55 files changed, 1098 insertions, 91 deletions
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass index 3a6780da34..726f17a946 100644 --- a/meta/classes/buildhistory.bbclass +++ b/meta/classes/buildhistory.bbclass @@ -674,13 +674,16 @@ IMAGE_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_imageinfo" POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_list_installed_sdk_target;" POPULATE_SDK_POST_TARGET_COMMAND_append = " buildhistory_get_sdk_installed_target;" POPULATE_SDK_POST_TARGET_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_target;| buildhistory_get_sdk_installed_target;" +POPULATE_SDK_POST_TARGET_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_target buildhistory_get_sdk_installed_target" POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_list_installed_sdk_host;" POPULATE_SDK_POST_HOST_COMMAND_append = " buildhistory_get_sdk_installed_host;" POPULATE_SDK_POST_HOST_COMMAND[vardepvalueexclude] .= "| buildhistory_list_installed_sdk_host;| buildhistory_get_sdk_installed_host;" +POPULATE_SDK_POST_HOST_COMMAND[vardepsexclude] += "buildhistory_list_installed_sdk_host buildhistory_get_sdk_installed_host" SDK_POSTPROCESS_COMMAND_append = " buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; " SDK_POSTPROCESS_COMMAND[vardepvalueexclude] .= "| buildhistory_get_sdkinfo ; buildhistory_get_extra_sdkinfo; " +SDK_POSTPROCESS_COMMAND[vardepsexclude] += "buildhistory_get_sdkinfo buildhistory_get_extra_sdkinfo" python buildhistory_write_sigs() { if not "task" in (d.getVar('BUILDHISTORY_FEATURES') or "").split(): diff --git a/meta/classes/devshell.bbclass b/meta/classes/devshell.bbclass index fdf7dc100f..76dd0b42ee 100644 --- a/meta/classes/devshell.bbclass +++ b/meta/classes/devshell.bbclass @@ -128,6 +128,7 @@ def devpyshell(d): more = i.runsource(source, "<pyshell>") if not more: buf = [] + sys.stderr.flush() prompt(more) except KeyboardInterrupt: i.write("\nKeyboardInterrupt\n") 
diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass index c7b2bf2f49..3d6b80bee2 100644 --- a/meta/classes/externalsrc.bbclass +++ b/meta/classes/externalsrc.bbclass @@ -220,11 +220,12 @@ def srctree_hash_files(d, srcdir=None): submodule_helper = subprocess.check_output(['git', 'submodule--helper', 'list'], cwd=s_dir, env=env).decode("utf-8") for line in submodule_helper.splitlines(): module_dir = os.path.join(s_dir, line.rsplit(maxsplit=1)[1]) - proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) - proc.communicate() - proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL) - stdout, _ = proc.communicate() - git_sha1 += stdout.decode("utf-8") + if os.path.isdir(module_dir): + proc = subprocess.Popen(['git', 'add', '-A', '.'], cwd=module_dir, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) + proc.communicate() + proc = subprocess.Popen(['git', 'write-tree'], cwd=module_dir, env=env, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL) + stdout, _ = proc.communicate() + git_sha1 += stdout.decode("utf-8") sha1 = hashlib.sha1(git_sha1.encode("utf-8")).hexdigest() with open(oe_hash_file, 'w') as fobj: fobj.write(sha1) diff --git a/meta/classes/image-live.bbclass b/meta/classes/image-live.bbclass index 9ea5ddc312..47c44b4aad 100644 --- a/meta/classes/image-live.bbclass +++ b/meta/classes/image-live.bbclass @@ -30,7 +30,7 @@ do_bootimg[depends] += "dosfstools-native:do_populate_sysroot \ virtual/kernel:do_deploy \ ${MLPREFIX}syslinux:do_populate_sysroot \ syslinux-native:do_populate_sysroot \ - ${PN}:do_image_${@d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')} \ + ${@'%s:do_image_%s' % (d.getVar('PN'), d.getVar('LIVE_ROOTFS_TYPE').replace('-', '_')) if d.getVar('ROOTFS') else ''} \ " diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index 60b07de221..2f1d5cfb46 100644 
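Review bot: Inside the new `if os.path.isdir(module_dir):` branch the exit status of both git commands is still ignored and their stderr goes to DEVNULL, so a `git write-tree` that fails in a submodule appends an empty string to `git_sha1` and the tree hash silently stops covering that submodule. Checking `proc.returncode` after each `communicate()`, or using `subprocess.check_output` as the `submodule--helper` call just above does, would surface the failure. A missing `module_dir` is now skipped without any message; an `else:` with a `bb.debug` line naming the skipped path would help when a hash unexpectedly fails to change. srctree_hash_files starts and ends outside the hunk.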
--- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass @@ -112,7 +112,7 @@ def rootfs_command_variables(d): 'IMAGE_PREPROCESS_COMMAND','RPM_PREPROCESS_COMMANDS','RPM_POSTPROCESS_COMMANDS','DEB_PREPROCESS_COMMANDS','DEB_POSTPROCESS_COMMANDS'] python () { - variables = rootfs_command_variables(d) + sdk_command_variables(d) + variables = rootfs_command_variables(d) for var in variables: if d.getVar(var, False): d.setVarFlag(var, 'func', '1') diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass index c6dff9659c..44dbed875b 100644 --- a/meta/classes/insane.bbclass +++ b/meta/classes/insane.bbclass @@ -175,7 +175,7 @@ def package_qa_check_useless_rpaths(file, name, d, elf, messages): if rpath_eq(rpath, libdir) or rpath_eq(rpath, base_libdir): # The dynamic linker searches both these places anyway. There is no point in # looking there again. - package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d), rpath)) + package_qa_add_message(messages, "useless-rpaths", "%s: %s contains probably-redundant RPATH %s" % (name, package_qa_clean_path(file, d, name), rpath)) QAPATHTEST[dev-so] = "package_qa_check_dev" def package_qa_check_dev(path, name, d, elf, messages): @@ -184,8 +184,8 @@ def package_qa_check_dev(path, name, d, elf, messages): """ if not name.endswith("-dev") and not name.endswith("-dbg") and not name.endswith("-ptest") and not name.startswith("nativesdk-") and path.endswith(".so") and os.path.islink(path): - package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package contains symlink .so: %s path '%s'" % \ - (name, package_qa_clean_path(path,d))) + package_qa_add_message(messages, "dev-so", "non -dev/-dbg/nativesdk- package %s contains symlink .so '%s'" % \ + (name, package_qa_clean_path(path, d, name))) QAPATHTEST[dev-elf] = "package_qa_check_dev_elf" def package_qa_check_dev_elf(path, name, d, elf, messages): 
@@ -195,8 +195,8 @@ def package_qa_check_dev_elf(path, name, d, elf, messages): install link-time .so files that are linker scripts. """ if name.endswith("-dev") and path.endswith(".so") and not os.path.islink(path) and elf: - package_qa_add_message(messages, "dev-elf", "-dev package contains non-symlink .so: %s path '%s'" % \ - (name, package_qa_clean_path(path,d))) + package_qa_add_message(messages, "dev-elf", "-dev package %s contains non-symlink .so '%s'" % \ + (name, package_qa_clean_path(path, d, name))) QAPATHTEST[staticdev] = "package_qa_check_staticdev" def package_qa_check_staticdev(path, name, d, elf, messages): @@ -209,7 +209,7 @@ def package_qa_check_staticdev(path, name, d, elf, messages): if not name.endswith("-pic") and not name.endswith("-staticdev") and not name.endswith("-ptest") and path.endswith(".a") and not path.endswith("_nonshared.a") and not '/usr/lib/debug-static/' in path and not '/.debug-static/' in path: package_qa_add_message(messages, "staticdev", "non -staticdev package contains static .a library: %s path '%s'" % \ - (name, package_qa_clean_path(path,d))) + (name, package_qa_clean_path(path,d, name))) QAPATHTEST[mime] = "package_qa_check_mime" def package_qa_check_mime(path, name, d, elf, messages): diff --git a/meta/classes/kernel-devicetree.bbclass b/meta/classes/kernel-devicetree.bbclass index 81dda8003f..3c5def1041 100644 --- a/meta/classes/kernel-devicetree.bbclass +++ b/meta/classes/kernel-devicetree.bbclass 
@@ -1,8 +1,11 @@ # Support for device tree generation -PACKAGES_append = " \ - ${KERNEL_PACKAGE_NAME}-devicetree \ - ${@[d.getVar('KERNEL_PACKAGE_NAME') + '-image-zimage-bundle', ''][d.getVar('KERNEL_DEVICETREE_BUNDLE') != '1']} \ -" +python () { + if not bb.data.inherits_class('nopackages', d): + d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-devicetree") + if d.getVar('KERNEL_DEVICETREE_BUNDLE') == '1': + d.appendVar("PACKAGES", " ${KERNEL_PACKAGE_NAME}-image-zimage-bundle") +} + FILES_${KERNEL_PACKAGE_NAME}-devicetree = "/${KERNEL_IMAGEDEST}/*.dtb /${KERNEL_IMAGEDEST}/*.dtbo" FILES_${KERNEL_PACKAGE_NAME}-image-zimage-bundle = "/${KERNEL_IMAGEDEST}/zImage-*.dtb.bin" diff --git a/meta/classes/kernel.bbclass b/meta/classes/kernel.bbclass index f405b6e523..b03a286ed4 100644 --- a/meta/classes/kernel.bbclass +++ b/meta/classes/kernel.bbclass @@ -90,6 +90,8 @@ python __anonymous () { imagedest = d.getVar('KERNEL_IMAGEDEST') for type in types.split(): + if bb.data.inherits_class('nopackages', d): + continue typelower = type.lower() d.appendVar('PACKAGES', ' %s-image-%s' % (kname, typelower)) d.setVar('FILES_' + kname + '-image-' + typelower, '/' + imagedest + '/' + type + '-${KERNEL_VERSION_NAME}' + ' /' + imagedest + '/' + type) diff --git a/meta/classes/populate_sdk_base.bbclass b/meta/classes/populate_sdk_base.bbclass index 942d3ec091..635b3a6b80 100644 --- a/meta/classes/populate_sdk_base.bbclass +++ b/meta/classes/populate_sdk_base.bbclass @@ -329,6 +329,13 @@ def sdk_variables(d): do_populate_sdk[vardeps] += "${@sdk_variables(d)}" +python () { + variables = sdk_command_variables(d) + for var in variables: + if d.getVar(var, False): + d.setVarFlag(var, 'func', '1') +} + do_populate_sdk[file-checksums] += "${TOOLCHAIN_SHAR_REL_TMPL}:True \ ${TOOLCHAIN_SHAR_EXT_TMPL}:True" diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass index 9112ab6c5e..14689ec6ac 100644 --- a/meta/classes/populate_sdk_ext.bbclass 
+++ b/meta/classes/populate_sdk_ext.bbclass @@ -251,7 +251,9 @@ python copy_buildsystem () { # Create a layer for new recipes / appends bbpath = d.getVar('BBPATH') - bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')]) + env = os.environ.copy() + env['PYTHONDONTWRITEBYTECODE'] = '1' + bb.process.run(['devtool', '--bbpath', bbpath, '--basepath', baseoutpath, 'create-workspace', '--create-only', os.path.join(baseoutpath, 'workspace')], env=env) # Create bblayers.conf bb.utils.mkdirhier(baseoutpath + '/conf') diff --git a/meta/classes/sanity.bbclass b/meta/classes/sanity.bbclass index 01c5434f0d..03a9792f68 100644 --- a/meta/classes/sanity.bbclass +++ b/meta/classes/sanity.bbclass 
@@ -882,13 +882,18 @@ def check_sanity_everybuild(status, d): except: pass - oeroot = d.getVar('COREBASE') - if oeroot.find('+') != -1: - status.addresult("Error, you have an invalid character (+) in your COREBASE directory path. Please move the installation to a directory which doesn't include any + characters.") - if oeroot.find('@') != -1: - status.addresult("Error, you have an invalid character (@) in your COREBASE directory path. Please move the installation to a directory which doesn't include any @ characters.") - if oeroot.find(' ') != -1: - status.addresult("Error, you have a space in your COREBASE directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this.") + for checkdir in ['COREBASE', 'TMPDIR']: + val = d.getVar(checkdir) + if val.find('..') != -1: + status.addresult("Error, you have '..' in your %s directory path. Please ensure the variable contains an absolute path as this can break some recipe builds in obtuse ways." % checkdir) + if val.find('+') != -1: + status.addresult("Error, you have an invalid character (+) in your %s directory path. Please move the installation to a directory which doesn't include any + characters." % checkdir) + if val.find('@') != -1: + status.addresult("Error, you have an invalid character (@) in your %s directory path. Please move the installation to a directory which doesn't include any @ characters." % checkdir) + if val.find(' ') != -1: + status.addresult("Error, you have a space in your %s directory path. Please move the installation to a directory which doesn't include a space since autotools doesn't support this." % checkdir) + if val.find('%') != -1: + status.addresult("Error, you have an invalid character (%) in your %s directory path which causes problems with python string formatting. Please move the installation to a directory which doesn't include any % characters." 
% checkdir) # Check the format of MIRRORS, PREMIRRORS and SSTATE_MIRRORS import re diff --git a/meta/lib/oe/copy_buildsystem.py b/meta/lib/oe/copy_buildsystem.py index 31a84f5b06..d97bf9d1b9 100644 --- a/meta/lib/oe/copy_buildsystem.py +++ b/meta/lib/oe/copy_buildsystem.py @@ -20,7 +20,7 @@ def _smart_copy(src, dest): mode = os.stat(src).st_mode if stat.S_ISDIR(mode): bb.utils.mkdirhier(dest) - cmd = "tar --exclude='.git' --xattrs --xattrs-include='*' -chf - -C %s -p . \ + cmd = "tar --exclude='.git' --exclude='__pycache__' --xattrs --xattrs-include='*' -chf - -C %s -p . \ | tar --xattrs --xattrs-include='*' -xf - -C %s" % (src, dest) subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT) else: @@ -259,7 +259,7 @@ def create_locked_sstate_cache(lockedsigs, input_sstate_cache, output_sstate_cac bb.note('Generating sstate-cache...') nativelsbstring = d.getVar('NATIVELSBSTRING') - bb.process.run("gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or '')) + bb.process.run("PYTHONDONTWRITEBYTECODE=1 gen-lockedsig-cache %s %s %s %s %s" % (lockedsigs, input_sstate_cache, output_sstate_cache, nativelsbstring, filterfile or '')) if fixedlsbstring and nativelsbstring != fixedlsbstring: nativedir = output_sstate_cache + '/' + nativelsbstring if os.path.isdir(nativedir): @@ -286,7 +286,7 @@ def check_sstate_task_list(d, targets, filteroutfile, cmdprefix='', cwd=None, lo logparam = '-l %s' % logfile else: logparam = '' - cmd = "%sBB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam) + cmd = "%sPYTHONDONTWRITEBYTECODE=1 BB_SETSCENE_ENFORCE=1 PSEUDO_DISABLED=1 oe-check-sstate %s -s -o %s %s" % (cmdprefix, targets, filteroutfile, logparam) env = dict(d.getVar('BB_ORIGENV', False)) env.pop('BUILDDIR', '') env.pop('BBPATH', '') diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index ce755f940a..a1d7c292af 100644 
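Review bot: The new `%` check builds its message with the `%` operator while the literal text itself contains bare percent signs (`(%)` and `any % characters`), so when the check fires the formatting raises ValueError (unsupported format character) instead of reporting the bad path. Escape the literal ones as `%%`, i.e. `"... invalid character (%%) in your %s directory path ... include any %% characters." % checkdir`. Separately, `val = d.getVar(checkdir)` is used without a None check; if either variable can be unset at this point, `val = d.getVar(checkdir) or ""` keeps `val.find` from failing. check_sanity_everybuild starts and ends outside the hunk.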
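Review bot: In `_smart_copy` the edited command still interpolates `src` and `dest` unquoted into a string run with `shell=True`, so a path containing whitespace or shell metacharacters changes the pipeline; wrapping both in `shlex.quote(...)` in the `%` tuple would close that (whether the file already imports shlex is not visible here). The two later hunks prepend `PYTHONDONTWRITEBYTECODE=1` to command strings that are also built with `%s`, which only works while those strings go through a shell. populate_sdk_ext.bbclass in this same commit passes an `env=` dict with an argument list instead, and `check_sstate_task_list` already builds an `env` dict a few lines below, so `env['PYTHONDONTWRITEBYTECODE'] = '1'` there would be more consistent. All three functions continue outside their hunks.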
--- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -11,8 +11,13 @@ _Version = collections.namedtuple( class Version(): def __init__(self, version, suffix=None): + + suffixes = ["alphabetical", "patch"] + if str(suffix) == "alphabetical": version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" + elif str(suffix) == "patch": + version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" else: version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE) @@ -23,7 +28,7 @@ class Version(): self._version = _Version( release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")), - patch_l=match.group("patch_l") if str(suffix) == "alphabetical" and match.group("patch_l") else "", + patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "", pre_l=match.group("pre_l"), pre_v=match.group("pre_v") ) diff --git a/meta/lib/oe/package_manager/__init__.py b/meta/lib/oe/package_manager/__init__.py index 42225a3b2e..26f9f82aaa 100644 --- a/meta/lib/oe/package_manager/__init__.py +++ b/meta/lib/oe/package_manager/__init__.py @@ -189,7 +189,7 @@ class PackageManager(object, metaclass=ABCMeta): bb.utils.remove(self.intercepts_dir, True) bb.utils.mkdirhier(self.intercepts_dir) for intercept in postinst_intercepts: - bb.utils.copyfile(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept))) + shutil.copy(intercept, os.path.join(self.intercepts_dir, os.path.basename(intercept))) @abstractmethod def _handle_intercept_failure(self, failed_script): 
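Review bot: With `suffix="patch"` the `patch_l` group now captures digits (`[0-9]+`) but is still stored as a string, the same way the single letter of the alphabetical case is. If the comparison key, which is outside this hunk, compares `patch_l` as text, then `1.0p10` sorts below `1.0p9` and the CVE check can mis-order patch levels, reporting a fixed version as vulnerable or the reverse. Normalising the digits for this suffix (an integer or a zero-padded string, with the empty no-patch case handled) would avoid that. The new selftest only uses single-digit patch levels, so a case such as `Version("1.0p10","patch") > Version("1.0p9","patch")` is worth adding.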
diff --git a/meta/lib/oe/package_manager/deb/sdk.py b/meta/lib/oe/package_manager/deb/sdk.py index b25eb70b00..76548b06f0 100644 --- a/meta/lib/oe/package_manager/deb/sdk.py +++ b/meta/lib/oe/package_manager/deb/sdk.py @@ -65,6 +65,8 @@ class DpkgSdk(Sdk): self.target_pm.install_complementary(self.d.getVar('SDKIMAGE_INSTALL_COMPLEMENTARY')) + self.target_pm.run_pre_post_installs() + self.target_pm.run_intercepts(populate_sdk='target') execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_TARGET_COMMAND")) @@ -78,6 +80,8 @@ class DpkgSdk(Sdk): self._populate_sysroot(self.host_pm, self.host_manifest) self.install_locales(self.host_pm) + self.host_pm.run_pre_post_installs() + self.host_pm.run_intercepts(populate_sdk='host') execute_pre_post_process(self.d, self.d.getVar("POPULATE_SDK_POST_HOST_COMMAND")) diff --git a/meta/lib/oe/terminal.py b/meta/lib/oe/terminal.py index eb10a6e33e..2ac39df9e1 100644 --- a/meta/lib/oe/terminal.py +++ b/meta/lib/oe/terminal.py @@ -163,7 +163,12 @@ class Tmux(Terminal): # devshells, if it's already there, add a new window to it. window_name = 'devshell-%i' % os.getpid() - self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"'.format(window_name) + self.command = 'tmux new -c "{{cwd}}" -d -s {0} -n {0} "{{command}}"' + if not check_tmux_version('1.9'): + # `tmux new-session -c` was added in 1.9; + # older versions fail with that flag + self.command = 'tmux new -d -s {0} -n {0} "{{command}}"' + self.command = self.command.format(window_name) Terminal.__init__(self, sh_cmd, title, env, d) attach_cmd = 'tmux att -t {0}'.format(window_name) 
@@ -253,13 +258,18 @@ def spawn(name, sh_cmd, title=None, env=None, d=None): except OSError: return +def check_tmux_version(desired): + vernum = check_terminal_version("tmux") + if vernum and LooseVersion(vernum) < desired: + return False + return vernum + def check_tmux_pane_size(tmux): import subprocess as sub # On older tmux versions (<1.9), return false. The reason # is that there is no easy way to get the height of the active panel # on current window without nested formats (available from version 1.9) - vernum = check_terminal_version("tmux") - if vernum and LooseVersion(vernum) < '1.9': + if not check_tmux_version('1.9'): return False try: p = sub.Popen('%s list-panes -F "#{?pane_active,#{pane_height},}"' % tmux, diff --git a/meta/lib/oeqa/selftest/cases/buildoptions.py b/meta/lib/oeqa/selftest/cases/buildoptions.py index e91f0bd18f..b1b9ea7e55 100644 --- a/meta/lib/oeqa/selftest/cases/buildoptions.py +++ b/meta/lib/oeqa/selftest/cases/buildoptions.py 
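Review bot: `check_tmux_version` hands back whatever `check_terminal_version("tmux")` returned when the version is not below `desired`, so when the version cannot be determined (a falsy result) `not check_tmux_version('1.9')` is true and the caller treats tmux as older than 1.9. That changes `check_tmux_pane_size`, which previously went on to query the pane size when `vernum` was falsy, and in the other hunk of this file it makes `Tmux.__init__` drop `-c "{cwd}"`. If an unknown version should keep meaning "assume new enough", return an explicit boolean: `return not (vernum and LooseVersion(vernum) < desired)`. A one-line docstring stating the return contract would also help, since the function currently returns False, a version string, or the falsy value from the helper.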
@@ -57,15 +57,15 @@ class ImageOptionsTests(OESelftestTestCase): class DiskMonTest(OESelftestTestCase): def test_stoptask_behavior(self): - self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"') + self.write_config('BB_DISKMON_DIRS = "STOPTASKS,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"') res = bitbake("delay -c delay", ignore_status = True) self.assertTrue('ERROR: No new tasks can be executed since the disk space monitor action is "STOPTASKS"!' in res.output, msg = "Tasks should have stopped. Disk monitor is set to STOPTASK: %s" % res.output) self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output)) - self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"') + self.write_config('BB_DISKMON_DIRS = "ABORT,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"') res = bitbake("delay -c delay", ignore_status = True) self.assertTrue('ERROR: Immediately abort since the disk space monitor action is "ABORT"!' in res.output, "Tasks should have been aborted immediatelly. Disk monitor is set to ABORT: %s" % res.output) self.assertEqual(res.status, 1, msg = "bitbake reported exit code %s. It should have been 1. Bitbake output: %s" % (str(res.status), res.output)) - self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"') + self.write_config('BB_DISKMON_DIRS = "WARN,${TMPDIR},100000G,100K"\nBB_HEARTBEAT_EVENT = "1"') res = bitbake("delay -c delay") self.assertTrue('WARNING: The free space' in res.output, msg = "A warning should have been displayed for disk monitor is set to WARN: %s" %res.output) diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py index 3f343a2841..d1947baffc 100644 --- a/meta/lib/oeqa/selftest/cases/cve_check.py +++ b/meta/lib/oeqa/selftest/cases/cve_check.py 
@@ -34,3 +34,11 @@ class CVECheck(OESelftestTestCase): self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' < '1.0r'") result = Version("1.0b","alphabetical") > Version("1.0","alphabetical") self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' > '1.0'") + + # consider the trailing "p" and "patch" as patched released when comparing + result = Version("1.0","patch") < Version("1.0p1","patch") + self.assertTrue( result ,msg="Failed to compare version with suffix '1.0' < '1.0p1'") + result = Version("1.0p2","patch") > Version("1.0p1","patch") + self.assertTrue( result ,msg="Failed to compare version with suffix '1.0p2' > '1.0p1'") + result = Version("1.0_patch2","patch") < Version("1.0_patch3","patch") + self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'") diff --git a/meta/lib/oeqa/selftest/cases/wic.py b/meta/lib/oeqa/selftest/cases/wic.py index df2d2d225e..39c6828f59 100644 --- a/meta/lib/oeqa/selftest/cases/wic.py +++ b/meta/lib/oeqa/selftest/cases/wic.py 
@@ -979,14 +979,18 @@ class Wic2(WicTestCase): @only_for_arch(['i586', 'i686', 'x86_64']) def test_rawcopy_plugin_qemu(self): """Test rawcopy plugin in qemu""" - # build ext4 and wic images - for fstype in ("ext4", "wic"): - config = 'IMAGE_FSTYPES = "%s"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n' % fstype - self.append_config(config) - self.assertEqual(0, bitbake('core-image-minimal').status) - self.remove_config(config) + # build ext4 and then use it for a wic image + config = 'IMAGE_FSTYPES = "ext4"\n' + self.append_config(config) + self.assertEqual(0, bitbake('core-image-minimal').status) + self.remove_config(config) - with runqemu('core-image-minimal', ssh=False, image_fstype='wic') as qemu: + config = 'IMAGE_FSTYPES = "wic"\nWKS_FILE = "test_rawcopy_plugin.wks.in"\n' + self.append_config(config) + self.assertEqual(0, bitbake('core-image-minimal-mtdutils').status) + self.remove_config(config) + + with runqemu('core-image-minimal-mtdutils', ssh=False, image_fstype='wic') as qemu: cmd = "grep sda. /proc/partitions |wc -l" status, output = qemu.run_serial(cmd) self.assertEqual(1, status, 'Failed to run command "%s": %s' % (cmd, output)) diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1j.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb index f054d2fdba..5f281197c9 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1j.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1k.bb @@ -23,7 +23,7 @@ SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf" +SRC_URI[sha256sum] = "892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5" inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" 
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
new file mode 100644
index 0000000000..e2540fc26b
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2021-30004.patch
@@ -0,0 +1,123 @@ +From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sat, 13 Mar 2021 18:19:31 +0200 +Subject: [PATCH] ASN.1: Validate DigestAlgorithmIdentifier parameters + +The supported hash algorithms do not use AlgorithmIdentifier parameters. +However, there are implementations that include NULL parameters in +addition to ones that omit the parameters. Previous implementation did +not check the parameters value at all which supported both these cases, +but did not reject any other unexpected information. + +Use strict validation of digest algorithm parameters and reject any +unexpected value when validating a signature. This is needed to prevent +potential forging attacks. + +Signed-off-by: Jouni Malinen <j@w1.fi> + +Upstream-Status: Backport +CVE: CVE-2021-30004 + +Reference to upstream patch: +[https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15] + +Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com> +--- + src/tls/pkcs1.c | 21 +++++++++++++++++++++ + src/tls/x509v3.c | 20 ++++++++++++++++++++ + 2 files changed, 41 insertions(+) + +diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c +index 141ac50..e09db07 100644 +--- a/src/tls/pkcs1.c ++++ b/src/tls/pkcs1.c +@@ -240,6 +240,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo", ++ hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -261,6 +263,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -269,6 +273,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters", 
++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "PKCS #1: Unexpected digest algorithm parameters"); ++ os_free(decrypted); ++ return -1; ++ } + + if (!asn1_oid_equal(&oid, hash_alg)) { + char txt[100], txt2[100]; +diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c +index 1bd5aa0..bf2289f 100644 +--- a/src/tls/x509v3.c ++++ b/src/tls/x509v3.c +@@ -1834,6 +1834,7 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -1855,6 +1856,8 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -1862,6 +1865,23 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. 
++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "X509: Unexpected digest algorithm parameters"); ++ os_free(data); ++ return -1; ++ } + + if (x509_sha1_oid(&oid)) { + if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) { +-- +2.17.1 + diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb index 0f2b7407e9..915b326b81 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.9.bb @@ -31,6 +31,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch \ file://CVE-2021-0326.patch \ file://CVE-2021-27803.patch \ + file://CVE-2021-30004.patch \ " SRC_URI[md5sum] = "2d2958c782576dc9901092fbfecb4190" SRC_URI[sha256sum] = "fcbdee7b4a64bea8177973299c8c824419c413ec2e3a95db63dd6a5dc3541f17" diff --git a/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch new file mode 100644 index 0000000000..67c9f189cc --- /dev/null +++ b/meta/recipes-core/busybox/busybox/0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch 
@@ -0,0 +1,58 @@ +From fe791386ebc270219ca00406c9fdadc5130b64ee Mon Sep 17 00:00:00 2001 +From: Samuel Sapalski <samuel.sapalski@nokia.com> +Date: Wed, 3 Mar 2021 16:31:22 +0100 +Subject: [PATCH] decompress_gunzip: Fix DoS if gzip is corrupt + +On certain corrupt gzip files, huft_build will set the error bit on +the result pointer. If afterwards abort_unzip is called huft_free +might run into a segmentation fault or an invalid pointer to +free(p). + +In order to mitigate this, we check in huft_free if the error bit +is set and clear it before the linked list is freed. + +Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com> +Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com> +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> + +Upstream-Status: Backport +CVE: CVE-2021-28831 +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + archival/libarchive/decompress_gunzip.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c +index eb3b64930..e93cd5005 100644 +--- a/archival/libarchive/decompress_gunzip.c ++++ b/archival/libarchive/decompress_gunzip.c +@@ -220,10 +220,20 @@ static const uint8_t border[] ALIGN1 = { + * each table. + * t: table to free + */ ++#define BAD_HUFT(p) ((uintptr_t)(p) & 1) ++#define ERR_RET ((huft_t*)(uintptr_t)1) + static void huft_free(huft_t *p) + { + huft_t *q; + ++ /* ++ * If 'p' has the error bit set we have to clear it, otherwise we might run ++ * into a segmentation fault or an invalid pointer to free(p) ++ */ ++ if (BAD_HUFT(p)) { ++ p = (huft_t*)((uintptr_t)(p) ^ (uintptr_t)(ERR_RET)); ++ } ++ + /* Go through linked list, freeing from the malloced (t[-1]) address. 
*/ + while (p) { + q = (--p)->v.t; +@@ -289,8 +299,6 @@ static unsigned fill_bitbuffer(STATE_PARAM unsigned bitbuffer, unsigned *current + * or a valid pointer to a Huffman table, ORed with 0x1 if incompete table + * is given: "fixed inflate" decoder feeds us such data. + */ +-#define BAD_HUFT(p) ((uintptr_t)(p) & 1) +-#define ERR_RET ((huft_t*)(uintptr_t)1) + static huft_t* huft_build(const unsigned *b, const unsigned n, + const unsigned s, const struct cp_ext *cp_ext, + unsigned *m) diff --git a/meta/recipes-core/busybox/busybox_1.32.0.bb b/meta/recipes-core/busybox/busybox_1.32.0.bb index 8e23b0d4a2..b91f7cf711 100644 --- a/meta/recipes-core/busybox/busybox_1.32.0.bb +++ b/meta/recipes-core/busybox/busybox_1.32.0.bb @@ -46,7 +46,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://0001-hwclock-make-glibc-2.31-compatible.patch \ file://rev.cfg \ file://pgrep.cfg \ -" + file://0001-decompress_gunzip-Fix-DoS-if-gzip-is-corrupt.patch \ + " SRC_URI_append_libc-musl = " file://musl.cfg " SRC_URI[tarball.md5sum] = "9576986f1a960da471d03b72a62f13c7" diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index 586b2e207e..84d199bb1d 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.32/master" PV = "2.32" -SRCREV_glibc ?= "760e1d287825fa91d4d5a0cc921340c740d803e2" +SRCREV_glibc ?= "44b395932961a29825da4ad025124a6760858d9c" SRCREV_localedef ?= "bd644c9e6f3e20c5504da1488448173c69c56c28" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb index e4fe9b87b5..03aea52508 100644 --- a/meta/recipes-core/glibc/glibc_2.32.bb +++ b/meta/recipes-core/glibc/glibc_2.32.bb 
@@ -2,7 +2,7 @@ require glibc.inc require glibc-version.inc # whitelist CVE's with fixes in latest release/2.32/master branch -CVE_CHECK_WHITELIST += "CVE-2019-25013 CVE-2020-10029 CVE-2020-27618" +CVE_CHECK_WHITELIST += "CVE-2019-25013 CVE-2020-10029 CVE-2020-27618 CVE-2021-27645 CVE-2021-3326" DEPENDS += "gperf-native bison-native make-native" diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 15cb45e7a4..9e944a2534 100644 --- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb @@ -24,7 +24,7 @@ IMAGE_FSTYPES = "wic.vmdk" inherit core-image setuptools3 -SRCREV ?= "3bd4bf96cce57d3e9286f75c0f12c8b36d706a1c" +SRCREV ?= "79c4792da2b400431c09d9a2f53efd4443812281" SRC_URI = "git://git.yoctoproject.org/poky;branch=gatesgarth \ file://Yocto_Build_Appliance.vmx \ file://Yocto_Build_Appliance.vmxf \ diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index cf62e1e32c..b073936298 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -138,14 +138,24 @@ def parse_node_and_insert(c, node, cveId): for cpe in node.get('cpe_match', ()): if not cpe['vulnerable']: return - cpe23 = cpe['cpe23Uri'].split(':') + cpe23 = cpe.get('cpe23Uri') + if not cpe23: + return + cpe23 = cpe23.split(':') + if len(cpe23) < 6: + return vendor = cpe23[3] product = cpe23[4] version = cpe23[5] + if cpe23[6] == '*' or cpe23[6] == '-': + version_suffix = "" + else: + version_suffix = "_" + cpe23[6] + if version != '*' and version != '-': # Version is defined, this is a '=' match - yield [cveId, vendor, product, version, '=', '', ''] + yield [cveId, vendor, product, version + version_suffix, '=', '', ''] elif version == '-': # no version information is available yield [cveId, vendor, product, version, '', '', ''] 
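Review bot: The new length guard in `parse_node_and_insert` is one short: it returns when `len(cpe23) < 6`, but the added `version_suffix` code reads `cpe23[6]`. A `cpe23Uri` with exactly six colon-separated fields therefore passes the guard and raises `IndexError` while the CVE feed is being parsed; the guard should be `if len(cpe23) < 7:`. The added early exits also use `return`, which ends the generator for the whole node instead of skipping the one malformed entry; `continue` would keep the remaining `cpe_match` entries. The pre-existing `vulnerable` check behaves the same way, and the rest of the function lies outside the hunk.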
diff --git a/meta/recipes-devtools/binutils/binutils-2.35.1.inc b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
index 775af2b8f2..6290d5b191 100644
--- a/meta/recipes-devtools/binutils/binutils-2.35.1.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.35.1.inc
@@ -44,5 +44,6 @@ SRC_URI = "\
 file://0017-gas-improve-reproducibility-for-stabs-debugging-data.patch \
 file://0001-aarch64-Return-an-error-on-conditional-branch-to-an-.patch \
 file://CVE-2020-35448.patch \
+ file://0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch b/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch
new file mode 100644
index 0000000000..f46415f440
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0001-gold-ensure-file_counts_lock-is-initialized-before-u.patch
@@ -0,0 +1,41 @@ +From de24fc96bf24fca470a9ca13176ad9ad9cc4d5a9 Mon Sep 17 00:00:00 2001 +From: Nick Gasson <nick.gasson@arm.com> +Date: Mon, 2 Nov 2020 12:02:05 +0800 +Subject: [PATCH] gold: ensure file_counts_lock is initialized before using + +Since upgrading to binutils 2.35 I've been experiencing random memory +corruption related crashes with ld.gold --threads. It's caused by +multiple threads concurrently pushing elements onto the shared +std::vector in File_read::record_file_read(). This vector is supposed to +be protected by file_counts_lock, but that is initialized lazily and +might be NULL when File_read::open() is called, in which case +Hold_optional_lock silently skips locking it. + +Fix by calling the initialize() method before attempting to acquire the +lock, the same as other places that use file_counts_lock. + + PR 26827 + * fileread.cc (File_read::open): Ensure file_counts_lock is + initialized. + * testsuite/Makefile.am (check_PROGRAMS): Add a test that passes + -Wl,--threads. + * testsuite/Makefile.in: Regenerate. + +Upstream-Status: Backport [af61e84fd2d from 2.36.0] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> +--- + gold/fileread.cc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/gold/fileread.cc b/gold/fileread.cc +index f5ca719360d..0b5228e2afd 100644 +--- a/gold/fileread.cc ++++ b/gold/fileread.cc +@@ -212,6 +212,7 @@ File_read::open(const Task* task, const std::string& name) + gold_debug(DEBUG_FILES, "Attempt to open %s succeeded", + this->name_.c_str()); + this->token_.add_writer(task); ++ file_counts_initialize_lock.initialize(); + Hold_optional_lock hl(file_counts_lock); + record_file_read(this->name_); + } diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc index 586a305b27..3e78254eec 100644 --- a/meta/recipes-devtools/git/git.inc +++ b/meta/recipes-devtools/git/git.inc 
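Review bot: The commit message kept in this patch lists three ChangeLog entries, including a `testsuite/Makefile.am` test that passes `-Wl,--threads`, but the diffstat and the single hunk touch only `gold/fileread.cc`. If the test was left out of the backport on purpose, the header should say so, for example with a line such as `Testsuite changes from the upstream commit are omitted in this backport.` below `Upstream-Status`. As far as this patch shows, the locking fix in `File_read::open` is carried without the regression test for the threaded case that the message describes.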
@@ -8,7 +8,9 @@ PROVIDES_append_class-native = " git-replacement-native" SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ ${KERNELORG_MIRROR}/software/scm/git/git-manpages-${PV}.tar.gz;name=manpages \ - file://fixsort.patch" + file://fixsort.patch \ + file://CVE-2021-21300.patch \ +" S = "${WORKDIR}/git-${PV}" diff --git a/meta/recipes-devtools/git/git/CVE-2021-21300.patch b/meta/recipes-devtools/git/git/CVE-2021-21300.patch new file mode 100644 index 0000000000..390570fe78 --- /dev/null +++ b/meta/recipes-devtools/git/git/CVE-2021-21300.patch 
@@ -0,0 +1,304 @@ +From ba07d31bd2140190c4d8c197c9b8a503544b4c29 Mon Sep 17 00:00:00 2001 +From: Minjae Kim <flowrgom@gmail.com> +Date: Sat, 27 Mar 2021 14:05:56 +0900 +Subject: [PATCH] checkout: fix bug that makes checkout follow symlinks in + leading path + +Before checking out a file, we have to confirm that all of its leading +components are real existing directories. And to reduce the number of +lstat() calls in this process, we cache the last leading path known to +contain only directories. However, when a path collision occurs (e.g. +when checking out case-sensitive files in case-insensitive file +systems), a cached path might have its file type changed on disk, +leaving the cache on an invalid state. Normally, this doesn't bring +any bad consequences as we usually check out files in index order, and +therefore, by the time the cached path becomes outdated, we no longer +need it anyway (because all files in that directory would have already +been written). + +But, there are some users of the checkout machinery that do not always +follow the index order. In particular: checkout-index writes the paths +in the same order that they appear on the CLI (or stdin); and the +delayed checkout feature -- used when a long-running filter process +replies with "status=delayed" -- postpones the checkout of some entries, +thus modifying the checkout order. + +When we have to check out an out-of-order entry and the lstat() cache is +invalid (due to a previous path collision), checkout_entry() may end up +using the invalid data and thrusting that the leading components are +real directories when, in reality, they are not. In the best case +scenario, where the directory was replaced by a regular file, the user +will get an error: "fatal: unable to create file 'foo/bar': Not a +directory". But if the directory was replaced by a symlink, checkout +could actually end up following the symlink and writing the file at a +wrong place, even outside the repository. 
Since delayed checkout is +affected by this bug, it could be used by an attacker to write +arbitrary files during the clone of a maliciously crafted repository. + +Some candidate solutions considered were to disable the lstat() cache +during unordered checkouts or sort the entries before passing them to +the checkout machinery. But both ideas include some performance penalty +and they don't future-proof the code against new unordered use cases. + +Instead, we now manually reset the lstat cache whenever we successfully +remove a directory. Note: We are not even checking whether the directory +was the same as the lstat cache points to because we might face a +scenario where the paths refer to the same location but differ due to +case folding, precomposed UTF-8 issues, or the presence of `..` +components in the path. Two regression tests, with case-collisions and +utf8-collisions, are also added for both checkout-index and delayed +checkout. + +Note: to make the previously mentioned clone attack unfeasible, it would +be sufficient to reset the lstat cache only after the remove_subtree() +call inside checkout_entry(). This is the place where we would remove a +directory whose path collides with the path of another entry that we are +currently trying to check out (possibly a symlink). However, in the +interest of a thorough fix that does not leave Git open to +similar-but-not-identical attack vectors, we decided to intercept +all `rmdir()` calls in one fell swoop. + +This addresses CVE-2021-21300. 
+ +Co-authored-by: Johannes Schindelin <johannes.schindelin@gmx.de> +Signed-off-by: Matheus Tavares <matheus.bernardino@usp.br> + +Upstream-Status: Acepted [https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592] +CVE: CVE-2021-21300 +Signed-off-by: Minjae Kim <flowergom@gmail.com> +--- + cache.h | 1 + + compat/mingw.c | 2 ++ + git-compat-util.h | 5 +++++ + symlinks.c | 24 ++++++++++++++++++++ + t/t0021-conversion.sh | 39 ++++++++++++++++++++++++++++++++ + t/t0021/rot13-filter.pl | 21 ++++++++++++++--- + t/t2006-checkout-index-basic.sh | 40 +++++++++++++++++++++++++++++++++ + 7 files changed, 129 insertions(+), 3 deletions(-) + +diff --git a/cache.h b/cache.h +index 6544264..64226c3 100644 +--- a/cache.h ++++ b/cache.h +@@ -1733,6 +1733,7 @@ int has_symlink_leading_path(const char *name, int len); + int threaded_has_symlink_leading_path(struct cache_def *, const char *, int); + int check_leading_path(const char *name, int len); + int has_dirs_only_path(const char *name, int len, int prefix_len); ++extern void invalidate_lstat_cache(void); + void schedule_dir_for_removal(const char *name, int len); + void remove_scheduled_dirs(void); + +diff --git a/compat/mingw.c b/compat/mingw.c +index 8ee0b64..be2b88e 100644 +--- a/compat/mingw.c ++++ b/compat/mingw.c +@@ -364,6 +364,8 @@ int mingw_rmdir(const char *pathname) + ask_yes_no_if_possible("Deletion of directory '%s' failed. 
" + "Should I try again?", pathname)) + ret = _wrmdir(wpathname); ++ if (!ret) ++ invalidate_lstat_cache(); + return ret; + } + +diff --git a/git-compat-util.h b/git-compat-util.h +index 5637114..d983853 100644 +--- a/git-compat-util.h ++++ b/git-compat-util.h +@@ -345,6 +345,11 @@ static inline int noop_core_config(const char *var, const char *value, void *cb) + #define platform_core_config noop_core_config + #endif + ++int lstat_cache_aware_rmdir(const char *path); ++#if !defined(__MINGW32__) && !defined(_MSC_VER) ++#define rmdir lstat_cache_aware_rmdir ++#endif ++ + #ifndef has_dos_drive_prefix + static inline int git_has_dos_drive_prefix(const char *path) + { +diff --git a/symlinks.c b/symlinks.c +index 69d458a..7dbb6b2 100644 +--- a/symlinks.c ++++ b/symlinks.c +@@ -267,6 +267,13 @@ int has_dirs_only_path(const char *name, int len, int prefix_len) + */ + static int threaded_has_dirs_only_path(struct cache_def *cache, const char *name, int len, int prefix_len) + { ++ /* ++ * Note: this function is used by the checkout machinery, which also ++ * takes care to properly reset the cache when it performs an operation ++ * that would leave the cache outdated. If this function starts caching ++ * anything else besides FL_DIR, remember to also invalidate the cache ++ * when creating or deleting paths that might be in the cache. 
++ */ + return lstat_cache(cache, name, len, + FL_DIR|FL_FULLPATH, prefix_len) & + FL_DIR; +@@ -321,3 +328,20 @@ void remove_scheduled_dirs(void) + { + do_remove_scheduled_dirs(0); + } ++ ++void invalidate_lstat_cache(void) ++{ ++ reset_lstat_cache(&default_cache); ++} ++ ++#undef rmdir ++int lstat_cache_aware_rmdir(const char *path) ++{ ++ /* Any change in this function must be made also in `mingw_rmdir()` */ ++ int ret = rmdir(path); ++ ++ if (!ret) ++ invalidate_lstat_cache(); ++ ++ return ret; ++} +diff --git a/t/t0021-conversion.sh b/t/t0021-conversion.sh +index 4bfffa9..c42f51e 100755 +--- a/t/t0021-conversion.sh ++++ b/t/t0021-conversion.sh +@@ -957,4 +957,43 @@ test_expect_success PERL 'invalid file in delayed checkout' ' + grep "error: external filter .* signaled that .unfiltered. is now available although it has not been delayed earlier" git-stderr.log + ' + ++for mode in 'case' 'utf-8' ++do ++ case "$mode" in ++ case) dir='A' symlink='a' mode_prereq='CASE_INSENSITIVE_FS' ;; ++ utf-8) ++ dir=$(printf "\141\314\210") symlink=$(printf "\303\244") ++ mode_prereq='UTF8_NFD_TO_NFC' ;; ++ esac ++ ++ test_expect_success PERL,SYMLINKS,$mode_prereq \ ++ "delayed checkout with $mode-collision don't write to the wrong place" ' ++ test_config_global filter.delay.process \ ++ "\"$TEST_ROOT/rot13-filter.pl\" --always-delay delayed.log clean smudge delay" && ++ test_config_global filter.delay.required true && ++ git init $mode-collision && ++ ( ++ cd $mode-collision && ++ mkdir target-dir && ++ empty_oid=$(printf "" | git hash-object -w --stdin) && ++ symlink_oid=$(printf "%s" "$PWD/target-dir" | git hash-object -w --stdin) && ++ attr_oid=$(echo "$dir/z filter=delay" | git hash-object -w --stdin) && ++ cat >objs <<-EOF && ++ 100644 blob $empty_oid $dir/x ++ 100644 blob $empty_oid $dir/y ++ 100644 blob $empty_oid $dir/z ++ 120000 blob $symlink_oid $symlink ++ 100644 blob $attr_oid .gitattributes ++ EOF ++ git update-index --index-info <objs && ++ git commit -m "test 
commit" ++ ) && ++ git clone $mode-collision $mode-collision-cloned && ++ # Make sure z was really delayed ++ grep "IN: smudge $dir/z .* \\[DELAYED\\]" $mode-collision-cloned/delayed.log && ++ # Should not create $dir/z at $symlink/z ++ test_path_is_missing $mode-collision/target-dir/z ++ ' ++done ++ + test_done +diff --git a/t/t0021/rot13-filter.pl b/t/t0021/rot13-filter.pl +index cd32a82..7bb9376 100644 +--- a/t/t0021/rot13-filter.pl ++++ b/t/t0021/rot13-filter.pl +@@ -2,9 +2,15 @@ + # Example implementation for the Git filter protocol version 2 + # See Documentation/gitattributes.txt, section "Filter Protocol" + # +-# The first argument defines a debug log file that the script write to. +-# All remaining arguments define a list of supported protocol +-# capabilities ("clean", "smudge", etc). ++# Usage: rot13-filter.pl [--always-delay] <log path> <capabilities> ++# ++# Log path defines a debug log file that the script writes to. The ++# subsequent arguments define a list of supported protocol capabilities ++# ("clean", "smudge", etc). ++# ++# When --always-delay is given all pathnames with the "can-delay" flag ++# that don't appear on the list bellow are delayed with a count of 1 ++# (see more below). 
+ # + # This implementation supports special test cases: + # (1) If data with the pathname "clean-write-fail.r" is processed with +@@ -53,6 +59,13 @@ sub gitperllib { + use Git::Packet; + + my $MAX_PACKET_CONTENT_SIZE = 65516; ++ ++my $always_delay = 0; ++if ( $ARGV[0] eq '--always-delay' ) { ++ $always_delay = 1; ++ shift @ARGV; ++} ++ + my $log_file = shift @ARGV; + my @capabilities = @ARGV; + +@@ -134,6 +147,8 @@ sub rot13 { + if ( $buffer eq "can-delay=1" ) { + if ( exists $DELAY{$pathname} and $DELAY{$pathname}{"requested"} == 0 ) { + $DELAY{$pathname}{"requested"} = 1; ++ } elsif ( !exists $DELAY{$pathname} and $always_delay ) { ++ $DELAY{$pathname} = { "requested" => 1, "count" => 1 }; + } + } elsif ($buffer =~ /^(ref|treeish|blob)=/) { + print $debug " $buffer"; +diff --git a/t/t2006-checkout-index-basic.sh b/t/t2006-checkout-index-basic.sh +index 57cbdfe..f223a02 100755 +--- a/t/t2006-checkout-index-basic.sh ++++ b/t/t2006-checkout-index-basic.sh +@@ -21,4 +21,44 @@ test_expect_success 'checkout-index -h in broken repository' ' + test_i18ngrep "[Uu]sage" broken/usage + ' + ++for mode in 'case' 'utf-8' ++do ++ case "$mode" in ++ case) dir='A' symlink='a' mode_prereq='CASE_INSENSITIVE_FS' ;; ++ utf-8) ++ dir=$(printf "\141\314\210") symlink=$(printf "\303\244") ++ mode_prereq='UTF8_NFD_TO_NFC' ;; ++ esac ++ ++ test_expect_success SYMLINKS,$mode_prereq \ ++ "checkout-index with $mode-collision don't write to the wrong place" ' ++ git init $mode-collision && ++ ( ++ cd $mode-collision && ++ mkdir target-dir && ++ empty_obj_hex=$(git hash-object -w --stdin </dev/null) && ++ symlink_hex=$(printf "%s" "$PWD/target-dir" | git hash-object -w --stdin) && ++ cat >objs <<-EOF && ++ 100644 blob ${empty_obj_hex} ${dir}/x ++ 100644 blob ${empty_obj_hex} ${dir}/y ++ 100644 blob ${empty_obj_hex} ${dir}/z ++ 120000 blob ${symlink_hex} ${symlink} ++ EOF ++ git update-index --index-info <objs && ++ # Note: the order is important here to exercise the ++ # case where the file 
at ${dir} has its type changed by ++ # the time Git tries to check out ${dir}/z. ++ # ++ # Also, we use core.precomposeUnicode=false because we ++ # want Git to treat the UTF-8 paths transparently on ++ # Mac OS, matching what is in the index. ++ # ++ git -c core.precomposeUnicode=false checkout-index -f \ ++ ${dir}/x ${dir}/y ${symlink} ${dir}/z && ++ # Should not create ${dir}/z at ${symlink}/z ++ test_path_is_missing target-dir/z ++ ) ++ ' ++done ++ + test_done +-- +2.17.1 + diff --git a/meta/recipes-devtools/libtool/libtool-2.4.6.inc b/meta/recipes-devtools/libtool/libtool-2.4.6.inc index 8e17b56d46..19a03d4733 100644 --- a/meta/recipes-devtools/libtool/libtool-2.4.6.inc +++ b/meta/recipes-devtools/libtool/libtool-2.4.6.inc @@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/libtool/libtool-${PV}.tar.gz \ file://unwind-opt-parsing.patch \ file://0001-libtool-Fix-support-for-NIOS2-processor.patch \ file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \ + file://0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch \ " SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e" diff --git a/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch new file mode 100644 index 0000000000..2e9908725e --- /dev/null +++ b/meta/recipes-devtools/libtool/libtool/0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch 
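Review bot: The provenance fields in the header of CVE-2021-21300.patch disagree with each other: `From:` gives `flowrgom@gmail.com` while the closing `Signed-off-by:` for the same name gives `flowergom@gmail.com`. `From:` also appears to name the backporter, although the retained `Signed-off-by: Matheus Tavares` line and the linked upstream commit point to a different original author. For a fix of this kind (checkout writing outside the repository), the header should keep the upstream author in `From:` and use one consistent address for the backporter's sign-off, so that the patch can be traced back without guessing.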
@@ -0,0 +1,35 @@ +From dfbbbd359e43e0a55fbea06f2647279ad8761cb9 Mon Sep 17 00:00:00 2001 +From: Mingli Yu <mingli.yu@windriver.com> +Date: Wed, 24 Mar 2021 03:04:13 +0000 +Subject: [PATCH] Makefile.am: make sure autoheader run before autoconf + +autoheader will update ../libtool-2.4.6/libltdl/config-h.in which +autoconf needs, so there comes a race sometimes as below: + | configure.ac:45: error: required file 'config-h.in' not found + | touch '../libtool-2.4.6/libltdl/config-h.in' + +So make sure autoheader run before autoconf to avoid this race. + +Upstream-Status: Submitted [libtool-patches@gnu.org maillist] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.am b/Makefile.am +index 4142c90..fe1a9fc 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -365,7 +365,7 @@ lt_configure_deps = $(lt_aclocal_m4) $(lt_aclocal_m4_deps) + $(lt_aclocal_m4): $(lt_aclocal_m4_deps) + $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(ACLOCAL) -I ../m4 + +-$(lt_configure): $(lt_configure_deps) ++$(lt_configure): $(lt_configure_deps) $(lt_config_h_in) + $(AM_V_GEN)cd '$(srcdir)/$(ltdl_dir)' && $(AUTOCONF) + + $(lt_config_h_in): $(lt_configure_deps) +-- +2.29.2 + diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb index 17bd02c27c..4eab133128 100644 --- a/meta/recipes-devtools/pseudo/pseudo_git.bb +++ b/meta/recipes-devtools/pseudo/pseudo_git.bb @@ -6,7 +6,7 @@ SRC_URI = "git://git.yoctoproject.org/pseudo;branch=oe-core \ file://fallback-group \ " -SRCREV = "60e25a36558f1f07dcce1a044fe976b475bec42b" +SRCREV = "ee24ebec9e5a11dd5208c9be2870f35eab3b9e20" S = "${WORKDIR}/git" PV = "1.9.0+git${SRCPV}" 
diff --git a/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch new file mode 100644 index 0000000000..2d51ddf965 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch @@ -0,0 +1,31 @@ +From fbe85634d88e82fbb439ae2a5d1aca8b8c309bea Mon Sep 17 00:00:00 2001 +From: Matt McCutchen <matt@mattmccutchen.net> +Date: Wed, 26 Aug 2020 12:16:08 -0400 +Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using + openssl. + +CVE: CVE-2020-14387 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c3f7414] + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + rsync-ssl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rsync-ssl b/rsync-ssl +index 8101975..46701af 100755 +--- a/rsync-ssl ++++ b/rsync-ssl +@@ -129,7 +129,7 @@ function rsync_ssl_helper { + fi + + if [[ $RSYNC_SSL_TYPE == openssl ]]; then +- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port ++ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port + elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then + exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port + else +-- +2.17.1 + diff --git a/meta/recipes-devtools/rsync/rsync_3.2.3.bb b/meta/recipes-devtools/rsync/rsync_3.2.3.bb index e6a3a67881..df4fbbd0d2 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.3.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.3.bb 
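Review bot: Adding `-verify_hostname $hostname` makes `s_client` check the certificate name, but `s_client` only drops the connection on a verification failure when `-verify_return_error` is in effect. On this command line that option can only arrive through `$caopt`, which is set outside the hunk. Confirm that every branch that fills `$caopt` includes it, or add it here: `-servername $hostname -verify_return_error -verify_hostname $hostname -connect $hostname:$port`. Without it, a name mismatch would presumably be reported at most as a message while the session continues. `rsync_ssl_helper` starts and ends outside the hunk.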
@@ -13,6 +13,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://rsyncd.conf \ file://makefile-no-rebuild.patch \ file://determism.patch \ + file://0001-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch \ " SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e" diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts index f84a7e18c8..95dccb9cae 100755 --- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts +++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts @@ -72,12 +72,12 @@ exec_postinst_scriptlets() { else echo "ERROR: postinst $i failed." [ "$POSTINST_LOGGING" = "1" ] && eval echo "ERROR: postinst $i failed." $append_log - remove_pi_dir=0 + remove_rcsd_link=0 fi done } -remove_pi_dir=1 +remove_rcsd_link=1 if $pm_installed; then case $pm in "ipk") @@ -92,9 +92,7 @@ else exec_postinst_scriptlets fi -# since all postinstalls executed successfully, remove the postinstalls directory -# and the rcS.d link -if [ $remove_pi_dir = 1 ]; then - rm -rf $pi_dir +# since all postinstalls executed successfully, remove the rcS.d link +if [ $remove_rcsd_link = 1 ]; then remove_rcsd_link fi diff --git a/meta/recipes-extended/sudo/sudo.inc b/meta/recipes-extended/sudo/sudo.inc index 86a18be7e2..8b50f5eee5 100644 --- a/meta/recipes-extended/sudo/sudo.inc +++ b/meta/recipes-extended/sudo/sudo.inc @@ -49,3 +49,5 @@ do_compile_prepend () { do_install_prepend (){ mkdir -p ${D}/${localstatedir}/lib } + +CVE_VERSION_SUFFIX = "patch" diff --git a/meta/recipes-extended/tar/tar/CVE-2021-20193.patch b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch new file mode 100644 index 0000000000..89e8e20844 --- /dev/null +++ b/meta/recipes-extended/tar/tar/CVE-2021-20193.patch 
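Review bot: In the run-postinsts hunks the flag variable is renamed to `remove_rcsd_link`, which is also the name of the function called inside the `if` (apparently defined outside the hunk). As a result `if [ $remove_rcsd_link = 1 ]; then remove_rcsd_link` reads as if it tested and called the same thing. Shell keeps variables and functions in separate namespaces, so this works, but a distinct flag name and a quoted test would be easier to follow, e.g. `if [ "$postinsts_ok" = 1 ]; then`. The second hunk also stops deleting `$pi_dir` after a successful run. The reason is not visible here, so the comment should state that the scriptlets are now left on disk on purpose.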
@@ -0,0 +1,133 @@ +From d9d4435692150fa8ff68e1b1a473d187cc3fd777 Mon Sep 17 00:00:00 2001 +From: Sergey Poznyakoff <gray@gnu.org> +Date: Sun, 17 Jan 2021 20:41:11 +0200 +Subject: Fix memory leak in read_header + +Bug reported in https://savannah.gnu.org/bugs/?59897 + +* src/list.c (read_header): Don't return directly from the loop. +Instead set the status and break. Return the status. Free +next_long_name and next_long_link before returning. + +CVE: CVE-2021-20193 +Upstream-Status: Backport +[https://git.savannah.gnu.org/cgit/tar.git/patch/?id=d9d4435692150fa8ff68e1b1a473d187cc3fd777] +Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com> + +--- + src/list.c | 40 ++++++++++++++++++++++++++++------------ + 1 file changed, 28 insertions(+), 12 deletions(-) + +diff --git a/src/list.c b/src/list.c +index e40a5c8..d7ef441 100644 +--- a/src/list.c ++++ b/src/list.c +@@ -408,26 +408,27 @@ read_header (union block **return_block, struct tar_stat_info *info, + enum read_header_mode mode) + { + union block *header; +- union block *header_copy; + char *bp; + union block *data_block; + size_t size, written; +- union block *next_long_name = 0; +- union block *next_long_link = 0; ++ union block *next_long_name = NULL; ++ union block *next_long_link = NULL; + size_t next_long_name_blocks = 0; + size_t next_long_link_blocks = 0; +- ++ enum read_header status = HEADER_SUCCESS; ++ + while (1) + { +- enum read_header status; +- + header = find_next_block (); + *return_block = header; + if (!header) +- return HEADER_END_OF_FILE; ++ { ++ status = HEADER_END_OF_FILE; ++ break; ++ } + + if ((status = tar_checksum (header, false)) != HEADER_SUCCESS) +- return status; ++ break; + + /* Good block. Decode file size and return. 
*/ + +@@ -437,7 +438,10 @@ read_header (union block **return_block, struct tar_stat_info *info, + { + info->stat.st_size = OFF_FROM_HEADER (header->header.size); + if (info->stat.st_size < 0) +- return HEADER_FAILURE; ++ { ++ status = HEADER_FAILURE; ++ break; ++ } + } + + if (header->header.typeflag == GNUTYPE_LONGNAME +@@ -447,10 +451,14 @@ read_header (union block **return_block, struct tar_stat_info *info, + || header->header.typeflag == SOLARIS_XHDTYPE) + { + if (mode == read_header_x_raw) +- return HEADER_SUCCESS_EXTENDED; ++ { ++ status = HEADER_SUCCESS_EXTENDED; ++ break; ++ } + else if (header->header.typeflag == GNUTYPE_LONGNAME + || header->header.typeflag == GNUTYPE_LONGLINK) + { ++ union block *header_copy; + size_t name_size = info->stat.st_size; + size_t n = name_size % BLOCKSIZE; + size = name_size + BLOCKSIZE; +@@ -517,7 +525,10 @@ read_header (union block **return_block, struct tar_stat_info *info, + xheader_decode_global (&xhdr); + xheader_destroy (&xhdr); + if (mode == read_header_x_global) +- return HEADER_SUCCESS_EXTENDED; ++ { ++ status = HEADER_SUCCESS_EXTENDED; ++ break; ++ } + } + + /* Loop! */ +@@ -536,6 +547,7 @@ read_header (union block **return_block, struct tar_stat_info *info, + name = next_long_name->buffer + BLOCKSIZE; + recent_long_name = next_long_name; + recent_long_name_blocks = next_long_name_blocks; ++ next_long_name = NULL; + } + else + { +@@ -567,6 +579,7 @@ read_header (union block **return_block, struct tar_stat_info *info, + name = next_long_link->buffer + BLOCKSIZE; + recent_long_link = next_long_link; + recent_long_link_blocks = next_long_link_blocks; ++ next_long_link = NULL; + } + else + { +@@ -578,9 +591,12 @@ read_header (union block **return_block, struct tar_stat_info *info, + } + assign_string (&info->link_name, name); + +- return HEADER_SUCCESS; ++ break; + } + } ++ free (next_long_name); ++ free (next_long_link); ++ return status; + } + + #define ISOCTAL(c) ((c)>='0'&&(c)<='7') +-- +cgit v1.2.1 + 
diff --git a/meta/recipes-extended/tar/tar_1.32.bb b/meta/recipes-extended/tar/tar_1.32.bb index ebe6cb0dbd..3ae6d674a5 100644 --- a/meta/recipes-extended/tar/tar_1.32.bb +++ b/meta/recipes-extended/tar/tar_1.32.bb @@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \ file://musl_dirent.patch \ + file://CVE-2021-20193.patch \ " SRC_URI[md5sum] = "17917356fff5cb4bd3cd5a6c3e727b05" diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch new file mode 100644 index 0000000000..fe594b24bb --- /dev/null +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch 
@@ -0,0 +1,40 @@ +From 086e8adf4cc352cd11572f96066b001b545f354e Mon Sep 17 00:00:00 2001 +From: Emmanuele Bassi <ebassi@gnome.org> +Date: Wed, 1 Apr 2020 18:11:55 +0100 +Subject: [PATCH] Check the memset length argument + +Avoid overflows by using the checked multiplication macro for gsize. + +Fixes: #132 + +Upstream-Status: Backported [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e] +CVE: CVE-2021-20240 + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + gdk-pixbuf/io-gif-animation.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c +index c9db3c66e..49674fd2e 100644 +--- a/gdk-pixbuf/io-gif-animation.c ++++ b/gdk-pixbuf/io-gif-animation.c +@@ -412,11 +412,15 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter) + + /* If no rendered frame, render the first frame */ + if (anim->last_frame == NULL) { ++ gsize len = 0; + if (anim->last_frame_data == NULL) + anim->last_frame_data = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, anim->width, anim->height); + if (anim->last_frame_data == NULL) + return NULL; +- memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height); ++ if (g_size_checked_mul (&len, gdk_pixbuf_get_rowstride (anim->last_frame_data), anim->height)) ++ memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, len); ++ else ++ return NULL; + composite_frame (anim, g_list_nth_data (anim->frames, 0)); + } + +-- +GitLab diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb index 16708fd581..32af2de1e8 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb 
@@ -25,6 +25,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ file://0006-Build-thumbnailer-and-tests-also-in-cross-builds.patch \ file://missing-test-data.patch \ file://CVE-2020-29385.patch \ + file://CVE-2021-20240.patch \ " SRC_URI_append_class-target = " \ diff --git a/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch new file mode 100644 index 0000000000..f8e69beb0b --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/CVE-2020-35492.patch 
@@ -0,0 +1,121 @@ +From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 +From: Heiko Lewin <heiko.lewin@worldiety.de> +Date: Tue, 15 Dec 2020 16:48:19 +0100 +Subject: [PATCH] Fix mask usage in image-compositor + +CVE: CVE-2020-35492 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be?merge_request_iid=85] + +original patch from upstream has a binary file, it will cause +do_patch failed with "git binary diffs are not supported". + +so add do_patch_append in recipe to add this binary source. when removing +this patch, please also remove do_patch_append for this patch + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + src/cairo-image-compositor.c | 8 ++-- + test/Makefile.sources | 1 + + test/bug-image-compositor.c | 39 ++++++++++++++++++++ + 3 files changed, 44 insertions(+), 4 deletions(-) + create mode 100644 test/bug-image-compositor.c + +diff --git a/src/cairo-image-compositor.c b/src/cairo-image-compositor.c +index 79ad69f68..4f8aaed99 100644 +--- a/src/cairo-image-compositor.c ++++ b/src/cairo-image-compositor.c +@@ -2610,14 +2610,14 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + unsigned num_spans) + { + cairo_image_span_renderer_t *r = abstract_renderer; +- uint8_t *m; ++ uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask); + int x0; + + if (num_spans == 0) + return CAIRO_STATUS_SUCCESS; + + x0 = spans[0].x; +- m = r->_buf; ++ m = base; + do { + int len = spans[1].x - spans[0].x; + if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) { +@@ -2655,7 +2655,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + spans[0].x, y, + spans[1].x - spans[0].x, h); + +- m = r->_buf; ++ m = base; + x0 = spans[1].x; + } else if (spans[0].coverage == 0x0) { + if (spans[0].x != x0) { +@@ -2684,7 +2684,7 @@ _inplace_src_spans (void *abstract_renderer, int y, int h, + #endif + } + +- m = r->_buf; ++ m = base; + x0 = 
spans[1].x; + } else { + *m++ = spans[0].coverage; +diff --git a/test/Makefile.sources b/test/Makefile.sources +index 7eb73647f..86494348d 100644 +--- a/test/Makefile.sources ++++ b/test/Makefile.sources +@@ -34,6 +34,7 @@ test_sources = \ + bug-source-cu.c \ + bug-extents.c \ + bug-seams.c \ ++ bug-image-compositor.c \ + caps.c \ + checkerboard.c \ + caps-joins.c \ +diff --git a/test/bug-image-compositor.c b/test/bug-image-compositor.c +new file mode 100644 +index 000000000..fc4fd370b +--- /dev/null ++++ b/test/bug-image-compositor.c +@@ -0,0 +1,39 @@ ++#include "cairo-test.h" ++ ++static cairo_test_status_t ++draw (cairo_t *cr, int width, int height) ++{ ++ cairo_set_source_rgb (cr, 0., 0., 0.); ++ cairo_paint (cr); ++ ++ cairo_set_source_rgb (cr, 1., 1., 1.); ++ cairo_set_line_width (cr, 1.); ++ ++ cairo_pattern_t *p = cairo_pattern_create_linear (0, 0, width, height); ++ cairo_pattern_add_color_stop_rgb (p, 0, 0.99, 1, 1); ++ cairo_pattern_add_color_stop_rgb (p, 1, 1, 1, 1); ++ cairo_set_source (cr, p); ++ ++ cairo_move_to (cr, 0.5, -1); ++ for (int i = 0; i < width; i+=3) { ++ cairo_rel_line_to (cr, 2, 2); ++ cairo_rel_line_to (cr, 1, -2); ++ } ++ ++ cairo_set_operator (cr, CAIRO_OPERATOR_SOURCE); ++ cairo_stroke (cr); ++ ++ cairo_pattern_destroy(p); ++ ++ return CAIRO_TEST_SUCCESS; ++} ++ ++ ++CAIRO_TEST (bug_image_compositor, ++ "Crash in image-compositor", ++ "stroke, stress", /* keywords */ ++ NULL, /* requirements */ ++ 10000, 1, ++ NULL, draw) ++ ++ +-- +GitLab diff --git a/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png b/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png Binary files differnew file mode 100644 index 0000000000..939f659d2c --- /dev/null +++ b/meta/recipes-graphics/cairo/cairo/bug-image-compositor.ref.png diff --git a/meta/recipes-graphics/cairo/cairo_1.16.0.bb b/meta/recipes-graphics/cairo/cairo_1.16.0.bb index 68f993d7ca..d48da1a4c7 100644 --- a/meta/recipes-graphics/cairo/cairo_1.16.0.bb 
+++ b/meta/recipes-graphics/cairo/cairo_1.16.0.bb @@ -27,6 +27,8 @@ SRC_URI = "http://cairographics.org/releases/cairo-${PV}.tar.xz \ file://CVE-2018-19876.patch \ file://CVE-2019-6461.patch \ file://CVE-2019-6462.patch \ + file://CVE-2020-35492.patch \ + file://bug-image-compositor.ref.png \ " SRC_URI[md5sum] = "f19e0353828269c22bd72e271243a552" @@ -64,6 +66,15 @@ export ac_cv_lib_bfd_bfd_openr="no" # Ensure we don't depend on LZO export ac_cv_lib_lzo2_lzo2a_decompress="no" +#for CVE-2020-35492.patch +do_patch_append() { + bb.build.exec_func('do_cp_binary_source', d) +} + +do_cp_binary_source () { + cp ${WORKDIR}/bug-image-compositor.ref.png ${S}/test/reference/ +} + do_install_append () { rm -rf ${D}${bindir}/cairo-sphinx rm -rf ${D}${libdir}/cairo/cairo-fdr* diff --git a/meta/recipes-kernel/kmod/kmod.inc b/meta/recipes-kernel/kmod/kmod.inc index 646dff9a97..10a319ac9f 100644 --- a/meta/recipes-kernel/kmod/kmod.inc +++ b/meta/recipes-kernel/kmod/kmod.inc @@ -26,7 +26,6 @@ SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git \ S = "${WORKDIR}/git" -EXTRA_AUTORECONF += "--install --symlink" EXTRA_OECONF +=" --enable-tools --with-zlib" PACKAGECONFIG[debug] = "--enable-debug,--disable-debug" diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb index 59ce4d5124..1a9374d0b4 100644 --- a/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb +++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20210208.bb @@ -225,6 +225,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ ${PN}-sd8887 ${PN}-sd8897 ${PN}-sd8997 ${PN}-usb8997 \ ${PN}-ti-connectivity-license ${PN}-wlcommon ${PN}-wl12xx ${PN}-wl18xx \ ${PN}-vt6656-license ${PN}-vt6656 \ + ${PN}-rs9113 ${PN}-rs9116 \ ${PN}-rtl-license ${PN}-rtl8188 ${PN}-rtl8192cu ${PN}-rtl8192ce ${PN}-rtl8192su ${PN}-rtl8723 ${PN}-rtl8821 \ ${PN}-rtl8168 \ ${PN}-cypress-license \ 
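Review bot: The `do_patch_append` / `do_cp_binary_source` pair in the second cairo hunk exists only to drop one reference image into `${S}/test/reference/`, and the patch header has to remind maintainers to delete it when the patch goes away. The fetcher's `subdir` parameter on the SRC_URI entry would do the same without extra task code, for example `file://bug-image-compositor.ref.png;subdir=${BP}/test/reference \`, assuming `S` is the default `${WORKDIR}/${BP}` (the recipe's `S` is not visible here). If the task append stays, the comment `#for CVE-2020-35492.patch` would read better as `# CVE-2020-35492.patch cannot carry the binary reference image; copy it in after patching`.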
@@ -492,6 +493,13 @@ FILES_${PN}-netronome = " \ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0096*.nffw \ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0097*.nffw \ ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0099*.nffw \ + ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0011_2x40.nffw \ + ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0058-0012_2x40.nffw \ + ${nonarch_base_libdir}/firmware/netronome/nic_AMDA0078-0011_1x100.nffw \ + ${nonarch_base_libdir}/firmware/netronome/bpf \ + ${nonarch_base_libdir}/firmware/netronome/flower \ + ${nonarch_base_libdir}/firmware/netronome/nic \ + ${nonarch_base_libdir}/firmware/netronome/nic-sriov \ " RDEPENDS_${PN}-netronome += "${PN}-netronome-license" @@ -518,6 +526,16 @@ RDEPENDS_${PN}-nvidia-gpu += "${PN}-nvidia-license" RDEPENDS_${PN}-nvidia-tegra += "${PN}-nvidia-license" RDEPENDS_${PN}-nvidia-tegra-k1 += "${PN}-nvidia-license" +# For RSI RS911x WiFi +LICENSE_${PN}-rs9113 = "WHENCE" +LICENSE_${PN}-rs9116 = "WHENCE" + +FILES_${PN}-rs9113 = " ${nonarch_base_libdir}/firmware/rsi/rs9113*.rps " +FILES_${PN}-rs9116 = " ${nonarch_base_libdir}/firmware/rsi/rs9116*.rps " + +RDEPENDS_${PN}-rs9113 += "${PN}-whence-license" +RDEPENDS_${PN}-rs9116 += "${PN}-whence-license" + # For rtl LICENSE_${PN}-rtl8188 = "Firmware-rtlwifi_firmware" LICENSE_${PN}-rtl8192cu = "Firmware-rtlwifi_firmware" 
@@ -618,7 +636,9 @@ FILES_${PN}-bcm4329 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4329-sdio.bi FILES_${PN}-bcm4330 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4330-sdio.*" FILES_${PN}-bcm4334 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4334-sdio.bin" FILES_${PN}-bcm4335 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4335-sdio.bin" -FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin" +FILES_${PN}-bcm4339 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4339-sdio.bin \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4339-sdio.bin \ +" FILES_${PN}-bcm43241b0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b0-sdio.bin" FILES_${PN}-bcm43241b4 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b4-sdio.bin" FILES_${PN}-bcm43241b5 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43241b5-sdio.bin" 
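Review bot: Files from `firmware/cypress/` are added to `${PN}-bcm4339` here, and to `${PN}-bcm43455`, `${PN}-bcm4356` and `${PN}-bcm43570` in the next hunk, but the `LICENSE_` and `RDEPENDS_` assignments for those four packages sit outside both hunks. A later hunk shows `LICENCE.cypress` being shipped by `${PN}-cypress-license` under `Firmware-cypress`. If these packages still declare only the Broadcom licence, an image could install the cypress blobs without the matching licence package. Worth confirming, and if that is the case adding lines such as `RDEPENDS_${PN}-bcm4339 += "${PN}-cypress-license"` together with the corresponding `LICENSE_` value.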
@@ -627,12 +647,18 @@ FILES_${PN}-bcm43143 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43143.bin \ ${nonarch_base_libdir}/firmware/brcm/brcmfmac43143-sdio.bin \ " FILES_${PN}-bcm43430a0 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430a0-sdio.*" -FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.*" +FILES_${PN}-bcm43455 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.* \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac43455-sdio.* \ +" FILES_${PN}-bcm4350c2 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350c2-pcie.bin" FILES_${PN}-bcm4350 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4350-pcie.bin" -FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin" +FILES_${PN}-bcm4356 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-sdio.bin \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-sdio.bin \ +" FILES_${PN}-bcm43569 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43569.bin" -FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin" +FILES_${PN}-bcm43570 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43570-pcie.bin \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac43570-pcie.bin \ +" FILES_${PN}-bcm4358 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4358-pcie.bin" FILES_${PN}-bcm43602 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.bin \ ${nonarch_base_libdir}/firmware/brcm/brcmfmac43602-pcie.ap.bin \ 
@@ -703,13 +729,21 @@ LICENSE_${PN}-cypress-license = "Firmware-cypress" FILES_${PN}-cypress-license = "${nonarch_base_libdir}/firmware/LICENCE.cypress" FILES_${PN}-bcm-0bb4-0306 = "${nonarch_base_libdir}/firmware/brcm/BCM-0bb4-0306.hcd" -FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.*" -FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.*" -FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.*" -FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin" -FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.*" +FILES_${PN}-bcm43340 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43340-sdio.* \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac43340-sdio.*" +FILES_${PN}-bcm43362 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43362-sdio.* \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac43362-sdio.*" +FILES_${PN}-bcm43430 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.* \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac43430-sdio.*" +FILES_${PN}-bcm4354 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4354-sdio.bin \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4354-sdio.bin \ +" +FILES_${PN}-bcm4356-pcie = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4356-pcie.* \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4356-pcie.* \ +" FILES_${PN}-bcm4373 = "${nonarch_base_libdir}/firmware/brcm/brcmfmac4373-sdio.bin \ ${nonarch_base_libdir}/firmware/brcm/brcmfmac4373.bin \ + ${nonarch_base_libdir}/firmware/cypress/cyfmac4373-sdio.bin \ " LICENSE_${PN}-bcm-0bb4-0306 = "Firmware-cypress" diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb index 638f3df2fb..da1d5b72da 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb 
@@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "34ae8b39b6414e1f05fed93966c5ab1db20b6963" -SRCREV_meta ?= "feeb59687bc0f054af837a5061f8d413ec7c93e9" +SRCREV_machine ?= "324e77d816cf6434507ab29140beb24044009efa" +SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.4.103" +LINUX_VERSION ?= "5.4.112" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb index 9dcea7b0ab..1edc632de7 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.4.103" +LINUX_VERSION ?= "5.4.112" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "ffe71606242ccf95707aae7599805419f14277ff" -SRCREV_machine ?= "80ade4d43bbcb497d363d44508af69af74a84092" -SRCREV_meta ?= "feeb59687bc0f054af837a5061f8d413ec7c93e9" +SRCREV_machine_qemuarm ?= "8463db325b93f0669446f68c19334cfe11ffb9c2" +SRCREV_machine ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb index 64f9789c6c..53cfabb3a7 100644 --- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb 
+++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb @@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base" KBRANCH_qemux86-64 ?= "v5.4/standard/base" KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "31486fc68d8688908700a68b6655fd50c733d882" -SRCREV_machine_qemuarm64 ?= "80ade4d43bbcb497d363d44508af69af74a84092" -SRCREV_machine_qemumips ?= "aec63899e25194c00dbc5f25db8fe6c4461eef21" -SRCREV_machine_qemuppc ?= "80ade4d43bbcb497d363d44508af69af74a84092" -SRCREV_machine_qemuriscv64 ?= "80ade4d43bbcb497d363d44508af69af74a84092" -SRCREV_machine_qemux86 ?= "80ade4d43bbcb497d363d44508af69af74a84092" -SRCREV_machine_qemux86-64 ?= "80ade4d43bbcb497d363d44508af69af74a84092" -SRCREV_machine_qemumips64 ?= "c155e91597bd1a1aae557405b5061bb8c2695e5d" -SRCREV_machine ?= "80ade4d43bbcb497d363d44508af69af74a84092" -SRCREV_meta ?= "feeb59687bc0f054af837a5061f8d413ec7c93e9" +SRCREV_machine_qemuarm ?= "133328e5d558f6060a5633d71506a6b716bb4fc6" +SRCREV_machine_qemuarm64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_machine_qemumips ?= "eef7365804592f95bceefa143cdb3cc19e8c6b66" +SRCREV_machine_qemuppc ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_machine_qemuriscv64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_machine_qemux86 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_machine_qemux86-64 ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_machine_qemumips64 ?= "996fe040c8d8d01a9af6be42dae3844d127471bf" +SRCREV_machine ?= "5f54b437b6502d3febee553100b2cb2a9e0c5f8a" +SRCREV_meta ?= "d7fd0213b75ce9b6206f63dbdd435ab326598642" # remap qemuarm to qemuarma15 for the 5.4 kernel # KMACHINE_qemuarm ?= "qemuarma15" 
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" -LINUX_VERSION ?= "5.4.103" +LINUX_VERSION ?= "5.4.112" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb index 888a235c1a..7dcc86fdc1 100644 --- a/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb +++ b/meta/recipes-support/ca-certificates/ca-certificates_20210119.bb @@ -83,8 +83,8 @@ do_install_append_class-native () { SYSROOT="${D}${base_prefix}" ${D}${sbindir}/update-ca-certificates } -RDEPENDS_${PN}_class-target = "openssl-bin" -RDEPENDS_${PN}_class-native = "openssl-native" -RDEPENDS_${PN}_class-nativesdk = "nativesdk-openssl-bin" +RDEPENDS_${PN}_append_class-target = " openssl-bin openssl" +RDEPENDS_${PN}_append_class-native = " openssl-native" +RDEPENDS_${PN}_append_class-nativesdk = " nativesdk-openssl-bin nativesdk-openssl" BBCLASSEXTEND = "native nativesdk" diff --git a/scripts/contrib/documentation-audit.sh b/scripts/contrib/documentation-audit.sh index 1191f57a8e..f436f9bae0 100755 --- a/scripts/contrib/documentation-audit.sh +++ b/scripts/contrib/documentation-audit.sh @@ -27,7 +27,7 @@ fi echo "REMINDER: you need to build for MACHINE=qemux86 or you won't get useful results" echo "REMINDER: you need to set LICENSE_FLAGS_WHITELIST appropriately in local.conf or " -echo " you'll get false positives. For example, LICENSE_FLAGS_WHITELIST = \"Commercial\"" +echo " you'll get false positives. For example, LICENSE_FLAGS_WHITELIST = \"commercial\"" for pkg in `bitbake -s | awk '{ print \$1 }'`; do if [[ "$pkg" == "Loading" || "$pkg" == "Loaded" || 
diff --git a/scripts/verify-bashisms b/scripts/verify-bashisms index fb0cc719ea..14d8c298e9 100755 --- a/scripts/verify-bashisms +++ b/scripts/verify-bashisms @@ -100,7 +100,7 @@ if __name__=='__main__': args = parser.parse_args() if shutil.which("checkbashisms.pl") is None: - print("Cannot find checkbashisms.pl on $PATH, get it from https://anonscm.debian.org/cgit/collab-maint/devscripts.git/plain/scripts/checkbashisms.pl") + print("Cannot find checkbashisms.pl on $PATH, get it from https://salsa.debian.org/debian/devscripts/raw/master/scripts/checkbashisms.pl") sys.exit(1) # The order of defining the worker function, diff --git a/scripts/yocto-check-layer b/scripts/yocto-check-layer index b7c83c8b54..deba3cb4f8 100755 --- a/scripts/yocto-check-layer +++ b/scripts/yocto-check-layer @@ -138,6 +138,9 @@ def main(): layer['type'] == LayerType.ERROR_BSP_DISTRO: continue + # Reset to a clean backup copy for each run + shutil.copyfile(bblayersconf + '.backup', bblayersconf) + if check_bblayers(bblayersconf, layer['path'], logger): logger.info("%s already in %s. To capture initial signatures, layer under test should not present " "in BBLAYERS. Please remove %s from BBLAYERS." % (layer['name'], bblayersconf, layer['name'])) |
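Review bot: In the yocto-check-layer hunk, the added `shutil.copyfile(bblayersconf + '.backup', bblayersconf)` runs on every loop iteration and will raise if the `.backup` file is absent. Where that backup gets written is outside the hunk (`main()` starts and ends beyond it), so a reader cannot tell that it is guaranteed to exist at this point. I would extend the comment to name that dependency, e.g. `# Reset to the backup copy made before this loop so one layer's edits do not leak into the next run`, and check that the code writing the backup always executes before the loop is entered.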