The html/template package does not apply the proper rules for handling
occurrences of "<script", "<!--", and "</script" within JS literals in
<script> contexts. This may cause the template parser to improperly
consider script contexts to be terminated early, causing actions to be
improperly escaped. This could be leveraged to perform an XSS attack.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39319
(From OE-Core rev: afdc322ecff4cfd8478c89a03f7fce748a132b48)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add in stable updates to glibc 2.38 to fix malloc bugs
(From OE-Core rev: 26309ba6ef5b776d6bc45b984261b91e6c8c5a94)
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 39f987fcb20ad7c0e45425b9f508d463c50ce0c1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Buffer Overflow vulnerability in function bitwriter_grow_ in flac before
1.4.0 allows remote attackers to run arbitrary code via crafted input to
the encoder.
(From OE-Core rev: 29c6287287c9f26c1d6f9fddf8d2852409bbbbec)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Xmlsoft Libxml2 v2.11.0 was discovered to contain a global buffer overflow via
the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability
allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML
file.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39615
(From OE-Core rev: 9a2ad95caffae37014fa27d9b20d45f9779d0fbf)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2022-40896:
A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments
through 2.15.0 via SmithyLexer.
The CVE issue is fixed by 3 different commits between the releases 2.14.0
(for Smithy lexer), 2.15.0 (for SQL+Jinja lexers) and 2.15.1 (for Java
properties) as per: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/
1. Smithy lexer commit from 2.14.0 release applies successfully on 2.11.2 version.
Commit: dd52102c38
Hence, backported the patch as CVE-2022-40896.patch.
2. SQL+Jinja lexers commit from 2.15.0 release doesn't apply on 2.11.2 version.
Commit: 97eb3d5ec7
Actually, this code doesn't exist in 2.11.2 version and it has been introduce by
python3-pygments 2.13.0 version. Hence, this is not vulnerable for 2.11.2 version.
SQL+Jinja lexers is introduced by: 0bdbd5992b
3. Java properties commit from 2.15.1 release also doesn't apply on 2.11.2 version.
Commit: fdf182a7af
Actually, this code also doesn't exist in 2.11.2 version as the code has been modified
in python3-pygments 2.14.0 by: a38cb38e93
Hence, this is also not vulnerable for 2.11.2 version.
(From OE-Core rev: ebb224e65a7e1402ccf0d9517bd72748c18e012e)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
- Update according to changes in SANITY_TESTED_DISTROS
(meta-poky/conf/distro/poky.conf)
- No longer declare as "Supported" the distributions versions
which are End of Life for their vendors, as some of them
(Ubuntu for example) ship updates to subscribers only,
which the Yocto Project has no access to.
- List distribution versions which were previously tested
for the branch of the Yocto Project being considered.
(From yocto-docs rev: 84d7f2e2a218502b4af4fc2e7de1761e489f86f4)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix an issue with early log messages being lost when running in systemd.
(From OE-Core rev: 47a1dd7f389e3cf4ac2dc5fc21dccc870aafab4a)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Depending on the host gcc version, libdnf fails to compile due to
missing cstdint inclusions. These issue have already been addressed
upstream, add the patches to resolve this for older versions of the
library.
These commits are taken directly from the libdnf project at
https://github.com/rpm-software-management/libdnf
(From OE-Core rev: e1d9bc1f88bd989bafc20063938d7a70e1da104f)
Signed-off-by: Abe Kohandel <abe.kohandel@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* LDFLAGS += "-fuse-ld=bfd" in the recipe doesn't work and
it still fails to build with ld-is-gold in DISTRO_FEATURES
removal of this line sent to master in:
https://lists.openembedded.org/g/openembedded-core/message/185167
* the most important ones are the 1st which removes --add-needed
and the last which removes src/include/workarounds.mk completely
while 2-4 patches just update src/include/workarounds.mk for the
last one to apply cleanly
* alternatively we can bump SRCREV to latest 38 as master did in:
https://git.openembedded.org/openembedded-core/commit/?id=4df808c616f847d90203582fd950a49bb8360dd0
which brings 23 commits, but instead of adding 5 more patches
allows to remove 5
(From OE-Core rev: d5c7ec0be32aa75fa7973840adf5251d22018766)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Release date: 2023-08-24
Security
gh-108310: Fixed an issue where instances of ssl.SSLSocket were
vulnerable to a bypass of the TLS handshake and included protections
(like certificate verification) and treating sent unencrypted data as if
it were post-handshake TLS encrypted data. Security issue reported as
CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.
Library
gh-107845: tarfile.data_filter() now takes the location of symlinks into
account when determining their target, so it will no longer reject some
valid tarballs with LinkOutsideDestinationError.
Tools/Demos
gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL
1.1.1v, 3.0.10, and 3.1.2.
C API
gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data:
*consumed was not set.
(From OE-Core rev: a30e51b8d13912f0d68bfffcd2d8ae6431d2b863)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A Segmentation Fault issue discovered in in ieee_segment function in outieee.c
in nasm 2.14.03 and 2.15 allows remote attackers to cause a denial of service
via crafted assembly file.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-21528
Upstream patches:
93c774d482
(From OE-Core rev: 87c4ec2d73ac2e52005e16e38a9a12affb8d51bd)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
ignore changes to FILE_RCSID part.
(From OE-Core rev: 20b5ead99d4904e70ea22f573bfefec8c6e862a2)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: a0b41511766130883e93b5b8a07801a836beeb67)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport and rebase patch to fix CVE-2023-23529.
CVE: CVE-2023-23529
(From OE-Core rev: f8bce477ad88da70c3a4196912ba72049b2aa765)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There is a stack overflow vulnerability in ash.c:6030 in busybox
vbefore 1.35. In the environment of Internet of Vehicles, this
vulnerability can be executed from command to arbitrary code execution.
(From OE-Core rev: 56b90b5f2da661bfac3f2d751fc09e918429ec87)
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is a read past end of buffer issue in the json_parse test app,
which can happened with malformed json data. It's not an issue with the
library itself. For what ever reason this CVE has a base score of 9.8.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-32292
Upstream issue:
https://github.com/json-c/json-c/issues/654
The CVE is fixed with version 0.16 (which is already in all active
branches of poky).
(From OE-Core rev: a7b93651028b55d71b8db53ea831eee7fd539f33)
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The delta between 3.1.27 & 3.1.32 contains the CVE-2022-24439 &
CVE-2023-40267 fixes and other bugfixes.
Changelog:
https://github.com/gitpython-developers/GitPython/releases/tag/3.1.32https://gitpython.readthedocs.io/en/stable/changes.html#id5
- Bump cygwin/cygwin-install-action from 3 to 4 by @dependabot in #1572
- Fix up the commit trailers functionality by @itsluketwist in #1576
- Name top-level exceptions as private variables by @Hawk777 in #1590
- fix pypi long description by @eUgEntOptIc44 in #1603
- Don't rely on del by @r-darwish in #1606
- Block insecure non-multi options in clone/clone_from by @Beuc in #1609
- Fix Sphinx rendering errors by @stephan-cr in #1524
- tests: Use command -v instead of third-party which program by @mgorny in #1525
- fix/add allow_unsafe_* params in docstrings + fix typo by @obfusk in #1530
- use tempfile.TemporaryDirectory & fix clone_from_unsafe_protocol tests by @obfusk in #1531
- Fix some resource leaks by open file handles by @marlamb in #1532
- fix files list on file rename by @teknoraver in #1537
- Declare support for Python 3.11 by @hugovk in #1541
- Fix ignored by @Lightborne in #1545
- Fix timezone parsing functions for non-hour timezones by @jcowgill in #1547
- Enable user to override default diff -M arg by @mellowed100 in #1551
- Remove optional from two member variables by @Sineaggi in #1550
- Fix RecursionError when iterating streams by @eric-wieser in #1554
- Fix get_values() so it correctly loads section names by @Codym48 in #1555
- Add datetime.datetime type to commit_date and author_date by @SergeantMenacingGarlic in #1501
- Bump cygwin/cygwin-install-action from 2 to 3 by @dependabot in #1514
- Fix command injection by @stsewd in #1518
- Document PushInfoList by @skinitimski in #1522
- Fix type hint on create_tag by @drewcassidy in #1523
- Block insecure options and protocols by default by @stsewd in #1521
- Make the git.__version__ re-appear.
(From OE-Core rev: 8ceaeff90023e51c7e874464f026b30d24035bda)
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Run generate-cve-exclusions.py to generate the ignore lists. This file
is maintained separately from the existing manual ignore entries.
(From OE-Core rev: fc506efa5c84b45b063678098131031f52bb3c16)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Instead of manually looking up new CVEs and determining what point
releases the fixes are incorporated into, add a script to generate the
CVE_CHECK_IGNORE data automatically.
First, note that this is very much an interim solution until the
cve-check class fetches data from www.linuxkernelcves.com directly.
The script should be passed the path to a local clone of the
linuxkernelcves repository[1] and the kernel version number. It will
then write to standard output the CVE_STATUS entries for every known
kernel CVE.
The script should be periodically reran as CVEs are backported and
kernels upgraded frequently.
[1] https://github.com/nluedtke/linux_kernel_cves
Note: for the backport this is not a cherry-pick of the commit in master
as the variable names are different. This incorporates the following
commits:
linux/generate-cve-exclusions: add version check warning
linux/generate-cve-exclusions.py: fix comparison
linux-yocto: add script to generate kernel CVE_STATUS entries
(From OE-Core rev: c7a71692b7ed4cc2187f4c82bf11e32e0ce32cb6)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Envoy is a cloud-native high-performance edge/middle/service
proxy. Envoy’s HTTP/2 codec may leak a header map and
bookkeeping structures upon receiving `RST_STREAM` immediately
followed by the `GOAWAY` frames from an upstream server. In
nghttp2, cleanup of pending requests due to receipt of the
`GOAWAY` frame skips de-allocation of the bookkeeping structure
and pending compressed header. The error return [code path] is
taken if connection is already marked for not sending more
requests due to `GOAWAY` frame. The clean-up code is right after
the return statement, causing memory leak. Denial of service
through memory exhaustion. This vulnerability was patched in
versions(s) 1.26.3, 1.25.8, 1.24.9, 1.23.11.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-35945https://github.com/envoyproxy/envoy/security/advisories/GHSA-jfxv-29pc-x22r
(From OE-Core rev: 0e6eb0f417079eaf76b003973c9d93338e6363b5)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The commit [9bd4ddeb4b] backports fix for CVE-2023-2861 for version 6.2.0.
The 'qemu_fstat' in `do_create_others' is not defined which leads to the undefined symbol error on certain architectures.
Also, the commit message says "(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)". So either the wrapper has to be dropped or it has to be defined.
Hence, backported the main patch rather than the cherry picked one.
(From OE-Core rev: 983d19dfdad361f8b3275b404f1ac0b9befc9f6c)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Extremely large RSA keys in certificate chains can cause a
client/server to expend significant CPU time verifying
signatures. With fix, the size of RSA keys transmitted
during handshakes is restricted to <= 8192 bits. Based on
a survey of publicly trusted RSA keys, there are currently
only three certificates in circulation with keys larger than
this, and all three appear to be test certificates that are
not actively deployed. It is possible there are larger keys
in use in private PKIs, but we target the web PKI, so causing
breakage here in the interests of increasing the default
safety of users of crypto/tls seems reasonable.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-29409
(From OE-Core rev: 51c2fee0e4bb4b3131c61d91510394cd4b4f9eb9)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This resolves two issues:
1. metapackages were depending on themselves (except -binaries which wouldn't match against 'glibc-binary').
2. for the nativesdk variant, due to a non-empty dependency list at parsing time caused by
issue 1, map_depends_variable() from meta/lib/oe/classextend.py was forcibly setting PACKAGES
to the initial parse-time value (e.g. missing the dynamically created packages). This meant that
three out of four nativesdk- metapackages were entireyly missing the dependencies on the
respective dynamic package sets.
(From OE-Core rev: ea920e3c8075f3a1b79039341f8c889f6197a07f)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a90fd3afe9184aa1870b34a826e3ba0563477d4b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
It looks like there were further cases where orphaned processes may be left
behind since the .kill() calls may be unsuccessful if the process terminated
due to the terminate or through normal exit. In that situation .wait()
wouldn't have been called.
Further tweak the exit code paths to ensure .wait() is called to update the
returncode value before returning in all cases.
(From OE-Core rev: e1e038ab01a599fcdd4aa6211b6d15cd01a5e2e3)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0a0a1731e38edfa72a141e8fd8f2de52be562e94)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As spotted by Joshua Watt, the returncode isn't set until .poll() or .wait()
is called so we need to call this after the .kill() call.
This fixes return code reporting so that timeouts for example now return an
exit code when they didn't before.
(From OE-Core rev: c70b05ea667e7bd280470b0b6ca10efb0f648e0f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3924e94214b5135369be2551d54fb92097d35e95)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
On our slower arm server, the tests currently timeout leading to inconsistent test
results. Increase the timeout to avoid this and aim to make the test results
consistent.
(From OE-Core rev: b161af52b9454e07435dc9737b0a2522295f3e4d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9a8b49208f3c99e184eab426360b137bc773aa31)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We have a suspicion that the read() call may return EAGAIN on the non-blocking
fd and this may truncate test output leading to some of our intermittent failures.
Tweak the code to avoid this potential issue.
(From OE-Core rev: 4c02f7407d7afaefe1bc72aea25087b3f2271ac2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a8920c105725431e989cceb616bd04eaa52127ec)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This provides a more reliable test execution when running tests that
write a large buffer/file and significantly reduces the localedata test
failures.
(From OE-Core rev: 8d0c669d3d04cf5bc645978afb22ba6c3f3d53e6)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 97a7612e3959bc9c75116a4e696f47cc31aea75d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Allows setting up NFS over TCP as well.
(From OE-Core rev: 2727a0cb8d026e0c47aedd91f7c02e24b056f37b)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e1ff9b9a3b7f7924aea67d2024581bea2e916036)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Some of the tests trigger OOM and fail. Increase the amount of memory
available so we dont run into these issues.
(From OE-Core rev: 060030ac9d00bf22ae3a2695d7ea060f0f69dfa8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4d22dba482cb19ffcff5abee73f24526ea9d1c2a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Dont fill up the test log with ssh warning about having added the host
to list of known hosts.
Also helps fix a test case failure where stderr log was being compared
to a known value.
(From OE-Core rev: 265ba5138bb5859b9f5915f99a818a45df88a279)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 63b31ff7e54a171c4c02fca2e6b07aec64a410af)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
07revert-inplace test logs contain the following:
func.sh: line 335: /sbin/blockdev: No such file or directory
Add the missing util-linux-blockdev dependency.
(From OE-Core rev: 7190ea3b70a9b36ecf48f948e792ac2ce6eca1e3)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit a15cd04f528d137d428a572f15d1ec5ebbbd81f0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Due to an oversight in the do_symlink_kernsrc function, the path
comparison between "S" and "STAGING_KERNEL_DIR" is broken. The code
obtains both variables, but modifies the local copy of "S" before
comparing them, causing the comparison to always return false.
This can cause the build to fail when the EXTERNALSRC flag is enabled,
since the code will try to create a symlink even if one already exists.
This patch resolves the issue by comparing the variables before they are
modified.
(From OE-Core rev: cf2267f80ec44b24c627347df7efbd492a07dcfa)
Signed-off-by: Staffan Rydén <staffan.ryden@axis.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit afd2038ef8a66a5e6433be31a14e1eb0d9f9a1d3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Rather than copying the entire /etc hierarchy, specify the pieces we
actually need.
(From OE-Core rev: 007a57ce36a06f9a78675563020f24e1afa3caa1)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit f0fea55ab02b013484282177a636795a254e7986)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When copying the package database files for the debugfs, add individual
file copy as well as tree copying. After the debug rootfs has been
created, cleanup the package files.
This then allows us to avoid a problem where (for rpm at least)
extraneous files in the debug rootfs would cause failures during
oe-selftest because some files existed in both regular and debugfs
images.
(From OE-Core rev: 96c79c54f282497eb1521b1d5da648ae83fcfe8b)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit ce49ea435ce55eb5b6da442c12e03a806534c38d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix the override so we actually pass the correct value to glibc.
(From OE-Core rev: 60ca407ce3113d8b507aaa0876b28902aab7ed5b)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 38fd2120f0f48512091ddad6205ce19839eaf589)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add check_PROGRAMS as a dependency of buildtest-TESTS target.
This is required because according to the official automake
documentation [1]:
* TESTS: contains all the tests files
* check_PROGRAMS: contains the programs used by the tests
* check_PROGRAMS is not automatically added to TESTS
So, by using only TESTS as a dependency for buildtest-TESTS we may end
up having runtime errors because of missing program required by the
tests.
[1]: https://www.gnu.org/software/automake/manual/html_node/Scripts_002dbased-Testsuites.html
(From OE-Core rev: 5859a4143a1495198af323cedf06248c9b363060)
Signed-off-by: Julien Stephan <jstephan@baylibre.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ee3e2af4f8ed95b4fd0f7cec52ae4e169401b719)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
