Backport the fix for CVE-2022-22707, a buffer overflow in mod_extforward.
(From OE-Core rev: d54d7e7b43da621be8e6fcca34feb7b3d49b8160)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7758596613cc442f647fd4625b36532f30e6129f)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The packageconfig needs to be --disable-systemd as documented in
configure file for cups. With the current value "--without-systemd" the
SYSTEM_DIR variable ends up being set to "no"
It is caused by the --without-* section in configure file resulting in
eval with_$ac_useropt=no ;;
$ac_useropt is "systemd" causing the variable $with_systemd to be set
to "no", because of below test
if test ${with_systemd+y}
then :
withval=$with_systemd; SYSTEMD_DIR="$withval"
else $as_nop
SYSTEMD_DIR=""
fi
cups configure test for i if SYSTEMD_DIR is empty to decide if the init
scripts need to be installed. A value of "no" results in that no init
scripts is installed.
With --disable-systemd it works as expected - installing the init files.
Though cups should properly improve their configure script.
(From OE-Core rev: d748ebb61d4dd355265f4a78790b4c30c3ec1a61)
Signed-off-by: Claus Stovgaard <clst@ambu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 967fdd2ba12f22d8e46600ff085833993a32cfeb)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
(cherry picked from commit e2518c2eba8c6e486aee3273dc2cba9ab51ffb69)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add branch name explicitly to SRC_URI where it's not defined and switch
to using https protocol for Github projects.
The change was made using convert-srcuri script in scripts/contrib.
(From OE-Core rev: ab781d4e3fa7425d96ea770ddfd0f01f62018c5b)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport a patch file from upstream, since doing an uprev of the recipe
to the version with the fix (9.55) would introduce functional changes.
CVE: CVE-2021-3781
(From OE-Core rev: db413a3a4fa42ac05824c2217f633a0af7ab50cd)
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We're seeing pthread being linked sometimes and not others leading to
non-reproducible target binaries. The reason is mixing the native python
config with the target one. We should use the target one.
(From OE-Core rev: 47bfa148667fb223affd7ba85d73764f5d795e7c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3fe5101b335384ef83e96ccc58687fd631164075)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Bash keeps a count of the number of times make was invoked on a directory
and changes the output versioning accordingly. We want deterministic output
so disable this behaviour.
(From OE-Core rev: 97d6a8452779fe511a354a70a72dd338f52a92cb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 13a039e03195a47c750d5901e96fe81cf523481f)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Set shared library name as libbz2.so.1.0.8, version in configure.ac
already synced via do_configure PV substitution.
(From OE-Core rev: 5a6e647335df4a46d88a263977577948f370e072)
Signed-off-by: Tom Pollard <tom.pollard@codethink.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 07e3abc9d282a54add69a6905ec4248f3104219f)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These three CVEs are specific to the Node package node-tar.
exclude: CVE-2021-37701 CVE-2021-37712 CVE-2021-37713
(From OE-Core rev: a84267dfe713b85f039c35549a00708d92654ded)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f9317a02d73c1e5aea026683a037e52c996c7bb)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
At the time of writing the qemu kernels don't support vfat filesystems.
There are patches on the list to add that, but as two tests fail without
vfat support, make them skip if vfat isn't available.
[ YOCTO #14470 ]
(From OE-Core rev: 414288ee0c96253b0714e10cd3be6c1366f4b10a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 17ecb3552cb7d7e7f82cc8b2e1b83f276525cbda)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Delete the right log files in run-ptest so the tests can be executed
more than once.
Install config.h so the tests which examine the build configuration will
do the right thing, specifically this causes the tests using libblkid to
execute instead of skip.
Add missing RDEPENDS: mkswap and tune2fs binaries, loop and vfat kernel
modules.
(From OE-Core rev: 4395acee739e09249ca5cdab77322c49616fc0c6)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 43bd50cbf902ce92ea613d142fae2524011b8f55)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We use the SUSE mirror of xinetd. The CVE fix was added to the main repo
after the latest release but is included in the version from the SUSE repo.
(From OE-Core rev: 14477263562fe683f914ae640e0ff30a4d54977a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We've seen three hangs in cgroup_xattr and two in proc01 so far. The new
plan is just to disable any tests seen to hang. I've had enough of these
causing problems on our testing infrastructure.
(From OE-Core rev: 622b1a409aaa8fd895821a53ee5db33206b98825)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE relates to bad ownership of /var/log/cups, which we don't have.
(From OE-Core rev: 60bca0789b9830fa27694c5d65042d1206a07fe2)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE is in the jpeg sources included with ghostscript. We use our own
external jpeg library so this doesn't affect us.
(From OE-Core rev: e19caff111bcbd70e5e7507388a4aaea2d10f7e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Issue applies to use of cpio in SUSE/OBS, doesn't apply to us.
(From OE-Core rev: a175059e678bf9a5e843d00ac1bbf65b49f97f32)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch mentioned as the fix for the CVE is applied to the 6.0 source
code. Zip versioning makes CPE entry changes hard.
(From OE-Core rev: f816be9387d4691dbacd17673749809fe125d35c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These CVEs apply to the way logrotate was installed on Gentoo, Debian
and SUSE, exclude from cve-check as they don't apply to OE.
(From OE-Core rev: 55b53c501e911df04bdff6fca54b11c3e54770c9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently the headers are not installed and the ltp-dev package is
empty.
This patch adds an include-install make target in the do_install step to
install them in sysroot which ends up as a working ltp-dev package.
(From OE-Core rev: c4419fb58b6ab5f4fbdcd65e5b6d2e7742c8d66f)
Signed-off-by: Jonas Höppner <jonas.hoeppner@garz-fricke.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f6943da4444cd71053650be0c9212bc25ac53137)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
grap2graph which converts a GRAP diagram into a cropped image fails
to run as below:
$ grap2graph
/usr/bin/grap2graph: line 89: convert: command not found
/usr/bin/grap2graph: warning: falling back to old '-crop 0x0' trim method
/usr/bin/grap2graph: line 104: convert: command not found
/usr/bin/grap2graph: line 103: grap: command not found
Considering we don't often need to convert a GRAP diagram into
a cropped image and the recipe ImageMagick which provides convert
command is in meta-oe layer, so don't ship the related files to
avoid the confusion about the above run time error.
(From OE-Core rev: b096417b9635c5a790616d20f0490bc15b9d7c0f)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 251be7279a475ee18c0c53fe9795bb37bffc2b45)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>From go 1.16, module-aware mode is enabled by default, regardless of
whether a go.mod file is present in the current working directory or a
parent directory.
Above change makes go-helloworld build fail when doing offline build or
proxy.golang.org is not accessible.
This fix is kind of workaround, as from go1.17, GOPATH mode will be
dropped, and GO111MODULE is ignored.
(From OE-Core rev: a0dc36d60809a0a937bbb02ec27ba768ef177063)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE_VERSION_SUFFIX in "patch" to treat version string with suffix "pX"
or "patchX" as patched release.
also update testcases to cover this changes and set CVE_VERSION_SUFFIX
for sudo.
(From OE-Core rev: 8076815fc2ffc8f632e73527ce2b7d158a29e9ea)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Replace the libswapon reproducibility workaround with the solution
preferred by upstream.
(From OE-Core rev: 5fc7d4a4c428d5be7103d8e9345d23038dae4247)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There was still a remaining issue with reporoducibility based upon the
make version from the host system. Some versions added whitespace for
XXX+=<tab> (e.g. 4.1) and some versions do not (e.g. 4.3).
Replace the determinism patches with those submitted upstream both
for this issue and the previous one.
The LC_ALL setting for sort is dropped as it didn't fix an issue as hoped.
(From OE-Core rev: fda178ace0f4acad931c69300f6af54556472a06)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Further issues were highlighted by autobuilder testing, extend the second patch
to cover them.
(From OE-Core rev: 3cf69fba8542e6ebbdb754c7616cf2ad44eec6ff)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Added HOMEPAGE and DESCRIPTION for recipes with missing decriptions or homepage
[YOCTO #13471]
(From OE-Core rev: cc6c7af900ae0196a62b7fa1375c55bbcd8e68b4)
Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE is about TOCTOU (time-of-check time-of-use)
race condition when copying and removing directory trees
which had very low severity problem and marked as closed
and won't fix. Therefore whitelisted CVE-2013-4235.
Master, gatesgarth and dunfell all have shadow version 4.81.
Hence, this is applicable for master, gatesgarth and dunfell.
Link: https://bugzilla.redhat.com/show_bug.cgi?id=884658
(From OE-Core rev: b1c6cd87bee6b019619dc5728fd6c36bc87ed696)
Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
After the other fixes there remained occasional problems. Fix another makefile
sorting problem affecting the disktest binary.
(From OE-Core rev: 636f4d1f6ed8a95e3a583abc5904ab8dbc6184af)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a patch adding sorting to a couple of points in the Makefiles
which removes most of the determinism issues in ltp.
Build swapon before the main build to ensure libswapon.o is built
deterministically as it races with swapoff.
All issues reported on the upstream mailing list.
(From OE-Core rev: 0f51f9a37e5d058bce28cfe7b9a32a895f83c091)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add libcap-native to libcap PACKAGECONFIG making native setcap available
during the build. This assures its availability during install and prevents
meson from searching absolute paths and the resulting possible host
contamination.
Move -DNO_SETCAP_OR_SUID=true to the libcap PACKAGECONFIG negative case
This will prevent possible non-determinism for the setuid case.
(From OE-Core rev: 6b31f6b9a6a12a12d1d10b8634012e50ef778ec4)
Signed-off-by: Jate Sujjavanich <jatedev@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We don't use tbe BUILDINFO line of host information in the Makefile
so remove it for reproducibility.
(From OE-Core rev: a9742595fa90d4977fdd8129a4fe4932ddb96a18)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
