Older seccomp-based filters used in container frameworks will block faccessat2
calls as it's a relatively new syscall. This isn't a big problem with
glibc <2.33 but 2.33 will call faccessat2 itself, get EPERM, and thenn be confused
about what to do as EPERM isn't an expected error code.
(From OE-Core rev: 4d6ad6d611834c2648d6bf9791cb8140967e2529)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The current recipe unconditionally RDEPENDS on nodejs (the target one).
When building on the "-native recipe" of "BBCLASSEXTEND native" recipe,
the target nodejs is unnecessarily built.
This patch fixes this by only RDEPENDS on nodejs when building for the target.
(From OE-Core rev: 92a9a86df9e3bcffb13d2f8b5dcbe7822170f734)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adding -O can be troublesome in some packages where it may override the
O<n> specified by CFLAGS, this can be due to configure processing of
CFLAGS and munging them into new values in Makefiles, which is
contructed from CC and CFLAGS passed by bitbake environment. Problem
arises if the sequence is altered, which seems to be the case in some
packages e.g. ncurses, where the value from CC variable is added last
and thus overrides -O<n> coming from CFLAGS,
Therefore grok the value from SELECTED_OPTIMIZATION and append the
appropriate -O<level> flag to lcl_maybe_fortify so the level does not
change inaderdantly.
Since we do not use -O0 anymore there is no point of checking for
DEBUG_BUILD since it uses -Og now which works fine with
-D_FORTIFY_SOURCE=2, so check for optlevel O0 instead
(From OE-Core rev: 9571a18f7d15b3bffafc2e277ab90a21d6763697)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Bug fix only and includes two security fixes:
CVE-2021-26675
CVE-2021-26676
Changelog:
- Fix issue with scanning state synchronization and iwd.
- Fix issue with invalid key with 4-way handshake offloading.
- Fix issue with DNS proxy length checks to prevent buffer overflow.
- Fix issue with DHCP leaking stack data via uninitialized variable.
[Yocto #14231]
(From OE-Core rev: eb20fd47d738f469f7bbeb4b8d85040f9163722b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Pull in:
ports/rename/renameat: Avoid race when renaming files
ports/unix: Add faccessat and faccessat2
ports/access.c: Use EACCES, not EPERM
which includes a fix for rename race issues causing pseudo aborts.
(From OE-Core rev: 330c232e4f756296331f9026e91ac26fd45f0315)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Tinfoil doesn't behave well if environment is not initialized, this check ensures a proper error log if environment is not initialized.
[YOCTO #12096]
(From OE-Core rev: e88073e16f1b4cfd0f97c81a988640a84adad674)
Signed-off-by: Dorinda Bassey <dorindabassey@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Support added to configure mpg123 for FPU-less targets. Building for
fixed-point arithmetic increases performance on such devices.
(From OE-Core rev: 55a65571d19407befd3c2d152680573d7318c279)
Signed-off-by: Robert Rosengren <robert.rosengren@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The original patch contained some text which shouldn't have been there
and used brackets in configure which isn't a great idea. Tweak the patch
to resolve this.
(From OE-Core rev: 63cbf187fe189c99645fe3afee8a6361a9a32cdc)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-Move-python-helper-scripts-used-only-in-tests-to-Pyt.patch
0001-libparted-fs-add-sourcedir-lib-to-include-paths.patch
0002-tests-use-skip_-rather-than-skip_test_-which-is-unde.patch
removed since they are included in 3.4
Add python3-core to RDEPENDS_parted-ptest
since /usr/lib/parted/ptest/tests/msdos-overlap contained in package parted-ptest requires /usr/bin/python3
(From OE-Core rev: c7d7e5f8177cdebd580ca7ff8f4412596567aff1)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Bitbake changed the debug() logging call to make it compatible with
standard python logging by no longer including a debug level as the
first argument. Fix up the few places this was being used.
Tweaked version of a patch from Joshua Watt.
(From OE-Core rev: 5aecb6df67b876aa12eec54998f209d084579599)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The bitbake logger overrode the definition of the debug() logging call
to include a debug level, but this causes problems with code that may
be using standard python logging, since the extra argument is
interpreted differently.
Instead, change the bitbake loggers debug() call to match the python
logger call and add a debug2() and debug3() API to replace calls that
were logging to a different debug level.
[RP: Small fix to ensure bb.debug calls bbdebug()]
(Bitbake rev: f68682a79d83e6399eb403f30a1f113516575f51)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When adding a layer, parse error can occur, raising BBHandledException.
Catch this and error, aborting the layer add to meet user expectations.
[YOCTO #14054]
(Bitbake rev: ceddb5b3d229b83c172656053cd29aeb521fcce0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
From tinfoil, if you edit bblayers.conf and break it, then call
parseConfiguration (e.g. by adding a bad layer with bitbake-layers),
the system doens't show any parse error yet it should.
Add in a call to the updateCache function so that things really
are reparsed when requested.
Partially fixes [YOCTO #14054]
(Bitbake rev: e655f9361b9c3b77906b8e06b5cc76bc5180640e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If shell function name starts with 'python' or 'fakeroot' parser wrongly
assumes it's python/fakeroot function.
[YOCTO #14204]
Use regex lookahead assertions to check if 'python' expression is
followed by whitespace or '(' and if 'fakeroot' is followed by
whitespace.
(Bitbake rev: b07b226d5d1b3acd3f76d8365bc8002293365999)
Signed-off-by: Tomasz Dziendzielski <tomasz.dziendzielski@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The get-outhash message can be sent via the get_outhash client method.
This works in a similar way to the get message but looks up a db entry
by outhash rather than by taskhash. It is intended to be used as a
read-only form of the report message.
As both handle_get_outhash and handle_report use the same query string
we can factor this out.
(Bitbake rev: dc19606ada29a4d8afde4fcecd8ec986b47b867e)
Signed-off-by: Paul Barker <pbarker@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Use the new get-outhash message to perform a read-only query against an
upstream server (if present) when a reported taskhash/outhash
combination is not found in the current database. If a matching entry is
found upstream it is copied into the current database so it can be found
by future queries.
(Bitbake rev: 2be4f7f0d2ccb09917398289e8140e1467e84bb2)
Signed-off-by: Paul Barker <pbarker@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Short form arguments are added for convenience.
(Bitbake rev: 921199a4923ce383b27e23c9b7e34eb785c8bae3)
Signed-off-by: Paul Barker <pbarker@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The hashserv server already implements support for pulling hash data
from another "upstream" server. Add the -u/--upstream argument to the
bitbake-hashserv app to expose this functionality to users.
(Bitbake rev: 8de510f1de35e581bcd5858edf23619c6a4cf923)
Signed-off-by: Paul Barker <pbarker@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The -r/--readonly argument is added to the bitbake-hashserv app. If this
argument is given then clients may only perform read operations against
the server. The read-only mode is implemented by simply not installing
handlers for write operations, this keeps the permission model simple
and reduces the risk of accidentally allowing write operations.
As a sqlite database can be safely opened by multiple processes in
parallel, it's possible to start two hashserv instances against a single
database if you wish to export both a read-only port and a read-write
port.
(Bitbake rev: 492bb02eb0e071c792407ac3113f92492da1a9cc)
Signed-off-by: Paul Barker <pbarker@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
files in wic tmp directory can be usefull for debugging, so do not remove
tmp directory when wic create run with debugging mode (-D or --debug).
also update wic.Wic.test_debug_short and wic.Wic.test_debug_long to
check for tmp directory.
[YOCTO#14216]
(From OE-Core rev: a122e2418b67d38f691edcf8dd846c167d6b4fa9)
Signed-off-by: Lee Chee Yang <Chee.Yang.Lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Currently the install script copy only few hard coded item while
setting up target ESP, kernel artifacts, all .efi in EFI/BOOT,
grub & boot cfg and loader.conf.
While ESP can be much complex, eg: contain multiple initrd.
Add a ESP folder to carry any other files to setup onto ESP.
(From OE-Core rev: 6eaca9cf20c42501fba27dea3a6446bad948e859)
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There are times when exluding or including a layer
may be desired. This provide the framwork for that via
two variables. The default is all layers in bblayers.
CVE_CHECK_LAYER_INCLUDELIST
CVE_CHECK_LAYER_EXCLUDELIST
(From OE-Core rev: 5fdde65ef58b4c1048839e4f9462b34bab36fc22)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Lets include whcih layer a package belongs to and
add it to the cve logs
(From OE-Core rev: 00d965bb42dc427749a4c3985af56ceffff80457)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
20.9 - 2021-01-29
~~~~~~~~~~~~~~~~~
* Run [isort](https://pypi.org/project/isort/) over the code base (:issue:`377`)
* Add support for the ``macosx_10_*_universal2`` platform tags (:issue:`379`)
* Introduce ``packaging.utils.parse_wheel_filename()`` and ``parse_sdist_filename()``
(:issue:`387` and :issue:`389`)
(From OE-Core rev: 6199c71030d527c57a1cb8496a377afb503d7670)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add 0001-meson-Also-search-for-rst2man.py.patch to fix bug of program rst2man cannot be found.
Add dependency python3-docutils-native to manpages.
(From OE-Core rev: 600b75cef2807ccb3f89f24c77d02cd6e0a99e1f)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
rename directory of patches
-License-Update: Copyright year updated to 2021.
(From OE-Core rev: 316f9602c633fdf52009b4567ccf598d1c716acd)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop musl fix as upstream fixed the issue.
(From OE-Core rev: 9ac95af964876752e7dae819f5b678ae4b510064)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop 0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch
as files removed upstream.
License-Update: formatting
Drop autoconf270.patch, as no longer needed with 3.0.0
(I verified against master-next which has the new autoconf).
(From OE-Core rev: 8fbf04053845aac24e0c0f1395051b60294e02a3)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
include "missing_stdlib.h" is needed for strndupa()
(From OE-Core rev: 87c9ed35fce8c9358d8a5dda20ece0a46cbff325)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
compiler can only use fortify options when some level of optimization is
on, otherwise it ends up sending some warnings.
warning: _FORTIFY_SOURCE requires compiling with optimization (-O) [-W#warnings]
this is usually OK, since -O<level> would be added via CFLAGS to
compiler cmdline in normal compile stages, however during configure
there are problems when CC,CPP,CXX are probed alone in configure tests
which results in above warning, which confuses the configure results and
autotools 2.70+ detects it as error e.g.
configure:17292: error: C preprocessor "riscv32-yoe-linux-clang -target riscv32-yoe-linux -mlittle-endian -mno-relax -Qunused-arguments -fstack-protector-strong -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Werror=format-security --sysroot=/mnt/b/yoe/master/build/tmp/work/riscv32-yoe-linux/ndpi/3.4-r0/recipe-sysroot -E" fails sanity check
See `config.log' for more details
therefore adding a -O ( which actually is -O1 ) to lcl_maybe_fortify
means we can properly test these configure tests and real -O<level> will
still override -O added here, so overrall behavior improves
(From OE-Core rev: b6113dd68caa46d56cf3c8293119f2b9d8b137fd)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
