[oe] [meta-xfce][PATCH 2/2] xfce4-notifyd: use python3native and depend on python3-packaging-native
* it uses gdbus-codegen from glib-2.0-native which depended on python3-distutils-native until https://lists.openembedded.org/g/openembedded-core/message/196136 but distutils on host was enforced by sanity check only until mickledore with: https://git.openembedded.org/openembedded-core/commit/?id=8e3a5b0709384f2b455a82ac1e8e212686fe4456 so on hosts without distutils this was already failing and the glib-2.0-native change only changes the dependency from distutils to packaging which results in: https://errors.yoctoproject.org/Errors/Details/754995/ gdbus-codegen \ --interface-prefix org.xfce.Notifyd.Log \ --c-namespace Xfce \ --generate-c-code xfce-notify-log-gbus \ --glib-max-allowed 2.68 \ ../../xfce4-notifyd-0.8.2/common/xfce-notify-log-dbus.xml Traceback (most recent call last): File "TOPDIR/build/tmp/work/riscv64-yoe-linux/xfce4-notifyd/0.8.2/recipe-sysroot-native/usr/bin/gdbus-codegen", line 53, in from codegen import codegen_main File "TOPDIR/build/tmp/work/riscv64-yoe-linux/xfce4-notifyd/0.8.2/recipe-sysroot-native/usr/share/glib-2.0/codegen/codegen_main.py", line 29, in from . import dbustypes File "TOPDIR/build/tmp/work/riscv64-yoe-linux/xfce4-notifyd/0.8.2/recipe-sysroot-native/usr/share/glib-2.0/codegen/dbustypes.py", line 22, in from . import utils File "TOPDIR/build/tmp/work/riscv64-yoe-linux/xfce4-notifyd/0.8.2/recipe-sysroot-native/usr/share/glib-2.0/codegen/utils.py", line 22, in import packaging.version ModuleNotFoundError: No module named 'packaging' * packaging probably isn't as wide spread on host distros as old distutils was, so make sure it's available by using python3-native with python3-packaging-native from OE build Signed-off-by: Martin Jansa --- meta-xfce/recipes-apps/xfce4-notifyd/xfce4-notifyd_0.8.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-xfce/recipes-apps/xfce4-notifyd/xfce4-notifyd_0.8.2.bb b/meta-xfce/recipes-apps/xfce4-notifyd/xfce4-notifyd_0.8.2.bb index 7dbd90c188..96cfd32f7b 100644 
--- a/meta-xfce/recipes-apps/xfce4-notifyd/xfce4-notifyd_0.8.2.bb +++ b/meta-xfce/recipes-apps/xfce4-notifyd/xfce4-notifyd_0.8.2.bb @@ -10,9 +10,11 @@ DEPENDS = " \ libxfce4ui \ xfconf \ xfce4-panel \ +python3-packaging-native \ " inherit xfce-app +inherit python3native SRC_URI:append = " file://xfce4-notifyd-get-var-abs-path.patch" -- 2.44.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#109057): https://lists.openembedded.org/g/openembedded-devel/message/109057 Mute This Topic: https://lists.openembedded.org/mt/104629514/21656 Group Owner: openembedded-devel+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
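Review bot: unlike the ristretto patch in this series, this hunk adds python3-packaging-native but not glib-2.0-native to DEPENDS, and the visible DEPENDS context (libxfce4ui, xfconf, xfce4-panel) does not show glib-2.0-native either; since the commit message says the recipe runs gdbus-codegen from glib-2.0-native, confirm that dependency is already declared above the hunk or provided by the xfce-app class, otherwise the build can still pick up a host gdbus-codegen and the host interpreter it runs under. Two smaller points: `inherit python3native` could be folded into the existing `inherit xfce-app` line, and a short comment next to python3-packaging-native saying it exists only for gdbus-codegen would save the next reader a trip to the commit message, as it is not an obvious dependency of a notification daemon.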
[oe] [meta-xfce][PATCH 1/2] ristretto: use python3native and depend on glib-2.0-native, python3-packaging-native
* it uses gdbus-codegen from glib-2.0-native which depended on python3-distutils-native until https://lists.openembedded.org/g/openembedded-core/message/196136 but distutils on host was enforced by sanity check only until mickledore with: https://git.openembedded.org/openembedded-core/commit/?id=8e3a5b0709384f2b455a82ac1e8e212686fe4456 so on hosts without distutils this was already failing and the glib-2.0-native change only changes the dependency from distutils to packaging which results in: https://errors.yoctoproject.org/Errors/Details/754996/ gdbus-codegen \ --c-namespace=Tumbler \ --interface-prefix=org.freedesktop.thumbnails. \ --generate-c-code=tumbler \ tumbler-service-dbus.xml Traceback (most recent call last): File "TOPDIR/build/tmp/work/riscv64-yoe-linux/ristretto/0.13.1/recipe-sysroot-native/usr/bin/gdbus-codegen", line 53, in from codegen import codegen_main File "TOPDIR/build/tmp/work/riscv64-yoe-linux/ristretto/0.13.1/recipe-sysroot-native/usr/share/glib-2.0/codegen/codegen_main.py", line 29, in from . import dbustypes File "TOPDIR/build/tmp/work/riscv64-yoe-linux/ristretto/0.13.1/recipe-sysroot-native/usr/share/glib-2.0/codegen/dbustypes.py", line 22, in from . import utils File "TOPDIR/build/tmp/work/riscv64-yoe-linux/ristretto/0.13.1/recipe-sysroot-native/usr/share/glib-2.0/codegen/utils.py", line 22, in import packaging.version ModuleNotFoundError: No module named 'packaging' * packaging probably isn't as wide spread on host distros as old distutils was, so make sure it's available by using python3-native with python3-packaging-native from OE build Signed-off-by: Martin Jansa --- meta-xfce/recipes-apps/ristretto/ristretto_0.13.1.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-xfce/recipes-apps/ristretto/ristretto_0.13.1.bb b/meta-xfce/recipes-apps/ristretto/ristretto_0.13.1.bb index 4aac89fe79..dcae982cee 100644 --- a/meta-xfce/recipes-apps/ristretto/ristretto_0.13.1.bb 
+++ b/meta-xfce/recipes-apps/ristretto/ristretto_0.13.1.bb @@ -4,9 +4,9 @@ SECTION = "x11/application" LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=35d145429ad3cbf5308d1dc93f66376b" -DEPENDS = "exo libexif libxfce4ui libxfce4util xfconf cairo file" +DEPENDS = "exo libexif libxfce4ui libxfce4util xfconf cairo file glib-2.0-native python3-packaging-native" -inherit xfce-app mime-xdg +inherit xfce-app mime-xdg python3native RRECOMMENDS:${PN} += "tumbler" -- 2.44.0
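Review bot: a one-line comment next to python3-packaging-native in DEPENDS would help, since nothing in ristretto itself imports it: it is there only so that gdbus-codegen from glib-2.0-native, which now runs under python3-native because of the python3native inherit, can import packaging.version instead of relying on whatever the host interpreter has installed. With the two new entries the single-line DEPENDS string is getting long; splitting it with line continuations, as the xfce4-notifyd recipe in 2/2 does, keeps future additions reviewable.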
[oe] OpenEmbedded Happy Hour February 28 9pm/2100 UTC
All,

Please note that we have our regularly scheduled OpenEmbedded Happy Hour later today, February 28 for Asia/Pacific timezones at 2100/9pm UTC (4pm ET/1pm PT)

https://www.openembedded.org/wiki/Calendar
https://www.openembedded.org/wiki/Happy_Hours
https://www.timeanddate.com/worldclock/fixedtime.html?msg=OpenEmbedded+Happy+Hour+February+28&iso=20240228T21

Best regards,
Denys Dmytriyenko
OpenEmbedded Board of Directors
Re: [oe] kirkstone-next merge request: Feb 28th
merged into kirkstone, thanks Armin On Wed, Feb 28, 2024 at 5:22 AM akuster808 wrote: > > The following changes since commit 8609de00952d65bb813a48c535c937324efeb18a: > >Revert "libcroco: Add fix for CVE-2020-12825" (2024-02-07 18:41:41 -0500) > > are available in the Git repository at: > >https://git.openembedded.org/meta-openembedded kirkstone-next > > for you to fetch changes up to fda737ec0cc1d2a5217548a560074a8e4d5ec580: > >mbedtls: Upgrade 3.5.0 -> 3.5.2 (2024-02-28 08:18:18 -0500) > > > Fathi Boudra (1): >python3-django: upgrade from 4.2.7 to 4.2.10 > > Meenali Gupta (1): >graphviz: fix CVE-2023-46045 > > Soumya Sambu (2): >mbedtls: upgrade 2.28.5 -> 2.28.7 >mbedtls: Upgrade 3.5.0 -> 3.5.2 > > Vijay Anusuri (1): >squid: Backport fix for CVE-2023-49286 and CVE-2023-50269 > > Yogita Urade (1): >mariadb: fix CVE-2023-22084 > > virendra thakur (1): >nodejs: Set CVE_PRODUCT to "node.js" > > .../mbedtls/{mbedtls_2.28.5.bb => mbedtls_2.28.7.bb} | 6 +- > .../mbedtls/{mbedtls_3.5.0.bb => mbedtls_3.5.2.bb} | 7 ++- > .../recipes-daemons/squid/files/CVE-2023-49286.patch| 87 > +++ > .../recipes-daemons/squid/files/CVE-2023-50269.patch| 62 > > meta-networking/recipes-daemons/squid/squid_4.15.bb | 2 + > meta-oe/recipes-dbs/mysql/mariadb.inc | 1 + > meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch | 91 > + > meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | 2 + > .../recipes-graphics/graphviz/graphviz/CVE-2023-46045-1.patch | 38 > > .../recipes-graphics/graphviz/graphviz/CVE-2023-46045-2.patch | 39 > + > .../recipes-graphics/graphviz/graphviz/CVE-2023-46045-3.patch | 31 > ++ > meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb| 3 + > .../{python3-django_4.2.7.bb => python3-django_4.2.10.bb} | 2 +- > 13 files changed, 364 insertions(+), 7 deletions(-) > rename meta-networking/recipes-connectivity/mbedtls/{mbedtls_2.28.5.bb > => mbedtls_2.28.7.bb} (91%) > rename meta-networking/recipes-connectivity/mbedtls/{mbedtls_3.5.0.bb > => mbedtls_3.5.2.bb} (93%) > create mode 
100644 > meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch > create mode 100644 > meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch > create mode 100644 meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch > create mode 100644 > meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-1.patch > create mode 100644 > meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-2.patch > create mode 100644 > meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-3.patch > rename meta-python/recipes-devtools/python/{python3-django_4.2.7.bb => > python3-django_4.2.10.bb} (77%)
Re: [oe] [meta-filesystems][PATCH] e2tools: Add ptest
I am running into this error on some builders on AB stdio: ERROR: Task (/home/pokybuild/yocto-worker/meta-oe/build/meta/recipes-support/libexif/libexif_0.6.24.bb:do_package_qa) failed with exit code '1' stdio: ERROR: e2tools-0.1.0+git-r0 do_package_qa: QA Issue: /usr/lib/e2tools/ptest/git/.git/hooks/update.sample contained in package e2tools-ptest requires /usr/bin/sh, but no providers found in RDEPENDS:e2tools-ptest? [file-rdeps] stdio: ERROR: e2tools-0.1.0+git-r0 do_package_qa: Fatal QA errors were found, failing task. stdio: ERROR: Logfile of failure stored in: /home/pokybuild/yocto-worker/meta-oe/build/build/tmp/work/core2-64-poky-linux/e2tools/0.1.0+git/temp/log.do_package_qa.3114961 On Thu, Feb 22, 2024 at 5:56 AM Lyu, William via lists.openembedded.org wrote: > > From: William Lyu > > Signed-off-by: William Lyu > --- > .../recipes-utils/e2tools/e2tools_git.bb | 51 ++- > .../recipes-utils/e2tools/files/run-ptest | 5 ++ > 2 files changed, 54 insertions(+), 2 deletions(-) > create mode 100644 meta-filesystems/recipes-utils/e2tools/files/run-ptest > > diff --git a/meta-filesystems/recipes-utils/e2tools/e2tools_git.bb > b/meta-filesystems/recipes-utils/e2tools/e2tools_git.bb > index caf0025c8..a80b6f598 100644 > --- a/meta-filesystems/recipes-utils/e2tools/e2tools_git.bb > +++ b/meta-filesystems/recipes-utils/e2tools/e2tools_git.bb 
> @@ -9,17 +9,64 @@ SECTION = "base" > LICENSE = "GPL-2.0-only" > LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" > > -DEPENDS += "e2fsprogs" > +DEPENDS += "coreutils e2fsprogs" > > PV = "0.1.0+git" > > SRC_URI = " \ > git://github.com/e2tools/e2tools;protocol=https;branch=master \ > + file://run-ptest \ > " > + > SRCREV = "fd092754a6b65c3a769f74f888668c066f09c36d" > > S = "${WORKDIR}/git" > > -inherit autotools pkgconfig > +inherit autotools pkgconfig ptest > + > +do_configure:prepend() { > +git -C "${WORKDIR}/git" reset --hard HEAD > + > +# To install ptest for this package, special configuration needs to be > +# done before do_configure(). So, do_configure_ptest() which is scheduled > +# after do_configure() cannot be used. > + > +# We only do special configuration if we are installing ptest for this > +# package. > +if [ "${@d.getVar('PTEST_ENABLED')}" -eq "1" ]; then > +# Since we guarantee run-time dependency when installing the ptest > for > +# this package, we do not need the check macros under section "checks > +# for programs" in "configure.ac". Plus, these check macros set the > +# ouput variables to incorrect values as these checks are performed > on > +# the host environment. Still, we need these variables outputted from > +# these check macros. So, we insert the following lines to manually > +# set these output variables to the correct value in "configure.ac". > + > +# Note that HAVE_DD_COMMAND and HAVE_MKE2FS_COMMAND are only ever > used > +# in tests/Makefile-files which determines whether to include the > test > +# cases. As for output variables CHMOD, DD, and MKE2FS, they only > +# point to the programs which test cases need to run. Since these > +# commands are guaranteed to be present due to RDEPENDS and are > +# guaranteed to be accessible under PATH environment variable on the > +# target, we only need to specify the name of these programs. 
> + > +perl -i -0777 -pe 's/(^dnl\s*=+\s*^dnl\s*Checks for compiler > flags\s*^dnl\s*=+)/ > +AC_SUBST([CHMOD], 'chmod') > +AC_SUBST([DD], 'dd') > +AC_SUBST([MKE2FS], 'mke2fs') > +AM_CONDITIONAL([HAVE_DD_COMMAND], [true]) > +AM_CONDITIONAL([HAVE_MKE2FS_COMMAND], [true]) > +\1/ms' "${WORKDIR}/git/configure.ac" > +fi > +} > + > +do_install_ptest() { > +rm -rf "${D}${PTEST_PATH}/*" > +cp -r ../build "${D}${PTEST_PATH}" > +cp -r "${S}/build-aux" "${D}${PTEST_PATH}/build" > +cp -r "${S}" "${D}${PTEST_PATH}" > +} > + > +RDEPENDS:${PN}-ptest += "bash coreutils e2fsprogs e2tools gawk make perl" > > BBCLASSEXTEND = "native" > diff --git a/meta-filesystems/recipes-utils/e2tools/files/run-ptest > b/meta-filesystems/recipes-utils/e2tools/files/run-ptest > new file mode 100644 > index 0..3d4dd9cf3 > --- /dev/null > +++ b/meta-filesystems/recipes-utils/e2tools/files/run-ptest > @@ -0,0 +1,5 @@ > +#!/bin/sh > + > +set -e > + > +make -C build check > -- > 2.43.0
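Review bot: the file-rdeps QA failure reported above comes from `cp -r "${S}" "${D}${PTEST_PATH}"` in do_install_ptest(): it copies the whole checkout including its .git directory, so git's sample hooks (the QA log names `git/.git/hooks/update.sample`, which requires /usr/bin/sh) end up in e2tools-ptest; copy only what the tests need, or remove `${D}${PTEST_PATH}/git/.git` after the copy. In the same function `rm -rf "${D}${PTEST_PATH}/*"` quotes the glob, so it removes a file literally named `*` and nothing else; move the `*` outside the quotes. Two smaller points in the do_configure:prepend hunk: `git -C "${WORKDIR}/git" reset --hard HEAD` discards anything do_patch applied from SRC_URI, which is safe only while the recipe carries no patches, and `[ "${@d.getVar('PTEST_ENABLED')}" -eq "1" ]` is better written as a string comparison (`= "1"`), since `-eq` raises a shell error the moment the variable is not a number. The perl edit also embeds single quotes inside a single-quoted argument (`'chmod'`, `'dd'`, `'mke2fs'`), so the inserted AC_SUBST lines end up with unquoted second arguments; it works, but `[chmod]` style quoting would make the intent explicit.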
Re: [oe] [meta-networking][dunfell][PATCH] proftpd: fix CVE-2020-9272 Out-of-bounds read
On 2/26/24 3:55 AM, Anuj Mittal wrote: On Mon, 2024-02-26 at 11:25 +0530, Hitendra Prajapati via lists.openembedded.org wrote: Upstream-Status: Backport from https://github.com/proftpd/proftpd/commit/743330874ee19dfcf2405827274015da0663bd2b Signed-off-by: Hitendra Prajapati --- .../proftpd/files/CVE-2020-9272.patch | 2839 + .../recipes-daemons/proftpd/proftpd_1.3.6.bb | 1 + 2 files changed, 2840 insertions(+) create mode 100644 meta-networking/recipes- daemons/proftpd/files/CVE-2020-9272.patch diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2020- 9272.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2020- 9272.patch new file mode 100644 index 00..aa779a0956 --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2020- 9272.patch 
@@ -0,0 +1,2839 @@ +From 743330874ee19dfcf2405827274015da0663bd2b Mon Sep 17 00:00:00 2001 +From: TJ Saunders +Date: Tue, 18 Feb 2020 11:21:38 -0800 +Subject: [PATCH] Issue #902: Update the bundled `libcap` library to the latest + from https://github.com/mhiramat/libcap.git. + +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/743330874ee19dfcf240582727 4015da0663bd2b] I think it'd be better to update the recipe to 1.3.6e maintenance release that already has this fix instead of carrying this patch. I agree. - armin http://proftpd.org/docs/RELEASE_NOTES-1.3.6e Thanks, Anuj +CVE: CVE-2020-9272 +Signed-off-by: Hitendra Prajapati +--- + lib/libcap/Makefile | 53 ++- + lib/libcap/_makenames.c | 41 +-- + lib/libcap/cap_alloc.c | 101 +++--- + lib/libcap/cap_extint.c | 71 ++-- + lib/libcap/cap_file.c | 314 +++--- + lib/libcap/cap_flag.c | 99 +++--- + lib/libcap/cap_proc.c | 169 +++--- + lib/libcap/cap_sys.c | 41 --- + lib/libcap/cap_text.c | 301 +++-- + lib/libcap/include/sys/capability.h | 74 +++-- + lib/libcap/include/sys/securebits.h | 22 ++ + lib/libcap/include/uapi/linux/capability.h | 367 + + lib/libcap/include/uapi/linux/prctl.h | 200 +++ + lib/libcap/include/uapi/linux/securebits.h | 60 + lib/libcap/libcap.h | 223 +++-- + 15 files changed, 1538 insertions(+), 598 deletions(-) + delete mode 100644 lib/libcap/cap_sys.c + create mode 100644 lib/libcap/include/sys/securebits.h + create mode 100644 lib/libcap/include/uapi/linux/capability.h + create mode 100644 lib/libcap/include/uapi/linux/prctl.h + create mode 100644 lib/libcap/include/uapi/linux/securebits.h + +diff --git a/lib/libcap/Makefile b/lib/libcap/Makefile +index d5311ce..ff88cfb 100644 +--- a/lib/libcap/Makefile b/lib/libcap/Makefile +@@ -1,5 +1,5 @@ +-## This libcap (for proftpd) is originally from libcap-1.10, +-## at ftp://linux.kernel.org/pub/libs/security/linux-privs. ++## This libcap (for proftpd) is originally from libcap, at: ++## https://github.com/mhiramat/libcap.git. 
+ ## This interface is SPECIFIC TO THE LINUX 2.2 KERNEL!!! IT IS NOT GUARANTEED + ## TO WORK ON ANY PRIOR OR LATER VERSION (ie: 2.1.x or 2.3.x). + ## If this library stops working, please contact c...@proftpd.org. +@@ -9,50 +9,49 @@ + # + topdir=$(shell pwd)/.. + include ../../Make.rules ++ ++KERNEL_HEADERS=/usr/include ++LIBTITLE=libcap ++ + # + # Library version + # +-LIBNAME=libcap.a ++LIBNAME=$(LIBTITLE).so ++STALIBNAME=$(LIBTITLE).a + # + +-FILES=cap_alloc cap_proc cap_extint cap_flag cap_text cap_sys +- +-# for later when there is filesystem support for cap's: +-#FILES += cap_file ++FILES=cap_alloc cap_proc cap_extint cap_flag cap_text cap_file + + INCLS=libcap.h cap_names.h $(INCS) + OBJS=$(addsuffix .o, $(FILES)) + +-all: $(LIBNAME) ++all: $(STALIBNAME) + +-_makenames: _makenames.c cap_names.sed +- $(BUILD_CC) $(CFLAGS) $(LDFLAGS) $< -o $@ ++_makenames: _makenames.c cap_names.list.h ++ $(CC) $(CFLAGS) $< -o $@ + + cap_names.h: _makenames + ./_makenames > cap_names.h + +-cap_names.sed: Makefile /usr/include/linux/capability.h +- @echo "=> making cap_names.c from " +- @sed -ne '/^#define[ \t]CAP[_A-Z]\+[ \t]\+[0- 9]\+/{s/^#define \([^ \t]*\)[ \t]*\([^ \t]*\)/ \{ \2, \"\1\" \},/;y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/;p;}' < /usr/include/linux/capability.h | fgrep -v 0x > cap_names.sed +-# @sed -ne '/^#define[ \t]CAP[_A-Z]\+[ \t]\+[0- 9]\+/{s/^#define CAP_\([^ \t]*\)[ \t]*\([^ \t]*\)/ \{ \2, \"\1\" \},/;y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/;p;}' < /usr/include/linux/capability.h | fgrep -v 0x > cap_names.sed ++cap_names.list.h: Makefile $(KERNEL_HEADERS)/linux/capability.h ++ @echo "=> making $@ from $(KERNEL_HEADERS)/linux/capability.h" ++ perl -e 'while ($$l=<>) { if ($$l =~ /^\#define[ \t](CAP[_A- Z]+)[ \t]+([0-9]+)\s+$$/) { $$tok=$$1; $$va
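Review bot: two cross-build regressions in the lib/libcap/Makefile hunk of the embedded backport: `_makenames` is now compiled with `$(CC) $(CFLAGS)` instead of `$(BUILD_CC)`, yet it is still executed on the build machine (`./_makenames > cap_names.h`), so under a cross toolchain it is built for the target and cannot run; and `KERNEL_HEADERS=/usr/include` is hardcoded, so `cap_names.list.h` is generated from the host's linux/capability.h rather than the target sysroot's. Both would need overriding from the recipe if the bundled libcap is built at all, which is one more reason to prefer the 1.3.6e maintenance release already suggested in the thread over carrying a 2839-line patch in dunfell for one CVE.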
Re: [oe][meta-oe][kirkstone][PATCH 2/4] nodejs: fix CVE-2024-21892
On 2/27/24 6:37 AM, Polampalli, Archana via lists.openembedded.org wrote: Kindly ignore this patch. thanks for letting me know. - Armin Regards, Archana *From:* openembedded-devel@lists.openembedded.org on behalf of Polampalli, Archana via lists.openembedded.org *Sent:* Friday, February 23, 2024 14:06 *To:* openembedded-devel@lists.openembedded.org *Subject:* [oe][meta-oe][kirkstone][PATCH 2/4] nodejs: fix CVE-2024-21892 From: Archana Polampalli On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges. Signed-off-by: Archana Polampalli --- .../nodejs/nodejs/CVE-2024-21892-0001.patch | 97 +++ .../nodejs/nodejs/CVE-2024-21892-0002.patch | 58 +++ .../recipes-devtools/nodejs/nodejs_16.20.2.bb | 2 + 3 files changed, 157 insertions(+) create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0001.patch create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0002.patch diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0001.patch b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0001.patch new file mode 100644 index 0..0eb988fac --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0001.patch 
@@ -0,0 +1,97 @@ +From 3f619407fe1e597657b598383d0b5003a064311b Mon Sep 17 00:00:00 2001 +From: Daniel Bevenius +Date: Wed, 17 Mar 2021 13:48:51 +0100 +Subject: [PATCH 2/5] src: allow CAP_NET_BIND_SERVICE in SafeGetenv + +This commit updates SafeGetenv to check if the current process has the +effective capability cap_net_bind_service set, and if so allows +environment variables to be read. + +The motivation for this change is a use-case where Node is run in a +container, and the is a requirement to be able to listen to ports +below 1024. This is done by setting the capability of +cap_net_bind_service. In addition there is a need to set the +environment variable `NODE_EXTRA_CA_CERTS`. But currently this +environment variable will not be read when the capability has been set +on the executable. + +PR-URL: https://github.com/nodejs/node/pull/37727 +Reviewed-By: Anna Henningsen +Reviewed-By: Richard Lau +Reviewed-By: James M Snell +Reviewed-By: Michael Dawson + +CVE: CVE-2024-21892 + +Upstream-Status: Backport [https://github.com/nodejs/node/commit/3f619407fe1e5976] + +Signed-off-by: Archana Polampalli +--- + src/node_credentials.cc | 38 +- + 1 file changed, 37 insertions(+), 1 deletion(-) + +diff --git a/src/node_credentials.cc b/src/node_credentials.cc +index 4c098c9..7688af8 100644 +--- a/src/node_credentials.cc b/src/node_credentials.cc +@@ -12,6 +12,11 @@ + #include // setuid, getuid + #endif + ++#ifdef __linux__ ++#include ++#include ++#endif // __linux__ ++ + namespace node { + + using v8::Array; +@@ -33,14 +38,45 @@ bool linux_at_secure = false; + + namespace credentials { + +-// Look up environment variable unless running as setuid root. ++#if defined(__linux__) ++// Returns true if the current process only has the passed-in capability. 
++bool HasOnly(int capability) { ++ DCHECK(cap_valid(capability)); ++ ++ struct __user_cap_data_struct cap_data[2]; ++ struct __user_cap_header_struct cap_header_data = { ++ _LINUX_CAPABILITY_VERSION_3, ++ getpid()}; ++ ++ ++ if (syscall(SYS_capget, &cap_header_data, &cap_data) != 0) { ++ return false; ++ } ++ if (capability < 32) { ++ return cap_data[0].permitted == ++ static_cast(CAP_TO_MASK(capability)); ++ } ++ return cap_data[1].permitted == ++ static_cast(CAP_TO_MASK(capability)); ++} ++#endif ++ ++// Look up the environment variable and allow the lookup if the current ++// process only has the capability CAP_NET_BIND_SERVICE set. If the current ++// process does not have any capabilities set and the process is running as ++// setuid root then lookup will not be allowed. + bool SafeGetenv(const char* key, + std::string* text, + std::shared_ptr env_vars, + v8::Isolate* isolate) { + #if !defined(__CloudABI__) && !defined(_WIN32) ++#if defined(__linux__) ++ if ((!HasOnly(CAP_NET_BIND_SERVICE) && per_process::linux_at_secure) || ++ getuid() != geteuid() || getgid() != getegid()) ++#else + if (per_process::linux_at_secure || getuid() != geteuid() || + getgid() != getegid()) ++#endif + goto fail; + #endif + +-- +2.40.0 diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/CVE-2024-21892-0002.patch b/meta-oe/recipes-devtool
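Review bot: HasOnly() in CVE-2024-21892-0001.patch never checks that the other capability word is empty: for `capability < 32` it compares only `cap_data[0].permitted`, and for `capability >= 32` only `cap_data[1].permitted`, so a process holding CAP_NET_BIND_SERVICE together with any capability from the other 32-bit word still passes the "only" test and SafeGetenv() goes on to read the environment under the setuid/at_secure conditions it is meant to refuse. That is exactly the behaviour the cover text describes ("incorrectly applies this exception even when certain other capabilities have been set"), so this first patch on its own adds the permissive check rather than fixing it; the actual correction must be in 0002, which is cut off above, and the author has meanwhile asked for the patch to be ignored. If it is resubmitted, the check should require the unrelated word to be zero as well, and the two `#include` lines in the hunk have lost their header names in this archive rendering, so verify the patch file itself before applying.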
[oe] kirkstone-next merge request: Feb 28th
The following changes since commit 8609de00952d65bb813a48c535c937324efeb18a: Revert "libcroco: Add fix for CVE-2020-12825" (2024-02-07 18:41:41 -0500) are available in the Git repository at: https://git.openembedded.org/meta-openembedded kirkstone-next for you to fetch changes up to fda737ec0cc1d2a5217548a560074a8e4d5ec580: mbedtls: Upgrade 3.5.0 -> 3.5.2 (2024-02-28 08:18:18 -0500) Fathi Boudra (1): python3-django: upgrade from 4.2.7 to 4.2.10 Meenali Gupta (1): graphviz: fix CVE-2023-46045 Soumya Sambu (2): mbedtls: upgrade 2.28.5 -> 2.28.7 mbedtls: Upgrade 3.5.0 -> 3.5.2 Vijay Anusuri (1): squid: Backport fix for CVE-2023-49286 and CVE-2023-50269 Yogita Urade (1): mariadb: fix CVE-2023-22084 virendra thakur (1): nodejs: Set CVE_PRODUCT to "node.js" .../mbedtls/{mbedtls_2.28.5.bb => mbedtls_2.28.7.bb} | 6 +- .../mbedtls/{mbedtls_3.5.0.bb => mbedtls_3.5.2.bb} | 7 ++- .../recipes-daemons/squid/files/CVE-2023-49286.patch | 87 +++ .../recipes-daemons/squid/files/CVE-2023-50269.patch | 62 meta-networking/recipes-daemons/squid/squid_4.15.bb | 2 + meta-oe/recipes-dbs/mysql/mariadb.inc | 1 + meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch | 91 + meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb | 2 + .../recipes-graphics/graphviz/graphviz/CVE-2023-46045-1.patch | 38 .../recipes-graphics/graphviz/graphviz/CVE-2023-46045-2.patch | 39 + .../recipes-graphics/graphviz/graphviz/CVE-2023-46045-3.patch | 31 ++ meta-oe/recipes-graphics/graphviz/graphviz_2.50.0.bb | 3 + .../{python3-django_4.2.7.bb => python3-django_4.2.10.bb} | 2 +- 13 files changed, 364 insertions(+), 7 deletions(-) rename meta-networking/recipes-connectivity/mbedtls/{mbedtls_2.28.5.bb => mbedtls_2.28.7.bb} (91%) rename meta-networking/recipes-connectivity/mbedtls/{mbedtls_3.5.0.bb => mbedtls_3.5.2.bb} (93%) create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2023-49286.patch create mode 100644 meta-networking/recipes-daemons/squid/files/CVE-2023-50269.patch create mode 100644 
meta-oe/recipes-dbs/mysql/mariadb/CVE-2023-22084.patch create mode 100644 meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-1.patch create mode 100644 meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-2.patch create mode 100644 meta-oe/recipes-graphics/graphviz/graphviz/CVE-2023-46045-3.patch rename meta-python/recipes-devtools/python/{python3-django_4.2.7.bb => python3-django_4.2.10.bb} (77%)
[oe] [meta-oe][PATCH 1/1] libkcapi: Update HOMEPAGE url
The library's homepage url has changed. Signed-off-by: Alexander Stein --- meta-oe/recipes-crypto/libkcapi/libkcapi_1.5.0.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-crypto/libkcapi/libkcapi_1.5.0.bb b/meta-oe/recipes-crypto/libkcapi/libkcapi_1.5.0.bb index 35e9b032b..a34614dd9 100644 --- a/meta-oe/recipes-crypto/libkcapi/libkcapi_1.5.0.bb +++ b/meta-oe/recipes-crypto/libkcapi/libkcapi_1.5.0.bb @@ -1,5 +1,5 @@ SUMMARY = "Linux Kernel Crypto API User Space Interface Library" -HOMEPAGE = "http://www.chronox.de/libkcapi.html"; +HOMEPAGE = "https://www.chronox.de/libkcapi/index.html"; LICENSE = "BSD-3-Clause | GPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=3d8a091d797491204567185a6efce70f" -- 2.34.1
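Review bot: the `;` after the closing quote on both the removed and the added HOMEPAGE line is not valid BitBake syntax; since it appears on the unchanged `-` line as well, it looks like archive rendering rather than recipe content, but make sure the patch as applied ends each line at the closing quote. Otherwise the change is fine, and moving the metadata link to https is the right direction.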