Concept of gcc-source prevents cve-check to detect existing
CVE patch file.
So whitelist this CVE in all recipes using gcc-source via this
include file.
(From OE-Core rev: 04511734c6dc8c7dda3a943b385cd273d012d8c7)
(From OE-Core rev: 037f640b9272ba055ee41eeb1e6e9b002faefe36)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit d803ca6531)
Signed-off-by: Dnyandev Padalkar <padalkards17082001@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add the hint to the test setup that runqemu-gen-tapdevs will need the
iptables package installed.
(From yocto-docs rev: f703ac90d4fe6f004997e963c0cfc98c223bc146)
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As discussion in [YOCTO #14717] cmake contains a OEToolchainConfig.cmake
file to configure the toolchain correctly in cross-compile build for recipes
using cmake.
The variable CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES value updates incorrectly
during do_compile the code. Due to this getting sporadic error like below,
fatal error: stdlib.h: No such file or directory
| 75 | #include_next <stdlib.h>
| | ^~~~~~~~~~
| compilation terminated.
| ninja: build stopped: subcommand failed.
| WARNING: exit code 1 from a shell command.
As cmake already correctly initializes the variable from environment,
So we have to unset it in the toolchain file to avoid overwriting the
variable definition again.
(From OE-Core rev: 7ab6087536bc67c63094f08f863dcd3d5e35b8e7)
Signed-off-by: aszh07 <mail2szahir@gmail.com>
Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5aeada5793af53e8c93940952d4f314474dca4c2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fixes [YOCTO #15383]
This bug was introduced into upstream when fixing CVE-2022-29154. It was
later discovered and fixed upstream but this fix didn't make it into
poky yet.
The added patch is taken from upstreams git repository:
fabef23bea
(From OE-Core rev: fb448f87c0b3906b91d453451083dc003ac94ebe)
Signed-off-by: Matthias Schmitz <matthias.schmitz@port4949.net>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
memory corruption when processing malformed terminfo data entries
loaded by setuid/setgid programs
CVE-2023-29491.patch change the --disable-root-environ configure option
behavior.
set --disable-root-environ in configuration options.
--disable-root-environ option with a few additional changes
to the code allows us to mitigate CVE-2023-29491 and avoid
other issues that involve the possibility of malicious use of
environment variables through setuid applications, and, therefore,
it was the fix chosen in order to resolve this vulnerability.
Reference:
https://ubuntu.com/security/CVE-2023-29491https://launchpad.net/ubuntu/+source/ncurses/6.2-0ubuntu2.1
(From OE-Core rev: 041433f0767ae9112f6a74a7d7c93ce9b411792c)
Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The original CVE-2023-29406.patch is not complete, causing docker
failures at runtime, backport a complementary fix from golang upstream.
(From OE-Core rev: bff621d5399e5ff2930d21f403bb2f274febd2e4)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE reports that apple had to upgrade curl because of other
already reported CVEs:
* CVE-2023-38039: not affected, introduced in 7.84.0
* CVE-2023-38545: patch already backported
* CVE-2023-38546: patch already backported
* CVE-2023-42915: reference to itself
(From OE-Core rev: 067740c834a98cd8f5cfff7f73418d18b8e1249a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In the case of a zero length string being returned by fgets(), the condition
checking for a trailing new line would perform a bad memory access outside
of `buf`. This might happen when line with a leading null byte is read.
Avoid this case by checking that the string has a length of at least one
byte.
Link: 8b45a3c4ca
(From OE-Core rev: 32e3618891295cec1ee5d4195998aa97f93b2207)
Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2024-0553
A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.
Upstream-Status: Backport [40dbbd8de4]
(From OE-Core rev: a07cc0b6fa4a485f318fd2957e434b63f5907d7e)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Running 'bitbake-layers layerindex-show-depends meta-filesystems' fails with:
```
Traceback (most recent call last):
File "<...>/poky/bitbake/bin/bitbake-layers", line 93, in <module>
ret = main()
File "<...>/poky/bitbake/bin/bitbake-layers", line 86, in main
return args.func(args)
File "<...>/poky/bitbake/lib/bblayers/layerindex.py", line 209, in do_layerindex_show_depends
self.do_layerindex_fetch(args)
File "<...>/poky/bitbake/lib/bblayers/layerindex.py", line 182, in do_layerindex_fetch
args.shallow)
AttributeError: 'Namespace' object has no attribute 'shallow'
```
Initialize the shallow attribute to fix it.
(Bitbake rev: 146cd25252ef065d09df0980b7dc670cb7e7b109)
Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The yocto website has changed its structure. Update the section for
Accessing the Downloads page to match the new structure.
(From yocto-docs rev: f9a3b59c130d498c02dfdc016958c92ac74737a7)
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE is for iCPE cloudflare:zlib.
Alternative to ignoring would be to limit CVE_PRODUCT, but
historic CVEs already have two - gnu:zlib and zlib:zlib.
So limiting it could miss future CVEs.
(From OE-Core rev: 5dc87309639e78195eb1283afc193f6eac63b044)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch for gitlab issue mentioned in NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Backport also one of 14 patches for older issue with similar errors
to have clean cherry-pick without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/344
The CVE is disputed because the maintainer does not think that
errors after memory allocation failures are not critical enough
to warrant a CVE ID.
This patch will formally fix reported error case, trying to backport
another 13 patches and resolve conflicts would be probably overkill
due to disputed state.
This CVE was ignored on master branch (as diputed).
(From OE-Core rev: 03b766e42beb42a2085285308acbcf941f346b06)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Sometimes NVD servers are unstable and return too many errors.
There is an option to have higher fetch attempts to increase the chances
of successfully fetching the CVE data.
Additionally, it also makes sense to progressively increase the delay
after a failed request to an already unstable or busy server.
The increase in delay is reset after every successful request and
the maximum delay is limited to 30 seconds.
Also, the logs are improved to give more clarity.
(From OE-Core rev: 9e03b7a9879fd16e32f4eccb78b438f6fa9db74d)
Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7101d654635b707e56b0dbae8c2146b312d211ea)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As per NVD, the public rate limit is 5 requests in 30s (6s delay).
Using an API key increases the limit to 50 requests in 30s (0.6s delay).
However, NVD still recommends sleeping for several seconds so that the
other legitimate requests are serviced without denial or interruption.
Keeping the default sleep at 6 seconds and 2 seconds with an API key.
For failures, the wait time is unchanged (6 seconds).
Reference: https://nvd.nist.gov/developers/start-here#RateLimits
(From OE-Core rev: eb5ab00be33a503205401541e88c32ba9da1d75c)
Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 5c32e2941d1dc3d04a799a1b7cbd275c1ccc9e79)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Sometimes NVD servers are unstable and return too many errors.
Last time we increased number of attempts from 3 to 5, but
further increasing is not reasonable as in normal case
too many retries is just abusive.
Keep retries low as default and allow to increase as needed.
(From OE-Core rev: ee2a6ade703317d09f7df60ef7ce300d8f868f54)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6b6fd8043d83b99000054ab6ad2c745d07c6bcc1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This variable is not referenced in oe-core anymore.
(From OE-Core rev: 70676801f1f8fe498ff34fc1db72b6a3bf438d4a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 905b45a814cb33327503b793741c19b44c8550b3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A bug in QEMU could cause a guest I/O operation otherwise
addressed to an arbitrary disk offset to be targeted to
offset 0 instead (potentially overwriting the VM's boot code).
This change is to fix CVE-2023-5088.
Link: 7d7512019f
(From OE-Core rev: df9e2d40c52b752940de61388997e485da56de0c)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from
the network than are in the body. A malicious HTTP client can further
exploit this to cause a server to automatically read a large amount
of data (up to about 1GiB) when a handler fails to read the entire
body of a request. Chunk extensions are a little-used HTTP feature
which permit including additional metadata in a request or response
body sent using the chunked encoding. The net/http chunked encoding
reader discards this metadata. A sender can exploit this by inserting
a large metadata segment with each byte transferred. The chunk reader
now produces an error if the ratio of real body to encoded bytes grows
too small.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39326https://security-tracker.debian.org/tracker/CVE-2023-39326
(From OE-Core rev: 5b55648f3142762c9563289c1b19aa3b7de27164)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A recipe variable handles its dependencies even on the "contains"
variables within the "inline Python expressions" like bb.utils.filter().
And it also handles those in the append operator correctly, but the
problem is that it does not so in the remove operator.
Fix it by adding the missing dependencies every time the remove
operator has been handled.
Also add a test case to check if the override operators handle
dependencies correctly.
(Bitbake rev: 48799c68b69b7921c809e0fc970303866643eb2a)
Signed-off-by: Insu Park <insu0.park@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Cherry-picked from master: b90520eedb1dbc7f6a3928d089fe74fafb864eb5
- Conflicts in data.py are resolved as the master branch moved
handle_contains() and handle_remove() out of the try block
and added the 3rd argument, "exclusions", to handle_contains().
- The test code in codeparser.py are modified as the master branch
added three more arguments to the build_dependencies().
Signed-off-by: Insu Park <insu0.park@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The target_dumper code is basically broken. It has been reading binary files
over the text base serial communication and runs at every command failure which
makes no sense. Each run might overwrite files from the previous run and the
output appears corrupted due to confusion from the binary data.
It isn't possible to cherry-pick "testimage: Drop target_dumper and most of monitor_dumper"
from master, so just make target_dumper and host_dumper empty functions.
For further details see:
https://lists.openembedded.org/g/openembedded-architecture/message/1888
(From OE-Core rev: 94e9019d2f170a26206c2774381a1d183313ecaa)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
wtmp is filled with binary data which the run_serial command can't cope with.
Catting this results in confusion of the serial interface and potentially large
backlogs of data in the buffers which can hang qemu.
Exclude the problematic files from the command.
(From OE-Core rev: 05d9f9c6b27c0216fa4e349109ef42cf91bb4084)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 599ac08a6f6fb3f6a89a897c8e06367c63c2f979)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
