A vulnerability in corydolphin/flask-cors version 4.0.1 allows the
`Access-Control-Allow-Private-Network` CORS header to be set to true
by default, without any configuration option. This behavior can expose
private network resources to unauthorized external access, leading to
significant security risks such as data breaches, unauthorized access
to sensitive information, and potential network intrusions.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6221
Upsteam-Patch:
7ae310c56a
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Twisted is an event-based framework for internet applications, supporting
Python 3.6+. The HTTP 1.0 and 1.1 server provided by twisted.web could process
pipelined HTTP requests out-of-order, possibly resulting in information
disclosure. This vulnerability is fixed in 24.7.0rc1.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-41671
Upstream-patches:
046a164f894a930de12f
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A flaw was found in the Poppler's Pdfinfo utility. This issue
occurs when using -dests parameter with pdfinfo utility. By
using certain malformed input files, an attacker could cause
the utility to crash, leading to a denial of service.
CVE-2024-6239-0002 is the CVE fix and CVE-2024-6239-0001 is
dependent commit to fix the CVE.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-6239
Upstream patch:
0554731052fc1c711cb5
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The json module is used in several cli commands.
The fcntl module is used in terminal input handling.
Signed-off-by: Esben Haabendal <esben@geanix.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit cb50c93096)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This reverts commit: 5edb8335dc
The Networkmanager package must not depend on ModemManager. Only the
Networkmanager-wwan package should depend on the ModemManager package.
The mobile-broadband-provider-info is fully optional and it is often not
required for embedded devices. Let the user choose if it gets installed
or not. Adding it explicitely to IMAGE_INSTALL is simple. Adding an
RRECOMMENS would work as well. But adding an RDEPENDS is bad.
In general, NetworkManager packaging is intended to provide a set of
binary packages suitable for building many different images.
NetworkManager is designed to be used for binary packages distributions
where it is not possible to rebuild NetworkManager just to install
Modemmanager. Also for OE, where a rebuilding is possible, a rebuild is
a disadvantage. So please do not destroy this flexibility by adding
RDEPENDS, which are firstly wrong and secondly only suitable for your
specific needs.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
============
* Add NULL check to cJSON_SetValuestring()(CVE-2024-31755)
* Remove non-functional list handling of compiler flags
* Fix heap buffer overflow
* remove misused optimization flag -01
* Set free'd pointers to NULL whenever they are not reassigned immediately after
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(From meta-openembedded rev: 535822eff7)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Only include the lines from icheck.js that cover the copyright and the
license text.
License-Update: Only include the relevant parts of icheck.js
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Only include the lines from the README that cover the copyright and the
license text.
License-Update: Only include the relevant parts of the README
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Frank de Brabander <debrabander@gmail.com>
Add missing RDEPENDS for ptest:
- python3-zoneinfo
- tzdata
Similar to fixes in Styhead 110b636836 but for 2.18.4
and without needing to add the python3-tzdata recipe.
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The recipe for pydantic currently is at version 2.7.3. This
project specifies in its pyproject.toml that it depends on
pydantic-core version 2.18.4. Because an older 2.16.3 version
of pydantic-core was used now, a simple bit of code will break.
from enum import Enum
from pydantic import BaseModel
class Color(str, Enum):
RED = "RED"
BLUE = "BLUE"
class Car(BaseModel):
color: Color
print(Car(color=Color.RED))
This will upgrade the python3-pydantic-core recipe to make it
compatible with python3-pydantic, so that the above snippet of
code will no longer fail.
Two patches are removed, these backports are now included in the
upstream code. A new patch is added to set the required rust
compiler from 1.76 to 1.75. Version 1.76 is not actually needed.
File python3-pydantic-core-crates.inc is regenerated by running
'bitbake -c update_crates python3-pydantic-core'.
The recipes RDEPENDS now includes python3-compression. The pydantic
schema validator imports 'importlib.metadata' which wants to import
'zipfile'.
The buildpaths QA check is skipped. This should be fixed at some
point, but it was already failing before this change.
Signed-off-by: Frank de Brabander <debrabander@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport from Styhead bee8b9bbc4 as part of the overall scarthgap fix
Fix typo in python3-pydantic version, it was 2.7.3 not 2.7.2
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
============
-Bump pydantic-core to v2.18.2
-Ftp and Websocket connection strings support
-Use field description for RootModel schema description when there is no docstring
-Fix validation_alias behavior with model_construct for AliasChoices and AliasPath
-Revert typing.Literal and import it outside the TYPE_CHECKING block
-Fix Secret serialization schema, applicable for unions
-Fix strict application to function-after with use_enum_values
-Address case where model_construct on a class which defines model_post_init fails with AttributeError
-Fix model_json_schema with config types
-Support multiple zeros as an int
-Fix validation of ints with leading unary plus
-Fix interaction between extra != 'ignore' and from_attributes=True
-Handle error from Enum's missing function as ValidationError
-Fix memory leak with Iterable validation
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport from Styhead 6112eb064c as part of the overall scarthgap fix
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
- Remove outdated comment
- Switch to git fetcher. Otherwise the official download location leads to:
WARNING: exiv2-0.28.2-r0 do_recipe_qa: QA Issue: exiv2: SRC_URI uses unstable GitHub/GitLab
archives, convert recipe to use git protocol [src-uri-bad]
- Remove reproducibility hack. Theres no buildpath leakage in exiv2Config.cmake
anymore.
Changes from version 0.28.1 to 0.28.2
-------------------------------------
Release Notes:
* https://github.com/Exiv2/exiv2/issues/2914
* https://github.com/Exiv2/exiv2/milestone/13?closed=1
This release also fixes two low-severity security issues in quicktimevideo.cpp:
* [CVE-2024-24826](https://github.com/Exiv2/exiv2/security/advisories/GHSA-g9xm-7538-mq8w):
out-of-bounds read in QuickTimeVideo::NikonTagsDecoder.
* [CVE-2024-25112](https://github.com/Exiv2/exiv2/security/advisories/GHSA-crmj-qh74-2r36):
denial of service due to unbounded recursion in QuickTimeVideo::multipleEntriesDecoder.
These vulnerabilities are in a new feature (quicktime video) that was added in version 0.28.0,
so earlier versions of Exiv2 are not affected.
Changes from version 0.28.0 to 0.28.1
-------------------------------------
Release Notes:
https://github.com/Exiv2/exiv2/issues/2813
This release also fixes [CVE-2023-44398](https://github.com/Exiv2/exiv2/security/advisories/GHSA-hrw9-ggg3-3r4r),
an out-of-bounds write in `BmffImage::brotliUncompress`. The vulnerability is in new code that was added in
version 0.28.0, so earlier versions of Exiv2 are not affected.
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 3a9fc5ba68)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Update status for:
CVE-2016-7534, CVE-2016-7535, CVE-2016-7536, CVE-2016-7537, CVE-2016-7538, CVE-2017-5506, CVE-2017-5509, CVE-2017-5510, CVE-2017-5511, CVE-2007-1667
CPE is incorrect, the current version (7.1.1) is not affected.
Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9f2e9daef1)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
WARNING: tayga-0.9.2-r0 do_package_qa: QA Issue: File /usr/sbin/.debug/tayga in package tayga-dbg contains reference to TMPDIR [buildpaths]
Make sure that the OE provided CFLAGS are passed to the compiler.
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d1bf2db7cc)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
gcab-src has some meson generated files which embed
absolute paths from build environment. meson seems
ot do this on purpose to fix other issues.
Ignored those issues for now.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit db91757e7b)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Test binaries are embeddding build paths and can't easily
figure out why. Thus ignore the errors in these binaries
for now.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e77f9f2feb)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* crypto: use _Generic only if !defined(__cplusplus)
* fixes build with gcc-14 which has __builtin_addc and __builtin_subc
with gcc-13 it was already using the #else branch because of missing builtins
* fixes
https://github.com/grpc/grpc/issues/35945http://errors.yoctoproject.org/Errors/Details/766916/
* _Generic was introduced in boringssl with:
https://boringssl.googlesource.com/boringssl/+/70ca6bc24be103dabd68e448cd3af29b929b771d%5E%21/#F4
* but e.g. third_party/boringssl-with-bazel/src/ssl/d1_both.cc includes
this internal.h and from the .cc extension gcc will process it as C++
where _Generic isn't available, causing:
In file included from third_party/boringssl-with-bazel/src/ssl/d1_both.cc:125:
third_party/boringssl-with-bazel/src/ssl/../crypto/internal.h: In function 'uint32_t CRYPTO_addc_u32(uint32_t, uint32_t, uint32_t, uint32_t*)':
third_party/boringssl-with-bazel/src/ssl/../crypto/internal.h:1159:7: error: expected primary-expression before 'unsigned'
1159 | unsigned: __builtin_addc, \
| ^~~~~~~~
third_party/boringssl-with-bazel/src/ssl/../crypto/internal.h:1166:10: note: in expansion of macro 'CRYPTO_GENERIC_ADDC'
1166 | return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry);
| ^~~~~~~~~~~~~~~~~~~
third_party/boringssl-with-bazel/src/ssl/../crypto/internal.h:1160:7: error: expected primary-expression before 'unsigned'
1160 | unsigned long: __builtin_addcl, \
| ^~~~~~~~
third_party/boringssl-with-bazel/src/ssl/../crypto/internal.h:1166:10: note: in expansion of macro 'CRYPTO_GENERIC_ADDC'
1166 | return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry);
| ^~~~~~~~~~~~~~~~~~~
third_party/boringssl-with-bazel/src/ssl/../crypto/internal.h:1161:7: error: expected primary-expression before 'unsigned'
1161 | unsigned long long: __builtin_addcll))((x), (y), (carry), (out_carry))
| ^~~~~~~~
third_party/boringssl-with-bazel/src/ssl/../crypto/internal.h:1166:10: note: in expansion of macro 'CRYPTO_GENERIC_ADDC'
1166 | return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry);
| ^~~~~~~~~~~~~~~~~~~
third_party/boringssl-with-bazel/src/ssl/../crypto/internal.h:1158:4: error: '_Generic' was not declared in this scope
1158 | (_Generic((x), \
| ^~~~~~~~
third_party/boringssl-with-bazel/src/ssl/../crypto/internal.h:1166:10: note: in expansion of macro 'CRYPTO_GENERIC_ADDC'
1166 | return CRYPTO_GENERIC_ADDC(x, y, carry, out_carry);
| ^~~~~~~~~~~~~~~~~~~
(cherry picked from commit 5778e32eae)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Release notes:
https://github.com/HDFGroup/hdf5/blob/hdf5_1.14.4.3/release_docs/RELEASE.txt
License update: link update
from https://raw.githubusercontent.com/hdfgroup/hdf5/develop/COPYING_LBNL_HDF5
to https://raw.githubusercontent.com/hdfgroup/hdf5/hdf5_1_14/COPYING_LBNL_HDF5.
Upstream has only Released tar file extension is .gz so
SRC_URI tar file extension changed from .bz2 to .gz
Fixes
File /usr/lib/libhdf5.settings in package hdf5 contains reference to TMPDIR
File /usr/src/debug/hdf5/1.14.4-3/src/H5build_settings.c in package
hdf5-src contains reference to TMPDIR [buildpaths]
- Running H5make_libsettings is no longer required for cross-compiling
The functionality of H5make_libsettings is now handled via template files,
so H5make_libsettings has been removed.
- Running H5detect is no longer required for cross-compiling
The functionality of H5detect is now exercised at library startup,
so H5detect has been removed
Rework the patch 0001-cmake-remove-build-flags.patch to fix the build path
issue.
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Currently, any non-native recipes that inherits cpan-base ends up
with an image RDEPENDS on perl (via
https://git.yoctoproject.org/poky/tree/meta/classes-recipe/cpan-base.bbclass?h=scarthgap#n14)
If you are building an image and desire to have Postgresql installed
but NOT perl, this creates a problem. This changeset attempts
to fix this shortcoming by not inheriting cpan-base directly.
Note this work is a continuation of attempts to change cpan-base:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=15563
The Postgresql build system uses perl, so add it as a DEPENDS. This
happened previously via the "inherit cpan-base" directive.
I've validated this recipe successfully packages with and without
the perl PACKAGECONFIG in Scarthgap.
Signed-off-by: Barry Grussling <mr.scada@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f311f1f01c)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
==========
- Fixed typo 'marking' instead of 'marketing' in case-insensitive mailbox name list.
- When DNS-based deliverability checks fail, in some cases exceptions are now
thrown with raise ... from for better nested exception tracking.
- Fixed tests to work when no local resolver can be configured.
- This project is now licensed under the Unlicense (instead of CC0).
- Minor improvements to tests.
- Minor improvements to code style.
License-Update: Relicense under the Unlicense (instead of CC0)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0dd1264a94)
Signed-off-by: Richard Leitner <dev@g0hl1n.net>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Graphviz 2.36 before 10.0.0 has an out-of-bounds read via a
crafted config6a file. NOTE: exploitability may be uncommon
because this file is typically owned by root.
CVE-2023-46045-0003.patch is the CVE fix and CVE-2023-46045-0001.patch,
CVE-2023-46045-0002.patch are dependent commits to fix the CVE.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-46045
Upstream patches:
361f274ca93f31704cafa95f977f5d
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Our python3-protobuf is installed in standard site-packages location,
there's no need for an extra .pth file. So this .pth is useless.
What's worse, this .pth file is problematic for python 3.12 ptest. It will
cause the following test case to hang forever:
test.test__xxsubinterpreters.CreateTests.test_in_thread
I've filed an issue[1] for cpython. Until the problem is resolved there,
we should avoid packaging this .pth file.
In fact, Debian also removes this file in the rules file, though their reason
for removal is likely that the file is useless.
rules: find $(CURDIR)/debian/python3-protobuf -name 'protobuf-*-nspkg.pth' -delete
Some more information below, just for better tracking:
1. That .pth file is way too complicated according to .pth design[2].
2. The subinterpreter is not offically part of python, at least for 3.12. The PEP[3][4]
has not been accepted. The test__xxsubinterpreter is a preparation for it.
[1] https://github.com/python/cpython/issues/122220
[2] https://docs.python.org/3/library/site.html
[3] https://peps.python.org/pep-0554/
[4] https://peps.python.org/pep-0554/
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
