Ignore a number of CVEs for this recipe (because they are for another software,
outdated version, or because they affect only non-Linux platforms). This commit
is a backport of a number of commits from the master branch (which uses the same
version of the recipe):
0e7733f1b81b86a60f6259d3949e3e1b86a60f62da2b5e8b930e7733f1b8
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
In case netcat PACKAGECONFIG is enabled, do_configure fails
with the following error message:
| configure: error: hddtemp isn't queryable via netcat (use --disable-pathchecks to disable this check)
hddtemp service keeps a TCP port open to query the sensor data.
In case netcat is enabled for this recipe, the configure script
will search for the netcat binary, and will try to query this
hddtemp port, as a sanity check. This check is performed
independently from the hddtemp PACKAGECONFIG. Since hddtemp
isn't running in the build environment (probably) and
network connection is also disabled, this check fails.
To avoid this problem, add the extra config argument suggested by the
error message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b16f9c6f04)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
pyconnman has an install_requires on 'future', but the corresponding
'python3-future' is missing from the recipes RDEPENDS.
Signed-off-by: Marcus Flyckt <mafl@kvaser.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4ccb2fa47f)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Fixes an issue where lcov is using the system Perl rather than the yocto
provided Perl. This causes packages to not be found during runtime such
as PerlIO::gzip.
Signed-off-by: Alex Yao <alexyao1@meraki.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e66ae31c95)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Current version 3.22 is not affected by the issue.
Affected versions: Up to (excl.) 3.2.1
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 30e6d975e8)
Adapted to Kirkstone
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Per convert-srcuri.py script, github repos should be accessed
via https.
Change it accordingly.
Signed-off-by: Fabio Estevam <festevam@denx.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 4cef1e68ea)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
cve-check.bbclass reported unpatched vulnerabilities in libtar
[1,2,3,4,5]. The NIST assigned base score for the worst vulnerability
is 9.1 / critical.
The patches were taken from the libtar [6] master branch after the
latest tag v1.2.20 (the changes in libtar master mostly originate from
Fedora and their patches), and from the Fedora 41 libtar source package
[7] and the Debian libtar package 1.2.20-8 [8] where the patches were
not available in the libtar repository itself.
The Fedora patch series was taken in its entirety in order to minimize
differences to Fedora's source tree instead of cherry-picking only CVE
fixes. Minimizing the differences should avoid issues with potential
inter-dependencies between the patches, and hopefully provide better
confidence as even the newest patches have been in use in Fedora for
nearly 2 years (since December 2022; Fedora rpms/libtar.git commit
e25b692fc7ceaa387dafb865b472510754f51bd2). The series includes even the
Fedora patch libtar-1.2.20-no-static-buffer.patch, which contains
changes *) that match the libtar commit
ec613af2e9371d7a3e1f7c7a6822164a4255b4d1 ("decode: avoid using a static
buffer in th_get_pathname()") whose commit message says
Note this can break programs that expect sizeof(TAR) to be fixed.
The patches applied cleanly except for the Fedora srpm patch
libtar-1.2.11-bz729009.patch, which is identical with the pre-existing
meta-oe patch 0002-Do-not-strip-libtar.patch and is thus omitted.
The meta-openembedded recipe does not include any of the patches in
Kirkstone [9] nor the current master [10].
libtar does not have newer releases, and the libtar master doesn't
contain all of the changes included in the patches. Fedora's
libtar.1.2.11-*.patch are not included in the libtar v1.2.20 release
either but only in the master branch after the tag v1.2.20. The version
number in the filename is supposedly due to the patches being created
originally against v1.2.11 but have been upstreamed or at least
committed to the master only after v1.2.20.
The commit metadata could not be practically completed in most of the
cases due to missing commit messages in the original commits and
patches. The informal note about the author ("Authored by") was added to
the patch commit messages where the commit message was missing the
original author(s)' Signed-off-by.
*) The patch also contains the changes split to the libtar commits
495d0c0eabc5648186e7d58ad54b508d14af38f4 ("Check for NULL before
freeing th_pathname") and 20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6
("Added stdlib.h for malloc() in lib/decode.c"))
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-33643
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-33644
[3] https://nvd.nist.gov/vuln/detail/CVE-2021-33645
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-33646
[5] https://nvd.nist.gov/vuln/detail/CVE-2013-4420
[6] https://repo.or.cz/libtar.git
[7] https://src.fedoraproject.org/rpms/libtar/tree/f41
[8] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/
[9] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=kirkstone&id=9a24b7679810628b594cc5a9b52f77f53d37004f
[10] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master&id=9356340655b3a4f87f98be88f2d167bb2514a54c
Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3c9b5b36c8)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Only include the lines from icheck.js that cover the copyright and the
license text.
License-Update: Only include the relevant parts of icheck.js
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e1bced7399)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
According to its copyright file, dash is only BSD-3-Clause. It has
a build time tool from bash that's under the GPL, but only the
tool's output is used, not the tool itself. So all compiled artefacts
in dash appear to share the same licence.
Signed-off-by: Dan McGregor <dan.mcgregor@usask.ca>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 8eba35f8b0)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Building with ndiff PACKAGECONFIG failed with the following error:
| File "/yocto/sandbox/build/tmp/work/cortexa53-poky-linux/nmap/7.95/nmap-7.95/ndiff/setup.py", line 11, in <module>
| import setuptools.command.install
| ModuleNotFoundError: No module named 'setuptools'
Fix it by adding the missing dependency.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3564ec12de)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Switch to the sourceforge SRC_URI since the mars.org site only supports ftp.
Also switch the HOMEPAGE and BUGTRACKER links over to https.
and drop the obsolete SRC_URI[md5sum].
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f61cc52609)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Sana Kazi
Saravanan
Gyorgy Sarvari
simoneScaravati
Bartosz Golaszewski
Marcus Flyckt
Yi Zhao
Benjamin Szőke
Tim Orling
Wang Mingyu
Alex Yao
Peter Marko
Ninette Adhikari
Julian Haller
Martin Jansa
Fabio Estevam
Katariina Lounento
Peter Kjellerstedt
Dan McGregor
Jiaying Song
Randy MacLeod