[OE-core][dunfell][PATCH] go: fix CVE-2023-24537 Infinite loop in parsing

2023-04-20 Thread vkumbhar
Setting a large line or column number using a //line directive can cause integer overflow even in small source files. Limit line and column numbers in //line directives to 2^30-1, which is small enough to avoid int32 overflow on all reasonably-sized files. Fixes CVE-2023-24537 Fixes #59273 For

[OE-core][kirkstone][PATCH] cmake: add CMAKE_SYSROOT to generated toolchain file

2023-04-20 Thread Poonam Jadhav
From: Pascal Bach This already got fixed in the toolchain file that is used during development in https://github.com/openembedded/openembedded-core/commit/cb42802f2fe1760f894a435b07286bca3a220364 The toolchain file generated by the cmake.bbclass however does not set CMAKE_SYSROOT. Under

[OE-core] [PATCH] cpio: Run ptests under ptest user

2023-04-20 Thread Khem Raj
Running these tests under root user on musl works ok but it emits additional diagnostic cpio: dir: Cannot change ownership to uid 0, gid 0: Not supported Ideally it's better to run this test suite under non-root user which is often how these are run. Moreover, tests work on musl as well.

Re: [OE-core] [PATCH] kernel: improve initramfs bundle processing time

2023-04-20 Thread Nick Owens
hi bruce, thanks for your work. looks good to me as a stopgap for now. could this be backported to kirkstone? nick On Fri, Apr 14, 2023 at 12:29 PM Bruce Ashfield wrote: > From: Bruce Ashfield > > This is a partial fix for bugzilla 15059 [ >

[OE-core] [PATCH 3/3] fts: Fix typo in summary

2023-04-20 Thread Khem Raj
Signed-off-by: Khem Raj --- meta/recipes-core/fts/fts_1.2.7.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/fts/fts_1.2.7.bb b/meta/recipes-core/fts/fts_1.2.7.bb index d3b0f31eda..10103830af 100644 --- a/meta/recipes-core/fts/fts_1.2.7.bb +++

[OE-core] [PATCH 2/3] acl: Disable misc.test on musl

2023-04-20 Thread Khem Raj
misc.test fails on musl due to nftw order, ignore it for now Signed-off-by: Khem Raj --- meta/recipes-support/attr/acl_2.3.1.bb | 4 1 file changed, 4 insertions(+) diff --git a/meta/recipes-support/attr/acl_2.3.1.bb b/meta/recipes-support/attr/acl_2.3.1.bb index 9cb19ed72f..9badd33254

[OE-core] [PATCH 1/3] attr: Disable attr.test on musl

2023-04-20 Thread Khem Raj
the error message in musl based systems is EXPECTED: Operation not supported RECIEVED: Not supported The test is then marked as failed due to this. Ignore this test on musl Signed-off-by: Khem Raj --- meta/recipes-support/attr/attr.inc | 4 1 file changed, 4 insertions(+) diff --git

[OE-core] [PATCH v3] openssl: set package level PERL5LIB

2023-04-20 Thread Yang Xu via lists.openembedded.org
From: Yang Xu Build openssl with shared state cache may meet problem under below conditions: 1. sstate cache generated by another user on same machine 2. inappropriate PERL5LIB setting 3. openssl build from scratch but perl using cache When build openssl from scratch with perl using cache, it

[OE-core][dunfell][PATCH] sudo: Security fix for CVE-2023-28486 and CVE-2023-28487

2023-04-20 Thread Vijay Anusuri
From: Vijay Anusuri import patches from ubuntu to fix CVE-2023-28486 CVE-2023-28487 Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/sudo/tree/debian/patches?h=ubuntu/focal-security Upstream commit

Re: [OE-core] [PATCH] openssl: set package level PERL5LIB

2023-04-20 Thread Yang Xu via lists.openembedded.org
Thank you, I will submit a new patch with more detailed information. Because two below behavior, I think it is a definite result under certain conditions. 1) @INC is set at build time with host hardcode path, 2) ABORT when searching module in @INC paths exists but can not read. Thank you

Re: [OE-core][kirkstone][PATCH] go: fix CVE-2023-24537 Infinite loop in parsing

2023-04-20 Thread vkumbhar
v2 patch has been sent with fuzz error fix. Kind regards, Vivek On Thu, Apr 20, 2023 at 8:27 PM Steve Sakoman wrote: > Hi Vivek, > > I'm getting fuzz errors with your patch: > > WARNING: go-cross-core2-64-1.17.13-r0 do_patch: Fuzz detected: > > Applying patch CVE-2023-24537.patch > patching

[OE-core][kirkstone][PATCH v2] go: fix CVE-2023-24537 Infinite loop in parsing

2023-04-20 Thread vkumbhar
Setting a large line or column number using a //line directive can cause integer overflow even in small source files. Limit line and column numbers in //line directives to 2^30-1, which is small enough to avoid int32 overflow on all reasonably-sized files. Fixes CVE-2023-24537 Fixes #59273 For

[OE-core] [PATCH 2/2] lua: Disable locale dependent tests on musl

2023-04-20 Thread Khem Raj
These tests depend on features of locale which is not fully available on musl Signed-off-by: Khem Raj --- meta/recipes-devtools/lua/lua_5.4.4.bb | 6 ++ 1 file changed, 6 insertions(+) diff --git a/meta/recipes-devtools/lua/lua_5.4.4.bb b/meta/recipes-devtools/lua/lua_5.4.4.bb index

[OE-core] [PATCH 1/2] m4: Add locale-base-fr-fr rdep for musl too

2023-04-20 Thread Khem Raj
Signed-off-by: Khem Raj --- meta/recipes-devtools/m4/m4-1.4.19.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-devtools/m4/m4-1.4.19.inc b/meta/recipes-devtools/m4/m4-1.4.19.inc index 3b4303b7fd..0dd273bd89 100644 ---

Re: [OE-core] [PATCH] openssl: set package level PERL5LIB

2023-04-20 Thread Richard Purdie
On Thu, 2023-04-20 at 19:20 +0200, Alexander Kanavin wrote: > Thank you, I understand this now. I'm fine with the fix, but can you > add this additional information to the commit message? So that it's > available in git history if anyone needs to understand it. I think there is something

Re: [OE-core] [PATCH] openssl: set package level PERL5LIB

2023-04-20 Thread Alexander Kanavin
Thank you, I understand this now. I'm fine with the fix, but can you add this additional information to the commit message? So that it's available in git history if anyone needs to understand it. Alex On Thu, 20 Apr 2023 at 15:42, Yang Xu (徐扬) wrote: > > Dear Alexander, > > Sorry, let me

Re: [OE-core] Cargo and ptest

2023-04-20 Thread Frederic Martinsons
On Thu, 20 Apr 2023, 17:00, Khem Raj wrote: > On 4/20/23 2:57 AM, Frederic Martinsons wrote: > > > > > > On Thu, 20 Apr 2023, 11:41, Richard Purdie > > > > wrote: > > > > On Thu, 2023-04-20 at 09:27 +0200, Frederic Martinsons wrote: > >

Re: [OE-core] Cargo and ptest

2023-04-20 Thread Khem Raj
On 4/20/23 2:57 AM, Frederic Martinsons wrote: On Thu, 20 Apr 2023, 11:41, Richard Purdie > wrote: On Thu, 2023-04-20 at 09:27 +0200, Frederic Martinsons wrote: > Hello, > > I would like to build and ship tests for recipes

Re: [OE-core][kirkstone][PATCH] go: fix CVE-2023-24537 Infinite loop in parsing

2023-04-20 Thread Steve Sakoman
Hi Vivek, I'm getting fuzz errors with your patch: WARNING: go-cross-core2-64-1.17.13-r0 do_patch: Fuzz detected: Applying patch CVE-2023-24537.patch patching file src/go/parser/parser_test.go patching file src/go/scanner/scanner.go Hunk #1 succeeded at 251 with fuzz 1. The context lines in

Re: [OE-core] [PATCH] openssl: set package level PERL5LIB

2023-04-20 Thread Yang Xu via lists.openembedded.org

[OE-core] [PATCH] go: backport fix for CVE-2023-24537

2023-04-20 Thread Ross Burton
Signed-off-by: Ross Burton --- meta/recipes-devtools/go/go-1.20.1.inc| 1 + .../go/go/CVE-2023-24537.patch| 89 +++ 2 files changed, 90 insertions(+) create mode 100644 meta/recipes-devtools/go/go/CVE-2023-24537.patch diff --git

[OE-core] [PATCH][mickledore] xserver-xorg: backport fix for CVE-2023-1393

2023-04-20 Thread Ross Burton
Signed-off-by: Ross Burton --- ...posite-Fix-use-after-free-of-the-COW.patch | 46 +++ .../xorg-xserver/xserver-xorg_21.1.7.bb | 3 +- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644

Re: [OE-core] [PATCH 2/2] xserver-xorg: backport fix for CVE-2023-1393

2023-04-20 Thread Ross Burton
Yeah, drop this, I failed to update my branch to include the 21.1.8 upgrade that had been sent. Ross > On 20 Apr 2023, at 02:38, Khem Raj wrote: > > Fails to patch - https://errors.yoctoproject.org/Errors/Details/700408/ > > On Wed, Apr 19, 2023 at 6:41 AM Ross Burton wrote: >> >>

[OE-core][PATCH] devicetree.bbclass: Allow selection of dts files to build

2023-04-20 Thread Petr Kubizňák
Add DT_FILES variable to allow the user of the class to select specific dts files to build. This is useful for packages featuring dts files for multiple machines. Since many machine configs contain a list of dtb files (e.g. KERNEL_DEVICETREE), DT_FILES works with both dts and dtb files.

Re: [OE-core] [PATCHv3] python3-manifest.json: Fix re in core

2023-04-20 Thread Leon Anavi
Hi Paul, On 20.04.23 г. 7:59 ч., Paul Eggleton wrote: Hi Leon On Friday, 4 November 2022 01:27:55 NZST Leon Anavi wrote: Following the update from 3.10.6 to 3.11.0, the source code of module re for regular expression operations has been moved to Lib/re/. File python3-manifest.json has been

Re: [OE-core] Cargo and ptest

2023-04-20 Thread Frederic Martinsons
On Thu, 20 Apr 2023, 11:41, Richard Purdie < richard.pur...@linuxfoundation.org> wrote: > On Thu, 2023-04-20 at 09:27 +0200, Frederic Martinsons wrote: > > Hello, > > > > I would like to build and ship tests for recipes which uses cargo and > > in the process, three questions arose (maybe

Re: [OE-core] Cargo and ptest

2023-04-20 Thread Richard Purdie
On Thu, 2023-04-20 at 09:27 +0200, Frederic Martinsons wrote: > Hello, > > I would like to build and ship tests for recipes which uses cargo and > in the process, three questions arose (maybe more when I will > progress). > I would like to have your opinions on them.  > > 1) should we ship

Re: [OE-core] Cargo and ptest

2023-04-20 Thread Frederic Martinsons
Thanks Alex, I made a mistake for cargo-native, I meant cargo cross compiled for the test image of course. Anyway, I'll build something and submit some patch as soon as I'm happy with the code. On Thu, 20 Apr 2023, 11:25, Alexander Kanavin wrote: > I'm not sure anyone can really give

[OE-core][kirkstone][PATCH] go: fix CVE-2023-24537 Infinite loop in parsing

2023-04-20 Thread vkumbhar
Setting a large line or column number using a //line directive can cause integer overflow even in small source files. Limit line and column numbers in //line directives to 2^30-1, which is small enough to avoid int32 overflow on all reasonably-sized files. Fixes CVE-2023-24537 Fixes #59273 For

Re: [OE-core] Cargo and ptest

2023-04-20 Thread Alexander Kanavin
I'm not sure anyone can really give qualified answers, you just need to write down some code and iteratively get it to something you like. You don't have to show your work in progress, if you think it looks horrible :) Question 1 is odd: cargo-native would not run in target images, so you can't

Re: [OE-core] [PATCH] openssl: set package level PERL5LIB

2023-04-20 Thread Alexander Kanavin
On Thu, 20 Apr 2023 at 07:30, Yang Xu wrote: > > Build openssl with shared state cache may meet problem under below conditions: > 1. sstate cache generated by another user on same machine > 2. inappropriate PERL5LIB setting > 3. openssl build from scratch but perl using cache > > When building

[OE-core] [kirkstone][PATCH] screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs

2023-04-20 Thread Hitendra Prajapati
Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Signed-off-by: Hitendra Prajapati --- .../screen/screen/CVE-2023-24626.patch| 40 +++ meta/recipes-extended/screen/screen_4.9.0.bb | 1 + 2

Re: [OE-core] [PATCH v2] openssl: set package level PERL5LIB

2023-04-20 Thread Luca Ceresoli via lists.openembedded.org
Hello Yang, thanks for your patch. However there is an issue with your e-mail, see below On Thu, 20 Apr 2023 06:30:34 + "Yang Xu via lists.openembedded.org" wrote: As you can see your sender address has been mangled, and as a result the patch is

[OE-core] Cargo and ptest

2023-04-20 Thread Frederic Martinsons
Hello, I would like to build and ship tests for recipes which uses cargo and in the process, three questions arose (maybe more when I will progress). I would like to have your opinions on them. 1) should we ship cargo-native in ptest images or should we just build and ship test binaries alone ?

[OE-core] [dunfell][PATCH] screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs

2023-04-20 Thread Hitendra Prajapati
Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7 Signed-off-by: Hitendra Prajapati --- .../screen/screen/CVE-2023-24626.patch| 40 +++ meta/recipes-extended/screen/screen_4.8.0.bb | 1 + 2

[OE-core] [PATCH v2] openssl: set package level PERL5LIB

2023-04-20 Thread Yang Xu via lists.openembedded.org
Build openssl with shared state cache may meet problem under below conditions: 1. sstate cache generated by another user on same machine 2. inappropriate PERL5LIB setting 3. openssl build from scratch but perl using cache When building openssl, without appropriate PERL5LIB setting, perl from