summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
Commit message (Collapse)AuthorAgeFilesLines
...
* golang: fix CVE-2022-24291Ralph Siemsen2022-12-072-0/+199
| | | | | | | | | | Upstream-Status: Backport [https://github.com/golang/go/commit/2b65cde5868d8245ef8a0b8eba1e361440252d3b] CVE: CVE-2022-24921 (From OE-Core rev: a2d3d80a7df5b8f57105ef2b680e9e01a9da6486) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: fix CVE-2021-44716Ralph Siemsen2022-12-072-0/+94
| | | | | | | | | | Upstream-Status: Backport [https://github.com/golang/go/commit/d0aebe3e74fe14799f97ddd3f01129697c6a290a] CVE: CVE-2021-44716 (From OE-Core rev: c5ec3e8701a1b81d8e5b17d2521530345892a09b) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: fix CVE-2021-33198Ralph Siemsen2022-12-072-0/+114
| | | | | | | | | | Upstream-Status: Backport [https://github.com/golang/go/commit/df9ce19db6df32d94eae8760927bdfbc595433c3] CVE: CVE-2021-33198 (From OE-Core rev: 078260dd63e205d3a433b03357f2332f44daa397) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: fix CVE-2021-33195Ralph Siemsen2022-12-072-0/+374
| | | | | | | | | | Upstream-Status: Backport [https://github.com/golang/go/commit/31d60cda1f58b7558fc5725d2b9e4531655d980e] CVE: CVE-2021-33195 (From OE-Core rev: f1051e11fd0eb5b0e9924a0acdcb078ddc8f9772) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: Fix CVE-2022-45061Omkar2022-12-072-0/+101
| | | | | | | | | | | | | Fix CVE-2022-45061, referenced as https://github.com/python/cpython/issues/98433 patch taken from https://github.com/python/cpython/pull/99231/commits/064ec20bf7a181ba5fa961aaa12973812aa6ca5d (From OE-Core rev: 4498ca9a299bd5d9a7173ec67daf17cb66b6d286) Signed-off-by: Omkar <omkarpatil10.93@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* binutils: stable 2.34 branch updatesSundeep KOKKONDA2022-11-203-45/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Below commits on binutils-2.34 stable branch are updated. c4e78c0868a PR27755, powerpc-ld infinite loop 33973d228c9 gas, arm: PR26858 Fix availability of single precision vmul/vmla in arm mode 0c8652fe288 x86: Update GNU property tests 5c1bd3f52c6 x86: Properly merge -z ibt and -z shstk 93b9bf1651a PowerPC TPREL_HA/LO optimisation 58950a3bfd4 Date update e3b314d3a61 aarch64: set sh_entsize of .plt to 0 26b6ab7a0e4 S/390: z13: Accept vector alignment hints 7324292cd94 gas: Fix checking for backwards .org with negative offset 463ec189fe9 Prevent a potential use-after-fee memory corruption bug in the linker (for PE format files). ef2826c0fdb Fix the ARM assembler to generate a Realtime profile for armv8-r. 8524bb5bd28 Re: Fix tight loop on recursively-defined symbols 5768460022b Fix tight loop on recursively-defined symbols a72427b1ae0 gas: PR 25863: Fix scalar vmul inside it block when assembling for MVE 9f57ab49b32 BFD: Exclude sections with no content from compress check. aaf3f0599a2 Arm: Fix LSB of GOT for Thumb2 only PLT. 97f92b3e90a Arm: Fix thumb2 PLT branch offsets. 3053d7a163c include: Sync plugin-api.h with GCC f7aec2b8e09 PR25745, powerpc64-ld overflows string buffer in --stats mode 1b2bf0f65c1 include: Sync plugin-api.h with GCC 5e8619b9597 include: Sync lto-symtab.h and plugin-api.h with GCC 23820109ced plugin: Don't invoke LTO-wrapper 64f5c0afcc4 plugin: Use LDPT_ADD_SYMBOLS_V2 to get symbol type aaa1e160040 Silence warnings due to plugin API change e7c0ee5110c Include: Sync lto-symtab.h and plugin-api.h with GCC b6520be37fd Fix dwarf.c build with GCC 10 a560c29ca5a bfd: Change num_group to unsigned int 3ca4cd1ebde gas, arm: Fix bad backport b3174859c4b gas, arm: PR25660L Fix vadd/vsub with lt and le condition codes for MVE de9c1b7cfe6 powerpc64-ld infinite loop 0318fc4e18e Adjust PR25355 testcase 40bfb976274 Re: PR24511, nm should not mark symbols in .init_array as "t" 42b2380cdce Don't call lto-wrapper for ar and ranlib acc4a8b8ac8 PR25585, PHDR segment not covered by LOAD segment (From OE-Core rev: ad15d44b6c56ccbbe8e4c12717e7dfe3492a659a) Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: fix CVE-2021-3638 ati-vga: inconsistent check in ati_2d_blt() may lead ↵Vivek Kumbhar2022-11-202-0/+81
| | | | | | | | | | | | to out-of-bounds write Upstream-Status: Backport from https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html (From OE-Core rev: 8b5d38abdbfd3bdeb175c793b4d33f9054e89f77) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: Security Fix for CVE-2022-2879Sunil Kumar2022-11-202-0/+112
| | | | | | | | | | | | | | | | archive/tar: limit size of headers Set a 1MiB limit on special file blocks (PAX headers, GNU long names, GNU link names), to avoid reading arbitrarily large amounts of data into memory. Link: https://github.com/golang/go/commit/0a723816cd2 (From OE-Core rev: a8e2f91edfe2df5204a482c4e53fbdd08f80e878) Signed-off-by: Sunil Kumar <sukumar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2022-2880 ReverseProxy should not forward unparseable query ↵Hitendra Prajapati2022-11-092-0/+165
| | | | | | | | | | | | parameters Upstream-Status: Backport from https://github.com/golang/go/commit/9d2c73a9fd69e45876509bb3bdb2af99bf77da1e (From OE-Core rev: f977d712455411c091aeee04ea7096d9e8c5b563) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Avoid accidental librdmacm linkageRichard Purdie2022-10-271-0/+1
| | | | | | | | | | | | | Avoid accidentally linking to the rdma library from the host by adding a PACKAGECONFIG for the option. This was found on new Fedora 36 autobuilder workers. (From OE-Core rev: aa9d0c2b777c10bb6c68b0232d54cbcd1af1493f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 2a0f3cb225e4d5471155abbcd05d09bd6bf1620f) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Add PACKAGECONFIG for rbdSteve Sakoman2022-10-271-0/+1
| | | | | | | | | | Avoid accidentally linking to the rbd library from the host by adding a PACKAGECONFIG for the option. (From OE-Core rev: bb32854dbe68335d834aaa80e42d6a524ea4e1b2) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Avoid accidental libvdeplug linkageSteve Sakoman2022-10-271-0/+1
| | | | | | | | | | | | | Avoid accidentally linking to the vde library from the host by adding a PACKAGECONFIG for the option. (From OE-Core rev: cc979908beec8a40a636d00a1fdcf2769358377f) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 8839e9540528b0b46c4fb4f95e508f038bcef8b9) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: upgrade 3.8.13 -> 3.8.14Tim Orling2022-10-272-138/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Security and bug fixes. * Drop CVE-2021-28861.patch as it was merged in 3.8.14 release. Fixes: * CVE-2020-10735 https://nvd.nist.gov/vuln/detail/CVE-2020-10735 * CVE-2021-28861 https://nvd.nist.gov/vuln/detail/CVE-2021-28861 * CVE-2018-25032 https://nvd.nist.gov/vuln/detail/CVE-2018-25032 Python 3.8.14 Release Date: Sept. 6, 2022 This is a security release of Python 3.8 Note: The release you're looking at is Python 3.8.14, a security bugfix release for the legacy 3.8 series. Python 3.10 is now the latest feature release series of Python 3. Security content in this release CVE-2020-10735: converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees to avoid a potential crash of the interpreter. gh-90355: Fix ensurepip environment isolation for the subprocess running pip. gh-80254: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. (From OE-Core rev: 25fafd35a4698daa0d4abb814a91601e68223128) Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: CVE-2021-3750 hcd-ehci: DMA reentrancy issue leads to use-after-freeHitendra Prajapati2022-10-272-0/+181
| | | | | | | | | | | | | | | | Source: https://git.qemu.org/?p=qemu.git MR: 117886 Type: Security Fix Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=b9d383ab797f54ae5fa8746117770709921dc529 && https://git.qemu.org/?p=qemu.git;a=commit;h=3ab6fdc91b72e156da22848f0003ff4225690ced && https://git.qemu.org/?p=qemu.git;a=commit;h=58e74682baf4e1ad26b064d8c02e5bc99c75c5d9 ChangeID: 3af901d20ad8ff389468eda2c53b4943e3a77bb8 Description: CVE-2021-3750 QEMU: hcd-ehci: DMA reentrancy issue leads to use-after-free. (From OE-Core rev: 0f4b1db4fdc655e880ec66525eb7642978529e82) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: Add fix for CVE-2022-32190Shubham Kulkarni2022-09-305-0/+244
| | | | | | | | | | Link: https://github.com/golang/go/commit/28335508913a46e05ef0c04a18e8a1a6beb775ec (From OE-Core rev: 3362bbb1a1ce599418dc8377043f7549f9327315) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2022-27664 net/http: handle server errors after sending GOAWAYHitendra Prajapati2022-09-302-0/+69
| | | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 121912 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/5bc9106458fc07851ac324a4157132a91b1f3479 ChangeID: 0b76a92a774279d7bffc9d6fa05564dfd8371e8c Description: CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY. (From OE-Core rev: 4e2f723a4288ad4839fac2769e487612252b1d40) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* subversion: fix CVE-2021-28544Lee Chee Yang2022-09-232-0/+147
| | | | | | | | (From OE-Core rev: 7fdd4d2dc019071525349fbb153e2e80f6583217) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Add PACKAGECONFIG for brlapiRichard Purdie2022-09-231-0/+1
| | | | | | | | | (From OE-Core rev: f547c9610f8c17c3da9ca3f7a79902d2ffbfca49) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 482471a617e5f682416b7ec1a920dfaeac65f1a3) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Define libnfs PACKAGECONFIGAndrei Gherzan2022-09-231-0/+2
| | | | | | | | | | | | | | | | | | | | The upstream qemu recipe uses host's pkg-config files as a solution to detecting host's SDL. This has a side effect of using other host libraries that are later queried by the configure script. This can get into a situation when the host provides libnfs (for example) and because later this dependency is not in place anymore, qemu will fail at runtime. This change adds a PACKAGECONFIG definition for libnfs that is disabled by default, in turn disabling the pkgconfig autodetection in configure. (From OE-Core rev: 9badcf0261f6b735d65a5498bb8fbb9979d7a07f) Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 42b364a25fdbc987c85dd46b8427045033924d99) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: fix and ignore several CVEsChee Yang Lee2022-09-2312-0/+748
| | | | | | | | | | | | | | | | | | | | | | | backport fixes: CVE-2020-13754, backport patches as debian security tracker notes https://security-tracker.debian.org/tracker/CVE-2020-13754 CVE-2021-3713 CVE-2021-3748 CVE-2021-3930 CVE-2021-4206 CVE-2021-4207 CVE-2022-0216, does not include qtest in patches, the qtest code were not available in v4.2. Ignore: CVE-2020-27661, issue introduced in v5.1.0-rc0 https://security-tracker.debian.org/tracker/CVE-2020-27661 (From OE-Core rev: 16a6e8530c4820f070973a1b4d64764c20706087) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: fix and ignore several CVEsChee Yang Lee2022-09-165-0/+467
| | | | | | | | | | | | | | | | | | backport fixes: CVE-2021-27918 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 ignore: CVE-2022-29526 CVE-2022-30634 (From OE-Core rev: ddb09ccc3caebbd3cf643bb3bb3c198845050c69) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* binutils : CVE-2022-38533Florin Diaconescu2022-09-162-0/+38
| | | | | | | | | | | Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ef186fe54aa6d281a3ff8a9528417e5cc614c797] (From OE-Core rev: 2cf26e2e5a83d2b2efd01de34c11da07eeb9c8f9) Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: Fix CVE-2021-28861 for python3Khan@kpit.com2022-09-162-0/+136
| | | | | | | | | | | | | Add patch to fix CVE-2021-28861 CVE-2021-28861.patch Link: https://github.com/python/cpython/commit/4dc2cae3abd75f386374d0635d00443b897d0672 (From OE-Core rev: cbf57b25c78ea9d56863d9546b51fc2c88adb8cf) Signed-off-by: Riyaz Khan <rak3033@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2022-32189 a denial of serviceHitendra Prajapati2022-09-032-0/+114
| | | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 120634 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/703c8ab7e5ba75c95553d4e249309297abad7102 ChangeID: 3ade323dd52a6b654358f6738a0b3411ccc6d3f8 Description: CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service. (From OE-Core rev: 9b3420c9a91059eb55754078bb1e733972e94489) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: fix CVE-2022-30635 and CVE-2022-32148Hitendra Prajapati2022-09-033-0/+171
| | | | | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 120628, 120631 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/ed2f33e1a7e0d18f61bd56f7ee067331d612c27e && https://github.com/golang/go/commit/ed2f33e1a7e0d18f61bd56f7ee067331d612c27e ChangeID: fbd8d61bdc2e9cb0cdbe9879e02aed218ee93dbe Description: Fixed CVE: 1. CVE-2022-30635 2. CVE-2022-32148 (From OE-Core rev: 2c4fb77f417464d9cd40f0ebd8cc52e6e6ca689e) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: fix CVE-2022-30632 and CVE-2022-30633Hitendra Prajapati2022-09-033-0/+204
| | | | | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 120622, 120625 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/76f8b7304d1f7c25834e2a0cc9e88c55276c47df && https://github.com/golang/go/commit/2678d0c957193dceef336c969a9da74dd716a827 ChangeID: aabb29a6dd6a89842f451c95af228aaf66e58bb5 Description: Fixed CVE: 1. CVE-2022-30632 2. CVE-2022-30633 (From OE-Core rev: 9ffaae887743d77839fb758657b1dec71a9b8880) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: fix CVE-2022-30629 and CVE-2022-30631Hitendra Prajapati2022-09-033-0/+165
| | | | | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 120613, 120613 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/c15a8e2dbb5ac376a6ed890735341b812d6b965c && https://github.com/golang/go/commit/0117dee7dccbbd7803d88f65a2ce8bd686219ad3 ChangeID: 366db775dec045d7b312b8da0436af36ab322046 Description: Fixed CVE: 1. CVE-2022-30629 2. CVE-2022-30631 (From OE-Core rev: 6813a265c7c21e24636d07a6a8df16ef0cf7da50) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: CVE-2020-27821 heap buffer overflow in msix_table_mmio_writeHitendra Prajapati2022-08-222-0/+74
| | | | | | | | | | | | | | | | Source: https://git.qemu.org/?p=qemu.git; MR: 107558 Type: Security Fix Disposition: Backport from https://git.qemu.org/?p=qemu.git;a=commit;h=4bfb024bc76973d40a359476dc0291f46e435442 ChangeID: c5d25422f43edb7d8728118eb482eba09474ef2c Description: CVE-2020-27821 qemu: heap buffer overflow in msix_table_mmio_write() in hw/pci/msix.c. (From OE-Core rev: 198bd53bdc77d2b01dae19993bde79f03f4dd02c) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libmodule-build-perl: Use env utility to find perl interpreterKhem Raj2022-08-181-0/+1
| | | | | | | | | | | | | | Fixes ERROR: QA Issue: : /work/x86_64-linux/libmodule-build-perl-native/0.4231-r0/sysroot-destdir/work/x86_64-linux/libmodule-build-perl-native/0.4231-r0/recipe-sysroot-native/usr/bin/config_data maximum shebang size exceeded, the maximum size is 128. [shebang-size] (From OE-Core rev: f11ed8c8fd78b88a50f382df419afff6ccde02a0) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 54ecb2d3f2523293383103cbe590ebdd037ee483) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: CVE-2022-35414 can perform an uninitialized read on the translate_fail ↵Hitendra Prajapati2022-08-082-0/+54
| | | | | | | | | | | | | | | | | | path, leading to an io_readx or io_writex crash Source: https://github.com/qemu/qemu MR: 119832 Type: Security Fix Disposition: Backport from https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c ChangeID: 1246afd7bb950d2d5fe2e198961797c0fa14ac00 Description: CVE-2022-35414 qemu: can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. (From OE-Core rev: 7c3043df56b3090138fe56f8c06df5ca08cafd26) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: add PACKAGECONFIG for capstoneSteve Sakoman2022-07-151-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Autobuilder workers were non-deterministically enabling capstone depending on whether the worker had libcapstone installed. Add PACKAGECONFIG for capstone with default off, since qemu does not require capstone support. Qemu version in dunfell has capstone in the source tree as a submodule and has configure options to enable it using that source code or using the system libcapstone. Qemu versions in master and kirkstone have removed the capstone submodule and configure options, but added libcapstone autodetection to meson. In all cases using PACKAGECONFIG will allow a deterministic build. (From OE-Core rev: af25fff399fa623b4fd6efbca21e01ea6b4d1fd7) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 052ef1f14d1e6a5ee34f742f65e51b20b416f79f) Signed-off-by: Steve Sakoman <steve@sakoman.com Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2021-31525 net/http: panic in ReadRequest and ReadResponse when ↵Hitendra Prajapati2022-07-082-0/+39
| | | | | | | | | | | | | | | | | | reading a very large header Source: https://github.com/argoheyard/lang-net MR: 114874 Type: Security Fix Disposition: Backport from https://github.com/argoheyard/lang-net/commit/701957006ef151feb43f86aa99c8a1f474f69282 ChangeID: bd3c4f9f44dd1c45e810172087004778522d28eb Description: CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header. (From OE-Core rev: 2850ef58f2a39a5ab19b1062d1b50160fec4daa8) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2022-24675 encoding/pem: fix stack overflow in DecodeHitendra Prajapati2022-07-082-0/+272
| | | | | | | | | | | | | | | | Source: https://go-review.googlesource.com/c/go MR: 117551 Type: Security Fix Disposition: Backport from https://go-review.googlesource.com/c/go/+/399816/ ChangeID: 347f22f93e8eaecb3d39f8d6c0fe5a70c5cf7b7c Description: CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode. (From OE-Core rev: 6625e24a6143765ce2e4e08d25e3fe021bc2cdf6) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* dpkg: update to 1.19.8Chee Yang Lee2022-06-241-2/+2
| | | | | | | | | | update include fixes for CVE-2022-1664. (From OE-Core rev: 12169c1104adbfd9f5196fdbdab16536e98fd43f) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2021-44717 syscall: don't close fd 0 on ForkExec errorHitendra Prajapati2022-06-242-0/+84
| | | | | | | | | | | | | | | Source: https://github.com/golang/go MR: 114884 Type: Security Fix Disposition: Backport from https://github.com/golang/go/commit/44a3fb49 ChangeID: 7b28553d4e23828b20c3357b1cca79ee3ca18058 Description: CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error. (From OE-Core rev: b835c65845b1445e1bb547c192cb22c2db4c7e6f) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python-pip: CVE-2021-3572 Incorrect handling of unicode separators in git ↵Hitendra Prajapati2022-06-242-0/+49
| | | | | | | | | | | | | | | | | | references Source: https://github.com/pypa/pip MR: 113864 Type: Security Fix Disposition: Backport from https://github.com/pypa/pip/commit/e46bdda9711392fec0c45c1175bae6db847cb30b ChangeID: 717948e217d6219d1f03afb4d984342d7dea4636 Description: CVE-2021-3572 python-pip: Incorrect handling of unicode separators in git references. (From OE-Core rev: 841a8fb5b6351f79a4d756232a544d1a6480c562) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcc-source: Fix incorrect task dependencies from ${B}Richard Purdie2022-06-222-1/+2
| | | | | | | | | | | | | | | | | | | Some tasks may reference ${B} for gcc-source which in general would not exist. It has dependencies on HOST_SYS and TARGET_SYS which are not appropriate for a shared recipe like gcc-source. This causes problems for the archiver and multiconfigs in particlar. Set B to something else to avoid these task hash issues. Acked-by: Jose Quaresma <jose.quaresma@foundries.io> (From OE-Core rev: 14aa189c2e47a2c5a4a0099235a2605666651f74) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit beb2a76c591e985c6fc7ed473abd1bee27f955a2) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* e2fsprogs: add alternatives handling of lsattr as wellRasmus Villemoes2022-06-221-1/+4
| | | | | | | | | | | | | | | | | | | | Building busybox with CONFIG_LSATTR=y and installing that in the same filesystem as e2fsprogs breaks: ERROR: ... do_rootfs: Postinstall scriptlets of ['busybox'] have failed. If the intention is to defer them to first boot, then please place them into pkg_postinst_ontarget:${PN} (). Deferring to first boot via 'exit 1' is no longer supported. Fix that by also alternatifying lsattr just as chattr already is. (From OE-Core rev: 28090d32c88d99ea36a03f3bb723838746001e4b) Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 96703961eeb3460e9da26503d7942cc965d1e573) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* e2fsprogs: CVE-2022-1304 out-of-bounds read/write via crafted filesystemHitendra Prajapati2022-06-112-0/+43
| | | | | | | | | | | | | | | Source: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git MR: 117430 Type: Security Fix Disposition: Backport from https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=ab51d587bb9b229b1fade1afd02e1574c1ba5c76 ChangeID: e6db00c6e8375a2e869fd2e4ead61ca9149eb8fa Description: CVE-2022-1304 e2fsprogs: out-of-bounds read/write via crafted filesystem. (From OE-Core rev: b4f9ba859ed1fe5e1d42258fee1dd2e8e85e7eba) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ruby: Whitelist CVE-2021-28966 as this affects Windows OS onlyRanjitsinh Rathod2022-06-041-0/+4
| | | | | | | | | | | | As per below debian link, CVE-2021-28966 affects Windows only Link: https://security-tracker.debian.org/tracker/CVE-2021-28966 (From OE-Core rev: df6242b72b0477fb61c7dc18ad52a1f147ec7d07) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ruby: Upgrade ruby to 2.7.6 for security fixRanjitsinh Rathod2022-06-041-2/+2
| | | | | | | | | | | | | Upgrade ruby to 2.7.6 Link: https://www.ruby-lang.org/en/news/2022/04/12/ruby-2-7-6-released/ This includes CVE-2022-28739 security fix (From OE-Core rev: 4514b1b8cacb92b1790b636b111c071190b2e4b2) Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: Use CVE_CHECK_WHITELIST instead of CVE_CHECK_IGNORERanjitsinh Rathod2022-05-201-1/+1
| | | | | | | | | | | Use CVE_CHECK_WHITELIST as CVE_CHECK_IGNORE is not valid on dunfell branch (From OE-Core rev: 970743af349e21a399da6241587b849b14933bc5) Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: ignore CVE-2015-20107Ross Burton2022-05-091-0/+3
| | | | | | | | | | | | | | | | | | | CVE-2015-20107 describes an arbitrary command execution in the mailcap module, but this is by design in mailcap and needs to be worked around by the calling application. Upstream Python will be documenting this flaw in the library reference, and it is likely that the mailcap module will be deprecated and removed in the future. (From OE-Core rev: 1ed7bb74d35f08af3babf73c68ee01af5f28a50b) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 85fac8408baf92d8b71946f5bfea92952b7eab01) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git update from 2.24.3 to 2.24.4Steve Sakoman2022-04-223-308/+2
| | | | | | | | | | | | | Security release, fixes CVE-2021-21300, so remove that patch. 22539ec3b5 unpack_trees(): start with a fresh lstat cache 0d58fef58a run-command: invalidate lstat cache after a command finished 684dd4c2b4 checkout: fix bug that makes checkout follow symlinks in leading path (From OE-Core rev: 8606d99041c3c1a002b2300c59afc116050c73cc) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* apt: add -fno-strict-aliasing to CXXFLAGS to fix SHA256 bugRalph Siemsen2022-04-211-0/+4
| | | | | | | | | | | | | | | Recently we've begun seeing issues with apt SHA256 generation/checking on some distros (fedora 35, alma 8). The version of apt in dunfell uses its own SHA256 code, not a standard library. Investigation reveals that the issue is related to -fstrict-aliasing enabled by -O2 optimization, so turn it off with -fno-strict-aliasing (From OE-Core rev: dc61dfd7791976c70c93e0d253a8fdbd40d27f3b) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* pseudo: Fix handling of absolute linksAlexandre Belloni2022-04-211-1/+1
| | | | | | | | | | | | | Update to a version of pseudo which has a fix for absolute links, evaluating them from the chroot path. (From OE-Core rev: 4e79b3fa07d6b8d044f2fb21e691ff3683aee1ea) Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 33147b89bc3c9e9bdd53a942a5551d8a1d06130c) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* pseudo: Add patch to workaround paths with crazy lengthsRichard Purdie2022-04-211-1/+1
| | | | | | | | | | | | Update to a version of pseudo which includes a workaround for crazy long paths, as shown by the libfm failures from the libtool upgrade. (From OE-Core rev: 5cac1e855e397b58c3c2b251a9794f3d480c8ad6) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 67dfa32d82b8862e6e543c37315f211aba3ec28b) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: Ignore CVE-2022-24975Richard Purdie2022-04-211-0/+5
| | | | | | | | | | | | | | | Everyone I've talked to doesn't see this as a major issue. The CVE asks for a documentation improvement on the --mirror option to git clone as deleted content could be leaked into a mirror. For OE's general users/use cases, we wouldn't build or ship docs so this wouldn't affect us. (From OE-Core rev: f35500a442d6a4564d52e23f9602a3f90a4ceee5) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 5dfe2dd5482c9a446f8e722fe51903d205e6770d) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3-jinja2: Correct HOMEPAGEPeter Kjellerstedt2022-04-091-1/+1
| | | | | | | | | | | (From OE-Core rev: 7d429e8385ca01728d797abe8ab9575140734476) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 261778c1e3665b34c0d4e49bda63b520d5335587) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: backport patch fix for CVE-2021-38297Davide Gardenal2022-04-092-0/+99
| | | | | | | | | | | | | | | | Patch taken from https://github.com/golang/go/commit/4548fcc8dfd933c237f29bba6f90040a85922564 from the following issue https://github.com/golang/go/issues/48797 Original repo https://go.googlesource.com/go/+/77f2750f4398990eed972186706f160631d7dae4 (From OE-Core rev: e9e3c3969544d18f0da90a10156c40da84d5b549) Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-08-08 06:21:17 +0000