Pick commit mentioned in NVD CVE report.
Conflict in src/errorpage.cc resolved per patch from Debian bookworm.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This ancient CVE [1] is unversioned ("*") in NVD DB.
"mod_sqlpw module in ProFTPD does not reset a cached password..."
Looking at history and changelog, the module was removed [2] around
the time when this CVE was published, likely as reaction to this CVE.
"mod_sqlpw.c, mod_mysql.c and mod_pgsql.c have been REMOVED from the
distribution. They are currently unmaintained and have numerous bugs."
Note: It was later re-introduced as mod_sql when it got fixed under
new maintainer.
[1] https://nvd.nist.gov/vuln/detail/CVE-2001-0027
[2] https://github.com/proftpd/proftpd/blob/v1.3.8b/NEWS#L3362
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 03a1b56bc7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Per [1] this CVE is already patched by commit [2].
This can be also verified with yocto build.
Running without this patch:
root@qemux86-64:~# sfconvert poc.wav output format wave
malloc(): corrupted top size
Aborted
Running with it:
root@qemux86-64:~# sfconvert poc.wav output format wave
Audio File Library: Bad number of coefficients [error 62]
Could not open file 'poc.wav' for reading.
[1] https://github.com/mpruett/audiofile/issues/56
[2] c48e4c6503
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 68f55c158e)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
remmina has a hard dependency on curl [1]. This doesn't result in an
error on branches with gtk4 because curl gets pulled in via vte ->
gtk4 -> gstreamer-plugins-bad -> curl.
Add an explicit DEPENDS on curl to reflect the dependency.
[1] a8afdd728d/src/CMakeLists.txt (L259)
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
============
* Do not allow formatting LUKS2 with Opal SED (hardware encryption)
* Fixes to wiping LUKS2 headers after Opal locking area erase.
* Mention the need for possible PSID revert before Opal format for some
drives (man page).
* Fix Bitlocker-compatible code to ignore newly seen metadata entries.
* Fix interactive query retry if LUKS2 unbound keyslot is present.
* Detect unsupported zoned devices for LUKS header devices.
* Allow "capi" cipher format for benchmark command and fix parsing
of plain IV in "capi" format.
* Add support for HCTR2 encryption mode.
* Source code now uses SPDX license identifiers instead of full
license preambles.
* Fix missing includes for cryptographic backend that could cause
compilation errors for some systems.
* Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
* Fix various (mostly false positive) issues detected by Coverity.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 7916a5c55a)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changelog:
==========
* Fix feh not respecting aspect ratio of thumbnails that are smaller than
--thumb-width and --thumb-height
* Fix --no-recursive behaving like --recursive
* Fix rotation by 180° corrupting images
* Speed up --sort=size and --sort=mtime by caching stat(2) calls
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2775cdb58c)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Fix "audit" set in CVE_PRODUCT to "linux:audit" to detect only vulnerabilities where the vendor is "linux".
Currently, CVE_PRODUCT also detects vulnerabilities where the vendor is "visionsoft",
which are unrelated to the "audit" in this recipe.
https://www.opencve.io/cve?vendor=visionsoft&product=audit
In addition, all the vulnerabilities currently detected in "audit" have the vendor of "visionsoft" or "linux".
Therefore, fix "audit" set in CVE_PRODUCT to "linux:audit".
Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e87e51da49)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
ChangeLog:
- Fix musl C builds
- Many code cleanups
- Use atomic variables if available for signal related flags
- Dont rotate audit logs when auditd is in debug mode
- Fix a couple memory leaks on error paths
- Correct output when displaying rules with exe/path/dir
- Fix auparse lookup test to not use the system libaupaurse
- Improve auparse metrics
- Update auparse normalizer for recent syscalls
- Make status report uniform
Drop 0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch as
the issue has been fixed upstream.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f7e691ff43)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Bug fixes:
- fix C++ tests with recent kernels which introduced stricter reconfigure
behavior
- fix a use-after-free bug in python bindings
- fix passing the event clock property to line requests in python bindings
- fix a memory leak in tools
- make sure the string buffers in line-info and chip-info are big enough to not
truncate the strings they hold below the size accepted by the kernel
Dropped patch which is merged in the upstream
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9958590b70)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
The OpenLDAP license is versioned. As such, listing the license as
simply "OpenLDAP" does not convey a complete picture of what license the
component is actually using.
Update the LICENSE variable to use the SPDX identifier for OpenLDAP
licenses, with the appropriate version number, "OLDAP-2.8".
Rename the license file for the OpenLDAP license to "OLDAP-2.8" from
"OpenLDAP".
Signed-off-by: Ethan Roderick <Ethan.Roderick@digi.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0bd728bfd9)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Changes in 1.18.4
=================
Released: 2024-04-18
- Don't allow commandline arrays when the first commandline item starts with
whitespace or hyphen. (CVE-2024-32462)
- Do not store device access permission if it returned an error.
- Fix crash with config files without a default backend set.
Changes in 1.18.3
=================
Released: 2024-04-04
- Don't try to read D-Bus object properties of Request objects on construction.
- Fix various memory and file descriptor leaks.
- Minuscule optimization to the ScreenCast portal so that it stores restoration
data with a single D-Bus call, instead of two.
- Fix a crash in the OpenURI file when trying to open a non-existing file.
- Various smaller bug fixes.
Changes in 1.18.2
=================
Released: 2023-11-22
- Pass the token to the OpenURI portal and, when missing, an empty string.
- Fix various memory and file descriptor leaks in the Document portal.
- Make files and folders openend with the Document portal close properly. This
should fix cases where the Document portal prevented external devices from
unmounting, due to files inside them not getting closed after applications
stop using them.
- Implement FUSE getlk and setlk callbacks.This should enable using sqlite3
through the Document portal.
- Properly resolve fd symlinks before opening them with O_NOFOLLOW.
- Fix cases where the portal id is assumed to match the .desktop file name.
- Allow sending directories in the file transfer portal. This should make it
possible to, among other things, drag and drop folders and files simultaneously
from and to sandboxed applications.
- Fallback to a hardcoded check to xdg-desktop-portal-gtk in the absence of any
other portal or configuration file, as a last resort mechanism.
- Various smaller fixes to the build system.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9e57692e9f)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Fix a build error caused by a missing build directory. This is already
fixed in cockpit 344 and newer so backport the fix.
Signed-off-by: Leonard Anderweit <l.anderweit@phytec.de>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
