When making checkouts from git, the timestamps can vary and occasionally two files
can end up with the same stamp. This triggers make to regenerate ru.cp1251.po from
ru.po for example. If it isn't regenerated, the output isn't quite the same leading
to reproducibility issues (CP1251 vs cp1251).
Since we added all locales to buildtools tarball now, we can drop the locale
restrictions too. We need to generate a native binary for the sjis conversion
tool so also tweak that.
(From OE-Core rev: 14982eabcdb96c2f7ef9e28d6c0daedb53aa96c4)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
import patch from ubuntu curl_7.68.0-1ubuntu2.20.
minor change to CVE-2023-28321.patch tests/data/test1397 part
so the patch can be apply.
(From OE-Core rev: 5cc1f487928df04c58709dd88ef6c17c171da7a5)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The fix of CVE-2023-29383.patch contains a bug that it rejects all
characters that are not control ones, so backup another patch named
"0001-Overhaul-valid_field.patch" from upstream to fix it.
(From OE-Core rev: ab48ab23de6f6bb1f05689c97724140d4bef8faa)
Upstream-Status: Backport
[e5905c4b84
&
2eaea70111]
(From OE-Core rev: a53d446c289f07854e286479cd7e4843ddd0ee8c)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
import patch from ubuntu setuptools_45.2.0-1ubuntu0.1 .
(From OE-Core rev: a939696d7c70c42e404ec30a9d75e5ea4f742c78)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
take CVE-2021-3782.patch from OE-core rev 09b8ff8d2361b2db001bc963f481db294ccf2170.
(From OE-Core rev: 9c3f494bf54c4d4b7ec776ab18d900bf9fbd042a)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This test will fail any time the host has libdrm > 2.4.107
(From OE-Core rev: ff7dbcc0206203e2ece68ca91a37050a4bc822a2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There are cached reproducibility issues on the autobuilder due to CFLAGS
issues, flush the bad data out the system by bumping the versions.
(From OE-Core rev: f398c84405913bd8038c007f43f991f54d136571)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Currently lz4 uses it's own defaults which include O3 optimization.
Switch from O3 to bitbake default O2 reduces binary package size
from 467056 to 331888 bytes. Enables also building with Os if needed.
(From OE-Core rev: af571c0841265dfa4bd87546080e499336a37fcc)
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit abaaf8c6bcd368728d298937a9406eb2aebc7a7d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Branch 'master' renamed to 'unstable', which causing following failure.
Error:
Fetcher failure: Unable to find revision cb19bbfbe7e52174332f68bf2f295b39d119fad3 in branch master even from upstream
Switch to 'unstanble' branch.
(From OE-Core rev: d4b96dc1e457b4e68c5bad685ffcfd2f250162e7)
Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Branch 'assimp_5.0_release' is not present in repo.
Error:
assimp-5.0.1-r0 do_fetch: Fetcher failure: Unable to find revision 8f0c6b04b2257a520aaab38421b2e090204b69df in branch assimp_5.0_release even from upstream
Set nobranch=1, to fetch from v5.0.1 tag.
(From OE-Core rev: 4bd92b9621909b8b528b648529baaaa48bc1c424)
Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We don't make do_cve_check depend on do_unpack because that would be a
waste of time 99% of the time. The compromise here is that we can't
scan remote patches for issues, but this isn't a problem so downgrade
the warning to a note.
Also move the check for CVEs in the filename before the local file check
so that even with remote patches, we still check for CVE references in
the name.
(From OE-Core rev: 32a19dfbaac38cd4864281a1131ac65e1216318f)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0251cad677579f5b4dcc25fa2f8552c6040ac2cf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Occasionally the cve-check tool will warn that it is adding the same
package twice. Knowing what this package is might be the first step
towards understanding where this message comes from.
(From OE-Core rev: e3574760ee59c1ca7d2698f09ddd37ee568f04f3)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c1179faec8583a8b7df192cf1cbf221f0e3001fc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The JSON report generated by the cve-check class is basically a huge
list of packages. This list of packages is, however, unsorted.
To make things easier for people comparing the JSON, or more
specifically for git when archiving the JSON over time in a git
repository, we can sort the list by package name.
(From OE-Core rev: 5a509bc6f26247cc7561189d582c91816042fd91)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e9861be0e5020830c2ecc24fd091f4f5b05da036)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This reverts commit 45ce9885351a2344737170e6e810dc67ab3e7ea9.
Unfortunately this backport results in qemuarmv5 failing to boot with
a qemu lsi hw error.
[YOCTO #15274]
See discussion: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15274
(From OE-Core rev: 14aa11aecf503cef08e43c90cf0bd574721ca965)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This vulnerability was introduced in 2.36, so 2.31 is not vulnerable.
(From OE-Core rev: 3471922461627c0f0487feb09cfdc4cfeeb3f3ca)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: d34567be6e87afdec55973f8f75be8d44b4acd1b)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Error occured while running bitbake on cephfs:
WARNING: The free inode of path is running low (-0.001K left)
ERROR: Immediately halt since the disk space monitor action is "HALT"!
(Bitbake rev: 3c7b210e9599058a48d0c38ce8034b94e2d0f781)
Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The pipe library is deprecated in Python 3.11 and will be removed in
Python 3.13. pipe.quote is just an import of shlex.quote anyway.
Clean up imports while we're at it.
(From OE-Core rev: a6ef13bdad40826d76a3331cd0878bb22510f375)
Signed-off-by: Ola x Nilsson <olani@axis.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 5f33c7b99a991c380d1813da8248ba5470ca4d4e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Avoid a divide by zero traceback if unfortunate test counts are encountered.
(From OE-Core rev: 33d3374a7149ad1afe86d86c0dc2a948f70e26bd)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c5aeea53dfacb53dedb8445cb3523dc3a8cb6dca)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This includes CVE fix for CVE-2023-5535.
(From OE-Core rev: 35fc341402f38619922dcfc4dc9e58b00be26259)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.
(From meta-yocto rev: d8b84cfded9137a74ab0052ff2d7710887f29f10)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.
(Bitbake rev: dd826595414c5dc1a649f45a9dd2430bf6d4699b)
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Widely accepted certificates for IP addresses are expensive and only
affordable for larger organizations. Therefore if the user provides
the hostname in the DNS= option, we should use it instead of the IP
address.
This fixes https://nvd.nist.gov/vuln/detail/CVE-2018-21029 per
suggestion https://github.com/systemd/systemd-stable/issues/72 .
CVE: CVE-2018-21029
(From OE-Core rev: 6b4a583169ae40a8d51e7ffa33785409b5111a81)
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The latest 6.5 kernels do not appear to create the source file in
${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/source so the
recipe errors out when trying to remove it. Simple fix is to add the
-f (force) flag to the call.
(From OE-Core rev: 2e669bf797b15d803e7d6a700e449bdc467a4bcc)
(From OE-Core rev: 844faa7c51ae8ec0966e9c5c3f70a1dbf2222c21)
Signed-off-by: Ryan Eatmon <reatmon@ti.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backported from kirkstone commit 7e177848f97e.
Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
- This upgrade includes multiple security fixes.
CVE-2022-4883
CVE-2022-44617
CVE-2022-46285
CVE-2022-44617
CVE-2023-43788
CVE-2023-43789
- Removed CVE-2022-46285 as it is already fixed by this upgrade.
- License-update: additional copyright holders
f0857c0 man pages: Correct Copyright/License notices
Due to this commit LIC_FILES_CHKSUM is changed
- Disable reading compressed files as that requires compress/uncompress executables.
Following the approach in oe-core/master:
7de4084634 libxpm: upgrade 3.5.14 -> 3.5.15
- Add XORG_EXT to specify tar.xz as upstream has switched from bz2 to xz compression.
(From OE-Core rev: 47e270a4fd2e086b5ee9f38891f326ce505f2319)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upstream has switched some new releases from bz2 to xz compression. Add
an XORG_EXT variable so recipes can set the file name extension needed
for the compression type.
Following the approach in oe-core/master: 6a8068e036b4b2a40b38896275b936916b4db76e
xorg-lib-common: Add variable to set tarball type use a variable for the tarball suffix/compression format.
(From OE-Core rev: ff386fb5632c26ceb12d2381e9128b0546aef795)
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This includes CVE fix for CVE-2023-5441.
(From OE-Core rev: 624081236d5554dbc7c044396caabc3464b1b3ac)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE's Fixed:
CVE-2023-29499: glib: GVariant offset table entry size is not checked in is_normal()
CVE-2023-32611: glib: g_variant_byteswap() can take a long time with some non-normal inputs
CVE-2023-32636: glib: Timeout in fuzz_variant_text
CVE-2023-32643: glib: Heap-buffer-overflow in g_variant_serialised_get_child
CVE-2023-32665: glib: GVariant deserialisation does not match spec for non-normal data
(From OE-Core rev: b576beba80d44e67762d46bf3bc2f14c05bc0f6b)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Take patch from Debian 7.64.0-4+deb10u7.
(From OE-Core rev: 364a9e46f167c2501785cd55a71cf9a614e64710)
Signed-off-by: Mike Crowe <mac@mcrowe.com>
CVE: CVE-2023-38546
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backporting this change required tweaking the error value since the
two-level CURLE_PROXY error reporting was introduced after curl
7.69.1. The test required some tweaks to not rely on more-recent
improvements to the test infrastructure too.
(From OE-Core rev: ccec26b1437f1ece4cb4f27581b0df904297358f)
Signed-off-by: Mike Crowe <mac@mcrowe.com>
CVE: CVE-2023-38545
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add fix for tiffcrop tool CVE-2023-1916 [1].
A flaw was found in tiffcrop, a program distributed by the libtiff
package. A specially crafted tiff file can lead to an out-of-bounds
read in the extractImageSection function in tools/tiffcrop.c, resulting
in a denial of service and limited information disclosure. This issue
affects libtiff versions 4.x.
The tool is no longer part of newer libtiff distributions, hence the
fix is rejected by upstream in [2]. The backport is still applicable
to older versions of libtiff, pick the CVE fix from ubuntu 20.04 [3].
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-1916
[2] https://gitlab.com/libtiff/libtiff/-/merge_requests/535
[3] https://packages.ubuntu.com/source/focal-updates/tiff
(From OE-Core rev: 28ad0fdd30f490612aca6cc96ee503e5f92360a8)
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Replace the original "Wrong CRC with ASCII CRC for large files"
patch with upstream backport, and add additional fix on top of
the same problem which upstream detected and fixed.
(From OE-Core rev: 0e167ef0eb7ac62ddb991ce80c27882863d8ee7c)
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
