The CVE product name for PyPI packages is (usually) the same as the PyPI
package name (and not our recipe name), so use that as the default.
(From OE-Core rev: 1c37b96cd4fdfad21bf24b8b883e371c3bca56de)
Signed-off-by: Alex Kiernan <alexk@zuma.ai>
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 61f6b0ad09bf87cdc2d3f08770b7c44cad1d0e58)
Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The upstream patch for CVE-2023-27534 does three things:
1) creates new path with dynbuf(dynamic buffer)
2) solves the tilde error which causes CVE-2023-27534
3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf.
dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions.
This patch completes the 3rd task of the patch which was implemented without using dynbuf
Upstream-Status: Backport from [6c51adeb71]
(From OE-Core rev: df489f644e41108cf0e2ff55af7ce5e9bca40471)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch before
applying; avoid applying one that create a conflict where a link corresponding to
the `*.rej` file exists.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652
Upstream-Status: Backport from 9db05711c9
(From OE-Core rev: 6747482316b8f7839a09bf041d8c11b559f84b44)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when
attempting to remove the configuration section associated with that submodule. When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code
execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running
`git submodule deinit` on untrusted repositories or without prior inspection of any
submodule sections in `$GIT_DIR/config`.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007
Upstream patches:
528290f8c629198213c9a5bb10fd5ee91cfe60853bb3d6bac5
(From OE-Core rev: db4c152441aebe4c04a7bb7aceb88d8941a6576b)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If a package with a postsints script requires ldconfig, the package class adds
a ldconfig postinst fragment to initialize it before. Systemd has its own
ldconfig.service to initialize it and sometimes if both services are running
at the same time in the first boot, the first one will work, but the second
one will fail with the following error:
ldconfig[141]: /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: No such file or directory
This commit adds a ordering dependency between them to make sure that only one
service is running at the same time.
(From OE-Core rev: 1bc254e7969f3d5470bacf9ad9f065d38b7b7fde)
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4e9d812e127dc6743f52f4881e509e8e2e833afe)
Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
BSD-4-Clause is only applicable to the {PN}-doc package as when I
check for the source code I find below files which only uses the
license BSD-4-Clause
~/sources/libbsd$ grep -rl "All advertising materials mentioning features or use of this software" *|grep -v \.1|grep -v \.5|grep -v \.8 | sort
COPYING
man/arc4random.3bsd
man/getprogname.3bsd
man/tree.3bsd
~/sources/libbsd$ grep -rnB6 "BSD-4"
COPYING-9-Files:
COPYING-10- man/arc4random.3bsd
COPYING-11- man/tree.3bsd
COPYING-12-Copyright:
COPYING-13- Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de>
COPYING-14- All rights reserved.
COPYING:15:License: BSD-4-clause-Niels-Provos
(From OE-Core rev: 187f1588240a0eb5cc753c2114fd6c0cef66e14f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Exclude CVEs that are fixed in current linux-yocto version v5.4.237.
To get the commit fixing a CVE, I used the Debian kernel-sec repo [1].
[1]: 86d5040aee
(From OE-Core rev: ec0f3e5869c596a308a164f93cb031e04034a8ed)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Avoid overwriting the read packet length after the initial test. Thus
move all the length checks which depends on the total length first
and do not use the total lenght from the IP packet afterwards.
Fixes CVE-2023-28488
Reported by Polina Smirnova <moe.hwr@gmail.com>
(From OE-Core rev: 47a9ae5592392bd10740e4571b06c8c739705058)
Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix An integer overflow vulnerability was discovered in Freetype in tt_hvadvance_adjust() function in src/truetype/ttgxvar.c
(From OE-Core rev: 24c87e674db9c1d4a8922c3af78a0004c061e70f)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add SDK_ZIP_OPTIONS to remove symbolic link creation in zip archive or add options, e.g. for encryption of the zip archive.
(From OE-Core rev: 04b62f9459b401c276255f166d0738b6f902a576)
(From OE-Core rev: b9e0c3ced645cab74b2488a26b8f656a94b2a6f5)
Signed-off-by: Christoph Lauer <christoph.lauer@xtronic.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A parsed MIME header is a map[string][]string. In the common case,
a header contains many one-element []string slices. To avoid
allocating a separate slice for each key, ReadMIMEHeader looks
ahead in the input to predict the number of keys that will be
parsed, and allocates a single []string of that length.
The individual slices are then allocated out of the larger one.
The prediction of the number of header keys was done by counting
newlines in the input buffer, which does not take into account
header continuation lines (where a header key/value spans multiple
lines) or the end of the header block and the start of the body.
This could lead to a substantial amount of overallocation, for
example when the body consists of nothing but a large block of
newlines.
Fix header key count prediction to take into account the end of
the headers (indicated by a blank line) and continuation lines
(starting with whitespace).
Thanks to Jakob Ackermann (@das7pad) for reporting this issue.
Fixes CVE-2023-24534
For #58975Fixes#59267
(From OE-Core rev: daa6aa9c7198a07322f1828a9db457fec86191cf)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix CVE-2023-0464 for openssl
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit
this vulnerability by creating a malicious certificate chain that
triggers exponential use of computational resources, leading
to a denial-of-service(DoS) attack on affected systems.
Link: https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b
(From OE-Core rev: 0c50550e2c8fca3263776c2bb985a8c58b920b99)
Signed-off-by: Nikhil R <nikhil.r@kpit.com>
Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Setting a large line or column number using a //line directive can cause
integer overflow even in small source files.
Limit line and column numbers in //line directives to 2^30-1, which
is small enough to avoid int32 overflow on all reasonbly-sized files.
(From OE-Core rev: d1943e6a0ec00653c81cd4c0bb0d6b7e0909094c)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
encoding/xml: replace comments inside directives with a space
Backport from a9cfd55e2b
(From OE-Core rev: 76d855f3d2c250ac85ca6f24bf0e178fb32607f9)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE is specific to Microsoft Windows, ignore it.
Patch fixing it (https://go-review.googlesource.com/c/go/+/446916)
also adds a redundant check to generic os/exec which
could be backported but it should not be necessary as
backport always takes a small risk to break old code.
(From OE-Core rev: 4263f3fda59aacb4f159d2dffb52e5f66249b5e4)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Below patch files to fix CVE-2023-26604
CVE-2023-26604-1.patch, CVE-2023-26604-2.patch and
CVE-2023-26604-3.patch and CVE-2023-26604-4.patch
make pager secure when under euid is changed or explicitly
requested
Reference:
CVE-2023-26604-1.patch:
612ebf6c91
CVE-2023-26604-2.patch:
1b5b507cd2
CVE-2023-26604-3.patch:
0a42426d79
CVE-2023-26604-4.patch:
b8f736b30e
(From OE-Core rev: 7880eb801dcee44a9e8920d249057492d1de6b12)
Signed-off-by: rajmohan r <rajmohan.r@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
Backport from bdf07c2e16
(From OE-Core rev: 70135bf04eb7173434a7240ddf11639d13aab003)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The patch for CVE-2021-3929 applied on dunfell returns a value for a
void function. This results in the following compiler warning/error:
hw/block/nvme.c:77:6: error: void function
'nvme_addr_read' should not return a value [-Wreturn-type]
return NVME_DATA_TRAS_ERROR;
^ ~~~~~~~~~~~~~~~~~~~~
In newer versions of qemu, the functions is changed to have a return
value, but that is not present in the version of qemu used in “dunfell”.
Backport some of the patches to correct this.
(From OE-Core rev: 4ad98f0b27615ad59ae61110657cf69004c61ef4)
Signed-off-by: Gaurav Gupta <gauragup@cisco.com>
Signed-off-by: Gaurav Gupta <gauragup@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
NVD DB store version and update in the same value, separated by '_'.
The proposed patch check if the version from NVD DB contains a "_",
ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.
[YOCTO #14127]
Reviewed-by: Yoann CONGAL <yoann.congal@smile.fr>
(From OE-Core rev: eb439b1283b60e6665694ff28c89fbd633eda6b0)
Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7d00f6ec578084a0a0e5caf36241d53036d996c4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.
Backport from 5c3e11bd0b
(From OE-Core rev: 53a303fb5908edaf29e35abb08fff93e7c0ff92c)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The master version of extended package data uses zstd for efficient
compression, but it relies on the zstd tool to be present on the host
system. Since dunfell supports older distros, we don't want to add this
tool as an additional requirement so switch to using gzip instead.
(From OE-Core rev: 1c7d555379c4b0962bccd018870989050d87675f)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The master version of the SPDX classes uses zstd for efficient
compression, but it relies on the zstd tool to be present on the host
system. Since dunfell supports older distros, we don't want to add this
tool as an additional requirement so switch to using gzip instead.
(From OE-Core rev: 55b08fd641767a3d2e080727828ca37d9e610109)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds some missing licenses mappings related to the "+" versions of the
GPL licenses
(From OE-Core rev: 5f9a8809acf1ab4e73c3085b8fd100f4568ebd86)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adds extended package data which is encoded as JSON which allows it to
encode more structure than the "flat" package data files. The extended
data might be much larger than the standard package data, so it is not
read by default and instead requires
oe.packagedata.read_subpkgdata_extended() to be called
Currently, the file sizes and ELF debug sources are saved off into the
extended package data
(cherry picked from commit db9cf430e54ae68da80fbc3fba80ce88d8df164d)
(From OE-Core rev: 2318cb79ef1652fb19d696a8d43826e39c22834e)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Reviewed-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backports the create-spdx classes from the latest versions on master.
This backport is a simple copy with no modifications, as its too
complex to cherry-pick all the corresponding changes. This will give an
appropriate base commit for subsequent changes and if necessary
additional backport cherry-picks from master in the future.
(From OE-Core rev: 48fbddf32ffa3ec44a788f42895c1730a84b5a91)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix:
scripts/pybootchartgui/pybootchartgui/parsing.py:134: SyntaxWarning: "is" with a literal. Did you mean "=="?
if pid is 0:
(From OE-Core rev: 413523515dbb064680841fffa2cfdba8b2bac6f6)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c9a6511ae618035b8efad01646e37ba28ce1e3f8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ptestresult_get_log() looked for a key called 'ptestresuls.sections',
which should be 'ptestresult.sections'
(From OE-Core rev: 288609a3bb2760b5bb9d86e9c130b227f9bd5039)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7c8c9f7283e54bf8b1521fbaad7dceb66a8fcdbb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
