From patchwork Wed Dec 11 14:47:31 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 53939 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 63814E7717D for ; Wed, 11 Dec 2024 14:47:45 +0000 (UTC) Received: from mail-pf1-f175.google.com (mail-pf1-f175.google.com [209.85.210.175]) by mx.groups.io with SMTP id smtpd.web10.12657.1733928464713874960 for ; Wed, 11 Dec 2024 06:47:44 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Jr8+Df0Z; spf=softfail (domain: sakoman.com, ip: 209.85.210.175, mailfrom: steve@sakoman.com) Received: by mail-pf1-f175.google.com with SMTP id d2e1a72fcca58-728ec840a8aso1248435b3a.0 for ; Wed, 11 Dec 2024 06:47:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1733928464; x=1734533264; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=6G4xMyJkHH8JcYUk6BgwjFRVSNI6QfiyF9TuDZMIKVY=; b=Jr8+Df0ZGlOZIB5lmVNFcC+LNOSdI7ISReBjpsZ8Bis3Bl8khsrnewG/XBwih8Z/8T nS8OTL5cpHXin0Eh/3oxjBdHs9l+aGRQdlE4Xoe7ZyNCvTKoM/ot7SH8gB6QHqpNJXhj Mzu7e6Z7M1hc2d46KUKcOP9r2mpO28p4fSfKp/kW+rELJ+t3BTZc605/L0OlGzPpyPJP RUOgsLzeWUpClHuZ91AdSTsZkDpE1sb3Pj68LzqHxiCu46SGKvJJ35JYn/ol79NLYZoe Rzw8L9uN4fBj0Ya2Jw5KamvM7cXkmBeXGgCnngZHWZPk3svuW3gC5ejII7o3PWfUhuqZ yRRQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733928464; x=1734533264; h=content-transfer-encoding:mime-version:references:in-reply-to 
:message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6G4xMyJkHH8JcYUk6BgwjFRVSNI6QfiyF9TuDZMIKVY=; b=AiZnG0Es1KAHWOw0RzfUqb2Kv94Zea/lfd5YvFdzscp3IXtcb7RfcG6yejiCGCsrY3 ePNR4GUvvrTAvT6Oe3tTCcycPBjG6Rd34lKhmOIRtBNgreore+HSIRJQ5jjQwXWDYRSI qKY0n89y7qiJW1qIvqUzd7aUP+spbNUtbnIsYy+euzXoLiXUuCcEG1BxtnWIEuVOGiIF AbKjQ5sQxD1cMB9XCeQksvi5wxfVbBedj0L12QPyfknBQ9cgNn1EW08KoLO60oFFs5ln ej67W6CXqS/IlXhlay5pSx6mDhEuBXMFBXn/R+2Txelc7Nh6EHicujlT+Sr5OUFHK7VT 5mSA== X-Gm-Message-State: AOJu0YwBdclaSuOX9qWbXLO8DYScS/5e86IwkZz9zJLfGpc41UTn/9nh fc+uT1L0s4jEndrDRcRE579VoqMNKhNTALq8IVwXeH+Ahubipet/ajZ5u6qJN8YJTtWJETMwlem s X-Gm-Gg: ASbGncv/K5ahLUDrq95mnnNtsFRj1Az2eAknpYT3BC3B4kEcXGr8KqEAUgSol8SVMZj ze7blyE1GbVnCS/0wOGis9C9/yHA08gaT96440h4AeJPJ0HM9CAnBmur+MpVeT2uBTHsNVjHLyy pig8h8tYGcnYIaPc3nrhMm9Uo94pH4PV2DS/Kr7Ouwuq8fAfYrx5Artrk3JU9230dKhh+vET15R 3UvEG8UiLRXtYvZyZXDaAiTD/VFWBLH3eahAcUFp2Q= X-Google-Smtp-Source: AGHT+IGHwoCPHLAfwk6HhwfnPJByiHxczmL1lCCxvRiZcvHKL1uBiRq0M/dgNlESma5MfLqy3o6OKw== X-Received: by 2002:a05:6a21:788b:b0:1e1:9f57:eaaf with SMTP id adf61e73a8af0-1e1cda88e69mr302834637.6.1733928463743; Wed, 11 Dec 2024 06:47:43 -0800 (PST) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-7fd3891dc95sm7494377a12.42.2024.12.11.06.47.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Dec 2024 06:47:43 -0800 (PST) 
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 1/7] libsdl2: ignore CVE-2020-14409 and CVE-2020-14410
Date: Wed, 11 Dec 2024 06:47:31 -0800
Message-Id: <3079d562b4df69ab0ac20ec8d13a4240ce0a3514.1733928291.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/208586

From: Peter Marko

This was fixed in 2.0.14, but the NVD DB lists > 2.0.20, causing false positives in CVE metrics.

NVD entries [1] and [2] list commit [3], which redirects to commit [4].
Also Debian 10 uses this commit, while Debian 11 with 2.0.14 does not patch it and claims it's fixed.
Trying to apply the patch shows it's already applied.

The following shows the git history of this commit wrt tags.

SDL$ git describe a7ff6e96155f550a5597621ebeddd03c98aa9294 --tags
release-2.0.12-305-ga7ff6e961
SDL$ git describe release-2.0.14 --tags --match=release-2.0.12
release-2.0.12-873-g4cd981609
SDL$ git describe release-2.0.20 --tags --match=release-2.0.12
release-2.0.12-3126-gb424665e0

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14409
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-14410
[3] https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
[4] https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb
index abcf232e25..6d30d0baa8 100644
--- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb
+++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.20.bb
@@ -82,3 +82,6 @@ PACKAGECONFIG[x11] = "-DSDL_X11=ON,-DSDL_X11=OFF,virtual/libx11 libxext l CFLAGS:append:class-native = " -DNO_SHARED_MEMORY" BBCLASSEXTEND = "native nativesdk" + +# These are fixed since 2.0.14, NVD DB incorrectly lists > 20.0.20 +CVE_CHECK_IGNORE += "CVE-2020-14409 CVE-2020-14410" From patchwork Wed Dec 11 14:47:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 53941 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 59D55E7717D for ; Wed, 11 Dec 2024 14:47:55 +0000 (UTC) Received: from mail-pf1-f170.google.com (mail-pf1-f170.google.com [209.85.210.170]) by mx.groups.io with SMTP id smtpd.web10.12658.1733928466245395964 for ; Wed, 11 Dec 2024 06:47:46 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=T4cdAr9r; spf=softfail (domain: sakoman.com, ip: 209.85.210.170, mailfrom: steve@sakoman.com) Received: by mail-pf1-f170.google.com with SMTP id d2e1a72fcca58-724d23df764so6223563b3a.1 for ; Wed, 11 Dec 2024 06:47:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1733928465; x=1734533265; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=RYjMkaoGEaKt/q4iK2mzdmEZcsVOPf1Xvrsj8fXtqVU=; b=T4cdAr9rWYRXSWiEojuW5j6mB/hd5Jwx/Gj1gEMFx5Qjh2sR4qZ9ad4ORH1I4o03Kf WJeR9xKoe5n5sTjHuFQ7FOM4CddnoC+0NWjPriFBbMTtR976H87RsSNBC0E7DAG3bJ9g MOlmy345/f9fIBbaWycSn7uDrabvQj/M2itiV28d92vPEzCTP3bzAf0uZbGwMJ9I3pNi 
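Review bot: the recipe comment added above CVE_CHECK_IGNORE reads "NVD DB incorrectly lists > 20.0.20", but the range discussed in the commit message and the recipe version itself are 2.0.20; fix the typo, since this comment is what a later auditor of the ignore list will read. The evidence for the ignore (fix commit a7ff6e96155f550a5597621ebeddd03c98aa9294 being contained in 2.0.14, NVD entries [1] and [2]) lives only in the commit message; consider carrying at least the upstream commit URL into the recipe comment so the entry can be re-verified without digging through git history.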
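The commit message above argues that the fix is in 2.0.14 by comparing `git describe` commit distances from release-2.0.12. Distance is a heuristic; the question "does release tag T contain fix commit C?" is answered exactly by ancestry, which `git merge-base --is-ancestor` tests. The following is an added example written for this page, not code from the OE-core patch or from SDL: it wraps that ancestry check in a function and runs it against a small repository constructed in a temporary directory (the tag names release-1.0, release-1.0.1 and release-1.1 and the function names are this example's own). It needs the git binary on PATH.

```python
"""Added example, not part of the OE-core patch or of SDL.

Decide whether a release tag contains a fix commit by ancestry rather than by
git-describe distance. Requires the git binary.
"""
import subprocess
import tempfile
from pathlib import Path


def commit_in_release(repo: str, fix_commit: str, tag: str) -> bool:
    """True when fix_commit is an ancestor of (or equal to) tag in repo."""
    # merge-base --is-ancestor: exit 0 = ancestor, 1 = not an ancestor,
    # anything else = an error such as an unknown revision.
    result = subprocess.run(
        ["git", "-C", repo, "merge-base", "--is-ancestor", fix_commit, tag],
        capture_output=True, text=True,
    )
    if result.returncode not in (0, 1):
        raise RuntimeError(result.stderr.strip())
    return result.returncode == 0


def make_demo_repo() -> tuple:
    """Construct a throwaway repository (a constructed fixture, not SDL's history):

        base -- fix -- more        tag release-1.1 (contains the fix)
        base -- other              tag release-1.0.1 (branched at release-1.0, no fix)

    Returns (repo_path, fix_sha)."""
    repo = tempfile.mkdtemp(prefix="demo-repo-")

    def git(*args):
        subprocess.run(
            ["git", "-C", repo,
             "-c", "user.name=demo", "-c", "user.email=demo@example.invalid",
             *args],
            check=True, capture_output=True,
        )

    def commit(content, message):
        Path(repo, "f").write_text(content)
        git("add", "f")
        git("commit", "-q", "-m", message)

    git("init", "-q")
    commit("base\n", "base")
    git("tag", "release-1.0")
    commit("fix\n", "fix the bug")
    fix_sha = subprocess.run(
        ["git", "-C", repo, "rev-parse", "HEAD"],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    commit("more\n", "more")
    git("tag", "release-1.1")
    # A maintenance branch that forked before the fix landed.
    git("checkout", "-q", "-b", "maint", "release-1.0")
    commit("other\n", "other")
    git("tag", "release-1.0.1")
    return repo, fix_sha


if __name__ == "__main__":
    repo, fix = make_demo_repo()
    for tag in ("release-1.0", "release-1.0.1", "release-1.1"):
        state = "fixed" if commit_in_release(repo, fix, tag) else "vulnerable"
        print(f"{tag}: {state}")
```

Against a real checkout the call is simply `commit_in_release("SDL", "a7ff6e96155f550a5597621ebeddd03c98aa9294", "release-2.0.14")`; a True result is the evidence a CVE_CHECK_IGNORE entry should cite.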
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 2/7] libpam: fix CVE-2024-10041
Date: Wed, 11 Dec 2024 06:47:32 -0800
Message-Id: <3422c2533caaa2664944315580c52a2272815305.1733928291.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/208587

From: Divya Chellam

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.

References:
https://security-tracker.debian.org/tracker/CVE-2024-10041

Upstream patches:
https://github.com/linux-pam/linux-pam/commit/b3020da7da384d769f27a8713257fbe1001878be

Signed-off-by: Divya Chellam
Signed-off-by: Steve Sakoman
---
 .../pam/libpam/CVE-2024-10041.patch | 98 +++++++++++++++++++
 meta/recipes-extended/pam/libpam_1.5.2.bb | 1 +
 2 files changed, 99 insertions(+)
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-10041.patch

diff --git a/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch b/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch
new file mode 100644
index 0000000000..cb0490299b
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/CVE-2024-10041.patch
@@ -0,0 +1,98 @@ +From b3020da7da384d769f27a8713257fbe1001878be Mon Sep 17 00:00:00 2001 +From: "Dmitry V. Levin" +Date: Mon, 1 Jan 2024 12:00:00 +0000 +Subject: [PATCH] pam_unix/passverify: always run the helper to obtain shadow + password file entries + +Initially, when pam_unix.so verified the password, it used to try to +obtain the shadow password file entry for the given user by invoking +getspnam(3), and only when that didn't work and the effective uid +was nonzero, pam_unix.so used to invoke the helper as a fallback. + +When SELinux support was introduced by commit +67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended +also for the case when SELinux was enabled. + +Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the +fallback conditions for the case when pam_modutil_getspnam() failed +with EACCES. + +Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is +invoked as a fallback when pam_modutil_getspnam() fails for any reason. + +The ultimate solution for the case when pam_unix.so does not have +permissions to obtain the shadow password file entry is to stop trying +to use pam_modutil_getspnam() and to invoke the helper instead. +Here are two recent examples. + +https://github.com/linux-pam/linux-pam/pull/484 describes a system +configuration where libnss_systemd is enabled along with libnss_files +in the shadow entry of nsswitch.conf, so when libnss_files is unable +to obtain the shadow password file entry for the root user, e.g. when +SELinux is enabled, NSS falls back to libnss_systemd which returns +a synthesized shadow password file entry for the root user, which +in turn locks the root user out. + +https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes +essentially the same problem in a similar system configuration. + +This commit is the final step in the direction of addressing the issue: +for password verification pam_unix.so now invokes the helper instead of +making the pam_modutil_getspnam() call. 
+ +* modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]: +Always return PAM_UNIX_RUN_HELPER instead of trying to obtain +the shadow password file entry. + +Complements: https://github.com/linux-pam/linux-pam/pull/386 +Resolves: https://github.com/linux-pam/linux-pam/pull/484 +Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92 + +CVE: CVE-2024-10041 + +Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b3020da7da384d769f27a8713257fbe1001878be] + +Signed-off-by: Divya Chellam +--- + modules/pam_unix/passverify.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c +index f2474a5..b300522 100644 +--- a/modules/pam_unix/passverify.c ++++ b/modules/pam_unix/passverify.c +@@ -237,20 +237,21 @@ PAMH_ARG_DECL(int get_account_info, + return PAM_UNIX_RUN_HELPER; + #endif + } else if (is_pwd_shadowed(*pwd)) { ++#ifdef HELPER_COMPILE + /* +- * ...and shadow password file entry for this user, ++ * shadow password file entry for this user, + * if shadowing is enabled + */ +- *spwdent = pam_modutil_getspnam(pamh, name); +- if (*spwdent == NULL) { +-#ifndef HELPER_COMPILE +- /* still a chance the user can authenticate */ +- return PAM_UNIX_RUN_HELPER; +-#endif +- return PAM_AUTHINFO_UNAVAIL; +- } +- if ((*spwdent)->sp_pwdp == NULL) ++ *spwdent = getspnam(name); ++ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) + return PAM_AUTHINFO_UNAVAIL; ++#else ++ /* ++ * The helper has to be invoked to deal with ++ * the shadow password file entry. ++ */ ++ return PAM_UNIX_RUN_HELPER; ++#endif + } + } else { + return PAM_USER_UNKNOWN; +-- +2.40.0 + diff --git a/meta/recipes-extended/pam/libpam_1.5.2.bb b/meta/recipes-extended/pam/libpam_1.5.2.bb index 20745aa837..05fe232f6a 100644 --- a/meta/recipes-extended/pam/libpam_1.5.2.bb +++ b/meta/recipes-extended/pam/libpam_1.5.2.bb 
@@ -27,6 +27,7 @@ SRC_URI = "https://github.com/linux-pam/linux-pam/releases/download/v${PV}/Linux file://CVE-2022-28321-0002.patch \ file://0001-pam_motd-do-not-rely-on-all-filesystems-providing-a-.patch \ file://CVE-2024-22365.patch \ + file://CVE-2024-10041.patch \ " SRC_URI[sha256sum] = "e4ec7131a91da44512574268f493c6d8ca105c87091691b8e9b56ca685d4f94d" From patchwork Wed Dec 11 14:47:33 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 53944 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F1A9E77182 for ; Wed, 11 Dec 2024 14:47:55 +0000 (UTC) Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com [209.85.210.174]) by mx.groups.io with SMTP id smtpd.web10.12660.1733928468071616747 for ; Wed, 11 Dec 2024 06:47:48 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=3M87AFys; spf=softfail (domain: sakoman.com, ip: 209.85.210.174, mailfrom: steve@sakoman.com) Received: by mail-pf1-f174.google.com with SMTP id d2e1a72fcca58-723f37dd76cso6072240b3a.0 for ; Wed, 11 Dec 2024 06:47:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1733928467; x=1734533267; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=0Ir4bspaLnjgR82fHCLD+3S+SNhxc/A9J9w7RHENIVA=; b=3M87AFysbojnghQJBrCryl/MRwQCZg9z0Y5bM7Q3GCNjAStrg+oUdrssFlJ5q2oI3B faRl5vMrmWapY7mPCvNI/kEiVDWsC+PntMwtNoJese6G/ij1ZndAf0EwYT/fInutuprT 
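Review bot: in the passverify.c hunk carried by CVE-2024-10041.patch, the `#else` branch (the pam_unix.so build, without HELPER_COMPILE) now returns PAM_UNIX_RUN_HELPER unconditionally for shadowed accounts instead of trying pam_modutil_getspnam() first, so the helper is no longer a fallback but the only way the module reaches the shadow entry. That is the intended privilege separation, but it turns the helper's presence and privileges into a hard dependency; please confirm that kirkstone's libpam packaging installs the helper with the permissions it needs, otherwise shadowed logins that previously succeeded through pam_modutil_getspnam() would start failing rather than becoming safer. The HELPER_COMPILE branch swaps pam_modutil_getspnam(pamh, name) for getspnam(name) and folds the NULL-entry and NULL-sp_pwdp cases into a single PAM_AUTHINFO_UNAVAIL return, which preserves the behaviour of the removed lines.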
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 3/7] python3-requests: fix CVE-2024-35195
Date: Wed, 11 Dec 2024 06:47:33 -0800
Message-Id: <8bc8d316a6e8ac08b4eb2b9e2ec30b1f2309c31c.1733928291.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/208588

From: Jiaying Song

Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to the value of `verify`. This behavior will continue for the lifecycle of the connection in the connection pool. This vulnerability is fixed in 2.32.0.

References:
https://nvd.nist.gov/vuln/detail/CVE-2024-35195

Upstream patches:
https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac

Signed-off-by: Jiaying Song
Signed-off-by: Steve Sakoman
---
 .../python3-requests/CVE-2024-35195.patch | 121 ++++++++++++++++++
 .../python/python3-requests_2.27.1.bb | 4 +-
 2 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch

diff --git a/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch b/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
new file mode 100644
index 0000000000..4e2605b922
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
@@ -0,0 +1,121 @@ +From 5bedf76da0f76ab2d489972055a5d62066013427 Mon Sep 17 00:00:00 2001 +From: Ian Stapleton Cordasco +Date: Sun, 3 Mar 2024 07:00:49 -0600 +Subject: [PATCH] Use TLS settings in selecting connection pool + +Previously, if someone made a request with `verify=False` then made a +request where they expected verification to be enabled to the same host, +they would potentially reuse a connection where TLS had not been +verified. + +This fixes that issue. + +Upstream-Status: Backport +[https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac] + +CVE: CVE-2024-35195 + +Signed-off-by: Jiaying Song +--- + requests/adapters.py | 58 +++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 57 insertions(+), 1 deletion(-) + +diff --git a/requests/adapters.py b/requests/adapters.py +index fe22ff4..7ff6998 100644 +--- a/requests/adapters.py ++++ b/requests/adapters.py +@@ -10,6 +10,7 @@ and maintain connections. + + import os.path + import socket ++import typing + + from urllib3.poolmanager import PoolManager, proxy_from_url + from urllib3.response import HTTPResponse +@@ -47,12 +48,38 @@ except ImportError: + def SOCKSProxyManager(*args, **kwargs): + raise InvalidSchema("Missing dependencies for SOCKS support.") + ++if typing.TYPE_CHECKING: ++ from .models import PreparedRequest ++ ++ + DEFAULT_POOLBLOCK = False + DEFAULT_POOLSIZE = 10 + DEFAULT_RETRIES = 0 + DEFAULT_POOL_TIMEOUT = None + + ++def _urllib3_request_context( ++ request: "PreparedRequest", verify: "bool | str | None" ++) -> "(typing.Dict[str, typing.Any], typing.Dict[str, typing.Any])": ++ host_params = {} ++ pool_kwargs = {} ++ parsed_request_url = urlparse(request.url) ++ scheme = parsed_request_url.scheme.lower() ++ port = parsed_request_url.port ++ cert_reqs = "CERT_REQUIRED" ++ if verify is False: ++ cert_reqs = "CERT_NONE" ++ if isinstance(verify, str): ++ pool_kwargs["ca_certs"] = verify ++ pool_kwargs["cert_reqs"] = cert_reqs ++ host_params = { ++ "scheme": 
scheme, ++ "host": parsed_request_url.hostname, ++ "port": port, ++ } ++ return host_params, pool_kwargs ++ ++ + class BaseAdapter(object): + """The Base Transport Adapter""" + +@@ -290,6 +317,35 @@ class HTTPAdapter(BaseAdapter): + + return response + ++ def _get_connection(self, request, verify, proxies=None): ++ # Replace the existing get_connection without breaking things and ++ # ensure that TLS settings are considered when we interact with ++ # urllib3 HTTP Pools ++ proxy = select_proxy(request.url, proxies) ++ try: ++ host_params, pool_kwargs = _urllib3_request_context(request, verify) ++ except ValueError as e: ++ raise InvalidURL(e, request=request) ++ if proxy: ++ proxy = prepend_scheme_if_needed(proxy, "http") ++ proxy_url = parse_url(proxy) ++ if not proxy_url.host: ++ raise InvalidProxyURL( ++ "Please check proxy URL. It is malformed " ++ "and could be missing the host." ++ ) ++ proxy_manager = self.proxy_manager_for(proxy) ++ conn = proxy_manager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ else: ++ # Only scheme should be lower case ++ conn = self.poolmanager.connection_from_host( ++ **host_params, pool_kwargs=pool_kwargs ++ ) ++ ++ return conn ++ + def get_connection(self, url, proxies=None): + """Returns a urllib3 connection for the given URL. This should not be + called from user code, and is only exposed for use when subclassing the +@@ -410,7 +466,7 @@ class HTTPAdapter(BaseAdapter): + """ + + try: +- conn = self.get_connection(request.url, proxies) ++ conn = self._get_connection(request, verify, proxies) + except LocationValueError as e: + raise InvalidURL(e, request=request) + +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3-requests_2.27.1.bb b/meta/recipes-devtools/python/python3-requests_2.27.1.bb index 635a6af31f..689a1dffb7 100644 --- a/meta/recipes-devtools/python/python3-requests_2.27.1.bb +++ b/meta/recipes-devtools/python/python3-requests_2.27.1.bb 
@@ -3,7 +3,9 @@ HOMEPAGE = "http://python-requests.org" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=34400b68072d710fecd0a2940a0d1658" -SRC_URI += "file://CVE-2023-32681.patch" +SRC_URI += "file://CVE-2023-32681.patch \ + file://CVE-2024-35195.patch \ + " SRC_URI[sha256sum] = "68d7c56fd5a8999887728ef304a6d12edc7be74f1cfa47714fc8b414525c9a61" From patchwork Wed Dec 11 14:47:34 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 53945 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 857D8E77185 for ; Wed, 11 Dec 2024 14:47:55 +0000 (UTC) Received: from mail-pf1-f180.google.com (mail-pf1-f180.google.com [209.85.210.180]) by mx.groups.io with SMTP id smtpd.web10.12661.1733928469660156940 for ; Wed, 11 Dec 2024 06:47:49 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=N4wftRYF; spf=softfail (domain: sakoman.com, ip: 209.85.210.180, mailfrom: steve@sakoman.com) Received: by mail-pf1-f180.google.com with SMTP id d2e1a72fcca58-725f4025e25so2761573b3a.1 for ; Wed, 11 Dec 2024 06:47:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1733928469; x=1734533269; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=uPbysC1W8g6qiD3W7l5Qkg6SohC9W1O8ukvJXbBbfcY=; b=N4wftRYFNnAoGVHpVcUCD6fzRPlbCUsd0DV7FJE458X/wuo0zNyQczhQ7k1yHVZdnS wNtkDQSfBqOfvcqMYcodMP/mOXHp8biJ+N/JlttjMYNqX/sRXBSt1mZY3LiJ3OjyHONT 
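Review bot: in _urllib3_request_context, `isinstance(verify, str)` always stores the value as `ca_certs`; if `verify` names a directory of CA certificates rather than a bundle file, urllib3 would be told to open the directory as a file, so check os.path.isdir() (os.path is already imported in this module) and pass `ca_cert_dir` in that case. In _get_connection the comment `# Only scheme should be lower case` sits above the non-proxy connection_from_host() call, but the lowercasing happens in _urllib3_request_context, so the comment is misplaced; drop it or move it there. The `verify is False` test means `verify=None`, which the annotation `bool | str | None` admits, yields CERT_REQUIRED, the safe default; a one-line comment saying that is deliberate would stop someone later "fixing" it to a falsy test.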
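The message above describes the symptom of CVE-2024-35195; the mechanism is that the connection pool was chosen by (scheme, host, port) alone, so a pool whose connections had been opened with verification off kept serving later requests that asked for it. The fix hands the TLS settings to urllib3 as pool keyword arguments, which become part of the pool key. The following is an added example written for this page, not code from requests, urllib3 or the patch: a toy pool manager that applies the patch's request-context rules and shows both keying strategies side by side (Pool, ToyPoolManager, request_context and run_session are this example's own names, and the URL is constructed).

```python
"""Added example, not code from requests, urllib3 or the OE-core patch.

Why keying a connection pool on host and port alone leaks a verify=False
decision into later requests, and why adding the TLS settings to the key
fixes it.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union
from urllib.parse import urlparse

Verify = Union[bool, str, None]


def request_context(url: str, verify: Verify) -> Tuple[dict, dict]:
    """Split a request into host parameters and TLS pool keyword arguments,
    following the same rules as the patch: verify=False disables checking,
    a string is a CA bundle path, anything else means CERT_REQUIRED."""
    parsed = urlparse(url)
    cert_reqs = "CERT_NONE" if verify is False else "CERT_REQUIRED"
    pool_kwargs = {"cert_reqs": cert_reqs}
    if isinstance(verify, str):
        pool_kwargs["ca_certs"] = verify
    host_params = {
        "scheme": parsed.scheme.lower(),
        "host": parsed.hostname,
        "port": parsed.port,
    }
    return host_params, pool_kwargs


@dataclass
class Pool:
    """Stand-in for a urllib3 connection pool. Real pools hold open TLS
    connections, so the settings in force when the pool was created are the
    settings every connection it hands out was negotiated with."""
    cert_reqs: str
    ca_certs: Optional[str] = None


class ToyPoolManager:
    """Toy pool manager; key_includes_tls=False models the pre-fix lookup."""

    def __init__(self, key_includes_tls: bool) -> None:
        self.key_includes_tls = key_includes_tls
        self.pools: Dict[tuple, Pool] = {}
        self.created = 0

    def connection_from_host(self, host_params: dict, pool_kwargs: dict) -> Pool:
        key = (host_params["scheme"], host_params["host"], host_params["port"])
        if self.key_includes_tls:
            # Fixed behaviour: a different verify setting means a different pool.
            key += (pool_kwargs["cert_reqs"], pool_kwargs.get("ca_certs"))
        pool = self.pools.get(key)
        if pool is None:
            pool = Pool(**pool_kwargs)
            self.pools[key] = pool
            self.created += 1
        return pool


def run_session(key_includes_tls: bool) -> Tuple[str, str, int]:
    """One session against one host: verify=False first, then verify=True.
    Returns the cert_reqs each request actually ran with and the pool count."""
    manager = ToyPoolManager(key_includes_tls)
    url = "https://example.test/login"  # constructed sample URL
    first = manager.connection_from_host(*request_context(url, verify=False))
    second = manager.connection_from_host(*request_context(url, verify=True))
    return first.cert_reqs, second.cert_reqs, manager.created


if __name__ == "__main__":
    print("host/port key only  :", run_session(key_includes_tls=False))
    print("TLS settings in key :", run_session(key_includes_tls=True))
```

With the host-only key the second request silently runs with CERT_NONE on the first request's pool; with the TLS settings in the key it gets its own pool and CERT_REQUIRED.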
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 4/7] rootfs-postcommands.bbclass: make opkg status reproducible
Date: Wed, 11 Dec 2024 06:47:34 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/208589

From: Peter Marko

opkg stores the current time as Installed-Time in its status file when installing packages to the rootfs. Make this reproducible by replacing Installed-Time with ${REPRODUCIBLE_TIMESTAMP_ROOTFS}, which then also matches the files' datestamps.

Based on OpenWrt's approach for the issue [1].

[1] https://github.com/openwrt/openwrt/blob/main/include/rootfs.mk#L103

(From OE-Core rev: 61a9b1b1cb618ce90ba7886036f41263075c07df)

Signed-off-by: Jonas Gorski
Signed-off-by: Richard Purdie
Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 meta/classes/rootfs-postcommands.bbclass | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
index f7517c66dc..83bf265a68 100644
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -377,6 +377,10 @@ rootfs_reproducible () { find ${IMAGE_ROOTFS}${sysconfdir}/gconf -name '%gconf.xml' -print0 | xargs -0r \ sed -i -e 's@\bmtime="[0-9][0-9]*"@mtime="'${REPRODUCIBLE_TIMESTAMP_ROOTFS}'"@g' fi + + if [ -f ${IMAGE_ROOTFS}${localstatedir}/lib/opkg/status ]; then + sed -i 's/^Installed-Time: .*/Installed-Time: ${REPRODUCIBLE_TIMESTAMP_ROOTFS}/' ${IMAGE_ROOTFS}${localstatedir}/lib/opkg/status + fi fi } From patchwork Wed Dec 11 14:47:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 53942 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6AAE5E77184 for ; Wed, 11 Dec 2024 14:47:55 +0000 (UTC) Received: from mail-pj1-f52.google.com (mail-pj1-f52.google.com [209.85.216.52]) by mx.groups.io with SMTP id smtpd.web11.12562.1733928471185474965 for ; Wed, 11 Dec 2024 06:47:51 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=yhhOq5Kv; spf=softfail (domain: sakoman.com, ip: 209.85.216.52, mailfrom: steve@sakoman.com) Received: by mail-pj1-f52.google.com with SMTP id 98e67ed59e1d1-2eeb4d643a5so6034078a91.3 for ; Wed, 11 Dec 2024 06:47:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1733928470; x=1734533270; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=juBbflJAJuBDuhsBGBYtBcEbijKYxIrliCxaw0UNTLM=; b=yhhOq5Kv+TL7Uzy2sxxPWPkclSPOQ8YK2jZTnwU9A4QBI6WoNJasdYPeEuxbkeWGl5 tKizPmRpUVUr2w+Tym9g8/MAF9fdnfoFN8mLV1bLsYQ+yRFa4jQXpRgA4yj433EUCOtT 
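Review bot: the new block hard-codes ${IMAGE_ROOTFS}${localstatedir}/lib/opkg/status; a configuration that relocates opkg's state directory through OPKGLIBDIR (which defaults to ${localstatedir}/lib) would skip the rewrite silently and the image would quietly stay non-reproducible, so prefer ${IMAGE_ROOTFS}${OPKGLIBDIR}/opkg/status, or at least bbnote when the file is absent. The sed expression relies on bitbake expanding ${REPRODUCIBLE_TIMESTAMP_ROOTFS} before the shell sees the single-quoted string, the same way the gconf sed just above it does, so the quoting is fine; but the condition of the enclosing `if` is outside this hunk, so confirm it rejects an empty timestamp, otherwise the rewrite produces an `Installed-Time:` line with no value.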
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 5/7] sanity: check for working user namespaces
Date: Wed, 11 Dec 2024 06:47:35 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/208590

From: Ross Burton

If user namespaces are not available (typically because AppArmor is blocking them), alert the user. We consider network isolation sufficiently important that this is a fatal error, and the user will need to configure AppArmor to allow bitbake to create a user namespace.

[ YOCTO #15592 ]

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit b6af956fe6e876957a49d4abf425e8c789bf0459)
Signed-off-by: Steve Sakoman
---
 meta/classes/sanity.bbclass | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass
index 293e405f62..3b13ba647e 100644
--- a/meta/classes/sanity.bbclass
+++ b/meta/classes/sanity.bbclass
@@ -469,6 +469,29 @@ def check_wsl(d): bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space") return None +def check_userns(): + """ + Check that user namespaces are functional, as they're used for network isolation. + """ + + # There is a known failure case with AppAmrmor where the unshare() call + # succeeds (at which point the uid is nobody) but writing to the uid_map + # fails (so the uid isn't reset back to the user's uid). We can detect this. + parentuid = os.getuid() + pid = os.fork() + if not pid: + try: + bb.utils.disable_network() + except: + pass + os._exit(parentuid != os.getuid()) + + ret = os.waitpid(pid, 0)[1] + if ret: + bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n" + "See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.") + + # Require at least gcc version 7.5. # # This can be fixed on CentOS-7 with devtoolset-6+ 
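Review bot: the only failure signal `check_userns()` has is the uid comparison in `os._exit(parentuid != os.getuid())`, so it detects exactly the AppArmor half-failure described in the comment (unshare succeeds, uid_map write fails) and nothing else; if `unshare()` fails outright because user namespaces are disabled entirely, the uid never changes, the child exits 0 and the check passes even though the docstring promises to verify that user namespaces are functional. Replacing the bare `except: pass` with `except Exception:` that records the failure (for instance `os._exit(1)`) and having the child fail when `disable_network()` could not create the namespace would cover both modes; a bare `except:` also swallows `SystemExit` and `KeyboardInterrupt`, which is never wanted in a forked child. Two smaller points: `AppAmrmor` in the comment is a typo for `AppArmor`, and calling `bb.fatal` inside the check differs from the neighbouring `check_wsl()`, which returns its message for `status.addresult()` to collect; returning the message string would keep the fatal outcome while letting the remaining version-change checks report alongside it.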
@@ -634,6 +657,7 @@ def check_sanity_version_change(status, d): status.addresult(check_git_version(d)) status.addresult(check_perl_modules(d)) status.addresult(check_wsl(d)) + status.addresult(check_userns()) missing = ""
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 6/7] unzip: Fix configure tests to use modern C
Date: Wed, 11 Dec 2024 06:47:36 -0800
Message-Id: <61bd7eccd8e305e2dd95f0b0b86b09d72e99fc1a.1733928291.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/208591

From: Khem Raj

Newer compilers end up with errors while compiling these test snippets and the build results in failures.

Signed-off-by: Khem Raj
Signed-off-by: Alexandre Belloni
Signed-off-by: Martin Jansa
Signed-off-by: Steve Sakoman
---
 ...rrect-system-headers-and-prototypes-.patch | 112 ++++++++++++++++++
 meta/recipes-extended/unzip/unzip_6.0.bb      |   1 +
 2 files changed, 113 insertions(+)
 create mode 100644 meta/recipes-extended/unzip/unzip/0001-configure-Add-correct-system-headers-and-prototypes-.patch

diff --git a/meta/recipes-extended/unzip/unzip/0001-configure-Add-correct-system-headers-and-prototypes-.patch b/meta/recipes-extended/unzip/unzip/0001-configure-Add-correct-system-headers-and-prototypes-.patch
new file mode 100644
index 0000000000..f7e0854cd9
--- /dev/null
+++ b/meta/recipes-extended/unzip/unzip/0001-configure-Add-correct-system-headers-and-prototypes-.patch
@@ -0,0 +1,112 @@ +From 5ac5885d35257888d0e4a9dda903405314f9fc84 Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Wed, 10 Aug 2022 17:53:13 -0700 +Subject: [PATCH] configure: Add correct system headers and prototypes to tests + +Newer compilers e.g. clang-15+ have turned stricter towards these +warnings and turned them into errors which results in subtle failures +during build, therefore make the testcases use the needed headers and +modern C + +Upstream-Status: Inactive-Upstream + +Signed-off-by: Khem Raj +--- + unix/configure | 51 +++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 40 insertions(+), 11 deletions(-) + +diff --git a/unix/configure b/unix/configure +index 49579f3..8fd82dd 100755 +--- a/unix/configure ++++ b/unix/configure +@@ -379,14 +379,37 @@ $CC $CFLAGS -c conftest.c >/dev/null 2>/dev/null + + # Check for missing functions + # add NO_'function_name' to flags if missing +-for func in fchmod fchown lchown nl_langinfo +-do +- echo Check for $func +- echo "int main(){ $func(); return 0; }" > conftest.c +- $CC $BFLAG $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null +- [ $? -ne 0 ] && CFLAGSR="${CFLAGSR} -DNO_`echo $func | tr '[a-z]' '[A-Z]'`" +-done ++echo Check for fchmod ++cat > conftest.c << _EOF_ ++#include ++int main(){ fchmod(0,0); return 0; } ++_EOF_ ++$CC $BFLAG $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null ++[ $? -ne 0 ] && CFLAGSR="${CFLAGSR} -DNO_FCHMOD" + ++echo Check for fchown ++cat > conftest.c << _EOF_ ++#include ++int main(){ fchown(0,0,0); return 0; } ++_EOF_ ++$CC $BFLAG $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null ++[ $? -ne 0 ] && CFLAGSR="${CFLAGSR} -DNO_FCHOWN" ++ ++echo Check for lchown ++cat > conftest.c << _EOF_ ++#include ++int main(){ lchown(NULL,0,0); return 0; } ++_EOF_ ++$CC $BFLAG $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null ++[ $? 
-ne 0 ] && CFLAGSR="${CFLAGSR} -DNO_LCHOWN" ++ ++echo Check for nl_langinfo ++cat > conftest.c << _EOF_ ++#include ++int main(){ nl_langinfo(0); return 0; } ++_EOF_ ++$CC $BFLAG $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null ++[ $? -ne 0 ] && CFLAGSR="${CFLAGSR} -DNO_NL_LANGINFO" + # Check (seriously) for a working lchmod. + echo 'Check for lchmod' + temp_file="/tmp/unzip_test_$$" +@@ -401,14 +424,17 @@ ln -s "${temp_link}" "${temp_file}" && \ + rm -f "${temp_file}" + + echo Check for memset +-echo "int main(){ char k; memset(&k,0,0); return 0; }" > conftest.c ++cat > conftest.c << _EOF_ ++#include ++int main(){ char k; memset(&k,0,0); return 0; } ++_EOF_ + $CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null + [ $? -ne 0 ] && CFLAGSR="${CFLAGSR} -DZMEM" + + echo Check for errno declaration + cat > conftest.c << _EOF_ + #include +-main() ++int main() + { + errno = 0; + return 0; +@@ -419,6 +445,8 @@ $CC $CFLAGS -c conftest.c >/dev/null 2>/dev/null + + echo Check for directory libraries + cat > conftest.c << _EOF_ ++#include ++#include + int main() { return closedir(opendir(".")); } + _EOF_ + +@@ -523,10 +551,11 @@ fi + # needed for AIX (and others ?) when mmap is used + echo Check for valloc + cat > conftest.c << _EOF_ +-main() ++#include ++int main() + { + #ifdef MMAP +- valloc(); ++ valloc(0); + #endif + } + _EOF_ +-- +2.37.1 + diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index cf532c09d6..0f73cfaa22 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb 
@@ -32,6 +32,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/ file://CVE-2022-0529.patch \ file://CVE-2022-0530.patch \ file://0001-unix-configure-fix-detection-for-cross-compilation.patch \ + file://0001-configure-Add-correct-system-headers-and-prototypes-.patch \ " UPSTREAM_VERSION_UNKNOWN = "1"
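Review bot: every new `#include` line in the conftest snippets of 0001-configure-Add-correct-system-headers-and-prototypes-.patch (the fchmod, fchown, lchown, nl_langinfo, memset, errno, directory-library and valloc checks) appears here with no header name, presumably because the angle-bracketed names were stripped in this archive; the committed file must actually name them (sys/stat.h for fchmod/fchown, unistd.h for lchown, langinfo.h for nl_langinfo, string.h for memset, errno.h for the errno test, sys/types.h and dirent.h for opendir/closedir, stdlib.h for valloc), since an empty `#include` makes each probe fail to compile and silently sets its fallback define (`-DNO_*`, `-DZMEM`), which is the opposite of what the patch intends. Unrolling the original `for func in fchmod fchown lchown nl_langinfo` loop into four near-identical `cat > conftest.c` blocks is also a style regression; iterating over `function:header:call` triples would keep the per-function headers and prototypes without the copy-paste, and would make adding the next probe a one-line change.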
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 7/7] dbus: disable assertions and enable only modular tests
Date: Wed, 11 Dec 2024 06:47:37 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/208592

From: Alexander Kanavin

There was a report that enabling assertions and all tests results in notices in log.do_configure:

NOTE: building with unit tests increases the size of the installed library and renders it insecure.
NOTE: building with assertions increases library size and decreases performance.

This was overlooked when dbus and dbus-tests recipes were merged; enabling all tests and assertions still requires a special, separate build of dbus. If those tests are useful this could be revisited. Until then, we should use production settings for the main recipe.

Buildhistory-diff:
packages/core2-64-poky-linux/dbus/dbus-dbg: PKGSIZE changed from 9958176 to 8627824 (-13%)
packages/core2-64-poky-linux/dbus/dbus-lib: PKGSIZE changed from 544347 to 346339 (-36%)
packages/core2-64-poky-linux/dbus/dbus-ptest: PKGSIZE changed from 3524983 to 3116951 (-12%)
packages/core2-64-poky-linux/dbus/dbus-ptest: FILELIST: removed "/usr/share/installed-tests/dbus/test-dbus-launch-eval.sh_with_config.test /usr/share/installed-tests/dbus/test-counter_with_config.test /usr/libexec/installed-tests/dbus/test-dbus-launch-eval.sh /usr/libexec/installed-tests/dbus/test-dbus-launch-x11.sh /usr/share/installed-tests/dbus/test-counter.test /usr/libexec/installed-tests/dbus/test-counter /usr/share/installed-tests/dbus/test-dbus-launch-x11.sh.test /usr/share/installed-tests/dbus/test-dbus-launch-x11.sh_with_config.test /usr/share/installed-tests/dbus/test-dbus-launch-eval.sh.test"
packages/core2-64-poky-linux/dbus/dbus: PKGSIZE changed from 510939 to 350331 (-31%)

(From OE-Core rev: 054ce01ae84eb10e055a41ec8dd85ebce9ea23c8)

Signed-off-by: Alexander Kanavin
Signed-off-by: Richard Purdie
Signed-off-by: Steve Sakoman
---
 meta/recipes-core/dbus/dbus_1.14.8.bb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta/recipes-core/dbus/dbus_1.14.8.bb b/meta/recipes-core/dbus/dbus_1.14.8.bb
index f03e5c2d2e..6f4d8ae92e 100644
--- a/meta/recipes-core/dbus/dbus_1.14.8.bb
+++ b/meta/recipes-core/dbus/dbus_1.14.8.bb @@ -22,9 +22,8 @@ EXTRA_OECONF = "--disable-xml-docs \ --disable-doxygen-docs \ --enable-largefile \ --with-system-socket=/run/dbus/system_bus_socket \ - --enable-tests \ + --enable-modular-tests \ --enable-checks \ - --enable-asserts \ --runstatedir=/run \ " EXTRA_OECONF:append:class-target = " SYSTEMCTL=${base_bindir}/systemctl"
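Review bot: removing `--enable-asserts \` leaves assertion behaviour to whatever dbus's configure defaults to rather than stating the intended production setting; putting `--disable-asserts \` in its place in `EXTRA_OECONF` documents the intent of the commit and is robust against a future default change upstream. `--enable-checks \` is kept; if that is deliberate (the checks being distinct from the assertions the quoted NOTE complains about), a short comment next to it in the recipe would stop the next reader from dropping it for the same reason. The Buildhistory-diff above also shows that `--enable-modular-tests` removes the test-counter and dbus-launch installed tests from dbus-ptest, so the kirkstone ptest expectations should be checked against the reduced test list in the same change.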