From patchwork Wed Nov 8 13:46:42 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 34062
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 01/10] curl: Fix CVE-2023-38039
Date: Wed, 8 Nov 2023 03:46:42 -1000
Message-Id: <77a7921660e8da1cb618ba3634835790ae8adfdd.1699451066.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190327

From: Mingli Yu

Backport patch [1] to fix CVE-2023-38039 and reference [2] and [3] to fix
the build error.

[1] https://github.com/curl/curl/commit/3ee79c1674fd6f9
[2] https://github.com/curl/curl/commit/2cb0d346aaa
[3] https://github.com/curl/curl/commit/83319e027179

Signed-off-by: Mingli Yu
Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2023-38039.patch | 209 ++++++++++++++++++ meta/recipes-support/curl/curl_8.0.1.bb | 1 + 2 files changed, 210 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2023-38039.patch diff --git a/meta/recipes-support/curl/curl/CVE-2023-38039.patch b/meta/recipes-support/curl/curl/CVE-2023-38039.patch new file mode 100644 index 0000000000..ef8b600413 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2023-38039.patch 
@@ -0,0 +1,209 @@ +From daa73dbfa9d4dbaf5415cc14dcbf31e45ed77468 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Thu, 2 Nov 2023 15:57:39 +0800 +Subject: [PATCH] http: return error when receiving too large header set + +To avoid abuse. The limit is set to 300 KB for the accumulated size of +all received HTTP headers for a single response. Incomplete research +suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to +1MB. + +Closes #11582 + +CVE: CVE-2023-38039 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/3ee79c1674fd6f9] + +Signed-off-by: Mingli Yu +--- + lib/c-hyper.c | 12 +++++++----- + lib/http.c | 39 +++++++++++++++++++++++++++++++++++---- + lib/http.h | 9 +++++++++ + lib/pingpong.c | 2 +- + lib/urldata.h | 18 ++++++++++-------- + 5 files changed, 62 insertions(+), 18 deletions(-) + +diff --git a/lib/c-hyper.c b/lib/c-hyper.c +index 9c7632d..28f64ef 100644 +--- a/lib/c-hyper.c ++++ b/lib/c-hyper.c +@@ -174,8 +174,11 @@ static int hyper_each_header(void *userdata, + } + } + +- data->info.header_size += (curl_off_t)len; +- data->req.headerbytecount += (curl_off_t)len; ++ result = Curl_bump_headersize(data, len, FALSE); ++ if(result) { ++ data->state.hresult = result; ++ return HYPER_ITER_BREAK; ++ } + return HYPER_ITER_CONTINUE; + } + +@@ -305,9 +308,8 @@ static CURLcode status_line(struct Curl_easy *data, + if(result) + return result; + } +- data->info.header_size += (curl_off_t)len; +- data->req.headerbytecount += (curl_off_t)len; +- return CURLE_OK; ++ result = Curl_bump_headersize(data, len, FALSE); ++ return result; + } + + /* +diff --git a/lib/http.c b/lib/http.c +index 400d2b0..d3efd60 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -3760,6 +3760,34 @@ static CURLcode verify_header(struct Curl_easy *data) + return CURLE_OK; + } + ++CURLcode Curl_bump_headersize(struct Curl_easy *data, ++ size_t delta, ++ bool connect_only) ++{ ++ size_t bad = 0; ++ unsigned int max = MAX_HTTP_RESP_HEADER_SIZE; ++ if(delta < 
MAX_HTTP_RESP_HEADER_SIZE) { ++ data->info.header_size += (unsigned int)delta; ++ data->req.allheadercount += (unsigned int)delta; ++ if(!connect_only) ++ data->req.headerbytecount += (unsigned int)delta; ++ if(data->req.allheadercount > max) ++ bad = data->req.allheadercount; ++ else if(data->info.header_size > (max * 20)) { ++ bad = data->info.header_size; ++ max *= 20; ++ } ++ } ++ else ++ bad = data->req.allheadercount + delta; ++ if(bad) { ++ failf(data, "Too large response headers: %zu > %u", bad, max); ++ return CURLE_RECV_ERROR; ++ } ++ return CURLE_OK; ++} ++ ++ + /* + * Read any HTTP header lines from the server and pass them to the client app. + */ +@@ -4007,8 +4035,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + if(result) + return result; + +- data->info.header_size += (long)headerlen; +- data->req.headerbytecount += (long)headerlen; ++ result = Curl_bump_headersize(data, headerlen, FALSE); ++ if(result) ++ return result; + + /* + * When all the headers have been parsed, see if we should give +@@ -4330,8 +4359,10 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, + if(result) + return result; + +- data->info.header_size += Curl_dyn_len(&data->state.headerb); +- data->req.headerbytecount += Curl_dyn_len(&data->state.headerb); ++ result = Curl_bump_headersize(data, Curl_dyn_len(&data->state.headerb), ++ FALSE); ++ if(result) ++ return result; + + Curl_dyn_reset(&data->state.headerb); + } +diff --git a/lib/http.h b/lib/http.h +index 444abc0..ea3b37e 100644 +--- a/lib/http.h ++++ b/lib/http.h +@@ -60,6 +60,10 @@ extern const struct Curl_handler Curl_handler_wss; + #endif + #endif /* websockets */ + ++CURLcode Curl_bump_headersize(struct Curl_easy *data, ++ size_t delta, ++ bool connect_only); ++ + + /* Header specific functions */ + bool Curl_compareheader(const char *headerline, /* line to check */ +@@ -176,6 +180,11 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data); + #define EXPECT_100_THRESHOLD (1024*1024) + #endif 
+ ++/* MAX_HTTP_RESP_HEADER_SIZE is the maximum size of all response headers ++ combined that libcurl allows for a single HTTP response, any HTTP ++ version. This count includes CONNECT response headers. */ ++#define MAX_HTTP_RESP_HEADER_SIZE (300*1024) ++ + #endif /* CURL_DISABLE_HTTP */ + + #ifdef USE_NGHTTP3 +diff --git a/lib/pingpong.c b/lib/pingpong.c +index 2f4aa1c..e53a506 100644 +--- a/lib/pingpong.c ++++ b/lib/pingpong.c +@@ -341,7 +341,7 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data, + ssize_t clipamount = 0; + bool restart = FALSE; + +- data->req.headerbytecount += (long)gotbytes; ++ data->req.headerbytecount += (unsigned int)gotbytes; + + pp->nread_resp += gotbytes; + for(i = 0; i < gotbytes; ptr++, i++) { +diff --git a/lib/urldata.h b/lib/urldata.h +index f3e782a..748660f 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -619,17 +619,19 @@ struct SingleRequest { + curl_off_t bytecount; /* total number of bytes read */ + curl_off_t writebytecount; /* number of bytes written */ + +- curl_off_t headerbytecount; /* only count received headers */ +- curl_off_t deductheadercount; /* this amount of bytes doesn't count when we +- check if anything has been transferred at +- the end of a connection. We use this +- counter to make only a 100 reply (without a +- following second response code) result in a +- CURLE_GOT_NOTHING error code */ + + curl_off_t pendingheader; /* this many bytes left to send is actually + header and not body */ + struct curltime start; /* transfer started at this time */ ++ unsigned int headerbytecount; /* received server headers (not CONNECT ++ headers) */ ++ unsigned int allheadercount; /* all received headers (server + CONNECT) */ ++ unsigned int deductheadercount; /* this amount of bytes doesn't count when ++ we check if anything has been transferred ++ at the end of a connection. 
We use this ++ counter to make only a 100 reply (without ++ a following second response code) result ++ in a CURLE_GOT_NOTHING error code */ + enum { + HEADER_NORMAL, /* no bad header at all */ + HEADER_PARTHEADER, /* part of the chunk is a bad header, the rest +@@ -1076,7 +1078,6 @@ struct PureInfo { + int httpversion; /* the http version number X.Y = X*10+Y */ + time_t filetime; /* If requested, this is might get set. Set to -1 if the + time was unretrievable. */ +- curl_off_t header_size; /* size of read header(s) in bytes */ + curl_off_t request_size; /* the amount of bytes sent in the request(s) */ + unsigned long proxyauthavail; /* what proxy auth types were announced */ + unsigned long httpauthavail; /* what host auth types were announced */ +@@ -1084,6 +1085,7 @@ struct PureInfo { + char *contenttype; /* the content type of the object */ + char *wouldredirect; /* URL this would've been redirected to if asked to */ + curl_off_t retry_after; /* info from Retry-After: header */ ++ unsigned int header_size; /* size of read header(s) in bytes */ + + /* PureInfo members 'conn_primary_ip', 'conn_primary_port', 'conn_local_ip' + and, 'conn_local_port' are copied over from the connectdata struct in +-- +2.25.1 + diff --git a/meta/recipes-support/curl/curl_8.0.1.bb b/meta/recipes-support/curl/curl_8.0.1.bb index 375b4d2f93..04da092ee9 100644 --- a/meta/recipes-support/curl/curl_8.0.1.bb +++ b/meta/recipes-support/curl/curl_8.0.1.bb 
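Review bot: The header of CVE-2023-38039.patch gives Upstream-Status as a backport of 3ee79c1674fd6f9 only, while the submission text says commits 2cb0d346aaa and 83319e027179 were also referenced to fix the build error. If parts of those two commits were folded into this file, name them on the Upstream-Status line or in the patch description, so that a later version bump can tell which upstream changes are already carried.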
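Review bot: In Curl_bump_headersize() (lib/http.c hunk) the cumulative bound on data->info.header_size is written as `max * 20` with no comment, and the MAX_HTTP_RESP_HEADER_SIZE comment added in lib/http.h documents only the 300 KB limit for a single response. A named constant, or one line saying what the factor of 20 is meant to cover, would make this second limit reviewable instead of a magic number.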
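Review bot: Every call to Curl_bump_headersize() added by this patch (hyper_each_header and status_line in lib/c-hyper.c, both sites in Curl_http_readwrite_headers) passes FALSE for connect_only, and the diffstat touches no proxy code, so within this backport allheadercount and headerbytecount always advance together. The lib/http.h comment says the count "includes CONNECT response headers" and lib/urldata.h describes allheadercount as "server + CONNECT"; please confirm where CONNECT response headers are counted in 8.0.1, or state in the patch description that this part of the upstream change was left out.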
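Review bot: The lib/pingpong.c hunk keeps a direct `data->req.headerbytecount += (unsigned int)gotbytes;` rather than calling Curl_bump_headersize(), so this path picks up the narrower unsigned int counter from lib/urldata.h without any size check. Either route it through the helper or add a comment explaining why an unchecked add into the 32-bit counter is acceptable for pingpong responses.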
@@ -21,6 +21,7 @@ SRC_URI = " \ file://CVE-2023-28320-fol1.patch \ file://CVE-2023-38545.patch \ file://CVE-2023-38546.patch \ + file://CVE-2023-38039.patch \ " SRC_URI[sha256sum] = "0a381cd82f4d00a9a334438b8ca239afea5bfefcfa9a1025f2bf118e79e0b5f0"

From patchwork Wed Nov 8 13:46:43 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 34063
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 02/10] shadow: Fix CVE-2023-4641
Date: Wed, 8 Nov 2023 03:46:43 -1000
Message-Id: <3623f48ff73ad97f583172b7dbfcb56affc9353b.1699451066.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190328

From: Xiangyu Chen shadow-utils: possible password leak during passwd(1) change Signed-off-by: Xiangyu Chen Signed-off-by: Steve Sakoman --- .../shadow/files/CVE-2023-4641.patch | 147 ++++++++++++++++++ meta/recipes-extended/shadow/shadow.inc | 1 + 2 files changed, 148 insertions(+) create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-4641.patch diff --git a/meta/recipes-extended/shadow/files/CVE-2023-4641.patch b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch new file mode 100644 index 0000000000..1fabfe928e --- /dev/null +++ b/meta/recipes-extended/shadow/files/CVE-2023-4641.patch 
@@ -0,0 +1,147 @@ +From 25dbe2ce166a13322b7536ff2f738786ea2e61e7 Mon Sep 17 00:00:00 2001 +From: Alejandro Colomar +Date: Sat, 10 Jun 2023 16:20:05 +0200 +Subject: [PATCH] gpasswd(1): Fix password leak + +How to trigger this password leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +When gpasswd(1) asks for the new password, it asks twice (as is usual +for confirming the new password). Each of those 2 password prompts +uses agetpass() to get the password. If the second agetpass() fails, +the first password, which has been copied into the 'static' buffer +'pass' via STRFCPY(), wasn't being zeroed. + +agetpass() is defined in <./libmisc/agetpass.c> (around line 91), and +can fail for any of the following reasons: + +- malloc(3) or readpassphrase(3) failure. + + These are going to be difficult to trigger. Maybe getting the system + to the limits of memory utilization at that exact point, so that the + next malloc(3) gets ENOMEM, and possibly even the OOM is triggered. + About readpassphrase(3), ENFILE and EINTR seem the only plausible + ones, and EINTR probably requires privilege or being the same user; + but I wouldn't discard ENFILE so easily, if a process starts opening + files. + +- The password is longer than PASS_MAX. + + The is plausible with physical access. However, at that point, a + keylogger will be a much simpler attack. + +And, the attacker must be able to know when the second password is being +introduced, which is not going to be easy. + +How to read the password after the leak? +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Provoking the leak yourself at the right point by entering a very long +password is easy, and inspecting the process stack at that point should +be doable. Try to find some consistent patterns. + +Then, search for those patterns in free memory, right after the victim +leaks their password. + +Once you get the leak, a program should read all the free memory +searching for patterns that gpasswd(1) leaves nearby the leaked +password. 
+ +On 6/10/23 03:14, Seth Arnold wrote: +> An attacker process wouldn't be able to use malloc(3) for this task. +> There's a handful of tools available for userspace to allocate memory: +> +> - brk / sbrk +> - mmap MAP_ANONYMOUS +> - mmap /dev/zero +> - mmap some other file +> - shm_open +> - shmget +> +> Most of these return only pages of zeros to a process. Using mmap of an +> existing file, you can get some of the contents of the file demand-loaded +> into the memory space on the first use. +> +> The MAP_UNINITIALIZED flag only works if the kernel was compiled with +> CONFIG_MMAP_ALLOW_UNINITIALIZED. This is rare. +> +> malloc(3) doesn't zero memory, to our collective frustration, but all the +> garbage in the allocations is from previous allocations in the current +> process. It isn't leftover from other processes. +> +> The avenues available for reading the memory: +> - /dev/mem and /dev/kmem (requires root, not available with Secure Boot) +> - /proc/pid/mem (requires ptrace privileges, mediated by YAMA) +> - ptrace (requires ptrace privileges, mediated by YAMA) +> - causing memory to be swapped to disk, and then inspecting the swap +> +> These all require a certain amount of privileges. + +How to fix it? +~~~~~~~~~~~~~~ + +memzero(), which internally calls explicit_bzero(3), or whatever +alternative the system provides with a slightly different name, will +make sure that the buffer is zeroed in memory, and optimizations are not +allowed to impede this zeroing. + +This is not really 100% effective, since compilers may place copies of +the string somewhere hidden in the stack. Those copies won't get zeroed +by explicit_bzero(3). However, that's arguably a compiler bug, since +compilers should make everything possible to avoid optimizing strings +that are later passed to explicit_bzero(3). But we all know that +sometimes it's impossible to have perfect knowledge in the compiler, so +this is plausible. 
Nevertheless, there's nothing we can do against such +issues, except minimizing the time such passwords are stored in plain +text. + +Security concerns +~~~~~~~~~~~~~~~~~ + +We believe this isn't easy to exploit. Nevertheless, and since the fix +is trivial, this fix should probably be applied soon, and backported to +all supported distributions, to prevent someone else having more +imagination than us to find a way. + +Affected versions +~~~~~~~~~~~~~~~~~ + +All. Bug introduced in shadow 19990709. That's the second commit in +the git history. + +Fixes: 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)") + +CVE: CVE-2023-4641 +Upstream-Status: Backport [https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904] + +Reported-by: Alejandro Colomar +Cc: Serge Hallyn +Cc: Iker Pedrosa +Cc: Seth Arnold +Cc: Christian Brauner +Cc: Balint Reczey +Cc: Sam James +Cc: David Runge +Cc: Andreas Jaeger +Cc: <~hallyn/shadow@lists.sr.ht> +Signed-off-by: Alejandro Colomar +Signed-off-by: Xiangyu Chen +--- + src/gpasswd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/gpasswd.c b/src/gpasswd.c +index 5983f787..2d8869ef 100644 +--- a/src/gpasswd.c ++++ b/src/gpasswd.c +@@ -896,6 +896,7 @@ static void change_passwd (struct group *gr) + strzero (cp); + cp = getpass (_("Re-enter new password: ")); + if (NULL == cp) { ++ memzero (pass, sizeof pass); + exit (1); + } + +-- +2.34.1 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index cf05a3af93..4014baddc1 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc 
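Review bot: The description carried in CVE-2023-4641.patch explains the leak in terms of agetpass() failing, but the context of the src/gpasswd.c hunk in this backport reads `cp = getpass (_("Re-enter new password: "));`. Add a line to the patch header saying that this shadow version still calls getpass() and that its NULL return is the failure being handled, so the text matches the code it is applied to. The added `memzero (pass, sizeof pass);` covers only the `NULL == cp` exit shown here; the other exits of change_passwd() lie outside the hunk and should be checked for the same clearing.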
@@ -17,6 +17,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.gz \ file://0001-Fix-can-not-print-full-login.patch \ file://CVE-2023-29383.patch \ file://0001-Overhaul-valid_field.patch \ + file://CVE-2023-4641.patch \ " SRC_URI:append:class-target = " \

From patchwork Wed Nov 8 13:46:44 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 34061
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 03/10] pixman: ignore CVE-2023-37769
Date: Wed, 8 Nov 2023 03:46:44 -1000
Message-Id: <3625bed6d7432091bfb144314b8ef979b5246e4c.1699451066.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190329

From: Ross Burton

This issue relates to a floating point exception in stress-test, which is an
unlikely security exploit at the best of times, but the test is not installed
so isn't relevant.

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit a36d62a06be6cce1a438f8f2178eb60aad6b7267)
Signed-off-by: Steve Sakoman
--- meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb b/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb index 98df6dab21..8a93f8c0fe 100644 --- a/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb +++ b/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb
@@ -41,3 +41,5 @@ EXTRA_OEMESON:append:armv7a = "${@bb.utils.contains("TUNE_FEATURES","neon",""," EXTRA_OEMESON:append:armv7ve = "${@bb.utils.contains("TUNE_FEATURES","neon",""," -Dneon=disabled",d)}" BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2023-37769] = "not-applicable-config: stress-test is an uninstalled test"

From patchwork Wed Nov 8 13:46:45 2023
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 34059
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 04/10] libwebp: Fix CVE-2023-4863
Date: Wed, 8 Nov 2023 03:46:45 -1000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190330

From: Soumya Sambu

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187
allowed a remote attacker to perform an out of bounds memory write via
a crafted HTML page.

Removed CVE-2023-5129.patch as CVE-2023-5129 is duplicate of CVE-2023-4863.

CVE: CVE-2023-4863

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4863
https://security-tracker.debian.org/tracker/CVE-2023-4863
https://bugzilla.redhat.com/show_bug.cgi?id=2238431#c12

Signed-off-by: Soumya Sambu
Signed-off-by: Steve Sakoman
--- ...23-5129.patch => CVE-2023-4863-0001.patch} | 20 +++---- .../webp/files/CVE-2023-4863-0002.patch | 53 +++++++++++++++++++ meta/recipes-multimedia/webp/libwebp_1.3.1.bb | 3 +- 3 files changed, 66 insertions(+), 10 deletions(-) rename meta/recipes-multimedia/webp/files/{CVE-2023-5129.patch => CVE-2023-4863-0001.patch} (97%) create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch similarity index 97% rename from meta/recipes-multimedia/webp/files/CVE-2023-5129.patch rename to meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch index b246ed42f9..e623569352 100644 --- a/meta/recipes-multimedia/webp/files/CVE-2023-5129.patch +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0001.patch
@@ -1,7 +1,7 @@ -From 6c928321f47ba69022cd4d814433f365dea63478 Mon Sep 17 00:00:00 2001 +From 902bc9190331343b2017211debcec8d2ab87e17a Mon Sep 17 00:00:00 2001 From: Vincent Rabaud Date: Thu, 7 Sep 2023 21:16:03 +0200 -Subject: [PATCH 1/1] Fix OOB write in BuildHuffmanTable. +Subject: [PATCH 1/2] Fix OOB write in BuildHuffmanTable. First, BuildHuffmanTable is called to check if the data is valid. If it is and the table is not big enough, more memory is allocated. @@ -12,9 +12,11 @@ codes) streams are still decodable. Bug: chromium:1479274 Change-Id: I31c36dbf3aa78d35ecf38706b50464fd3d375741 -CVE: CVE-2023-5129 +CVE: CVE-2023-4863 + Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a] -Signed-off-by: Colin McAllister + +Signed-off-by: Soumya Sambu --- src/dec/vp8l_dec.c | 46 ++++++++++--------- src/dec/vp8li_dec.h | 2 +- @@ -23,7 +25,7 @@ Signed-off-by: Colin McAllister 4 files changed, 129 insertions(+), 43 deletions(-) diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c -index c0ea0181..7995313f 100644 +index 1348055..186b0b2 100644 --- a/src/dec/vp8l_dec.c +++ b/src/dec/vp8l_dec.c @@ -253,11 +253,11 @@ static int ReadHuffmanCodeLengths( @@ -171,7 +173,7 @@ index c0ea0181..7995313f 100644 assert(dec->hdr_.num_htree_groups_ > 0); diff --git a/src/dec/vp8li_dec.h b/src/dec/vp8li_dec.h -index 72b2e861..32540a4b 100644 +index 72b2e86..32540a4 100644 --- a/src/dec/vp8li_dec.h +++ b/src/dec/vp8li_dec.h @@ -51,7 +51,7 @@ typedef struct { @@ -184,7 +186,7 @@ index 72b2e861..32540a4b 100644 typedef struct VP8LDecoder VP8LDecoder; diff --git a/src/utils/huffman_utils.c b/src/utils/huffman_utils.c -index 90c2fbf7..cf73abd4 100644 +index 0cba0fb..9efd628 100644 --- a/src/utils/huffman_utils.c +++ b/src/utils/huffman_utils.c @@ -177,21 +177,24 @@ static int BuildHuffmanTable(HuffmanCode* const root_table, int root_bits, @@ -315,7 +317,7 @@ index 90c2fbf7..cf73abd4 100644 + } +} 
diff --git a/src/utils/huffman_utils.h b/src/utils/huffman_utils.h -index 13b7ad1a..98415c53 100644 +index 13b7ad1..98415c5 100644 --- a/src/utils/huffman_utils.h +++ b/src/utils/huffman_utils.h @@ -43,6 +43,29 @@ typedef struct { @@ -360,5 +362,5 @@ index 13b7ad1a..98415c53 100644 #ifdef __cplusplus -- -2.34.1 +2.40.0 diff --git a/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch new file mode 100644 index 0000000000..231894e882 --- /dev/null +++ b/meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch 
@@ -0,0 +1,53 @@ +From 95ea5226c870449522240ccff26f0b006037c520 Mon Sep 17 00:00:00 2001 +From: Vincent Rabaud +Date: Mon, 11 Sep 2023 16:06:08 +0200 +Subject: [PATCH 2/2] Fix invalid incremental decoding check. + +The first condition is only necessary if we have not read enough +(enough being defined by src_last, not src_end which is the end +of the image). +The second condition now fits the comment below: "if not +incremental, and we are past the end of buffer". + +BUG=oss-fuzz:62136 + +Change-Id: I0700f67c62db8e1c02c2e429a069a71e606a5e4f + +CVE: CVE-2023-4863 + +Upstream-Status: Backport [https://github.com/webmproject/libwebp/commit/95ea5226c870449522240ccff26f0b006037c520] + +Signed-off-by: Soumya Sambu +--- + src/dec/vp8l_dec.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/src/dec/vp8l_dec.c b/src/dec/vp8l_dec.c +index 186b0b2..59a9e64 100644 +--- a/src/dec/vp8l_dec.c ++++ b/src/dec/vp8l_dec.c +@@ -1241,9 +1241,20 @@ static int DecodeImageData(VP8LDecoder* const dec, uint32_t* const data, + } + + br->eos_ = VP8LIsEndOfStream(br); +- if (dec->incremental_ && br->eos_ && src < src_end) { ++ // In incremental decoding: ++ // br->eos_ && src < src_last: if 'br' reached the end of the buffer and ++ // 'src_last' has not been reached yet, there is not enough data. 'dec' has to ++ // be reset until there is more data. ++ // !br->eos_ && src < src_last: this cannot happen as either the buffer is ++ // fully read, either enough has been read to reach 'src_last'. ++ // src >= src_last: 'src_last' is reached, all is fine. 'src' can actually go ++ // beyond 'src_last' in case the image is cropped and an LZ77 goes further. ++ // The buffer might have been enough or there is some left. 'br->eos_' does ++ // not matter. 
++ assert(!dec->incremental_ || (br->eos_ && src < src_last) || src >= src_last); ++ if (dec->incremental_ && br->eos_ && src < src_last) { + RestoreState(dec); +- } else if (!br->eos_) { ++ } else if ((dec->incremental_ && src >= src_last) || !br->eos_) { + // Process the remaining rows corresponding to last row-block. + if (process_func != NULL) { + process_func(dec, row > last_row ? last_row : row); +-- +2.40.0 diff --git a/meta/recipes-multimedia/webp/libwebp_1.3.1.bb b/meta/recipes-multimedia/webp/libwebp_1.3.1.bb index 4d2b655644..c4e3cceb6f 100644 --- a/meta/recipes-multimedia/webp/libwebp_1.3.1.bb +++ b/meta/recipes-multimedia/webp/libwebp_1.3.1.bb 
@@ -14,7 +14,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=6e8dee932c26f2dab503abf70c96d8bb \ file://PATENTS;md5=c6926d0cb07d296f886ab6e0cc5a85b7" SRC_URI = "http://downloads.webmproject.org/releases/webp/${BP}.tar.gz \ - file://CVE-2023-5129.patch \ + file://CVE-2023-4863-0001.patch \ + file://CVE-2023-4863-0002.patch \ " SRC_URI[sha256sum] = "b3779627c2dfd31e3d8c4485962c2efe17785ef975e2be5c8c0c9e6cd3c4ef66"
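Review bot: CVE-2023-5129 disappears from both the patch file name and the embedded CVE: tag in the rename to CVE-2023-4863-0001.patch, so nothing in the recipe records that identifier as fixed any more. The commit message says it is a duplicate of CVE-2023-4863; if the CVE database in use still carries the old id, it would go back to being reported against libwebp. Consider keeping both ids on the tag line of the first patch (CVE: CVE-2023-4863 CVE-2023-5129) or stating in the commit message how the retired id is handled. The rename also rewrites the blob ids on the nested index lines (for example c0ea0181..7995313f becomes 1348055..186b0b2 for src/dec/vp8l_dec.c), which suggests the patch was regenerated against a different tree; a sentence saying whether the content otherwise matches the previous backport would help review.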
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 05/10] cve-check: sort the package list in the JSON report
Date: Wed, 8 Nov 2023 03:46:46 -1000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190331

From: Ross Burton

The JSON report generated by the cve-check class is basically a huge list of packages. This list of packages is, however, unsorted.

To make things easier for people comparing the JSON, or more specifically for git when archiving the JSON over time in a git repository, we can sort the list by package name.

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit e9861be0e5020830c2ecc24fd091f4f5b05da036)
Signed-off-by: Steve Sakoman
--- meta/classes/cve-check.bbclass | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 3846aee5ea..171e472cef 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass
@@ -104,6 +104,8 @@ def generate_json_report(d, out_path, link_path): cve_check_merge_jsons(summary, data) filename = f.readline() + summary["package"].sort(key=lambda d: d['name']) + with open(out_path, "w") as f: json.dump(summary, f, indent=2)
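Review bot: In the added line summary["package"].sort(key=lambda d: d['name']), the lambda parameter d shadows the datastore argument d of generate_json_report(d, out_path, link_path); rename it (for example key=lambda pkg: pkg["name"]) so a later edit inside the lambda cannot pick up the wrong object. The line also mixes quote styles within one expression. The sort key is the name alone, which gives a stable file only as long as names are unique in the list; the duplicate check in cve_check_merge_jsons appears to guarantee that, and a short comment saying so would document the assumption.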
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 06/10] cve-check: slightly more verbose warning when adding the same package twice
Date: Wed, 8 Nov 2023 03:46:47 -1000
Message-Id: <7d7d1de6211b2813c1679bb9ce35289607d66c12.1699451066.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190332

From: Ross Burton

Occasionally the cve-check tool will warn that it is adding the same package twice. Knowing what this package is might be the first step towards understanding where this message comes from.

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit c1179faec8583a8b7df192cf1cbf221f0e3001fc)
Signed-off-by: Steve Sakoman
--- meta/lib/oe/cve_check.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index dbaa0b373a..b4c9f6ffe3 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py
@@ -165,7 +165,7 @@ def cve_check_merge_jsons(output, data): for product in output["package"]: if product["name"] == data["package"][0]["name"]: - bb.error("Error adding the same package twice") + bb.error("Error adding the same package %s twice" % product["name"]) return output["package"].append(data["package"][0])
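Review bot: The changed bb.error line still does not say which input produced the duplicate, and the function returns right after it, so the second record is dropped without a trace of its origin. cve_check_merge_jsons(output, data) has no access to a file name, but the caller shown in the cve-check.bbclass patch of this series reads one per iteration (filename = f.readline()); logging that name at the call site, or passing it in, would give the "where this message comes from" that the commit message is after. The subject and description also call this a warning while the call is bb.error; worth aligning the wording with the actual severity.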
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 07/10] cve-check: don't warn if a patch is remote
Date: Wed, 8 Nov 2023 03:46:48 -1000
Message-Id: <4f21354c7204c3404326ddc243d02056387472d3.1699451066.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190333

From: Ross Burton

We don't make do_cve_check depend on do_unpack because that would be a waste of time 99% of the time. The compromise here is that we can't scan remote patches for issues, but this isn't a problem so downgrade the warning to a note.

Also move the check for CVEs in the filename before the local file check so that even with remote patches, we still check for CVE references in the name.

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit 0251cad677579f5b4dcc25fa2f8552c6040ac2cf)
Signed-off-by: Steve Sakoman
--- meta/lib/oe/cve_check.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index b4c9f6ffe3..8acd2879bf 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -95,11 +95,6 @@ def get_patched_cves(d): for url in oe.patch.src_patches(d): patch_file = bb.fetch.decodeurl(url)[2] - # Remote compressed patches may not be unpacked, so silently ignore them - if not os.path.isfile(patch_file): - bb.warn("%s does not exist, cannot extract CVE list" % patch_file) - continue - # Check patch file name for CVE ID fname_match = cve_file_name_match.search(patch_file) if fname_match:
@@ -107,6 +102,12 @@ def get_patched_cves(d): patched_cves.add(cve) bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) + # Remote patches won't be present and compressed patches won't be + # unpacked, so say we're not scanning them + if not os.path.isfile(patch_file): + bb.note("%s is remote or compressed, not scanning content" % patch_file) + continue + with open(patch_file, "r", encoding="utf-8") as f: try: patch_text = f.read()
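Review bot: A local patch that is missing from disk now gets the same low-visibility bb.note as a remote one, because the added check decides only on os.path.isfile(patch_file) and the message asserts "is remote or compressed" without having established either. What used to be a visible bb.warn becomes a line most builds will not show, and any CVE: tags inside such a patch are then not counted. Consider keeping bb.warn when the URL is a plain local file and using bb.note only for the remote or compressed case, or wording the note neutrally (for example "%s not found, not scanning content"). Moving the file name match above the check looks right, since it needs only the path.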
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 08/10] openssl: Upgrade 3.1.3 -> 3.1.4
Date: Wed, 8 Nov 2023 03:46:49 -1000
Message-Id: <914f5ed4cfcc5f05fc04ec990128803a8d108fd1.1699451066.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190334

From: Peter Marko

https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-313-and-openssl-314-24-oct-2023

Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363)

Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
--- .../openssl/{openssl_3.1.3.bb => openssl_3.1.4.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/openssl/{openssl_3.1.3.bb => openssl_3.1.4.bb} (99%) diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.3.bb b/meta/recipes-connectivity/openssl/openssl_3.1.4.bb similarity index 99% rename from meta/recipes-connectivity/openssl/openssl_3.1.3.bb rename to meta/recipes-connectivity/openssl/openssl_3.1.4.bb index ff9df693b8..72338b0022 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.1.3.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.1.4.bb
@@ -18,7 +18,7 @@ SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "f0316a2ebd89e7f2352976445458689f80302093788c466692fb2a188b2eacf6" +SRC_URI[sha256sum] = "840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3" inherit lib_package multilib_header multilib_script ptest perlnative manpages MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
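Review bot: Nothing in the message says what the new SRC_URI[sha256sum] value was checked against, and that value is the only content change in the renamed recipe. Please state that it matches the checksum published with the upstream 3.1.4 release. Since the upgrade is the fix for CVE-2023-5363 named in the NEWS excerpt, a line saying whether any CVE patch carried in the recipe became redundant would also make the backport easier to audit; the hunk does not show the main SRC_URI, so this cannot be confirmed from the diff.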
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 09/10] linux-yocto: make sure the pahole-native available before do_kernel_configme
Date: Wed, 8 Nov 2023 03:46:50 -1000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190335

From: Xiangyu Chen

When using debug-btf.scc in a clean workspace, CONFIG_MODULE_ALLOW_BTF_MISMATCH cannot be applied to the kernel until the kernel code is cleaned (bitbake linux-yocto -c cleanall) and rebuilt.

After tracking the code: some options depend on CONFIG_PAHOLE_VERSION, which is generated by scripts/pahole-version.sh in the kernel, but during the do_kernel_configme step pahole-native is not available in sysroot-native, so we need to wait for pahole-native to be installed to sysroot-native before do_kernel_configme.

(cherry picked from commit 217a4db53edbd88001f6390bbff39e5dd3d137af)
Signed-off-by: Xiangyu Chen
Signed-off-by: Luca Ceresoli
Signed-off-by: Richard Purdie
Signed-off-by: Steve Sakoman
--- meta/recipes-kernel/linux/linux-yocto.inc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/meta/recipes-kernel/linux/linux-yocto.inc b/meta/recipes-kernel/linux/linux-yocto.inc index 04a8105e17..461e5684cd 100644 --- a/meta/recipes-kernel/linux/linux-yocto.inc +++ b/meta/recipes-kernel/linux/linux-yocto.inc
@@ -65,7 +65,10 @@ KERNEL_DEBUG ?= "" DEPENDS += '${@bb.utils.contains_any("ARCH", [ "x86", "arm64" ], "elfutils-native", "", d)}' DEPENDS += "openssl-native util-linux-native" DEPENDS += "gmp-native libmpc-native" -DEPENDS += '${@bb.utils.contains("KERNEL_DEBUG", "True", "pahole-native", "", d)}' + +# Some options depend on CONFIG_PAHOLE_VERSION, so need to make pahole-native available before do_kernel_configme +do_kernel_configme[depends] += '${@bb.utils.contains("KERNEL_DEBUG", "True", "pahole-native:do_populate_sysroot", "", d)}' + EXTRA_OEMAKE += '${@bb.utils.contains("KERNEL_DEBUG", "True", "", "PAHOLE=false", d)}' do_devshell:prepend() {
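Review bot: Dropping the DEPENDS line for pahole-native is not justified by the commit message, which only explains why do_kernel_configme needs the tool earlier. When KERNEL_DEBUG is "True" the EXTRA_OEMAKE line just below does not override PAHOLE, so the kernel build itself still expects pahole to be present, and the only remaining link to it is the new do_kernel_configme[depends] entry. Please confirm that the compile steps still find pahole in the native sysroot with this change, or keep the DEPENDS line and add the [depends] entry alongside it. The added comment is also long and reads as a fragment; "make pahole-native available before do_kernel_configme because some options depend on CONFIG_PAHOLE_VERSION" would be clearer.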
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][mickledore 10/10] systemd: backport patch to fix warning in systemd-vconsole-setup
Date: Wed, 8 Nov 2023 03:46:51 -1000
Message-Id: <07c31cd6190476d9d9a4de750a30fe0fb3a93b21.1699451066.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190336

From: Chen Qi

The backported patch fixes the following warning:

systemd-vconsole-setup[221]: Failed to import credentials, ignoring: No such file or directory

Signed-off-by: Chen Qi
Signed-off-by: Steve Sakoman
--- ...l-return-0-for-missing-creds-in-read.patch | 139 ++++++++++++++++++ meta/recipes-core/systemd/systemd_253.1.bb | 1 + 2 files changed, 140 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-shared-creds-util-return-0-for-missing-creds-in-read.patch diff --git a/meta/recipes-core/systemd/systemd/0001-shared-creds-util-return-0-for-missing-creds-in-read.patch b/meta/recipes-core/systemd/systemd/0001-shared-creds-util-return-0-for-missing-creds-in-read.patch new file mode 100644 index 0000000000..953afd20b4 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-shared-creds-util-return-0-for-missing-creds-in-read.patch
@@ -0,0 +1,139 @@ +From 78fc42be73d81ff625f6479784ce1950bd4741b3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 25 Apr 2023 17:58:34 +0200 +Subject: [PATCH] shared/creds-util: return 0 for missing creds in + read_credential_strings_many + +Realistically, the only thing that the caller can do is ignore failures related +to missing credentials. If the caller requires some credentials to be present, +they should just check which output variables are not NULL. One of the callers +was already doing that, and the other wanted to, but missed -ENOENT. By +suppressing -ENOENT and -ENXIO, both callers are simplified. + +Fixes a warning at boot: +systemd-vconsole-setup[221]: Failed to import credentials, ignoring: No such file or directory + +(cherry picked from commit 55ace8e5c58441d1a2c64b297a38b232ef0c0e28) + +Upstream-Status: Backport [1575f1d9e78ab44beedd4eae4af3a14d45312d76] + +Signed-off-by: Chen Qi +--- + src/resolve/resolved-conf.c | 7 +++---- + src/shared/creds-util.c | 18 +++++++++++------- + src/test/test-creds.c | 8 ++++---- + src/vconsole/vconsole-setup.c | 2 +- + 4 files changed, 19 insertions(+), 16 deletions(-) + +diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c +index d6929984e9..52e65caffa 100644 +--- a/src/resolve/resolved-conf.c ++++ b/src/resolve/resolved-conf.c +@@ -476,10 +476,9 @@ static void read_credentials(Manager *m) { + if (!m->read_resolv_conf) + return; + +- r = read_credential_strings_many( +- "network.dns", &dns, +- "network.search_domains", &domains); +- if (r < 0 && !IN_SET(r, -ENXIO, -ENOENT)) ++ r = read_credential_strings_many("network.dns", &dns, ++ "network.search_domains", &domains); ++ if (r < 0) + log_warning_errno(r, "Failed to read credentials, ignoring: %m"); + + if (dns) { +diff --git a/src/shared/creds-util.c b/src/shared/creds-util.c +index 750ee2571e..617bae4205 100644 +--- a/src/shared/creds-util.c ++++ b/src/shared/creds-util.c +@@ -96,17 +96,21 @@ int 
read_credential_strings_many_internal( + + /* Reads a bunch of credentials into the specified buffers. If the specified buffers are already + * non-NULL frees them if a credential is found. Only supports string-based credentials +- * (i.e. refuses embedded NUL bytes) */ ++ * (i.e. refuses embedded NUL bytes). ++ * ++ * 0 is returned when some or all credentials are missing. ++ */ + + if (!first_name) + return 0; + + r = read_credential(first_name, &b, NULL); +- if (r == -ENXIO) /* no creds passed at all? propagate this */ +- return r; +- if (r < 0) +- ret = r; +- else ++ if (r == -ENXIO) /* No creds passed at all? Bail immediately. */ ++ return 0; ++ if (r < 0) { ++ if (r != -ENOENT) ++ ret = r; ++ } else + free_and_replace(*first_value, b); + + va_list ap; +@@ -127,7 +131,7 @@ int read_credential_strings_many_internal( + + r = read_credential(name, &bb, NULL); + if (r < 0) { +- if (ret >= 0) ++ if (ret >= 0 && r != -ENOENT) + ret = r; + } else + free_and_replace(*value, bb); +diff --git a/src/test/test-creds.c b/src/test/test-creds.c +index 44022e7324..25b0c34a59 100644 +--- a/src/test/test-creds.c ++++ b/src/test/test-creds.c +@@ -16,7 +16,7 @@ TEST(read_credential_strings) { + if (e) + assert_se(saved = strdup(e)); + +- assert_se(read_credential_strings_many("foo", &x, "bar", &y) == -ENXIO); ++ assert_se(read_credential_strings_many("foo", &x, "bar", &y) == 0); + assert_se(x == NULL); + assert_se(y == NULL); + +@@ -24,20 +24,20 @@ TEST(read_credential_strings) { + + assert_se(setenv("CREDENTIALS_DIRECTORY", tmp, /* override= */ true) >= 0); + +- assert_se(read_credential_strings_many("foo", &x, "bar", &y) == -ENOENT); ++ assert_se(read_credential_strings_many("foo", &x, "bar", &y) == 0); + assert_se(x == NULL); + assert_se(y == NULL); + + assert_se(p = path_join(tmp, "bar")); + assert_se(write_string_file(p, "piff", WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_AVOID_NEWLINE) >= 0); + +- assert_se(read_credential_strings_many("foo", &x, "bar", &y) == -ENOENT); ++ 
assert_se(read_credential_strings_many("foo", &x, "bar", &y) == 0); + assert_se(x == NULL); + assert_se(streq(y, "piff")); + + assert_se(write_string_file(p, "paff", WRITE_STRING_FILE_TRUNCATE|WRITE_STRING_FILE_AVOID_NEWLINE) >= 0); + +- assert_se(read_credential_strings_many("foo", &x, "bar", &y) == -ENOENT); ++ assert_se(read_credential_strings_many("foo", &x, "bar", &y) == 0); + assert_se(x == NULL); + assert_se(streq(y, "piff")); + +diff --git a/src/vconsole/vconsole-setup.c b/src/vconsole/vconsole-setup.c +index 7d3e9db73f..b2676eb487 100644 +--- a/src/vconsole/vconsole-setup.c ++++ b/src/vconsole/vconsole-setup.c +@@ -442,7 +442,7 @@ int main(int argc, char **argv) { + "vconsole.font", &vc_font, + "vconsole.font_map", &vc_font_map, + "vconsole.font_unimap", &vc_font_unimap); +- if (r < 0 && r != -ENXIO) ++ if (r < 0) + log_warning_errno(r, "Failed to import credentials, ignoring: %m"); + + /* Load data from configuration file (middle priority) */ +-- +2.42.0 + diff --git a/meta/recipes-core/systemd/systemd_253.1.bb b/meta/recipes-core/systemd/systemd_253.1.bb index f306765168..3d8e2b4816 100644 --- a/meta/recipes-core/systemd/systemd_253.1.bb +++ b/meta/recipes-core/systemd/systemd_253.1.bb @@ -25,6 +25,7 @@ SRC_URI += " \ file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \ file://0008-implment-systemd-sysv-install-for-OE.patch \ file://0004-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch \ + file://0001-shared-creds-util-return-0-for-missing-creds-in-read.patch \ " # patches needed by musl
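Review bot: In the src/shared/creds-util.c hunk for read_credential_strings_many_internal(), the new comment line "0 is returned when some or all credentials are missing" documents only half of the contract. Errors other than -ENOENT are still recorded in ret, and callers now have to test the output pointers for NULL to learn whether a credential was present, as the commit message says; both belong in the comment. Also, -ENXIO is handled only for the first read_credential() call, while the va_list loop filters just -ENOENT (`if (ret >= 0 && r != -ENOENT)`). If the first read is assumed to always catch a missing credentials directory, a one-line comment in the loop would make that asymmetry clearly intentional.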
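Review bot: The src/test/test-creds.c hunks change all four expectations to `== 0`, so none of the assertions visible in this test still checks that read_credential_strings_many() reports a genuine failure. Suggest adding a case in which a credential exists but cannot be accepted as a string (the function comment says embedded NUL bytes are refused) and asserting a negative return, so that the -ENOENT filter cannot silently widen to swallow every error in a later change.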
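Review bot: The header of the added 0001-shared-creds-util-return-0-for-missing-creds-in-read.patch carries three different commit ids: the From line (78fc42be73d8...), "(cherry picked from commit 55ace8e5c584...)" and "Upstream-Status: Backport [1575f1d9e78a...]", and none says which repository or branch it belongs to. Suggest putting a full commit URL in the Upstream-Status tag and stating which id is the original upstream change and which is the stable-branch pick, so that the backport can be compared against its source when the recipe is next upgraded.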