[kirkstone] glibc: Update to latest on stable 2.35 branch

Message ID 20231006200814.178676-1-peter.marko@siemens.com
State Accepted, archived
Commit be0bca7eaa08948b6c4eabe63e68a6e14d8dad3b

Commit Message

Peter Marko Oct. 6, 2023, 8:08 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Addresses CVE-2023-4911.

Single commit bump:
* c84018a05ae tunables: Terminate if end of input is reached (CVE-2023-4911)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-core/glibc/glibc-version.inc | 2 +-
 meta/recipes-core/glibc/glibc_2.35.bb     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Vincent Prince Oct. 9, 2023, 7:09 p.m. UTC | #1
Hello,

I have a small question concerning glibc source handling.

I have a machine connected to the Internet that runs
bitbake -k -f --runall=fetch universe
and another offline machine that uses the previous fetch as a source mirror.
When I bitbake my image, it fails to use this with

ERROR: cross-localedef-native-2.35-r0 do_fetch: Bitbake Fetcher Error:
NetworkAccess('git://sourceware.org/git/glibc.git;branch=release/2.35/master;name=glibc',
'LANG=C git -c core.fsyncobjectfiles=0 -c gc.autoDetach=false -c
core.pager=cat fetch -f --progress git://sourceware.org/git/glibc.git
refs/heads/*:refs/heads/* refs/tags/*:refs/tags/*')
It seems the git archives are corrupted?

Do you know what could be causing this?
Best regards,
Vincent

On Fri, Oct 6, 2023 at 22:10, Peter Marko via lists.openembedded.org
<peter.marko=siemens.com@lists.openembedded.org> wrote:
>
> From: Peter Marko <peter.marko@siemens.com>
>
> Addresses CVE-2023-4911.
>
> Single commit bump:
> * c84018a05ae tunables: Terminate if end of input is reached (CVE-2023-4911)
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  meta/recipes-core/glibc/glibc-version.inc | 2 +-
>  meta/recipes-core/glibc/glibc_2.35.bb     | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
> index c23a43576c..e0d47f283b 100644
> --- a/meta/recipes-core/glibc/glibc-version.inc
> +++ b/meta/recipes-core/glibc/glibc-version.inc
> @@ -1,6 +1,6 @@
>  SRCBRANCH ?= "release/2.35/master"
>  PV = "2.35"
> -SRCREV_glibc ?= "73d4ce728a59deb2fd18969e559769b3f590fac9"
> +SRCREV_glibc ?= "c84018a05aec80f5ee6f682db0da1130b0196aef"
>  SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
>
>  GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
> diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb
> index b4bad5b7ac..271520f76b 100644
> --- a/meta/recipes-core/glibc/glibc_2.35.bb
> +++ b/meta/recipes-core/glibc/glibc_2.35.bb
> @@ -17,7 +17,7 @@ CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
>  CVE_CHECK_IGNORE += "CVE-2019-1010025"
>
>  # To avoid these in cve-check reports since the recipe version did not change
> -CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-5156"
> +CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156"
>
>  DEPENDS += "gperf-native bison-native"
>
> --
> 2.30.2
>
>
>
Peter Marko Oct. 9, 2023, 9:08 p.m. UTC | #2
-----Original Message-----
From: Vincent Prince <vincent.prince.fr@gmail.com> 
Sent: Monday, October 9, 2023 21:09
To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch

> Hello,
>
> I have a small question concerning glibc source handling.
>
> I have a machine connected to the Internet that runs
> bitbake -k -f --runall=fetch universe
> and another offline machine that uses the previous fetch as a source mirror.
> When I bitbake my image, it fails to use this with
>
> ERROR: cross-localedef-native-2.35-r0 do_fetch: Bitbake Fetcher Error:
> NetworkAccess('git://sourceware.org/git/glibc.git;branch=release/2.35/master;name=glibc',
> 'LANG=C git -c core.fsyncobjectfiles=0 -c gc.autoDetach=false -c
> core.pager=cat fetch -f --progress git://sourceware.org/git/glibc.git
> refs/heads/*:refs/heads/* refs/tags/*:refs/tags/*')
> It seems the git archives are corrupted?
>
> Do you know what could be causing this?
> Best regards,
> Vincent

Fetch works for me and, since it was merged, also on the autobuilder.
What I can imagine is that your fetch on the networked machine failed (e.g. due to a temporary network problem).
Did you check the log on the networked machine?

Peter

>
> On Fri, Oct 6, 2023 at 22:10, Peter Marko via lists.openembedded.org
> <peter.marko=siemens.com@lists.openembedded.org> wrote:
> >
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Addresses CVE-2023-4911.
> >
> > Single commit bump:
> > * c84018a05ae tunables: Terminate if end of input is reached (CVE-2023-4911)
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  meta/recipes-core/glibc/glibc-version.inc | 2 +-
> >  meta/recipes-core/glibc/glibc_2.35.bb     | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
> > index c23a43576c..e0d47f283b 100644
> > --- a/meta/recipes-core/glibc/glibc-version.inc
> > +++ b/meta/recipes-core/glibc/glibc-version.inc
> > @@ -1,6 +1,6 @@
> >  SRCBRANCH ?= "release/2.35/master"
> >  PV = "2.35"
> > -SRCREV_glibc ?= "73d4ce728a59deb2fd18969e559769b3f590fac9"
> > +SRCREV_glibc ?= "c84018a05aec80f5ee6f682db0da1130b0196aef"
> >  SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
> >
> >  GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
> > diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb
> > index b4bad5b7ac..271520f76b 100644
> > --- a/meta/recipes-core/glibc/glibc_2.35.bb
> > +++ b/meta/recipes-core/glibc/glibc_2.35.bb
> > @@ -17,7 +17,7 @@ CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
> >  CVE_CHECK_IGNORE += "CVE-2019-1010025"
> >
> >  # To avoid these in cve-check reports since the recipe version did not change
> > -CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-5156"
> > +CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156"
> >
> >  DEPENDS += "gperf-native bison-native"
> >
> > --
> > 2.30.2
> >
> >
> >
Vincent Prince Oct. 10, 2023, 9:49 a.m. UTC | #3
Fetching on the networked machine was ok.
I managed to get rid of the problem by cleaning the glibc and
cross-localedef-native downloads and sstate-cache from both machines:
gitshallow_sourceware.org.git.glibc.git_561e9da-1_release.2.35.master.tar.gz
gitshallow_sourceware.org.git.glibc.git_561e9da-1_release.2.35.master.tar.gz.done
gitshallow_sourceware.org.git.glibc.git_c84018a-1_release.2.35.master.tar.gz
gitshallow_sourceware.org.git.glibc.git_c84018a-1_release.2.35.master.tar.gz.done
git2/sourceware.org.git.glibc.git
git2/sourceware.org.git.glibc.git.done
....
and relaunching the build. Not sure what happened here, maybe
something related to the
SRCREV_FORMAT // SRCREV_glibc // SRCREV_localedef variables that do
not trigger cache/download recomputing?


On Mon, Oct 9, 2023 at 23:08, Marko, Peter <Peter.Marko@siemens.com> wrote:
>
> -----Original Message-----
> From: Vincent Prince <vincent.prince.fr@gmail.com>
> Sent: Monday, October 9, 2023 21:09
> To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][kirkstone][PATCH] glibc: Update to latest on stable 2.35 branch
>
> > Hello,
> >
> > I have a small question concerning glibc source handling.
> >
> > I have a machine connected to the Internet that runs
> > bitbake -k -f --runall=fetch universe
> > and another offline machine that uses the previous fetch as a source mirror.
> > When I bitbake my image, it fails to use this with
> >
> > ERROR: cross-localedef-native-2.35-r0 do_fetch: Bitbake Fetcher Error:
> > NetworkAccess('git://sourceware.org/git/glibc.git;branch=release/2.35/master;name=glibc',
> > 'LANG=C git -c core.fsyncobjectfiles=0 -c gc.autoDetach=false -c
> > core.pager=cat fetch -f --progress git://sourceware.org/git/glibc.git
> > refs/heads/*:refs/heads/* refs/tags/*:refs/tags/*')
> > It seems the git archives are corrupted?
> >
> > Do you know what could be causing this?
> > Best regards,
> > Vincent
>
> Fetch works for me and, since it was merged, also on the autobuilder.
> What I can imagine is that your fetch on the networked machine failed (e.g. due to a temporary network problem).
> Did you check the log on the networked machine?
>
> Peter
>
> >
> > On Fri, Oct 6, 2023 at 22:10, Peter Marko via lists.openembedded.org
> > <peter.marko=siemens.com@lists.openembedded.org> wrote:
> > >
> > > From: Peter Marko <peter.marko@siemens.com>
> > >
> > > Addresses CVE-2023-4911.
> > >
> > > Single commit bump:
> > > * c84018a05ae tunables: Terminate if end of input is reached (CVE-2023-4911)
> > >
> > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > ---
> > >  meta/recipes-core/glibc/glibc-version.inc | 2 +-
> > >  meta/recipes-core/glibc/glibc_2.35.bb     | 2 +-
> > >  2 files changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
> > > index c23a43576c..e0d47f283b 100644
> > > --- a/meta/recipes-core/glibc/glibc-version.inc
> > > +++ b/meta/recipes-core/glibc/glibc-version.inc
> > > @@ -1,6 +1,6 @@
> > >  SRCBRANCH ?= "release/2.35/master"
> > >  PV = "2.35"
> > > -SRCREV_glibc ?= "73d4ce728a59deb2fd18969e559769b3f590fac9"
> > > +SRCREV_glibc ?= "c84018a05aec80f5ee6f682db0da1130b0196aef"
> > >  SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
> > >
> > >  GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
> > > diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb
> > > index b4bad5b7ac..271520f76b 100644
> > > --- a/meta/recipes-core/glibc/glibc_2.35.bb
> > > +++ b/meta/recipes-core/glibc/glibc_2.35.bb
> > > @@ -17,7 +17,7 @@ CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
> > >  CVE_CHECK_IGNORE += "CVE-2019-1010025"
> > >
> > >  # To avoid these in cve-check reports since the recipe version did not change
> > > -CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-5156"
> > > +CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156"
> > >
> > >  DEPENDS += "gperf-native bison-native"
> > >
> > > --
> > > 2.30.2
> > >
> > >
> > >

Patch

diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index c23a43576c..e0d47f283b 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@ 
 SRCBRANCH ?= "release/2.35/master"
 PV = "2.35"
-SRCREV_glibc ?= "73d4ce728a59deb2fd18969e559769b3f590fac9"
+SRCREV_glibc ?= "c84018a05aec80f5ee6f682db0da1130b0196aef"
 SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
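Review bot: with `GLIBC_GIT_URI` in the trailing context still on plain `git://`, the `SRCREV_glibc` value on the `+` line is the only integrity anchor for this fetch, so it deserves an explicit check. The full hash c84018a05aec80f5ee6f682db0da1130b0196aef does match the abbreviated c84018a05ae named in the commit message; please also confirm it is reachable from release/2.35/master (the `SRCBRANCH` above) through a source you trust, and state the old..new range 73d4ce728a..c84018a05a in the commit message so the "single commit bump" claim can be verified from the message alone.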
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb
index b4bad5b7ac..271520f76b 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -17,7 +17,7 @@  CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
 CVE_CHECK_IGNORE += "CVE-2019-1010025"
 
 # To avoid these in cve-check reports since the recipe version did not change
-CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-5156"
+CVE_CHECK_IGNORE += "CVE-2023-4813 CVE-2023-4806 CVE-2023-4911 CVE-2023-5156"
 
 DEPENDS += "gperf-native bison-native"
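
Review bot: the added CVE-2023-4911 entry in `CVE_CHECK_IGNORE` is unconditional, while the fix it relies on arrives only through `SRCREV_glibc`, which glibc-version.inc sets with a weak `?=`. A layer or local.conf that pins an older revision would still have the CVE hidden from cve-check reports. Suggest extending the comment above the list to name the fixing commit for each ignored CVE (here c84018a05ae), so anyone overriding the revision can see what the suppression depends on.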