Building busybox with CONFIG_LSATTR=y and installing that in the same
filesystem as e2fsprogs breaks:
ERROR: ... do_rootfs: Postinstall scriptlets of ['busybox'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget:${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.
Fix that by also alternatifying lsattr just as chattr already is.
(From OE-Core rev: 28090d32c88d99ea36a03f3bb723838746001e4b)
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 96703961eeb3460e9da26503d7942cc965d1e573)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When multilib enabled and add layers/meta-openembedded/meta-oe in
conf/bblayers.conf, it reports below error when run oe-selftest.
$ oe-selftest -r oescripts
[snip]
[20:36:33-0700] 2022-05-16 03:36:33,494 - oe-selftest - INFO - RESULTS - oescripts.OEListPackageconfigTests.test_packageconfig_flags_option_flags: FAILED (585.37s)
[snip]
It is because the output of "list-packageconfig-flags.py -f" as below:
$ ../scripts/contrib/list-packageconfig-flags.py -f
[snip]
qt lib32-pinentry lib32-wxwidgets nativesdk-pinentry pinentry pinentry-native wxwidgets wxwidgets-native
secret lib32-pinentry nativesdk-pinentry pinentry pinentry-native
[snip]
But the check logic as below:
class OEListPackageconfigTests(OEScriptTests):
#oe-core.scripts.List_all_the_PACKAGECONFIG's_flags
def check_endlines(self, results, expected_endlines):
for line in results.output.splitlines():
for el in expected_endlines:
if line.split() == el.split():
expected_endlines.remove(el)
break
def test_packageconfig_flags_option_flags(self):
results = runCmd('%s/contrib/list-packageconfig-flags.py -f' % self.scripts_dir)
expected_endlines = []
expected_endlines.append("PACKAGECONFIG FLAG RECIPE NAMES")
expected_endlines.append("qt nativesdk-pinentry pinentry pinentry-native")
expected_endlines.append("secret nativesdk-pinentry pinentry pinentry-native")
self.check_endlines(results, expected_endlines)
And the test will fail as line.split() doesn't equal el.split() as
line.split() is ['lib32-pinentry', 'lib32-wxwidgets', 'nativesdk-pinentry',
'pinentry', 'pinentry-native', 'wxwidgets', 'wxwidgets-native'] and
el.split() is ['nativesdk-pinentry', 'pinentry', 'pinentry-native'].
So change the compare logic to fix the gap.
(From OE-Core rev: 9eecfbfc957359b7933f1e1bde3aba1780dde202)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 239f22847bcae0cb31769adb0a42b5440173a7c5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ensure that begin_idx (i.e., beginline - 1) and end_idx (i.e.,
endline) are positive numbers in copy_license_files(). This makes sure
the same lines are copied as populate_lic_qa_checksum() uses when it
calculates the checksum. Before, beginline=0 would typically lead to
that no lines were copied at all.
(From OE-Core rev: 27cd074d747c5ef4b475c8a62a8ede2bbe58f996)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ab3cc3651d08d226675c461da760cda0bb6c0ce0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix PACKAGECONFIG to refer to libavtp instead of avtp as this is what
the project and everything is really called everywhere.
(From OE-Core rev: a1b73bc6ba90fb079e514e4eeda8e231a950b9f4)
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8824d91fe2063195014c38c134b97946d3b429c2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Several tasks deactivate exiting on non-zero return codes via set +e because
they run subcommands that have legitimate non-zero return codes. However when
appending to those tasks, this behavior is not expected and can lead to builds
silently proceeding in case of an error. Therefore reset the default behavior
at the end of the respective tasks via set -e.
(From OE-Core rev: 7777cc853db7200b819095be6f6a3561738ac94d)
Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 83a6f28d2e464f00202090e998a63045adba9e4e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In scheduler/cert.c the previous algorithm didn't expect the strings can
have a different length, so one string can be a substring of the other
and such substring was reported as equal to the longer string.
Backport patch from upstream to fix:
de4f8c1961
CVE: CVE-2022-26691
(From OE-Core rev: cc657868d31cc8b4218a07aa10fa098c379e473c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Updating to the latest korg -stable release that comprises
the following commits:
04b092e4a01a Linux 5.4.196
dba1941f5bc3 afs: Fix afs_getattr() to refetch file status if callback break occurred
ef5374d532ca i2c: mt7621: fix missing clk_disable_unprepare() on error in mtk_i2c_probe()
10a221e2d3d8 x86/xen: Mark cpu_bringup_and_idle() as dead_end_function
a12884ff4340 x86/xen: fix booting 32-bit pv guest
b2f140a9f980 Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""
060f38b1dfb4 ARM: dts: imx7: Use audio_mclk_post_div instead audio_mclk_root_clk
b38cf3cb17df firmware_loader: use kernel credentials when reading firmware
e14e3856e94d net: stmmac: disable Split Header (SPH) for Intel platforms
9ea8e6a8323e block: return ELEVATOR_DISCARD_MERGE if possible
36ac6caf742d Input: ili210x - fix reset timing
1c450bdf2e8c net: atlantic: verify hw_head_ lies within TX buffer ring
e5307704c4ad net: stmmac: fix missing pci_disable_device() on error in stmmac_pci_probe()
91d8d7edf192 ethernet: tulip: fix missing pci_disable_device() on error in tulip_init_one()
dd5de66f5c8a selftests: add ping test with ping_group_range tuned
9919585e5f41 mac80211: fix rx reordering with non explicit / psmp ack policy
19e2cd737c16 scsi: qla2xxx: Fix missed DMA unmap for aborted commands
74168c2207a5 perf bench numa: Address compiler error on s390
d1915d9c9fa3 gpio: mvebu/pwm: Refuse requests with inverted polarity
3fdd67e83c42 gpio: gpio-vf610: do not touch other bits when set the target bit
1fe6dc5f5d19 net: bridge: Clear offload_fwd_mark when passing frame up bridge interface.
622be11fa385 igb: skip phy status check where unavailable
eb92a8ecce23 ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2
463a7b957db0 ARM: 9196/1: spectre-bhb: enable for Cortex-A15
1b93631c77c9 net: af_key: add check for pfkey_broadcast in function pfkey_process
c0be5fec786b net/mlx5e: Properly block LRO when XDP is enabled
3277789f332e NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc
b368e07fb44d net/qla3xxx: Fix a test in ql_reset_work()
d672eee9e404 clk: at91: generated: consider range when calculating best rate
8cb1a05fe38b ice: fix possible under reporting of ethtool Tx and Rx statistics
dc64e8874e87 net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup()
32f779e6fbbe net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf()
1eb2d7858155 net/sched: act_pedit: sanitize shift argument before usage
50f70ee30236 net: macb: Increment rx bd head after allocating skb and buffer
a42ffe88332c ARM: dts: aspeed-g6: fix SPI1/SPI2 quad pin group
6493ff94c022 ARM: dts: aspeed-g6: remove FWQSPID group in pinctrl dtsi
fe2a9469eca0 dma-buf: fix use of DMA_BUF_SET_NAME_{A,B} in userspace
8cf6c24ed488 drm/dp/mst: fix a possible memory leak in fetch_monitor_name()
8be06f62b426 crypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ
f4a093215b8e KVM: x86/mmu: Update number of zapped pages even if page list is stable
de8745182749 PCI/PM: Avoid putting Elo i2 PCIe Ports in D3cold
3a12b2c413b2 Fix double fget() in vhost_net_set_backend()
dd0ea88b0a0f perf: Fix sys_perf_event_open() race against self
c8a5e14cb407 ALSA: wavefront: Proper check of get_user() error
2f8f6c393b11 SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()
975a0f14d5cd SUNRPC: Don't call connect() more than once on a TCP socket
aa4d71edd609 SUNRPC: Prevent immediate close+reconnect
2d6f096476e6 SUNRPC: Clean up scheduling of autoclose
f3fe8d13ac89 mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch()
def047ae1266 mmc: block: Use generic_cmd6_time when modifying INAND_CMD38_ARG_EXT_CSD
f10260f35992 mmc: core: Specify timeouts for BKOPS and CACHE_FLUSH for eMMC
1e93f939927d nilfs2: fix lockdep warnings during disk space reclamation
307d021b1a7f nilfs2: fix lockdep warnings in page operations for btree nodes
77b71a4c8767 ARM: 9191/1: arm/stacktrace, kasan: Silence KASAN warnings in unwind_frame()
54f7358be14d platform/chrome: cros_ec_debugfs: detach log reader wq from devm
232128f6e60f drbd: remove usage of list iterator variable after loop
83abb076f473 MIPS: lantiq: check the return value of kzalloc()
e7947c031ffe rtc: mc146818-lib: Fix the AltCentury for AMD platforms
7be785032c05 nvme-multipath: fix hang when disk goes live over reconnect
ee0323cc8bbb ALSA: hda/realtek: Enable headset mic on Lenovo P360
c0d86f2a3c03 crypto: x86/chacha20 - Avoid spurious jumps to other functions
f0213894337a crypto: stm32 - fix reference leak in stm32_crc_remove
8c015cd52442 Input: stmfts - fix reference leak in stmfts_input_open
bb83a744bc67 Input: add bounds checking to input_set_capability()
4fd396695646 um: Cleanup syscall_handler_t definition/cast, fix warning
0c319b998835 rtc: fix use-after-free on device removal
05df3bdbc259 x86/xen: Make the secondary CPU idle tasks reliable
0d3817cb4ebe x86/xen: Make the boot CPU idle task reliable
67e2b62461b5 floppy: use a statically allocated error counter
0187300e6aa6 Linux 5.4.195
8fcefb43ecfc tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe()
6d80857c4fc7 ping: fix address binding wrt vrf
7845532adb53 arm[64]/memremap: don't abuse pfn_valid() to ensure presence of linear map
c0b735fef2af net: phy: Fix race condition on link status change
a60def756821 MIPS: fix build with gcc-12
a3112d5da17c drm/vmwgfx: Initialize drm_mode_fb_cmd2
463c7431490d cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp()
f25145c37c4e i40e: i40e_main: fix a missing check on list iterator
17c744716af5 drm/nouveau/tegra: Stop using iommu_present()
c8f567c46543 serial: 8250_mtk: Fix register address for XON/XOFF character
aa3ea7451bd6 serial: 8250_mtk: Fix UART_EFR register address
031fda28d0a6 slimbus: qcom: Fix IRQ check in qcom_slim_probe
7de6f3059629 USB: serial: option: add Fibocom MA510 modem
65732f62f730 USB: serial: option: add Fibocom L610 modem
6c78537f3e29 USB: serial: qcserial: add support for Sierra Wireless EM7590
e40d00494712 USB: serial: pl2303: add device id for HP LM930 Display
056a56f8fbfe usb: typec: tcpci: Don't skip cleanup in .remove() on error
457d9401b8c1 usb: cdc-wdm: fix reading stuck on device close
4d93303fd877 tty: n_gsm: fix mux activation issues in gsm_config()
6e34ee5b5b92 tcp: resalt the secret every 10 seconds
39c26fe93c76 net: emaclite: Don't advertise 1000BASE-T and do auto negotiation
638bfbc84cca s390: disable -Warray-bounds
f66d3fa5089f ASoC: ops: Validate input values in snd_soc_put_volsw_range()
13b850a6cc80 ASoC: max98090: Generate notifications on changes for custom control
5c766c000a64 ASoC: max98090: Reject invalid values in custom control put()
22f6c68b4927 hwmon: (f71882fg) Fix negative temperature
208200e573bd gfs2: Fix filesystem block deallocation for short writes
42daae7d845c net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe()
e038c457bd12 net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending
2ec2dd7d51a9 net/sched: act_pedit: really ensure the skb is writable
48c6a40e2f25 s390/lcs: fix variable dereferenced before check
467ddbbe7e74 s390/ctcm: fix potential memory leak
2cbce0110070 s390/ctcm: fix variable dereferenced before check
1c40e85d0aa0 hwmon: (ltq-cputemp) restrict it to SOC_XWAY
0a778db9319f dim: initialize all struct fields
522986cc39c1 mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection
0729594cb788 netlink: do not reset transport header in netlink_recvmsg()
33ce32587c44 drm/nouveau: Fix a potential theorical leak in nouveau_get_backlight_name()
5809a1c53049 ipv4: drop dst in multicast routing path
c9d75e87f45b net: Fix features skip in for_each_netdev_feature()
5c9057670504 mac80211: Reset MBSSID parameters upon connection
cfe74fd41f18 hwmon: (tmp401) Add OF device ID table
3915341a935f batman-adv: Don't skb_split skbuffs with frag_list
90659487578c Linux 5.4.194
2f4e0bf651e3 mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and __mcopy_atomic()
e4db0c3ce0c5 mm: hugetlb: fix missing cache flush in copy_huge_page_from_user()
ea9cad1c5d95 mm: fix missing cache flush for all tail pages of compound page
45c05171d6e3 Bluetooth: Fix the creation of hdev->name
f52c4c067aa5 KVM: x86/svm: Account for family 17h event renumberings in amd_pmc_perf_hw_id
c1bdf1e6e706 x86: kprobes: Prohibit probing on instruction which has emulate prefix
6af6427a9600 x86: xen: insn: Decode Xen and KVM emulate-prefix signature
c67a4a91f5e1 x86: xen: kvm: Gather the definition of emulate prefixes
4c39e1ace3dc x86/asm: Allow to pass macros to __ASM_FORM()
29afcd5af012 KVM: x86/pmu: Refactoring find_arch_event() to pmc_perf_hw_id()
ea65a7d76c00 arm: remove CONFIG_ARCH_HAS_HOLES_MEMORYMODEL
5755f946a89f can: grcan: only use the NAPI poll budget for RX
caba5c13a892 can: grcan: grcan_probe(): fix broken system id check for errata workaround needs
76b64c690f03 nfp: bpf: silence bitwise vs. logical OR warning
86ccefb83ede drm/i915: Cast remain to unsigned long in eb_relocate_vma
de542bd76541 drm/amd/display/dc/gpio/gpio_service: Pass around correct dce_{version, environment} types
e6ff94d31c53 block: drbd: drbd_nl: Make conversion to 'enum drbd_ret_code' explicit
f668da98ad83 MIPS: Use address-of operator on section symbols
01565c91b789 Linux 5.4.193
8a7f92053dc9 mmc: rtsx: add 74 Clocks in power on flow
d789b9891761 PCI: aardvark: Fix reading MSI interrupt number
253bc43ca5b7 PCI: aardvark: Clear all MSIs at setup
786dc86c8434 dm: interlock pending dm_io and dm_wait_for_bios_completion
ad1393b92e50 dm: fix mempool NULL pointer race when completing IO
40bcd39a0093 tcp: make sure treq->af_specific is initialized
9661bf674d6a ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
37b12c16beb6 ALSA: pcm: Fix races among concurrent prealloc proc writes
2a559eec81ac ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls
08d1807f097a ALSA: pcm: Fix races among concurrent read/write and buffer changes
fbeb492694ce ALSA: pcm: Fix races among concurrent hw_params and hw_free calls
f098f8b9820f mm: fix unexpected zeroed page mapping with zram swap
c7337efd1d11 block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern
9588ac2eddc2 net: ipv6: ensure we call ipv6_mc_down() at most once
367b49086b41 KVM: LAPIC: Enable timer posted-interrupt only when mwait/hlt is advertised
c2fadf2d0ab4 x86/kvm: Preserve BSP MSR_KVM_POLL_CONTROL across suspend/resume
8b78939f4b0b kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU
f455c8e657e3 NFSv4: Don't invalidate inode attributes on delegation return
89e7a625ec5c drm/amdkfd: Use drm_priv to pass VM from KFD to amdgpu
1d14c1c7a3bd net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter()
2b99ff4c3e3e btrfs: always log symlinks in full mode
dc4784489426 smsc911x: allow using IRQ0
cff6cb162f7a bnxt_en: Fix possible bnxt_open() failure caused by wrong RFS flag
64ece01adb42 selftests: mirror_gre_bridge_1q: Avoid changing PVID while interface is operational
52401926c863 net: emaclite: Add error handling for of_address_to_resource()
354cac1e392b net: stmmac: dwmac-sun8i: add missing of_node_put() in sun8i_dwmac_register_mdio_mux()
0510b6ccfb4f net: ethernet: mediatek: add missing of_node_put() in mtk_sgmii_init()
102986592ffd RDMA/siw: Fix a condition race issue in MPA request processing
e6ae21eb948a ASoC: dmaengine: Restore NULL prepare_slave_config() callback
df3ea6cc1af5 hwmon: (adt7470) Fix warning on module removal
01d4363dd717 NFC: netlink: fix sleep in atomic bug when firmware download timeout
33d3e76fc7a7 nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs
85aecdef77f9 nfc: replace improper check device_is_registered() in netlink related functions
da9eb43b9a56 can: grcan: use ofdev->dev when allocating DMA memory
8b451b7d7e95 can: grcan: grcan_close(): fix deadlock
8f4246450a95 s390/dasd: Fix read inconsistency for ESE DASD devices
91193a2c2f4f s390/dasd: Fix read for ESE with blksize < 4k
1aa75808edd8 s390/dasd: prevent double format of tracks for ESE devices
061a424dd1c4 s390/dasd: fix data corruption for ESE devices
860db6cdc5be ASoC: meson: Fix event generation for G12A tohdmi mux
d4864e8c4ba8 ASoC: wm8958: Fix change notifications for DSP controls
6723ab2ed8bb ASoC: da7219: Fix change notifications for tone generator frequency
ac5894fb8626 genirq: Synchronize interrupt thread startup
8624e2c5af95 ACPICA: Always create namespace nodes using acpi_ns_create_node()
27183539cfac firewire: core: extend card->lock in fw_core_handle_bus_reset
2fefc6259861 firewire: remove check of list iterator against head past the loop body
34b9b9182911 firewire: fix potential uaf in outbound_phy_packet_callback()
f6b6e9336936 Revert "SUNRPC: attempt AF_LOCAL connect on setup"
d403ff32e566 gpiolib: of: fix bounds check for 'gpio-reserved-ranges'
94842485b4ec ALSA: fireworks: fix wrong return count shorter than expected by 4 bytes
73ce49fa59a7 parisc: Merge model and model name into one line in /proc/cpuinfo
0d5bb59858c6 MIPS: Fix CP0 counter erratum detection for R4k CPUs
(From OE-Core rev: 7e056e79a5acce8261cb5124c172cc40ad608b82)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Make it possible to disable the database update completely by using
a negative update interval CVE_DB_UPDATE_INTERVAL.
Disabling the update is useful when running multiple parallel builds
when we want to have a control on the database version. This allows
coherent cve-check results without an database update for only
some of the builds.
(From OE-Core rev: 487a53522a739b9a52720c4c40b93f88ad77d242)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b5c2269240327c2a8f93b9e55354698f52c976f3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Until now the CVE checker was giving information about CVEs found for
a product (or more products) contained in a recipe. However, there was
no easy way to find out which products or recipes have no CVEs. Having
no reported CVEs might mean there are simply none, but can also mean
a product name (CPE) mismatch.
This patch adds CVE_CHECK_COVERAGE option enabling a new type of
statistics. Then we use the new JSON format to report the information.
The legacy text mode report does not contain it.
This option is expected to help with an identification of recipes with
mismatched CPEs, issues in the database and more.
This work is based on [1], but adding the JSON format makes it easier
to implement, without additional result files.
[1] https://lists.openembedded.org/g/openembedded-core/message/159873
(From OE-Core rev: c63d06becc340270573bdef2630749db1f5230d4)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit d1849a1facd64fa0bcf8336a0ed5fbf71b2e3cb5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In the cve-check text mode output, we didn't write fragment
files if there are no CVEs (if CVE_CHECK_REPORT_PATCHED is 1),
or no unpached CVEs otherwise.
However, in a system after multiple builds,
cve_check_write_rootfs_manifest might find older files and use
them as current, what leads to incorrect reporting.
Fix it by always writing a fragment file, even if empty.
(From OE-Core rev: 4c10ee956f21ea2f805403704ac3c54b7f1be78c)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f1b7877acd0f6e3626faa57d9f89809cfcdfd0f1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We have libxml2 2.9.10 and we don't link statically against libxml2 anyway
so the CVE doesn't apply to libxslt.
(From OE-Core rev: c6315d8a2a1429a0fb7563b1d6352ceee7bc222c)
(From OE-Core rev: 9c736c9dcf5f18b8db082a0903be0acb3fbb51c2)
Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ad63694e6d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We are getting an additional ptest failure after fixing the expired certificates.
Backport a patch from upstream to fix this.
(From OE-Core rev: 3af161acc13189cb68549f898f3964d83d00ce56)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ptests in in openssl have started failing as test certificates have
expired. Backport a fix for this from upstream, replacing the test
certificates to allow the ptests to pass again.
(From OE-Core rev: 40858a05989d45b0c772fdec837d3dc95d4df59d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Version 1.1.1 requires additional changes
This reverts commit 4051d1a3aa5f70da96c381f9dea5f52cd9306939.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ptests in in openssl have started failing as one of the test certificates has
expired. Backport a fix for this from upstream, replacing the test
certificate to allow the ptests to pass again.
(From OE-Core rev: 4051d1a3aa5f70da96c381f9dea5f52cd9306939)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f26f0b34f12bbca2beed153da402a3594d127374)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When running CVE checks in CI we're usually not interested in warnings on the
console for any CVEs present. Add a configuration option CVE_CHECK_SHOW_WARNINGS
to allow this to be disabled (it is left enabled by default).
(From OE-Core rev: d009233f36fb866f6bdaa12fb6deedf5e253e9c9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1054d3366ba528f2ad52585cf951e508958c5c68)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 8fd6a9f521ea6b1e10c80fe33968943db30991ba)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Before this the rootfs manifest and the summary were identical.
We should separate the summary and rootfs manifest more clearly,
now the summary is for all CVEs and the rootfs manifest is only for
things in that image. This is even more useful if you build multiple
images.
(From OE-Core rev: 2bacd7cc67b2f624885ce9c9c9e48950b359387d)
Signed-off-by: Ernst Sjöstrand <ernstp@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3b8cc6fc45f0ea5677729ee2b1819bdc7a441ab1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 65498411d73e8008d5550c2d0a1148f990717587)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As product, sdk should do cve check as well as rootfs.
(From OE-Core rev: df09cd71b4cd3f830fced9ce91aa202c1609bfc5)
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit cc17753935c5f9e08aaa6c5886f059303147c07b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ncurses 6.3 before patch 20220416 has an out-of-bounds read and
segmentation violation in convert_strings in tinfo/read_entry.c in the
terminfo library.
Backported from the link below, extracting only the relevant changes.
9d1d651878
(From OE-Core rev: 2287d591cf32f5580ea6679805d04c3a5146ecd5)
Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a test to verify that the JSON reports are generated correctly for
both single recipe builds and image builds.
More tests are needed, but this is better than nothing.
(From OE-Core rev: add860e1a69f848097bbc511137a62d5746e5019)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit df0f35555b09c4bc75470eb45ec9c74e6587d460)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The addition of summary output caused two issues: error when building
an image and the fact that JSON output was generated even when
CVE_CHECK_FORMAT_JSON.
When generating an image it caused an error like:
ERROR: core-image-minimal-1.0-r0 do_rootfs: Error executing a python function in exec_func_python() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
0001:
*** 0002:cve_check_write_rootfs_manifest(d)
0003:
File: '/home/alexk/poky/meta/classes/cve-check.bbclass', lineno: 213, function: cve_check_write_rootfs_manifest
0209:
0210: link_path = os.path.join(deploy_dir, "%s.json" % link_name)
0211: manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
0212: bb.note("Generating JSON CVE manifest")
*** 0213: generate_json_report(json_summary_name, json_summary_link_name)
0214: bb.plain("Image CVE JSON report stored in: %s" % link_path)
0215:}
0216:
0217:ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
Exception: NameError: name 'json_summary_name' is not defined
The fix is to pass the d variable to the pure python function generate_json_report
to get correct values of variables and add conditions for the JSON
output where needed.
In addition clarify the message presenting the summary JSON file,
which isn't related to an image.
Uses partial fixes from Alex Kiernan, Ernst Sjöstrand (ernstp),
and Davide Gardenal.
Fixes: f2987891d315 ("cve-check: add JSON format to summary output")
(From OE-Core rev: 665f981fccbb09d51349c4bd4cfe4ca91001e3bd)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9015dec93233c7d45fd0c9885ff5d4ec23ad377d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This test will fail any time the host has libdrm > 2.4.107
(From OE-Core rev: 48ce924dc82aa959fb897ec36873db7dc3813b71)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
if a setup is using RPM for packaging and there are multiple
recipes that install to ${nonarch_base_libdir}/firmware by using
install -d ${nonarch_base_libdir}/firmware, it will create installation
clashes on image install, as linux-firmware in before this patch
used mkdir -p, which creates different file mode bits (depending
on the current user's settings).
In a particular example
linux-fimware created /lib/firmware with 0600
while other-firmware-package created it with 0644
making the combination not installable by rpm backend
(From OE-Core rev: c89bc0fc7f8afdf8ff0e93c3ebd7538987170a0c)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 98bf3f427702687bf81ed759e7cde5d6d15e77eb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
