Re: [OE-core] [PATCH] make-mod-scripts: preserve libraries when rm_work is used

2023-04-22 Thread Christoph Lauer

On 21.04.23 at 22:28, Bruce Ashfield wrote:

On Wed, Apr 19, 2023 at 11:03 PM Bruce Ashfield via lists.openembedded.org wrote:


On Wed, Apr 19, 2023 at 6:54 PM Richard Purdie wrote:


On Wed, 2023-04-19 at 23:34 +0100, Jose Quaresma wrote:

Hi,

Not related with the previous discussion but just for your information.
The rm_work.bbclass has an exception for the kernel recipes [1].
So I don't understand why we can't do the same for the make-mod-scripts
who is the twin brother of all these kernel recipes.

[1]
https://git.openembedded.org/openembedded-core/tree/meta/classes/rm_work.bbclass#n168


Ideally we wouldn't be doing this for the kernel recipes.

There is also a big difference to that and the proposed patch. The
proposed patch was preserving a specific directory rather than an
entire recipe. Removing the task stamps but leaving a small piece of
WORKDIR is quite different to preserving WORKDIR and STAMPS for a
specific recipe. The former is not tested and will break things. The
latter is better tolerated by bitbake.


Agreed.

Plus, I am working on this now.

I have static linking of the scripts/tools working, but what I haven't
figured out is how to do that without patching the Makefiles.



It turned out to be quite the battle to get older kernels what was
required for static linking of the tools.

Attached is my WIP patch. I'm out of the office early next week, but
will revisit it once I'm back.

Bruce


Next up will be some rpath trickery.

Bruce



So yes, we could do the same. I'm sure there will be other recipes
people want to preserve for other reasons. Where do we draw the line?
We could preserve everything and drop rm_work, then we wouldn't have
these problems? :)

Cheers,

Richard




--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II








Thank you for your work, I see you put some time and effort into it.
HOSTPKG_CONFIG is, as you mentioned, available since kernel version 5.19
(see kernel patch [1]), so we need a way to call 'pkg-config --static'
with pre-5.19 kernels. A way without modifying the Makefile would be to
modify openssl's pkg-config in recipe-sysroot-native of make-mod-script,
so 'pkg-config --libs' actually shows the dependencies of 'pkg-config
--static --libs', but it's a bit hacky.

Also fully-static executables still need the same glibc during runtime
that they were built with, which makes them error-prone and is generally
discouraged. As an alternative, we could build dynamic executables that
use the static libcrypto library. The linker links by default against
the shared library, so we could remove them from recipe-sysroot-native
to force linking against the static library (again, somewhat hacky).

[1]
https://github.com/torvalds/linux/commit/d5ea4fece4508bf8e72b659cd22fa4840d8d61e5

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#180301): 
https://lists.openembedded.org/g/openembedded-core/message/180301
Mute This Topic: https://lists.openembedded.org/mt/98296212/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][kirkstone 0/8] Patch review

2023-04-22 Thread Steve Sakoman
Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5209

The following changes since commit b67e714b367a08fdeeeff68c2d9495ec9bc07304:

  package.bbclass: correct check for /build in copydebugsources() (2023-04-14 
07:19:08 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Hitendra Prajapati (2):
  ruby: CVE-2023-28756 ReDoS vulnerability in Time
  screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs

Peter Marko (1):
  go: ignore CVE-2022-41716

Shubham Kulkarni (1):
  go-runtime: Security fix for CVE-2022-41722

Siddharth Doshi (1):
  curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538

Sundeep KOKKONDA (1):
  cargo : non vulnerable cve-2022-46176 added to excluded list

Vivek Kumbhar (1):
  go: fix CVE-2023-24537 Infinite loop in parsing

Xiangyu Chen (1):
  shadow: backport patch to fix CVE-2023-29383

 .../distro/include/cve-extra-exclusions.inc   |   5 +
 meta/recipes-devtools/go/go-1.17.13.inc   |   5 +
 .../go/go-1.18/CVE-2022-41722.patch   | 103 +
 .../go/go-1.18/CVE-2023-24537.patch   |  75 +++
 .../ruby/ruby/CVE-2023-28756.patch|  73 +++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb  |   1 +
 .../screen/screen/CVE-2023-24626.patch|  40 
 meta/recipes-extended/screen/screen_4.9.0.bb  |   1 +
 .../files/0001-Overhaul-valid_field.patch |  65 ++
 .../shadow/files/CVE-2023-29383.patch |  53 +
 meta/recipes-extended/shadow/shadow.inc   |   2 +
 .../curl/curl/CVE-2023-27535-pre1.patch   | 196 ++
 .../CVE-2023-27535_and_CVE-2023-27538.patch   | 170 +++
 .../curl/curl/CVE-2023-27536.patch|  52 +
 meta/recipes-support/curl/curl_7.82.0.bb  |   3 +
 15 files changed, 844 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
 create mode 100644 meta/recipes-extended/screen/screen/CVE-2023-24626.patch
 create mode 100644 
meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
 create mode 100644 
meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch

-- 
2.34.1





[OE-core][kirkstone 1/8] ruby: CVE-2023-28756 ReDoS vulnerability in Time

2023-04-22 Thread Steve Sakoman
From: Hitendra Prajapati 

Upstream-Status: Backport from 
https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e

Signed-off-by: Hitendra Prajapati 
Signed-off-by: Steve Sakoman 
---
 .../ruby/ruby/CVE-2023-28756.patch| 73 +++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb  |  1 +
 2 files changed, 74 insertions(+)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch 
b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
new file mode 100644
index 00..cf24b13f53
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
@@ -0,0 +1,73 @@
+From 957bb7cb81995f26c671afce0ee50a5c660e540e Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA 
+Date: Wed, 29 Mar 2023 13:28:25 +0900
+Subject: [PATCH] CVE-2023-28756
+
+CVE: CVE-2023-28756
+Upstream-Status: Backport 
[https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e]
+Signed-off-by: Hitendra Prajapati 
+---
+ lib/time.gemspec  | 2 +-
+ lib/time.rb   | 6 +++---
+ test/test_time.rb | 9 +
+ 3 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/lib/time.gemspec b/lib/time.gemspec
+index 72fba34..bada91a 100644
+--- a/lib/time.gemspec
 b/lib/time.gemspec
+@@ -1,6 +1,6 @@
+ Gem::Specification.new do |spec|
+   spec.name  = "time"
+-  spec.version   = "0.2.0"
++  spec.version   = "0.2.2"
+   spec.authors   = ["Tanaka Akira"]
+   spec.email = ["a...@fsij.org"]
+ 
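Review bot: The spec.version bump from "0.2.0" to "0.2.2" in lib/time.gemspec is carried along with the backport while the recipe stays ruby_3.1.3.bb, so the bundled time gem will report 0.2.2 although it only contains the hunks in this patch. If the bump is kept to stay identical to upstream commit 957bb7cb, say so in the patch header; otherwise drop this hunk so anything keyed on the gem version is not misled.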
+diff --git a/lib/time.rb b/lib/time.rb
+index bd20a1a..6a13212 100644
+--- a/lib/time.rb
 b/lib/time.rb
+@@ -509,8 +509,8 @@ class Time
+   (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+
+   (\d{2,})\s+
+   (\d{2})\s*
+-  :\s*(\d{2})\s*
+-  (?::\s*(\d{2}))?\s+
++  :\s*(\d{2})
++  (?:\s*:\s*(\d\d))?\s+
+   ([+-]\d{4}|
+UT|GMT|EST|EDT|CST|CDT|MST|MDT|PST|PDT|[A-IK-Z])/ix =~ date
+ # Since RFC 2822 permit comments, the regexp has no right anchor.
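Review bot: Neither the patch header (Subject is only "CVE-2023-28756") nor the commit message explains the regexp change in this hunk, which is the actual fix. One sentence would do: in the old pattern the `\s*` after the minutes field and the `\s+` after the optional seconds group could both consume the same run of spaces, and the new `(?:\s*:\s*(\d\d))?\s+` moves the optional whitespace inside the seconds group so that a bare run of spaces is matched by `\s+` alone.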
+@@ -701,7 +701,7 @@ class Time
+   #
+   # If self is a UTC time, Z is used as TZD.  [+-]hh:mm is used otherwise.
+   #
+-  # +fractional_digits+ specifies a number of digits to use for fractional
++  # +fraction_digits+ specifies a number of digits to use for fractional
+   # seconds.  Its default value is 0.
+   #
+   # require 'time'
+diff --git a/test/test_time.rb b/test/test_time.rb
+index b50d841..23e8e10 100644
+--- a/test/test_time.rb
 b/test/test_time.rb
+@@ -62,6 +62,15 @@ class TestTimeExtension < Test::Unit::TestCase # :nodoc:
+ assert_equal(true, t.utc?)
+   end
+ 
++  def test_rfc2822_nonlinear
++pre = ->(n) {"0 Feb 00 00 :00" + " " * n}
++assert_linear_performance([100, 500, 5000, 50_000], pre: pre) do |s|
++  assert_raise(ArgumentError) do
++Time.rfc2822(s)
++  end
++end
++  end
++
+   if defined?(Ractor)
+ def test_rfc2822_ractor
+   assert_ractor(<<~RUBY, require: 'time')
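Review bot: test_rfc2822_nonlinear calls assert_linear_performance, a helper this patch does not add. Please confirm that the test tooling in the ruby 3.1.3 tarball provides it; if it does not, the test fails with NoMethodError when the suite is run instead of exercising the fix, and either the helper needs backporting too or the test/test_time.rb hunk should be dropped from the backport.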
+-- 
+2.25.1
+
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb 
b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
index c8454da3a9..92efc5db91 100644
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -29,6 +29,7 @@ SRC_URI = 
"http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \

file://0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch \
file://0006-Make-gemspecs-reproducible.patch \
file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch 
\
+   file://CVE-2023-28756.patch \
"
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/";
 
-- 
2.34.1





[OE-core][kirkstone 2/8] curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538

2023-04-22 Thread Steve Sakoman
From: Siddharth Doshi 

Upstream-Status: Backport from 
[https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878, 
https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1, 
https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb, 
https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]

Signed-off-by: Siddharth Doshi 
Signed-off-by: Steve Sakoman 
---
 .../curl/curl/CVE-2023-27535-pre1.patch   | 196 ++
 .../CVE-2023-27535_and_CVE-2023-27538.patch   | 170 +++
 .../curl/curl/CVE-2023-27536.patch|  52 +
 meta/recipes-support/curl/curl_7.82.0.bb  |   3 +
 4 files changed, 421 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
 create mode 100644 
meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch 
b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
new file mode 100644
index 00..57e1cb9e13
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
@@ -0,0 +1,196 @@
+From ed5095ed94281989e103c72e032200b83be37878 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg 
+Date: Thu, 6 Oct 2022 00:49:10 +0200
+Subject: [PATCH] strcase: add and use Curl_timestrcmp
+
+This is a strcmp() alternative function for comparing "secrets",
+designed to take the same time no matter the content to not leak
+match/non-match info to observers based on how fast it is.
+
+The time this function takes is only a function of the shortest input
+string.
+
+Reported-by: Trail of Bits
+
+Closes #9658
+
+Upstream-Status: Backport from 
[https://github.com/curl/curl/commit/ed5095ed94281989e103c72e032200b83be37878]
+Comment: to backport fix for CVE-2023-27535, add function Curl_timestrcmp.
+Signed-off-by: Siddharth Doshi 
+---
+ lib/netrc.c |  6 +++---
+ lib/strcase.c   | 22 ++
+ lib/strcase.h   |  1 +
+ lib/url.c   | 33 +
+ lib/vauth/digest_sspi.c |  4 ++--
+ lib/vtls/vtls.c |  4 ++--
+ 6 files changed, 43 insertions(+), 27 deletions(-)
+
+diff --git a/lib/netrc.c b/lib/netrc.c
+index 0a4ae2c..b771b60 100644
+--- a/lib/netrc.c
 b/lib/netrc.c
+@@ -140,9 +140,9 @@ static int parsenetrc(const char *host,
+   /* we are now parsing sub-keywords concerning "our" host */
+   if(state_login) {
+ if(specific_login) {
+-  state_our_login = strcasecompare(login, tok);
++  state_our_login = !Curl_timestrcmp(login, tok);
+ }
+-else if(!login || strcmp(login, tok)) {
++else if(!login || Curl_timestrcmp(login, tok)) {
+   if(login_alloc) {
+ free(login);
+ login_alloc = FALSE;
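Review bot: In the specific_login branch, replacing `strcasecompare(login, tok)` with `!Curl_timestrcmp(login, tok)` also changes the login match from case-insensitive to case-sensitive, because Curl_timestrcmp XORs the raw bytes. The patch header only describes the timing aspect; please mention this behaviour change there and in the commit message, since a .netrc entry whose login differs from the requested one only in case stops matching after this backport.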
+@@ -158,7 +158,7 @@ static int parsenetrc(const char *host,
+   }
+   else if(state_password) {
+ if((state_our_login || !specific_login)
+-&& (!password || strcmp(password, tok))) {
++   && (!password || Curl_timestrcmp(password, tok))) {
+   if(password_alloc) {
+ free(password);
+ password_alloc = FALSE;
+diff --git a/lib/strcase.c b/lib/strcase.c
+index 692a3f1..be085b3 100644
+--- a/lib/strcase.c
 b/lib/strcase.c
+@@ -141,6 +141,28 @@ bool Curl_safecmp(char *a, char *b)
+   return !a && !b;
+ }
+ 
++/*
++ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
++ * function spends is a function of the shortest string, not of the contents.
++ */
++int Curl_timestrcmp(const char *a, const char *b)
++{
++  int match = 0;
++  int i = 0;
++
++  if(a && b) {
++while(1) {
++  match |= a[i]^b[i];
++  if(!a[i] || !b[i])
++break;
++  i++;
++}
++  }
++  else
++return a || b;
++  return match;
++}
++
+ /* --- public functions --- */
+ 
+ int curl_strequal(const char *first, const char *second)
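Review bot: The comment above Curl_timestrcmp() documents only the identical-strings case. It should also state that the result is zero or non-zero with no ordering (unlike strcmp), that `return a || b;` gives 0 for two NULL pointers and 1 when exactly one is NULL, and that the loop stops at the first terminator so the length of the shorter input remains observable. The call sites in this patch that swap it in for strcmp() depend on all three properties.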
+diff --git a/lib/strcase.h b/lib/strcase.h
+index 382b80a..c6979da 100644
+--- a/lib/strcase.h
 b/lib/strcase.h
+@@ -48,5 +48,6 @@ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+ 
+ bool Curl_safecmp(char *a, char *b);
++int Curl_timestrcmp(const char *first, const char *second);
+ 
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index df4377d..c397b57 100644
+--- a/lib/url.c
 b/lib/url.c
+@@ -930,19 +930,10 @@ socks_proxy_info_matches(const struct proxy_info *data,
+   /* the user information is case-sensitive
+  or at least it is not defined as case-insensitive
+  see https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1 */
+-  if(!data->user != !needle->user)
+-return FALSE;
+-  /* curl_strequal does a case insentive co

[OE-core][kirkstone 3/8] cargo : non vulnerable cve-2022-46176 added to excluded list

2023-04-22 Thread Steve Sakoman
From: Sundeep KOKKONDA 

This CVE (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security
vulnerability when using cargo ssh.
Kirkstone doesn't support rust on-target images and bitbake uses
'wget' (which uses 'https') for fetching the sources instead of ssh.
So cargo-native is also not vulnerable to this CVE and it is added to the excluded list.

Signed-off-by: Sundeep KOKKONDA 
Acked-by: Richard Purdie 
Signed-off-by: Steve Sakoman 
---
 meta/conf/distro/include/cve-extra-exclusions.inc | 5 +
 1 file changed, 5 insertions(+)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc 
b/meta/conf/distro/include/cve-extra-exclusions.inc
index 8b5f8d49b8..cb2d920441 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,6 +15,11 @@
 # the aim of sharing that work and ensuring we don't duplicate it.
 #
 
+#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
+#cargo security advisor 
https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
+#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 
is used and the rust on-target is not supported, so the target images are not 
vulnerable to the cve.
+#The bitbake using the 'wget' (which uses 'https') for fetching the sources 
instead of ssh. So, the cargo-native are also not vulnerable to this cve and so 
added to excluded list.
+CVE_CHECK_IGNORE += "CVE-2022-46176"
 
 # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
 # CVE is more than 20 years old with no resolution evident
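Review bot: `CVE_CHECK_IGNORE += "CVE-2022-46176"` is added unconditionally in the distro-wide cve-extra-exclusions.inc, but the justification in the added comment holds only while sources are fetched over https and cargo is not run on target. A build that has cargo-native reach dependencies over ssh falls outside that reasoning and would have the CVE silently suppressed. Suggest stating that precondition explicitly in the comment, and correcting "security advisor" to "security advisory" in the same lines.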
-- 
2.34.1





[OE-core][kirkstone 4/8] go-runtime: Security fix for CVE-2022-41722

2023-04-22 Thread Steve Sakoman
From: Shubham Kulkarni 

path/filepath: do not Clean("a/../c:/b") into c:\b on Windows

Backport from 
https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c

Signed-off-by: Shubham Kulkarni 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |   1 +
 .../go/go-1.18/CVE-2022-41722.patch   | 103 ++
 2 files changed, 104 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 23380f04c3..15d19ed124 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -26,6 +26,7 @@ SRC_URI += "\
 file://cve-2022-41724.patch \
 file://add_godebug.patch \
 file://cve-2022-41725.patch \
+file://CVE-2022-41722.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch 
b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
new file mode 100644
index 00..426a4f925f
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
@@ -0,0 +1,103 @@
+From a826b19625caebed6dd0f3fbd9d0111f6c83737c Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Mon, 12 Dec 2022 16:43:37 -0800
+Subject: [PATCH] path/filepath: do not Clean("a/../c:/b") into c:\b on Windows
+
+Do not permit Clean to convert a relative path into one starting
+with a drive reference. This change causes Clean to insert a .
+path element at the start of a path when the original path does not
+start with a volume name, and the first path element would contain
+a colon.
+
+This may introduce a spurious but harmless . path element under
+some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
+
+This reverts CL 401595, since the change here supersedes the one
+in that CL.
+
+Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
+
+Updates #57274
+Fixes #57276
+Fixes CVE-2022-41722
+
+Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
+Reviewed-by: Roland Shoemaker 
+Run-TryBot: Damien Neil 
+Reviewed-by: Julie Qiu 
+TryBot-Result: Security TryBots 

+(cherry picked from commit 8ca37f4813ef2f64600c92b83f17c9f3ca6c03a5)
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1728944
+Run-TryBot: Roland Shoemaker 
+Reviewed-by: Tatiana Bradley 
+Reviewed-by: Damien Neil 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/468119
+Reviewed-by: Than McIntosh 
+Run-TryBot: Michael Pratt 
+TryBot-Result: Gopher Robot 
+Auto-Submit: Michael Pratt 
+
+CVE: CVE-2022-41722
+Upstream-Status: Backport from 
https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18
+Signed-off-by: Shubham Kulkarni 
+---
+ src/path/filepath/path.go | 27 ++-
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
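Review bot: The Upstream-Status URL in this patch header ends in `...a4d674f18`, one character short of the `...a4d674f18c` given in the commit message, so it is not a full commit id as written. The `From a826b196...` line also names a different commit than the one in Upstream-Status; please correct the hash and state which upstream commit the backport was actually taken from.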
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 8300a32..94621a0 100644
+--- a/src/path/filepath/path.go
 b/src/path/filepath/path.go
+@@ -15,6 +15,7 @@ import (
+   "errors"
+   "io/fs"
+   "os"
++  "runtime"
+   "sort"
+   "strings"
+ )
+@@ -117,21 +118,9 @@ func Clean(path string) string {
+   case os.IsPathSeparator(path[r]):
+   // empty path element
+   r++
+-  case path[r] == '.' && r+1 == n:
++  case path[r] == '.' && (r+1 == n || 
os.IsPathSeparator(path[r+1])):
+   // . element
+   r++
+-  case path[r] == '.' && os.IsPathSeparator(path[r+1]):
+-  // ./ element
+-  r++
+-
+-  for r < len(path) && os.IsPathSeparator(path[r]) {
+-  r++
+-  }
+-  if out.w == 0 && volumeNameLen(path[r:]) > 0 {
+-  // When joining prefix "." and an absolute path 
on Windows,
+-  // the prefix should not be removed.
+-  out.append('.')
+-  }
+   case path[r] == '.' && path[r+1] == '.' && (r+2 == n || 
os.IsPathSeparator(path[r+2])):
+   // .. element: remove to last separator
+   r += 2
+@@ -157,6 +146,18 @@ func Clean(path string) string {
+   if rooted && out.w != 1 || !rooted && out.w != 0 {
+   out.append(Separator)
+   }
++  // If a ':' appears in the path element at the start of 
a Windows path,
++  // insert a .\ at the beginning to avoid converting 
relative paths
++  // like a/../c: into c:.
++  if runtime.GOOS == "
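Review bot: This change only alters behaviour on Windows: the patch subject says so and the new block in Clean() is gated on `runtime.GOOS`, with a comment about "a Windows path". Patch 6/8 of this series handles a Windows-specific Go CVE with a CVE_CHECK_IGNORE entry instead of a backport; the commit message should say why CVE-2022-41722 is treated differently, or the same approach should be used here to avoid carrying a 103-line patch that cannot affect Linux builds.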

[OE-core][kirkstone 5/8] shadow: backport patch to fix CVE-2023-29383

2023-04-22 Thread Steve Sakoman
From: Xiangyu Chen 

The fix of CVE-2023-29383.patch contains a bug that it rejects all
characters that are not control ones, so backup another patch named
"0001-Overhaul-valid_field.patch" from upstream to fix it.

Signed-off-by: Xiangyu Chen 
Signed-off-by: Steve Sakoman 
---
 .../files/0001-Overhaul-valid_field.patch | 65 +++
 .../shadow/files/CVE-2023-29383.patch | 53 +++
 meta/recipes-extended/shadow/shadow.inc   |  2 +
 3 files changed, 120 insertions(+)
 create mode 100644 
meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch

diff --git a/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch 
b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
new file mode 100644
index 00..ac08be515b
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
@@ -0,0 +1,65 @@
+From 2eaea70111f65b16d55998386e4ceb4273c19eb4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= 
+Date: Fri, 31 Mar 2023 14:46:50 +0200
+Subject: [PATCH] Overhaul valid_field()
+
+e5905c4b ("Added control character check") introduced checking for
+control characters but had the logic inverted, so it rejects all
+characters that are not control ones.
+
+Cast the character to `unsigned char` before passing to the character
+checking functions to avoid UB.
+
+Use strpbrk(3) for the illegal character test and return early.
+
+Upstream-Status: Backport 
[https://github.com/shadow-maint/shadow/commit/2eaea70111f65b16d55998386e4ceb4273c19eb4]
+
+Signed-off-by: Xiangyu Chen 
+---
+ lib/fields.c | 24 ++--
+ 1 file changed, 10 insertions(+), 14 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index fb51b582..53929248 100644
+--- a/lib/fields.c
 b/lib/fields.c
+@@ -37,26 +37,22 @@ int valid_field (const char *field, const char *illegal)
+ 
+   /* For each character of field, search if it appears in the list
+* of illegal characters. */
++  if (illegal && NULL != strpbrk (field, illegal)) {
++  return -1;
++  }
++
++  /* Search if there are non-printable or control characters */
+   for (cp = field; '\0' != *cp; cp++) {
+-  if (strchr (illegal, *cp) != NULL) {
++  unsigned char c = *cp;
++  if (!isprint (c)) {
++  err = 1;
++  }
++  if (iscntrl (c)) {
+   err = -1;
+   break;
+   }
+   }
+ 
+-  if (0 == err) {
+-  /* Search if there are non-printable or control characters */
+-  for (cp = field; '\0' != *cp; cp++) {
+-  if (!isprint (*cp)) {
+-  err = 1;
+-  }
+-  if (!iscntrl (*cp)) {
+-  err = -1;
+-  break;
+-  }
+-  }
+-  }
+-
+   return err;
+ }
+ 
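Review bot: The index lines show that this patch applies on top of CVE-2023-29383.patch (`fb51b582..53929248` here, `640be931..fb51b582` there), and its removed lines contain the inverted `if (!iscntrl (*cp))` check that the CVE patch introduced. SRC_URI in shadow.inc therefore has to list CVE-2023-29383.patch first, and the CVE patch must never be applied on its own. Suggest adding a `CVE: CVE-2023-29383` tag to this patch header as well, or a line in the CVE patch header pointing at this follow-up, so the pair stays together in later rebases.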
+-- 
+2.34.1
+
diff --git a/meta/recipes-extended/shadow/files/CVE-2023-29383.patch 
b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
new file mode 100644
index 00..f53341d3fc
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/CVE-2023-29383.patch
@@ -0,0 +1,53 @@
+From e5905c4b84d4fb90aefcd96ee618411ebfac663d Mon Sep 17 00:00:00 2001
+From: tomspiderlabs <128755403+tomspiderl...@users.noreply.github.com>
+Date: Thu, 23 Mar 2023 23:39:38 +
+Subject: [PATCH] Added control character check
+
+Added control character check, returning -1 (to "err") if control characters 
are present.
+
+CVE: CVE-2023-29383
+Upstream-Status: Backport
+
+Reference to upstream:
+https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
+
+Signed-off-by: Xiangyu Chen 
+---
+ lib/fields.c | 11 +++
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/fields.c b/lib/fields.c
+index 640be931..fb51b582 100644
+--- a/lib/fields.c
 b/lib/fields.c
+@@ -21,9 +21,9 @@
+  *
+  * The supplied field is scanned for non-printable and other illegal
+  * characters.
+- *  + -1 is returned if an illegal character is present.
+- *  +  1 is returned if no illegal characters are present, but the field
+- *   contains a non-printable character.
++ *  + -1 is returned if an illegal or control character is present.
++ *  +  1 is returned if no illegal or control characters are present,
++ *   but the field contains a non-printable character.
+  *  +  0 is returned otherwise.
+  */
+ int valid_field (const char *field, const char *illegal)
+@@ -45,10 +45,13 @@ int valid_field (const char *field, const char *illegal)
+   }
+ 
+   if (0 == err) {
+-  /* Search if there are some non-printable characters */
++  /* Search if there are non-printable or control characters */
+   for (cp = field; '\0' 

[OE-core][kirkstone 6/8] go: ignore CVE-2022-41716

2023-04-22 Thread Steve Sakoman
From: Peter Marko 

This CVE is specific to Microsoft Windows, ignore it.

Patch fixing it (https://go-review.googlesource.com/c/go/+/446916)
also adds a redundant check to generic os/exec which
could be backported but it should not be necessary as
backport always takes a small risk to break old code.

Signed-off-by: Peter Marko 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/go/go-1.17.13.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 15d19ed124..34d58aec2f 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -34,3 +34,6 @@ SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784
 # fix in 1.17 onwards where we can drop this.
 # https://github.com/golang/go/issues/30999#issuecomment-910470358
 CVE_CHECK_IGNORE += "CVE-2021-29923"
+
+# This is specific to Microsoft Windows
+CVE_CHECK_IGNORE += "CVE-2022-41716"
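Review bot: The added comment `# This is specific to Microsoft Windows` carries no reference, unlike the CVE-2021-29923 entry just above it, which links the upstream issue. Suggest adding the change URL from the commit message (https://go-review.googlesource.com/c/go/+/446916) and a short remark that the generic os/exec check in that change was deliberately not backported, so the decision is visible in the recipe and not only in git history.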
-- 
2.34.1





[OE-core][kirkstone 7/8] screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs

2023-04-22 Thread Steve Sakoman
From: Hitendra Prajapati 

Upstream-Status: Backport from 
https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7

Signed-off-by: Hitendra Prajapati 
Signed-off-by: Steve Sakoman 
---
 .../screen/screen/CVE-2023-24626.patch| 40 +++
 meta/recipes-extended/screen/screen_4.9.0.bb  |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-extended/screen/screen/CVE-2023-24626.patch

diff --git a/meta/recipes-extended/screen/screen/CVE-2023-24626.patch 
b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch
new file mode 100644
index 00..73caf9d81b
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch
@@ -0,0 +1,40 @@
+From e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Mon Sep 17 00:00:00 2001
+From: Alexander Naumov 
+Date: Mon, 30 Jan 2023 17:22:25 +0200
+Subject: fix: missing signal sending permission check on failed query messages
+
+Signed-off-by: Alexander Naumov 
+
+CVE: CVE-2023-24626
+Upstream-Status: Backport 
[https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7]
+Signed-off-by: Hitendra Prajapati 
+---
+ socket.c | 9 +++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/socket.c b/socket.c
+index bb68b35..9d87445 100644
+--- a/socket.c
 b/socket.c
+@@ -1285,11 +1285,16 @@ ReceiveMsg()
+   else
+ queryflag = -1;
+ 
+-  Kill(m.m.command.apid,
++  if (CheckPid(m.m.command.apid)) {
++Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
++  }
++  else {
++Kill(m.m.command.apid,
+(queryflag >= 0)
+? SIGCONT
+: SIG_BYE); /* Send SIG_BYE if an error happened */
+-  queryflag = -1;
++queryflag = -1;
++  }
+ }
+ break;
+   case MSG_COMMAND:
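Review bot: With `queryflag = -1;` moved inside the `else`, the new bad-pid branch leaves queryflag untouched after `Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);`, whereas before this change it was reset unconditionally after Kill(). If queryflag can be >= 0 on entry to this block, a rejected query now leaves it set. Please confirm that this is intended, or reset it in both branches.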
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/screen/screen_4.9.0.bb 
b/meta/recipes-extended/screen/screen_4.9.0.bb
index b36173b8de..19070d87d8 100644
--- a/meta/recipes-extended/screen/screen_4.9.0.bb
+++ b/meta/recipes-extended/screen/screen_4.9.0.bb
@@ -21,6 +21,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
file://0002-comm.h-now-depends-on-term.h.patch \
file://0001-fix-for-multijob-build.patch \
file://0001-Remove-more-compatibility-stuff.patch \
+   file://CVE-2023-24626.patch \
   "
 
 SRC_URI[sha256sum] = 
"f9335281bb4d1538ed078df78a20c2f39d3af9a4e91c57d084271e0289c730f4"
-- 
2.34.1





[OE-core][kirkstone 8/8] go: fix CVE-2023-24537 Infinite loop in parsing

2023-04-22 Thread Steve Sakoman
From: Vivek Kumbhar 

Setting a large line or column number using a //line directive can cause
integer overflow even in small source files.

Limit line and column numbers in //line directives to 2^30-1, which
is small enough to avoid int32 overflow on all reasonably-sized files.

Fixes CVE-2023-24537
Fixes #59273
For #59180

Signed-off-by: Vivek Kumbhar 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/go/go-1.17.13.inc   |  1 +
 .../go/go-1.18/CVE-2023-24537.patch   | 75 +++
 2 files changed, 76 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch

diff --git a/meta/recipes-devtools/go/go-1.17.13.inc 
b/meta/recipes-devtools/go/go-1.17.13.inc
index 34d58aec2f..cda9227042 100644
--- a/meta/recipes-devtools/go/go-1.17.13.inc
+++ b/meta/recipes-devtools/go/go-1.17.13.inc
@@ -27,6 +27,7 @@ SRC_URI += "\
 file://add_godebug.patch \
 file://cve-2022-41725.patch \
 file://CVE-2022-41722.patch \
+file://CVE-2023-24537.patch \
 "
 SRC_URI[main.sha256sum] = 
"a1a48b23afb206f95e7bbaa9b898d965f90826f6f1d1fc0c1d784ada0cd300fd"
 
diff --git a/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch 
b/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch
new file mode 100644
index 00..4521f159ea
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch
@@ -0,0 +1,75 @@
+From bf8c7c575c8a552d9d79deb29e80854dc88528d0 Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Mon, 20 Mar 2023 10:43:19 -0700
+Subject: [PATCH] [release-branch.go1.20] mime/multipart: limit parsed mime
+ message sizes
+
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1802456
+Reviewed-by: Julie Qiu 
+Reviewed-by: Roland Shoemaker 
+Run-TryBot: Damien Neil 
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1802611
+Reviewed-by: Damien Neil 
+Change-Id: Ifdfa192d54f722d781a4d8c5f35b5fb72d122168
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481986
+Reviewed-by: Matthew Dempsky 
+TryBot-Result: Gopher Robot 
+Run-TryBot: Michael Knyszek 
+Auto-Submit: Michael Knyszek 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/126a1d02da82f93ede7ce0bd8d3c51ef627f2104]
+CVE: CVE-2023-24537
+Signed-off-by: Vivek Kumbhar 
+---
+ src/go/parser/parser_test.go | 16 
+ src/go/scanner/scanner.go|  5 -
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
+index 1a46c87..993df63 100644
+--- a/src/go/parser/parser_test.go
 b/src/go/parser/parser_test.go
+@@ -746,3 +746,19 @@ func TestScopeDepthLimit(t *testing.T) {
+   }
+   }
+ }
++
++// TestIssue59180 tests that line number overflow doesn't cause an infinite 
loop.
++func TestIssue59180(t *testing.T) {
++  testcases := []string{
++  "package p\n//line :9223372036854775806\n\n//",
++  "package p\n//line :1:9223372036854775806\n\n//",
++  "package p\n//line file:9223372036854775806\n\n//",
++  }
++
++  for _, src := range testcases {
++  _, err := ParseFile(token.NewFileSet(), "", src, ParseComments)
++  if err == nil {
++  t.Errorf("ParseFile(%s) succeeded unexpectedly", src)
++  }
++  }
++}
+diff --git a/src/go/scanner/scanner.go b/src/go/scanner/scanner.go
+index f08e28c..ff847b5 100644
+--- a/src/go/scanner/scanner.go
 b/src/go/scanner/scanner.go
+@@ -251,13 +251,16 @@ func (s *Scanner) updateLineInfo(next, offs int, text 
[]byte) {
+   return
+   }
+
++  // Put a cap on the maximum size of line and column numbers.
++  // 30 bits allows for some additional space before wrapping an int32.
++  const maxLineCol = 1<<30 - 1
+   var line, col int
+   i2, n2, ok2 := trailingDigits(text[:i-1])
+   if ok2 {
+   //line filename:line:col
+   i, i2 = i2, i
+   line, col = n2, n
+-  if col == 0 {
++  if col == 0 || col > maxLineCol {
+   s.error(offs+i2, "invalid column number: 
"+string(text[i2:]))
+   return
+   }
+--
+2.25.1
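Review bot: In the scanner.go part of this backport only the column test in updateLineInfo() gains the bound "col > maxLineCol", and the diffstat shows a single deletion, so no condition on "line" is changed, although the commit message says line and column numbers are both limited and TestIssue59180 includes two directives that carry only a huge line number ("//line :9223372036854775806" and "//line file:9223372036854775806"). Please check against the upstream commit named in Upstream-Status whether a matching bound on "line" was dropped while backporting, and add it if so. The Subject in the embedded header ("mime/multipart: limit parsed mime message sizes") also does not describe a go/scanner change and looks copied from a different commit.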
-- 
2.34.1





[OE-core][dunfell 0/7] Patch review

2023-04-22 Thread Steve Sakoman
Please review this set of patches for dunfell and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5210

The following changes since commit 9aefb4e46cf4fbf14b46f9adaf3771854553e7f3:

  curl: CVE-2023-27534 SFTP path ~ resolving discrepancy (2023-04-14 07:14:33 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Hitendra Prajapati (2):
  curl: CVE-2023-27538 fix SSH connection too eager reuse
  screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs

Peter Marko (1):
  go: ignore CVE-2022-41716

Shubham Kulkarni (2):
  go-runtime: Security fix for CVE-2022-41722
  go: Security fix for CVE-2020-29510

Vivek Kumbhar (1):
  go: fix CVE-2023-24537 Infinite loop in parsing

rajmohan r (1):
  systemd: Fix CVE-2023-26604

 .../systemd/systemd/CVE-2023-26604-1.patch| 115 
 .../systemd/systemd/CVE-2023-26604-2.patch| 264 ++
 .../systemd/systemd/CVE-2023-26604-3.patch| 182 
 .../systemd/systemd/CVE-2023-26604-4.patch|  32 +++
 meta/recipes-core/systemd/systemd_244.5.bb|   4 +
 meta/recipes-devtools/go/go-1.14.inc  |   7 +
 .../go/go-1.14/CVE-2020-29510.patch   |  65 +
 .../go/go-1.14/CVE-2022-41722-1.patch |  53 
 .../go/go-1.14/CVE-2022-41722-2.patch | 104 +++
 .../go/go-1.14/CVE-2023-24537.patch   |  76 +
 .../screen/screen/CVE-2023-24626.patch|  40 +++
 meta/recipes-extended/screen/screen_4.8.0.bb  |   1 +
 .../curl/curl/CVE-2023-27538.patch|  31 ++
 meta/recipes-support/curl/curl_7.69.1.bb  |   1 +
 14 files changed, 975 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch
 create mode 100644 meta/recipes-extended/screen/screen/CVE-2023-24626.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch

-- 
2.34.1





[OE-core][dunfell 1/7] curl: CVE-2023-27538 fix SSH connection too eager reuse

2023-04-22 Thread Steve Sakoman
From: Hitendra Prajapati 

Upstream-Status: Backport from https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb

Signed-off-by: Hitendra Prajapati 
Signed-off-by: Steve Sakoman 
---
 .../curl/curl/CVE-2023-27538.patch| 31 +++
 meta/recipes-support/curl/curl_7.69.1.bb  |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27538.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-27538.patch 
b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
new file mode 100644
index 00..6c40989d3b
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-27538.patch
@@ -0,0 +1,31 @@
+From af369db4d3833272b8ed443f7fcc2e757a0872eb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg 
+Date: Fri, 10 Mar 2023 08:22:51 +0100
+Subject: [PATCH] url: fix the SSH connection reuse check
+
+Reported-by: Harry Sintonen
+Closes #10735
+
+CVE: CVE-2023-27538
+Upstream-Status: Backport 
[https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb]
+Signed-off-by: Hitendra Prajapati 
+---
+ lib/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/url.c b/lib/url.c
+index 8da0245..9f14a7b 100644
+--- a/lib/url.c
 b/lib/url.c
+@@ -1266,7 +1266,7 @@ ConnectionExists(struct Curl_easy *data,
+ }
+   }
+ 
+-  if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) {
++  if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_SSH) {
+ if(!ssh_config_matches(needle, check))
+   continue;
+   }
+-- 
+2.25.1
+
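Review bot: The one-line change in ConnectionExists() replaces "== PROTO_FAMILY_SSH" with "& PROTO_FAMILY_SSH", but neither the embedded header nor the recipe commit message says why the equality test failed to select SSH connections or what the reuse check protects, which is what someone auditing CVE-2023-27538 on this branch needs to know. Please add a sentence or two to the commit message. The Upstream-Status tag is also written two ways ("Backport from <url>" in the mail, "Backport [<url>]" in the patch file); use one form in both places.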
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb 
b/meta/recipes-support/curl/curl_7.69.1.bb
index a7f4f5748f..46ee25da3a 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -44,6 +44,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \
file://CVE-2022-43552.patch \
file://CVE-2023-23916.patch \
file://CVE-2023-27534.patch \
+   file://CVE-2023-27538.patch \
 "
 
 SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
-- 
2.34.1





[OE-core][dunfell 2/7] go-runtime: Security fix for CVE-2022-41722

2023-04-22 Thread Steve Sakoman
From: Shubham Kulkarni 

path/filepath: do not Clean("a/../c:/b") into c:\b on Windows

Backport from https://github.com/golang/go/commit/bdf07c2e168baf736e4c057279ca12a4d674f18c

Signed-off-by: Shubham Kulkarni 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/go/go-1.14.inc  |   2 +
 .../go/go-1.14/CVE-2022-41722-1.patch |  53 +
 .../go/go-1.14/CVE-2022-41722-2.patch | 104 ++
 3 files changed, 159 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index f2a5fc3f7c..74017f4d90 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -53,6 +53,8 @@ SRC_URI += "\
 file://CVE-2022-41717.patch \
 file://CVE-2022-1962.patch \
 file://CVE-2022-41723.patch \
+file://CVE-2022-41722-1.patch \
+file://CVE-2022-41722-2.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
new file mode 100644
index 00..f5bffd7a0b
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-1.patch
@@ -0,0 +1,53 @@
+From 94e0c36694fb044e81381d112fef3692de7cdf52 Mon Sep 17 00:00:00 2001
+From: Yasuhiro Matsumoto 
+Date: Fri, 22 Apr 2022 10:07:51 +0900
+Subject: [PATCH 1/2] path/filepath: do not remove prefix "." when following
+ path contains ":".
+
+Fixes #52476
+
+Change-Id: I9eb72ac7dbccd6322d060291f31831dc389eb9bb
+Reviewed-on: https://go-review.googlesource.com/c/go/+/401595
+Auto-Submit: Ian Lance Taylor 
+Reviewed-by: Alex Brainman 
+Run-TryBot: Ian Lance Taylor 
+Reviewed-by: Ian Lance Taylor 
+Reviewed-by: Damien Neil 
+TryBot-Result: Gopher Robot 
+
+Upstream-Status: Backport from 
https://github.com/golang/go/commit/9cd1818a7d019c02fa4898b3e45a323e35033290
+CVE: CVE-2022-41722
+Signed-off-by: Shubham Kulkarni 
+---
+ src/path/filepath/path.go | 14 +-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go
+index 26f1833..92dc090 100644
+--- a/src/path/filepath/path.go
 b/src/path/filepath/path.go
+@@ -116,9 +116,21 @@ func Clean(path string) string {
+   case os.IsPathSeparator(path[r]):
+   // empty path element
+   r++
+-  case path[r] == '.' && (r+1 == n || 
os.IsPathSeparator(path[r+1])):
++  case path[r] == '.' && r+1 == n:
+   // . element
+   r++
++  case path[r] == '.' && os.IsPathSeparator(path[r+1]):
++  // ./ element
++  r++
++
++  for r < len(path) && os.IsPathSeparator(path[r]) {
++  r++
++  }
++  if out.w == 0 && volumeNameLen(path[r:]) > 0 {
++  // When joining prefix "." and an absolute path 
on Windows,
++  // the prefix should not be removed.
++  out.append('.')
++  }
+   case path[r] == '.' && path[r+1] == '.' && (r+2 == n || 
os.IsPathSeparator(path[r+2])):
+   // .. element: remove to last separator
+   r += 2
+--
+2.7.4
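Review bot: This first patch is CL 401595 (see its Reviewed-on trailer), and the message of CVE-2022-41722-2.patch states that it reverts CL 401595 because its own change supersedes it, so the "./ element" case added to Clean() here appears to be carried only so that the second patch applies. Please say so in the recipe commit message or in this patch header, or rebase the second patch so that the first is not needed. Since both subjects describe Windows path handling, it is also worth stating why this CVE is patched rather than added to CVE_CHECK_WHITELIST.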
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
new file mode 100644
index 00..e1f7a55581
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2022-41722-2.patch
@@ -0,0 +1,104 @@
+From b8803cb711ae163b8e67897deb6cf8c49702227c Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Mon, 12 Dec 2022 16:43:37 -0800
+Subject: [PATCH 2/2] path/filepath: do not Clean("a/../c:/b") into c:\b on
+ Windows
+
+Do not permit Clean to convert a relative path into one starting
+with a drive reference. This change causes Clean to insert a .
+path element at the start of a path when the original path does not
+start with a volume name, and the first path element would contain
+a colon.
+
+This may introduce a spurious but harmless . path element under
+some circumstances. For example, Clean("a/../b:/../c") becomes `.\c`.
+
+This reverts CL 401595, since the change here supersedes the one
+in that CL.
+
+Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
+
+Updates #57274
+Fixes #57276
+Fixes CVE-2022-41722
+
+Change-Id: I837446285a03aa74c79d7642720e01f354c2ca17
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1675249
+Reviewed-by: Roland Shoemaker 
+Run-TryBot: Damien Neil 
+Reviewed-by: Julie Qiu 
+TryBot-Result: Security TryBots 

+(cherry picked from commit 8ca37f4813ef2f646

[OE-core][dunfell 4/7] go: ignore CVE-2022-41716

2023-04-22 Thread Steve Sakoman
From: Peter Marko 

This CVE is specific to Microsoft Windows, ignore it.

Patch fixing it (https://go-review.googlesource.com/c/go/+/446916)
also adds a redundant check to generic os/exec which
could be backported but it should not be necessary as
backport always takes a small risk to break old code.

Signed-off-by: Peter Marko 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/go/go-1.14.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 74017f4d90..8df9d62612 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -82,3 +82,6 @@ CVE_CHECK_WHITELIST += "CVE-2021-41772"
 
 # Fixes code that was added in go1.16, does not exist in 1.14
 CVE_CHECK_WHITELIST += "CVE-2022-30630"
+
+# This is specific to Microsoft Windows
+CVE_CHECK_WHITELIST += "CVE-2022-41716"
-- 
2.34.1





[OE-core][dunfell 3/7] systemd: Fix CVE-2023-26604

2023-04-22 Thread Steve Sakoman
From: rajmohan r 

Below patch files to fix CVE-2023-26604
CVE-2023-26604-1.patch, CVE-2023-26604-2.patch and
CVE-2023-26604-3.patch and CVE-2023-26604-4.patch

make pager secure when under euid is changed or explicitly
requested

Reference:
CVE-2023-26604-1.patch:
https://github.com/systemd/systemd/pull/17270/commits/612ebf6c913dd0e4197c44909cb3157f5c51a2f0
CVE-2023-26604-2.patch:
https://github.com/systemd/systemd/pull/17270/commits/1b5b507cd2d1d7a2b053151abb548475ad9c5c3b
CVE-2023-26604-3.patch:
https://github.com/systemd/systemd/pull/17270/commits/0a42426d797406b4b01a0d9c13bb759c2629d108
CVE-2023-26604-4.patch:
https://github.com/systemd/systemd/pull/17359/commits/b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c

Signed-off-by: rajmohan r 
Signed-off-by: Steve Sakoman 
---
 .../systemd/systemd/CVE-2023-26604-1.patch| 115 
 .../systemd/systemd/CVE-2023-26604-2.patch| 264 ++
 .../systemd/systemd/CVE-2023-26604-3.patch| 182 
 .../systemd/systemd/CVE-2023-26604-4.patch|  32 +++
 meta/recipes-core/systemd/systemd_244.5.bb|   4 +
 5 files changed, 597 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-2.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-3.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-26604-4.patch

diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch 
b/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch
new file mode 100644
index 00..39f9480cf8
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2023-26604-1.patch
@@ -0,0 +1,115 @@
+From 612ebf6c913dd0e4197c44909cb3157f5c51a2f0 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering 
+Date: Mon, 31 Aug 2020 19:37:13 +0200
+Subject: [PATCH] pager: set $LESSSECURE whenver we invoke a pager
+
+Some extra safety when invoked via "sudo". With this we address a
+genuine design flaw of sudo, and we shouldn't need to deal with this.
+But it's still a good idea to disable this surface given how exotic it
+is.
+
+Prompted by #5666
+
+CVE: CVE-2023-26604
+Upstream-Status: Backport 
[https://github.com/systemd/systemd/pull/17270/commits/612ebf6c913dd0e4197c44909cb3157f5c51a2f0]
+Comments: Hunk not refreshed
+Signed-off-by: rajmohan r 
+---
+ man/less-variables.xml |  9 +
+ man/systemctl.xml  |  1 +
+ man/systemd.xml|  1 +
+ src/shared/pager.c | 23 +--
+ 4 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/man/less-variables.xml b/man/less-variables.xml
+index 08e513c99f8e..c52511ca8e18 100644
+--- a/man/less-variables.xml
 b/man/less-variables.xml
+@@ -64,6 +64,15 @@
+   the invoking terminal is determined to be UTF-8 
compatible).
+ 
+ 
++
++  $SYSTEMD_LESSSECURE
++
++  Takes a boolean argument. Overrides the 
$LESSSECURE environment
++  variable when invoking the pager, which controls the "secure" mode of 
less (which disables commands
++  such as | which allow to easily shell out to 
external command lines). By default
++  less secure mode is enabled, with this setting it may be 
disabled.
++
++
+ 
+   $SYSTEMD_COLORS
+ 
+diff --git a/man/systemctl.xml b/man/systemctl.xml
+index 1c5502883700..a3f0c3041a57 100644
+--- a/man/systemctl.xml
 b/man/systemctl.xml
+@@ -2240,6 +2240,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: 
gatt-time-server: Input/output err
+ 
+ 
+ 
++
+ 
+ 
+   
+diff --git a/man/systemd.xml b/man/systemd.xml
+index a9040545c2ab..c92cfef77689 100644
+--- a/man/systemd.xml
 b/man/systemd.xml
+@@ -692,6 +692,7 @@
+   
+   
+   
++  
+   
+   
+ 
+diff --git a/src/shared/pager.c b/src/shared/pager.c
+index e03be6d23b2d..9c21881241f5 100644
+--- a/src/shared/pager.c
 b/src/shared/pager.c
+@@ -9,6 +9,7 @@
+ #include 
+ 
+ #include "copy.h"
++#include "env-util.h"
+ #include "fd-util.h"
+ #include "fileio.h"
+ #include "io-util.h"
+@@ -152,8 +153,7 @@ int pager_open(PagerFlags flags) {
+ _exit(EXIT_FAILURE);
+ }
+ 
+-/* Initialize a good charset for less. This is
+- * particularly important if we output UTF-8
++/* Initialize a good charset for less. This is particularly 
important if we output UTF-8
+  * characters. */
+ less_charset = getenv("SYSTEMD_LESSCHARSET");
+ if (!less_charset && is_locale_utf8())
+@@ -164,6 +164,25 @@ int pager_open(PagerFlags flags) {
+ _exit(EXIT_FAILURE);
+ }
+ 
++/* People might invoke us from sudo, don't needlessly allow 
less to be a way to shell out
++ * privileged stuff. */
++r = getenv_bool("SYSTEMD_LESSSECURE");
++if (r == 0) { /* Remove env var if off */
++ 
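Review bot: The header line "Comments: Hunk not refreshed" does not say which hunk differs from upstream or why; please name the file and the reason so that the next person rebasing the patch can tell an intentional deviation from fuzz. In pager_open() the new code reads SYSTEMD_LESSSECURE with getenv_bool() and has an "r == 0" branch commented "Remove env var if off", so secure mode can be switched off from the caller's environment; the recipe commit message should say which of the four patches covers the changed-euid case it mentions.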

[OE-core][dunfell 5/7] screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs

2023-04-22 Thread Steve Sakoman
From: Hitendra Prajapati 

Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7

Signed-off-by: Hitendra Prajapati 
Signed-off-by: Steve Sakoman 
---
 .../screen/screen/CVE-2023-24626.patch| 40 +++
 meta/recipes-extended/screen/screen_4.8.0.bb  |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-extended/screen/screen/CVE-2023-24626.patch

diff --git a/meta/recipes-extended/screen/screen/CVE-2023-24626.patch 
b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch
new file mode 100644
index 00..73caf9d81b
--- /dev/null
+++ b/meta/recipes-extended/screen/screen/CVE-2023-24626.patch
@@ -0,0 +1,40 @@
+From e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Mon Sep 17 00:00:00 2001
+From: Alexander Naumov 
+Date: Mon, 30 Jan 2023 17:22:25 +0200
+Subject: fix: missing signal sending permission check on failed query messages
+
+Signed-off-by: Alexander Naumov 
+
+CVE: CVE-2023-24626
+Upstream-Status: Backport 
[https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7]
+Signed-off-by: Hitendra Prajapati 
+---
+ socket.c | 9 +++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/socket.c b/socket.c
+index bb68b35..9d87445 100644
+--- a/socket.c
 b/socket.c
+@@ -1285,11 +1285,16 @@ ReceiveMsg()
+   else
+ queryflag = -1;
+ 
+-  Kill(m.m.command.apid,
++  if (CheckPid(m.m.command.apid)) {
++Msg(0, "Query attempt with bad pid(%d)!", m.m.command.apid);
++  }
++  else {
++Kill(m.m.command.apid,
+(queryflag >= 0)
+? SIGCONT
+: SIG_BYE); /* Send SIG_BYE if an error happened */
+-  queryflag = -1;
++queryflag = -1;
++  }
+ }
+ break;
+   case MSG_COMMAND:
+-- 
+2.25.1
+
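Review bot: In ReceiveMsg() the reset "queryflag = -1;" moves from after the Kill() call into the new else branch, so when CheckPid() rejects m.m.command.apid the flag keeps whatever value it had. If that matches upstream it is acceptable for a backport, but please confirm it is intended. The recipe commit message gives only the upstream link; a line describing the missing permission check would help.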
diff --git a/meta/recipes-extended/screen/screen_4.8.0.bb 
b/meta/recipes-extended/screen/screen_4.8.0.bb
index fe640c262b..c4faa27023 100644
--- a/meta/recipes-extended/screen/screen_4.8.0.bb
+++ b/meta/recipes-extended/screen/screen_4.8.0.bb
@@ -22,6 +22,7 @@ SRC_URI = "${GNU_MIRROR}/screen/screen-${PV}.tar.gz \
file://0001-fix-for-multijob-build.patch \
file://0001-Remove-more-compatibility-stuff.patch \
file://CVE-2021-26937.patch \
+   file://CVE-2023-24626.patch \
   "
 
 SRC_URI[md5sum] = "d276213d3acd10339cd37848b8c4ab1e"
-- 
2.34.1





[OE-core][dunfell 6/7] go: Security fix for CVE-2020-29510

2023-04-22 Thread Steve Sakoman
From: Shubham Kulkarni 

encoding/xml: replace comments inside directives with a space

Backport from https://github.com/golang/go/commit/a9cfd55e2b09735a25976d1b008a0a3c767494f8

Signed-off-by: Shubham Kulkarni 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/go/go-1.14.inc  |  1 +
 .../go/go-1.14/CVE-2020-29510.patch   | 65 +++
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 8df9d62612..7178739b7e 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -55,6 +55,7 @@ SRC_URI += "\
 file://CVE-2022-41723.patch \
 file://CVE-2022-41722-1.patch \
 file://CVE-2022-41722-2.patch \
+file://CVE-2020-29510.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch
new file mode 100644
index 00..e1c9e0bdb9
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2020-29510.patch
@@ -0,0 +1,65 @@
+From a0bf4d38dc2057d28396594264bbdd43d412de22 Mon Sep 17 00:00:00 2001
+From: Filippo Valsorda 
+Date: Tue, 27 Oct 2020 00:21:30 +0100
+Subject: [PATCH] encoding/xml: replace comments inside directives with a space
+
+A Directive (like ) can't have other nodes nested inside
+it (in our data structure representation), so there is no way to
+preserve comments. The previous behavior was to just elide them, which
+however might change the semantic meaning of the surrounding markup.
+Instead, replace them with a space which hopefully has the same semantic
+effect of the comment.
+
+Directives are not actually a node type in the XML spec, which instead
+specifies each of them separately (https://go-review.googlesource.com/c/go/+/277893
+Run-TryBot: Filippo Valsorda 
+TryBot-Result: Go Bot 
+Trust: Filippo Valsorda 
+Reviewed-by: Katie Hockman 
+
+Upstream-Status: Backport from 
https://github.com/golang/go/commit/a9cfd55e2b09735a25976d1b008a0a3c767494f8
+CVE: CVE-2020-29510
+Signed-off-by: Shubham Kulkarni 
+---
+ src/encoding/xml/xml.go | 6 ++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/encoding/xml/xml.go b/src/encoding/xml/xml.go
+index 01a1460..98647b2 100644
+--- a/src/encoding/xml/xml.go
 b/src/encoding/xml/xml.go
+@@ -768,6 +768,12 @@ func (d *Decoder) rawToken() (Token, error) {
+   }
+   b0, b1 = b1, b
+   }
++
++  // Replace the comment with a space in the 
returned Directive
++  // body, so that markup parts that were 
separated by the comment
++  // (like a "<" and a "!") don't get joined when 
re-encoding the
++  // Directive, taking new semantic meaning.
++  d.buf.WriteByte(' ')
+   }
+   }
+   return Directive(d.buf.Bytes()), nil
+--
+2.7.4
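Review bot: The diffstat of this backport lists only src/encoding/xml/xml.go with 6 insertions, so the d.buf.WriteByte(' ') added in rawToken() arrives without a test; if the upstream commit has a test for comments inside directives, please backport it with the fix, or note in the header that it was left out. The From line gives commit a0bf4d38dc while Upstream-Status points at a9cfd55e2b; please say which branch the patch was taken from.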
-- 
2.34.1





[OE-core][dunfell 7/7] go: fix CVE-2023-24537 Infinite loop in parsing

2023-04-22 Thread Steve Sakoman
From: Vivek Kumbhar 

Setting a large line or column number using a //line directive can cause
integer overflow even in small source files.

Limit line and column numbers in //line directives to 2^30-1, which
is small enough to avoid int32 overflow on all reasonably-sized files.

Signed-off-by: Vivek Kumbhar 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/go/go-1.14.inc  |  1 +
 .../go/go-1.14/CVE-2023-24537.patch   | 76 +++
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 7178739b7e..56f4f12c37 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -56,6 +56,7 @@ SRC_URI += "\
 file://CVE-2022-41722-1.patch \
 file://CVE-2022-41722-2.patch \
 file://CVE-2020-29510.patch \
+file://CVE-2023-24537.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch
new file mode 100644
index 00..e04b717fc1
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-24537.patch
@@ -0,0 +1,76 @@
+From bf8c7c575c8a552d9d79deb29e80854dc88528d0 Mon Sep 17 00:00:00 2001
+From: Damien Neil 
+Date: Mon, 20 Mar 2023 10:43:19 -0700
+Subject: [PATCH] [release-branch.go1.20] mime/multipart: limit parsed mime
+ message sizes
+
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1802456
+Reviewed-by: Julie Qiu 
+Reviewed-by: Roland Shoemaker 
+Run-TryBot: Damien Neil 
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1802611
+Reviewed-by: Damien Neil 
+Change-Id: Ifdfa192d54f722d781a4d8c5f35b5fb72d122168
+Reviewed-on: https://go-review.googlesource.com/c/go/+/481986
+Reviewed-by: Matthew Dempsky 
+TryBot-Result: Gopher Robot 
+Run-TryBot: Michael Knyszek 
+Auto-Submit: Michael Knyszek 
+
+Upstream-Status: Backport 
[https://github.com/golang/go/commit/126a1d02da82f93ede7ce0bd8d3c51ef627f2104]
+CVE: CVE-2023-24537
+Signed-off-by: Vivek Kumbhar 
+---
+ src/go/parser/parser_test.go | 16 
+ src/go/scanner/scanner.go|  5 -
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/src/go/parser/parser_test.go b/src/go/parser/parser_test.go
+index 37a6a2b..714557c 100644
+--- a/src/go/parser/parser_test.go
 b/src/go/parser/parser_test.go
+@@ -738,3 +738,19 @@ func TestScopeDepthLimit(t *testing.T) {
+   }
+   }
+ }
++
++// TestIssue59180 tests that line number overflow doesn't cause an infinite 
loop.
++func TestIssue59180(t *testing.T) {
++  testcases := []string{
++  "package p\n//line :9223372036854775806\n\n//",
++  "package p\n//line :1:9223372036854775806\n\n//",
++  "package p\n//line file:9223372036854775806\n\n//",
++  }
++
++  for _, src := range testcases {
++  _, err := ParseFile(token.NewFileSet(), "", src, ParseComments)
++  if err == nil {
++  t.Errorf("ParseFile(%s) succeeded unexpectedly", src)
++  }
++  }
++}
+diff --git a/src/go/scanner/scanner.go b/src/go/scanner/scanner.go
+index 00fe2dc..3159d25 100644
+--- a/src/go/scanner/scanner.go
 b/src/go/scanner/scanner.go
+@@ -246,13 +246,16 @@ func (s *Scanner) updateLineInfo(next, offs int, text 
[]byte) {
+   return
+   }
+ 
++  // Put a cap on the maximum size of line and column numbers.
++  // 30 bits allows for some additional space before wrapping an int32.
++  const maxLineCol = 1<<30 - 1
+   var line, col int
+   i2, n2, ok2 := trailingDigits(text[:i-1])
+   if ok2 {
+   //line filename:line:col
+   i, i2 = i2, i
+   line, col = n2, n
+-  if col == 0 {
++  if col == 0 || col > maxLineCol {
+   s.error(offs+i2, "invalid column number: 
"+string(text[i2:]))
+   return
+   }
+-- 
+2.25.1
+
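Review bot: The header of the embedded patch carries the Subject "[release-branch.go1.20] mime/multipart: limit parsed mime message sizes", but the diffstat and both file diffs touch only src/go/parser/parser_test.go and src/go/scanner/scanner.go, so the Subject, and possibly the Reviewed-on trailers, were taken from another commit; please replace them with the header of the commit given in Upstream-Status. In the scanner.go change only "col" is bounded by maxLineCol while the new test also feeds line-only directives, so please confirm that an upstream bound on "line" is not missing here.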
-- 
2.34.1





[OE-core] [PATCH 0/3] Create class for building rust unit test

2023-04-22 Thread Frederic Martinsons
From: Frederic Martinsons 

This brings the possibility to use this class to build and ship
unit tests of rust projects; the class also creates (or modifies) the
standard run-ptest script to run the generated rust test suite.

It has been tested successfully with core-image-sato under qemu
for zvariant-ptest and python3-bcrypt-ptest (though the last one
didn't define any unit tests).

Note that I tried to do the same with python3-cryptography but failed
to build the test suite and I don't know how to do it with the rust
extension module built by python setuptools. There must be some kind
of way for doing that so maybe someone will put some work in it
(because the python3-cryptography rust extension does have unit tests).

Moreover, in the class, I didn't manage to share data between
do_compile_ptest_base and do_install_ptest_base cleanly (I tried
to d.setVar in compile and d.getVar in install but it seems that
the data store doesn't recognize my new variable) so I used a file
for that. I'm sure there is a clever way for doing that, so feel
free to tell me.

The following changes since commit 45a8bb6e4676899d40525e7d5ad1c1ddefee3185:

  apt-util: Fix ptest on musl (2023-04-20 11:56:03 +0100)

are available in the Git repository at:

  https://gitlab.com/fmartinsons/openembedded-core cargo-add-ptest

Frederic Martinsons (3):
  ptest-cargo.bbclass: create class
  python3-bcrypt: enable build of unit tests
  zvariant: add ptest feature for zvariant test suite

 .../zvariant/zvariant_3.12.0.bb   |  11 +-
 meta/classes-recipe/ptest-cargo.bbclass   | 108 ++
 .../python/python3-bcrypt_4.0.1.bb|   4 +-
 3 files changed, 121 insertions(+), 2 deletions(-)
 create mode 100644 meta/classes-recipe/ptest-cargo.bbclass

-- 
2.34.1





[OE-core] [PATCH 1/3] ptest-cargo.bbclass: create class

2023-04-22 Thread Frederic Martinsons
From: Frederic Martinsons 

This new class offers the capability to build rust tests and
find them correctly.
Due to the non-deterministic names of generated binaries, a custom
parsing of the build result must be performed.
See https://github.com/rust-lang/cargo/issues/1924

All rust projects will generate a test binary even if there are
no tests defined in the source code (the binary will just output
that it ran 0 tests)

Signed-off-by: Frederic Martinsons 
---
 meta/classes-recipe/ptest-cargo.bbclass | 108 
 1 file changed, 108 insertions(+)
 create mode 100644 meta/classes-recipe/ptest-cargo.bbclass

diff --git a/meta/classes-recipe/ptest-cargo.bbclass 
b/meta/classes-recipe/ptest-cargo.bbclass
new file mode 100644
index 00..a76b06b46a
--- /dev/null
+++ b/meta/classes-recipe/ptest-cargo.bbclass
@@ -0,0 +1,108 @@
+inherit cargo ptest
+
+CARGO_TEST_BINARIES_FILES ?= "${B}/test_binaries_list"
+
+# sadly generated test binary have no deterministic names 
(https://github.com/rust-lang/cargo/issues/1924)
+# which force us to parse the cargo output in json format to find those test 
binaries
+python do_compile_ptest_base() {
+import subprocess
+import json
+
+cargo = bb.utils.which(d.getVar("PATH"), d.getVar("CARGO", True))
+cargo_build_flags = d.getVar("CARGO_BUILD_FLAGS", True)
+rust_flags = d.getVar("RUSTFLAGS", True)
+manifest_path = d.getVar("MANIFEST_PATH", True)
+
+env = os.environ.copy()
+env['RUSTFLAGS'] = rust_flags
+cmd = f"{cargo} build --tests --message-format json {cargo_build_flags}"
+bb.note(f"Building tests with cargo ({cmd})")
+
+try:
+proc = subprocess.Popen(cmd, shell=True, env=env, 
stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+except subprocess.CalledProcessError as e:
+bb.fatal(f"Cannot build test with cargo: {e}")
+
+lines = []
+for line in proc.stdout:
+data = line.decode('utf-8').strip('\n')
+lines.append(data)
+bb.note(data)
+proc.communicate()
+if proc.returncode != 0:
+bb.fatal(f"Unable to compile test with cargo, '{cmd}' failed")
+
+# Definition of the format: 
https://doc.rust-lang.org/cargo/reference/external-tools.html#json-messages
+test_bins = []
+for line in lines:
+try:
+data = json.loads(line)
+except json.JSONDecodeError:
+# skip lines that are not a json
+pass
+else:
+try:
+# Filter the test packages coming from the current manifest
+current_manifest_path = os.path.normpath(data['manifest_path'])
+project_manifest_path = os.path.normpath(manifest_path)
+if current_manifest_path == project_manifest_path:
+if data['target']['test'] or data['target']['doctest'] and 
data['executable']:
+test_bins.append(data['executable'])
+except KeyError as e:
+# skip lines that do not meet the requirements
+pass
+
+# All rust project will genrate at least one unit test binary
+# It will just run a test suite with 0 tests if the project didn't define 
some
+# So it is not expected to have an empty list here
+if not test_bins:
+bb.fatal("Unable to find any test binaries")
+
+cargo_test_binaries_file = d.getVar('CARGO_TEST_BINARIES_FILES', True)
+bb.note(f"Found {len(test_bins)} tests, write their path into 
{cargo_test_binaries_file}")
+with open(cargo_test_binaries_file, "w") as f:
+for test_bin in test_bins:
+f.write(f"{test_bin}\n")
+
+}
+
+python do_install_ptest_base() {
+import shutil
+
+dest_dir = d.getVar("D", True)
+pn = d.getVar("PN", True)
+ptest_path = d.getVar("PTEST_PATH", True)
+cargo_test_binaries_file = d.getVar('CARGO_TEST_BINARIES_FILES', True)
+
+ptest_dir = os.path.join(dest_dir, ptest_path.lstrip('/'))
+os.makedirs(ptest_dir, exist_ok=True)
+
+test_bins = []
+with open(cargo_test_binaries_file, "r") as f:
+for line in f.readlines():
+test_bins.append(line.strip('\n'))
+
+test_paths = []
+for test_bin in test_bins:
+shutil.copy2(test_bin, ptest_dir)
+test_paths.append(os.path.join(ptest_path, os.path.basename(test_bin)))
+
+ptest_script = os.path.join(ptest_dir, "run-ptest")
+if os.path.exists(ptest_script):
+with open(ptest_script, "a") as f:
+for test_path in test_paths:
+f.write(f"{test_path}\n")
+else:
+with open(ptest_script, "a") as f:
+f.write("#!/bin/sh\n")
+for test_path in test_paths:
+f.write(f"{test_path}\n")
+os.chmod(ptest_script, 0o755)
+
+# this is chown -R root:root ${D}${PTEST_PATH}
+for root, dirs, files in os.walk(ptest_dir):
+for d in dirs:
+shutil.chown(os.path.join(root, d), "root", "root")
+for f in files:
+ 
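Review bot: In do_compile_ptest_base, the filter `if data['target']['test'] or data['target']['doctest'] and data['executable']:` parses as `test or (doctest and executable)`, so any artifact of this manifest with `target.test` set is appended even when `executable` is null, and the string "None" is then written to the binaries file; parenthesise it as `(test or doctest) and data['executable']`. The `except subprocess.CalledProcessError` around `subprocess.Popen` can never fire, because Popen does not raise that exception, and the command is one f-string run with `shell=True`, so CARGO_BUILD_FLAGS is re-parsed by the shell; passing an argument list (for example from shlex.split) without `shell=True` avoids that. In do_install_ptest_base, `for d in dirs:` rebinds the datastore `d`, and the `else` branch that creates a fresh run-ptest opens it with "a" where "w" is meant. The hunk as archived stops inside the final chown loop, so the rest of that function cannot be reviewed here.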

[OE-core] [PATCH 2/3] python3-bcrypt: enable build of unit tests

2023-04-22 Thread Frederic Martinsons
From: Frederic Martinsons 

The source code of the bcrypt extension doesn't define any tests,
but it is here to show the ptest-cargo usage

Signed-off-by: Frederic Martinsons 
---
 meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb 
b/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb
index 21f2eb6ba4..b4f245530d 100644
--- a/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb
+++ b/meta/recipes-devtools/python/python3-bcrypt_4.0.1.bb
@@ -7,12 +7,14 @@ DEPENDS += "${PYTHON_PN}-cffi-native"
 
 SRC_URI[sha256sum] = 
"27d375903ac8261cfe4047f6709d16f7d18d39b1ec92aaf72af989552a650ebd"
 
-inherit pypi python_setuptools3_rust ptest cargo-update-recipe-crates
+inherit pypi python_setuptools3_rust ptest-cargo cargo-update-recipe-crates
 
 SRC_URI += " \
file://run-ptest \
 "
 
+CARGO_SRC_DIR = "src/_bcrypt"
+
 require ${BPN}-crates.inc
 
 RDEPENDS:${PN}-ptest += " \
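Review bot: The new `CARGO_SRC_DIR = "src/_bcrypt"` line has no comment saying what lives in that directory or why the class needs it; a one-line comment would help the next reader. This recipe also keeps `file://run-ptest` in SRC_URI, and do_install_ptest_base from patch 1/3 appends the test binary paths to a run-ptest that already exists, so if the recipe's script is installed by then, please confirm that the appended lines are reached and that the script still reports results as before.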
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#180321): https://lists.openembedded.org/g/openembedded-core/message/180321
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core] [PATCH 3/3] zvariant: add ptest feature for zvariant test suite

2023-04-22 Thread Frederic Martinsons
From: Frederic Martinsons 

Signed-off-by: Frederic Martinsons 
---
 .../recipes-extended/zvariant/zvariant_3.12.0.bb  | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/meta-selftest/recipes-extended/zvariant/zvariant_3.12.0.bb 
b/meta-selftest/recipes-extended/zvariant/zvariant_3.12.0.bb
index 4285d11b72..6c69c80940 100644
--- a/meta-selftest/recipes-extended/zvariant/zvariant_3.12.0.bb
+++ b/meta-selftest/recipes-extended/zvariant/zvariant_3.12.0.bb
@@ -7,6 +7,8 @@ HOMEPAGE = "https://gitlab.freedesktop.org/dbus/zbus/";
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=b377b220f43d747efdec40d69fcaa69d"
 
+DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'glib-2.0', '', 
d)}"
+
 SRC_URI = " \
 
git://gitlab.freedesktop.org/dbus/zbus;protocol=https;branch=main;subpath=zvariant
 \
 file://0001-Tweak-zvariant-crate-config.patch;striplevel=2 \
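Review bot: The added `DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'glib-2.0', '', d)}"` does not say why the test build needs glib-2.0, and the commit message has no body either; add a comment naming what in the test suite pulls it in, so the dependency can be dropped if that changes.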
@@ -21,10 +23,17 @@ python do_clean_lic_file_symlink() {
 
 addtask clean_lic_file_symlink after do_unpack before do_patch
 
-inherit cargo cargo-update-recipe-crates
+inherit ptest-cargo pkgconfig cargo-update-recipe-crates
 
 # Remove this when the recipe is reproducible
 EXCLUDE_FROM_WORLD = "1"
 
 require ${BPN}-crates.inc
 require ${BPN}-git-crates.inc
+
+# zvariant is an indermediate product for the zbus project
+# and so, it provided only a static lib (rlib) which fall only
+# in -dev package
+ALLOW_EMPTY:${PN} = "1"
+RDEPENDS:${PN}-ptest:remove = "${PN}"
+
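Review bot: `ALLOW_EMPTY:${PN} = "1"` and `RDEPENDS:${PN}-ptest:remove = "${PN}"` look like two answers to the same problem: once the empty main package is allowed, the ptest package's dependency on it can be satisfied, and once that dependency is removed, the empty package is not needed for ptest. Say in the comment which of the two is actually required, keeping in mind that a `:remove` is hard to undo from a bbappend. `pkgconfig` is also inherited unconditionally here while glib-2.0 is only added when ptest is in DISTRO_FEATURES; a short comment tying the two together would help. Typo in the new comment: "indermediate".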
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#180322): https://lists.openembedded.org/g/openembedded-core/message/180322
-=-=-=-=-=-=-=-=-=-=-=-
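The test-binary discovery that the [PATCH 1/3] commit message describes, as an added example that is not part of the posted series. The sample output, paths, crate names and hashes are constructed, the function names are hypothetical, and selecting on `profile.test` (rather than the `target.test` check in the patch) is this example's own choice, based on cargo's documented JSON message format.

```python
import json
import os

def _artifact(manifest, name, kind, target_test, profile_test, executable):
    """Build one constructed compiler-artifact message (subset of cargo's fields)."""
    return json.dumps({
        "reason": "compiler-artifact",
        "manifest_path": manifest,
        "target": {"name": name, "kind": [kind], "test": target_test, "doctest": False},
        "profile": {"test": profile_test},
        "executable": executable,
    })

PROJECT = "/work/demo/Cargo.toml"        # constructed path
DEPS = "/work/demo/target/debug/deps"    # constructed path

# Constructed sample of `cargo build --tests --message-format json` output.
SAMPLE_OUTPUT = "\n".join([
    "   Compiling demo v0.1.0 (/work/demo)",                       # plain text noise
    _artifact("/work/vendor/dep/Cargo.toml", "dep", "lib", True, False, None),
    _artifact(PROJECT, "demo", "lib", True, False, None),          # rlib, no executable
    _artifact(PROJECT, "demo-cli", "bin", True, False, "/work/demo/target/debug/demo-cli"),
    _artifact(PROJECT, "demo", "lib", True, True, f"{DEPS}/demo-0123456789abcdef"),
    _artifact(PROJECT, "roundtrip", "test", True, True, f"{DEPS}/roundtrip-fedcba9876543210"),
    json.dumps({"reason": "build-finished", "success": True}),
])

def as_written(msg):
    """The condition as posted in the patch: 'and' binds tighter than 'or'."""
    return bool(msg["target"]["test"] or msg["target"]["doctest"] and msg["executable"])

def find_test_binaries(cargo_output, manifest_path):
    """Return executables of this manifest that were built with the test harness."""
    wanted = os.path.normpath(manifest_path)
    found = []
    for line in cargo_output.splitlines():
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue                     # cargo or rustc text that is not JSON
        if not isinstance(msg, dict) or msg.get("reason") != "compiler-artifact":
            continue
        if os.path.normpath(msg.get("manifest_path", "")) != wanted:
            continue                     # artifact of a dependency
        # Assumption of this example: profile.test marks a test-harness build.
        if msg.get("profile", {}).get("test") and msg.get("executable"):
            found.append(msg["executable"])
    return found

if __name__ == "__main__":
    for path in find_test_binaries(SAMPLE_OUTPUT, PROJECT):
        print(path)
```

On the constructed sample, `as_written` accepts the rlib message whose `executable` is null and the plain `demo-cli` binary, while `find_test_binaries` returns only the two harness executables.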



Re: [OE-core][dunfell][PATCH] go: Ignore CVE-2022-1705

2023-04-22 Thread Shubham Kulkarni
Hi Steve,

Is there any issue with this patch? It's not included in the patch review
list email.

Thanks,
Shubham

On Fri, 21 Apr, 2023, 4:54 pm Shubham Kulkarni, 
wrote:

> From: Shubham Kulkarni 
>
> The vulnerability was introduced in go1.15beta1 with commit d5734d4.
> Dunfell uses go1.14 version which does not contain the affected code.
>
> Ref: https://security-tracker.debian.org/tracker/CVE-2022-1705
>
> Signed-off-by: Shubham Kulkarni 
> ---
>  meta/recipes-devtools/go/go-1.14.inc | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-devtools/go/go-1.14.inc
> b/meta/recipes-devtools/go/go-1.14.inc
> index 8df9d62612..961e233fe6 100644
> --- a/meta/recipes-devtools/go/go-1.14.inc
> +++ b/meta/recipes-devtools/go/go-1.14.inc
> @@ -85,3 +85,6 @@ CVE_CHECK_WHITELIST += "CVE-2022-30630"
>
>  # This is specific to Microsoft Windows
>  CVE_CHECK_WHITELIST += "CVE-2022-41716"
> +
> +# Issue introduced in go1.15beta1, does not exist in 1.14
> +CVE_CHECK_WHITELIST += "CVE-2022-1705"
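Review bot: The comment added above the new whitelist entry, `# Issue introduced in go1.15beta1, does not exist in 1.14`, leaves out the evidence that the commit message gives; put the introducing commit (d5734d4) and the reference URL in the comment itself, since the recipe file is what a later CVE audit will read.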
> --
> 2.40.0
>
>

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#180323): https://lists.openembedded.org/g/openembedded-core/message/180323
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core][PATCH v3] devicetree.bbclass: Allow selection of dts files to build

2023-04-22 Thread Denys Dmytriyenko
On Fri, Apr 21, 2023 at 05:23:25PM +0200, Petr Kubizňák wrote:
> Add DT_FILES variable to allow the user of the class to select specific
> dts files to build. This is useful for packages featuring dts files
> for multiple machines.
> 
> Since many machine configs contain a list of dtb files
> (e.g. KERNEL_DEVICETREE), DT_FILES works with both dts and dtb files.

Any examples of this being used? Not really clear from the description what
this is really used for...


> Signed-off-by: Petr Kubizňák 
> ---
>  meta/classes-recipe/devicetree.bbclass | 9 +++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/meta/classes-recipe/devicetree.bbclass 
> b/meta/classes-recipe/devicetree.bbclass
> index ed2a92e447..bd50d7fa1d 100644
> --- a/meta/classes-recipe/devicetree.bbclass
> +++ b/meta/classes-recipe/devicetree.bbclass
> @@ -53,8 +53,10 @@ KERNEL_INCLUDE ??= " \
>  
>  DT_INCLUDE[doc] = "Search paths to be made available to both the device tree 
> compiler and preprocessor for inclusion."
>  DT_INCLUDE ?= "${DT_FILES_PATH} ${KERNEL_INCLUDE}"
> -DT_FILES_PATH[doc] = "Defaults to source directory, can be used to select 
> dts files that are not in source (e.g. generated)."
> +DT_FILES_PATH[doc] = "Path to the directory containing dts files to build. 
> Defaults to source directory."
>  DT_FILES_PATH ?= "${S}"
> +DT_FILES[doc] = "Space-separated list of dts or dtb files (relative to 
> DT_FILES_PATH) to build. If empty, all dts files are built."
> +DT_FILES ?= ""
>  
>  DT_PADDING_SIZE[doc] = "Size of padding on the device tree blob, used as 
> extra space typically for additional properties during boot."
>  DT_PADDING_SIZE ??= "0x3000"
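Review bot: The DT_FILES[doc] string says the list holds "dts or dtb files", but the compile hunk rewrites names with `re.sub(r"\.dtbo?$", ".dts", dtfile)`, so `.dtbo` entries are accepted too; mention dtbo in the doc string. The reworded DT_FILES_PATH[doc] also drops the hint that the path can point at dts files that are not in the source tree (e.g. generated), which was useful to keep.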
> @@ -125,9 +127,12 @@ def devicetree_compile(dtspath, includes, d):
>  subprocess.run(dtcargs, check = True, stdout=subprocess.PIPE, 
> stderr=subprocess.STDOUT)
>  
>  python devicetree_do_compile() {
> +import re
>  includes = expand_includes("DT_INCLUDE", d)
> +dtfiles = d.getVar("DT_FILES").split()
> +dtfiles = [ re.sub(r"\.dtbo?$", ".dts", dtfile) for dtfile in dtfiles ]
>  listpath = d.getVar("DT_FILES_PATH")
> -for dts in os.listdir(listpath):
> +for dts in dtfiles or os.listdir(listpath):
>  dtspath = os.path.join(listpath, dts)
>  try:
>  if not(os.path.isfile(dtspath)) or not(dts.endswith(".dts") or 
> devicetree_source_is_overlay(dtspath)):
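Review bot: With `for dts in dtfiles or os.listdir(listpath):`, a name listed in DT_FILES goes through the same `os.path.isfile(dtspath)` filter as a directory entry, so a misspelt or missing file looks set to be skipped like any non-dts entry rather than reported (the body of that branch is outside the quoted context); an explicitly requested file that is absent should fail the task, for example with bb.fatal. Entries are also joined with `os.path.join(listpath, dts)` unchecked, so an absolute path or a `../` component leaves DT_FILES_PATH although the doc string says names are relative to it. `d.getVar("DT_FILES")` returns None if a recipe unsets the variable, and `.split()` would then raise; `(d.getVar("DT_FILES") or "").split()` is safer.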
> -- 
> 2.30.2

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#180324): https://lists.openembedded.org/g/openembedded-core/message/180324
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core][dunfell][PATCH] go: Ignore CVE-2022-1705

2023-04-22 Thread Steve Sakoman
I don't see the patch on this list or in patchworks.  Could you please resend?

Thanks,

Steve

On Sat, Apr 22, 2023 at 6:12 AM Shubham Kulkarni  wrote:
>
> Hi Steve,
>
> Is there any issue with this patch? It's not included in the patch review 
> list email.
>
> Thanks,
> Shubham
>
> On Fri, 21 Apr, 2023, 4:54 pm Shubham Kulkarni,  wrote:
>>
>> From: Shubham Kulkarni 
>>
>> The vulnerability was introduced in go1.15beta1 with commit d5734d4.
>> Dunfell uses go1.14 version which does not contain the affected code.
>>
>> Ref: https://security-tracker.debian.org/tracker/CVE-2022-1705
>>
>> Signed-off-by: Shubham Kulkarni 
>> ---
>>  meta/recipes-devtools/go/go-1.14.inc | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/meta/recipes-devtools/go/go-1.14.inc 
>> b/meta/recipes-devtools/go/go-1.14.inc
>> index 8df9d62612..961e233fe6 100644
>> --- a/meta/recipes-devtools/go/go-1.14.inc
>> +++ b/meta/recipes-devtools/go/go-1.14.inc
>> @@ -85,3 +85,6 @@ CVE_CHECK_WHITELIST += "CVE-2022-30630"
>>
>>  # This is specific to Microsoft Windows
>>  CVE_CHECK_WHITELIST += "CVE-2022-41716"
>> +
>> +# Issue introduced in go1.15beta1, does not exist in 1.14
>> +CVE_CHECK_WHITELIST += "CVE-2022-1705"
>> --
>> 2.40.0
>>

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#180325): https://lists.openembedded.org/g/openembedded-core/message/180325
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][dunfell][PATCH] go: Ignore CVE-2022-1705

2023-04-22 Thread Shubham Kulkarni
From: Shubham Kulkarni 

The vulnerability was introduced in go1.15beta1 with commit d5734d4.
Dunfell uses go1.14 version which does not contain the affected code.

Ref: https://security-tracker.debian.org/tracker/CVE-2022-1705

Signed-off-by: Shubham Kulkarni 
---
 meta/recipes-devtools/go/go-1.14.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index 56f4f12..b1d7bc1 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -87,3 +87,6 @@ CVE_CHECK_WHITELIST += "CVE-2022-30630"
 
 # This is specific to Microsoft Windows
 CVE_CHECK_WHITELIST += "CVE-2022-41716"
+
+# Issue introduced in go1.15beta1, does not exist in 1.14
+CVE_CHECK_WHITELIST += "CVE-2022-1705"
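Review bot: This resend carries `@@ -87,3 +87,6` and `index 56f4f12..b1d7bc1`, while the copy quoted in the replies on this thread has `@@ -85,3 +85,6` and `index 8df9d62612..961e233fe6`, so it was generated against a different base; state the base branch, and that this is a resend, below the `---` line. The added lines are the same in both copies.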
-- 
2.7.4


-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#180326): https://lists.openembedded.org/g/openembedded-core/message/180326
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core][dunfell][PATCH] go: Ignore CVE-2022-1705

2023-04-22 Thread Shubham Kulkarni
Hi Steve,

I resent the patch (
https://lists.openembedded.org/g/openembedded-core/message/180326). Please
let me know if this is OK, or whether I need to send it as v2.

Thanks,
Shubham

On Sun, Apr 23, 2023 at 3:52 AM Steve Sakoman  wrote:

> I don't see the patch on this list or in patchworks.  Could you please
> resend?
>
> Thanks,
>
> Steve
>
> On Sat, Apr 22, 2023 at 6:12 AM Shubham Kulkarni 
> wrote:
> >
> > Hi Steve,
> >
> > Is there any issue with this patch? It's not included in the patch
> review list email.
> >
> > Thanks,
> > Shubham
> >
> > On Fri, 21 Apr, 2023, 4:54 pm Shubham Kulkarni, 
> wrote:
> >>
> >> From: Shubham Kulkarni 
> >>
> >> The vulnerability was introduced in go1.15beta1 with commit d5734d4.
> >> Dunfell uses go1.14 version which does not contain the affected code.
> >>
> >> Ref: https://security-tracker.debian.org/tracker/CVE-2022-1705
> >>
> >> Signed-off-by: Shubham Kulkarni 
> >> ---
> >>  meta/recipes-devtools/go/go-1.14.inc | 3 +++
> >>  1 file changed, 3 insertions(+)
> >>
> >> diff --git a/meta/recipes-devtools/go/go-1.14.inc
> b/meta/recipes-devtools/go/go-1.14.inc
> >> index 8df9d62612..961e233fe6 100644
> >> --- a/meta/recipes-devtools/go/go-1.14.inc
> >> +++ b/meta/recipes-devtools/go/go-1.14.inc
> >> @@ -85,3 +85,6 @@ CVE_CHECK_WHITELIST += "CVE-2022-30630"
> >>
> >>  # This is specific to Microsoft Windows
> >>  CVE_CHECK_WHITELIST += "CVE-2022-41716"
> >> +
> >> +# Issue introduced in go1.15beta1, does not exist in 1.14
> >> +CVE_CHECK_WHITELIST += "CVE-2022-1705"
> >> --
> >> 2.40.0
> >>
>

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#180327): https://lists.openembedded.org/g/openembedded-core/message/180327
-=-=-=-=-=-=-=-=-=-=-=-