summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
Commit message (Collapse)AuthorAgeFilesLines
...
* e2fsprogs: fix ptest bug for second runningQiu Tingting2023-06-172-0/+4
| | | | | | | | | | | | | | | At second running, there are four new failed case: d_loaddump f_bigalloc_badinode f_bigalloc_orphan_list f_dup_resize The test_data.tmp is necessary, but it is deleted by run-ptest. So it should be restored after testing. (From OE-Core rev: 496dc586446d09a77923bc191e5305ba06c8f59e) Signed-off-by: Qiu Tingting <qiutt@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit d0d08dd9a8a179e25b9cfcbac696c1d212a1910c) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Security fix CVE-2023-24540Vijay Anusuri2023-06-132-0/+91
| | | | | | | | | Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797] (From OE-Core rev: e569586ac9095d344967c5b9c4bfb07f70948936) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* golang: Fix CVE-2023-24539Ashish Sharma2023-06-132-0/+61
| | | | | | | | | Improper sanitization of CSS values in html/template (From OE-Core rev: 737333d41d245154eb4b26ec8db79a2f9823c873) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* git: fix CVE-2023-25652Hitendra Prajapati2023-05-252-0/+95
| | | | | | | | | | | | | | | | | | | | | | | Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists. References: https://nvd.nist.gov/vuln/detail/CVE-2023-25652 Upstream-Status: Backport from https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b (From OE-Core rev: 6747482316b8f7839a09bf041d8c11b559f84b44) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* git: fix CVE-2023-29007Hitendra Prajapati2023-05-252-0/+160
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. References: https://nvd.nist.gov/vuln/detail/CVE-2023-29007 Upstream patches: https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4 https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8 https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a https://github.com/git/git/commit/e91cfe6085c4a61372d1f800b473b73b8d225d0d https://github.com/git/git/commit/3bb3d6bac5f2b496dfa2862dc1a84cbfa9b4449a (From OE-Core rev: db4c152441aebe4c04a7bb7aceb88d8941a6576b) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* run-postinsts: Set dependency for ldconfig to avoid boot issuesArturo Buzarra2023-05-161-1/+1
| | | | | | | | | | | | | | | | | | | | | If a package with a postsints script requires ldconfig, the package class adds a ldconfig postinst fragment to initialize it before. Systemd has its own ldconfig.service to initialize it and sometimes if both services are running at the same time in the first boot, the first one will work, but the second one will fail with the following error: ldconfig[141]: /sbin/ldconfig: Renaming of /etc/ld.so.cache~ to /etc/ld.so.cache failed: No such file or directory This commit adds a ordering dependency between them to make sure that only one service is running at the same time. (From OE-Core rev: 1bc254e7969f3d5470bacf9ad9f065d38b7b7fde) Signed-off-by: Arturo Buzarra <arturo.buzarra@digi.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 4e9d812e127dc6743f52f4881e509e8e2e833afe) Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Security fix for CVE-2023-24538Shubham Kulkarni2023-05-164-0/+532
| | | | | | | | | | | html/template: disallow actions in JS template literals Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b (From OE-Core rev: c8a597b76505dab7649f4c9b18e1e14b0e3d57af) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-24534 denial of service from excessive memory allocationVivek Kumbhar2023-05-032-0/+201
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A parsed MIME header is a map[string][]string. In the common case, a header contains many one-element []string slices. To avoid allocating a separate slice for each key, ReadMIMEHeader looks ahead in the input to predict the number of keys that will be parsed, and allocates a single []string of that length. The individual slices are then allocated out of the larger one. The prediction of the number of header keys was done by counting newlines in the input buffer, which does not take into account header continuation lines (where a header key/value spans multiple lines) or the end of the header block and the start of the body. This could lead to a substantial amount of overallocation, for example when the body consists of nothing but a large block of newlines. Fix header key count prediction to take into account the end of the headers (indicated by a blank line) and continuation lines (starting with whitespace). Thanks to Jakob Ackermann (@das7pad) for reporting this issue. Fixes CVE-2023-24534 For #58975 Fixes #59267 (From OE-Core rev: daa6aa9c7198a07322f1828a9db457fec86191cf) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: Whitelist CVE-2023-0664Virendra Thakur2023-05-031-0/+5
| | | | | | | | | | | This CVE is related to Windows. Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0664 (From OE-Core rev: 8efb0fc7e7db4bad3dbc40d8f890a6c2e7be38fa) Signed-off-by: Virendra Thakur <virendrak@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Ignore CVE-2022-1705Shubham Kulkarni2023-05-031-0/+3
| | | | | | | | | | | | The vulnerability was introduced in go1.15beta1 with commit d5734d4. Dunfell uses go1.14 version which does not contain the affected code. Ref: https://security-tracker.debian.org/tracker/CVE-2022-1705 (From OE-Core rev: 6e4a952efc94a3bb94216db1cbd738f4fb70217f) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: fix CVE-2023-24537 Infinite loop in parsingVivek Kumbhar2023-04-262-0/+77
| | | | | | | | | | | | | Setting a large line or column number using a //line directive can cause integer overflow even in small source files. Limit line and column numbers in //line directives to 2^30-1, which is small enough to avoid int32 overflow on all reasonbly-sized files. (From OE-Core rev: d1943e6a0ec00653c81cd4c0bb0d6b7e0909094c) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Security fix for CVE-2020-29510Shubham Kulkarni2023-04-262-0/+66
| | | | | | | | | | | encoding/xml: replace comments inside directives with a space Backport from https://github.com/golang/go/commit/a9cfd55e2b09735a25976d1b008a0a3c767494f8 (From OE-Core rev: 76d855f3d2c250ac85ca6f24bf0e178fb32607f9) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: ignore CVE-2022-41716Peter Marko2023-04-261-0/+3
| | | | | | | | | | | | | | This CVE is specific to Microsoft Windows, ignore it. Patch fixing it (https://go-review.googlesource.com/c/go/+/446916) also adds a redundant check to generic os/exec which could be backported but it should not be necessary as backport always takes a small risk to break old code. (From OE-Core rev: 4263f3fda59aacb4f159d2dffb52e5f66249b5e4) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go-runtime: Security fix for CVE-2022-41722Shubham Kulkarni2023-04-263-0/+159
| | | | | | | | | | | path/filepath: do not Clean("a/../c:/b") into c:\b on Windows Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c (From OE-Core rev: 70135bf04eb7173434a7240ddf11639d13aab003) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: CVE-2023-28756 ReDoS vulnerability in TimeHitendra Prajapati2023-04-192-0/+62
| | | | | | | | | Upstream-Status: Backport from https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e (From OE-Core rev: 52d26edffdd0444588ecad56b40a65e225889a01) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix build error introduced by CVE-2021-3929 fixGaurav Gupta2023-04-194-15/+221
| | | | | | | | | | | | | | | | | | | | | | The patch for CVE-2021-3929 applied on dunfell returns a value for a void function. This results in the following compiler warning/error: hw/block/nvme.c:77:6: error: void function 'nvme_addr_read' should not return a value [-Wreturn-type] return NVME_DATA_TRAS_ERROR; ^ ~~~~~~~~~~~~~~~~~~~~ In newer versions of qemu, the functions is changed to have a return value, but that is not present in the version of qemu used in “dunfell”. Backport some of the patches to correct this. (From OE-Core rev: 4ad98f0b27615ad59ae61110657cf69004c61ef4) Signed-off-by: Gaurav Gupta <gauragup@cisco.com> Signed-off-by: Gaurav Gupta <gauragup@cisco.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix compile error which imported by CVE-2022-4144Hitendra Prajapati2023-04-142-0/+237
| | | | | | | | | Upstream-Status: Backport from https://github.com/qemu/qemu/commit/61c34fc && https://gitlab.com/qemu-project/qemu/-/commit/8efec0ef8bbc1e75a7ebf6e325a35806ece9b39f (From OE-Core rev: d17f4c741c66268ce54ff89be2be9b0402c98df2) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* git: Security fix for CVE-2023-22490 and CVE-2023-23946Vijay Anusuri2023-04-145-0/+643
| | | | | | | | | | | | | Upstream-Status: Backport from https://github.com/git/git/commit/58325b93c5b6212697b088371809e9948fee8052 & https://github.com/git/git/commit/cf8f6ce02a13f4d1979a53241afbee15a293fce9 & https://github.com/git/git/commit/bffc762f87ae8d18c6001bf0044a76004245754c (From OE-Core rev: 071fb3b177bcbdd02ae2c28aad97af681c091e42) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go-runtime: Security fix for CVE-2022-41723Shubham Kulkarni2023-04-142-0/+157
| | | | | | | | | | | | Disable cmd/internal/moddeps test, since this update includes PRIVATE track fixes. Backport from https://github.com/golang/go/commit/5c3e11bd0b5c0a86e5beffcd4339b86a902b21c3 (From OE-Core rev: 53a303fb5908edaf29e35abb08fff93e7c0ff92c) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* git: ignore CVE-2023-22743Chee Yang Lee2023-04-011-0/+2
| | | | | | | | | | (From OE-Core rev: 3f106ad3ebafbf850e42bcb46661cc0b6e40e4cc) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit 70adf86b515934168a6185dcff4a8edb39a40017) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: fix multple CVEsChee Yang Lee2023-04-0118-0/+1039
| | | | | | | | | | | | | | | | | | | | | | import patches from ubuntu to fix CVE-2020-15469 CVE-2020-15859 CVE-2020-17380 CVE-2020-35504 CVE-2020-35505 CVE-2021-3409 CVE-2022-26354 https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches?h=ubuntu/focal-security Combine patches for both CVE-2020-25085 and CVE-2021-3409 also fix CVE-2020-17380. so mark CVE-2020-17380 fixed by CVE-2021-3409 patches. CVE-2020-17380 patch backported since oecore rev 6b4c58a31ec11e557d40c31f2532985dd53e61eb. (From OE-Core rev: 3ee2e9027d57dd5ae9f8795436c1acd18a9f1e24) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* QEMU: CVE-2022-4144 QXL: qxl_phys2virt unsafe address translation can lead ↵Hitendra Prajapati2023-03-252-4/+108
| | | | | | | | | | | | | | | | | to out-of-bounds read Upstream-Status: Backport from https://gitlab.com/qemu-project/qemu/-/commit/6dbbf055148c6f1b7d8a3251a65bd6f3d1e1f622 (From OE-Core rev: 754cce68614c7985d5848134635a6b318f4505ab) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Replace the tabs with spaces to correct the indent. Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcc: Fix inconsistent noexcept specifier for valarray in libstdc++Virendra Thakur2023-03-142-0/+45
| | | | | | | | | | | | Backport of gcc upstream commit 2b2d97fc545635a0f6aa9c9ee3b017394bc494bf to gcc release 9.5.0. This fix is available to all release-branches except releases/gcc-9 because upstream do not support gcc-9 now. (From OE-Core rev: 9779b66162a014f26594bdde43afdc4332617240) Signed-off-by: Virendra Thakur <virendrak@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: Security fix for CVE-2022-41903Vijay Anusuri2023-03-1413-0/+1387
| | | | | | | | | | | | | | | Upstream-Status: Backport from https://github.com/git/git/commit/a244dc5b & https://github.com/git/git/commit/81dc898d & https://github.com/git/git/commit/b49f309a & https://github.com/git/git/commit/f6e0b9f3 & https://github.com/git/git/commit/1de69c0c & https://github.com/git/git/commit/48050c42 & https://github.com/git/git/commit/522cc87f & https://github.com/git/git/commit/17d23e8a & https://github.com/git/git/commit/937b71cc & https://github.com/git/git/commit/81c2d4c3 & https://github.com/git/git/commit/f930a239 & https://github.com/git/git/commit/304a50ad (From OE-Core rev: d591ac4dfeff7b69086a47c7e88a8127f1d31299) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: remove True option to getVar and getVarFlag calls (again)Martin Jansa2023-02-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * True is default since 2016 and most layers were already updated not to pass this parameter where not necessary, e.g. oe-core was updated couple times, first in: https://git.openembedded.org/openembedded-core/commit/?id=7c552996597faaee2fbee185b250c0ee30ea3b5f Updated with the same regexp as later oe-core update: https://git.openembedded.org/openembedded-core/commit/?id=9f551d588693328e4d99d33be94f26684eafcaba with small modification to replace not only d.getVar, but also data.getVar as in e.g.: e.data.getVar('ERR_REPORT_USERNAME', True) and for getVarFlag: sed -e 's|\(d\.getVarFlag \?\)( \?\([^,()]*, \?[^,()]*\), \?True)|\1(\2)|g' \ -i $(git grep -E 'getVarFlag ?\( ?([^,()]*), ?([^,()]*), ?True\)' \ | cut -d':' -f1 \ | sort -u) (From OE-Core rev: 4ec04d14899cb7725ce908e3ef6302838275f0a8) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 26c74fd10614582e177437608908eb43688ab510) Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit 24a86d0c55ee89ae0dc77975e1d0ee02898d2289) Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit de7bf6689a19dc614ce4b39c84ffd825bee1b962) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: ignore CVE-2022-41953Ross Burton2023-02-241-0/+2
| | | | | | | | | | | | This is specific to Git-for-Windows. (From OE-Core rev: dfb042a6159d128aa4ee8d899c447cf33a2be7ae) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c8849af809e0213d43e18e5d01067eeeb61b330d) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* quilt: use upstreamed faildiff.test fixRoss Burton2023-02-241-17/+30
| | | | | | | | | | | (From OE-Core rev: 444494290c349d481a164b865ef97db7f84ffd44) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 50b81a263187af4452d3b99967bffd01c6ddb476) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* quilt: fix intermittent failure in faildiff.testRoss Burton2023-02-242-0/+29
| | | | | | | | | | | | | | | | | | | This test assumes that if a child process writes one line to stderr and then another line to stdout, and stderr is redirected to stdout, that the order the lines will be read is stable. This isn't the case and occasionally the lines will be read in a different order. Change the test to ignore line ordering. [ YOCTO #14469 ] (From OE-Core rev: 2c9fe8c3bb1cc1883c7bd445d019b2107e85ab2b) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 1ddbe4d2bd8d8da10dac8a054f130fcd1d242219) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: CVE-2022-23521 gitattributes parsing integer overflowHitendra Prajapati2023-02-242-1/+368
| | | | | | | | | | | | | | | | | | | | | Backport from: https://github.com/git/git/commit/eb22e7dfa23da6bd9aed9bd1dad69e1e8e167d24 https://github.com/git/git/commit/8d0d48cf2157cfb914db1f53b3fe40785b86f3aa https://github.com/git/git/commit/24557209500e6ed618f04a8795a111a0c491a29c https://github.com/git/git/commit/34ace8bad02bb14ecc5b631f7e3daaa7a9bba7d9 https://github.com/git/git/commit/447ac906e189535e77dcb1f4bbe3f1bc917d4c12 https://github.com/git/git/commit/e1e12e97ac73ded85f7d000da1063a774b3cc14f https://github.com/git/git/commit/a60a66e409c265b2944f18bf43581c146812586d https://github.com/git/git/commit/d74b1fd54fdbc45966d12ea907dece11e072fb2b https://github.com/git/git/commit/dfa6b32b5e599d97448337ed4fc18dd50c90758f https://github.com/git/git/commit/3c50032ff5289cc45659f21949c8d09e52164579 (From OE-Core rev: 4f4baa56656291b259b9474a3637cf31f6569ff3) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: fix CVE-2021-3929 nvme DMA reentrancy issue leads to use-after-freeVivek Kumbhar2023-02-242-0/+79
| | | | | | | | (From OE-Core rev: 18056190f72eef9a44397cd87d79022dd2a9d4e3) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Fix slirp determinism issueSteve Sakoman2023-02-243-3/+5
| | | | | | | | | | | | | | | | | | | | | | Add a PACKAGECONFIG option for slirp, defaulting to internal. This avoids the presence of libslirp on the host causing qemu to link against that instead breaking reproducibility and usability of the binary on hosts where the library isn't present. We need to add it to PACKAGECONFIG by default since users do expect slirp to be enabled in the wider community. Note: qemu version 4.2.0 doesn't support an "internal" option for enable-slirp, so use "git" instead which uses the same configure code path, avoids host libslirp contamination and forces use of the qemu internal slirp implementation. (From OE-Core rev: e5dc03e4a3b71ff144896a8ce56a34b8677e8e27) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 5a9a64132bf5ecac9d611d29751226a466c4a2c1) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: fix CVE-2022-1962 go/parser stack exhaustion in all Parse* functionsVivek Kumbhar2023-02-132-0/+358
| | | | | | | | (From OE-Core rev: 3126830360ca431fb5eecf3d1e5fde7e928b1365) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: fix packaging of Windows distutils installer stubsSteve Sakoman2023-02-131-1/+3
| | | | | | | | | | | | | | | The python3 Windows distutils installer stubs were split into a separate package in poky commit dc1ab6482cfb30c714e7cbb421920943439a3fd6. This has regressed during the upgrade to Python 3.8.2 in yocto-3.1 [YOCTO #13889] https://bugzilla.yoctoproject.org/show_bug.cgi?id=13889 (From OE-Core rev: 4f069121ddb99bb6e2f186724cd60ca07f74f503) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go-crosssdk: avoid host contamination by GOCACHERobert Andersson2023-01-061-0/+2
| | | | | | | | | | | | | | | | | | By default GOCACHE is set to $HOME/.cache. Same issue for all other go recipes had been fixed by commit 9a6d208b: [ go: avoid host contamination by GOCACHE ] but that commit missed go-crosssdk recipe. (From OE-Core rev: 22fef4e278beae60d1a6afbe4645fb36732bc736) Signed-off-by: Robert Andersson <robert.m.andersson@atlascopco.com> Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit e5fd10c647ac4baad65f9efa964c3380aad7dd10) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: fix CVE-2021-3507 fdc heap buffer overflow in DMA read data transfersVivek Kumbhar2023-01-062-0/+88
| | | | | | | | (From OE-Core rev: 39a9f2056d4794dc75390b9a4a903c1745545095) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* rsync: fix CVE-2022-29154 remote arbitrary files write inside the ↵Vivek Kumbhar2023-01-062-0/+335
| | | | | | | | | | directories of connecting peers (From OE-Core rev: d92312146832cd14963422b8c14b2f2c409821c7) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: fix CVE-2022-41717 Excessive memory use in got serverVivek Kumbhar2023-01-062-0/+76
| | | | | | | | (From OE-Core rev: a483f182676d87b7035e37fac8e21226fbd9fd63) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* opkg: Set correct info_dir and status_file in opkg.confHarald Seiler2022-12-231-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | Distros can customize the location of OPKG data using OPKGLIBDIR. In OE-Core commit 11f1956cf5d7 ("package_manager.py: define info_dir and status_file when OPKGLIBDIR isn't the default"), a fix was applied to correctly set the info_dir and status_file options relative to OPKGLIBDIR. However, as the commit message notes, the opkg.conf file deployed as part of the opkg package must also be adjusted to correctly reflect the changed location. Otherwise, opkg running inside the image cannot find its data. Fix this by also setting the info_dir and status_file options in opkg.conf to the correct location relative to OPKGLIBDIR. Fixes: 11f1956cf5d7 ("package_manager.py: define info_dir and status_file when OPKGLIBDIR isn't the default") (From OE-Core rev: 38224b19bda2592705ef4274c28cb250d9e980dc) Signed-off-by: Harald Seiler <hws@denx.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit adb939ae3635de6e02208859fbf29cf0ed39f565) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: Fix CVE-2022-37454Pawan Badganchi2022-12-232-0/+106
| | | | | | | | | | | | | | | Add below patch to fix CVE-2022-37454 CVE-2022-37454.patch Link: https://security-tracker.debian.org/tracker/CVE-2022-37454 Link: https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631 (From OE-Core rev: 6a8ef6cc3604008860dcb6aa5d7155b914d7c391) Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> Signed-off-by: pawan <badganchipv@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexpsHitendra Prajapati2022-12-232-0/+272
| | | | | | | | | | Upstream-Status: Backport from https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 (From OE-Core rev: 2470c52db633f206dbfcd049fcca828d1ff5f82a) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* rpm: Fix rpm CVE CVE-2021-3521Riyaz Khan2022-12-235-0/+483
| | | | | | | | | | | | | | | | | | | Links: Dependent Patches: CVE-2021-3521-01 https://github.com/rpm-software-management/rpm/commit/b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 CVE-2021-3521-02 https://github.com/rpm-software-management/rpm/commit/9f03f42e2614a68f589f9db8fe76287146522c0c CVE-2021-3521-03 https://github.com/rpm-software-management/rpm/commit/5ff86764b17f31535cb247543a90dd739076ec38 CVE-2021-3521 https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8 (From OE-Core rev: ddb4f775a86855e4ddc6c0d0d1f24a55e0ecbfe0) Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: fix CVE-2021-20196 block fdc null pointer dereference may lead to ↵Vivek Kumbhar2022-12-072-0/+63
| | | | | | | | | | | | guest crash Upstream-Status: Backport [https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233] (From OE-Core rev: 1523fcbb6fef60d30c07377673fca265c5c9781c) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcc: upgrade to v9.5Sundeep KOKKONDA2022-12-0755-1636/+4
| | | | | | | | | | | | | gcc stable version upgraded from v9.3 to v9.5 Below is the bug fix list for v9.5 https://gcc.gnu.org/bugzilla/buglist.cgi?bug_status=RESOLVED&resolution=FIXED&target_milestone=9.5 (From OE-Core rev: 698c3323fd95592e815345acd9070e5089a1bd00) Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: ignore CVE-2022-30630Ralph Siemsen2022-12-071-0/+3
| | | | | | | | | | | | | | The CVE is in the io/fs package, which first appeared in go1.16. Since dunfell is using go1.14, this issue does not apply. CVE was fixed in fa2d41d0ca736f3ad6b200b2a4e134364e9acc59 Original code in b64202bc29b9c1cf0118878d1c0acc9cdb2308f6 (From OE-Core rev: 1e258940e9a6fabda6e7e60841082c113fdf9500) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: ignore CVE-2022-30580Ralph Siemsen2022-12-071-0/+1
| | | | | | | | | | | | | | | | Only affects Windows platform, as per the release announcement [1]: "If, on Windows, Cmd.Run, cmd.Start, cmd.Output, or cmd.CombinedOutput are executed when Cmd.Path is unset and, in the working directory, there are binaries named either "..com" or "..exe", they will be executed." [1] https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ (From OE-Core rev: 54c40730bc54aa2b2c12b37decbcc99bbcafd07a) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: ignore CVE-2021-41772Ralph Siemsen2022-12-071-0/+3
| | | | | | | | | | | | | | | | | Dunfell uses golang 1.14 which does not contain the affected code (it was introduced in golang 1.16). From the golang announcement [1] "Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made to panic by an attacker providing either a crafted ZIP archive containing completely invalid names or an empty filename argument. [1] https://groups.google.com/g/golang-announce/c/0fM21h43arc (From OE-Core rev: 2329902f994b631d6b77e8bd501d5599db6d5306) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: ignore CVE-2021-33194Ralph Siemsen2022-12-071-0/+3
| | | | | | | | | | | | | This is a bug in golang.org/x/net/html/parse.go. The golang compiler includes a partial copy of this under src/vendor/golang.org/x/net/ however the "html" subdirectory is not included. So this bug does not apply to the compiler itself. (From OE-Core rev: b8a851faef9990ccb41ded875fc79cf28abd4a4e) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: ignore CVE-2022-29804Ralph Siemsen2022-12-071-0/+1
| | | | | | | | | | | | | | | The issue only affects Windows per the golang announcement [1]: On Windows, the filepath.Clean function could convert an invalid path to a valid, absolute path. For example, Clean(`.\c:`) returned `c:`. [1] https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg (From OE-Core rev: bca720eca95929752436b56aa01e7fddfa1c834f) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: fix CVE-2022-28327Ralph Siemsen2022-12-072-0/+37
| | | | | | | | | | Upstream-Status: Backport [https://github.com/golang/go/commit/7139e8b024604ab168b51b99c6e8168257a5bf58] CVE: CVE-2022-28327 (From OE-Core rev: aab2a343be4b0b21dcaf22a7fbf77007d48c08d6) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: fix CVE-2022-28131Ralph Siemsen2022-12-072-0/+105
| | | | | | | | | | Upstream-Status: Backport [https://github.com/golang/go/commit/58facfbe7db2fbb9afed794b281a70bdb12a60ae] CVE: CVE-2022-28131 (From OE-Core rev: 09a820fe21d7884c6733d569f6560ef1ded5435d) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>