Below commits on binutils-2.34 stable branch are updated.
c4e78c0868a PR27755, powerpc-ld infinite loop
33973d228c9 gas, arm: PR26858 Fix availability of single precision vmul/vmla in arm mode
0c8652fe288 x86: Update GNU property tests
5c1bd3f52c6 x86: Properly merge -z ibt and -z shstk
93b9bf1651a PowerPC TPREL_HA/LO optimisation
58950a3bfd4 Date update
e3b314d3a61 aarch64: set sh_entsize of .plt to 0
26b6ab7a0e4 S/390: z13: Accept vector alignment hints
7324292cd94 gas: Fix checking for backwards .org with negative offset
463ec189fe9 Prevent a potential use-after-fee memory corruption bug in the linker (for PE format files).
ef2826c0fdb Fix the ARM assembler to generate a Realtime profile for armv8-r.
8524bb5bd28 Re: Fix tight loop on recursively-defined symbols
5768460022b Fix tight loop on recursively-defined symbols
a72427b1ae0 gas: PR 25863: Fix scalar vmul inside it block when assembling for MVE
9f57ab49b32 BFD: Exclude sections with no content from compress check.
aaf3f0599a2 Arm: Fix LSB of GOT for Thumb2 only PLT.
97f92b3e90a Arm: Fix thumb2 PLT branch offsets.
3053d7a163c include: Sync plugin-api.h with GCC
f7aec2b8e09 PR25745, powerpc64-ld overflows string buffer in --stats mode
1b2bf0f65c1 include: Sync plugin-api.h with GCC
5e8619b9597 include: Sync lto-symtab.h and plugin-api.h with GCC
23820109ced plugin: Don't invoke LTO-wrapper
64f5c0afcc4 plugin: Use LDPT_ADD_SYMBOLS_V2 to get symbol type
aaa1e160040 Silence warnings due to plugin API change
e7c0ee5110c Include: Sync lto-symtab.h and plugin-api.h with GCC
b6520be37fd Fix dwarf.c build with GCC 10
a560c29ca5a bfd: Change num_group to unsigned int
3ca4cd1ebde gas, arm: Fix bad backport
b3174859c4b gas, arm: PR25660L Fix vadd/vsub with lt and le condition codes for MVE
de9c1b7cfe6 powerpc64-ld infinite loop
0318fc4e18e Adjust PR25355 testcase
40bfb976274 Re: PR24511, nm should not mark symbols in .init_array as "t"
42b2380cdce Don't call lto-wrapper for ar and ranlib
acc4a8b8ac8 PR25585, PHDR segment not covered by LOAD segment
(From OE-Core rev: ad15d44b6c56ccbbe8e4c12717e7dfe3492a659a)
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
archive/tar: limit size of headers
Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
GNU link names), to avoid reading arbitrarily large amounts of data
into memory.
Link: https://github.com/golang/go/commit/0a723816cd2
(From OE-Core rev: a8e2f91edfe2df5204a482c4e53fbdd08f80e878)
Signed-off-by: Sunil Kumar <sukumar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Avoid accidentally linking to the rdma library from the host by
adding a PACKAGECONFIG for the option. This was found on new
Fedora 36 autobuilder workers.
(From OE-Core rev: aa9d0c2b777c10bb6c68b0232d54cbcd1af1493f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2a0f3cb225e4d5471155abbcd05d09bd6bf1620f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Avoid accidentally linking to the rbd library from the host by
adding a PACKAGECONFIG for the option.
(From OE-Core rev: bb32854dbe68335d834aaa80e42d6a524ea4e1b2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Avoid accidentally linking to the vde library from the host by
adding a PACKAGECONFIG for the option.
(From OE-Core rev: cc979908beec8a40a636d00a1fdcf2769358377f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8839e9540528b0b46c4fb4f95e508f038bcef8b9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Security and bug fixes.
* Drop CVE-2021-28861.patch as it was merged in 3.8.14 release.
Fixes:
* CVE-2020-10735
https://nvd.nist.gov/vuln/detail/CVE-2020-10735
* CVE-2021-28861
https://nvd.nist.gov/vuln/detail/CVE-2021-28861
* CVE-2018-25032
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
Python 3.8.14
Release Date: Sept. 6, 2022
This is a security release of Python 3.8
Note: The release you're looking at is Python 3.8.14, a security bugfix
release for the legacy 3.8 series. Python 3.10 is now the latest
feature release series of Python 3.
Security content in this release
CVE-2020-10735: converting between int and str in bases other than
2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base
10 (decimal) now raises a ValueError if the number of digits in string
form is above a limit to avoid potential denial of service attacks due
to the algorithmic complexity.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP
server when an URI path starts with //.
gh-93065: Fix contextvars HAMT implementation to handle iteration over
deep trees to avoid a potential crash of the interpreter.
gh-90355: Fix ensurepip environment isolation for the subprocess running
pip.
gh-80254: Raise ProgrammingError instead of segfaulting on recursive usage
of cursors in sqlite3 converters.
(From OE-Core rev: 25fafd35a4698daa0d4abb814a91601e68223128)
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The upstream qemu recipe uses host's pkg-config files as a solution to
detecting host's SDL. This has a side effect of using other host
libraries that are later queried by the configure script. This can get
into a situation when the host provides libnfs (for example) and because
later this dependency is not in place anymore, qemu will fail at
runtime.
This change adds a PACKAGECONFIG definition for libnfs that is disabled
by default, in turn disabling the pkgconfig autodetection in configure.
(From OE-Core rev: 9badcf0261f6b735d65a5498bb8fbb9979d7a07f)
Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 42b364a25fdbc987c85dd46b8427045033924d99)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: https://github.com/golang/go
MR: 120634
Type: Security Fix
Disposition: Backport from 703c8ab7e5
ChangeID: 3ade323dd52a6b654358f6738a0b3411ccc6d3f8
Description:
CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service.
(From OE-Core rev: 9b3420c9a91059eb55754078bb1e733972e94489)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: https://github.com/qemu/qemu
MR: 119832
Type: Security Fix
Disposition: Backport from 418ade7849
ChangeID: 1246afd7bb950d2d5fe2e198961797c0fa14ac00
Description:
CVE-2022-35414 qemu: can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash.
(From OE-Core rev: 7c3043df56b3090138fe56f8c06df5ca08cafd26)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Autobuilder workers were non-deterministically enabling capstone
depending on whether the worker had libcapstone installed.
Add PACKAGECONFIG for capstone with default off, since qemu does not
require capstone support.
Qemu version in dunfell has capstone in the source tree as a submodule
and has configure options to enable it using that source code or using
the system libcapstone.
Qemu versions in master and kirkstone have removed the capstone
submodule and configure options, but added libcapstone autodetection to
meson.
In all cases using PACKAGECONFIG will allow a deterministic build.
(From OE-Core rev: af25fff399fa623b4fd6efbca21e01ea6b4d1fd7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 052ef1f14d1e6a5ee34f742f65e51b20b416f79f)
Signed-off-by: Steve Sakoman <steve@sakoman.com
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: https://github.com/argoheyard/lang-net
MR: 114874
Type: Security Fix
Disposition: Backport from 701957006e
ChangeID: bd3c4f9f44dd1c45e810172087004778522d28eb
Description:
CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header.
(From OE-Core rev: 2850ef58f2a39a5ab19b1062d1b50160fec4daa8)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some tasks may reference ${B} for gcc-source which in general would not exist.
It has dependencies on HOST_SYS and TARGET_SYS which are not appropriate for a
shared recipe like gcc-source. This causes problems for the archiver and
multiconfigs in particlar.
Set B to something else to avoid these task hash issues.
Acked-by: Jose Quaresma <jose.quaresma@foundries.io>
(From OE-Core rev: 14aa189c2e47a2c5a4a0099235a2605666651f74)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit beb2a76c591e985c6fc7ed473abd1bee27f955a2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Building busybox with CONFIG_LSATTR=y and installing that in the same
filesystem as e2fsprogs breaks:
ERROR: ... do_rootfs: Postinstall scriptlets of ['busybox'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget:${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.
Fix that by also alternatifying lsattr just as chattr already is.
(From OE-Core rev: 28090d32c88d99ea36a03f3bb723838746001e4b)
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 96703961eeb3460e9da26503d7942cc965d1e573)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2015-20107 describes an arbitrary command execution in the mailcap
module, but this is by design in mailcap and needs to be worked around
by the calling application.
Upstream Python will be documenting this flaw in the library reference,
and it is likely that the mailcap module will be deprecated and removed
in the future.
(From OE-Core rev: 1ed7bb74d35f08af3babf73c68ee01af5f28a50b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 85fac8408baf92d8b71946f5bfea92952b7eab01)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Security release, fixes CVE-2021-21300, so remove that patch.
22539ec3b5 unpack_trees(): start with a fresh lstat cache
0d58fef58a run-command: invalidate lstat cache after a command finished
684dd4c2b4 checkout: fix bug that makes checkout follow symlinks in leading path
(From OE-Core rev: 8606d99041c3c1a002b2300c59afc116050c73cc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Recently we've begun seeing issues with apt SHA256 generation/checking on some
distros (fedora 35, alma 8). The version of apt in dunfell uses its own
SHA256 code, not a standard library.
Investigation reveals that the issue is related to -fstrict-aliasing enabled by
-O2 optimization, so turn it off with -fno-strict-aliasing
(From OE-Core rev: dc61dfd7791976c70c93e0d253a8fdbd40d27f3b)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update to a version of pseudo which has a fix for absolute links,
evaluating them from the chroot path.
(From OE-Core rev: 4e79b3fa07d6b8d044f2fb21e691ff3683aee1ea)
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 33147b89bc3c9e9bdd53a942a5551d8a1d06130c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update to a version of pseudo which includes a workaround for crazy
long paths, as shown by the libfm failures from the libtool upgrade.
(From OE-Core rev: 5cac1e855e397b58c3c2b251a9794f3d480c8ad6)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 67dfa32d82b8862e6e543c37315f211aba3ec28b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Everyone I've talked to doesn't see this as a major issue. The CVE
asks for a documentation improvement on the --mirror option to
git clone as deleted content could be leaked into a mirror. For OE's
general users/use cases, we wouldn't build or ship docs so this wouldn't
affect us.
(From OE-Core rev: f35500a442d6a4564d52e23f9602a3f90a4ceee5)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5dfe2dd5482c9a446f8e722fe51903d205e6770d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The git repo for gnu-config was changed, so update the
SRC_URI accordingly with the new link.
(From OE-Core rev: 4ee75d865b34f615bc649004e9dd0460eaf42dbf)
Signed-off-by:Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE is specific to Microsoft Windows, so we can ignore it.
(From OE-Core rev: d966a07d1f04aa76a4970d4af141f817197be0d2)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 2bd3c5a93988140d9927340b3af68785ae03db65)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
