Concept of gcc-source prevents cve-check to detect existing
CVE patch file.
So whitelist this CVE in all recipes using gcc-source via this
include file.
(From OE-Core rev: 04511734c6dc8c7dda3a943b385cd273d012d8c7)
(From OE-Core rev: 037f640b9272ba055ee41eeb1e6e9b002faefe36)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit d803ca6531)
Signed-off-by: Dnyandev Padalkar <padalkards17082001@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As discussion in [YOCTO #14717] cmake contains a OEToolchainConfig.cmake
file to configure the toolchain correctly in cross-compile build for recipes
using cmake.
The variable CMAKE_CXX_IMPLICIT_INCLUDE_DIRECTORIES value updates incorrectly
during do_compile the code. Due to this getting sporadic error like below,
fatal error: stdlib.h: No such file or directory
| 75 | #include_next <stdlib.h>
| | ^~~~~~~~~~
| compilation terminated.
| ninja: build stopped: subcommand failed.
| WARNING: exit code 1 from a shell command.
As cmake already correctly initializes the variable from environment,
So we have to unset it in the toolchain file to avoid overwriting the
variable definition again.
(From OE-Core rev: 7ab6087536bc67c63094f08f863dcd3d5e35b8e7)
Signed-off-by: aszh07 <mail2szahir@gmail.com>
Signed-off-by: Zahir Hussain <zahir.basha@kpit.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5aeada5793af53e8c93940952d4f314474dca4c2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fixes [YOCTO #15383]
This bug was introduced into upstream when fixing CVE-2022-29154. It was
later discovered and fixed upstream but this fix didn't make it into
poky yet.
The added patch is taken from upstreams git repository:
fabef23bea
(From OE-Core rev: fb448f87c0b3906b91d453451083dc003ac94ebe)
Signed-off-by: Matthias Schmitz <matthias.schmitz@port4949.net>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The original CVE-2023-29406.patch is not complete, causing docker
failures at runtime, backport a complementary fix from golang upstream.
(From OE-Core rev: bff621d5399e5ff2930d21f403bb2f274febd2e4)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In the case of a zero length string being returned by fgets(), the condition
checking for a trailing new line would perform a bad memory access outside
of `buf`. This might happen when line with a leading null byte is read.
Avoid this case by checking that the string has a length of at least one
byte.
Link: 8b45a3c4ca
(From OE-Core rev: 32e3618891295cec1ee5d4195998aa97f93b2207)
Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A bug in QEMU could cause a guest I/O operation otherwise
addressed to an arbitrary disk offset to be targeted to
offset 0 instead (potentially overwriting the VM's boot code).
This change is to fix CVE-2023-5088.
Link: 7d7512019f
(From OE-Core rev: df9e2d40c52b752940de61388997e485da56de0c)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A malicious HTTP sender can use chunk extensions to cause a receiver
reading from a request or response body to read many more bytes from
the network than are in the body. A malicious HTTP client can further
exploit this to cause a server to automatically read a large amount
of data (up to about 1GiB) when a handler fails to read the entire
body of a request. Chunk extensions are a little-used HTTP feature
which permit including additional metadata in a request or response
body sent using the chunked encoding. The net/http chunked encoding
reader discards this metadata. A sender can exploit this by inserting
a large metadata segment with each byte transferred. The chunk reader
now produces an error if the ratio of real body to encoded bytes grows
too small.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39326https://security-tracker.debian.org/tracker/CVE-2023-39326
(From OE-Core rev: 5b55648f3142762c9563289c1b19aa3b7de27164)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ignore RHEL specific CVE-2021-20295 CVE-2023-2680.
(From OE-Core rev: 2c0822d9e7b8e7d013ef89c7e82e19fff39228a9)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
import patch from ubuntu setuptools_45.2.0-1ubuntu0.1 .
(From OE-Core rev: a939696d7c70c42e404ec30a9d75e5ea4f742c78)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This reverts commit 45ce9885351a2344737170e6e810dc67ab3e7ea9.
Unfortunately this backport results in qemuarmv5 failing to boot with
a qemu lsi hw error.
[YOCTO #15274]
See discussion: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15274
(From OE-Core rev: 14aa11aecf503cef08e43c90cf0bd574721ca965)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Use autotools-brokensep as new version needs that.
upgrade include fix for CVE-2020-21686 and CVE-2022-29654
(cherry picked from commit c9c724ffa36757b56e70bc8d7b880c0c5777b153)
(From OE-Core rev: ed262f94b81cbf78e6a335912875bee8a65ca7c6)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
https://docs.python.org/release/3.8.18/whatsnew/changelog.html#changelog
Release date: 2023-08-24
Security
gh-108310: Fixed an issue where instances of ssl.SSLSocket were
vulnerable to a bypass of the TLS handshake and included protections
(like certificate verification) and treating sent unencrypted data as if
it were post-handshake TLS encrypted data. Security issue reported as
CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.
Library
gh-107845: tarfile.data_filter() now takes the location of symlinks into
account when determining their target, so it will no longer reject some
valid tarballs with LinkOutsideDestinationError.
Tools/Demos
gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL
1.1.1v, 3.0.10, and 3.1.2.
(From OE-Core rev: 9205496344bede4a16372ca7a02c2819a976640b)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: 93efa56fb87217035275dcb04c4a19b79b95ccaf)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A DMA-MMIO reentrancy problem may lead to memory corruption bugs
like stack overflow or use-after-free.
Summary of the problem from Peter Maydell:
https://lore.kernel.org/qemu-devel/CAFEAcA_23vc7hE3iaM-JVA6W38LK4hJoWae5KcknhPRD5fPBZA@mail.gmail.com
Reference:
https://gitlab.com/qemu-project/qemu/-/issues/556
qemu.git$ git log --no-merges --oneline --grep CVE-2023-0330
b987718bbb hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI controller (CVE-2023-0330)
a2e1753b80 memory: prevent dma-reentracy issues
Included second commit as well as commit log of a2e1753b80 says it
resolves CVE-2023-0330
(From OE-Core rev: 45ce9885351a2344737170e6e810dc67ab3e7ea9)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE shouldn't have been filed as the "exploit" is described in the
documentation as how the library behaves.
(From OE-Core rev: b66a677b76c7f15eb5c426f8dc7ac42e1e2e3f40)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The runpath in the cc1 binary is:
Library runpath: [$ORIGIN/../../../recipe-sysroot-native/usr/lib:$ORIGIN/../../../recipe-sysroot-native/lib]
This does not match the actual location of the libraries, which would require:
Library runpath: [$ORIGIN/../../recipe-sysroot-native/usr/lib:$ORIGIN/../../recipe-sysroot-native/lib]
Prior to gcc 9.1 the recipe set B explicity with:
B = "${WORKDIR}/gcc-${PV}/build.${HOST_SYS}.${TARGET_SYS}"
and this build directory structure matches the runpath in cc1, so there is no issue.
This line was commented out in versions 9.1 through 11.3. The upgrade to 12.1 once
again uncommented this line.
As a result the runpath is incorrect in version 9.1 through 11.3 and cc1 defaults
to using host libraries.
This patch restores setting B as done in master and versions prior to 9.1
(From OE-Core rev: 43d5ebde6d609898064ea70c89a7eba002e5fd74)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When building using an SDK, cmake complains that the target
architecture 'cortexa53-crypto' is unknown. The same build in bitbake
uses the target architecture 'aarch64'.
Set CMAKE_SYSTEM_PROCESSOR the same as for bitbake.
(From OE-Core rev: 7a7ef9d73affc23fa14712d56f1a40d0c46569cb)
Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d32a6225eefce2073a1cd401034b5b4c68351bfe)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
License-Update: update year to 2023
30afa75ad8
Release Notes for 3.8.15:
Security content in this release
CVE-2022-40674: bundled libexpat was upgraded from 2.4.7 to 2.4.9 which
fixes a heap use-after-free vulnerability in function doContent
gh-97616: a fix for a possible buffer overflow in list *= int
gh-97612: a fix for possible shell injection in the example script
get-remote-certificate.py (this issue originally had a CVE assigned to
it, which its author withdrew)
gh-96577: a fix for a potential buffer overrun in msilib
https://www.python.org/downloads/release/python-3815/
Release Notes for 3.8.16:
Security content in this release
gh-98739: Updated bundled libexpat to 2.5.0 to fix CVE-2022-43680 (heap
use-after-free).
gh-98517: Port XKCP’s fix for the buffer overflows in SHA-3 to fix
CVE-2022-37454.
gh-98433: The IDNA codec decoder used on DNS hostnames by socket or
asyncio related name resolution functions no longer involves a quadratic
algorithm to fix CVE-2022-45061. This prevents a potential CPU denial of
service if an out-of-spec excessive length hostname involving
bidirectional characters were decoded. Some protocols such as urllib
http 3xx redirects potentially allow for an attacker to supply such a
name.
gh-68966: The deprecated mailcap module now refuses to inject unsafe
text (filenames, MIME types, parameters) into shell commands to address
CVE-2015-20107. Instead of using such text, it will warn and act as if a
match was not found (or for test commands, as if the test failed).
gh-100001: python -m http.server no longer allows terminal control
characters sent within a garbage request to be printed to the stderr
server log.
gh-87604: Avoid publishing list of active per-interpreter audit hooks
via the gc module.
https://www.python.org/downloads/release/python-3816/
Release Notes for 3.8.17:
Security content in this release
gh-103142: The version of OpenSSL used in Windows and Mac installers has
been upgraded to 1.1.1u to address CVE-2023-2650, CVE-2023-0465,
CVE-2023-0466, CVE-2023-0464, as well as CVE-2023-0286, CVE-2022-4303,
and CVE-2022-4303 fixed previously in 1.1.1t (gh-101727).
gh-102153: urllib.parse.urlsplit() now strips leading C0 control and
space characters following the specification for URLs defined by WHATWG
in response to CVE-2023-24329.
gh-99889: Fixed a security in flaw in uu.decode() that could allow for
directory traversal based on the input if no out_file was specified.
gh-104049: Do not expose the local on-disk location in directory indexes
produced by http.client.SimpleHTTPRequestHandler.
gh-103935: trace.__main__ now uses io.open_code() for files to be
executed instead of raw open().
gh-101283: subprocess.Popen now uses a safer approach to find cmd.exe
when launching with shell=True.
gh-102953: The extraction methods in tarfile, and
shutil.unpack_archive(), have a new filter argument that allows limiting
tar features than may be surprising or dangerous, such as creating files
outside the destination directory. See Extraction filters for details.
https://www.python.org/downloads/release/python-3817/
(From OE-Core rev: 01a1f016a6558566a36098a993adaf4b40e30c78)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
At second running, there are four new failed case:
d_loaddump f_bigalloc_badinode f_bigalloc_orphan_list f_dup_resize
The test_data.tmp is necessary, but it is deleted by run-ptest.
So it should be restored after testing.
(From OE-Core rev: 496dc586446d09a77923bc191e5305ba06c8f59e)
Signed-off-by: Qiu Tingting <qiutt@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit d0d08dd9a8a179e25b9cfcbac696c1d212a1910c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
