summaryrefslogtreecommitdiffstats
path: root/meta
Commit message (Collapse)AuthorAgeFilesLines
...
* ghostscript: ignore CVE-2024-46954Peter Marko2025-01-091-1/+1
| | | | | | | | | | | | | | | Issue in the GhostPCL. GhostPCL not part of this GhostScript recipe. [1] points to [2] as patch, while file base/gp_utf8.c is not part of ghostscript source tarball. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-46954 [2] https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=55f587dd039282316f512e1bea64218fd991f934 (From OE-Core rev: 7f1b174b8f12fcf377c45c27022bac99b6652823) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsndfile1: Backport fix for CVE-2022-33065Vijay Anusuri2025-01-0914-1/+916
| | | | | | | | | | | | Added missing commits for complete CVE fix Ref: https://github.com/libsndfile/libsndfile/issues/833 https://ubuntu.com/security/CVE-2022-33065 (From OE-Core rev: fc34dde58e8be19d703479c8e025e27294cdb579) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* base-passwd: Add the sgx groupAlex Kiernan2024-12-202-0/+31
| | | | | | | | | | | | | | | | To avoid errors from eudev/udev we need an sgx group, but if we add it via groupadd that causes shadow login to be brought into an image, which causes images which have CONFIG_MULTIUSER unset to fail with `setgid: Function not implemented` as shadow's login doesn't implement the heuristics which busybox has to handle this kernel configuration. (From OE-Core rev: a20b02fdfe64c005f7587a1d9077bdc282f7b6b1) Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a1c81ac4a869cc57394071ace2ca086eb8ac47a4) Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* base-passwd: fix patchreview warningAlexandre Belloni2024-12-201-1/+1
| | | | | | | | | | | | | | | Fix: Malformed Upstream-Status 'Upstream status' (meta/recipes-core/base-passwd/base-passwd/0007-Add-wheel-group.patch) Unknown Upstream-Status value 'says' (meta/recipes-core/base-passwd/base-passwd/0007-Add-wheel-group.patch) (From OE-Core rev: 2e251b4ebefe825e7ccf7e3110e8b7fce2296032) Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 7b62b32fe154ca40a3bf731eaa5994ec351cf507) Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* base-passwd: add the wheel groupLouis Rannou2024-12-202-0/+21
| | | | | | | | | | | | | | | | The wheel group is not declared while it can be used to access the systemd journal and to configure printers in CUPS. It can also be used for su and sudo permissions. So far it was created later in the rootfs postcommand systemd_create_users. (From OE-Core rev: 4cafad1a0ef5506151656fd644dcdf3193245173) Signed-off-by: Louis Rannou <lrannou@baylibre.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit bebe52ae9576393ebb9d7405fc77fba21e84ba5b) Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* base-passwd: Update the status for two patchesPeter Kjellerstedt2024-12-202-2/+2
| | | | | | | | | | | | | | The two patches to disable use of debconf and generation of documentation have been merged upstream. (From OE-Core rev: f68617115d3518368db16bc16bcf4578619999fe) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit aca8844d7c05b4ba937625e59275d3f7953d3da7) Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* base-passwd: Update to 3.5.52Peter Kjellerstedt2024-12-207-101/+194
| | | | | | | | | | | | | | | | | | | | | * Add a patch to allow the use of debconf to be disabled. * Replace 0007-Disable-generation-of-the-documentation.patch with a new patch to disable the generation of the documentation using a configuration option. * Replace 0006-Disable-shell-for-default-users.patch with a sed expression that uses a variable, NOLOGIN, to specify what command to use for users that are not expected to login. This allows to use some other command than "nologin", e.g., "false". Also, by using ${base_sbindir}, it adheres to usrmerge being configured. (From OE-Core rev: 65f01b1e94d956c5591850deb6abc469e05138eb) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e7abf63cc8bdc61c8d978b3c21a38e17716fc292) Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* base-passwd: Regenerate the patchesPeter Kjellerstedt2024-12-2013-106/+134
| | | | | | | | | | | (From OE-Core rev: 1742f47e1388fcbe9681f8d74b9476d213b4eb0a) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 6515d96c12b080b9e7f344799e26dba3b98e17e2) Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* package.bbclass: Use shlex instead of deprecated pipesErnst Persson2024-12-201-2/+2
| | | | | | | | | | The pipes library is deprecated in Python 3.11 and will be removed in Python 3.13. pipes.quote is just an import of shlex.quote anyway. (From OE-Core rev: d167661bceebebafb04dca3bf6a888003f46e6c9) Signed-off-by: Ernst Persson <ernst.persson@non.se.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* subversion: fix CVE-2024-46901Jiaying Song2024-12-202-1/+163
| | | | | | | | | | | | | | | | | | | | | | Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository. All versions of Subversion up to and including Subversion 1.14.4 are affected if serving repositories via mod_dav_svn. Users are recommended to upgrade to version 1.14.5, which fixes this issue. Repositories served via other access methods are not affected. References: https://nvd.nist.gov/vuln/detail/CVE-2024-46901 Upstream patches: https://subversion.apache.org/security/CVE-2024-46901-advisory.txt (From OE-Core rev: 2082038de00090e4b10a151068876f83c83f94c7) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: fix CVE-2024-9632Yogita Urade2024-12-202-0/+59
| | | | | | | | | | | | | | | | | | | | A flaw was found in the X.org server. Due to improperly tracked allocation size in _XkbSetCompatMap, a local attacker may be able to trigger a buffer overflow condition via a specially crafted payload, leading to denial of service or local privilege escalation in distributions where the X.org server is run with root privileges. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-9632 Upstream patch: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0 (From OE-Core rev: 95027410dba7a2a7e9b93f76279272f22445399b) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-update-nvd2-native: Tweak to work better with NFS DL_DIRRichard Purdie2024-12-181-0/+2
| | | | | | | | | | | | | | | | | After much debugging, the corruption issues on the autobuilder appear to be due to the way sqlite accesses database files. It doesn't change the file timestamp after making changes, which for reasons unknown, confuses NFS. As soon as the file is touched, NFS becomes fine again accross the whole cluster, as if by magic. We could try and debug further but putting a "touch" call into the code is easy and harmless. Lets hope this removes this annoying source of errors. (From OE-Core rev: c73af2d77f4c3eb474237fa8d5e340be4aefeb67) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dbus: disable assertions and enable only modular testsAlexander Kanavin2024-12-161-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | There was a report that enabling assertions and all tests results in notices in log.do_configure: NOTE: building with unit tests increases the size of the installed library and renders it insecure. NOTE: building with assertions increases library size and decreases performance. This was overlooked when dbus and dbus-tests recipes were merged; enabling all tests and assertions still requires a special, separate build of dbus. If those tests are useful this could be revisited. Until then, we should use productions settings for the main recipe. Buildhistory-diff: packages/core2-64-poky-linux/dbus/dbus-dbg: PKGSIZE changed from 9958176 to 8627824 (-13%) packages/core2-64-poky-linux/dbus/dbus-lib: PKGSIZE changed from 544347 to 346339 (-36%) packages/core2-64-poky-linux/dbus/dbus-ptest: PKGSIZE changed from 3524983 to 3116951 (-12%) packages/core2-64-poky-linux/dbus/dbus-ptest: FILELIST: removed "/usr/share/installed-tests/dbus/test-dbus-launch-eval.sh_with_config.test /usr/share/installed-tests/dbus/test-counter_with_config.test /usr/libexec/installed-tests/dbus/test-dbus-launch-eval.sh /usr/libexec/installed-tests/dbus/test-dbus-launch-x11.sh /usr/share/installed-tests/dbus/test-counter.test /usr/libexec/installed-tests/dbus/test-counter /usr/share/installed-tests/dbus/test-dbus-launch-x11.sh.test /usr/share/installed-tests/dbus/test-dbus-launch-x11.sh_with_config.test /usr/share/installed-tests/dbus/test-dbus-launch-eval.sh.test" packages/core2-64-poky-linux/dbus/dbus: PKGSIZE changed from 510939 to 350331 (-31%) (From OE-Core rev: 054ce01ae84eb10e055a41ec8dd85ebce9ea23c8) (From OE-Core rev: b132b817f5931b290e5348dd4a17fbfdc5c6e2c4) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* unzip: Fix configure tests to use modern CKhem Raj2024-12-162-0/+113
| | | | | | | | | | | | Newer compilers end up with errors while compiling these test snippets and build results in failures. (From OE-Core rev: 61bd7eccd8e305e2dd95f0b0b86b09d72e99fc1a) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sanity: check for working user namespacesRoss Burton2024-12-161-0/+24
| | | | | | | | | | | | | | | | | | If user namespaces are not available (typically because AppArmor is blocking them), alert the user. We consider network isolation sufficiently important that this is a fatal error, and the user will need to configure AppArmor to allow bitbake to create a user namespace. [ YOCTO #15592 ] (From OE-Core rev: a069b9f9ee6708022e12970d53262d966ee806ba) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b6af956fe6e876957a49d4abf425e8c789bf0459) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rootfs-postcommands.bbclass: make opkg status reproduciblePeter Marko2024-12-161-0/+4
| | | | | | | | | | | | | | | | | | | | opkg stores the current time as Installed-Time in its status file when installing packages to the rootfs. Make this reproducible by replacing Installed-Time with ${REPRODUCIBLE_TIMESTAMP_ROOTFS}, which then also matches the files' datestamps. Based on OpenWrt's approach for the issue [1]. [1] https://github.com/openwrt/openwrt/blob/main/include/rootfs.mk#L103 (From OE-Core rev: 61a9b1b1cb618ce90ba7886036f41263075c07df) (From OE-Core rev: bfa9c2f15ac275fceccf22084bed9a064304eb6e) Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-requests: fix CVE-2024-35195Jiaying Song2024-12-162-1/+124
| | | | | | | | | | | | | | | | | | | | | Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0. References: https://nvd.nist.gov/vuln/detail/CVE-2024-35195 Upstream patches: https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac (From OE-Core rev: 8bc8d316a6e8ac08b4eb2b9e2ec30b1f2309c31c) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libpam: fix CVE-2024-10041Divya Chellam2024-12-162-0/+99
| | | | | | | | | | | | | | | | | | | | | A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications. References: https://security-tracker.debian.org/tracker/CVE-2024-10041 Upstream patches: https://github.com/linux-pam/linux-pam/commit/b3020da7da384d769f27a8713257fbe1001878be (From OE-Core rev: 3422c2533caaa2664944315580c52a2272815305) Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsdl2: ignore CVE-2020-14409 and CVE-2020-14410Peter Marko2024-12-161-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This was fixed in 2.0.14, but NVD DB lists > 2.0.20 causing false positives in CVE metrics. NVD entries [1] and [2] list commit [3] which redirects to commit [4]. Also Debian 10 uses this commit, while Debian 11 with 2.0.14 does not patch it and claims it's fixed. Trying to apply the patch shows it's already applied. Following shows git history of this commit wrt tags. SDL$ git describe a7ff6e96155f550a5597621ebeddd03c98aa9294 --tags release-2.0.12-305-ga7ff6e961 SDL$ git describe release-2.0.14 --tags --match=release-2.0.12 release-2.0.12-873-g4cd981609 SDL$ git describe release-2.0.20 --tags --match=release-2.0.12 release-2.0.12-3126-gb424665e0 [1] https://nvd.nist.gov/vuln/detail/CVE-2020-14409 [2] https://nvd.nist.gov/vuln/detail/CVE-2020-14410 [3] https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9 [4] https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294 (From OE-Core rev: 3079d562b4df69ab0ac20ec8d13a4240ce0a3514) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* oeqa/utils/gitarchive: Return tag name and improve exclude handlingRichard Purdie2024-12-091-1/+3
| | | | | | | | | | | | | Tweak the gitarchive exclude handling not to error if excluded files don't match. Also return the tagname created so that other code can then use it. (From OE-Core rev: 2df9c2248ac4996ad1fd1fe9f492eb2d71b758cb) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 1adba3430faffdf6217b6a00533a3b48a9388abc) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* resulttool: Use single space indentation in json outputRichard Purdie2024-12-091-1/+1
| | | | | | | | | | | | | Using 4 space indentation in resulted in hundreds of megabytes of extra file size in general use. Reduce this to make filesizes more managable and reduce the processing cost. Some level of indentation and spacing does make the files more readable and allows use of git diff so we need to retain some of it. (From OE-Core rev: cae6106f152c8c44e2d85179ad7e6831b974ffd5) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a274cdcaf852cca9497f0358f44dda99c06aacbe) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* selftest/reproducible: Clean up pathnamesRichard Purdie2024-12-091-1/+1
| | | | | | | | | | | | | | | | | | | There are several problems with these paths. Firstly they contain full system paths which depend upon where the test was run. These are pretty pointless and just take up a lot of space making the results files large. Secondly, they contain the same path twice. The reference and target path will always be the same thing in two different locations. Strip off the prefix and remove the duplication. This does change the output data but that can't really be avoided. It does shrink the results data and makes it more readable. (From OE-Core rev: 13d844b15deba49a54676fa6f83ab4526ec74b9a) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 81a44de36e864b08687451fd85aeba7c529fd7f7) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* selftest/reproducible: Drop rawlogsRichard Purdie2024-12-091-6/+0
| | | | | | | | | | | | | | | The "rawlogs" data consists of a long string of results data which is already in a structured data format. I can't see this is adding much value in duplciating the data but it does create a huge string with a lot of long problematic pathnames and inflates the results data size. I suggest we drop this data as obsolete and not necessary. (From OE-Core rev: 8e6210530042b722a4f7fea17e5d10cddcd8dfab) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 5b2c70fab2ffa409b861d83f048b65d458d03a90) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rxvt-unicode.inc: disable the terminfo installation by setting TIC to :Changqing Li2024-12-091-1/+2
| | | | | | | | | | | | | | | | | | | Without this change, TIC is the native tic in recipe-sysroot-native. By default, native tic has set its default terminfo path to native path: ${datadir}/terminfo; $HOME/.terminfo When sstate cache is used, the cached native tic's terminfo path could be a path not exist on current host, then native tic will try to install terminfo to HOME dir, cause host contamination. Disable the terminfo installation by setting TIC to : (From OE-Core rev: 33069a688930ccb98a66f02feac40382ecf6cf85) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit fe35ead2c3135a18c346e7baa31d34b15c3e2d95) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* do_package/sstate/sstatesig: Change timestamp clamping to hash output onlyRichard Purdie2024-12-092-17/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The code was changing the timestamps of the files in the do_package output, particularly the files added for debug sources. This was to do two things: a) make do_package sstate more reproducible b) ensure better hash equivalence matching Unfortuately the debug source files are hardlinks into the source tree for efficiency so touching these, touches a lot of files in ${B} and ${S}. This causes unpredictable effects if compile is run again for example, or could cause compiling in the install task. The hash equivalence matching is of key importance but we can mimic that using clamping of the file timestamps in the depsig output used to generate the hashes. This patch drops the global timestamp clamping, instead allowing the files to retain their creation timestamps into sstate. This makes do_package sstate slightly less reproducibile. We could clamp the sstate timestamps but that would lead to two different sets of timestamps depending on whether the data came from sstate or not. I'd prefer to have consistent code behaviour, rather than differing behavhour depending on whether data came from sstate or not. If we wanted to have reproducibiliy and fix the "corruption" of S/B and have consistent codepaths, the only other option would be two copies of the sources, which could end up huge and seems the least desireable option. This patch therefore drops the timestamp clamping in the sstate files and tweaks the depsig data generation to clamp the timestamps for do_package instead since this seems the best compromise. I validated that rpm/deb/ipk files still generate correctly as before. (From OE-Core rev: 0c93bb692b39af51f0ca109dfd1f949abe7eea9c) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 475759fdab7200488b2a568b2ba1aa31a456d113) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* diffoscope: fix CVE-2024-25711Jiaying Song2024-12-092-0/+117
| | | | | | | | | | | | | | | | | | diffoscope before 256 allows directory traversal via an embedded filename in a GPG file. Contents of any file, such as ../.ssh/id_rsa, may be disclosed to an attacker. This occurs because the value of the gpg --use-embedded-filenames option is trusted. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-25711 Upstream patches: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/458f7f04bc053a0066aa7d2fd3251747d4899476 (From OE-Core rev: da4977e9414361a30eb322d1456a664515b35693) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix CVE-2024-3447Yogita Urade2024-12-092-0/+138
| | | | | | | | | | | | | | | | | | | | A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. The bug is triggered when both `s->data_count` and the size of `s->fifo_buffer` are set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-3447 Upstream patch: https://gitlab.com/qemu-project/qemu/-/commit/2429cb7a9f460b544f4b07bcf02dbdedfc4dcb39 (From OE-Core rev: 01d7ac9244364b7f89cd2f99fff11c2417bcad03) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix CVE-2024-3446Divya Chellam2024-12-097-0/+948
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A double free vulnerability was found in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. This issue could allow a malicious privileged guest to crash the QEMU process on the host, resulting in a d enial of service or allow arbitrary code execution within the context of the QEMU process on the host. CVE-2024-3446-0004, CVE-2024-3446-0005, CVE-2024-3446-0006 are CVE fix and CVE-2024-3446-0001, CVE-2024-3446-0002, CVE-2024-3446-0003 are dependent commits to fix the CVE. References: https://nvd.nist.gov/vuln/detail/CVE-2024-3446 Upstream patches: https://gitlab.com/qemu-project/qemu/-/commit/9c86c97f12c060bf7484dd931f38634e166a81f0 https://gitlab.com/qemu-project/qemu/-/commit/f63192b0544af5d3e4d5edfd85ab520fcf671377 https://gitlab.com/qemu-project/qemu/-/commit/ec0504b989ca61e03636384d3602b7bf07ffe4da https://gitlab.com/qemu-project/qemu/-/commit/ba28e0ff4d95b56dc334aac2730ab3651ffc3132 https://gitlab.com/qemu-project/qemu/-/commit/b4295bff25f7b50de1d9cc94a9c6effd40056bca https://gitlab.com/qemu-project/qemu/-/commit/f4729ec39ad97a42ceaa7b5697f84f440ea6e5dc (From OE-Core rev: db7e3a56656db0bc61ec2e35ccc149e9b90a389b) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: patch CVE-2024-6505Peter Marko2024-12-092-0/+41
| | | | | | | | | | | | | Backport patch [3] as linked from [1] via [2]. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-6505 [2] https://bugzilla.redhat.com/show_bug.cgi?id=2295760 [3] https://gitlab.com/qemu-project/qemu/-/commit/f1595ceb (From OE-Core rev: 7e725e126689cc44055e27a05efafb7b52e89192) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* pixman: ignore CVE-2023-37769Peter Marko2024-12-091-0/+3
| | | | | | | | | | Same was done in newer Yocto releases. See commit 72f2d4cf44b795f766ecdee0b8362c7e162c5efc (From OE-Core rev: 390421edf8b6eb6031de657cdcaf0c7d50b605be) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* grub: ignore CVE-2024-1048 and CVE-2023-4001Peter Marko2024-12-091-0/+2
| | | | | | | | | | | Same was done in newer Yocto releases. See commit: f99b25355133fe8f65a55737270e67ea10b79d52 See commit: 40cd768368167f81de5bb55e9ff0584035f4c1b4 (From OE-Core rev: 823f7ab85cff010c777616ed5db0e0c41f6cc4e6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: ignore CVE-2022-36648Peter Marko2024-12-091-0/+5
| | | | | | | | | The CVE has disputed flag in NVD DB. (From OE-Core rev: bd01091c33c1de6ae7e1605301e3f73350ee7e7e) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gnupg: ignore CVE-2022-3515Peter Marko2024-12-091-0/+2
| | | | | | | | | | This is vulnerability of libksba and we use fixed libksba version (currently 1.6.4). (From OE-Core rev: 12007a6d19db220e6540948de9818332192ecde1) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cpio: ignore CVE-2023-7216Peter Marko2024-12-091-0/+2
| | | | | | | | | | Same was done in newer Yocto releases. See commit See commit 0f2cd2bbaddba3b8c80d71db274bbcd941d0e60e (From OE-Core rev: 50d8a653104abb9b5cd8a708a7bd97446e894bcf) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup-2.4: Backport fix for CVE-2024-52531Vijay Anusuri2024-12-093-0/+169
| | | | | | | | | | | | | | | | | | | | import patch from ubuntu to fix CVE-2024-52531 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/libsoup2.4/tree/debian/patches?h=ubuntu/jammy-security Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283 & https://gitlab.gnome.org/GNOME/libsoup/-/commit/825fda3425546847b42ad5270544e9388ff349fe] Reference: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/ https://ubuntu.com/security/CVE-2024-52531 (From OE-Core rev: 763af055ccb1cbcc4f8fa0944815ec02e3bff87c) Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-zipp: fix CVE-2024-5569Hongxu Jia2024-12-096-0/+300
| | | | | | | | | | | | | | | | | | According to [1] which provided the fix link [2], but upstream author reworked it later [3][4][5] Backport and rebase all the patches for tracing [1] https://nvd.nist.gov/vuln/detail/CVE-2024-5569 [2] https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd [3] https://github.com/jaraco/zipp/commit/3cb5609002263eb19f7b5efda82d96f1f57fe876 [4] https://github.com/jaraco/zipp/commit/f89b93f0370dd85d23d243e25dfc1f99f4d8de48 [5] https://github.com/jaraco/zipp/commit/cc61e6140f0dfde2ff372db932442cf6df890f09 (From OE-Core rev: 13bd99e17f0aca108839e81e9aa0b14351116fdf) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: fix CVE-2024-52531Changqing Li2024-12-094-0/+295
| | | | | | | | | | | | | | | | CVE-2024-52531: GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. Input received over the network cannot trigger this. Refer: https://nvd.nist.gov/vuln/detail/CVE-2024-52531 https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407/ (From OE-Core rev: 1159c7ef071fa2849f44e921c9b7c27fcbb6bfb3) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: fix CVE-2024-1298Hongxu Jia2024-12-092-0/+52
| | | | | | | | | | | Backport a fix from upstream to resolve CVE-2024-1298 https://github.com/tianocore/edk2/commit/284dbac43da752ee34825c8b3f6f9e8281cb5a19 (From OE-Core rev: af65d3e221fb239c2dd769ce109e78c720e35793) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: fix CVE-2024-38796Hongxu Jia2024-12-092-0/+38
| | | | | | | | | | | Backport a fix from upstream to resolve CVE-2024-38796 https://github.com/tianocore/edk2/commit/c95233b8525ca6828921affd1496146cff262e65 (From OE-Core rev: c3d1be52b4dc18e6980bf6c3f2e2cb7fba9f986e) Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2022-36765Soumya Sambu2024-12-094-0/+474
| | | | | | | | | | | | | | | | | | | | | EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability. References: https://nvd.nist.gov/vuln/detail/CVE-2022-36765 Upstream-patches: https://github.com/tianocore/edk2/commit/59f024c76ee57c2bec84794536302fc770cd6ec2 https://github.com/tianocore/edk2/commit/aeaee8944f0eaacbf4cdf39279785b9ba4836bb6 https://github.com/tianocore/edk2/commit/9a75b030cf27d2530444e9a2f9f11867f79bf679 (From OE-Core rev: 260fc2182e6a83d7c93b2e8efd95255cd9168a79) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2023-45236Soumya Sambu2024-12-092-0/+830
| | | | | | | | | | | | | | | | | | EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45236 Upstream-patch: https://github.com/tianocore/edk2/commit/1904a64bcc18199738e5be183d28887ac5d837d7 (From OE-Core rev: a9cd3321558e95f61ed4c5eca0dcf5a3f4704925) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2023-45237Soumya Sambu2024-12-093-0/+1368
| | | | | | | | | | | | | | | | | | EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45237 Upstream-patches: https://github.com/tianocore/edk2/commit/cf07238e5fa4f8b1138ac1c9e80530b4d4e59f1c https://github.com/tianocore/edk2/commit/4c4ceb2ceb80c42fd5545b2a4bd80321f07f4345 (From OE-Core rev: 6f8bdaad9d22e65108f859a695277ce1b20ef7c6) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2023-45229Soumya Sambu2024-12-095-0/+1548
| | | | | | | | | | | | | | | | | | | | | | EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45229 Upstream-patches: https://github.com/tianocore/edk2/commit/1dbb10cc52dc8ef49bb700daa1cefc76b26d52e0 https://github.com/tianocore/edk2/commit/07362769ab7a7d74dbea1c7a7a3662c7b5d1f097 https://github.com/tianocore/edk2/commit/1c440a5eceedc64e892877eeac0f1a4938f5abbb https://github.com/tianocore/edk2/commit/1d0b95f6457d225c5108302a9da74b4ed7aa5a38 (From OE-Core rev: 23a87c571ae4cdd285a96af0d458906aaf8c4571) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2023-45235Soumya Sambu2024-12-093-0/+624
| | | | | | | | | | | | | | | | | | | | EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45235 Upstream-patches: https://github.com/tianocore/edk2/commit/fac297724e6cc343430cd0104e55cd7a96d1151e https://github.com/tianocore/edk2/commit/ff2986358f75d8f58ef08a66fe673539c9c48f41 (From OE-Core rev: dd26902517c30f34cc661cf9f79fc589d0358412) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2023-45234Soumya Sambu2024-12-093-0/+641
| | | | | | | | | | | | | | | | | | | | EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45234 Upstream-patches: https://github.com/tianocore/edk2/commit/1b53515d53d303166b2bbd31e2cc7f16fd0aecd7 https://github.com/tianocore/edk2/commit/458c582685fc0e8057d2511c5a0394078d988c17 (From OE-Core rev: d9d9e66349ac0a2e58f54b104fb1b30f1633c1ab) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2023-45232, CVE-2023-45233Soumya Sambu2024-12-093-0/+779
| | | | | | | | | | | | | | | | | | | | | | | | | | | CVE-2023-45232: EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability. CVE-2023-45233: EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45232 https://nvd.nist.gov/vuln/detail/CVE-2023-45233 Upstream-patches: https://github.com/tianocore/edk2/commit/4df0229ef992d4f2721a8508787ebf9dc81fbd6e https://github.com/tianocore/edk2/commit/c9c87f08dd6ace36fa843424522c3558a8374cac (From OE-Core rev: c84eb03f07687d2e0df1e2033599fa2cf79c6b4d) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2023-45231Soumya Sambu2024-12-093-0/+317
| | | | | | | | | | | | | | | | | | | EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45231 Upstream-patches: https://github.com/tianocore/edk2/commit/bbfee34f4188ac00371abe1389ae9c9fb989a0cd https://github.com/tianocore/edk2/commit/6f77463d72807ec7f4ed6518c3dac29a1040df9f (From OE-Core rev: bdff14d8e6f4dad7b873442c813672ef0ec6fb01) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2023-45230Soumya Sambu2024-12-093-0/+2223
| | | | | | | | | | | | | | | | | | | EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability. References: https://nvd.nist.gov/vuln/detail/CVE-2023-45230 Upstream-patches: https://github.com/tianocore/edk2/commit/f31453e8d6542461d92d835e0b79fec8b039174d https://github.com/tianocore/edk2/commit/5f3658197bf29c83b3349b0ab1d99cdb0c3814bc (From OE-Core rev: 50b50174f057a9a5fb9773e67b4f183ae942ff10) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2022-36764Soumya Sambu2024-12-094-0/+603
| | | | | | | | | | | | | | | | | | | | EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability. References: https://nvd.nist.gov/vuln/detail/CVE-2022-36764 Upstream-patches: https://github.com/tianocore/edk2/commit/c7b27944218130cca3bbb20314ba5b88b5de4aa4 https://github.com/tianocore/edk2/commit/0d341c01eeabe0ab5e76693b36e728b8f538a40e https://github.com/tianocore/edk2/commit/8f6d343ae639fba8e4b80e45257275e23083431f (From OE-Core rev: aba14824159e549fd77cb90e3a9a327c527b366f) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2022-36763Soumya Sambu2024-12-094-0/+1932
| | | | | | | | | | | | | | | | | | | | EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability. References: https://nvd.nist.gov/vuln/detail/CVE-2022-36763 Upstream-patches: https://github.com/tianocore/edk2/commit/224446543206450ddb5830e6abd026d61d3c7f4b https://github.com/tianocore/edk2/commit/4776a1b39ee08fc45c70c1eab5a0195f325000d3 https://github.com/tianocore/edk2/commit/1ddcb9fc6b4164e882687b031e8beacfcf7df29e (From OE-Core rev: 26db24533f9f32c32189e4621102b628a9ea6729) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>