Update dbus to 1.14.8 to fix CVE-2023-34969 and several bugs
changes:
f90d4f1693/NEWS
commits:
55d11f57 doc/dbus-api-design: fix wrong closing tag
a96f417f CI: Run a detached pipeline for merge requests
9e0477fc CI: Only run for pushes to dbus
077f7e43 CI: Remove an obsolete workaround
07fe44f4 CI: Update Windows runners
ec708d55 CI: Avoid using a no-op download location that gives a 403 error
45e6e93e dbus_message_iter_get_signature: Fix two memory leaks on OOM
0bb1942e dbus-internals: use `_DBUS_FUNCTION_NAME` in `_dbus_verbose()`
8df1b8be dbus-sysdeps-win: do not log function name twice
5c3a4e81 dbus-spawn-win: use `_DBUS_FUNCTION_NAME` instead of `__FUNCTION__`
8e457296 Update NEWS
e1ffce17 Revert "CI: Remove an obsolete workaround"
40c0802f monitor test: Log the messages that we monitored
a70c8f2f bus: Assign a serial number for messages from the driver
39b5c617 monitor test: Reproduce #457
f99e5de1 Update NEWS
21414587 AUTHORS: Update
f90d4f16 Release v1.14.8
(From OE-Core rev: fc3067f163c21434d3f79d03b26b21165be6927a)
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Refactor _process_deps to expand systemd instance specifier "%i" to the
template instance.
This change expands on prior commit e510222b57 ("systemd-systemctl: fix
instance template WantedBy symlink construction") by substituting every
"%i" pattern-match with the instance name.
The regexp handles the following cases:
* svc-wants@%i.service
* sys-subsystem-net-devices-%i.device
(From OE-Core rev: 11d3f1c8252592c377ea6b92bba77ef6d9c75464)
Signed-off-by: Ian Ray <ian.ray@ge.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 9356276137267a29ae2289d796a2940918375308)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add new fetcher for the NVD database using the 2.0 API [1].
The implementation changes as little as possible, keeping the current
database format (but using a different database file for the transition
period), with a notable exception of not using the META table.
Minor changes that could be visible:
- the database starts in 1999 instead of 2002
- the complete fetch is longer (30 minutes typically)
[1] https://nvd.nist.gov/developers/vulnerabilities
(From OE-Core rev: b8ae26aabe825c1bc8d84fd7e0ee197695f1dee7)
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit fb62c4c3dbca4e58f7ce6cf29d4b630a06411a97)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upstream v250 of systemd-networkd contains a race which will drop the
config of unmanaged wireless interfaces during reconfigure or carrier
loss. This bug is fixed in v251 by this commit:
commit a0e99a377a2f22c0ba460d3e7228214008714c14
Author: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon Jan 31 19:08:27 2022 +0900
network: remove only managed configs on reconfigure or carrier lost
Otherwise, if the carrier of the non-managed interface is lost, the
configs such as addresses or routes on the interface will be removed by
networkd.
A bug was filed upstream on v250 to have upstream backport but was
rejected as "version-too-ancient", so backport this commit as a patch to
systemd-networkd for kirkstone.
Fixes: [YOCTO #15134]
(From OE-Core rev: 56fdf57d99900b8dfb75bf915fcab45d4c1a458e)
Signed-off-by: C. Andy Martin <cam@myfastmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix issue of the below instance template systemd service dependency
[Install]
WantedBy=svc-wants@%i.service
creating the symlink (instance "a" example)
/etc/systemd/system/svc-wants@%i.service.wants/svc-wanted-by@a.service
which should be
/etc/systemd/system/svc-wants@a.service.wants/svc-wanted-by@a.service
as implemented by this change.
The functionality appears regressed just after "thud" baseline when the
logic was refactored from shell script into python (commit
925e30cb10)
(From OE-Core rev: 308397f0bb3d6f3d4e9ec2c6a10823184049c9b5)
(From OE-Core rev: e572d096e81bb7dba8a07ee9dba93d0944857212)
Signed-off-by: Martin Siegumfeldt <mns@gomspace.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 372b29c8ad270d4d430c26a4e614976c7029afaf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
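The two systemd-systemctl commits above (the "%i" expansion in _process_deps and the earlier WantedBy symlink fix it builds on) describe the same transformation: a WantedBy= target such as svc-wants@%i.service must have "%i" replaced by the template instance before the .wants symlink is created. The following is an added illustration written for this page, not OE-Core's systemd-systemctl code; the function names and the default /etc/systemd/system prefix are assumptions.

```python
import os
import re

# Added illustration for this page, not OE-Core's systemd-systemctl code: it
# shows how a WantedBy= target containing the systemd "%i" instance specifier
# is expanded to the template instance before the .wants symlink is built.

_INSTANCE_SPECIFIER = re.compile(r"%i")


def split_unit(unit):
    """'svc-wanted-by@a.service' -> ('svc-wanted-by', 'a', 'service').
    A non-template unit yields an empty instance."""
    name, ext = unit.rsplit(".", 1)
    if "@" in name:
        template, instance = name.split("@", 1)
        return template, instance, ext
    return name, "", ext


def expand_instance(target, instance):
    """Substitute every '%i' in a dependency target with the instance name.
    A '%i' with no instance to fill it is an error, not a literal path."""
    if _INSTANCE_SPECIFIER.search(target) and not instance:
        raise ValueError("'%s' uses %%i but the unit is not an instance" % target)
    # lambda avoids re.sub treating backslashes in the instance as escapes
    return _INSTANCE_SPECIFIER.sub(lambda m: instance, target)


def wanted_by_symlink(unit, wanted_by, sysconfdir="/etc/systemd/system"):
    """Path of the symlink created for one WantedBy= entry of `unit`.
    The link lives in <expanded target>.wants/ and is named after the unit."""
    _, instance, _ = split_unit(unit)
    target = expand_instance(wanted_by, instance)
    return os.path.join(sysconfdir, target + ".wants", unit)


if __name__ == "__main__":
    for unit, dep in (("svc-wanted-by@a.service", "svc-wants@%i.service"),
                      ("ifup@eth0.service", "sys-subsystem-net-devices-%i.device")):
        print(wanted_by_symlink(unit, dep))
```

For instance "a" this yields /etc/systemd/system/svc-wants@a.service.wants/svc-wanted-by@a.service, the corrected path from the commit message, rather than a directory literally named svc-wants@%i.service.wants.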
The environment-setup script generated by the recipe was not quoting the
user's existing PATH when updating it, causing the export command to fail.
Add necessary double quotes around $PATH.
(From OE-Core rev: c9bf05d819fc27cb2943d138e2376b69140727b4)
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 2d4c032bf3187aaa953a0c33a999074e695f54bb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
glibc has its dependencies handled more manually due to its place
in the toolchain bootstrap. It depends upon the compiler and indirectly
through that to binutils. This did mean that if binutils changes and the
compiler does not, sstate and hash equivalence could mean that glibc
wouldn't rebuild.
Add a direct dependency on binutils that if it changes, it forces glibc
to rebuild, as it should.
(From OE-Core rev: de967efc52b858fd51b857d8de731692287430d7)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c4a7b3decff636292f5e76e95406a22b6fe4a994)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
From NEWS for v250:
* Device nodes for the Software Guard eXtension enclaves (sgx_vepc) are
now also owned by the system group "sgx".
From NEWS for v248:
* Intel SGX enclave device nodes (which expose a security feature of
newer Intel CPUs) will now be owned by a new system group "sgx".
Fixes following journal error entry during startup:
/lib/udev/rules.d/50-udev-default.rules:43 Unknown group 'sgx', ignoring
This is seen already on kirkstone.
(From OE-Core rev: 3fd47697df858d4093d9cb4c6a378fc07aa4d064)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bab455cd9b1b82e778f8523a767eb281edf6689e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The original patch was actually allowing .debug modules
though which was incorrect. This change blocks the
parsing of .debug modules (which is correct). As noted in
[YOCTO #15022] this should address the empty modules.dep
when using the BusyBox depmod.
(From OE-Core rev: 49bddef864768bbf339513414b42a820f861bdb7)
Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 339c3c3abe8d405cfe7b3f34db9b3547bcaaf878)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Denial of service fixes:
• Fix an incorrect assertion that could be used to crash dbus-daemon or
other users of DBusServer prior to authentication, if libdbus was compiled
with assertions enabled.
We recommend that production builds of dbus, for example in OS distributions,
should be compiled with checks but without assertions.
(dbus#421, Ralf Habacker; thanks to Evgeny Vereshchagin)
Other fixes:
• When connected to a dbus-broker, stop dbus-monitor from incorrectly
replying to Peer method calls that were sent to the dbus-broker with
a NULL destination (dbus#301, Kai A. Hiller)
• Fix out-of-bounds varargs read in the dbus-daemon's config-parser.
This is not attacker-triggerable and appears to be harmless in practice,
but is technically undefined behaviour and is detected as such by
AddressSanitizer. (dbus!357, Evgeny Vereshchagin)
• Avoid a data race in multi-threaded use of DBusCounter
(dbus#426, Ralf Habacker)
• Fix a crash with some glibc versions when non-auditable SELinux events
are logged (dbus!386, Jeremi Piotrowski)
• If dbus_message_demarshal() runs out of memory while validating a message,
report it as NoMemory rather than InvalidArgs (dbus#420, Simon McVittie)
• Use C11 _Alignof if available, for better standards-compliance
(dbus!389, Khem Raj)
• Stop including an outdated copy of pkg.m4 in the git tree
(dbus!365, Simon McVittie)
• Documentation:
· Consistently use Gitlab bug reporting URL (dbus!372, Marco Trevisan)
• Tests fixes:
· Fix the test-apparmor-activation test after dbus#416
(dbus!380, Dave Jones)
Internal changes:
• Fix CI builds with recent git versions (dbus#447, Simon McVittie)
(From OE-Core rev: be5d5919242d6d26bdb1e70b83aab88949ffe0eb)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 31245df3061c1a913bffe5e11ad6ac7fa9c83915)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 83e9bd1507fd5f79c680dde30b0f66df84cde6b0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The buildtools-tarball includes a native sysroot with .pc files, and
in the case of buildtools-extended-tarball a pkg-config binary too.
If we're using the host pkg-config then it doesn't know to search in the
native sysroot. If we're using our pkg-config then it searches in the
build-time prefix and not the actual SDK installation location.
Neither of these are correct, so set PKG_CONFIG_LIBDIR to search:
- The native sysroot
- The host pkg-config's default search path, if present
- Falling back to /usr/lib/pkgconfig, if not
In an ideal world this would be handled by the generic toolchain script,
but that is slightly more involved.
[ YOCTO #15007 ]
(From OE-Core rev: 9a110453f6b4b2c2d86af4ae20860037796a284d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8f768a3f4c7ff477e994d60800e5a1b83891615a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
To avoid working with nondeterministic config files, remove all the
temporary files to start from scratch.
(From OE-Core rev: a1cd0c804b974ae100cfe8cb34ddd400e3c8206b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 74cd440c4e3df0ed3b81cf5c60a3f92e0dd3fe6c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When compiling busybox a second time (e.g. with `compile -f`), busybox
can use an altered autoconf.h file for compiling, which can ultimately
produce different and unwanted binaries.
This can produce errors like this one:
ERROR: busybox-1.35.0-r0 do_package: Error executing a python function in exec_func_python() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
0001:
*** 0002:ptest_update_alternatives(d)
0003:
File: '…/poky/meta/classes/ptest.bbclass', lineno: 100, function: ptest_update_alternatives
0096: for alt_name, alt_link, alt_target, _ in alternatives:
0097: # Some alternatives are for man pages,
0098: # check if the alternative is in PATH
0099: if os.path.dirname(alt_link) in bin_paths:
*** 0100: os.symlink(alt_target, os.path.join(ptest_bindir, alt_name))
0101:}
0102:
0103:do_configure_ptest_base[dirs] = "${B}"
0104:do_compile_ptest_base[dirs] = "${B}"
Exception: FileExistsError: [Errno 17] File exists: '/bin/busybox.suid' -> '…/busybox/1.35.0-r0/package/usr/lib/busybox/ptest/bin/login'
This happens because ALTERNATIVE:busybox contains `/bin/login` twice,
initially that's because `/bin/login` is present in both
busybox.links.suid and busybox.links.nosuid. The reason for that is
because of the altered autoconf.h.
Steps to reproduce above error:
<add ptest to distro configs>
bitbake busybox -c clean
bitbake busybox -c package -f
bitbake busybox -c compile -f
bitbake busybox -c package -f
This patch guards against potential bugs by:
- making a backup of .config and autoconf.h that have matching
timestamps.
- make sure do_compile always starts with these files.
- restore .config and autoconf.h at the end of do_compile.
(From OE-Core rev: 7e94d0563fadb858aca60d1b1cc3a23e995a500d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6b4a0f063edcfe0a5a4f418842e86ac0c46d9cad)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
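The three guard steps in the busybox commit above (snapshot .config and autoconf.h with matching timestamps, start every do_compile from the snapshots, restore them at the end) can be shown as a small, self-contained round trip. This is an added illustration for this page, not the busybox recipe's own shell code; the file layout, the ".orig" suffix and the injected compile callable are assumptions, and the sample config contents are constructed.

```python
import filecmp
import os
import shutil
import tempfile

# Added illustration for this page, not the busybox recipe's own code: keep
# pristine copies of .config and include/autoconf.h, force every compile to
# start from them and put them back afterwards, so a second "compile -f"
# cannot build against a header that drifted from the configuration.

GUARDED = (".config", os.path.join("include", "autoconf.h"))
BACKUP_SUFFIX = ".orig"


def backup_config(builddir):
    """Snapshot the guarded files. copy2 preserves mtime, so the relative
    timestamps of .config and autoconf.h survive the round trip (assumption:
    the build system uses them to decide whether to regenerate autoconf.h)."""
    for rel in GUARDED:
        path = os.path.join(builddir, rel)
        shutil.copy2(path, path + BACKUP_SUFFIX)


def restore_config(builddir):
    """Overwrite the guarded files with their snapshots; return the ones that
    had drifted (missing or differing) so the caller can log the fact."""
    drifted = []
    for rel in GUARDED:
        path = os.path.join(builddir, rel)
        backup = path + BACKUP_SUFFIX
        if not os.path.exists(backup):
            raise FileNotFoundError("no snapshot for %s; run backup_config first" % rel)
        if not (os.path.exists(path) and filecmp.cmp(path, backup, shallow=False)):
            drifted.append(rel)
        shutil.copy2(backup, path)
    return drifted


def compile_with_guard(builddir, compile_fn):
    """Run compile_fn(builddir) between two restores. Returns (files that had
    drifted before the compile, compile_fn's result)."""
    drifted = restore_config(builddir)
    try:
        result = compile_fn(builddir)
    finally:
        restore_config(builddir)   # also runs when the compile raises
    return drifted, result


def run_demo():
    """Simulate the bug: an unguarded rebuild alters autoconf.h, then a guarded
    compile detects the drift and leaves both files identical to the snapshots."""
    with tempfile.TemporaryDirectory() as builddir:
        os.mkdir(os.path.join(builddir, "include"))
        # constructed sample contents
        files = {GUARDED[0]: "CONFIG_LOGIN=y\n", GUARDED[1]: "#define CONFIG_LOGIN 1\n"}
        for rel, text in files.items():
            with open(os.path.join(builddir, rel), "w") as f:
                f.write(text)
        backup_config(builddir)

        header = os.path.join(builddir, GUARDED[1])
        with open(header, "w") as f:            # what an unguarded second compile did
            f.write("#define CONFIG_LOGIN 0\n")

        drifted, _ = compile_with_guard(builddir, lambda d: "built")
        with open(header) as f:
            pristine = f.read() == files[GUARDED[1]]
        stamps_match = all(
            abs(os.stat(os.path.join(builddir, r)).st_mtime
                - os.stat(os.path.join(builddir, r) + BACKUP_SUFFIX).st_mtime) < 1e-3
            for r in GUARDED)
        return drifted, pristine, stamps_match


if __name__ == "__main__":
    print(run_demo())
```

The drift report is what turns a silent mismatch (the duplicated /bin/login in both busybox.links files) into something visible in the build log; the restore in a finally block is what keeps the next do_compile honest even when this one failed.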
We get random SSL failures when fetching the CVE database, and it's
notable that the NVD server is behind a DNS round-robin or geographically
diverse servers.
On a hunch that there is one misconfigured server, dump the IP that we
connected to.
(From OE-Core rev: 99f1a8971192f85fefad3cbc993b23a59627eb4c)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 91f46d431dc8f40e8c6475c800bb61cb08b82b0a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The database update has been done on the original file. In case of
network connection issues, temporary outage of the NVD server or
a similar situation, the function could exit with incomplete data
in the database. This patch solves the issue by performing the update
on a copy of the database. It replaces the main one only if the whole
update was successful.
See https://bugzilla.yoctoproject.org/show_bug.cgi?id=14929
Reported-by: Alberto Pianon <alberto@pianon.eu>
(From OE-Core rev: 878988a67b488a01f53658bcc528b5d0422672ae)
Signed-off-by: Marta Rybczynska <marta.rybczynska@linaro.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8efe99214d8b005f0ecac690ce5ba17b31758f92)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
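Two of the cve-update-db commits above describe pieces of the same update path: the NVD 2.0 API fetcher that fills the NVD and PRODUCTS tables, and the fix that performs the update on a copy of the database and swaps it in only once the whole fetch succeeded. The following added example, written for this page and not OE-Core's cve-update-db code, combines both: it parses a constructed page shaped like a 2.0 API response into a simplified schema (the table layout is an assumption, not OE's exact one), applies it to a temporary copy of the sqlite file, and replaces the original atomically; a fetch that fails mid-way leaves the original untouched.

```python
import json
import os
import shutil
import sqlite3
import tempfile

# Constructed excerpt shaped like a page from the NVD 2.0 vulnerabilities API.
# The CVE ids, scores and CPE names are invented for this example.
SAMPLE_PAGE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-1999-0001", "lastModified": "2010-12-16T05:00:00.000",
             "descriptions": [{"lang": "en", "value": "Constructed entry one."}],
             "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-2023-0002", "lastModified": "2023-06-01T00:00:00.000",
             "descriptions": [{"lang": "en", "value": "Constructed entry two."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True,
                 "criteria": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "2.0", "versionEndExcluding": "2.4"}]}]}]}},
]})

# Simplified schema in the spirit of the NVD/PRODUCTS tables (assumption, not OE's exact one).
SCHEMA = """
CREATE TABLE IF NOT EXISTS NVD (ID TEXT PRIMARY KEY, SUMMARY TEXT, SCOREV2 REAL,
    SCOREV3 REAL, MODIFIED TEXT);
CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT,
    OPERATOR_START TEXT, VERSION_END TEXT, OPERATOR_END TEXT);
"""


def _bound(match, incl, excl, incl_op, excl_op):
    # one end of a CPE version range: inclusive key wins, else exclusive, else open
    if incl in match:
        return match[incl], incl_op
    if excl in match:
        return match[excl], excl_op
    return "", ""


def parse_cve(entry):
    """Flatten one 'vulnerabilities[]' item into an NVD row plus PRODUCTS tuples."""
    cve = entry["cve"]
    summary = next((d["value"] for d in cve.get("descriptions", []) if d["lang"] == "en"), "")
    metrics = cve.get("metrics", {})

    def score(*keys):
        for key in keys:
            if metrics.get(key):
                return metrics[key][0]["cvssData"]["baseScore"]
        return None

    products = []
    for conf in cve.get("configurations", []):
        for node in conf.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable"):
                    continue
                # cpe:2.3:part:vendor:product:version:...  (escaped "\:" is not handled here)
                fields = match["criteria"].split(":")
                vendor, product, version = fields[3], fields[4], fields[5]
                if version not in ("*", "-"):            # exact version
                    v_start, op_start, v_end, op_end = version, "=", "", ""
                else:                                     # range given by the extra keys
                    v_start, op_start = _bound(match, "versionStartIncluding", "versionStartExcluding", ">=", ">")
                    v_end, op_end = _bound(match, "versionEndIncluding", "versionEndExcluding", "<=", "<")
                products.append((vendor, product, v_start, op_start, v_end, op_end))
    return {"id": cve["id"], "summary": summary, "modified": cve.get("lastModified", ""),
            "v2": score("cvssMetricV2"), "v3": score("cvssMetricV31", "cvssMetricV30"),
            "products": products}


def parse_page(page_json):
    return [parse_cve(e) for e in json.loads(page_json)["vulnerabilities"]]


def update_database(db_path, pages):
    """Apply every page (JSON string) to a COPY of the database, then atomically
    replace the original. If any page fails, the original is untouched and the
    partial copy is deleted."""
    fd, tmp_path = tempfile.mkstemp(prefix=".nvd-update-", dir=os.path.dirname(os.path.abspath(db_path)))
    os.close(fd)
    try:
        if os.path.exists(db_path):
            shutil.copy2(db_path, tmp_path)
        conn = sqlite3.connect(tmp_path)
        try:
            conn.executescript(SCHEMA)
            for page in pages:
                for row in parse_page(page):
                    conn.execute("INSERT OR REPLACE INTO NVD VALUES (?,?,?,?,?)",
                                 (row["id"], row["summary"], row["v2"], row["v3"], row["modified"]))
                    conn.execute("DELETE FROM PRODUCTS WHERE ID = ?", (row["id"],))
                    conn.executemany("INSERT INTO PRODUCTS VALUES (?,?,?,?,?,?,?)",
                                     [(row["id"],) + p for p in row["products"]])
            conn.commit()
        finally:
            conn.close()
        os.replace(tmp_path, db_path)   # same directory: readers see the old or the new file, never a torn one
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def count_cves(db_path):
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM NVD").fetchone()[0]
    finally:
        conn.close()


def run_demo():
    """A successful update, then one that fails mid-stream (simulated outage).
    Returns (rows after success, rows after failure, stray files left behind)."""
    with tempfile.TemporaryDirectory() as work:
        db = os.path.join(work, "nvd.db")
        update_database(db, [SAMPLE_PAGE])
        after_ok = count_cves(db)

        def failing_pages():
            yield json.dumps({"vulnerabilities": [{"cve": {"id": "CVE-2024-0003"}}]})
            raise ConnectionError("simulated NVD outage mid-fetch")

        try:
            update_database(db, failing_pages())
        except ConnectionError:
            pass
        return after_ok, count_cves(db), sorted(f for f in os.listdir(work) if f != "nvd.db")
```

The temporary copy is created in the database's own directory so that os.replace is a rename on one filesystem; a copy in /tmp could land on a different mount and turn the swap into a non-atomic copy.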
Below commits on glibc-2.35 stable branch are updated.
293211b6fd time: Use 64 bit time on tzfile
26c8278889 nscd: Use 64 bit time_t on libc nscd routines (BZ# 29402)
f75f61b659 nis: Build libnsl with 64 bit time_t
ca97201c24 Apply asm redirections in syslog.h before first use [BZ #27087]
cad7947db7 elf: Fix wrong fscanf usage on tst-pldd
e9eb987894 Allow for unpriviledged nested containers
2636fbb7ef elf: Fix wrong fscanf usage on tst-pldd
e7019eeeb5 x86: Fix wcsnlen-avx2 page cross length comparison [BZ #29591]
fb73a40981 elf: Fix rtld-audit trampoline for aarch64
(From OE-Core rev: 4db5727a0b44d471382c95c3897b68af5ab1a3b4)
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* CVE-2022-45873.patch was backported from systemd/main, but it doesn't
build without another change from v252 when elfutils PACKAGECONFIG is
enabled.
* fixes:
| ../git/src/shared/elf-util.c: In function 'parse_elf_object':
| ../git/src/shared/elf-util.c:792:27: error: void value not ignored as it ought to be
| 792 | r = json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL);
| | ^
(From OE-Core rev: bc8501a5a2ffc5673bad50f744d78822525bea9d)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* switch from tar.gz to tar, because the tar.gz archives upstream are regular tar as well now
https://www.w3.org/XML/Test/ still has 3 separate URLs for .zip, .tar
and .tar.gz, but both tar links return the same file:
xmlts20080827.tar: POSIX tar archive (GNU)
xmlts20080827.tar.gz: POSIX tar archive (GNU)
-rw-r--r-- 1 martin martin 5.7M Sep 1 2008 xmlts20080827.tar
-rw-r--r-- 1 martin martin 5.7M Sep 1 2008 xmlts20080827.tar.gz
9b2c865aba66c6429ca301a7ef048d7eca2cdb7a9106184416710853c7b37d0d xmlts20080827.tar
9b2c865aba66c6429ca301a7ef048d7eca2cdb7a9106184416710853c7b37d0d xmlts20080827.tar.gz
96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7 /OE/build/downloads/xmlts20080827.tar.gz
(From OE-Core rev: 55f37f90dc2039fda085c66bb8c6095374b2947f)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
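The listing above shows two upstream files that carry different names but identical bytes and an identical sha256, while the locally cached .tar.gz differs. An added example (written for this page, not OE's fetcher code) that makes such a mismatch visible: it classifies a download by its magic bytes rather than by its name and checks the expected checksum; the sample archives are built in memory, and the function names and filename rules are assumptions.

```python
import gzip
import hashlib
import io
import tarfile

# Added illustration for this page, not OE-Core's fetcher: tell a plain POSIX
# tar from a gzip stream by its magic bytes and verify the expected checksum,
# so a download whose name says .tar.gz but whose bytes are a bare tar is
# noticed instead of being silently accepted or mis-handled when unpacking.

GZIP_MAGIC = b"\x1f\x8b"
USTAR_OFFSET = 257            # "ustar" sits at byte 257 of a POSIX tar header
USTAR_MAGIC = b"ustar"


def archive_kind(data):
    """'gzip', 'tar' or 'unknown', decided by content only."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if data[USTAR_OFFSET:USTAR_OFFSET + len(USTAR_MAGIC)] == USTAR_MAGIC:
        return "tar"
    return "unknown"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_fetch(filename, data, expected_sha256):
    """Report what the bytes are, whether the filename agrees with that, and
    whether the checksum matches the value the recipe expects."""
    kind = archive_kind(data)
    if filename.endswith((".tar.gz", ".tgz")):
        expected_kind = "gzip"
    elif filename.endswith(".tar"):
        expected_kind = "tar"
    else:
        expected_kind = "unknown"
    return {"kind": kind,
            "name_matches": kind == expected_kind,
            "sha256_ok": sha256_hex(data) == expected_sha256.lower()}


def build_samples():
    """Constructed in-memory archives: a one-file POSIX tar and its gzip form."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        payload = b"constructed test-suite file\n"
        info = tarfile.TarInfo("xmlconf/README")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    tar_bytes = buf.getvalue()
    return tar_bytes, gzip.compress(tar_bytes)


if __name__ == "__main__":
    tar_bytes, gz_bytes = build_samples()
    print(verify_fetch("xmlts.tar.gz", tar_bytes, sha256_hex(tar_bytes)))
    print(verify_fetch("xmlts.tar.gz", gz_bytes, sha256_hex(gz_bytes)))
```

A "name_matches": False with "sha256_ok": True is exactly the upstream situation the commit describes (a bare tar served under a .tar.gz name); "sha256_ok": False is the case worth stopping on, since the bytes are not the ones the recipe was written against.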
Changelog:
==========
* Fix -Werror=sign-conversion in lib/alg-yescrypt-platform.c.
With commit 894aee75433b4dc8d9724b126da6e79fa5f6814b we introduced some
changes to huge page handling, that show this error when building with
GCC v12.2.1, and thus need a small fix.
(From OE-Core rev: fbad6f482d2c3213eff12bda4020d14bbe4df288)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 6918477ad121f9c7335c661433a909e948f66d51)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In current psplash framework, the psplash might not exist at all.
For example, in case DISTRO is set to nodistro, the psplash does
not exist.
In our psplash recipe, we have:
SPLASH_IMAGES = "file://psplash-poky-img.h;outsuffix=default"
This variable is parsed to if psplash-poky-img.h exists, a package
named psplash-default is created and is added to RDEPENDS:${PN}.
We can see that the psplash-poky-img.h resides in meta-poky,
and in psplash_git.bbappend file in meta-poky, we have:
FILESEXTRAPATHS:prepend:poky := "${THISDIR}/files:"
So this file is only available in case poky distro is used.
To fix this issue, add condition check in the corresponding systemd
services.
(From OE-Core rev: c1d57880c786b3650f29afb89530941797e85560)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7a62ff9ed39c179d2b9b0c40f4f8423ced413063)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
From NEWS for v236:
* The "uaccess" udev tag has been dropped from /dev/kvm and
/dev/dri/renderD*. These devices now have the 0666 permissions by
default (but this may be changed at build-time). /dev/dri/renderD*
will now be owned by the "render" group along with /dev/kfd.
Without the group systemd-udevd startup logs:
/lib/udev/rules.d/50-udev-default.rules:39 Unknown group 'render', ignoring
/lib/udev/rules.d/50-udev-default.rules:40 Unknown group 'render', ignoring
(From OE-Core rev: f902338f312cf5c55b2857e5c7e980cb11a26a9c)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 84efd72d48616405dbe4d73ec95917077144ed09)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since RRECOMMENDS declaration implicitly induces building the recipes
that provide the runtime recommended packages, conditionalize adding
such values according to associated PACKAGECONFIG settings in order
to avoid redundant building.
(From OE-Core rev: 41ecfff7a413fff178364d67c1bf96c8e6d31c30)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit a1989add927f7805378fe4d5afbde780b747ba77)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The glibc-locale recipe already partially depends on the base depends in
order to satisfy the do_package dependency on binutils. However since
commit d6ffd683bf6 NM has defaulted to gcc-nm, meaning do_package
depends on gcc (for minidebuginfo).
Whilst the do_package task could handle having the dependencies
explicitly defined (either in glibc-locale or in package.bbclass),
setting these would require some amount of conditional dependency
configuration (cross/crosssdk/etc.). Since both binutils and gcc are
already dependencies of virtual/libc (although compilerlibs is not),
having glibc-locale not inhibit the default depends simplifies the
handling of this situation for both glibc-locale and package.bbclass.
(From OE-Core rev: 97020ee9912663196a7e8a524a23b0b70d8cf686)
Signed-off-by: Nathan Rossi <nathan.rossi@digi.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 8a40d0a6039e87a5b4b26a0e84dd797fe5c75cba)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
==========
* configure: Restore ucontext api functionality check.
In c3f01c72b303cbbb0cc8983120677edee2f3fa4b the use of the ucontext api
in the main program was removed, and with it the configure check for it.
However, the ucontext api is still used in the "explicit_bzero" test and
thus this test still needs to be in place.
See also: https://bugs.gentoo.org/838172
* configure: Restore the functionality of the '--disable-symvers' switch.
Without this fix the build was simply broken, if symbol versioning was
disabled for any reason, e.g. neither the compiler nor the linker
supporting it, or if disabled on purpose by the user (issue #142).
* Fix variable name in crypt(3) for a datamember of 'struct crypt_data'
(issue #153).
* Add glibc-on-loongarch-lp64 (Loongson LA464 / LA664) entry to
libcrypt.minver. This was added in GNU libc 2.36.
(From OE-Core rev: 061a969a6d7a8d3a7009190a18c1564cae4ad990)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 7da5dd3b43718b876645602b1a23c739cbe8016d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Release 2.5.0 Tue October 25 2022
Security fixes:
#616#649#650 CVE-2022-43680 -- Fix heap use-after-free after overeager
destruction of a shared DTD in function
XML_ExternalEntityParserCreate in out-of-memory situations.
Expected impact is denial of service or potentially
arbitrary code execution.
Bug fixes:
#612#645 Fix corruption from undefined entities
#613#654 Fix case when parsing was suspended while processing nested
entities
#616#652#653 Stop leaking opening tag bindings after a closing tag
mismatch error where a parser is reset through
XML_ParserReset and then reused to parse
#656 CMake: Fix generation of pkg-config file
#658 MinGW|CMake: Fix static library name
Other changes:
#663 Protect header expat_config.h from multiple inclusion
#666 examples: Make use of XML_GetBuffer and be more
consistent across examples
#648 Address compiler warnings
#667#668 Version info bumped from 9:9:8 to 9:10:8;
see https://verbump.de/ for what these numbers do
Includes a fix for CVE-2022-43680.
(From OE-Core rev: 8dda30a9c64a4ad1f8eee11deb2e5143ba5fd719)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a257a674272dc638f09167e9b9202adfb477ef1e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Prepare for version bump which includes this fix
This reverts commit 791fe354e5887af3fa3d3f772fafacc5eaedca21.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport a patch from upstream[1] to fix CVE-2022-42011 dbus-daemon can be crashed by messages with array length inconsistent with element type
[1] b9e6a75230
(From OE-Core rev: 5d96a3c244388623d87a2999dafaa25d0bd216b6)
Signed-off-by: Xiangyu Chen <xiangyu.chen@eng.windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The custom path of the ca-certificates.crt within the buildtools-tarball requires more
environment variables to be exported. Namely REQUESTS_CA_BUNDLE for the python requests library
and CURL_CA_BUNDLE for curl.
(From OE-Core rev: a38eab48fa1ccd6ae3ba0bd8ed30f5a9bdf9b661)
Signed-off-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 5c249db9de8ad8cfe0996ff4fee4c575a5ff1e34)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>