[OE-core] [dunfell][PATCH] ppp: fix CVE-2022-4603

2022-12-29 Thread Minjae Kim
Avoid out-of-range access to packet buffer Upstream-Status: Backport [https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf] Signed-off-by: Minjae Kim --- .../ppp/ppp/CVE-2022-4603.patch | 50 +++ meta/recipes-connectivity/ppp/ppp_2.4.7.

[OE-core] [dunfell][PATCHv2] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553

2022-12-04 Thread Minjae Kim
xkb: proof GetCountedString against request length attacks Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e] xkb: fix some possible memleaks in XkbGetKbdByName Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/x

[OE-core] [dunfell][PATCH] xserver-xorg: backport fixes for CVE-2022-3550, CVE-2022-3551 and CVE-2022-3553

2022-10-30 Thread Minjae Kim
From: Steve Sakoman xkb: proof GetCountedString against request length attacks Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=11beef0b7f1ed290348e45618e5fa0d2bffcb72e] xkb: fix some possible memleaks in XkbGetKbdByName Upstream-Status: Backport [https://cgit.f

[OE-core] [dunfell][PATCH] inetutils: Fix remote DoS vulnerability in inetutils-telnetd

2022-09-26 Thread Minjae Kim
..da2da8da8a --- /dev/null +++ b/meta/recipes-connectivity/inetutils/inetutils/CVE-2022-39028.patch @@ -0,0 +1,54 @@ +From eaae65aac967f9628787dca4a2501ca860bb6598 Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Mon, 26 Sep 2022 22:05:07 +0200 +Subject: [PATCH] telnetd: Handle early IAC EC or IAC

[OE-core] [dunfell][PATCHv2] u-boot: fix CVE-2022-34835

2022-08-30 Thread Minjae Kim
i2c: fix stack buffer overflow vulnerability in i2c md command CVE: CVE-2022-34835 Signed-off-by: Minjae Kim --- .../u-boot/files/CVE-2022-34835.patch | 124 ++ meta/recipes-bsp/u-boot/u-boot_2020.01.bb | 4 + 2 files changed, 128 insertions(+) create mode 100644 m

Re: [OE-core] [dunfell][PATCH] u-boot: fix CVE-2022-34835

2022-08-30 Thread Minjae Kim
@Tom and Steve! I just checked this issue because I was on a long vacation for personal reasons. Sorry for the late response. I'll update this patch with the latest dunfell branch. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#170083): https://lis

[OE-core] [dunfell][PATCH] u-boot: fix CVE-2022-34835

2022-07-31 Thread Minjae Kim
i2c: fix stack buffer overflow vulnerability in i2c md command CVE: CVE-2022-34835 Signed-off-by: Minjae Kim --- .../u-boot/files/CVE-2022-34835.patch | 124 ++ meta/recipes-bsp/u-boot/u-boot_2020.01.bb | 4 + 2 files changed, 128 insertions(+) create mode 100644 m

[OE-core] [dunfell][PATCH] epiphany: fix CVE-2022-29536

2022-06-30 Thread Minjae Kim
Fix memory corruption in ephy_string_shorten() Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106] CVE: CVE-2022-29536 Signed-off-by: Minjae Kim --- .../recipes-gnome/epiphany/epiphany_3.34.4.bb | 3 +- .../epiphany/files/CVE-2022-29536.patch | 45 ++

Re: [OE-core] [dunfell][PATCHv2] libdrm: add libdrm-{nouveau,radeon,intel} to RPROVIDES

2022-05-30 Thread Minjae Kim
@Martin, I don't know why you think I'm hiding something. I will use this when installing the rpm package using the dnf tool on the target image such as qemu or raspberrypi. For example, there is component A. It needs libdrm-{nouveau,radeon,intel} packages to work properly. When this A component

[OE-core] [dunfell][PATCHv2] libdrm: add libdrm-{nouveau,radeon,intel} to RPROVIDES

2022-05-29 Thread Minjae Kim
The libdrm-{nouveau,radeon,intel} are generated by libdrm recipe. To use these libraries as a dependency in another component, it should be explicitly added as RPROVIDES. Signed-off-by: Minjae Kim --- meta/recipes-graphics/drm/libdrm_2.4.101.bb | 6 ++ 1 file changed, 6 insertions(+) diff --

Re: [OE-core] [dunfell 4/4] libdrm: add libdrm-{nouveau,radeon,intel} to RPROVIDES

2022-05-26 Thread Minjae Kim
To use these packages (${PN}-nouveau ${PN}-intel ${PN}-radeon) as rdepends, these packages will not be installed when just libdrm is added. So I would like to use these packages directly; I added them as RPROVIDES. In case of installing packages using DNF from binary feed on the target image, this change

[OE-core] [dunfell][PATCH] libdrm: add libdrm-{nouveau,radeon,intel} to RPROVIDES

2022-05-23 Thread Minjae Kim
The libdrm-{nouveau,radeon,intel} are generated by libdrm recipe. To use these libraries as a dependency in another component, it should be explicitly added as RPROVIDES. Signed-off-by: Minjae Kim --- meta/recipes-graphics/drm/libdrm_2.4.101.bb | 6 ++ 1 file changed, 6 insertions(+) diff --

[OE-core] [dunfell][PATCH 1/2] ncurses: add libncurses5 to RPROVIDES

2022-05-23 Thread Minjae Kim
The libncurses5 is generated by ncurses recipe. To use this library as a dependency in another component, it should be explicitly added as RPROVIDES. Signed-off-by: Minjae Kim --- meta/recipes-core/ncurses/ncurses.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-core/ncurses/

Re: [OE-core] [PATCH] multipath-tools: update SRC_URI

2022-04-04 Thread Minjae Kim
I think that this commit move to meta-oe. Please ignore it!

[OE-core] [PATCH] multipath-tools: update SRC_URI

2022-04-04 Thread Minjae Kim
The git repo for multipath-tools was changed, so update the SRC_URI accordingly with the new link. Signed-off-by: Minjae Kim --- .../recipes-support/multipath-tools/multipath-tools_0.8.4.bb| 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-support/multipath-to

[OE-core] [PATCH 2/2] virglrenderer: update SRC_URI

2022-03-22 Thread Minjae Kim
The git repo for virglrenderer was changed, so update the SRC_URI accordingly with the new link. Signed-off-by: Minjae Kim --- meta/recipes-graphics/virglrenderer/virglrenderer_0.9.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-graphics/virglrenderer/virglre

[OE-core] [PATCH 1/2] gnu-config: update SRC_URI

2022-03-22 Thread Minjae Kim
The git repo for gnu-config was changed, so update the SRC_URI accordingly with the new link. Signed-off-by: Minjae Kim --- meta/recipes-devtools/gnu-config/gnu-config_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/gnu-config/gnu-config_git.bb b/

[OE-core] [hardknott][PATCHv2] virglrenderer: update SRC_URI

2022-03-22 Thread Minjae Kim
The git repo for virglrenderer was changed, so update the SRC_URI accordingly with the new link. Signed-off-by: Minjae Kim --- meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-graphics/virglrenderer/virglre

[OE-core] [hardknott][PATCH 2/2] virglrenderer: update SRC_URI

2022-03-22 Thread Minjae Kim
The git repo for gnu-config was changed, so update the SRC_URI accordingly with the new link. Signed-off-by: Minjae Kim --- meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-graphics/virglrenderer/virglrende

[OE-core] [hardknott][PATCH 1/2] gnu-config: update SRC_URI

2022-03-22 Thread Minjae Kim
The git repo for gnu-config was changed, so update the SRC_URI accordingly with the new link. Signed-off-by: Minjae Kim --- meta/recipes-devtools/gnu-config/gnu-config_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/gnu-config/gnu-config_git.bb b/

[OE-core] [dunfell][PATCH 2/2] virglrenderer: update SRC_URI

2022-03-22 Thread Minjae Kim
The git repo for gnu-config was changed, so update the SRC_URI accordingly with the new link. Signed-off-by: Minjae Kim --- meta/recipes-graphics/virglrenderer/virglrenderer_0.8.2.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-graphics/virglrenderer/virglrende

[OE-core] [dunfell][PATCH 1/2] gnu-config: update SRC_URI

2022-03-22 Thread Minjae Kim
The git repo for gnu-config was changed, so update the SRC_URI accordingly with the new link. Signed-off-by: Minjae Kim --- meta/recipes-devtools/gnu-config/gnu-config_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/gnu-config/gnu-config_git.bb b/

[OE-core] [dunfell][PATCH] bluez5: fix CVE-2021-3658

2022-03-19 Thread Minjae Kim
adapter incorrectly restores Discoverable state after powered down Upstream-Status: Backport [https://github.com/bluez/bluez/commit/b497b5942a8beb8f89ca1c359c54ad67ec843055] CVE: CVE-2021-3658 Signed-off-by: Minjae Kim --- meta/recipes-connectivity/bluez5/bluez5.inc | 1 + .../bluez5/bluez5/C

[OE-core] [dunfell][PATCH 2/2] go: fix CVE-2022-23772

2022-02-26 Thread Minjae Kim
math/big: prevent large memory consumption in Rat.SetString An attacker can cause unbounded memory growth in a program using (*Rat).SetString due to an unhandled overflow. Upstream-Status: Backport [https://go.dev/issue/50699] CVE: CVE-2022-23772 Signed-off-by: Minjae Kim --- meta/recipes-devto

[OE-core] [dunfell][PATCH 1/2] go: fix CVE-2022-23806

2022-02-26 Thread Minjae Kim
es #50974 +Fixes #50977 +Fixes CVE-2022-23806 + +Signed-off-by: Minjae Kim + +--- + src/crypto/elliptic/elliptic.go | 6 +++ + src/crypto/elliptic/elliptic_test.go | 81 + src/crypto/elliptic/p224.go | 6 +++ + 3 files changed, 93 insertions(+) + +di

[OE-core] [dunfell][PATCH v4] ghostscript: fix CVE-2021-45949

2022-01-28 Thread Minjae Kim
/vuln/detail/CVE-2021-45949 Signed-off-by: Minjae Kim --- .../ghostscript/CVE-2021-45949.patch | 65 +++ ...tack-limits-after-function-evalution.patch | 51 +++ .../ghostscript/ghostscript_9.52.bb | 2 + 3 files changed, 118 insertions(+) create mode

[OE-core] [dunfell][PATCH v3] ghostscript: fix CVE-2021-45949

2022-01-28 Thread Minjae Kim
From: Minjae Kim Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overflow in sampled_data_finish (called from sampled_data_continue and interp). To apply this CVE-2021-45959 patch, the check-stack-limits-after-function-evalution.patch should be applied first. References

[OE-core] [dunfell][PATCH v2] ghostscript: fix CVE-2021-45949

2022-01-23 Thread Minjae Kim
/detail/CVE-2021-45949 Signed-off-by: Minjae Kim --- .../ghostscript/CVE-2021-45949.patch | 68 +++ ...tack-limits-after-function-evalution.patch | 51 ++ .../ghostscript/ghostscript_9.52.bb | 2 + 3 files changed, 121 insertions(+) create mode 100644

[OE-core] [dunfell][PATCH] ghostscript: fix CVE-2021-45949

2022-01-23 Thread Minjae Kim
/detail/CVE-2021-45949 Signed-off-by: Minjae Kim --- .../ghostscript/CVE-2021-45949.patch | 68 +++ ...tack-limits-after-function-evalution.patch | 51 ++ .../ghostscript/ghostscript_9.52.bb | 2 + 3 files changed, 121 insertions(+) create mode 100644

[OE-core] [dunfell][PATCH] inetutils: fix CVE-2021-40491

2021-12-17 Thread Minjae Kim
/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd Signed-off-by: Minjae Kim --- .../inetutils/inetutils/CVE-2021-40491.patch | 67 +++ .../inetutils/inetutils_1.9.4.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes

[OE-core] [dunfell][PATCH v2] vim: fix CVE-2021-4069

2021-12-17 Thread Minjae Kim
/vim/files/CVE-2021-4069.patch @@ -0,0 +1,43 @@ +From cd2422ee2dab3f33b2dbd1271e17cdaf8762b6d1 Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Fri, 17 Dec 2021 20:32:02 -0800 +Subject: [PATCH] using freed memory in open command + +Problem:Using freed memory in open command. +Solution: Make a

[OE-core] [dunfell][PATCH] git: fix CVE-2021-4069

2021-12-17 Thread Minjae Kim
/vim/files/CVE-2021-4069.patch @@ -0,0 +1,43 @@ +From cd2422ee2dab3f33b2dbd1271e17cdaf8762b6d1 Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Fri, 17 Dec 2021 20:32:02 -0800 +Subject: [PATCH] using freed memory in open command + +Problem:Using freed memory in open command. +Solution: Make a

[OE-core] [dunfell][PATCH v2] git: fix CVE-2021-40330

2021-11-25 Thread Minjae Kim
/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473] CVE: CVE-2021-40330 Signed-off-by: Minjae Kim --- .../git/files/CVE-2021-40330.patch| 108 ++ meta/recipes-devtools/git/git.inc | 4 +- 2 files changed, 111 insertions(+), 1 deletion(-) create mode

[OE-core] [dunfell][PATCH] git: fix CVE-2021-40330

2021-11-25 Thread Minjae Kim
://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473] CVE: CVE-2020-8625 Signed-off-by: Minjae Kim --- .../git/files/CVE-2021-40330.patch| 108 ++ meta/recipes-devtools/git/git.inc | 4 +- 2 files changed, 111 insertions(+), 1 deletion(-) create

Re: [OE-core] [dunfell][PATCH] vim: fix 2021-3796

2021-10-25 Thread Minjae Kim
Hi Steve! I also updated the patch for dunfell. Thanks, Minjae Kim.

[OE-core] [dunfell][PATCH v2] vim: fix 2021-3796

2021-10-25 Thread Minjae Kim
vim is vulnerable to Use After Free Problem: Checking first character of url twice. reference: https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3 Signed-off-by: Minjae Kim --- .../vim/files/CVE-2021-3796.patch | 50 +++ 1 file changed, 50

Re: [OE-core] [PATCH] vim: fix 2021-3796

2021-10-23 Thread Minjae Kim
Sstate summary: Wanted 7 Local 0 Network 0 Missed 7 Current 552 (0% match, 98% complete) NOTE: Executing Tasks NOTE: Tasks Summary: Attempted 1964 tasks of which 1949 didn't need to be rerun and all succeeded. Summary: There was 1 WARNING message

[OE-core] [PATCH v2] vim: fix 2021-3796

2021-10-23 Thread Minjae Kim
:Using freed memory when replacing. (Dhiraj Mishra) +Solution: Get the line pointer after calling ins_copychar(). + +Upstream-Status: Backport [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3] +CVE: CVE-2021-3796 + +Signed-off-by: Minjae Kim +--- + src/normal.c | 10

[OE-core] [dunfell][PATCH] vim: fix 2021-3796

2021-10-21 Thread Minjae Kim
/meta/recipes-support/vim/files/CVE-2021-3796.patch @@ -0,0 +1,70 @@ +From 296bf20889e66e3235e199838c6e360db2c4166d Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Fri, 22 Oct 2021 02:24:32 + +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing + +Problem:Using freed memory

[OE-core] [PATCH] vim: fix 2021-3796

2021-10-21 Thread Minjae Kim
--- /dev/null +++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch @@ -0,0 +1,70 @@ +From 296bf20889e66e3235e199838c6e360db2c4166d Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Fri, 22 Oct 2021 02:24:32 + +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing + +Problem

Re: [OE-core] [PATCH] vim: fix CVE-2021-3778

2021-09-28 Thread Minjae Kim
ects for arch qemux86_64: 100% |##| Time: 0:00:00 NOTE: Executing Tasks NOTE: Tasks Summary: Attempted 1964 tasks of which 1945 didn't need to be rerun and all succe

Re: [OE-core] [PATCH] vim: fix CVE-2021-3778

2021-09-27 Thread Minjae Kim
Hi Richard, Thanks for the notice, I'll update it properly. Thanks Minjae Kim.

[OE-core] [PATCH] vim: fix CVE-2021-3778

2021-09-27 Thread Minjae Kim
-2021-3778.patch @@ -0,0 +1,49 @@ +From eb41373c8c88b0789e5cf04669d6116f9a199264 Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Sun, 26 Sep 2021 23:48:00 + +Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8 + character + +Problem: Reading beyond end of line with

[OE-core] [hardknott][PATCH] vim: fix CVE-2021-3778

2021-09-27 Thread Minjae Kim
-2021-3778.patch @@ -0,0 +1,49 @@ +From eb41373c8c88b0789e5cf04669d6116f9a199264 Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Sun, 26 Sep 2021 23:48:00 + +Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8 + character + +Problem: Reading beyond end of line with

[OE-core] [dunfell][PATCH] vim: fix CVE-2021-3778

2021-09-27 Thread Minjae Kim
-2021-3778.patch @@ -0,0 +1,49 @@ +From eb41373c8c88b0789e5cf04669d6116f9a199264 Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Sun, 26 Sep 2021 23:48:00 + +Subject: [PATCH] patch 8.2.3409: reading beyond end of line with invalid utf-8 + character + +Problem: Reading beyond end of line with

Re: [OE-core] [meta][dunfell][PATCH] rpm: Handle proper return value to avoid major issues and removing unnecessary code

2021-09-13 Thread Minjae Kim
re not used. I left it with the author's intent. If the build goes well without those variables, it doesn't seem to matter. Thanks, Minjae Kim.

Re: [OE-core] [meta][dunfell][PATCH] rpm: Handle proper return value to avoid major issues and removing unnecessary code

2021-09-13 Thread Minjae Kim
On Mon, Sep 13, 2021 at 11:34 AM, Steve Sakoman wrote: > > RPMSIGTAG_FILESIGNATURELENGTH Sorry for the late response. I know that the RPMSIGTAG_FILESIGNATURES and RPMSIGTAG_FILESIGNATURELENGTH are defined in the original commit, but are not used. I left it with the author's intent. If the build

[OE-core] [gatesgarth][PATCH] ruby: 2.7.1 -> 2.7.4

2021-08-09 Thread Minjae Kim
This release includes security fixes. CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP CVE-2021-31799: A command injection vulnerability in RDoc CVE-2021-28965: XML round-trip vulnerability in REXML CVE-2021-28966

[OE-core] [dunfell][PATCH] ruby: 2.7.3 -> 2.7.4

2021-08-09 Thread Minjae Kim
This release includes security fixes. CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP CVE-2021-31799: A command injection vulnerability in RDoc https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/ -

[OE-core] [dunfell][PATCH] dhcp: fix CVE-2021-25217

2021-07-08 Thread Minjae Kim
.patch new file mode 100644 index 00..91aaf83a77 --- /dev/null +++ b/meta/recipes-connectivity/dhcp/dhcp/CVE-2021-25217.patch @@ -0,0 +1,66 @@ +From 5a7344b05081d84343a1627e47478f3990b17700 Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Thu, 8 Jul 2021 00:08:25 + +Subject: [PATCH] ISC

[OE-core] [dunfell][PATCH] gstreamer-plugins-base: fix CVE-2021-3522

2021-07-05 Thread Minjae Kim
amer/gst-plugins-base/-/merge_requests/1066> + +Upstream-Status: Backport +[https://gstreamer.freedesktop.org/security/sa-2021-0001.html] +CVE: CVE-2021-3522 +Signed-off-by: Minjae Kim +--- + gst-libs/gst/tag/id3v2frames.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/g

Re: [OE-core] [dunfell 00/14] Patch review

2021-06-28 Thread Minjae Kim
Hi Steve, How about this patch? I already tested on qemux86-64. https://lists.openembedded.org/g/openembedded-core/message/153284 Do I need more testing? Thanks, Minjae Kim.

Re: [OE-core] [dunfell][PATCH] rpm: fix CVE-2021-3421

2021-06-25 Thread Minjae Kim
Hi Steve and Anuj I tested it on qemu, it works well. - git package is installed by rpm command. - git package is removed by rpm command. Could you tell me what is needed to verify for RPM? Thanks, Minjae Kim.

Re: [OE-core] [dunfell][PATCH] rpm: fix CVE-2021-3421

2021-06-24 Thread Minjae Kim
In order to fix CVE-2021-3421, I added RPMSIGTAG_FILESIGNATURES and RPMSIGTAG_FILESIGNATURELENGTH in lib/rpmtag.h. So it is possible to build, but I cannot test on target yet.

[OE-core] [dunfell][PATCH] rpm: fix CVE-2021-3421

2021-06-24 Thread Minjae Kim
mode 100644 index 00..b1a05b6863 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/CVE-2021-3421.patch @@ -0,0 +1,197 @@ +From 1e5b70cab83c95aa138107a38ecda75ff70e8985 Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Thu, 24 Jun 2021 01:11:26 + +Subject: [PATCH] Be much more careful

[OE-core] [dunfell][PATCH] python3: fix CVE-2021-3426

2021-06-21 Thread Minjae Kim
ource code of Python +modules can contain sensitive data like passwords. Vulnerability +reported by David Schwörer. + +Upstream-Status: Acepted +[https://github.com/python/cpython/pull/25015/commits/dc9580949cc82c51022a882ba43dad937ff929a8] +CVE: CVE-2021-3426 +Signed-off-by: Minjae Kim +

[OE-core] [gatesgarth][PATCH v2] qemu: fix CVE-2021-3392

2021-04-27 Thread Minjae Kim
/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch new file mode 100644 index 00..1c688827db --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch @@ -0,0 +1,45 @@ +From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001 +From: Minjae

[OE-core] [dunfell][PATCH] qemu: fix CVE-2021-3392

2021-04-27 Thread Minjae Kim
From: Minjae Kim scsi: use-after-free in mptsas_process_scsi_io_request() of mptsas1068 emulator --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-3392.patch | 45 +++ 2 files changed, 46 insertions(+) create mode 100644 meta/recipes

[OE-core] [gatesgarth][PATCH] qemu: fix CVE-2021-3392

2021-04-27 Thread Minjae Kim
/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch new file mode 100644 index 00..1c688827db --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch @@ -0,0 +1,45 @@ +From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001 +From: Minjae

[OE-core] [hardknott][PATCH] qemu: fix CVE-2021-3392

2021-04-27 Thread Minjae Kim
1c0e11 Mon Sep 17 00:00:00 2001 +From: Minjae Kim +Date: Tue, 27 Apr 2021 02:09:49 + +Subject: [PATCH] scsi: mptsas: dequeue request object in case of an error + (CVE-2021-3392) + +From: Prasad J Pandit + +While processing SCSI i/o requests in mptsas_process_scsi_io_request(), +the Megaraid

[OE-core] [PATCH] qemu: fix CVE-2021-3392

2021-04-27 Thread Minjae Kim
u/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch new file mode 100644 index 00..1c688827db --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch @@ -0,0 +1,45 @@ +From 3431b01b43584de5f710c40605fe3251f81c0e11 Mon Sep 17 00:00:00 2001 +Fro

Re: [OE-core] [PATCH] git: Remove CVE-2021-21300 patch

2021-03-28 Thread Minjae Kim
0_1/81646287?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,20,81646287 ) Thanks Minjae Kim

[OE-core] [dunfell][PATCH] git: fix CVE-2021-21300

2021-03-26 Thread Minjae Kim
checkout: fix bug that makes checkout follow symlinks in leading path Upstream-Status: Accepted [https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592] CVE: CVE-2021-21300 Signed-off-by: Minjae Kim --- .../git/files/CVE-2021-21300.patch| 305

[OE-core] [gatesgarth][PATCH] git: fix CVE-2021-21300

2021-03-26 Thread Minjae Kim
checkout: fix bug that makes checkout follow symlinks in leading path Upstream-Status: Accepted [https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592] CVE: CVE-2021-21300 Signed-off-by: Minjae Kim --- meta/recipes-devtools/git/git.inc | 4 +- .../git/git/CVE

[OE-core] [PATCH] git: upgrade 2.30.1 -> 2.31.1

2021-03-26 Thread Minjae Kim
Includes a fix for CVE-2021-21300 Signed-off-by: Minjae Kim --- meta/recipes-devtools/git/{git_2.30.1.bb => git_2.31.1.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-devtools/git/{git_2.30.1.bb => git_2.31.1.bb} (51%) diff --git a/meta/recipes-devtoo

[OE-core] [PATCH] git: fix CVE-2021-21300

2021-03-26 Thread Minjae Kim
checkout: fix bug that makes checkout follow symlinks in leading path Upstream-Status: Accepted [https://github.com/git/git/commit/684dd4c2b414bcf648505e74498a608f28de4592] CVE: CVE-2021-21300 Signed-off-by: Minjae Kim --- meta/recipes-devtools/git/git.inc | 4 +- .../git/git/CVE

[OE-core] [PATCH] qemu: fix CVE-2021-20203

2021-03-08 Thread Minjae Kim
net: vmxnet3: validate configuration values during activate Upstream-Status: Accepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html] CVE: CVE-2021-20203 Signed-off-by: Minjae Kim --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-20203.patch

[OE-core] [gatesgarth][PATCH] qemu: fix CVE-2021-20203

2021-03-08 Thread Minjae Kim
net: vmxnet3: validate configuration values during activate Upstream-Status: Accepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html] CVE: CVE-2021-20203 Signed-off-by: Minjae Kim --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-20203.patch

[OE-core] [dunfell][PATCH 2/2] qemu: fix CVE-2021-20203

2021-03-08 Thread Minjae Kim
net: vmxnet3: validate configuration values during activate Upstream-Status: Accepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html] CVE: CVE-2021-20203 Signed-off-by: Minjae Kim --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2021-20203.patch

[OE-core] [dunfell][PATCH 1/2] wpa-supplicant: fix CVE-2021-27803

2021-03-08 Thread Minjae Kim
[https://w1.fi/cgit/hostap/commit/?id=8460e3230988ef2ec13ce6b69b687e941f6cdb32] CVE: CVE-2021-27803 Signed-off-by: Minjae Kim --- .../wpa-supplicant/CVE-2021-27803.patch | 54 +++ .../wpa-supplicant/wpa-supplicant_2.9.bb | 1 + 2 files changed, 55 insertions(+) create

[OE-core] [dunfell][PATCH] librepo: fix CVE-2020-14352

2021-03-03 Thread Minjae Kim
librepo: missing path validation in repomd.xml may lead to directory traversal Upstream-Status: Accepted [https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600] CVE: CVE-2020-14352 Signed-off-by: Minjae Kim --- .../librepo/librepo/CVE-2020-14352

[OE-core] [gatesgarth][PATCH v2] bind: fix CVE-2020-8625

2021-03-02 Thread Minjae Kim
BIND Operational Notification: Zone journal (.jnl) file incompatibility Upstream-Status: Backporting [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch] CVE: CVE-2020-8625 Signed-off-by: Minjae Kim --- .../bind/bind-9.16.7/CVE-2020-8625.patch | 29

[OE-core] [dunfell][PATCH] bind: fix CVE-2020-8625

2021-03-01 Thread Minjae Kim
BIND Operational Notification: Zone journal (.jnl) file incompatibility Upstream-Status: Backporting [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch] CVE: CVE-2020-8625 Signed-off-by: Minjae Kim --- .../bind/bind/CVE-2020-8625.patch | 17

[OE-core] [gatesgarth][PATCH] bind: fix CVE-2020-8625

2021-03-01 Thread Minjae Kim
BIND Operational Notification: Zone journal (.jnl) file incompatibility Upstream-Status: Backporting [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch] CVE: CVE-2020-8625 Signed-off-by: Minjae Kim --- .../bind/bind-9.16.7/CVE-2020-8625.patch| 17

[OE-core] [PATCHv2] bind: fix CVE-2020-8625

2021-03-01 Thread Minjae Kim
BIND Operational Notification: Zone journal (.jnl) file incompatibility Upstream-Status: Accepted [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch] CVE: CVE-2020-8625 Signed-off-by: Minjae Kim --- .../bind/bind-9.16.11/CVE-2020-8625.patch| 16

[OE-core] [PATCH] bind: fix CVE-2020-8625

2021-02-28 Thread Minjae Kim
BIND Operational Notification: Zone journal (.jnl) file incompatibility Upstream-Status: Accepted [https://downloads.isc.org/isc/bind9/9.16.12/patches/CVE-2020-8625.patch] CVE: CVE-2020-8625 Signed-off-by: Minjae Kim --- .../bind/bind/CVE-2020-8625.patch | 41

[OE-core] [PATCH] librepo: fix CVE-2020-14352

2021-02-28 Thread Minjae Kim
librepo: missing path validation in repomd.xml may lead to directory traversal Upstream-Status: Accepted [https://github.com/rpm-software-management/librepo/commit/7daea2a2429a54dad68b1de9b37a5f65c5cf2600] CVE: CVE-2020-14352 Signed-off-by: Minjae Kim --- .../librepo/librepo/CVE-2020-14352

[OE-core] [PATCH] python3: fix CVE-2021-3177

2021-02-26 Thread Minjae Kim
Replace snprintf with Python unicode formatting in ctypes param reprs Upstream-Status: Backport [https://github.com/python/cpython/commit/916610ef90a0d0761f08747f7b0905541f0977c7] CVE: CVE-2021-3177 Signed-off-by: Minjae Kim --- .../python/python3/CVE-2021-3177.patch| 183