From patchwork Wed May 18 02:30:29 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 8153
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 1/9] vim: Upgrade 8.2.4681 -> 8.2.4912
Date: Tue, 17 May 2022 16:30:29 -1000
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/165783

From: Richard Purdie

Includes fixes for CVE-2022-1381, CVE-2022-1420.

Signed-off-by: Richard Purdie
(cherry picked from commit 77d745bd49c979de987c75fd7a3af116e99db82b)
Signed-off-by: Steve Sakoman
--- meta/recipes-support/vim/vim.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc index 5f01fc3bca..4b8f4d1dfb 100644 --- a/meta/recipes-support/vim/vim.inc +++ b/meta/recipes-support/vim/vim.inc
@@ -21,8 +21,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://racefix.patch \ " -PV .= ".4681" -SRCREV = "15f74fab653a784548d5d966644926b47ba2cfa7" +PV .= ".4912" +SRCREV = "a7583c42cd6b64fd276a5d7bb0db5ce7bfafa730" # Remove when 8.3 is out UPSTREAM_VERSION_UNKNOWN = "1"

From patchwork Wed May 18 02:30:30 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 8154
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 2/9] curl: Fix CVEs for curl
Date: Tue, 17 May 2022 16:30:30 -1000
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/165784

From: Sana Kazi Fix below listed CVEs: CVE-2022-22576 Link: https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425.patch CVE-2022-27775 Link: https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705.patch CVE-2022-27776 Link: https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258.patch Signed-off-by: Sana.Kazi Signed-off-by: Sana Kazi Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2022-22576.patch | 148 ++++++++++++++++++ .../curl/curl/CVE-2022-27775.patch | 39 +++++ .../curl/curl/CVE-2022-27776.patch | 114 ++++++++++++++ meta/recipes-support/curl/curl_7.69.1.bb | 3 + 4 files changed, 304 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2022-22576.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27775.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27776.patch diff --git a/meta/recipes-support/curl/curl/CVE-2022-22576.patch b/meta/recipes-support/curl/curl/CVE-2022-22576.patch new file mode 100644 index 0000000000..13479e7f0e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-22576.patch 
@@ -0,0 +1,148 @@ +From 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Mon, 25 Apr 2022 11:44:05 +0200 +Subject: [PATCH] url: check sasl additional parameters for connection reuse. + +Also move static function safecmp() as non-static Curl_safecmp() since +its purpose is needed at several places. + +Bug: https://curl.se/docs/CVE-2022-22576.html + +CVE-2022-22576 + +Closes #8746 +--- + lib/strcase.c | 10 ++++++++++ + lib/strcase.h | 2 ++ + lib/url.c | 13 ++++++++++++- + lib/urldata.h | 1 + + lib/vtls/vtls.c | 21 ++++++--------------- + 5 files changed, 31 insertions(+), 16 deletions(-) + +CVE: CVE-2022-22576 +Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425.patch] +Comment: Refreshed patch +Signed-off-by: Sana.Kazi + +diff --git a/lib/strcase.c b/lib/strcase.c +index dd46ca1ba0e5..692a3f14aee7 100644 +--- a/lib/strcase.c ++++ b/lib/strcase.c +@@ -251,6 +251,16 @@ + } while(*src++ && --n); + } + ++/* Compare case-sensitive NUL-terminated strings, taking care of possible ++ * null pointers. Return true if arguments match. 
++ */ ++bool Curl_safecmp(char *a, char *b) ++{ ++ if(a && b) ++ return !strcmp(a, b); ++ return !a && !b; ++} ++ + /* --- public functions --- */ + + int curl_strequal(const char *first, const char *second) +diff --git a/lib/strcase.h b/lib/strcase.h +index b234d3815220..2635f5117e99 100644 +--- a/lib/strcase.h ++++ b/lib/strcase.h +@@ -48,4 +48,6 @@ + void Curl_strntoupper(char *dest, const char *src, size_t n); + void Curl_strntolower(char *dest, const char *src, size_t n); + ++bool Curl_safecmp(char *a, char *b); ++ + #endif /* HEADER_CURL_STRCASE_H */ +diff --git a/lib/url.c b/lib/url.c +index 9a988b4d58d8..e1647b133854 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -730,6 +730,7 @@ + Curl_safefree(conn->allocptr.host); + Curl_safefree(conn->allocptr.cookiehost); + Curl_safefree(conn->allocptr.rtsp_transport); ++ Curl_safefree(conn->oauth_bearer); + Curl_safefree(conn->trailer); + Curl_safefree(conn->host.rawalloc); /* host name buffer */ + Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ +@@ -1251,7 +1252,9 @@ + /* This protocol requires credentials per connection, + so verify that we're using the same name and password as well */ + if(strcmp(needle->user, check->user) || +- strcmp(needle->passwd, check->passwd)) { ++ strcmp(needle->passwd, check->passwd) || ++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || ++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { + /* one of them was different */ + continue; + } +@@ -3392,6 +3395,14 @@ + result = CURLE_OUT_OF_MEMORY; + goto out; + } ++ } ++ ++ if(data->set.str[STRING_BEARER]) { ++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); ++ if(!conn->oauth_bearer) { ++ result = CURLE_OUT_OF_MEMORY; ++ goto out; ++ } + } + + #ifdef USE_UNIX_SOCKETS +diff --git a/lib/urldata.h b/lib/urldata.h +index 07eb19b87034..1d89b8d7fa68 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -949,6 +949,8 @@ + + char *sasl_authzid; /* authorisation identity string, allocated */ + ++ char 
*oauth_bearer; /* OAUTH2 bearer, allocated */ ++ + int httpversion; /* the HTTP version*10 reported by the server */ + int rtspversion; /* the RTSP version*10 reported by the server */ + +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index 03b85ba065e5..a40ac06f684f 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -82,15 +82,6 @@ + else \ + dest->var = NULL; + +-static bool safecmp(char *a, char *b) +-{ +- if(a && b) +- return !strcmp(a, b); +- else if(!a && !b) +- return TRUE; /* match */ +- return FALSE; /* no match */ +-} +- + + bool + Curl_ssl_config_matches(struct ssl_primary_config* data, +@@ -101,12 +101,12 @@ + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +- safecmp(data->CApath, needle->CApath) && +- safecmp(data->CAfile, needle->CAfile) && +- safecmp(data->issuercert, needle->issuercert) && +- safecmp(data->clientcert, needle->clientcert) && +- safecmp(data->random_file, needle->random_file) && +- safecmp(data->egdsocket, needle->egdsocket) && ++ Curl_safecmp(data->CApath, needle->CApath) && ++ Curl_safecmp(data->CAfile, needle->CAfile) && ++ Curl_safecmp(data->issuercert, needle->issuercert) && ++ Curl_safecmp(data->clientcert, needle->clientcert) && ++ Curl_safecmp(data->random_file, needle->random_file) && ++ Curl_safecmp(data->egdsocket, needle->egdsocket) && + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) diff --git a/meta/recipes-support/curl/curl/CVE-2022-27775.patch b/meta/recipes-support/curl/curl/CVE-2022-27775.patch new file mode 100644 index 0000000000..b3fe7b4494 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27775.patch 
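Review bot: in CVE-2022-22576.patch the second lib/vtls/vtls.c hunk is headed "@@ -101,12 +101,12 @@" although the hunk before it ("@@ -82,15 +82,6 @@") removes nine lines, so the new-side start should be 92; the header looks hand-edited during the refresh. Regenerating the patch from a patched tree (git format-patch, or devtool finish) keeps the line numbers consistent, and the "Comment: Refreshed patch" line could say what was changed relative to the upstream commit so a reviewer can diff the two.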
@@ -0,0 +1,39 @@ +From 058f98dc3fe595f21dc26a5b9b1699e519ba5705 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 11:48:00 +0200 +Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey + +Make connections to two separate IPv6 zone ids create separate +connections. + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27775.html +Closes #8747 +--- + lib/conncache.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +CVE: CVE-2022-27775 +Upstream-Status: Backport [https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705.patch] +Comment: Refreshed patch +Signed-off-by: Sana.Kazi + +diff --git a/lib/conncache.c b/lib/conncache.c +index ec669b971dc3..8948b53fa500 100644 +--- a/lib/conncache.c ++++ b/lib/conncache.c +@@ -156,8 +156,12 @@ + /* report back which name we used */ + *hostp = hostname; + +- /* put the number first so that the hostname gets cut off if too long */ +- msnprintf(buf, len, "%ld%s", port, hostname); ++ /* put the numbers first so that the hostname gets cut off if too long */ ++#ifdef ENABLE_IPV6 ++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname); ++#else ++ msnprintf(buf, len, "%ld/%s", port, hostname); ++#endif + } + + /* Returns number of connections currently held in the connection cache. diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch new file mode 100644 index 0000000000..1a13df2d95 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27776.patch 
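Review bot: in CVE-2022-27775.patch the ENABLE_IPV6 branch of the lib/conncache.c hunk formats conn->scope_id with "%u", and neither the field nor its type is visible in this patch. Since the patch is marked as refreshed for 7.69.1, confirm that struct connectdata in the target tree has scope_id under ENABLE_IPV6 and that it is an unsigned int, or cast it at the call. The non-IPv6 branch also changes the key from "%ld%s" to "%ld/%s"; that is harmless for an in-memory hash key but worth a word in the commit message.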
@@ -0,0 +1,114 @@ +From 6e659993952aa5f90f48864be84a1bbb047fc258 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 13:05:40 +0200 +Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port + +CVE-2022-27776 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27776.html +Closes #8749 +--- + lib/http.c | 34 ++++++++++++++++++++++------------ + lib/urldata.h | 16 +++++++++------- + 2 files changed, 31 insertions(+), 19 deletions(-) + +CVE: CVE-2022-27776 +Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258.patch] +Comment: Refreshed patch +Signed-off-by: Sana.Kazi + +diff --git a/lib/http.c b/lib/http.c +index ce79fc4e31c8..f0476f3b9272 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -731,6 +731,21 @@ + return CURLE_OK; + } + ++/* ++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive ++ * data" can (still) be sent to this host. ++ */ ++static bool allow_auth_to_host(struct Curl_easy *data) ++{ ++ struct connectdata *conn = data->conn; ++ return (!data->state.this_is_a_follow || ++ data->set.allow_auth_to_other_hosts || ++ (data->state.first_host && ++ strcasecompare(data->state.first_host, conn->host.name) && ++ (data->state.first_remote_port == conn->remote_port) && ++ (data->state.first_remote_protocol == conn->handler->protocol))); ++} ++ + /** + * Curl_http_output_auth() setups the authentication headers for the + * host/proxy and the correct authentication +@@ -799,15 +799,12 @@ + with it */ + authproxy->done = TRUE; + +- /* To prevent the user+password to get sent to other than the original +- host due to a location-follow, we do some weirdo checks here */ +- if(!data->state.this_is_a_follow || +- conn->bits.netrc || +- !data->state.first_host || +- data->set.allow_auth_to_other_hosts || +- strcasecompare(data->state.first_host, conn->host.name)) { ++ /* To prevent the user+password to get sent to other than the original host ++ due to 
a location-follow */ ++ if(allow_auth_to_host(data) ++ || conn->bits.netrc ++ ) + result = output_auth_headers(conn, authhost, request, path, FALSE); +- } + else + authhost->done = TRUE; + +@@ -1879,10 +1891,7 @@ + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- (data->state.this_is_a_follow && +- data->state.first_host && +- !data->set.allow_auth_to_other_hosts && +- !strcasecompare(data->state.first_host, conn->host.name))) ++ !allow_auth_to_host(data)) + ; + else { + result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare); +@@ -2065,6 +2074,7 @@ + return CURLE_OUT_OF_MEMORY; + + data->state.first_remote_port = conn->remote_port; ++ data->state.first_remote_protocol = conn->handler->protocol; + } + + if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) && +diff --git a/lib/urldata.h b/lib/urldata.h +index 1d89b8d7fa68..ef2174d9e727 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1342,13 +1342,15 @@ + char *ulbuf; /* allocated upload buffer or NULL */ + curl_off_t current_speed; /* the ProgressShow() function sets this, + bytes / second */ +- char *first_host; /* host name of the first (not followed) request. +- if set, this should be the host name that we will +- sent authorization to, no else. Used to make Location: +- following not keep sending user+password... This is +- strdup() data. +- */ +- int first_remote_port; /* remote port of the first (not followed) request */ ++ ++ /* host name, port number and protocol of the first (not followed) request. ++ if set, this should be the host name that we will sent authorization to, ++ no else. Used to make Location: following not keep sending user+password. ++ This is strdup()ed data. 
*/ ++ char *first_host; ++ int first_remote_port; ++ unsigned int first_remote_protocol; ++ + struct curl_ssl_session *session; /* array of 'max_ssl_sessions' size */ + long sessionage; /* number of the most recent session */ + unsigned int tempcount; /* number of entries in use in tempwrite, 0 - 3 */ diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index bc1b993e9e..e850376ff8 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb 
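Review bot: in the Curl_http_output_auth() hunk of CVE-2022-27776.patch the rewritten condition is split over three lines as "if(allow_auth_to_host(data)", "|| conn->bits.netrc" and a lone ")". That layout suggests lines between them were removed when the patch was refreshed; if so, record what was dropped in the "Comment:" field, otherwise fold the condition onto one line so the backport reads as intended. The same hunk is headed "@@ -799,15 +799,12 @@" although the previous lib/http.c hunk adds 15 lines, so it applies with an offset.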
@@ -25,6 +25,9 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2021-22946-pre1.patch \ file://CVE-2021-22946.patch \ file://CVE-2021-22947.patch \ + file://CVE-2022-27776.patch \ + file://CVE-2022-27775.patch \ + file://CVE-2022-22576.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"

From patchwork Wed May 18 02:30:31 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 8155
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 3/9] tiff: Add patches to fix multiple CVEs
Date: Tue, 17 May 2022 16:30:31 -1000
Message-Id: <7c71434832caf6a15f8fb884d028a8c1bf4090a9.1652840866.git.steve@sakoman.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/165785

From: Ranjitsinh Rathod

Add patches to fix below CVE issues
CVE-2022-0865
CVE-2022-0907
CVE-2022-0908
CVE-2022-0909
CVE-2022-0924

Signed-off-by: Ranjitsinh Rathod Signed-off-by: Ranjitsinh Rathod Signed-off-by: Steve Sakoman --- .../libtiff/files/CVE-2022-0865.patch | 39 ++++++++ .../libtiff/files/CVE-2022-0907.patch | 94 +++++++++++++++++++ .../libtiff/files/CVE-2022-0908.patch | 34 +++++++ .../libtiff/files/CVE-2022-0909.patch | 37 ++++++++ .../libtiff/files/CVE-2022-0924.patch | 58 ++++++++++++ meta/recipes-multimedia/libtiff/tiff_4.1.0.bb | 5 + 6 files changed, 267 insertions(+) create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch new file mode 100644 index 0000000000..e2d136f587 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0865.patch 
@@ -0,0 +1,39 @@ +From a1c933dabd0e1c54a412f3f84ae0aa58115c6067 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 24 Feb 2022 22:26:02 +0100 +Subject: [PATCH] tif_jbig.c: fix crash when reading a file with multiple IFD + in memory-mapped mode and when bit reversal is needed (fixes #385) + +CVE: CVE-2022-0865 +Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0865.patch/] +Signed-off-by: Ranjitsinh Rathod +Comment: No change in any hunk + +--- + libtiff/tif_jbig.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/libtiff/tif_jbig.c b/libtiff/tif_jbig.c +index 74086338..8bfa4cef 100644 +--- a/libtiff/tif_jbig.c ++++ b/libtiff/tif_jbig.c +@@ -208,6 +208,16 @@ int TIFFInitJBIG(TIFF* tif, int scheme) + */ + tif->tif_flags |= TIFF_NOBITREV; + tif->tif_flags &= ~TIFF_MAPPED; ++ /* We may have read from a previous IFD and thus set TIFF_BUFFERMMAP and ++ * cleared TIFF_MYBUFFER. It is necessary to restore them to their initial ++ * value to be consistent with the state of a non-memory mapped file. ++ */ ++ if (tif->tif_flags&TIFF_BUFFERMMAP) { ++ tif->tif_rawdata = NULL; ++ tif->tif_rawdatasize = 0; ++ tif->tif_flags &= ~TIFF_BUFFERMMAP; ++ tif->tif_flags |= TIFF_MYBUFFER; ++ } + + /* Setup the function pointers for encode, decode, and cleanup. */ + tif->tif_setupdecode = JBIGSetupDecode; +-- +GitLab + diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch new file mode 100644 index 0000000000..da3ead5481 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0907.patch 
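Review bot: the "Upstream-Status: Backport" line of CVE-2022-0865.patch points at a copy of the patch on sources.debian.org, while the "From a1c933dabd0e1c54a412f3f84ae0aa58115c6067" line and the "GitLab" trailer show that it originates from an upstream libtiff commit. Citing that upstream commit next to the Debian URL lets a reviewer check the tif_jbig.c hunk against the original fix without going through an intermediary, and makes clear what "No change in any hunk" is measured against.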
@@ -0,0 +1,94 @@ +From 40b00cfb32256d377608b4d4cd30fac338d0a0bc Mon Sep 17 00:00:00 2001 +From: Augustus +Date: Mon, 7 Mar 2022 18:21:49 +0800 +Subject: [PATCH] add checks for return value of limitMalloc (#392) + +CVE: CVE-2022-0907 +Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0907.patch/] +Signed-off-by: Ranjitsinh Rathod +Comment: No change in any hunk + +--- + tools/tiffcrop.c | 33 +++++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/tools/tiffcrop.c b/tools/tiffcrop.c +index f2e5474a..9b8acc7e 100644 +--- a/tools/tiffcrop.c ++++ b/tools/tiffcrop.c +@@ -7337,7 +7337,11 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + if (!sect_buff) + { + sect_buff = (unsigned char *)_TIFFmalloc(sectsize); +- *sect_buff_ptr = sect_buff; ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + else +@@ -7353,15 +7357,15 @@ createImageSection(uint32_t sectsize, unsigned char **sect_buff_ptr) + else + sect_buff = new_buff; + ++ if (!sect_buff) ++ { ++ TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); ++ return (-1); ++ } + _TIFFmemset(sect_buff, 0, sectsize); + } + } + +- if (!sect_buff) +- { +- TIFFError("createImageSection", "Unable to allocate/reallocate section buffer"); +- return (-1); +- } + prev_sectsize = sectsize; + *sect_buff_ptr = sect_buff; + +@@ -7628,7 +7632,11 @@ createCroppedImage(struct image_data *image, struct crop_mask *crop, + if (!crop_buff) + { + crop_buff = (unsigned char *)_TIFFmalloc(cropsize); +- *crop_buff_ptr = crop_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + prev_cropsize = cropsize; + } +@@ -7644,15 +7652,15 @@ createCroppedImage(struct 
image_data *image, struct crop_mask *crop, + } + else + crop_buff = new_buff; ++ if (!crop_buff) ++ { ++ TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); ++ return (-1); ++ } + _TIFFmemset(crop_buff, 0, cropsize); + } + } + +- if (!crop_buff) +- { +- TIFFError("createCroppedImage", "Unable to allocate/reallocate crop buffer"); +- return (-1); +- } + *crop_buff_ptr = crop_buff; + + if (crop->crop_mode & CROP_INVERT) +@@ -9211,3 +9219,4 @@ invertImage(uint16_t photometric, uint16_t spp, uint16_t bps, uint32_t width, ui + * fill-column: 78 + * End: + */ ++ +-- +GitLab + diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch new file mode 100644 index 0000000000..e65af6c600 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0908.patch @@ -0,0 +1,34 @@ +From a95b799f65064e4ba2e2dfc206808f86faf93e85 Mon Sep 17 00:00:00 2001 +From: Even Rouault +Date: Thu, 17 Feb 2022 15:28:43 +0100 +Subject: [PATCH] TIFFFetchNormalTag(): avoid calling memcpy() with a null + source pointer and size of zero (fixes #383) + +CVE: CVE-2022-0908 +Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0908.patch/] +Signed-off-by: Ranjitsinh Rathod +Comment: No change in any hunk + +--- + libtiff/tif_dirread.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libtiff/tif_dirread.c b/libtiff/tif_dirread.c +index 50ebf8ac..2ec44a4f 100644 +--- a/libtiff/tif_dirread.c ++++ b/libtiff/tif_dirread.c +@@ -5021,7 +5021,10 @@ TIFFFetchNormalTag(TIFF* tif, TIFFDirEntry* dp, int recover) + _TIFFfree(data); + return(0); + } +- _TIFFmemcpy(o,data,(uint32)dp->tdir_count); ++ if (dp->tdir_count > 0 ) ++ { ++ _TIFFmemcpy(o,data,(uint32)dp->tdir_count); ++ } + o[(uint32)dp->tdir_count]=0; + if (data!=0) + _TIFFfree(data); +-- +GitLab + 
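Review bot: the subject of CVE-2022-0907.patch speaks of the return value of limitMalloc, but the context lines in createImageSection() and createCroppedImage() call "_TIFFmalloc(sectsize)" and "_TIFFmalloc(cropsize)", so these hunks are an adaptation to 4.1.0 and not the upstream change verbatim. The "Comment: No change in any hunk" line should say that it is relative to the Debian backport named in Upstream-Status. The last tools/tiffcrop.c hunk ("@@ -9211,3 +9219,4 @@") only appends a blank line at the end of the file and carries no fix.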
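Review bot: in the TIFFFetchNormalTag() hunk of CVE-2022-0908.patch the new guard tests dp->tdir_count and not data, while the subject describes a null source pointer and the context line "if (data!=0)" shows that data can be null at this point. Confirm that data is non-null whenever tdir_count is greater than zero, or test both in the guard, so that _TIFFmemcpy() is never reached with a null source and a non-zero length.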
diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch new file mode 100644 index 0000000000..d487f1bd95 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0909.patch @@ -0,0 +1,37 @@ +From 32ea0722ee68f503b7a3f9b2d557acb293fc8cde Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Tue, 8 Mar 2022 16:22:04 +0000 +Subject: [PATCH] fix the FPE in tiffcrop (#393) + +CVE: CVE-2022-0909 +Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0909.patch/] +Signed-off-by: Ranjitsinh Rathod +Comment: No change in any hunk + +--- + libtiff/tif_dir.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/libtiff/tif_dir.c b/libtiff/tif_dir.c +index 57055ca9..59b346ca 100644 +--- a/libtiff/tif_dir.c ++++ b/libtiff/tif_dir.c +@@ -334,13 +334,13 @@ _TIFFVSetField(TIFF* tif, uint32_t tag, va_list ap) + break; + case TIFFTAG_XRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_xresolution = _TIFFClampDoubleToFloat( dblval ); + break; + case TIFFTAG_YRESOLUTION: + dblval = va_arg(ap, double); +- if( dblval < 0 ) ++ if( dblval != dblval || dblval < 0 ) + goto badvaluedouble; + td->td_yresolution = _TIFFClampDoubleToFloat( dblval ); + break; +-- +GitLab + diff --git a/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch new file mode 100644 index 0000000000..ddb035c972 --- /dev/null +++ b/meta/recipes-multimedia/libtiff/files/CVE-2022-0924.patch 
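Review bot: "dblval != dblval" in the TIFFTAG_XRESOLUTION and TIFFTAG_YRESOLUTION cases of CVE-2022-0909.patch is a NaN test that is easy to misread as a typo, and a compiler may fold it to false when the build uses -ffast-math or -ffinite-math-only. A one-line comment saying that it rejects NaN would help, and it is worth checking that the recipe's CFLAGS do not enable those options, since the fix silently disappears if they do.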
@@ -0,0 +1,58 @@ +From 88d79a45a31c74cba98c697892fed5f7db8b963a Mon Sep 17 00:00:00 2001 +From: 4ugustus +Date: Thu, 10 Mar 2022 08:48:00 +0000 +Subject: [PATCH] fix heap buffer overflow in tiffcp (#278) + +CVE: CVE-2022-0924 +Upstream-Status: Backport [https://sources.debian.org/src/tiff/4.1.0+git191117-2%7Edeb10u4/debian/patches/CVE-2022-0924.patch/] +Signed-off-by: Ranjitsinh Rathod +Comment: No change in any hunk + +--- + tools/tiffcp.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/tools/tiffcp.c b/tools/tiffcp.c +index 224583e0..aa32b118 100644 +--- a/tools/tiffcp.c ++++ b/tools/tiffcp.c +@@ -1524,12 +1524,27 @@ DECLAREwriteFunc(writeBufferToSeparateSt + tdata_t obuf; + tstrip_t strip = 0; + tsample_t s; ++ uint16 bps = 0, bytes_per_sample; + + obuf = _TIFFmalloc(stripsize); + if (obuf == NULL) + return (0); + _TIFFmemset(obuf, 0, stripsize); + (void) TIFFGetFieldDefaulted(out, TIFFTAG_ROWSPERSTRIP, &rowsperstrip); ++ (void) TIFFGetField(out, TIFFTAG_BITSPERSAMPLE, &bps); ++ if( bps == 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot read BitsPerSample"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ if( (bps % 8) != 0 ) ++ { ++ TIFFError(TIFFFileName(out), "Error, cannot handle BitsPerSample that is not a multiple of 8"); ++ _TIFFfree(obuf); ++ return 0; ++ } ++ bytes_per_sample = bps/8; + for (s = 0; s < spp; s++) { + uint32 row; + for (row = 0; row < imagelength; row += rowsperstrip) { +@@ -1539,7 +1539,7 @@ DECLAREwriteFunc(writeBufferToSeparateSt + + cpContigBufToSeparateBuf( + obuf, (uint8*) buf + row*rowsize + s, +- nrows, imagewidth, 0, 0, spp, 1); ++ nrows, imagewidth, 0, 0, spp, bytes_per_sample); + if (TIFFWriteEncodedStrip(out, strip++, obuf, stripsize) < 0) { + TIFFError(TIFFFileName(out), + "Error, can't write strip %u", +-- +GitLab + diff --git a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb index e3ffb12f9e..75bc20de78 100644 
--- a/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.1.0.bb 
@@ -18,7 +18,12 @@ SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \ file://0001-tiffset-fix-global-buffer-overflow-for-ASCII-tags-wh.patch \ file://561599c99f987dc32ae110370cfdd7df7975586b.patch \ file://eecb0712f4c3a5b449f70c57988260a667ddbdef.patch \ + file://CVE-2022-0865.patch \ + file://CVE-2022-0908.patch \ + file://CVE-2022-0907.patch \ + file://CVE-2022-0909.patch \ file://CVE-2022-0891.patch \ + file://CVE-2022-0924.patch \ " SRC_URI[md5sum] = "2165e7aba557463acc0664e71a3ed424" SRC_URI[sha256sum] = "5d29f32517dadb6dbcd1255ea5bbc93a2b54b94fbf83653b4d65c7d6775b8634" From patchwork Wed May 18 02:30:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8157 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0CE29C433FE for ; Wed, 18 May 2022 02:31:13 +0000 (UTC) Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com [209.85.216.41]) by mx.groups.io with SMTP id smtpd.web09.334.1652841064249997119 for ; Tue, 17 May 2022 19:31:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=G5MwLpg5; spf=softfail (domain: sakoman.com, ip: 209.85.216.41, mailfrom: steve@sakoman.com) Received: by mail-pj1-f41.google.com with SMTP id gg20so656751pjb.1 for ; Tue, 17 May 2022 19:31:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=J9DG6lv00rGeGy9Ql1R5sqWNEQEl3hg3Rs40dWhuCIs=; b=G5MwLpg5xgf/28FCELTC8g+kJvn6TMWAKvfHdJz5F/HoH12Io6oyuOXWa00I/NdbmB 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 4/9] freetype: Fix CVEs for freetype Date: Tue, 17 May 2022 16:30:32 -1000 Message-Id: <51a92860bdbab28a2b487be3b054f103a54b86ac.1652840866.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 May 2022 02:31:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/165786 From: Ranjitsinh Rathod Apply below patches to fix the CVEs for freetype: CVE-2022-27404.patch Link: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch CVE-2022-27405.patch Link: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5.patch CVE-2022-27406.patch Link: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2.patch Signed-off-by: Ranjitsinh Rathod Signed-off-by: Ranjitsinh Rathod Signed-off-by: Steve Sakoman --- .../freetype/freetype/CVE-2022-27404.patch | 33 ++++++++++++++++ .../freetype/freetype/CVE-2022-27405.patch | 38 +++++++++++++++++++ .../freetype/freetype/CVE-2022-27406.patch | 31 +++++++++++++++ .../freetype/freetype_2.10.1.bb | 3 ++ 4 files changed, 105 insertions(+) create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch new file mode 100644 index 0000000000..e66400ddb1 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch 
@@ -0,0 +1,33 @@ +From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Thu, 17 Mar 2022 19:24:16 +0100 +Subject: [PATCH] [sfnt] Avoid invalid face index. + +Fixes #1138. + +* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font): +Check `face_index` before decrementing. + +CVE: CVE-2022-27404 +Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch] +Comment: Removed second hunk as sfwoff2.c file is not part of current v2.10.1 code +Signed-off-by: Ranjitsinh Rathod +--- + src/sfnt/sfobjs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c +index f9d4d3858..9771c35df 100644 +--- a/src/sfnt/sfobjs.c ++++ b/src/sfnt/sfobjs.c +@@ -566,7 +566,7 @@ + face_index = FT_ABS( face_instance_index ) & 0xFFFF; + + /* value -(N+1) requests information on index N */ +- if ( face_instance_index < 0 ) ++ if ( face_instance_index < 0 && face_index > 0 ) + face_index--; + + if ( face_index >= face->ttc_header.count ) +-- +GitLab diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch new file mode 100644 index 0000000000..08fccd5a3b --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch 
@@ -0,0 +1,38 @@ +From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 19 Mar 2022 06:40:17 +0100 +Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard + `face_index`. +We must ensure that the cast to `FT_Int` doesn't change the sign. +Fixes #1139. + +CVE: CVE-2022-27405 +Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5] +Comment: No Change in any hunk +Signed-off-by: Ranjitsinh Rathod +--- + src/base/ftobjs.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c +index 2c0f0e6c9..10952a6c6 100644 +--- a/src/base/ftobjs.c ++++ b/src/base/ftobjs.c +@@ -2527,6 +2527,15 @@ + #endif + + ++ /* only use lower 31 bits together with sign bit */ ++ if ( face_index > 0 ) ++ face_index &= 0x7FFFFFFFL; ++ else ++ { ++ face_index &= 0x7FFFFFFFL; ++ face_index = -face_index; ++ } ++ + #ifdef FT_DEBUG_LEVEL_TRACE + FT_TRACE3(( "FT_Open_Face: " )); + if ( face_index < 0 ) +-- +GitLab diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch new file mode 100644 index 0000000000..4b5e629f30 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch 
@@ -0,0 +1,31 @@ +From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 19 Mar 2022 09:37:28 +0100 +Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`. + +Fixes #1140. + +CVE: CVE-2022-27406 +Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2] +Comment: No Change in any hunk +Signed-off-by: Ranjitsinh Rathod +--- + src/base/ftobjs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c +index 6492a1517..282c9121a 100644 +--- a/src/base/ftobjs.c ++++ b/src/base/ftobjs.c +@@ -3409,6 +3409,9 @@ + if ( !face ) + return FT_THROW( Invalid_Face_Handle ); + ++ if ( !face->size ) ++ return FT_THROW( Invalid_Size_Handle ); ++ + if ( !req || req->width < 0 || req->height < 0 || + req->type >= FT_SIZE_REQUEST_TYPE_MAX ) + return FT_THROW( Invalid_Argument ); +-- +GitLab diff --git a/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/meta/recipes-graphics/freetype/freetype_2.10.1.bb index 2d444bbf19..72001c529a 100644 --- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb +++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb 
@@ -15,6 +15,9 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1 SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \ file://use-right-libtool.patch \ file://0001-sfnt-Fix-heap-buffer-overflow-59308.patch \ + file://CVE-2022-27404.patch \ + file://CVE-2022-27405.patch \ + file://CVE-2022-27406.patch \ " SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f" SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f" From patchwork Wed May 18 02:30:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8156 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0B9E1C433F5 for ; Wed, 18 May 2022 02:31:13 +0000 (UTC) Received: from mail-pl1-f175.google.com (mail-pl1-f175.google.com [209.85.214.175]) by mx.groups.io with SMTP id smtpd.web08.335.1652841066474008356 for ; Tue, 17 May 2022 19:31:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=PrafHgjD; spf=softfail (domain: sakoman.com, ip: 209.85.214.175, mailfrom: steve@sakoman.com) Received: by mail-pl1-f175.google.com with SMTP id n8so508117plh.1 for ; Tue, 17 May 2022 19:31:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=VHbgKVqdt9uewbg514XpAZRQrL3fPr3t2sW99n3YG6I=; b=PrafHgjDKZD/rPcYiZ7GP5to1TcvEjpHKE537jgRzm5HIs0/286MoYDlleqqEA7gWS 5/TAJbxadofhIUMRlW+1WJS0jyVcdB8NbOSDj6I4ddzzvHfuxxLv2HciKNnggveKKu0u 4fzt5QlhOEVMQtv+FUO3seQO/eWXrNR5AvP4Hf4KdDMz7ECiFT1JuqLbgqBNN+JwUoHP 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 5/9] git: Use CVE_CHECK_WHITELIST instead of CVE_CHECK_IGNORE Date: Tue, 17 May 2022 16:30:33 -1000 Message-Id: <970743af349e21a399da6241587b849b14933bc5.1652840866.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 18 May 2022 02:31:13 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/165787 From: Ranjitsinh Rathod Use CVE_CHECK_WHITELIST as CVE_CHECK_IGNORE is not valid on dunfell branch Signed-off-by: Ranjitsinh Rathod Signed-off-by: Steve Sakoman --- meta/recipes-devtools/git/git.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc index 879920d97e..b5d0004712 100644 --- a/meta/recipes-devtools/git/git.inc +++ b/meta/recipes-devtools/git/git.inc 
@@ -22,7 +22,7 @@ CVE_PRODUCT = "git-scm:git" # This is about a manpage not mentioning --mirror may "leak" information # in mirrored git repos. Most OE users wouldn't build the docs and # we don't see this as a major issue for our general users/usecases. -CVE_CHECK_IGNORE += "CVE-2022-24975" +CVE_CHECK_WHITELIST += "CVE-2022-24975" PACKAGECONFIG ??= "" PACKAGECONFIG[cvsserver] = "" From patchwork Wed May 18 02:30:34 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8158 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 08F0BC433EF for ; Wed, 18 May 2022 02:31:13 +0000 (UTC) Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) by mx.groups.io with SMTP id smtpd.web11.308.1652841068897348562 for ; Tue, 17 May 2022 19:31:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=B9bbfIbV; spf=softfail (domain: sakoman.com, ip: 209.85.210.177, mailfrom: steve@sakoman.com) Received: by mail-pf1-f177.google.com with SMTP id k16so842522pff.5 for ; Tue, 17 May 2022 19:31:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=hwoyfI3DAbt9x7uBL0BG6fXRWVRo7oOG7PQkdEgsYHk=; b=B9bbfIbVUVjUvCrBNQa20TSThgJsTCfh8njvLrTSWM3nQTQ1GtQ3rrC+fLvhBiX27R OMqEWgGcIuxF++OCgjnPLFLueDjw5wjsqzjiuPHb5eg4jNhJVDtmGeb2dC3ldEwG/5oK 7p3uNnJmcVuEAd9Xs4U/04euOckk6v6DsVj6h+XcrCB8hYMktTW1bmjGciOW+UzoopSi z5z3azFfDDyXpbz+rVPrv9jdYkhD8ybWpU4lQuL1i+T6bzXM8u9e3dnPOTc6meh9IyMP 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 6/9] openssl: Minor security upgrade 1.1.1n to 1.1.1o Date: Tue, 17 May 2022 16:30:34 -1000 X-Mailer: git-send-email 2.25.1 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/165788
From: Ranjitsinh Rathod This security upgrade fixes CVE-2022-1292 as per below link Link: https://www.openssl.org/news/cl111.txt Signed-off-by: Ranjitsinh Rathod Signed-off-by: Ranjitsinh Rathod Signed-off-by: Steve Sakoman --- .../openssl/{openssl_1.1.1n.bb => openssl_1.1.1o.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-connectivity/openssl/{openssl_1.1.1n.bb => openssl_1.1.1o.bb} (98%) diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb similarity index 98% rename from meta/recipes-connectivity/openssl/openssl_1.1.1n.bb rename to meta/recipes-connectivity/openssl/openssl_1.1.1o.bb index 8538bd5a18..c9cfc759c9 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb 
@@ -24,7 +24,7 @@ SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a" +SRC_URI[sha256sum] = "9384a2b0570dd80358841464677115df785edb941c71211f75076d72fe6b438f" inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" From patchwork Wed May 18 02:30:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8159 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1D0B7C4332F for ; Wed, 18 May 2022 02:31:13 +0000 (UTC) Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46]) by mx.groups.io with SMTP id smtpd.web10.358.1652841071535317489 for ; Tue, 17 May 2022 19:31:11 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=EvPpXryN; spf=softfail (domain: sakoman.com, ip: 209.85.216.46, mailfrom: steve@sakoman.com) Received: by mail-pj1-f46.google.com with SMTP id l14so653510pjk.2 for ; Tue, 17 May 2022 19:31:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=mH8dC2AqJJwFx+vSD/6oQpu+KtZDuwgV1DEvDGaB0jI=; b=EvPpXryNF+Tc9tyDdba7tEmJJpHKH8LEmxU3AFPyNiVHHWW6o8MU7TDsMZ5o+tTQEY OYmA1LEonSyxytufDUDwOoZGc3fJltp1wxs49J5mygv30ZG8PMxpEBVnFGIPIRhJKWQY k0qD7VUgBfIo3fdqlYNfRYlOZfHz7PmpFjBKp7kDd4FKA8jC6XsfIH5aFY+Dz5Zi9rg7 WbmmlIkK/PP09AR7e4uro2ePAZZwI9PypDpQ+V2RyDDRf5hUjR0E2hRmjiVlS3y+RWpJ 5BZgSUHb0tJ+eVjt3QI7Rrk+AAp062h8QRnhADKoHQObFPsBmtZ6a7y0WguX25ya6u+9 U4Lg== 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 7/9] linux-firmware: replace mkdir by install Date: Tue, 17 May 2022 16:30:35 -1000 X-Mailer: git-send-email 2.25.1 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/165789
From: Konrad Weihmann If a setup is using RPM for packaging and there are multiple recipes that install to ${nonarch_base_libdir}/firmware by using install -d ${nonarch_base_libdir}/firmware, it will create installation clashes on image install, as linux-firmware before this patch used mkdir -p, which creates different file mode bits (depending on the current user's settings). In a particular example linux-firmware created /lib/firmware with 0600 while other-firmware-package created it with 0644, making the combination not installable by the rpm backend. Signed-off-by: Konrad Weihmann Signed-off-by: Luca Ceresoli Signed-off-by: Richard Purdie (cherry picked from commit 98bf3f427702687bf81ed759e7cde5d6d15e77eb) Signed-off-by: Steve Sakoman --- ...01-Makefile-replace-mkdir-by-install.patch | 84 +++++++++++++++++++ .../linux-firmware/linux-firmware_20220411.bb | 5 +- 2 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-kernel/linux-firmware/files/0001-Makefile-replace-mkdir-by-install.patch diff --git a/meta/recipes-kernel/linux-firmware/files/0001-Makefile-replace-mkdir-by-install.patch b/meta/recipes-kernel/linux-firmware/files/0001-Makefile-replace-mkdir-by-install.patch new file mode 100644 index 0000000000..b1ac5a16ab --- /dev/null +++ b/meta/recipes-kernel/linux-firmware/files/0001-Makefile-replace-mkdir-by-install.patch 
@@ -0,0 +1,84 @@ +From 71514e74f35f2b51ca24062573d6d913525b30db Mon Sep 17 00:00:00 2001 +From: Konrad Weihmann +Date: Mon, 9 May 2022 12:57:57 +0200 +Subject: [PATCH] Makefile: replace mkdir by install + +mkdir -p creates paths that are bound to user's settings and therefore +can lead to different file mode bits of the base paths accross different +machines. +Use install instead, as this tool is not prone to such behavior. + +Signed-off-by: Konrad Weihmann +Upstream-Status: Submitted [https://lore.kernel.org/linux-firmware/PR2PR09MB310088EA719E6D7CA5C268F1A8C69@PR2PR09MB3100.eurprd09.prod.outlook.com/] +--- + Makefile | 2 +- + carl9170fw/toolchain/Makefile | 4 ++-- + copy-firmware.sh | 6 +++--- + 3 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/Makefile b/Makefile +index e1c362f..83a0ec6 100644 +--- a/Makefile ++++ b/Makefile +@@ -9,5 +9,5 @@ check: + @./check_whence.py + + install: +- mkdir -p $(DESTDIR)$(FIRMWAREDIR) ++ install -d $(DESTDIR)$(FIRMWAREDIR) + ./copy-firmware.sh $(DESTDIR)$(FIRMWAREDIR) +diff --git a/carl9170fw/toolchain/Makefile b/carl9170fw/toolchain/Makefile +index 2b25ffe..aaea8e8 100644 +--- a/carl9170fw/toolchain/Makefile ++++ b/carl9170fw/toolchain/Makefile +@@ -46,14 +46,14 @@ src/gcc-$(GCC_VER): src/$(GCC_TAR) src/newlib-$(NEWLIB_VER) + ln -s $(BASEDIR)/src/newlib-$(NEWLIB_VER)/libgloss $@ + + binutils: src/binutils-$(BINUTILS_VER) +- mkdir -p build/binutils ++ install -d build/binutils + cd build/binutils; \ + $(BASEDIR)/$ //g' | while read f d; d + if test -L "$f"; then + test -f "$destdir/$f" && continue + $verbose "copying link $f" +- mkdir -p $destdir/$(dirname "$f") ++ install -d $destdir/$(dirname "$f") + cp -d "$f" $destdir/"$f" + + if test "x$d" != "x"; then +@@ -63,7 +63,7 @@ grep -E '^Link:' WHENCE | sed -e's/^Link: *//g' -e's/-> //g' | while read f d; d + fi + else + $verbose "creating link $f -> $d" +- mkdir -p $destdir/$(dirname "$f") ++ install -d $destdir/$(dirname "$f") + ln -sf "$d" "$destdir/$f" + fi + 
done +-- +2.25.1 + diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20220411.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20220411.bb index ad8dbac17f..34ed0c04c4 100644 --- a/meta/recipes-kernel/linux-firmware/linux-firmware_20220411.bb +++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20220411.bb 
@@ -203,7 +203,10 @@ NO_GENERIC_LICENSE[WHENCE] = "WHENCE" PE = "1" -SRC_URI = "${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz" +SRC_URI = "\ + ${KERNELORG_MIRROR}/linux/kernel/firmware/${BPN}-${PV}.tar.xz \ + file://0001-Makefile-replace-mkdir-by-install.patch \ +" SRC_URI[sha256sum] = "020b11f6412f4956f5a6f98de7d41867d2b30ea0ce81b1e2d206ec9840363849" From patchwork Wed May 18 02:30:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8160 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 038C0C433FE for ; Wed, 18 May 2022 02:31:23 +0000 (UTC) Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) by mx.groups.io with SMTP id smtpd.web12.339.1652841073825372834 for ; Tue, 17 May 2022 19:31:13 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=xbDl7Jkn; spf=softfail (domain: sakoman.com, ip: 209.85.216.44, mailfrom: steve@sakoman.com) Received: by mail-pj1-f44.google.com with SMTP id v5-20020a17090a7c0500b001df84fa82f8so662010pjf.5 for ; Tue, 17 May 2022 19:31:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=wKaYMS+pIGu4eYjsK0rIgG/blPdFqdcANVWSI6JIcNY=; b=xbDl7JknJmI4yj0OO0ollQm0tB2TzUxRQYAPmNNHTuZ0r6AmTywHE2lm4OpVtYlH7p n9cXrjXo4cDV0Upwk/2t77ZIjP31HL/u4xzW6zwh2zBz/zr3ypo9ITruMOfd39XBpiGe Fi6QlBIkyJNZrVuuTrNZ7PfsKQsZFKK5z53t0eg8pZFBcueYwqO6UXnM6LzCyyuvFBfq vmn3R0eIx41/OqzeHNlfWNPhUO+8OeoWkKFoLOV6S5hjxUJldQo9JmBYF/9nbEsVehL4 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 8/9] linux-firmware: upgrade 20220411 -> 20220509 Date: Tue, 17 May 2022 16:30:36 -1000 Message-Id: <1ec7c6f0f048482ae902fd15beab5cdfc7b50c7b.1652840866.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/165790
From: Dmitry Baryshkov License-Update: additional files Signed-off-by: Dmitry Baryshkov Signed-off-by: Luca Ceresoli Signed-off-by: Richard Purdie (cherry picked from commit 85b1fef733683be09a1efdb2d8b8ffe543053ace) Signed-off-by: Steve Sakoman --- ...{linux-firmware_20220411.bb => linux-firmware_20220509.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta/recipes-kernel/linux-firmware/{linux-firmware_20220411.bb => linux-firmware_20220509.bb} (99%) diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20220411.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20220509.bb similarity index 99% rename from meta/recipes-kernel/linux-firmware/linux-firmware_20220411.bb rename to meta/recipes-kernel/linux-firmware/linux-firmware_20220509.bb index 34ed0c04c4..ec92cae2fa 100644 --- a/meta/recipes-kernel/linux-firmware/linux-firmware_20220411.bb +++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20220509.bb @@ -132,7 +132,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ file://LICENCE.xc4000;md5=0ff51d2dc49fce04814c9155081092f0 \ file://LICENCE.xc5000;md5=1e170c13175323c32c7f4d0998d53f66 \ file://LICENCE.xc5000c;md5=12b02efa3049db65d524aeb418dd87ca \ - file://WHENCE;md5=4cf67d71a21887c682c3989a4318745e \ + file://WHENCE;md5=d3eb82686904888f8bbbe8d865371404 \ " # These are not common licenses, set NO_GENERIC_LICENSE for them 
@@ -208,7 +208,7 @@ SRC_URI = "\ file://0001-Makefile-replace-mkdir-by-install.patch \ " -SRC_URI[sha256sum] = "020b11f6412f4956f5a6f98de7d41867d2b30ea0ce81b1e2d206ec9840363849" +SRC_URI[sha256sum] = "376e0b3d7b4f8aaa2abf7f5ab74803dcf14b06b94e3d841b1467cd9a2848255e" inherit allarch
From patchwork Wed May 18 02:30:37 2022 X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8161 From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 9/9] selftest: skip virgl test on alma 8.6 Date: Tue, 17 May 2022 16:30:37 -1000 Message-Id: <48ce924dc82aa959fb897ec36873db7dc3813b71.1652840866.git.steve@sakoman.com> X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/165791 This test will fail any time the host has libdrm > 2.4.107 Signed-off-by: Steve Sakoman --- meta/lib/oeqa/selftest/cases/runtime_test.py | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py index 20dc1c9482..3f78a18603 100644 --- a/meta/lib/oeqa/selftest/cases/runtime_test.py +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py @@ -175,6 +175,8 @@ class TestImage(OESelftestTestCase): if "DISPLAY" not in os.environ: self.skipTest("virgl gtk test must be run inside a X session") distro = oe.lsb.distro_identifier() + if distro and distro == 'almalinux-8.6': + self.skipTest('virgl isn\'t working with Alma 8') if distro and distro == 'debian-8': self.skipTest('virgl isn\'t working with Debian 8') if distro and distro == 'centos-7':
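Review bot: In the runtime_test.py hunk at @@ -175,6 +175,8 @@, the new check matches only the exact identifier 'almalinux-8.6' while the skip message says "Alma 8", and the commit message gives the actual cause as host libdrm > 2.4.107. Any other host with a newer libdrm is not skipped and will still fail, so either make the message say 'Alma 8.6' and add a comment naming the libdrm version as the reason, or key the skip on the libdrm version itself. The `distro and` part of the condition is redundant with the equality test, although it matches the existing Debian and CentOS checks around it.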
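Review bot: In the linux-firmware_20220509.bb hunk at @@ -132,7 +132,7 @@, the WHENCE md5 changes but the only explanation given is "License-Update: additional files", which does not say which firmware files or licences WHENCE gained. No LICENCE.* entry is added in the visible diff, so please name the additions in the commit message so a reviewer can confirm that none of them needs its own LIC_FILES_CHKSUM or NO_GENERIC_LICENSE entry.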
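Review bot: In the linux-firmware_20220509.bb hunk at @@ -208,7 +208,7 @@, the new SRC_URI[sha256sum] is the only value shown that pins the 20220509 source archive, and nothing in the commit message says how it was obtained. Please state whether it was checked against an upstream-published checksum or signature rather than computed from a locally fetched file, since a hash taken from an unverified download only pins whatever was downloaded.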