[OE-core] [PATCH] sysklogd: fix parallel build problem

2020-01-16 Thread changqing.li
From: Changqing Li 

Parallel compile may fail with error:
error: ../lib/strlcat.o: No such file or directory
Makefile:619: recipe for target 'syslogd' failed

Remove the previous patch and backport the latest fix
for this problem.

Signed-off-by: Changqing Li 
---
 ...pat-to-simplify-build-deps-and-really-fix.patch | 127 +
 ...arallel-build-problem-reported-by-Gentoo-.patch |  47 
 meta/recipes-extended/sysklogd/sysklogd.inc|   2 +-
 3 files changed, 128 insertions(+), 48 deletions(-)
 create mode 100644 
meta/recipes-extended/sysklogd/files/0001-Drop-libcompat-to-simplify-build-deps-and-really-fix.patch
 delete mode 100644 
meta/recipes-extended/sysklogd/files/0001-Fix-nasty-parallel-build-problem-reported-by-Gentoo-.patch

diff --git 
a/meta/recipes-extended/sysklogd/files/0001-Drop-libcompat-to-simplify-build-deps-and-really-fix.patch
 
b/meta/recipes-extended/sysklogd/files/0001-Drop-libcompat-to-simplify-build-deps-and-really-fix.patch
new file mode 100644
index 000..9ba7ecc
--- /dev/null
+++ 
b/meta/recipes-extended/sysklogd/files/0001-Drop-libcompat-to-simplify-build-deps-and-really-fix.patch
@@ -0,0 +1,127 @@
+From 84d70e63fc105e3713943ed8c0bdd4e31a698226 Mon Sep 17
+00:00:00 2001 From: Joachim Nilsson  Date: Thu, 16 Jan
+2020 22:16:51 +0100 Subject: [PATCH] Drop libcompat to simplify build deps
+and really fix
+
+The original idea with libcompat was to keep as few objects as
+possible for linking with libsyslog.  That in turn to prevent
+a user of libsyslog from suddenly also getting strong binding
+to symbols like strlcpy() from libsyslog, rather than their C
+library of choice.
+
+However, this caused strlcpy.c to be built as both .o and .lo
+files, which in turn caused really bizarre build problems due
+to bad DAG dependency.
+
+This patch drops libcompat and instead marks all replacement APIs
+as weak symbols, which a C library can override.
+
+Signed-off-by: Joachim Nilsson 
+
+Upstream-Status: Backport
+[https://github.com/troglobit/sysklogd/commit/84d70e63fc105e3713943ed8c0bdd4e31a698226]
+
+Signed-off-by: Changqing Li 
+---
+ lib/pidfile.c   |  8 +++-
+ lib/utimensat.c | 10 --
+ src/Makefile.am |  7 +--
+ 3 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/lib/pidfile.c b/lib/pidfile.c
+index 81f2315..25b1c04 100644
+--- a/lib/pidfile.c
 b/lib/pidfile.c
+@@ -31,6 +31,9 @@
+  * POSSIBILITY OF SUCH DAMAGE.
+  */
+ 
++#include 
++#ifndef HAVE_PIDFILE
++
+ #define _GNU_SOURCE   /* Needed with GLIBC to get asprintf() */
+ #include  /* utimensat() */
+ #include  /* utimensat() on *BSD */
+@@ -54,7 +57,7 @@ const  char *__pidfile_path = RUNSTATEDIR;
+ const  char *__pidfile_name = NULL;
+ 
+ int
+-pidfile(const char *basename)
++__pidfile(const char *basename)
+ {
+   int save_errno;
+   int atexit_already;
+@@ -127,6 +130,9 @@ pidfile(const char *basename)
+   return (0);
+ }
+ 
++weak_alias(__pidfile, pidfile);
++#endif /* HAVE_PIDFILE */
++
+ static void
+ pidfile_cleanup(void)
+ {
+diff --git a/lib/utimensat.c b/lib/utimensat.c
+index edf7e10..b68ce0e 100644
+--- a/lib/utimensat.c
 b/lib/utimensat.c
+@@ -15,7 +15,8 @@
+  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+  */
+ 
+-#include "config.h"
++#include 
++#ifndef HAVE_UTIMENSAT
+ 
+ #include 
+ #ifdef HAVE_FCNTL_H
+@@ -23,7 +24,8 @@
+ #endif
+ #include  /* lutimes(), utimes(), utimensat() */
+ 
+-int utimensat(int dirfd, const char *pathname, const struct timespec ts[2], 
int flags)
++int
++__utimensat(int dirfd, const char *pathname, const struct timespec ts[2], int 
flags)
+ {
+   int ret = -1;
+   struct timeval tv[2];
+@@ -45,3 +47,7 @@ int utimensat(int dirfd, const char *pathname, const struct 
timespec ts[2], int
+ 
+   return ret;
+ }
++
++weak_alias(__utimensat, utimensat);
++
++#endif /* HAVE_UTIMENSAT */
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 6e2a51c..1db88d3 100644
+--- a/src/Makefile.am
 b/src/Makefile.am
+@@ -19,7 +19,6 @@
+ bin_PROGRAMS  =
+ sbin_PROGRAMS = syslogd
+ lib_LTLIBRARIES   = libsyslog.la
+-noinst_LTLIBRARIES= libcompat.la
+ 
+ if ENABLE_KLOGD
+ sbin_PROGRAMS+= klogd
+@@ -48,10 +47,6 @@ logger_CPPFLAGS   = $(AM_CPPFLAGS) -D_XOPEN_SOURCE=600
+ logger_LDADD  = $(LIBS) $(LIBOBJS)
+ logger_LDADD += libsyslog.la
+ 
+-# Convenience library for libsyslog instead of linking with $(LTLIBOBJS),
+-# which would pull in pidfile() and other (strong) symbols as well.
+-libcompat_la_SOURCES  = ../lib/strlcpy.c ../lib/strlcat.c
+-
+ pkgconfigdir  = $(libdir)/pkgconfig
+ pkgincludedir = $(includedir)/syslog
+ pkgconfig_DATA= libsyslog.pc
+@@ -59,4 +54,4 @@ pkginclude_HEADERS= syslog.h
+ libsyslog_la_SOURCES  = syslog.c syslog.h compat.h
+ libsyslog_la_CPPFLAGS = $(AM_CPPFLAGS) -D_XOPEN_SOURCE=600
+ libsyslog_la_LDFLAGS  = $(AM_LDFLAGS) -version-info 0:0:0
+-libsyslog_la_LIBADD   = 
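Review bot: the backported patch file is cut off in its final src/Makefile.am hunk: the `@@ -59,4 +54,4 @@` header promises a replacement for the removed `libsyslog_la_LIBADD =` line, but the posted text ends on that `-` line, so the patch as sent cannot apply; please resend with the complete 127-line file. In the lib/pidfile.c hunk, `#define _GNU_SOURCE /* Needed with GLIBC to get asprintf() */` now comes after the newly added `#include` of the config header; if that header (or anything it includes) pulls in a libc header first, `_GNU_SOURCE` is defined too late and the asprintf() prototype is lost, so consider moving the define above the new include.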

[OE-core] [PATCH] core: recipes: fix some native tools dependencies

2020-01-16 Thread Sumit Garg
Some native tools dependency issues were seen while building with
external GCC tool-set rather than source GCC tool-set. While building
with source tool-set these dependencies were implicitly met which is not
the case with external tool-set. So explicitly state these native tools
dependencies.

Signed-off-by: Sumit Garg 
---
 meta/classes/autotools.bbclass | 2 +-
 meta/recipes-extended/man-db/man-db_2.9.0.bb   | 2 +-
 meta/recipes-graphics/xorg-app/xorg-app-common.inc | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/classes/autotools.bbclass b/meta/classes/autotools.bbclass
index 3d22ad0..4c71be2 100644
--- a/meta/classes/autotools.bbclass
+++ b/meta/classes/autotools.bbclass
@@ -10,7 +10,7 @@ def autotools_dep_prepend(d):
 deps += 'autoconf-native automake-native '
 
 if not pn in ['libtool', 'libtool-native'] and not 
pn.endswith("libtool-cross"):
-deps += 'libtool-native '
+deps += 'libtool-native xz-native '
 if not bb.data.inherits_class('native', d) \
 and not bb.data.inherits_class('nativesdk', d) \
 and not bb.data.inherits_class('cross', d) \
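Review bot: `xz-native` is appended on the same line as `libtool-native`, so it inherits the `if not pn in ['libtool', 'libtool-native'] and not pn.endswith("libtool-cross")` guard and is never added for the libtool recipes themselves. If xz is needed by the autotools machinery rather than by libtool, append it to the unconditional `deps += 'autoconf-native automake-native '` line instead; the commit message should also say which tool actually invokes xz, since "implicitly met with source tool-set" does not identify it.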
diff --git a/meta/recipes-extended/man-db/man-db_2.9.0.bb 
b/meta/recipes-extended/man-db/man-db_2.9.0.bb
index 5b017e8..3cbb0de 100644
--- a/meta/recipes-extended/man-db/man-db_2.9.0.bb
+++ b/meta/recipes-extended/man-db/man-db_2.9.0.bb
@@ -10,7 +10,7 @@ SRC_URI = 
"${SAVANNAH_NONGNU_MIRROR}/man-db/man-db-${PV}.tar.xz \
 SRC_URI[md5sum] = "897576a19ecbef376a916485608cd790"
 SRC_URI[sha256sum] = 
"5d4aacd9e8876d6a3203a889860c3524c293c38f04111a3350deab8a6cd3e261"
 
-DEPENDS = "libpipeline gdbm groff-native base-passwd"
+DEPENDS = "libpipeline gdbm groff-native base-passwd flex-native"
 RDEPENDS_${PN} += "base-passwd"
 
 # | /usr/src/debug/man-db/2.8.0-r0/man-db-2.8.0/src/whatis.c:939: undefined 
reference to `_nl_msg_cat_cntr'
diff --git a/meta/recipes-graphics/xorg-app/xorg-app-common.inc 
b/meta/recipes-graphics/xorg-app/xorg-app-common.inc
index 101b3df..2938da0 100644
--- a/meta/recipes-graphics/xorg-app/xorg-app-common.inc
+++ b/meta/recipes-graphics/xorg-app/xorg-app-common.inc
@@ -3,7 +3,7 @@ HOMEPAGE = "http://www.x.org/;
 BUGTRACKER = "https://bugs.freedesktop.org;
 SECTION = "x11/apps"
 LICENSE = "MIT-X"
-DEPENDS = "util-macros-native virtual/libx11"
+DEPENDS = "util-macros-native virtual/libx11 gettext-native"
 
 # depends on virtual/libx11
 REQUIRED_DISTRO_FEATURES = "x11"
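Review bot: oe-core already has `gettext.bbclass` for this purpose: `inherit gettext` adds the appropriate gettext dependency for native, nativesdk and target recipes, whereas hardcoding `gettext-native` in DEPENDS here applies to every recipe that includes xorg-app-common.inc regardless of class. Prefer `inherit gettext` in this .inc, or state in the commit message why the direct native dependency is required.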
-- 
2.7.4

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [oe-core] attr dependency on linux-yocto

2020-01-16 Thread Vladimir Molokov
Hi,

Question about attr. I'm not familiar with it.

On a clean poky is it normal (not a bug?) to have deps such as

"attr.do_build" -> "linux-libc-headers.do_package_write_rpm"
"attr.do_build" -> "linux-yocto.do_deploy"
"attr.do_build" -> "linux-yocto.do_package_write_rpm"

How do they appear? I didn't find anything in attr which could be the cause.
It's just a clean poky from a repo, after . oe-init-build-env and
bitbake -g attr.
Appreciate any hints.

BR,
Vladimir.


Re: [OE-core] [PATCH 01/12] gstreamer: Add common .inc files for meson based recipes

2020-01-16 Thread Richard Purdie
On Sun, 2020-01-12 at 14:59 +0100, Carlos Rafael Giani wrote:
> * gstreamer1.0-plugins-common.inc
>   The old gstreamer1.0-plugins.inc file, adapted for meson
> * gstreamer1.0-plugins-packaging.inc
>   The old gst-plugins-package.inc file, adapted for meson
> * gstreamer1.0-ptest.inc
>   Common code for meson based PTest support; autogenerates the run-
> ptest
>   file and is designed to use the gnome-desktop-testing suite runner
>   (which is why the .inc files inherits from ptest-gnome)
> 
> Signed-off-by: Carlos Rafael Giani 
> ---
>  .../gstreamer/gstreamer1.0-plugins-common.inc | 47 +
>  .../gstreamer1.0-plugins-packaging.inc| 70
> +++
>  .../gstreamer/gstreamer1.0-ptest.inc  | 21 ++
>  3 files changed, 138 insertions(+)
>  create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-
> plugins-common.inc
>  create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-
> plugins-packaging.inc
>  create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-
> ptest.inc

FWIW I've merged this series with some of the fixes that were also
sent. I've done this on the basis that it's the correct direction we're
going and whilst there are some gremlins to sort out such as the issue
Ross mentions, some of the comments/options and so on, we may as well
move forward and we can fix those things as follow ups.

Thanks again for working on this, I know it's not a simple change!

Cheers,

Richard



Re: [OE-core] patchtest licensing

2020-01-16 Thread Paul Barker
On Thu, 16 Jan 2020 at 22:00, Richard Purdie
 wrote:
>
> On Thu, 2020-01-16 at 20:07 +, Paul Barker wrote:
> > Hey folks,
> >
> > I've started looking through patchtest & patchtest-oe in detail and
> > spotted that all the scripts, support code and test cases are
> > licensed
> > under GPLv2. Is that ok given that we plan to copy this into
> > openembedded-core (probably under meta/lib/oeqa)? Is there any
> > practical effect of this not being MIT licensed?
>
> We have a mix of MIT and GPL licensing already. As long as the scripts
> have a clear SPDX license identifier, I think we're fine. If not, we
> should add that in the existing repo before the move.

Ok cool. Converting the license headers to SPDX is already on my list.

Thanks,
Paul


Re: [OE-core] patchtest licensing

2020-01-16 Thread Richard Purdie
On Thu, 2020-01-16 at 20:07 +, Paul Barker wrote:
> Hey folks,
> 
> I've started looking through patchtest & patchtest-oe in detail and
> spotted that all the scripts, support code and test cases are
> licensed
> under GPLv2. Is that ok given that we plan to copy this into
> openembedded-core (probably under meta/lib/oeqa)? Is there any
> practical effect of this not being MIT licensed?

We have a mix of MIT and GPL licensing already. As long as the scripts
have a clear SPDX license identifier, I think we're fine. If not, we
should add that in the existing repo before the move.

Cheers,

Richard



Re: [OE-core] Looking for a way to build latest tagged releases in recipes

2020-01-16 Thread chris.laplante--- via Openembedded-core
> TODO:
> 
> * Right now, the class triggers a base environment change every time, which 
> means BitBake always reparses every recipe. I guess this
> is because I'm modifying the datastore when I get bb.event.ConfigParsed and 
> bb.event.MultiConfigParsed, in order to ensure
> REVRECORD_DATETIME is the same across all configurations when multiconfig is 
> active. Perhaps there is a more elegant way to do
> this that won't trigger the environment change? To be fair I think in most 
> cases you won't care, since I expect this class to mainly be
> used in a continuous integration environment where you'll be doing a clean 
> build and having to reparse everything anyway. But I
> could also see this class as a useful thing to always have enabled, even for 
> personal builds, and in that case obviously I'd want to fix
> this issue.
> * When multiconfig is active, I would also like a "global" revs.inc to be 
> generated, which is the product of aggregating the "revs.inc" for
> all the multiconfigs. Still need to think about how exactly this will work in 
> the face of conflicting SRCREVs.
> * We have a use case for JSON format data as well ("revs.json") - I'll add 
> that too.
> * Possibly a small tinfoil script that simply automates the task of 
> INHERIT'ing this class, parsing all the recipes, and then dumping
> revs.inc.

Cross the first TODO off the list: 
https://gist.github.com/mostthingsweb/39e24b329de70c0212e5bf21a431e143/8d1a5f51b3c0bf260c730ed5716d9807c78335b8

(BTW eventually I will move this to poky-contrib; gist is just more convenient 
for me for the short term. If there's a desire for it to happen sooner let me 
know.)

Chris


[OE-core] [PATCH] logrotate.py: improve oeqa test implementation

2020-01-16 Thread Trevor Gamblin
From: Trevor Gamblin 

See bug https://bugzilla.yoctoproject.org/show_bug.cgi?id=13632

Autobuilder tests occasionally fail, reporting that a new logfile
could not be created. While this failure did occur multiple times, it
could not be manually reproduced. However, there are issues with the
implementation of the logrotate.py script that can be fixed. These
changes will help make the failures clearer, should they continue to
occur.

Previously, the test_2_logrotate test would, after running the
logrotate tool, use "ls -al $HOME/logrotate_dir | wc -l" to count
the number of files in the rotation directory and determine if the
rotation was successful. The test to see if there are at least three
files is problematic, because depending on the version of ls used, it
may report the target value of 3 even when there are only hidden files
in the directory, potentially reporting a pass for the test when it
should actually fail. An example with coreutils:

root@qemux86-64:~# ls -al emptydir/
total 2
drwxr-xr-x 2 root root 1024 Jan 14 19:50 .
drwx-- 3 root root 1024 Jan 14 19:50 ..
root@qemux86-64:~#

Where "total" is the number of blocks used. Compare with busybox ls:

root@qemux86-64:~# ls -al emptydir/
drwxr-xr-x2 root root  1024 Jan 14 19:54 .
drwx--3 root root  1024 Jan 14 19:54 ..
root@qemux86-64:~#

Instead of using ls to verify that a certain number of files exists
in $HOME/logrotate_dir, the tests have been changed to rotate two
specific logs: the log for wtmp and a new logrotate_testfile created
during the second test. Both tests check that the logs are correctly
rotated into $HOME/logrotate_dir by using find and grep on the
expected filename (e.g. "wtmp" when rotated becomes "wtmp.1", so we
check to see that wtmp.1 is present in $HOME/logrotate_dir). In
addition, should the test fail, the directory listing is included in
the log to aid debugging.

Finally, note that while the autobuilder failures that this patch
addresses were only seen during core-image-full-cmdline tests, these
changes were successfully tested on core-image-minimal and
core-image-sato with the manual addition of logrotate and openssh-sshd
to the images.

Signed-off-by: Trevor Gamblin 
---
 meta/lib/oeqa/runtime/cases/logrotate.py | 57 ++--
 1 file changed, 44 insertions(+), 13 deletions(-)

diff --git a/meta/lib/oeqa/runtime/cases/logrotate.py 
b/meta/lib/oeqa/runtime/cases/logrotate.py
index bfa57c534a..44e32766c7 100644
--- a/meta/lib/oeqa/runtime/cases/logrotate.py
+++ b/meta/lib/oeqa/runtime/cases/logrotate.py
@@ -18,32 +18,63 @@ class LogrotateTest(OERuntimeTestCase):
 @classmethod
 def tearDownClass(cls):
 cls.tc.target.run('mv -f $HOME/wtmp.oeqabak /etc/logrotate.d/wtmp && 
rm -rf $HOME/logrotate_dir')
+cls.tc.target.run('rm -rf /var/log/logrotate_testfile && rm -rf 
/etc/logrotate.d/logrotate_testfile')
 
 @OETestDepends(['ssh.SSHTest.test_ssh'])
 @OEHasPackage(['logrotate'])
-def test_1_logrotate_setup(self):
+def test_logrotate_wtmp(self):
+
 status, output = self.target.run('mkdir $HOME/logrotate_dir')
 msg = 'Could not create logrotate_dir. Output: %s' % output
 self.assertEqual(status, 0, msg = msg)
 
-cmd = ('sed -i "s#wtmp {#wtmp {\\nolddir $HOME/logrotate_dir#"'
-   ' /etc/logrotate.d/wtmp')
-status, output = self.target.run(cmd)
-msg = ('Could not write to logrotate.d/wtmp file. Status and output: '
-   ' %s and %s' % (status, output))
+status, output = self.target.run('echo "create \n olddir 
$HOME/logrotate_dir \n include /etc/logrotate.d/wtmp" > 
/tmp/logrotate-test.conf')
+msg = ('Could not write to /tmp/logrotate-test.conf')
+self.assertEqual(status, 0, msg = msg)
+
+status, output = self.target.run('echo "/var/log/logrotate_test {\\n 
missingok \\n monthly \\n rotate 1" > /etc/logrotate.d/logrotate_test')
+msg = ('Could not write to /etc/logrotate.d/logrotate_test')
 self.assertEqual(status, 0, msg = msg)
 
-@OETestDepends(['logrotate.LogrotateTest.test_1_logrotate_setup'])
-def test_2_logrotate(self):
-status, output = self.target.run('echo "create \n include 
/etc/logrotate.d" > /tmp/logrotate-test.conf')
 status, output = self.target.run('logrotate -f 
/tmp/logrotate-test.conf')
-
 msg = ('logrotate service could not be reloaded. Status and output: '
 '%s and %s' % (status, output))
 self.assertEqual(status, 0, msg = msg)
 
-_, output = self.target.run('ls -la $HOME/logrotate_dir/ | wc -l')
+status, output = self.target.run('find $HOME/logrotate_dir -type f | 
grep wtmp.1')
 msg = ('new logfile could not be created. List of files within log '
'directory: %s' % (
-self.target.run('ls -la $HOME/logrotate_dir')[1]))
-self.assertTrue(int(output)>=3, msg = msg)
+ 
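Review bot: two problems in the new test_logrotate_wtmp: first, the config written by `echo "/var/log/logrotate_test {\\n missingok \\n monthly \\n rotate 1" > /etc/logrotate.d/logrotate_test` never closes the `{` block, so logrotate will reject the file; second, the name does not match tearDownClass, which removes `/etc/logrotate.d/logrotate_testfile` and `/var/log/logrotate_testfile`, so `/etc/logrotate.d/logrotate_test` is left behind on the target. The check `find $HOME/logrotate_dir -type f | grep wtmp.1` also uses an unanchored regex in which `.` matches any character, so `wtmp.10` or `wtmp-1` would satisfy it; `find $HOME/logrotate_dir -type f -name wtmp.1` checks the exact rotated name. The hunk is truncated after the final `+` line, so the end of the change could not be reviewed.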
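The commit message above explains why `ls -al $HOME/logrotate_dir | wc -l` is a poor way to decide whether a rotation produced a file. The script below is an added example, not code from the patch or from oe-core: it contrasts the line count from `ls -al` with a `find`-based count of regular files and an exact-name check, using constructed directories under a temporary path (the names `emptydir`, `rotated` and `wtmp.1` are made up for the demonstration).

```shell
#!/bin/sh
# Added example (not part of the patch): why "ls -al | wc -l" is a poor
# file count, and a find-based check like the one the patch switches to.
# All directories used here are constructed under a temporary path.

# Fragile count: "ls -al" lists "." and "..", and coreutils ls adds a
# "total N" line, so an empty directory already yields 2 or 3 lines.
count_ls_lines() {
    ls -al "$1" | wc -l | tr -d ' '
}

# Regular files directly inside the directory; never counts ".", "..",
# the "total" line, or subdirectories, so an empty directory gives 0.
count_regular_files() {
    find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Succeed only if a file with exactly the given name exists. A bare
# "grep wtmp.1" would also match "wtmp.10" because "." is a wildcard.
has_rotated_file() {
    find "$1" -maxdepth 1 -type f -name "$2" | grep -q .
}

# Demonstration on constructed directories: an empty one and one that
# holds a single rotated log named wtmp.1.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/emptydir" "$tmp/rotated"
    : > "$tmp/rotated/wtmp.1"
    echo "emptydir: ls lines=$(count_ls_lines "$tmp/emptydir") regular files=$(count_regular_files "$tmp/emptydir")"
    echo "rotated:  ls lines=$(count_ls_lines "$tmp/rotated") regular files=$(count_regular_files "$tmp/rotated")"
    if has_rotated_file "$tmp/rotated" "wtmp.1"; then
        echo "rotated: wtmp.1 is present"
    fi
    rm -rf "$tmp"
}

demo
```

On a coreutils system the empty directory reports three `ls` lines (the `total` line plus `.` and `..`) but zero regular files; on busybox it reports two lines and still zero files. Either way the `find`-based count and the exact-name check give the same answer regardless of which `ls` the image ships.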

[OE-core] patchtest licensing

2020-01-16 Thread Paul Barker
Hey folks,

I've started looking through patchtest & patchtest-oe in detail and
spotted that all the scripts, support code and test cases are licensed
under GPLv2. Is that ok given that we plan to copy this into
openembedded-core (probably under meta/lib/oeqa)? Is there any
practical effect of this not being MIT licensed?

Thanks,
Paul


Re: [OE-core] Looking for a way to build latest tagged releases in recipes

2020-01-16 Thread chris.laplante--- via Openembedded-core
> > As mentioned in IRC, as I get deeper into it, I'll be going with approach 
> > #3 after all :/. Hope to post a tinfoil script soon.
> 
> That would be very much appreciated!

Here's a prototype bbclass: 
https://gist.github.com/mostthingsweb/39e24b329de70c0212e5bf21a431e143. Please 
give it a try.

All you need to do is INHERIT it in local.conf:
INHERIT += "revrecord"

Then you can just do "bitbake --parse-only" and during parsing it will create a 
directory structure in ${TOPDIR}/revs that looks something like this:

revs
├── 20200116170750
│   ├── recipe1
│   │   └── revs.inc
│   ├── recipe2
│   │   └── revs.inc
│   ├── recipe3
│   │   └── revs.inc
│   └── revs.inc
└── latest -> 20200116170750

It also supports multiconfig. When multiconfig is enabled, there will be an 
additional layer of directories in the 'revs' directory, one per multiconfig 
(plus "default"):

revs
├── 20200116170750
│   ├── default
│   │   ├── recipe1
│   │   │   └── revs.inc
│   │   ├── recipe2
│   │   │   └── revs.inc
│   │   └── revs.inc
│   └── mc1
│   ├── recipe1
│   │   └── revs.inc
│   ├── recipe2
│   │   └── revs.inc
│   └── revs.inc
└── latest -> 20200116170750


TODO:

* Right now, the class triggers a base environment change every time, which 
means BitBake always reparses every recipe. I guess this is because I'm 
modifying the datastore when I get bb.event.ConfigParsed and 
bb.event.MultiConfigParsed, in order to ensure REVRECORD_DATETIME is the same 
across all configurations when multiconfig is active. Perhaps there is a more 
elegant way to do this that won't trigger the environment change? To be fair I 
think in most cases you won't care, since I expect this class to mainly be used 
in a continuous integration environment where you'll be doing a clean build and 
having to reparse everything anyway. But I could also see this class as a useful 
thing to always have enabled, even for personal builds, and in that case 
obviously I'd want to fix this issue.
* When multiconfig is active, I would also like a "global" revs.inc to be 
generated, which is the product of aggregating the "revs.inc" for all the 
multiconfigs. Still need to think about how exactly this will work in the face 
of conflicting SRCREVs. 
* We have a use case for JSON format data as well ("revs.json") - I'll add that 
too.
* Possibly a small tinfoil script that simply automates the task of INHERIT'ing 
this class, parsing all the recipes, and then dumping revs.inc.


Thanks,
Chris 



Re: [OE-core] [PATCH] vim: update from 8.1.1518 to 8.2.0110

2020-01-16 Thread Tom Rini
On Tue, Jan 14, 2020 at 11:18:44PM +0100, Alexander Kanavin wrote:
> On Tue, 14 Jan 2020 at 21:10, Randy MacLeod 
> wrote:
> 
> > Oleg is getting started using Yocto so I'll reply on his behalf since
> > I asked him to update vim as his first commit.
> >
> > I'm not sure what you mean by 8.2. Are you talking about calling the
> > recipe:
> > vim_8.2.bb
> > instead of vim_8.2.0110.bb?
> >
> > Vim tags on a daily or more frequent basis. Are you saying that we
> > should keep the
> > same SRCREV for 8.2.0110 but use a different name?
> >
> > I looked at:
> > git log v8.2...v8.2.0118
> > and all the commits seem to fix bugs so I prefer to take this tested
> > v8.2.0110
> > update and update vim every month or two so that we get the latest fixes.
> >
> 
> Vim adds a tag for every single commit they make, fixes or not, so this
> approach would in effect be updating to random development snapshots. I
> would rather have a more conservative update strategy, and update to the
> original 8.2 release. If you look at the homepage, 8.2 is the version they
> announced as the new release: https://www.vim.org/
> 
> That's also what 'devtool latest-version vim' should currently report and
> 'devtool upgrade' upgrade to: I purposely cut off the point releases and
> left only the major.minor part there.

What we had talked about before was trying to follow (more or less)
updating to versions that one of the desktop distros had chosen, to
avoid the fact that yes, every commit to vim is a new version number
thus making it hard to know what's an important/good release but also
still getting bug fixes and so forth.

-- 
Tom


[OE-core] [warrior 30/32] sudo: correct SRC_URI

2020-01-16 Thread Armin Kuster
From: Alexander Kanavin 

The old URI returns 404, and has an invalid TLS certificate.

Signed-off-by: Alexander Kanavin 
Signed-off-by: Richard Purdie 
(cherry picked from commit 73ff6aba0a53ffc3ee0a5859a3ad4c8021be4de0)
Signed-off-by: Armin Kuster 
---
 meta/recipes-extended/sudo/sudo_1.8.27.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/sudo/sudo_1.8.27.bb 
b/meta/recipes-extended/sudo/sudo_1.8.27.bb
index 7460a5bfed..bbca8395b9 100644
--- a/meta/recipes-extended/sudo/sudo_1.8.27.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.27.bb
@@ -1,6 +1,6 @@
 require sudo.inc
 
-SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
+SRC_URI = "http://www.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', 
'', d)} \
file://0001-Include-sys-types.h-for-id_t-definition.patch \
file://CVE-2019-14287-1.patch \
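Review bot: the replacement URL is still plain `http://`, so the download remains unauthenticated in transit; given that the message cites an invalid TLS certificate on the old host, an `https://www.sudo.ws/...` location (which patch 31/32 in this same series ends up using) is the better target. Until then the tarball's integrity rests solely on the SRC_URI checksums, so please keep those unchanged and verify the new host serves the identical file.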
-- 
2.17.1



[OE-core] [warrior 31/32] sudo: Fix fetching sources

2020-01-16 Thread Armin Kuster
From: Ferry Toth 

It looks like https://www.sudo.ws/download.html changed certificate
and directory structure. This breaks fetching sources.

Signed-off-by: Ferry Toth 
Signed-off-by: Ross Burton 
Signed-off-by: Armin Kuster 
(cherry picked from commit f02e9f46ce54fed3c7ddfad7d1003a2fb7ba3a67)
Signed-off-by: Armin Kuster 
---
 meta/recipes-extended/sudo/sudo_1.8.27.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/sudo/sudo_1.8.27.bb 
b/meta/recipes-extended/sudo/sudo_1.8.27.bb
index bbca8395b9..43c27bf37f 100644
--- a/meta/recipes-extended/sudo/sudo_1.8.27.bb
+++ b/meta/recipes-extended/sudo/sudo_1.8.27.bb
@@ -1,6 +1,6 @@
 require sudo.inc
 
-SRC_URI = "http://www.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
+SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', 
'', d)} \
file://0001-Include-sys-types.h-for-id_t-definition.patch \
file://CVE-2019-14287-1.patch \
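Review bot: this hunk replaces the `http://www.sudo.ws/sudo/dist/` URL that patch 30/32 of the same series just introduced; squash the two so the branch never carries the intermediate non-working URL, and drop 30/32. The final `https://www.sudo.ws/dist/sudo-${PV}.tar.gz` is the right direction since it moves the fetch onto TLS.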
-- 
2.17.1



[OE-core] [warrior 28/32] cve-check: Switch to NVD CVE JSON feed version 1.1

2020-01-16 Thread Armin Kuster
From: Niko Mauno 

Switch to recently released version 1.1 of NVD CVE JSON feed, as in
https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release
it is mentioned that

  Due to changes required to support CVSS v3.1 scoring, the JSON
  vulnerability feeds must be modified. This will require the consumers
  of this data to update their internal processes. We will be providing
  the JSON 1.1 schema on the data feeds page and the information below
  to prepare for this transition.
  ...
  The JSON 1.1 data feeds will be available on September 9th, 2019. At
  that time the current JSON 1.0 data feeds will no longer available.

This change was tested briefly by issuing 'bitbake core-image-minimal'
with 'cve-check.bbclass' inherited via local.conf, and then comparing
the content between the resulting two
'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not
seem to contain any other change, except total of 167 entries like

  CVSS v3 BASE SCORE: 0.0

were replaced with similar 'CVSS v3 BASE SCORE:' entries which had
scores that were greater than '0.0' (up to '9.8').

(From OE-Core rev: cc20e4d8ff2f3aa52a2658404af9a0ff358cc323)

Signed-off-by: Niko Mauno 
Signed-off-by: Richard Purdie 
Signed-off-by: Anuj Mittal 
Signed-off-by: Richard Purdie 
(cherry picked from commit c92b8804d6e59b2707332859957f0e6a46db0a73)
Signed-off-by: Armin Kuster 
---
 meta/classes/cve-check.bbclass | 2 +-
 meta/recipes-core/meta/cve-update-db-native.bb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 19ed5548b3..01b3637469 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
 
 CVE_CHECK_LOG ?= "${T}/cve.log"
 CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
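Review bot: changing the default to `${CVE_CHECK_DB_DIR}/nvdcve_1.1.db` leaves any existing `nvdcve_1.0.db` in the same directory untouched and un-migrated, and the 1.1 feed is downloaded in full into the new file. Please say so in the commit message so users know the old database can be deleted, and note that anyone who overrides `CVE_CHECK_DB_FILE` in their configuration must update the override themselves.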
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb 
b/meta/recipes-core/meta/cve-update-db-native.bb
index db1d69a28e..575254af40 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -27,7 +27,7 @@ python do_populate_cve_db() {
 
 bb.utils.export_proxies(d)
 
-BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-;
+BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-;
 YEAR_START = 2002
 
 db_file = d.getVar("CVE_CHECK_DB_FILE")
-- 
2.17.1



[OE-core] [warrior 29/32] popt: fix SRC_URI

2020-01-16 Thread Armin Kuster
From: Oleksandr Kravchuk 

rpm5.org has been down for about a year now. Use linuxfromscratch.org
as an alternative reliable source instead.

Signed-off-by: Oleksandr Kravchuk 
Signed-off-by: Richard Purdie 
(cherry picked from commit d9224014da9a512b1b8837e4e7a736d465c97be3)
Signed-off-by: Armin Kuster 
---
 meta/recipes-support/popt/popt_1.16.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-support/popt/popt_1.16.bb 
b/meta/recipes-support/popt/popt_1.16.bb
index 478288f9bf..27e49c2ca2 100644
--- a/meta/recipes-support/popt/popt_1.16.bb
+++ b/meta/recipes-support/popt/popt_1.16.bb
@@ -8,7 +8,7 @@ PR = "r3"
 
 DEPENDS = "virtual/libiconv"
 
-SRC_URI = "http://rpm5.org/files/popt/popt-${PV}.tar.gz \
+SRC_URI = "http://anduin.linuxfromscratch.org/BLFS/popt/popt-${PV}.tar.gz \
file://pkgconfig_fix.patch \
file://popt_fix_for_automake-1.12.patch \
file://disable_tests.patch \
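Review bot: the new source is a plain `http://` third-party mirror (anduin.linuxfromscratch.org) rather than an upstream release location, so the download is unauthenticated in transit and integrity rests entirely on the recipe's SRC_URI checksums (not in this hunk); an `https://` mirror would be preferable if one is available. Since the archive is meant to be the same popt-1.16 tarball, the existing checksums must stay unchanged, which also serves as the check that the mirror serves the identical file.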
-- 
2.17.1



[OE-core] [warrior 32/32] stress: update SRC_URI

2020-01-16 Thread Armin Kuster
Fixes:
WARNING: stress-1.0.4-r0 do_fetch: Failed to fetch URL 
http://people.seas.harvard.edu/~apw/stress/stress-1.0.4.tar.gz, attempting 
MIRRORS if available

Signed-off-by: Armin Kuster 
---
 meta/recipes-extended/stress/stress_1.0.4.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/stress/stress_1.0.4.bb 
b/meta/recipes-extended/stress/stress_1.0.4.bb
index e9179d3e19..42046d5bf4 100644
--- a/meta/recipes-extended/stress/stress_1.0.4.bb
+++ b/meta/recipes-extended/stress/stress_1.0.4.bb
@@ -5,7 +5,7 @@ HOMEPAGE = "http://people.seas.harvard.edu/~apw/stress/;
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 
-SRC_URI = "http://people.seas.harvard.edu/~apw/${BPN}/${BP}.tar.gz \
+SRC_URI = "https://fossies.org/linux/privat/${BP}.tar.gz \
file://texinfo.patch \
"
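Review bot: `HOMEPAGE` (visible in the hunk header) still points at the dead `http://people.seas.harvard.edu/~apw/stress/` location while SRC_URI moves to fossies.org, a third-party archive site; update HOMEPAGE too, and since the quoted warning shows the fetch only fell back to MIRRORS, consider whether an upstream or fork location is a more durable source than an archive. The unchanged SRC_URI checksums (not in this hunk) will verify that fossies serves the same tarball.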
 
-- 
2.17.1



[OE-core] [warrior 22/32] cve-update-db-native: don't hardcode the database name

2020-01-16 Thread Armin Kuster
From: Ross Burton 

Don't hardcode the database filename, there's a variable for this in
cve-check.bbclass.

(From OE-Core rev: 0d188a9dc4ae64c64cd661e9d9c3841e86f226ab)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-core/meta/cve-update-db-native.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb 
b/meta/recipes-core/meta/cve-update-db-native.bb
index 19875a49b1..c15534de08 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -28,8 +28,8 @@ python do_populate_cve_db() {
 BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-;
 YEAR_START = 2002
 
-db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK')
-db_file = os.path.join(db_dir, 'nvdcve_1.0.db')
+db_file = d.getVar("CVE_CHECK_DB_FILE")
+db_dir = os.path.dirname(db_file)
 json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
 
 # Don't refresh the database more than once an hour
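Review bot: `db_file = d.getVar("CVE_CHECK_DB_FILE")` has no guard, so if the variable is unset in this recipe's context `db_dir = os.path.dirname(db_file)` fails with a TypeError on None from inside the task rather than a readable message; a `bb.fatal("CVE_CHECK_DB_FILE is not set")` before the dirname call makes the misconfiguration obvious. A one-line comment at the point of use saying the variable is defined in cve-check.bbclass (as the commit message notes) would save the next reader the search.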
-- 
2.17.1



[OE-core] [warrior 26/32] cve-check: neaten get_cve_info

2020-01-16 Thread Armin Kuster
From: Ross Burton 

Remove obsolete Python 2 code, and use convenience methods for neatness.

(From OE-Core rev: f19253cc9e70c974a8e21a142086c13d7cde04ff)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/classes/cve-check.bbclass | 18 +-
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index c1cbdbde7b..e95716d9de 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -261,23 +261,15 @@ def check_cves(d, patched_cves):
 def get_cve_info(d, cves):
 """
 Get CVE information from the database.
-
-Unfortunately the only way to get CVE info is set the output to
-html (hard to parse) or query directly the database.
 """
 
-try:
-import sqlite3
-except ImportError:
-from pysqlite2 import dbapi2 as sqlite3
+import sqlite3
 
 cve_data = {}
-db_file = d.getVar("CVE_CHECK_DB_FILE")
-placeholder = ",".join("?" * len(cves))
-query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholder
-conn = sqlite3.connect(db_file)
-cur = conn.cursor()
-for row in cur.execute(query, tuple(cves)):
+conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
+placeholders = ",".join("?" * len(cves))
+query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholders
+for row in conn.execute(query, tuple(cves)):
 cve_data[row[0]] = {}
 cve_data[row[0]]["summary"] = row[1]
 cve_data[row[0]]["scorev2"] = row[2]
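Review bot: `conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))` opens the database read-write although this function only runs a SELECT; a `file:...?mode=ro` URI (the form check_cves uses in the rewrite patch of this series) keeps the reporting path from ever taking a write lock against cve-update-db-native. The `",".join("?" * len(cves))` placeholder list also grows with the number of CVEs, which runs into SQLite's bound-parameter limit on large recipes; per-ID lookups or chunking avoid that.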
-- 
2.17.1



[OE-core] [warrior 25/32] cve-check: rewrite look to fix false negatives

2020-01-16 Thread Armin Kuster
From: Ross Burton 

A previous optimisation was premature and resulted in false-negatives in the 
report.

Rewrite the checking algorithm to first get the list of potential CVEs by
vendor:product, then iterate through every matching CPE for that CVE to
determine if the bounds match or not.  By doing this in two stages we can know
if we've checked every CPE, instead of accidentally breaking out of the scan too
early.

(From OE-Core rev: d61aff9e22704ad69df1f7ab0f8784f4e7cc0c69)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/classes/cve-check.bbclass | 63 ++
 1 file changed, 34 insertions(+), 29 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 3326944d79..c1cbdbde7b 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -165,7 +165,6 @@ def check_cves(d, patched_cves):
 """
 Connect to the NVD database and find unpatched cves.
 """
-import ast, csv, tempfile, subprocess, io
 from distutils.version import LooseVersion
 
 cves_unpatched = []
@@ -187,68 +186,74 @@ def check_cves(d, patched_cves):
 cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
 
 import sqlite3
-db_file = d.getVar("CVE_CHECK_DB_FILE")
-conn = sqlite3.connect(db_file)
+db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
+conn = sqlite3.connect(db_file, uri=True)
 
+# For each of the known product names (e.g. curl has CPEs using curl and 
libcurl)...
 for product in products:
-c = conn.cursor()
 if ":" in product:
 vendor, product = product.split(":", 1)
-c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS 
?", (product, vendor))
 else:
-c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
+vendor = "%"
 
-for row in c:
-cve = row[0]
-version_start = row[3]
-operator_start = row[4]
-version_end = row[5]
-operator_end = row[6]
+# Find all relevant CVE IDs.
+for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE 
PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
+cve = cverow[0]
 
 if cve in cve_whitelist:
 bb.note("%s-%s has been whitelisted for %s" % (product, pv, 
cve))
 # TODO: this should be in the report as 'whitelisted'
 patched_cves.add(cve)
+continue
 elif cve in patched_cves:
 bb.note("%s has been patched" % (cve))
-else:
-to_append = False
+continue
+
+vulnerable = False
+for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND 
PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
+(_, _, _, version_start, operator_start, version_end, 
operator_end) = row
+#bb.debug(2, "Evaluating row " + str(row))
+
 if (operator_start == '=' and pv == version_start):
-to_append = True
+vulnerable = True
 else:
 if operator_start:
 try:
-to_append_start =  (operator_start == '>=' and 
LooseVersion(pv) >= LooseVersion(version_start))
-to_append_start |= (operator_start == '>' and 
LooseVersion(pv) > LooseVersion(version_start))
+vulnerable_start =  (operator_start == '>=' and 
LooseVersion(pv) >= LooseVersion(version_start))
+vulnerable_start |= (operator_start == '>' and 
LooseVersion(pv) > LooseVersion(version_start))
 except:
 bb.warn("%s: Failed to compare %s %s %s for %s" %
 (product, pv, operator_start, 
version_start, cve))
-to_append_start = False
+vulnerable_start = False
 else:
-to_append_start = False
+vulnerable_start = False
 
 if operator_end:
 try:
-to_append_end  = (operator_end == '<=' and 
LooseVersion(pv) <= LooseVersion(version_end))
-to_append_end |= (operator_end == '<' and 
LooseVersion(pv) < LooseVersion(version_end))
+vulnerable_end  = (operator_end == '<=' and 
LooseVersion(pv) <= LooseVersion(version_end))
+vulnerable_end |= (operator_end == '<' and 
LooseVersion(pv) < LooseVersion(version_end))
 except:
 bb.warn("%s: Failed to compare %s %s %s for %s" %
 (product, pv, operator_end, version_end, 
cve))
-  
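Review bot: `VENDOR LIKE ?` is used in both branches, so when a recipe gives an explicit vendor the `_` and `%` characters in it act as LIKE wildcards (a vendor such as `flex_project`, set elsewhere in this series, matches any single character in place of the underscore) and the comparison is case-insensitive; use `VENDOR IS ?` in the explicit-vendor branch, or keep LIKE with an `ESCAPE` clause and escape the vendor string, and only fall back to `'%'` when no vendor was given. Two smaller points on the same hunk: `d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")` builds a URI without percent-encoding the path, so a build directory containing `?`, `#` or `%` breaks the read-only open (urllib.parse.quote on the path fixes it); and the retained `from distutils.version import LooseVersion` depends on distutils, which is deprecated and removed in Python 3.12, so a local version comparison will be needed eventually.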

[OE-core] [warrior 19/32] cve-check: failure to parse versions should be more visible

2020-01-16 Thread Armin Kuster
From: Ross Burton 

Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/classes/cve-check.bbclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index f87bcc9dc6..1c8b2223a2 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -222,7 +222,7 @@ def check_cves(d, patched_cves):
 to_append_start =  (operator_start == '>=' and 
LooseVersion(pv) >= LooseVersion(version_start))
 to_append_start |= (operator_start == '>' and 
LooseVersion(pv) > LooseVersion(version_start))
 except:
-bb.note("%s: Failed to compare %s %s %s for %s" %
+bb.warn("%s: Failed to compare %s %s %s for %s" %
 (product, pv, operator_start, 
version_start, cve))
 to_append_start = False
 else:
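Review bot: raising the level to `bb.warn` is right, but the `except:` branch still sets `to_append_start = False`, so a version string that LooseVersion cannot compare is reported as not vulnerable: a parse failure turns into a false negative in the CVE report. Consider failing closed (treat the comparison failure as a match, or carry the CVE into the report with an explicit "could not compare" status) so the warning cannot simply scroll past in build output.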
@@ -233,7 +233,7 @@ def check_cves(d, patched_cves):
 to_append_end  = (operator_end == '<=' and 
LooseVersion(pv) <= LooseVersion(version_end))
 to_append_end |= (operator_end == '<' and 
LooseVersion(pv) < LooseVersion(version_end))
 except:
-bb.note("%s: Failed to compare %s %s %s for %s" %
+bb.warn("%s: Failed to compare %s %s %s for %s" %
 (product, pv, operator_end, version_end, 
cve))
 to_append_end = False
 else:
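Review bot: the same fail-open behaviour applies to the `operator_end` branch here (`to_append_end = False` after the warning). Separately, the bare `except:` catches everything including KeyboardInterrupt and SystemExit; `except Exception:` is the narrowest form that still covers the TypeError LooseVersion raises when it compares mixed numeric and alphabetic components.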
-- 
2.17.1



[OE-core] [warrior 27/32] cve-check: fetch CVE data once at a time instead of in a single call

2020-01-16 Thread Armin Kuster
From: Ross Burton 

This code used to construct a single SQL statement that fetched the NVD data for
every CVE requested.  For recipes such as the kernel where there are over 2000
CVEs to report this can hit the variable count limit and the query fails with
"sqlite3.OperationalError: too many SQL variables".  The default limit is 999
variables, but some distributions such as Debian set the default to 25.

As the NVD table has an index on the ID column, whilst requesting the data
CVE-by-CVE is five times slower when working with 2000 CVEs, the absolute time
difference is insignificant: 0.05s versus 0.01s on my machine.

(From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/classes/cve-check.bbclass | 20 ++--
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e95716d9de..19ed5548b3 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -267,17 +267,17 @@ def get_cve_info(d, cves):
 
 cve_data = {}
 conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
-placeholders = ",".join("?" * len(cves))
-query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholders
-for row in conn.execute(query, tuple(cves)):
-cve_data[row[0]] = {}
-cve_data[row[0]]["summary"] = row[1]
-cve_data[row[0]]["scorev2"] = row[2]
-cve_data[row[0]]["scorev3"] = row[3]
-cve_data[row[0]]["modified"] = row[4]
-cve_data[row[0]]["vector"] = row[5]
-conn.close()
 
+for cve in cves:
+for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
+cve_data[row[0]] = {}
+cve_data[row[0]]["summary"] = row[1]
+cve_data[row[0]]["scorev2"] = row[2]
+cve_data[row[0]]["scorev3"] = row[3]
+cve_data[row[0]]["modified"] = row[4]
+cve_data[row[0]]["vector"] = row[5]
+
+conn.close()
 return cve_data
 
 def cve_write_data(d, patched, unpatched, cve_data):
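Review bot: the loop silently drops any CVE that has no row in NVD (an ID present in PRODUCTS but missing from the NVD table produces no `cve_data` entry), so any caller that indexes `cve_data[cve]` will KeyError; either record a placeholder entry or at least `bb.warn` on a missing ID so a stale or partially populated database is visible. The connection is still opened read-write (`sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))`) while check_cves in this series uses `mode=ro`; a read-only URI here would be consistent. `SELECT *` with positional `row[1]`..`row[5]` also couples this code to the NVD column order, so naming the columns in the SELECT is cheap insurance.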
-- 
2.17.1

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
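As an added example (editor's code, not the cve-check class or any OE-core code) covering both the two-stage scan in the "rewrite look to fix false negatives" patch and the per-CVE NVD lookup in this one: it creates the NVD and PRODUCTS tables from cve-update-db-native in an in-memory SQLite database, fills them with constructed rows (not real NVD data) and runs the scan. Assumptions beyond what the patches show: a missing bound is treated as unbounded and both bounds must hold when both are given; `LooseVersion` is replaced by a small tuple comparison because distutils is gone from Python 3.12; an explicit vendor is matched with `LIKE ... ESCAPE` so the `_` in a name such as `flex_project` is literal. `single_pass_scan` is the pre-rewrite shape and is included only to show the false negative the rewrite fixes.

```python
import re
import sqlite3

# Schema copied from initialize_db() in cve-update-db-native; column order
# matters because the rows below are unpacked positionally.
SCHEMA = """
CREATE TABLE NVD (ID TEXT UNIQUE, SUMMARY TEXT, SCOREV2 TEXT, SCOREV3 TEXT,
                  MODIFIED INTEGER, VECTOR TEXT);
CREATE TABLE PRODUCTS (ID TEXT, VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT,
                       OPERATOR_START TEXT, VERSION_END TEXT, OPERATOR_END TEXT);
CREATE INDEX PRODUCT_ID_IDX ON PRODUCTS(ID);
"""
# Constructed rows (not NVD data); CVE-0000-0001 has two ranges, 2.0.2 is in the second.
PRODUCTS = [
    ("CVE-0000-0001", "example", "widget", None, None, "1.2.9", "<"),
    ("CVE-0000-0001", "example", "widget", "2.0", ">=", "2.0.4", "<"),
    ("CVE-0000-0002", "example", "widget", "2.0.2", "=", None, None),
    ("CVE-0000-0003", "other_vendor", "widget", "1.0", ">=", "3.0", "<="),
    ("CVE-0000-0004", "otherxvendor", "widget", "1.0", ">=", "3.0", "<="),
]
NVD = [(c, "constructed summary for " + c, "7.5", "9.8", 20200116, "AV:N")
       for c in ("CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003")]
# Vendor/product filter; ESCAPE keeps '_' and '%' in a vendor name literal.
VP = "PRODUCT IS ? AND VENDOR LIKE ? ESCAPE '\\'"

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO PRODUCTS VALUES (?,?,?,?,?,?,?)", PRODUCTS)
    conn.executemany("INSERT INTO NVD VALUES (?,?,?,?,?,?)", NVD)
    return conn

def version_key(v):
    """LooseVersion stand-in: numbers compare as ints, letters as strings, never mixed."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))

def in_range(pv, vstart, opstart, vend, opend):
    """pv satisfies every bound the CPE row gives; a missing bound is unbounded."""
    if opstart == "=":
        return pv == vstart
    k = version_key(pv)
    lower = (not opstart or (opstart == ">=" and k >= version_key(vstart))
             or (opstart == ">" and k > version_key(vstart)))
    upper = (not opend or (opend == "<=" and k <= version_key(vend))
             or (opend == "<" and k < version_key(vend)))
    return lower and upper

def like_pattern(vendor):
    """'%' matches any vendor; an explicit vendor is escaped for LIKE."""
    if vendor is None:
        return "%"
    return vendor.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def check_cves(conn, products, pv, whitelist=()):
    """Two-stage scan: collect CVE IDs per vendor:product, then evaluate every
    CPE row of each CVE so no version range is skipped."""
    unpatched, not_vulnerable = [], set()
    for spec in products:
        vendor, product = spec.split(":", 1) if ":" in spec else (None, spec)
        args = (product, like_pattern(vendor))
        ids = conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE " + VP, args)
        for (cve,) in ids.fetchall():
            if cve in whitelist or cve in unpatched:
                continue
            rows = conn.execute("SELECT VERSION_START, OPERATOR_START, VERSION_END,"
                                " OPERATOR_END FROM PRODUCTS WHERE ID IS ? AND " + VP,
                                (cve,) + args).fetchall()
            if any(in_range(pv, *row) for row in rows):
                unpatched.append(cve)
            else:
                not_vulnerable.add(cve)
    return sorted(unpatched), sorted(not_vulnerable - set(unpatched))

def single_pass_scan(conn, product, pv):
    """Pre-rewrite shape, kept to show the false negative: a CVE is marked
    checked at its first non-matching row, so its later rows are never seen."""
    unpatched, checked = [], set()
    for cve, *bounds in conn.execute("SELECT ID, VERSION_START, OPERATOR_START,"
                                     " VERSION_END, OPERATOR_END FROM PRODUCTS"
                                     " WHERE PRODUCT IS ? ORDER BY rowid", (product,)):
        if cve not in checked and cve not in unpatched:
            (unpatched.append if in_range(pv, *bounds) else checked.add)(cve)
    return unpatched

def get_cve_info(conn, cves):
    """One query per CVE: a single IN (?,?,...) list can exceed SQLite's parameter limit."""
    fields = ("summary", "scorev2", "scorev3", "modified", "vector")
    info = {}
    for cve in cves:
        row = conn.execute("SELECT SUMMARY, SCOREV2, SCOREV3, MODIFIED, VECTOR"
                           " FROM NVD WHERE ID IS ?", (cve,)).fetchone()
        if row is not None:  # no NVD row: leave it out rather than KeyError later
            info[cve] = dict(zip(fields, row))
    return info

if __name__ == "__main__":
    db = build_db()
    print(check_cves(db, ["widget"], "2.0.2"), single_pass_scan(db, "widget", "2.0.2"))
```

Run it directly: for version 2.0.2 of `widget` the two-stage scan reports CVE-0000-0001 (its second range matches) while the single-pass scan drops it after the first range fails, which is the false negative the rewrite addresses. `check_cves(db, ["other_vendor:widget"], "1.5")` returns only CVE-0000-0003 because the escaped LIKE pattern does not let `_` match the `x` in `otherxvendor`.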


[OE-core] [warrior 21/32] cve-update-db-native: don't refresh more than once an hour

2020-01-16 Thread Armin Kuster
From: Ross Burton 

We already fetch the yearly CVE metadata and check that for updates before
downloading the full data, but we can speed up CVE checking further by only
checking the CVE metadata once an hour.

(From OE-Core rev: 50d898fd360c58fe85460517d965f62b7654771a)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-core/meta/cve-update-db-native.bb | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb 
b/meta/recipes-core/meta/cve-update-db-native.bb
index 2c427a5884..19875a49b1 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -31,8 +31,16 @@ python do_populate_cve_db() {
 db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK')
 db_file = os.path.join(db_dir, 'nvdcve_1.0.db')
 json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
-proxy = d.getVar("https_proxy")
 
+# Don't refresh the database more than once an hour
+try:
+import time
+if time.time() - os.path.getmtime(db_file) < (60*60):
+return
+except OSError:
+pass
+
+proxy = d.getVar("https_proxy")
 if proxy:
 # instantiate an opener but do not install it as the global
 # opener unless if we're really sure it's applicable for all
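Review bot: the hour-long skip keys off `os.path.getmtime(db_file)`, and SQLite touches the file on every write, so a previous run that created the file and then failed part-way (a network error while loading one year's feed) leaves a fresh mtime and the next run within the hour silently returns with an incomplete database. Record completion explicitly (only touch a marker after the last year has loaded, or compare against the META table) rather than trusting the file mtime, and emit a `bb.note` on the early `return` so a user wondering why no update happened can see it. The `import time` inside the `try:` cannot raise for a stdlib module and belongs with the other imports.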
-- 
2.17.1



[OE-core] [warrior 23/32] cve-update-db-native: add an index on the CVE ID column

2020-01-16 Thread Armin Kuster
From: Ross Burton 

Create an index on the PRODUCTS table which contains a row for each CPE,
drastically increasing the performance of lookups for a specific CVE.

(From OE-Core rev: b4048b05b3a00d85c40d09961f846eadcebd812e)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-core/meta/cve-update-db-native.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb 
b/meta/recipes-core/meta/cve-update-db-native.bb
index c15534de08..08b18f064f 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -120,11 +120,14 @@ python do_populate_cve_db() {
 
 def initialize_db(c):
 c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE 
TEXT)")
+
 c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
 SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+
 c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
 VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
 VERSION_END TEXT, OPERATOR_END TEXT)")
+c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
 
 def parse_node_and_insert(c, node, cveId):
 # Parse children node if needed
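Review bot: the new `PRODUCT_ID_IDX` index is on `PRODUCTS(ID)`, but the first-stage query in check_cves filters PRODUCTS by `PRODUCT` and `VENDOR` before it knows any ID, so that lookup still scans the whole table; an additional index on `PRODUCTS(PRODUCT, VENDOR)` would serve it. `NVD.ID` is declared `UNIQUE`, which already creates an implicit index, so nothing is needed there. The trailing `;` inside the Python string is harmless but inconsistent with the other statements.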
-- 
2.17.1



[OE-core] [warrior 24/32] cve-update-db-native: clean up proxy handling

2020-01-16 Thread Armin Kuster
From: Ross Burton 

urllib handles adding proxy handlers if the proxies are set in the environment,
so call bb.utils.export_proxies() to do that and remove the manual setup.

(From OE-Core rev: 6b73004668b3b71c9c38814b79fbb58c893ed434)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 .../recipes-core/meta/cve-update-db-native.bb | 31 +++
 1 file changed, 5 insertions(+), 26 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb 
b/meta/recipes-core/meta/cve-update-db-native.bb
index 08b18f064f..db1d69a28e 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -21,10 +21,12 @@ python do_populate_cve_db() {
 """
 Update NVD database with json data feed
 """
-
+import bb.utils
 import sqlite3, urllib, urllib.parse, shutil, gzip
 from datetime import date
 
+bb.utils.export_proxies(d)
+
 BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-;
 YEAR_START = 2002
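Review bot: `bb.utils.export_proxies(d)` exports the proxy settings into the process environment, which is what lets `urllib.request.urlopen` build its proxy handler automatically; that also means the other proxy variables bitbake knows about (`http_proxy`, `no_proxy` and friends) are now honoured where the removed code only looked at `https_proxy`, a behaviour change worth a line in the commit message. `import bb.utils` is redundant inside a bitbake python task, where `bb` is already in scope, but harmless.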
 
@@ -40,16 +42,6 @@ python do_populate_cve_db() {
 except OSError:
 pass
 
-proxy = d.getVar("https_proxy")
-if proxy:
-# instantiate an opener but do not install it as the global
-# opener unless if we're really sure it's applicable for all
-# urllib requests
-proxy_handler = urllib.request.ProxyHandler({'https': proxy})
-proxy_opener = urllib.request.build_opener(proxy_handler)
-else:
-proxy_opener = None
-
 cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
 
 if not os.path.isdir(db_dir):
@@ -67,15 +59,7 @@ python do_populate_cve_db() {
 json_url = year_url + ".json.gz"
 
 # Retrieve meta last modified date
-
-response = None
-
-if proxy_opener:
-response = proxy_opener.open(meta_url)
-else:
-req = urllib.request.Request(meta_url)
-response = urllib.request.urlopen(req)
-
+response = urllib.request.urlopen(meta_url)
 if response:
 for l in response.read().decode("utf-8").splitlines():
 key, value = l.split(":", 1)
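Review bot: `response = urllib.request.urlopen(meta_url)` has no timeout and no exception handling, so a stalled connection to nvd.nist.gov blocks the build indefinitely and a URLError escapes as a traceback; pass `timeout=` and catch `urllib.error.URLError` with a `bb.warn` (or `bb.fatal` if a missed update is unacceptable under the build's policy). The `if response:` test is always true, since urlopen either returns a response object or raises.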
@@ -95,12 +79,7 @@ python do_populate_cve_db() {
 
 # Update db with current year json file
 try:
-if proxy_opener:
-response = proxy_opener.open(json_url)
-else:
-req = urllib.request.Request(json_url)
-response = urllib.request.urlopen(req)
-
+response = urllib.request.urlopen(json_url)
 if response:
 update_db(c, 
gzip.decompress(response.read()).decode('utf-8'))
 c.execute("insert or replace into META values (?, ?)", [year, 
last_modified])
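Review bot: the feed is loaded with `update_db(c, gzip.decompress(response.read()).decode('utf-8'))` without any integrity check, even though the `.meta` file parsed just above (the `key, value = l.split(":", 1)` loop) carries a `sha256` of the uncompressed JSON alongside `lastModifiedDate`; verifying that digest before calling update_db means a truncated download or a tampered mirror cannot silently produce a wrong CVE database, which is the input every cve-check result depends on. The missing-timeout point from the meta fetch applies to this `urlopen(json_url)` too.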
-- 
2.17.1

-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
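Added example (editor's code, not the recipe's): the same `key:value` parsing of the feed's `.meta` file as the hunk above, plus the pieces a guarded download would add. The NVD JSON feed `.meta` files of that era carried `lastModifiedDate`, `size`, `zipSize`, `gzSize` and a `sha256` of the uncompressed JSON; `verify_feed` checks size and digest before the text is handed to a database loader, and `fetch` shows `urlopen` with a timeout (the 60-second value is an assumption). The feed bytes and `.meta` text are constructed inline so the example runs offline.

```python
import gzip
import hashlib
import json
import urllib.request


def parse_meta(text):
    """Parse an NVD feed .meta file: one 'key:value' per line, as in the
    recipe's loop; split on the first ':' only because timestamps contain ':'."""
    meta = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            meta[key.strip()] = value.strip()
    return meta


def verify_feed(gz_bytes, meta):
    """Decompress the feed and return the JSON text only if its length and
    SHA-256 match what the .meta file announced; raise otherwise so a
    truncated download or a tampered mirror never reaches the DB loader."""
    data = gzip.decompress(gz_bytes)
    if "size" in meta and int(meta["size"]) != len(data):
        raise ValueError("feed size %d != announced %s" % (len(data), meta["size"]))
    digest = hashlib.sha256(data).hexdigest()
    if digest.lower() != meta.get("sha256", "").lower():
        raise ValueError("feed sha256 %s != announced %s" % (digest, meta.get("sha256")))
    return data.decode("utf-8")


def needs_update(meta, stored_last_modified):
    """True when the feed's lastModifiedDate differs from the value recorded
    for that year (mirrors the comparison against the META table)."""
    return meta.get("lastModifiedDate") != stored_last_modified


def fetch(url, timeout=60):
    """urlopen with a timeout (assumed value) so a stalled NVD endpoint cannot
    hang the build; urlopen raises on HTTP errors rather than returning None."""
    with urllib.request.urlopen(url, timeout=timeout) as response:
        return response.read()


def make_sample_feed(items=None):
    """Constructed stand-in for one yearly feed and its .meta file (not NVD data)."""
    feed = {"CVE_data_type": "CVE", "CVE_Items": items or []}
    data = json.dumps(feed).encode("utf-8")
    gz = gzip.compress(data)
    meta = ("lastModifiedDate:2020-01-16T03:00:00-05:00\n"
            "size:%d\nzipSize:0\ngzSize:%d\nsha256:%s\n"
            % (len(data), len(gz), hashlib.sha256(data).hexdigest().upper()))
    return gz, meta


def load_feed(gz_bytes, meta_text, stored_last_modified=None):
    """What a guarded loop body would do for one year: skip when the feed is
    unchanged, otherwise verify it and return the parsed JSON."""
    meta = parse_meta(meta_text)
    if not needs_update(meta, stored_last_modified):
        return None
    return json.loads(verify_feed(gz_bytes, meta))


if __name__ == "__main__":
    gz, meta_text = make_sample_feed()
    print(load_feed(gz, meta_text))
```

In the recipe the `.meta` download would go through `fetch(meta_url)` and the gzip through `fetch(json_url)`, with `verify_feed` sitting between `response.read()` and `update_db`; a mismatch raises instead of populating the database, which is the safer failure for data that every later cve-check verdict depends on.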


[OE-core] [warrior 20/32] cve-check: we don't actually need to unpack to check

2020-01-16 Thread Armin Kuster
From: Ross Burton 

The patch scanner works with patch files in the layer, not in the workdir, so it
doesn't need to unpack.

(From OE-Core rev: 2cba6ada970deb5156e1ba0182f4f372851e3c17)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/classes/cve-check.bbclass | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1c8b2223a2..3326944d79 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -62,7 +62,7 @@ python do_cve_check () {
 
 }
 
-addtask cve_check after do_unpack before do_build
+addtask cve_check before do_build
 do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
 do_cve_check[nostamp] = "1"
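Review bot: dropping `after do_unpack` means `do_cve_check` can now run before `do_fetch`, which is fine for patches that live in the layer (the case the commit message describes) but not for patch files listed in SRC_URI as remote URLs, which only exist after fetching; if the scanner ever looks at those, the ordering should be `after do_fetch` rather than unconstrained. With the task being `nostamp`, the `[depends]` on cve-update-db-native is the only ordering left, which matches the intent.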
 
@@ -70,7 +70,6 @@ python cve_check_cleanup () {
 """
 Delete the file used to gather all the CVE information.
 """
-
 bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE"))
 }
 
-- 
2.17.1



[OE-core] [warrior 17/32] sdk: Install nativesdk locales for all TCLIBC variants

2020-01-16 Thread Armin Kuster
From: Khem Raj 

install_locales() here is actually operating on nativesdk and only glibc
is the default library for nativesdk, since that's what most of
desktop/server distros use, therefore bailing out based on TCLIBC is not
needed here, since nativesdk-glibc would be required for all non-glibc
targeting SDKs as well.

Fixes SDK install time error

ERROR:  OE-core's config sanity checker detected a potential misconfiguration.
Either fix the cause of this error or at your own risk disable the checker (see 
sanity.conf).
Following is the list of potential problems / advisories:
Your system needs to support the en_US.UTF-8 locale.
ERROR: SDK preparation failed

Signed-off-by: Khem Raj 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/lib/oe/sdk.py | 4 
 1 file changed, 4 deletions(-)

diff --git a/meta/lib/oe/sdk.py b/meta/lib/oe/sdk.py
index b4fbdb799e..d02a274812 100644
--- a/meta/lib/oe/sdk.py
+++ b/meta/lib/oe/sdk.py
@@ -88,10 +88,6 @@ class Sdk(object, metaclass=ABCMeta):
 bb.warn("cannot remove SDK dir: %s" % path)
 
 def install_locales(self, pm):
-# This is only relevant for glibc
-if self.d.getVar("TCLIBC") != "glibc":
-return
-
 linguas = self.d.getVar("SDKIMAGE_LINGUAS")
 if linguas:
 import fnmatch
-- 
2.17.1



[OE-core] [warrior 16/32] libpcap: upgrade 1.9.0 -> 1.9.1

2020-01-16 Thread Armin Kuster
From: Zang Ruochen 

-libpcap/0001-pcap-usb-linux.c-add-missing-limits.h-for-musl-syste.patch
 Removed since this is included in 1.9.1.

Signed-off-by: Zang Ruochen 
Signed-off-by: Richard Purdie 
[CVE-2018-16301 CVE-2019-15161 CVE-2019-15162 CVE-2019-15163 CVE-2019-15164 
CVE-2019-15165]
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 ...-add-missing-limits.h-for-musl-syste.patch | 29 ---
 .../{libpcap_1.9.0.bb => libpcap_1.9.1.bb}|  5 ++--
 2 files changed, 2 insertions(+), 32 deletions(-)
 delete mode 100644 
meta/recipes-connectivity/libpcap/libpcap/0001-pcap-usb-linux.c-add-missing-limits.h-for-musl-syste.patch
 rename meta/recipes-connectivity/libpcap/{libpcap_1.9.0.bb => 
libpcap_1.9.1.bb} (88%)

diff --git 
a/meta/recipes-connectivity/libpcap/libpcap/0001-pcap-usb-linux.c-add-missing-limits.h-for-musl-syste.patch
 
b/meta/recipes-connectivity/libpcap/libpcap/0001-pcap-usb-linux.c-add-missing-limits.h-for-musl-syste.patch
deleted file mode 100644
index 01773834c7..00
--- 
a/meta/recipes-connectivity/libpcap/libpcap/0001-pcap-usb-linux.c-add-missing-limits.h-for-musl-syste.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From aafa3512b7b742f5e66a5543e41974cc5e7eebfa Mon Sep 17 00:00:00 2001
-From: maxice8 
-Date: Sun, 22 Jul 2018 18:54:17 -0300
-Subject: [PATCH] pcap-usb-linux.c: add missing limits.h for musl systems.
-
-fix compilation on musl libc systems like Void Linux and Alpine.
-
-Upstream-Status: Backport 
[https://github.com/the-tcpdump-group/libpcap/commit/d557c98a16dc254aaff03762b694fe624e180bea]
-
-Signed-off-by: Anuj Mittal 

- pcap-usb-linux.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/pcap-usb-linux.c b/pcap-usb-linux.c
-index 6f8adf65..b92c05ea 100644
 a/pcap-usb-linux.c
-+++ b/pcap-usb-linux.c
-@@ -50,6 +50,7 @@
- #include 
- #include 
- #include 
-+#include 
- #include 
- #include 
- #include 
--- 
-2.17.1
-
diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.9.0.bb 
b/meta/recipes-connectivity/libpcap/libpcap_1.9.1.bb
similarity index 88%
rename from meta/recipes-connectivity/libpcap/libpcap_1.9.0.bb
rename to meta/recipes-connectivity/libpcap/libpcap_1.9.1.bb
index 78361561e6..a0f66ac0fa 100644
--- a/meta/recipes-connectivity/libpcap/libpcap_1.9.0.bb
+++ b/meta/recipes-connectivity/libpcap/libpcap_1.9.1.bb
@@ -11,10 +11,9 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \
 DEPENDS = "flex-native bison-native"
 
 SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz \
-   
file://0001-pcap-usb-linux.c-add-missing-limits.h-for-musl-syste.patch \
"
-SRC_URI[md5sum] = "dffd65cb14406ab9841f421732eb0f33"
-SRC_URI[sha256sum] = 
"2edb88808e5913fdaa8e9c1fcaf272e19b2485338742b5074b9fe44d68f37019"
+SRC_URI[md5sum] = "21af603d9a591c7d96a6457021d84e6c"
+SRC_URI[sha256sum] = 
"635237637c5b619bcceba91900666b64d56ecb7be63f298f601ec786ce087094"
 
 inherit autotools binconfig-disabled pkgconfig bluetooth
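Review bot: removing `0001-pcap-usb-linux.c-add-missing-limits.h-for-musl-syste.patch` relies on its Upstream-Status commit being part of the 1.9.1 tag, which a musl build should confirm before this lands on a stable branch. The `SRC_URI[md5sum]` line is redundant next to `SRC_URI[sha256sum]` and could be dropped while the checksums are being touched; the six CVE IDs in the commit message are what justify taking a version bump on warrior, so they belong in the commit body in a greppable form rather than only in a bracketed Signed-off-by line.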
 
-- 
2.17.1



[OE-core] [warrior 18/32] cve-check: ensure all known CVEs are in the report

2020-01-16 Thread Armin Kuster
From: Ross Burton 

CVEs that are whitelisted or were not vulnerable when there are version
comparisons were not included in the report, so alter the logic to ensure that
all relevant CVEs are in the report for completeness.

(From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264)

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/classes/cve-check.bbclass | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index c00d2910be..f87bcc9dc6 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -208,12 +208,14 @@ def check_cves(d, patched_cves):
 
 if cve in cve_whitelist:
 bb.note("%s-%s has been whitelisted for %s" % (product, pv, 
cve))
+# TODO: this should be in the report as 'whitelisted'
+patched_cves.add(cve)
 elif cve in patched_cves:
 bb.note("%s has been patched" % (cve))
 else:
 to_append = False
 if (operator_start == '=' and pv == version_start):
-cves_unpatched.append(cve)
+to_append = True
 else:
 if operator_start:
 try:
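Review bot: `patched_cves.add(cve)` for a whitelisted CVE makes the report describe it as patched, which the TODO above it acknowledges; a separate whitelisted set carried through to cve_write_data would keep the distinction honest, since "we chose to ignore this" and "we applied a fix" are different statements to anyone auditing the image.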
@@ -243,8 +245,11 @@ def check_cves(d, patched_cves):
 to_append = to_append_start or to_append_end
 
 if to_append:
+bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
 cves_unpatched.append(cve)
-bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
+else:
+bb.note("%s-%s is not vulnerable to %s" % (product, pv, 
cve))
+patched_cves.add(cve)
 conn.close()
 
 return (list(patched_cves), cves_unpatched)
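Review bot: `patched_cves.add(cve)` in the new `else:` branch runs per PRODUCTS row, not per CVE, and the loop skips any row whose CVE is already in that set (`elif cve in patched_cves:` above); so for a CVE with several CPE rows covering different version ranges, the first row that does not match marks the CVE as safe and the remaining rows are never evaluated. That is a false negative for exactly the multi-range CVEs this change is meant to get into the report; decide vulnerability only after all rows for a CVE have been seen (collect rows per CVE first) rather than on the first non-matching one.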
-- 
2.17.1



[OE-core] [warrior 14/32] webkitgtk: set CVE_PRODUCT

2020-01-16 Thread Armin Kuster
From: Chen Qi 

Signed-off-by: Chen Qi 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-sato/webkit/webkitgtk_2.22.7.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-sato/webkit/webkitgtk_2.22.7.bb 
b/meta/recipes-sato/webkit/webkitgtk_2.22.7.bb
index 301bf10cea..26e673cbcb 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.22.7.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.22.7.bb
@@ -30,6 +30,8 @@ inherit cmake pkgconfig gobject-introspection perlnative 
distro_features_check u
 
 REQUIRED_DISTRO_FEATURES = "x11 opengl"
 
+CVE_PRODUCT = "webkitgtk webkitgtk\+"
+
 DEPENDS = "zlib libsoup-2.4 curl libxml2 cairo libxslt libxt libidn libgcrypt \
gtk+3 gstreamer1.0 gstreamer1.0-plugins-base flex-native 
gperf-native sqlite3 \
   pango icu bison-native gawk intltool-native libwebp \
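Review bot: `CVE_PRODUCT = "webkitgtk webkitgtk\+"` escapes the `+` as if the value were a regular expression, but check_cves in this series compares it against the database with `PRODUCT IS ?`, a literal match, so `webkitgtk\+` (backslash included) never matches the CPE product `webkitgtk+`; use `webkitgtk webkitgtk+` unless the class is known to treat CVE_PRODUCT as a regex.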
-- 
2.17.1



[OE-core] [warrior 15/32] procps: whitelist CVE-2018-1121

2020-01-16 Thread Armin Kuster
From: Ross Burton 

This CVE is about race conditions in 'ps' which make it unsuitable for security
audits.  As these race conditions are unavoidable ps shouldn't be used for
security auditing, so this isn't a valid CVE.

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-extended/procps/procps_3.3.15.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-extended/procps/procps_3.3.15.bb 
b/meta/recipes-extended/procps/procps_3.3.15.bb
index 9756db0e7b..a20917b223 100644
--- a/meta/recipes-extended/procps/procps_3.3.15.bb
+++ b/meta/recipes-extended/procps/procps_3.3.15.bb
@@ -64,3 +64,6 @@ python __anonymous() {
 d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % 
(d.getVar('base_sbindir'), prog))
 }
 
+# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
+CVE_CHECK_WHITELIST += "CVE-2018-1121"
-- 
2.17.1



[OE-core] [warrior 13/32] libsndfile1: whitelist CVE-2018-13419

2020-01-16 Thread Armin Kuster
From: Ross Burton 

This is a memory leak that nobody else can replicate and has been rejected by
upstream.

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb 
b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
index 77393db847..6044bf09c7 100644
--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -38,3 +38,6 @@ do_configure_prepend_arm() {
export ac_cv_sys_file_offset_bits=64
 }
 
+# This can't be replicated and is just a memory leak.
+# https://github.com/erikd/libsndfile/issues/398
+CVE_CHECK_WHITELIST += "CVE-2018-13419"
-- 
2.17.1



[OE-core] [warrior 12/32] libxfont2: set CVE_PRODUCT

2020-01-16 Thread Armin Kuster
From: Chen Qi 

Signed-off-by: Chen Qi 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-graphics/xorg-lib/libxfont2_2.0.3.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-graphics/xorg-lib/libxfont2_2.0.3.bb 
b/meta/recipes-graphics/xorg-lib/libxfont2_2.0.3.bb
index 2b72d6750c..6994d79e89 100644
--- a/meta/recipes-graphics/xorg-lib/libxfont2_2.0.3.bb
+++ b/meta/recipes-graphics/xorg-lib/libxfont2_2.0.3.bb
@@ -20,3 +20,5 @@ SRC_URI[sha256sum] = 
"0e8ab7fd737ccdfe87e1f02b55f221f0bd4503a1c5f28be4ed6a54586b
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
 PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
+
+CVE_PRODUCT = "libxfont libxfont2"
-- 
2.17.1



[OE-core] [warrior 11/32] libpam: set CVE_PRODUCT

2020-01-16 Thread Armin Kuster
From: Ross Burton 

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-extended/pam/libpam_1.3.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/pam/libpam_1.3.0.bb 
b/meta/recipes-extended/pam/libpam_1.3.0.bb
index c124e3bb02..ad6ac4b701 100644
--- a/meta/recipes-extended/pam/libpam_1.3.0.bb
+++ b/meta/recipes-extended/pam/libpam_1.3.0.bb
@@ -164,3 +164,5 @@ CONFFILES_${PN}-runtime += 
"${sysconfdir}/pam.d/common-password"
 CONFFILES_${PN}-runtime += "${sysconfdir}/pam.d/common-session-noninteractive"
 CONFFILES_${PN}-runtime += "${sysconfdir}/pam.d/common-account"
 CONFFILES_${PN}-runtime += "${sysconfdir}/security/limits.conf"
+
+CVE_PRODUCT = "linux-pam"
-- 
2.17.1



[OE-core] [warrior 08/32] subversion: set CVE vendor to Apache

2020-01-16 Thread Armin Kuster
From: Ross Burton 

There's a Jenkins plugin for Subversion.

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/subversion/subversion_1.11.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/subversion/subversion_1.11.1.bb 
b/meta/recipes-devtools/subversion/subversion_1.11.1.bb
index 8abac7408e..9909461bf7 100644
--- a/meta/recipes-devtools/subversion/subversion_1.11.1.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.11.1.bb
@@ -18,6 +18,8 @@ SRC_URI[sha256sum] = 
"9efd2750ca4d72ec903431a24b9c732b6cbb84aad9b7563f59dd96dea5
 
 inherit autotools pkgconfig gettext
 
+CVE_PRODUCT = "apache:subversion"
+
 PACKAGECONFIG ?= ""
 
 PACKAGECONFIG[sasl] = "--with-sasl,--without-sasl,cyrus-sasl"
-- 
2.17.1



[OE-core] [warrior 09/32] ed: set CVE vendor to avoid false positives

2020-01-16 Thread Armin Kuster
From: Ross Burton 

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-extended/ed/ed_1.15.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/ed/ed_1.15.bb 
b/meta/recipes-extended/ed/ed_1.15.bb
index c79310325f..886c3ddcab 100644
--- a/meta/recipes-extended/ed/ed_1.15.bb
+++ b/meta/recipes-extended/ed/ed_1.15.bb
@@ -9,6 +9,8 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=0c7051aef9219dc7237f206c5c4179a7 \
 
 SECTION = "base"
 
+CVE_PRODUCT = "gnu:ed"
+
 # LSB states that ed should be in /bin/
 bindir = "${base_bindir}"
 
-- 
2.17.1



[OE-core] [warrior 06/32] flex: set CVE_PRODUCT to include vendor

2020-01-16 Thread Armin Kuster
From: Ross Burton 

There are many projects called Flex and they have CVEs, so also set the vendor
to remove these false positives.

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/flex/flex_2.6.0.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/flex/flex_2.6.0.bb 
b/meta/recipes-devtools/flex/flex_2.6.0.bb
index b477cd8c7f..12ce0cb461 100644
--- a/meta/recipes-devtools/flex/flex_2.6.0.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.0.bb
@@ -68,3 +68,6 @@ do_install_ptest() {
-e 's/^builddir = \(.*\)/builddir = ./' -e 's/^top_builddir = 
\(.*\)/top_builddir = ./' \
-i ${D}${PTEST_PATH}/Makefile
 }
+
+# Not Apache Flex, or Adobe Flex, or IBM Flex.
+CVE_PRODUCT = "flex_project:flex"
-- 
2.17.1



[OE-core] [warrior 07/32] git: set CVE vendor to git-scm

2020-01-16 Thread Armin Kuster
From: Ross Burton 

There's a Jenkins plugin for Git.

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/git/git.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/git/git.inc 
b/meta/recipes-devtools/git/git.inc
index 26a22ac1e8..6e137432f0 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -13,6 +13,8 @@ S = "${WORKDIR}/git-${PV}"
 
 LIC_FILES_CHKSUM = "file://COPYING;md5=7c0d7ef03a7eb04ce795b0f60e68e7e1"
 
+CVE_PRODUCT = "git-scm:git"
+
 PACKAGECONFIG ??= ""
 PACKAGECONFIG[cvsserver] = ""
 PACKAGECONFIG[svn] = ""
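Review bot: `CVE_PRODUCT = "git-scm:git"` is added with no comment, and the motivation given in the commit message ("There's a Jenkins plugin for Git") is the kind of fact that belongs next to the assignment; the flex patch in this series sets the precedent with `# Not Apache Flex, ...`, so add the equivalent `# Not the Jenkins git plugin` here. Placement between `LIC_FILES_CHKSUM` and `PACKAGECONFIG` is fine.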
-- 
2.17.1



[OE-core] [warrior 10/32] boost: set CVE vendor to Boost

2020-01-16 Thread Armin Kuster
From: Ross Burton 

There's a Boost module for Drupal.

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-support/boost/boost.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/boost/boost.inc 
b/meta/recipes-support/boost/boost.inc
index c2e2cbb352..f385541653 100644
--- a/meta/recipes-support/boost/boost.inc
+++ b/meta/recipes-support/boost/boost.inc
@@ -2,6 +2,8 @@ SUMMARY = "Free peer-reviewed portable C++ source libraries"
 SECTION = "libs"
 DEPENDS = "bjam-native zlib bzip2"
 
+CVE_PRODUCT = "boost:boost"
+
 ARM_INSTRUCTION_SET_armv4 = "arm"
 ARM_INSTRUCTION_SET_armv5 = "arm"
 
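Review bot: same gap as the ed and git patches in this series: `CVE_PRODUCT = "boost:boost"` carries no comment, and the reason (the Drupal module named Boost) is only in the commit message. A one-line comment above the assignment keeps the rationale with the code; since boost.inc is shared by every boost version, it is also the one place to record that the vendor was checked against the CVE database.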
-- 
2.17.1



[OE-core] [warrior 04/32] python: update to 2.7.17

2020-01-16 Thread Armin Kuster
From: Alexander Kanavin 

Drop backports, rebase a couple of patches.

This is the second last release of py 2.x; upstream support ends on
1 January 2020, there will be one final 2.x afterwards.

Note that the only thing that still needs python 2.x in oe-core is
u-boot; when the next u-boot update arrives, we should find out
where the py3 migration is for that component before merging the
update.

(From OE-Core rev: 184b60eb905bb75ecc7a0c29a175e624d8555fac)

Signed-off-by: Alexander Kanavin 
Signed-off-by: Richard Purdie 
Signed-off-by: Anuj Mittal 
[Minor fixup for warrior context]
Signed-off-by: Armin Kuster 
---
 ...-fix-one-do_populate_sysroot-warning.patch |  25 +-
 ...tive_2.7.16.bb => python-native_2.7.17.bb} |   2 +-
 meta/recipes-devtools/python/python.inc   |  10 +-
 ...nt-parse-domains-containing-GH-13079.patch |  90 
 ...cape-the-server-title-of-DocXMLRPCSe.patch | 101 
 ...Resolve-intermediate-staging-issues.patch} |  53 +++--
 .../python/python/CVE-2018-20852.patch| 123 --
 .../python/python/CVE-2019-9740.patch | 215 --
 .../python/bpo-35907-cve-2019-9948-fix.patch  |  55 -
 .../python/bpo-35907-cve-2019-9948.patch  |  55 -
 .../python/bpo-36216-cve-2019-9636-fix.patch  |  28 ---
 .../python/bpo-36216-cve-2019-9636.patch  | 111 -
 .../python/bpo-36742-cve-2019-10160.patch |  81 ---
 .../{python_2.7.16.bb => python_2.7.17.bb}|   3 -
 14 files changed, 49 insertions(+), 903 deletions(-)
 rename meta/recipes-devtools/python/{python-native_2.7.16.bb => 
python-native_2.7.17.bb} (97%)
 delete mode 100644 
meta/recipes-devtools/python/python/0001-2.7-bpo-34155-Dont-parse-domains-containing-GH-13079.patch
 delete mode 100644 
meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
 rename meta/recipes-devtools/python/python/{builddir.patch => 
0001-python-Resolve-intermediate-staging-issues.patch} (58%)
 delete mode 100644 meta/recipes-devtools/python/python/CVE-2018-20852.patch
 delete mode 100644 meta/recipes-devtools/python/python/CVE-2019-9740.patch
 delete mode 100644 
meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948-fix.patch
 delete mode 100644 
meta/recipes-devtools/python/python/bpo-35907-cve-2019-9948.patch
 delete mode 100644 
meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636-fix.patch
 delete mode 100644 
meta/recipes-devtools/python/python/bpo-36216-cve-2019-9636.patch
 delete mode 100644 
meta/recipes-devtools/python/python/bpo-36742-cve-2019-10160.patch
 rename meta/recipes-devtools/python/{python_2.7.16.bb => python_2.7.17.bb} 
(97%)

diff --git 
a/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
 
b/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
index 989818927d..707ee596fa 100644
--- 
a/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
+++ 
b/meta/recipes-devtools/python/python-native/0001-python-native-fix-one-do_populate_sysroot-warning.patch
@@ -1,4 +1,4 @@
-From 12292444e1b3662b994bc223d92b8338fb0895ff Mon Sep 17 00:00:00 2001
+From 6cbb7529cf7ff0da3ca649fb3486facd9620d625 Mon Sep 17 00:00:00 2001
 From: Changqing Li 
 Date: Thu, 25 Oct 2018 07:32:14 +
 Subject: [PATCH] python-native: fix one do_populate_sysroot warning
@@ -17,23 +17,24 @@ when do_populate_sysroot. use append to fix it.
 Upstream-Status: Inappropriate [oe-specific]
 
 Signed-off-by: Changqing Li 
+
 ---
  setup.py | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/setup.py b/setup.py
-index 7bf13ed..6c0f29b 100644
+index a2c8127..22f9e23 100644
 --- a/setup.py
 +++ b/setup.py
-@@ -40,7 +40,7 @@ def add_dir_to_list(dirlist, dir):
- 1) 'dir' is not already in 'dirlist'
- 2) 'dir' actually exists, and is a directory."""
- if dir is not None and os.path.isdir(dir) and dir not in dirlist:
--dirlist.insert(0, dir)
-+dirlist.append(dir)
-
- def macosx_sdk_root():
- """
+@@ -47,7 +47,7 @@ def add_dir_to_list(dirlist, dir):
+ else:
+ dir_exists = os.path.isdir(dir)
+ if dir_exists:
+-dirlist.insert(0, dir)
++dirlist.append(dir)
+ 
+ MACOS_SDK_ROOT = None
+ 
 -- 
-2.18.0
+2.17.1
 
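Review bot: the only functional lines, `-dirlist.insert(0, dir)` / `+dirlist.append(dir)`, survive the rebase unchanged, now inside the `if dir_exists:` branch at `@@ -47,7 +47,7 @@`, so the intent of the oe-specific fix is preserved; the extra blank line inserted after the `Signed-off-by:` trailer (the lone `+` near the top of the hunk) is regeneration noise from `git format-patch` and can be dropped to keep the diff minimal.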
diff --git a/meta/recipes-devtools/python/python-native_2.7.16.bb 
b/meta/recipes-devtools/python/python-native_2.7.17.bb
similarity index 97%
rename from meta/recipes-devtools/python/python-native_2.7.16.bb
rename to meta/recipes-devtools/python/python-native_2.7.17.bb
index b7442800d9..335318bab8 100644
--- a/meta/recipes-devtools/python/python-native_2.7.16.bb
+++ b/meta/recipes-devtools/python/python-native_2.7.17.bb
@@ -12,7 +12,7 @@ SRC_URI += "\
 file://nohostlibs.patch \
 file://multilib.patch \
 file://add-md5module-support.patch \
-file://builddir.patch \
+
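Review bot: the hunk as archived ends right after the `+` line that replaces `file://builddir.patch \`, so the new SRC_URI entry is not visible here; the diffstat shows `builddir.patch` renamed to `0001-python-Resolve-intermediate-staging-issues.patch`, so confirm the python-native recipe references the renamed file and that nothing else in the list was dropped.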

[OE-core] [warrior 05/32] openssl: set CVE vendor to openssl

2020-01-16 Thread Armin Kuster
From: Anuj Mittal 

Differentiate it from openssl gem for Ruby.

Signed-off-by: Anuj Mittal 
Signed-off-by: Richard Purdie 
Signed-off-by: Adrian Bunk 
Signed-off-by: Armin Kuster 
---
 meta/recipes-connectivity/openssl/openssl_1.1.1b.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb 
b/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb
index 9e36df807c..13e6ad4db7 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1b.bb
@@ -204,3 +204,5 @@ RREPLACES_openssl-conf = "openssl10-conf"
 RCONFLICTS_openssl-conf = "openssl10-conf"
 
 BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT = "openssl:openssl"
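Review bot: `CVE_PRODUCT` is appended after `BBCLASSEXTEND` at the very end of the recipe, whereas the other CVE_PRODUCT patches in this series put it next to the metadata near the top of the file; consider the same placement for consistency, and add a comment naming the excluded product (the Ruby openssl gem, per the commit message) above the assignment.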
-- 
2.17.1



[OE-core] [warrior 01/32] bind: fix CVE-2019-6471 and CVE-2018-5743

2020-01-16 Thread Armin Kuster
From: Kai Kang 

Backport patches to fix CVE-2019-6471 and CVE-2018-5743 for bind.
CVE-2019-6471 is fixed by 0001-bind-fix-CVE-2019-6471.patch and the
other 6 patches are for CVE-2018-5743. And backport one more patch to
fix compile error on arm caused by these 6 commits.

(From OE-Core rev: 3c39d4158677b97253df63f23b74c3a9dd5539f6)

Signed-off-by: Kai Kang 
Signed-off-by: Richard Purdie 
Signed-off-by: Anuj Mittal 
Signed-off-by: Armin Kuster 
---
 .../bind/0001-bind-fix-CVE-2019-6471.patch|  64 ++
 ...01-fix-enforcement-of-tcp-clients-v1.patch |  60 ++
 ...p-clients-could-still-be-exceeded-v2.patch | 670 +
 ...rence-counter-for-pipeline-groups-v3.patch | 278 ++
 ...accounting-and-client-mortality-chec.patch | 512 ++
 ...a-and-pipeline-refs-allow-special-ca.patch | 911 ++
 ...allowance-for-tcp-clients-interfaces.patch |  80 ++
 ...perations-in-bin-named-client.c-with.patch | 140 +++
 .../bind/bind_9.11.5-P4.bb|   8 +
 9 files changed, 2723 insertions(+)
 create mode 100644 
meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0007-Replace-atomic-operations-in-bin-named-client.c-with.patch

diff --git 
a/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch 
b/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
new file mode 100644
index 00..2fed99e1bb
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
@@ -0,0 +1,64 @@
+Backport patch to fix CVE-2019-6471.
+
+Ref:
+https://security-tracker.debian.org/tracker/CVE-2019-6471
+
+CVE: CVE-2019-6471
+Upstream-Status: Backport 
[https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb]
+
+Signed-off-by: Kai Kang 
+
+From 3a9c7bb80d4a609b86427406d9dd783199920b5b Mon Sep 17 00:00:00 2001
+From: Mark Andrews 
+Date: Tue, 19 Mar 2019 14:14:21 +1100
+Subject: [PATCH] move item_out test inside lock in dns_dispatch_getnext()
+
+(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712)
+---
+ lib/dns/dispatch.c | 12 
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
+index 408beda367..3278db4a07 100644
+--- a/lib/dns/dispatch.c
 b/lib/dns/dispatch.c
+@@ -134,7 +134,7 @@ struct dns_dispentry {
+   isc_task_t *task;
+   isc_taskaction_taction;
+   void   *arg;
+-  boolitem_out;
++  boolitem_out;
+   dispsocket_t*dispsocket;
+   ISC_LIST(dns_dispatchevent_t)   items;
+   ISC_LINK(dns_dispentry_t)   link;
+@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, 
dns_dispatchevent_t **sockevent) {
+   disp = resp->disp;
+   REQUIRE(VALID_DISPATCH(disp));
+ 
+-  REQUIRE(resp->item_out == true);
+-  resp->item_out = false;
+-
+   ev = *sockevent;
+   *sockevent = NULL;
+ 
+   LOCK(>lock);
++
++  REQUIRE(resp->item_out == true);
++  resp->item_out = false;
++
+   if (ev->buffer.base != NULL)
+   free_buffer(disp, ev->buffer.base, ev->buffer.length);
+   free_devent(disp, ev);
+@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
+   isc_task_send(disp->task[0], >ctlevent);
+ }
+ 
++/*
++ * disp must be locked.
++ */
+ static void
+ do_cancel(dns_dispatch_t *disp) {
+   dns_dispatchevent_t *ev;
+-- 
+2.20.1
+
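Review bot: the substantive change moves `REQUIRE(resp->item_out == true); resp->item_out = false;` from before `LOCK(...)` to after it, so the flag is tested and cleared under the dispatch lock instead of racing with other users of `resp`, and the added `/* disp must be locked. */` comment on `do_cancel` records the same invariant; that is the right shape of fix for this CVE. Two things to verify in the file actually committed, because the archived copy looks mangled: the line `+  LOCK(>lock);` is missing the `&disp-` prefix, and the `--- a/lib/dns/dispatch.c` header is followed by ` b/lib/dns/dispatch.c` with no `+++`. Compare the tree copy byte-for-byte with upstream commit 3a9c7bb80d4a609b86427406d9dd783199920b5b. The `Upstream-Status: Backport [...]` trailer is also wrapped across two lines, which trips scripts that parse the trailer.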
diff --git 
a/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch
 
b/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch
new file mode 100644
index 00..48ae125f84
--- /dev/null
+++ 
b/meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch
@@ -0,0 +1,60 @@
+Backport patch to fix CVE-2018-5743.
+
+Ref:
+https://security-tracker.debian.org/tracker/CVE-2018-5743
+
+CVE: CVE-2018-5743
+Upstream-Status: Backport 
[https://gitlab.isc.org/isc-projects/bind9/commit/ec2d50d]
+
+Signed-off-by: Kai Kang 
+
+From ec2d50da8d81814640e28593d912f4b96c7efece Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= 
+Date: Thu, 3 Jan 2019 14:17:43 +0100
+Subject: 

[OE-core] [warrior 03/32] python: fix CVE-2018-20852

2020-01-16 Thread Armin Kuster
From: Anuj Mittal 

Signed-off-by: Anuj Mittal 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 meta/recipes-devtools/python/python.inc   |   1 +
 .../python/python/CVE-2018-20852.patch| 123 ++
 2 files changed, 124 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python/CVE-2018-20852.patch

diff --git a/meta/recipes-devtools/python/python.inc 
b/meta/recipes-devtools/python/python.inc
index 8d0e90862c..70481002bb 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -13,6 +13,7 @@ SRC_URI = 
"http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://bpo-36216-cve-2019-9636.patch \
file://bpo-36216-cve-2019-9636-fix.patch \
file://CVE-2019-9740.patch \
+   file://CVE-2018-20852.patch \
"
 
 SRC_URI[md5sum] = "30157d85a2c0479c09ea2cbe61f2aaf5"
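Review bot: the new `file://CVE-2018-20852.patch \` entry sits inside the quoted SRC_URI list after the other CVE patches, fine; one naming nit is that the neighbouring files use the `bpo-NNNNN-cve-YYYY-NNNN.patch` pattern while this one is `CVE-2018-20852.patch` although it carries bpo-35121, so `bpo-35121-cve-2018-20852.patch` would keep the directory consistent.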
diff --git a/meta/recipes-devtools/python/python/CVE-2018-20852.patch 
b/meta/recipes-devtools/python/python/CVE-2018-20852.patch
new file mode 100644
index 00..23c784a210
--- /dev/null
+++ b/meta/recipes-devtools/python/python/CVE-2018-20852.patch
@@ -0,0 +1,123 @@
+From 979daae300916adb399ab5b51410b6ebd0888f13 Mon Sep 17 00:00:00 2001
+From: Xtreak 
+Date: Sat, 15 Jun 2019 20:59:43 +0530
+Subject: [PATCH] [2.7] bpo-35121: prefix dot in domain for proper subdomain
+ validation (GH-10258) (GH-13426)
+
+This is a manual backport of ca7fe5063593958e5efdf90f068582837f07bd14 since 
2.7 has `http.cookiejar` in `cookielib`
+
+
+https://bugs.python.org/issue35121
+CVE: CVE-2018-20852
+Upstream-Status: Backport [https://github.com/python/cpython/pull/13426]
+Signed-off-by: Anuj Mittal 
+---
+ Lib/cookielib.py  | 13 ++--
+ Lib/test/test_cookielib.py| 30 +++
+ .../2019-05-20-00-35-12.bpo-35121.RRi-HU.rst  |  4 +++
+ 3 files changed, 45 insertions(+), 2 deletions(-)
+ create mode 100644 
Misc/NEWS.d/next/Security/2019-05-20-00-35-12.bpo-35121.RRi-HU.rst
+
+diff --git a/Lib/cookielib.py b/Lib/cookielib.py
+index 2dd7c48728e0..0b471a42f296 100644
+--- a/Lib/cookielib.py
 b/Lib/cookielib.py
+@@ -1139,6 +1139,11 @@ def return_ok_domain(self, cookie, request):
+ req_host, erhn = eff_request_host(request)
+ domain = cookie.domain
+ 
++if domain and not domain.startswith("."):
++dotdomain = "." + domain
++else:
++dotdomain = domain
++
+ # strict check of non-domain cookies: Mozilla does this, MSIE5 doesn't
+ if (cookie.version == 0 and
+ (self.strict_ns_domain & self.DomainStrictNonDomain) and
+@@ -1151,7 +1156,7 @@ def return_ok_domain(self, cookie, request):
+ _debug("   effective request-host name %s does not domain-match "
+"RFC 2965 cookie domain %s", erhn, domain)
+ return False
+-if cookie.version == 0 and not ("."+erhn).endswith(domain):
++if cookie.version == 0 and not ("."+erhn).endswith(dotdomain):
+ _debug("   request-host %s does not match Netscape cookie domain "
+"%s", req_host, domain)
+ return False
+@@ -1165,7 +1170,11 @@ def domain_return_ok(self, domain, request):
+ req_host = "."+req_host
+ if not erhn.startswith("."):
+ erhn = "."+erhn
+-if not (req_host.endswith(domain) or erhn.endswith(domain)):
++if domain and not domain.startswith("."):
++dotdomain = "." + domain
++else:
++dotdomain = domain
++if not (req_host.endswith(dotdomain) or erhn.endswith(dotdomain)):
+ #_debug("   request domain %s does not match cookie domain %s",
+ #   req_host, domain)
+ return False
+diff --git a/Lib/test/test_cookielib.py b/Lib/test/test_cookielib.py
+index f2dd9727d137..7f7ff614d61d 100644
+--- a/Lib/test/test_cookielib.py
 b/Lib/test/test_cookielib.py
+@@ -368,6 +368,7 @@ def test_domain_return_ok(self):
+ ("http://foo.bar.com/;, ".foo.bar.com", True),
+ ("http://foo.bar.com/;, "foo.bar.com", True),
+ ("http://foo.bar.com/;, ".bar.com", True),
++("http://foo.bar.com/;, "bar.com", True),
+ ("http://foo.bar.com/;, "com", True),
+ ("http://foo.com/;, "rhubarb.foo.com", False),
+ ("http://foo.com/;, ".foo.com", True),
+@@ -378,6 +379,8 @@ def test_domain_return_ok(self):
+ ("http://foo/;, "foo", True),
+ ("http://foo/;, "foo.local", True),
+ ("http://foo/;, ".local", True),
++("http://barfoo.com;, ".foo.com", False),
++("http://barfoo.com;, "foo.com", False),
+ ]:
+ request = urllib2.Request(url)
+ r = pol.domain_return_ok(domain, request)
+@@ -938,6 +941,33 @@ def test_domain_block(self):
+ c.add_cookie_header(req)
+ 
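Review bot: the `dotdomain` computation (`if domain and not domain.startswith("."): dotdomain = "." + domain`) is duplicated verbatim in `return_ok_domain` and `domain_return_ok`; staying line-for-line with upstream is acceptable for a backport, but note it so nobody "fixes" one copy without the other. On the fix itself: with a cookie domain of `foo.com`, the old `("."+erhn).endswith(domain)` accepted a request host of `barfoo.com`, and the added tests `("http://barfoo.com", ".foo.com", False)` / `("http://barfoo.com", "foo.com", False)` pin exactly that case, which is the CVE-2018-20852 behaviour. The test URLs appear as `"http://foo.bar.com/;` in this archive (the closing `",` is mangled), so check the .patch file in the tree is the clean upstream text.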

[OE-core] [warrior 02/32] python: fix CVE-2019-16935

2020-01-16 Thread Armin Kuster
From: Chen Qi 

(From OE-Core rev: 1a7593bcdaf8a8cf15259aee8a0e2686247f2987)

Signed-off-by: Chen Qi 
Signed-off-by: Richard Purdie 
Signed-off-by: Anuj Mittal 
Signed-off-by: Richard Purdie 
Signed-off-by: Armin Kuster 
---
 ...cape-the-server-title-of-DocXMLRPCSe.patch | 101 ++
 meta/recipes-devtools/python/python_2.7.16.bb |   1 +
 2 files changed, 102 insertions(+)
 create mode 100644 
meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch

diff --git 
a/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
 
b/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
new file mode 100644
index 00..3025cf7bc8
--- /dev/null
+++ 
b/meta/recipes-devtools/python/python/0001-2.7-bpo-38243-Escape-the-server-title-of-DocXMLRPCSe.patch
@@ -0,0 +1,101 @@
+From b161c89c8bd66fe928192e21364678c8e9b8fcc0 Mon Sep 17 00:00:00 2001
+From: Dong-hee Na 
+Date: Tue, 1 Oct 2019 19:58:01 +0900
+Subject: [PATCH] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer
+ (GH-16447)
+
+Escape the server title of DocXMLRPCServer.DocXMLRPCServer
+when rendering the document page as HTML.
+
+CVE: CVE-2019-16935
+
+Upstream-Status: Backport 
[https://github.com/python/cpython/pull/16447/commits/b41cde823d026f2adc21ef14b1c2e92b1006de06]
+
+Signed-off-by: Chen Qi 
+---
+ Lib/DocXMLRPCServer.py| 13 +++-
+ Lib/test/test_docxmlrpc.py| 20 +++
+ .../2019-09-25-13-21-09.bpo-38243.1pfz24.rst  |  3 +++
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+ create mode 100644 
Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+
+diff --git a/Lib/DocXMLRPCServer.py b/Lib/DocXMLRPCServer.py
+index 4064ec2e48..90b037dd35 100644
+--- a/Lib/DocXMLRPCServer.py
 b/Lib/DocXMLRPCServer.py
+@@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXMLRPCServer,
+ CGIXMLRPCRequestHandler,
+ resolve_dotted_attribute)
+ 
++
++def _html_escape_quote(s):
++s = s.replace("&", "") # Must be done first!
++s = s.replace("<", "")
++s = s.replace(">", "")
++s = s.replace('"', "")
++s = s.replace('\'', "")
++return s
++
++
+ class ServerHTMLDoc(pydoc.HTMLDoc):
+ """Class used to generate pydoc HTML document for a server"""
+ 
+@@ -210,7 +220,8 @@ class XMLRPCDocGenerator:
+ methods
+ )
+ 
+-return documenter.page(self.server_title, documentation)
++title = _html_escape_quote(self.server_title)
++return documenter.page(title, documentation)
+ 
+ class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
+ """XML-RPC and documentation request handler class.
+diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
+index 4dff4159e2..c45b892b8b 100644
+--- a/Lib/test/test_docxmlrpc.py
 b/Lib/test/test_docxmlrpc.py
+@@ -1,5 +1,6 @@
+ from DocXMLRPCServer import DocXMLRPCServer
+ import httplib
++import re
+ import sys
+ from test import test_support
+ threading = test_support.import_module('threading')
+@@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase):
+ self.assertIn("""Tryself.add,too.""",
+   response.read())
+ 
++def test_server_title_escape(self):
++"""Test that the server title and documentation
++are escaped for HTML.
++"""
++
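Review bot: the body of `_html_escape_quote` as shown here replaces `&`, `<`, `>`, `"` and `'` with the empty string `""`, which strips the characters rather than escaping them; that reads like the HTML entities were lost when the mail was archived, so verify that the .patch file in the tree carries the entity strings from upstream commit b41cde823d026f2adc21ef14b1c2e92b1006de06 before merging, because a copy that deletes instead of escapes would still pass a naive "no `<` in output" check while changing the rendered title. The `Tryself.add,too.` assertion string in the context and the cut-off `test_server_title_escape` body are further signs the archived copy is not byte-exact. The `import re` added to the test module is only used by that test body.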

[OE-core] [warrior 00/32] Pull request

2020-01-16 Thread Armin Kuster
Please consider this series for the next warrior release.

The following changes since commit 0a1b1e88b936177344392e185fbd077622d88b3e:

  file: fix CVE-2019-18218 (2019-11-11 20:49:54 -0800)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/warrior-next
  http://cgit.openembedded.org//log/?h=stable/warrior-next

Alexander Kanavin (2):
  python: update to 2.7.17
  sudo: correct SRC_URI

Anuj Mittal (2):
  python: fix CVE-2018-20852
  openssl: set CVE vendor to openssl

Armin Kuster (1):
  stress: update SRC_URI

Chen Qi (3):
  python: fix CVE-2019-16935
  libxfont2: set CVE_PRODUCT
  webkitgtk: set CVE_PRODUCT

Ferry Toth (1):
  sudo: Fix fetching sources

Kai Kang (1):
  bind: fix CVE-2019-6471 and CVE-2018-5743

Khem Raj (1):
  sdk: Install nativesdk locales for all TCLIBC variants

Niko Mauno (1):
  cve-check: Switch to NVD CVE JSON feed version 1.1

Oleksandr Kravchuk (1):
  popt: fix SRC_URI

Ross Burton (18):
  flex: set CVE_PRODUCT to include vendor
  git: set CVE vendor to git-scm
  subversion: set CVE vendor to Apache
  ed: set CVE vendor to avoid false positives
  boost: set CVE vendor to Boost
  libpam: set CVE_PRODUCT
  libsndfile1: whitelist CVE-2018-13419
  procps: whitelist CVE-2018-1121
  cve-check: ensure all known CVEs are in the report
  cve-check: failure to parse versions should be more visible
  cve-check: we don't actually need to unpack to check
  cve-update-db-native: don't refresh more than once an hour
  cve-update-db-native: don't hardcode the database name
  cve-update-db-native: add an index on the CVE ID column
  cve-update-db-native: clean up proxy handling
  cve-check: rewrite look to fix false negatives
  cve-check: neaten get_cve_info
  cve-check: fetch CVE data once at a time instead of in a single call

Zang Ruochen (1):
  libpcap: upgrade 1.9.0 -> 1.9.1

 meta/classes/cve-check.bbclass| 105 +-
 meta/lib/oe/sdk.py|   4 -
 .../bind/0001-bind-fix-CVE-2019-6471.patch|  64 ++
 ...01-fix-enforcement-of-tcp-clients-v1.patch |  60 ++
 ...p-clients-could-still-be-exceeded-v2.patch | 670 +
 ...rence-counter-for-pipeline-groups-v3.patch | 278 ++
 ...accounting-and-client-mortality-chec.patch | 512 ++
 ...a-and-pipeline-refs-allow-special-ca.patch | 911 ++
 ...allowance-for-tcp-clients-interfaces.patch |  80 ++
 ...perations-in-bin-named-client.c-with.patch | 140 +++
 .../bind/bind_9.11.5-P4.bb|   8 +
 ...-add-missing-limits.h-for-musl-syste.patch |  29 -
 .../{libpcap_1.9.0.bb => libpcap_1.9.1.bb}|   5 +-
 .../openssl/openssl_1.1.1b.bb |   2 +
 .../recipes-core/meta/cve-update-db-native.bb |  46 +-
 meta/recipes-devtools/flex/flex_2.6.0.bb  |   3 +
 meta/recipes-devtools/git/git.inc |   2 +
 ...-fix-one-do_populate_sysroot-warning.patch |  25 +-
 ...tive_2.7.16.bb => python-native_2.7.17.bb} |   2 +-
 meta/recipes-devtools/python/python.inc   |   9 +-
 ...nt-parse-domains-containing-GH-13079.patch |  90 --
 ...Resolve-intermediate-staging-issues.patch} |  53 +-
 .../python/python/CVE-2019-9740.patch | 215 -
 .../python/bpo-35907-cve-2019-9948-fix.patch  |  55 --
 .../python/bpo-35907-cve-2019-9948.patch  |  55 --
 .../python/bpo-36216-cve-2019-9636-fix.patch  |  28 -
 .../python/bpo-36216-cve-2019-9636.patch  | 111 ---
 .../python/bpo-36742-cve-2019-10160.patch |  81 --
 .../{python_2.7.16.bb => python_2.7.17.bb}|   2 -
 .../subversion/subversion_1.11.1.bb   |   2 +
 meta/recipes-extended/ed/ed_1.15.bb   |   2 +
 meta/recipes-extended/pam/libpam_1.3.0.bb |   2 +
 meta/recipes-extended/procps/procps_3.3.15.bb |   3 +
 meta/recipes-extended/stress/stress_1.0.4.bb  |   2 +-
 meta/recipes-extended/sudo/sudo_1.8.27.bb |   2 +-
 .../xorg-lib/libxfont2_2.0.3.bb   |   2 +
 .../libsndfile/libsndfile1_1.0.28.bb  |   3 +
 meta/recipes-sato/webkit/webkitgtk_2.22.7.bb  |   2 +
 meta/recipes-support/boost/boost.inc  |   2 +
 meta/recipes-support/popt/popt_1.16.bb|   2 +-
 40 files changed, 2873 insertions(+), 796 deletions(-)
 create mode 100644 
meta/recipes-connectivity/bind/bind/0001-bind-fix-CVE-2019-6471.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0001-fix-enforcement-of-tcp-clients-v1.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0002-tcp-clients-could-still-be-exceeded-v2.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0003-use-reference-counter-for-pipeline-groups-v3.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0004-better-tcpquota-accounting-and-client-mortality-chec.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0005-refactor-tcpquota-and-pipeline-refs-allow-special-ca.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind/0006-restore-allowance-for-tcp-clients-interfaces.patch
 create mode 100644 

Re: [OE-core] [PATCH] gettext: Fix overloadable error with clang

2020-01-16 Thread Khem Raj
On Thu, Jan 16, 2020 at 5:13 AM Adrian Bunk  wrote:
>
> On Wed, Jan 15, 2020 at 08:46:09PM -0800, Khem Raj wrote:
> > Clang detects that getcwd is being re-declared and signatures don't
> > match, simple solution is to let clang use overloadable attribute
> >...
> > +Fixes
> > +dcigettext.c:147:7: error: redeclaration of 'getcwd' must have the 
> > 'overloadable' attribute
> >...
> > +-char *getcwd ();
> >...
>
> Looks like a bug in clang to me, and should be fixed there.
>
> The code does not tell anything regarding the parameters,
> but clang seems to misinterpret it as "no parameters".
>
it's conflicting with the declaration from the glibc system headers

usr/include/unistd.h:extern char *getcwd (char *__buf, size_t __size)
__THROW __wur;

> cu
> Adrian


Re: [OE-core] [PATCH 02/12] gstreamer1.0: Transition to meson based builds

2020-01-16 Thread Ross Burton

Changes to packages/core2-64-poky-linux/gstreamer1.0 (sysroot):
  /usr/share/bash-completion/helpers/gst was removed
  /usr/share/bash-completion/helpers was removed
  /usr/share/bash-completion/completions/gst-launch-1.0 was removed
  /usr/share/bash-completion/completions was removed

Bash completion was on by default previously.  Also there's a class to 
package it neatly.


Ross


Re: [OE-core] [PATCH 04/12] gstreamer1.0-plugins-good: Transition to meson based builds

2020-01-16 Thread Ross Burton
Changes to images/qemux86_64/glibc/core-image-sato 
(installed-package-names.txt):

  gstreamer1.0-plugins-good-monoscope was added
  gstreamer1.0-plugins-good-oss4 was added

These were not being built with autotools.  Do we want them to be 
enabled out of the box and do we want PACKAGECONFIGs for them?


(the minimal-impact response would be no and yes)

Ross


Re: [OE-core] [PATCH] security_flags: Remove stack protector flags from LDFLAGS

2020-01-16 Thread Junling Zheng
Ping...

On 2020/1/2 18:53, Junling Zheng wrote:
> The stack protector flag is a compile option, not a link option, so
> remove it from LDFLAGS.
> 
> Signed-off-by: Junling Zheng 
> ---
>  meta/conf/distro/include/security_flags.inc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/meta/conf/distro/include/security_flags.inc 
> b/meta/conf/distro/include/security_flags.inc
> index aaf04e9e59..5b79340be9 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -26,8 +26,8 @@ SECURITY_STACK_PROTECTOR ?= "-fstack-protector-strong"
>  SECURITY_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${SECURITY_PIE_CFLAGS} 
> ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>  SECURITY_NO_PIE_CFLAGS ?= "${SECURITY_STACK_PROTECTOR} ${lcl_maybe_fortify} 
> ${SECURITY_STRINGFORMAT}"
>  
> -SECURITY_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro,-z,now"
> -SECURITY_X_LDFLAGS ?= "${SECURITY_STACK_PROTECTOR} -Wl,-z,relro"
> +SECURITY_LDFLAGS ?= "-Wl,-z,relro,-z,now"
> +SECURITY_X_LDFLAGS ?= "-Wl,-z,relro"
>  
>  # powerpc does not get on with pie for reasons not looked into as yet
>  GCCPIE_powerpc = ""
> 
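Review bot: the commit message's claim that the stack protector flag is "not a link option" should be qualified before the flag is removed from both `SECURITY_LDFLAGS` and `SECURITY_X_LDFLAGS`: when gcc acts as the link driver, `-fstack-protector*` on the link line is also what makes it pull in libssp for toolchains whose libc does not supply the `__stack_chk_*` symbols, so dropping it is only a no-op where the libc provides them. Record in the commit message which TCLIBC variants this was checked against, or keep the flag in LDFLAGS for the bare-metal / libc-less case; the `-Wl,-z,relro,-z,now` part is untouched and fine.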




Re: [OE-core] [PATCH] gettext: Fix overloadable error with clang

2020-01-16 Thread Adrian Bunk
On Wed, Jan 15, 2020 at 08:46:09PM -0800, Khem Raj wrote:
> Clang detects that getcwd is being re-declared and signatures don't
> match, simple solution is to let clang use overloadable attribute
>...
> +Fixes
> +dcigettext.c:147:7: error: redeclaration of 'getcwd' must have the 
> 'overloadable' attribute
>...
> +-char *getcwd ();
>...

Looks like a bug in clang to me, and should be fixed there.

The code does not tell anything regarding the parameters,
but clang seems to misinterpret it as "no parameters".

cu
Adrian


Re: [OE-core] Best practices: Multiple images on one partition.

2020-01-16 Thread Ricardo Ribalda Delgado
Hi Paul

It looks interesting, I guess I can use your code and extend it to
support a complete file system instead of just a file. Will come back to
the list with a patch in case someone else finds it useful

Thanks

On Wed, Jan 15, 2020 at 2:53 PM Paul Barker  wrote:
>
> On Wed, 15 Jan 2020 at 13:05, Ricardo Ribalda Delgado
>  wrote:
> >
> > Hello
> >
> > I am trying to figure out the best way to achieve this. I have a
> > system with a host and a target. The target netboots from the host and
> > has a different package architecture.
> >
> > Usually I was solving this with one partition per image/machine,
> > combined using a .wks file like:
> >
> > part /export --source rootfs --rootfs-dir=target-image  --fstype=ext4
> > --label export --align 1024 --use-uuid --fsoptions defaults,ro
> > --extra-space 400M
> > part / --source rootfs --fstype=ext4 --label rootfs --align 1024
> > --use-uuid --fsoptions defaults,ro --extra-space 400M
> >
> > and then calling wic file after generating both images. ("wic create")
> >
> > This works fine, but now I need to combine both partitions into one.
> > The reason is that the partition needs to play nice with the current
> > OTA upgrade system.
> >
> > What would be the best way to do this?
> >
> > 1) Implement a new wic plugin, called something like muli-rootfs,
> > where I can specify multiple rootfs and in which directory to unpack
> > them
> >
> > 2) Implement a .bb file that combines the two images in one.
> >
> > do_install() {
> > tar -mzxf $HOST/host-image.tar.gz  -C ${D}/
> > tar -mzxf $HOST/target-image.tar.gz  -C ${D}/export
> > }
> >
> > 3) Another way that I am not aware of :)
>
> I've recently added the `--include-path` option to wic on master which
> may be helpful here:
> https://git.openembedded.org/openembedded-core/commit/?id=d4cd27a9837426e809190548a83c6c7c76505114.
> My use case was multiple rootfs copies on different partitions, with
> extra files added to just one copy of the rootfs. But it may also be
> useful for this case.
>
> Thanks,
> Paul



-- 
Ricardo Ribalda
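Option 2 from the thread (a recipe whose do_install() untars both image tarballs into ${D}, with the target image under /export) written out as a stand-alone POSIX shell script, so the merge can be run and checked outside bitbake. This is an added example, not code from the thread, from OE-core or from wic; the function names, the archive names and the `export` prefix are assumptions, and the tarballs it runs on are constructed inside the script. Beyond the thread's two `tar` lines it adds the one check a practitioner wants before unpacking an archive into a rootfs: refuse members with absolute paths or `..` components, so a tarball can never write outside the destination.

```shell
#!/bin/sh
# Added example (not code from the thread, from OE-core or from wic): merge a
# host rootfs tarball and a target rootfs tarball into one directory tree with
# the target tree under /export, mirroring option 2 in the thread.
# Assumptions: archive names, the "export" prefix and the function names are
# hypothetical; tar is GNU tar or bsdtar, both of which accept -x -m -f / -t -f.
set -eu

# Return 0 when an archive member name cannot escape the extraction directory:
# no absolute paths and no ".." path components.
safe_member() {
    case "$1" in
        /*|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

# List the archive and refuse it if any member is unsafe. Modern tar strips
# such names itself, but checking up front makes the policy explicit and loud.
check_members() {
    archive=$1
    tar -tf "$archive" | while IFS= read -r member; do
        if ! safe_member "$member"; then
            echo "refusing $archive: unsafe member '$member'" >&2
            exit 1   # leaves only this pipeline subshell; the pipeline then fails
        fi
    done
}

# Unpack one rootfs tarball into $dest/$subdir (empty $subdir means the root).
# -m drops archive mtimes, as the thread's do_install() does. As an unprivileged
# user tar leaves the files owned by that user; inside a real recipe this runs
# under pseudo, so the ownership stored in the image tarball is preserved.
extract_rootfs() {
    archive=$1
    dest=$2
    subdir=${3:-}
    target=$dest/$subdir
    check_members "$archive" || return 1
    mkdir -p "$target"
    tar -xmf "$archive" -C "$target"
}

# Build the combined tree: host image at the root, target image under /export.
merge_images() {
    host_tar=$1
    target_tar=$2
    dest=$3
    extract_rootfs "$host_tar" "$dest" || return 1
    extract_rootfs "$target_tar" "$dest" export || return 1
    # The target rootfs must be fully contained in the export prefix.
    [ -d "$dest/export" ]
}

# Demo run on two constructed tarballs (sample input, not real image files).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/host/etc" "$tmp/target/etc"
    echo host-image > "$tmp/host/etc/hostname"
    echo target-image > "$tmp/target/etc/hostname"
    tar -cf "$tmp/host-image.tar" -C "$tmp/host" .
    tar -cf "$tmp/target-image.tar" -C "$tmp/target" .
    merge_images "$tmp/host-image.tar" "$tmp/target-image.tar" "$tmp/rootfs"
    cat "$tmp/rootfs/etc/hostname" "$tmp/rootfs/export/etc/hostname"
    rm -rf "$tmp"
}

demo
```

The `check_members` pass is the part that matters for a read-only, NFS-exported tree: the image tarballs come out of the same build, but the merge step is where two separately built package architectures meet, and refusing `..` and absolute members up front is cheaper than auditing ${D} afterwards. In a real recipe the same two `tar` calls would sit in do_install() under pseudo so that ownership and mode bits from the image tarballs survive.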