After upgrading GCC—for example, from 14.1.0 to 14.2.0—building lmsensors that
was previously compiled with GCC 14.1.0 may fail with an error like:
lmsensors/3.6.0/recipe-sysroot-native/usr/lib/x86_64-wrs-linux/gcc/x86_64-wrs-linux/
14.1.0/include/stddef.h can't find, which is needed by 'prog/sensord/args.rd'.
This occurs because prog/sensord/args.rd still references stale headers from the
older GCC version.
The root cause is that stale *.rd and *.ro files under prog/sensord are not
properly cleaned during do_configure. This patch ensures those files are removed
to prevent broken dependencies when GCC is upgraded.
Also remove the same statement in do_compile.
(master rev: 86b20b84ec)
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Pick commit mentioning the bug and two follow-up commits mentioning the
first commit.
Tested by running the test-suite (test starter scripts were copied from
scarthgap version which has them working).
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Backport a patch to fix CVE-2025-0838
CVE-2025-0838:
There exists a heap buffer overflow vulnerable in Abseil-cpp. The sized
constructors, reserve(), and rehash() methods of
absl::{flat,node}hash{set,map} did not impose an upper bound on their
size argument. As a result, it was possible for a caller to pass a very
large size that would cause an integer overflow when computing the size
of the container's backing store, and a subsequent out-of-bounds memory
write. Subsequent accesses to the container might also access
out-of-bounds memory. We recommend upgrading past commit
5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-0838
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2022-39836:
An issue was discovered in Connected Vehicle Systems Alliance (COVESA)
dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted
DLT file that crashes the process can be created. This is due to missing
validation checks. There is a heap-based buffer over-read of one byte.
CVE-2022-39837:
An issue was discovered in Connected Vehicle Systems Alliance (COVESA)
dlt-daemon through 2.18.8. Due to a faulty DLT file parser, a crafted
DLT file that crashes the process can be created. This is due to missing
validation checks. There is a NULL pointer dereference.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-39836https://nvd.nist.gov/vuln/detail/CVE-2022-39837
Upstream patch:
https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Redis is an open source, in-memory database that persists on disk.
An authenticated user may use a specially crafted Lua script to
manipulate the garbage collector and potentially lead to remote
code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17.
An additional workaround to mitigate the problem without patching
the redis-server executable is to prevent users from executing Lua
scripts. This can be done using ACL to restrict EVAL and EVALSHA
commands.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-46981
Upstream-patch:
https://github.com/redis/redis/commit/e344b2b5879aa52870e6838212dfb78b7968fcbf
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Redis is an open source, in-memory database that persists on disk.
Authenticated users can trigger a denial-of-service by using specially
crafted, long string match patterns on supported commands such as
`KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL
definitions. Matching of extremely long patterns may result in
unbounded recursion, leading to stack overflow and process crash.
This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1.
Users are advised to upgrade. There are no known workarounds for this
vulnerability.
References:
https://security-tracker.debian.org/tracker/CVE-2024-31228
Upstream-patch:
https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Redis is an in-memory database that persists on disk. On startup,
Redis begins listening on a Unix socket before adjusting its
permissions to the user-provided configuration. If a permissive
umask(2) is used, this creates a race condition that enables,
during a short period of time, another process to establish an
otherwise unauthorized connection. This problem has existed
since Redis 2.6.0-RC1. This issue has been addressed in Redis
versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade.
For users unable to upgrade, it is possible to work around the
problem by disabling Unix sockets, starting Redis with a restrictive
umask, or storing the Unix socket file in a protected directory.
Reference:
https://security-tracker.debian.org/tracker/CVE-2023-45145
Upstream-patch:
https://github.com/redis/redis/commit/7f486ea6eebf0afce74f2e59763b9b82b78629dc
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2024-1454:
The use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages,
occuring in the card enrolment process using pkcs15-init when a user or administrator
enrols or modifies cards. An attacker must have physical access to the computer system
and requires a crafted USB device or smart card to present the system with specially
crafted responses to the APDUs, which are considered high complexity and low severity.
This manipulation can allow for compromised card management operations during enrolment.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-1454]
Upstream patches:
[https://github.com/OpenSC/OpenSC/commit/5835f0d4f6c033bd58806d33fa546908d39825c9]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Picked patches according to
http://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt
First patch is style commit picked to have a clean cherry-pick of all
mentioned commits without any conflict.
Patch CVE-2024-3596_03.patch was removed as it only patched
wpa_supplicant. The patch names were not changed so it is comparable
with wpa_supplicant recipe.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Backport patch with tweaks for the current version to fix
CVE-2024-7254.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-52160:
The implementation of PEAP in wpa_supplicant through 2.10 allows
authentication bypass. For a successful attack, wpa_supplicant must be
configured to not verify the network's TLS certificate during Phase 1
authentication, and an eap_peap_decrypt vulnerability can then be abused
to skip Phase 2 authentication. The attack vector is sending an EAP-TLV
Success packet instead of starting Phase 2. This allows an adversary to
impersonate Enterprise Wi-Fi networks.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-52160
Patch from:
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Branches used in langdale, mickledore, nanbield were re-written in upstream :(, fixes were sent to meta-oe:
langdale: https://lists.openembedded.org/g/openembedded-devel/message/107533
mickledore: https://lists.openembedded.org/g/openembedded-devel/message/107531
merged in:
https://git.openembedded.org/meta-openembedded/commit/?h=mickledore&id=b0d67900ae9e8911f734c25c0674fe55df8cd188
nanbield: https://lists.openembedded.org/g/openembedded-devel/message/107532
merged in:
https://git.openembedded.org/meta-openembedded/commit/?h=nanbield&id=2da6e1b0e43a8993fd422fee3f83940100b59f4c
fix for langdale wasn't ever fixed because it was sent after langdale
was already EOL, but looks like the version used in kirkstone got
broken recently as well, because master branch was removed:
poco/1.11.2-r0/git $ git branch -a --contains 9d1c428c861f2e5ccf09149bbe8d2149720c5896
* master
...
remotes/origin/dev-task-test-diag
remotes/origin/devel
remotes/origin/feat/acceptor-service-handler-args
remotes/origin/fix/posix-sleep
remotes/origin/issue-templates
remotes/origin/master
remotes/origin/poco-1.12.0
remotes/origin/poco-1.12.1
remotes/origin/poco-1.12.2
remotes/origin/poco-1.12.3
remotes/origin/poco-1.12.4
remotes/origin/poco-1.12.5
remotes/origin/poco-1.12.6
remotes/origin/poco-1.9.5-not-released
remotes/origin/poll-closed-server-test
remotes/origin/upgrade-ci-actions-to-v3
poco/1.11.2-r0/git $ git remote prune origin
Pruning origin
URL: https://github.com/pocoproject/poco.git
...
* [pruned] origin/android-ndk-action
* [pruned] origin/develop
* [pruned] origin/feat/wepoll
* [pruned] origin/fix/PollSet-race
* [pruned] origin/fix/swap-noexcept
* [pruned] origin/master
* [pruned] origin/poco-1.10.2
* [pruned] origin/poco-1.9.5
refs/remotes/origin/HEAD has become dangling!
poco/1.11.2-r0/git $ git branch -a --contains 9d1c428c861f2e5ccf09149bbe8d2149720c5896
* master
...
remotes/origin/dev-task-test-diag
remotes/origin/devel
remotes/origin/discourage-using-configure-and-make
remotes/origin/feat/acceptor-service-handler-args
remotes/origin/feat/json-logging
remotes/origin/fix/posix-sleep
remotes/origin/issue-templates
remotes/origin/main
remotes/origin/master-pre-1.13.0
remotes/origin/master-unused
remotes/origin/openssl_fix
remotes/origin/poco-1.12.0
remotes/origin/poco-1.12.1
remotes/origin/poco-1.12.2
remotes/origin/poco-1.12.3
remotes/origin/poco-1.12.4
remotes/origin/poco-1.12.5
remotes/origin/poco-1.12.6
remotes/origin/poco-1.13.0
remotes/origin/poco-1.13.1
remotes/origin/poco-1.13.2
remotes/origin/poco-1.13.3
remotes/origin/poco-1.13.4
remotes/origin/poco-1.9.5-not-released
remotes/origin/poll-closed-server-test
remotes/origin/release-1.14-changelog-authors
remotes/origin/search-support
remotes/origin/upgrade-ci-actions-to-v3
switch to main branch which is the most common and the least surprising.
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* it was updated in nanbield with upgrade to 3.0.5 in:
fc0a506bde libjs-jquery-cookie: upgrade 3.0.1 -> 3.0.5
* drop duplicated protocol param as in mickledore:
2e0a581bee recipes: Remove double protocol= from SRC_URIs
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fixes
DeprecationWarning: 'pipes' is deprecated and slated for removal in Python 3.13
pipes is an alias for shlex therefore switch to using shlex
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Haixiao Yan
Jiaying Song
Peter Marko
wangmy
Changqing Li
Vijay Anusuri
Yogita Urade
Martin Jansa
Virendra Thakur
Divya Chellam
Zhang Peng
akash hadke
Mingli Yu
Khem Raj
Chen Qi
hongxu
Yi Zhao
