The CPE data in the NVD database is now complete, so these overrides are
no longer needed.
This reverts commit e3419fbaf2999a821e1890a12ab27285cc25b577.
(From OE-Core rev: 252b52ce3fd51acda6ab9108ea6354cb0885a4f7)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These are tracked as versionless redhat CVEs in NVD DB.
(From OE-Core rev: e3419fbaf2999a821e1890a12ab27285cc25b577)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For reasons we have explicit xorg.conf files for a number of the qemu
machines, but not all of them. These mainly disabled screen blanking
(which is now down with a separate fragment) but also explictly set the
device driver to fbdev which meant they didn't use the modesettings
driver as they should (with the virtio framebuffer from qemu).
This is the root cause of why the xserver 21.1.16 upgrade doesn't work
on a number of machines: the /sys probing changed and the fbdev driver
now refuses to use the PCI framebuffer device as there are better
drivers, but we've explictly told xorg to use the wrong driver.
For more details, see https://gitlab.freedesktop.org/xorg/xserver/-/issues/1798.
(From OE-Core rev: 8c8039bf4c2d011e3d12c970ce45036b184902a9)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a configuration fragment that disables screen blanking, and add it
to all qemu machines.
(From OE-Core rev: 780a5ccaa51d5aed18200883a686387e70847e4b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This was motivated by remembering that both xserver-xorg and xorgxrdp
need to ignore the xorg-driver-abi test in do_package_qa because the
logic to generate the required dependencies is contained in
xorg-driver-common.inc, so can't be reused easily by the xserver (which
ships the modesetting driver) or xorgxrdp (which ships drivers and more).
Merge both the RPROVIDES (xserver) and RDEPENDS (driver) functions into a
single xserver-abi.inc to ensure that their logic remains in sync.
Generalise the names: instead of hardcoding 'input' and 'video' extract
the ABI names from the pkg-config file directly. This means 'input' is
now 'xinput' and 'video' is now 'videodrv', also 'ansic' and 'extension'
are new ABIs exposed.
Rewrite the RDEPENDS generation so that it is more flexible, and can be
used from inside the xserver-xorg recipe to generate RDEPENDS for the
modesetting driver. This means that recipe can remove the INSANE_SKIP.
There's an argument that this new .inc file could be a bbclass, I'm
undecided on this myself right now and this patch is essentially a
rationalisation of the existing code.
(From OE-Core rev: f40b36fb089f6ccd4fb25373ed4cb57fae78a79f)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If XvFB is enabled, the CVE_STATUS for CVE-2023-5574 should be
'unpatched' rather than the empty string. Otherwise SDPX checker
complains:
xserver-xorg-2_21.1.13-r0 do_create_spdx: Unknown CVE status
(From OE-Core rev: 0ec5dcbdd7c922df25ce90b04902d9c7c749a8c0)
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Where recipes use S = ${WORKDIR}, change them to set UNPACKDIR to
a subdir of WORKDIR and make S point at this instead.
I've chosen not to force S into any standard UNPACKDIR we may pick in
future just so the S = UNPACKDIR case is clearly visible by the
directory naming under WORKDIR as that should aid usability.
(From OE-Core rev: d9328e3b0b062f0621de3d114584b44f384a1c02)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Where recipes use S = ${WORKDIR}, ensure they are referencing ${S} correctly
to access files as soon we want to stop doing this in WORKDIR at which point
they would break unless corrected.
(From OE-Core rev: f25dd633fffe6560f191526d1869e657e129bad9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Disable BlankTime, StandbyTime, SuspendTime and OffTime in X default for QEMU images
This fix addresses the issue of Xserver screensaver blanking being enabled on QEMU images by
disabling BlankTime, StandbyTime, SuspendTime, and OffTime in the Xorg default settings for QEMU images.
Reference : https://www.x.org/archive/X11R6.8.0/doc/xorg.conf.5.html
[YOCTO #15436]
Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 173fb4247fdb2b7b5e6a1a604ddbbc8727b3d3bb)
Signed-off-by: K Sanjay Nayak <nayakksanjay@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
xvfb has limited use, so to mitigate CVE-2023-5574 out of the box we can
disable the xvfb PACKAGECONFIG.
(From OE-Core rev: bfbcb28f032b2609f0cd15df70f35353adf326e5)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Xvfb is pretty niche and has outstanding unsolved security issues, so
let people disable it and add a conditional CVE_STATUS to reflect this.
(From OE-Core rev: 5d47474f6eb6b4441154c7de7261f8e0ab47333d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These patches are not yet merged (so they're not backports) because they
have outstanding (undescribed) issues[1]. As this issue only affects
Xvfb and is a use-after-free with only a hypothetical attack, revert the
patches until the compromise is understood.
This reverts commit a193c0224a.
[1] https://lists.x.org/archives/xorg-announce/2023-October/003430.html
(From OE-Core rev: 1ed1c4f48203a8366519b40a094c7d9719c3ae32)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
-present: Send a PresentConfigureNotify event for destroyed windows
-Switch to libbsd-overlay
-Xi/randr: fix handling of PropModeAppend/Prepend
-mi: reset the PointerWindows reference on screen switch
(From OE-Core rev: 82e87caedf84dcf5a933dbfc92718ac1cdd29734)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We've been removing PR values from recipes at upgrade time for a while. In general
anyone maintaining a binary distro would end up having to curate these themselves
so the values in OE-Core aren't really that useful anymore. In many ways it makes
sense to clear out the remaining ones (which are mostly for 'config' recipes that
are unlikely to increase in PV) and leave a clean slate for anyone implementing
a binary distro config.
References are left in meta-selftest since the tests there do involve them and
their removal upon upgrade.
(From OE-Core rev: d4c346e8ab8f3cae25d1b01c7331ed9f6d4f96ef)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Otherwise, xserver will no longer start when NO_RECOMMENDATIONS = “1”,
because dependencies in XSERVER_RRECOMMENDS are missing.
(From OE-Core rev: bc7bd3953f3896af0db036250cda34bc9ecbb3ac)
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade xserver-xorg from 21.1.2 to 21.1.3. And adjust indent as well.
(From OE-Core rev: c32dfebbab45122dc005c1ae9c49dc15a4f350b2)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2011-4613 is specific to Debian/Ubuntu.
CVE-2020-25697 is a non-trivial attack that may not actually be feasible
considering the default behaviour for clients is to exit if the
connection is lost.
(From OE-Core rev: afa2e6c31a79f75ff4113d53f618bbb349cd6c17)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some of the CVEs have x_server as the product name.
(From OE-Core rev: 4d5d63cf8605515bb659b6b732683d7fe6540728)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This wasn't a problem in poky, but was exposed with a nodistro build.
(From OE-Core rev: 0afc9fdb93bb62a78ec6d3aaf870587f52c5a7a4)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Not every option was carried over, drop them accordingly.
(From OE-Core rev: e05abd87ee5d23750c641d0129d9c83db68ee2e8)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxcvt is a new dependency (thanks Oleksandr!).
Include ${libdir}/xorg/modules/input/*.so into the main
package (if for someone separate packaging matters, please
investigate what they do).
Remove options no longer present upstream.
Remove patches available upstream; drop a chunk as well.
(From OE-Core rev: fe501ae1f6bea73882707c944c4fab5c5657a551)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
