CVE-2015-20107 describes an arbitrary command execution in the mailcap
module, but this is by design in mailcap and needs to be worked around
by the calling application.
Upstream Python will be documenting this flaw in the library reference,
and it is likely that the mailcap module will be deprecated and removed
in the future.
(From OE-Core rev: f525745af38b0e5ea26693849cd4f19c627efd46)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 85fac8408baf92d8b71946f5bfea92952b7eab01)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
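Because the mailcap module substitutes the filename into the viewer command template without quoting and the result is meant to be run through a shell, the calling application has to do the hardening itself. The following is an added example written for this note (it is not code from upstream Python or from OE-Core) of one way to do that: allow-list the filename and run the template as an argv list with no shell at all. The template string, the allow-list pattern and the helper names are assumptions of this example.

```python
import re
import shlex
import subprocess
from typing import List

# Constructed sample viewer template in mailcap style (not taken from any
# real mailcap file): %s marks where the filename is substituted.
SAMPLE_TEMPLATE = "xdg-open %s"

# Conservative allow-list: no shell metacharacters, no path separators, and
# no leading '-' so the name can never be parsed as a viewer option.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def is_safe_mailcap_filename(name: str) -> bool:
    """True only if the name is safe to hand to a mailcap viewer as one argument."""
    return bool(_SAFE_NAME.match(name))


def build_argv(template: str, filename: str) -> List[str]:
    """Expand a mailcap command template into an argv list.

    The template is split with shell rules once, then %s is replaced inside
    each token, so the filename always stays a single argument and is never
    re-parsed by a shell.  Unsafe filenames raise ValueError.
    """
    if not is_safe_mailcap_filename(filename):
        raise ValueError("refusing unsafe filename: %r" % (filename,))
    return [token.replace("%s", filename) for token in shlex.split(template)]


def run_viewer(template: str, filename: str) -> int:
    """Run the viewer without shell=True; returns the process exit status."""
    argv = build_argv(template, filename)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    print(build_argv(SAMPLE_TEMPLATE, "report.pdf"))
```

The allow-list is deliberately strict: a name with a space, a `$`, a `;` or a leading `-` is rejected before any command is assembled, and because the argv is passed straight to `subprocess.run` there is no shell for metacharacters to reach even if the pattern were later relaxed.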
This prevented variables from being substituted through the
code in yocto-vars.py, at least in the files included this way.
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
(From yocto-docs rev: ac4e4b167964dd4548fb3d90cf9c63580a70b6e3)
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ruby 3.1.2 has been released.
This release includes security fixes.
CVE-2022-28738: Double free in Regexp compilation
CVE-2022-28739: Buffer overrun in String-to-Float conversion
(From OE-Core rev: ca1c990df62f1b3d53b2114a387f192efe7e38e8)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1306c732a39070e12306b0b7a393e2a482c8b326)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
=========
Validate repository directory ownership (v1.4)
midx: Fix an undefined behavior (left-shift signed overflow)
fetch: support OID refspec without dst
Fix crash when regenerating a patch with unquoted spaces in filename
(From OE-Core rev: e6541bd09289abc87b7e81716bea774c80285bc0)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bef09c61ee32df214fb8cf6000e0314ff3a38156)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
* Fix regression with transfer frees after closing device
* Fix regression with destroyed context if API is misused
* Workaround for applications using missing default context
* Fix hotplug enumeration regression
* Fix Windows isochronous transfer regression since 1.0.24
* Fix macOS exit crash in some multi-context cases
* Build fixes for various platforms and configurations
* Fix Windows HID multi-interface product string retrieval
* Update isochronous OUT packet actual lengths on Windows
* Add interface bound checking for broken devices
* Add umockdev tests on Linux
(From OE-Core rev: 0c5828713ad1716d2032986f4156cfbc83a53674)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7353489980600af07d0771654da6a8a3b0df7572)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-Update:
Version of driver files updated
Added files for some drivers
(From OE-Core rev: 332dcf0fbce5d851e4d75216ed204ba6b7bd6a21)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 01684df3a51be476081ee21eb54c24fef00acb3f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
udevadm is duplicated in the systemd recipe so that update_udev_hwdb
can run with multilib enabled. Since the last systemd update, it
deploys a shared library libsystemd-shared-250.so in /lib/systemd/.
The library is overwritten when multilib is enabled. Then, if both
udev-hwdb and lib32-udev-hwdb are installed, running the multilib
version of the postinstall intercept update_udev_hwdb fails:
| /path/to/build/tmp-glibc/work/intel_x86_64-wrs-linux/wrlinux-image-small/1.0-r1/rootfs/usr/libexec/lib32-udevadm:
error while loading shared libraries: libsystemd-shared-250.so: wrong ELF class: ELFCLASS64
`udevadm hwdb --update` just concatenates the .hwdb files in the dirs
/etc/udev/hwdb.d and /lib/udev/hwdb.d. The output file hwdb.bin is
identical to the one created by lib32-udevadm. So do NOT duplicate
lib32-udevadm in systemd and eudev. And update the intercept script
update_udev_hwdb to re-run udevadm with the same-arch qemuwrapper if
running ${binprefix}qemuwrapper fails.
(From OE-Core rev: 74fe1b5af064f644a7d555b61527bb7d02cc30b8)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3dba872a42c2be7d0865a30118984ab013850292)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
pkg-config is used by the Makefiles, and thus pkgconfig needs to be
inherited.
(From OE-Core rev: 91bfc749de1530065d2cd8ecb4c8d16c458ade56)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6148ac9bc5d3e0d0ffdbbd6695acd96ca1836b78)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If IMAGE_NAME and IMAGE_LINK_NAME are the same an
exception is raised in image_combine_spdx because
it cannot create a symlink with the same exact
path of the original file. In that case there is
no point in creating a link in the first place.
Refactor image_combine_spdx to avoid code duplication
(From OE-Core rev: dfb49be6b586e3901a4398b46c914d80dcdd029b)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 88f76bba705007a7fcda506c79f743060d8f2e52)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
by default git pulls in several code fragments not being licensed
under just GPL-2.0-only.
obstack and poll are licensed under GPL-2.0-or-later
reftable being BSD-3-Clause
sha1dc and inet_ntop being MIT
netmalloc being Boost-1.0 aka BSL-1.0
regex being LGPL-2.1-or-later
(From OE-Core rev: d12513f066baca13a5be0c00792b1bd7d8b07c17)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5184e651651ed949d198882a10f406cef5939b7b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When signing the deb package feed, gpg tools are a soft requirement. If gnupg-native
is not declared a dependency, the version from hosttools is used. Unfortunately the
gpg-agent version from Ubuntu 16.04 on the autobuilders is incompatible with the package_index task
and fails during oe-selftest. Fix by making gnupg-native a dependency.
Fixes: 0b4231b5 "package_manager: sign DEB package feeds"
Reported-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Suggested-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 74725c9f7e7ed4172781891001e85b64bfb206b8)
Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c063b658e30a24be9214abc23cd2a16c0260e93e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
Currently when building images this requirement is worked around by using [allow-insecure=yes] and
equivalently when performing selftest.
Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds"
enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
management. To be able to install the key the gnupg package is added to the testimage.
(From OE-Core rev: 10fd76e6dfd97b57a9e2f592677c7e47b622e6b5)
Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3ec30490d09d6639eea2638cf12a323948f221cc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These settings are good for developers/maintainers, but for distributions
disabling them generally turns out to be better, especially when there is
a knob to do so. This fixes the build with gcc-12, which finds additional
warnings:
inlined from 'bt_ctf_object_set_parent' at ../../../git/src/ctf-writer/object.h:120:6,
inlined from 'bt_ctf_trace_common_add_stream_class' at ../../../git/src/ctf-writer/trace.c:1243:3:
../../../git/src/ctf-writer/object.h:141:26: error: null pointer dereference [-Werror=null-dereference]
141 | if (child->parent) {
| ~~~~~^~~~~~~~
../../../git/src/ctf-writer/object.h:141:26: error: null pointer dereference [-Werror=null-dereference]
cc1: all warnings being treated as errors
(From OE-Core rev: bdf428b3b91d43eb61a6a4b83fc0f108745d45b7)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1898d10dd4d4372823e6c8b8c4ed28604e692365)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Users may or may not include the certificates in buildtools. Only set the
appropriate variables if they're present.
(From OE-Core rev: f3b1699afcd35494e972e7b5b575c318a196909f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0945a2a5d7c41af22e222a116aafacb4beee54d2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A fix is being added to bitbake to correctly handle spaces inside
checksum filenames. Add a test to oe-selftest to ensure this is
tested and doesn't regress in future.
(From OE-Core rev: 4146d30d06233c299b280d0e99ac5f51aab63ad4)
Signed-off-by: Paulo Neves <ptsneves@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 324109f034f069ee3e91a1a705b3449911a448de)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The virtio PCI devices seemed to be required for this machine for some
versions of qemu (based on errors from running qemu saying that the
devices don't exist). Changes to the entries here is all that is needed
to get it working.
(From OE-Core rev: 291940f12c319e74351ff97811919c8c03477c27)
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 217deeb43036d1a046d6c5ea2c1ccdb94d3d605a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If I am not mistaken, the only kernel recipe to have a new PACKAGECONFIG
option is linux-yocto-dev, in commit 1bac831fba
"linux-yocto-dev: introduce dt-validation PACKAGECONFIG".
Therefore, let's replace (kernel) by the one kernel recipe that has this
change.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 1882954924cef9f17caad0f83973afe08f4db764)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Plaintext/clear passwords are not supported anymore but hashed passwords
still are. Mention that in the migration guide and point to the
appropriate location of documentation.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: f8b9697ec7bcc188db5ce9e5067bc82c023b79d9)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
extlinks captions support using %s substitution but only from sphinx 4.0
onwards.
c.f. https://www.sphinx-doc.org/en/master/usage/extensions/extlinks.html#confval-extlinks
Weirdly enough, on older sphinx versions, the caption is just a prefix
to the actual text passed to the extlink. Therefore, in that specific
case, CVE- or CVE-%s are identical in meaning for sphinx >=4.0 and since
only CVE- caption works on sphinx <4.0, let's go with CVE- caption
prefix.
Fixes: b311070d866cf "manuals: add 3.4 and 3.4.1 release notes after migration information"
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: c9922076f5c1285d9cfd6aff8ce5b6635d88222f)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
XZ_THREADS and XZ_MEMLIMIT were introduced in dunfell.
[RP improved an original patch from Paul]
(From yocto-docs rev: 96defb66b775093b5270bd1ebad0461c2bba1e5b)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Generated from commits in the kirkstone branch, as well as a few entries
from the migration guide.
(Note that the "Repositories / Downloads" section still needs to be
filled in.)
(From yocto-docs rev: 0c66638e61d3e16ac8d4b7ebc4ec6fb35625bf4f)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Make some corrections to preliminary set of entries
* Move out entries that were more appropriate for the release notes
(i.e. that are more additions rather than changes that require the
user to make changes)
* Add new entries based on commits in the kirkstone branch
(From yocto-docs rev: bea2da80e7c5338dc5abefe95ce27b80ed4ee98a)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add this since the INCOMPATIBLE_LICENSE wildcard support has changed in
the 4.0 release.
(From yocto-docs rev: c7946863e5a9d62a49131b92cc9549da9b799bbd)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It seems prudent to point out that hard-coding passwords in the manner
detailed in the example is not a good idea in production. This type of
mistake has unfortunately been made by many device vendors (outside of
the Yocto Project context) leading to security vulnerabilities.
(From yocto-docs rev: 1d07dba9423ae0a841eccb58c297e31b63c3965d)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We missed noting this in 3.4 but I noticed the documentation was
recently updated, so note the removal.
(From yocto-docs rev: f661e62d6faf48dbb6c6fd9a61a6448ec339d2bf)
Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The switcher expects URL subpath to match the "release" used by sphinx
to build the documentation. Branches, however, are put in a subpath
after their name (e.g. dunfell) while sphinx sets the "release" to
X.Y.999. This means the switcher cannot correctly replace the path to
switch between releases/versions.
Let set_versions.py inject the list of release names into the
switchers.js.in file so it can check whether the subpath is one of the
release names in which case it needs to be stripped.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 5ef3d129b8d0d8ae98a694103930988a46285525)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>