This update was made with the convert-scruri.py script in scripts/contrib
This script handles two emerging issues:
1. There is uncertainty about the default branch name in git going forward.
To try and cover the different possible outcomes, add branch names to all
git:// and gitsm:// SRC_URI entries.
2. Github are dropping support for git:// protocol fetching, so remap github
urls as needed. For more details see:
https://github.blog/2021-09-01-improving-git-protocol-security-github/
(From OE-Core rev: 827a805349f9732b2a5fa9184dc7922af36de327)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We're seeing pthread being linked sometimes and not others leading to
non-reproducible target binaries. The reason is mixing the native python
config with the target one. We should use the target one.
(From OE-Core rev: e570efa43d5655afa041bd4ab52fec2de2216e4d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1bc5378db760963e2ad46542f2907dd6a592eb66)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Sort the list of files to ensure the pkgdata output is deterministic.
(From OE-Core rev: c6a5c4a72de7590b4ac8f5e1bd4c1e83567ef468)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3a55194f90e11da5671b24391a4aaf2b86a8e1e6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
raw.h has been dropped in linux-libc-headers-5.14 leading to:
configure: error: raw selected, but required raw.h header file not available
WARNING: exit code 1 from a shell command.
(From OE-Core rev: 7c2de7211d8c8790851a87d949d29c6e0e140dc2)
Signed-off-by: MarkusVolk <f_l_k@t-online.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7f577c10913104860121f682b9b3754870c4db23)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We are observing systemd-network service crash during link down
while freeing link->ifname pointer
Backtrace:
(gdb) bt
0 __GI_abort () at abort.c:107
1 0x0000007f861d32b4 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f8628d500 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
2 0x0000007f861da51c in malloc_printerr (str=str@entry=0x7f86289070 "free(): invalid next size (fast)") at malloc.c:5347
3 0x0000007f861dbd58 in _int_free (av=0x7f862c9a28 <main_arena>, p=0x558aa28eb0, have_lock=0) at malloc.c:4249
4 0x0000005569249cf0 in link_free (link=0x558aa1c0d0) at ../git/src/network/networkd-link.c:715
5 link_unref (p=0x558aa1c0d0) at ../git/src/network/networkd-link.c:734
6 0x000000556920f34c in manager_rtnl_process_link (rtnl=<optimized out>, message=0x558aa2a430, userdata=0x558a9fc630)
While checking upstream code change with regards to link->ifname
memory allocation and free, we found below PR which also fixes
random systemd-networkd crash:
https://github.com/systemd/systemd/pull/19631
https://github.com/systemd/systemd/issues/19629
(From OE-Core rev: adca61c61d84f022fdedd2d616e7c2df00661af8)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
dbus and dbus-test share the same source code and base configuration options,
so factor out the common parts into dbus.inc.
This way we can eliminate the need to keep the two recipes in sync. When they
are not properly in sync (e.g. when dbus recipe has extra patches/config
options that are not duplicated in dbus-test) ptest testsuite will actually
test a slightly different codebase. This is due to the fact that dbus-test does
not run the testsuite against the system libdbus library, but instead it
generates a local libdbus.so that needs to be configured/compiled as close as
possible to the system one.
(From OE-Core rev: 1cde2935526d2eec7d6b17a6c622647b0c132439)
(From OE-Core rev: 6c90e4dd59eb06058d14deeb9aa87717fd88ab09)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 44ae5d8d6f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 8d33a2a4e4b6ff8f831523e5b1b16ead6b29cc79)
(From OE-Core rev: 7337d7e4faf20a513c065c44d7d9d472334452b2)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a62471f064)
[Bug fix only update, drop cve patch now included
a0926ef86f (tag: dbus-1.12.18) Prepare 1.12.18
8bc1381819 fdpass test: Assert that we don't leak file descriptors
272d484283 sysdeps-unix: On MSG_CTRUNC, close the fds we did receive <- cve fix
31297172f1 Update NEWS
041d579139 dbus-daemon test: Don't test fd limits if in an unprivileged container
55b3f71376 Update NEWS
ced04aabc7 doxygen: fix example for dbus_message_append_args
3e40637b10 Update NEWS
3e0ea34966 cmake: Add X11 include path for tools
d0992805d7 doc: replace dbus-send's --address with --peer and --bus
dd32f6b617 Update NEWS
d251fe7850 Merge branch 'cherry-pick-b034b83b' into 'dbus-1.12'
2c6b0ad7f6 bus: Don't explicitly clear BusConnections.monitors
df0c675b93 Merge branch 'cherry-pick-bf71a58e' into 'dbus-1.12'
beb79b94fb doc: Fix environment variable name in dbus-daemon(1)
eab5d4a420 Start 1.12.18 development]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The OVMF target binaries are (currently) x86-specific, but the native
tools to build them are not.
Make the COMPATIBLE_HOST assignment target-specific, so that the native
tools can be built on an arm64 build server.
(From OE-Core rev: 94f5c2d51ec8033e00b52ef2d4e0e4c334c14163)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 58ebb47688fc98fdaeb78b4033bd31100218d5d6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE is fixed in the upstream glibc-2.31 branch, and dunfell already
includes an update to this version in commit e1e89ff7d7 ("glibc:
update to lastest 2.31 release HEAD")
(From OE-Core rev: c1d49cee0a3a7391708b19647889f48036d7e4e8)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When dhclient is used with ifupdown and the /etc/network/interfaces
file contains something like "iface eth0 inet6 dhcp", the system does not
boot but hangs after the DHCP configuration of IPv4, at the stage
where IPv6 should be configured.
The reason seems to be, that ifupdown calls the dhclient in a blocking
way which leads to a permanent block of the boot when no DHCPv6 server
is available.
A similar bug in Redhat:
https://bugzilla.redhat.com/show_bug.cgi?id=585047
[YOCTO #14117]
(From OE-Core rev: 6d8bf12bffa146cb51153a79a4b96b05298c4fbf)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A flaw was found in libxml2. Exponential entity expansion attack
is possible bypassing all existing protection mechanisms and leading
to denial of service.
https://nvd.nist.gov/vuln/detail/CVE-2021-3541
CVE: 2021-3541
(From OE-Core rev: 1699293a7011797895c284d6ad664c66badba426)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Includes the following fixes:
4f0a61f753 wordexp: handle overflow in positional parameter number (bug 28011)
8e88c0d888 Fix SXID_ERASE behavior in setuid programs (BZ #27471)
74a4425fae Enhance setuid-tunables test
bb5bb87959 tst-env-setuid: Use support_capture_subprogram_self_sgid
700264179c support: Add capability to fork an sgid child
7fa6d30eea support: Typo and formatting fixes
0de2b69c31 support: Pass environ to child process
0c92f409a7 S390: Also check vector support in memmove ifunc-selector [BZ #27511]
(From OE-Core rev: eb03d3f72472539b10de49a32bdd3c68c34b658e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
Upstream-Status: Backport [from fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
(From OE-Core rev: ef2a81a473e7c36a36facb209ca907a7439d36f2)
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
expat < 4.0 is vulnerable to billion laughs attacks (see
[https://github.com/libexpat/libexpat/issues/34]). This patch backports
the commits b1d039607d3d8a042bf0466bfcc1c0f104e353c8
and 60959f2b491876199879d97c8ed956eabb0c2e73 from upstream.
Additionally, the SRC_URI had to be adjusted due to renaming of the
source archive
(From OE-Core rev: b0b843797321360693172c57f2400b9c56ca51cf)
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This reverts commit e990a9ec5d6eaf2c328d61c4de73ea6c270cfa15.
Patch not in master, erroneously applied
(From OE-Core rev: 090452c5284181f18c32dc33887f4dda20c48004)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We've noticed that:
MACHINE=qemuarm oe-selftest -r glibc.GlibcSelfTest.test_glibc
ends up with one process growing to about the size of system memory
and triggering the OOM killer. This has been taking out other builds
running on the system on the autobuilders and is one cause of our
intermittent failures.
This was tracked down to:
WORKDIR=XXX/tmp/work/armv7vet2hf-neon-poky-linux-gnueabi/glibc-testsuite/2.33-r0
BUILDDIR=$WORKDIR/build-arm-poky-linux-gnueabi QEMU_SYSROOT=$WORKDIR/recipe-sysroot
QEMU_OPTIONS="$WORKDIR/recipe-sysroot-native/usr/bin/qemu-arm -r 3.2.0" \
$WORKDIR/check-test-wrapper user env GCONV_PATH=$BUILDDIR/iconvdata LOCPATH=$BUILDDIR/localedata LC_ALL=C $BUILDDIR/elf/ld-linux-armhf.so.3 \
--library-path $BUILDDIR:$BUILDDIR/math:$BUILDDIR/elf:$BUILDDIR/dlfcn:$BUILDDIR/nss:$BUILDDIR/nis:$BUILDDIR/rt:$BUILDDIR/resolv:$BUILDDIR/mathvec:$BUILDDIR/support:$BUILDDIR/nptl \
$BUILDDIR/nptl/tst-pthread-timedlock-lockloop
although other glibc tests appear to use 16GB of memory before failing
anyway. By capping the VM size to 8GB, we see the same number of failures
but no OOM situations. There may be some issue in qemu or the test which
could be improved to avoid this entirely but this provides a necessary
and useful safeguard to other builds and doesn't appear to make the
situation worse.
On a loaded system OOM may not occur as the test timeout may be triggered
first. An experiment with a 5GB limit showed an additional 7 failures.
(From OE-Core rev: 4926a16d4fc075ea486536427e99dd6dcaace583)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 58d4f669bd46805669daf87626350fe9359feca5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Before, running ptests on core-image-minimal would result in
an error due to missing /bin/bash:
[ -d test ] || ln -s ../libxml2-2.9.10/test .
make: /bin/bash: No such file or directory
make: *** [Makefile:2105: runtests] Error 127
Changing the Makefile to use /bin/sh results in some of the
tests failing, so I have added the missing dependency on bash.
(From OE-Core rev: bc1d05429da1101d910b4ccf3de5407ddfbedc92)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d2e81298c446aec8d7fcf61fd5023ac30350f205)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Reformatted runtest.patch to allow it to be applied using git am.
This makes it easier to apply the series of patches to the original git repo.
There are no changes to the code of the patch other than the reformat.
Previously, the patch claimed to be a backport, but I have not found an
upstream commit so I've changed the Upstream-Status to pending.
(From OE-Core rev: 5f01e69b6e7b7f734882a30146cca89dbdb99705)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0361d625e1573e846a2f03ed90a8b897bc405160)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
syslog.cfg is added to the list of sources for busybox
independent of the VIRTUAL-RUNTIME_base-utils-syslog variable. So even
if VIRTUAL-RUNTIME_base-utils-syslog is set e.g. to empty, syslogd will
be enabled. So only include syslog.cfg in SRC_URI if
VIRTUAL-RUNTIME_base-utils-syslog is set to busybox-syslog.
(From OE-Core rev: e990a9ec5d6eaf2c328d61c4de73ea6c270cfa15)
Signed-off-by: Volker Vogelhuber <v.vogelhuber@digitalendoscopy.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream database uses both "expat" and "libexpat" to report CVEs
(From OE-Core rev: f89b497800fb3a3ecd77b7a868a02800b6c86d92)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 706bdcaec5fd7c59d7877bbefa5ed4ce5b4f3da1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These CVEs are disputed by upstream and there is no plan to fix/address them. No
other distros are carrying patches for them. There is a patch for 1010025
however it isn't merged upstream and probably carries more risk of other bugs
than not having it.
(From OE-Core rev: 2afbfc1eb6bc7613da4a7f06ac267ea561b5470e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b238db678083cc15313b98d2e33f83cccab03fc6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Recently an entry appeared in the NVD DB that looks like this:
{'vulnerable': True, 'cpe_name': []}.
As no data is present besides the vulnerable flag, we would get
a KeyError exception on access.
Use the get method on the dictionary and return if no metadata is present.
Also quit if the length of the array after splitting is less than 6.
(From OE-Core rev: 45148918628ba797755f3cbb52f065ec6dbbcfd2)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 00ce2796d97de2bc376b038d0ea7969088791d34)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some records from NVD can merge or split the suffix from the version, for
example:
CVE-2017-15906
"cpe23Uri" : "cpe:2.3:a:openbsd:openssh:5.0:p1:*:*:*:*:*:*"
"cpe23Uri" : "cpe:2.3:a:openbsd:openssh:4.7p1:*:*:*:*:*:*:*"
In such cases, include the suffix in the version when updating the local CVE db.
(From OE-Core rev: b8d3e1754faea3ba0b6e07d5a830fbab12b5f53d)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 13cc68197f81bb7c76fa1abecc5dd720b8bdb8d5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
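The two CVE database commits above (the empty `cpe_name` entry and the split version suffix) can be illustrated together. This is an added example, not code from OE-Core or from either commit: the function names, the sample records other than the two openssh URIs, and the choice to join version and suffix by plain concatenation are assumptions.

```python
import re

def parse_cpe_match(entry):
    """Return (vendor, product, version) for a vulnerable entry, else None."""
    if not entry.get("vulnerable"):
        return None
    # An entry such as {'vulnerable': True, 'cpe_name': []} has no URI at
    # all, so entry['cpe23Uri'] would raise KeyError; use .get() and bail out.
    uri = entry.get("cpe23Uri")
    if not uri:
        return None
    # Layout: cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:...
    # Split on unescaped ':' only (CPE 2.3 writes a literal colon as '\:').
    fields = re.split(r"(?<!\\):", uri)
    if len(fields) < 6:
        return None  # truncated record: not enough fields to reach <version>
    vendor, product, version = fields[3], fields[4], fields[5]
    update = fields[6] if len(fields) > 6 else "*"
    # '*' (any) and '-' (not applicable) mean there is no suffix to merge.
    if version not in ("*", "-") and update not in ("*", "-"):
        # Assumption: plain concatenation, so "5.0" + "p1" has the same
        # shape as a record that already carries "4.7p1" in <version>.
        version += update
    return vendor, product, version

def collect_versions(cpe_matches):
    """Parse every entry, silently skipping the ones that carry no usable data."""
    parsed = (parse_cpe_match(e) for e in cpe_matches)
    return [p for p in parsed if p is not None]

# Constructed sample: the two openssh URIs quoted in the commit message,
# the empty entry from the other commit, a truncated URI, and a
# non-vulnerable entry.
SAMPLE = [
    {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:openbsd:openssh:5.0:p1:*:*:*:*:*:*"},
    {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:openbsd:openssh:4.7p1:*:*:*:*:*:*:*"},
    {"vulnerable": True, "cpe_name": []},
    {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:openbsd"},
    {"vulnerable": False, "cpe23Uri": "cpe:2.3:a:openbsd:openssh:9.9:*:*:*:*:*:*:*"},
]

if __name__ == "__main__":
    for row in collect_versions(SAMPLE):
        print(row)
```

Without the suffix merge, the first record would be stored as version 5.0 and a recipe at 5.0p1 would be compared against the wrong string.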
Currently the install script copies only a few hard-coded items while
setting up the target ESP: kernel artifacts, all .efi in EFI/BOOT,
grub & boot cfg and loader.conf.
The ESP can be much more complex, e.g. contain multiple initrd.
Add an ESP folder to carry any other files to set up onto the ESP.
(From OE-Core rev: 3be53035c567c06a09a36d68c41393482bd4789b)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6eaca9cf20c42501fba27dea3a6446bad948e859)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In cases where we configure the IP address and more on the kernel
command line with ip= we should not ask for DHCP with systemd-networkd
later on. We have such a setup with our runqemu script.
With this match in place we can also deploy this unit on qemu systems.
(From OE-Core rev: c88bb3db92d0650a560d7cbc1f0f42ae8faf15e1)
Signed-off-by: Stefan Schmidt <stefan.schmidt@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8c4981e740c0e630200dbc77c9e3dfd3e43b790b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
kernel-devsrc is a dependency of the image so we no longer need the symlink
creation code or the module-base inherit/dependency as it is included in
that recipe. The KERNEL_VERSION usage was broken anyway as the module
usage would have needed a:
do_image[depends] += "build-appliance-image:do_configure"
which wasn't present so it was indeterminate if KERNEL_VERSION was set
correctly.
(From OE-Core rev: b5bcbe1835ad95a65c2c01212a35f9388ac0dffc)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a46b43bb67b2f87ec370480e50a2e2d111555b75)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>