[oe] [meta-oe][PATCH v2 1/1] multipath-tools: upgrade 0.8.4 -> 0.9.3

2022-12-12 Thread Ovidiu Panait
From: Ovidiu Panait 

* most patches were rebased on top of 0.9.3 with various small adjustments.

* the following patches were dropped:
  0001-fix-boolean-value-with-json-c-0.14.patch
  0001-libmultipath-uevent.c-fix-error-handling-for-udev_mo.patch

  replaced by upstream commits:
  82129852d747 ("fix boolean value with json-c 0.14")
  54349bcfc818 ("libmultipath: avoid buffer size warning with systemd 240+")

* prefix, usrlibdir, plugindir, modulesloaddir, and tmpfilesdir were added to
  EXTRA_OEMAKE to fix QA.

* libgcc was added to RDEPENDS in order to fix the following startup error:
  "libgcc_s.so.1 must be installed for pthread_cancel to work"

Signed-off-by: Ovidiu Panait 
---
 ...add-explicit-dependency-on-libraries.patch | 24 +++---
 ...1-fix-boolean-value-with-json-c-0.14.patch | 42 --
 ...fix-bug-of-do_compile-and-do_install.patch | 33 
 ...ent.c-fix-error-handling-for-udev_mo.patch | 39 -
 .../0021-RH-fixup-udev-rules-for-redhat.patch | 40 -
 ...property-blacklist-exception-builtin.patch | 25 +++---
 ...RH-don-t-start-without-a-config-file.patch | 58 ++---
 .../0024-RH-use-rpm-optflags-if-present.patch | 44 ++
 .../files/0025-RH-add-mpathconf.patch | 61 +++---
 ...om-kernel-cmdline-mpath.wwids-with-A.patch | 17 ++--
 ...-on-invalid-regex-instead-of-failing.patch | 82 +++
 ...modify-Makefile.inc-for-cross-compil.patch | 14 ++--
 .../files/0030-Always-use-devmapper.patch | 59 -
 ...0031-Always-use-devmapper-for-kpartx.patch | 16 ++--
 ...-replace-perl-with-sed-in-install-ta.patch | 14 ++--
 ...ools_0.8.4.bb => multipath-tools_0.9.3.bb} | 11 ++-
 16 files changed, 257 insertions(+), 322 deletions(-)
 delete mode 100644 
meta-oe/recipes-support/multipath-tools/files/0001-fix-boolean-value-with-json-c-0.14.patch
 delete mode 100644 
meta-oe/recipes-support/multipath-tools/files/0001-libmultipath-uevent.c-fix-error-handling-for-udev_mo.patch
 rename meta-oe/recipes-support/multipath-tools/{multipath-tools_0.8.4.bb => 
multipath-tools_0.9.3.bb} (93%)

diff --git 
a/meta-oe/recipes-support/multipath-tools/files/0001-add-explicit-dependency-on-libraries.patch
 
b/meta-oe/recipes-support/multipath-tools/files/0001-add-explicit-dependency-on-libraries.patch
index 2827bb874..3b0a70448 100644
--- 
a/meta-oe/recipes-support/multipath-tools/files/0001-add-explicit-dependency-on-libraries.patch
+++ 
b/meta-oe/recipes-support/multipath-tools/files/0001-add-explicit-dependency-on-libraries.patch
@@ -1,4 +1,4 @@
-From 04884263d1de8c427a7a15bd1cf6466ea65d3a0b Mon Sep 17 00:00:00 2001
+From ee9f7b6e764be5668bc958f8bb97a46e5056d050 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia 
 Date: Mon, 25 May 2020 23:22:55 -0700
 Subject: [PATCH] add explicit dependency on libraries
@@ -17,24 +17,24 @@ ln -sf libmpathpersist.so.0 libmpathpersist.so
 Upstream-Status: Pending
 
 Signed-off-by: Hongxu Jia 
+[OP: Rebase to 0.9.3]
+Signed-off-by: Ovidiu Panait 
 ---
- Makefile | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ Makefile | 1 +
+ 1 file changed, 1 insertion(+)
 
 diff --git a/Makefile b/Makefile
-index bea0a0b2..37a77129 100644
+index f195b570..2d22881c 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -29,7 +29,8 @@ $(BUILDDIRS):
-   $(MAKE) -C $@
- 
- multipath multipathd mpathpersist libmpathpersist : libmultipath
--mpathpersist:  libmpathpersist
-+mpathpersist multipathd:  libmpathpersist
-+libdmmp libmultipath mpathpersist multipath multipathd: libmpathcmd
+@@ -78,6 +78,7 @@ libmultipath: libmpathutil
+ libmpathpersist libmpathvalid multipath multipathd: libmultipath
+ libmultipath/prioritizers libmultipath/checkers libmultipath/foreign: 
libmultipath
+ mpathpersist multipathd:  libmpathpersist
++libmultipath mpathpersist multipath multipathd: libmpathcmd
  
  DEPS_ON_MULTIPATH := \
multipath \
 -- 
-2.21.0
+2.38.1
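Review bot: The rebased rule `libmultipath mpathpersist multipath multipathd: libmpathcmd` no longer lists `libdmmp`, which the 0.8.4 version of this patch ordered after libmpathcmd, and neither the commit message nor the `[OP: Rebase to 0.9.3]` tag says why. If libdmmp still links against libmpathcmd and the upstream Makefile does not order the two elsewhere (not visible in this hunk), a parallel build can reach libdmmp before the library exists. Either keep `libdmmp` in the target list or state in the rebase tag why it was dropped. The same hunk appears again in the v1 posting further down this page.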
 
diff --git 
a/meta-oe/recipes-support/multipath-tools/files/0001-fix-boolean-value-with-json-c-0.14.patch
 
b/meta-oe/recipes-support/multipath-tools/files/0001-fix-boolean-value-with-json-c-0.14.patch
deleted file mode 100644
index cf97b491e..0
--- 
a/meta-oe/recipes-support/multipath-tools/files/0001-fix-boolean-value-with-json-c-0.14.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 5ae81386a8cfea4180738c261cd3f7944a631199 Mon Sep 17 00:00:00 2001
-From: Khem Raj 
-Date: Wed, 3 Jun 2020 16:03:56 -0700
-Subject: [PATCH] fix boolean value with json-c 0.14
-
-Patch from Christian Hesse posted here
-https://www.spinics.net/lists/dm-devel/msg40646.html
-
-Upstream json-c 0.14+ removed the TRUE and FALSE defines in commit
-0992aac61f8b087efd7094e9ac2b84fa9c040fcd.
-
-Upstream-Status: Submitted 
[https://www.spinics.net/lists/dm-devel/msg40646.html]
-Signed-off-by: Khem Raj 

- libdmmp/libdmmp_private.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libdmmp/libdmmp_private.h b/libdmmp/libdmmp_private.h
-index ac85b63f..29400826 100

[oe] [meta-oe][PATCH 1/1] multipath-tools: upgrade 0.8.4 -> 0.9.3

2022-12-08 Thread Ovidiu Panait
From: Ovidiu Panait 

* most patches were rebased on top of 0.9.3 with various small adjustments.

* the following patches were dropped:
  0001-fix-boolean-value-with-json-c-0.14.patch
  0001-libmultipath-uevent.c-fix-error-handling-for-udev_mo.patch

  replaced by upstream commits:
  82129852d747 ("fix boolean value with json-c 0.14")
  54349bcfc818 ("libmultipath: avoid buffer size warning with systemd 240+")

* prefix, plugindir, modulesloaddir, and tmpfilesdir were added to EXTRA_OEMAKE
  to fix QA.

* libgcc was added to RDEPENDS in order to fix the following startup error:
  "libgcc_s.so.1 must be installed for pthread_cancel to work"

Signed-off-by: Ovidiu Panait 
---
 ...add-explicit-dependency-on-libraries.patch | 24 +++---
 ...1-fix-boolean-value-with-json-c-0.14.patch | 42 --
 ...fix-bug-of-do_compile-and-do_install.patch | 33 
 ...ent.c-fix-error-handling-for-udev_mo.patch | 39 -
 .../0021-RH-fixup-udev-rules-for-redhat.patch | 40 -
 ...property-blacklist-exception-builtin.patch | 25 +++---
 ...RH-don-t-start-without-a-config-file.patch | 58 ++---
 .../0024-RH-use-rpm-optflags-if-present.patch | 44 ++
 .../files/0025-RH-add-mpathconf.patch | 61 +++---
 ...om-kernel-cmdline-mpath.wwids-with-A.patch | 17 ++--
 ...-on-invalid-regex-instead-of-failing.patch | 82 +++
 ...modify-Makefile.inc-for-cross-compil.patch | 14 ++--
 .../files/0030-Always-use-devmapper.patch | 59 -
 ...0031-Always-use-devmapper-for-kpartx.patch | 16 ++--
 ...-replace-perl-with-sed-in-install-ta.patch | 14 ++--
 ...ools_0.8.4.bb => multipath-tools_0.9.3.bb} | 10 ++-
 16 files changed, 256 insertions(+), 322 deletions(-)
 delete mode 100644 
meta-oe/recipes-support/multipath-tools/files/0001-fix-boolean-value-with-json-c-0.14.patch
 delete mode 100644 
meta-oe/recipes-support/multipath-tools/files/0001-libmultipath-uevent.c-fix-error-handling-for-udev_mo.patch
 rename meta-oe/recipes-support/multipath-tools/{multipath-tools_0.8.4.bb => 
multipath-tools_0.9.3.bb} (93%)

diff --git 
a/meta-oe/recipes-support/multipath-tools/files/0001-add-explicit-dependency-on-libraries.patch
 
b/meta-oe/recipes-support/multipath-tools/files/0001-add-explicit-dependency-on-libraries.patch
index 2827bb874..3b0a70448 100644
--- 
a/meta-oe/recipes-support/multipath-tools/files/0001-add-explicit-dependency-on-libraries.patch
+++ 
b/meta-oe/recipes-support/multipath-tools/files/0001-add-explicit-dependency-on-libraries.patch
@@ -1,4 +1,4 @@
-From 04884263d1de8c427a7a15bd1cf6466ea65d3a0b Mon Sep 17 00:00:00 2001
+From ee9f7b6e764be5668bc958f8bb97a46e5056d050 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia 
 Date: Mon, 25 May 2020 23:22:55 -0700
 Subject: [PATCH] add explicit dependency on libraries
@@ -17,24 +17,24 @@ ln -sf libmpathpersist.so.0 libmpathpersist.so
 Upstream-Status: Pending
 
 Signed-off-by: Hongxu Jia 
+[OP: Rebase to 0.9.3]
+Signed-off-by: Ovidiu Panait 
 ---
- Makefile | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ Makefile | 1 +
+ 1 file changed, 1 insertion(+)
 
 diff --git a/Makefile b/Makefile
-index bea0a0b2..37a77129 100644
+index f195b570..2d22881c 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -29,7 +29,8 @@ $(BUILDDIRS):
-   $(MAKE) -C $@
- 
- multipath multipathd mpathpersist libmpathpersist : libmultipath
--mpathpersist:  libmpathpersist
-+mpathpersist multipathd:  libmpathpersist
-+libdmmp libmultipath mpathpersist multipath multipathd: libmpathcmd
+@@ -78,6 +78,7 @@ libmultipath: libmpathutil
+ libmpathpersist libmpathvalid multipath multipathd: libmultipath
+ libmultipath/prioritizers libmultipath/checkers libmultipath/foreign: 
libmultipath
+ mpathpersist multipathd:  libmpathpersist
++libmultipath mpathpersist multipath multipathd: libmpathcmd
  
  DEPS_ON_MULTIPATH := \
multipath \
 -- 
-2.21.0
+2.38.1
 
diff --git 
a/meta-oe/recipes-support/multipath-tools/files/0001-fix-boolean-value-with-json-c-0.14.patch
 
b/meta-oe/recipes-support/multipath-tools/files/0001-fix-boolean-value-with-json-c-0.14.patch
deleted file mode 100644
index cf97b491e..0
--- 
a/meta-oe/recipes-support/multipath-tools/files/0001-fix-boolean-value-with-json-c-0.14.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 5ae81386a8cfea4180738c261cd3f7944a631199 Mon Sep 17 00:00:00 2001
-From: Khem Raj 
-Date: Wed, 3 Jun 2020 16:03:56 -0700
-Subject: [PATCH] fix boolean value with json-c 0.14
-
-Patch from Christian Hesse posted here
-https://www.spinics.net/lists/dm-devel/msg40646.html
-
-Upstream json-c 0.14+ removed the TRUE and FALSE defines in commit
-0992aac61f8b087efd7094e9ac2b84fa9c040fcd.
-
-Upstream-Status: Submitted 
[https://www.spinics.net/lists/dm-devel/msg40646.html]
-Signed-off-by: Khem Raj 

- libdmmp/libdmmp_private.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libdmmp/libdmmp_private.h b/libdmmp/libdmmp_private.h
-index ac85b63f..29400826 100644
---

[oe] [meta-oe][PATCH v3] syzkaller: add recipe and selftest for syzkaller fuzzing

2022-10-21 Thread Ovidiu Panait
Syzkaller is a coverage-guided fuzzer that is widely used to find bugs in
the Linux kernel:
https://github.com/google/syzkaller

Add the recipe and a selftest for running the fuzzer in a qemux86-64
kvm environment. The following steps can be used to start the test:
"""
cat >> conf/local.conf <http://127.0.0.1:49605
serving rpc on tcp://[::]:46475
booting test machines...
wait for the connection from test machine...
vm-0: crash: KCSAN: data-race in poll_schedule_timeout.constprop.NUM / pollwake
vm-1: crash: KCSAN: data-race in mutex_spin_on_owner
machine check:
syscalls: 2227/4223
code coverage   : enabled
comparison tracing  : enabled
extra coverage  : enabled
delay kcov mmap : mmap returned an invalid pointer
setuid sandbox  : enabled
namespace sandbox   : enabled
Android sandbox : /sys/fs/selinux/policy does not exist
fault injection : enabled
leak checking   : enabled
net packet injection: enabled
net device setup: enabled
concurrency sanitizer   : enabled
devlink PCI setup   : PCI device :00:10.0 is not available
USB emulation   : enabled
hci packet injection: enabled
wifi device emulation   : enabled
802.15.4 emulation  : enabled
corpus  : 0 (deleted 0 broken)
seeds   : 0/0
VMs 2, executed 1, cover 0, signal 0/0, crashes 2, repro 0
vm-1: crash: KCSAN: data-race in mutex_spin_on_owner
"""

This will fuzz the yocto kernel for 30 minutes using 2 qemu VMs, each VM
getting 2048MB of memory and 2 CPUs.

The path in SYZ_WORKDIR must be an absolute path that is persistent across
oe-selftest runs, so that fuzzing does not start all over again on each
invocation. Syzkaller will save the corpus database in that directory and will
use the database to keep track of the interfaces already fuzzed.

After the test is done, the crashes directory in the syzkaller workdir
(SYZ_WORKDIR) will contain the report files for all the bugs found.

Signed-off-by: Ovidiu Panait 
---
v3 updates:
- fix build with clang

 meta-oe/lib/oeqa/selftest/cases/syzkaller.py  | 124 ++
 ...ets.go-allow-users-to-override-hardc.patch |  67 ++
 .../recipes-test/syzkaller/syzkaller_git.bb   |  73 +++
 3 files changed, 264 insertions(+)
 create mode 100644 meta-oe/lib/oeqa/selftest/cases/syzkaller.py
 create mode 100644 
meta-oe/recipes-test/syzkaller/syzkaller/0001-sys-targets-targets.go-allow-users-to-override-hardc.patch
 create mode 100644 meta-oe/recipes-test/syzkaller/syzkaller_git.bb

diff --git a/meta-oe/lib/oeqa/selftest/cases/syzkaller.py 
b/meta-oe/lib/oeqa/selftest/cases/syzkaller.py
new file mode 100644
index 0..64fc864bf
--- /dev/null
+++ b/meta-oe/lib/oeqa/selftest/cases/syzkaller.py
@@ -0,0 +1,124 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars
+from oeqa.utils.network import get_free_port
+
+class TestSyzkaller(OESelftestTestCase):
+def setUpSyzkallerConfig(self, os_arch, qemu_postfix):
+syz_target_sysroot = get_bb_var('PKGD', 'syzkaller')
+syz_target = os.path.join(syz_target_sysroot, 'usr')
+
+qemu_native_bin = os.path.join(self.syz_native_sysroot, 
'usr/bin/qemu-system-' + qemu_postfix)
+kernel_cmdline = "ip=dhcp rootfs=/dev/sda dummy_hcd.num=%s" % 
(self.dummy_hcd_num)
+kernel_objdir = self.deploy_dir_image
+port = get_free_port()
+
+if not os.path.exists(self.syz_workdir):
+os.mkdir(self.syz_workdir)
+
+with open(self.syz_cfg, 'w') as f:
+f.write(
+"""
+{
+   "target": "%s",
+   "http": "127.0.0.1:%s",
+   "workdir": "%s",
+   "kernel_obj": "%s",
+   "kernel_src": "%s",
+   "image": "%s",
+   "syzkaller": "%s",
+   "type": "qemu",
+   "reproduce" : false,
+   "sandbox": "none",
+   "vm": {
+   "count": %s,
+   "kernel": "%s",
+   "cmdline": "%s",
+   "cpu": %s,
+   "mem": %s,
+   "qemu": "%s",
+   "qemu_args": "-device virtio-scsi-pci,id=scsi -device 
scsi-hd,drive=rootfs -enable-kvm -cpu host,migratable=off",
+   "image_device": "drive 
index=0,id=rootfs,if=none,media=disk,file="
+   }
+}
+"""
+% (os_arch, port, self.syz_workdir, kernel_objdir, self.kernel_src,
+   self.rootfs, syz_target, self.syz_qemu_vms, self.kernel, kernel_cmdline,
+   self.syz_qemu_cpus, self.syz_qemu_mem, qemu_native_bin))
+
+def tes

[oe] [meta-oe][PATCH v2] syzkaller: add recipe and selftest for syzkaller fuzzing

2022-10-17 Thread Ovidiu Panait
Syzkaller is a coverage-guided fuzzer that is widely used to find bugs in
the Linux kernel:
https://github.com/google/syzkaller

Add the recipe and a selftest for running the fuzzer in a qemux86-64
kvm environment. The following steps can be used to start the test:
"""
cat >> conf/local.conf <http://127.0.0.1:49605
serving rpc on tcp://[::]:46475
booting test machines...
wait for the connection from test machine...
vm-0: crash: KCSAN: data-race in poll_schedule_timeout.constprop.NUM / pollwake
vm-1: crash: KCSAN: data-race in mutex_spin_on_owner
machine check:
syscalls: 2227/4223
code coverage   : enabled
comparison tracing  : enabled
extra coverage  : enabled
delay kcov mmap : mmap returned an invalid pointer
setuid sandbox  : enabled
namespace sandbox   : enabled
Android sandbox : /sys/fs/selinux/policy does not exist
fault injection : enabled
leak checking   : enabled
net packet injection: enabled
net device setup: enabled
concurrency sanitizer   : enabled
devlink PCI setup   : PCI device :00:10.0 is not available
USB emulation   : enabled
hci packet injection: enabled
wifi device emulation   : enabled
802.15.4 emulation  : enabled
corpus  : 0 (deleted 0 broken)
seeds   : 0/0
VMs 2, executed 1, cover 0, signal 0/0, crashes 2, repro 0
vm-1: crash: KCSAN: data-race in mutex_spin_on_owner
"""

This will fuzz the yocto kernel for 30 minutes using 2 qemu VMs, each VM
getting 2048MB of memory and 2 CPUs.

The path in SYZ_WORKDIR must be an absolute path that is persistent across
oe-selftest runs, so that fuzzing does not start all over again on each
invocation. Syzkaller will save the corpus database in that directory and will
use the database to keep track of the interfaces already fuzzed.

After the test is done, the crashes directory in the syzkaller workdir
(SYZ_WORKDIR) will contain the report files for all the bugs found.

Signed-off-by: Ovidiu Panait 
---
 meta-oe/lib/oeqa/selftest/cases/syzkaller.py  | 124 ++
 ...ets.go-allow-users-to-override-hardc.patch |  67 ++
 .../recipes-test/syzkaller/syzkaller_git.bb   |  85 
 3 files changed, 276 insertions(+)
 create mode 100644 meta-oe/lib/oeqa/selftest/cases/syzkaller.py
 create mode 100644 
meta-oe/recipes-test/syzkaller/syzkaller/0001-sys-targets-targets.go-allow-users-to-override-hardc.patch
 create mode 100644 meta-oe/recipes-test/syzkaller/syzkaller_git.bb

diff --git a/meta-oe/lib/oeqa/selftest/cases/syzkaller.py 
b/meta-oe/lib/oeqa/selftest/cases/syzkaller.py
new file mode 100644
index 0..64fc864bf
--- /dev/null
+++ b/meta-oe/lib/oeqa/selftest/cases/syzkaller.py
@@ -0,0 +1,124 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars
+from oeqa.utils.network import get_free_port
+
+class TestSyzkaller(OESelftestTestCase):
+def setUpSyzkallerConfig(self, os_arch, qemu_postfix):
+syz_target_sysroot = get_bb_var('PKGD', 'syzkaller')
+syz_target = os.path.join(syz_target_sysroot, 'usr')
+
+qemu_native_bin = os.path.join(self.syz_native_sysroot, 
'usr/bin/qemu-system-' + qemu_postfix)
+kernel_cmdline = "ip=dhcp rootfs=/dev/sda dummy_hcd.num=%s" % 
(self.dummy_hcd_num)
+kernel_objdir = self.deploy_dir_image
+port = get_free_port()
+
+if not os.path.exists(self.syz_workdir):
+os.mkdir(self.syz_workdir)
+
+with open(self.syz_cfg, 'w') as f:
+f.write(
+"""
+{
+   "target": "%s",
+   "http": "127.0.0.1:%s",
+   "workdir": "%s",
+   "kernel_obj": "%s",
+   "kernel_src": "%s",
+   "image": "%s",
+   "syzkaller": "%s",
+   "type": "qemu",
+   "reproduce" : false,
+   "sandbox": "none",
+   "vm": {
+   "count": %s,
+   "kernel": "%s",
+   "cmdline": "%s",
+   "cpu": %s,
+   "mem": %s,
+   "qemu": "%s",
+   "qemu_args": "-device virtio-scsi-pci,id=scsi -device 
scsi-hd,drive=rootfs -enable-kvm -cpu host,migratable=off",
+   "image_device": "drive 
index=0,id=rootfs,if=none,media=disk,file="
+   }
+}
+"""
+% (os_arch, port, self.syz_workdir, kernel_objdir, self.kernel_src,
+   self.rootfs, syz_target, self.syz_qemu_vms, self.kernel, kernel_cmdline,
+   self.syz_qemu_cpus, self.syz_qemu_mem, qemu_native_bin))
+
+def test_syzkallerFuzzingQemux86_64(self):
+

[oe] [meta-oe][PATCH] redis: build with USE_SYSTEMD=yes when systemd is enabled

2022-09-23 Thread Ovidiu Panait
Compile redis with full systemd support when the chosen init system is
systemd.

Enabling systemd supervision allows redis to communicate the actual server
status (i.e. "Loading dataset", "Waiting for master<->replica sync") to
systemd, instead of declaring readiness right after initializing the server
process.

Signed-off-by: Ovidiu Panait 
---
 meta-oe/recipes-extended/redis/redis-7/redis.service | 1 +
 meta-oe/recipes-extended/redis/redis_7.0.4.bb| 8 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/meta-oe/recipes-extended/redis/redis-7/redis.service 
b/meta-oe/recipes-extended/redis/redis-7/redis.service
index 36d29852d..a52204cc7 100644
--- a/meta-oe/recipes-extended/redis/redis-7/redis.service
+++ b/meta-oe/recipes-extended/redis/redis-7/redis.service
@@ -9,6 +9,7 @@ ExecStart=/usr/bin/redis-server /etc/redis/redis.conf
 ExecStop=/usr/bin/redis-cli shutdown
 Restart=always
 LimitNOFILE=10032
+Type=notify
 
 [Install]
 WantedBy=multi-user.target
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.4.bb 
b/meta-oe/recipes-extended/redis/redis_7.0.4.bb
index cde32e414..35165923c 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.4.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.4.bb
@@ -35,7 +35,10 @@ USERADD_PACKAGES = "${PN}"
 USERADD_PARAM:${PN}  = "--system --home-dir /var/lib/redis -g redis --shell 
/bin/false redis"
 GROUPADD_PARAM:${PN} = "--system redis"
 
-REDIS_ON_SYSTEMD = "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 
'false', d)}"
+PACKAGECONFIG = "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"
+PACKAGECONFIG[systemd] = "USE_SYSTEMD=yes,USE_SYSTEMD=no,systemd"
+
+EXTRA_OEMAKE += "${PACKAGECONFIG_CONFARGS}"
 
 do_compile:prepend() {
 (cd deps && oe_runmake hiredis lua linenoise)
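Review bot: `PACKAGECONFIG = "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"` is a hard assignment, so a weak default set in a distro or local configuration is overridden by the recipe. The usual recipe form is the weak default `PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}"`, which keeps the same behaviour when nothing else sets it. A one-line comment above `PACKAGECONFIG[systemd]` saying that it selects redis's `USE_SYSTEMD` make variable and pulls in the systemd dependency would also help the next reader.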
@@ -55,8 +58,9 @@ do_install() {
 install -m 0644 ${WORKDIR}/redis.service ${D}${systemd_system_unitdir}
 sed -i 's!/usr/sbin/!${sbindir}/!g' 
${D}${systemd_system_unitdir}/redis.service
 
-if [ "${REDIS_ON_SYSTEMD}" = true ]; then
+if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', 
d)}; then
 sed -i 's!daemonize yes!# daemonize yes!' 
${D}/${sysconfdir}/redis/redis.conf
+sed -i 's!supervised no!supervised systemd!' 
${D}/${sysconfdir}/redis/redis.conf
 fi
 }
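Review bot: The `supervised systemd` edit is gated on `DISTRO_FEATURES`, but whether redis is built with systemd support is now decided by `PACKAGECONFIG[systemd]`, and the redis.service hunk above adds `Type=notify` unconditionally. If systemd is removed from PACKAGECONFIG on a systemd distro, the binary is built with `USE_SYSTEMD=no` while the unit still waits for a readiness notification. The start would then presumably time out and, with `Restart=always`, loop; this is inferred and not shown on the page. Gate the supervised line on the build option instead, `if ${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'true', 'false', d)}; then`, and set `Type=notify` on the installed unit with a `sed` under that same condition rather than in the static file. do_install begins outside this hunk.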
 
-- 
2.37.3





[oe] [meta-networking][PATCH 1/1] net-snmp: upgrade 5.9.1 -> 5.9.3

2022-08-11 Thread Ovidiu Panait
Upgrade summary:

- drop 0002-configure-fix-a-cc-check-issue.patch, as it was replaced with
  upstream commit https://github.com/net-snmp/net-snmp/commit/dbb49acfa2af
- drop 0001-snmpd-always-exit-after-displaying-usage.patch backport
- rebase net-snmp-5.7.2-fix-engineBoots-value-on-SIGHUP.patch manually
- refresh patches with devtool to get rid of fuzz

Changelog:
--
*5.9.3*:
security:
  - These two CVEs can be exploited by a user with read-only credentials:
  - CVE-2022-24805 A buffer overflow in the handling of the INDEX of
NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
  - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
can cause a NULL pointer dereference.
  - These CVEs can be exploited by a user with read-write credentials:
  - CVE-2022-24806 Improper Input Validation when SETing malformed
OIDs in master agent and subagent simultaneously
  - CVE-2022-24807 A malformed OID in a SET request to
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
out-of-bounds memory access.
  - CVE-2022-24808 A malformed OID in a SET request to
NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
  - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
can cause a NULL pointer dereference.
  - To avoid these flaws, use strong SNMPv3 credentials and do not share them.
If you must use SNMPv1 or SNMPv2c, use a complex community string
and enhance the protection by restricting access to a given IP address
range.
  - Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
reporting the following CVEs that have been fixed in this release, and
to Arista Networks for providing fixes.

Windows:
  - WinExtDLL: Fix multiple compiler warnings
  - WinExtDLL: Make long strings occupy a single line Make it easier to
look up error messages in the source code by making long strings
occupy a single source code line.
  - WinExtDLL: Restore MIB-II support Make winExtDLL work on 64-bit
Windows systems") caused snmpd to skip MIB-II on 64-bit systems.

IF-MIB: Update ifTable entries even if the interface name has changed
At least on Linux a network interface index may be reused for a
network interface with a different name. Hence this patch that
enables replacing network interface information even if the network
interface name has changed.

unspecified:
  - Moved transport code into a separate subdirectory in snmplib
  - Snmplib: remove inline versions of container funcs".

misc:
  - snmp-create-v3-user: Fix the snmpd.conf path   @datadir@ is
expanded in ${datarootdir} so datarootdir must be set before
@datadir@ is used.

*5.9.2*:
skipped due to a library versioning bug found at the last minute -- use 5.9.3 instead

Signed-off-by: Ovidiu Panait 
---
 ...ath.m4-keep-consistent-between-32bit.patch | 11 ++--
 .../0001-config_os_headers-Error-Fix.patch|  4 +-
 ...1-get_pid_from_inode-Include-limit.h.patch |  6 +-
 ...d-always-exit-after-displaying-usage.patch | 55 ---
 c-Don-t-check-for-return-from-EVP_M.patch |  4 +-
 .../0002-configure-fix-a-cc-check-issue.patch | 28 --
 ...004-configure-fix-incorrect-variable.patch |  6 +-
 .../net-snmp/fix-libtool-finish.patch |  6 +-
 7.2-fix-engineBoots-value-on-SIGHUP.patch | 26 -
 ...add-knob-whether-nlist.h-are-checked.patch |  4 +-
 .../net-snmp-fix-for-disable-des.patch|  4 +-
 ...ting-add-the-output-format-for-ptest.patch |  2 +-
 .../reproducibility-have-printcap.patch   |  4 +-
 .../{net-snmp_5.9.1.bb => net-snmp_5.9.3.bb}  |  4 +-
 14 files changed, 38 insertions(+), 126 deletions(-)
 delete mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/0001-snmpd-always-exit-after-displaying-usage.patch
 delete mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/0002-configure-fix-a-cc-check-issue.patch
 rename meta-networking/recipes-protocols/net-snmp/{net-snmp_5.9.1.bb => 
net-snmp_5.9.3.bb} (98%)

diff --git 
a/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch
 
b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch
index 4cd729044..0eeddf752 100644
--- 
a/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch
+++ 
b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch
@@ -1,7 +1,8 @@
-From 6f8ea2e841ad45eed193310b599d3f3b410ae91d Mon Sep 17 00:00:00 2001
+From 98c62e24fdd05d7e8bd8149840bad8eb0feb3fb1 Mon Sep 17 00:00:00 2001
 From: Mingli Yu 
 Date: Fri, 29 Jan 2021 08:49:15 +
-Subject: [PATCH] ac_add_search_path.m4: keep consistent between 32bit and 64bit
+Subject: [PATCH] ac_add_search_path.m4: keep consiste

Re: [oe] [meta-oe][PATCH] syzkaller: add recipe and selftest for syzkaller fuzzer

2022-04-28 Thread Ovidiu Panait

Hi Khem,

Any feedback for this patch?

Thanks!
Ovidiu

On 14.04.2022 18:56, Ovidiu Panait wrote:

Syzkaller is a coverage-guided fuzzer that is widely used to find bugs in
the Linux kernel:
https://github.com/google/syzkaller

Add the recipe and a selftest for running the fuzzer in a qemux86-64
kvm environment. The following steps can be used to start the test:
"""
cat >> conf/local.conf <http://127.0.0.1:49605
serving rpc on tcp://[::]:46475
booting test machines...
wait for the connection from test machine...
vm-0: crash: KCSAN: data-race in poll_schedule_timeout.constprop.NUM / pollwake
vm-1: crash: KCSAN: data-race in mutex_spin_on_owner
machine check:
syscalls: 2227/4223
code coverage   : enabled
comparison tracing  : enabled
extra coverage  : enabled
delay kcov mmap : mmap returned an invalid pointer
setuid sandbox  : enabled
namespace sandbox   : enabled
Android sandbox : /sys/fs/selinux/policy does not exist
fault injection : enabled
leak checking   : enabled
net packet injection: enabled
net device setup: enabled
concurrency sanitizer   : enabled
devlink PCI setup   : PCI device :00:10.0 is not available
USB emulation   : enabled
hci packet injection: enabled
wifi device emulation   : enabled
802.15.4 emulation  : enabled
corpus  : 0 (deleted 0 broken)
seeds   : 0/0
VMs 2, executed 1, cover 0, signal 0/0, crashes 2, repro 0
vm-1: crash: KCSAN: data-race in mutex_spin_on_owner
"""

This will fuzz the yocto kernel for 30 minutes using 2 qemu VMs, each VM
getting 2048MB of memory and 2 CPUs.

The path in SYZ_WORKDIR must be an absolute path that is persistent across
oe-selftest runs, so that fuzzing does not start all over again on each
invocation. Syzkaller will save the corpus database in that directory and will
use the database to keep track of the interfaces already fuzzed.

After the test is done, the crashes directory in the syzkaller workdir
(SYZ_WORKDIR) will contain the report files for all the bugs found.

Signed-off-by: Ovidiu Panait 
---
  meta-oe/lib/oeqa/selftest/cases/syzkaller.py  | 123 ++
  ...ets.go-allow-users-to-override-hardc.patch |  67 ++
  .../recipes-test/syzkaller/syzkaller_git.bb   |  85 
  3 files changed, 275 insertions(+)
  create mode 100644 meta-oe/lib/oeqa/selftest/cases/syzkaller.py
  create mode 100644 
meta-oe/recipes-test/syzkaller/syzkaller/0001-sys-targets-targets.go-allow-users-to-override-hardc.patch
  create mode 100644 meta-oe/recipes-test/syzkaller/syzkaller_git.bb

diff --git a/meta-oe/lib/oeqa/selftest/cases/syzkaller.py 
b/meta-oe/lib/oeqa/selftest/cases/syzkaller.py
new file mode 100644
index 0..c11cadddb
--- /dev/null
+++ b/meta-oe/lib/oeqa/selftest/cases/syzkaller.py
@@ -0,0 +1,123 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars
+from oeqa.utils.network import get_free_port
+
+class TestSyzkaller(OESelftestTestCase):
+def setUpSyzkallerConfig(self, os_arch, qemu_postfix):
+syz_target_sysroot = get_bb_var('PKGD', 'syzkaller')
+syz_target = os.path.join(syz_target_sysroot, 'usr')
+
+qemu_native_bin = os.path.join(self.syz_native_sysroot, 
'usr/bin/qemu-system-' + qemu_postfix)
+kernel_cmdline = "ip=dhcp rootfs=/dev/sda dummy_hcd.num=%s" % 
(self.dummy_hcd_num)
+kernel_objdir = self.deploy_dir_image
+port = get_free_port()
+
+if not os.path.exists(self.syz_workdir):
+os.mkdir(self.syz_workdir)
+
+with open(self.syz_cfg, 'w') as f:
+f.write(
+"""
+{
+   "target": "%s",
+   "http": "127.0.0.1:%s",
+   "workdir": "%s",
+   "kernel_obj": "%s",
+   "kernel_src": "%s",
+   "image": "%s",
+   "syzkaller": "%s",
+   "type": "qemu",
+   "reproduce" : false,
+   "sandbox": "none",
+   "vm": {
+   "count": %s,
+   "kernel": "%s",
+   "cmdline": "%s",
+   "cpu": %s,
+   "mem": %s,
+   "qemu": "%s",
+   "qemu_args": "-device virtio-scsi-pci,id=scsi -device 
scsi-hd,drive=rootfs -enable-kvm -cpu host,migratable=off",
+   "image_device": "drive 
index=0,id=rootfs,if=none,media=disk,file="
+   }
+}
+"""
+% (os_arch, port, self.syz_workdir, kernel_objdir, self.kernel_src,
+   self.rootfs, syz_target, self.syz_qemu_vms, self.kernel, kernel_cmdline,
+   self.syz_qemu_cpus,

[oe] [meta-oe][PATCH] syzkaller: add recipe and selftest for syzkaller fuzzer

2022-04-14 Thread Ovidiu Panait
Syzkaller is a coverage-guided fuzzer that is widely used to find bugs in
the Linux kernel:
https://github.com/google/syzkaller

Add the recipe and a selftest for running the fuzzer in a qemux86-64
kvm environment. The following steps can be used to start the test:
"""
cat >> conf/local.conf <http://127.0.0.1:49605
serving rpc on tcp://[::]:46475
booting test machines...
wait for the connection from test machine...
vm-0: crash: KCSAN: data-race in poll_schedule_timeout.constprop.NUM / pollwake
vm-1: crash: KCSAN: data-race in mutex_spin_on_owner
machine check:
syscalls: 2227/4223
code coverage   : enabled
comparison tracing  : enabled
extra coverage  : enabled
delay kcov mmap : mmap returned an invalid pointer
setuid sandbox  : enabled
namespace sandbox   : enabled
Android sandbox : /sys/fs/selinux/policy does not exist
fault injection : enabled
leak checking   : enabled
net packet injection: enabled
net device setup: enabled
concurrency sanitizer   : enabled
devlink PCI setup   : PCI device :00:10.0 is not available
USB emulation   : enabled
hci packet injection: enabled
wifi device emulation   : enabled
802.15.4 emulation  : enabled
corpus  : 0 (deleted 0 broken)
seeds   : 0/0
VMs 2, executed 1, cover 0, signal 0/0, crashes 2, repro 0
vm-1: crash: KCSAN: data-race in mutex_spin_on_owner
"""

This will fuzz the yocto kernel for 30 minutes using 2 qemu VMs, each VM
getting 2048MB of memory and 2 CPUs.

The path in SYZ_WORKDIR must be an absolute path that is persistent across
oe-selftest runs, so that fuzzing does not start all over again on each
invocation. Syzkaller will save the corpus database in that directory and will
use the database to keep track of the interfaces already fuzzed.

After the test is done, the <SYZ_WORKDIR>/crashes directory will contain the report
files for all the bugs found.

Signed-off-by: Ovidiu Panait 
---
 meta-oe/lib/oeqa/selftest/cases/syzkaller.py  | 123 ++
 ...ets.go-allow-users-to-override-hardc.patch |  67 ++
 .../recipes-test/syzkaller/syzkaller_git.bb   |  85 
 3 files changed, 275 insertions(+)
 create mode 100644 meta-oe/lib/oeqa/selftest/cases/syzkaller.py
 create mode 100644 
meta-oe/recipes-test/syzkaller/syzkaller/0001-sys-targets-targets.go-allow-users-to-override-hardc.patch
 create mode 100644 meta-oe/recipes-test/syzkaller/syzkaller_git.bb

diff --git a/meta-oe/lib/oeqa/selftest/cases/syzkaller.py 
b/meta-oe/lib/oeqa/selftest/cases/syzkaller.py
new file mode 100644
index 0..c11cadddb
--- /dev/null
+++ b/meta-oe/lib/oeqa/selftest/cases/syzkaller.py
@@ -0,0 +1,123 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars
+from oeqa.utils.network import get_free_port
+
+class TestSyzkaller(OESelftestTestCase):
+def setUpSyzkallerConfig(self, os_arch, qemu_postfix):
+syz_target_sysroot = get_bb_var('PKGD', 'syzkaller')
+syz_target = os.path.join(syz_target_sysroot, 'usr')
+
+qemu_native_bin = os.path.join(self.syz_native_sysroot, 
'usr/bin/qemu-system-' + qemu_postfix)
+kernel_cmdline = "ip=dhcp rootfs=/dev/sda dummy_hcd.num=%s" % 
(self.dummy_hcd_num)
+kernel_objdir = self.deploy_dir_image
+port = get_free_port()
+
+if not os.path.exists(self.syz_workdir):
+os.mkdir(self.syz_workdir)
+
+with open(self.syz_cfg, 'w') as f:
+f.write(
+"""
+{
+   "target": "%s",
+   "http": "127.0.0.1:%s",
+   "workdir": "%s",
+   "kernel_obj": "%s",
+   "kernel_src": "%s",
+   "image": "%s",
+   "syzkaller": "%s",
+   "type": "qemu",
+   "reproduce" : false,
+   "sandbox": "none",
+   "vm": {
+   "count": %s,
+   "kernel": "%s",
+   "cmdline": "%s",
+   "cpu": %s,
+   "mem": %s,
+   "qemu": "%s",
+   "qemu_args": "-device virtio-scsi-pci,id=scsi -device 
scsi-hd,drive=rootfs -enable-kvm -cpu host,migratable=off",
+   "image_device": "drive 
index=0,id=rootfs,if=none,media=disk,file="
+   }
+}
+"""
+% (os_arch, port, self.syz_workdir, kernel_objdir, self.kernel_src,
+   self.rootfs, syz_target, self.syz_qemu_vms, self.kernel, kernel_cmdline,
+   self.syz_qemu_cpus, self.syz_qemu_mem, qemu_native_bin))
+
+def test_syzkallerFuzzingQemux86_64(self):
+   
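Review bot: `setUpSyzkallerConfig` calls `os.path.join`, `os.path.exists` and `os.mkdir`, but none of the three import lines at the top of this new file brings `os` into scope. Unless the part of the file the archive cuts off after `test_syzkallerFuzzingQemux86_64` imports it, the method fails with a NameError; add `import os`. The manager config is also assembled by `%`-substituting paths into a JSON template, so a workdir, kernel or rootfs path containing a quote or backslash yields an invalid or silently altered config; building a dict and writing it with `json.dump(cfg, f, indent=4)` escapes every value. `os.makedirs(self.syz_workdir, exist_ok=True)` would replace the exists-then-mkdir pair and also cope with a missing parent directory.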

[oe] [meta-oe][PATCH] syslog-ng: adjust control socket location

2021-11-09 Thread Ovidiu Panait
Commit [1] changed the pidfile dir to /var/run/syslog-ng. This also changed
the location where the control socket is searched for, causing the following
error with systemd:

root@qemux86-64:~# syslog-ng-ctl config
Error connecting control socket, socket='/var/run/syslog-ng/syslog-ng.ctl',
error='No such file or directory'

Update the systemd service file to point to the new location.

[1] 00d1d63e4f7f ("syslog-ng: provide correct PID directory location to
   restart/stop syslog-ng daemon")

Signed-off-by: lmorales 
Signed-off-by: Ovidiu Panait 
---
 .../files/syslog-ng.service-the-syslog-ng-service.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch
 
b/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch
index 0e1d09492..733480030 100644
--- 
a/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch
+++ 
b/meta-oe/recipes-support/syslog-ng/files/syslog-ng.service-the-syslog-ng-service.patch
@@ -38,7 +38,7 @@ index 0ccc2b9..7f08c0e 100644
 -CONTROL_FILE=/var/run/syslog-ng.ctl
 -PID_FILE=/var/run/syslog-ng.pid
 +PERSIST_FILE=@LOCALSTATEDIR@/lib/syslog-ng/syslog-ng.persist
-+CONTROL_FILE=@LOCALSTATEDIR@/lib/syslog-ng/syslog-ng.ctl
++CONTROL_FILE=@LOCALSTATEDIR@/run/syslog-ng/syslog-ng.ctl
 +PID_FILE=@LOCALSTATEDIR@/run/syslog-ng.pid
  OTHER_OPTIONS="--enable-core"
 -- 
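Review bot: `PID_FILE` in the same block still reads `@LOCALSTATEDIR@/run/syslog-ng.pid`, while the commit message says the pidfile directory moved to /var/run/syslog-ng. If the daemon's stop/restart tooling now looks for the pid file there as well, this line needs the matching change, `+PID_FILE=@LOCALSTATEDIR@/run/syslog-ng/syslog-ng.pid`. The new socket path also assumes that `run/syslog-ng` exists before the service starts, which this hunk does not show. On a tmpfs /run that directory has to be created at boot (a tmpfiles.d entry or `RuntimeDirectory=syslog-ng` in the unit), with permissions that keep the control socket restricted to root.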
-- 
2.25.1





[oe] [meta-oe][PATCH] libeigen: update LICENSE information

2021-06-08 Thread Ovidiu Panait
From COPYING.README:
"""
Eigen is primarily MPL2 licensed. See COPYING.MPL2 and these links:
  http://www.mozilla.org/MPL/2.0/
  http://www.mozilla.org/MPL/2.0/FAQ.html

Some files contain third-party code under BSD or LGPL licenses, whence the other
COPYING.* files here.

All the LGPL code is either LGPL 2.1-only, or LGPL 2.1-or-later.
For this reason, the COPYING.LGPL file contains the LGPL 2.1 text.
"""

The upstream repository contains multiple COPYING files (various 3rd party
code is under different licenses), so update the LICENSE information
accordingly. Also, add MINPACK to meta-oe/licenses.

Signed-off-by: Ovidiu Panait 
---
 meta-oe/licenses/MINPACK  | 51 +++
 .../libeigen/libeigen_3.3.9.bb|  9 +++-
 2 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100644 meta-oe/licenses/MINPACK

diff --git a/meta-oe/licenses/MINPACK b/meta-oe/licenses/MINPACK
new file mode 100644
index 0..132cc3f33
--- /dev/null
+++ b/meta-oe/licenses/MINPACK
@@ -0,0 +1,51 @@
+Minpack Copyright Notice (1999) University of Chicago.  All rights reserved
+
+Redistribution and use in source and binary forms, with or
+without modification, are permitted provided that the
+following conditions are met:
+
+1. Redistributions of source code must retain the above
+copyright notice, this list of conditions and the following
+disclaimer.
+
+2. Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following
+disclaimer in the documentation and/or other materials
+provided with the distribution.
+
+3. The end-user documentation included with the
+redistribution, if any, must include the following
+acknowledgment:
+
+   "This product includes software developed by the
+   University of Chicago, as Operator of Argonne National
+   Laboratory.
+
+Alternately, this acknowledgment may appear in the software
+itself, if and wherever such third-party acknowledgments
+normally appear.
+
+4. WARRANTY DISCLAIMER. THE SOFTWARE IS SUPPLIED "AS IS"
+WITHOUT WARRANTY OF ANY KIND. THE COPYRIGHT HOLDER, THE
+UNITED STATES, THE UNITED STATES DEPARTMENT OF ENERGY, AND
+THEIR EMPLOYEES: (1) DISCLAIM ANY WARRANTIES, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE
+OR NON-INFRINGEMENT, (2) DO NOT ASSUME ANY LEGAL LIABILITY
+OR RESPONSIBILITY FOR THE ACCURACY, COMPLETENESS, OR
+USEFULNESS OF THE SOFTWARE, (3) DO NOT REPRESENT THAT USE OF
+THE SOFTWARE WOULD NOT INFRINGE PRIVATELY OWNED RIGHTS, (4)
+DO NOT WARRANT THAT THE SOFTWARE WILL FUNCTION
+UNINTERRUPTED, THAT IT IS ERROR-FREE OR THAT ANY ERRORS WILL
+BE CORRECTED.
+
+5. LIMITATION OF LIABILITY. IN NO EVENT WILL THE COPYRIGHT
+HOLDER, THE UNITED STATES, THE UNITED STATES DEPARTMENT OF
+ENERGY, OR THEIR EMPLOYEES: BE LIABLE FOR ANY INDIRECT,
+INCIDENTAL, CONSEQUENTIAL, SPECIAL OR PUNITIVE DAMAGES OF
+ANY KIND OR NATURE, INCLUDING BUT NOT LIMITED TO LOSS OF
+PROFITS OR LOSS OF DATA, FOR ANY REASON WHATSOEVER, WHETHER
+SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT
+(INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE,
+EVEN IF ANY OF SAID PARTIES HAS BEEN WARNED OF THE
+POSSIBILITY OF SUCH LOSS OR DAMAGES.
diff --git a/meta-oe/recipes-support/libeigen/libeigen_3.3.9.bb 
b/meta-oe/recipes-support/libeigen/libeigen_3.3.9.bb
index d6ef98f94..a54d8f8f7 100644
--- a/meta-oe/recipes-support/libeigen/libeigen_3.3.9.bb
+++ b/meta-oe/recipes-support/libeigen/libeigen_3.3.9.bb
@@ -1,8 +1,13 @@
 DESCRIPTION = "Eigen is a C++ template library for linear algebra: matrices, 
vectors, numerical solvers, and related algorithms."
 AUTHOR = "Benoît Jacob and Gaël Guennebaud and others"
 HOMEPAGE = "http://eigen.tuxfamily.org/;
-LICENSE = "MPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING.MPL2;md5=815ca599c9df247a0c7f619bab123dad"
+LICENSE = "MPL-2.0 & Apache-2.0 & BSD-3-Clause & GPLv3 & LGPLv2.1 & MINPACK"
+LIC_FILES_CHKSUM = "file://COPYING.MPL2;md5=815ca599c9df247a0c7f619bab123dad \
+file://COPYING.BSD;md5=543367b8e11f07d353ef894f71b574a0 \
+file://COPYING.GPL;md5=d32239bcb673463ab874e80d47fae504 \
+file://COPYING.LGPL;md5=4fbd65380cdd255951079008b364516c \
+
file://COPYING.MINPACK;md5=5fe4603e80ef7390306f51ef74449bbd \
+"
 
 SRC_URI = "git://gitlab.com/libeigen/eigen.git;protocol=http;nobranch=1"
 
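Review bot: `LICENSE` now names six licences, but `LIC_FILES_CHKSUM` lists only five files and none of them covers `Apache-2.0`, so that licence text is not tracked and an upstream change to it would pass the checksum check unnoticed. Either add the file that carries the Apache-2.0 text, for example `file://<apache-licence-file>;md5=<md5-of-that-file> \` (placeholders), or drop `Apache-2.0` from `LICENSE` if no shipped source is under it.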
-- 
2.17.1





[oe] [zeus][meta-networking][PATCH] net-snmp: Fix CVE-2020-15861 and CVE-2020-15862

2020-09-01 Thread Ovidiu Panait
Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic
link (symlink) following.

Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE
access to the EXTEND MIB provides the ability to run arbitrary commands as
root.

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-15861
https://nvd.nist.gov/vuln/detail/CVE-2020-15862

Upstream patches:
https://github.com/net-snmp/net-snmp/commit/2b3e300ade4add03b889e61d610b0db77d300fc3
https://github.com/net-snmp/net-snmp/commit/9cfb38b0aa95363da1466ca81dd929989ba27c1f
https://github.com/net-snmp/net-snmp/commit/114e4c2cec2601ca56e8afb1f441520f75a9a312
https://github.com/net-snmp/net-snmp/commit/2968b455e6f182f329746e2bca1043f368618c73
https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602
https://github.com/net-snmp/net-snmp/commit/77f6c60f57dba0aaea5d8ef1dd94bcd0c8e6d205

CVE-2020-15861-0005.patch is the actual fix for CVE-2020-15861 and
CVE-2020-15861-0001.patch through CVE-2020-15861-0004.patch are context
patches needed by the fix to apply cleanly.

Signed-off-by: Ovidiu Panait 
---
 .../net-snmp/CVE-2020-15861-0001.patch| 164 
 .../net-snmp/CVE-2020-15861-0002.patch|  44 +++
 .../net-snmp/CVE-2020-15861-0003.patch|  40 ++
 .../net-snmp/CVE-2020-15861-0004.patch|  33 ++
 .../net-snmp/CVE-2020-15861-0005.patch| 349 ++
 .../net-snmp/net-snmp/CVE-2020-15862.patch|  87 +
 .../net-snmp/net-snmp_5.8.bb  |   6 +
 7 files changed, 723 insertions(+)
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0002.patch
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0003.patch
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0004.patch
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15862.patch

diff --git 
a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch 
b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch
new file mode 100644
index 0..f43803a66
--- /dev/null
+++ 
b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch
@@ -0,0 +1,164 @@
+From c449946b9d06571b447fce3fc0dcad89e8df05b5 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche 
+Date: Wed, 15 May 2019 14:09:25 +0200
+Subject: [PATCH 1/5] CHANGES: libsnmp: Scan MIB directories in alphabetical
+ order
+
+This guarantees that e.g. mibs/RFC1213-MIB.txt is read before 
mibs/SNMPv2-MIB.txt.
+The order in which these MIBs is read matters because both define sysLocation 
but
+with different attributes.
+
+CVE: CVE-2020-15861
+Upstream-Status: Backport 
[https://github.com/net-snmp/net-snmp/commit/2b3e300ade4add03b889e61d610b0db77d300fc3]
+
+Signed-off-by: Ovidiu Panait 
+---
+ snmplib/parse.c | 113 +++-
+ 1 file changed, 82 insertions(+), 31 deletions(-)
+
+diff --git a/snmplib/parse.c b/snmplib/parse.c
+index 7678b35..51d119b 100644
+--- a/snmplib/parse.c
 b/snmplib/parse.c
+@@ -4894,6 +4894,79 @@ add_mibfile(const char* tmpstr, const char* d_name, 
FILE *ip )
+ }
+ }
+ 
++static int elemcmp(const void *a, const void *b)
++{
++const char *const *s1 = a, *const *s2 = b;
++
++return strcmp(*s1, *s2);
++}
++
++/*
++ * Scan a directory and return all filenames found as an array of pointers to
++ * directory entries (@result).
++ */
++static int scan_directory(char ***result, const char *dirname)
++{
++DIR*dir, *dir2;
++struct dirent  *file;
++char  **filenames = NULL;
++int fname_len, i, filename_count = 0, array_size = 0;
++char   *tmpstr;
++
++*result = NULL;
++
++dir = opendir(dirname);
++if (!dir)
++return -1;
++
++while ((file = readdir(dir))) {
++/*
++ * Only parse file names that don't begin with a '.'
++ * Also skip files ending in '~', or starting/ending
++ * with '#' which are typically editor backup files.
++ */
++fname_len = strlen(file->d_name);
++if (fname_len > 0 && file->d_name[0] != '.'
++&& file->d_name[0] != '#'
++&& file->d_name[fname_len-1] != '#'
++&& file->d_name[fname_len-1] != '~') {
++if (asprintf(, "%s/%s", dirname, file->d_name) < 0)
++continue;
++dir2 = opendir(tmpstr);
++if (dir2) {
++/* file is a directory, don't read it */
++closedir(dir2);
++} else {
++if (filename_count >= array_size) {
++
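Review bot: `scan_directory` decides whether an entry is a directory by calling `opendir(tmpstr)` and sends every failure down the `else` branch that grows the file list. A directory that cannot be opened (permissions, descriptor exhaustion) therefore appears to be collected as a MIB file, and the probe follows symbolic links. A `stat()`-based test states the intent and separates "not a directory" from "could not check": `if (stat(tmpstr, &st) == 0 && S_ISDIR(st.st_mode))`, with entries whose `stat()` fails skipped rather than collected. The function body is cut off by the archive after the `array_size` check, so how the collected names are opened later is not visible here; the same hunk is reposted in the dunfell message that follows.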

[oe] [dunfell][meta-networking][PATCH] net-snmp: Fix CVE-2020-15861 and CVE-2020-15862

2020-09-01 Thread Ovidiu Panait
Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic
link (symlink) following.

Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE
access to the EXTEND MIB provides the ability to run arbitrary commands as
root.

References:
https://nvd.nist.gov/vuln/detail/CVE-2020-15861
https://nvd.nist.gov/vuln/detail/CVE-2020-15862

Upstream patches:
https://github.com/net-snmp/net-snmp/commit/2b3e300ade4add03b889e61d610b0db77d300fc3
https://github.com/net-snmp/net-snmp/commit/9cfb38b0aa95363da1466ca81dd929989ba27c1f
https://github.com/net-snmp/net-snmp/commit/114e4c2cec2601ca56e8afb1f441520f75a9a312
https://github.com/net-snmp/net-snmp/commit/2968b455e6f182f329746e2bca1043f368618c73
https://github.com/net-snmp/net-snmp/commit/4fd9a450444a434a993bc72f7c3486ccce41f602
https://github.com/net-snmp/net-snmp/commit/77f6c60f57dba0aaea5d8ef1dd94bcd0c8e6d205

CVE-2020-15861-0005.patch is the actual fix for CVE-2020-15861 and
CVE-2020-15861-0001.patch through CVE-2020-15861-0004.patch are context
patches needed by the fix to apply cleanly.

Signed-off-by: Ovidiu Panait 
---
 .../net-snmp/CVE-2020-15861-0001.patch| 164 
 .../net-snmp/CVE-2020-15861-0002.patch|  44 +++
 .../net-snmp/CVE-2020-15861-0003.patch|  40 ++
 .../net-snmp/CVE-2020-15861-0004.patch|  33 ++
 .../net-snmp/CVE-2020-15861-0005.patch| 349 ++
 .../net-snmp/net-snmp/CVE-2020-15862.patch|  87 +
 .../net-snmp/net-snmp_5.8.bb  |   6 +
 7 files changed, 723 insertions(+)
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0002.patch
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0003.patch
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0004.patch
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0005.patch
 create mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15862.patch

diff --git 
a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch 
b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch
new file mode 100644
index 0..f43803a66
--- /dev/null
+++ 
b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2020-15861-0001.patch
@@ -0,0 +1,164 @@
+From c449946b9d06571b447fce3fc0dcad89e8df05b5 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche 
+Date: Wed, 15 May 2019 14:09:25 +0200
+Subject: [PATCH 1/5] CHANGES: libsnmp: Scan MIB directories in alphabetical
+ order
+
+This guarantees that e.g. mibs/RFC1213-MIB.txt is read before 
mibs/SNMPv2-MIB.txt.
+The order in which these MIBs is read matters because both define sysLocation 
but
+with different attributes.
+
+CVE: CVE-2020-15861
+Upstream-Status: Backport 
[https://github.com/net-snmp/net-snmp/commit/2b3e300ade4add03b889e61d610b0db77d300fc3]
+
+Signed-off-by: Ovidiu Panait 
+---
+ snmplib/parse.c | 113 +++-
+ 1 file changed, 82 insertions(+), 31 deletions(-)
+
+diff --git a/snmplib/parse.c b/snmplib/parse.c
+index 7678b35..51d119b 100644
+--- a/snmplib/parse.c
 b/snmplib/parse.c
+@@ -4894,6 +4894,79 @@ add_mibfile(const char* tmpstr, const char* d_name, 
FILE *ip )
+ }
+ }
+ 
++static int elemcmp(const void *a, const void *b)
++{
++const char *const *s1 = a, *const *s2 = b;
++
++return strcmp(*s1, *s2);
++}
++
++/*
++ * Scan a directory and return all filenames found as an array of pointers to
++ * directory entries (@result).
++ */
++static int scan_directory(char ***result, const char *dirname)
++{
++DIR*dir, *dir2;
++struct dirent  *file;
++char  **filenames = NULL;
++int fname_len, i, filename_count = 0, array_size = 0;
++char   *tmpstr;
++
++*result = NULL;
++
++dir = opendir(dirname);
++if (!dir)
++return -1;
++
++while ((file = readdir(dir))) {
++/*
++ * Only parse file names that don't begin with a '.'
++ * Also skip files ending in '~', or starting/ending
++ * with '#' which are typically editor backup files.
++ */
++fname_len = strlen(file->d_name);
++if (fname_len > 0 && file->d_name[0] != '.'
++&& file->d_name[0] != '#'
++&& file->d_name[fname_len-1] != '#'
++&& file->d_name[fname_len-1] != '~') {
++if (asprintf(, "%s/%s", dirname, file->d_name) < 0)
++continue;
++dir2 = opendir(tmpstr);
++if (dir2) {
++/* file is a directory, don't read it */
++closedir(dir2);
++} else {
++if (filename_count >= array_size) {
++

[oe] [PATCH] net-snmp: upgrade 5.8 -> 5.9

2020-08-31 Thread Ovidiu Panait
Upgrade net-snmp 5.8 -> 5.9:
* refresh patches
* drop backports:
  
https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9
  
https://github.com/net-snmp/net-snmp/commit/6e1329bde834e0edcfadb88d3c05e6015e945638
  
https://github.com/net-snmp/net-snmp/commit/abdcb6af8df352a257a7092c1649471af1e4e97b
  
https://github.com/net-snmp/net-snmp/commit/21260fdd60c172839f997fb6f888a6e21c6825eb

Signed-off-by: Ovidiu Panait 
---
 ...upport-for-building-applications-and.patch | 168 --
 .../0001-config_os_headers-Error-Fix.patch|  10 +-
 ...1-get_pid_from_inode-Include-limit.h.patch |   2 +-
 ...t-snmp-fix-compile-error-disable-des.patch |  62 ---
 c-Don-t-check-for-return-from-EVP_M.patch |  21 ++-
 .../0002-configure-fix-a-cc-check-issue.patch |   4 +-
 ...004-configure-fix-incorrect-variable.patch |   8 +-
 .../net-snmp/net-snmp/CVE-2019-20892.patch| 120 -
 .../net-snmp/fix-libtool-finish.patch |   4 +-
 7.2-fix-engineBoots-value-on-SIGHUP.patch |  10 +-
 ...add-knob-whether-nlist.h-are-checked.patch |  16 +-
 .../net-snmp-fix-for-disable-des.patch|   6 +-
 ...ting-add-the-output-format-for-ptest.patch |   2 +-
 ...ty-accept-configure-options-from-env.patch |  15 --
 .../reproducibility-have-printcap.patch   |  17 +-
 .../{net-snmp_5.8.bb => net-snmp_5.9.bb}  |   7 +-
 16 files changed, 56 insertions(+), 416 deletions(-)
 delete mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Add-pkg-config-support-for-building-applications-and.patch
 delete mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/0001-net-snmp-fix-compile-error-disable-des.patch
 delete mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch
 delete mode 100644 
meta-networking/recipes-protocols/net-snmp/net-snmp/reproducibility-accept-configure-options-from-env.patch
 rename meta-networking/recipes-protocols/net-snmp/{net-snmp_5.8.bb => 
net-snmp_5.9.bb} (96%)

diff --git 
a/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Add-pkg-config-support-for-building-applications-and.patch
 
b/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Add-pkg-config-support-for-building-applications-and.patch
deleted file mode 100644
index dd159b9ce..0
--- 
a/meta-networking/recipes-protocols/net-snmp/net-snmp/0001-Add-pkg-config-support-for-building-applications-and.patch
+++ /dev/null
@@ -1,168 +0,0 @@
-From 4bf83597379523032663c8e95b3786a217c9a849 Mon Sep 17 00:00:00 2001
-From: Hugh McMaster 
-Date: Wed, 3 Apr 2019 21:36:03 +1100
-Subject: [PATCH] Add pkg-config support for building applications and
- sub-agents
-
-The netsnmp package should be used when building Net-SNMP applications.
-The netsnmp-agent package should be used when building Net-SNMP subagents.
-
-Signed-off-by: Hugh McMaster 
-[ bvanassche: edited makefile code and .pc files; added ./configure changes ]
-
-Upstream-Status: Backport
-https://sourceforge.net/p/net-snmp/patches/_discuss/thread/a0d66e91dd/f940/attachment/0001-Add-pkg-config-support-for-building-applications-and.patch

- Makefile.in |  2 ++
- Makefile.rules  | 30 ++
- configure   |  4 
- configure.ac|  1 +
- netsnmp-agent.pc.in | 12 
- netsnmp.pc.in   | 12 
- 6 files changed, 57 insertions(+), 4 deletions(-)
- create mode 100644 netsnmp-agent.pc.in
- create mode 100644 netsnmp.pc.in
-
-diff --git a/Makefile.in b/Makefile.in
-index 9dbdde1353..ec972636c2 100644
 a/Makefile.in
-+++ b/Makefile.in
-@@ -35,6 +35,7 @@ INSTALLBUILTHEADERS=include/net-snmp/net-snmp-config.h
- INSTALLBUILTINCLUDEHEADERS=@FEATUREHEADERS@
- INSTALLBINSCRIPTS=net-snmp-config net-snmp-create-v3-user
- INSTALLUCDHEADERS=ucd-snmp-config.h version.h mib_module_config.h
-+INSTALL_PKGCONFIG=netsnmp.pc netsnmp-agent.pc
- 
- #
- # other install rules.
-@@ -275,6 +276,7 @@ configclean: makefileclean
-   libtool include/net-snmp/net-snmp-config.h \
-   net-snmp-config net-snmp-config-x configure-summary \
-   net-snmp-create-v3-user net-snmp-create-v3-user-x
-+  rm -f *.pc
-   rm -f mibs/.index
-   rm -f include/net-snmp/agent/mib_module_config.h\
-   include/net-snmp/agent/agent_module_config.h\
-diff --git a/Makefile.rules b/Makefile.rules
-index 9e9e9009e5..e714f91e72 100644
 a/Makefile.rules
-+++ b/Makefile.rules
-@@ -85,12 +85,14 @@ subdirs:
- # installlibs handles local, ucd and subdir libs. need to do subdir libs
- # before bins, sinze those libs may be needed for successful linking
- install: installlocalheaders @installucdheaders@ \
-- installlibs \
-- installlocalbin  installlocalsbin   \
-+ installlibs install_pkgconfig   \
-+ installlocalbin installlocalsbin\
-  installsubdirs  $(OTHERINSTALL)
- 
--uninstall: unin

[oe] [meta-oe][dunfell][PATCH 1/1] nss: Fix CVE-2020-12399

2020-07-14 Thread Ovidiu Panait
Master (nss version 3.54) is not affected by this issue. This is a backport
from nss version 3.54.

NSS has shown timing differences when performing DSA signatures, which was
exploitable and could eventually leak private keys. This vulnerability affects
Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

Upstream patch:
https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e

Signed-off-by: Ovidiu Panait 
---
 ...e-a-fixed-length-for-DSA-exponentiat.patch | 110 ++
 meta-oe/recipes-support/nss/nss_3.51.1.bb |   1 +
 2 files changed, 111 insertions(+)
 create mode 100644 
meta-oe/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch

diff --git 
a/meta-oe/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch
 
b/meta-oe/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch
new file mode 100644
index 0..517c277ae
--- /dev/null
+++ 
b/meta-oe/recipes-support/nss/nss/0001-Bug-1631576-Force-a-fixed-length-for-DSA-exponentiat.patch
@@ -0,0 +1,110 @@
+From 5942c26888ba12ad5e0d92fb62f23d7cde6dc159 Mon Sep 17 00:00:00 2001
+From: Ovidiu Panait 
+Date: Mon, 13 Jul 2020 06:25:56 +
+Subject: [PATCH] Bug 1631576 - Force a fixed length for DSA exponentiation
+ r=pereida,bbrumley
+
+Differential Revision: https://phabricator.services.mozilla.com/D72011
+
+Upstream-Status: Backport 
[https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e]
+
+Authored-by: Robert Relyea 
+Signed-off-by: Ovidiu Panait 
+---
+ nss/lib/freebl/dsa.c | 45 ++--
+ 1 file changed, 35 insertions(+), 10 deletions(-)
+
+diff --git a/nss/lib/freebl/dsa.c b/nss/lib/freebl/dsa.c
+index aef3539..389c9de 100644
+--- a/nss/lib/freebl/dsa.c
 b/nss/lib/freebl/dsa.c
+@@ -313,13 +313,14 @@ DSA_NewKeyFromSeed(const PQGParams *params,
+ 
+ static SECStatus
+ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
+-   const unsigned char *kb)
++   const unsigned char *kbytes)
+ {
+ mp_int p, q, g; /* PQG parameters */
+ mp_int x, k;/* private key & pseudo-random integer */
+ mp_int r, s;/* tuple (r, s) is signature) */
+ mp_int t;   /* holding tmp values */
+ mp_int ar;  /* holding blinding values */
++mp_digit fuzz;  /* blinding multiplier for q */
+ mp_err err = MP_OKAY;
+ SECStatus rv = SECSuccess;
+ unsigned int dsa_subprime_len, dsa_signature_len, offset;
+@@ -373,6 +374,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, 
const SECItem *digest,
+ CHECK_MPI_OK(mp_init());
+ CHECK_MPI_OK(mp_init());
+ CHECK_MPI_OK(mp_init());
++
+ /*
+ ** Convert stored PQG and private key into MPI integers.
+ */
+@@ -380,14 +382,28 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, 
const SECItem *digest,
+ SECITEM_TO_MPINT(key->params.subPrime, );
+ SECITEM_TO_MPINT(key->params.base, );
+ SECITEM_TO_MPINT(key->privateValue, );
+-OCTETS_TO_MPINT(kb, , dsa_subprime_len);
++OCTETS_TO_MPINT(kbytes, , dsa_subprime_len);
++
++/* k blinding  create a single value that has the high bit set in
++ * the mp_digit*/
++if (RNG_GenerateGlobalRandomBytes(, sizeof(mp_digit)) != SECSuccess) 
{
++PORT_SetError(SEC_ERROR_NEED_RANDOM);
++rv = SECFailure;
++goto cleanup;
++}
++fuzz |= 1ULL << ((sizeof(mp_digit) * PR_BITS_PER_BYTE - 1));
+ /*
+ ** FIPS 186-1, Section 5, Step 1
+ **
+ ** r = (g**k mod p) mod q
+ */
+-CHECK_MPI_OK(mp_exptmod(, , , )); /* r = g**k mod p */
+-CHECK_MPI_OK(mp_mod(, , )); /* r = r mod q*/
++CHECK_MPI_OK(mp_mul_d(, fuzz, )); /* t = q*fuzz */
++CHECK_MPI_OK(mp_add(, , )); /* t = k+q*fuzz */
++/* length of t is now fixed, bits in k have been blinded */
++CHECK_MPI_OK(mp_exptmod(, , , )); /* r = g**t mod p */
++/* r is now g**(k+q*fuzz) == g**k mod p */
++CHECK_MPI_OK(mp_mod(, , )); /* r = r mod q*/
++
+ /*
+ ** FIPS 186-1, Section 5, Step 2
+ **
+@@ -411,15 +427,24 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, 
const SECItem *digest,
+ /* Using mp_invmod on k directly would leak bits from k. */
+ CHECK_MPI_OK(mp_mul(, , ));   /* k = k * ar */
+ CHECK_MPI_OK(mp_mulmod(, , , )); /* k = k * t mod q */
+-CHECK_MPI_OK(mp_invmod(, , )); /* k = k**-1 mod q */
++/* k is now k*t*ar */
++CHECK_MPI_OK(mp_invmod(, , )); /* k = k**-1 mod q */
++/* k is now (k*t*ar)**-1 */
+ CHECK_MPI_OK(mp_mulmod(, , , )); /* k = k * t mod q */
+-SECITEM_TO_MPINT(localDigest, );   /* s = HASH(M) */
++/* k is now (k*ar)**-1 */
++SECITEM_TO_MPINT(localDigest, ); /* s = HASH(M) */
+ /* To avoid leaking secret bits here the addition is blinded. */
+-CHECK_MPI_OK(mp_mul(
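Review bot: The header of the added patch carries `Upstream-Status: Backport` but no `CVE:` tag, and the patch file name does not contain the CVE id either. The layer's CVE tracking therefore has nothing to match this fix against, and CVE-2020-12399 would presumably still be reported as unpatched for nss 3.51.1. Add `CVE: CVE-2020-12399` next to the `Upstream-Status` line, as the net-snmp CVE-2020-15861 backport on this page does. The hunk is cut off by the archive inside `dsa_SignDigest`, so the rest of the blinding change and the recipe hunk are not reviewed here.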

[oe] [meta-oe][PATCH 1/1] nss: upgrade 3.51.1 -> 3.54

2020-07-13 Thread Ovidiu Panait
Upgrade nss 3.51.1 -> 3.54:
* Refresh patches
* Drop riscv.patch and 0001-Enable-uint128-on-mips64.patch patches as upstream
  commit [1] should implement that logic
* Use "autobuild" as do_compile make target (Makefile logic has changed
  significantly, so the default target is no longer enough)

[1] 
https://hg.mozilla.org/projects/nss/rev/60aa7df14f119d2a21750668c5ce36fa38ef2c6c

Signed-off-by: Ovidiu Panait 
---
 .../nss/0001-Enable-uint128-on-mips64.patch   |  48 
 ...figure-option-to-disable-ARM-HW-cryp.patch |  22 ++--
 ...0001-nss-fix-support-cross-compiling.patch |  10 +-
 .../nss/nss/disable-Wvarargs-with-clang.patch |  17 ++-
 .../nss-fix-incorrect-shebang-of-perl.patch   | 107 +++---
 .../nss/nss/nss-fix-nsinstall-build.patch |  20 +++-
 .../nss-no-rpath-for-cross-compiling.patch|  10 +-
 .../nss/nss/pqg.c-ULL_addend.patch|  21 +++-
 meta-oe/recipes-support/nss/nss/riscv.patch   |  36 --
 .../nss/{nss_3.51.1.bb => nss_3.54.bb}|   8 +-
 10 files changed, 113 insertions(+), 186 deletions(-)
 delete mode 100644 
meta-oe/recipes-support/nss/nss/0001-Enable-uint128-on-mips64.patch
 delete mode 100644 meta-oe/recipes-support/nss/nss/riscv.patch
 rename meta-oe/recipes-support/nss/{nss_3.51.1.bb => nss_3.54.bb} (97%)

diff --git 
a/meta-oe/recipes-support/nss/nss/0001-Enable-uint128-on-mips64.patch 
b/meta-oe/recipes-support/nss/nss/0001-Enable-uint128-on-mips64.patch
deleted file mode 100644
index 90ec379c6..0
--- a/meta-oe/recipes-support/nss/nss/0001-Enable-uint128-on-mips64.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 8cf7afb5417e23cd3ebf8141239bf020f5dd2ac8 Mon Sep 17 00:00:00 2001
-From: Mingli Yu 
-Date: Thu, 30 Apr 2020 06:56:09 +
-Subject: [PATCH] Enable uint128 on mips64
-
-Fix below error:
-| verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h:22:1: error: 
'FStar_UInt128___proj__Mkuint128__item__low' declared 'static' but never 
defined [-Werror=unused-function]
-|   22 | FStar_UInt128___proj__Mkuint128__item__low(FStar_UInt128_uint128 
projectee);
-
-Upstream-Status: Pending
-
-Signed-off-by: Mingli Yu 

- .../freebl/verified/kremlin/include/kremlin/internal/types.h   | 3 ++-
- .../kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h | 3 ++-
- 2 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h 
b/nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-index 801e78f..cdac61e 100644
 a/nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-+++ b/nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-@@ -57,7 +57,8 @@ typedef const char *Prims_string;
- typedef __m128i FStar_UInt128_uint128;
- #elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
-- (defined(__riscv) && __riscv_xlen == 64))
-+ (defined(__riscv) && __riscv_xlen == 64) || \
-+ defined(__mips64))
- typedef unsigned __int128 FStar_UInt128_uint128;
- #else
- typedef struct FStar_UInt128_uint128_s {
-diff --git 
a/nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h 
b/nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-index f38fda3..7ca67d2 100644
 
a/nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-+++ 
b/nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-@@ -26,7 +26,8 @@
- #include 
- #if !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
-- (defined(__riscv) && __riscv_xlen == 64))
-+ (defined(__riscv) && __riscv_xlen == 64) || \
-+ defined(__mips64))
- 
- /* GCC + using native unsigned __int128 support */
- 
--- 
-2.24.1
-
diff --git 
a/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
 
b/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
index c380c1449..1a87a0577 100644
--- 
a/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
+++ 
b/meta-oe/recipes-support/nss/nss/0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
@@ -1,4 +1,4 @@
-From 5595e9651aca39af945931c73eb524a0f8bd130d Mon Sep 17 00:00:00 2001
+From 8b67c22b057e158f61c9fdd5b01f37195c6f5ca4 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin 
 Date: Wed, 18 Dec 2019 12:29:50 +0100
 Subject: [PATCH] freebl: add a configure option to disable ARM HW crypto
@@ -8,10 +8,14 @@ prior to armv8 does not.
 
 Upstream-Status: Pending
 Signed-off-by: Alexander Kanavin 
+
 ---
- nss/lib/freebl/Makefile | 3 +++
- 1 file changed, 3 insertions(+)
+ nss/lib/freebl/Makefile | 4 
+ nss/lib/freebl/gcm.c| 2 ++
+ 2 files changed, 6 insertions(+)
 
+diff --git a/nss/lib/

Re: [oe] [meta-networking][zeus][dunfell][PATCH] freediameter: Fix testcnx ptest failure

2020-07-09 Thread Ovidiu Panait

Hi,

On 09.07.2020 18:58, akuster808 wrote:



On 7/8/20 9:45 PM, Ovidiu Panait wrote:

Currently, testcnx ptest fails due to expired CA certificates:
Test project /usr/lib64/freeDiameter/ptest
...
Start 10: testcnx
10/11 Test #10: testcnx ..***Failed 0.12 sec
...


Does this affect Master ?

-armin


Command: "/usr/lib64/freeDiameter/ptest/testcnx"
Directory: /usr/lib64/freeDiameter/ptest
"testcnx" start time: Jun 17 10:52 UTC
Output:
--
10:52:43  ERROR  ERROR: Invalid parameter '(conn->cc_rcvthr != 
(pthread_t)((voidd
  *)0))', 22
10:52:43  ERROR  TLS: Remote certificate invalid on socket 6 (Remote: 
'localhostt
.localdomain')(Connection: '{---T} TCP from [127.0.0.1]:57898 (4<-6)') :
10:52:43  ERROR   - The certificate has expired.
10:52:43  ERROR  TLS ERROR: in 'ret = 
gnutls_handshake(conn->cc_tls_para.sessionn
)' :Error in the certificate.
10:52:43  FATAL! testcnx.c:867: CHECK FAILED : fd_cnx_handshake(server_side, 
GNUU
TLS_SERVER, ALGO_HANDSHAKE_DEFAULT , NULL, NULL) == 16 != 0
10:52:43  FATAL! FAILED: testcnx.c

Test time =   0.02 sec


Backport upstream patch [1] to fix this issue.

[1]http://www.freediameter.net/hg/freeDiameter/rev/eff5bb332b5a

This patch is present in version 1.4.0, so master is not affected.


No, this does not affect master. The patch is a backport from version 
1.4.0, which is the one currently present in master.



Ovidiu


Signed-off-by: Ovidiu Panait
---
  .../0001-Fix-testcnx-expired-CA-data.patch| 746 ++
  .../freediameter/freediameter_1.3.2.bb|   1 +
  2 files changed, 747 insertions(+)
  create mode 100644 
meta-networking/recipes-protocols/freediameter/files/0001-Fix-testcnx-expired-CA-data.patch

diff --git 
a/meta-networking/recipes-protocols/freediameter/files/0001-Fix-testcnx-expired-CA-data.patch
 
b/meta-networking/recipes-protocols/freediameter/files/0001-Fix-testcnx-expired-CA-data.patch
new file mode 100644
index 0..354d3dc83
--- /dev/null
+++ 
b/meta-networking/recipes-protocols/freediameter/files/0001-Fix-testcnx-expired-CA-data.patch
@@ -0,0 +1,746 @@
+From c892c87dc50e036af4e35de0321e6f37a70b25d2 Mon Sep 17 00:00:00 2001
+From: Ovidiu Panait
+Date: Tue, 23 Jun 2020 14:17:56 +0300
+Subject: [PATCH] Fix testcnx expired CA data
+
+Upstream-Status: Backport 
[http://www.freediameter.net/hg/freeDiameter/rev/eff5bb332b5a]
+
+Authored-by: Sebastien Decugis
+Signed-off-by: Ovidiu Panait
+---
+ tests/testcnx.c | 707 ++--
+ 1 file changed, 425 insertions(+), 282 deletions(-)
+
+diff --git a/tests/testcnx.c b/tests/testcnx.c
+index e1826c9..809d89a 100644
+--- a/tests/testcnx.c
 b/tests/testcnx.c
+@@ -53,300 +53,443 @@
+
+
+ /* The cryptographic data */
+-static char ca_data[] =   "-BEGIN CERTIFICATE-\n"
+-  
"MIIEqjCCA5KgAwIBAgIJANKgDwdlDYQDMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYD\n"
+-  
"VQQGEwJKUDEOMAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB0tvZ2FuZWkxDTALBgNV\n"
+-  
"BAoMBFdJREUxDzANBgNVBAsMBkFBQSBXRzEfMB0GA1UEAwwWY2hhdnJvdXguY293\n"
+-  
"YWRkaWN0Lm9yZzEiMCAGCSqGSIb3DQEJARYTc2RlY3VnaXNAbmljdC5nby5qcDAe\n"
+-  
"Fw0wOTEwMDUwODUxNDRaFw0xOTEwMDMwODUxNDRaMIGUMQswCQYDVQQGEwJKUDEO\n"
+-  
"MAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB0tvZ2FuZWkxDTALBgNVBAoMBFdJREUx\n"
+-  
"DzANBgNVBAsMBkFBQSBXRzEfMB0GA1UEAwwWY2hhdnJvdXguY293YWRkaWN0Lm9y\n"
+-  
"ZzEiMCAGCSqGSIb3DQEJARYTc2RlY3VnaXNAbmljdC5nby5qcDCCASIwDQYJKoZI\n"
+-  
"hvcNAQEBBQADggEPADCCAQoCggEBAM5c6w4NnngTvGNWcJzbo0Kklp+kvUNQNgGu\n"
+-  
"myvz826qPp07HTSyJrIcgFnuYDR0Nd130Ot9u5osqpQhHTvolxDE87Tii8i3hJSj\n"
+-  
"TTY9K0ZwGb4AZ6QkuyMXS1jtOY657HqjpGZqT/2Syh0i7dM/hqSXFw0SPbyq+W1H\n"
+-  
"SVFWa1CTkPywFWAzwdr5WKah77uZ1dxWqgPgUdcZOiIQtLRp5n3fg40Nwso5YdwS\n"
+-  
"64+ebBX1pkhrCQ8AGc8O61Ep1JTXcO7jqQmPgzjiN+FeostI1Dp73S3MqleTAHjR\n"
+-  
"hqZ77VF7nkroMM9btMHJBaxnfwc2ewULUJwnuOiGWrvMq/9Z4J8CAwEAAaOB/DCB\n"
+-  
"+TAdBgNVHQ4EFgQUkqpVn7N3gmiJ7X5zQ2bki+7qv4UwgckGA1UdIwSBwTCBvoAU\n"
+-  
"kqpVn7N3gmiJ7X5zQ2bki+7qv4WhgZqkgZcwgZQxCzAJBgNVBAYTAkpQMQ4wDAYD\n"
+-  
"VQQIDAVUb2t5bzEQMA4GA1UEBwwHS29nYW5laTENMAsGA1UECgwEV0lERTEPMA0G\n"
+-  
"A1UECwwGQUFBIFdHMR8wHQYDVQQDDBZjaGF2cm91eC5jb3dhZGRpY3Qub3JnMSIw\n"
+-

[oe] [meta-networking][zeus][dunfell][PATCH] freediameter: Fix testcnx ptest failure

2020-07-08 Thread Ovidiu Panait
Currently, testcnx ptest fails due to expired CA certificates:
Test project /usr/lib64/freeDiameter/ptest
...
Start 10: testcnx
10/11 Test #10: testcnx ..***Failed 0.12 sec
...


Command: "/usr/lib64/freeDiameter/ptest/testcnx"
Directory: /usr/lib64/freeDiameter/ptest
"testcnx" start time: Jun 17 10:52 UTC
Output:
--
10:52:43  ERROR  ERROR: Invalid parameter '(conn->cc_rcvthr != 
(pthread_t)((voidd
 *)0))', 22
10:52:43  ERROR  TLS: Remote certificate invalid on socket 6 (Remote: 
'localhostt
.localdomain')(Connection: '{---T} TCP from [127.0.0.1]:57898 (4<-6)') :
10:52:43  ERROR   - The certificate has expired.
10:52:43  ERROR  TLS ERROR: in 'ret = 
gnutls_handshake(conn->cc_tls_para.sessionn
)' :Error in the certificate.
10:52:43  FATAL! testcnx.c:867: CHECK FAILED : fd_cnx_handshake(server_side, 
GNUU
TLS_SERVER, ALGO_HANDSHAKE_DEFAULT , NULL, NULL) == 16 != 0
10:52:43  FATAL! FAILED: testcnx.c

Test time =   0.02 sec


Backport upstream patch [1] to fix this issue.

[1] http://www.freediameter.net/hg/freeDiameter/rev/eff5bb332b5a

This patch is present in version 1.4.0, so master is not affected.

Signed-off-by: Ovidiu Panait 
---
 .../0001-Fix-testcnx-expired-CA-data.patch| 746 ++
 .../freediameter/freediameter_1.3.2.bb|   1 +
 2 files changed, 747 insertions(+)
 create mode 100644 
meta-networking/recipes-protocols/freediameter/files/0001-Fix-testcnx-expired-CA-data.patch

diff --git 
a/meta-networking/recipes-protocols/freediameter/files/0001-Fix-testcnx-expired-CA-data.patch
 
b/meta-networking/recipes-protocols/freediameter/files/0001-Fix-testcnx-expired-CA-data.patch
new file mode 100644
index 0..354d3dc83
--- /dev/null
+++ 
b/meta-networking/recipes-protocols/freediameter/files/0001-Fix-testcnx-expired-CA-data.patch
@@ -0,0 +1,746 @@
+From c892c87dc50e036af4e35de0321e6f37a70b25d2 Mon Sep 17 00:00:00 2001
+From: Ovidiu Panait 
+Date: Tue, 23 Jun 2020 14:17:56 +0300
+Subject: [PATCH] Fix testcnx expired CA data
+
+Upstream-Status: Backport 
[http://www.freediameter.net/hg/freeDiameter/rev/eff5bb332b5a]
+
+Authored-by: Sebastien Decugis 
+Signed-off-by: Ovidiu Panait 
+---
+ tests/testcnx.c | 707 ++--
+ 1 file changed, 425 insertions(+), 282 deletions(-)
+
+diff --git a/tests/testcnx.c b/tests/testcnx.c
+index e1826c9..809d89a 100644
+--- a/tests/testcnx.c
 b/tests/testcnx.c
+@@ -53,300 +53,443 @@
+ 
+ 
+ /* The cryptographic data */
+-static char ca_data[] =   "-BEGIN CERTIFICATE-\n"
+-  
"MIIEqjCCA5KgAwIBAgIJANKgDwdlDYQDMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYD\n"
+-  
"VQQGEwJKUDEOMAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB0tvZ2FuZWkxDTALBgNV\n"
+-  
"BAoMBFdJREUxDzANBgNVBAsMBkFBQSBXRzEfMB0GA1UEAwwWY2hhdnJvdXguY293\n"
+-  
"YWRkaWN0Lm9yZzEiMCAGCSqGSIb3DQEJARYTc2RlY3VnaXNAbmljdC5nby5qcDAe\n"
+-  
"Fw0wOTEwMDUwODUxNDRaFw0xOTEwMDMwODUxNDRaMIGUMQswCQYDVQQGEwJKUDEO\n"
+-  
"MAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB0tvZ2FuZWkxDTALBgNVBAoMBFdJREUx\n"
+-  
"DzANBgNVBAsMBkFBQSBXRzEfMB0GA1UEAwwWY2hhdnJvdXguY293YWRkaWN0Lm9y\n"
+-  
"ZzEiMCAGCSqGSIb3DQEJARYTc2RlY3VnaXNAbmljdC5nby5qcDCCASIwDQYJKoZI\n"
+-  
"hvcNAQEBBQADggEPADCCAQoCggEBAM5c6w4NnngTvGNWcJzbo0Kklp+kvUNQNgGu\n"
+-  
"myvz826qPp07HTSyJrIcgFnuYDR0Nd130Ot9u5osqpQhHTvolxDE87Tii8i3hJSj\n"
+-  
"TTY9K0ZwGb4AZ6QkuyMXS1jtOY657HqjpGZqT/2Syh0i7dM/hqSXFw0SPbyq+W1H\n"
+-  
"SVFWa1CTkPywFWAzwdr5WKah77uZ1dxWqgPgUdcZOiIQtLRp5n3fg40Nwso5YdwS\n"
+-  
"64+ebBX1pkhrCQ8AGc8O61Ep1JTXcO7jqQmPgzjiN+FeostI1Dp73S3MqleTAHjR\n"
+-  
"hqZ77VF7nkroMM9btMHJBaxnfwc2ewULUJwnuOiGWrvMq/9Z4J8CAwEAAaOB/DCB\n"
+-  
"+TAdBgNVHQ4EFgQUkqpVn7N3gmiJ7X5zQ2bki+7qv4UwgckGA1UdIwSBwTCBvoAU\n"
+-  
"kqpVn7N3gmiJ7X5zQ2bki+7qv4WhgZqkgZcwgZQxCzAJBgNVBAYTAkpQMQ4wDAYD\n"
+-  
"VQQIDAVUb2t5bzEQMA4GA1UEBwwHS29nYW5laTENMAsGA1UECgwEV0lERTEPMA0G\n"
+-  
"A1UECwwGQUFBIFdHMR8wHQYDVQQDDBZjaGF2cm91eC5jb3dhZGRpY3Qub3JnMSIw\n"
+-  
"IAYJKoZIhvcNAQkBFhNzZGVjdWdpc0BuaWN0LmdvLmpwggkA0qAPB2UNhAMwDAYD\n"
+-  
"VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAJy0XLk8j8YLSTt2/VMy9TAUx\n"
+-  
"esXUiZj0Ung+gkr7A1K0NnwYxD

[oe] [meta-networking][PATCH] freediameter: upgrade 1.3.2 -> 1.4.0

2020-06-23 Thread Ovidiu Panait
Signed-off-by: Ovidiu Panait 
---
 .../{freediameter_1.3.2.bb => freediameter_1.4.0.bb}   | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 rename meta-networking/recipes-protocols/freediameter/{freediameter_1.3.2.bb 
=> freediameter_1.4.0.bb} (97%)

diff --git 
a/meta-networking/recipes-protocols/freediameter/freediameter_1.3.2.bb 
b/meta-networking/recipes-protocols/freediameter/freediameter_1.4.0.bb
similarity index 97%
rename from meta-networking/recipes-protocols/freediameter/freediameter_1.3.2.bb
rename to meta-networking/recipes-protocols/freediameter/freediameter_1.4.0.bb
index 385b8b373..15ee56196 100644
--- a/meta-networking/recipes-protocols/freediameter/freediameter_1.3.2.bb
+++ b/meta-networking/recipes-protocols/freediameter/freediameter_1.4.0.bb
@@ -23,8 +23,7 @@ SRC_URI = "\
 file://0001-libfdcore-sctp.c-update-the-old-sctp-api-check.patch \
 "
 
-SRC_URI[md5sum] = "73ce230b4789f9f28fff77cbc83c65af"
-SRC_URI[sha256sum] = 
"ce05b4bf2a04cd2f472e77ba4b86fbfca690bfc83e51da8ce0e575804b763eda"
+SRC_URI[sha256sum] = 
"7a537401bd110c606594b7c6be71b993f0ccc73ae151ad68040979286ba4e50e"
 
 S = "${WORKDIR}/${fd_pkgname}-${PV}"
 
-- 
2.17.1



[oe] [meta-networking][PATCH 1/2] netkit-telnet: Use alternatives to avoid manpage conflict

2020-04-01 Thread Ovidiu Panait
Fix the following manpage installation conflict:
 * check_data_file_clashes: Package netkit-telnet-doc wants to install file 
/usr/share/man/man8/telnetd.8
   But that file is already provided by package  * inetutils-doc

Signed-off-by: Ovidiu Panait 
---
 .../recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb 
b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
index cf9934138..ffd3b48e8 100644
--- a/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
+++ b/meta-networking/recipes-netkit/netkit-telnet/netkit-telnet_0.17.bb
@@ -57,6 +57,9 @@ ALTERNATIVE_${PN} = "telnet"
 ALTERNATIVE_LINK_NAME[telnet] = "${bindir}/telnet"
 ALTERNATIVE_TARGET[telnet] = "${bindir}/telnet.${PN}"
 
+ALTERNATIVE_${PN}-doc = "telnetd.8"
+ALTERNATIVE_LINK_NAME[telnetd.8] = "${mandir}/man8/telnetd.8"
+
 SRC_URI[md5sum] = "d6beabaaf53fe6e382c42ce3faa05a36"
 SRC_URI[sha256sum] = 
"9c80d5c7838361a328fb6b60016d503def9ce53ad3c589f3b08ff71a2bb88e00"
 FILES_${PN} += "${sbindir}/in.* ${libdir}/* ${sysconfdir}/xinetd.d/*"
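Review bot: The new `ALTERNATIVE_${PN}-doc = "telnetd.8"` entry only resolves the clash if inetutils-doc also registers `telnetd.8` as an alternative, and nothing in this patch shows that it does. If inetutils-doc still ships the man page as a plain file, the alternatives link would presumably be created on top of a file owned by another package. The same question applies to the `tftpd.8` and `tftp.1` entries in the tftp-hpa patch (2/2). Confirm the inetutils side, and consider a one-line comment above the new variables naming the package they are meant to coexist with, e.g. `# man page also shipped by inetutils-doc`.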
-- 
2.17.1



[oe] [meta-networking][PATCH 2/2] tftp-hpa: Use alternatives to avoid manpage conflicts

2020-04-01 Thread Ovidiu Panait
Fix the following manpage conflicts:
 * check_data_file_clashes: Package inetutils-doc wants to install file 
/usr/share/man/man1/tftp.1
But that file is already provided by package  * tftp-hpa-doc
 * check_data_file_clashes: Package inetutils-doc wants to install file 
/usr/share/man/man8/tftpd.8
But that file is already provided by package  * tftp-hpa-doc

Signed-off-by: Ovidiu Panait 
---
 meta-networking/recipes-daemons/tftp-hpa/tftp-hpa_5.2.bb | 5 +
 1 file changed, 5 insertions(+)

diff --git a/meta-networking/recipes-daemons/tftp-hpa/tftp-hpa_5.2.bb 
b/meta-networking/recipes-daemons/tftp-hpa/tftp-hpa_5.2.bb
index 132972b33..413950be1 100644
--- a/meta-networking/recipes-daemons/tftp-hpa/tftp-hpa_5.2.bb
+++ b/meta-networking/recipes-daemons/tftp-hpa/tftp-hpa_5.2.bb
@@ -82,10 +82,15 @@ INITSCRIPT_PACKAGES = "tftp-hpa-server"
 INITSCRIPT_NAME = "tftpd-hpa"
 INITSCRIPT_PARAMS = "start 20 2 3 4 5 . stop 20 1 ."
 
+ALTERNATIVE_${PN}-doc = "tftpd.8 tftp.1"
+ALTERNATIVE_LINK_NAME[tftpd.8] = "${mandir}/man8/tftpd.8"
+ALTERNATIVE_LINK_NAME[tftp.1] = "${mandir}/man1/tftp.1"
+
 ALTERNATIVE_${PN} = "tftp"
 ALTERNATIVE_TARGET[tftp] = "${bindir}/tftp-hpa"
 ALTERNATIVE_PRIORITY = "60"
 
+
 SYSTEMD_PACKAGES = "tftp-hpa-server"
 SYSTEMD_SERVICE_tftp-hpa-server = "tftpd-hpa.socket tftpd-hpa.service"
 SYSTEMD_AUTO_ENABLE_tftp-hpa-server = "enable"
-- 
2.17.1



[oe] [meta-networking][PATCH 1/1] kea: Disable parallel install

2019-10-04 Thread Ovidiu Panait
According to configure.ac, make install might fail when run with multiple jobs:

$ tail -15 log.do_configure
...
When running "make install" do not use any form of parallel or job
server options (such as GNU make's -j option). Doing so may cause
errors.
...

Signed-off-by: Ovidiu Panait 
---
 meta-networking/recipes-connectivity/kea/kea_1.7.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-networking/recipes-connectivity/kea/kea_1.7.0.bb 
b/meta-networking/recipes-connectivity/kea/kea_1.7.0.bb
index fb166df60..08e9923ba 100644
--- a/meta-networking/recipes-connectivity/kea/kea_1.7.0.bb
+++ b/meta-networking/recipes-connectivity/kea/kea_1.7.0.bb
@@ -60,3 +60,5 @@ FILES_${PN}-staticdev += "${libdir}/kea/hooks/*.a 
${libdir}/hooks/*.a"
 FILES_${PN} += "${libdir}/hooks/*.so"
 
 BBCLASSEXTEND += "native"
+
+PARALLEL_MAKEINST = ""
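Review bot: `PARALLEL_MAKEINST = ""` is added at the end of the recipe with no comment, so the reason for serialising the install step exists only in the commit message. A later recipe upgrade could drop the line as leftover without knowing that upstream's configure output warns against it. Put the reason next to the setting, for example `# configure.ac: "make install" must not be run with -j or a job server`.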
-- 
2.20.1



[oe] [meta-python][PATCH 2/2] python3-pillow: Add python3-misc/logging/numbers to RDEPENDS

2019-07-15 Thread Ovidiu Panait
Fix the following issues:
$ python3 -c 'from PIL import Image'
ModuleNotFoundError: No module named 'pathlib'
...
ModuleNotFoundError: No module named 'logging'
...
ModuleNotFoundError: No module named 'numbers'

Signed-off-by: Ovidiu Panait 
---
 meta-python/recipes-devtools/python/python3-pillow_6.1.bb | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/meta-python/recipes-devtools/python/python3-pillow_6.1.bb 
b/meta-python/recipes-devtools/python/python3-pillow_6.1.bb
index 13e6b4143..b74326755 100644
--- a/meta-python/recipes-devtools/python/python3-pillow_6.1.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_6.1.bb
@@ -23,6 +23,12 @@ DEPENDS += " \
 openjpeg \
 "
 
+RDEPENDS_${PN} += " \
+${PYTHON_PN}-misc \
+${PYTHON_PN}-logging \
+${PYTHON_PN}-numbers \
+"
+
 CVE_PRODUCT = "pillow"
 
 S = "${WORKDIR}/git"
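Review bot: The added `RDEPENDS_${PN}` block does not record which import each package satisfies, and `${PYTHON_PN}-misc` in particular gives no hint that it is there for `pathlib`, as the commit message suggests. A short comment above the block, such as `# pathlib (python3-misc), logging and numbers are imported by PIL at load time`, would help whoever next trims or extends the list. The list was presumably found by running `from PIL import Image` alone, so modules imported lazily by individual plugins may still be missing; a run of the package's own tests on target would confirm.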
-- 
2.20.1



[oe] [meta-python][PATCH 1/2] python3-pillow: 5.4.1 -> 6.1

2019-07-15 Thread Ovidiu Panait
Update python3-pillow to version 6.1 and refresh patches.

License-Update: copyright years

Signed-off-by: Ovidiu Panait 
---
 .../0001-explicitly-set-compile-options.patch | 10 +++---
 .../0001-support-cross-compiling.patch| 32 +--
 ...-pillow_5.4.1.bb => python3-pillow_6.1.bb} |  6 ++--
 3 files changed, 24 insertions(+), 24 deletions(-)
 rename meta-python/recipes-devtools/python/{python3-pillow_5.4.1.bb => 
python3-pillow_6.1.bb} (74%)

diff --git 
a/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch
 
b/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch
index de89ba005..d4372696f 100644
--- 
a/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch
+++ 
b/meta-python/recipes-devtools/python/python3-pillow/0001-explicitly-set-compile-options.patch
@@ -1,4 +1,4 @@
-From 52879439f2976662140b76951f43f16e1d5ef08e Mon Sep 17 00:00:00 2001
+From 9f3073bf6a7c7c51bb49d25f65c8f75cc704a5ee Mon Sep 17 00:00:00 2001
 From: Hongxu Jia 
 Date: Mon, 18 Mar 2019 23:23:55 -0400
 Subject: [PATCH] explicitly set compile options
@@ -15,12 +15,12 @@ Signed-off-by: Hongxu Jia 
  1 file changed, 12 insertions(+)
 
 diff --git a/setup.cfg b/setup.cfg
-index 95900ff..27da313 100644
+index 3ab2e127..e92615f3 100644
 --- a/setup.cfg
 +++ b/setup.cfg
-@@ -9,3 +9,15 @@ addopts = -vx Tests
- 
+@@ -4,3 +4,15 @@ test=pytest
  [flake8]
+ extend-ignore = E203, W503
  max-line-length = 88
 +
 +[build_ext]
@@ -35,5 +35,5 @@ index 95900ff..27da313 100644
 +disable-webpmux = 1
 +disable-imagequant = 1
 -- 
-2.8.1
+2.20.1
 
diff --git 
a/meta-python/recipes-devtools/python/python3-pillow/0001-support-cross-compiling.patch
 
b/meta-python/recipes-devtools/python/python3-pillow/0001-support-cross-compiling.patch
index e86293421..6de19ad87 100644
--- 
a/meta-python/recipes-devtools/python/python3-pillow/0001-support-cross-compiling.patch
+++ 
b/meta-python/recipes-devtools/python/python3-pillow/0001-support-cross-compiling.patch
@@ -1,4 +1,4 @@
-From a78411402c824668283beb94db4bf7e206a4cf60 Mon Sep 17 00:00:00 2001
+From ae7c8d0336381dd4c10e809e9c8926f9deeafeb8 Mon Sep 17 00:00:00 2001
 From: Hongxu Jia 
 Date: Thu, 14 Mar 2019 03:48:10 -0400
 Subject: [PATCH] support cross compiling
@@ -11,29 +11,29 @@ Signed-off-by: Hongxu Jia 
  1 file changed, 3 insertions(+), 10 deletions(-)
 
 diff --git a/setup.py b/setup.py
-index 79f912b..37e5827 100755
+index 5ceae344..07863340 100755
 --- a/setup.py
 +++ b/setup.py
-@@ -50,7 +50,7 @@ _LIB_IMAGING = (
- "ZipEncode", "TiffDecode", "Jpeg2KDecode", "Jpeg2KEncode", "BoxBlur",
- "QuantPngQuant", "codec_fd")
+@@ -105,7 +105,7 @@ _LIB_IMAGING = (
+ "codec_fd",
+ )
  
 -DEBUG = False
 +DEBUG = True
  
  
  class DependencyException(Exception):
-@@ -345,21 +345,16 @@ class pil_build_ext(build_ext):
+@@ -396,21 +396,16 @@ class pil_build_ext(build_ext):
  _add_directory(library_dirs, match.group(1))
  
  # include, rpath, if set as environment variables:
--for k in ('C_INCLUDE_PATH', 'CPATH', 'INCLUDE'):
+-for k in ("C_INCLUDE_PATH", "CPATH", "INCLUDE"):
 +for k in ('C_INCLUDE_PATH', 'CPATH', 'INCLUDE', 'STAGING_INCDIR'):
  if k in os.environ:
  for d in os.environ[k].split(os.path.pathsep):
  _add_directory(include_dirs, d)
  
--for k in ('LD_RUN_PATH', 'LIBRARY_PATH', 'LIB'):
+-for k in ("LD_RUN_PATH", "LIBRARY_PATH", "LIB"):
 +for k in ('LD_RUN_PATH', 'LIBRARY_PATH', 'LIB', 'STAGING_LIBDIR'):
  if k in os.environ:
  for d in os.environ[k].split(os.path.pathsep):
@@ -47,15 +47,15 @@ index 79f912b..37e5827 100755
  #
  # add platform directories
  
-@@ -413,8 +408,6 @@ class pil_build_ext(build_ext):
- elif sys.platform.startswith("linux") or \
- sys.platform.startswith("gnu") or \
- sys.platform.startswith("freebsd"):
+@@ -469,8 +464,6 @@ class pil_build_ext(build_ext):
+ or sys.platform.startswith("gnu")
+ or sys.platform.startswith("freebsd")
+ ):
 -for dirname in _find_library_dirs_ldconfig():
 -_add_directory(library_dirs, dirname)
- if sys.platform.startswith("linux") and \
- os.environ.get('ANDROID_ROOT', None):
- # termux support for android.
+ if sys.platform.startswith("linux") and os.environ.get(
+ "ANDROID_ROOT", None
+ ):
 -- 
-2.8.1
+2.20.1
 
diff --git a/meta-python/recipes-devtools/python/python3-pillow_5.4.1.bb 
b/meta-python/recipes-devtools/python/python3-pillow_6

[oe] [meta-filesystems][PATCH] xfsprogs: Fix host contamination

2019-06-06 Thread Ovidiu Panait
Currently, the following symbolic links point to the host:
$ cd xfsprogs/4.18.0-r0/image
$ find . -type l -iname "lib*" -ls
./usr/lib/libhandle.so -> /lib/libhandle.so
./lib/libhandle.a -> /usr/lib/libhandle.a

This causes a build failure if the files already exist on the host:
ERROR: xfsprogs-4.18.0-r0 do_package_write_rpm: Function failed: BUILDSPEC
...
| NOTE: Creating RPM package for xfsprogs-fsck
| NOTE: Creating RPM package for xfsprogs-mkfs
| NOTE: Creating RPM package for xfsprogs-repair
| NOTE: Creating RPM package for libhandle1
| NOTE: Creating RPM package for xfsprogs-dbg
| NOTE: Creating RPM package for xfsprogs-staticdev
| NOTE: Creating RPM package for libhandle1
| NOTE: Creating RPM package for xfsprogs-doc
| NOTE: Not creating empty RPM package for xfsprogs-locale
| NOTE: Creating RPM package for xfsprogs
| NOTE: Creating RPM package for xfsprogs
| error: line 175: %package -n libhandle1: package libhandle1 already exists
...

Signed-off-by: Ovidiu Panait 
---
 meta-filesystems/recipes-utils/xfsprogs/xfsprogs_4.18.0.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-filesystems/recipes-utils/xfsprogs/xfsprogs_4.18.0.bb 
b/meta-filesystems/recipes-utils/xfsprogs/xfsprogs_4.18.0.bb
index 0a1bacb93..59c67fda6 100644
--- a/meta-filesystems/recipes-utils/xfsprogs/xfsprogs_4.18.0.bb
+++ b/meta-filesystems/recipes-utils/xfsprogs/xfsprogs_4.18.0.bb
@@ -65,4 +65,7 @@ do_install_append() {
 oe_runmake 'DESTDIR=${D}' install-dev
 rm ${D}${libdir}/*.la
 rmdir --ignore-fail-on-non-empty ${D}${libdir}
+
+ln -sf -r ${D}${libdir}/libhandle.a ${D}${base_libdir}/libhandle.a
+ln -sf -r ${D}${base_libdir}/libhandle.so ${D}${libdir}/libhandle.so
 }
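Review bot: The two added `ln -sf -r` lines assume `${libdir}` and `${base_libdir}` are different directories. On a configuration where they are the same path (for example with the usrmerge distro feature), each command would be asked to link a file onto itself, which would presumably fail do_install or replace the real library with a self-referencing link. Wrapping both lines in `if [ "${libdir}" != "${base_libdir}" ]; then … fi` avoids that. A comment such as `# upstream installs absolute symlinks; recreate them relative to ${D}` would also explain why the links are redone. The body of do_install_append starts outside the hunk.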
-- 
2.18.1



[oe] [thud][meta-python][PATCH] python3-blivetgui: Fix _supported_filesystems crash

2019-03-21 Thread Ovidiu Panait
Fix the following error when attempting to use blivet-gui in anaconda:
Traceback (most recent call first):
  File "/usr/lib64/python3.5/site-packages/blivetgui/blivetgui.py", line 153, 
in supported_filesystems
if self._supported_filesystems:
  File "/usr/lib64/python3.5/site-packages/blivetgui/blivetgui.py", line 456, 
in add_device
supported_filesystems=self.supported_filesystems,
AttributeError: 'BlivetGUIAnaconda' object has no attribute 
'_supported_filesystems'

Reference:
https://github.com/storaged-project/blivet-gui/pull/100/

Signed-off-by: Ovidiu Panait 
---
 ...ilesystems-in-BlivetGUIAnaconda-init.patch | 39 +++
 .../python-blivet/python3-blivetgui_2.1.8.bb  |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 
meta-python/recipes-extended/python-blivet/python3-blivetgui/0001-Set-_supported_filesystems-in-BlivetGUIAnaconda-init.patch

diff --git 
a/meta-python/recipes-extended/python-blivet/python3-blivetgui/0001-Set-_supported_filesystems-in-BlivetGUIAnaconda-init.patch
 
b/meta-python/recipes-extended/python-blivet/python3-blivetgui/0001-Set-_supported_filesystems-in-BlivetGUIAnaconda-init.patch
new file mode 100644
index 0..25a71d4a7
--- /dev/null
+++ 
b/meta-python/recipes-extended/python-blivet/python3-blivetgui/0001-Set-_supported_filesystems-in-BlivetGUIAnaconda-init.patch
@@ -0,0 +1,39 @@
+From a7b76f783608033e449ba1e33d040c2b40c01a4d Mon Sep 17 00:00:00 2001
+From: Adam Williamson 
+Date: Wed, 17 Jan 2018 10:38:18 -0800
+Subject: [PATCH] Set _supported_filesystems in BlivetGUIAnaconda init
+
+BlivetGUIAnaconda subclasses BlivetGUI, but doesn't call the
+parent class's __init__. c4b6e174 added supported_filesystems
+to BlivetGUI and set _supported_filesystems for caching during
+__init__, but this was not also added to BlivetGUIAnaconda, so
+when anything tries to use the supported_filesystems property
+of a BlivetGUIAnaconda instance, it will crash. This is causing
+all attempts to use blivet-gui in anaconda to crash since 2.1.8
+landed in Rawhide.
+
+Upstream-Status: Backport [https://github.com/storaged-project/blivet-gui]
+
+Signed-off-by: Adam Williamson 
+Signed-off-by: Ovidiu Panait 
+---
+ blivetgui/osinstall.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/blivetgui/osinstall.py b/blivetgui/osinstall.py
+index 21806ca..32ff66b 100644
+--- a/blivetgui/osinstall.py
 b/blivetgui/osinstall.py
+@@ -94,6 +94,9 @@ class BlivetGUIAnaconda(BlivetGUI):
+ self.builder.set_translation_domain("blivet-gui")
+ self.builder.add_from_file(locate_ui_file("blivet-gui.ui"))
+ 
++# supported filesystems
++self._supported_filesystems = []
++
+ # CSS styles
+ css_provider = Gtk.CssProvider()
+ css_provider.load_from_path(locate_css_file("rectangle.css"))
+-- 
+2.20.1
+
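Review bot: The `Upstream-Status: Backport [https://github.com/storaged-project/blivet-gui]` tag in the added patch header names only the repository, so the carried diff cannot be checked against a specific upstream change. The cover message already cites pull request 100; putting it in the tag, `Upstream-Status: Backport [https://github.com/storaged-project/blivet-gui/pull/100]`, would let a later reviewer compare the two. Separately, the recipe's SRC_URI fetches from `github.com/rhinstaller/blivet-gui` while the tag points at `storaged-project`. Presumably the project moved, but it is worth confirming that both refer to the same history.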
diff --git 
a/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.8.bb 
b/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.8.bb
index 91f0dff71..5f62b9e5c 100644
--- a/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.8.bb
+++ b/meta-python/recipes-extended/python-blivet/python3-blivetgui_2.1.8.bb
@@ -10,6 +10,7 @@ B = "${S}"
 
 SRCREV = "a4fd427ee2acc5a8f5fb030bf7816917cee63bd8"
 SRC_URI = "git://github.com/rhinstaller/blivet-gui;branch=master \
+file://0001-Set-_supported_filesystems-in-BlivetGUIAnaconda-init.patch \
 "
 
 inherit distro_features_check
-- 
2.20.1



[oe] [meta-oe][PATCH 1/2] vim: Fix "--enable-gtk2-test" unrecognized option error

2019-02-01 Thread Ovidiu Panait
Fix the following build error when vim PACKAGECONFIG[gtkgui] is enabled:
...
ERROR: vim-8.1.0347-r0 do_configure: QA Issue: vim: configure was passed
unrecognised options: --enable-gtk2-test [unknown-configure-option]
ERROR: vim-8.1.0347-r0 do_configure: Fatal QA errors found, failing task.
ERROR: vim-8.1.0347-r0 do_configure: Function failed: do_qa_configure
...

Signed-off-by: Ovidiu Panait 
---
 meta-oe/recipes-support/vim/vim_8.1.0347.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-support/vim/vim_8.1.0347.bb 
b/meta-oe/recipes-support/vim/vim_8.1.0347.bb
index 46d229e03..a09582f99 100644
--- a/meta-oe/recipes-support/vim/vim_8.1.0347.bb
+++ b/meta-oe/recipes-support/vim/vim_8.1.0347.bb
@@ -37,7 +37,7 @@ do_configure () {
 PACKAGECONFIG ??= ""
 PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
-PACKAGECONFIG[gtkgui] = "--enable-gtk2-test 
--enable-gui=gtk2,--enable-gui=no,gtk+,"
+PACKAGECONFIG[gtkgui] = "--enable-gui=gtk2,--enable-gui=no,gtk+,"
 PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl,"
 PACKAGECONFIG[x11] = "--with-x,--without-x,xt,"
 PACKAGECONFIG[tiny] = "--with-features=tiny,--with-features=big,,"
-- 
2.20.1



[oe] [meta-oe][PATCH 2/2] vim: Enable GUI support for x11 DISTRO_FEATURES

2019-02-01 Thread Ovidiu Panait
Adding vim to a sato image will produce a non-working Gvim desktop entry
because GUI support is not compiled in:
# vim -g 
E25: GUI cannot be used: Not enabled at compile time 

Signed-off-by: Ovidiu Panait 
---
 meta-oe/recipes-support/vim/vim_8.1.0347.bb | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta-oe/recipes-support/vim/vim_8.1.0347.bb 
b/meta-oe/recipes-support/vim/vim_8.1.0347.bb
index a09582f99..0b99438b9 100644
--- a/meta-oe/recipes-support/vim/vim_8.1.0347.bb
+++ b/meta-oe/recipes-support/vim/vim_8.1.0347.bb
@@ -35,7 +35,10 @@ do_configure () {
 
 #Available PACKAGECONFIG options are gtkgui, acl, x11, tiny
 PACKAGECONFIG ??= ""
-PACKAGECONFIG += "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
+PACKAGECONFIG += " \
+${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)} \
+${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11 gtkgui', '', d)} \
+"
 
 PACKAGECONFIG[gtkgui] = "--enable-gui=gtk2,--enable-gui=no,gtk+,"
 PACKAGECONFIG[acl] = "--enable-acl,--disable-acl,acl,"
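Review bot: The added `${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11 gtkgui', '', d)}` line makes every distro with x11 build vim with the GTK GUI, yet the comment above PACKAGECONFIG still only lists the option names. Because the value is appended with `+=`, a layer that wants a console-only editor has to remove it explicitly, and the gtk+ dependency from `PACKAGECONFIG[gtkgui]` comes along by default. A comment such as `# x11 in DISTRO_FEATURES enables x11 and gtkgui; use PACKAGECONFIG_remove for a console-only vim` would make the new default and its opt-out visible.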
-- 
2.20.1



[oe] [thud][meta-oe][PATCH] polkit: Fix CVE-2019-6133

2019-01-23 Thread Ovidiu Panait
In PolicyKit (aka polkit) 0.115, the start time protection mechanism can
be bypassed because fork() is not atomic, and therefore authorization
decisions are improperly cached. This is related to lack of uid checking
in polkitbackend/polkitbackendinteractiveauthority.c.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2019-6133

Upstream patch:
https://gitlab.freedesktop.org/polkit/polkit/commit/c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81

Signed-off-by: Ovidiu Panait 
---
 .../polkit/polkit/CVE-2019-6133.patch  | 190 +
 meta-oe/recipes-extended/polkit/polkit_0.115.bb|   1 +
 2 files changed, 191 insertions(+)
 create mode 100644 meta-oe/recipes-extended/polkit/polkit/CVE-2019-6133.patch

diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2019-6133.patch 
b/meta-oe/recipes-extended/polkit/polkit/CVE-2019-6133.patch
new file mode 100644
index 0..6fd20dc75
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2019-6133.patch
@@ -0,0 +1,190 @@
+From 6cc6aafee135ba44ea748250d7d29b562ca190e3 Mon Sep 17 00:00:00 2001
+From: Colin Walters 
+Date: Fri, 4 Jan 2019 14:24:48 -0500
+Subject: [PATCH] backend: Compare PolkitUnixProcess uids for temporary
+ authorizations
+
+It turns out that the combination of `(pid, start time)` is not
+enough to be unique.  For temporary authorizations, we can avoid
+separate users racing on pid reuse by simply comparing the uid.
+
+https://bugs.chromium.org/p/project-zero/issues/detail?id=1692
+
+And the above original email report is included in full in a new comment.
+
+Reported-by: Jann Horn 
+
+Closes: https://gitlab.freedesktop.org/polkit/polkit/issues/75
+
+CVE: CVE-2019-6133
+Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit.git]
+
+Signed-off-by: Ovidiu Panait 
+---
+ src/polkit/polkitsubject.c|  2 +
+ src/polkit/polkitunixprocess.c| 71 ++-
+ .../polkitbackendinteractiveauthority.c   | 39 +-
+ 3 files changed, 110 insertions(+), 2 deletions(-)
+
+diff --git a/src/polkit/polkitsubject.c b/src/polkit/polkitsubject.c
+index d4c1182..ccabd0a 100644
+--- a/src/polkit/polkitsubject.c
 b/src/polkit/polkitsubject.c
+@@ -99,6 +99,8 @@ polkit_subject_hash (PolkitSubject *subject)
+  * @b: A #PolkitSubject.
+  *
+  * Checks if @a and @b are equal, ie. represent the same subject.
++ * However, avoid calling polkit_subject_equal() to compare two processes;
++ * for more information see the `PolkitUnixProcess` documentation.
+  *
+  * This function can be used in e.g. g_hash_table_new().
+  *
+diff --git a/src/polkit/polkitunixprocess.c b/src/polkit/polkitunixprocess.c
+index b02b258..78d7251 100644
+--- a/src/polkit/polkitunixprocess.c
 b/src/polkit/polkitunixprocess.c
+@@ -51,7 +51,10 @@
+  * @title: PolkitUnixProcess
+  * @short_description: Unix processs
+  *
+- * An object for representing a UNIX process.
++ * An object for representing a UNIX process.  NOTE: This object as
++ * designed is now known broken; a mechanism to exploit a delay in
++ * start time in the Linux kernel was identified.  Avoid
++ * calling polkit_subject_equal() to compare two processes.
+  *
+  * To uniquely identify processes, both the process id and the start
+  * time of the process (a monotonic increasing value representing the
+@@ -66,6 +69,72 @@
+  * polkit_unix_process_new_for_owner() with trusted data.
+  */
+ 
++/* See https://gitlab.freedesktop.org/polkit/polkit/issues/75
++
++  But quoting the original email in full here to ensure it's preserved:
++
++  From: Jann Horn 
++  Subject: [SECURITY] polkit: temporary auth hijacking via PID reuse and 
non-atomic fork
++  Date: Wednesday, October 10, 2018 5:34 PM
++
++When a (non-root) user attempts to e.g. control systemd units in the system
++instance from an active session over DBus, the access is gated by a polkit
++policy that requires "auth_admin_keep" auth. This results in an auth prompt
++being shown to the user, asking the user to confirm the action by entering the
++password of an administrator account.
++
++After the action has been confirmed, the auth decision for "auth_admin_keep" 
is
++cached for up to five minutes. Subject to some restrictions, similar actions 
can
++then be performed in this timespan without requiring re-auth:
++
++ - The PID of the DBus client requesting the new action must match the PID of
++   the DBus client requesting the old action (based on SO_PEERCRED information
++   forwarded by the DBus daemon).
++ - The "start time" of the client's PID (as seen in /proc/$pid/stat, field 22)
++   must not have changed. The granularity of this timestamp is in the
++   millisecond range.
++ - polkit polls every two seconds whether a process with the expected start 
time
++   still exists. If not, the temporary auth entry is purged.
++
++Without the start time check, this would obviously be buggy because an 
attacker
++could simply wait for the legitimate cl

[oe] [meta-oe][PATCH] lvm2-udevrules: Add ALLOW_EMPTY

2018-07-31 Thread Ovidiu Panait
When lvm2 is configured without udev feature, the lvm2-udevrules package
is empty, so do_rootfs will fail to install any other packages that
rdepend on it. (e.g. cryptsetup with meta-secure-core layer since commit
https://github.com/jiazhang0/meta-secure-core/commit/afc3939):

..
Problem: conflicting requests
 - nothing provides lvm2-udevrules needed by cryptsetup
..

Signed-off-by: Ovidiu Panait 
---
 meta-oe/recipes-support/lvm2/lvm2_2.02.177.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/recipes-support/lvm2/lvm2_2.02.177.bb 
b/meta-oe/recipes-support/lvm2/lvm2_2.02.177.bb
index 1d9de3d94..388e89117 100644
--- a/meta-oe/recipes-support/lvm2/lvm2_2.02.177.bb
+++ b/meta-oe/recipes-support/lvm2/lvm2_2.02.177.bb
@@ -46,6 +46,7 @@ FILES_${PN}-scripts = " \
 # Specified explicitly for the udev rules, just in case that it does not get 
picked
 # up automatically:
 FILES_${PN}-udevrules = "${nonarch_base_libdir}/udev/rules.d"
+ALLOW_EMPTY_${PN}-udevrules = "1"
 RDEPENDS_${PN}_append_class-target = " libdevmapper"
 RDEPENDS_${PN}_append_class-nativesdk = " libdevmapper"
 
-- 
2.17.1



[oe] [meta-oe][PATCH 1/1] nativesdk-lvm2: Fix installed-vs-shipped errors

2018-07-16 Thread Ovidiu Panait
Fix the following build errors:
$ bitbake nativesdk-lvm2
ERROR: nativesdk-lvm2-2.02.177-r0 do_package: QA Issue: nativesdk-lvm2: 
Files/directories were installed but not shipped in any package:
  /etc
  /etc/lvm
  /etc/lvm/lvmlocal.conf
  /etc/lvm/lvm.conf
  /etc/lvm/profile
  /etc/lvm/profile/metadata_profile_template.profile
  /etc/lvm/profile/cache-smq.profile
  /etc/lvm/profile/thin-generic.profile
  /etc/lvm/profile/command_profile_template.profile
  /etc/lvm/profile/cache-mq.profile
  /etc/lvm/profile/thin-performance.profile
  /etc/lvm/profile/lvmdbusd.profile
...
nativesdk-lvm2: 12 installed and not shipped files. [installed-vs-shipped]

Signed-off-by: Ovidiu Panait 
---
 meta-oe/recipes-support/lvm2/lvm2_2.02.177.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-oe/recipes-support/lvm2/lvm2_2.02.177.bb 
b/meta-oe/recipes-support/lvm2/lvm2_2.02.177.bb
index 390970fcb..34b2e99f2 100644
--- a/meta-oe/recipes-support/lvm2/lvm2_2.02.177.bb
+++ b/meta-oe/recipes-support/lvm2/lvm2_2.02.177.bb
@@ -34,6 +34,8 @@ SYSTEMD_AUTO_ENABLE = "disable"
 
 TARGET_CC_ARCH += "${LDFLAGS}"
 
+EXTRA_OECONF_append_class-nativesdk = " --with-confdir=${sysconfdir}"
+
 FILES_${PN} += "${libdir}/device-mapper/*.so"
 FILES_${PN}-scripts = " \
 ${sbindir}/blkdeactivate \
@@ -45,6 +47,7 @@ FILES_${PN}-scripts = " \
 # up automatically:
 FILES_${PN}-udevrules = "${nonarch_base_libdir}/udev/rules.d"
 RDEPENDS_${PN}_append_class-target = " libdevmapper"
+RDEPENDS_${PN}_append_class-nativesdk = " libdevmapper"
 
 RDEPENDS_${PN}-scripts = "${PN} (= ${EXTENDPKGV}) bash"
 RRECOMMENDS_${PN}_class-target = "${PN}-scripts (= ${EXTENDPKGV})"
-- 
2.17.1



[oe] [meta-networking][PATCH 1/1] net-snmp: Fix host contamination

2018-06-15 Thread Ovidiu Panait
If "/usr/local/ssl/include" directory exists on the host machine, net-snmp will
also search the host openssl headers:

build/net-snmp/temp$ grep -i "/usr/local/ssl/include" log.do_compile
x86_64-wrs-linux-libtool: compile: x86_64-wrs-linux-gcc ... 
-I/usr/local/ssl/include

Fix this by selecting the proper sysroot headers using
--with-openssl=${STAGING_EXECPREFIXDIR}

Signed-off-by: Ovidiu Panait 
---
 meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb 
b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
index 5c827bb86..6f6f19ac9 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
@@ -66,7 +66,8 @@ EXTRA_OECONF = "--enable-shared \
 --with-install-prefix=${D} \
 --with-persistent-directory=${localstatedir}/lib/net-snmp \
 ${@oe.utils.conditional('SITEINFO_ENDIANNESS', 'le', 
'--with-endianness=little', '--with-endianness=big', d)} \
-"
+--with-openssl=${STAGING_EXECPREFIXDIR} \
+"
 
 # net-snmp needs to have mib-modules=smux enabled to enable quagga to support 
snmp
 EXTRA_OECONF += "--with-mib-modules=smux"
@@ -121,8 +122,10 @@ do_install_append() {
 install -m 0644 ${WORKDIR}/snmpd.service ${D}${systemd_unitdir}/system
 install -m 0644 ${WORKDIR}/snmptrapd.service ${D}${systemd_unitdir}/system
 sed-e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g" \
+   -e "s@${STAGING_DIR_TARGET}@@g" \
 -i ${D}${bindir}/net-snmp-create-v3-user
 sed-e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g" \
+   -e "s@${STAGING_DIR_TARGET}@@g" \
-e "s@\([^ ]*-fdebug-prefix-map=[^ ]*\)\1*@@g" \
-e "s@\([^ ]*--sysroot=[^ ]*\)\1*@@g" \
-e "s@\([^ ]*--with-libtool-sysroot=[^ ]*\)\1*@@g" \
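Review bot: The added `-e "s@${STAGING_DIR_TARGET}@@g"` expressions put a build path straight into a sed regular expression that uses `@` as its delimiter, so a `.` in the path matches any character and an `@` in the path breaks the command. Both sed calls in do_install_append receive the same expression. Since the purpose is to keep build-host paths out of the target scripts, a check after the sed calls would confirm the stripping worked, for example `grep -q "${STAGING_DIR_TARGET}" ${D}${bindir}/net-snmp-config && bbfatal "build path left in net-snmp-config"`. do_install_append starts and ends outside the hunk.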
-- 
2.17.1



[oe] [meta-networking][PATCH v2] net-snmp: fix invalid paths in target net-snmp-config

2017-12-21 Thread Ovidiu Panait
Remove build host paths from target net-snmp-config.

Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com>
---
 meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb 
b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
index af6fd1b1f..f6da945af 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
@@ -116,6 +116,10 @@ do_install_append() {
 sed-e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g" \
 -i ${D}${bindir}/net-snmp-create-v3-user
 sed-e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g" \
+   -e "s@${STAGING_DIR_NATIVE}@@g" \
+   -e "s@${STAGING_DIR_HOST}@@g" \
+   -e "s@${D}@@g" \
+   -e "s@${WORKDIR}@@g" \
 -i ${D}${bindir}/net-snmp-config
 
 if [ "${HAS_PERL}" = "1" ]; then
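Review bot: Deleting only the path prefixes leaves the surrounding flags in the target `net-snmp-config` with empty values; the expressions added to net_snmp_sysroot_preprocess later in this patch match exactly that residue (`--sysroot=`, `-fdebug-prefix-map==`). A target script that prints `--sysroot=` with no argument is of little use to whatever consumes its output, so removing the whole flag from the target copy, e.g. `-e "s@--sysroot=[^ ]*@@g"`, looks cleaner. The sysroot copy presumably starts from `${D}${bindir}/net-snmp-config`, so its expressions would have to change with it. do_install_append starts and ends outside the hunk.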
@@ -144,6 +148,7 @@ do_install_ptest() {
 }
 
 SYSROOT_PREPROCESS_FUNCS += "net_snmp_sysroot_preprocess"
+SNMP_DBGDIR = "/usr/src/debug/${PN}/${EXTENDPE}${PV}-${PR}"
 
 net_snmp_sysroot_preprocess () {
 if [ -e ${D}${bindir}/net-snmp-config ]; then
@@ -155,6 +160,12 @@ net_snmp_sysroot_preprocess () {
 -e "s@^includedir=.*@includedir=${STAGING_INCDIR}@g" \
 -e "s@^libdir=.*@libdir=${STAGING_LIBDIR}@g" \
 -e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=${S}@g" \
+-e 
"s@-fdebug-prefix-map==${SNMP_DBGDIR}@-fdebug-prefix-map=${WORKDIR}=${SNMP_DBGDIR}@g"
 \
+-e "s@-fdebug-prefix-map== 
-fdebug-prefix-map==@-fdebug-prefix-map=${STAGING_DIR_NATIVE}= \
+  -fdebug-prefix-map=${STAGING_DIR_HOST}=@g" \
+-e "s@--sysroot=@--sysroot=${STAGING_DIR_HOST}@g" \
+-e 
"s@--with-libtool-sysroot=@--with-libtool-sysroot=${STAGING_DIR_HOST}@g" \
+-e "s@--with-install-prefix=@--with-install-prefix=${D}@g" \
   -i  ${SYSROOT_DESTDIR}${bindir_crossscripts}/net-snmp-config
 fi
 }
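Review bot: Nothing in net_snmp_sysroot_preprocess says that these expressions put back the paths that do_install_append removed, so the two sed blocks have to be kept in step by hand. They also match the bare flag prefix, so `s@--sysroot=@--sysroot=${STAGING_DIR_HOST}@g` would prepend the sysroot a second time to any `--sysroot=` that still carries a path. A comment such as `# restore the build paths stripped from the target copy in do_install_append` above the first added line would make the dependency visible. The function starts outside the hunk.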
-- 
2.13.3



[oe] [PATCH] net-snmp: fix invalid paths in target net-snmp-config

2017-12-12 Thread Ovidiu Panait
Remove build host paths from target net-snmp-config.

Signed-off-by: Catalin Enache <catalin.ena...@windriver.com>
Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com>
---
 meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb | 4 
 1 file changed, 4 insertions(+)

diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb 
b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
index af6fd1b..9401c7e 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.3.bb
@@ -116,6 +116,10 @@ do_install_append() {
 sed-e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g" \
 -i ${D}${bindir}/net-snmp-create-v3-user
 sed-e "s@^NSC_SRCDIR=.*@NSC_SRCDIR=.@g" \
+   -e "s@${STAGING_DIR_NATIVE}[=]*@@g" \
+   -e "s@${STAGING_DIR_HOST}[=]*@@g" \
+   -e "s@${WORKDIR}[=]*@@g" \
+   -e "s@${D}@@g" \
 -i ${D}${bindir}/net-snmp-config
 
 if [ "${HAS_PERL}" = "1" ]; then
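Review bot: The `${D}` expression comes after `s@${WORKDIR}[=]*@@g`, so it can never match if D lives under WORKDIR, as it does in the default OpenEmbedded layout (not visible in this hunk): once the WORKDIR prefix is gone, only the trailing component of a `${D}` path is left in the script. Put the longer path first, i.e. `-e "s@${D}@@g" \` before `-e "s@${WORKDIR}[=]*@@g" \`. The `[=]*` suffix also swallows the `=` separator of arguments like `-fdebug-prefix-map=OLD=NEW`, which changes the argument rather than only hiding a path, and deserves a comment saying that this is intended. do_install_append starts and ends outside the hunk.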
-- 
2.10.2



[oe] [PATCH] rsyslog: fix segfault after configuration errors

2017-09-05 Thread Ovidiu Panait
rsyslog will segfault on startup if
a) the local machine's hostname is set to a non-FQDN name
b) the getaddrinfo() system call fails
This scenario is highly unlikely, but may exist especially with
provisioned VMs which may not properly be able to do name queries
on startup (seen for example on AWS).

This patch fixes the situation and also provides more robustness
for very early startup error messages when some of the error-reporting
subsystem is not yet properly initialized. Note that under these
circumstances, errors may only show up on stderr.

closes https://github.com/rsyslog/rsyslog/issues/1573

Reference:
https://github.com/rsyslog/rsyslog/issues/1573

Upstream patch:
https://github.com/rsyslog/rsyslog/commit/6d258339802cb9f13d8a4a157a4b74eccb902d8f

Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com>
---
 ...ugfix-segfault-after-configuration-errors.patch | 90 ++
 meta-oe/recipes-extended/rsyslog/rsyslog_8.22.0.bb |  1 +
 2 files changed, 91 insertions(+)
 create mode 100644 
meta-oe/recipes-extended/rsyslog/rsyslog/0001-core-bugfix-segfault-after-configuration-errors.patch

diff --git 
a/meta-oe/recipes-extended/rsyslog/rsyslog/0001-core-bugfix-segfault-after-configuration-errors.patch
 
b/meta-oe/recipes-extended/rsyslog/rsyslog/0001-core-bugfix-segfault-after-configuration-errors.patch
new file mode 100644
index 000..189ca65
--- /dev/null
+++ 
b/meta-oe/recipes-extended/rsyslog/rsyslog/0001-core-bugfix-segfault-after-configuration-errors.patch
@@ -0,0 +1,90 @@
+From 6d258339802cb9f13d8a4a157a4b74eccb902d8f Mon Sep 17 00:00:00 2001
+From: Rainer Gerhards <rgerha...@adiscon.com>
+Date: Mon, 17 Jul 2017 15:36:32 +0200
+Subject: [PATCH] core bugfix: segfault after configuration errors
+
+rsyslog will segfault on startup if
+a) the local machine's hostname is set to a non-FQDN name
+b) the getaddrinfo() system call fails
+This scenario is higly unlikely, but may exist especially with
+provisioned VMs which may not properly be able to do name queries
+on startup (seen for example on AWS).
+
+This patch fixes the situation and also provides more robustness
+for very early startup error messages when some of the error-reporting
+subsystem is not yet properly initialized. Note that under these
+circumstances, errors may only show up on stderr.
+
+Upstream status: Backport
+
+closes https://github.com/rsyslog/rsyslog/issues/1573
+
+Signed-off-by: Ovidiu Panait <ovidiu.pan...@windriver.com>
+---
+ runtime/prop.c   |  6 ++
+ tools/rsyslogd.c | 17 +
+ 2 files changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/runtime/prop.c b/runtime/prop.c
+index e5b4693..cb93285 100644
+--- a/runtime/prop.c
 b/runtime/prop.c
+@@ -133,7 +133,13 @@ propConstructFinalize(prop_t __attribute__((unused)) 
*pThis)
+  */
+ static rsRetVal AddRef(prop_t *pThis)
+ {
++  if(pThis == NULL)  {
++  DBGPRINTF("prop/AddRef is passed a NULL ptr - ignoring it "
++  "- further problems may occur\n");
++  FINALIZE;
++  }
+   ATOMIC_INC(>iRefCount, >mutRefCount);
++finalize_it:
+   return RS_RET_OK;
+ }
+ 
+diff --git a/tools/rsyslogd.c b/tools/rsyslogd.c
+index 759d293..6aa1487 100644
+--- a/tools/rsyslogd.c
 b/tools/rsyslogd.c
+@@ -808,9 +808,11 @@ logmsgInternal(int iErr, const syslog_pri_t pri, const 
uchar *const msg, int fla
+* permits us to process unmodified config files which otherwise 
contain a
+* supressor statement.
+*/
+-  if(((Debug == DEBUG_FULL || !doFork) && 
ourConf->globals.bErrMsgToStderr) || iConfigVerify) {
++  int emit_to_stderr = (ourConf == NULL) ? 1 : 
ourConf->globals.bErrMsgToStderr;
++  if(((Debug == DEBUG_FULL || !doFork) && emit_to_stderr) || 
iConfigVerify) {
+   if(pri2sev(pri) == LOG_ERR)
+-  fprintf(stderr, "rsyslogd: %s\n", (bufModMsg == NULL) ? 
(char*)msg : bufModMsg);
++  fprintf(stderr, "rsyslogd: %s\n",
++  (bufModMsg == NULL) ? (char*)msg : bufModMsg);
+   }
+ 
+ finalize_it:
+@@ -1115,18 +1117,17 @@ initAll(int argc, char **argv)
+ 
+   /* doing some core initializations */
+ 
+-  /* get our host and domain names - we need to do this early as we may 
emit
+-   * error log messages, which need the correct hostname. -- rgerhards, 
2008-04-04
+-   */
+-  queryLocalHostname();
+-
+-  /* initialize the objects */
+   if((iRet = modInitIminternal()) != RS_RET_OK) {
+   fprintf(stderr, "fatal error: could not initialize errbuf 
object (error code %d).\n",
+   iRet);
+   exit(1); /* "good" exit, leaving at init for fatal error */
+   }
+ 
++  /* get our host and domain names - we need to do this early as we may 
emit
++   * error log messages, whi