summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
Commit message (Collapse)AuthorAgeFilesLines
...
* rust-cross/rust-common: Merge arm target handling code to fix cross-canadianRichard Purdie2023-12-122-6/+7
| | | | | | | | | | | | | | | | rust-cross had special handling for armv7 targets but we also need this for cross-canadian. Merge the code into the main function so everything is consistent. Also then fix the arm definition to be arm-eabi since ABI is correctly being looked up. (From OE-Core rev: 0adada8111c17e8e5a7c32cef86bdb8e7dfd79d3) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit ff3c3dbbd2bf1bb7bb70b55cca203e9eedcf14a8) Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rust-cross-canadian: Fix ordering of target json config generationRichard Purdie2023-12-121-2/+3
| | | | | | | | | | | | | | Based upon a patch from Otavio Salvador <otavio@ossystems.com.br>, ensure the target json files are written in the correct order with the most specific last incase it overwrites earlier files if the prefixes match. (From OE-Core rev: d8c030ef90272e42a1697f5195f887d09878aa01) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 1912c4e9e0ecf9655f3b3a41588b54d7956f5899) Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rust-common: Set llvm-target correctly for cross SDK targetsRichard Purdie2023-12-121-1/+5
| | | | | | | | | | | | | | | | | | | | | When a 'BUILD' target is requested we shouldn't be looking at TARGET_SYS but at BUILD_SYS. Due to the way rust mangles triplets, we need the HOST_SYS triplet to work with existing code - fixing that issue is a separate patch. Also drop the arch_abi argument, it doens't make any sense to a getVar() call and was a copy and paste error. Based on a patch from Otavio Salvador <otavio@ossystems.com.br> but separated out and tweaked. Fixes: bd36593ba3 ("rust-common: Drop LLVM_TARGET and simplify") (From OE-Core rev: cccbb8358be830b83a43fe1ff8a88932dee1c228) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit d554161a045d12411f288394e253c54aa4c1257c) Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rust-llvm: Allow overriding LLVM target archsNiko Mauno2023-12-121-1/+3
| | | | | | | | | | | | | | Move the default value into a variable which can be overridden to match more accurately the use case specific scenario. (From OE-Core rev: 645370e85d8742d0614cd52ca7507b5df2d38ad8) (From OE-Core rev: 93458c302938bf704e8e9f14dfdfee57454adf7a) Signed-off-by: Niko Mauno <niko.mauno@vaisala.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-cryptography: fix CVE-2023-49083Narpat Mali2023-12-122-0/+54
| | | | | | | | | | | | | | | | | | | | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. References: https://nvd.nist.gov/vuln/detail/CVE-2023-49083 https://security-tracker.debian.org/tracker/CVE-2023-49083 (From OE-Core rev: 2d104f78cd13a10640bc284c7fc8358bf305279c) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix issue in DNS resolverChaitanya Vadrevu2023-11-282-0/+52
| | | | | | | | | | | | | | | | This change adds a patch that is a partial backport of an upstream commit[1]. It fixes a bug in go's DNS resolver that was causing a docker issue where the first "docker pull" always fails after system boot if docker daemon is started before networking is completely up. [1] https://github.com/golang/go/commit/d52883f443e1d564b0300acdd382af1769bf0477 (From OE-Core rev: 8c8b01e84844a7e721c668d5ffbc7161e67f0862) Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: ignore CVE-2023-45283 and CVE-2023-45284Peter Marko2023-11-281-2/+2
| | | | | | | | | These CVEs affect path handling on Windows. (From OE-Core rev: 60f75fd6a671fcbfeefb634fe88f6faa17b446b7) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-48064Deepthi Hemraj2023-11-282-0/+58
| | | | | | | (From OE-Core rev: 88cbf5eb4a075e677b1f9e6444ec6378a5949978) Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-47007Deepthi Hemraj2023-11-282-0/+35
| | | | | | | (From OE-Core rev: 03e6ea59d82e613ba3b5d388fa87317cef982f2b) Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu 6.2.0: Fix CVE-2023-1544Niranjan Pradhan2023-11-282-0/+71
| | | | | | | | | | | | | | | Upstream Repository: https://gitlab.com/qemu-project/qemu.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1544 Type: Security Fix CVE: CVE-2023-1544 Score: 6.3 Patch: https://gitlab.com/qemu-project/qemu/-/commit/85fc35afa93c (From OE-Core rev: d019fcc99c542d49be6e1615a5c75f88f8ff5a52) Signed-off-by: Niranjan Pradhan <nirpradh@cisco.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-jinja2: Fixed ptest result output as per the standardNarpat Mali2023-11-141-1/+1
| | | | | | | | | | | There was an extra space between the result and ':'. After removing extra space, the ptest result will be: result : testname -> result: testname (From OE-Core rev: 4bb6373e5f4a1330a063d1afe855d6c24d5461e7) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-47010Sanjana2023-11-142-0/+39
| | | | | | | (From OE-Core rev: 3fd5701a861aa263ad1d912bfd44d4d5826d11a1) Signed-off-by: Sanjana <Sanjana.Venkatesh@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: ignore RHEL specific CVE-2023-2680Lee Chee Yang2023-10-251-0/+4
| | | | | | | (From OE-Core rev: a1256b8fa415002eee78427cc292b866570ee267) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: CVE-2022-48063Armin Kuster2023-10-212-0/+49
| | | | | | | | | | | | | | | | Source: Binutils MR: 128800 Type: Security Fix Disposition: Backport from https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75393a2d54bcc40053e5262a3de9d70c5ebfbbfd ChangeID: ab04e4ec62d054c90d94f82230adb2342ce1ee1b Description: Affects binutils < 2.40 (From OE-Core rev: 80a8d16a4038868469b4583404b6f73e12bae0f1) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-47011Deepthi Hemraj2023-10-212-0/+36
| | | | | | | (From OE-Core rev: 5ff2e3c880705c2e920a4a61a5165810fadd7b84) Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-47008Deepthi Hemraj2023-10-212-0/+68
| | | | | | | (From OE-Core rev: 3a299d1610bf085790017569de090b0a41cf809b) Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Mark CVE-2022-47696 as patchedChaitanya Vadrevu2023-10-211-0/+2
| | | | | | | (From OE-Core rev: bc480221d8091be460a1b8c4d023b9841e1df3c2) Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Mark CVE-2022-47673 as patchedChaitanya Vadrevu2023-10-211-0/+2
| | | | | | | (From OE-Core rev: 96fe4b522a35f75a7d2b597d7e650dfc7ae82e27) Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-47695Chaitanya Vadrevu2023-10-212-0/+59
| | | | | | | | | Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=3d3af4ba39e892b1c544d667ca241846bc3df386] (From OE-Core rev: 4d4732c2e295fea610d266fa12bae3cc01f93dfa) Signed-off-by: Chaitanya Vadrevu <chaitanya.vadrevu@ni.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* apt: add missing <cstdint> for uint16_tKhem Raj2023-10-182-0/+36
| | | | | | | | | | (From OE-Core rev: 2572b32e729831762790ebfbf930a1140657faea) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 8c46ded67df2d830c8bbf5f7b82d75db81d797e2) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: 1.26.15 -> 1.26.17Lee Chee Yang2023-10-181-1/+1
| | | | | | | | | | | | | | | | | 1.26.17 (2023-10-02) Added the Cookie header to the list of headers to strip from requests when redirecting to a different host. As before, different headers can be set via Retry.remove_headers_on_redirect. (CVE-2023-43804) 1.26.16 (2023-05-23) Fixed thread-safety issue where accessing a PoolManager with many distinct origins would cause connection pools to be closed while requests are in progress (#2954) (From OE-Core rev: 27a1de55a46b7b313eb2a6370e9d779a7cd49154) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: upgrade 1.26.14 -> 1.26.15Wang Mingyu2023-10-181-1/+1
| | | | | | | | | | | | | | | | | Changelog: ========== * Fix socket timeout value when "HTTPConnection" is reused ('#2645 <https://github.com/urllib3/urllib3/issues/2645>'__) * Remove "!" character from the unreserved characters in IPv6 Zone ID parsing ('#2899 <https://github.com/urllib3/urllib3/issues/2899>'__) * Fix IDNA handling of '\x80' byte ('#2901 <https://github.com/urllib3/urllib3/issues/2901>'__) (From OE-Core rev: a335ccbcc9913e79bfe958c41690b7efa189ae93) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 8e062efbac29a81831c3060bcae601dc533d65dd) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: upgrade 1.26.13 -> 1.26.14Tim Orling2023-10-181-1/+1
| | | | | | | | | | | | | | | | https://github.com/urllib3/urllib3/blob/1.26.14/CHANGES.rst#12614-2023-01-11 1.26.14 (2023-01-11) Fixed parsing of port 0 (zero) returning None, instead of 0. (#2850) Removed deprecated getheaders() calls in contrib module. (From OE-Core rev: aefb7af6b56269d45170beb99e6c878bf2448b78) Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 55ab1bf20e6893088acb6460e9004dac8e205559) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: upgrade 1.26.12 -> 1.26.13Alexander Kanavin2023-10-181-1/+1
| | | | | | | | | | | (From OE-Core rev: e8ae3247795d9333f6252bbec85a8e09c0c9cb48) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b18552f69a2eb8900981a10ba386dc4f862b29c3) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: upgrade 1.26.11 -> 1.26.12wangmy2023-10-181-1/+1
| | | | | | | | | | (From OE-Core rev: 69a610b440b5e9e92931e43bd1c75230bb99f03e) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit cb05578af3ace6e3983f93e16d9ad1ac2a65fbe2) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: upgrade 1.26.10 -> 1.26.11Alexander Kanavin2023-10-181-1/+1
| | | | | | | | | | | (From OE-Core rev: d83b4afc17839b6c11b540aabf056647ddacb587) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit dbe07ff87e2cb1a8276e69a43c7cdbb9ae6e5493) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: upgrade 1.26.9 -> 1.26.10wangmy2023-10-181-1/+2
| | | | | | | | | | | | | | | | | | Add dependence python3-logging. Changelog: ========= * Removed support for Python 3.5 * Fixed an issue where a "ProxyError" recommending configuring the proxy as HTTP instead of HTTPS could appear even when an HTTPS proxy wasn't configured. (From OE-Core rev: d9f200b931e48d957b721005f0140ef3fff55af3) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a8a26a92dfe367472daf086a33a1b30ff6d17540) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-45703Yash Shinde2023-10-183-0/+180
| | | | | | | (From OE-Core rev: b2fa5b29462a16b238f8a6a40886b45aa483e963) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-44840Yash Shinde2023-10-182-0/+152
| | | | | | | (From OE-Core rev: 7a42ae332ebde565cc7c6fca568563f076bd26ba) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-jinja2: fix for the ptest result formatNarpat Mali2023-10-051-1/+1
| | | | | | | | | | | | | The output of python3-jinja2 ptest should follow a unified format as below result: testname Reference: https://wiki.yoctoproject.org/wiki/Ptest (From OE-Core rev: edfed23716e6240a65f53630bbaf8b7319f0d1ce) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ccache: fix build with gcc-13Martin Jansa2023-10-052-1/+95
| | | | | | | | | * needed on hosts with gcc-13 for ccache-native (From OE-Core rev: 6618e5bf994f49ed93bebc4280980e297be6af98) Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Update fix for CVE-2023-24538 & CVE-2023-39318Shubham Kulkarni2023-10-054-17/+802
| | | | | | | | | | | | | Add missing files in fix for CVE-2023-24538 & CVE-2023-39318 Upstream Link - CVE-2023-24538: https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b CVE-2023-39318: https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c (From OE-Core rev: 0d8f7062d4fb5525f34427b1a7304f165bee0cfc) Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* json-c: define CVE_VERSIONPeter Marko2023-10-051-0/+3
| | | | | | | | | | | | | | | Recently NVD updated all CVEs for json-c and old fixed CVE-2020-12762 is reported by cve_check now. NVD match clause now includes full tag name including date which is "greater" than tag without additional numbers. Fix it by defining CVE_VERSION identical to full tag. Put it close to hash so recipe update patch includes this line. (From OE-Core rev: 55e9ff0fe1de70f226557529f73c28f34f6956ed) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-git: upgrade 3.1.32 -> 3.1.37Narpat Mali2023-09-301-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The delta between 3.1.32 & 3.1.37 contains the CVE-2023-40590 and CVE-2023-41040 fixes and other bugfixes. Changelog: ========== - WIP Quick doc by @LeoDaCoda in #1608 - Partial clean up wrt mypy and black by @bodograumann in #1617 - Disable merge_includes in config writers by @bodograumann in #1618 - feat: full typing for "progress" parameter in Repo class by @madebylydia in #1634 - Fix CVE-2023-40590 by @EliahKagan in #1636 - #1566 Creating a lock now uses python built-in "open()" method to work arou… by @HageMaster3108 in #1619 - util: close lockfile after opening successfully by @skshetry in #1639 - Bump actions/checkout from 3 to 4 by @dependabot in #1643 - Fix 'Tree' object has no attribute '_name' when submodule path is normal path by @CosmosAtlas in #1645 - Fix CVE-2023-41040 by @facutuesca in #1644 - Only make config more permissive in tests that need it by @EliahKagan in #1648 - Added test for PR #1645 submodule path by @CosmosAtlas in #1647 - Fix Windows environment variable upcasing bug by @EliahKagan in #1650 - Improve Python version and OS compatibility, fixing deprecations by @EliahKagan in #1654 - Better document env_case test/fixture and cwd by @EliahKagan in #1657 - Remove spurious executable permissions by @EliahKagan in #1658 - Fix up checks in Makefile and make them portable by @EliahKagan in #1661 - Fix URLs that were redirecting to another license by @EliahKagan in #1662 - Assorted small fixes/improvements to root dir docs by @EliahKagan in #1663 - Use venv instead of virtualenv in test_installation by @EliahKagan in #1664 - Omit py_modules in setup by @EliahKagan in #1665 - Don't track code coverage temporary files by @EliahKagan in #1666 - Configure tox by @EliahKagan in #1667 - Format tests with black and auto-exclude untracked paths by @EliahKagan in #1668 - Upgrade and broaden flake8, fixing style problems and bugs by @EliahKagan in #1673 - Fix rollback bug in SymbolicReference.set_reference by @EliahKagan in #1675 - Remove @NoEffect annotations by @EliahKagan in #1677 - Add more checks for the validity of refnames by @facutuesca in #1672 Note that the changes to the license file are just removal of excess whitespace (the extra blank line at the end, and spaces appearing at the end of lines). References: https://github.com/gitpython-developers/GitPython/releases https://github.com/gitpython-developers/GitPython/blob/main/doc/source/changes.rst https://github.com/gitpython-developers/GitPython/commit/e1af18377fd69f9c1007f8abf6ccb95b3c5a6558 (From OE-Core rev: 35cb21d6c8076428c0c60f03bb1b8f6945e2a07c) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2023-36617Meenali Gupta2023-09-303-0/+101
| | | | | | | | | Backport two patches [1] [2] to fix CVE-2023-36617 (From OE-Core rev: 7a40082e4e080eaf5f88bd24f7169b7731028529) Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2023-39318Siddharth Doshi2023-09-302-0/+239
| | | | | | | | | Upstream-Status: Backport from [https://github.com/golang/go/commit/023b542edf38e2a1f87fcefb9f75ff2f99401b4c] CVE: CVE-2023-39318 (From OE-Core rev: 35fa5c12f86bda2c8542bdb57074f55808697a42) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tcl: prevent installing another copy of tzdataMartin Jansa2023-09-231-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It checks build host filesystem and if it doesn't find UTC or GMT files it installs another copy of tzdata files in: /usr/lib/tcl8.6/tzdata Buildhistory shows the difference: -PKGSIZE = 2227075 +PKGSIZE = 3433088 See the autodetection in configure.in: #------------------------------------------------------------------------ # Check whether the timezone data is supplied by the OS or has # to be installed by Tcl. The default is autodetection, but can # be overridden on the configure command line either way. #------------------------------------------------------------------------ AC_MSG_CHECKING([for timezone data]) AC_ARG_WITH(tzdata, AC_HELP_STRING([--with-tzdata], [install timezone data (default: autodetect)]), [tcl_ok=$withval], [tcl_ok=auto]) # # Any directories that get added here must also be added to the # search path in ::tcl::clock::Initialize (library/clock.tcl). # case $tcl_ok in no) AC_MSG_RESULT([supplied by OS vendor]) ;; yes) # nothing to do here ;; auto*) AC_CACHE_VAL([tcl_cv_dir_zoneinfo], [ for dir in /usr/share/zoneinfo \ /usr/share/lib/zoneinfo \ /usr/lib/zoneinfo do if test -f $dir/UTC -o -f $dir/GMT then tcl_cv_dir_zoneinfo="$dir" break fi done]) if test -n "$tcl_cv_dir_zoneinfo"; then tcl_ok=no AC_MSG_RESULT([$dir]) else tcl_ok=yes fi ;; *) AC_MSG_ERROR([invalid argument: $tcl_ok]) ;; esac if test $tcl_ok = yes then AC_MSG_RESULT([supplied by Tcl]) INSTALL_TZDATA=install-tzdata fi (From OE-Core rev: 79498ea0e9eb88ad0175f7376c57efb46217a4a4) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 3ace9fbfeb42ebf920812e3dd6d665b8b20a1ca0) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* pseudo: Fix to work with glibc 2.38Richard Purdie2023-09-232-0/+73
| | | | | | | | | | | | | | | | | This adds a horrible hack to get pseudo working with glibc 2.38. We can't drop _GNU_SOURCE to something like _DEFAULT_SOURCE since we need the defines the gnu options bring in. That leaves using internal glibc defines to disable the c23 versions of strtol/fscanf and friends. Which would break pseudo build with 2.38 from running on hosts with older glibc. We'll probably need to come up with something better but this gets glibc 2.38 and working and avoids autobuilder failures. (From OE-Core rev: 909fd25c2ebd25f5d3bc560e26f9df6862e033d0) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 596fb699d470d7779bfa694e04908929ffeabcf7) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: stable 2.38 branch updatesSanjana2023-09-231-1/+1
| | | | | | | | | | | Below commits on binutils-2.38 stable branch are updated. ea5fe5d01e5 PR30697, ppc32 mix of local-dynamic and global-dynamic TLS (From OE-Core rev: e8becc003d6926cc347ec42c0f13dcd5d9042b4d) Signed-off-by: Sanjana <sanjanasanju1608@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: Fix -fstack-protector issue on aarch64Ross Burton2023-09-232-0/+2894
| | | | | | | | | | | | | | | | This series of patches fixes deficiencies in GCC's -fstack-protector implementation for AArch64 when using dynamically allocated stack space. This is CVE-2023-4039. See: https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64 https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf for more details. (From OE-Core rev: e6592fc8308240872300a6295162e14d54c5a905) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2022-48065Sanjana2023-09-234-0/+271
| | | | | | | (From OE-Core rev: 860ecdbbf5cfd8737c914522af16dbc8bee0f72f) Signed-off-by: Sanjana <sanjanasanju1608@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Fix CVE-2023-39319Soumya Sambu2023-09-232-1/+256
| | | | | | | | | | | | | | | | The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. References: https://nvd.nist.gov/vuln/detail/CVE-2023-39319 (From OE-Core rev: afdc322ecff4cfd8478c89a03f7fce748a132b48) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gdb: Fix CVE-2023-39128Siddharth Doshi2023-09-182-0/+76
| | | | | | | | | | | | Note: The Fix needs to be pushed in gdb rather than bintuils-gdb as we are disabling gdb in binutils configure. Upstream-Status: Backport from [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=033bc52bb6190393c8eed80925fa78cc35b40c6d] CVE: CVE-2023-39128 (From OE-Core rev: 1a19a101cecc578aac84e365a361b76f129fe655) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix CVE-2021-3638Yogita Urade2023-09-182-0/+89
| | | | | | | | | | | | | | QEMU: ati-vga: inconsistent check in ati_2d_blt() may lead to out-of-bounds write. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-3638 https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg01682.html (From OE-Core rev: ebbdbb68a7804accd5430dd05f7899599ddbacd8) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-pygments: Fix CVE-2022-40896Narpat Mali2023-09-182-0/+126
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CVE-2022-40896: A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer. The CVE issue is fixed by 3 different commits between the releases 2.14.0 (for Smithy lexer), 2.15.0 (for SQL+Jinja lexers) and 2.15.1 (for Java properties) as per: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/ 1. Smithy lexer commit from 2.14.0 release applies successfully on 2.11.2 version. Commit: https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04 Hence, backported the patch as CVE-2022-40896.patch. 2. SQL+Jinja lexers commit from 2.15.0 release doesn't apply on 2.11.2 version. Commit: https://github.com/pygments/pygments/commit/97eb3d5ec7c1b3ea4fcf9dee30a2309cf92bd194 Actually, this code doesn't exist in 2.11.2 version and it has been introduce by python3-pygments 2.13.0 version. Hence, this is not vulnerable for 2.11.2 version. SQL+Jinja lexers is introduced by: https://github.com/pygments/pygments/commit/0bdbd5992baca32d18e01f0ec65337e06abf9456 3. Java properties commit from 2.15.1 release also doesn't apply on 2.11.2 version. Commit: https://github.com/pygments/pygments/commit/fdf182a7af85b1deeeb637ca970d31935e7c9d52 Actually, this code also doesn't exist in 2.11.2 version as the code has been modified in python3-pygments 2.14.0 by: https://github.com/pygments/pygments/commit/a38cb38e93c9635240b3ae89d78d38cf182745da Hence, this is also not vulnerable for 2.11.2 version. (From OE-Core rev: ebb224e65a7e1402ccf0d9517bd72748c18e012e) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libdnf: resolve cstdint inclusion for newer gcc versionsAbe Kohandel2023-09-084-0/+128
| | | | | | | | | | | | | | | Depending on the host gcc version, libdnf fails to compile due to missing cstdint inclusions. These issue have already been addressed upstream, add the patches to resolve this for older versions of the library. These commits are taken directly from the libdnf project at https://github.com/rpm-software-management/libdnf (From OE-Core rev: e1d9bc1f88bd989bafc20063938d7a70e1da104f) Signed-off-by: Abe Kohandel <abe.kohandel@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: upgrade to 3.10.13Chee Yang Lee2023-09-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Release date: 2023-08-24 Security gh-108310: Fixed an issue where instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake and included protections (like certificate verification) and treating sent unencrypted data as if it were post-handshake TLS encrypted data. Security issue reported as CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith. Library gh-107845: tarfile.data_filter() now takes the location of symlinks into account when determining their target, so it will no longer reject some valid tarballs with LinkOutsideDestinationError. Tools/Demos gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL 1.1.1v, 3.0.10, and 3.1.2. C API gh-99612: Fix PyUnicode_DecodeUTF8Stateful() for ASCII-only data: *consumed was not set. (From OE-Core rev: a30e51b8d13912f0d68bfffcd2d8ae6431d2b863) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* nasm: fix CVE-2020-21528Archana Polampalli2023-09-082-0/+48
| | | | | | | | | | | | | | | | | A Segmentation Fault issue discovered in in ieee_segment function in outieee.c in nasm 2.14.03 and 2.15 allows remote attackers to cause a denial of service via crafted assembly file. References: https://nvd.nist.gov/vuln/detail/CVE-2020-21528 Upstream patches: https://github.com/netwide-assembler/nasm/commit/93c774d482694643cafbc82578ac8b729fb5bc8b (From OE-Core rev: 87c4ec2d73ac2e52005e16e38a9a12affb8d51bd) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* file: fix CVE-2022-48554Chee Yang Lee2023-09-082-1/+38
| | | | | | | | | ignore changes to FILE_RCSID part. (From OE-Core rev: 20b5ead99d4904e70ea22f573bfefec8c6e862a2) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* json-c: fix CVE-2021-32292Adrian Freihofer2023-09-082-0/+31
| | | | | | | | | | | | | | | | | | | | This is a read past end of buffer issue in the json_parse test app, which can happened with malformed json data. It's not an issue with the library itself. For what ever reason this CVE has a base score of 9.8. Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-32292 Upstream issue: https://github.com/json-c/json-c/issues/654 The CVE is fixed with version 0.16 (which is already in all active branches of poky). (From OE-Core rev: a7b93651028b55d71b8db53ea831eee7fd539f33) Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>