Debian 12 no longer supports replacing dash with bash as default shell.
Therefore to achieve compatibility with Debian 12, all bashisms need
to be removed.
Shell comparison via == gives an error with dash and thus the condition
is always false.
(From OE-Core rev: 3723b26f82219ff71823335d550dbf29086d63d4)
(From OE-Core rev: c6cafd2aa50357c80fbab79741d575ff567c5766)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
PEAP client: Update Phase 2 authentication requirements. Also see
https://www.top10vpn.com/research/wifi-vulnerabilities/
Patch is copied from scarthgap, the recipes differ too much for
cherry-pick even if they have the same version.
(From OE-Core rev: 5e1283f0afeaf0d0aa5e1c96fc571f69897e1ca8)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Commit 60774248a5 solves issues when i or j
have been set in other shell functions.
Since j is not unset after the inner loop, the image will only be copied
for the first configuration.
Unsetting i and j after the loops also prevents index issues in other functions.
(From OE-Core rev: f6de96c9fa8d0b6c81c32016f342ad93c8940d9e)
Signed-off-by: Florian Amstutz <florian.amstutz@scs.ch>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Switch to use flit core since upstream changed.
They also changed the capitalisation under pypi.
The license didn't change but the file was renamed, probably as it wasn't
rst.
(From OE-Core rev: 58ee84c274b0c93902aad5d4f434daec5da55134)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e352680528b18c3cdae26233bef7cddc2771d42d)
Upgrade fixes CVE-2024-34064
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch for CVE-2021-42380.
Move if before patch for CVE-2023-42363 because they touch the same code
and they are in this order in git history so we avoid fuzz modifications.
This will remove fuzz modifications from CVE-2023-42363 and both will
apply cleanly without modifications (except line number changes and the
first one also has little fuzz fix in tests).
This will also make it equal to master/scarthgap patch order/content.
(From OE-Core rev: af3c8ff64054e131b009545883cb87454ce04b64)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The script has a bashism and needs bash to execute correctly. Mark it
as such and add the missing bash dependency so it executes in minimal
images.
(From OE-Core rev: a1b5afac108d9c94e8fc2ad8cfebfee16f6f243b)
(From OE-Core rev: 8e650506885bc4465f9569b3ccdc327eb83d90db)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 28b8d57a88)
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The tests are packaged into the main glibc-tests package which is fine,
but then glibc-tests-ptest package needs to depend on that.
Which is what this commit addresses.
(From OE-Core rev: d37c2d428b09b9d0cbb875f083c6a1e9883a7fed)
(From OE-Core rev: c09335a23025ff78a6d3eb41c483b5a479b1c3be)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 644914efa8)
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There are two types of soft FPU options for arm, soft and softfp, and if
using the latter the wrong dynamic loader will be used.
E.g. go will link against ld-linux-armhf.so.3, but libc6 will only ship
a ld-linux.so.3, so go programs will fail to start.
Fix this by instead checking for TARGET_FPU being 'hard' and then
applying the suffix.
(From OE-Core rev: c7426629245db2ea8d9f3cf25b575ac31b5a83b0)
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 07b4c7a2bd23f8645810e13439e814caaaf9cd94)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive).
Race condition resulting in potential remote code execution.
A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems.
This attack could be prevented by disabling the login grace timeout (LoginGraceTime=0 in sshd_config)
though this makes denial-of service against sshd(8) considerably easier.
For more information, please refer to the release notes [1] and the
report from the Qualys Security Advisory Team [2] who discovered the bug.
[1] https://www.openssh.com/txt/release-9.8
[2] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
References:
https://www.openssh.com/security.html
(From OE-Core rev: ddb998d16fd869acb00a1cd8038ada20fd32aa8b)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
v2: include the missing cve tag: CVE: CVE-2024-6387
v3: add the Signed-off-by on the CVE-2024-6387.patch
Signed-off-by: Steve Sakoman <steve@sakoman.com>
GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution Vulnerability.
This vulnerability allows remote attackers to execute arbitrary code on affected
installations of GStreamer. Interaction with this library is required to exploit this
vulnerability but attack vectors may vary depending on the implementation. The specific
flaw exists within the parsing of EXIF metadata. The issue results from the lack of
proper validation of user-supplied data, which can result in an integer overflow before
allocating a buffer. An attacker can leverage this vulnerability to execute code in the
context of the current process. . Was ZDI-CAN-23896.
(From OE-Core rev: 6708631c89d1cb0d7e0e1b888c51826b3939f8af)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Remove the pages which libxcrypt and shadow already have to avoid
following conflicts during install man-pages and libxcrypt/shadow at the
same time.
Error: Transaction test error:
file /usr/share/man/man3/crypt.3 from install of
libcrypt-doc-4.4.33-r0.x86_64 conflicts with file from package
man-pages-6.04-r0.x86_64
(From OE-Core rev: fbc8f5381e8e1da0d06f7f8e5b8c63a49b1858c2)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 605b4a91dc44d33bd4742841e71645275bc039e8)
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Use OBJDUMP variable in the script, this helps in using the lddwrapper
with recipes which maybe using different objdump tools e.g.l
llvm-objdump or vice-versa
(From OE-Core rev: bbbb515f7df240b8679567cd3e04d6b4ccc65f6d)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c04b3e0e371859c159b76bff87a5b1299b51d0c8)
Signed-off-by: Daiane Angolini <daiane.angolini@foundries.io>
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE's Fixed by upgrade:
CVE-2024-4741: Fixed potential use after free after SSL_free_buffers() is called
CVE-2024-4603: Fixed an issue where checking excessively long DSA keys or parameters may be very slow
CVE-2024-2511: Fixed unbounded memory growth with session handling in TLSv1.3
Removed backports of CVE-2024-2511 and CVE-2024-4603 as they are already
fixed.
Detailed Information:
https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-3013-and-3014-4-jun-2024
(From OE-Core rev: 8f51bac2a05747ea186e928eda2358f2e6295883)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Below commit on glibc-2.35 stable branch is updated.
72abffe225 Force DT_RPATH for --enable-hardcoded-path-in-tests
(From OE-Core rev: 8accff90a850265ecc8570cfa15e8e5963d2a5d7)
Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A buffer-overread issue was discovered in StringIO 3.0.1, as
distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through
3.1.4. The ungetbyte and ungetc methods on a StringIO can
read past the end of a string, and a subsequent call to
StringIO.gets may return the memory value. 3.0.3 is the main
fixed version; however, for Ruby 3.0 users, a fixed version
is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version
is stringio 3.0.1.2.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-27280
(From OE-Core rev: 729310d17310dff955c51811ff3339fdbc017b95)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The memory allocation function ACPI_ALLOCATE_ZEROED does not
guarantee a successful allocation, but the subsequent code
directly dereferences the pointer that receives it, which may
lead to null pointer dereference. To fix this issue, a null
pointer check should be added. If it is null, return exception
code AE_NO_MEMORY.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-24856
(From OE-Core rev: 0920aacb2a042e10e54db949428471ef9b20c96d)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2024-32002:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4,
2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be
crafted in a way that exploits a bug in Git whereby it can be fooled into
writing files not into the submodule's worktree but into a `.git/` directory.
This allows writing a hook that will be executed while the clone operation
is still running, giving the user no opportunity to inspect the code that is
being executed. The problem has been patched in versions 2.45.1, 2.44.1,
2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is
disabled in Git (e.g. via `git config --global core.symlinks false`), the
described attack won't work. As always, it is best to avoid cloning
repositories from untrusted sources.
CVE-2024-32004:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4,
2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository
in such a way that, when cloned, will execute arbitrary code during the
operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4,
2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories
from untrusted sources.
CVE-2024-32020:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4,
2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files
into the target repository's object database when source and target repository
reside on the same disk. If the source repository is owned by a different user,
then those hardlinked files may be rewritten at any point in time by the
untrusted user. Cloning local repositories will cause Git to either copy or
hardlink files of the source repository into the target repository. This
significantly speeds up such local clones compared to doing a "proper" clone and
saves both disk space and compute time. When cloning a repository located on the
same disk that is owned by a different user than the current user we also end up
creating such hardlinks. These files will continue to be owned and controlled by
the potentially-untrusted user and can be rewritten by them at will in the
future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2,
2.41.1, 2.40.2, and 2.39.4.
CVE-2024-32021:
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4,
2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that
contains symlinks via the filesystem, Git may create hardlinks to arbitrary
user-readable files on the same filesystem as the target repository in the
`objects/` directory. Cloning a local repository over the filesystem may
creating hardlinks to arbitrary user-owned files on the same filesystem in the
target Git repository's `objects/` directory. When cloning a repository over the
filesystem (without explicitly specifying the `file://` protocol or `--no-local`),
the optimizations for local cloning will be used, which include attempting to
hard link the object files instead of copying them. While the code includes checks
against symbolic links in the source repository, which were added during the fix
for CVE-2022-39253, these checks can still be raced because the hard link
operation ultimately follows symlinks. If the object on the filesystem appears as
a file during the check, and then a symlink during the operation, this will allow
the adversary to bypass the check and create hardlinks in the destination objects
directory to arbitrary, user-readable files. The problem has been patched in
versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
CVE-2024-32465:
Git is a revision control system. The Git project recommends to avoid working in
untrusted repositories, and instead to clone it first with `git clone --no-local`
to obtain a clean copy. Git has specific protections to make that a safe
operation even with an untrusted source repository, but vulnerabilities allow
those protections to be bypassed. In the context of cloning local repositories
owned by other users, this vulnerability has been covered in CVE-2024-32004. But
there are circumstances where the fixes for CVE-2024-32004 are not enough: For
example, when obtaining a `.zip` file containing a full copy of a Git repository,
it should not be trusted by default to be safe, as e.g. hooks could be configured
to run within the context of that repository. The problem has been patched in
versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a
workaround, avoid using Git in repositories that have been obtained via archives
from untrusted sources.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-32002https://nvd.nist.gov/vuln/detail/CVE-2024-32004https://nvd.nist.gov/vuln/detail/CVE-2024-32020https://nvd.nist.gov/vuln/detail/CVE-2024-32021https://nvd.nist.gov/vuln/detail/CVE-2024-32465
(From OE-Core rev: 209c41377abf6853455b00af3923f1b244a3766b)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
wall in util-linux through 2.40, often installed with setgid
tty permissions, allows escape sequences to be sent to other
users' terminals through argv. (Specifically, escape sequences
received from stdin are blocked, but escape sequences received
from argv are not blocked.) There may be plausible scenarios
where this leads to account takeover.
CVE-2024-28085-0005 is the CVE fix and CVE-2024-28085-0001,
CVE-2024-28085-0002, CVE-2024-28085-0003, CVE-2024-28085-0004
are dependent commits to fix the CVE.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-28085
(From OE-Core rev: 28d9f948536dfee2330e4cfd225c932d20d688f1)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Adds bitbake variable to set additional mount flags for the /var/lib
overlayfs or bind mount when using a read-only root filesystem. This
can be used to set additional options like "-o nodev".
(From OE-Core rev: c3109e40e2c2c881996dd3fcc95fca74f098646d)
(From OE-Core rev: e0a1ed7aa1f2b12d985414db9a75d6e151ae8d21)
Signed-off-by: Colin McAllister <colin.mcallister@garmin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
An empty string assignment to WantedBy should clear all prior WantedBy
settings. This matches behavior of the current systemd implementation.
(From OE-Core rev: 8ede0083c28fadf1e83c9256618190b931edd306)
(From OE-Core rev: 9e3a2e143ef2aaab335439ddbe1ab976aeeed35d)
Signed-off-by: Bob Henz <robert_henz@jabil.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c653bfc68b)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Building native Go tools results in the tool pointing to the wrong
location of dynamic linker (see below). The linker is looked up in the
temporary dir, which can be removed if rm_work is inherited. This
results in being unable to execute the program with the 'No such file or
directory' error. Override linker specificiation for native recipes (and
let Go build environment to pick up a correct one on it's own).
The error is observed in case the distro doesn't use uninative.bbclass.
If uninative.bbclass is used, the binary will be patched automatically
to use the uninative loader instead of the system one.
Without this patch:
$ ldd tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man
linux-vdso.so.1 (0x00007ffe945ec000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a7490e000)
/home/lumag/Projects/RPB/build-rpb/tmp-rpb-glibc/work/x86_64-linux/go-md2man-native/1.0.10+gitAUTOINC+f79a8a8ca6-r0/recipe-sysroot-native/usr/lib/ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2 (0x00007f3a74d13000)
$ tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man --help
-bash: tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man: No such file or directory
With the patch
$ ldd tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man
linux-vdso.so.1 (0x00007ffd19dbf000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2d44181000)
/lib64/ld-linux-x86-64.so.2 (0x00007f2d44586000)
$ tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man --help
Usage of tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man:
-in string
Path to file to be processed (default: stdin)
-out string
Path to output processed file (default: stdout)
(From OE-Core rev: b611c77e4883ad81a8f40cbee3fea006500735ed)
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 44b397daa68b4d0a461225fe9ff7db8b5fcfdb7b)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When gos internal linker is used, it uses hardcoded paths to the
interpreter (dynamic linker). For x86_64 this hardcoded path is
/lib64/ld-linux-x86-64.so.2, but yocto's default dynamic linker path
is /lib64/ld-linux-x86-64.so.2.
Most of the time, the internal linker is not used and binutils linker
sets the correct path, but sometimes the internal linker is used and
the resulting binary will not work on x86_64.
To ensure the path is always correct, pass it to the linker.
(From OE-Core rev: 69128ca66991b13358f2552fcd5a7cfa6dda4952)
Signed-off-by: Joerg Vehlow <joerg.vehlow@aox.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6b54215074d7f3dbba07f096f16b9c0acf51527c)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We have been seeing obscure failures in devtool, particularly on newer
autobuilder workers where it appears the cache is assumed to be valid
when it shouldn't be.
We're using the 'seconds' granulation mtime field which is not really
a good way of telling if a file has changed. We can switch to the "ns"
version which is better however also add in inode number and size as
precautions. We already have all this data and tuples are fast so there
isn't really any cost to do so.
This hopefully fixes [YOCTO #15318].
(Bitbake rev: 5a90927f31c4f9fccbe5d9d07d08e6e69485baa8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d9e5d313c79500e3c70ab9c3239b6b2180194f67)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
