[oe] [meta-networking][PATCH] openipmi: fix do_configure error when using dash

2024-02-27 Thread Yi Zhao
We encountered a do_configure error when using dash on Ubuntu 20.04:
conftest.c:31:26: fatal error: Python.h: No such file or directory
   31 | #include <Python.h>
  |  ^~

It seems that PYTHON_CPPFLAGS is not passed to configure command
correctly. Use configuration option --with-pythoncflags instead of
passing it in cmdline.

Signed-off-by: Yi Zhao 
---
 meta-networking/recipes-support/openipmi/openipmi_2.0.34.bb | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/meta-networking/recipes-support/openipmi/openipmi_2.0.34.bb 
b/meta-networking/recipes-support/openipmi/openipmi_2.0.34.bb
index 470ce1e25..eacbe5ce9 100644
--- a/meta-networking/recipes-support/openipmi/openipmi_2.0.34.bb
+++ b/meta-networking/recipes-support/openipmi/openipmi_2.0.34.bb
@@ -42,7 +42,9 @@ CFLAGS += "-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
 
 EXTRA_OECONF = "--disable-static \
 --with-perl='${STAGING_BINDIR_NATIVE}/perl-native/perl' \
---with-glibver=2.0"
+--with-glibver=2.0 \
+
--with-pythoncflags='-I${STAGING_INCDIR}/${PYTHON_DIR}${PYTHON_ABI}' \
+   "
 
 PACKAGECONFIG ??= "gdbm"
 PACKAGECONFIG[gdbm] = "ac_cv_header_gdbm_h=yes,ac_cv_header_gdbm_h=no,gdbm,"
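Review bot: The closing quote of EXTRA_OECONF now sits on a line of its own (`+   "`) after a continuation backslash, so the last real option line ends in `\` with nothing but the quote following it; ending the new option with the quote, `--with-pythoncflags='-I${STAGING_INCDIR}/${PYTHON_DIR}${PYTHON_ABI}'"`, keeps the variable in the same shape it had before. The bare `+` above the new option reads as archive line-wrapping rather than an empty added line, so I treat the two as one line. In the do_configure hunk below, a short comment above the now-bare `autotools_do_configure` would stop the old form from being reintroduced, e.g. `# Python include path is passed via --with-pythoncflags in EXTRA_OECONF; a VAR=value prefix on the shell function call was not picked up under dash (see commit message)`.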
@@ -64,7 +66,7 @@ FILES:${PN}-dbg += " \
 
 do_configure () {
 # Let's perform regular configuration first then handle perl issues.
-PYTHON_CPPFLAGS=-I${STAGING_INCDIR}/${PYTHON_DIR}${PYTHON_ABI} 
autotools_do_configure
+autotools_do_configure
 
 perl_ver=`perl -V:version | cut -d\' -f 2`
 
-- 
2.25.1





[oe] [meta-python][PATCH 2/2] python3-pydantic-core: Fix build for arches without 64bit atomics

2024-02-27 Thread Khem Raj
Signed-off-by: Khem Raj 
---
 .../python/python3-pydantic-core-crates.inc   |  20 +--
 ...-github.com-pyo3-pyo3-from-0.20.2-to.patch | 115 ++
 .../python/python3-pydantic-core_2.16.3.bb|   1 +
 3 files changed, 127 insertions(+), 9 deletions(-)
 create mode 100644 
meta-python/recipes-devtools/python/python3-pydantic-core/0001-Bumps-pyo3-https-github.com-pyo3-pyo3-from-0.20.2-to.patch

diff --git 
a/meta-python/recipes-devtools/python/python3-pydantic-core-crates.inc 
b/meta-python/recipes-devtools/python/python3-pydantic-core-crates.inc
index 5518ff6ec9..e8e4ef23a8 100644
--- a/meta-python/recipes-devtools/python/python3-pydantic-core-crates.inc
+++ b/meta-python/recipes-devtools/python/python3-pydantic-core-crates.inc
@@ -38,11 +38,12 @@ SRC_URI += " \
 crate://crates.io/parking_lot/0.12.1 \
 crate://crates.io/parking_lot_core/0.9.8 \
 crate://crates.io/percent-encoding/2.3.1 \
+crate://crates.io/portable-atomic/1.6.0 \
 crate://crates.io/proc-macro2/1.0.76 \
-crate://crates.io/pyo3/0.20.2 \
-crate://crates.io/pyo3-build-config/0.20.2 \
-crate://crates.io/pyo3-ffi/0.20.2 \
-crate://crates.io/pyo3-macros/0.20.2 \
+crate://crates.io/pyo3/0.20.3 \
+crate://crates.io/pyo3-build-config/0.20.3 \
+crate://crates.io/pyo3-ffi/0.20.3 \
+crate://crates.io/pyo3-macros/0.20.3 \
 crate://crates.io/pyo3-macros-backend/0.20.2 \
 crate://crates.io/python3-dll-a/0.2.9 \
 crate://crates.io/quote/1.0.35 \
@@ -121,12 +122,13 @@ SRC_URI[once_cell-1.18.0.sha256sum] = 
"dd8b5dd2ae5ed71462c540258bedcb51965123ad7
 SRC_URI[parking_lot-0.12.1.sha256sum] = 
"3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
 SRC_URI[parking_lot_core-0.9.8.sha256sum] = 
"93f00c865fe7cabf650081affecd3871070f26767e7b2070a3ffae14c654b447"
 SRC_URI[percent-encoding-2.3.1.sha256sum] = 
"e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
+SRC_URI[portable-atomic-1.6.0.sha256sum] = 
"7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0"
 SRC_URI[proc-macro2-1.0.76.sha256sum] = 
"95fc56cda0b5c3325f5fbbd7ff9fda9e02bb00bb3dac51252d2f1bfa1cb8cc8c"
-SRC_URI[pyo3-0.20.2.sha256sum] = 
"9a89dc7a5850d0e983be1ec2a463a171d20990487c3cfcd68b5363f1ee3d6fe0"
-SRC_URI[pyo3-build-config-0.20.2.sha256sum] = 
"07426f0d8fe5a601f26293f300afd1a7b1ed5e78b2a705870c5f30893c5163be"
-SRC_URI[pyo3-ffi-0.20.2.sha256sum] = 
"dbb7dec17e17766b46bca4f1a4215a85006b4c2ecde122076c562dd058da6cf1"
-SRC_URI[pyo3-macros-0.20.2.sha256sum] = 
"05f738b4e40d50b5711957f142878cfa0f28e054aa0ebdfc3fd137a843f74ed3"
-SRC_URI[pyo3-macros-backend-0.20.2.sha256sum] = 
"0fc910d4851847827daf9d6cdd4a823fbdaab5b8818325c5e97a86da79e8881f"
+SRC_URI[pyo3-0.20.3.sha256sum] = 
"53bdbb96d49157e65d45cc287af5f32ffadd5f4761438b527b055fb0d4bb8233"
+SRC_URI[pyo3-build-config-0.20.3.sha256sum] = 
"deaa5745de3f5231ce10517a1f5dd97d53e5a2fd77aa6b5842292085831d48d7"
+SRC_URI[pyo3-ffi-0.20.3.sha256sum] = 
"62b42531d03e08d4ef1f6e85a2ed422eb678b8cd62b762e53891c05faf0d4afa"
+SRC_URI[pyo3-macros-0.20.3.sha256sum] = 
"7305c720fa01b8055ec95e484a6eca7a83c841267f0dd5280f0c8b8551d2c158"
+SRC_URI[pyo3-macros-backend-0.20.2.sha256sum] = 
"7c7e9b68bb9c3149c5b0cade5d07f953d6d125eb4337723c4ccdb665f1f96185"
 SRC_URI[python3-dll-a-0.2.9.sha256sum] = 
"d5f07cd4412be8fa09a721d40007c483981bbe072cd6a21f2e83e04ec8f8343f"
 SRC_URI[quote-1.0.35.sha256sum] = 
"291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef"
 SRC_URI[redox_syscall-0.3.5.sha256sum] = 
"567664f262709473930a4bf9e51bf2ebf3348f2e748ccc50dea20646858f8f29"
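Review bot: The sha256sum recorded for `pyo3-macros-backend-0.20.2` is replaced with a different hash while the first hunk leaves the crate line at `crate://crates.io/pyo3-macros-backend/0.20.2`; a crates.io artifact at a fixed version is immutable, so an unchanged version should never produce a new checksum. The other four pyo3 crates are bumped to 0.20.3 in both the crate line and the checksum key, so this looks like the version string was missed for the backend crate — presumably the crate line should read `crate://crates.io/pyo3-macros-backend/0.20.3 \` and the key `SRC_URI[pyo3-macros-backend-0.20.3.sha256sum]`, with the hash re-verified against the crates.io tarball of that version. If the hash was simply copied from the wrong entry the fetcher will reject the download, but a checksum that changes for an unchanged version deserves an explanation in the commit message rather than being left for the fetcher to catch.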
diff --git 
a/meta-python/recipes-devtools/python/python3-pydantic-core/0001-Bumps-pyo3-https-github.com-pyo3-pyo3-from-0.20.2-to.patch
 
b/meta-python/recipes-devtools/python/python3-pydantic-core/0001-Bumps-pyo3-https-github.com-pyo3-pyo3-from-0.20.2-to.patch
new file mode 100644
index 00..ba9bd1c150
--- /dev/null
+++ 
b/meta-python/recipes-devtools/python/python3-pydantic-core/0001-Bumps-pyo3-https-github.com-pyo3-pyo3-from-0.20.2-to.patch
@@ -0,0 +1,115 @@
+From a5690f973384bf8cbf4deb3b83d822b7aaefbdd8 Mon Sep 17 00:00:00 2001
+From: Khem Raj 
+Date: Tue, 27 Feb 2024 11:00:46 -0800
+Subject: [PATCH] Bumps [pyo3](https://github.com/pyo3/pyo3) from 0.20.2 to
+ 0.20.3.
+
+Upstream-Status: Pending
+Signed-off-by: Khem Raj 
+---
+ Cargo.lock | 26 +-
+ Cargo.toml |  2 +-
+ 2 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/Cargo.lock b/Cargo.lock
+index 62615dc..b0d4448 100644
+--- a/Cargo.lock
 b/Cargo.lock
+@@ -321,6 +321,12 @@ version = "2.3.1"
+ source = "registry+https://github.com/rust-lang/crates.io-index";
+ checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
+ 
++[[package]]
++name = "portable-atomic"
++version = "1.6.0"
++source = "registry+https://github.com/rust-lang/crates.io-index";
++checksum = "7170ef9988bc169ba16dd36a7fa041e5c4cbeb6a35b76d4c03daded371eae7c0"
++
+ [[package]]
+ name = "proc-macro2"
+ version =

[oe] [meta-python][PATCH 1/2] python3-pydantic-core, python3-pydantic: Update to 2.16.3 and 2.6.2 respectively

2024-02-27 Thread Khem Raj
Below are the changelogs:

[1] https://github.com/pydantic/pydantic-core/releases/tag/v2.16.3
[2] https://github.com/pydantic/pydantic/releases/tag/v2.6.3
[3] https://github.com/pydantic/pydantic/releases/tag/v2.6.2
[4] https://github.com/pydantic/pydantic/releases/tag/v2.6.1

Signed-off-by: Khem Raj 
---
 ...-pydantic-core_2.16.2.bb => python3-pydantic-core_2.16.3.bb} | 2 +-
 .../{python3-pydantic_2.6.0.bb => python3-pydantic_2.6.2.bb}| 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename meta-python/recipes-devtools/python/{python3-pydantic-core_2.16.2.bb => 
python3-pydantic-core_2.16.3.bb} (94%)
 rename meta-python/recipes-devtools/python/{python3-pydantic_2.6.0.bb => 
python3-pydantic_2.6.2.bb} (94%)

diff --git 
a/meta-python/recipes-devtools/python/python3-pydantic-core_2.16.2.bb 
b/meta-python/recipes-devtools/python/python3-pydantic-core_2.16.3.bb
similarity index 94%
rename from meta-python/recipes-devtools/python/python3-pydantic-core_2.16.2.bb
rename to meta-python/recipes-devtools/python/python3-pydantic-core_2.16.3.bb
index 7ac2b076c2..ef48c0020d 100644
--- a/meta-python/recipes-devtools/python/python3-pydantic-core_2.16.2.bb
+++ b/meta-python/recipes-devtools/python/python3-pydantic-core_2.16.3.bb
@@ -8,7 +8,7 @@ HOMEPAGE = "https://github.com/pydantic/pydantic-core";
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=ab599c188b4a314d2856b3a55030c75c"
 
-SRC_URI[sha256sum] = 
"0ba503850d8b8dcc18391f10de896ae51d37fe5fe43dbfb6a35c5c5cad271a06"
+SRC_URI[sha256sum] = 
"1cac689f80a3abab2d3c0048b29eea5751114054f032a941a32de4c852c59cad"
 
 DEPENDS = "python3-maturin-native python3-typing-extensions"
 
diff --git a/meta-python/recipes-devtools/python/python3-pydantic_2.6.0.bb 
b/meta-python/recipes-devtools/python/python3-pydantic_2.6.2.bb
similarity index 94%
rename from meta-python/recipes-devtools/python/python3-pydantic_2.6.0.bb
rename to meta-python/recipes-devtools/python/python3-pydantic_2.6.2.bb
index af465f4230..dadb3c07f8 100644
--- a/meta-python/recipes-devtools/python/python3-pydantic_2.6.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pydantic_2.6.2.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = 
"file://LICENSE;md5=09280955509d1c4ca14bae02f21d49a6"
 
 inherit pypi python_hatchling
 
-SRC_URI[sha256sum] = 
"ae887bd94eb404b09d86e4d12f93893bdca79d766e738528c6fa1c849f3c6bcf"
+SRC_URI[sha256sum] = 
"a09be1c3d28f3abe37f8a78af58284b236a92ce520105ddc91a6d29ea1176ba7"
 
 DEPENDS += "python3-hatch-fancy-pypi-readme-native"
 
-- 
2.44.0





[oe] [meta-oe][PATCH] ostree: Remove strace from ptest rdeps

2024-02-27 Thread Khem Raj
It checks for strace and then tries fault injection if it exists. So,
while it would be good to have a strace port for rv32, it can be disabled
for now.

Signed-off-by: Khem Raj 
---
 meta-oe/recipes-extended/ostree/ostree_2024.3.bb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta-oe/recipes-extended/ostree/ostree_2024.3.bb 
b/meta-oe/recipes-extended/ostree/ostree_2024.3.bb
index 07dedc8b81..158ec9bc23 100644
--- a/meta-oe/recipes-extended/ostree/ostree_2024.3.bb
+++ b/meta-oe/recipes-extended/ostree/ostree_2024.3.bb
@@ -28,8 +28,6 @@ S = "${WORKDIR}/libostree-${PV}"
 
 inherit autotools bash-completion gobject-introspection github-releases 
gtk-doc manpages pkgconfig ptest-gnome systemd
 
-COMPATIBLE_HOST:riscv32 = "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 
'null', 'riscv32', d)}"
-
 UNKNOWN_CONFIGURE_OPT_IGNORE = "--disable-introspection --enable-introspection"
 
 # Workaround compile failure:
@@ -203,6 +201,7 @@ RDEPENDS:${PN}-ptest += " \
 python3-pyyaml \
 ${@bb.utils.contains('PACKAGECONFIG', 'gjs', 'gjs', '', d)} \
 "
+RDEPENDS:${PN}-ptest:remove:riscv32 = "strace"
 RDEPENDS:${PN}-ptest:append:libc-glibc = " glibc-utils glibc-localedata-en-us"
 
 RRECOMMENDS:${PN}:append:class-target = " kernel-module-overlay"
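Review bot: The new `RDEPENDS:${PN}-ptest:remove:riscv32 = "strace"` carries no explanation, and the reason given in the commit message (no strace port for riscv32, and the tests only use it for optional fault injection) will be lost once the line is read on its own; a comment above it, `# No strace port for riscv32 yet; the ptest only uses strace for optional fault injection`, keeps that with the recipe. Dropping `COMPATIBLE_HOST:riscv32` in the first hunk means the recipe now builds for riscv32 with ptest enabled, so anything else in the test suite that hard-requires strace would surface at test run time instead of as a build-time exclusion — worth one ptest run on riscv32 if a target is available.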
-- 
2.44.0





[oe] [PATCH] yasm: improve reproducibility

2024-02-27 Thread Oleh Matiusha via lists.openembedded.org
Place reproducible build date in source files instead of
actual build date if SOURCE_DATE_EPOCH available.

Signed-off-by: Oleh Matiusha 
---
 ...-Set-build-date-to-SOURCE_DATE_EPOCH.patch | 35 
 ...m-Use-BUILD_DATE-for-reproducibility.patch | 40 +++
 meta-oe/recipes-devtools/yasm/yasm_git.bb |  3 ++
 3 files changed, 78 insertions(+)
 create mode 100644 
meta-oe/recipes-devtools/yasm/yasm/0001-yasm-Set-build-date-to-SOURCE_DATE_EPOCH.patch
 create mode 100644 
meta-oe/recipes-devtools/yasm/yasm/0002-yasm-Use-BUILD_DATE-for-reproducibility.patch

diff --git 
a/meta-oe/recipes-devtools/yasm/yasm/0001-yasm-Set-build-date-to-SOURCE_DATE_EPOCH.patch
 
b/meta-oe/recipes-devtools/yasm/yasm/0001-yasm-Set-build-date-to-SOURCE_DATE_EPOCH.patch
new file mode 100644
index 0..e65c9853e
--- /dev/null
+++ 
b/meta-oe/recipes-devtools/yasm/yasm/0001-yasm-Set-build-date-to-SOURCE_DATE_EPOCH.patch
@@ -0,0 +1,35 @@
+From eb164bb201c0f792fa8aa78270c47294065183a3 Mon Sep 17 00:00:00 2001
+From: Oleh Matiusha 
+Date: Tue, 6 Feb 2024 09:33:11 +
+Subject: [PATCH 1/2] yasm: Set build date to SOURCE_DATE_EPOCH
+
+If SOURCE_DATE_EPOCH is set, use it to generate a reproducible
+string for BUILD_DATE.
+
+Signed-off-by: Oleh Matiusha 
+---
+ configure.ac | 8 
+ 1 file changed, 8 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 2823ecd..eeb51ce 100644
+--- a/configure.ac
 b/configure.ac
+@@ -103,6 +103,14 @@ AM_WITH_DMALLOC
+ #
+ AC_CHECK_HEADERS([strings.h libgen.h unistd.h direct.h sys/stat.h])
+ 
++# Use reproducible build date and time
++if test "$SOURCE_DATE_EPOCH"; then
++  DATE_FMT="%d %b %Y %H:%M:%S"
++  BUILD_DATE=$(LC_ALL=C date -u -d "@$SOURCE_DATE_EPOCH" "+$DATE_FMT")
++  AC_DEFINE_UNQUOTED([BUILD_DATE], ["$BUILD_DATE"], [Use reproducidle 
build date])
++fi
++
++
+ #
+ # Checks for typedefs, structures, and compiler characteristics.
+ #
+-- 
+2.33.0
+
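Review bot: Neither new patch header carries an `Upstream-Status:` tag — this file's header ends at its `Signed-off-by:` line, and the same holds for 0002-yasm-Use-BUILD_DATE-for-reproducibility.patch below; OE layers expect one on every patch, e.g. `Upstream-Status: Pending` (or Submitted with a link, if it has been sent to yasm). The AC_DEFINE help text in the new configure.ac block misspells the word and should read `[Use reproducible build date]`. The `date -u -d "@$SOURCE_DATE_EPOCH"` form is GNU date syntax; that is fine for the OE build host, but if the patch is meant to go upstream a fallback or a note for non-GNU `date` would be expected.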
diff --git 
a/meta-oe/recipes-devtools/yasm/yasm/0002-yasm-Use-BUILD_DATE-for-reproducibility.patch
 
b/meta-oe/recipes-devtools/yasm/yasm/0002-yasm-Use-BUILD_DATE-for-reproducibility.patch
new file mode 100644
index 0..665f3afc9
--- /dev/null
+++ 
b/meta-oe/recipes-devtools/yasm/yasm/0002-yasm-Use-BUILD_DATE-for-reproducibility.patch
@@ -0,0 +1,40 @@
+From 19fffab74a201dc41c3da7e74d86eafa8f68bbc6 Mon Sep 17 00:00:00 2001
+From: Oleh Matiusha 
+Date: Tue, 6 Feb 2024 09:34:26 +
+Subject: [PATCH] yasm: Use BUILD_DATE for reproducibility
+
+Use reproducible build date instead of compilation time and date.
+
+Signed-off-by: Oleh Matiusha 
+
+---
+ tools/re2c/parser.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/re2c/parser.c b/tools/re2c/parser.c
+index 02d5c66..1c90aee 100644
+--- a/tools/re2c/parser.c
 b/tools/re2c/parser.c
+@@ -5,6 +5,7 @@
+ #include "tools/re2c/globals.h"
+ #include "tools/re2c/parse.h"
+ #include "tools/re2c/parser.h"
++#include "config.h"
+ 
+ int yylex(void);
+ static RegExp *parse_expr(void);
+@@ -233,7 +234,11 @@ void parse(FILE *i, FILE *o){
+ peektok = NONE;
+ 
+ fputs("/* Generated by re2c 0.9.1-C on ", o);
++#ifndef BUILD_DATE
+ fprintf(o, "%-24s", ctime(&now));
++#else
++fprintf(o, "%-24s", BUILD_DATE " ");
++#endif
+ fputs(" */\n", o); oline+=2;
+ 
+ in = Scanner_new(i);
+-- 
+2.33.0
+
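Review bot: `#include "config.h"` is added after the tools/re2c headers; an autoconf config.h is conventionally included first so that any feature macros it defines are in effect before the system headers the other includes may pull in. Moving it is a one-line change, `#include "config.h"` placed ahead of `#include "tools/re2c/globals.h"`. Whether those headers already include config.h is not visible here, so this may be moot; the `parse()` body around the new `#ifndef BUILD_DATE` branch starts and ends outside the hunk.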
diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb 
b/meta-oe/recipes-devtools/yasm/yasm_git.bb
index 079f805d6..216b77766 100644
--- a/meta-oe/recipes-devtools/yasm/yasm_git.bb
+++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb
@@ -14,6 +14,8 @@ SRC_URI = 
"git://github.com/yasm/yasm.git;branch=master;protocol=https \
file://0001-Do-not-use-AC_HEADER_STDC.patch \
file://CVE-2023-31975.patch \
file://CVE-2023-37732.patch \
+   file://0001-yasm-Set-build-date-to-SOURCE_DATE_EPOCH.patch \
+   file://0002-yasm-Use-BUILD_DATE-for-reproducibility.patch \
 "
 
 S = "${WORKDIR}/git"
@@ -30,3 +32,4 @@ do_configure:prepend() {
  # Don't include $CC (which includes path to sysroot) in generated header.
  sed -i -e "s/^echo \"\/\* generated \$ac_cv_stdint_message \*\/\" 
>>\$ac_stdint$"// ${S}/m4/ax_create_stdint_h.m4
 }
+
-- 
2.33.0





[oe][meta-oe][kirkstone][PATCH V2 2/2] nodejs: fix CVE-2023-46809

2024-02-27 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli 

Signed-off-by: Archana Polampalli 
---
 .../nodejs/nodejs/CVE-2023-46809.patch| 625 ++
 .../recipes-devtools/nodejs/nodejs_16.20.2.bb |   1 +
 2 files changed, 626 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-46809.patch

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-46809.patch 
b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-46809.patch
new file mode 100644
index 0..991d39fcf
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2023-46809.patch
@@ -0,0 +1,625 @@
+From d3d357ab096884f10f5d2f164149727eea875635 Mon Sep 17 00:00:00 2001
+From: Michael Dawson 
+Date: Thu, 4 Jan 2024 21:32:51 +
+Subject: [PATCH] crypto: disable PKCS#1 padding for privateDecrypt
+
+Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2269177
+
+Disable RSA_PKCS1_PADDING for crypto.privateDecrypt() in order
+to protect against the Marvin attack.
+
+Includes a security revert flag that can be used to restore
+support.
+
+Signed-off-by: Michael Dawson 
+PR-URL: https://github.com/nodejs-private/node-private/pull/525
+Reviewed-By: Rafael Gonzaga 
+Reviewed-By: Matteo Collina 
+
+CVE-ID: CVE-2023-46809
+
+Upstream-Status: Backport 
[https://github.com/nodejs/node/commit/d3d357ab096884f1]
+Signed-off-by: Archana Polampalli 
+---
+ src/crypto/crypto_cipher.cc |  28 ++
+ src/node_revert.h   |   1 +
+ test/parallel/test-crypto-rsa-dsa-revert.js | 475 
+ test/parallel/test-crypto-rsa-dsa.js|  42 +-
+ 4 files changed, 533 insertions(+), 13 deletions(-)
+ create mode 100644 test/parallel/test-crypto-rsa-dsa-revert.js
+
+diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
+index 10579ce..0311c68 100644
+--- a/src/crypto/crypto_cipher.cc
 b/src/crypto/crypto_cipher.cc
+@@ -6,6 +6,7 @@
+ #include "node_buffer.h"
+ #include "node_internals.h"
+ #include "node_process-inl.h"
++#include "node_revert.h"
+ #include "v8.h"
+
+ namespace node {
+@@ -1061,6 +1062,33 @@ void PublicKeyCipher::Cipher(const 
FunctionCallbackInfo& args) {
+   uint32_t padding;
+   if (!args[offset + 1]->Uint32Value(env->context()).To(&padding)) return;
+
++  if (EVP_PKEY_cipher == EVP_PKEY_decrypt &&
++  operation == PublicKeyCipher::kPrivate && padding == RSA_PKCS1_PADDING 
&&
++  !IsReverted(SECURITY_REVERT_CVE_2023_46809)) {
++EVPKeyCtxPointer ctx(EVP_PKEY_CTX_new(pkey.get(), nullptr));
++CHECK(ctx);
++
++if (EVP_PKEY_decrypt_init(ctx.get()) <= 0) {
++  return ThrowCryptoError(env, ERR_get_error());
++}
++
++int rsa_pkcs1_implicit_rejection =
++EVP_PKEY_CTX_ctrl_str(ctx.get(), "rsa_pkcs1_implicit_rejection", "1");
++// From the doc -2 means that the option is not supported.
++// The default for the option is enabled and if it has been
++// specifically disabled we want to respect that so we will
++// not throw an error if the option is supported regardless
++// of how it is set. The call to set the value
++// will not affect what is used since a different context is
++// used in the call if the option is supported
++if (rsa_pkcs1_implicit_rejection <= 0) {
++  return THROW_ERR_INVALID_ARG_VALUE(
++  env,
++  "RSA_PKCS1_PADDING is no longer supported for private decryption,"
++  " this can be reverted with --security-revert=CVE-2023-46809");
++}
++  }
++
+   const EVP_MD* digest = nullptr;
+   if (args[offset + 2]->IsString()) {
+ const Utf8Value oaep_str(env->isolate(), args[offset + 2]);
+diff --git a/src/node_revert.h b/src/node_revert.h
+index 83dcb62..bc2a288 100644
+--- a/src/node_revert.h
 b/src/node_revert.h
+@@ -18,6 +18,7 @@ namespace node {
+ #define SECURITY_REVERSIONS(XX)\
+   XX(CVE_2021_44531, "CVE-2021-44531", "Cert Verif Bypass via URI SAN")\
+   XX(CVE_2021_44532, "CVE-2021-44532", "Cert Verif Bypass via Str Inject") \
++  XX(CVE_2023_46809, "CVE-2023-46809", "Marvin attack on PKCS#1 padding") \
+ //  XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title")
+
+ enum reversion {
+diff --git a/test/parallel/test-crypto-rsa-dsa-revert.js 
b/test/parallel/test-crypto-rsa-dsa-revert.js
+new file mode 100644
+index 000..84ec8f6
+--- /dev/null
 b/test/parallel/test-crypto-rsa-dsa-revert.js
+@@ -0,0 +1,475 @@
++'use strict';
++// Flags: --security-revert=CVE-2023-46809
++const common = require('../common');
++if (!common.hasCrypto)
++  common.skip('missing crypto');
++
++const assert = require('assert');
++const crypto = require('crypto');
++
++const constants = crypto.constants;
++
++const fixtures = require('../common/fixtures');
++
++// Test certificates
++const certPem = fixtures.readKey('rsa_cert.crt');
++const keyPem = fixtures.readKey('rsa_private.pem');
++const rsaKeySize = 2048;
++const rsaPubPem = fixtures.readKey('rsa_public.pem', 'ascii');
++const rsaKeyPem = fixt

[oe][meta-oe][kirkstone][PATCH V2 1/2] nodejs: fix CVE-2024-22025

2024-02-27 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli 

Signed-off-by: Archana Polampalli 
---
 .../nodejs/nodejs/CVE-2024-22025.patch| 148 ++
 .../recipes-devtools/nodejs/nodejs_16.20.2.bb |   1 +
 2 files changed, 149 insertions(+)
 create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-22025.patch

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-22025.patch 
b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-22025.patch
new file mode 100644
index 0..ac3a54aba
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-22025.patch
@@ -0,0 +1,148 @@
+From 9052ef43dc2d1b0db340591a9bc9e45a25c01d90 Mon Sep 17 00:00:00 2001
+From: Matteo Collina 
+Date: Tue, 6 Feb 2024 16:47:20 +0100
+Subject: [PATCH 4/5] zlib: pause stream if outgoing buffer is full
+
+Signed-off-by: Matteo Collina 
+PR-URL: https://github.com/nodejs-private/node-private/pull/540
+Reviewed-By: Robert Nagy 
+Ref: https://hackerone.com/reports/2284065
+
+CVE-ID: CVE-2024-22025
+
+Upstream-Status: Backport 
[https://github.com/nodejs/node/commit/9052ef43dc2d1b0d]
+
+Signed-off-by: Archana Polampalli 
+---
+ lib/zlib.js| 32 +++---
+ test/parallel/test-zlib-brotli-16GB.js | 22 ++
+ test/parallel/test-zlib-params.js  | 24 +++
+ 3 files changed, 61 insertions(+), 17 deletions(-)
+ create mode 100644 test/parallel/test-zlib-brotli-16GB.js
+
+diff --git a/lib/zlib.js b/lib/zlib.js
+index 9bde199..8e033e5 100644
+--- a/lib/zlib.js
 b/lib/zlib.js
+@@ -560,10 +560,11 @@ function processCallback() {
+   self.bytesWritten += inDelta;
+
+   const have = handle.availOutBefore - availOutAfter;
++  let streamBufferIsFull = false;
+   if (have > 0) {
+ const out = self._outBuffer.slice(self._outOffset, self._outOffset + 
have);
+ self._outOffset += have;
+-self.push(out);
++streamBufferIsFull = !self.push(out);
+   } else {
+ assert(have === 0, 'have should not go down');
+   }
+@@ -588,13 +589,28 @@ function processCallback() {
+ handle.inOff += inDelta;
+ handle.availInBefore = availInAfter;
+
+-this.write(handle.flushFlag,
+-   this.buffer, // in
+-   handle.inOff, // in_off
+-   handle.availInBefore, // in_len
+-   self._outBuffer, // out
+-   self._outOffset, // out_off
+-   self._chunkSize); // out_len
++if (!streamBufferIsFull) {
++  this.write(handle.flushFlag,
++ this.buffer, // in
++ handle.inOff, // in_off
++ handle.availInBefore, // in_len
++ self._outBuffer, // out
++ self._outOffset, // out_off
++ self._chunkSize); // out_len
++} else {
++  const oldRead = self._read;
++  self._read = (n) => {
++self._read = oldRead;
++this.write(handle.flushFlag,
++   this.buffer, // in
++   handle.inOff, // in_off
++   handle.availInBefore, // in_len
++   self._outBuffer, // out
++   self._outOffset, // out_off
++   self._chunkSize); // out_len
++self._read(n);
++  };
++}
+ return;
+   }
+
+diff --git a/test/parallel/test-zlib-brotli-16GB.js 
b/test/parallel/test-zlib-brotli-16GB.js
+new file mode 100644
+index 000..1ca10f7
+--- /dev/null
 b/test/parallel/test-zlib-brotli-16GB.js
+@@ -0,0 +1,22 @@
++use strict';
++
++const common = require('../common');
++const { createBrotliDecompress } = require('node:zlib');
++const strictEqual = require('node:assert').strictEqual;
++
++// This tiny HEX string is a 16GB file.
++// This test verifies that the stream actually stops.
++/* eslint-disable max-len */
++const content = 
'cf7ff82700e2b14020f7fe904f00c4610180eefd3fffe19f0088c32200ddfb7ffec33f0110870500baf7fffc877f02200e0b0074e90fff04401c1600e8defff31ffe0980382c00d0bdffe73ffc1300715800a07bffcf7ff82700e2b00040f7fe904f00c4610180eefd3fffe19f0088c30200ddfb7ffec33f0110870500baf7fffc877f02200e0b0074e90fff04401c1600e8defff31ffe0980382c00d0bdffe73ffc1300715800a07bffcf7ff82700e2b00040f7fe904f00c4610180eefd3fffe19f0088c30200ddfb7ffec33f0110870500baf7fffc877f02200e0b0074e90fff04401c1600e8defff31ffe0980382c00d0bdffe73ffc1300715800a07bffcf7ff82700e2b00040f7fe904f00c4610180eefd3fffe19f0088c30200ddfb7ffec33f0110870500baf7fffc877f02200e0b0074e90fff04401c1600e8defff31ffe0980382c00d0bdffe73ffc1300715800a07bffcf7ff82700e2b00040f7fe904f00c4610180eefd3fffe19f0088c30200ddfb7ffec33f0110870500baf7fffc877f02200e0b0074e90fff04401c1600e8defff31ffe0980382c00d0bdffe73ffc1300715800a07bffcf7ff82700e2b00040f7fe904f00c4610180eefd3fffe19f0088c30200ddfb7ffec33f0110870500baf7fffc877f02200e0b0074e90fff0

[oe] [meta-oe][PATCH 2/2] networkmanager-fortisslvpn: use python3native and depend on python3-packaging-native

2024-02-27 Thread Martin Jansa
* it uses gdbus-codegen from glib-2.0-native which depended
  on python3-distutils-native until
  https://lists.openembedded.org/g/openembedded-core/message/196136
  but distutils on host was enforced by sanity check only until mickledore with:
  
https://git.openembedded.org/openembedded-core/commit/?id=8e3a5b0709384f2b455a82ac1e8e212686fe4456

  so on hosts without distutils this was already failing with:
  http://errors.yoctoproject.org/Errors/Details/754697/

gdbus-codegen \
--generate-c-code src/nm-fortisslvpn-pppd-service-dbus \
--c-namespace NMDBus \
--interface-prefix org.freedesktop.NetworkManager \
../NetworkManager-fortisslvpn-1.4.0/src/nm-fortisslvpn-pppd-service.xml
Traceback (most recent call last):
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/networkmanager-fortisslvpn/1.4.0/recipe-sysroot-native/usr/bin/gdbus-codegen",
 line 53, in 
from codegen import codegen_main
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/networkmanager-fortisslvpn/1.4.0/recipe-sysroot-native/usr/share/glib-2.0/codegen/codegen_main.py",
 line 29, in 
from . import dbustypes
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/networkmanager-fortisslvpn/1.4.0/recipe-sysroot-native/usr/share/glib-2.0/codegen/dbustypes.py",
 line 22, in 
from . import utils
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/networkmanager-fortisslvpn/1.4.0/recipe-sysroot-native/usr/share/glib-2.0/codegen/utils.py",
 line 22, in 
import distutils.version
ModuleNotFoundError: No module named 'distutils'
make: *** [Makefile:2081: src/nm-fortisslvpn-pppd-service-dbus.h] Error 1

  and the glib-2.0-native change only changes the dependency from
  distutils to packaging which results in:
  http://errors.yoctoproject.org/Errors/Details/754693/

gdbus-codegen \
--generate-c-code src/nm-fortisslvpn-pppd-service-dbus \
--c-namespace NMDBus \
--interface-prefix org.freedesktop.NetworkManager \
../NetworkManager-fortisslvpn-1.4.0/src/nm-fortisslvpn-pppd-service.xml
Traceback (most recent call last):
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/networkmanager-fortisslvpn/1.4.0/recipe-sysroot-native/usr/bin/gdbus-codegen",
 line 53, in 
from codegen import codegen_main
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/networkmanager-fortisslvpn/1.4.0/recipe-sysroot-native/usr/share/glib-2.0/codegen/codegen_main.py",
 line 29, in 
from . import dbustypes
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/networkmanager-fortisslvpn/1.4.0/recipe-sysroot-native/usr/share/glib-2.0/codegen/dbustypes.py",
 line 22, in 
from . import utils
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/networkmanager-fortisslvpn/1.4.0/recipe-sysroot-native/usr/share/glib-2.0/codegen/utils.py",
 line 22, in 
import packaging.version
ModuleNotFoundError: No module named 'packaging'
make: *** [Makefile:2081: src/nm-fortisslvpn-pppd-service-dbus.h] Error 1

* packaging probably isn't as wide spread on host distros as old
  distutils was, so make sure it's available by using
  python3-native with python3-packaging-native from OE build

Signed-off-by: Martin Jansa 
---
 .../networkmanager/networkmanager-fortisslvpn_1.4.0.bb| 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git 
a/meta-networking/recipes-connectivity/networkmanager/networkmanager-fortisslvpn_1.4.0.bb
 
b/meta-networking/recipes-connectivity/networkmanager/networkmanager-fortisslvpn_1.4.0.bb
index a15c69b601..48f50abaf1 100644
--- 
a/meta-networking/recipes-connectivity/networkmanager/networkmanager-fortisslvpn_1.4.0.bb
+++ 
b/meta-networking/recipes-connectivity/networkmanager/networkmanager-fortisslvpn_1.4.0.bb
@@ -4,10 +4,10 @@ SECTION = "net/misc"
 LICENSE = "GPL-2.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552"
 
-DEPENDS = "glib-2.0-native libxml2-native networkmanager ppp"
+DEPENDS = "glib-2.0-native libxml2-native networkmanager ppp 
python3-packaging-native"
 
 GNOMEBASEBUILDCLASS = "autotools"
-inherit gnomebase gettext useradd
+inherit gnomebase gettext useradd python3native
 
 SRC_URI = " \
 
${GNOME_MIRROR}/NetworkManager-fortisslvpn/${@gnome_verdir("${PV}")}/NetworkManager-fortisslvpn-${PV}.tar.xz
 \
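Review bot: The added `python3-packaging-native` dependency and the `python3native` inherit have no comment saying why a C/autotools VPN plugin needs them; the reason (gdbus-codegen from glib-2.0-native imports packaging.version, per the commit message) belongs next to the DEPENDS line so nobody later drops it as unused, e.g. `# gdbus-codegen (glib-2.0-native) needs packaging.version; take it from the OE build, not the host`. The same comment applies to the gattlib recipe in patch 1/2 of this series.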
-- 
2.44.0





[oe] [meta-oe][PATCH 1/2] gattlib: use python3native and depend on python3-packaging-native

2024-02-27 Thread Martin Jansa
* it uses gdbus-codegen from glib-2.0-native which depended
  on python3-distutils-native until
  https://lists.openembedded.org/g/openembedded-core/message/196136
  but distutils on host was enforced by sanity check only until mickledore with:
  
https://git.openembedded.org/openembedded-core/commit/?id=8e3a5b0709384f2b455a82ac1e8e212686fe4456

  so on hosts without distutils this was already failing with:
  http://errors.yoctoproject.org/Errors/Details/754696/

cd TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/build/dbus && 
gdbus-codegen --pragma-once --interface-prefix org.bluez.Descriptor1. 
--generate-c-code 
TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/build/dbus/org-bluez-gattdescriptor1
 
TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/git/dbus/dbus-bluez-v5.48/org.bluez.GattDescriptor1.xml
Traceback (most recent call last):
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/recipe-sysroot-native/usr/bin/gdbus-codegen",
 line 53, in 
from codegen import codegen_main
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/recipe-sysroot-native/usr/share/glib-2.0/codegen/codegen_main.py",
 line 29, in 
from . import dbustypes
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/recipe-sysroot-native/usr/share/glib-2.0/codegen/dbustypes.py",
 line 22, in 
from . import utils
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/recipe-sysroot-native/usr/share/glib-2.0/codegen/utils.py",
 line 22, in 
import distutils.version
ModuleNotFoundError: No module named 'distutils'

  and the glib-2.0-native change only changes the dependency from
  distutils to packaging which results in:
  http://errors.yoctoproject.org/Errors/Details/754692/

FAILED: dbus/org-bluez-gattdescriptor1.c 
TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/build/dbus/org-bluez-gattdescriptor1.c
cd TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/build/dbus && 
gdbus-codegen --pragma-once --interface-prefix org.bluez.Descriptor1. 
--generate-c-code 
TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/build/dbus/org-bluez-gattdescriptor1
 
TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/git/dbus/dbus-bluez-v5.48/org.bluez.GattDescriptor1.xml
Traceback (most recent call last):
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/recipe-sysroot-native/usr/bin/gdbus-codegen",
 line 53, in 
from codegen import codegen_main
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/recipe-sysroot-native/usr/share/glib-2.0/codegen/codegen_main.py",
 line 29, in 
from . import dbustypes
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/recipe-sysroot-native/usr/share/glib-2.0/codegen/dbustypes.py",
 line 22, in 
from . import utils
  File 
"TOPDIR/tmp-glibc/work/core2-64-oe-linux/gattlib/0.2+git/recipe-sysroot-native/usr/share/glib-2.0/codegen/utils.py",
 line 22, in 
import packaging.version
ModuleNotFoundError: No module named 'packaging'

* packaging probably isn't as widespread on host distros as the old
  distutils was, so make sure it's available by using
  python3-native with python3-packaging-native from the OE build

Signed-off-by: Martin Jansa 
---
 meta-oe/recipes-connectivity/gattlib/gattlib_git.bb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb 
b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
index f54d833a01..7ad28d594d 100644
--- a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
+++ b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb
@@ -4,8 +4,7 @@ SECTION = "libs/network"
 LICENSE = "GPL-2.0-or-later | BSD-3-Clause"
 LIC_FILES_CHKSUM = 
"file://CMakeLists.txt;beginline=1;endline=6;md5=a87ee154f005a6f035b8b34ac2191f3b"
 
-DEPENDS = "bluez5 glib-2.0"
-DEPENDS += "glib-2.0-native"
+DEPENDS = "bluez5 glib-2.0 glib-2.0-native python3-packaging-native"
 
 PV = "0.2+git"
 
@@ -26,7 +25,7 @@ PACKAGECONFIG[force-dbus] = 
"-DGATTLIB_FORCE_DBUS=TRUE,-DGATTLIB_FORCE_DBUS=FALS
 EXTRA_OECMAKE += "-DGATTLIB_PYTHON_INTERFACE=OFF"
 EXTRA_OECMAKE += "-DGATTLIB_BUILD_DOCS=OFF"
 
-inherit pkgconfig cmake
+inherit pkgconfig cmake python3native
 
 do_compile:append() {
 for f in org-bluez-gattdescriptor1.c org-bluez-battery1.c 
org-bluez-adaptater1.c \
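Review bot: The python3-packaging-native dependency added to the DEPENDS line in the first hunk serves gdbus-codegen, which the commit message says ships with glib-2.0-native rather than with gattlib, so any other recipe that runs gdbus-codegen will presumably hit the same ModuleNotFoundError and the dependency may belong on glib-2.0-native instead of being repeated per consumer. The `inherit python3native` line in this hunk is presumably what makes gdbus-codegen's python3 resolve to the OE-built interpreter that can see the sysroot's packaging module, so the two changes only work together; a short comment next to it such as `# python3native: gdbus-codegen from glib-2.0-native needs python3-packaging` would keep them from being reverted independently. The body of do_compile:append continues outside the hunk.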
-- 
2.44.0


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#109040): 
https://lists.openembedded.org/g/openembedded-devel/message/109040
Mute This Topic: https://lists.openembedded.org/mt/104600758/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [oe][meta-oe][kirkstone][PATCH 2/4] nodejs: fix CVE-2024-21892

2024-02-27 Thread Polampalli, Archana via lists.openembedded.org
Kindly ignore this patch.

Regards,
Archana

From: openembedded-devel@lists.openembedded.org 
 on behalf of Polampalli, Archana 
via lists.openembedded.org 

Sent: Friday, February 23, 2024 14:06
To: openembedded-devel@lists.openembedded.org 

Subject: [oe][meta-oe][kirkstone][PATCH 2/4] nodejs: fix CVE-2024-21892

From: Archana Polampalli 

On Linux, Node.js ignores certain environment variables if those may have been
set by an unprivileged user while the process is running with elevated 
privileges
with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the
implementation of this exception, Node.js incorrectly applies this exception
even when certain other capabilities have been set. This allows unprivileged
users to inject code that inherits the process's elevated privileges.

Signed-off-by: Archana Polampalli 
---
 .../nodejs/nodejs/CVE-2024-21892-0001.patch   | 97 +++
 .../nodejs/nodejs/CVE-2024-21892-0002.patch   | 58 +++
 .../recipes-devtools/nodejs/nodejs_16.20.2.bb |  2 +
 3 files changed, 157 insertions(+)
 create mode 100644 
meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0001.patch
 create mode 100644 
meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0002.patch

diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0001.patch 
b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0001.patch
new file mode 100644
index 0..0eb988fac
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0001.patch
@@ -0,0 +1,97 @@
+From 3f619407fe1e597657b598383d0b5003a064311b Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius 
+Date: Wed, 17 Mar 2021 13:48:51 +0100
+Subject: [PATCH 2/5] src: allow CAP_NET_BIND_SERVICE in SafeGetenv
+
+This commit updates SafeGetenv to check if the current process has the
+effective capability cap_net_bind_service set, and if so allows
+environment variables to be read.
+
+The motivation for this change is a use-case where Node is run in a
+container, and the is a requirement to be able to listen to ports
+below 1024. This is done by setting the capability of
+cap_net_bind_service. In addition there is a need to set the
+environment variable `NODE_EXTRA_CA_CERTS`. But currently this
+environment variable will not be read when the capability has been set
+on the executable.
+
+PR-URL: https://github.com/nodejs/node/pull/37727
+Reviewed-By: Anna Henningsen 
+Reviewed-By: Richard Lau 
+Reviewed-By: James M Snell 
+Reviewed-By: Michael Dawson 
+
+CVE: CVE-2024-21892
+
+Upstream-Status: Backport 
[https://github.com/nodejs/node/commit/3f619407fe1e5976]
+
+Signed-off-by: Archana Polampalli 
+---
+ src/node_credentials.cc | 38 +-
+ 1 file changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/src/node_credentials.cc b/src/node_credentials.cc
+index 4c098c9..7688af8 100644
+--- a/src/node_credentials.cc
 b/src/node_credentials.cc
+@@ -12,6 +12,11 @@
+ #include   // setuid, getuid
+ #endif
+
++#ifdef __linux__
++#include 
++#include 
++#endif  // __linux__
++
+ namespace node {
+
+ using v8::Array;
+@@ -33,14 +38,45 @@ bool linux_at_secure = false;
+
+ namespace credentials {
+
+-// Look up environment variable unless running as setuid root.
++#if defined(__linux__)
++// Returns true if the current process only has the passed-in capability.
++bool HasOnly(int capability) {
++  DCHECK(cap_valid(capability));
++
++  struct __user_cap_data_struct cap_data[2];
++  struct __user_cap_header_struct cap_header_data = {
++_LINUX_CAPABILITY_VERSION_3,
++getpid()};
++
++
++  if (syscall(SYS_capget, &cap_header_data, &cap_data) != 0) {
++return false;
++  }
++  if (capability < 32) {
++return cap_data[0].permitted ==
++static_cast(CAP_TO_MASK(capability));
++  }
++  return cap_data[1].permitted ==
++  static_cast(CAP_TO_MASK(capability));
++}
++#endif
++
++// Look up the environment variable and allow the lookup if the current
++// process only has the capability CAP_NET_BIND_SERVICE set. If the current
++// process does not have any capabilities set and the process is running as
++// setuid root then lookup will not be allowed.
+ bool SafeGetenv(const char* key,
+ std::string* text,
+ std::shared_ptr env_vars,
+ v8::Isolate* isolate) {
+ #if !defined(__CloudABI__) && !defined(_WIN32)
++#if defined(__linux__)
++  if ((!HasOnly(CAP_NET_BIND_SERVICE) && per_process::linux_at_secure) ||
++  getuid() != geteuid() || getgid() != getegid())
++#else
+   if (per_process::linux_at_secure || getuid() != geteuid() ||
+   getgid() != getegid())
++#endif
+ goto fail;
+ #endif
+
+--
+2.40.0
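Review bot: HasOnly as backported in this hunk compares only the 32-bit word that holds the requested capability (`cap_data[0].permitted` for capability < 32, `cap_data[1].permitted` otherwise) and never checks that the other word is zero, so a process holding CAP_NET_BIND_SERVICE together with any capability from the other word still passes the "only" test and SafeGetenv will honour environment variables while running with elevated privileges, which is exactly the behaviour the cover letter attributes to CVE-2024-21892. If this backport is kept, the first return should gain `&& cap_data[1].permitted == 0` and the second return the symmetric `cap_data[0].permitted == 0 &&` guard, unless the 0002 patch (cut off at the end of the view) already makes that change. Returning false when `syscall(SYS_capget, ...)` fails is the safe direction, since it keeps the setuid-root restriction in force, but that intent deserves a comment such as `// capget failure: assume extra capabilities and keep the restrictive path`. SafeGetenv's body continues past the end of the nested hunk.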
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0002.patch 
b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0002.patch
new file mode 100644
index 0..efb64db7d
--- /dev/null
+++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0002.patch
@@ -0,0 +