On Wed, Nov 1, 2023 at 6:31 AM Marta Rybczynska via
lists.openembedded.org
wrote:
>
>
>
>
> On Wed, 1 Nov 2023, 11:48 Anuj Mittal, wrote:
>>
>> On Tue, 2023-10-31 at 19:33 -0700, Tim Orling wrote:
>> >
>> >
>> > On Tue, Oct 31, 2023 at 7:26 PM Anuj Mittal
>> > wrote:
>> > > On Tue, 2023-10-31 at
On Wed, 1 Nov 2023, 11:48 Anuj Mittal, wrote:
> On Tue, 2023-10-31 at 19:33 -0700, Tim Orling wrote:
> >
> >
> > On Tue, Oct 31, 2023 at 7:26 PM Anuj Mittal
> > wrote:
> > > On Tue, 2023-10-31 at 14:20 +, Trevor Gamblin wrote:
> > > > Thank you for your submission. Patchtest identified one
>
On Tue, 2023-10-31 at 19:33 -0700, Tim Orling wrote:
>
>
> On Tue, Oct 31, 2023 at 7:26 PM Anuj Mittal
> wrote:
> > On Tue, 2023-10-31 at 14:20 +, Trevor Gamblin wrote:
> > > Thank you for your submission. Patchtest identified one
> > > or more issues with the patch. Please see the log below
On Tue, Oct 31, 2023 at 7:26 PM Anuj Mittal wrote:
> On Tue, 2023-10-31 at 14:20 +, Trevor Gamblin wrote:
> > Thank you for your submission. Patchtest identified one
> > or more issues with the patch. Please see the log below for
> > more information:
> >
> > ---
> > Testing patch /home/patch
On Tue, 2023-10-31 at 14:20 +, Trevor Gamblin wrote:
> Thank you for your submission. Patchtest identified one
> or more issues with the patch. Please see the log below for
> more information:
>
> ---
> Testing patch /home/patchtest/share/mboxes/patchtest-shorten-test-
> result-outputs.patch
>
From: Randy MacLeod
Update the COPYING checksum; only the copyright date changed.
Noteworthy changes in strace 6.6 (2023-10-31)
=
* Improvements
* Implemented --kill-on-exit option that instructs the tracer to set
PTRACE_O_EXITKILL option to all
On 2023-10-31 7:47 p.m., Randy MacLeod via lists.openembedded.org wrote:
From: Randy MacLeod
Backport the fix for the so_peerpidfd-test:
44cf51a38 tests: fix so_peerpidfd test
and drop the patch that skipped that test.
Note that options-syntax.test failed with the default qemux86-64/kvm mem
From: Randy MacLeod
Backport the fix for the so_peerpidfd-test:
44cf51a38 tests: fix so_peerpidfd test
and drop the patch that skipped that test.
Signed-off-by: Randy MacLeod
---
.../skip-test-so_peerpidfd.gen.test.patch | 25 ---
.../strace/tests-fix-so_peerpidfd-test.patch
I'm surprised this one does apply in kirkstone as there is this security
issue already fixed as 2023-5129 (see dunfell commit
https://git.openembedded.org/openembedded-core/commit/?h=dunfell&id=7dce529515baa843ba3e5c89b2ad605b9845c59b
and
a bit more details in
https://lists.openembedded.org/g/opene
From: Samantha Jalabert
Add classes AnyLicenseInfo, LicenseExpression and SimpleLicensingText. Suppose
inheritance of AnyLicenseInfo in LicenseExpression and SimpleLicensingText
Add the option to enable Licensing Profile: SPDX_ENABLE_LICENSING = "1"
Add methods to SPDX3SpdxDocument to return th
fix issue in selftest due to spdx bump
Signed-off-by: Louis Rannou
---
meta/lib/oeqa/selftest/cases/spdx.py | 16 +++-
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/spdx.py
b/meta/lib/oeqa/selftest/cases/spdx.py
index 05fc4e390b..215c3c5
From: Samantha Jalabert
Support for dependencies to provide the complete recipe SPDX.
Support for runtime SPDX
Support for combined SPDX
Signed-off-by: Samantha Jalabert
Signed-off-by: Louis Rannou
---
meta/classes/create-spdx-2.2.bbclass | 1 -
meta/classes/create-spdx-3.0.bbclass | 389 ++
From: Samantha Jalabert
Create a function to generate spdxIds
Create a function to generate relationship and remove add_relationship method
Implement both functions
Signed-off-by: Samantha Jalabert
Signed-off-by: Louis Rannou
---
meta/classes/create-spdx-3.0.bbclass | 73 -
From: Samantha Jalabert
Change functions and tasks to match the SPDX 3 model.
Signed-off-by: Samantha Jalabert
Signed-off-by: Louis Rannou
---
meta/classes/create-spdx-3.0.bbclass | 731 +--
meta/lib/oe/spdx3.py | 4 +-
2 files changed, 230 insertions
remove stuff which is hard to fix and low value
Signed-off-by: Louis Rannou
---
meta/classes/create-spdx-3.0.bbclass | 109 ++-
1 file changed, 5 insertions(+), 104 deletions(-)
diff --git a/meta/classes/create-spdx-3.0.bbclass
b/meta/classes/create-spdx-3.0.bbclass
in
From: Marta Rybczynska
Add a specific readme for SPDX3 with open questions and other notes
related to the PoC.
Signed-off-by: Marta Rybczynska
Signed-off-by: Samantha Jalabert
Signed-off-by: Louis Rannou
---
README.SPDX3 | 45 +
1 file changed, 45
This changes the prototype of write_doc as the SPDX3 documentation does not
specify yet which is the root element.
Signed-off-by: Louis Rannou
Signed-off-by: Marta Rybczynska
Signed-off-by: Samantha Jalabert
---
meta/classes/create-spdx.bbclass | 2 +-
meta/lib/oe/sbom.py | 6
Create SPDX3 objects that classes as they are described in the SPDX3 model.
Signed-off-by: Louis Rannou
Signed-off-by: Samantha Jalabert
---
meta/lib/oe/spdx3.py | 386 +++
1 file changed, 386 insertions(+)
create mode 100644 meta/lib/oe/spdx3.py
diff -
Create a function that searches into a json-ld instead of completely loading it.
Signed-off-by: Louis Rannou
---
meta/lib/oe/sbom.py | 32
meta/lib/oe/spdx3.py | 13 +++--
2 files changed, 39 insertions(+), 6 deletions(-)
diff --git a/meta/lib/oe/sbom.py
Extend objects used to build the spdx scheme:
- add support for inheritance
- hide all attributes starting by _spdx
- add methods to list properties and item pairs
- improve the serializer to match the spdx3 scheme
Signed-off-by: Louis Rannou
---
meta/lib/oe/sbom.py | 2 +-
meta/lib/oe/spdx.py
Initialize the work on SPDX 3 with a copy of the SPDX 2.2. Change default to
SPDX 3.
Signed-off-by: Marta Rybczynska
Signed-off-by: Louis Rannou
---
meta/classes/create-spdx-3.0.bbclass | 1158 ++
1 file changed, 1158 insertions(+)
create mode 100644 meta/classes/create
This patch-set adds a proof-of-concept implementation of the upcoming
SPDX3 standard to the SBOM generation of the Yocto Project/OpenEmbedded.
The current code delivers an equivalent of what is produced for SPDX2.2.
The standard has not been released yet, and there is some specification
work in pr
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/kirkstone-3-3-libwebp-Fix-CVE-2023-4863.patch
FAIL: test CVE presence in commit message: A CVE tag should be provid
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/kirkstone-1-3-libxml2-Patch-CVE-2023-45322.patch
FAIL: test CVE presence in commit message: A CVE tag should be pro
From: Soumya Sambu
Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-486
From: Vijay Anusuri
- The commit
[https://gitlab.com/libtiff/libtiff/-/commit/881a070194783561fd209b7c789a4e75566f7f37]
fixes CVE-2023-3576
- Hence, renamed the CVE-2023-3618-1.patch to CVE-2023-3576.patch
- Reference: https://security-tracker.debian.org/tracker/CVE-2023-3576
https:
From: Peter Marko
Backport patch for gitlab issue mentioned in NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Backport also one of 14 patches for older issue with similar errors
to have clean cherry-pick without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, October 2
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6124
The following changes since commit 56503e3e80603de3b69acef2f6d32836bc9e5e5d:
linux-firm
http:// results in 301 Moved Permanently and redirects to https://
Also drop SRC_URI[md5sum].
Signed-off-by: Tim Orling
---
Steve,
Really this applies to any stable release... this is after all 2001 code.
meta/recipes-extended/lsb/lsb-release_1.4.bb | 3 +--
1 file changed, 1 insertion(+), 2
From: Ross Burton
We don't make do_cve_check depend on do_unpack because that would be a
waste of time 99% of the time. The compromise here is that we can't
scan remote patches for issues, but this isn't a problem so downgrade
the warning to a note.
Also move the check for CVEs in the filename
pylint 3.x has removed epylint, which is now a separate module. To avoid
adding another recipe or using outdated modules, modify the
test_python_pylint tests so that they use the standard pylint API.
Signed-off-by: Trevor Gamblin
---
meta/lib/patchtest/tests/test_python_pylint.py | 17 ++
From: Peter Marko
This vulnerability was introduced in 2.36, so 2.31 is not vulnerable.
Signed-off-by: Peter Marko
---
meta/recipes-core/glibc/glibc_2.31.bb | 7 +++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb
b/meta/recipes-core/glibc/glibc_2.31.bb
From: Peter Marko
This vulnerability was introduced in 2.36, so 2.35 is not vulnerable.
Signed-off-by: Peter Marko
---
meta/recipes-core/glibc/glibc_2.35.bb | 7 +++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb
b/meta/recipes-core/glibc/glibc_2.35.bb
On Tue, Oct 31, 2023 at 5:55 AM Richard Purdie
wrote:
>
> On Tue, 2023-10-31 at 05:35 -1000, Steve Sakoman wrote:
> > Please review this set of patches for mickledore and have comments back by
> > end of day Thursday, November 2
> >
> > Passed a-full on autobuilder:
> >
> > https://autobuilder.yoc
On Tue, 2023-10-31 at 05:35 -1000, Steve Sakoman wrote:
> Please review this set of patches for mickledore and have comments back by
> end of day Thursday, November 2
>
> Passed a-full on autobuilder:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6123
>
> The following ch
From: Soumya Sambu
Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.
CVE: CVE-2023-4863
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/mickledore-2-5-grub2-fix-CVE-2023-4693.patch
FAIL: test CVE presence in commit message: A CVE tag should be provide
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/mickledore-5-5-linux-yocto-make-sure-the-pahole-native-available-before-do_kernel_configme.patch
FAIL: test shortlo
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/mickledore-1-5-grub2-fix-CVE-2023-4692.patch
FAIL: test CVE presence in commit message: A CVE tag should be provide
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/mickledore-3-5-shadow-Fix-CVE-2023-4641.patch
FAIL: test CVE presence in commit message: A CVE tag should be provid
From: Xiangyu Chen
When using debug-btf.scc in a clean workspace, the
CONFIG_MODULE_ALLOW_BTF_MISMATCH cannot
apply to kernel until clean the kernel code(bitbake linux-yocto -c cleanall)
and rebuild.
After tracking the code, some options depend on CONFIG_PAHOLE_VERSION, it was
generated by
sc
From: Peter Marko
https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-313-and-openssl-314-24-oct-2023
Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs.
(CVE-2023-5363)
From: Xiangyu Chen
shadow-utils: possible password leak during passwd(1) change
Signed-off-by: Xiangyu Chen
Signed-off-by: Steve Sakoman
---
.../shadow/files/CVE-2023-4641.patch | 147 ++
meta/recipes-extended/shadow/shadow.inc | 1 +
2 files changed, 148 inse
From: Xiangyu Chen
There is an out-of-bounds read at fs/ntfs.c, a physically present attacker
may leverage that by presenting a specially crafted NTFS file system
image to read arbitrary memory locations. A successful attack may allow
sensitive data cached in memory or EFI variables values to be lea
From: Xiangyu Chen
Crafted file system images can cause heap-based buffer overflow and may
allow arbitrary code execution and secure boot bypass
Reference:
https://security-tracker.debian.org/tracker/CVE-2023-4692
Signed-off-by: Xiangyu Chen
Signed-off-by: Steve Sakoman
---
.../grub/files/CV
Please review this set of patches for mickledore and have comments back by
end of day Thursday, November 2
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6123
The following changes since commit e9ca1405b732720ff72d379e0262a78bfd2e7d53:
busybox:
I'd suggest using shlex.split() all the time when dealing with pieces of a
shell command-line, rather than assuming single-word or using str.split().
On Tue, Oct 31, 2023 at 5:26 AM Richard Purdie <
richard.pur...@linuxfoundation.org> wrote:
> On Mon, 2023-10-30 at 22:27 -0600, Javier Tia wrote:
*ping*
> -Original Message-
> From: openembedded-core@lists.openembedded.org
> On Behalf Of Peter Kjellerstedt
> Sent: den 6 oktober 2023 17:38
> To: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH] oeqa/selftest/context: Rely on bitbake-getvar
> --value to only
On 2023-10-31 10:54, Michael Opdenacker wrote:
Hi Trevor,
On 31.10.23 at 15:20, Trevor Gamblin wrote:
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/patchtest
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/kirkstone-v2-1-1-libwebp-Fix-CVE-2023-4863.patch
FAIL: test CVE presence in commit message: A CVE tag should be pro
Hi Trevor,
On 31.10.23 at 15:20, Trevor Gamblin wrote:
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/patchtest-shorten-test-result-outputs.patch
Thanks for t
From: Soumya Sambu
Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-486
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/patchtest-shorten-test-result-outputs.patch
FAIL: test CVE presence in commit message: A CVE tag should be provided
From: Niko Mauno
Since ccache version 4.0, according to
https://github.com/ccache/ccache/blob/master/doc/NEWS.adoc#ccache-40
* An appropriate cache directory level structure is now chosen automatically.
The cache_dir_levels (CCACHE_NLEVELS) configuration option has therefore been
removed.
Th
On Tue, 31 Oct 2023 at 13:28, Richard Purdie
wrote:
> > Then we can pull all of it together into 'devtool esdk '
> > command (or similar), which would enter the esdk environment directly
> > via:
> > - running 'bitbake meta-ide-support'
> > - running the above mentioned bitbake local.conf task t
Yes! You are correct Michael. This is that strange in-between week. Next
week it goes back to 17:00 CET.
Good catch!
-- Neal
*Neal Caidin*
Program Manager
The Linux Foundation
Durham, NC, U.S.A. - Eastern time zone
+1 (919) 238-9104 (w/h)
+1 (919) 949-1861 (m)
ncai...@linuxfoundation.org
On
Greetings,
On 31.10.23 at 13:29, Neal Caidin wrote:
Current Dev Position: YP 4.3 M4 (Feature Freeze)
Next Deadline: 2nd October 2023 YP 4.3 M4 build date
Next Team Meetings:
*
Bug Triage meeting Thursday November 2, 7:30 am PDT
(https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5
Current Dev Position: YP 4.3 M4 (Feature Freeze)
Next Deadline: 2nd October 2023 YP 4.3 M4 build date
Next Team Meetings:
-
Bug Triage meeting Thursday November 2, 7:30 am PDT (
https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
-
Weekly Project Engineering Sync T
On Tue, 2023-10-31 at 13:08 +0100, Alexander Kanavin wrote:
> On Mon, 30 Oct 2023 at 16:02, Alexander Kanavin via
> lists.openembedded.org
> wrote:
> > So here's what could be done:
> >
> > - esdk tools become symlinks in poky/scripts/esdk-tools/. esdk
> > environment script puts that in PATH, ra
On Mon, 2023-10-30 at 22:27 -0600, Javier Tia wrote:
> Using ccache stopped to work after 77497dbdca with following error:
>
> FileNotFoundError: [Errno 2] No such file or directory: 'ccache
> aarch64-trs-linux-strip'
>
> Signed-off-by: Javier Tia
> ---
> meta/lib/oe/package.py | 2 +-
> 1 f
On Mon, 30 Oct 2023 at 16:02, Alexander Kanavin via
lists.openembedded.org
wrote:
> So here's what could be done:
>
> - esdk tools become symlinks in poky/scripts/esdk-tools/. esdk
> environment script puts that in PATH, rather than some custom
> esdk-specific location (the code to generate that c
Hi Adrian
Thanks for the new code and the corresponding documentation. See my
comments below... (also copying the "docs" mailing list).
On 30.10.23 at 22:32, Adrian Freihofer wrote:
Cover the new devtool ide plugin in the extensible sdk section.
Many thanks to Enguerrand de Ribaucourt for hi
On 26 Oct 2023, at 17:31, Robert P. J. Day via lists.openembedded.org
wrote:
> just noticed that there is a lot of "class Something(object):" in
> oe-core, where AIUI, the argument of "object" is a throwback to
> Python2 and shouldn't(?) be necessary.
>
> is there any value in letting a newbie
Hello Qiu,
I think the easiest is to adjust the code so that it first obtains the
datadir from some environment variable, and if that is not set, falls
back to the hardcoded default. Then run-ptest can set the variable.
Such a patch can even be proposed upstream.
Alex
On Tue, 31 Oct 2023 at 09:2
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/kirkstone-v2-1-1-libwebp-Fix-CVE-2023-4863.patch
FAIL: test CVE presence in commit message: A CVE tag should be pro
Hi, Alex
I'm afraid DATADIR should be an absolute path.
Tried to make a ptest.patch with relative path, but failed.
As we know the ptest directory is not a fixed path, so making a patch may be
not suitable.
For no 'make clean', we can modify the Makefile.am in do_patch().
Any ideas?
Best Regards
From: Soumya Sambu
Heap buffer overflow in WebP in Google Chrome prior to
116.0.5845.187 allowed a remote attacker to perform an
out of bounds memory write via a crafted HTML page.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-486
Yes Anuj, I will correct it and will send v2.
Regards,
Soumya
From: Mittal, Anuj
Sent: Tuesday, October 31, 2023 10:25 AM
To: openembedded-core@lists.openembedded.org
; Sambu, Soumya
Subject: Re: [OE-core][kirkstone][PATCH 1/1] libwebp: Fix CVE-2023-4863
CAUTI