ld.hugetlbfs is munging certain linker command-line options
and presenting differently named options to its users; in
summary, it's expecting the linker process to call ld.hugetlbfs,
which calls the final linker with additional decorations.
This patch makes space for that by adding the -B option to the compiler
so it finds the linker in S, and then we create symlinks
for the linker name that clang/gcc are expecting.
Fixes
libhugetlbfs/2.24/recipe-sysroot-native/usr/bin/x86_64-yoe-linux/x86_64-yoe-linux-ld.bfd: unrecognized option '--hugetlbfs-link=B'
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit dc84a9e699)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
cve-check.bbclass reported unpatched vulnerabilities in libtar
[1,2,3,4,5]. The NIST assigned base score for the worst vulnerability
is 9.1 / critical.
The patches were taken from the libtar [6] master branch after the
latest tag v1.2.20 (the changes in libtar master mostly originate from
Fedora and their patches), and from the Fedora 41 libtar source package
[7] and the Debian libtar package 1.2.20-8 [8] where the patches were
not available in the libtar repository itself.
The Fedora patch series was taken in its entirety in order to minimize
differences to Fedora's source tree instead of cherry-picking only CVE
fixes. Minimizing the differences should avoid issues with potential
inter-dependencies between the patches, and hopefully provide better
confidence as even the newest patches have been in use in Fedora for
nearly 2 years (since December 2022; Fedora rpms/libtar.git commit
e25b692fc7ceaa387dafb865b472510754f51bd2). The series includes even the
Fedora patch libtar-1.2.20-no-static-buffer.patch, which contains
changes *) that match the libtar commit
ec613af2e9371d7a3e1f7c7a6822164a4255b4d1 ("decode: avoid using a static
buffer in th_get_pathname()") whose commit message says
    Note this can break programs that expect sizeof(TAR) to be fixed.
The patches applied cleanly except for the Fedora srpm patch
libtar-1.2.11-bz729009.patch, which is identical with the pre-existing
meta-oe patch 0002-Do-not-strip-libtar.patch and is thus omitted.
The meta-openembedded recipe does not include any of the patches in
Kirkstone [9] nor the current master [10].
libtar does not have newer releases, and the libtar master doesn't
contain all of the changes included in the patches. Fedora's
libtar.1.2.11-*.patch are not included in the libtar v1.2.20 release
either but only in the master branch after the tag v1.2.20. The version
number in the filename is supposedly due to the patches being created
originally against v1.2.11 but have been upstreamed or at least
committed to the master only after v1.2.20.
The commit metadata could not be practically completed in most of the
cases due to missing commit messages in the original commits and
patches. The informal note about the author ("Authored by") was added to
the patch commit messages where the commit message was missing the
original author(s)' Signed-off-by.
*) The patch also contains the changes split to the libtar commits
495d0c0eabc5648186e7d58ad54b508d14af38f4 ("Check for NULL before
freeing th_pathname") and 20aa09bd7775094a2beb0f136c2c7d9e9fd6c7e6
("Added stdlib.h for malloc() in lib/decode.c")
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-33643
[2] https://nvd.nist.gov/vuln/detail/CVE-2021-33644
[3] https://nvd.nist.gov/vuln/detail/CVE-2021-33645
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-33646
[5] https://nvd.nist.gov/vuln/detail/CVE-2013-4420
[6] https://repo.or.cz/libtar.git
[7] https://src.fedoraproject.org/rpms/libtar/tree/f41
[8] https://sources.debian.org/patches/libtar/1.2.20-8/CVE-2013-4420.patch/
[9] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=kirkstone&id=9a24b7679810628b594cc5a9b52f77f53d37004f
[10] https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/libtar/libtar_1.2.20.bb?h=master&id=9356340655b3a4f87f98be88f2d167bb2514a54c
Signed-off-by: Katariina Lounento <katariina.lounento@vaisala.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3c9b5b36c8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The project has a proper pyproject.toml which declares the setuptools.build_meta PEP-517 backend.
Fix:
WARNING: python3-reedsolo-2.1.0b1-r0 do_check_backend: QA Issue: inherits setuptools3 but has pyproject.toml with setuptools.build_meta, use the correct class [pep517-backend]
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9a5f017a01)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
- The project has a proper pyproject.toml which declares the setuptools.build_meta PEP-517 backend.
- Unnecessary dependencies dropped.
Fix:
WARNING: python3-pastedeploy-3.1.0-r0 do_check_backend: QA Issue: inherits setuptools3 but has pyproject.toml with setuptools.build_meta, use the correct class [pep517-backend]
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f421917ff6)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fix:
WARNING: python3-spidev-3.6-r0 do_check_backend: QA Issue: inherits setuptools3 but has pyproject.toml with setuptools.build_meta, use the correct class [pep517-backend]
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit dd22a1cdc7)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
- The project has a proper pyproject.toml which declares the setuptools.build_meta PEP-517 backend.
- The PyPI package name defaults to PN without the python3- prefix, so there is no need to set PYPI_PACKAGE to inflate64; it is that by default.
- Added missing dependency python3-setuptools-scm-native.
Fix:
WARNING: python3-inflate64-1.0.0-r0 do_check_backend: QA Issue: inherits setuptools3 but has pyproject.toml with setuptools.build_meta, use the correct class [pep517-backend]
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 289470f0eb)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
- The project has a proper pyproject.toml which declares the setuptools.build_meta PEP-517 backend.
- The PyPI package name defaults to PN without the python3- prefix, so there is no need to set PYPI_PACKAGE to alembic; it is that by default.
WARNING: python3-alembic-1.13.3-r0 do_check_backend: QA Issue: inherits setuptools3 but has pyproject.toml with setuptools.build_meta, use the correct class [pep517-backend]
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 207266f4c0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Currently softhsm will try to access deleted objects due to the order of
atexit handler implementations. Add a patch which adds a global variable
to track whether objects are deleted and prevents access if this is the
case.
This fixes a failure with the signing.bbclass where when signing
multiple fitimage configurations the second signing operation will lead
to a segfault.
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The python3-pyserial dependency was introduced in [1].
It is provided by the meta-python layer, so make it conditional.
Fixes:
| NOTE: Resolving any missing task queue dependencies
| ERROR: Nothing RPROVIDES 'python3-pyserial' (but ../meta-openembedded/meta-oe/recipes-navigation/gpsd/gpsd_3.25.bb RDEPENDS on or otherwise requires it)
| NOTE: Runtime target 'python3-pyserial' is unbuildable, removing...
| Missing or unbuildable dependency chain was: ['python3-pyserial']
| NOTE: Runtime target 'gpsd' is unbuildable, removing...
| Missing or unbuildable dependency chain was: ['gpsd', 'python3-pyserial']
[1] https://git.openembedded.org/meta-openembedded/commit/?id=1266c912afa0abf118eaa5d152a0641c87665fbd
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
- Switch to fetching from pypi
- Use automake format for pytests
- Fix ptests, by adding missing runtime deps
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
It's needed for
ModuleNotFoundError: No module named 'tracemalloc'
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fix "audit" set in CVE_PRODUCT to "linux:audit" to detect only vulnerabilities where the vendor is "linux".
Currently, CVE_PRODUCT also detects vulnerabilities where the vendor is "visionsoft",
which are unrelated to the "audit" in this recipe.
https://www.opencve.io/cve?vendor=visionsoft&product=audit
In addition, all the vulnerabilities currently detected in "audit" have the vendor of "visionsoft" or "linux".
Therefore, fix "audit" set in CVE_PRODUCT to "linux:audit".
Signed-off-by: Shinji Matsunaga <shin.matsunaga@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
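
The vendor scoping described in the CVE_PRODUCT commit above, as an added example that is not part of the commit or of cve-check.bbclass: it models a bare product name as matching any vendor (wildcard "%") and "vendor:product" as matching one vendor only. The CVE ids are placeholders and the CPE strings are constructed sample data.

```python
# Added illustration (not code from cve-check.bbclass): a bare product name in
# CVE_PRODUCT matches every vendor, while "vendor:product" narrows the match.

# Constructed sample records: (placeholder CVE id, CPE 2.3 string).
SAMPLE_CPES = [
    ("CVE-XXXX-0001", "cpe:2.3:a:linux:audit:2.8.5:*:*:*:*:*:*:*"),
    ("CVE-XXXX-0002", "cpe:2.3:a:visionsoft:audit:*:*:*:*:*:*:*:*"),
    ("CVE-XXXX-0003", "cpe:2.3:a:linux:util-linux:2.30:*:*:*:*:*:*:*"),
]


def parse_cpe(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string.

    Assumption: no escaped colons in the vendor/product fields.
    """
    fields = cpe.split(":")
    if len(fields) < 5 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return fields[3], fields[4]


def parse_cve_product(value):
    """Split a CVE_PRODUCT value into (vendor, product) pairs.

    Entries are whitespace separated; an entry without "vendor:" gets the
    wildcard vendor "%", meaning it matches any vendor.
    """
    pairs = []
    for entry in value.split():
        vendor, sep, product = entry.partition(":")
        pairs.append((vendor, product) if sep else ("%", entry))
    return pairs


def matching_cves(cve_product, records=SAMPLE_CPES):
    """Return the ids of records whose CPE matches any CVE_PRODUCT entry."""
    wanted = parse_cve_product(cve_product)
    hits = []
    for cve_id, cpe in records:
        vendor, product = parse_cpe(cpe)
        if any(p == product and v in ("%", vendor) for v, p in wanted):
            hits.append(cve_id)
    return hits


if __name__ == "__main__":
    print("audit       ->", matching_cves("audit"))
    print("linux:audit ->", matching_cves("linux:audit"))
```
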
The python3-pyserial dependency was introduced in [1].
It is provided by the meta-python layer, so make it conditional.
Fixes:
| NOTE: Resolving any missing task queue dependencies
| ERROR: Nothing RPROVIDES 'python3-pyserial' (but ../meta-openembedded/meta-oe/recipes-navigation/gpsd/gpsd_3.25.bb RDEPENDS on or otherwise requires it)
| NOTE: Runtime target 'python3-pyserial' is unbuildable, removing...
| Missing or unbuildable dependency chain was: ['python3-pyserial']
| NOTE: Runtime target 'gpsd' is unbuildable, removing...
| Missing or unbuildable dependency chain was: ['gpsd', 'python3-pyserial']
[1] https://git.openembedded.org/meta-openembedded/commit/?id=1266c912afa0abf118eaa5d152a0641c87665fbd
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
- Let getaddrinfo(3) select the default IPv4 or IPv6 protocol version
when it is not explicitly specified on the command line
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
fix-openssl-no-des.patch
refreshed for 5.73
Changelog:
===========
* Security bugfixes
  - OpenSSL DLLs updated to version 3.3.2.
  - OpenSSL FIPS Provider updated to version 3.0.9.
* Bugfixes
  - Fixed a memory leak while reloading stunnel.conf
    sections with "client=yes" and "delay=no".
  - Fixed TIMEOUTocsp with values greater than 4.
  - Fix the IPv6 test on a non-IPv6 machine.
* Features
  - HELO replaced with EHLO in the post-STARTTLS SMTP
    protocol negotiation (thx to Peter Pentchev).
  - OCSP stapling fetches moved away from server threads.
  - Improved client-side session resumption.
  - Added support for the mimalloc allocator.
  - Check for protocolHost moved to configuration file
    processing for the client-side CONNECT protocol.
  - Clarified some confusing OpenSSL's certificate
    verification error messages.
  - stunnel.nsi updated for Debian 13 and Fedora.
  - Improved NetBSD compatibility.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>