Replace the sockopt disable patch with a fix from upstream
(From OE-Core rev: cef730284b8616ba07c1b062c992c36af730580e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ac921989991c319ecad01bec37c4ccaa15a7b58f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit c1beb73526e3ade75bd6dae5f9310107c50f1226)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Both patches change the same paths to gawk, merge them together
as we only need one patch for this.
(From OE-Core rev: 81af8c6fdc6f0b6617b7258c9b3e2e26a76db5c8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 79c0b18e29cad337640860f57683f0a170f6daab)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 6080138fd0c27db7029b5a76e69b8dc241ad8dc3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This test is failing for uncertain reasons. We have reported upstream, disable
it until we can work out why this happened. The point it started failing is
unclear due to other test framework issues.
(From OE-Core rev: fc32e725a0c73772a2ad4e31e1aa1d61f72f9da1)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2e9165a854c7b83f163479e9dbd3cb183a9d71f5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The go command may generate unexpected code at build time when using cgo.
This may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories
with newline characters in their names. Modules which are retrieved using the go
command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode,
i.e. GO111MODULE=off, may be affected).
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29402
Upstream patches:
4dae3bbe0e
(From OE-Core rev: aeb0829e52c60a77a2135af8332435b6e2db5b3d)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when running
any other command which builds untrusted code. This can be triggered by
linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing
embedded spaces are mishandled, allowing disallowed flags to be smuggled
through the LDFLAGS sanitization by including them in the argument of
another flag. This only affects usage of the gccgo compiler.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29405
Upstream patches:
6d8af00a63
(From OE-Core rev: 7ce6d0029effc06cff500271a124150f1a7db7b3)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The go command may execute arbitrary code at build time when using cgo.
This may occur when running "go get" on a malicious module, or when running
any other command which builds untrusted code. This can be triggered by
linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a
number of flags which are non-optional are incorrectly considered optional,
allowing disallowed flags to be smuggled through the LDFLAGS sanitization.
This affects usage of both the gc and gccgo compilers.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29404
Upstream patches:
bbeb55f5fa
(From OE-Core rev: 3e51122f8e2b4a7cd2a1c711175e6daf59b8368b)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
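The two go CVE entries above (CVE-2023-29405 and CVE-2023-29404) both concern the same defensive step: the list of `#cgo LDFLAGS` has to be validated against an allowlist before it reaches the linker. The block below is an added illustration written for this page, not the go command's own sanitizer; the flag rules, the `checkLDFLAGS` name and the sample inputs are simplified assumptions. It shows the two checks the entries describe: a single token containing whitespace is rejected outright (otherwise a second flag can ride inside a legitimate-looking one), and a flag whose argument is mandatory must actually have one, and that argument may not itself be another flag.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// flagRule is one allowlist entry. The rules below are an assumption for
// this example and deliberately tiny; they are NOT the real cmd/go list.
type flagRule struct {
	name     string         // flag name, e.g. "-L"
	hasValue bool           // true if an attached or separate argument is mandatory
	value    *regexp.Regexp // permitted shape of that argument
}

// libPath: must not start with '-' (so it cannot be another flag) and must
// contain no whitespace.
var libPath = regexp.MustCompile(`^[^-\s]\S*$`)

var rules = []flagRule{
	{name: "-L", hasValue: true, value: libPath},
	{name: "-l", hasValue: true, value: regexp.MustCompile(`^[A-Za-z0-9_.+-]+$`)},
	{name: "-pthread", hasValue: false},
	{name: "-static", hasValue: false},
}

// checkLDFLAGS validates an already tokenised "#cgo LDFLAGS" list and
// returns an error describing the first token it rejects.
func checkLDFLAGS(flags []string) error {
	for i := 0; i < len(flags); i++ {
		f := flags[i]
		// CVE-2023-29405 class: a token with embedded whitespace would be
		// re-split further down the tool chain, so it is never accepted.
		if strings.ContainsAny(f, " \t\r\n") {
			return fmt.Errorf("invalid flag %q: embedded whitespace", f)
		}
		matched := false
		for _, r := range rules {
			if !r.hasValue {
				if f == r.name {
					matched = true
					break
				}
				continue
			}
			if !strings.HasPrefix(f, r.name) {
				continue
			}
			arg := strings.TrimPrefix(f, r.name)
			if arg == "" {
				// CVE-2023-29404 class: the argument is mandatory, so it
				// must be present and is then checked like an attached one.
				if i+1 >= len(flags) {
					return fmt.Errorf("flag %q requires an argument", f)
				}
				i++
				arg = flags[i]
			}
			if !r.value.MatchString(arg) {
				return fmt.Errorf("invalid argument %q for flag %q", arg, r.name)
			}
			matched = true
			break
		}
		if !matched {
			return fmt.Errorf("flag %q is not allowed", f)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: one valid list, one where a flag is
	// smuggled as the argument of -L, one with embedded whitespace.
	for _, flags := range [][]string{
		{"-L/opt/lib", "-lfoo", "-pthread"},
		{"-L", "-lfoo"},
		{"-lfoo bar"},
	} {
		fmt.Printf("%q: %v\n", flags, checkLDFLAGS(flags))
	}
}
```

The point of the two rules is that the allowlist has to reason about tokens, not substrings: a flag is only valid once its whole argument has been looked at, and an argument can never double as a new flag.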
On the second run, there are four new failed cases:
d_loaddump f_bigalloc_badinode f_bigalloc_orphan_list f_dup_resize
The test_data.tmp is necessary, but it is deleted by run-ptest.
So it should be restored after testing.
(From OE-Core rev: 3a5ce6f8090f912bb9744e8cc8f3f2510f351a33)
Signed-off-by: Qiu Tingting <qiutt@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit d0d08dd9a8a179e25b9cfcbac696c1d212a1910c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Requests is an HTTP library. Since Requests 2.3.0, Requests has been leaking
Proxy-Authorization headers to destination servers when redirected to an HTTPS
endpoint. This is a product of how we use `rebuild_proxies` to reattach the
`Proxy-Authorization` header to requests. For HTTP connections sent through the
tunnel, the proxy will identify the header in the request itself and remove it
prior to forwarding to the destination server. However when sent over HTTPS,
the `Proxy-Authorization` header must be sent in the CONNECT request as the proxy
has no visibility into the tunneled request. This results in Requests forwarding
proxy credentials to the destination server unintentionally, allowing a malicious
actor to potentially exfiltrate sensitive information. This issue has been patched
in version 2.31.0.
Reference: https://github.com/advisories/GHSA-j8r2-6x86-q33q
(From OE-Core rev: e806c625d9a7eb08079a3268d2d8b20b582d0b6c)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CPAN.pm before 2.35 does not verify TLS certificates when downloading
distributions over HTTPS.
(From OE-Core rev: b093db144b35e7c140ac830dbe67cabfaac69f73)
Signed-off-by: Soumya <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Angle brackets should not appear in CSS contexts, as they may affect
token boundaries (such as closing a <style> tag, resulting in
injection). Instead emit filterFailsafe, matching the behavior for other
dangerous characters.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
For #59720
Fixes #59811
Fixes CVE-2023-24539
(From OE-Core rev: 0a09194f3d4ad98d0cf0d070ec0c99e7a6c8a158)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
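To make the html/template change above concrete, here is an added example written for this page; `cssValueFilter` is a simplified reimplementation of the check the commit describes (CSS escape decoding is omitted), not the html/template source, and `renderStyle` simply runs the real library for comparison. The failsafe string `ZgotmplZ` is the value html/template emits; the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// filterFailsafe is the replacement html/template substitutes for a value
// it refuses to emit in a CSS context.
const filterFailsafe = "ZgotmplZ"

func isASCIINmchar(c byte) bool {
	return 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' || c == '_'
}

// cssValueFilter (simplified, assumption for this example) rejects any
// character that could end the current CSS token or the enclosing <style>
// element. '<' and '>' are the two characters the commit adds to the set.
func cssValueFilter(s string) string {
	var id []byte
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>':
			return filterFailsafe
		case '-':
			// "--" never occurs in a valid identifier and could form <!-- or -->.
			if i > 0 && s[i-1] == '-' {
				return filterFailsafe
			}
		default:
			if isASCIINmchar(c) {
				id = append(id, c)
			}
		}
	}
	// Identifier characters collapsed together, so "-moz-binding" reads
	// "mozbinding" and cannot be split up to evade the check.
	lower := strings.ToLower(string(id))
	if strings.Contains(lower, "expression") || strings.Contains(lower, "mozbinding") {
		return filterFailsafe
	}
	return s
}

// renderStyle interpolates v inside a <style> element with the real
// html/template package, which applies its own CSS value filter.
func renderStyle(v string) (string, error) {
	t, err := template.New("css").Parse("<style>{{.}}</style>")
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, v); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	for _, v := range []string{"red", "#ff0000", "red>", "x</style"} {
		out, err := renderStyle(v)
		fmt.Printf("%-10q simplified=%-10q html/template=%q err=%v\n", v, cssValueFilter(v), out, err)
	}
}
```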
This is consistently seen with musl and grep from busybox.
Therefore backport a patch from upstream to fix it.
(From OE-Core rev: 769290794fc23894211c56b1878a73634fd20283)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 511bcd965af658e6bb0c61d9f2adb1af75af773b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* needed for llvm-native on hosts with gcc-13
(From OE-Core rev: 3382759cb6c5cee42151e72fd94e99a3060317f5)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
some standalone targets e.g. riscv64-elf disable shared linking for
baremetal ELF ABI in ld, therefore let's make it a static library
(From OE-Core rev: 3c6219dfcbcbde314648ba8cc54a90b32ea1c952)
(From OE-Core rev: 4ee9d5839669560ec10f23445fa8bbc03a4c5406)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is specific to Git-for-Windows.
(From OE-Core rev: 472a3e05270deace2862973dee2e65e60f9c0c19)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch before
applying; avoid applying one that creates a conflict where a link corresponding to
the `*.rej` file exists.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652
Upstream patches:
9db05711c9
(From OE-Core rev: 335ad8a6d795cd94b872370e44a033ce3fbf4890)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can be used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when
attempting to remove the configuration section associated with that submodule. When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code
execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running
`git submodule deinit` on untrusted repositories or without prior inspection of any
submodule sections in `$GIT_DIR/config`.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007
Upstream patches:
528290f8c6
29198213c9
a5bb10fd5e
e91cfe6085
3bb3d6bac5
(From OE-Core rev: 1b55343b6346437b80b8a8180ae1bc9f480d92ef)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If a package with a postinsts script requires ldconfig, the package class adds
a ldconfig postinst fragment to initialize it before. Systemd has its own
ldconfig.service to initialize it and sometimes if both services are running
at the same time in the first boot, the first one will work, but the second
one will fail with the following error:
ldconfig[141]: /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: No such file or directory
This commit adds an ordering dependency between them to make sure that only one
service is running at the same time.
(From OE-Core rev: 5fca673d8fe0ee97dc37ed2c9941696842cd667a)
Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4e9d812e127dc6743f52f4881e509e8e2e833afe)
Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
cryptography is a package designed to expose cryptographic primitives
and recipes to Python developers. In affected versions `Cipher.update_into`
would accept Python objects which implement the buffer protocol, but
provide only immutable buffers. This would allow immutable objects
(such as `bytes`) to be mutated, thus violating fundamental rules of
Python and resulting in corrupted output. This now correctly raises
an exception. This issue has been present since `update_into` was
originally introduced in cryptography 1.8.
(From OE-Core rev: 368e450c2d800790a05924519f34c579e28e9cbb)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A parsed MIME header is a map[string][]string. In the common case,
a header contains many one-element []string slices. To avoid
allocating a separate slice for each key, ReadMIMEHeader looks
ahead in the input to predict the number of keys that will be
parsed, and allocates a single []string of that length.
The individual slices are then allocated out of the larger one.
The prediction of the number of header keys was done by counting
newlines in the input buffer, which does not take into account
header continuation lines (where a header key/value spans multiple
lines) or the end of the header block and the start of the body.
This could lead to a substantial amount of overallocation, for
example when the body consists of nothing but a large block of
newlines.
Fix header key count prediction to take into account the end of
the headers (indicated by a blank line) and continuation lines
(starting with whitespace).
Thanks to Jakob Ackermann (@das7pad) for reporting this issue.
Fixes CVE-2023-24534
For #58975
Fixes #59267
(From OE-Core rev: 28bfa033ce965d7316a8b4296d10f3ad74d711db)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
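The CVE-2023-24534 entry above explains the prediction bug in prose; the block below is an added example written for this page, not the net/textproto code, that puts the old and the corrected heuristics side by side. `naiveKeyCount`, `predictKeyCount`, the toy `parseHeaders` and the cap `maxPredictedKeys` are names and choices made for this example; the sample message is constructed, with a folded header and a body made of nothing but newlines, exactly the shape the commit mentions.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// maxPredictedKeys bounds the hint so a peeked buffer can never drive an
// arbitrarily large allocation on its own (a cap chosen for this example).
const maxPredictedKeys = 1000

// sampleMessage is a constructed input: two header keys, one of them folded
// over two continuation lines, followed by a body of 100 bare newlines.
var sampleMessage = []byte("Host: example.test\r\nX-Long: first\r\n second\r\n\tthird\r\n\r\n" +
	strings.Repeat("\n", 100))

// naiveKeyCount is the pre-fix heuristic the commit describes: every
// newline in the buffered input is taken as the start of another key,
// including continuation lines and everything past the end of the headers.
func naiveKeyCount(buf []byte) int {
	return bytes.Count(buf, []byte{'\n'})
}

// predictKeyCount applies the two corrections from the commit: stop at the
// blank line that terminates the header block, and skip continuation lines
// (leading space or tab), which extend the previous key's value.
func predictKeyCount(buf []byte) int {
	n := 0
	for len(buf) > 0 && n < maxPredictedKeys {
		var line []byte
		line, buf, _ = bytes.Cut(buf, []byte{'\n'})
		line = bytes.TrimSuffix(line, []byte{'\r'})
		if len(line) == 0 {
			break // blank line: end of headers, start of body
		}
		if line[0] == ' ' || line[0] == '\t' {
			continue // folded continuation of the previous header
		}
		n++
	}
	return n
}

// parseHeaders is a toy header parser (not net/textproto) that reserves one
// backing []string of length hint and hands each new key a one-element
// sub-slice of it, the allocation strategy the commit describes. It returns
// the parsed map and how many reserved slots went unused, so the two hints
// can be compared directly.
func parseHeaders(buf []byte, hint int) (map[string][]string, int) {
	backing := make([]string, hint)
	m := make(map[string][]string)
	lastKey := ""
	for len(buf) > 0 {
		var line []byte
		line, buf, _ = bytes.Cut(buf, []byte{'\n'})
		line = bytes.TrimSuffix(line, []byte{'\r'})
		if len(line) == 0 {
			break
		}
		if line[0] == ' ' || line[0] == '\t' {
			// Continuation: append to the last value of the previous key.
			if vals := m[lastKey]; len(vals) > 0 {
				vals[len(vals)-1] += " " + strings.TrimSpace(string(line))
			}
			continue
		}
		k, v, ok := bytes.Cut(line, []byte{':'})
		if !ok {
			continue // malformed line; a real parser would return an error
		}
		lastKey = string(k)
		value := strings.TrimSpace(string(v))
		if vv := m[lastKey]; vv == nil && len(backing) > 0 {
			// First value for this key: carve a cap-1 slice out of backing
			// so a later append cannot grow into the neighbouring slot.
			vv, backing = backing[:1:1], backing[1:]
			vv[0] = value
			m[lastKey] = vv
		} else {
			m[lastKey] = append(vv, value)
		}
	}
	return m, len(backing)
}

func main() {
	for _, hint := range []int{naiveKeyCount(sampleMessage), predictKeyCount(sampleMessage)} {
		m, unused := parseHeaders(sampleMessage, hint)
		fmt.Printf("hint=%d keys=%d unused=%d X-Long=%q\n", hint, len(m), unused, m["X-Long"])
	}
}
```

On the sample, the newline count predicts over a hundred keys while two are actually parsed; the corrected heuristic predicts exactly two, so the backing slice is sized by the headers and not by whatever follows them.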
Setting a large line or column number using a //line directive can cause
integer overflow even in small source files.
Limit line and column numbers in //line directives to 2^30-1, which
is small enough to avoid int32 overflow on all reasonably-sized files.
Fixes CVE-2023-24537
Fixes#59273
For #59180
(From OE-Core rev: 15c07dff384ce4fb0e90f4f32c182a82101a1c82)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE is specific to Microsoft Windows, ignore it.
Patch fixing it (https://go-review.googlesource.com/c/go/+/446916)
also adds a redundant check to generic os/exec which
could be backported but it should not be necessary as
backport always takes a small risk to break old code.
(From OE-Core rev: ae8167754ff1c02f2d92af03de804754ea77a3e5)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
Backport from bdf07c2e16
(From OE-Core rev: f60637b3c9045656047d6ffcfaadbef5ad1d3d06)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport from go-1.19. The godebug package is needed by
the fix to CVE-2022-41725.
Mostly a cherry-pick but exceptions are noted in comments
marked "backport".
(From OE-Core rev: e5cf04f55b4849ae6db1253b39ad8b037cf01af4)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.
Backport from 5c3e11bd0b
(From OE-Core rev: 7440ebac50813e5df73da2d660a50fa97de650de)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This helps in building rsync without autoconf patch, since it will be a
while that the round trip is made, better to apply this patch here until
next release of autoconf.
(From OE-Core rev: 11522b98697befcf13076a90cec4f8ade1fa0645)
(From OE-Core rev: 3eeab90fd45a1e8de6d9d16dfdec79c72639614b)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8d6b8fb086)
Signed-off-by: pawan <badganchipv@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This function is referencing '${S}/..'.
It uses ${S} only as good known directory path to start
traversing from, and it does not need it to exist or be populated.
If ${S} does not exist yet, the function will fail because
it cannot evaluate path .. from non-existing directory.
Reproducer (verified in master and kirkstone):
bitbake gcc -c deploy_source_date_epoch
bitbake gcc -c cleansstate
rm -rf build/tmp
bitbake gcc -c deploy_source_date_epoch
(From OE-Core rev: 728018bbfe1de53661881a05e0359083ad544f97)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 42661a59cda164b2d236ffc35b4d8cf43312b677)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport appropriate patches to fix CVE-2022-2879 and CVE-2022-41720.
Modified the original fix for CVE-2022-2879 to remove a testdata tarball
and any references to it since git binary diffs are not supported in
quilt.
(From OE-Core rev: a896cebe1ce2363b501723475154350acf0e0783)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It fails to import anything from git/remote.py:
File "/path_to/python3-git-native/3.1.27-r0/GitPython-3.1.27/git/remote.py", line 700
url = Git.polish_url(url)
^
IndentationError: unexpected indent
(From OE-Core rev: 48633d8920210e55e0b9ee3004f0502f9f0eec48)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Error: Transaction test error:
file /usr/bin/vala-gen-introspect-0.56 conflicts between attempted installs of lib32-vala-0.56.3-r0.armv7ahf_neon and vala-0.56.3-r0.aarch64
file /usr/bin/vapigen-wrapper conflicts between attempted installs
of lib32-vala-0.56.3-r0.armv7ahf_neon and vala-0.56.3-r0.aarch64
The differences of vala-gen-introspect-0.56 are as follows:
@@ -2,7 +2,7 @@
prefix=/usr
exec_prefix=/usr
-libdir=/usr/lib64
+libdir=/usr/lib
pkglibdir=${libdir}/vala-0.56
if [ $# -ne 2 ]
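Review bot: the hunk shows that the two multilib copies of vala-gen-introspect-0.56 differ only in `-libdir=/usr/lib64` versus `+libdir=/usr/lib`, but the message below it only explains why vapigen-wrapper can be deleted; it does not say how the vala-gen-introspect-0.56 file conflict reported in the transaction error is resolved. The message should state what is done with that script (for example whether it is likewise dropped or made multilib-aware) so the fix covers both conflicting files named in the error.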
The wrapper isn't used on target so we can simply delete it.
(From OE-Core rev: 8b41b5d2e423636942e34723ad940f6f143640c9)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3cf894b8a9c4fa14fcc7c7445e85e9ae3192b398)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>