Handles CVE-2024-50602, CVE-2024-11168 and CVE-2024-9287.
(From OE-Core rev: 5a611fbbdb3e373d379f922ffc5606ff70279831)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame
function within libavcodec/rkmppdec.c.
(From OE-Core rev: bc73c3ef68826ffbb6de960b7bfa4b784e289ea8)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options
function of sbgdec.c within the libavformat module. When parsing certain options,
the software does not adequately validate the input. This allows for negative
duration values to be accepted without proper bounds checking.
(From OE-Core rev: 9acfc54b2707bf04922f153d06ae27ff552fbe23)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The patches are copied from xserver-xorg recipe.
The CVES are reported for both and patched apply on both.
(From OE-Core rev: cdcb9957a6fe1629dc3230fcdfd09322877d4038)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These CVEs are patched in gstreamer1.0-plugins-bad.
CPE for gstreamer-plugins-bad mostly hits original gstreamer recipe.
(From OE-Core rev: a2339d124c2561bf157f3e14af0b3152d257d937)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport fix from upstream.
There was style refactoring done in the code meanwhile, so the patch mas
assembled manually by applying each change on 4.3.0 sources.
(From OE-Core rev: fda622289ef26fac38e7dc41e6f0c9d7c866f06e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These are currently tested on the autobuilder for Kirkstone.
(From meta-yocto rev: f9d0be9bb3c447cad6292434b803c317c9efac53)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
To avoid errors from eudev/udev we need an sgx group, but if we add it
via groupadd that causes shadow login to be brought into an image, which
causes images which have CONFIG_MULTIUSER unset to fail with `setgid:
Function not implemented` as shadow's login doesn't implement the
heuristics which busybox has to handle this kernel configuration.
(From OE-Core rev: a20b02fdfe64c005f7587a1d9077bdc282f7b6b1)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a1c81ac4a869cc57394071ace2ca086eb8ac47a4)
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The wheel group is not declared while it can be used to access the systemd
journal and to configure printers in CUPS. It can also be used for su and sudo
permissions.
So far it was created later in the rootfs postcommand systemd_create_users.
(From OE-Core rev: 4cafad1a0ef5506151656fd644dcdf3193245173)
Signed-off-by: Louis Rannou <lrannou@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bebe52ae9576393ebb9d7405fc77fba21e84ba5b)
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The two patches to disable use of debconf and generation of
documentation have been merged upstream.
(From OE-Core rev: f68617115d3518368db16bc16bcf4578619999fe)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit aca8844d7c05b4ba937625e59275d3f7953d3da7)
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Add a patch to allow the use of debconf to be disabled.
* Replace 0007-Disable-generation-of-the-documentation.patch with a new
patch to disable the generation of the documentation using a
configuration option.
* Replace 0006-Disable-shell-for-default-users.patch with a sed
expression that uses a variable, NOLOGIN, to specify what command to
use for users that are not expected to login. This allows to use some
other command than "nologin", e.g., "false". Also, by using
${base_sbindir}, it adheres to usrmerge being configured.
(From OE-Core rev: 65f01b1e94d956c5591850deb6abc469e05138eb)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e7abf63cc8bdc61c8d978b3c21a38e17716fc292)
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The pipes library is deprecated in Python 3.11 and will be removed in
Python 3.13. pipes.quote is just an import of shlex.quote anyway.
(From OE-Core rev: d167661bceebebafb04dca3bf6a888003f46e6c9)
Signed-off-by: Ernst Persson <ernst.persson@non.se.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Insufficient validation of filenames against control characters in
Apache Subversion repositories served via mod_dav_svn allows
authenticated users with commit access to commit a corrupted revision,
leading to disruption for users of the repository. All versions of
Subversion up to and including Subversion 1.14.4 are affected if serving
repositories via mod_dav_svn. Users are recommended to upgrade to
version 1.14.5, which fixes this issue. Repositories served via other
access methods are not affected.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-46901
Upstream patches:
https://subversion.apache.org/security/CVE-2024-46901-advisory.txt
(From OE-Core rev: 2082038de00090e4b10a151068876f83c83f94c7)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
After much debugging, the corruption issues on the autobuilder appear to
be due to the way sqlite accesses database files. It doesn't change the
file timestamp after making changes, which for reasons unknown, confuses
NFS. As soon as the file is touched, NFS becomes fine again accross the
whole cluster, as if by magic.
We could try and debug further but putting a "touch" call into the code
is easy and harmless. Lets hope this removes this annoying source of
errors.
(From OE-Core rev: c73af2d77f4c3eb474237fa8d5e340be4aefeb67)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
To match the list in meta-poky/conf/distro/poky.conf.
(From yocto-docs rev: 802677ea3ef7b6c1ed43c71f7f33489288c0735a)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is a requirement for building the documentation, otherwise we get
(on Ubuntu 24.04):
File "/usr/lib/python3.12/locale.py", line 615, in setlocale
return _setlocale(category, locale)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
locale.Error: unsupported locale setting
(From yocto-docs rev: cecf8bc678756790e9164000769e798be30d9d46)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 0943a7b67ef0012b5d9badc15e0c579dbb9014ae)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We used to have packages here and there in system-requirements.rst for
each distro. Instead, gather all the dependencies in poky.yaml.in so we
have an overview of what we provide for each distro.
Use yaml ">" to list the dependencies in alphabetical order, one entry
per line, which makes them easier to read and compare among distros.
Rename UBUNTU_… variables to UBUNTU_DEBIAN_…, since these are used for
both distros.
(From yocto-docs rev: 580b410c535f3b24f901cdbf011bf817038ba4c3)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 1ed6118b7cf1b5dcbfca753c83fa30fb97bf44ad)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Modify locale installation method to be standard accross all debian-based distributions.
Pre-existing method is available only on Ubuntu, locale-gen tool has no parameter in Debian.
(From yocto-docs rev: 057f2fbce22fc020bef7d432275e28227895e022)
Signed-off-by: Guénaël Muller <guenael.muller@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Reviewed-by: Antonin Godard <antonin.godard@bootlin.com>
Tested-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 30002019198a168e48537407bb928facb26af82a)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There was a report that enabling assertions and all tests results in
notices in log.do_configure:
NOTE: building with unit tests increases the size of the installed library and renders it insecure.
NOTE: building with assertions increases library size and decreases performance.
This was overlooked when dbus and dbus-tests recipes were merged;
enabling all tests and assertions still requires a special, separate
build of dbus. If those tests are useful this could be revisited.
Until then, we should use productions settings for the main recipe.
Buildhistory-diff:
packages/core2-64-poky-linux/dbus/dbus-dbg: PKGSIZE changed from 9958176 to 8627824 (-13%)
packages/core2-64-poky-linux/dbus/dbus-lib: PKGSIZE changed from 544347 to 346339 (-36%)
packages/core2-64-poky-linux/dbus/dbus-ptest: PKGSIZE changed from 3524983 to 3116951 (-12%)
packages/core2-64-poky-linux/dbus/dbus-ptest: FILELIST: removed "/usr/share/installed-tests/dbus/test-dbus-launch-eval.sh_with_config.test /usr/share/installed-tests/dbus/test-counter_with_config.test /usr/libexec/installed-tests/dbus/test-dbus-launch-eval.sh /usr/libexec/installed-tests/dbus/test-dbus-launch-x11.sh /usr/share/installed-tests/dbus/test-counter.test /usr/libexec/installed-tests/dbus/test-counter /usr/share/installed-tests/dbus/test-dbus-launch-x11.sh.test /usr/share/installed-tests/dbus/test-dbus-launch-x11.sh_with_config.test /usr/share/installed-tests/dbus/test-dbus-launch-eval.sh.test"
packages/core2-64-poky-linux/dbus/dbus: PKGSIZE changed from 510939 to 350331 (-31%)
(From OE-Core rev: 054ce01ae84eb10e055a41ec8dd85ebce9ea23c8)
(From OE-Core rev: b132b817f5931b290e5348dd4a17fbfdc5c6e2c4)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Newer compilers end up with errors while compiling these test snippets
and build results in failures.
(From OE-Core rev: 61bd7eccd8e305e2dd95f0b0b86b09d72e99fc1a)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If user namespaces are not available (typically because AppArmor is
blocking them), alert the user.
We consider network isolation sufficiently important that this is a fatal
error, and the user will need to configure AppArmor to allow bitbake to
create a user namespace.
[ YOCTO #15592 ]
(From OE-Core rev: a069b9f9ee6708022e12970d53262d966ee806ba)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b6af956fe6e876957a49d4abf425e8c789bf0459)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
opkg stores the current time as Installed-Time in its status file when
installing packages to the rootfs. Make this reproducible by replacing
Installed-Time with ${REPRODUCIBLE_TIMESTAMP_ROOTFS}, which then also
matches the files' datestamps.
Based on OpenWrt's approach for the issue [1].
[1] https://github.com/openwrt/openwrt/blob/main/include/rootfs.mk#L103
(From OE-Core rev: 61a9b1b1cb618ce90ba7886036f41263075c07df)
(From OE-Core rev: bfa9c2f15ac275fceccf22084bed9a064304eb6e)
Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Requests is a HTTP library. Prior to 2.32.0, when making requests
through a Requests `Session`, if the first request is made with
`verify=False` to disable cert verification, all subsequent requests to
the same host will continue to ignore cert verification regardless of
changes to the value of `verify`. This behavior will continue for the
lifecycle of the connection in the connection pool. This vulnerability
is fixed in 2.32.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-35195
Upstream patches:
https://github.com/psf/requests/commit/a58d7f2ffb4d00b46dca2d70a3932a0b37e22fac
(From OE-Core rev: 8bc8d316a6e8ac08b4eb2b9e2ec30b1f2309c31c)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This was fixed in 2.0.14, but NVD DB lists > 2.0.20 causing
false positives in CVE metrics.
NVD entries [1] and [2] list commit [3] which redirects to commit [4].
Also Debian 10 uses this commit, while Debian 11 with 2.0.14 does not
patch it and claims it's fixed.
Trying to apply the patch shows it's already applied.
Following shows git history of this commit wrt tags.
SDL$ git describe a7ff6e96155f550a5597621ebeddd03c98aa9294 --tags
release-2.0.12-305-ga7ff6e961
SDL$ git describe release-2.0.14 --tags --match=release-2.0.12
release-2.0.12-873-g4cd981609
SDL$ git describe release-2.0.20 --tags --match=release-2.0.12
release-2.0.12-3126-gb424665e0
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14409
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-14410
[3] https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
[4] https://github.com/libsdl-org/SDL/commit/a7ff6e96155f550a5597621ebeddd03c98aa9294
(From OE-Core rev: 3079d562b4df69ab0ac20ec8d13a4240ce0a3514)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The previous bin_package description was confusing: it would instruct to
use the git fetcher to extract the content of an RPM package using the
`subpath` option - but that's not possible as the git fetcher can be
used to clone a repository but not to do the extraction.
Update the description by telling what it really does and what it
doesn't do, and by giving an HTTPS+RPM example.
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: e201ee883c152555ef4c9bd3fa31c3eb96f6dc2f)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 305f024bf99ba02b153eed0cebe3d36594868497)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We try to limit our usage of these admonitions to `note` and `warning`,
as the Sphinx documentation warns that most themes only style these two
admonitions. So add a section on that.
Suggested-by: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: 41788e6d230cfb49fadae58ab9651d57cc26f857)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit f86ffa1b1dcf0665c17424eee87b6bead09960f6)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Having all oe-selftest results on top of each other results in a large 640MB
json file which is hard to use. Split the results out per machine and test type.
This also stops the toolchain raw logs from overwriting each other meaning more
than one MACHINE is preserved.
(From OE-Core rev: e42b6a40a3a01e328966bb5ee1bb3e0993975b15)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4b890f04bc7d147b4a11b824a84f3d2abd75ac54)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The duration values have pointless amounts of precision. Removing some of the
least significant digits reduces result size and makes the results easier to read.
(From OE-Core rev: 4ec9bb7e1a02de8223fb7485fc47cb43ad19093c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a789a2e6d97bb8efd663226a17db8d1ca6c1e40f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We've improved the data stored for reproduicible builds. Teach resulttool how
to apply those cleanups when reprocessing data so we can reduce results file
sizes and make the data easier to process.
(From OE-Core rev: cf1b4eb85ca3cb62c9746c6dc8f6dc9c4802c142)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b799c57ae6d61c1b1c7035c8a2c4ba6ee08d1a81)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Improve the rawlogs handling to include ltp logs as well as the ptest ones to
reduce the size of the results git repos.
(From OE-Core rev: 0309366b04dd2d0819c4af409269995c08c7abb3)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a0a1954d559609c2c1ca16936d0d68eb3c4c6b45)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Storing the log files inside the testresults git repo isn't scaling and isn't
really appropriate use of a git repository. Allow these to be optionally stored
in a separate filesystem location so the git repo can remain managable.
(From OE-Core rev: 1084e88534f7a1341249ab453b82a35f0cddba87)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1afc0f3d7e93fa8496be241e9622d3b9a6904bd5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When using store mode, --all was broken as not all files were being preserved.
Fix this by limiting the scope of the git rm command.
(From OE-Core rev: 25173a06c4c1b4c6f1f8cdfe49f0b600cd3efd65)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9604561d2022b6c76b1cb4186d40800d1affdd2b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Tweak the gitarchive exclude handling not to error if excluded files
don't match.
Also return the tagname created so that other code can then use it.
(From OE-Core rev: 2df9c2248ac4996ad1fd1fe9f492eb2d71b758cb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1adba3430faffdf6217b6a00533a3b48a9388abc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Vijay Anusuri
Mikko Rapeli
Peter Marko
Archana Polampalli
Rohini Sangam
aszh07
Antonin Godard
Alex Kiernan
Alexandre Belloni
Louis Rannou
Peter Kjellerstedt
Ernst Persson
Jiaying Song
Yogita Urade
Richard Purdie
Guénaël Muller
Alexander Kanavin
Khem Raj
Ross Burton
Divya Chellam
Lee Chee Yang