| Message ID | 20250511150526.2787050-1-peter.marko@siemens.com |
|---|---|
| State | New |
| Series | [v4] sqlite3: upgrade 3.48.0 -> 3.49.1 |

On Sun May 11, 2025 at 5:05 PM CEST, Peter Marko via lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
>
> Handle CVE-2025-3277, CVE-2025-29087 and CVE-2025-29088.
>
> This update includes major change in how it is built.
> Instead of autotools, autosetup is used.
>
> Autosetup (https://msteveb.github.io/autosetup/) claims to be
> * Replacement for autoconf in many situations
> However it also claims NOT to
> * Intended to replace all possible uses of autoconf
> This means that some autoconf features are not available.
>
> Recipe changes:
> * stop inheriting autotools and define B, do_configure and do_install
> * depend on zlib unconditionally, autoconf cannot be preconfigured in
>   similar way as autotools
> * update packageconfig options to match new syntax
> * libedit is detected with ncurses linking options (as seen in
>   do_configure log)
> * backport rpaths fix
> * define soname to avoid file-rdeps QA error due to wrong library name
> * add hack to force cross-compilation in native case to link against
>   zlib in sysroot and thus avoid crashes when sstate-cache from different
>   distro is used
> * clean B for do_configure as the new Makefiles do not seem to properly
>   retrigger build if configuration changes
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---

Hi Peter,

Thanks for the new version. However I believe we still have an error, in oe-selftest and build on ARM hosts:

2025-05-12 08:01:13,149 - oe-selftest - INFO - buildoptions.ArchiverTest.test_arch_work_dir_and_export_source (subunit.RemotedTestCase)
2025-05-12 08:01:13,150 - oe-selftest - INFO - ... FAIL
...
2025-05-12 08:01:13,150 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/buildoptions.py", line 191, in test_arch_work_dir_and_export_source
    self.assertEqual(res.status, 0, "\nCouldn't build xcursortransparenttheme.\nbitbake output %s" % res.output)
  File "/usr/lib/python3.9/unittest/case.py", line 831, in assertEqual
    assertion_func(first, second, msg=msg)
  File "/usr/lib/python3.9/unittest/case.py", line 824, in _baseAssertEqual
    raise self.failureException(msg)
AssertionError: 1 != 0 :
Couldn't build xcursortransparenttheme.

https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/1541
https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/1482
https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/1482

> -----Original Message-----
> From: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> Sent: Monday, May 12, 2025 14:05
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>;
> openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][PATCH v4] sqlite3: upgrade 3.48.0 -> 3.49.1
>
> On Sun May 11, 2025 at 5:05 PM CEST, Peter Marko via lists.openembedded.org
> wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Handle CVE-2025-3277, CVE-2025-29087 and CVE-2025-29088.
> >
> > This update includes major change in how it is built.
> > Instead of autotools, autosetup is used.
> >
> > Autosetup (https://msteveb.github.io/autosetup/) claims to be
> > * Replacement for autoconf in many situations
> > However it also claims NOT to
> > * Intended to replace all possible uses of autoconf
> > This means that some autoconf features are not available.
> >
> > Recipe changes:
> > * stop inheriting autotools and define B, do_configure and do_install
> > * depend on zlib unconditionally, autoconf cannot be preconfigured in
> >   similar way as autotools
> > * update packageconfig options to match new syntax
> > * libedit is detected with ncurses linking options (as seen in
> >   do_configure log)
> > * backport rpaths fix
> > * define soname to avoid file-rdeps QA error due to wrong library name
> > * add hack to force cross-compilation in native case to link against
> >   zlib in sysroot and thus avoid crashes when sstate-cache from different
> >   distro is used
> > * clean B for do_configure as the new Makefiles do not seem to properly
> >   retrigger build if configuration changes
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
>
> Hi Peter,
>
> Thanks for the new version. However I believe we still have an error, in
> oe-selftest and build on ARM hosts:
>
> 2025-05-12 08:01:13,149 - oe-selftest - INFO -
> buildoptions.ArchiverTest.test_arch_work_dir_and_export_source
> (subunit.RemotedTestCase)
> 2025-05-12 08:01:13,150 - oe-selftest - INFO - ... FAIL
> ...
> 2025-05-12 08:01:13,150 - oe-selftest - INFO -
> testtools.testresult.real._StringException: Traceback (most recent call last):
> File "/srv/pokybuild/yocto-worker/oe-selftest-debian/build/meta/lib/oeqa/selftest/cases/buildoptions.py", line 191, in
> test_arch_work_dir_and_export_source
> self.assertEqual(res.status, 0, "\nCouldn't build
> xcursortransparenttheme.\nbitbake output %s" % res.output)
> File "/usr/lib/python3.9/unittest/case.py", line 831, in assertEqual
> assertion_func(first, second, msg=msg)
> File "/usr/lib/python3.9/unittest/case.py", line 824, in _baseAssertEqual
> raise self.failureException(msg)
> AssertionError: 1 != 0 :
> Couldn't build xcursortransparenttheme.
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/1541
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/1482
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/1482

Just wanted to say I have not missed this, but I currently don't have time to work on this update.
If someone else wants to pick it up, please go ahead. Otherwise, I'll try to find some time in June.

Peter

>
> --
> Mathieu Dubois-Briand, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

I looked a bit into this today. I am using 3.49.2 specifically. On that release I see no way to disable rpaths.

FYI: I posted a question in their forum https://sqlite.org/forum/forumpost/13cac3b565

ERROR: sqlite3-5_3.49.2-r0 do_package_qa: QA Issue: libsqlite3: /usr/lib/libsqlite3.so.3.49.2 contains probably-redundant RPATH /usr/lib [useless-rpaths]
ERROR: sqlite3-5_3.49.2-r0 do_package_qa: QA Issue: sqlite3: /usr/bin/sqlite3 contains probably-redundant RPATH /usr/lib [useless-rpaths]

After 3.49.1 the --disable-rpath option was removed which seems strange to me.

diff --git a/meta/recipes-support/sqlite/sqlite3.inc b/meta/recipes-support/sqlite/sqlite3.inc index d093ec5859..9e4c2713b7 100644 --- a/meta/recipes-support/sqlite/sqlite3.inc +++ b/meta/recipes-support/sqlite/sqlite3.inc 
@@ -14,34 +14,37 @@ def sqlite_download_version(d): SQLITE_PV = "${@sqlite_download_version(d)}" S = "${WORKDIR}/sqlite-autoconf-${SQLITE_PV}" +B = "${WORKDIR}/build" UPSTREAM_CHECK_URI = "http://www.sqlite.org/" UPSTREAM_CHECK_REGEX = "releaselog/(?P<pver>(\d+[\.\-_]*)+)\.html" CVE_PRODUCT = "sqlite" -inherit autotools pkgconfig siteinfo +inherit pkgconfig siteinfo + +# zlib is autodetected and gets to sysroots as transitive dependency, make this deterministic +DEPENDS = "zlib" # enable those which are enabled by default in configure PACKAGECONFIG ?= "fts4 fts5 rtree dyn_ext" PACKAGECONFIG:class-native ?= "fts4 fts5 rtree dyn_ext" -PACKAGECONFIG[editline] = "--enable-editline,--disable-editline,libedit" -PACKAGECONFIG[readline] = "--enable-readline,--disable-readline,readline ncurses" +PACKAGECONFIG[editline] = "--enable-editline --with-readline-header=${includedir}/editline/readline.h,--disable-editline,libedit ncurses" +PACKAGECONFIG[readline] = "--enable-readline --with-readline-header=${includedir}/readline/readline.h,--disable-readline,readline ncurses" PACKAGECONFIG[fts3] = "--enable-fts3,--disable-fts3" PACKAGECONFIG[fts4] = "--enable-fts4,--disable-fts4" PACKAGECONFIG[fts5] = "--enable-fts5,--disable-fts5" PACKAGECONFIG[rtree] = "--enable-rtree,--disable-rtree" PACKAGECONFIG[session] = "--enable-session,--disable-session" -PACKAGECONFIG[dyn_ext] = "--enable-dynamic-extensions,--disable-dynamic-extensions" -PACKAGECONFIG[zlib] = ",,zlib" - -CACHED_CONFIGUREVARS += "${@bb.utils.contains('PACKAGECONFIG', 'zlib', '', 'ac_cv_search_deflate=no',d)}" +PACKAGECONFIG[dyn_ext] = "--enable-load-extension,--disable-load-extension" EXTRA_OECONF = " \ --enable-shared \ --enable-threadsafe \ --disable-static-shell \ + --disable-rpath \ + --soname=${PV} \ " # pread() is in POSIX.1-2001 so any reasonable system must surely support it 
@@ -65,4 +68,31 @@ FILES:lib${BPN}-staticdev = "${libdir}/lib*.a" AUTO_LIBNAME_PKGS = "${MLPREFIX}lib${BPN}" +do_configure() { + # native build links against host zlib which is problem when reusing sstate-cache from different host distro + # so "destroy" BUILD_SYS to force cross-compilation and thus honor flags/paths provided by the recipe + # as cross-compilation is detecded by comparing build and host defines + if [ "${BUILD_SYS}" = "${TARGET_SYS}" ]; then + BUILD_SYS=${BUILD_ARCH}-native-${BUILD_OS} + else + BUILD_SYS=${BUILD_SYS} + fi + + ${S}/configure \ + --build=$BUILD_SYS \ + --host=${TARGET_SYS} \ + --prefix=${prefix} \ + --bindir=${bindir} \ + --libdir=${libdir} \ + --includedir=${includedir} \ + --mandir=${mandir} \ + ${EXTRA_OECONF} \ + ${PACKAGECONFIG_CONFARGS} +} +do_configure[cleandirs] = "${B}" + +do_install() { + oe_runmake DESTDIR=${D} install +} + BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-support/sqlite/sqlite3/0001-configure-automatically-fail-the-check-for-rpath-on-.patch b/meta/recipes-support/sqlite/sqlite3/0001-configure-automatically-fail-the-check-for-rpath-on-.patch new file mode 100644 index 0000000000..0eaa06d908 --- /dev/null +++ b/meta/recipes-support/sqlite/sqlite3/0001-configure-automatically-fail-the-check-for-rpath-on-.patch 
@@ -0,0 +1,102 @@ +From f9f6410c31de9f6b377c7d8cd6d56548d3f20551 Mon Sep 17 00:00:00 2001 +From: stephan <stephan@noemail.net> +Date: Thu, 20 Feb 2025 17:15:37 +0000 +Subject: [PATCH] configure: automatically fail the check for rpath on AIX + systems and provide a --disable-rpath flag as a fallback for use on platforms + which pass the configure-time rpath check but then fail at link-time. Based + on discussion in [forum:ae5bd8a84b|forum thread ae5bd8a84b]. + +FossilOrigin-Name: b6603986e621918525312130996c298135ad27af293df9bb9f99e1fc87844379 + +Upstream-Status: Backport [https://github.com/sqlite/sqlite/commit/f9f6410c31de9f6b377c7d8cd6d56548d3f20551] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + auto.def | 2 +- + autosetup/proj.tcl | 18 ++++++++++++++---- + autosetup/sqlite-config.tcl | 14 ++++++++++++++ + 3 files changed, 29 insertions(+), 5 deletions(-) + +diff --git a/auto.def b/auto.def +index 9df87f579a..84dfa824c2 100644 +--- a/auto.def ++++ b/auto.def +@@ -11,7 +11,7 @@ use sqlite-config + sqlite-config-bootstrap autoconf + sqlite-check-common-bins + sqlite-check-common-system-deps +-proj-check-rpath ++sqlite-handle-rpath + sqlite-handle-soname + sqlite-setup-default-cflags + sqlite-handle-debug +diff --git a/autosetup/proj.tcl b/autosetup/proj.tcl +index 6a1960f603..6b49dcdae0 100644 +--- a/autosetup/proj.tcl ++++ b/autosetup/proj.tcl +@@ -921,9 +921,20 @@ proc proj-check-emsdk {} { + # + # Achtung: we have seen platforms which report that a given option + # checked here will work but then fails at build-time, and the current +-# order of checks reflects that. ++# order of checks reflects that. Similarly, platforms which are known ++# to report success here but fail to handle this flag at link-time are ++# special-cased here to behave as if the check failed. 
+ proc proj-check-rpath {} { +- set rc 1 ++ switch -glob -- [get-define host] { ++ *-*-aix* { ++ # Skip this check on platform(s) where we know it to pass at ++ # this step but fail at build-time, as a workaround for ++ # https://sqlite.org/forum/forumpost/ae5bd8a84b until we can ++ # find a more reliable approach. ++ define LDFLAGS_RPATH "" ++ return 0 ++ } ++ } + if {[proj-opt-was-provided libdir] + || [proj-opt-was-provided exec-prefix]} { + set lp "[get-define libdir]" +@@ -945,10 +956,9 @@ proc proj-check-rpath {} { + define LDFLAGS_RPATH "-Wl,-R$lp" + } else { + define LDFLAGS_RPATH "" +- set rc 0 + } + } +- return $rc ++ expr {"" ne [get-define LDFLAGS_RPATH]} + } + + ######################################################################## +diff --git a/autosetup/sqlite-config.tcl b/autosetup/sqlite-config.tcl +index 7d9a9ea84b..be2522fb12 100644 +--- a/autosetup/sqlite-config.tcl ++++ b/autosetup/sqlite-config.tcl +@@ -244,6 +244,9 @@ proc sqlite-config-bootstrap {buildMode} { + static-shell=1 => {Link the sqlite3 shell app against the DLL instead of embedding sqlite3.c} + } + {*} { ++ # rpath: https://sqlite.org/forum/forumpost/fa3a6ed858 ++ rpath=1 ++ => {Disable checking for rpath support} + # soname: https://sqlite.org/src/forumpost/5a3b44f510df8ded + soname:=legacy + => {SONAME for libsqlite3.so. "none", or not using this flag, sets no +@@ -644,6 +647,17 @@ proc sqlite-handle-debug {} { + } + } + ++######################################################################## ++# If the --disable-rpath flag is used, this [define]s LDFLAGS_RPATH to ++# an empty string, else it invokes [proj-check-rpath]. ++proc sqlite-handle-rpath {} { ++ proj-if-opt-truthy rpath { ++ proj-check-rpath ++ } { ++ define LDFLAGS_RPATH "" ++ } ++} ++ + ######################################################################## + # "soname" for libsqlite3.so. See discussion at: + # https://sqlite.org/src/forumpost/5a3b44f510df8ded 
diff --git a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb b/meta/recipes-support/sqlite/sqlite3_3.49.1.bb similarity index 53% rename from meta/recipes-support/sqlite/sqlite3_3.48.0.bb rename to meta/recipes-support/sqlite/sqlite3_3.49.1.bb index bd2ac6614d..c3c0670884 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.48.0.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.49.1.bb @@ -4,5 +4,6 @@ LICENSE = "PD" LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed00c66" SRC_URI = "http://www.sqlite.org/2025/sqlite-autoconf-${SQLITE_PV}.tar.gz" -SRC_URI[sha256sum] = "ac992f7fca3989de7ed1fe99c16363f848794c8c32a158dafd4eb927a2e02fd5" +SRC_URI[sha256sum] = "106642d8ccb36c5f7323b64e4152e9b719f7c0215acf5bfeac3d5e7f97b59254" +SRC_URI += "file://0001-configure-automatically-fail-the-check-for-rpath-on-.patch"
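
Review bot: In the first sqlite3.inc hunk, the editline and readline PACKAGECONFIG entries pass --with-readline-header=${includedir}/..., and ${includedir} is the install path on the target (the same value do_configure hands to --includedir), not a location inside the recipe sysroot. If configure opens that header at configure time it will look in the build host's own include directory, so ${STAGING_INCDIR}/readline/readline.h and ${STAGING_INCDIR}/editline/readline.h look like the safer values; neither option is in the default PACKAGECONFIG, so a default build will not exercise this path. Separately, DEPENDS = "zlib" is a plain assignment; DEPENDS += "zlib" would keep anything set earlier.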
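
Review bot: In do_configure in the second sqlite3.inc hunk, the shell variable BUILD_SYS shadows the BitBake variable of the same name: ${BUILD_SYS} is expanded by BitBake before the script runs while $BUILD_SYS is the shell value, and the else branch BUILD_SYS=${BUILD_SYS} exists only to seed it. A differently named local, initialised before the if, would make the override easier to follow and lets the else branch go. Both the comparison and --host use ${TARGET_SYS}; if ${HOST_SYS} can differ from it for any of the BBCLASSEXTEND variants, --host should follow HOST_SYS instead. The comment also has a typo ("detecded").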
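
Review bot: The Upstream-Status line of the added 0001-configure-automatically-fail-the-check-for-rpath-on-.patch gives the commit URL but not the release that carries it, while EXTRA_OECONF now relies on this backport for --disable-rpath. Given the report in this thread that 3.49.2 offers no way to disable rpaths, recording the upstream version in the patch header, or adding a comment next to --disable-rpath in sqlite3.inc saying the flag comes from this patch, would tell whoever does the next upgrade whether the patch can be dropped or has to be rebased.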