Fix "audit" set in CVE_PRODUCT to "linux:audit" to detect only vulnerabilities where the vendor is "linux".
Currently, CVE_PRODUCT also detects vulnerabilities where the vendor is "visionsoft",
which are unrelated to the "audit" in this recipe.
https://www.opencve.io/cve?vendor=visionsoft&product=audit
In addition, all the vulnerabilities currently detected in "audit" have the vendor of "visionsoft" or "linux".
Therefore, fix "audit" set in CVE_PRODUCT to "linux:audit".
Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e87e51da49)
Adapted to Kirkstone.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
All the ptest cases are failed since error "+++ Can't Determine Endianness",
update the regex for matching the endianness to fix this issue.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6de9b46cc7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Building with ndiff PACKAGECONFIG failed with the following error:
| File "/yocto/sandbox/build/tmp/work/cortexa53-poky-linux/nmap/7.95/nmap-7.95/ndiff/setup.py", line 11, in <module>
| import setuptools.command.install
| ModuleNotFoundError: No module named 'setuptools'
Fix it by adding the missing dependency.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3564ec12de)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This tweak is needed for building audit but not the interfaces it may
expose via the headers, therefore undo the tweak before packaging things
up
Reported-By: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4ff83dfb5a)
audit errors out due to swig munging it does with kernel headers
| audit_wrap.c: In function '_wrap_audit_rule_data_buf_set':
| audit_wrap.c:4701:17: error: cast specifies array type
| 4701 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
| | ^
| audit_wrap.c:4701:15: error: invalid use of flexible array member
| 4701 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
| | ^
| audit_wrap.c:4703:15: error: invalid use of flexible array member
| 4703 | arg1->buf = 0;
| | ^
These errors are due to VLAIS from kernel headers, so we copy
linux/audit.h and make the needed change in local audit.h and make
needed arrangements in build to use it when building audit package
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Bruce Ashfield <bruce.ashfield@gmail.com>
(cherry picked from commit ee3c680c30)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
default SBINDIR is hardcoded to /sbin which does not work when using
usrmerge
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8c7ffffa07)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Set one crypto-backend library at a time
OpenSSL is the crypto-backend library set for device hashing
Override PACKAGECONFIG to replace it with libsodium or libgcrypt
Signed-off-by: Anu Deepthika, Nandipati <Nandipati.AnuDeepthika@philips.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* Backport a patch to fix the compile error
* Refresh the patches to fix the patch-fuzz warning.
* Minor tweaks to the recipe with reference to the 3.0 bb file.
Fixes:
tmp/work/core2-64-poky-linux/audit/2.8.5-r0/recipe-sysroot-native/usr/bin/x86_64-poky-linux/../../libexec/x86_64-poky-linux/gcc/x86_64-poky-linux/11.1.1/ld:
ausearch-checkpt.o:/usr/src/debug/audit/2.8.5-r0/build/src/../../git/src/ausearch-common.h:53: multiple definition of `event_node_list';
ausearch.o:/usr/src/debug/audit/2.8.5-r0/build/src/../../git/src/ausearch-common.h:53: first defined here
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Move audit to a more common layer to simplify integration.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
upstream nmap is python2 compatiable now, but this recipe
supports python3.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
meta-security has this pkg to but newer. Move from meta-sec to meta-oe
minor cleanups.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It is either += or append but not both - picking
append to be the safe bet
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This change makes the parsing go though, we still might have build
issues, which will be reported in world builds seprately
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is useful for consolidation of code-signing interfaces when
building an image with verified boot mechanisms or signed update
artifacts. It can also be used on the target as a backend for software
which uses the PKCS#11 API to access private key material.
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Fixed:
$ bitbake nativesdk-keyutils
ERROR: nativesdk-keyutils-1.6-r0 do_package: QA Issue: nativesdk-keyutils: Files/directories were installed but not shipped in any package:
/usr
/etc
/usr/share
/usr/share/man
/usr/share/keyutils
[snip]
/etc/request-key.conf
/etc/request-key.d
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Updates nmap to v7.80, this solves the following CVEs:
- CVE-2017-18594
- CVE-2018-15173
and addressed numerous bugs as well.
The patch '0001-include-time.h-for-time-structure-definition.patch'
is modified to be applicable to the new version while serving for
the same purpose.
The license changed in the commit https://github.com/nmap/nmap/commit/d639a53
and is only a date bump without modification of any content in the
license.
Signed-off-by: Peiran Hong <peiran.hong@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
If both ncat and ssl are in PACKAGECONFIG then the installer adds
a cert bundle to
/usr/share/ncat/ca-bundle.crt
Signed-off-by: Scott Ellis <scott@jumpnowtek.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Currently, the ndiff isn't built and installed
as ndiff is python2 compatible script and it
checks PYTHON_VERSION to determine whether
build and install ndiff in configure phase.
Update to inherit pythonnative to let the
PYTHON_VERSION to be 2 to let ndiff be built
and installed.
Apart from ndiff python script, there is another
script named ndiff.py used by ndiff, export
PYTHON_SITEPACKAGES_DIR to make ndiff.py installed
in the correct place.
Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* there is explicit dependency on libpam without respecting pam in DISTRO_FEATURES
so add the check to prevent people building it against broken libpam
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Gyorgy Sarvari
Shinji Matsunaga
Changqing Li
Jiaying Song
Bartosz Golaszewski
Liyin Zhang
Khem Raj
Alex Kiernan
Anu Deepthika, Nandipati
Richard Purdie
Yi Zhao
Alexander Thoma
Martin Jansa
Armin Kuster
Konrad Weihmann
Mingli Yu
Mingde (Matthew) Zeng
Jan Luebbe
Denys Dmytriyenko
Christophe PRIOUZEAU
Robert Yang
Peiran Hong
Adrian Bunk
Yongxin Liu
Scott Ellis