Update for changes in nanbield. Note that I am documenting what is set
by poky.conf here (since this is Yocto Project documentation), which is
slightly different from what is done in meta/conf/bitbake.conf.
(From yocto-docs rev: 4273dc298aba67fe07f19b52e5f8fa1d183d054c)
Signed-off-by: Paul Eggleton <bluelightning@bluelightning.org>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Create a Map to detail how BitBake handles a recipe's tasks
and its compile/runtime dependencies along with detailed comments.
(From yocto-docs rev: 529c7bf6c434166f4d372166868d46f275eb5bea)
Signed-off-by: Talel BELHAJSALEM <bhstalel@gmail.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Other spaces uses the Go architecture definitions as their own (for
example, container arches are defined to be Go arches). To make it
easier for other places to use this mapping, move the code that does the
translation of OpenEmbedded arches to Go arches to a library.
(From oe-core rev: 3e86f72fc2e1cc2e5ea4b4499722d736941167ce)
This commit together with meta-virtualization commit
115f6367f37095415f289fb6981cda9608ac72ff
broke meta-virtualization master used with
meta-lts-mixins kirkstone/go which is our primary
usecase for having kirkstone/go mixin layer
Manually crafted since cherry-pick had too many conflicts:
* different path to classes
* additional architecture loongarch64
* different way how to import library
(From OE-Core rev: 8726ae02d760270f9e7fe7ef5715d8f7553371ce)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Cc: Joshua Watt <JPEWhacker@gmail.com>
Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
Cc: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This change adds a patch that is a partial backport of an upstream
commit[1].
It fixes a bug in go's DNS resolver that was causing a docker issue
where the first "docker pull" always fails after system boot if docker
daemon is started before networking is completely up.
[1] d52883f443
(From OE-Core rev: 8c8b01e84844a7e721c668d5ffbc7161e67f0862)
Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
License-update: file removed upstream
Drop patch as issue fixed upstream.
Changelog:
===========
1.9.15p2
* Fixed a bug on BSD systems where sudo would not restore the
terminal settings on exit if the terminal had parity enabled.
GitHub issue #326.
1.9.15p1
* Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
sudoers from being able to read the ldap.conf file.
GitHub issue #325.
1.9.15
* Fixed an undefined symbol problem on older versions of macOS
when "intercept" or "log_subcmds" are enabled in sudoers.
GitHub issue #276.
* Fixed "make check" failure related to getpwent(3) wrapping
on NetBSD.
* Fixed the warning message for "sudo -l command" when the command
is not permitted. There was a missing space between "list" and
the actual command due to changes in sudo 1.9.14.
* Fixed a bug where output could go to the wrong terminal if
"use_pty" is enabled (the default) and the standard input, output
or error is redirected to a different terminal. Bug #1056.
* The visudo utility will no longer create an empty file when the
specified sudoers file does not exist and the user exits the
editor without making any changes. GitHub issue #294.
* The AIX and Solaris sudo packages on www.sudo.ws now support
"log_subcmds" and "intercept" with both 32-bit and 64-bit
binaries. Previously, they only worked when running binaries
with the same word size as the sudo binary. GitHub issue #289.
* The sudoers source is now logged in the JSON event log. This
makes it possible to tell which rule resulted in a match.
* Running "sudo -ll command" now produces verbose output that
includes matching rule as well as the path to the sudoers file
the matching rule came from. For LDAP sudoers, the name of the
matching sudoRole is printed instead.
* The embedded copy of zlib has been updated to version 1.3.
* The sudoers plugin has been modified to make it more resilient
to ROWHAMMER attacks on authentication and policy matching.
This addresses CVE-2023-42465.
* The sudoers plugin now constructs the user time stamp file path
name using the user-ID instead of the user name. This avoids a
potential problem with user names that contain a path separator
('/') being interpreted as part of the path name. A similar
issue in sudo-rs has been assigned CVE-2023-42456.
* A path separator ('/') in a user, group or host name is now
replaced with an underbar character ('_') when expanding escapes
in @include and @includedir directives as well as the "iolog_file"
and "iolog_dir" sudoers Default settings.
* The "intercept_verify" sudoers option is now only applied when
the "intercept" option is set in sudoers. Previously, it was
also applied when "log_subcmds" was enabled. Sudo 1.9.14
contained an incorrect fix for this. Bug #1058.
* Changes to terminal settings are now performed atomically, where
possible. If the command is being run in a pseudo-terminal and
the user's terminal is already in raw mode, sudo will not change
the user's terminal settings. This prevents concurrent sudo
processes from restoring the terminal settings to the wrong values.
GitHub issue #312.
* Reverted a change from sudo 1.9.4 that resulted in PAM session
modules being called with the environment of the command to be
run instead of the environment of the invoking user.
GitHub issue #318.
* New Indonesian translation from translationproject.org.
* The sudo_logsrvd server will now raise its open file descriptor
limit to the maximum allowed value when it starts up. Each
connection can require up to nine open file descriptors so the
default soft limit may be too low.
* Better log message when rejecting a command if the "intercept"
option is enabled and the "intercept_allow_setid" option is
disabled. Previously, "command not allowed" would be logged and
the user had no way of knowing what the actual problem was.
* Sudo will now log the invoking user's environment as "submitenv"
in the JSON logs. The command's environment ("runenv") is no
longer logged for commands rejected by the sudoers file or an
approval plugin.
1.9.14p3
* Fixed a crash with Python 3.12 when the sudo Python plugin is
unloaded. This only affects "make check" for the Python plugin.
* Adapted the sudo Python plugin test output to match Python 3.12.
1.9.14p2
* Fixed a crash on Linux systems introduced in version 1.9.14 when
running a command with a NULL argv[0] if "log_subcmds" or
"intercept" is enabled in sudoers.
* Fixed a problem with "stair-stepped" output when piping or
redirecting the output of a sudo command that takes user input.
* Fixed a bug introduced in sudo 1.9.14 that affects matching
sudoers rules containing a Runas_Spec with an empty Runas user.
These rules should only match when sudo's -g option is used but
were matching even without the -g option. GitHub issue #290.
1.9.14p1
* Fixed an invalid free bug in sudo_logsrvd that was introduced
in version 1.9.14 which could cause sudo_logsrvd to crash.
* The sudoers plugin no longer tries to send the terminal name
to the log server when no terminal is present. This bug was
introduced in version 1.9.14.
1.9.14
* Fixed a bug where if the "intercept" or "log_subcmds" sudoers
option was enabled and a sub-command was run where the first
entry of the argument vector didn't match the command being run.
This resulted in commands like "sudo su -" being killed due to
the mismatch. Bug #1050.
* The sudoers plugin now canonicalizes command path names before
matching (where possible). This fixes a bug where sudo could
execute the wrong path if there are multiple symbolic links with
the same target and the same base name in sudoers that a user is
allowed to run. GitHub issue #228.
* Improved command matching when a chroot is specified in sudoers.
The sudoers plugin will now change the root directory id needed
before performing command matching. Previously, the root directory
was simply prepended to the path that was being processed.
* When NETGROUP_BASE is set in the ldap.conf file, sudo will now
perform its own netgroup lookups of the host name instead of
using the system innetgr(3) function. This guarantees that user
and host netgroup lookups are performed using the same LDAP
server (or servers).
* Fixed a bug introduced in sudo 1.9.13 that resulted in a missing
" ; " separator between environment variables and the command
in log entries.
* The visudo utility now displays a warning when it ignores a file
in an include dir such as /etc/sudoers.d.
* When running a command in a pseudo-terminal, sudo will initialize
the terminal settings even if it is the background process.
Previously, sudo only initialized the pseudo-terminal when running
in the foreground. This fixes an issue where a program that
checks the window size would read the wrong value when sudo was
running in the background.
* Fixed a bug where only the first two digits of the TSID field
being was logged. Bug #1046.
* The "use_pty" sudoers option is now enabled by default. To
restore the historic behavior where a command is run in the
user's terminal, add "Defaults !use_pty" to the sudoers file.
GitHub issue #258.
* Sudo's "-b" option now works when the command is run in a
pseudo-terminal.
* When disabling core dumps, sudo now only modifies the soft limit
and leaves the hard limit as-is. This avoids problems on Linux
when sudo does not have CAP_SYS_RESOURCE, which may be the case
when run inside a container. GitHub issue #42.
* Sudo configuration file paths have been converted to colon-separated
lists of paths. This makes it possible to have configuration
files on a read-only file system while still allowing for local
modifications in a different (writable) directory. The new
--enable-adminconf configure option can be used to specify a
directory that is searched for configuration files in preference
to the sysconfdir (which is usually /etc).
* The NETGROUP_QUERY ldap.conf parameter can now be disabled for
LDAP servers that do not support querying the nisNetgroup object
by its nisNetgroupTriple attribute, while still allowing sudo to
query the LDAP server directly to determine netgroup membership.
* Fixed a long-standing bug where a sudoers rule without an explicit
runas list allowed the user to run a command as root and any
group instead of just one of the groups that root is a member
of. For example, a rule such as "myuser ALL = ALL" would permit
"sudo -u root -g othergroup" even if root did not belong to
"othergroup".
* Fixed a bug where a sudoers rule with an explicit runas list
allowed a user to run sudo commands as themselves. For example,
a rule such as "myuser ALL = (root) ALL", "myuser" should only
allow commands to be run as root (optionally using one of root's
groups). However, the rule also allowed the user to run
"sudo -u myuser -g myuser command".
* Fixed a bug that prevented the user from specifying a group on
the command line via "sudo -g" if the rule's Runas_Spec contained
a Runas_Alias.
* Sudo now requires a C compiler that conforms to ISO C99 or higher
to build.
(From OE-Core rev: 55f1437e2e7f11724ace489677ae214611244faf)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These CVEs affect path handling on Windows.
(From OE-Core rev: 60f75fd6a671fcbfeefb634fe88f6faa17b446b7)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
issue in GhostPCL.
GhostPCL not part of this GhostScript recipe.
(From OE-Core rev: 7c4b4daeeca8fab257475eacb83c58b7e5dfee24)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was found in Avahi. A reachable assertion
exists in the avahi_alternative_host_name() function.
(From OE-Core rev: 3a9b67f222d6e004a8b56eedca6ff869e9aba710)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was found in Avahi. A reachable assertion
exists in the avahi_rdata_parse() function.
(From OE-Core rev: 1b699ac1e8519cd488ee033919b9205283b7b465)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was found in Avahi, where a reachable assertion
exists in avahi_dns_packet_append_record.
(From OE-Core rev: 8bd1980fd4175be3dd68987f8c5653409b76f544)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was found in Avahi. A reachable assertion exists
in the avahi_escape_label() function.
(From OE-Core rev: bc211ae0e597d40f938f9a25bfc0fcbb228d90b6)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was found in Avahi. A reachable assertion exists
in the dbus_set_host_name function.
(From OE-Core rev: f4286c3a3070fd50e334a48f1b7c068d34747115)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
An out-of-bounds write flaw was found in grub2's NTFS filesystem driver.
This issue may allow an attacker to present a specially crafted NTFS
filesystem image, leading to grub's heap metadata corruption. In some
circumstances, the attack may also corrupt the UEFI firmware heap metadata.
As a result, arbitrary code execution and secure boot protection bypass
may be achieved.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4692https://bugzilla.redhat.com/show_bug.cgi?id=2236613
(From OE-Core rev: c89835b37366dde6c74f8221fd5a295ecabf8225)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There was an extra space between the result and ':'.
After removing extra space, the ptest result will be:
result : testname -> result: testname
(From OE-Core rev: 4bb6373e5f4a1330a063d1afe855d6c24d5461e7)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We don't make do_cve_check depend on do_unpack because that would be a
waste of time 99% of the time. The compromise here is that we can't
scan remote patches for issues, but this isn't a problem so downgrade
the warning to a note.
Also move the check for CVEs in the filename before the local file check
so that even with remote patches, we still check for CVE references in
the name.
(From OE-Core rev: b4e5e02ab5dcc6b32810aa88c371799777dd8821)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0251cad677579f5b4dcc25fa2f8552c6040ac2cf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Occasionally the cve-check tool will warn that it is adding the same
package twice. Knowing what this package is might be the first step
towards understanding where this message comes from.
(From OE-Core rev: 4b449d5dcbaebb0690a55cf45e3a735c2d8df101)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c1179faec8583a8b7df192cf1cbf221f0e3001fc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The JSON report generated by the cve-check class is basically a huge
list of packages. This list of packages is, however, unsorted.
To make things easier for people comparing the JSON, or more
specifically for git when archiving the JSON over time in a git
repository, we can sort the list by package name.
(From OE-Core rev: 1245649fd2725915154648a98584c908da07af18)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e9861be0e5020830c2ecc24fd091f4f5b05da036)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Error occured while running bitbake on cephfs:
WARNING: The free inode of path is running low (-0.001K left)
ERROR: Immediately halt since the disk space monitor action is "HALT"!
(Bitbake rev: a7f6c3e67bd9170e93b2b94676e84018faf0df91)
Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Using multiconfig to target baremetal pieces of the system and building
corresponding toolchains for them results in hundreds and hundreds of
"Deferring %s after %s" and "Deferred task %s now buildable".
To clean up the output and to reduce risk of missing important warnings,
convert these notice messages to debug messages.
(Bitbake rev: 3505d8d8c02b041946670ab6bc5751e54fe292ff)
Signed-off-by: Denys Dmytriyenko <denis@denix.org>
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 64bc00a46d1aacc23fe7e8d9a46a126f3a4bc318)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If Tinfoil is initialized with setup_logging = False and
Tinfoil.prepare() is called with config_only = False, then it fails
because self.localhandlers is only initialized when
setup_logging = True.
This is seen with, e.g., `bitbake-getvar -q -r busybox MACHINE`:
Traceback (most recent call last):
File ".../bitbake/bin/bitbake-getvar", line 41, in <module>
tinfoil.prepare(quiet=2)
File ".../bitbake/lib/bb/tinfoil.py", line 390, in prepare
for handler in self.localhandlers:
AttributeError: 'Tinfoil' object has no attribute 'localhandlers'.
Did you mean: 'oldhandlers'?
(Bitbake rev: e452c6d7ba5bb4f78a1d2bfb742794efdf171dbc)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 616101ddb630e2c9975022068b52a87c4cf647f6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Initializing Tinfoil with setup_logging = False only has an effect when
recipe parsing is not needed. To make it work regardless of if --recipe
is used, manipulate the quiet parameter to Tinfoil.prepare() instead.
(Bitbake rev: 161ab0d5bab74732e12d490cee50e14295be0a9f)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 71ee69a20f21f3d37f4f060a7d8e87d9f1dc6aa1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This vulnerability was introduced in 2.36, so 2.35 is not vulnerable.
(From OE-Core rev: bf60773c882483f4bfe49e89be8e2f85f78b212b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch for gitlab issue mentioned in NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Backport also one of 14 patches for older issue with similar errors
to have clean cherry-pick without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/344
The CVE is disputed because the maintainer does not think that
errors after memory allocation failures are not critical enough
to warrant a CVE ID.
This patch will formally fix reported error case, trying to backport
another 13 patches and resolve conflicts would be probably overkill
due to disputed state.
This CVE was ignored on master branch (as diputed).
(From OE-Core rev: d29a89412b37995857269d617e16ada116f14270)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is backport of commit dfb7d2c426 from poky master.
This is in continuation of earlier commit:
3ddddfc14f
linux-firmware: create separate package for cirrus and cnm firmwares
And creates separate sub packages for firmwares corresponding to following list of
licenses:
LICENSE.amphion_vpu
LICENCE.cw1200
LICENSE.ice_enhanced
LICENCE.mediatek
LICENCE.microchip
LICENCE.moxa
LICENSE.nxp_mc_firmware
LICENCE.OLPC
LICENCE.phanfw
LICENCE.qla2xxx
LICENCE.ti-keystone
LICENCE.wl1251
LICENCE.xc4000
LICENCE.xc5000
LICENCE.xc5000c
(From OE-Core rev: c110e5708465a6becc611acf97f166302a17ebdf)
(From OE-Core rev: 56503e3e80603de3b69acef2f6d32836bc9e5e5d)
Signed-off-by: Fahad Arslan <fahad.arslan@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is cherry-pick of commit 3ddddfc14f from
poky master.
Some licenses only allow usage of corresponding firmwares when a specific
hardware is present. This requires split of such firmwares from linux-firmware
package to firmware specific sub package. As this split is based off of
licensing, it makes sense to group firmware blobs having the same license in the
same package. This commit is a first step in this direction, and creates
separate packages for cirrus and cnm firmware.
(From OE-Core rev: 53d9d8789efc701609a5a1e985287344c2209d62)
(From OE-Core rev: 9b556e63ba3e89e83ba6e2647656a1fa6def87a4)
Signed-off-by: Fahad Arslan <fahad.arslan@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Commit 4a4d5f78a6 ("package_rpm: use zstd
instead of xz") changed the rpm package compressor from 'xz' to 'zstd'
which results in decompression failure with BusyBox-provided 'rpm2cpio'
applet and 'rpm' applet when given the '-i' (Install package) option:
rpm2cpio: no gzip/bzip2/xz magic
Introduce a variable which makes it possible to use a different
compression mode, making it possible to override the default value for
example like
RPMBUILD_COMPMODE = "${@'w6T%d.xzdio' % int(d.getVar('XZ_THREADS'))}"
to enable rpm decompression without including the full rpm package in
the resulting root filesystem.
(From OE-Core rev: a40d9258148e28cbee2168c93179cd4c1232fb62)
(From OE-Core rev: ad4ea9f225b0dd6396088cc70b34f886c5fa62b4)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the Curl package. This flaw allows an attacker to insert
cookies into a running program using libcurl if the specific series of conditions are met.
(From OE-Core rev: 9c0c09b81594979aafd74511366316419d23046e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.
(From OE-Core rev: 44971c945a615d07c91100f514377f7247796334)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Remove a reference to a web resource which is clearly marked as obsolete.
Replace the unnecessarily verbose note by just links to the mentioned tools.
[YOCTO #15233]
(From yocto-docs rev: b2db385b859faa775f7c92072ba9bbeebb90e713)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
