From patchwork Mon May 23 13:59:40 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 14230 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org From: "Steve Sakoman" Subject: [OE-core][kirkstone 1/9] curl: Backport CVE fixes Date: Mon, 23 May 2022 03:59:40 -1000 Message-Id: In-Reply-To: References: MIME-Version: 1.0 List-id: To: openembedded-core@lists.openembedded.org From: Robert Joslyn Backport patches to address the following CVEs: * https://curl.se/docs/CVE-2022-22576.html * https://curl.se/docs/CVE-2022-27775.html * https://curl.se/docs/CVE-2022-27776.html * https://curl.se/docs/CVE-2022-27774.html * https://curl.se/docs/CVE-2022-30115.html * https://curl.se/docs/CVE-2022-27780.html * https://curl.se/docs/CVE-2022-27781.html * https://curl.se/docs/CVE-2022-27779.html * https://curl.se/docs/CVE-2022-27782.html Signed-off-by: Robert Joslyn 
Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2022-22576.patch | 145 ++++++ .../curl/curl/CVE-2022-27774-1.patch | 45 ++ .../curl/curl/CVE-2022-27774-2.patch | 80 +++ .../curl/curl/CVE-2022-27774-3.patch | 83 ++++ .../curl/curl/CVE-2022-27774-4.patch | 35 ++ .../curl/curl/CVE-2022-27775.patch | 37 ++ .../curl/curl/CVE-2022-27776.patch | 115 +++++ .../curl/curl/CVE-2022-27779.patch | 42 ++ .../curl/curl/CVE-2022-27780.patch | 33 ++ .../curl/curl/CVE-2022-27781.patch | 43 ++ .../curl/curl/CVE-2022-27782-1.patch | 458 ++++++++++++++++++ .../curl/curl/CVE-2022-27782-2.patch | 71 +++ .../curl/curl/CVE-2022-30115.patch | 82 ++++ meta/recipes-support/curl/curl_7.82.0.bb | 16 +- 14 files changed, 1284 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/curl/curl/CVE-2022-22576.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27775.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27776.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27779.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27780.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-30115.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2022-22576.patch b/meta/recipes-support/curl/curl/CVE-2022-22576.patch
new file mode 100644
index 0000000000..469cf220ba
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-22576.patch
@@ -0,0 +1,145 @@
+From 371264697a70e8ed3da678aefbe20940759485fa Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat
+Date: Mon, 25 Apr 2022 11:44:05 +0200
+Subject: [PATCH] url: check sasl additional parameters for connection reuse.
+
+Also move static function safecmp() as non-static Curl_safecmp() since
+its purpose is needed at several places.
+
+Bug: https://curl.se/docs/CVE-2022-22576.html
+
+CVE-2022-22576
+
+Closes #8746
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425]
+Signed-off-by: Robert Joslyn
+---
+ lib/strcase.c | 10 ++++++++++
+ lib/strcase.h | 2 ++
+ lib/url.c | 13 ++++++++++++-
+ lib/urldata.h | 1 +
+ lib/vtls/vtls.c | 21 ++++++---------------
+ 5 files changed, 31 insertions(+), 16 deletions(-)
+
+diff --git a/lib/strcase.c b/lib/strcase.c
+index dd46ca1..692a3f1 100644
+--- a/lib/strcase.c
++++ b/lib/strcase.c
+@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
+ } while(*src++ && --n);
+ }
+
++/* Compare case-sensitive NUL-terminated strings, taking care of possible
++ * null pointers. Return true if arguments match.
++ */
++bool Curl_safecmp(char *a, char *b)
++{
++ if(a && b)
++ return !strcmp(a, b);
++ return !a && !b;
++}
++
+ /* --- public functions --- */
+
+ int curl_strequal(const char *first, const char *second)
+diff --git a/lib/strcase.h b/lib/strcase.h
+index b628656..382b80a 100644
+--- a/lib/strcase.h
++++ b/lib/strcase.h
+@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in);
+ void Curl_strntoupper(char *dest, const char *src, size_t n);
+ void Curl_strntolower(char *dest, const char *src, size_t n);
+
++bool Curl_safecmp(char *a, char *b);
++
+ #endif /* HEADER_CURL_STRCASE_H */
+diff --git a/lib/url.c b/lib/url.c
+index adef2cd..94e3406 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn)
+ Curl_safefree(conn->passwd);
+ Curl_safefree(conn->sasl_authzid);
+ Curl_safefree(conn->options);
++ Curl_safefree(conn->oauth_bearer);
+ Curl_dyn_free(&conn->trailer);
+ Curl_safefree(conn->host.rawalloc); /* host name buffer */
+ Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
+@@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data,
+ /* This protocol requires credentials per connection,
+ so verify that we're using the same name and password as well */
+ if(strcmp(needle->user, check->user) ||
+- strcmp(needle->passwd, check->passwd)) {
++ strcmp(needle->passwd, check->passwd) ||
++ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
++ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
+ /* one of them was different */
+ continue;
+ }
+@@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data,
+ }
+ }
+
++ if(data->set.str[STRING_BEARER]) {
++ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
++ if(!conn->oauth_bearer) {
++ result = CURLE_OUT_OF_MEMORY;
++ goto out;
++ }
++ }
++
+ #ifdef USE_UNIX_SOCKETS
+ if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
+ conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
+diff --git a/lib/urldata.h b/lib/urldata.h
+index cc8a600..03da59a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -984,6 +984,7 @@ struct connectdata {
+ char *passwd; /* password string, allocated */
+ char *options; /* options string, allocated */
+ char *sasl_authzid; /* authorisation identity string, allocated */
++ char *oauth_bearer; /* OAUTH2 bearer, allocated */
+ unsigned char httpversion; /* the HTTP version*10 reported by the server */
+ struct curltime now; /* "current" time */
+ struct curltime created; /* creation time */
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 03b85ba..a40ac06 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
+ return !memcmp(first->data, second->data, first->len); /* same data */
+ }
+
+-static bool safecmp(char *a, char *b)
+-{
+- if(a && b)
+- return !strcmp(a, b);
+- else if(!a && !b)
+- return TRUE; /* match */
+- return FALSE; /* no match */
+-}
+-
+
+ bool
+ Curl_ssl_config_matches(struct ssl_primary_config *data,
+@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
+ blobcmp(data->cert_blob, needle->cert_blob) &&
+ blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
+- safecmp(data->CApath, needle->CApath) &&
+- safecmp(data->CAfile, needle->CAfile) &&
+- safecmp(data->issuercert, needle->issuercert) &&
+- safecmp(data->clientcert, needle->clientcert) &&
+- safecmp(data->random_file, needle->random_file) &&
+- safecmp(data->egdsocket, needle->egdsocket) &&
++ Curl_safecmp(data->CApath, needle->CApath) &&
++ Curl_safecmp(data->CAfile, needle->CAfile) &&
++ Curl_safecmp(data->issuercert, needle->issuercert) &&
++ Curl_safecmp(data->clientcert, needle->clientcert) &&
++ Curl_safecmp(data->random_file, needle->random_file) &&
++ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
+ Curl_safe_strcasecompare(data->curves, needle->curves) &&
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
new file mode 100644
index 0000000000..f24003fd79
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
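Review bot: `Curl_safecmp()` is declared with non-const parameters in lib/strcase.c and lib/strcase.h although it only reads both strings; now that it is a shared helper the prototype should be `bool Curl_safecmp(const char *a, const char *b);` so callers holding const strings need no cast. In the ConnectionExists() hunk the new `sasl_authzid` and `oauth_bearer` comparisons sit inside the existing user/password test, so they only run on whatever branch encloses that test; the branch condition is outside the hunk, and it is worth confirming that every protocol that can carry a bearer token reaches it. A short comment there, such as `/* SASL authzid and OAuth bearer are part of the identity; never reuse a connection across them */`, would record why the extra fields are compared.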
@@ -0,0 +1,45 @@
+From f489d50ca5fd8b6a3a622e2521e2ca52787a6608 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] connect: store "conn_remote_port" in the info struct
+
+To make it available after the connection ended.
+
+Prerequisite for the patches that address CVE-2022-27774.
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839]
+Signed-off-by: Robert Joslyn
+---
+ lib/connect.c | 1 +
+ lib/urldata.h | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 64f9511..7518807 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -623,6 +623,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
+ data->info.conn_scheme = conn->handler->scheme;
+ data->info.conn_protocol = conn->handler->protocol;
+ data->info.conn_primary_port = conn->port;
++ data->info.conn_remote_port = conn->remote_port;
+ data->info.conn_local_port = local_port;
+ }
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index f92052a..5218f76 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1160,7 +1160,11 @@ struct PureInfo {
+ reused, in the connection cache. */
+
+ char conn_primary_ip[MAX_IPADR_LEN];
+- int conn_primary_port;
++ int conn_primary_port; /* this is the destination port to the connection,
++ which might have been a proxy */
++ int conn_remote_port; /* this is the "remote port", which is the port
++ number of the used URL, independent of proxy or
++ not */
+ char conn_local_ip[MAX_IPADR_LEN];
+ int conn_local_port;
+ const char *conn_scheme;
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
new file mode 100644
index 0000000000..9739634dfe
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
@@ -0,0 +1,80 @@
+From 50aebd6ea20956513e9b7d7c776830b54d9c8ff6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 25 Apr 2022 16:24:33 +0200
+Subject: [PATCH] transfer: redirects to other protocols or ports clear auth
+
+... unless explicitly permitted.
+
+Bug: https://curl.se/docs/CVE-2022-27774.html
+Reported-by: Harry Sintonen
+Closes #8748
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79]
+Signed-off-by: Robert Joslyn
+---
+ lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 1f8019b..752fe14 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1608,10 +1608,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
+ return CURLE_OUT_OF_MEMORY;
+ }
+ else {
+-
+ uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
+ if(uc)
+ return Curl_uc_to_curlcode(uc);
++
++ /* Clear auth if this redirects to a different port number or protocol,
++ unless permitted */
++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
++ char *portnum;
++ int port;
++ bool clear = FALSE;
++
++ if(data->set.use_port && data->state.allow_port)
++ /* a custom port is used */
++ port = (int)data->set.use_port;
++ else {
++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
++ CURLU_DEFAULT_PORT);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++ port = atoi(portnum);
++ free(portnum);
++ }
++ if(port != data->info.conn_remote_port) {
++ infof(data, "Clear auth, redirects to port from %u to %u",
++ data->info.conn_remote_port, port);
++ clear = TRUE;
++ }
++ else {
++ char *scheme;
++ const struct Curl_handler *p;
++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
++ if(uc) {
++ free(newurl);
++ return Curl_uc_to_curlcode(uc);
++ }
++
++ p = Curl_builtin_scheme(scheme);
++ if(p && (p->protocol != data->info.conn_protocol)) {
++ infof(data, "Clear auth, redirects scheme from %s to %s",
++ data->info.conn_scheme, scheme);
++ clear = TRUE;
++ }
++ free(scheme);
++ }
++ if(clear) {
++ Curl_safefree(data->state.aptr.user);
++ Curl_safefree(data->state.aptr.passwd);
++ }
++ }
+ }
+
+ if(type == FOLLOW_FAKE) {
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
new file mode 100644
index 0000000000..e4e8c294a6
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
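Review bot: The new port-change `infof()` call in Curl_follow() prints `data->info.conn_remote_port` and `port` with `%u`, but both are `int` (the field is declared `int conn_remote_port` in CVE-2022-27774-1.patch and `port` is a local `int`); the format should be `"Clear auth, redirects to port from %d to %d"`. `port = atoi(portnum);` also cannot report a malformed or out-of-range value; the string comes from `curl_url_get()`, which has presumably validated it already, but `strtol()` with an end-pointer check would make a bad value fail closed instead of comparing as 0. Only `aptr.user` and `aptr.passwd` are cleared on this path, so any other credential held on the handle still depends on separate checks. Curl_follow() starts and ends outside the hunk.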
@@ -0,0 +1,83 @@
+From 8af08ebf94bc6448dbc7da59845f5b78964689d9 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 25 Apr 2022 17:59:15 +0200
+Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either
+
+Follow-up to 620ea21410030
+
+Reported-by: Harry Sintonen
+Closes #8751
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08]
+Signed-off-by: Robert Joslyn
+---
+ lib/http.c | 10 +++++-----
+ lib/http.h | 6 ++++++
+ lib/vtls/openssl.c | 3 ++-
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 0791dcf..4433824 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
+ }
+
+ /*
+- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
+- * data" can (still) be sent to this host.
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
+ */
+-static bool allow_auth_to_host(struct Curl_easy *data)
++bool Curl_allow_auth_to_host(struct Curl_easy *data)
+ {
+ struct connectdata *conn = data->conn;
+ return (!data->state.this_is_a_follow ||
+@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
+
+ /* To prevent the user+password to get sent to other than the original host
+ due to a location-follow */
+- if(allow_auth_to_host(data)
++ if(Curl_allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC
+ || conn->bits.netrc
+ #endif
+@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+ checkprefix("Cookie:", compare)) &&
+ /* be careful of sending this potentially sensitive header to
+ other hosts */
+- !allow_auth_to_host(data))
++ !Curl_allow_auth_to_host(data))
+ ;
+ else {
+ #ifdef USE_HYPER
+diff --git a/lib/http.h b/lib/http.h
+index 07e963d..9000bae 100644
+--- a/lib/http.h
++++ b/lib/http.h
+@@ -320,4 +320,10 @@ Curl_http_output_auth(struct Curl_easy *data,
+ bool proxytunnel); /* TRUE if this is the request setting
+ up the proxy tunnel */
+
++/*
++ * Curl_allow_auth_to_host() tells if authentication, cookies or other
++ * "sensitive data" can (still) be sent to this host.
++ */
++bool Curl_allow_auth_to_host(struct Curl_easy *data);
++
+ #endif /* HEADER_CURL_HTTP_H */
+diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
+index 616a510..e8633f4 100644
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2893,7 +2893,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ #endif
+
+ #ifdef USE_OPENSSL_SRP
+- if(ssl_authtype == CURL_TLSAUTH_SRP) {
++ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
++ Curl_allow_auth_to_host(data)) {
+ char * const ssl_username = SSL_SET_OPTION(username);
+
+ infof(data, "Using TLS-SRP username: %s", ssl_username);
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
new file mode 100644
index 0000000000..a642336797
--- /dev/null
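Review bot: `Curl_allow_auth_to_host()` stays defined in lib/http.c but is now called from lib/vtls/openssl.c (and from lib/vtls/gtls.c in CVE-2022-27774-4.patch), so a configuration that compiles http.c out would presumably fail to link; confirm that HTTP-disabled builds still work, or move the helper into a file that is always compiled. Neither vtls hunk shows an `#include "http.h"`, so also verify that the prototype is in scope in both backends. When the check fails the SRP block is skipped with no trace; an else branch with something like `infof(data, "TLS-SRP credentials withheld on redirect");` would make that visible in verbose output.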
+++ b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
@@ -0,0 +1,35 @@
+From 56a145d6ca031841610daeebde99fbde0f8fcf21 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 26 Apr 2022 07:46:19 +0200
+Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects
+
+Follow-up to 620ea21410030 and 139a54ed0a172a
+
+Reported-by: Harry Sintonen
+Closes #8752
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c]
+Signed-off-by: Robert Joslyn
+---
+ lib/vtls/gtls.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 5749376..fe45b3a 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -437,11 +437,11 @@ gtls_connect_step1(struct Curl_easy *data,
+ }
+
+ #ifdef HAVE_GNUTLS_SRP
+- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
++ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) &&
++ Curl_allow_auth_to_host(data)) {
+ infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
+
+- rc = gnutls_srp_allocate_client_credentials(
+- &backend->srp_client_cred);
++ rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred);
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
+ gnutls_strerror(rc));
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27775.patch b/meta/recipes-support/curl/curl/CVE-2022-27775.patch
new file mode 100644
index 0000000000..666a906352
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27775.patch
@@ -0,0 +1,37 @@
+From eef2b165c39245857b1663e9153e7c4b4b519a4c Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 25 Apr 2022 11:48:00 +0200
+Subject: [PATCH] conncache: include the zone id in the "bundle" hashkey
+
+Make connections to two separate IPv6 zone ids create separate
+connections.
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27775.html
+Closes #8747
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/058f98dc3fe595f21dc26a5b9b1699e519ba5705]
+Signed-off-by: Robert Joslyn
+---
+ lib/conncache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/conncache.c b/lib/conncache.c
+index cd5756a..9b9f683 100644
+--- a/lib/conncache.c
++++ b/lib/conncache.c
+@@ -155,8 +155,12 @@ static void hashkey(struct connectdata *conn, char *buf,
+ /* report back which name we used */
+ *hostp = hostname;
+
+- /* put the number first so that the hostname gets cut off if too long */
+- msnprintf(buf, len, "%ld%s", port, hostname);
++ /* put the numbers first so that the hostname gets cut off if too long */
++#ifdef ENABLE_IPV6
++ msnprintf(buf, len, "%u/%ld/%s", conn->scope_id, port, hostname);
++#else
++ msnprintf(buf, len, "%ld/%s", port, hostname);
++#endif
+ Curl_strntolower(buf, buf, len);
+ }
+
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27776.patch b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
new file mode 100644
index 0000000000..2feee45200
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27776.patch
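Review bot: The comment above the new `msnprintf()` calls in hashkey() explains only the field order, not why the zone id is now part of the key; add something like `/* the IPv6 zone id is part of the key so connections to different zones are never pooled together */`. `conn->scope_id` is printed with `%u` and its declaration is not in this hunk, so confirm the field is `unsigned int`. The body of hashkey() starts outside the hunk.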
@@ -0,0 +1,115 @@
+From f6eba3638f9b25adfe85f3570f9a0fb2ceb09c2b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 25 Apr 2022 13:05:40 +0200
+Subject: [PATCH] http: avoid auth/cookie on redirects same host diff port
+
+CVE-2022-27776
+
+Reported-by: Harry Sintonen
+Bug: https://curl.se/docs/CVE-2022-27776.html
+Closes #8749
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6e659993952aa5f90f48864be84a1bbb047fc258]
+Signed-off-by: Robert Joslyn
+---
+ lib/http.c | 34 ++++++++++++++++++++++------------
+ lib/urldata.h | 16 +++++++++-------
+ 2 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 799d4fb..0791dcf 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
+ return CURLE_OK;
+ }
+
++/*
++ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
++ * data" can (still) be sent to this host.
++ */
++static bool allow_auth_to_host(struct Curl_easy *data)
++{
++ struct connectdata *conn = data->conn;
++ return (!data->state.this_is_a_follow ||
++ data->set.allow_auth_to_other_hosts ||
++ (data->state.first_host &&
++ strcasecompare(data->state.first_host, conn->host.name) &&
++ (data->state.first_remote_port == conn->remote_port) &&
++ (data->state.first_remote_protocol == conn->handler->protocol)));
++}
++
+ /**
+ * Curl_http_output_auth() setups the authentication headers for the
+ * host/proxy and the correct authentication
+@@ -847,17 +862,14 @@ Curl_http_output_auth(struct Curl_easy *data,
+ with it */
+ authproxy->done = TRUE;
+
+- /* To prevent the user+password to get sent to other than the original
+- host due to a location-follow, we do some weirdo checks here */
+- if(!data->state.this_is_a_follow ||
++ /* To prevent the user+password to get sent to other than the original host
++ due to a location-follow */
++ if(allow_auth_to_host(data)
+ #ifndef CURL_DISABLE_NETRC
+- conn->bits.netrc ||
++ || conn->bits.netrc
+ #endif
+- !data->state.first_host ||
+- data->set.allow_auth_to_other_hosts ||
+- strcasecompare(data->state.first_host, conn->host.name)) {
++ )
+ result = output_auth_headers(data, conn, authhost, request, path, FALSE);
+- }
+ else
+ authhost->done = TRUE;
+
+@@ -1905,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
+ checkprefix("Cookie:", compare)) &&
+ /* be careful of sending this potentially sensitive header to
+ other hosts */
+- (data->state.this_is_a_follow &&
+- data->state.first_host &&
+- !data->set.allow_auth_to_other_hosts &&
+- !strcasecompare(data->state.first_host, conn->host.name)))
++ !allow_auth_to_host(data))
+ ;
+ else {
+ #ifdef USE_HYPER
+@@ -2084,6 +2093,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
+ return CURLE_OUT_OF_MEMORY;
+
+ data->state.first_remote_port = conn->remote_port;
++ data->state.first_remote_protocol = conn->handler->protocol;
+ }
+ Curl_safefree(data->state.aptr.host);
+
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 03da59a..f92052a 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1329,14 +1329,16 @@ struct UrlState {
+ char *ulbuf; /* allocated upload buffer or NULL */
+ curl_off_t current_speed; /* the ProgressShow() function sets this,
+ bytes / second */
+- char *first_host; /* host name of the first (not followed) request.
+- if set, this should be the host name that we will
+- sent authorization to, no else. Used to make Location:
+- following not keep sending user+password... This is
+- strdup() data.
+- */
++
++ /* host name, port number and protocol of the first (not followed) request.
++ if set, this should be the host name that we will sent authorization to,
++ no else. Used to make Location: following not keep sending user+password.
++ This is strdup()ed data. */
++ char *first_host;
++ int first_remote_port;
++ unsigned int first_remote_protocol;
++
+ int retrycount; /* number of retries on a new connection */
+- int first_remote_port; /* remote port of the first (not followed) request */
+ struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
+ long sessionage; /* number of the most recent session */
+ struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27779.patch b/meta/recipes-support/curl/curl/CVE-2022-27779.patch
new file mode 100644
index 0000000000..235be900a3
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27779.patch
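Review bot: In Curl_http_output_auth() the `|| conn->bits.netrc` term is kept outside `allow_auth_to_host()`, so credentials that came from netrc are still sent on a followed request even when the port or protocol differs from the first request. That may be intended if the netrc lookup is redone for the current host, which this hunk does not show; either way it deserves a comment such as `/* netrc credentials are looked up for the current host, so they bypass the first-host check */` or a confirmation that the port and protocol comparison is not needed there. The new helper also requires `first_host` to be set, whereas the removed condition allowed auth when it was NULL, so confirm that `first_host` is always populated before a follow. In lib/urldata.h the merged comment ends with "This is strdup()ed data" but now heads three fields, of which only `first_host` is a string.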
@@ -0,0 +1,42 @@
+From 33dac5777fe5f9c8d2d7d340144b1685cd511d11 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 9 May 2022 16:47:06 +0200
+Subject: [PATCH] cookies: make bad_domain() not consider a trailing dot fine
+
+The check for a dot in the domain must not consider a single trailing
+dot to be fine, as then TLD + trailing dot is fine and curl will accept
+setting cookies for it.
+
+CVE-2022-27779
+
+Reported-by: Axel Chong
+Bug: https://curl.se/docs/CVE-2022-27779.html
+Closes #8820
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/7e92d12b4e6911f424678a133b19de670e183a59]
+Signed-off-by: Robert Joslyn
+---
+ lib/cookie.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/lib/cookie.c b/lib/cookie.c
+index d418efa..1b8c8f9 100644
+--- a/lib/cookie.c
++++ b/lib/cookie.c
+@@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies)
+ /* Make sure domain contains a dot or is localhost. */
+ static bool bad_domain(const char *domain)
+ {
+- return !strchr(domain, '.') && !strcasecompare(domain, "localhost");
++ if(strcasecompare(domain, "localhost"))
++ return FALSE;
++ else {
++ /* there must be a dot present, but that dot must not be a trailing dot */
++ char *dot = strchr(domain, '.');
++ if(dot)
++ return dot[1] ? FALSE : TRUE;
++ }
++ return TRUE;
+ }
+
+ /*
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27780.patch b/meta/recipes-support/curl/curl/CVE-2022-27780.patch
new file mode 100644
index 0000000000..8820af3f74
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27780.patch
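Review bot: `bad_domain()` takes `const char *domain` but stores the `strchr()` result in a plain `char *dot`, which drops the qualifier; declare it `const char *dot = strchr(domain, '.');`. Only the first dot is inspected, so a name whose first dot is immediately followed by another dot is still accepted; whether such a value can reach this function depends on validation outside the hunk and should be confirmed. The else ladder after the localhost test can be reduced to `return !(dot && dot[1]);`, which reads closer to the comment.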
@@ -0,0 +1,33 @@
+From 304b7acf73712fa501119b1ca0724f71f3074fe7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 9 May 2022 08:19:38 +0200
+Subject: [PATCH] urlapi: reject percent-decoding host name into separator
+ bytes
+
+CVE-2022-27780
+
+Reported-by: Axel Chong
+Bug: https://curl.se/docs/CVE-2022-27780.html
+Closes #8826
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/914aaab9153764ef8fa4178215b8ad89d3ac263a]
+Signed-off-by: Robert Joslyn
+---
+ lib/urlapi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/urlapi.c b/lib/urlapi.c
+index ff00ee4..00222fc 100644
+--- a/lib/urlapi.c
++++ b/lib/urlapi.c
+@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
+ #endif
+ }
+ else {
+- /* letters from the second string is not ok */
+- len = strcspn(hostname, " \r\n");
++ /* letters from the second string are not ok */
++ len = strcspn(hostname, " \r\n\t/:#?!@");
+ if(hlen != len)
+ /* hostname with bad content */
+ return CURLUE_BAD_HOSTNAME;
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27781.patch b/meta/recipes-support/curl/curl/CVE-2022-27781.patch
new file mode 100644
index 0000000000..52f39a0cc5
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27781.patch
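Review bot: The `strcspn()` reject set in hostname_check() is a deny-list, so every byte not named in it still passes, including the remaining control characters and the backslash; the commit subject says the concern is bytes produced by percent-decoding, and those can take any value. Consider accepting only the characters a host name may legally contain, or at least rejecting all bytes below 0x20, and state the intent in the comment, for example `/* reject bytes that act as URL separators or whitespace once decoded */`. hostname_check() starts and ends outside the hunk.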
@@ -0,0 +1,43 @@
+From 5bb5b2a901db4c6441fc451f21408be2a9463058 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Mon, 9 May 2022 10:07:15 +0200
+Subject: [PATCH] nss: return error if seemingly stuck in a cert loop
+
+CVE-2022-27781
+
+Reported-by: Florian Kohnhäuser
+Bug: https://curl.se/docs/CVE-2022-27781.html
+Closes #8822
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917]
+Signed-off-by: Robert Joslyn
+---
+ lib/vtls/nss.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 558e3be..52f2060 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data,
+ PR_Free(common_name);
+ }
+
++/* A number of certs that will never occur in a real server handshake */
++#define TOO_MANY_CERTS 300
++
+ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
+ {
+ CURLcode result = CURLE_OK;
+@@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
+ cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
+ while(cert2) {
+ i++;
++ if(i >= TOO_MANY_CERTS) {
++ CERT_DestroyCertificate(cert2);
++ failf(data, "certificate loop");
++ return CURLE_SSL_CERTPROBLEM;
++ }
+ if(cert2->isRoot) {
+ CERT_DestroyCertificate(cert2);
+ break;
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
new file mode 100644
index 0000000000..ce2599be81
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
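Review bot: The new early return in display_conn_info() destroys `cert2` but not `cert`, which is still live as the argument to `CERT_FindCertIssuer()` just above; if `cert` is a reference acquired earlier in the function (outside this hunk), this path leaks it and `CERT_DestroyCertificate(cert);` belongs before the `return`. The limit is tested with `>=` right after `i++`, and the initial value of `i` is not visible here, so the comment on `TOO_MANY_CERTS` should say whether 300 is the first rejected chain length or the last accepted one. The function body continues outside the hunk.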
@@ -0,0 +1,458 @@ +From acee9eb38639b35af9047521d71333423657de0d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH] tls: check more TLS details for connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] +Signed-off-by: Robert Joslyn +--- + lib/setopt.c | 29 +++++++++++++++++------------ + lib/url.c | 23 ++++++++++++++++------- + lib/urldata.h | 13 +++++++------ + lib/vtls/gtls.c | 32 +++++++++++++++++--------------- + lib/vtls/mbedtls.c | 2 +- + lib/vtls/nss.c | 6 +++--- + lib/vtls/openssl.c | 10 +++++----- + lib/vtls/vtls.c | 21 +++++++++++++++++++++ + 8 files changed, 87 insertions(+), 49 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 8e1bf12..7aa6fdb 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + + case CURLOPT_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); + data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); + data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); +@@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case 
CURLOPT_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to ++ SRP */ + break; + #endif + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + #endif + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.ssl.primary.authtype = 
CURL_TLSAUTH_SRP; + else +- data->set.ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #endif + #endif +diff --git a/lib/url.c b/lib/url.c +index 94e3406..5ebf5e2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + set->ssl.primary.verifypeer = TRUE; + set->ssl.primary.verifyhost = TRUE; + #ifdef USE_TLS_SRP +- set->ssl.authtype = CURL_TLSAUTH_NONE; ++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; + #endif + set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth + type */ +@@ -1758,11 +1758,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) + conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; + conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; + conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; ++ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #ifndef CURL_DISABLE_PROXY + conn->proxy_ssl_config.verifystatus = + data->set.proxy_ssl.primary.verifystatus; + conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; + conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; ++ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; ++#ifdef USE_TLS_SRP ++#endif + #endif + conn->ip_version = data->set.ipver; + conn->bits.connect_only = data->set.connect_only; +@@ -3848,7 +3854,8 @@ static CURLcode create_conn(struct Curl_easy *data, + 
data->set.str[STRING_SSL_ISSUERCERT_PROXY]; + data->set.proxy_ssl.primary.issuercert_blob = + data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; +- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; ++ data->set.proxy_ssl.primary.CRLfile = ++ data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; + data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; + data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; +@@ -3856,18 +3863,20 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; + data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; + #endif +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; ++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; + data->set.ssl.key = data->set.str[STRING_KEY]; + data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; + data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; + data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; ++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; ++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + #ifndef CURL_DISABLE_PROXY +- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; ++ data->set.proxy_ssl.primary.username = ++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; ++ data->set.proxy_ssl.primary.password = ++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + #endif + data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; +diff --git a/lib/urldata.h b/lib/urldata.h +index 5218f76..e006495 100644 +--- 
a/lib/urldata.h ++++ b/lib/urldata.h +@@ -253,10 +253,17 @@ struct ssl_primary_config { + char *cipher_list; /* list of ciphers to use */ + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; ++ char *CRLfile; /* CRL to check certificate revocation */ + struct curl_blob *cert_blob; + struct curl_blob *ca_info_blob; + struct curl_blob *issuercert_blob; ++#ifdef USE_TLS_SRP ++ char *username; /* TLS username (for, e.g., SRP) */ ++ char *password; /* TLS password (for, e.g., SRP) */ ++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ ++#endif + char *curves; /* list of curves to use */ ++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ + BIT(verifystatus); /* set TRUE if certificate status must be checked */ +@@ -266,7 +273,6 @@ struct ssl_primary_config { + struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ +- char *CRLfile; /* CRL to check certificate revocation */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert_type; /* format for certificate (default: PEM)*/ +@@ -274,11 +280,6 @@ struct ssl_config_data { + struct curl_blob *key_blob; + char *key_type; /* format for private key (default: PEM) */ + char *key_passwd; /* plain text private key password */ +-#ifdef USE_TLS_SRP +- char *username; /* TLS username (for, e.g., SRP) */ +- char *password; /* TLS password (for, e.g., SRP) */ +- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +-#endif + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); + BIT(enable_beast); /* allow this flaw for interoperability's sake*/ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index fe45b3a..3c31782 100644 +--- a/lib/vtls/gtls.c ++++ 
b/lib/vtls/gtls.c +@@ -437,9 +437,10 @@ gtls_connect_step1(struct Curl_easy *data, + } + + #ifdef HAVE_GNUTLS_SRP +- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && ++ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); ++ infof(data, "Using TLS-SRP username: %s", ++ SSL_SET_OPTION(primary.username)); + + rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -449,8 +450,8 @@ gtls_connect_step1(struct Curl_easy *data, + } + + rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, +- SSL_SET_OPTION(username), +- SSL_SET_OPTION(password)); ++ SSL_SET_OPTION(primary.username), ++ SSL_SET_OPTION(primary.password)); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_set_client_cred() failed: %s", + gnutls_strerror(rc)); +@@ -507,19 +508,19 @@ gtls_connect_step1(struct Curl_easy *data, + } + #endif + +- if(SSL_SET_OPTION(CRLfile)) { ++ if(SSL_SET_OPTION(primary.CRLfile)) { + /* set the CRL list file */ + rc = gnutls_certificate_set_x509_crl_file(backend->cred, +- SSL_SET_OPTION(CRLfile), ++ SSL_SET_OPTION(primary.CRLfile), + GNUTLS_X509_FMT_PEM); + if(rc < 0) { + failf(data, "error reading crl file %s (%s)", +- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); ++ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); + return CURLE_SSL_CRL_BADFILE; + } + else + infof(data, "found %d CRL in %s", +- rc, SSL_SET_OPTION(CRLfile)); ++ rc, SSL_SET_OPTION(primary.CRLfile)); + } + + /* Initialize TLS session as a client */ +@@ -590,7 +591,7 @@ gtls_connect_step1(struct Curl_easy *data, + #ifdef HAVE_GNUTLS_SRP + /* Only add SRP to the cipher list if SRP is requested. Otherwise + * GnuTLS will disable TLS 1.3 support. 
*/ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + size_t len = strlen(prioritylist); + + char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); +@@ -685,7 +686,7 @@ gtls_connect_step1(struct Curl_easy *data, + + #ifdef HAVE_GNUTLS_SRP + /* put the credentials to the current session */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, + backend->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -867,8 +868,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + SSL_CONN_CONFIG(verifyhost) || + SSL_CONN_CONFIG(issuercert)) { + #ifdef HAVE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) + && !SSL_CONN_CONFIG(verifypeer) + && gnutls_cipher_get(session)) { + /* no peer cert, but auth is ok if we have SRP user and cipher and no +@@ -926,7 +927,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, + failf(data, "server certificate verification failed. CAfile: %s " + "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): + "none", +- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); ++ SSL_SET_OPTION(primary.CRLfile) ? 
++ SSL_SET_OPTION(primary.CRLfile) : "none"); + return CURLE_PEER_FAILED_VERIFICATION; + } + else +@@ -1556,8 +1558,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, + gnutls_certificate_free_credentials(backend->cred); + + #ifdef HAVE_GNUTLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL) ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL) + gnutls_srp_free_client_credentials(backend->srp_client_cred); + #endif + +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index b9fd26a..bd4ad8f 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + const char * const hostname = SSL_HOST_NAME(); + #ifndef CURL_DISABLE_VERBOSE_STRINGS + const long int port = SSL_HOST_PORT(); +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 52f2060..959e23e 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -2035,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, + } + } + +- if(SSL_SET_OPTION(CRLfile)) { +- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); ++ if(SSL_SET_OPTION(primary.CRLfile)) { ++ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); + if(rv) { + result = rv; + goto error; + } +- infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); ++ infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); + } + + if(SSL_SET_OPTION(primary.clientcert)) { +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index e8633f4..d98bbcb 100644 +--- a/lib/vtls/openssl.c ++++ 
b/lib/vtls/openssl.c +@@ -2632,7 +2632,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #endif + const long int ssl_version = SSL_CONN_CONFIG(version); + #ifdef USE_OPENSSL_SRP +- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); ++ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); + #endif + char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); + const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); +@@ -2643,7 +2643,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + char error_buffer[256]; + struct ssl_backend_data *backend = connssl->backend; + bool imported_native_ca = false; +@@ -2895,15 +2895,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, + #ifdef USE_OPENSSL_SRP + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- char * const ssl_username = SSL_SET_OPTION(username); +- ++ char * const ssl_username = SSL_SET_OPTION(primary.username); ++ char * const ssl_password = SSL_SET_OPTION(primary.password); + infof(data, "Using TLS-SRP username: %s", ssl_username); + + if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { ++ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index a40ac06..e2d3438 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + { 
+ if((data->version == needle->version) && + (data->version_max == needle->version_max) && ++ (data->ssl_options == needle->ssl_options) && + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && +@@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && ++#ifdef USE_TLS_SRP ++ Curl_safecmp(data->username, needle->username) && ++ Curl_safecmp(data->password, needle->password) && ++ (data->authtype == needle->authtype) && ++#endif + Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && + Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && + Curl_safe_strcasecompare(data->curves, needle->curves) && ++ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && + Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + return TRUE; + +@@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + dest->verifyhost = source->verifyhost; + dest->verifystatus = source->verifystatus; + dest->sessionid = source->sessionid; ++ dest->ssl_options = source->ssl_options; ++#ifdef USE_TLS_SRP ++ dest->authtype = source->authtype; ++#endif + + CLONE_BLOB(cert_blob); + CLONE_BLOB(ca_info_blob); +@@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, + CLONE_STRING(cipher_list13); + CLONE_STRING(pinned_key); + CLONE_STRING(curves); ++ CLONE_STRING(CRLfile); ++#ifdef USE_TLS_SRP ++ CLONE_STRING(username); ++ CLONE_STRING(password); ++#endif + + return TRUE; + } +@@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) + Curl_safefree(sslc->ca_info_blob); + Curl_safefree(sslc->issuercert_blob); + Curl_safefree(sslc->curves); ++ Curl_safefree(sslc->CRLfile); ++#ifdef USE_TLS_SRP ++ 
Curl_safefree(sslc->username); ++ Curl_safefree(sslc->password); ++#endif + } + + #ifdef USE_SSL diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch new file mode 100644 index 0000000000..74fa7f85a9 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch 
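Review bot: In `Curl_ssl_config_matches` the new `CRLfile` term is compared with `Curl_safe_strcasecompare`, while the other file-name fields visible in the same condition (`clientcert`, `random_file`, `egdsocket`) use `Curl_safecmp`. On a case-sensitive filesystem two CRL paths that differ only in case name different files, so a connection set up with one revocation list could be treated as matching a request that asked for another; `Curl_safecmp(data->CRLfile, needle->CRLfile) &&` would keep the comparison exact. Separately, the two `#ifdef USE_TLS_SRP` / `#endif` pairs added to `allocate_conn` are empty and could be dropped or given a comment saying why they are placeholders. Both functions extend outside the hunks shown, and because the patch is marked as a backport any change is best raised upstream first.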
@@ -0,0 +1,71 @@ +From 782a5e8e5b0271f8cb33eeef6a3819b0149093e0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH] url: check SSH config match on connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5] +Signed-off-by: Robert Joslyn +--- + lib/url.c | 11 +++++++++++ + lib/vssh/ssh.h | 6 +++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 5ebf5e2..c713e54 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data) + } + } + ++static bool ssh_config_matches(struct connectdata *one, ++ struct connectdata *two) ++{ ++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && ++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); ++} + /* + * Given one filled in connection struct (named needle), this function should + * detect if there already is one that has all the significant details +@@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data, + (data->state.httpwant < CURL_HTTP_VERSION_2_0)) + continue; + ++ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) ++ continue; ++ } ++ + if((needle->handler->flags&PROTOPT_SSL) + #ifndef CURL_DISABLE_PROXY + || !needle->bits.httpproxy || needle->bits.tunnel_proxy +diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h +index 7972081..30d82e5 100644 +--- a/lib/vssh/ssh.h ++++ b/lib/vssh/ssh.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. 
The terms +@@ -131,8 +131,8 @@ struct ssh_conn { + + /* common */ + const char *passphrase; /* pass-phrase to use */ +- char *rsa_pub; /* path name */ +- char *rsa; /* path name */ ++ char *rsa_pub; /* strdup'ed public key file */ ++ char *rsa; /* strdup'ed private key file */ + bool authed; /* the connection has been authenticated fine */ + bool acceptfail; /* used by the SFTP_QUOTE (continue if + quote command fails) */ diff --git a/meta/recipes-support/curl/curl/CVE-2022-30115.patch b/meta/recipes-support/curl/curl/CVE-2022-30115.patch new file mode 100644 index 0000000000..96839cf204 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-30115.patch 
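Review bot: `ssh_config_matches` is added to `lib/url.c` without a comment, and it compares only the `rsa` and `rsa_pub` strings, which the `ssh.h` hunk documents as strdup'ed key file names. A reader of `ConnectionExists` cannot tell whether leaving out `passphrase` (the neighbouring field in `struct ssh_conn`) and any other SSH settings is deliberate. I would add above the function `/* SSH connections are only reused when both key file names match exactly; this compares the path strings, not the key contents */` and name there the fields that are intentionally not part of the match. The helper also sits directly against the following comment block with no blank line in between.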
@@ -0,0 +1,82 @@ +From 8313ef3f507b5bdc54e985cae71aa9df00609d55 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 08:13:55 +0200 +Subject: [PATCH] hsts: ignore trailing dots when comparing hosts names + +CVE-2022-30115 + +Reported-by: Axel Chong +Bug: https://curl.se/docs/CVE-2022-30115.html +Closes #8821 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/fae6fea209a2d4db1582f608bd8cc8000721733a] +Signed-off-by: Robert Joslyn +--- + lib/hsts.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 deletions(-) + +diff --git a/lib/hsts.c b/lib/hsts.c +index 03fcc9e..b9fa6f7 100644 +--- a/lib/hsts.c ++++ b/lib/hsts.c +@@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h, + curl_off_t expires) + { + struct stsentry *sts = hsts_entry(); ++ char *duphost; ++ size_t hlen; + if(!sts) + return CURLE_OUT_OF_MEMORY; + +- sts->expires = expires; +- sts->includeSubDomains = subdomains; +- sts->host = strdup(hostname); +- if(!sts->host) { ++ duphost = strdup(hostname); ++ if(!duphost) { + free(sts); + return CURLE_OUT_OF_MEMORY; + } ++ ++ hlen = strlen(duphost); ++ if(duphost[hlen - 1] == '.') ++ /* strip off trailing any dot */ ++ duphost[--hlen] = 0; ++ ++ sts->host = duphost; ++ sts->expires = expires; ++ sts->includeSubDomains = subdomains; + Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node); + return CURLE_OK; + } +@@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname, + bool subdomain) + { + if(h) { ++ char buffer[MAX_HSTS_HOSTLEN + 1]; + time_t now = time(NULL); + size_t hlen = strlen(hostname); + struct Curl_llist_element *e; + struct Curl_llist_element *n; ++ ++ if((hlen > MAX_HSTS_HOSTLEN) || !hlen) ++ return NULL; ++ memcpy(buffer, hostname, hlen); ++ if(hostname[hlen-1] == '.') ++ /* remove the trailing dot */ ++ --hlen; ++ buffer[hlen] = 0; ++ hostname = buffer; ++ + for(e = h->list.head; e; e = n) { + struct stsentry *sts = e->ptr; + n = e->next; +@@ 
-440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h) + CURLSTScode sc; + DEBUGASSERT(h); + do { +- char buffer[257]; ++ char buffer[MAX_HSTS_HOSTLEN + 1]; + struct curl_hstsentry e; + e.name = buffer; + e.namelen = sizeof(buffer)-1; diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb index 23bd7eaa52..ba3fd11820 100644 --- a/meta/recipes-support/curl/curl_7.82.0.bb +++ b/meta/recipes-support/curl/curl_7.82.0.bb @@ -9,7 +9,21 @@ SECTION = "console/network" LICENSE = "MIT-open-group" LIC_FILES_CHKSUM = "file://COPYING;md5=190c514872597083303371684954f238" -SRC_URI = "https://curl.se/download/${BP}.tar.xz" +SRC_URI = "https://curl.se/download/${BP}.tar.xz \ + file://CVE-2022-22576.patch \ + file://CVE-2022-27775.patch \ + file://CVE-2022-27776.patch \ + file://CVE-2022-27774-1.patch \ + file://CVE-2022-27774-2.patch \ + file://CVE-2022-27774-3.patch \ + file://CVE-2022-27774-4.patch \ + file://CVE-2022-30115.patch \ + file://CVE-2022-27780.patch \ + file://CVE-2022-27781.patch \ + file://CVE-2022-27779.patch \ + file://CVE-2022-27782-1.patch \ + file://CVE-2022-27782-2.patch \ + " SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c" # Curl has used many names over the years... From patchwork Mon May 23 13:59:41 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 14231 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org From: "Steve Sakoman" Subject: [OE-core][kirkstone 2/9] cve-check: Fix report generation Date: Mon, 23 May 2022 03:59:41 -1000 Message-Id: <2fcc696e27d7f8c70ba60f5c7de8c48030a938d3.1653313955.git.steve@sakoman.com> In-Reply-To: References: MIME-Version: 1.0 List-id: To: openembedded-core@lists.openembedded.org 
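Review bot: In `hsts_create` (CVE-2022-30115 backport) the new trailing-dot check reads `duphost[hlen - 1]` without first checking that `hlen` is non-zero, so an empty `hostname` makes the index wrap and the read lands outside the `strdup` buffer. `Curl_hsts` in the same patch already rejects `!hlen` before its equivalent test; here `if(hlen && duphost[hlen - 1] == '.')` would give the same protection. Whether callers can pass an empty name is not visible in this hunk, but the name may originate outside the library (the `hsts_pull` hunk fills it through a `curl_hstsentry`), so the guard is inexpensive. The comment `/* strip off trailing any dot */` also reads better as `/* strip off any trailing dot */`.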
From: Marta Rybczynska The addition of summary output caused two issues: error when building an image and the fact that JSON output was generated even when CVE_CHECK_FORMAT_JSON. When generating an image it caused an error like: ERROR: core-image-minimal-1.0-r0 do_rootfs: Error executing a python function in exec_func_python() autogenerated: The stack trace of python calls that resulted in this exception/failure was: File: 'exec_func_python() autogenerated', lineno: 2, function: 0001: *** 0002:cve_check_write_rootfs_manifest(d) 0003: File: '/home/alexk/poky/meta/classes/cve-check.bbclass', lineno: 213, function: cve_check_write_rootfs_manifest 0209: 0210: link_path = os.path.join(deploy_dir, "%s.json" % link_name) 0211: manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON") 0212: bb.note("Generating JSON CVE manifest") *** 0213: generate_json_report(json_summary_name, json_summary_link_name) 0214: bb.plain("Image CVE JSON report stored in: %s" % link_path) 0215:} 0216: 0217:ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" Exception: NameError: name 'json_summary_name' is not defined The fix is to pass the d variable to the pure python function generate_json_report to get correct values of variables and add conditions for the JSON output where needed. In addition clarify the message presenting the summary JSON file, which isn't related to an image. Uses partial fixes from Alex Kiernan, Ernst Sjöstrand (ernstp), and Davide Gardenal. Fixes: f2987891d315 ("cve-check: add JSON format to summary output") Signed-off-by: Marta Rybczynska Signed-off-by: Richard Purdie (cherry picked from commit 9015dec93233c7d45fd0c9885ff5d4ec23ad377d) Signed-off-by: Steve Sakoman --- meta/classes/cve-check.bbclass | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 24ddb865ea..7cd98ae462 100644 
--- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -79,7 +79,7 @@ CVE_CHECK_LAYER_INCLUDELIST ??= "" # set to "alphabetical" for version using single alphabetical character as increment release CVE_VERSION_SUFFIX ??= "" -def generate_json_report(out_path, link_path): +def generate_json_report(d, out_path, link_path): if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")): import json from oe.cve_check import cve_check_merge_jsons @@ -127,10 +127,11 @@ python cve_save_summary_handler () { os.remove(cvefile_link) os.symlink(os.path.basename(cve_summary_file), cvefile_link) + if d.getVar("CVE_CHECK_FORMAT_JSON") == "1": json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON")) json_summary_name = os.path.join(cvelogpath, "%s-%s.json" % (cve_summary_name, timestamp)) - generate_json_report(json_summary_name, json_summary_link_name) - bb.plain("CVE report summary created at: %s" % json_summary_link_name) + generate_json_report(d, json_summary_name, json_summary_link_name) + bb.plain("Complete CVE JSON report summary created at: %s" % json_summary_link_name) } addhandler cve_save_summary_handler 
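Review bot: `generate_json_report` now takes the datastore `d` as its first argument but still has no docstring, and its first visible line only proceeds when the path in `CVE_CHECK_SUMMARY_INDEX_PATH` exists. For a CVE report that matters, because a JSON file that was never written can be read as "nothing found". I would add a docstring along the lines of `"""Write the merged JSON CVE report to out_path and point link_path at it; nothing is written when the summary index file is absent."""` (wording to be confirmed against the body, which continues outside the hunk) and consider a `bb.note` on the skipped path. The same `d.getVar("CVE_CHECK_FORMAT_JSON") == "1"` test is repeated in `cve_save_summary_handler` and `cve_check_write_rootfs_manifest`, where a silent skip has the same effect.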
@@ -207,11 +208,12 @@ python cve_check_write_rootfs_manifest () { os.symlink(os.path.basename(manifest_name), manifest_link) bb.plain("Image CVE report stored in: %s" % manifest_name) - link_path = os.path.join(deploy_dir, "%s.json" % link_name) - manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON") - bb.note("Generating JSON CVE manifest") - generate_json_report(json_summary_name, json_summary_link_name) - bb.plain("Image CVE JSON report stored in: %s" % link_path) + if d.getVar("CVE_CHECK_FORMAT_JSON") == "1": + link_path = os.path.join(deploy_dir, "%s.json" % link_name) + manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON") + bb.note("Generating JSON CVE manifest") + generate_json_report(d, manifest_path, link_path) + bb.plain("Image CVE JSON report stored in: %s" % link_path) } ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" From patchwork Mon May 23 13:59:42 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8390 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id ED78DC433F5 for ; Mon, 23 May 2022 14:00:24 +0000 (UTC) Received: from mail-pg1-f182.google.com (mail-pg1-f182.google.com [209.85.215.182]) by mx.groups.io with SMTP id smtpd.web12.27901.1653314421269082582 for ; Mon, 23 May 2022 07:00:21 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=Hp7ExQBH; spf=softfail (domain: sakoman.com, ip: 209.85.215.182, mailfrom: steve@sakoman.com) Received: by mail-pg1-f182.google.com with SMTP id g184so13772795pgc.1 for ; Mon, 23 May 2022 07:00:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; 
c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=jAZaNgVqtN0iUeCSfveAUf/MTVG880buJ1GgedkJCuo=; b=Hp7ExQBHB4KdPb7rd1UIaGQt75ZYpOmNO+ykGHPaecWwhcqgfdhLMAsRfu9HEtO8VJ X0aAa/nT3/7CpMfzAqOOpamrz4E4pR4iAiiwltb36i35r/+iNTZMC1ICpP1XLI7+He45 qzpxFHw48NFtvSlORp/6gJLV8f8gtvL4r73ixyLDtrQ7mFEQqTL5szei1UAaNsDXdqf/ 73PVzFnWPbGx3CkMv7YouCT5n+2ztBB/M1xRSJpdn/0qD6hrdpf5WuPOxFOpLBzqAEo0 EZha+781Td4hOLEqpH1lq0j+sBzgUlJJKePRKO78XDV3rfqCYaHwPXeHCTG00lq+tjGU 3jpg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=jAZaNgVqtN0iUeCSfveAUf/MTVG880buJ1GgedkJCuo=; b=z3tjQBZRLg5LbOecteOSErGKwwEA2GuhZ44j8+Cse+2uASJdrkeJuT/CCROrywFQ6b Bs7owt5HoZ/JVVX+2qqaFN05VQMeVdqknE5t2WLYTVxuAEclPpgiYDzTSJRqrzaR2rU0 JEafoaumO3eTnMos8fEa//h+oZExUXeR8Xui0ww5gC3Q7Pl3raxOUccRcz9EvIhTU/P9 42vuvEHJ7grnwY8HamLGi1p79NR1g8BtTnyePcI1/eYCXLh8X2v4BdaiGCOdDOncSdhm 0p0nhz7FGq1qNqccRkwvJWYsnb5liPY0NHHQIE9diX4Rtvrguq/0JZx6k6eremIDztfP jy5g== X-Gm-Message-State: AOAM532k5voxs7XcW7M4Ec0+nkceGVYCOaOBFyvnrY2SdWvAGb3L/ISY afbVB31Q73kBYnlqmsisj60gPIS0RAw4yzcp X-Google-Smtp-Source: ABdhPJwAUQLHgR7koSu5fBVwmDyqVBQA+yRPml82qPV1ZHqtv/+TZLQdHiVAYDN01hXPzz+9HNZ1CQ== X-Received: by 2002:a05:6a00:1385:b0:50a:9768:9eca with SMTP id t5-20020a056a00138500b0050a97689ecamr23831204pfg.43.1653314419870; Mon, 23 May 2022 07:00:19 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. [72.253.6.214]) by smtp.gmail.com with ESMTPSA id m10-20020a637d4a000000b003c14af505fcsm4778952pgn.20.2022.05.23.07.00.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 May 2022 07:00:18 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 3/9] python3: fix reproducibility issue with python3-core Date: Mon, 23 May 2022 03:59:42 -1000 Message-Id: <00b62965bd4c9eb6fd8c016f83126da2a107a5c5.1653313955.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 May 2022 14:00:24 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166026 traceback.cpython-310.pyc is non-deterministic due to 'frozenset' being written without strict ordering. For now let's just not install the problematic file. Signed-off-by: Steve Sakoman Signed-off-by: Luca Ceresoli Signed-off-by: Richard Purdie (cherry picked from commit 4b1f0f7542abcb8606688c974695a6c8a142e7a2) Signed-off-by: Steve Sakoman --- meta/recipes-devtools/python/python3_3.10.4.bb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/meta/recipes-devtools/python/python3_3.10.4.bb b/meta/recipes-devtools/python/python3_3.10.4.bb index d678d55083..2ef320350e 100644 --- a/meta/recipes-devtools/python/python3_3.10.4.bb +++ b/meta/recipes-devtools/python/python3_3.10.4.bb 
@@ -193,6 +193,11 @@ do_install:append() { rm -f ${D}${libdir}/python${PYTHON_MAJMIN}/test/__pycache__/test_range.cpython* rm -f ${D}${libdir}/python${PYTHON_MAJMIN}/test/__pycache__/test_xml_etree.cpython* + # Similar to the above, we're getting reproducibility issues with + # /usr/lib/python3.10/__pycache__/traceback.cpython-310.pyc + # so remove it too + rm -f ${D}${libdir}/python${PYTHON_MAJMIN}/__pycache__/traceback.cpython* + # Remove the opt-1.pyc and opt-2.pyc files. They effectively waste space on embedded # style targets as they're only used when python is called with the -O or -OO options # which is rare. From patchwork Mon May 23 13:59:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8393 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F1EEFC433EF for ; Mon, 23 May 2022 14:00:34 +0000 (UTC) Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com [209.85.216.47]) by mx.groups.io with SMTP id smtpd.web12.27905.1653314425367897309 for ; Mon, 23 May 2022 07:00:25 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=itVYlZSA; spf=softfail (domain: sakoman.com, ip: 209.85.216.47, mailfrom: steve@sakoman.com) Received: by mail-pj1-f47.google.com with SMTP id pq9-20020a17090b3d8900b001df622bf81dso13789808pjb.3 for ; Mon, 23 May 2022 07:00:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=pUVBadfkcXIoKWzcqkFKj9SM8mfHlKOLwAOPSwoHxA0=; b=itVYlZSAYv4L0vPtJlRsUGIv5II4PxjKJVNI63H9ix8Zb0skN8xyNiQGCeMzJT8tHn 
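Review bot: The comment added above the new `rm -f` names the file but not the cause, and it hard-codes `/usr/lib/python3.10/` while the command itself uses `${libdir}` and `${PYTHON_MAJMIN}`, so it goes stale on the next version bump. The commit message has the useful part (the .pyc is non-deterministic because a frozenset is written without strict ordering, and not installing it is a stop-gap), so I would carry that into the recipe: `# traceback.cpython-*.pyc is not reproducible (frozenset written without strict ordering); drop this rm once that is fixed`. do_install:append() starts and ends outside the hunk.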
W5lGSKyAFPo4folXeq2+3SF35vUTtJ43FrJkzg2uSqrp46enH9Me8IyZfJNgrJyHgI/I KY4W5/J4S0iFCeGojbivR/vj7poeW/d7qC+hoQEi9qvHwMXQELwkdIvCHsWMoeHdOtAS lADVr1NMpodaMh5bYndmJHhb0RcidpNePn4rO0gVHf20iNwQbt4dGpqTA1GYAi310S1D M/RGd7hCfZR+o7V3yiQ/9v0q+gSFC4oEiM7NLBVYCrxUDMZIsDa1IMVAzinGVe9R6wfa v6YA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=pUVBadfkcXIoKWzcqkFKj9SM8mfHlKOLwAOPSwoHxA0=; b=bpfYpMT3kRwG6i6Wy0mjUaXt08l4Us6HYGyYffceZ7H2l53NQjVDN3/2hIZ5BQ5t6c scIwrt+2BMJDKqXaixhKluPhokgT/1mc4tG59+d+0oQf7ifuUkkaSN//Du+LyYEPS/Ct fkVkNFCEeIoYJKyUpD2901MRasqKIb2FGmpylMGEEhoL9Uuy4XM1drLIIsl9Eb06kRB/ RNClpbbxB4Yc21Fup3c7ghDLkd/30iaqrJHmnx3IYKs+ZNztv77kve0cz3709Tafe9Yx APppm+/gq2SHYeOokfrL/5b0IUmOHLg8ubhZxEEeSjuHDzyhJfinBySUrgJ0yAtto3TI Ehzw== X-Gm-Message-State: AOAM530bBCWDEkbN8XwGuhlaxJZfVynN98F3M4t4ypVZo9SPzA+X+gYb UXKLqZ2JKe4XL9KgQxrlV0oH7gH56mTo0CwK X-Google-Smtp-Source: ABdhPJwkBfUkkv0r2TkKq3NAmzRS/NBu/gwMy9jJP1I2TzN45Iow8oEhalZoJV9EA98L0RI0y9i4Xg== X-Received: by 2002:a17:902:8608:b0:158:b827:7721 with SMTP id f8-20020a170902860800b00158b8277721mr23070173plo.149.1653314423811; Mon, 23 May 2022 07:00:23 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. [72.253.6.214]) by smtp.gmail.com with ESMTPSA id m10-20020a637d4a000000b003c14af505fcsm4778952pgn.20.2022.05.23.07.00.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 May 2022 07:00:21 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 4/9] mmc-utils: upgrade to latest revision Date: Mon, 23 May 2022 03:59:43 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 May 2022 14:00:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166027 From: Alexander Kanavin Fixes build error: when using Linux 5.4 kernel: In function read_extcsd: mmc_cmds.c:72:18: error: MMC_BLOCK_MAJOR undeclared (first use in this function) This SRCREV bump includes two commits: b7e4d5a mmc-utils: Add General command CMD56 read support 0d493fb mmc-utils: Fix build error MMC_BLOCK_MAJOR undeclared Signed-off-by: Alexander Kanavin Signed-off-by: Luca Ceresoli Signed-off-by: Richard Purdie (cherry picked from commit d98b06c9c6f480de1e5167bfe8392e39300fc02c) Signed-off-by: Ming Liu Signed-off-by: Steve Sakoman --- meta/recipes-devtools/mmc/mmc-utils_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/mmc/mmc-utils_git.bb b/meta/recipes-devtools/mmc/mmc-utils_git.bb index addefe9abf..3e611d1306 100644 --- a/meta/recipes-devtools/mmc/mmc-utils_git.bb +++ b/meta/recipes-devtools/mmc/mmc-utils_git.bb 
@@ -5,7 +5,7 @@ LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://mmc.c;beginline=1;endline=20;md5=fae32792e20f4d27ade1c5a762d16b7d" SRCBRANCH ?= "master" -SRCREV = "4303889c8bd9a2357587eb6ebacecb70098a264d" +SRCREV = "b7e4d5a6ae9942d26a11de9b05ae7d52c0802802" PV = "0.1+git${SRCPV}" From patchwork Mon May 23 13:59:44 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8391 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id EDA8DC433F5 for ; Mon, 23 May 2022 14:00:34 +0000 (UTC) Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com [209.85.210.174]) by mx.groups.io with SMTP id smtpd.web09.28090.1653314429378976634 for ; Mon, 23 May 2022 07:00:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=l4lSbOUL; spf=softfail (domain: sakoman.com, ip: 209.85.210.174, mailfrom: steve@sakoman.com) Received: by mail-pf1-f174.google.com with SMTP id z25so1083965pfr.1 for ; Mon, 23 May 2022 07:00:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=NTUknsKScsUUsML4ZJ/g5VdSrE16JIaxLKsuecDNLsc=; b=l4lSbOULnTKZP6a84wVpiY2JSJRgMNTqDUWfixVK8Mundi1acb85UP4mN4lxvnsjsg TrkPAnTZPD2FWw4JBH8PWAiMhtS0vQGEVgJJGWjYifT8vp9yVDSfLeruB4Hq7rUsysew NBlbH6IFHz8696XmnbRZTNWAkwXD4ioWHIap8XauCf1OBFEbzix73ALnCbxlF+qAmAXU qxP5URhEln1jQw299x4z0sDyIOD5iTHxn6bwKngOWywkzHLQucQ58f3RNiL89457n6ap BK88ipdoU4SpFTYehr9/ASiTDqGy1lRhEdNxwPnnLRfnXYczEtcBxUEg8f/C1D0dOnp0 o0SQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; 
h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=NTUknsKScsUUsML4ZJ/g5VdSrE16JIaxLKsuecDNLsc=; b=f4cpdV+joglhAW6lOyMYJAP/tVAPSlo/Ol/Qu22heVCZxv/HXY9V49YvOLmagr8K9V 6PxUjWo7ED3/+MPA9Tm7jQ/81dn9Tal0TNffq+StHqrxiGwcghKStQPq+CKs1BidJS/i TQ1yry69FR3FHmxGoh1NyvWe31W9GOZjt8ygLcVI2ultymB6oZF68XESTr7oRC/Xx+F9 q4gDVy5dcD21+XwsIjfO7YHH0UE1+lNyk14Uqdqi6VmcumotgU3IghgX3MOQpp9zSYHJ 836/3e8wsrUBM0kEGp6qkzJdbJlboTFeve33uY1rLqu/vkfaKv2wl8s3c2Y/Yvce9WFA X5KQ== X-Gm-Message-State: AOAM533mztdqIPN9KHnmjcnI34jRHGq7obDu6tmYDPaMVG5sHRFQSRLt s7GQWk95dFz85fuBZBlk5GwQkEP08mQKbhWf X-Google-Smtp-Source: ABdhPJysq/5oU7OZy9goUhHoZo9B22zivzD23bRf14fkaU1hOpTpTS+R6y9DvJdJhCUDSjbTT7WsJg== X-Received: by 2002:a63:f653:0:b0:3fa:ac4:d910 with SMTP id u19-20020a63f653000000b003fa0ac4d910mr8643923pgj.407.1653314428105; Mon, 23 May 2022 07:00:28 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. [72.253.6.214]) by smtp.gmail.com with ESMTPSA id m10-20020a637d4a000000b003c14af505fcsm4778952pgn.20.2022.05.23.07.00.24 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 May 2022 07:00:26 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 5/9] librepo: upgrade 1.14.2 -> 1.14.3 Date: Mon, 23 May 2022 03:59:44 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 May 2022 14:00:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166028 From: wangmy Minor bug fix release with a single commit: Make error messages about repodata and rpm mismatch more user friendly This should help users to recognize the error is not on dnf side but instead on the server (in the repository). Signed-off-by: Wang Mingyu 
Signed-off-by: Luca Ceresoli Signed-off-by: Richard Purdie (cherry picked from commit 2b41ae2900dc308e005d3f0e8a4d3912be35bc01) Signed-off-by: Steve Sakoman --- .../librepo/{librepo_1.14.2.bb => librepo_1.14.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-devtools/librepo/{librepo_1.14.2.bb => librepo_1.14.3.bb} (94%) diff --git a/meta/recipes-devtools/librepo/librepo_1.14.2.bb b/meta/recipes-devtools/librepo/librepo_1.14.3.bb similarity index 94% rename from meta/recipes-devtools/librepo/librepo_1.14.2.bb rename to meta/recipes-devtools/librepo/librepo_1.14.3.bb index 8dece946b4..2c8e592251 100644 --- a/meta/recipes-devtools/librepo/librepo_1.14.2.bb +++ b/meta/recipes-devtools/librepo/librepo_1.14.3.bb 
@@ -10,7 +10,7 @@ SRC_URI = "git://github.com/rpm-software-management/librepo.git;branch=master;pr file://0004-Set-gpgme-variables-with-pkg-config-not-with-cmake-m.patch \ " -SRCREV = "3b9a8d17188ba602d139f79b6e61305030f21109" +SRCREV = "8fc7950795282d9c7c50071f45973006de5594ab" S = "${WORKDIR}/git" From patchwork Mon May 23 13:59:45 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8392 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F20CAC4332F for ; Mon, 23 May 2022 14:00:34 +0000 (UTC) Received: from mail-pg1-f182.google.com (mail-pg1-f182.google.com [209.85.215.182]) by mx.groups.io with SMTP id smtpd.web12.27901.1653314421269082582 for ; Mon, 23 May 2022 07:00:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=UOCO5LOI; spf=softfail (domain: sakoman.com, ip: 209.85.215.182, mailfrom: steve@sakoman.com) Received: by mail-pg1-f182.google.com with SMTP id g184so13772795pgc.1 for ; Mon, 23 May 2022 07:00:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=PUeRVe1wGCzVNo2OzeM1GczPeLXvUEDSM1PocY4hr/Q=; b=UOCO5LOI9r1lV+9G2XA6yFZtIGubm8d/Yn2LCbDLaiTbETOOsCp2QfwCsjUpPWEuTR 3C8/XaxL+bZUG3MkQ2DGZkpPHG9M3GGvbCHYX8MI65ckIoxxNwpo9BzjEgXLLWl+7QCS 6v2LHPIapyx+Ba84+I8tQeM5vKpIMIQrXGcTikdANMYOXLdXZMN0/++ar/FJCkryenl6 vOCJ3EmXo1bS+wlBxp01pnK/qnOZNt70Zr14JyTUF2OrxHwNmzwiofGyuTzBFJWKR4Hp VyZKDO5itAFFjNwyI1vggKVNfcsq6e9j79D+1ToJMUYk5sXl0DxRn1H17uh9tGOZjfZr 6Uyw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=PUeRVe1wGCzVNo2OzeM1GczPeLXvUEDSM1PocY4hr/Q=; b=5Qj06Lviru58KSRHQ0tl8CqslWrj5pnUG/flREDw0PRNB+yHd2OggrMnDRWIsKkjKS iFwsqFtYJZdkqiHzGe6GpVQpKumrP6PLQoBWNaRUWn+QHHozjwrM/cBhRweYGiVinwGZ vhCEvpjY2IP28j0N/NVLrdC4kMsluv+99VsBGQmcZWMQ5ViNm4F5NPGme8e2WwzjDd7C orqmO43WI1Va0ULduZC2xUi5Hr/UKamoeQ8CBXxFLKxSKCB08v3sXr022tjvf/Kfn+wi t3nMGPtERwf+cbv0JIFrS7/u7zbZSSl961JXI3YYwZheaesZf5auAUTub+QnjwxOw/ug lcDw== X-Gm-Message-State: AOAM530h5b+yNxJcN87u45RJWwvqSNMhI9EtVZ0R5h+WU9HSKj1E+3Zh CqyVHLEHCJvrKoEjb1muUV9mI0Mb4lBrksNZ X-Google-Smtp-Source: ABdhPJwO2+icwJhTOn0WKIf9CvbpEjtdODGajvQ/S8BNguCjzhtBWBlR2kpjiM7yw8P16FXQH75w9Q== X-Received: by 2002:a05:6a00:1952:b0:518:9fbd:ff7a with SMTP id s18-20020a056a00195200b005189fbdff7amr5300957pfk.77.1653314431505; Mon, 23 May 2022 07:00:31 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. [72.253.6.214]) by smtp.gmail.com with ESMTPSA id m10-20020a637d4a000000b003c14af505fcsm4778952pgn.20.2022.05.23.07.00.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 May 2022 07:00:29 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/9] binutils: Bump to latest 2.38 release branch Date: Mon, 23 May 2022 03:59:45 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 May 2022 14:00:34 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166029 
From: Samuli Piippo Fixes Qt build with GCC 12.1. Brings following fixes * 3d549e5ccc0 PR29142, segv in ar with empty archive and libdeps specified * c473aa1b9d8 M68K: avoid quadratic slowdlow in label alignment check * 8d1187516e3 Adjust ld ctf test for 32-bit targets * 9c67f6382ac x86: Properly handle function pointer reference * 9a01457e02e s390: Add DT_JMPREL pointing to .rela.[i]plt with static-pie * 82a5bb730a1 s390: Avoid dynamic TLS relocs in PIE * d54081c642a LoongArch: Update ABI eflag in elf header. * fb4d148004f IBM zSystems: Add support for z16 as CPU name. * 975b5540232 libctf, ld: diagnose corrupted CTF header cth_strlen * 99852365513 dlltool: Use the output name as basis for deterministic temp prefixes * 210bf1d6225 Updated Serbian (for binutils/) and Russian (for gprof/) translations * fcf60fe8482 PR28959, obdump doesn't disassemble mftb instruction * e4a35c73196 PowerPC64 DT_RELR relative reloc addresses * 7183434818e Work around gcc-4 warnings in elf64-ppc.c Signed-off-by: Samuli Piippo Signed-off-by: Luca Ceresoli Signed-off-by: Richard Purdie (cherry picked from commit c007a7251e697836a29bd1aebe49d4f2433a5e6e) Signed-off-by: Steve Sakoman --- meta/recipes-devtools/binutils/binutils-2.38.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/binutils/binutils-2.38.inc b/meta/recipes-devtools/binutils/binutils-2.38.inc index 3544c0c7e7..dc0a2a4054 100644 --- a/meta/recipes-devtools/binutils/binutils-2.38.inc +++ b/meta/recipes-devtools/binutils/binutils-2.38.inc 
@@ -18,7 +18,7 @@ SRCBRANCH ?= "binutils-2_38-branch" UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P\d+_(\d_?)*)" -SRCREV ?= "6938a3aca19044aeb9bc4b9564e04f9092a701ed" +SRCREV ?= "134f17ef688ba4c72a6c4e57af7382882cc1a705" BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=git" SRC_URI = "\ ${BINUTILS_GIT_URI} \ From patchwork Mon May 23 13:59:46 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8394 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F3366C433F5 for ; Mon, 23 May 2022 14:00:44 +0000 (UTC) Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com [209.85.215.176]) by mx.groups.io with SMTP id smtpd.web09.28092.1653314435332714805 for ; Mon, 23 May 2022 07:00:35 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=V7ss1MJb; spf=softfail (domain: sakoman.com, ip: 209.85.215.176, mailfrom: steve@sakoman.com) Received: by mail-pg1-f176.google.com with SMTP id j21so13553026pga.13 for ; Mon, 23 May 2022 07:00:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=ykNbNEJzrSwEUg/Xpn6mc9XPFaAJpV/S6Eo0bRlI9Uc=; b=V7ss1MJb1jnFty16Pyo/BwCheDnSQkbUuqFZNhKIgwJT8YzaK9lTKj0Stk4qpvMPUC IaMgC2qkdKdDb3+rDQ8Ts7eFrNa4zJCkrQX3GX0EyneGGfj8rnplrj1/w3ELgBB4YKVe fGcea5Q/4ob3OM0J28WofO9zV7ZhkiijfkCu7wUCp7+yALXM9ihpcIaSQUCXWeas5pNm +IVhpbEFptXlGViwP2wDNL4jOKpko2a17S01U/7IU4OnrUEhN4+sGJL+GBmoKORxRmNG pLLHRcLiP7eRgT6/PBdL8s9pFTSSJ6hbP4Yjeu1lirvbMjmicmii1nsADy/lB7fwUDht ikNQ== 
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=ykNbNEJzrSwEUg/Xpn6mc9XPFaAJpV/S6Eo0bRlI9Uc=; b=fyOtYdYLMl8nuGPCsuoOpeZLz45T9ZSElg/TBHndLTCQOrcwQbKhxdyGDAi7TspNfQ IjIWwyOu7lmEDTF0IFhOnXD+O5Bhk4ONaltUxbTnmnF/nxqkyMVoq6opNiUbD0vTXqw4 uHbHsFDqye8Yjq5n7yj0F5IaEH7SJekfhro6BtD1obxhbUTNrMZgO9kRD/N0Gl+MzHJL Cy9VUDBia84WHOkbw/GCJP8TFei88aAXOPg+dmX4Mg3NTdYBMGz+C/NaSyeeXkFcw2tD Zg8VGamLmPKKPSFqC1zUPBah2RkriwiQXwAWXjKNZ3FbeO23FC7t4IRyRPaS7N+TSBzR elPQ== X-Gm-Message-State: AOAM533+K2z/1nuq3/4jm39QaZQ+gXGLMOOepdi8Uk9RF4ZVfYauCtz5 iMfPBnWDCPCwKFuEtCEIS1lLoJnCnouqQEG6 X-Google-Smtp-Source: ABdhPJyT4/ndcE1m2sqzgGkWVs219KpfrZ54ET9zrHVmtdCxpuDN46mIc2pJdfas0I4Ire/OiIz4jw== X-Received: by 2002:a62:ea17:0:b0:50d:8d25:a17 with SMTP id t23-20020a62ea17000000b0050d8d250a17mr23744440pfh.67.1653314434045; Mon, 23 May 2022 07:00:34 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. [72.253.6.214]) by smtp.gmail.com with ESMTPSA id m10-20020a637d4a000000b003c14af505fcsm4778952pgn.20.2022.05.23.07.00.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 May 2022 07:00:33 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 7/9] classes: rootfs-postcommands: add skip option to overlayfs_qa_check Date: Mon, 23 May 2022 03:59:46 -1000 Message-Id: <34b6d6b5f078c6948e53815af3c7b61de43d851c.1653313955.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 May 2022 14:00:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166030 
From: Claudius Heine The overlayfs_qa_check checks if the current root file system has a mount configured for each overlayfs, when the overlayfs class is used. However there are certain instances where this mount point is created at runtime and not static in a fstab entry or systemd mount unit. One such case would be if overlayfs-etc is used, where the device is mounted in the preinit script and not via a mount unit or fstab entry. However there are other possibilities for this as well, like startup scripts that support a dynamic partition layout. For instance when systemd-repart is used. This adds the `OVERLAYFS_QA_SKIP` variable, which allows to define QA skips via its flags. In principle it supports multiple QA skip flags separated by whitespace, but only one (`mount-configured`) is implemented here. To skip this QA check simply add `mount-configured` to the flag of `OVERLAYFS_QA_SKIP` with the same name. For instance if a overlayfs is configured as: OVERLAYFS_MOUNT_POINT[data] = "/data" Skipping this QA check can be done by setting: OVERLAYFS_QA_SKIP[data] = "mount-configured" Also add a testcase and fix a typo (fstat -> fstab). Signed-off-by: Claudius Heine Signed-off-by: Luca Ceresoli Signed-off-by: Richard Purdie (cherry picked from commit 2ce9173169a2a86392c4a85fe9be7fbbd7353b7f) Signed-off-by: Steve Sakoman --- meta/classes/rootfs-postcommands.bbclass | 10 ++++++++-- meta/lib/oeqa/selftest/cases/overlayfs.py | 20 +++++++++++++++++++- 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass index 63e716c955..d302c23cf4 100644 --- a/meta/classes/rootfs-postcommands.bbclass +++ b/meta/classes/rootfs-postcommands.bbclass 
@@ -400,6 +400,10 @@ python overlayfs_qa_check() { allUnitExist = True; for mountPoint in overlayMountPoints: + qaSkip = (d.getVarFlag("OVERLAYFS_QA_SKIP", mountPoint) or "").split() + if "mount-configured" in qaSkip: + continue + mountPath = d.getVarFlag('OVERLAYFS_MOUNT_POINT', mountPoint) if mountPath in fstabDevices: continue @@ -409,8 +413,10 @@ python overlayfs_qa_check() { for dirpath in searchpaths): continue - bb.warn('Mount path %s not found in fstat and unit %s not found ' - 'in systemd unit directories' % (mountPath, mountUnit)) + bb.warn(f'Mount path {mountPath} not found in fstab and unit ' + f'{mountUnit} not found in systemd unit directories.') + bb.warn(f'Skip this check by setting OVERLAYFS_QA_SKIP[{mountPoint}] = ' + '"mount-configured"') allUnitExist = False; if not allUnitExist: diff --git a/meta/lib/oeqa/selftest/cases/overlayfs.py b/meta/lib/oeqa/selftest/cases/overlayfs.py index 472746a64f..ce1d2f1ec3 100644 --- a/meta/lib/oeqa/selftest/cases/overlayfs.py +++ b/meta/lib/oeqa/selftest/cases/overlayfs.py 
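Review bot: The new `continue` in the first hunk of overlayfs_qa_check turns the mount check off for a mount point without leaving any trace in the build log. Since OVERLAYFS_QA_SKIP disables a QA gate per overlay, I would record it before the `continue`, e.g. `bb.note(f'overlayfs_qa_check: mount-configured check skipped for {mountPoint}')`, so someone auditing an image build can see which overlays were exempted. The function body starts and continues outside the hunk.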
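Review bot: In the second hunk the added `bb.warn` offers OVERLAYFS_QA_SKIP as the remedy for every missing mount, which steers users toward disabling the check even when the fstab entry or mount unit is simply missing. The commit message limits the skip to mounts that are created at runtime (preinit script, systemd-repart), and the hint should say so: `bb.warn(f'If {mountPath} is mounted at runtime, skip this check by setting OVERLAYFS_QA_SKIP[{mountPoint}] = "mount-configured"')`. The first message now also ends in a period while the selftest string in overlayfs.py has none, which is fine only if getline() does substring matching (not visible here).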
@@ -62,11 +62,29 @@ DISTRO_FEATURES += "systemd overlayfs" self.add_overlay_conf_to_machine() res = bitbake('core-image-minimal', ignore_status=True) - line = getline(res, " Mount path /mnt/overlay not found in fstat and unit mnt-overlay.mount not found in systemd unit directories") + line = getline(res, " Mount path /mnt/overlay not found in fstab and unit mnt-overlay.mount not found in systemd unit directories") self.assertTrue(line and line.startswith("WARNING:"), msg=res.output) line = getline(res, "Not all mount paths and units are installed in the image") self.assertTrue(line and line.startswith("ERROR:"), msg=res.output) + def test_not_all_units_installed_but_qa_skipped(self): + """ + Summary: Test skipping the QA check + Expected: Image is created successfully + Author: Claudius Heine + """ + + config = """ +IMAGE_INSTALL:append = " overlayfs-user" +DISTRO_FEATURES += "systemd overlayfs" +OVERLAYFS_QA_SKIP[mnt-overlay] = "mount-configured" +""" + + self.write_config(config) + self.add_overlay_conf_to_machine() + + bitbake('core-image-minimal') + def test_mount_unit_not_set(self): """ Summary: Test whether mount unit was set properly From patchwork Mon May 23 13:59:47 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8395 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F338EC433FE for ; Mon, 23 May 2022 14:00:44 +0000 (UTC) Received: from mail-pf1-f177.google.com (mail-pf1-f177.google.com [209.85.210.177]) by mx.groups.io with SMTP id smtpd.web11.27927.1653314438056136453 for ; Mon, 23 May 2022 07:00:38 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=1yGRO90y; spf=softfail 
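Review bot: The config block of the new test_not_all_units_installed_but_qa_skipped uses `DISTRO_FEATURES += "systemd overlayfs"`, the form that patch 9/9 of this series replaces because it drops the other DISTRO_FEATURES entries when the variable was set with `?=`. Judging by the hunk offsets, 9/9 does not touch this block (its overlayfs.py hunks start at old lines 55 and 94, on either side of this test), so the new test would keep the old form after the series is applied. I would write `DISTRO_FEATURES:append = " systemd overlayfs"` here.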
(domain: sakoman.com, ip: 209.85.210.177, mailfrom: steve@sakoman.com) Received: by mail-pf1-f177.google.com with SMTP id f21so1426823pfa.3 for ; Mon, 23 May 2022 07:00:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=+OaF9KpcMiwqvDT9lS/7b98nnKVkvzI2aLlT0Lki4To=; b=1yGRO90ywoJBBfie5UUFBPkvtxGTrMsNBmP/2+mymSx7/r1LSAgqmgtFJzueXXpEBf g1FYs+2OqiCSKFf0tOFloD8hCcD5n8SBwxLDZq1EuOirLUvWxYa7cgr0OwDB6gDQ40KC MMIj4VCuWhepwcbr+DEYs8bgIeeWUCuctEYO9RE6P2j5m05yq1tXR2ByiUjmjC3ui09g q1bCkBlLoXcwk7Dre8fH2620IyeDdPjQVzlKmdyH+asj7IoPNIVEzfKWsonQ6UKgqrNZ B4YrZYN3RjNNzLjuGI0495XyMQXTfwc0Yr9+bM+fF6suIZelCs4YyTMAcepICOyQC8ep XgBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=+OaF9KpcMiwqvDT9lS/7b98nnKVkvzI2aLlT0Lki4To=; b=qPwhw+qUQVV2hroKPdbw0ArVr2rSm/7r7rr10TfocG2aZqyUNdI7SC+KyLxnk+D98B DJYY0awOIsIxhE0/OjDir9/XISYfN75v739bPCv4Adv/469DFUVr6VJI9J7uZrtUpr4o VdGuB+K3IcmD3F6h2jDPghW0L4X+GrlPMxOjb020sxB+aQmpunjWoOZG5vQ11k6l9IiG 2HBkCbBT/aPpejSFaNPJyZQFFyQp4pwG5wBUYSMpH+xBev4XWI6O7/sZ6D08k2DjojHk 8WpbG9sQos0xv8pQbdOwRvzhU2dGZ3AgJypEX1FqitEcmgdBk/Mr2UluU7r0ohb8I1ii UifQ== X-Gm-Message-State: AOAM533JgsUbWaQSX/JE6GqK4IwxtdnRzw79M0P4mEYGXqf3ke0r06Lt oswimHfcylzXsUpKKqnlvARaNYxb29hD3k1s X-Google-Smtp-Source: ABdhPJw0nB8ARAv9ji4b4nrvUSVBAxQ37phT3x1Y+IeoVnB5p+oOxfwOpJcL2zExVRm7Ut8Q5Fi9/A== X-Received: by 2002:a65:5c48:0:b0:382:2c7:28e9 with SMTP id v8-20020a655c48000000b0038202c728e9mr20714869pgr.472.1653314436872; Mon, 23 May 2022 07:00:36 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. 
[72.253.6.214]) by smtp.gmail.com with ESMTPSA id m10-20020a637d4a000000b003c14af505fcsm4778952pgn.20.2022.05.23.07.00.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 May 2022 07:00:35 -0700 (PDT) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 8/9] staging: Fix rare sysroot corruption issue Date: Mon, 23 May 2022 03:59:47 -1000 Message-Id: <927837e29a1e79e8eeecaacc6de6b8f9e6aa6f70.1653313955.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 May 2022 14:00:44 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166031 From: Richard Purdie We've seen failures on the autobuilder in oe-selftest where things which should be in the sysroot aren't. The exact steps to reproduce the exact failure are elusive and probably hash equivalence dependent, but this set of steps does reproduce corruption which is probably of the same origin: Add DISTRO_FEATURES += "systemd" bitbake dbus Remove DISTRO_FEATURES += "systemd" bitbake dbus bitbake dbus -c clean bitbake dbus -c configure Add DISTRO_FEATURES += "systemd" bitbake quilt-native bitbake dbus -c populate_sysroot Remove DISTRO_FEATURES += "systemd" bitbake dbus -c compile Where dbus will now fail as the compiler was no longer in the sysroot. This works by clearing x11 and other values out of DISTRO_FEATURES so the x11 dependencies are removed from the sysroot. The configure stamp remains valid so when the original configuration is restored, it becomes valid again but a load of the sysroot disappeared and build failures result. Fix this by removing stamps when we remove things from the sysroot. Depends on a change to bitbake build.py to add the clean_stamp API. [YOCTO #14790] 
Signed-off-by: Richard Purdie (cherry picked from commit f4b1cecc82435b71135d7b65f6ea67be0e4f8c66) Signed-off-by: Steve Sakoman --- meta/classes/staging.bbclass | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass index 9fc8f4f283..8372a4574a 100644 --- a/meta/classes/staging.bbclass +++ b/meta/classes/staging.bbclass @@ -404,7 +404,9 @@ python extend_recipe_sysroot() { # All files that we're going to be installing, to find conflicts. fileset = {} + invalidate_tasks = set() for f in os.listdir(depdir): + removed = [] if not f.endswith(".complete"): continue f = depdir + "/" + f 
@@ -414,6 +416,28 @@ python extend_recipe_sysroot() { sstate_clean_manifest(depdir + "/" + lnk, d, canrace=True, prefix=workdir) os.unlink(f) os.unlink(f.replace(".complete", "")) + removed.append(os.path.basename(f.replace(".complete", ""))) + + # If we've removed files from the sysroot above, the task that installed them may still + # have a stamp file present for the task. This is probably invalid right now but may become + # valid again if the user were to change configuration back for example. Since we've removed + # the files a task might need, remove the stamp file too to force it to rerun. + # YOCTO #14790 + if removed: + for i in glob.glob(depdir + "/index.*"): + if i.endswith("." + mytaskname): + continue + with open(i, "r") as f: + for l in f: + if l.startswith("TaskDeps:"): + continue + l = l.strip() + if l in removed: + invalidate_tasks.add(i.rsplit(".", 1)[1]) + break + for t in invalidate_tasks: + bb.note("Invalidating stamps for task %s" % t) + bb.build.clean_stamp(t, d) installed = [] for dep in configuredeps: From patchwork Mon May 23 13:59:48 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 8396 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id F264EC433F5 for ; Mon, 23 May 2022 14:00:54 +0000 (UTC) Received: from mail-oa1-f41.google.com (mail-oa1-f41.google.com [209.85.160.41]) by mx.groups.io with SMTP id smtpd.web10.27624.1653314453300847101 for ; Mon, 23 May 2022 07:00:53 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20210112.gappssmtp.com header.s=20210112 header.b=rzTCUwEB; spf=softfail (domain: sakoman.com, ip: 209.85.160.41, mailfrom: steve@sakoman.com) Received: by mail-oa1-f41.google.com with SMTP id 
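Review bot: `with open(i, "r") as f:` in the added block rebinds `f`, which the enclosing `for f in os.listdir(depdir)` loop uses for the `.complete` path; nothing reads it afterwards in the visible lines, but it is an easy trap for the next edit. I would use distinct names, `with open(i, "r") as index:` and `for line in index:`. `invalidate_tasks` is a set, so the order of the `bb.note` and `bb.build.clean_stamp` calls can vary between runs; `for t in sorted(invalidate_tasks):` keeps the log stable. The block also relies on `glob` being available in the class, which the hunk does not show. extend_recipe_sysroot starts and ends outside the hunk.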
586e51a60fabf-f1eafa567cso15144760fac.8 for ; Mon, 23 May 2022 07:00:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20210112.gappssmtp.com; s=20210112; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=bBIq7CqWrzdVIC8FH5Elp5+/Q2+rZQx412xvJYJuTuc=; b=rzTCUwEBzEo9YTZksOvivXNiMRWeK3xbDkbUVNxWi4JJi/fV4LvFaIlUDy1Fd8FAtU DN1Kffq8a1AMjrkhe1lntSuoHlvF3vdZFeppmG8xi+M+2gw/1jiXdXwxN+UmNIG5pLqK LF0QBM6Nsw2K8cUzihty3eLZ1ID1vnx1HLMlXdwHuD3vg8Iw43wpKJT8qyYaSIJQ+O7Y ynQDC60NRQmvnd/uPisaoMon3Ju1aGc5QeM3/q0gAW2x0l+DAzpuqeorf0A+GQx+jT1o FlSug/bI4iMrJRlJlFwuOndk0zeLt4n8wFfrY8T2Ge60KV1nnwChgWrW3Img9JfSfHAi pEWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=bBIq7CqWrzdVIC8FH5Elp5+/Q2+rZQx412xvJYJuTuc=; b=nP9+BXnLsRWJtneVDpCu8edjPKqkeP1L7uOvVUBVUzRMTVSa/a8MD72qGbE8qK5KJq Y4So+vAoN0VOPFVoxpYAlWM5nTtRiSYNWN7ZS0/azUEpaB1r17JudEC0dfxsS+7YGnIa P4MI+Az6S4+3XEB/dvZM0RVqaIuEQYaFo9WpCEkIGfkeq+wTH0jsRcz6G/7gB/mWha7h /HETTCT5htBLaUEG9qMBRJePDY9imFuxXBAC+BZ7tvY+6XRtn2F1rDHzgbnalSvb/fng 9ECVSVJHSrrKmCFyzlpmWVPtsY7qlQskD06f+KiaaX3+9jZGyNWodJELJe/6BExE8+u7 Zdqg== X-Gm-Message-State: AOAM532XL9pDHiixP8euRnSTong9ZSZm9ZuNKtIacH3xazDHpmIIf6yp C+P6LpvBsvrBuLAXFdCEmxP3zbyHOTpKQDub X-Google-Smtp-Source: ABdhPJxduLlEMAty78aSygyp/4WptHZ7dRN/arHDDZIlCozmR5rxLfte+FK9k62hMnhW6O4vkRYjxQ== X-Received: by 2002:a17:90b:4b88:b0:1df:a87c:f741 with SMTP id lr8-20020a17090b4b8800b001dfa87cf741mr26376328pjb.110.1653314441133; Mon, 23 May 2022 07:00:41 -0700 (PDT) Received: from hexa.router0800d9.com (dhcp-72-253-6-214.hawaiiantel.net. [72.253.6.214]) by smtp.gmail.com with ESMTPSA id m10-20020a637d4a000000b003c14af505fcsm4778952pgn.20.2022.05.23.07.00.37 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 May 2022 07:00:39 -0700 (PDT) 
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 9/9] selftest/imagefeatures/overlayfs: Always append to DISTRO_FEATURES Date: Mon, 23 May 2022 03:59:48 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 May 2022 14:00:54 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166032 From: Richard Purdie Using += unintentionally removes all other entries from DISTRO_FEATURES if DISTRO_FEATURES was set by ?= such as by poky.conf. This reduces sstate reusage on the autobuilder. Fix this to speed up builds. Signed-off-by: Richard Purdie (cherry picked from commit 124b82c32c4545bb216a8249954817f692f9795a) Signed-off-by: Steve Sakoman --- meta/lib/oeqa/selftest/cases/imagefeatures.py | 2 +- meta/lib/oeqa/selftest/cases/overlayfs.py | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/meta/lib/oeqa/selftest/cases/imagefeatures.py b/meta/lib/oeqa/selftest/cases/imagefeatures.py index 6b94ace4eb..6d010b3e3a 100644 --- a/meta/lib/oeqa/selftest/cases/imagefeatures.py +++ b/meta/lib/oeqa/selftest/cases/imagefeatures.py @@ -235,7 +235,7 @@ USERADD_GID_TABLES += "files/static-group" DISTRO_FEATURES:append = " pam opengl wayland" # Switch to systemd -DISTRO_FEATURES += "systemd" +DISTRO_FEATURES:append = " systemd" VIRTUAL-RUNTIME_init_manager = "systemd" VIRTUAL-RUNTIME_initscripts = "" VIRTUAL-RUNTIME_syslog = "" diff --git a/meta/lib/oeqa/selftest/cases/overlayfs.py b/meta/lib/oeqa/selftest/cases/overlayfs.py index ce1d2f1ec3..96beb8b869 100644 --- a/meta/lib/oeqa/selftest/cases/overlayfs.py +++ b/meta/lib/oeqa/selftest/cases/overlayfs.py 
@@ -55,7 +55,7 @@ inherit overlayfs config = """ IMAGE_INSTALL:append = " overlayfs-user" -DISTRO_FEATURES += "systemd overlayfs" +DISTRO_FEATURES:append = " systemd overlayfs" """ self.write_config(config) @@ -94,7 +94,7 @@ OVERLAYFS_QA_SKIP[mnt-overlay] = "mount-configured" config = """ IMAGE_INSTALL:append = " overlayfs-user" -DISTRO_FEATURES += "systemd overlayfs" +DISTRO_FEATURES:append = " systemd overlayfs" """ self.write_config(config) @@ -112,7 +112,7 @@ DISTRO_FEATURES += "systemd overlayfs" config = """ IMAGE_INSTALL:append = " overlayfs-user" -DISTRO_FEATURES += "systemd overlayfs" +DISTRO_FEATURES:append = " systemd overlayfs" """ wrong_machine_config = """ @@ -136,7 +136,7 @@ OVERLAYFS_MOUNT_POINT[usr-share-overlay] = "/usr/share/overlay" config = """ IMAGE_INSTALL:append = " overlayfs-user systemd-machine-units" -DISTRO_FEATURES += "systemd overlayfs" +DISTRO_FEATURES:append = " systemd overlayfs" # Use systemd as init manager VIRTUAL-RUNTIME_init_manager = "systemd" @@ -271,7 +271,7 @@ class OverlayFSEtcRunTimeTests(OESelftestTestCase): """ configBase = """ -DISTRO_FEATURES += "systemd" +DISTRO_FEATURES:append = " systemd" # Use systemd as init manager VIRTUAL-RUNTIME_init_manager = "systemd" @@ -313,7 +313,7 @@ OVERLAYFS_ETC_DEVICE = "/dev/mmcblk0p1" """ config = """ -DISTRO_FEATURES += "systemd" +DISTRO_FEATURES:append = " systemd" # Use systemd as init manager VIRTUAL-RUNTIME_init_manager = "systemd" @@ -349,7 +349,7 @@ INHERIT += "overlayfs-etc" """ config = f""" -DISTRO_FEATURES += "systemd" +DISTRO_FEATURES:append = " systemd" # Use systemd as init manager VIRTUAL-RUNTIME_init_manager = "systemd" @@ -391,7 +391,7 @@ OVERLAYFS_ETC_DEVICE = "/dev/sda3" """ config = """ -DISTRO_FEATURES += "systemd" +DISTRO_FEATURES:append = " systemd" # Use systemd as init manager VIRTUAL-RUNTIME_init_manager = "systemd"