffeee Mon Sep 17 00:00:00 2001
+From: Alexey Gladkov 
+Date: Thu, 29 Feb 2024 17:38:37 +0100
+Subject: [PATCH] Remove non-free Agafari fonts
+
+Based on legal analysis, we are removing non-free fonts for now. If we
+can change the license of these fonts, we will return them back.
+
+From: Stanislav Brabec 
+Date: Wed, 28 Feb 2024 16:47:54 +0100
+Subject: kbd: Legal problems of Agafari fonts
+
+The data/consolefonts/README.Ethiopic contains a notice:
+Agafari:
+  Donated by the Ethiopian Science and Technology Commission
+   or  and may be redistributed
+  for non-commercial use under Unix environments only.
+
+According to our legal review, it makes impossible to distribute these
+fonts as part of any commercial products, and even makes it impossible to
+distribute kbd sources as part of any commercial product services.
+
+Additionally, it makes the whole kbd package incompatible with GPL, so the
+COPYING file (created during build of the tarball) cannot declare GPL
+version 2. It also violates section 6 of GPL (no further restrictions).
+
+That is why several GNU/Linux distributions exclude Agafari from the
+release. To be on a safe side, SUSE even decided to repack any source
+tarballs before putting it to their servers.
+
+This was probably reported to the former kbd maintainer about 20 years ago,
+but nothing changed over years.
+
+That is why I recommend removing Agafari fonts and removing the reference
+to them from README.Ethiopic. Alternatively, you can ask the Ethiopian
+Science and Technology Commission for re-licensing.
+
+Signed-off-by: Alexey Gladkov 
+
+Upstream-Status: Backport 
[https://github.com/legionus/kbd/commit/b757e6842f9631757f0d1a6b3833aabffa9ffeee]
+
+Signed-off-by: Peter Marko 
+---
+ data/consolefonts/Agafari-12.psfu | Bin 7989 -> 0 bytes
+ data/consolefonts/Agafari-14.psfu | Bin 9013 -> 0 bytes
+ data/consolefonts/Agafari-16.psfu | Bin 10037 -> 0 bytes
+ data/consolefonts/README.Ethiopic |   5 -
+ 4 files changed, 5 deletions(-)
+ delete mode 100644 data/consolefonts/Agafari-12.psfu
+ delete mode 100644 data/consolefonts/Agafari-14.psfu
+ delete mode 100644 data/consolefonts/Agafari-16.psfu
+
+diff --git a/data/consolefonts/Agafari-12.psfu 
b/data/consolefonts/Agafari-12.psfu
+deleted file mode 100644
+index 
3c8e796b19e676b2d9addc540e1d9507da620c02..
+GIT binary patch
+literal 0
+HcmV?d1
+
+literal 7989
+zcmZvhYmgk*RmVG87>P<-D+(_D*IOSr`KW1`k;cFrF0(BoG{89^qkLgA|WKGS)73
+zSSDyPnmCTK{UV8+*jk)m@F{O-MdyL)u^v+q4((Ppr>h}dFTHh;vnVa=80$Hp5LHT4I?DsFN_qE+S0!sKelAe(8|oqW^MgjOZ**on^AQ8B8tCGD2&gzMa#-&)4G^wCoj#B3Fo$5dJ?
+zM#ZEA$AMB3#!aG(j1rgm8%N22nsIA%I-MTY;J8zdM+l8yVmi{l(aB^=nT(FHv!z-$
+zB0v79-EI$Kf1`tr^F-2Bn#t3Vb4Y+l=EOBZW@G5u>GMU6{-#ful(vN(!0P7q<}VYOOqU_*4NN}=s`wS?ZR;jC6`o9L)osWd8;s+=O$l?^mG
+z+wF6vX0qv^C{dF*1P(=8x?8$bk0uawW!x)bS0*9_3C#no;xR6
+z#zC5liLR3#@p;AFYh+@7y;i-dmJAFr
+z0xoq+{ZS`ide55q)ipB~_${lghgwuaRvS(HPN^!cH#L>bCNpJ@)a^$10=
+z(D-F}=sL5c>(XStXpK%3`)Bj{Axoxi{EG~KQ;5k^TO^N+1BYPXzk;ZtTD5#BV-z7
+zCYeY*4)LanKkcWZ_%&^W_QzU#OyKwY*8b@+SFE*Pt`(X-8f)!{Pp$o@y=Hc$Dz!HINsFc;Ni-A>Yb0Z_=omT{#bJG)mY1C

[OE-core][PATCH 3/3] kbd: update license

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

GPL-3 is used for keymaps-pine

LGPL2 is used in all C source files under src/libkfont/
which generate binaries included in main kbd package.
This is seen in their SPDX headers.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/kbd/kbd_2.6.4.bb | 16 +---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/kbd/kbd_2.6.4.bb 
b/meta/recipes-core/kbd/kbd_2.6.4.bb
index 3bc7d1c6b4..1295bca2a0 100644
--- a/meta/recipes-core/kbd/kbd_2.6.4.bb
+++ b/meta/recipes-core/kbd/kbd_2.6.4.bb
@@ -1,9 +1,19 @@
 SUMMARY = "Keytable files and keyboard utilities"
 HOMEPAGE = "http://www.kbd-project.org/;
 DESCRIPTION = "The kbd project contains tools for managing Linux console 
(Linux console, virtual terminals, keyboard, etc.) – mainly, what they do is 
loading console fonts and keyboard maps."
-# everything minus console-fonts is GPL-2.0-or-later
-LICENSE = "GPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+# consolefonts and keymaps contain also some public domain and author notice 
licenses
+LICENSE = "GPL-2.0-or-later & LGPL-2.0-or-later & GPL-3.0-or-later"
+LIC_FILES_CHKSUM = " \
+file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+
file://data/keymaps/pine/en.map;beginline=2;endline=15;md5=20914a59c0546a7b77ebf959bc88ad5d
 \
+"
+LICENSE:${PN} = "GPL-2.0-or-later & LGPL-2.0-or-later"
+LICENSE:${PN}-consolefonts = "GPL-2.0-or-later"
+LICENSE:${PN}-consoletrans = "GPL-2.0-or-later"
+LICENSE:${PN}-keymaps-pine = "GPL-3.0-or-later"
+LICENSE:${PN}-keymaps = "GPL-2.0-or-later"
+LICENSE:${PN}-unimaps = "GPL-2.0-or-later"
 
 inherit autotools gettext pkgconfig
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198180): 
https://lists.openembedded.org/g/openembedded-core/message/198180
Mute This Topic: https://lists.openembedded.org/mt/105486423/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH 0/3] kbd: update-license

[Peter Marko via lists.openembedded.org]

kbd consists of many parts with different licenses which
are not properly documented/handled.

This series tries to fix the most problematic issues,
which are non-commercial and gpl-3 licenses.

Peter Marko (3):
  kbd: split gpl-3 keymap to separate package
  kbd: remove non-free Agafari fonts
  kbd: update license

 .../0001-Remove-non-free-Agafari-fonts.patch  | 336 ++
 meta/recipes-core/kbd/kbd_2.6.4.bb|  24 +-
 2 files changed, 356 insertions(+), 4 deletions(-)
 create mode 100644 
meta/recipes-core/kbd/kbd/0001-Remove-non-free-Agafari-fonts.patch

-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198178): 
https://lists.openembedded.org/g/openembedded-core/message/198178
Mute This Topic: https://lists.openembedded.org/mt/105486420/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH] systemd: make predictable name mac policy opt-out

[Peter Marko via lists.openembedded.org]

-Original Message-
From: Ross Burton  
Sent: Wednesday, April 10, 2024 18:00
To: Marko, Peter (ADV D EU SK BFS1) 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] systemd: make predictable name mac policy opt-out

> On 8 Apr 2024, at 08:04, Peter Marko via lists.openembedded.org 
>  wrote:
> > +   ${@bb.utils.contains('PACKAGECONFIG', 'predictable-if-mac', 
> > 'file://0001-NamePolicy.patch', '', d)} \
>
> There’s a few other places which use the pni-names DISTRO_FEATURE (which 
> probably needs to be documented), this should respect that I guess.

Sent a v2, maybe it's more acceptable as it uses distro feature and does not 
conditionally patch the sources.

Note that I have added the pni-names condition only to the systemd part.
If this is accepted, the components from the other 4 patches should follow this.

Peter

>
> Ross


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198168): 
https://lists.openembedded.org/g/openembedded-core/message/198168
Mute This Topic: https://lists.openembedded.org/mt/105396950/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH v2] systemd: make predictable name mac policy opt-out

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Even the patch says it's inappropriate for upstream,
and it's also inappropriate for some downstream projects, too.
So make it possible to opt-out on it by replacing
the patch by sed and depend on distro feature pni-names.

Signed-off-by: Peter Marko 
---
 .../systemd/systemd/0001-NamePolicy.patch | 33 ---
 meta/recipes-core/systemd/systemd_255.4.bb| 13 ++--
 2 files changed, 11 insertions(+), 35 deletions(-)
 delete mode 100644 meta/recipes-core/systemd/systemd/0001-NamePolicy.patch

diff --git a/meta/recipes-core/systemd/systemd/0001-NamePolicy.patch 
b/meta/recipes-core/systemd/systemd/0001-NamePolicy.patch
deleted file mode 100644
index 46955cbcbb..00
--- a/meta/recipes-core/systemd/systemd/0001-NamePolicy.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 9bb09886320eb286108fb370b2634a66b3e3b9ff Mon Sep 17 00:00:00 2001
-From: Joe Slater 
-Date: Thu, 21 Mar 2024 16:28:31 +
-Subject: [PATCH] systemd: enable mac based names in NamePolicy
-
-The default NamePolicy for network interface names does not
-include names based on mac addresses.  Some BSPs, though, do
-not provide information to compute other names, so we enable
-mac names as a last resort.
-
-Upstream-Status: Inappropriate [enable feature]
-
-Signed-off-by: Joe Slater 

- network/99-default.link | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/network/99-default.link b/network/99-default.link
-index 429ac31e80..543ce54661 100644
 a/network/99-default.link
-+++ b/network/99-default.link
-@@ -15,6 +15,6 @@
- OriginalName=*
- 
- [Link]
--NamePolicy=keep kernel database onboard slot path
--AlternativeNamesPolicy=database onboard slot path
-+NamePolicy=keep kernel database onboard slot path mac
-+AlternativeNamesPolicy=database onboard slot path mac
- MACAddressPolicy=persistent
--- 
-2.35.5
-
diff --git a/meta/recipes-core/systemd/systemd_255.4.bb 
b/meta/recipes-core/systemd/systemd_255.4.bb
index 8a816c4bc1..e7498c802d 100644
--- a/meta/recipes-core/systemd/systemd_255.4.bb
+++ b/meta/recipes-core/systemd/systemd_255.4.bb
@@ -28,7 +28,6 @@ SRC_URI += " \
file://systemd-pager.sh \

file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
file://0008-implment-systemd-sysv-install-for-OE.patch \
-   file://0001-NamePolicy.patch \
"
 
 # patches needed by musl
@@ -66,7 +65,7 @@ PAM_PLUGINS = " \
 "
 
 PACKAGECONFIG ??= " \
-${@bb.utils.filter('DISTRO_FEATURES', 'acl audit efi ldconfig pam selinux 
smack usrmerge polkit seccomp', d)} \
+${@bb.utils.filter('DISTRO_FEATURES', 'acl audit efi ldconfig pam 
pni-names selinux smack usrmerge polkit seccomp', d)} \
 ${@bb.utils.contains('DISTRO_FEATURES', 'minidebuginfo', 'coredump 
elfutils', '', d)} \
 ${@bb.utils.contains('DISTRO_FEATURES', 'wifi', 'rfkill', '', d)} \
 ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'xkbcommon', '', d)} \
@@ -197,6 +196,7 @@ PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false"
 PACKAGECONFIG[polkit_hostnamed_fallback] = "dbus-broker,polkit"
 PACKAGECONFIG[portabled] = "-Dportabled=true,-Dportabled=false"
 PACKAGECONFIG[pstore] = "-Dpstore=true,-Dpstore=false"
+PACKAGECONFIG[pni-names] = ",,,"
 PACKAGECONFIG[qrencode] = "-Dqrencode=true,-Dqrencode=false,qrencode,,qrencode"
 PACKAGECONFIG[quotacheck] = "-Dquotacheck=true,-Dquotacheck=false"
 PACKAGECONFIG[randomseed] = "-Drandomseed=true,-Drandomseed=false"
@@ -389,6 +389,15 @@ do_install() {
 sed -i -e 
's/#RebootWatchdogSec=10min/RebootWatchdogSec=${WATCHDOG_TIMEOUT}/' \
 ${D}/${sysconfdir}/systemd/system.conf
 fi
+
+   if ${@bb.utils.contains('PACKAGECONFIG', 'pni-names', 'true', 'false', 
d)}; then
+   if ! grep -q '^NamePolicy=.*mac' 
${D}${rootlibexecdir}/systemd/network/99-default.link; then
+   sed -i '/^NamePolicy=/s/$/ mac/' 
${D}${rootlibexecdir}/systemd/network/99-default.link
+   fi
+   if ! grep -q 'AlternativeNamesPolicy=.*mac' 
${D}${rootlibexecdir}/systemd/network/99-default.link; then
+   sed -i '/AlternativeNamesPolicy=/s/$/ mac/' 
${D}${rootlibexecdir}/systemd/network/99-default.link
+   fi
+   fi
 }
 
 python populate_packages:prepend (){
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198167): 
https://lists.openembedded.org/g/openembedded-core/message/198167
Mute This Topic: https://lists.openembedded.org/mt/105482495/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] bitbake.conf: remove comment about oldincludedir

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

oldincludedir was removed by 506c91cbc6a604a84e37e53ccff430436369802e

Signed-off-by: Peter Marko 
---
 meta/conf/bitbake.conf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 6f180d18b0..ba8bd5f975 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -383,8 +383,7 @@ FILESEXTRAPATHS ?= "__default:"
 # the builtin definitions will be used.  Builtin definitions included:
 #  base_prefix, prefix, exec_prefix, base_bindir, base_sbindir, base_libdir,
 #  datadir, sysconfdir, servicedir, sharedstatedir, localstatedir, infodir,
-#  mandir, docdir, bindir, sbindir, libexecdir, libdir, includedir and
-#  oldincludedir
+#  mandir, docdir, bindir, sbindir, libexecdir, libdir and includedir
 FILESYSTEM_PERMS_TABLES ?= "${@'files/fs-perms.txt' if 
oe.types.boolean(d.getVar('VOLATILE_LOG_DIR')) else 
'files/fs-perms-persistent-log.txt'}"
 
 ##
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198166): 
https://lists.openembedded.org/g/openembedded-core/message/198166
Mute This Topic: https://lists.openembedded.org/mt/105481450/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH] systemd: make predictable name mac policy opt-out

[Peter Marko via lists.openembedded.org]

-Original Message-
From: Ross Burton  
Sent: Wednesday, April 10, 2024 18:18
To: Marko, Peter (ADV D EU SK BFS1) 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] systemd: make predictable name mac policy opt-out

> On 8 Apr 2024, at 08:04, Peter Marko via lists.openembedded.org 
>  wrote:
> > 
> > From: Peter Marko 
> > 
> > Even the patch says it's inappropriate for upstream, and it's also 
> > inappropriate for some downstream projects, too.
> > So make it possible to opt-out on it.
>
> I’m looking at these patches because of the fallout from the use of matches 
> in the interfaces file.   Presumably you want to make this opt-out for 
> concrete reasons, can you explain what broke?
>
> Ross

Basically, we have networkmanager and firewalld configuration matching 
interface names.
In addition, also our applications are hardcoding the interface names to be 
able to configure interfaces on demand.
Switching to dynamic names is not realistic.

After upgrading from 5.0_M3 to 5.0_M4 our wlan0 interface gets renamed by udev 
and thus networking breaks.
Unlike our ethernet ports with names defined in device tree, wifi chip uses 
external vendor kernel module so I'm not sure if I'm able to configure a stable 
kernel name for it.

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198105): 
https://lists.openembedded.org/g/openembedded-core/message/198105
Mute This Topic: https://lists.openembedded.org/mt/105396950/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] update-rc.d: add +git to PV

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This hash is ahead of the tag, so adapt PV accordingly.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/update-rc.d/update-rc.d_0.8.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb 
b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
index ba622fe716..27723c88ef 100644
--- a/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
+++ b/meta/recipes-core/update-rc.d/update-rc.d_0.8.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = 
"file://update-rc.d;beginline=5;endline=15;md5=d40a07c27f5354
 
 SRC_URI = "git://git.yoctoproject.org/update-rc.d;branch=master;protocol=https"
 SRCREV = "b8f950105010270a768aa12245d6abf166346015"
+PV .= "+git"
 
 UPSTREAM_CHECK_COMMITS = "1"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198084): 
https://lists.openembedded.org/g/openembedded-core/message/198084
Mute This Topic: https://lists.openembedded.org/mt/105437813/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH] systemd: make predictable name mac policy opt-out

[Peter Marko via lists.openembedded.org]

-Original Message-
From: Alexander Kanavin  
Sent: Tuesday, April 9, 2024 11:16
To: Marko, Peter (ADV D EU SK BFS1) 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] systemd: make predictable name mac policy opt-out

> On Mon, 8 Apr 2024 at 09:06, Peter Marko via lists.openembedded.org 
>  wrote:
> > -   file://0001-NamePolicy.patch \
> > +   ${@bb.utils.contains('PACKAGECONFIG', 
> > + 'predictable-if-mac', 'file://0001-NamePolicy.patch', '', d)} \
>
> Conditional patches are terrible for maintainability. Please make it a proper 
> meson option, and submit upstream.
>
> Alex

This patch has status upstream inappropriate.
Pushing something like that to upstream doesn't sound like a good plan.

What about reverting the inappropriate patch completely instead?

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198061): 
https://lists.openembedded.org/g/openembedded-core/message/198061
Mute This Topic: https://lists.openembedded.org/mt/105396950/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] systemd: make predictable name mac policy opt-out

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Even the patch says it's inappropriate for upstream,
and it's also inappropriate for some downstream projects, too.
So make it possible to opt-out on it.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/systemd/systemd_255.4.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/systemd/systemd_255.4.bb 
b/meta/recipes-core/systemd/systemd_255.4.bb
index 8a816c4bc1..17f28a9897 100644
--- a/meta/recipes-core/systemd/systemd_255.4.bb
+++ b/meta/recipes-core/systemd/systemd_255.4.bb
@@ -28,7 +28,7 @@ SRC_URI += " \
file://systemd-pager.sh \

file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
file://0008-implment-systemd-sysv-install-for-OE.patch \
-   file://0001-NamePolicy.patch \
+   ${@bb.utils.contains('PACKAGECONFIG', 'predictable-if-mac', 
'file://0001-NamePolicy.patch', '', d)} \
"
 
 # patches needed by musl
@@ -88,6 +88,7 @@ PACKAGECONFIG ??= " \
 nss \
 nss-mymachines \
 nss-resolve \
+predictable-if-mac \
 quotacheck \
 randomseed \
 resolved \
@@ -197,6 +198,7 @@ PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false"
 PACKAGECONFIG[polkit_hostnamed_fallback] = "dbus-broker,polkit"
 PACKAGECONFIG[portabled] = "-Dportabled=true,-Dportabled=false"
 PACKAGECONFIG[pstore] = "-Dpstore=true,-Dpstore=false"
+PACKAGECONFIG[predictable-if-mac] = ",,,"
 PACKAGECONFIG[qrencode] = "-Dqrencode=true,-Dqrencode=false,qrencode,,qrencode"
 PACKAGECONFIG[quotacheck] = "-Dquotacheck=true,-Dquotacheck=false"
 PACKAGECONFIG[randomseed] = "-Drandomseed=true,-Drandomseed=false"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#198005): 
https://lists.openembedded.org/g/openembedded-core/message/198005
Mute This Topic: https://lists.openembedded.org/mt/105396950/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH] meta-ide-support: depend recursively on populate_sysroot

[Peter Marko via lists.openembedded.org]

-Original Message-
From: Richard Purdie  
Sent: Wednesday, March 13, 2024 23:04
To: Marko, Peter (ADV D EU SK BFS1) ; 
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] meta-ide-support: depend recursively on 
populate_sysroot

> On Wed, 2024-03-13 at 18:48 +0100, Peter Marko via
> lists.openembedded.org wrote:
> > From: Peter Marko 
> > 
> > Following workflow is broken when built from sstate-cache:
> > https://docs.yoctoproject.org/singleindex.html#setting-up-the-extensible-sdk-environment-directly-in-a-yocto-build
> > This is already broken in kirkstone.
> > 
> > Reproducer:
> > $ bitbake meta-ide-support && bitbake build-sysroots -c
> > build_native_sysroot
> > $ ls -1 build/tmp/sysroots/*/*gdb-cross* && echo OK || echo FAIL #
> > succeeds from scratch
> > build/tmp/sysroots/x86_64/manifest-x86_64-gdb-cross-
> > x86_64.populate_sysroot
> > OK
> > $ rm -rf build/tmp
> > $ bitbake meta-ide-support && bitbake build-sysroots -c
> > build_native_sysroot
> > $ ls -1 build/tmp/sysroots/*/*gdb-cross* && echo OK || echo FAIL #
> > fails from sstate-cache
> > ls: cannot access 'build/tmp/sysroots/*/*gdb-cross*': No such file or
> > directory
> > FAIL
> > 
> > build-sysroot populates sysroot with recipes which run
> > populate_sysroot or populate_sysroot_setscene.
> > Dependency on its own populate_sysroot does not seem to work when
> > building from sstate-cache as this task is not executed.
> > This seem to becaused by inheriting nopackages class which deletes
> > tasks
> > thus messing the setscene dependencies.
> > 
> > Depend explicitly recursively on prepare_recipe_sysroot.
> > 
> > Signed-off-by: Peter Marko 
> > ---
> >  meta/recipes-core/meta/meta-ide-support.bb | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/meta/recipes-core/meta/meta-ide-support.bb
> > b/meta/recipes-core/meta/meta-ide-support.bb
> > index d85aa120c0..9aa87f3056 100644
> > --- a/meta/recipes-core/meta/meta-ide-support.bb
> > +++ b/meta/recipes-core/meta/meta-ide-support.bb
> > @@ -37,4 +37,4 @@ do_deploy () {
> >  
> >  addtask deploy before do_build
> >  
> > -do_build[deptask] += "do_prepare_recipe_sysroot"
> > +do_build[recrdeptask] += "do_populate_sysroot"
>
> Whilst I can agree there is likely a problem, this does not look like
> the right fix. This is running a lot of other sstate task
> do_populate_sysroot tasks which we simply don't care about in the
> context of this recipe.
>
> Which tasks is nopackages deleting which this recipe needs? Can we add
> in the missing dependencies that are needed?
>
> Cheers,
>
> Richard

Unfortunately, I still can see the problem when I remove nopackages class.
I could swear that it worked for me before, but most probably I didn't run from 
sstate-cache.

Thinking about it again, I think that deptask is different from task ordering 
by addtask before/after.
It is not run because it's covered by do_package_setscene.
This statement is based on fact that following patch also fixes this problem:
-do_build[deptask] += "do_prepare_recipe_sysroot"
+addtask prepare_recipe_sysroot after do_patch before do_build

I agree that root of this problem is hidden deeper in bitbake/setscene code, 
but I have no idea how to fix it at that level.
So I could just offer to resubmit with an updated commit message if that would 
be acceptable (temporary) solution.

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197094): 
https://lists.openembedded.org/g/openembedded-core/message/197094
Mute This Topic: https://lists.openembedded.org/mt/104910980/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] expat: patch CVE-2024-28757

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Picked patch from https://github.com/libexpat/libexpat/pull/842
which is referenced in the NVD CVE report.

Signed-off-by: Peter Marko 
---
 .../expat/expat/CVE-2024-28757.patch  | 58 +++
 meta/recipes-core/expat/expat_2.5.0.bb|  1 +
 2 files changed, 59 insertions(+)
 create mode 100755 meta/recipes-core/expat/expat/CVE-2024-28757.patch

diff --git a/meta/recipes-core/expat/expat/CVE-2024-28757.patch 
b/meta/recipes-core/expat/expat/CVE-2024-28757.patch
new file mode 100755
index 00..768dab0c84
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-28757.patch
@@ -0,0 +1,58 @@
+From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping 
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH] lib/xmlparse.c: Detect billion laughs attack with isolated
+ external parser
+
+When parsing DTD content with code like ..
+
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), 
XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` 
accounted
+as indirect input.  Now function accountingGetCurrentAmplification cannot 
calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did 
refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to 
indicate
+no amplification over direct input.  As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external 
parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived 
from
+ghost input "", the shortest possible way to include an 
external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 
22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+
+CVE: CVE-2024-28757
+Upstream-Status: Backport 
[https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8]
+
+Signed-off-by: Peter Marko 
+---
+ lib/xmlparse.c | 6 +-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index b884d82b5..d44baa68d 100644
+--- a/lib/xmlparse.c
 b/lib/xmlparse.c
+@@ -7655,6 +7655,8 @@ copyString(const XML_Char *s, const 
XML_Memory_Handling_Suite *memsuite) {
+ 
+ static float
+ accountingGetCurrentAmplification(XML_Parser rootParser) {
++  //  1.1.12 => 22
++  const size_t lenOfShortestInclude = sizeof("") - 1;
+   const XmlBigCount countBytesOutput
+   = rootParser->m_accounting.countBytesDirect
+ + rootParser->m_accounting.countBytesIndirect;
+@@ -7662,7 +7664,9 @@ accountingGetCurrentAmplification(XML_Parser rootParser) 
{
+   = rootParser->m_accounting.countBytesDirect
+ ? (countBytesOutput
+/ (float)(rootParser->m_accounting.countBytesDirect))
+-: 1.0f;
++: ((lenOfShortestInclude
+++ rootParser->m_accounting.countBytesIndirect)
++   / (float)lenOfShortestInclude);
+   assert(! rootParser->m_parentParser);
+   return amplificationFactor;
+ }
diff --git a/meta/recipes-core/expat/expat_2.5.0.bb 
b/meta/recipes-core/expat/expat_2.5.0.bb
index 7080f934d1..eb7ce1436e 100644
--- a/meta/recipes-core/expat/expat_2.5.0.bb
+++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
 
 SRC_URI = 
"https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2
  \
file://run-ptest \
+   file://CVE-2024-28757.patch \
"
 
 UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/;
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197093): 
https://lists.openembedded.org/g/openembedded-core/message/197093
Mute This Topic: https://lists.openembedded.org/mt/104916404/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] meta-ide-support: depend recursively on populate_sysroot

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Following workflow is broken when built from sstate-cache:
https://docs.yoctoproject.org/singleindex.html#setting-up-the-extensible-sdk-environment-directly-in-a-yocto-build
This is already broken in kirkstone.

Reproducer:
$ bitbake meta-ide-support && bitbake build-sysroots -c build_native_sysroot
$ ls -1 build/tmp/sysroots/*/*gdb-cross* && echo OK || echo FAIL # succeeds 
from scratch
build/tmp/sysroots/x86_64/manifest-x86_64-gdb-cross-x86_64.populate_sysroot
OK
$ rm -rf build/tmp
$ bitbake meta-ide-support && bitbake build-sysroots -c build_native_sysroot
$ ls -1 build/tmp/sysroots/*/*gdb-cross* && echo OK || echo FAIL # fails from 
sstate-cache
ls: cannot access 'build/tmp/sysroots/*/*gdb-cross*': No such file or directory
FAIL

build-sysroot populates sysroot with recipes which run
populate_sysroot or populate_sysroot_setscene.
Dependency on its own populate_sysroot does not seem to work when
building from sstate-cache as this task is not executed.
This seem to becaused by inheriting nopackages class which deletes tasks
thus messing the setscene dependencies.

Depend explicitly recursively on prepare_recipe_sysroot.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/meta/meta-ide-support.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/meta/meta-ide-support.bb 
b/meta/recipes-core/meta/meta-ide-support.bb
index d85aa120c0..9aa87f3056 100644
--- a/meta/recipes-core/meta/meta-ide-support.bb
+++ b/meta/recipes-core/meta/meta-ide-support.bb
@@ -37,4 +37,4 @@ do_deploy () {
 
 addtask deploy before do_build
 
-do_build[deptask] += "do_prepare_recipe_sysroot"
+do_build[recrdeptask] += "do_populate_sysroot"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197075): 
https://lists.openembedded.org/g/openembedded-core/message/197075
Mute This Topic: https://lists.openembedded.org/mt/104910980/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [yocto-security] OE-core CVE metrics for master on Sun 03 Mar 2024 01:00:01 AM HST

[Peter Marko via lists.openembedded.org]

I already mentioned this last week.
https://lists.openembedded.org/g/openembedded-core/message/196199

I think that partial NVD DB update is not working properly as things which were 
corrected by NVD are still showing up in patchmetrics but not in email reports.

For example:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6779
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-6780
kirkstone has glibc 2.35 and nvd recently fixed these to >= 2.37 and these ate 
still in patchmetrics.

Email reports maybe use different (not-broken yet) NVD DB cache or make full 
update instead of incremental?

Peter

-Original Message-
From: yocto-secur...@lists.yoctoproject.org 
 On Behalf Of Richard Purdie via 
lists.yoctoproject.org
Sent: Sunday, March 3, 2024 13:36
To: Simone Weiß ; Steve Sakoman ; 
openembedded-core@lists.openembedded.org; yocto-secur...@lists.yoctoproject.org
Subject: Re: [yocto-security] OE-core CVE metrics for master on Sun 03 Mar 2024 
01:00:01 AM HST

> On Sun, 2024-03-03 at 11:49 +, Simone Weiß wrote:
> > quick check: No news for any old issue, except cpio, which is disputed 
> > by the maintainer.
>
> Thanks, that is really useful to know!
>
> > 
> > > Full list:  Found 41 unpatched CVEs
>
> I'm a bit puzzled/worried that our patch metrics page says 50 rather than 41:
>
> https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-master.txt
>
>:/
>
> Does anyone know why?
>
> Cheers,
>
> Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#196562): 
https://lists.openembedded.org/g/openembedded-core/message/196562
Mute This Topic: https://lists.openembedded.org/mt/104701002/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [yocto-security] OE-core CVE metrics for kirkstone on Sun 25 Feb 2024 03:00:01 AM HST

[Peter Marko via lists.openembedded.org]

Hello,

It looks like
graph in https://autobuilder.yocto.io/pub/non-release/patchmetrics/
and list in 
https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-kirkstone.txt
are no longer updated properly and show old status compared to this email.

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#196199): 
https://lists.openembedded.org/g/openembedded-core/message/196199
Mute This Topic: https://lists.openembedded.org/mt/104579827/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component

[Peter Marko via lists.openembedded.org]

Hello,

This change looks like the right way forward, but it will need two things first:
* dissolve cve-extra-exclusions.inc into recipes, as every exclusion in that 
file will generate a warning in all components except the one for which the 
exclusion actually is meant
* create a (per-recipe) variable to disable it, especially for kernels where we 
have auto-generated exclusion lists which do not match NVD DB state

Best Regards,
  Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#196131): 
https://lists.openembedded.org/g/openembedded-core/message/196131
Mute This Topic: https://lists.openembedded.org/mt/104536878/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] glibc: ignore CVE-2023-0687

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This CVE was backported to glibc 2.35 branch 9 months ago.
NVD recently updated CPE and it appeared in kirkstone cve reports.

https://sourceware.org/git/?p=glibc.git;a=log;h=refs/heads/release/2.35/master
gmon: Fix allocated buffer overflow (bug 29444)
https://sourceware.org/git/?p=glibc.git;a=commit;h=f2820e478c68a73a38f81512cc38b220212a

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc_2.35.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc_2.35.bb 
b/meta/recipes-core/glibc/glibc_2.35.bb
index 21cd99dfdd..3ec6610d01 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -24,7 +24,7 @@ CVE_CHECK_IGNORE += "CVE-2019-1010025"
 CVE_CHECK_IGNORE += "CVE-2023-4527"
 
 # To avoid these in cve-check reports since the recipe version did not change
-CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156"
+CVE_CHECK_IGNORE += "CVE-2023-0687 CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 
CVE-2023-5156"
 
 DEPENDS += "gperf-native bison-native"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#196125): 
https://lists.openembedded.org/g/openembedded-core/message/196125
Mute This Topic: https://lists.openembedded.org/mt/104544466/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][nanbield][PATCH 2/2] sqlite: drop obsolete CVE ignore

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

CVE-2023-36191 is now rejected in NVD DB so it won't shoup up in
cve-check report anymore.

Signed-off-by: Peter Marko 
---
 meta/recipes-support/sqlite/sqlite3_3.43.2.bb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.43.2.bb 
b/meta/recipes-support/sqlite/sqlite3_3.43.2.bb
index 64c1013625..66d6255ac0 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.43.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.43.2.bb
@@ -5,6 +5,3 @@ LIC_FILES_CHKSUM = 
"file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 
 SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz;
 SRC_URI[sha256sum] = 
"6d422b6f62c4de2ca80d61860e3a3fb693554d2f75bb1aaca743ccc4d6f609f0"
-
-CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed 
upstream. But it is not a vulnerability"
-
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#194447): 
https://lists.openembedded.org/g/openembedded-core/message/194447
Mute This Topic: https://lists.openembedded.org/mt/104014856/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][nanbield][PATCH 1/2] sqlite3: upgrade 3.43.1 -> 3.43.2

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This fixes CVE-2024-0232

Signed-off-by: Peter Marko 
---
 .../sqlite/{sqlite3_3.43.1.bb => sqlite3_3.43.2.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/sqlite/{sqlite3_3.43.1.bb => sqlite3_3.43.2.bb} 
(78%)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.43.1.bb 
b/meta/recipes-support/sqlite/sqlite3_3.43.2.bb
similarity index 78%
rename from meta/recipes-support/sqlite/sqlite3_3.43.1.bb
rename to meta/recipes-support/sqlite/sqlite3_3.43.2.bb
index 93146358c7..64c1013625 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.43.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.43.2.bb
@@ -4,7 +4,7 @@ LICENSE = "PD"
 LIC_FILES_CHKSUM = 
"file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66"
 
 SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz;
-SRC_URI[sha256sum] = 
"39116c94e76630f22d54cd82c3cea308565f1715f716d1b2527f1c9c969ba4d9"
+SRC_URI[sha256sum] = 
"6d422b6f62c4de2ca80d61860e3a3fb693554d2f75bb1aaca743ccc4d6f609f0"
 
 CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed 
upstream. But it is not a vulnerability"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#194446): 
https://lists.openembedded.org/g/openembedded-core/message/194446
Mute This Topic: https://lists.openembedded.org/mt/104014852/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] sqlite3: ignore CVE-2024-0232

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This CVE reports bug which was fixed in 3.43.2 by [1].
Code analysis shows that it is fixing caching issue
and this cache was introduced by [2].
This landed only in 3.43.0 so 3.85.5 is not affected.

[1] https://sqlite.org/src/info/5b09212ac05615fc
[2] https://sqlite.org/src/info/2dbb22c75e86f2e3

Signed-off-by: Peter Marko 
---
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb 
b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
index cece207eae..f061b0aa48 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -17,3 +17,5 @@ CVE_CHECK_IGNORE += "CVE-2019-19242"
 CVE_CHECK_IGNORE += "CVE-2015-3717"
 # Issue in an experimental extension we don't have/use. Fixed by 
https://sqlite.org/src/info/b1e0c22ec981cf5f
 CVE_CHECK_IGNORE += "CVE-2021-36690"
+# This was introduced in 3.43.0, 3.38.5 is not yet affected
+CVE_CHECK_IGNORE += "CVE-2024-0232"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#194445): 
https://lists.openembedded.org/g/openembedded-core/message/194445
Mute This Topic: https://lists.openembedded.org/mt/104014812/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][dunfell][PATCH] sqlite3: ignore CVE-2024-0232

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This CVE reports bug which was fixed in 3.43.2 by [1].
Code analysis shows that it is fixing caching issue
and this cache was introduced by [2].
This landed only in 3.43.0 so 3.85.5 is not affected.

[1] https://sqlite.org/src/info/5b09212ac05615fc
[2] https://sqlite.org/src/info/2dbb22c75e86f2e3

Signed-off-by: Peter Marko 
---
 meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb 
b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index ef12ef0db2..b2d8f9f1dd 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -25,3 +25,5 @@ SRC_URI[sha256sum] = 
"62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b5
 CVE_CHECK_WHITELIST += "CVE-2019-19242"
 # This is believed to be iOS specific 
(https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
 CVE_CHECK_WHITELIST += "CVE-2015-3717"
+# This was introduced in 3.43.0, 3.31.1 is not yet affected
+CVE_CHECK_WHITELIST += "CVE-2024-0232"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#19): 
https://lists.openembedded.org/g/openembedded-core/message/19
Mute This Topic: https://lists.openembedded.org/mt/104014792/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

[Peter Marko via lists.openembedded.org]

-Original Message-
From: Ross Burton  
Sent: Monday, January 22, 2024 15:27
To: Marko, Peter (ADV D EU SK BFS1) 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

> On 22 Jan 2024, at 14:16, Marko, Peter  wrote:
> > 
> > Hi Ross,
> > 
> > I think this one is better - 
> > https://lists.openembedded.org/g/openembedded-core/message/193603
> > I'm not sure why it was not picked up yet after 9 days, but It's CPE which 
> > is not matching, not our configuration options…
>
> Ah I didn’t see that.
>
> However the CPE _is_ correct, its our matching which is not.  I assumed there 
> wasn’t enough consistency in the zlib CPEs that we could set one with a 
> vendor.

Yes, it’s inconsistency on our side but still in CPE field. Current CVE status 
option do not offer better selection.
My commit message explains why I have chosen the way to ignore it although it 
will be in the recipe forever (as version 2023-11-16 will be always higher than 
PV)
But I can also resubmit with changing CVE_PRODUCT to "gnu:zlib zlib:zlib" if 
that is the preferred option to go forward.

Peter

>
> Ross


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#194173): 
https://lists.openembedded.org/g/openembedded-core/message/194173
Mute This Topic: https://lists.openembedded.org/mt/103886356/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

[Peter Marko via lists.openembedded.org]

Hi Ross,

I think this one is better - 
https://lists.openembedded.org/g/openembedded-core/message/193603
I'm not sure why it was not picked up yet after 9 days, but It's CPE which is 
not matching, not our configuration options...

Peter

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Ross Burton via 
lists.openembedded.org
Sent: Monday, January 22, 2024 15:04
To: openembedded-core@lists.openembedded.org
Subject: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

> From: Ross Burton 
>
> This issue is specific to the Cloudflare fork of zlib.
>
> Signed-off-by: Ross Burton 
> ---
>  meta/recipes-core/zlib/zlib_1.3.bb | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-core/zlib/zlib_1.3.bb 
> b/meta/recipes-core/zlib/zlib_1.3.bb
> index 1ed18172faa..9db5588d66a 100644
> --- a/meta/recipes-core/zlib/zlib_1.3.bb
> +++ b/meta/recipes-core/zlib/zlib_1.3.bb
> @@ -47,3 +47,4 @@ do_install_ptest() {
>  BBCLASSEXTEND = "native nativesdk"
>  
>  CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
> +CVE_STATUS[CVE-2023-6992] = "not-applicable-config: specific to the 
> Cloudflare fork"
> -- 
> 2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#194167): 
https://lists.openembedded.org/g/openembedded-core/message/194167
Mute This Topic: https://lists.openembedded.org/mt/103886356/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] dropbear: backport patch for CVE-2023-48795

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Documentation for this patch is under
https://github.com/mkj/dropbear/commit/66bc1fcdee594c6cb1139df0ef8a6c9c5fc3fde3

Signed-off-by: Peter Marko 
---
 meta/recipes-core/dropbear/dropbear.inc   |   1 +
 .../dropbear/dropbear/CVE-2023-48795.patch| 234 ++
 2 files changed, 235 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2023-48795.patch

diff --git a/meta/recipes-core/dropbear/dropbear.inc 
b/meta/recipes-core/dropbear/dropbear.inc
index e61930f7db..a32242949b 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -30,6 +30,7 @@ SRC_URI = 
"http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 
'file://dropbear-disable-weak-ciphers.patch', '', d)} \
   file://CVE-2021-36369.patch \
   file://CVE-2023-36328.patch \
+  file://CVE-2023-48795.patch \
   "
 
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
diff --git a/meta/recipes-core/dropbear/dropbear/CVE-2023-48795.patch 
b/meta/recipes-core/dropbear/dropbear/CVE-2023-48795.patch
new file mode 100644
index 00..6800672ab0
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/CVE-2023-48795.patch
@@ -0,0 +1,234 @@
+From 6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 Mon Sep 17 00:00:00 2001
+From: Matt Johnston 
+Date: Mon, 20 Nov 2023 14:02:47 +0800
+Subject: [PATCH] Implement Strict KEX mode
+
+As specified by OpenSSH with kex-strict-c-...@openssh.com and
+kex-strict-s-...@openssh.com.
+
+CVE: CVE-2023-48795
+Upstream-Status: Backport 
[https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356]
+
+Signed-off-by: Peter Marko 
+---
+ cli-session.c| 11 +++
+ common-algo.c|  6 ++
+ common-kex.c | 26 +-
+ kex.h|  3 +++
+ process-packet.c | 34 +++---
+ ssh.h|  4 
+ svr-session.c|  3 +++
+ 7 files changed, 71 insertions(+), 16 deletions(-)
+
+diff --git a/cli-session.c b/src/cli-session.c
+index 5981b2470..d261c8f82 100644
+--- a/cli-session.c
 b/cli-session.c
+@@ -46,6 +46,7 @@ static void cli_finished(void) ATTRIB_NORETURN;
+ static void recv_msg_service_accept(void);
+ static void cli_session_cleanup(void);
+ static void recv_msg_global_request_cli(void);
++static void cli_algos_initialise(void);
+ 
+ struct clientsession cli_ses; /* GLOBAL */
+ 
+@@ -114,6 +115,7 @@ void cli_session(int sock_in, int sock_out, struct 
dropbear_progress_connection
+   }
+ 
+   chaninitialise(cli_chantypes);
++  cli_algos_initialise();
+ 
+   /* Set up cli_ses vars */
+   cli_session_init(proxy_cmd_pid);
+@@ -473,3 +475,12 @@ void cli_dropbear_log(int priority, const char* format, 
va_list param) {
+   fflush(stderr);
+ }
+ 
++static void cli_algos_initialise(void) {
++  algo_type *algo;
++  for (algo = sshkex; algo->name; algo++) {
++  if (strcmp(algo->name, SSH_STRICT_KEX_S) == 0) {
++  algo->usable = 0;
++  }
++  }
++}
++
+diff --git a/common-algo.c b/src/common-algo.c
+index 378f0ca8e..f9d46ebb6 100644
+--- a/common-algo.c
 b/common-algo.c
+@@ -332,6 +332,12 @@ algo_type sshkex[] = {
+   /* Set unusable by svr_algos_initialise() */
+   {SSH_EXT_INFO_C, 0, NULL, 1, NULL},
+ #endif
++#endif
++#if DROPBEAR_CLIENT
++  {SSH_STRICT_KEX_C, 0, NULL, 1, NULL},
++#endif
++#if DROPBEAR_SERVER
++  {SSH_STRICT_KEX_S, 0, NULL, 1, NULL},
+ #endif
+   {NULL, 0, NULL, 0, NULL}
+ };
+diff --git a/common-kex.c b/src/common-kex.c
+index ac8844246..8e33b12a6 100644
+--- a/common-kex.c
 b/common-kex.c
+@@ -183,6 +183,10 @@ void send_msg_newkeys() {
+   gen_new_keys();
+   switch_keys();
+ 
++  if (ses.kexstate.strict_kex) {
++  ses.transseq = 0;
++  }
++
+   TRACE(("leave send_msg_newkeys"))
+ }
+ 
+@@ -193,7 +197,11 @@ void recv_msg_newkeys() {
+ 
+   ses.kexstate.recvnewkeys = 1;
+   switch_keys();
+-  
++
++  if (ses.kexstate.strict_kex) {
++  ses.recvseq = 0;
++  }
++
+   TRACE(("leave recv_msg_newkeys"))
+ }
+ 
+@@ -551,6 +559,10 @@ void recv_msg_kexinit() {
+ 
+   ses.kexstate.recvkexinit = 1;
+ 
++  if (ses.kexstate.strict_kex && !ses.kexstate.donefirstkex && 
ses.recvseq != 1) {
++  dropbear_exit("First packet wasn't kexinit");
++  }
++
+   TRACE(("leave recv_msg_kexinit"))
+ }
+ 
+@@ -861,6 +873,18 @@ static void read_kex_algos() {
+   }
+ #endif
+ 
++  if (!ses.kexstate.donefirstkex) {
++  const char* strict_name;
++  if (IS_DROPBEAR_CLIENT) {
++  strict_name = SSH_STRICT_KEX_S;
++  } else {
++  strict_name = SSH_STRICT_KEX_C;
++  }
++  if (buf_has_algo(ses.payload, strict_name) == DROPBEAR_SUCCESS) 
{
++  

[OE-core][kirkstone][PATCH] sqlite3: backport patch for CVE-2023-7104

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Backport https://sqlite.org/src/info/0e4e7a05c4204b47

Signed-off-by: Peter Marko 
---
 .../sqlite/files/CVE-2023-7104.patch  | 44 +++
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb |  1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2023-7104.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2023-7104.patch 
b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
new file mode 100644
index 00..25c6ba017c
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2023-7104.patch
@@ -0,0 +1,44 @@
+From 09f1652f36c5c4e8a6a640ce887f9ea0f48a7958 Mon Sep 17 00:00:00 2001
+From: dan 
+Date: Thu, 7 Sep 2023 13:53:09 +
+Subject: [PATCH] Fix a buffer overread in the sessions extension that could
+ occur when processing a corrupt changeset.
+
+Upstream-Status: Backport [https://sqlite.org/src/info/0e4e7a05c4204b47]
+CVE: CVE-2022-46908
+Signed-off-by: Peter Marko 
+---
+ sqlite3.c | 18 +++---
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/ext/session/sqlite3session.c b/ext/session/sqlite3session.c
+index 9f862f2465..0491549231 100644
+--- a/sqlite3.c
 b/sqlite3.c
+@@ -213482,15 +213482,19 @@ static int sessionReadRecord(
+ }
+   }
+   if( eType==SQLITE_INTEGER || eType==SQLITE_FLOAT ){
+-sqlite3_int64 v = sessionGetI64(aVal);
+-if( eType==SQLITE_INTEGER ){
+-  sqlite3VdbeMemSetInt64(apOut[i], v);
++if( (pIn->nData-pIn->iNext)<8 ){
++  rc = SQLITE_CORRUPT_BKPT;
+ }else{
+-  double d;
+-  memcpy(, , 8);
+-  sqlite3VdbeMemSetDouble(apOut[i], d);
++  sqlite3_int64 v = sessionGetI64(aVal);
++  if( eType==SQLITE_INTEGER ){
++sqlite3VdbeMemSetInt64(apOut[i], v);
++  }else{
++double d;
++memcpy(, , 8);
++sqlite3VdbeMemSetDouble(apOut[i], d);
++  }
++  pIn->iNext += 8;
+ }
+-pIn->iNext += 8;
+   }
+ }
+   }
diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb 
b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
index 55cc514412..cece207eae 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -7,6 +7,7 @@ SRC_URI = 
"http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \

file://0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch
 \
file://CVE-2022-46908.patch \
file://CVE-2023-36191.patch \
+   file://CVE-2023-7104.patch \
 "
 SRC_URI[sha256sum] = 
"5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#193607): 
https://lists.openembedded.org/g/openembedded-core/message/193607
Mute This Topic: https://lists.openembedded.org/mt/103707069/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][dunfell][PATCH] zlib: ignore CVE-2023-6992

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This CVE is for iCPE cloudflare:zlib.

Alternative to ignoring would be to limit CVE_PRODUCT, but
historic CVEs already have two - gnu:zlib and zlib:zlib.
So limiting it could miss future CVEs.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/zlib/zlib_1.2.11.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb 
b/meta/recipes-core/zlib/zlib_1.2.11.bb
index 910fc2ec17..9355f0556e 100644
--- a/meta/recipes-core/zlib/zlib_1.2.11.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -53,3 +53,6 @@ do_install_append_class-target() {
 }
 
 BBCLASSEXTEND = "native nativesdk"
+
+# this CVE is for cloudflare zlib
+CVE_CHECK_WHITELIST += "CVE-2023-6992"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#193605): 
https://lists.openembedded.org/g/openembedded-core/message/193605
Mute This Topic: https://lists.openembedded.org/mt/103706225/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] zlib: ignore CVE-2023-6992

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This CVE is for iCPE cloudflare:zlib.

Alternative to ignoring would be to limit CVE_PRODUCT, but
historic CVEs already have two - gnu:zlib and zlib:zlib.
So limiting it could miss future CVEs.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/zlib/zlib_1.2.11.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb 
b/meta/recipes-core/zlib/zlib_1.2.11.bb
index d75474dcb6..393ac61e3d 100644
--- a/meta/recipes-core/zlib/zlib_1.2.11.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -54,3 +54,6 @@ do_install:append:class-target() {
 }
 
 BBCLASSEXTEND = "native nativesdk"
+
+# this CVE is for cloudflare zlib
+CVE_CHECK_IGNORE += "CVE-2023-6992"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#193604): 
https://lists.openembedded.org/g/openembedded-core/message/193604
Mute This Topic: https://lists.openembedded.org/mt/103706181/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] zlib: ignore CVE-2023-6992

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This CVE is for iCPE cloudflare:zlib.

Alternative to ignoring would be to limit CVE_PRODUCT, but
historic CVEs already have two - gnu:zlib and zlib:zlib.
So limiting it could miss future CVEs.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/zlib/zlib_1.3.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/zlib/zlib_1.3.bb 
b/meta/recipes-core/zlib/zlib_1.3.bb
index 1ed18172fa..ede75f90bd 100644
--- a/meta/recipes-core/zlib/zlib_1.3.bb
+++ b/meta/recipes-core/zlib/zlib_1.3.bb
@@ -47,3 +47,4 @@ do_install_ptest() {
 BBCLASSEXTEND = "native nativesdk"
 
 CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
+CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: this CVE is for cloudflare zlib"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#193603): 
https://lists.openembedded.org/g/openembedded-core/message/193603
Mute This Topic: https://lists.openembedded.org/mt/103706155/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH 13/21] alsa-utils-scripts: merge into alsa-utils

[Peter Marko via lists.openembedded.org]

Hi Alex,

I'm upgrading my layer from kirkstone to scarthgap and observed that my image 
failed due to gpl3 license.

I want to conveniently install whole alsa-utils except for parts where license 
forbids me to do it.
After your path I would need to list all alsa-utils subpackages except the 
scripts.
And on top of that during every core layer update I'd have to check if there is 
not a new one.

So from this point of view, your statement
"There is no reason to keep the recipe separate: bash dependency is not a 
problem until the alsa-utils-scripts package is explicitly installed into a 
target image."
Is not true, it's a problem for maintenance.

Would something like this be accepted when I'd submit it?
This would return alsa-utils package installation to status before your commit, 
while still keeping alsa-utils single recipe.

diff --git a/meta/recipes-multimedia/alsa/alsa-utils_1.2.10.bb 
b/meta/recipes-multimedia/alsa/alsa-utils_1.2.10.bb
index 4e5ed8dfa0..5f4048938f 100644
--- a/meta/recipes-multimedia/alsa/alsa-utils_1.2.10.bb
+++ b/meta/recipes-multimedia/alsa/alsa-utils_1.2.10.bb
@@ -56,10 +56,10 @@ ALSA_UTILS_PKGS = "\
  alsa-utils-alsactl \
  alsa-utils-alsaloop \
  alsa-utils-alsaucm \
- alsa-utils-scripts \
  alsa-utils-nhltdmicinfo \
 "
 
+PACKAGES += "alsa-utils-scripts"
 PACKAGES += "${ALSA_UTILS_PKGS}"
 RDEPENDS:${PN} += "${ALSA_UTILS_PKGS}"

Thanks,
  Peter

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Alexander Kanavin via 
lists.openembedded.org
Sent: Monday, June 6, 2022 14:01
To: openembedded-core@lists.openembedded.org
Cc: Kanavin, Alexander (EXT) (Linutronix GmbH) 
Subject: [OE-core] [PATCH 13/21] alsa-utils-scripts: merge into alsa-utils

> There is no reason to keep the recipe separate: bash dependency is not a 
> problem until the alsa-utils-scripts package is explicitly installed into a 
> target image.
>
> Signed-off-by: Alexander Kanavin 
> ---

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#193573): 
https://lists.openembedded.org/g/openembedded-core/message/193573
Mute This Topic: https://lists.openembedded.org/mt/91575161/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: Patchtest results for [OE-core][kirkstone][PATCH] openssl: Backport fix for CVE-2023-6129

[Peter Marko via lists.openembedded.org]

CVE_STATUS was not backported to kirkstone.
Any idea how to skip some tests for old branches?

Peter

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Patchtest via 
lists.openembedded.org
Sent: Wednesday, January 10, 2024 12:48
To: Vivek Kumbhar 
Cc: openembedded-core@lists.openembedded.org
Subject: Patchtest results for [OE-core][kirkstone][PATCH] openssl: Backport 
fix for CVE-2023-6129

> Thank you for your submission. Patchtest identified one or more issues with 
> the patch. Please see the log below for more information:
>
> ---
> Testing patch 
> /home/patchtest/share/mboxes/kirkstone-openssl-Backport-fix-for-CVE-2023-6129.patch
>
> FAIL: test CVE check ignore: CVE_CHECK_IGNORE is deprecated and should be 
> replaced by CVE_STATUS (test_metadata.TestMetadata.test_cve_check_ignore)
>
> PASS: pretest src uri left files 
> (test_metadata.TestMetadata.pretest_src_uri_left_files)
> PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
> PASS: test Signed-off-by presence 
> (test_mbox.TestMbox.test_signed_off_by_presence)
> PASS: test Signed-off-by presence 
> (test_patch.TestPatch.test_signed_off_by_presence)
> PASS: test Upstream-Status presence 
> (test_patch.TestPatch.test_upstream_status_presence_format)
> PASS: test author valid (test_mbox.TestMbox.test_author_valid)
> PASS: test commit message presence 
> (test_mbox.TestMbox.test_commit_message_presence)
> PASS: test lic files chksum modified not mentioned 
> (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
> PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
> PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
> PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
> PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
> PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
> PASS: test src uri left files 
> (test_metadata.TestMetadata.test_src_uri_left_files)
>
> SKIP: pretest pylint: No python related patches, skipping test 
> (test_python_pylint.PyLint.pretest_pylint)
> SKIP: test bugzilla entry format: No bug ID found 
> (test_mbox.TestMbox.test_bugzilla_entry_format)
> SKIP: test lic files chksum presence: No added recipes, skipping test 
> (test_metadata.TestMetadata.test_lic_files_chksum_presence)
> SKIP: test license presence: No added recipes, skipping test 
> (test_metadata.TestMetadata.test_license_presence)
> SKIP: test pylint: No python related patches, skipping test 
> (test_python_pylint.PyLint.test_pylint)
> SKIP: test series merge on head: Merge test is disabled for now 
> (test_mbox.TestMbox.test_series_merge_on_head)
> SKIP: test summary presence: No added recipes, skipping test 
> (test_metadata.TestMetadata.test_summary_presence)
> SKIP: test target mailing list: Series merged, no reason to check other 
> mailing lists (test_mbox.TestMbox.test_target_mailing_list)
>
> ---
>
> Please address the issues identified and submit a new revision of the patch, 
> or alternatively, reply to this email with an explanation of why the patch 
> should be accepted. If you believe these results are due to an error in 
> patchtest, please submit a bug at https://bugzilla.yoctoproject.org/ (use the 
> 'Patchtest' category > under 'Yocto Project Subprojects'). For more 
> information on specific failures, see: 
> https://wiki.yoctoproject.org/wiki/Patchtest. Thank you!

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#193496): 
https://lists.openembedded.org/g/openembedded-core/message/193496
Mute This Topic: https://lists.openembedded.org/mt/103639021/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH] dtc: pass version as parameter instead of querying git

[Peter Marko via lists.openembedded.org]

-Original Message-
From: Richard Purdie  
Sent: Wednesday, December 13, 2023 22:58
To: Marko, Peter (ADV D EU SK BFS1) ; 
openembedded-core@lists.openembedded.org; Kanavin, Alexander (EXT) (Linutronix 
GmbH) 
Subject: Re: [OE-core][PATCH] dtc: pass version as parameter instead of 
querying git

> On Wed, 2023-12-13 at 21:53 +, Marko, Peter wrote:
> > 
> > I actually think that building from shallow clones is very non-standard 
> > scenario.
> > Usual builds are either from full clones or from release tarballs.
> > And meson nicely handles these two scenarios.
> > Shallow tarball is an incomplete thing which has storage benefits but also 
> > misses things that buildsystems are relying on.
> > And I don't think I can win a discussion with meson maintainers about this.
> > The vcs functions are standard and have good fallbacks (e.g. to hash) 
> > I could maybe convince them to add option to disable fall back to git hash, 
> > but that would be a long-runner.
>
> They might be more receptive to adding an argument to allow the value to be 
> forced though, particularly if you can explain scenarios where this is the 
> only option and the code get it wrong?
>
> I do think we need to raise these issues with the upstreams and only carry 
> patches if we can't convince them of these challenges.
>
> > Maybe I could add an option to bitbake git fetcher to remove .git folder if 
> > needed?
>
> I'm not sure we want to encourage it. That is actually more maintainable even 
> in the recipe though.
>
> Cheers,
>
> Richard

I reworked this completely, sent it to upstream and submitted as new patch to 
oe-core.
Let's see what is the reaction.

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#192568): 
https://lists.openembedded.org/g/openembedded-core/message/192568
Mute This Topic: https://lists.openembedded.org/mt/103158226/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] dtc: preserve version also from shallow git clones

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Since switch from Makefile to meson based build,
the version is no longer hardcoded but queried from git tag.

This works only if git history is available.
When shallow tarballs are used, tag is not available.

Example error for trusted-firmware-a from meta-arm:
dtc version too old (039a994), you need at least version 1.4.4

Backport also patch to fix version in meson file.

Signed-off-by: Peter Marko 
---
 ...01-meson.build-bump-version-to-1.7.0.patch | 29 ++
 ...n-allow-building-from-shallow-clones.patch | 38 +++
 meta/recipes-kernel/dtc/dtc_1.7.0.bb  |  6 ++-
 3 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 
meta/recipes-kernel/dtc/dtc/0001-meson.build-bump-version-to-1.7.0.patch
 create mode 100644 
meta/recipes-kernel/dtc/dtc/0002-meson-allow-building-from-shallow-clones.patch

diff --git 
a/meta/recipes-kernel/dtc/dtc/0001-meson.build-bump-version-to-1.7.0.patch 
b/meta/recipes-kernel/dtc/dtc/0001-meson.build-bump-version-to-1.7.0.patch
new file mode 100644
index 00..79a3b92b44
--- /dev/null
+++ b/meta/recipes-kernel/dtc/dtc/0001-meson.build-bump-version-to-1.7.0.patch
@@ -0,0 +1,29 @@
+From 9153522103bd4ed7e3299c4d073f66bb37cb2d42 Mon Sep 17 00:00:00 2001
+From: Nikolay Letov 
+Date: Wed, 22 Feb 2023 13:36:07 +0300
+Subject: [PATCH 1/2] meson.build: bump version to 1.7.0
+
+[This was botched in the actual 1.7.0 release :( - David Gibson]
+
+Upstream-Status: Backport 
[https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/?id=64a907f08b9bedd89833c1eee674148cff2343c6]
+
+Signed-off-by: Nikolay Letov 
+Signed-off-by: Peter Marko 
+---
+ meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 78251eb..d88cd9f 100644
+--- a/meson.build
 b/meson.build
+@@ -1,5 +1,5 @@
+ project('dtc', 'c',
+-  version: '1.6.0',
++  version: '1.7.0',
+   license: ['GPL2+', 'BSD-2'],
+   default_options: 'werror=true',
+ )
+-- 
+2.30.2
+
diff --git 
a/meta/recipes-kernel/dtc/dtc/0002-meson-allow-building-from-shallow-clones.patch
 
b/meta/recipes-kernel/dtc/dtc/0002-meson-allow-building-from-shallow-clones.patch
new file mode 100644
index 00..0284905913
--- /dev/null
+++ 
b/meta/recipes-kernel/dtc/dtc/0002-meson-allow-building-from-shallow-clones.patch
@@ -0,0 +1,38 @@
+From 4415b0baece3c4351a6d3637c2754abbefd4795d Mon Sep 17 00:00:00 2001
+From: Peter Marko 
+Date: Sat, 16 Dec 2023 18:58:31 +0100
+Subject: [PATCH 2/2] meson: allow building from shallow clones
+
+When building from shallow clone, tag is not available
+and version defaults to git hash.
+Problem is that some builds check DTC version and fail the comparison.
+Example is https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git
+Which fails to build with following error:
+dtc version too old (039a994), you need at least version 1.4.4
+
+Drop --always from git describe command, see
+https://github.com/mesonbuild/meson/blob/1.3.0/mesonbuild/utils/universal.py#L773
+This will make it more closer to build via Makefile.
+
+Upstream-Status: Submitted [https://github.com/dgibson/dtc/pull/122]
+
+Signed-off-by: Peter Marko 
+---
+ meson.build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/meson.build b/meson.build
+index 78251eb..fc0c92a 100644
+--- a/meson.build
 b/meson.build
+@@ -56,6 +56,7 @@ py = py.find_installation(required: get_option('python'))
+ swig = find_program('swig', required: get_option('python'))
+ 
+ version_gen_h = vcs_tag(
++  command: ['git', 'describe', '--dirty=+'],
+   input: 'version_gen.h.in',
+   output: 'version_gen.h',
+ )
+-- 
+2.30.2
+
diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb 
b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
index 1a78a0c079..0702fc16df 100644
--- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb
+++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
@@ -8,7 +8,11 @@ LIC_FILES_CHKSUM = 
"file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 file://BSD-2-Clause;md5=5d6306d1b08f8df623178dfd81880927 \
 file://README.license;md5=a1eb22e37f09df5b5511b8a278992d0e"
 
-SRC_URI = 
"git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https" 
+SRC_URI = " \
+git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \
+file://0001-meson.build-bump-version-to-1.7.0.patch \
+file://0002-meson-allow-building-from-shallow-clones.patch \
+"
 SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
 
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#192567): 
https://lists.openembedded.org/g/openembedded-core/message/192567
Mute This Topic: https://lists.openembedded.org/mt/103213179/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][PATCH] dtc: pass version as parameter instead of querying git

[Peter Marko via lists.openembedded.org]

-Original Message-
From: Richard Purdie  
Sent: Wednesday, December 13, 2023 22:11
To: Marko, Peter (ADV D EU SK BFS1) ; 
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] dtc: pass version as parameter instead of 
querying git

> On Wed, 2023-12-13 at 22:07 +0100, Peter Marko via lists.openembedded.org 
> wrote:
> > From: Peter Marko 
> > 
> > Since switch from Makefile to meson based build, the version is no 
> > longer hardcoded but queried from git tag.
> > 
> > This works only if git history is available.
> > When shallow tarballs are used, tag is not available.
> > 
> > Example error for trusted-firmware-a from meta-arm:
> > dtc version too old (039a994), you need at least version 1.4.4
> > 
> > Signed-off-by: Peter Marko 
> > ---
> >  ...n-as-parameter-instead-of-querying-g.patch | 49 +++
> >  meta/recipes-kernel/dtc/dtc_1.7.0.bb  |  7 ++-
> >  2 files changed, 54 insertions(+), 2 deletions(-)  create mode 100644 
> > meta/recipes-kernel/dtc/dtc/0001-meson-get-version-as-parameter-instea
> > d-of-querying-g.patch
> > 
> > diff --git 
> > a/meta/recipes-kernel/dtc/dtc/0001-meson-get-version-as-parameter-inst
> > ead-of-querying-g.patch 
> > b/meta/recipes-kernel/dtc/dtc/0001-meson-get-version-as-parameter-inst
> > ead-of-querying-g.patch
> > new file mode 100644
> > index 00..d7906bd6f9
> > --- /dev/null
> > +++ b/meta/recipes-kernel/dtc/dtc/0001-meson-get-version-as-parameter-
> > +++ instead-of-querying-g.patch
> > @@ -0,0 +1,49 @@
> > +From f32056f825b926b5820d43478d11e92eee1ec91f Mon Sep 17 00:00:00 
> > +2001
> > +From: Peter Marko 
> > +Date: Wed, 13 Dec 2023 21:18:14 +0100
> > +Subject: [PATCH] meson: get version as parameter instead of querying 
> > +git
> > +
> > +When using shallow tarballs, git tag is not available.
> > +This causes version to be git hash.
> > +This prevents application from checking minimal required version.
> > +
> > +Example error for trusted-firmware-a from meta-arm:
> > +dtc version too old (039a994), you need at least version 1.4.4
> > +
> > +Upstream-Status: Inappropriate [oe specific]
> > +
> > +Signed-off-by: Peter Marko 
> > +---
> > + meson.build   | 3 ++-
> > + meson_options.txt | 2 ++
> > + 2 files changed, 4 insertions(+), 1 deletion(-)
> > +
>
> I'm not sure that is inappropriate. Has anyone talked to upstream about 
> builds failing from shallow clones?
>
> Cheers,
>
> Richard
> 

I actually think that building from shallow clones is very non-standard 
scenario.
Usual builds are either from full clones or from release tarballs.
And meson nicely handles these two scenarios.
Shallow tarball is an incomplete thing which has storage benefits but also 
misses things that buildsystems are relying on.
And I don't think I can win a discussion with meson maintainers about this.
The vcs functions are standard and have good fallbacks (e.g. to hash)
I could maybe convince them to add option to disable fall back to git hash, but 
that would be a long-runner.

Maybe I could add an option to bitbake git fetcher to remove .git folder if 
needed?

Thanks for review,
Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#192329): 
https://lists.openembedded.org/g/openembedded-core/message/192329
Mute This Topic: https://lists.openembedded.org/mt/103158226/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] dtc: pass version as parameter instead of querying git

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Since switch from Makefile to meson based build,
the version is no longer hardcoded but queried from git tag.

This works only if git history is available.
When shallow tarballs are used, tag is not available.

Example error for trusted-firmware-a from meta-arm:
dtc version too old (039a994), you need at least version 1.4.4

Signed-off-by: Peter Marko 
---
 ...n-as-parameter-instead-of-querying-g.patch | 49 +++
 meta/recipes-kernel/dtc/dtc_1.7.0.bb  |  7 ++-
 2 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 
meta/recipes-kernel/dtc/dtc/0001-meson-get-version-as-parameter-instead-of-querying-g.patch

diff --git 
a/meta/recipes-kernel/dtc/dtc/0001-meson-get-version-as-parameter-instead-of-querying-g.patch
 
b/meta/recipes-kernel/dtc/dtc/0001-meson-get-version-as-parameter-instead-of-querying-g.patch
new file mode 100644
index 00..d7906bd6f9
--- /dev/null
+++ 
b/meta/recipes-kernel/dtc/dtc/0001-meson-get-version-as-parameter-instead-of-querying-g.patch
@@ -0,0 +1,49 @@
+From f32056f825b926b5820d43478d11e92eee1ec91f Mon Sep 17 00:00:00 2001
+From: Peter Marko 
+Date: Wed, 13 Dec 2023 21:18:14 +0100
+Subject: [PATCH] meson: get version as parameter instead of querying git
+
+When using shallow tarballs, git tag is not available.
+This causes version to be git hash.
+This prevents application from checking minimal required version.
+
+Example error for trusted-firmware-a from meta-arm:
+dtc version too old (039a994), you need at least version 1.4.4
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Peter Marko 
+---
+ meson.build   | 3 ++-
+ meson_options.txt | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 78251eb..8a25163 100644
+--- a/meson.build
 b/meson.build
+@@ -55,9 +55,10 @@ py = import('python')
+ py = py.find_installation(required: get_option('python'))
+ swig = find_program('swig', required: get_option('python'))
+ 
+-version_gen_h = vcs_tag(
++version_gen_h = configure_file(
+   input: 'version_gen.h.in',
+   output: 'version_gen.h',
++  configuration: { 'VCS_TAG': get_option('PV')},
+ )
+ 
+ subdir('libfdt')
+diff --git a/meson_options.txt b/meson_options.txt
+index 82621c3..c313d32 100644
+--- a/meson_options.txt
 b/meson_options.txt
+@@ -10,3 +10,5 @@ option('python', type: 'feature', value: 'auto',
+description: 'Build pylibfdt Python library')
+ option('static-build', type: 'boolean', value: false,
+description: 'Build static binaries')
++option('PV', type: 'string', value: 'undefined',
++   description: 'version string to be used instead of getting it from 
git')
+-- 
+2.30.2
+
diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb 
b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
index 1a78a0c079..586a5f91bd 100644
--- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb
+++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
@@ -8,7 +8,10 @@ LIC_FILES_CHKSUM = 
"file://GPL;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 file://BSD-2-Clause;md5=5d6306d1b08f8df623178dfd81880927 \
 file://README.license;md5=a1eb22e37f09df5b5511b8a278992d0e"
 
-SRC_URI = 
"git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https" 
+SRC_URI = " \
+git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \
+file://0001-meson-get-version-as-parameter-instead-of-querying-g.patch \
+"
 SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
 
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)"
@@ -17,7 +20,7 @@ S = "${WORKDIR}/git"
 
 inherit meson pkgconfig
 
-EXTRA_OEMESON = "-Dpython=disabled -Dvalgrind=disabled"
+EXTRA_OEMESON = "-Dpython=disabled -Dvalgrind=disabled -DPV=v${PV}"
 
 PACKAGECONFIG ??= "tools"
 PACKAGECONFIG[tools] = "-Dtools=true,-Dtools=false,flex-native bison-native"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#192325): 
https://lists.openembedded.org/g/openembedded-core/message/192325
Mute This Topic: https://lists.openembedded.org/mt/103158226/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [PATCH] [OE-Core] tzdata: only the timezone subpackage tzdata-core is retained

[Peter Marko via lists.openembedded.org]

I don't think that this is a good idea.
Currently you have a possibility to add to your IMAGE_INSTALL either tzdata (to 
install all data) or tzdata-core (to install minimal subset),
After this change, you can add tzdata or tzdata-core to install minimal subset 
(these packages will be now equal) or dozens of packages to install all without 
a good way to track changes in packages.

Also, this change would require analyzing all components in all layers which 
depend just on tzdata if their dependencies need to be adapted.

Much more reasonable is that you install tzdata-core in your images and let the 
option to install all via just one package to the others.
Or alternatively change the depends to rrecommends and exclude the 
recommendations in your images.
Or add RDEPENDS:${PN}:pn-tzdata = "tzdata-core" to your distro config.

Peter

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Xu, Lizhi via 
lists.openembedded.org
Sent: Monday, December 11, 2023 4:39
To: openembedded-core@lists.openembedded.org
Cc: anca.mihala...@windriver.com
Subject: [PATCH] [OE-Core] tzdata: only the timezone subpackage tzdata-core is 
retained

> To reduce the size of rootfs, the subpackages contained in tzdata.bb will now 
> default to only retaining tzdata-core.
>
> tzdata.bb by default pulls in all possible timezone data packages which 
> increases size of the final root filesystem considerably.
> The customer would like to have extra timezones configurable so that only 
> tzdata-core is chosen by default and rest of the zones are optional.
>
> Signed-off-by: Lizhi Xu 
> ---
>  meta/recipes-extended/timezone/tzdata.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-extended/timezone/tzdata.bb 
> b/meta/recipes-extended/timezone/tzdata.bb
> index dd1960ffa7..7b1d4fd460 100644
> --- a/meta/recipes-extended/timezone/tzdata.bb
> +++ b/meta/recipes-extended/timezone/tzdata.bb
> @@ -201,4 +201,4 @@ CONFFILES:tzdata-core = "${sysconfdir}/localtime 
> ${sysconfdir}/timezone"
>  
>  ALLOW_EMPTY:${PN} = "1"
>  
> -RDEPENDS:${PN} = "${TZ_PACKAGES}"
> +RDEPENDS:${PN} = "tzdata-core"
> --
> 2.43.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#192273): 
https://lists.openembedded.org/g/openembedded-core/message/192273
Mute This Topic: https://lists.openembedded.org/mt/103102817/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] json-c: fix icecc compilation

[Peter Marko via lists.openembedded.org]

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Marco Felsch via 
lists.openembedded.org
Sent: Tuesday, November 28, 2023 23:48
To: openembedded-core@lists.openembedded.org
Cc: yo...@pengutronix.de; m...@pengutronix.de
Subject: [OE-core] [PATCH] json-c: fix icecc compilation

> Skip -Werror to make it possible to compile this recipe with ICECC else all 
> fallthrough comments will be removed since we pre-process the files on the 
> host before sending them to the compile nodes which then cause errors because 
> of default -Werror switch.
>
> Fixes: caf64f85b5c5 ("json-c: update 0.13.1 - > 0.14")
> Signed-off-by: Marco Felsch 
> ---
> Hi,
>
> I'm not familar with the stable material but IMHO this would be somthing for 
> kirkstone.

You need to send a separate patch for kirkstone as this one does not apply 
there.

>
> Regards,
>   Marco
>
>  meta/recipes-devtools/json-c/json-c_0.17.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-devtools/json-c/json-c_0.17.bb 
> b/meta/recipes-devtools/json-c/json-c_0.17.bb
> index f4b7a32cea01..20bcece7685d 100644
> --- a/meta/recipes-devtools/json-c/json-c_0.17.bb
> +++ b/meta/recipes-devtools/json-c/json-c_0.17.bb
> @@ -17,6 +17,9 @@ UPSTREAM_CHECK_REGEX = "json-c-(?P\d+(\.\d+)+)-\d+"
>  
>  RPROVIDES:${PN} = "libjson"
>  
> +# Required for ICECC builds
> +EXTRA_OECMAKE = "-DDISABLE_WERROR=ON"

I don't like removing WERROR unconditionally which decreases quality checks.
Can we do it only in case ICECC is used?
Something like "${@'-DDISABLE_WERROR=ON' if bb.data.inherits_class(icecc, d) 
else ''}"

> +
>  inherit cmake ptest
>  
>  do_install_ptest() {
--
2.39.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191430): 
https://lists.openembedded.org/g/openembedded-core/message/191430
Mute This Topic: https://lists.openembedded.org/mt/102861457/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [PATCH V2] [OE-core] tzdata: Reduced time zone configuration

[Peter Marko via lists.openembedded.org]

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Xu, Lizhi via 
lists.openembedded.org
Sent: Tuesday, November 28, 2023 9:45
To: Marko, Peter (ADV D EU SK BFS1) 
Cc: alex.kier...@gmail.com; openembedded-core@lists.openembedded.org
Subject: Re: [PATCH V2] [OE-core] tzdata: Reduced time zone configuration

> On Tue, 28 Nov 2023 08:13:57 +, Marko, Peter wrote:
> > > > > > tzdata.bb by default pulls in all possible timezone data 
> > > > > > packages which increases size of the final root filesystem 
> > > > > > considerably.
> > > > > > The customer would like to have extra timezones configurable 
> > > > > > so that only tzdata-core is chosen by default and rest of the zones 
> > > > > > are optional.
> > > > > > This change would make the fs size a lot smaller.
> > > > > >
> > > > > > Comparison of customized package volume before and after:
> > > > > > When TZ_PACKAGES contains all tzdata packets, the image size of 
> > > > > > tzdata is 7.4MB.
> > > > > > The difference in mirror size between the two is 7MB.
> > > > > >
> > > > > > When TZ_PACKAGES only retains one tzdata-core, the image size 
> > > > > > generated by tzdata is 320KB.
> > > > > >
> > > > > > Signed-off-by: Lizhi Xu 
> > > > >
> > > > > I get what you're trying to do, but this looks horrid. How about 
> > > > > splitting into multiple packages based on top level directory 
> > > > > (plus the few which sit in the top level directory) using a new 
> > > > > PACKAGESPLITFUNCS so you don't have to hardcode the list of packages?
> > > > >
> > > >
> > > > Foolishly, I didn't actually look at what was in the tzdata recipe 
> > > > first and it already splits things... I'm lost, can't you just 
> > > > remove things from TZ_PACKAGES to get what you're after?
> > > To achieve a final reduction in the size of the tzdata package, simply 
> > > configuring TZ_PACKAGES is not enough. It is also necessary to delete the 
> > > corresponding zoneinfo when generating the final package, this requires 
> > > performing the corresponding deletion operation in the do_install() task 
> > > simultaneously, which is too complex for users.
> > >
> > > Therefore, this patch is provided to simplify the step of reducing 
> > > package size.
> > > After applying this patch, users only need to modify the OP_TZ in tzd.inc 
> > > to determine which time zones are needed in the final generated package, 
> > > in order to facilitate customization of the final size of the tzdata 
> > > package.
> > >
> > > Thanks,
> > > Lizhi
> > 
> > This is the wrong way how to achieve smaller rootfs.
> > If you grep oe-core and meta-oe for tzdata, you'll see that you break 
> > things (e.g. glib-2.0 ptest depends on specific tzdata you're trying to 
> > remove).
> If the default value of "OP_TZ" is adjusted to the following value, the 
> problem you described will not occur:
> OP_TZ = "tzdata-misc tzdata-posix tzdata-right tzdata-africa \
> tzdata-americas tzdata-antarctica tzdata-arctic tzdata-asia \
> tzdata-atlantic tzdata-australia tzdata-europe tzdata-pacific \  "
> > 
> > Yocto has concept of packages and tzdata is good example how to use them.
> > Just install packages you need instead of generic tzdata package which 
> > pulls all.
> > If you need the empty main tzdata package because of its postinst, then 
> > just reduce the list what is pulled here:
> > RDEPENDS:${PN} = "${TZ_PACKAGES}"
> I didn't understand what you said. 
> If we don't adjust tzdata.bb and instead adjust all packages that depend on 
> tzdata at runtime, the customer may lose patience.
>
> Lizhi

I meant that your patch can be probably reduced to following:
- RDEPENDS:${PN} = "${TZ_PACKAGES}"
+ MAIN_TZ_PACKAGES ?= "${TZ_PACKAGES}"
+ RDEPENDS:${PN} = "${MAIN_TZ_PACKAGES}"
And they you can just do following in your distro:
MAIN_TZ_PACKAGES:pn-tzdata = "tzdata-americas tzdata-europe"

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191348): 
https://lists.openembedded.org/g/openembedded-core/message/191348
Mute This Topic: https://lists.openembedded.org/mt/102777104/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [PATCH V2] [OE-core] tzdata: Reduced time zone configuration

[Peter Marko via lists.openembedded.org]

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Xu, Lizhi via 
lists.openembedded.org
Sent: Tuesday, November 28, 2023 3:38
To: alex.kier...@gmail.com
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH V2] [OE-core] tzdata: Reduced time zone configuration

> On Fri, 24 Nov 2023 16:50:04 +, Alex Kiernan wrote:
> > > > tzdata.bb by default pulls in all possible timezone data packages 
> > > > which increases size of the final root filesystem considerably.
> > > > The customer would like to have extra timezones configurable so 
> > > > that only tzdata-core is chosen by default and rest of the zones are 
> > > > optional.
> > > > This change would make the fs size a lot smaller.
> > > >
> > > > Comparison of customized package volume before and after:
> > > > When TZ_PACKAGES contains all tzdata packets, the image size of tzdata 
> > > > is 7.4MB.
> > > > The difference in mirror size between the two is 7MB.
> > > >
> > > > When TZ_PACKAGES only retains one tzdata-core, the image size 
> > > > generated by tzdata is 320KB.
> > > >
> > > > Signed-off-by: Lizhi Xu 
> > >
> > > I get what you're trying to do, but this looks horrid. How about 
> > > splitting into multiple packages based on top level directory (plus 
> > > the few which sit in the top level directory) using a new 
> > > PACKAGESPLITFUNCS so you don't have to hardcode the list of packages?
> > >
> > 
> > Foolishly, I didn't actually look at what was in the tzdata recipe 
> > first and it already splits things... I'm lost, can't you just remove 
> > things from TZ_PACKAGES to get what you're after?
> To achieve a final reduction in the size of the tzdata package, simply 
> configuring TZ_PACKAGES is not enough. It is also necessary to delete the 
> corresponding zoneinfo when generating the final package, this requires 
> performing the corresponding deletion operation in the do_install() task 
> simultaneously, which is too complex for users. 
>
> Therefore, this patch is provided to simplify the step of reducing package 
> size.
> After applying this patch, users only need to modify the OP_TZ in tzd.inc to 
> determine which time zones are needed in the final generated package, in 
> order to facilitate customization of the final size of the tzdata package.
>
> Thanks,
> Lizhi

This is the wrong way how to achieve smaller rootfs.
If you grep oe-core and meta-oe for tzdata, you'll see that you break things 
(e.g. glib-2.0 ptest depends on specific tzdata you're trying to remove).

Yocto has concept of packages and tzdata is good example how to use them.
Just install packages you need instead of generic tzdata package which pulls 
all.
If you need the empty main tzdata package because of its postinst, then just 
reduce the list what is pulled here:
RDEPENDS:${PN} = "${TZ_PACKAGES}"

Peter


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191345): 
https://lists.openembedded.org/g/openembedded-core/message/191345
Mute This Topic: https://lists.openembedded.org/mt/102777104/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH v2 2/2] cve-update-nvd2-native: make number of fetch attemtps configurable

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Sometimes NVD servers are unstable and return too many errors.

Last time we increased number of attempts from 3 to 5, but
further increasing is not reasonable as in normal case
too many retries is just abusive.

Keep retries low as default and allow to increase as needed.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/meta/cve-update-nvd2-native.bb | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb 
b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 64a96a46f0..dab0b69edc 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -26,6 +26,9 @@ NVDCVE_API_KEY ?= ""
 # Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
 
+# Number of attmepts for each http query to nvd server before giving up
+CVE_DB_UPDATE_ATTEMPTS ?= "5"
+
 CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
 
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
@@ -111,7 +114,7 @@ def cleanup_db_download(db_file, db_tmp_file):
 if os.path.exists(db_tmp_file):
 os.remove(db_tmp_file)
 
-def nvd_request_next(url, api_key, args):
+def nvd_request_next(url, attempts, api_key, args):
 """
 Request next part of the NVD dabase
 """
@@ -127,7 +130,7 @@ def nvd_request_next(url, api_key, args):
 request.add_header("apiKey", api_key)
 bb.note("Requesting %s" % request.full_url)
 
-for attempt in range(5):
+for attempt in range(attempts):
 try:
 r = urllib.request.urlopen(request)
 
@@ -183,10 +186,11 @@ def update_db_file(db_tmp_file, d, database_time):
 index = 0
 url = d.getVar("NVDCVE_URL")
 api_key = d.getVar("NVDCVE_API_KEY") or None
+attempts = int(d.getVar("CVE_DB_UPDATE_ATTEMPTS"))
 
 while True:
 req_args['startIndex'] = index
-raw_data = nvd_request_next(url, api_key, req_args)
+raw_data = nvd_request_next(url, attempts, api_key, req_args)
 if raw_data is None:
 # We haven't managed to download data
 return False
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191324): 
https://lists.openembedded.org/g/openembedded-core/message/191324
Mute This Topic: https://lists.openembedded.org/mt/102836849/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH v2 1/2] cve-update-nvd2-native: remove unused variable CVE_SOCKET_TIMEOUT

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This variable is not referenced in oe-core anymore.

Signed-off-by: Peter Marko 
---
v2: typo in commit message

 meta/recipes-core/meta/cve-update-nvd2-native.bb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb 
b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 67d76f75dd..64a96a46f0 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -26,9 +26,6 @@ NVDCVE_API_KEY ?= ""
 # Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
 
-# Timeout for blocking socket operations, such as the connection attempt.
-CVE_SOCKET_TIMEOUT ?= "60"
-
 CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
 
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191323): 
https://lists.openembedded.org/g/openembedded-core/message/191323
Mute This Topic: https://lists.openembedded.org/mt/102836847/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH 2/2] cve-update-nvd2-native: make number of fetch attemtps configurable

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Sometimes NVD servers are unstable and return too many errors.

Last time we increased number of attempts from 3 to 5, but
further increasing is not reasonable as in normal case
too many retries is just abusive.

Keep retries low as default and allow to increase as needed.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/meta/cve-update-nvd2-native.bb | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb 
b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 64a96a46f0..dab0b69edc 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -26,6 +26,9 @@ NVDCVE_API_KEY ?= ""
 # Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
 
+# Number of attmepts for each http query to nvd server before giving up
+CVE_DB_UPDATE_ATTEMPTS ?= "5"
+
 CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
 
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
@@ -111,7 +114,7 @@ def cleanup_db_download(db_file, db_tmp_file):
 if os.path.exists(db_tmp_file):
 os.remove(db_tmp_file)
 
-def nvd_request_next(url, api_key, args):
+def nvd_request_next(url, attempts, api_key, args):
 """
 Request next part of the NVD dabase
 """
@@ -127,7 +130,7 @@ def nvd_request_next(url, api_key, args):
 request.add_header("apiKey", api_key)
 bb.note("Requesting %s" % request.full_url)
 
-for attempt in range(5):
+for attempt in range(attempts):
 try:
 r = urllib.request.urlopen(request)
 
@@ -183,10 +186,11 @@ def update_db_file(db_tmp_file, d, database_time):
 index = 0
 url = d.getVar("NVDCVE_URL")
 api_key = d.getVar("NVDCVE_API_KEY") or None
+attempts = int(d.getVar("CVE_DB_UPDATE_ATTEMPTS"))
 
 while True:
 req_args['startIndex'] = index
-raw_data = nvd_request_next(url, api_key, req_args)
+raw_data = nvd_request_next(url, attempts, api_key, req_args)
 if raw_data is None:
 # We haven't managed to download data
 return False
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191319): 
https://lists.openembedded.org/g/openembedded-core/message/191319
Mute This Topic: https://lists.openembedded.org/mt/102836501/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH 1/2] cve-update-nvd2-native: remove unused variable CVE_DB_UPDATE_RETRIES

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This variable is not referenced in oe-core anymore.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/meta/cve-update-nvd2-native.bb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb 
b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 67d76f75dd..64a96a46f0 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -26,9 +26,6 @@ NVDCVE_API_KEY ?= ""
 # Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
 
-# Timeout for blocking socket operations, such as the connection attempt.
-CVE_SOCKET_TIMEOUT ?= "60"
-
 CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
 
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191318): 
https://lists.openembedded.org/g/openembedded-core/message/191318
Mute This Topic: https://lists.openembedded.org/mt/102836497/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [yocto-security] OE-core CVE metrics for nanbield on Sun 26 Nov 2023 05:00:01 AM HST

[Peter Marko via lists.openembedded.org]

Yes, nvd servers are in really bad state currently.
I need up to 12 retries on http calls to get trough...

I will contribute to make the retry count value (currently hardcoded to 5) 
configurable via variable.
I'm planning to run it at low default and increase temporarily when quality 
decreases.

Peter

-Original Message-
From: yocto-secur...@lists.yoctoproject.org 
 On Behalf Of Steve Sakoman via 
lists.yoctoproject.org
Sent: Monday, November 27, 2023 15:33
To: openembedded-core@lists.openembedded.org; 
yocto-secur...@lists.yoctoproject.org
Subject: Re: [yocto-security] OE-core CVE metrics for nanbield on Sun 26 Nov 
2023 05:00:01 AM HST

> You may have noticed that these reports weren't sent on the normal schedule.
>
> This is due to repeated failures in updating the database:
>
> WARNING: cve-update-nvd2-native-1.0-r0 do_fetch: CVE database update failed
>
> I tried many times yesterday, but was largely unsuccessful. I was able to get 
> nanbield and master to complete, but in both cases it took longer than two 
> hours for the database to update! Every other attempt also had extremely slow 
> updates and then would fail an hour or so into the process.
>
> Is anyone else experiencing this issue?
>
> Steve


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191306): 
https://lists.openembedded.org/g/openembedded-core/message/191306
Mute This Topic: https://lists.openembedded.org/mt/102829796/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] init-manager-mdev-busybox: Keep sysvinit distro feature on

[Peter Marko via lists.openembedded.org]

From: openembedded-core@lists.openembedded.org 
 On Behalf Of Khem Raj via 
lists.openembedded.org

> The rcS script that busybox-init provides is able to run scripts that
> are available as part of sysvinit, therefore its fine to keep sysvinit
> distro feature enabled so that we can build complex systems with
> busybox as init system.
>
> Signed-off-by: Khem Raj 
> ---
>  meta/conf/distro/include/init-manager-mdev-busybox.inc | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/meta/conf/distro/include/init-manager-mdev-busybox.inc 
> b/meta/conf/distro/include/init-manager-mdev-busybox.inc
> index 12091cba68c..a5a61bbe4d2 100644
> --- a/meta/conf/distro/include/init-manager-mdev-busybox.inc
> +++ b/meta/conf/distro/include/init-manager-mdev-busybox.inc
> @@ -1,5 +1,6 @@
>  # enable mdev/busybox for init
> -DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " systemd sysvinit"
> +DISTRO_FEATURES:append = " sysvinit"

I don't think that this append is a good idea.
I want a small, lean, controllable init system, not a complex one.
This probably belongs to distro or to a new INIT_MANAGER type.

> +DISTRO_FEATURES_BACKFILL_CONSIDERED:append = " systemd"
>  VIRTUAL-RUNTIME_dev_manager ??= "busybox-mdev"
>  VIRTUAL-RUNTIME_init_manager ??= "busybox"
>  VIRTUAL-RUNTIME_initscripts ??= "initscripts"
> -- 
> 2.43.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191126): 
https://lists.openembedded.org/g/openembedded-core/message/191126
Mute This Topic: https://lists.openembedded.org/mt/102757523/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] go: ignore CVE-2023-45283 and CVE-2023-45284

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

These CVEs affect path handling on Windows.

Signed-off-by: Peter Marko 
---
 meta/recipes-devtools/go/go-1.17.13.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 461819d80f..a0974629fb 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -54,5 +54,5 @@ SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784
 # https://github.com/golang/go/issues/30999#issuecomment-910470358
 CVE_CHECK_IGNORE += "CVE-2021-29923"
 
-# This is specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2022-41716"
+# This are specific to Microsoft Windows
+CVE_CHECK_IGNORE += "CVE-2022-41716 CVE-2023-45283 CVE-2023-45284"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190938): 
https://lists.openembedded.org/g/openembedded-core/message/190938
Mute This Topic: https://lists.openembedded.org/mt/102717209/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] goarch: Move Go architecture mapping to a library

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Other spaces uses the Go architecture definitions as their own (for
example, container arches are defined to be Go arches). To make it
easier for other places to use this mapping, move the code that does the
translation of OpenEmbedded arches to Go arches to a library.

(From oe-core rev: 3e86f72fc2e1cc2e5ea4b4499722d736941167ce)

This commit together with meta-virtualization commit
115f6367f37095415f289fb6981cda9608ac72ff
broke meta-virtualization master used with
meta-lts-mixins kirkstone/go which is our primary
usecase for having kirkstone/go mixin layer

Manually crafted since cherry-pick had too many conflicts:
* different path to classes
* additional architecture loongarch64
* different way how to import library

Signed-off-by: Peter Marko 
Cc: Joshua Watt 
Cc: Bruce Ashfield 
Cc: Jose Quaresma 
---
 meta/classes/base.bbclass   |  2 +-
 meta/classes/goarch.bbclass | 27 +++
 meta/lib/oe/go.py   | 32 
 3 files changed, 36 insertions(+), 25 deletions(-)
 create mode 100644 meta/lib/oe/go.py

diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index b15c5839b6..ee26ee5597 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -12,7 +12,7 @@ inherit logging
 
 OE_EXTRA_IMPORTS ?= ""
 
-OE_IMPORTS += "os sys time oe.path oe.utils oe.types oe.package 
oe.packagegroup oe.sstatesig oe.lsb oe.cachedpath oe.license oe.qa 
oe.reproducible oe.rust ${OE_EXTRA_IMPORTS}"
+OE_IMPORTS += "os sys time oe.path oe.utils oe.types oe.package 
oe.packagegroup oe.sstatesig oe.lsb oe.cachedpath oe.license oe.qa 
oe.reproducible oe.rust oe.go ${OE_EXTRA_IMPORTS}"
 OE_IMPORTS[type] = "list"
 
 PACKAGECONFIG_CONFARGS ??= ""
diff --git a/meta/classes/goarch.bbclass b/meta/classes/goarch.bbclass
index 92fec16b82..394c0c5d84 100644
--- a/meta/classes/goarch.bbclass
+++ b/meta/classes/goarch.bbclass
@@ -61,31 +61,10 @@ SECURITY_NOPIE_CFLAGS ??= ""
 CCACHE_DISABLE ?= "1"
 
 def go_map_arch(a, d):
-import re
-if re.match('i.86', a):
-return '386'
-elif a == 'x86_64':
-return 'amd64'
-elif re.match('arm.*', a):
-return 'arm'
-elif re.match('aarch64.*', a):
-return 'arm64'
-elif re.match('mips64el.*', a):
-return 'mips64le'
-elif re.match('mips64.*', a):
-return 'mips64'
-elif a == 'mips':
-return 'mips'
-elif a == 'mipsel':
-return 'mipsle'
-elif re.match('p(pc|owerpc)(64le)', a):
-return 'ppc64le'
-elif re.match('p(pc|owerpc)(64)', a):
-return 'ppc64'
-elif a == 'riscv64':
-return 'riscv64'
-else:
+arch = oe.go.map_arch(a)
+if not arch:
 raise bb.parse.SkipRecipe("Unsupported CPU architecture: %s" % a)
+return arch
 
 def go_map_arm(a, d):
 if a.startswith("arm"):
diff --git a/meta/lib/oe/go.py b/meta/lib/oe/go.py
new file mode 100644
index 00..9996057f12
--- /dev/null
+++ b/meta/lib/oe/go.py
@@ -0,0 +1,32 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: MIT
+#
+
+import re
+
+def map_arch(a):
+if re.match('i.86', a):
+return '386'
+elif a == 'x86_64':
+return 'amd64'
+elif re.match('arm.*', a):
+return 'arm'
+elif re.match('aarch64.*', a):
+return 'arm64'
+elif re.match('mips64el.*', a):
+return 'mips64le'
+elif re.match('mips64.*', a):
+return 'mips64'
+elif a == 'mips':
+return 'mips'
+elif a == 'mipsel':
+return 'mipsle'
+elif re.match('p(pc|owerpc)(64le)', a):
+return 'ppc64le'
+elif re.match('p(pc|owerpc)(64)', a):
+return 'ppc64'
+elif a == 'riscv64':
+return 'riscv64'
+return ''
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#190384): 
https://lists.openembedded.org/g/openembedded-core/message/190384
Mute This Topic: https://lists.openembedded.org/mt/102484351/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [yocto] Yocto Project Status 07 November 2023 (WW45)

[Peter Marko via lists.openembedded.org]

The new website looks nice, just https://yoctoproject.org/development/releases/ 
is populated by:
Plugin JSON Content Importer Pro not running: Check Licence! Check that a 
Licence is active for https://yoctoproject.org
Instead of actual release data.

Peter

From: yo...@lists.yoctoproject.org  On Behalf Of 
Neal Caidin via lists.yoctoproject.org
Sent: Tuesday, November 7, 2023 16:53
To: yo...@lists.yoctoproject.org; openembedded-core@lists.openembedded.org
Cc: Stephen Jolley 
Subject: [yocto] Yocto Project Status 07 November 2023 (WW45)


Current Dev Position: YP 4.3 (Final Release)

Next Deadline: 27th October 2023 YP 4.3 Final Release


Next Team Meetings:

  *   Bug Triage meeting Thursday November 9, 7:30 am PDT 
(https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
  *   Weekly Project Engineering Sync Tuesday November 7th at 8 am PDT 
(https://zoom.us/j/990892712?pwd=cHU1MjhoM2x6ck81bkcrYjRrcmJsUT09)
  *   Twitch -  See https://www.twitch.tv/theyoctojester


Key Status/Updates:

  *   The YP 4.3 release now has documentation completed and is likely to be 
released in the next few days.
  *   Patchtest is now replying live on the mailing list for OE-Core and the 
threading issues were resolved. We are continuing to tweak some of the tests to 
best suit our needs and address issues.
  *   Meta-openembedded now has patch metrics and CVE reporting: 
https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/
  *   Meta-openembedded has had automatic upgrade emails being sent to the 
openembedded-devel list. These can be manually triggered from the autobuilder.
  *   Recipetool is now able to better handle go modules.
  *   The 32bit x86 non-kvm 6.5 kernel early boot crash investigation is 
ongoing, upstream are aware.
  *   The Yocto Project website has had a refresh 
(www.yoctoproject.org)


Ways to contribute:

  *   As people are likely aware, the project has a number of components which 
are either unmaintained, or have people with little to no time trying to keep 
them alive. These components include: patchtest, layerindex, devtool, toaster, 
wic, oeqa, autobuilder, CROPs containers, pseudo and more. Many have open bugs. 
Help is welcome in trying to better look after these components!
  *   There are bugs identified as possible for newcomers to the project: 
https://wiki.yoctoproject.org/wiki/Newcomers
  *   There are bugs that are currently unassigned for YP 4.3. See: 
https://wiki.yoctoproject.org/wiki/Bug_Triage#Medium.2B_4.3_Unassigned_Enhancements.2FBugs
  *   We’d welcome new maintainers for recipes in OE-Core. Please see the list 
at: 
http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/conf/distro/include/maintainers.inc
 and discuss with the existing maintainer, or ask on the OE-Core mailing list. 
We will likely move a chunk of these to “Unassigned” soon to help facilitate 
this.
  *   Help is very much welcome in trying to resolve our autobuilder 
intermittent issues. You can see the list of failures we’re continuing to see 
by searching for the “AB-INT” tag in bugzilla: 
https://bugzilla.yoctoproject.org/buglist.cgi?quicksearch=AB-INT.
  *   Help us resolve CVE issues: CVE 
metrics
  *   We have a growing number of bugs in bugzilla, any help with them is 
appreciated.


YP 4.3 Milestone Dates:

  *   YP 4.3 M3 was released.
  *   YP 4.3 M4 build date  2023/10/02
  *   YP 4.3 M4 Release date 2023/10/27


YP 5.0 Milestone Dates:

  *   YP 5.0 M1 build date 2023/12/04
  *   YP 5.0 M1 Release date 2023/12/15
  *   YP 5.0 M2 build date  2024/01/15
  *   YP 5.0 M2 Release date 2024/01/24
  *   YP 5.0 M3 build date  2024/02/19
  *   YP 5.0 M3 Release date 2024/03/01
  *   YP 5.0 M4 build date  2024/04/01
  *   YP 5.0 M4 Release date 2024/04/30


Upcoming dot releases:

  *   YP 3.1.29 build date 2023/10/30
  *   YP 3.1.29 Release date 2023/11/10
  *   YP 4.0.14 build date 2023/11/06
  *   YP 4.0.14 Release date 2023/11/17
  *   YP 4.2.4 build date 2023/11/13
  *   YP 4.2.4 Release date 2023/11/24
  *   YP 4.3.1 build date 2023/11/27
  *   YP 4.3.1 Release date 2023/12/08
  *   YP 3.1.30 build date 2023/12/11
  *   YP 3.1.30 Release date 2023/12/22
  *   YP 4.0.15 build date 2023/12/18
  *   YP 4.0.15 Release date 2023/12/29
  *   YP 4.3.2 build date 2024/01/08
  *   YP 4.3.2 Release date 2024/01/19
  *   YP 3.1.31 build date 2024/01/22
  *   YP 3.1.31 Release date 2024/02/02
  *   YP 4.0.16 build date 2024/01/29
  *   YP 4.0.16 Release date 2024/02/09
  *   YP 4.3.3 build date 2024/02/12
  *   YP 4.3.3 Release date 2024/02/23
  *   YP 3.1.32 build date 2024/03/04
  *   YP 3.1.32 Release date 2024/03/15
  *   YP 4.0.17 build date 2024/03/11
  *   YP 4.0.17 Release date 2024/03/22
  *   YP 4.3.4 build date 2024/03/25
  *   YP 4.3.4 Release date 2024/04/05
  *   YP 3.1.33 build date 2024/04/15
  *   YP 3.1.33 Release date 2024/04/26
  *   YP 4.0.18 build date 

[OE-core][dunfell][PATCH] glibc: ignore CVE-2023-4527

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This vulnerability was introduced in 2.36, so 2.31 is not vulnerable.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc_2.31.bb | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/meta/recipes-core/glibc/glibc_2.31.bb 
b/meta/recipes-core/glibc/glibc_2.31.bb
index 1862586749..8298088323 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -29,6 +29,13 @@ CVE_CHECK_WHITELIST += "CVE-2019-1010025"
 # 
https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=dunfell=e1e89ff7d75c3d2223f9e3bd875b9b0c5e15836b
 CVE_CHECK_WHITELIST += "CVE-2021-35942"
 
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4527
+# This vulnerability was introduced in 2.36 by commit
+# f282cdbe7f436c75864e5640a409a10485e9abb2 resolv: Implement no- stub 
resolver option
+# so our version is not yet vulnerable
+# See https://sourceware.org/bugzilla/show_bug.cgi?id=30842
+CVE_CHECK_WHITELIST += "CVE-2023-4527"
+
 DEPENDS += "gperf-native bison-native make-native"
 
 NATIVESDKFIXES ?= ""
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189866): 
https://lists.openembedded.org/g/openembedded-core/message/189866
Mute This Topic: https://lists.openembedded.org/mt/102303419/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] glibc: ignore CVE-2023-4527

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

This vulnerability was introduced in 2.36, so 2.35 is not vulnerable.

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc_2.35.bb | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/meta/recipes-core/glibc/glibc_2.35.bb 
b/meta/recipes-core/glibc/glibc_2.35.bb
index 271520f76b..21cd99dfdd 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -16,6 +16,13 @@ CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 
CVE-2019-1010024"
 # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
 CVE_CHECK_IGNORE += "CVE-2019-1010025"
 
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4527
+# This vulnerability was introduced in 2.36 by commit
+# f282cdbe7f436c75864e5640a409a10485e9abb2 resolv: Implement no- stub 
resolver option
+# so our version is not yet vulnerable
+# See https://sourceware.org/bugzilla/show_bug.cgi?id=30842
+CVE_CHECK_IGNORE += "CVE-2023-4527"
+
 # To avoid these in cve-check reports since the recipe version did not change
 CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189865): 
https://lists.openembedded.org/g/openembedded-core/message/189865
Mute This Topic: https://lists.openembedded.org/mt/102303256/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] libxml2: Patch CVE-2023-45322

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Backport patch for gitlab issue mentioned in NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Backport also one of 14 patches for older issue with similar errors
to have clean cherry-pick without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/344

The CVE is disputed because the maintainer does not think that
errors after memory allocation failures are not critical enough
to warrant a CVE ID.
This patch will formally fix reported error case, trying to backport
another 13 patches and resolve conflicts would be probably overkill
due to disputed state.
This CVE was ignored on master branch (as diputed).

Signed-off-by: Peter Marko 
---
 .../libxml/libxml2/CVE-2023-45322-1.patch | 49 
 .../libxml/libxml2/CVE-2023-45322-2.patch | 79 +++
 meta/recipes-core/libxml/libxml2_2.9.14.bb|  2 +
 3 files changed, 130 insertions(+)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
new file mode 100644
index 00..5f1cb72534
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-1.patch
@@ -0,0 +1,49 @@
+From a22bd982bf10291deea8ba0c61bf75b898c604ce Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Wed, 2 Nov 2022 15:44:42 +0100
+Subject: [PATCH] malloc-fail: Fix memory leak in xmlStaticCopyNodeList
+
+Found with libFuzzer, see #344.
+
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/a22bd982bf10291deea8ba0c61bf75b898c604ce]
+
+Signed-off-by: Peter Marko 
+---
+ tree.c | 7 +--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 507869efe..647288ce3 100644
+--- a/tree.c
 b/tree.c
+@@ -4461,7 +4461,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+   }
+   if (doc->intSubset == NULL) {
+   q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-  if (q == NULL) return(NULL);
++  if (q == NULL) goto error;
+   q->doc = doc;
+   q->parent = parent;
+   doc->intSubset = (xmlDtdPtr) q;
+@@ -4473,7 +4473,7 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+   } else
+ #endif /* LIBXML_TREE_ENABLED */
+   q = xmlStaticCopyNode(node, doc, parent, 1);
+-  if (q == NULL) return(NULL);
++  if (q == NULL) goto error;
+   if (ret == NULL) {
+   q->prev = NULL;
+   ret = p = q;
+@@ -4486,6 +4486,9 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, 
xmlNodePtr parent) {
+   node = node->next;
+ }
+ return(ret);
++error:
++xmlFreeNodeList(ret);
++return(NULL);
+ }
+ 
+ /**
+-- 
+GitLab
+
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch 
b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
new file mode 100644
index 00..845fd70c66
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2023-45322-2.patch
@@ -0,0 +1,79 @@
+From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer 
+Date: Wed, 23 Aug 2023 20:24:24 +0200
+Subject: [PATCH] tree: Fix copying of DTDs
+
+- Don't create multiple DTD nodes.
+- Fix UAF if malloc fails.
+- Skip DTD nodes if tree module is disabled.
+
+Fixes #583.
+
+CVE: CVE-2023-45322
+Upstream-Status: Backport 
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9]
+
+Signed-off-by: Peter Marko 
+---
+ tree.c | 31 ---
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/tree.c b/tree.c
+index 6c8a875b9..02c1b5791 100644
+--- a/tree.c
 b/tree.c
+@@ -4471,29 +4471,28 @@ xmlNodePtr
+ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) {
+ xmlNodePtr ret = NULL;
+ xmlNodePtr p = NULL,q;
++xmlDtdPtr newSubset = NULL;
+ 
+ while (node != NULL) {
+-#ifdef LIBXML_TREE_ENABLED
+   if (node->type == XML_DTD_NODE ) {
+-  if (doc == NULL) {
++#ifdef LIBXML_TREE_ENABLED
++  if ((doc == NULL) || (doc->intSubset != NULL)) {
+   node = node->next;
+   continue;
+   }
+-  if (doc->intSubset == NULL) {
+-  q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
+-  if (q == NULL) goto error;
+-  q->doc = doc;
+-  q->parent = parent;
+-  doc->intSubset = (xmlDtdPtr) q;
+-  xmlAddChild(parent, q);
+-  } else {
+-  q = (xmlNodePtr) doc->intSubset;
+-  xmlAddChild(parent, q);
+-  }
+-  } else
++q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node );
++if (q == NULL) goto error;
++q->doc = doc;
++q->parent = parent;
++ 

Re: [oe-core][kirkstone][PATCH 1/2] curl: fix CVE-2023-38545

[Peter Marko via lists.openembedded.org]

Gentle ping.
It would be great to have this in next kirkstone release which will be built in 
a week.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189769): 
https://lists.openembedded.org/g/openembedded-core/message/189769
Mute This Topic: https://lists.openembedded.org/mt/101936671/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses

[Peter Marko via lists.openembedded.org]

Hello Marta,

Major reason why we introduced CVE_STATUS was exactly to avoid patch like this.
There were ideas to introduce 5 or 10 or 15 different statuses and we decided 
to keep 3 and introduce “sub-statuses”.
These sub-statuses are listed in cve reports, too.

Currently we have three main statuses:
Patched – common status for all sub-statuses which indicate that component is 
not vulnerable
Unpatched - common status for all sub-statuses which indicate that component is 
vulnerable
Ignored - common status for all sub-statuses which indicate that component is 
vulnerable but not in yocto configuration context

If we don’t like “Patched” we can rename it (e.g. to  “Unaffected”) and have 
additional sub-statuses under this new name.
Otherwise we start exploding the statuses as someone will “need” additional one 
soon.

If we really want to introduce these new statues (I hope not), please modify 
this patch to handle its CVE_STATUS flags, too.
Additionally, I’d drop “Undecidable” and map it to “Unpatched” (so someone 
needs to analyze as any other open vulnerability report)

Best Regards,
  Peter

From: Marta Rybczynska 
Sent: Wednesday, October 25, 2023 14:44
To: Andrej Valek 
Cc: Matsunaga-Shinji ; Richard Purdie 
; OE-core 
; Shunsuke Tokumoto 
; Marko, Peter (ADV D EU SK BFS1) 

Subject: Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 
statuses

Hello Andrej,
This patch is splitting the Patched state, not the ignore one. This is not 
incorrect CPE or anything else.

Currently Patched means one of two situations: either this issue has never 
affected the code base (example: we have version 1.0, issue was introduced in 
2.0 and fixed in 2.1), or the issue has been fixed.

Yes, another reason to say ignore, not affected is a manual analysis showing a 
thing like: the issue affects only windows.

Regards,
Marta

On Wed, 25 Oct 2023, 12:18 Andrej Valek, 
mailto:andre...@skyrain.eu>> wrote:
Hi Marta,

That's fine, as I said we designed the "ignore" with status
"cpe-incorrect" or "ignored" exactly for those purposes. Extending the
option with "not affected" doesn't make any sense.

You have to set the status to "why is not affected" = "ignored". Which
completely covers the requested case.

Regards,
Andrej

On 25.10.2023 11:33, Marta Rybczynska wrote:
> Hi Andrej,
> This is more complex. "Not affected" is also an issue that isn't present in 
> the
> code - like when we have a version that has never had the vulnerability.
> Those are also currently 'Patched' in cve-check.
>
> This work is in sync with what VEX is doing, is it the use-case
> Matsanaga-Shinji?
>
> Regards,
> Marta
>
> On Wed, Oct 25, 2023 at 8:44 AM Andrej Valek 
> mailto:andre...@skyrain.eu>> wrote:
>> Hi all,
>>
>> Do we really need a new "not_affected" state? I guess the ignore state
>> is exactly designed for those purposes.
>>
>> Regards,
>> Andrej
>>
>> On 25.10.2023 07:13, Matsunaga-Shinji wrote:
>>> CVEs that are currently considered "Patched" are classified into the 
>>> following 3 statuses:
>>> 1. "Patched"  - means that a patch file that fixed the vulnerability 
>>> has been applied
>>> 2. "Not affected" - means that the package version (PV) is not affected by 
>>> the vulnerability
>>> 3. "Undecidable"  - means that versions cannot be compared to determine if 
>>> they are affected by the vulnerability
>>>
>>> Signed-off-by: Shinji Matsunaga 
>>> mailto:shin.matsun...@fujitsu.com>>
>>> Signed-off-by: Shunsuke Tokumoto 
>>> mailto:s-tokum...@fujitsu.com>>
>>> ---
>>>
>>> Changes for v2:
>>>  - Fix the status "Out of range" to "Not affected"
>>>
>>>meta/classes/cve-check.bbclass | 55 +++---
>>>1 file changed, 38 insertions(+), 17 deletions(-)
>>>
>>> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
>>> index b55f4299da..502db324df 100644
>>> --- a/meta/classes/cve-check.bbclass
>>> +++ b/meta/classes/cve-check.bbclass
>>> @@ -185,10 +185,10 @@ python do_cve_check () {
>>>patched_cves = get_patched_cves(d)
>>>except FileNotFoundError:
>>>bb.fatal("Failure in searching patches")
>>> -ignored, patched, unpatched, status = check_cves(d, 
>>> patched_cves)
>>> -if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == 
>>> "1" and status):
>>> -cve_data = get_cve_info(d, patched + unpatched + ignored)
>>> -cve_write_data(d, patched, unpatched, ignored, cve_data, 
>>> status)
>>> +ignored, patched, unpatched, not_affected, undecidable, status 
>>> = check_cves(d, patched_cves)
>>> +if patched or unpatched or not_affected or undecidable or 
>>> (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
>>> +cve_data = get_cve_info(d, patched + unpatched + ignored + 
>>> not_affected + undecidable)
>>> +cve_write_data(d, patched, unpatched, ignored, 
>>> not_affected, undecidable, cve_data, 

[OE-core][kirkstone][PATCH] openssl: Upgrade 3.0.11 -> 3.0.12

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3011-and-openssl-3012-24-oct-2023

Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs. 
(CVE-2023-5363)

Signed-off-by: Peter Marko 
---
 .../openssl/{openssl_3.0.11.bb => openssl_3.0.12.bb}| 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.0.11.bb => 
openssl_3.0.12.bb} (99%)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb 
b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.0.11.bb
rename to meta/recipes-connectivity/openssl/openssl_3.0.12.bb
index 22eaa3af33..d8c9b073a2 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.11.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
@@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
 
-SRC_URI[sha256sum] = 
"b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55"
+SRC_URI[sha256sum] = 
"f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189657): 
https://lists.openembedded.org/g/openembedded-core/message/189657
Mute This Topic: https://lists.openembedded.org/mt/102166581/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][master][mickledore][PATCH] openssl: Upgrade 3.1.3 -> 3.1.4

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-313-and-openssl-314-24-oct-2023

Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs. 
(CVE-2023-5363)

Signed-off-by: Peter Marko 
---
 .../openssl/{openssl_3.1.3.bb => openssl_3.1.4.bb}  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.1.3.bb => 
openssl_3.1.4.bb} (99%)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.3.bb 
b/meta/recipes-connectivity/openssl/openssl_3.1.4.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.1.3.bb
rename to meta/recipes-connectivity/openssl/openssl_3.1.4.bb
index 9fd8a205c6..01d477f506 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.3.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.4.bb
@@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
 
-SRC_URI[sha256sum] = 
"f0316a2ebd89e7f2352976445458689f80302093788c466692fb2a188b2eacf6"
+SRC_URI[sha256sum] = 
"840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189655): 
https://lists.openembedded.org/g/openembedded-core/message/189655
Mute This Topic: https://lists.openembedded.org/mt/102163365/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] zlib: patch CVE-2023-45853

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Backport commit merged to develop branch from PR linked in NVD report:
* https://nvd.nist.gov/vuln/detail/CVE-2023-45853
* https://github.com/madler/zlib/pull/843

Signed-off-by: Peter Marko 
---
 .../zlib/zlib/CVE-2023-45853.patch| 42 +++
 meta/recipes-core/zlib/zlib_1.2.11.bb |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2023-45853.patch

diff --git a/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch 
b/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch
new file mode 100644
index 00..ba3709249b
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2023-45853.patch
@@ -0,0 +1,42 @@
+From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
+From: Hans Wennborg 
+Date: Fri, 18 Aug 2023 11:05:33 +0200
+Subject: [PATCH] Reject overflows of zip header fields in minizip.
+
+This checks the lengths of the file name, extra field, and comment
+that would be put in the zip headers, and rejects them if they are
+too long. They are each limited to 65535 bytes in length by the zip
+format. This also avoids possible buffer overflows if the provided
+fields are too long.
+
+CVE: CVE-2023-45853
+Upstream-Status: Backport 
[https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c]
+
+Signed-off-by: Peter Marko 
+
+---
+ contrib/minizip/zip.c | 11 +++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
+index 3d3d4cadd..0446109b2 100644
+--- a/contrib/minizip/zip.c
 b/contrib/minizip/zip.c
+@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile 
file, const char* filename, c
+   return ZIP_PARAMERROR;
+ #endif
+ 
++// The filename and comment length must fit in 16 bits.
++if ((filename!=NULL) && (strlen(filename)>0x))
++return ZIP_PARAMERROR;
++if ((comment!=NULL) && (strlen(comment)>0x))
++return ZIP_PARAMERROR;
++// The extra field length must fit in 16 bits. If the member also requires
++// a Zip64 extra block, that will also need to fit within that 16-bit
++// length, but that will be checked for later.
++if ((size_extrafield_local>0x) || (size_extrafield_global>0x))
++return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+ 
+ if (zi->in_opened_file_inzip == 1)
diff --git a/meta/recipes-core/zlib/zlib_1.2.11.bb 
b/meta/recipes-core/zlib/zlib_1.2.11.bb
index f768b41988..d75474dcb6 100644
--- a/meta/recipes-core/zlib/zlib_1.2.11.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.11.bb
@@ -12,6 +12,7 @@ SRC_URI = 
"${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
file://CVE-2018-25032.patch \
file://run-ptest \
file://CVE-2022-37434.patch \
+   file://CVE-2023-45853.patch \
"
 UPSTREAM_CHECK_URI = "http://zlib.net/;
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189480): 
https://lists.openembedded.org/g/openembedded-core/message/189480
Mute This Topic: https://lists.openembedded.org/mt/102066305/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch

[Peter Marko via lists.openembedded.org]

-Original Message-
From: Vincent Prince  
Sent: Monday, October 9, 2023 21:09
To: Marko, Peter (ADV D EU SK BFS1) 
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 
branch

> Hello,
>
> I have a small question concerning glibc source handling.
>
> I have a machine connected to the Internet that runs
> bitbake -k -f --runall=fetch universe
> and another offline machine that uses the previous fetch as a source mirror.
> When I bitbake my image, it fails to use this with
>
> ERROR: cross-localedef-native-2.35-r0 do_fetch: Bitbake Fetcher Error:
> NetworkAccess('git://sourceware.org/git/glibc.git;branch=release/2.35/master;name=glibc',
> 'LANG=C git -c core.fsyncobjectfiles=0 -c gc.autoDetach=false -c
> core.pager=cat fetch -f --progress git://sourceware.org/git/glibc.git
> refs/heads/*:refs/heads/* refs/tags/*:refs/tags/*')
> It seems git archives seem corrupted?
>
> Do you know what could be causing this?
> Best regards,
> Vincent

Fetch works for me and since it was merged also on autobuilder.
What I can imagine is that your fetch on networked machine failed (e.g. due to 
temporary network problem).
Did you check log on the networked machine?

Peter

>
> Le ven. 6 oct. 2023 à 22:10, Peter Marko via lists.openembedded.org
>  a écrit :
> >
> > From: Peter Marko 
> >
> > Adresses CVE-2023-4911.
> >
> > Single commit bump:
> > * c84018a05ae tunables: Terminate if end of input is reached (CVE-2023-4911)
> >
> > Signed-off-by: Peter Marko 
> > ---
> >  meta/recipes-core/glibc/glibc-version.inc | 2 +-
> >  meta/recipes-core/glibc/glibc_2.35.bb | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/meta/recipes-core/glibc/glibc-version.inc 
> > b/meta/recipes-core/glibc/glibc-version.inc
> > index c23a43576c..e0d47f283b 100644
> > --- a/meta/recipes-core/glibc/glibc-version.inc
> > +++ b/meta/recipes-core/glibc/glibc-version.inc
> > @@ -1,6 +1,6 @@
> >  SRCBRANCH ?= "release/2.35/master"
> >  PV = "2.35"
> > -SRCREV_glibc ?= "73d4ce728a59deb2fd18969e559769b3f590fac9"
> > +SRCREV_glibc ?= "c84018a05aec80f5ee6f682db0da1130b0196aef"
> >  SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
> >
> >  GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
> > diff --git a/meta/recipes-core/glibc/glibc_2.35.bb 
> > b/meta/recipes-core/glibc/glibc_2.35.bb
> > index b4bad5b7ac..271520f76b 100644
> > --- a/meta/recipes-core/glibc/glibc_2.35.bb
> > +++ b/meta/recipes-core/glibc/glibc_2.35.bb
> > @@ -17,7 +17,7 @@ CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 
> > CVE-2019-1010024"
> >  CVE_CHECK_IGNORE += "CVE-2019-1010025"
> >
> >  # To avoid these in cve-check reports since the recipe version did not 
> > change
> > -CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-5156"
> > +CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 
> > CVE-2023-5156"
> >
> >  DEPENDS += "gperf-native bison-native"
> >
> > --
> > 2.30.2
> >
> >
> > 
> >

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188867): 
https://lists.openembedded.org/g/openembedded-core/message/188867
Mute This Topic: https://lists.openembedded.org/mt/101805676/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491

[Peter Marko via lists.openembedded.org]

-Original Message-
From: Marek Vasut  
Sent: Monday, October 9, 2023 21:28
To: Marko, Peter (ADV D EU SK BFS1) ; 
richard.pur...@linuxfoundation.org
Cc: Alexandre Belloni ; st...@sakoman.com; 
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491

> 
>  Should the patch add a CVE_STATUS entry as well so the cve tooling can 
>  tell we've mitigated this?
> >>>
> >>> ncurses 6.4 is not affected and not shown in CVE report, not sure why 
> >>> this is submitted for master.
> >>> Peter
> >>
> >> Just wanted to make sure the configuration is consistent across all the 
> >> releases.
> > 
> > I think that the commit message should be changed.
> > It's misleading when it only says that it mitigates already fixed CVE.
>
> Will do, how does this sound:
>
> "
>  ncurses: disallow loading of custom terminfo entries in setuid/setgid 
> programs
>
>  Configure with "--disable-root-environ" to disallow loading of
>  custom terminfo entries in setuid/setgid programs. This is related
>  to CVE-2023-29491, even though CVE-2023-29491 itself is fixed in
>  this OE release by a backport patch.
>
>  This is taken from debian:
>  
> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac

Parent commit - 
https://salsa.debian.org/debian/ncurses/-/commit/93a383681e3da9f385536f9bc98266c5dd7e42cf

> "
> 
> ?

The commit message seems to be fine now, but...

...looking at Debian, they first changed behavior of "--disable-root-environ" 
option via custom patch and only afterwards used it.
Since Yocto is not changing the behavior of this option, it is probably a wrong 
thing to enable it by default.
This would need a much deeper analysis imho, for all three branches where this 
is submitted.

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188866): 
https://lists.openembedded.org/g/openembedded-core/message/188866
Mute This Topic: https://lists.openembedded.org/mt/101856335/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491

[Peter Marko via lists.openembedded.org]

-Original Message-
From: Marek Vasut  
Sent: Monday, October 9, 2023 18:57
To: Marko, Peter (ADV D EU SK BFS1) ; 
richard.pur...@linuxfoundation.org
Cc: Alexandre Belloni ; st...@sakoman.com; 
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491

> On 10/9/23 18:51, Marko, Peter wrote:
> > -Original Message-
> > From: openembedded-core@lists.openembedded.org 
> >  On Behalf Of Richard Purdie 
> > via lists.openembedded.org
> > Sent: Monday, October 9, 2023 18:44
> > To: Marek Vasut ; st...@sakoman.com; 
> > openembedded-core@lists.openembedded.org
> > Cc: Alexandre Belloni 
> > Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491
> > 
> >> On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
> >>> Configure with "--disable-root-environ" to disallow loading of 
> >>> custom terminfo entries in setuid/setgid programs, mitigating the 
> >>> impact of CVE-2023-29491.
> >>>
> >>> This is taken from debian:
> >>> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef03
> >>> 9b
> >>> 8780d51cd09bd5a08ac
> >>>
> >>> Signed-off-by: Marek Vasut 
> >>> ---
> >>> Cc: Alexandre Belloni 
> >>> Cc: Richard Purdie 
> >>> ---
> >>>   meta/recipes-core/ncurses/ncurses.inc | 1 +
> >>>   1 file changed, 1 insertion(+)
> >>>
> >>> diff --git a/meta/recipes-core/ncurses/ncurses.inc
> >>> b/meta/recipes-core/ncurses/ncurses.inc
> >>> index 367f3b19f4..1bc07ec2d4 100644
> >>> --- a/meta/recipes-core/ncurses/ncurses.inc
> >>> +++ b/meta/recipes-core/ncurses/ncurses.inc
> >>> @@ -87,6 +87,7 @@ ncurses_configure() {
> >>>   --enable-sigwinch \
> >>>   --enable-pc-files \
> >>>   --disable-rpath-hack \
> >>> + --disable-root-environ \
> >>>   ${EXCONFIG_ARGS} \
> >>>   --with-manpage-format=normal \
> >>>   --without-manpage-renames \
> >>
> >> Should the patch add a CVE_STATUS entry as well so the cve tooling can 
> >> tell we've mitigated this?
> > 
> > ncurses 6.4 is not affected and not shown in CVE report, not sure why this 
> > is submitted for master.
> > Peter
>
> Just wanted to make sure the configuration is consistent across all the 
> releases.

I think that the commit message should be changed.
It's misleading when it only says that it mitigates already fixed CVE.

Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188858): 
https://lists.openembedded.org/g/openembedded-core/message/188858
Mute This Topic: https://lists.openembedded.org/mt/101856335/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491

[Peter Marko via lists.openembedded.org]

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Richard Purdie via 
lists.openembedded.org
Sent: Monday, October 9, 2023 18:44
To: Marek Vasut ; st...@sakoman.com; 
openembedded-core@lists.openembedded.org
Cc: Alexandre Belloni 
Subject: Re: [OE-core] [PATCH] ncurses: Mitigate CVE-2023-29491

> On Mon, 2023-10-09 at 18:31 +0200, Marek Vasut wrote:
> > Configure with "--disable-root-environ" to disallow loading of custom 
> > terminfo entries in setuid/setgid programs, mitigating the impact of 
> > CVE-2023-29491.
> > 
> > This is taken from debian:
> > https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b
> > 8780d51cd09bd5a08ac
> > 
> > Signed-off-by: Marek Vasut 
> > ---
> > Cc: Alexandre Belloni 
> > Cc: Richard Purdie 
> > ---
> >  meta/recipes-core/ncurses/ncurses.inc | 1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/meta/recipes-core/ncurses/ncurses.inc 
> > b/meta/recipes-core/ncurses/ncurses.inc
> > index 367f3b19f4..1bc07ec2d4 100644
> > --- a/meta/recipes-core/ncurses/ncurses.inc
> > +++ b/meta/recipes-core/ncurses/ncurses.inc
> > @@ -87,6 +87,7 @@ ncurses_configure() {
> > --enable-sigwinch \
> > --enable-pc-files \
> > --disable-rpath-hack \
> > +   --disable-root-environ \
> > ${EXCONFIG_ARGS} \
> > --with-manpage-format=normal \
> > --without-manpage-renames \
>
> Should the patch add a CVE_STATUS entry as well so the cve tooling can tell 
> we've mitigated this?

ncurses 6.4 is not affected and not shown in CVE report, not sure why this is 
submitted for master.
Peter

>
> Cheers,
>
> Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188853): 
https://lists.openembedded.org/g/openembedded-core/message/188853
Mute This Topic: https://lists.openembedded.org/mt/101856335/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491

[Peter Marko via lists.openembedded.org]

Hi Marek,

Could you please describe why you add this configuration in kirkstone branch?
This CVE is already patched:
https://git.openembedded.org/openembedded-core/tree/meta/recipes-core/ncurses/files/CVE-2023-29491.patch?h=kirkstone

Peter

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Marek Vasut via 
lists.openembedded.org
Sent: Monday, October 9, 2023 18:32
To: st...@sakoman.com; openembedded-core@lists.openembedded.org
Cc: Marek Vasut 
Subject: [OE-core] [kirkstone][PATCH] ncurses: Mitigate CVE-2023-29491

> Configure with "--disable-root-environ" to disallow loading of custom 
> terminfo entries in setuid/setgid programs, mitigating the impact of 
> CVE-2023-29491.
>
> This is taken from debian:
> https://salsa.debian.org/debian/ncurses/-/commit/1c530aad772f7aeef039b8780d51cd09bd5a08ac
>
> Signed-off-by: Marek Vasut 
> ---
>  meta/recipes-core/ncurses/ncurses.inc | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-core/ncurses/ncurses.inc 
> b/meta/recipes-core/ncurses/ncurses.inc
> index 1abcfae1fe..7e85044bdb 100644
> --- a/meta/recipes-core/ncurses/ncurses.inc
> +++ b/meta/recipes-core/ncurses/ncurses.inc
> @@ -87,6 +87,7 @@ ncurses_configure() {
>   --enable-sigwinch \
>   --enable-pc-files \
>   --disable-rpath-hack \
> + --disable-root-environ \
>   ${EXCONFIG_ARGS} \
>   --with-manpage-format=normal \
>   --without-manpage-renames \
> --
> 2.40.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188852): 
https://lists.openembedded.org/g/openembedded-core/message/188852
Mute This Topic: https://lists.openembedded.org/mt/101856357/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Adresses CVE-2023-4911.

Single commit bump:
* c84018a05ae tunables: Terminate if end of input is reached (CVE-2023-4911)

Signed-off-by: Peter Marko 
---
 meta/recipes-core/glibc/glibc-version.inc | 2 +-
 meta/recipes-core/glibc/glibc_2.35.bb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/glibc/glibc-version.inc 
b/meta/recipes-core/glibc/glibc-version.inc
index c23a43576c..e0d47f283b 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.35/master"
 PV = "2.35"
-SRCREV_glibc ?= "73d4ce728a59deb2fd18969e559769b3f590fac9"
+SRCREV_glibc ?= "c84018a05aec80f5ee6f682db0da1130b0196aef"
 SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb 
b/meta/recipes-core/glibc/glibc_2.35.bb
index b4bad5b7ac..271520f76b 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -17,7 +17,7 @@ CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 
CVE-2019-1010024"
 CVE_CHECK_IGNORE += "CVE-2019-1010025"
 
 # To avoid these in cve-check reports since the recipe version did not change
-CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-5156"
+CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156"
 
 DEPENDS += "gperf-native bison-native"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188784): 
https://lists.openembedded.org/g/openembedded-core/message/188784
Mute This Topic: https://lists.openembedded.org/mt/101805676/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] cve-check: Classify patched CVEs into 3 statuses

[Peter Marko via lists.openembedded.org]

Yes, that's how we designed this feature.
Peter

-Original Message-
From: Shinji Matsunaga (Fujitsu)  
Sent: Wednesday, October 4, 2023 4:19
To: Marko, Peter (ADV D EU SK BFS1) ; 
richard.pur...@linuxfoundation.org
Cc: openembedded-core@lists.openembedded.org
Subject: RE: [OE-core] [PATCH] cve-check: Classify patched CVEs into 3 statuses

> Sorry for the late reply.
>
> In addition to the changes to meta/classes/cve-check.bbclass, Does it mean 
> that the following processing needs to be added to 
> meta/conf/cve-check-map.conf?
> CVE_CHECK_STATUSMAP[out-of-range] = "Patched"
> CVE_CHECK_STATUSMAP[undecidable] = "Unpatched"
>
> Shinji
>
> -Original Message-
> From: Marko, Peter 
> Sent: Thursday, September 21, 2023 6:46 PM
> To: Matsunaga, Shinji/松永 慎司 ; 
> richard.pur...@linuxfoundation.org
> Cc: openembedded-core@lists.openembedded.org
> Subject: RE: [OE-core] [PATCH] cve-check: Classify patched CVEs into 3 
> statuses
>
> We have recently introduced CVE_CHECK_STATUSMAP which should be used to 
> declare more detailed status information instead of introducing additional 
> statuses.
> In this case, "out of range" should be subtype of patched and "undecidable" 
> subtype of unpatched I think.
>
> Peter
>
> -Original Message-
> From: openembedded-core@lists.openembedded.org 
>  On Behalf Of Matsunaga-Shinji via 
> lists.openembedded.org
> Sent: Thursday, September 21, 2023 11:03
> To: richard.pur...@linuxfoundation.org
> Cc: openembedded-core@lists.openembedded.org; shin.matsun...@fujitsu.com
> Subject: [OE-core] [PATCH] cve-check: Classify patched CVEs into 3 statuses
>
> > CVEs that are currently considered "Patched" are classified into the 
> > following 3 statuses:
> > 1. "Patched"  - means that a patch file that fixed the vulnerability 
> > has been applied
> > 2. "Out of range" - means that the package version (PV) is not subject 
> > to the vulnerability 3. "Undecidable"  - means that versions cannot be 
> > compared to determine if they are affected by the vulnerability
> > 
> > Signed-off-by: Shinji Matsunaga 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188671): 
https://lists.openembedded.org/g/openembedded-core/message/188671
Mute This Topic: https://lists.openembedded.org/mt/101496298/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] json-c: define CVE_VERSION

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Recently NVD updated all CVEs for json-c and old fixed
cves are reported in some older yocto branches.
NVD match clause now includes full tag name including
date which is "greater" than tag without additional numbers.

Define CVE_VERSION identical to full tag also on master to
avoid future CVEs to be reported incorrectly.
Put it close to hash so recipe update patch includes this line.

Signed-off-by: Peter Marko 
---
 meta/recipes-devtools/json-c/json-c_0.17.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/json-c/json-c_0.17.bb 
b/meta/recipes-devtools/json-c/json-c_0.17.bb
index b7b596212f..f4b7a32cea 100644
--- a/meta/recipes-devtools/json-c/json-c_0.17.bb
+++ b/meta/recipes-devtools/json-c/json-c_0.17.bb
@@ -9,6 +9,9 @@ SRC_URI = 
"https://s3.amazonaws.com/json-c_releases/releases/${BP}.tar.gz \
"
 SRC_URI[sha256sum] = 
"7550914d58fb63b2c3546f3ccfbe11f1c094147bd31a69dcd23714d7956159e6"
 
+# NVD uses full tag name including date
+CVE_VERSION = "0.17-20230812"
+
 UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/tags;
 UPSTREAM_CHECK_REGEX = "json-c-(?P\d+(\.\d+)+)-\d+"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188344): 
https://lists.openembedded.org/g/openembedded-core/message/188344
Mute This Topic: https://lists.openembedded.org/mt/101626352/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] json-c: define CVE_VERSION

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

Recently NVD updated all CVEs for json-c and old fixed
CVE-2020-12762 is reported by cve_check now.
NVD match clause now includes full tag name including
date which is "greater" than tag without additional numbers.

Fix it by defining CVE_VERSION identical to full tag.
Put it close to hash so recipe update patch includes this line.

Signed-off-by: Peter Marko 
---
 meta/recipes-devtools/json-c/json-c_0.15.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/json-c/json-c_0.15.bb 
b/meta/recipes-devtools/json-c/json-c_0.15.bb
index 4da30bc50c..b3679e0135 100644
--- a/meta/recipes-devtools/json-c/json-c_0.15.bb
+++ b/meta/recipes-devtools/json-c/json-c_0.15.bb
@@ -12,6 +12,9 @@ SRC_URI = " \
 
 SRC_URI[sha256sum] = 
"b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6"
 
+# NVD uses full tag name including date
+CVE_VERSION = "0.15-20200726"
+
 UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/tags;
 UPSTREAM_CHECK_REGEX = "json-c-(?P\d+(\.\d+)+)-\d+"
 
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188343): 
https://lists.openembedded.org/g/openembedded-core/message/188343
Mute This Topic: https://lists.openembedded.org/mt/101626335/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 2.35 branch

[Peter Marko via lists.openembedded.org]

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Peter Marko via 
lists.openembedded.org
Sent: Wednesday, September 27, 2023 16:21
To: soumya.sa...@windriver.com
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 
2.35 branch

> -Original Message-
> From: openembedded-core@lists.openembedded.org 
>  On Behalf Of Soumya via 
> lists.openembedded.org
> Sent: Wednesday, September 27, 2023 9:46
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 
> 2.35 branch
>
> > From: Soumya Sambu 
> >
> > Adresses CVE-2023-4813, CVE-2023-4806
>
> Could you also add these to CVE_CHECK_IGNORE?
> Otherwise they will stay in cve-check reports since the recipe version did 
> not change.

Additionally, this fixes CVE-2023-5156

>
> Thanks,
> Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188328): 
https://lists.openembedded.org/g/openembedded-core/message/188328
Mute This Topic: https://lists.openembedded.org/mt/101613417/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 2.35 branch

[Peter Marko via lists.openembedded.org]

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Soumya via 
lists.openembedded.org
Sent: Wednesday, September 27, 2023 9:46
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone][PATCH 1/1] glibc: Update to latest on stable 2.35 
branch

> From: Soumya Sambu 
>
> Adresses CVE-2023-4813, CVE-2023-4806

Could you also add these to CVE_CHECK_IGNORE?
Otherwise they will stay in cve-check reports since the recipe version did not 
change.

Thanks,
Peter

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188326): 
https://lists.openembedded.org/g/openembedded-core/message/188326
Mute This Topic: https://lists.openembedded.org/mt/101613417/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [OE-core] [PATCH] cve-check: Classify patched CVEs into 3 statuses

[Peter Marko via lists.openembedded.org]

We have recently introduced CVE_CHECK_STATUSMAP which should be used to declare 
more detailed status information instead of introducing additional statuses.
In this case, "out of range" should be subtype of patched and "undecidable" 
subtype of unpatched I think.

Peter

-Original Message-
From: openembedded-core@lists.openembedded.org 
 On Behalf Of Matsunaga-Shinji via 
lists.openembedded.org
Sent: Thursday, September 21, 2023 11:03
To: richard.pur...@linuxfoundation.org
Cc: openembedded-core@lists.openembedded.org; shin.matsun...@fujitsu.com
Subject: [OE-core] [PATCH] cve-check: Classify patched CVEs into 3 statuses

> CVEs that are currently considered "Patched" are classified into the 
> following 3 statuses:
> 1. "Patched"  - means that a patch file that fixed the vulnerability has 
> been applied
> 2. "Out of range" - means that the package version (PV) is not subject to the 
> vulnerability
> 3. "Undecidable"  - means that versions cannot be compared to determine if 
> they are affected by the vulnerability
> 
> Signed-off-by: Shinji Matsunaga 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#187985): 
https://lists.openembedded.org/g/openembedded-core/message/187985
Mute This Topic: https://lists.openembedded.org/mt/101496298/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][PATCH] openssl: Upgrade 3.1.2 -> 3.1.3

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-312-and-openssl-313-19-sep-2023
Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023]
* Fix POLY1305 MAC implementation corrupting XMM registers on Windows 
(CVE-2023-4807)

Signed-off-by: Peter Marko 
---
 .../openssl/{openssl_3.1.2.bb => openssl_3.1.3.bb}  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.1.2.bb => 
openssl_3.1.3.bb} (99%)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.2.bb 
b/meta/recipes-connectivity/openssl/openssl_3.1.3.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.1.2.bb
rename to meta/recipes-connectivity/openssl/openssl_3.1.3.bb
index 3f77c218c8..cc9452c8ab 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.2.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.3.bb
@@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
 
-SRC_URI[sha256sum] = 
"a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539"
+SRC_URI[sha256sum] = 
"f0316a2ebd89e7f2352976445458689f80302093788c466692fb2a188b2eacf6"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#187939): 
https://lists.openembedded.org/g/openembedded-core/message/187939
Mute This Topic: https://lists.openembedded.org/mt/101484177/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[OE-core][kirkstone][PATCH] openssl: Upgrade 3.0.10 -> 3.0.11

[Peter Marko via lists.openembedded.org]

From: Peter Marko 

https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3010-and-openssl-3011-19-sep-2023
Major changes between OpenSSL 3.0.10 and OpenSSL 3.0.11 [19 Sep 2023]
* Fix POLY1305 MAC implementation corrupting XMM registers on Windows 
(CVE-2023-4807)

Signed-off-by: Peter Marko 
---
 .../openssl/{openssl_3.0.10.bb => openssl_3.0.11.bb}| 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.0.10.bb => 
openssl_3.0.11.bb} (99%)

diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.10.bb 
b/meta/recipes-connectivity/openssl/openssl_3.0.11.bb
similarity index 99%
rename from meta/recipes-connectivity/openssl/openssl_3.0.10.bb
rename to meta/recipes-connectivity/openssl/openssl_3.0.11.bb
index c770f1c712..22eaa3af33 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.10.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.11.bb
@@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
 
-SRC_URI[sha256sum] = 
"1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323"
+SRC_URI[sha256sum] = 
"b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55"
 
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-- 
2.30.2


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#187938): 
https://lists.openembedded.org/g/openembedded-core/message/187938
Mute This Topic: https://lists.openembedded.org/mt/101484157/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-