| Commit message (Collapse) | Author | Age | Files | Lines |
| |
In the cve-check text mode output, we didn't write fragment
files if there are no CVEs (if CVE_CHECK_REPORT_PATCHED is 1),
or no unpatched CVEs otherwise.
However, in a system after multiple builds,
cve_check_write_rootfs_manifest might find older files and use
them as current, which leads to incorrect reporting.
Fix it by always writing a fragment file, even if empty.
(From OE-Core rev: 4c10ee956f21ea2f805403704ac3c54b7f1be78c)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f1b7877acd0f6e3626faa57d9f89809cfcdfd0f1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Move the function to a library, it could be useful in other places.
(From OE-Core rev: c8a0e7ecee15985f7eed10ce9c86c48a77c5b7c5)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit debd37abcdde8788761ebdb4a05bc61f7394cbb8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Fix typo to properly whitelist CVE-2021-22945.
(From OE-Core rev: 7b2a1d908d3b63da5e9f072b61dd3c5fa91c7b8f)
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Backport patches to address CVE-2022-27774, CVE-2022-27781, and
CVE-2022-27782.
(From OE-Core rev: f8cdafc0ef54ab203164366ad96288fd10144b30)
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
We have libxml2 2.9.10 and we don't link statically against libxml2 anyway
so the CVE doesn't apply to libxslt.
(From OE-Core rev: c6315d8a2a1429a0fb7563b1d6352ceee7bc222c)
(From OE-Core rev: 9c736c9dcf5f18b8db082a0903be0acb3fbb51c2)
Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ad63694e6df4f284879f7220962a821f97928eb0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
CVE: CVE-2021-30560
(From OE-Core rev: 3e01aa47b85ebeba26443fc3293c341b5ef72817)
Signed-off-by: omkar patil <omkar.patil@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Source: https://github.com/PCRE2Project/pcre2
MR: 118031
Type: Security Fix
Disposition: Backport from https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0
ChangeID: 8fbc562b3e6b6a3674f435f6527a62afc67ef933
Description:
CVE-2022-1587 pcre2: Out-of-bounds read in get_recurse_data_length in pcre2_jit_compile.c.
(From OE-Core rev: 46323b9e0f44f58f6aae242ebf5a0101d8c36654)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Source: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git
MR: 117430
Type: Security Fix
Disposition: Backport from https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=ab51d587bb9b229b1fade1afd02e1574c1ba5c76
ChangeID: e6db00c6e8375a2e869fd2e4ead61ca9149eb8fa
Description:
CVE-2022-1304 e2fsprogs: out-of-bounds read/write via crafted filesystem.
(From OE-Core rev: b4f9ba859ed1fe5e1d42258fee1dd2e8e85e7eba)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
We are getting an additional ptest failure after fixing the expired certificates.
Backport a patch from upstream to fix this.
(From OE-Core rev: 3af161acc13189cb68549f898f3964d83d00ce56)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
ptests in openssl have started failing as test certificates have
expired. Backport a fix for this from upstream, replacing the test
certificates to allow the ptests to pass again.
(From OE-Core rev: 40858a05989d45b0c772fdec837d3dc95d4df59d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Version 1.1.1 requires additional changes
This reverts commit 4051d1a3aa5f70da96c381f9dea5f52cd9306939.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
ptests in openssl have started failing as one of the test certificates has
expired. Backport a fix for this from upstream, replacing the test
certificate to allow the ptests to pass again.
(From OE-Core rev: 4051d1a3aa5f70da96c381f9dea5f52cd9306939)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f26f0b34f12bbca2beed153da402a3594d127374)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From meta-yocto rev: 215cfdaeb88bbfdb995d0a09685271d586558af6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From yocto-docs rev: 8dd19c901813263554ac2bc6bda2cf9a1c3c1e58)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
When running CVE checks in CI we're usually not interested in warnings on the
console for any CVEs present. Add a configuration option CVE_CHECK_SHOW_WARNINGS
to allow this to be disabled (it is left enabled by default).
(From OE-Core rev: d009233f36fb866f6bdaa12fb6deedf5e253e9c9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1054d3366ba528f2ad52585cf951e508958c5c68)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 8fd6a9f521ea6b1e10c80fe33968943db30991ba)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Before this the rootfs manifest and the summary were identical.
We should separate the summary and rootfs manifest more clearly,
now the summary is for all CVEs and the rootfs manifest is only for
things in that image. This is even more useful if you build multiple
images.
(From OE-Core rev: 2bacd7cc67b2f624885ce9c9c9e48950b359387d)
Signed-off-by: Ernst Sjöstrand <ernstp@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3b8cc6fc45f0ea5677729ee2b1819bdc7a441ab1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 65498411d73e8008d5550c2d0a1148f990717587)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: 8a178a728f2318c55d5ecaef0ef9e0fd8ebc333b)
Signed-off-by: Ernst Sjöstrand <ernstp@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5046d54df2c3057be2afa4143a2833183fca0d67)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
As a product, the sdk should do cve check as well as rootfs.
(From OE-Core rev: df09cd71b4cd3f830fced9ce91aa202c1609bfc5)
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit cc17753935c5f9e08aaa6c5886f059303147c07b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Address CVE-2022-1621, CVE-2022-1629, CVE-2022-1674, CVE-2022-1733, CVE-2022-1735
CVE-2022-1769, CVE-2022-1771, CVE-2022-1785, CVE-2022-1796
(From OE-Core rev: cd259a00503af360524f58c9cea51aa142dee250)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fafce97bd440150ac5c586b53b887ee70a5b66bd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Add patch for CVE issue: CVE-2022-29824
CVE-2022-29824
Link: [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a2408e09f13652049e5ffb0d26196b02ebab]
Dependent patch: [https://gitlab.gnome.org/GNOME/libxml2/-/commit/b07251215ef48c70c6e56f7351406c47cfca4d5b]
(From OE-Core rev: 096ca5fa8cc4672e5e9b25dffe81b176b252d570)
Signed-off-by: Riyaz <Riyaz.Khan@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
ncurses 6.3 before patch 20220416 has an out-of-bounds read and
segmentation violation in convert_strings in tinfo/read_entry.c in the
terminfo library.
Backported from the link below, extracting only the relevant changes.
https://github.com/ThomasDickey/ncurses-snapshots/commit/9d1d651878d4bf0695872a64cc65ba0acb825f36
(From OE-Core rev: 2287d591cf32f5580ea6679805d04c3a5146ecd5)
Signed-off-by: Gustavo Lima Chaves <gustavo.chaves@microsoft.com>
Signed-off-by: Dan Tran <dantran@microsoft.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Add patch to fix CVE-2022-1475
(From OE-Core rev: 2a97ba89f236b751b333622fbbc14180e9b72245)
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Add patch to fix CVE-2021-33657 issue for libsdl2
Link: https://security-tracker.debian.org/tracker/CVE-2021-33657
(From OE-Core rev: 1cc84e4c51c9afaa5dcb5011e6511496e00d2c8a)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
As per below debian link, CVE-2021-28966 affects Windows only
Link: https://security-tracker.debian.org/tracker/CVE-2021-28966
(From OE-Core rev: df6242b72b0477fb61c7dc18ad52a1f147ec7d07)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Upgrade ruby to 2.7.6
Link: https://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/
This includes CVE-2022-28739 security fix
(From OE-Core rev: 4514b1b8cacb92b1790b636b111c071190b2e4b2)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Add a test to verify that the JSON reports are generated correctly for
both single recipe builds and image builds.
More tests are needed, but this is better than nothing.
(From OE-Core rev: add860e1a69f848097bbc511137a62d5746e5019)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit df0f35555b09c4bc75470eb45ec9c74e6587d460)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From OE-Core rev: 9d5b4fdc7ce0458577af5a16b6d7277e3d812e36)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f14c8094e7a049ac1b04c45b76855d0503559932)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Source: https://github.com/PCRE2Project/pcre2
MR: 118027
Type: Security Fix
Disposition: Backport from https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a
ChangeID: e9b448d96a7e58b34b2c4069757a6f3ca0917713
Description:
CVE-2022-1586: pcre2: Out-of-bounds read in compile_xclass_matchingpath in pcre2_jit_compile.c.
(From OE-Core rev: 7f4daf88b71f486ddc7140500d2b44181a99222f)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
The addition of summary output caused two issues: error when building
an image and the fact that JSON output was generated even when
CVE_CHECK_FORMAT_JSON.
When generating an image it caused an error like:
ERROR: core-image-minimal-1.0-r0 do_rootfs: Error executing a python function in exec_func_python() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
0001:
*** 0002:cve_check_write_rootfs_manifest(d)
0003:
File: '/home/alexk/poky/meta/classes/cve-check.bbclass', lineno: 213, function: cve_check_write_rootfs_manifest
0209:
0210: link_path = os.path.join(deploy_dir, "%s.json" % link_name)
0211: manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
0212: bb.note("Generating JSON CVE manifest")
*** 0213: generate_json_report(json_summary_name, json_summary_link_name)
0214: bb.plain("Image CVE JSON report stored in: %s" % link_path)
0215:}
0216:
0217:ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
Exception: NameError: name 'json_summary_name' is not defined
The fix is to pass the d variable to the pure python function generate_json_report
to get correct values of variables and add conditions for the JSON
output where needed.
In addition clarify the message presenting the summary JSON file,
which isn't related to an image.
Uses partial fixes from Alex Kiernan, Ernst Sjöstrand (ernstp),
and Davide Gardenal.
Fixes: f2987891d315 ("cve-check: add JSON format to summary output")
(From OE-Core rev: 665f981fccbb09d51349c4bd4cfe4ca91001e3bd)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9015dec93233c7d45fd0c9885ff5d4ec23ad377d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
(From yocto-docs rev: 447be1d6b8f770171799c2275edb65cbdc0fee2d)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reported-by: Quentin Schulz <foss@0leil.net>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
This test will fail any time the host has libdrm > 2.4.107
(From OE-Core rev: 48ce924dc82aa959fb897ec36873db7dc3813b71)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
License-Update: additional files
(From OE-Core rev: 1ec7c6f0f048482ae902fd15beab5cdfc7b50c7b)
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 85b1fef733683be09a1efdb2d8b8ffe543053ace)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
If a setup is using RPM for packaging and there are multiple
recipes that install to ${nonarch_base_libdir}/firmware by using
install -d ${nonarch_base_libdir}/firmware, it will create installation
clashes on image install, as linux-firmware before this patch
used mkdir -p, which creates different file mode bits (depending
on the current user's settings).
In a particular example
linux-firmware created /lib/firmware with 0600
while other-firmware-package created it with 0644
making the combination not installable by rpm backend
(From OE-Core rev: c89bc0fc7f8afdf8ff0e93c3ebd7538987170a0c)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 98bf3f427702687bf81ed759e7cde5d6d15e77eb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
This security upgrade fixes CVE-2022-1292 as per below link
Link: https://www.openssl.org/news/cl111.txt
(From OE-Core rev: de0cafc01804a8d43b4b97e22fdc9a6b0adb8a48)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Use CVE_CHECK_WHITELIST as CVE_CHECK_IGNORE is not valid on dunfell
branch
(From OE-Core rev: 970743af349e21a399da6241587b849b14933bc5)
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Apply below patches to fix the CVEs for freetype:
CVE-2022-27404.patch
Link: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch
CVE-2022-27405.patch
Link: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5.patch
CVE-2022-27406.patch
Link: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2.patch
(From OE-Core rev: 51a92860bdbab28a2b487be3b054f103a54b86ac)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Add patches to fix below CVE issues
CVE-2022-0865
CVE-2022-0907
CVE-2022-0908
CVE-2022-0909
CVE-2022-0924
(From OE-Core rev: 7c71434832caf6a15f8fb884d028a8c1bf4090a9)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Fix below listed CVEs:
CVE-2022-22576
Link: https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425.patch
CVE-2022-27775
Link: https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705.patch
CVE-2022-27776
Link: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258.patch
(From OE-Core rev: bbbd258a1c56d75ccb7e07ddc3bc1beb11d48a3a)
Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Includes fixes for CVE-2022-1381, CVE-2022-1420.
(From OE-Core rev: c7d43000ce137e1f9302b4b6cec149adb1435f47)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 77d745bd49c979de987c75fd7a3af116e99db82b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
This is horrible but I'm running out of better ideas. We hit circular reference
issues which we were trying to avoid in the core HOSTTOOLS code. When building
the eSDK, there can be two copies of the script.
Therefore assume git will never be in a directory called scripts. This
fixes eSDK build failures.
(From OE-Core rev: 0f6ae13d76129d96f788b7ede312cfc361ee2bda)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 27de610ac30d4c81352efc794df7e9b1060f7a68)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
The previous minimally invasive git intercept simply isn't enough. For example,
meson used in the igt-gpu-tools recipe hardcodes the path to git in the configure
step so at install time, changing PATH has no effect.
There are lots of interesting things we could do to try and avoid problems but
making the git intercept and dropping fakeroot privs for git global is probably
the least worst solution at this point. It will add slight overhead to git calls
but we don't make many so the overall impact is likely minimal.
(From OE-Core rev: ce6e606ba8b975a33df2f3dc6104abed9cfa7a36)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit af27c81eaf68ee681dcd9456a74cca6a9ab40bf6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
We'd like to intercept git calls but we don't want circular references
and HOSTTOOLS currently sets them up. Tweak to avoid them.
(From OE-Core rev: 1567b7cec5ccbe198bfd0cca9ee8a2b1cf6dbf42)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 52c37e133fa55846aca2248ffcf3a10648dbb8d7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
When creating the manifest and the testdata.json links, if the link
name is equal to the output name the link is not created, otherwise
it is. This prevents a link-to-self in the first case.
(From OE-Core rev: e3672b5ccd6e0f130b1657017802db130a859d20)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bed63756c56f296ff3d5a7eef66e978bd19f1008)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
The systemd-unit parameter DefaultDependencies changed from true/false
to yes/no. This changed in systemd in v242.
(From OE-Core rev: 00db62342e67b916213c3b54db23c8090621462f)
Signed-off-by: Portia Stephens <stephensportia@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit add4dcb03dc7b034253db05f0023cb97cab8b26d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 9da23a2b912edd043037a8e2e1047f7f3ba6886a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
An if statement now checks if the link and output path are
the same, if they are then the link is not created,
otherwise it is.
(From OE-Core rev: 62965ca8ca7077c12d75dac37efe204d7159cddd)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 2f024c0236c4806f0e59e4ce51a42f6b80fdf1b3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Create generate_json_report including all the code used to generate the JSON
manifest file.
Add to cve_save_summary_handler the ability to create the summary in JSON format.
(From OE-Core rev: d8ef964ffeb92684d01d71c983af9dbb1e1b0c4f)
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit f2987891d315466b7ef180ecce81d15320ce8487)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Add a new variable CVE_DB_UPDATE_INTERVAL allowing the user to set
the database update interval.
- a positive value sets an interval (in seconds)
- a zero ("0") forces the database update
(From OE-Core rev: ce79a724dc0f9baac480cbadc05894ffcaf48eb7)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fe7bc6f16184d5ebdb1dd914b6dcb75c9e5e0c9c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
The update of the NVD database was expected to happen once per hour.
However, the database file date changes only if the content was actually
updated. In practice, the check worked for the first hour after the
new download.
As the NVD database changes usually only once a day, we can just
update it less frequently.
(From OE-Core rev: d0a56ad3a278e18e766f833619cf97869bdf6a4c)
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 35bccdedadeaba820d58b69fe74ce5e4c1f577e3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 88f2fb1581a17b2cf59a694ca9afb89e38ed40b5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
The only part of the cve-check task which needs files is the patch
examination, and typically these patches are local so fetch isn't needed.
(From OE-Core rev: 72e5204bc7272414cc7bcfba18f52a177242ed79)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c9b3186d3b7c18cbea239ab9b06e85b7c243b54)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 3dc8edd6611e7ad4abcece44ca4701eda7aeff94)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| |
Updating to the latest korg -stable release that comprises
the following commits:
1d72b776f6dc Linux 5.4.192
aa2a047b5842 mm, hugetlb: allow for "high" userspace addresses
6a79b2433eb1 hugetlbfs: get unmapped area below TASK_UNMAPPED_BASE for hugetlbfs
b69e60f6fc00 tty: n_gsm: fix incorrect UA handling
0f4be29febdc tty: n_gsm: fix wrong command frame length field encoding
21cc640385b4 tty: n_gsm: fix wrong command retry handling
49c40febd45c tty: n_gsm: fix missing explicit ldisc flush
85522dcf0053 tty: n_gsm: fix insufficient txframe size
563bb0f794ca netfilter: nft_socket: only do sk lookups when indev is available
fae209521000 tty: n_gsm: fix malformed counter for out of frame data
cec2d0782a7b tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2
a6d9847a4f82 x86/cpu: Load microcode during restore_processor_state()
9e9d12b81df6 net: ethernet: stmmac: fix write to sgmii_adapter_base
10ba1ac9a22a drivers: net: hippi: Fix deadlock in rr_close()
a8275219759e cifs: destage any unwritten data to the server before calling copychunk_write
5335370366a3 x86: __memcpy_flushcache: fix wrong alignment if size > 2^32
0ecc5304e80a ip6_gre: Avoid updating tunnel->tun_hlen in __gre6_xmit()
781571034993 ASoC: wm8731: Disable the regulator when probing fails
a71df406a6a5 tcp: fix F-RTO may not work correctly when receiving DSACK
a4ed61e30e32 ixgbe: ensure IPsec VF<->PF compatibility
406aaef0feae bnx2x: fix napi API usage sequence
c3e7ea58608a tls: Skip tls_append_frag on zero copy size
cd5cec3a0c8f drm/amd/display: Fix memory leak in dcn21_clock_source_create
ffce11a39102 net: dsa: lantiq_gswip: Don't set GSWIP_MII_CFG_RMII_CLK
3a179538bfd7 net: bcmgenet: hide status block before TX timestamping
8ef6d60aa2f1 clk: sunxi: sun9i-mmc: check return value after calling platform_get_resource()
194f474ad9b4 bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create()
e80054ea0cde tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT
685ff7d24487 ip_gre: Make o_seqno start from 0 in native mode
69555bb27b2e net/smc: sync err code when tcp connection was refused
daca23846eb3 net: hns3: add validity check for message data length
7763a7956632 cpufreq: fix memory leak in sun50i_cpufreq_nvmem_probe
f5bb5940d754 pinctrl: pistachio: fix use of irq_of_parse_and_map()
d22fc603694b arm64: dts: imx8mn-ddr4-evk: Describe the 32.768 kHz PMIC clock
68f5200a1f60 ARM: dts: imx6ull-colibri: fix vqmmc regulator
c45180375afd sctp: check asoc strreset_chunk in sctp_generate_reconf_event
2cba635570d8 tcp: ensure to use the most recently sent skb when filling the rate sample
3ea6190be92f tcp: md5: incorrect tcp_header_len for incoming connections
2b9a13d98dfc bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook
2e7f70d324ef mtd: rawnand: Fix return value check of wait_for_completion_timeout
2a36ba067b36 ipvs: correctly print the memory size of ip_vs_conn_tab
abe86a10dc5c ARM: dts: logicpd-som-lv: Fix wrong pinmuxing on OMAP35
54212850e38f ARM: dts: am3517-evm: Fix misc pinmuxing
bba67fe6b022 ARM: dts: Fix mmc order for omap3-gta04
416e0f890732 phy: ti: Add missing pm_runtime_disable() in serdes_am654_probe
6ff7c1b827c8 phy: mapphone-mdm6600: Fix PM error handling in phy_mdm6600_probe
59bdaed5dd73 ARM: dts: at91: Map MCLK for wm8731 on at91sam9g20ek
dbce8fc16a08 phy: ti: omap-usb2: Fix error handling in omap_usb2_enable_clocks
b7fc45354be6 ARM: OMAP2+: Fix refcount leak in omap_gic_of_init
dd99939b70c4 phy: samsung: exynos5250-sata: fix missing device put in probe error paths
6331b77fdc17 phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe
fccbc3168e5e ARM: dts: imx6qdl-apalis: Fix sgtl5000 detection issue
b8f0c19d4864 USB: Fix xhci event ring dequeue pointer ERDP update issue
1f47c2625773 mtd: rawnand: fix ecc parameters for mt7622
0405bd7f1888 arm64: dts: meson: remove CPU opps below 1GHz for SM1 boards
5f80b5c5f406 arm64: dts: meson: remove CPU opps below 1GHz for G12B boards
f6db63819db6 video: fbdev: udlfb: properly check endpoint type
c00f3892f4f0 hex2bin: fix access beyond string end
15b78a8e38e8 hex2bin: make the function hex_to_bin constant-time
73f4668ee875 arch_topology: Do not set llc_sibling if llc_id is invalid
a3cdd33ca163 serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device
89a5728b053c serial: 8250: Also set sticky MCR bits in console restoration
42f749f2232a serial: imx: fix overrun interrupts in DMA mode
d29c197df7fa usb: dwc3: gadget: Return proper request status
0f3d081315c5 usb: dwc3: core: Fix tx/rx threshold settings
e2ec7b1f6a06 usb: gadget: configfs: clear deactivation flag in configfs_composite_unbind()
debb276670b0 usb: gadget: uvc: Fix crash when encoding data for usb request
324e67c3b2fc usb: typec: ucsi: Fix role swapping
0366beb40239 usb: misc: fix improper handling of refcount in uss720_probe()
2c97a2b5ef84 iio: magnetometer: ak8975: Fix the error handling in ak8975_power_on()
e82c726c94ec iio: dac: ad5446: Fix read_raw not returning set value
1aea30f87c65 iio: dac: ad5592r: Fix the missing return value.
1e8716a5c087 xhci: increase usb U3 -> U0 link resume timeout from 100ms to 500ms
b8d3a4681f28 xhci: stop polling roothubs after shutdown
c8fbc2f875b6 USB: serial: option: add Telit 0x1057, 0x1058, 0x1075 compositions
68088dec9b3c USB: serial: option: add support for Cinterion MV32-WA/MV32-WB
56cbdb9d958a USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader
6b10dd966c12 USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS
890fc65448ea USB: quirks: add STRING quirk for VCOM device
c4b31d41f5f2 USB: quirks: add a Realtek card reader
5666334ce3bf usb: mtu3: fix USB 3.0 dual-role-switch from device to host
b2589647008f lightnvm: disable the subsystem
c9af90f0c6b8 hamradio: remove needs_free_netdev to avoid UAF
7361a35bf330 hamradio: defer 6pack kfree after unregister_netdev
7dea5913000c floppy: disable FDRAWCMD by default
4426e6017f73 Linux 5.4.191
3c946909a3ed Revert "net: micrel: fix KS8851_MLL Kconfig"
c028b81d062e block/compat_ioctl: fix range check in BLKGETSIZE
27da8d16e4f0 staging: ion: Prevent incorrect reference counting behavour
cb158b152ea6 spi: atmel-quadspi: Fix the buswidth adjustment between spi-mem and controller
1b6ad2421084 jbd2: fix a potential race while discarding reserved buffers after an abort
0b1ba14ab263 ext4: force overhead calculation if the s_overhead_cluster makes no sense
425301ef608a ext4: fix overhead calculation to account for the reserved gdt blocks
ea9c206111ea ext4, doc: fix incorrect h_reserved size
259dc49deaa2 ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
faadbf7ac4f2 ext4: fix use-after-free in ext4_search_dir
0309665eb244 ext4: fix symlink file size not match to file content
ddfe3babc546 arm_pmu: Validate single/group leader events
852b02d1f808 ARC: entry: fix syscall_trace_exit argument
016ba7cbed57 e1000e: Fix possible overflow in LTR decoding
1217cf141b24 ASoC: soc-dapm: fix two incorrect uses of list iterator
aa7070556087 openvswitch: fix OOB access in reserve_sfa_size()
d24e0d9d691b xtensa: fix a7 clobbering in coprocessor context load/store
4c26a96d0c29 xtensa: patch_text: Fixup last cpu should be master
8d6937c1e093 powerpc/perf: Fix power9 event alternatives
0dafb826ed70 drm/vc4: Use pm_runtime_resume_and_get to fix pm_runtime_get_sync() usage
013231f75fce KVM: PPC: Fix TCE handling for VFIO
9cf05812cb10 drm/panel/raspberrypi-touchscreen: Initialise the bridge in prepare
4f08e85ca0fc drm/panel/raspberrypi-touchscreen: Avoid NULL deref if not initialised
23f0ba5585a5 dma: at_xdmac: fix a missing check on list iterator
a22f3c99268c ata: pata_marvell: Check the 'bmdma_addr' beforing reading
0441d3e95bca oom_kill.c: futex: delay the OOM reaper to allow time for proper futex cleanup
530d32ac52f7 EDAC/synopsys: Read the error count from the correct register
91367af460da stat: fix inconsistency between struct stat and struct compat_stat
837e319ebe62 scsi: qedi: Fix failed disconnect handling
4b813ce289ed net: macb: Restart tx only if queue pointer is lagging
a1419bee4dde drm/msm/mdp5: check the return of kzalloc()
80b188da30aa dpaa_eth: Fix missing of_node_put in dpaa_get_ts_info()
46f9fa0a6632 brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant
12a753edd963 mt76: Fix undefined behavior due to shift overflowing the constant
7c48a6e62ddb cifs: Check the IOCB_DIRECT flag, not O_DIRECT
435142fbdcc0 vxlan: fix error return code in vxlan_fdb_append
99c2d9a52f37 ALSA: usb-audio: Fix undefined behavior due to shift overflowing the constant
3e28d157e5f2 platform/x86: samsung-laptop: Fix an unsigned comparison which can never be negative
54be94d33660 reset: tegra-bpmp: Restore Handle errors in BPMP response
0cb2c00dd1ab ARM: vexpress/spc: Avoid negative array index when !SMP
3a5ad1b8db9f selftests: mlxsw: vxlan_flooding: Prevent flooding of unwanted packets
d37295129efa netlink: reset network and mac headers in netlink_dump()
4c4f2a019ff9 l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
8c5ca6492a86 net/sched: cls_u32: fix possible leak in u32_init_knode()
f883def54654 net/packet: fix packet_sock xmit return value checking
e1bc684c81f1 net/smc: Fix sock leak when release after smc_shutdown()
f10e5c9f226c rxrpc: Restore removed timer deletion
9a9c48159365 igc: Fix BUG: scheduling while atomic
f9d5d17d234f igc: Fix infinite loop in release_swfw_sync
6d6271dbbbe5 dmaengine: mediatek:Fix PM usage reference leak of mtk_uart_apdma_alloc_chan_resources
65c36555bd7d dmaengine: imx-sdma: Fix error checking in sdma_event_remap
ccf554d148eb ASoC: msm8916-wcd-digital: Check failure for devm_snd_soc_register_component
6a20bf46c625 ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek
6a54979c7830 ALSA: usb-audio: Clear MIDI port active flag after draining
9c99aacfb4c6 tcp: Fix potential use-after-free due to double kfree()
5a4f3eba211a net/sched: cls_u32: fix netns refcount changes in u32_change()
b01b700e0c5a tcp: fix race condition when creating child sockets from syncookies
ebb3b84596bd gfs2: assign rgrp glock before compute_bitstructs
660784e7194a can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error path
2da11442a1e3 tracing: Dump stacktrace trigger to the corresponding instance
bad7ed55756f mm: page_alloc: fix building error on -Werror=array-compare
ac94e87675b2 etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead
(From OE-Core rev: 9784b5a0629cd223865a21a9b72641116d332cf0)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|