From patchwork Wed Mar 20 16:09:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41294 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 500A4CD11BF for ; Wed, 20 Mar 2024 16:10:23 +0000 (UTC) Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) by mx.groups.io with SMTP id smtpd.web11.49391.1710951018315086305 for ; Wed, 20 Mar 2024 09:10:18 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=nmspTbVK; spf=softfail (domain: sakoman.com, ip: 209.85.214.177, mailfrom: steve@sakoman.com) Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-1dffa5e3f2dso27388815ad.2 for ; Wed, 20 Mar 2024 09:10:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951017; x=1711555817; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=un6d+Llcm9ogjVszlygMZtzDe+aBKdeo1O6Ef5bR++c=; b=nmspTbVKfOqUf7D3bSJZBVKurAOQFJEVCRIaYEiT1uDAJUCuPhV37AEfKa2IIxSp1B BfJvvRH3QRDR8N58nfH1ZCrbZZWvqJBz9zST8nf3YBY1UGsF/CQ5fkOTV/7n28B8vb67 GgmoKQdS0mh3rm7tj3xmgMBZfKzoJrJYnQFz6DIuwuHFACHHz5gx7g3BurRlvVQtmnJM V43LSpC53DLlKnwB60fQ4eHBgWLs9Yi7zPxuadO0XxpIJFpnXdUXqMiE1p4E8CnrcOO2 hr/2pAX/UHOhCLY7kguhZoRntk5tQ5FaogFb2KWRDdXUaUc+u0xtRY3crwG8KHYNIVeF lFUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951017; x=1711555817; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=un6d+Llcm9ogjVszlygMZtzDe+aBKdeo1O6Ef5bR++c=; b=I2R2lJgIsnk/SUZxQusAOy0DFgdqmDgtqJQ5AcbuVowf4erWrbW95ZM0RN6Y6INpUW RCDtwv5HB745Db3I7FI8Ur7msswMUFhOtrNx3LG3AY3r+m7ccaHp3cYi4UCcz43Nz3LS aWRQOWkELM68110a8+EInLKO1gIWGc7aQ3tVhb2cundee2H6zjheXHcf6z418cZi/Gga GqKkmNOHSUTfqs5Ywdz9ATU2AHpamSpKVfwxcckQtk08EVSSLgXryaUwFBc0dLjejaB+ O+eJHZ5ZYZ0x5GzYs+XuoueF47KkY2fbXfMNpalw/FT/l9t/rS8v/TBvvQelSjL0s32U OkzQ== X-Gm-Message-State: AOJu0YwqHlN3wi9JTb8QiK3gKq8m+IpU1degGGV2eWRsZQS2uwIOWmL7 w2ErAIezA0TQ+xLRRwGVIqDRPuOQeiOx8KlvlPtcfyd93OlS+ZYnwPsWQKdKvimsKZa+4sQ48vS nWHI= X-Google-Smtp-Source: AGHT+IGhvtxHBRtgu3GlB4Airdxvpr5XQZpFACtcWHSmDXM/qglzqt2rBylRvk3ePQKqJznyW1Of6A== X-Received: by 2002:a17:902:b216:b0:1e0:c9a:38c7 with SMTP id t22-20020a170902b21600b001e00c9a38c7mr5421048plr.32.1710951017501; Wed, 20 Mar 2024 09:10:17 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:17 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 01/15] expat: patch CVE-2024-28757 Date: Wed, 20 Mar 2024 06:09:39 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197372 From: Peter Marko Picked patch from https://github.com/libexpat/libexpat/pull/842 which is referenced in the NVD CVE report. Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- .../expat/expat/CVE-2024-28757.patch | 58 +++++++++++++++++++ meta/recipes-core/expat/expat_2.5.0.bb | 1 + 2 files changed, 59 insertions(+) create mode 100755 meta/recipes-core/expat/expat/CVE-2024-28757.patch diff --git a/meta/recipes-core/expat/expat/CVE-2024-28757.patch b/meta/recipes-core/expat/expat/CVE-2024-28757.patch new file mode 100755 index 0000000000..768dab0c84 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2024-28757.patch @@ -0,0 +1,58 @@ +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH] lib/xmlparse.c: Detect billion laughs attack with isolated + external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. + +CVE: CVE-2024-28757 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8] + +Signed-off-by: Peter Marko +--- + lib/xmlparse.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index b884d82b5..d44baa68d 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7655,6 +7655,8 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) { + + static float + accountingGetCurrentAmplification(XML_Parser rootParser) { ++ // 1.........1.........12 => 22 ++ const size_t lenOfShortestInclude = sizeof("") - 1; + const XmlBigCount countBytesOutput + = rootParser->m_accounting.countBytesDirect + + rootParser->m_accounting.countBytesIndirect; +@@ -7662,7 +7664,9 @@ accountingGetCurrentAmplification(XML_Parser rootParser) { + = rootParser->m_accounting.countBytesDirect + ? (countBytesOutput + / (float)(rootParser->m_accounting.countBytesDirect)) +- : 1.0f; ++ : ((lenOfShortestInclude ++ + rootParser->m_accounting.countBytesIndirect) ++ / (float)lenOfShortestInclude); + assert(! rootParser->m_parentParser); + return amplificationFactor; + } diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb index 7080f934d1..eb7ce1436e 100644 --- a/meta/recipes-core/expat/expat_2.5.0.bb +++ b/meta/recipes-core/expat/expat_2.5.0.bb @@ -10,6 +10,7 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}" SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://run-ptest \ + file://CVE-2024-28757.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Wed Mar 20 16:09:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41296 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6381ECD11DD for ; Wed, 20 Mar 2024 16:10:23 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web11.49392.1710951021192993968 for ; Wed, 20 Mar 2024 09:10:21 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Xvr4SqYG; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-1def142ae7bso50463965ad.3 for ; Wed, 20 Mar 2024 09:10:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951020; x=1711555820; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=vXVA/Kas/g6x8w966OzTVzjiYcuRQM/h2A3EY717vMA=; b=Xvr4SqYGW8PsI1Mlp3+gKiRKzTRooOg9NpIVVHQ/aM5/Rmpx7Cpl+vvH9EcSaVqzxT D//8OYD/HluczUrCN8oX/sqHen4FcVsklU2I0aMzOcZBUCuP9se7S1GLHfwmJ10J5MIU aBgzuZkBw4ox/P0PmdfNAWrWzTk5Zdw1Om/uarLKw1e23zECk269tiR1FKnlQNZYQZEW 0YoUySMzFJaoHqNQCM9ogEjSHJ92nU3Bzc4J6aRaexm9bYHvuD25b9ncWD14lwrDKzxQ U1nDtB2+pJC71qfDUnERfRIpuwPyIpJZUMe60G+kqlKy30EKLvW2TXmWqgP1MbHF2RPI 2C4Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951020; x=1711555820; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vXVA/Kas/g6x8w966OzTVzjiYcuRQM/h2A3EY717vMA=; b=eqUhhzOoo0UOaM7yW8qEGaqE7LDTVBtGT+s1QJpyzk0viDTn9vHFxXiKPRMa18zCyc iPfqGBKf5rhcZDdDycBDzLbAAXo/spnsJdLrpyqeS1nzLApHfxLOk83a/McM/Z9CJ8ur XGVSa/kZiPG/B506B8lpaSXfq7tcFYgwoZBpl/CfW96/LUM5AquAYOdMSs8XGVTqp4sa 4qRiPcp12nW7YxN3+cIc4e0wQowcH855d3v0ArNd/2yaYpYL+vH9AIeT1USZTT7DwRk6 nxd355EIv+5mIN96cY1F2eRcaKjHgLcOIG66KQdizunJthkCgZj3lx9SKYwe61QdTMLl WZog== X-Gm-Message-State: AOJu0Yw6SWjse4BAsQy70ja9fgm0jmBz6OlcmD5AMvCiOhvsZdV+sbPK SIxmDDvO+jP3o94gT+jrK7y9g4a4Sot1+Lzb7RMKxuA3yP8otPArbqxf8iGYpm974s7PwYhDCEa L3fI= X-Google-Smtp-Source: AGHT+IGdy1+0vJvnk2HBMmyfZyGTi1cz/PZp6X4DskWO7meLf0U3jZflhDUDblQs26gZQ2m1CDHd6w== X-Received: by 2002:a17:903:11d2:b0:1dd:a50c:200c with SMTP id q18-20020a17090311d200b001dda50c200cmr21688784plh.50.1710951019626; Wed, 20 Mar 2024 09:10:19 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:19 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 02/15] expat: fix CVE-2023-52426 Date: Wed, 20 Mar 2024 06:09:40 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197373 From: Meenali Gupta A flaw was found in Expat (libexpat). If XML_DTD is undefined at compile time, a recursive XML Entity Expansion condition can be triggered.This issue may lead to a condition where data is expanded exponentially, which will quickly consume system resources and cause a denial of service. References: https://nvd.nist.gov/vuln/detail/CVE-2023-52426 https://github.com/libexpat/libexpat/pull/777 Signed-off-by: Meenali Gupta Signed-off-by: Steve Sakoman --- .../expat/expat/CVE-2023-52426-001.patch | 35 ++ .../expat/expat/CVE-2023-52426-002.patch | 72 +++ .../expat/expat/CVE-2023-52426-003.patch | 28 ++ .../expat/expat/CVE-2023-52426-004.patch | 429 ++++++++++++++++++ .../expat/expat/CVE-2023-52426-005.patch | 34 ++ .../expat/expat/CVE-2023-52426-006.patch | 174 +++++++ .../expat/expat/CVE-2023-52426-007.patch | 53 +++ .../expat/expat/CVE-2023-52426-008.patch | 37 ++ .../expat/expat/CVE-2023-52426-009.patch | 354 +++++++++++++++ .../expat/expat/CVE-2023-52426-010.patch | 50 ++ .../expat/expat/CVE-2023-52426-011.patch | 45 ++ meta/recipes-core/expat/expat_2.5.0.bb | 11 + 12 files changed, 1322 insertions(+) create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-001.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-002.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-003.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-004.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-005.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-006.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-007.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-008.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-009.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-010.patch create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52426-011.patch diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-001.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-001.patch new file mode 100644 index 0000000000..c38a334540 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-001.patch @@ -0,0 +1,35 @@ +From cdead241d4f1136c2f38d1b28e95073c59753d30 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 26 Oct 2023 01:40:05 +0200 +Subject: [PATCH] doc/reference.html: Clarify effect of XML_DTD on external + entities + +Defining XML_DTD emnables support for external parameter(!) +entities. External general(!) entities have been supported +even with XML_DTD undefined. (Only now with Expat 2.6.0 +defining XML_GE as 0 can take that away.) + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/cdead241d4f1136c2f38d1b28e95073c59753d30] + +Signed-off-by: Meenali Gupta +--- + doc/reference.html | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/reference.html b/doc/reference.html +index 8b0d47d..a30e462 100644 +--- a/doc/reference.html ++++ b/doc/reference.html +@@ -365,7 +365,7 @@ this is defined, default attribute values from an external DTD subset + are reported and attribute value normalization occurs based on the + type of attributes defined in the external subset. Without + this, Expat has a smaller memory footprint and can be faster, but will +-not load external entities or process conditional sections. If defined, makes ++not load external parameter entities or process conditional sections. If defined, makes + the functions + XML_SetBillionLaughsAttackProtectionMaximumAmplification and +-- +2.40.0 + diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-002.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-002.patch new file mode 100644 index 0000000000..9aedc3010a --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-002.patch @@ -0,0 +1,72 @@ +From daa89e42c005cc7f4f7af9eee271ae0723d30300 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 26 Oct 2023 00:59:52 +0200 + +Subject: [PATCH] cmake: Introduce option EXPAT_GE to control macro XML_GE + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/daa89e42c005cc7f4f7af9eee271ae0723d30300] + +Signed-off-by: Meenali Gupta +--- + CMakeLists.txt | 9 +++++++++ + expat_config.h.cmake | 3 +++ + 2 files changed, 12 insertions(+) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 2b4c13c..416fe96 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -140,6 +140,8 @@ expat_shy_set(EXPAT_CONTEXT_BYTES 1024 CACHE STRING "Define to specify how much + mark_as_advanced(EXPAT_CONTEXT_BYTES) + expat_shy_set(EXPAT_DTD ON CACHE BOOL "Define to make parameter entity parsing functionality available") + mark_as_advanced(EXPAT_DTD) ++expat_shy_set(EXPAT_GE ON CACHE BOOL "Define to make general entity parsing functionality available") ++mark_as_advanced(EXPAT_GE) + expat_shy_set(EXPAT_NS ON CACHE BOOL "Define to make XML Namespaces functionality available") + mark_as_advanced(EXPAT_NS) + expat_shy_set(EXPAT_WARNINGS_AS_ERRORS OFF CACHE BOOL "Treat all compiler warnings as errors") +@@ -172,6 +174,11 @@ endif() + # + # Environment checks + # ++if(EXPAT_DTD AND NOT EXPAT_GE) ++ message(SEND_ERROR "Option EXPAT_DTD requires that EXPAT_GE is also enabled.") ++ message(SEND_ERROR "Please either enable option EXPAT_GE (recommended) or disable EXPAT_DTD also.") ++endif() ++ + if(EXPAT_WITH_LIBBSD) + find_library(LIB_BSD NAMES bsd) + if(NOT LIB_BSD) +@@ -274,6 +281,7 @@ endif() + + _expat_copy_bool_int(EXPAT_ATTR_INFO XML_ATTR_INFO) + _expat_copy_bool_int(EXPAT_DTD XML_DTD) ++_expat_copy_bool_int(EXPAT_GE XML_GE) + _expat_copy_bool_int(EXPAT_LARGE_SIZE XML_LARGE_SIZE) + _expat_copy_bool_int(EXPAT_MIN_SIZE XML_MIN_SIZE) + _expat_copy_bool_int(EXPAT_NS XML_NS) +@@ -893,6 +901,7 @@ message(STATUS " // Advanced options, changes not advised") + message(STATUS " Attributes info .......... ${EXPAT_ATTR_INFO}") + message(STATUS " Context bytes ............ ${EXPAT_CONTEXT_BYTES}") + message(STATUS " DTD support .............. ${EXPAT_DTD}") ++message(STATUS " General entities ......... ${EXPAT_GE}") + message(STATUS " Large size ............... ${EXPAT_LARGE_SIZE}") + message(STATUS " Minimum size ............. ${EXPAT_MIN_SIZE}") + message(STATUS " Namespace support ........ ${EXPAT_NS}") +diff --git a/expat_config.h.cmake b/expat_config.h.cmake +index 78fcb4c..330945e 100644 +--- a/expat_config.h.cmake ++++ b/expat_config.h.cmake +@@ -103,6 +103,9 @@ + /* Define to make parameter entity parsing functionality available. */ + #cmakedefine XML_DTD + ++/* Define as 1/0 to enable/disable support for general entities. */ ++#define XML_GE @XML_GE@ ++ + /* Define to make XML Namespaces functionality available. */ + #cmakedefine XML_NS + +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-003.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-003.patch new file mode 100644 index 0000000000..96a62dcffc --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-003.patch @@ -0,0 +1,28 @@ +From ed87a4793404e91c0cc0c81435fcfcc64a8be9f4 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 26 Oct 2023 00:45:23 +0200 +Subject: [PATCH] configure.ac: Define macro XML_GE as 1 + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/ed87a4793404e91c0cc0c81435fcfcc64a8be9f4] + +Signed-off-by: Meenali Gupta +--- + configure.ac | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/configure.ac b/configure.ac +index d3642de..153bb8e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -295,6 +295,8 @@ AC_SUBST(FILEMAP) + dnl Some basic configuration: + AC_DEFINE([XML_NS], 1, + [Define to make XML Namespaces functionality available.]) ++AC_DEFINE([XML_GE], 1, ++ [Define as 1/0 to enable/disable support for general entities.]) + AC_DEFINE([XML_DTD], 1, + [Define to make parameter entity parsing functionality available.]) + AC_DEFINE([XML_DEV_URANDOM], 1, +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-004.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-004.patch new file mode 100644 index 0000000000..460113caf7 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-004.patch @@ -0,0 +1,429 @@ +From 0f075ec8ecb5e43f8fdca5182f8cca4703da0404 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 26 Oct 2023 00:43:22 +0200 +Subject: [PATCH] lib|xmlwf|cmake: Extend scope of billion laughs attack + protection + +.. from "defined(XML_DTD)" to "defined(XML_DTD) || XML_GE==1". + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404] + +Signed-off-by: Meenali Gupta +--- + CMakeLists.txt | 8 ++++- + lib/expat.h | 8 +++-- + lib/internal.h | 2 +- + lib/libexpat.def.cmake | 4 +-- + lib/xmlparse.c | 71 ++++++++++++++++++++++-------------------- + xmlwf/xmlwf.c | 18 ++++++----- + 6 files changed, 62 insertions(+), 49 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 416fe96..e6939e2 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -389,7 +389,13 @@ if(EXPAT_SHARED_LIBS) + endif() + endmacro() + +- _expat_def_file_toggle(EXPAT_DTD _EXPAT_COMMENT_DTD) ++ if(EXPAT_DTD OR EXPAT_GE) ++ set(_EXPAT_DTD_OR_GE TRUE) ++ else() ++ set(_EXPAT_DTD_OR_GE FALSE) ++ endif() ++ ++ _expat_def_file_toggle(_EXPAT_DTD_OR_GE _EXPAT_COMMENT_DTD_OR_GE) + _expat_def_file_toggle(EXPAT_ATTR_INFO _EXPAT_COMMENT_ATTR_INFO) + + configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lib/libexpat.def.cmake" "${CMAKE_CURRENT_BINARY_DIR}/lib/libexpat.def") +diff --git a/lib/expat.h b/lib/expat.h +index 1c83563..33c94af 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -1038,13 +1038,15 @@ typedef struct { + XMLPARSEAPI(const XML_Feature *) + XML_GetFeatureList(void); + +-#ifdef XML_DTD +-/* Added in Expat 2.4.0. */ ++#if defined(XML_DTD) || XML_GE == 1 ++/* Added in Expat 2.4.0 for XML_DTD defined and ++ * added in Expat 2.6.0 for XML_GE == 1. */ + XMLPARSEAPI(XML_Bool) + XML_SetBillionLaughsAttackProtectionMaximumAmplification( + XML_Parser parser, float maximumAmplificationFactor); + +-/* Added in Expat 2.4.0. */ ++/* Added in Expat 2.4.0 for XML_DTD defined and ++ * added in Expat 2.6.0 for XML_GE == 1. */ + XMLPARSEAPI(XML_Bool) + XML_SetBillionLaughsAttackProtectionActivationThreshold( + XML_Parser parser, unsigned long long activationThresholdBytes); +diff --git a/lib/internal.h b/lib/internal.h +index e09f533..1851925 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -154,7 +154,7 @@ extern "C" { + void _INTERNAL_trim_to_complete_utf8_characters(const char *from, + const char **fromLimRef); + +-#if defined(XML_DTD) ++#if defined(XML_DTD) || XML_GE == 1 + unsigned long long testingAccountingGetCountBytesDirect(XML_Parser parser); + unsigned long long testingAccountingGetCountBytesIndirect(XML_Parser parser); + const char *unsignedCharToPrintable(unsigned char c); +diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake +index cf434a2..61a4f00 100644 +--- a/lib/libexpat.def.cmake ++++ b/lib/libexpat.def.cmake +@@ -75,5 +75,5 @@ EXPORTS + XML_SetHashSalt @67 + ; internal @68 removed with version 2.3.1 + ; added with version 2.4.0 +-@_EXPAT_COMMENT_DTD@ XML_SetBillionLaughsAttackProtectionActivationThreshold @69 +-@_EXPAT_COMMENT_DTD@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 ++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionActivationThreshold @69 ++@_EXPAT_COMMENT_DTD_OR_GE@ XML_SetBillionLaughsAttackProtectionMaximumAmplification @70 +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index b6c2eca..e23441e 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -408,7 +408,7 @@ enum XML_Account { + XML_ACCOUNT_NONE /* i.e. do not account, was accounted already */ + }; + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + typedef unsigned long long XmlBigCount; + typedef struct accounting { + XmlBigCount countBytesDirect; +@@ -424,7 +424,7 @@ typedef struct entity_stats { + unsigned int maximumDepthSeen; + int debugLevel; + } ENTITY_STATS; +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + + typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const char *start, + const char *end, const char **endPtr); +@@ -562,7 +562,7 @@ static XML_Parser parserCreate(const XML_Char *encodingName, + + static void parserInit(XML_Parser parser, const XML_Char *encodingName); + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + static float accountingGetCurrentAmplification(XML_Parser rootParser); + static void accountingReportStats(XML_Parser originParser, const char *epilog); + static void accountingOnAbort(XML_Parser originParser); +@@ -585,7 +585,7 @@ static void entityTrackingOnClose(XML_Parser parser, ENTITY *entity, + + static XML_Parser getRootParserOf(XML_Parser parser, + unsigned int *outLevelDiff); +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + + static unsigned long getDebugLevel(const char *variableName, + unsigned long defaultDebugLevel); +@@ -703,7 +703,7 @@ struct XML_ParserStruct { + enum XML_ParamEntityParsing m_paramEntityParsing; + #endif + unsigned long m_hash_secret_salt; +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + ACCOUNTING m_accounting; + ENTITY_STATS m_entity_stats; + #endif +@@ -1163,7 +1163,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + #endif + parser->m_hash_secret_salt = 0; + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + memset(&parser->m_accounting, 0, sizeof(ACCOUNTING)); + parser->m_accounting.debugLevel = getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u); + parser->m_accounting.maximumAmplificationFactor +@@ -2522,8 +2522,9 @@ XML_GetFeatureList(void) { + #ifdef XML_ATTR_INFO + {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0}, + #endif +-#ifdef XML_DTD +- /* Added in Expat 2.4.0. */ ++#if defined(XML_DTD) || XML_GE == 1 ++ /* Added in Expat 2.4.0 for XML_DTD defined and ++ * added in Expat 2.6.0 for XML_GE == 1. */ + {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT, + XML_L("XML_BLAP_MAX_AMP"), + (long int) +@@ -2537,7 +2538,7 @@ XML_GetFeatureList(void) { + return features; + } + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + XML_Bool XMLCALL + XML_SetBillionLaughsAttackProtectionMaximumAmplification( + XML_Parser parser, float maximumAmplificationFactor) { +@@ -2559,7 +2560,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold( + parser->m_accounting.activationThresholdBytes = activationThresholdBytes; + return XML_TRUE; + } +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + + /* Initially tag->rawName always points into the parse buffer; + for those TAG instances opened while the current parse buffer was +@@ -2645,13 +2646,13 @@ externalEntityInitProcessor2(XML_Parser parser, const char *start, + int tok = XmlContentTok(parser->m_encoding, start, end, &next); + switch (tok) { + case XML_TOK_BOM: +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, start, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; + } +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + + /* If we are at the end of the buffer, this would cause the next stage, + i.e. externalEntityInitProcessor3, to pass control directly to +@@ -2765,7 +2766,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + for (;;) { + const char *next = s; /* XmlContentTok doesn't always set the last arg */ + int tok = XmlContentTok(enc, s, end, &next); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + const char *accountAfter + = ((tok == XML_TOK_TRAILING_RSQB) || (tok == XML_TOK_TRAILING_CR)) + ? (haveMore ? s /* i.e. 0 bytes */ : end) +@@ -2831,14 +2832,14 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + XML_Char ch = (XML_Char)XmlPredefinedEntityName( + enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar); + if (ch) { +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + /* NOTE: We are replacing 4-6 characters original input for 1 character + * so there is no amplification and hence recording without + * protection. */ + accountingDiffTolerated(parser, tok, (char *)&ch, + ((char *)&ch) + sizeof(XML_Char), __LINE__, + XML_ACCOUNT_ENTITY_EXPANSION); +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + if (parser->m_characterDataHandler) + parser->m_characterDataHandler(parser->m_handlerArg, &ch, 1); + else if (parser->m_defaultHandler) +@@ -4040,7 +4041,7 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr, + for (;;) { + const char *next = s; /* in case of XML_TOK_NONE or XML_TOK_PARTIAL */ + int tok = XmlCdataSectionTok(enc, s, end, &next); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) { + accountingOnAbort(parser); + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; +@@ -4192,7 +4193,7 @@ doIgnoreSection(XML_Parser parser, const ENCODING *enc, const char **startPtr, + *eventPP = s; + *startPtr = NULL; + tok = XmlIgnoreSectionTok(enc, s, end, &next); +-# ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -4284,7 +4285,7 @@ processXmlDecl(XML_Parser parser, int isGeneralTextEntity, const char *s, + const XML_Char *storedversion = NULL; + int standalone = -1; + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -4491,7 +4492,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end, + */ + else if (tok == XML_TOK_BOM && next == end + && ! parser->m_parsingStatus.finalBuffer) { +-# ifdef XML_DTD ++# if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -4707,11 +4708,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + } + } + role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + switch (role) { + case XML_ROLE_INSTANCE_START: // bytes accounted in contentProcessor + case XML_ROLE_XML_DECL: // bytes accounted in processXmlDecl +- case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl ++ # ifdef XML_DTD ++ case XML_ROLE_TEXT_DECL: // bytes accounted in processXmlDecl ++# endif + break; + default: + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) { +@@ -5648,7 +5651,7 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end, + for (;;) { + const char *next = NULL; + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -5728,7 +5731,7 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) { + return XML_ERROR_NO_MEMORY; + } + entity->open = XML_TRUE; +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + entityTrackingOnOpen(parser, entity, __LINE__); + #endif + entity->processed = 0; +@@ -5762,9 +5765,9 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) { + entity->processed = (int)(next - textStart); + parser->m_processor = internalEntityProcessor; + } else { +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + entityTrackingOnClose(parser, entity, __LINE__); +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + entity->open = XML_FALSE; + parser->m_openInternalEntities = openEntity->next; + /* put openEntity back in list of free instances */ +@@ -5813,7 +5816,7 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + return result; + } + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + entityTrackingOnClose(parser, entity, __LINE__); + #endif + entity->open = XML_FALSE; +@@ -5892,7 +5895,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + const char *next + = ptr; /* XmlAttributeValueTok doesn't always set the last arg */ + int tok = XmlAttributeValueTok(enc, ptr, end, &next); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, account)) { + accountingOnAbort(parser); + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; +@@ -5957,14 +5960,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + XML_Char ch = (XML_Char)XmlPredefinedEntityName( + enc, ptr + enc->minBytesPerChar, next - enc->minBytesPerChar); + if (ch) { +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + /* NOTE: We are replacing 4-6 characters original input for 1 character + * so there is no amplification and hence recording without + * protection. */ + accountingDiffTolerated(parser, tok, (char *)&ch, + ((char *)&ch) + sizeof(XML_Char), __LINE__, + XML_ACCOUNT_ENTITY_EXPANSION); +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + if (! poolAppendChar(pool, ch)) + return XML_ERROR_NO_MEMORY; + break; +@@ -6042,14 +6045,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + enum XML_Error result; + const XML_Char *textEnd = entity->textPtr + entity->textLen; + entity->open = XML_TRUE; +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + entityTrackingOnOpen(parser, entity, __LINE__); + #endif + result = appendAttributeValue(parser, parser->m_internalEncoding, + isCdata, (const char *)entity->textPtr, + (const char *)textEnd, pool, + XML_ACCOUNT_ENTITY_EXPANSION); +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + entityTrackingOnClose(parser, entity, __LINE__); + #endif + entity->open = XML_FALSE; +@@ -6105,7 +6108,7 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */ + int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next); + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__, + account)) { + accountingOnAbort(parser); +@@ -7651,7 +7654,7 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) { + return result; + } + +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + + static float + accountingGetCurrentAmplification(XML_Parser rootParser) { +@@ -8382,7 +8385,7 @@ unsignedCharToPrintable(unsigned char c) { + assert(0); /* never gets here */ + } + +-#endif /* XML_DTD */ ++#endif /* defined(XML_DTD) || XML_GE == 1 */ + + static unsigned long + getDebugLevel(const char *variableName, unsigned long defaultDebugLevel) { +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index 471f2a2..be23f5a 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -1062,9 +1062,10 @@ tmain(int argc, XML_Char **argv) { + " (needs a floating point number greater or equal than 1.0)")); + exit(XMLWF_EXIT_USAGE_ERROR); + } +-#ifndef XML_DTD +- ftprintf(stderr, T("Warning: Given amplification limit ignored") T( +- ", xmlwf has been compiled without DTD support.\n")); ++#if ! defined(XML_DTD) && XML_GE == 0 ++ ftprintf(stderr, ++ T("Warning: Given amplification limit ignored") ++ T(", xmlwf has been compiled without DTD/GE support.\n")); + #endif + break; + } +@@ -1083,9 +1084,10 @@ tmain(int argc, XML_Char **argv) { + exit(XMLWF_EXIT_USAGE_ERROR); + } + attackThresholdGiven = XML_TRUE; +-#ifndef XML_DTD +- ftprintf(stderr, T("Warning: Given attack threshold ignored") T( +- ", xmlwf has been compiled without DTD support.\n")); ++#if ! defined(XML_DTD) && XML_GE == 0 ++ ftprintf(stderr, ++ T("Warning: Given attack threshold ignored") ++ T(", xmlwf has been compiled without DTD/GE support.\n")); + #endif + break; + } +@@ -1120,13 +1122,13 @@ tmain(int argc, XML_Char **argv) { + } + + if (attackMaximumAmplification != -1.0f) { +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + XML_SetBillionLaughsAttackProtectionMaximumAmplification( + parser, attackMaximumAmplification); + #endif + } + if (attackThresholdGiven) { +-#ifdef XML_DTD ++#if defined(XML_DTD) || XML_GE == 1 + XML_SetBillionLaughsAttackProtectionActivationThreshold( + parser, attackThresholdBytes); + #else +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-005.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-005.patch new file mode 100644 index 0000000000..1e8223fff0 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-005.patch @@ -0,0 +1,34 @@ +From b0975cb73a41869fbecf0fa55afd35b69b64cc50 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 26 Oct 2023 00:47:52 +0200 +Subject: [PATCH] lib: Fail the build if XML_GE is not set to 1 or 0 + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/b0975cb73a41869fbecf0fa55afd35b69b64cc50] + +Signed-off-by: Meenali Gupta +--- + lib/xmlparse.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index e23441e..ac3efe1 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -62,6 +62,14 @@ + + #include + ++#if ! defined(XML_GE) || (1 - XML_GE - 1 == 2) || (XML_GE < 0) || (XML_GE > 1) ++# error XML_GE (for general entities) must be defined, non-empty, either 1 or 0 (0 to disable, 1 to enable; 1 is a common default) ++#endif ++ ++#if defined(XML_DTD) && XML_GE == 0 ++# error Either undefine XML_DTD or define XML_GE to 1. ++#endif ++ + #if ! defined(_GNU_SOURCE) + # define _GNU_SOURCE 1 /* syscall prototype */ + #endif +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-006.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-006.patch new file mode 100644 index 0000000000..d1ab52fa32 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-006.patch @@ -0,0 +1,174 @@ +From 2b127c20b220b673cf52c6be8bef725bf04cbeaf Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 26 Oct 2023 18:32:11 +0200 +Subject: [PATCH] lib: Make XML_GE==0 use self-references as entity replacement + text + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2b127c20b220b673cf52c6be8bef725bf04cbeaf] + +Signed-off-by: Meenali Gupta +--- + lib/xmlparse.c | 79 +++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 71 insertions(+), 8 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index ac3efe1..c479174 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -504,9 +504,13 @@ static enum XML_Error appendAttributeValue(XML_Parser parser, const ENCODING *, + static ATTRIBUTE_ID *getAttributeId(XML_Parser parser, const ENCODING *enc, + const char *start, const char *end); + static int setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *); ++#if XML_GE == 1 + static enum XML_Error storeEntityValue(XML_Parser parser, const ENCODING *enc, + const char *start, const char *end, + enum XML_Account account); ++#else ++static enum XML_Error storeSelfEntityValue(XML_Parser parser, ENTITY *entity); ++#endif + static int reportProcessingInstruction(XML_Parser parser, const ENCODING *enc, + const char *start, const char *end); + static int reportComment(XML_Parser parser, const ENCODING *enc, +@@ -5040,6 +5044,9 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + break; + case XML_ROLE_ENTITY_VALUE: + if (dtd->keepProcessing) { ++#if defined(XML_DTD) || XML_GE == 1 ++ // This will store the given replacement text in ++ // parser->m_declEntity->textPtr. + enum XML_Error result + = storeEntityValue(parser, enc, s + enc->minBytesPerChar, + next - enc->minBytesPerChar, XML_ACCOUNT_NONE); +@@ -5060,6 +5067,25 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + poolDiscard(&dtd->entityValuePool); + if (result != XML_ERROR_NONE) + return result; ++#else ++ // This will store "&entity123;" in parser->m_declEntity->textPtr ++ // to end up as "&entity123;" in the handler. ++ if (parser->m_declEntity != NULL) { ++ const enum XML_Error result ++ = storeSelfEntityValue(parser, parser->m_declEntity); ++ if (result != XML_ERROR_NONE) ++ return result; ++ ++ if (parser->m_entityDeclHandler) { ++ *eventEndPP = s; ++ parser->m_entityDeclHandler( ++ parser->m_handlerArg, parser->m_declEntity->name, ++ parser->m_declEntity->is_param, parser->m_declEntity->textPtr, ++ parser->m_declEntity->textLen, parser->m_curBase, 0, 0, 0); ++ handleDefault = XML_FALSE; ++ } ++ } ++#endif + } + break; + case XML_ROLE_DOCTYPE_SYSTEM_ID: +@@ -5102,6 +5128,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + #endif /* XML_DTD */ + /* fall through */ + case XML_ROLE_ENTITY_SYSTEM_ID: ++#if XML_GE == 0 ++ // This will store "&entity123;" in entity->textPtr ++ // to end up as "&entity123;" in the handler. ++ if (parser->m_declEntity != NULL) { ++ const enum XML_Error result ++ = storeSelfEntityValue(parser, parser->m_declEntity); ++ if (result != XML_ERROR_NONE) ++ return result; ++ } ++#endif + if (dtd->keepProcessing && parser->m_declEntity) { + parser->m_declEntity->systemId + = poolStoreString(&dtd->pool, enc, s + enc->minBytesPerChar, +@@ -6090,6 +6126,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + /* not reached */ + } + ++#if XML_GE == 1 + static enum XML_Error + storeEntityValue(XML_Parser parser, const ENCODING *enc, + const char *entityTextPtr, const char *entityTextEnd, +@@ -6097,12 +6134,12 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + DTD *const dtd = parser->m_dtd; /* save one level of indirection */ + STRING_POOL *pool = &(dtd->entityValuePool); + enum XML_Error result = XML_ERROR_NONE; +-#ifdef XML_DTD ++# ifdef XML_DTD + int oldInEntityValue = parser->m_prologState.inEntityValue; + parser->m_prologState.inEntityValue = 1; +-#else ++# else + UNUSED_P(account); +-#endif /* XML_DTD */ ++# endif /* XML_DTD */ + /* never return Null for the value argument in EntityDeclHandler, + since this would indicate an external entity; therefore we + have to make sure that entityValuePool.start is not null */ +@@ -6116,18 +6153,18 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */ + int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next); + +-#if defined(XML_DTD) || XML_GE == 1 ++# if defined(XML_DTD) || XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__, + account)) { + accountingOnAbort(parser); + result = XML_ERROR_AMPLIFICATION_LIMIT_BREACH; + goto endEntityValue; + } +-#endif ++# endif + + switch (tok) { + case XML_TOK_PARAM_ENTITY_REF: +-#ifdef XML_DTD ++# ifdef XML_DTD + if (parser->m_isParamEntity || enc != parser->m_encoding) { + const XML_Char *name; + ENTITY *entity; +@@ -6270,12 +6307,38 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + entityTextPtr = next; + } + endEntityValue: +-#ifdef XML_DTD ++# ifdef XML_DTD + parser->m_prologState.inEntityValue = oldInEntityValue; +-#endif /* XML_DTD */ ++# endif /* XML_DTD */ + return result; + } + ++#else /* XML_GE == 0 */ ++ ++static enum XML_Error ++storeSelfEntityValue(XML_Parser parser, ENTITY *entity) { ++ // This will store "&entity123;" in entity->textPtr ++ // to end up as "&entity123;" in the handler. ++ const char *const entity_start = "&"; ++ const char *const entity_end = ";"; ++ ++ STRING_POOL *const pool = &(parser->m_dtd->entityValuePool); ++ if (! poolAppendString(pool, entity_start) ++ || ! poolAppendString(pool, entity->name) ++ || ! poolAppendString(pool, entity_end)) { ++ poolDiscard(pool); ++ return XML_ERROR_NO_MEMORY; ++ } ++ ++ entity->textPtr = poolStart(pool); ++ entity->textLen = (int)(poolLength(pool)); ++ poolFinish(pool); ++ ++ return XML_ERROR_NONE; ++} ++ ++#endif /* XML_GE == 0 */ ++ + static void FASTCALL + normalizeLines(XML_Char *s) { + XML_Char *p; +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-007.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-007.patch new file mode 100644 index 0000000000..a141bbf915 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-007.patch @@ -0,0 +1,53 @@ +From d3f7bbd37bef2565d64f31b549e197a3a414574e Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 26 Oct 2023 01:39:39 +0200 +Subject: [PATCH] doc/reference.html: Document build time macro XML_GE + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/d3f7bbd37bef2565d64f31b549e197a3a414574e] + +Signed-off-by: Meenali Gupta +--- + doc/reference.html | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/doc/reference.html b/doc/reference.html +index 8b0d47d..74ba012 100644 +--- a/doc/reference.html ++++ b/doc/reference.html +@@ -359,6 +359,33 @@ and the definition of character types in the case of + XML_UNICODE_WCHAR_T. The symbols are:

+ +
++
XML_GE
++
++Added in Expat 2.6.0. ++Include support for ++general entities ++(syntax &e1; to reference and ++syntax <!ENTITY e1 'value1'> (an internal general entity) or ++<!ENTITY e2 SYSTEM 'file2'> (an external general entity) to declare). ++With XML_GE enabled, general entities will be replaced by their declared replacement text; ++for this to work for external general entities, in addition an ++XML_ExternalEntityRefHandler must be set using ++XML_SetExternalEntityRefHandler. ++Also, enabling XML_GE makes ++the functions ++XML_SetBillionLaughsAttackProtectionMaximumAmplification and ++ ++XML_SetBillionLaughsAttackProtectionActivationThreshold available. ++
++With XML_GE disabled, Expat has a smaller memory footprint and can be faster, but will ++not load external general entities and will replace all general entities ++(except the predefined five: ++amp, apos, gt, lt, quot) ++with a self-reference: ++for example, referencing an entity e1 via &e1; will be replaced ++by text &e1;. ++
++ +
XML_DTD
+
Include support for using and reporting DTD-based content. If + this is defined, default attribute values from an external DTD subset +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-008.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-008.patch new file mode 100644 index 0000000000..d07c62ccf0 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-008.patch @@ -0,0 +1,37 @@ +From 2848dc4e7067de503934b388717e7a3d8d0c5bca Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Fri, 27 Oct 2023 18:45:50 +0200 +Subject: [PATCH] Simplify "! defined(XML_DTD) && XML_GE == 0" to "XML_GE == 0" + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/2848dc4e7067de503934b388717e7a3d8d0c5bca] + +Signed-off-by: Meenali Gupta +--- + xmlwf/xmlwf.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index be23f5a..04ca759 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -1062,7 +1062,7 @@ tmain(int argc, XML_Char **argv) { + " (needs a floating point number greater or equal than 1.0)")); + exit(XMLWF_EXIT_USAGE_ERROR); + } +-#if ! defined(XML_DTD) && XML_GE == 0 ++#if XML_GE == 0 + ftprintf(stderr, + T("Warning: Given amplification limit ignored") + T(", xmlwf has been compiled without DTD/GE support.\n")); +@@ -1084,7 +1084,7 @@ tmain(int argc, XML_Char **argv) { + exit(XMLWF_EXIT_USAGE_ERROR); + } + attackThresholdGiven = XML_TRUE; +-#if ! defined(XML_DTD) && XML_GE == 0 ++#if XML_GE == 0 + ftprintf(stderr, + T("Warning: Given attack threshold ignored") + T(", xmlwf has been compiled without DTD/GE support.\n")); +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-009.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-009.patch new file mode 100644 index 0000000000..99460249c0 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-009.patch @@ -0,0 +1,354 @@ +From caa27198637683b15d810737bb8a6a81af19bfa5 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Fri, 27 Oct 2023 18:47:37 +0200 +Subject: [PATCH] Simplify "defined(XML_DTD) || XML_GE == 1" to "XML_GE == 1" + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/caa27198637683b15d810737bb8a6a81af19bfa5] + +Signed-off-by: Meenali Gupta +--- + lib/expat.h | 2 +- + lib/internal.h | 2 +- + lib/xmlparse.c | 66 +++++++++++++++++++++++++------------------------- + xmlwf/xmlwf.c | 4 +-- + 4 files changed, 37 insertions(+), 37 deletions(-) + +diff --git a/lib/expat.h b/lib/expat.h +index 33c94af..fa2eb45 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -1038,7 +1038,7 @@ typedef struct { + XMLPARSEAPI(const XML_Feature *) + XML_GetFeatureList(void); + +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + /* Added in Expat 2.4.0 for XML_DTD defined and + * added in Expat 2.6.0 for XML_GE == 1. */ + XMLPARSEAPI(XML_Bool) +diff --git a/lib/internal.h b/lib/internal.h +index 1851925..03c8fde 100644 +--- a/lib/internal.h ++++ b/lib/internal.h +@@ -154,7 +154,7 @@ extern "C" { + void _INTERNAL_trim_to_complete_utf8_characters(const char *from, + const char **fromLimRef); + +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + unsigned long long testingAccountingGetCountBytesDirect(XML_Parser parser); + unsigned long long testingAccountingGetCountBytesIndirect(XML_Parser parser); + const char *unsignedCharToPrintable(unsigned char c); +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index c479174..2d8f4c0 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -416,7 +416,7 @@ enum XML_Account { + XML_ACCOUNT_NONE /* i.e. do not account, was accounted already */ + }; + +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + typedef unsigned long long XmlBigCount; + typedef struct accounting { + XmlBigCount countBytesDirect; +@@ -432,7 +432,7 @@ typedef struct entity_stats { + unsigned int maximumDepthSeen; + int debugLevel; + } ENTITY_STATS; +-#endif /* defined(XML_DTD) || XML_GE == 1 */ ++#endif /* XML_GE == 1 */ + + typedef enum XML_Error PTRCALL Processor(XML_Parser parser, const char *start, + const char *end, const char **endPtr); +@@ -574,7 +574,7 @@ static XML_Parser parserCreate(const XML_Char *encodingName, + + static void parserInit(XML_Parser parser, const XML_Char *encodingName); + +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + static float accountingGetCurrentAmplification(XML_Parser rootParser); + static void accountingReportStats(XML_Parser originParser, const char *epilog); + static void accountingOnAbort(XML_Parser originParser); +@@ -597,7 +597,7 @@ static void entityTrackingOnClose(XML_Parser parser, ENTITY *entity, + + static XML_Parser getRootParserOf(XML_Parser parser, + unsigned int *outLevelDiff); +-#endif /* defined(XML_DTD) || XML_GE == 1 */ ++#endif /* XML_GE == 1 */ + + static unsigned long getDebugLevel(const char *variableName, + unsigned long defaultDebugLevel); +@@ -715,7 +715,7 @@ struct XML_ParserStruct { + enum XML_ParamEntityParsing m_paramEntityParsing; + #endif + unsigned long m_hash_secret_salt; +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + ACCOUNTING m_accounting; + ENTITY_STATS m_entity_stats; + #endif +@@ -1175,7 +1175,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) { + #endif + parser->m_hash_secret_salt = 0; + +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + memset(&parser->m_accounting, 0, sizeof(ACCOUNTING)); + parser->m_accounting.debugLevel = getDebugLevel("EXPAT_ACCOUNTING_DEBUG", 0u); + parser->m_accounting.maximumAmplificationFactor +@@ -2534,7 +2534,7 @@ XML_GetFeatureList(void) { + #ifdef XML_ATTR_INFO + {XML_FEATURE_ATTR_INFO, XML_L("XML_ATTR_INFO"), 0}, + #endif +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + /* Added in Expat 2.4.0 for XML_DTD defined and + * added in Expat 2.6.0 for XML_GE == 1. */ + {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT, +@@ -2550,7 +2550,7 @@ XML_GetFeatureList(void) { + return features; + } + +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + XML_Bool XMLCALL + XML_SetBillionLaughsAttackProtectionMaximumAmplification( + XML_Parser parser, float maximumAmplificationFactor) { +@@ -2572,7 +2572,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold( + parser->m_accounting.activationThresholdBytes = activationThresholdBytes; + return XML_TRUE; + } +-#endif /* defined(XML_DTD) || XML_GE == 1 */ ++#endif /* XML_GE == 1 */ + + /* Initially tag->rawName always points into the parse buffer; + for those TAG instances opened while the current parse buffer was +@@ -2658,13 +2658,13 @@ externalEntityInitProcessor2(XML_Parser parser, const char *start, + int tok = XmlContentTok(parser->m_encoding, start, end, &next); + switch (tok) { + case XML_TOK_BOM: +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, start, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; + } +-#endif /* defined(XML_DTD) || XML_GE == 1 */ ++#endif /* XML_GE == 1 */ + + /* If we are at the end of the buffer, this would cause the next stage, + i.e. externalEntityInitProcessor3, to pass control directly to +@@ -2778,7 +2778,7 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + for (;;) { + const char *next = s; /* XmlContentTok doesn't always set the last arg */ + int tok = XmlContentTok(enc, s, end, &next); +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + const char *accountAfter + = ((tok == XML_TOK_TRAILING_RSQB) || (tok == XML_TOK_TRAILING_CR)) + ? (haveMore ? s /* i.e. 0 bytes */ : end) +@@ -2844,14 +2844,14 @@ doContent(XML_Parser parser, int startTagLevel, const ENCODING *enc, + XML_Char ch = (XML_Char)XmlPredefinedEntityName( + enc, s + enc->minBytesPerChar, next - enc->minBytesPerChar); + if (ch) { +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + /* NOTE: We are replacing 4-6 characters original input for 1 character + * so there is no amplification and hence recording without + * protection. */ + accountingDiffTolerated(parser, tok, (char *)&ch, + ((char *)&ch) + sizeof(XML_Char), __LINE__, + XML_ACCOUNT_ENTITY_EXPANSION); +-#endif /* defined(XML_DTD) || XML_GE == 1 */ ++#endif /* XML_GE == 1 */ + if (parser->m_characterDataHandler) + parser->m_characterDataHandler(parser->m_handlerArg, &ch, 1); + else if (parser->m_defaultHandler) +@@ -4053,7 +4053,7 @@ doCdataSection(XML_Parser parser, const ENCODING *enc, const char **startPtr, + for (;;) { + const char *next = s; /* in case of XML_TOK_NONE or XML_TOK_PARTIAL */ + int tok = XmlCdataSectionTok(enc, s, end, &next); +-#if defined(XML_DTD) || XML_GE == 1 ++# if XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, account)) { + accountingOnAbort(parser); + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; +@@ -4205,7 +4205,7 @@ doIgnoreSection(XML_Parser parser, const ENCODING *enc, const char **startPtr, + *eventPP = s; + *startPtr = NULL; + tok = XmlIgnoreSectionTok(enc, s, end, &next); +-#if defined(XML_DTD) || XML_GE == 1 ++# if XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -4297,7 +4297,7 @@ processXmlDecl(XML_Parser parser, int isGeneralTextEntity, const char *s, + const XML_Char *storedversion = NULL; + int standalone = -1; + +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + if (! accountingDiffTolerated(parser, XML_TOK_XML_DECL, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -4504,7 +4504,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end, + */ + else if (tok == XML_TOK_BOM && next == end + && ! parser->m_parsingStatus.finalBuffer) { +-# if defined(XML_DTD) || XML_GE == 1 ++# if XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -4720,7 +4720,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + } + } + role = XmlTokenRole(&parser->m_prologState, tok, s, next, enc); +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + switch (role) { + case XML_ROLE_INSTANCE_START: // bytes accounted in contentProcessor + case XML_ROLE_XML_DECL: // bytes accounted in processXmlDecl +@@ -5044,7 +5044,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, + break; + case XML_ROLE_ENTITY_VALUE: + if (dtd->keepProcessing) { +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + // This will store the given replacement text in + // parser->m_declEntity->textPtr. + enum XML_Error result +@@ -5695,7 +5695,7 @@ epilogProcessor(XML_Parser parser, const char *s, const char *end, + for (;;) { + const char *next = NULL; + int tok = XmlPrologTok(parser->m_encoding, s, end, &next); +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, s, next, __LINE__, + XML_ACCOUNT_DIRECT)) { + accountingOnAbort(parser); +@@ -5775,7 +5775,7 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) { + return XML_ERROR_NO_MEMORY; + } + entity->open = XML_TRUE; +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + entityTrackingOnOpen(parser, entity, __LINE__); + #endif + entity->processed = 0; +@@ -5809,9 +5809,9 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl) { + entity->processed = (int)(next - textStart); + parser->m_processor = internalEntityProcessor; + } else { +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + entityTrackingOnClose(parser, entity, __LINE__); +-#endif /* defined(XML_DTD) || XML_GE == 1 */ ++#endif /* XML_GE == 1 */ + entity->open = XML_FALSE; + parser->m_openInternalEntities = openEntity->next; + /* put openEntity back in list of free instances */ +@@ -5860,7 +5860,7 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end, + return result; + } + +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + entityTrackingOnClose(parser, entity, __LINE__); + #endif + entity->open = XML_FALSE; +@@ -5939,7 +5939,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + const char *next + = ptr; /* XmlAttributeValueTok doesn't always set the last arg */ + int tok = XmlAttributeValueTok(enc, ptr, end, &next); +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, ptr, next, __LINE__, account)) { + accountingOnAbort(parser); + return XML_ERROR_AMPLIFICATION_LIMIT_BREACH; +@@ -6004,14 +6004,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + XML_Char ch = (XML_Char)XmlPredefinedEntityName( + enc, ptr + enc->minBytesPerChar, next - enc->minBytesPerChar); + if (ch) { +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + /* NOTE: We are replacing 4-6 characters original input for 1 character + * so there is no amplification and hence recording without + * protection. */ + accountingDiffTolerated(parser, tok, (char *)&ch, + ((char *)&ch) + sizeof(XML_Char), __LINE__, + XML_ACCOUNT_ENTITY_EXPANSION); +-#endif /* defined(XML_DTD) || XML_GE == 1 */ ++#endif /* XML_GE == 1 */ + if (! poolAppendChar(pool, ch)) + return XML_ERROR_NO_MEMORY; + break; +@@ -6089,14 +6089,14 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata, + enum XML_Error result; + const XML_Char *textEnd = entity->textPtr + entity->textLen; + entity->open = XML_TRUE; +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + entityTrackingOnOpen(parser, entity, __LINE__); + #endif + result = appendAttributeValue(parser, parser->m_internalEncoding, + isCdata, (const char *)entity->textPtr, + (const char *)textEnd, pool, + XML_ACCOUNT_ENTITY_EXPANSION); +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + entityTrackingOnClose(parser, entity, __LINE__); + #endif + entity->open = XML_FALSE; +@@ -6153,7 +6153,7 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */ + int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next); + +-# if defined(XML_DTD) || XML_GE == 1 ++# if XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__, + account)) { + accountingOnAbort(parser); +@@ -7725,7 +7725,7 @@ copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) { + return result; + } + +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + + static float + accountingGetCurrentAmplification(XML_Parser rootParser) { +@@ -8456,7 +8456,7 @@ unsignedCharToPrintable(unsigned char c) { + assert(0); /* never gets here */ + } + +-#endif /* defined(XML_DTD) || XML_GE == 1 */ ++#endif /* XML_GE == 1 */ + + static unsigned long + getDebugLevel(const char *variableName, unsigned long defaultDebugLevel) { +diff --git a/xmlwf/xmlwf.c b/xmlwf/xmlwf.c +index 04ca759..dd023a9 100644 +--- a/xmlwf/xmlwf.c ++++ b/xmlwf/xmlwf.c +@@ -1122,13 +1122,13 @@ tmain(int argc, XML_Char **argv) { + } + + if (attackMaximumAmplification != -1.0f) { +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + XML_SetBillionLaughsAttackProtectionMaximumAmplification( + parser, attackMaximumAmplification); + #endif + } + if (attackThresholdGiven) { +-#if defined(XML_DTD) || XML_GE == 1 ++#if XML_GE == 1 + XML_SetBillionLaughsAttackProtectionActivationThreshold( + parser, attackThresholdBytes); + #else +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-010.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-010.patch new file mode 100644 index 0000000000..4b5c5cb2e1 --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-010.patch @@ -0,0 +1,50 @@ +From 55fecd6aa4af4a540812b81234679cd6b5714f1b Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 1 Nov 2023 18:24:55 +0100 +Subject: [PATCH] Drop redundant "XML_GE == 1" guards + +These are redundant because further out there is a guard +for "XML_GE == 1" already. In the visual world, the pattern +is this: + +> #if XML_GE == 1 +> [..] +> # if XML_GE == 1 +> [..] +> # endif +> [..] +> #endif + +Spotted by Snild Dolkow, thanks! + +Co-authored-by: Snild Dolkow + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/55fecd6aa4af4a540812b81234679cd6b5714f1b] + +Signed-off-by: Meenali Gupta +--- + lib/xmlparse.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 2d8f4c0..82a8006 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -6153,14 +6153,12 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc, + = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */ + int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next); + +-# if XML_GE == 1 + if (! accountingDiffTolerated(parser, tok, entityTextPtr, next, __LINE__, + account)) { + accountingOnAbort(parser); + result = XML_ERROR_AMPLIFICATION_LIMIT_BREACH; + goto endEntityValue; + } +-# endif + + switch (tok) { + case XML_TOK_PARAM_ENTITY_REF: +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat/CVE-2023-52426-011.patch b/meta/recipes-core/expat/expat/CVE-2023-52426-011.patch new file mode 100644 index 0000000000..d1b0be2aff --- /dev/null +++ b/meta/recipes-core/expat/expat/CVE-2023-52426-011.patch @@ -0,0 +1,45 @@ +From 8a6c61de4a425977e357cafd8667a0d7771ce292 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Thu, 26 Oct 2023 01:29:03 +0200 +Subject: [PATCH] lib: Add XML_GE to XML_GetFeatureList and XML_FeatureEnum + Co-authored-by: Snild Dolkow + +CVE: CVE-2023-52426 +Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/8a6c61de4a425977e357cafd8667a0d7771ce292] + +Signed-off-by: Meenali Gupta +--- + lib/expat.h | 4 +++- + lib/xmlparse.c | 2 ++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/expat.h b/lib/expat.h +index fa2eb45..9e64174 100644 +--- a/lib/expat.h ++++ b/lib/expat.h +@@ -1025,7 +1025,9 @@ enum XML_FeatureEnum { + XML_FEATURE_ATTR_INFO, + /* Added in Expat 2.4.0. */ + XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_MAXIMUM_AMPLIFICATION_DEFAULT, +- XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT ++ XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT, ++ /* Added in Expat 2.6.0. */ ++ XML_FEATURE_GE + /* Additional features must be added to the end of this enum. */ + }; + +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index 82a8006..0627d6c 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -2544,6 +2544,8 @@ XML_GetFeatureList(void) { + {XML_FEATURE_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT, + XML_L("XML_BLAP_ACT_THRES"), + EXPAT_BILLION_LAUGHS_ATTACK_PROTECTION_ACTIVATION_THRESHOLD_DEFAULT}, ++ /* Added in Expat 2.6.0. */ ++ {XML_FEATURE_GE, XML_L("XML_GE"), 0}, + #endif + {XML_FEATURE_END, NULL, 0}}; + +-- +2.40.0 diff --git a/meta/recipes-core/expat/expat_2.5.0.bb b/meta/recipes-core/expat/expat_2.5.0.bb index eb7ce1436e..31e989cfe2 100644 --- a/meta/recipes-core/expat/expat_2.5.0.bb +++ b/meta/recipes-core/expat/expat_2.5.0.bb @@ -11,6 +11,17 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}" SRC_URI = "https://github.com/libexpat/libexpat/releases/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \ file://run-ptest \ file://CVE-2024-28757.patch \ + file://CVE-2023-52426-001.patch \ + file://CVE-2023-52426-002.patch \ + file://CVE-2023-52426-003.patch \ + file://CVE-2023-52426-004.patch \ + file://CVE-2023-52426-005.patch \ + file://CVE-2023-52426-006.patch \ + file://CVE-2023-52426-007.patch \ + file://CVE-2023-52426-008.patch \ + file://CVE-2023-52426-009.patch \ + file://CVE-2023-52426-010.patch \ + file://CVE-2023-52426-011.patch \ " UPSTREAM_CHECK_URI = "https://github.com/libexpat/libexpat/releases/" From patchwork Wed Mar 20 16:09:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41295 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 63254C6FD1F for ; Wed, 20 Mar 2024 16:10:23 +0000 (UTC) Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172]) by mx.groups.io with SMTP id smtpd.web11.49393.1710951022087685045 for ; Wed, 20 Mar 2024 09:10:22 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=mekZMEo7; spf=softfail (domain: sakoman.com, ip: 209.85.214.172, mailfrom: steve@sakoman.com) Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-1dddad37712so65445705ad.3 for ; Wed, 20 Mar 2024 09:10:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951021; x=1711555821; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=EXhLd/iVuf6BbUPbwbmG7VDiGkrVBa4+BXubz2tSDhY=; b=mekZMEo7XS0/y0Z016tW8ihYEJGXlSl+ifVCTl1vY7V4pCxJ+2rY+6PPWjBboRyXJM MLP9wnCoC1HR/HJRHQSG1yc9+iB58i3EHaiyb5wv5CSFgy2CrZCce7fMJoqScciYby6J OyFk5RtLUcWAnITapbNUAD0QrXQFkNZzlL87e6PXYxjqOl75wGmv5dhFeme6ejfAgGOx 0Ana5QFT9tiZT8OtoE+vFkcXFvudSCoewAmuBbM93vfl6MQNo4fIcTcQhEuOxKK9wEmh 8po3UmJeDugzxIkCtIIshCirs45nO+pAReIZzZ24lLVPeC5NmuTWhqleSEMKNSqJVAFw 5OOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951021; x=1711555821; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EXhLd/iVuf6BbUPbwbmG7VDiGkrVBa4+BXubz2tSDhY=; b=RzMhcK7TyfDEpNOOe6rT5P9ulrb9DZ8B1kch37GcjTSLEyVpV11Y0Zns919PWTHmMf n8Q+rnSIubcZYl4sq52y29l6FWnhmp4V3HbwgW5+Li8VOUu+MCIBPRL8wbERWluvOdka RKW6bjqKQ57xlWgvjwDalvzlOpCehMbi/k284ejDdiJz5HgOiwBfzX6wvMefzmmovlWa DktUeXUuQJrXaEWBOe4iVcgYD/JzL/0zGbNZRORyHoWflFHLGvcGK5uu+fB4VFSd/Z82 l9LyxJOWqrIlTTqW29+sbZhJX6pdLUnq45ReR/CZtcqDmVdF2eLvCW8oAEBtZw8D4o2n JVwQ== X-Gm-Message-State: AOJu0Yy5EdO0lwU9ScvQs7QPZ5pjOqMjxVilQwzhalfPajZLmbW1eCNj IpbWkOn6WI6l93b4gJBlRdZ15703eGQ3GZRYi/SmO4ug8hW5dJ4LLzm70A+nm/2GpjgRJdb0kpP UNo4= X-Google-Smtp-Source: AGHT+IHseYCdjlb4dSVq6j7Q7VLP7v5H3nX8vIJ7t2m/ZqYbe0EKdivleoaF7puv4LZ4lVwk7RKbQw== X-Received: by 2002:a17:902:e74d:b0:1dd:6414:3c5d with SMTP id p13-20020a170902e74d00b001dd64143c5dmr26243646plf.7.1710951021395; Wed, 20 Mar 2024 09:10:21 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:21 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 03/15] python3-cryptography: Backport fix for CVE-2024-26130 Date: Wed, 20 Mar 2024 06:09:41 -1000 Message-Id: <7864c4605cde4851df644dd1d2867bd28d155710.1710950846.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197374 From: Vijay Anusuri Upstream-Status: Backport from https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 Signed-off-by: Vijay Anusuri Signed-off-by: Steve Sakoman --- .../python3-cryptography/CVE-2024-26130.patch | 66 +++++++++++++++++++ .../python/python3-cryptography_36.0.2.bb | 1 + 2 files changed, 67 insertions(+) create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch new file mode 100644 index 0000000000..ff113e8cc7 --- /dev/null +++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2024-26130.patch @@ -0,0 +1,66 @@ +From 97d231672763cdb5959a3b191e692a362f1b9e55 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Mon, 19 Feb 2024 11:50:28 -0500 +Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't + match (#10423) + +Upstream-Status: Backport [https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55] +CVE: CVE-2024-26130 +Signed-off-by: Vijay Anusuri +--- + .../hazmat/backends/openssl/backend.py | 9 +++++++++ + tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index c43fea0..d687931 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -2131,6 +2131,15 @@ class Backend(BackendInterface): + mac_iter, + 0, + ) ++ if p12 == self._ffi.NULL: ++ errors = self._consume_errors() ++ raise ValueError( ++ ( ++ "Failed to create PKCS12 (does the key match the " ++ "certificate?)" ++ ), ++ errors, ++ ) + + self.openssl_assert(p12 != self._ffi.NULL) + p12 = self._ffi.gc(p12, self._lib.PKCS12_free) +diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py +index c5cfbc0..8af4c93 100644 +--- a/tests/hazmat/primitives/test_pkcs12.py ++++ b/tests/hazmat/primitives/test_pkcs12.py +@@ -25,6 +25,24 @@ from ...doubles import DummyKeySerializationEncryption + from ...utils import load_vectors_from_file + + ++ @pytest.mark.supported( ++ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, ++ skip_message="Requires OpenSSL with PKCS12_set_mac", ++ ) ++ def test_set_mac_key_certificate_mismatch(self, backend): ++ cacert, _ = _load_ca(backend) ++ key = ec.generate_private_key(ec.SECP256R1()) ++ encryption = ( ++ serialization.PrivateFormat.PKCS12.encryption_builder() ++ .hmac_hash(hashes.SHA256()) ++ .build(b"password") ++ ) ++ ++ with pytest.raises(ValueError): ++ serialize_key_and_certificates( ++ b"name", key, cacert, [], encryption ++ ) ++ + @pytest.mark.skip_fips( + reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." + ) +-- +2.35.7 + diff --git a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb index c429c75e1b..83381f225c 100644 --- a/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb +++ b/meta/recipes-devtools/python/python3-cryptography_36.0.2.bb @@ -19,6 +19,7 @@ SRC_URI += " \ file://fix-leak-metric.patch \ file://CVE-2023-23931.patch \ file://CVE-2023-49083.patch \ + file://CVE-2024-26130.patch \ " inherit pypi python_setuptools3_rust From patchwork Wed Mar 20 16:09:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41298 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 713FCC54E58 for ; Wed, 20 Mar 2024 16:10:33 +0000 (UTC) Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) by mx.groups.io with SMTP id smtpd.web10.49256.1710951023935305458 for ; Wed, 20 Mar 2024 09:10:23 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=vxYhd2IT; spf=softfail (domain: sakoman.com, ip: 209.85.214.171, mailfrom: steve@sakoman.com) Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-1e00b1c2684so32539855ad.0 for ; Wed, 20 Mar 2024 09:10:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951023; x=1711555823; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=FZaZVuKTafYFgYtEyC1h8fM3f2zusb+hLkoG/kiDCWE=; b=vxYhd2IThuaFoUzHfHS2DcENetWS7aHvlwccE6rT85VmBAnvum5/nJmxCgrtdlQQR2 wxAHVJ+H3vE4BtPgbrQ8UYZYQ2EzwyxwalgVZHZypQxKhao5xaL4ug6HQJV1IfI/Fnzq wt78an5fEKLm3E8Lno94wHfgplZnSbZk9DukKLh8VX6pUaMOf6GGGkZOb56n0HjrZxdT 2fC+djtUUKY6TqcHLMLdW3sPQpLvn0mw4kherm9kQOQBbOMAJek1ipkCashJhvLVPDYy mQ0UJyP+frnI6PKE7Y9ykz2xmMf+KHrDZjnfgXqzqwNXF22DJRAsfcX+oDb/zL9eCedQ qfgA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951023; x=1711555823; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=FZaZVuKTafYFgYtEyC1h8fM3f2zusb+hLkoG/kiDCWE=; b=uVQZDAVtYKLGfsUzl5sWElJtt861LXkqSUQkBpsXU17Naj20jSWR4ea4LaN6cOhq39 k1MTRCvq0IBj8YwJune+iax8kjqyqvTZF99StPUSeA81u+jkCdApr6ubZgx9VTZ1FkDh nqk/upq7nJ2guXSuAODzam+XvWMxnzZ8GvZSg5LnVafdS7LkXwFygFVdmGjyvAZ2Madc cNsUx7sEdk3yWSvD5llKHPhj9tZBfP9a43FfkYUcvYXZHt/woW9nY6B/4V8rOKJxcBlv s0AUUUPfoJOx8ITwd+zp7MwVHafFyHfw00E/Oks73XEHKSEP//pEb+CdPbtBnZUv+raO PF4Q== X-Gm-Message-State: AOJu0YwO8RPiF7ElLKy1pq3VWXwXgMcZ8KsnGryknNGvGGZwiVgCfDGS 8k+a0sJJIsC+HgEW0dbqjo8msRiI4zYjaSEjNGWG8zz5ph9zLH8j54NowhVqTMXVsOR/qUlzYbU vlFU= X-Google-Smtp-Source: AGHT+IHAYYlEJPNV3NQ4A8z9XcNAAJ18Qx3XiVzdmmi2Acx2hNS4Mznms8VhaUUHgTmbJZliv8LUTQ== X-Received: by 2002:a17:903:186:b0:1dc:2120:2467 with SMTP id z6-20020a170903018600b001dc21202467mr22264895plg.44.1710951023257; Wed, 20 Mar 2024 09:10:23 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:22 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 04/15] cve-update-nvd2-native: Fix typo in comment Date: Wed, 20 Mar 2024 06:09:42 -1000 Message-Id: <6f49c54a0ecc9d6e79816ce8dd7b65e5a8013df6.1710950846.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197375 From: Yoann Congal attmepts -> attempts Signed-off-by: Yoann Congal Signed-off-by: Richard Purdie (cherry picked from commit dc18aaeda8e810f9082a0ceac08e5e4275bbd0f7) Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 69ba20a6cb..9b6e746add 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -26,7 +26,7 @@ NVDCVE_API_KEY ?= "" # Use a negative value to skip the update CVE_DB_UPDATE_INTERVAL ?= "86400" -# Number of attmepts for each http query to nvd server before giving up +# Number of attempts for each http query to nvd server before giving up CVE_DB_UPDATE_ATTEMPTS ?= "5" CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db" From patchwork Wed Mar 20 16:09:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41300 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A60CFCD11DD for ; Wed, 20 Mar 2024 16:10:33 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web10.49259.1710951027108394728 for ; Wed, 20 Mar 2024 09:10:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Z/vysQtu; spf=softfail (domain: sakoman.com, ip: 209.85.214.174, mailfrom: steve@sakoman.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-1e00d1e13acso23500215ad.0 for ; Wed, 20 Mar 2024 09:10:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951026; x=1711555826; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=bY7pSB6C4iD/cu6hZe6L4ZY7xYl/RsMnvn93Bu5nuQE=; b=Z/vysQtuDSNT3LS7KPS4fXS8ZbOZln7LZkrnVmfgP5d2YWT/ystibHBdmlsiJ2pp76 zvEImqtbqmfhHKqdbCfJd7Sq5galsXnGL9BnP00k6PFgZ5XEjLiTGYw9y9W2UKdW0MSG S4FjsO1pZklX/cGlMnOrbq4GzLIujd+3lvhE3zCLAwP3mo7Tty0CK+XIFlgsXUaTqb0i OPBxw0xgvwr5kYXxv5fKNGqmLvz6j8H/D7j61CEDdDz0nmGhm6c3/vmsz0miLYmblGE3 gJyFNFgvcfNjOgecm6K88f4MmqSh6tBhQJ1+1JTJnxM1MJ0AyQYh0Jn4bC9EucS6m9bP 5QAQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951026; x=1711555826; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bY7pSB6C4iD/cu6hZe6L4ZY7xYl/RsMnvn93Bu5nuQE=; b=oiqMzMOL7QNN+Wm7VISrXPUlhMfspRfuVRBKoSTr4jelVP6MHLC7wp+LI3pjCML4LU qsxi3iwubapeE8Mhd+SX3Y+g8IZsWSBgRMLHNl0NrKlwaxyf9zIRLAYTjLFVCAlw94Nj TFbbftFOiavD/c8knd0PWC/LQbePGWjTDyWcia/+DYBYCn/Gmiu/C4E2mnt9QXCXcbl9 MXOplulOQWY1V+bwRm9Os74pmTmxJfXhfUwwLOZHAeSow9DKV9SuXp79WHSMollZfGgp gU8io7IdGKeZeFRvC8LYd62+gfm9C6/+1Ptlv7KMgcV3jiBfdGZksb7+9mz/JW79/xXk 5GHw== X-Gm-Message-State: AOJu0Yw2GI3IXzHILwZ62DW0UKk78HVE0jQfD+771JXhUP6S8u/MeGMO P3vs44I2E9W9zKNpuEcjcdT75xZR7Pmsg3HrpP+TS8Cj5uQ5izLsUkrTh/YV70nyiOmU/q5z6dj O8sg= X-Google-Smtp-Source: AGHT+IECbQ9NQj4CkRz7J5K/y8tgZtANTMHVXbehrVomsrFKzUBECP6tBcgE4an3hm0t6dJmIvj3+A== X-Received: by 2002:a17:903:32cc:b0:1de:f18c:cdd with SMTP id i12-20020a17090332cc00b001def18c0cddmr2791087plr.3.1710951026343; Wed, 20 Mar 2024 09:10:26 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:24 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 05/15] cve-update-nvd2-native: Add an age threshold for incremental update Date: Wed, 20 Mar 2024 06:09:43 -1000 Message-Id: <5259971a4785e7f664c0f588f34f8ef537c5c4c5.1710950846.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197376 From: Yoann Congal Add a new variable "CVE_DB_INCR_UPDATE_AGE_THRES", which can be used to specify the maximum age of the database for doing an incremental update For older databases, a full re-download is done. With a value of "0", this forces a full-redownload. Signed-off-by: Yoann Congal Signed-off-by: Richard Purdie (cherry picked from commit 74c1765111b6610348eae4b7e41d7045ce58ef86) Signed-off-by: Steve Sakoman --- .../meta/cve-update-nvd2-native.bb | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 9b6e746add..af21989d58 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -26,6 +26,12 @@ NVDCVE_API_KEY ?= "" # Use a negative value to skip the update CVE_DB_UPDATE_INTERVAL ?= "86400" +# CVE database incremental update age threshold, in seconds. If the database is +# older than this threshold, do a full re-download, else, do an incremental +# update. By default: the maximum allowed value from NVD: 120 days (120*24*60*60) +# Use 0 to force a full download. +CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000" + # Number of attempts for each http query to nvd server before giving up CVE_DB_UPDATE_ATTEMPTS ?= "5" @@ -172,18 +178,24 @@ def update_db_file(db_tmp_file, d, database_time): req_args = {'startIndex' : 0} - # The maximum range for time is 120 days - # Force a complete update if our range is longer - if (database_time != 0): + incr_update_threshold = int(d.getVar("CVE_DB_INCR_UPDATE_AGE_THRES")) + if database_time != 0: database_date = datetime.datetime.fromtimestamp(database_time, tz=datetime.timezone.utc) today_date = datetime.datetime.now(tz=datetime.timezone.utc) delta = today_date - database_date - if delta.days < 120: + if incr_update_threshold == 0: + bb.note("CVE database: forced full update") + elif delta < datetime.timedelta(seconds=incr_update_threshold): bb.note("CVE database: performing partial update") + # The maximum range for time is 120 days + if delta > datetime.timedelta(days=120): + bb.error("CVE database: Trying to do an incremental update on a larger than supported range") req_args['lastModStartDate'] = database_date.isoformat() req_args['lastModEndDate'] = today_date.isoformat() else: bb.note("CVE database: file too old, forcing a full update") + else: + bb.note("CVE database: no preexisting database, do a full download") with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: From patchwork Wed Mar 20 16:09:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41297 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 76FAEC6FD1F for ; Wed, 20 Mar 2024 16:10:33 +0000 (UTC) Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) by mx.groups.io with SMTP id smtpd.web10.49260.1710951029214878254 for ; Wed, 20 Mar 2024 09:10:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=AoQ16KNs; spf=softfail (domain: sakoman.com, ip: 209.85.214.177, mailfrom: steve@sakoman.com) Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-1dddb160a37so50161765ad.2 for ; Wed, 20 Mar 2024 09:10:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951028; x=1711555828; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=5TVSUgBG3OdQoN8sz4qt1bkOjb7zd40el4oOJemiZno=; b=AoQ16KNs8dfTxFP0ntBPjtRTBMAtfLXZvlBre1mqKCgpe/29OHYnkNCWPPfKHqxuEp rKP/wD/UU+zYFFOyPP2dIugmry28nnkhsJBhJRxa3prTJiLKOVjL7MiConqcLW2dKd0A CAGt7cUfwrdiN6xEEJFFEUhxu3Pabz2qr/GzQQ/U/+Eg23P89dJGXEYRKZ9zIsDfP/WA rwYNwH8rPF+dso39Mlz7S7a6etizfoSxVLGKMvTtNyqbcog89eHCTfYTfrgQcmkJMvg2 VEwTF+TZFv14G77isFt/ojcDmVNlo2XvuGOLjeK0uL/7oYbXjsZjoah/ghg2PR0V3TL8 w5Hw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951028; x=1711555828; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=5TVSUgBG3OdQoN8sz4qt1bkOjb7zd40el4oOJemiZno=; b=UAIZ3HNxobai5f5Yr9TeCTNVqNHXrlSDiGSASQ4JwbS/uKyp1NA+waP4o4FimzgdMO 5kykFzHZab1DTnaPk7xlbW3EhCxjwWI0octgk+x9l8eETTk/ENh+seB1nNm4T+JAB6XI 6JaKFO627uT0iez6jfYWAB5GqCKx4+ChnlKT57A+7x4dXEL8WY/xZCAcYVTg/fonu+CB MLPc6JtRdjgOvuU8GWBm5zVrWvGCnYWSFTQzF8m0abjSlB0Iduj24ygHHMfING9S/ePJ 063DTcuD/Oj69a07X5+CoIiemSBtHCjge4clqIEy+QlJzaHxkbAAPIOMaLFukjkKN/ea iLYw== X-Gm-Message-State: AOJu0YxwWWBL37qD3dLKkz+aimzxdV9t8FLeFdW83iFtfUcWErcZYsS3 xZPPO5RANvZ8obWm2kMgACl/h9eRhbaxUA/3IcvrB9johmdcYsyblJf0k2q+dWBg6ymqheraZlM GYrE= X-Google-Smtp-Source: AGHT+IEoe2d7E226qE9Q7k78QH6kTtjcl0YaGBiBMtAuVfZh2bk7oL78Rod/xLLzjb6Rl1VIwPHywQ== X-Received: by 2002:a17:902:a507:b0:1e0:30ca:61e with SMTP id s7-20020a170902a50700b001e030ca061emr6304056plq.5.1710951028446; Wed, 20 Mar 2024 09:10:28 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:28 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 06/15] cve-update-nvd2-native: Remove duplicated CVE_CHECK_DB_FILE definition Date: Wed, 20 Mar 2024 06:09:44 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197377 From: Yoann Congal CVE_CHECK_DB_FILE is already defined in cve-check.bbclass which is always inherited in cve-update-nvd2-native (There is a check line 40). Remove it to avoid confusion. Otherwise, this should not change anything. Signed-off-by: Yoann Congal Signed-off-by: Richard Purdie (cherry picked from commit e5f3f223885c17b7007c310273fc7c80b90a4105) Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 2 -- 1 file changed, 2 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index af21989d58..506b4b6bbf 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -37,8 +37,6 @@ CVE_DB_UPDATE_ATTEMPTS ?= "5" CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db" -CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db" - python () { if not bb.data.inherits_class("cve-check", d): raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") From patchwork Wed Mar 20 16:09:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41299 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7E653CD11BF for ; Wed, 20 Mar 2024 16:10:33 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web11.49398.1710951031111374873 for ; Wed, 20 Mar 2024 09:10:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=2ZDNr5ae; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-1e00d1e13acso23500645ad.0 for ; Wed, 20 Mar 2024 09:10:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951030; x=1711555830; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=NHO7zcpN++T4K/yoj1mLAkUqMCfyo17sDK2LDVZtdWU=; b=2ZDNr5ae9eys//yQsmtEd7qDRdJtxu3n/v3n+YPy3r+gbv8JK+oZLXeuXEBVviCM4D /+2C25pAj3r3AKWGhhJRj5PI5vXspz9w1Pt/4iKPP5hkSGHQf/RGg1Vl+nqEodte9Ler BE+89jvjcTlCpVSaPs83G6v6Pbj6U2eAJ9ho8ZVAD2bbCuzuT8/1DhaE4EZA0QiueGe9 YuX04JoQc1lGA5MRWBMGrkLglqAXGQEEknaDy/0aRe9y6UhIibs0bXrEjJ8BPZ6k9aHk BJKO4mnrRCvJEAFfHUd5PlMZLrK9ort/yJyhMcmYYj4J7THdIyjNRqSbnVUJ4a/Oup/R Dnyw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951030; x=1711555830; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=NHO7zcpN++T4K/yoj1mLAkUqMCfyo17sDK2LDVZtdWU=; b=FN6XssDy8HC/Q6EZX5IZmvCnFvnLONJBpV77aRLlQxGlwWYuEfBpkSEHaa1GY/MJ4e mi9+yLH+WhIr7842un/MMR2+EPZMhmYhh8PJupb5Qa9PgGnTHeSfwQmtrQoXi3kl5GSU TJ++Ks+7RfEGml88Vz6wBCE7yHJORppP5XdyUIdGnCKow7o5AeL+6JPFqoQa+PC7YaiB yGqGYeTfINwilzn8gC3Hc0szJdWmaVsdNkLb1EolqBkZCWgoAtdxr+mghRXJzK8BxZ+C JVdF5r03iqrgdz6Az4MPDoNgpiMfRZRKhV72dIrZwpSkxig4DhXmM2saQ9OyFEUDHpIu 9vUw== X-Gm-Message-State: AOJu0YxtH9HzpTKAvNSASViiMjnG5GJGyDhULH6pB2eWa53dn9CEW9fC qzpaiwQrwYcMZ78C6o6J69zxk1Anna9xUAlgqmCCfGCn2sxszJn5nhE+sD72M9t8CmwhLHYp8aO Aij0= X-Google-Smtp-Source: AGHT+IGkzEXnzf+xuS0kzLBqMHs9KGqTeJufRlT0JHBjASWSXL6yKLFwehZZFNcDoOVKC5gU9fJ0sg== X-Received: by 2002:a17:902:e5c5:b0:1df:f9fc:c9f7 with SMTP id u5-20020a170902e5c500b001dff9fcc9f7mr2857835plf.61.1710951030377; Wed, 20 Mar 2024 09:10:30 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:29 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 07/15] cve-update-nvd2-native: nvd_request_next: Improve comment Date: Wed, 20 Mar 2024 06:09:45 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197378 From: Yoann Congal Add a URL to the doc of the API used in the function. ... and fix a small typo dabase -> database Signed-off-by: Yoann Congal Signed-off-by: Richard Purdie (cherry picked from commit e0157b3b81333a24abd31dbb23a6abebca3e7ba7) Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 506b4b6bbf..a703b68aac 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -123,7 +123,8 @@ def nvd_request_wait(attempt, min_wait): def nvd_request_next(url, attempts, api_key, args, min_wait): """ - Request next part of the NVD dabase + Request next part of the NVD database + NVD API documentation: https://nvd.nist.gov/developers/vulnerabilities """ import urllib.request From patchwork Wed Mar 20 16:09:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41303 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 92458CD11BF for ; Wed, 20 Mar 2024 16:10:43 +0000 (UTC) Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com [209.85.214.173]) by mx.groups.io with SMTP id smtpd.web11.49401.1710951033575498475 for ; Wed, 20 Mar 2024 09:10:33 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=EhmfYMub; spf=softfail (domain: sakoman.com, ip: 209.85.214.173, mailfrom: steve@sakoman.com) Received: by mail-pl1-f173.google.com with SMTP id d9443c01a7336-1dff837d674so35412255ad.3 for ; Wed, 20 Mar 2024 09:10:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951033; x=1711555833; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=shtJfcZ8wRAXrdgxJT+aqQDcjm9BmdjW8s5AuYlo3D0=; b=EhmfYMubzY9iQJabAEY3jowsfy/Q2g+vZ3keb5zg/T/i+/XvzBqN2+FPGd2Ic26Xgj agnZ6zeUTZLBONrQWff9fHUnQRwVU90fCbeX8hralFeiMcv78rMFupo1FKNQfjN3xzCc vPjU7XNwtllOtyUAIICszvyaa61ZaZGnXrX/5+dfACFfAI0EMLpxoivHqW8uGj3UB8rZ LCYjEBhedbcuYfmc7/JVnSoKy3iO6JXGyiE9MtkNjKsuMN7eW6lS/Q2iHlDe/ZXyDgoN 4Pt568J9Jw9vlQ6g6Gm1z7c9pmcy1vOx5vauF1DGmsBCpRT3Ugrrzammd/DREfaJwB0f Qc2Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951033; x=1711555833; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=shtJfcZ8wRAXrdgxJT+aqQDcjm9BmdjW8s5AuYlo3D0=; b=FkdfJpO5CzbCWRoN43dN3Jyj7FxHOBuHoddWpsWOWBzKatFRC/VSvVd6iwthn2haVB tzZxORCNyYMjjOYDqlDja3aaUKOiLnQZQnLqbWiPGnTt1RINumR30diQFCRpmj2qUM64 E1Gdd7Ockm2uxDz8vIbvOyOqgDl71B3IfFFrse5sK51MXAvzqTkyNnM3YwgJ4WTidT3N jVriM5b7ZSJkKvXqimmwFu7EUdROKySkigTZILAp20V2LTKn9QZQFSQ9HXhEfFGSOlrH zeLcsoFA8fveh+rr6HOD+nx5QT5hAgU2J/ZT1UaS9kQcvFogIwNBVuZHs7BtYT7V2XJM Be8g== X-Gm-Message-State: AOJu0Yzn+TMcltArqEm+lKasRNYJEZ5x0f4LT1CHFk9cgdlOh5WBmJ7y nOrKAiNn+na9D8/M4gCLj4+oF7dMfi35LXtKRNfb+Qexl4ycxJnOGb/19CDuPKzyFr6uTfaIGKa 2V94= X-Google-Smtp-Source: AGHT+IEdJVDx/5kfOSMpX3DdACjlO/Rn68xO9vM9gD+irEwM4BOzdDa3lCmNEU1mZAEO8vPUxvYQFg== X-Received: by 2002:a17:902:cf05:b0:1de:e3d5:cdde with SMTP id i5-20020a170902cf0500b001dee3d5cddemr2647979plg.5.1710951032827; Wed, 20 Mar 2024 09:10:32 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.31 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:32 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 08/15] cve-update-nvd2-native: Fix CVE configuration update Date: Wed, 20 Mar 2024 06:09:46 -1000 Message-Id: <38402b5e89d43bf2a45c8f5f2d631033be5019cd.1710950846.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197379 From: Yoann Congal When a CVE is created, it often has no precise version information and this is stored as "-" (matching any version). After an update, version information is added. The previous "-" must be removed, otherwise, the CVE is still "Unpatched" for cve-check. Signed-off-by: Yoann Congal Signed-off-by: Richard Purdie (cherry picked from commit 641ae3f36e09af9932dc33043a0a5fbfce62122e) Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index a703b68aac..0044529b7d 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -352,6 +352,10 @@ def update_db(conn, elt): [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() try: + # Remove any pre-existing CVE configuration. Even for partial database + # update, those will be repopulated. This ensures that old + # configuration is not kept for an updated CVE. + conn.execute("delete from PRODUCTS where ID = ?", [cveId]).close() for config in elt['cve']['configurations']: # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing for node in config["nodes"]: From patchwork Wed Mar 20 16:09:47 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41304 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B3CCDCD11DC for ; Wed, 20 Mar 2024 16:10:43 +0000 (UTC) Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by mx.groups.io with SMTP id smtpd.web11.49403.1710951035354755053 for ; Wed, 20 Mar 2024 09:10:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=gPm5WzxX; spf=softfail (domain: sakoman.com, ip: 209.85.214.179, mailfrom: steve@sakoman.com) Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-1e00896dfdcso25668795ad.1 for ; Wed, 20 Mar 2024 09:10:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951034; x=1711555834; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Nr+O2YIgOlFtrXaw/ZAn1Psu8p113nEC3v0V67LqiIo=; b=gPm5WzxXLzODTvyb8MwViUSA+XFRz5d/LoN49HYoXt1Xufp5UJyT/lOFK9X4koAM3x sB+ilffyTtgwh3LSFT52t7RDxXKn1ZEvgRKuHgse33MeJwJ9VIgOpvlTA23VVaoaxwHP AuMAc9BfsbGf41ShlFSTQzNv3yC80W2U1cJh5Pb1/vvahEnKN2dxvFo1Sz3MIaRWYSQJ kxVsP28T/yVZlYPnMlPpRW3y5h2T6lvxNxoWa9kGlbTYr7eLqE0auARxGDcssYMU0Buj shx/do6Y4pzvdXc1ZgPK9m3CQLlz09BAhAL0g7CTIgcYN5WqnPzUhw4kJi405YFeHOvB 4dYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951034; x=1711555834; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Nr+O2YIgOlFtrXaw/ZAn1Psu8p113nEC3v0V67LqiIo=; b=wa7dctbhr2ILmR1q4jWMABc+i3jMFan2lkfvoRXzRJsyOd8sSKVJVgoHn2M0utgqVy +yzfYU01FjRVPUB+a4e8mnFB80crhUA7u5cyxg5jBluuOjRGVb/zihqNcBcZHHjwswc/ r81+iGe0aKsnCYNvxUBbHAUxhbcpZfkoj6oat9XYjSgAXlYLSGDYJyuZ3ZP2wKaOuZx8 /hfbBmkf/BNnpLjPv9LeGFBx03VaXSF6W9Tcm43AudQkrsVhJBWp5cnheKRkl321nR8i iUpmfXktlt14B9FqMRI2phQ3/M5iE6LCPLhzOmQG8JnwAUTrTX40NZoCYha5Kcqq+Miq m1rg== X-Gm-Message-State: AOJu0YwMXo6V/Aaqv6spBfTy+/whElCRXHnk7pchpsfpkVWdcvRMr7JK 01edYGvEytnve1VPDdi0YMKxW2KLSHLGpHtGgPot4zeXlrNBrSx4Waw3upko5dKgHb4+LZQmrYN 0Gfo= X-Google-Smtp-Source: AGHT+IFiqUNQKmbBdJZUdu7kk0lqZ7zXQgGCyk2+WOii/MXeE13tExaJkm9AleVb3YIhpLXlg1x9mg== X-Received: by 2002:a17:902:b70e:b0:1dd:de1a:bd02 with SMTP id d14-20020a170902b70e00b001ddde1abd02mr5300975pls.41.1710951034566; Wed, 20 Mar 2024 09:10:34 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:34 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/15] cve-update-nvd2-native: Remove rejected CVE from database Date: Wed, 20 Mar 2024 06:09:47 -1000 Message-Id: <717f0df5f35272f7706e4f92cc8b57cdda8066b6.1710950846.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197380 From: Yoann Congal When a CVE is updated to be rejected, matching database entries must be removed. Otherwise: * an incremental update is not equivalent the to an initial download. * rejected CVEs might still appear as Unpatched in cve-check. Signed-off-by: Yoann Congal Signed-off-by: Richard Purdie (cherry picked from commit f276a980b8930b98e6c8f0e1a865d77dfcfe5085) Signed-off-by: Steve Sakoman --- meta/recipes-core/meta/cve-update-nvd2-native.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 0044529b7d..1a3eeba6d0 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb @@ -323,6 +323,10 @@ def update_db(conn, elt): accessVector = None cveId = elt['cve']['id'] if elt['cve']['vulnStatus'] == "Rejected": + c = conn.cursor() + c.execute("delete from PRODUCTS where ID = ?;", [cveId]) + c.execute("delete from NVD where ID = ?;", [cveId]) + c.close() return cveDesc = "" for desc in elt['cve']['descriptions']: From patchwork Wed Mar 20 16:09:48 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41301 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9241AC6FD1F for ; Wed, 20 Mar 2024 16:10:43 +0000 (UTC) Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.web10.49267.1710951036979369345 for ; Wed, 20 Mar 2024 09:10:37 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=AWGOfTLQ; spf=softfail (domain: sakoman.com, ip: 209.85.214.178, mailfrom: steve@sakoman.com) Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-1e00896dfdcso25669075ad.1 for ; Wed, 20 Mar 2024 09:10:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951036; x=1711555836; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PMw7lAA4+7b1Li64sg8sOdu0NKrVOVompYgl9JZVdqk=; b=AWGOfTLQmL2ekZwPBmwN3bSbnZ0KdZmo7/oA9YMsy3lrI3ylbPccPkaTWgBFDp7i4c 7MG8VMMGolkPLnbonsoE+22QG/DUuXQ7TIK9aPfQjD8whz7mX2IYLjRWOD3K+FdBLrrB phy3xIA1UuP+o9OZIqwo3uO3CFBLcJeeEnREXT1Ufc3bDoBO4Ii7AEn9PHYkh+hWj7Ha UDzB0uq61zCC6t00ZFbrHdeQ1IIS6jgVv13JM8N/+dhxeLXPv69ECXPru/+F8kDnMCDv iUXUcL9gHaEFpo1TLBQKEDykBQkqEtMYABAFYe3J0FGc6eteVbXpZW5fpJ1fLg5av+ad lSrA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951036; x=1711555836; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PMw7lAA4+7b1Li64sg8sOdu0NKrVOVompYgl9JZVdqk=; b=uBzSOh71SRu3/LYW3b6bOSVsX1XqND3esmysG2TJ3bfEGz56qtV8RxSctEiVZtA3C0 S3nvlJPg9pu4a5lYbJ1/HkgpPLNmXhX1EaHjQ3E6/r56SnFr5MFXeASYR7p9nkPucK9s TiGkuktq9UDw+GpzdBW/Y2ke7nnhwxLte+6bs8h+YfHOuehaZOvDI/0IPY6u+cHA1FzN 6bY5+alsMwW/H7UKKBUYbVoNEC3gOVnJoNSdNyUYqWAo1avi3x0UZjSdGe4jqDvPNhfl e6geZpWqjcS8cU98hGtRJ4bp2DH1VUdX14HzNcR9ej9c7sOeB5Arwx7782QZKLQGheW4 oZ5A== X-Gm-Message-State: AOJu0Yz2SpttfpIId6f8qX7utKdVWlNApsoFAETFDNyO7hqDFjX7pYO9 X5y/n4S6Yn6mEwYfEmjli91cwGB10jlU0dMeD/YJoBENhtdfHK9D3T/ON6enI3fcMuz2CyAGZTS fehg= X-Google-Smtp-Source: AGHT+IFXO1P8NZFne5k017z01cqVco6yFMnABwVjBt5przQ4PmU5/ZMkIIoV2t0XyjbK9GqgkM2BLQ== X-Received: by 2002:a17:902:934c:b0:1dd:50f0:3e72 with SMTP id g12-20020a170902934c00b001dd50f03e72mr5431026plp.26.1710951036307; Wed, 20 Mar 2024 09:10:36 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:35 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 10/15] wireless-regdb: upgrade 2023.05.03 -> 2023.09.01 Date: Wed, 20 Mar 2024 06:09:48 -1000 Message-Id: <3af65ed130493e14a87818b76b06f9ca7c717874.1710950846.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197381 From: Wang Mingyu Changelog: ========== wireless-regdb: update regulatory database based on preceding changes wireless-regdb: Update regulatory rules for Australia (AU) for June 2023 wireless-regdb: Update regulatory info for Türkiye (TR) wireless-regdb: Update regulatory rules for Egypt (EG) from March 2022 guidel... wireless-regdb: Update regulatory rules for Philippines (PH) Signed-off-by: Wang Mingyu Signed-off-by: Richard Purdie (cherry picked from commit 2f5edb6904bf16a9c52a9b124aeb5297487cd716) Signed-off-by: Steve Sakoman --- ...ireless-regdb_2023.05.03.bb => wireless-regdb_2023.09.01.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.05.03.bb => wireless-regdb_2023.09.01.bb} (94%) diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb similarity index 94% rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb index cd3f52fc76..c09600ecbe 100644 --- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.05.03.bb +++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb @@ -5,7 +5,7 @@ LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "f254d08ab3765aeae2b856222e11a95d44aef519a6663877c71ef68fae4c8c12" +SRC_URI[sha256sum] = "26d4c2a727cc59239b84735aad856b7c7d0b04e30aa5c235c4f7f47f5f053491" inherit bin_package allarch From patchwork Wed Mar 20 16:09:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41302 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9F182C54E58 for ; Wed, 20 Mar 2024 16:10:43 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web11.49406.1710951039141374147 for ; Wed, 20 Mar 2024 09:10:39 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Wr65sPhn; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-1e01c38f98cso24288695ad.3 for ; Wed, 20 Mar 2024 09:10:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951038; x=1711555838; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=VRWIAhmeDI6nyUEP/TCxZq1+gUOnJzmbtpHZ3n+PU9w=; b=Wr65sPhnW9R/XfL4xslDA9CA+hjuB9wu8HEvcVWP4qKalu+u+CTdnMjcArYy1hOgiW Hc4mQYQyua2uK8YE4J6qVf/hP7h2McfEhzb21Ar1gVgLkdGCeaHSeQmU2W99Vmy3uDbv teW/98aja7cJAzkXZyhbk4Kz1QRLkvQ4CBgGN2wkFEqQGabWV4+pInXMVZRicN95x22i iQWZtOKzfwC1k2z+nXproySnMkoIZGY/Tt0SGufVa2JZJPCjGernejVEeDjPmgiGqL7F H92GTObKF68D2zEOAsmPOQDyxmKSptBA473yrhkyRVZFC+aRVoryNEH3VF0Kyd/cw8Oz b2rw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951038; x=1711555838; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=VRWIAhmeDI6nyUEP/TCxZq1+gUOnJzmbtpHZ3n+PU9w=; b=Nmj6g7g+QEGCvIs2URnItDkw9OHayR/Y3uSXI/HrWP3t2ByPZFcA9XgwZjhJ5YW+1s D6wgUxQO+3lpq2ZejOyncX1CNwZTuE2QI9VriESkLG+llUKxVSgcNt4sqOzm9/Ratb50 B1R5Rtaf/ZeEgwp0bpJAECRChn/1PAT8j1AiiIcI1sqcMQVo1Ju82Rsf1I1j4WT2CLRC NwKWVxAUwmh+CYul/74YS3IBiOCJhiVRWEnc0O2RyebQAVljBHyILn2Q91csIuR+vNGq dTiEadALuZ5B0Bzdi2O4xltVYpSsSi1QAtW0EXNU/sR0OgvCS52jiLs+36wg0V3BpaBW U3gA== X-Gm-Message-State: AOJu0YyNWIXQdWC0S6C3MlWQ3q1KgJDEXH7/ErssQ9jdUefYcrnZ2TtQ SaUjxRUwJEoUoxQ/q28xgY3gNo6UsNdnnPQAbuG/UDTXCYn/lPS7miI+xN/AVHnACP5+nCDeJXP e5uY= X-Google-Smtp-Source: AGHT+IHnkDCrdlSu0Bh3+32aMC3iD8awmEH9MtnyqYXN9cG0bzvHL+P3aNHxbelKfo4FEGRJ4VZbSw== X-Received: by 2002:a17:902:e802:b0:1dd:9984:29d3 with SMTP id u2-20020a170902e80200b001dd998429d3mr21471829plg.32.1710951038298; Wed, 20 Mar 2024 09:10:38 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:38 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 11/15] wireless-regdb: Upgrade 2023.09.01 -> 2024.01.23 Date: Wed, 20 Mar 2024 06:09:49 -1000 Message-Id: <11c9c6eec5ff45cd1fd4858bc28f38693c5d0fde.1710950846.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:43 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197382 From: Alex Kiernan Upstream maintainer has changed to Chen-Yu Tsai : https://lore.kernel.org/all/CAGb2v657baNMPKU3QADijx7hZa=GUcSv2LEDdn6N=QQaFX8r-g@mail.gmail.com/ Note that fb768d3b13ff ("wifi: cfg80211: Add my certificate") and 3c2a8ebe3fe6 ("wifi: cfg80211: fix certs build to not depend on file order") are required if you are using kernel signature verification. Signed-off-by: Alex Kiernan Signed-off-by: Alexandre Belloni (cherry picked from commit abf169fbbf8bab13224adf4c8bfa2e26607f360c) Signed-off-by: Steve Sakoman --- ...eless-regdb_2023.09.01.bb => wireless-regdb_2024.01.23.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2023.09.01.bb => wireless-regdb_2024.01.23.bb} (88%) diff --git a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb similarity index 88% rename from meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb rename to meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb index c09600ecbe..8fde236ab4 100644 --- a/meta/recipes-kernel/wireless-regdb/wireless-regdb_2023.09.01.bb +++ b/meta/recipes-kernel/wireless-regdb/wireless-regdb_2024.01.23.bb @@ -5,7 +5,7 @@ LICENSE = "ISC" LIC_FILES_CHKSUM = "file://LICENSE;md5=07c4f6dea3845b02a18dc00c8c87699c" SRC_URI = "https://www.kernel.org/pub/software/network/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "26d4c2a727cc59239b84735aad856b7c7d0b04e30aa5c235c4f7f47f5f053491" +SRC_URI[sha256sum] = "c8a61c9acf76fa7eb4239e89f640dee3e87098d9f69b4d3518c9c60fc6d20c55" inherit bin_package allarch @@ -13,7 +13,7 @@ do_install() { install -d -m0755 ${D}${nonarch_libdir}/crda install -d -m0755 ${D}${sysconfdir}/wireless-regdb/pubkeys install -m 0644 regulatory.bin ${D}${nonarch_libdir}/crda/regulatory.bin - install -m 0644 sforshee.key.pub.pem ${D}${sysconfdir}/wireless-regdb/pubkeys/sforshee.key.pub.pem + install -m 0644 wens.key.pub.pem ${D}${sysconfdir}/wireless-regdb/pubkeys/wens.key.pub.pem install -m 0644 -D regulatory.db ${D}${nonarch_base_libdir}/firmware/regulatory.db install -m 0644 regulatory.db.p7s ${D}${nonarch_base_libdir}/firmware/regulatory.db.p7s From patchwork Wed Mar 20 16:09:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41305 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A5FC4C54E58 for ; Wed, 20 Mar 2024 16:10:53 +0000 (UTC) Received: from mail-pl1-f174.google.com (mail-pl1-f174.google.com [209.85.214.174]) by mx.groups.io with SMTP id smtpd.web11.49409.1710951045091354002 for ; Wed, 20 Mar 2024 09:10:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=VAYV9dhW; spf=softfail (domain: sakoman.com, ip: 209.85.214.174, mailfrom: steve@sakoman.com) Received: by mail-pl1-f174.google.com with SMTP id d9443c01a7336-1def59b537cso36887015ad.2 for ; Wed, 20 Mar 2024 09:10:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951044; x=1711555844; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=+61++8/DbpA29NeIN/CHD8dNg2X0pdyC6t+QXhi1ih4=; b=VAYV9dhWlzb7dRM3G9cnG/t5fLYCX/j5bQfndJLtbOt6swUkBEVsg1A/plosjnN7rE 4/Om8dhS30b8ORrmigzyaZThsuWeU9mwasEg+bEwvwIerLBMguE69c+oge/ZnrZEjCIu sF5KJ+oVTqzZUPwHJR9ijBAE9Fy6jMDoloj6E+dkYCchSX8hea2/oiMgE8xW24odAkOa VvDbtqNo5/eKDFYHYXLKPT8ttxX+Vc8udeNtCvdR1OsSyIPJgrHinymOagdgd+lG9T0D adpxD1f1rwcdx44ADWsFDeKyuo4pGJrK0gHxbLo+VZwbu8Ad3yMgZdAbXIvrGOEd5dQi 1p9Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951044; x=1711555844; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+61++8/DbpA29NeIN/CHD8dNg2X0pdyC6t+QXhi1ih4=; b=qwBzKCZ6e4x0fJ46Oo/my58Ii2LvBKeJrICxvEMxB4JKoZl8JebbMAtJBjFIfnE5wD 76EMZpglIXHq41tBooLXp2mgehG5x+oR/KHYc5cbbO+fMLlMyPORvvhxjw+66qiRidce OcrTgdzrZ65llVmb59V1ckn4AZ2ACvu5oMmqZpqcIAOXjORPAtuHtZzLGq/PNpuRvYX6 T8a1pTtho9NM3KOzdW1f9//tborXACH8/ElVdpW4Ca2OMDWClqw/zY9+TThTv5QpwxVp P3PHry99afpsRKUDatAOrqMqpo5fOVnihQwr+YCS7hTfFSE0O2Nct7iLCL5c+zB/66S1 E52A== X-Gm-Message-State: AOJu0YzqRa06h6cltvniOHbvI9wdoYmwK7MquuzmjvSLKSQ55lvVD/aG 0zu/gbQxvb2GidPwvZq6jDlHMMDrjHsLH6FJ/Wl+2kBmkCu7QJULXqJR65dYChOozCNI04Uunmz g8J4= X-Google-Smtp-Source: AGHT+IGkpnESVuxY9+dwDaC0pS2VBKaChQ6QameqstZB0/YHdqUC9/d6NiLdTqVwr5dwzEIc3Rl3FA== X-Received: by 2002:a17:902:e802:b0:1dd:9984:29d3 with SMTP id u2-20020a170902e80200b001dd998429d3mr21472199plg.32.1710951044156; Wed, 20 Mar 2024 09:10:44 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:43 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 12/15] linux-firmware: upgrade 20231211 -> 20240220 Date: Wed, 20 Mar 2024 06:09:50 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:10:53 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197383 From: Alexander Kanavin License-Update: additional files Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie (cherry picked from commit add81ef0299ea5260f9bdc59ffc8f5cc0e74276f) Signed-off-by: Steve Sakoman --- ...inux-firmware_20231211.bb => linux-firmware_20240220.bb} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename meta/recipes-kernel/linux-firmware/{linux-firmware_20231211.bb => linux-firmware_20240220.bb} (99%) diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb similarity index 99% rename from meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb rename to meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb index 48e83cb34b..425b351dc1 100644 --- a/meta/recipes-kernel/linux-firmware/linux-firmware_20231211.bb +++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20240220.bb @@ -89,7 +89,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ file://LICENCE.cadence;md5=009f46816f6956cfb75ede13d3e1cee0 \ file://LICENCE.cavium;md5=c37aaffb1ebe5939b2580d073a95daea \ file://LICENCE.chelsio_firmware;md5=819aa8c3fa453f1b258ed8d168a9d903 \ - file://LICENSE.cirrus;md5=bb18d943382abf8e8232a9407bfdafe0 \ + file://LICENSE.cirrus;md5=662ea2c1a8888f7d79ed7f27c27472e1 \ file://LICENCE.cnm;md5=93b67e6bac7f8fec22b96b8ad0a1a9d0 \ file://LICENCE.cw1200;md5=f0f770864e7a8444a5c5aa9d12a3a7ed \ file://LICENCE.cypress;md5=48cd9436c763bf873961f9ed7b5c147b \ @@ -147,7 +147,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ " # WHENCE checksum is defined separately to ease overriding it if # class-devupstream is selected. -WHENCE_CHKSUM = "3113c4ea08e5171555f3bf49eceb5b07" +WHENCE_CHKSUM = "a344e6c28970fc7daafa81c10247aeb6" # These are not common licenses, set NO_GENERIC_LICENSE for them # so that the license files will be copied from fetched source @@ -231,7 +231,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw # Pin this to the 20220509 release, override this in local.conf SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae" -SRC_URI[sha256sum] = "96af7e4b5eabd37869cdb3dcbb7ab36911106d39b76e799fa1caab16a9dbe8bb" +SRC_URI[sha256sum] = "bf0f239dc0801e9d6bf5d5fb3e2f549575632cf4688f4348184199cb02c2bcd7" inherit allarch From patchwork Wed Mar 20 16:09:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41306 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A531AC54E58 for ; Wed, 20 Mar 2024 16:11:13 +0000 (UTC) Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) by mx.groups.io with SMTP id smtpd.web10.49284.1710951066727228567 for ; Wed, 20 Mar 2024 09:11:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=3Gyhzlyu; spf=softfail (domain: sakoman.com, ip: 209.85.214.176, mailfrom: steve@sakoman.com) Received: by mail-pl1-f176.google.com with SMTP id d9443c01a7336-1deffa23bb9so36763445ad.2 for ; Wed, 20 Mar 2024 09:11:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951066; x=1711555866; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=4FFBPXBeDZxmg9WIrfGltp9RsfYGigeAeqmBuMuSioo=; b=3Gyhzlyu0jnTOjxKC2ItNLsjHpfwiAPODSihbSy/HiZGamYjNXnuuYg1+iVJ/3lyEj sLxTIPp8UwM+pBeU0heMax4OlqCF/cT9v81YJgc9eyYf3KSkcTSmK2JeOtMBqHmAcT6V J5vrpDK1x38XfPrDKAZHxocZbEMWtz6aHhCyxa4ezDx7Ndf/OGqfEz/Znf+0psG4P6c0 K4FYriUEI3KZM5raOCMF5Z49pKWkdeptj2p5+tygr5bNU0cHvzvLDmZeIMRJLrxWUz0k /V48SY8BCozfsKVdv9uoSIdX6SwXa6JtfNaV7qYlHGxJ8mmCSGJCrTVNWwSsca5ds5u2 JyMA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951066; x=1711555866; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=4FFBPXBeDZxmg9WIrfGltp9RsfYGigeAeqmBuMuSioo=; b=L4LuaXVT6qwhOs+bXLWlAdrmWjxxGL1lom1llXA6ua9qbT3hIEFgWUzeiRsIrzCqXr Um9yo4H9SDc8OSDayuNceO0Wfc1SGxi7yore3C0QW89gaPTWTbzXL0KfN2CYcdLbUH7O GqkWdKriiTXvlsr9OcW/ysczNa+ht2hy19znL0jf/bfj3IX2aHzNMCNgEBiTRwtzInaT Km2xdsKJ3fjsOV4Oi3SO+ViLfpK6kaDqLgwjSKhJPv7eOBTpDVD14VIRhTdqq1Rh2yu/ EqTERdY4i3qF9ap/GVa6laZT/4bSnyiOR6vlvBgd6ak2qh50/yJybcfrGcc/smoNb3nq nt7g== X-Gm-Message-State: AOJu0YytsrP7+rnsrO+MaJyDALb/pgqDaDW+q/IwL4VPfRHT7vyiQ/K7 fteonDuBlPklTQbi8/trmfo0cGkxbRvLFJeS3VCT0yclfYOXfDZAUPMHXm3osXiaND2axIwjC3x aSvM= X-Google-Smtp-Source: AGHT+IEflQ5l7L/uJ4uvytMnzD6evDHVHXfc66lZuPYYtYGHyQSZZSK7RWc2nd+vFPoiUjkNX7jvwQ== X-Received: by 2002:a17:903:246:b0:1dd:da26:8597 with SMTP id j6-20020a170903024600b001ddda268597mr22782702plh.66.1710951066034; Wed, 20 Mar 2024 09:11:06 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.10.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:10:45 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 13/15] yocto-uninative: Update to 4.4 for glibc 2.39 Date: Wed, 20 Mar 2024 06:09:51 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:11:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197384 From: Michael Halstead Signed-off-by: Michael Halstead Signed-off-by: Richard Purdie (cherry picked from commit 56fdd8b79e2f7ec30d2cdcfa0c399a6553efac1e) Signed-off-by: Steve Sakoman --- meta/conf/distro/include/yocto-uninative.inc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc index eaa3e9b31c..4ac66fd506 100644 --- a/meta/conf/distro/include/yocto-uninative.inc +++ b/meta/conf/distro/include/yocto-uninative.inc @@ -6,10 +6,10 @@ # to the distro running on the build machine. # -UNINATIVE_MAXGLIBCVERSION = "2.38" -UNINATIVE_VERSION = "4.3" +UNINATIVE_MAXGLIBCVERSION = "2.39" +UNINATIVE_VERSION = "4.4" UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/" -UNINATIVE_CHECKSUM[aarch64] ?= "8df05f4a41455018b4303b2e0ea4eac5c960b5a13713f6dbb33dfdb3e32753ec" -UNINATIVE_CHECKSUM[i686] ?= "bea76b4a97c9ba0077c0dd1295f519cd599dbf71f0ca1c964471c4cdb043addd" -UNINATIVE_CHECKSUM[x86_64] ?= "1c35f09a75c4096749bbe1e009df4e3968cde151424062cf4aa3ed89db22b030" +UNINATIVE_CHECKSUM[aarch64] ?= "b61876130f494f75092f21086b4a64ea5fb064045769bf1d32e9cb6af17ea8ec" +UNINATIVE_CHECKSUM[i686] ?= "9f28627828f0082cc0344eede4d9a861a9a064bfa8f36e072e46212f0fe45fcc" +UNINATIVE_CHECKSUM[x86_64] ?= "d81c54284be2bb886931fc87281d58177a2cd381cf99d1981f8923039a72a302" From patchwork Wed Mar 20 16:09:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41307 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B2074CD11BF for ; Wed, 20 Mar 2024 16:11:13 +0000 (UTC) Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com [209.85.214.178]) by mx.groups.io with SMTP id smtpd.web11.49427.1710951070504541476 for ; Wed, 20 Mar 2024 09:11:10 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Ndks5JIv; spf=softfail (domain: sakoman.com, ip: 209.85.214.178, mailfrom: steve@sakoman.com) Received: by mail-pl1-f178.google.com with SMTP id d9443c01a7336-1e01c38f98cso24293895ad.3 for ; Wed, 20 Mar 2024 09:11:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951070; x=1711555870; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=UB3DwW3fugGItE3KzVSjqyZ3fHkqSVvhANQK6yjimJQ=; b=Ndks5JIvlToJ+OXUi18Mj+uigUQy3SoGb5ykecUC8QV2Mb9Efjyk7muP+g2WGKjczg fvpDF8iHxl0tbzUQRqAU3Ugb0Tm8TVnq1hcf6s60gKKzDrG8Kq/VL4/2YXqDCj5BNe1K Y2cqfDjFEdxqHecppG0NLXX7iNM7MVlaBGk/t5Sd2fPgDDSgzKYlVuDi7bzVGR2BGRTr b45MN4gScaHZBUrOOInrwWn4PZ7IvRkvqn8mNp94lfhePqFxJLav6kqUiKzsRONBLbB9 JctKgdBiOjRpGJrW22+B9255p+7sCu5toYaLyl9LN6NJqFRXD8VcyVcHtlYBO4VEu65V XAPg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951070; x=1711555870; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=UB3DwW3fugGItE3KzVSjqyZ3fHkqSVvhANQK6yjimJQ=; b=aFqg0Up20BeebyNbN8u3NCS2C7WZwRBO9WeWAGLLZjqwBWcQwp/mO9xhiCaNaKCg6O p754Qup97P/+4aTlwY5OsrY+SCSQW1KNToa/inRqHl4DR7G8HSQ5EKHwl2HoFThChuXF EfsiwlWEJEAipVaHpST+X69W/VhUJ2MeVfcxsPeNpwnX4kclBLBb5DRreAEjjvdKGqTy wTw8kmCJlIIu+RDasCPD9df+3ZNtucF49SwggUMt2JpbeOSQZjYle8kR4MfEN2nx6I1/ R4AoTh53qs5fT5dtSToVcv2r9eq8l77kU0+EvBhK88YsRq+aeTfBEcq+04M+VtEFjfaJ 6q6w== X-Gm-Message-State: AOJu0YzevYHSQaOS4ico71cNKTTrYd8KVABDVBs+b0ODx8vleSzQiaWY rgL/AvBhGcIvTA/dQC3ED71OKAWST1y0PalbQ78c33stNL9EMQ7EnMjDgo2Pe7VV8d0gP+SViMu zUiM= X-Google-Smtp-Source: AGHT+IFac711nD39CK+8AhGQTMKnUgYGUlTl0ro7YP07HFE6MCf7csvz20V9bOcdSquFvnH4vQgbPA== X-Received: by 2002:a17:903:41cb:b0:1e0:25f:acfe with SMTP id u11-20020a17090341cb00b001e0025facfemr12258995ple.42.1710951069728; Wed, 20 Mar 2024 09:11:09 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.11.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:11:09 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 14/15] stress-ng: avoid calling sync during do_compile Date: Wed, 20 Mar 2024 06:09:52 -1000 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:11:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197385 From: Martin Jansa calling 'sync' from do_compile in the middle of big OE world build harms the build time. Signed-off-by: Martin Jansa Signed-off-by: Steve Sakoman --- .../0001-Makefile-avoid-calling-sync.patch | 35 +++++++++++++++++++ .../stress-ng/stress-ng_0.13.12.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-extended/stress-ng/stress-ng-0.13.12/0001-Makefile-avoid-calling-sync.patch diff --git a/meta/recipes-extended/stress-ng/stress-ng-0.13.12/0001-Makefile-avoid-calling-sync.patch b/meta/recipes-extended/stress-ng/stress-ng-0.13.12/0001-Makefile-avoid-calling-sync.patch new file mode 100644 index 0000000000..fec8c524eb --- /dev/null +++ b/meta/recipes-extended/stress-ng/stress-ng-0.13.12/0001-Makefile-avoid-calling-sync.patch @@ -0,0 +1,35 @@ +From 1d1801902a4944c6f5fa521c19b32fbac7342a0c Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Sat, 6 Aug 2022 13:05:59 +0000 +Subject: [PATCH] Makefile: avoid calling sync + +Original commit message: +Makefile: use ld-gold if it is available + +Speed up linking by using ld-gold if is available. Add build +time detection to see if compiler allows it + +MJ: backported only the "sync" removal from Makefile as calling + it from do_compile in the middle of big OE world build harms + the build time. + +Upstream-Status: Backport [V0.14.04 c10e5c3f9f5560a085279f4c4b399c2f34cb897d] + +Signed-off-by: Colin Ian King +Signed-off-by: Martin Jansa +--- + Makefile | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/Makefile b/Makefile +index f8f71c54b..23db4c612 100644 +--- a/Makefile ++++ b/Makefile +@@ -425,7 +425,6 @@ OBJS += $(CONFIG_OBJS) + stress-ng: $(OBJS) + $(Q)echo "LD $@" + $(V)$(CC) $(CPPFLAGS) $(CFLAGS) $(OBJS) -lm $(LDFLAGS) -o $@ +- $(V)sync + + config.h: + +$(MAKE) -f Makefile.config STATIC=$(STATIC) -j diff --git a/meta/recipes-extended/stress-ng/stress-ng_0.13.12.bb b/meta/recipes-extended/stress-ng/stress-ng_0.13.12.bb index 807ecd3466..72dafddaf8 100644 --- a/meta/recipes-extended/stress-ng/stress-ng_0.13.12.bb +++ b/meta/recipes-extended/stress-ng/stress-ng_0.13.12.bb @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRC_URI = "git://github.com/ColinIanKing/stress-ng.git;protocol=https;branch=master \ file://0001-stress-cpu-disable-float128-math-on-powerpc64-to-avo.patch \ + file://0001-Makefile-avoid-calling-sync.patch \ " SRCREV = "f59bcb2fe1e25042e77d5e4942f72bfa026fa305" S = "${WORKDIR}/git" From patchwork Wed Mar 20 16:09:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 41308 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id A709DC6FD1F for ; Wed, 20 Mar 2024 16:11:23 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.web10.49292.1710951075853360218 for ; Wed, 20 Mar 2024 09:11:15 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=pW1ur0ty; spf=softfail (domain: sakoman.com, ip: 209.85.214.175, mailfrom: steve@sakoman.com) Received: by mail-pl1-f175.google.com with SMTP id d9443c01a7336-1dd955753edso56185755ad.1 for ; Wed, 20 Mar 2024 09:11:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1710951075; x=1711555875; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=idGLRTU/UEG6lDVbIB6zPkXlraYyUd8nCm+qfx6PAbg=; b=pW1ur0ty+DbLvnwwCU40fNg/8to496x9XEI0N/XS4eXo1tfueqTDAZZZzGAwGY0LRV o/c5ie7Enqqc+eKTQ5kTP919ISoV8uih5KGJcESkCdVBY/cyE7bTHYb/lP9I0Gj4u00C HH+0uWgDSlhXb7xW+v2umpMUBL02kyPV5ewYX+XLrHyiaWfncoL4hfnaDe4SVlzneQIl 4qvjC9mGXKOYcUPJ6XMorCmuw9tR7IkiCUFOGZzB3aY/maH2Y9HMflx2wNv4QCN4d4/n 2Dz38faYRGk8Sh1/WWRN1A9TJoyW10Or8B5pKCU5b88t+Ne10WsA9p495N3bONQy6Yef jFnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710951075; x=1711555875; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=idGLRTU/UEG6lDVbIB6zPkXlraYyUd8nCm+qfx6PAbg=; b=hZLHdsn14kf/OrM5wII40gz0vNJtGaC7XanpHwCN3iuyVWn+u3RT3KB9V9maoZyICJ 47gdiRyMIWbE63QuoKBknmt5DNaIpl/4ileEQx4VXdHD4Bpljr4SgwffdQLJNTkVPI3q mGra5hhITveOJtyV4Vt5cyVqUJstZbxUYMGeL9FQGK1icG1qf6cEnkSnaPFmAzxqBHL2 mai7CX+4o7WF6syBSB4UakY4XxvwFsijCmtWLGKBKd9Uke4xXJ3D5/PiyhVrPtYEE+eS NHibPod0QXyNmqA9pMm1RCmSySbdbiSoxk0izhB7iCr2H0bteMajeNiPT8HQp3p32RRf b/1w== X-Gm-Message-State: AOJu0YypOmKFhAQMM89WvImjXES7dpI0c5oeWNPSb4Ddp3DtGERygAy1 O3uPBp/A6R9wiR3uMOoLXehIb7gEecFAh/dJTn26tqar+E9NtBj+LkY5Mx/7zOGCn+22evlVKxs u2NU= X-Google-Smtp-Source: AGHT+IGJcsxy2XFuZQrLqIdyaGAzId5wmPfdvm7u1LbbmnW89lCW0dusbqH2DmQUUv8bvzB6eLWMbg== X-Received: by 2002:a17:903:22cd:b0:1dd:a7a7:4bc1 with SMTP id y13-20020a17090322cd00b001dda7a74bc1mr23225969plg.5.1710951074945; Wed, 20 Mar 2024 09:11:14 -0700 (PDT) Received: from hexa.lan (dhcp-72-234-108-41.hawaiiantel.net. [72.234.108.41]) by smtp.gmail.com with ESMTPSA id l18-20020a170903121200b001ddc93c5759sm13775694plh.196.2024.03.20.09.11.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 Mar 2024 09:11:14 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 15/15] glibc: Fix subscript typos for get_nscd_addresses Date: Wed, 20 Mar 2024 06:09:53 -1000 Message-Id: <1b5405955c7c2579ed1f52522e2e177d0281fa33.1710950846.git.steve@sakoman.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 20 Mar 2024 16:11:23 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/197386 From: Haitao Liu Fix the following error: root@intel-x86-64:~# wget -6 http://localhost --2024-01-12 07:18:42-- http://localhost/ Resolving localhost... failed: No IPv4/IPv6 addresses for host. wget: unable to resolve host address 'localhost' Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=29605 Upstream-patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=c9226c03da0276593a0918eaa9a14835183343e8 Signed-off-by: Haitao Liu Signed-off-by: Steve Sakoman --- ...dresses-Fix-subscript-typos-BZ-29605.patch | 40 +++++++++++++++++++ meta/recipes-core/glibc/glibc_2.35.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch diff --git a/meta/recipes-core/glibc/glibc/0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch b/meta/recipes-core/glibc/glibc/0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch new file mode 100644 index 0000000000..629298c23e --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch @@ -0,0 +1,40 @@ +From 707a878b655395f41b954bbed78008d1d9252f1a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=B6rg=20Sonnenberger?= +Date: Mon, 26 Sep 2022 13:59:16 -0400 +Subject: [PATCH] get_nscd_addresses: Fix subscript typos [BZ #29605] + +Fix the subscript on air->family, which was accidentally set to COUNT +when it should have remained as I. + +Resolves: BZ #29605 + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=c9226c03da0276593a0918eaa9a14835183343e8] + +Reviewed-by: Siddhesh Poyarekar +Signed-off-by: Haitao Liu +--- + sysdeps/posix/getaddrinfo.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index f4c08d6e3b..fa333ad6ec 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -549,11 +549,11 @@ get_nscd_addresses (const char *name, const struct addrinfo *req, + at[count].addr[2] = htonl (0xffff); + } + else if (req->ai_family == AF_UNSPEC +- || air->family[count] == req->ai_family) ++ || air->family[i] == req->ai_family) + { +- at[count].family = air->family[count]; ++ at[count].family = air->family[i]; + memcpy (at[count].addr, addrs, size); +- if (air->family[count] == AF_INET6) ++ if (air->family[i] == AF_INET6) + res->got_ipv6 = true; + } + at[count].next = at + count + 1; +-- +2.35.5 + diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb index 3ec6610d01..751427517f 100644 --- a/meta/recipes-core/glibc/glibc_2.35.bb +++ b/meta/recipes-core/glibc/glibc_2.35.bb @@ -60,6 +60,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0024-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ \ file://0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch \ + file://0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}"