From patchwork Wed Sep 4 21:32:42 2024
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 48664
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 01/14] python3-setuptools: Fix CVE-2024-6345
Date: Wed, 4 Sep 2024 14:32:42 -0700
Message-Id: <468c5a4e12b9d38768b00151c55fd27b2b504f3b.1725456307.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204213

From: Soumya Sambu

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

References: https://nvd.nist.gov/vuln/detail/CVE-2024-6345

Upstream-patch: https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0

Signed-off-by: Soumya Sambu
Signed-off-by: Steve Sakoman
--- .../python3-setuptools/CVE-2024-6345.patch | 312 ++++++++++++++++++ .../python/python3-setuptools_69.1.1.bb | 4 +- 2 files changed, 315 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch diff --git a/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch b/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch new file mode 100644 index 0000000000..ac520be74a --- /dev/null +++ b/meta/recipes-devtools/python/python3-setuptools/CVE-2024-6345.patch 
@@ -0,0 +1,312 @@ +From 88807c7062788254f654ea8c03427adc859321f0 Mon Sep 17 00:00:00 2001 +From: Jason R. Coombs +Date: Mon Apr 29 20:01:38 2024 -0400 +Subject: [PATCH] Merge pull request #4332 from pypa/debt/package-index-vcs + +Modernize package_index VCS handling + +CVE: CVE-2024-6345 + +Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0] + +Signed-off-by: Soumya Sambu +--- + setup.cfg | 1 + + setuptools/package_index.py | 145 ++++++++++++++------------ + setuptools/tests/test_packageindex.py | 56 +++++----- + 3 files changed, 106 insertions(+), 96 deletions(-) + +diff --git a/setup.cfg b/setup.cfg +index edf9798..238d00a 100644 +--- a/setup.cfg ++++ b/setup.cfg +@@ -65,6 +65,7 @@ testing = + sys_platform != "cygwin" + jaraco.develop >= 7.21; python_version >= "3.9" and sys_platform != "cygwin" + pytest-home >= 0.5 ++ pytest-subprocess + testing-integration = + pytest + pytest-xdist +diff --git a/setuptools/package_index.py b/setuptools/package_index.py +index 271aa97..00a972d 100644 +--- a/setuptools/package_index.py ++++ b/setuptools/package_index.py +@@ -1,6 +1,7 @@ + """PyPI and direct package downloading.""" + + import sys ++import subprocess + import os + import re + import io +@@ -585,7 +586,7 @@ class PackageIndex(Environment): + scheme = URL_SCHEME(spec) + if scheme: + # It's a url, download it to tmpdir +- found = self._download_url(scheme.group(1), spec, tmpdir) ++ found = self._download_url(spec, tmpdir) + base, fragment = egg_info_for_url(spec) + if base.endswith('.py'): + found = self.gen_setup(found, fragment, tmpdir) +@@ -814,7 +815,7 @@ class PackageIndex(Environment): + else: + raise DistutilsError("Download error for %s: %s" % (url, v)) from v + +- def _download_url(self, scheme, url, tmpdir): ++ def _download_url(self, url, tmpdir): + # Determine download filename + # + name, fragment = egg_info_for_url(url) +@@ -829,19 +830,59 @@ class PackageIndex(Environment): + + filename = 
os.path.join(tmpdir, name) + +- # Download the file +- # +- if scheme == 'svn' or scheme.startswith('svn+'): +- return self._download_svn(url, filename) +- elif scheme == 'git' or scheme.startswith('git+'): +- return self._download_git(url, filename) +- elif scheme.startswith('hg+'): +- return self._download_hg(url, filename) +- elif scheme == 'file': +- return urllib.request.url2pathname(urllib.parse.urlparse(url)[2]) +- else: +- self.url_ok(url, True) # raises error if not allowed +- return self._attempt_download(url, filename) ++ return self._download_vcs(url, filename) or self._download_other(url, filename) ++ ++ @staticmethod ++ def _resolve_vcs(url): ++ """ ++ >>> rvcs = PackageIndex._resolve_vcs ++ >>> rvcs('git+http://foo/bar') ++ 'git' ++ >>> rvcs('hg+https://foo/bar') ++ 'hg' ++ >>> rvcs('git:myhost') ++ 'git' ++ >>> rvcs('hg:myhost') ++ >>> rvcs('http://foo/bar') ++ """ ++ scheme = urllib.parse.urlsplit(url).scheme ++ pre, sep, post = scheme.partition('+') ++ # svn and git have their own protocol; hg does not ++ allowed = set(['svn', 'git'] + ['hg'] * bool(sep)) ++ return next(iter({pre} & allowed), None) ++ ++ def _download_vcs(self, url, spec_filename): ++ vcs = self._resolve_vcs(url) ++ if not vcs: ++ return ++ if vcs == 'svn': ++ raise DistutilsError( ++ f"Invalid config, SVN download is not supported: {url}" ++ ) ++ ++ filename, _, _ = spec_filename.partition('#') ++ url, rev = self._vcs_split_rev_from_url(url) ++ ++ self.info(f"Doing {vcs} clone from {url} to {filename}") ++ subprocess.check_call([vcs, 'clone', '--quiet', url, filename]) ++ ++ co_commands = dict( ++ git=[vcs, '-C', filename, 'checkout', '--quiet', rev], ++ hg=[vcs, '--cwd', filename, 'up', '-C', '-r', rev, '-q'], ++ ) ++ if rev is not None: ++ self.info(f"Checking out {rev}") ++ subprocess.check_call(co_commands[vcs]) ++ ++ return filename ++ ++ def _download_other(self, url, filename): ++ scheme = urllib.parse.urlsplit(url).scheme ++ if scheme == 'file': # pragma: no cover ++ 
return urllib.request.url2pathname(urllib.parse.urlparse(url).path) ++ # raise error if not allowed ++ self.url_ok(url, True) ++ return self._attempt_download(url, filename) + + def scan_url(self, url): + self.process_url(url, True) +@@ -857,64 +898,36 @@ class PackageIndex(Environment): + os.unlink(filename) + raise DistutilsError(f"Unexpected HTML page found at {url}") + +- def _download_svn(self, url, _filename): +- raise DistutilsError(f"Invalid config, SVN download is not supported: {url}") +- + @staticmethod +- def _vcs_split_rev_from_url(url, pop_prefix=False): +- scheme, netloc, path, query, frag = urllib.parse.urlsplit(url) ++ def _vcs_split_rev_from_url(url): ++ """ ++ Given a possible VCS URL, return a clean URL and resolved revision if any. ++ >>> vsrfu = PackageIndex._vcs_split_rev_from_url ++ >>> vsrfu('git+https://github.com/pypa/setuptools@v69.0.0#egg-info=setuptools') ++ ('https://github.com/pypa/setuptools', 'v69.0.0') ++ >>> vsrfu('git+https://github.com/pypa/setuptools#egg-info=setuptools') ++ ('https://github.com/pypa/setuptools', None) ++ >>> vsrfu('http://foo/bar') ++ ('http://foo/bar', None) ++ """ ++ parts = urllib.parse.urlsplit(url) + +- scheme = scheme.split('+', 1)[-1] ++ clean_scheme = parts.scheme.split('+', 1)[-1] + + # Some fragment identification fails +- path = path.split('#', 1)[0] +- +- rev = None +- if '@' in path: +- path, rev = path.rsplit('@', 1) +- +- # Also, discard fragment +- url = urllib.parse.urlunsplit((scheme, netloc, path, query, '')) +- +- return url, rev +- +- def _download_git(self, url, filename): +- filename = filename.split('#', 1)[0] +- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True) +- +- self.info("Doing git clone from %s to %s", url, filename) +- os.system("git clone --quiet %s %s" % (url, filename)) +- +- if rev is not None: +- self.info("Checking out %s", rev) +- os.system( +- "git -C %s checkout --quiet %s" +- % ( +- filename, +- rev, +- ) +- ) ++ no_fragment_path, _, _ = 
parts.path.partition('#') + +- return filename ++ pre, sep, post = no_fragment_path.rpartition('@') ++ clean_path, rev = (pre, post) if sep else (post, None) + +- def _download_hg(self, url, filename): +- filename = filename.split('#', 1)[0] +- url, rev = self._vcs_split_rev_from_url(url, pop_prefix=True) ++ resolved = parts._replace( ++ scheme=clean_scheme, ++ path=clean_path, ++ # discard the fragment ++ fragment='', ++ ).geturl() + +- self.info("Doing hg clone from %s to %s", url, filename) +- os.system("hg clone --quiet %s %s" % (url, filename)) +- +- if rev is not None: +- self.info("Updating to %s", rev) +- os.system( +- "hg --cwd %s up -C -r %s -q" +- % ( +- filename, +- rev, +- ) +- ) +- +- return filename ++ return resolved, rev + + def debug(self, msg, *args): + log.debug(msg, *args) +diff --git a/setuptools/tests/test_packageindex.py b/setuptools/tests/test_packageindex.py +index 41b9661..e4cd91a 100644 +--- a/setuptools/tests/test_packageindex.py ++++ b/setuptools/tests/test_packageindex.py +@@ -2,7 +2,6 @@ import distutils.errors + import urllib.request + import urllib.error + import http.client +-from unittest import mock + + import pytest + +@@ -171,49 +170,46 @@ class TestPackageIndex: + assert dists[0].version == '' + assert dists[1].version == vc + +- def test_download_git_with_rev(self, tmpdir): ++ def test_download_git_with_rev(self, tmp_path, fp): + url = 'git+https://github.example/group/project@master#egg=foo' + index = setuptools.package_index.PackageIndex() + +- with mock.patch("os.system") as os_system_mock: +- result = index.download(url, str(tmpdir)) ++ expected_dir = tmp_path / 'project@master' ++ fp.register([ ++ 'git', ++ 'clone', ++ '--quiet', ++ 'https://github.example/group/project', ++ expected_dir, ++ ]) ++ fp.register(['git', '-C', expected_dir, 'checkout', '--quiet', 'master']) + +- os_system_mock.assert_called() ++ result = index.download(url, tmp_path) + +- expected_dir = str(tmpdir / 'project@master') +- expected = ( +- 'git 
clone --quiet ' 'https://github.example/group/project {expected_dir}' +- ).format(**locals()) +- first_call_args = os_system_mock.call_args_list[0][0] +- assert first_call_args == (expected,) ++ assert result == str(expected_dir) ++ assert len(fp.calls) == 2 + +- tmpl = 'git -C {expected_dir} checkout --quiet master' +- expected = tmpl.format(**locals()) +- assert os_system_mock.call_args_list[1][0] == (expected,) +- assert result == expected_dir +- +- def test_download_git_no_rev(self, tmpdir): ++ def test_download_git_no_rev(self, tmp_path, fp): + url = 'git+https://github.example/group/project#egg=foo' + index = setuptools.package_index.PackageIndex() + +- with mock.patch("os.system") as os_system_mock: +- result = index.download(url, str(tmpdir)) +- +- os_system_mock.assert_called() +- +- expected_dir = str(tmpdir / 'project') +- expected = ( +- 'git clone --quiet ' 'https://github.example/group/project {expected_dir}' +- ).format(**locals()) +- os_system_mock.assert_called_once_with(expected) +- +- def test_download_svn(self, tmpdir): ++ expected_dir = tmp_path / 'project' ++ fp.register([ ++ 'git', ++ 'clone', ++ '--quiet', ++ 'https://github.example/group/project', ++ expected_dir, ++ ]) ++ index.download(url, tmp_path) ++ ++ def test_download_svn(self, tmp_path): + url = 'svn+https://svn.example/project#egg=foo' + index = setuptools.package_index.PackageIndex() + + msg = r".*SVN download is not supported.*" + with pytest.raises(distutils.errors.DistutilsError, match=msg): +- index.download(url, str(tmpdir)) ++ index.download(url, tmp_path) + + + class TestContentCheckers: +-- +2.40.0 + diff --git a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb index 67475b68eb..7b9b02059f 100644 --- a/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb +++ b/meta/recipes-devtools/python/python3-setuptools_69.1.1.bb 
@@ -9,7 +9,9 @@ inherit pypi python_setuptools_build_meta SRC_URI:append:class-native = " file://0001-conditionally-do-not-fetch-code-by-easy_install.patch" SRC_URI += " \ - file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch" + file://0001-_distutils-sysconfig.py-make-it-possible-to-substite.patch \ + file://CVE-2024-6345.patch \ +" SRC_URI[sha256sum] = "5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8" 
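
Review bot: In `_download_vcs` (setuptools/package_index.py), `co_commands` is built before the `if rev is not None:` check, so for a URL without an `@rev` part both command lists are constructed with `None` as their last element even though neither is run. Building the checkout command inside the `if rev is not None:` block would keep a `None` argument from ever reaching `subprocess.check_call` if that guard is changed later.
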
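
Review bot: `test_download_git_no_rev` in setuptools/tests/test_packageindex.py now ends at `index.download(url, tmp_path)` with no assertion, where the removed version had `os_system_mock.assert_called_once_with(expected)`. Adding `assert len(fp.calls) == 1`, as `test_download_git_with_rev` does with `== 2`, would make the test fail if the clone is never issued. The `fp` fixture these tests take comes from the `pytest-subprocess` entry added to setup.cfg, so that package has to be available wherever the recipe's tests are run.
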
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/14] python3: Fix CVE-2024-7592
Date: Wed, 4 Sep 2024 14:32:43 -0700
Message-Id: <3bb9684eef5227e7b1280ee9051884310b0d0b7f.1725456307.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204214

From: Soumya Sambu

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

References: https://nvd.nist.gov/vuln/detail/CVE-2024-7592

Upstream-Patch: https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1

Signed-off-by: Soumya Sambu
Signed-off-by: Steve Sakoman
--- .../python/python3/CVE-2024-7592.patch | 143 ++++++++++++++++++ .../recipes-devtools/python/python3_3.12.4.bb | 1 + 2 files changed, 144 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2024-7592.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2024-7592.patch b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch new file mode 100644 index 0000000000..7a6d63005c --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2024-7592.patch 
@@ -0,0 +1,143 @@ +From dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Sun, 25 Aug 2024 00:37:11 +0200 +Subject: [PATCH] gh-123067: Fix quadratic complexity in parsing "-quoted + cookie values with backslashes (GH-123075) (#123104) + +gh-123067: Fix quadratic complexity in parsing "-quoted cookie values with backslashes (GH-123075) + +This fixes CVE-2024-7592. +(cherry picked from commit 44e458357fca05ca0ae2658d62c8c595b048b5ef) + +Co-authored-by: Serhiy Storchaka + +CVE: CVE-2024-7592 + +Upstream-Status: Backport [https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1] + +Signed-off-by: Soumya Sambu +--- + Lib/http/cookies.py | 34 ++++------------- + Lib/test/test_http_cookies.py | 38 +++++++++++++++++++ + ...-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst | 1 + + 3 files changed, 47 insertions(+), 26 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst + +diff --git a/Lib/http/cookies.py b/Lib/http/cookies.py +index 35ac2dc..2c1f021 100644 +--- a/Lib/http/cookies.py ++++ b/Lib/http/cookies.py +@@ -184,8 +184,13 @@ def _quote(str): + return '"' + str.translate(_Translator) + '"' + + +-_OctalPatt = re.compile(r"\\[0-3][0-7][0-7]") +-_QuotePatt = re.compile(r"[\\].") ++_unquote_sub = re.compile(r'\\(?:([0-3][0-7][0-7])|(.))').sub ++ ++def _unquote_replace(m): ++ if m[1]: ++ return chr(int(m[1], 8)) ++ else: ++ return m[2] + + def _unquote(str): + # If there aren't any doublequotes, +@@ -205,30 +210,7 @@ def _unquote(str): + # \012 --> \n + # \" --> " + # +- i = 0 +- n = len(str) +- res = [] +- while 0 <= i < n: +- o_match = _OctalPatt.search(str, i) +- q_match = _QuotePatt.search(str, i) +- if not o_match and not q_match: # Neither matched +- res.append(str[i:]) +- break +- # else: +- j = k = -1 +- if o_match: +- j = o_match.start(0) +- if q_match: +- k = q_match.start(0) +- if q_match 
and (not o_match or k < j): # QuotePatt matched +- res.append(str[i:k]) +- res.append(str[k+1]) +- i = k + 2 +- else: # OctalPatt matched +- res.append(str[i:j]) +- res.append(chr(int(str[j+1:j+4], 8))) +- i = j + 4 +- return _nulljoin(res) ++ return _unquote_sub(_unquote_replace, str) + + # The _getdate() routine is used to set the expiration time in the cookie's HTTP + # header. By default, _getdate() returns the current time in the appropriate +diff --git a/Lib/test/test_http_cookies.py b/Lib/test/test_http_cookies.py +index 925c869..8879902 100644 +--- a/Lib/test/test_http_cookies.py ++++ b/Lib/test/test_http_cookies.py +@@ -5,6 +5,7 @@ import unittest + import doctest + from http import cookies + import pickle ++from test import support + + + class CookieTests(unittest.TestCase): +@@ -58,6 +59,43 @@ class CookieTests(unittest.TestCase): + for k, v in sorted(case['dict'].items()): + self.assertEqual(C[k].value, v) + ++ def test_unquote(self): ++ cases = [ ++ (r'a="b=\""', 'b="'), ++ (r'a="b=\\"', 'b=\\'), ++ (r'a="b=\="', 'b=='), ++ (r'a="b=\n"', 'b=n'), ++ (r'a="b=\042"', 'b="'), ++ (r'a="b=\134"', 'b=\\'), ++ (r'a="b=\377"', 'b=\xff'), ++ (r'a="b=\400"', 'b=400'), ++ (r'a="b=\42"', 'b=42'), ++ (r'a="b=\\042"', 'b=\\042'), ++ (r'a="b=\\134"', 'b=\\134'), ++ (r'a="b=\\\""', 'b=\\"'), ++ (r'a="b=\\\042"', 'b=\\"'), ++ (r'a="b=\134\""', 'b=\\"'), ++ (r'a="b=\134\042"', 'b=\\"'), ++ ] ++ for encoded, decoded in cases: ++ with self.subTest(encoded): ++ C = cookies.SimpleCookie() ++ C.load(encoded) ++ self.assertEqual(C['a'].value, decoded) ++ ++ @support.requires_resource('cpu') ++ def test_unquote_large(self): ++ n = 10**6 ++ for encoded in r'\\', r'\134': ++ with self.subTest(encoded): ++ data = 'a="b=' + encoded*n + ';"' ++ C = cookies.SimpleCookie() ++ C.load(data) ++ value = C['a'].value ++ self.assertEqual(value[:3], 'b=\\') ++ self.assertEqual(value[-2:], '\\;') ++ self.assertEqual(len(value), n + 3) ++ + def test_load(self): + C = cookies.SimpleCookie() + 
C.load('Customer="WILE_E_COYOTE"; Version=1; Path=/acme') +diff --git a/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst +new file mode 100644 +index 0000000..6a23456 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2024-08-16-19-13-21.gh-issue-123067.Nx9O4R.rst +@@ -0,0 +1 @@ ++Fix quadratic complexity in parsing ``"``-quoted cookie values with backslashes by :mod:`http.cookies`. +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3_3.12.4.bb b/meta/recipes-devtools/python/python3_3.12.4.bb index e4c3fbb673..9199edce3d 100644 --- a/meta/recipes-devtools/python/python3_3.12.4.bb +++ b/meta/recipes-devtools/python/python3_3.12.4.bb 
@@ -34,6 +34,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch \ file://0001-test_deadlock-skip-problematic-test.patch \ file://0001-test_active_children-skip-problematic-test.patch \ + file://CVE-2024-7592.patch \ " SRC_URI:append:class-native = " \ 
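
Review bot: `test_unquote_large` in Lib/test/test_http_cookies.py asserts only on the decoded value for `n = 10**6` and is gated by `@support.requires_resource('cpu')`, so a return to quadratic parsing would show up as a slow run rather than a failure, and only where the `cpu` resource is enabled. If the target's test run does not enable that resource, the regression check for CVE-2024-7592 is not exercised; it would help to state in the commit message whether this test was run against the patched 3.12.4 recipe.
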
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/14] python3: Fix CVE-2024-8088
Date: Wed, 4 Sep 2024 14:32:44 -0700
Message-Id: <2d98276ba70ed6c44afecd42a7352f1b3030438f.1725456307.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204215

From: Soumya Sambu

There is a HIGH severity vulnerability affecting the CPython "zipfile" module. When iterating over names of entries in a zip archive (for example, methods of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.

References: https://nvd.nist.gov/vuln/detail/CVE-2024-8088

Upstream-Patch: https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec

Signed-off-by: Soumya Sambu
Signed-off-by: Steve Sakoman
--- .../python/python3/CVE-2024-8088.patch | 128 ++++++++++++++++++ .../recipes-devtools/python/python3_3.12.4.bb | 1 + 2 files changed, 129 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch diff --git a/meta/recipes-devtools/python/python3/CVE-2024-8088.patch b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch new file mode 100644 index 0000000000..13836f1ccc --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2024-8088.patch 
@@ -0,0 +1,128 @@ +From dcc5182f27c1500006a1ef78e10613bb45788dea Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 12 Aug 2024 02:35:17 +0200 +Subject: [PATCH] gh-122905: Sanitize names in zipfile.Path. (GH-122906) + (#122923) + +CVE: CVE-2024-8088 + +Upstream-Status: Backport [https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea] + +Signed-off-by: Soumya Sambu +--- + Lib/test/test_zipfile/_path/test_path.py | 17 +++++ + Lib/zipfile/_path/__init__.py | 64 ++++++++++++++++++- + ...-08-11-14-08-04.gh-issue-122905.7tDsxA.rst | 1 + + 3 files changed, 81 insertions(+), 1 deletion(-) + create mode 100644 Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst + +diff --git a/Lib/test/test_zipfile/_path/test_path.py b/Lib/test/test_zipfile/_path/test_path.py +index 06d5aab..90885db 100644 +--- a/Lib/test/test_zipfile/_path/test_path.py ++++ b/Lib/test/test_zipfile/_path/test_path.py +@@ -577,3 +577,20 @@ class TestPath(unittest.TestCase): + zipfile.Path(alpharep) + with self.assertRaises(KeyError): + alpharep.getinfo('does-not-exist') ++ ++ def test_malformed_paths(self): ++ """ ++ Path should handle malformed paths. ++ """ ++ data = io.BytesIO() ++ zf = zipfile.ZipFile(data, "w") ++ zf.writestr("/one-slash.txt", b"content") ++ zf.writestr("//two-slash.txt", b"content") ++ zf.writestr("../parent.txt", b"content") ++ zf.filename = '' ++ root = zipfile.Path(zf) ++ assert list(map(str, root.iterdir())) == [ ++ 'one-slash.txt', ++ 'two-slash.txt', ++ 'parent.txt', ++ ] +diff --git a/Lib/zipfile/_path/__init__.py b/Lib/zipfile/_path/__init__.py +index 78c4135..42f9fde 100644 +--- a/Lib/zipfile/_path/__init__.py ++++ b/Lib/zipfile/_path/__init__.py +@@ -83,7 +83,69 @@ class InitializedState: + super().__init__(*args, **kwargs) + + +-class CompleteDirs(InitializedState, zipfile.ZipFile): ++class SanitizedNames: ++ """ ++ ZipFile mix-in to ensure names are sanitized. 
++ """ ++ ++ def namelist(self): ++ return list(map(self._sanitize, super().namelist())) ++ ++ @staticmethod ++ def _sanitize(name): ++ r""" ++ Ensure a relative path with posix separators and no dot names. ++ ++ Modeled after ++ https://github.com/python/cpython/blob/bcc1be39cb1d04ad9fc0bd1b9193d3972835a57c/Lib/zipfile/__init__.py#L1799-L1813 ++ but provides consistent cross-platform behavior. ++ ++ >>> san = SanitizedNames._sanitize ++ >>> san('/foo/bar') ++ 'foo/bar' ++ >>> san('//foo.txt') ++ 'foo.txt' ++ >>> san('foo/.././bar.txt') ++ 'foo/bar.txt' ++ >>> san('foo../.bar.txt') ++ 'foo../.bar.txt' ++ >>> san('\\foo\\bar.txt') ++ 'foo/bar.txt' ++ >>> san('D:\\foo.txt') ++ 'D/foo.txt' ++ >>> san('\\\\server\\share\\file.txt') ++ 'server/share/file.txt' ++ >>> san('\\\\?\\GLOBALROOT\\Volume3') ++ '?/GLOBALROOT/Volume3' ++ >>> san('\\\\.\\PhysicalDrive1\\root') ++ 'PhysicalDrive1/root' ++ ++ Retain any trailing slash. ++ >>> san('abc/') ++ 'abc/' ++ ++ Raises a ValueError if the result is empty. ++ >>> san('../..') ++ Traceback (most recent call last): ++ ... ++ ValueError: Empty filename ++ """ ++ ++ def allowed(part): ++ return part and part not in {'..', '.'} ++ ++ # Remove the drive letter. ++ # Don't use ntpath.splitdrive, because that also strips UNC paths ++ bare = re.sub('^([A-Z]):', r'\1', name, flags=re.IGNORECASE) ++ clean = bare.replace('\\', '/') ++ parts = clean.split('/') ++ joined = '/'.join(filter(allowed, parts)) ++ if not joined: ++ raise ValueError("Empty filename") ++ return joined + '/' * name.endswith('/') ++ ++ ++class CompleteDirs(InitializedState, SanitizedNames, zipfile.ZipFile): + """ + A ZipFile subclass that ensures that implied directories + are always included in the namelist. 
+diff --git a/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst +new file mode 100644 +index 0000000..1be44c9 +--- /dev/null ++++ b/Misc/NEWS.d/next/Library/2024-08-11-14-08-04.gh-issue-122905.7tDsxA.rst +@@ -0,0 +1 @@ ++:class:`zipfile.Path` objects now sanitize names from the zipfile. +-- +2.40.0 diff --git a/meta/recipes-devtools/python/python3_3.12.4.bb b/meta/recipes-devtools/python/python3_3.12.4.bb index 9199edce3d..3ac83166ac 100644 --- a/meta/recipes-devtools/python/python3_3.12.4.bb +++ b/meta/recipes-devtools/python/python3_3.12.4.bb 
@@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-test_deadlock-skip-problematic-test.patch \ file://0001-test_active_children-skip-problematic-test.patch \ file://CVE-2024-7592.patch \ + file://CVE-2024-8088.patch \ " SRC_URI:append:class-native = " \ From patchwork Wed Sep 4 21:32:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48665 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 91EE5CD4F38 for ; Wed, 4 Sep 2024 21:33:20 +0000 (UTC) Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) by mx.groups.io with SMTP id smtpd.web11.62089.1725485592057666535 for ; Wed, 04 Sep 2024 14:33:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=0PvXP3vr; spf=softfail (domain: sakoman.com, ip: 209.85.216.49, mailfrom: steve@sakoman.com) Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-2d88c5d76eeso20228a91.2 for ; Wed, 04 Sep 2024 14:33:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725485591; x=1726090391; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=uF1OJeu0fqxU0AppkZDvIk5br+qZPYlzWLmPzzDxj64=; b=0PvXP3vrg2pleL/QtfK/Sr6Cj4RWGIXlZJsaSfAqhj5ZMhWg0s2h6QBiSuNcDPH4o4 QVNQCWsTePLZckMqCqJ5otgjnqrvlUmFw1rc+/oECEi8mdLOtiN+oRQyi1dGh/3UM3IY owVKAhn27PNsSrSlooK6HUIc+CnvWOmsP3Dh+XxlqPVkMTyN2/8XwV1pFeFhdDJXztZq 
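Review bot: test_malformed_paths in Lib/test/test_zipfile/_path/test_path.py only compares the strings returned by root.iterdir(), so it never reads an entry back through zipfile.Path. Because namelist() now returns names that differ from the ones stored with writestr() ('one-slash.txt' for '/one-slash.txt'), an extra assertion that opens or reads one of the three entries would show whether lookups still resolve. The test also leaves out the ValueError("Empty filename") branch and the backslash and drive-letter inputs that the _sanitize doctests list. The bare assert differs from the self.assertRaises style in the context lines above it; self.assertEqual would give a clearer failure message.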
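Review bot: SanitizedNames.namelist() in Lib/zipfile/_path/__init__.py maps _sanitize over every stored name, so a single entry that sanitizes to nothing (the '../..' doctest case) raises ValueError for the whole listing. Two distinct stored names can also collapse to one result: by the doctests '/foo/bar' becomes 'foo/bar', the same as a stored 'foo/bar'. The class docstring should say how callers are expected to see both cases, or namelist() could skip empty results and drop duplicates. The hunk calls re.sub but adds no import in the visible lines, so it depends on re already being imported in this module on the 3.12.4 base.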
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 04/14] xserver-xorg: fix CVE-2023-5574 status Date: Wed, 4 Sep 2024 14:32:45 -0700 Message-Id: <9965028d74b3c480f7556d299d616999822b79bf.1725456307.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Sep 2024 21:33:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204216 From: Dmitry Baryshkov If Xvfb is enabled, the CVE_STATUS for CVE-2023-5574 should be 'unpatched' rather than the empty string. Otherwise the SPDX checker complains: xserver-xorg-2_21.1.13-r0 do_create_spdx: Unknown CVE status Signed-off-by: Dmitry Baryshkov Signed-off-by: Richard Purdie (cherry picked from commit 0ec5dcbdd7c922df25ce90b04902d9c7c749a8c0) Signed-off-by: Steve Sakoman --- meta/recipes-graphics/xorg-xserver/xserver-xorg.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc index 22f7d9a8ad..e2754426cf 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc 
@@ -176,4 +176,4 @@ python populate_packages:prepend() { d.appendVar("RPROVIDES:" + pn, " " + get_abi("video")) } -CVE_STATUS[CVE-2023-5574] = "${@bb.utils.contains('PACKAGECONFIG', 'xvfb', '', 'not-applicable-config: specific to Xvfb', d)}" +CVE_STATUS[CVE-2023-5574] = "${@bb.utils.contains('PACKAGECONFIG', 'xvfb', 'unpatched', 'not-applicable-config: specific to Xvfb', d)}" From patchwork Wed Sep 4 21:32:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48668 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A06D8CD4F3C for ; Wed, 4 Sep 2024 21:33:20 +0000 (UTC) Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com [209.85.210.174]) by mx.groups.io with SMTP id smtpd.web11.62090.1725485593524767907 for ; Wed, 04 Sep 2024 14:33:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=p48z8Zlw; spf=softfail (domain: sakoman.com, ip: 209.85.210.174, mailfrom: steve@sakoman.com) Received: by mail-pf1-f174.google.com with SMTP id d2e1a72fcca58-7178df70f28so20697b3a.2 for ; Wed, 04 Sep 2024 14:33:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725485593; x=1726090393; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=KfZ6VdwNK29Ii2DqAA8QglWLE46xgE2hz4tBr75z+wM=; b=p48z8ZlwghcIrIfdmowJmw2IrgCJYJzekU1a8JbcET2K9ylyapOj/YQSoqPfOC1X8b d3m9dUyQLPHNGaM64IbSNC9WTdqrJI6HKbPYyL/ev1COsZ/Uk09gi1HgHuckPFrKgW7J 
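Review bot: On the changed CVE_STATUS[CVE-2023-5574] line in xserver-xorg.inc, the xvfb branch now yields a bare 'unpatched' with no reason text, while the other branch explains itself ('not-applicable-config: specific to Xvfb'). A one-line comment above the assignment, saying that builds with xvfb in PACKAGECONFIG remain affected and that the recipe carries no fix, would record in the recipe why the status depends on configuration; at present that is only in the commit message.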
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 05/14] apr: drop 0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch Date: Wed, 4 Sep 2024 14:32:46 -0700 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Sep 2024 21:33:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204217 From: Alexander Kanavin At some point this became unnecessary, as tested by building apr with DISTRO_FEATURES:append = " ld-is-gold" The logs do confirm that (previously) problematic binary links without errors. Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie (cherry picked from commit c041932f14cf552b0446732ce0cca6537f3286ab) Signed-off-by: Steve Sakoman --- ...libapr-against-phtread-to-make-gold-.patch | 50 ------------------- meta/recipes-support/apr/apr_1.7.4.bb | 1 - 2 files changed, 51 deletions(-) delete mode 100644 meta/recipes-support/apr/apr/0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch diff --git a/meta/recipes-support/apr/apr/0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch b/meta/recipes-support/apr/apr/0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch deleted file mode 100644 index 8760b0140c..0000000000 --- a/meta/recipes-support/apr/apr/0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From c6afc4a4a766478cb6aa6b43a50051881b6318d7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Andreas=20M=C3=BCller?= -Date: Fri, 3 Mar 2017 22:24:17 +0100 -Subject: [PATCH 7/7] explicitly link libapr against phtread to make gold happy - on test -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_mutexattr_init' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_mutexattr_settype' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_mutexattr_destroy' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_mutex_trylock' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_attr_setstacksize' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_create' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_join' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_detach' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_sigmask' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_once' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_key_create' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_getspecific' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_key_delete' -| ../.libs/libapr-1.so: error: undefined reference to 'pthread_setspecific' -| collect2: error: ld returned 1 exit status -| Makefile:114: recipe for target 'globalmutexchild' failed -| make[1]: *** [globalmutexchild] Error 1 -| make[1]: Leaving directory '/home/superandy/tmp/oe-core-glibc/work/cortexa7t2hf-neon-vfpv4-angstrom-linux-gnueabi/apr/1.5.2-r0/apr-1.5.2/test' - -Upstream-Status: Pending - -Signed-off-by: Andreas Müller ---- - configure.in | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/configure.in b/configure.in -index a227e72..cbc0f90 100644 ---- a/configure.in -+++ b/configure.in -@@ -784,6 +784,7 @@ else - 
APR_PTHREADS_CHECK_RESTORE ] ) - fi - if test "$pthreadh" = "1"; then -+ APR_ADDTO(LIBS,[-lpthread]) - APR_CHECK_PTHREAD_GETSPECIFIC_TWO_ARGS - APR_CHECK_PTHREAD_ATTR_GETDETACHSTATE_ONE_ARG - APR_CHECK_PTHREAD_RECURSIVE_MUTEX --- -1.8.3.1 - diff --git a/meta/recipes-support/apr/apr_1.7.4.bb b/meta/recipes-support/apr/apr_1.7.4.bb index d322629b66..4df741c766 100644 --- a/meta/recipes-support/apr/apr_1.7.4.bb +++ b/meta/recipes-support/apr/apr_1.7.4.bb 
@@ -18,7 +18,6 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \ file://0002-apr-Remove-workdir-path-references-from-installed-ap.patch \ file://0004-Fix-packet-discards-HTTP-redirect.patch \ file://0005-configure.in-fix-LTFLAGS-to-make-it-work-with-ccache.patch \ - file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \ file://libtoolize_check.patch \ file://0001-Add-option-to-disable-timed-dependant-tests.patch \ file://0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch \ From patchwork Wed Sep 4 21:32:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48667 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9FBFFCD4F3B for ; Wed, 4 Sep 2024 21:33:20 +0000 (UTC) Received: from mail-pg1-f173.google.com (mail-pg1-f173.google.com [209.85.215.173]) by mx.groups.io with SMTP id smtpd.web11.62091.1725485594992818284 for ; Wed, 04 Sep 2024 14:33:15 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=InW9MECJ; spf=softfail (domain: sakoman.com, ip: 209.85.215.173, mailfrom: steve@sakoman.com) Received: by mail-pg1-f173.google.com with SMTP id 41be03b00d2f7-7cd835872ceso102457a12.3 for ; Wed, 04 Sep 2024 14:33:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725485594; x=1726090394; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=hvJ9aIGB/ctjPuukm4kbxKlLBXKodLnwnq2xYoHXMdg=; 
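Review bot: The SRC_URI hunk in apr_1.7.4.bb drops 0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch on the basis of one ld-is-gold build, but the log in the deleted patch shows the original failure came from the test directory (target globalmutexchild) on a cortexa7t2hf-neon-vfpv4 build of apr 1.5.2. The commit message would be easier to verify if it named the MACHINE that was built and the binary whose link step was checked in the logs, since the recipe inherits ptest and the failing target was a test program.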
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 06/14] apr: upgrade 1.7.4 -> 1.7.5 Date: Wed, 4 Sep 2024 14:32:47 -0700 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Sep 2024 21:33:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204218 From: Vijay Anusuri Refreshed patch 0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch Includes security fix CVE-2023-49582 changelog: https://downloads.apache.org/apr/CHANGES-APR-1.7 Signed-off-by: Vijay Anusuri Signed-off-by: Richard Purdie (cherry picked from commit c5d9498466526451910fa02862f8860b2bb81df8) Signed-off-by: Steve Sakoman --- ...1-configure-Remove-runtime-test-for-mmap-that-can-map-.patch | 2 +- meta/recipes-support/apr/{apr_1.7.4.bb => apr_1.7.5.bb} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-support/apr/{apr_1.7.4.bb => apr_1.7.5.bb} (98%) diff --git a/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch index a78b16284f..3480deaa4d 100644 --- a/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch +++ b/meta/recipes-support/apr/apr/0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch @@ -34,7 +34,7 @@ index 3663220..dce9789 100644 -#ifdef HAVE_SYS_MMAN_H -#include -#endif -- int main() +- int main(int argc, const char *argv[]) - { - int fd; - void *m; diff --git a/meta/recipes-support/apr/apr_1.7.4.bb b/meta/recipes-support/apr/apr_1.7.5.bb similarity index 98% rename from meta/recipes-support/apr/apr_1.7.4.bb rename to meta/recipes-support/apr/apr_1.7.5.bb index 4df741c766..78796476e2 100644 
--- a/meta/recipes-support/apr/apr_1.7.4.bb +++ b/meta/recipes-support/apr/apr_1.7.5.bb 
@@ -25,7 +25,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \ file://0001-dso-Check-for-NULL-handle-in-apr_dso_sym.patch \ " -SRC_URI[sha256sum] = "fc648de983f3a2a6c9e78dea1f180639bd2fad6c06d556d4367a701fe5c35577" +SRC_URI[sha256sum] = "cd0f5d52b9ab1704c72160c5ee3ed5d3d4ca2df4a7f8ab564e3cb352b67232f2" inherit autotools-brokensep lib_package binconfig multilib_header ptest multilib_script From patchwork Wed Sep 4 21:32:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48672 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BAE2FCD4F3E for ; Wed, 4 Sep 2024 21:33:30 +0000 (UTC) Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) by mx.groups.io with SMTP id smtpd.web11.62096.1725485601511822602 for ; Wed, 04 Sep 2024 14:33:21 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=hKxhNUsv; spf=softfail (domain: sakoman.com, ip: 209.85.216.49, mailfrom: steve@sakoman.com) Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-2d8f06c2459so33786a91.0 for ; Wed, 04 Sep 2024 14:33:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725485596; x=1726090396; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=oMAiQIdBuxWRGKRRhqAwgLjTxkdFww86iMA0tjH6eZc=; b=hKxhNUsvyIjeKuUy4ef3cSAryAkCrKjja3DoHyvV4b3VGi6ebJ0jYaHCk9sgP78O8b uCzWJqfUMbG30Wf7KSlDX4/zNAZEzEiMKN5EcH7ok6HP7yg17aQgT/VAu05Vstz/HGH/ 
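Review bot: The refresh of 0001-configure-Remove-runtime-test-for-mmap-that-can-map-.patch looks hand-edited rather than regenerated: the hunk header still shows the inner patch's index line as 'index 3663220..dce9789 100644', although the removed line it targets changed from 'int main()' to 'int main(int argc, const char *argv[])', which implies a different pre-image of the patched file. Regenerating the patch against the 1.7.5 sources would bring the inner index and offsets in line with the new tarball and confirm that it applies without fuzz. The commit message could also quote the CVE-2023-49582 entry from CHANGES-APR-1.7 instead of only linking the changelog.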
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 07/14] cups: upgrade 2.4.9 -> 2.4.10 Date: Wed, 4 Sep 2024 14:32:48 -0700 Message-Id: <01039c35a89de4bbd1410b3ee08a99cf325adf2b.1725456307.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Sep 2024 21:33:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204221 From: Wang Mingyu Changelog: =========== - Fixed error handling when reading a mixed "1setOf" attribute. - Fixed scheduler start if there is only domain socket to listen on 0001-use-echo-only-in-init.patch 0002-don-t-try-to-run-generated-binaries.patch 0004-cups-fix-multilib-install-file-conflicts.patch refreshed for 2.4.10. Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit dd7a978d2d7feb11f6c265ba812c8ca29912ebc6) Signed-off-by: Steve Sakoman --- .../cups/cups/0001-use-echo-only-in-init.patch | 11 ++++------- ...002-don-t-try-to-run-generated-binaries.patch | 16 ++++++---------- ...ups-fix-multilib-install-file-conflicts.patch | 12 ++++-------- .../cups/{cups_2.4.9.bb => cups_2.4.10.bb} | 2 +- 4 files changed, 15 insertions(+), 26 deletions(-) rename meta/recipes-extended/cups/{cups_2.4.9.bb => cups_2.4.10.bb} (51%) diff --git a/meta/recipes-extended/cups/cups/0001-use-echo-only-in-init.patch b/meta/recipes-extended/cups/cups/0001-use-echo-only-in-init.patch index 80bbad0a44..e6bd400779 100644 --- a/meta/recipes-extended/cups/cups/0001-use-echo-only-in-init.patch +++ b/meta/recipes-extended/cups/cups/0001-use-echo-only-in-init.patch @@ -1,7 +1,7 @@ -From a3f4d8ba97f4669a95943a7e65eb61aa44ce7999 Mon Sep 17 00:00:00 2001 +From ddfe6ed6a89226985e8c9f0751c026aabc0927a0 Mon Sep 17 00:00:00 2001 
From: Saul Wold Date: Thu, 13 Dec 2012 19:03:52 -0800 -Subject: [PATCH 1/4] use echo only in init +Subject: [PATCH] use echo only in init Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Alexander Kanavin @@ -10,10 +10,10 @@ Signed-off-by: Alexander Kanavin 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scheduler/cups.sh.in b/scheduler/cups.sh.in -index 89ac36d..6618a0f 100644 +index 74cce18..c57f0db 100644 --- a/scheduler/cups.sh.in +++ b/scheduler/cups.sh.in -@@ -50,7 +50,7 @@ case "`uname`" in +@@ -51,7 +51,7 @@ case "`uname`" in ECHO_ERROR=: ;; @@ -22,6 +22,3 @@ index 89ac36d..6618a0f 100644 IS_ON=/bin/true if test -f /etc/init.d/functions; then . /etc/init.d/functions --- -2.17.1 - diff --git a/meta/recipes-extended/cups/cups/0002-don-t-try-to-run-generated-binaries.patch b/meta/recipes-extended/cups/cups/0002-don-t-try-to-run-generated-binaries.patch index 2bc26edbfc..75270cb0cb 100644 --- a/meta/recipes-extended/cups/cups/0002-don-t-try-to-run-generated-binaries.patch +++ b/meta/recipes-extended/cups/cups/0002-don-t-try-to-run-generated-binaries.patch @@ -1,21 +1,20 @@ -From 3e9a965dcd65ab2d40b753b6f792a1a4559182aa Mon Sep 17 00:00:00 2001 +From ff6c7168c3f26094b3a18298208a28831d1c1fd5 Mon Sep 17 00:00:00 2001 From: Koen Kooi Date: Sun, 30 Jan 2011 16:37:27 +0100 -Subject: [PATCH 2/4] don't try to run generated binaries +Subject: [PATCH] don't try to run generated binaries Upstream-Status: Inappropriate [embedded specific] Signed-off-by: Koen Kooi - --- - ppdc/Makefile | 32 ++++++++++++++++---------------- - 1 file changed, 16 insertions(+), 16 deletions(-) + ppdc/Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ppdc/Makefile b/ppdc/Makefile -index 32e2e0b..f1478d4 100644 +index e36ed11..3fe97e1 100644 --- a/ppdc/Makefile 
+++ b/ppdc/Makefile -@@ -186,8 +186,8 @@ genstrings: genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \ +@@ -187,8 +187,8 @@ genstrings: genstrings.o libcupsppdc.a ../cups/$(LIBCUPSSTATIC) \ $(LD_CXX) $(ARCHFLAGS) $(ALL_LDFLAGS) -o genstrings genstrings.o \ libcupsppdc.a $(LINKCUPSSTATIC) $(CODE_SIGN) -s "$(CODE_SIGN_IDENTITY)" $@ @@ -26,6 +25,3 @@ index 32e2e0b..f1478d4 100644 # --- -2.17.1 - diff --git a/meta/recipes-extended/cups/cups/0004-cups-fix-multilib-install-file-conflicts.patch b/meta/recipes-extended/cups/cups/0004-cups-fix-multilib-install-file-conflicts.patch index bc9260307c..d49fb8f2c2 100644 --- a/meta/recipes-extended/cups/cups/0004-cups-fix-multilib-install-file-conflicts.patch +++ b/meta/recipes-extended/cups/cups/0004-cups-fix-multilib-install-file-conflicts.patch @@ -1,7 +1,7 @@ -From 7dbda1887aa19ab720aff22312f4caff2d575f62 Mon Sep 17 00:00:00 2001 +From 6e286b582571ffca3f7874076d70eec6fd5713f6 Mon Sep 17 00:00:00 2001 From: Kai Kang Date: Wed, 3 Oct 2018 00:27:11 +0800 -Subject: [PATCH 4/4] cups: fix multilib install file conflicts +Subject: [PATCH] cups: fix multilib install file conflicts @CUPS_SERVERBIN@ is ${libdir} related that causes multilib install file conflict. Remove @CUPS_SERVERBIN@ from the comment line of cups-files.conf to @@ -10,16 +10,15 @@ avoid the conflict. Upstream-Status: Inappropriate [OE specific] Signed-off-by: Kai Kang - --- conf/cups-files.conf.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/cups-files.conf.in b/conf/cups-files.conf.in -index 4a78ba6..03c6582 100644 +index 93584a1..65b7052 100644 --- a/conf/cups-files.conf.in +++ b/conf/cups-files.conf.in -@@ -73,7 +73,7 @@ PageLog @CUPS_LOGDIR@/page_log +@@ -67,7 +67,7 @@ PageLog @CUPS_LOGDIR@/page_log #RequestRoot @CUPS_REQUESTS@ # Location of helper programs... @@ -28,6 +27,3 @@ index 4a78ba6..03c6582 100644 # SSL/TLS keychain for the scheduler... #ServerKeychain @CUPS_SERVERKEYCHAIN@ --- -2.17.1 - 
diff --git a/meta/recipes-extended/cups/cups_2.4.9.bb b/meta/recipes-extended/cups/cups_2.4.10.bb similarity index 51% rename from meta/recipes-extended/cups/cups_2.4.9.bb rename to meta/recipes-extended/cups/cups_2.4.10.bb index e0a3522004..e16ad47cf5 100644 --- a/meta/recipes-extended/cups/cups_2.4.9.bb +++ b/meta/recipes-extended/cups/cups_2.4.10.bb 
@@ -2,4 +2,4 @@ require cups.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI[sha256sum] = "38fbf4535a10554113e013d54fedda03ee88007ea6a9761d626a04e1e4489e8c" +SRC_URI[sha256sum] = "d75757c2bc0f7a28b02ee4d52ca9e4b1aa1ba2affe16b985854f5336940e5ad7" From patchwork Wed Sep 4 21:32:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48670 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B036DCD4F3E for ; Wed, 4 Sep 2024 21:33:20 +0000 (UTC) Received: from mail-pg1-f172.google.com (mail-pg1-f172.google.com [209.85.215.172]) by mx.groups.io with SMTP id smtpd.web11.62094.1725485598867376142 for ; Wed, 04 Sep 2024 14:33:18 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=BaiTdJex; spf=softfail (domain: sakoman.com, ip: 209.85.215.172, mailfrom: steve@sakoman.com) Received: by mail-pg1-f172.google.com with SMTP id 41be03b00d2f7-7c6b4222fe3so93856a12.3 for ; Wed, 04 Sep 2024 14:33:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725485598; x=1726090398; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=hPcDsrIAhva7E1ccu47a6PbxC+xhxaj7YiRCdXY5TtY=; b=BaiTdJexglHangUPLsrETOoiL0UOokC4WNHj0wrYEPyDFD7nzF0gx775MNw9o982z+ IXi1DUf2hJtT9+NhZOTgoeox0jgWx688A6zLn56c+qu2ZbUAshAfz9tKmpFdj7gyf+Nd czV1pf+/U0lk570SHru5G9m5qGv4e3CZh8Y1Tq4m2wj8QKnz7oHZ6Ce1mert1P+oW3P8 pMPHQSW/kFWpQIqt6JURiPGGlJCAriFId9bpt86UIka68CoF1Q8CxiCcgvEDc4ywKhPu 
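Review bot: In the refresh of 0002-don-t-try-to-run-generated-binaries.patch the inner diffstat for ppdc/Makefile drops from 16 insertions and 16 deletions to 2 and 2, while the only visible body change is the hunk offset moving from 186 to 187. The commit message says only that the three patches were refreshed; it should state that the old diffstat was stale and that no part of the change was dropped, so a reader does not have to diff the patch bodies to confirm it. The same refresh removes the '[PATCH n/4]' numbering and the git version trailer from all three patches, which is fine but worth a word for the same reason.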
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 08/14] wpa-supplicant: Upgrade 2.10 -> 2.11
Date: Wed, 4 Sep 2024 14:32:49 -0700
Message-Id: <35c2b5f56bca789b9723a144fda0a130a67a860c.1725456307.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204219

From: Siddharth Doshi

License-Update:
===============
- README: Change in copyright years as per https://w1.fi/cgit/hostap/commit/README?id=d945ddd368085f255e68328f2d3b020ceea359af
- wpa_supplicant/wpa_supplicant.c: Change in copyright years as per https://w1.fi/cgit/hostap/commit/wpa_supplicant/wpa_supplicant.c?id=d945ddd368085f255e68328f2d3b020ceea359af

CVE's Fixed:
===========
- CVE-2024-5290 wpa_supplicant: wpa_supplicant loading arbitrary shared objects allowing privilege escalation
- CVE-2023-52160 wpa_supplicant: potential authorization bypass

Changes between 2.10 -> 2.11:
============================
https://w1.fi/cgit/hostap/commit/wpa_supplicant/ChangeLog?id=d945ddd368085f255e68328f2d3b020ceea359af

Note:
=====
Patches
0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch,
0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch,
0001-Install-wpa_passphrase-when-not-disabled.patch,
0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch (CVE-2023-52160)
are already fixed and hence removing them.

Signed-off-by: Siddharth Doshi
Signed-off-by: Richard Purdie
(cherry picked from commit 824eb0641dc6001a5e9ad7a685e60c472c9fdce8)
Signed-off-by: Steve Sakoman --- ...all-wpa_passphrase-when-not-disabled.patch | 33 --- ...te-Phase-2-authentication-requiremen.patch | 213 ------------------ ...options-for-libwpa_client.so-and-wpa.patch | 73 ------ ...oval-of-wpa_passphrase-on-make-clean.patch | 26 --- ...plicant_2.10.bb => wpa-supplicant_2.11.bb} | 10 +- 5 files changed, 3 insertions(+), 352 deletions(-) delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch delete mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch rename meta/recipes-connectivity/wpa-supplicant/{wpa-supplicant_2.10.bb => wpa-supplicant_2.11.bb} (90%) diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch deleted file mode 100644 index c04c608bde..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-Install-wpa_passphrase-when-not-disabled.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 57b12a1e43605f71239a21488cb9b541f0751dda Mon Sep 17 00:00:00 2001 -From: Alex Kiernan -Date: Thu, 21 Apr 2022 10:15:29 +0100 -Subject: [PATCH] Install wpa_passphrase when not disabled - -As part of fixing CONFIG_NO_WPA_PASSPHRASE, whilst wpa_passphrase gets -built, its not installed during `make install`. - -Fixes: cb41c214b78d ("build: Re-enable options for libwpa_client.so and wpa_passphrase") -Signed-off-by: Alex Kiernan -Signed-off-by: Alex Kiernan -Upstream-Status: Submitted [http://lists.infradead.org/pipermail/hostap/2022-April/040448.html] ---- - wpa_supplicant/Makefile | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index 0bab313f2355..12787c0c7d0f 100644 ---- a/wpa_supplicant/Makefile -+++ b/wpa_supplicant/Makefile -@@ -73,6 +73,9 @@ $(DESTDIR)$(BINDIR)/%: % - - install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL)) - $(MAKE) -C ../src install -+ifndef CONFIG_NO_WPA_PASSPHRASE -+ install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase -+endif - ifdef CONFIG_BUILD_WPA_CLIENT_SO - install -m 0644 -D libwpa_client.so $(DESTDIR)/$(LIBDIR)/libwpa_client.so - install -m 0644 -D ../src/common/wpa_ctrl.h $(DESTDIR)/$(INCDIR)/wpa_ctrl.h --- -2.35.1 - diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch deleted file mode 100644 index 620560d3c7..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch +++ /dev/null 
@@ -1,213 +0,0 @@ -From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Sat, 8 Jul 2023 19:55:32 +0300 -Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements - -The previous PEAP client behavior allowed the server to skip Phase 2 -authentication with the expectation that the server was authenticated -during Phase 1 through TLS server certificate validation. Various PEAP -specifications are not exactly clear on what the behavior on this front -is supposed to be and as such, this ended up being more flexible than -the TTLS/FAST/TEAP cases. However, this is not really ideal when -unfortunately common misconfiguration of PEAP is used in deployed -devices where the server trust root (ca_cert) is not configured or the -user has an easy option for allowing this validation step to be skipped. - -Change the default PEAP client behavior to be to require Phase 2 -authentication to be successfully completed for cases where TLS session -resumption is not used and the client certificate has not been -configured. Those two exceptions are the main cases where a deployed -authentication server might skip Phase 2 and as such, where a more -strict default behavior could result in undesired interoperability -issues. Requiring Phase 2 authentication will end up disabling TLS -session resumption automatically to avoid interoperability issues. 
- -Allow Phase 2 authentication behavior to be configured with a new phase1 -configuration parameter option: -'phase2_auth' option can be used to control Phase 2 (i.e., within TLS -tunnel) behavior for PEAP: - * 0 = do not require Phase 2 authentication - * 1 = require Phase 2 authentication when client certificate - (private_key/client_cert) is no used and TLS session resumption was - not used (default) - * 2 = require Phase 2 authentication in all cases - -Signed-off-by: Jouni Malinen - -CVE: CVE-2023-52160 -Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c] - -Signed-off-by: Claus Stovgaard - ---- - src/eap_peer/eap_config.h | 8 ++++++ - src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++--- - src/eap_peer/eap_tls_common.c | 6 +++++ - src/eap_peer/eap_tls_common.h | 5 ++++ - wpa_supplicant/wpa_supplicant.conf | 7 ++++++ - 5 files changed, 63 insertions(+), 3 deletions(-) - -diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h -index 3238f74..047eec2 100644 ---- a/src/eap_peer/eap_config.h -+++ b/src/eap_peer/eap_config.h -@@ -469,6 +469,14 @@ struct eap_peer_config { - * 1 = use cryptobinding if server supports it - * 2 = require cryptobinding - * -+ * phase2_auth option can be used to control Phase 2 (i.e., within TLS -+ * tunnel) behavior for PEAP: -+ * 0 = do not require Phase 2 authentication -+ * 1 = require Phase 2 authentication when client certificate -+ * (private_key/client_cert) is no used and TLS session resumption was -+ * not used (default) -+ * 2 = require Phase 2 authentication in all cases -+ * - * EAP-WSC (WPS) uses following options: pin=Device_Password and - * uuid=Device_UUID - * -diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c -index 12e30df..6080697 100644 ---- a/src/eap_peer/eap_peap.c -+++ b/src/eap_peer/eap_peap.c -@@ -67,6 +67,7 @@ struct eap_peap_data { - u8 cmk[20]; - int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) - * is 
enabled. */ -+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; - }; - - -@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data, - wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); - } - -+ if (os_strstr(phase1, "phase2_auth=0")) { -+ data->phase2_auth = NO_AUTH; -+ wpa_printf(MSG_DEBUG, -+ "EAP-PEAP: Do not require Phase 2 authentication"); -+ } else if (os_strstr(phase1, "phase2_auth=1")) { -+ data->phase2_auth = FOR_INITIAL; -+ wpa_printf(MSG_DEBUG, -+ "EAP-PEAP: Require Phase 2 authentication for initial connection"); -+ } else if (os_strstr(phase1, "phase2_auth=2")) { -+ data->phase2_auth = ALWAYS; -+ wpa_printf(MSG_DEBUG, -+ "EAP-PEAP: Require Phase 2 authentication for all cases"); -+ } - #ifdef EAP_TNC - if (os_strstr(phase1, "tnc=soh2")) { - data->soh = 2; -@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm) - data->force_peap_version = -1; - data->peap_outer_success = 2; - data->crypto_binding = OPTIONAL_BINDING; -+ data->phase2_auth = FOR_INITIAL; - - if (config && config->phase1) - eap_peap_parse_phase1(data, config->phase1); -@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, - } - - -+static bool peap_phase2_sufficient(struct eap_sm *sm, -+ struct eap_peap_data *data) -+{ -+ if ((data->phase2_auth == ALWAYS || -+ (data->phase2_auth == FOR_INITIAL && -+ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && -+ !data->ssl.client_cert_conf) || -+ data->phase2_eap_started) && -+ !data->phase2_eap_success) -+ return false; -+ return true; -+} -+ -+ - /** - * eap_tlv_process - Process a received EAP-TLV message and generate a response - * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() -@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, - " - force failed Phase 2"); - resp_status = EAP_TLV_RESULT_FAILURE; - ret->decision = DECISION_FAIL; -+ } else if (!peap_phase2_sufficient(sm, data)) { -+ wpa_printf(MSG_INFO, 
-+ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed"); -+ resp_status = EAP_TLV_RESULT_FAILURE; -+ ret->decision = DECISION_FAIL; - } else { - resp_status = EAP_TLV_RESULT_SUCCESS; - ret->decision = DECISION_UNCOND_SUCC; -@@ -887,8 +921,7 @@ continue_req: - /* EAP-Success within TLS tunnel is used to indicate - * shutdown of the TLS channel. The authentication has - * been completed. */ -- if (data->phase2_eap_started && -- !data->phase2_eap_success) { -+ if (!peap_phase2_sufficient(sm, data)) { - wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " - "Success used to indicate success, " - "but Phase 2 EAP was not yet " -@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, - static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) - { - struct eap_peap_data *data = priv; -+ - return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && -- data->phase2_success; -+ data->phase2_success && data->phase2_auth != ALWAYS; - } - - -diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c -index c1837db..a53eeb1 100644 ---- a/src/eap_peer/eap_tls_common.c -+++ b/src/eap_peer/eap_tls_common.c -@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, - - sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); - -+ if (!phase2) -+ data->client_cert_conf = params->client_cert || -+ params->client_cert_blob || -+ params->private_key || -+ params->private_key_blob; -+ - return 0; - } - -diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h -index 9ac0012..3348634 100644 ---- a/src/eap_peer/eap_tls_common.h -+++ b/src/eap_peer/eap_tls_common.h -@@ -79,6 +79,11 @@ struct eap_ssl_data { - * tls_v13 - Whether TLS v1.3 or newer is used - */ - int tls_v13; -+ -+ /** -+ * client_cert_conf: Whether client certificate has been configured -+ */ -+ bool client_cert_conf; - }; - - -diff --git 
a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf -index 6619d6b..d63f73c 100644 ---- a/wpa_supplicant/wpa_supplicant.conf -+++ b/wpa_supplicant/wpa_supplicant.conf -@@ -1321,6 +1321,13 @@ fast_reauth=1 - # * 0 = do not use cryptobinding (default) - # * 1 = use cryptobinding if server supports it - # * 2 = require cryptobinding -+# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS -+# tunnel) behavior for PEAP: -+# * 0 = do not require Phase 2 authentication -+# * 1 = require Phase 2 authentication when client certificate -+# (private_key/client_cert) is no used and TLS session resumption was -+# not used (default) -+# * 2 = require Phase 2 authentication in all cases - # EAP-WSC (WPS) uses following options: pin= or - # pbc=1. - # diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch deleted file mode 100644 index 6e930fc98d..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From cb41c214b78d6df187a31950342e48a403dbd769 Mon Sep 17 00:00:00 2001 -From: Sergey Matyukevich -Date: Tue, 22 Feb 2022 11:52:19 +0300 -Subject: [PATCH 1/2] build: Re-enable options for libwpa_client.so and - wpa_passphrase - -Commit a41a29192e5d ("build: Pull common fragments into a build.rules -file") introduced a regression into wpa_supplicant build process. The -build target libwpa_client.so is not built regardless of whether the -option CONFIG_BUILD_WPA_CLIENT_SO is set or not. This happens because -this config option is used before it is imported from the configuration -file. Moving its use after including build.rules does not help: the -variable ALL is processed by build.rules and further changes are not -applied. Similarly, option CONFIG_NO_WPA_PASSPHRASE also does not work -as expected: wpa_passphrase is always built regardless of whether the -option is set or not. - -Re-enable these options by adding both build targets to _all -dependencies. - -Fixes: a41a29192e5d ("build: Pull common fragments into a build.rules file") -Signed-off-by: Sergey Matyukevich -Upstream-Status: Backport -Signed-off-by: Alex Kiernan -Signed-off-by: Alex Kiernan ---- - wpa_supplicant/Makefile | 19 ++++++++++++------- - 1 file changed, 12 insertions(+), 7 deletions(-) - -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index cb66defac7c8..c456825ae75f 100644 ---- a/wpa_supplicant/Makefile -+++ b/wpa_supplicant/Makefile -@@ -1,24 +1,29 @@ - BINALL=wpa_supplicant wpa_cli - --ifndef CONFIG_NO_WPA_PASSPHRASE --BINALL += wpa_passphrase --endif -- - ALL = $(BINALL) - ALL += systemd/wpa_supplicant.service - ALL += systemd/wpa_supplicant@.service - ALL += systemd/wpa_supplicant-nl80211@.service - ALL += systemd/wpa_supplicant-wired@.service - ALL += dbus/fi.w1.wpa_supplicant1.service --ifdef CONFIG_BUILD_WPA_CLIENT_SO --ALL += libwpa_client.so --endif - - EXTRA_TARGETS=dynamic_eap_methods - - CONFIG_FILE=.config - include ../src/build.rules - -+ifdef 
CONFIG_BUILD_WPA_CLIENT_SO -+# add the dependency this way to allow CONFIG_BUILD_WPA_CLIENT_SO -+# being set in the config which is read by build.rules -+_all: libwpa_client.so -+endif -+ -+ifndef CONFIG_NO_WPA_PASSPHRASE -+# add the dependency this way to allow CONFIG_NO_WPA_PASSPHRASE -+# being set in the config which is read by build.rules -+_all: wpa_passphrase -+endif -+ - ifdef LIBS - # If LIBS is set with some global build system defaults, clone those for - # LIBS_c and LIBS_p to cover wpa_passphrase and wpa_cli as well. --- -2.35.1 - diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch deleted file mode 100644 index 53b0fcdf53..0000000000 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch +++ /dev/null @@ -1,26 +0,0 @@ -From d001b301ba7987f4b39453a211631b85c48f2ff8 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen -Date: Thu, 3 Mar 2022 13:26:42 +0200 -Subject: [PATCH 2/2] Fix removal of wpa_passphrase on 'make clean' - -Fixes: 0430bc8267b4 ("build: Add a common-clean target") -Signed-off-by: Jouni Malinen -Upstream-Status: Backport -Signed-off-by: Alex Kiernan -Signed-off-by: Alex Kiernan ---- - wpa_supplicant/Makefile | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile -index c456825ae75f..4b4688931b1d 100644 ---- a/wpa_supplicant/Makefile -+++ b/wpa_supplicant/Makefile -@@ -2077,3 +2077,4 @@ clean: common-clean - rm -f libwpa_client.a - rm -f libwpa_client.so - rm -f libwpa_test1 libwpa_test2 -+ rm -f wpa_passphrase --- -2.35.1 - 
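Review bot: Of the four carried patches deleted above, 0001-Install-wpa_passphrase-when-not-disabled.patch is tagged "Upstream-Status: Submitted", not Backport, so unlike the other three its own header does not show that upstream ever took it. Its hunk added "install -D wpa_passphrase $(DESTDIR)/$(BINDIR)/wpa_passphrase" under "ifndef CONFIG_NO_WPA_PASSPHRASE"; please confirm that the install target of wpa_supplicant/Makefile in 2.11 does the equivalent, and say so in the commit message. If it does not, the package loses wpa_passphrase without any build error.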
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb similarity index 90% rename from meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb rename to meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb index 22028ce957..03e4571cfb 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb @@ -5,8 +5,8 @@ BUGTRACKER = "http://w1.fi/security/" SECTION = "network" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://COPYING;md5=5ebcb90236d1ad640558c3d3cd3035df \ - file://README;beginline=1;endline=56;md5=e3d2f6c2948991e37c1ca4960de84747 \ - file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=76306a95306fee9a976b0ac1be70f705" + file://README;beginline=1;endline=56;md5=6e4b25e7d74bfc44a32ba37bdf5210a6 \ + file://wpa_supplicant/wpa_supplicant.c;beginline=1;endline=12;md5=f5ccd57ea91e04800edb88267bf8eae4" DEPENDS = "dbus libnl" 
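Review bot: The two new md5 values in LIC_FILES_CHKSUM are computed over the same fixed windows as before (README beginline=1;endline=56 and wpa_supplicant.c beginline=1;endline=12), so they show that those windows changed, not that the windows still cover the whole licence header in 2.11. The commit message attributes the change to copyright years; please confirm the header text did not grow or shift past line 56 and line 12 respectively, and adjust endline if it did. The COPYING md5 is unchanged, which is consistent with LICENSE staying "BSD-3-Clause".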
@@ -15,12 +15,8 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://wpa_supplicant.conf \ file://wpa_supplicant.conf-sane \ file://99_wpa_supplicant \ - file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \ - file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \ - file://0001-Install-wpa_passphrase-when-not-disabled.patch \ - file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \ " -SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f" +SRC_URI[sha256sum] = "912ea06f74e30a8e36fbb68064d6cdff218d8d591db0fc5d75dee6c81ac7fc0a" S = "${WORKDIR}/wpa_supplicant-${PV}" From patchwork Wed Sep 4 21:32:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48669 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CD743CD4F40 for ; Wed, 4 Sep 2024 21:33:20 +0000 (UTC) Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) by mx.groups.io with SMTP id smtpd.web11.62095.1725485600438001404 for ; Wed, 04 Sep 2024 14:33:20 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Xat3ZAs7; spf=softfail (domain: sakoman.com, ip: 209.85.216.51, mailfrom: steve@sakoman.com) Received: by mail-pj1-f51.google.com with SMTP id 98e67ed59e1d1-2daaa9706a9so26676a91.1 for ; Wed, 04 Sep 2024 14:33:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725485600; x=1726090400; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to 
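Review bot: Dropping file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch from SRC_URI removes the only "CVE: CVE-2023-52160" tag this recipe carried, so from this point the fix is asserted by the version number alone. The deleted patch names upstream commit 8e6485a1bcb0baffdea9e55255a81270b768439c; please state in the commit message that this commit is contained in the 2.11 release, and likewise name the upstream fix for CVE-2024-5290, which the message lists as fixed but which nothing in the recipe hunks references. Separately, the context line shows the tarball is still fetched from http://w1.fi/releases/ over plain HTTP, so the new SRC_URI[sha256sum] is the sole integrity check on the source; it is worth confirming the value against a copy obtained over HTTPS before merging.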
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 09/14] libadwaita: upgrade 1.5.1 -> 1.5.2 Date: Wed, 4 Sep 2024 14:32:50 -0700 Message-Id: <5cc094b5ba1a6e685b01ff35130c4e69fdc7e0ec.1725456307.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Sep 2024 21:33:20 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204220 From: Wang Mingyu Changelog: ========== - AdwAlertDialog - Fix unmatched va_start() - Fix setting default widget when removing a response - AdwBreakpointCondition - Fix leaks when parsing - AdwBreakpointBin - Fix a leak - AdwDialog - Fix toggling presentation mode - Fix close button ignoring :can-close - Fix ::close-attempt not emitting in some cases - Fix swipe area for bottom sheets - Leak fixes - AdwHeaderBar - Fix initial focus for the back button - Fix split view links in docs - AdwMessageDialog - Fix unmatched va_start() - AdwSpinRow - Fix ::input handling - AdwTabButton - Fix needs-attention badge on RTL - AdwTabView - Accessibility fixes - AdwViewStack - Accessibility fixes - Translation updates - Nepali Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit 25b8f5059061bf52257117ba7d54031a31388fb1) Signed-off-by: Steve Sakoman --- .../libadwaita/{libadwaita_1.5.1.bb => libadwaita_1.5.2.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-gnome/libadwaita/{libadwaita_1.5.1.bb => libadwaita_1.5.2.bb} (88%) diff --git a/meta/recipes-gnome/libadwaita/libadwaita_1.5.1.bb b/meta/recipes-gnome/libadwaita/libadwaita_1.5.2.bb similarity index 88% rename from meta/recipes-gnome/libadwaita/libadwaita_1.5.1.bb rename to meta/recipes-gnome/libadwaita/libadwaita_1.5.2.bb index 6cb67c0db0..078f81c677 100644 
--- a/meta/recipes-gnome/libadwaita/libadwaita_1.5.1.bb +++ b/meta/recipes-gnome/libadwaita/libadwaita_1.5.2.bb 
@@ -10,7 +10,7 @@ DEPENDS = " \ inherit gnomebase gobject-introspection gi-docgen vala features_check -SRC_URI[archive.sha256sum] = "7f144c5887d6dd2d99517c00fd42395ee20abc13ce55958a4fda64e6d7e473f8" +SRC_URI[archive.sha256sum] = "c9faee005cb4912bce34f69f1af26b01a364534e12ede5d9bac44d8226d72c16" ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}" REQUIRED_DISTRO_FEATURES = "opengl" From patchwork Wed Sep 4 21:32:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48671 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BAD61CD4F38 for ; Wed, 4 Sep 2024 21:33:30 +0000 (UTC) Received: from mail-pg1-f181.google.com (mail-pg1-f181.google.com [209.85.215.181]) by mx.groups.io with SMTP id smtpd.web11.62097.1725485602041485232 for ; Wed, 04 Sep 2024 14:33:22 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=zBaRByTd; spf=softfail (domain: sakoman.com, ip: 209.85.215.181, mailfrom: steve@sakoman.com) Received: by mail-pg1-f181.google.com with SMTP id 41be03b00d2f7-7cd835872ceso102539a12.3 for ; Wed, 04 Sep 2024 14:33:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1725485601; x=1726090401; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=+R4jGtEBnZieA4BUDGqD7z+KuWLk9Yodljqa5gUqJSw=; b=zBaRByTdv3xp4HHP6rOHJrBuH5jXwSHAbUecwDJ9Il+VtuTvZnmzhvo9F3qcwY8+Ts XGsMD3rOCnid7gXvrYTtt91zaRJAkMTK/r/Ohkl/Gy80JhVLo8Wemhoieh9WEah3u8/U 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 10/14] libdnf: upgrade 0.73.1 -> 0.73.2 Date: Wed, 4 Sep 2024 14:32:51 -0700 Message-Id: <20b67ad71cfa3eac35b2514067f87d79d9c3da2e.1725456307.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Sep 2024 21:33:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204222 From: Wang Mingyu Changelog: ========== - context: use rpmtsAddReinstallElement() when doing a reinstall - MergedTransaction: Fix invalid memory access when dropping items - ConfigParser: fix use-out-of-scope leaks - Since we use rpmtsAddReinstallElement rpm also uninstalls the package - Fix countme bucket calculation Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit 9cf8330068503a5721640763309c4c74f293a94d) Signed-off-by: Steve Sakoman --- .../libdnf/{libdnf_0.73.1.bb => libdnf_0.73.2.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-devtools/libdnf/{libdnf_0.73.1.bb => libdnf_0.73.2.bb} (97%) diff --git a/meta/recipes-devtools/libdnf/libdnf_0.73.1.bb b/meta/recipes-devtools/libdnf/libdnf_0.73.2.bb similarity index 97% rename from meta/recipes-devtools/libdnf/libdnf_0.73.1.bb rename to meta/recipes-devtools/libdnf/libdnf_0.73.2.bb index 3ab840b1b0..ed433d4a9f 100644 --- a/meta/recipes-devtools/libdnf/libdnf_0.73.1.bb +++ b/meta/recipes-devtools/libdnf/libdnf_0.73.2.bb 
@@ -13,7 +13,7 @@ SRC_URI = "git://github.com/rpm-software-management/libdnf;branch=dnf-4-master;p file://armarch.patch \ " -SRCREV = "0120e70747dcf05e716792e2e846c62eccd44319" +SRCREV = "86bbb159732e43dd6dff98c96e99382843f7c63b" UPSTREAM_CHECK_GITTAGREGEX = "(?P(?!4\.90)\d+(\.\d+)+)" S = "${WORKDIR}/git" From patchwork Wed Sep 4 21:32:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48675 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 11/14] wireless-regdb: upgrade 2024.05.08 -> 2024.07.04 Date: Wed, 4 Sep 2024 14:32:52 -0700 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Sep 2024 21:33:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204223 From: Wang Mingyu Signed-off-by: Wang Mingyu Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie (cherry picked from commit b460d2d55a35450564ea04255153b0a3bf715530) Signed-off-by: Steve Sakoman --- ...ireless-regdb_2024.05.08.bb => wireless-regdb_2024.07.04.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2024.05.08.bb => wireless-regdb_2024.07.04.bb} (94%) diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.07.04.bb similarity index 94% rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.07.04.bb index 95e33d9fb1..daf5e6dfcd 100644 --- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.05.08.bb +++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.07.04.bb 
@@ -5,7 +5,7 @@ LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "9aee1d86ebebb363b714bec941b2820f31e3b7f1a485ddc9fcbd9985c7d3e7c4" +SRC_URI[sha256sum] = "9832a14e1be24abff7be30dee3c9a1afb5fdfcf475a0d91aafef039f8d85f5eb" inherit bin_package allarch From patchwork Wed Sep 4 21:32:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48673 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 12/14] oeqa/runtime/ssh: increase the number of attempts Date: Wed, 4 Sep 2024 14:32:53 -0700 Message-Id: <4581b5793f310d2f1f0c80bfe1a5f8743416c4fc.1725456307.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Sep 2024 21:33:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204224 From: Jon Mason Under high load, the ssh test is hitting the amount of retries. Increase it to 20 to avoid this issue. This would increase the maximum failure time from 50 seconds (5 * 10) to 100 seconds. Signed-off-by: Jon Mason Signed-off-by: Richard Purdie (cherry picked from commit c796438eec5dd6b4671b798f85506bc89ff402ab) Signed-off-by: Steve Sakoman --- meta/lib/oeqa/runtime/cases/ssh.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oeqa/runtime/cases/ssh.py b/meta/lib/oeqa/runtime/cases/ssh.py index 08430ae9db..b86428002f 100644 --- a/meta/lib/oeqa/runtime/cases/ssh.py +++ b/meta/lib/oeqa/runtime/cases/ssh.py 
@@ -16,7 +16,7 @@ class SSHTest(OERuntimeTestCase): @OETestDepends(['ping.PingTest.test_ping']) @OEHasPackage(['dropbear', 'openssh-sshd']) def test_ssh(self): - for i in range(10): + for i in range(20): status, output = self.target.run("uname -a", timeout=5) if status == 0: break From patchwork Wed Sep 4 21:32:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48674 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 13/14] openssh: add backported header file include Date: Wed, 4 Sep 2024 14:32:54 -0700 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Sep 2024 21:33:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204225
From: Jon Mason Backport upstream patch to add a missing header. The patch says it is for systemd, but I am seeing build issues when building openssh with clang and musl. The issue being seen is: #warning usage of non-standard #include is deprecated And similar deprecated warnings. This patch resolves the issue. Original patch can be found at https://github.com/openssh/openssh-portable/commit/88351eca17dcc55189991ba60e50819b6d4193c1 This issue was introduced with OE-Core 1c9d3c22718bf49ae85c2d06e0ee60ebdc2fd0c1 https://github.com/openembedded/openembedded-core/commit/1c9d3c22718bf49ae85c2d06e0ee60ebdc2fd0c1 Patch suggested by Khem Raj. Signed-off-by: Jon Mason Signed-off-by: Steve Sakoman --- ...sing-header-for-systemd-notification.patch | 27 +++++++++++++++++++ .../openssh/openssh_9.6p1.bb | 1 + 2 files changed, 28 insertions(+) create mode 100644 meta/recipes-connectivity/openssh/openssh/0001-Fix-missing-header-for-systemd-notification.patch diff --git a/meta/recipes-connectivity/openssh/openssh/0001-Fix-missing-header-for-systemd-notification.patch b/meta/recipes-connectivity/openssh/openssh/0001-Fix-missing-header-for-systemd-notification.patch new file mode 100644 index 0000000000..2baa4a6fe5 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-Fix-missing-header-for-systemd-notification.patch 
@@ -0,0 +1,27 @@ +From 88351eca17dcc55189991ba60e50819b6d4193c1 Mon Sep 17 00:00:00 2001 +From: 90 +Date: Fri, 5 Apr 2024 19:36:06 +0100 +Subject: [PATCH] Fix missing header for systemd notification + +Upstream-Status: Backport [88351eca17dcc55189991ba60e50819b6d4193c1] +Signed-off-by: Jon Mason + +--- + openbsd-compat/port-linux.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c +index df7290246df6..4c024c6d2d61 100644 +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + + #include "log.h" + #include "xmalloc.h" +-- +2.39.2 + diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index 042acffe6a..3c507cf911 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb 
@@ -28,6 +28,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://0001-notify-systemd-on-listen-and-reload.patch \ file://CVE-2024-6387.patch \ file://CVE-2024-39894.patch \ + file://0001-Fix-missing-header-for-systemd-notification.patch \ " SRC_URI[sha256sum] = "910211c07255a8c5ad654391b40ee59800710dd8119dd5362de09385aa7a777c" From patchwork Wed Sep 4 21:32:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 48676 X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 14/14] mc: fix source URL Date: Wed, 4 Sep 2024 14:32:55 -0700 Message-Id: <7e11701698a9f38a5e3e0499c0c2edd98d32a85d.1725456307.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 04 Sep 2024 21:33:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204226 From: Benjamin Szőke new URL for sources: http://ftp.midnight-commander.org/ Signed-off-by: Benjamin Szőke Signed-off-by: Richard Purdie (cherry picked from commit 03c4052718a9b8392b25e1770630317b8cf29fbe) Signed-off-by: Steve Sakoman --- meta/recipes-extended/mc/mc_4.8.31.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-extended/mc/mc_4.8.31.bb b/meta/recipes-extended/mc/mc_4.8.31.bb index 69c32887a2..5f8257f71f 100644 --- a/meta/recipes-extended/mc/mc_4.8.31.bb +++ b/meta/recipes-extended/mc/mc_4.8.31.bb @@ -8,7 +8,7 @@ DEPENDS = "ncurses glib-2.0 util-linux file-replacement-native" RDEPENDS:${PN} = "ncurses-terminfo-base" RRECOMMENDS:${PN} = "ncurses-terminfo" -SRC_URI = "http://www.midnight-commander.org/downloads/${BPN}-${PV}.tar.bz2 \ +SRC_URI = "http://ftp.midnight-commander.org/${BPN}-${PV}.tar.bz2 \ file://nomandate.patch \ " SRC_URI[sha256sum] = "f42f4114ed42f6cf9995f1d896fa6c797ccb36dac57760dda8dd9f78ac462841"
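Review bot: In the libdnf recipe hunk (10/14), the new SRCREV = "86bbb159732e43dd6dff98c96e99382843f7c63b" is not tied to the 0.73.2 tag anywhere in the commit message or the visible lines, so the renamed libdnf_0.73.2.bb and the revision actually fetched cannot be cross-checked from the patch alone. Please state in the message that this hash is the commit the upstream 0.73.2 tag points to. Since the changelog lists memory-safety fixes (invalid memory access in MergedTransaction, use-out-of-scope in ConfigParser), it would also help stable-branch users to say whether any of them has a CVE assigned.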
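Review bot: In the wireless-regdb hunk (11/14), the SRC_URI[sha256sum] replacement is the whole integrity anchor for the new tarball, yet the commit message body is empty: there is no changelog and no statement of where the new value came from. Please note how the checksum was obtained, ideally checked against the upstream release signature or published checksum list rather than copied from a local fetch, and add a one-line summary of what changed in 2024.07.04.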
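Review bot: In test_ssh (12/14), range(20) leaves the attempt count as a bare literal beside timeout=5, and the 100 second bound quoted in the commit message only holds when every attempt runs to its timeout; an attempt that fails fast, for example a refused connection while sshd is still starting, uses up an iteration without waiting that long. Consider naming the count and bounding the loop by elapsed time, or confirming that the lines after the break sleep between attempts, so the extra retries actually buy time under load and a genuinely unreachable sshd still fails with a clear message.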
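Review bot: In the new 0001-Fix-missing-header-for-systemd-notification.patch (13/14), the Upstream-Status: Backport line carries only the bare hash 88351eca17dcc55189991ba60e50819b6d4193c1; the full upstream commit URL appears in the commit message but not in the patch file, which is the part that stays in the tree. Please put the URL in the Upstream-Status line and add a sentence to the patch header about the clang and musl warning it resolves, so the reason for carrying it is visible next to CVE-2024-6387.patch and CVE-2024-39894.patch without going back to the list archive.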
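Review bot: In the openssh_9.6p1.bb hunk (13/14), the added SRC_URI entry arrives without a "(cherry picked from commit ...)" line, unlike the other backports in this series, so it is not clear from the message whether master already carries the same fix; please say so explicitly. Since the message ties the breakage to the systemd notification change, listing the new file directly after 0001-notify-systemd-on-listen-and-reload.patch instead of after the two CVE patches would keep the related pair together and leave the CVE patches as a contiguous block for auditing.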
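Review bot: In the mc_4.8.31.bb hunk (14/14), the replacement SRC_URI still fetches over plain http://, so the unchanged SRC_URI[sha256sum] = "f42f4114ed42f6cf9995f1d896fa6c797ccb36dac57760dda8dd9f78ac462841" in the context lines is the only thing authenticating the tarball from the new host. Please confirm in the commit message that the file served from ftp.midnight-commander.org matches that checksum, and switch the scheme to https:// if the host serves it.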