There's a fairly constant flow of CVEs being fixed in Vim, which are
getting increasingly non-trivial to backport.
Instead of trying to backport (and potentially introduce more bugs), or
just ignoring them entirely, upgrade vim to the latest patch in the hope
that vim 8.3 will be released before we release Kirkstone.
(From OE-Core rev: 7b8b096000759357aa251a58a756e770a54590ad)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 78a4796de27d710f97c336d288d797557a58694e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Don't set an empty default value and then immediately assign to it.
(From OE-Core rev: ad373242381feec72d0c257031da7671281c0321)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d7565241437487618a57d8f3f21da6fed69f6b8a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Prepare to cherry-pick CVE fixes from master
This reverts commit 9db3b4ac4018bcaedb995bc77a9e675c2bca468f.
(From OE-Core rev: 519f30e697f14d6a3864a22ec2e12544a9d3a107)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Make the license more accurate by specifying the specific variant of BSD
license instead of the generic one. This helps with SPDX license
attribution as "BSD" is not a valid SPDX license.
(From OE-Core rev: 9e8b2bc55792932e23d3b053b393b7ff88bffd6b)
(From OE-Core rev: 8f374ea044d5c3d2ea81917b3480149ca036674c)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Nisha Parrakat <nisha.m.parrakat@bmw.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Version 10.34 tarball is no longer available at current URL,
use downloads.yoctoproject.org mirror instead
(From OE-Core rev: b24838b8173c6853cdcbff6512a12557e479df86)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Use After Free in vim/vim
Upstream-Status: Backport [e031fe90cf]
CVE: CVE-2021-4069
(From OE-Core rev: 9db3b4ac4018bcaedb995bc77a9e675c2bca468f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This change fixes patches for two issues reported in a research
paper [1]: a side channel attack (*) and a cross-configuration
attack (**).
In this commit we add a fix for (*) that wasn't marked as a CVE
initially upstream. A fix of (**) previously available in OE
backports is in fact fixing CVE-2021-40528, not CVE-2021-33560
as marked in the commit message.
We commit the actual fix for CVE-2021-33560 and rename the
existing fix with the correct CVE-2021-40528.
For details of the mismatch and the timeline see [2] (fix of the
documentation) and [3] (the related ticket upstream).
[1] https://eprint.iacr.org/2021/923.pdf
[2] https://dev.gnupg.org/rCb118681ebc4c9ea4b9da79b0f9541405a64f4c13
[3] https://dev.gnupg.org/T5328#149606
(From OE-Core rev: 0ce5c68933b52d2cfe9eea967d24d57ac82250c3)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Khem Raj]
The default for gcc is to use -fno-common; this ensures that it keeps
building with gcc -fno-common
Fixes
src/arm/Ginit.c:60: multiple definition of `_U_dyn_info_list'; mi/.libs/dyn-info-list.o:/usr/src/debug/libunwind/1.4.0-r0/build/src/../../libunwind-1.4.0/src/mi/dyn-info-list.c:28: first defined here
[Philippe Coval]
Change and related patch ported to dunfell branch on 1.3.1 version
(From OE-Core rev: 0c12a3a3008ec1202dff3b4986029dd1a4e8f9a7)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Origin: 6cd2cf6525
Signed-off-by: Philippe Coval <philippe.coval@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport a fix for -3972, and whitelist -3968: it isn't valid as it
fixes a bug which was introduced after 8.2.
(From OE-Core rev: ba1ae7dcd2eeb57a6e288449a26a6121c6ccac5c)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bec5caadfb53638748d8c41ce7230c2bf7808d27)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This reverts commit 53ce5f292fd8d65fd89c977364ea6f7d813c7566.
Reverting in preparation for fixes from master
(From OE-Core rev: bf489893714d1c2d2e4694a5a1e313b661c9fdc4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This update was made with the convert-scruri.py script in scripts/contrib
This script handles two emerging issues:
1. There is uncertainty about the default branch name in git going forward.
To try and cover the different possible outcomes, add branch names to all
git:// and gitsm:// SRC_URI entries.
2. GitHub are dropping support for git:// protocol fetching, so remap GitHub
URLs as needed. For more details see:
https://github.blog/2021-09-01-improving-git-protocol-security-github/
(From OE-Core rev: 827a805349f9732b2a5fa9184dc7922af36de327)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
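
The two rewrites described in the commit message above, as an added example (not the OE-Core conversion script itself). The function names and the sample value are constructed for illustration, and "master" as the pinned branch is an assumption; `branch=`, `nobranch=` and `protocol=` are bitbake git fetcher parameters.

```python
# Assumption: "master" is the branch to pin when an entry names none.
DEFAULT_BRANCH = "master"

def convert_entry(entry, default_branch=DEFAULT_BRANCH):
    """Rewrite one SRC_URI entry; non-git fetchers pass through unchanged."""
    scheme, sep, rest = entry.partition("://")
    if not sep or scheme not in ("git", "gitsm"):
        return entry
    url, *params = rest.split(";")
    opts = {}  # insertion-ordered, so existing parameters keep their position
    for p in filter(None, params):
        key, eq, value = p.partition("=")
        opts[key] = value if eq else None
    # Issue 2: GitHub no longer serves the unauthenticated git protocol,
    # so switch the transport to https (an explicit ssh/https is kept).
    host = url.split("/", 1)[0].rsplit("@", 1)[-1].lower()
    if host == "github.com" and opts.get("protocol", "git") == "git":
        opts["protocol"] = "https"
    # Issue 1: never rely on the remote's default branch name.
    if "branch" not in opts and "nobranch" not in opts:
        opts["branch"] = default_branch
    tail = [k if v is None else f"{k}={v}" for k, v in opts.items()]
    return scheme + "://" + ";".join([url] + tail)

def convert_src_uri(value):
    """Convert every whitespace-separated entry of a SRC_URI value."""
    return " ".join(convert_entry(e) for e in value.split())

# Constructed sample value, not taken from any real recipe.
SAMPLE = (
    "git://github.com/example/project.git;protocol=git "
    "file://fix.patch "
    "gitsm://git.example.org/lib.git;branch=main "
    "git://git.example.org/tool.git;nobranch=1"
)

if __name__ == "__main__":
    for before, after in zip(SAMPLE.split(), convert_src_uri(SAMPLE).split()):
        print(f"{before}\n  -> {after}")
```
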
vim is vulnerable to Use After Free
Problem: Checking first character of url twice.
reference:
35a9a00afc
(From OE-Core rev: 53ce5f292fd8d65fd89c977364ea6f7d813c7566)
Signed-off-by: Minjae Kim <flowergom@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Set a path to where sendmail would exist making the output deterministic
as it no longer depends on the build host and the presence of sendmail
there.
(From OE-Core rev: a8ec8c9eaed898c3cc719efd87a2f4296c6304a6)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 32e03a430f13960fe07f08c04eaa58017d977f6c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Based on d22d87b9c4ac85ffb3506e2acaf2a8a627f55e8e, but kept idn2
as default.
(From OE-Core rev: c912cd493f02458d22c78791fc3175f613b8108e)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
rngd needs to start after `systemd-udev-settle` in order for the kernel
modules of the random source hardware to be loaded before it is started.
However, since the `rngd.service` does not require or want
`systemd-udev-settle.service` it might not be scheduled for start and
the `After=systemd-udev-settle.service` there has no effect.
Adding `Wants=systemd-udev-settle.service` provides a weak requirement
to it, so that the `rngd` is started after it, if possible.
(From OE-Core rev: 006b5221ed6dac9964f49a03a55de2e847118dc1)
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e9715d4234eb7b45dee8b323799014646f0a1b07)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
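
The ordering-versus-requirement gap described in the rngd commit message above, as an added example (not code from OE-Core or rng-tools). It flags `After=` targets that the same unit never pulls in; both unit texts are constructed samples, and the check is per-file, so a target that some other unit already pulls in is still reported.

```python
PULL_IN = ("Wants", "Requires", "Requisite", "BindsTo")

def unit_deps(text):
    """Collect the directives of the [Unit] section as {name: set(values)}."""
    deps, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, eq, value = line.partition("=")
        if section != "Unit" or not eq:
            continue
        key = key.strip()
        if value.strip():
            deps.setdefault(key, set()).update(value.split())
        else:
            deps[key] = set()  # an empty assignment resets the list
    return deps

def ordering_only(text):
    """Return After= targets that no Wants=/Requires=-style directive pulls in."""
    deps = unit_deps(text)
    pulled = set().union(*(deps.get(k, set()) for k in PULL_IN))
    return sorted(deps.get("After", set()) - pulled)

# Constructed unit text standing in for rngd.service before the change.
BEFORE = """[Unit]
Description=Hardware RNG Entropy Gatherer Daemon
After=systemd-udev-settle.service

[Service]
ExecStart=/usr/sbin/rngd -f
"""

# The same constructed unit with the weak requirement the commit adds.
AFTER = BEFORE.replace(
    "After=systemd-udev-settle.service",
    "After=systemd-udev-settle.service\nWants=systemd-udev-settle.service",
)

if __name__ == "__main__":
    print("before:", ordering_only(BEFORE))
    print("after: ", ordering_only(AFTER))
```
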
vim is vulnerable to Heap-based Buffer Overflow
reference:
65b6056659
(From OE-Core rev: 0fb9be3925f258a7e8009c581c1cf93ace2a498b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl v7.79.0 contained fixes for three CVEs:
The description of CVE-2021-22945[1] contains:
> This flaw was introduced in commit 2522903b79 but since MQTT support
> was marked 'experimental' then and not enabled in the build by default
> until curl 7.73.0 (October 14, 2020) we count that as the first flawed
> version.
which I believe means that curl v7.69.1 is not vulnerable.
curl v7.69.1 is vulnerable to both CVE-2021-22946[2] and CVE-22947[3].
These patches are from Ubuntu 20.04's curl 7.68.0 package. The patches
applied without conflicts, but I used devtool to regenerate them to
avoid fuzz warnings.
[1] https://curl.se/docs/CVE-2021-22945.html
[2] https://curl.se/docs/CVE-2021-22946.html
[3] https://curl.se/docs/CVE-2021-22947.html
(From OE-Core rev: b9b343704afc28a6182f699ef17943afacd482a8)
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: https://dist.apache.org
MR: 112793
Type: Security Fix
Disposition: Backport from https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch
ChangeID: c8247210204ffcc7d1425e3d60f077ad3dd54ebc
Description:
An out-of-bounds array read in the apr_time_exp*() functions was fixed in the
Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue
was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed
compared to 1.6.3 and is vulnerable to the same issue.
(From OE-Core rev: 315262830bfe2bc8b2a9259541bb3a0bc83a2cdd)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Some distributions with UTF-8 locale have problems when National Language
Support is enabled. Add an option to disable it.
(From OE-Core rev: 9224b01eaa46986b1c363a541e88f20387d8c30b)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit da630d6d81a396c3e1635fbd7b8103df47ed2732)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
lzo was missing CVE_PRODUCT and related CVEs (at least CVE-2014-4607) were
not reported.
(From OE-Core rev: 69e33b9eee6ae97208e766fd96353dfcb8c20bd5)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 366cf8201e36df1ac836e49de04ccda1f763ca9e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: poky.org
MR: 105607
Type: Security Fix
Disposition: Backport from http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-support/gnupg?h=hardknott&id=0c06506d42f9e1f43a54a178cda47cfea3f12f81
ChangeID: 4341d0331368d6cd51d635d2c70555b3dce61792
Description:
This addresses CVE-2020-25125 and provides some other minor
updates and translations.
Updated commits for reference:
e234d04c3 Werner Koch Release 2.2.23
aeb8272ca Werner Koch gpg: Fix AEAD preference list overflow
038314665 Werner Koch po: auto update
1a4b0fd79 Yuri Chornoivan po: Update Ukrainian translation
93d10403a Jakub Bogusz po: Update Polish translation
a8a8105bc Werner Koch po: Add key-check.c to the list of translatable sources.
cad9955ac Petr Pisar po: Update Czech translation.
896c528ba Werner Koch gpg: Fix segv importing certain keys.
0a9665187 NIIBE Yutaka scd: Fix a regression for OpenPGP card.
bcae9cd4e Nagy Ferenc László po: Minor update to the Hungarian translation.
d2fe2ffd7 Werner Koch sm: Fix a bug in the rfc2253 parser
f799b3ddb Werner Koch Post release updates
(From OE-Core rev: 965683336816eba7cb0548e59faf224f74b306b1)
(From OE-Core rev: 4079feb6dc2876cc7f2d0a5582be98e01188c2d7)
Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0c06506d42)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update CVE_PRODUCT to also include 'berkeley_db'. For example,
CVE-2020-2981 uses 'berkeley_db'.
(From OE-Core rev: 753e6510df01fb4d71f46639bef06e1361f87170)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adjusting the tolerance to a more reasonable time
given the load on the AB and given the high amount (100) of
events some of the tests like `common_timeout` generates.
[YOCTO #14163]
(From OE-Core rev: 3c59989b7a09f412704f90480c3726a0cb7df746)
Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 38b36d2b90d570149e63816e68f457aea28a5092)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Reversal of global setting in previous commit necessitates
a local fix, otherwise, this happens:
File "/home/pokybuild/yocto-worker/reproducible-debian/build/build-st-52142/tmp/work/x86_64-linux/diffoscope-native/172-r0/recipe-sysroot-native/usr/lib/python3.9/ctypes/__init__.py", line 392, in __getitem__
func = self._FuncPtr((name_or_ordinal, self))
AttributeError: nativepython3: undefined symbol: archive_errno
(From OE-Core rev: 0f4531275c1e332de81b31b89e52f588fc34b14a)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 87884d9938829d5ae5d250f483c749e00cd83322)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This only affects glibc systems and has been
found on runqemu core-image-minimal with gstreamer ptest-runner
STOP: ptest-runner
libgcc_s.so.1 must be installed for pthread_cancel to work
Aborted
(From OE-Core rev: b7435fae07c7f6859e951d4796486b4cc65d44bc)
Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1cb679e6a4528a2cef16f65342d5e65adb14cb16)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>