From patchwork Tue Nov 25 20:58:39 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75387 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 44E49D0EE34 for ; Tue, 25 Nov 2025 20:59:00 +0000 (UTC) Received: from mail-pf1-f172.google.com (mail-pf1-f172.google.com [209.85.210.172]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.4345.1764104339372724217 for ; Tue, 25 Nov 2025 12:58:59 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=t9vCu3Dd; spf=softfail (domain: sakoman.com, ip: 209.85.210.172, mailfrom: steve@sakoman.com) Received: by mail-pf1-f172.google.com with SMTP id d2e1a72fcca58-7b80fed1505so6811716b3a.3 for ; Tue, 25 Nov 2025 12:58:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764104338; x=1764709138; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=cdY1il5UvyQEzA7wmazVWCfDU0Kq1Gh3y8KGxQRZiO0=; b=t9vCu3DdX/7kPB0JDDiQ3UfLwvtdHwBF+8s6JQEKgs9AXntjitcwwoDM+OLYapY8E4 fpJRkZ46DXJ/APWVnmR1NH7ZETHRxI1Khw/YOd4D/8FqvwhWUKrWWv41XR3Yl7+fMqbP LlesRZD8ZHyfib0F+h4aa5UIxTo4x1C+oi9MJCmEc9z07TkIA84n+N7nQ1O5mRQvYWgw bGpuFfT80vGXuOVZ5NLiMWK8ElT9unZJJ+6zMWH2/JFxScyg2/6DqAOKA9O6niNkTBwa 3CUjkFeqym1lYCuNY7D5CY3e5mRoOfyA+NbsolAMzhQI271c84Trlb0/yfdaBvgvGhhM XHDg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1764104338; x=1764709138; h=content-transfer-encoding:mime-version:references:in-reply-to 
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 1/9] Revert "spdx: Update for bitbake changes"
Date: Tue, 25 Nov 2025 12:58:39 -0800
Message-ID:
X-Mailer: git-send-email 2.43.0
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226786

From: Kai Kang

This reverts part of commit 4859cdf97fd9a260036e148e25f0b78eb393df1e.
Modification of meta/classes/create-spdx-2.2.bbclass is not backported, so
there is no need to consider it.

In the commit, it updates spdx according to a bitbake change. But the bitbake
commit

* 2515fbd10 fetch: Drop multiple branch/revision support for single git urls

isn't backported for scarthgap. So revert the other parts of the commit
4859cdf97fd9a260036e148e25f0b.

Signed-off-by: Kai Kang
Signed-off-by: Steve Sakoman
---
 meta/lib/oe/spdx30_tasks.py | 125 ++++++++++++++++++------------------
 meta/lib/oe/spdx_common.py  |   2 +-
 2 files changed, 64 insertions(+), 63 deletions(-)

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index a2d316301f..0fa9a7d724 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -356,77 +356,78 @@ def add_download_files(d, objset): for download_idx, src_uri in enumerate(urls): fd = fetch.ud[src_uri] - file_name = os.path.basename(fetch.localpath(src_uri)) - if oe.patch.patch_path(src_uri, fetch, "", expand=False): - primary_purpose = oe.spdx30.software_SoftwarePurpose.patch - else: - primary_purpose = oe.spdx30.software_SoftwarePurpose.source - - if fd.type == "file": - if os.path.isdir(fd.localpath): - walk_idx = 1 - for root, dirs, files in os.walk(fd.localpath, onerror=walk_error): - dirs.sort() - files.sort() - for f in files: - f_path = os.path.join(root, f) - if os.path.islink(f_path): - # TODO: SPDX doesn't support symlinks yet - continue + for name in fd.names: + file_name = os.path.basename(fetch.localpath(src_uri)) + if oe.patch.patch_path(src_uri, fetch, "", expand=False): + primary_purpose = oe.spdx30.software_SoftwarePurpose.patch + else: + primary_purpose = oe.spdx30.software_SoftwarePurpose.source + + if fd.type == "file": + if os.path.isdir(fd.localpath): + walk_idx = 1 + for root, dirs, files in os.walk(fd.localpath, onerror=walk_error): + dirs.sort() + files.sort() + for f in files: + f_path = os.path.join(root, f) + if os.path.islink(f_path): + # TODO: SPDX doesn't support symlinks yet + continue + + file = objset.new_file( + objset.new_spdxid( + "source", str(download_idx + 1), str(walk_idx) + ), + os.path.join( + file_name, os.path.relpath(f_path, fd.localpath) + ), + f_path, + purposes=[primary_purpose], + ) - file = objset.new_file( - objset.new_spdxid( - "source", str(download_idx + 1), str(walk_idx) - ), - os.path.join( - file_name, os.path.relpath(f_path, fd.localpath) - ), - f_path, - purposes=[primary_purpose], - ) + inputs.add(file) + walk_idx += 1 - inputs.add(file) - walk_idx += 1 + else: + file = objset.new_file( + objset.new_spdxid("source", str(download_idx + 1)), + file_name, + fd.localpath, + purposes=[primary_purpose], + ) + inputs.add(file) else: - file = objset.new_file( - 
objset.new_spdxid("source", str(download_idx + 1)), - file_name, - fd.localpath, - purposes=[primary_purpose], - ) - inputs.add(file) - - else: - dl = objset.add( - oe.spdx30.software_Package( - _id=objset.new_spdxid("source", str(download_idx + 1)), - creationInfo=objset.doc.creationInfo, - name=file_name, - software_primaryPurpose=primary_purpose, - software_downloadLocation=oe.spdx_common.fetch_data_to_uri( - fd, fd.names[0] - ), + dl = objset.add( + oe.spdx30.software_Package( + _id=objset.new_spdxid("source", str(download_idx + 1)), + creationInfo=objset.doc.creationInfo, + name=file_name, + software_primaryPurpose=primary_purpose, + software_downloadLocation=oe.spdx_common.fetch_data_to_uri( + fd, name + ), + ) ) - ) - if fd.method.supports_checksum(fd): - # TODO Need something better than hard coding this - for checksum_id in ["sha256", "sha1"]: - expected_checksum = getattr( - fd, "%s_expected" % checksum_id, None - ) - if expected_checksum is None: - continue + if fd.method.supports_checksum(fd): + # TODO Need something better than hard coding this + for checksum_id in ["sha256", "sha1"]: + expected_checksum = getattr( + fd, "%s_expected" % checksum_id, None + ) + if expected_checksum is None: + continue - dl.verifiedUsing.append( - oe.spdx30.Hash( - algorithm=getattr(oe.spdx30.HashAlgorithm, checksum_id), - hashValue=expected_checksum, + dl.verifiedUsing.append( + oe.spdx30.Hash( + algorithm=getattr(oe.spdx30.HashAlgorithm, checksum_id), + hashValue=expected_checksum, + ) ) - ) - inputs.add(dl) + inputs.add(dl) return inputs diff --git a/meta/lib/oe/spdx_common.py b/meta/lib/oe/spdx_common.py index 4caefc7673..e1b26edaaf 100644 --- a/meta/lib/oe/spdx_common.py +++ b/meta/lib/oe/spdx_common.py 
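Review bot: the `add_download_files` hunk re-wraps the whole per-URL body in `for name in fd.names:`, but `file_name`, `primary_purpose`, the `walk_idx = 1` reset and every id built with `objset.new_spdxid("source", str(download_idx + 1), ...)` do not depend on `name`; only `fetch_data_to_uri(fd, name)` does. So a SRC_URI entry with more than one name (the multi-branch git form whose fetcher support this revert keeps) registers the same SPDX id once per name, and duplicate element ids inside one document are a validity problem for anything consuming the SBOM. This is the pre-existing scarthgap behaviour being restored rather than new code, but the commit message should say either that multi-name URLs are not expected here or that folding `name` into the id is a follow-up.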
@@ -239,6 +239,6 @@ def fetch_data_to_uri(fd, name): uri = uri + "://" + fd.host + fd.path if fd.method.supports_srcrev(): - uri = uri + "@" + fd.revision + uri = uri + "@" + fd.revisions[name] return uri From patchwork Tue Nov 25 20:58:40 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75392 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 35F03D0EE1C for ; Tue, 25 Nov 2025 20:59:10 +0000 (UTC) Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.4279.1764104340775484961 for ; Tue, 25 Nov 2025 12:59:00 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=1ocLpHIn; spf=softfail (domain: sakoman.com, ip: 209.85.210.178, mailfrom: steve@sakoman.com) Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-7a9cdf62d31so7194167b3a.3 for ; Tue, 25 Nov 2025 12:59:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764104340; x=1764709140; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=RgResOp9jEEAaIVq8oR9Ci0XzoKiBG9Q+c7V5Q03t3Q=; b=1ocLpHInu9CkCX9jyZa2F19m/9kpxQiMkZLJRSYZrkdQugTVvzyLdP4FRHVAg6dBSq 502gmnkEVFqJcStee1zbMjX9jo87RsEabQ3OLUXUbMAuS8qjcTBkuIF1A9WFNqs73zR6 gRCEjmirpgQlFmEab4WxmCnzUrU9oGdCM0Jk5mv/lt8V7vX1xELhHtXlxmD370IuEKCA rtaTdmjsEFixfoTRJC0QdDrSc/bvhPhwImdc9X4wDNI09uhSf83zPQb1P5oQ375N4cMo tft10m+ud9sbyQfLyq6W5PG5Pqg2PX9MyI3r9NGsbnAtFQpfWUJ3tJIoIuhQQ3pK80yu 
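Review bot: in the `fetch_data_to_uri(fd, name)` hunk the body goes back to `fd.revision` while the `name` parameter stays, so after this revert `name` is unused inside this function and exists only to match the `fd.names` loop in spdx30_tasks.py. That is fine for a straight revert, but a one-line comment that the scarthgap fetcher exposes `fd.revision` (not `fd.revisions[name]`) would stop someone re-applying the upstream form by mistake the next time this file is touched.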
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 2/9] spdx30: provide all CVE_STATUS, not only Patched status
Date: Tue, 25 Nov 2025 12:58:40 -0800
Message-ID: <9a204670b1c0daedf1ed8ff944f8e5443b39c8f7.1764104199.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226787

From: "Benjamin Robin (Schneider Electric)"

In scarthgap, the `oe.cve_check.get_patched_cves()` method only returns CVEs
with a "Patched" status. We want to retrieve all annotations, including those
with an "Ignored" status. Therefore, to avoid modifying the current API, we
integrate the logic for retrieving all CVE_STATUS values directly into
`spdx30_task`.

Signed-off-by: Benjamin Robin (Schneider Electric)
Signed-off-by: Steve Sakoman
---
 meta/lib/oe/spdx30_tasks.py | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 0fa9a7d724..e425958991 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -453,6 +453,22 @@ def set_purposes(d, element, *var_names, force_purposes=[]): ] +def _get_cves_info(d): + patched_cves = oe.cve_check.get_patched_cves(d) + for cve_id in (d.getVarFlags("CVE_STATUS") or {}): + mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) + if not mapping or not detail: + bb.warn(f"Skipping {cve_id} — missing or unknown CVE status") + continue + yield cve_id, mapping, detail, description + patched_cves.discard(cve_id) + + # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded + for cve_id in patched_cves: + # fix-file-included is not available in scarthgap + yield cve_id, "Patched", "backported-patch", None + + def create_spdx(d): def set_var_field(var, obj, name, package=None): val = None 
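Review bot: in `_get_cves_info` the `continue` for a missing or unknown status runs before `patched_cves.discard(cve_id)`, so a CVE whose CVE_STATUS entry fails to decode but which `get_patched_cves(d)` also returned (for example because a patch file carries its id) is first warned as "Skipping" and then yielded anyway by the second loop as "Patched" / "backported-patch". If that fallback is intended, the warning text is misleading; if not, move the `discard` above the `if not mapping or not detail:` check. A short docstring saying that the generator yields every CVE_STATUS entry (Ignored and Unpatched included) followed by the patch-file CVEs would also help, since the caller now relies on exactly that.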
@@ -502,20 +518,7 @@ def create_spdx(d): # Add CVEs cve_by_status = {} if include_vex != "none": - patched_cves = oe.cve_check.get_patched_cves(d) - for cve_id in patched_cves: - # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded - if cve_id in (d.getVarFlags("CVE_STATUS") or {}): - mapping, detail, description = oe.cve_check.decode_cve_status(d, cve_id) - else: - mapping = "Patched" - detail = "backported-patch" # fix-file-included is not available in scarthgap - description = None - - if not mapping or not detail: - bb.warn(f"Skipping {cve_id} — missing or unknown CVE status") - continue - + for cve_id, mapping, detail, description in _get_cves_info(d): # If this CVE is fixed upstream, skip it unless all CVEs are # specified. if ( From patchwork Tue Nov 25 20:58:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75389 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 30962D0EE38 for ; Tue, 25 Nov 2025 20:59:10 +0000 (UTC) Received: from mail-pf1-f176.google.com (mail-pf1-f176.google.com [209.85.210.176]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.4280.1764104342540326542 for ; Tue, 25 Nov 2025 12:59:02 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=G4kPm4BM; spf=softfail (domain: sakoman.com, ip: 209.85.210.176, mailfrom: steve@sakoman.com) Received: by mail-pf1-f176.google.com with SMTP id d2e1a72fcca58-7b9215e55e6so4040620b3a.2 for ; Tue, 25 Nov 2025 12:59:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1764104342; x=1764709142; 
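Review bot: with the inline loop replaced by `for cve_id, mapping, detail, description in _get_cves_info(d):`, the loop body in `create_spdx` (the "fixed upstream" check and whatever follows it) now also receives entries whose `mapping` is "Ignored" or "Unpatched", not only "Patched" ones; the hunk context does not show how `cve_by_status` and the VEX code below treat those values. Please state in the commit message or a comment that the downstream code accepts every CVE_CHECK_STATUSMAP value rather than assuming a patched CVE, since a silent mis-classification here ends up in the shipped SBOM.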
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 3/9] vex.bbclass: add a new class
Date: Tue, 25 Nov 2025 12:58:41 -0800
Message-ID: <123a60bc19987e99d511b1f515e118022949be7e.1764104199.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226788

From: "Benjamin Robin (Schneider Electric)"

The "vex" class generates the minimum information that is necessary for VEX
generation by an external CVE checking tool. It is a drop-in replacement of
"cve-check". It uses the same variables from recipes to make the migration
and backporting easier.

The goal of this class is to allow generation of the CVE list of an image or
distribution on-demand, including the latest information from vulnerability
databases. Vulnerability data changes every day, so a status generated at
build becomes out-of-date very soon.

Research done for this work shows that the current VEX formats (CSAF and
OpenVEX) do not provide enough information to generate such rolling
information. Instead, we extract the needed data from recipe annotations
(package names, CPEs, versions, CVE patches applied...) and store it for
later use in the format that is an extension of the CVE-check JSON output
format. This output can then be used (separately or with SPDX of the same
build) by an external tool to generate the vulnerability annotation and VEX
statements in standard formats.

When back-porting this feature, the do_generate_vex() had to be modified to
use the "old" get_patched_cves() API.

Signed-off-by: Marta Rybczynska
Signed-off-by: Samantha Jalabert
Signed-off-by: Richard Purdie
(cherry picked from commit 6352ad93a72e67d6dfa82e870222518a97c426fa)
Signed-off-by: Benjamin Robin (Schneider Electric)
Signed-off-by: Steve Sakoman
---
 meta/classes/vex.bbclass | 327 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 327 insertions(+)
 create mode 100644 meta/classes/vex.bbclass

diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass
new file mode 100644
index 0000000000..73dd9338a1
--- /dev/null
+++ b/meta/classes/vex.bbclass
@@ -0,0 +1,327 @@ +# +# Copyright OpenEmbedded Contributors +# +# SPDX-License-Identifier: MIT +# + +# This class is used to generate metadata needed by external +# tools to check for vulnerabilities, for example CVEs. +# +# In order to use this class just inherit the class in the +# local.conf file and it will add the generate_vex task for +# every recipe. If an image is build it will generate a report +# in DEPLOY_DIR_IMAGE for all the packages used, it will also +# generate a file for all recipes used in the build. +# +# Variables use CVE_CHECK prefix to keep compatibility with +# the cve-check class +# +# Example: +# bitbake -c generate_vex openssl +# bitbake core-image-sato +# bitbake -k -c generate_vex universe +# +# The product name that the CVE database uses defaults to BPN, but may need to +# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff). +CVE_PRODUCT ??= "${BPN}" +CVE_VERSION ??= "${PV}" + +CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve" + +CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json" +CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt" + +CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve" +CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json" +CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.json" + +# Skip CVE Check for packages (PN) +CVE_CHECK_SKIP_RECIPE ?= "" + +# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned +# separately with optional detail and description for this status. +# +# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows" +# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally" +# +# Settings the same status and reason for multiple CVEs is possible +# via CVE_STATUS_GROUPS variable. 
+# +# CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED" +# +# CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0003" +# CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows" +# CVE_STATUS_PATCHED = "CVE-1234-0002 CVE-1234-0004" +# CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally" +# +# All possible CVE statuses could be found in cve-check-map.conf +# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" +# CVE_CHECK_STATUSMAP[fixed-version] = "Patched" +# +# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead. +# Keep CVE_CHECK_IGNORE until other layers migrate to new variables +CVE_CHECK_IGNORE ?= "" + +# Layers to be excluded +CVE_CHECK_LAYER_EXCLUDELIST ??= "" + +# Layers to be included +CVE_CHECK_LAYER_INCLUDELIST ??= "" + + +# set to "alphabetical" for version using single alphabetical character as increment release +CVE_VERSION_SUFFIX ??= "" + +python () { + if bb.data.inherits_class("cve-check", d): + raise bb.parse.SkipRecipe("Skipping recipe: found incompatible combination of cve-check and vex enabled at the same time.") + + # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS + cve_check_ignore = d.getVar("CVE_CHECK_IGNORE") + if cve_check_ignore: + bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS") + for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split(): + d.setVarFlag("CVE_STATUS", cve, "ignored") + + # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once + for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split(): + cve_group = d.getVar(cve_status_group) + if cve_group is not None: + for cve in cve_group.split(): + d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) + else: + bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group) +} + +def generate_json_report(d, out_path, link_path): + if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")): + import json + from 
oe.cve_check import cve_check_merge_jsons, update_symlinks + + bb.note("Generating JSON CVE summary") + index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH") + summary = {"version":"1", "package": []} + with open(index_file) as f: + filename = f.readline() + while filename: + with open(filename.rstrip()) as j: + data = json.load(j) + cve_check_merge_jsons(summary, data) + filename = f.readline() + + summary["package"].sort(key=lambda d: d['name']) + + with open(out_path, "w") as f: + json.dump(summary, f, indent=2) + + update_symlinks(out_path, link_path) + +python vex_save_summary_handler () { + import shutil + import datetime + from oe.cve_check import update_symlinks + + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") + + bb.utils.mkdirhier(cvelogpath) + timestamp = datetime.datetime.now().strftime('%Y%m%d%H%M%S') + + json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON")) + json_summary_name = os.path.join(cvelogpath, "cve-summary-%s.json" % (timestamp)) + generate_json_report(d, json_summary_name, json_summary_link_name) + bb.plain("Complete CVE JSON report summary created at: %s" % json_summary_link_name) +} + +addhandler vex_save_summary_handler +vex_save_summary_handler[eventmask] = "bb.event.BuildCompleted" + +python do_generate_vex () { + """ + Generate metadata needed for vulnerability checking for + the current recipe + """ + from oe.cve_check import get_patched_cves, decode_cve_status + + cves_status = [] + products = d.getVar("CVE_PRODUCT").split() + for product in products: + if ":" in product: + _, product = product.split(":", 1) + cves_status.append([product, False]) + + patched_cves = get_patched_cves(d) + cve_data = {} + for cve_id in (d.getVarFlags("CVE_STATUS") or {}): + mapping, detail, description = decode_cve_status(d, cve_id) + if not mapping or not detail: + bb.warn(f"Skipping {cve_id} — missing or unknown CVE status") + continue + cve_data[cve_id] = { + "abbrev-status": mapping, + "status": detail, + 
"justification": description + } + patched_cves.discard(cve_id) + + # decode_cve_status is decoding CVE_STATUS, so patch files need to be hardcoded + for cve_id in patched_cves: + # fix-file-included is not available in scarthgap + cve_data[cve_id] = { + "abbrev-status": "Patched", + "status": "backported-patch", + } + + cve_write_data_json(d, cve_data, cves_status) +} + +addtask generate_vex before do_build + +python vex_cleanup () { + """ + Delete the file used to gather all the CVE information. + """ + bb.utils.remove(e.data.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")) +} + +addhandler vex_cleanup +vex_cleanup[eventmask] = "bb.event.BuildCompleted" + +python vex_write_rootfs_manifest () { + """ + Create VEX/CVE manifest when building an image + """ + + import json + from oe.rootfs import image_list_installed_packages + from oe.cve_check import cve_check_merge_jsons, update_symlinks + + deploy_file_json = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") + if os.path.exists(deploy_file_json): + bb.utils.remove(deploy_file_json) + + # Create a list of relevant recipies + recipies = set() + for pkg in list(image_list_installed_packages(d)): + pkg_info = os.path.join(d.getVar('PKGDATA_DIR'), + 'runtime-reverse', pkg) + pkg_data = oe.packagedata.read_pkgdatafile(pkg_info) + recipies.add(pkg_data["PN"]) + + bb.note("Writing rootfs VEX manifest") + deploy_dir = d.getVar("IMGDEPLOYDIR") + link_name = d.getVar("IMAGE_LINK_NAME") + + json_data = {"version":"1", "package": []} + text_data = "" + + save_pn = d.getVar("PN") + + for pkg in recipies: + # To be able to use the CVE_CHECK_RECIPE_FILE_JSON variable we have to evaluate + # it with the different PN names set each time. 
+ d.setVar("PN", pkg) + + pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") + if os.path.exists(pkgfilepath): + with open(pkgfilepath) as j: + data = json.load(j) + cve_check_merge_jsons(json_data, data) + + d.setVar("PN", save_pn) + + link_path = os.path.join(deploy_dir, "%s.json" % link_name) + manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON") + + with open(manifest_name, "w") as f: + json.dump(json_data, f, indent=2) + + update_symlinks(manifest_name, link_path) + bb.plain("Image VEX JSON report stored in: %s" % manifest_name) +} + +ROOTFS_POSTPROCESS_COMMAND:prepend = "vex_write_rootfs_manifest; " +do_rootfs[recrdeptask] += "do_generate_vex " +do_populate_sdk[recrdeptask] += "do_generate_vex " + +def cve_write_data_json(d, cve_data, cve_status): + """ + Prepare CVE data for the JSON format, then write it. + Done for each recipe. + """ + + from oe.cve_check import get_cpe_ids + import json + + output = {"version":"1", "package": []} + nvd_link = "https://nvd.nist.gov/vuln/detail/" + + fdir_name = d.getVar("FILE_DIRNAME") + layer = fdir_name.split("/")[-3] + + include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split() + exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split() + + if exclude_layers and layer in exclude_layers: + return + + if include_layers and layer not in include_layers: + return + + product_data = [] + for s in cve_status: + p = {"product": s[0], "cvesInRecord": "Yes"} + if s[1] == False: + p["cvesInRecord"] = "No" + product_data.append(p) + product_data = list({p['product']:p for p in product_data}.values()) + + package_version = "%s%s" % (d.getVar("EXTENDPE"), d.getVar("PV")) + cpes = get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION")) + package_data = { + "name" : d.getVar("PN"), + "layer" : layer, + "version" : package_version, + "products": product_data, + "cpes": cpes + } + + cve_list = [] + + for cve in sorted(cve_data): + issue_link = "%s%s" % (nvd_link, cve) + + cve_item = { + "id" : cve, + "status" : 
cve_data[cve]["abbrev-status"], + "link": issue_link, + } + if 'NVD-summary' in cve_data[cve]: + cve_item["summary"] = cve_data[cve]["NVD-summary"] + cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"] + cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"] + cve_item["vector"] = cve_data[cve]["NVD-vector"] + cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"] + if 'status' in cve_data[cve]: + cve_item["detail"] = cve_data[cve]["status"] + if 'justification' in cve_data[cve]: + cve_item["description"] = cve_data[cve]["justification"] + if 'resource' in cve_data[cve]: + cve_item["patch-file"] = cve_data[cve]["resource"] + cve_list.append(cve_item) + + package_data["issue"] = cve_list + output["package"].append(package_data) + + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") + + write_string = json.dumps(output, indent=2) + + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") + index_path = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH") + bb.utils.mkdirhier(cvelogpath) + fragment_file = os.path.basename(deploy_file) + fragment_path = os.path.join(cvelogpath, fragment_file) + with open(fragment_path, "w") as f: + f.write(write_string) + with open(index_path, "a+") as f: + f.write("%s\n" % fragment_path) From patchwork Tue Nov 25 20:58:42 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 75390 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D186D0EE39 for ; Tue, 25 Nov 2025 20:59:10 +0000 (UTC) Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) by mx.groups.io with SMTP id smtpd.msgproc01-g2.4282.1764104344015406052 for ; Tue, 25 Nov 2025 12:59:04 -0800 Authentication-Results: 
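Review bot: in `do_generate_vex` every product is appended as `[product, False]` and nothing ever sets that flag, so `cve_write_data_json` writes `"cvesInRecord": "No"` for every product of every recipe. A consumer of the cve-check JSON format reads that as "the NVD database has no record for this product", which is not something this class has checked; either drop the field from this class's output or document that external tools must ignore it. Two smaller points in the same hunk: `layer = fdir_name.split("/")[-3]` assumes the layer/recipes-*/recipe/ directory depth and raises IndexError for a shallower recipe path, and the per-recipe `with open(index_path, "a+")` append to the shared summary index is the same pattern as cve-check but deserves a comment, because that index drives the `vex_save_summary_handler` report and concurrent do_generate_vex tasks all write to it.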
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 4/9] cve-check: extract extending CVE_STATUS to library function
Date: Tue, 25 Nov 2025 12:58:42 -0800
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226789

From: "Benjamin Robin (Schneider Electric)"

The same code for extending CVE_STATUS by CVE_CHECK_IGNORE and CVE_STATUS_GROUPS is used in multiple places. Create a library function to have the code in a single place and ready for reuse by additional classes.

Conflicts:
meta/classes/cve-check.bbclass
meta/lib/oe/cve_check.py

Signed-off-by: Peter Marko
Signed-off-by: Richard Purdie
(cherry picked from commit 45e18f4270d084d81c21b1e5a4a601ce975d8a77)
Signed-off-by: Benjamin Robin (Schneider Electric)
Signed-off-by: Steve Sakoman --- meta/classes/cve-check.bbclass | 17 ++--------------- meta/classes/vex.bbclass | 17 ++--------------- meta/lib/oe/cve_check.py | 22 ++++++++++++++++++++++ 3 files changed, 26 insertions(+), 30 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index d08c6ac670..f5bbaa5d15 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -107,21 +107,8 @@ CVE_CHECK_LAYER_INCLUDELIST ??= "" CVE_VERSION_SUFFIX ??= "" python () { - # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS - cve_check_ignore = d.getVar("CVE_CHECK_IGNORE") - if cve_check_ignore: - bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS") - for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split(): - d.setVarFlag("CVE_STATUS", cve, "ignored") - - # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once - for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split(): - cve_group = d.getVar(cve_status_group) - if cve_group is not None: - for cve in cve_group.split(): - d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) - else: - bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group) + from oe.cve_check import extend_cve_status + extend_cve_status(d) } def generate_json_report(d, out_path, link_path): diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass index 73dd9338a1..c447b37db8 100644 --- a/meta/classes/vex.bbclass +++ b/meta/classes/vex.bbclass 
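Review bot: the replacement block is missing a comment saying what the call does and why it has to run from anonymous python at parse time rather than inside the task; the vex.bbclass hunk below has the same three lines and the same gap, so a reader of either class now has to open meta/lib/oe/cve_check.py to learn that extend_cve_status(d) rewrites CVE_STATUS flags from CVE_CHECK_IGNORE and CVE_STATUS_GROUPS. Keeping one line of the removed comments above the import, e.g. `# Fold CVE_CHECK_IGNORE and CVE_STATUS_GROUPS into CVE_STATUS flags (parse time, so later classes see them)`, would preserve that context in both classes.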
@@ -76,21 +76,8 @@ python () { if bb.data.inherits_class("cve-check", d): raise bb.parse.SkipRecipe("Skipping recipe: found incompatible combination of cve-check and vex enabled at the same time.") - # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS - cve_check_ignore = d.getVar("CVE_CHECK_IGNORE") - if cve_check_ignore: - bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS") - for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split(): - d.setVarFlag("CVE_STATUS", cve, "ignored") - - # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once - for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split(): - cve_group = d.getVar(cve_status_group) - if cve_group is not None: - for cve in cve_group.split(): - d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) - else: - bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group) + from oe.cve_check import extend_cve_status + extend_cve_status(d) } def generate_json_report(d, out_path, link_path): diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index ed5c714cb8..7c09b78242 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py 
@@ -243,3 +243,25 @@ def decode_cve_status(d, cve): status_mapping = "Unpatched" return (status_mapping, detail, description) + +def extend_cve_status(d): + # do this only once in case multiple classes use this + if d.getVar("CVE_STATUS_EXTENDED"): + return + d.setVar("CVE_STATUS_EXTENDED", "1") + + # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS + cve_check_ignore = d.getVar("CVE_CHECK_IGNORE") + if cve_check_ignore: + bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS") + for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split(): + d.setVarFlag("CVE_STATUS", cve, "ignored") + + # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once + for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split(): + cve_group = d.getVar(cve_status_group) + if cve_group is not None: + for cve in cve_group.split(): + d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) + else: + bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
From patchwork Tue Nov 25 20:58:43 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 75391
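Review bot: `cve_check_ignore` is read once and then CVE_CHECK_IGNORE is fetched a second time in `for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():`; now that the loop sits under `if cve_check_ignore:` it can iterate over `cve_check_ignore.split()` directly. The new function also has no docstring, unlike decode_cve_status just above it, and it calls bb.warn while the hunk context shows no import of bb for this module, so confirm the module-level imports cover it. The CVE_STATUS_EXTENDED guard is a reasonable idempotency switch, but because it is set with d.setVar it is an ordinary datastore variable; a comment marking it as internal would stop someone setting it in a conf file and silently disabling the whole expansion.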
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 5/9] spdx: extend CVE_STATUS variables
Date: Tue, 25 Nov 2025 12:58:43 -0800
Message-ID: <23a4e02542252657fa45fd4a605aec0af9178e0b.1764104199.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226790

From: "Benjamin Robin (Schneider Electric)"

If spdx is generated without inheriting cve/vex classes (which is poky default), only explicitly set CVE_STATUS fields are handled. Calculated ones (e.g. from CVE_STATUS_GROUPS) are ignored. Fix this by expanding the CVE_STATUS in spdx classes.

Signed-off-by: Peter Marko
Signed-off-by: Richard Purdie
(cherry picked from commit ead9c6a8770463c21210a57cc5320f44f7754dd3)
Signed-off-by: Benjamin Robin (Schneider Electric)
Signed-off-by: Steve Sakoman
---
meta/classes/spdx-common.bbclass | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass index 36feb56807..713a7fc651 100644
--- a/meta/classes/spdx-common.bbclass +++ b/meta/classes/spdx-common.bbclass 
@@ -37,6 +37,11 @@ SPDX_CUSTOM_ANNOTATION_VARS ??= "" SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}" +python () { + from oe.cve_check import extend_cve_status + extend_cve_status(d) +} + def create_spdx_source_deps(d): import oe.spdx_common
From patchwork Tue Nov 25 20:58:44 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 75388
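Review bot: missing documentation on the new anonymous python block: nothing in the hunk says what extend_cve_status does or why spdx-common needs it, and this block runs for every recipe that inherits spdx-common, which is exactly the poky default case the commit message describes. A one-line comment such as `# expand CVE_CHECK_IGNORE/CVE_STATUS_GROUPS into CVE_STATUS so SPDX output sees computed statuses` above the import would spare the next reader a trip to oe/cve_check.py, and it is worth noting in that comment that the library function is idempotent, since a recipe inheriting both spdx-common and cve-check will call it twice.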
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 6/9] vex: fix rootfs manifest
Date: Tue, 25 Nov 2025 12:58:44 -0800
Message-ID: <7493eeed6d53bc704f558a0ccf8a0b5195381873.1764104199.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226791

From: "Benjamin Robin (Schneider Electric)"

Rootfs VEX file is created by gathering files from CVE_CHECK_DIR (deploy directory), however recipes generate the files only in CVE_CHECK_DIR (log directory). This makes the rootfs VEX always empty without any message.

The code is copied from cve_check class, which writes to both, so let's keep them aligned and make vex also write both files.

Also add a warning for the case that a cve file would still be missing.

Signed-off-by: Peter Marko
Signed-off-by: Mathieu Dubois-Briand
Signed-off-by: Richard Purdie
(cherry picked from commit ee6541d0940c65685aaafd7d41a59a9406392e7d)
Signed-off-by: Benjamin Robin (Schneider Electric)
Signed-off-by: Steve Sakoman
---
meta/classes/vex.bbclass | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass index c447b37db8..707e6f45a1 100644 --- a/meta/classes/vex.bbclass +++ b/meta/classes/vex.bbclass @@ -213,6 +213,8 @@ python vex_write_rootfs_manifest () { with open(pkgfilepath) as j: data = json.load(j) cve_check_merge_jsons(json_data, data) + else: + bb.warn("Missing cve file for %s" % pkg) d.setVar("PN", save_pn)
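Review bot: the new `bb.warn("Missing cve file for %s" % pkg)` will fire for recipes that cve_write_data_json deliberately skips. That function returns early when the recipe's layer is in CVE_CHECK_LAYER_EXCLUDELIST or not in a non-empty CVE_CHECK_LAYER_INCLUDELIST (the `if exclude_layers and layer in exclude_layers: return` and `if include_layers and layer not in include_layers: return` lines earlier in this series), and those recipes never get a CVE_CHECK_RECIPE_FILE_JSON written, so an image built with a populated exclude list prints one warning per excluded package. Consider bb.note for that path, or applying the same layer filter before warning, so the warning only flags files that are genuinely missing; an unexplained flood of warnings is the quickest way to get a real one ignored.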
@@ -306,9 +308,12 @@ def cve_write_data_json(d, cve_data, cve_status): cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") index_path = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH") bb.utils.mkdirhier(cvelogpath) + bb.utils.mkdirhier(os.path.dirname(deploy_file)) fragment_file = os.path.basename(deploy_file) fragment_path = os.path.join(cvelogpath, fragment_file) with open(fragment_path, "w") as f: f.write(write_string) + with open(deploy_file, "w") as f: + f.write(write_string) with open(index_path, "a+") as f: f.write("%s\n" % fragment_path)
From patchwork Tue Nov 25 20:58:45 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 75393
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 7/9] libarchive: patch 3.8.3 security issue 1
Date: Tue, 25 Nov 2025 12:58:45 -0800
Message-ID: <11f782c1ae9962a2faa98bff3566e49fbf6db017.1764104199.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226792

From: Peter Marko

Pick patch [2] as listed in [1]. To apply it cleanly, add two additional patches from branch patch/3.8.

[1] https://github.com/libarchive/libarchive/releases/tag/v3.8.3
[2] https://github.com/libarchive/libarchive/pull/2753

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
...request-2696-from-al3xtjames-mkstemp.patch | 28 +++
...st-2749-from-KlaraSystems-des-tempdi.patch | 186 +++++++++++++++++
...st-2753-from-KlaraSystems-des-temp-f.patch | 190 ++++++++++++++++++
.../libarchive/libarchive_3.7.9.bb | 3 +
4 files changed, 407 insertions(+)
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2696-from-al3xtjames-mkstemp.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2696-from-al3xtjames-mkstemp.patch b/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2696-from-al3xtjames-mkstemp.patch new file mode 100644 index 0000000000..c6a4c026d1 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2696-from-al3xtjames-mkstemp.patch @@ -0,0 +1,28 @@ +From 53d2bc4f89fcbd7414b92bd242f6cdc901941f55 Mon Sep 17 00:00:00 2001 +From: Tim Kientzle +Date: Sat, 16 Aug 2025 10:27:11 -0600 +Subject: [PATCH] Merge pull request #2696 from al3xtjames/mkstemp + +Fix mkstemp path in setup_mac_metadata + +(cherry picked from commit 892f33145093d1c9b962b6521a6480dfea66ae00) + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/53d2bc4f89fcbd7414b92bd242f6cdc901941f55] +Signed-off-by: Peter Marko +--- + libarchive/archive_read_disk_entry_from_file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_disk_entry_from_file.c b/libarchive/archive_read_disk_entry_from_file.c +index 19d04977..87389642 100644 +--- a/libarchive/archive_read_disk_entry_from_file.c ++++ b/libarchive/archive_read_disk_entry_from_file.c +@@ -364,7 +364,7 @@ setup_mac_metadata(struct archive_read_disk *a, + tempdir = _PATH_TMP; + archive_string_init(&tempfile); + archive_strcpy(&tempfile, tempdir); +- archive_strcat(&tempfile, "tar.md.XXXXXX"); ++ archive_strcat(&tempfile, "/tar.md.XXXXXX"); + tempfd = mkstemp(tempfile.s); + if (tempfd < 0) { + archive_set_error(&a->archive, errno, diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch b/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch new file mode 100644 index 0000000000..cab8e5e651 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch 
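Review bot: the one-character fix in the embedded 2696 patch is fine, but its justification belongs in the backport header: the hunk shows `tempdir = _PATH_TMP` as the fallback, and whether the template needs a leading "/" depends on whether TMPDIR or _PATH_TMP carries a trailing slash, which this change now assumes they do not (a doubled "//" is harmless, a missing one is not). The 2749 backport later in this same series removes the slash again once __archive_get_tempdir takes over the separator, so the Upstream-Status block should say that this patch is carried only so that 2749 applies cleanly, as the cover text states; otherwise a future rebase may keep this one and drop the other.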
@@ -0,0 +1,186 @@ +From 82e31ba4a9afcce0c7c19e591ccd8653196d84a0 Mon Sep 17 00:00:00 2001 +From: Tim Kientzle +Date: Mon, 13 Oct 2025 10:57:18 -0700 +Subject: [PATCH] Merge pull request #2749 from KlaraSystems/des/tempdir + +Unify temporary directory handling + +(cherry picked from commit d207d816d065c79dc2cb992008c3ba9721c6a276) + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/82e31ba4a9afcce0c7c19e591ccd8653196d84a0] +Signed-off-by: Peter Marko +--- + CMakeLists.txt | 6 ++- + configure.ac | 6 ++- + libarchive/archive_private.h | 1 + + .../archive_read_disk_entry_from_file.c | 14 +++---- + libarchive/archive_read_disk_posix.c | 3 -- + libarchive/archive_util.c | 38 ++++++++++++++++--- + 6 files changed, 49 insertions(+), 19 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index f44adc77..fc9aca4e 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -1455,15 +1455,19 @@ CHECK_FUNCTION_EXISTS_GLIBC(ftruncate HAVE_FTRUNCATE) + CHECK_FUNCTION_EXISTS_GLIBC(futimens HAVE_FUTIMENS) + CHECK_FUNCTION_EXISTS_GLIBC(futimes HAVE_FUTIMES) + CHECK_FUNCTION_EXISTS_GLIBC(futimesat HAVE_FUTIMESAT) ++CHECK_FUNCTION_EXISTS_GLIBC(getegid HAVE_GETEGID) + CHECK_FUNCTION_EXISTS_GLIBC(geteuid HAVE_GETEUID) + CHECK_FUNCTION_EXISTS_GLIBC(getgrgid_r HAVE_GETGRGID_R) + CHECK_FUNCTION_EXISTS_GLIBC(getgrnam_r HAVE_GETGRNAM_R) + CHECK_FUNCTION_EXISTS_GLIBC(getline HAVE_GETLINE) ++CHECK_FUNCTION_EXISTS_GLIBC(getpid HAVE_GETPID) + CHECK_FUNCTION_EXISTS_GLIBC(getpwnam_r HAVE_GETPWNAM_R) + CHECK_FUNCTION_EXISTS_GLIBC(getpwuid_r HAVE_GETPWUID_R) +-CHECK_FUNCTION_EXISTS_GLIBC(getpid HAVE_GETPID) ++CHECK_FUNCTION_EXISTS_GLIBC(getresgid HAVE_GETRESGID) ++CHECK_FUNCTION_EXISTS_GLIBC(getresuid HAVE_GETRESUID) + CHECK_FUNCTION_EXISTS_GLIBC(getvfsbyname HAVE_GETVFSBYNAME) + CHECK_FUNCTION_EXISTS_GLIBC(gmtime_r HAVE_GMTIME_R) ++CHECK_FUNCTION_EXISTS_GLIBC(issetugid HAVE_ISSETUGID) + CHECK_FUNCTION_EXISTS_GLIBC(lchflags HAVE_LCHFLAGS) + 
CHECK_FUNCTION_EXISTS_GLIBC(lchmod HAVE_LCHMOD) + CHECK_FUNCTION_EXISTS_GLIBC(lchown HAVE_LCHOWN) +diff --git a/configure.ac b/configure.ac +index aae0f381..a1a8f380 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -810,8 +810,10 @@ AC_CHECK_FUNCS([arc4random_buf chflags chown chroot ctime_r]) + AC_CHECK_FUNCS([fchdir fchflags fchmod fchown fcntl fdopendir fnmatch fork]) + AC_CHECK_FUNCS([fstat fstatat fstatfs fstatvfs ftruncate]) + AC_CHECK_FUNCS([futimens futimes futimesat]) +-AC_CHECK_FUNCS([geteuid getline getpid getgrgid_r getgrnam_r]) +-AC_CHECK_FUNCS([getpwnam_r getpwuid_r getvfsbyname gmtime_r]) ++AC_CHECK_FUNCS([getegid geteuid getline getpid getresgid getresuid]) ++AC_CHECK_FUNCS([getgrgid_r getgrnam_r getpwnam_r getpwuid_r]) ++AC_CHECK_FUNCS([getvfsbyname gmtime_r]) ++AC_CHECK_FUNCS([issetugid]) + AC_CHECK_FUNCS([lchflags lchmod lchown link linkat localtime_r lstat lutimes]) + AC_CHECK_FUNCS([mbrtowc memmove memset]) + AC_CHECK_FUNCS([mkdir mkfifo mknod mkstemp]) +diff --git a/libarchive/archive_private.h b/libarchive/archive_private.h +index 050fc63c..3a926c68 100644 +--- a/libarchive/archive_private.h ++++ b/libarchive/archive_private.h +@@ -158,6 +158,7 @@ int __archive_check_magic(struct archive *, unsigned int magic, + __LA_NORETURN void __archive_errx(int retvalue, const char *msg); + + void __archive_ensure_cloexec_flag(int fd); ++int __archive_get_tempdir(struct archive_string *); + int __archive_mktemp(const char *tmpdir); + #if defined(_WIN32) && !defined(__CYGWIN__) + int __archive_mkstemp(wchar_t *templates); +diff --git a/libarchive/archive_read_disk_entry_from_file.c b/libarchive/archive_read_disk_entry_from_file.c +index 87389642..42af4034 100644 +--- a/libarchive/archive_read_disk_entry_from_file.c ++++ b/libarchive/archive_read_disk_entry_from_file.c +@@ -338,7 +338,7 @@ setup_mac_metadata(struct archive_read_disk *a, + int ret = ARCHIVE_OK; + void *buff = NULL; + int have_attrs; +- const char *name, *tempdir; ++ const char *name; + 
struct archive_string tempfile; + + (void)fd; /* UNUSED */ +@@ -357,14 +357,12 @@ setup_mac_metadata(struct archive_read_disk *a, + if (have_attrs == 0) + return (ARCHIVE_OK); + +- tempdir = NULL; +- if (issetugid() == 0) +- tempdir = getenv("TMPDIR"); +- if (tempdir == NULL) +- tempdir = _PATH_TMP; + archive_string_init(&tempfile); +- archive_strcpy(&tempfile, tempdir); +- archive_strcat(&tempfile, "/tar.md.XXXXXX"); ++ if (__archive_get_tempdir(&tempfile) != ARCHIVE_OK) { ++ ret = ARCHIVE_WARN; ++ goto cleanup; ++ } ++ archive_strcat(&tempfile, "tar.md.XXXXXX"); + tempfd = mkstemp(tempfile.s); + if (tempfd < 0) { + archive_set_error(&a->archive, errno, +diff --git a/libarchive/archive_read_disk_posix.c b/libarchive/archive_read_disk_posix.c +index ba0046d7..54a8e661 100644 +--- a/libarchive/archive_read_disk_posix.c ++++ b/libarchive/archive_read_disk_posix.c +@@ -1578,9 +1578,6 @@ setup_current_filesystem(struct archive_read_disk *a) + # endif + #endif + int r, xr = 0; +-#if !defined(HAVE_STRUCT_STATFS_F_NAMEMAX) +- long nm; +-#endif + + t->current_filesystem->synthetic = -1; + t->current_filesystem->remote = -1; +diff --git a/libarchive/archive_util.c b/libarchive/archive_util.c +index 900abd0c..d048bbc9 100644 +--- a/libarchive/archive_util.c ++++ b/libarchive/archive_util.c +@@ -443,11 +443,39 @@ __archive_mkstemp(wchar_t *template) + #else + + static int +-get_tempdir(struct archive_string *temppath) ++__archive_issetugid(void) + { +- const char *tmp; ++#ifdef HAVE_ISSETUGID ++ return (issetugid()); ++#elif HAVE_GETRESUID ++ uid_t ruid, euid, suid; ++ gid_t rgid, egid, sgid; ++ if (getresuid(&ruid, &euid, &suid) != 0) ++ return (-1); ++ if (ruid != euid || ruid != suid) ++ return (1); ++ if (getresgid(&ruid, &egid, &sgid) != 0) ++ return (-1); ++ if (rgid != egid || rgid != sgid) ++ return (1); ++#elif HAVE_GETEUID ++ if (geteuid() != getuid()) ++ return (1); ++#if HAVE_GETEGID ++ if (getegid() != getgid()) ++ return (1); ++#endif ++#endif ++ return (0); ++} 
+ +- tmp = getenv("TMPDIR"); ++int ++__archive_get_tempdir(struct archive_string *temppath) ++{ ++ const char *tmp = NULL; ++ ++ if (__archive_issetugid() == 0) ++ tmp = getenv("TMPDIR"); + if (tmp == NULL) + #ifdef _PATH_TMP + tmp = _PATH_TMP; +@@ -474,7 +502,7 @@ __archive_mktemp(const char *tmpdir) + + archive_string_init(&temp_name); + if (tmpdir == NULL) { +- if (get_tempdir(&temp_name) != ARCHIVE_OK) ++ if (__archive_get_tempdir(&temp_name) != ARCHIVE_OK) + goto exit_tmpfile; + } else { + archive_strcpy(&temp_name, tmpdir); +@@ -536,7 +564,7 @@ __archive_mktempx(const char *tmpdir, char *template) + if (template == NULL) { + archive_string_init(&temp_name); + if (tmpdir == NULL) { +- if (get_tempdir(&temp_name) != ARCHIVE_OK) ++ if (__archive_get_tempdir(&temp_name) != ARCHIVE_OK) + goto exit_tmpfile; + } else + archive_strcpy(&temp_name, tmpdir); diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch b/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch new file mode 100644 index 0000000000..a5e0595776 --- /dev/null +++ b/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch 
@@ -0,0 +1,190 @@ +From c3593848067cea3b41bc11eec15f391318675cb4 Mon Sep 17 00:00:00 2001 +From: Tim Kientzle +Date: Tue, 28 Oct 2025 17:13:18 -0700 +Subject: [PATCH] Merge pull request #2753 from KlaraSystems/des/temp-files + +Create temporary files in the target directory + +(cherry picked from commit d2e861769c25470427656b36a14b535f17d47d03) + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/c3593848067cea3b41bc11eec15f391318675cb4] +Signed-off-by: Peter Marko +--- + .../archive_read_disk_entry_from_file.c | 10 ++--- + libarchive/archive_string.c | 20 ++++++++++ + libarchive/archive_string.h | 4 ++ + libarchive/archive_write_disk_posix.c | 20 ++++++---- + libarchive/test/test_archive_string.c | 38 +++++++++++++++++++ + 5 files changed, 79 insertions(+), 13 deletions(-) + +diff --git a/libarchive/archive_read_disk_entry_from_file.c b/libarchive/archive_read_disk_entry_from_file.c +index 42af4034..121af198 100644 +--- a/libarchive/archive_read_disk_entry_from_file.c ++++ b/libarchive/archive_read_disk_entry_from_file.c +@@ -358,12 +358,10 @@ setup_mac_metadata(struct archive_read_disk *a, + return (ARCHIVE_OK); + + archive_string_init(&tempfile); +- if (__archive_get_tempdir(&tempfile) != ARCHIVE_OK) { +- ret = ARCHIVE_WARN; +- goto cleanup; +- } +- archive_strcat(&tempfile, "tar.md.XXXXXX"); +- tempfd = mkstemp(tempfile.s); ++ archive_strcpy(&tempfile, name); ++ archive_string_dirname(&tempfile); ++ archive_strcat(&tempfile, "/tar.XXXXXXXX"); ++ tempfd = __archive_mkstemp(tempfile.s); + if (tempfd < 0) { + archive_set_error(&a->archive, errno, + "Could not open extended attribute file"); +diff --git a/libarchive/archive_string.c b/libarchive/archive_string.c +index 3bb97833..740308b6 100644 +--- a/libarchive/archive_string.c ++++ b/libarchive/archive_string.c +@@ -2039,6 +2039,26 @@ archive_strncat_l(struct archive_string *as, const void *_p, size_t n, + return (r); + } + ++struct archive_string * ++archive_string_dirname(struct 
archive_string *as) ++{ ++ /* strip trailing separators */ ++ while (as->length > 1 && as->s[as->length - 1] == '/') ++ as->length--; ++ /* strip final component */ ++ while (as->length > 0 && as->s[as->length - 1] != '/') ++ as->length--; ++ /* empty path -> cwd */ ++ if (as->length == 0) ++ return (archive_strcat(as, ".")); ++ /* strip separator(s) */ ++ while (as->length > 1 && as->s[as->length - 1] == '/') ++ as->length--; ++ /* terminate */ ++ as->s[as->length] = '\0'; ++ return (as); ++} ++ + #if HAVE_ICONV + + /* +diff --git a/libarchive/archive_string.h b/libarchive/archive_string.h +index e8987867..d5f5c03a 100644 +--- a/libarchive/archive_string.h ++++ b/libarchive/archive_string.h +@@ -192,6 +192,10 @@ void archive_string_vsprintf(struct archive_string *, const char *, + void archive_string_sprintf(struct archive_string *, const char *, ...) + __LA_PRINTF(2, 3); + ++/* Equivalent to dirname(3) */ ++struct archive_string * ++archive_string_dirname(struct archive_string *); ++ + /* Translates from MBS to Unicode. */ + /* Returns non-zero if conversion failed in any way. 
*/ + int archive_wstring_append_from_mbs(struct archive_wstring *dest, +diff --git a/libarchive/archive_write_disk_posix.c b/libarchive/archive_write_disk_posix.c +index 6fcf3929..cd256203 100644 +--- a/libarchive/archive_write_disk_posix.c ++++ b/libarchive/archive_write_disk_posix.c +@@ -412,12 +412,14 @@ static ssize_t _archive_write_disk_data_block(struct archive *, const void *, + static int + la_mktemp(struct archive_write_disk *a) + { ++ struct archive_string *tmp = &a->_tmpname_data; + int oerrno, fd; + mode_t mode; + +- archive_string_empty(&a->_tmpname_data); +- archive_string_sprintf(&a->_tmpname_data, "%s.XXXXXX", a->name); +- a->tmpname = a->_tmpname_data.s; ++ archive_strcpy(tmp, a->name); ++ archive_string_dirname(tmp); ++ archive_strcat(tmp, "/tar.XXXXXXXX"); ++ a->tmpname = tmp->s; + + fd = __archive_mkstemp(a->tmpname); + if (fd == -1) +@@ -4283,8 +4285,10 @@ create_tempdatafork(struct archive_write_disk *a, const char *pathname) + int tmpfd; + + archive_string_init(&tmpdatafork); +- archive_strcpy(&tmpdatafork, "tar.md.XXXXXX"); +- tmpfd = mkstemp(tmpdatafork.s); ++ archive_strcpy(&tmpdatafork, pathname); ++ archive_string_dirname(&tmpdatafork); ++ archive_strcat(&tmpdatafork, "/tar.XXXXXXXX"); ++ tmpfd = __archive_mkstemp(tmpdatafork.s); + if (tmpfd < 0) { + archive_set_error(&a->archive, errno, + "Failed to mkstemp"); +@@ -4363,8 +4367,10 @@ set_mac_metadata(struct archive_write_disk *a, const char *pathname, + * silly dance of writing the data to disk just so that + * copyfile() can read it back in again. 
*/ + archive_string_init(&tmp); +- archive_strcpy(&tmp, "tar.mmd.XXXXXX"); +- fd = mkstemp(tmp.s); ++ archive_strcpy(&tmp, pathname); ++ archive_string_dirname(&tmp); ++ archive_strcat(&tmp, "/tar.XXXXXXXX"); ++ fd = __archive_mkstemp(tmp.s); + + if (fd < 0) { + archive_set_error(&a->archive, errno, +diff --git a/libarchive/test/test_archive_string.c b/libarchive/test/test_archive_string.c +index 30f7a800..bf822c0d 100644 +--- a/libarchive/test/test_archive_string.c ++++ b/libarchive/test/test_archive_string.c +@@ -353,6 +353,43 @@ test_archive_string_sprintf(void) + archive_string_free(&s); + } + ++static void ++test_archive_string_dirname(void) ++{ ++ static struct pair { const char *str, *exp; } pairs[] = { ++ { "", "." }, ++ { "/", "/" }, ++ { "//", "/" }, ++ { "///", "/" }, ++ { "./", "." }, ++ { ".", "." }, ++ { "..", "." }, ++ { "foo", "." }, ++ { "foo/", "." }, ++ { "foo//", "." }, ++ { "foo/bar", "foo" }, ++ { "foo/bar/", "foo" }, ++ { "foo/bar//", "foo" }, ++ { "foo//bar", "foo" }, ++ { "foo//bar/", "foo" }, ++ { "foo//bar//", "foo" }, ++ { "/foo", "/" }, ++ { "//foo", "/" }, ++ { "//foo/", "/" }, ++ { "//foo//", "/" }, ++ { 0 }, ++ }; ++ struct pair *pair; ++ struct archive_string s; ++ ++ archive_string_init(&s); ++ for (pair = pairs; pair->str; pair++) { ++ archive_strcpy(&s, pair->str); ++ archive_string_dirname(&s); ++ assertEqualString(pair->exp, s.s); ++ } ++} ++ + DEFINE_TEST(test_archive_string) + { + test_archive_string_ensure(); +@@ -364,6 +401,7 @@ DEFINE_TEST(test_archive_string) + test_archive_string_concat(); + test_archive_string_copy(); + test_archive_string_sprintf(); ++ test_archive_string_dirname(); + } + + static const char *strings[] = diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index f4b1be2337..88e9fbf8e9 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb 
@@ -38,6 +38,9 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://CVE-2025-5918-0001.patch \ file://CVE-2025-5918-0002.patch \ file://CVE-2025-5918-0003.patch \ + file://0001-Merge-pull-request-2696-from-al3xtjames-mkstemp.patch \ + file://0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch \ + file://0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/"
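Review bot: In the setup_mac_metadata hunk of archive_read_disk_entry_from_file.c (tempdir patch, @@ -357,14), the new archive_strcat(&tempfile, "tar.md.XXXXXX") drops the "/" that the removed archive_strcat(&tempfile, "/tar.md.XXXXXX") carried, so the template is only well-formed if __archive_get_tempdir() guarantees a trailing separator on temppath. The visible part of that function in archive_util.c only shows the TMPDIR / _PATH_TMP selection, not a separator being appended; either state that invariant in a comment at this call site or keep the explicit "/" here, otherwise a plain _PATH_TMP of "/tmp" would yield "/tmptar.md.XXXXXX" and mkstemp() would create the file in "/".

Review bot: In the HAVE_GETRESUID branch of __archive_issetugid() (archive_util.c, @@ -443,11), getresgid(&ruid, &egid, &sgid) stores the real gid into the uid_t variable ruid and leaves rgid uninitialised, so the following "rgid != egid || rgid != sgid" compares an indeterminate value; it should read getresgid(&rgid, &egid, &sgid). On glibc uid_t and gid_t are the same underlying type, so the compiler will not flag the wrong pointer. The practical effect is that on platforms without issetugid() the function will usually return 1 even for an ordinary process, which silently disables the getenv("TMPDIR") path that the patch is trying to keep for non-privileged callers. Two smaller points in the same hunk: the chain mixes "#ifdef HAVE_ISSETUGID" with "#elif HAVE_GETRESUID" and "#elif HAVE_GETEUID" (an undefined macro in #elif evaluates to 0, so "#elif defined(...)" is the consistent form), and returning -1 when getresuid()/getresgid() fail is the right fail-closed choice given that the only caller tests "== 0", but it deserves a one-line comment because the function otherwise reads as boolean.

Review bot: On the read-disk side (setup_mac_metadata in archive_read_disk_entry_from_file.c, temp-files patch) the temp file now lives in dirname(name), that is next to the file being archived, so reading metadata from a directory the caller can read but not write (read-only mounts, another user's tree) now fails with "Could not open extended attribute file" where the previous __archive_get_tempdir() location worked. Consider falling back to the temp directory when __archive_mkstemp() fails with EACCES or EROFS, or say in a comment that the failure is intentional. For the write-disk callers in the same patch the new location is the right one, because the file is created in the directory the extracted entry will be renamed into.

Review bot: archive_string_dirname() (archive_string.c hunk) only recognises '/' as a separator. That is fine for the two *_posix.c callers and for archive_read_disk_entry_from_file.c, but the "Equivalent to dirname(3)" comment added to archive_string.h oversells it for a Windows build; either say "POSIX dirname(3)" or document that '\\' is not handled. The function also terminates with as->s[as->length] = '\0' on the non-empty path but relies on archive_strcat(as, ".") to terminate the empty-path case; that asymmetry is correct, but a comment would stop someone "fixing" it by writing the NUL into a possibly NULL as->s before the strcat.

Review bot: la_mktemp() in archive_write_disk_posix.c now builds dirname(a->name) + "/tar.XXXXXXXX", an eight-X template. POSIX mkstemp(3) only specifies the trailing six X's, so this is only safe because __archive_mkstemp() is libarchive's own wrapper (its wchar_t variant is visible in the archive_util.c context of the preceding tempdir patch) rather than the libc call; a comment at the template would stop a later cleanup from switching it back to mkstemp(). The removed "%s.XXXXXX" form named the temp file after the target, which made an orphan left behind by an interrupted extraction easy to attribute; the fixed "tar." prefix loses that, and the commit message should mention the trade-off.

Review bot: The removed lines in create_tempdatafork() and set_mac_metadata() show the temp file being created from the bare templates "tar.md.XXXXXX" and "tar.mmd.XXXXXX" with plain mkstemp(), that is relative to whatever the process's current working directory happens to be. That is the actual defect being fixed (a cwd the caller does not control, or a shared one), and the commit message "Create temporary files in the target directory" should say so. Both hunks now derive the location from pathname; please confirm pathname is the full extraction path at this point and not an archive-relative name, otherwise archive_string_dirname() still resolves against cwd.

Review bot: Ordering in the SRC_URI hunk matters: the 2753 patch removes the "if (__archive_get_tempdir(&tempfile) != ARCHIVE_OK)" lines that 2749 introduced and calls __archive_mkstemp(), so 2696 and 2749 must stay listed before 2753, as they are; a short comment in the recipe would stop a later CVE patch from being inserted between them. None of the three patch headers carries a CVE: line; if the 3.8.3 release notes tie these temp-file changes to an identifier, add it so cve-check reports the status, otherwise note in the commit message that none was assigned.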
From patchwork Tue Nov 25 20:58:46 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 75394
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 8/9] libarchive: patch 3.8.3 security issue 2
Date: Tue, 25 Nov 2025 12:58:46 -0800
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226793

From: Peter Marko

Pick patch [2] as listed in [1].

[1] https://github.com/libarchive/libarchive/releases/tag/v3.8.3
[2] https://github.com/libarchive/libarchive/pull/2768

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 ...-request-2768-from-Commandoss-master.patch | 28 +++++++++++++++++++
 .../libarchive/libarchive_3.7.9.bb            |  1 +
 2 files changed, 29 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2768-from-Commandoss-master.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2768-from-Commandoss-master.patch b/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2768-from-Commandoss-master.patch
new file mode 100644
index 0000000000..66e88c91b4
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2768-from-Commandoss-master.patch
@@ -0,0 +1,28 @@ +From 82b57a9740aa6d084edcf4592a3b8e49f63dec98 Mon Sep 17 00:00:00 2001 +From: Tim Kientzle +Date: Fri, 31 Oct 2025 22:07:19 -0700 +Subject: [PATCH] Merge pull request #2768 from Commandoss/master + +Fix for an out-of-bounds buffer overrun when using p[H_LEVEL_OFFSET] + +(cherry picked from commit ce614c65246158bcb0dc1f9c1dce5a5af65f9827) + +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/82b57a9740aa6d084edcf4592a3b8e49f63dec98] +Signed-off-by: Peter Marko +--- + libarchive/archive_read_support_format_lha.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c +index 2a84ad9d..abf8b879 100644 +--- a/libarchive/archive_read_support_format_lha.c ++++ b/libarchive/archive_read_support_format_lha.c +@@ -690,7 +690,7 @@ archive_read_format_lha_read_header(struct archive_read *a, + * a pathname and a symlink has '\' character, a directory + * separator in DOS/Windows. So we should convert it to '/'. + */ +- if (p[H_LEVEL_OFFSET] == 0) ++ if (lha->level == 0) + lha_replace_path_separator(lha, entry); + + archive_entry_set_mode(entry, lha->mode); diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index 88e9fbf8e9..da11e052a7 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb 
@@ -41,6 +41,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://0001-Merge-pull-request-2696-from-al3xtjames-mkstemp.patch \ file://0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch \ file://0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch \ + file://0001-Merge-pull-request-2768-from-Commandoss-master.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/"
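Review bot: Replacing p[H_LEVEL_OFFSET] with lha->level in archive_read_format_lha_read_header() is the right fix if p no longer points at a buffer with at least H_LEVEL_OFFSET + 1 valid bytes at this point, which is what the commit message ("out-of-bounds buffer overrun") says; lha->level was already parsed from the header, so the read is redundant as well as unsafe. The patch carries no test, though: a minimal crafted LHA header in libarchive/test that trips the over-read under ASan would keep this from regressing. If the function still reads through p anywhere after this if, those reads need the same scrutiny, since the hunk only touches one use.

Review bot: The patch header in the SRC_URI hunk has Upstream-Status but no CVE: line, while the series subject calls it "3.8.3 security issue 2". If an identifier exists for the LHA over-read, add it to the patch header so cve-check tracks it; if none was assigned, say so in the recipe commit message so nobody goes looking.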
From patchwork Tue Nov 25 20:58:47 2025
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 75395
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 9/9] libarchive: patch CVE-2025-60753
Date: Tue, 25 Nov 2025 12:58:47 -0800
Message-ID: <1fbd9eddbdf0da062df0510cabff6f6ee33d5752.1764104199.git.steve@sakoman.com>
X-Mailer: git-send-email 2.43.0
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/226794

From: Peter Marko

Pick patch from [3] marked in [2] mentioned in [1].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-60753
[2] https://github.com/libarchive/libarchive/issues/2725
[3] https://github.com/libarchive/libarchive/pull/2787

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
 .../libarchive/CVE-2025-60753.patch           | 76 +++++++++++++++++++
 .../libarchive/libarchive_3.7.9.bb            |  1 +
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch
new file mode 100644
index 0000000000..730a6128c3
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch
@@ -0,0 +1,76 @@ +From 3150539edb18690c2c5f81c37fd2d3a35c69ace5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?ARJANEN=20Lo=C3=AFc=20Jean=20David?= +Date: Fri, 14 Nov 2025 20:34:48 +0100 +Subject: [PATCH] Fix bsdtar zero-length pattern issue. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Uses the sed-like way (and Java-like, and .Net-like, and Javascript-like…) to fix this issue of advancing the string to be processed by one if the match is zero-length. + +Fixes libarchive/libarchive#2725 and solves libarchive/libarchive#2438. + +CVE: CVE-2025-60753 +Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/3150539edb18690c2c5f81c37fd2d3a35c69ace5] +Signed-off-by: Peter Marko +--- + tar/subst.c | 19 ++++++++++++------- + tar/test/test_option_s.c | 8 +++++++- + 2 files changed, 19 insertions(+), 8 deletions(-) + +diff --git a/tar/subst.c b/tar/subst.c +index 9747abb9..902a4d64 100644 +--- a/tar/subst.c ++++ b/tar/subst.c +@@ -235,7 +235,9 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result, + (*result)[0] = 0; + } + +- while (1) { ++ char isEnd = 0; ++ do { ++ isEnd = *name == '\0'; + if (regexec(&rule->re, name, 10, matches, 0)) + break; + +@@ -290,12 +292,15 @@ apply_substitution(struct bsdtar *bsdtar, const char *name, char **result, + } + + realloc_strcat(result, rule->result + j); +- +- name += matches[0].rm_eo; +- +- if (!rule->global) +- break; +- } ++ if (matches[0].rm_eo > 0) { ++ name += matches[0].rm_eo; ++ } else { ++ // We skip a character because the match is 0-length ++ // so we need to add it to the output ++ realloc_strncat(result, name, 1); ++ name += 1; ++ } ++ } while (rule->global && !isEnd); // Testing one step after because sed et al. 
run 0-length patterns a last time on the empty string at the end + } + + if (got_match) +diff --git a/tar/test/test_option_s.c b/tar/test/test_option_s.c +index 564793b9..90b4c471 100644 +--- a/tar/test/test_option_s.c ++++ b/tar/test/test_option_s.c +@@ -42,7 +42,13 @@ DEFINE_TEST(test_option_s) + systemf("%s -cf test1_2.tar -s /d1/d2/ in/d1/foo", testprog); + systemf("%s -xf test1_2.tar -C test1", testprog); + assertFileContents("foo", 3, "test1/in/d2/foo"); +- ++ systemf("%s -cf test1_3.tar -s /o/#/g in/d1/foo", testprog); ++ systemf("%s -xf test1_3.tar -C test1", testprog); ++ assertFileContents("foo", 3, "test1/in/d1/f##"); ++ // For the 0-length pattern check, remember that "test1/" isn't part of the string affected by the regexp ++ systemf("%s -cf test1_4.tar -s /f*/\\<~\\>/g in/d1/foo", testprog); ++ systemf("%s -xf test1_4.tar -C test1", testprog); ++ assertFileContents("foo", 3, "test1/<>i<>n<>/<>d<>1<>/<>o<>o<>"); + /* + * Test 2: Basic substitution when extracting archive. + */ diff --git a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb index da11e052a7..86ba53aaf2 100644 --- a/meta/recipes-extended/libarchive/libarchive_3.7.9.bb +++ b/meta/recipes-extended/libarchive/libarchive_3.7.9.bb @@ -42,6 +42,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \ file://0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch \ file://0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch \ file://0001-Merge-pull-request-2768-from-Commandoss-master.patch \ + file://CVE-2025-60753.patch \ " UPSTREAM_CHECK_URI = "http://libarchive.org/"
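Review bot: The removed loop in apply_substitution() (tar/subst.c) advanced only by "name += matches[0].rm_eo" and left only on "!rule->global", so a zero-length match with the g flag (rm_eo == 0) never moved name and spun forever while realloc_strcat() kept appending rule->result; the new branch "if (matches[0].rm_eo > 0) name += rm_eo; else { realloc_strncat(result, name, 1); name += 1; }" is the right fix for that. Three points on the replacement: "char isEnd = 0;" is a declaration after statements and the "//" comments are C++ style, neither of which matches the surrounding tar/subst.c context; isEnd is sampled before regexec() but named like a loop condition, so a one-line comment stating that the final iteration on the empty string is deliberate would help more than the trailing sentence fragment after "while (rule->global && !isEnd);"; and the loop still emits a substitution for an empty match that directly follows a non-empty one (after "name += rm_eo" the next regexec() may match "" at offset 0), which sed and Perl suppress, so the "sed-like" claim in the commit message should be checked against a case such as s/f*/X/g on "foo".

Review bot: Both new cases in test_option_s.c use the g flag. Add a non-global zero-length case (for example -s /f*/X/ without g on in/d1/foo), because the old explicit "if (!rule->global) break;" is gone and the single-pass behaviour is now only reached implicitly through the do/while condition. The "//" comment added to the test should also be a /* */ comment to match the "Test 2:" block right below it.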