* [OE-core][dunfell 00/17] Patch review
@ 2021-08-13 14:29 Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 01/17] aspell: fix CVE-2019-25051 Steve Sakoman
` (16 more replies)
0 siblings, 17 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
Please review this next set of patches for dunfell and have comments back by
end of day Monday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/2441
The following changes since commit bae9c6482271d53dc28d3c801fba467e268003bd:
sstate: Fix rebuilds when changing layer config (2021-08-04 09:57:23 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut
Jose Quaresma (1):
sstate.bbclass: fix error handling when sstate mirrors is ro
Lee Chee Yang (2):
aspell: fix CVE-2019-25051
libsolv: fix CVE-2021-3200
Matthias Klein (1):
runqemu: Fix typo in error message
Michael Opdenacker (4):
cve-check: fix comments
cve-check: update link to NVD website for CVE details
cve-check: improve comment about CVE patch file names
cve-check: remove deprecated CVE_CHECK_CVE_WHITELIST
Minjae Kim (1):
ruby: 2.7.3 -> 2.7.4
Paul Barker (1):
kernel-yocto: Simplify no git repo case in do_kernel_checkout
Ralph Siemsen (1):
glibc: Document and whitelist CVE-2021-35942
Ranjitsinh Rathod (1):
systemd: Add fix for CVE-2020-13529 and CVE-2021-33910
Richard Purdie (2):
license: Exclude COPYING.MIT from pseudo
image: Drop COMPRESS_CMD
Ross Burton (2):
e2fsprogs: ensure small images have 256-byte inodes
wic: don't forcibly pass -T default
akuster (1):
cve-check: add include/exclude layers
meta/classes/cve-check.bbclass | 37 +++++--
meta/classes/image.bbclass | 3 +-
meta/classes/kernel-yocto.bbclass | 30 +++---
meta/classes/license.bbclass | 4 +-
meta/classes/sstate.bbclass | 2 +
meta/recipes-core/glibc/glibc_2.31.bb | 10 ++
.../systemd/systemd/CVE-2020-13529.patch | 42 ++++++++
.../systemd/systemd/CVE-2021-33910.patch | 67 ++++++++++++
meta/recipes-core/systemd/systemd_244.5.bb | 2 +
.../e2fsprogs/big-inodes-for-small-fs.patch | 22 ++++
.../e2fsprogs/e2fsprogs_1.45.4.bb | 1 +
.../ruby/{ruby_2.7.3.bb => ruby_2.7.4.bb} | 4 +-
.../libsolv/files/CVE-2021-3200.patch | 67 ++++++++++++
.../libsolv/libsolv_0.7.10.bb | 1 +
meta/recipes-support/aspell/aspell_0.60.8.bb | 4 +-
.../aspell/files/CVE-2019-25051.patch | 101 ++++++++++++++++++
scripts/lib/wic/canned-wks/common.wks.inc | 2 +-
scripts/lib/wic/canned-wks/directdisk-gpt.wks | 2 +-
scripts/lib/wic/canned-wks/mkefidisk.wks | 2 +-
scripts/runqemu | 2 +-
20 files changed, 369 insertions(+), 36 deletions(-)
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
rename meta/recipes-devtools/ruby/{ruby_2.7.3.bb => ruby_2.7.4.bb} (95%)
create mode 100644 meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
create mode 100644 meta/recipes-support/aspell/files/CVE-2019-25051.patch
--
2.25.1
^ permalink raw reply [flat|nested] 20+ messages in thread
* [OE-core][dunfell 01/17] aspell: fix CVE-2019-25051
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 02/17] systemd: Add fix for CVE-2020-13529 and CVE-2021-33910 Steve Sakoman
` (15 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 297f8c4eb4ff209b5ea69910902d216d86dbe2bf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/aspell/aspell_0.60.8.bb | 4 +-
.../aspell/files/CVE-2019-25051.patch | 101 ++++++++++++++++++
2 files changed, 104 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/aspell/files/CVE-2019-25051.patch
diff --git a/meta/recipes-support/aspell/aspell_0.60.8.bb b/meta/recipes-support/aspell/aspell_0.60.8.bb
index 6548c54b64..9147c820e7 100644
--- a/meta/recipes-support/aspell/aspell_0.60.8.bb
+++ b/meta/recipes-support/aspell/aspell_0.60.8.bb
@@ -13,7 +13,9 @@ HOMEPAGE = "http://aspell.net/"
LICENSE = "LGPLv2 | LGPLv2.1"
LIC_FILES_CHKSUM = "file://COPYING;md5=7fbc338309ac38fefcd64b04bb903e34"
-SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz"
+SRC_URI = "${GNU_MIRROR}/aspell/aspell-${PV}.tar.gz \
+ file://CVE-2019-25051.patch \
+"
SRC_URI[md5sum] = "012fa9209203ae4e5a61c2a668fd10e3"
SRC_URI[sha256sum] = "f9b77e515334a751b2e60daab5db23499e26c9209f5e7b7443b05235ad0226f2"
diff --git a/meta/recipes-support/aspell/files/CVE-2019-25051.patch b/meta/recipes-support/aspell/files/CVE-2019-25051.patch
new file mode 100644
index 0000000000..8513f6de79
--- /dev/null
+++ b/meta/recipes-support/aspell/files/CVE-2019-25051.patch
@@ -0,0 +1,101 @@
+From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 21 Dec 2019 20:32:47 +0000
+Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
+ to prevent a buffer overflow
+
+Bug found using OSS-Fuze.
+
+Upstream-Status: Backport
+[https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a]
+CVE: CVE-2019-25051
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ common/objstack.hpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/common/objstack.hpp b/common/objstack.hpp
+index 3997bf7..bd97ccd 100644
+--- a/common/objstack.hpp
++++ b/common/objstack.hpp
+@@ -5,6 +5,7 @@
+ #include "parm_string.hpp"
+ #include <stdlib.h>
+ #include <assert.h>
++#include <stddef.h>
+
+ namespace acommon {
+
+@@ -26,6 +27,12 @@ class ObjStack
+ byte * temp_end;
+ void setup_chunk();
+ void new_chunk();
++ bool will_overflow(size_t sz) const {
++ return offsetof(Node,data) + sz > chunk_size;
++ }
++ void check_size(size_t sz) {
++ assert(!will_overflow(sz));
++ }
+
+ ObjStack(const ObjStack &);
+ void operator=(const ObjStack &);
+@@ -56,7 +63,7 @@ class ObjStack
+ void * alloc_bottom(size_t size) {
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
+ return tmp;
+ }
+ // This alloc_bottom will insure that the object is aligned based on the
+@@ -66,7 +73,7 @@ class ObjStack
+ align_bottom(align);
+ byte * tmp = bottom;
+ bottom += size;
+- if (bottom > top) {new_chunk(); goto loop;}
++ if (bottom > top) {check_size(size); new_chunk(); goto loop;}
+ return tmp;
+ }
+ char * dup_bottom(ParmString str) {
+@@ -79,7 +86,7 @@ class ObjStack
+ // always be aligned as such.
+ void * alloc_top(size_t size) {
+ top -= size;
+- if (top < bottom) {new_chunk(); top -= size;}
++ if (top < bottom) {check_size(size); new_chunk(); top -= size;}
+ return top;
+ }
+ // This alloc_top will insure that the object is aligned based on
+@@ -88,7 +95,7 @@ class ObjStack
+ {loop:
+ top -= size;
+ align_top(align);
+- if (top < bottom) {new_chunk(); goto loop;}
++ if (top < bottom) {check_size(size); new_chunk(); goto loop;}
+ return top;
+ }
+ char * dup_top(ParmString str) {
+@@ -117,6 +124,7 @@ class ObjStack
+ void * alloc_temp(size_t size) {
+ temp_end = bottom + size;
+ if (temp_end > top) {
++ check_size(size);
+ new_chunk();
+ temp_end = bottom + size;
+ }
+@@ -131,6 +139,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
+@@ -150,6 +159,7 @@ class ObjStack
+ } else {
+ size_t s = temp_end - bottom;
+ byte * p = bottom;
++ check_size(size);
+ new_chunk();
+ memcpy(bottom, p, s);
+ temp_end = bottom + size;
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 02/17] systemd: Add fix for CVE-2020-13529 and CVE-2021-33910
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 01/17] aspell: fix CVE-2019-25051 Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 03/17] glibc: Document and whitelist CVE-2021-35942 Steve Sakoman
` (14 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Added fix for below CVEs from below Link
http://archive.ubuntu.com/ubuntu/pool/main/s/systemd/systemd_237-3ubuntu10.50.debian.tar.xz
1. CVE-2020-13529
Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
Hunk #1 refreshed to resolve patch-fuzz
2. CVE-2021-33910
Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../systemd/systemd/CVE-2020-13529.patch | 42 ++++++++++++
.../systemd/systemd/CVE-2021-33910.patch | 67 +++++++++++++++++++
meta/recipes-core/systemd/systemd_244.5.bb | 2 +
3 files changed, 111 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
diff --git a/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
new file mode 100644
index 0000000000..6b499efbd8
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2020-13529.patch
@@ -0,0 +1,42 @@
+From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+
+Fixes #16774.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38e980a6a5a3442c2f48b1f827284388096d8ca5]
+CVE: CVE-2020-13529
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1392,9 +1392,17 @@ static int client_handle_forcerenew(sd_dhcp_client *client, DHCPMessage *force,
+ if (r != DHCP_FORCERENEW)
+ return -ENOMSG;
+
++#if 0
+ log_dhcp_client(client, "FORCERENEW");
+
+ return 0;
++#else
++ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
++ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
++ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
++ log_dhcp_client(client, "Received FORCERENEW, ignoring.");
++ return -ENOMSG;
++#endif
+ }
+
+ static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {
diff --git a/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
new file mode 100644
index 0000000000..e92d721d3d
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2021-33910.patch
@@ -0,0 +1,67 @@
+Backport of:
+
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9]
+CVE: CVE-2021-33910
+
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, char **ret) {
+ }
+
+ int unit_name_path_escape(const char *f, char **ret) {
+- char *p, *s;
++ _cleanup_free_ char *p = NULL;
++ char *s;
+
+ assert(f);
+ assert(ret);
+
+- p = strdupa(f);
++ p = strdup(f);
+ if (!p)
+ return -ENOMEM;
+
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f, char **ret) {
+ if (!path_is_normalized(p))
+ return -EINVAL;
+
+- /* Truncate trailing slashes */
++ /* Truncate trailing slashes and skip leading slashes */
+ delete_trailing_chars(p, "/");
+-
+- /* Truncate leading slashes */
+- p = skip_leading_chars(p, "/");
+-
+- s = unit_name_escape(p);
++ s = unit_name_escape(skip_leading_chars(p, "/"));
+ }
+ if (!s)
+ return -ENOMEM;
diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index 8c95648ca0..7a7eddcd45 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -20,6 +20,8 @@ SRC_URI += "file://touchscreen.rules \
file://99-default.preset \
file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
file://0003-implment-systemd-sysv-install-for-OE.patch \
+ file://CVE-2021-33910.patch \
+ file://CVE-2020-13529.patch \
"
# patches needed by musl
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 03/17] glibc: Document and whitelist CVE-2021-35942
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 01/17] aspell: fix CVE-2019-25051 Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 02/17] systemd: Add fix for CVE-2020-13529 and CVE-2021-33910 Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 04/17] libsolv: fix CVE-2021-3200 Steve Sakoman
` (13 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Ralph Siemsen <ralph.siemsen@linaro.org>
This CVE is fixed in the upstream glibc-2.31 branch, and dunfell already
includes an update to this version in commit e1e89ff7d75c3d22 ("glibc:
update to lastest 2.31 release HEAD")
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/glibc/glibc_2.31.bb | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 23242fff76..8742efc36f 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -18,6 +18,16 @@ CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
CVE_CHECK_WHITELIST += "CVE-2019-1010025"
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35942
+# The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash
+# or read arbitrary memory in parse_param (in posix/wordexp.c) when called with
+# an untrusted, crafted pattern, potentially resulting in a denial of service
+# or disclosure of information. Patch was backported to 2.31 branch already:
+# https://sourceware.org/git/?p=glibc.git;a=commit;h=4f0a61f75385c9a5879cbe7202042e88f692a3c8
+# which is already included in the dunfell branch of poky:
+# https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?h=dunfell&id=e1e89ff7d75c3d2223f9e3bd875b9b0c5e15836b
+CVE_CHECK_WHITELIST += "CVE-2021-35942"
+
DEPENDS += "gperf-native bison-native make-native"
NATIVESDKFIXES ?= ""
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 04/17] libsolv: fix CVE-2021-3200
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (2 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 03/17] glibc: Document and whitelist CVE-2021-35942 Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 05/17] ruby: 2.7.3 -> 2.7.4 Steve Sakoman
` (12 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libsolv/files/CVE-2021-3200.patch | 67 +++++++++++++++++++
.../libsolv/libsolv_0.7.10.bb | 1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
diff --git a/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch b/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
new file mode 100644
index 0000000000..74164ab495
--- /dev/null
+++ b/meta/recipes-extended/libsolv/files/CVE-2021-3200.patch
@@ -0,0 +1,67 @@
+From 0077ef29eb46d2e1df2f230fc95a1d9748d49dec Mon Sep 17 00:00:00 2001
+From: Michael Schroeder <mls@suse.de>
+Date: Mon, 14 Dec 2020 11:12:00 +0100
+Subject: [PATCH] testcase_read: error out if repos are added or the system is
+ changed too late
+
+We must not add new solvables after the considered map was created, the solver
+was created, or jobs were added. We may not changed the system after jobs have
+been added.
+
+(Jobs may point inside the whatproviedes array, so we must not invalidate this
+area.)
+
+Upstream-Status: Backport
+https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec
+CVE: CVE-2021-3200
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ ext/testcase.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/ext/testcase.c b/ext/testcase.c
+index 0be7a213..8fb6d793 100644
+--- a/ext/testcase.c
++++ b/ext/testcase.c
+@@ -1991,6 +1991,7 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ Id *genid = 0;
+ int ngenid = 0;
+ Queue autoinstq;
++ int oldjobsize = job ? job->count : 0;
+
+ if (resultp)
+ *resultp = 0;
+@@ -2065,6 +2066,21 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ int prio, subprio;
+ const char *rdata;
+
++ if (pool->considered)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after packages were disabled");
++ continue;
++ }
++ if (solv)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after the solver was created");
++ continue;
++ }
++ if (job && job->count != oldjobsize)
++ {
++ pool_error(pool, 0, "testcase_read: cannot add repos after jobs have been created");
++ continue;
++ }
+ prepared = 0;
+ if (!poolflagsreset)
+ {
+@@ -2125,6 +2141,11 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res
+ int i;
+
+ /* must set the disttype before the arch */
++ if (job && job->count != oldjobsize)
++ {
++ pool_error(pool, 0, "testcase_read: cannot change the system after jobs have been created");
++ continue;
++ }
+ prepared = 0;
+ if (strcmp(pieces[2], "*") != 0)
+ {
diff --git a/meta/recipes-extended/libsolv/libsolv_0.7.10.bb b/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
index 1cf5e2eb29..eadf04aa5a 100644
--- a/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
+++ b/meta/recipes-extended/libsolv/libsolv_0.7.10.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.BSD;md5=62272bd11c97396d4aaf1c41bc11f7d8"
DEPENDS = "expat zlib"
SRC_URI = "git://github.com/openSUSE/libsolv.git \
+ file://CVE-2021-3200.patch \
"
SRCREV = "605dd2645ef899e2b7c95709476fb51e28d7e378"
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 05/17] ruby: 2.7.3 -> 2.7.4
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (3 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 04/17] libsolv: fix CVE-2021-3200 Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 06/17] license: Exclude COPYING.MIT from pseudo Steve Sakoman
` (11 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Minjae Kim <flowergom@gmail.com>
This release includes security fixes.
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
CVE-2021-31799: A command injection vulnerability in RDoc
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/ruby/{ruby_2.7.3.bb => ruby_2.7.4.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-devtools/ruby/{ruby_2.7.3.bb => ruby_2.7.4.bb} (95%)
diff --git a/meta/recipes-devtools/ruby/ruby_2.7.3.bb b/meta/recipes-devtools/ruby/ruby_2.7.4.bb
similarity index 95%
rename from meta/recipes-devtools/ruby/ruby_2.7.3.bb
rename to meta/recipes-devtools/ruby/ruby_2.7.4.bb
index 318b9acdae..dafa7d2f6b 100644
--- a/meta/recipes-devtools/ruby/ruby_2.7.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_2.7.4.bb
@@ -9,8 +9,8 @@ SRC_URI += " \
file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
"
-SRC_URI[md5sum] = "72ef97685008981de3ddb748d0dab31f"
-SRC_URI[sha256sum] = "8925a95e31d8f2c81749025a52a544ea1d05dad18794e6828709268b92e55338"
+SRC_URI[md5sum] = "823cd21d93c69e4168b03dd127369343"
+SRC_URI[sha256sum] = "3043099089608859fc8cce7f9fdccaa1f53a462457e3838ec3b25a7d609fbc5b"
PACKAGECONFIG ??= ""
PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 06/17] license: Exclude COPYING.MIT from pseudo
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (4 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 05/17] ruby: 2.7.3 -> 2.7.4 Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 07/17] image: Drop COMPRESS_CMD Steve Sakoman
` (10 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Along with the other license exclusions, we need to exclude the
top level COPYING.MIT file else when:
COPY_LIC_DIRS = "1"
COPY_LIC_MANIFEST = "1"
is set, we see eSDK failures from a pseudo abort.
[YOCTO #14366]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3eb580843de3f055e42fcce60b0f15c4190c0542)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/license.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes/license.bbclass b/meta/classes/license.bbclass
index dc91118340..73f99e87a8 100644
--- a/meta/classes/license.bbclass
+++ b/meta/classes/license.bbclass
@@ -31,8 +31,8 @@ python do_populate_lic() {
f.write("%s: %s\n" % (key, info[key]))
}
-PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '')).split())}"
-# it would be better to copy them in do_install_append, but find_license_filesa is python
+PSEUDO_IGNORE_PATHS .= ",${@','.join(((d.getVar('COMMON_LICENSE_DIR') or '') + ' ' + (d.getVar('LICENSE_PATH') or '') + ' ' + d.getVar('COREBASE') + '/meta/COPYING').split())}"
+# it would be better to copy them in do_install:append, but find_license_filesa is python
python perform_packagecopy_prepend () {
enabled = oe.data.typed_value('LICENSE_CREATE_PACKAGE', d)
if d.getVar('CLASSOVERRIDE') == 'class-target' and enabled:
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 07/17] image: Drop COMPRESS_CMD
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (5 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 06/17] license: Exclude COPYING.MIT from pseudo Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 21:56 ` Richard Purdie
2021-08-13 14:29 ` [OE-core][dunfell 08/17] kernel-yocto: Simplify no git repo case in do_kernel_checkout Steve Sakoman
` (9 subsequent siblings)
16 siblings, 1 reply; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
This was replaced by CONVERSION_CMD a long time ago and is no longer referenced
in core. Remove the references to it.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 576d52cdaca047d290c3b10b26aa2244da230dbb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/image.bbclass | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 1900eff412..0e252e99ff 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -460,11 +460,10 @@ python () {
# Create input image first.
gen_conversion_cmds(type)
localdata.setVar('type', type)
- cmd = "\t" + (localdata.getVar("CONVERSION_CMD_" + ctype) or localdata.getVar("COMPRESS_CMD_" + ctype))
+ cmd = "\t" + localdata.getVar("CONVERSION_CMD_" + ctype)
if cmd not in cmds:
cmds.append(cmd)
vardeps.add('CONVERSION_CMD_' + ctype)
- vardeps.add('COMPRESS_CMD_' + ctype)
subimage = type + "." + ctype
if subimage not in subimages:
subimages.append(subimage)
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 08/17] kernel-yocto: Simplify no git repo case in do_kernel_checkout
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (6 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 07/17] image: Drop COMPRESS_CMD Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 09/17] runqemu: Fix typo in error message Steve Sakoman
` (8 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Paul Barker <paul@pbarker.dev>
If the kernel sources are not fetched via git, a local git repository is
created in do_kernel_checkout. In this case we know that there will be
no remote branches and we will already be on the correct branch (since
only one branch will exist). So we can simplify things by skipping these
steps.
This also removes the assumption that the default git branch name will
be "master". Prior to this change, the final git checkout command in
do_kernel_checkout could fail if a local git repo was created and the
user had changed init.defaultBranch in their gitconfig.
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit af2a9c92d4498492ca23388c7b4bbed48abdc4d7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/kernel-yocto.bbclass | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/meta/classes/kernel-yocto.bbclass b/meta/classes/kernel-yocto.bbclass
index 66cce92362..a1a073b738 100644
--- a/meta/classes/kernel-yocto.bbclass
+++ b/meta/classes/kernel-yocto.bbclass
@@ -320,6 +320,21 @@ do_kernel_checkout() {
fi
fi
cd ${S}
+
+ # convert any remote branches to local tracking ones
+ for i in `git branch -a --no-color | grep remotes | grep -v HEAD`; do
+ b=`echo $i | cut -d' ' -f2 | sed 's%remotes/origin/%%'`;
+ git show-ref --quiet --verify -- "refs/heads/$b"
+ if [ $? -ne 0 ]; then
+ git branch $b $i > /dev/null
+ fi
+ done
+
+ # Create a working tree copy of the kernel by checking out a branch
+ machine_branch="${@ get_machine_branch(d, "${KBRANCH}" )}"
+
+ # checkout and clobber any unimportant files
+ git checkout -f ${machine_branch}
else
# case: we have no git repository at all.
# To support low bandwidth options for building the kernel, we'll just
@@ -341,21 +356,6 @@ do_kernel_checkout() {
git commit -q -m "baseline commit: creating repo for ${PN}-${PV}"
git clean -d -f
fi
-
- # convert any remote branches to local tracking ones
- for i in `git branch -a --no-color | grep remotes | grep -v HEAD`; do
- b=`echo $i | cut -d' ' -f2 | sed 's%remotes/origin/%%'`;
- git show-ref --quiet --verify -- "refs/heads/$b"
- if [ $? -ne 0 ]; then
- git branch $b $i > /dev/null
- fi
- done
-
- # Create a working tree copy of the kernel by checking out a branch
- machine_branch="${@ get_machine_branch(d, "${KBRANCH}" )}"
-
- # checkout and clobber any unimportant files
- git checkout -f ${machine_branch}
}
do_kernel_checkout[dirs] = "${S}"
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 09/17] runqemu: Fix typo in error message
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (7 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 08/17] kernel-yocto: Simplify no git repo case in do_kernel_checkout Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 10/17] cve-check: add include/exclude layers Steve Sakoman
` (7 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Matthias Klein <matthias@extraklein.de>
Signed-off-by: Matthias Klein <matthias@extraklein.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5cc0051d50974e198313f9513b24fd7ae9a96dd4)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/runqemu | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/runqemu b/scripts/runqemu
index 63e533a934..10880ba6bb 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -764,7 +764,7 @@ class BaseConfig(object):
raise RunQemuError('BIOS not found: %s' % bios_match_name)
if not os.path.exists(self.bios):
- raise RunQemuError("KERNEL %s not found" % self.bios)
+ raise RunQemuError("BIOS %s not found" % self.bios)
def check_mem(self):
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 10/17] cve-check: add include/exclude layers
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (8 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 09/17] runqemu: Fix typo in error message Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 11/17] cve-check: fix comments Steve Sakoman
` (6 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: akuster <akuster808@gmail.com>
There are times when exluding or including a layer
may be desired. This provide the framwork for that via
two variables. The default is all layers in bblayers.
CVE_CHECK_LAYER_INCLUDELIST
CVE_CHECK_LAYER_EXCLUDELIST
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5fdde65ef58b4c1048839e4f9462b34bab36fc22)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 8086cf05e9..8e7e3c60ff 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -53,6 +53,13 @@ CVE_CHECK_PN_WHITELIST ?= ""
#
CVE_CHECK_WHITELIST ?= ""
+# Layers to be excluded
+CVE_CHECK_LAYER_EXCLUDELIST ??= ""
+
+# Layers to be included
+CVE_CHECK_LAYER_INCLUDELIST ??= ""
+
+
# set to "alphabetical" for version using single alphabetical character as increament release
CVE_VERSION_SUFFIX ??= ""
@@ -334,10 +341,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
CVE manifest if enabled.
"""
+
cve_file = d.getVar("CVE_CHECK_LOG")
fdir_name = d.getVar("FILE_DIRNAME")
layer = fdir_name.split("/")[-3]
+ include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
+ exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+
+ if exclude_layers and layer in exclude_layers:
+ return
+
+ if include_layers and layer not in include_layers:
+ return
+
nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
write_string = ""
unpatched_cves = []
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 11/17] cve-check: fix comments
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (9 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 10/17] cve-check: add include/exclude layers Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 12/17] cve-check: update link to NVD website for CVE details Steve Sakoman
` (5 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Michael Opdenacker <michael.opdenacker@bootlin.com>
This implements various fixes in comments in cve-check.bbclass
In particular, the "whitlisted" typo is important as the "whitelisted"
word is going to be replaced in a near future.
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5eecd2bf942254d08c252388594e5ec7ae330f45)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 8e7e3c60ff..03aafc5a54 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -20,7 +20,7 @@
# the only method to check against CVEs. Running this tool
# doesn't guarantee your packages are free of CVEs.
-# The product name that the CVE database uses. Defaults to BPN, but may need to
+# The product name that the CVE database uses defaults to BPN, but may need to
# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
@@ -56,11 +56,11 @@ CVE_CHECK_WHITELIST ?= ""
# Layers to be excluded
CVE_CHECK_LAYER_EXCLUDELIST ??= ""
-# Layers to be included
+# Layers to be included
CVE_CHECK_LAYER_INCLUDELIST ??= ""
-# set to "alphabetical" for version using single alphabetical character as increament release
+# set to "alphabetical" for version using single alphabetical character as increment release
CVE_VERSION_SUFFIX ??= ""
python cve_save_summary_handler () {
@@ -230,7 +230,7 @@ def check_cves(d, patched_cves):
return ([], [], [])
pv = d.getVar("CVE_VERSION").split("+git")[0]
- # If the recipe has been whitlisted we return empty lists
+ # If the recipe has been whitelisted we return empty lists
if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split():
bb.note("Recipe has been whitelisted, skipping check")
return ([], [], [])
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 12/17] cve-check: update link to NVD website for CVE details
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (10 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 11/17] cve-check: fix comments Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 13/17] cve-check: improve comment about CVE patch file names Steve Sakoman
` (4 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Michael Opdenacker <michael.opdenacker@bootlin.com>
The old URL schema
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-ID
now redirects to
https://nvd.nist.gov/vuln/detail/CVE-ID
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 57adb57a9d9b08c08ab606ec7b561792e4f4ff2d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 03aafc5a54..df6ebfd29d 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -355,7 +355,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
if include_layers and layer not in include_layers:
return
- nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
+ nvd_link = "https://nvd.nist.gov/vuln/detail/"
write_string = ""
unpatched_cves = []
bb.utils.mkdirhier(os.path.dirname(cve_file))
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 13/17] cve-check: improve comment about CVE patch file names
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (11 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 12/17] cve-check: update link to NVD website for CVE details Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 14/17] cve-check: remove deprecated CVE_CHECK_CVE_WHITELIST Steve Sakoman
` (3 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8aa613480663e11ecc62278d8c57ca719eb23899)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index df6ebfd29d..f9e5cfa451 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -166,9 +166,12 @@ def get_patches_cves(d):
pn = d.getVar("PN")
cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
- # Matches last CVE-1234-211432 in the file name, also if written
- # with small letters. Not supporting multiple CVE id's in a single
- # file name.
+ # Matches the last "CVE-YYYY-ID" in the file name, also if written
+ # in lowercase. Possible to have multiple CVE IDs in a single
+ # file name, but only the last one will be detected from the file name.
+ # However, patch files contents addressing multiple CVE IDs are supported
+ # (cve_match regular expression)
+
cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
patched_cves = set()
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 14/17] cve-check: remove deprecated CVE_CHECK_CVE_WHITELIST
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (12 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 13/17] cve-check: improve comment about CVE patch file names Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 15/17] e2fsprogs: ensure small images have 256-byte inodes Steve Sakoman
` (2 subsequent siblings)
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Michael Opdenacker <michael.opdenacker@bootlin.com>
This variable has been deprecated since Yocto Project version 3.0.
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f8ac58568b2dceef54a743369460019b3a3eeccd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/cve-check.bbclass | 3 ---
1 file changed, 3 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index f9e5cfa451..b6df2c31da 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -238,9 +238,6 @@ def check_cves(d, patched_cves):
bb.note("Recipe has been whitelisted, skipping check")
return ([], [], [])
- old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
- if old_cve_whitelist:
- bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
import sqlite3
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 15/17] e2fsprogs: ensure small images have 256-byte inodes
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (13 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 14/17] cve-check: remove deprecated CVE_CHECK_CVE_WHITELIST Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 16/17] wic: don't forcibly pass -T default Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 17/17] sstate.bbclass: fix error handling when sstate mirrors is ro Steve Sakoman
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Ross Burton <ross@burtonini.com>
e2fsprogs calls filesystems larger than 3MB but smaller than 512MB
"small", which has some implications:
- blocksize 1024 instead of 4096
- inode_ratio 4096 instead of 16384
- inode_size 128 instead of 256
The outcome of the inode size dropping to 128 bytes is that they cannot
store 64-bit timestamps, so are not Y2038-safe.
A previous attempt to solve this problem[1] changed some of the canned
wic files to pass -T default to mkfs.ext4, but this only covered wic
images and not traditional images. Also, actually small filesystems,
for example a core-image-minimal, will happily be tens of megabytes and
with the "default" options will result in an image which runs out of
blocks before it runs out of space:
mkfs.ext4: Could not allocate block in ext2 filesystem while populating file system
Considering that many OpenEmbedded images are in fact "small", being
2038-safe is worth the marginal increase is disk usage. This patch
alters the small configuration in native builds so that it also has
256-byte inodes. Target is unchanged so that standard behaviour is
maintained outside of the build.
This is actually the same underlying patch that Mathieu Dubois-Briand
sent in April, but the wic change in [1] was accepted instead. I believe
that is the wrong approach and this approach covers more cases.
[ YOCTO #14478 ]
[1] openembedded-core eecbe62
[2] https://lists.openembedded.org/g/openembedded-core/message/150298
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9ab0ae83a24ee99e69f8ac54256b253a122aef8a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../e2fsprogs/big-inodes-for-small-fs.patch | 22 +++++++++++++++++++
.../e2fsprogs/e2fsprogs_1.45.4.bb | 1 +
2 files changed, 23 insertions(+)
create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
new file mode 100644
index 0000000000..caeb560d32
--- /dev/null
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
@@ -0,0 +1,22 @@
+Ensure "small" file systems also have the default inode size (256 bytes) so that
+can store 64-bit timestamps and work past 2038.
+
+The "small" type is any size >3MB and <512MB, which covers a lot of relatively
+small filesystems built by OE, especially when they're sized to fit the contents
+and expand to the storage on boot.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+diff --git a/misc/mke2fs.conf.in b/misc/mke2fs.conf.in
+index 01e35cf8..29f41dc0 100644
+--- a/misc/mke2fs.conf.in
++++ b/misc/mke2fs.conf.in
+@@ -16,7 +16,6 @@
+ }
+ small = {
+ blocksize = 1024
+- inode_size = 128
+ inode_ratio = 4096
+ }
+ floppy = {
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb
index 439928e433..2eae9cd892 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.4.bb
@@ -14,6 +14,7 @@ SRC_URI += "file://remove.ldconfig.call.patch \
SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
file://quiet-debugfs.patch \
+ file://big-inodes-for-small-fs.patch \
"
SRCREV = "984ff8d6a0a1d5dc300505f67b38ed5047d51dac"
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 16/17] wic: don't forcibly pass -T default
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (14 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 15/17] e2fsprogs: ensure small images have 256-byte inodes Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 17/17] sstate.bbclass: fix error handling when sstate mirrors is ro Steve Sakoman
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Ross Burton <ross@burtonini.com>
This reverts part of oe-core eecbe62555, which was a previous attempt
to solve the Y2038 problem. This is now solved centrally in e2fsprogs,
so doesn't need to be dealt with in wic.
We don't revert the commit entirely, to retain the warning if a
filesystem has small inodes.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7e8017208bed98b6c90735cb641fc9d7aedf9140)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
scripts/lib/wic/canned-wks/common.wks.inc | 2 +-
scripts/lib/wic/canned-wks/directdisk-gpt.wks | 2 +-
scripts/lib/wic/canned-wks/mkefidisk.wks | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/lib/wic/canned-wks/common.wks.inc b/scripts/lib/wic/canned-wks/common.wks.inc
index 4fd29fa8c1..89880b417b 100644
--- a/scripts/lib/wic/canned-wks/common.wks.inc
+++ b/scripts/lib/wic/canned-wks/common.wks.inc
@@ -1,3 +1,3 @@
# This file is included into 3 canned wks files from this directory
part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --use-uuid --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024
+part / --source rootfs --use-uuid --fstype=ext4 --label platform --align 1024
diff --git a/scripts/lib/wic/canned-wks/directdisk-gpt.wks b/scripts/lib/wic/canned-wks/directdisk-gpt.wks
index cf16c0c30b..8d7d8de6ea 100644
--- a/scripts/lib/wic/canned-wks/directdisk-gpt.wks
+++ b/scripts/lib/wic/canned-wks/directdisk-gpt.wks
@@ -4,7 +4,7 @@
part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
bootloader --ptable gpt --timeout=0 --append="rootwait rootfstype=ext4 video=vesafb vga=0x318 console=tty0 console=ttyS0,115200n8"
diff --git a/scripts/lib/wic/canned-wks/mkefidisk.wks b/scripts/lib/wic/canned-wks/mkefidisk.wks
index d1878e23e5..9f534fe184 100644
--- a/scripts/lib/wic/canned-wks/mkefidisk.wks
+++ b/scripts/lib/wic/canned-wks/mkefidisk.wks
@@ -4,7 +4,7 @@
part /boot --source bootimg-efi --sourceparams="loader=grub-efi" --ondisk sda --label msdos --active --align 1024
-part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
part swap --ondisk sda --size 44 --label swap1 --fstype=swap
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][dunfell 17/17] sstate.bbclass: fix error handling when sstate mirrors is ro
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
` (15 preceding siblings ...)
2021-08-13 14:29 ` [OE-core][dunfell 16/17] wic: don't forcibly pass -T default Steve Sakoman
@ 2021-08-13 14:29 ` Steve Sakoman
16 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 14:29 UTC (permalink / raw
To: openembedded-core
From: Jose Quaresma <quaresma.jose@gmail.com>
The commit dd555537fc35c5f934af09d601d70772eb5955ae
'sstate.bbclass: fix errors about read-only sstate mirrors'
adds an additional exception handler to silently mask read
only rootfs errors thrown during the touch.
The exception handler checks the error type with the python module errno
but this module needs to be imported as it don't exist.
Example of the error:
File: 'exec_python_func() autogenerated', lineno: 2, function: <module>
0001:
*** 0002:sstate_task_postfunc(d)
0003:
File: '/home/builder/src/base/poky/meta/classes/sstate.bbclass', lineno: 778, function: sstate_task_postfunc
0774:
0775: omask = os.umask(0o002)
0776: if omask != 0o002:
0777: bb.note("Using umask 0o002 (not %0o) for sstate packaging" % omask)
*** 0778: sstate_package(shared_state, d)
0779: os.umask(omask)
0780:
0781: sstateinst = d.getVar("SSTATE_INSTDIR")
0782: d.setVar('SSTATE_FIXMEDIR', shared_state['fixmedir'])
File: '/home/builder/src/base/poky/meta/classes/sstate.bbclass', lineno: 708, function: sstate_package
0704: except PermissionError:
0705: pass
0706: except OSError as e:
0707: # Handle read-only file systems gracefully
*** 0708: if e.errno != errno.EROFS:
0709: raise e
0710:
0711: return
0712:
Exception: NameError: name 'errno' is not defined
Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 15f30ad144fbe25e9a5e71bc7e42e746d2039992)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/sstate.bbclass | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index c148fc9edd..2ff0d6850c 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -705,6 +705,7 @@ def sstate_package(ss, d):
pass
except OSError as e:
# Handle read-only file systems gracefully
+ import errno
if e.errno != errno.EROFS:
raise e
@@ -1148,6 +1149,7 @@ python sstate_eventhandler() {
pass
except OSError as e:
# Handle read-only file systems gracefully
+ import errno
if e.errno != errno.EROFS:
raise e
--
2.25.1
^ permalink raw reply related [flat|nested] 20+ messages in thread
* Re: [OE-core][dunfell 07/17] image: Drop COMPRESS_CMD
2021-08-13 14:29 ` [OE-core][dunfell 07/17] image: Drop COMPRESS_CMD Steve Sakoman
@ 2021-08-13 21:56 ` Richard Purdie
2021-08-13 22:00 ` Steve Sakoman
0 siblings, 1 reply; 20+ messages in thread
From: Richard Purdie @ 2021-08-13 21:56 UTC (permalink / raw
To: Steve Sakoman, openembedded-core
On Fri, 2021-08-13 at 04:29 -1000, Steve Sakoman wrote:
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
>
> This was replaced by CONVERSION_CMD a long time ago and is no longer referenced
> in core. Remove the references to it.
>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit 576d52cdaca047d290c3b10b26aa2244da230dbb)
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
> meta/classes/image.bbclass | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index 1900eff412..0e252e99ff 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -460,11 +460,10 @@ python () {
> # Create input image first.
> gen_conversion_cmds(type)
> localdata.setVar('type', type)
> - cmd = "\t" + (localdata.getVar("CONVERSION_CMD_" + ctype) or localdata.getVar("COMPRESS_CMD_" + ctype))
> + cmd = "\t" + localdata.getVar("CONVERSION_CMD_" + ctype)
> if cmd not in cmds:
> cmds.append(cmd)
> vardeps.add('CONVERSION_CMD_' + ctype)
> - vardeps.add('COMPRESS_CMD_' + ctype)
> subimage = type + "." + ctype
> if subimage not in subimages:
> subimages.append(subimage)
Not sure this is appropriate for a stable series?
Yes, we got rid of this a while ago and there are no core references but
there is a small chance other layers might.
Cheers,
Richard
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [OE-core][dunfell 07/17] image: Drop COMPRESS_CMD
2021-08-13 21:56 ` Richard Purdie
@ 2021-08-13 22:00 ` Steve Sakoman
0 siblings, 0 replies; 20+ messages in thread
From: Steve Sakoman @ 2021-08-13 22:00 UTC (permalink / raw
To: Richard Purdie; +Cc: Patches and discussions about the oe-core layer
On Fri, Aug 13, 2021 at 11:57 AM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Fri, 2021-08-13 at 04:29 -1000, Steve Sakoman wrote:
> > From: Richard Purdie <richard.purdie@linuxfoundation.org>
> >
> > This was replaced by CONVERSION_CMD a long time ago and is no longer referenced
> > in core. Remove the references to it.
> >
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > (cherry picked from commit 576d52cdaca047d290c3b10b26aa2244da230dbb)
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> > meta/classes/image.bbclass | 3 +--
> > 1 file changed, 1 insertion(+), 2 deletions(-)
> >
> > diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> > index 1900eff412..0e252e99ff 100644
> > --- a/meta/classes/image.bbclass
> > +++ b/meta/classes/image.bbclass
> > @@ -460,11 +460,10 @@ python () {
> > # Create input image first.
> > gen_conversion_cmds(type)
> > localdata.setVar('type', type)
> > - cmd = "\t" + (localdata.getVar("CONVERSION_CMD_" + ctype) or localdata.getVar("COMPRESS_CMD_" + ctype))
> > + cmd = "\t" + localdata.getVar("CONVERSION_CMD_" + ctype)
> > if cmd not in cmds:
> > cmds.append(cmd)
> > vardeps.add('CONVERSION_CMD_' + ctype)
> > - vardeps.add('COMPRESS_CMD_' + ctype)
> > subimage = type + "." + ctype
> > if subimage not in subimages:
> > subimages.append(subimage)
>
> Not sure this is appropriate for a stable series?
>
> Yes, we got rid of this a while ago and there are no core references but
> there is a small chance other layers might.
Good point! I'll drop this patch when I send the pull request.
Steve
^ permalink raw reply [flat|nested] 20+ messages in thread
end of thread, other threads:[~2021-08-13 22:00 UTC | newest]
Thread overview: 20+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-08-13 14:29 [OE-core][dunfell 00/17] Patch review Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 01/17] aspell: fix CVE-2019-25051 Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 02/17] systemd: Add fix for CVE-2020-13529 and CVE-2021-33910 Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 03/17] glibc: Document and whitelist CVE-2021-35942 Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 04/17] libsolv: fix CVE-2021-3200 Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 05/17] ruby: 2.7.3 -> 2.7.4 Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 06/17] license: Exclude COPYING.MIT from pseudo Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 07/17] image: Drop COMPRESS_CMD Steve Sakoman
2021-08-13 21:56 ` Richard Purdie
2021-08-13 22:00 ` Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 08/17] kernel-yocto: Simplify no git repo case in do_kernel_checkout Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 09/17] runqemu: Fix typo in error message Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 10/17] cve-check: add include/exclude layers Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 11/17] cve-check: fix comments Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 12/17] cve-check: update link to NVD website for CVE details Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 13/17] cve-check: improve comment about CVE patch file names Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 14/17] cve-check: remove deprecated CVE_CHECK_CVE_WHITELIST Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 15/17] e2fsprogs: ensure small images have 256-byte inodes Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 16/17] wic: don't forcibly pass -T default Steve Sakoman
2021-08-13 14:29 ` [OE-core][dunfell 17/17] sstate.bbclass: fix error handling when sstate mirrors is ro Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.