This release fixes the following CVEs:
- CVE-2023-43788
- CVE-2023-43789
(From OE-Core rev: b4596281de1f96fdf6533ab4caa957f1eaeff756)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 46dd8ce41756dbc2aa0f9001416f208cced1c8d5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This incorporates fixes for the following CVEs:
- CVE-2023-43785
- CVE-2023-43786
- CVE-2023-43787
(From OE-Core rev: 79f9c062df37ca15649d41bb6501e6fab2d73114)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a1534bb34b680bfc5cb2f35b5fd5a0c2afed6368)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
1.26.17 (2023-10-02)
Added the Cookie header to the list of headers to strip from requests
when redirecting to a different host. As before, different headers can
be set via Retry.remove_headers_on_redirect. (CVE-2023-43804)
1.26.16 (2023-05-23)
Fixed thread-safety issue where accessing a PoolManager with many
distinct origins would cause connection pools to be closed while
requests are in progress (#2954)
(From OE-Core rev: 7466db00ca2f884cf58504c3910b858a87f33128)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This allows building detailed vulnerability analysis tools without
relying on external resources.
(From OE-Core rev: 587ae7bc85fc471d927308d866821d463799023d)
Signed-off-by: Antoine Lubineau <antoine.lubineau@easymile.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 048ff0ad927f4d37cc5547ebeba9e0c221687ea6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: 7300254fdb6659c0a7462c64133f893d1a152850)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The previous CVE-2023-30630_1.patch picked only the patch
"dmidecode: Write the whole dump file at once" d8cfbc808f.
But there was a refactoring which does not allow to cherry-pick it fast
forward. Resolving this conflict was not correctly done. The patch was:
+ u32 len;
+ u8 *table;
...
- if (!(opt.flags & FLAG_QUIET))
- pr_comment("Writing %d bytes to %s.", crafted[0x05],
- opt.dumpfile);
- write_dump(0, crafted[0x05], crafted, opt.dumpfile, 1);
+ dmi_table_dump(crafted, crafted[0x05], table, len);
It looks like the variables len and table have been added without
initialization.
Now this problem is solved by applying the previous refactoring as
well. Patch 1 gets replaced by Patch 1a and Patch 1b. Patch 2..4 are
rebased without changes.
This is basically the same patch as in kirkstone:
ea069a94a2 dmidecode: fixup for CVE-2023-30630
(From OE-Core rev: 0bc69dc078c39381a39789d3c5fff673d7da994c)
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: a1138dfc1e9394966dcca8f6259767a8ce5ca4cb)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.
(From meta-yocto rev: c8f27eaa00fdd1a2594aaa70695373f608ff30bb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.
(Bitbake rev: 973aa73b9f1f542f4a636cf8eca733b4df5a778f)
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
TUI mode needs terminfo at runtime, which is required to be
explicitly stated in the respective PACKAGECONFIG variable.
Without this change /etc/terminfo/ might be missing, which
leads to a runtime error when trying to use tui, e.g.:
(gdb) tui enable
Cannot enable the TUI: error opening terminal [TERM=xterm-256color]
(From OE-Core rev: 266944eb216912b7b2a935360aa51cd79847a071)
Signed-off-by: Stefan Tauner <stefan.tauner@artech.at>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5f17bc03a0c2d894e43c3c835fa38a24b1d5df64)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
assertTrue is a problematic call use in test cases since when it fails,
you just get an unhelpful "False is not True" message.
Replace some uses with assertIn/assertNotIn which will give more helpful results
and for the rest, add msg entries which given more helpful debugging.
For example, this patch would help debugging of #15176.
(From OE-Core rev: 52a2455ba7d91d404fc2c4568c805cf1fbe2b2ad)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 35d4c39e0df1a304f557471151a03d1e4b0f30c7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The soup.cross file is only created when building for target so only
tell meson to read it when it exists. This allows libsoup-2.4-native to
be built again.
(From OE-Core rev: d52003dd13cb17e32ccfa717f8462c8301334dd1)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4acbd2269931b500846d56885c3304d244e514f8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Piping results through sed may mask failures that sed isn't catching.
(From OE-Core rev: 687989f2ee2204643157e04a976d3310018a3bb3)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2b1b0e9e4d5011e7c2fd1b59fc277a7cfdc41194)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This brings them from 15 minutes to just over 4.
(From OE-Core rev: 3cd99ff32da3bb85d7ee278fec69504a12c1f715)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9eeee78aa94aaa441da012aeb904a0f1cbcd4d91)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
strace is one of the slowest tests otherwise (can take 40 minutes or more),
and this brings it to under 10 minutes \0/
(From OE-Core rev: 30b6692ef4a12958419c94b96e3fc5a50e8a7ad6)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0c632b418a785494318d9f375a07d879772e8ced)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
I'm not sure if this was reported correctly before, but it
currently is not. Test that is stuck is an error in itself.
(From OE-Core rev: f2989e8f87b8793b03fe13254f8214e495008527)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 002e27c9932a83e46be0b03a5232594cfba7212c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Don't ignore return values from the git command lines. If something goes
wrong, fail the test right away.
(From OE-Core rev: 776053f4af19e9c2de7ce725e6ec94312028fa7f)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dfc178a70d6fa60e89d4716f05d68e2c72c6ecd3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Use correct HTTPService parameters like apt.py when setting up the repo
server. These work with qemu tun and slirp networking. Fixes test
failure with slirp networking when executing testimage.bbclass
selftests "oe-selftest -r runtime_test.TestImage".
(From OE-Core rev: 68f0100b779bac1788818320f8aa64d79e3db3c2)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
(cherry picked from commit 764424df2f4b6bf0e89fb20b4253a7601468f70d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The udev rule has been removed but the comment has kept, by
mistake. Remove it.
Fixes: dd83fb40f7 ("weston-init: Stop running weston as root")
Tested-by: Tom Hochstein <tom.hochstein@nxp.com>
(From OE-Core rev: 35367d029fedc78724396d94abd899e4bd8bef0c)
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8aa3d43fa1c53cdce45ec88a49f27b076d3812ac)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
qemu itself is not helpful when render nodes exist, but can't be opened:
qemu-system-x86_64: egl: render node init failed
To fix this, users likely need to
* modprobe vgem (presence when physical graphic card is absent or has a driver without
support for render nodes, such as many older cards found in server machines)
* add their user to "render" group to write to /dev/dri/renderD* (permissions)
With this change runqemu should print hints for the above as appropriate from probing the nodes.
(From OE-Core rev: 12ae43abbc4e7d6184198a912487ace3a4e66e50)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit acd85925cb197b7a31a25b60e8de762e2c3697ef)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Services which broadcast an invalid service type will cause the browse
to fail. Instead of failing, replace the service type and continue.
(From OE-Core rev: 273aed0462728508506a4c65d367d583a86a54c3)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e581da6c4db21312833395e96b48e868a202f0f9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Running either of these ends up corrupting the os.execv args.
If we run:
./scripts/nativesdk-intercept/chown -R foo:foo bar
The loop here ends up missing the conversion of foo:foo to root:root because
it sees sys.argv[0] and assumes that it's the user:group argument and that we
should convert that. We end up a os.execv(path, args) that have the following
args:
['root:root', '-R', 'foo:foo', 'bar']
As os.execv ignores args[0], we can just populate it with sys.argv[0] and then
loop through sys.argv[1:]. As both chgrp and chown would have either flags and
USER[:GROUP] next, this fixes the issue.
(From OE-Core rev: e27982afaed33e5823962f7fefe6f709c10e9107)
Signed-off-by: Eilís 'pidge' Ní Fhlannagáin <pidge@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2a75f647ec7696d353f4b09099d777ba53f34d36)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This includes CVE fix for CVE-2023-5441.
(From OE-Core rev: 7166f503211c39542d828aa3fef5006dccf2c07a)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Support stop/parity bits on serial port
* Add needed system headers in checks and return values for implicit function declarations
* Fixes:
- Avoid zombies after shell exit
- Missed signal sending permission check on failed query messages (CVE-2023-24626)
- manpage fixes
- source code fixes during cleanup
- UTF-8 encoding can emit invalid UTF-8 sequences for out of range unicode values
Remove patches; they are merged upstream or backported.
(From OE-Core rev: 224f1929b92b38993e5f50100ce6306f63ee8ade)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2566f8e51d56848d8b28f37462160e90253b79fc)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changelog:
==========
wireless-regdb: update regulatory database based on preceding changes
wireless-regdb: Update regulatory rules for Australia (AU) for June 2023
wireless-regdb: Update regulatory info for Türkiye (TR)
wireless-regdb: Update regulatory rules for Egypt (EG) from March 2022 guidel...
wireless-regdb: Update regulatory rules for Philippines (PH)
(From OE-Core rev: c1ae47b562460e82d94a94a2009c4cb50aa1daa9)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2f5edb6904bf16a9c52a9b124aeb5297487cd716)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changelog:
===========
• Avoid a dbus-daemon crash if re-creating a connection's policy fails.
• If getting the groups from a user ID fails, report the error correctly,
instead of logging "(null)"
• Return the primary group ID in GetConnectionCredentials()' UnixGroupIDs
field for processes with a valid-but-empty supplementary group list
(From OE-Core rev: 67ddf87d3286007a68071685d28a8f9e1ce7f3fa)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit aeabd6dd4e65e5cc31f4c2acc5cc46ea03737bed)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the Curl package. This flaw allows an attacker to insert
cookies into a running program using libcurl if the specific series of conditions are met.
(From OE-Core rev: a6c5931192a1315cfc5f708585d22bc7bed9f7fd)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.
(From OE-Core rev: 9b0867861a9c053f19bdb99bd6cba44ee5cb64e1)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The patch is copied from kirkstone. master has advanced
to ghostscript 10.02.0 which includes the fix.
(From OE-Core rev: 80a9b54ca94a9fe5818daa1cd03ae8035043e1e8)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Adds an additional note about some of the side effects that can occur if
recipes are not reproducible and hash equivalence is enabled.
(From yocto-docs rev: 968ac9807466df775f18fca050070170d3ed8585)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The proper way to inherit the testimage class is now
IMAGE_CLASSES += "testimage"
so change lines with 'INHERIT += "testimage"' to match. This makes the
dev-manual consistent with the migration guide, which already specifies
that the old way causes an error.
(From yocto-docs rev: 4d660551a6547ffe216e53402759baef424c4da2)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Explicitly disable the tests and vapi support instead of relying on
defaults and missing dependencies.
(From OE-Core rev: c451a9cb6adbc9480dacd81e935a0b9369f22e07)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 575e2e29e00bb4492e7ee7f10b753e3f17982caa)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A dependency on coreutils was added to busybox-ptest in oe-core 658c5ed
to fix a test failure.
The failure is because one of the start-stop-daemon tests is known to
fail if /bin/false is busybox. Instead of failing, we can check if
/bin/false is a symlink to busybox and skip the test if so.
[ YOCTO #15068 ]
(From OE-Core rev: 12fc32351ff6e42d0b5f9ce679793a8875d3447a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 37482e404cf4dcf9360c29986ced8db78baf249b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
It's not a warning but a handled case and layer gets added
automatically. Very few build configs have this layer enabled
by default.
(From OE-Core rev: 70d2ceea48ef6ec04675e4e6a9c48ebc5bb78f52)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
(cherry picked from commit 9a2493ea83f0b30578a819de05108502aaadc7f5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
wayland-utils has optional libdrm support, so add a PACKAGECONFIG and
enable it.
(From OE-Core rev: 0ba10930f73e4b0c2896afd326229fc6ae460f51)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c6c488c259d1f38a05a71e576ca2f32d412413f1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add explicit PACKAGECONFIGs for brotli,ntlm, and sysprof.
libsoup needs to be told where ntlm_auth will be on the target, so write
a cross file to do so.
(From OE-Core rev: c78a34caf466524356572b8cdd2ada615081bfc2)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 54b6ea078daeb58a3bb20bb4275d1140640a77d2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pango has had an explicit option since 1.46.2
(From OE-Core rev: dc939fbc70c124a515b882b3425d7810be0c6748)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 42755f135d2d015e564d783996fbb3ef860f2bf7)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Bruce Ashfield
Ross Burton
Lee Chee Yang
Antoine Lubineau
Sean Nyekjaer
Richard Purdie
Marta Rybczynska
Stefan Tauner
Peter Kjellerstedt
Alexander Kanavin
Mikko Rapeli
Khem Raj
Otavio Salvador
Eilís 'pidge' Ní Fhlannagáin
Siddharth Doshi
Wang Mingyu
Archana Polampalli
Joe Slater
Yogita Urade
Joshua Watt
Trevor Gamblin
Michael Opdenacker
Emil Kronborg Andersen