Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7,
2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding
specially crafted input to `git apply --reject`, a path outside the working
tree can be overwritten with partially controlled contents (corresponding to
the rejected hunk(s) from the given patch). A fix is available in versions
2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3,
and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying
patches from an untrusted source. Use `git apply --stat` to inspect a patch before
applying; avoid applying one that creates a conflict where a link corresponding to
the `*.rej` file exists.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-25652
Upstream-Status: Backport from 9db05711c9
(From OE-Core rev: 6747482316b8f7839a09bf041d8c11b559f84b44)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
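The workaround in the CVE-2023-25652 message above can be turned into a pre-check, shown here as an added example that is not part of the commit or of Git/OE-Core. The function names and the script name `check-rej.sh` are hypothetical, and the patch is assumed to use git-style `a/` and `b/` path prefixes.

```shell
#!/bin/sh
# Added example, not Git or OE-Core code. Function names are hypothetical.
# Assumption: the patch uses git-style "--- a/<path>" / "+++ b/<path>" headers.

# patch_paths <patch>: print each path the patch touches, one per line.
patch_paths() {
    sed -n -e 's|^+++ b/||p' -e 's|^--- a/||p' "$1" |
        sed -e 's/[[:space:]]*$//' | sort -u
}

# rej_hazards <tree>: for each path on stdin, report "<path>.rej" if it
# already exists in the tree as a symlink (dangling links included).
rej_hazards() {
    tree=$1
    while IFS= read -r p; do
        rej="$tree/$p.rej"
        if [ -L "$rej" ]; then
            printf '%s -> %s\n' "$p.rej" "$(readlink "$rej")"
        fi
    done
}

# check_patch <patch> [tree]: return 0 if no touched path has a symlinked
# reject file, 1 otherwise (do not run `git apply --reject` in that case).
check_patch() {
    hazards=$(patch_paths "$1" | rej_hazards "${2:-.}")
    if [ -z "$hazards" ]; then
        return 0
    fi
    printf 'symlinked reject file(s), not applying with --reject:\n%s\n' \
        "$hazards" >&2
    return 1
}

# Stand-alone use: sh check-rej.sh incoming.patch /path/to/worktree
if [ "$#" -gt 0 ]; then
    check_patch "$@"
fi
```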
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8,
2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted
`.gitmodules` file with submodule URLs that are longer than 1024 characters can be used
to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug
can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when
attempting to remove the configuration section associated with that submodule. When the
attacker injects configuration values which specify executables to run (such as
`core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code
execution. A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8,
2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running
`git submodule deinit` on untrusted repositories or without prior inspection of any
submodule sections in `$GIT_DIR/config`.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29007
Upstream patches:
528290f8c6
29198213c9
a5bb10fd5e
e91cfe6085
3bb3d6bac5
(From OE-Core rev: db4c152441aebe4c04a7bb7aceb88d8941a6576b)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
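The inspection that the CVE-2023-29007 message above recommends before `git submodule deinit` can be scripted, shown here as an added example that is not part of the commit or of Git/OE-Core. The function names are hypothetical, the 1024 limit is the figure quoted in the message, and a non-bare repository with its config at `$GIT_DIR/config` (default `.git/config`) is assumed.

```shell
#!/bin/sh
# Added example, not Git or OE-Core code. Function names are hypothetical.
# LIMIT is the 1024-character figure quoted in the advisory text.
LIMIT=1024

# long_config_lines <file>...: print "file:line: N chars in [section]" for
# every line longer than LIMIT, naming the config section it sits in.
long_config_lines() {
    awk -v limit="$LIMIT" '
        FNR == 1 { section = "(none)" }
        /^[ \t]*\[/ {
            section = $0
            sub(/^[ \t]*/, "", section)
            sub(/\].*$/, "]", section)
        }
        length($0) > limit {
            printf "%s:%d: %d chars in %s\n", FILENAME, FNR, length($0), section
        }
    ' "$@"
}

# audit_repo <worktree>: check .gitmodules and the repository config.
# Returns 0 when clean, 1 when an over-long line is present (inspect the
# reported sections before running `git submodule deinit`).
audit_repo() {
    found=$(for f in "$1/.gitmodules" "${GIT_DIR:-$1/.git}/config"; do
                if [ -f "$f" ]; then
                    long_config_lines "$f"
                fi
            done)
    if [ -z "$found" ]; then
        return 0
    fi
    printf 'over-long config lines found:\n%s\n' "$found" >&2
    return 1
}

# Stand-alone use: pass the worktree to audit as the first argument.
if [ "$#" -gt 0 ]; then
    audit_repo "$1"
fi
```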
Security release, fixes CVE-2021-21300, so remove that patch.
22539ec3b5 unpack_trees(): start with a fresh lstat cache
0d58fef58a run-command: invalidate lstat cache after a command finished
684dd4c2b4 checkout: fix bug that makes checkout follow symlinks in leading path
(From OE-Core rev: 8606d99041c3c1a002b2300c59afc116050c73cc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Everyone I've talked to doesn't see this as a major issue. The CVE
asks for a documentation improvement on the --mirror option to
git clone as deleted content could be leaked into a mirror. For OE's
general users/use cases, we wouldn't build or ship docs so this wouldn't
affect us.
(From OE-Core rev: f35500a442d6a4564d52e23f9602a3f90a4ceee5)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5dfe2dd5482c9a446f8e722fe51903d205e6770d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character,
which may result in unexpected cross-protocol requests,
as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.
Upstream-Status: Backport [a02ea57717]
CVE: CVE-2021-40330
(From OE-Core rev: ea0d7ef4a8c9bba94bd603ebd19e502faa86293b)
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
checkout: fix bug that makes checkout follow symlinks in leading path
Upstream-Status: Accepted [684dd4c2b4]
CVE: CVE-2021-21300
(From OE-Core rev: 8293d5d1529629bd13028bdde1fa99da30313bac)
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Added HOMEPAGE and DESCRIPTION for recipes with missing descriptions or homepage
[YOCTO #13471]
(From OE-Core rev: bd3352880322598b0ba6dc439ff08c2e4c592e36)
Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bb05814335e7101bfd8df0a11dc18a044e867bed)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
On a system with selinux turned on, trying to access a directory
that is in a tree that doesn't exist returns the error permission
denied rather than no such file or directory, which causes git
to die.
git clone git://git.yoctoproject.org/poky
Cloning into 'poky'...
fatal: unable to access '/opt/poky/3.0+snapshot/sysroots/x86_64-pokysdk-linux/etc/gitconfig': Permission denied
Switch to using the system gitconfig of the host.
(From OE-Core rev: 5e44fb4dd106e3c4b9f072b25a93e54fa7bb1bce)
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some tools are not written in Perl anymore, so they should be in PN not PN-perltools.
(From OE-Core rev: 8a2e4dac4f5086fbfc094fb1f16e91108ee1b247)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Removed code for "${D}${exec_prefix}/lib/perl-native/perl" since there is no
such directory now.
* Fixed perl related code.
(From OE-Core rev: 416a8c241aff0dca6b8b123e52cf8e2d40c74c8d)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add /usr/share/git-core/templates/hooks/fsmonitor-watchman.sample to PERLTOOLS to fix:
ERROR: git-2.16.1-r0 do_package_qa: QA Issue: /usr/share/git-core/templates/hooks/fsmonitor-watchman.sample contained in package git requires /usr/bin/perl, but no providers found in RDEPENDS_git? [file-rdeps]
ERROR: git-2.16.1-r0 do_package_qa: QA run found fatal errors. Please consider fixing them.
(From OE-Core rev: d8a93d75c75bf8df40f3e167eca2fcef4f76e240)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These git commands require Perl modules that do not exist in OE-Core.
Add PACKAGECONFIGs to enable them. Be aware though that if you enable
them you must also provide the missing dependencies.
(From OE-Core rev: d7909007b2a912ae5adf01edfabaa8b8646369cd)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove git-relink from PERLTOOLS:
git-2.13.2/Documentation/RelNotes/2.12.0.txt:
* An ancient script "git relink" has been removed.
(From OE-Core rev: f759420ad2a60d0be4ca15f4c9294086ecc86e59)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Search made with the following regex: getVar ?\(( ?[^,()]*), True\)
(From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since commit set default libexecdir to $prefix/libexec
...
commit f35b2e29d9
Author: Ross Burton <ross.burton@intel.com>
Date: Tue Apr 30 20:35:54 2013 +0100
bitbake: set default libexecdir to $prefix/libexec
...
It caused '${D}${libdir}' does not exist, and the following
move operation incorrect which triggered QA Issue:
...
ERROR: git-2.7.0-r0 do_package: QA Issue: git: Files/directories were installed but not shipped in any package:
/usr/lib64
/usr/lib64/site_perl
/usr/lib64/site_perl/5.22.1
...
(From OE-Core rev: 2b82a475a7c8310f432b872e9d1e5eca262a03ee)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With the autodebug package generation logic, specifically setting FILES_${PN}-dbg
isn't needed in most cases, we can remove them.
(From OE-Core rev: 3ab59d49dd7c18e194b58d1248b4b87709b5a738)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Trying to use git w/o tab completion is especially annoying if
you are used to using it elsewhere -- "whatchanged" is simply
too annoying to type out in full more than once.
(From OE-Core rev: 3c5285237dece0af594e74926e6f4f02ca81f715)
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These could be created from scratch from git itself, but it
requires asciidoc, xsltproc, python bits and too much other
baggage. Since the git folks issue a tarball with the manpages
for each release, it is simpler to just go get that.
(From OE-Core rev: 9aba4bf2143c228d58aac06764f87ace5dd21d02)
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixed when MACHINE = qemux86-64 and libdir = /usr/lib64:
mv: cannot stat `/path/to/image/usr/lib64/perl-native/perl': No such file or directory
The perl-native files are always installed to /usr/lib on both 32/64
bits targets.
(From OE-Core rev: fad6d25e548cb82c2106eb30ccdc0b8f3408de0a)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Git perl tools such as add--interactive load the Git module at runtime.
A previous patch to eliminate a QA error by deleting it instead of
packaging it was incorrect.
beaglebone[62]$ git add -i
Can't locate Git.pm in @INC (you may need to install the Git module) (@INC contains: /usr/lib/perl/5.20.0 /prj/pab/Utils/lib/perl5/linux-arm/5.020000 /prj/pab/Utils/lib/perl5/ /prj/pab/Utils/lib/perl5/site_perl/linux-arm /prj/pab/Utils/lib/perl5/site_perl /etc/perl /usr/lib/perl/site_perl/5.20.0/ /usr/lib/perl/site_perl/5.20.0 /usr/lib/perl/vendor_perl/5.20.0/ /usr/lib/perl/vendor_perl/5.20.0 /usr/lib/perl/5.20.0/ /usr/local/lib/site_perl .) at /usr/lib/git/git-core/git-add--interactive line 7.
BEGIN failed--compilation aborted at /usr/lib/git/git-core/git-add--interactive line 7.
[YOCTO#3780]
(From OE-Core rev: 804f8e650f433d00907ec04282c22aaff2e5c044)
Signed-off-by: Peter A. Bigot <pab@pabigot.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Hardcoded paths to perl don't make sense, use from the environment instead.
[Patch taken from meta-mentor by RP]
(From OE-Core rev: 8072f26f7304ff5367d5be357037644cb1f6241e)
Signed-off-by: Christopher Larson <kergoth@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It seems that there are multiple problems with the upstream RUNTIME_PREFIX
mechanism at this time. It doesn't canonicalize argv[0] to an absolute path,
breaking calls via the PATH, for example. In addition, it doesn't seem to
locate template_dir via the runtime prefix even when specified as relative.
Revert this for now to the previous wrapper-based mechanism, but tweaked
slightly to avoid hardcoding the sysroot path into the wrapper (based on the
bits in the rpm recipe).
[YOCTO #6211]
[Pulled from meta-mentor by RP]
(From OE-Core rev: 85ce11e7b5402cc443adb8007c0e5d01f914fa74)
Signed-off-by: Christopher Larson <kergoth@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We need to pass CFLAGS and LDFLAGS to the makefile correctly so we
need to list them as part of EXTRA_OEMAKE.
We also have a problem where git hardlinks binaries in bindir with
those in its libexecdir. If we change the RPATH in one of them, it
breaks the other. We therefore set the no cross dir hardlinking flag
git already has for this kind of issue. This ensures the RPATHS for
the git-core binaries work correctly. It's pure luck this has
sometimes worked so far.
(From OE-Core rev: 64c6ae6a69215b659b82c67e238bc0fbc09a3eab)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
References to "perl-native" were slipping into the target packages. These
changes ensure those references are cleaned up and that tools using perl
are packaged in the correct perltools package. The same issues affected
the nativesdk-git output so are also applied there.
[YOCTO #5918]
(From OE-Core rev: fd4a6b0cd275931e552cd23233c178e9ec54bdbb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch goes through the OE-Core recipes and marks those which use autotools
but don't support a separate build directory (${S} != ${B}). A new class,
autotools-brokensep is used for this purpose.
This doesn't introduce any change in behaviour in its own right.
(From OE-Core rev: 006b8a7808a58713af16c326dc37d07765334b12)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Upgrade to 1.8.5.2
* Remove the SRC_URI from the git.inc since we use the one in
git_1.8.5.2.bb
(From OE-Core rev: 89e721830f2b2840d62e613c4bc89eca1fffd03a)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A lot of our recipes had short one-line DESCRIPTION values and no
SUMMARY value set. In this case it's much better to just set SUMMARY
since DESCRIPTION is defaulted from SUMMARY anyway and then the SUMMARY
is at least useful. I also took the opportunity to fix up a lot of the
new SUMMARY values, making them concisely explain the function of the
recipe / package where possible.
(From OE-Core rev: b8feee3cf21f70ba4ec3b822d2f596d4fc02a292)
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We need to be able to generate a standalone tarball containing tar/git so
add nativesdk versions of the appropriate recipes to allow this to be possible.
Tweak the git perl paths to avoid warnings when building the nativesdk version,
ensure the binaries are wrapped correctly and avoid update-alternatives in
nativesdk-tar.
(From OE-Core rev: c91bb8c76e3bd45690e66f3de79cd3adfe45f600)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
${libdir} is not applicable for the install path of perl-native files,
files are always installed to /usr/lib no matter the target is 32/64
bits. After installing, remove unpackaged and unneeded perl-native
files to prevent warnings.
Fix warning:
WARNING: For recipe git, the following files/directories were \
installed but not shipped in any package:
...
WARNING: /usr/lib/perl-native/perl/5.14.2/Git.pm
WARNING: /usr/lib/perl-native/perl/5.14.2/perllocal.pod
WARNING: /usr/lib/perl-native/perl/5.14.2/Error.pm
WARNING: /usr/lib/perl-native/perl/5.14.2/auto
[YOCTO#3780]
(From OE-Core rev: cc6b8261fa47a049e501882e9bfc40f61e603b6f)
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The overrides virtclass-native and virtclass-nativesdk are deprecated,
which should be replaced by class-native and class-nativesdk.
[YOCTO #3297]
(From OE-Core rev: bb67ddeb2eed3e25c626a279ef53a7e8c7bfe6f2)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Git requires python by default as an included script to link git
to perforce is written in Python. Define NO_PYTHON to stop the
script being included and thus remove the dependency on Python.
(From OE-Core rev: 602538e1c8403e8b188109ce94a906a1d9090d7e)
Signed-off-by: Jack Mitchell <jack.mitchell@dbbroadcast.co.uk>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We require git version 1.7.5 or later for the git remote --mirror=xxx syntax.
If we have an older version of git, this patch ensures we build git-replacement-native.
We add an alternative PROVIDES in the same way as tar-native to allow this script
to trigger the build whilst still allowing git-native in ASSUME_PROVIDED.
(From OE-Core rev: 269f3b3cfacaf229d5e45177ee01b16561370ee3)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>