Kernel commit:
commit 3d4b396a616d0d67bf95d6823ad1197f6247292e
Author: Christian Brauner <christian.brauner@ubuntu.com>
Date: Mon Oct 11 15:37:04 2021 +0200
landlock: Use square brackets around "landlock-ruleset"
commit aea0b9f2486da8497f35c7114b764bf55e17c7ea upstream.
Make the name of the anon inode fd "[landlock-ruleset]" instead of
"landlock-ruleset". This is minor but most anon inode fds already
carry square brackets around their name:
[eventfd]
[eventpoll]
[fanotify]
[fscontext]
[io_uring]
[pidfd]
[signalfd]
[timerfd]
[userfaultfd]
For the sake of consistency let's do the same for the landlock-ruleset anon
inode fd that comes with landlock. We did the same in
1cdc415f1083 ("uapi, fsopen: use square brackets around "fscontext" [ver #2]")
for the new mount api.
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Link: https://lore.kernel.org/r/20211011133704.1704369-1-brauner@kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Changed the format of the landlock tracing. We need to update the strace
expected string to match.
Upstream-Status: Submitted [https://lists.strace.io/pipermail/strace-devel/2022-April/011064.html]
(From OE-Core rev: 0268bc1ed04212acdb5b08e57334ed367042c1a2)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bf7d885aef06f6208533dd5fab45ee8e92d6d6d7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
it's in auto mode, which is troublesome particularly on native recipe
where it pokes at build host to find this library if it's not in native
sysroot and when build host has libbpf installed it enables it silently
otherwise disables the support. So let's make it deterministic, and if
one needs to enable this feature then enable the packageconfig
intentionally. It was found when trying to solve this QA warning
Skipping RPATH /usr/lib64 as is a standard search path for /mnt/b/yoe/master/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/sysroot-destdir/mnt/b/yoe/master/build/tmp/work/x86_64-linux/qemu-system-native/6.2.0-r0/recipe-sysroot-native/usr/bin/qemu-system-x86_64
This is because qemu's build system adds the needed flags to -rpath for
the libraries it needs and in this case it has found libbpf.so in
/usr/lib64 on build host.
(From OE-Core rev: 2f97e2d92982b9cffaccdf251c1b6d47de0258c2)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3d493928b7c98ab11b5d8c50924b1a2c464bf7f5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This release is primarily to fix two CVEs:
- CVE-2021-28544
- CVE-2022-24070
It also rewrites the macOS autoconf macros to be cross-compile friendly,
so we don't need to delete them anymore.
(From OE-Core rev: 76a74a8f22021e60326c001ccdd9b6ca200cd28e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ecfbc2ef45a76ab96d215954ca0a109545e6ff02)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
apt (2.4.5) release notes:
* Only protect two kernels, not last installed one (LP: #1968154)
* Fix segfault in CacheSetHelperAPTGet::tryVirtualPackage()
(From OE-Core rev: 76f4471a26bf457d1f0816b2b5ba92d0d6474e14)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6a6462fd0ab140b554f4bda260e26b938cd44dc2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2015-20107 describes an arbitrary command execution in the mailcap
module, but this is by design in mailcap and needs to be worked around
by the calling application.
Upstream Python will be documenting this flaw in the library reference,
and it is likely that the mailcap module will be deprecated and removed
in the future.
(From OE-Core rev: f525745af38b0e5ea26693849cd4f19c627efd46)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 85fac8408baf92d8b71946f5bfea92952b7eab01)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ruby 3.1.2 has been released.
This release includes security fixes.
CVE-2022-28738: Double free in Regexp compilation
CVE-2022-28739: Buffer overrun in String-to-Float conversion
(From OE-Core rev: ca1c990df62f1b3d53b2114a387f192efe7e38e8)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1306c732a39070e12306b0b7a393e2a482c8b326)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
by default git pulls in several code fragments not being licensed
under just GPL-2.0-only.
obstack and poll are licensed under GPL-2.0-or-later
reftable being BSD-3-Clause
sha1dc and inet_ntop being MIT
netmalloc being Boost-1.0 aka BSL-1.0
regex being LGPL-2.1-or-later
(From OE-Core rev: d12513f066baca13a5be0c00792b1bd7d8b07c17)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5184e651651ed949d198882a10f406cef5939b7b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup
call, leading to a heap-based buffer over-read that might affect a system that
compiles untrusted Lua code.
https://nvd.nist.gov/vuln/detail/CVE-2022-28805
(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This includes a fix for CVE-2022-24765
(From OE-Core rev: a17dc42d82b12d7f891c903a02a0302b31829c88)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
in target and native variant a different set of vendored libraries
is pulled from the cmake sources.
Add those licenses and their texts
(From OE-Core rev: fc6c1951dd7e53791a9d92610dfc2eefab4c2a4a)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
as described in src/pip/_vendor/README.rst pip ships plenty
of vendored copies of other python modules.
Correct the license of the resulting package and
reference all the vendor copy license files correctly
(From OE-Core rev: 1c192304b2b2ff8c909836d2c78826192e7d21ca)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Everyone I've talked to doesn't see this as a major issue. The CVE
asks for a documentation improvement on the --mirror option to
git clone as deleted content could be leaked into a mirror. For OE's
general users/use cases, we wouldn't build or ship docs so this wouldn't
affect us.
(From OE-Core rev: 5dfe2dd5482c9a446f8e722fe51903d205e6770d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a fix queued upstream for the issue in this CVE:
"""
Guest driver might execute HW commands when shared buffers are not yet
allocated.
This might happen on purpose (malicious guest) or because some other
guest/host address mapping.
We need to protect against such case.
"""
(From OE-Core rev: 1b8513c1abdcd6430f9311efd04d785488f79d7d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This was a long standing problem seen on aarch64 build hosts when
compiling python3 with clang cross compiler. The issue is not seen with
gcc because native glibc headers are still compatible with gcc cross compiler
(From OE-Core rev: 407744b00d702e3133304e1b43064a5634ca02cf)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Ross Burton <ross.burton@arm.com>
Cc: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The leaking test case has been fixed upstream, so backport the patch.
(From OE-Core rev: 4705b8a724fe288a20f1a080e2796ea90f46c9fb)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update to a version of pseudo which has a fix for absolute links,
evaluating them from the chroot path.
(From OE-Core rev: 33147b89bc3c9e9bdd53a942a5551d8a1d06130c)
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This reverts commit ef49f89c89889466ee3696ab680f8e10c961a677.
This appears to cause build failures which didn't originally show up in
testing, reverting for now.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch is needed in order to support recent glibc (2.34).
libsanitizer/ChangeLog:
PR sanitizer/101749
* sanitizer_common/sanitizer_posix_libcdep.cpp: Prevent
generation of dependency on _cxa_guard for static
initialization.
(From OE-Core rev: c44c4e7fb3c860d9fcb2aada0c9d4acb1e1e8101)
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meson would fail to detect compiler type in some rare case where
specific substring '-xt' is detected in compiler --version output and
it so happens that this string can be generated by clang --version if
clang is installed into a directory containing 'xt-' in its name. with
recipe specific sysroots, this is quite likely to happen in OE build
system as we are seeing the issue with newly proposed gnome-text-editor
recipe
https://lists.openembedded.org/g/openembedded-devel/topic/90150031#96301
(From OE-Core rev: ff75909f2a9e970aaf389e0012888c29f02376e3)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch creates ${MULTIMACH_TARGET_SYS}-toolchain.cmake file
at ${SDK_INSTALL_DIR}/sysroots/${SDK_SYS}/usr/share/cmake/, which is
per-toolchain CMake toolchain file containing arch-specific values
and independent of OE environment variables.
The file gets created after installing SDK toolchain installer
obtained by running "bitbake -c populate_sdk <image>".
The changes are similar to meson-setup.py which is used to
create arch-specific
${SDK_INSTALL_DIR}/sysroots/${SDK_SYS}/usr/share/meson/*-meson.cross
[YOCTO #14644]
Tested-by: Jan Dorniak <jaskij@gmail.com>
(From OE-Core rev: 42e68397ec74b3cd8ae5df45355c8f6254b48cd8)
Signed-off-by: Jagadeesh Krishnanjanappa <workjagadeesh@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It can be useful to use git on target (e.g. with some wrapper like
etckeeper for keeping track of changes to /etc), and for such cases,
it is likely one has no need for pulling from/pushing to http[s]
repositories. From the INSTALL file:
- "libcurl" library ... If you do not use http:// or https://
repositories, and do not want to put patches into an IMAP
mailbox, you do not have to have them (use NO_CURL).
- "expat" library; git-http-push uses it for remote lock
management over DAV. Similar to "curl" above, this is
optional (with NO_EXPAT).
Setting --without-expat and --without-curl reduces the size of the
installed "git" package from 18M to 12M, in addition to avoiding
pulling those libraries into the rootfs.
(From OE-Core rev: 49f81198c5d233a9a2612c3b8366681dd85bea59)
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
- Changed urllib3[brotli] extra to favor installing Brotli libraries that are
still receiving updates like brotli and brotlicffi instead of brotlipy.
This change does not impact behavior of urllib3, only which dependencies are
installed.
- Fixed a socket leaking when HTTPSConnection.connect() raises an exception.
- Fixed server_hostname being forwarded from PoolManager to HTTPConnectionPool
when requesting an HTTP URL. Should only be forwarded when requesting an HTTPS URL.
(From OE-Core rev: 1c44078db4e8fc3ed992ede38708bea0dcf87f11)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
=========
Fixed support for pytest 7.0, and pytest>=7.0 is now required.
(From OE-Core rev: 34f6bc8ca0cfc310fd6ba494b995fa86d28b5a6e)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
=========
Improve error detection and message when Hypothesis is
run on a Python implementation without support for "-0.0", which is
required for the "floats()" strategy but can be disabled by unsafe
compiler options (issue #3265).
If the "shrink" phase is disabled, stop the "generate" phase as
soon as an error is found regardless of the value of the
"report_multiple_examples" setting, since that's probably what you
wanted (issue #3244).
(From OE-Core rev: 56702a6c8e066d3730dd336eeb98d10534226601)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-Update: year updated to 2022
Changelog:
=========
- Handle RSASSA-PSS in keys.PrivateKeyInfo.bit_size and
keys.PublicKeyInfo.bit_size
- Handle RSASSA-PSS in keys.PrivateKeyInfo.wrap and keys.PublicKeyInfo.wrap
- Updated docs for keys.PrivateKeyInfo.algorithm and
keys.PublicKeyInfo.algorithm to reflect that they can return "rsassa_pss"
(From OE-Core rev: 8fbe3bd4aca7a8906e342bcc9f27e205398919c3)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This avoids the following configuration error:
The necessary bits to build these optional modules were not found:
_curses _curses_panel
which happens if the "readline" PACKAGECONFIG is disabled.
(From OE-Core rev: 70e0641069ca1e0e460000fe19662d6b3753b2ba)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This avoids the following configuration error:
-- Checking for module 'smartcols'
-- No package 'smartcols' found
CMake Error at .../usr/share/cmake-3.22/Modules/FindPkgConfig.cmake:603 (message):
A required package was not found
which happens if glib-2.0 is configured without the libmount
PACKAGECONFIG that otherwise depends on util-linux.
(From OE-Core rev: e9bbbe72221e56a82892981a5ff254e559795ac6)
Signed-off-by: Peter Kjellerstedt <pkj@axis.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
TCLIBC is only valid for TARGET, not for HOST or NATIVESDK.
Fixes build of rust-crosssdk if TCLIBC is set to musl.
(From OE-Core rev: c0b353d19d4cd796e5e63c6bec72962854fe81f4)
Signed-off-by: Christian Eggers <ceggers@arri.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- This abstracts on GL/GLES implementations
- Rename packageconfig to epoxy to match what code is doing underneath
(From OE-Core rev: 0ded646a83768868a1cc4dceb962ee707348af1b)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The git repo for gnu-config was changed, so update the
SRC_URI accordingly with the new link.
(From OE-Core rev: 6d0133c38fcb9b5ac3bdeaf65ef4d2cca2fc0586)
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>