203 files changed, 6255 insertions, 1447 deletions
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass index 7d5e3eb8fd..726f17a946 100644 --- a/meta/classes/buildhistory.bbclass +++ b/meta/classes/buildhistory.bbclass @@ -674,13 +674,16 @@ IMAGE_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_imageinfo" POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_list_installed_sdk_target;" POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_get_sdk_installed_target;" POPULATE_SDK_POST_TARGET_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_target;| buildhistory_get_sdk_installed_target;" +POPULATE_SDK_POST_TARGET_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_target buildhistory_get_sdk_installed_target" POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_list_installed_sdk_host;" POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_get_sdk_installed_host;" POPULATE_SDK_POST_HOST_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_host;| buildhistory_get_sdk_installed_host;" +POPULATE_SDK_POST_HOST_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_host buildhistory_get_sdk_installed_host" SDK_POSTPROCESS_COMMAND_append = " buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; " SDK_POSTPROCESS_COMMAND[vardepvalueexclude] .= "| buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; " +SDK_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_sdkinfo buildhistory_get_extra_sdkinfo" python buildhistory_write_sigs() { if not "task" in (d.getVar('BUILDHISTORY_FEATURES') or "").split(): @@ -855,7 +858,7 @@ END } python buildhistory_eventhandler() { - if e.data.getVar('BUILDHISTORY_FEATURES').strip(): + if (e.data.getVar('BUILDHISTORY_FEATURES') or "").strip(): reset = e.data.getVar("BUILDHISTORY_RESET") olddir = e.data.getVar("BUILDHISTORY_OLD_DIR") if isinstance(e, bb.event.BuildStarted): diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index d843e7c4ac..112ee3379d 100644 
--- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -53,6 +53,16 @@ CVE_CHECK_PN_WHITELIST ?= "" # CVE_CHECK_WHITELIST ?= "" +# Layers to be excluded +CVE_CHECK_LAYER_EXCLUDELIST ??= "" + +# Layers to be included +CVE_CHECK_LAYER_INCLUDELIST ??= "" + + +# set to "alphabetical" for version using single alphabetical character as increament release +CVE_VERSION_SUFFIX ??= "" + python cve_save_summary_handler () { import shutil import datetime @@ -206,10 +216,11 @@ def check_cves(d, patched_cves): """ Connect to the NVD database and find unpatched cves. """ - from distutils.version import LooseVersion + from oe.cve_check import Version pn = d.getVar("PN") real_pv = d.getVar("PV") + suffix = d.getVar("CVE_VERSION_SUFFIX") cves_unpatched = [] # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) @@ -263,8 +274,8 @@ def check_cves(d, patched_cves): else: if operator_start: try: - vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) - vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) + vulnerable_start = (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix)) + vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix)) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_start, version_start, cve)) @@ -274,8 +285,8 @@ def check_cves(d, patched_cves): if operator_end: try: - vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) - vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) + vulnerable_end = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) ) + vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) ) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_end, version_end, cve)) 
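Review bot: The four rewritten comparisons in check_cves still sit inside bare `except:` blocks that only `bb.warn`, so a version string the new `Version(pv, suffix)` class cannot parse leaves `vulnerable_start`/`vulnerable_end` unset and the CVE is reported as not affecting the recipe, which under-reports rather than over-reports. Narrow the handler to the exception types `oe.cve_check.Version` actually raises and consider treating a failed comparison as "unpatched" so it surfaces in the report instead of disappearing; the rest of check_cves, including the initialisation of those two flags, is outside the hunk. In the first hunk the added comment reads `# set to "alphabetical" for version using single alphabetical character as increament release`; "increament" should be "increment", and it would help to state that an empty value means "no suffix handling".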
@@ -330,7 +341,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): CVE manifest if enabled. """ + cve_file = d.getVar("CVE_CHECK_LOG") + fdir_name = d.getVar("FILE_DIRNAME") + layer = fdir_name.split("/")[-3] + + include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split() + exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split() + + if exclude_layers and layer in exclude_layers: + return + + if include_layers and layer not in include_layers: + return + nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId=" write_string = "" unpatched_cves = [] @@ -340,6 +364,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): is_patched = cve in patched if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"): continue + write_string += "LAYER: %s\n" % layer write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) write_string += "CVE: %s\n" % cve diff --git a/meta/classes/devshell.bbclass b/meta/classes/devshell.bbclass index fdf7dc100f..76dd0b42ee 100644 --- a/meta/classes/devshell.bbclass +++ b/meta/classes/devshell.bbclass @@ -128,6 +128,7 @@ def devpyshell(d): more = i.runsource(source, "<pyshell>") if not more: buf = [] + sys.stderr.flush() prompt(more) except KeyboardInterrupt: i.write("\nKeyboardInterrupt\n") diff --git a/meta/classes/distutils3-base.bbclass b/meta/classes/distutils3-base.bbclass index 7dbf07ac4b..a277d1c7bc 100644 --- a/meta/classes/distutils3-base.bbclass +++ b/meta/classes/distutils3-base.bbclass @@ -1,5 +1,5 @@ DEPENDS += "${@["${PYTHON_PN}-native ${PYTHON_PN}", ""][(d.getVar('PACKAGES') == '')]}" RDEPENDS_${PN} += "${@['', '${PYTHON_PN}-core']['${CLASSOVERRIDE}' == 'class-target']}" -inherit distutils-common-base python3native +inherit distutils-common-base python3native python3targetconfig diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass index dd09395788..3d6b80bee2 100644 
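Review bot: `layer = fdir_name.split("/")[-3]` hard-codes a `<layer>/recipes-*/<pkg>/` layout; a recipe nested one level deeper or shallower yields a wrong layer name, and since that name drives the include/exclude early `return`s, the effect is a CVE report that silently goes missing for that recipe. If the bitbake in use provides it, `bb.utils.get_file_layer(d.getVar("FILE"), d)` derives the layer from the configured collections instead of the path depth; failing that, the `-3` assumption deserves a comment next to the line. `cve_file = d.getVar("CVE_CHECK_LOG")` is assigned but not used within the hunk, so if it is not consumed further down in cve_write_data it should go. The function body continues past the end of the hunk.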
--- a/meta/classes/externalsrc.bbclass +++ b/meta/classes/externalsrc.bbclass @@ -68,6 +68,7 @@ python () { url_data = fetch.ud[url] parm = url_data.parm if (url_data.type == 'file' or + url_data.type == 'npmsw' or 'type' in parm and parm['type'] == 'kmeta'): local_srcuri.append(url) @@ -190,6 +191,7 @@ def srctree_hash_files(d, srcdir=None): import shutil import subprocess import tempfile + import hashlib s_dir = srcdir or d.getVar('EXTERNALSRC') git_dir = None @@ -197,6 +199,10 @@ def srctree_hash_files(d, srcdir=None): try: git_dir = os.path.join(s_dir, subprocess.check_output(['git', '-C', s_dir, 'rev-parse', '--git-dir'], stderr=subprocess.DEVNULL).decode("utf-8").rstrip()) + top_git_dir = os.path.join(s_dir, subprocess.check_output(['git', '-C', d.getVar("TOPDIR"), 'rev-parse', '--git-dir'], + stderr=subprocess.DEVNULL).decode("utf-8").rstrip()) + if git_dir == top_git_dir: + git_dir = None except subprocess.CalledProcessError: pass 
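Review bot: The new `top_git_dir` in srctree_hash_files is joined onto `s_dir`, but the `rev-parse --git-dir` it wraps was run with `-C TOPDIR`, so a relative answer such as `.git` resolves to `s_dir/.git` rather than `TOPDIR/.git`. When EXTERNALSRC and TOPDIR are both repository roots of different repositories the two paths then compare equal, `git_dir` is set to `None` and git-based hashing is disabled for a tree that is perfectly hashable. Join onto the directory the command was run in: `top_git_dir = os.path.join(d.getVar("TOPDIR"), subprocess.check_output(['git', '-C', d.getVar("TOPDIR"), 'rev-parse', '--git-dir'], stderr=subprocess.DEVNULL).decode("utf-8").rstrip())`, and normalise both sides with `os.path.realpath` before comparing. srctree_hash_files continues beyond this hunk.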
@@ -210,7 +216,17 @@ def srctree_hash_files(d, srcdir=None): env = os.environ.copy() env['GIT_INDEX_FILE'] = tmp_index.name subprocess.check_output(['git', 'add', '-A', '.'], cwd=s_dir, env=env) - sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8") + git_sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8") + submodule_helper = subprocess.check_output(['git', 'submodule--helper', 'list'], cwd=s_dir, env=env).decode("utf-8") + for line in submodule_helper.splitlines(): + module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1]) + if os.path.isdir(module_dir): + proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) + proc.communicate() + proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL) + stdout, _ = proc.communicate() + git_sha1 += stdout.decode("utf-8") + sha1 = hashlib.sha1(git_sha1.encode("utf-8")).hexdigest() with open(oe_hash_file, 'w') as fobj: fobj.write(sha1) ret = oe_hash_file + ':True' diff --git a/meta/classes/image-live.bbclass b/meta/classes/image-live.bbclass index 9ea5ddc312..47c44b4aad 100644 --- a/meta/classes/image-live.bbclass +++ b/meta/classes/image-live.bbclass @@ -30,7 +30,7 @@ do_bootimg[depends] += "dosfstools-native:do_populate_sysroot \ virtual/kernel:do_deploy \ ${MLPREFIX}syslinux:do_populate_sysroot \ syslinux-native:do_populate_sysroot \ - ${PN}:do_image_${@d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')} \ + ${@'%s:do_image_%s' % (d.getVar('PN'), d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')) if d.getVar('ROOTFS') else ''} \ " diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index 045f4494c8..2f1d5cfb46 100644 --- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass 
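Review bot: The `git submodule--helper list` call is the only subprocess in this stretch that is not inside the earlier `try`, and `submodule--helper` is git's internal helper rather than documented plumbing, so a git version that lacks or changes the subcommand turns the whole hash computation into a `CalledProcessError` instead of a tree without submodule contributions. Also, `line.rsplit(maxsplit=1)[1]` breaks on submodule paths containing whitespace, and the per-submodule `write-tree` discards stderr and never inspects `proc.returncode`, so a failing submodule contributes an empty string and a silently different `sha1`. Tolerating an unavailable helper keeps the superproject hash intact; checking the return code of `write-tree` turns a silent mismatch into a visible one.

```python
git_sha1 = subprocess.check_output(['git', 'write-tree'], cwd=s_dir, env=env).decode("utf-8")
try:
    submodule_helper = subprocess.check_output(['git', 'submodule--helper', 'list'], cwd=s_dir, env=env).decode("utf-8")
except subprocess.CalledProcessError:
    # Helper unavailable in this git version: hash the superproject only
    submodule_helper = ""
for line in submodule_helper.splitlines():
    module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1])
    if os.path.isdir(module_dir):
        # … unchanged: git add -A inside the submodule …
        proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
        stdout, _ = proc.communicate()
        if proc.returncode != 0:
            bb.warn("git write-tree failed for submodule %s" % module_dir)
        git_sha1 += stdout.decode("utf-8")
# … unchanged: hashlib.sha1 fingerprint and oe_hash_file write …
```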
@@ -112,7 +112,7 @@ def rootfs_command_variables(d): 'IMAGE_PREPROCESS_COMMAND','RPM_PREPROCESS_COMMANDS','RPM_POSTPROCESS_COMMANDS','DEB_PREPROCESS_COMMANDS','DEB_POSTPROCESS_COMMANDS'] python () { - variables = rootfs_command_variables(d) + sdk_command_variables(d) + variables = rootfs_command_variables(d) for var in variables: if d.getVar(var, False): d.setVarFlag(var, 'func', '1') @@ -180,6 +180,8 @@ IMAGE_LOCALES_ARCHIVE ?= '1' # aren't yet available. PSEUDO_PASSWD = "${IMAGE_ROOTFS}:${STAGING_DIR_NATIVE}" +PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/intercept_scripts,${WORKDIR}/oe-rootfs-repo,${WORKDIR}/sstate-build-image_complete" + PACKAGE_EXCLUDE ??= "" PACKAGE_EXCLUDE[type] = "list" diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass index 286009057e..30951ae366 100644 --- a/meta/classes/image_types.bbclass +++ b/meta/classes/image_types.bbclass @@ -110,7 +110,7 @@ IMAGE_CMD_squashfs-lz4 = "mksquashfs ${IMAGE_ROOTFS} ${IMGDEPLOYDIR}/${IMAGE_NAM IMAGE_CMD_TAR ?= "tar" # ignore return code 1 "file changed as we read it" as other tasks(e.g. do_image_wic) may be hardlinking rootfs -IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --sort=name --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]" +IMAGE_CMD_tar = "${IMAGE_CMD_TAR} --sort=name --format=posix --numeric-owner -cf ${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.tar -C ${IMAGE_ROOTFS} . || [ $? -eq 1 ]" do_image_cpio[cleandirs] += "${WORKDIR}/cpio_append" IMAGE_CMD_cpio () { diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass index c6dff9659c..44dbed875b 100644 --- a/meta/classes/insane.bbclass +++ b/meta/classes/insane.bbclass 
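Review bot: In image_types.bbclass, `--format=posix` makes GNU tar emit pax extended headers that by default record each entry's atime and ctime, which re-introduces the per-build variation the existing `--sort=name --numeric-owner` flags are there to remove. Add `--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime` alongside `--format=posix` so the archive stays byte-reproducible, and extend the comment above `IMAGE_CMD_tar` to say why posix format is wanted (presumably long paths or large files; the commit does not say).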
@@ -175,7 +175,7 @@ def package_qa_check_useless_rpaths(file, name, d, elf, messages): if rpath_eq(rpath, libdir) or rpath_eq(rpath, base_libdir): # The dynamic linker searches both these places anyway. There is no point in # looking there again. - package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d), rpath)) + package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d, name), rpath)) QAPATHTEST[dev-so] = "package_qa_check_dev" def package_qa_check_dev(path, name, d, elf, messages): @@ -184,8 +184,8 @@ def package_qa_check_dev(path, name, d, elf, messages): """ if not name.endswith("-dev") and not name.endswith("-dbg") and not name.endswith("-ptest") and not name.startswith("nativesdk-") and path.endswith(".so") and os.path.islink(path): - package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package contains symlink .so: %s path '%s'" % \ - (name, package_qa_clean_path(path,d))) + package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package %s contains symlink .so '%s'" % \ + (name, package_qa_clean_path(path, d, name))) QAPATHTEST[dev-elf] = "package_qa_check_dev_elf" def package_qa_check_dev_elf(path, name, d, elf, messages): @@ -195,8 +195,8 @@ def package_qa_check_dev_elf(path, name, d, elf, messages): install link-time .so files that are linker scripts. """ if name.endswith("-dev") and path.endswith(".so") and not os.path.islink(path) and elf: - package_qa_add_message(messages, "dev-elf", "-dev package contains non-symlink .so: %s path '%s'" % \ - (name, package_qa_clean_path(path,d))) + package_qa_add_message(messages, "dev-elf", "-dev package %s contains non-symlink .so '%s'" % \ + (name, package_qa_clean_path(path, d, name))) QAPATHTEST[staticdev] = "package_qa_check_staticdev" def package_qa_check_staticdev(path, name, d, elf, messages): 
@@ -209,7 +209,7 @@ def package_qa_check_staticdev(path, name, d, elf, messages): if not name.endswith("-pic") and not name.endswith("-staticdev") and not name.endswith("-ptest") and path.endswith(".a") and not path.endswith("_nonshared.a") and not '/usr/lib/debug-static/' in path and not '/.debug-static/' in path: package_qa_add_message(messages, "staticdev", "non -staticdev package contains static .a library: %s path '%s'" % \ - (name, package_qa_clean_path(path,d))) + (name, package_qa_clean_path(path,d, name))) QAPATHTEST[mime] = "package_qa_check_mime" def package_qa_check_mime(path, name, d, elf, messages): diff --git a/meta/classes/kernel-devicetree.bbclass b/meta/classes/kernel-devicetree.bbclass index 81dda8003f..3c5def1041 100644 --- a/meta/classes/kernel-devicetree.bbclass +++ b/meta/classes/kernel-devicetree.bbclass @@ -1,8 +1,11 @@ # Support for device tree generation -PACKAGES_append = " \ - ${KERNEL_PACKAGE_NAME}-devicetree \ - ${@[d.getVar('KERNEL_PACKAGE_NAME') + '-image-zimage-bundle', ''][d.getVar('KERNEL_DEVICETREE_BUNDLE') != '1']} \ -" +python () { + if not bb.data.inherits_class('nopackages', d): + d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-devicetree") + if d.getVar('KERNEL_DEVICETREE_BUNDLE') == '1': + d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-image-zimage-bundle") +} + FILES_${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb /${KERNEL_IMAGEDEST}/*.dtbo" FILES_${KERNEL_PACKAGE_NAME}-image-zimage-bundle = "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin" diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass index 1a444efabf..b03a286ed4 100644 --- a/meta/classes/kernel.bbclass +++ b/meta/classes/kernel.bbclass 
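Review bot: The staticdev call site is written `package_qa_clean_path(path,d, name)` while the useless-rpaths, dev-so and dev-elf hunks on the previous line use `package_qa_clean_path(path, d, name)`; match the spacing. The same three sibling hunks also rewrote their messages to the `"... package %s contains ... '%s'"` form, but the staticdev message keeps the old `"... library: %s path '%s'"` wording, so the QA output is now inconsistent between tests. All of these calls depend on package_qa_clean_path accepting a third argument; its definition is outside these hunks, so confirm it changes in the same commit.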
@@ -90,6 +90,8 @@ python __anonymous () { imagedest = d.getVar('KERNEL_IMAGEDEST') for type in types.split(): + if bb.data.inherits_class('nopackages', d): + continue typelower = type.lower() d.appendVar('PACKAGES', ' %s-image-%s' % (kname, typelower)) d.setVar('FILES_' + kname + '-image-' + typelower, '/' + imagedest + '/' + type + '-${KERNEL_VERSION_NAME}' + ' /' + imagedest + '/' + type) @@ -743,7 +745,7 @@ kernel_do_deploy() { fi if [ ! -z "${INITRAMFS_IMAGE}" -a x"${INITRAMFS_IMAGE_BUNDLE}" = x1 ]; then - for imageType in ${KERNEL_IMAGETYPES} ; do + for imageType in ${KERNEL_IMAGETYPE_FOR_MAKE} ; do if [ "$imageType" = "fitImage" ] ; then continue fi diff --git a/meta/classes/license_image.bbclass b/meta/classes/license_image.bbclass index 119c8dfc86..6f478ce22c 100644 --- a/meta/classes/license_image.bbclass +++ b/meta/classes/license_image.bbclass @@ -210,7 +210,8 @@ def license_deployed_manifest(d): os.unlink(lic_manifest_symlink_dir) # create the image dir symlink - os.symlink(lic_manifest_dir, lic_manifest_symlink_dir) + if lic_manifest_dir != lic_manifest_symlink_dir: + os.symlink(lic_manifest_dir, lic_manifest_symlink_dir) def get_deployed_dependencies(d): """ diff --git a/meta/classes/linuxloader.bbclass b/meta/classes/linuxloader.bbclass index 720e5dfad4..b161c51a50 100644 --- a/meta/classes/linuxloader.bbclass +++ b/meta/classes/linuxloader.bbclass @@ -1,6 +1,6 @@ def get_musl_loader_arch(d): import re - ldso_arch = None + ldso_arch = "NotSupported" targetarch = d.getVar("TARGET_ARCH") if targetarch.startswith("microblaze"): @@ -32,7 +32,7 @@ def get_musl_loader(d): def get_glibc_loader(d): import re - dynamic_loader = None + dynamic_loader = "NotSupported" targetarch = d.getVar("TARGET_ARCH") if targetarch in ["powerpc", "microblaze"]: dynamic_loader = "${base_libdir}/ld.so.1" 
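Review bot: In kernel.bbclass the new `bb.data.inherits_class('nopackages', d)` check is evaluated on every iteration of `for type in types.split():` although it does not depend on the loop variable; hoist it once, e.g. `nopackages = bb.data.inherits_class('nopackages', d)` before the loop and `if nopackages: continue` inside, or guard the whole loop. kernel-devicetree.bbclass performs the same test in its new anonymous python, so the two classes now duplicate the policy; a one-line comment in each saying that nopackages recipes must not grow PACKAGES entries would make the intent clear.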
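Review bot: In linuxloader.bbclass, `get_musl_loader_arch` and `get_glibc_loader` now initialise to the string `"NotSupported"` instead of `None`, and the `@@ -58` hunk on the next line makes `get_linuxloader` return the same string for libc-baremetal. Any caller that previously tested `is None` now receives a truthy string that can be interpolated into a path or variable without error, so each caller of these three functions outside the hunks needs checking for that pattern; I cannot see them from here. Please add a comment at the first assignment, `# "NotSupported" is the sentinel callers must compare against; None is no longer returned`, so the contract is visible where the value originates.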
@@ -58,7 +58,7 @@ def get_linuxloader(d): overrides = d.getVar("OVERRIDES").split(":") if "libc-baremetal" in overrides: - return None + return "NotSupported" if "libc-musl" in overrides: dynamic_loader = get_musl_loader(d) diff --git a/meta/classes/npm.bbclass b/meta/classes/npm.bbclass index 068032a1e5..55a6985fb0 100644 --- a/meta/classes/npm.bbclass +++ b/meta/classes/npm.bbclass @@ -17,8 +17,10 @@ # NPM_INSTALL_DEV: # Set to 1 to also install devDependencies. +inherit python3native + DEPENDS_prepend = "nodejs-native " -RDEPENDS_${PN}_prepend = "nodejs " +RDEPENDS_${PN}_append_class-target = " nodejs" NPM_INSTALL_DEV ?= "0" @@ -130,11 +132,17 @@ python npm_do_configure() { cached_manifest.pop("dependencies", None) cached_manifest.pop("devDependencies", None) - with open(orig_shrinkwrap_file, "r") as f: - orig_shrinkwrap = json.load(f) + has_shrinkwrap_file = True + + try: + with open(orig_shrinkwrap_file, "r") as f: + orig_shrinkwrap = json.load(f) + except IOError: + has_shrinkwrap_file = False - cached_shrinkwrap = copy.deepcopy(orig_shrinkwrap) - cached_shrinkwrap.pop("dependencies", None) + if has_shrinkwrap_file: + cached_shrinkwrap = copy.deepcopy(orig_shrinkwrap) + cached_shrinkwrap.pop("dependencies", None) # Manage the dependencies progress = OutOfProgressHandler(d, r"^(\d+)/(\d+)$") @@ -165,8 +173,10 @@ python npm_do_configure() { progress.write("%d/%d" % (progress_done, progress_total)) dev = bb.utils.to_boolean(d.getVar("NPM_INSTALL_DEV"), False) - foreach_dependencies(orig_shrinkwrap, _count_dependency, dev) - foreach_dependencies(orig_shrinkwrap, _cache_dependency, dev) + + if has_shrinkwrap_file: + foreach_dependencies(orig_shrinkwrap, _count_dependency, dev) + foreach_dependencies(orig_shrinkwrap, _cache_dependency, dev) # Configure the main package with tempfile.TemporaryDirectory() as tmpdir: 
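Review bot: In npm_do_configure the new `except IOError:` silently downgrades a missing shrinkwrap to `has_shrinkwrap_file = False`; the shrinkwrap is the file that pins dependency versions, so proceeding without one changes what gets installed and should at least be visible in the log, e.g. `bb.note("No shrinkwrap file found at %s, dependencies will not be cached" % orig_shrinkwrap_file)`. `IOError` also catches permission and I/O errors that are not "file absent", so `except FileNotFoundError:` states the intended condition. The `@@ -181` hunk on the next line repeats `if has_shrinkwrap_file:` three times, including one nested under `if dev:`; `if dev and has_shrinkwrap_file:` reads better there. npm_do_configure extends beyond these hunks.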
@@ -181,16 +191,19 @@ python npm_do_configure() { cached_manifest[depkey] = {} cached_manifest[depkey][name] = version - _update_manifest("dependencies") + if has_shrinkwrap_file: + _update_manifest("dependencies") if dev: - _update_manifest("devDependencies") + if has_shrinkwrap_file: + _update_manifest("devDependencies") with open(cached_manifest_file, "w") as f: json.dump(cached_manifest, f, indent=2) - with open(cached_shrinkwrap_file, "w") as f: - json.dump(cached_shrinkwrap, f, indent=2) + if has_shrinkwrap_file: + with open(cached_shrinkwrap_file, "w") as f: + json.dump(cached_shrinkwrap, f, indent=2) } python npm_do_compile() { @@ -237,9 +250,7 @@ python npm_do_compile() { sysroot = d.getVar("RECIPE_SYSROOT_NATIVE") nodedir = os.path.join(sysroot, d.getVar("prefix_native").strip("/")) configs.append(("nodedir", nodedir)) - bindir = os.path.join(sysroot, d.getVar("bindir_native").strip("/")) - pythondir = os.path.join(bindir, "python-native", "python") - configs.append(("python", pythondir)) + configs.append(("python", d.getVar("PYTHON"))) # Add node-pre-gyp configuration args.append(("target_arch", d.getVar("NPM_ARCH"))) diff --git a/meta/classes/package.bbclass b/meta/classes/package.bbclass index 247bdc7bbf..5a32e5c2e3 100644 --- a/meta/classes/package.bbclass +++ b/meta/classes/package.bbclass @@ -2446,6 +2446,7 @@ python do_packagedata () { bb.build.exec_func("packagedata_translate_pr_autoinc", d) } +do_packagedata[cleandirs] += "${WORKDIR}/pkgdata-pdata-input" # Translate the EXTENDPRAUTO and AUTOINC to the final values packagedata_translate_pr_autoinc() { diff --git a/meta/classes/package_rpm.bbclass b/meta/classes/package_rpm.bbclass index 53b4700cdd..89b4c6bbfc 100644 --- a/meta/classes/package_rpm.bbclass +++ b/meta/classes/package_rpm.bbclass 
@@ -687,6 +687,7 @@ python do_package_rpm () { cmd = cmd + " --define '_binary_payload w6T.xzdio'" cmd = cmd + " --define '_source_payload w6T.xzdio'" cmd = cmd + " --define 'clamp_mtime_to_source_date_epoch 1'" + cmd = cmd + " --define 'use_source_date_epoch_as_buildtime 1'" cmd = cmd + " --define '_buildhost reproducible'" if perfiledeps: cmd = cmd + " --define '__find_requires " + outdepends + "'" diff --git a/meta/classes/populate_sdk_base.bbclass b/meta/classes/populate_sdk_base.bbclass index 49b1833265..635b3a6b80 100644 --- a/meta/classes/populate_sdk_base.bbclass +++ b/meta/classes/populate_sdk_base.bbclass @@ -178,7 +178,7 @@ do_populate_sdk[sstate-inputdirs] = "${SDKDEPLOYDIR}" do_populate_sdk[sstate-outputdirs] = "${SDK_DEPLOY}" do_populate_sdk[stamp-extra-info] = "${MACHINE_ARCH}${SDKMACHINE}" -PSEUDO_IGNORE_PATHS .= ",${SDKDEPLOYDIR}" +PSEUDO_IGNORE_PATHS .= ",${SDKDEPLOYDIR},${WORKDIR}/oe-sdk-repo,${WORKDIR}/sstate-build-populate_sdk" fakeroot create_sdk_files() { cp ${COREBASE}/scripts/relocate_sdk.py ${SDK_OUTPUT}/${SDKPATH}/ @@ -329,6 +329,13 @@ def sdk_variables(d): do_populate_sdk[vardeps] += "${@sdk_variables(d)}" +python () { + variables = sdk_command_variables(d) + for var in variables: + if d.getVar(var, False): + d.setVarFlag(var, 'func', '1') +} + do_populate_sdk[file-checksums] += "${TOOLCHAIN_SHAR_REL_TMPL}:True \ ${TOOLCHAIN_SHAR_EXT_TMPL}:True" diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass index e6bf27cf38..14689ec6ac 100644 --- a/meta/classes/populate_sdk_ext.bbclass +++ b/meta/classes/populate_sdk_ext.bbclass 
@@ -251,7 +251,9 @@ python copy_buildsystem () { # Create a layer for new recipes / appends bbpath = d.getVar('BBPATH') - bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')]) + env = os.environ.copy() + env['PYTHONDONTWRITEBYTECODE'] = '1' + bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')], env=env) # Create bblayers.conf bb.utils.mkdirhier(baseoutpath + '/conf') @@ -364,6 +366,9 @@ python copy_buildsystem () { # Hide the config information from bitbake output (since it's fixed within the SDK) f.write('BUILDCFG_HEADER = ""\n\n') + # Write METADATA_REVISION + f.write('METADATA_REVISION = "%s"\n\n' % d.getVar('METADATA_REVISION')) + f.write('# Provide a flag to indicate we are in the EXT_SDK Context\n') f.write('WITHIN_EXT_SDK = "1"\n\n') diff --git a/meta/classes/python3native.bbclass b/meta/classes/python3native.bbclass index d98fb4c758..2e3a88c126 100644 --- a/meta/classes/python3native.bbclass +++ b/meta/classes/python3native.bbclass @@ -17,8 +17,6 @@ export STAGING_LIBDIR export PYTHON_LIBRARY="${STAGING_LIBDIR}/lib${PYTHON_DIR}${PYTHON_ABI}.so" export PYTHON_INCLUDE_DIR="${STAGING_INCDIR}/${PYTHON_DIR}${PYTHON_ABI}" -export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata" - # suppress host user's site-packages dirs. export PYTHONNOUSERSITE = "1" diff --git a/meta/classes/python3targetconfig.bbclass b/meta/classes/python3targetconfig.bbclass new file mode 100644 index 0000000000..fc1025c207 --- /dev/null +++ b/meta/classes/python3targetconfig.bbclass 
@@ -0,0 +1,17 @@ +inherit python3native + +EXTRA_PYTHON_DEPENDS ?= "" +EXTRA_PYTHON_DEPENDS_class-target = "python3" +DEPENDS_append = " ${EXTRA_PYTHON_DEPENDS}" + +do_configure_prepend_class-target() { + export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata" +} + +do_compile_prepend_class-target() { + export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata" +} + +do_install_prepend_class-target() { + export _PYTHON_SYSCONFIGDATA_NAME="_sysconfigdata" +} diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass index 1a12db1206..9cb6b0bd31 100644 --- a/meta/classes/report-error.bbclass +++ b/meta/classes/report-error.bbclass @@ -6,6 +6,8 @@ # # Licensed under the MIT license, see COPYING.MIT for details +inherit base + ERR_REPORT_DIR ?= "${LOG_DIR}/error-report" def errorreport_getdata(e): @@ -64,6 +66,8 @@ python errorreport_handler () { data['failures'] = [] data['component'] = " ".join(e.getPkgs()) data['branch_commit'] = str(base_detect_branch(e.data)) + ": " + str(base_detect_revision(e.data)) + data['bitbake_version'] = e.data.getVar("BB_VERSION") + data['layer_version'] = get_layers_branch_rev(e.data) data['local_conf'] = get_conf_data(e, 'local.conf') data['auto_conf'] = get_conf_data(e, 'auto.conf') lock = bb.utils.lockfile(datafile + '.lock') diff --git a/meta/classes/rootfs_deb.bbclass b/meta/classes/rootfs_deb.bbclass index ef616da229..0469ba7059 100644 --- a/meta/classes/rootfs_deb.bbclass +++ b/meta/classes/rootfs_deb.bbclass @@ -32,4 +32,8 @@ python () { d.setVar('DEB_SDK_ARCH', 'amd64') elif darch == "arm": d.setVar('DEB_SDK_ARCH', 'armel') + elif darch == "aarch64": + d.setVar('DEB_SDK_ARCH', 'arm64') + else: + bb.fatal("Unhandled SDK_ARCH %s" % darch) } diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass index 3262d08fbf..03a9792f68 100644 --- a/meta/classes/sanity.bbclass +++ b/meta/classes/sanity.bbclass 
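Review bot: The new python3targetconfig.bbclass exports `_PYTHON_SYSCONFIGDATA_NAME` only via `do_configure`, `do_compile` and `do_install` prepends, whereas the export removed from python3native.bbclass in the previous hunk applied to every task. Any other task that runs the target python build machinery, such as a ptest compile step or a recipe-specific task, will therefore now see the host sysconfigdata; this is inferred from the removed export, so worth a comment at the top of the new class: `# Only the configure/compile/install tasks are pointed at the target sysconfigdata; add a prepend for any extra task that imports target python`. The three identical one-line functions could also be noted as intentionally duplicated, since bitbake offers no shared prepend.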
@@ -703,6 +703,23 @@ def check_sanity_version_change(status, d): if (tmpdirmode & stat.S_ISUID): status.addresult("TMPDIR is setuid, please don't build in a setuid directory") + # Check that a user isn't building in a path in PSEUDO_IGNORE_PATHS + pseudoignorepaths = d.getVar('PSEUDO_IGNORE_PATHS', expand=True).split(",") + workdir = d.getVar('WORKDIR', expand=True) + for i in pseudoignorepaths: + if i and workdir.startswith(i): + status.addresult("You are building in a path included in PSEUDO_IGNORE_PATHS " + str(i) + " please locate the build outside this path.\n") + + # Check if PSEUDO_IGNORE_PATHS and and paths under pseudo control overlap + pseudoignorepaths = d.getVar('PSEUDO_IGNORE_PATHS', expand=True).split(",") + pseudo_control_dir = "${D},${PKGD},${PKGDEST},${IMAGEROOTFS},${SDK_OUTPUT}" + pseudocontroldir = d.expand(pseudo_control_dir).split(",") + for i in pseudoignorepaths: + for j in pseudocontroldir: + if i and j: + if j.startswith(i): + status.addresult("A path included in PSEUDO_IGNORE_PATHS " + str(i) + " and the path " + str(j) + " overlap and this will break pseudo permission and ownership tracking. Please set the path " + str(j) + " to a different directory which does not overlap with pseudo controlled directories. \n") + # Some third-party software apparently relies on chmod etc. being suid root (!!) import stat suid_check_bins = "chown chmod mknod".split() 
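Review bot: `pseudoignorepaths = d.getVar('PSEUDO_IGNORE_PATHS', expand=True).split(",")` is computed twice in the new block of check_sanity_version_change; compute it once before the first loop and reuse it. `expand=True` is the default for `getVar`, and `str(i)`/`str(j)` wrap values that are already strings, so both can go. The plain `startswith` matching deliberately mirrors pseudo's own prefix semantics for PSEUDO_IGNORE_PATHS and the second message explains the consequence (ownership tracking breaks), which is good; a short comment stating that the prefix match is intentional would stop the next reader from "fixing" it into a path-component comparison.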
@@ -787,6 +804,11 @@ def check_sanity_everybuild(status, d): if "." in paths or "./" in paths or "" in paths: status.addresult("PATH contains '.', './' or '' (empty element), which will break the build, please remove this.\nParsed PATH is " + str(paths) + "\n") + #Check if bitbake is present in PATH environment variable + bb_check = bb.utils.which(d.getVar('PATH'), 'bitbake') + if not bb_check: + bb.warn("bitbake binary is not found in PATH, did you source the script?") + # Check whether 'inherit' directive is found (used for a class to inherit) # in conf file it's supposed to be uppercase INHERIT inherit = d.getVar('inherit') 
@@ -860,13 +882,18 @@ def check_sanity_everybuild(status, d): except: pass - oeroot = d.getVar('COREBASE') - if oeroot.find('+') != -1: - status.addresult("Error, you have an invalid character (+) in your COREBASE directory path. Please move the installation to a directory which doesn't include any + characters.") - if oeroot.find('@') != -1: - status.addresult("Error, you have an invalid character (@) in your COREBASE directory path. Please move the installation to a directory which doesn't include any @ characters.") - if oeroot.find(' ') != -1: - status.addresult("Error, you have a space in your COREBASE directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this.") + for checkdir in ['COREBASE', 'TMPDIR']: + val = d.getVar(checkdir) + if val.find('..') != -1: + status.addresult("Error, you have '..' in your %s directory path. Please ensure the variable contains an absolute path as this can break some recipe builds in obtuse ways." % checkdir) + if val.find('+') != -1: + status.addresult("Error, you have an invalid character (+) in your %s directory path. Please move the installation to a directory which doesn't include any + characters." % checkdir) + if val.find('@') != -1: + status.addresult("Error, you have an invalid character (@) in your %s directory path. Please move the installation to a directory which doesn't include any @ characters." % checkdir) + if val.find(' ') != -1: + status.addresult("Error, you have a space in your %s directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this." % checkdir) + if val.find('%') != -1: + status.addresult("Error, you have an invalid character (%) in your %s directory path which causes problems with python string formatting. Please move the installation to a directory which doesn't include any % characters." 
% checkdir) # Check the format of MIRRORS, PREMIRRORS and SSTATE_MIRRORS import re diff --git a/meta/classes/scons.bbclass b/meta/classes/scons.bbclass index 6b171ca8df..4f3ae502ef 100644 --- a/meta/classes/scons.bbclass +++ b/meta/classes/scons.bbclass @@ -5,7 +5,6 @@ DEPENDS += "python3-scons-native" EXTRA_OESCONS ?= "" do_configure() { - unset _PYTHON_SYSCONFIGDATA_NAME if [ -n "${CONFIGURESTAMPFILE}" ]; then if [ -e "${CONFIGURESTAMPFILE}" -a "`cat ${CONFIGURESTAMPFILE}`" != "${BB_TASKHASH}" -a "${CLEANBROKEN}" != "1" ]; then ${STAGING_BINDIR_NATIVE}/scons --clean PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS} @@ -17,13 +16,11 @@ do_configure() { } scons_do_compile() { - unset _PYTHON_SYSCONFIGDATA_NAME ${STAGING_BINDIR_NATIVE}/scons ${PARALLEL_MAKE} PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS} || \ die "scons build execution failed." } scons_do_install() { - unset _PYTHON_SYSCONFIGDATA_NAME ${STAGING_BINDIR_NATIVE}/scons install_root=${D}${prefix} PREFIX=${prefix} prefix=${prefix} ${EXTRA_OESCONS} install || \ die "scons install execution failed." } diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass index f0a619b35b..8165ab268e 100644 --- a/meta/classes/staging.bbclass +++ b/meta/classes/staging.bbclass @@ -27,11 +27,15 @@ SYSROOT_DIRS_BLACKLIST = " \ ${mandir} \ ${docdir} \ ${infodir} \ + ${datadir}/X11/locale \ ${datadir}/applications \ + ${datadir}/bash-completion \ ${datadir}/fonts \ ${datadir}/gtk-doc/html \ + ${datadir}/installed-tests \ ${datadir}/locale \ ${datadir}/pixmaps \ + ${datadir}/terminfo \ ${libdir}/${BPN}/ptest \ " diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf index 8e0a0ec4b4..eb282d1741 100644 --- a/meta/conf/bitbake.conf +++ b/meta/conf/bitbake.conf 
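Review bot: The last message in the new `for checkdir in ['COREBASE', 'TMPDIR']:` loop contains literal `%` characters inside a `%`-formatted string: `"(%) in your %s directory path ..."` makes `%)` an invalid conversion and `"... any % characters."` makes `% c` a `%c` conversion, so the very path this branch is meant to diagnose causes `addresult` never to be reached and the sanity check to raise instead. Escape them: `status.addresult("Error, you have an invalid character (%%) in your %s directory path which causes problems with python string formatting. Please move the installation to a directory which doesn't include any %% characters." % checkdir)`. The other four messages in the loop format correctly. check_sanity_everybuild continues outside this hunk.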
@@ -685,7 +685,10 @@ SRC_URI = "" PSEUDO_LOCALSTATEDIR ?= "${WORKDIR}/pseudo/" PSEUDO_PASSWD ?= "${STAGING_DIR_TARGET}:${PSEUDO_SYSROOT}" PSEUDO_SYSROOT = "${COMPONENTS_DIR}/${BUILD_ARCH}/pseudo-native" -PSEUDO_IGNORE_PATHS = "/usr/,/etc/,/lib,/dev/,/run/,${T},${WORKDIR}/recipe-sysroot,${SSTATE_DIR},${STAMPS_DIR},${WORKDIR}/pkgdata-sysroot,${TMPDIR}/sstate-control,${DEPLOY_DIR},${WORKDIR}/deploy-,${TMPDIR}/buildstats,${WORKDIR}/sstate-build-package_,${WORKDIR}/sstate-install-package_,${WORKDIR}/sstate-build-image_complete,${TMPDIR}/sysroots-components,${BUILDHISTORY_DIR},${TMPDIR}/pkgdata,${TOPDIR}/cache,${COREBASE}/scripts,${CCACHE_DIR}" +PSEUDO_IGNORE_PATHS = "/usr/,/etc/,/lib,/dev/,/run/,${T},${WORKDIR}/recipe-sysroot,${SSTATE_DIR},${STAMPS_DIR}" +PSEUDO_IGNORE_PATHS .= ",${TMPDIR}/sstate-control,${TMPDIR}/buildstats,${TMPDIR}/sysroots-components,${TMPDIR}/pkgdata" +PSEUDO_IGNORE_PATHS .= ",${WORKDIR}/deploy-,${WORKDIR}/sstate-build-package_,${WORKDIR}/sstate-install-package_,${WORKDIR}/pkgdata-sysroot" +PSEUDO_IGNORE_PATHS .= ",${DEPLOY_DIR},${BUILDHISTORY_DIR},${TOPDIR}/cache,${COREBASE}/scripts,${CCACHE_DIR}" export PSEUDO_DISABLED = "1" #export PSEUDO_PREFIX = "${STAGING_DIR_NATIVE}${prefix_native}" @@ -696,6 +699,7 @@ FAKEROOTCMD = "${PSEUDO_SYSROOT}${bindir_native}/pseudo" FAKEROOTENV = "PSEUDO_PREFIX=${PSEUDO_SYSROOT}${prefix_native} PSEUDO_LOCALSTATEDIR=${PSEUDO_LOCALSTATEDIR} PSEUDO_PASSWD=${PSEUDO_PASSWD} PSEUDO_NOSYMLINKEXP=1 PSEUDO_IGNORE_PATHS=${@oe.path.canonicalize(d.getVar('PSEUDO_IGNORE_PATHS'))} PSEUDO_DISABLED=0" FAKEROOTNOENV = "PSEUDO_UNLOAD=1" FAKEROOTDIRS = "${PSEUDO_LOCALSTATEDIR}" +FAKEROOTLOGS = "${WORKDIR}/pseudo/pseudo.log" PREFERRED_PROVIDER_virtual/fakeroot-native ?= "pseudo-native" ################################################################## diff --git a/meta/conf/distro/include/ptest-packagelists.inc b/meta/conf/distro/include/ptest-packagelists.inc index ce13368c2e..e0a876dbdc 100644 
--- a/meta/conf/distro/include/ptest-packagelists.inc +++ b/meta/conf/distro/include/ptest-packagelists.inc @@ -60,6 +60,7 @@ PTESTS_FAST_remove_mips64 = "qemu-ptest" # bash-ptest \ # Test outcomes are non-deterministic by design # ifupdown-ptest \ # Tested separately in lib/oeqa/selftest/cases/imagefeatures.py # mdadm-ptest \ # Tests rely on non-deterministic sleep() amounts +# libinput-ptest \ # Tests need an unloaded system to be reliable #" PTESTS_SLOW = "\ @@ -72,7 +73,6 @@ PTESTS_SLOW = "\ glib-2.0-ptest \ gstreamer1.0-ptest \ libevent-ptest \ - libinput-ptest \ lttng-tools-ptest \ openssh-ptest \ openssl-ptest \ diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc index 69b6edee5f..a2a2dd18ec 100644 --- a/meta/conf/distro/include/yocto-uninative.inc +++ b/meta/conf/distro/include/yocto-uninative.inc @@ -6,9 +6,9 @@ # to the distro running on the build machine. # -UNINATIVE_MAXGLIBCVERSION = "2.32" +UNINATIVE_MAXGLIBCVERSION = "2.33" -UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/2.9/" -UNINATIVE_CHECKSUM[aarch64] ?= "9f25a667aee225b1dd65c4aea73e01983e825b1cb9b56937932a1ee328b45f81" -UNINATIVE_CHECKSUM[i686] ?= "cae5d73245d95b07cf133b780ba3f6c8d0adca3ffc4e7e7fab999961d5e24d36" -UNINATIVE_CHECKSUM[x86_64] ?= "d07916b95c419c81541a19c8ef0ed8cbd78ae18437ff28a4c8a60ef40518e423" +UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/3.0/" +UNINATIVE_CHECKSUM[aarch64] ?= "1c668909098c5b56132067adc69a249cb771f4560428e5822de903a12d97bf33" +UNINATIVE_CHECKSUM[i686] ?= "e6cc2fc056234cffa6a2ff084cce27d544ea3f487a62b5e253351cefd4421900" +UNINATIVE_CHECKSUM[x86_64] ?= "5ec5a9276046e7eceeac749a18b175667384e1f445cd4526300a41404d985a5b" diff --git a/meta/conf/local.conf.sample b/meta/conf/local.conf.sample index 22d43b20d4..985bab19f8 100644 --- a/meta/conf/local.conf.sample +++ b/meta/conf/local.conf.sample 
@@ -185,7 +185,7 @@ BB_DISKMON_DIRS ??= "\ # # Shared-state files from other locations # -# As mentioned above, shared state files are prebuilt cache data objects which can +# As mentioned above, shared state files are prebuilt cache data objects which can be # used to accelerate build time. This variable can be used to configure the system # to search other mirror locations for these objects before it builds the data itself. # diff --git a/meta/conf/local.conf.sample.extended b/meta/conf/local.conf.sample.extended index 420b09b7d7..5b04be8892 100644 --- a/meta/conf/local.conf.sample.extended +++ b/meta/conf/local.conf.sample.extended @@ -331,7 +331,7 @@ # The INITRAMFS_IMAGE image variable will cause an additional recipe to # be built as a dependency to the what ever rootfs recipe you might be # using such as core-image-sato. The initramfs might be needed for -# the initial boot of of the target system such as to load kernel +# the initial boot of the target system such as to load kernel # modules prior to mounting the root file system. # # INITRAMFS_IMAGE_BUNDLE variable controls if the image recipe @@ -371,23 +371,12 @@ # # -# Use busybox/mdev for system initialization +# System initialization # -#VIRTUAL-RUNTIME_dev_manager = "busybox-mdev" -#VIRTUAL-RUNTIME_login_manager = "busybox" -#VIRTUAL-RUNTIME_init_manager = "busybox" -#VIRTUAL-RUNTIME_initscripts = "initscripts" -#VIRTUAL-RUNTIME_keymaps = "keymaps" -#DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit" - -# -# Use systemd for system initialization -# -#DISTRO_FEATURES_append = " systemd" -#DISTRO_FEATURES_BACKFILL_CONSIDERED += "sysvinit" -#VIRTUAL-RUNTIME_login_manager = "shadow-base" -#VIRTUAL-RUNTIME_init_manager = "systemd" -#VIRTUAL-RUNTIME_initscripts = "systemd-compat-units" +#INIT_MANAGER = "none" +#INIT_MANAGER = "sysvinit" +#INIT_MANAGER = "systemd" +#INIT_MANAGER = "mdev-busybox" # # Use a full set of packages instead of busybox for base utils 
diff --git a/meta/conf/machine/include/qemu.inc b/meta/conf/machine/include/qemu.inc index 8dedb1a42d..7d0a6fe458 100644 --- a/meta/conf/machine/include/qemu.inc +++ b/meta/conf/machine/include/qemu.inc @@ -21,7 +21,7 @@ RDEPENDS_${KERNEL_PACKAGE_NAME}-base = "" # Use a common kernel recipe for all QEMU machines PREFERRED_PROVIDER_virtual/kernel ??= "linux-yocto" -EXTRA_IMAGEDEPENDS += "qemu-native qemu-helper-native" +EXTRA_IMAGEDEPENDS += "qemu-system-native qemu-helper-native" # Provide the nfs server kernel module for all qemu images KERNEL_FEATURES_append_pn-linux-yocto = " features/nfsd/nfsd-enable.scc" diff --git a/meta/lib/oe/copy_buildsystem.py b/meta/lib/oe/copy_buildsystem.py index 31a84f5b06..d97bf9d1b9 100644 --- a/meta/lib/oe/copy_buildsystem.py +++ b/meta/lib/oe/copy_buildsystem.py @@ -20,7 +20,7 @@ def _smart_copy(src, dest): mode = os.stat(src).st_mode if stat.S_ISDIR(mode): bb.utils.mkdirhier(dest) - cmd = "tar --exclude='.git' --xattrs --xattrs-include='*' -chf - -C %s -p . \ + cmd = "tar --exclude='.git' --exclude='__pycache__' --xattrs --xattrs-include='*' -chf - -C %s -p . \ | tar --xattrs --xattrs-include='*' -xf - -C %s" % (src, dest) subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT) else: @@ -259,7 +259,7 @@ def create_locked_sstate_cache(lockedsigs, input_sstate_cache, output_sstate_cac bb.note('Generating sstate-cache...') nativelsbstring = d.getVar('NATIVELSBSTRING') - bb.process.run("gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or '')) + bb.process.run("PYTHONDONTWRITEBYTECODE=1 gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or '')) if fixedlsbstring and nativelsbstring != fixedlsbstring: nativedir = output_sstate_cache + '/' + nativelsbstring if os.path.isdir(nativedir): 
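Review bot: The rewritten `cmd` in `_smart_copy` still interpolates `src` and `dest` unquoted into a `shell=True` pipeline, so a path containing a space, quote or `$` either breaks the `tar` pipeline or is interpreted by the shell; the `gen-lockedsig-cache` line in the second hunk and the `oe-check-sstate` line in `check_sstate_task_list` (next hunk) have the same shape. Quoting the operands, e.g. `... -C %s -p ." % (shlex.quote(src), shlex.quote(dest))` and `shlex.quote` on `lockedsigs`, the two cache paths and `filterfile or ''`, keeps the shell invocation but removes the path-dependent breakage. This is an existing pattern the commit extends rather than introduces, and `_smart_copy`, `create_locked_sstate_cache` and `check_sstate_task_list` all start outside their hunks.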
@@ -286,7 +286,7 @@ def check_sstate_task_list(d, targets, filteroutfile, cmdprefix='', cwd=None, lo logparam = '-l %s' % logfile else: logparam = '' - cmd = "%sBB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam) + cmd = "%sPYTHONDONTWRITEBYTECODE=1 BB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam) env = dict(d.getVar('BB_ORIGENV', False)) env.pop('BUILDDIR', '') env.pop('BBPATH', '') diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py new file mode 100644 index 0000000000..a1d7c292af --- /dev/null +++ b/meta/lib/oe/cve_check.py 
@@ -0,0 +1,65 @@ +import collections +import re +import itertools +import functools + +_Version = collections.namedtuple( + "_Version", ["release", "patch_l", "pre_l", "pre_v"] +) + +@functools.total_ordering +class Version(): + + def __init__(self, version, suffix=None): + + suffixes = ["alphabetical", "patch"] + + if str(suffix) == "alphabetical": + version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" + elif str(suffix) == "patch": + version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" + else: + version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" + regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE) + + match = regex.search(version) + if not match: + raise Exception("Invalid version: '{0}'".format(version)) + + self._version = _Version( + release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")), + patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "", + pre_l=match.group("pre_l"), + pre_v=match.group("pre_v") + ) + + self._key = _cmpkey( + self._version.release, + self._version.patch_l, + self._version.pre_l, + self._version.pre_v + ) + + def __eq__(self, other): + if not isinstance(other, Version): + return NotImplemented + return self._key == other._key + + def __gt__(self, other): + if not isinstance(other, Version): + return NotImplemented + return self._key > other._key + +def _cmpkey(release, patch_l, pre_l, pre_v): + # remove leading 0 + _release = tuple( + reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release)))) + ) + + _patch = patch_l.upper() + + if 
pre_l is None and pre_v is None: + _pre = float('inf') + else: + _pre = float(pre_v) if pre_v else float('-inf') + return _release, _patch, _pre diff --git a/meta/lib/oe/package_manager/__init__.py b/meta/lib/oe/package_manager/__init__.py index 42225a3b2e..26f9f82aaa 100644 --- a/meta/lib/oe/package_manager/__init__.py +++ b/meta/lib/oe/package_manager/__init__.py @@ -189,7 +189,7 @@ class PackageManager(object, metaclass=ABCMeta): bb.utils.remove(self.intercepts_dir, True) bb.utils.mkdirhier(self.intercepts_dir) for intercept in postinst_intercepts: - bb.utils.copyfile(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept))) + shutil.copy(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept))) @abstractmethod def _handle_intercept_failure(self, failed_script): diff --git a/meta/lib/oe/package_manager/deb/__init__.py b/meta/lib/oe/package_manager/deb/__init__.py index 26157f591a..0f9b27f831 100644 --- a/meta/lib/oe/package_manager/deb/__init__.py +++ b/meta/lib/oe/package_manager/deb/__init__.py @@ -312,6 +312,12 @@ class DpkgPM(OpkgDpkgPM): if not pkgs: return + os.environ['D'] = self.target_rootfs + os.environ['OFFLINE_ROOT'] = self.target_rootfs + os.environ['IPKG_OFFLINE_ROOT'] = self.target_rootfs + os.environ['OPKG_OFFLINE_ROOT'] = self.target_rootfs + os.environ['INTERCEPT_DIR'] = self.intercepts_dir + if with_dependencies: os.environ['APT_CONFIG'] = self.apt_conf_file cmd = "%s purge %s" % (self.apt_get_cmd, ' '.join(pkgs)) diff --git a/meta/lib/oe/package_manager/deb/sdk.py b/meta/lib/oe/package_manager/deb/sdk.py index b25eb70b00..76548b06f0 100644 --- a/meta/lib/oe/package_manager/deb/sdk.py +++ b/meta/lib/oe/package_manager/deb/sdk.py 
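Review bot: In `_cmpkey`, `_patch = patch_l.upper()` keeps the patch level as a string, so with the `"patch"` suffix numeric levels compare lexicographically and `Version("1.0p10", "patch") < Version("1.0p9", "patch")` evaluates true. Keying digits numerically while keeping `""` below any suffix, `_patch = (1, int(patch_l)) if patch_l.isdigit() else (0, patch_l.upper())`, fixes this without changing the alphabetical mode. Note also that `pre_l` (alpha/beta/rc) never enters the key, so `1.0beta2` sorts above `1.0rc1` on `pre_v` alone; if that ordering matters for CVE version-range checks, a label rank belongs in `_pre`. Raising `ValueError` instead of bare `Exception` for `"Invalid version"` would let callers distinguish an unparsable version string from other failures.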
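Review bot: The five `os.environ[...]` assignments added before the purge mutate the process-wide environment and are never restored, so `D`, `OFFLINE_ROOT`, `IPKG_OFFLINE_ROOT`, `OPKG_OFFLINE_ROOT` and `INTERCEPT_DIR` stay set for every later subprocess in this process. The existing `os.environ['APT_CONFIG']` line has the same property, so this follows the file's pattern, but building an `env` dict and handing it to the apt invocation would scope the rootfs paths to the one call. The enclosing method starts outside the hunk, so whether the call site accepts an `env` is not visible here.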
@@ -65,6 +65,8 @@ class DpkgSdk(Sdk): self.target_pm.install_complementary(self.d.getVar('SDKIMAGE_INSTALL_COMPLEMENTARY')) + self.target_pm.run_pre_post_installs() + self.target_pm.run_intercepts(populate_sdk='target') execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_TARGET_COMMAND")) @@ -78,6 +80,8 @@ class DpkgSdk(Sdk): self._populate_sysroot(self.host_pm, self.host_manifest) self.install_locales(self.host_pm) + self.host_pm.run_pre_post_installs() + self.host_pm.run_intercepts(populate_sdk='host') execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_HOST_COMMAND")) diff --git a/meta/lib/oe/patch.py b/meta/lib/oe/patch.py index 40755fbb03..8ad70f53f1 100644 --- a/meta/lib/oe/patch.py +++ b/meta/lib/oe/patch.py @@ -38,15 +38,19 @@ def runcmd(args, dir = None): args = [ pipes.quote(str(arg)) for arg in args ] cmd = " ".join(args) # print("cmd: %s" % cmd) - (exitstatus, output) = subprocess.getstatusoutput(cmd) + proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) + stdout, stderr = proc.communicate() + stdout = stdout.decode('utf-8') + stderr = stderr.decode('utf-8') + exitstatus = proc.returncode if exitstatus != 0: - raise CmdError(cmd, exitstatus >> 8, output) - if " fuzz " in output and "Hunk " in output: + raise CmdError(cmd, exitstatus >> 8, "stdout: %s\nstderr: %s" % (stdout, stderr)) + if " fuzz " in stdout and "Hunk " in stdout: # Drop patch fuzz info with header and footer to log file so # insane.bbclass can handle to throw error/warning - bb.note("--- Patch fuzz start ---\n%s\n--- Patch fuzz end ---" % format(output)) + bb.note("--- Patch fuzz start ---\n%s\n--- Patch fuzz end ---" % format(stdout)) - return output + return stdout finally: if dir: diff --git a/meta/lib/oe/prservice.py b/meta/lib/oe/prservice.py index 2d3c9c7e50..fcdbe66c19 100644 --- a/meta/lib/oe/prservice.py +++ b/meta/lib/oe/prservice.py 
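Review bot: `raise CmdError(cmd, exitstatus >> 8, ...)` shifts `proc.returncode`, which is already the child's exit code rather than a raw wait status, so every failure with an exit code below 256 is reported to `CmdError` as status 0; the line should pass `exitstatus` unshifted. The two `.decode('utf-8')` calls will raise `UnicodeDecodeError` on non-UTF-8 patch output, turning a patch failure into a decode traceback; `stdout.decode('utf-8', errors='replace')` (and the same for `stderr`) keeps the error path reachable. `runcmd` starts, and its `finally` ends, outside the hunk.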
@@ -3,10 +3,6 @@ # def prserv_make_conn(d, check = False): - # Otherwise this fails when called from recipes which e.g. inherit python3native (which sets _PYTHON_SYSCONFIGDATA_NAME) with: - # No module named '_sysconfigdata' - if '_PYTHON_SYSCONFIGDATA_NAME' in os.environ: - del os.environ['_PYTHON_SYSCONFIGDATA_NAME'] import prserv.serv host_params = list([_f for _f in (d.getVar("PRSERV_HOST") or '').split(':') if _f]) try: diff --git a/meta/lib/oe/recipeutils.py b/meta/lib/oe/recipeutils.py index ef69ef207f..407d168894 100644 --- a/meta/lib/oe/recipeutils.py +++ b/meta/lib/oe/recipeutils.py @@ -409,7 +409,7 @@ def copy_recipe_files(d, tgt_dir, whole_dir=False, download=True, all_variants=F fetch.download() for pth in fetch.localpaths(): if pth not in localpaths: - localpaths.append(pth) + localpaths.append(os.path.abspath(pth)) uri_values.append(srcuri) fetch_urls(d) diff --git a/meta/lib/oe/sstatesig.py b/meta/lib/oe/sstatesig.py index 34558a6672..31a6140984 100644 --- a/meta/lib/oe/sstatesig.py +++ b/meta/lib/oe/sstatesig.py @@ -557,9 +557,11 @@ def OEOuthashBasic(path, sigfile, task, d): try: update_hash(" %10s" % pwd.getpwuid(s.st_uid).pw_name) update_hash(" %10s" % grp.getgrgid(s.st_gid).gr_name) - except KeyError: + except KeyError as e: bb.warn("KeyError in %s" % path) - raise + msg = ("KeyError: %s\nPath %s is owned by uid %d, gid %d, which doesn't match " + "any user/group on target. This may be due to host contamination." % (e, path, s.st_uid, s.st_gid)) + raise Exception(msg).with_traceback(e.__traceback__) if include_timestamps: update_hash(" %10d" % s.st_mtime) diff --git a/meta/lib/oe/terminal.py b/meta/lib/oe/terminal.py index eb10a6e33e..2ac39df9e1 100644 --- a/meta/lib/oe/terminal.py +++ b/meta/lib/oe/terminal.py 
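Review bot: The dedup test `if pth not in localpaths` still compares the raw `pth` while the list now stores `os.path.abspath(pth)`, so a relative path returned more than once by `fetch.localpaths()` is appended more than once. Normalise first, `abspth = os.path.abspath(pth)`, then `if abspth not in localpaths: localpaths.append(abspth)`. `copy_recipe_files` starts outside the hunk.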
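Review bot: `raise Exception(msg).with_traceback(e.__traceback__)` replaces the `KeyError` with a bare `Exception`, so any caller that catches `KeyError` around `OEOuthashBasic` no longer sees it, and the manual traceback splice is what `raise ... from e` already does idiomatically. `raise KeyError(msg) from e` (or a dedicated exception type) keeps the chained cause and the original traceback while preserving the type callers can match on. `OEOuthashBasic` starts outside the hunk.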
@@ -163,7 +163,12 @@ class Tmux(Terminal): # devshells, if it's already there, add a new window to it. window_name = 'devshell-%i' % os.getpid() - self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'.format(window_name) + self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"' + if not check_tmux_version('1.9'): + # `tmux new-session -c` was added in 1.9; + # older versions fail with that flag + self.command = 'tmux new -d -s {0} -n {0} "{{command}}"' + self.command = self.command.format(window_name) Terminal.__init__(self, sh_cmd, title, env, d) attach_cmd = 'tmux att -t {0}'.format(window_name) @@ -253,13 +258,18 @@ def spawn(name, sh_cmd, title=None, env=None, d=None): except OSError: return +def check_tmux_version(desired): + vernum = check_terminal_version("tmux") + if vernum and LooseVersion(vernum) < desired: + return False + return vernum + def check_tmux_pane_size(tmux): import subprocess as sub # On older tmux versions (<1.9), return false. The reason # is that there is no easy way to get the height of the active panel # on current window without nested formats (available from version 1.9) - vernum = check_terminal_version("tmux") - if vernum and LooseVersion(vernum) < '1.9': + if not check_tmux_version('1.9'): return False try: p = sub.Popen('%s list-panes -F "#{?pane_active,#{pane_height},}"' % tmux, diff --git a/meta/lib/oeqa/runtime/cases/df.py b/meta/lib/oeqa/runtime/cases/df.py index 89fd0fb901..bb155c9cf9 100644 --- a/meta/lib/oeqa/runtime/cases/df.py +++ b/meta/lib/oeqa/runtime/cases/df.py 
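Review bot: `check_tmux_version` returns `vernum` on success and `False` on failure, but when `check_terminal_version("tmux")` yields nothing `vernum` is itself falsy, so an undetectable tmux version now reads as "older than 1.9": `Tmux.__init__` drops `-c "{{cwd}}"` and `check_tmux_pane_size` returns False, whereas before the commit `check_tmux_pane_size` only bailed out when a version was known and old and `Tmux` always passed `-c`. If unknown versions should keep the previous behaviour, return a plain boolean, `return not (vernum and LooseVersion(vernum) < desired)`, so the result is also the same type on every path. The `Tmux.__init__` hunk starts outside the hunk.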
@@ -4,12 +4,14 @@ from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends +from oeqa.core.decorator.data import skipIfDataVar, skipIfInDataVar from oeqa.runtime.decorator.package import OEHasPackage class DfTest(OERuntimeTestCase): @OETestDepends(['ssh.SSHTest.test_ssh']) @OEHasPackage(['coreutils', 'busybox']) + @skipIfInDataVar('IMAGE_FEATURES', 'read-only-rootfs', 'Test case df requires a writable rootfs') def test_df(self): cmd = "df -P / | sed -n '2p' | awk '{print $4}'" (status,output) = self.target.run(cmd) diff --git a/meta/lib/oeqa/runtime/cases/pam.py b/meta/lib/oeqa/runtime/cases/pam.py index 271a1943e3..a482ded945 100644 --- a/meta/lib/oeqa/runtime/cases/pam.py +++ b/meta/lib/oeqa/runtime/cases/pam.py @@ -8,11 +8,14 @@ from oeqa.runtime.case import OERuntimeTestCase from oeqa.core.decorator.depends import OETestDepends from oeqa.core.decorator.data import skipIfNotFeature +from oeqa.runtime.decorator.package import OEHasPackage class PamBasicTest(OERuntimeTestCase): @skipIfNotFeature('pam', 'Test requires pam to be in DISTRO_FEATURES') @OETestDepends(['ssh.SSHTest.test_ssh']) + @OEHasPackage(['shadow']) + @OEHasPackage(['shadow-base']) def test_pam(self): status, output = self.target.run('login --help') msg = ('login command does not work as expected. ' diff --git a/meta/lib/oeqa/selftest/cases/buildoptions.py b/meta/lib/oeqa/selftest/cases/buildoptions.py index e91f0bd18f..b1b9ea7e55 100644 --- a/meta/lib/oeqa/selftest/cases/buildoptions.py +++ b/meta/lib/oeqa/selftest/cases/buildoptions.py 
@@ -57,15 +57,15 @@ class ImageOptionsTests(OESelftestTestCase): class DiskMonTest(OESelftestTestCase): def test_stoptask_behavior(self): - self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"') + self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"') res = bitbake("delay -c delay", ignore_status = True) self.assertTrue('ERROR: No new tasks can be executed since the disk space monitor action is "STOPTASKS"!' in res.output, msg = "Tasks should have stopped. Disk monitor is set to STOPTASK: %s" % res.output) self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output)) - self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"') + self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"') res = bitbake("delay -c delay", ignore_status = True) self.assertTrue('ERROR: Immediately abort since the disk space monitor action is "ABORT"!' in res.output, "Tasks should have been aborted immediatelly. Disk monitor is set to ABORT: %s" % res.output) self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output)) - self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"') + self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"') res = bitbake("delay -c delay") self.assertTrue('WARNING: The free space' in res.output, msg = "A warning should have been displayed for disk monitor is set to WARN: %s" %res.output) diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py new file mode 100644 index 0000000000..d1947baffc --- /dev/null +++ b/meta/lib/oeqa/selftest/cases/cve_check.py 
@@ -0,0 +1,44 @@ +from oe.cve_check import Version +from oeqa.selftest.case import OESelftestTestCase + +class CVECheck(OESelftestTestCase): + + def test_version_compare(self): + result = Version("100") > Version("99") + self.assertTrue( result, msg="Failed to compare version '100' > '99'") + result = Version("2.3.1") > Version("2.2.3") + self.assertTrue( result, msg="Failed to compare version '2.3.1' > '2.2.3'") + result = Version("2021-01-21") > Version("2020-12-25") + self.assertTrue( result, msg="Failed to compare version '2021-01-21' > '2020-12-25'") + result = Version("1.2-20200910") < Version("1.2-20200920") + self.assertTrue( result, msg="Failed to compare version '1.2-20200910' < '1.2-20200920'") + + result = Version("1.0") >= Version("1.0beta") + self.assertTrue( result, msg="Failed to compare version '1.0' >= '1.0beta'") + result = Version("1.0-rc2") > Version("1.0-rc1") + self.assertTrue( result, msg="Failed to compare version '1.0-rc2' > '1.0-rc1'") + result = Version("1.0.alpha1") < Version("1.0") + self.assertTrue( result, msg="Failed to compare version '1.0.alpha1' < '1.0'") + result = Version("1.0_dev") <= Version("1.0") + self.assertTrue( result, msg="Failed to compare version '1.0_dev' <= '1.0'") + + # ignore "p1" and "p2", so these should be equal + result = Version("1.0p2") == Version("1.0p1") + self.assertTrue( result ,msg="Failed to compare version '1.0p2' to '1.0p1'") + # ignore the "b" and "r" + result = Version("1.0b") == Version("1.0r") + self.assertTrue( result ,msg="Failed to compare version '1.0b' to '1.0r'") + + # consider the trailing alphabet as patched level when comparing + result = Version("1.0b","alphabetical") < Version("1.0r","alphabetical") + self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' < '1.0r'") + result = Version("1.0b","alphabetical") > Version("1.0","alphabetical") + self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' > '1.0'") + + # consider the trailing "p" and 
"patch" as patched released when comparing + result = Version("1.0","patch") < Version("1.0p1","patch") + self.assertTrue( result ,msg="Failed to compare version with suffix '1.0' < '1.0p1'") + result = Version("1.0p2","patch") > Version("1.0p1","patch") + self.assertTrue( result ,msg="Failed to compare version with suffix '1.0p2' > '1.0p1'") + result = Version("1.0_patch2","patch") < Version("1.0_patch3","patch") + self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'") diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py b/meta/lib/oeqa/selftest/cases/reproducible.py index a7ef336143..cd7be7d436 100644 --- a/meta/lib/oeqa/selftest/cases/reproducible.py +++ b/meta/lib/oeqa/selftest/cases/reproducible.py @@ -68,7 +68,7 @@ def compare_file(reference, test, diffutils_sysroot): result.status = MISSING return result - r = runCmd(['cmp', '--quiet', reference, test], native_sysroot=diffutils_sysroot, ignore_status=True) + r = runCmd(['cmp', '--quiet', reference, test], native_sysroot=diffutils_sysroot, ignore_status=True, sync=False) if r.status: result.status = DIFFERENT @@ -184,9 +184,10 @@ class ReproducibleTests(OESelftestTestCase): # mirror, forcing a complete build from scratch config += textwrap.dedent('''\ SSTATE_DIR = "${TMPDIR}/sstate" - SSTATE_MIRROR = "" + SSTATE_MIRRORS = "" ''') + self.logger.info("Building %s (sstate%s allowed)..." % (name, '' if use_sstate else ' NOT')) self.write_config(config) d = get_bb_vars(capture_vars) bitbake(' '.join(self.images)) @@ -213,6 +214,7 @@ class ReproducibleTests(OESelftestTestCase): self.logger.info('Non-reproducible packages will be copied to %s', save_dir) vars_A = self.do_test_build('reproducibleA', self.build_from_sstate) + vars_B = self.do_test_build('reproducibleB', False) # NOTE: The temp directories from the reproducible build are purposely 
@@ -227,6 +229,7 @@ class ReproducibleTests(OESelftestTestCase): deploy_A = vars_A['DEPLOY_DIR_' + c.upper()] deploy_B = vars_B['DEPLOY_DIR_' + c.upper()] + self.logger.info('Checking %s packages for differences...' % c) result = self.compare_packages(deploy_A, deploy_B, diffutils_sysroot) self.logger.info('Reproducibility summary for %s: %s' % (c, result)) diff --git a/meta/lib/oeqa/selftest/cases/tinfoil.py b/meta/lib/oeqa/selftest/cases/tinfoil.py index 206168ed00..a51c6048d3 100644 --- a/meta/lib/oeqa/selftest/cases/tinfoil.py +++ b/meta/lib/oeqa/selftest/cases/tinfoil.py @@ -100,9 +100,11 @@ class TinfoilTests(OESelftestTestCase): eventreceived = False commandcomplete = False start = time.time() - # Wait for 10s in total so we'd detect spurious heartbeat events for example + # Wait for maximum 60s in total so we'd detect spurious heartbeat events for example # The test is IO load sensitive too - while time.time() - start < 10: + while (not (eventreceived == True and commandcomplete == True) + and (time.time() - start < 60)): + # if we received both events (on let's say a good day), we are done event = tinfoil.wait_event(1) if event: if isinstance(event, bb.command.CommandCompleted): diff --git a/meta/lib/oeqa/selftest/cases/wic.py b/meta/lib/oeqa/selftest/cases/wic.py index 714637ec1e..39c6828f59 100644 --- a/meta/lib/oeqa/selftest/cases/wic.py +++ b/meta/lib/oeqa/selftest/cases/wic.py @@ -318,6 +318,7 @@ class Wic(WicTestCase): "--image-name=core-image-minimal " "-D -o %s" % self.resultdir) self.assertEqual(1, len(glob(self.resultdir + "wictestdisk-*.direct"))) + self.assertEqual(1, len(glob(self.resultdir + "tmp.wic*"))) def test_debug_long(self): """Test --debug option""" 
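Review bot: The new loop condition spells the flags as `eventreceived == True and commandcomplete == True`; comparing booleans with `== True` is a lint target (E712) and the parenthesised form is harder to scan than `while not (eventreceived and commandcomplete) and time.time() - start < 60:`. The comment above still says the wait exists to detect spurious heartbeat events, which only holds when the loop runs the full 60 s; since it now exits as soon as both events arrive, the comment could say that the early exit trades that detection for speed. The enclosing test method starts and ends outside the hunk.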
@@ -325,6 +326,7 @@ class Wic(WicTestCase): "--image-name=core-image-minimal " "--debug -o %s" % self.resultdir) self.assertEqual(1, len(glob(self.resultdir + "wictestdisk-*.direct"))) + self.assertEqual(1, len(glob(self.resultdir + "tmp.wic*"))) def test_skip_build_check_short(self): """Test -s option""" @@ -588,6 +590,9 @@ part / --source rootfs --fstype=ext4 --include-path %s --include-path core-imag def test_permissions(self): """Test permissions are respected""" + # prepare wicenv and rootfs + bitbake('core-image-minimal core-image-minimal-mtdutils -c do_rootfs_wicenv') + oldpath = os.environ['PATH'] os.environ['PATH'] = get_bb_var("PATH", "wic-tools") @@ -621,6 +626,19 @@ part /etc --source rootfs --fstype=ext4 --change-directory=etc res = runCmd("debugfs -R 'ls -p' %s 2>/dev/null" % (part)) self.assertEqual(True, files_own_by_root(res.output)) + config = 'IMAGE_FSTYPES += "wic"\nWKS_FILE = "%s"\n' % wks_file + self.append_config(config) + bitbake('core-image-minimal') + tmpdir = os.path.join(get_bb_var('WORKDIR', 'core-image-minimal'),'build-wic') + + # check each partition for permission + for part in glob(os.path.join(tmpdir, 'temp-*.direct.p*')): + res = runCmd("debugfs -R 'ls -p' %s 2>/dev/null" % (part)) + self.assertTrue(files_own_by_root(res.output) + ,msg='Files permission incorrect using wks set "%s"' % test) + + # clean config and result directory for next cases + self.remove_config(config) rmtree(self.resultdir, ignore_errors=True) finally: 
@@ -961,14 +979,18 @@ class Wic2(WicTestCase): @only_for_arch(['i586', 'i686', 'x86_64']) def test_rawcopy_plugin_qemu(self): """Test rawcopy plugin in qemu""" - # build ext4 and wic images - for fstype in ("ext4", "wic"): - config = 'IMAGE_FSTYPES = "%s"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n' % fstype - self.append_config(config) - self.assertEqual(0, bitbake('core-image-minimal').status) - self.remove_config(config) + # build ext4 and then use it for a wic image + config = 'IMAGE_FSTYPES = "ext4"\n' + self.append_config(config) + self.assertEqual(0, bitbake('core-image-minimal').status) + self.remove_config(config) - with runqemu('core-image-minimal', ssh=False, image_fstype='wic') as qemu: + config = 'IMAGE_FSTYPES = "wic"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n' + self.append_config(config) + self.assertEqual(0, bitbake('core-image-minimal-mtdutils').status) + self.remove_config(config) + + with runqemu('core-image-minimal-mtdutils', ssh=False, image_fstype='wic') as qemu: cmd = "grep sda. /proc/partitions |wc -l" status, output = qemu.run_serial(cmd) self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output)) diff --git a/meta/lib/oeqa/utils/commands.py b/meta/lib/oeqa/utils/commands.py index 8b3e12038d..a71c16ab14 100644 --- a/meta/lib/oeqa/utils/commands.py +++ b/meta/lib/oeqa/utils/commands.py @@ -125,11 +125,11 @@ class Command(object): def stop(self): for thread in self.threads: - if thread.isAlive(): + if thread.is_alive(): self.process.terminate() # let's give it more time to terminate gracefully before killing it thread.join(5) - if thread.isAlive(): + if thread.is_alive(): self.process.kill() thread.join() diff --git a/meta/recipes-connectivity/bind/bind-9.16.7/CVE-2020-8625.patch b/meta/recipes-connectivity/bind/bind-9.16.7/CVE-2020-8625.patch new file mode 100644 index 0000000000..98b8623139 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.16.7/CVE-2020-8625.patch 
@@ -0,0 +1,29 @@ +From 5b671538216af78a0a7ef7464dc52ab2241ea7db Mon Sep 17 00:00:00 2001 +From: Minjae Kim <flowergom@gmail.com> +Date: Tue, 2 Mar 2021 14:03:49 +0000 +Subject: [PATCH] BIND Operational Notification: Zone journal (.jnl) file + incompatibility + +Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch] +CVE: CVE-2020-8625 +Signed-off-by: Minjae Kim <flowergom@gmail.com> +--- + lib/dns/spnego.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c +index 671838c..82fd49a 100644 +--- a/lib/dns/spnego.c ++++ b/lib/dns/spnego.c +@@ -846,7 +846,7 @@ der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) { + return (ASN1_OVERRUN); + } + +- data->components = malloc(len * sizeof(*data->components)); ++ data->components = malloc((len + 1) * sizeof(*data->components)); + if (data->components == NULL) { + return (ENOMEM); + } +-- +2.17.1 + diff --git a/meta/recipes-connectivity/bind/bind_9.16.7.bb b/meta/recipes-connectivity/bind/bind_9.16.7.bb index 5fc2c1d3cd..82c1bb66df 100644 --- a/meta/recipes-connectivity/bind/bind_9.16.7.bb +++ b/meta/recipes-connectivity/bind/bind_9.16.7.bb @@ -17,6 +17,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://bind-ensure-searching-for-json-headers-searches-sysr.patch \ file://0001-named-lwresd-V-and-start-log-hide-build-options.patch \ file://0001-avoid-start-failure-with-bind-user.patch \ + file://CVE-2020-8625.patch \ " SRC_URI[sha256sum] = "9f7d1812ebbd26a699f62b6fa8522d5dec57e4bf43af0042a0d60d39ed8314d1" diff --git a/meta/recipes-connectivity/connman/connman_1.38.bb b/meta/recipes-connectivity/connman/connman_1.39.bb index 027c41e9af..df42e9ffb8 100644 --- a/meta/recipes-connectivity/connman/connman_1.38.bb +++ b/meta/recipes-connectivity/connman/connman_1.39.bb 
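Review bot: The `Subject:` of the new patch file describes a zone-journal (.jnl) incompatibility notice, while the hunk it carries changes the allocation size in `der_get_oid` in `lib/dns/spnego.c`; the header should describe the SPNEGO allocation fix the CVE patch actually makes so that the `CVE:` trailer and the content agree for anyone auditing the backport. The `Upstream-Status: Backport [...]` and `CVE: CVE-2020-8625` lines are present, so only the subject line needs correcting.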
@@ -9,8 +9,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" -SRC_URI[md5sum] = "1ed8745354c7254bdfd4def54833ee94" -SRC_URI[sha256sum] = "cb30aca97c2f79ccaed8802aa2909ac5100a3969de74c0af8a9d73b85fc4932b" +SRC_URI[sha256sum] = "9f62a7169b7491c670a1ff2e335b0d966308fb2f62e285c781105eb90f181af3" RRECOMMENDS_${PN} = "connman-conf" RCONFLICTS_${PN} = "networkmanager" diff --git a/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch b/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch new file mode 100644 index 0000000000..b88bc18f12 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0f90440ca70abab947acbd77795e9f130967956c.patch @@ -0,0 +1,28 @@ +From 0f90440ca70abab947acbd77795e9f130967956c Mon Sep 17 00:00:00 2001 +From: Darren Tucker <dtucker@dtucker.net> +Date: Fri, 20 Nov 2020 13:37:54 +1100 +Subject: [PATCH] Add new pselect6_time64 syscall on ARM. + +This is apparently needed on armhfp/armv7hl. bz#3232, patch from +jjelen at redhat.com. +--- + sandbox-seccomp-filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +Upstream-Status: Backport +[fixes issues on 32bit IA and probably other 32 bit platforms too with glibc 2.33] + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index e0768c063..5065ae7ef 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_pselect6 + SC_ALLOW(__NR_pselect6), + #endif ++#ifdef __NR_pselect6_time64 ++ SC_ALLOW(__NR_pselect6_time64), ++#endif + #ifdef __NR_read + SC_ALLOW(__NR_read), + #endif diff --git a/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch new file mode 100644 index 0000000000..0046ee1a51 --- /dev/null 
+++ b/meta/recipes-connectivity/openssh/openssh/CVE-2020-14145.patch 
@@ -0,0 +1,90 @@ +From b3855ff053f5078ec3d3c653cdaedefaa5fc362d Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Fri, 18 Sep 2020 05:23:03 +0000 +Subject: [PATCH] upstream: tweak the client hostkey preference ordering + algorithm to + +prefer the default ordering if the user has a key that matches the +best-preference default algorithm. + +feedback and ok markus@ + +OpenBSD-Commit-ID: a92dd7d7520ddd95c0a16786a7519e6d0167d35f + +Upstream-Status: Backport +[https://github.com/openssh/openssh-portable/commit/b3855ff053f5078ec3d3c653cdaedefaa5fc362d] +CVE: CVE-2020-14145 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + sshconnect2.c | 41 ++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 37 insertions(+), 2 deletions(-) + +diff --git a/sshconnect2.c b/sshconnect2.c +index 347e348c60..f64aae66af 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -102,12 +102,25 @@ verify_host_key_callback(struct sshkey *hostkey, struct ssh *ssh) + return 0; + } + ++/* Returns the first item from a comma-separated algorithm list */ ++static char * ++first_alg(const char *algs) ++{ ++ char *ret, *cp; ++ ++ ret = xstrdup(algs); ++ if ((cp = strchr(ret, ',')) != NULL) ++ *cp = '\0'; ++ return ret; ++} ++ + static char * + order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) + { +- char *oavail, *avail, *first, *last, *alg, *hostname, *ret; ++ char *oavail = NULL, *avail = NULL, *first = NULL, *last = NULL; ++ char *alg = NULL, *hostname = NULL, *ret = NULL, *best = NULL; + size_t maxlen; +- struct hostkeys *hostkeys; ++ struct hostkeys *hostkeys = NULL; + int ktype; + u_int i; + +@@ -119,6 +132,26 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) + for (i = 0; i < options.num_system_hostfiles; i++) + load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]); + ++ /* ++ * If a plain public key exists that matches the type of the best ++ * preference HostkeyAlgorithms, then use the whole list 
as is. ++ * Note that we ignore whether the best preference algorithm is a ++ * certificate type, as sshconnect.c will downgrade certs to ++ * plain keys if necessary. ++ */ ++ best = first_alg(options.hostkeyalgorithms); ++ if (lookup_key_in_hostkeys_by_type(hostkeys, ++ sshkey_type_plain(sshkey_type_from_name(best)), NULL)) { ++ debug3("%s: have matching best-preference key type %s, " ++ "using HostkeyAlgorithms verbatim", __func__, best); ++ ret = xstrdup(options.hostkeyalgorithms); ++ goto out; ++ } ++ ++ /* ++ * Otherwise, prefer the host key algorithms that match known keys ++ * while keeping the ordering of HostkeyAlgorithms as much as possible. ++ */ + oavail = avail = xstrdup(options.hostkeyalgorithms); + maxlen = strlen(avail) + 1; + first = xmalloc(maxlen); +@@ -159,6 +192,8 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port) + if (*first != '\0') + debug3("%s: prefer hostkeyalgs: %s", __func__, first); + ++ out: ++ free(best); + free(first); + free(last); + free(hostname); diff --git a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb index 2aa1df20bd..a1e34a9379 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.3p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.3p1.bb @@ -24,6 +24,8 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ file://sshd_check_keys \ file://add-test-support-for-busybox.patch \ + file://0f90440ca70abab947acbd77795e9f130967956c.patch \ + file://CVE-2020-14145.patch \ " SRC_URI[sha256sum] = "f2befbe0472fe7eb75d23340eb17531cb6b3aac24075e2066b41f814e12387b2" diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb index c2db596f03..5f281197c9 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb 
@@ -23,7 +23,7 @@ SRC_URI_append_class-nativesdk = " \
 file://environment.d-openssl.sh \
 "
 
-SRC_URI[sha256sum] = "e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242"
+SRC_URI[sha256sum] = "892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -210,6 +210,8 @@ BBCLASSEXTEND = "native nativesdk"
 
 CVE_PRODUCT = "openssl:openssl"
 
+CVE_VERSION_SUFFIX = "alphabetical"
+
 # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
 CVE_CHECK_WHITELIST += "CVE-2019-0190"
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
new file mode 100644
index 0000000000..8c90fa3421
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-0326.patch
@@ -0,0 +1,45 @@
+From 947272febe24a8f0ea828b5b2f35f13c3821901e Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Mon, 9 Nov 2020 11:43:12 +0200
+Subject: [PATCH] P2P: Fix copying of secondary device types for P2P group
+ client
+
+Parsing and copying of WPS secondary device types list was verifying
+that the contents is not too long for the internal maximum in the case
+of WPS messages, but similar validation was missing from the case of P2P
+group information which encodes this information in a different
+attribute. This could result in writing beyond the memory area assigned
+for these entries and corrupting memory within an instance of struct
+p2p_device. This could result in invalid operations and unexpected
+behavior when trying to free pointers from that corrupted memory.
+
+Upstream-Status: Backport
+CVE: CVE-2021-0326
+
+Reference to upstream patch:
+[https://w1.fi/cgit/hostap/commit/?id=947272febe24a8f0ea828b5b2f35f13c3821901e]
+
+Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
+Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ src/p2p/p2p.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/p2p/p2p.c b/src/p2p/p2p.c
+index a08ba02..079270f 100644
+--- a/src/p2p/p2p.c
++++ b/src/p2p/p2p.c
+@@ -453,6 +453,8 @@ static void p2p_copy_client_info(struct p2p_device *dev,
+ dev->info.config_methods = cli->config_methods;
+ os_memcpy(dev->info.pri_dev_type, cli->pri_dev_type, 8);
+ dev->info.wps_sec_dev_type_list_len = 8 * cli->num_sec_dev_types;
++ if (dev->info.wps_sec_dev_type_list_len > WPS_SEC_DEV_TYPE_MAX_LEN)
++ dev->info.wps_sec_dev_type_list_len = WPS_SEC_DEV_TYPE_MAX_LEN;
+ os_memcpy(dev->info.wps_sec_dev_type_list, cli->sec_dev_types,
+ dev->info.wps_sec_dev_type_list_len);
+ }
+--
+2.17.1
+
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch new file mode 100644 index 0000000000..004b1dbd19 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-27803.patch 
@@ -0,0 +1,58 @@ +From 8460e3230988ef2ec13ce6b69b687e941f6cdb32 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@codeaurora.org> +Date: Tue, 8 Dec 2020 23:52:50 +0200 +Subject: [PATCH] P2P: Fix a corner case in peer addition based on PD Request + +p2p_add_device() may remove the oldest entry if there is no room in the +peer table for a new peer. This would result in any pointer to that +removed entry becoming stale. A corner case with an invalid PD Request +frame could result in such a case ending up using (read+write) freed +memory. This could only by triggered when the peer table has reached its +maximum size and the PD Request frame is received from the P2P Device +Address of the oldest remaining entry and the frame has incorrect P2P +Device Address in the payload. + +Fix this by fetching the dev pointer again after having called +p2p_add_device() so that the stale pointer cannot be used. + +Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") +Signed-off-by: Jouni Malinen <jouni@codeaurora.org> + +Upstream-Status: Backport +CVE: CVE-2021-27803 + +Reference to upstream patch: +[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + src/p2p/p2p_pd.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/src/p2p/p2p_pd.c b/src/p2p/p2p_pd.c +index 3994ec0..05fd593 100644 +--- a/src/p2p/p2p_pd.c ++++ b/src/p2p/p2p_pd.c +@@ -595,14 +595,12 @@ void p2p_process_prov_disc_req(struct p2p_data *p2p, const u8 *sa, + goto out; + } + ++ dev = p2p_get_device(p2p, sa); + if (!dev) { +- dev = p2p_get_device(p2p, sa); +- if (!dev) { +- p2p_dbg(p2p, +- "Provision Discovery device not found " +- MACSTR, MAC2STR(sa)); +- goto out; +- } ++ p2p_dbg(p2p, ++ "Provision Discovery device not found " ++ MACSTR, MAC2STR(sa)); ++ goto out; + } + } else if (msg.wfd_subelems) { + wpabuf_free(dev->info.wfd_subelems); +-- +2.17.1 + 
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch new file mode 100644 index 0000000000..e2540fc26b --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch 
@@ -0,0 +1,123 @@ +From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sat, 13 Mar 2021 18:19:31 +0200 +Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters + +The supported hash algorithms do not use AlgorithmIdentifier parameters. +However, there are implementations that include NULL parameters in +addition to ones that omit the parameters. Previous implementation did +not check the parameters value at all which supported both these cases, +but did not reject any other unexpected information. + +Use strict validation of digest algorithm parameters and reject any +unexpected value when validating a signature. This is needed to prevent +potential forging attacks. + +Signed-off-by: Jouni Malinen <j@w1.fi> + +Upstream-Status: Backport +CVE: CVE-2021-30004 + +Reference to upstream patch: +[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + src/tls/pkcs1.c | 21 +++++++++++++++++++++ + src/tls/x509v3.c | 20 ++++++++++++++++++++ + 2 files changed, 41 insertions(+) + +diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c +index 141ac50..e09db07 100644 +--- a/src/tls/pkcs1.c ++++ b/src/tls/pkcs1.c +@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo", ++ hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters", 
++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "PKCS #1: Unexpected digest algorithm parameters"); ++ os_free(decrypted); ++ return -1; ++ } + + if (!asn1_oid_equal(&oid, hash_alg)) { + char txt[100], txt2[100]; +diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c +index 1bd5aa0..bf2289f 100644 +--- a/src/tls/x509v3.c ++++ b/src/tls/x509v3.c +@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. 
++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "X509: Unexpected digest algorithm parameters"); ++ os_free(data); ++ return -1; ++ } + + if (x509_sha1_oid(&oid)) { + if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) { +-- +2.17.1 + diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb index 7cc03fef7d..915b326b81 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb @@ -29,6 +29,9 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch \ file://0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch \ file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \ + file://CVE-2021-0326.patch \ + file://CVE-2021-27803.patch \ + file://CVE-2021-30004.patch \ " SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190" SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17" diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch new file mode 100644 index 0000000000..67c9f189cc --- /dev/null +++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch 
@@ -0,0 +1,58 @@ +From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001 +From: Samuel Sapalski <samuel.sapalski@nokia.com> +Date: Wed, 3 Mar 2021 16:31:22 +0100 +Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt + +On certain corrupt gzip files, huft_build will set the error bit on +the result pointer. If afterwards abort_unzip is called huft_free +might run into a segmentation fault or an invalid pointer to +free(p). + +In order to mitigate this, we check in huft_free if the error bit +is set and clear it before the linked list is freed. + +Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com> +Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com> +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> + +Upstream-Status: Backport +CVE: CVE-2021-28831 +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + archival/libarchive/decompress_gunzip.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c +index eb3b64930..e93cd5005 100644 +--- a/archival/libarchive/decompress_gunzip.c ++++ b/archival/libarchive/decompress_gunzip.c +@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = { + * each table. + * t: table to free + */ ++#define BAD_HUFT(p) ((uintptr_t)(p) & 1) ++#define ERR_RET ((huft_t*)(uintptr_t)1) + static void huft_free(huft_t *p) + { + huft_t *q; + ++ /* ++ * If 'p' has the error bit set we have to clear it, otherwise we might run ++ * into a segmentation fault or an invalid pointer to free(p) ++ */ ++ if (BAD_HUFT(p)) { ++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET)); ++ } ++ + /* Go through linked list, freeing from the malloced (t[-1]) address. 
*/ + while (p) { + q = (--p)->v.t; +@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current + * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table + * is given: "fixed inflate" decoder feeds us such data. + */ +-#define BAD_HUFT(p) ((uintptr_t)(p) & 1) +-#define ERR_RET ((huft_t*)(uintptr_t)1) + static huft_t* huft_build(const unsigned *b, const unsigned n, + const unsigned s, const struct cp_ext *cp_ext, + unsigned *m) diff --git a/meta/recipes-core/busybox/busybox_1.32.0.bb b/meta/recipes-core/busybox/busybox_1.32.0.bb index 8e23b0d4a2..b91f7cf711 100644 --- a/meta/recipes-core/busybox/busybox_1.32.0.bb +++ b/meta/recipes-core/busybox/busybox_1.32.0.bb @@ -46,7 +46,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-hwclock-make-glibc-2.31-compatible.patch \ file://rev.cfg \ file://pgrep.cfg \ -" + file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \ + " SRC_URI_append_libc-musl = " file://musl.cfg " SRC_URI[tarball.md5sum] = "9576986f1a960da471d03b72a62f13c7" diff --git a/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219.patch b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219.patch new file mode 100644 index 0000000000..a4ec01134a --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/CVE-2021-27219.patch 
@@ -0,0 +1,1444 @@ +commit b70039028b4a39ea071f6ed368a58ad5b5b90ba3 +Author: Anatol Belski <anbelski@microsoft.com> +Date: Sun Mar 14 17:51:53 2021 +0000 + + backport: 2.64.5_CVE-2021-27219 + +CVE: CVE-2021-27219 +Upstream-Status: Backport +[https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1926] + +Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com> + +diff --git a/docs/reference/glib/meson.build b/docs/reference/glib/meson.build +index 62d95f78d..7eebb04ac 100644 +--- a/docs/reference/glib/meson.build ++++ b/docs/reference/glib/meson.build +@@ -22,6 +22,7 @@ if get_option('gtk_doc') + 'gprintfint.h', + 'gmirroringtable.h', + 'gscripttable.h', ++ 'gstrfuncsprivate.h', + 'glib-mirroring-tab', + 'gnulib', + 'pcre', +diff --git a/gio/gdatainputstream.c b/gio/gdatainputstream.c +index 2e7750cb5..2cdcbda19 100644 +--- a/gio/gdatainputstream.c ++++ b/gio/gdatainputstream.c +@@ -27,6 +27,7 @@ + #include "gioenumtypes.h" + #include "gioerror.h" + #include "glibintl.h" ++#include "gstrfuncsprivate.h" + + #include <string.h> + +@@ -856,7 +857,7 @@ static gssize + scan_for_chars (GDataInputStream *stream, + gsize *checked_out, + const char *stop_chars, +- gssize stop_chars_len) ++ gsize stop_chars_len) + { + GBufferedInputStream *bstream; + const char *buffer; +@@ -952,7 +953,7 @@ typedef struct + gsize checked; + + gchar *stop_chars; +- gssize stop_chars_len; ++ gsize stop_chars_len; + gsize length; + } GDataInputStreamReadData; + +@@ -1078,12 +1079,17 @@ g_data_input_stream_read_async (GDataInputStream *stream, + { + GDataInputStreamReadData *data; + GTask *task; ++ gsize stop_chars_len_unsigned; + + data = g_slice_new0 (GDataInputStreamReadData); +- if (stop_chars_len == -1) +- stop_chars_len = strlen (stop_chars); +- data->stop_chars = g_memdup (stop_chars, stop_chars_len); +- data->stop_chars_len = stop_chars_len; ++ ++ if (stop_chars_len < 0) ++ stop_chars_len_unsigned = strlen (stop_chars); ++ else ++ stop_chars_len_unsigned = (gsize) stop_chars_len; ++ ++ 
data->stop_chars = g_memdup2 (stop_chars, stop_chars_len_unsigned); ++ data->stop_chars_len = stop_chars_len_unsigned; + data->last_saw_cr = FALSE; + + task = g_task_new (stream, cancellable, callback, user_data); +@@ -1338,17 +1344,20 @@ g_data_input_stream_read_upto (GDataInputStream *stream, + gssize found_pos; + gssize res; + char *data_until; ++ gsize stop_chars_len_unsigned; + + g_return_val_if_fail (G_IS_DATA_INPUT_STREAM (stream), NULL); + + if (stop_chars_len < 0) +- stop_chars_len = strlen (stop_chars); ++ stop_chars_len_unsigned = strlen (stop_chars); ++ else ++ stop_chars_len_unsigned = (gsize) stop_chars_len; + + bstream = G_BUFFERED_INPUT_STREAM (stream); + + checked = 0; + +- while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len)) == -1) ++ while ((found_pos = scan_for_chars (stream, &checked, stop_chars, stop_chars_len_unsigned)) == -1) + { + if (g_buffered_input_stream_get_available (bstream) == + g_buffered_input_stream_get_buffer_size (bstream)) +diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c +index 1a4dae3bd..9de661bde 100644 +--- a/gio/gdbusconnection.c ++++ b/gio/gdbusconnection.c +@@ -110,6 +110,7 @@ + #include "gasyncinitable.h" + #include "giostream.h" + #include "gasyncresult.h" ++#include "gstrfuncsprivate.h" + #include "gtask.h" + #include "gmarshal-internal.h" + +@@ -4007,7 +4008,7 @@ _g_dbus_interface_vtable_copy (const GDBusInterfaceVTable *vtable) + /* Don't waste memory by copying padding - remember to update this + * when changing struct _GDBusInterfaceVTable in gdbusconnection.h + */ +- return g_memdup ((gconstpointer) vtable, 3 * sizeof (gpointer)); ++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); + } + + static void +@@ -4024,7 +4025,7 @@ _g_dbus_subtree_vtable_copy (const GDBusSubtreeVTable *vtable) + /* Don't waste memory by copying padding - remember to update this + * when changing struct _GDBusSubtreeVTable in gdbusconnection.h + */ +- return g_memdup 
((gconstpointer) vtable, 3 * sizeof (gpointer)); ++ return g_memdup2 ((gconstpointer) vtable, 3 * sizeof (gpointer)); + } + + static void +diff --git a/gio/gdbusinterfaceskeleton.c b/gio/gdbusinterfaceskeleton.c +index 4a06516c1..4a4b719a5 100644 +--- a/gio/gdbusinterfaceskeleton.c ++++ b/gio/gdbusinterfaceskeleton.c +@@ -28,6 +28,7 @@ + #include "gdbusmethodinvocation.h" + #include "gdbusconnection.h" + #include "gmarshal-internal.h" ++#include "gstrfuncsprivate.h" + #include "gtask.h" + #include "gioerror.h" + +@@ -701,7 +702,7 @@ add_connection_locked (GDBusInterfaceSkeleton *interface_, + * properly before building the hooked_vtable, so we create it + * once at the last minute. + */ +- interface_->priv->hooked_vtable = g_memdup (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); ++ interface_->priv->hooked_vtable = g_memdup2 (g_dbus_interface_skeleton_get_vtable (interface_), sizeof (GDBusInterfaceVTable)); + interface_->priv->hooked_vtable->method_call = skeleton_intercept_handle_method_call; + } + +diff --git a/gio/gfile.c b/gio/gfile.c +index a2ded14ea..25930435f 100644 +--- a/gio/gfile.c ++++ b/gio/gfile.c +@@ -60,6 +60,7 @@ + #include "gasyncresult.h" + #include "gioerror.h" + #include "glibintl.h" ++#include "gstrfuncsprivate.h" + + + /** +@@ -7854,7 +7855,7 @@ measure_disk_usage_progress (gboolean reporting, + g_main_context_invoke_full (g_task_get_context (task), + g_task_get_priority (task), + measure_disk_usage_invoke_progress, +- g_memdup (&progress, sizeof progress), ++ g_memdup2 (&progress, sizeof progress), + g_free); + } + +@@ -7872,7 +7873,7 @@ measure_disk_usage_thread (GTask *task, + data->progress_callback ? 
measure_disk_usage_progress : NULL, task, + &result.disk_usage, &result.num_dirs, &result.num_files, + &error)) +- g_task_return_pointer (task, g_memdup (&result, sizeof result), g_free); ++ g_task_return_pointer (task, g_memdup2 (&result, sizeof result), g_free); + else + g_task_return_error (task, error); + } +@@ -7896,7 +7897,7 @@ g_file_real_measure_disk_usage_async (GFile *file, + + task = g_task_new (file, cancellable, callback, user_data); + g_task_set_source_tag (task, g_file_real_measure_disk_usage_async); +- g_task_set_task_data (task, g_memdup (&data, sizeof data), g_free); ++ g_task_set_task_data (task, g_memdup2 (&data, sizeof data), g_free); + g_task_set_priority (task, io_priority); + + g_task_run_in_thread (task, measure_disk_usage_thread); +diff --git a/gio/giowin32-private.c b/gio/giowin32-private.c +index 7120ae0ea..47e840805 100644 +--- a/gio/giowin32-private.c ++++ b/gio/giowin32-private.c +@@ -16,11 +16,12 @@ + * along with this library; if not, see <http://www.gnu.org/licenses/>. 
+ */ + ++#include "gstrfuncsprivate.h" + +-static gssize ++static gsize + g_utf16_len (const gunichar2 *str) + { +- gssize result; ++ gsize result; + + for (result = 0; str[0] != 0; str++, result++) + ; +@@ -31,17 +32,20 @@ g_utf16_len (const gunichar2 *str) + static gunichar2 * + g_wcsdup (const gunichar2 *str, gssize str_len) + { +- gssize str_size; ++ gsize str_len_unsigned; ++ gsize str_size; + + g_return_val_if_fail (str != NULL, NULL); + +- if (str_len == -1) +- str_len = g_utf16_len (str); ++ if (str_len < 0) ++ str_len_unsigned = g_utf16_len (str); ++ else ++ str_len_unsigned = (gsize) str_len; + +- g_assert (str_len <= G_MAXSIZE / sizeof (gunichar2) - 1); +- str_size = (str_len + 1) * sizeof (gunichar2); ++ g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1); ++ str_size = (str_len_unsigned + 1) * sizeof (gunichar2); + +- return g_memdup (str, str_size); ++ return g_memdup2 (str, str_size); + } + + static const gunichar2 * +diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c +index cd5765afd..de216e615 100644 +--- a/gio/gkeyfilesettingsbackend.c ++++ b/gio/gkeyfilesettingsbackend.c +@@ -33,6 +33,7 @@ + #include "gfilemonitor.h" + #include "gsimplepermission.h" + #include "gsettingsbackendinternal.h" ++#include "gstrfuncsprivate.h" + #include "giomodule-priv.h" + #include "gportalsupport.h" + +@@ -145,8 +146,8 @@ convert_path (GKeyfileSettingsBackend *kfsb, + gchar **group, + gchar **basename) + { +- gint key_len = strlen (key); +- gint i; ++ gsize key_len = strlen (key); ++ const gchar *last_slash; + + if (key_len < kfsb->prefix_len || + memcmp (key, kfsb->prefix, kfsb->prefix_len) != 0) +@@ -155,38 +156,48 @@ convert_path (GKeyfileSettingsBackend *kfsb, + key_len -= kfsb->prefix_len; + key += kfsb->prefix_len; + +- for (i = key_len; i >= 0; i--) +- if (key[i] == '/') +- break; ++ last_slash = strrchr (key, '/'); ++ ++ /* Disallow empty group names or key names */ ++ if (key_len == 0 || ++ (last_slash != NULL && ++ 
(*(last_slash + 1) == '\0' || ++ last_slash == key))) ++ return FALSE; + + if (kfsb->root_group) + { + /* if a root_group was specified, make sure the user hasn't given + * a path that ghosts that group name + */ +- if (i == kfsb->root_group_len && memcmp (key, kfsb->root_group, i) == 0) ++ if (last_slash != NULL && (last_slash - key) == kfsb->root_group_len && memcmp (key, kfsb->root_group, last_slash - key) == 0) + return FALSE; + } + else + { + /* if no root_group was given, ensure that the user gave a path */ +- if (i == -1) ++ if (last_slash == NULL) + return FALSE; + } + + if (group) + { +- if (i >= 0) ++ if (last_slash != NULL) + { +- *group = g_memdup (key, i + 1); +- (*group)[i] = '\0'; ++ *group = g_memdup2 (key, (last_slash - key) + 1); ++ (*group)[(last_slash - key)] = '\0'; + } + else + *group = g_strdup (kfsb->root_group); + } + + if (basename) +- *basename = g_memdup (key + i + 1, key_len - i); ++ { ++ if (last_slash != NULL) ++ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key)); ++ else ++ *basename = g_strdup (key); ++ } + + return TRUE; + } +diff --git a/gio/gsettingsschema.c b/gio/gsettingsschema.c +index 0b94f76f6..eb5a3b846 100644 +--- a/gio/gsettingsschema.c ++++ b/gio/gsettingsschema.c +@@ -20,6 +20,7 @@ + + #include "gsettingsschema-internal.h" + #include "gsettings.h" ++#include "gstrfuncsprivate.h" + + #include "gvdb/gvdb-reader.h" + #include "strinfo.c" +@@ -1067,9 +1068,9 @@ g_settings_schema_list_children (GSettingsSchema *schema) + + if (g_str_has_suffix (key, "/")) + { +- gint length = strlen (key); ++ gsize length = strlen (key); + +- strv[j] = g_memdup (key, length); ++ strv[j] = g_memdup2 (key, length); + strv[j][length - 1] = '\0'; + j++; + } +diff --git a/gio/gsocket.c b/gio/gsocket.c +index 2a15bdd22..554af026b 100644 +--- a/gio/gsocket.c ++++ b/gio/gsocket.c +@@ -75,6 +75,7 @@ + #include "gcredentialsprivate.h" + #include "glibintl.h" + #include "gioprivate.h" ++#include "gstrfuncsprivate.h" + + #ifdef 
G_OS_WIN32 + /* For Windows XP runtime compatibility, but use the system's if_nametoindex() if available */ +@@ -174,7 +175,7 @@ static gboolean g_socket_datagram_based_condition_wait (GDatagramBased + GError **error); + + static GSocketAddress * +-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len); ++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len); + + static gssize + g_socket_receive_message_with_timeout (GSocket *socket, +@@ -260,7 +261,7 @@ struct _GSocketPrivate + struct { + GSocketAddress *addr; + struct sockaddr *native; +- gint native_len; ++ gsize native_len; + guint64 last_used; + } recv_addr_cache[RECV_ADDR_CACHE_SIZE]; + }; +@@ -5259,14 +5260,14 @@ g_socket_send_messages_with_timeout (GSocket *socket, + } + + static GSocketAddress * +-cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) ++cache_recv_address (GSocket *socket, struct sockaddr *native, size_t native_len) + { + GSocketAddress *saddr; + gint i; + guint64 oldest_time = G_MAXUINT64; + gint oldest_index = 0; + +- if (native_len <= 0) ++ if (native_len == 0) + return NULL; + + saddr = NULL; +@@ -5274,7 +5275,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) + { + GSocketAddress *tmp = socket->priv->recv_addr_cache[i].addr; + gpointer tmp_native = socket->priv->recv_addr_cache[i].native; +- gint tmp_native_len = socket->priv->recv_addr_cache[i].native_len; ++ gsize tmp_native_len = socket->priv->recv_addr_cache[i].native_len; + + if (!tmp) + continue; +@@ -5304,7 +5305,7 @@ cache_recv_address (GSocket *socket, struct sockaddr *native, int native_len) + g_free (socket->priv->recv_addr_cache[oldest_index].native); + } + +- socket->priv->recv_addr_cache[oldest_index].native = g_memdup (native, native_len); ++ socket->priv->recv_addr_cache[oldest_index].native = g_memdup2 (native, native_len); + socket->priv->recv_addr_cache[oldest_index].native_len = native_len; + 
socket->priv->recv_addr_cache[oldest_index].addr = g_object_ref (saddr); + socket->priv->recv_addr_cache[oldest_index].last_used = g_get_monotonic_time (); +@@ -5452,6 +5453,9 @@ g_socket_receive_message_with_timeout (GSocket *socket, + /* do it */ + while (1) + { ++ /* addrlen has to be of type int because that’s how WSARecvFrom() is defined */ ++ G_STATIC_ASSERT (sizeof addr <= G_MAXINT); ++ + addrlen = sizeof addr; + if (address) + result = WSARecvFrom (socket->priv->fd, +diff --git a/gio/gtlspassword.c b/gio/gtlspassword.c +index 1e437a7b6..bd86a6dfe 100644 +--- a/gio/gtlspassword.c ++++ b/gio/gtlspassword.c +@@ -23,6 +23,7 @@ + #include "glibintl.h" + + #include "gioenumtypes.h" ++#include "gstrfuncsprivate.h" + #include "gtlspassword.h" + + #include <string.h> +@@ -287,9 +288,14 @@ g_tls_password_set_value (GTlsPassword *password, + g_return_if_fail (G_IS_TLS_PASSWORD (password)); + + if (length < 0) +- length = strlen ((gchar *)value); ++ { ++ /* FIXME: g_tls_password_set_value_full() doesn’t support unsigned gsize */ ++ gsize length_unsigned = strlen ((gchar *) value); ++ g_return_if_fail (length_unsigned <= G_MAXSSIZE); ++ length = (gssize) length_unsigned; ++ } + +- g_tls_password_set_value_full (password, g_memdup (value, length), length, g_free); ++ g_tls_password_set_value_full (password, g_memdup2 (value, (gsize) length), length, g_free); + } + + /** +diff --git a/gio/gwin32registrykey.c b/gio/gwin32registrykey.c +index aa7819294..efb9ae713 100644 +--- a/gio/gwin32registrykey.c ++++ b/gio/gwin32registrykey.c +@@ -28,6 +28,8 @@ + #include <ntstatus.h> + #include <winternl.h> + ++#include "gstrfuncsprivate.h" ++ + #ifndef _WDMDDK_ + typedef enum _KEY_INFORMATION_CLASS { + KeyBasicInformation, +@@ -125,16 +127,34 @@ typedef enum + G_WIN32_REGISTRY_UPDATED_PATH = 1, + } GWin32RegistryKeyUpdateFlag; + ++static gsize ++g_utf16_len (const gunichar2 *str) ++{ ++ gsize result; ++ ++ for (result = 0; str[0] != 0; str++, result++) ++ ; ++ ++ return result; ++} 
++ + static gunichar2 * +-g_wcsdup (const gunichar2 *str, +- gssize str_size) ++g_wcsdup (const gunichar2 *str, gssize str_len) + { +- if (str_size == -1) +- { +- str_size = wcslen (str) + 1; +- str_size *= sizeof (gunichar2); +- } +- return g_memdup (str, str_size); ++ gsize str_len_unsigned; ++ gsize str_size; ++ ++ g_return_val_if_fail (str != NULL, NULL); ++ ++ if (str_len < 0) ++ str_len_unsigned = g_utf16_len (str); ++ else ++ str_len_unsigned = (gsize) str_len; ++ ++ g_assert (str_len_unsigned <= G_MAXSIZE / sizeof (gunichar2) - 1); ++ str_size = (str_len_unsigned + 1) * sizeof (gunichar2); ++ ++ return g_memdup2 (str, str_size); + } + + /** +@@ -247,7 +267,7 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter) + new_iter->value_name_size = iter->value_name_size; + + if (iter->value_data != NULL) +- new_iter->value_data = g_memdup (iter->value_data, iter->value_data_size); ++ new_iter->value_data = g_memdup2 (iter->value_data, iter->value_data_size); + + new_iter->value_data_size = iter->value_data_size; + +@@ -268,8 +288,8 @@ g_win32_registry_value_iter_copy (const GWin32RegistryValueIter *iter) + new_iter->value_data_expanded_charsize = iter->value_data_expanded_charsize; + + if (iter->value_data_expanded_u8 != NULL) +- new_iter->value_data_expanded_u8 = g_memdup (iter->value_data_expanded_u8, +- iter->value_data_expanded_charsize); ++ new_iter->value_data_expanded_u8 = g_memdup2 (iter->value_data_expanded_u8, ++ iter->value_data_expanded_charsize); + + new_iter->value_data_expanded_u8_size = iter->value_data_expanded_charsize; + +diff --git a/gio/tests/async-close-output-stream.c b/gio/tests/async-close-output-stream.c +index 5f6620275..d3f97a119 100644 +--- a/gio/tests/async-close-output-stream.c ++++ b/gio/tests/async-close-output-stream.c +@@ -24,6 +24,8 @@ + #include <stdlib.h> + #include <string.h> + ++#include "gstrfuncsprivate.h" ++ + #define DATA_TO_WRITE "Hello world\n" + + typedef struct +@@ -147,9 +149,9 @@ prepare_data 
(SetupData *data, + + data->expected_size = g_memory_output_stream_get_data_size (G_MEMORY_OUTPUT_STREAM (data->data_stream)); + +- g_assert_cmpint (data->expected_size, >, 0); ++ g_assert_cmpuint (data->expected_size, >, 0); + +- data->expected_output = g_memdup (written, (guint)data->expected_size); ++ data->expected_output = g_memdup2 (written, data->expected_size); + + /* then recreate the streams and prepare them for the asynchronous close */ + destroy_streams (data); +diff --git a/gio/tests/gdbus-export.c b/gio/tests/gdbus-export.c +index fda654c44..10dd6d82f 100644 +--- a/gio/tests/gdbus-export.c ++++ b/gio/tests/gdbus-export.c +@@ -23,6 +23,7 @@ + #include <string.h> + + #include "gdbus-tests.h" ++#include "gstrfuncsprivate.h" + + /* all tests rely on a shared mainloop */ + static GMainLoop *loop = NULL; +@@ -671,7 +672,7 @@ subtree_introspect (GDBusConnection *connection, + g_assert_not_reached (); + } + +- return g_memdup (interfaces, 2 * sizeof (void *)); ++ return g_memdup2 (interfaces, 2 * sizeof (void *)); + } + + static const GDBusInterfaceVTable * +@@ -727,7 +728,7 @@ dynamic_subtree_introspect (GDBusConnection *connection, + { + const GDBusInterfaceInfo *interfaces[2] = { &dyna_interface_info, NULL }; + +- return g_memdup (interfaces, 2 * sizeof (void *)); ++ return g_memdup2 (interfaces, 2 * sizeof (void *)); + } + + static const GDBusInterfaceVTable * +diff --git a/gio/tests/gsettings.c b/gio/tests/gsettings.c +index baadca8f5..afe594a23 100644 +--- a/gio/tests/gsettings.c ++++ b/gio/tests/gsettings.c +@@ -1,3 +1,4 @@ ++#include <errno.h> + #include <stdlib.h> + #include <locale.h> + #include <libintl.h> +@@ -1740,6 +1741,14 @@ key_changed_cb (GSettings *settings, const gchar *key, gpointer data) + (*b) = TRUE; + } + ++typedef struct ++{ ++ const gchar *path; ++ const gchar *root_group; ++ const gchar *keyfile_group; ++ const gchar *root_path; ++} KeyfileTestData; ++ + /* + * Test that using a keyfile works + */ +@@ -1834,7 +1843,11 @@ 
test_keyfile (Fixture *fixture, + g_free (str); + + g_settings_set (settings, "farewell", "s", "cheerio"); +- ++ ++ /* Check that empty keys/groups are not allowed. */ ++ g_assert_false (g_settings_is_writable (settings, "")); ++ g_assert_false (g_settings_is_writable (settings, "/")); ++ + /* When executing as root, changing the mode of the keyfile will have + * no effect on the writability of the settings. + */ +@@ -1866,6 +1879,149 @@ test_keyfile (Fixture *fixture, + g_free (keyfile_path); + } + ++/* ++ * Test that using a keyfile works with a schema with no path set. ++ */ ++static void ++test_keyfile_no_path (Fixture *fixture, ++ gconstpointer user_data) ++{ ++ const KeyfileTestData *test_data = user_data; ++ GSettingsBackend *kf_backend; ++ GSettings *settings; ++ GKeyFile *keyfile; ++ gboolean writable; ++ gchar *key = NULL; ++ GError *error = NULL; ++ gchar *keyfile_path = NULL, *store_path = NULL; ++ ++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL); ++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL); ++ kf_backend = g_keyfile_settings_backend_new (store_path, test_data->root_path, test_data->root_group); ++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, test_data->path); ++ g_object_unref (kf_backend); ++ ++ g_settings_reset (settings, "test-boolean"); ++ g_assert_true (g_settings_get_boolean (settings, "test-boolean")); ++ ++ writable = g_settings_is_writable (settings, "test-boolean"); ++ g_assert_true (writable); ++ g_settings_set (settings, "test-boolean", "b", FALSE); ++ ++ g_assert_false (g_settings_get_boolean (settings, "test-boolean")); ++ ++ g_settings_delay (settings); ++ g_settings_set (settings, "test-boolean", "b", TRUE); ++ g_settings_apply (settings); ++ ++ keyfile = g_key_file_new (); ++ g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL)); ++ ++ g_assert_true (g_key_file_get_boolean (keyfile, test_data->keyfile_group, "test-boolean", 
NULL)); ++ ++ g_key_file_free (keyfile); ++ ++ g_settings_reset (settings, "test-boolean"); ++ g_settings_apply (settings); ++ keyfile = g_key_file_new (); ++ g_assert_true (g_key_file_load_from_file (keyfile, store_path, 0, NULL)); ++ ++ g_assert_false (g_key_file_get_string (keyfile, test_data->keyfile_group, "test-boolean", &error)); ++ g_assert_error (error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_KEY_NOT_FOUND); ++ g_clear_error (&error); ++ ++ /* Check that empty keys/groups are not allowed. */ ++ g_assert_false (g_settings_is_writable (settings, "")); ++ g_assert_false (g_settings_is_writable (settings, "/")); ++ ++ /* Keys which ghost the root group name are not allowed. This can only be ++ * tested when the path is `/` as otherwise it acts as a prefix and prevents ++ * any ghosting. */ ++ if (g_str_equal (test_data->path, "/")) ++ { ++ key = g_strdup_printf ("%s/%s", test_data->root_group, ""); ++ g_assert_false (g_settings_is_writable (settings, key)); ++ g_free (key); ++ ++ key = g_strdup_printf ("%s/%s", test_data->root_group, "/"); ++ g_assert_false (g_settings_is_writable (settings, key)); ++ g_free (key); ++ ++ key = g_strdup_printf ("%s/%s", test_data->root_group, "test-boolean"); ++ g_assert_false (g_settings_is_writable (settings, key)); ++ g_free (key); ++ } ++ ++ g_key_file_free (keyfile); ++ g_object_unref (settings); ++ ++ /* Clean up the temporary directory. */ ++ g_assert_cmpint (g_chmod (keyfile_path, 0777) == 0 ? 0 : errno, ==, 0); ++ g_assert_cmpint (g_remove (store_path) == 0 ? 0 : errno, ==, 0); ++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0); ++ g_free (store_path); ++ g_free (keyfile_path); ++} ++ ++/* ++ * Test that a keyfile rejects writes to keys outside its root path. 
++ */ ++static void ++test_keyfile_outside_root_path (Fixture *fixture, ++ gconstpointer user_data) ++{ ++ GSettingsBackend *kf_backend; ++ GSettings *settings; ++ gchar *keyfile_path = NULL, *store_path = NULL; ++ ++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL); ++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL); ++ kf_backend = g_keyfile_settings_backend_new (store_path, "/tests/basic-types/", "root"); ++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/tests/"); ++ g_object_unref (kf_backend); ++ ++ g_assert_false (g_settings_is_writable (settings, "test-boolean")); ++ ++ g_object_unref (settings); ++ ++ /* Clean up the temporary directory. The keyfile probably doesn’t exist, so ++ * don’t error on failure. */ ++ g_remove (store_path); ++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 0 : errno, ==, 0); ++ g_free (store_path); ++ g_free (keyfile_path); ++} ++ ++/* ++ * Test that a keyfile rejects writes to keys in the root if no root group is set. ++ */ ++static void ++test_keyfile_no_root_group (Fixture *fixture, ++ gconstpointer user_data) ++{ ++ GSettingsBackend *kf_backend; ++ GSettings *settings; ++ gchar *keyfile_path = NULL, *store_path = NULL; ++ ++ keyfile_path = g_build_filename (fixture->tmp_dir, "keyfile", NULL); ++ store_path = g_build_filename (keyfile_path, "gsettings.store", NULL); ++ kf_backend = g_keyfile_settings_backend_new (store_path, "/", NULL); ++ settings = g_settings_new_with_backend_and_path ("org.gtk.test.no-path", kf_backend, "/"); ++ g_object_unref (kf_backend); ++ ++ g_assert_false (g_settings_is_writable (settings, "test-boolean")); ++ g_assert_true (g_settings_is_writable (settings, "child/test-boolean")); ++ ++ g_object_unref (settings); ++ ++ /* Clean up the temporary directory. The keyfile probably doesn’t exist, so ++ * don’t error on failure. */ ++ g_remove (store_path); ++ g_assert_cmpint (g_rmdir (keyfile_path) == 0 ? 
0 : errno, ==, 0); ++ g_free (store_path); ++ g_free (keyfile_path); ++} ++ + /* Test that getting child schemas works + */ + static void +@@ -2844,6 +3000,14 @@ main (int argc, char *argv[]) + gchar *override_text; + gchar *enums; + gint result; ++ const KeyfileTestData keyfile_test_data_explicit_path = { "/tests/", "root", "tests", "/" }; ++ const KeyfileTestData keyfile_test_data_empty_path = { "/", "root", "root", "/" }; ++ const KeyfileTestData keyfile_test_data_long_path = { ++ "/tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch/", ++ "root", ++ "tests/path/is/very/long/and/this/makes/some/comparisons/take/a/different/branch", ++ "/" ++ }; + + /* Meson build sets this */ + #ifdef TEST_LOCALE_PATH +@@ -2967,6 +3131,11 @@ main (int argc, char *argv[]) + } + + g_test_add ("/gsettings/keyfile", Fixture, NULL, setup, test_keyfile, teardown); ++ g_test_add ("/gsettings/keyfile/explicit-path", Fixture, &keyfile_test_data_explicit_path, setup, test_keyfile_no_path, teardown); ++ g_test_add ("/gsettings/keyfile/empty-path", Fixture, &keyfile_test_data_empty_path, setup, test_keyfile_no_path, teardown); ++ g_test_add ("/gsettings/keyfile/long-path", Fixture, &keyfile_test_data_long_path, setup, test_keyfile_no_path, teardown); ++ g_test_add ("/gsettings/keyfile/outside-root-path", Fixture, NULL, setup, test_keyfile_outside_root_path, teardown); ++ g_test_add ("/gsettings/keyfile/no-root-group", Fixture, NULL, setup, test_keyfile_no_root_group, teardown); + g_test_add_func ("/gsettings/child-schema", test_child_schema); + g_test_add_func ("/gsettings/strinfo", test_strinfo); + g_test_add_func ("/gsettings/enums", test_enums); +diff --git a/gio/tests/tls-interaction.c b/gio/tests/tls-interaction.c +index 4f0737d7e..5661e8e0d 100644 +--- a/gio/tests/tls-interaction.c ++++ b/gio/tests/tls-interaction.c +@@ -174,6 +174,38 @@ test_interaction_ask_password_finish_failure (GTlsInteraction *interaction, + } + + ++/* Return a copy of @str that is 
allocated in a silly way, to exercise ++ * custom free-functions. The returned pointer points to a copy of @str ++ * in a buffer of the form "BEFORE \0 str \0 AFTER". */ ++static guchar * ++special_dup (const char *str) ++{ ++ GString *buf = g_string_new ("BEFORE"); ++ guchar *ret; ++ ++ g_string_append_c (buf, '\0'); ++ g_string_append (buf, str); ++ g_string_append_c (buf, '\0'); ++ g_string_append (buf, "AFTER"); ++ ret = (guchar *) g_string_free (buf, FALSE); ++ return ret + strlen ("BEFORE") + 1; ++} ++ ++ ++/* Free a copy of @str that was made with special_dup(), after asserting ++ * that it has not been corrupted. */ ++static void ++special_free (gpointer p) ++{ ++ gchar *s = p; ++ gchar *buf = s - strlen ("BEFORE") - 1; ++ ++ g_assert_cmpstr (buf, ==, "BEFORE"); ++ g_assert_cmpstr (s + strlen (s) + 1, ==, "AFTER"); ++ g_free (buf); ++} ++ ++ + static GTlsInteractionResult + test_interaction_ask_password_sync_success (GTlsInteraction *interaction, + GTlsPassword *password, +@@ -181,6 +213,8 @@ test_interaction_ask_password_sync_success (GTlsInteraction *interaction, + GError **error) + { + TestInteraction *self; ++ const guchar *value; ++ gsize len; + + g_assert (TEST_IS_INTERACTION (interaction)); + self = TEST_INTERACTION (interaction); +@@ -192,6 +226,27 @@ test_interaction_ask_password_sync_success (GTlsInteraction *interaction, + g_assert (error != NULL); + g_assert (*error == NULL); + ++ /* Exercise different ways to set the value */ ++ g_tls_password_set_value (password, (const guchar *) "foo", 4); ++ len = 0; ++ value = g_tls_password_get_value (password, &len); ++ g_assert_cmpmem (value, len, "foo", 4); ++ ++ g_tls_password_set_value (password, (const guchar *) "bar", -1); ++ len = 0; ++ value = g_tls_password_get_value (password, &len); ++ g_assert_cmpmem (value, len, "bar", 3); ++ ++ g_tls_password_set_value_full (password, special_dup ("baa"), 4, special_free); ++ len = 0; ++ value = g_tls_password_get_value (password, &len); ++ g_assert_cmpmem 
(value, len, "baa", 4); ++ ++ g_tls_password_set_value_full (password, special_dup ("baz"), -1, special_free); ++ len = 0; ++ value = g_tls_password_get_value (password, &len); ++ g_assert_cmpmem (value, len, "baz", 3); ++ + /* Don't do this in real life. Include a null terminator for testing */ + g_tls_password_set_value (password, (const guchar *)"the password", 13); + return G_TLS_INTERACTION_HANDLED; +diff --git a/gio/win32/gwinhttpfile.c b/gio/win32/gwinhttpfile.c +index cf5eed31d..246ec0578 100644 +--- a/gio/win32/gwinhttpfile.c ++++ b/gio/win32/gwinhttpfile.c +@@ -29,6 +29,7 @@ + #include "gio/gfile.h" + #include "gio/gfileattribute.h" + #include "gio/gfileinfo.h" ++#include "gstrfuncsprivate.h" + #include "gwinhttpfile.h" + #include "gwinhttpfileinputstream.h" + #include "gwinhttpfileoutputstream.h" +@@ -393,10 +394,10 @@ g_winhttp_file_resolve_relative_path (GFile *file, + child = g_object_new (G_TYPE_WINHTTP_FILE, NULL); + child->vfs = winhttp_file->vfs; + child->url = winhttp_file->url; +- child->url.lpszScheme = g_memdup (winhttp_file->url.lpszScheme, (winhttp_file->url.dwSchemeLength+1)*2); +- child->url.lpszHostName = g_memdup (winhttp_file->url.lpszHostName, (winhttp_file->url.dwHostNameLength+1)*2); +- child->url.lpszUserName = g_memdup (winhttp_file->url.lpszUserName, (winhttp_file->url.dwUserNameLength+1)*2); +- child->url.lpszPassword = g_memdup (winhttp_file->url.lpszPassword, (winhttp_file->url.dwPasswordLength+1)*2); ++ child->url.lpszScheme = g_memdup2 (winhttp_file->url.lpszScheme, ((gsize) winhttp_file->url.dwSchemeLength + 1) * 2); ++ child->url.lpszHostName = g_memdup2 (winhttp_file->url.lpszHostName, ((gsize) winhttp_file->url.dwHostNameLength + 1) * 2); ++ child->url.lpszUserName = g_memdup2 (winhttp_file->url.lpszUserName, ((gsize) winhttp_file->url.dwUserNameLength + 1) * 2); ++ child->url.lpszPassword = g_memdup2 (winhttp_file->url.lpszPassword, ((gsize) winhttp_file->url.dwPasswordLength + 1) * 2); + child->url.lpszUrlPath = 
wnew_path; + child->url.dwUrlPathLength = wcslen (wnew_path); + child->url.lpszExtraInfo = NULL; +diff --git a/glib/gbytes.c b/glib/gbytes.c +index ec6923188..6f17d104c 100644 +--- a/glib/gbytes.c ++++ b/glib/gbytes.c +@@ -34,6 +34,8 @@ + + #include <string.h> + ++#include "gstrfuncsprivate.h" ++ + /** + * GBytes: + * +@@ -95,7 +97,7 @@ g_bytes_new (gconstpointer data, + { + g_return_val_if_fail (data != NULL || size == 0, NULL); + +- return g_bytes_new_take (g_memdup (data, size), size); ++ return g_bytes_new_take (g_memdup2 (data, size), size); + } + + /** +@@ -499,7 +501,7 @@ g_bytes_unref_to_data (GBytes *bytes, + * Copy: Non g_malloc (or compatible) allocator, or static memory, + * so we have to copy, and then unref. + */ +- result = g_memdup (bytes->data, bytes->size); ++ result = g_memdup2 (bytes->data, bytes->size); + *size = bytes->size; + g_bytes_unref (bytes); + } +diff --git a/glib/gdir.c b/glib/gdir.c +index 6b85e99c8..6747a8c6f 100644 +--- a/glib/gdir.c ++++ b/glib/gdir.c +@@ -37,6 +37,7 @@ + #include "gconvert.h" + #include "gfileutils.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gtestutils.h" + #include "glibintl.h" + +@@ -112,7 +113,7 @@ g_dir_open_with_errno (const gchar *path, + return NULL; + #endif + +- return g_memdup (&dir, sizeof dir); ++ return g_memdup2 (&dir, sizeof dir); + } + + /** +diff --git a/glib/ghash.c b/glib/ghash.c +index 0f1562a06..c1e15c957 100644 +--- a/glib/ghash.c ++++ b/glib/ghash.c +@@ -34,6 +34,7 @@ + #include "gmacros.h" + #include "glib-private.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gatomic.h" + #include "gtestutils.h" + #include "gslice.h" +@@ -962,7 +963,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer + if (hash_table->have_big_keys) + { + if (key != value) +- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); ++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * 
hash_table->size); + /* Keys and values are both big now, so no need for further checks */ + return; + } +@@ -970,7 +971,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer + { + if (key != value) + { +- hash_table->values = g_memdup (hash_table->keys, sizeof (guint) * hash_table->size); ++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (guint) * hash_table->size); + is_a_set = FALSE; + } + } +@@ -998,7 +999,7 @@ g_hash_table_ensure_keyval_fits (GHashTable *hash_table, gpointer key, gpointer + + /* Just split if necessary */ + if (is_a_set && key != value) +- hash_table->values = g_memdup (hash_table->keys, sizeof (gpointer) * hash_table->size); ++ hash_table->values = g_memdup2 (hash_table->keys, sizeof (gpointer) * hash_table->size); + + #endif + } +diff --git a/glib/giochannel.c b/glib/giochannel.c +index d16399846..b41381d38 100644 +--- a/glib/giochannel.c ++++ b/glib/giochannel.c +@@ -37,6 +37,7 @@ + #include "giochannel.h" + + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gtestutils.h" + #include "glibintl.h" + +@@ -886,17 +887,26 @@ g_io_channel_set_line_term (GIOChannel *channel, + const gchar *line_term, + gint length) + { ++ guint length_unsigned; ++ + g_return_if_fail (channel != NULL); + g_return_if_fail (line_term == NULL || length != 0); /* Disallow "" */ + + if (line_term == NULL) +- length = 0; +- else if (length < 0) +- length = strlen (line_term); ++ length_unsigned = 0; ++ else if (length >= 0) ++ length_unsigned = (guint) length; ++ else ++ { ++ /* FIXME: We’re constrained by line_term_len being a guint here */ ++ gsize length_size = strlen (line_term); ++ g_return_if_fail (length_size <= G_MAXUINT); ++ length_unsigned = (guint) length_size; ++ } + + g_free (channel->line_term); +- channel->line_term = line_term ? g_memdup (line_term, length) : NULL; +- channel->line_term_len = length; ++ channel->line_term = line_term ? 
g_memdup2 (line_term, length_unsigned) : NULL; ++ channel->line_term_len = length_unsigned; + } + + /** +@@ -1673,10 +1683,10 @@ g_io_channel_read_line (GIOChannel *channel, + + /* Copy the read bytes (including any embedded nuls) and nul-terminate. + * `USE_BUF (channel)->str` is guaranteed to be nul-terminated as it’s a +- * #GString, so it’s safe to call g_memdup() with +1 length to allocate ++ * #GString, so it’s safe to call g_memdup2() with +1 length to allocate + * a nul-terminator. */ + g_assert (USE_BUF (channel)); +- line = g_memdup (USE_BUF (channel)->str, got_length + 1); ++ line = g_memdup2 (USE_BUF (channel)->str, got_length + 1); + line[got_length] = '\0'; + *str_return = g_steal_pointer (&line); + g_string_erase (USE_BUF (channel), 0, got_length); +diff --git a/glib/gslice.c b/glib/gslice.c +index 4c758c3be..bcdbb8853 100644 +--- a/glib/gslice.c ++++ b/glib/gslice.c +@@ -41,6 +41,7 @@ + #include "gmain.h" + #include "gmem.h" /* gslice.h */ + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gutils.h" + #include "gtrashstack.h" + #include "gtestutils.h" +@@ -350,7 +351,7 @@ g_slice_get_config_state (GSliceConfig ckey, + array[i++] = allocator->contention_counters[address]; + array[i++] = allocator_get_magazine_threshold (allocator, address); + *n_values = i; +- return g_memdup (array, sizeof (array[0]) * *n_values); ++ return g_memdup2 (array, sizeof (array[0]) * *n_values); + default: + return NULL; + } +diff --git a/glib/gstrfuncsprivate.h b/glib/gstrfuncsprivate.h +new file mode 100644 +index 000000000..85c88328a +--- /dev/null ++++ b/glib/gstrfuncsprivate.h +@@ -0,0 +1,55 @@ ++/* GLIB - Library of useful routines for C programming ++ * Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh MacDonald ++ * ++ * This library is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU Lesser General Public ++ * License as published by the Free Software Foundation; either ++ * version 2.1 of the 
License, or (at your option) any later version. ++ * ++ * This library is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ * Lesser General Public License for more details. ++ * ++ * You should have received a copy of the GNU Lesser General Public ++ * License along with this library; if not, see <http://www.gnu.org/licenses/>. ++ */ ++ ++#include <glib.h> ++#include <string.h> ++ ++/* ++ * g_memdup2: ++ * @mem: (nullable): the memory to copy. ++ * @byte_size: the number of bytes to copy. ++ * ++ * Allocates @byte_size bytes of memory, and copies @byte_size bytes into it ++ * from @mem. If @mem is %NULL it returns %NULL. ++ * ++ * This replaces g_memdup(), which was prone to integer overflows when ++ * converting the argument from a #gsize to a #guint. ++ * ++ * This static inline version is a backport of the new public API from ++ * GLib 2.68, kept internal to GLib for backport to older stable releases. ++ * See https://gitlab.gnome.org/GNOME/glib/-/issues/2319. ++ * ++ * Returns: (nullable): a pointer to the newly-allocated copy of the memory, ++ * or %NULL if @mem is %NULL. 
++ * Since: 2.68 ++ */ ++static inline gpointer ++g_memdup2 (gconstpointer mem, ++ gsize byte_size) ++{ ++ gpointer new_mem; ++ ++ if (mem && byte_size != 0) ++ { ++ new_mem = g_malloc (byte_size); ++ memcpy (new_mem, mem, byte_size); ++ } ++ else ++ new_mem = NULL; ++ ++ return new_mem; ++} +diff --git a/glib/gtestutils.c b/glib/gtestutils.c +index 18b117285..26d46ad75 100644 +--- a/glib/gtestutils.c ++++ b/glib/gtestutils.c +@@ -49,6 +49,7 @@ + #include "gpattern.h" + #include "grand.h" + #include "gstrfuncs.h" ++#include "gstrfuncsprivate.h" + #include "gtimer.h" + #include "gslice.h" + #include "gspawn.h" +@@ -3803,7 +3804,7 @@ g_test_log_extract (GTestLogBuffer *tbuffer) + if (p <= tbuffer->data->str + mlength) + { + g_string_erase (tbuffer->data, 0, mlength); +- tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup (&msg, sizeof (msg))); ++ tbuffer->msgs = g_slist_prepend (tbuffer->msgs, g_memdup2 (&msg, sizeof (msg))); + return TRUE; + } + +diff --git a/glib/gvariant.c b/glib/gvariant.c +index 77d7e746b..ef4257f6d 100644 +--- a/glib/gvariant.c ++++ b/glib/gvariant.c +@@ -33,6 +33,7 @@ + + #include <string.h> + ++#include "gstrfuncsprivate.h" + + /** + * SECTION:gvariant +@@ -725,7 +726,7 @@ g_variant_new_variant (GVariant *value) + g_variant_ref_sink (value); + + return g_variant_new_from_children (G_VARIANT_TYPE_VARIANT, +- g_memdup (&value, sizeof value), ++ g_memdup2 (&value, sizeof value), + 1, g_variant_is_trusted (value)); + } + +@@ -1229,7 +1230,7 @@ g_variant_new_fixed_array (const GVariantType *element_type, + return NULL; + } + +- data = g_memdup (elements, n_elements * element_size); ++ data = g_memdup2 (elements, n_elements * element_size); + value = g_variant_new_from_data (array_type, data, + n_elements * element_size, + FALSE, g_free, data); +@@ -1908,7 +1909,7 @@ g_variant_dup_bytestring (GVariant *value, + if (length) + *length = size; + +- return g_memdup (original, size + 1); ++ return g_memdup2 (original, size + 1); + } + + /** +diff 
--git a/glib/gvarianttype.c b/glib/gvarianttype.c +index c46f1a2c6..585e29ab2 100644 +--- a/glib/gvarianttype.c ++++ b/glib/gvarianttype.c +@@ -28,6 +28,7 @@ + + #include <string.h> + ++#include "gstrfuncsprivate.h" + + /** + * SECTION:gvarianttype +@@ -1181,7 +1182,7 @@ g_variant_type_new_tuple (const GVariantType * const *items, + g_assert (offset < sizeof buffer); + buffer[offset++] = ')'; + +- return (GVariantType *) g_memdup (buffer, offset); ++ return (GVariantType *) g_memdup2 (buffer, offset); + } + + /** +diff --git a/glib/meson.build b/glib/meson.build +index 456e0c2a1..2e5cd77bb 100644 +--- a/glib/meson.build ++++ b/glib/meson.build +@@ -268,6 +268,7 @@ glib_sources = files( + 'gslist.c', + 'gstdio.c', + 'gstrfuncs.c', ++ 'gstrfuncsprivate.h', + 'gstring.c', + 'gstringchunk.c', + 'gtestutils.c', +diff --git a/glib/tests/array-test.c b/glib/tests/array-test.c +index 1da514a3e..88f22de80 100644 +--- a/glib/tests/array-test.c ++++ b/glib/tests/array-test.c +@@ -29,6 +29,8 @@ + #include <string.h> + #include "glib.h" + ++#include "gstrfuncsprivate.h" ++ + /* Test data to be passed to any function which calls g_array_new(), providing + * the parameters for that call. Most #GArray tests should be repeated for all + * possible values of #ArrayTestData. */ +@@ -1917,7 +1919,7 @@ byte_array_new_take (void) + GByteArray *gbarray; + guint8 *data; + +- data = g_memdup ("woooweeewow", 11); ++ data = g_memdup2 ("woooweeewow", 11); + gbarray = g_byte_array_new_take (data, 11); + g_assert (gbarray->data == data); + g_assert_cmpuint (gbarray->len, ==, 11); +diff --git a/glib/tests/io-channel.c b/glib/tests/io-channel.c +index ff53fcef7..4a1b10876 100644 +--- a/glib/tests/io-channel.c ++++ b/glib/tests/io-channel.c +@@ -49,8 +49,10 @@ test_read_line_embedded_nuls (void) + channel = g_io_channel_new_file (filename, "r", &local_error); + g_assert_no_error (local_error); + +- /* Only break on newline characters, not nuls. 
*/ +- g_io_channel_set_line_term (channel, "\n", 1); ++ /* Only break on newline characters, not nuls. ++ * Use length -1 here to exercise glib#2323; the case where length > 0 ++ * is covered in glib/tests/protocol.c. */ ++ g_io_channel_set_line_term (channel, "\n", -1); + g_io_channel_set_encoding (channel, NULL, &local_error); + g_assert_no_error (local_error); + +diff --git a/glib/tests/option-context.c b/glib/tests/option-context.c +index 149d22353..88d2b80d1 100644 +--- a/glib/tests/option-context.c ++++ b/glib/tests/option-context.c +@@ -27,6 +27,8 @@ + #include <string.h> + #include <locale.h> + ++#include "gstrfuncsprivate.h" ++ + static GOptionEntry main_entries[] = { + { "main-switch", 0, 0, + G_OPTION_ARG_NONE, NULL, +@@ -256,7 +258,7 @@ join_stringv (int argc, char **argv) + static char ** + copy_stringv (char **argv, int argc) + { +- return g_memdup (argv, sizeof (char *) * (argc + 1)); ++ return g_memdup2 (argv, sizeof (char *) * (argc + 1)); + } + + static void +@@ -2323,7 +2325,7 @@ test_group_parse (void) + g_option_context_add_group (context, group); + + argv = split_string ("program --test arg1 -f arg2 --group-test arg3 --frob arg4 -z arg5", &argc); +- orig_argv = g_memdup (argv, (argc + 1) * sizeof (char *)); ++ orig_argv = g_memdup2 (argv, (argc + 1) * sizeof (char *)); + + retval = g_option_context_parse (context, &argc, &argv, &error); + +diff --git a/glib/tests/strfuncs.c b/glib/tests/strfuncs.c +index e1f9619c7..d968afff9 100644 +--- a/glib/tests/strfuncs.c ++++ b/glib/tests/strfuncs.c +@@ -32,6 +32,8 @@ + #include <string.h> + #include "glib.h" + ++#include "gstrfuncsprivate.h" ++ + #if defined (_MSC_VER) && (_MSC_VER <= 1800) + #define isnan(x) _isnan(x) + +@@ -219,6 +221,26 @@ test_memdup (void) + g_free (str_dup); + } + ++/* Testing g_memdup2() function with various positive and negative cases */ ++static void ++test_memdup2 (void) ++{ ++ gchar *str_dup = NULL; ++ const gchar *str = "The quick brown fox jumps over the lazy dog"; ++ ++ 
/* Testing negative cases */ ++ g_assert_null (g_memdup2 (NULL, 1024)); ++ g_assert_null (g_memdup2 (str, 0)); ++ g_assert_null (g_memdup2 (NULL, 0)); ++ ++ /* Testing normal usage cases */ ++ str_dup = g_memdup2 (str, strlen (str) + 1); ++ g_assert_nonnull (str_dup); ++ g_assert_cmpstr (str, ==, str_dup); ++ ++ g_free (str_dup); ++} ++ + /* Testing g_strpcpy() function with various positive and negative cases */ + static void + test_stpcpy (void) +@@ -2523,6 +2545,7 @@ main (int argc, + g_test_add_func ("/strfuncs/has-prefix", test_has_prefix); + g_test_add_func ("/strfuncs/has-suffix", test_has_suffix); + g_test_add_func ("/strfuncs/memdup", test_memdup); ++ g_test_add_func ("/strfuncs/memdup2", test_memdup2); + g_test_add_func ("/strfuncs/stpcpy", test_stpcpy); + g_test_add_func ("/strfuncs/str_match_string", test_str_match_string); + g_test_add_func ("/strfuncs/str_tokenize_and_fold", test_str_tokenize_and_fold); +diff --git a/gobject/gsignal.c b/gobject/gsignal.c +index 45effa92d..effbfec62 100644 +--- a/gobject/gsignal.c ++++ b/gobject/gsignal.c +@@ -28,6 +28,7 @@ + #include <signal.h> + + #include "gsignal.h" ++#include "gstrfuncsprivate.h" + #include "gtype-private.h" + #include "gbsearcharray.h" + #include "gvaluecollector.h" +@@ -1809,7 +1810,7 @@ g_signal_newv (const gchar *signal_name, + node->single_va_closure_is_valid = FALSE; + node->flags = signal_flags & G_SIGNAL_FLAGS_MASK; + node->n_params = n_params; +- node->param_types = g_memdup (param_types, sizeof (GType) * n_params); ++ node->param_types = g_memdup2 (param_types, sizeof (GType) * n_params); + node->return_type = return_type; + node->class_closure_bsa = NULL; + if (accumulator) +diff --git a/gobject/gtype.c b/gobject/gtype.c +index b5ef2d11e..8d152dccc 100644 +--- a/gobject/gtype.c ++++ b/gobject/gtype.c +@@ -33,6 +33,7 @@ + + #include "glib-private.h" + #include "gconstructor.h" ++#include "gstrfuncsprivate.h" + + #ifdef G_OS_WIN32 + #include <windows.h> +@@ -1470,7 +1471,7 @@ 
type_add_interface_Wm (TypeNode *node, + iholder->next = iface_node_get_holders_L (iface); + iface_node_set_holders_W (iface, iholder); + iholder->instance_type = NODE_TYPE (node); +- iholder->info = info ? g_memdup (info, sizeof (*info)) : NULL; ++ iholder->info = info ? g_memdup2 (info, sizeof (*info)) : NULL; + iholder->plugin = plugin; + + /* create an iface entry for this type */ +@@ -1731,7 +1732,7 @@ type_iface_retrieve_holder_info_Wm (TypeNode *iface, + INVALID_RECURSION ("g_type_plugin_*", iholder->plugin, NODE_NAME (iface)); + + check_interface_info_I (iface, instance_type, &tmp_info); +- iholder->info = g_memdup (&tmp_info, sizeof (tmp_info)); ++ iholder->info = g_memdup2 (&tmp_info, sizeof (tmp_info)); + } + + return iholder; /* we don't modify write lock upon returning NULL */ +@@ -2016,10 +2017,10 @@ type_iface_vtable_base_init_Wm (TypeNode *iface, + IFaceEntry *pentry = type_lookup_iface_entry_L (pnode, iface); + + if (pentry) +- vtable = g_memdup (pentry->vtable, iface->data->iface.vtable_size); ++ vtable = g_memdup2 (pentry->vtable, iface->data->iface.vtable_size); + } + if (!vtable) +- vtable = g_memdup (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); ++ vtable = g_memdup2 (iface->data->iface.dflt_vtable, iface->data->iface.vtable_size); + entry->vtable = vtable; + vtable->g_type = NODE_TYPE (iface); + vtable->g_instance_type = NODE_TYPE (node); +diff --git a/gobject/gtypemodule.c b/gobject/gtypemodule.c +index 4ecaf8c88..20911fafd 100644 +--- a/gobject/gtypemodule.c ++++ b/gobject/gtypemodule.c +@@ -19,6 +19,7 @@ + + #include <stdlib.h> + ++#include "gstrfuncsprivate.h" + #include "gtypeplugin.h" + #include "gtypemodule.h" + +@@ -436,7 +437,7 @@ g_type_module_register_type (GTypeModule *module, + module_type_info->loaded = TRUE; + module_type_info->info = *type_info; + if (type_info->value_table) +- module_type_info->info.value_table = g_memdup (type_info->value_table, ++ module_type_info->info.value_table = g_memdup2 
(type_info->value_table, + sizeof (GTypeValueTable)); + + return module_type_info->type; +diff --git a/gobject/tests/param.c b/gobject/tests/param.c +index 93c3f4b94..0a77e51b7 100644 +--- a/gobject/tests/param.c ++++ b/gobject/tests/param.c +@@ -2,6 +2,8 @@ + #include <glib-object.h> + #include <stdlib.h> + ++#include "gstrfuncsprivate.h" ++ + static void + test_param_value (void) + { +@@ -874,7 +876,7 @@ main (int argc, char *argv[]) + test_path = g_strdup_printf ("/param/implement/subprocess/%d-%d-%d-%d", + data.change_this_flag, data.change_this_type, + data.use_this_flag, data.use_this_type); +- test_data = g_memdup (&data, sizeof (TestParamImplementData)); ++ test_data = g_memdup2 (&data, sizeof (TestParamImplementData)); + g_test_add_data_func_full (test_path, test_data, test_param_implement_child, g_free); + g_free (test_path); + } diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb index b9462bc945..ed7b649dc6 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.64.5.bb @@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \ file://tzdata-update.patch \ file://CVE-2020-35457.patch \ + file://CVE-2021-27219.patch \ " SRC_URI_append_class-native = " file://relocate-modules.patch" diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc index e48b5cb67b..71777bc459 100644 --- a/meta/recipes-core/glib-2.0/glib.inc +++ b/meta/recipes-core/glib-2.0/glib.inc 
@@ -34,10 +34,6 @@ DEPENDS_append_class-target = "${@' gtk-doc' if d.getVar('GTKDOC_ENABLED') == 'T
 GTKDOC_MESON_OPTION = "gtk_doc"
-# This avoids the need to depend on target python3, which in case of mingw is not even possible.
-# meson's python configuration pokes into python3 configuration, so this provides the native config to it.
-unset _PYTHON_SYSCONFIGDATA_NAME
-
 S = "${WORKDIR}/glib-${PV}"
 PACKAGECONFIG ??= "system-pcre libmount \
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 1566056297..84d199bb1d 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.32/master"
 PV = "2.32"
-SRCREV_glibc ?= "3de512be7ea6053255afed6154db9ee31d4e557a"
+SRCREV_glibc ?= "44b395932961a29825da4ad025124a6760858d9c"
 SRCREV_localedef ?= "bd644c9e6f3e20c5504da1488448173c69c56c28"
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch b/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
deleted file mode 100644
index 987e959db2..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2019-25013.patch
+++ /dev/null
@@ -1,137 +0,0 @@ -From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001 -From: Andreas Schwab <schwab@suse.de> -Date: Mon, 21 Dec 2020 08:56:43 +0530 -Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973) - -The byte 0xfe as input to the EUC-KR conversion denotes a user-defined -area and is not allowed. The from_euc_kr function used to skip two bytes -when told to skip over the unknown designation, potentially running over -the buffer end. - -Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=patch;h=ee7a3144c9922808181009b7b3e50e852fb4999b] -CVE: CVE-2019-25013 -Signed-off-by: Scott Murray <scott.murray@konsulko.com> ---- - iconvdata/Makefile | 3 ++- - iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++ - iconvdata/euc-kr.c | 6 +---- - iconvdata/ksc5601.h | 6 ++--- - 4 files changed, 59 insertions(+), 9 deletions(-) - create mode 100644 iconvdata/bug-iconv13.c - -diff --git a/iconvdata/Makefile b/iconvdata/Makefile -index 4ec2741cdc..85009f3390 100644 ---- a/iconvdata/Makefile -+++ b/iconvdata/Makefile -@@ -73,7 +73,8 @@ modules.so := $(addsuffix .so, $(modules)) - ifeq (yes,$(build-shared)) - tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \ - tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ -- bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 -+ bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \ -+ bug-iconv13 - ifeq ($(have-thread-library),yes) - tests += bug-iconv3 - endif -diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c -new file mode 100644 -index 0000000000..87aaff398e ---- /dev/null -+++ b/iconvdata/bug-iconv13.c -@@ -0,0 +1,53 @@ -+/* bug 24973: Test EUC-KR module -+ Copyright (C) 2020 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. 
-+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ <https://www.gnu.org/licenses/>. */ -+ -+#include <errno.h> -+#include <iconv.h> -+#include <stdio.h> -+#include <support/check.h> -+ -+static int -+do_test (void) -+{ -+ iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR"); -+ TEST_VERIFY_EXIT (cd != (iconv_t) -1); -+ -+ /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined -+ areas, which are not allowed and should be skipped over due to -+ //IGNORE. The trailing 0xfe also is an incomplete sequence, which -+ should be checked first. */ -+ char input[4] = { '\xc9', '\xa1', '\0', '\xfe' }; -+ char *inptr = input; -+ size_t insize = sizeof (input); -+ char output[4]; -+ char *outptr = output; -+ size_t outsize = sizeof (output); -+ -+ /* This used to crash due to buffer overrun. */ -+ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1); -+ TEST_VERIFY (errno == EINVAL); -+ /* The conversion should produce one character, the converted null -+ character. 
*/ -+ TEST_VERIFY (sizeof (output) - outsize == 1); -+ -+ TEST_VERIFY_EXIT (iconv_close (cd) != -1); -+ -+ return 0; -+} -+ -+#include <support/test-driver.c> -diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c -index b0d56cf3ee..1045bae926 100644 ---- a/iconvdata/euc-kr.c -+++ b/iconvdata/euc-kr.c -@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp) - \ - if (ch <= 0x9f) \ - ++inptr; \ -- /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \ -- user-defined areas. */ \ -- else if (__builtin_expect (ch == 0xa0, 0) \ -- || __builtin_expect (ch > 0xfe, 0) \ -- || __builtin_expect (ch == 0xc9, 0)) \ -+ else if (__glibc_unlikely (ch == 0xa0)) \ - { \ - /* This is illegal. */ \ - STANDARD_FROM_LOOP_ERR_HANDLER (1); \ -diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h -index d3eb3a4ff8..f5cdc72797 100644 ---- a/iconvdata/ksc5601.h -+++ b/iconvdata/ksc5601.h -@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset) - unsigned char ch2; - int idx; - -+ if (avail < 2) -+ return 0; -+ - /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */ - - if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e - || (ch - offset) == 0x49) - return __UNKNOWN_10646_CHAR; - -- if (avail < 2) -- return 0; -- - ch2 = (*s)[1]; - if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f) - return __UNKNOWN_10646_CHAR; --- -2.27.0 - diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb index d43c8c56cb..03aea52508 100644 --- a/meta/recipes-core/glibc/glibc_2.32.bb +++ b/meta/recipes-core/glibc/glibc_2.32.bb @@ -1,7 +1,8 @@ require glibc.inc require glibc-version.inc -CVE_CHECK_WHITELIST += "CVE-2020-10029" +# whitelist CVE's with fixes in latest release/2.32/master branch +CVE_CHECK_WHITELIST += "CVE-2019-25013 CVE-2020-10029 CVE-2020-27618 CVE-2021-27645 CVE-2021-3326" DEPENDS += "gperf-native bison-native make-native" 
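Review bot: The new `CVE_CHECK_WHITELIST` line suppresses five CVE ids on the strength of the comment alone, and the comment does not say which SRCREV_glibc carries the fixes, so a later re-pin or revert of the branch would keep these ids hidden from cve-check with nothing to flag the mismatch. I would tie the two together in the comment, e.g. `# whitelist CVEs fixed in release/2.32/master as of the SRCREV_glibc in glibc-version.inc; re-check this list whenever that revision changes`. It is also worth stating that CVE-2019-25013 is listed because its standalone patch is dropped in the next hunk in favour of the branch update, so the audit trail for that id survives in the recipe.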
@@ -46,7 +47,6 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0031-linux-Allow-adjtime-with-NULL-argument-BZ-26833.patch \ file://CVE-2020-29562.patch \ file://CVE-2020-29573.patch \ - file://CVE-2019-25013.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}" diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 7f87c065db..9e944a2534 100644 --- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -22,9 +22,9 @@ APPEND += "rootfstype=ext4 quiet" DEPENDS = "zip-native python3-pip-native" IMAGE_FSTYPES = "wic.vmdk" -inherit core-image module-base setuptools3 +inherit core-image setuptools3 -SRCREV ?= "76dac9d657f3b2864dec3bfcd2ee392fafdcdfe6" +SRCREV ?= "79c4792da2b400431c09d9a2f53efd4443812281" SRC_URI = "git://git.yoctoproject.org/poky;branch=gatesgarth \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ @@ -61,12 +61,6 @@ fakeroot do_populate_poky_src () { # Place the README_VirtualBox_Toaster file in builders home folder. cp ${WORKDIR}/README_VirtualBox_Toaster.txt ${IMAGE_ROOTFS}/home/builder/ - # Create a symlink, needed for out-of-tree kernel modules build - if [ ! -e ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build ]; then - rm -f ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build - lnr ${IMAGE_ROOTFS}${KERNEL_SRC_PATH} ${IMAGE_ROOTFS}/lib/modules/${KERNEL_VERSION}/build - fi - echo "INHERIT += \"rm_work\"" >> ${IMAGE_ROOTFS}/home/builder/poky/build/conf/auto.conf echo "export LC_ALL=en_US.utf8" >> ${IMAGE_ROOTFS}/home/builder/.bashrc diff --git a/meta/recipes-core/initrdscripts/files/init-install-efi.sh b/meta/recipes-core/initrdscripts/files/init-install-efi.sh index b6855b5aac..f667518b89 100644 --- a/meta/recipes-core/initrdscripts/files/init-install-efi.sh +++ b/meta/recipes-core/initrdscripts/files/init-install-efi.sh 
@@ -279,6 +279,11 @@ fi
 umount /tgt_root
+# copy any extra files needed for ESP
+if [ -d /run/media/$1/esp ]; then
+ cp -r /run/media/$1/esp/* /boot
+fi
+
 # Copy kernel artifacts. To add more artifacts just add to types
 # For now just support kernel types already being used by something in OE-core
 for types in bzImage zImage vmlinux vmlinuz fitImage; do
diff --git a/meta/recipes-core/meta/buildtools-extended-tarball.bb b/meta/recipes-core/meta/buildtools-extended-tarball.bb
index 0816486754..83e3fddccc 100644
--- a/meta/recipes-core/meta/buildtools-extended-tarball.bb
+++ b/meta/recipes-core/meta/buildtools-extended-tarball.bb
@@ -28,11 +28,21 @@ TOOLCHAIN_HOST_TASK += "\
 nativesdk-libtool \
 nativesdk-pkgconfig \
 nativesdk-glibc-utils \
+ nativesdk-glibc-gconv-ibm850 \
+ nativesdk-glibc-gconv-iso8859-1 \
+ nativesdk-glibc-gconv-utf-16 \
+ nativesdk-glibc-gconv-cp1250 \
+ nativesdk-glibc-gconv-cp1251 \
+ nativesdk-glibc-gconv-cp1252 \
+ nativesdk-glibc-gconv-euc-jp \
+ nativesdk-glibc-gconv-libjis \
 nativesdk-libxcrypt-dev \
 nativesdk-parted \
 nativesdk-dosfstools \
 nativesdk-gptfdisk \
 "
+# gconv-cp1250, cp1251 and euc-jp needed for iconv to work in vim builds
+# also copied list from uninative
 TOOLCHAIN_OUTPUTNAME = "${SDK_ARCH}-buildtools-extended-nativesdk-standalone-${DISTRO_VERSION}"
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index cf62e1e32c..b073936298 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
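Review bot: `$1` is unquoted in both new lines and the `*` glob stays literal when the esp directory exists but is empty, so `cp` then fails on a path named `/run/media/$1/esp/*`; quoting and copying the directory contents as a whole avoids both: `if [ -d "/run/media/$1/esp" ]; then` and `cp -r "/run/media/$1/esp/." /boot` (the `/.` form also picks up dotfiles, which `*` skips). Because this copies whatever the install medium carries straight over the ESP and overwrites same-named boot files already placed there, a one-line comment saying so would help the next reader. The `for types` loop that follows continues outside the hunk.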
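Review bot: The new comment names only cp1250, cp1251 and euc-jp while the hunk adds eight gconv packages, and it sits after the closing quote rather than beside the entries it explains; moving it above the `nativesdk-glibc-gconv-ibm850` line and covering the whole set, e.g. `# gconv modules: cp1250/cp1251/euc-jp for iconv in vim builds, the rest mirror the uninative list`, keeps it accurate and next to the code.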
@@ -138,14 +138,24 @@ def parse_node_and_insert(c, node, cveId):
 for cpe in node.get('cpe_match', ()):
 if not cpe['vulnerable']:
 return
- cpe23 = cpe['cpe23Uri'].split(':')
+ cpe23 = cpe.get('cpe23Uri')
+ if not cpe23:
+ return
+ cpe23 = cpe23.split(':')
+ if len(cpe23) < 6:
+ return
 vendor = cpe23[3]
 product = cpe23[4]
 version = cpe23[5]
+ if cpe23[6] == '*' or cpe23[6] == '-':
+ version_suffix = ""
+ else:
+ version_suffix = "_" + cpe23[6]
+
 if version != '*' and version != '-':
 # Version is defined, this is a '=' match
- yield [cveId, vendor, product, version, '=', '', '']
+ yield [cveId, vendor, product, version + version_suffix, '=', '', '']
 elif version == '-':
 # no version information is available
 yield [cveId, vendor, product, version, '', '', '']
diff --git a/meta/recipes-core/ncurses/ncurses.inc b/meta/recipes-core/ncurses/ncurses.inc
index fe4e8a5d6e..ef59bc3b0a 100644
--- a/meta/recipes-core/ncurses/ncurses.inc
+++ b/meta/recipes-core/ncurses/ncurses.inc
@@ -324,3 +324,8 @@ FILES_${PN}-terminfo-base = "\
 RSUGGESTS_${PN}-libtinfo = "${PN}-terminfo"
 RRECOMMENDS_${PN}-libtinfo = "${PN}-terminfo-base"
+
+# Putting terminfo into the sysroot adds around 2800 files to
+# each recipe specific sysroot. We can live without this, particularly
+# as many recipes may have native and target copies.
+SYSROOT_DIRS_remove = "${datadir}"
diff --git a/meta/recipes-core/ovmf/ovmf-shell-image.bb b/meta/recipes-core/ovmf/ovmf-shell-image.bb
index 0d2b8bf52f..fd4fb5b732 100644
--- a/meta/recipes-core/ovmf/ovmf-shell-image.bb
+++ b/meta/recipes-core/ovmf/ovmf-shell-image.bb
@@ -1,4 +1,5 @@
 DESCRIPTION = "boot image with UEFI shell and tools"
+COMPATIBLE_HOST_class-target='(i.86|x86_64).*'
 # For this image recipe, only the wic format with a
 # single vfat partition makes sense. Because we have no
diff --git a/meta/recipes-core/systemd/systemd-conf/wired.network b/meta/recipes-core/systemd/systemd-conf/wired.network
index dcf3534596..06d00ea1ba 100644
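Review bot: The new guard `if len(cpe23) < 6:` still lets a six-field string through to the `cpe23[6]` reads a few lines below, which raise IndexError and abort the whole database update; it needs to be `if len(cpe23) < 7:` (a well-formed CPE 2.3 URI has 13 colon-separated fields, so nothing valid is lost). Separately, the two new `return` statements, like the existing one for non-vulnerable entries, end the generator for the entire node, so one malformed cpe_match entry drops every entry after it and the affected CVE is silently left out of the database; `continue` is the skip that was presumably intended, unless giving up on the first bad entry is deliberate, in which case a comment should say so. parse_node_and_insert starts outside the hunk.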
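Review bot: `SYSROOT_DIRS_remove = "${datadir}"` strips the entire ${datadir} from the recipe sysroot, whereas the comment above it only justifies dropping terminfo; anything else this recipe installs under ${datadir} disappears from dependent sysroots as well. If terminfo is all that is meant, `SYSROOT_DIRS_BLACKLIST += "${datadir}/terminfo"` excludes just that subtree; otherwise the comment should state explicitly that nothing else under ${datadir} is needed by dependents.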
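Review bot: `COMPATIBLE_HOST_class-target='(i.86|x86_64).*'` is written without the spaces around `=` that every other assignment on this page uses, including `DESCRIPTION = ...` on the line above it; `COMPATIBLE_HOST_class-target = '(i.86|x86_64).*'` keeps the style consistent. A short comment giving the reason for the restriction (the firmware only targets x86) would also help, since the commit offers none.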
--- a/meta/recipes-core/systemd/systemd-conf/wired.network +++ b/meta/recipes-core/systemd/systemd-conf/wired.network @@ -1,6 +1,7 @@ [Match] Name=en* eth* KernelCommandLine=!nfsroot +KernelCommandLine=!ip [Network] DHCP=yes diff --git a/meta/recipes-core/systemd/systemd-conf_246.9.bb b/meta/recipes-core/systemd/systemd-conf_246.9.bb index d9ec023bfd..9b797a91f4 100644 --- a/meta/recipes-core/systemd/systemd-conf_246.9.bb +++ b/meta/recipes-core/systemd/systemd-conf_246.9.bb @@ -23,9 +23,6 @@ do_install() { # Based on change from YP bug 8141, OE commit 5196d7bacaef1076c361adaa2867be31759c1b52 do_install_append_qemuall() { install -D -m0644 ${WORKDIR}/system.conf-qemuall ${D}${systemd_unitdir}/system.conf.d/01-${PN}.conf - - # Do not install wired.network for qemu bsps - rm -rf ${D}${systemd_unitdir}/network } PACKAGE_ARCH = "${MACHINE_ARCH}" diff --git a/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch new file mode 100644 index 0000000000..89ef39bc3e --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch 
@@ -0,0 +1,227 @@ +From 150d9cade6d475570395cb418b824524dead9577 Mon Sep 17 00:00:00 2001 +From: Joshua Watt <JPEWhacker@gmail.com> +Date: Fri, 30 Oct 2020 08:15:43 -0500 +Subject: [PATCH] logind: Restore chvt as non-root user without polkit + +4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke +the ability to write user sessions that run graphical sessions (e.g. +weston/X11). This was partially amended in 19bb87fbfa ("login: allow +non-console sessions to change vt") by changing the default PolicyKit +policy so that non-root users are again allowed to switch the VT. This +makes the policy when PolKit is not enabled (as on many embedded +systems) match the default PolKit policy and allows launching graphical +sessions as a non-root user. + +Closes #17473 +--- + src/login/logind-dbus.c | 11 ++------- + src/login/logind-polkit.c | 26 +++++++++++++++++++++ + src/login/logind-polkit.h | 10 ++++++++ + src/login/logind-seat-dbus.c | 41 ++++----------------------------- + src/login/logind-session-dbus.c | 11 ++------- + src/login/meson.build | 1 + + 6 files changed, 46 insertions(+), 54 deletions(-) + create mode 100644 src/login/logind-polkit.c + create mode 100644 src/login/logind-polkit.h + +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c +index 0f83ed99bc..a3765d88ba 100644 +--- a/src/login/logind-dbus.c ++++ b/src/login/logind-dbus.c +@@ -30,6 +30,7 @@ + #include "format-util.h" + #include "fs-util.h" + #include "logind-dbus.h" ++#include "logind-polkit.h" + #include "logind-seat-dbus.h" + #include "logind-session-dbus.h" + #include "logind-user-dbus.h" +@@ -1047,15 +1048,7 @@ static int method_activate_session_on_seat(sd_bus_message *message, void *userda + return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, + "Session %s not on seat %s", session_name, seat_name); + +- r = bus_verify_polkit_async( +- message, +- CAP_SYS_ADMIN, +- "org.freedesktop.login1.chvt", +- NULL, +- false, +- UID_INVALID, +- &m->polkit_registry, +- 
error); ++ r = check_polkit_chvt(message, m, error); + if (r < 0) + return r; + if (r == 0) +diff --git a/src/login/logind-polkit.c b/src/login/logind-polkit.c +new file mode 100644 +index 0000000000..9072570cc6 +--- /dev/null ++++ b/src/login/logind-polkit.c +@@ -0,0 +1,26 @@ ++/* SPDX-License-Identifier: LGPL-2.1+ */ ++ ++#include "bus-polkit.h" ++#include "logind-polkit.h" ++#include "missing_capability.h" ++#include "user-util.h" ++ ++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error) { ++#if ENABLE_POLKIT ++ return bus_verify_polkit_async( ++ message, ++ CAP_SYS_ADMIN, ++ "org.freedesktop.login1.chvt", ++ NULL, ++ false, ++ UID_INVALID, ++ &manager->polkit_registry, ++ error); ++#else ++ /* Allow chvt when polkit is not present. This allows a service to start a graphical session as a ++ * non-root user when polkit is not compiled in, matching the default polkit policy */ ++ return 1; ++#endif ++} ++ ++ +diff --git a/src/login/logind-polkit.h b/src/login/logind-polkit.h +new file mode 100644 +index 0000000000..476c077a8a +--- /dev/null ++++ b/src/login/logind-polkit.h +@@ -0,0 +1,10 @@ ++/* SPDX-License-Identifier: LGPL-2.1+ */ ++#pragma once ++ ++#include "sd-bus.h" ++ ++#include "bus-object.h" ++#include "logind.h" ++ ++int check_polkit_chvt(sd_bus_message *message, Manager *manager, sd_bus_error *error); ++ +diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c +index a945132284..f22e9e2734 100644 +--- a/src/login/logind-seat-dbus.c ++++ b/src/login/logind-seat-dbus.c +@@ -9,6 +9,7 @@ + #include "bus-polkit.h" + #include "bus-util.h" + #include "logind-dbus.h" ++#include "logind-polkit.h" + #include "logind-seat-dbus.h" + #include "logind-seat.h" + #include "logind-session-dbus.h" +@@ -179,15 +180,7 @@ static int method_activate_session(sd_bus_message *message, void *userdata, sd_b + if (session->seat != s) + return sd_bus_error_setf(error, BUS_ERROR_SESSION_NOT_ON_SEAT, "Session %s not on seat %s", name, 
s->id); + +- r = bus_verify_polkit_async( +- message, +- CAP_SYS_ADMIN, +- "org.freedesktop.login1.chvt", +- NULL, +- false, +- UID_INVALID, +- &s->manager->polkit_registry, +- error); ++ r = check_polkit_chvt(message, s->manager, error); + if (r < 0) + return r; + if (r == 0) +@@ -215,15 +208,7 @@ static int method_switch_to(sd_bus_message *message, void *userdata, sd_bus_erro + if (to <= 0) + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid virtual terminal"); + +- r = bus_verify_polkit_async( +- message, +- CAP_SYS_ADMIN, +- "org.freedesktop.login1.chvt", +- NULL, +- false, +- UID_INVALID, +- &s->manager->polkit_registry, +- error); ++ r = check_polkit_chvt(message, s->manager, error); + if (r < 0) + return r; + if (r == 0) +@@ -243,15 +228,7 @@ static int method_switch_to_next(sd_bus_message *message, void *userdata, sd_bus + assert(message); + assert(s); + +- r = bus_verify_polkit_async( +- message, +- CAP_SYS_ADMIN, +- "org.freedesktop.login1.chvt", +- NULL, +- false, +- UID_INVALID, +- &s->manager->polkit_registry, +- error); ++ r = check_polkit_chvt(message, s->manager, error); + if (r < 0) + return r; + if (r == 0) +@@ -271,15 +248,7 @@ static int method_switch_to_previous(sd_bus_message *message, void *userdata, sd + assert(message); + assert(s); + +- r = bus_verify_polkit_async( +- message, +- CAP_SYS_ADMIN, +- "org.freedesktop.login1.chvt", +- NULL, +- false, +- UID_INVALID, +- &s->manager->polkit_registry, +- error); ++ r = check_polkit_chvt(message, s->manager, error); + if (r < 0) + return r; + if (r == 0) +diff --git a/src/login/logind-session-dbus.c b/src/login/logind-session-dbus.c +index ccc5ac8df2..57c8a4e900 100644 +--- a/src/login/logind-session-dbus.c ++++ b/src/login/logind-session-dbus.c +@@ -11,6 +11,7 @@ + #include "fd-util.h" + #include "logind-brightness.h" + #include "logind-dbus.h" ++#include "logind-polkit.h" + #include "logind-seat-dbus.h" + #include "logind-session-dbus.h" + #include "logind-session-device.h" +@@ 
-192,15 +193,7 @@ int bus_session_method_activate(sd_bus_message *message, void *userdata, sd_bus_ + assert(message); + assert(s); + +- r = bus_verify_polkit_async( +- message, +- CAP_SYS_ADMIN, +- "org.freedesktop.login1.chvt", +- NULL, +- false, +- UID_INVALID, +- &s->manager->polkit_registry, +- error); ++ r = check_polkit_chvt(message, s->manager, error); + if (r < 0) + return r; + if (r == 0) +diff --git a/src/login/meson.build b/src/login/meson.build +index 0a7d3d5440..7e46be2add 100644 +--- a/src/login/meson.build ++++ b/src/login/meson.build +@@ -26,6 +26,7 @@ liblogind_core_sources = files(''' + logind-device.h + logind-inhibit.c + logind-inhibit.h ++ logind-polkit.c + logind-seat-dbus.c + logind-seat-dbus.h + logind-seat.c +-- +2.28.0 + diff --git a/meta/recipes-core/systemd/systemd_246.9.bb b/meta/recipes-core/systemd/systemd_246.9.bb index 9215adf8dc..6524b8216a 100644 --- a/meta/recipes-core/systemd/systemd_246.9.bb +++ b/meta/recipes-core/systemd/systemd_246.9.bb @@ -21,6 +21,7 @@ SRC_URI += "file://touchscreen.rules \ file://0001-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ file://0003-implment-systemd-sysv-install-for-OE.patch \ file://0001-systemd.pc.in-use-ROOTPREFIX-without-suffixed-slash.patch \ + file://0001-logind-Restore-chvt-as-non-root-user-without-polkit.patch \ " # patches needed by musl @@ -134,7 +135,7 @@ PACKAGECONFIG[hibernate] = "-Dhibernate=true,-Dhibernate=false" PACKAGECONFIG[hostnamed] = "-Dhostnamed=true,-Dhostnamed=false" PACKAGECONFIG[idn] = "-Didn=true,-Didn=false" PACKAGECONFIG[ima] = "-Dima=true,-Dima=false" -# importd requires curl/xz/zlib/bzip2/gcrypt +# importd requires journal-upload/xz/zlib/bzip2/gcrypt PACKAGECONFIG[importd] = "-Dimportd=true,-Dimportd=false" # Update NAT firewall rules PACKAGECONFIG[iptc] = "-Dlibiptc=true,-Dlibiptc=false,iptables" 
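Review bot: The patch header lacks the `Upstream-Status:` line (and a `Signed-off-by:`) that the other patches in this series carry and that the layer's patch convention requires; the body cites a closed issue, so `Upstream-Status: Backport [<upstream commit id or PR link>]` with the real reference belongs before the `---` separator. In logind-polkit.c the `#else` branch returns 1 for every caller, so with polkit compiled out any local bus client can activate sessions or switch VTs through the six call sites this patch rewires, whereas the replaced bus_verify_polkit_async() call, as far as I recall, still granted CAP_SYS_ADMIN callers and denied the rest; the in-code comment should state that widening explicitly, e.g. `/* No polkit: grant chvt to every bus caller, not only CAP_SYS_ADMIN — intentional, matches the default polkit policy */`. The new .c and .h files also end with stray blank lines (two `+` lines after the closing brace, one after the prototype) that should be trimmed.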
@@ -357,15 +358,15 @@ USERADD_PACKAGES = "${PN} ${PN}-extra-utils \ ${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \ " GROUPADD_PARAM_${PN} = "-r systemd-journal" -USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /bin/nologin systemd-coredump;', '', d)}" -USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /bin/nologin systemd-network;', '', d)}" +USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}" +USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}" USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}" -USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'resolved', '--system -d / -M --shell /bin/nologin systemd-resolve;', '', d)}" -USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'timesyncd', '--system -d / -M --shell /bin/nologin systemd-timesync;', '', d)}" -USERADD_PARAM_${PN}-extra-utils = "--system -d / -M --shell /bin/nologin systemd-bus-proxy" -USERADD_PARAM_${PN}-journal-gateway = "--system -d / -M --shell /bin/nologin systemd-journal-gateway" -USERADD_PARAM_${PN}-journal-remote = "--system -d / -M --shell /bin/nologin systemd-journal-remote" -USERADD_PARAM_${PN}-journal-upload = "--system -d / -M --shell /bin/nologin systemd-journal-upload" +USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'resolved', '--system -d / -M --shell /sbin/nologin systemd-resolve;', '', d)}" +USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'timesyncd', '--system -d / -M --shell /sbin/nologin systemd-timesync;', '', d)}" +USERADD_PARAM_${PN}-extra-utils = "--system -d / -M --shell /sbin/nologin 
systemd-bus-proxy" +USERADD_PARAM_${PN}-journal-gateway = "--system -d / -M --shell /sbin/nologin systemd-journal-gateway" +USERADD_PARAM_${PN}-journal-remote = "--system -d / -M --shell /sbin/nologin systemd-journal-remote" +USERADD_PARAM_${PN}-journal-upload = "--system -d / -M --shell /sbin/nologin systemd-journal-upload" FILES_${PN}-analyze = "${bindir}/systemd-analyze" diff --git a/meta/recipes-devtools/binutils/binutils-2.35.1.inc b/meta/recipes-devtools/binutils/binutils-2.35.1.inc index 775af2b8f2..6290d5b191 100644 --- a/meta/recipes-devtools/binutils/binutils-2.35.1.inc +++ b/meta/recipes-devtools/binutils/binutils-2.35.1.inc @@ -44,5 +44,6 @@ SRC_URI = "\ file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \ file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \ file://CVE-2020-35448.patch \ + file://0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch \ " S = "${WORKDIR}/git" diff --git a/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch b/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch new file mode 100644 index 0000000000..f46415f440 --- /dev/null +++ b/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch 
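Review bot: The shell is now hard-coded as `/sbin/nologin` in eight USERADD_PARAM lines, while the unchanged polkitd line in the same hunk uses a variable for its path (`${sysconfdir}/polkit-1`); `${base_sbindir}/nologin` would follow that convention and stay correct if the directory layout differs. A one-line comment above the block saying where nologin is installed on target and why the path moved from /bin would save the next reader a search, since the commit gives no reason for the change.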
@@ -0,0 +1,41 @@ +From de24fc96bf24fca470a9ca13176ad9ad9cc4d5a9 Mon Sep 17 00:00:00 2001 +From: Nick Gasson <nick.gasson@arm.com> +Date: Mon, 2 Nov 2020 12:02:05 +0800 +Subject: [PATCH] gold: ensure file_counts_lock is initialized before using + +Since upgrading to binutils 2.35 I've been experiencing random memory +corruption related crashes with ld.gold --threads. It's caused by +multiple threads concurrently pushing elements onto the shared +std::vector in File_read::record_file_read(). This vector is supposed to +be protected by file_counts_lock, but that is initialized lazily and +might be NULL when File_read::open() is called, in which case +Hold_optional_lock silently skips locking it. + +Fix by calling the initialize() method before attempting to acquire the +lock, the same as other places that use file_counts_lock. + + PR 26827 + * fileread.cc (File_read::open): Ensure file_counts_lock is + initialized. + * testsuite/Makefile.am (check_PROGRAMS): Add a test that passes + -Wl,--threads. + * testsuite/Makefile.in: Regenerate. + +Upstream-Status: Backport [af61e84fd2d from 2.36.0] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + gold/fileread.cc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/gold/fileread.cc b/gold/fileread.cc +index f5ca719360d..0b5228e2afd 100644 +--- a/gold/fileread.cc ++++ b/gold/fileread.cc +@@ -212,6 +212,7 @@ File_read::open(const Task* task, const std::string& name) + gold_debug(DEBUG_FILES, "Attempt to open %s succeeded", + this->name_.c_str()); + this->token_.add_writer(task); ++ file_counts_initialize_lock.initialize(); + Hold_optional_lock hl(file_counts_lock); + record_file_read(this->name_); + } diff --git a/meta/recipes-devtools/bison/bison/0001-Use-mapped-file-name-for-symbols.patch b/meta/recipes-devtools/bison/bison/0001-Use-mapped-file-name-for-symbols.patch new file mode 100644 index 0000000000..568ee4df19 --- /dev/null +++ b/meta/recipes-devtools/bison/bison/0001-Use-mapped-file-name-for-symbols.patch 
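Review bot: The description's ChangeLog entry lists testsuite changes (`testsuite/Makefile.am` gaining a `-Wl,--threads` test and a regenerated `Makefile.in`), but the backport carries only the one-line `gold/fileread.cc` change, as its diffstat shows; the header should say the testsuite part was dropped so nobody goes looking for the test, e.g. a line `Backported without the testsuite changes.` under the Upstream-Status tag. The code change itself is consistent with the description: `file_counts_initialize_lock.initialize();` now runs before `Hold_optional_lock hl(file_counts_lock);`, which is what stops the lock from being skipped while it is still NULL.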
@@ -0,0 +1,62 @@ +From 2a3db4e3b8d33bad5577c2fcfe124ee7a202ef4f Mon Sep 17 00:00:00 2001 +From: Joshua Watt <JPEWhacker@gmail.com> +Date: Mon, 15 Feb 2021 20:39:57 -0600 +Subject: [PATCH] Use mapped file name for symbols + +Applies the file name mapping before exporting it as a symbol. This +allows the symbols to correctly respect the --file-prefix-map command +line option. + +Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/bison-patches/2021-02/msg00014.html] +--- + src/muscle-tab.c | 4 +++- + src/output.c | 8 ++++++-- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/muscle-tab.c b/src/muscle-tab.c +index b610d0b8..3e7657ca 100644 +--- a/src/muscle-tab.c ++++ b/src/muscle-tab.c +@@ -204,8 +204,10 @@ static void + muscle_syncline_grow (char const *key, location loc) + { + obstack_printf (&muscle_obstack, "]b4_syncline(%d, ", loc.start.line); ++ char *f = map_file_name (loc.start.file); + obstack_quote (&muscle_obstack, +- quotearg_style (c_quoting_style, loc.start.file)); ++ quotearg_style (c_quoting_style, f)); ++ free (f); + obstack_sgrow (&muscle_obstack, ")dnl\n["); + char const *extension = obstack_finish0 (&muscle_obstack); + muscle_grow (key, extension, "", ""); +diff --git a/src/output.c b/src/output.c +index 391d8e65..34dbc671 100644 +--- a/src/output.c ++++ b/src/output.c +@@ -531,7 +531,9 @@ user_actions_output (FILE *out) + { + fprintf (out, "b4_syncline(%d, ", + rules[r].action_loc.start.line); +- string_output (out, rules[r].action_loc.start.file); ++ char *f = map_file_name (rules[r].action_loc.start.file); ++ string_output (out, f); ++ free(f); + fprintf (out, ")dnl\n"); + } + fprintf (out, "[%*s%s]],\n[[", +@@ -629,8 +631,10 @@ prepare_symbol_definitions (void) + + if (p->code) + { ++ char *f = map_file_name (p->location.start.file); + SET_KEY2 (pname, "file"); +- MUSCLE_INSERT_C_STRING (key, p->location.start.file); ++ MUSCLE_INSERT_C_STRING (key, f); ++ free 
(f); + + SET_KEY2 (pname, "line"); + MUSCLE_INSERT_INT (key, p->location.start.line); +-- +2.30.0 + diff --git a/meta/recipes-devtools/bison/bison_3.7.2.bb b/meta/recipes-devtools/bison/bison_3.7.2.bb index ace4ea5c3f..6fd9d288e0 100644 --- a/meta/recipes-devtools/bison/bison_3.7.2.bb +++ b/meta/recipes-devtools/bison/bison_3.7.2.bb @@ -11,6 +11,7 @@ DEPENDS = "bison-native flex-native" SRC_URI = "${GNU_MIRROR}/bison/bison-${PV}.tar.xz \ file://add-with-bisonlocaledir.patch \ + file://0001-Use-mapped-file-name-for-symbols.patch \ " SRC_URI[sha256sum] = "7948d193104d979c0fb0294a1854c73c89d72ae41acfc081826142578a78a91b" diff --git a/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch b/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch new file mode 100644 index 0000000000..c8202b6bd5 --- /dev/null +++ b/meta/recipes-devtools/flex/flex/0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch @@ -0,0 +1,32 @@ +From 440f3f55739468cd26e22f31871eca8cbbd53294 Mon Sep 17 00:00:00 2001 +From: Oleksiy Obitotskyy <oobitots@cisco.com> +Date: Wed, 6 Jan 2021 06:12:14 -0800 +Subject: [PATCH] Emit no #line directives if gen_line_dirs is false + +If we set --noline we should not print line directives. +But setting --noline means gen_line_dirs is false. + +Upstream-Status: Submitted +Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com> +--- + src/buf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/buf.c b/src/buf.c +index 185083c..4439e28 100644 +--- a/src/buf.c ++++ b/src/buf.c +@@ -95,8 +95,8 @@ struct Buf *buf_linedir (struct Buf *buf, const char* filename, int lineno) + const char *src; + size_t tsz; + +- if (gen_line_dirs) +- return buf; ++ if (!gen_line_dirs) ++ return buf; + + tsz = strlen("#line \"\"\n") + /* constant parts */ + 2 * strlen (filename) + /* filename with possibly all backslashes escaped */ +-- +2.26.2.Cisco + 
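Review bot: All three new call sites assume `map_file_name()` returns a heap-allocated copy that is never NULL; a NULL return would be passed straight into `quotearg_style()` / `string_output()` / `MUSCLE_INSERT_C_STRING` before the `free`. That contract is not visible in this hunk, so a short comment at the first use, `/* map_file_name returns a malloc'd copy; free after use.  */`, would document the ownership the code relies on. The `free(f);` in user_actions_output also breaks the GNU spacing used by the adjacent `free (f);` in prepare_symbol_definitions. Since the patch is only Submitted, both are worth fixing before it lands upstream.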
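Review bot: `Upstream-Status: Submitted` carries no reference to where the patch was sent, unlike the bison and git patches in this series, which cite the list archive. OE convention is `Upstream-Status: Submitted [<url or list>]` so the status can later be checked against an upstream merge. The logic change itself, `if (!gen_line_dirs) return buf;`, is the inversion the message describes and matches the `--noline` intent.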
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb index 3d57572865..1d43d2228a 100644 --- a/meta/recipes-devtools/flex/flex_2.6.4.bb +++ b/meta/recipes-devtools/flex/flex_2.6.4.bb @@ -16,6 +16,7 @@ SRC_URI = "https://github.com/westes/flex/releases/download/v${PV}/flex-${PV}.ta ${@bb.utils.contains('PTEST_ENABLED', '1', '', 'file://disable-tests.patch', d)} \ file://0001-build-AC_USE_SYSTEM_EXTENSIONS-in-configure.ac.patch \ file://check-funcs.patch \ + file://0001-Emit-no-line-directives-if-gen_line_dirs-is-false.patch \ " SRC_URI[md5sum] = "2882e3179748cc9f9c23ec593d6adc8d" diff --git a/meta/recipes-devtools/gcc/gcc-sanitizers.inc b/meta/recipes-devtools/gcc/gcc-sanitizers.inc index 668e14a59f..9e643ee277 100644 --- a/meta/recipes-devtools/gcc/gcc-sanitizers.inc +++ b/meta/recipes-devtools/gcc/gcc-sanitizers.inc @@ -35,6 +35,11 @@ do_compile () { do_install () { cd ${B}/${TARGET_SYS}/libsanitizer/ oe_runmake 'DESTDIR=${D}' MULTIBUILDTOP=${B}/${TARGET_SYS}/libsanitizer/ install + if [ -d ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include ]; then + install -d ${D}${libdir}/${TARGET_SYS}/${BINV}/include + mv ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include/* ${D}${libdir}/${TARGET_SYS}/${BINV}/include + rmdir --ignore-fail-on-non-empty -p ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include + fi if [ -d ${D}${infodir} ]; then rmdir --ignore-fail-on-non-empty -p ${D}${infodir} fi @@ -109,4 +114,4 @@ FILES_libtsan-dev += "\ " FILES_libtsan-staticdev += "${libdir}/libtsan.a" -FILES_${PN} = "${libdir}/*.spec ${libdir}/gcc/${TARGET_SYS}/${BINV}/include/sanitizer/*.h" +FILES_${PN} = "${libdir}/*.spec ${libdir}/${TARGET_SYS}/${BINV}/include/sanitizer/*.h" diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc index 544e23c844..3e78254eec 100644 --- a/meta/recipes-devtools/git/git.inc +++ b/meta/recipes-devtools/git/git.inc 
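Review bot: The `mv ${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include/* ...` in do_install fails if the directory exists but is empty, because an unmatched `*` is passed to mv literally and bitbake shell tasks typically run with errexit; the `[ -d ... ]` guard only checks existence. Guarding on content instead, e.g. `d=${D}${libdir}/gcc/${TARGET_SYS}/${BINV}/include` followed by `if [ -d "$d" ] && [ -n "$(ls -A "$d")" ]; then`, or copying the directory itself, avoids that. The paths are also unquoted, which is consistent with the rest of the function but would break if ${D} ever contained spaces. The second hunk's FILES_${PN} update matches the new location.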
@@ -7,7 +7,10 @@ DEPENDS = "openssl curl zlib expat" PROVIDES_append_class-native = " git-replacement-native" SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ - ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages" + ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \ + file://fixsort.patch \ + file://CVE-2021-21300.patch \ +" S = "${WORKDIR}/git-${PV}" diff --git a/meta/recipes-devtools/git/git/CVE-2021-21300.patch b/meta/recipes-devtools/git/git/CVE-2021-21300.patch new file mode 100644 index 0000000000..390570fe78 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2021-21300.patch 
@@ -0,0 +1,304 @@ +From ba07d31bd2140190c4d8c197c9b8a503544b4c29 Mon Sep 17 00:00:00 2001 +From: Minjae Kim <flowrgom@gmail.com> +Date: Sat, 27 Mar 2021 14:05:56 +0900 +Subject: [PATCH] checkout: fix bug that makes checkout follow symlinks in + leading path + +Before checking out a file, we have to confirm that all of its leading +components are real existing directories. And to reduce the number of +lstat() calls in this process, we cache the last leading path known to +contain only directories. However, when a path collision occurs (e.g. +when checking out case-sensitive files in case-insensitive file +systems), a cached path might have its file type changed on disk, +leaving the cache on an invalid state. Normally, this doesn't bring +any bad consequences as we usually check out files in index order, and +therefore, by the time the cached path becomes outdated, we no longer +need it anyway (because all files in that directory would have already +been written). + +But, there are some users of the checkout machinery that do not always +follow the index order. In particular: checkout-index writes the paths +in the same order that they appear on the CLI (or stdin); and the +delayed checkout feature -- used when a long-running filter process +replies with "status=delayed" -- postpones the checkout of some entries, +thus modifying the checkout order. + +When we have to check out an out-of-order entry and the lstat() cache is +invalid (due to a previous path collision), checkout_entry() may end up +using the invalid data and thrusting that the leading components are +real directories when, in reality, they are not. In the best case +scenario, where the directory was replaced by a regular file, the user +will get an error: "fatal: unable to create file 'foo/bar': Not a +directory". But if the directory was replaced by a symlink, checkout +could actually end up following the symlink and writing the file at a +wrong place, even outside the repository. 
Since delayed checkout is +affected by this bug, it could be used by an attacker to write +arbitrary files during the clone of a maliciously crafted repository. + +Some candidate solutions considered were to disable the lstat() cache +during unordered checkouts or sort the entries before passing them to +the checkout machinery. But both ideas include some performance penalty +and they don't future-proof the code against new unordered use cases. + +Instead, we now manually reset the lstat cache whenever we successfully +remove a directory. Note: We are not even checking whether the directory +was the same as the lstat cache points to because we might face a +scenario where the paths refer to the same location but differ due to +case folding, precomposed UTF-8 issues, or the presence of `..` +components in the path. Two regression tests, with case-collisions and +utf8-collisions, are also added for both checkout-index and delayed +checkout. + +Note: to make the previously mentioned clone attack unfeasible, it would +be sufficient to reset the lstat cache only after the remove_subtree() +call inside checkout_entry(). This is the place where we would remove a +directory whose path collides with the path of another entry that we are +currently trying to check out (possibly a symlink). However, in the +interest of a thorough fix that does not leave Git open to +similar-but-not-identical attack vectors, we decided to intercept +all `rmdir()` calls in one fell swoop. + +This addresses CVE-2021-21300. 
+ +Co-authored-by: Johannes Schindelin <johannes.schindelin@gmx.de> +Signed-off-by: Matheus Tavares <matheus.bernardino@usp.br> + +Upstream-Status: Acepted [https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592] +CVE: CVE-2021-21300 +Signed-off-by: Minjae Kim <flowergom@gmail.com> +--- + cache.h | 1 + + compat/mingw.c | 2 ++ + git-compat-util.h | 5 +++++ + symlinks.c | 24 ++++++++++++++++++++ + t/t0021-conversion.sh | 39 ++++++++++++++++++++++++++++++++ + t/t0021/rot13-filter.pl | 21 ++++++++++++++--- + t/t2006-checkout-index-basic.sh | 40 +++++++++++++++++++++++++++++++++ + 7 files changed, 129 insertions(+), 3 deletions(-) + +diff --git a/cache.h b/cache.h +index 6544264..64226c3 100644 +--- a/cache.h ++++ b/cache.h +@@ -1733,6 +1733,7 @@ int has_symlink_leading_path(const char *name, int len); + int threaded_has_symlink_leading_path(struct cache_def *, const char *, int); + int check_leading_path(const char *name, int len); + int has_dirs_only_path(const char *name, int len, int prefix_len); ++extern void invalidate_lstat_cache(void); + void schedule_dir_for_removal(const char *name, int len); + void remove_scheduled_dirs(void); + +diff --git a/compat/mingw.c b/compat/mingw.c +index 8ee0b64..be2b88e 100644 +--- a/compat/mingw.c ++++ b/compat/mingw.c +@@ -364,6 +364,8 @@ int mingw_rmdir(const char *pathname) + ask_yes_no_if_possible("Deletion of directory '%s' failed. 
" + "Should I try again?", pathname)) + ret = _wrmdir(wpathname); ++ if (!ret) ++ invalidate_lstat_cache(); + return ret; + } + +diff --git a/git-compat-util.h b/git-compat-util.h +index 5637114..d983853 100644 +--- a/git-compat-util.h ++++ b/git-compat-util.h +@@ -345,6 +345,11 @@ static inline int noop_core_config(const char *var, const char *value, void *cb) + #define platform_core_config noop_core_config + #endif + ++int lstat_cache_aware_rmdir(const char *path); ++#if !defined(__MINGW32__) && !defined(_MSC_VER) ++#define rmdir lstat_cache_aware_rmdir ++#endif ++ + #ifndef has_dos_drive_prefix + static inline int git_has_dos_drive_prefix(const char *path) + { +diff --git a/symlinks.c b/symlinks.c +index 69d458a..7dbb6b2 100644 +--- a/symlinks.c ++++ b/symlinks.c +@@ -267,6 +267,13 @@ int has_dirs_only_path(const char *name, int len, int prefix_len) + */ + static int threaded_has_dirs_only_path(struct cache_def *cache, const char *name, int len, int prefix_len) + { ++ /* ++ * Note: this function is used by the checkout machinery, which also ++ * takes care to properly reset the cache when it performs an operation ++ * that would leave the cache outdated. If this function starts caching ++ * anything else besides FL_DIR, remember to also invalidate the cache ++ * when creating or deleting paths that might be in the cache. 
++ */ + return lstat_cache(cache, name, len, + FL_DIR|FL_FULLPATH, prefix_len) & + FL_DIR; +@@ -321,3 +328,20 @@ void remove_scheduled_dirs(void) + { + do_remove_scheduled_dirs(0); + } ++ ++void invalidate_lstat_cache(void) ++{ ++ reset_lstat_cache(&default_cache); ++} ++ ++#undef rmdir ++int lstat_cache_aware_rmdir(const char *path) ++{ ++ /* Any change in this function must be made also in `mingw_rmdir()` */ ++ int ret = rmdir(path); ++ ++ if (!ret) ++ invalidate_lstat_cache(); ++ ++ return ret; ++} +diff --git a/t/t0021-conversion.sh b/t/t0021-conversion.sh +index 4bfffa9..c42f51e 100755 +--- a/t/t0021-conversion.sh ++++ b/t/t0021-conversion.sh +@@ -957,4 +957,43 @@ test_expect_success PERL 'invalid file in delayed checkout' ' + grep "error: external filter .* signaled that .unfiltered. is now available although it has not been delayed earlier" git-stderr.log + ' + ++for mode in 'case' 'utf-8' ++do ++ case "$mode" in ++ case) dir='A' symlink='a' mode_prereq='CASE_INSENSITIVE_FS' ;; ++ utf-8) ++ dir=$(printf "\141\314\210") symlink=$(printf "\303\244") ++ mode_prereq='UTF8_NFD_TO_NFC' ;; ++ esac ++ ++ test_expect_success PERL,SYMLINKS,$mode_prereq \ ++ "delayed checkout with $mode-collision don't write to the wrong place" ' ++ test_config_global filter.delay.process \ ++ "\"$TEST_ROOT/rot13-filter.pl\" --always-delay delayed.log clean smudge delay" && ++ test_config_global filter.delay.required true && ++ git init $mode-collision && ++ ( ++ cd $mode-collision && ++ mkdir target-dir && ++ empty_oid=$(printf "" | git hash-object -w --stdin) && ++ symlink_oid=$(printf "%s" "$PWD/target-dir" | git hash-object -w --stdin) && ++ attr_oid=$(echo "$dir/z filter=delay" | git hash-object -w --stdin) && ++ cat >objs <<-EOF && ++ 100644 blob $empty_oid $dir/x ++ 100644 blob $empty_oid $dir/y ++ 100644 blob $empty_oid $dir/z ++ 120000 blob $symlink_oid $symlink ++ 100644 blob $attr_oid .gitattributes ++ EOF ++ git update-index --index-info <objs && ++ git commit -m "test 
commit" ++ ) && ++ git clone $mode-collision $mode-collision-cloned && ++ # Make sure z was really delayed ++ grep "IN: smudge $dir/z .* \\[DELAYED\\]" $mode-collision-cloned/delayed.log && ++ # Should not create $dir/z at $symlink/z ++ test_path_is_missing $mode-collision/target-dir/z ++ ' ++done ++ + test_done +diff --git a/t/t0021/rot13-filter.pl b/t/t0021/rot13-filter.pl +index cd32a82..7bb9376 100644 +--- a/t/t0021/rot13-filter.pl ++++ b/t/t0021/rot13-filter.pl +@@ -2,9 +2,15 @@ + # Example implementation for the Git filter protocol version 2 + # See Documentation/gitattributes.txt, section "Filter Protocol" + # +-# The first argument defines a debug log file that the script write to. +-# All remaining arguments define a list of supported protocol +-# capabilities ("clean", "smudge", etc). ++# Usage: rot13-filter.pl [--always-delay] <log path> <capabilities> ++# ++# Log path defines a debug log file that the script writes to. The ++# subsequent arguments define a list of supported protocol capabilities ++# ("clean", "smudge", etc). ++# ++# When --always-delay is given all pathnames with the "can-delay" flag ++# that don't appear on the list bellow are delayed with a count of 1 ++# (see more below). 
+ # + # This implementation supports special test cases: + # (1) If data with the pathname "clean-write-fail.r" is processed with +@@ -53,6 +59,13 @@ sub gitperllib { + use Git::Packet; + + my $MAX_PACKET_CONTENT_SIZE = 65516; ++ ++my $always_delay = 0; ++if ( $ARGV[0] eq '--always-delay' ) { ++ $always_delay = 1; ++ shift @ARGV; ++} ++ + my $log_file = shift @ARGV; + my @capabilities = @ARGV; + +@@ -134,6 +147,8 @@ sub rot13 { + if ( $buffer eq "can-delay=1" ) { + if ( exists $DELAY{$pathname} and $DELAY{$pathname}{"requested"} == 0 ) { + $DELAY{$pathname}{"requested"} = 1; ++ } elsif ( !exists $DELAY{$pathname} and $always_delay ) { ++ $DELAY{$pathname} = { "requested" => 1, "count" => 1 }; + } + } elsif ($buffer =~ /^(ref|treeish|blob)=/) { + print $debug " $buffer"; +diff --git a/t/t2006-checkout-index-basic.sh b/t/t2006-checkout-index-basic.sh +index 57cbdfe..f223a02 100755 +--- a/t/t2006-checkout-index-basic.sh ++++ b/t/t2006-checkout-index-basic.sh +@@ -21,4 +21,44 @@ test_expect_success 'checkout-index -h in broken repository' ' + test_i18ngrep "[Uu]sage" broken/usage + ' + ++for mode in 'case' 'utf-8' ++do ++ case "$mode" in ++ case) dir='A' symlink='a' mode_prereq='CASE_INSENSITIVE_FS' ;; ++ utf-8) ++ dir=$(printf "\141\314\210") symlink=$(printf "\303\244") ++ mode_prereq='UTF8_NFD_TO_NFC' ;; ++ esac ++ ++ test_expect_success SYMLINKS,$mode_prereq \ ++ "checkout-index with $mode-collision don't write to the wrong place" ' ++ git init $mode-collision && ++ ( ++ cd $mode-collision && ++ mkdir target-dir && ++ empty_obj_hex=$(git hash-object -w --stdin </dev/null) && ++ symlink_hex=$(printf "%s" "$PWD/target-dir" | git hash-object -w --stdin) && ++ cat >objs <<-EOF && ++ 100644 blob ${empty_obj_hex} ${dir}/x ++ 100644 blob ${empty_obj_hex} ${dir}/y ++ 100644 blob ${empty_obj_hex} ${dir}/z ++ 120000 blob ${symlink_hex} ${symlink} ++ EOF ++ git update-index --index-info <objs && ++ # Note: the order is important here to exercise the ++ # case where the file 
at ${dir} has its type changed by ++ # the time Git tries to check out ${dir}/z. ++ # ++ # Also, we use core.precomposeUnicode=false because we ++ # want Git to treat the UTF-8 paths transparently on ++ # Mac OS, matching what is in the index. ++ # ++ git -c core.precomposeUnicode=false checkout-index -f \ ++ ${dir}/x ${dir}/y ${symlink} ${dir}/z && ++ # Should not create ${dir}/z at ${symlink}/z ++ test_path_is_missing target-dir/z ++ ) ++ ' ++done ++ + test_done +-- +2.17.1 + diff --git a/meta/recipes-devtools/git/git/fixsort.patch b/meta/recipes-devtools/git/git/fixsort.patch new file mode 100644 index 0000000000..07a487e8ca --- /dev/null +++ b/meta/recipes-devtools/git/git/fixsort.patch @@ -0,0 +1,31 @@ +[PATCH] generate-configlist.sh: Fix determinism issue + +Currently git binaries are not entirely reproducible, at least partly +due to config-list.h differing in order depending on the system's +locale settings. Under different locales, the entries: + +"sendemail.identity", +"sendemail.<identity>.*", + +would differ in order for example and this leads to differences in +the debug symbols for the binaries. + +This can be fixed by specifying the C locale for the sort in the +shell script generating the header. + +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +Upstream-Status: Submitted [https://public-inbox.org/git/f029a942dd3d50d85e60bd37d8e454524987842f.camel@linuxfoundation.org/T/#u] + +Index: git-2.30.0/generate-configlist.sh +=================================================================== +--- git-2.30.0.orig/generate-configlist.sh ++++ git-2.30.0/generate-configlist.sh +@@ -9,7 +9,7 @@ static const char *config_name_list[] = + EOF + grep -h '^[a-zA-Z].*\..*::$' Documentation/*config.txt Documentation/config/*.txt | + sed '/deprecated/d; s/::$//; s/, */\n/g' | +- sort | ++ LC_ALL=C sort | + sed 's/^.*$/ "&",/' + cat <<EOF + NULL, 
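Review bot: The patch header says `Upstream-Status: Acepted [...]`, which is both misspelled and not the status OE uses for a change already merged upstream; since the linked commit 684dd4c2b414 is in git, this should read `Upstream-Status: Backport [https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592]`. The From: and Signed-off-by: addresses also disagree (`flowrgom@gmail.com` vs `flowergom@gmail.com`), which looks like a typo in one of them. The `CVE: CVE-2021-21300` tag is correct, which is what cve-check relies on to mark the issue as patched. On the code side, the `#define rmdir lstat_cache_aware_rmdir` in git-compat-util.h only wraps callers that include that header after the system declaration of rmdir, which is presumably every git translation unit but is not verifiable from this hunk.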
diff --git a/meta/recipes-devtools/go/go-1.15.inc b/meta/recipes-devtools/go/go-1.15.inc index abe74e5eb7..7c8190f68c 100644 --- a/meta/recipes-devtools/go/go-1.15.inc +++ b/meta/recipes-devtools/go/go-1.15.inc @@ -1,7 +1,7 @@ require go-common.inc GO_BASEVERSION = "1.15" -PV = "1.15.6" +PV = "1.15.8" FILESEXTRAPATHS_prepend := "${FILE_DIRNAME}/go-${GO_BASEVERSION}:" LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" @@ -16,4 +16,4 @@ SRC_URI += "\ file://0007-cmd-go-make-GOROOT-precious-by-default.patch \ file://0008-use-GOBUILDMODE-to-set-buildmode.patch \ " -SRC_URI[main.sha256sum] = "890bba73c5e2b19ffb1180e385ea225059eb008eb91b694875dd86ea48675817" +SRC_URI[main.sha256sum] = "540c0ab7781084d124991321ed1458e479982de94454a98afab6acadf38497c2" diff --git a/meta/recipes-devtools/go/go-binary-native_1.15.6.bb b/meta/recipes-devtools/go/go-binary-native_1.15.8.bb index 622557ad2b..df697e2781 100644 --- a/meta/recipes-devtools/go/go-binary-native_1.15.6.bb +++ b/meta/recipes-devtools/go/go-binary-native_1.15.8.bb @@ -8,8 +8,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5d4950ecb7b26d2c5e4e7b4e0dd74707" PROVIDES = "go-native" SRC_URI = "https://dl.google.com/go/go${PV}.${BUILD_GOOS}-${BUILD_GOARCH}.tar.gz;name=go_${BUILD_GOTUPLE}" -SRC_URI[go_linux_amd64.sha256sum] = "3918e6cc85e7eaaa6f859f1bdbaac772e7a825b0eb423c63d3ae68b21f84b844" -SRC_URI[go_linux_arm64.sha256sum] = "f87515b9744154ffe31182da9341d0a61eb0795551173d242c8cad209239e492" +SRC_URI[go_linux_amd64.sha256sum] = "d3379c32a90fdf9382166f8f48034c459a8cc433730bc9476d39d9082c94583b" +SRC_URI[go_linux_arm64.sha256sum] = "0e31ea4bf53496b0f0809730520dee98c0ae5c530f3701a19df0ba0a327bf3d2" UPSTREAM_CHECK_URI = "https://golang.org/dl/" UPSTREAM_CHECK_REGEX = "go(?P<pver>\d+(\.\d+)+)\.linux" diff --git a/meta/recipes-devtools/libtool/libtool-2.4.6.inc b/meta/recipes-devtools/libtool/libtool-2.4.6.inc index 8e17b56d46..19a03d4733 100644 --- a/meta/recipes-devtools/libtool/libtool-2.4.6.inc 
+++ b/meta/recipes-devtools/libtool/libtool-2.4.6.inc @@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/libtool/libtool-${PV}.tar.gz \ file://unwind-opt-parsing.patch \ file://0001-libtool-Fix-support-for-NIOS2-processor.patch \ file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \ + file://0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch \ " SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e" diff --git a/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch new file mode 100644 index 0000000000..2e9908725e --- /dev/null +++ b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch 
@@ -0,0 +1,35 @@ +From dfbbbd359e43e0a55fbea06f2647279ad8761cb9 Mon Sep 17 00:00:00 2001 +From: Mingli Yu <mingli.yu@windriver.com> +Date: Wed, 24 Mar 2021 03:04:13 +0000 +Subject: [PATCH] Makefile.am: make sure autoheader run before autoconf + +autoheader will update ../libtool-2.4.6/libltdl/config-h.in which +autoconf needs, so there comes a race sometimes as below: + | configure.ac:45: error: required file 'config-h.in' not found + | touch '../libtool-2.4.6/libltdl/config-h.in' + +So make sure autoheader run before autoconf to avoid this race. + +Upstream-Status: Submitted [libtool-patches@gnu.org maillist] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 4142c90..fe1a9fc 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -365,7 +365,7 @@ lt_configure_deps = $(lt_aclocal_m4) $(lt_aclocal_m4_deps) + $(lt_aclocal_m4): $(lt_aclocal_m4_deps) + $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(ACLOCAL) -I ../m4 + +-$(lt_configure): $(lt_configure_deps) ++$(lt_configure): $(lt_configure_deps) $(lt_config_h_in) + $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOCONF) + + $(lt_config_h_in): $(lt_configure_deps) +-- +2.29.2 + diff --git a/meta/recipes-devtools/mtd/mtd-utils_git.bb b/meta/recipes-devtools/mtd/mtd-utils_git.bb index 8d6bbfca3f..ff42219513 100644 --- a/meta/recipes-devtools/mtd/mtd-utils_git.bb +++ b/meta/recipes-devtools/mtd/mtd-utils_git.bb 
@@ -42,11 +42,9 @@ ALTERNATIVE_PRIORITY = "100" ALTERNATIVE_${PN} = "flashcp flash_eraseall flash_lock flash_unlock nanddump nandwrite" ALTERNATIVE_${PN}-ubifs = "ubiattach ubidetach ubimkvol ubirename ubirmvol ubirsvol ubiupdatevol" -ALTERNATIVE_LINK_NAME[flash_eraseall] = "${sbindir}/flash_eraseall" ALTERNATIVE_LINK_NAME[nandwrite] = "${sbindir}/nandwrite" ALTERNATIVE_LINK_NAME[nanddump] = "${sbindir}/nanddump" ALTERNATIVE_LINK_NAME[ubiattach] = "${sbindir}/ubiattach" -ALTERNATIVE_LINK_NAME[ubiattach] = "${sbindir}/ubiattach" ALTERNATIVE_LINK_NAME[ubidetach] = "${sbindir}/ubidetach" ALTERNATIVE_LINK_NAME[ubimkvol] = "${sbindir}/ubimkvol" ALTERNATIVE_LINK_NAME[ubirename] = "${sbindir}/ubirename" diff --git a/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch b/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch new file mode 100644 index 0000000000..4578fa33be --- /dev/null +++ b/meta/recipes-devtools/opkg/opkg/sourcedateepoch.patch @@ -0,0 +1,24 @@ +Having CLEAN_DATE come from the current date doesn't allow for build +reproducibility. Add the option of using SOURCE_DATE_EPOCH if set +which for OE, it will be. + +Upstream-Status: Pending +RP 2021/2/2 + +Index: opkg-0.4.4/configure.ac +=================================================================== +--- opkg-0.4.4.orig/configure.ac ++++ opkg-0.4.4/configure.ac +@@ -281,7 +281,11 @@ AC_FUNC_UTIME_NULL + AC_FUNC_VPRINTF + AC_CHECK_FUNCS([memmove memset mkdir regcomp strchr strcspn strdup strerror strndup strrchr strstr strtol strtoul sysinfo utime]) + +-CLEAN_DATE=`date +"%B %Y" | tr -d '\n'` ++if ! test -z "$SOURCE_DATE_EPOCH" ; then ++ CLEAN_DATE=`LC_ALL=C date -d @$SOURCE_DATE_EPOCH +"%B %Y" | tr -d '\n'` ++else ++ CLEAN_DATE=`date +"%B %Y" | tr -d '\n'` ++fi + + AC_SUBST([CLEAN_DATE]) + diff --git a/meta/recipes-devtools/opkg/opkg_0.4.3.bb b/meta/recipes-devtools/opkg/opkg_0.4.3.bb index 46b7aa2523..ea01d473fc 100644 --- a/meta/recipes-devtools/opkg/opkg_0.4.3.bb 
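Review bot: `LC_ALL=C` is applied only to the SOURCE_DATE_EPOCH branch, so the fallback `date +"%B %Y"` still yields a locale-dependent month name and the two branches can disagree; prefixing the fallback with `LC_ALL=C` as well keeps them consistent. `date -d @$SOURCE_DATE_EPOCH` is a GNU coreutils extension and `$SOURCE_DATE_EPOCH` is unquoted and unvalidated, so a non-numeric value makes date fail and leaves CLEAN_DATE empty instead of stopping configure; that is acceptable for OE builds but matters if the patch goes upstream as `Upstream-Status: Pending` suggests. The patch header names `opkg-0.4.4/configure.ac` while the recipe that applies it is opkg_0.4.3.bb; it should still apply with -p1, but the mismatch is worth correcting.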
+++ b/meta/recipes-devtools/opkg/opkg_0.4.3.bb @@ -14,6 +14,7 @@ PE = "1" SRC_URI = "http://downloads.yoctoproject.org/releases/${BPN}/${BPN}-${PV}.tar.gz \ file://opkg.conf \ file://0001-opkg_conf-create-opkg.lock-in-run-instead-of-var-run.patch \ + file://sourcedateepoch.patch \ file://run-ptest \ " diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb index 29fa9152e2..4eab133128 100644 --- a/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/meta/recipes-devtools/pseudo/pseudo_git.bb @@ -6,7 +6,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \ file://fallback-group \ " -SRCREV = "f9754ac14672c4af19b77bc698a1a808b0828265" +SRCREV = "ee24ebec9e5a11dd5208c9be2870f35eab3b9e20" S = "${WORKDIR}/git" PV = "1.9.0+git${SRCPV}" diff --git a/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb b/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb index 89538d2f27..9d0666a5c1 100644 --- a/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb +++ b/meta/recipes-devtools/python/python3-jinja2_2.11.2.bb @@ -7,6 +7,8 @@ SRC_URI[sha256sum] = "89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c65 PYPI_PACKAGE = "Jinja2" +CVE_PRODUCT = "jinja2 jinja" + CLEANBROKEN = "1" inherit pypi setuptools3 diff --git a/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb b/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb index 34c8543bce..1734610d12 100644 --- a/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb +++ b/meta/recipes-devtools/python/python3-pycairo_1.19.1.bb @@ -18,7 +18,7 @@ SRC_URI[sha256sum] = "2c143183280feb67f5beb4e543fd49990c28e7df427301ede04fc550d3 S = "${WORKDIR}/pycairo-${PV}" -inherit meson pkgconfig +inherit meson pkgconfig python3targetconfig CFLAGS += "-fPIC" diff --git a/meta/recipes-devtools/python/python3/CVE-2021-23336.patch b/meta/recipes-devtools/python/python3/CVE-2021-23336.patch new file mode 100644 index 0000000000..27893f69fb --- /dev/null 
+++ b/meta/recipes-devtools/python/python3/CVE-2021-23336.patch 
@@ -0,0 +1,548 @@ +From e3110c3cfbb7daa690d54d0eff6c264c870a71bf Mon Sep 17 00:00:00 2001 +From: Senthil Kumaran <senthil@uthcode.com> +Date: Mon, 15 Feb 2021 10:15:02 -0800 +Subject: [PATCH] [3.8] bpo-42967: only use '&' as a query string separator + (GH-24297) (#24529) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* bpo-42967: only use '&' as a query string separator (#24297) + +bpo-42967: [security] Address a web cache-poisoning issue reported in +urllib.parse.parse_qsl(). + +urllib.parse will only us "&" as query string separator by default +instead of both ";" and "&" as allowed in earlier versions. An optional +argument seperator with default value "&" is added to specify the +separator. + +Co-authored-by: Éric Araujo <merwok@netwok.org> +Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> +Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> +Co-authored-by: Éric Araujo <merwok@netwok.org> +(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776) + +* [3.8] bpo-42967: only use '&' as a query string separator (GH-24297) + +bpo-42967: [security] Address a web cache-poisoning issue reported in urllib.parse.parse_qsl(). + +urllib.parse will only us "&" as query string separator by default instead of both ";" and "&" as allowed in earlier versions. An optional argument seperator with default value "&" is added to specify the separator. + +Co-authored-by: Éric Araujo <merwok@netwok.org> +Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com> +Co-authored-by: Ken Jin <28750310+Fidget-Spinner@users.noreply.github.com> +Co-authored-by: Éric Araujo <merwok@netwok.org>. +(cherry picked from commit fcbe0cb04d35189401c0c880ebfb4311e952d776) + +Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com> + +* Update correct version information. 
+ +* fix docs and make logic clearer + +Co-authored-by: Adam Goldschmidt <adamgold7@gmail.com> +Co-authored-by: Fidget-Spinner <28750310+Fidget-Spinner@users.noreply.github.com> + +Upstream-Status: Backport [https://github.com/python/cpython/commit/e3110c3cfbb7daa690d54d0eff6c264c870a71bf] +CVE: CVE-2020-23336 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + Doc/library/cgi.rst | 11 ++- + Doc/library/urllib.parse.rst | 22 +++++- + Doc/whatsnew/3.6.rst | 13 ++++ + Doc/whatsnew/3.7.rst | 13 ++++ + Doc/whatsnew/3.8.rst | 13 ++++ + Lib/cgi.py | 23 ++++--- + Lib/test/test_cgi.py | 29 ++++++-- + Lib/test/test_urlparse.py | 68 +++++++++++++------ + Lib/urllib/parse.py | 19 ++++-- + .../2021-02-14-15-59-16.bpo-42967.YApqDS.rst | 1 + + 10 files changed, 166 insertions(+), 46 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst + +diff --git a/Doc/library/cgi.rst b/Doc/library/cgi.rst +index 4048592e7361f..880074bed6026 100644 +--- a/Doc/library/cgi.rst ++++ b/Doc/library/cgi.rst +@@ -277,14 +277,16 @@ These are useful if you want more control, or if you want to employ some of the + algorithms implemented in this module in other circumstances. + + +-.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False) ++.. function:: parse(fp=None, environ=os.environ, keep_blank_values=False, strict_parsing=False, separator="&") + + Parse a query in the environment or from a file (the file defaults to +- ``sys.stdin``). The *keep_blank_values* and *strict_parsing* parameters are ++ ``sys.stdin``). The *keep_blank_values*, *strict_parsing* and *separator* parameters are + passed to :func:`urllib.parse.parse_qs` unchanged. + ++ .. versionchanged:: 3.8.8 ++ Added the *separator* parameter. + +-.. function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace") ++.. 
function:: parse_multipart(fp, pdict, encoding="utf-8", errors="replace", separator="&") + + Parse input of type :mimetype:`multipart/form-data` (for file uploads). + Arguments are *fp* for the input file, *pdict* for a dictionary containing +@@ -303,6 +305,9 @@ algorithms implemented in this module in other circumstances. + Added the *encoding* and *errors* parameters. For non-file fields, the + value is now a list of strings, not bytes. + ++ .. versionchanged:: 3.8.8 ++ Added the *separator* parameter. ++ + + .. function:: parse_header(string) + +diff --git a/Doc/library/urllib.parse.rst b/Doc/library/urllib.parse.rst +index 25e5cc1a6ce0b..fcad7076e6c77 100644 +--- a/Doc/library/urllib.parse.rst ++++ b/Doc/library/urllib.parse.rst +@@ -165,7 +165,7 @@ or on combining URL components into a URL string. + now raise :exc:`ValueError`. + + +-.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None) ++.. function:: parse_qs(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&') + + Parse a query string given as a string argument (data of type + :mimetype:`application/x-www-form-urlencoded`). Data are returned as a +@@ -190,6 +190,9 @@ or on combining URL components into a URL string. + read. If set, then throws a :exc:`ValueError` if there are more than + *max_num_fields* fields read. + ++ The optional argument *separator* is the symbol to use for separating the ++ query arguments. It defaults to ``&``. ++ + Use the :func:`urllib.parse.urlencode` function (with the ``doseq`` + parameter set to ``True``) to convert such dictionaries into query + strings. +@@ -201,8 +204,14 @@ or on combining URL components into a URL string. + .. versionchanged:: 3.8 + Added *max_num_fields* parameter. + ++ .. versionchanged:: 3.8.8 ++ Added *separator* parameter with the default value of ``&``. 
Python ++ versions earlier than Python 3.8.8 allowed using both ``;`` and ``&`` as ++ query parameter separator. This has been changed to allow only a single ++ separator key, with ``&`` as the default separator. ++ + +-.. function:: parse_qsl(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None) ++.. function:: parse_qsl(qs, keep_blank_values=False, strict_parsing=False, encoding='utf-8', errors='replace', max_num_fields=None, separator='&') + + Parse a query string given as a string argument (data of type + :mimetype:`application/x-www-form-urlencoded`). Data are returned as a list of +@@ -226,6 +235,9 @@ or on combining URL components into a URL string. + read. If set, then throws a :exc:`ValueError` if there are more than + *max_num_fields* fields read. + ++ The optional argument *separator* is the symbol to use for separating the ++ query arguments. It defaults to ``&``. ++ + Use the :func:`urllib.parse.urlencode` function to convert such lists of pairs into + query strings. + +@@ -235,6 +247,12 @@ or on combining URL components into a URL string. + .. versionchanged:: 3.8 + Added *max_num_fields* parameter. + ++ .. versionchanged:: 3.8.8 ++ Added *separator* parameter with the default value of ``&``. Python ++ versions earlier than Python 3.8.8 allowed using both ``;`` and ``&`` as ++ query parameter separator. This has been changed to allow only a single ++ separator key, with ``&`` as the default separator. ++ + + .. function:: urlunparse(parts) + +diff --git a/Doc/whatsnew/3.6.rst b/Doc/whatsnew/3.6.rst +index 85a6657fdfbda..03a877a3d9178 100644 +--- a/Doc/whatsnew/3.6.rst ++++ b/Doc/whatsnew/3.6.rst +@@ -2443,3 +2443,16 @@ because of the behavior of the socket option ``SO_REUSEADDR`` in UDP. For more + details, see the documentation for ``loop.create_datagram_endpoint()``. + (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in + :issue:`37228`.) 
++ ++Notable changes in Python 3.6.13 ++================================ ++ ++Earlier Python versions allowed using both ``;`` and ``&`` as ++query parameter separators in :func:`urllib.parse.parse_qs` and ++:func:`urllib.parse.parse_qsl`. Due to security concerns, and to conform with ++newer W3C recommendations, this has been changed to allow only a single ++separator key, with ``&`` as the default. This change also affects ++:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected ++functions internally. For more details, please see their respective ++documentation. ++(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.) +diff --git a/Doc/whatsnew/3.7.rst b/Doc/whatsnew/3.7.rst +index 4933cba3990b1..824dc13e0c6fd 100644 +--- a/Doc/whatsnew/3.7.rst ++++ b/Doc/whatsnew/3.7.rst +@@ -2556,3 +2556,16 @@ because of the behavior of the socket option ``SO_REUSEADDR`` in UDP. For more + details, see the documentation for ``loop.create_datagram_endpoint()``. + (Contributed by Kyle Stanley, Antoine Pitrou, and Yury Selivanov in + :issue:`37228`.) ++ ++Notable changes in Python 3.7.10 ++================================ ++ ++Earlier Python versions allowed using both ``;`` and ``&`` as ++query parameter separators in :func:`urllib.parse.parse_qs` and ++:func:`urllib.parse.parse_qsl`. Due to security concerns, and to conform with ++newer W3C recommendations, this has been changed to allow only a single ++separator key, with ``&`` as the default. This change also affects ++:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected ++functions internally. For more details, please see their respective ++documentation. ++(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.) 
+diff --git a/Doc/whatsnew/3.8.rst b/Doc/whatsnew/3.8.rst +index 1a192800b2f02..632ccc1f2c40a 100644 +--- a/Doc/whatsnew/3.8.rst ++++ b/Doc/whatsnew/3.8.rst +@@ -2251,3 +2251,16 @@ The constant values of future flags in the :mod:`__future__` module + are updated in order to prevent collision with compiler flags. Previously + ``PyCF_ALLOW_TOP_LEVEL_AWAIT`` was clashing with ``CO_FUTURE_DIVISION``. + (Contributed by Batuhan Taskaya in :issue:`39562`) ++ ++Notable changes in Python 3.8.8 ++=============================== ++ ++Earlier Python versions allowed using both ``;`` and ``&`` as ++query parameter separators in :func:`urllib.parse.parse_qs` and ++:func:`urllib.parse.parse_qsl`. Due to security concerns, and to conform with ++newer W3C recommendations, this has been changed to allow only a single ++separator key, with ``&`` as the default. This change also affects ++:func:`cgi.parse` and :func:`cgi.parse_multipart` as they use the affected ++functions internally. For more details, please see their respective ++documentation. ++(Contributed by Adam Goldschmidt, Senthil Kumaran and Ken Jin in :issue:`42967`.) +diff --git a/Lib/cgi.py b/Lib/cgi.py +index 77ab703cc0360..1e880e51848af 100755 +--- a/Lib/cgi.py ++++ b/Lib/cgi.py +@@ -115,7 +115,8 @@ def closelog(): + # 0 ==> unlimited input + maxlen = 0 + +-def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0): ++def parse(fp=None, environ=os.environ, keep_blank_values=0, ++ strict_parsing=0, separator='&'): + """Parse a query in the environment or from a file (default stdin) + + Arguments, all optional: +@@ -134,6 +135,9 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0): + strict_parsing: flag indicating what to do with parsing errors. + If false (the default), errors are silently ignored. + If true, errors raise a ValueError exception. ++ ++ separator: str. The symbol to use for separating the query arguments. ++ Defaults to &. 
+ """ + if fp is None: + fp = sys.stdin +@@ -154,7 +158,7 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0): + if environ['REQUEST_METHOD'] == 'POST': + ctype, pdict = parse_header(environ['CONTENT_TYPE']) + if ctype == 'multipart/form-data': +- return parse_multipart(fp, pdict) ++ return parse_multipart(fp, pdict, separator=separator) + elif ctype == 'application/x-www-form-urlencoded': + clength = int(environ['CONTENT_LENGTH']) + if maxlen and clength > maxlen: +@@ -178,10 +182,10 @@ def parse(fp=None, environ=os.environ, keep_blank_values=0, strict_parsing=0): + qs = "" + environ['QUERY_STRING'] = qs # XXX Shouldn't, really + return urllib.parse.parse_qs(qs, keep_blank_values, strict_parsing, +- encoding=encoding) ++ encoding=encoding, separator=separator) + + +-def parse_multipart(fp, pdict, encoding="utf-8", errors="replace"): ++def parse_multipart(fp, pdict, encoding="utf-8", errors="replace", separator='&'): + """Parse multipart input. + + Arguments: +@@ -205,7 +209,7 @@ def parse_multipart(fp, pdict, encoding="utf-8", errors="replace"): + except KeyError: + pass + fs = FieldStorage(fp, headers=headers, encoding=encoding, errors=errors, +- environ={'REQUEST_METHOD': 'POST'}) ++ environ={'REQUEST_METHOD': 'POST'}, separator=separator) + return {k: fs.getlist(k) for k in fs} + + def _parseparam(s): +@@ -315,7 +319,7 @@ class FieldStorage: + def __init__(self, fp=None, headers=None, outerboundary=b'', + environ=os.environ, keep_blank_values=0, strict_parsing=0, + limit=None, encoding='utf-8', errors='replace', +- max_num_fields=None): ++ max_num_fields=None, separator='&'): + """Constructor. Read multipart/* until last part. 
+ + Arguments, all optional: +@@ -363,6 +367,7 @@ def __init__(self, fp=None, headers=None, outerboundary=b'', + self.keep_blank_values = keep_blank_values + self.strict_parsing = strict_parsing + self.max_num_fields = max_num_fields ++ self.separator = separator + if 'REQUEST_METHOD' in environ: + method = environ['REQUEST_METHOD'].upper() + self.qs_on_post = None +@@ -589,7 +594,7 @@ def read_urlencoded(self): + query = urllib.parse.parse_qsl( + qs, self.keep_blank_values, self.strict_parsing, + encoding=self.encoding, errors=self.errors, +- max_num_fields=self.max_num_fields) ++ max_num_fields=self.max_num_fields, separator=self.separator) + self.list = [MiniFieldStorage(key, value) for key, value in query] + self.skip_lines() + +@@ -605,7 +610,7 @@ def read_multi(self, environ, keep_blank_values, strict_parsing): + query = urllib.parse.parse_qsl( + self.qs_on_post, self.keep_blank_values, self.strict_parsing, + encoding=self.encoding, errors=self.errors, +- max_num_fields=self.max_num_fields) ++ max_num_fields=self.max_num_fields, separator=self.separator) + self.list.extend(MiniFieldStorage(key, value) for key, value in query) + + klass = self.FieldStorageClass or self.__class__ +@@ -649,7 +654,7 @@ def read_multi(self, environ, keep_blank_values, strict_parsing): + else self.limit - self.bytes_read + part = klass(self.fp, headers, ib, environ, keep_blank_values, + strict_parsing, limit, +- self.encoding, self.errors, max_num_fields) ++ self.encoding, self.errors, max_num_fields, self.separator) + + if max_num_fields is not None: + max_num_fields -= 1 +diff --git a/Lib/test/test_cgi.py b/Lib/test/test_cgi.py +index 101942de947fb..4e1506a6468b9 100644 +--- a/Lib/test/test_cgi.py ++++ b/Lib/test/test_cgi.py +@@ -53,12 +53,9 @@ def do_test(buf, method): + ("", ValueError("bad query field: ''")), + ("&", ValueError("bad query field: ''")), + ("&&", ValueError("bad query field: ''")), +- (";", ValueError("bad query field: ''")), +- (";&;", ValueError("bad query 
field: ''")), + # Should the next few really be valid? + ("=", {}), + ("=&=", {}), +- ("=;=", {}), + # This rest seem to make sense + ("=a", {'': ['a']}), + ("&=a", ValueError("bad query field: ''")), +@@ -73,8 +70,6 @@ def do_test(buf, method): + ("a=a+b&b=b+c", {'a': ['a b'], 'b': ['b c']}), + ("a=a+b&a=b+a", {'a': ['a b', 'b a']}), + ("x=1&y=2.0&z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}), +- ("x=1;y=2.0&z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}), +- ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}), + ("Hbc5161168c542333633315dee1182227:key_store_seqid=400006&cuyer=r&view=bustomer&order_id=0bb2e248638833d48cb7fed300000f1b&expire=964546263&lobale=en-US&kid=130003.300038&ss=env", + {'Hbc5161168c542333633315dee1182227:key_store_seqid': ['400006'], + 'cuyer': ['r'], +@@ -201,6 +196,30 @@ def test_strict(self): + else: + self.assertEqual(fs.getvalue(key), expect_val[0]) + ++ def test_separator(self): ++ parse_semicolon = [ ++ ("x=1;y=2.0", {'x': ['1'], 'y': ['2.0']}), ++ ("x=1;y=2.0;z=2-3.%2b0", {'x': ['1'], 'y': ['2.0'], 'z': ['2-3.+0']}), ++ (";", ValueError("bad query field: ''")), ++ (";;", ValueError("bad query field: ''")), ++ ("=;a", ValueError("bad query field: 'a'")), ++ (";b=a", ValueError("bad query field: ''")), ++ ("b;=a", ValueError("bad query field: 'b'")), ++ ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}), ++ ("a=a+b;a=b+a", {'a': ['a b', 'b a']}), ++ ] ++ for orig, expect in parse_semicolon: ++ env = {'QUERY_STRING': orig} ++ fs = cgi.FieldStorage(separator=';', environ=env) ++ if isinstance(expect, dict): ++ for key in expect.keys(): ++ expect_val = expect[key] ++ self.assertIn(key, fs) ++ if len(expect_val) > 1: ++ self.assertEqual(fs.getvalue(key), expect_val) ++ else: ++ self.assertEqual(fs.getvalue(key), expect_val[0]) ++ + def test_log(self): + cgi.log("Testing") + +diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py +index 4ae6ed33858ce..90c8d6922629e 100644 +--- 
a/Lib/test/test_urlparse.py ++++ b/Lib/test/test_urlparse.py +@@ -32,16 +32,10 @@ + (b"&a=b", [(b'a', b'b')]), + (b"a=a+b&b=b+c", [(b'a', b'a b'), (b'b', b'b c')]), + (b"a=1&a=2", [(b'a', b'1'), (b'a', b'2')]), +- (";", []), +- (";;", []), +- (";a=b", [('a', 'b')]), +- ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]), +- ("a=1;a=2", [('a', '1'), ('a', '2')]), +- (b";", []), +- (b";;", []), +- (b";a=b", [(b'a', b'b')]), +- (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]), +- (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]), ++ (";a=b", [(';a', 'b')]), ++ ("a=a+b;b=b+c", [('a', 'a b;b=b c')]), ++ (b";a=b", [(b';a', b'b')]), ++ (b"a=a+b;b=b+c", [(b'a', b'a b;b=b c')]), + ] + + # Each parse_qs testcase is a two-tuple that contains +@@ -68,16 +62,10 @@ + (b"&a=b", {b'a': [b'b']}), + (b"a=a+b&b=b+c", {b'a': [b'a b'], b'b': [b'b c']}), + (b"a=1&a=2", {b'a': [b'1', b'2']}), +- (";", {}), +- (";;", {}), +- (";a=b", {'a': ['b']}), +- ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}), +- ("a=1;a=2", {'a': ['1', '2']}), +- (b";", {}), +- (b";;", {}), +- (b";a=b", {b'a': [b'b']}), +- (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}), +- (b"a=1;a=2", {b'a': [b'1', b'2']}), ++ (";a=b", {';a': ['b']}), ++ ("a=a+b;b=b+c", {'a': ['a b;b=b c']}), ++ (b";a=b", {b';a': [b'b']}), ++ (b"a=a+b;b=b+c", {b'a':[ b'a b;b=b c']}), + ] + + class UrlParseTestCase(unittest.TestCase): +@@ -884,10 +872,46 @@ def test_parse_qsl_encoding(self): + def test_parse_qsl_max_num_fields(self): + with self.assertRaises(ValueError): + urllib.parse.parse_qs('&'.join(['a=a']*11), max_num_fields=10) +- with self.assertRaises(ValueError): +- urllib.parse.parse_qs(';'.join(['a=a']*11), max_num_fields=10) + urllib.parse.parse_qs('&'.join(['a=a']*10), max_num_fields=10) + ++ def test_parse_qs_separator(self): ++ parse_qs_semicolon_cases = [ ++ (";", {}), ++ (";;", {}), ++ (";a=b", {'a': ['b']}), ++ ("a=a+b;b=b+c", {'a': ['a b'], 'b': ['b c']}), ++ ("a=1;a=2", {'a': ['1', '2']}), ++ (b";", {}), ++ (b";;", {}), ++ (b";a=b", 
{b'a': [b'b']}), ++ (b"a=a+b;b=b+c", {b'a': [b'a b'], b'b': [b'b c']}), ++ (b"a=1;a=2", {b'a': [b'1', b'2']}), ++ ] ++ for orig, expect in parse_qs_semicolon_cases: ++ with self.subTest(f"Original: {orig!r}, Expected: {expect!r}"): ++ result = urllib.parse.parse_qs(orig, separator=';') ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ ++ ++ def test_parse_qsl_separator(self): ++ parse_qsl_semicolon_cases = [ ++ (";", []), ++ (";;", []), ++ (";a=b", [('a', 'b')]), ++ ("a=a+b;b=b+c", [('a', 'a b'), ('b', 'b c')]), ++ ("a=1;a=2", [('a', '1'), ('a', '2')]), ++ (b";", []), ++ (b";;", []), ++ (b";a=b", [(b'a', b'b')]), ++ (b"a=a+b;b=b+c", [(b'a', b'a b'), (b'b', b'b c')]), ++ (b"a=1;a=2", [(b'a', b'1'), (b'a', b'2')]), ++ ] ++ for orig, expect in parse_qsl_semicolon_cases: ++ with self.subTest(f"Original: {orig!r}, Expected: {expect!r}"): ++ result = urllib.parse.parse_qsl(orig, separator=';') ++ self.assertEqual(result, expect, "Error parsing %r" % orig) ++ ++ + def test_urlencode_sequences(self): + # Other tests incidentally urlencode things; test non-covered cases: + # Sequence and object values. +diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py +index 95be7181133b4..0c1c94f5fc986 100644 +--- a/Lib/urllib/parse.py ++++ b/Lib/urllib/parse.py +@@ -650,7 +650,7 @@ def unquote(string, encoding='utf-8', errors='replace'): + + + def parse_qs(qs, keep_blank_values=False, strict_parsing=False, +- encoding='utf-8', errors='replace', max_num_fields=None): ++ encoding='utf-8', errors='replace', max_num_fields=None, separator='&'): + """Parse a query given as a string argument. + + Arguments: +@@ -674,12 +674,15 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False, + max_num_fields: int. If set, then throws a ValueError if there + are more than n fields read by parse_qsl(). + ++ separator: str. The symbol to use for separating the query arguments. ++ Defaults to &. ++ + Returns a dictionary. 
+ """ + parsed_result = {} + pairs = parse_qsl(qs, keep_blank_values, strict_parsing, + encoding=encoding, errors=errors, +- max_num_fields=max_num_fields) ++ max_num_fields=max_num_fields, separator=separator) + for name, value in pairs: + if name in parsed_result: + parsed_result[name].append(value) +@@ -689,7 +692,7 @@ def parse_qs(qs, keep_blank_values=False, strict_parsing=False, + + + def parse_qsl(qs, keep_blank_values=False, strict_parsing=False, +- encoding='utf-8', errors='replace', max_num_fields=None): ++ encoding='utf-8', errors='replace', max_num_fields=None, separator='&'): + """Parse a query given as a string argument. + + Arguments: +@@ -712,19 +715,25 @@ def parse_qsl(qs, keep_blank_values=False, strict_parsing=False, + max_num_fields: int. If set, then throws a ValueError + if there are more than n fields read by parse_qsl(). + ++ separator: str. The symbol to use for separating the query arguments. ++ Defaults to &. ++ + Returns a list, as G-d intended. + """ + qs, _coerce_result = _coerce_args(qs) + ++ if not separator or (not isinstance(separator, (str, bytes))): ++ raise ValueError("Separator must be of type string or bytes.") ++ + # If max_num_fields is defined then check that the number of fields + # is less than max_num_fields. This prevents a memory exhaustion DOS + # attack via post bodies with many fields. 
+ if max_num_fields is not None: +- num_fields = 1 + qs.count('&') + qs.count(';') ++ num_fields = 1 + qs.count(separator) + if max_num_fields < num_fields: + raise ValueError('Max number of fields exceeded') + +- pairs = [s2 for s1 in qs.split('&') for s2 in s1.split(';')] ++ pairs = [s1 for s1 in qs.split(separator)] + r = [] + for name_value in pairs: + if not name_value and not strict_parsing: +diff --git a/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst +new file mode 100644 +index 0000000000000..f08489b41494e +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-02-14-15-59-16.bpo-42967.YApqDS.rst +@@ -0,0 +1 @@ ++Fix web cache poisoning vulnerability by defaulting the query args separator to ``&``, and allowing the user to choose a custom separator. diff --git a/meta/recipes-devtools/python/python3/CVE-2021-3177.patch b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch new file mode 100644 index 0000000000..43d678db46 --- /dev/null +++ b/meta/recipes-devtools/python/python3/CVE-2021-3177.patch 
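Review bot: The `CVE:` trailer in this patch's header reads `CVE-2020-23336`, while the file name, the `file://CVE-2021-23336.patch` SRC_URI entry and the bpo-42967 subject all refer to CVE-2021-23336; the line should be `CVE: CVE-2021-23336`. If cve-check builds its patched-CVE list from these trailers (it appears to scan `CVE:` lines in patch files; I have not verified the exact matching here), the typo records an unrelated identifier as fixed and leaves the real one to be recovered from the file name alone. Separately, in `parse_qsl` the new guard accepts a `bytes` separator, but `qs.split(separator)` runs after `_coerce_args(qs)`, which — judging by the tests that pass bytes `qs` with a str separator — normalises `qs` to str, so a call such as `parse_qsl(b'a=1;b=2', separator=b';')` would likely raise TypeError instead of the documented ValueError; coercing the separator as well, `separator, _ = _coerce_args(separator)`, before the check would close that gap. This is a verbatim upstream backport, so the second point belongs upstream or in a follow-up patch rather than an edit to this file.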
@@ -0,0 +1,191 @@ +From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 18 Jan 2021 13:28:52 -0800 +Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode + formatting in ctypes param reprs. (GH-24248) + +(cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) + +Co-authored-by: Benjamin Peterson <benjamin@python.org> + +Co-authored-by: Benjamin Peterson <benjamin@python.org> + +CVE: CVE-2021-3177 +Upstream-Status: Backport [https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +--- + Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ + .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + + Modules/_ctypes/callproc.c | 51 +++++++------------ + 3 files changed, 64 insertions(+), 32 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst + +diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py +index e4c25fd880cef..531894fdec838 100644 +--- a/Lib/ctypes/test/test_parameters.py ++++ b/Lib/ctypes/test/test_parameters.py +@@ -201,6 +201,49 @@ def __dict__(self): + with self.assertRaises(ZeroDivisionError): + WorseStruct().__setstate__({}, b'foo') + ++ def test_parameter_repr(self): ++ from ctypes import ( ++ c_bool, ++ c_char, ++ c_wchar, ++ c_byte, ++ c_ubyte, ++ c_short, ++ c_ushort, ++ c_int, ++ c_uint, ++ c_long, ++ c_ulong, ++ c_longlong, ++ c_ulonglong, ++ c_float, ++ c_double, ++ c_longdouble, ++ c_char_p, ++ c_wchar_p, ++ c_void_p, ++ ) ++ self.assertRegex(repr(c_bool.from_param(True)), r"^<cparam '\?' 
at 0x[A-Fa-f0-9]+>$") ++ self.assertEqual(repr(c_char.from_param(97)), "<cparam 'c' ('a')>") ++ self.assertRegex(repr(c_wchar.from_param('a')), r"^<cparam 'u' at 0x[A-Fa-f0-9]+>$") ++ self.assertEqual(repr(c_byte.from_param(98)), "<cparam 'b' (98)>") ++ self.assertEqual(repr(c_ubyte.from_param(98)), "<cparam 'B' (98)>") ++ self.assertEqual(repr(c_short.from_param(511)), "<cparam 'h' (511)>") ++ self.assertEqual(repr(c_ushort.from_param(511)), "<cparam 'H' (511)>") ++ self.assertRegex(repr(c_int.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") ++ self.assertRegex(repr(c_uint.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") ++ self.assertRegex(repr(c_long.from_param(20000)), r"^<cparam '[li]' \(20000\)>$") ++ self.assertRegex(repr(c_ulong.from_param(20000)), r"^<cparam '[LI]' \(20000\)>$") ++ self.assertRegex(repr(c_longlong.from_param(20000)), r"^<cparam '[liq]' \(20000\)>$") ++ self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^<cparam '[LIQ]' \(20000\)>$") ++ self.assertEqual(repr(c_float.from_param(1.5)), "<cparam 'f' (1.5)>") ++ self.assertEqual(repr(c_double.from_param(1.5)), "<cparam 'd' (1.5)>") ++ self.assertEqual(repr(c_double.from_param(1e300)), "<cparam 'd' (1e+300)>") ++ self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^<cparam ('d' \(1.5\)|'g' at 0x[A-Fa-f0-9]+)>$") ++ self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$") ++ self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$") ++ self.assertRegex(repr(c_void_p.from_param(0x12)), r"^<cparam 'P' \(0x0*12\)>$") ++ + ################################################################ + + if __name__ == '__main__': +diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +new file mode 100644 +index 0000000000000..7df65a156feab +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst +@@ -0,0 +1,2 
@@ ++Avoid static buffers when computing the repr of :class:`ctypes.c_double` and ++:class:`ctypes.c_longdouble` values. +diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c +index a9b8675cd951b..de75918d49f37 100644 +--- a/Modules/_ctypes/callproc.c ++++ b/Modules/_ctypes/callproc.c +@@ -484,58 +484,47 @@ is_literal_char(unsigned char c) + static PyObject * + PyCArg_repr(PyCArgObject *self) + { +- char buffer[256]; + switch(self->tag) { + case 'b': + case 'B': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.b); +- break; + case 'h': + case 'H': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.h); +- break; + case 'i': + case 'I': +- sprintf(buffer, "<cparam '%c' (%d)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%d)>", + self->tag, self->value.i); +- break; + case 'l': + case 'L': +- sprintf(buffer, "<cparam '%c' (%ld)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%ld)>", + self->tag, self->value.l); +- break; + + case 'q': + case 'Q': +- sprintf(buffer, +-#ifdef MS_WIN32 +- "<cparam '%c' (%I64d)>", +-#else +- "<cparam '%c' (%lld)>", +-#endif ++ return PyUnicode_FromFormat("<cparam '%c' (%lld)>", + self->tag, self->value.q); +- break; + case 'd': +- sprintf(buffer, "<cparam '%c' (%f)>", +- self->tag, self->value.d); +- break; +- case 'f': +- sprintf(buffer, "<cparam '%c' (%f)>", +- self->tag, self->value.f); +- break; +- ++ case 'f': { ++ PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? 
self->value.f : self->value.d); ++ if (f == NULL) { ++ return NULL; ++ } ++ PyObject *result = PyUnicode_FromFormat("<cparam '%c' (%R)>", self->tag, f); ++ Py_DECREF(f); ++ return result; ++ } + case 'c': + if (is_literal_char((unsigned char)self->value.c)) { +- sprintf(buffer, "<cparam '%c' ('%c')>", ++ return PyUnicode_FromFormat("<cparam '%c' ('%c')>", + self->tag, self->value.c); + } + else { +- sprintf(buffer, "<cparam '%c' ('\\x%02x')>", ++ return PyUnicode_FromFormat("<cparam '%c' ('\\x%02x')>", + self->tag, (unsigned char)self->value.c); + } +- break; + + /* Hm, are these 'z' and 'Z' codes useful at all? + Shouldn't they be replaced by the functionality of c_string +@@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self) + case 'z': + case 'Z': + case 'P': +- sprintf(buffer, "<cparam '%c' (%p)>", ++ return PyUnicode_FromFormat("<cparam '%c' (%p)>", + self->tag, self->value.p); + break; + + default: + if (is_literal_char((unsigned char)self->tag)) { +- sprintf(buffer, "<cparam '%c' at %p>", ++ return PyUnicode_FromFormat("<cparam '%c' at %p>", + (unsigned char)self->tag, (void *)self); + } + else { +- sprintf(buffer, "<cparam 0x%02x at %p>", ++ return PyUnicode_FromFormat("<cparam 0x%02x at %p>", + (unsigned char)self->tag, (void *)self); + } +- break; + } +- return PyUnicode_FromString(buffer); + } + + static PyMemberDef PyCArgType_members[] = { + diff --git a/meta/recipes-devtools/python/python3_3.8.5.bb b/meta/recipes-devtools/python/python3_3.8.5.bb index f09a3c1d6e..418d35acfe 100644 --- a/meta/recipes-devtools/python/python3_3.8.5.bb +++ b/meta/recipes-devtools/python/python3_3.8.5.bb @@ -33,6 +33,8 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \ file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \ file://CVE-2020-27619.patch \ + file://CVE-2021-3177.patch \ + file://CVE-2021-23336.patch \ " SRC_URI_append_class-native = " \ 
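Review bot: In `test_parameter_repr` the two regexes for `c_char_p` and `c_wchar_p`, `"^<cparam 'z' \(0x[A-Fa-f0-9]+\)>$"` and `"^<cparam 'Z' \(0x[A-Fa-f0-9]+\)>$"`, lack the `r` prefix that every sibling pattern in the same block carries, so `\(` is an invalid escape sequence that this Python series reports as a DeprecationWarning at compile time and that fails the module import under `-W error`. Prefixing both literals with `r` makes them consistent and warning-free. In `PyCArg_repr` the `'z'`/`'Z'`/`'P'` case keeps its `break;` after the new `return PyUnicode_FromFormat(...)`, which is now unreachable; the other cases drop theirs. Both are cosmetic and, since this is a verbatim upstream backport, are best carried upstream rather than patched locally.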
@@ -168,6 +170,10 @@ do_install_append() {
 }
 do_install_append_class-nativesdk () {
+ # Make sure we use /usr/bin/env python
+ for PYTHSCRIPT in `grep -rIl ${bindir}/python ${D}${bindir}`; do
+ sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' $PYTHSCRIPT
+ done
 create_wrapper ${D}${bindir}/python${PYTHON_MAJMIN} TERMINFO_DIRS='${sysconfdir}/terminfo:/etc/terminfo:/usr/share/terminfo:/usr/share/misc/terminfo:/lib/terminfo' PYTHONNOUSERSITE='1'
 }
@@ -306,11 +312,8 @@ do_create_manifest() {
 }
 # bitbake python -c create_manifest
-addtask do_create_manifest
-
 # Make sure we have native python ready when we create a new manifest
-do_create_manifest[depends] += "${PN}:do_prepare_recipe_sysroot"
-do_create_manifest[depends] += "${PN}:do_patch"
+addtask do_create_manifest after do_patch do_prepare_recipe_sysroot
 # manual dependency additions
 RRECOMMENDS_${PN}-core_append_class-nativesdk = " nativesdk-python3-modules"
@@ -363,3 +366,9 @@ RDEPENDS_${PN}-dev = ""
 RDEPENDS_${PN}-tests_append_class-target = " ${MLPREFIX}bash"
 RDEPENDS_${PN}-tests_append_class-nativesdk = " ${MLPREFIX}bash"
+
+# Python's tests contain large numbers of files we don't need in the recipe sysroots
+SYSROOT_PREPROCESS_FUNCS += " py3_sysroot_cleanup"
+py3_sysroot_cleanup () {
+ rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test
+}
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 69b9a5f89e..482ca3d6e5 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -37,6 +37,9 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://CVE-2020-25624.patch \
 file://CVE-2020-25723.patch \
 file://CVE-2020-28916.patch \
+ file://CVE-2020-35517.patch \
+ file://CVE-2020-29443.patch \
+ file://CVE-2021-20203.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
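Review bot: The shebang rewrite in do_install_append_class-nativesdk picks its targets with `grep -rIl ${bindir}/python ${D}${bindir}`, which matches any text file under ${D}${bindir} that mentions the interpreter path anywhere in its body, and then rewrites line 1 of every match; a shell script that merely references ${bindir}/python would end up with a python3 shebang. Anchoring the pattern to an interpreter line, e.g. `grep -rIl '^#!.*${bindir}/python' ${D}${bindir}`, limits the rewrite to scripts actually run under python, and `"$PYTHSCRIPT"` should be quoted so a filename containing whitespace does not split into several sed arguments. A one-line comment stating that this is for relocatable SDK wrappers, which is presumably the intent, would help the next reader; the function's remaining lines are within the hunk.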
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
new file mode 100644
index 0000000000..5a3b99bb23
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
@@ -0,0 +1,46 @@
+
+m 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 1 Dec 2020 13:09:26 +0100
+Subject: [PATCH] ide: atapi: assert that the buffer pointer is in range
+
+A case was reported where s->io_buffer_index can be out of range.
+The report skimped on the details but it seems to be triggered
+by s->lba == -1 on the READ/READ CD paths (e.g. by sending an
+ATAPI command with LBA = 0xFFFFFFFF). For now paper over it
+with assertions. The first one ensures that there is no overflow
+when incrementing s->io_buffer_index, the second checks for the
+buffer overrun.
+
+Note that the buffer overrun is only a read, so I am not sure
+if the assertion failure is actually less harmful than the overrun.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-id: 20201201120926.56559-1-pbonzini@redhat.com
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=813212288970c39b1800f63e83ac6e96588095c6]
+CVE: CVE-2020-29443
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ hw/ide/atapi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 14a2b0b..e791578 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -276,6 +276,8 @@ void ide_atapi_cmd_reply_end(IDEState *s)
+ s->packet_transfer_size -= size;
+ s->elementary_transfer_size -= size;
+ s->io_buffer_index += size;
++ assert(size <= s->io_buffer_total_len);
++ assert(s->io_buffer_index <= s->io_buffer_total_len);
+
+ /* Some adapters process PIO data right away. In that case, we need
+ * to avoid mutual recursion between ide_transfer_start
+--
+1.8.3.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch
new file mode 100644
index 0000000000..f818eb3bf5
--- /dev/null
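Review bot: The first two lines of CVE-2020-29443.patch are an empty line followed by `m 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001`, so the mbox `From <sha>` header has lost its `Fro` prefix; quilt still applies the file because everything before `---` is treated as description, but the header should read `From 813212288970c39b1800f63e83ac6e96588095c6 Mon Sep 17 00:00:00 2001` with no leading blank line so the backport stays mechanically traceable to the upstream commit. The fix itself turns the out-of-range buffer read into an `assert()` reachable from guest-issued ATAPI commands, which the upstream message explicitly says may not be less harmful than the read; a sentence next to the `CVE:` tag noting that this mitigation aborts the emulator rather than rejecting the command would let integrators judge that trade-off.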
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517.patch 
@@ -0,0 +1,126 @@
+From ebf101955ce8f8d72fba103b5151115a4335de2c Mon Sep 17 00:00:00 2001
+From: Stefan Hajnoczi <stefanha@redhat.com>
+Date: Tue, 6 Oct 2020 10:58:26 +0100
+Subject: [PATCH] virtiofsd: avoid /proc/self/fd tempdir
+
+In order to prevent /proc/self/fd escapes a temporary directory is
+created where /proc/self/fd is bind-mounted. This doesn't work on
+read-only file systems.
+
+Avoid the temporary directory by bind-mounting /proc/self/fd over /proc.
+This does not affect other processes since we remounted / with MS_REC |
+MS_SLAVE. /proc must exist and virtiofsd does not use it so it's safe to
+do this.
+
+Path traversal can be tested with the following function:
+
+ static void test_proc_fd_escape(struct lo_data *lo)
+ {
+ int fd;
+ int level = 0;
+ ino_t last_ino = 0;
+
+ fd = lo->proc_self_fd;
+ for (;;) {
+ struct stat st;
+
+ if (fstat(fd, &st) != 0) {
+ perror("fstat");
+ return;
+ }
+ if (last_ino && st.st_ino == last_ino) {
+ fprintf(stderr, "inode number unchanged, stopping\n");
+ return;
+ }
+ last_ino = st.st_ino;
+
+ fprintf(stderr, "Level %d dev %lu ino %lu\n", level,
+ (unsigned long)st.st_dev,
+ (unsigned long)last_ino);
+ fd = openat(fd, "..", O_PATH | O_DIRECTORY | O_NOFOLLOW);
+ level++;
+ }
+ }
+
+Before and after this patch only Level 0 is displayed. Without
+/proc/self/fd bind-mount protection it is possible to traverse parent
+directories.
+
+Fixes: 397ae982f4df4 ("virtiofsd: jail lo->proc_self_fd")
+Cc: Miklos Szeredi <mszeredi@redhat.com>
+Cc: Jens Freimann <jfreimann@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20201006095826.59813-1-stefanha@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Tested-by: Jens Freimann <jfreimann@redhat.com>
+Reviewed-by: Jens Freimann <jfreimann@redhat.com>
+Signed-off-by: Dr.
David Alan Gilbert <dgilbert@redhat.com>
+
+
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c]
+CVE: CVE-2020-35517
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ tools/virtiofsd/passthrough_ll.c | 34 +++++++++++---------------------
+ 1 file changed, 11 insertions(+), 23 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 477e6ee0b53..ff53df44510 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -2393,8 +2393,6 @@ static void setup_wait_parent_capabilities(void)
+ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
+ {
+ pid_t child;
+- char template[] = "virtiofsd-XXXXXX";
+- char *tmpdir;
+
+ /*
+ * Create a new pid namespace for *child* processes. We'll have to
+@@ -2458,33 +2456,23 @@ static void setup_namespaces(struct lo_data *lo, struct fuse_session *se)
+ exit(1);
+ }
+
+- tmpdir = mkdtemp(template);
+- if (!tmpdir) {
+- fuse_log(FUSE_LOG_ERR, "tmpdir(%s): %m\n", template);
+- exit(1);
+- }
+-
+- if (mount("/proc/self/fd", tmpdir, NULL, MS_BIND, NULL) < 0) {
+- fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, %s, MS_BIND): %m\n",
+- tmpdir);
++ /*
++ * We only need /proc/self/fd. Prevent ".." from accessing parent
++ * directories of /proc/self/fd by bind-mounting it over /proc. Since / was
++ * previously remounted with MS_REC | MS_SLAVE this mount change only
++ * affects our process.
++ */
++ if (mount("/proc/self/fd", "/proc", NULL, MS_BIND, NULL) < 0) {
++ fuse_log(FUSE_LOG_ERR, "mount(/proc/self/fd, MS_BIND): %m\n");
+ exit(1);
+ }
+
+- /* Now we can get our /proc/self/fd directory file descriptor */
+- lo->proc_self_fd = open(tmpdir, O_PATH);
++ /* Get the /proc (actually /proc/self/fd, see above) file descriptor */
++ lo->proc_self_fd = open("/proc", O_PATH);
+ if (lo->proc_self_fd == -1) {
+- fuse_log(FUSE_LOG_ERR, "open(%s, O_PATH): %m\n", tmpdir);
++ fuse_log(FUSE_LOG_ERR, "open(/proc, O_PATH): %m\n");
+ exit(1);
+ }
+-
+- if (umount2(tmpdir, MNT_DETACH) < 0) {
+- fuse_log(FUSE_LOG_ERR, "umount2(%s, MNT_DETACH): %m\n", tmpdir);
+- exit(1);
+- }
+-
+- if (rmdir(tmpdir) < 0) {
+- fuse_log(FUSE_LOG_ERR, "rmdir(%s): %m\n", tmpdir);
+- }
+ }
+
+ /*
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
new file mode 100644
index 0000000000..31440af0bd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
@@ -0,0 +1,74 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+While activating device in vmxnet3_acticate_device(), it does not
+validate guest supplied configuration values against predefined
+minimum - maximum limits. This may lead to integer overflow or
+OOB access issues. Add checks to avoid it.
+
+Fixes: CVE-2021-20203
+Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
+Reported-by: Gaoning Pan <pgn@zju.edu.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+
+Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html]
+CVE: CVE-2021-20203
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ hw/net/vmxnet3.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index eff299f629..4a910ca971 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ vmxnet3_setup_rx_filtering(s);
+ /* Cache fields from shared memory */
+ s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
++ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
+ VMW_CFPRN("MTU is %u", s->mtu);
+
+ s->max_rx_frags =
+@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* Read rings memory locations for TX queues */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
++ if (size > VMXNET3_TX_RING_MAX_SIZE) {
++ size = VMXNET3_TX_RING_MAX_SIZE;
++ }
+
+ vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
+ sizeof(struct Vmxnet3_TxDesc), false);
+@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* TXC ring */
+ pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
++ if (size > VMXNET3_TC_RING_MAX_SIZE) {
++ size = VMXNET3_TC_RING_MAX_SIZE;
++ }
+
+
vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
+ sizeof(struct Vmxnet3_TxCompDesc), true);
+ VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RX rings */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
++ if (size > VMXNET3_RX_RING_MAX_SIZE) {
++ size = VMXNET3_RX_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
+ sizeof(struct Vmxnet3_RxDesc), false);
+ VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ /* RXC ring */
+ pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
+ size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
++ if (size > VMXNET3_RC_RING_MAX_SIZE) {
++ size = VMXNET3_RC_RING_MAX_SIZE;
++ }
+ vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
+ sizeof(struct Vmxnet3_RxCompDesc), true);
+ VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/quilt/quilt.inc b/meta/recipes-devtools/quilt/quilt.inc
index d6d06c049c..d7ecda7aaa 100644
--- a/meta/recipes-devtools/quilt/quilt.inc
+++ b/meta/recipes-devtools/quilt/quilt.inc
@@ -30,7 +30,7 @@ EXTRA_OECONF = "--with-perl='${USRBINPATH}/env perl' --with-patch=patch"
 EXTRA_OECONF_append_class-native = " --disable-nls"
 EXTRA_AUTORECONF += "--exclude=aclocal"
-CACHED_CONFIGUREVARS += "ac_cv_path_BASH=/bin/bash"
+CACHED_CONFIGUREVARS += "ac_cv_path_BASH=/bin/bash ac_cv_path_COLUMN=column"
 # Make sure we don't have "-w" in shebang lines: it breaks using
 # "/usr/bin/env perl" as parser
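Review bot: The MTU check added in the `@@ -1420` hunk is `assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU)`, so an out-of-range value in guest-written shared memory aborts the whole emulator, whereas the ring sizes read from the same shared memory in the four following hunks are silently clamped to their `*_RING_MAX_SIZE`; treating two fields of the same untrusted structure so differently within one patch deserves a comment, and the clamp branches log nothing, so a trace such as `VMW_CFPRN("TX ring size clamped to %u", size)` alongside the existing `VMW_CFPRN("MTU is %u", s->mtu)` would make the condition visible in the device log. Separately, the patch header's `Upstream-Status: Acepted` is misspelled (OE's documented value is `Accepted`) and the file has no `From <sha>` line, only the mailing-list URL, so it cannot be matched to the upstream commit by hash; both are worth fixing before the patch is carried on a stable branch.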
diff --git a/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
new file mode 100644
index 0000000000..2d51ddf965
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
@@ -0,0 +1,31 @@
+From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001
+From: Matt McCutchen <matt@mattmccutchen.net>
+Date: Wed, 26 Aug 2020 12:16:08 -0400
+Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
+ openssl.
+
+CVE: CVE-2020-14387
+
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ rsync-ssl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync-ssl b/rsync-ssl
+index 8101975..46701af 100755
+--- a/rsync-ssl
++++ b/rsync-ssl
+@@ -129,7 +129,7 @@ function rsync_ssl_helper {
+ fi
+
+ if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
++ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+ elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
+ else
+--
+2.17.1
+
diff --git a/meta/recipes-devtools/rsync/files/determism.patch b/meta/recipes-devtools/rsync/files/determism.patch
new file mode 100644
index 0000000000..53a4ca7505
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/determism.patch
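Review bot: Adding `-verify_hostname $hostname` makes s_client check the certificate's name, but s_client on its own only reports a verification failure and carries on with the session unless `-verify_return_error` is also given; whether that flag is present depends on `$caopt` and `$certopt`, which are assembled outside this hunk, so the backport should confirm that the openssl path in this rsync version passes it, otherwise the CVE-2020-14387 fix does not actually abort on a name mismatch. The `From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea` header and the `Upstream-Status: Backport [...h=c3f7414]` tag name two different commits; a short remark stating which hash is the original and which the branch pick would keep the provenance unambiguous. The enclosing `rsync_ssl_helper` function starts and ends outside the hunk.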
@@ -0,0 +1,28 @@
+The Makefile calls awk on a "*.c" glob. The results of this glob are sorted
+but the order depends on the locale settings, particularly whether
+"util.c" and "util2.c" sort before or after each other. In en_US.UTF-8
+they sort one way, in C, they sort the other. The sorting order changes
+the output binaries. The behaviour also changes dependning on whether
+SHELL (/bin/sh) is dash or bash.
+
+Specify a C locale setting to be deterministic.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Upstream-Status: Pending
+
+Index: rsync-3.2.3/Makefile.in
+===================================================================
+--- rsync-3.2.3.orig/Makefile.in
++++ rsync-3.2.3/Makefile.in
+@@ -26,6 +26,11 @@ MKDIR_P=@MKDIR_P@
+ VPATH=$(srcdir)
+ SHELL=/bin/sh
+
++# We use globbing in commands, need to be deterministic
++unexport LC_ALL
++LC_COLLATE=C
++export LC_COLLATE
++
+ .SUFFIXES:
+ .SUFFIXES: .c .o
+
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.3.bb b/meta/recipes-devtools/rsync/rsync_3.2.3.bb
index 375efa0dea..df4fbbd0d2 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.3.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.3.bb
@@ -12,6 +12,8 @@ DEPENDS = "popt"
 SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
 file://rsyncd.conf \
 file://makefile-no-rebuild.patch \
+ file://determism.patch \
+ file://0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch \
 "
 SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e"
@@ -38,7 +40,7 @@ PACKAGECONFIG[zstd] = "--enable-zstd,--disable-zstd,zstd"
 CACHED_CONFIGUREVARS += "rsync_cv_can_hardlink_special=yes rsync_cv_can_hardlink_symlink=yes"
 EXTRA_OEMAKE = 'STRIP=""'
-EXTRA_OECONF = "--disable-simd --disable-md2man --disable-asm"
+EXTRA_OECONF = "--disable-simd --disable-md2man --disable-asm --with-nobody-group=nogroup"
 # rsync 3.0 uses configure.sh instead of configure, and
 # makefile checks the existence of configure.sh
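Review bot: `--with-nobody-group=nogroup` in the `@@ -38,7 +40,7 @@` hunk fixes the unprivileged group that rsync daemon modules drop to, so the target image must actually provide a `nogroup` group at runtime; nothing in the recipe shows where that group is guaranteed to exist, and the EXTRA_OECONF line gives no hint why the configure default was overridden. A comment on the line, e.g. `# rsyncd modules drop to this group; it must exist on the target (presumably from base-passwd)`, would state the assumption for whoever builds a minimal image without it.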
diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
index f84a7e18c8..95dccb9cae 100755
--- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
@@ -72,12 +72,12 @@ exec_postinst_scriptlets() {
 else
 echo "ERROR: postinst $i failed."
 [ "$POSTINST_LOGGING" = "1" ] && eval echo "ERROR: postinst $i failed." $append_log
- remove_pi_dir=0
+ remove_rcsd_link=0
 fi
 done
 }
-remove_pi_dir=1
+remove_rcsd_link=1
 if $pm_installed; then
 case $pm in
 "ipk")
@@ -92,9 +92,7 @@ else
 exec_postinst_scriptlets
 fi
-# since all postinstalls executed successfully, remove the postinstalls directory
-# and the rcS.d link
-if [ $remove_pi_dir = 1 ]; then
- rm -rf $pi_dir
+# since all postinstalls executed successfully, remove the rcS.d link
+if [ $remove_rcsd_link = 1 ]; then
 remove_rcsd_link
 fi
diff --git a/meta/recipes-devtools/strace/strace/run-ptest b/meta/recipes-devtools/strace/strace/run-ptest
index 4660207220..3a51fb0be9 100755
--- a/meta/recipes-devtools/strace/strace/run-ptest
+++ b/meta/recipes-devtools/strace/strace/run-ptest
@@ -1,5 +1,5 @@
 #!/bin/sh
-export TIMEOUT_DURATION=120
+export TIMEOUT_DURATION=240
 chown nobody tests
 chown nobody tests/*
 chown nobody ../ptest
diff --git a/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb b/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
index ed14fe66b1..c1b05691b8 100644
--- a/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
+++ b/meta/recipes-devtools/tcf-agent/tcf-agent_git.bb
@@ -48,6 +48,7 @@ CFLAGS_append_libc-musl = " ${LCL_STOP_SERVICES}"
 CFLAGS_append_powerpc64 = " ${LCL_STOP_SERVICES}"
 CFLAGS_append_powerpc64le = " ${LCL_STOP_SERVICES}"
 CFLAGS_append_riscv64 = " ${LCL_STOP_SERVICES}"
+CFLAGS_append_riscv32 = " ${LCL_STOP_SERVICES}"
 do_install() {
 oe_runmake install INSTALLROOT=${D}
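Review bot: With `rm -rf $pi_dir` gone from the `@@ -92,9 +92,7 @@` hunk, this script no longer deletes the postinst scriptlet directory after a fully successful run, so the executed scriptlets remain on the root filesystem, and the rewritten comment says only that the rcS.d link is removed without saying who now owns removal of the scriptlets themselves — presumably the package-manager branches earlier in the script, which lie outside this hunk. A comment such as `# the scriptlets are cleaned up by the package-manager paths above; only the rcS.d link is removed here` would make that ownership explicit. The flag `remove_rcsd_link=1` also shares its name with the `remove_rcsd_link` function it guards; that is legal in sh but easy to misread, so a distinct name like `rcsd_link_stale=1` would help.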
diff --git a/meta/recipes-devtools/valgrind/valgrind/0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch b/meta/recipes-devtools/valgrind/valgrind/0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch
new file mode 100644
index 0000000000..0bd8273cd8
--- /dev/null
+++ b/meta/recipes-devtools/valgrind/valgrind/0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch
@@ -0,0 +1,36 @@
+From d8c19e0bb9ca2fd48f223e1fdeffcafeb0aa1745 Mon Sep 17 00:00:00 2001
+From: Yi Fan Yu <yifan.yu@windriver.com>
+Date: Wed, 17 Feb 2021 14:53:44 -0500
+Subject: [PATCH] gdbserver_tests: Disable nlcontrolc.vgtest for x86-64
+
+Test hangs after glibc 2.33 uprev
+
+Using gdb to modify the timeout argument no longer
+affects how long `select` wait.
+
+https://bugs.kde.org/show_bug.cgi?id=432870
+Upstream-Status: Pending
+Waiting for upstream to take action.
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ gdbserver_tests/nlcontrolc.vgtest | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gdbserver_tests/nlcontrolc.vgtest b/gdbserver_tests/nlcontrolc.vgtest
+index bb5308403..96d2b52bb 100644
+--- a/gdbserver_tests/nlcontrolc.vgtest
++++ b/gdbserver_tests/nlcontrolc.vgtest
+@@ -13,7 +13,8 @@ args: 1000000000 1000000000 1000000000 BSBSBSBS 1
+ vgopts: --tool=none --vgdb=yes --vgdb-error=0 --vgdb-prefix=./vgdb-prefix-nlcontrolc
+ stderr_filter: filter_stderr
+ # Bug 338633 nlcontrol hangs on arm64 currently.
+-prereq: test -e gdb -a -f vgdb.invoker && ! ../tests/arch_test arm64 && ! ../tests/os_test solaris
++# Bug 432870 nlcontrolc hangs on x86-64 starting with glibc 2.33
++prereq: test -e gdb -a -f vgdb.invoker && ! ../tests/arch_test arm64 && ! ../tests/os_test solaris && ! ../tests/arch_test amd64
+ progB: gdb
+ argsB: --quiet -l 60 --nx ./sleepers
+ stdinB: nlcontrolc.stdinB.gdb
+--
+2.29.2
+
diff --git a/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch b/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
index 7985308e41..0c399ef52c 100644
--- a/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
+++ b/meta/recipes-devtools/valgrind/valgrind/0005-Modify-vg_test-wrapper-to-support-PTEST-formats.patch
@@ -19,6 +19,11 @@ Upstream-Status: Pending
 Signed-off-by: Dave Lerner <dave.lerner@windriver.com>
 Signed-off-by: Tudor Florea <tudor.florea@enea.com>
 Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
+
+Increase time limit to 90 s.
+(double of the expected time of drd/tests/std_list on qemuarm64)
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
 ---
 tests/vg_regtest.in | 75 +++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 55 insertions(+), 20 deletions(-)
@@ -66,7 +71,7 @@ index a441f42..cb05b52 100755
 # Since most of the program time is spent in system() calls, need this to
 # propagate a Ctrl-C enabling us to quit.
 -sub mysystem($)
-+# Enforce 30 seconds limit for the test.
++# Enforce 90 seconds limit for the test.
 +# This resume execution of the remaining tests if valgrind hangs.
 +sub mysystem($)
 {
@@ -76,7 +81,7 @@ index a441f42..cb05b52 100755
 + my $exit_code=0;
 + eval {
 + local $SIG{'ALRM'} = sub { die "timed out\n" };
-+ alarm(30);
++ alarm(90);
 + $exit_code = system($_[0]);
 + alarm (0);
 + ($exit_code == 2) and die "SIGINT\n"; # 2 is SIGINT
diff --git a/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb b/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
index 25fa58249c..fc070dec78 100644
--- a/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
+++ b/meta/recipes-devtools/valgrind/valgrind_3.16.1.bb
@@ -44,6 +44,7 @@ SRC_URI = "https://sourceware.org/pub/valgrind/valgrind-${PV}.tar.bz2 \
 file://0001-drd-Port-to-Fedora-33.patch \
 file://0001-drd-musl-fix.patch \
 file://0001-helgrind-Intercept-libc-functions.patch \
+ file://0001-gdbserver_tests-Disable-nlcontrolc.vgtest-for-x86-64.patch \
 "
 SRC_URI[md5sum] = "d1b153f1ab17cf1f311705e7a83ef589"
 SRC_URI[sha256sum] = "c91f3a2f7b02db0f3bc99479861656154d241d2fdb265614ba918cc6720a33ca"
diff --git a/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb b/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
index 7d27c43c83..5ed2709e31 100644
--- a/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
+++ b/meta/recipes-devtools/xmlto/xmlto_0.0.28.bb
@@ -29,7 +29,7 @@ RDEPENDS_${PN}_append_class-target = " \
 libxslt-bin \
 coreutils \
 "
-CACHED_CONFIGUREVARS += "ac_cv_path_TAIL=tail"
+CACHED_CONFIGUREVARS += "ac_cv_path_TAIL=tail ac_cv_path_GREP=grep"
 BBCLASSEXTEND = "native"
diff --git a/meta/recipes-extended/acpica/acpica_20200717.bb b/meta/recipes-extended/acpica/acpica_20200717.bb
index d1d06c0c24..e3c8c2bdfb 100644
--- a/meta/recipes-extended/acpica/acpica_20200717.bb
+++ b/meta/recipes-extended/acpica/acpica_20200717.bb
@@ -34,6 +34,8 @@ EXTRA_OEMAKE = "CC='${CC}' \
 PREFIX=${prefix} \
 INSTALLDIR=${bindir} \
 INSTALLFLAGS= \
+ YACC=bison \
+ YFLAGS='-y --file-prefix-map=${WORKDIR}=/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}' \
 "
 do_install() {
diff --git a/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb b/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb
index 711bfbfb9b..5fd3832ef9 100644
--- a/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb
+++ b/meta/recipes-extended/asciidoc/asciidoc_9.0.2.bb
@@ -8,7 +8,7 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=4e5d1baf6f20559e3bec172226a47e4e \
 file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 "
-SRC_URI = "git://github.com/asciidoc/asciidoc-py3;protocol=https \
+SRC_URI = "git://github.com/asciidoc/asciidoc-py3;protocol=https;branch=main \
 file://auto-catalogs.patch"
 SRCREV = "9a407dc9a497364c91421fd961954eddb565baf1"
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index e7a704134c..244c87001f 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -15,6 +15,7 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
 file://0004-cups-fix-multilib-install-file-conflicts.patch \
 file://volatiles.99_cups \
 file://cups-volatiles.conf \
+ file://CVE-2020-10001.patch \
 "
 UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
@@ -54,6 +55,8 @@ EXTRA_OECONF = " \
 --enable-debug \
 --disable-relro \
 --enable-libusb \
+ --with-system-groups=lpadmin \
+ --with-cups-group=lp \
 --with-domainsocket=/run/cups/cups.sock \
 DSOFLAGS='${LDFLAGS}' \
 "
diff --git a/meta/recipes-extended/cups/cups/CVE-2020-10001.patch b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
new file mode 100644
index 0000000000..09a0a5765d
--- /dev/null
+++ b/meta/recipes-extended/cups/cups/CVE-2020-10001.patch
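Review bot: In the cups.inc `@@ -54,6 +55,8 @@` hunk, `--with-system-groups=lpadmin` names the group whose members may administer cupsd (manage printers and change its configuration), and `--with-cups-group=lp` is the group cupsd runs as and that owns its files, so both groups have to exist on the target at runtime; nothing in this hunk shows where they are created, and cupsd presumably refuses a missing `Group` at startup, so the recipe should either create them (useradd class) or document the expectation, e.g. `# lpadmin = cupsd SystemGroup (admin rights); lp = cupsd run-as group; both must exist on the target`. The adjacent context line `--disable-relro` predates this change but now sits next to the new privilege settings of a network-facing daemon; it is worth a separate look.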
@@ -0,0 +1,74 @@
+From efbea1742bd30f842fbbfb87a473e5c84f4162f9 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 1 Feb 2021 15:02:32 -0500
+Subject: [PATCH] Fix a buffer (read) overflow in ippReadIO (CVE-2020-10001)
+
+Upstream-Status: Backport
+CVE: CVE-2020-10001
+
+Reference to upstream patch:
+[https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9]
+
+[SG: Addapted for version 2.3.3]
+Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
+---
+ CHANGES.md | 2 ++
+ cups/ipp.c | 8 +++++---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGES.md b/CHANGES.md
+index df72892..5ca12da 100644
+--- a/CHANGES.md
++++ b/CHANGES.md
+@@ -4,6 +4,8 @@ CHANGES - 2.3.3 - 2020-04-24
+ Changes in CUPS v2.3.3
+ ----------------------
+
++- Security: Fixed a buffer (read) overflow in the `ippReadIO` function
++ (CVE-2020-10001)
+ - CVE-2020-3898: The `ppdOpen` function did not handle invalid UI
+ constraint. `ppdcSource::get_resolution` function did not handle
+ invalid resolution strings.
+diff --git a/cups/ipp.c b/cups/ipp.c
+index 3d52934..adbb26f 100644
+--- a/cups/ipp.c
++++ b/cups/ipp.c
+@@ -2866,7 +2866,8 @@ ippReadIO(void *src, /* I - Data source */
+ unsigned char *buffer, /* Data buffer */
+ string[IPP_MAX_TEXT],
+ /* Small string buffer */
+- *bufptr; /* Pointer into buffer */
++ *bufptr, /* Pointer into buffer */
++ *bufend; /* End of buffer */
+ ipp_attribute_t *attr; /* Current attribute */
+ ipp_tag_t tag; /* Current tag */
+ ipp_tag_t value_tag; /* Current value tag */
+@@ -3441,6 +3442,7 @@ ippReadIO(void *src, /* I - Data source */
+ }
+
+ bufptr = buffer;
++ bufend = buffer + n;
+
+ /*
+ * text-with-language and name-with-language are composite
+@@ -3454,7 +3456,7 @@ ippReadIO(void *src, /* I - Data source */
+
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE) || n >= (int)sizeof(string))
++ if ((bufptr + 2 + n + 2) > bufend || n >= (int)sizeof(string))
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP language length overflows value."), 1);
+@@ -3481,7 +3483,7 @@ ippReadIO(void *src, /* I - Data source */
+ bufptr += 2 + n;
+ n = (bufptr[0] << 8) | bufptr[1];
+
+- if ((bufptr + 2 + n) >= (buffer + IPP_BUF_SIZE))
++ if ((bufptr + 2 + n) > bufend)
+ {
+ _cupsSetError(IPP_STATUS_ERROR_INTERNAL,
+ _("IPP string length overflows value."), 1);
+--
+2.17.1
+
diff --git a/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb b/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
index 65a99fc28d..02b016fdf1 100644
--- a/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
+++ b/meta/recipes-extended/cwautomacros/cwautomacros_20110201.bb
@@ -13,7 +13,7 @@ do_configure() {
 }
 do_install() {
- oe_runmake CWAUTOMACROSPREFIX=${D}${prefix} install
+ oe_runmake LABEL=`date -d @${SOURCE_DATE_EPOCH} +%Y%m%d` CWAUTOMACROSPREFIX=${D}${prefix} install
 # cleanup buildpaths in autogen.sh
 sed -i -e 's,${D},,g' ${D}${prefix}/share/cwautomacros/scripts/autogen.sh
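Review bot: The cwautomacros do_install line `LABEL=\`date -d @${SOURCE_DATE_EPOCH} +%Y%m%d\`` assumes SOURCE_DATE_EPOCH is set; in a configuration that does not inherit reproducible_build the expansion becomes `date -d @ +%Y%m%d`, which fails and leaves LABEL empty, so the installed label silently changes instead of the build failing. A guard before the call such as `[ -n "${SOURCE_DATE_EPOCH}" ] || bbfatal "SOURCE_DATE_EPOCH is unset"` fails loudly, and a short comment on the line, e.g. `# LABEL defaults to the build date; pin it to SOURCE_DATE_EPOCH for reproducible output`, explains why the make variable is overridden. The rest of do_install is within the hunk.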
diff --git a/meta/recipes-extended/groff/files/0001-Include-config.h.patch b/meta/recipes-extended/groff/files/0001-Include-config.h.patch
index 348a61d9df..46065bc513 100644
--- a/meta/recipes-extended/groff/files/0001-Include-config.h.patch
+++ b/meta/recipes-extended/groff/files/0001-Include-config.h.patch
@@ -17,6 +17,9 @@ In file included from TOPDIR/build/tmp/work/aarch64-yoe-linux-musl/groff/1.22.4-
 ^
 ./lib/math.h:40:1: error: unknown type name '_GL_INLINE_HEADER_BEGIN'
+We delete eqn.cpp and qen.hpp in do_configure
+to ensure they're regenerated and deterministic.
+
 Upstream-Status: Pending
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
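Review bot: The added description line `We delete eqn.cpp and qen.hpp in do_configure` names `qen.hpp`, which is presumably a typo for `eqn.hpp`, the header generated alongside eqn.cpp; since the deletion happens in the recipe's do_configure rather than in this patch, the sentence would be clearer as `The pre-generated eqn.cpp and eqn.hpp are deleted in the recipe's do_configure so that bison regenerates them deterministically.`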
@@ -140,1029 +143,6 @@ index f95c05e..d875045 100644 #include <string.h> #include <stdlib.h> -diff --git a/src/preproc/eqn/eqn.cpp b/src/preproc/eqn/eqn.cpp -index 4ede465..fdd9484 100644 ---- a/src/preproc/eqn/eqn.cpp -+++ b/src/preproc/eqn/eqn.cpp -@@ -1,8 +1,9 @@ --/* A Bison parser, made by GNU Bison 3.2. */ -+/* A Bison parser, made by GNU Bison 3.4.1. */ - - /* Bison implementation for Yacc-like parsers in C - -- Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc. -+ Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation, -+ Inc. - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by -@@ -47,7 +48,7 @@ - #define YYBISON 1 - - /* Bison version. */ --#define YYBISON_VERSION "3.2" -+#define YYBISON_VERSION "3.4.1" - - /* Skeleton name. */ - #define YYSKELETON_NAME "yacc.c" -@@ -65,7 +66,11 @@ - - - /* First part of user prologue. */ --#line 18 "../src/preproc/eqn/eqn.ypp" /* yacc.c:338 */ -+#line 18 "src/preproc/eqn/eqn.ypp" -+ -+#if HAVE_CONFIG_H -+# include <config.h> -+#endif - - #include <stdio.h> - #include <string.h> -@@ -77,7 +82,8 @@ extern int non_empty_flag; - int yylex(); - void yyerror(const char *); - --#line 81 "src/preproc/eqn/eqn.cpp" /* yacc.c:338 */ -+#line 86 "src/preproc/eqn/eqn.cpp" -+ - # ifndef YY_NULLPTR - # if defined __cplusplus - # if 201103L <= __cplusplus -@@ -98,8 +104,8 @@ void yyerror(const char *); - # define YYERROR_VERBOSE 0 - #endif - --/* In a future release of Bison, this section will be replaced -- by #include "y.tab.h". */ -+/* Use api.header.include to #include this header -+ instead of duplicating it here. */ - #ifndef YY_YY_SRC_PREPROC_EQN_EQN_HPP_INCLUDED - # define YY_YY_SRC_PREPROC_EQN_EQN_HPP_INCLUDED - /* Debug traces. */ -@@ -237,10 +243,9 @@ extern int yydebug; - - /* Value type. */ - #if ! defined YYSTYPE && ! 
defined YYSTYPE_IS_DECLARED -- - union YYSTYPE - { --#line 30 "../src/preproc/eqn/eqn.ypp" /* yacc.c:353 */ -+#line 34 "src/preproc/eqn/eqn.ypp" - - char *str; - box *b; -@@ -249,9 +254,9 @@ union YYSTYPE - int n; - column *col; - --#line 253 "src/preproc/eqn/eqn.cpp" /* yacc.c:353 */ --}; -+#line 258 "src/preproc/eqn/eqn.cpp" - -+}; - typedef union YYSTYPE YYSTYPE; - # define YYSTYPE_IS_TRIVIAL 1 - # define YYSTYPE_IS_DECLARED 1 -@@ -366,6 +371,8 @@ typedef short yytype_int16; - #endif - - -+#define YY_ASSERT(E) ((void) (0 && (E))) -+ - #if ! defined yyoverflow || YYERROR_VERBOSE - - /* The parser invokes alloca or malloc; define the necessary symbols. */ -@@ -508,16 +515,16 @@ union yyalloc - /* YYNSTATES -- Number of states. */ - #define YYNSTATES 142 - --/* YYTRANSLATE[YYX] -- Symbol number corresponding to YYX as returned -- by yylex, with out-of-bounds checking. */ - #define YYUNDEFTOK 2 - #define YYMAXUTOK 315 - -+/* YYTRANSLATE(TOKEN-NUM) -- Symbol number corresponding to TOKEN-NUM -+ as returned by yylex, with out-of-bounds checking. */ - #define YYTRANSLATE(YYX) \ - ((unsigned) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK) - - /* YYTRANSLATE[TOKEN-NUM] -- Symbol number corresponding to TOKEN-NUM -- as returned by yylex, without out-of-bounds checking. */ -+ as returned by yylex. */ - static const yytype_uint8 yytranslate[] = - { - 0, 2, 2, 2, 2, 2, 2, 2, 2, 63, -@@ -558,14 +565,14 @@ static const yytype_uint8 yytranslate[] = - /* YYRLINE[YYN] -- Source line where rule number YYN was defined. 
*/ - static const yytype_uint16 yyrline[] = - { -- 0, 121, 121, 123, 128, 130, 141, 143, 145, 150, -- 152, 154, 156, 158, 163, 165, 167, 169, 174, 176, -- 181, 183, 185, 190, 192, 194, 196, 198, 200, 202, -- 204, 206, 208, 210, 212, 214, 216, 218, 220, 222, -- 224, 226, 228, 230, 232, 234, 236, 238, 240, 242, -- 244, 246, 248, 250, 252, 254, 259, 269, 271, 276, -- 278, 283, 285, 290, 292, 297, 299, 304, 306, 308, -- 310, 314, 316, 321, 323, 325 -+ 0, 125, 125, 127, 132, 134, 145, 147, 149, 154, -+ 156, 158, 160, 162, 167, 169, 171, 173, 178, 180, -+ 185, 187, 189, 194, 196, 198, 200, 202, 204, 206, -+ 208, 210, 212, 214, 216, 218, 220, 222, 224, 226, -+ 228, 230, 232, 234, 236, 238, 240, 242, 244, 246, -+ 248, 250, 252, 254, 256, 258, 263, 273, 275, 280, -+ 282, 287, 289, 294, 296, 301, 303, 308, 310, 312, -+ 314, 318, 320, 325, 327, 329 - }; - #endif - -@@ -818,22 +825,22 @@ static const yytype_uint8 yyr2[] = - - #define YYRECOVERING() (!!yyerrstatus) - --#define YYBACKUP(Token, Value) \ --do \ -- if (yychar == YYEMPTY) \ -- { \ -- yychar = (Token); \ -- yylval = (Value); \ -- YYPOPSTACK (yylen); \ -- yystate = *yyssp; \ -- goto yybackup; \ -- } \ -- else \ -- { \ -- yyerror (YY_("syntax error: cannot back up")); \ -- YYERROR; \ -- } \ --while (0) -+#define YYBACKUP(Token, Value) \ -+ do \ -+ if (yychar == YYEMPTY) \ -+ { \ -+ yychar = (Token); \ -+ yylval = (Value); \ -+ YYPOPSTACK (yylen); \ -+ yystate = *yyssp; \ -+ goto yybackup; \ -+ } \ -+ else \ -+ { \ -+ yyerror (YY_("syntax error: cannot back up")); \ -+ YYERROR; \ -+ } \ -+ while (0) - - /* Error token number */ - #define YYTERROR 1 -@@ -948,7 +955,7 @@ yy_reduce_print (yytype_int16 *yyssp, YYSTYPE *yyvsp, int yyrule) - YYFPRINTF (stderr, " $%d = ", yyi + 1); - yy_symbol_print (stderr, - yystos[yyssp[yyi + 1 - yynrhs]], -- &(yyvsp[(yyi + 1) - (yynrhs)]) -+ &yyvsp[(yyi + 1) - (yynrhs)] - ); - YYFPRINTF (stderr, "\n"); - } -@@ -1052,7 +1059,10 @@ yytnamerr (char *yyres, const char *yystr) - case '\\': - if 
(*++yyp != '\\') - goto do_not_strip_quotes; -- /* Fall through. */ -+ else -+ goto append; -+ -+ append: - default: - if (yyres) - yyres[yyn] = *yyp; -@@ -1148,10 +1158,10 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg, - yyarg[yycount++] = yytname[yyx]; - { - YYSIZE_T yysize1 = yysize + yytnamerr (YY_NULLPTR, yytname[yyx]); -- if (! (yysize <= yysize1 -- && yysize1 <= YYSTACK_ALLOC_MAXIMUM)) -+ if (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM) -+ yysize = yysize1; -+ else - return 2; -- yysize = yysize1; - } - } - } -@@ -1175,9 +1185,10 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg, - - { - YYSIZE_T yysize1 = yysize + yystrlen (yyformat); -- if (! (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM)) -+ if (yysize <= yysize1 && yysize1 <= YYSTACK_ALLOC_MAXIMUM) -+ yysize = yysize1; -+ else - return 2; -- yysize = yysize1; - } - - if (*yymsg_alloc < yysize) -@@ -1303,23 +1314,33 @@ yyparse (void) - yychar = YYEMPTY; /* Cause a token to be read. */ - goto yysetstate; - -+ - /*------------------------------------------------------------. --| yynewstate -- Push a new state, which is found in yystate. | -+| yynewstate -- push a new state, which is found in yystate. | - `------------------------------------------------------------*/ -- yynewstate: -+yynewstate: - /* In all cases, when you get here, the value and location stacks - have just been pushed. So pushing a state here evens the stacks. */ - yyssp++; - -- yysetstate: -+ -+/*--------------------------------------------------------------------. -+| yynewstate -- set current state (the top of the stack) to yystate. 
| -+`--------------------------------------------------------------------*/ -+yysetstate: -+ YYDPRINTF ((stderr, "Entering state %d\n", yystate)); -+ YY_ASSERT (0 <= yystate && yystate < YYNSTATES); - *yyssp = (yytype_int16) yystate; - - if (yyss + yystacksize - 1 <= yyssp) -+#if !defined yyoverflow && !defined YYSTACK_RELOCATE -+ goto yyexhaustedlab; -+#else - { - /* Get the current used size of the three stacks, in elements. */ - YYSIZE_T yysize = (YYSIZE_T) (yyssp - yyss + 1); - --#ifdef yyoverflow -+# if defined yyoverflow - { - /* Give user a chance to reallocate the stack. Use copies of - these so that the &'s don't force the real ones into -@@ -1338,10 +1359,7 @@ yyparse (void) - yyss = yyss1; - yyvs = yyvs1; - } --#else /* no yyoverflow */ --# ifndef YYSTACK_RELOCATE -- goto yyexhaustedlab; --# else -+# else /* defined YYSTACK_RELOCATE */ - /* Extend the stack our own way. */ - if (YYMAXDEPTH <= yystacksize) - goto yyexhaustedlab; -@@ -1357,12 +1375,11 @@ yyparse (void) - goto yyexhaustedlab; - YYSTACK_RELOCATE (yyss_alloc, yyss); - YYSTACK_RELOCATE (yyvs_alloc, yyvs); --# undef YYSTACK_RELOCATE -+# undef YYSTACK_RELOCATE - if (yyss1 != yyssa) - YYSTACK_FREE (yyss1); - } - # endif --#endif /* no yyoverflow */ - - yyssp = yyss + yysize - 1; - yyvsp = yyvs + yysize - 1; -@@ -1373,19 +1390,18 @@ yyparse (void) - if (yyss + yystacksize - 1 <= yyssp) - YYABORT; - } -- -- YYDPRINTF ((stderr, "Entering state %d\n", yystate)); -+#endif /* !defined yyoverflow && !defined YYSTACK_RELOCATE */ - - if (yystate == YYFINAL) - YYACCEPT; - - goto yybackup; - -+ - /*-----------. - | yybackup. | - `-----------*/ - yybackup: -- - /* Do appropriate processing given the current state. Read a - lookahead token if we need one and don't already have one. */ - -@@ -1443,7 +1459,6 @@ yybackup: - YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN - *++yyvsp = yylval; - YY_IGNORE_MAYBE_UNINITIALIZED_END -- - goto yynewstate; - - -@@ -1458,7 +1473,7 @@ yydefault: - - - /*-----------------------------. 
--| yyreduce -- Do a reduction. | -+| yyreduce -- do a reduction. | - `-----------------------------*/ - yyreduce: - /* yyn is the number of a rule to reduce with. */ -@@ -1478,20 +1493,20 @@ yyreduce: - YY_REDUCE_PRINT (yyn); - switch (yyn) - { -- case 3: --#line 124 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+ case 3: -+#line 128 "src/preproc/eqn/eqn.ypp" - { (yyvsp[0].b)->top_level(); non_empty_flag = 1; } --#line 1485 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1500 "src/preproc/eqn/eqn.cpp" - break; - - case 4: --#line 129 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 133 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = (yyvsp[0].b); } --#line 1491 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1506 "src/preproc/eqn/eqn.cpp" - break; - - case 5: --#line 131 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 135 "src/preproc/eqn/eqn.ypp" - { - list_box *lb = (yyvsp[-1].b)->to_list_box(); - if (!lb) -@@ -1499,436 +1514,437 @@ yyreduce: - lb->append((yyvsp[0].b)); - (yyval.b) = lb; - } --#line 1503 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1518 "src/preproc/eqn/eqn.cpp" - break; - - case 6: --#line 142 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 146 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = (yyvsp[0].b); } --#line 1509 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1524 "src/preproc/eqn/eqn.cpp" - break; - - case 7: --#line 144 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 148 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_mark_box((yyvsp[0].b)); } --#line 1515 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1530 "src/preproc/eqn/eqn.cpp" - break; - - case 8: --#line 146 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 150 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_lineup_box((yyvsp[0].b)); } --#line 1521 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1536 "src/preproc/eqn/eqn.cpp" - break; - - case 9: --#line 151 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 155 
"src/preproc/eqn/eqn.ypp" - { (yyval.b) = (yyvsp[0].b); } --#line 1527 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1542 "src/preproc/eqn/eqn.cpp" - break; - - case 10: --#line 153 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 157 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_limit_box((yyvsp[-2].b), 0, (yyvsp[0].b)); } --#line 1533 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1548 "src/preproc/eqn/eqn.cpp" - break; - - case 11: --#line 155 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 159 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_limit_box((yyvsp[-2].b), (yyvsp[0].b), 0); } --#line 1539 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1554 "src/preproc/eqn/eqn.cpp" - break; - - case 12: --#line 157 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 161 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_limit_box((yyvsp[-4].b), (yyvsp[-2].b), (yyvsp[0].b)); } --#line 1545 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1560 "src/preproc/eqn/eqn.cpp" - break; - - case 13: --#line 159 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 163 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_limit_box((yyvsp[-4].b), make_limit_box((yyvsp[-2].b), (yyvsp[0].b), 0), 0); } --#line 1551 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1566 "src/preproc/eqn/eqn.cpp" - break; - - case 14: --#line 164 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 168 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = (yyvsp[0].b); } --#line 1557 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1572 "src/preproc/eqn/eqn.cpp" - break; - - case 15: --#line 166 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 170 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_sqrt_box((yyvsp[0].b)); } --#line 1563 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1578 "src/preproc/eqn/eqn.cpp" - break; - - case 16: --#line 168 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 172 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_over_box((yyvsp[-2].b), 
(yyvsp[0].b)); } --#line 1569 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1584 "src/preproc/eqn/eqn.cpp" - break; - - case 17: --#line 170 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 174 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_small_over_box((yyvsp[-2].b), (yyvsp[0].b)); } --#line 1575 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1590 "src/preproc/eqn/eqn.cpp" - break; - - case 18: --#line 175 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 179 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = (yyvsp[0].b); } --#line 1581 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1596 "src/preproc/eqn/eqn.cpp" - break; - - case 19: --#line 177 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 181 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_script_box((yyvsp[-2].b), 0, (yyvsp[0].b)); } --#line 1587 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1602 "src/preproc/eqn/eqn.cpp" - break; - - case 20: --#line 182 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 186 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = (yyvsp[0].b); } --#line 1593 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1608 "src/preproc/eqn/eqn.cpp" - break; - - case 21: --#line 184 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 188 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_script_box((yyvsp[-2].b), (yyvsp[0].b), 0); } --#line 1599 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1614 "src/preproc/eqn/eqn.cpp" - break; - - case 22: --#line 186 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 190 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_script_box((yyvsp[-4].b), (yyvsp[-2].b), (yyvsp[0].b)); } --#line 1605 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1620 "src/preproc/eqn/eqn.cpp" - break; - - case 23: --#line 191 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 195 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = split_text((yyvsp[0].str)); } --#line 1611 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1626 
"src/preproc/eqn/eqn.cpp" - break; - - case 24: --#line 193 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 197 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new quoted_text_box((yyvsp[0].str)); } --#line 1617 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1632 "src/preproc/eqn/eqn.cpp" - break; - - case 25: --#line 195 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 199 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = split_text((yyvsp[0].str)); } --#line 1623 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1638 "src/preproc/eqn/eqn.cpp" - break; - - case 26: --#line 197 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 201 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new quoted_text_box((yyvsp[0].str)); } --#line 1629 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1644 "src/preproc/eqn/eqn.cpp" - break; - - case 27: --#line 199 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 203 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new half_space_box; } --#line 1635 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1650 "src/preproc/eqn/eqn.cpp" - break; - - case 28: --#line 201 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 205 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new space_box; } --#line 1641 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1656 "src/preproc/eqn/eqn.cpp" - break; - - case 29: --#line 203 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 207 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new tab_box; } --#line 1647 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1662 "src/preproc/eqn/eqn.cpp" - break; - - case 30: --#line 205 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 209 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = (yyvsp[-1].b); } --#line 1653 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1668 "src/preproc/eqn/eqn.cpp" - break; - - case 31: --#line 207 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 211 "src/preproc/eqn/eqn.ypp" - { (yyvsp[0].pb)->set_alignment(CENTER_ALIGN); (yyval.b) 
= (yyvsp[0].pb); } --#line 1659 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1674 "src/preproc/eqn/eqn.cpp" - break; - - case 32: --#line 209 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 213 "src/preproc/eqn/eqn.ypp" - { (yyvsp[0].pb)->set_alignment(LEFT_ALIGN); (yyval.b) = (yyvsp[0].pb); } --#line 1665 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1680 "src/preproc/eqn/eqn.cpp" - break; - - case 33: --#line 211 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 215 "src/preproc/eqn/eqn.ypp" - { (yyvsp[0].pb)->set_alignment(RIGHT_ALIGN); (yyval.b) = (yyvsp[0].pb); } --#line 1671 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1686 "src/preproc/eqn/eqn.cpp" - break; - - case 34: --#line 213 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 217 "src/preproc/eqn/eqn.ypp" - { (yyvsp[0].pb)->set_alignment(CENTER_ALIGN); (yyval.b) = (yyvsp[0].pb); } --#line 1677 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1692 "src/preproc/eqn/eqn.cpp" - break; - - case 35: --#line 215 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 219 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = (yyvsp[-1].mb); } --#line 1683 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1698 "src/preproc/eqn/eqn.cpp" - break; - - case 36: --#line 217 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 221 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_delim_box((yyvsp[-3].str), (yyvsp[-2].b), (yyvsp[0].str)); } --#line 1689 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1704 "src/preproc/eqn/eqn.cpp" - break; - - case 37: --#line 219 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 223 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_delim_box((yyvsp[-1].str), (yyvsp[0].b), 0); } --#line 1695 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1710 "src/preproc/eqn/eqn.cpp" - break; - - case 38: --#line 221 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 225 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_overline_box((yyvsp[-1].b)); } --#line 
1701 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1716 "src/preproc/eqn/eqn.cpp" - break; - - case 39: --#line 223 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 227 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_underline_box((yyvsp[-1].b)); } --#line 1707 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1722 "src/preproc/eqn/eqn.cpp" - break; - - case 40: --#line 225 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 229 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_prime_box((yyvsp[-1].b)); } --#line 1713 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1728 "src/preproc/eqn/eqn.cpp" - break; - - case 41: --#line 227 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 231 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_accent_box((yyvsp[-2].b), (yyvsp[0].b)); } --#line 1719 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1734 "src/preproc/eqn/eqn.cpp" - break; - - case 42: --#line 229 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 233 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_uaccent_box((yyvsp[-2].b), (yyvsp[0].b)); } --#line 1725 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1740 "src/preproc/eqn/eqn.cpp" - break; - - case 43: --#line 231 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 235 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new font_box(strsave(get_grfont()), (yyvsp[0].b)); } --#line 1731 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1746 "src/preproc/eqn/eqn.cpp" - break; - - case 44: --#line 233 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 237 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new font_box(strsave(get_gbfont()), (yyvsp[0].b)); } --#line 1737 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1752 "src/preproc/eqn/eqn.cpp" - break; - - case 45: --#line 235 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 239 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new font_box(strsave(get_gfont()), (yyvsp[0].b)); } --#line 1743 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 
1758 "src/preproc/eqn/eqn.cpp" - break; - - case 46: --#line 237 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 241 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new fat_box((yyvsp[0].b)); } --#line 1749 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1764 "src/preproc/eqn/eqn.cpp" - break; - - case 47: --#line 239 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 243 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new font_box((yyvsp[-1].str), (yyvsp[0].b)); } --#line 1755 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1770 "src/preproc/eqn/eqn.cpp" - break; - - case 48: --#line 241 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 245 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new size_box((yyvsp[-1].str), (yyvsp[0].b)); } --#line 1761 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1776 "src/preproc/eqn/eqn.cpp" - break; - - case 49: --#line 243 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 247 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new hmotion_box((yyvsp[-1].n), (yyvsp[0].b)); } --#line 1767 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1782 "src/preproc/eqn/eqn.cpp" - break; - - case 50: --#line 245 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 249 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new hmotion_box(-(yyvsp[-1].n), (yyvsp[0].b)); } --#line 1773 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1788 "src/preproc/eqn/eqn.cpp" - break; - - case 51: --#line 247 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 251 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new vmotion_box((yyvsp[-1].n), (yyvsp[0].b)); } --#line 1779 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1794 "src/preproc/eqn/eqn.cpp" - break; - - case 52: --#line 249 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 253 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new vmotion_box(-(yyvsp[-1].n), (yyvsp[0].b)); } --#line 1785 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1800 "src/preproc/eqn/eqn.cpp" - break; - - case 53: --#line 251 
"../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 255 "src/preproc/eqn/eqn.ypp" - { (yyvsp[0].b)->set_spacing_type((yyvsp[-1].str)); (yyval.b) = (yyvsp[0].b); } --#line 1791 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1806 "src/preproc/eqn/eqn.cpp" - break; - - case 54: --#line 253 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 257 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = new vcenter_box((yyvsp[0].b)); } --#line 1797 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1812 "src/preproc/eqn/eqn.cpp" - break; - - case 55: --#line 255 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 259 "src/preproc/eqn/eqn.ypp" - { (yyval.b) = make_special_box((yyvsp[-1].str), (yyvsp[0].b)); } --#line 1803 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1818 "src/preproc/eqn/eqn.cpp" - break; - - case 56: --#line 260 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 264 "src/preproc/eqn/eqn.ypp" - { - int n; - if (sscanf((yyvsp[0].str), "%d", &n) == 1) - (yyval.n) = n; - a_delete (yyvsp[0].str); - } --#line 1814 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1829 "src/preproc/eqn/eqn.cpp" - break; - - case 57: --#line 270 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 274 "src/preproc/eqn/eqn.ypp" - { (yyval.pb) = new pile_box((yyvsp[0].b)); } --#line 1820 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1835 "src/preproc/eqn/eqn.cpp" - break; - - case 58: --#line 272 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 276 "src/preproc/eqn/eqn.ypp" - { (yyvsp[-2].pb)->append((yyvsp[0].b)); (yyval.pb) = (yyvsp[-2].pb); } --#line 1826 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1841 "src/preproc/eqn/eqn.cpp" - break; - - case 59: --#line 277 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 281 "src/preproc/eqn/eqn.ypp" - { (yyval.pb) = (yyvsp[-1].pb); } --#line 1832 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1847 "src/preproc/eqn/eqn.cpp" - break; - - case 60: --#line 279 "../src/preproc/eqn/eqn.ypp" /* 
yacc.c:1645 */ -+#line 283 "src/preproc/eqn/eqn.ypp" - { (yyvsp[-1].pb)->set_space((yyvsp[-3].n)); (yyval.pb) = (yyvsp[-1].pb); } --#line 1838 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1853 "src/preproc/eqn/eqn.cpp" - break; - - case 61: --#line 284 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 288 "src/preproc/eqn/eqn.ypp" - { (yyval.mb) = new matrix_box((yyvsp[0].col)); } --#line 1844 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1859 "src/preproc/eqn/eqn.cpp" - break; - - case 62: --#line 286 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 290 "src/preproc/eqn/eqn.ypp" - { (yyvsp[-1].mb)->append((yyvsp[0].col)); (yyval.mb) = (yyvsp[-1].mb); } --#line 1850 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1865 "src/preproc/eqn/eqn.cpp" - break; - - case 63: --#line 291 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 295 "src/preproc/eqn/eqn.ypp" - { (yyval.col) = new column((yyvsp[0].b)); } --#line 1856 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1871 "src/preproc/eqn/eqn.cpp" - break; - - case 64: --#line 293 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 297 "src/preproc/eqn/eqn.ypp" - { (yyvsp[-2].col)->append((yyvsp[0].b)); (yyval.col) = (yyvsp[-2].col); } --#line 1862 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1877 "src/preproc/eqn/eqn.cpp" - break; - - case 65: --#line 298 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 302 "src/preproc/eqn/eqn.ypp" - { (yyval.col) = (yyvsp[-1].col); } --#line 1868 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1883 "src/preproc/eqn/eqn.cpp" - break; - - case 66: --#line 300 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 304 "src/preproc/eqn/eqn.ypp" - { (yyvsp[-1].col)->set_space((yyvsp[-3].n)); (yyval.col) = (yyvsp[-1].col); } --#line 1874 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1889 "src/preproc/eqn/eqn.cpp" - break; - - case 67: --#line 305 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 309 "src/preproc/eqn/eqn.ypp" 
- { (yyvsp[0].col)->set_alignment(CENTER_ALIGN); (yyval.col) = (yyvsp[0].col); } --#line 1880 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1895 "src/preproc/eqn/eqn.cpp" - break; - - case 68: --#line 307 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 311 "src/preproc/eqn/eqn.ypp" - { (yyvsp[0].col)->set_alignment(LEFT_ALIGN); (yyval.col) = (yyvsp[0].col); } --#line 1886 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1901 "src/preproc/eqn/eqn.cpp" - break; - - case 69: --#line 309 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 313 "src/preproc/eqn/eqn.ypp" - { (yyvsp[0].col)->set_alignment(RIGHT_ALIGN); (yyval.col) = (yyvsp[0].col); } --#line 1892 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1907 "src/preproc/eqn/eqn.cpp" - break; - - case 70: --#line 311 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 315 "src/preproc/eqn/eqn.ypp" - { (yyvsp[0].col)->set_alignment(CENTER_ALIGN); (yyval.col) = (yyvsp[0].col); } --#line 1898 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1913 "src/preproc/eqn/eqn.cpp" - break; - - case 71: --#line 315 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 319 "src/preproc/eqn/eqn.ypp" - { (yyval.str) = (yyvsp[0].str); } --#line 1904 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1919 "src/preproc/eqn/eqn.cpp" - break; - - case 72: --#line 317 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 321 "src/preproc/eqn/eqn.ypp" - { (yyval.str) = (yyvsp[0].str); } --#line 1910 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1925 "src/preproc/eqn/eqn.cpp" - break; - - case 73: --#line 322 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 326 "src/preproc/eqn/eqn.ypp" - { (yyval.str) = (yyvsp[0].str); } --#line 1916 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1931 "src/preproc/eqn/eqn.cpp" - break; - - case 74: --#line 324 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 328 "src/preproc/eqn/eqn.ypp" - { (yyval.str) = strsave("{"); } --#line 1922 
"src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1937 "src/preproc/eqn/eqn.cpp" - break; - - case 75: --#line 326 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1645 */ -+#line 330 "src/preproc/eqn/eqn.ypp" - { (yyval.str) = strsave("}"); } --#line 1928 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1943 "src/preproc/eqn/eqn.cpp" - break; - - --#line 1932 "src/preproc/eqn/eqn.cpp" /* yacc.c:1645 */ -+#line 1947 "src/preproc/eqn/eqn.cpp" -+ - default: break; - } - /* User semantic actions sometimes alter yychar, and that requires -@@ -2042,12 +2058,10 @@ yyerrlab: - | yyerrorlab -- error raised explicitly by YYERROR. | - `---------------------------------------------------*/ - yyerrorlab: -- -- /* Pacify compilers like GCC when the user code never invokes -- YYERROR and the label yyerrorlab therefore never appears in user -- code. */ -- if (/*CONSTCOND*/ 0) -- goto yyerrorlab; -+ /* Pacify compilers when the user code never invokes YYERROR and the -+ label yyerrorlab therefore never appears in user code. */ -+ if (0) -+ YYERROR; - - /* Do not reclaim the symbols of the rule whose action triggered - this YYERROR. */ -@@ -2109,6 +2123,7 @@ yyacceptlab: - yyresult = 0; - goto yyreturn; - -+ - /*-----------------------------------. - | yyabortlab -- YYABORT comes here. | - `-----------------------------------*/ -@@ -2116,6 +2131,7 @@ yyabortlab: - yyresult = 1; - goto yyreturn; - -+ - #if !defined yyoverflow || YYERROR_VERBOSE - /*-------------------------------------------------. - | yyexhaustedlab -- memory exhaustion comes here. | -@@ -2126,6 +2142,10 @@ yyexhaustedlab: - /* Fall through. */ - #endif - -+ -+/*-----------------------------------------------------. -+| yyreturn -- parsing is finished, return the result. 
| -+`-----------------------------------------------------*/ - yyreturn: - if (yychar != YYEMPTY) - { -@@ -2155,5 +2175,5 @@ yyreturn: - #endif - return yyresult; - } --#line 329 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1903 */ -+#line 333 "src/preproc/eqn/eqn.ypp" - -diff --git a/src/preproc/eqn/eqn.hpp b/src/preproc/eqn/eqn.hpp -index 32a32a5..9a092c1 100644 ---- a/src/preproc/eqn/eqn.hpp -+++ b/src/preproc/eqn/eqn.hpp -@@ -1,8 +1,9 @@ --/* A Bison parser, made by GNU Bison 3.2. */ -+/* A Bison parser, made by GNU Bison 3.4.1. */ - - /* Bison interface for Yacc-like parsers in C - -- Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc. -+ Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation, -+ Inc. - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by -@@ -170,10 +171,9 @@ extern int yydebug; - - /* Value type. */ - #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED -- - union YYSTYPE - { --#line 30 "../src/preproc/eqn/eqn.ypp" /* yacc.c:1906 */ -+#line 34 "src/preproc/eqn/eqn.ypp" - - char *str; - box *b; -@@ -182,9 +182,9 @@ union YYSTYPE - int n; - column *col; - --#line 186 "src/preproc/eqn/eqn.hpp" /* yacc.c:1906 */ --}; -+#line 186 "src/preproc/eqn/eqn.hpp" - -+}; - typedef union YYSTYPE YYSTYPE; - # define YYSTYPE_IS_TRIVIAL 1 - # define YYSTYPE_IS_DECLARED 1 diff --git a/src/preproc/eqn/eqn.ypp b/src/preproc/eqn/eqn.ypp index fb318c3..b7b647e 100644 --- a/src/preproc/eqn/eqn.ypp diff --git a/meta/recipes-extended/groff/groff_1.22.4.bb b/meta/recipes-extended/groff/groff_1.22.4.bb index 0867452ce7..7bb393e09c 100644 --- a/meta/recipes-extended/groff/groff_1.22.4.bb +++ b/meta/recipes-extended/groff/groff_1.22.4.bb 
@@ -18,6 +18,10 @@ SRC_URI = "${GNU_MIRROR}/groff/groff-${PV}.tar.gz \ SRC_URI[md5sum] = "08fb04335e2f5e73f23ea4c3adbf0c5f" SRC_URI[sha256sum] = "e78e7b4cb7dec310849004fa88847c44701e8d133b5d4c13057d876c1bad0293" +# Remove at the next upgrade +PR = "r1" +HASHEQUIV_HASH_VERSION .= ".1" + DEPENDS = "bison-native" RDEPENDS_${PN} += "perl sed" @@ -30,6 +34,13 @@ PARALLEL_MAKE = "" CACHED_CONFIGUREVARS += "ac_cv_path_PERL='/usr/bin/env perl' ac_cv_path_BASH_PROG='no' PAGE=A4" +# Delete these generated files since we depend on bison-native +# and regenerate them. Do it deterministically (always). +do_configure_prepend() { + rm -f ${S}/src/preproc/eqn/eqn.cpp + rm -f ${S}/src/preproc/eqn/eqn.hpp +} + do_install_append() { # Some distros have both /bin/perl and /usr/bin/perl, but we set perl location # for target as /usr/bin/perl, so fix it to /usr/bin/perl. diff --git a/meta/recipes-extended/parted/parted_3.3.bb b/meta/recipes-extended/parted/parted_3.3.bb index ce40c04ad4..915ab05b65 100644 --- a/meta/recipes-extended/parted/parted_3.3.bb +++ b/meta/recipes-extended/parted/parted_3.3.bb @@ -42,6 +42,7 @@ do_install_ptest() { sed -i "s|^abs_srcdir =.*|abs_srcdir = \.|g" $t/tests/Makefile sed -i "s|^abs_top_srcdir =.*|abs_top_srcdir = \.\.|g" $t/tests/Makefile sed -i "s|^Makefile:.*|Makefile:|g" $t/tests/Makefile + sed -i "/^BUILDINFO.*$/d" $t/tests/Makefile for i in print-align print-max print-flags dup-clobber duplicate fs-resize; \ do cp ${B}/tests/.libs/$i $t/tests/; \ done diff --git a/meta/recipes-extended/screen/screen/CVE-2021-26937.patch b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch new file mode 100644 index 0000000000..983b35c1b0 --- /dev/null +++ b/meta/recipes-extended/screen/screen/CVE-2021-26937.patch 
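Review bot: The comment on the new `do_configure_prepend` says what is deleted but not why the shipped files are stale: the hunks of the groff patch that used to rewrite `src/preproc/eqn/eqn.cpp` and `eqn.hpp` are dropped earlier in this change while the patch still touches `eqn.ypp`, so the tarball's pregenerated Bison output presumably no longer matches the patched grammar. I would say so, e.g. `# eqn.cpp/eqn.hpp are pregenerated Bison output; the patch now only touches eqn.ypp, so drop them and let bison-native regenerate from the patched grammar.` The `PR`/`HASHEQUIV_HASH_VERSION` bump looks tied to the same deletion (changed output with unchanged input hashes); stating that in the `Remove at the next upgrade` comment tells the next upgrader that both lines go together.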
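Review bot: The new sed expression `/^BUILDINFO.*$/d` carries a redundant `.*$`; `sed -i "/^BUILDINFO/d" $t/tests/Makefile` deletes the same lines and matches the anchor style of the substitutions above it. Unlike those three, which key on `^abs_srcdir =`, `^abs_top_srcdir =` and `^Makefile:`, this deletes every line beginning with `BUILDINFO` whatever follows, which is fine if only that assignment starts so but deserves a short comment on why it is stripped from the ptest Makefile. `do_install_ptest` starts before this hunk.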
@@ -0,0 +1,68 @@ +Description: [CVE-2021-26937] Fix out of bounds array access +Author: Michael Schröder <mls@suse.de> +Bug-Debian: https://bugs.debian.org/982435 +Bug: https://savannah.gnu.org/bugs/?60030 +Bug: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html +Bug-OSS-Security: https://www.openwall.com/lists/oss-security/2021/02/09/3 +Origin: https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00010.html + +CVE: CVE-2021-26937 +Upstream-Status: Pending +Signed-off-by: Scott Murray <scott.murray@konsulko.com> + +--- a/encoding.c ++++ b/encoding.c +@@ -43,7 +43,7 @@ + # ifdef UTF8 + static int recode_char __P((int, int, int)); + static int recode_char_to_encoding __P((int, int)); +-static void comb_tofront __P((int, int)); ++static void comb_tofront __P((int)); + # ifdef DW_CHARS + static int recode_char_dw __P((int, int *, int, int)); + static int recode_char_dw_to_encoding __P((int, int *, int)); +@@ -1263,6 +1263,8 @@ + {0x30000, 0x3FFFD}, + }; + ++ if (c >= 0xdf00 && c <= 0xdfff) ++ return 1; /* dw combining sequence */ + return ((bisearch(c, wide, sizeof(wide) / sizeof(struct interval) - 1)) || + (cjkwidth && + bisearch(c, ambiguous, +@@ -1330,11 +1332,12 @@ + } + + static void +-comb_tofront(root, i) +-int root, i; ++comb_tofront(i) ++int i; + { + for (;;) + { ++ int root = i >= 0x700 ? 
0x801 : 0x800; + debug1("bring to front: %x\n", i); + combchars[combchars[i]->prev]->next = combchars[i]->next; + combchars[combchars[i]->next]->prev = combchars[i]->prev; +@@ -1396,9 +1399,9 @@ + { + /* full, recycle old entry */ + if (c1 >= 0xd800 && c1 < 0xe000) +- comb_tofront(root, c1 - 0xd800); ++ comb_tofront(c1 - 0xd800); + i = combchars[root]->prev; +- if (c1 == i + 0xd800) ++ if (i == 0x800 || i == 0x801 || c1 == i + 0xd800) + { + /* completely full, can't recycle */ + debug("utf8_handle_comp: completely full!\n"); +@@ -1422,7 +1425,7 @@ + mc->font = (i >> 8) + 0xd8; + mc->fontx = 0; + debug3("combinig char %x %x -> %x\n", c1, c, i + 0xd800); +- comb_tofront(root, i); ++ comb_tofront(i); + } + + #else /* !UTF8 */ diff --git a/meta/recipes-extended/screen/screen_4.8.0.bb b/meta/recipes-extended/screen/screen_4.8.0.bb index 4772eb6c7a..fe640c262b 100644 --- a/meta/recipes-extended/screen/screen_4.8.0.bb +++ b/meta/recipes-extended/screen/screen_4.8.0.bb @@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \ file://0002-comm.h-now-depends-on-term.h.patch \ file://0001-fix-for-multijob-build.patch \ file://0001-Remove-more-compatibility-stuff.patch \ + file://CVE-2021-26937.patch \ " SRC_URI[md5sum] = "d276213d3acd10339cd37848b8c4ab1e" diff --git a/meta/recipes-extended/shadow/shadow_4.8.1.bb b/meta/recipes-extended/shadow/shadow_4.8.1.bb index c975395ff8..ff4aad926f 100644 --- a/meta/recipes-extended/shadow/shadow_4.8.1.bb +++ b/meta/recipes-extended/shadow/shadow_4.8.1.bb @@ -6,5 +6,6 @@ BUILD_LDFLAGS_append_class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p BBCLASSEXTEND = "native nativesdk" - - +# Severity is low and marked as closed and won't fix. +# https://bugzilla.redhat.com/show_bug.cgi?id=884658 +CVE_CHECK_WHITELIST += "CVE-2013-4235" diff --git a/meta/recipes-extended/sudo/files/CVE-2021-23239.patch b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch new file mode 100644 index 0000000000..e16baecd5a --- /dev/null 
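Review bot: `CVE_CHECK_WHITELIST` is not tied to the 4.8.1 version, so the new entry keeps suppressing CVE-2013-4235 across future shadow upgrades as well; the comment should say under what condition the suppression is to be revisited. Something like `# CVE-2013-4235: low severity, closed as won't-fix (see link); re-check on upgrade in case upstream addresses it.` gives the next person both the decision and the trigger, rather than only the current status.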
+++ b/meta/recipes-extended/sudo/files/CVE-2021-23239.patch 
@@ -0,0 +1,62 @@ + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@sudo.ws> +# Date 1609953360 25200 +# Node ID ea19d0073c02951bbbf35342dd63304da83edce8 +# Parent f1ca39a0d87089d005b78a2556e2b1a2dc17f672 +Fix potential directory existing info leak in sudoedit. +When creating a new file, sudoedit checks to make sure the parent +directory exists so it can provide the user with a sensible error +message. However, this could be used to test for the existence of +directories not normally accessible to the user by pointing to them +with a symbolic link when the parent directory is controlled by the +user. Problem reported by Matthias Gerstner of SUSE. + +Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/ea19d0073c02] +CVE: CVE-2021-23239 +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> + +diff -r f1ca39a0d870 -r ea19d0073c02 src/sudo_edit.c +--- a/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700 ++++ b/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700 +@@ -541,14 +541,33 @@ + S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details); + if (ofd != -1 || errno == ENOENT) { + if (ofd == -1) { +- /* New file, verify parent dir exists unless in cwd. */ ++ /* ++ * New file, verify parent dir exists unless in cwd. ++ * This fails early so the user knows ahead of time if the ++ * edit won't succeed. Additional checks are performed ++ * when copying the temporary file back to the origin. ++ */ + char *slash = strrchr(files[i], '/'); + if (slash != NULL && slash != files[i]) { +- int serrno = errno; ++ const int sflags = command_details->flags; ++ const int serrno = errno; ++ int dfd; ++ ++ /* ++ * The parent directory is allowed to be a symbolic ++ * link as long as *its* parent is not writable. 
++ */ + *slash = '\0'; +- if (stat(files[i], &sb) == 0 && S_ISDIR(sb.st_mode)) { +- memset(&sb, 0, sizeof(sb)); +- rc = 0; ++ SET(command_details->flags, CD_SUDOEDIT_FOLLOW); ++ dfd = sudo_edit_open(files[i], DIR_OPEN_FLAGS, ++ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH, command_details); ++ command_details->flags = sflags; ++ if (dfd != -1) { ++ if (fstat(dfd, &sb) == 0 && S_ISDIR(sb.st_mode)) { ++ memset(&sb, 0, sizeof(sb)); ++ rc = 0; ++ } ++ close(dfd); + } + *slash = '/'; + errno = serrno; + + diff --git a/meta/recipes-extended/sudo/files/CVE-2021-23240.patch b/meta/recipes-extended/sudo/files/CVE-2021-23240.patch new file mode 100644 index 0000000000..740a13cd90 --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-23240.patch 
@@ -0,0 +1,419 @@ +Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/8fcb36ef422a] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +CVE: CVE-2021-23240 + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@sudo.ws> +# Date 1609953360 25200 +# Node ID 8fcb36ef422a251fe33738a347551439944a4a37 +# Parent ea19d0073c02951bbbf35342dd63304da83edce8 +Add security checks before using temp files for SELinux RBAC sudoedit. +Otherwise, it may be possible for the user running sudoedit to +replace the newly-created temporary files with a symbolic link and +have sudoedit set the owner of an arbitrary file. +Problem reported by Matthias Gerstner of SUSE. + +diff -r ea19d0073c02 -r 8fcb36ef422a src/copy_file.c +--- a/src/copy_file.c Wed Jan 06 10:16:00 2021 -0700 ++++ b/src/copy_file.c Wed Jan 06 10:16:00 2021 -0700 +@@ -1,7 +1,7 @@ + /* + * SPDX-License-Identifier: ISC + * +- * Copyright (c) 2020 Todd C. Miller <Todd.Miller@sudo.ws> ++ * Copyright (c) 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -23,6 +23,8 @@ + + #include <config.h> + ++#include <sys/stat.h> ++ + #include <stdlib.h> + #include <unistd.h> + #include <errno.h> +@@ -134,3 +136,34 @@ + sudo_warn(U_("unable to write to %s"), dst); + debug_return_int(-1); + } ++ ++#ifdef HAVE_SELINUX ++bool ++sudo_check_temp_file(int tfd, const char *tfile, uid_t uid, struct stat *sb) ++{ ++ struct stat sbuf; ++ debug_decl(sudo_check_temp_file, SUDO_DEBUG_UTIL); ++ ++ if (sb == NULL) ++ sb = &sbuf; ++ ++ if (fstat(tfd, sb) == -1) { ++ sudo_warn(U_("unable to stat %s"), tfile); ++ debug_return_bool(false); ++ } ++ if (!S_ISREG(sb->st_mode)) { ++ sudo_warnx(U_("%s: not a regular file"), tfile); ++ debug_return_bool(false); ++ } ++ if ((sb->st_mode & ALLPERMS) != (S_IRUSR|S_IWUSR)) { ++ sudo_warnx(U_("%s: bad file mode: 0%o"), tfile, sb->st_mode & ALLPERMS); ++ 
debug_return_bool(false); ++ } ++ if (sb->st_uid != uid) { ++ sudo_warnx(U_("%s is owned by uid %u, should be %u"), ++ tfile, (unsigned int)sb->st_uid, (unsigned int)uid); ++ debug_return_bool(false); ++ } ++ debug_return_bool(true); ++} ++#endif /* SELINUX */ +diff -r ea19d0073c02 -r 8fcb36ef422a src/sesh.c +--- a/src/sesh.c Wed Jan 06 10:16:00 2021 -0700 ++++ b/src/sesh.c Wed Jan 06 10:16:00 2021 -0700 +@@ -1,7 +1,7 @@ + /* + * SPDX-License-Identifier: ISC + * +- * Copyright (c) 2008, 2010-2018, 2020 Todd C. Miller <Todd.Miller@sudo.ws> ++ * Copyright (c) 2008, 2010-2018, 2020-2021 Todd C. Miller <Todd.Miller@sudo.ws> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -132,7 +132,7 @@ + static int + sesh_sudoedit(int argc, char *argv[]) + { +- int i, oflags_dst, post, ret = SESH_ERR_FAILURE; ++ int i, oflags_src, oflags_dst, post, ret = SESH_ERR_FAILURE; + int fd_src = -1, fd_dst = -1, follow = 0; + struct stat sb; + struct timespec times[2]; +@@ -174,10 +174,12 @@ + debug_return_int(SESH_ERR_BAD_PATHS); + + /* +- * Use O_EXCL if we are not in the post editing stage +- * so that it's ensured that the temporary files are +- * created by us and that we are not opening any symlinks. ++ * In the pre-editing stage, use O_EXCL to ensure that the temporary ++ * files are created by us and that we are not opening any symlinks. ++ * In the post-editing stage, use O_NOFOLLOW so we don't follow symlinks ++ * when opening the temporary files. + */ ++ oflags_src = O_RDONLY|(post ? O_NONBLOCK|O_NOFOLLOW : follow); + oflags_dst = O_WRONLY|O_CREAT|(post ? follow : O_EXCL); + for (i = 0; i < argc - 1; i += 2) { + const char *path_src = argv[i]; +@@ -187,7 +189,7 @@ + * doesn't exist, that's OK, we'll create an empty + * destination file. 
+ */ +- if ((fd_src = open(path_src, O_RDONLY|follow, S_IRUSR|S_IWUSR)) < 0) { ++ if ((fd_src = open(path_src, oflags_src, S_IRUSR|S_IWUSR)) < 0) { + if (errno != ENOENT) { + sudo_warn("%s", path_src); + if (post) { +@@ -197,6 +199,14 @@ + goto cleanup_0; + } + } ++ if (post) { ++ /* Make sure the temporary file is safe and has the proper owner. */ ++ if (!sudo_check_temp_file(fd_src, path_src, geteuid(), &sb)) { ++ ret = SESH_ERR_SOME_FILES; ++ goto nocleanup; ++ } ++ fcntl(fd_src, F_SETFL, fcntl(fd_src, F_GETFL, 0) & ~O_NONBLOCK); ++ } + + if ((fd_dst = open(path_dst, oflags_dst, post ? + (S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH) : (S_IRUSR|S_IWUSR))) < 0) { +@@ -214,10 +224,7 @@ + off_t len_dst = -1; + + if (post) { +- if (fstat(fd_src, &sb) != 0) { +- ret = SESH_ERR_SOME_FILES; +- goto nocleanup; +- } ++ /* sudo_check_temp_file() filled in sb for us. */ + len_src = sb.st_size; + if (fstat(fd_dst, &sb) != 0) { + ret = SESH_ERR_SOME_FILES; +diff -r ea19d0073c02 -r 8fcb36ef422a src/sudo_edit.c +--- a/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700 ++++ b/src/sudo_edit.c Wed Jan 06 10:16:00 2021 -0700 +@@ -1,7 +1,7 @@ + /* + * SPDX-License-Identifier: ISC + * +- * Copyright (c) 2004-2008, 2010-2020 Todd C. Miller <Todd.Miller@sudo.ws> ++ * Copyright (c) 2004-2008, 2010-2021 Todd C. Miller <Todd.Miller@sudo.ws> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -259,8 +259,10 @@ + } else { + len = asprintf(tfile, "%s/%s.XXXXXXXX", edit_tmpdir, cp); + } +- if (len == -1) +- sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); ++ if (len == -1) { ++ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); ++ debug_return_int(-1); ++ } + tfd = mkstemps(*tfile, suff ? 
strlen(suff) : 0); + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "%s -> %s, fd %d", ofile, *tfile, tfd); +@@ -735,7 +737,8 @@ + + #ifdef HAVE_SELINUX + static int +-selinux_run_helper(char *argv[], char *envp[]) ++selinux_run_helper(uid_t uid, gid_t gid, int ngroups, GETGROUPS_T *groups, ++ char *const argv[], char *const envp[]) + { + int status, ret = SESH_ERR_FAILURE; + const char *sesh; +@@ -755,8 +758,10 @@ + break; + case 0: + /* child runs sesh in new context */ +- if (selinux_setcon() == 0) ++ if (selinux_setcon() == 0) { ++ switch_user(uid, gid, ngroups, groups); + execve(sesh, argv, envp); ++ } + _exit(SESH_ERR_FAILURE); + default: + /* parent waits */ +@@ -775,7 +780,7 @@ + struct tempfile *tf, char *files[], int nfiles) + { + char **sesh_args, **sesh_ap; +- int i, rc, sesh_nargs; ++ int i, error, sesh_nargs, ret = -1; + struct stat sb; + debug_decl(selinux_edit_create_tfiles, SUDO_DEBUG_EDIT); + +@@ -787,7 +792,7 @@ + sesh_args = sesh_ap = reallocarray(NULL, sesh_nargs, sizeof(char *)); + if (sesh_args == NULL) { + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); +- debug_return_int(-1); ++ goto done; + } + *sesh_ap++ = "sesh"; + *sesh_ap++ = "-e"; +@@ -795,7 +800,6 @@ + *sesh_ap++ = "-h"; + *sesh_ap++ = "0"; + +- /* XXX - temp files should be created with user's context */ + for (i = 0; i < nfiles; i++) { + char *tfile, *ofile = files[i]; + int tfd; +@@ -813,8 +817,7 @@ + if (tfd == -1) { + sudo_warn("mkstemps"); + free(tfile); +- free(sesh_args); +- debug_return_int(-1); ++ goto done; + } + /* Helper will re-create temp file with proper security context. */ + close(tfd); +@@ -825,8 +828,10 @@ + *sesh_ap = NULL; + + /* Run sesh -e [-h] 0 <o1> <t1> ... 
<on> <tn> */ +- rc = selinux_run_helper(sesh_args, command_details->envp); +- switch (rc) { ++ error = selinux_run_helper(command_details->uid, command_details->gid, ++ command_details->ngroups, command_details->groups, sesh_args, ++ command_details->envp); ++ switch (error) { + case SESH_SUCCESS: + break; + case SESH_ERR_BAD_PATHS: +@@ -836,21 +841,35 @@ + case SESH_ERR_KILLED: + sudo_fatalx("%s", U_("sesh: killed by a signal")); + default: +- sudo_fatalx(U_("sesh: unknown error %d"), rc); ++ sudo_warnx(U_("sesh: unknown error %d"), error); ++ goto done; + } + +- /* Chown to user's UID so they can edit the temporary files. */ + for (i = 0; i < nfiles; i++) { +- if (chown(tf[i].tfile, user_details.uid, user_details.gid) != 0) { ++ int tfd = open(tf[i].tfile, O_RDONLY|O_NONBLOCK|O_NOFOLLOW); ++ if (tfd == -1) { ++ sudo_warn(U_("unable to open %s"), tf[i].tfile); ++ goto done; ++ } ++ if (!sudo_check_temp_file(tfd, tf[i].tfile, command_details->uid, NULL)) { ++ close(tfd); ++ goto done; ++ } ++ if (fchown(tfd, user_details.uid, user_details.gid) != 0) { + sudo_warn("unable to chown(%s) to %d:%d for editing", + tf[i].tfile, user_details.uid, user_details.gid); ++ close(tfd); ++ goto done; + } ++ close(tfd); + } ++ ret = nfiles; + ++done: + /* Contents of tf will be freed by caller. 
*/ + free(sesh_args); + +- return (nfiles); ++ debug_return_int(ret); + } + + static int +@@ -858,7 +877,8 @@ + struct tempfile *tf, int nfiles, struct timespec *times) + { + char **sesh_args, **sesh_ap; +- int i, rc, sesh_nargs, ret = 1; ++ int i, error, sesh_nargs, ret = 1; ++ int tfd = -1; + struct timespec ts; + struct stat sb; + debug_decl(selinux_edit_copy_tfiles, SUDO_DEBUG_EDIT); +@@ -879,33 +899,43 @@ + + /* Construct args for sesh -e 1 */ + for (i = 0; i < nfiles; i++) { +- if (stat(tf[i].tfile, &sb) == 0) { +- mtim_get(&sb, ts); +- if (tf[i].osize == sb.st_size && sudo_timespeccmp(&tf[i].omtim, &ts, ==)) { +- /* +- * If mtime and size match but the user spent no measurable +- * time in the editor we can't tell if the file was changed. +- */ +- if (sudo_timespeccmp(×[0], ×[1], !=)) { +- sudo_warnx(U_("%s unchanged"), tf[i].ofile); +- unlink(tf[i].tfile); +- continue; +- } ++ if (tfd != -1) ++ close(tfd); ++ if ((tfd = open(tf[i].tfile, O_RDONLY|O_NONBLOCK|O_NOFOLLOW)) == -1) { ++ sudo_warn(U_("unable to open %s"), tf[i].tfile); ++ continue; ++ } ++ if (!sudo_check_temp_file(tfd, tf[i].tfile, user_details.uid, &sb)) ++ continue; ++ mtim_get(&sb, ts); ++ if (tf[i].osize == sb.st_size && sudo_timespeccmp(&tf[i].omtim, &ts, ==)) { ++ /* ++ * If mtime and size match but the user spent no measurable ++ * time in the editor we can't tell if the file was changed. ++ */ ++ if (sudo_timespeccmp(×[0], ×[1], !=)) { ++ sudo_warnx(U_("%s unchanged"), tf[i].ofile); ++ unlink(tf[i].tfile); ++ continue; + } + } + *sesh_ap++ = tf[i].tfile; + *sesh_ap++ = tf[i].ofile; +- if (chown(tf[i].tfile, command_details->uid, command_details->gid) != 0) { ++ if (fchown(tfd, command_details->uid, command_details->gid) != 0) { + sudo_warn("unable to chown(%s) back to %d:%d", tf[i].tfile, + command_details->uid, command_details->gid); + } + } + *sesh_ap = NULL; ++ if (tfd != -1) ++ close(tfd); + + if (sesh_ap - sesh_args > 3) { + /* Run sesh -e 1 <t1> <o1> ... 
<tn> <on> */ +- rc = selinux_run_helper(sesh_args, command_details->envp); +- switch (rc) { ++ error = selinux_run_helper(command_details->uid, command_details->gid, ++ command_details->ngroups, command_details->groups, sesh_args, ++ command_details->envp); ++ switch (error) { + case SESH_SUCCESS: + ret = 0; + break; +@@ -921,7 +951,7 @@ + sudo_warnx("%s", U_("sesh: killed by a signal")); + break; + default: +- sudo_warnx(U_("sesh: unknown error %d"), rc); ++ sudo_warnx(U_("sesh: unknown error %d"), error); + break; + } + if (ret != 0) +@@ -943,7 +973,7 @@ + { + struct command_details saved_command_details; + char **nargv = NULL, **ap, **files = NULL; +- int errors, i, ac, nargc, rc; ++ int errors, i, ac, nargc, ret; + int editor_argc = 0, nfiles = 0; + struct timespec times[2]; + struct tempfile *tf = NULL; +@@ -1038,7 +1068,7 @@ + command_details->ngroups = user_details.ngroups; + command_details->groups = user_details.groups; + command_details->argv = nargv; +- rc = run_command(command_details); ++ ret = run_command(command_details); + if (sudo_gettime_real(×[1]) == -1) { + sudo_warn("%s", U_("unable to read the clock")); + goto cleanup; +@@ -1062,14 +1092,14 @@ + errors = sudo_edit_copy_tfiles(command_details, tf, nfiles, times); + if (errors) { + /* Preserve the edited temporary files. */ +- rc = W_EXITCODE(1, 0); ++ ret = W_EXITCODE(1, 0); + } + + for (i = 0; i < nfiles; i++) + free(tf[i].tfile); + free(tf); + free(nargv); +- debug_return_int(rc); ++ debug_return_int(ret); + + cleanup: + /* Clean up temp files and return. */ +diff -r ea19d0073c02 -r 8fcb36ef422a src/sudo_exec.h +--- a/src/sudo_exec.h Wed Jan 06 10:16:00 2021 -0700 ++++ b/src/sudo_exec.h Wed Jan 06 10:16:00 2021 -0700 +@@ -1,7 +1,7 @@ + /* + * SPDX-License-Identifier: ISC + * +- * Copyright (c) 2010-2016 Todd C. Miller <Todd.Miller@sudo.ws> ++ * Copyright (c) 2010-2017, 2020-2021 Todd C. 
Miller <Todd.Miller@sudo.ws> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above +@@ -84,9 +84,11 @@ + */ + struct command_details; + struct command_status; ++struct stat; + + /* copy_file.c */ + int sudo_copy_file(const char *src, int src_fd, off_t src_len, const char *dst, int dst_fd, off_t dst_len); ++bool sudo_check_temp_file(int tfd, const char *tname, uid_t uid, struct stat *sb); + + /* exec.c */ + void exec_cmnd(struct command_details *details, int errfd); + + diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch new file mode 100644 index 0000000000..83c277575e --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-1.patch 
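Review bot: The prototype added to `src/sudo_exec.h` names the second parameter `tname` while the definition in `src/copy_file.c` calls it `tfile`; the two should agree so the header documents the function as written. The closing `#endif /* SELINUX */` in copy_file.c also mislabels its guard, which is `#ifdef HAVE_SELINUX`. Both come from upstream changeset 8fcb36ef422a, so if the backport is meant to stay byte-identical I would leave them and only note the divergence when re-syncing; otherwise `bool sudo_check_temp_file(int tfd, const char *tfile, uid_t uid, struct stat *sb);` and `#endif /* HAVE_SELINUX */` are the two one-line fixes.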
@@ -0,0 +1,100 @@ +Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/9b97f1787804] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +CVE: CVE-2021-3156 + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@sudo.ws> +# Date 1611416639 25200 +# Node ID 9b97f1787804aedccaec63c379053b1a91a0e409 +# Parent 90aba6ba6e03f3bc33b4eabf16358396ed83642d +Reset valid_flags to MODE_NONINTERACTIVE for sudoedit. +This is consistent with how the -e option is handled. +Also reject -H and -P flags for sudoedit as was done in sudo 1.7. +Found by Qualys, this is part of the fix for CVE-2021-3156. + +diff -r 90aba6ba6e03 -r 9b97f1787804 src/parse_args.c +--- a/src/parse_args.c Mon Jan 18 12:30:52 2021 +0100 ++++ b/src/parse_args.c Sat Jan 23 08:43:59 2021 -0700 +@@ -117,7 +117,10 @@ + /* + * Default flags allowed when running a command. + */ +-#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_SHELL) ++#define DEFAULT_VALID_FLAGS (MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_PRESERVE_GROUPS|MODE_SHELL) ++#define EDIT_VALID_FLAGS MODE_NONINTERACTIVE ++#define LIST_VALID_FLAGS (MODE_NONINTERACTIVE|MODE_LONG_LIST) ++#define VALIDATE_VALID_FLAGS MODE_NONINTERACTIVE + + /* Option number for the --host long option due to ambiguity of the -h flag. */ + #define OPT_HOSTNAME 256 +@@ -262,6 +265,7 @@ + progname = "sudoedit"; + mode = MODE_EDIT; + sudo_settings[ARG_SUDOEDIT].value = "true"; ++ valid_flags = EDIT_VALID_FLAGS; + } + + /* Load local IP addresses and masks. 
*/ +@@ -365,7 +369,7 @@ + usage_excl(); + mode = MODE_EDIT; + sudo_settings[ARG_SUDOEDIT].value = "true"; +- valid_flags = MODE_NONINTERACTIVE; ++ valid_flags = EDIT_VALID_FLAGS; + break; + case 'g': + assert(optarg != NULL); +@@ -377,6 +381,7 @@ + break; + case 'H': + sudo_settings[ARG_SET_HOME].value = "true"; ++ SET(flags, MODE_RESET_HOME); + break; + case 'h': + if (optarg == NULL) { +@@ -431,7 +436,7 @@ + usage_excl(); + } + mode = MODE_LIST; +- valid_flags = MODE_NONINTERACTIVE|MODE_LONG_LIST; ++ valid_flags = LIST_VALID_FLAGS; + break; + case 'n': + SET(flags, MODE_NONINTERACTIVE); +@@ -439,6 +444,7 @@ + break; + case 'P': + sudo_settings[ARG_PRESERVE_GROUPS].value = "true"; ++ SET(flags, MODE_PRESERVE_GROUPS); + break; + case 'p': + /* An empty prompt is allowed. */ +@@ -505,7 +511,7 @@ + if (mode && mode != MODE_VALIDATE) + usage_excl(); + mode = MODE_VALIDATE; +- valid_flags = MODE_NONINTERACTIVE; ++ valid_flags = VALIDATE_VALID_FLAGS; + break; + case 'V': + if (mode && mode != MODE_VERSION) +@@ -533,7 +539,7 @@ + if (!mode) { + /* Defer -k mode setting until we know whether it is a flag or not */ + if (sudo_settings[ARG_IGNORE_TICKET].value != NULL) { +- if (argc == 0 && !(flags & (MODE_SHELL|MODE_LOGIN_SHELL))) { ++ if (argc == 0 && !ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL)) { + mode = MODE_INVALIDATE; /* -k by itself */ + sudo_settings[ARG_IGNORE_TICKET].value = NULL; + valid_flags = 0; +@@ -601,7 +607,7 @@ + /* + * For shell mode we need to rewrite argv + */ +- if (ISSET(mode, MODE_RUN) && ISSET(flags, MODE_SHELL)) { ++ if (ISSET(flags, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(mode, MODE_RUN)) { + char **av, *cmnd = NULL; + int ac = 1; + + + diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch new file mode 100644 index 0000000000..6d051252cb --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-2.patch 
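Review bot: The `Upstream-Status: Backport[https://…]` header line has no space before the bracket, while CVE-2021-23239.patch, CVE-2021-23240.patch, CVE-2021-3156-2.patch, -4 and -5 in this same change write `Backport [...]`; CVE-2021-3156-3.patch has the same inconsistency. Tooling that parses that field may be strict about the format, so it should be normalised to `Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/9b97f1787804]` here and to the corresponding URL in the -3 patch.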
@@ -0,0 +1,53 @@ +From 03d04069468d6633be0d6ef6c4adff07620488da Mon Sep 17 00:00:00 2001 +From: Anuj Mittal <anuj.mittal@intel.com> +Date: Sat, 6 Feb 2021 15:57:55 +0800 +Subject: [PATCH] sudo: fix CVE-2021-3156 + +Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/a97dc92eae6b] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +CVE: CVE-2021-3156 + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@sudo.ws> +# Date 1611416639 25200 +# Node ID a97dc92eae6b60ae285055441341d493c17262ff +# Parent 9b97f1787804aedccaec63c379053b1a91a0e409 +Add sudoedit flag checks in plugin that are consistent with front-end. +Don't assume the sudo front-end is sending reasonable mode flags. +These checks need to be kept consistent between the sudo front-end +and the sudoers plugin. + +--- + plugins/sudoers/policy.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c +index c4749a6..2f18fe1 100644 +--- a/plugins/sudoers/policy.c ++++ b/plugins/sudoers/policy.c +@@ -88,10 +88,11 @@ parse_bool(const char *line, int varlen, int *flags, int fval) + int + sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group) + { ++ const int edit_mask = MODE_EDIT|MODE_IGNORE_TICKET|MODE_NONINTERACTIVE; + struct sudoers_open_info *info = v; +- char * const *cur; + const char *p, *errstr, *groups = NULL; + const char *remhost = NULL; ++ char * const *cur; + int flags = 0; + debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN); + +@@ -343,6 +344,12 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group) + #endif + } + ++ /* Sudo front-end should restrict mode flags for sudoedit. */ ++ if (ISSET(flags, MODE_EDIT) && (flags & edit_mask) != flags) { ++ sudo_warnx(U_("invalid mode flags from sudo front end: 0x%x"), flags); ++ goto bad; ++ } ++ + user_gid = (gid_t)-1; + user_sid = (pid_t)-1; + user_uid = (gid_t)-1; 
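Review bot: This patch file carries both a git `From 03d04069…`/`From: Anuj Mittal` preamble and the upstream HG `# User Todd C. Miller` header, whereas the sibling CVE-2021-3156-1/3/4/5 patches carry only the HG changeset header; the double header leaves the author of the change ambiguous to anyone reading the file. I would drop the git preamble (the lines from `From 03d04069…` through `Subject:` and the `---` diffstat) and keep `Upstream-Status`, `Signed-off-by`, `CVE:` plus the HG header, matching the other four files.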
diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
new file mode 100644
index 0000000000..30a574d05c
--- /dev/null
+++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-3.patch
@@ -0,0 +1,73 @@ +Upstream-Status: Backport[https://www.sudo.ws/repos/sudo/rev/049ad90590be] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +CVE: CVE-2021-3156 + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@sudo.ws> +# Date 1611416639 25200 +# Node ID 049ad90590be1e5dfb7df2675d2eb3e37c96ab86 +# Parent a97dc92eae6b60ae285055441341d493c17262ff +Fix potential buffer overflow when unescaping backslashes in user_args. +Also, do not try to unescaping backslashes unless in run mode *and* +we are running the command via a shell. +Found by Qualys, this fixes CVE-2021-3156. + +diff -r a97dc92eae6b -r 049ad90590be plugins/sudoers/sudoers.c +--- a/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700 ++++ b/plugins/sudoers/sudoers.c Sat Jan 23 08:43:59 2021 -0700 +@@ -547,7 +547,7 @@ + + /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */ + /* XXX - causes confusion when root is not listed in sudoers */ +- if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) { ++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) { + if (user_uid == 0 && strcmp(prev_user, "root") != 0) { + struct passwd *pw; + +@@ -932,8 +932,8 @@ + if (user_cmnd == NULL) + user_cmnd = NewArgv[0]; + +- if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { +- if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) { ++ if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) { ++ if (!ISSET(sudo_mode, MODE_EDIT)) { + const char *runchroot = user_runchroot; + if (runchroot == NULL && def_runchroot != NULL && + strcmp(def_runchroot, "*") != 0) +@@ -961,7 +961,8 @@ + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + debug_return_int(NOT_FOUND_ERROR); + } +- if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { ++ if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) && ++ ISSET(sudo_mode, MODE_RUN)) { + /* + * When running a command via a shell, the sudo front-end + * escapes potential meta chars. 
We unescape non-spaces +@@ -969,10 +970,22 @@ + */ + for (to = user_args, av = NewArgv + 1; (from = *av); av++) { + while (*from) { +- if (from[0] == '\\' && !isspace((unsigned char)from[1])) ++ if (from[0] == '\\' && from[1] != '\0' && ++ !isspace((unsigned char)from[1])) { + from++; ++ } ++ if (size - (to - user_args) < 1) { ++ sudo_warnx(U_("internal error, %s overflow"), ++ __func__); ++ debug_return_int(NOT_FOUND_ERROR); ++ } + *to++ = *from++; + } ++ if (size - (to - user_args) < 1) { ++ sudo_warnx(U_("internal error, %s overflow"), ++ __func__); ++ debug_return_int(NOT_FOUND_ERROR); ++ } + *to++ = ' '; + } + *--to = '\0'; + + diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch new file mode 100644 index 0000000000..c1b00c740e --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-4.patch 
@@ -0,0 +1,29 @@ +Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/09f98816fc89] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +CVE: CVE-2021-3156 + +# HG changeset patch +# User Todd C. Miller <Todd.Miller@sudo.ws> +# Date 1611416640 25200 +# Node ID 09f98816fc8978f1d8623a857073d2d5746f0379 +# Parent 049ad90590be1e5dfb7df2675d2eb3e37c96ab86 +Fix the memset offset when converting a v1 timestamp to TS_LOCKEXCL. +We want to zero the struct starting at flags, not type (which was just set). +Found by Qualys. + +diff -r 049ad90590be -r 09f98816fc89 plugins/sudoers/timestamp.c +--- a/plugins/sudoers/timestamp.c Sat Jan 23 08:43:59 2021 -0700 ++++ b/plugins/sudoers/timestamp.c Sat Jan 23 08:44:00 2021 -0700 +@@ -643,8 +643,8 @@ + if (entry.size == sizeof(struct timestamp_entry_v1)) { + /* Old sudo record, convert it to TS_LOCKEXCL. */ + entry.type = TS_LOCKEXCL; +- memset((char *)&entry + offsetof(struct timestamp_entry, type), 0, +- nread - offsetof(struct timestamp_entry, type)); ++ memset((char *)&entry + offsetof(struct timestamp_entry, flags), 0, ++ nread - offsetof(struct timestamp_entry, flags)); + if (ts_write(cookie->fd, cookie->fname, &entry, 0) == -1) + debug_return_bool(false); + } else { + + diff --git a/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch new file mode 100644 index 0000000000..c04b8e72a6 --- /dev/null +++ b/meta/recipes-extended/sudo/files/CVE-2021-3156-5.patch 
@@ -0,0 +1,41 @@
+Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+CVE: CVE-2021-3156
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611416640 25200
+# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
+# Parent 09f98816fc8978f1d8623a857073d2d5746f0379
+Don't assume that argv is allocated as a single flat buffer.
+While this is how the kernel behaves it is not a portable assumption.
+The assumption may also be violated if getopt_long(3) permutes arguments.
+Found by Qualys.
+
+diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
+--- a/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
++++ b/src/parse_args.c Sat Jan 23 08:44:00 2021 -0700
+@@ -614,16 +614,16 @@
+ if (argc != 0) {
+ /* shell -c "command" */
+ char *src, *dst;
+- size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
+- strlen(argv[argc - 1]) + 1;
++ size_t size = 0;
+
+- cmnd = dst = reallocarray(NULL, cmnd_size, 2);
+- if (cmnd == NULL)
++ for (av = argv; *av != NULL; av++)
++ size += strlen(*av) + 1;
++ if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)
+ sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ if (!gc_add(GC_PTR, cmnd))
+ exit(EXIT_FAILURE);
+
+- for (av = argv; *av != NULL; av++) {
++ for (dst = cmnd, av = argv; *av != NULL; av++) {
+ for (src = *av; *src != '\0'; src++) {
+ /* quote potential meta characters */
+ if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$')
+
+
diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc
index 86a18be7e2..8b50f5eee5 100644
--- a/meta/recipes-extended/sudo/sudo.inc
+++ b/meta/recipes-extended/sudo/sudo.inc
@@ -49,3 +49,5 @@ do_compile_prepend () {
 do_install_prepend (){
 mkdir -p ${D}/${localstatedir}/lib
 }
+
+CVE_VERSION_SUFFIX = "patch"
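Review bot: `CVE_VERSION_SUFFIX = "patch"` is added to sudo.inc without a comment saying why it is there, so a reader has to already know that cve-check uses it to read sudo's `pN` release suffixes as patch levels rather than as pre-release tags when comparing against the fixed version. A one-liner such as `# sudo releases use a "pN" suffix as a patch level; let cve-check compare versions that way` would record the intent next to the setting. The sudo-side change in CVE-2021-3156-5.patch is a faithful copy of the upstream revision it cites and needs nothing further.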
diff --git a/meta/recipes-extended/sudo/sudo_1.9.3.bb b/meta/recipes-extended/sudo/sudo_1.9.3.bb
index 0d0be9ab8b..37fd6386dd 100644
--- a/meta/recipes-extended/sudo/sudo_1.9.3.bb
+++ b/meta/recipes-extended/sudo/sudo_1.9.3.bb
@@ -3,6 +3,13 @@ require sudo.inc
 SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
 file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
+ file://CVE-2021-23239.patch \
+ file://CVE-2021-23240.patch \
+ file://CVE-2021-3156-1.patch \
+ file://CVE-2021-3156-2.patch \
+ file://CVE-2021-3156-3.patch \
+ file://CVE-2021-3156-4.patch \
+ file://CVE-2021-3156-5.patch \
 "
 
 PAM_SRC_URI = "file://sudo.pam"
diff --git a/meta/recipes-extended/tar/tar/CVE-2021-20193.patch b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
new file mode 100644
index 0000000000..89e8e20844
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch
@@ -0,0 +1,133 @@ +From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Sun, 17 Jan 2021 20:41:11 +0200 +Subject: Fix memory leak in read_header + +Bug reported in https://savannah.gnu.org/bugs/?59897 + +* src/list.c (read_header): Don't return directly from the loop. +Instead set the status and break. Return the status. Free +next_long_name and next_long_link before returning. + +CVE: CVE-2021-20193 +Upstream-Status: Backport +[https://git.savannah.gnu.org/cgit/tar.git/patch/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777] +Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com> + +--- + src/list.c | 40 ++++++++++++++++++++++++++++------------ + 1 file changed, 28 insertions(+), 12 deletions(-) + +diff --git a/src/list.c b/src/list.c +index e40a5c8..d7ef441 100644 +--- a/src/list.c ++++ b/src/list.c +@@ -408,26 +408,27 @@ read_header (union block **return_block, struct tar_stat_info *info, + enum read_header_mode mode) + { + union block *header; +- union block *header_copy; + char *bp; + union block *data_block; + size_t size, written; +- union block *next_long_name = 0; +- union block *next_long_link = 0; ++ union block *next_long_name = NULL; ++ union block *next_long_link = NULL; + size_t next_long_name_blocks = 0; + size_t next_long_link_blocks = 0; +- ++ enum read_header status = HEADER_SUCCESS; ++ + while (1) + { +- enum read_header status; +- + header = find_next_block (); + *return_block = header; + if (!header) +- return HEADER_END_OF_FILE; ++ { ++ status = HEADER_END_OF_FILE; ++ break; ++ } + + if ((status = tar_checksum (header, false)) != HEADER_SUCCESS) +- return status; ++ break; + + /* Good block. Decode file size and return. 
*/ + +@@ -437,7 +438,10 @@ read_header (union block **return_block, struct tar_stat_info *info, + { + info->stat.st_size = OFF_FROM_HEADER (header->header.size); + if (info->stat.st_size < 0) +- return HEADER_FAILURE; ++ { ++ status = HEADER_FAILURE; ++ break; ++ } + } + + if (header->header.typeflag == GNUTYPE_LONGNAME +@@ -447,10 +451,14 @@ read_header (union block **return_block, struct tar_stat_info *info, + || header->header.typeflag == SOLARIS_XHDTYPE) + { + if (mode == read_header_x_raw) +- return HEADER_SUCCESS_EXTENDED; ++ { ++ status = HEADER_SUCCESS_EXTENDED; ++ break; ++ } + else if (header->header.typeflag == GNUTYPE_LONGNAME + || header->header.typeflag == GNUTYPE_LONGLINK) + { ++ union block *header_copy; + size_t name_size = info->stat.st_size; + size_t n = name_size % BLOCKSIZE; + size = name_size + BLOCKSIZE; +@@ -517,7 +525,10 @@ read_header (union block **return_block, struct tar_stat_info *info, + xheader_decode_global (&xhdr); + xheader_destroy (&xhdr); + if (mode == read_header_x_global) +- return HEADER_SUCCESS_EXTENDED; ++ { ++ status = HEADER_SUCCESS_EXTENDED; ++ break; ++ } + } + + /* Loop! */ +@@ -536,6 +547,7 @@ read_header (union block **return_block, struct tar_stat_info *info, + name = next_long_name->buffer + BLOCKSIZE; + recent_long_name = next_long_name; + recent_long_name_blocks = next_long_name_blocks; ++ next_long_name = NULL; + } + else + { +@@ -567,6 +579,7 @@ read_header (union block **return_block, struct tar_stat_info *info, + name = next_long_link->buffer + BLOCKSIZE; + recent_long_link = next_long_link; + recent_long_link_blocks = next_long_link_blocks; ++ next_long_link = NULL; + } + else + { +@@ -578,9 +591,12 @@ read_header (union block **return_block, struct tar_stat_info *info, + } + assign_string (&info->link_name, name); + +- return HEADER_SUCCESS; ++ break; + } + } ++ free (next_long_name); ++ free (next_long_link); ++ return status; + } + + #define ISOCTAL(c) ((c)>='0'&&(c)<='7') +-- +cgit v1.2.1 + 
diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb index ebe6cb0dbd..3ae6d674a5 100644 --- a/meta/recipes-extended/tar/tar_1.32.bb +++ b/meta/recipes-extended/tar/tar_1.32.bb @@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ file://musl_dirent.patch \ + file://CVE-2021-20193.patch \ " SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05" diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc index 9a19093e24..a89560b424 100644 --- a/meta/recipes-extended/timezone/timezone.inc +++ b/meta/recipes-extended/timezone/timezone.inc @@ -6,7 +6,7 @@ SECTION = "base" LICENSE = "PD & BSD & BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba" -PV = "2020f" +PV = "2021a" SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode \ http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata \ @@ -14,5 +14,5 @@ SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones" -SRC_URI[tzcode.sha256sum] = "cfeeea2a7745164f64bd9f6d76e47916f4ac820c4434493674adbbd4324329c5" -SRC_URI[tzdata.sha256sum] = "121131918c3ae6dc5d40f0eb87563a2be920b71a76e2392c09519a5e4a666881" +SRC_URI[tzcode.sha256sum] = "eb46bfa124b5b6bd13d61a609bfde8351bd192894708d33aa06e5c1e255802d0" +SRC_URI[tzdata.sha256sum] = "39e7d2ba08c68cbaefc8de3227aab0dec2521be8042cf56855f7dc3a9fb14e08" diff --git a/meta/recipes-extended/watchdog/watchdog_5.16.bb b/meta/recipes-extended/watchdog/watchdog_5.16.bb index 1988952603..a44a459c20 100644 --- a/meta/recipes-extended/watchdog/watchdog_5.16.bb +++ b/meta/recipes-extended/watchdog/watchdog_5.16.bb 
@@ -18,6 +18,11 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/watchdog/watchdog-${PV}.tar.gz \ SRC_URI[md5sum] = "1b4f51cabc64d1bee2fce7cdd626831f" SRC_URI[sha256sum] = "b8e7c070e1b72aee2663bdc13b5cc39f76c9232669cfbb1ac0adc7275a3b019d" +# Can be dropped when the output next changes, avoids failures after +# reproducibility issues +PR = "r1" +HASHEQUIV_HASH_VERSION .= ".1" + UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/watchdog/files/watchdog/" UPSTREAM_CHECK_REGEX = "/watchdog/(?P<pver>(\d+[\.\-_]*)+)/" @@ -28,6 +33,7 @@ CFLAGS += "-I${STAGING_INCDIR}/tirpc" LDFLAGS += "-ltirpc" EXTRA_OECONF += " --disable-nfs " +CACHED_CONFIGUREVARS += "ac_cv_path_PATH_SENDMAIL=${sbindir}/sendmail" INITSCRIPT_PACKAGES = "${PN} ${PN}-keepalive" diff --git a/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb b/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb index 4c3b18331a..0c22a67bde 100644 --- a/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb +++ b/meta/recipes-gnome/epiphany/epiphany_3.36.4.bb @@ -13,6 +13,8 @@ REQUIRED_DISTRO_FEATURES = "x11 opengl" SRC_URI = "${GNOME_MIRROR}/${GNOMEBN}/${@gnome_verdir("${PV}")}/${GNOMEBN}-${PV}.tar.${GNOME_COMPRESS_TYPE};name=archive \ file://0002-help-meson.build-disable-the-use-of-yelp.patch \ + file://migrator.patch \ + file://distributor.patch \ " SRC_URI[archive.sha256sum] = "588a75b1588f5a509c33cf0be6a38a0f4fc1748eeb499a51d991ddef485242bf" diff --git a/meta/recipes-gnome/epiphany/files/distributor.patch b/meta/recipes-gnome/epiphany/files/distributor.patch new file mode 100644 index 0000000000..b09c9b38d2 --- /dev/null +++ b/meta/recipes-gnome/epiphany/files/distributor.patch 
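Review bot: `CACHED_CONFIGUREVARS += "ac_cv_path_PATH_SENDMAIL=${sbindir}/sendmail"` is added without a comment, unlike the PR bump above it, which explains itself. Presumably configure otherwise probes the build host's PATH for sendmail and bakes whatever it finds into the binary, which is both a reproducibility problem and wrong for a cross build; a one-liner such as `# don't let configure pick up the build host's sendmail path` next to the line would record that.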
@@ -0,0 +1,17 @@
+Don't encode the distro from /etc/os-release into the binaries.
+
+Upstream-Status: Pending
+RP 2021/2/26
+
+Index: epiphany-3.38.2/meson.build
+===================================================================
+--- epiphany-3.38.2.orig/meson.build
++++ epiphany-3.38.2/meson.build
+@@ -15,6 +15,7 @@ if r.returncode() == 0
+ else
+ distributor_name = 'GNOME Web'
+ endif
++distributor_name = 'OpenEmbedded'
+
+ prefix = get_option('prefix')
+ datadir = join_paths(prefix, get_option('datadir'))
diff --git a/meta/recipes-gnome/epiphany/files/migrator.patch b/meta/recipes-gnome/epiphany/files/migrator.patch
new file mode 100644
index 0000000000..a9a650a64a
--- /dev/null
+++ b/meta/recipes-gnome/epiphany/files/migrator.patch
@@ -0,0 +1,24 @@
+We don't want to encide BUILD_ROOT into target packages. This is used
+for build time tests but in our case those would be on target anyway
+do use the target paths.
+
+Upstream-Status: Pending
+RP 2021/2/25
+
+Index: epiphany-3.38.2/lib/ephy-profile-utils.c
+===================================================================
+--- epiphany-3.38.2.orig/lib/ephy-profile-utils.c
++++ epiphany-3.38.2/lib/ephy-profile-utils.c
+@@ -130,10 +130,10 @@ ephy_profile_utils_do_migration (const c
+ argv[i++] = NULL;
+
+ #if DEVELOPER_MODE
+- argv[0] = BUILD_ROOT "/src/" EPHY_PROFILE_MIGRATOR;
++ argv[0] = PKGLIBEXECDIR "/" EPHY_PROFILE_MIGRATOR;
+ #else
+ if (debug)
+- argv[0] = BUILD_ROOT "/src/" EPHY_PROFILE_MIGRATOR;
++ argv[0] = PKGLIBEXECDIR "/" EPHY_PROFILE_MIGRATOR;
+ #endif
+
+ g_spawn_sync (NULL, (char **)argv, envp, G_SPAWN_SEARCH_PATH,
diff --git a/meta/recipes-gnome/gcr/gcr_3.36.0.bb b/meta/recipes-gnome/gcr/gcr_3.36.0.bb
index ff455a68ec..567ca8b774 100644
--- a/meta/recipes-gnome/gcr/gcr_3.36.0.bb
+++ b/meta/recipes-gnome/gcr/gcr_3.36.0.bb
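Review bot: The `Index:` lines in distributor.patch and migrator.patch name epiphany-3.38.2, but the recipe they are added to in the previous hunk is epiphany_3.36.4.bb; the patches may still apply with an offset, yet the headers misstate which tree they were generated against, and `Upstream-Status: Pending` carries no hint either. Regenerate them against the 3.36.4 sources or say in the header where they came from. In distributor.patch the unconditional `distributor_name = 'OpenEmbedded'` after the `endif` leaves the preceding lsb_release/os-release probe running for a result that is then discarded; the outcome is the same, but guarding or dropping that probe would be cleaner. migrator.patch's description also has typos: "encide" should read "encode" and "do use the target paths" should read "so use the target paths".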
@@ -11,6 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=55ca817ccb7d5b5b66355690e9abc605" DEPENDS = "gtk+3 p11-kit glib-2.0 libgcrypt gnupg-native \ ${@bb.utils.contains('GI_DATA_ENABLED', 'True', 'libxslt-native', '', d)}" +CACHED_CONFIGUREVARS += "ac_cv_path_GPG='gpg2'" + GNOMEBASEBUILDCLASS = "meson" GTKDOC_MESON_OPTION = "gtk_doc" inherit gnomebase gtk-icon-cache gtk-doc features_check upstream-version-is-even vala gobject-introspection gettext mime mime-xdg @@ -32,3 +34,11 @@ FILES_${PN} += " \ ARM_INSTRUCTION_SET_armv4 = "arm" ARM_INSTRUCTION_SET_armv5 = "arm" ARM_INSTRUCTION_SET_armv6 = "arm" + +EXTRA_OEMESON += "--cross-file ${WORKDIR}/meson-${PN}.cross" +do_write_config_append() { + cat >${WORKDIR}/meson-${PN}.cross <<EOF +[binaries] +gpg2 = '${bindir}/gpg2' +EOF +} diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch new file mode 100644 index 0000000000..3fef2bc1eb --- /dev/null +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2020-29385.patch 
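Review bot: `CACHED_CONFIGUREVARS += "ac_cv_path_GPG='gpg2'"` looks ineffective here: CACHED_CONFIGUREVARS is what autotools.bbclass passes to configure, while this recipe sets `GNOMEBASEBUILDCLASS = "meson"` and the second hunk pins gpg2 through a meson cross file instead, which as far as I can see is the only thing meson will honour. Unless something else in the build reads it, drop the line or add a comment naming the consumer. The cross file is added to `EXTRA_OEMESON` unconditionally; if this recipe is also built as native or nativesdk (not visible here), a `--cross-file` entry pointing at `${bindir}/gpg2` would be wrong for those variants, so a `_class-target` override may be warranted. A short comment above `do_write_config_append()` explaining why gpg2 has to be pinned at all would also help.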
@@ -0,0 +1,55 @@
+From bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81 Mon Sep 17 00:00:00 2001
+From: Robert Ancell <robert.ancell@canonical.com>
+Date: Mon, 30 Nov 2020 12:26:12 +1300
+Subject: [PATCH 02/13] gif: Fix LZW decoder accepting invalid LZW code.
+
+The code value after a reset wasn't being validated, which means we would
+accept invalid codes. This could cause an infinite loop in the decoder.
+
+Fixes CVE-2020-29385
+
+Fixes https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81]
+CVE: CVE-2020-29385
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ gdk-pixbuf/lzw.c | 13 +++++++------
+ 1 files changed, 7 insertions(+), 6 deletions(-)
+ create mode 100644 tests/test-images/fail/hang_114.gif
+
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 9e052a6f7..105daf2b1 100644
+--- a/gdk-pixbuf/lzw.c
++++ b/gdk-pixbuf/lzw.c
+@@ -195,19 +195,20 @@ lzw_decoder_feed (LZWDecoder *self,
+ if (self->last_code != self->clear_code && self->code_table_size < MAX_CODES) {
+ if (self->code < self->code_table_size)
+ add_code (self, self->code);
+- else if (self->code == self->code_table_size)
++ else
+ add_code (self, self->last_code);
+- else {
+- /* Invalid code received - just stop here */
+- self->last_code = self->eoi_code;
+- return output_length;
+- }
+
+ /* When table is full increase code size */
+ if (self->code_table_size == (1 << self->code_size) && self->code_size < LZW_CODE_MAX)
+ self->code_size++;
+ }
+
++ /* Invalid code received - just stop here */
++ if (self->code >= self->code_table_size) {
++ self->last_code = self->eoi_code;
++ return output_length;
++ }
++
+ /* Convert codeword into indexes */
+ n_written += write_indexes (self, output + n_written, output_length - n_written);
+ }
+--
+2.25.1
+
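Review bot: The diffstat in this backport still lists `create mode 100644 tests/test-images/fail/hang_114.gif`, but the patch body contains no such file (the binary was dropped), so the header promises a regression test that the patch does not deliver. Patch tools ignore the stat block, so it applies fine, but it is misleading; either remove that line or note in the header that the test image was intentionally omitted. The code change itself matches the cited upstream commit: the invalid-code check now runs after the table update, so a code beyond the table after a reset ends decoding instead of looping.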
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
new file mode 100644
index 0000000000..fe594b24bb
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
@@ -0,0 +1,40 @@
+From 086e8adf4cc352cd11572f96066b001b545f354e Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi <ebassi@gnome.org>
+Date: Wed, 1 Apr 2020 18:11:55 +0100
+Subject: [PATCH] Check the memset length argument
+
+Avoid overflows by using the checked multiplication macro for gsize.
+
+Fixes: #132
+
+Upstream-Status: Backported [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4c352cd11572f96066b001b545f354e]
+CVE: CVE-2021-20240
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ gdk-pixbuf/io-gif-animation.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index c9db3c66e..49674fd2e 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -412,11 +412,15 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+
+ /* If no rendered frame, render the first frame */
+ if (anim->last_frame == NULL) {
++ gsize len = 0;
+ if (anim->last_frame_data == NULL)
+ anim->last_frame_data = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, anim->width, anim->height);
+ if (anim->last_frame_data == NULL)
+ return NULL;
+- memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
++ if (g_size_checked_mul (&len, gdk_pixbuf_get_rowstride (anim->last_frame_data), anim->height))
++ memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, len);
++ else
++ return NULL;
+ composite_frame (anim, g_list_nth_data (anim->frames, 0));
+ }
+
+--
+GitLab
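Review bot: `Upstream-Status: Backported [...]` is not one of the status values OE's patch conventions recognise; the accepted spelling is `Backport`, as the neighbouring CVE-2020-29385.patch uses. Suggest `Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e]` so tooling that keys on the tag classifies the patch correctly. The code change itself, refusing the frame when rowstride times height does not fit in a gsize instead of passing a wrapped length to memset, is the upstream fix and reads correctly.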
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb index 3dec5ed052..32af2de1e8 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb @@ -24,6 +24,8 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ file://0004-Do-not-run-tests-when-building.patch \ file://0006-Build-thumbnailer-and-tests-also-in-cross-builds.patch \ file://missing-test-data.patch \ + file://CVE-2020-29385.patch \ + file://CVE-2021-20240.patch \ " SRC_URI_append_class-target = " \ diff --git a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb index 4d80f00e10..0f0f7a82c4 100644 --- a/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb +++ b/meta/recipes-gnome/gobject-introspection/gobject-introspection_1.64.1.bb @@ -29,14 +29,14 @@ GTKDOC_MESON_OPTION = "gtk_doc" MULTILIB_SCRIPTS = "${PN}:${bindir}/g-ir-annotation-tool ${PN}:${bindir}/g-ir-scanner" -DEPENDS_append = " libffi zlib glib-2.0 python3 flex-native bison-native autoconf-archive" +DEPENDS += " libffi zlib glib-2.0 python3 flex-native bison-native autoconf-archive" # target build needs qemu to run temporary introspection binaries created # on the fly by g-ir-scanner and a native version of itself to run # native versions of its own tools during build. # Also prelink-rtld is used to find out library dependencies of introspection binaries # (standard ldd doesn't work when cross-compiling). -DEPENDS_class-target_append = " gobject-introspection-native qemu-native prelink-native" +DEPENDS_append_class-target = " gobject-introspection-native qemu-native prelink-native" # needed for writing out the qemu wrapper script export STAGING_DIR_HOST 
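Review bot: `DEPENDS += " libffi zlib glib-2.0 python3 flex-native bison-native autoconf-archive"` keeps the leading space inherited from the old `_append` form; `+=` already inserts a separator, so the quoted value can start at `libffi`. The rename of `DEPENDS_class-target_append` to `DEPENDS_append_class-target` is the substantive part of this hunk, and as I read BitBake's override parsing the old spelling appended to a `DEPENDS_class-target` override value that replaces, rather than extends, DEPENDS for target builds; that subtlety deserves a sentence in the commit message so the change is not mistaken for a cosmetic reordering.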
diff --git a/meta/recipes-gnome/libsecret/libsecret/determinism.patch b/meta/recipes-gnome/libsecret/libsecret/determinism.patch
new file mode 100644
index 0000000000..ad96e8f59b
--- /dev/null
+++ b/meta/recipes-gnome/libsecret/libsecret/determinism.patch
@@ -0,0 +1,37 @@
+secret-enum-types.c/h.template: Fix reproducibility issue
+
+When full filenames are used in generated sources it makes the resulting
+debug packages non-reproducible. Best practise is to use basename in
+comments instead.
+
+Signed-off-by: Richard Purdie richard.purdie@linuxfoundation.org
+Upstream-Status: Submitted [https://gitlab.gnome.org/GNOME/libsecret/-/merge_requests/68]
+
+Index: libsecret-0.20.4/libsecret/secret-enum-types.c.template
+===================================================================
+--- libsecret-0.20.4.orig/libsecret/secret-enum-types.c.template
++++ libsecret-0.20.4/libsecret/secret-enum-types.c.template
+@@ -23,8 +23,8 @@
+ /*** END file-header ***/
+
+ /*** BEGIN file-production ***/
+-#include "@filename@"
+-/* enumerations from "@filename@" */
++#include "@basename@"
++/* enumerations from "@basename@" */
+ /*** END file-production ***/
+
+ /*** BEGIN value-header ***/
+Index: libsecret-0.20.4/libsecret/secret-enum-types.h.template
+===================================================================
+--- libsecret-0.20.4.orig/libsecret/secret-enum-types.h.template
++++ libsecret-0.20.4/libsecret/secret-enum-types.h.template
+@@ -27,7 +27,7 @@ G_BEGIN_DECLS
+
+ /*** BEGIN file-production ***/
+
+-/* enumerations from "@filename@" */
++/* enumerations from "@basename@" */
+ /*** END file-production ***/
+
+ /*** BEGIN value-header ***/
diff --git a/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb b/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb
index 533015a1e4..b72206535f 100644
--- a/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb
+++ b/meta/recipes-gnome/libsecret/libsecret_0.20.3.bb
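Review bot: The `Index:` lines in determinism.patch point at libsecret-0.20.4 while the recipe it is added to in the next hunk is libsecret_0.20.3.bb, so the header misstates the tree the patch was made against even if it applies with an offset. `Signed-off-by: Richard Purdie richard.purdie@linuxfoundation.org` is also missing the angle brackets around the address, `Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>`; the igt-gpu-tools reproducibility.patch later in this series has the same trailer with ` at ` in place of `@`, which trailer-parsing tools will not recognise as an address. Switching the template keyword from `@filename@` to `@basename@` is a supported glib-mkenums substitution, so the change itself is fine.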
@@ -13,7 +13,8 @@ inherit gnomebase gtk-doc vala gobject-introspection manpages
 
 DEPENDS += "glib-2.0 libgcrypt gettext-native"
 
-SRC_URI += "file://0001-meson-add-option-introspection.patch"
+SRC_URI += "file://0001-meson-add-option-introspection.patch \
+ file://determinism.patch"
 
 SRC_URI[archive.md5sum] = "47c3fdfeb111a87b509ad271e4a6f496"
 SRC_URI[archive.sha256sum] = "4fcb3c56f8ac4ab9c75b66901fb0104ec7f22aa9a012315a14c0d6dffa5290e4"
diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
new file mode 100644
index 0000000000..f8e69beb0b
--- /dev/null
+++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch
@@ -0,0 +1,121 @@ +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 +From: Heiko Lewin <heiko.lewin@worldiety.de> +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH] Fix mask usage in image-compositor + +CVE: CVE-2020-35492 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be?merge_request_iid=85] + +original patch from upstream has a binary file, it will cause +do_patch failed with "git binary diffs are not supported". + +so add do_patch_append in recipe to add this binary source. when removing +this patch, please also remove do_patch_append for this patch + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + src/cairo-image-compositor.c | 8 ++-- + test/Makefile.sources | 1 + + test/bug-image-compositor.c | 39 ++++++++++++++++++++ + 3 files changed, 44 insertions(+), 4 deletions(-) + create mode 100644 test/bug-image-compositor.c + +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index 79ad69f68..4f8aaed99 100644 +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -2610,14 +2610,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +- uint8_t *m; ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +- m = r->_buf; ++ m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + #endif + } + +- m = r->_buf; ++ m = base; + x0 = 
spans[1].x; + } else { + *m++ = spans[0].coverage; +diff --git a/test/Makefile.sources b/test/Makefile.sources +index 7eb73647f..86494348d 100644 +--- a/test/Makefile.sources ++++ b/test/Makefile.sources +@@ -34,6 +34,7 @@ test_sources = \ + bug-source-cu.c \ + bug-extents.c \ + bug-seams.c \ ++ bug-image-compositor.c \ + caps.c \ + checkerboard.c \ + caps-joins.c \ +diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c +new file mode 100644 +index 000000000..fc4fd370b +--- /dev/null ++++ b/test/bug-image-compositor.c +@@ -0,0 +1,39 @@ ++#include "cairo-test.h" ++ ++static cairo_test_status_t ++draw (cairo_t *cr, int width, int height) ++{ ++ cairo_set_source_rgb (cr, 0., 0., 0.); ++ cairo_paint (cr); ++ ++ cairo_set_source_rgb (cr, 1., 1., 1.); ++ cairo_set_line_width (cr, 1.); ++ ++ cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height); ++ cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1); ++ cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1); ++ cairo_set_source (cr, p); ++ ++ cairo_move_to (cr, 0.5, -1); ++ for (int i = 0; i < width; i+=3) { ++ cairo_rel_line_to (cr, 2, 2); ++ cairo_rel_line_to (cr, 1, -2); ++ } ++ ++ cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE); ++ cairo_stroke (cr); ++ ++ cairo_pattern_destroy(p); ++ ++ return CAIRO_TEST_SUCCESS; ++} ++ ++ ++CAIRO_TEST (bug_image_compositor, ++ "Crash in image-compositor", ++ "stroke, stress", /* keywords */ ++ NULL, /* requirements */ ++ 10000, 1, ++ NULL, draw) ++ ++ +-- +GitLab diff --git a/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png b/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png Binary files differnew file mode 100644 index 0000000000..939f659d2c --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/meta/recipes-graphics/cairo/cairo_1.16.0.bb index 68f993d7ca..d48da1a4c7 100644 --- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb 
+++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb @@ -27,6 +27,8 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ file://CVE-2018-19876.patch \ file://CVE-2019-6461.patch \ file://CVE-2019-6462.patch \ + file://CVE-2020-35492.patch \ + file://bug-image-compositor.ref.png \ " SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552" @@ -64,6 +66,15 @@ export ac_cv_lib_bfd_bfd_openr="no" # Ensure we don't depend on LZO export ac_cv_lib_lzo2_lzo2a_decompress="no" +#for CVE-2020-35492.patch +do_patch_append() { + bb.build.exec_func('do_cp_binary_source', d) +} + +do_cp_binary_source () { + cp ${WORKDIR}/bug-image-compositor.ref.png ${S}/test/reference/ +} + do_install_append () { rm -rf ${D}${bindir}/cairo-sphinx rm -rf ${D}${libdir}/cairo/cairo-fdr* diff --git a/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools/reproducibility.patch b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools/reproducibility.patch new file mode 100644 index 0000000000..39e36d8737 --- /dev/null +++ b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools/reproducibility.patch 
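Review bot: `#for CVE-2020-35492.patch` above `do_patch_append()` does not say why the copy is needed; the reason lives only in the patch header (the upstream commit carries a binary reference image that do_patch cannot apply). A fuller comment saves the next reader the trip, e.g. `# CVE-2020-35492.patch cannot carry its binary test reference image (do_patch does not support git binary diffs), so install it into the test tree here; remove together with the patch`. Because the file is copied into ${S} from inside do_patch rather than applied as a patch, tools that reconstruct the patched tree will presumably not know about it, which is worth stating in the same comment.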
@@ -0,0 +1,38 @@
+meson: Allow source location to be configurable
+
+Hardcoding a build source path into a binary when cross compiling isn't
+appropriate and breaks build reproducibility. Allow the srcdir to be
+specified by an optional configuration option to meson.
+
+Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
+Upstream-Status: Submitted [https://lists.freedesktop.org/archives/igt-dev/2021-February/029443.html]
+
+Index: git/lib/meson.build
+===================================================================
+--- git.orig/lib/meson.build
++++ git/lib/meson.build
+@@ -122,7 +122,11 @@ if chamelium.found()
+ lib_sources += 'igt_chamelium_stream.c'
+ endif
+
+-srcdir = join_paths(meson.source_root(), 'tests')
++if get_option('srcdir') != ''
++ srcdir = join_paths(get_option('srcdir'), 'tests')
++else
++ srcdir = join_paths(meson.source_root(), 'tests')
++endif
+
+ lib_version = vcs_tag(input : 'version.h.in', output : 'version.h',
+ fallback : 'NO-GIT',
+Index: git/meson_options.txt
+===================================================================
+--- git.orig/meson_options.txt
++++ git/meson_options.txt
+@@ -50,3 +50,7 @@ option('use_rpath',
+ type : 'boolean',
+ value : false,
+ description : 'Set runpath on installed executables for libigt.so')
++
++option('srcdir',
++ type : 'string',
++ description : 'Path to source code to be compiled into binaries (optional)')
diff --git a/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb
index 89480d79d2..f25cbc0603 100644
--- a/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb
+++ b/meta/recipes-graphics/igt-gpu-tools/igt-gpu-tools_git.bb
@@ -10,7 +10,8 @@ inherit meson SRCREV = "d16ad07e7f2a028e14d61f570931c87fa5ce404c" PV = "1.25+git${SRCPV}" -SRC_URI = "git://gitlab.freedesktop.org/drm/igt-gpu-tools.git;protocol=https" +SRC_URI = "git://gitlab.freedesktop.org/drm/igt-gpu-tools.git;protocol=https \ + file://reproducibility.patch" S = "${WORKDIR}/git" @@ -22,7 +23,7 @@ PACKAGE_BEFORE_PN = "${PN}-benchmarks ${PN}-tests" PACKAGECONFIG[chamelium] = "-Dchamelium=enabled,-Dchamelium=disabled,gsl xmlrpc-c" -EXTRA_OEMESON = "-Ddocs=disabled -Drunner=enabled" +EXTRA_OEMESON = "-Ddocs=disabled -Drunner=enabled -Dsrcdir=/usr/src/debug/${PN}/${PV}-${PR}/git/" COMPATIBLE_HOST = "(x86_64.*|i.86.*|arm.*|aarch64).*-linux" COMPATIBLE_HOST_libc-musl_class-target = "null" SECURITY_LDFLAGS = "${SECURITY_X_LDFLAGS}" diff --git a/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch new file mode 100644 index 0000000000..d8fa24bc65 --- /dev/null +++ b/meta/recipes-graphics/libsdl2/libsdl2/CVE-2020-14409-14410.patch 
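Review bot: `-Dsrcdir=/usr/src/debug/${PN}/${PV}-${PR}/git/` in the second hunk hard-codes the directory layout the packaging class uses for debug sources; if that layout or the `${PV}-${PR}` naming changes (or PE comes into play), the path compiled into IGT will silently stop resolving on target. The intent should be recorded next to the line, e.g. `# Point IGT at the location where the -dbg package installs its sources, so the path baked into the binaries is reproducible and resolvable on target`. Deriving the value from the same variable the packaging code uses, rather than spelling the path out, would remove the drift risk, if such a variable is available in this tree.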
@@ -0,0 +1,79 @@ +From a7ff6e96155f550a5597621ebeddd03c98aa9294 Mon Sep 17 00:00:00 2001 +From: Sam Lantinga <slouken@libsdl.org> +Date: Wed, 17 Jun 2020 08:44:45 -0700 +Subject: [PATCH] Fixed overflow in surface pitch calculation + + +Upstream-Status: Backport +[https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294] +CVE: CVE-2020-14409 CVE-2020-14410 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + src/video/SDL_surface.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/src/video/SDL_surface.c b/src/video/SDL_surface.c +index 085d9ff1e..bff826f7c 100644 +--- a/src/video/SDL_surface.c ++++ b/src/video/SDL_surface.c +@@ -28,24 +28,23 @@ + #include "SDL_yuv_c.h" + + +-/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow size_t */ +-SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, +- sizeof(int) == sizeof(Sint32) && sizeof(size_t) >= sizeof(Sint32)); ++/* Check to make sure we can safely check multiplication of surface w and pitch and it won't overflow Sint64 */ ++SDL_COMPILE_TIME_ASSERT(surface_size_assumptions, sizeof(int) == sizeof(Sint32)); + + /* Public routines */ + + /* + * Calculate the pad-aligned scanline width of a surface + */ +-static int ++static Sint64 + SDL_CalculatePitch(Uint32 format, int width) + { +- int pitch; ++ Sint64 pitch; + + if (SDL_ISPIXELFORMAT_FOURCC(format) || SDL_BITSPERPIXEL(format) >= 8) { +- pitch = (width * SDL_BYTESPERPIXEL(format)); ++ pitch = ((Sint64)width * SDL_BYTESPERPIXEL(format)); + } else { +- pitch = ((width * SDL_BITSPERPIXEL(format)) + 7) / 8; ++ pitch = (((Sint64)width * SDL_BITSPERPIXEL(format)) + 7) / 8; + } + pitch = (pitch + 3) & ~3; /* 4-byte aligning for speed */ + return pitch; +@@ -59,11 +58,19 @@ SDL_Surface * + SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth, + Uint32 format) + { ++ Sint64 pitch; + SDL_Surface *surface; + + /* The flags are 
no longer used, make the compiler happy */ + (void)flags; + ++ pitch = SDL_CalculatePitch(format, width); ++ if (pitch < 0 || pitch > SDL_MAX_SINT32) { ++ /* Overflow... */ ++ SDL_OutOfMemory(); ++ return NULL; ++ } ++ + /* Allocate the surface */ + surface = (SDL_Surface *) SDL_calloc(1, sizeof(*surface)); + if (surface == NULL) { +@@ -78,7 +85,7 @@ SDL_CreateRGBSurfaceWithFormat(Uint32 flags, int width, int height, int depth, + } + surface->w = width; + surface->h = height; +- surface->pitch = SDL_CalculatePitch(format, width); ++ surface->pitch = (int)pitch; + SDL_SetClipRect(surface, NULL); + + if (SDL_ISPIXELFORMAT_INDEXED(surface->format->format)) { diff --git a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb index 1513746492..639a465567 100644 --- a/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb +++ b/meta/recipes-graphics/libsdl2/libsdl2_2.0.12.bb @@ -20,6 +20,7 @@ SRC_URI = "http://www.libsdl.org/release/SDL2-${PV}.tar.gz \ file://more-gen-depends.patch \ file://directfb-spurious-curly-brace-missing-e.patch \ file://directfb-renderfillrect-fix.patch \ + file://CVE-2020-14409-14410.patch \ " S = "${WORKDIR}/SDL2-${PV}" diff --git a/meta/recipes-graphics/mesa/mesa.inc b/meta/recipes-graphics/mesa/mesa.inc index 9fc62e95e1..a4c7007157 100644 --- a/meta/recipes-graphics/mesa/mesa.inc +++ b/meta/recipes-graphics/mesa/mesa.inc @@ -48,11 +48,6 @@ PROVIDES = " \ inherit meson pkgconfig python3native gettext features_check -# Unset these to stop python trying to report the target Python setup -_PYTHON_SYSCONFIGDATA_NAME[unexport] = "1" -STAGING_INCDIR[unexport] = "1" -STAGING_LIBDIR[unexport] = "1" - BBCLASSEXTEND = "native nativesdk" ANY_OF_DISTRO_FEATURES_class-target = "opengl vulkan" diff --git a/meta/recipes-graphics/wayland/libinput/run-ptest b/meta/recipes-graphics/wayland/libinput/run-ptest index 5a84c568b9..d11e6eb25b 100644 --- a/meta/recipes-graphics/wayland/libinput/run-ptest 
+++ b/meta/recipes-graphics/wayland/libinput/run-ptest
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-/usr/libexec/libinput/libinput-test-suite
+/usr/libexec/libinput/libinput-test-suite -j1
 if [ $? -eq 0 ]; then
 echo 'PASS: libinput-test-suite'
 else
diff --git a/meta/recipes-graphics/wayland/weston-init/weston.ini b/meta/recipes-graphics/wayland/weston-init/weston.ini
index b48726d59c..6bd5aef55a 100644
--- a/meta/recipes-graphics/wayland/weston-init/weston.ini
+++ b/meta/recipes-graphics/wayland/weston-init/weston.ini
@@ -42,7 +42,7 @@ require-input=false
 #path=/build/weston-0lEgCh/weston-1.11.0/weston-flower
 
 #[input-method]
-#path=/usr/lib/weston/weston-keyboard
+#path=/usr/libexec/weston-keyboard
 
 #[output]
 #name=LVDS1
diff --git a/meta/recipes-graphics/wayland/weston_9.0.0.bb b/meta/recipes-graphics/wayland/weston_9.0.0.bb
index 75f9fb05fd..d60b5e1a35 100644
--- a/meta/recipes-graphics/wayland/weston_9.0.0.bb
+++ b/meta/recipes-graphics/wayland/weston_9.0.0.bb
@@ -73,7 +73,7 @@ PACKAGECONFIG[colord] = "-Dcolor-management-colord=true,-Dcolor-management-color
 # Clients support
 PACKAGECONFIG[clients] = "-Dsimple-clients=all -Ddemo-clients=true,-Dsimple-clients= -Ddemo-clients=false"
 # Virtual remote output with GStreamer on DRM backend
-PACKAGECONFIG[remoting] = "-Dremoting=true,-Dremoting=false,gstreamer1.0"
+PACKAGECONFIG[remoting] = "-Dremoting=true,-Dremoting=false,gstreamer1.0 gstreamer1.0-plugins-base"
 # Weston with PAM support
 PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam"
 # Weston with screen-share support
diff --git a/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb b/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
index 1ea08a6c99..bf8385fe6d 100644
--- a/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
+++ b/meta/recipes-graphics/xorg-font/xorg-minimal-fonts.bb
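Review bot: The switch to `libinput-test-suite -j1` carries no comment explaining why the suite is now serialised; if parallel runs were flaky or exhausted resources on target, say so next to the command, e.g. `# run single-threaded: parallel test jobs are unreliable on target`, so nobody later "optimises" it back. The exit-status check below the changed line is unchanged and still reports a single PASS/FAIL for the whole suite.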
@@ -10,8 +10,12 @@ LIC_FILES_CHKSUM = "file://../misc/fonts.dir;md5=82a143d94d6a974aafe97132d2d519a SRC_URI = "file://misc" +SOURCE_DATE_EPOCH = "1613559011" + PE = "1" -PR = "r2" +PR = "r3" +HASHEQUIV_HASH_VERSION .= ".1" + inherit allarch features_check @@ -27,6 +31,8 @@ RDEPENDS_${PN} += "font-alias" do_install() { install -d ${D}/${datadir}/fonts/X11/misc install -m 0644 ${S}/* ${D}/${datadir}/fonts/X11/misc/ + # Pick a date/time as otherwise it would be the git checkout/modify time + touch -d @1613559011 ${D}/${datadir}/fonts/X11/misc/* install -d ${D}/${libdir}/X11 ln -sf ${datadir}/fonts/X11/ ${D}/${libdir}/X11/fonts -s } diff --git a/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.bb b/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.1.bb index 6de30098d6..52e474a2e9 100644 --- a/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.bb +++ b/meta/recipes-graphics/xorg-proto/xcb-proto_1.14.1.bb @@ -11,8 +11,8 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=d763b081cb10c223435b01e00dc0aba7 \ file://src/dri2.xml;beginline=2;endline=28;md5=f8763b13ff432e8597e0d610cf598e65" -SRC_URI = "http://xcb.freedesktop.org/dist/${BP}.tar.xz" -SRC_URI[sha256sum] = "186a3ceb26f9b4a015f5a44dcc814c93033a5fc39684f36f1ecc79834416a605" +SRC_URI = "https://xorg.freedesktop.org/archive/individual/proto/${BP}.tar.xz" +SRC_URI[sha256sum] = "f04add9a972ac334ea11d9d7eb4fc7f8883835da3e4859c9afa971efdf57fcc3" inherit autotools pkgconfig python3native diff --git a/meta/recipes-kernel/dtc/dtc.inc b/meta/recipes-kernel/dtc/dtc.inc index 0650e3c82e..5da6c24fbf 100644 --- a/meta/recipes-kernel/dtc/dtc.inc +++ b/meta/recipes-kernel/dtc/dtc.inc @@ -7,7 +7,9 @@ DEPENDS = "flex-native bison-native" SRC_URI = "git://git.kernel.org/pub/scm/utils/dtc/dtc.git \ file://make_install.patch \ + file://0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch \ " + UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" EXTRA_OEMAKE='NO_PYTHON=1 PREFIX="${prefix}" LIBDIR="${libdir}" DESTDIR="${D}"' 
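Review bot: The timestamp 1613559011 is written twice in the xorg-minimal-fonts change — once as `SOURCE_DATE_EPOCH` in the first hunk and again as the literal argument of `touch -d @1613559011` in do_install — so the two can silently drift apart on the next bump. Since the recipe now defines the variable, the install step can reference it: `touch -d @${SOURCE_DATE_EPOCH} ${D}/${datadir}/fonts/X11/misc/*`. The existing comment could also say what the reproducibility goal is, e.g. `# Normalise mtimes so the package is reproducible regardless of checkout time`. The do_install function is shown in full within the hunk.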
diff --git a/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch b/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch new file mode 100644 index 0000000000..a2deb12d4b --- /dev/null +++ b/meta/recipes-kernel/dtc/dtc/0001-dtc-Fix-Makefile-to-add-CFLAGS-not-override.patch @@ -0,0 +1,36 @@ +From f0119060ef1b9bd80e2cae487df1e4aedffb0e9b Mon Sep 17 00:00:00 2001 +From: Oleksiy Obitotskyy <oobitots@cisco.com> +Date: Fri, 22 Jan 2021 09:12:48 +0200 +Subject: [PATCH] dtc: Fix Makefile to add CFLAGS not override + +Makefile override CFLAGS not extend them, so some of them +missing. Sources builds out of kernel tree and probably not all +options could be used (?). We need at least -fmacro-prefix-map/ +debug-prefix-map to eliminate absolute path in binaries. + +Upstream-Status: Pending +Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com> +--- + Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index 35d936f..b5b13cf 100644 +--- a/Makefile ++++ b/Makefile +@@ -20,10 +20,10 @@ CONFIG_LOCALVERSION = + # See libfdt_internal.h for details + ASSUME_MASK ?= 0 + +-CPPFLAGS = -I libfdt -I . -DFDT_ASSUME_MASK=$(ASSUME_MASK) ++CPPFLAGS += -I libfdt -I . -DFDT_ASSUME_MASK=$(ASSUME_MASK) + WARNINGS = -Wall -Wpointer-arith -Wcast-qual -Wnested-externs \ + -Wstrict-prototypes -Wmissing-prototypes -Wredundant-decls -Wshadow +-CFLAGS = -g -Os $(SHAREDLIB_CFLAGS) -Werror $(WARNINGS) $(EXTRA_CFLAGS) ++CFLAGS += -g -Os $(SHAREDLIB_CFLAGS) -Werror $(WARNINGS) $(EXTRA_CFLAGS) + + BISON = bison + LEX = flex +-- +2.25.1 + diff --git a/meta/recipes-kernel/kmod/kmod.inc b/meta/recipes-kernel/kmod/kmod.inc index 646dff9a97..10a319ac9f 100644 --- a/meta/recipes-kernel/kmod/kmod.inc +++ b/meta/recipes-kernel/kmod/kmod.inc 
@@ -26,7 +26,6 @@ SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git \ S = "${WORKDIR}/git" -EXTRA_AUTORECONF += "--install --symlink" EXTRA_OECONF +=" --enable-tools --with-zlib" PACKAGECONFIG[debug] = "--enable-debug,--disable-debug" diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20201218.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb index 700a79b118..1a9374d0b4 100644 --- a/meta/recipes-kernel/linux-firmware/linux-firmware_20201218.bb +++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb @@ -128,7 +128,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \ file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \ file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \ - file://WHENCE;md5=03f0fad70b8b557b56084e3090198021 \ + file://WHENCE;md5=ef0565762eac313c409567b59dff00b2 \ " # These are not common licenses, set NO_GENERIC_LICENSE for them @@ -201,7 +201,7 @@ PE = "1" SRC_URI = "${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz" -SRC_URI[sha256sum] = "a1cc1ff72c739f312b095df589e9fd639fc81c3f8f7966377ea35222dc94c04b" +SRC_URI[sha256sum] = "1bcb1a3944c361507754a7d26ccff40ffc28d1fb93bce711d67da26b33e785b7" inherit allarch @@ -225,6 +225,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ ${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \ ${PN}-ti-connectivity-license ${PN}-wlcommon ${PN}-wl12xx ${PN}-wl18xx \ ${PN}-vt6656-license ${PN}-vt6656 \ + ${PN}-rs9113 ${PN}-rs9116 \ ${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \ ${PN}-rtl8168 \ ${PN}-cypress-license \ 
@@ -492,6 +493,13 @@ FILES_${PN}-netronome = " \ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0096*.nffw \ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0097*.nffw \ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0099*.nffw \ + ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0011_2x40.nffw \ + ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0012_2x40.nffw \ + ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0078-0011_1x100.nffw \ + ${nonarch_base_libdir}/firmware/netronome/bpf \ + ${nonarch_base_libdir}/firmware/netronome/flower \ + ${nonarch_base_libdir}/firmware/netronome/nic \ + ${nonarch_base_libdir}/firmware/netronome/nic-sriov \ " RDEPENDS_${PN}-netronome += "${PN}-netronome-license" @@ -518,6 +526,16 @@ RDEPENDS_${PN}-nvidia-gpu += "${PN}-nvidia-license" RDEPENDS_${PN}-nvidia-tegra += "${PN}-nvidia-license" RDEPENDS_${PN}-nvidia-tegra-k1 += "${PN}-nvidia-license" +# For RSI RS911x WiFi +LICENSE_${PN}-rs9113 = "WHENCE" +LICENSE_${PN}-rs9116 = "WHENCE" + +FILES_${PN}-rs9113 = " ${nonarch_base_libdir}/firmware/rsi/rs9113*.rps " +FILES_${PN}-rs9116 = " ${nonarch_base_libdir}/firmware/rsi/rs9116*.rps " + +RDEPENDS_${PN}-rs9113 += "${PN}-whence-license" +RDEPENDS_${PN}-rs9116 += "${PN}-whence-license" + # For rtl LICENSE_${PN}-rtl8188 = "Firmware-rtlwifi_firmware" LICENSE_${PN}-rtl8192cu = "Firmware-rtlwifi_firmware" 
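Review bot: The two new RS911x FILES assignments pad the value with spaces inside the quotes, `FILES_${PN}-rs9113 = " ${nonarch_base_libdir}/firmware/rsi/rs9113*.rps "`, which no other FILES_ line in this recipe does. FILES is whitespace-split so it is harmless, but for consistency with the surrounding entries write `FILES_${PN}-rs9113 = "${nonarch_base_libdir}/firmware/rsi/rs9113*.rps"` and the same for rs9116. The `LICENSE_${PN}-rs911x = "WHENCE"` and `${PN}-whence-license` runtime dependency follow the pattern already used elsewhere in the file, so that part looks fine.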
@@ -618,7 +636,9 @@ FILES_${PN}-bcm4329 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4329-sdio.bi FILES_${PN}-bcm4330 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4330-sdio.*" FILES_${PN}-bcm4334 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4334-sdio.bin" FILES_${PN}-bcm4335 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4335-sdio.bin" -FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin" +FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4339-sdio.bin \ +" FILES_${PN}-bcm43241b0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b0-sdio.bin" FILES_${PN}-bcm43241b4 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b4-sdio.bin" FILES_${PN}-bcm43241b5 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b5-sdio.bin" 
@@ -627,12 +647,18 @@ FILES_${PN}-bcm43143 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43143.bin \ ${nonarch_base_libdir}/firmware/brcm/brcmfmac43143-sdio.bin \ " FILES_${PN}-bcm43430a0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430a0-sdio.*" -FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.*" +FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.* \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac43455-sdio.* \ +" FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin" FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin" -FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin" +FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.bin \ +" FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin" -FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin" +FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac43570-pcie.bin \ +" FILES_${PN}-bcm4358 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4358-pcie.bin" FILES_${PN}-bcm43602 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.bin \ ${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.ap.bin \ 
@@ -703,13 +729,21 @@ LICENSE_${PN}-cypress-license = "Firmware-cypress" FILES_${PN}-cypress-license = "${nonarch_base_libdir}/firmware/LICENCE.cypress" FILES_${PN}-bcm-0bb4-0306 = "${nonarch_base_libdir}/firmware/brcm/BCM-0bb4-0306.hcd" -FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.*" -FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.*" -FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.*" -FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin" -FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.*" +FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.* \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac43340-sdio.*" +FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.* \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac43362-sdio.*" +FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.* \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac43430-sdio.*" +FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4354-sdio.bin \ +" +FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.* \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-pcie.* \ +" FILES_${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \ ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \ " LICENSE_${PN}-bcm-0bb4-0306 = "Firmware-cypress" diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb index f6dd97c9b4..da1d5b72da 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb 
@@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "b82b3d52ee94caf6165eda89d3294a561bfb4f0b" -SRCREV_meta ?= "bc855ca4626f33c38c1398d48c71df10334a9132" +SRCREV_machine ?= "324e77d816cf6434507ab29140beb24044009efa" +SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.4.87" +LINUX_VERSION ?= "5.4.112" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb index 05edcfa63d..1edc632de7 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.4.87" +LINUX_VERSION ?= "5.4.112" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "18b82a8554b25c86cbf31af312765832edca3498" -SRCREV_machine ?= "292d752af8e4015e40e7c523641983bac543e2b4" -SRCREV_meta ?= "bc855ca4626f33c38c1398d48c71df10334a9132" +SRCREV_machine_qemuarm ?= "8463db325b93f0669446f68c19334cfe11ffb9c2" +SRCREV_machine ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb index ba8660d5d3..53cfabb3a7 100644 --- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb 
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb @@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base" KBRANCH_qemux86-64 ?= "v5.4/standard/base" KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "03f94e8a96d027da980f2cc2ad6e95bbb45e22c5" -SRCREV_machine_qemuarm64 ?= "292d752af8e4015e40e7c523641983bac543e2b4" -SRCREV_machine_qemumips ?= "0b055d3e2e8d41743b00cd84975ff383e35f1ae9" -SRCREV_machine_qemuppc ?= "292d752af8e4015e40e7c523641983bac543e2b4" -SRCREV_machine_qemuriscv64 ?= "292d752af8e4015e40e7c523641983bac543e2b4" -SRCREV_machine_qemux86 ?= "292d752af8e4015e40e7c523641983bac543e2b4" -SRCREV_machine_qemux86-64 ?= "292d752af8e4015e40e7c523641983bac543e2b4" -SRCREV_machine_qemumips64 ?= "126e385b2dd8580a266fe15907c3725d2da12458" -SRCREV_machine ?= "292d752af8e4015e40e7c523641983bac543e2b4" -SRCREV_meta ?= "bc855ca4626f33c38c1398d48c71df10334a9132" +SRCREV_machine_qemuarm ?= "133328e5d558f6060a5633d71506a6b716bb4fc6" +SRCREV_machine_qemuarm64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_machine_qemumips ?= "eef7365804592f95bceefa143cdb3cc19e8c6b66" +SRCREV_machine_qemuppc ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_machine_qemuriscv64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_machine_qemux86 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_machine_qemux86-64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_machine_qemumips64 ?= "996fe040c8d8d01a9af6be42dae3844d127471bf" +SRCREV_machine ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642" # remap qemuarm to qemuarma15 for the 5.4 kernel # KMACHINE_qemuarm ?= "qemuarma15" 
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" -LINUX_VERSION ?= "5.4.87" +LINUX_VERSION ?= "5.4.112" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb b/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb index c65882581d..32ba75bf36 100644 --- a/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb +++ b/meta/recipes-kernel/lttng/babeltrace2_2.0.3.bb @@ -17,7 +17,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>2(\.\d+)+)$" S = "${WORKDIR}/git" -inherit autotools pkgconfig ptest +inherit autotools pkgconfig ptest python3targetconfig EXTRA_OECONF = "--disable-debug-info" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb index 14b34a2808..3eeb69d72c 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-python_1.16.3.bb @@ -16,6 +16,8 @@ PNREAL = "gst-python" S = "${WORKDIR}/${PNREAL}-${PV}" +EXTRA_OEMESON += "-Dlibpython-dir=${libdir}" + # gobject-introspection is mandatory and cannot be configured REQUIRED_DISTRO_FEATURES = "gobject-introspection-data" UNKNOWN_CONFIGURE_WHITELIST_append = " introspection" diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0/0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch new file mode 100644 index 0000000000..e0e64e2c7a --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0/0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch 
@@ -0,0 +1,32 @@ +From 1db36347d05d88835519368442e9aa89c64091ad Mon Sep 17 00:00:00 2001 +From: Seungha Yang <seungha@centricular.com> +Date: Tue, 15 Sep 2020 00:54:58 +0900 +Subject: [PATCH] tests: seek: Don't use too strict timeout for validation + +Expected segment-done message might not be seen within expected +time if system is not powerful enough. + +Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/625> + +Upstream-Status: Backport [https://cgit.freedesktop.org/gstreamer/gstreamer/commit?id=f44312ae5d831438fcf8041162079c65321c588c] +Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> +--- + tests/check/pipelines/seek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/check/pipelines/seek.c b/tests/check/pipelines/seek.c +index 28bb8846d..5f7447bc5 100644 +--- a/tests/check/pipelines/seek.c ++++ b/tests/check/pipelines/seek.c +@@ -521,7 +521,7 @@ GST_START_TEST (test_loopback_2) + + GST_INFO ("wait for segment done message"); + +- msg = gst_bus_timed_pop_filtered (bus, (GstClockTime) 2 * GST_SECOND, ++ msg = gst_bus_timed_pop_filtered (bus, GST_CLOCK_TIME_NONE, + GST_MESSAGE_SEGMENT_DONE | GST_MESSAGE_ERROR); + fail_unless (msg, "no message within the timed window"); + fail_unless_equals_string (GST_MESSAGE_TYPE_NAME (msg), "segment-done"); +-- +2.29.2 + diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb index 7afe56cd7b..632ef8819c 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.16.3.bb 
@@ -22,6 +22,7 @@ SRC_URI = " \ file://0003-meson-Add-valgrind-feature.patch \ file://0004-meson-Add-option-for-installed-tests.patch \ file://0005-bufferpool-only-resize-in-reset-when-maxsize-is-larger.patch \ + file://0001-tests-seek-Don-t-use-too-strict-timeout-for-validati.patch \ " SRC_URI[md5sum] = "beecf6965a17fb17fa3b262fd36df70a" SRC_URI[sha256sum] = "692f037968e454e508b0f71d9674e2e26c78475021407fcf8193b1c7e59543c7" diff --git a/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb b/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb index 2061c280e4..82cdaf54c7 100644 --- a/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb +++ b/meta/recipes-multimedia/libomxil/libomxil_0.9.3.bb @@ -4,7 +4,7 @@ DESCRIPTION = "Bellagio is an opensource implementation of the Khronos OpenMAX \ HOMEPAGE = "http://omxil.sourceforge.net/" LICENSE = "LGPLv2.1+" -LICENSE_FLAGS = "commercial" +LICENSE_FLAGS = "${@bb.utils.contains('PACKAGECONFIG', 'amr', 'commercial', '', d)}" LIC_FILES_CHKSUM = "file://COPYING;md5=ae6f0f4dbc7ac193b50f323a6ae191cb \ file://src/omxcore.h;beginline=1;endline=27;md5=806b1e5566c06486fe8e42b461e03a90" @@ -28,6 +28,10 @@ PROVIDES += "virtual/libomxil" CFLAGS += "-fcommon" +PACKAGECONFIG ??= "" + +PACKAGECONFIG[amr] = "--enable-amr,," + # # The .so files under ${libdir}/bellagio are not intended to be versioned and symlinked. # Make sure they get packaged in the main package. diff --git a/meta/recipes-sato/images/core-image-sato-ptest-fast.bb b/meta/recipes-sato/images/core-image-sato-ptest-fast.bb index 3641217306..4f08d6eb64 100644 --- a/meta/recipes-sato/images/core-image-sato-ptest-fast.bb +++ b/meta/recipes-sato/images/core-image-sato-ptest-fast.bb @@ -1,3 +1,6 @@ +inherit features_check +REQUIRED_DISTRO_FEATURES = "ptest" + require core-image-sato-sdk.bb require conf/distro/include/ptest-packagelists.inc 
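Review bot: In the libomxil change, `PACKAGECONFIG[amr] = "--enable-amr,,"` leaves the disable slot empty, so when `amr` is not in PACKAGECONFIG nothing is passed to configure; if upstream's configure enables AMR by default (not visible here — please verify against the configure.ac), the commercially-licensed code would still be built while `LICENSE_FLAGS` is now empty, which is exactly the license-tracking gap the conditional `LICENSE_FLAGS` line in the first hunk is trying to close. The safe form is explicit on both sides: `PACKAGECONFIG[amr] = "--enable-amr,--disable-amr,"`. A one-line comment above `PACKAGECONFIG ??= ""` such as `# AMR codecs carry commercial license terms; LICENSE_FLAGS is only set when they are enabled` would make the coupling between the two hunks obvious to the next maintainer.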
diff --git a/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb b/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb index bf749acd79..4d59c9536b 100644 --- a/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb +++ b/meta/recipes-sato/images/core-image-sato-sdk-ptest.bb @@ -1,3 +1,6 @@ +inherit features_check +REQUIRED_DISTRO_FEATURES = "ptest" + require core-image-sato-sdk.bb require conf/distro/include/ptest-packagelists.inc diff --git a/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb b/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb index 519762d125..15f4f4276c 100644 --- a/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb +++ b/meta/recipes-sato/webkit/wpebackend-fdo_1.7.1.bb @@ -15,3 +15,6 @@ REQUIRED_DISTRO_FEATURES = "opengl" SRC_URI = "https://wpewebkit.org/releases/${BPN}-${PV}.tar.xz" SRC_URI[sha256sum] = "9b980a73ea4e3762266c48f81ded56d9dcad4acf32bad9bd05d0dffdd454c6f5" +FILES_${PN} += "${libdir}/libWPEBackend-fdo-1.0.so" +FILES_SOLIBSDEV = "" +INSANE_SKIP_${PN} += "dev-so" diff --git a/meta/recipes-support/apr/apr-util_1.6.1.bb b/meta/recipes-support/apr/apr-util_1.6.1.bb index f7d827a1d8..4e183ca374 100644 --- a/meta/recipes-support/apr/apr-util_1.6.1.bb +++ b/meta/recipes-support/apr/apr-util_1.6.1.bb @@ -35,6 +35,7 @@ OE_BINCONFIG_EXTRA_MANGLE = " -e 's:location=source:location=installed:'" do_configure_append() { if [ "${CLASSOVERRIDE}" = "class-target" ]; then cp ${STAGING_DATADIR}/apr/apr_rules.mk ${B}/build/rules.mk + sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${B}/build/rules.mk fi } do_configure_prepend_class-native() { @@ -49,6 +50,7 @@ do_configure_append_class-native() { do_configure_prepend_class-nativesdk() { cp ${STAGING_DATADIR}/apr/apr_rules.mk ${S}/build/rules.mk + sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${S}/build/rules.mk } do_configure_append_class-nativesdk() { 
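Review bot: The three new wpebackend-fdo lines (`FILES_${PN} += "${libdir}/libWPEBackend-fdo-1.0.so"`, `FILES_SOLIBSDEV = ""`, `INSANE_SKIP_${PN} += "dev-so"`) disable the dev-so QA check without saying why, and an unexplained INSANE_SKIP is the kind of line that gets cargo-culted. Presumably the unversioned .so is what WPE loads by name at runtime (confirm against the consumer), in which case a comment above the block such as `# The unversioned libWPEBackend-fdo-1.0.so is the runtime loadable backend, not a dev symlink; ship it in the main package` would document the exception.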
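Review bot: The added `sed -i -e 's#^CFLAGS=.*#CFLAGS=${TARGET_CFLAGS}#g' ${B}/build/rules.mk` in apr-util's do_configure_append interpolates `${TARGET_CFLAGS}` into the sed replacement text, so any `#`, `&` or backslash in the flags would change the expression rather than be copied literally; OE's flag sets are normally free of these, but a comment stating that assumption (e.g. `# TARGET_CFLAGS must not contain '#', '&' or '\' — they are sed-special in this replacement`) would flag it for anyone adding unusual flags. The identical line is repeated in the do_configure_prepend_class-nativesdk hunk of the same file against `${S}/build/rules.mk`; a small shared shell function taking the rules.mk path would keep the two from diverging. Both enclosing functions are shown complete within their hunks.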
diff --git a/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch b/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch deleted file mode 100644 index aa2c85ff43..0000000000 --- a/meta/recipes-support/ca-certificates/ca-certificates/0001-certdata2pem.py-use-python3.patch +++ /dev/null @@ -1,37 +0,0 @@ -From b6d18ca77f131cdcaa10d0eaa9d303399767edf6 Mon Sep 17 00:00:00 2001 -From: Alexander Kanavin <alex.kanavin@gmail.com> -Date: Wed, 28 Aug 2019 19:18:14 +0200 -Subject: [PATCH] certdata2pem.py: use python3 - -Comments in that file imply it is already py3 compatible. - -Upstream-Status: Pending -Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> ---- - mozilla/Makefile | 2 +- - mozilla/certdata2pem.py | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/mozilla/Makefile b/mozilla/Makefile -index 6f46118..f98877c 100644 ---- a/mozilla/Makefile -+++ b/mozilla/Makefile -@@ -3,7 +3,7 @@ - # - - all: -- python certdata2pem.py -+ python3 certdata2pem.py - - clean: - -rm -f *.crt -diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py -index 0b02b2a..7d796f1 100644 ---- a/mozilla/certdata2pem.py -+++ b/mozilla/certdata2pem.py -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/python3 - # vim:set et sw=4: - # - # certdata2pem.py - splits certdata.txt into multiple files diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20200601.bb b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb index 6f39df7985..7dcc86fdc1 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20200601.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb 
@@ -14,7 +14,7 @@ DEPENDS_class-nativesdk = "openssl-native" # Need rehash from openssl and run-parts from debianutils PACKAGE_WRITE_DEPS += "openssl-native debianutils-native" -SRCREV = "b3a8980b781bc9a370e42714a605cd4191bb6c0b" +SRCREV = "181be7ebd169b4a6fb5d90c3e6dc791e90534144" SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \ file://0002-update-ca-certificates-use-SYSROOT.patch \ @@ -23,7 +23,6 @@ SRC_URI = "git://salsa.debian.org/debian/ca-certificates.git;protocol=https \ file://default-sysroot.patch \ file://sbindir.patch \ file://0003-update-ca-certificates-use-relative-symlinks-from-ET.patch \ - file://0001-certdata2pem.py-use-python3.patch \ " UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+)" @@ -84,8 +83,8 @@ do_install_append_class-native () { SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates } -RDEPENDS_${PN}_class-target = "openssl-bin" -RDEPENDS_${PN}_class-native = "openssl-native" -RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin" +RDEPENDS_${PN}_append_class-target = " openssl-bin openssl" +RDEPENDS_${PN}_append_class-native = " openssl-native" +RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl" BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-support/gpgme/gpgme_1.14.0.bb b/meta/recipes-support/gpgme/gpgme_1.14.0.bb index 9fa8212808..fb7215381c 100644 --- a/meta/recipes-support/gpgme/gpgme_1.14.0.bb +++ b/meta/recipes-support/gpgme/gpgme_1.14.0.bb @@ -48,7 +48,7 @@ DEFAULT_LANGUAGES_class-target = "cpp" LANGUAGES ?= "${DEFAULT_LANGUAGES} python" PYTHON_INHERIT = "${@bb.utils.contains('PACKAGECONFIG', 'python2', 'pythonnative', '', d)}" -PYTHON_INHERIT .= "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native', '', d)}" +PYTHON_INHERIT .= "${@bb.utils.contains('PACKAGECONFIG', 'python3', 'python3native python3targetconfig', '', d)}" EXTRA_OECONF += '--enable-languages="${LANGUAGES}" \ --disable-gpgconf-test \ 
diff --git a/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb b/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb index 9d02f5c794..0b4582b202 100644 --- a/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb +++ b/meta/recipes-support/iso-codes/iso-codes_4.5.0.bb @@ -5,7 +5,7 @@ BUGTRACKER = "https://salsa.debian.org/iso-codes-team/iso-codes/issues" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" -SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=http;branch=main;" +SRC_URI = "git://salsa.debian.org/iso-codes-team/iso-codes.git;protocol=https;branch=main;" SRCREV = "a36019e5014bff251f83d522ddcfebaecf52afd3" # inherit gettext cannot be used, because it adds gettext-native to BASEDEPENDS which diff --git a/meta/recipes-support/libcroco/files/CVE-2020-12825.patch b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch new file mode 100644 index 0000000000..42f92e3607 --- /dev/null +++ b/meta/recipes-support/libcroco/files/CVE-2020-12825.patch 
@@ -0,0 +1,192 @@ +From fdf78a4877afa987ba646a8779b513f258e6d04c Mon Sep 17 00:00:00 2001 +From: Michael Catanzaro <mcatanzaro@gnome.org> +Date: Fri, 31 Jul 2020 15:21:53 -0500 +Subject: [PATCH] libcroco: Limit recursion in block and any productions + + (CVE-2020-12825) + +If we don't have any limits, we can recurse forever and overflow the +stack. + +Fixes #8 +This is per https://gitlab.gnome.org/Archive/libcroco/-/issues/8 + +https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1404 + +CVE: CVE-2020-12825 +Upstream-Status: Backport [https://gitlab.gnome.org/Archive/libcroco/-/commit/6eb257e5c731c691eb137fca94e916ca73941a5a] +Comment: No refreshing changes done. +Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com> + +--- + src/cr-parser.c | 44 +++++++++++++++++++++++++++++--------------- + 1 file changed, 29 insertions(+), 15 deletions(-) + +diff --git a/src/cr-parser.c b/src/cr-parser.c +index 18c9a01..f4a62e3 100644 +--- a/src/cr-parser.c ++++ b/src/cr-parser.c +@@ -136,6 +136,8 @@ struct _CRParserPriv { + + #define CHARS_TAB_SIZE 12 + ++#define RECURSIVE_CALLERS_LIMIT 100 ++ + /** + * IS_NUM: + *@a_char: the char to test. 
+@@ -344,9 +346,11 @@ static enum CRStatus cr_parser_parse_selector_core (CRParser * a_this); + + static enum CRStatus cr_parser_parse_declaration_core (CRParser * a_this); + +-static enum CRStatus cr_parser_parse_any_core (CRParser * a_this); ++static enum CRStatus cr_parser_parse_any_core (CRParser * a_this, ++ guint n_calls); + +-static enum CRStatus cr_parser_parse_block_core (CRParser * a_this); ++static enum CRStatus cr_parser_parse_block_core (CRParser * a_this, ++ guint n_calls); + + static enum CRStatus cr_parser_parse_value_core (CRParser * a_this); + +@@ -784,7 +788,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) + cr_parser_try_to_skip_spaces_and_comments (a_this); + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + } while (status == CR_OK); + + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, +@@ -795,7 +799,7 @@ cr_parser_parse_atrule_core (CRParser * a_this) + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, + token); + token = NULL; +- status = cr_parser_parse_block_core (a_this); ++ status = cr_parser_parse_block_core (a_this, 0); + CHECK_PARSING_STATUS (status, + FALSE); + goto done; +@@ -930,11 +934,11 @@ cr_parser_parse_selector_core (CRParser * a_this) + + RECORD_INITIAL_POS (a_this, &init_pos); + +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + CHECK_PARSING_STATUS (status, FALSE); + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + + } while (status == CR_OK); + +@@ -956,10 +960,12 @@ cr_parser_parse_selector_core (CRParser * a_this) + *in chapter 4.1 of the css2 spec. + *block ::= '{' S* [ any | block | ATKEYWORD S* | ';' ]* '}' S*; + *@param a_this the current instance of #CRParser. ++ *@param n_calls used to limit recursion depth + *FIXME: code this function. 
+ */ + static enum CRStatus +-cr_parser_parse_block_core (CRParser * a_this) ++cr_parser_parse_block_core (CRParser * a_this, ++ guint n_calls) + { + CRToken *token = NULL; + CRInputPos init_pos; +@@ -967,6 +973,9 @@ cr_parser_parse_block_core (CRParser * a_this) + + g_return_val_if_fail (a_this && PRIVATE (a_this), CR_BAD_PARAM_ERROR); + ++ if (n_calls > RECURSIVE_CALLERS_LIMIT) ++ return CR_ERROR; ++ + RECORD_INITIAL_POS (a_this, &init_pos); + + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token); +@@ -996,13 +1005,13 @@ cr_parser_parse_block_core (CRParser * a_this) + } else if (token->type == CBO_TK) { + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token); + token = NULL; +- status = cr_parser_parse_block_core (a_this); ++ status = cr_parser_parse_block_core (a_this, n_calls + 1); + CHECK_PARSING_STATUS (status, FALSE); + goto parse_block_content; + } else { + cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, token); + token = NULL; +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + CHECK_PARSING_STATUS (status, FALSE); + goto parse_block_content; + } +@@ -1109,7 +1118,7 @@ cr_parser_parse_value_core (CRParser * a_this) + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, + token); + token = NULL; +- status = cr_parser_parse_block_core (a_this); ++ status = cr_parser_parse_block_core (a_this, 0); + CHECK_PARSING_STATUS (status, FALSE); + ref++; + goto continue_parsing; +@@ -1123,7 +1132,7 @@ cr_parser_parse_value_core (CRParser * a_this) + status = cr_tknzr_unget_token (PRIVATE (a_this)->tknzr, + token); + token = NULL; +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, 0); + if (status == CR_OK) { + ref++; + goto continue_parsing; +@@ -1162,10 +1171,12 @@ cr_parser_parse_value_core (CRParser * a_this) + * | FUNCTION | DASHMATCH | '(' any* ')' | '[' any* ']' ] S*; + * + *@param a_this the current instance of #CRParser. 
++ *@param n_calls used to limit recursion depth + *@return CR_OK upon successfull completion, an error code otherwise. + */ + static enum CRStatus +-cr_parser_parse_any_core (CRParser * a_this) ++cr_parser_parse_any_core (CRParser * a_this, ++ guint n_calls) + { + CRToken *token1 = NULL, + *token2 = NULL; +@@ -1174,6 +1185,9 @@ cr_parser_parse_any_core (CRParser * a_this) + + g_return_val_if_fail (a_this, CR_BAD_PARAM_ERROR); + ++ if (n_calls > RECURSIVE_CALLERS_LIMIT) ++ return CR_ERROR; ++ + RECORD_INITIAL_POS (a_this, &init_pos); + + status = cr_tknzr_get_next_token (PRIVATE (a_this)->tknzr, &token1); +@@ -1212,7 +1226,7 @@ cr_parser_parse_any_core (CRParser * a_this) + *We consider parameter as being an "any*" production. + */ + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + } while (status == CR_OK); + + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); +@@ -1237,7 +1251,7 @@ cr_parser_parse_any_core (CRParser * a_this) + } + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + } while (status == CR_OK); + + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); +@@ -1265,7 +1279,7 @@ cr_parser_parse_any_core (CRParser * a_this) + } + + do { +- status = cr_parser_parse_any_core (a_this); ++ status = cr_parser_parse_any_core (a_this, n_calls + 1); + } while (status == CR_OK); + + ENSURE_PARSING_COND (status == CR_PARSING_ERROR); diff --git a/meta/recipes-support/libcroco/libcroco_0.6.13.bb b/meta/recipes-support/libcroco/libcroco_0.6.13.bb index 9171a9de5c..a443ff23fe 100644 --- a/meta/recipes-support/libcroco/libcroco_0.6.13.bb +++ b/meta/recipes-support/libcroco/libcroco_0.6.13.bb 
@@ -18,3 +18,6 @@ inherit gnomebase gtk-doc binconfig-disabled
 SRC_URI[archive.md5sum] = "c80c5a8385011a0260dce6bd0da93dce"
 SRC_URI[archive.sha256sum] = "767ec234ae7aa684695b3a735548224888132e063f92db585759b422570621d4"
+
+SRC_URI +="file://CVE-2020-12825.patch \
+"
diff --git a/meta/recipes-support/libevdev/libevdev/determinism.patch b/meta/recipes-support/libevdev/libevdev/determinism.patch
index f6b7fc82d3..71cbd876eb 100644
--- a/meta/recipes-support/libevdev/libevdev/determinism.patch
+++ b/meta/recipes-support/libevdev/libevdev/determinism.patch
@@ -9,7 +9,8 @@ Sort to remove this inconsistency.
 RP 2020/2/7
 Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Upstream-Status: Pending
+Submitted: https://lists.freedesktop.org/archives/input-tools/2021-February/001560.html
+Upstream-Status: Backport [https://gitlab.freedesktop.org/libevdev/libevdev/-/commit/8d70f449892c6f7659e07bb0f06b8347677bb7d8]
 ---
 libevdev/make-event-names.py | 6 +++---
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
index ac09417e89..832d07d515 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.6.bb
@@ -28,6 +28,9 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
 "
 SRC_URI[sha256sum] = "0cba2700617b99fc33864a0c16b1fa7fdf9781d9ed3509f5d767178e5fd7b975"
+# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
+CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
+
 BINCONFIG = "${bindir}/libgcrypt-config"
 inherit autotools texinfo binconfig-disabled pkgconfig
diff --git a/meta/recipes-support/p11-kit/p11-kit_0.23.21.bb b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb
index b1fd2334b2..c539ecdbc6 100644
--- a/meta/recipes-support/p11-kit/p11-kit_0.23.21.bb
+++ b/meta/recipes-support/p11-kit/p11-kit_0.23.22.bb
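Review bot: The new SRC_URI line is written as `SRC_URI +="file://CVE-2020-12825.patch \` followed by a lone `"`, which differs from the spacing and layout used by the other assignments in this recipe; for a single entry, `SRC_URI += "file://CVE-2020-12825.patch"` on one line is clearer and avoids a needless continuation. The patch filename carrying the CVE identifier is what lets cve-check's patch scan credit the fix, so it should stay exactly as named.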
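Review bot: The comment above CVE_CHECK_WHITELIST asserts that CVE-2018-12433 and CVE-2018-12438 are disputed but cites nothing, so a later reader cannot re-evaluate whether suppressing them from cve-check reports is still justified. Whitelisting is a security-relevant decision and should carry its evidence; I would replace the comment with `# CVE-2018-12433 and CVE-2018-12438 are disputed upstream (see <REFERENCE-URL>); excluded from cve-check, revisit if the dispute is resolved.` with the placeholder filled in from the analysis the author relied on.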
@@ -2,17 +2,18 @@ SUMMARY = "Provides a way to load and enumerate PKCS#11 modules"
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=02933887f609807fbb57aa4237d14a50"
-inherit meson gettext pkgconfig gtk-doc bash-completion
+inherit meson gettext pkgconfig gtk-doc bash-completion manpages
 DEPENDS = "libtasn1 libtasn1-native libffi"
 DEPENDS_append = "${@' glib-2.0' if d.getVar('GTKDOC_ENABLED') == 'True' else ''}"
-SRC_URI = "git://github.com/p11-glue/p11-kit"
-SRCREV = "fd8b56f3ee971f94dc6fc95411fc01e1c12153ab"
+SRC_URI = "git://github.com/p11-glue/p11-kit;branch=0.23"
+SRCREV = "bd97afbfe28d5fbbde95ce36ff7a8834fc0291ee"
 S = "${WORKDIR}/git"
 PACKAGECONFIG ??= ""
+PACKAGECONFIG[manpages] = "-Dman=true,-Dman=false,libxslt-native"
 PACKAGECONFIG[trust-paths] = "-Dtrust_paths=/etc/ssl/certs/ca-certificates.crt,,,ca-certificates"
 GTKDOC_MESON_OPTION = 'gtk_doc'
diff --git a/meta/recipes-support/vim/files/racefix.patch b/meta/recipes-support/vim/files/racefix.patch
new file mode 100644
index 0000000000..48dca44cad
--- /dev/null
+++ b/meta/recipes-support/vim/files/racefix.patch
@@ -0,0 +1,33 @@
+The creation of the LINGUAS file is duplicated for each desktop file
+which can lead the commands to race against each other. Rework
+the makefile to avoid this as the expense of leaving the file on disk.
+
+Upstream-Status: Pending
+RP 2021/2/15
+
+Index: git/src/po/Makefile
+===================================================================
+--- git.orig/src/po/Makefile
++++ git/src/po/Makefile
+@@ -165,17 +165,16 @@ $(PACKAGE).pot: ../*.c ../if_perl.xs ../
+ po/gvim.desktop.in po/vim.desktop.in
+ mv -f ../$(PACKAGE).po $(PACKAGE).pot
+ 
+-vim.desktop: vim.desktop.in $(POFILES)
++LINGUAS:
+ echo $(LANGUAGES) | tr " " "\n" |sed -e '/\./d' | sort > LINGUAS
++
++vim.desktop: vim.desktop.in $(POFILES) LINGUAS
+ $(MSGFMT) --desktop -d . --template vim.desktop.in -o tmp_vim.desktop
+- rm -f LINGUAS
+ if command -v desktop-file-validate; then desktop-file-validate tmp_vim.desktop; fi
+ mv tmp_vim.desktop vim.desktop
+ 
+-gvim.desktop: gvim.desktop.in $(POFILES)
+- echo $(LANGUAGES) | tr " " "\n" |sed -e '/\./d' | sort > LINGUAS
++gvim.desktop: gvim.desktop.in $(POFILES) LINGUAS
+ $(MSGFMT) --desktop -d . --template gvim.desktop.in -o tmp_gvim.desktop
+- rm -f LINGUAS
+ if command -v desktop-file-validate; then desktop-file-validate tmp_gvim.desktop; fi
+ mv tmp_gvim.desktop gvim.desktop
+ 
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 4d2886c19e..d57f784da5 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -12,6 +12,7 @@ SRC_URI = "git://github.com/vim/vim.git \
 file://vim-add-knob-whether-elf.h-are-checked.patch \
 file://0001-src-Makefile-improve-reproducibility.patch \
 file://no-path-adjust.patch \
+ file://racefix.patch \
 "
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
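Review bot: The new `LINGUAS:` rule has no prerequisites, so once the file exists make never regenerates it, and a change to `$(LANGUAGES)` after a first build leaves a stale LINGUAS that both desktop targets then consume; the `rm -f LINGUAS` lines this patch removes previously masked that by forcing a rebuild every time. Making the rule depend on the Makefile that defines the list, `LINGUAS: Makefile`, keeps the file current without reintroducing the race between the two desktop targets. If the po Makefile is itself generated from a template, the dependency should name that template instead, which I cannot see from here.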
@@ -68,8 +69,10 @@ EXTRA_OECONF = " \
 --disable-gtktest \
 --disable-xim \
 --disable-netbeans \
+ --disable-desktop-database-update \
 --with-tlib=ncurses \
 ac_cv_small_wchar_t=no \
+ ac_cv_path_GLIB_COMPILE_RESOURCES=no \
 vim_cv_getcwd_broken=no \
 vim_cv_memmove_handles_overlap=yes \
 vim_cv_stat_ignores_slash=no \
diff --git a/scripts/contrib/documentation-audit.sh b/scripts/contrib/documentation-audit.sh
index 1191f57a8e..f436f9bae0 100755
--- a/scripts/contrib/documentation-audit.sh
+++ b/scripts/contrib/documentation-audit.sh
@@ -27,7 +27,7 @@ fi
 echo "REMINDER: you need to build for MACHINE=qemux86 or you won't get useful results"
 echo "REMINDER: you need to set LICENSE_FLAGS_WHITELIST appropriately in local.conf or "
-echo " you'll get false positives. For example, LICENSE_FLAGS_WHITELIST = \"Commercial\""
+echo " you'll get false positives. For example, LICENSE_FLAGS_WHITELIST = \"commercial\""
 for pkg in `bitbake -s | awk '{ print \$1 }'`; do
 if [[ "$pkg" == "Loading" || "$pkg" == "Loaded" ||
diff --git a/scripts/lib/devtool/standard.py b/scripts/lib/devtool/standard.py
index f7d8a82117..f364a45283 100644
--- a/scripts/lib/devtool/standard.py
+++ b/scripts/lib/devtool/standard.py
@@ -474,7 +474,11 @@ def symlink_oelocal_files_srctree(rd,srctree):
 destpth = os.path.join(srctree, relpth, fn)
 if os.path.exists(destpth):
 os.unlink(destpth)
- os.symlink('oe-local-files/%s' % fn, destpth)
+ if relpth != '.':
+ back_relpth = os.path.relpath(local_files_dir, root)
+ os.symlink('%s/oe-local-files/%s/%s' % (back_relpth, relpth, fn), destpth)
+ else:
+ os.symlink('oe-local-files/%s' % fn, destpth)
 addfiles.append(os.path.join(relpth, fn))
 if addfiles:
 bb.process.run('git add %s' % ' '.join(addfiles), cwd=srctree)
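Review bot: The two new EXTRA_OECONF entries carry no explanation. `ac_cv_path_GLIB_COMPILE_RESOURCES=no` pre-seeds an autoconf cache variable so configure never searches PATH for that tool, which presumably is meant to stop a host-installed glib-compile-resources from leaking into the build, and `--disable-desktop-database-update` similarly keeps the install step from touching host state; neither intent is recoverable from the recipe. A short comment before the EXTRA_OECONF assignment, `# Never probe the host for glib-compile-resources and never update the host desktop database`, would record it. The EXTRA_OECONF assignment begins before this hunk.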
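Review bot: In the new `relpth != '.'` branch the symlink target is assembled with a `'%s/oe-local-files/%s/%s' %` format while the `destpth` line just above uses `os.path.join`, and `back_relpth` is recomputed for every file although it depends only on `root`. Writing the target as `os.path.join(back_relpth, 'oe-local-files', relpth, fn)` keeps the path handling in this function uniform. `local_files_dir` and `root` are bound outside the hunk; the `..` prefix that `os.path.relpath` yields is only correct if `root` is the directory currently being walked beneath `local_files_dir`, which I am assuming from the names. symlink_oelocal_files_srctree starts before the hunk.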
@@ -949,12 +953,17 @@ def modify(args, config, basepath, workspace):
 if bb.data.inherits_class('kernel', rd):
 f.write('SRCTREECOVEREDTASKS = "do_validate_branches do_kernel_checkout '
- 'do_fetch do_unpack do_kernel_configme do_kernel_configcheck"\n')
+ 'do_fetch do_unpack do_kernel_configcheck"\n')
 f.write('\ndo_patch[noexec] = "1"\n')
 f.write('\ndo_configure_append() {\n'
 ' cp ${B}/.config ${S}/.config.baseline\n'
 ' ln -sfT ${B}/.config ${S}/.config.new\n'
 '}\n')
+ f.write('\ndo_kernel_configme_prepend() {\n'
+ ' if [ -e ${S}/.config ]; then\n'
+ ' mv ${S}/.config ${S}/.config.old\n'
+ ' fi\n'
+ '}\n')
 if rd.getVarFlag('do_menuconfig','task'):
 f.write('\ndo_configure_append() {\n'
 ' if [ ! ${DEVTOOL_DISABLE_MENUCONFIG} ]; then\n'
diff --git a/scripts/lib/recipetool/create_npm.py b/scripts/lib/recipetool/create_npm.py
index 579b7ae48a..2bcae91dfa 100644
--- a/scripts/lib/recipetool/create_npm.py
+++ b/scripts/lib/recipetool/create_npm.py
@@ -204,6 +204,9 @@ class NpmRecipeHandler(RecipeHandler):
 self._run_npm_install(d, srctree, registry, dev)
 shrinkwrap_file = self._generate_shrinkwrap(d, srctree, dev)
+ with open(shrinkwrap_file, "r") as f:
+ shrinkwrap = json.load(f)
+
 if os.path.exists(lock_copy):
 bb.utils.movefile(lock_copy, lock_file)
@@ -226,7 +229,8 @@ class NpmRecipeHandler(RecipeHandler):
 value = origvalue.replace("version=" + data["version"], "version=${PV}")
 value = value.replace("version=latest", "version=${PV}")
 values = [line.strip() for line in value.strip('\n').splitlines()]
- values.append(url_recipe)
+ if "dependencies" in shrinkwrap:
+ values.append(url_recipe)
 return values, None, 4, False
 (_, newlines) = bb.utils.edit_metadata(lines_before, ["SRC_URI"], _handle_srcuri)
diff --git a/scripts/lib/wic/canned-wks/common.wks.inc b/scripts/lib/wic/canned-wks/common.wks.inc
index 89880b417b..4fd29fa8c1 100644
--- a/scripts/lib/wic/canned-wks/common.wks.inc
+++ b/scripts/lib/wic/canned-wks/common.wks.inc
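Review bot: `open(shrinkwrap_file, "r")` in the first create_npm.py hunk relies on the locale's default encoding; the shrinkwrap is JSON emitted by npm, so `with open(shrinkwrap_file, "r", encoding="utf-8") as f:` avoids a decode failure under a non-UTF-8 locale. The loaded dict is consumed only by the `"dependencies" in shrinkwrap` test in the second hunk, inside the nested `_handle_srcuri` callback, so a malformed file now aborts recipe creation with a bare JSONDecodeError that does not name the file; catching that error around the load and re-raising with `shrinkwrap_file` in the message would make the failure legible. This assumes `json` is already imported at module level, which is outside the hunk.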
@@ -1,3 +1,3 @@
 # This file is included into 3 canned wks files from this directory
 part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --use-uuid --fstype=ext4 --label platform --align 1024
+part / --source rootfs --use-uuid --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024
diff --git a/scripts/lib/wic/canned-wks/directdisk-gpt.wks b/scripts/lib/wic/canned-wks/directdisk-gpt.wks
index 8d7d8de6ea..cf16c0c30b 100644
--- a/scripts/lib/wic/canned-wks/directdisk-gpt.wks
+++ b/scripts/lib/wic/canned-wks/directdisk-gpt.wks
@@ -4,7 +4,7 @@
 part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
 bootloader --ptable gpt --timeout=0 --append="rootwait rootfstype=ext4 video=vesafb vga=0x318 console=tty0 console=ttyS0,115200n8"
diff --git a/scripts/lib/wic/canned-wks/mkefidisk.wks b/scripts/lib/wic/canned-wks/mkefidisk.wks
index 9f534fe184..d1878e23e5 100644
--- a/scripts/lib/wic/canned-wks/mkefidisk.wks
+++ b/scripts/lib/wic/canned-wks/mkefidisk.wks
@@ -4,7 +4,7 @@
 part /boot --source bootimg-efi --sourceparams="loader=grub-efi" --ondisk sda --label msdos --active --align 1024
-part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
 part swap --ondisk sda --size 44 --label swap1 --fstype=swap
diff --git a/scripts/lib/wic/misc.py b/scripts/lib/wic/misc.py
index 75b219cd3f..57c042c503 100644
--- a/scripts/lib/wic/misc.py
+++ b/scripts/lib/wic/misc.py
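Review bot: The added `--mkfs-extraopts "-T default"` is unexplained, and this file's only comment says it is shared by three canned wks files, so the reason will be lost on anyone copying the line. Read together with the partition.py change in this commit, which warns when an ext4 inode size is below 256 bytes, the option appears intended to keep mke2fs from selecting its small-filesystem usage profile (128-byte inodes) for a small rootfs, so that the image gets 256-byte inodes and Y2038-safe timestamps; that is an inference from the rest of the diff. A second comment line, `# -T default: use mke2fs's default profile (256-byte inodes) so ext4 timestamps are Y2038-safe`, would make the dependency explicit. The same option is added to directdisk-gpt.wks and mkefidisk.wks below.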
@@ -26,6 +26,7 @@ logger = logging.getLogger('wic')
 # executable -> recipe pairs for exec_native_cmd
 NATIVE_RECIPES = {"bmaptool": "bmap-tools",
+ "dumpe2fs": "e2fsprogs",
 "grub-mkimage": "grub-efi",
 "isohybrid": "syslinux",
 "mcopy": "mtools",
diff --git a/scripts/lib/wic/partition.py b/scripts/lib/wic/partition.py
index e574f40c47..85f9847047 100644
--- a/scripts/lib/wic/partition.py
+++ b/scripts/lib/wic/partition.py
@@ -298,6 +298,8 @@ class Partition():
 mkfs_cmd = "fsck.%s -pvfD %s" % (self.fstype, rootfs)
 exec_native_cmd(mkfs_cmd, native_sysroot, pseudo=pseudo)
+ self.check_for_Y2038_problem(rootfs, native_sysroot)
+
 def prepare_rootfs_btrfs(self, rootfs, cr_workdir, oe_builddir, rootfs_dir,
 native_sysroot, pseudo):
 """
@@ -388,6 +390,8 @@ class Partition():
 (self.fstype, extraopts, label_str, self.fsuuid, rootfs)
 exec_native_cmd(mkfs_cmd, native_sysroot)
+ self.check_for_Y2038_problem(rootfs, native_sysroot)
+
 def prepare_empty_partition_btrfs(self, rootfs, oe_builddir,
 native_sysroot):
 """
@@ -449,3 +453,37 @@ class Partition():
 mkswap_cmd = "mkswap %s -U %s %s" % (label_str, self.fsuuid, path)
 exec_native_cmd(mkswap_cmd, native_sysroot)
+
+ def check_for_Y2038_problem(self, rootfs, native_sysroot):
+ """
+ Check if the filesystem is affected by the Y2038 problem
+ (Y2038 problem = 32 bit time_t overflow in January 2038)
+ """
+ def get_err_str(part):
+ err = "The {} filesystem {} has no Y2038 support."
+ if part.mountpoint:
+ args = [part.fstype, "mounted at %s" % part.mountpoint]
+ elif part.label:
+ args = [part.fstype, "labeled '%s'" % part.label]
+ elif part.part_name:
+ args = [part.fstype, "in partition '%s'" % part.part_name]
+ else:
+ args = [part.fstype, "in partition %s" % part.num]
+ return err.format(*args)
+
+ # ext2 and ext3 are always affected by the Y2038 problem
+ if self.fstype in ["ext2", "ext3"]:
+ logger.warn(get_err_str(self))
+ return
+
+ ret, out = exec_native_cmd("dumpe2fs %s" % rootfs, native_sysroot)
+
+ # if ext4 is affected by the Y2038 problem depends on the inode size
+ for line in out.splitlines():
+ if line.startswith("Inode size:"):
+ size = int(line.split(":")[1].strip())
+ if size < 256:
+ logger.warn("%s Inodes (of size %d) are too small." %
+ (get_err_str(self), size))
+ break
+
diff --git a/scripts/lib/wic/plugins/imager/direct.py b/scripts/lib/wic/plugins/imager/direct.py
index 7e1c1c03ab..ea709e8c54 100644
--- a/scripts/lib/wic/plugins/imager/direct.py
+++ b/scripts/lib/wic/plugins/imager/direct.py
@@ -54,6 +54,7 @@ class DirectPlugin(ImagerPlugin):
 self.native_sysroot = native_sysroot
 self.oe_builddir = oe_builddir
+ self.debug = options.debug
 self.outdir = options.outdir
 self.compressor = options.compressor
 self.bmap = options.bmap
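Review bot: `ret` from `exec_native_cmd("dumpe2fs %s" % rootfs, native_sysroot)` is never examined in check_for_Y2038_problem, so if dumpe2fs fails the loop simply finds no `Inode size:` line and the check passes silently, which is the opposite of what a safety check should do; add `if ret: logger.warning("dumpe2fs failed on %s, cannot check Y2038 support", rootfs); return` before the parse, unless exec_native_cmd (defined outside this diff) already raises on a non-zero exit, in which case `ret` is dead and should be dropped. Both warning calls use `logger.warn`, the deprecated alias of `logger.warning`. The method is invoked unconditionally from prepare_rootfs_ext and prepare_empty_partition_ext in the earlier hunks, so it relies on those paths only ever seeing ext2/ext3/ext4, which I am assuming from their names.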
@@ -274,8 +275,9 @@ class DirectPlugin(ImagerPlugin):
 if os.path.isfile(path):
 shutil.move(path, os.path.join(self.outdir, fname))
- # remove work directory
- shutil.rmtree(self.workdir, ignore_errors=True)
+ # remove work directory when it is not in debugging mode
+ if not self.debug:
+ shutil.rmtree(self.workdir, ignore_errors=True)
 # Overhead of the MBR partitioning scheme (just one sector)
 MBR_OVERHEAD = 1
diff --git a/scripts/oe-pkgdata-util b/scripts/oe-pkgdata-util
index 93220e3617..75dd23efa3 100755
--- a/scripts/oe-pkgdata-util
+++ b/scripts/oe-pkgdata-util
@@ -598,6 +598,9 @@ def main():
 logger.error("Unable to find bitbake by searching parent directory of this script or PATH")
 sys.exit(1)
 logger.debug('Found bitbake path: %s' % bitbakepath)
+ if not os.environ.get('BUILDDIR', ''):
+ logger.error("This script can only be run after initialising the build environment (e.g. by using oe-init-build-env)")
+ sys.exit(1)
 tinfoil = tinfoil_init()
 try:
 args.pkgdata_dir = tinfoil.config_data.getVar('PKGDATA_DIR')
diff --git a/scripts/runqemu b/scripts/runqemu
index e5e66f3453..b80fec1c99 100755
--- a/scripts/runqemu
+++ b/scripts/runqemu
@@ -1340,6 +1340,8 @@ class BaseConfig(object):
 for ovmf in self.ovmf_bios:
 format = ovmf.rsplit('.', 1)[-1]
+ if format == "bin":
+ format = "raw"
 self.qemu_opt += ' -drive if=pflash,format=%s,file=%s' % (format, ovmf)
 self.qemu_opt += ' ' + self.qemu_opt_script
diff --git a/scripts/verify-bashisms b/scripts/verify-bashisms
index fb0cc719ea..14d8c298e9 100755
--- a/scripts/verify-bashisms
+++ b/scripts/verify-bashisms
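Review bot: With debug enabled the work directory is now left behind, but nothing tells the user where it is, and the whole point of retaining it is inspection. An `else:` branch with `logger.debug("Keeping work directory %s for inspection", self.workdir)` would close that gap; I am assuming the module's logger is named `logger`, which is not visible in the hunk. The enclosing method starts before the hunk.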
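Review bot: Only the `bin` suffix is translated to qemu's `raw` driver; any other suffix on an entry of self.ovmf_bios is still passed verbatim as the `format=` value, which qemu rejects unless the suffix happens to be a real format name. If the intent is an extension-to-format mapping, a small table states the rule and is easier to extend, e.g. `format = {"bin": "raw"}.get(format, format)` in place of the two added lines; which suffixes can actually reach this loop is not visible from the hunk. (`format` shadows the builtin, but that predates this change.)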
@@ -100,7 +100,7 @@ if __name__=='__main__':
 args = parser.parse_args()
 if shutil.which("checkbashisms.pl") is None:
- print("Cannot find checkbashisms.pl on $PATH, get it from https://anonscm.debian.org/cgit/collab-maint/devscripts.git/plain/scripts/checkbashisms.pl")
+ print("Cannot find checkbashisms.pl on $PATH, get it from https://salsa.debian.org/debian/devscripts/raw/master/scripts/checkbashisms.pl")
 sys.exit(1)
 # The order of defining the worker function,
diff --git a/scripts/yocto-check-layer b/scripts/yocto-check-layer
index b7c83c8b54..deba3cb4f8 100755
--- a/scripts/yocto-check-layer
+++ b/scripts/yocto-check-layer
@@ -138,6 +138,9 @@ def main():
 layer['type'] == LayerType.ERROR_BSP_DISTRO:
 continue
+ # Reset to a clean backup copy for each run
+ shutil.copyfile(bblayersconf + '.backup', bblayersconf)
+
 if check_bblayers(bblayersconf, layer['path'], logger):
 logger.info("%s already in %s. To capture initial signatures, layer under test should not present "
 "in BBLAYERS. Please remove %s from BBLAYERS." % (layer['name'], bblayersconf, layer['name'])) |