CVE is effectively disputed - yes there is stack exhaustion but no bug and it
is building the parser, not running it, effectively similar to a compiler ICE.
Upstream has no plans to address and there is no security issue.
https://github.com/westes/flex/issues/414
(From OE-Core rev: e2de2e5e977d84dab6cb1461800d4c29436da5c9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0cae5d7a24bedf6784781b62cbb3795a44bab4d1)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2021-31810:
A malicious FTP server can use the PASV response to trick Net::FTP into
connecting back to a given IP address and port. This potentially makes
Net::FTP extract information about services that are otherwise private
and not disclosed (e.g., the attacker can conduct port scans and service
banner extractions).
CVE-2021-32066:
Net::IMAP does not raise an exception when StartTLS fails with an
unknown response, which might allow man-in-the-middle attackers to
bypass the TLS protections by leveraging a network position between the
client and the registry to block the StartTLS command, aka a “StartTLS
stripping attack.”
References:
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
Patches from:
bf4d05173ce2ac25d0eb
(From OE-Core rev: e14761916290c01683d72eb8e3de530f944fdfab)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
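An added illustration of the two client-side checks that CVE-2021-31810 and CVE-2021-32066 call for. It is not part of this commit or of the upstream Ruby patches; the method names, the `trust_pasv_host` option and the sample replies are constructed for the example.

```ruby
require "ipaddr"

# Hypothetical helper names; this is not Net::FTP or Net::IMAP code.
class UntrustedServerReply < StandardError; end

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and decide where the
# data connection goes. The host in the reply is chosen by the server, so by
# default it is ignored in favour of the control connection's peer address;
# only the port is taken from the reply.
def pasv_endpoint(reply, control_peer_ip, trust_pasv_host: false)
  m = /\A227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/.match(reply)
  raise UntrustedServerReply, "malformed PASV reply: #{reply.inspect}" unless m

  octets = m.captures.map(&:to_i)
  raise UntrustedServerReply, "octet out of range" if octets.any? { |o| o > 255 }

  advertised = IPAddr.new(octets[0, 4].join("."))
  peer = IPAddr.new(control_peer_ip)
  port = (octets[4] << 8) | octets[5]
  host = trust_pasv_host ? advertised : peer
  # redirected: true is worth logging; the server pointed us somewhere else.
  { host: host.to_s, port: port, redirected: advertised != peer }
end

# Decide whether TLS may start after the client sent "<tag> STARTTLS".
# Only a tagged OK counts. NO, BAD, a reply for another tag, or anything
# unrecognised raises, so the session never continues in cleartext.
def starttls_accepted!(tag, response_line)
  reply_tag, status, = response_line.strip.split(" ", 3)
  return true if reply_tag == tag && status&.upcase == "OK"

  raise UntrustedServerReply, "STARTTLS not confirmed: #{response_line.inspect}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed replies: the first advertises an address other than the peer.
  p pasv_endpoint("227 Entering Passive Mode (10,0,0,5,0,22)", "203.0.113.7")
  p starttls_accepted!("A001", "A001 OK Begin TLS negotiation now\r\n")
end
```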
It is not safe to call the 'file' command from multiple threads. When a
file is checked with multiple threads in parallel, the file descriptors
might get shared which makes the pipe handling lock up, leading to lock
up in rpmbuild. This may rarely lead to a deadlock in random recipes'
do_package task.
(From OE-Core rev: 167814b81ddac3934077b0ee91c0c6015fc02bfe)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
e2fsprogs calls filesystems larger than 3MB but smaller than 512MB
"small", which has some implications:
- blocksize 1024 instead of 4096
- inode_ratio 4096 instead of 16384
- inode_size 128 instead of 256
The outcome of the inode size dropping to 128 bytes is that they cannot
store 64-bit timestamps, so are not Y2038-safe.
A previous attempt to solve this problem[1] changed some of the canned
wic files to pass -T default to mkfs.ext4, but this only covered wic
images and not traditional images. Also, actually small filesystems,
for example a core-image-minimal, will happily be tens of megabytes and
with the "default" options will result in an image which runs out of
blocks before it runs out of space:
mkfs.ext4: Could not allocate block in ext2 filesystem while populating file system
Considering that many OpenEmbedded images are in fact "small", being
2038-safe is worth the marginal increase in disk usage. This patch
alters the small configuration in native builds so that it also has
256-byte inodes. Target is unchanged so that standard behaviour is
maintained outside of the build.
This is actually the same underlying patch that Mathieu Dubois-Briand
sent in April, but the wic change in [1] was accepted instead. I believe
that is the wrong approach and this approach covers more cases.
[ YOCTO #14478 ]
[1] openembedded-core eecbe62
[2] https://lists.openembedded.org/g/openembedded-core/message/150298
(From OE-Core rev: e89bac87c91e943060662be04775a1ff8e4c4f22)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9ab0ae83a24ee99e69f8ac54256b253a122aef8a)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix a slew of CVEs (CVE-2021-3544, CVE-2021-3545, CVE-2021-3546) by
backporting the relevant patches from qemu's git.
(From OE-Core rev: ce850a5ce84f949d3114024c89ae3dd98fcbef41)
(From OE-Core rev: 8eb55f9eba667ab509baeb4328f9a080aa10e3fe)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ce850a5ce84f949d3114024c89ae3dd98fcbef41)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In the SDK, calling createrepo-c failed with:
...
$ createrepo_c --update ./test_repo/rpm
Directory walk started
Critical: Failed to detect compression for file ./test_repo/rpm/cortexa72/hello-2.10-r0.cortexa72.rpm: magic_load() failed: could not find any valid magic files!
...
Since commit [ea666fbc74 createrepo-c: set path to magic database for
native and nativesdk] was applied, MAGIC has been incorrectly assigned.
The variable datadir will be expanded automatically for nativesdk, so
there is no need to add the prefix ${SDKPATHNATIVE} to MAGIC.
(From OE-Core rev: d99b4dac74add826aa63ecb20c427d2884985329)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 54368f1b02e1ac4aa068515730a8c8bcd3683eb3)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Recently, the none/tests/amd64/fb_test_amd64 test had been flaky and
causing failures on the auto-builder. Until we can get to the root cause
of the issue, we are going to skip the test to reduce the noise from the
ptests.
(From OE-Core rev: 697eb7f2a5d20aa0ad7389efd68420ec59daca32)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a365cd7a358db96791033e6dc6e45d2e816d3e4c)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This updates to the latest pseudo version which includes:
Revert "client: Fix some compiler warnings"
ports/linux: Always build statx support
makewrappers: Handle parameters marked as nonnull
client: Fix some compiler warnings
wrappers: Avoid -Wcast-function-type warning
In particular, this pseudo version always has statx enabled which means
we can then remove the need to make pseudo-native host distro specific
which fixes an eSDK issue.
(From OE-Core rev: bcf74e0d048754ed46bda90cd582320d0df2a4ad)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 58cc70940ff998be49a9b89e1ad0538242cb7998)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When building pseudo-native to work with uninative, we need to ensure the
configuration will work on all supported target systems. This means
"new clone" semantics, xattr and statvfs support in particular. It is
extremely unlikely we'd run on a system without any of these but add
a check just to be sure when uninative is enabled.
(From OE-Core rev: 496f0cd63aaeedbff625eb687f20ace951faf6f1)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ea5b208ee25752bea6037cd0f3b28da7d2c9905e)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport the body of a fix for CVE-2021-3572 since hardknott carries
20.0.2, and the delta between it and the latest 21.1.3 is more than just
bugfixes.
CVE: CVE-2021-3572
(From OE-Core rev: fb7a2af241795b82f121381cea6f4b56ce948ebf)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We use dwarfsrcfiles in package.bbclass to list the source files used by a binary.
This is done before they're stripped and linked to debug symbols in separate files.
It is possible a binary may already have a link to separate debug symbols, e.g.
some of the test binaries in lttng-tools ptest. In those cases, the linked binary
may be changed by package.bbclass code whilst dwarfsrcfiles is reading it. That
would result in a rare SIGBUS race causing the binary to fail.
To avoid this, break the debug file search path so no other binaries are found.
Also fix a segfault if no binary is specified while here.
[YOCTO #14400]
(From OE-Core rev: 52382a03c10a6985ecb6ada24523cb9daf9c6201)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit efef732859e265533acf16f2f4da3b29d50e0df4)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Previously there was logic as below used to set libpth in config.sh.
libpth='@LIBDIR@ @BASELIBDIR@'
But after the below commits were introduced, the above logic was dropped.
52f2828314 perl: add a version that builds the recipe using perl-cross, and update to 5.28.1
68552c3532 perl: remove the previous version of the recipe
So correct the value of libpth and glibpth to add the dropped logic
back to avoid confusion.
Before the patch (on a 64-bit system):
# perl -V:libpth
libpth='/usr/lib /lib';
After the patch (on a 64-bit system):
# perl -V:libpth
libpth='/usr/lib64 /lib64';
(From OE-Core rev: afe58be55b4efc360420a00cbcf60dd5d99ed556)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a494de43c3ccdcf7af988765ae5c3a95bc20c567)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Install list of non-deterministic threaded ptests to be run using taskset
to force them to a single core. This commit works with b318944d7, which
updated the testing script to run the non-deterministic tests separately
but didn't install the list of tests, so these tests were being run
without taskset.
The taskset_nondeterministic_tests file is the list of tests that will
be run separately with taskset, and ignored during the other tests. This
is installed to /usr/lib/valgrind/ptest similar to the 2 existing lists
for tests to skip on ARM and all architectures.
Removed bar_bad and bar_bad_xml to be included separately as they cause
issues on non-kvm QEMU instances.
See:
b318944dd7 valgrind: Improve non-deterministic ptest reliability
for more info.
(From OE-Core rev: f076edb7515ba2ecfc0adbfdf30ae5a9aa96e231)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3d23985d0d653844863ed513d75d93a36359992f)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit removes the stack_changes ptest from aarch64 devices.
This test is buggy and fails almost 100% of the time in qemuarm64.
In general, many of the valgrind tests are more likely to fail on
qemuarm64 vs native x86_64.
This test previously worked on gatesgarth and dunfell, but has
been failing since hardknott. It might be due to a recent change
in the cross-compiler or glibc.
The test runs fine when running natively on arm on a Raspberry Pi.
Until we can find the root cause for the failures, this shorter
term solution should clear up some of the noise from the autobuilder
from a known failure.
(From OE-Core rev: 731d0e9c6921a3ac82e5172e5c7a6088e80243ef)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 82d6411b80a46d8ec0258ca75c3c80dc6128d44e)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Several of the valgrind tests (particularly helgrind) are unreliable and
can fail with a different output.
Particularly, there is a higher chance of failure on QEMU instances with
SMP enabled and on systems with more interrupts such as laptops on powersave.
The tests have been reported upstream as being unreliable dating back
over 5 years, due in part to the ordering of threads during
an "unwinding" process in helgrind.
https://bugs.kde.org/show_bug.cgi?id=345121
https://bugs.kde.org/show_bug.cgi?id=430321
A workaround to improve the reliability of such tests is to force them
to run on a single CPU core using taskset. This greatly reduces the
chance of a failure.
From my testing, I have found it can help reduce the rate of failures
on both a laptop and QEMU by over 5x. Stress-testing in QEMU for several
hours did not result in a failure while running the test normally did.
The flaky or undeterministic thread-based tests are defined in the
taskset_nondeterministic_tests file. These test cases will be run with
taskset 0x00000001 to run on a single CPU core rather than the regular
test.
The edited run-ptest executes the flaky tests first, then ignores them
to not duplicate the results from the main tests. Everything modified is
restored when testing is complete.
The drawback is that this isn't a foolproof solution. It helps the tests
fail much less frequently, and considering how this issue has been documented
for a long time, a workaround such as this is needed.
(From OE-Core rev: 79ec1d73a107277586d3d8e9c0d46dfc0ac2b0d8)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b318944dd72ca7b0408e955f3599381ab3ac3ba8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The git repo for pkg-config was changed, so update the
SRC_URI accordingly with the new link.
(From OE-Core rev: 07f223048a5b8ac3cb828a68b6069825c8d656ae)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-Update: Corrected license information
flex package is under two licenses:
- "BSD-3-Clause" is provided in top-level COPYING file; the license
actually includes the third obligation (without the actual "3" numbering)
- "LGPL-2.0+" is explained by src/gettext.h
(From OE-Core rev: f5c5763ae530f6c6b53d0ab510b62b9ae77a5f81)
Signed-off-by: Dmitry Kisil <d.kisil@inango-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVEs affect ESP (NCR53C90) part of chip STP2000 (Master I/O).
On Sparc32 it is the NCR89C100 part of the chip.
On Macintosh Quadra it is NCR53C96.
Both are not supported by yocto.
(From OE-Core rev: e3ded54f9fd089382e6304604ca02d2305f16f21)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Before, ccache's configure stage built HTML documentation and man pages
depending on if asciidoc is installed. This patch makes it configurable.
Pass the new cmake option ENABLE_DOCUMENTATION along and add the
asciidoc dependency if necessary.
This fixes an issue when ccache's configure stage found asciidoc/a2x on
the system outside of the sysroot (e.g. installed via 'apt install
asciidoc'). ccache would then decide to build docs and manual pages, but
would fail during compilation: the system's a2x could not find the
system's asciidoc because it did not reside in the set PATH.
By enabling/disabling docs/man page generation explicitly and adding
asciidoc to DEPENDS as necessary, this is no longer an issue.
[ This corresponds to commit b0aedd74 and parts of commit 1eedc5f8,
with the patch replaced by the upstream version. ]
(From OE-Core rev: 3ca3c890834152597d8440b77e3d2767ca72c7a6)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE is non-specific and depends on the users of jquery, doesn't
make sense to have this flagged against jquery as there is nothing we can
do about it.
(From OE-Core rev: 6f422e966fdc1e62ff0e48d3382ec246ff8bd998)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The issues were investigated and found not to be an issue therefore
exclude from checks.
(From OE-Core rev: 7c7c3f3dd3bf7dc34f26d931acf562e93c45e807)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE applies to the built-in VNC server but we don't enable this by default.
(From OE-Core rev: 9ac9f2709a45fc7ce5b3b9a1a5e4f2e116ec2bb7)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE applies to virglrender before 0.6.0 which we don't have.
(From OE-Core rev: d8df88018fc90b2ff039ef58249f8581d22b1cc6)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9b5355375d028577de0b98e05992de6a088cb972)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
runtest returns an error due to missing expect on the target.
Add expect as a runtime dependency.
(From OE-Core rev: 9dc044fdbd20085dfa99fd4a7189763365334ede)
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d9a3a08edc1efcbe7b02e80be98370792d3c6cc2)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The previous fix was in the right direction but needed to account
for the section alignment of the current section. Tweak the patch
to handle this.
(From OE-Core rev: 69e5a81ceeba3104ba5954dadc7c65cfa4b1be9b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e464efc07a8997c43998a9c6a9544be11ab4f303)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Improved note section normalization was added to patchelf in recent versions;
however, it fails if there are two note sections which aren't sized to match
section alignment. Tweak the code to account for section alignment.
This fixes patchelf failures on the autobuilder, particularly to ccache-native.
(From OE-Core rev: 8a051bf055623f1ef5ca94d9291162ac7ce871c6)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fee8dde0d597b511b37d8dcf215e8355980d5f2b)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport a patch from upstream to fix an error:
patchelf: cannot normalize PT_NOTE segment: non-contiguous SHT_NOTE sections
seen on our ubuntu1604 autobuilder worker.
(From OE-Core rev: 738530b30c2538f7ecd151c0f0f5283075230bab)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 80e8f7d34d7032cc94b61bf155eac7648e6b6c74)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>