Commit Graph

47825 Commits

Author SHA1 Message Date
Marta Rybczynska
31909cc347 cve-check: Fix report generation
The addition of summary output caused two issues: error when building
an image and the fact that JSON output was generated even when
CVE_CHECK_FORMAT_JSON.

When generating an image it caused an error like:
ERROR: core-image-minimal-1.0-r0 do_rootfs: Error executing a python function in exec_func_python() autogenerated:

  The stack trace of python calls that resulted in this exception/failure was:
  File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
       0001:
   *** 0002:cve_check_write_rootfs_manifest(d)
       0003:
  File: '/home/alexk/poky/meta/classes/cve-check.bbclass', lineno: 213, function: cve_check_write_rootfs_manifest
       0209:
       0210:        link_path = os.path.join(deploy_dir, "%s.json" % link_name)
       0211:        manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
       0212:        bb.note("Generating JSON CVE manifest")
   *** 0213:        generate_json_report(json_summary_name, json_summary_link_name)
       0214:        bb.plain("Image CVE JSON report stored in: %s" % link_path)
       0215:}
       0216:
       0217:ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
  Exception: NameError: name 'json_summary_name' is not defined

The fix is to pass the d variable to the pure python function generate_json_report
to get correct values of variables and add conditions for the JSON
output where needed.

In addition clarify the message presenting the summary JSON file,
which isn't related to an image.

Uses partial fixes from Alex Kiernan, Ernst Sjöstrand (ernstp),
and Davide Gardenal.

Fixes: f2987891d315 ("cve-check: add JSON format to summary output")

(From OE-Core rev: 2fcc696e27d7f8c70ba60f5c7de8c48030a938d3)

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9015dec93233c7d45fd0c9885ff5d4ec23ad377d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-25 22:45:50 +01:00
Robert Joslyn
ee8d859d05 curl: Backport CVE fixes
Backport patches to address the following CVEs:
 * https://curl.se/docs/CVE-2022-22576.html
 * https://curl.se/docs/CVE-2022-27775.html
 * https://curl.se/docs/CVE-2022-27776.html
 * https://curl.se/docs/CVE-2022-27774.html
 * https://curl.se/docs/CVE-2022-30115.html
 * https://curl.se/docs/CVE-2022-27780.html
 * https://curl.se/docs/CVE-2022-27781.html
 * https://curl.se/docs/CVE-2022-27779.html
 * https://curl.se/docs/CVE-2022-27782.html

(From OE-Core rev: b83c7ae43c372c1870d13ae25ebfad9c68a0928d)

Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-25 22:45:50 +01:00
Davide Gardenal
453be4d258 base-passwd: Disable shell for default users
Change the shell of all global static users other than root (which
retains /bin/sh) and sync (as /bin/sync is rather harmless) to
/sbin/nologin (as /usr/sbin/nologin does not exist in openembedded)

Upstream-Status: Backport [https://launchpad.net/ubuntu/+source/base-passwd/3.5.30]
(From OE-Core rev: ec9e9497730f0a9c8ad3d696c8cdcec06267aacf)

Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ba3bc4d7a0a39a96f6e8d340e1b2654d47475f07)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Jiaqing Zhao
51e3b63427 strace: Don't run ptest as "nobody"
strace ptests can run successfully with root user, there is no need to
run as "nobody". The ptest results are the same.

(From OE-Core rev: c20a5f83e9f0483f5458513eeaaec60436dd9d68)

Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5ab213178c011152e29dfb0a80251c5e5ab79900)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Jiaqing Zhao
d7f2bec47a sed: Specify shell for "nobody" user in run-ptest
ptest testsuite/panic-tests.sh of sed needs to be run as a non-root user
so that the expected "sed: couldn't open temporary file <filename>:
Permission denied" error can be generated. After disabling default
shell for "nobody", a shell needs to be specified for running ptest.

(From OE-Core rev: 175001feb3b0e5b29cba94a8cdac18b429f84645)

Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c6d7216772f76af4429fdaaca518858cf014293f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Richard Purdie
c4668d6424 sanity: Don't warn about make 4.2.1 for mint
Whilst not a supported distro, we can exclude this from the warning as it
is debian derived and doesn't have the issue.

(From OE-Core rev: eeba7fdc2878b3c1e90c0babbcaf7711a2e42fc1)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b561e40f906737eec81245c6a12e78501311f667)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Dmitry Baryshkov
3009af101b image.bbclass: allow overriding dependency on virtual/kernel:do_deploy
Since the commit fe26b2379ecd ("image.bbclass: Depend on
virtual/kernel:do_deploy"), the image.bbclass made building images
depend on virtual/kernel. For some images, including small initramfs,
this is not the case. Allow overriding this dependency in case
developers know what they are doing.

(From OE-Core rev: 4caf244256e150fea19cd4f2ca04c13d95d49fee)

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 55875f68212657167ac6dc26f5fd93eac24b098e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Claudius Heine
0af576a3b0 overlayfs: add docs about skipping QA check & service dependencies
Add some documentation about skipping the QA check related to missing
fstab entries or mount units for base mount points where the overlayfs
is mounted from.

Also add a short paragraph about adding a systemd unit dependency to
services in recipes, so that they are started only after the overlayfs
is mounted and ready.

No functional change.

(From OE-Core rev: 4611cbab3e9593937b64b6db48ef269de37c74db)

Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7adc49fa6fdbdf118f74e95193e80ae7ef019e27)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Aryaman Gupta
0c68e5f599 e2fsprogs: update upstream status
Status updated but using the existing patch since it is functionally identical.

(From OE-Core rev: 9f2d85b383daeca5bbed601e4ff9ff01a8c3403f)

Signed-off-by: Aryaman Gupta <aryaman.gupta@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit aab854a94e73e5035eb82fe1aafe970aaa296a54)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alex Kiernan
524a41059d pypi.bbclass: Set CVE_PRODUCT to PYPI_PACKAGE
The CVE product name for PyPI packages is (usually) the same as the PyPI
package name (and not our recipe name), so use that as the default.

(From OE-Core rev: 80a1de36bc86a864d52292ef9770b77480f3c67b)

Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 61f6b0ad09bf87cdc2d3f08770b7c44cad1d0e58)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Richard Purdie
718700b20e cairo: Add missing GPLv3 license checksum entry
The trace tools are licensed under GPL-3.0-or-later but this wasn't
listed in LIC_FILES_CHKSUM. Fix that.

Ultimately we could disable that license if the trace PACKAGECONFIG is
disabled but I'll leave that to someone else if they're keen.

(From OE-Core rev: a27a0c3bceedf06de7ff8cae4a8fe4d2f6f514b8)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f763b906ea10705d519c9eebb5ef1ebe87d49d7c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Dmitry Baryshkov
eedfa5ace3 linux-firmware: upgrade 20220411 -> 20220509
License-Update: additional files
(From OE-Core rev: 9002274362b512142f66ea68ff9837a7dde8f830)

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 85b1fef733683be09a1efdb2d8b8ffe543053ace)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Konrad Weihmann
98481ac1de linux-firmware: replace mkdir by install
If a setup is using RPM for packaging and there are multiple
recipes that install to ${nonarch_base_libdir}/firmware by using
install -d ${nonarch_base_libdir}/firmware, it will create installation
clashes on image install, as linux-firmware before this patch
used mkdir -p, which creates different file mode bits (depending
on the current user's settings).

In a particular example
linux-firmware created /lib/firmware with 0600
while other-firmware-package created it with 0644
making the combination not installable by rpm backend

(From OE-Core rev: e16b9768a2e3eb931d11558f448149c16afa490b)

Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 98bf3f427702687bf81ed759e7cde5d6d15e77eb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Richard Purdie
0070210dee vim: Upgrade 8.2.4681 -> 8.2.4912
Includes fixes for CVE-2022-1381, CVE-2022-1420.

(From OE-Core rev: d1c0db32383812531b857729c585b3305e781cd9)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 77d745bd49c979de987c75fd7a3af116e99db82b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Jiaqing Zhao
708d015124 libxml2: Upgrade 2.9.13 -> 2.9.14
Security

[CVE-2022-29824] Integer overflow in xmlBuf and xmlBuffer
Fix potential double-free in xmlXPtrStringRangeFunction
Fix memory leak in xmlFindCharEncodingHandler
Normalize XPath strings in-place
Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars() (David Kilzer)
Fix leak of xmlElementContent (David Kilzer)

Bug fixes

Fix parsing of subtracted regex character classes
Fix recursion check in xinclude.c
Reset last error in xmlCleanupGlobals
Fix certain combinations of regex range quantifiers
Fix range quantifier on subregex

Improvements

Fix recovery from invalid HTML start tags

Build system, portability

Define LFS macros before including system headers
Initialize XPath floating-point globals
configure: check for icu DEFS (James Hilliard)
configure.ac: produce tar.xz only (GNOME policy) (David Seifert)
CMakeLists.txt: Fix LIBXML_VERSION_NUMBER
Fix build with older Python versions
Fix --without-valid build

(From OE-Core rev: 393b81058f3b970eb906a7f9daa842d8a0747700)

Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c4ba21f4012e8859fc793bec7df76e56eb8058ec)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alexander Kanavin
21da7a4def xwayland: upgrade 22.1.0 -> 22.1.1
Changes in XWayland 22.1.1 include:

- Not mapping the composite overlay window by default when running in rootless
  mode. This is being done since a client trying to get the COW, the X Server
  will map the window and block all pointer events.

- A change to the XWayland present queue code due to some Vulkan games/apps
  running in windowed mode only running at 58 FPS when in fact at 60 FPS for
  matching a 60Hz refresh rate. Incorrect calculation handling led to the MSC
  ticking at ~58Hz.

- Fixing use-after-free bugs.

(From OE-Core rev: 8b8f53ebf6bc265d495154fea3050fe8d7fbd256)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit aa0028e19651665f6671d7c57646cfc97c7ba763)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alexander Kanavin
7fb8cfd96c webkitgtk: upgrade 2.36.0 -> 2.36.1
This is the first bug fix release in the stable 2.36 series.

What’s new in the WebKitGTK 2.36.1 release?

- Fix the build with accessibility disabled.
- Fix several crashes and rendering issues.
- Translation updates: Croatian.

(From OE-Core rev: cf336712afc3899ef45c7f2ef5f6b081223a1269)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4ed608d33fe5f38bc172e0cc6d938ffab184a47a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alexander Kanavin
2b7d34e5ec sqlite3: upgrade 3.38.2 -> 3.38.3
2022-04-27 - Version 3.38.3
Version 3.38.3 fixes a bug in the automatic-index and Bloom filter construction
logic that might cause SQLite to be overly aggressive in the use of ON clause
constraints, resulting in an incorrect automatic-index or Bloom filter that excludes
some valid rows from output. The bug was introduced in version 3.38.0.
Other minor changes were tossed in to complete the patch.

(From OE-Core rev: c78ac7ef2d14a8b6167922a12e8c7f35c4b11bfb)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1efd89a4572bb2f39728fd53a1d4db944b06ff38)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alexander Kanavin
f5b41e7181 libinput: upgrade 1.19.3 -> 1.19.4
libinput 1.19.4 fixes CVE-2022-1215 with a format string vulnerability

(From OE-Core rev: 25b4ce85da67584e34194335e56bdcb4c8f083fa)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d32d51753aadf6c2747c79927dad0c9a044ad5df)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alexander Kanavin
713dea485f fribidi: upgrade 1.0.11 -> 1.0.12
Overview of changes between 1.0.11 and 1.0.12

- Various fuzzing fixes.

(From OE-Core rev: e42ff3c56228359f4dfa1de2303dfa64fd29f311)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5396115fc726f0a9f8a76d1b3ec27ea73062367b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alexander Kanavin
9bbf4f6ddb ffmpeg: upgrade 5.0 -> 5.0.1
version 5.0.1:
- avcodec/exr: Avoid signed overflow in displayWindow
- avcodec/diracdec: avoid signed integer overflow in global mv
- avcodec/takdsp: Fix integer overflow in decorrelate_sf()
- avcodec/apedec: fix an integer overflow in long_filter_high_3800()
- avdevice/dshow: fix regression
- avfilter/vf_subtitles: pass storage size to libass
- avcodec/vp9_superframe_split_bsf: Don't read inexistent data
- avcodec/vp9_superframe_split_bsf: Discard invalid zero-sized frames
- avcodec/vp9_superframe_bsf: Check for existence of data before reading it
- avcodec/vp9_raw_reorder_bsf: Check for existence of data before reading it
- avformat/imf: fix packet pts, dts and muxing
- avformat/imf: open resources only when first needed
- avformat/imf: cosmetics
- avformat/imf_cpl: do not use filesize when reading XML file
- avformat/imfdec: Use proper logcontext
- avformat/imfdec: do not use filesize when reading XML file
- doc/utils: add missing 22.2 layout entry
- avcodec/av1: only set the private context pix_fmt field if get_pixel_format() succeeds
- avformat/aqtitledec: Skip unrepresentable durations
- avformat/cafdec: Do not store empty keys in read_info_chunk()
- avformat/mxfdec: Do not clear array in mxf_read_strong_ref_array() before writing
- avformat/mxfdec: Check for avio_read() failure in mxf_read_strong_ref_array()
- avformat/mxfdec: Check count in mxf_read_strong_ref_array()
- avformat/hls: Check target_duration
- avcodec/pixlet: Avoid signed integer overflow in scaling in filterfn()
- avformat/matroskadec: Check pre_ns
- avcodec/sonic: Use unsigned for predictor_k to avoid undefined behavior
- avcodec/libuavs3d: Check ff_set_dimensions() for failure
- avcodec/speexdec: Align some comments
- avcodec/speexdec: Use correct doxygen comments
- avcodec/mjpegbdec: Set buf_size
- avformat/matroskadec: Use rounded down duration in get_cue_desc() check
- avcodec/argo: Check packet size
- avcodec/g729_parser: Check channels
- avformat/avidec: Check height
- avformat/rmdec: Better duplicate tags check
- avformat/mov: Disallow empty sidx
- avformat/argo_cvg:: Fix order of operations in error check in argo_cvg_write_trailer()
- avformat/argo_asf: Fix order of operations in error check in argo_asf_write_trailer()
- avcodec/movtextdec: add () to CMP() macro to avoid unexpected behavior
- avformat/matroskadec: Check duration
- avformat/mov: Corner case encryption error cleanup in mov_read_senc()
- avcodec/jpeglsdec: Fix if( code style
- avcodec/jpeglsdec: Check get_ur_golomb_jpegls() for error
- avcodec/motion_est: fix indention of ff_get_best_fcode()
- avcodec/motion_est: Fix xy indexing on range violation in ff_get_best_fcode()
- avformat/hls: Use unsigned for iv computation
- avcodec/jpeglsdec: Increase range for N in ls_get_code_runterm() by using unsigned
- avformat/matroskadec: Check desc_bytes
- avformat/utils: Fix invalid NULL pointer operation in ff_parse_key_value()
- avformat/matroskadec: Fix infinite loop with bz decompression
- avformat/utils: keep chapter monotonicity on chapter updates
- avformat/mov: Check size before subtraction
- avcodec/cfhd: Avoid signed integer overflow in coeff
- avcodec/libdav1d: free the Dav1dData packet on dav1d_send_data() failure
- avcodec/h264_parser: don't alter decoder private data
- configure: link to libatomic when it's present
- fate/ffmpeg: add missing samples dependency to fate-shortest

(From OE-Core rev: ccb87ec2f13b72c1f43a2ad96cd446533da4a666)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 90f35ceb209a51dfe0cd29e1d8646fcc501b7269)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alexander Kanavin
c8e81c00a9 epiphany: upgrade 42.0 -> 42.2
42.2 - April 21, 2022
=====================

 * Fix Save As context menu items (#1760)
 * Fix CVE-2022-29536 (#1766)

(From OE-Core rev: 75ade4ee2c1e417f295dde687d8f9c4da9a29eea)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 91b53781ee883f5f40d989e398064c294030fa53)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alexander Kanavin
6648bf972f cronie: upgrade 1.6.0 -> 1.6.1
Release 1.6.1

crond: Fix regression of handling ranges (x-y) in crontab

(From OE-Core rev: 251a5ec8d9694caa9e35690198604f6ee4bad537)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4bcd528050c01a1e7a3d1a847379833672900ad9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alexander Kanavin
ef9819dfb1 bind: upgrade 9.18.1 -> 9.18.2
Update to latest stable branch release

Bug Fixes

- Previously, zone maintenance DNS queries retried forever if the destination
  server was unreachable. These queries included outgoing NOTIFY messages,
  refresh SOA queries, parental DS checks, and stub zone NS queries. For example,
  if a zone had any nameservers with IPv6 addresses and a secondary server without
  IPv6 connectivity, that server would keep trying to send a growing amount of
  NOTIFY traffic over IPv6. This futile traffic was not logged. This excessive
  retry behavior has been fixed. [GL #3242]

- A number of crashes and hangs which could be triggered in dig were identified and
  addressed. [GL #3020] [GL #3128] [GL #3145] [GL #3184] [GL #3205] [GL #3244] [GL #3248]

- Invalid dnssec-policy definitions, where the defined keys did not cover both KSK
  and ZSK roles for a given algorithm, were being accepted. These are now checked,
  and the dnssec-policy is rejected if both roles are not present for all algorithms
  in use. [GL #3142]

- Handling of TCP write timeouts has been improved to track the timeout for each TCP
  write separately, leading to a faster connection teardown in case the other party
  is not reading the data. [GL #3200]

(From OE-Core rev: 297215735613b1c9512780580da2f84cf013a603)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5398263c8e070110a045a5f8999712ba4be628de)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alexander Kanavin
1b98b19017 mesa: upgrade 22.0.0 -> 22.0.2
Mesa 22.0.1 is a bug fix release which fixes bugs found since the 22.0.0 release:

freedreno: crash in PUBG
MSVC: Build failure in libmesa_util when targeting x86 32-bit
A crash in radeonsi driver
freedreno: deqp cts fails

Mesa 22.0.2 is a bug fix release which fixes bugs found since the 22.0.1 release:

Vulkan::Calling vkWaitForFences Timeout
Intel (CHT) - Uplink text rendering bugged out in Mesa 22.0
gen9atom gpu hang on dEQP-VK.spirv_assembly.instruction.graphics.float16.arithmetic_1
bad memory management on panfrost RK3399 - cannot allocate more ram - fury unleashed
Broken rendering in Ryujinx on Tigerlake
intel: integer_mad_hi / integer_mad_sat / integer_mul_hi produce invalid results
Textures colors distortion in “Black Geyser: Couriers of Darkness” with radeonsi
ShaderStorageBlocksWriteAccess not set for spir-v shaders?
radeonsi dEQP-GLES3.functional.buffer.map.write.explicit_flush.* flake crashes
radv: nir validation error with invalid array access
Intel Iris Xe Geometry Flickering/Assets Disappearing
Rendering artifacts when playing Outer Wilds [Reproducible with latest ANV driver built from main]
Vulkan wsi leaks vk_sync object on every wsi_AcquireNextImageKHR call
panfrost(RK3399/T860): Emulationstation: broken, black or missing menus with v22.0.0
Plasma/KDE settings menus disappear on daily build
Square Artifacts Dragons Dogma
r300: Amnesia the dark descent corruption
Error compiling with LLVM-git/15

(From OE-Core rev: 34f6d4763fc3bad1382551fd863f96e556b5f6cc)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f3e9444968fd47b3c8e0b2ee7b1b17f43a6bd56b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Khem Raj
226c321269 systemd: Fix build regression with latest update
This happens when ptest is enabled with clang compiler

(From OE-Core rev: 53b7b68a7b84e6feef3d78e25dbdd8d053e921db)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a1f51bae8e4717da2375b9a476c368554a795487)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Alexander Kanavin
72f4f94d4e systemd: upgrade 250.4 -> 250.5
Latest stable branch update

Drop 0029-network-enable-KeepConfiguration-when-running-on-net.patch as
patch merged upstream.

Changes:

4a31fa2fb0 (tag: v250.5) hwdb: run "update-hwdb-autosuspend"
e92e2d0e3b hwdb: run "update-hwdb"
e1e4395775 hwdb: make sure "ninja update-hwdb" works on f35
1fe496fc3b hwdb: fix parser to work with newer pyparsing
32e7c65372 manager: prohibit clone3() in seccomp filters
45335a3eed nspawn: fix --ephemeral with --machine
79b86adcbd nspawn: fix locating config files with --ephemeral
c202d402d9 resolve: fix typo in dns_class_is_pseudo()
9f689fda54 sd-ipv4acd: actually drop the arp packet from one of the host interface
e3d57bc301 sd-event: make inotify event work after the process is forked
a5fc32fa34 sd-event: do not kill a child process from another child
c36ab05b4f sd-event: do not update signal fd after PID is changed
e006b56c18 sd-event: set pid to event source after all setup processes finished
d2e3b5a841 sd-event: rebreak comments
6673131917 core: fix dm-verity auto-discovery in MountImageUnit()
10ee46a2ca analyze: Fix verify exit status regression
df6253cbda hwdb: fix parsing options
9727b9ee7b core: command argument can be longer than PATH_MAX
12f05b856c network: ignore all errors in loading .network files
b5dfdf0301 analyze: fix offline check for syscall filter
8ed1490de6 analyze: fix offline check for 'native' syscall architecture
72d0c6b171 missing-syscall: define MOVE_MOUNT_T_EMPTY_PATH if missing
bba396d78c journal-remote: refuse to specify --trust option when gnutls is disabled
8d4c0d2383 calendarspec: fix possibly skips next elapse
d9ea8dab6d copy: use FLAGS_SET() in copy_xattr()
077ca08b38 journal: preserve acls when rotating user journals with NOCOW attribute set
25b3c48ec5 macro: account for negative values in DECIMAL_STR_WIDTH()
8f2f6a94d8 network: enable KeepConfiguration= when running on network filesystem
61649fbada stat-util: introduce path_is_network_fs()
3f6e62eccb network-generator: rename DHCP_TYPE_DHCP -> DHCP_TYPE_DHCP4
a7585a3a38 hwdb: Add AV production access to Elgado Stream Deck devices
18c0096ec2 Add AV production controllers to hwdb and add uaccess
2298094b2c packit: drop bfq patch
7cda67d4f4 packit: build on and use Fedora 36 spec file
056bae9f1b Packit: build SRPMs in Copr
6253eb576c journal-file: if we are going down, don't use event loop to schedule post
c901bc8680 journald: make sure SIGTERM handling doesn't get starved out
ed46ff2bd6 random-seed: hash together old seed and new seed before writing out file
6d3e2f0188 resolved: Allow test-resolved-stream to run concurrently
781b2b2e66 resolved: Read as much as possible per stream EPOLLIN event
03692af607 resolved: Avoid multiple SSL writes per DoT packet
3227f542a7 resolved: Make event flags logic robust for DoT
9c710c66c3 resolve: llmnr: fix never hit condition
d65808ef7e resolve: mention that dns_stream_update() needs to be called after dns_stream_take_read_packet()
b2f82f643a resolve: call dns_stream_take_read_packet() in on_stream_io()
fe4c208c98 resolve: make dns_stream_new() take on_packet and complete callbacks
f447648ae4 resolved: Test for DnsStream (plain TCP DNS and DoT)
88b4e8f74e resolved: Fix DoT timeout on multiple answer records
d5b871bdfe test: increase image size
c3aead5568 random-util: unify RANDOM_ALLOW_INSECURE and !RANDOM_BLOCK and simplify

(From OE-Core rev: 43e2cd211230ea32e4903f9891fda2e4b0f63cc4)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e07ba76fc78b44f338e574644a8ae3b6cddc9f08)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Davide Gardenal
e977c0cf23 qemu: backport patch for CVE-2021-4207
CVE: CVE-2021-4207

Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895

(From OE-Core rev: 4150733448aee4c27340565a4f79c86d160b2b08)

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Davide Gardenal
d6e618ac2e qemu: backport patch for CVE-2021-4206
CVE: CVE-2021-4206

Upstream fix:
https://git.qemu.org/?p=qemu.git;a=commit;h=fa892e9abb728e76afcf27323ab29c57fb0fe7aa

(From OE-Core rev: 0e684c12a762534261fcd7849fdcda0bb8031c0b)

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Davide Gardenal
cf9a7e4cc6 freetype: backport patch for CVE-2022-27406
CVE: CVE-2022-27406

Upstream issue:
https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140

(From OE-Core rev: 2c1df19405e2f52b06feec0506ad56cef7d4c6c1)

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Davide Gardenal
c27fdfb851 freetype: backport patch for CVE-2022-27405
CVE: CVE-2022-27405

Upstream issue:
https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139

(From OE-Core rev: 6ec1c9237837e9d781647805eb2caabcdbaddb7b)

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Davide Gardenal
7f44415639 freetype: backport patch for CVE-2022-27404
CVE: CVE-2022-27404

Upstream issue:
https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138

(From OE-Core rev: af45711f0ab36a1b63fa338755f9a51b227393d1)

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-20 10:08:06 +01:00
Richard Purdie
8c489602f2 build-appliance-image: Update to kirkstone head revision
(From OE-Core rev: cb8647c08959abb1d6b7c2b3a34b4b415f66d7ee)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-15 08:59:10 +01:00
Davide Gardenal
93491db3bf openssl: minor security upgrade 3.0.2 -> 3.0.3
This minor version includes fixes for several CVEs

CVE: CVE-2022-1292
CVE: CVE-2022-1343
CVE: CVE-2022-1434
CVE: CVE-2022-1473

(From OE-Core rev: 62bc43a8ca705384fb60742f2f044f4355aaabca)

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-15 08:57:40 +01:00
Steve Sakoman
546d7cfea4 virgl: skip headless test on alma 8.6
As a centos 8 spinoff, it lacks the same vgem kernel module.

(From OE-Core rev: 451605aa40482516c18cd1534feacb796516a785)

(From OE-Core rev: 66622dac0ed987162c740536f56973f17879198a)

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-15 08:49:20 +01:00
Jon Mason
8941afebd1 qemuarmv5: use arm-versatile-926ejs KMACHINE
Use the Arm Versatile 926 kernel configs to get this machine working
again.

(From OE-Core rev: 70ad00a6e8370a4603494003abdf98c3b33cf7f8)

Signed-off-by: Jon Mason <jdmason@kudzu.us>
Acked-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-13 10:31:23 +01:00
Richard Purdie
ca27d0e613 abi_version/sstate: Bump hashequiv and sstate versions due to git changes
The autobuilder sstate was corrupted via incorrect equivalences caused by
the security fix to git and the poor interaction that had with SCM version
checks under fakeroot/pseudo. Bump the versions to enable a clean slate
to work off.

(From OE-Core rev: 69f2d0822462e77d09b4781dcec41a0747e4d387)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3b6672730372e130d4d72b683fc3150911964745)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:06 +01:00
Richard Purdie
667ea36429 package: Ensure we track whether PRSERV was active or not
Currently the signatures for do_packagedata don't reflect whether PRServ
was active or not. This means that if you have mixing of PRServ usage and
non PRServ usage against the same sstate cache it can rarely become
corrupted with one referencing the other.

This likely doesn't happen in general but does on the autobuilder as PRServ
is tested. Add in some variables to ensure the binary state of PRServ being
enabled or disabled is tracked (but not the server value). We continue to
assume one PRServ is used per sstate cache.

(From OE-Core rev: 4c2f429d6876c29b17931daa039c4899aacd7234)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dd660e5c3fb74f7c4b7b8e863f7143066ae22813)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:06 +01:00
Ross Burton
38c8316155 Revert "bitbake.conf: mark all directories as safe for git to read"
Turns out this doesn't actually work, as git doesn't respect the environment
when reading the safe.directory configuration variable.

This reverts commit d4a5862ce8.

(From OE-Core rev: 73087e3c4bf6792c37f0a9d8d006c09856d36b13)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e28dd48ffb84c8bb4356d889b70a4b876c8bbaf3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:06 +01:00
Richard Purdie
74522a6048 base: Avoid circular references to our own scripts
We'd like to intercept git calls but we don't want circular references
and HOSTTOOLS currently sets them up. Tweak to avoid them.

(From OE-Core rev: 9f4acb8d8b47349e7a4adbb25842a94c0947469a)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 52c37e133fa55846aca2248ffcf3a10648dbb8d7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:06 +01:00
Ross Burton
6c843a5069 oeqa/selftest: add test for git working correctly inside pseudo
The fix for CVE-2022-24765 in git[1] breaks any use of git inside
pseudo. Add a simple test case to oe-selftest to verify that at least
basic uses of git work fine under pseudo.

[1] 8959555cee

(From OE-Core rev: 3fafd22233be8961801fa541969383b5b8444dee)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 46822268040a23dbb81f71fe35aee8c2663a31f6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:06 +01:00
Davide Gardenal
c5580a0571 rootfs-postcommands: fix symlinks where link and output path are equal
When creating the manifest and the testdata.json links, if the link
name is equal to the output name the link is not created, otherwise
it is. This prevents a link-to-self in the first case.

(From OE-Core rev: e69a1533dfb8ceb5b91610f2ab8b3da575fcc36e)

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bed63756c56f296ff3d5a7eef66e978bd19f1008)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:06 +01:00
Davide Gardenal
dd08692cac cve-check: fix symlinks where link and output path are equal
An if statement now checks if the link and output path are
the same, if they are then the link is not created,
otherwise it is.

(From OE-Core rev: 2fd7f3b7dc964b59b268dd4a34761f9f71f61c25)

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 2f024c0236c4806f0e59e4ce51a42f6b80fdf1b3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:06 +01:00
Davide Gardenal
645c157bef cve-check: add JSON format to summary output
Create generate_json_report including all the code used to generate the JSON
manifest file.
Add to cve_save_summary_handler the ability to create the summary in JSON format.

(From OE-Core rev: 8a79c476706b25e5c707c65b4e46b6e940874bd6)

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit f2987891d315466b7ef180ecce81d15320ce8487)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:06 +01:00
Marta Rybczynska
b7601c92ff cve-update-db-native: let the user to drive the update interval
Add a new variable CVE_DB_UPDATE_INTERVAL allowing the user to set
the database update interval.
 - a positive value sets an interval (in seconds)
 - a zero ("0") forces the database update

(From OE-Core rev: 0007dd0edb39123201a46886a4e71d001c118ddf)

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fe7bc6f16184d5ebdb1dd914b6dcb75c9e5e0c9c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:06 +01:00
Marta Rybczynska
fc56536e8a cve-update-db-native: update the CVE database once a day only
The update of the NVD database was expected to happen once per hour.
However, the database file date changes only if the content was actually
updated. In practice, the check worked for the first hour after the
new download.

As the NVD database changes usually only once a day, we can just
update it less frequently.

(From OE-Core rev: 27b1cb83ec666cc91930f2a7b5a6282fde77c730)

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 35bccdedadeaba820d58b69fe74ce5e4c1f577e3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:06 +01:00
Ross Burton
e163bed574 cve-check: no need to depend on the fetch task
The only part of the cve-check task which needs files is the patch
examination, and typically these patches are local so fetch isn't needed.

(From OE-Core rev: a76b642736d78cd4dec0ae264da6d0ffd4e9aaf7)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c9b3186d3b7c18cbea239ab9b06e85b7c243b54)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:06 +01:00
Bruce Ashfield
b1a9c64d5d strace: fix ptest failure in landlock
Kernel commit:

  commit 3d4b396a616d0d67bf95d6823ad1197f6247292e
  Author: Christian Brauner <christian.brauner@ubuntu.com>
  Date:   Mon Oct 11 15:37:04 2021 +0200

      landlock: Use square brackets around "landlock-ruleset"

      commit aea0b9f2486da8497f35c7114b764bf55e17c7ea upstream.

      Make the name of the anon inode fd "[landlock-ruleset]" instead of
      "landlock-ruleset". This is minor but most anon inode fds already
      carry square brackets around their name:

          [eventfd]
          [eventpoll]
          [fanotify]
          [fscontext]
          [io_uring]
          [pidfd]
          [signalfd]
          [timerfd]
          [userfaultfd]

      For the sake of consistency let's do the same for the landlock-ruleset anon
      inode fd that comes with landlock. We did the same in
      1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
      for the new mount api.

      Cc: linux-security-module@vger.kernel.org
      Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
      Link: https://lore.kernel.org/r/20211011133704.1704369-1-brauner@kernel.org
      Cc: stable@vger.kernel.org
      Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Changed the format of the landlock tracing. We need to update the strace
expected string to match.

Upstream-Status: Submitted [https://lists.strace.io/pipermail/strace-devel/2022-April/011064.html]

(From OE-Core rev: 0268bc1ed04212acdb5b08e57334ed367042c1a2)

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bf7d885aef06f6208533dd5fab45ee8e92d6d6d7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:05 +01:00
Bruce Ashfield
17fe9070f9 linux-yocto/5.15: fix qemuarm graphical boot
During the cleanup/refactoring of qemuarm* we dropped a PCI option
that is required for graphical boot. The configuration is fixed to
create a separate fragment, which just enabled the minimum and we
include it into qemuarma15 standard/preempt-rt.

Integrating the following commit(s) to linux-yocto/5.15:

    fcf48627ea5 qemuarma15: include pci-of-generic support

(From OE-Core rev: ccd27ea8b8e179b7eb0526ed1416ca674c9d295e)

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 375366bd16619b14f718f96a9235d0936cae97ac)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:05 +01:00
Khem Raj
533d5ae8c4 linux-yocto: Enable powerpc-debug fragment for ppc64 LE
qemuppc64 is LE by default, this fixes kernel build for qemuppc64 with
gcc12

(From OE-Core rev: fea79d18807c82e5aad3be5a4c9261c8f3ad95cd)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f1674f1aeff5d2b3b2e79cc68ce1156f79eed548)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-05-12 16:44:05 +01:00