From patchwork Wed Mar 20 16:09:39 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41294
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 01/15] expat: patch CVE-2024-28757
Date: Wed, 20 Mar 2024 06:09:39 -1000
Message-Id:
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197372
From: Peter Marko
Picked patch from https://github.com/libexpat/libexpat/pull/842
which is referenced in the NVD CVE report.
Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
.../expat/expat/CVE-2024-28757.patch | 58 +++++++++++++++++++
meta/recipes-core/expat/expat_2.5.0.bb | 1 +
2 files changed, 59 insertions(+)
create mode 100755 meta/recipes-core/expat/expat/CVE-2024-28757.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2024-28757.patch b/meta/recipes-core/expat/expat/CVE-2024-28757.patch
new file mode 100755
index 0000000000..768dab0c84
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2024-28757.patch
@@ -0,0 +1,58 @@
+From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH] lib/xmlparse.c: Detect billion laughs attack with isolated
+ external parser
+
+When parsing DTD content with code like ..
+
+ XML_Parser parser = XML_ParserCreate(NULL);
+ XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+ enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` accounted
+as indirect input. Now function accountingGetCurrentAmplification cannot calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
+no amplification over direct input. As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived from
+ghost input "", the shortest possible way to include an external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+
+CVE: CVE-2024-28757
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8]
+
+Signed-off-by: Peter Marko
+---
+ lib/xmlparse.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index b884d82b5..d44baa68d 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7655,6 +7655,8 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+
+ static float
+ accountingGetCurrentAmplification(XML_Parser rootParser) {
++ // 1.........1.........12 => 22
++ const size_t lenOfShortestInclude = sizeof("") - 1;
+ const XmlBigCount countBytesOutput
+ = rootParser->m_accounting.countBytesDirect
+ + rootParser->m_accounting.countBytesIndirect;
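Review bot: In the first lib/xmlparse.c hunk, `const size_t lenOfShortestInclude = sizeof("") - 1;` as it appears here has an empty string literal, so it evaluates to 0 and not to the 22 that the ruler comment above it and the commit message state. With 0, the new fallback branch in the next hunk divides by `(float)lenOfShortestInclude`, that is by zero, whenever `countBytesDirect` is 0. Please confirm that the literal in the committed patch file is intact and byte-identical to upstream commit 1d50b80cf31de87750103656f6eb693746854aa8; the quoted "ghost input" in the commit message is empty in the same way.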
+@@ -7662,7 +7664,9 @@ accountingGetCurrentAmplification(XML_Parser rootParser) {
+ = rootParser->m_accounting.countBytesDirect
+ ? (countBytesOutput
+ / (float)(rootParser->m_accounting.countBytesDirect))
+- : 1.0f;
++ : ((lenOfShortestInclude
++ + rootParser->m_accounting.countBytesIndirect)
++ / (float)lenOfShortestInclude);
+ assert(! rootParser->m_parentParser);
+ return amplificationFactor;
+ }
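Review bot: The file header for CVE-2024-28757.patch says `new file mode 100755`, so the patch is added with the executable bit set, while the CVE-2023-52426 patch files in 02/15 are added as 100644. A patch listed in SRC_URI does not need to be executable; please change the mode to 100644 before this is merged.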
diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb
index 7080f934d1..eb7ce1436e 100644
--- a/meta/recipes-core/expat/expat_2.5.0.bb
+++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://run-ptest \
+ file://CVE-2024-28757.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
From patchwork Wed Mar 20 16:09:40 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41296
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 02/15] expat: fix CVE-2023-52426
Date: Wed, 20 Mar 2024 06:09:40 -1000
Message-Id:
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197373
From: Meenali Gupta
A flaw was found in Expat (libexpat). If XML_DTD is undefined at compile time, a
recursive XML Entity Expansion condition can be triggered. This issue may lead to
a condition where data is expanded exponentially, which will quickly consume system
resources and cause a denial of service.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52426
https://github.com/libexpat/libexpat/pull/777
Signed-off-by: Meenali Gupta
Signed-off-by: Steve Sakoman
---
.../expat/expat/CVE-2023-52426-001.patch | 35 ++
.../expat/expat/CVE-2023-52426-002.patch | 72 +++
.../expat/expat/CVE-2023-52426-003.patch | 28 ++
.../expat/expat/CVE-2023-52426-004.patch | 429 ++++++++++++++++++
.../expat/expat/CVE-2023-52426-005.patch | 34 ++
.../expat/expat/CVE-2023-52426-006.patch | 174 +++++++
.../expat/expat/CVE-2023-52426-007.patch | 53 +++
.../expat/expat/CVE-2023-52426-008.patch | 37 ++
.../expat/expat/CVE-2023-52426-009.patch | 354 +++++++++++++++
.../expat/expat/CVE-2023-52426-010.patch | 50 ++
.../expat/expat/CVE-2023-52426-011.patch | 45 ++
meta/recipes-core/expat/expat_2.5.0.bb | 11 +
12 files changed, 1322 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-001.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-002.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-003.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-004.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-005.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-006.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-007.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-008.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-009.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-010.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-011.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-001.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-001.patch
new file mode 100644
index 0000000000..c38a334540
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-001.patch
@@ -0,0 +1,35 @@
+From cdead241d4f1136c2f38d1b28e95073c59753d30 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Thu, 26 Oct 2023 01:40:05 +0200
+Subject: [PATCH] doc/reference.html: Clarify effect of XML_DTD on external
+ entities
+
+Defining XML_DTD emnables support for external parameter(!)
+entities. External general(!) entities have been supported
+even with XML_DTD undefined. (Only now with Expat 2.6.0
+defining XML_GE as 0 can take that away.)
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/cdead241d4f1136c2f38d1b28e95073c59753d30]
+
+Signed-off-by: Meenali Gupta
+---
+ doc/reference.html | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/reference.html b/doc/reference.html
+index 8b0d47d..a30e462 100644
+--- a/doc/reference.html
++++ b/doc/reference.html
+@@ -365,7 +365,7 @@ this is defined, default attribute values from an external DTD subset
+ are reported and attribute value normalization occurs based on the
+ type of attributes defined in the external subset. Without
+ this, Expat has a smaller memory footprint and can be faster, but will
+-not load external entities or process conditional sections. If defined, makes
++not load external parameter entities or process conditional sections. If defined, makes
+ the functions
+ XML_SetBillionLaughsAttackProtectionMaximumAmplification
and
+--
+2.40.0
+
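Review bot: In the doc/reference.html hunk, the sentence that continues after the changed line still ties availability of `XML_SetBillionLaughsAttackProtectionMaximumAmplification` to `XML_DTD` being defined ("If defined, makes the functions ..."), while CVE-2023-52426-004.patch in this same series exposes those functions for `XML_GE == 1` as well. Please check that a later patch in the series updates this paragraph, otherwise the shipped reference will describe the old condition. The commit message also carries the typo "emnables"; keep it only if it matches the upstream message verbatim.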
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-002.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-002.patch
new file mode 100644
index 0000000000..9aedc3010a
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-002.patch
@@ -0,0 +1,72 @@
+From daa89e42c005cc7f4f7af9eee271ae0723d30300 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Thu, 26 Oct 2023 00:59:52 +0200
+
+Subject: [PATCH] cmake: Introduce option EXPAT_GE to control macro XML_GE
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/daa89e42c005cc7f4f7af9eee271ae0723d30300]
+
+Signed-off-by: Meenali Gupta
+---
+ CMakeLists.txt | 9 +++++++++
+ expat_config.h.cmake | 3 +++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 2b4c13c..416fe96 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -140,6 +140,8 @@ expat_shy_set(EXPAT_CONTEXT_BYTES 1024 CACHE STRING "Define to specify how much
+ mark_as_advanced(EXPAT_CONTEXT_BYTES)
+ expat_shy_set(EXPAT_DTD ON CACHE BOOL "Define to make parameter entity parsing functionality available")
+ mark_as_advanced(EXPAT_DTD)
++expat_shy_set(EXPAT_GE ON CACHE BOOL "Define to make general entity parsing functionality available")
++mark_as_advanced(EXPAT_GE)
+ expat_shy_set(EXPAT_NS ON CACHE BOOL "Define to make XML Namespaces functionality available")
+ mark_as_advanced(EXPAT_NS)
+ expat_shy_set(EXPAT_WARNINGS_AS_ERRORS OFF CACHE BOOL "Treat all compiler warnings as errors")
+@@ -172,6 +174,11 @@ endif()
+ #
+ # Environment checks
+ #
++if(EXPAT_DTD AND NOT EXPAT_GE)
++ message(SEND_ERROR "Option EXPAT_DTD requires that EXPAT_GE is also enabled.")
++ message(SEND_ERROR "Please either enable option EXPAT_GE (recommended) or disable EXPAT_DTD also.")
++endif()
++
+ if(EXPAT_WITH_LIBBSD)
+ find_library(LIB_BSD NAMES bsd)
+ if(NOT LIB_BSD)
+@@ -274,6 +281,7 @@ endif()
+
+ _expat_copy_bool_int(EXPAT_ATTR_INFO XML_ATTR_INFO)
+ _expat_copy_bool_int(EXPAT_DTD XML_DTD)
++_expat_copy_bool_int(EXPAT_GE XML_GE)
+ _expat_copy_bool_int(EXPAT_LARGE_SIZE XML_LARGE_SIZE)
+ _expat_copy_bool_int(EXPAT_MIN_SIZE XML_MIN_SIZE)
+ _expat_copy_bool_int(EXPAT_NS XML_NS)
+@@ -893,6 +901,7 @@ message(STATUS " // Advanced options, changes not advised")
+ message(STATUS " Attributes info .......... ${EXPAT_ATTR_INFO}")
+ message(STATUS " Context bytes ............ ${EXPAT_CONTEXT_BYTES}")
+ message(STATUS " DTD support .............. ${EXPAT_DTD}")
++message(STATUS " General entities ......... ${EXPAT_GE}")
+ message(STATUS " Large size ............... ${EXPAT_LARGE_SIZE}")
+ message(STATUS " Minimum size ............. ${EXPAT_MIN_SIZE}")
+ message(STATUS " Namespace support ........ ${EXPAT_NS}")
+diff --git a/expat_config.h.cmake b/expat_config.h.cmake
+index 78fcb4c..330945e 100644
+--- a/expat_config.h.cmake
++++ b/expat_config.h.cmake
+@@ -103,6 +103,9 @@
+ /* Define to make parameter entity parsing functionality available. */
+ #cmakedefine XML_DTD
+
++/* Define as 1/0 to enable/disable support for general entities. */
++#define XML_GE @XML_GE@
++
+ /* Define to make XML Namespaces functionality available. */
+ #cmakedefine XML_NS
+
+--
+2.40.0
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-003.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-003.patch
new file mode 100644
index 0000000000..96a62dcffc
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-003.patch
@@ -0,0 +1,28 @@
+From ed87a4793404e91c0cc0c81435fcfcc64a8be9f4 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Thu, 26 Oct 2023 00:45:23 +0200
+Subject: [PATCH] configure.ac: Define macro XML_GE as 1
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/ed87a4793404e91c0cc0c81435fcfcc64a8be9f4]
+
+Signed-off-by: Meenali Gupta
+---
+ configure.ac | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index d3642de..153bb8e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -295,6 +295,8 @@ AC_SUBST(FILEMAP)
+ dnl Some basic configuration:
+ AC_DEFINE([XML_NS], 1,
+ [Define to make XML Namespaces functionality available.])
++AC_DEFINE([XML_GE], 1,
++ [Define as 1/0 to enable/disable support for general entities.])
+ AC_DEFINE([XML_DTD], 1,
+ [Define to make parameter entity parsing functionality available.])
+ AC_DEFINE([XML_DEV_URANDOM], 1,
+--
+2.40.0
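Review bot: In the configure.ac hunk, `AC_DEFINE([XML_GE], 1, ...)` hard-codes the value although its description reads "Define as 1/0 to enable/disable support for general entities". Unlike the CMake side in CVE-2023-52426-002.patch, which adds the `EXPAT_GE` option, the Autotools build gets no way to select 0. That is acceptable for a backport if intended, but the commit message should say that Autotools builds always have general entities enabled, and with them the accounting that 004 extends to `XML_GE == 1`.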
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-004.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-004.patch
new file mode 100644
index 0000000000..460113caf7
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-004.patch
@@ -0,0 +1,429 @@
+From 0f075ec8ecb5e43f8fdca5182f8cca4703da0404 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Thu, 26 Oct 2023 00:43:22 +0200
+Subject: [PATCH] lib|xmlwf|cmake: Extend scope of billion laughs attack
+ protection
+
+.. from "defined(XML_DTD)" to "defined(XML_DTD) || XML_GE==1".
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404]
+
+Signed-off-by: Meenali Gupta
+---
+ CMakeLists.txt | 8 ++++-
+ lib/expat.h | 8 +++--
+ lib/internal.h | 2 +-
+ lib/libexpat.def.cmake | 4 +--
+ lib/xmlparse.c | 71 ++++++++++++++++++++++--------------------
+ xmlwf/xmlwf.c | 18 ++++++-----
+ 6 files changed, 62 insertions(+), 49 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 416fe96..e6939e2 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -389,7 +389,13 @@ if(EXPAT_SHARED_LIBS)
+ endif()
+ endmacro()
+
+- _expat_def_file_toggle(EXPAT_DTD _EXPAT_COMMENT_DTD)
++ if(EXPAT_DTD OR EXPAT_GE)
++ set(_EXPAT_DTD_OR_GE TRUE)
++ else()
++ set(_EXPAT_DTD_OR_GE FALSE)
++ endif()
++
++ _expat_def_file_toggle(_EXPAT_DTD_OR_GE _EXPAT_COMMENT_DTD_OR_GE)
+ _expat_def_file_toggle(EXPAT_ATTR_INFO _EXPAT_COMMENT_ATTR_INFO)
+
+ configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lib/libexpat.def.cmake" "${CMAKE_CURRENT_BINARY_DIR}/lib/libexpat.def")
+diff --git a/lib/expat.h b/lib/expat.h
+index 1c83563..33c94af 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -1038,13 +1038,15 @@ typedef struct {
+ XMLPARSEAPI(const XML_Feature *)
+ XML_GetFeatureList(void);
+
+-#ifdef XML_DTD
+-/* Added in Expat 2.4.0. */
++#if defined(XML_DTD) || XML_GE == 1
++/* Added in Expat 2.4.0 for XML_DTD defined and
++ * added in Expat 2.6.0 for XML_GE == 1. */
+ XMLPARSEAPI(XML_Bool)
+ XML_SetBillionLaughsAttackProtectionMaximumAmplification(
+ XML_Parser parser, float maximumAmplificationFactor);
+
+-/* Added in Expat 2.4.0. */
++/* Added in Expat 2.4.0 for XML_DTD defined and
++ * added in Expat 2.6.0 for XML_GE == 1. */
+ XMLPARSEAPI(XML_Bool)
+ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+ XML_Parser parser, unsigned long long activationThresholdBytes);
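Review bot: In the lib/expat.h hunk, `#if defined(XML_DTD) || XML_GE == 1` tests `XML_GE` without checking that it is defined, and this is a public header. An application that includes expat.h without the generated config header has no `XML_GE`, so the preprocessor silently treats it as 0: such a consumer never sees the two `XML_SetBillionLaughsAttackProtection*` prototypes for a library built with `XML_GE == 1` and without `XML_DTD`, and builds that use `-Wundef` get a warning on this line. Consider `defined(XML_GE) && XML_GE == 1` here, or document that consumers must define `XML_GE` before including the header.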
+diff --git a/lib/internal.h b/lib/internal.h
+index e09f533..1851925 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -154,7 +154,7 @@ extern "C" {
+ void _INTERNAL_trim_to_complete_utf8_characters(const char *from,
+ const char **fromLimRef);
+
+-#if defined(XML_DTD)
++#if defined(XML_DTD) || XML_GE == 1
+ unsigned long long testingAccountingGetCountBytesDirect(XML_Parser parser);
+ unsigned long long testingAccountingGetCountBytesIndirect(XML_Parser parser);
+ const char *unsignedCharToPrintable(unsigned char c);
+diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake
+index cf434a2..61a4f00 100644
+--- a/lib/libexpat.def.cmake
++++ b/lib/libexpat.def.cmake
+@@ -75,5 +75,5 @@ EXPORTS
+ XML_SetHashSalt @67
+ ; internal @68 removed with version 2.3.1
+ ; added with version 2.4.0
+-@_EXPAT_COMMENT_DTD@ XML_SetBillionLaughsAttackProtectionActivationThreshold @69
+-@_EXPAT_COMMENT_DTD@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionActivationThreshold @69
++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index b6c2eca..e23441e 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -408,7 +408,7 @@ enum XML_Account {
+ XML_ACCOUNT_NONE /* i.e. do not account, was accounted already */
+ };
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ typedef unsigned long long XmlBigCount;
+ typedef struct accounting {
+ XmlBigCount countBytesDirect;
+@@ -424,7 +424,7 @@ typedef struct entity_stats {
+ unsigned int maximumDepthSeen;
+ int debugLevel;
+ } ENTITY_STATS;
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+
+ typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const char *start,
+ const char *end, const char **endPtr);
+@@ -562,7 +562,7 @@ static XML_Parser parserCreate(const XML_Char *encodingName,
+
+ static void parserInit(XML_Parser parser, const XML_Char *encodingName);
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ static float accountingGetCurrentAmplification(XML_Parser rootParser);
+ static void accountingReportStats(XML_Parser originParser, const char *epilog);
+ static void accountingOnAbort(XML_Parser originParser);
+@@ -585,7 +585,7 @@ static void entityTrackingOnClose(XML_Parser parser, ENTITY *entity,
+
+ static XML_Parser getRootParserOf(XML_Parser parser,
+ unsigned int *outLevelDiff);
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+
+ static unsigned long getDebugLevel(const char *variableName,
+ unsigned long defaultDebugLevel);
+@@ -703,7 +703,7 @@ struct XML_ParserStruct {
+ enum XML_ParamEntityParsing m_paramEntityParsing;
+ #endif
+ unsigned long m_hash_secret_salt;
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ ACCOUNTING m_accounting;
+ ENTITY_STATS m_entity_stats;
+ #endif
+@@ -1163,7 +1163,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ #endif
+ parser->m_hash_secret_salt = 0;
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ memset(&parser->m_accounting, 0, sizeof(ACCOUNTING));
+ parser->m_accounting.debugLevel = getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u);
+ parser->m_accounting.maximumAmplificationFactor
+@@ -2522,8 +2522,9 @@ XML_GetFeatureList(void) {
+ #ifdef XML_ATTR_INFO
+ {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
+ #endif
+-#ifdef XML_DTD
+- /* Added in Expat 2.4.0. */
++#if defined(XML_DTD) || XML_GE == 1
++ /* Added in Expat 2.4.0 for XML_DTD defined and
++ * added in Expat 2.6.0 for XML_GE == 1. */
+ {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
+ XML_L("XML_BLAP_MAX_AMP"),
+ (long int)
+@@ -2537,7 +2538,7 @@ XML_GetFeatureList(void) {
+ return features;
+ }
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ XML_Bool XMLCALL
+ XML_SetBillionLaughsAttackProtectionMaximumAmplification(
+ XML_Parser parser, float maximumAmplificationFactor) {
+@@ -2559,7 +2560,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+ parser->m_accounting.activationThresholdBytes = activationThresholdBytes;
+ return XML_TRUE;
+ }
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+
+ /* Initially tag->rawName always points into the parse buffer;
+ for those TAG instances opened while the current parse buffer was
+@@ -2645,13 +2646,13 @@ externalEntityInitProcessor2(XML_Parser parser, const char *start,
+ int tok = XmlContentTok(parser->m_encoding, start, end, &next);
+ switch (tok) {
+ case XML_TOK_BOM:
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, start, next, __LINE__,
+ XML_ACCOUNT_DIRECT)) {
+ accountingOnAbort(parser);
+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
+ }
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+
+ /* If we are at the end of the buffer, this would cause the next stage,
+ i.e. externalEntityInitProcessor3, to pass control directly to
+@@ -2765,7 +2766,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ for (;;) {
+ const char *next = s; /* XmlContentTok doesn't always set the last arg */
+ int tok = XmlContentTok(enc, s, end, &next);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ const char *accountAfter
+ = ((tok == XML_TOK_TRAILING_RSQB) || (tok == XML_TOK_TRAILING_CR))
+ ? (haveMore ? s /* i.e. 0 bytes */ : end)
+@@ -2831,14 +2832,14 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ XML_Char ch = (XML_Char)XmlPredefinedEntityName(
+ enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar);
+ if (ch) {
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ /* NOTE: We are replacing 4-6 characters original input for 1 character
+ * so there is no amplification and hence recording without
+ * protection. */
+ accountingDiffTolerated(parser, tok, (char *)&ch,
+ ((char *)&ch) + sizeof(XML_Char), __LINE__,
+ XML_ACCOUNT_ENTITY_EXPANSION);
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+ if (parser->m_characterDataHandler)
+ parser->m_characterDataHandler(parser->m_handlerArg, &ch, 1);
+ else if (parser->m_defaultHandler)
+@@ -4040,7 +4041,7 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+ for (;;) {
+ const char *next = s; /* in case of XML_TOK_NONE or XML_TOK_PARTIAL */
+ int tok = XmlCdataSectionTok(enc, s, end, &next);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
+ accountingOnAbort(parser);
+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
+@@ -4192,7 +4193,7 @@ doIgnoreSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+ *eventPP = s;
+ *startPtr = NULL;
+ tok = XmlIgnoreSectionTok(enc, s, end, &next);
+-# ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
+ XML_ACCOUNT_DIRECT)) {
+ accountingOnAbort(parser);
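Review bot: In the doIgnoreSection hunk, the replacement `#if defined(XML_DTD) || XML_GE == 1` drops the `# ` indentation of the line it replaces (`# ifdef XML_DTD`), which marks the directive as nested inside an enclosing preprocessor conditional. The entityValueInitProcessor hunk further down keeps that nesting (`# if defined(XML_DTD) || XML_GE == 1`). Please keep the indentation here as well so the directive still lines up with its matching `# endif`.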
+@@ -4284,7 +4285,7 @@ processXmlDecl(XML_Parser parser, int isGeneralTextEntity, const char *s,
+ const XML_Char *storedversion = NULL;
+ int standalone = -1;
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, __LINE__,
+ XML_ACCOUNT_DIRECT)) {
+ accountingOnAbort(parser);
+@@ -4491,7 +4492,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+ */
+ else if (tok == XML_TOK_BOM && next == end
+ && ! parser->m_parsingStatus.finalBuffer) {
+-# ifdef XML_DTD
++# if defined(XML_DTD) || XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
+ XML_ACCOUNT_DIRECT)) {
+ accountingOnAbort(parser);
+@@ -4707,11 +4708,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ }
+ }
+ role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ switch (role) {
+ case XML_ROLE_INSTANCE_START: // bytes accounted in contentProcessor
+ case XML_ROLE_XML_DECL: // bytes accounted in processXmlDecl
+- case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl
++ # ifdef XML_DTD
++ case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl
++# endif
+ break;
+ default:
+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
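Review bot: In the doProlog hunk, the added guard around `case XML_ROLE_TEXT_DECL` is formatted inconsistently: `# ifdef XML_DTD` is preceded by whitespace while its `# endif` starts in the first column. Please align the two directives, and add a short comment saying why this one role needs its own `XML_DTD` guard now that the enclosing condition also covers `XML_GE == 1`.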
+@@ -5648,7 +5651,7 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end,
+ for (;;) {
+ const char *next = NULL;
+ int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
+ XML_ACCOUNT_DIRECT)) {
+ accountingOnAbort(parser);
+@@ -5728,7 +5731,7 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+ return XML_ERROR_NO_MEMORY;
+ }
+ entity->open = XML_TRUE;
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ entityTrackingOnOpen(parser, entity, __LINE__);
+ #endif
+ entity->processed = 0;
+@@ -5762,9 +5765,9 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+ entity->processed = (int)(next - textStart);
+ parser->m_processor = internalEntityProcessor;
+ } else {
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ entityTrackingOnClose(parser, entity, __LINE__);
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+ entity->open = XML_FALSE;
+ parser->m_openInternalEntities = openEntity->next;
+ /* put openEntity back in list of free instances */
+@@ -5813,7 +5816,7 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ return result;
+ }
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ entityTrackingOnClose(parser, entity, __LINE__);
+ #endif
+ entity->open = XML_FALSE;
+@@ -5892,7 +5895,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ const char *next
+ = ptr; /* XmlAttributeValueTok doesn't always set the last arg */
+ int tok = XmlAttributeValueTok(enc, ptr, end, &next);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, account)) {
+ accountingOnAbort(parser);
+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
+@@ -5957,14 +5960,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ XML_Char ch = (XML_Char)XmlPredefinedEntityName(
+ enc, ptr + enc->minBytesPerChar, next - enc->minBytesPerChar);
+ if (ch) {
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ /* NOTE: We are replacing 4-6 characters original input for 1 character
+ * so there is no amplification and hence recording without
+ * protection. */
+ accountingDiffTolerated(parser, tok, (char *)&ch,
+ ((char *)&ch) + sizeof(XML_Char), __LINE__,
+ XML_ACCOUNT_ENTITY_EXPANSION);
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+ if (! poolAppendChar(pool, ch))
+ return XML_ERROR_NO_MEMORY;
+ break;
+@@ -6042,14 +6045,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ enum XML_Error result;
+ const XML_Char *textEnd = entity->textPtr + entity->textLen;
+ entity->open = XML_TRUE;
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ entityTrackingOnOpen(parser, entity, __LINE__);
+ #endif
+ result = appendAttributeValue(parser, parser->m_internalEncoding,
+ isCdata, (const char *)entity->textPtr,
+ (const char *)textEnd, pool,
+ XML_ACCOUNT_ENTITY_EXPANSION);
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ entityTrackingOnClose(parser, entity, __LINE__);
+ #endif
+ entity->open = XML_FALSE;
+@@ -6105,7 +6108,7 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */
+ int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next);
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__,
+ account)) {
+ accountingOnAbort(parser);
+@@ -7651,7 +7654,7 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+ return result;
+ }
+
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+
+ static float
+ accountingGetCurrentAmplification(XML_Parser rootParser) {
+@@ -8382,7 +8385,7 @@ unsignedCharToPrintable(unsigned char c) {
+ assert(0); /* never gets here */
+ }
+
+-#endif /* XML_DTD */
++#endif /* defined(XML_DTD) || XML_GE == 1 */
+
+ static unsigned long
+ getDebugLevel(const char *variableName, unsigned long defaultDebugLevel) {
+diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
+index 471f2a2..be23f5a 100644
+--- a/xmlwf/xmlwf.c
++++ b/xmlwf/xmlwf.c
+@@ -1062,9 +1062,10 @@ tmain(int argc, XML_Char **argv) {
+ " (needs a floating point number greater or equal than 1.0)"));
+ exit(XMLWF_EXIT_USAGE_ERROR);
+ }
+-#ifndef XML_DTD
+- ftprintf(stderr, T("Warning: Given amplification limit ignored") T(
+- ", xmlwf has been compiled without DTD support.\n"));
++#if ! defined(XML_DTD) && XML_GE == 0
++ ftprintf(stderr,
++ T("Warning: Given amplification limit ignored")
++ T(", xmlwf has been compiled without DTD/GE support.\n"));
+ #endif
+ break;
+ }
+@@ -1083,9 +1084,10 @@ tmain(int argc, XML_Char **argv) {
+ exit(XMLWF_EXIT_USAGE_ERROR);
+ }
+ attackThresholdGiven = XML_TRUE;
+-#ifndef XML_DTD
+- ftprintf(stderr, T("Warning: Given attack threshold ignored") T(
+- ", xmlwf has been compiled without DTD support.\n"));
++#if ! defined(XML_DTD) && XML_GE == 0
++ ftprintf(stderr,
++ T("Warning: Given attack threshold ignored")
++ T(", xmlwf has been compiled without DTD/GE support.\n"));
+ #endif
+ break;
+ }
+@@ -1120,13 +1122,13 @@ tmain(int argc, XML_Char **argv) {
+ }
+
+ if (attackMaximumAmplification != -1.0f) {
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ XML_SetBillionLaughsAttackProtectionMaximumAmplification(
+ parser, attackMaximumAmplification);
+ #endif
+ }
+ if (attackThresholdGiven) {
+-#ifdef XML_DTD
++#if defined(XML_DTD) || XML_GE == 1
+ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+ parser, attackThresholdBytes);
+ #else
+--
+2.40.0
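Review bot: in the xmlwf/xmlwf.c hunks, "#if ! defined(XML_DTD) && XML_GE == 0" and "#if defined(XML_DTD) || XML_GE == 1" treat an undefined XML_GE as 0 without any diagnostic, so an xmlwf built with neither macro defined compiles out both XML_SetBillionLaughsAttackProtection* calls and only prints the "ignored" warning at run time. The "# error" that CVE-2023-52426-005.patch adds sits in lib/xmlparse.c only; the same defined-and-valid check in xmlwf.c, or in a header both files include, would make the two translation units fail the same way at build time.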
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-005.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-005.patch
new file mode 100644
index 0000000000..1e8223fff0
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-005.patch
@@ -0,0 +1,34 @@
+From b0975cb73a41869fbecf0fa55afd35b69b64cc50 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Thu, 26 Oct 2023 00:47:52 +0200
+Subject: [PATCH] lib: Fail the build if XML_GE is not set to 1 or 0
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/b0975cb73a41869fbecf0fa55afd35b69b64cc50]
+
+Signed-off-by: Meenali Gupta
+---
+ lib/xmlparse.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index e23441e..ac3efe1 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -62,6 +62,14 @@
+
+ #include
+
++#if ! defined(XML_GE) || (1 - XML_GE - 1 == 2) || (XML_GE < 0) || (XML_GE > 1)
++# error XML_GE (for general entities) must be defined, non-empty, either 1 or 0 (0 to disable, 1 to enable; 1 is a common default)
++#endif
++
++#if defined(XML_DTD) && XML_GE == 0
++# error Either undefine XML_DTD or define XML_GE to 1.
++#endif
++
+ #if ! defined(_GNU_SOURCE)
+ # define _GNU_SOURCE 1 /* syscall prototype */
+ #endif
+--
+2.40.0
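Review bot: the "(1 - XML_GE - 1 == 2)" term in the first #if is what catches an XML_GE that is defined but empty (the expression then reads "1 - - 1 == 2"), and that is not obvious from the line itself. A one-line comment above the check tying the word "non-empty" in the error text to this arithmetic would save the next reader from working it out.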
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-006.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-006.patch
new file mode 100644
index 0000000000..d1ab52fa32
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-006.patch
@@ -0,0 +1,174 @@
+From 2b127c20b220b673cf52c6be8bef725bf04cbeaf Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Thu, 26 Oct 2023 18:32:11 +0200
+Subject: [PATCH] lib: Make XML_GE==0 use self-references as entity replacement
+ text
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2b127c20b220b673cf52c6be8bef725bf04cbeaf]
+
+Signed-off-by: Meenali Gupta
+---
+ lib/xmlparse.c | 79 +++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 71 insertions(+), 8 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index ac3efe1..c479174 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -504,9 +504,13 @@ static enum XML_Error appendAttributeValue(XML_Parser parser, const ENCODING *,
+ static ATTRIBUTE_ID *getAttributeId(XML_Parser parser, const ENCODING *enc,
+ const char *start, const char *end);
+ static int setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *);
++#if XML_GE == 1
+ static enum XML_Error storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ const char *start, const char *end,
+ enum XML_Account account);
++#else
++static enum XML_Error storeSelfEntityValue(XML_Parser parser, ENTITY *entity);
++#endif
+ static int reportProcessingInstruction(XML_Parser parser, const ENCODING *enc,
+ const char *start, const char *end);
+ static int reportComment(XML_Parser parser, const ENCODING *enc,
+@@ -5040,6 +5044,9 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ break;
+ case XML_ROLE_ENTITY_VALUE:
+ if (dtd->keepProcessing) {
++#if defined(XML_DTD) || XML_GE == 1
++ // This will store the given replacement text in
++ // parser->m_declEntity->textPtr.
+ enum XML_Error result
+ = storeEntityValue(parser, enc, s + enc->minBytesPerChar,
+ next - enc->minBytesPerChar, XML_ACCOUNT_NONE);
+@@ -5060,6 +5067,25 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ poolDiscard(&dtd->entityValuePool);
+ if (result != XML_ERROR_NONE)
+ return result;
++#else
++ // This will store "&entity123;" in parser->m_declEntity->textPtr
++ // to end up as "&entity123;" in the handler.
++ if (parser->m_declEntity != NULL) {
++ const enum XML_Error result
++ = storeSelfEntityValue(parser, parser->m_declEntity);
++ if (result != XML_ERROR_NONE)
++ return result;
++
++ if (parser->m_entityDeclHandler) {
++ *eventEndPP = s;
++ parser->m_entityDeclHandler(
++ parser->m_handlerArg, parser->m_declEntity->name,
++ parser->m_declEntity->is_param, parser->m_declEntity->textPtr,
++ parser->m_declEntity->textLen, parser->m_curBase, 0, 0, 0);
++ handleDefault = XML_FALSE;
++ }
++ }
++#endif
+ }
+ break;
+ case XML_ROLE_DOCTYPE_SYSTEM_ID:
+@@ -5102,6 +5128,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ #endif /* XML_DTD */
+ /* fall through */
+ case XML_ROLE_ENTITY_SYSTEM_ID:
++#if XML_GE == 0
++ // This will store "&entity123;" in entity->textPtr
++ // to end up as "&entity123;" in the handler.
++ if (parser->m_declEntity != NULL) {
++ const enum XML_Error result
++ = storeSelfEntityValue(parser, parser->m_declEntity);
++ if (result != XML_ERROR_NONE)
++ return result;
++ }
++#endif
+ if (dtd->keepProcessing && parser->m_declEntity) {
+ parser->m_declEntity->systemId
+ = poolStoreString(&dtd->pool, enc, s + enc->minBytesPerChar,
+@@ -6090,6 +6126,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ /* not reached */
+ }
+
++#if XML_GE == 1
+ static enum XML_Error
+ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ const char *entityTextPtr, const char *entityTextEnd,
+@@ -6097,12 +6134,12 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ DTD *const dtd = parser->m_dtd; /* save one level of indirection */
+ STRING_POOL *pool = &(dtd->entityValuePool);
+ enum XML_Error result = XML_ERROR_NONE;
+-#ifdef XML_DTD
++# ifdef XML_DTD
+ int oldInEntityValue = parser->m_prologState.inEntityValue;
+ parser->m_prologState.inEntityValue = 1;
+-#else
++# else
+ UNUSED_P(account);
+-#endif /* XML_DTD */
++# endif /* XML_DTD */
+ /* never return Null for the value argument in EntityDeclHandler,
+ since this would indicate an external entity; therefore we
+ have to make sure that entityValuePool.start is not null */
+@@ -6116,18 +6153,18 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */
+ int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next);
+
+-#if defined(XML_DTD) || XML_GE == 1
++# if defined(XML_DTD) || XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__,
+ account)) {
+ accountingOnAbort(parser);
+ result = XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
+ goto endEntityValue;
+ }
+-#endif
++# endif
+
+ switch (tok) {
+ case XML_TOK_PARAM_ENTITY_REF:
+-#ifdef XML_DTD
++# ifdef XML_DTD
+ if (parser->m_isParamEntity || enc != parser->m_encoding) {
+ const XML_Char *name;
+ ENTITY *entity;
+@@ -6270,12 +6307,38 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ entityTextPtr = next;
+ }
+ endEntityValue:
+-#ifdef XML_DTD
++# ifdef XML_DTD
+ parser->m_prologState.inEntityValue = oldInEntityValue;
+-#endif /* XML_DTD */
++# endif /* XML_DTD */
+ return result;
+ }
+
++#else /* XML_GE == 0 */
++
++static enum XML_Error
++storeSelfEntityValue(XML_Parser parser, ENTITY *entity) {
++ // This will store "&entity123;" in entity->textPtr
++ // to end up as "&entity123;" in the handler.
++ const char *const entity_start = "&";
++ const char *const entity_end = ";";
++
++ STRING_POOL *const pool = &(parser->m_dtd->entityValuePool);
++ if (! poolAppendString(pool, entity_start)
++ || ! poolAppendString(pool, entity->name)
++ || ! poolAppendString(pool, entity_end)) {
++ poolDiscard(pool);
++ return XML_ERROR_NO_MEMORY;
++ }
++
++ entity->textPtr = poolStart(pool);
++ entity->textLen = (int)(poolLength(pool));
++ poolFinish(pool);
++
++ return XML_ERROR_NONE;
++}
++
++#endif /* XML_GE == 0 */
++
+ static void FASTCALL
+ normalizeLines(XML_Char *s) {
+ XML_Char *p;
+--
+2.40.0
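Review bot: in the XML_ROLE_ENTITY_SYSTEM_ID hunk the new "#if XML_GE == 0" block calls storeSelfEntityValue() whenever parser->m_declEntity is non-NULL, while the XML_ROLE_ENTITY_VALUE hunk makes the same call only inside "if (dtd->keepProcessing)", and the line right after the new block tests "dtd->keepProcessing && parser->m_declEntity". If allocating from entityValuePool while keepProcessing is false is intended, the comment should say so; otherwise the call belongs under the existing check. Separately, the XML_ROLE_ENTITY_VALUE hunk guards the storeEntityValue() call with "#if defined(XML_DTD) || XML_GE == 1" although the prototype and the definition are now under "#if XML_GE == 1"; the mismatch is harmless only because CVE-2023-52426-005.patch rejects XML_DTD together with XML_GE == 0, so "#if XML_GE == 1" would be the consistent guard here.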
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-007.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-007.patch
new file mode 100644
index 0000000000..a141bbf915
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-007.patch
@@ -0,0 +1,53 @@
+From d3f7bbd37bef2565d64f31b549e197a3a414574e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Thu, 26 Oct 2023 01:39:39 +0200
+Subject: [PATCH] doc/reference.html: Document build time macro XML_GE
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/d3f7bbd37bef2565d64f31b549e197a3a414574e]
+
+Signed-off-by: Meenali Gupta
+---
+ doc/reference.html | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/doc/reference.html b/doc/reference.html
+index 8b0d47d..74ba012 100644
+--- a/doc/reference.html
++++ b/doc/reference.html
+@@ -359,6 +359,33 @@ and the definition of character types in the case of
+ XML_UNICODE_WCHAR_T
. The symbols are:
+
+
++- XML_GE
++-
++Added in Expat 2.6.0.
++Include support for
++general entities
++(syntax
&e1;
to reference and
++syntax <!ENTITY e1 'value1'>
(an internal general entity) or
++<!ENTITY e2 SYSTEM 'file2'>
(an external general entity) to declare).
++With XML_GE
enabled, general entities will be replaced by their declared replacement text;
++for this to work for external general entities, in addition an
++XML_ExternalEntityRefHandler
must be set using
++XML_SetExternalEntityRefHandler
.
++Also, enabling XML_GE
makes
++the functions
++XML_SetBillionLaughsAttackProtectionMaximumAmplification
and
++
++XML_SetBillionLaughsAttackProtectionActivationThreshold
available.
++
++With XML_GE
disabled, Expat has a smaller memory footprint and can be faster, but will
++not load external general entities and will replace all general entities
++(except the predefined five:
++amp
, apos
, gt
, lt
, quot
)
++with a self-reference:
++for example, referencing an entity e1
via &e1;
will be replaced
++by text &e1;
.
++
++
+ - XML_DTD
+ - Include support for using and reporting DTD-based content. If
+ this is defined, default attribute values from an external DTD subset
+--
+2.40.0
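Review bot: the new XML_GE entry does not say that XML_DTD now requires XML_GE to be 1, which CVE-2023-52426-005.patch enforces with "# error Either undefine XML_DTD or define XML_GE to 1."; a sentence to that effect in the XML_GE or XML_DTD entry would let integrators learn the constraint from the reference rather than from a failed build. The entry also reads "Added in Expat 2.6.0" while this recipe ships it as expat_2.5.0, so a reader who checks the packaged version against the reference will conclude the macro is not available.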
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-008.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-008.patch
new file mode 100644
index 0000000000..d07c62ccf0
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-008.patch
@@ -0,0 +1,37 @@
+From 2848dc4e7067de503934b388717e7a3d8d0c5bca Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Fri, 27 Oct 2023 18:45:50 +0200
+Subject: [PATCH] Simplify "! defined(XML_DTD) && XML_GE == 0" to "XML_GE == 0"
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2848dc4e7067de503934b388717e7a3d8d0c5bca]
+
+Signed-off-by: Meenali Gupta
+---
+ xmlwf/xmlwf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
+index be23f5a..04ca759 100644
+--- a/xmlwf/xmlwf.c
++++ b/xmlwf/xmlwf.c
+@@ -1062,7 +1062,7 @@ tmain(int argc, XML_Char **argv) {
+ " (needs a floating point number greater or equal than 1.0)"));
+ exit(XMLWF_EXIT_USAGE_ERROR);
+ }
+-#if ! defined(XML_DTD) && XML_GE == 0
++#if XML_GE == 0
+ ftprintf(stderr,
+ T("Warning: Given amplification limit ignored")
+ T(", xmlwf has been compiled without DTD/GE support.\n"));
+@@ -1084,7 +1084,7 @@ tmain(int argc, XML_Char **argv) {
+ exit(XMLWF_EXIT_USAGE_ERROR);
+ }
+ attackThresholdGiven = XML_TRUE;
+-#if ! defined(XML_DTD) && XML_GE == 0
++#if XML_GE == 0
+ ftprintf(stderr,
+ T("Warning: Given attack threshold ignored")
+ T(", xmlwf has been compiled without DTD/GE support.\n"));
+--
+2.40.0
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-009.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-009.patch
new file mode 100644
index 0000000000..99460249c0
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-009.patch
@@ -0,0 +1,354 @@
+From caa27198637683b15d810737bb8a6a81af19bfa5 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Fri, 27 Oct 2023 18:47:37 +0200
+Subject: [PATCH] Simplify "defined(XML_DTD) || XML_GE == 1" to "XML_GE == 1"
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/caa27198637683b15d810737bb8a6a81af19bfa5]
+
+Signed-off-by: Meenali Gupta
+---
+ lib/expat.h | 2 +-
+ lib/internal.h | 2 +-
+ lib/xmlparse.c | 66 +++++++++++++++++++++++++-------------------------
+ xmlwf/xmlwf.c | 4 +--
+ 4 files changed, 37 insertions(+), 37 deletions(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index 33c94af..fa2eb45 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -1038,7 +1038,7 @@ typedef struct {
+ XMLPARSEAPI(const XML_Feature *)
+ XML_GetFeatureList(void);
+
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ /* Added in Expat 2.4.0 for XML_DTD defined and
+ * added in Expat 2.6.0 for XML_GE == 1. */
+ XMLPARSEAPI(XML_Bool)
+diff --git a/lib/internal.h b/lib/internal.h
+index 1851925..03c8fde 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -154,7 +154,7 @@ extern "C" {
+ void _INTERNAL_trim_to_complete_utf8_characters(const char *from,
+ const char **fromLimRef);
+
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ unsigned long long testingAccountingGetCountBytesDirect(XML_Parser parser);
+ unsigned long long testingAccountingGetCountBytesIndirect(XML_Parser parser);
+ const char *unsignedCharToPrintable(unsigned char c);
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index c479174..2d8f4c0 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -416,7 +416,7 @@ enum XML_Account {
+ XML_ACCOUNT_NONE /* i.e. do not account, was accounted already */
+ };
+
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ typedef unsigned long long XmlBigCount;
+ typedef struct accounting {
+ XmlBigCount countBytesDirect;
+@@ -432,7 +432,7 @@ typedef struct entity_stats {
+ unsigned int maximumDepthSeen;
+ int debugLevel;
+ } ENTITY_STATS;
+-#endif /* defined(XML_DTD) || XML_GE == 1 */
++#endif /* XML_GE == 1 */
+
+ typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const char *start,
+ const char *end, const char **endPtr);
+@@ -574,7 +574,7 @@ static XML_Parser parserCreate(const XML_Char *encodingName,
+
+ static void parserInit(XML_Parser parser, const XML_Char *encodingName);
+
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ static float accountingGetCurrentAmplification(XML_Parser rootParser);
+ static void accountingReportStats(XML_Parser originParser, const char *epilog);
+ static void accountingOnAbort(XML_Parser originParser);
+@@ -597,7 +597,7 @@ static void entityTrackingOnClose(XML_Parser parser, ENTITY *entity,
+
+ static XML_Parser getRootParserOf(XML_Parser parser,
+ unsigned int *outLevelDiff);
+-#endif /* defined(XML_DTD) || XML_GE == 1 */
++#endif /* XML_GE == 1 */
+
+ static unsigned long getDebugLevel(const char *variableName,
+ unsigned long defaultDebugLevel);
+@@ -715,7 +715,7 @@ struct XML_ParserStruct {
+ enum XML_ParamEntityParsing m_paramEntityParsing;
+ #endif
+ unsigned long m_hash_secret_salt;
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ ACCOUNTING m_accounting;
+ ENTITY_STATS m_entity_stats;
+ #endif
+@@ -1175,7 +1175,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ #endif
+ parser->m_hash_secret_salt = 0;
+
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ memset(&parser->m_accounting, 0, sizeof(ACCOUNTING));
+ parser->m_accounting.debugLevel = getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u);
+ parser->m_accounting.maximumAmplificationFactor
+@@ -2534,7 +2534,7 @@ XML_GetFeatureList(void) {
+ #ifdef XML_ATTR_INFO
+ {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0},
+ #endif
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ /* Added in Expat 2.4.0 for XML_DTD defined and
+ * added in Expat 2.6.0 for XML_GE == 1. */
+ {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
+@@ -2550,7 +2550,7 @@ XML_GetFeatureList(void) {
+ return features;
+ }
+
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ XML_Bool XMLCALL
+ XML_SetBillionLaughsAttackProtectionMaximumAmplification(
+ XML_Parser parser, float maximumAmplificationFactor) {
+@@ -2572,7 +2572,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+ parser->m_accounting.activationThresholdBytes = activationThresholdBytes;
+ return XML_TRUE;
+ }
+-#endif /* defined(XML_DTD) || XML_GE == 1 */
++#endif /* XML_GE == 1 */
+
+ /* Initially tag->rawName always points into the parse buffer;
+ for those TAG instances opened while the current parse buffer was
+@@ -2658,13 +2658,13 @@ externalEntityInitProcessor2(XML_Parser parser, const char *start,
+ int tok = XmlContentTok(parser->m_encoding, start, end, &next);
+ switch (tok) {
+ case XML_TOK_BOM:
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, start, next, __LINE__,
+ XML_ACCOUNT_DIRECT)) {
+ accountingOnAbort(parser);
+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
+ }
+-#endif /* defined(XML_DTD) || XML_GE == 1 */
++#endif /* XML_GE == 1 */
+
+ /* If we are at the end of the buffer, this would cause the next stage,
+ i.e. externalEntityInitProcessor3, to pass control directly to
+@@ -2778,7 +2778,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ for (;;) {
+ const char *next = s; /* XmlContentTok doesn't always set the last arg */
+ int tok = XmlContentTok(enc, s, end, &next);
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ const char *accountAfter
+ = ((tok == XML_TOK_TRAILING_RSQB) || (tok == XML_TOK_TRAILING_CR))
+ ? (haveMore ? s /* i.e. 0 bytes */ : end)
+@@ -2844,14 +2844,14 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc,
+ XML_Char ch = (XML_Char)XmlPredefinedEntityName(
+ enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar);
+ if (ch) {
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ /* NOTE: We are replacing 4-6 characters original input for 1 character
+ * so there is no amplification and hence recording without
+ * protection. */
+ accountingDiffTolerated(parser, tok, (char *)&ch,
+ ((char *)&ch) + sizeof(XML_Char), __LINE__,
+ XML_ACCOUNT_ENTITY_EXPANSION);
+-#endif /* defined(XML_DTD) || XML_GE == 1 */
++#endif /* XML_GE == 1 */
+ if (parser->m_characterDataHandler)
+ parser->m_characterDataHandler(parser->m_handlerArg, &ch, 1);
+ else if (parser->m_defaultHandler)
+@@ -4053,7 +4053,7 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+ for (;;) {
+ const char *next = s; /* in case of XML_TOK_NONE or XML_TOK_PARTIAL */
+ int tok = XmlCdataSectionTok(enc, s, end, &next);
+-#if defined(XML_DTD) || XML_GE == 1
++# if XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) {
+ accountingOnAbort(parser);
+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
+@@ -4205,7 +4205,7 @@ doIgnoreSection(XML_Parser parser, const ENCODING *enc, const char **startPtr,
+ *eventPP = s;
+ *startPtr = NULL;
+ tok = XmlIgnoreSectionTok(enc, s, end, &next);
+-#if defined(XML_DTD) || XML_GE == 1
++# if XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
+ XML_ACCOUNT_DIRECT)) {
+ accountingOnAbort(parser);
+@@ -4297,7 +4297,7 @@ processXmlDecl(XML_Parser parser, int isGeneralTextEntity, const char *s,
+ const XML_Char *storedversion = NULL;
+ int standalone = -1;
+
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, __LINE__,
+ XML_ACCOUNT_DIRECT)) {
+ accountingOnAbort(parser);
+@@ -4504,7 +4504,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+ */
+ else if (tok == XML_TOK_BOM && next == end
+ && ! parser->m_parsingStatus.finalBuffer) {
+-# if defined(XML_DTD) || XML_GE == 1
++# if XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
+ XML_ACCOUNT_DIRECT)) {
+ accountingOnAbort(parser);
+@@ -4720,7 +4720,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ }
+ }
+ role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc);
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ switch (role) {
+ case XML_ROLE_INSTANCE_START: // bytes accounted in contentProcessor
+ case XML_ROLE_XML_DECL: // bytes accounted in processXmlDecl
+@@ -5044,7 +5044,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
+ break;
+ case XML_ROLE_ENTITY_VALUE:
+ if (dtd->keepProcessing) {
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ // This will store the given replacement text in
+ // parser->m_declEntity->textPtr.
+ enum XML_Error result
+@@ -5695,7 +5695,7 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end,
+ for (;;) {
+ const char *next = NULL;
+ int tok = XmlPrologTok(parser->m_encoding, s, end, &next);
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, s, next, __LINE__,
+ XML_ACCOUNT_DIRECT)) {
+ accountingOnAbort(parser);
+@@ -5775,7 +5775,7 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+ return XML_ERROR_NO_MEMORY;
+ }
+ entity->open = XML_TRUE;
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ entityTrackingOnOpen(parser, entity, __LINE__);
+ #endif
+ entity->processed = 0;
+@@ -5809,9 +5809,9 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) {
+ entity->processed = (int)(next - textStart);
+ parser->m_processor = internalEntityProcessor;
+ } else {
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ entityTrackingOnClose(parser, entity, __LINE__);
+-#endif /* defined(XML_DTD) || XML_GE == 1 */
++#endif /* XML_GE == 1 */
+ entity->open = XML_FALSE;
+ parser->m_openInternalEntities = openEntity->next;
+ /* put openEntity back in list of free instances */
+@@ -5860,7 +5860,7 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
+ return result;
+ }
+
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ entityTrackingOnClose(parser, entity, __LINE__);
+ #endif
+ entity->open = XML_FALSE;
+@@ -5939,7 +5939,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ const char *next
+ = ptr; /* XmlAttributeValueTok doesn't always set the last arg */
+ int tok = XmlAttributeValueTok(enc, ptr, end, &next);
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, account)) {
+ accountingOnAbort(parser);
+ return XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
+@@ -6004,14 +6004,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ XML_Char ch = (XML_Char)XmlPredefinedEntityName(
+ enc, ptr + enc->minBytesPerChar, next - enc->minBytesPerChar);
+ if (ch) {
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ /* NOTE: We are replacing 4-6 characters original input for 1 character
+ * so there is no amplification and hence recording without
+ * protection. */
+ accountingDiffTolerated(parser, tok, (char *)&ch,
+ ((char *)&ch) + sizeof(XML_Char), __LINE__,
+ XML_ACCOUNT_ENTITY_EXPANSION);
+-#endif /* defined(XML_DTD) || XML_GE == 1 */
++#endif /* XML_GE == 1 */
+ if (! poolAppendChar(pool, ch))
+ return XML_ERROR_NO_MEMORY;
+ break;
+@@ -6089,14 +6089,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
+ enum XML_Error result;
+ const XML_Char *textEnd = entity->textPtr + entity->textLen;
+ entity->open = XML_TRUE;
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ entityTrackingOnOpen(parser, entity, __LINE__);
+ #endif
+ result = appendAttributeValue(parser, parser->m_internalEncoding,
+ isCdata, (const char *)entity->textPtr,
+ (const char *)textEnd, pool,
+ XML_ACCOUNT_ENTITY_EXPANSION);
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ entityTrackingOnClose(parser, entity, __LINE__);
+ #endif
+ entity->open = XML_FALSE;
+@@ -6153,7 +6153,7 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */
+ int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next);
+
+-# if defined(XML_DTD) || XML_GE == 1
++# if XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__,
+ account)) {
+ accountingOnAbort(parser);
+@@ -7725,7 +7725,7 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
+ return result;
+ }
+
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+
+ static float
+ accountingGetCurrentAmplification(XML_Parser rootParser) {
+@@ -8456,7 +8456,7 @@ unsignedCharToPrintable(unsigned char c) {
+ assert(0); /* never gets here */
+ }
+
+-#endif /* defined(XML_DTD) || XML_GE == 1 */
++#endif /* XML_GE == 1 */
+
+ static unsigned long
+ getDebugLevel(const char *variableName, unsigned long defaultDebugLevel) {
+diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c
+index 04ca759..dd023a9 100644
+--- a/xmlwf/xmlwf.c
++++ b/xmlwf/xmlwf.c
+@@ -1122,13 +1122,13 @@ tmain(int argc, XML_Char **argv) {
+ }
+
+ if (attackMaximumAmplification != -1.0f) {
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ XML_SetBillionLaughsAttackProtectionMaximumAmplification(
+ parser, attackMaximumAmplification);
+ #endif
+ }
+ if (attackThresholdGiven) {
+-#if defined(XML_DTD) || XML_GE == 1
++#if XML_GE == 1
+ XML_SetBillionLaughsAttackProtectionActivationThreshold(
+ parser, attackThresholdBytes);
+ #else
+--
+2.40.0
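Review bot: the lib/expat.h hunk narrows the guard in the public header to "#if XML_GE == 1", so an application that includes expat.h with XML_DTD defined but without XML_GE (an undefined macro evaluates as 0 in #if) no longer sees the declarations under it, even though the comment kept just below still says "Added in Expat 2.4.0 for XML_DTD defined". On a backport to 2.5.0 that can turn into compile failures in existing callers; keeping the XML_DTD alternative in this one header, for example "#if defined(XML_DTD) || (defined(XML_GE) && XML_GE == 1)", avoids that while the library sources use the simplified form.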
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-010.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-010.patch
new file mode 100644
index 0000000000..4b5c5cb2e1
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-010.patch
@@ -0,0 +1,50 @@
+From 55fecd6aa4af4a540812b81234679cd6b5714f1b Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Wed, 1 Nov 2023 18:24:55 +0100
+Subject: [PATCH] Drop redundant "XML_GE == 1" guards
+
+These are redundant because further out there is a guard
+for "XML_GE == 1" already. In the visual world, the pattern
+is this:
+
+> #if XML_GE == 1
+> [..]
+> # if XML_GE == 1
+> [..]
+> # endif
+> [..]
+> #endif
+
+Spotted by Snild Dolkow, thanks!
+
+Co-authored-by: Snild Dolkow
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/55fecd6aa4af4a540812b81234679cd6b5714f1b]
+
+Signed-off-by: Meenali Gupta
+---
+ lib/xmlparse.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 2d8f4c0..82a8006 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6153,14 +6153,12 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */
+ int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next);
+
+-# if XML_GE == 1
+ if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__,
+ account)) {
+ accountingOnAbort(parser);
+ result = XML_ERROR_AMPLIFICATION_LIMIT_BREACH;
+ goto endEntityValue;
+ }
+-# endif
+
+ switch (tok) {
+ case XML_TOK_PARAM_ENTITY_REF:
+--
+2.40.0
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-011.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-011.patch
new file mode 100644
index 0000000000..d1b0be2aff
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52426-011.patch
@@ -0,0 +1,45 @@
+From 8a6c61de4a425977e357cafd8667a0d7771ce292 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping
+Date: Thu, 26 Oct 2023 01:29:03 +0200
+Subject: [PATCH] lib: Add XML_GE to XML_GetFeatureList and XML_FeatureEnum
+ Co-authored-by: Snild Dolkow
+
+CVE: CVE-2023-52426
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/8a6c61de4a425977e357cafd8667a0d7771ce292]
+
+Signed-off-by: Meenali Gupta
+---
+ lib/expat.h | 4 +++-
+ lib/xmlparse.c | 2 ++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/expat.h b/lib/expat.h
+index fa2eb45..9e64174 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -1025,7 +1025,9 @@ enum XML_FeatureEnum {
+ XML_FEATURE_ATTR_INFO,
+ /* Added in Expat 2.4.0. */
+ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT,
+- XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT
++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT,
++ /* Added in Expat 2.6.0. */
++ XML_FEATURE_GE
+ /* Additional features must be added to the end of this enum. */
+ };
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 82a8006..0627d6c 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -2544,6 +2544,8 @@ XML_GetFeatureList(void) {
+ {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT,
+ XML_L("XML_BLAP_ACT_THRES"),
+ EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT},
++ /* Added in Expat 2.6.0. */
++ {XML_FEATURE_GE, XML_L("XML_GE"), 0},
+ #endif
+ {XML_FEATURE_END, NULL, 0}};
+
+--
+2.40.0
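Review bot: In the lib/xmlparse.c part of this backport, the new {XML_FEATURE_GE, XML_L("XML_GE"), 0} row is placed above the #endif, so XML_GetFeatureList reports it only when that conditional block is compiled, and always with value 0. Callers have to test for the presence of XML_FEATURE_GE rather than read its value; a one-line comment saying so next to the row, or beside the enum addition in lib/expat.h, would prevent misuse. The enum member itself is appended after the previous last member, which keeps the existing values stable.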
diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb
index eb7ce1436e..31e989cfe2 100644
--- a/meta/recipes-core/expat/expat_2.5.0.bb
+++ b/meta/recipes-core/expat/expat_2.5.0.bb
@@ -11,6 +11,17 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://run-ptest \
file://CVE-2024-28757.patch \
+ file://CVE-2023-52426-001.patch \
+ file://CVE-2023-52426-002.patch \
+ file://CVE-2023-52426-003.patch \
+ file://CVE-2023-52426-004.patch \
+ file://CVE-2023-52426-005.patch \
+ file://CVE-2023-52426-006.patch \
+ file://CVE-2023-52426-007.patch \
+ file://CVE-2023-52426-008.patch \
+ file://CVE-2023-52426-009.patch \
+ file://CVE-2023-52426-010.patch \
+ file://CVE-2023-52426-011.patch \
"
UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/"
From patchwork Wed Mar 20 16:09:41 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41295
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 03/15] python3-cryptography: Backport fix for
CVE-2024-26130
Date: Wed, 20 Mar 2024 06:09:41 -1000
Message-Id:
<7864c4605cde4851df644dd1d2867bd28d155710.1710950846.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197374
From: Vijay Anusuri
Upstream-Status: Backport from https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
.../python3-cryptography/CVE-2024-26130.patch | 66 +++++++++++++++++++
.../python/python3-cryptography_36.0.2.bb | 1 +
2 files changed, 67 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
new file mode 100644
index 0000000000..ff113e8cc7
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch
@@ -0,0 +1,66 @@
+From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor
+Date: Mon, 19 Feb 2024 11:50:28 -0500
+Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't
+ match (#10423)
+
+Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55]
+CVE: CVE-2024-26130
+Signed-off-by: Vijay Anusuri
+---
+ .../hazmat/backends/openssl/backend.py | 9 +++++++++
+ tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index c43fea0..d687931 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2131,6 +2131,15 @@ class Backend(BackendInterface):
+ mac_iter,
+ 0,
+ )
++ if p12 == self._ffi.NULL:
++ errors = self._consume_errors()
++ raise ValueError(
++ (
++ "Failed to create PKCS12 (does the key match the "
++ "certificate?)"
++ ),
++ errors,
++ )
+
+ self.openssl_assert(p12 != self._ffi.NULL)
+ p12 = self._ffi.gc(p12, self._lib.PKCS12_free)
+diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
+index c5cfbc0..8af4c93 100644
+--- a/tests/hazmat/primitives/test_pkcs12.py
++++ b/tests/hazmat/primitives/test_pkcs12.py
+@@ -25,6 +25,24 @@ from ...doubles import DummyKeySerializationEncryption
+ from ...utils import load_vectors_from_file
+
+
++ @pytest.mark.supported(
++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC,
++ skip_message="Requires OpenSSL with PKCS12_set_mac",
++ )
++ def test_set_mac_key_certificate_mismatch(self, backend):
++ cacert, _ = _load_ca(backend)
++ key = ec.generate_private_key(ec.SECP256R1())
++ encryption = (
++ serialization.PrivateFormat.PKCS12.encryption_builder()
++ .hmac_hash(hashes.SHA256())
++ .build(b"password")
++ )
++
++ with pytest.raises(ValueError):
++ serialize_key_and_certificates(
++ b"name", key, cacert, [], encryption
++ )
++
+ @pytest.mark.skip_fips(
+ reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it."
+ )
+--
+2.35.7
+
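Review bot: In the tests/hazmat/primitives/test_pkcs12.py part, test_set_mac_key_certificate_mismatch takes self but is inserted directly after the module imports and ahead of the @pytest.mark.skip_fips decorator, so at this position it is not inside a test class. Move it into the class that follows, and since the hunk adds no imports, confirm that _load_ca, ec, hashes and PrivateFormat.PKCS12.encryption_builder() are available in the 36.0.2 tree; otherwise the regression test never exercises the fix. In backend.py the retained self.openssl_assert(p12 != self._ffi.NULL) can no longer fail once the new ValueError branch sits in front of it and could be dropped.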
diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
index c429c75e1b..83381f225c 100644
--- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb
@@ -19,6 +19,7 @@ SRC_URI += " \
file://fix-leak-metric.patch \
file://CVE-2023-23931.patch \
file://CVE-2023-49083.patch \
+ file://CVE-2024-26130.patch \
"
inherit pypi python_setuptools3_rust
From patchwork Wed Mar 20 16:09:42 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41298
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 04/15] cve-update-nvd2-native: Fix typo in
comment
Date: Wed, 20 Mar 2024 06:09:42 -1000
Message-Id:
<6f49c54a0ecc9d6e79816ce8dd7b65e5a8013df6.1710950846.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197375
From: Yoann Congal
attmepts -> attempts
Signed-off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit dc18aaeda8e810f9082a0ceac08e5e4275bbd0f7)
Signed-off-by: Steve Sakoman
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 69ba20a6cb..9b6e746add 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -26,7 +26,7 @@ NVDCVE_API_KEY ?= ""
# Use a negative value to skip the update
CVE_DB_UPDATE_INTERVAL ?= "86400"
-# Number of attmepts for each http query to nvd server before giving up
+# Number of attempts for each http query to nvd server before giving up
CVE_DB_UPDATE_ATTEMPTS ?= "5"
CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
From patchwork Wed Mar 20 16:09:43 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41300
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 05/15] cve-update-nvd2-native: Add an age
threshold for incremental update
Date: Wed, 20 Mar 2024 06:09:43 -1000
Message-Id:
<5259971a4785e7f664c0f588f34f8ef537c5c4c5.1710950846.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197376
From: Yoann Congal
Add a new variable "CVE_DB_INCR_UPDATE_AGE_THRES", which can be used to
specify the maximum age of the database for doing an incremental update.
For older databases, a full re-download is done.
With a value of "0", this forces a full re-download.
Signed-off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit 74c1765111b6610348eae4b7e41d7045ce58ef86)
Signed-off-by: Steve Sakoman
---
.../meta/cve-update-nvd2-native.bb | 20 +++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 9b6e746add..af21989d58 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -26,6 +26,12 @@ NVDCVE_API_KEY ?= ""
# Use a negative value to skip the update
CVE_DB_UPDATE_INTERVAL ?= "86400"
+# CVE database incremental update age threshold, in seconds. If the database is
+# older than this threshold, do a full re-download, else, do an incremental
+# update. By default: the maximum allowed value from NVD: 120 days (120*24*60*60)
+# Use 0 to force a full download.
+CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000"
+
# Number of attempts for each http query to nvd server before giving up
CVE_DB_UPDATE_ATTEMPTS ?= "5"
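Review bot: The comment for CVE_DB_INCR_UPDATE_AGE_THRES names 120 days as the maximum NVD allows but does not say what a larger value or a negative value does. Document both cases here, or validate the value where it is read, so that a site override cannot silently select an unsupported range.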
@@ -172,18 +178,24 @@ def update_db_file(db_tmp_file, d, database_time):
req_args = {'startIndex' : 0}
- # The maximum range for time is 120 days
- # Force a complete update if our range is longer
- if (database_time != 0):
+ incr_update_threshold = int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES"))
+ if database_time != 0:
database_date = datetime.datetime.fromtimestamp(database_time, tz=datetime.timezone.utc)
today_date = datetime.datetime.now(tz=datetime.timezone.utc)
delta = today_date - database_date
- if delta.days < 120:
+ if incr_update_threshold == 0:
+ bb.note("CVE database: forced full update")
+ elif delta < datetime.timedelta(seconds=incr_update_threshold):
bb.note("CVE database: performing partial update")
+ # The maximum range for time is 120 days
+ if delta > datetime.timedelta(days=120):
+ bb.error("CVE database: Trying to do an incremental update on a larger than supported range")
req_args['lastModStartDate'] = database_date.isoformat()
req_args['lastModEndDate'] = today_date.isoformat()
else:
bb.note("CVE database: file too old, forcing a full update")
+ else:
+ bb.note("CVE database: no preexisting database, do a full download")
with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
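Review bot: When CVE_DB_INCR_UPDATE_AGE_THRES is set above 120 days and the database age falls between 120 days and that threshold, the new branch only calls bb.error and then still sets lastModStartDate and lastModEndDate, so the request goes out with a range the comment itself calls unsupported. Take the full-download path in that case, or clamp the threshold to 120 days when reading it, so that a misconfigured threshold cannot leave the CVE database stale. int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES")) also raises on a non-numeric value; a bb.fatal naming the variable would give a clearer failure.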
From patchwork Wed Mar 20 16:09:44 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41297
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 06/15] cve-update-nvd2-native: Remove duplicated
CVE_CHECK_DB_FILE definition
Date: Wed, 20 Mar 2024 06:09:44 -1000
Message-Id:
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197377
From: Yoann Congal
CVE_CHECK_DB_FILE is already defined in cve-check.bbclass which is
always inherited in cve-update-nvd2-native (There is a check line 40).
Remove it to avoid confusion. Otherwise, this should not change
anything.
Signed-off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit e5f3f223885c17b7007c310273fc7c80b90a4105)
Signed-off-by: Steve Sakoman
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 --
1 file changed, 2 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index af21989d58..506b4b6bbf 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -37,8 +37,6 @@ CVE_DB_UPDATE_ATTEMPTS ?= "5"
CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
-
python () {
if not bb.data.inherits_class("cve-check", d):
raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
From patchwork Wed Mar 20 16:09:45 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41299
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 07/15] cve-update-nvd2-native: nvd_request_next:
Improve comment
Date: Wed, 20 Mar 2024 06:09:45 -1000
Message-Id:
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197378
From: Yoann Congal
Add a URL to the doc of the API used in the function.
... and fix a small typo dabase -> database
Signed-off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit e0157b3b81333a24abd31dbb23a6abebca3e7ba7)
Signed-off-by: Steve Sakoman
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 506b4b6bbf..a703b68aac 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -123,7 +123,8 @@ def nvd_request_wait(attempt, min_wait):
def nvd_request_next(url, attempts, api_key, args, min_wait):
"""
- Request next part of the NVD dabase
+ Request next part of the NVD database
+ NVD API documentation: https://nvd.nist.gov/developers/vulnerabilities
"""
import urllib.request
From patchwork Wed Mar 20 16:09:46 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41303
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 08/15] cve-update-nvd2-native: Fix CVE
configuration update
Date: Wed, 20 Mar 2024 06:09:46 -1000
Message-Id:
<38402b5e89d43bf2a45c8f5f2d631033be5019cd.1710950846.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
; Wed, 20 Mar 2024 16:10:43 -0000
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197379
From: Yoann Congal
When a CVE is created, it often has no precise version information and
this is stored as "-" (matching any version). After an update, version
information is added. The previous "-" must be removed, otherwise, the
CVE is still "Unpatched" for cve-check.
Signed-off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit 641ae3f36e09af9932dc33043a0a5fbfce62122e)
Signed-off-by: Steve Sakoman
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index a703b68aac..0044529b7d 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -352,6 +352,10 @@ def update_db(conn, elt):
[cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
try:
+ # Remove any pre-existing CVE configuration. Even for partial database
+ # update, those will be repopulated. This ensures that old
+ # configuration is not kept for an updated CVE.
+ conn.execute("delete from PRODUCTS where ID = ?", [cveId]).close()
for config in elt['cve']['configurations']:
# This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
for node in config["nodes"]:
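Review bot: the new `delete from PRODUCTS where ID = ?` at the top of the `try:` block runs before the `for config in elt['cve']['configurations']` loop has repopulated anything, so an exception partway through the loop can leave the CVE with no PRODUCTS rows at all. The `except` branch is not visible in this hunk; if it only logs and continues, that CVE silently stops matching any recipe in cve-check, which is worse than the stale "-" row this change removes. Please confirm the delete and the re-inserts are committed as one transaction and rolled back on failure, or build the new rows first and only then delete and insert.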
From patchwork Wed Mar 20 16:09:47 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41304
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 09/15] cve-update-nvd2-native: Remove rejected
CVE from database
Date: Wed, 20 Mar 2024 06:09:47 -1000
Message-Id:
<717f0df5f35272f7706e4f92cc8b57cdda8066b6.1710950846.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
; Wed, 20 Mar 2024 16:10:43 -0000
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197380
From: Yoann Congal
When a CVE is updated to be rejected, matching database entries must be
removed. Otherwise:
* an incremental update is not equivalent to an initial download.
* rejected CVEs might still appear as Unpatched in cve-check.
Signed-off-by: Yoann Congal
Signed-off-by: Richard Purdie
(cherry picked from commit f276a980b8930b98e6c8f0e1a865d77dfcfe5085)
Signed-off-by: Steve Sakoman
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 0044529b7d..1a3eeba6d0 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -323,6 +323,10 @@ def update_db(conn, elt):
accessVector = None
cveId = elt['cve']['id']
if elt['cve']['vulnStatus'] == "Rejected":
+ c = conn.cursor()
+ c.execute("delete from PRODUCTS where ID = ?;", [cveId])
+ c.execute("delete from NVD where ID = ?;", [cveId])
+ c.close()
return
cveDesc = ""
for desc in elt['cve']['descriptions']:
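Review bot: the two deletes in the `vulnStatus == "Rejected"` branch have no error handling, so if either `c.execute` raises, `c.close()` is skipped, and a failure on the second leaves the NVD row in place without its PRODUCTS rows unless the caller rolls back. 08/15 uses `conn.execute(...).close()` with no trailing `;` for the same PRODUCTS delete; using one form in both places would make `update_db` easier to read. Also consider logging the CVE id here, since an entry that was previously reported as Unpatched will now disappear from cve-check output with no trace of why.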
From patchwork Wed Mar 20 16:09:48 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41301
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 10/15] wireless-regdb: upgrade 2023.05.03 ->
2023.09.01
Date: Wed, 20 Mar 2024 06:09:48 -1000
Message-Id:
<3af65ed130493e14a87818b76b06f9ca7c717874.1710950846.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
; Wed, 20 Mar 2024 16:10:43 -0000
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197381
From: Wang Mingyu
Changelog:
==========
wireless-regdb: update regulatory database based on preceding changes
wireless-regdb: Update regulatory rules for Australia (AU) for June 2023
wireless-regdb: Update regulatory info for Türkiye (TR)
wireless-regdb: Update regulatory rules for Egypt (EG) from March 2022 guidel...
wireless-regdb: Update regulatory rules for Philippines (PH)
Signed-off-by: Wang Mingyu
Signed-off-by: Richard Purdie
(cherry picked from commit 2f5edb6904bf16a9c52a9b124aeb5297487cd716)
Signed-off-by: Steve Sakoman
---
...ireless-regdb_2023.05.03.bb => wireless-regdb_2023.09.01.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.05.03.bb => wireless-regdb_2023.09.01.bb} (94%)
diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb
similarity index 94%
rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb
rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb
index cd3f52fc76..c09600ecbe 100644
--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "f254d08ab3765aeae2b856222e11a95d44aef519a6663877c71ef68fae4c8c12"
+SRC_URI[sha256sum] = "26d4c2a727cc59239b84735aad856b7c7d0b04e30aa5c235c4f7f47f5f053491"
inherit bin_package allarch
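Review bot: the `SRC_URI[sha256sum]` replacement is the only integrity check on the new tarball, and neither the commit message nor the hunk says how the value was obtained. Please state that it was checked against upstream's published checksum or signature for the 2023.09.01 tarball rather than computed from a local download. `LIC_FILES_CHKSUM` is unchanged, which matches the absence of a License-Update line.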
From patchwork Wed Mar 20 16:09:49 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41302
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 11/15] wireless-regdb: Upgrade 2023.09.01 ->
2024.01.23
Date: Wed, 20 Mar 2024 06:09:49 -1000
Message-Id:
<11c9c6eec5ff45cd1fd4858bc28f38693c5d0fde.1710950846.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
; Wed, 20 Mar 2024 16:10:43 -0000
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197382
From: Alex Kiernan
Upstream maintainer has changed to Chen-Yu Tsai:
https://lore.kernel.org/all/CAGb2v657baNMPKU3QADijx7hZa=GUcSv2LEDdn6N=QQaFX8r-g@mail.gmail.com/
Note that fb768d3b13ff ("wifi: cfg80211: Add my certificate") and
3c2a8ebe3fe6 ("wifi: cfg80211: fix certs build to not depend on file
order") are required if you are using kernel signature verification.
Signed-off-by: Alex Kiernan
Signed-off-by: Alexandre Belloni
(cherry picked from commit abf169fbbf8bab13224adf4c8bfa2e26607f360c)
Signed-off-by: Steve Sakoman
---
...eless-regdb_2023.09.01.bb => wireless-regdb_2024.01.23.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.09.01.bb => wireless-regdb_2024.01.23.bb} (88%)
diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb
similarity index 88%
rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb
rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb
index c09600ecbe..8fde236ab4 100644
--- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb
+++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb
@@ -5,7 +5,7 @@ LICENSE = "ISC"
LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c"
SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "26d4c2a727cc59239b84735aad856b7c7d0b04e30aa5c235c4f7f47f5f053491"
+SRC_URI[sha256sum] = "c8a61c9acf76fa7eb4239e89f640dee3e87098d9f69b4d3518c9c60fc6d20c55"
inherit bin_package allarch
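Review bot: this `SRC_URI[sha256sum]` change coincides with the maintainer and signing-key change described in the commit message, so the usual "same signer as the last release" sanity check does not apply. Please note in the commit message that the 2024.01.23 tarball was verified against the new maintainer's key or published checksum, since the value pinned here is what every later fetch is trusted against.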
@@ -13,7 +13,7 @@ do_install() {
install -d -m0755 ${D}${nonarch_libdir}/crda
install -d -m0755 ${D}${sysconfdir}/wireless-regdb/pubkeys
install -m 0644 regulatory.bin ${D}${nonarch_libdir}/crda/regulatory.bin
- install -m 0644 sforshee.key.pub.pem ${D}${sysconfdir}/wireless-regdb/pubkeys/sforshee.key.pub.pem
+ install -m 0644 wens.key.pub.pem ${D}${sysconfdir}/wireless-regdb/pubkeys/wens.key.pub.pem
install -m 0644 -D regulatory.db ${D}${nonarch_base_libdir}/firmware/regulatory.db
install -m 0644 regulatory.db.p7s ${D}${nonarch_base_libdir}/firmware/regulatory.db.p7s
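Review bot: replacing `sforshee.key.pub.pem` with `wens.key.pub.pem` in `do_install` means `regulatory.db.p7s` is now signed by a key that, per the commit message, the kernel only trusts once fb768d3b13ff and 3c2a8ebe3fe6 are present. Nothing in this recipe checks or documents that for the kirkstone kernels, so images with kernel signature verification enabled may reject the new `regulatory.db`. Please either carry the requirement as a comment in the recipe or confirm the kirkstone kernel recipes already include both commits. Anything that referenced the old pubkey path under `${sysconfdir}/wireless-regdb/pubkeys/` will also need updating.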
From patchwork Wed Mar 20 16:09:50 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41305
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 12/15] linux-firmware: upgrade 20231211 ->
20240220
Date: Wed, 20 Mar 2024 06:09:50 -1000
Message-Id:
X-Mailer: git-send-email 2.34.1
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
; Wed, 20 Mar 2024 16:10:53 -0000
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197383
From: Alexander Kanavin
License-Update: additional files
Signed-off-by: Alexander Kanavin
Signed-off-by: Richard Purdie
(cherry picked from commit add81ef0299ea5260f9bdc59ffc8f5cc0e74276f)
Signed-off-by: Steve Sakoman
---
...inux-firmware_20231211.bb => linux-firmware_20240220.bb} | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
rename meta/recipes-kernel/linux-firmware/{linux-firmware_20231211.bb => linux-firmware_20240220.bb} (99%)
diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb
similarity index 99%
rename from meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb
rename to meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb
index 48e83cb34b..425b351dc1 100644
--- a/meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb
+++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb
@@ -89,7 +89,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
file://LICENCE.cadence;md5=009f46816f6956cfb75ede13d3e1cee0 \
file://LICENCE.cavium;md5=c37aaffb1ebe5939b2580d073a95daea \
file://LICENCE.chelsio_firmware;md5=819aa8c3fa453f1b258ed8d168a9d903 \
- file://LICENSE.cirrus;md5=bb18d943382abf8e8232a9407bfdafe0 \
+ file://LICENSE.cirrus;md5=662ea2c1a8888f7d79ed7f27c27472e1 \
file://LICENCE.cnm;md5=93b67e6bac7f8fec22b96b8ad0a1a9d0 \
file://LICENCE.cw1200;md5=f0f770864e7a8444a5c5aa9d12a3a7ed \
file://LICENCE.cypress;md5=48cd9436c763bf873961f9ed7b5c147b \
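Review bot: the `LICENSE.cirrus` md5 changes here, but the commit message's "License-Update: additional files" does not say whether the licence terms themselves changed or only the list of covered files. Please spell that out for `LICENSE.cirrus` specifically, because downstream licence audits key off this checksum and need to know whether a re-review is required.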
@@ -147,7 +147,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \
"
# WHENCE checksum is defined separately to ease overriding it if
# class-devupstream is selected.
-WHENCE_CHKSUM = "3113c4ea08e5171555f3bf49eceb5b07"
+WHENCE_CHKSUM = "a344e6c28970fc7daafa81c10247aeb6"
# These are not common licenses, set NO_GENERIC_LICENSE for them
# so that the license files will be copied from fetched source
@@ -231,7 +231,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw
# Pin this to the 20220509 release, override this in local.conf
SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae"
-SRC_URI[sha256sum] = "96af7e4b5eabd37869cdb3dcbb7ab36911106d39b76e799fa1caab16a9dbe8bb"
+SRC_URI[sha256sum] = "bf0f239dc0801e9d6bf5d5fb3e2f549575632cf4688f4348184199cb02c2bcd7"
inherit allarch
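Review bot: the context above the `SRC_URI[sha256sum]` change still reads "Pin this to the 20220509 release" and `SRCREV:class-devupstream` is left untouched, while `WHENCE_CHKSUM` in the previous hunk moves to the 20240220 value. The comment on `WHENCE_CHKSUM` says it is split out so it can be overridden for class-devupstream; please confirm such an override exists and still matches the pinned SRCREV, or update the SRCREV and the stale comment, otherwise a devupstream build will compare the old WHENCE file against the new checksum.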
From patchwork Wed Mar 20 16:09:51 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41306
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 13/15] yocto-uninative: Update to 4.4 for glibc
2.39
Date: Wed, 20 Mar 2024 06:09:51 -1000
Message-Id:
X-Mailer: git-send-email 2.34.1
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
; Wed, 20 Mar 2024 16:11:13 -0000
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197384
From: Michael Halstead
Signed-off-by: Michael Halstead
Signed-off-by: Richard Purdie
(cherry picked from commit 56fdd8b79e2f7ec30d2cdcfa0c399a6553efac1e)
Signed-off-by: Steve Sakoman
---
meta/conf/distro/include/yocto-uninative.inc | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index eaa3e9b31c..4ac66fd506 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,10 +6,10 @@
# to the distro running on the build machine.
#
-UNINATIVE_MAXGLIBCVERSION = "2.38"
-UNINATIVE_VERSION = "4.3"
+UNINATIVE_MAXGLIBCVERSION = "2.39"
+UNINATIVE_VERSION = "4.4"
UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "8df05f4a41455018b4303b2e0ea4eac5c960b5a13713f6dbb33dfdb3e32753ec"
-UNINATIVE_CHECKSUM[i686] ?= "bea76b4a97c9ba0077c0dd1295f519cd599dbf71f0ca1c964471c4cdb043addd"
-UNINATIVE_CHECKSUM[x86_64] ?= "1c35f09a75c4096749bbe1e009df4e3968cde151424062cf4aa3ed89db22b030"
+UNINATIVE_CHECKSUM[aarch64] ?= "b61876130f494f75092f21086b4a64ea5fb064045769bf1d32e9cb6af17ea8ec"
+UNINATIVE_CHECKSUM[i686] ?= "9f28627828f0082cc0344eede4d9a861a9a064bfa8f36e072e46212f0fe45fcc"
+UNINATIVE_CHECKSUM[x86_64] ?= "d81c54284be2bb886931fc87281d58177a2cd381cf99d1981f8923039a72a302"
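Review bot: all three `UNINATIVE_CHECKSUM` values are replaced with no statement of where they came from, and the unchanged `UNINATIVE_URL` default is still plain `http://`, so these sha256 values are the only thing protecting the uninative tarball download. Please add a line to the commit message saying the checksums were taken from the published 4.4 release artefacts, and consider switching the default URL to `https://` in a follow-up. The commit message body is also empty; one sentence on why 4.4 is needed for glibc 2.39 hosts would help stable-branch reviewers.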
From patchwork Wed Mar 20 16:09:52 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41307
X-Patchwork-Delegate: steve@sakoman.com
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 14/15] stress-ng: avoid calling sync during
do_compile
Date: Wed, 20 Mar 2024 06:09:52 -1000
Message-Id:
X-Mailer: git-send-email 2.34.1
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
; Wed, 20 Mar 2024 16:11:13 -0000
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197385
From: Martin Jansa
calling 'sync' from do_compile in the middle of big OE world
build harms the build time.
Signed-off-by: Martin Jansa
Signed-off-by: Steve Sakoman
---
.../0001-Makefile-avoid-calling-sync.patch | 35 +++++++++++++++++++
.../stress-ng/stress-ng_0.13.12.bb | 1 +
2 files changed, 36 insertions(+)
create mode 100644 meta/recipes-extended/stress-ng/stress-ng-0.13.12/0001-Makefile-avoid-calling-sync.patch
diff --git a/meta/recipes-extended/stress-ng/stress-ng-0.13.12/0001-Makefile-avoid-calling-sync.patch b/meta/recipes-extended/stress-ng/stress-ng-0.13.12/0001-Makefile-avoid-calling-sync.patch
new file mode 100644
index 0000000000..fec8c524eb
--- /dev/null
+++ b/meta/recipes-extended/stress-ng/stress-ng-0.13.12/0001-Makefile-avoid-calling-sync.patch
@@ -0,0 +1,35 @@
+From 1d1801902a4944c6f5fa521c19b32fbac7342a0c Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Sat, 6 Aug 2022 13:05:59 +0000
+Subject: [PATCH] Makefile: avoid calling sync
+
+Original commit message:
+Makefile: use ld-gold if it is available
+
+Speed up linking by using ld-gold if is available. Add build
+time detection to see if compiler allows it
+
+MJ: backported only the "sync" removal from Makefile as calling
+ it from do_compile in the middle of big OE world build harms
+ the build time.
+
+Upstream-Status: Backport [V0.14.04 c10e5c3f9f5560a085279f4c4b399c2f34cb897d]
+
+Signed-off-by: Colin Ian King
+Signed-off-by: Martin Jansa
+---
+ Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index f8f71c54b..23db4c612 100644
+--- a/Makefile
++++ b/Makefile
+@@ -425,7 +425,6 @@ OBJS += $(CONFIG_OBJS)
+ stress-ng: $(OBJS)
+ $(Q)echo "LD $@"
+ $(V)$(CC) $(CPPFLAGS) $(CFLAGS) $(OBJS) -lm $(LDFLAGS) -o $@
+- $(V)sync
+
+ config.h:
+ +$(MAKE) -f Makefile.config STATIC=$(STATIC) -j
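Review bot: The Upstream-Status line in the new patch header cites upstream commit c10e5c3f9f5560a085279f4c4b399c2f34cb897d as a plain Backport, but only the one-line removal of `$(V)sync` from the `stress-ng: $(OBJS)` rule is taken and the subject is changed to "Makefile: avoid calling sync". The "MJ:" paragraph does explain this, yet it would help later upgrades to say in the tag itself that the backport is partial, so it is clear the patch can be dropped once the recipe reaches V0.14.04 or later.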
diff --git a/meta/recipes-extended/stress-ng/stress-ng_0.13.12.bb b/meta/recipes-extended/stress-ng/stress-ng_0.13.12.bb
index 807ecd3466..72dafddaf8 100644
--- a/meta/recipes-extended/stress-ng/stress-ng_0.13.12.bb
+++ b/meta/recipes-extended/stress-ng/stress-ng_0.13.12.bb
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
SRC_URI = "git://github.com/ColinIanKing/stress-ng.git;protocol=https;branch=master \
file://0001-stress-cpu-disable-float128-math-on-powerpc64-to-avo.patch \
+ file://0001-Makefile-avoid-calling-sync.patch \
"
SRCREV = "f59bcb2fe1e25042e77d5e4942f72bfa026fa305"
S = "${WORKDIR}/git"
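Review bot: In SRC_URI the new entry `file://0001-Makefile-avoid-calling-sync.patch` shares the 0001 prefix with the existing `0001-stress-cpu-disable-float128-math-on-powerpc64-to-avo.patch`. The two are listed in a fixed order in SRC_URI, so this is only a style point; renumbering the new one to 0002 would make that order visible from the file names.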
From patchwork Wed Mar 20 16:09:53 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 41308
X-Patchwork-Delegate: steve@sakoman.com
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
(localhost.localdomain [127.0.0.1])
by smtp.lore.kernel.org (Postfix) with ESMTP id A709DC6FD1F
for ; Wed, 20 Mar 2024 16:11:23 +0000 (UTC)
Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com
[209.85.214.175])
by mx.groups.io with SMTP id smtpd.web10.49292.1710951075853360218
for ;
Wed, 20 Mar 2024 09:11:15 -0700
Authentication-Results: mx.groups.io;
dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601
header.b=pW1ur0ty;
spf=softfail (domain: sakoman.com, ip: 209.85.214.175,
mailfrom: steve@sakoman.com)
Received: by mail-pl1-f175.google.com with SMTP id
d9443c01a7336-1dd955753edso56185755ad.1
for ;
Wed, 20 Mar 2024 09:11:15 -0700 (PDT)
X-Received: by 2002:a17:903:22cd:b0:1dd:a7a7:4bc1 with SMTP id
y13-20020a17090322cd00b001dda7a74bc1mr23225969plg.5.1710951074945;
Wed, 20 Mar 2024 09:11:14 -0700 (PDT)
Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41])
by smtp.gmail.com with ESMTPSA id
l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.11.14
for
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 20 Mar 2024 09:11:14 -0700 (PDT)
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 15/15] glibc: Fix subscript typos for
get_nscd_addresses
Date: Wed, 20 Mar 2024 06:09:53 -1000
Message-Id:
<1b5405955c7c2579ed1f52522e2e177d0281fa33.1710950846.git.steve@sakoman.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To:
References:
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
; Wed, 20 Mar 2024 16:11:23 -0000
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/197386
From: Haitao Liu
Fix the following error:
root@intel-x86-64:~# wget -6 http://localhost
--2024-01-12 07:18:42-- http://localhost/
Resolving localhost... failed: No IPv4/IPv6 addresses for host.
wget: unable to resolve host address 'localhost'
Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=29605
Upstream-patch:
https://sourceware.org/git/?p=glibc.git;a=commit;h=c9226c03da0276593a0918eaa9a14835183343e8
Signed-off-by: Haitao Liu
Signed-off-by: Steve Sakoman
---
...dresses-Fix-subscript-typos-BZ-29605.patch | 40 +++++++++++++++++++
meta/recipes-core/glibc/glibc_2.35.bb | 1 +
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch
diff --git a/meta/recipes-core/glibc/glibc/0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch b/meta/recipes-core/glibc/glibc/0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch
new file mode 100644
index 0000000000..629298c23e
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch
@@ -0,0 +1,40 @@
+From 707a878b655395f41b954bbed78008d1d9252f1a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Sonnenberger?=
+Date: Mon, 26 Sep 2022 13:59:16 -0400
+Subject: [PATCH] get_nscd_addresses: Fix subscript typos [BZ #29605]
+
+Fix the subscript on air->family, which was accidentally set to COUNT
+when it should have remained as I.
+
+Resolves: BZ #29605
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=c9226c03da0276593a0918eaa9a14835183343e8]
+
+Reviewed-by: Siddhesh Poyarekar
+Signed-off-by: Haitao Liu
+---
+ sysdeps/posix/getaddrinfo.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index f4c08d6e3b..fa333ad6ec 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -549,11 +549,11 @@ get_nscd_addresses (const char *name, const struct addrinfo *req,
+ at[count].addr[2] = htonl (0xffff);
+ }
+ else if (req->ai_family == AF_UNSPEC
+- || air->family[count] == req->ai_family)
++ || air->family[i] == req->ai_family)
+ {
+- at[count].family = air->family[count];
++ at[count].family = air->family[i];
+ memcpy (at[count].addr, addrs, size);
+- if (air->family[count] == AF_INET6)
++ if (air->family[i] == AF_INET6)
+ res->got_ipv6 = true;
+ }
+ at[count].next = at + count + 1;
+--
+2.35.5
+
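Review bot: The patch header says the subscript on air->family "was accidentally set to COUNT" but not what goes wrong as a result or when this path is taken. All three reads of `air->family[...]` move to `i` while the writes stay on `at[count]`, which matches that description. Since the function is get_nscd_addresses, it would be worth adding a line stating that the `wget -6 http://localhost` failure quoted in the submission's commit message was reproduced with nscd in use and re-tested with the fix, so the backport can be verified on kirkstone.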
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb
index 3ec6610d01..751427517f 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -60,6 +60,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0024-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
\
file://0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch \
+ file://0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch \
"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}"