[OE-core] [mickledore][PATCH] acpica: Update SRC_URI

2023-07-18 Thread Yu, Mingli
From: Mingli Yu 

Update the SRC_URI to fix the do_fetch warning.
 $ wget https://acpica.org/sites/acpica/files/acpica-unix-20220331.tar.gz
--2023-07-19 02:45:33--  https://acpica.org/sites/acpica/files/acpica-unix-20220331.tar.gz
Resolving acpica.org... 20.29.206.128
Connecting to acpica.org|20.29.206.128|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.intel.com/content/www/us/en/developer/topic-technology/open/acpica/overview.html [following]
--2023-07-19 02:45:33--  https://www.intel.com/content/www/us/en/developer/topic-technology/open/acpica/overview.html
Resolving www.intel.com... 23.72.14.54
Connecting to www.intel.com|23.72.14.54|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2023-07-19 02:45:34 ERROR 403: Forbidden.

 $ wget https://downloadmirror.intel.com/774879/acpica-unix-20220331.tar.gz
--2023-07-19 02:46:04--  https://downloadmirror.intel.com/774879/acpica-unix-20220331.tar.gz
Resolving downloadmirror.intel.com... 18.164.154.85, 18.164.154.5, 18.164.154.74, ...
Connecting to downloadmirror.intel.com|18.164.154.85|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1911044 (1.8M) [application/gzip]
Saving to: ‘acpica-unix-20220331.tar.gz’

acpica-unix-20220331.tar.gz   100%[=>]   1.82M  1.61MB/s    in 1.1s

2023-07-19 02:46:06 (1.61 MB/s) - ‘acpica-unix-20220331.tar.gz’ saved [1911044/1911044]

Signed-off-by: Mingli Yu 
---
 meta/recipes-extended/acpica/acpica_20220331.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-extended/acpica/acpica_20220331.bb 
b/meta/recipes-extended/acpica/acpica_20220331.bb
index 2c554f863a..73b9154ee7 100644
--- a/meta/recipes-extended/acpica/acpica_20220331.bb
+++ b/meta/recipes-extended/acpica/acpica_20220331.bb
@@ -16,7 +16,7 @@ COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64).*-linux"
 
 DEPENDS = "m4-native flex-native bison-native"
 
-SRC_URI = "https://acpica.org/sites/acpica/files/acpica-unix-${PV}.tar.gz";
+SRC_URI = "https://downloadmirror.intel.com/774879/acpica-unix-${PV}.tar.gz";
 SRC_URI[sha256sum] = 
"acaff68b14f1e0804ebbfc4b97268a4ccbefcfa053b02ed9924f2b14d8a98e21"
 
 UPSTREAM_CHECK_URI = "https://acpica.org/downloads";
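Review bot: UPSTREAM_CHECK_URI in the trailing context still points at https://acpica.org/downloads, the same host the commit message shows answering 301 and then ending in 403, so the upstream version check is likely to fail the way do_fetch did; update it here or in a follow-up. The new SRC_URI also pairs a fixed directory, 774879, with ${PV}, so a later version bump will not resolve by changing PV alone; a comment next to SRC_URI saying the number is release-specific would help the next upgrader. Since SRC_URI[sha256sum] is unchanged, the commit message could also state that the tarball fetched from the new host was checked against it.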
-- 
2.35.5


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#184565): 
https://lists.openembedded.org/g/openembedded-core/message/184565
Mute This Topic: https://lists.openembedded.org/mt/100229117/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] systemd service@ bug

2023-07-18 Thread Yuta Hayama
Hi,

This issue has been fixed in master.
https://git.openembedded.org/openembedded-core/commit/?id=d18b939fb08b37380ce95934da38e6522392621c

But, yes. This patch has not yet been backported to any stable branch.


I don't know about the maintenance process for the stable branch, but I
expect that patch will probably be queued and backported to dunfell in
a month or so.

Please let me know if anyone knows anything about this. Should we simply
wait? Or do I have to submit a backport request?


Regards,

Yuta Hayama

On 2023/07/14 22:42, Dvorkin Dmitry wrote:
> Hello!
> 
> (sorry, previously posted as the reply to wrong message)
> 
> starting from 2aa82324d43467e7c8bfbbb59570ee3306264b75 commit (dunfell and 
> probably other branches)
> 
> https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=2aa82324d43467e7c8bfbbb59570ee3306264b75
> 
> the
> 
> SYSTEMD_SERVICE:${PN} = "php-fpm@9000.service"
> 
> syntax in the recipe brings OE to error at do_rootfs step:
> 
> https://pastebin.com/WbDCPy4V
> 
> 
> + for service in php-fpm@9000.service
> + systemctl 
> --root=/workdir/build.tppg2/tmp/work/tppg2-tps-linux-gnueabi/img-oac
> -anpr/1.0-r0/rootfs enable php-fpm@9000.service
> Traceback (most recent call last):
> File "/workdir/build.tppg2/tmp/work/tppg2-tps-linux-gnueabi/img-oac-anpr/1.0-r
> 0/recipe-sysroot-native/usr/bin/systemctl", line 331, in 
> main()
> File "/workdir/build.tppg2/tmp/work/tppg2-tps-linux-gnueabi/img-oac-anpr/1.0-r
> 0/recipe-sysroot-native/usr/bin/systemctl", line 319, in main
> SystemdUnit(root, service).enable()
> File "/workdir/build.tppg2/tmp/work/tppg2-tps-linux-gnueabi/img-oac-anpr/1.0-r
> 0/recipe-sysroot-native/usr/bin/systemctl", line 232, in enable
> self._process_deps(config, service, path, 'WantedBy', 'wants', instance)
> File "/workdir/build.tppg2/tmp/work/tppg2-tps-linux-gnueabi/img-oac-anpr/1.0-r
> 0/recipe-sysroot-native/usr/bin/systemctl", line 192, in _process_deps
> dependent = re.sub("([^%](%%)*)%i", "\\1{}".format(instance), dependent)
> File "/workdir/build.tppg2/tmp/work/tppg2-tps-linux-gnueabi/img-oac-anpr/1.0-r
> 0/recipe-sysroot-native/usr/lib/python3.8/re.py", line 210, in sub
> return _compile(pattern, flags).sub(repl, string, count)
> File "/workdir/build.tppg2/tmp/work/tppg2-tps-linux-gnueabi/img-oac-anpr/1.0-r
> 0/recipe-sysroot-native/usr/lib/python3.8/re.py", line 327, in _subx
> template = _compile_repl(template, pattern)
> File "/workdir/build.tppg2/tmp/work/tppg2-tps-linux-gnueabi/img-oac-anpr/1.0-r
> 0/recipe-sysroot-native/usr/lib/python3.8/re.py", line 318, in _compile_repl
> return sre_parse.parse_template(repl, pattern)
> File "/workdir/build.tppg2/tmp/work/tppg2-tps-linux-gnueabi/img-oac-anpr/1.0-r
> 0/recipe-sysroot-native/usr/lib/python3.8/sre_parse.py", line 1036, in 
> parse_tem
> plate
> addgroup(int(this[1:]), len(this) - 1)
> File "/workdir/build.tppg2/tmp/work/tppg2-tps-linux-gnueabi/img-oac-anpr/1.0-r
> 0/recipe-sysroot-native/usr/lib/python3.8/sre_parse.py", line 980, in addgroup
> raise s.error("invalid group reference %d" % index, pos)
> re.error: invalid group reference 19 at position 1
> %post(oac-php-1.0-r0.noarch): waitpid(3549888) rc 3549888 status 100
> warning: %post(oac-php-1.0-r0.noarch) scriptlet failed, exit status 1
> Error in POSTIN scriptlet in rpm package oac-php
> Installing : curl-7.69.1-r0.cortexa9hf_neon 849/863
> 
> 
> 
> 
> 

View/Reply Online (#184564): https://lists.openembedded.org/g/openembedded-core/message/184564



Re: [OE-core][mickledore 02/26] dmidecode: fix CVE-2023-30630

2023-07-18 Thread Randy MacLeod via lists.openembedded.org

On 2023-07-18 18:32, Steve Sakoman wrote:

On Tue, Jul 18, 2023 at 11:49 AM Randy MacLeod
  wrote:

Add Kai,

On 2023-07-14 18:32, Steve Sakoman via lists.openembedded.org wrote:

From: Yogita Urade

Dmidecode before 3.5 allows -dump-bin to overwrite a local file.
This has security relevance because, for example, execution of
Dmidecode via Sudo is plausible.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-30630
https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html
https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00017.html

Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
  .../dmidecode/CVE-2023-30630_1.patch  | 237 ++
  .../dmidecode/CVE-2023-30630_2.patch  |  81 ++
  .../dmidecode/CVE-2023-30630_3.patch  |  69 +
  .../dmidecode/CVE-2023-30630_4.patch  | 137 ++


Summary:

 I think this can merge but we should agree on how to handle dmidecode.


Details:

These changes work but it's bringing back 4 patches rather than bumping the version to 3.5
and picking up 2 patches. My conclusion is that it's okay but we should probably talk
about how to maintain dmidecode since it just produces a bunch of programs for dumping
HW DMI/SMBIOS info and doesn't provide a runtime ABI, we can probably update to 3.5
( or even 3.6 when that's out).

Do you agree Steve?

You'll always get the same answer from me: no version bumps that
implement new features/apis.  Bug/security fixes only.

If there is a strong case to be made for something outside this
policy, it should go to the TSC for consideration.

I don't want our stable branches to start resembling the kernel
"stable" branches ...

So, yes, I think we should merge this patch rather than version bump :-)


Ok, that works for me and if there's no follow-up for Yogita, that's 
also good news.


I may ping the upstream devs to see if they really are following
a semantic versioning scheme (1). My goal was to not only get the CVEs
fixed but to get the additional decode info to better support new hardware.

I suppose that even for simple executables like this, it's possible that something
changed in the output format or the one or two changes that seem suspect,
could cause problems for someone and so we should be more conservative and
by keeping the number of exceptions to a minimum, we usually make maintenance easier.


Thanks for the comments,

../Randy

1)

https://semver.org/


Steve


The patches back-ported are:

❯ rg -i "subject: \[PATCH\]" /tmp/dmidecode-mickledore-cve.eml
201:+Subject: [PATCH] dmidecode: Write the whole dump file at once
444:+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file
531:+Subject: [PATCH] Consistently use read_file() when reading from a dump file
606:+Subject: [PATCH] Don't read beyond sysfs entry point buffer


Two of these patches would be picked up if we update mickledore to 3.5 - so 
let's look at what changed:

❯ git log --oneline dmidecode-3-4..dmidecode-3-5

484f893 (tag: dmidecode-3-5) Set the version to 3.5
8baf2f5 Fix a build warning when USE_MMAP isn't set
b9ebecc dmioem: HPE type 242: Fix ID on 32-bit systems
189ca35 Ensure /dev/mem is a character device file
8427888 dmidecode: Use the right variable for -s bios-revision/firmware-revision
6ca381c dmidecode: Do not let --dump-bin overwrite an existing file   <-- Added.
d8cfbc8 dmidecode: Write the whole dump file at once   <-- Added.
39b2dd7 dmidecode: Split table fetching from decoding
11b168f dmioem: Avoid intermediate buffer (HPE type 216)
9d2bbd5 dmioem: Decode HPE OEM Record 216
3d68350 dmidecode: Drop the CPUID exception list
c1a2520 dmidecode: Add a --no-quirks option
67dc0b2 dmidecode: Fortify entry point length checks
f801673 dmioem: Typo fix (Virutal -> Virtual)
90d1323 dmioem: Decode HPE OEM Record 242
f50b925 dmioem: Update HPE OEM Record 238
ac24b67 dmioem: Decode HPE OEM Record 230
c3357b5 dmioem: Fix segmentation fault in dmi_hp_240_attr()
a1a2258 dmioem: Decode HPE OEM Record 224
fb8766a NEWS: Fix typo


My summary of the changes above:

  - support additional HW,

  - fix bugs, typos and build warnings.

  - internal program restructuring: 39b2dd7 dmidecode: Split table fetching from decoding

I was a bit concerned about:

3d68350 dmidecode: Drop the CPUID exception list

but it's pretty arcane (1) and only affects HW from 2008 or earlier

so we should be okay with that change!


Steve,

Do you agree?

Thanks,

../Randy



1)

commit 3d6835047f80691678e5db3127f9d573956413f0
Author: Jean Delvare
Date:   Fri Dec 16 04:37:04 2022

 dmidecode: Drop the CPUID exception list

 Back in 2003, I had a system where the CPU type was not set. I added
 a quirk so that it would still be recognized as x86, and the CPUID
 could be decoded.

 A few more exceptions where added over the years, but in effect, the
 list was last modified in 2008.

 Having suc

Re: [OE-core][mickledore 02/26] dmidecode: fix CVE-2023-30630

2023-07-18 Thread Steve Sakoman
On Tue, Jul 18, 2023 at 11:49 AM Randy MacLeod
 wrote:
>
> Add Kai,
>
> On 2023-07-14 18:32, Steve Sakoman via lists.openembedded.org wrote:
>
> From: Yogita Urade 
>
> Dmidecode before 3.5 allows -dump-bin to overwrite a local file.
> This has security relevance because, for example, execution of
> Dmidecode via Sudo is plausible.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2023-30630
> https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html
> https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00017.html
>
> Signed-off-by: Yogita Urade 
> Signed-off-by: Steve Sakoman 
> ---
>  .../dmidecode/CVE-2023-30630_1.patch  | 237 ++
>  .../dmidecode/CVE-2023-30630_2.patch  |  81 ++
>  .../dmidecode/CVE-2023-30630_3.patch  |  69 +
>  .../dmidecode/CVE-2023-30630_4.patch  | 137 ++
>
>
> Summary:
>
> I think this can merge but we should agree on how to handle dmidecode.
>
>
> Details:
>
> These changes work but it's bringing back 4 patches rather than bumping the 
> version to 3.5
> and picking up 2 patches. My conclusion is that it's okay but we should 
> probably talk
> about how to maintain dmidecode since it just produces a bunch of programs 
> for dumping
> HW DMI/SMBIOS info and doesn't provide a runtime ABI, we can probably update 
> to 3.5
> ( or even 3.6 when that's out).
>
> Do you agree Steve?

You'll always get the same answer from me: no version bumps that
implement new features/apis.  Bug/security fixes only.

If there is a strong case to be made for something outside this
policy, it should go to the TSC for consideration.

I don't want our stable branches to start resembling the kernel
"stable" branches ...

So, yes, I think we should merge this patch rather than version bump :-)

Steve

> The patches back-ported are:
>
> ❯ rg -i "subject: \[PATCH\]" /tmp/dmidecode-mickledore-cve.eml
> 201:+Subject: [PATCH] dmidecode: Write the whole dump file at once
> 444:+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing 
> file
> 531:+Subject: [PATCH] Consistently use read_file() when reading from a dump 
> file
> 606:+Subject: [PATCH] Don't read beyond sysfs entry point buffer
>
>
> Two of these patches would be picked up if we update mickledore to 3.5 - so 
> let's look at what changed:
>
> ❯ git log --oneline dmidecode-3-4..dmidecode-3-5
>
> 484f893 (tag: dmidecode-3-5) Set the version to 3.5
> 8baf2f5 Fix a build warning when USE_MMAP isn't set
> b9ebecc dmioem: HPE type 242: Fix ID on 32-bit systems
> 189ca35 Ensure /dev/mem is a character device file
> 8427888 dmidecode: Use the right variable for -s 
> bios-revision/firmware-revision
> 6ca381c dmidecode: Do not let --dump-bin overwrite an existing file 
> <-- Added.
> d8cfbc8 dmidecode: Write the whole dump file at once   
> <-- Added.
> 39b2dd7 dmidecode: Split table fetching from decoding
> 11b168f dmioem: Avoid intermediate buffer (HPE type 216)
> 9d2bbd5 dmioem: Decode HPE OEM Record 216
> 3d68350 dmidecode: Drop the CPUID exception list
> c1a2520 dmidecode: Add a --no-quirks option
> 67dc0b2 dmidecode: Fortify entry point length checks
> f801673 dmioem: Typo fix (Virutal -> Virtual)
> 90d1323 dmioem: Decode HPE OEM Record 242
> f50b925 dmioem: Update HPE OEM Record 238
> ac24b67 dmioem: Decode HPE OEM Record 230
> c3357b5 dmioem: Fix segmentation fault in dmi_hp_240_attr()
> a1a2258 dmioem: Decode HPE OEM Record 224
> fb8766a NEWS: Fix typo
>
>
> My summary of the changes above:
>
>  - support additional HW,
>
>  -  fix bugs, typos and build warnings.
>
>  - internal program restructuring: 39b2dd7 dmidecode: Split table fetching 
> from decoding
>
> I was a bit concerned about:
>
>3d68350 dmidecode: Drop the CPUID exception list
>
> but it's pretty arcane (1) and only affects HW from 2008 or earlier
>
> so we should be okay with that change!
>
>
> Steve,
>
> Do you agree?
>
> Thanks,
>
> ../Randy
>
>
>
> 1)
>
> commit 3d6835047f80691678e5db3127f9d573956413f0
> Author: Jean Delvare 
> Date:   Fri Dec 16 04:37:04 2022
>
> dmidecode: Drop the CPUID exception list
>
> Back in 2003, I had a system where the CPU type was not set. I added
> a quirk so that it would still be recognized as x86, and the CPUID
> could be decoded.
>
> A few more exceptions where added over the years, but in effect, the
> list was last modified in 2008.
>
> Having such an exception list isn't actually a good idea, for the
> following reasons:
>  * It requires endless maintenance work if we want to keep it
>up-to-date.
>  * It adds some (admittedly minimal) burden to the sane systems.
>  * If we were to add more entries to the exception list, it wouldn't
>scale well (linear algorithmic complexity). This could be improved
>but at the cost of more complex code.
>  * It sends the wrong message to the hardware manufacturers ("You can
>get

Re: [OE-core][mickledore 02/26] dmidecode: fix CVE-2023-30630

2023-07-18 Thread Richard Purdie
On Tue, 2023-07-18 at 17:48 -0400, Randy MacLeod via lists.openembedded.org 
wrote:
> 
> Add Kai,
> 
> On 2023-07-14 18:32, Steve Sakoman via lists.openembedded.org wrote:
>  From: Yogita Urade 
> > 
> > Dmidecode before 3.5 allows -dump-bin to overwrite a local file.
> > This has security relevance because, for example, execution of
> > Dmidecode via Sudo is plausible.
> > 
> > References:
> > https://nvd.nist.gov/vuln/detail/CVE-2023-30630
> > https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html
> > https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00017.html
> > 
> > Signed-off-by: Yogita Urade 
> > Signed-off-by: Steve Sakoman 
> > ---
> >  .../dmidecode/CVE-2023-30630_1.patch  | 237
> > ++
> >  .../dmidecode/CVE-2023-30630_2.patch  |  81 ++
> >  .../dmidecode/CVE-2023-30630_3.patch  |  69 +
> >  .../dmidecode/CVE-2023-30630_4.patch  | 137 ++
> >  
> 
> Summary:
>  
>     I think this can merge but we should agree on how to handle
> dmidecode.
>  
> Details:
>  
> These changes work but it's bringing back 4 patches rather than
> bumping the version to 3.5
>  and picking up 2 patches. My conclusion is that it's okay but we
> should probably talk
>  about how to maintain dmidecode since it just produces a bunch of
> programs for dumping
>  HW DMI/SMBIOS info and doesn't provide a runtime ABI, we can
> probably update to 3.5 
>  ( or even 3.6 when that's out).
>  
> Do you agree Steve?
>  
>  
> The patches back-ported are:
>  
> ❯ rg -i "subject: \[PATCH\]" /tmp/dmidecode-mickledore-cve.eml 
>  201:+Subject: [PATCH] dmidecode: Write the whole dump file at once
>  444:+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an
> existing file
>  531:+Subject: [PATCH] Consistently use read_file() when reading from
> a dump file
>  606:+Subject: [PATCH] Don't read beyond sysfs entry point buffer
>    
> Two of these patches would be picked up if we update mickledore to
> 3.5 - so let's look at what changed:
>  
> ❯ git log --oneline dmidecode-3-4..dmidecode-3-5
>  
> 484f893 (tag: dmidecode-3-5) Set the version to 3.5
>  8baf2f5 Fix a build warning when USE_MMAP isn't set
>  b9ebecc dmioem: HPE type 242: Fix ID on 32-bit systems
>  189ca35 Ensure /dev/mem is a character device file
>  8427888 dmidecode: Use the right variable for -s bios-
> revision/firmware-revision
>  6ca381c dmidecode: Do not let --dump-bin overwrite an existing file
> <-- Added.
>  d8cfbc8 dmidecode: Write the whole dump file at
> once   <-- Added.
>  39b2dd7 dmidecode: Split table fetching from decoding
>  11b168f dmioem: Avoid intermediate buffer (HPE type 216)
>  9d2bbd5 dmioem: Decode HPE OEM Record 216
>  3d68350 dmidecode: Drop the CPUID exception list
>  c1a2520 dmidecode: Add a --no-quirks option
>  67dc0b2 dmidecode: Fortify entry point length checks
>  f801673 dmioem: Typo fix (Virutal -> Virtual)
>  90d1323 dmioem: Decode HPE OEM Record 242
>  f50b925 dmioem: Update HPE OEM Record 238
>  ac24b67 dmioem: Decode HPE OEM Record 230
>  c3357b5 dmioem: Fix segmentation fault in dmi_hp_240_attr()
>  a1a2258 dmioem: Decode HPE OEM Record 224
>  fb8766a NEWS: Fix typo
>  
>  My summary of the changes above: 
>   - support additional HW,
>  
>  -  fix bugs, typos and build warnings.
>  
>  - internal program restructuring: 39b2dd7 dmidecode: Split table
> fetching from decoding
>  
> I was a bit concerned about:
>  
>  
>    3d68350 dmidecode: Drop the CPUID exception list
>  
> but it's pretty arcane (1) and only affects HW from 2008 or earlier
>  
> so we should be okay with that change!

This discussion seems like it is starting to appear on a number of
recipes each time we have to backport CVE fixes.

The policy is very clear for good reasons. We do not take upgrades
where there are mixes of features and fixes. We only take upgrades
where they are part of some kind of stable series that the upstream is
promoting/supporting.

The policy is like this to make things clear cut. Yes, there are fuzzy
cases where you can make the argument but that is not the policy.

You can make this argument for many different pieces of software and I
don't want to see this discussion happening every time. I really don't
want to keep seeing this discussion coming back up either. There is
risk starting to make guesses about what feature changes do and these
are not the risks we've stated the stable series supports.

If someone wants to maintain a branch where they upgrade all the
software to the latest versions they can feel free to do so but it will
look a lot like master.

Cheers,

Richard






View/Reply Online (#184561): https://lists.openembedded.org/g/openembedded-core/message/184561

Re: [OE-core][mickledore 02/26] dmidecode: fix CVE-2023-30630

2023-07-18 Thread Randy MacLeod via lists.openembedded.org

Add Kai,

On 2023-07-14 18:32, Steve Sakoman via lists.openembedded.org wrote:

From: Yogita Urade

Dmidecode before 3.5 allows -dump-bin to overwrite a local file.
This has security relevance because, for example, execution of
Dmidecode via Sudo is plausible.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-30630
https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html
https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00017.html

Signed-off-by: Yogita Urade
Signed-off-by: Steve Sakoman
---
  .../dmidecode/CVE-2023-30630_1.patch  | 237 ++
  .../dmidecode/CVE-2023-30630_2.patch  |  81 ++
  .../dmidecode/CVE-2023-30630_3.patch  |  69 +
  .../dmidecode/CVE-2023-30630_4.patch  | 137 ++



Summary:

    I think this can merge but we should agree on how to handle dmidecode.


Details:

These changes work but it's bringing back 4 patches rather than bumping the version to 3.5
and picking up 2 patches. My conclusion is that it's okay but we should probably talk
about how to maintain dmidecode since it just produces a bunch of programs for dumping
HW DMI/SMBIOS info and doesn't provide a runtime ABI, we can probably update to 3.5
( or even 3.6 when that's out).

Do you agree Steve?


The patches back-ported are:

❯ rg -i "subject: \[PATCH\]" /tmp/dmidecode-mickledore-cve.eml
201:+Subject: [PATCH] dmidecode: Write the whole dump file at once
444:+Subject: [PATCH] dmidecode: Do not let --dump-bin overwrite an existing file
531:+Subject: [PATCH] Consistently use read_file() when reading from a dump file
606:+Subject: [PATCH] Don't read beyond sysfs entry point buffer


Two of these patches would be picked up if we update mickledore to 3.5 - 
so let's look at what changed:


❯ git log --oneline dmidecode-3-4..dmidecode-3-5

484f893 (tag: dmidecode-3-5) Set the version to 3.5
8baf2f5 Fix a build warning when USE_MMAP isn't set
b9ebecc dmioem: HPE type 242: Fix ID on 32-bit systems
189ca35 Ensure /dev/mem is a character device file
8427888 dmidecode: Use the right variable for -s bios-revision/firmware-revision
6ca381c dmidecode: Do not let --dump-bin overwrite an existing file   <-- Added.
d8cfbc8 dmidecode: Write the whole dump file at once   <-- Added.
39b2dd7 dmidecode: Split table fetching from decoding
11b168f dmioem: Avoid intermediate buffer (HPE type 216)
9d2bbd5 dmioem: Decode HPE OEM Record 216
3d68350 dmidecode: Drop the CPUID exception list
c1a2520 dmidecode: Add a --no-quirks option
67dc0b2 dmidecode: Fortify entry point length checks
f801673 dmioem: Typo fix (Virutal -> Virtual)
90d1323 dmioem: Decode HPE OEM Record 242
f50b925 dmioem: Update HPE OEM Record 238
ac24b67 dmioem: Decode HPE OEM Record 230
c3357b5 dmioem: Fix segmentation fault in dmi_hp_240_attr()
a1a2258 dmioem: Decode HPE OEM Record 224
fb8766a NEWS: Fix typo


My summary of the changes above:

 - support additional HW,

 - fix bugs, typos and build warnings.

 - internal program restructuring: 39b2dd7 dmidecode: Split table fetching from decoding


I was a bit concerned about:

   3d68350 dmidecode: Drop the CPUID exception list

but it's pretty arcane (1) and only affects HW from 2008 or earlier

so we should be okay with that change!


Steve,

Do you agree?

Thanks,

../Randy



1)

commit 3d6835047f80691678e5db3127f9d573956413f0
Author: Jean Delvare 
Date:   Fri Dec 16 04:37:04 2022

    dmidecode: Drop the CPUID exception list

    Back in 2003, I had a system where the CPU type was not set. I added
    a quirk so that it would still be recognized as x86, and the CPUID
    could be decoded.

    A few more exceptions where added over the years, but in effect, the
    list was last modified in 2008.

    Having such an exception list isn't actually a good idea, for the
    following reasons:
 * It requires endless maintenance work if we want to keep it
   up-to-date.
 * It adds some (admittedly minimal) burden to the sane systems.
 * If we were to add more entries to the exception list, it wouldn't
   scale well (linear algorithmic complexity). This could be improved
   but at the cost of more complex code.
 * It sends the wrong message to the hardware manufacturers ("You can
   get things wrong, we'll add a workaround on our side.")

    Therefore I would like to get rid of this exception list. Doing so
    has the nice side effect of simplifying the code and making the
    binary smaller.

    If anyone really needs the CPUID information on such non-compliant
    systems, there are other ways to retrieve it, such as lscpu or
    /proc/cpuinfo.

https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=3d6835047f80691678e5db3127f9d573956413f0




  .../dmidecode/dmidecode_3.4.bb|   4 +
  5 files changed, 528 insertions(+)
  create mode 100644 
meta/recipes-devtools/dmidecode/dmidecode/CVE-2023-30630_1.patch
  create mode 100644 
meta/

Re: ODP: [OE-Core][PATCH v5 1/5] bitbake.conf: add acl and xattr distro native features support

2023-07-18 Thread Alexandre Belloni via lists.openembedded.org
On 18/07/2023 08:05:12+, Piotr Łobacz wrote:
> Alexander, this message:
> 
> > Alex,
> > from what I'm seeing the issue touches opkg-build command:
> >
> > opkg-build -Z xz -a "--memlimit=5% --threads=8" "" "" 
> > nativesdk-xcb-proto-dbg 
> > /home/pokybuild/yocto-worker/genericx86-64/build/build/tmp/work/i686-nativesdk-pokysdk-linux/nativesdk-xcb-proto/1.15.2-r0/deploy-ipks/i686-nativesdk'
> >  returned non-zero exit status 1.
> >
> > which causes you an error. This may happen with bad tar hosttools command. 
> > Can you please post me which version is on yocto autobuilder?
> 
> > BR
> > Piotr
> 
> was meant for you, sorry for the confusion. Can you please verify/check what 
> version of `tar` is being used on the autobuilder? This is really important 
> for me, if we're going to move forward with it, because I have suspicions 
> that it may not support posix or it may not be patched with --acls and 
> --xattrs attributes https://www.mail-archive.com/bug-tar@gnu.org/msg06198.html
> 

This fails at least on:

fedora38-ty-4: tar (GNU tar) 1.34, has --acls and --xattrs
stream8-ty-1: tar (GNU tar) 1.30, has --acls and --xattrs
rocky9-ty-1: tar (GNU tar) 1.34, has --acls and --xattrs
debian12-ty-1: tar (GNU tar) 1.34, has --acls and --xattrs
ubuntu2204-ty-3: tar (GNU tar) 1.34, has --acls and --xattrs
ubuntu2004-arm-1: tar (GNU tar) 1.30, has --acls and --xattrs
opensuse154-ty-3: tar (GNU tar) 1.34, has --acls and --xattrs
alma9-ty-1: tar (GNU tar) 1.34, has --acls and --xattrs
ubuntu2210-ty-1: tar (GNU tar) 1.34, has --acls and --xattrs
ubuntu2004-ty-1: tar (GNU tar) 1.30, has --acls and --xattrs

Really, the question is more on which host this is working.


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

View/Reply Online (#184559): https://lists.openembedded.org/g/openembedded-core/message/184559



[OE-core][PATCH] icu: upgrade 72-1 -> 73-2

2023-07-18 Thread Trevor Gamblin
Changelog: https://github.com/unicode-org/icu/releases/tag/release-73-2

ICU moved to a common LICENSE file in the project root. The only actual
change was an update to the copyright year.

Signed-off-by: Trevor Gamblin 
---
 meta/recipes-support/icu/{icu_72-1.bb => icu_73-2.bb} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-support/icu/{icu_72-1.bb => icu_73-2.bb} (95%)

diff --git a/meta/recipes-support/icu/icu_72-1.bb 
b/meta/recipes-support/icu/icu_73-2.bb
similarity index 95%
rename from meta/recipes-support/icu/icu_72-1.bb
rename to meta/recipes-support/icu/icu_73-2.bb
index c2eae5298f..7c59f8bb89 100644
--- a/meta/recipes-support/icu/icu_72-1.bb
+++ b/meta/recipes-support/icu/icu_73-2.bb
@@ -78,7 +78,7 @@ FILES:libicuio = "${libdir}/libicuio.so.*"
 
 BBCLASSEXTEND = "native nativesdk"
 
-LIC_FILES_CHKSUM = "file://../LICENSE;md5=a89d03060ff9c46552434dbd1fe3ed1f"
+LIC_FILES_CHKSUM = "file://../LICENSE;md5=80c2cf39ad8ae12b9b9482a1737c6650"
 
 def icu_download_version(d):
 pvsplit = d.getVar('PV').split('-')
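Review bot: LIC_FILES_CHKSUM gets a new md5 but keeps the path file://../LICENSE, while the commit message says ICU moved to a common LICENSE file in the project root; please confirm that ../LICENSE relative to S is that root file in the 73-2 tarball, and say so in the commit message so the checksum change can be audited against the right file.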
@@ -111,8 +111,8 @@ SRC_URI = "${BASE_SRC_URI};name=code \
 SRC_URI:append:class-target = "\
file://0001-Disable-LDFLAGSICUDT-for-Linux.patch \
   "
-SRC_URI[code.sha256sum] = 
"a2d2d38217092a7ed56635e34467f92f976b370e20182ad325edea6681a71d68"
-SRC_URI[data.sha256sum] = 
"ee19f876507d6c23d9e0a2b631096f6b0eaa6fa61728c33a89efdb55e3385dea"
+SRC_URI[code.sha256sum] = 
"818a80712ed3caacd9b652305e01afc7fa167e6f2e94996da44b90c2ab604ce1"
+SRC_URI[data.sha256sum] = 
"ca1ee076163b438461e484421a7679fc33a64cd0a54f9d4b401893fa1eb42701"
 
 UPSTREAM_CHECK_REGEX = "releases/tag/release-(?P(?!.+rc).+)"
 GITHUB_BASE_URI = "https://github.com/unicode-org/icu/releases";
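Review bot: the class-target patch 0001-Disable-LDFLAGSICUDT-for-Linux.patch in the context above the checksum lines is carried over unchanged, and the commit message does not say whether it still applies cleanly to 73-2 or is still needed; a line confirming that would help. Both code.sha256sum and data.sha256sum change here, so it is also worth noting which upstream release artifacts the new values were taken from.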
-- 
2.41.0


View/Reply Online (#184558): https://lists.openembedded.org/g/openembedded-core/message/184558



[OE-core][PATCH v2] python3-editables: add python3-io to RDEPENDS

2023-07-18 Thread Trevor Gamblin
editables needs the ipaddress module to function, so add python3-io to
the RDEPENDS list.

Signed-off-by: Trevor Gamblin 
---
v2 adds to the RDEPENDS list so that it doesn't overwrite any existing
ones by mistake.

 meta/recipes-devtools/python/python3-editables_0.3.bb | 4 
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-editables_0.3.bb 
b/meta/recipes-devtools/python/python3-editables_0.3.bb
index b42ff06872..93fa195637 100644
--- a/meta/recipes-devtools/python/python3-editables_0.3.bb
+++ b/meta/recipes-devtools/python/python3-editables_0.3.bb
@@ -8,4 +8,8 @@ SRC_URI[sha256sum] = 
"167524e377358ed1f1374e61c268f0d7a4bf7dbd046c656f7b410cde16
 
 inherit pypi python_setuptools_build_meta
 
+RDEPENDS:${PN} += "\
+python3-io \
+"
+
 BBCLASSEXTEND = "native nativesdk"
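Review bot: The added `RDEPENDS:${PN} += "\` block spreads a single entry over three lines and does not say which module it is for; the commit message names ipaddress, but the recipe only shows python3-io. A one-line `RDEPENDS:${PN} += "python3-io"` with a short comment that editables imports ipaddress would keep the reason next to the dependency.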
-- 
2.41.0


View/Reply Online (#184556): https://lists.openembedded.org/g/openembedded-core/message/184556



[OE-core][PATCH 2/3] python3-cython: upgrade 0.29.35 -> 0.29.36

2023-07-18 Thread Trevor Gamblin
Changelog: https://github.com/cython/cython/blob/master/CHANGES.rst

Bugs fixed

- Async generators lost their return value in PyPy. (Github issue :issue:`5465`)
- The outdated C macro _PyGC_FINALIZED() is no longer used in Py3.9+.
- The deprecated Py_OptimizeFlag is no longer used in Python 3.9+. (Github 
issue :issue:`5343`)
- Using the global __debug__ variable but not assertions could lead to compile 
errors.
- The broken HTML template support was removed from Tempita. (Github issue 
:issue:`3309`)

Signed-off-by: Trevor Gamblin 
---
 meta/recipes-devtools/python/python-cython.inc  | 2 +-
 .../{python3-cython_0.29.35.bb => python3-cython_0.29.36.bb}| 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3-cython_0.29.35.bb => 
python3-cython_0.29.36.bb} (100%)

diff --git a/meta/recipes-devtools/python/python-cython.inc 
b/meta/recipes-devtools/python/python-cython.inc
index 71596caedd..6aec6b012f 100644
--- a/meta/recipes-devtools/python/python-cython.inc
+++ b/meta/recipes-devtools/python/python-cython.inc
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE.txt;md5=e23fadd6ceef8c618fc1c65191d846fa"
 PYPI_PACKAGE = "Cython"
 BBCLASSEXTEND = "native nativesdk"
 
-SRC_URI[sha256sum] = 
"6e381fa0bf08b3c26ec2f616b19ae852c06f5750f4290118bf986b6f85c8c527"
+SRC_URI[sha256sum] = 
"41c0cfd2d754e383c9eeb95effc9aa4ab847d0c9747077ddd7c0dcb68c3bc01f"
 UPSTREAM_CHECK_REGEX = "Cython-(?P.*)\.tar"
 
 inherit pypi
diff --git a/meta/recipes-devtools/python/python3-cython_0.29.35.bb 
b/meta/recipes-devtools/python/python3-cython_0.29.36.bb
similarity index 100%
rename from meta/recipes-devtools/python/python3-cython_0.29.35.bb
rename to meta/recipes-devtools/python/python3-cython_0.29.36.bb
-- 
2.41.0


View/Reply Online (#184554): https://lists.openembedded.org/g/openembedded-core/message/184554



[OE-core][PATCH 1/3] python3-trove-classifiers: upgrade 2023.5.24 -> 2023.7.6

2023-07-18 Thread Trevor Gamblin
Changelog: https://github.com/pypa/trove-classifiers/releases

Signed-off-by: Trevor Gamblin 
---
 ...fiers_2023.5.24.bb => python3-trove-classifiers_2023.7.6.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-devtools/python/{python3-trove-classifiers_2023.5.24.bb => 
python3-trove-classifiers_2023.7.6.bb} (87%)

diff --git 
a/meta/recipes-devtools/python/python3-trove-classifiers_2023.5.24.bb 
b/meta/recipes-devtools/python/python3-trove-classifiers_2023.7.6.bb
similarity index 87%
rename from meta/recipes-devtools/python/python3-trove-classifiers_2023.5.24.bb
rename to meta/recipes-devtools/python/python3-trove-classifiers_2023.7.6.bb
index 2d484d4b2c..7879dc2031 100644
--- a/meta/recipes-devtools/python/python3-trove-classifiers_2023.5.24.bb
+++ b/meta/recipes-devtools/python/python3-trove-classifiers_2023.7.6.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/pypa/trove-classifiers";
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
 
-SRC_URI[sha256sum] = 
"fd5a1546283be941f47540a135bdeae8fb261380a6a204d9c18012f2a1b0ceae"
+SRC_URI[sha256sum] = 
"8a8e168b51d20fed607043831d37632bb50919d1c80a64e0f1393744691a8b22"
 
 inherit pypi python_setuptools_build_meta ptest
 
-- 
2.41.0


View/Reply Online (#184553): https://lists.openembedded.org/g/openembedded-core/message/184553



[OE-core][PATCH 3/3] python3-editables: add python3-io to RDEPENDS

2023-07-18 Thread Trevor Gamblin
editables needs the ipaddress module to function, so add python3-io to
the RDEPENDS list.

Signed-off-by: Trevor Gamblin 
---
 meta/recipes-devtools/python/python3-editables_0.3.bb | 4 
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-devtools/python/python3-editables_0.3.bb 
b/meta/recipes-devtools/python/python3-editables_0.3.bb
index b42ff06872..79d7fcaaf0 100644
--- a/meta/recipes-devtools/python/python3-editables_0.3.bb
+++ b/meta/recipes-devtools/python/python3-editables_0.3.bb
@@ -8,4 +8,8 @@ SRC_URI[sha256sum] = 
"167524e377358ed1f1374e61c268f0d7a4bf7dbd046c656f7b410cde16
 
 inherit pypi python_setuptools_build_meta
 
+RDEPENDS:${PN} = "\
+python3-io \
+"
+
 BBCLASSEXTEND = "native nativesdk"
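Review bot: `RDEPENDS:${PN} = "\` in the added block uses plain assignment, which replaces any runtime dependencies assigned earlier in the recipe or by the classes inherited in the context line (`pypi python_setuptools_build_meta`). Use `RDEPENDS:${PN} += "python3-io"` so the entry is appended instead of overwriting.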
-- 
2.41.0


View/Reply Online (#184555): https://lists.openembedded.org/g/openembedded-core/message/184555



[OE-core][PATCH] linux-firmware: upgrade 20230515 -> 20230625

2023-07-18 Thread Trevor Gamblin
WHENCE checksum changed because of updated version lists and removal of
information for the RTL8188EU driver.

Signed-off-by: Trevor Gamblin 
---
 ...{linux-firmware_20230515.bb => linux-firmware_20230625.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230515.bb => 
linux-firmware_20230625.bb} (99%)

diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb 
b/meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb
similarity index 99%
rename from meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
rename to meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb
index 3470131294..329a3e3c9a 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20230625.bb
@@ -134,7 +134,7 @@ LIC_FILES_CHKSUM = 
"file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
 "
 # WHENCE checksum is defined separately to ease overriding it if
 # class-devupstream is selected.
-WHENCE_CHKSUM  = "a0997fc7a9af4e46d96529d6ef13b58a"
+WHENCE_CHKSUM  = "57bf874056926f12aec2405d3fc390d9"
 
 # These are not common licenses, set NO_GENERIC_LICENSE for them
 # so that the license files will be copied from fetched source
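Review bot: The `WHENCE_CHKSUM` change on the `+` line alters a licence checksum, and the commit message explains the reason only in free text, without the `License-Update:` tag that the dunfell linux-firmware upgrade on this list carries. Putting the same explanation behind a `License-Update:` line makes the licence change easy to find in the log.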
@@ -212,7 +212,7 @@ SRC_URI:class-devupstream = 
"git://git.kernel.org/pub/scm/linux/kernel/git/firmw
 # Pin this to the 20220509 release, override this in local.conf
 SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
 
-SRC_URI[sha256sum] = 
"8b1acfa16f1ee94732a6acb50d9d6c835cf53af11068bd89ed207bbe04a1e951"
+SRC_URI[sha256sum] = 
"87597111c0d4b71b31e53cb85a92c386921b84c825a402db8c82e0e86015500d"
 
 inherit allarch
 
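Review bot: The context lines above the checksum change still read `# Pin this to the 20220509 release` with `SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"` left untouched, while the recipe moves to 20230625. Either bump the devupstream pin together with the release or reword the comment so it is clear the older pin is intentional; otherwise a devupstream build quietly gets firmware from the older release named in the comment.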
-- 
2.41.0


View/Reply Online (#184552): https://lists.openembedded.org/g/openembedded-core/message/184552



Re: [OE-core] [mickledore][PATCH 0/1] Cherry pick commit from master to update webkitgtk to 2.40.2

2023-07-18 Thread Alexander Kanavin
This type of update is perhaps best suited for an lts mixin branch in
meta-lts-mixins, even if mickledore isn't LTS.

Alex

On Tue, 18 Jul 2023 at 16:37, Steve Sakoman  wrote:
>
> On Mon, Jul 17, 2023 at 1:20 PM Randy MacLeod
>  wrote:
> >
> > On 2023-07-17 12:09, Steve Sakoman via lists.openembedded.org wrote:
> >
> > On Sun, Jul 16, 2023 at 3:34 PM Kai  wrote:
> >
> > On 7/14/23 15:15, Kai Kang wrote:
> >
> > From: Kai Kang 
> >
> > Hi,
> >
> > I've discussed with webkitgtk maintainers about api compatible issues on
> >
> > https://lists.webkit.org/pipermail/webkit-gtk/2023-March/003887.html
> >
> > WebKitGTK 2.38.x is backwards compatible with 2.36.x, you can safely update
> >
> > without needing to change applications. In general, we always keep the API 
> > and
> > ABI backwards compatible.
> >
> > Note that the current stable releases (2.40.x) introduce a new API level
> > when using GTK4, but I suppose this is not a problem because most likely you
> > are still using GTK3
> >
> >
> > I suggest we apply the update in mickledore too which solves lots of
> > CVEs.
> >
> > Hi Steve,
> >
> > I have no idea why the cover-letter is not in the same thread with the
> > patch.
> >
> > So according to the reply from webkitgtk maintainer, would you like to
> > re-consider
> > to cherry-pick the commit to mickledore, please?
> >
> > Sorry, still not possible, this is a major release bump that adds
> > features and APIs.  Please see:
> >
> > https://wpewebkit.org/release/wpewebkit-2.40.0.html
> >
> > We do need to be careful but upstream is saying that:
> >
> >   "WebKitGTK 2.40.x is backwards-compatible as well and that will remain 
> > true indefinitely,
> >as long as you continue to build the same API version [2]. "
> >
> > I'd like a simple way to measure if that's true but I'm not sure one exists.
> >
> > Kai,
> >
> > Have you looked at the source diff to understand how upstream is able to 
> > introduce
> > a new API yet enable building the old one?
> >
> >
> > Kai, Steve,
> >
> > Should we investigate using the flags suggested:
> >"is still possible to build the old 1.0 API using -USE_SOUP2=ON, or the 
> > 1.1 API using -DENABLE_WPE_1_1_API=ON. "
> >   -- https://wpewebkit.org/release/wpewebkit-2.40.0.html
>
> I'm wrangling patches for the three stable branches with releases
> every 1-2 weeks, so I really don't have the cycles to investigate
> this.
>
> > or do we really have to backport patches to 2.38.x ?
>
> A version bump of this type (with the addition of features and APIs)
> is outside the scope of allowed updates for stable branches.  As such,
> it would require TSC approval.
>
> So the two options are to either backport CVE fixes or take the issue
> to the TSC.
>
> Steve
>
> > Alexander Kanavin (1):
> >webkitgtk: update 2.38.5 -> 2.40.2
> >
> >   meta/recipes-gnome/epiphany/epiphany_43.1.bb  |  3 ++
> >   ...tCore-CMakeLists.txt-ensure-reproduc.patch | 28 +
> >   ...44e17d258106617b0e6d783d073b188a2548.patch | 42 ---
> >   ...290ab4ab35258a6da9b13795c9b0f7894bf4.patch | 41 ++
> >   ...bb461f040b90453bc4e100dcf967243ecd98.patch | 30 -
> >   ...ebkitgtk_2.38.5.bb => webkitgtk_2.40.2.bb} | 15 +--
> >   6 files changed, 111 insertions(+), 48 deletions(-)
> >   create mode 100644 
> > meta/recipes-sato/webkit/webkitgtk/0001-Source-JavaScriptCore-CMakeLists.txt-ensure-reproduc.patch
> >   create mode 100644 
> > meta/recipes-sato/webkit/webkitgtk/4977290ab4ab35258a6da9b13795c9b0f7894bf4.patch
> >   delete mode 100644 
> > meta/recipes-sato/webkit/webkitgtk/d318bb461f040b90453bc4e100dcf967243ecd98.patch
> >   rename meta/recipes-sato/webkit/{webkitgtk_2.38.5.bb => 
> > webkitgtk_2.40.2.bb} (90%)
> >
> >
> >
> >
> > --
> > Kai Kang
> > Wind River Linux
> >
> >
> >
> >
> >
> > --
> > # Randy MacLeod
> > # Wind River Linux
>
> 
>

View/Reply Online (#184551): https://lists.openembedded.org/g/openembedded-core/message/184551



[OE-core][dunfell 13/13] cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK

2023-07-18 Thread Steve Sakoman
From: Tom Hochstein 

When building using an SDK, cmake complains that the target
architecture 'cortexa53-crypto' is unknown. The same build in bitbake
uses the target architecture 'aarch64'.

Set CMAKE_SYSTEM_PROCESSOR the same as for bitbake.

Signed-off-by: Tom Hochstein 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
(cherry picked from commit d32a6225eefce2073a1cd401034b5b4c68351bfe)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake 
b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
index f8af79ddd5..a7020da9c7 100644
--- a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
+++ b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
@@ -12,10 +12,7 @@ set( CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY )
 
 set(CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX 
"$ENV{OE_CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX}")
 
-# Set CMAKE_SYSTEM_PROCESSOR from the sysroot name (assuming 
processor-distro-os).
-if ($ENV{SDKTARGETSYSROOT} MATCHES "/sysroots/([a-zA-Z0-9_-]+)-.+-.+")
-  set(CMAKE_SYSTEM_PROCESSOR ${CMAKE_MATCH_1})
-endif()
+set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} )
 
 # Include the toolchain configuration subscripts
 file( GLOB toolchain_config_files "${CMAKE_TOOLCHAIN_FILE}.d/*.cmake" )
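Review bot: The new `set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} )` line has no fallback: if OECORE_TARGET_ARCH is missing from the environment, CMAKE_SYSTEM_PROCESSOR silently ends up empty, whereas the removed block only assigned on a successful match. Since this is a cherry-pick, confirm that the dunfell SDK environment script exports OECORE_TARGET_ARCH, and consider guarding the assignment with `if(DEFINED ENV{OECORE_TARGET_ARCH})` or failing with a clear message when it is absent.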
-- 
2.34.1


View/Reply Online (#184550): https://lists.openembedded.org/g/openembedded-core/message/184550



[OE-core][dunfell 12/13] libpng: Add ptest for libpng

2023-07-18 Thread Steve Sakoman
From: Nikhil R 

libpng is a platform-independent library which
supports all PNG features.
This ptest executes the below binaries, parses
the png image and prints the image features.

1. pngfix - provides information about PNG image
copyrights details.

2. pngtest - tests, optimizes and optionally fixes
the zlib header in PNG files.

3. pngstest - verifies the integrity of PNG image by
dumping chunk level information.

4. timepng - provides details about PNG image chunks.

Signed-off-by: Nikhil R 
Signed-off-by: Steve Sakoman 
---
 .../distro/include/ptest-packagelists.inc |  1 +
 .../recipes-multimedia/libpng/files/run-ptest | 29 +++
 .../libpng/libpng_1.6.37.bb   | 15 --
 3 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-multimedia/libpng/files/run-ptest

diff --git a/meta/conf/distro/include/ptest-packagelists.inc 
b/meta/conf/distro/include/ptest-packagelists.inc
index badfd69325..3fb7ec2657 100644
--- a/meta/conf/distro/include/ptest-packagelists.inc
+++ b/meta/conf/distro/include/ptest-packagelists.inc
@@ -26,6 +26,7 @@ PTESTS_FAST = "\
 liberror-perl-ptest \
 libmodule-build-perl-ptest \
 libpcre-ptest \
+libpng-ptest \
 libtimedate-perl-ptest \
 libtest-needs-perl-ptest \
 liburi-perl-ptest \
diff --git a/meta/recipes-multimedia/libpng/files/run-ptest 
b/meta/recipes-multimedia/libpng/files/run-ptest
new file mode 100644
index 00..9ab5d0c1f4
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/run-ptest
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -eux
+
+./pngfix pngtest.png &> log.txt  2>&1
+
+if grep -i "OK" log.txt 2>&1 ; then
+   echo "PASS: pngfix passed"
+else
+   echo "FAIL: pngfix failed"
+fi
+rm -f log.txt
+
+./pngtest pngtest.png &> log.txt 2>&1
+
+if grep -i "PASS" log.txt 2>&1 ; then
+   echo "PASS: pngtest passed"
+else
+   echo "FAIL: pngtest failed"
+fi
+rm -f log.txt
+
+for i in pngstest timepng; do
+if "./${i}" pngtest.png 2>&1; then
+echo "PASS: $i"
+else
+echo "FAIL: $i"
+fi
+done
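Review bot: `./pngfix pngtest.png &> log.txt  2>&1` and the matching pngtest line use `&>`, a bash extension, under `#!/bin/sh`; a POSIX shell parses it as a background `&` followed by a bare redirection, so the grep can run against an empty log. Use `> log.txt 2>&1` instead. Where `&>` is accepted, `set -eux` aborts the script as soon as pngfix or pngtest exits non-zero, so the `FAIL:` branches for those two tools are never printed; capture the exit status explicitly or drop `-e`. `grep -i "OK"` also matches any line containing those two letters in either case, so matching the tool's actual success message would avoid false passes.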
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb 
b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
index 3c46fa3302..9387fc8e2e 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
@@ -10,7 +10,10 @@ DEPENDS = "zlib"
 
 LIBV = "16"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz"
+SRC_URI = "\
+   ${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
+   file://run-ptest \
+   "
 SRC_URI[md5sum] = "015e8e15db1eecde5f2eb9eb5b6e59e9"
 SRC_URI[sha256sum] = 
"505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca"
 
@@ -20,7 +23,7 @@ UPSTREAM_CHECK_URI = "http://libpng.org/pub/png/libpng.html";
 
 BINCONFIG = "${bindir}/libpng-config ${bindir}/libpng16-config"
 
-inherit autotools binconfig-disabled pkgconfig
+inherit autotools binconfig-disabled pkgconfig ptest
 
 # Work around missing symbols
 EXTRA_OECONF_append_class-target = " ${@bb.utils.contains("TUNE_FEATURES", 
"neon", "--enable-arm-neon=on", "--enable-arm-neon=off" ,d)}"
@@ -33,3 +36,11 @@ BBCLASSEXTEND = "native nativesdk"
 
 # CVE-2019-17371 is actually a memory leak in gif2png 2.x
 CVE_CHECK_WHITELIST += "CVE-2019-17371"
+
+do_install_ptest() {
+install -m644 "${S}/pngtest.png" "${D}${PTEST_PATH}"
+install -m755 "${B}/.libs/pngfix" "${D}${PTEST_PATH}"
+install -m755 "${B}/.libs/pngtest" "${D}${PTEST_PATH}"
+install -m755 "${B}/.libs/pngstest" "${D}${PTEST_PATH}"
+install -m755 "${B}/.libs/timepng" "${D}${PTEST_PATH}"
+}
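Review bot: `do_install_ptest` copies the four test programs from `${B}/.libs/`, which is libtool's private output directory, so what lands in `${PTEST_PATH}` is whatever libtool left there before any relinking. Check the installed binaries for build-tree RPATHs or install them through libtool's install mode, and add a comment in the recipe saying why `.libs` is used.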
-- 
2.34.1


View/Reply Online (#184549): https://lists.openembedded.org/g/openembedded-core/message/184549



[OE-core][dunfell 10/13] vim: upgrade 9.0.1527 -> 9.0.1592

2023-07-18 Thread Steve Sakoman
From: Trevor Gamblin 

Fixes:

https://nvd.nist.gov/vuln/detail/CVE-2023-2609
d1ae836 patch 9.0.1531: crash when register contents ends up being invalid
https://nvd.nist.gov/vuln/detail/CVE-2023-2610
ab9a2d8 patch 9.0.1532: crash when expanding "~" in substitute causes very long 
text

Signed-off-by: Trevor Gamblin 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
(cherry picked from commit 1e4b4dfb4145bc00eb6937b5f54a41170e9a5b4c)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 800ee40f92..bbafa170f4 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".1527"
-SRCREV = "c28e7a2b2f23dbd246a1ad7ad7aaa6f7ab2e5887"
+PV .= ".1592"
+SRCREV = "29b4c513b11deb37f0e0538df53d195f602fa42c"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
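Review bot: The context comment `# Remove when 8.3 is out` above `UPSTREAM_VERSION_UNKNOWN = "1"` is stale now that the `+` line sets `PV .= ".1592"` for the 9.0 series named in the subject. Either drop UPSTREAM_VERSION_UNKNOWN or update the comment to state the current reason for keeping it.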
-- 
2.34.1


View/Reply Online (#184547): https://lists.openembedded.org/g/openembedded-core/message/184547



[OE-core][dunfell 11/13] kernel-fitimage: fix dtbo support for fit images

2023-07-18 Thread Steve Sakoman
From: Anthony Bagwell 

8a2f4e143 added support for u-boot boot script but missed adding the
extra parameter to fitimage_emit_section_config on the dtbo branch

Signed-off-by: Richard Purdie 
(cherry picked from commit 22bac8aea0d5d28cc5a3bf20edf638225cce2f88)
Signed-off-by: Steve Sakoman 
---
 meta/classes/kernel-fitimage.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/kernel-fitimage.bbclass 
b/meta/classes/kernel-fitimage.bbclass
index b88d7dbe4b..7c7bcd3fc0 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -519,7 +519,7 @@ fitimage_assemble() {
for DTB in ${DTBS}; do
dtb_ext=${DTB##*.}
if [ "${dtb_ext}" = "dtbo" ]; then
-   fitimage_emit_section_config ${1} "" "${DTB}" 
"" "" "`expr ${i} = ${dtbcount}`"
+   fitimage_emit_section_config ${1} "" "${DTB}" 
"" "${bootscr_id}" "" "`expr ${i} = ${dtbcount}`"
else
fitimage_emit_section_config ${1} 
"${kernelcount}" "${DTB}" "${ramdiskcount}" "${bootscr_id}" "${setupcount}" 
"`expr ${i} = ${dtbcount}`"
fi
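Review bot: The dtbo call now passes seven positional arguments, three of them empty strings, and the bug fixed here came from exactly that pattern when `${bootscr_id}` was added to the other branch. A short comment above the two `fitimage_emit_section_config` calls naming each position (output file, kernel, DTB, ramdisk, boot script, setup, default flag) would make the next signature change harder to miss; `${1}` is also unquoted in both calls.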
-- 
2.34.1


View/Reply Online (#184548): https://lists.openembedded.org/g/openembedded-core/message/184548



[OE-core][dunfell 07/13] glibc: stable 2.31 branch updates.

2023-07-18 Thread Steve Sakoman
From: Deepthi Hemraj 

Below commits on glibc-2.31 stable branch are updated.
2d4f26e5cf x86: Fix wcsnlen-avx2 page cross length comparison

Signed-off-by: Deepthi Hemraj 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-core/glibc/glibc-version.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc-version.inc 
b/meta/recipes-core/glibc/glibc-version.inc
index 5414297ba1..95e2bba301 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.31/master"
 PV = "2.31+git${SRCPV}"
-SRCREV_glibc ?= "d4b75594574ab8a9c2c41209cd8c62aac76b5a04"
+SRCREV_glibc ?= "2d4f26e5cfda682f9ce61444b81533b83f6381af"
 SRCREV_localedef ?= "cd9f958c4c94a638fa7b2b4e21627364f1a1a655"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
-- 
2.34.1


View/Reply Online (#184544): https://lists.openembedded.org/g/openembedded-core/message/184544



[OE-core][dunfell 09/13] wireless-regdb: upgrade 2023.02.13 -> 2023.05.03

2023-07-18 Thread Steve Sakoman
From: Alexander Kanavin 

Signed-off-by: Alexander Kanavin 
Signed-off-by: Richard Purdie 
(cherry picked from commit 47438402fa430499864a4b1f1a13eaac66aa21c0)
Signed-off-by: Steve Sakoman 
---
 ...ireless-regdb_2023.02.13.bb => wireless-regdb_2023.05.03.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.02.13.bb => 
wireless-regdb_2023.05.03.bb} (94%)

diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb 
b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb
similarity index 94%
rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb
rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb
index 295510225a..f3c3cd78e9 100644
--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
 
 SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz";
-SRC_URI[sha256sum] = 
"fe81e8a8694dc4753a45087a1c4c7e1b48dee5a59f5f796ce374ea550f0b2e73"
+SRC_URI[sha256sum] = 
"f254d08ab3765aeae2b856222e11a95d44aef519a6663877c71ef68fae4c8c12"
 
 inherit bin_package allarch
 
-- 
2.34.1


View/Reply Online (#184546): https://lists.openembedded.org/g/openembedded-core/message/184546



[OE-core][dunfell 08/13] linux-firmware: upgrade 20230404 -> 20230515

2023-07-18 Thread Steve Sakoman
From: Alexander Kanavin 

License-Update: additional firmwares

Signed-off-by: Alexander Kanavin 
Signed-off-by: Richard Purdie 
(cherry picked from commit 64603f602d00999220fe5bafeed996ddcb56d36b)
Signed-off-by: Steve Sakoman 
---
 ...{linux-firmware_20230404.bb => linux-firmware_20230515.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230404.bb => 
linux-firmware_20230515.bb} (99%)

diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb 
b/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
similarity index 99%
rename from meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
rename to meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
index 9ac70b2a3a..a367a9fd01 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
@@ -134,7 +134,7 @@ LIC_FILES_CHKSUM = 
"file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
 "
 # WHENCE checksum is defined separately to ease overriding it if
 # class-devupstream is selected.
-WHENCE_CHKSUM  = "0782deea054d4b1b7f10c92c3a245da4"
+WHENCE_CHKSUM  = "a0997fc7a9af4e46d96529d6ef13b58a"
 
 # These are not common licenses, set NO_GENERIC_LICENSE for them
 # so that the license files will be copied from fetched source
@@ -212,7 +212,7 @@ SRC_URI:class-devupstream = 
"git://git.kernel.org/pub/scm/linux/kernel/git/firmw
 # Pin this to the 20220509 release, override this in local.conf
 SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
 
-SRC_URI[sha256sum] = 
"c3f9ad2bb5311cce2490f37a8052f836703d6936aabd840246b6576f1f71f607"
+SRC_URI[sha256sum] = 
"8b1acfa16f1ee94732a6acb50d9d6c835cf53af11068bd89ed207bbe04a1e951"
 
 inherit allarch
 
-- 
2.34.1


View/Reply Online (#184545): https://lists.openembedded.org/g/openembedded-core/message/184545



[OE-core][dunfell 06/13] tzdata: upgrade to 2023c

2023-07-18 Thread Steve Sakoman
From: Priyal Doshi 

Signed-off-by: Priyal Doshi 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-extended/timezone/timezone.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-extended/timezone/timezone.inc 
b/meta/recipes-extended/timezone/timezone.inc
index 1834665a1e..2960bfefe3 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
 LICENSE = "PD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
-PV = "2022g"
+PV = "2023c"
 
 SRC_URI =" 
http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode
 \

http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata
 \
@@ -14,5 +14,5 @@ SRC_URI =" 
http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz
 
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones";
 
-SRC_URI[tzcode.sha256sum] = 
"9610bb0b9656ff404c361a41f3286da53064b5469d84f00c9cb2314c8614da74"
-SRC_URI[tzdata.sha256sum] = 
"4491db8281ae94a84d939e427bdd83dc389f26764d27d9a5c52d782c16764478"
+SRC_URI[tzcode.sha256sum] = 
"46d17f2bb19ad73290f03a203006152e0fa0d7b11e5b71467c4a823811b214e7"
+SRC_URI[tzdata.sha256sum] = 
"3f510b5d1b4ae9bb38e485aa302a776b317fb3637bdb6404c4adf7b6cadd965c"
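Review bot: The new `SRC_URI[tzcode.sha256sum]` and `SRC_URI[tzdata.sha256sum]` values are the only integrity check on these tarballs, since the `SRC_URI` context lines fetch both over plain `http://`, and the commit message has no body. State in the message where the new checksums were verified (for example against the release signatures IANA publishes), and consider moving the URLs to https in a follow-up.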
-- 
2.34.1


View/Reply Online (#184543): https://lists.openembedded.org/g/openembedded-core/message/184543



[OE-core][dunfell 04/13] python3: fix CVE-2023-24329 urllib.parse url blocklisting bypass

2023-07-18 Thread Steve Sakoman
From: Vivek Kumbhar 

Signed-off-by: Vivek Kumbhar 
Signed-off-by: Steve Sakoman 
---
 .../python/python3/CVE-2023-24329.patch   | 80 +++
 .../recipes-devtools/python/python3_3.8.17.bb |  1 +
 2 files changed, 81 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2023-24329.patch

diff --git a/meta/recipes-devtools/python/python3/CVE-2023-24329.patch 
b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
new file mode 100644
index 00..23dec65602
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2023-24329.patch
@@ -0,0 +1,80 @@
+From 72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-isling...@users.noreply.github.com>
+Date: Sun, 13 Nov 2022 11:00:25 -0800
+Subject: [PATCH] gh-99418: Make urllib.parse.urlparse enforce that a scheme
+ must begin with an alphabetical ASCII character. (GH-99421)
+
+Prevent urllib.parse.urlparse from accepting schemes that don't begin with an 
alphabetical ASCII character.
+
+RFC 3986 defines a scheme like this: `scheme = ALPHA *( ALPHA / DIGIT / "+" / 
"-" / "." )`
+RFC 2234 defines an ALPHA like this: `ALPHA = %x41-5A / %x61-7A`
+
+The WHATWG URL spec defines a scheme like this:
+`"A URL-scheme string must be one ASCII alpha, followed by zero or more of 
ASCII alphanumeric, U+002B (+), U+002D (-), and U+002E (.)."`
+(cherry picked from commit 439b9cfaf43080e91c4ad69f312f21fa098befc7)
+
+Co-authored-by: Ben Kallus <49924171+kenbal...@users.noreply.github.com>
+
+Upstream-Status: Backport 
[https://github.com/python/cpython/commit/72d356e3584ebfb8e813a8e9f2cd3dccf233c0d9]
+CVE: CVE-2023-24329
+Signed-off-by: Vivek Kumbhar 
+---
+ Lib/test/test_urlparse.py  | 18 ++
+ Lib/urllib/parse.py|  2 +-
+ ...22-11-12-15-45-51.gh-issue-99418.FxfAXS.rst |  2 ++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 
Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+
+diff --git a/Lib/test/test_urlparse.py b/Lib/test/test_urlparse.py
+index 0ad3bf1..e1aa913 100644
+--- a/Lib/test/test_urlparse.py
 b/Lib/test/test_urlparse.py
+@@ -735,6 +735,24 @@ class UrlParseTestCase(unittest.TestCase):
+ with self.assertRaises(ValueError):
+ p.port
+
++def test_attributes_bad_scheme(self):
++"""Check handling of invalid schemes."""
++for bytes in (False, True):
++for parse in (urllib.parse.urlsplit, urllib.parse.urlparse):
++for scheme in (".", "+", "-", "0", "http&", "६http"):
++with self.subTest(bytes=bytes, parse=parse, 
scheme=scheme):
++url = scheme + "://www.example.net"
++if bytes:
++if url.isascii():
++url = url.encode("ascii")
++else:
++continue
++p = parse(url)
++if bytes:
++self.assertEqual(p.scheme, b"")
++else:
++self.assertEqual(p.scheme, "")
++
+ def test_attributes_without_netloc(self):
+ # This example is straight from RFC 3261.  It looks like it
+ # should allow the username, hostname, and port to be filled
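
Review bot: the scheme tuple in test_attributes_bad_scheme mixes two different rejection paths. ".", "+", "-", "0" and "६http" fail on their first character, which is what the parse.py change in this patch tests, but "http&" starts with an ASCII letter and so passes the new `url[0]` condition; its empty-scheme result depends on validation that is not part of this patch. A one-line comment saying so would stop a later reader from assuming the one-line fix covers that case. The bytes branch also skips "६http" through `continue`, so that input is only ever exercised as str.
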
+diff --git a/Lib/urllib/parse.py b/Lib/urllib/parse.py
+index 979e6d2..2e7a3e2 100644
+--- a/Lib/urllib/parse.py
 b/Lib/urllib/parse.py
+@@ -452,7 +452,7 @@ def urlsplit(url, scheme='', allow_fragments=True):
+ clear_cache()
+ netloc = query = fragment = ''
+ i = url.find(':')
+-if i > 0:
++if i > 0 and url[0].isascii() and url[0].isalpha():
+ if url[:i] == 'http': # optimize the common case
+ url = url[i+1:]
+ if url[:2] == '//':
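
Review bot: the new condition `if i > 0 and url[0].isascii() and url[0].isalpha():` enforces only the leading ALPHA of the RFC 3986 grammar quoted in the commit message; the `*( ALPHA / DIGIT / "+" / "-" / "." )` tail is not checked anywhere in this hunk. When the first character fails the test the whole scheme branch is skipped and the caller gets the default `scheme=''`, so code that compares `p.scheme` against a blocklist sees an empty scheme rather than an error. Since this backport carries the CVE-2023-24329 tag, the OE commit message should state which inputs the change covers (the NEWS entry names only a digit, a plus sign, or a minus sign) so the CVE is not recorded as patched on broader grounds than the diff supports.
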
+diff --git 
a/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst 
b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+new file mode 100644
+index 000..0a06e7c
+--- /dev/null
 b/Misc/NEWS.d/next/Library/2022-11-12-15-45-51.gh-issue-99418.FxfAXS.rst
+@@ -0,0 +1,2 @@
++Fix bug in :func:`urllib.parse.urlparse` that causes URL schemes that begin
++with a digit, a plus sign, or a minus sign to be parsed incorrectly.
+--
+2.25.1
diff --git a/meta/recipes-devtools/python/python3_3.8.17.bb 
b/meta/recipes-devtools/python/python3_3.8.17.bb
index ba5f564d8e..8c00d65794 100644
--- a/meta/recipes-devtools/python/python3_3.8.17.bb
+++ b/meta/recipes-devtools/python/python3_3.8.17.bb
@@ -34,6 +34,7 @@ SRC_URI = 
"http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-python3-Do-not-hardcode-lib-for-distutils.patch \

file://0020-configure.ac-setup.py-do-not-add-a-curses-include-pa.patch \
file://makerace.patch \
+   file://CVE-2023-24329.p
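
The grammar quoted in the commit message above, applied as a fail-closed allowlist check next to a fail-open blocklist check. This is an added example, not code from CPython or from the OE-core patch; `ALLOWED_SCHEMES`, `BLOCKED_SCHEMES` and all function names are assumptions made for the illustration, and the sample URLs reuse the schemes from the patch's test.

```python
import re

# RFC 3986 section 3.1: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
# ALPHA is ASCII-only (%x41-5A / %x61-7A). Without re.IGNORECASE the class
# [A-Za-z] in a str pattern matches exactly those code points.
_SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")

# Hypothetical policies, for this example only.
ALLOWED_SCHEMES = frozenset({"http", "https"})
BLOCKED_SCHEMES = frozenset({"file", "ftp"})

# Constructed sample input: the six invalid schemes from the patch's
# test_attributes_bad_scheme ("\u096c" is the Devanagari digit six),
# followed by well-formed URLs and a scheme-less string for contrast.
SAMPLE_URLS = [s + "://www.example.net"
               for s in (".", "+", "-", "0", "http&", "\u096chttp")]
SAMPLE_URLS += [
    "http://www.example.net",
    "HTTPS://www.example.net",
    "file:///tmp/report.txt",
    "www.example.net/no-scheme",
]


def strict_scheme(url):
    """Return the lower-cased scheme, or None when the text before the
    first ':' is not a complete match for the RFC 3986 scheme grammar."""
    if isinstance(url, bytes):
        try:
            url = url.decode("ascii")
        except UnicodeDecodeError:
            return None  # non-ASCII bytes can never form a valid scheme
    head, sep, _rest = url.partition(":")
    if not sep or _SCHEME_RE.fullmatch(head) is None:
        return None
    return head.lower()


def blocklist_permits(url):
    """Fail-open policy: anything not on the list passes, including input
    whose scheme could not be parsed at all (strict_scheme() is None)."""
    return strict_scheme(url) not in BLOCKED_SCHEMES


def allowlist_permits(url):
    """Fail-closed policy: only a well-formed, listed scheme passes."""
    scheme = strict_scheme(url)
    return scheme is not None and scheme in ALLOWED_SCHEMES


def audit(urls):
    """Return (url, scheme, blocklist_ok, allowlist_ok) for each input."""
    return [(u, strict_scheme(u), blocklist_permits(u), allowlist_permits(u))
            for u in urls]


if __name__ == "__main__":
    for url, scheme, blk, alw in audit(SAMPLE_URLS):
        print("%-36s scheme=%-8r blocklist=%-5s allowlist=%s"
              % (ascii(url), scheme, blk, alw))
```

Every malformed scheme passes the blocklist and is refused by the allowlist, which is why a policy keyed on the parsed scheme should be written as an allowlist.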

[OE-core][dunfell 05/13] qemu: backport Debian patch to fix CVE-2023-0330

2023-07-18 Thread Steve Sakoman
From: Vijay Anusuri 

import patch from ubuntu to fix
 CVE-2023-0330

Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches?h=ubuntu/focal-security
Upstream commit
https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]

Signed-off-by: Vijay Anusuri 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-0330.patch | 77 +++
 2 files changed, 78 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 8d6c4050f7..352277573b 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -137,6 +137,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://CVE-2021-3409-4.patch \
file://CVE-2021-3409-5.patch \
file://hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \
+   file://CVE-2023-0330.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
new file mode 100644
index 00..26e22b4c31
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,77 @@
+[Ubuntu note: remove fuzz-lsi53c895a-test.c changes since the file does not
+ exist for this release]
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth 
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+ controller (CVE-2023-0330)
+
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-th...@redhat.com>
+Reviewed-by: Stefan Hajnoczi 
+Reviewed-by: Alexander Bulekov 
+Signed-off-by: Thomas Huth 
+
+Reference: https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.27
+
+Upstream-Status: Backport [import from ubuntu 
https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2023-0330.patch?h=ubuntu/focal-security
+Upstream commit 
https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+Signed-off-by: Vijay Anusuri 
+---
+ hw/scsi/lsi53c895a.c   | 23 +++--
+ tests/qtest/fuzz-lsi53c895a-test.c | 33 ++
+ 2 files changed, 50 insertions(+), 6 deletions(-)
+
+--- qemu-4.2.orig/hw/scsi/lsi53c895a.c
 qemu-4.2/hw/scsi/lsi53c895a.c
+@@ -1135,15 +1135,24 @@ static void lsi_execute_script(LSIState
+ uint32_t addr, addr_high;
+ int opcode;
+ int insn_processed = 0;
++static int reentrancy_level;
++
++reentrancy_level++;
+ 
+ s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+-if (++insn_processed > LSI_MAX_INSN) {
+-/* Some windows drivers make the device spin waiting for a memory
+-   location to change.  If we have been executed a lot of code then
+-   assume this is the case and force an unexpected device disconnect.
+-   This is apparently sufficient to beat the drivers into submission.
+- */
++/*
++ * Some windows drivers make the device spin waiting for a memory location
++ * to change. If we have executed more than LSI_MAX_INSN instructions then
++ * assume this is the case and force an unexpected device disconnect. This
++ * is apparently sufficient to beat the drivers into submission.
++ *
++ * Another issue (CVE-2023-0330) can occur if the script is programmed to
++ * trigger itself again and again. Avoid this problem by stopping after
++ * being called multiple times in a reentrant way (8 is an arbitrary value
++ * which should be enough for all valid use cases).
++ */
++if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+ if (!(s->sien0 & LSI_SIST0_UDC)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+   "lsi_scsi: inf. loop with UDC masked");
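
Review bot: `static int reentrancy_level;` is function-scope static state, so the depth counter is shared by every lsi53c895a instance in the process instead of being kept per controller in `LSIState *s`. With more than one controller, nested calls that cross from one device to another all count against the same `reentrancy_level > 8` limit. Either move the counter into LSIState or extend the comment block to say why a single global count is acceptable.
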
+@@ -1597,6 +1606,8 @@ again:
+ }
+ }
+ trace_lsi_execute_script_stop();
++
++reentrancy_level--;
+ }
+ 
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)
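
Review bot: `reentrancy_level--;` is added only at the tail of lsi_execute_script(), after `trace_lsi_execute_script_stop();`, so the counter stays balanced only if every path through the function reaches this point. Because this file was imported from Ubuntu's patch set rather than rebased here, please confirm that the 4.2 source has no `return` between the increment and this line; a missed decrement would leave the static counter raised and make later, legitimate calls hit the `> 8` cutoff.
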
-- 
2.34.1


View/Reply Online (#184542): https://lists.openembedded.org/g/openembedded-core/message/184542

[OE-core][dunfell 03/13] curl: fix CVE-2023-28320 siglongjmp race condition may lead to crash

2023-07-18 Thread Steve Sakoman
From: Vivek Kumbhar 

Introduced by: 
https://github.com/curl/curl/commit/3c49b405de4fbf1fd7127f91908261268640e54f 
(curl-7_9_8)
Fixed by: 
https://github.com/curl/curl/commit/13718030ad4b3209a7583b4f27f683cd3a6fa5f2 
(curl-8_1_0)
Follow-up: 
https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3 
(curl-8_1_0)
https://curl.se/docs/CVE-2023-28320.html

Signed-off-by: Vivek Kumbhar 
Signed-off-by: Steve Sakoman 
---
 .../curl/curl/CVE-2023-28320-fol1.patch   | 197 ++
 .../curl/curl/CVE-2023-28320.patch|  86 
 meta/recipes-support/curl/curl_7.69.1.bb  |   2 +
 3 files changed, 285 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch 
b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
new file mode 100644
index 00..eaa6fdc327
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
@@ -0,0 +1,197 @@
+From f446258f0269a62289cca0210157cb8558d0edc3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg 
+Date: Tue, 16 May 2023 23:40:42 +0200
+Subject: [PATCH] hostip: include easy_lock.h before using
+ GLOBAL_INIT_IS_THREADSAFE
+
+Since that header file is the only place that define can be defined.
+
+Reported-by: Marc Deslauriers
+
+Follow-up to 13718030ad4b3209
+
+Closes #11121
+
+Upstream-Status: Backport 
[https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3]
+CVE: CVE-2023-28320
+Signed-off-by: Vivek Kumbhar 
+---
+ lib/easy_lock.h | 109 
+ lib/hostip.c|  10 ++---
+ lib/hostip.h|   9 
+ 3 files changed, 113 insertions(+), 15 deletions(-)
+ create mode 100644 lib/easy_lock.h
+
+diff --git a/lib/easy_lock.h b/lib/easy_lock.h
+new file mode 100644
+index 000..6399a39
+--- /dev/null
 b/lib/easy_lock.h
+@@ -0,0 +1,109 @@
++#ifndef HEADER_CURL_EASY_LOCK_H
++#define HEADER_CURL_EASY_LOCK_H
++/***
++ *  _   _   _
++ *  Project ___| | | |  _ \| |
++ * / __| | | | |_) | |
++ *| (__| |_| |  _ <| |___
++ * \___|\___/|_| \_\_|
++ *
++ * Copyright (C) Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***/
++
++#include "curl_setup.h"
++
++#define GLOBAL_INIT_IS_THREADSAFE
++
++#if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600
++
++#ifdef __MINGW32__
++#ifndef __MINGW64_VERSION_MAJOR
++#if (__MINGW32_MAJOR_VERSION < 5) || \
++(__MINGW32_MAJOR_VERSION == 5 && __MINGW32_MINOR_VERSION == 0)
++/* mingw >= 5.0.1 defines SRWLOCK, and slightly different from MS define */
++typedef PVOID SRWLOCK, *PSRWLOCK;
++#endif
++#endif
++#ifndef SRWLOCK_INIT
++#define SRWLOCK_INIT NULL
++#endif
++#endif /* __MINGW32__ */
++
++#define curl_simple_lock SRWLOCK
++#define CURL_SIMPLE_LOCK_INIT SRWLOCK_INIT
++
++#define curl_simple_lock_lock(m) AcquireSRWLockExclusive(m)
++#define curl_simple_lock_unlock(m) ReleaseSRWLockExclusive(m)
++
++#elif defined(HAVE_ATOMIC) && defined(HAVE_STDATOMIC_H)
++#include 
++#if defined(HAVE_SCHED_YIELD)
++#include 
++#endif
++
++#define curl_simple_lock atomic_int
++#define CURL_SIMPLE_LOCK_INIT 0
++
++/* a clang-thing */
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++#ifndef __INTEL_COMPILER
++/* The Intel compiler tries to look like GCC *and* clang *and* lies in its
++   __has_builtin() function, so override it. */
++
++/* if GCC on i386/x86_64 or if the built-in is present */
++#if ( (defined(__GNUC__) && !defined(__clang__)) && \
++  (defined(__i386__) || defined(__x86_64__))) ||\
++  __has_builtin(__builtin_ia32_pause)
++#define HAVE_BUILTIN_IA32_PAUSE
++#endif
++
++#endif
++
++static inline void curl_simple_lock_lock(curl_simple_lock *lock)
++{
++  for(;;) {
++if(!atomic_exchange_explicit(lock, true, memory_order_acquire))
++  break;
++/* Reduce cache coherency traffic */
++while(atomic_load_explicit(lock, memory_order_relaxed)) {
++  /* Reduce load (not mandatory) */
++#ifdef HAVE_BUILTIN_IA32_PAUSE
++  __builtin_ia32_pause();
++#elif defined
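
Review bot: this new lib/easy_lock.h picks its lock implementation from `HAVE_ATOMIC`, `HAVE_STDATOMIC_H` and `HAVE_SCHED_YIELD`, but the diffstat for this backport touches only lib/easy_lock.h, lib/hostip.c and lib/hostip.h, with no configure or build-system change. Please confirm that curl 7.69.1's configure actually defines those macros; if it does not, the atomic branch is never compiled and the lock falls through to whichever branch follows. `#define GLOBAL_INIT_IS_THREADSAFE` is also set near the top, before any of the platform checks, so it is worth checking that the define is withdrawn on a target where no lock branch matches and stating the result in the commit message.
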

[OE-core][dunfell 02/13] go: Fix CVE-2023-29400

2023-07-18 Thread Steve Sakoman
From: Ashish Sharma 

emit filterFailsafe for empty unquoted attr
value

Signed-off-by: Ashish Sharma 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/go/go-1.14.inc  |  1 +
 .../go/go-1.14/CVE-2023-29400.patch   | 94 +++
 2 files changed, 95 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch

diff --git a/meta/recipes-devtools/go/go-1.14.inc 
b/meta/recipes-devtools/go/go-1.14.inc
index ea7b9ea80f..33b53b1a34 100644
--- a/meta/recipes-devtools/go/go-1.14.inc
+++ b/meta/recipes-devtools/go/go-1.14.inc
@@ -67,6 +67,7 @@ SRC_URI += "\
 file://CVE-2023-29405-2.patch \
 file://CVE-2023-29402.patch \
 file://CVE-2023-29404.patch \
+file://CVE-2023-29400.patch \
 "
 
 SRC_URI_append_libc-musl = " 
file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch"
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch 
b/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch
new file mode 100644
index 00..092c7aa0ff
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch
@@ -0,0 +1,94 @@
+From 0d347544cbca0f42b160424f6bc2458ebcc7b3fc Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker 
+Date: Thu, 13 Apr 2023 14:01:50 -0700
+Subject: [PATCH] html/template: emit filterFailsafe for empty unquoted attr
+ value
+
+An unquoted action used as an attribute value can result in unsafe
+behavior if it is empty, as HTML normalization will result in unexpected
+attributes, and may allow attribute injection. If executing a template
+results in a empty unquoted attribute value, emit filterFailsafe
+instead.
+
+Thanks to Juho Nurminen of Mattermost for reporting this issue.
+
+Fixes #59722
+Fixes CVE-2023-29400
+
+Change-Id: Ia38d1b536ae2b4af5323a6c6d861e3c057c2570a
+Reviewed-on: 
https://team-review.git.corp.google.com/c/golang/go-private/+/1826631
+Reviewed-by: Julie Qiu 
+Run-TryBot: Roland Shoemaker 
+Reviewed-by: Damien Neil 
+Reviewed-on: https://go-review.googlesource.com/c/go/+/491617
+Run-TryBot: Carlos Amedee 
+Reviewed-by: Dmitri Shuralyov 
+Reviewed-by: Dmitri Shuralyov 
+TryBot-Result: Gopher Robot 
+
+Upstream-Status: Backport from 
[https://github.com/golang/go/commit/0d347544cbca0f42b160424f6bc2458ebcc7b3fc]
+CVE: CVE-2023-29400
+Signed-off-by: Ashish Sharma 
+---
+ src/html/template/escape.go  |  5 ++---
+ src/html/template/escape_test.go | 15 +++
+ src/html/template/html.go|  3 +++
+ 3 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/src/html/template/escape.go b/src/html/template/escape.go
+index 4ba1d6b31897e..a62ef159f0dcd 100644
+--- a/src/html/template/escape.go
 b/src/html/template/escape.go
+@@ -382,9 +382,8 @@ func normalizeEscFn(e string) string {
+ // for all x.
+ var redundantFuncs = map[string]map[string]bool{
+   "_html_template_commentescaper": {
+-  "_html_template_attrescaper":true,
+-  "_html_template_nospaceescaper": true,
+-  "_html_template_htmlescaper":true,
++  "_html_template_attrescaper": true,
++  "_html_template_htmlescaper": true,
+   },
+   "_html_template_cssescaper": {
+   "_html_template_attrescaper": true,
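
Review bot: dropping `"_html_template_nospaceescaper": true,` from the `_html_template_commentescaper` entry of redundantFuncs is not mentioned in the commit message, which only describes the change to htmlNospaceEscaper. A sentence on why the nospace escaper must no longer be treated as redundant after the comment escaper would make the dependency between this hunk and the html.go hunk explicit for anyone re-backporting the fix.
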
+diff --git a/src/html/template/escape_test.go 
b/src/html/template/escape_test.go
+index 3dd212bac9406..f8b2b448f2dfa 100644
+--- a/src/html/template/escape_test.go
 b/src/html/template/escape_test.go
+@@ -678,6 +678,21 @@ func TestEscape(t *testing.T) {
+   ``,
+   ``,
+   },
++  {
++  "unquoted empty attribute value (plaintext)",
++  "",
++  "",
++  },
++  {
++  "unquoted empty attribute value (url)",
++  "",
++  "",
++  },
++  {
++  "quoted empty attribute value",
++  "",
++  "",
++  },
+   }
+ 
+   for _, test := range tests {
+diff --git a/src/html/template/html.go b/src/html/template/html.go
+index bcca0b51a0ef9..a181699a5bda8 100644
+--- a/src/html/template/html.go
 b/src/html/template/html.go
+@@ -14,6 +14,9 @@ import (
+ // htmlNospaceEscaper escapes for inclusion in unquoted attribute values.
+ func htmlNospaceEscaper(args ...interface{}) string {
+   s, t := stringify(args...)
++  if s == "" {
++  return filterFailsafe
++  }
+   if t == contentTypeHTML {
+   return htmlReplacer(stripTags(s), 
htmlNospaceNormReplacementTable, false)
+   }
+
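
Review bot: the new `if s == ""` test in htmlNospaceEscaper runs on the raw string, before the `contentTypeHTML` branch calls `stripTags(s)`. A value that is non-empty at this point but reduces to nothing once tags are stripped would still be emitted as an empty unquoted attribute value, which is the case the commit message sets out to prevent. Consider applying the check to the escaped result as well, or add a case to escape_test.go that shows this path is covered.
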
-- 
2.34.1


View/Reply Online (#184539): https://lists.openembedded.org/g/openembedded-core/message/184539

[OE-core][dunfell 00/13] Patch review

2023-07-18 Thread Steve Sakoman
Please review this set of changes for dunfell and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5614

The following changes since commit b3fc8ef9aba822b3d485242c8ebd0e0bff0ebfc8:

  cve-update-nvd2-native: actually use API keys (2023-07-13 06:54:58 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Alexander Kanavin (2):
  linux-firmware: upgrade 20230404 -> 20230515
  wireless-regdb: upgrade 2023.02.13 -> 2023.05.03

Anthony Bagwell (1):
  kernel-fitimage: fix dtbo support for fit images

Ashish Sharma (1):
  go: Fix CVE-2023-29400

Deepthi Hemraj (1):
  glibc: stable 2.31 branch updates.

Nikhil R (1):
  libpng: Add ptest for libpng

Poonam Jadhav (1):
  libx11: Fix CVE-2023-3138 for dunfell branch

Priyal Doshi (1):
  tzdata: upgrade to 2023c

Tom Hochstein (1):
  cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK

Trevor Gamblin (1):
  vim: upgrade 9.0.1527 -> 9.0.1592

Vijay Anusuri (1):
  qemu: backport Debian patch to fix CVE-2023-0330

Vivek Kumbhar (2):
  curl: fix CVE-2023-28320 siglongjmp race condition may lead to crash
  python3: fix CVE-2023-24329 urllib.parse url blocklisting bypass

 meta/classes/kernel-fitimage.bbclass  |   2 +-
 .../distro/include/ptest-packagelists.inc |   1 +
 meta/recipes-core/glibc/glibc-version.inc |   2 +-
 .../cmake/cmake/OEToolchainConfig.cmake   |   5 +-
 meta/recipes-devtools/go/go-1.14.inc  |   1 +
 .../go/go-1.14/CVE-2023-29400.patch   |  94 +
 .../python/python3/CVE-2023-24329.patch   |  80 +++
 .../recipes-devtools/python/python3_3.8.17.bb |   1 +
 meta/recipes-devtools/qemu/qemu.inc   |   1 +
 .../qemu/qemu/CVE-2023-0330.patch |  77 +++
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../xorg-lib/libx11/CVE-2023-3138.patch   | 111 ++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |   1 +
 ...20230404.bb => linux-firmware_20230515.bb} |   4 +-
 02.13.bb => wireless-regdb_2023.05.03.bb} |   2 +-
 .../recipes-multimedia/libpng/files/run-ptest |  29 +++
 .../libpng/libpng_1.6.37.bb   |  15 +-
 .../curl/curl/CVE-2023-28320-fol1.patch   | 197 ++
 .../curl/curl/CVE-2023-28320.patch|  86 
 meta/recipes-support/curl/curl_7.69.1.bb  |   2 +
 meta/recipes-support/vim/vim.inc  |   4 +-
 21 files changed, 705 insertions(+), 16 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.14/CVE-2023-29400.patch
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2023-24329.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230404.bb => 
linux-firmware_20230515.bb} (99%)
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.02.13.bb => 
wireless-regdb_2023.05.03.bb} (94%)
 create mode 100644 meta/recipes-multimedia/libpng/files/run-ptest
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320.patch

-- 
2.34.1


View/Reply Online (#184537): https://lists.openembedded.org/g/openembedded-core/message/184537



[OE-core][dunfell 01/13] libx11: Fix CVE-2023-3138 for dunfell branch

2023-07-18 Thread Steve Sakoman
From: Poonam Jadhav 

Add patch to fix CVE-2023-3138 for dunfell branch

Link: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch

Signed-off-by: Poonam Jadhav 
Signed-off-by: Steve Sakoman 
---
 .../xorg-lib/libx11/CVE-2023-3138.patch   | 111 ++
 .../recipes-graphics/xorg-lib/libx11_1.6.9.bb |   1 +
 2 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
new file mode 100644
index 00..c724cf8fdd
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
@@ -0,0 +1,111 @@
+From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith 
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
+ error codes
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK 
+Signed-off-by: Alan Coopersmith 
+
+CVE: CVE-2023-3138
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch]
+Signed-off-by: Poonam Jadhav 
+---
+ src/InitExt.c | 42 ++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f15..afc00a6b 100644
+--- a/src/InitExt.c
 b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+ #include 
+ #include 
+ 
++/* The X11 protocol spec reserves events 64 through 127 for extensions */
++#ifndef LastExtensionEvent
++#define LastExtensionEvent 127
++#endif
++
++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
++#ifndef LastExtensionRequest
++#define FirstExtensionRequest 128
++#define LastExtensionRequest 255
++#endif
++
++
+ /*
+  * This routine is used to link a extension in so it will be called
+  * at appropriate times.
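
Review bot: `FirstExtensionRequest` is defined inside the `#ifndef LastExtensionRequest` guard, so if a header ever supplies LastExtensionRequest on its own, FirstExtensionRequest stays undefined and the checks added further down stop compiling. Give it its own `#ifndef FirstExtensionRequest`. The last function touched by this patch also tests against `LastExtensionError`, which is not defined in this block; a comment naming the header it comes from would help.
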
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+   WireToEventType proc)   /* routine to call when converting event */
+ {
+   register WireToEventType oldproc;
++  if (event_number < 0 ||
++  event_number > LastExtensionEvent) {
++  fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++  event_number);
++  return (WireToEventType)_XUnknownWireEvent;
++  }
+   if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+   LockDisplay (dpy);
+   oldproc = dpy->event_vec[event_number];
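
Review bot: the range check `event_number < 0 || event_number > LastExtensionEvent` accepts 0 through 127, while the comment added at the top of the file says the protocol reserves 64 through 127 for extensions. That keeps the write inside `dpy->event_vec`, but it still lets a caller replace the converter for a core event number below 64. If that is intentional, say so in a comment; if not, the lower bound should be 64. The rejected case also returns `_XUnknownWireEvent`, the same default the function installs when proc is NULL, so the return value alone does not signal the refusal and callers have only the stderr message to go on.
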
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+ )
+ {
+   WireToEventCookieType oldproc;
++  if (extension < FirstExtensionRequest ||
++  extension > LastExtensionRequest) {
++  fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++  extension);
++  return (WireToEventCookieType)_XUnknownWireEventCookie;
++  }
+   if (proc == NULL) proc = 
(WireToEventCookieType)_XUnknownWireEventCookie;
+   LockDisplay (dpy);
+   oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+ )
+ {
+   CopyEventCookieType oldproc;
++  if (extension < FirstExtensionRequest ||
++  extension > LastExtensionRequest) {
++  fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++  extension);
++  return (CopyEventCookieType)_XUnknownCopyEventCookie;
++  }
+   if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+   LockDisplay (dpy);
+   oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+   EventToWireType proc)   /* routine to call when converting event */
+ {
+   register EventToWireType oldproc;
++  if (event_number < 0 ||
++  event_number > LastExtensionEvent) {
++  fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++  event_number);
++  return (EventToWireType)_XUnknownNativeEvent;
++  }
+   if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+   LockDisplay (dpy);
+   oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
+   WireToErrorType proc)   /* routine to call when converting error */
+ {
+   register WireToErrorType oldproc = NULL;
++  if (error_number < 0 ||
++  error_number > LastExtensionError) {
++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
++  error_number);
++ return (WireToErrorType)_XDefaultWir

[OE-core][PATCH] diffoscope: upgrade 243 -> 244

2023-07-18 Thread Trevor Gamblin
Changelog: https://diffoscope.org/news/diffoscope-244-released/

* Address compatibility with python-libarchive-c version 5.
  (Closes: reproducible-builds/diffoscope#344)
* Testsuite changes:
  - Mark that test_dex::test_javap_14_differences requires procyon.
  - Fix "test skipped" textual reason generation in the case of a required
version being outside of the required range.
  - Temporarily mark some Android-related as XFAIL due to Debian bugs
#1040941 and #1040916.

Signed-off-by: Trevor Gamblin 
---
 .../diffoscope/{diffoscope_243.bb => diffoscope_244.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/diffoscope/{diffoscope_243.bb => 
diffoscope_244.bb} (92%)

diff --git a/meta/recipes-support/diffoscope/diffoscope_243.bb 
b/meta/recipes-support/diffoscope/diffoscope_244.bb
similarity index 92%
rename from meta/recipes-support/diffoscope/diffoscope_243.bb
rename to meta/recipes-support/diffoscope/diffoscope_244.bb
index a73ad6da9e..7500eae132 100644
--- a/meta/recipes-support/diffoscope/diffoscope_243.bb
+++ b/meta/recipes-support/diffoscope/diffoscope_244.bb
@@ -12,7 +12,7 @@ PYPI_PACKAGE = "diffoscope"
 
 inherit pypi setuptools3
 
-SRC_URI[sha256sum] = 
"3ce7ff00d72ffd9c904d1d93a4a147208878f56e8f0286073533615689d840b1"
+SRC_URI[sha256sum] = 
"8bee8bbb144cdb7ddfa21886d5ce180139241c9a53def09b4adc3340db93"
 
 RDEPENDS:${PN} += "binutils vim squashfs-tools python3-libarchive-c 
python3-magic python3-rpm"
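
Review bot: the new `SRC_URI[sha256sum]` value as it appears in this hunk is 60 hexadecimal characters long, where the value it replaces is 64, the length of a SHA-256 digest. With a short value the fetcher's checksum comparison cannot match the tarball. Please re-check it against the digest published for the diffoscope 244 sdist and resend if it was truncated.
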
 
-- 
2.41.0


View/Reply Online (#184536): https://lists.openembedded.org/g/openembedded-core/message/184536



Re: [OE-core] Toolchain test results

2023-07-18 Thread Steve Sakoman
On Mon, Jul 17, 2023 at 11:14 PM Richard Purdie
 wrote:
>
> [Anuj/Steve/Ross - questions below!]
>
> I thought I'd share a summary of the recent toolchain test
> changes/work. We can see the "baseline" from the 4.2 test report:
>
> https://downloads.yoctoproject.org/releases/yocto/milestones/yocto-4.2_M3/testresults/testresult-report.txt
>
> showing that we run 2.9 million tests (2946881) with 174470 failures.
>
> Once we noticed qemuarm64 toolchain test results were showing ~125,000
> failures and had done since the 3.4 release, Ross was able to find and
> fix it:
>
> https://git.yoctoproject.org/poky/commit/?id=b0f1ab9810d87960d2753b0fe78039b874fd15fd
> https://git.yoctoproject.org/poky/commit/?id=af39b83e58ec159a9a13d85067c2595535442566
>
> Thanks Ross (even if you did break it too! :)
>
> I've also merged:
>
> https://git.yoctoproject.org/poky/commit/?id=c94fd2737e7e341188c8c41d911f1c60240088a2
>
> which takes care of many of the qemuppc failures.
>
> This brings the report down to:
>
> https://autobuilder.yocto.io/pub/non-release/20230717-18/testresults/testresult-report.txt
>
> so 3229355 tests and 15496 failures.
>
> qemuarm has ~350 failures
> qemuarm64 has ~350 failures
> qemux86-64 has ~4000 (3900 in glibc)
> qemux86 has ~4000 (3500 in glibc)
> qemuppc has ~600 failures
> qemumips64 has ~5000 failures (all over)
> qemumips has ~1600 failures
>
> We could also do with understanding the qemuarm64 ltp syscall failures.
> The other ltp failures look the same for x86 and arm.
>
> Anuj: Can Intel look into the glibc test failures on x86?
> Steve: Can we backport those patches to kirkstone/mickledore?

Yes, I've got them in my test queue for both kirkstone/mickledore.

Steve

> Ross: Can ARM look into the ltp syscall issue?
>
> Is anyone else interested/able to help in cleaning up these results a
> bit further? Once we have a good baseline, it will make it much easier to
> look for and spot regressions.
>
> Cheers,
>
> Richard

View/Reply Online (#184535): https://lists.openembedded.org/g/openembedded-core/message/184535



[oe-core][mickledore][PATCH 1/1] qemu: fix CVE-2023-0330

2023-07-18 Thread Polampalli, Archana via lists.openembedded.org
A vulnerability in the lsi53c895a device affects the latest version
of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption
bugs like stack overflow or use-after-free.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-0330

Upstream patches:
https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75

Signed-off-by: Archana Polampalli 
---
 meta/recipes-devtools/qemu/qemu.inc   |  1 +
 .../qemu/qemu/CVE-2023-0330.patch | 75 +++
 2 files changed, 76 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc 
b/meta/recipes-devtools/qemu/qemu.inc
index 4c9be91cb0..15eba6163f 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -36,6 +36,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://qemu-guest-agent.init \
file://qemu-guest-agent.udev \
file://ppc.patch \
+  file://CVE-2023-0330.patch \
"
 UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar"
 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch 
b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
new file mode 100644
index 00..f609ea29b4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
@@ -0,0 +1,75 @@
+From b987718bbb1d0eabf95499b976212dd5f0120d75 Mon Sep 17 00:00:00 2001
+From: Thomas Huth 
+Date: Mon, 22 May 2023 11:10:11 +0200
+Subject: [PATCH] hw/scsi/lsi53c895a: Fix reentrancy issues in the LSI
+ controller (CVE-2023-0330)
+
+We cannot use the generic reentrancy guard in the LSI code, so
+we have to manually prevent endless reentrancy here. The problematic
+lsi_execute_script() function has already a way to detect whether
+too many instructions have been executed - we just have to slightly
+change the logic here that it also takes into account if the function
+has been called too often in a reentrant way.
+
+The code in fuzz-lsi53c895a-test.c has been taken from an earlier
+patch by Mauro Matteo Cascella.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1563
+Message-Id: <20230522091011.1082574-1-th...@redhat.com>
+Reviewed-by: Stefan Hajnoczi 
+Reviewed-by: Alexander Bulekov 
+Signed-off-by: Thomas Huth 
+
+Upstream-Status: Backport 
[https://gitlab.com/qemu-project/qemu/-/commit/b987718bbb1d0eabf95499b976212dd5f0120d75]
+CVE: CVE-2023-0330
+
+Signed-off-by: Archana Polampalli 
+---
+ hw/scsi/lsi53c895a.c   | 23 +++--
+ tests/qtest/fuzz-lsi53c895a-test.c | 33 ++
+ 2 files changed, 50 insertions(+), 6 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 048436352b7a..f7d45b0b20fb 100644
+--- a/hw/scsi/lsi53c895a.c
 b/hw/scsi/lsi53c895a.c
+@@ -1134,15 +1134,24 @@ static void lsi_execute_script(LSIState *s)
+ uint32_t addr, addr_high;
+ int opcode;
+ int insn_processed = 0;
++static int reentrancy_level;
++
++reentrancy_level++;
+
+ s->istat1 |= LSI_ISTAT1_SRUN;
+ again:
+-if (++insn_processed > LSI_MAX_INSN) {
+-/* Some windows drivers make the device spin waiting for a memory
+-   location to change.  If we have been executed a lot of code then
+-   assume this is the case and force an unexpected device disconnect.
+-   This is apparently sufficient to beat the drivers into submission.
+- */
++/*
++ * Some windows drivers make the device spin waiting for a memory location
++ * to change. If we have executed more than LSI_MAX_INSN instructions then
++ * assume this is the case and force an unexpected device disconnect. This
++ * is apparently sufficient to beat the drivers into submission.
++ *
++ * Another issue (CVE-2023-0330) can occur if the script is programmed to
++ * trigger itself again and again. Avoid this problem by stopping after
++ * being called multiple times in a reentrant way (8 is an arbitrary value
++ * which should be enough for all valid use cases).
++ */
++if (++insn_processed > LSI_MAX_INSN || reentrancy_level > 8) {
+ if (!(s->sien0 & LSI_SIST0_UDC)) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+   "lsi_scsi: inf. loop with UDC masked");
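Review bot: reentrancy_level is declared as a function-local static in lsi_execute_script(), so the depth count is shared by every LSIState in the process instead of being tracked per controller; nested calls that cross between two lsi53c895a devices count against the same limit of 8. Keeping the counter as a field in LSIState would scope it to the device whose script is re-entering itself. The literal 8 in the condition would also read better as a named constant next to LSI_MAX_INSN, since the comment already describes it as an arbitrary, tunable value.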
+@@ -1596,6 +1605,8 @@ static void lsi_execute_script(LSIState *s)
+ }
+ }
+ trace_lsi_execute_script_stop();
++
++reentrancy_level--;
+ }
+
+ static uint8_t lsi_reg_readb(LSIState *s, int offset)
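Review bot: the matching reentrancy_level-- sits only at the very end of lsi_execute_script(), after trace_lsi_execute_script_stop(), so the accounting is correct only while every path through the function falls through to this point. Because the counter is static, an early return added later between the increment and this line would leave it elevated for good, and the limit check would then fire on every call. A short comment at the decrement stating that the function must keep a single exit would protect that invariant.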
-- 
2.40.0



[OE-core] Yocto Project Status 18 July 2023 (WW29)

2023-07-18 Thread Stephen Jolley
Current Dev Position: YP 4.3 M2

Next Deadline: 17th July 2023 YP 4.3 M2 build date

 

Next Team Meetings:

*   Bug Triage meeting Thursday July 20th 7:30 am PDT (https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
*   Weekly Project Engineering Sync Tuesday July 18th at 8 am PDT (https://zoom.us/j/990892712?pwd=cHU1MjhoM2x6ck81bkcrYjRrcmJsUT09)
*   Twitch - See https://www.twitch.tv/theyoctojester

 

Key Status/Updates:

*   YP 4.2.2 is due to be released
*   YP 4.3 M2 is due to build this week
*   Our toolchain test results showed high failure rates for qemuarm64
and qemuppc. Three patches have merged removing ~210,000 failures taking the
overall failure count to 15,000 in 3,200,000 tests. There is a summary on
the OE-Core mailing list:
https://lists.openembedded.org/g/openembedded-core/message/184498

*   There have been further ptest-runner issues so further patches are
in testing
*   The 6.4 kernel has merged but is not the default yet as various
issues are resolved
*   We're considering switching to a pre-release version of autoconf due
to improvements in largefile/64 bit time support.
*   We have an open request for quotation for several engineering
tasks/projects:
https://www.yoctoproject.org/community/yocto-project-engineering-request-for-quotation/

The document has an update added to the end and the RFQ closes on 24th July.

 

Ways to contribute:

*   As people are likely aware, the project has a number of components
which are either unmaintained, or have people with little to no time trying
to keep them alive. These components include: patchtest, layerindex,
devtool, toaster, wic, oeqa, autobuilder, CROPs containers, pseudo and more.
Many have open bugs. Help is welcome in trying to better look after these
components!
*   There are bugs identified as possible for newcomers to the project:
https://wiki.yoctoproject.org/wiki/Newcomers
*   There are bugs that are currently unassigned for YP 4.3. See:
https://wiki.yoctoproject.org/wiki/Bug_Triage#Medium.2B_4.3_Unassigned_Enhancements.2FBugs
*   We'd welcome new maintainers for recipes in OE-Core. Please see the
list at:
http://git.yoctoproject.org/cgit.cgi/poky/tree/meta/conf/distro/include/maintainers.inc
and discuss with the existing maintainer, or ask on the OE-Core
mailing list. We will likely move a chunk of these to "Unassigned" soon to
help facilitate this.
*   Help is very much welcome in trying to resolve our autobuilder
intermittent issues. You can see the list of failures we're continuing to
see by searching for the "AB-INT" tag in bugzilla:
https://bugzilla.yoctoproject.org/buglist.cgi?quicksearch=AB-INT.
*   Help us resolve CVE issues:
 CVE metrics 
*   We have a growing number of bugs in bugzilla, any help with them is
appreciated.

 

YP 4.3 Milestone Dates:

*   YP 4.3 M2 build date  2023/07/17
*   YP 4.3 M2 Release date 2023/07/28
*   YP 4.3 M3 build date  2023/08/28
*   YP 4.3 M3 Release date 2023/09/08
*   YP 4.3 M4 build date  2023/10/02
*   YP 4.3 M4 Release date 2023/10/27

 

Upcoming dot releases:

*   YP 4.2.2 is ready for release
*   YP 3.1.27 build date 2023/07/31
*   YP 3.1.27 Release date 2023/08/11
*   YP 4.0.12 build date 2023/08/07
*   YP 4.0.12 Release date 2023/08/18
*   YP 4.2.3 build date 2023/08/28
*   YP 4.2.3 Release date 2023/09/08
*   YP 3.1.28 build date 2023/09/18
*   YP 3.1.28 Release date 2023/09/29
*   YP 4.0.13 build date 2023/09/25
*   YP 4.0.13 Release date 2023/10/06
*   YP 3.1.29 build date 2023/10/30
*   YP 3.1.29 Release date 2023/11/10
*   YP 4.0.14 build date 2023/11/06
*   YP 4.0.14 Release date 2023/11/17
*   YP 4.2.4 build date 2023/11/13
*   YP 4.2.4 Release date 2023/11/24
*   YP 3.1.30 build date 2023/12/11
*   YP 3.1.30 Release date 2023/12/22
*   YP 4.0.15 build date 2023/12/18
*   YP 4.0.15 Release date 2023/12/29

 

Tracking Metrics:

*   WDD 2477 (last week 2479) (https://wiki.yoctoproject.org/charts/combo.html)
*   OE-Core/Poky Patch Metrics

*   Total patches found: 1146 (last week 1142)
*   Patches in the Pen

Re: [OE-core] [mickledore][PATCH 0/1] Cherry pick commit from master to update webkitgtk to 2.40.2

2023-07-18 Thread Steve Sakoman
On Mon, Jul 17, 2023 at 1:20 PM Randy MacLeod
 wrote:
>
> On 2023-07-17 12:09, Steve Sakoman via lists.openembedded.org wrote:
>
> On Sun, Jul 16, 2023 at 3:34 PM Kai  wrote:
>
> On 7/14/23 15:15, Kai Kang wrote:
>
> From: Kai Kang 
>
> Hi,
>
> I've discussed with webkitgtk maintainers about api compatible issues on
>
> https://lists.webkit.org/pipermail/webkit-gtk/2023-March/003887.html
>
> WebKitGTK 2.38.x is backwards compatible with 2.36.x, you can safely update
>
> without needing to change applications. In general, we always keep the API and
> ABI backwards compatible.
>
> Note that the current stable releases (2.40.x) introduce a new API level
> when using GTK4, but I suppose this is not a problem because most likely you
> are still using GTK3
>
>
> I suggest we apply the update in mickledore too which solves lots of
> CVEs.
>
> Hi Steve,
>
> I have no idea why the cover-letter is not in the same thread with the
> patch.
>
> So according to the reply from webkitgtk maintainer, would you like to
> re-consider
> to cherry-pick the commit to mickledore, please?
>
> Sorry, still not possible, this is a major release bump that adds
> features and APIs.  Please see:
>
> https://wpewebkit.org/release/wpewebkit-2.40.0.html
>
> We do need to be careful but upstream is saying that:
>
>   "WebKitGTK 2.40.x is backwards-compatible as well and that will remain true 
> indefinitely,
>as long as you continue to build the same API version [2]. "
>
> I'd like a simple way to measure if that's true but I'm not sure one exists.
>
> Kai,
>
> Have you looked at the source diff to understand how upstream is able to 
> introduce
> a new API yet enable building the old one?
>
>
> Kai, Steve,
>
> Should we investigate using the flags suggested:
>"is still possible to build the old 1.0 API using -USE_SOUP2=ON, or the 
> 1.1 API using -DENABLE_WPE_1_1_API=ON. "
>   -- https://wpewebkit.org/release/wpewebkit-2.40.0.html

I'm wrangling patches for the three stable branches with releases
every 1-2 weeks, so I really don't have the cycles to investigate
this.

> or do we really have to backport patches to 2.38.x ?

A version bump of this type (with the addition of features and APIs)
is outside the scope of allowed updates for stable branches.  As such,
it would require TSC approval.

So the two options are to either backport CVE fixes or take the issue
to the TSC.

Steve

> Alexander Kanavin (1):
>webkitgtk: update 2.38.5 -> 2.40.2
>
>   meta/recipes-gnome/epiphany/epiphany_43.1.bb  |  3 ++
>   ...tCore-CMakeLists.txt-ensure-reproduc.patch | 28 +
>   ...44e17d258106617b0e6d783d073b188a2548.patch | 42 ---
>   ...290ab4ab35258a6da9b13795c9b0f7894bf4.patch | 41 ++
>   ...bb461f040b90453bc4e100dcf967243ecd98.patch | 30 -
>   ...ebkitgtk_2.38.5.bb => webkitgtk_2.40.2.bb} | 15 +--
>   6 files changed, 111 insertions(+), 48 deletions(-)
>   create mode 100644 
> meta/recipes-sato/webkit/webkitgtk/0001-Source-JavaScriptCore-CMakeLists.txt-ensure-reproduc.patch
>   create mode 100644 
> meta/recipes-sato/webkit/webkitgtk/4977290ab4ab35258a6da9b13795c9b0f7894bf4.patch
>   delete mode 100644 
> meta/recipes-sato/webkit/webkitgtk/d318bb461f040b90453bc4e100dcf967243ecd98.patch
>   rename meta/recipes-sato/webkit/{webkitgtk_2.38.5.bb => 
> webkitgtk_2.40.2.bb} (90%)
>
>
>
>
> --
> Kai Kang
> Wind River Linux
>
>
> 
>
>
> --
> # Randy MacLeod
> # Wind River Linux




[OE-core][kirkstone 27/27] cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK

2023-07-18 Thread Steve Sakoman
From: Tom Hochstein 

When building using an SDK, cmake complains that the target
architecture 'cortexa53-crypto' is unknown. The same build in bitbake
uses the target architecture 'aarch64'.

Set CMAKE_SYSTEM_PROCESSOR the same as for bitbake.

Signed-off-by: Tom Hochstein 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
(cherry picked from commit d32a6225eefce2073a1cd401034b5b4c68351bfe)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake 
b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
index 3ddef12c83..d6a1e0464c 100644
--- a/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
+++ b/meta/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake
@@ -11,10 +11,7 @@ set( CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY )
 
 set(CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX 
"$ENV{OE_CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX}")
 
-# Set CMAKE_SYSTEM_PROCESSOR from the sysroot name (assuming 
processor-distro-os).
-if ($ENV{SDKTARGETSYSROOT} MATCHES "/sysroots/([a-zA-Z0-9_-]+)-.+-.+")
-  set(CMAKE_SYSTEM_PROCESSOR ${CMAKE_MATCH_1})
-endif()
+set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} )
 
 # Include the toolchain configuration subscripts
 file( GLOB toolchain_config_files "${CMAKE_CURRENT_LIST_FILE}.d/*.cmake" )
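Review bot: the new set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} ) has no guard for the environment variable being unset, where the removed code only assigned inside its if(). If the toolchain file is loaded without the SDK environment script having exported OECORE_TARGET_ARCH, CMAKE_SYSTEM_PROCESSOR ends up empty or unset instead of being left alone. Wrapping the set() in if(DEFINED ENV{OECORE_TARGET_ARCH}), or failing with message(FATAL_ERROR ...) when it is missing, would make that case visible. The explanatory comment was removed with the old logic; a one-line comment saying where OECORE_TARGET_ARCH comes from would help the next reader.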
-- 
2.34.1





[OE-core][kirkstone 26/27] wic: Add dependencies for erofs-utils

2023-07-18 Thread Steve Sakoman
From: Heiko Thole 

In order to build erofs filesystems, wic must have the erofs-utils package 
installed into its sysroot.

Signed-off-by: Heiko Thole 
Signed-off-by: Steve Sakoman 
---
 meta/classes/image_types_wic.bbclass | 2 +-
 meta/recipes-core/meta/wic-tools.bb  | 2 +-
 scripts/lib/wic/misc.py  | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/meta/classes/image_types_wic.bbclass 
b/meta/classes/image_types_wic.bbclass
index 6453dd1b74..8497916d48 100644
--- a/meta/classes/image_types_wic.bbclass
+++ b/meta/classes/image_types_wic.bbclass
@@ -83,7 +83,7 @@ do_image_wic[recrdeptask] += "do_deploy"
 do_image_wic[deptask] += "do_image_complete"
 
 WKS_FILE_DEPENDS_DEFAULT = '${@bb.utils.contains_any("BUILD_ARCH", [ 'x86_64', 
'i686' ], "syslinux-native", "",d)}'
-WKS_FILE_DEPENDS_DEFAULT += "bmap-tools-native cdrtools-native 
btrfs-tools-native squashfs-tools-native e2fsprogs-native"
+WKS_FILE_DEPENDS_DEFAULT += "bmap-tools-native cdrtools-native 
btrfs-tools-native squashfs-tools-native e2fsprogs-native erofs-utils-native"
 # Unified kernel images need objcopy
 WKS_FILE_DEPENDS_DEFAULT += "virtual/${MLPREFIX}${TARGET_PREFIX}binutils"
 WKS_FILE_DEPENDS_BOOTLOADERS = ""
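Review bot: erofs-utils-native is appended to WKS_FILE_DEPENDS_DEFAULT unconditionally, so every wic image build now depends on it whether or not the .wks file contains an erofs partition. That matches how btrfs-tools-native and squashfs-tools-native are already handled on this line, but it is a new build dependency for all wic users on a stable branch while the commit message only covers the erofs case; a sentence there acknowledging the wider effect would be useful.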
diff --git a/meta/recipes-core/meta/wic-tools.bb 
b/meta/recipes-core/meta/wic-tools.bb
index daaf3ea576..9282d36a4d 100644
--- a/meta/recipes-core/meta/wic-tools.bb
+++ b/meta/recipes-core/meta/wic-tools.bb
@@ -6,7 +6,7 @@ DEPENDS = "\
parted-native gptfdisk-native dosfstools-native \
mtools-native bmap-tools-native grub-native cdrtools-native \
btrfs-tools-native squashfs-tools-native pseudo-native \
-   e2fsprogs-native util-linux-native tar-native \
+   e2fsprogs-native util-linux-native tar-native erofs-utils-native \
virtual/${TARGET_PREFIX}binutils \
"
 DEPENDS:append:x86 = " syslinux-native syslinux grub-efi systemd-boot"
diff --git a/scripts/lib/wic/misc.py b/scripts/lib/wic/misc.py
index a8aab6c524..2b90821b30 100644
--- a/scripts/lib/wic/misc.py
+++ b/scripts/lib/wic/misc.py
@@ -36,6 +36,7 @@ NATIVE_RECIPES = {"bmaptool": "bmap-tools",
   "mkdosfs": "dosfstools",
   "mkisofs": "cdrtools",
   "mkfs.btrfs": "btrfs-tools",
+  "mkfs.erofs": "erofs-utils",
   "mkfs.ext2": "e2fsprogs",
   "mkfs.ext3": "e2fsprogs",
   "mkfs.ext4": "e2fsprogs",
-- 
2.34.1





[OE-core][kirkstone 25/27] sysfsutils: fetch a supported fork from github

2023-07-18 Thread Steve Sakoman
From: Alexander Kanavin 

Debian does the same:
https://packages.debian.org/source/sid/sysfsutils

Signed-off-by: Alexander Kanavin 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
(cherry picked from commit 504b2f590cb94b217c5f48090cfb71a749bd5ac8)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb | 10 +++---
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb 
b/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb
index c90a02f131..fd72cf4165 100644
--- a/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb
+++ b/meta/recipes-core/sysfsutils/sysfsutils_2.1.0.bb
@@ -10,18 +10,14 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=3d06403ea54c7574a9e581c6478cc393 \
 file://lib/LGPL;md5=b75d069791103ffe1c0d6435deeff72e"
 PR = "r5"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/linux-diag/sysfsutils-${PV}.tar.gz \
+SRC_URI = 
"git://github.com/linux-ras/sysfsutils.git;protocol=https;branch=master \
file://sysfsutils-2.0.0-class-dup.patch \
file://obsolete_automake_macros.patch \
file://separatebuild.patch"
 
-SRC_URI[md5sum] = "14e7dcd0436d2f49aa403f67e1ef7ddc"
-SRC_URI[sha256sum] = 
"e865de2c1f559fff0d3fc936e660c0efaf7afe662064f2fb97ccad1ec28d208a"
+SRCREV = "0d5456e1c9d969cdad6accef2ae2d4881d5db085"
 
-UPSTREAM_CHECK_URI = 
"http://sourceforge.net/projects/linux-diag/files/sysfsutils/";
-UPSTREAM_CHECK_REGEX = "/sysfsutils/(?P(\d+[\.\-_]*)+)/"
-
-S = "${WORKDIR}/sysfsutils-${PV}"
+S = "${WORKDIR}/git"
 
 inherit autotools
 
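Review bot: SRCREV pins the fetch to commit 0d5456e1c9d969cdad6accef2ae2d4881d5db085, but nothing in the hunk says which upstream release or tag that commit is, while the recipe is still named sysfsutils_2.1.0.bb and still applies the same three local patches. Since the md5sum and sha256sum of the old tarball are dropped, the commit hash is now the only integrity anchor, so a comment next to SRCREV naming the tag it corresponds to would let a reviewer confirm that the fork's content matches the 2.1.0 tarball it replaces. UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX are removed with no git-based replacement; if tag matching on the new repository needs a regex, it should be added here.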
-- 
2.34.1





[OE-core][kirkstone 24/27] unzip: fix configure check for cross compilation

2023-07-18 Thread Steve Sakoman
From: Chen Qi 

The original configure runs a generated binary to determine
features. This is not correct for cross compilation. So change
the runtime tests into compile-time tests to fix the issue.

Signed-off-by: Chen Qi 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
(cherry picked from commit b9aca339b59238988c48b90ea5019bfc939ba4b3)
Signed-off-by: Steve Sakoman 
---
 ...-fix-detection-for-cross-compilation.patch | 103 ++
 meta/recipes-extended/unzip/unzip_6.0.bb  |   1 +
 2 files changed, 104 insertions(+)
 create mode 100644 
meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch

diff --git 
a/meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch
 
b/meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch
new file mode 100644
index 00..2fa7f481b7
--- /dev/null
+++ 
b/meta/recipes-extended/unzip/unzip/0001-unix-configure-fix-detection-for-cross-compilation.patch
@@ -0,0 +1,103 @@
+From 5cbf901b5c3b6a7d1d0ed91b6df4194bb6d25a40 Mon Sep 17 00:00:00 2001
+From: Chen Qi 
+Date: Thu, 15 Jun 2023 07:14:17 -0700
+Subject: [PATCH] unix/configure: fix detection for cross compilation
+
+We're doing cross compilation, running a cross-compiled problem
+on host to detemine feature is not correct. So we change runtime
+check into compile-time check to detect the features.
+
+Upstream-Status: Inactive-Upstream
+
+Signed-off-by: Chen Qi 
+---
+ unix/configure | 44 +++-
+ 1 file changed, 15 insertions(+), 29 deletions(-)
+
+diff --git a/unix/configure b/unix/configure
+index 8fd82dd..68dee98 100755
+--- a/unix/configure
 b/unix/configure
+@@ -259,6 +259,10 @@ cat > conftest.c << _EOF_
+ #include 
+ #include 
+ #include 
++
++_Static_assert(sizeof(off_t) < 8, "sizeof off_t < 8 failed");
++_Static_assert(sizeof((struct stat){0}.st_size) < 8, "sizeof st_size < 8 
failed");
++
+ int main()
+ {
+   off_t offset;
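Review bot: the two _Static_assert lines invert the sense of the old runtime test and also change its condition. The compile now fails, which the script below reads as Large File Support, as soon as either off_t or st_size is 8 bytes or larger, whereas the removed branches reported support only for exit code 3 and had separate "no 64-bit off_t" and "no 64-bit stat" outcomes. Asserting the positive condition instead (sizeof(off_t) >= 8, and the same for st_size) and treating a successful compile as "yes" would require both and keep the assertion messages truthful.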
+@@ -278,21 +282,10 @@ _EOF_
+ # compile it
+ $CC $CFLAGS $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null
+ if [ $? -ne 0 ]; then
+-  echo -- no Large File Support
++  echo -- yes we have Large File Support!
++  CFLAGSR="${CFLAGSR} -DLARGE_FILE_SUPPORT"
+ else
+-# run it
+-  ./conftest
+-  r=$?
+-  if [ $r -eq 1 ]; then
+-echo -- no Large File Support - no 64-bit off_t
+-  elif [ $r -eq 2 ]; then
+-echo -- no Large File Support - no 64-bit stat
+-  elif [ $r -eq 3 ]; then
+-echo -- yes we have Large File Support!
+-CFLAGSR="${CFLAGSR} -DLARGE_FILE_SUPPORT"
+-  else
+-echo -- no Large File Support - conftest returned $r
+-  fi
++  echo -- no Large File Support
+ fi
+ 
+ # Added 11/24/2005 EG
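Review bot: in the rewritten if [ $? -ne 0 ] branch, any compile failure now enables -DLARGE_FILE_SUPPORT, not only a tripped _Static_assert. With both output streams sent to /dev/null, a missing header, a bad path in $CFLAGS, or a compiler that does not accept _Static_assert is indistinguishable from a 64-bit off_t, where the old code treated a failed compile as "no Large File Support". Flipping the assertions so that a clean compile means support is present would keep build breakage on the safe side.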
+@@ -302,6 +295,11 @@ cat > conftest.c << _EOF_
+ #include 
+ #include 
+ #include 
++
++#ifndef __STDC_ISO_10646__
++#error "__STDC_ISO_10646__ not defined
++#endif
++
+ int main()
+ {
+   size_t wsize;
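Review bot: the added #error line is missing its closing double quote (the string after #error opens with " and never closes). The directive still stops the compile when __STDC_ISO_10646__ is undefined, but compilers warn about the unterminated string, so please close the quote.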
+@@ -327,19 +325,8 @@ if [ $? -ne 0 ]; then
+   echo "-- no Unicode (wchar_t) support"
+ else
+ # have wide char support
+-# run it
+-  ./conftest
+-  r=$?
+-  if [ $r -eq 0 ]; then
+-echo -- no Unicode wchar_t support - wchar_t allocation error
+-  elif [ $r -eq 1 ]; then
+-echo -- no Unicode support - wchar_t encoding unspecified
+-  elif [ $r -eq 2 ]; then
+-echo -- have wchar_t with known UCS encoding - enabling Unicode support!
+-CFLAGSR="${CFLAGSR} -DUNICODE_SUPPORT -DUNICODE_WCHAR"
+-  else
+-echo "-- no Unicode (wchar_t) support - conftest returned $r"
+-  fi
++  echo -- have wchar_t with known UCS encoding - enabling Unicode support!
++  CFLAGSR="${CFLAGSR} -DUNICODE_SUPPORT -DUNICODE_WCHAR"
+ fi
+ 
+ echo "Check for setlocale support (needed for UNICODE Native check)"
+@@ -418,8 +405,7 @@ temp_link="link_$$"
+   echo "int main() { lchmod(\"${temp_file}\", 0666); }" \
+ ) > conftest.c
+ ln -s "${temp_link}" "${temp_file}" && \
+- $CC $BFLAG $LDFLAGS -o conftest conftest.c >/dev/null 2>/dev/null && \
+- ./conftest
++ $CC -Werror=implicit-function-declaration $BFLAG $LDFLAGS -o conftest 
conftest.c >/dev/null
+ [ $? -ne 0 ] && CFLAGSR="${CFLAGSR} -DNO_LCHMOD"
+ rm -f "${temp_file}"
+ 
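Review bot: the replacement compile line redirects only stdout (>/dev/null) where the removed line also had 2>/dev/null, so on targets without lchmod the expected -Werror=implicit-function-declaration error will be printed into the configure output. If that is intentional it deserves a mention in the commit message; otherwise restore the stderr redirect to match the other checks. With ./conftest gone, the ln -s of ${temp_link} that precedes the compile no longer takes part in the test and could be dropped together with the rm -f that follows.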
+-- 
+2.34.1
+
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb 
b/meta/recipes-extended/unzip/unzip_6.0.bb
index f35856cf61..e3fffa30ab 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -31,6 +31,7 @@ SRC_URI = 
"${SOURCEFORGE_MIRROR}/infozip/UnZip%206.x%20%28latest%29/UnZip%206.0/
 file://CVE-2021-4217.patch \
 file://CVE-2022-0529.patch \
 file://CVE-2022-0530.patch \
+file://0001-unix-configure-fix-detection-for-cross-compilation.patch \
 "
 UPSTREAM_VERSION_UNKNOWN = "1"
 
-- 
2.34.1



[OE-core][kirkstone 23/27] zip: fix configure check by using _Static_assert

2023-07-18 Thread Steve Sakoman
From: Chen Qi 

It's incorrect to run a cross-compiled program on build machine
to check if some feature is available or not. As these two checks
in zip are basically just checking the size, we can use _Static_assert
and sizeof to do such check at compile time.

Signed-off-by: Chen Qi 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
(cherry picked from commit dda778d855b1838ae3004a9af310724b913490b4)
Signed-off-by: Steve Sakoman 
---
 ...se-_Static_assert-to-do-correct-dete.patch | 96 +++
 meta/recipes-extended/zip/zip_3.0.bb  |  1 +
 2 files changed, 97 insertions(+)
 create mode 100644 
meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch

diff --git 
a/meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch
 
b/meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch
new file mode 100644
index 00..106f246a7c
--- /dev/null
+++ 
b/meta/recipes-extended/zip/zip-3.0/0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch
@@ -0,0 +1,96 @@
+From 9916fc6f1f93f3e092e3c6937c30dc8137c26d34 Mon Sep 17 00:00:00 2001
+From: Chen Qi 
+Date: Thu, 15 Jun 2023 18:31:26 +0800
+Subject: [PATCH] unix/configure: use _Static_assert to do correct detection
+
+We're doing cross compilation, running a cross-compiled problem
+on host to detemine feature is not correct. Use _Static_assert
+to do the detection correctly.
+
+Upstream-Status: Inactive-Upstream
+
+Signed-off-by: Chen Qi 
+---
+ unix/configure | 42 --
+ 1 file changed, 12 insertions(+), 30 deletions(-)
+
+diff --git a/unix/configure b/unix/configure
+index f2b3d02..f917086 100644
+--- a/unix/configure
 b/unix/configure
+@@ -361,6 +361,10 @@ cat > conftest.c << _EOF_
+ #include 
+ #include 
+ #include 
++
++_Static_assert(sizeof((struct stat){0}.st_uid) == 2, "sizeof st_uid is not 16 
bit");
++_Static_assert(sizeof((struct stat){0}.st_gid) == 2, "sizeof st_gid is not 16 
bit");
++
+ int main()
+ {
+   struct stat s;
+@@ -385,21 +389,7 @@ if [ $? -ne 0 ]; then
+   echo -- UID/GID test failed on compile - disabling old 16-bit UID/GID 
support
+   CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT"
+ else
+-# run it
+-  ./conftest
+-  r=$?
+-  if [ $r -eq 1 ]; then
+-echo -- UID not 2 bytes - disabling old 16-bit UID/GID support
+-CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT"
+-  elif [ $r -eq 2 ]; then
+-echo -- GID not 2 bytes - disabling old 16-bit UID/GID support
+-CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT"
+-  elif [ $r -eq 3 ]; then
+-echo -- 16-bit UIDs and GIDs - keeping old 16-bit UID/GID support
+-  else
+-echo -- test failed - conftest returned $r - disabling old 16-bit UID/GID 
support
+-CFLAGS="${CFLAGS} -DUIDGID_NOT_16BIT"
+-  fi
++  echo -- 16-bit UIDs and GIDs - keeping old 16-bit UID/GID support
+ fi
+ 
+ 
+@@ -417,6 +407,10 @@ cat > conftest.c << _EOF_
+ #include 
+ #include 
+ #include 
++
++_Static_assert(sizeof(off_t) < 8, "sizeof off_t < 8 failed");
++_Static_assert(sizeof((struct stat){0}.st_size) < 8, "sizeof st_size < 8 
failed");
++
+ int main()
+ {
+   off_t offset;
+@@ -436,24 +430,12 @@ _EOF_
+ # compile it
+ $CC -o conftest conftest.c >/dev/null 2>/dev/null
+ if [ $? -ne 0 ]; then
+-  echo -- no Large File Support
++  echo -- yes we have Large File Support!
++  CFLAGS="${CFLAGS} -DLARGE_FILE_SUPPORT"
+ else
+-# run it
+-  ./conftest
+-  r=$?
+-  if [ $r -eq 1 ]; then
+-echo -- no Large File Support - no 64-bit off_t
+-  elif [ $r -eq 2 ]; then
+-echo -- no Large File Support - no 64-bit stat
+-  elif [ $r -eq 3 ]; then
+-echo -- yes we have Large File Support!
+-CFLAGS="${CFLAGS} -DLARGE_FILE_SUPPORT"
+-  else
+-echo -- no Large File Support - conftest returned $r
+-  fi
++  echo -- no Large File Support
+ fi
+ 
+-
+ # Check for wide char for Unicode support
+ # Added 11/24/2005 EG
+ 
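Review bot: the Large File Support check here is decided by compile failure alone, and failure is read as the positive answer: if [ $? -ne 0 ] sets -DLARGE_FILE_SUPPORT. The UID/GID hunk earlier in this patch fails safe (a broken compile disables the legacy 16-bit path), while this one fails open, because $CC -o conftest conftest.c with all output discarded cannot tell a tripped _Static_assert from a missing header or an unusable compiler. Asserting sizeof(off_t) >= 8 and the same for st_size, and treating a clean compile as "yes", would make both checks behave the same way under breakage.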
+-- 
+2.34.1
+
diff --git a/meta/recipes-extended/zip/zip_3.0.bb 
b/meta/recipes-extended/zip/zip_3.0.bb
index 07a67b9634..83e1e52e97 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -17,6 +17,7 @@ SRC_URI = 
"${SOURCEFORGE_MIRROR}/infozip/Zip%203.x%20%28latest%29/3.0/zip30.tar.
file://0001-configure-use-correct-CPP.patch \
file://0002-configure-support-PIC-code-build.patch \

file://0001-configure-Use-CFLAGS-and-LDFLAGS-when-doing-link-tes.patch \
+   
file://0001-unix-configure-use-_Static_assert-to-do-correct-dete.patch \
"
 UPSTREAM_VERSION_UNKNOWN = "1"
 
-- 
2.34.1



[OE-core][kirkstone 22/27] sdk.py: fix moving dnf contents

2023-07-18 Thread Steve Sakoman
From: Chen Qi 

The dnf contents should be moved to /etc/dnf/xxx
instead of just /etc.

Signed-off-by: Chen Qi 
Signed-off-by: Richard Purdie 
(cherry picked from commit 74b78d160a985e98f869c777847ab798e419dd2d)
Signed-off-by: Steve Sakoman 
---
 meta/lib/oe/package_manager/rpm/sdk.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oe/package_manager/rpm/sdk.py 
b/meta/lib/oe/package_manager/rpm/sdk.py
index c5f232431f..04dccf49d7 100644
--- a/meta/lib/oe/package_manager/rpm/sdk.py
+++ b/meta/lib/oe/package_manager/rpm/sdk.py
@@ -110,5 +110,6 @@ class PkgSdk(Sdk):
 for f in glob.glob(os.path.join(self.sdk_output, "etc", "rpm*")):
 self.movefile(f, native_sysconf_dir)
 for f in glob.glob(os.path.join(self.sdk_output, "etc", "dnf", "*")):
-self.movefile(f, native_sysconf_dir)
+self.mkdirhier(native_sysconf_dir + "/dnf")
+self.movefile(f, native_sysconf_dir + "/dnf")
 self.remove(os.path.join(self.sdk_output, "etc"), True)
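Review bot: self.mkdirhier(native_sysconf_dir + "/dnf") is inside the for loop, so the directory call is repeated for every file the glob matches; it is loop-invariant and can be computed once into a local and created before the loop, or on first match if the directory should not exist when nothing matches. The hunk also builds the path by string concatenation while the neighbouring lines use os.path.join; os.path.join(native_sysconf_dir, "dnf") would keep the style consistent.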
-- 
2.34.1





[OE-core][kirkstone 21/27] sdk.py: error out when moving file fails

2023-07-18 Thread Steve Sakoman
From: Chen Qi 

Instead of printing an error message and continuing, we should just
error out when moving file fails.

Signed-off-by: Chen Qi 
Signed-off-by: Richard Purdie 
(cherry picked from commit 12aecd9da94b5f27041982c661e8bab316d365d4)
Signed-off-by: Steve Sakoman 
---
 meta/lib/oe/sdk.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oe/sdk.py b/meta/lib/oe/sdk.py
index 27347667e8..2383bd58b7 100644
--- a/meta/lib/oe/sdk.py
+++ b/meta/lib/oe/sdk.py
@@ -68,7 +68,7 @@ class Sdk(object, metaclass=ABCMeta):
 #FIXME: using umbrella exc catching because bb.utils method raises it
 except Exception as e:
 bb.debug(1, "printing the stack trace\n %s" 
%traceback.format_exc())
-bb.error("unable to place %s in final SDK location" % sourcefile)
+bb.fatal("unable to place %s in final SDK location" % sourcefile)
 
 def mkdirhier(self, dirpath):
 try:
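Review bot: with bb.fatal the build now stops here, yet the message still names only sourcefile; the reason for the failure goes to bb.debug(1, ...) and is therefore hidden at the default log level. The exception is already bound as e in the except clause and is unused in the visible lines, so appending it to the fatal message, for example "unable to place %s in final SDK location: %s" % (sourcefile, e), would make the failure diagnosable from the error alone.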
-- 
2.34.1





[OE-core][kirkstone 20/27] bitbake.conf: add unzstd in HOSTTOOLS

2023-07-18 Thread Steve Sakoman
From: Alberto Planas 

rpm2cpio.sh can make calls to unzstd to uncompress the RPM payload that
conform the cpio file.

zstd is already part of HOSTTOOLS, as a link to the system installed
zstd.

This patch add unzstd in HOSTOOLS list as a non-optional binary, so is
available to rpm2cpio.sh when it is required.

Signed-off-by: Alberto Planas 
Signed-off-by: Richard Purdie 
(cherry picked from commit bff58d337890e804d33d7decbaa46065a4d3bba4)
Signed-off-by: Steve Sakoman 
---
 meta/conf/bitbake.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 8ef4b00d08..290dfda6c8 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -523,7 +523,7 @@ HOSTTOOLS += " \
 python3 pzstd ranlib readelf readlink realpath rm rmdir rpcgen sed seq sh \
 sha1sum sha224sum sha256sum sha384sum sha512sum \
 sleep sort split stat strings strip tail tar tee test touch tr true uname \
-uniq wc wget which xargs zstd \
+uniq unzstd wc wget which xargs zstd \
 "
 
 # Tools needed to run testimage runtime image testing
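Review bot: unzstd goes into HOSTTOOLS, the mandatory list, so after this change a build host that has zstd but no unzstd on PATH fails the host tools check even if nothing in the build calls rpm2cpio.sh. The commit message says this is deliberate, but for a stable-branch backport it raises the host requirements; if the tool is needed only on the rpm2cpio.sh path, HOSTTOOLS_NONFATAL would make it available where present without breaking existing hosts.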
-- 
2.34.1





[OE-core][kirkstone 19/27] rust-llvm: backport a fix for build with gcc-13

2023-07-18 Thread Steve Sakoman
From: Alexander Sverdlin 

* needed for rust-llvm-native on hosts with gcc-13

Based on commit 3382759cb6c5 ("llvm: backport a fix for build with gcc-13")

Signed-off-by: Alexander Sverdlin 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/rust/rust-llvm.inc  |  4 ++-
 ...-missing-cstdint-header-to-Signals.h.patch | 32 +++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 
meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch

diff --git a/meta/recipes-devtools/rust/rust-llvm.inc 
b/meta/recipes-devtools/rust/rust-llvm.inc
index 5c2ccdac9a..e645e7a7ac 100644
--- a/meta/recipes-devtools/rust/rust-llvm.inc
+++ b/meta/recipes-devtools/rust/rust-llvm.inc
@@ -3,7 +3,9 @@ LICENSE ?= "Apache-2.0-with-LLVM-exception"
 HOMEPAGE = "http://www.rust-lang.org";
 
 SRC_URI += "file://0002-llvm-allow-env-override-of-exe-path.patch;striplevel=2 
\
-
file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2"
+
file://0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch;striplevel=2
 \
+
file://0003-Support-Add-missing-cstdint-header-to-Signals.h.patch;striplevel=2 \
+"
 
 S = "${RUSTSRC}/src/llvm-project/llvm"
 
diff --git 
a/meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch
 
b/meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch
new file mode 100644
index 00..6ed23aa9c5
--- /dev/null
+++ 
b/meta/recipes-devtools/rust/rust-llvm/0003-Support-Add-missing-cstdint-header-to-Signals.h.patch
@@ -0,0 +1,32 @@
+From a94bf34221fc4519bd8ec72560c2d363ffe2de4c Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich 
+Date: Mon, 23 May 2022 08:03:23 +0100
+Subject: [PATCH] [Support] Add missing  header to Signals.h
+
+Without the change llvm build fails on this week's gcc-13 snapshot as:
+
+[  0%] Building CXX object 
lib/Support/CMakeFiles/LLVMSupport.dir/Signals.cpp.o
+In file included from llvm/lib/Support/Signals.cpp:14:
+llvm/include/llvm/Support/Signals.h:119:8: error: variable or field 
'CleanupOnSignal' declared void
+  119 |   void CleanupOnSignal(uintptr_t Context);
+  |^~~
+
+Upstream-Status: Backport [llvmorg-15.0.0 
ff1681ddb303223973653f7f5f3f3435b48a1983]
+Signed-off-by: Martin Jansa 
+Signed-off-by: Alexander Sverdlin 
+---
+ llvm/include/llvm/Support/Signals.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/llvm/include/llvm/Support/Signals.h 
b/llvm/include/llvm/Support/Signals.h
+index 44f5a750ff5c..937e0572d4a7 100644
+--- a/llvm/include/llvm/Support/Signals.h
 b/llvm/include/llvm/Support/Signals.h
+@@ -14,6 +14,7 @@
+ #ifndef LLVM_SUPPORT_SIGNALS_H
+ #define LLVM_SUPPORT_SIGNALS_H
+ 
++#include 
+ #include 
+ 
+ namespace llvm {
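Review bot: The one line this backport exists for, the added `+#include` in the Signals.h hunk, shows no header name in this copy, and the Subject line has the same gap ("Add missing  header"). The patch file name says the header is cstdint, which matches the `uintptr_t` error quoted in the message, so check that the file as committed under rust-llvm/ has the cstdint include spelled out and that the angle-bracketed name was not stripped from the patch itself. The `Upstream-Status: Backport` line giving both the release tag and the commit id is what a stable-branch reviewer needs here.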
-- 
2.34.1


View/Reply Online (#184523): https://lists.openembedded.org/g/openembedded-core/message/184523



[OE-core][kirkstone 18/27] systemd: Backport nspawn: make sure host root can write to the uidmapped mounts we prepare for the container payload

2023-07-18 Thread Steve Sakoman
From: Marek Vasut 

Backport fix for systemd nspawn uidmap handling from systemd v253.
Without this, an attempt to start a mkosi-generated Debian stable 12
container would ultimately fail (per "$ strace -ff") with:
"
symlinkat("usr/lib/aarch64-linux-gnu", 8, "lib64") = -1 EOVERFLOW (Value too large for defined data type)
"

Command to generate test container:
"
mkosi --distribution debian --release stable --architecture arm64 \
  --cache-dir /home/oe/cache/ --format tar --compress-output xz \
  --output-dir /home/oe/output/ --checksum 1 --root-password root \
  --package systemd --package udev --package dbus
"

Command to import test container and start it, which triggers the failure:
"
$ machinectl pull-tar http://192.168.1.300/image.tar.xz default
$ machinectl read-only default false
$ rm -f /var/lib/machines/default/etc/machine-id
$ dbus-uuidgen --ensure=/var/lib/machines/default/etc/machine-id
$ machinectl start default
"

Minimal command to trigger the failure once container is imported:
"
$ strace -ff systemd-nspawn --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=default
"

Extracted from systemd MR:
https://github.com/systemd/systemd/pull/22774

Further explanation by Christian Brauner at second half of:
https://github.com/systemd/systemd/issues/20989

Signed-off-by: Marek Vasut 
Signed-off-by: Steve Sakoman 
---
 ...-host-root-can-write-to-the-uidmappe.patch | 216 ++
 meta/recipes-core/systemd/systemd_250.5.bb|   1 +
 2 files changed, 217 insertions(+)
 create mode 100644 
meta/recipes-core/systemd/systemd/0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch

diff --git 
a/meta/recipes-core/systemd/systemd/0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch
 
b/meta/recipes-core/systemd/systemd/0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch
new file mode 100644
index 00..8715019c99
--- /dev/null
+++ 
b/meta/recipes-core/systemd/systemd/0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch
@@ -0,0 +1,216 @@
+From e34fb1a4568bd080032065bb1506ab9b6c6606f1 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering 
+Date: Thu, 17 Mar 2022 13:46:12 +0100
+Subject: [PATCH] nspawn: make sure host root can write to the uidmapped mounts
+ we prepare for the container payload
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When using user namespaces in conjunction with uidmapped mounts, nspawn
+so far set up two uidmappings:
+
+1. One that is used for the uidmapped mount and that maps the UID range
+   0…65535 on the backing fs to some high UID range X…X+65535 on the
+   uidmapped fs. (Let's call this mapping the "mount mapping")
+
+2. One that is used for the userns namespace the container payload
+   processes run in, that maps X…X+65535 back to 0…65535. (Let's call
+   this one the "process mapping").
+
+These mappings hence are pretty much identical, one just moves things up
+and one back down. (Reminder: we do all this so that the processes can
+run under high UIDs while running off file systems that require no
+recursive chown()ing, i.e. we want processes with high UID range but
+files with low UID range.)
+
+This creates one problem, i.e. issue #20989: if nspawn (which runs as
+host root, i.e. host UID 0) wants to add inodes to the uidmapped mount
+it can't do that, since host UID 0 is not defined in the mount mapping
+(only the X…X+65536 range is, after all, and X > 0), and processes whose
+UID is not mapped in a uidmapped fs cannot create inodes in it since
+those would be owned by an unmapped UID, which then triggers
+the famous EOVERFLOW error.
+
+Let's fix this, by explicitly including an entry for the host UID 0 in
+the mount mapping. Specifically, we'll extend the mount mapping to map
+UID 2147483646 (which is INT32_MAX-1, see code for an explanation why I
+picked this one) of the backing fs to UID 0 on the uidmapped fs. This
+way nspawn can creates inode on the uidmapped as it likes (which will
+then actually be owned by UID 2147483646 on the backing fs), and as it
+always did. Note that we do *not* create a similar entry in the process
+mapping. Thus any files created by nspawn that way (and not chown()ed to
+something better) will appear as unmapped (i.e. as overflowuid/"nobody")
+in the container payload. And that's good. Of course, the latter is
+mostly theoretic, as nspawn should generally chown() the inodes it
+creates to UID ranges that actually make sense for the container (and we
+generally already do this correctly), but it#s good to know that we are
+safe here, given we might accidentally forget to chown() some inodes we
+create.
+
+Net effect: the two mappings will not be identical anymore. The mount
+mapping has one entry more, and the only reason it exists is so that
+nspawn can access the uidmapped fs reasonably independently from any
+process mapping.
+
+Fixes: #20989
+
+Upstream-Status: Backport [50ae2966d20
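Review bot: The embedded commit text writes the mount-mapping range two ways: the numbered list gives X…X+65535, while the paragraph on issue #20989 says "only the X…X+65536 range is". That is upstream's wording and should stay untouched in a backport, but the OE commit message above could state the operational consequence for anyone auditing ownership on the host: inodes that nspawn creates and does not chown() are owned by UID 2147483646 on the backing fs and appear as overflowuid/"nobody" inside the container, because the extra entry exists only in the mount mapping and not in the process mapping.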

[OE-core][kirkstone 17/27] pybootchartgui: show elapsed time for each task

2023-07-18 Thread Steve Sakoman
From: Mauro Queiros 

Currently, finding the elapsed time of each task in buildtimes.svg
is a manual effort of checking the top axis and finding and subtracting
the end and start time of the task.

This change adds the elapsed time for each task, so that
manual effort of comparing start/end time is avoided.

Signed-off-by: Mauro Queiros 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
(cherry picked from commit 3efebd3404de548f0757863da237f2d18ce60013)
Signed-off-by: Jose Quaresma 
Signed-off-by: Steve Sakoman 
---
 scripts/pybootchartgui/pybootchartgui/draw.py | 5 +
 1 file changed, 5 insertions(+)

diff --git a/scripts/pybootchartgui/pybootchartgui/draw.py 
b/scripts/pybootchartgui/pybootchartgui/draw.py
index fc708b55c3..707e7fe427 100644
--- a/scripts/pybootchartgui/pybootchartgui/draw.py
+++ b/scripts/pybootchartgui/pybootchartgui/draw.py
@@ -558,6 +558,11 @@ def render_processes_chart(ctx, options, trace, curr_y, w, 
h, sec_w):
 draw_rect(ctx, PROC_BORDER_COLOR, (x, y, w, proc_h))
 
 draw_label_in_box(ctx, PROC_TEXT_COLOR, process, x, y + proc_h - 
4, w, proc_h)
+
+# Show elapsed time for each task
+elapsed_time = f"{trace.processes[process][1] - start}s"
+draw_text(ctx, elapsed_time, PROC_TEXT_COLOR, x + w + 4, y + 
proc_h - 4)
+
 y = y + proc_h
 
 return curr_y
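Review bot: The f-string that builds `elapsed_time` has no format spec, so if `trace.processes[process][1]` and `start` are floats the label prints the full repr of the difference; a fixed precision such as `:.1f`, or an explicit int conversion if the times are whole seconds, would keep the labels uniform. The text is also drawn at `x + w + 4`, to the right of the task box, so for tasks that end near the right edge of the chart it can run past the drawing area; worth checking against the buildtimes.svg of a long build.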
-- 
2.34.1


View/Reply Online (#184521): https://lists.openembedded.org/g/openembedded-core/message/184521



[OE-core][kirkstone 16/27] logrotate: Do not create logrotate.status file

2023-07-18 Thread Steve Sakoman
From: Jermain Horsman 

The first time logrotate runs it reports an error:

  error: state file /var/lib/logrotate.status is
  world-readable and thus can be locked from other
  unprivileged users. Skipping lock acquisition...

This check was added with
https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9

This error is only reported once as logrotate removes
the world-readable permissions if this happens.
Since logrotate creates this file if it does not exist,
there should be no need to install it in the first place.

Signed-off-by: Jermain Horsman 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
(cherry picked from commit 8169cd2d18f1569e4357f082adbef492710e8c36)
Signed-off-by: Jermain Horsman 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-extended/logrotate/logrotate_3.20.1.bb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/meta/recipes-extended/logrotate/logrotate_3.20.1.bb 
b/meta/recipes-extended/logrotate/logrotate_3.20.1.bb
index 35977535aa..3df6ebd26d 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.20.1.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.20.1.bb
@@ -67,7 +67,6 @@ do_install(){
 install -p -m 644 ${S}/examples/logrotate.conf 
${D}${sysconfdir}/logrotate.conf
 install -p -m 644 ${S}/examples/btmp ${D}${sysconfdir}/logrotate.d/btmp
 install -p -m 644 ${S}/examples/wtmp ${D}${sysconfdir}/logrotate.d/wtmp
-touch ${D}${localstatedir}/lib/logrotate.status
 
 if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', 
d)}; then
 install -d ${D}${systemd_system_unitdir}
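Review bot: With the `touch ${D}${localstatedir}/lib/logrotate.status` line gone, nothing in the visible part of do_install() still places a file under `${localstatedir}/lib`. If an earlier `install -d` for that directory existed only for the state file it is now dead and can go in the same change, and the message could say that the image is expected to provide that directory at runtime so logrotate can create the state file itself on first run. Letting logrotate create the file is the right outcome for the lock check quoted in the message, since the error was raised against the copy the package installed.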
-- 
2.34.1


View/Reply Online (#184520): https://lists.openembedded.org/g/openembedded-core/message/184520



[OE-core][kirkstone 15/27] libpng: Add ptest for libpng

2023-07-18 Thread Steve Sakoman
From: Nikhil R 

libpng is a platform-independent library which
supports all PNG features.
This ptest executes the below binaries, parses
the png image and prints the image features.

1. pngfix - provides information about PNG image
copyrights details.

2. pngtest - tests, optimizes and optionally fixes
the zlib header in PNG files.

3. pngstest - verifies the integrity of PNG image by
dumping chunk level information.

4. timepng - provides details about PNG image chunks.

Signed-off-by: Nikhil R 
Signed-off-by: Steve Sakoman 
---
 .../distro/include/ptest-packagelists.inc |  1 +
 .../recipes-multimedia/libpng/files/run-ptest | 29 +++
 .../libpng/libpng_1.6.39.bb   | 16 --
 3 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-multimedia/libpng/files/run-ptest

diff --git a/meta/conf/distro/include/ptest-packagelists.inc 
b/meta/conf/distro/include/ptest-packagelists.inc
index 5bcff83093..5c6a30635f 100644
--- a/meta/conf/distro/include/ptest-packagelists.inc
+++ b/meta/conf/distro/include/ptest-packagelists.inc
@@ -29,6 +29,7 @@ PTESTS_FAST = "\
 libnl-ptest \
 libmodule-build-perl-ptest \
 libpcre-ptest \
+libpng-ptest \
 libssh2-ptest \
 libtimedate-perl-ptest \
 libtest-needs-perl-ptest \
diff --git a/meta/recipes-multimedia/libpng/files/run-ptest 
b/meta/recipes-multimedia/libpng/files/run-ptest
new file mode 100644
index 00..9ab5d0c1f4
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/run-ptest
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -eux
+
+./pngfix pngtest.png &> log.txt  2>&1
+
+if grep -i "OK" log.txt 2>&1 ; then
+   echo "PASS: pngfix passed"
+else
+   echo "FAIL: pngfix failed"
+fi
+rm -f log.txt
+
+./pngtest pngtest.png &> log.txt 2>&1
+
+if grep -i "PASS" log.txt 2>&1 ; then
+   echo "PASS: pngtest passed"
+else
+   echo "FAIL: pngtest failed"
+fi
+rm -f log.txt
+
+for i in pngstest timepng; do
+if "./${i}" pngtest.png 2>&1; then
+echo "PASS: $i"
+else
+echo "FAIL: $i"
+fi
+done
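Review bot: `./pngfix pngtest.png &> log.txt  2>&1` and the matching pngtest line use `&>` under a `#!/bin/sh` shebang. `&>` is a bash extension; a POSIX sh without it reads the line as `./pngfix pngtest.png &` followed by a bare redirection, so the tool runs in the background with its output not captured, log.txt is only truncated, and the grep that follows finds nothing. Plain `> log.txt 2>&1` does what is intended. Separately, `set -eux` makes the script exit on the first non-zero status, so once the redirection is fixed a failing pngfix or pngtest ends the run before its `FAIL:` line is printed; either drop `-e` or test the command directly in the `if`, as the pngstest/timepng loop already does. `grep -i "OK"` also matches any line containing those two letters in either case, which is loose for a pass criterion.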
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb 
b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index d9dcf379e9..94db1d3f6b 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -10,7 +10,11 @@ DEPENDS = "zlib"
 
 LIBV = "16"
 
-SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz"
+SRC_URI = "\
+   ${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/${BP}.tar.xz \
+   file://run-ptest \
+   "
+
 SRC_URI[sha256sum] = 
"1f4696ce70b4ee5f85f1e1623dc1229b210029fa4b7aee573df3e2ba7b036937"
 
 MIRRORS += "${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/ 
${SOURCEFORGE_MIRROR}/${BPN}/${BPN}${LIBV}/older-releases/"
@@ -19,7 +23,7 @@ UPSTREAM_CHECK_URI = "http://libpng.org/pub/png/libpng.html";
 
 BINCONFIG = "${bindir}/libpng-config ${bindir}/libpng16-config"
 
-inherit autotools binconfig-disabled pkgconfig
+inherit autotools binconfig-disabled pkgconfig ptest
 
 # Work around missing symbols
 EXTRA_OECONF:append:class-target = " ${@bb.utils.contains("TUNE_FEATURES", 
"neon", "--enable-arm-neon=on", "--enable-arm-neon=off", d)}"
@@ -32,3 +36,11 @@ BBCLASSEXTEND = "native nativesdk"
 
 # CVE-2019-17371 is actually a memory leak in gif2png 2.x
 CVE_CHECK_IGNORE += "CVE-2019-17371"
+
+do_install_ptest() {
+install -m644 "${S}/pngtest.png" "${D}${PTEST_PATH}"
+install -m755 "${B}/.libs/pngfix" "${D}${PTEST_PATH}"
+install -m755 "${B}/.libs/pngtest" "${D}${PTEST_PATH}"
+install -m755 "${B}/.libs/pngstest" "${D}${PTEST_PATH}"
+install -m755 "${B}/.libs/timepng" "${D}${PTEST_PATH}"
+}
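Review bot: do_install_ptest() copies the four tools from `${B}/.libs/`, which is libtool's private build directory. That ties the ptest to libtool's internal layout, and binaries taken from there are the ones linked for use inside the build tree, so confirm they carry no build-tree run path and that they resolve the packaged libpng at runtime on the target. The `file://run-ptest` entry in SRC_URI and the added `ptest` inherit in the earlier hunks of this file look right.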
-- 
2.34.1


View/Reply Online (#184519): https://lists.openembedded.org/g/openembedded-core/message/184519



[OE-core][kirkstone 14/27] selftest/reproducible: Allow chose the package manager

2023-07-18 Thread Steve Sakoman
From: Jose Quaresma 

This is a follow-up of 76e5fcb2 that also allows users to choose
the package manager using OEQA_REPRODUCIBLE_TEST_PACKAGE

Signed-off-by: Jose Quaresma 
Signed-off-by: Richard Purdie 
(cherry picked from commit 3d414d85b44077bac57aba36707b0fc699a73e97)
Signed-off-by: Steve Sakoman 
---
 meta/lib/oeqa/selftest/cases/reproducible.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py 
b/meta/lib/oeqa/selftest/cases/reproducible.py
index 98259ae515..49318be43a 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -126,7 +126,11 @@ class DiffoscopeTests(OESelftestTestCase):
 class ReproducibleTests(OESelftestTestCase):
 # Test the reproducibility of whatever is built between sstate_targets and 
targets
 
-package_classes = ['deb', 'ipk', 'rpm']
+package_classes = get_bb_var("OEQA_REPRODUCIBLE_TEST_PACKAGE")
+if package_classes:
+package_classes = package_classes.split()
+else:
+package_classes = ['deb', 'ipk', 'rpm']
 
 # Maximum report size, in bytes
 max_report_size = 250 * 1024 * 1024
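Review bot: `get_bb_var("OEQA_REPRODUCIBLE_TEST_PACKAGE")` sits in the class body of ReproducibleTests, so it is evaluated when reproducible.py is imported rather than when the test runs, which means a bitbake variable query during test discovery for every invocation that loads this module. Moving the lookup into a setup method or the test itself would avoid that. The value is also used unchecked: anything other than deb, ipk or rpm is accepted here and only fails later, so validating the split list against those three names and documenting the variable would help.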
-- 
2.34.1


View/Reply Online (#184518): https://lists.openembedded.org/g/openembedded-core/message/184518



[OE-core][kirkstone 13/27] selftest reproducible.py: support different build targets

2023-07-18 Thread Steve Sakoman
From: Mikko Rapeli 

Allow users to set different build reproducibility targets than
the defaults using OEQA_REPRODUCIBLE_TEST_TARGET and
OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS variables in local.conf.

Fixing all issues from "world" builds is not possible in some
complex build environments with lots of layers. Limiting the focus to
a smaller subset allows using this test to detect and fix build
reproduction issues incrementally.

Signed-off-by: Mikko Rapeli 
Signed-off-by: Alexandre Belloni 
(cherry picked from commit c66bebbce5995e386a1a4d055a914a39b6ee518d)
Signed-off-by: Steve Sakoman 
---
 meta/lib/oeqa/selftest/cases/reproducible.py | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/reproducible.py 
b/meta/lib/oeqa/selftest/cases/reproducible.py
index 2c9bc0bf90..98259ae515 100644
--- a/meta/lib/oeqa/selftest/cases/reproducible.py
+++ b/meta/lib/oeqa/selftest/cases/reproducible.py
@@ -132,9 +132,13 @@ class ReproducibleTests(OESelftestTestCase):
 max_report_size = 250 * 1024 * 1024
 
 # targets are the things we want to test the reproducibility of
-targets = ['core-image-minimal', 'core-image-sato', 
'core-image-full-cmdline', 'core-image-weston', 'world']
+targets = get_bb_var("OEQA_REPRODUCIBLE_TEST_TARGET")
+if targets:
+targets = targets.split()
+else:
+targets = ['core-image-minimal', 'core-image-sato', 
'core-image-full-cmdline', 'core-image-weston', 'world']
 # sstate targets are things to pull from sstate to potentially cut 
build/debugging time
-sstate_targets = []
+sstate_targets = (get_bb_var("OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS") or 
"").split()
 save_results = False
 if 'OEQA_DEBUGGING_SAVED_OUTPUT' in os.environ:
 save_results = os.environ['OEQA_DEBUGGING_SAVED_OUTPUT']
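Review bot: The two new settings are read with two different idioms on adjacent lines: `targets` uses an if/else around `.split()`, while `sstate_targets` uses `(get_bb_var(...) or "").split()`. Pick one; the second is shorter, and `targets` can follow it with `or` on the default list. Note also that `save_results` just below is taken from `os.environ` while these two come from bitbake variables, so the commit message's "in local.conf" is the only place a user learns which mechanism applies to which knob; a comment above the assignments would make that explicit.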
-- 
2.34.1


View/Reply Online (#184517): https://lists.openembedded.org/g/openembedded-core/message/184517



[OE-core][kirkstone 12/27] vim: upgrade 9.0.1527 -> 9.0.1592

2023-07-18 Thread Steve Sakoman
From: Trevor Gamblin 

Fixes:

https://nvd.nist.gov/vuln/detail/CVE-2023-2609
d1ae836 patch 9.0.1531: crash when register contents ends up being invalid
https://nvd.nist.gov/vuln/detail/CVE-2023-2610
ab9a2d8 patch 9.0.1532: crash when expanding "~" in substitute causes very long text

Signed-off-by: Trevor Gamblin 
Signed-off-by: Alexandre Belloni 
Signed-off-by: Richard Purdie 
(cherry picked from commit 1e4b4dfb4145bc00eb6937b5f54a41170e9a5b4c)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index e1d2563316..33ae0d8079 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
"
 
-PV .= ".1527"
-SRCREV = "c28e7a2b2f23dbd246a1ad7ad7aaa6f7ab2e5887"
+PV .= ".1592"
+SRCREV = "29b4c513b11deb37f0e0538df53d195f602fa42c"
 
 # Remove when 8.3 is out
 UPSTREAM_VERSION_UNKNOWN = "1"
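Review bot: The trailing context still reads `# Remove when 8.3 is out` above `UPSTREAM_VERSION_UNKNOWN = "1"` while the recipe is on the 9.0 series; the comment is stale and should be updated, or removed together with the setting, in a follow-up. For the bump itself, the message ties CVE-2023-2609 and CVE-2023-2610 to patches 9.0.1531 and 9.0.1532, both below the new `.1592`, which gives the traceability a stable-branch reviewer needs.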
-- 
2.34.1


View/Reply Online (#184516): https://lists.openembedded.org/g/openembedded-core/message/184516



[OE-core][kirkstone 11/27] wireless-regdb: upgrade 2023.02.13 -> 2023.05.03

2023-07-18 Thread Steve Sakoman
From: Alexander Kanavin 

Signed-off-by: Alexander Kanavin 
Signed-off-by: Richard Purdie 
(cherry picked from commit 47438402fa430499864a4b1f1a13eaac66aa21c0)
Signed-off-by: Steve Sakoman 
---
 ...ireless-regdb_2023.02.13.bb => wireless-regdb_2023.05.03.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.02.13.bb => 
wireless-regdb_2023.05.03.bb} (94%)

diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb 
b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb
similarity index 94%
rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb
rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb
index ce60154f1e..cd3f52fc76 100644
--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.02.13.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
 
 SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz";
-SRC_URI[sha256sum] = 
"fe81e8a8694dc4753a45087a1c4c7e1b48dee5a59f5f796ce374ea550f0b2e73"
+SRC_URI[sha256sum] = 
"f254d08ab3765aeae2b856222e11a95d44aef519a6663877c71ef68fae4c8c12"
 
 inherit bin_package allarch
 
-- 
2.34.1


View/Reply Online (#184515): https://lists.openembedded.org/g/openembedded-core/message/184515



[OE-core][kirkstone 10/27] linux-firmware: upgrade 20230404 -> 20230515

2023-07-18 Thread Steve Sakoman
From: Alexander Kanavin 

License-Update: additional firmwares

Signed-off-by: Alexander Kanavin 
Signed-off-by: Richard Purdie 
(cherry picked from commit 64603f602d00999220fe5bafeed996ddcb56d36b)
Signed-off-by: Steve Sakoman 
---
 ...{linux-firmware_20230404.bb => linux-firmware_20230515.bb} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230404.bb => 
linux-firmware_20230515.bb} (99%)

diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb 
b/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
similarity index 99%
rename from meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
rename to meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
index 7412c022ba..3470131294 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20230515.bb
@@ -134,7 +134,7 @@ LIC_FILES_CHKSUM = 
"file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
 "
 # WHENCE checksum is defined separately to ease overriding it if
 # class-devupstream is selected.
-WHENCE_CHKSUM  = "0782deea054d4b1b7f10c92c3a245da4"
+WHENCE_CHKSUM  = "a0997fc7a9af4e46d96529d6ef13b58a"
 
 # These are not common licenses, set NO_GENERIC_LICENSE for them
 # so that the license files will be copied from fetched source
@@ -212,7 +212,7 @@ SRC_URI:class-devupstream = 
"git://git.kernel.org/pub/scm/linux/kernel/git/firmw
 # Pin this to the 20220509 release, override this in local.conf
 SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
 
-SRC_URI[sha256sum] = 
"c3f9ad2bb5311cce2490f37a8052f836703d6936aabd840246b6576f1f71f607"
+SRC_URI[sha256sum] = 
"8b1acfa16f1ee94732a6acb50d9d6c835cf53af11068bd89ed207bbe04a1e951"
 
 inherit allarch
 
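Review bot: The context just above the checksum change still says `# Pin this to the 20220509 release` with `SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"` unchanged, so after this upgrade the devupstream variant stays pinned, per that comment, to an older snapshot than the 20230515 tarball. Either move the pin along with the release or reword the comment so it is clear the lag is intended. The message's "License-Update: additional firmwares" would also be easier to audit if it named which WHENCE entries were added, since the only licence-related change visible in the recipe is the new WHENCE_CHKSUM value.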
-- 
2.34.1


View/Reply Online (#184514): https://lists.openembedded.org/g/openembedded-core/message/184514



[OE-core][kirkstone 09/27] wget: upgrade 1.21.3 -> 1.21.4

2023-07-18 Thread Steve Sakoman
From: Alexander Kanavin 

Stable version release

Noteworthy changes in release 1.21.4 (2023-05-11)

** Document --retry-on-host-error in help text

** Increase read buffer size to 64k. This should speed up downloads on gigabit
and faster connections

** Update deprecated option '--html-extension' to '--adjust-extension' in
documentation

** Update gnulib compatibility layer.
   Fixes HSTS test failures on i686. (Thanks to Andreas Enge for pointing it out)

License-Update: copyright years

Signed-off-by: Alexander Kanavin 
Signed-off-by: Richard Purdie 
(cherry picked from commit 67ec2d5bab891cb92af9ca32304a4927daf51ed0)
Signed-off-by: Steve Sakoman 
(cherry picked from commit 4e7ec4bef86c79b4221a800ace700c58ce033de1)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-extended/wget/wget.inc   | 2 +-
 meta/recipes-extended/wget/{wget_1.21.3.bb => wget_1.21.4.bb} | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-extended/wget/{wget_1.21.3.bb => wget_1.21.4.bb} (60%)

diff --git a/meta/recipes-extended/wget/wget.inc 
b/meta/recipes-extended/wget/wget.inc
index 58cb5ca73d..30abaff7b7 100644
--- a/meta/recipes-extended/wget/wget.inc
+++ b/meta/recipes-extended/wget/wget.inc
@@ -7,7 +7,7 @@ FTP sites"
 HOMEPAGE = "https://www.gnu.org/software/wget/";
 SECTION = "console/network"
 LICENSE = "GPL-3.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=c678957b0c8e964aa6c70fd77641a71e"
+LIC_FILES_CHKSUM = "file://COPYING;md5=6f65012d1daf98cb09b386cfb68df26b"
 
 inherit autotools gettext texinfo update-alternatives pkgconfig
 
diff --git a/meta/recipes-extended/wget/wget_1.21.3.bb 
b/meta/recipes-extended/wget/wget_1.21.4.bb
similarity index 60%
rename from meta/recipes-extended/wget/wget_1.21.3.bb
rename to meta/recipes-extended/wget/wget_1.21.4.bb
index f176a1546c..1d31b0116d 100644
--- a/meta/recipes-extended/wget/wget_1.21.3.bb
+++ b/meta/recipes-extended/wget/wget_1.21.4.bb
@@ -2,6 +2,6 @@ SRC_URI = "${GNU_MIRROR}/wget/wget-${PV}.tar.gz \
file://0002-improve-reproducibility.patch \
   "
 
-SRC_URI[sha256sum] = 
"5726bb8bc5ca0f6dc7110f6416e4bb7019e2d2ff5bf93d1ca2ffcc6656f220e5"
+SRC_URI[sha256sum] = 
"81542f5cefb8faacc39bbbc6c82ded80e3e4a88505ae72ea51df27525bcde04c"
 
 require wget.inc
-- 
2.34.1


View/Reply Online (#184513): https://lists.openembedded.org/g/openembedded-core/message/184513



[OE-core][kirkstone 08/27] serf: upgrade 1.3.9 -> 1.3.10

2023-07-18 Thread Steve Sakoman
From: Alexander Kanavin 

Apache Serf 1.3.10 [2023-05-31, from tags/1.3.10, r1910048]
  Support for OpenSSL 3 (r1901937, ...)
  Fix issue #171: Win32: Running tests fails with "no OPENSSL_Applink" error
  Fix issue #194: Win32: Linking error when building against OpenSSL 1.1+
  Fix issue #198: OpenSSL BIO control method incorrectly handles unknown requests
  Fix issue #202: SSL tests are not passing with OpenSSL 3
  Fix error handling when reading the outgoing request body (r1804534, ...)
  Fix handling of invalid chunk lengths in the dechunk bucket (r1804005, ...)
  Fix an endless loop in the deflate bucket with truncated input (r1805301)
  Fix BIO control handlers to support BIO_CTRL_EOF (r1902208)
  Fix a CRT mismatch issue caused by using certain OpenSSL functions (r1909252)
  Build changes to support VS2017, VS2019 and VS2022 (r1712131, ...)
  Build changes to support Python 3 (r1875933)

As serf is undead, we need to reassess all the remaining patches.

Signed-off-by: Alexander Kanavin 
Signed-off-by: Richard Purdie 
(cherry picked from commit 775cbcc876edcb6c339f342a3253f5afcf6ef163)
Signed-off-by: Steve Sakoman 
(cherry picked from commit 17a46eee905f0ecfdbebb014533848dc7e906ec7)
Signed-off-by: Steve Sakoman 
---
 ...print-in-the-scons-file-to-unbreak-b.patch | 29 ---
 ...sl_buckets.c-do-not-use-ERR_GET_FUNC.patch | 28 --
 ...11083-fix-building-with-scons-3.0.0-.patch | 29 ---
 ...ories.without.sandbox-install.prefix.patch |  2 +-
 .../serf/{serf_1.3.9.bb => serf_1.3.10.bb}|  6 +---
 5 files changed, 2 insertions(+), 92 deletions(-)
 delete mode 100644 
meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
 delete mode 100644 
meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch
 delete mode 100644 
meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building-with-scons-3.0.0-.patch
 rename meta/recipes-support/serf/{serf_1.3.9.bb => serf_1.3.10.bb} (78%)

diff --git 
a/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
 
b/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
deleted file mode 100644
index 4a5832ac1a..00
--- 
a/meta/recipes-support/serf/serf/0001-Fix-syntax-of-a-print-in-the-scons-file-to-unbreak-b.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 99f6e1b0d68281b63218d6adfe68cd9e331ac5be Mon Sep 17 00:00:00 2001
-From: Khem Raj 
-Date: Mon, 3 Sep 2018 10:50:08 -0700
-Subject: [PATCH] Fix syntax of a print() in the scons file to unbreak building
- with most recent scons version.
-
-* SConstruct Use Python 3.0 valid syntax to make Scons 3.0.0 happy on both 
python
-  3.0 and 2.7.
-
-Upstream-Status: Backport
-[https://svn.apache.org/viewvc/serf/trunk/SConstruct?r1=1809132&r2=1811083&diff_format=h]
-Signed-off-by: Khem Raj 

- SConstruct | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/SConstruct b/SConstruct
-index 1670459..18a45fa 100644
 a/SConstruct
-+++ b/SConstruct
-@@ -184,7 +184,7 @@ CALLOUT_OKAY = not (env.GetOption('clean') or 
env.GetOption('help'))
- 
- unknown = opts.UnknownVariables()
- if unknown:
--  print 'Warning: Used unknown variables:', ', '.join(unknown.keys())
-+  print('Warning: Used unknown variables:', ', '.join(unknown.keys()))
- 
- apr = str(env['APR'])
- apu = str(env['APU'])
diff --git 
a/meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch
 
b/meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch
deleted file mode 100644
index 91ccc8a474..00
--- 
a/meta/recipes-support/serf/serf/0001-buckets-ssl_buckets.c-do-not-use-ERR_GET_FUNC.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 2f45711a66ff99886b6e4a5708e2db01a63e5af4 Mon Sep 17 00:00:00 2001
-From: Alexander Kanavin 
-Date: Fri, 10 Sep 2021 11:05:10 +0200
-Subject: [PATCH] buckets/ssl_buckets.c: do not use ERR_GET_FUNC
-
-Upstream removed it in
-https://github.com/openssl/openssl/pull/16004
-
-Upstream-Status: Inactive-Upstream [lastrelease: 2015, lastcommit: 2019]
-Signed-off-by: Alexander Kanavin 

- buckets/ssl_buckets.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/buckets/ssl_buckets.c b/buckets/ssl_buckets.c
-index b01e535..9801f87 100644
 a/buckets/ssl_buckets.c
-+++ b/buckets/ssl_buckets.c
-@@ -1325,8 +1325,7 @@ static int ssl_need_client_cert(SSL *ssl, X509 **cert, 
EVP_PKEY **pkey)
- return 0;
- }
- else {
--printf("OpenSSL cert error: %d %d %d\n", ERR_GET_LIB(err),
--   ERR_GET_FUNC(err),
-+printf("OpenSSL cert error: %d %d\n", ERR_GET_LIB(err),
-ERR_GET_REASON(err));
- PKCS12_free(p12);
- bio_meth_free(biom);
diff --git 
a/meta/recipes-support/serf/serf/0004-Follow-up-to-r1811083-fix-building

[OE-core][kirkstone 07/27] tzdata: upgrade to 2023c

2023-07-18 Thread Steve Sakoman
From: Ross Burton 

Drop a backport patch as it is now integrated.

Signed-off-by: Ross Burton 
Signed-off-by: Alexandre Belloni 
(cherry picked from commit 80d26d1da47dcd9213a7083d9493a7bce0897a57)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../timezone/tzcode-native.bb |   2 -
 ...0001-Fix-C23-related-conformance-bug.patch | 301 --
 3 files changed, 3 insertions(+), 306 deletions(-)
 delete mode 100644 
meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch

diff --git a/meta/recipes-extended/timezone/timezone.inc 
b/meta/recipes-extended/timezone/timezone.inc
index eec7177228..14a1ce18f3 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
 LICENSE = "PD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
-PV = "2022g"
+PV = "2023c"
 
 SRC_URI =" 
http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz
 \

http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz
 \
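Review bot: the SRC_URI context lines in this hunk still fetch tzcode${PV}.tar.gz and tzdata${PV}.tar.gz over plain http://www.iana.org, so the only integrity control on the new 2023c tarballs is the pair of SRC_URI[tzcode.sha256sum] / SRC_URI[tzdata.sha256sum] values updated in the following hunk. Please confirm those two hashes were checked against the upstream release rather than taken from whatever the fetch returned, and consider moving both URLs (and UPSTREAM_CHECK_URI) to https:// as a follow-up on master.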
@@ -16,5 +16,5 @@ S = "${WORKDIR}/tz"
 
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones";
 
-SRC_URI[tzcode.sha256sum] = 
"9610bb0b9656ff404c361a41f3286da53064b5469d84f00c9cb2314c8614da74"
-SRC_URI[tzdata.sha256sum] = 
"4491db8281ae94a84d939e427bdd83dc389f26764d27d9a5c52d782c16764478"
+SRC_URI[tzcode.sha256sum] = 
"46d17f2bb19ad73290f03a203006152e0fa0d7b11e5b71467c4a823811b214e7"
+SRC_URI[tzdata.sha256sum] = 
"3f510b5d1b4ae9bb38e485aa302a776b317fb3637bdb6404c4adf7b6cadd965c"
diff --git a/meta/recipes-extended/timezone/tzcode-native.bb 
b/meta/recipes-extended/timezone/tzcode-native.bb
index 6d52b3c422..d0b23a9d80 100644
--- a/meta/recipes-extended/timezone/tzcode-native.bb
+++ b/meta/recipes-extended/timezone/tzcode-native.bb
@@ -2,8 +2,6 @@ require timezone.inc
 
 SUMMARY = "tzcode, timezone zoneinfo utils -- zic, zdump, tzselect"
 
-SRC_URI += "file://0001-Fix-C23-related-conformance-bug.patch"
-
 inherit native
 
 EXTRA_OEMAKE += "cc='${CC}'"
diff --git 
a/meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch
 
b/meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch
deleted file mode 100644
index c91ef93e95..00
--- 
a/meta/recipes-extended/timezone/tzcode/0001-Fix-C23-related-conformance-bug.patch
+++ /dev/null
@@ -1,301 +0,0 @@
-From 509c5974398952618abdd17f39117b88e3f50057 Mon Sep 17 00:00:00 2001
-From: Paul Eggert 
-Date: Thu, 1 Dec 2022 10:28:04 -0800
-Subject: [PATCH] Fix C23-related conformance bug
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Problem reported by Houge Langley for ‘gcc -std=gnu99’ in:
-https://bugs.gentoo.org/show_bug.cgi?id=883719
-* NEWS: Mention this.
-* date.c, localtime.c, private.h, zdump.c, zic.c:
-Use ATTRIBUTE_* at the start of function declarations,
-not later (such as after the keyword ‘static’).
-This is required for strict conformance to C23.
-
-Upstream-Status: Backport 
[https://github.com/eggert/tz/commit/9cfe9507fcc22cd4a0c4da486ea1c7f0de6b075f]
-
-NEWS change skipped to avoid conflicts.
-
-Signed-off-by: Martin Jansa 

- date.c  |  2 +-
- localtime.c |  4 ++--
- private.h   |  6 +++---
- zdump.c | 12 ++--
- zic.c   | 34 +-
- 5 files changed, 29 insertions(+), 29 deletions(-)
-
-diff --git a/date.c b/date.c
-index 11c5e5fe..97df6ab0 100644
 a/date.c
-+++ b/date.c
-@@ -42,7 +42,7 @@ static void  display(const char *, time_t);
- static void   dogmt(void);
- static void   errensure(void);
- static void   timeout(FILE *, const char *, const struct tm *);
--static ATTRIBUTE_NORETURN void usage(void);
-+ATTRIBUTE_NORETURN static void usage(void);
- 
- int
- main(const int argc, char *argv[])
-diff --git a/localtime.c b/localtime.c
-index 1d22d351..3bf1b911 100644
 a/localtime.c
-+++ b/localtime.c
-@@ -838,7 +838,7 @@ is_digit(char c)
- ** Return a pointer to that character.
- */
- 
--static ATTRIBUTE_REPRODUCIBLE const char *
-+ATTRIBUTE_REPRODUCIBLE static const char *
- getzname(register const char *strp)
- {
-   register char   c;
-@@ -859,7 +859,7 @@ getzname(register const char *strp)
- ** We don't do any checking here; checking is done later in common-case code.
- */
- 
--static ATTRIBUTE_REPRODUCIBLE const char *
-+ATTRIBUTE_REPRODUCIBLE static const char *
- getqzname(register const char *strp, const int delim)
- {
-   register intc;
-diff --git a/private.h b/private.h
-index 7a73eff7..ae522986 100644
 a/private.h
-+++ b/private.h
-@@ -628,7 +628,7 @@ char *asctime(struct tm const *);
- char *asctime_r(struct tm const *restrict, char *restrict);
- char *ctime(time_t const *);
- char *ctime_r(time_t const *, char *);
--double difftime(time_t, time_t) ATTRIBUTE_UN

[OE-core][kirkstone 06/27] libwebp: Fix CVE-2023-1999

2023-07-18 Thread Steve Sakoman
From: Soumya 

There exists a use after free/double free in libwebp. An attacker can
use the ApplyFiltersAndEncode() function and loop through to free
best.bw and assign best = trial pointer. The second loop will then
return 0 because of an Out of memory error in VP8 encoder, the pointer
is still assigned to trial and the AddressSanitizer will attempt a double free.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-1999

Upstream patch:
https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129

Signed-off-by: Soumya 
Signed-off-by: Steve Sakoman 
---
 .../webp/files/CVE-2023-1999.patch| 60 +++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |  4 +-
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-1999.patch

diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch 
b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
new file mode 100644
index 00..895d01ea7d
--- /dev/null
+++ b/meta/recipes-multimedia/webp/files/CVE-2023-1999.patch
@@ -0,0 +1,60 @@
+From a486d800b60d0af4cc0836bf7ed8f21e12974129 Mon Sep 17 00:00:00 2001
+From: James Zern 
+Date: Wed, 22 Feb 2023 22:15:47 -0800
+Subject: [PATCH] EncodeAlphaInternal: clear result->bw on error
+
+This avoids a double free should the function fail prior to
+VP8BitWriterInit() and a previous trial result's buffer carried over.
+Previously in ApplyFiltersAndEncode() trial.bw (with a previous
+iteration's buffer) would be freed, followed by best.bw pointing to the
+same buffer.
+
+Since:
+187d379d add a fallback to ALPHA_NO_COMPRESSION
+
+In addition, check the return value of VP8BitWriterInit() in this
+function.
+
+Bug: webp:603
+Change-Id: Ic258381ee26c8c16bc211d157c8153831c8c6910
+
+CVE: CVE-2023-1999
+
+Upstream-Status: Backport 
[https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129]
+
+Signed-off-by: Soumya 
+---
+ src/enc/alpha_enc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/enc/alpha_enc.c b/src/enc/alpha_enc.c
+index f7c0269..7d20558 100644
+--- a/src/enc/alpha_enc.c
 b/src/enc/alpha_enc.c
+@@ -13,6 +13,7 @@
+
+ #include 
+ #include 
++#include 
+
+ #include "src/enc/vp8i_enc.h"
+ #include "src/dsp/dsp.h"
+@@ -148,6 +149,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, 
int width, int height,
+   }
+ } else {
+   VP8LBitWriterWipeOut(&tmp_bw);
++  memset(&result->bw, 0, sizeof(result->bw));
+   return 0;
+ }
+   }
+@@ -162,7 +164,7 @@ static int EncodeAlphaInternal(const uint8_t* const data, 
int width, int height,
+   header = method | (filter << 2);
+   if (reduce_levels) header |= ALPHA_PREPROCESSED_LEVELS << 4;
+
+-  VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size);
++  if (!VP8BitWriterInit(&result->bw, ALPHA_HEADER_LEN + output_size)) ok = 0;
+   ok = ok && VP8BitWriterAppend(&result->bw, &header, ALPHA_HEADER_LEN);
+   ok = ok && VP8BitWriterAppend(&result->bw, output, output_size);
+
+--
+2.40.0
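Review bot: in the last alpha_enc.c hunk a failed VP8BitWriterInit() now only sets ok = 0, whereas the earlier error return clears the writer explicitly with memset(&result->bw, 0, sizeof(result->bw)). Both VP8BitWriterAppend() calls are skipped through "ok = ok && ...", but the rest of the function is not visible here, so please confirm against the 1.2.4 source that this failure exit leaves result->bw in a state ApplyFiltersAndEncode() can free without repeating the double free the commit message describes.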
diff --git a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb 
b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
index 263589846a..5d868b3b96 100644
--- a/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
+++ b/meta/recipes-multimedia/webp/libwebp_1.2.4.bb
@@ -13,7 +13,9 @@ LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \
 file://PATENTS;md5=c6926d0cb07d296f886ab6e0cc5a85b7"
 
-SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz";
+SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \
+   file://CVE-2023-1999.patch \
+   "
 SRC_URI[sha256sum] = 
"7bf5a8a28cc69bcfa8cb214f2c3095703c6b73ac5fba4d5480c205331d9494df"
 
 UPSTREAM_CHECK_URI = 
"http://downloads.webmproject.org/releases/webp/index.html";
-- 
2.34.1


View/Reply Online (#184510): https://lists.openembedded.org/g/openembedded-core/message/184510



[OE-core][kirkstone 05/27] curl: Added CVE-2023-28320 Follow-up patch

2023-07-18 Thread Steve Sakoman
From: Vivek Kumbhar 

Introduced by: 
https://github.com/curl/curl/commit/3c49b405de4fbf1fd7127f91908261268640e54f 
(curl-7_9_8)
Fixed by: 
https://github.com/curl/curl/commit/13718030ad4b3209a7583b4f27f683cd3a6fa5f2 
(curl-8_1_0)
Follow-up: 
https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3 
(curl-8_1_0)

Signed-off-by: Vivek Kumbhar 
Signed-off-by: Steve Sakoman 
---
 .../curl/curl/CVE-2023-28320-fol1.patch   | 197 ++
 meta/recipes-support/curl/curl_7.82.0.bb  |   1 +
 2 files changed, 198 insertions(+)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch

diff --git a/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch 
b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
new file mode 100644
index 00..2ba749
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2023-28320-fol1.patch
@@ -0,0 +1,197 @@
+From f446258f0269a62289cca0210157cb8558d0edc3 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg 
+Date: Tue, 16 May 2023 23:40:42 +0200
+Subject: [PATCH] hostip: include easy_lock.h before using
+ GLOBAL_INIT_IS_THREADSAFE
+
+Since that header file is the only place that define can be defined.
+
+Reported-by: Marc Deslauriers
+
+Follow-up to 13718030ad4b3209
+
+Closes #11121
+
+Upstream-Status: Backport 
[https://github.com/curl/curl/commit/f446258f0269a62289cca0210157cb8558d0edc3]
+CVE: CVE-2023-28320
+Signed-off-by: Vivek Kumbhar 
+---
+ lib/easy_lock.h | 109 
+ lib/hostip.c|  10 ++---
+ lib/hostip.h|   9 
+ 3 files changed, 113 insertions(+), 15 deletions(-)
+ create mode 100644 lib/easy_lock.h
+
+diff --git a/lib/easy_lock.h b/lib/easy_lock.h
+new file mode 100644
+index 000..6399a39
+--- /dev/null
 b/lib/easy_lock.h
+@@ -0,0 +1,109 @@
++#ifndef HEADER_CURL_EASY_LOCK_H
++#define HEADER_CURL_EASY_LOCK_H
++/***
++ *  _   _   _
++ *  Project ___| | | |  _ \| |
++ * / __| | | | |_) | |
++ *| (__| |_| |  _ <| |___
++ * \___|\___/|_| \_\_|
++ *
++ * Copyright (C) Daniel Stenberg, , et al.
++ *
++ * This software is licensed as described in the file COPYING, which
++ * you should have received as part of this distribution. The terms
++ * are also available at https://curl.se/docs/copyright.html.
++ *
++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
++ * copies of the Software, and permit persons to whom the Software is
++ * furnished to do so, under the terms of the COPYING file.
++ *
++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
++ * KIND, either express or implied.
++ *
++ * SPDX-License-Identifier: curl
++ *
++ ***/
++
++#include "curl_setup.h"
++
++#define GLOBAL_INIT_IS_THREADSAFE
++
++#if defined(_WIN32_WINNT) && _WIN32_WINNT >= 0x600
++
++#ifdef __MINGW32__
++#ifndef __MINGW64_VERSION_MAJOR
++#if (__MINGW32_MAJOR_VERSION < 5) || \
++(__MINGW32_MAJOR_VERSION == 5 && __MINGW32_MINOR_VERSION == 0)
++/* mingw >= 5.0.1 defines SRWLOCK, and slightly different from MS define */
++typedef PVOID SRWLOCK, *PSRWLOCK;
++#endif
++#endif
++#ifndef SRWLOCK_INIT
++#define SRWLOCK_INIT NULL
++#endif
++#endif /* __MINGW32__ */
++
++#define curl_simple_lock SRWLOCK
++#define CURL_SIMPLE_LOCK_INIT SRWLOCK_INIT
++
++#define curl_simple_lock_lock(m) AcquireSRWLockExclusive(m)
++#define curl_simple_lock_unlock(m) ReleaseSRWLockExclusive(m)
++
++#elif defined(HAVE_ATOMIC) && defined(HAVE_STDATOMIC_H)
++#include 
++#if defined(HAVE_SCHED_YIELD)
++#include 
++#endif
++
++#define curl_simple_lock atomic_int
++#define CURL_SIMPLE_LOCK_INIT 0
++
++/* a clang-thing */
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++#ifndef __INTEL_COMPILER
++/* The Intel compiler tries to look like GCC *and* clang *and* lies in its
++   __has_builtin() function, so override it. */
++
++/* if GCC on i386/x86_64 or if the built-in is present */
++#if ( (defined(__GNUC__) && !defined(__clang__)) && \
++  (defined(__i386__) || defined(__x86_64__))) ||\
++  __has_builtin(__builtin_ia32_pause)
++#define HAVE_BUILTIN_IA32_PAUSE
++#endif
++
++#endif
++
++static inline void curl_simple_lock_lock(curl_simple_lock *lock)
++{
++  for(;;) {
++if(!atomic_exchange_explicit(lock, true, memory_order_acquire))
++  break;
++/* Reduce cache coherency traffic */
++while(atomic_load_explicit(lock, memory_order_relaxed)) {
++  /* Reduce load (not mandatory) */
++#ifdef HAVE_BUILTIN_IA32_PAUSE
++  __builtin_ia32_pause();
++#elif defined(__aarch64__)
++  __asm__ volatile("yield" ::: "memory");
++#elif defined(HAVE_SCHED_YIELD)
++  sched_yield();
++#endif
++}
++  }
++}
++
++static inline void curl_
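Review bot: the upstream subject is "hostip: include easy_lock.h before using GLOBAL_INIT_IS_THREADSAFE", yet this backport creates lib/easy_lock.h as a new 109-line file, and neither the outer commit message nor the patch header says why curl 7.82.0 needs the whole header added. Please document that deviation from the upstream commit in the patch header. Also, GLOBAL_INIT_IS_THREADSAFE is defined unconditionally near the top, before the _WIN32_WINNT and HAVE_ATOMIC branches; the listing is cut off before the end of the file, so check that the fallback branch undefines it, otherwise code keyed on that macro would assume a lock implementation that is not there.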

[OE-core][kirkstone 04/27] libx11: Fix CVE-2023-3138 for kirkstone branch

2023-07-18 Thread Steve Sakoman
From: Poonam Jadhav 

Add patch to fix CVE-2023-3138 for kirkstone branch

Link: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch

Signed-off-by: Poonam Jadhav 
Signed-off-by: Steve Sakoman 
---
 .../xorg-lib/libx11/CVE-2023-3138.patch   | 111 ++
 .../xorg-lib/libx11_1.7.3.1.bb|   1 +
 2 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch

diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch 
b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
new file mode 100644
index 00..c724cf8fdd
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2023-3138.patch
@@ -0,0 +1,111 @@
+From 304a654a0d57bf0f00d8998185f0360332cfa36c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith 
+Date: Sat, 10 Jun 2023 16:30:07 -0700
+Subject: [PATCH] InitExt.c: Add bounds checks for extension request, event, &
+ error codes
+
+Fixes CVE-2023-3138: X servers could return values from XQueryExtension
+that would cause Xlib to write entries out-of-bounds of the arrays to
+store them, though this would only overwrite other parts of the Display
+struct, not outside the bounds allocated for that structure.
+
+Reported-by: Gregory James DUCK 
+Signed-off-by: Alan Coopersmith 
+
+CVE: CVE-2023-3138
+Upstream-Status: Backport 
[https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c.patch]
+Signed-off-by: Poonam Jadhav 
+---
+ src/InitExt.c | 42 ++
+ 1 file changed, 42 insertions(+)
+
+diff --git a/src/InitExt.c b/src/InitExt.c
+index 4de46f15..afc00a6b 100644
+--- a/src/InitExt.c
 b/src/InitExt.c
+@@ -33,6 +33,18 @@ from The Open Group.
+ #include 
+ #include 
+ 
++/* The X11 protocol spec reserves events 64 through 127 for extensions */
++#ifndef LastExtensionEvent
++#define LastExtensionEvent 127
++#endif
++
++/* The X11 protocol spec reserves requests 128 through 255 for extensions */
++#ifndef LastExtensionRequest
++#define FirstExtensionRequest 128
++#define LastExtensionRequest 255
++#endif
++
++
+ /*
+  * This routine is used to link a extension in so it will be called
+  * at appropriate times.
+@@ -242,6 +254,12 @@ WireToEventType XESetWireToEvent(
+   WireToEventType proc)   /* routine to call when converting event */
+ {
+   register WireToEventType oldproc;
++  if (event_number < 0 ||
++  event_number > LastExtensionEvent) {
++  fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++  event_number);
++  return (WireToEventType)_XUnknownWireEvent;
++  }
+   if (proc == NULL) proc = (WireToEventType)_XUnknownWireEvent;
+   LockDisplay (dpy);
+   oldproc = dpy->event_vec[event_number];
+@@ -263,6 +281,12 @@ WireToEventCookieType XESetWireToEventCookie(
+ )
+ {
+   WireToEventCookieType oldproc;
++  if (extension < FirstExtensionRequest ||
++  extension > LastExtensionRequest) {
++  fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++  extension);
++  return (WireToEventCookieType)_XUnknownWireEventCookie;
++  }
+   if (proc == NULL) proc = 
(WireToEventCookieType)_XUnknownWireEventCookie;
+   LockDisplay (dpy);
+   oldproc = dpy->generic_event_vec[extension & 0x7F];
+@@ -284,6 +308,12 @@ CopyEventCookieType XESetCopyEventCookie(
+ )
+ {
+   CopyEventCookieType oldproc;
++  if (extension < FirstExtensionRequest ||
++  extension > LastExtensionRequest) {
++  fprintf(stderr, "Xlib: ignoring invalid extension opcode %d\n",
++  extension);
++  return (CopyEventCookieType)_XUnknownCopyEventCookie;
++  }
+   if (proc == NULL) proc = (CopyEventCookieType)_XUnknownCopyEventCookie;
+   LockDisplay (dpy);
+   oldproc = dpy->generic_event_copy_vec[extension & 0x7F];
+@@ -305,6 +335,12 @@ EventToWireType XESetEventToWire(
+   EventToWireType proc)   /* routine to call when converting event */
+ {
+   register EventToWireType oldproc;
++  if (event_number < 0 ||
++  event_number > LastExtensionEvent) {
++  fprintf(stderr, "Xlib: ignoring invalid extension event %d\n",
++  event_number);
++  return (EventToWireType)_XUnknownNativeEvent;
++  }
+   if (proc == NULL) proc = (EventToWireType) _XUnknownNativeEvent;
+   LockDisplay (dpy);
+   oldproc = dpy->wire_vec[event_number];
+@@ -325,6 +361,12 @@ WireToErrorType XESetWireToError(
+   WireToErrorType proc)   /* routine to call when converting error */
+ {
+   register WireToErrorType oldproc = NULL;
++  if (error_number < 0 ||
++  error_number > LastExtensionError) {
++ fprintf(stderr, "Xlib: ignoring invalid extension error %d\n",
++  error_number);
++ return (WireToErrorType)_XDefaultW
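Review bot: the XESetWireToError() check compares error_number against LastExtensionError, but the block of defines added at the top of InitExt.c only supplies LastExtensionEvent, FirstExtensionRequest and LastExtensionRequest. Please confirm that LastExtensionError comes from a header libx11 1.7.3.1 already includes, since nothing in the visible part of the patch defines it. A smaller point, better raised upstream than changed in the backport: FirstExtensionRequest is defined only inside "#ifndef LastExtensionRequest", so a build where another header defines LastExtensionRequest alone would leave FirstExtensionRequest undefined.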

[OE-core][kirkstone 03/27] bind : fix CVE-2023-2828 & CVE-2023-2911

2023-07-18 Thread Steve Sakoman
From: Hitendra Prajapati 

Backport fixes for:
* CVE-2023-2828 - Upstream-Status: Backport from 
https://gitlab.isc.org/isc-projects/bind9/-/commit/e9d5219fca9f6b819d953990b369d6acfb4e952b
* CVE-2023-2911 - Upstream-Status: Backport from 
https://gitlab.isc.org/isc-projects/bind9/-/commit/240caa32b9cab90a38ab863fd64e6becf5d1393c
 && 
https://gitlab.isc.org/isc-projects/bind9/-/commit/ff5bacf17c2451e9d48c78a5ef96ec0c376ff33d

Signed-off-by: Hitendra Prajapati 
Signed-off-by: Steve Sakoman 
---
 .../bind/bind-9.18.11/CVE-2023-2828.patch | 197 ++
 .../bind/bind-9.18.11/CVE-2023-2911.patch |  97 +
 .../recipes-connectivity/bind/bind_9.18.11.bb |   2 +
 3 files changed, 296 insertions(+)
 create mode 100644 
meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch
 create mode 100644 
meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2911.patch

diff --git a/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch 
b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch
new file mode 100644
index 00..ef2d64b16c
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.18.11/CVE-2023-2828.patch
@@ -0,0 +1,197 @@
+From e9d5219fca9f6b819d953990b369d6acfb4e952b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= 
+Date: Tue, 30 May 2023 08:46:17 +0200
+Subject: [PATCH] Improve RBT overmem cache cleaning
+
+When cache memory usage is over the configured cache size (overmem) and
+we are cleaning unused entries, it might not be enough to clean just two
+entries if the entries to be expired are smaller than the newly added
+rdata.  This could be abused by an attacker to cause a remote Denial of
+Service by possibly running out of the operating system memory.
+
+Currently, the addrdataset() tries to do a single TTL-based cleaning
+considering the serve-stale TTL and then optionally moves to overmem
+cleaning if we are in that condition.  Then the overmem_purge() tries to
+do another single TTL based cleaning from the TTL heap and then continue
+with LRU-based cleaning up to 2 entries cleaned.
+
+Squash the TTL-cleaning mechanism into single call from addrdataset(),
+but ignore the serve-stale TTL if we are currently overmem.
+
+Then instead of having a fixed number of entries to clean, pass the size
+of newly added rdatasetheader to the overmem_purge() function and
+cleanup at least the size of the newly added data.  This prevents the
+cache going over the configured memory limit (`max-cache-size`).
+
+Additionally, refactor the overmem_purge() function to reduce for-loop
+nesting for readability.
+
+Patch taken from : 
https://downloads.isc.org/isc/bind9/9.18.16/patches/0001-CVE-2023-2828.patch
+
+Upstream-Status: Backport 
[https://gitlab.isc.org/isc-projects/bind9/-/commit/e9d5219fca9f6b819d953990b369d6acfb4e952b]
+CVE: CVE-2023-2828
+Signed-off-by: Hitendra Prajapati 
+---
+ lib/dns/rbtdb.c | 106 +---
+ 1 file changed, 65 insertions(+), 41 deletions(-)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index d1aee54..ba60a49 100644
+--- a/lib/dns/rbtdb.c
 b/lib/dns/rbtdb.c
+@@ -561,7 +561,7 @@ static void
+ expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, bool tree_locked,
+ expire_t reason);
+ static void
+-overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, isc_stdtime_t 
now,
++overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start, size_t 
purgesize,
+ bool tree_locked);
+ static void
+ resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader);
+@@ -6787,6 +6787,16 @@ cleanup:
+ 
+ static dns_dbmethods_t zone_methods;
+ 
++static size_t
++rdataset_size(rdatasetheader_t *header) {
++  if (!NONEXISTENT(header)) {
++  return (dns_rdataslab_size((unsigned char *)header,
++ sizeof(*header)));
++  }
++
++  return (sizeof(*header));
++}
++
+ static isc_result_t
+ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+   isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+@@ -6951,7 +6961,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, 
dns_dbversion_t *version,
+   }
+ 
+   if (cache_is_overmem) {
+-  overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
++  overmem_purge(rbtdb, rbtnode->locknum, rdataset_size(newheader),
++tree_locked);
+   }
+ 
+   NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
+@@ -6970,11 +6981,18 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, 
dns_dbversion_t *version,
+   }
+ 
+   header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+-  if (header != NULL &&
+-  header->rdh_ttl + STALE_TTL(header, rbtdb) <
+-  now - RBTDB_VIRTUAL)
+-  {
+-  expire_header(rbtdb, header, tree_locked, expire_ttl);
++   
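Review bot: the header says the patch was taken from the 9.18.16 patch set on downloads.isc.org while it is installed under bind-9.18.11/; please state in the header whether it applied to 9.18.11 unmodified or had to be rebased, because "Upstream-Status: Backport" alone does not tell a later maintainer. The prototype change also replaces the "isc_stdtime_t now" argument of overmem_purge() with "size_t purgesize". Both are integer types, so a caller that was missed would still compile and would pass a timestamp as a purge size; confirm that the addrdataset() call updated here is the only caller in 9.18.11.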

[OE-core][kirkstone 02/27] sqlite3: CVE-2023-36191 CLI fault on missing -nonce

2023-07-18 Thread Steve Sakoman
From: Vijay Anusuri 

Upstream-Status: Backport [https://sqlite.org/src/info/cd24178bbaad4a1d]

Signed-off-by: Vijay Anusuri 
Signed-off-by: Steve Sakoman 
---
 .../sqlite/files/CVE-2023-36191.patch | 37 +++
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2023-36191.patch

diff --git a/meta/recipes-support/sqlite/files/CVE-2023-36191.patch 
b/meta/recipes-support/sqlite/files/CVE-2023-36191.patch
new file mode 100644
index 00..aca79c334a
--- /dev/null
+++ b/meta/recipes-support/sqlite/files/CVE-2023-36191.patch
@@ -0,0 +1,37 @@
+From 4e8a0eb4e773b808d9e9697af94319599777169a Mon Sep 17 00:00:00 2001
+From: larrybr 
+Date: Fri, 2 Jun 2023 12:56:32 +
+Subject: [PATCH] Fix CLI fault on missing -nonce reported by 
[forum:/info/f8c14a1134|forum post f8c14a1134].
+
+FossilOrigin-Name: 
cd24178bbaad4a1dafc3848e7d74240f90030160b5c43c93e1e0e11b073c2df5
+
+Upstream-Status: Backport [https://sqlite.org/src/info/cd24178bbaad4a1d
+Upstream commit 
https://github.com/sqlite/sqlite/commit/4e8a0eb4e773b808d9e9697af94319599777169a]
+CVE: CVE-2023-36191
+Signed-off-by: Vijay Anusuri 
+---
+ shell.c | 8 ++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/shell.c b/shell.c
+index 0200c0a..fa45d40 100644
+--- a/shell.c
 b/shell.c
+@@ -23163,8 +23163,12 @@ int SQLITE_CDECL wmain(int argc, wchar_t **wargv){
+ }else if( strcmp(z,"-bail")==0 ){
+   bail_on_error = 1;
+ }else if( strcmp(z,"-nonce")==0 ){
+-  free(data.zNonce);
+-  data.zNonce = strdup(argv[++i]);
++  if( data.zNonce ) free(data.zNonce);
++  if( i+1 < argc ) data.zNonce = strdup(argv[++i]);
++  else{
++data.zNonce = 0;
++break;
++  }
+ }else if( strcmp(z,"-safe")==0 ){
+   /* no-op - catch this on the second pass */
+ }
+-- 
+2.25.1
+
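Review bot: the Upstream-Status tag in the embedded header opens its bracket on one line and closes it two lines later, with a second "Upstream commit" URL inside. Keep one reference inside the brackets on a single line and move the GitHub URL to its own line in the description, so patch-status tooling can parse the tag. The outer commit message has no body either, so the CVE is named only in the subject. In the fix itself, a trailing -nonce with no value sets data.zNonce = 0 and breaks out of the option loop without any diagnostic; as a backport that should stay as upstream wrote it, but it is worth knowing when testing the patched CLI.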
diff --git a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb 
b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
index 313c15dff4..55cc514412 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.38.5.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = 
"file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz \

file://0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch
 \
file://CVE-2022-46908.patch \
+   file://CVE-2023-36191.patch \
 "
 SRC_URI[sha256sum] = 
"5af07de982ba658fd91a03170c945f99c971f6955bc79df3266544373e39869c"
 
-- 
2.34.1


View/Reply Online (#184506): https://lists.openembedded.org/g/openembedded-core/message/184506



[OE-core][kirkstone 01/27] perl: Fix CVE-2023-31486

2023-07-18 Thread Steve Sakoman
From: Soumya 

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available
standalone on CPAN, has an insecure default TLS configuration where
users must opt in to verify certificates.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-31486

Upstream patches:
https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d
https://github.com/chansen/p5-http-tiny/commit/a22785783b17cbaa28afaee4a024d81a1903701d

Signed-off-by: Soumya 
Signed-off-by: Steve Sakoman 
---
 .../perl/files/CVE-2023-31486-0001.patch  | 215 ++
 .../perl/files/CVE-2023-31486-0002.patch  |  36 +++
 meta/recipes-devtools/perl/perl_5.34.1.bb |   2 +
 3 files changed, 253 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
 create mode 100644 meta/recipes-devtools/perl/files/CVE-2023-31486-0002.patch

diff --git a/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch 
b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
new file mode 100644
index 00..d29996ddcb
--- /dev/null
+++ b/meta/recipes-devtools/perl/files/CVE-2023-31486-0001.patch
@@ -0,0 +1,215 @@
+From 77f557ef84698efeb6eed04e4a9704eaf85b741d
+From: Stig Palmquist 
+Date: Mon Jun 5 16:46:22 2023 +0200
+Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable
+ insecure default - Changes the `verify_SSL` default parameter from `0` to `1`
+
+  Based on patch by Dominic Hargreaves:
+  
https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92
+
+  CVE: CVE-2023-31486
+
+- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
+  enables the previous insecure default behaviour if set to `1`.
+
+  This provides a workaround for users who encounter problems with the
+  new `verify_SSL` default.
+
+  Example to disable certificate checks:
+  ```
+$ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
+  ```
+
+- Updates to documentation:
+  - Describe changing the verify_SSL value
+  - Describe the escape-hatch environment variable
+  - Remove rationale for not enabling verify_SSL
+  - Add missing certificate search paths
+  - Replace "SSL" with "TLS/SSL" where appropriate
+  - Use "machine-in-the-middle" instead of "man-in-the-middle"
+
+Upstream-Status: Backport 
[https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d]
+
+Signed-off-by: Soumya 
+---
+ cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++---
+ 1 file changed, 57 insertions(+), 29 deletions(-)
+
+diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+index 5803e45..1808c41 100644
+--- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
 b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm
+@@ -39,10 +39,14 @@ sub _croak { require Carp; Carp::croak(@_) }
+ #pod   C<$ENV{no_proxy}> —)
+ #pod * C — Request timeout in seconds (default is 60) If a socket 
open,
+ #pod   read or write takes longer than the timeout, an exception is thrown.
+-#pod * C — A boolean that indicates whether to validate the SSL
+-#pod   certificate of an C — connection (default is false)
++#pod * C — A boolean that indicates whether to validate the 
TLS/SSL
++#pod   certificate of an C — connection (default is true). Changed 
from false
++#pod   to true in version 0.083.
+ #pod * C — A hashref of C — options to pass through to
+ #pod   L
++#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default
++#pod   certificate verification behavior to not check server identity if set 
to 1.
++#pod   Only effective if C is not set. Added in version 0.083.
+ #pod
+ #pod Passing an explicit C for C, C or 
C will
+ #pod prevent getting the corresponding proxies from the environment.
+@@ -108,11 +112,17 @@ sub timeout {
+ sub new {
+ my($class, %args) = @_;
+
++# Support lower case verify_ssl argument, but only if verify_SSL is not
++# true.
++if ( exists $args{verify_ssl} ) {
++$args{verify_SSL}  ||= $args{verify_ssl};
++}
++
+ my $self = {
+ max_redirect => 5,
+ timeout  => defined $args{timeout} ? $args{timeout} : 60,
+ keep_alive   => 1,
+-verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no 
verification by default
++verify_SSL   => defined $args{verify_SSL} ? $args{verify_SSL} : 
_verify_SSL_default(),
+ no_proxy => $ENV{no_proxy},
+ };
+
+@@ -131,6 +141,13 @@ sub new {
+ return $self;
+ }
+
++sub _verify_SSL_default {
++my ($self) = @_;
++# Check if insecure default certificate verification behaviour has been
++# changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1
++return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1;
++}
++
+ sub _set_proxies {
+ my ($self) = @_;
+
+@@ -1038,7 +1055,7 @@ sub new {
+ timeout  => 60,
+ max_line_size=> 16384,
+ max_header_lines => 64,
+-verify_SSL   => 0,
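Review bot: _verify_SSL_default() reads $ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT}, but the commit message, the POD added above and the comment directly over the test all name PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT. With only this patch applied the documented escape hatch is never read; the failure is on the safe side, since verification stays on, but the behaviour does not match the documentation. The series also adds CVE-2023-31486-0002.patch, whose content is not shown here; please confirm it corrects the variable name and that both patches are listed in perl_5.34.1.bb in order.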

[OE-core][kirkstone 00/27] Patch review

2023-07-18 Thread Steve Sakoman
Please review this set of patches for kirkstone and have comments back by
end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5608

with the exception of a known intermittent issue on oe-selftest-ubuntu involving
a regression introduced in recent kernel stable branch updates:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=15138

This will be fixed in an upcoming linux-yocto version bump, see thread below
for details:

https://lists.openembedded.org/g/openembedded-core/topic/99542122#182828

The following changes since commit 200c2783b3f8546f561382fff6bd5268680d403a:

  cve-update-nvd2-native: actually use API keys (2023-07-13 06:39:45 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alberto Planas (1):
  bitbake.conf: add unzstd in HOSTTOOLS

Alexander Kanavin (5):
  serf: upgrade 1.3.9 -> 1.3.10
  wget: upgrade 1.21.3 -> 1.21.4
  linux-firmware: upgrade 20230404 -> 20230515
  wireless-regdb: upgrade 2023.02.13 -> 2023.05.03
  sysfsutils: fetch a supported fork from github

Alexander Sverdlin (1):
  rust-llvm: backport a fix for build with gcc-13

Chen Qi (4):
  sdk.py: error out when moving file fails
  sdk.py: fix moving dnf contents
  zip: fix configure check by using _Static_assert
  unzip: fix configure check for cross compilation

Heiko Thole (1):
  wic: Add dependencies for erofs-utils

Hitendra Prajapati (1):
  bind : fix CVE-2023-2828 & CVE-2023-2911

Jermain Horsman (1):
  logrotate: Do not create logrotate.status file

Jose Quaresma (1):
  selftest/reproducible: Allow chose the package manager

Marek Vasut (1):
  systemd: Backport nspawn: make sure host root can write to the
uidmapped mounts we prepare for the container payload

Mauro Queiros (1):
  pybootchartgui: show elapsed time for each task

Mikko Rapeli (1):
  selftest reproducible.py: support different build targets

Nikhil R (1):
  libpng: Add ptest for libpng

Poonam Jadhav (1):
  libx11: Fix CVE-2023-3138 for kirkstone branch

Ross Burton (1):
  tzdata: upgrade to 2023c

Soumya (2):
  perl: Fix CVE-2023-31486
  libwebp: Fix CVE-2023-1999

Tom Hochstein (1):
  cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK

Trevor Gamblin (1):
  vim: upgrade 9.0.1527 -> 9.0.1592

Vijay Anusuri (1):
  sqlite3: CVE-2023-36191 CLI fault on missing -nonce

Vivek Kumbhar (1):
  curl: Added CVE-2023-28320 Follow-up patch

 meta/classes/image_types_wic.bbclass  |   2 +-
 meta/conf/bitbake.conf|   2 +-
 .../distro/include/ptest-packagelists.inc |   1 +
 meta/lib/oe/package_manager/rpm/sdk.py|   3 +-
 meta/lib/oe/sdk.py|   2 +-
 meta/lib/oeqa/selftest/cases/reproducible.py  |  14 +-
 .../bind/bind-9.18.11/CVE-2023-2828.patch | 197 
 .../bind/bind-9.18.11/CVE-2023-2911.patch |  97 ++
 .../recipes-connectivity/bind/bind_9.18.11.bb |   2 +
 meta/recipes-core/meta/wic-tools.bb   |   2 +-
 .../sysfsutils/sysfsutils_2.1.0.bb|  10 +-
 ...-host-root-can-write-to-the-uidmappe.patch | 216 +
 meta/recipes-core/systemd/systemd_250.5.bb|   1 +
 .../cmake/cmake/OEToolchainConfig.cmake   |   5 +-
 .../perl/files/CVE-2023-31486-0001.patch  | 215 +
 .../perl/files/CVE-2023-31486-0002.patch  |  36 +++
 meta/recipes-devtools/perl/perl_5.34.1.bb |   2 +
 meta/recipes-devtools/rust/rust-llvm.inc  |   4 +-
 ...-missing-cstdint-header-to-Signals.h.patch |  32 ++
 .../logrotate/logrotate_3.20.1.bb |   1 -
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../timezone/tzcode-native.bb |   2 -
 ...0001-Fix-C23-related-conformance-bug.patch | 301 --
 ...-fix-detection-for-cross-compilation.patch | 103 ++
 meta/recipes-extended/unzip/unzip_6.0.bb  |   1 +
 meta/recipes-extended/wget/wget.inc   |   2 +-
 .../wget/{wget_1.21.3.bb => wget_1.21.4.bb}   |   2 +-
 ...se-_Static_assert-to-do-correct-dete.patch |  96 ++
 meta/recipes-extended/zip/zip_3.0.bb  |   1 +
 .../xorg-lib/libx11/CVE-2023-3138.patch   | 111 +++
 .../xorg-lib/libx11_1.7.3.1.bb|   1 +
 ...20230404.bb => linux-firmware_20230515.bb} |   4 +-
 02.13.bb => wireless-regdb_2023.05.03.bb} |   2 +-
 .../recipes-multimedia/libpng/files/run-ptest |  29 ++
 .../libpng/libpng_1.6.39.bb   |  16 +-
 .../webp/files/CVE-2023-1999.patch|  60 
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |   4 +-
 .../curl/curl/CVE-2023-28320-fol1.patch   | 197 
 meta/recipes-support/curl/curl_7.82.0.bb  |   1 +
 ...print-in-the-scons-file-to-unbreak-b.patch |  29 --
 ...sl_buckets.c-do-not-use-ERR_GET_FUNC.patch |  28 --
 ...11083-fix-building-with-scons-3.0.0-.patch |  29 --
 ...ories.without.sandbox

Re: [OE-core][PATCH] python3: parallelize ptests, add test_cppext dependencies

2023-07-18 Thread Trevor Gamblin


On 2023-07-17 16:16, Alexander Kanavin wrote:
> On Mon, 17 Jul 2023 at 15:06, Trevor Gamblin wrote:
>> AssertionError:
>> ptests which had no test results:
>> ['python3']
>
> This happens when the test prints no PASS: and no FAIL:, this is used
> to catch regressed ptests that don't test anything but don't return an
> error either.
>
> Can you run run-ptest manually and check what it prints? There should
> be at least one PASS:

Fixed it. Needed to have curly brackets around the OR statement for it
to print. Since the patch is already merged, I've sent a new one to add
this in.

> Alex

View/Reply Online (#184502): 
https://lists.openembedded.org/g/openembedded-core/message/184502



[OE-core][PATCH] python3: ensure ptest regression capture

2023-07-18 Thread Trevor Gamblin
Add a conditional echo statement to make sure that there is a
FAIL emitted when python3 ptests regress in a way sed doesn't
catch.

Signed-off-by: Trevor Gamblin 
---
 meta/recipes-devtools/python/python3/run-ptest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/python/python3/run-ptest 
b/meta/recipes-devtools/python/python3/run-ptest
index ee1130284b..efa84555a5 100644
--- a/meta/recipes-devtools/python/python3/run-ptest
+++ b/meta/recipes-devtools/python/python3/run-ptest
@@ -1,3 +1,3 @@
 #!/bin/sh
 
-SETUPTOOLS_USE_DISTUTILS=nonlocal python3 -m test -v -j 4 | sed -u -e '/\.\.\. 
ok/ s/^/PASS: /g' -r -e '/\.\.\. (ERROR|FAIL)/ s/^/FAIL: /g' -e '/\.\.\. 
skipped/ s/^/SKIP: /g' -e 's/ \.\.\. ok//g' -e 's/ \.\.\. ERROR//g' -e 's/ 
\.\.\. FAIL//g' -e 's/ \.\.\. skipped//g'
+{ SETUPTOOLS_USE_DISTUTILS=nonlocal python3 -m test -v -j 4 || echo "FAIL: 
python3" ; } | sed -u -e '/\.\.\. ok/ s/^/PASS: /g' -r -e '/\.\.\. 
(ERROR|FAIL)/ s/^/FAIL: /g' -e '/\.\.\. skipped/ s/^/SKIP: /g' -e 's/ \.\.\. 
ok//g' -e 's/ \.\.\. ERROR//g' -e 's/ \.\.\. FAIL//g' -e 's/ \.\.\. skipped//g'
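Review bot: With the brace group in place, the echo of "FAIL: python3" fires on any non-zero exit from python3 -m test, including runs where sed has already tagged the individual failures, so such a run reports one more FAIL than there are failing tests. The exit status of run-ptest is also still that of sed, so the outcome depends entirely on the emitted lines. Both are workable, but a one-line comment above the pipeline explaining why the braces are required would keep a later edit from dropping them again.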
-- 
2.41.0


View/Reply Online (#184501): 
https://lists.openembedded.org/g/openembedded-core/message/184501
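The grouping problem behind this patch and the earlier "ptests which had no test results" report can be reproduced in isolation. This is an added example, not code from the patch or from OE-core: the runner functions are constructed stand-ins for python3 -m test, the sed program is a shortened form of the one in run-ptest, and the ungrouped form is an assumption about what the version without braces looked like.

```shell
#!/bin/sh
# Constructed stand-ins for "python3 -m test -v": result lines plus an exit code.
passing_runner() { echo "test_a ... ok"; echo "test_b ... ok"; return 0; }
failing_runner() { echo "test_a ... ok"; echo "test_b ... ERROR"; return 2; }
silent_crash()   { return 1; }   # dies before printing any result line

# Shortened, portable form of the sed program in run-ptest.
tag() {
    sed -e '/\.\.\. ok$/ s/^/PASS: /' \
        -e '/\.\.\. ERROR$/ s/^/FAIL: /' \
        -e '/\.\.\. FAIL$/ s/^/FAIL: /' \
        -e 's/ \.\.\. ok$//' -e 's/ \.\.\. ERROR$//' -e 's/ \.\.\. FAIL$//'
}

# Assumed earlier form: a pipeline binds tighter than ||, so this parses as
#   runner || { echo ... | tag; }
# and the runner's own output never reaches sed.
ungrouped() {
    "$1" || echo "FAIL: python3" | tag
}

# Form used in the patch: the braces make "runner || echo" one command
# whose combined output is piped into sed.
grouped() {
    { "$1" || echo "FAIL: python3"; } | tag
}

# Number of lines a ptest log parser would recognise as results.
count_results() {
    printf '%s\n' "$1" | grep -c -E '^(PASS|FAIL|SKIP): ' || true
}

for runner in passing_runner failing_runner silent_crash; do
    for form in ungrouped grouped; do
        out=$("$form" "$runner")
        echo "$form $runner: $(count_results "$out") result line(s)"
    done
done
```

The ungrouped form yields zero recognised result lines for a fully passing run, which is the condition the selftest reports as a ptest with no test results.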



[oe-core][kirkstone][PATCH 1/1] ghostscript: fix CVE-2023-36664

2023-07-18 Thread Polampalli, Archana via lists.openembedded.org
Artifex Ghostscript through 10.01.2 mishandles permission validation for
pipe devices (with the %pipe% prefix or the | pipe character prefix).

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-36664

Upstream patches:
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099

Signed-off-by: Archana Polampalli 
---
 .../ghostscript/CVE-2023-36664-0001.patch | 146 ++
 .../ghostscript/CVE-2023-36664-0002.patch |  60 +++
 .../ghostscript/ghostscript_9.55.0.bb |   2 +
 3 files changed, 208 insertions(+)
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
 create mode 100644 
meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch

diff --git 
a/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch 
b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
new file mode 100644
index 00..99fcc61b9b
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
@@ -0,0 +1,146 @@
+From ed607fedbcd41f4a0e71df6af4ba5b07dd630209 Mon Sep 17 00:00:00 2001
+From: Chris Liddell 
+Date: Wed, 7 Jun 2023 10:23:06 +0100
+Subject: [PATCH 1/2] Bug 706761: Don't "reduce" %pipe% file names for
+ permission validation
+
+For regular file names, we try to simplfy relative paths before we use them.
+
+Because the %pipe% device can, effectively, accept command line calls, we
+shouldn't be simplifying that string, because the command line syntax can end
+up confusing the path simplifying code. That can result in permitting a pipe
+command which does not match what was originally permitted.
+
+Special case "%pipe" in the validation code so we always deal with the entire
+string.
+
+Upstream-Status: Backport 
[https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea]
+CVE: CVE-2023-36664
+
+Signed-off-by: Archana Polampalli 
+---
+ base/gpmisc.c   | 31 +++
+ base/gslibctx.c | 56 -
+ 2 files changed, 64 insertions(+), 23 deletions(-)
+
+diff --git a/base/gpmisc.c b/base/gpmisc.c
+index 8b6458a..c61ab3f 100644
+--- a/base/gpmisc.c
 b/base/gpmisc.c
+@@ -1076,16 +1076,29 @@ gp_validate_path_len(const gs_memory_t *mem,
+  && !memcmp(path + cdirstrl, dirsepstr, dirsepstrl)) {
+   prefix_len = 0;
+ }
+-rlen = len+1;
+-bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + 
prefix_len, "gp_validate_path");
+-if (bufferfull == NULL)
+-return gs_error_VMerror;
+-
+-buffer = bufferfull + prefix_len;
+-if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != 
gp_combine_success)
+-return gs_error_invalidfileaccess;
+-buffer[rlen] = 0;
+
++/* "%pipe%" do not follow the normal rules for path definitions, so we
++   don't "reduce" them to avoid unexpected results
++ */
++if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++bufferfull = buffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, 
len + 1, "gp_validate_path");
++if (buffer == NULL)
++return gs_error_VMerror;
++memcpy(buffer, path, len);
++buffer[len] = 0;
++rlen = len;
++}
++else {
++rlen = len+1;
++bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + 
prefix_len, "gp_validate_path");
++if (bufferfull == NULL)
++return gs_error_VMerror;
++
++buffer = bufferfull + prefix_len;
++if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != 
gp_combine_success)
++return gs_error_invalidfileaccess;
++buffer[rlen] = 0;
++}
+ while (1) {
+ switch (mode[0])
+ {
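Review bot: The new test in gp_validate_path_len(), "if (len > 5 && memcmp(path, "%pipe", 5) != 0)", is inverted relative to its own comment. memcmp() != 0 means the path does not start with %pipe, so ordinary file names are copied verbatim and skip gp_file_name_reduce(), while %pipe strings fall into the else branch and are still reduced, which is the behaviour the commit message sets out to remove. The comparison should be == 0; please confirm that CVE-2023-36664-0002.patch in this series carries that correction.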
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index 5bf497b..5fdfe25 100644
+--- a/base/gslibctx.c
 b/base/gslibctx.c
+@@ -734,14 +734,28 @@ gs_add_control_path_len_flags(const gs_memory_t *mem, 
gs_path_control_t type, co
+ return gs_error_rangecheck;
+ }
+
+-rlen = len+1;
+-buffer = (char *)gs_alloc_bytes(core->memory, rlen, "gp_validate_path");
+-if (buffer == NULL)
+-return gs_error_VMerror;
++/* "%pipe%" do not follow the normal rules for path definitions, so we
++   don't "reduce" them to avoid unexpected results
++ */
++if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
++buffer = (char *)gs_alloc_bytes(core->memory, len + 1, 
"gs_add_control_path_len");
++if (buffer == NULL)
++return gs_error_VMerror;
++memcpy(buffer, path, len);
++buffer[len] = 0;
++rlen = len;
++}
++else {
++rlen = len + 1;
+
+-if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != 
gp_combine_success)
+-return gs_error_invalidfileaccess;
+-buffe
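Review bot: gs_add_control_path_len_flags() repeats the same "memcmp(path, "%pipe", 5) != 0" test, so the permit list is built with the same inverted choice as the validator. Whatever corrects the comparison has to change both functions together: if only one side stops reducing %pipe strings, a registered entry and the string later checked against it are normalised differently and will not compare equal.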

[OE-core] [PATCH v2] libva: upgrade to 2.19.0

2023-07-18 Thread wangmy
From: Wang Mingyu 

Changelog:
===
* docs: fix references and descriptions snf focyhrn mstkup
* ci: add build docs test
* win: change default driver search path to bindir
* win: rely on compiler to define link names
* add: Add mono_chrome to VAEncSequenceParameterBufferAV1
* add: Enable support for license acquisition of multiple protected playbacks
* fix: year for version 2.18.0 in NEWS
* fix: use secure_getenv instead of getenv
* trace: Improve and add VA trace log for AV1 encode
* trace: Unify va log message, replace va_TracePrint with va_TraceMsg.

Signed-off-by: Wang Mingyu 
---
 .../{libva-initial_2.18.0.bb => libva-initial_2.19.0.bb}  | 0
 .../libva/{libva-utils_2.18.2.bb => libva-utils_2.19.0.bb}| 4 ++--
 meta/recipes-graphics/libva/libva.inc | 2 +-
 .../libva/{libva_2.18.0.bb => libva_2.19.0.bb}| 0
 4 files changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-graphics/libva/{libva-initial_2.18.0.bb => 
libva-initial_2.19.0.bb} (100%)
 rename meta/recipes-graphics/libva/{libva-utils_2.18.2.bb => 
libva-utils_2.19.0.bb} (90%)
 rename meta/recipes-graphics/libva/{libva_2.18.0.bb => libva_2.19.0.bb} (100%)

diff --git a/meta/recipes-graphics/libva/libva-initial_2.18.0.bb 
b/meta/recipes-graphics/libva/libva-initial_2.19.0.bb
similarity index 100%
rename from meta/recipes-graphics/libva/libva-initial_2.18.0.bb
rename to meta/recipes-graphics/libva/libva-initial_2.19.0.bb
diff --git a/meta/recipes-graphics/libva/libva-utils_2.18.2.bb 
b/meta/recipes-graphics/libva/libva-utils_2.19.0.bb
similarity index 90%
rename from meta/recipes-graphics/libva/libva-utils_2.18.2.bb
rename to meta/recipes-graphics/libva/libva-utils_2.19.0.bb
index c7bf36023d..acb25a3f0d 100644
--- a/meta/recipes-graphics/libva/libva-utils_2.18.2.bb
+++ b/meta/recipes-graphics/libva/libva-utils_2.19.0.bb
@@ -14,8 +14,8 @@ SECTION = "x11"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b148fc8adf19dc9aec17cf9cd29a9a5e"
 
-SRC_URI = 
"git://github.com/intel/libva-utils.git;branch=v2.18-branch;protocol=https"
-SRCREV = "76993ae8d0fbd17e5bfff80ed495c71e727f0d06"
+SRC_URI = 
"git://github.com/intel/libva-utils.git;branch=v2.19-branch;protocol=https"
+SRCREV = "5bf107ec4f7b18a6457d23abf57560dfb382a751"
 S = "${WORKDIR}/git"
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P(\d+(\.\d+)+))$"
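Review bot: The changelog in the commit message reads as libva's own, but this hunk also moves libva-utils from 2.18.2 on v2.18-branch to 2.19.0 on v2.19-branch with a new SRCREV, and nothing in the message ties 5bf107ec4f7b18a6457d23abf57560dfb382a751 to a release tag. Please state which tag the SRCREV corresponds to so the pin can be checked against upstream.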
diff --git a/meta/recipes-graphics/libva/libva.inc 
b/meta/recipes-graphics/libva/libva.inc
index 7ed0c9ed89..3388fea32b 100644
--- a/meta/recipes-graphics/libva/libva.inc
+++ b/meta/recipes-graphics/libva/libva.inc
@@ -18,7 +18,7 @@ LICENSE = "MIT"
 
 SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/libva-${PV}.tar.bz2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=2e48940f94acb0af582e5ef03537800f"
-SRC_URI[sha256sum] = 
"a3577eeba0c23924686c7e2f2030073736c8282a80f27b5473e33ea94ccd4982"
+SRC_URI[sha256sum] = 
"963be798d559df7feebda6fa81aa0dae6f9409c633a37909c44c6aa8af1e2174"
 
 S = "${WORKDIR}/libva-${PV}"
 
diff --git a/meta/recipes-graphics/libva/libva_2.18.0.bb 
b/meta/recipes-graphics/libva/libva_2.19.0.bb
similarity index 100%
rename from meta/recipes-graphics/libva/libva_2.18.0.bb
rename to meta/recipes-graphics/libva/libva_2.19.0.bb
-- 
2.34.1


View/Reply Online (#184499): 
https://lists.openembedded.org/g/openembedded-core/message/184499



[OE-core] Toolchain test results

2023-07-18 Thread Richard Purdie
[Anuj/Steve/Ross - questions below!]

I thought I'd share a summary of the recent toolchain test
changes/work. We can see the "baseline" from the 4.2 test report:

https://downloads.yoctoproject.org/releases/yocto/milestones/yocto-4.2_M3/testresults/testresult-report.txt

showing that we run 2.9 million tests (2946881) with 174470 failures.

Once we noticed qemuarm64 toolchain test results were showing ~125,000
failures and had done since the 3.4 release, Ross was able to find and
fix it:

https://git.yoctoproject.org/poky/commit/?id=b0f1ab9810d87960d2753b0fe78039b874fd15fd
https://git.yoctoproject.org/poky/commit/?id=af39b83e58ec159a9a13d85067c2595535442566

Thanks Ross (even if you did break it too! :)

I've also merged:

https://git.yoctoproject.org/poky/commit/?id=c94fd2737e7e341188c8c41d911f1c60240088a2

which takes care of many of the qemuppc failures.

This brings the report down to:

https://autobuilder.yocto.io/pub/non-release/20230717-18/testresults/testresult-report.txt

so 3229355 tests and 15496 failures.

qemuarm has ~350 failures
qemuarm64 has ~350 failures
qemux86-64 has ~4000 (3900 in glibc)
qemux86 has ~4000 (3500 in glibc)
qemuppc has ~600 failures
qemumips64 has ~5000 failures (all over)
qemumips has ~1600 failures

We could also do with understanding the qemuarm64 ltp syscall failures.
The other ltp failures look the same for x86 and arm.

Anuj: Can Intel look into the glibc test failures on x86?
Steve: Can we backport those patches to kirkstone/mickledore?
Ross: Can ARM look into the ltp syscall issue?

Is anyone else interested/able to help in cleaning up these results a
bit further? Once we have a good baseline, it will make it much easier to
look for and spot regressions.

Cheers,

Richard







View/Reply Online (#184498): 
https://lists.openembedded.org/g/openembedded-core/message/184498



RE: [OE-Core][PATCH v5 1/5] bitbake.conf: add acl and xattr distro native features support

2023-07-18 Thread Piotr Łobacz
Alexander, this message:

> Alex,
> from what I'm seeing the issue touches opkg-build command:
>
> opkg-build -Z xz -a "--memlimit=5% --threads=8" "" "" nativesdk-xcb-proto-dbg 
> /home/pokybuild/yocto-worker/genericx86-64/build/build/tmp/work/i686-nativesdk-pokysdk-linux/nativesdk-xcb-proto/1.15.2-r0/deploy-ipks/i686-nativesdk'
>  returned non-zero exit status 1.
>
> which causes you an error. This may happen with bad tar hosttools command. 
> Can you please post me which version is on yocto autobuilder?

> BR
> Piotr

was meant for you, sorry for the confusion. Can you please verify/check what 
version of `tar` is being used on the autobuilder? This is really important for 
me, if we're going to move forward with it, because I have suspicions that it 
may not support posix or it may not be patched with --acls and --xattrs 
attributes https://www.mail-archive.com/bug-tar@gnu.org/msg06198.html

BR
Piotr
View/Reply Online (#184497): 
https://lists.openembedded.org/g/openembedded-core/message/184497