From patchwork Wed Jun 8 14:46:25 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 9025
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 01/14] Revert "openssl: Backport fix for ptest cert expiry"
Date: Wed, 8 Jun 2022 04:46:25 -1000
Message-Id: <68c97aa9e0da2799fa58de945a59b6768a5a7235.1654699348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166736

Version 1.1.1 requires additional changes

This reverts commit 4051d1a3aa5f70da96c381f9dea5f52cd9306939.
---
 ...ea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch | 55 -------------------
 .../openssl/openssl_1.1.1o.bb | 1 -
 2 files changed, 56 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/770aea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch
diff --git a/meta/recipes-connectivity/openssl/openssl/770aea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch b/meta/recipes-connectivity/openssl/openssl/770aea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch deleted file mode 100644 index 0249d4181b..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/770aea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 770aea88c3888cc5cb3ebc94ffcef706c68bc1d2 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Wed, 1 Jun 2022 12:06:33 +0200 -Subject: [PATCH] Update expired SCT issuer certificate - -Fixes #15179 - -Reviewed-by: Matt Caswell -Reviewed-by: Dmitry Belyavskiy -(Merged from https://github.com/openssl/openssl/pull/18444) - -Upstream-Status: Backport -[Fixes ptest failures in OE-Core] ---- - test/certs/embeddedSCTs1_issuer.pem | 30 ++++++++++++++--------------- - 1 file changed, 15 insertions(+), 15 deletions(-) - -diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem -index 1fa449d5a098..6aa9455f09ed 100644 ---- a/test/certs/embeddedSCTs1_issuer.pem -+++ b/test/certs/embeddedSCTs1_issuer.pem -@@ -1,18 +1,18 @@ - -----BEGIN CERTIFICATE----- --MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk -+MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk - MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX --YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw --MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu --c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf --MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7 --jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP --KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL --svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk --tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG --A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO --MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB --/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt --OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy --f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP --OwqULg== -+YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw 
-+ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy -+YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w -+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG -+0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4 -+SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG -+acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw -+wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw -+CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB -+MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD -+AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq -++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo -+2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c -+Doud4XrO - -----END CERTIFICATE----- diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb index b3dceb659b..c9cfc759c9 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb 
@@ -18,7 +18,6 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://afalg.patch \ file://reproducible.patch \ file://reproducibility.patch \ - file://770aea88c3888cc5cb3ebc94ffcef706c68bc1d2.patch \ " SRC_URI_append_class-nativesdk = " \

From patchwork Wed Jun 8 14:46:26 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 9028
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 02/14] openssl: backport fix for ptest certificate expiration
Date: Wed, 8 Jun 2022 04:46:26 -1000
Message-Id: <40858a05989d45b0c772fdec837d3dc95d4df59d.1654699348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166737

ptests in openssl have started failing as test certificates have expired. Backport a fix for this from upstream, replacing the test certificates to allow the ptests to pass again.

Signed-off-by: Steve Sakoman --- ...5d82489b3ec09ccc772dfcee14fef0e8e908.patch | 192 ++++++++++++++++++ .../openssl/openssl_1.1.1o.bb | 1 + 2 files changed, 193 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch diff --git a/meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch b/meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch new file mode 100644 index 0000000000..438ecdcd32 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch 
@@ -0,0 +1,192 @@ +From 73db5d82489b3ec09ccc772dfcee14fef0e8e908 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 1 Jun 2022 12:47:44 +0200 +Subject: [PATCH] Update expired SCT certificates + +Reviewed-by: Matt Caswell +Reviewed-by: Dmitry Belyavskiy +(Merged from https://github.com/openssl/openssl/pull/18446) + +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/73db5d82489b3ec09ccc772dfcee14fef0e8e908] +Signed-off-by: Steve Sakoman + +--- + test/certs/embeddedSCTs1-key.pem | 38 ++++++++++++++++--------- + test/certs/embeddedSCTs1.pem | 35 ++++++++++++----------- + test/certs/embeddedSCTs1.sct | 12 ++++---- + test/certs/embeddedSCTs1_issuer-key.pem | 15 ++++++++++ + test/certs/embeddedSCTs1_issuer.pem | 30 +++++++++---------- + 5 files changed, 79 insertions(+), 51 deletions(-) + create mode 100644 test/certs/embeddedSCTs1_issuer-key.pem + +diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem +index e3e66d55c510..28dd206dbe8d 100644 +--- a/test/certs/embeddedSCTs1-key.pem ++++ b/test/certs/embeddedSCTs1-key.pem +@@ -1,15 +1,27 @@ + -----BEGIN RSA PRIVATE KEY----- +-MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k +-WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X +-EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB +-AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g +-PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf +-flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU +-X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ +-pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA +-b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt +-9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR +-83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs +-n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ +-1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ== 
++MIIEpQIBAAKCAQEAuIjpA4/iCpDA2mjywI5zG6IBX6bNcRQYDsB7Cv0VonNXtJBw ++XxMENP4jVpvEmWpJ5iMBknGHV+XWBkngYapczIsY4LGn6aMU6ySABBVQpNOQSRfT ++48xGGPR9mzOBG/yplmpFOVq1j+b65lskvAXKYaLFpFn3oY/pBSdcCNBP8LypVXAJ ++b3IqEXsBL/ErgHG9bgIRP8VxBAaryCz77kLzAXkfHL2LfSGIfNONyEKB3xI94S4L ++eouOSoWL1VkEfJs87vG4G5xoXw3KOHyiueQUUlMnu8p+Bx0xPVKPEsLje3R9k0rG ++a5ca7dXAn9UypKKp25x4NXpnjGX5txVEYfNvqQIDAQABAoIBAE0zqhh9Z5n3+Vbm ++tTht4CZdXqm/xQ9b0rzJNjDgtN5j1vuJuhlsgUQSVoJzZIqydvw7BPtZV8AkPagf ++3Cm/9lb0kpHegVsziRrfCFes+zIZ+LE7sMAKxADIuIvnvkoRKHnvN8rI8lCj16/r ++zbCD06mJSZp6sSj8ZgZr8wsU63zRGt1TeGM67uVW4agphfzuKGlXstPLsSMwknpF ++nxFS2TYbitxa9oH76oCpEk5fywYsYgUP4TdzOzfVAgMzNSu0FobvWl0CECB+G3RQ ++XQ5VWbYkFoj5XbE5kYz6sYHMQWL1NQpglUp+tAQ1T8Nca0CvbSpD77doRGm7UqYw ++ziVQKokCgYEA6BtHwzyD1PHdAYtOcy7djrpnIMaiisSxEtMhctoxg8Vr2ePEvMpZ ++S1ka8A1Pa9GzjaUk+VWKWsTf+VkmMHGtpB1sv8S7HjujlEmeQe7p8EltjstvLDmi ++BhAA7ixvZpXXjQV4GCVdUVu0na6gFGGueZb2FHEXB8j1amVwleJj2lcCgYEAy4f3 ++2wXqJfz15+YdJPpG9BbH9d/plKJm5ID3p2ojAGo5qvVuIJMNJA4elcfHDwzCWVmn ++MtR/WwtxYVVmy1BAnmk6HPSYc3CStvv1800vqN3fyJWtZ1P+8WBVZWZzIQdjdiaU ++JSRevPnjQGc+SAZQQIk1yVclbz5790yuXsdIxf8CgYEApqlABC5lsvfga4Vt1UMn ++j57FAkHe4KmPRCcZ83A88ZNGd/QWhkD9kR7wOsIz7wVqWiDkxavoZnjLIi4jP9HA ++jwEZ3zER8wl70bRy0IEOtZzj8A6fSzAu6Q+Au4RokU6yse3lZ+EcepjQvhBvnXLu ++ZxxAojj6AnsHzVf9WYJvlI0CgYEAoATIw/TEgRV/KNHs/BOiEWqP0Co5dVix2Nnk ++3EVAO6VIrbbE3OuAm2ZWeaBWSujXLHSmVfpoHubCP6prZVI1W9aTkAxmh+xsDV3P ++o3h+DiBTP1seuGx7tr7spQqFXeR3OH9gXktYCO/W0d3aQ7pjAjpehWv0zJ+ty2MI ++fQ/lkXUCgYEAgbP+P5UmY7Fqm/mi6TprEJ/eYktji4Ne11GDKGFQCfjF5RdKhdw1 ++5+elGhZes+cpzu5Ak6zBDu4bviT+tRTWJu5lVLEzlHHv4nAU7Ks5Aj67ApH21AnP ++RtlATdhWOt5Dkdq1WSpDfz5bvWgvyBx9D66dSmQdbKKe2dH327eQll4= + -----END RSA PRIVATE KEY----- +diff --git a/test/certs/embeddedSCTs1.pem b/test/certs/embeddedSCTs1.pem +index d1e85120a043..d2a111fb8235 100644 +--- a/test/certs/embeddedSCTs1.pem ++++ b/test/certs/embeddedSCTs1.pem +@@ -1,20 +1,21 @@ + -----BEGIN CERTIFICATE----- 
+-MIIDWTCCAsKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk ++MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk + MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX +-YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw +-MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu +-c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G +-CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/ +-BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk +-EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw +-FAn/Xdh+tQIDAQABo4IBOjCCATYwHQYDVR0OBBYEFCAxVBryXAX/2GWLaEN5T16Q +-Nve0MH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYD +-VQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4w +-DAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAJBgNVHRMEAjAAMIGK +-BgorBgEEAdZ5AgQCBHwEegB4AHYA3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4L +-vT9012QAAAE92yffkwAABAMARzBFAiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUw +-KI+j5eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8IMA0GCSqG +-SIb3DQEBBQUAA4GBAIoMS+8JnUeSea+goo5on5HhxEIb4tJpoupspOghXd7dyhUE +-oR58h8S3foDw6XkDUmjyfKIOFmgErlVvMWmB+Wo5Srer/T4lWsAERRP+dlcMZ5Wr +-5HAxM9MD+J86+mu8/FFzGd/ZW5NCQSEfY0A1w9B4MHpoxgdaLiDInza4kQyg ++YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy ++NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3 ++DQEBAQUAA4IBDwAwggEKAoIBAQC4iOkDj+IKkMDaaPLAjnMbogFfps1xFBgOwHsK ++/RWic1e0kHBfEwQ0/iNWm8SZaknmIwGScYdX5dYGSeBhqlzMixjgsafpoxTrJIAE ++FVCk05BJF9PjzEYY9H2bM4Eb/KmWakU5WrWP5vrmWyS8BcphosWkWfehj+kFJ1wI ++0E/wvKlVcAlvcioRewEv8SuAcb1uAhE/xXEEBqvILPvuQvMBeR8cvYt9IYh8043I ++QoHfEj3hLgt6i45KhYvVWQR8mzzu8bgbnGhfDco4fKK55BRSUye7yn4HHTE9Uo8S ++wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB ++CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I ++Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD 
++ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI ++/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB ++u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ ++BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR ++RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1 ++IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W ++YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw== + -----END CERTIFICATE----- +diff --git a/test/certs/embeddedSCTs1.sct b/test/certs/embeddedSCTs1.sct +index 59362dcee1f4..35c9eb9e3bed 100644 +--- a/test/certs/embeddedSCTs1.sct ++++ b/test/certs/embeddedSCTs1.sct +@@ -2,11 +2,11 @@ Signed Certificate Timestamp: + Version : v1 (0x0) + Log ID : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C: + 79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64 +- Timestamp : Apr 5 17:04:16.275 2013 GMT ++ Timestamp : Jan 1 00:00:00.000 2020 GMT + Extensions: none + Signature : ecdsa-with-SHA256 +- 30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F: +- D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3: +- E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2: +- F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1: +- 05:51:9D:89:ED:BF:08 +\ No newline at end of file ++ 30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A: ++ D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4: ++ BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F: ++ 02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7: ++ 60:EB:A8:AF:03:5E:C3 +\ No newline at end of file +diff --git a/test/certs/embeddedSCTs1_issuer-key.pem b/test/certs/embeddedSCTs1_issuer-key.pem +new file mode 100644 +index 000000000000..9326e38b1eb7 +--- /dev/null ++++ b/test/certs/embeddedSCTs1_issuer-key.pem +@@ -0,0 +1,15 @@ ++-----BEGIN RSA PRIVATE KEY----- ++MIICXAIBAAKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7jHbrkVfT0PtLO1FuzsvR ++yY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjPKDHM5nugSlojgZ88ujfm ++JNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnLsvfP34b7arnRsQIDAQAB 
++AoGAJLR6xEJp+5IXRFlLn7WTkFvO0ddtxJ7bXhiIkTctyruyfqp7LF9Jv1G2m3PK ++QPUtBc73w/GYkfnwIwdfJbOmPHL7XyEGHZYmEXgIgEtw6LXvAv0G5JpUnNwsSBfL ++GfSQqI5Z5ytyzlJXkMcTGA2kTgNAYc73h4EnU+pwUnDPdAECQQD2aj+4LtYk1XPq ++r3gjgI6MoGvgYJfPmAtZhxxVbhXQKciFUCAcBiwlQdHIdLWE9j65ctmZRWidKifr ++4O4nz+TBAkEA3djNW/rTQq5fKZy+mCF1WYnIU/3yhJaptzRqLm7AHqe7+hdrGXJw +++mCtU8T3L/Ms8bH1yFBZhmkp1PbR8gl48QJAQo70YyWThiN5yfxXcQ96cZWrTdIJ ++b3NcLXSHPLQdhDqlBQ1dfvRT3ERpC8IqfZ2d162kBPhwh3MpkVcSPQK0gQJAC/dY ++xGBYKt2a9nSk9zG+0bCT5Kvq++ngh6hFHfINXNnxUsEWns3EeEzkrIMQTj7QqszN ++lBt5aL2dawZRNrv6EQJBAOo4STF9KEwQG0HLC/ryh1FeB0OBA5yIepXze+eJVKei ++T0cCECOQJKfWHEzYJYDJhyEFF/sYp9TXwKSDjOifrsU= ++-----END RSA PRIVATE KEY----- +diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem +index 1fa449d5a098..6aa9455f09ed 100644 +--- a/test/certs/embeddedSCTs1_issuer.pem ++++ b/test/certs/embeddedSCTs1_issuer.pem +@@ -1,18 +1,18 @@ + -----BEGIN CERTIFICATE----- +-MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk ++MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk + MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX +-YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw +-MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu +-c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf +-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7 +-jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP +-KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL +-svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk +-tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG +-A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO +-MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB +-/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt +-OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy 
+-f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP +-OwqULg== ++YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw ++ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy ++YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w ++gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG ++0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4 ++SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG ++acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw ++wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw ++CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB ++MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD ++AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq +++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo ++2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c ++Doud4XrO + -----END CERTIFICATE----- diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb index c9cfc759c9..b306414776 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb 
@@ -18,6 +18,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://afalg.patch \ file://reproducible.patch \ file://reproducibility.patch \ + file://73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch \ " SRC_URI_append_class-nativesdk = " \

From patchwork Wed Jun 8 14:46:27 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 9026
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 03/14] openssl: update the epoch time for ct_test ptest
Date: Wed, 8 Jun 2022 04:46:27 -1000
Message-Id: <3af161acc13189cb68549f898f3964d83d00ce56.1654699348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166738

We are getting an additional ptest failure after fixing the expired certificates. Backport a patch from upstream to fix this.

Signed-off-by: Steve Sakoman --- ...611887cfac633aacc052b2e71a7f195418b8.patch | 29 +++++++++++++++++++ .../openssl/openssl_1.1.1o.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch diff --git a/meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch b/meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch new file mode 100644 index 0000000000..832f651660 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/b7ce611887cfac633aacc052b2e71a7f195418b8.patch @@ -0,0 +1,29 @@ +From b7ce611887cfac633aacc052b2e71a7f195418b8 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 1 Jun 2022 13:06:46 +0200 +Subject: [PATCH] ct_test.c: Update the epoch time + +Reviewed-by: Matt Caswell +Reviewed-by: Dmitry Belyavskiy +(Merged from https://github.com/openssl/openssl/pull/18446) + +Upstream-Status: Backport [https://github.com/openssl/openssl/commit/b7ce611887cfac633aacc052b2e71a7f195418b8] +Signed-off-by: Steve Sakoman + +--- + test/ct_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/ct_test.c b/test/ct_test.c +index 78d11ca98cf7..535897d09a77 100644 +--- a/test/ct_test.c ++++ b/test/ct_test.c +@@ -63,7 +63,7 @@ static CT_TEST_FIXTURE *set_up(const char *const test_case_name) + if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) + goto end; + fixture->test_case_name = test_case_name; +- fixture->epoch_time_in_ms = 1473269626000ULL; /* Sep 7 17:33:46 2016 GMT */ ++ fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */ + if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new()) + || !TEST_int_eq( + CTLOG_STORE_load_default_file(fixture->ctlog_store), 1)) diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb index b306414776..e24467739f 100644 
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1o.bb 
@@ -19,6 +19,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://reproducible.patch \ file://reproducibility.patch \ file://73db5d82489b3ec09ccc772dfcee14fef0e8e908.patch \ + file://b7ce611887cfac633aacc052b2e71a7f195418b8.patch \ " SRC_URI_append_class-nativesdk = " \

From patchwork Wed Jun 8 14:46:28 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 9027
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 04/14] e2fsprogs: CVE-2022-1304 out-of-bounds read/write via crafted filesystem
Date: Wed, 8 Jun 2022 04:46:28 -1000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166739

From: Hitendra Prajapati Source: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git MR: 117430 Type: Security Fix Disposition: Backport from https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=ab51d587bb9b229b1fade1afd02e1574c1ba5c76 ChangeID: e6db00c6e8375a2e869fd2e4ead61ca9149eb8fa Description: CVE-2022-1304 e2fsprogs: out-of-bounds read/write via crafted filesystem. Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../e2fsprogs/e2fsprogs/CVE-2022-1304.patch | 42 +++++++++++++++++++ .../e2fsprogs/e2fsprogs_1.45.7.bb | 1 + 2 files changed, 43 insertions(+) create mode 100644 meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch new file mode 100644 index 0000000000..34e2567b25 --- /dev/null +++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs/CVE-2022-1304.patch 
@@ -0,0 +1,42 @@ +From a66071ed6a0d1fa666d22dcb78fa6fcb3bf22df3 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Fri, 27 May 2022 14:01:50 +0530 +Subject: [PATCH] CVE-2022-1304 + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint&id=ab51d587bb9b229b1fade1afd02e1574c1ba5c76] +CVE: CVE-2022-1304 +Signed-off-by: Hitendra Prajapati + +--- + lib/ext2fs/extent.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/ext2fs/extent.c b/lib/ext2fs/extent.c +index ac3dbfec9..a1b1905cd 100644 +--- a/lib/ext2fs/extent.c ++++ b/lib/ext2fs/extent.c +@@ -495,6 +495,10 @@ retry: + ext2fs_le16_to_cpu(eh->eh_entries); + newpath->max_entries = ext2fs_le16_to_cpu(eh->eh_max); + ++ /* Make sure there is at least one extent present */ ++ if (newpath->left <= 0) ++ return EXT2_ET_EXTENT_NO_DOWN; ++ + if (path->left > 0) { + ix++; + newpath->end_blk = ext2fs_le32_to_cpu(ix->ei_block); +@@ -1630,6 +1634,10 @@ errcode_t ext2fs_extent_delete(ext2_extent_handle_t handle, int flags) + + cp = path->curr; + ++ /* Sanity check before memmove() */ ++ if (path->left < 0) ++ return EXT2_ET_EXTENT_LEAF_BAD; ++ + if (path->left) { + memmove(cp, cp + sizeof(struct ext3_extent_idx), + path->left * sizeof(struct ext3_extent_idx)); +-- +2.25.1 + diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb index 3bc530e02b..3e6faf4cb8 100644 --- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb +++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.45.7.bb 
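Review bot: the header of the new CVE-2022-1304.patch carries only "Subject: [PATCH] CVE-2022-1304" and no description, so the file itself does not say what the two checks added to lib/ext2fs/extent.c protect against. Keep the subject and message of the upstream commit that the Upstream-Status line already points at, so a later rebase of the recipe can tell whether the backport still matches upstream.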
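Review bot: in the ext2fs_extent_delete() hunk the new guard rejects only path->left < 0, and the comment "Sanity check before memmove()" does not say why. Spell out that a negative left multiplied by sizeof(struct ext3_extent_idx) becomes a very large length for the memmove() that follows. The hunk shows no upper bound on path->left against the node's entry count, so either state in the commit message where that is validated when the node is read from disk, or add the bound here.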
@@ -6,6 +6,7 @@ SRC_URI += "file://remove.ldconfig.call.patch \ file://mkdir_p.patch \ file://0001-configure.ac-correct-AM_GNU_GETTEXT.patch \ file://0001-intl-do-not-try-to-use-gettext-defines-that-no-longe.patch \ + file://CVE-2022-1304.patch \ " SRC_URI_append_class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
From patchwork Wed Jun 8 14:46:29 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 9031
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 05/14] pcre2: CVE-2022-1587 Out-of-bounds read
Date: Wed, 8 Jun 2022 04:46:29 -1000
Message-Id: <46323b9e0f44f58f6aae242ebf5a0101d8c36654.1654699348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166740
From: Hitendra Prajapati Source: https://github.com/PCRE2Project/pcre2 MR: 118031 Type: Security Fix Disposition: Backport from https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0 ChangeID: 8fbc562b3e6b6a3674f435f6527a62afc67ef933 Description: CVE-2022-1587 pcre2: Out-of-bounds read in get_recurse_data_length in pcre2_jit_compile.c. Signed-off-by: Hitendra Prajapati Signed-off-by: Steve Sakoman --- .../libpcre/libpcre2/CVE-2022-1587.patch | 660 ++++++++++++++++++ .../recipes-support/libpcre/libpcre2_10.34.bb | 1 + 2 files changed, 661 insertions(+) create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch new file mode 100644 index 0000000000..70f9f9f079 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch 
@@ -0,0 +1,660 @@ +From aa5aac0d209e3debf80fc2db924d9401fc50454b Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati +Date: Mon, 23 May 2022 14:11:11 +0530 +Subject: [PATCH] CVE-2022-1587 + +Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0] +CVE: CVE-2022-1587 +Signed-off-by: Hitendra Prajapati + +--- + ChangeLog | 3 + + src/pcre2_jit_compile.c | 290 ++++++++++++++++++++++++++-------------- + src/pcre2_jit_test.c | 1 + + 3 files changed, 194 insertions(+), 100 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index b5d72dc..de82de9 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -4,6 +4,9 @@ Change Log for PCRE2 + 23. Fixed a unicode properrty matching issue in JIT. The character was not + fully read in caseless matching. + ++24. Fixed an issue affecting recursions in JIT caused by duplicated data ++transfers. ++ + + Version 10.34 21-November-2019 + ------------------------------ +diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c +index 5d43865..493c96d 100644 +--- a/src/pcre2_jit_compile.c ++++ b/src/pcre2_jit_compile.c +@@ -407,6 +407,9 @@ typedef struct compiler_common { + /* Locals used by fast fail optimization. */ + sljit_s32 fast_fail_start_ptr; + sljit_s32 fast_fail_end_ptr; ++ /* Variables used by recursive call generator. */ ++ sljit_s32 recurse_bitset_size; ++ uint8_t *recurse_bitset; + + /* Flipped and lower case tables. 
*/ + const sljit_u8 *fcc; +@@ -2109,19 +2112,39 @@ for (i = 0; i < RECURSE_TMP_REG_COUNT; i++) + + #undef RECURSE_TMP_REG_COUNT + ++static BOOL recurse_check_bit(compiler_common *common, sljit_sw bit_index) ++{ ++uint8_t *byte; ++uint8_t mask; ++ ++SLJIT_ASSERT((bit_index & (sizeof(sljit_sw) - 1)) == 0); ++ ++bit_index >>= SLJIT_WORD_SHIFT; ++ ++mask = 1 << (bit_index & 0x7); ++byte = common->recurse_bitset + (bit_index >> 3); ++ ++if (*byte & mask) ++ return FALSE; ++ ++*byte |= mask; ++return TRUE; ++} ++ + static int get_recurse_data_length(compiler_common *common, PCRE2_SPTR cc, PCRE2_SPTR ccend, + BOOL *needs_control_head, BOOL *has_quit, BOOL *has_accept) + { + int length = 1; +-int size; ++int size, offset; + PCRE2_SPTR alternative; + BOOL quit_found = FALSE; + BOOL accept_found = FALSE; + BOOL setsom_found = FALSE; + BOOL setmark_found = FALSE; +-BOOL capture_last_found = FALSE; + BOOL control_head_found = FALSE; + ++memset(common->recurse_bitset, 0, common->recurse_bitset_size); ++ + #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD + SLJIT_ASSERT(common->control_head_ptr != 0); + control_head_found = TRUE; +@@ -2144,15 +2167,17 @@ while (cc < ccend) + setsom_found = TRUE; + if (common->mark_ptr != 0) + setmark_found = TRUE; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) ++ length++; + cc += 1 + LINK_SIZE; + break; + + case OP_KET: +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0) + { +- length++; ++ if (recurse_check_bit(common, offset)) ++ length++; + SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0); + cc += PRIVATE_DATA(cc + 1); + } +@@ -2169,39 +2194,55 @@ while (cc < ccend) + case OP_SBRA: + case OP_SBRAPOS: + case OP_SCOND: +- length++; + SLJIT_ASSERT(PRIVATE_DATA(cc) != 0); ++ if (recurse_check_bit(common, PRIVATE_DATA(cc))) ++ length++; + cc += 1 + LINK_SIZE; + break; + + case OP_CBRA: + case 
OP_SCBRA: +- length += 2; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; +- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0) ++ offset = GET2(cc, 1 + LINK_SIZE); ++ if (recurse_check_bit(common, OVECTOR(offset << 1))) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1))); ++ length += 2; ++ } ++ if (common->optimized_cbracket[offset] == 0 && recurse_check_bit(common, OVECTOR_PRIV(offset))) ++ length++; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + length++; + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_CBRAPOS: + case OP_SCBRAPOS: +- length += 2 + 2; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ if (recurse_check_bit(common, OVECTOR(offset << 1))) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1))); ++ length += 2; ++ } ++ if (recurse_check_bit(common, OVECTOR_PRIV(offset))) ++ length++; ++ if (recurse_check_bit(common, PRIVATE_DATA(cc))) ++ length++; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) ++ length++; + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_COND: + /* Might be a hidden SCOND. 
*/ + alternative = cc + GET(cc, 1); +- if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) ++ if ((*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) && recurse_check_bit(common, PRIVATE_DATA(cc))) + length++; + cc += 1 + LINK_SIZE; + break; + + CASE_ITERATOR_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length++; + cc += 2; + #ifdef SUPPORT_UNICODE +@@ -2210,8 +2251,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 2; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2219,8 +2264,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 2 + IMM2_SIZE; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2228,20 +2277,29 @@ while (cc < ccend) + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length++; + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, 
offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 1 + IMM2_SIZE; + break; + +@@ -2253,7 +2311,9 @@ while (cc < ccend) + #else + size = 1 + 32 / (int)sizeof(PCRE2_UCHAR); + #endif +- if (PRIVATE_DATA(cc) != 0) ++ ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length += get_class_iterator_size(cc + size); + cc += size; + break; +@@ -2288,8 +2348,7 @@ while (cc < ccend) + case OP_THEN: + SLJIT_ASSERT(common->control_head_ptr != 0); + quit_found = TRUE; +- if (!control_head_found) +- control_head_found = TRUE; ++ control_head_found = TRUE; + cc++; + break; + +@@ -2309,8 +2368,6 @@ SLJIT_ASSERT(cc == ccend); + + if (control_head_found) + length++; +-if (capture_last_found) +- length++; + if (quit_found) + { + if (setsom_found) +@@ -2343,14 +2400,12 @@ sljit_sw shared_srcw[3]; + sljit_sw kept_shared_srcw[2]; + int private_count, shared_count, kept_shared_count; + int from_sp, base_reg, offset, i; +-BOOL setsom_found = FALSE; +-BOOL setmark_found = FALSE; +-BOOL capture_last_found = FALSE; +-BOOL control_head_found = FALSE; ++ ++memset(common->recurse_bitset, 0, common->recurse_bitset_size); + + #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD + SLJIT_ASSERT(common->control_head_ptr != 0); +-control_head_found = TRUE; ++recurse_check_bit(common, common->control_head_ptr); + #endif + + switch (type) +@@ -2438,11 +2493,10 @@ while (cc < ccend) + { + case OP_SET_SOM: + SLJIT_ASSERT(common->has_set_som); +- if (has_quit && !setsom_found) ++ if (has_quit && recurse_check_bit(common, OVECTOR(0))) + { + kept_shared_srcw[0] = OVECTOR(0); + kept_shared_count = 1; +- setsom_found = TRUE; + } + cc += 1; + break; +@@ -2450,33 +2504,31 @@ while (cc < ccend) + case OP_RECURSE: + if (has_quit) + { +- if (common->has_set_som && !setsom_found) ++ if (common->has_set_som && recurse_check_bit(common, OVECTOR(0))) + { + kept_shared_srcw[0] = OVECTOR(0); + kept_shared_count = 1; +- setsom_found = TRUE; + } +- if 
(common->mark_ptr != 0 && !setmark_found) ++ if (common->mark_ptr != 0 && recurse_check_bit(common, common->mark_ptr)) + { + kept_shared_srcw[kept_shared_count] = common->mark_ptr; + kept_shared_count++; +- setmark_found = TRUE; + } + } +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { + shared_srcw[0] = common->capture_last_ptr; + shared_count = 1; +- capture_last_found = TRUE; + } + cc += 1 + LINK_SIZE; + break; + + case OP_KET: +- if (PRIVATE_DATA(cc) != 0) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0) + { +- private_count = 1; +- private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0); + cc += PRIVATE_DATA(cc + 1); + } +@@ -2493,50 +2545,66 @@ while (cc < ccend) + case OP_SBRA: + case OP_SBRAPOS: + case OP_SCOND: +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + cc += 1 + LINK_SIZE; + break; + + case OP_CBRA: + case OP_SCBRA: +- offset = (GET2(cc, 1 + LINK_SIZE)) << 1; +- shared_srcw[0] = OVECTOR(offset); +- shared_srcw[1] = OVECTOR(offset + 1); +- shared_count = 2; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ shared_srcw[0] = OVECTOR(offset << 1); ++ if (recurse_check_bit(common, shared_srcw[0])) ++ { ++ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1])); ++ shared_count = 2; ++ } + +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { +- shared_srcw[2] = common->capture_last_ptr; +- shared_count = 3; +- capture_last_found = TRUE; ++ shared_srcw[shared_count] = common->capture_last_ptr; ++ shared_count++; + } + +- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0) ++ if 
(common->optimized_cbracket[offset] == 0) + { +- private_count = 1; +- private_srcw[0] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE)); ++ private_srcw[0] = OVECTOR_PRIV(offset); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + } ++ + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_CBRAPOS: + case OP_SCBRAPOS: +- offset = (GET2(cc, 1 + LINK_SIZE)) << 1; +- shared_srcw[0] = OVECTOR(offset); +- shared_srcw[1] = OVECTOR(offset + 1); +- shared_count = 2; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ shared_srcw[0] = OVECTOR(offset << 1); ++ if (recurse_check_bit(common, shared_srcw[0])) ++ { ++ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1])); ++ shared_count = 2; ++ } + +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { +- shared_srcw[2] = common->capture_last_ptr; +- shared_count = 3; +- capture_last_found = TRUE; ++ shared_srcw[shared_count] = common->capture_last_ptr; ++ shared_count++; + } + +- private_count = 2; + private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE)); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; ++ ++ offset = OVECTOR_PRIV(offset); ++ if (recurse_check_bit(common, offset)) ++ { ++ private_srcw[private_count] = offset; ++ private_count++; ++ } + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + +@@ -2545,18 +2613,17 @@ while (cc < ccend) + alternative = cc + GET(cc, 1); + if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) + { +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + } + cc += 1 + LINK_SIZE; + break; + + CASE_ITERATOR_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc)) +- { ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + private_count = 1; +- 
private_srcw[0] = PRIVATE_DATA(cc); +- } + cc += 2; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2564,11 +2631,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw); ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 2; + #ifdef SUPPORT_UNICODE +@@ -2577,11 +2645,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw); ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 2 + IMM2_SIZE; + #ifdef SUPPORT_UNICODE +@@ -2590,30 +2659,30 @@ while (cc < ccend) + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc)) +- { ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + private_count = 1; +- private_srcw[0] = PRIVATE_DATA(cc); +- } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); + private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if 
(private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); + private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 1 + IMM2_SIZE; + break; +@@ -2630,14 +2699,17 @@ while (cc < ccend) + switch(get_class_iterator_size(cc + i)) + { + case 1: +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); + break; + + case 2: +- private_count = 2; + private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ if (recurse_check_bit(common, private_srcw[0])) ++ { ++ private_count = 2; ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); ++ } + break; + + default: +@@ -2652,28 +2724,25 @@ while (cc < ccend) + case OP_PRUNE_ARG: + case OP_THEN_ARG: + SLJIT_ASSERT(common->mark_ptr != 0); +- if (has_quit && !setmark_found) ++ if (has_quit && recurse_check_bit(common, common->mark_ptr)) + { + kept_shared_srcw[0] = common->mark_ptr; + kept_shared_count = 1; +- setmark_found = TRUE; + } +- if (common->control_head_ptr != 0 && !control_head_found) ++ if (common->control_head_ptr != 0 && recurse_check_bit(common, common->control_head_ptr)) + { + shared_srcw[0] = common->control_head_ptr; + shared_count = 1; +- control_head_found = TRUE; + } + cc += 1 + 2 + cc[1]; + break; + + case OP_THEN: + SLJIT_ASSERT(common->control_head_ptr != 0); +- if (!control_head_found) ++ if (recurse_check_bit(common, common->control_head_ptr)) + { + shared_srcw[0] = common->control_head_ptr; + shared_count = 1; +- control_head_found = TRUE; + } + cc++; + break; +@@ -2681,7 +2750,7 @@ while (cc < ccend) + default: + cc = next_opcode(common, cc); + SLJIT_ASSERT(cc != NULL); +- break; ++ continue; + } + + if (type != recurse_copy_shared_to_global && type != recurse_copy_kept_shared_to_global) +@@ -13262,7 +13331,7 @@ SLJIT_ASSERT(!(common->req_char_ptr != 0 && 
common->start_used_ptr != 0)); + common->cbra_ptr = OVECTOR_START + (re->top_bracket + 1) * 2 * sizeof(sljit_sw); + + total_length = ccend - common->start; +-common->private_data_ptrs = (sljit_s32 *)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data); ++common->private_data_ptrs = (sljit_s32*)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data); + if (!common->private_data_ptrs) + { + SLJIT_FREE(common->optimized_cbracket, allocator_data); +@@ -13304,6 +13373,7 @@ if (!compiler) + common->compiler = compiler; + + /* Main pcre_jit_exec entry. */ ++LJIT_ASSERT((private_data_size & (sizeof(sljit_sw) - 1)) == 0); + sljit_emit_enter(compiler, 0, SLJIT_ARG1(SW), 5, 5, 0, 0, private_data_size); + + /* Register init. */ +@@ -13524,20 +13594,40 @@ common->fast_fail_end_ptr = 0; + common->currententry = common->entries; + common->local_quit_available = TRUE; + quit_label = common->quit_label; +-while (common->currententry != NULL) ++if (common->currententry != NULL) + { +- /* Might add new entries. */ +- compile_recurse(common); +- if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler))) ++ /* A free bit for each private data. */ ++ common->recurse_bitset_size = ((private_data_size / (int)sizeof(sljit_sw)) + 7) >> 3; ++ SLJIT_ASSERT(common->recurse_bitset_size > 0); ++ common->recurse_bitset = (sljit_u8*)SLJIT_MALLOC(common->recurse_bitset_size, allocator_data);; ++ ++ if (common->recurse_bitset != NULL) ++ { ++ do ++ { ++ /* Might add new entries. */ ++ compile_recurse(common); ++ if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler))) ++ break; ++ flush_stubs(common); ++ common->currententry = common->currententry->next; ++ } ++ while (common->currententry != NULL); ++ ++ SLJIT_FREE(common->recurse_bitset, allocator_data); ++ } ++ ++ if (common->currententry != NULL) + { ++ /* The common->recurse_bitset has been freed. 
*/ ++ SLJIT_ASSERT(sljit_get_compiler_error(compiler) || common->recurse_bitset == NULL); ++ + sljit_free_compiler(compiler); + SLJIT_FREE(common->optimized_cbracket, allocator_data); + SLJIT_FREE(common->private_data_ptrs, allocator_data); + PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data); + return PCRE2_ERROR_NOMEMORY; + } +- flush_stubs(common); +- common->currententry = common->currententry->next; + } + common->local_quit_available = FALSE; + common->quit_label = quit_label; +diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c +index 9df87fd..2f84834 100644 +--- a/src/pcre2_jit_test.c ++++ b/src/pcre2_jit_test.c +@@ -746,6 +746,7 @@ static struct regression_test_case regression_test_cases[] = { + { MU, A, 0, 0, "((?(R)a|(?1)){1,3}?)M", "aaaM" }, + { MU, A, 0, 0, "((.)(?:.|\\2(?1))){0}#(?1)#", "#aabbccdde# #aabbccddee#" }, + { MU, A, 0, 0, "((.)(?:\\2|\\2{4}b)){0}#(?:(?1))+#", "#aaaab# #aaaaab#" }, ++ { MU, A, 0, 0 | F_NOMATCH, "(?1)$((.|\\2xx){1,2})", "abc" }, + + /* 16 bit specific tests. */ + { CM, A, 0, 0 | F_FORCECONV, "\xc3\xa1", "\xc3\x81\xc3\xa1" }, +-- +2.25.1 + diff --git a/meta/recipes-support/libpcre/libpcre2_10.34.bb b/meta/recipes-support/libpcre/libpcre2_10.34.bb index 213b946a54..254badf6f6 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.34.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.34.bb 
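Review bot: in the OP_CBRA / OP_SCBRA case of get_recurse_data_length(), SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1))) puts a call with a side effect inside an assertion, because recurse_check_bit() sets the bit it tests. If SLJIT_ASSERT expands to nothing in non-debug builds, the second slot's bit is never marked, so debug and release builds track different bitsets. The same pattern repeats in the CASE_ITERATOR_*_2A / 2B cases and in the copy function; call recurse_check_bit() outside the assertion and assert on its result, or add a comment stating that only the first slot's bit is ever relied on.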
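Review bot: in the switch(get_class_iterator_size(cc + i)) hunk, case 1 loses "private_count = 1;" and gets no recurse_check_bit() guard in its place, while case 2 is guarded and still sets private_count = 2. As far as this hunk shows, a one-word class iterator slot is no longer copied, although get_recurse_data_length() still adds get_class_iterator_size(cc + size) to the length for it once its bit is claimed. Please confirm private_count is set for case 1 outside the visible context, or guard it the same way as the other one-slot cases: "if (recurse_check_bit(common, private_srcw[0])) private_count = 1;".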
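Review bot: the line added after "/* Main pcre_jit_exec entry. */" reads LJIT_ASSERT(...), while every other assertion in this patch is SLJIT_ASSERT(...); this looks like a leading "S" dropped during the backport. Nothing in the patch defines LJIT_ASSERT, so pcre2_jit_compile.c would reference an undeclared identifier wherever JIT support is compiled. Change it to SLJIT_ASSERT((private_data_size & (sizeof(sljit_sw) - 1)) == 0); and build with JIT enabled before merging.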
@@ -13,6 +13,7 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37" SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/pcre2-${PV}.tar.bz2 \ file://pcre-cross.patch \ file://CVE-2022-1586.patch \ + file://CVE-2022-1587.patch \ " SRC_URI[md5sum] = "d280b62ded13f9ccf2fac16ee5286366"
From patchwork Wed Jun 8 14:46:30 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 9030
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 06/14] libxslt: Fix CVE-2021-30560
Date: Wed, 8 Jun 2022 04:46:30 -1000
Message-Id: <3e01aa47b85ebeba26443fc3293c341b5ef72817.1654699348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166741

From: omkar patil CVE: CVE-2021-30560 Signed-off-by: omkar patil
Signed-off-by: Steve Sakoman --- .../libxslt/libxslt/CVE-2021-30560.patch | 201 ++++++++++++++++++ .../recipes-support/libxslt/libxslt_1.1.34.bb | 1 + 2 files changed, 202 insertions(+) create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch new file mode 100644 index 0000000000..614047ea7a --- /dev/null +++ b/meta/recipes-support/libxslt/libxslt/CVE-2021-30560.patch 
@@ -0,0 +1,201 @@ +From 50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Sat, 12 Jun 2021 20:02:53 +0200 +Subject: [PATCH] Fix use-after-free in xsltApplyTemplates + +xsltApplyTemplates without a select expression could delete nodes in +the source document. + +1. Text nodes with strippable whitespace + +Whitespace from input documents is already stripped, so there's no +need to strip it again. Under certain circumstances, xsltApplyTemplates +could be fooled into deleting text nodes that are still referenced, +resulting in a use-after-free. + +2. The DTD + +The DTD was only unlinked, but there's no good reason to do this just +now. Maybe it was meant as a micro-optimization. + +3. Unknown nodes + +Useless and dangerous as well, especially with XInclude nodes. +See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268 + +Simply stop trying to uselessly delete nodes when applying a template. +This part of the code is probably a leftover from a time where +xsltApplyStripSpaces wasn't implemented yet. Also note that +xsltApplyTemplates with a select expression never tried to delete +nodes. + +Also stop xsltDefaultProcessOneNode from deleting nodes for the same +reasons. + +This fixes CVE-2021-30560. 
+ +CVE: CVE-2021-30560 +Upstream-Status: Backport [https://github.com/GNOME/libxslt/commit/50f9c9cd3b7dfe9b3c8c795247752d1fdcadcac8.patch] +Comment: No change in any hunk +Signed-off-by: Omkar Patil + +--- + libxslt/transform.c | 119 +++----------------------------------------- + 1 file changed, 7 insertions(+), 112 deletions(-) + +diff --git a/libxslt/transform.c b/libxslt/transform.c +index 04522154..3aba354f 100644 +--- a/libxslt/transform.c ++++ b/libxslt/transform.c +@@ -1895,7 +1895,7 @@ static void + xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, + xsltStackElemPtr params) { + xmlNodePtr copy; +- xmlNodePtr delete = NULL, cur; ++ xmlNodePtr cur; + int nbchild = 0, oldSize; + int childno = 0, oldPos; + xsltTemplatePtr template; +@@ -1968,54 +1968,13 @@ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, + return; + } + /* +- * Handling of Elements: first pass, cleanup and counting ++ * Handling of Elements: first pass, counting + */ + cur = node->children; + while (cur != NULL) { +- switch (cur->type) { +- case XML_TEXT_NODE: +- case XML_CDATA_SECTION_NODE: +- case XML_DOCUMENT_NODE: +- case XML_HTML_DOCUMENT_NODE: +- case XML_ELEMENT_NODE: +- case XML_PI_NODE: +- case XML_COMMENT_NODE: +- nbchild++; +- break; +- case XML_DTD_NODE: +- /* Unlink the DTD, it's still reachable using doc->intSubset */ +- if (cur->next != NULL) +- cur->next->prev = cur->prev; +- if (cur->prev != NULL) +- cur->prev->next = cur->next; +- break; +- default: +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: skipping node type %d\n", +- cur->type)); +-#endif +- delete = cur; +- } ++ if (IS_XSLT_REAL_NODE(cur)) ++ nbchild++; + cur = cur->next; +- if (delete != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: removing ignorable blank 
node\n")); +-#endif +- xmlUnlinkNode(delete); +- xmlFreeNode(delete); +- delete = NULL; +- } +- } +- if (delete != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: removing ignorable blank node\n")); +-#endif +- xmlUnlinkNode(delete); +- xmlFreeNode(delete); +- delete = NULL; + } + + /* +@@ -4864,7 +4823,7 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, + xsltStylePreCompPtr comp = (xsltStylePreCompPtr) castedComp; + #endif + int i; +- xmlNodePtr cur, delNode = NULL, oldContextNode; ++ xmlNodePtr cur, oldContextNode; + xmlNodeSetPtr list = NULL, oldList; + xsltStackElemPtr withParams = NULL; + int oldXPProximityPosition, oldXPContextSize; +@@ -4998,73 +4957,9 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, + else + cur = NULL; + while (cur != NULL) { +- switch (cur->type) { +- case XML_TEXT_NODE: +- if ((IS_BLANK_NODE(cur)) && +- (cur->parent != NULL) && +- (cur->parent->type == XML_ELEMENT_NODE) && +- (ctxt->style->stripSpaces != NULL)) { +- const xmlChar *val; +- +- if (cur->parent->ns != NULL) { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- cur->parent->name, +- cur->parent->ns->href); +- if (val == NULL) { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- BAD_CAST "*", +- cur->parent->ns->href); +- } +- } else { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- cur->parent->name, NULL); +- } +- if ((val != NULL) && +- (xmlStrEqual(val, (xmlChar *) "strip"))) { +- delNode = cur; +- break; +- } +- } +- /* Intentional fall-through */ +- case XML_ELEMENT_NODE: +- case XML_DOCUMENT_NODE: +- case XML_HTML_DOCUMENT_NODE: +- case XML_CDATA_SECTION_NODE: +- case XML_PI_NODE: +- case XML_COMMENT_NODE: +- xmlXPathNodeSetAddUnique(list, cur); +- break; +- case XML_DTD_NODE: +- /* Unlink the DTD, it's still reachable +- * using doc->intSubset */ +- if 
(cur->next != NULL) +- cur->next->prev = cur->prev; +- if (cur->prev != NULL) +- cur->prev->next = cur->next; +- break; +- case XML_NAMESPACE_DECL: +- break; +- default: +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, +- "xsltApplyTemplates: skipping cur type %d\n", +- cur->type)); +-#endif +- delNode = cur; +- } ++ if (IS_XSLT_REAL_NODE(cur)) ++ xmlXPathNodeSetAddUnique(list, cur); + cur = cur->next; +- if (delNode != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, +- "xsltApplyTemplates: removing ignorable blank cur\n")); +-#endif +- xmlUnlinkNode(delNode); +- xmlFreeNode(delNode); +- delNode = NULL; +- } + } + } + diff --git a/meta/recipes-support/libxslt/libxslt_1.1.34.bb b/meta/recipes-support/libxslt/libxslt_1.1.34.bb index 63cce6fe06..62afec5755 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.34.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.34.bb 
@@ -14,6 +14,7 @@ SECTION = "libs" DEPENDS = "libxml2" SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \ + file://CVE-2021-30560.patch \ " SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a" From patchwork Wed Jun 8 14:46:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 9029
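Review bot: in the xsltApplyTemplates hunk of libxslt/transform.c in patch 06/14 (and the matching loop in xsltDefaultProcessOneNode), the removed switch listed the accepted node types explicitly and skipped XML_NAMESPACE_DECL, while the replacement relies entirely on IS_XSLT_REAL_NODE(cur). Please confirm that the macro in libxslt 1.1.34 accepts the same set (text, CDATA, document, HTML document, element, PI, comment), so that nbchild and the node list are unchanged for ordinary input. The outer commit message carries only the CVE tag and sign-offs; a one-line summary of the use-after-free would help stable-branch reviewers.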
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 07/14] libxslt: Mark CVE-2022-29824 as not applying
Date: Wed, 8 Jun 2022 04:46:31 -1000
Message-Id: <9c736c9dcf5f18b8db082a0903be0acb3fbb51c2.1654699348.git.steve@sakoman.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166742

From: Richard Purdie

We have libxml2 2.9.10 and we don't link statically against libxml2 anyway so the CVE doesn't apply to libxslt.

(From OE-Core rev: c6315d8a2a1429a0fb7563b1d6352ceee7bc222c)

Signed-off-by: Omkar Patil
Signed-off-by: Richard Purdie (cherry picked from commit ad63694e6df4f284879f7220962a821f97928eb0) Signed-off-by: Steve Sakoman --- meta/recipes-support/libxslt/libxslt_1.1.34.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-support/libxslt/libxslt_1.1.34.bb b/meta/recipes-support/libxslt/libxslt_1.1.34.bb index 62afec5755..4755677bec 100644 --- a/meta/recipes-support/libxslt/libxslt_1.1.34.bb +++ b/meta/recipes-support/libxslt/libxslt_1.1.34.bb @@ -22,6 +22,10 @@ SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7 UPSTREAM_CHECK_REGEX = "libxslt-(?P\d+(\.\d+)+)\.tar" +# We have libxml2 2.9.10 and we don't link statically with it anyway +# so this isn't an issue. +CVE_CHECK_WHITELIST += "CVE-2022-29824" + S = "${WORKDIR}/libxslt-${PV}" BINCONFIG = "${bindir}/xslt-config" From patchwork Wed Jun 8 14:46:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 14251 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org From: "Steve Sakoman" Subject: [OE-core][dunfell 08/14] curl: Backport CVE fixes Date: Wed, 8 Jun 2022 04:46:32 -1000 Message-Id: In-Reply-To: References: MIME-Version: 1.0 List-id: To: openembedded-core@lists.openembedded.org From: Robert Joslyn Backport patches to address CVE-2022-27774, CVE-2022-27781, and CVE-2022-27782. Signed-off-by: Robert Joslyn 
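Review bot: in the libxslt_1.1.34.bb hunk of patch 07/14, the comment above CVE_CHECK_WHITELIST += "CVE-2022-29824" gives "We have libxml2 2.9.10" as a reason without saying why that version is unaffected, so the exemption cannot be checked from the recipe alone. Suggest resting the justification on the dynamic-linking argument and naming where the libxml2 recipe on this branch handles CVE-2022-29824, so the entry gets revisited if that changes.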
Signed-off-by: Steve Sakoman --- .../curl/curl/CVE-2022-27774-1.patch | 45 +++ .../curl/curl/CVE-2022-27774-2.patch | 80 ++++ .../curl/curl/CVE-2022-27774-3.patch | 83 ++++ .../curl/curl/CVE-2022-27774-4.patch | 35 ++ .../curl/curl/CVE-2022-27781.patch | 46 +++ .../curl/curl/CVE-2022-27782-1.patch | 363 ++++++++++++++++++ .../curl/curl/CVE-2022-27782-2.patch | 71 ++++ meta/recipes-support/curl/curl_7.69.1.bb | 7 + 8 files changed, 730 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch new file mode 100644 index 0000000000..063c11712a --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-1.patch 
@@ -0,0 +1,45 @@ +From 2a797e099731facf62a2c675396334bc2ad3bc7c Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] connect: store "conn_remote_port" in the info struct + +To make it available after the connection ended. + +Prerequisite for the patches that address CVE-2022-27774. + +Upstream-Status: Backport [https://github.com/curl/curl/commit/08b8ef4e726ba10f45081ecda5b3cea788d3c839] +Signed-off-by: Robert Joslyn +--- + lib/connect.c | 1 + + lib/urldata.h | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/connect.c b/lib/connect.c +index b3d4057..a977d67 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -624,6 +624,7 @@ void Curl_persistconninfo(struct connectdata *conn) + conn->data->info.conn_scheme = conn->handler->scheme; + conn->data->info.conn_protocol = conn->handler->protocol; + conn->data->info.conn_primary_port = conn->primary_port; ++ conn->data->info.conn_remote_port = conn->remote_port; + conn->data->info.conn_local_port = conn->local_port; + } + +diff --git a/lib/urldata.h b/lib/urldata.h +index fafb7a3..ab1b267 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1148,7 +1148,11 @@ struct PureInfo { + reused, in the connection cache. */ + + char conn_primary_ip[MAX_IPADR_LEN]; +- long conn_primary_port; ++ long conn_primary_port; /* this is the destination port to the connection, ++ which might have been a proxy */ ++ long conn_remote_port; /* this is the "remote port", which is the port ++ number of the used URL, independent of proxy or ++ not */ + char conn_local_ip[MAX_IPADR_LEN]; + long conn_local_port; + const char *conn_scheme; diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch new file mode 100644 index 0000000000..c64d614194 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-2.patch 
@@ -0,0 +1,80 @@ +From 5c2f3b3a5f115625134669d90d591de9c5aafc8e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 16:24:33 +0200 +Subject: [PATCH] transfer: redirects to other protocols or ports clear auth + +... unless explicitly permitted. + +Bug: https://curl.se/docs/CVE-2022-27774.html +Reported-by: Harry Sintonen +Closes #8748 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/620ea21410030a9977396b4661806bc187231b79] +Signed-off-by: Robert Joslyn +--- + lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 48 insertions(+), 1 deletion(-) + +diff --git a/lib/transfer.c b/lib/transfer.c +index 744e1c0..ac69d27 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -1627,10 +1627,57 @@ CURLcode Curl_follow(struct Curl_easy *data, + return CURLE_OUT_OF_MEMORY; + } + else { +- + uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0); + if(uc) + return Curl_uc_to_curlcode(uc); ++ ++ /* Clear auth if this redirects to a different port number or protocol, ++ unless permitted */ ++ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) { ++ char *portnum; ++ int port; ++ bool clear = FALSE; ++ ++ if(data->set.use_port && data->state.allow_port) ++ /* a custom port is used */ ++ port = (int)data->set.use_port; ++ else { ++ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum, ++ CURLU_DEFAULT_PORT); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ port = atoi(portnum); ++ free(portnum); ++ } ++ if(port != data->info.conn_remote_port) { ++ infof(data, "Clear auth, redirects to port from %u to %u", ++ data->info.conn_remote_port, port); ++ clear = TRUE; ++ } ++ else { ++ char *scheme; ++ const struct Curl_handler *p; ++ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0); ++ if(uc) { ++ free(newurl); ++ return Curl_uc_to_curlcode(uc); ++ } ++ ++ p = Curl_builtin_scheme(scheme); ++ if(p && (p->protocol != data->info.conn_protocol)) { ++ 
infof(data, "Clear auth, redirects scheme from %s to %s", ++ data->info.conn_scheme, scheme); ++ clear = TRUE; ++ } ++ free(scheme); ++ } ++ if(clear) { ++ Curl_safefree(data->set.str[STRING_USERNAME]); ++ Curl_safefree(data->set.str[STRING_PASSWORD]); ++ } ++ } + } + + if(type == FOLLOW_FAKE) { diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch new file mode 100644 index 0000000000..a585f6a8fa --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-3.patch 
@@ -0,0 +1,83 @@ +From 5dccf21ad49eed925e8f76b0cb844877239ce23d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 25 Apr 2022 17:59:15 +0200 +Subject: [PATCH] openssl: don't leak the SRP credentials in redirects either + +Follow-up to 620ea21410030 + +Reported-by: Harry Sintonen +Closes #8751 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08] +Signed-off-by: Robert Joslyn +--- + lib/http.c | 10 +++++----- + lib/http.h | 6 ++++++ + lib/vtls/openssl.c | 3 ++- + 3 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 8b16c09..5291c07 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -732,10 +732,10 @@ output_auth_headers(struct connectdata *conn, + } + + /* +- * allow_auth_to_host() tells if autentication, cookies or other "sensitive +- * data" can (still) be sent to this host. ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. 
+ */ +-static bool allow_auth_to_host(struct Curl_easy *data) ++bool Curl_allow_auth_to_host(struct Curl_easy *data) + { + struct connectdata *conn = data->conn; + return (!data->state.this_is_a_follow || +@@ -816,7 +816,7 @@ Curl_http_output_auth(struct connectdata *conn, + + /* To prevent the user+password to get sent to other than the original host + due to a location-follow */ +- if(allow_auth_to_host(data) ++ if(Curl_allow_auth_to_host(data) + || conn->bits.netrc + ) + result = output_auth_headers(conn, authhost, request, path, FALSE); +@@ -1891,7 +1891,7 @@ CURLcode Curl_add_custom_headers(struct connectdata *conn, + checkprefix("Cookie:", compare)) && + /* be careful of sending this potentially sensitive header to + other hosts */ +- !allow_auth_to_host(data)) ++ !Curl_allow_auth_to_host(data)) + ; + else { + result = Curl_add_bufferf(&req_buffer, "%s\r\n", compare); +diff --git a/lib/http.h b/lib/http.h +index 4c1825f..4fbae1d 100644 +--- a/lib/http.h ++++ b/lib/http.h +@@ -273,4 +273,10 @@ Curl_http_output_auth(struct connectdata *conn, + bool proxytunnel); /* TRUE if this is the request setting + up the proxy tunnel */ + ++/* ++ * Curl_allow_auth_to_host() tells if authentication, cookies or other ++ * "sensitive data" can (still) be sent to this host. ++ */ ++bool Curl_allow_auth_to_host(struct Curl_easy *data); ++ + #endif /* HEADER_CURL_HTTP_H */ +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index 006a8c8..a14cecc 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2739,7 +2739,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) + #endif + + #ifdef USE_TLS_SRP +- if(ssl_authtype == CURL_TLSAUTH_SRP) { ++ if((ssl_authtype == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + char * const ssl_username = SSL_SET_OPTION(username); + + infof(data, "Using TLS-SRP username: %s\n", ssl_username); 
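Review bot: in the lib/vtls/openssl.c hunk of CVE-2022-27774-3.patch, the TLS-SRP block now calls Curl_allow_auth_to_host(data), which this patch defines in lib/http.c and declares in lib/http.h, so the TLS backend gains a dependency on the HTTP code. Please confirm that a curl 7.69.1 build configured without HTTP support still compiles and links with this backport applied. The patch header also has Upstream-Status and Signed-off-by but no "CVE: CVE-2022-27774" line, unlike the libxslt backport in this series; adding it would keep the tagging consistent.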
diff --git a/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch new file mode 100644 index 0000000000..2258681cab --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27774-4.patch @@ -0,0 +1,35 @@ +From 7395752e2f7b87dc8c8f2a7137075e2da554aaea Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 26 Apr 2022 07:46:19 +0200 +Subject: [PATCH] gnutls: don't leak the SRP credentials in redirects + +Follow-up to 620ea21410030 and 139a54ed0a172a + +Reported-by: Harry Sintonen +Closes #8752 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/093531556203decd92d92bccd431edbe5561781c] +Signed-off-by: Robert Joslyn +--- + lib/vtls/gtls.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 8c05102..3d0758d 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -581,11 +581,11 @@ gtls_connect_step1(struct connectdata *conn, + } + + #ifdef USE_TLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && ++ Curl_allow_auth_to_host(data)) { + infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username)); + +- rc = gnutls_srp_allocate_client_credentials( +- &BACKEND->srp_client_cred); ++ rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_allocate_client_cred() failed: %s", + gnutls_strerror(rc)); diff --git a/meta/recipes-support/curl/curl/CVE-2022-27781.patch b/meta/recipes-support/curl/curl/CVE-2022-27781.patch new file mode 100644 index 0000000000..ea1bc22928 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27781.patch 
@@ -0,0 +1,46 @@ +From 7a1f183039a6a6c9099a114f5e5c94777413c767 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 10:07:15 +0200 +Subject: [PATCH] nss: return error if seemingly stuck in a cert loop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2022-27781 + +Reported-by: Florian Kohnhäuser +Bug: https://curl.se/docs/CVE-2022-27781.html +Closes #8822 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917] +Signed-off-by: Robert Joslyn +--- + lib/vtls/nss.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 375c78b..86102f7 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -950,6 +950,9 @@ static void display_cert_info(struct Curl_easy *data, + PR_Free(common_name); + } + ++/* A number of certs that will never occur in a real server handshake */ ++#define TOO_MANY_CERTS 300 ++ + static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) + { + CURLcode result = CURLE_OK; +@@ -986,6 +989,11 @@ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) + cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); + while(cert2) { + i++; ++ if(i >= TOO_MANY_CERTS) { ++ CERT_DestroyCertificate(cert2); ++ failf(data, "certificate loop"); ++ return CURLE_SSL_CERTPROBLEM; ++ } + if(cert2->isRoot) { + CERT_DestroyCertificate(cert2); + break; diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch new file mode 100644 index 0000000000..6b6d0e1938 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-1.patch 
@@ -0,0 +1,363 @@ +From 907a16c832d9ce0ffa7e9b2297548063095a7242 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH] tls: check more TLS details for connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/f18af4f874cecab82a9797e8c7541e0990c7a64c] +Signed-off-by: Robert Joslyn +--- + lib/setopt.c | 29 +++++++++++++++++------------ + lib/url.c | 17 ++++++++++------- + lib/urldata.h | 13 +++++++------ + lib/vtls/gtls.c | 30 ++++++++++++++++-------------- + lib/vtls/mbedtls.c | 2 +- + lib/vtls/nss.c | 6 +++--- + lib/vtls/openssl.c | 10 +++++----- + lib/vtls/vtls.c | 1 + + 8 files changed, 60 insertions(+), 48 deletions(-) + +diff --git a/lib/setopt.c b/lib/setopt.c +index 4648c87..bebb2e4 100644 +--- a/lib/setopt.c ++++ b/lib/setopt.c +@@ -2130,6 +2130,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + + case CURLOPT_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.ssl.enable_beast = + (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE); + data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); +@@ -2139,6 +2140,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + #ifndef CURL_DISABLE_PROXY + case CURLOPT_PROXY_SSL_OPTIONS: + arg = va_arg(param, long); ++ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); + data->set.proxy_ssl.enable_beast = + (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? 
TRUE : FALSE); + data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); +@@ -2541,44 +2543,47 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) + case CURLOPT_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_USERNAME: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to ++ SRP */ + break; + case CURLOPT_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG], + va_arg(param, char *)); +- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && ++ !data->set.ssl.primary.authtype) ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + break; + case CURLOPT_PROXY_TLSAUTH_PASSWORD: + result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], + va_arg(param, char *)); + if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && +- !data->set.proxy_ssl.authtype) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ ++ !data->set.proxy_ssl.primary.authtype) ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ + break; + case CURLOPT_TLSAUTH_TYPE: + argptr = va_arg(param, char 
*); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + case CURLOPT_PROXY_TLSAUTH_TYPE: + argptr = va_arg(param, char *); + if(!argptr || + strncasecompare(argptr, "SRP", strlen("SRP"))) +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; + else +- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; ++ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; + break; + #endif + #ifdef USE_ARES +diff --git a/lib/url.c b/lib/url.c +index efa3dc7..6518be9 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -482,7 +482,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) + set->ssl.primary.verifypeer = TRUE; + set->ssl.primary.verifyhost = TRUE; + #ifdef USE_TLS_SRP +- set->ssl.authtype = CURL_TLSAUTH_NONE; ++ set->ssl.primary.authtype = CURL_TLSAUTH_NONE; + #endif + set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth + type */ +@@ -3594,8 +3594,9 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.proxy_ssl.primary.pinned_key = + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]; + +- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; +- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; ++ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG]; ++ data->set.proxy_ssl.primary.CRLfile = ++ data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.ssl.cert = data->set.str[STRING_CERT_ORIG]; + data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY]; + data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG]; +@@ -3609,10 +3610,12 @@ static CURLcode create_conn(struct Curl_easy *data, + data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG]; + data->set.proxy_ssl.primary.clientcert = 
data->set.str[STRING_CERT_PROXY]; + #ifdef USE_TLS_SRP +- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; +- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; +- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; +- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; ++ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG]; ++ data->set.proxy_ssl.primary.username = ++ data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; ++ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG]; ++ data->set.proxy_ssl.primary.password = ++ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + #endif + + if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary, +diff --git a/lib/urldata.h b/lib/urldata.h +index ab1b267..ad0ef8f 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -231,6 +231,13 @@ struct ssl_primary_config { + char *cipher_list; /* list of ciphers to use */ + char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ + char *pinned_key; ++ char *CRLfile; /* CRL to check certificate revocation */ ++ #ifdef USE_TLS_SRP ++ char *username; /* TLS username (for, e.g., SRP) */ ++ char *password; /* TLS password (for, e.g., SRP) */ ++ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ ++ #endif ++ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ + BIT(verifypeer); /* set TRUE if this is desired */ + BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ + BIT(verifystatus); /* set TRUE if certificate status must be checked */ +@@ -240,7 +247,6 @@ struct ssl_primary_config { + struct ssl_config_data { + struct ssl_primary_config primary; + long certverifyresult; /* result from the certificate verification */ +- char *CRLfile; /* CRL to check certificate revocation */ + curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ + void *fsslctxp; /* parameter for call back */ + char *cert; /* 
client certificate file name */ +@@ -248,11 +254,6 @@ struct ssl_config_data { + char *key; /* private key file name */ + char *key_type; /* format for private key (default: PEM) */ + char *key_passwd; /* plain text private key password */ +-#ifdef USE_TLS_SRP +- char *username; /* TLS username (for, e.g., SRP) */ +- char *password; /* TLS password (for, e.g., SRP) */ +- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +-#endif + BIT(certinfo); /* gather lots of certificate info */ + BIT(falsestart); + BIT(enable_beast); /* allow this flaw for interoperability's sake*/ +diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c +index 3d0758d..92c301c 100644 +--- a/lib/vtls/gtls.c ++++ b/lib/vtls/gtls.c +@@ -581,9 +581,10 @@ gtls_connect_step1(struct connectdata *conn, + } + + #ifdef USE_TLS_SRP +- if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && ++ if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username)); ++ infof(data, "Using TLS-SRP username: %s\n", ++ SSL_SET_OPTION(primary.username)); + + rc = gnutls_srp_allocate_client_credentials(&BACKEND->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -593,8 +594,8 @@ gtls_connect_step1(struct connectdata *conn, + } + + rc = gnutls_srp_set_client_credentials(BACKEND->srp_client_cred, +- SSL_SET_OPTION(username), +- SSL_SET_OPTION(password)); ++ SSL_SET_OPTION(primary.username), ++ SSL_SET_OPTION(primary.password)); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_srp_set_client_cred() failed: %s", + gnutls_strerror(rc)); +@@ -648,19 +649,19 @@ gtls_connect_step1(struct connectdata *conn, + } + #endif + +- if(SSL_SET_OPTION(CRLfile)) { ++ if(SSL_SET_OPTION(primary.CRLfile)) { + /* set the CRL list file */ + rc = gnutls_certificate_set_x509_crl_file(BACKEND->cred, +- SSL_SET_OPTION(CRLfile), ++ SSL_SET_OPTION(primary.CRLfile), + GNUTLS_X509_FMT_PEM); + if(rc < 0) { + failf(data, "error 
reading crl file %s (%s)", +- SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); ++ SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); + return CURLE_SSL_CRL_BADFILE; + } + else + infof(data, "found %d CRL in %s\n", +- rc, SSL_SET_OPTION(CRLfile)); ++ rc, SSL_SET_OPTION(primary.CRLfile)); + } + + /* Initialize TLS session as a client */ +@@ -879,7 +880,7 @@ gtls_connect_step1(struct connectdata *conn, + + #ifdef USE_TLS_SRP + /* put the credentials to the current session */ +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, + BACKEND->srp_client_cred); + if(rc != GNUTLS_E_SUCCESS) { +@@ -1061,8 +1062,8 @@ gtls_connect_step3(struct connectdata *conn, + SSL_CONN_CONFIG(verifyhost) || + SSL_CONN_CONFIG(issuercert)) { + #ifdef USE_TLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL + && !SSL_CONN_CONFIG(verifypeer) + && gnutls_cipher_get(session)) { + /* no peer cert, but auth is ok if we have SRP user and cipher and no +@@ -1116,7 +1117,8 @@ gtls_connect_step3(struct connectdata *conn, + failf(data, "server certificate verification failed. CAfile: %s " + "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): + "none", +- SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); ++ SSL_SET_OPTION(primary.CRLfile) ? 
++ SSL_SET_OPTION(primary.CRLfile) : "none"); + return CURLE_PEER_FAILED_VERIFICATION; + } + else +@@ -1703,8 +1705,8 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex) + gnutls_certificate_free_credentials(BACKEND->cred); + + #ifdef USE_TLS_SRP +- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP +- && SSL_SET_OPTION(username) != NULL) ++ if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP ++ && SSL_SET_OPTION(primary.username) != NULL) + gnutls_srp_free_client_credentials(BACKEND->srp_client_cred); + #endif + +diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c +index 19df847..62d2b00 100644 +--- a/lib/vtls/mbedtls.c ++++ b/lib/vtls/mbedtls.c +@@ -245,7 +245,7 @@ mbed_connect_step1(struct connectdata *conn, + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + char * const ssl_cert = SSL_SET_OPTION(cert); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; + const long int port = SSL_IS_PROXY() ? 
conn->port : conn->remote_port; +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c +index 86102f7..62fd7a2 100644 +--- a/lib/vtls/nss.c ++++ b/lib/vtls/nss.c +@@ -1955,13 +1955,13 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) + } + } + +- if(SSL_SET_OPTION(CRLfile)) { +- const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); ++ if(SSL_SET_OPTION(primary.CRLfile)) { ++ const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); + if(rv) { + result = rv; + goto error; + } +- infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile)); ++ infof(data, " CRLfile: %s\n", SSL_SET_OPTION(primary.CRLfile)); + } + + if(SSL_SET_OPTION(cert)) { +diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c +index a14cecc..ec5a8f5 100644 +--- a/lib/vtls/openssl.c ++++ b/lib/vtls/openssl.c +@@ -2454,14 +2454,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) + &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; + const long int ssl_version = SSL_CONN_CONFIG(version); + #ifdef USE_TLS_SRP +- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); ++ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); + #endif + char * const ssl_cert = SSL_SET_OPTION(cert); + const char * const ssl_cert_type = SSL_SET_OPTION(cert_type); + const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); +- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); ++ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); + char error_buffer[256]; + + DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); +@@ -2741,15 +2741,15 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) + #ifdef USE_TLS_SRP + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { +- char * const ssl_username = SSL_SET_OPTION(username); +- ++ char * const 
ssl_username = SSL_SET_OPTION(primary.username); ++ char * const ssl_password = SSL_SET_OPTION(primary.password); + infof(data, "Using TLS-SRP username: %s\n", ssl_username); + + if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +- if(!SSL_CTX_set_srp_password(BACKEND->ctx, SSL_SET_OPTION(password))) { ++ if(!SSL_CTX_set_srp_password(BACKEND->ctx, ssl_password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } +diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c +index e38f74e..e8cb70f 100644 +--- a/lib/vtls/vtls.c ++++ b/lib/vtls/vtls.c +@@ -89,6 +89,7 @@ Curl_ssl_config_matches(struct ssl_primary_config* data, + { + if((data->version == needle->version) && + (data->version_max == needle->version_max) && ++ (data->ssl_options == needle->ssl_options) && + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + (data->verifystatus == needle->verifystatus) && diff --git a/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch new file mode 100644 index 0000000000..3d56025210 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2022-27782-2.patch 
@@ -0,0 +1,71 @@ +From 0a115a8903dffc7f723d1d4d71fb821d69eb8761 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 9 May 2022 23:13:53 +0200 +Subject: [PATCH] url: check SSH config match on connection reuse + +CVE-2022-27782 + +Reported-by: Harry Sintonen +Bug: https://curl.se/docs/CVE-2022-27782.html +Closes #8825 + +Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5] +Signed-off-by: Robert Joslyn +--- + lib/url.c | 11 +++++++++++ + lib/vssh/ssh.h | 6 +++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 6518be9..8da0245 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1027,6 +1027,12 @@ static void prune_dead_connections(struct Curl_easy *data) + } + } + ++static bool ssh_config_matches(struct connectdata *one, ++ struct connectdata *two) ++{ ++ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && ++ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); ++} + /* + * Given one filled in connection struct (named needle), this function should + * detect if there already is one that has all the significant details +@@ -1260,6 +1266,11 @@ ConnectionExists(struct Curl_easy *data, + } + } + ++ if(get_protocol_family(needle->handler->protocol) == PROTO_FAMILY_SSH) { ++ if(!ssh_config_matches(needle, check)) ++ continue; ++ } ++ + if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) || + needle->bits.tunnel_proxy) { + /* The requested connection does not use a HTTP proxy or it uses SSL or +diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h +index 0d4ee52..8f2632e 100644 +--- a/lib/vssh/ssh.h ++++ b/lib/vssh/ssh.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. 
The terms +@@ -120,8 +120,8 @@ struct ssh_conn { + + /* common */ + const char *passphrase; /* pass-phrase to use */ +- char *rsa_pub; /* path name */ +- char *rsa; /* path name */ ++ char *rsa_pub; /* strdup'ed public key file */ ++ char *rsa; /* strdup'ed private key file */ + bool authed; /* the connection has been authenticated fine */ + sshstate state; /* always use ssh.c:state() to change state! */ + sshstate nextstate; /* the state to goto after stopping */ diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index e850376ff8..b53b00cc38 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb 
@@ -28,6 +28,13 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2022-27776.patch \ file://CVE-2022-27775.patch \ file://CVE-2022-22576.patch \ + file://CVE-2022-27774-1.patch \ + file://CVE-2022-27774-2.patch \ + file://CVE-2022-27774-3.patch \ + file://CVE-2022-27774-4.patch \ + file://CVE-2022-27781.patch \ + file://CVE-2022-27782-1.patch \ + file://CVE-2022-27782-2.patch \ " SRC_URI[md5sum] = "ec5fc263f898a3dfef08e805f1ecca42"
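Review bot: in the lib/vtls/vtls.c part of CVE-2022-27782-1.patch, Curl_ssl_config_matches() only gains the `ssl_options` comparison, although the lib/urldata.h hunks move `CRLfile`, `username`, `password` and `authtype` into `struct ssl_primary_config`. No vtls.c hunk shown here compares those four fields or copies and frees them where the primary config is cloned, so as posted two configurations that differ only in CRL file or TLS-SRP credentials are not told apart by this check. Suggest adding `Curl_safecmp(data->CRLfile, needle->CRLfile)` and, under `#ifdef USE_TLS_SRP`, the username, password and authtype comparisons, together with the matching clone and free handling, or stating in the patch header why the backport leaves them out.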
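Review bot: in CVE-2022-27782-2.patch, ssh_config_matches() compares `proto.sshc.rsa` and `proto.sshc.rsa_pub` as strings, while the lib/vssh/ssh.h hunk only rewords their comments to "strdup'ed ... key file" and changes nothing about how the fields are set. Please confirm that in 7.69.1 both fields already hold owned copies of the key file names by the time ConnectionExists() runs, and say in the patch header that the reuse check keys on the file name, not on the key contents. Minor: the new function in lib/url.c is not separated by a blank line from the `/*` comment of the function that follows.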
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 09/14] curl: Fix CVE_CHECK_WHITELIST typo Date: Wed, 8 Jun 2022 04:46:33 -1000 Message-Id: <7b2a1d908d3b63da5e9f072b61dd3c5fa91c7b8f.1654699348.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 08 Jun 2022 14:47:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166744 From: Robert Joslyn Fix typo to properly whitelist CVE-2021-22945. Signed-off-by: Robert Joslyn Signed-off-by: Steve Sakoman --- meta/recipes-support/curl/curl_7.69.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb index b53b00cc38..5a597a7dd9 100644 --- a/meta/recipes-support/curl/curl_7.69.1.bb +++ b/meta/recipes-support/curl/curl_7.69.1.bb 
@@ -42,7 +42,7 @@ SRC_URI[sha256sum] = "2ff5e5bd507adf6aa88ff4bbafd4c7af464867ffb688be93b9930717a5 # Curl has used many names over the years... CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl daniel_stenberg:curl" -CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-22945" +CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-22945" # As per link https://security-tracker.debian.org/tracker/CVE-2021-22897 # and https://ubuntu.com/security/CVE-2021-22897
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 10/14] cve-check: move update_symlinks to a library Date: Wed, 8 Jun 2022 04:46:34 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 08 Jun 2022 14:47:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166745 From: Marta Rybczynska Move the function to a library, it could be useful in other places. Signed-off-by: Marta Rybczynska Signed-off-by: Richard Purdie (cherry picked from commit debd37abcdde8788761ebdb4a05bc61f7394cbb8) Signed-off-by: Steve Sakoman --- meta/classes/cve-check.bbclass | 11 +++-------- meta/lib/oe/cve_check.py | 10 ++++++++++ 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 0111ec6ba8..2ab1720dc3 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -76,16 +76,10 @@ CVE_CHECK_LAYER_INCLUDELIST ??= "" # set to "alphabetical" for version using single alphabetical character as increment release CVE_VERSION_SUFFIX ??= "" -def update_symlinks(target_path, link_path): - if link_path != target_path and os.path.exists(target_path): - if os.path.exists(os.path.realpath(link_path)): - os.remove(link_path) - os.symlink(os.path.basename(target_path), link_path) - def generate_json_report(d, out_path, link_path): if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")): import json - from oe.cve_check import cve_check_merge_jsons + from oe.cve_check import cve_check_merge_jsons, update_symlinks bb.note("Generating JSON CVE summary") index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH") 
@@ -106,6 +100,7 @@ def generate_json_report(d, out_path, link_path): python cve_save_summary_handler () { import shutil import datetime + from oe.cve_check import update_symlinks cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE") @@ -174,7 +169,7 @@ python cve_check_write_rootfs_manifest () { import shutil import json from oe.rootfs import image_list_installed_packages - from oe.cve_check import cve_check_merge_jsons + from oe.cve_check import cve_check_merge_jsons, update_symlinks if d.getVar("CVE_CHECK_COPY_FILES") == "1": deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 1d3c775bbe..b17390de90 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py 
@@ -79,3 +79,13 @@ def cve_check_merge_jsons(output, data): return output["package"].append(data["package"][0]) + +def update_symlinks(target_path, link_path): + """ + Update a symbolic link link_path to point to target_path. + Remove the link and recreate it if exist and is different. + """ + if link_path != target_path and os.path.exists(target_path): + if os.path.exists(os.path.realpath(link_path)): + os.remove(link_path) + os.symlink(os.path.basename(target_path), link_path)
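Review bot: in update_symlinks() as added to meta/lib/oe/cve_check.py, the guard `os.path.exists(os.path.realpath(link_path))` is false for a dangling link, so `os.remove(link_path)` is skipped and the following `os.symlink(...)` raises FileExistsError. The move is a good moment to switch the check to `os.path.lexists(link_path)` or `os.path.islink(link_path)`. Also, the cve_check.py hunk adds no `import os`; please confirm the module already imports it, since the function previously lived in the bbclass. The docstring line "if exist and is different" should read "if it exists and is different".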
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 11/14] cve-check: write empty fragment files in the text mode Date: Wed, 8 Jun 2022 04:46:35 -1000 Message-Id: <4c10ee956f21ea2f805403704ac3c54b7f1be78c.1654699348.git.steve@sakoman.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 08 Jun 2022 14:47:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166746 From: Marta Rybczynska In the cve-check text mode output, we didn't write fragment files if there are no CVEs (if CVE_CHECK_REPORT_PATCHED is 1), or no unpatched CVEs otherwise. However, in a system after multiple builds, cve_check_write_rootfs_manifest might find older files and use them as current, which leads to incorrect reporting. Fix it by always writing a fragment file, even if empty. Signed-off-by: Marta Rybczynska Signed-off-by: Richard Purdie (cherry picked from commit f1b7877acd0f6e3626faa57d9f89809cfcdfd0f1) Signed-off-by: Steve Sakoman --- meta/classes/cve-check.bbclass | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 2ab1720dc3..48f75456f2 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass
@@ -471,23 +471,22 @@ def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data): if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) - if write_string: - with open(cve_file, "w") as f: - bb.note("Writing file %s with CVE information" % cve_file) - f.write(write_string) + with open(cve_file, "w") as f: + bb.note("Writing file %s with CVE information" % cve_file) + f.write(write_string) - if d.getVar("CVE_CHECK_COPY_FILES") == "1": - deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") - bb.utils.mkdirhier(os.path.dirname(deploy_file)) - with open(deploy_file, "w") as f: - f.write(write_string) + if d.getVar("CVE_CHECK_COPY_FILES") == "1": + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") + bb.utils.mkdirhier(os.path.dirname(deploy_file)) + with open(deploy_file, "w") as f: + f.write(write_string) - if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": - cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") - bb.utils.mkdirhier(cvelogpath) + if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") + bb.utils.mkdirhier(cvelogpath) - with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: - f.write("%s" % write_string) + with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: + f.write("%s" % write_string) def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file): """
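Review bot: the now unconditional `with open(cve_file, "w")` in cve_write_data_text() only helps when the function is reached, and the caller in do_cve_check still gates on the CVE lists (`if patched or unpatched:`, shown as the removed line in 12/14). A recipe whose scan yields neither patched nor unpatched CVEs therefore still writes no fragment, and a stale one from an earlier build can be picked up by cve_check_write_rootfs_manifest, which is the case the commit message describes. Suggest moving the gate so the text writer always runs, and checking the interaction with the early `return` that 12/14 adds for `not patched+unpatched`.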
From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 12/14] cve-check: add coverage statistics on recipes with/without CVEs Date: Wed, 8 Jun 2022 04:46:36 -1000 Message-Id: X-Mailer: git-send-email 2.25.1 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 08 Jun 2022 14:47:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166747 From: Marta Rybczynska Until now the CVE checker was giving information about CVEs found for a product (or more products) contained in a recipe. However, there was no easy way to find out which products or recipes have no CVEs. Having no reported CVEs might mean there are simply none, but can also mean a product name (CPE) mismatch. This patch adds CVE_CHECK_COVERAGE option enabling a new type of statistics. Then we use the new JSON format to report the information. The legacy text mode report does not contain it. This option is expected to help with an identification of recipes with mismatched CPEs, issues in the database and more. This work is based on [1], but adding the JSON format makes it easier to implement, without additional result files. [1] https://lists.openembedded.org/g/openembedded-core/message/159873 Signed-off-by: Marta Rybczynska Signed-off-by: Alexandre Belloni (cherry picked from commit d1849a1facd64fa0bcf8336a0ed5fbf71b2e3cb5)
Signed-off-by: Steve Sakoman --- meta/classes/cve-check.bbclass | 48 ++++++++++++++++++++++++++-------- 1 file changed, 37 insertions(+), 11 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 48f75456f2..894cebaaa4 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -56,6 +56,9 @@ CVE_CHECK_FORMAT_TEXT ??= "1" # Provide JSON output - disabled by default for backward compatibility CVE_CHECK_FORMAT_JSON ??= "0" +# Check for packages without CVEs (no issues or missing product name) +CVE_CHECK_COVERAGE ??= "1" + # Whitelist for packages (PN) CVE_CHECK_PN_WHITELIST ?= "" @@ -137,10 +140,10 @@ python do_cve_check () { patched_cves = get_patches_cves(d) except FileNotFoundError: bb.fatal("Failure in searching patches") - whitelisted, patched, unpatched = check_cves(d, patched_cves) - if patched or unpatched: + whitelisted, patched, unpatched, status = check_cves(d, patched_cves) + if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): cve_data = get_cve_info(d, patched + unpatched) - cve_write_data(d, patched, unpatched, whitelisted, cve_data) + cve_write_data(d, patched, unpatched, whitelisted, cve_data, status) else: bb.note("No CVE database found, skipping CVE check") 
@@ -312,17 +315,19 @@ def check_cves(d, patched_cves): suffix = d.getVar("CVE_VERSION_SUFFIX") cves_unpatched = [] + cves_status = [] + cves_in_recipe = False # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) products = d.getVar("CVE_PRODUCT").split() # If this has been unset then we're not scanning for CVEs here (for example, image recipes) if not products: - return ([], [], []) + return ([], [], [], []) pv = d.getVar("CVE_VERSION").split("+git")[0] # If the recipe has been whitelisted we return empty lists if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split(): bb.note("Recipe has been whitelisted, skipping check") - return ([], [], []) + return ([], [], [], []) cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split() @@ -332,6 +337,7 @@ def check_cves(d, patched_cves): # For each of the known product names (e.g. curl has CPEs using curl and libcurl)... for product in products: + cves_in_product = False if ":" in product: vendor, product = product.split(":", 1) else: @@ -349,6 +355,11 @@ def check_cves(d, patched_cves): elif cve in patched_cves: bb.note("%s has been patched" % (cve)) continue + # Write status once only for each product + if not cves_in_product: + cves_status.append([product, True]) + cves_in_product = True + cves_in_recipe = True vulnerable = False for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)): @@ -395,9 +406,13 @@ def check_cves(d, patched_cves): # TODO: not patched but not vulnerable patched_cves.add(cve) + if not cves_in_product: + bb.note("No CVE records found for product %s, pn %s" % (product, pn)) + cves_status.append([product, False]) + conn.close() - return (list(cve_whitelist), list(patched_cves), cves_unpatched) + return (list(cve_whitelist), list(patched_cves), cves_unpatched, cves_status) def get_cve_info(d, cves): """ 
@@ -428,7 +443,6 @@ def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data): CVE manifest if enabled. """ - cve_file = d.getVar("CVE_CHECK_LOG") fdir_name = d.getVar("FILE_DIRNAME") layer = fdir_name.split("/")[-3] @@ -442,6 +456,10 @@ def cve_write_data_text(d, patched, unpatched, whitelisted, cve_data): if include_layers and layer not in include_layers: return + # Early exit, the text format does not report packages without CVEs + if not patched+unpatched: + return + nvd_link = "https://nvd.nist.gov/vuln/detail/" write_string = "" unpatched_cves = [] @@ -518,7 +536,7 @@ def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_fi with open(index_path, "a+") as f: f.write("%s\n" % fragment_path) -def cve_write_data_json(d, patched, unpatched, ignored, cve_data): +def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): """ Prepare CVE data for the JSON format, then write it. """ @@ -540,11 +558,19 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data): unpatched_cves = [] + product_data = [] + for s in cve_status: + p = {"product": s[0], "cvesInRecord": "Yes"} + if s[1] == False: + p["cvesInRecord"] = "No" + product_data.append(p) + package_version = "%s%s" % (d.getVar("EXTENDPE"), d.getVar("PV")) package_data = { "name" : d.getVar("PN"), "layer" : layer, - "version" : package_version + "version" : package_version, + "products": product_data } cve_list = [] @@ -583,7 +609,7 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data): cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file) -def cve_write_data(d, patched, unpatched, ignored, cve_data): +def cve_write_data(d, patched, unpatched, ignored, cve_data, status): """ Write CVE data in each enabled format. """ 
@@ -591,4 +617,4 @@ def cve_write_data(d, patched, unpatched, ignored, cve_data): if d.getVar("CVE_CHECK_FORMAT_TEXT") == "1": cve_write_data_text(d, patched, unpatched, ignored, cve_data) if d.getVar("CVE_CHECK_FORMAT_JSON") == "1": - cve_write_data_json(d, patched, unpatched, ignored, cve_data) + cve_write_data_json(d, patched, unpatched, ignored, cve_data, status)
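Review bot: CVE_CHECK_COVERAGE defaults to "1" in the first hunk while CVE_CHECK_FORMAT_JSON stays at "0", and the cve_write_data_text hunk returns early when patched+unpatched is empty, so with default settings the coverage status is collected and cve_write_data is called, but nothing is written for recipes without CVEs. Say in the comment above CVE_CHECK_COVERAGE that the result is only reported when CVE_CHECK_FORMAT_JSON is "1".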
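Review bot: In the check_cves hunk at -349,6, cves_status.append([product, True]) sits after the continue in the patched_cves branch, so a product whose CVEs are all skipped by the continue statements above it never sets cves_in_product and is then reported by the -395,9 hunk as "No CVE records found", with cvesInRecord "No" in the JSON, although the database does hold records for it. Set cves_in_product before the skip checks so the coverage flag reflects presence in the database rather than remaining work. Also, cves_in_recipe is assigned in these hunks but never read or returned in the visible lines; drop it or use it.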
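Review bot: In the cve_write_data_json hunk at -540,11, the status is tested with s[1] == False and then serialised as the strings "Yes" and "No"; prefer "not s[1]", and consider emitting a JSON boolean so consumers do not have to string-match. The entry also carries only the product name: the -332,6 context shows the vendor being split off product before the status is appended, so two CVE_PRODUCT entries with the same product and different vendors produce indistinguishable rows.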
From patchwork Wed Jun 8 14:46:37 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 9036
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 13/14] cve-update-db-native: make it possible to disable database updates
Date: Wed, 8 Jun 2022 04:46:37 -1000
Message-Id: <487a53522a739b9a52720c4c40b93f88ad77d242.1654699348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166748
From: Marta Rybczynska

Make it possible to disable the database update completely by using a negative update interval CVE_DB_UPDATE_INTERVAL. Disabling the update is useful when running multiple parallel builds when we want to have control over the database version. This allows coherent cve-check results without a database update for only some of the builds.

Signed-off-by: Marta Rybczynska
Signed-off-by: Richard Purdie
(cherry picked from commit b5c2269240327c2a8f93b9e55354698f52c976f3)
Signed-off-by: Steve Sakoman
--- meta/recipes-core/meta/cve-update-db-native.bb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 594bf947c8..a49f446a53 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -14,6 +14,7 @@ deltask do_populate_sysroot # CVE database update interval, in seconds. By default: once a day (24*60*60). # Use 0 to force the update +# Use a negative value to skip the update CVE_DB_UPDATE_INTERVAL ?= "86400" python () { 
@@ -51,8 +52,9 @@ python do_fetch() { try: import time update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL")) - if (update_interval < 0): - update_interval = 0 + if update_interval < 0: + bb.note("CVE database update skipped") + return if time.time() - os.path.getmtime(db_file) < update_interval: return
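Review bot: With a negative CVE_DB_UPDATE_INTERVAL, do_fetch now returns before the os.path.getmtime(db_file) check, so nothing in this path verifies that a database exists; on a build directory without one, the only visible consequence is the bb.note "No CVE database found, skipping CVE check" in do_cve_check, and the CVE check is skipped. Consider raising that to bb.warn when the update is disabled and db_file is absent, and state in the new comment beside CVE_DB_UPDATE_INTERVAL that the database must already be present. Because a skipped update makes the results depend on the age of the local database, including its modification time in the "CVE database update skipped" message would help when comparing parallel builds.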
From patchwork Wed Jun 8 14:46:38 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 9037
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 14/14] linux-yocto/5.4: update to v5.4.196
Date: Wed, 8 Jun 2022 04:46:38 -1000
Message-Id: <7e056e79a5acce8261cb5124c172cc40ad608b82.1654699348.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/166749
From: Bruce Ashfield

Updating to the latest korg -stable release that comprises the following commits:

    04b092e4a01a Linux 5.4.196
    dba1941f5bc3 afs: Fix afs_getattr() to refetch file status if callback break occurred
    ef5374d532ca i2c: mt7621: fix missing clk_disable_unprepare() on error in mtk_i2c_probe()
    10a221e2d3d8 x86/xen: Mark cpu_bringup_and_idle() as dead_end_function
    a12884ff4340 x86/xen: fix booting 32-bit pv guest
    b2f140a9f980 Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE""
    060f38b1dfb4 ARM: dts: imx7: Use audio_mclk_post_div instead audio_mclk_root_clk
    b38cf3cb17df firmware_loader: use kernel credentials when reading firmware
    e14e3856e94d net: stmmac: disable Split Header (SPH) for Intel platforms
    9ea8e6a8323e block: return ELEVATOR_DISCARD_MERGE if possible
    36ac6caf742d Input: ili210x - fix reset timing
    1c450bdf2e8c net: atlantic: verify hw_head_ lies within TX buffer ring
    e5307704c4ad net: stmmac: fix missing pci_disable_device() on error in stmmac_pci_probe()
    91d8d7edf192 ethernet: tulip: fix missing pci_disable_device() on error in tulip_init_one()
    dd5de66f5c8a selftests: add ping test with ping_group_range tuned
    9919585e5f41 mac80211: fix rx reordering with non explicit / psmp ack policy
    19e2cd737c16 scsi: qla2xxx: Fix missed DMA unmap for aborted commands
    74168c2207a5 perf bench numa: Address compiler error on s390
    d1915d9c9fa3 gpio: mvebu/pwm: Refuse requests with inverted polarity
    3fdd67e83c42 gpio: gpio-vf610: do not touch other bits when set the target bit
    1fe6dc5f5d19 net: bridge: Clear offload_fwd_mark when passing frame up bridge interface.
    622be11fa385 igb: skip phy status check where unavailable
    eb92a8ecce23 ARM: 9197/1: spectre-bhb: fix loop8 sequence for Thumb2
    463a7b957db0 ARM: 9196/1: spectre-bhb: enable for Cortex-A15
    1b93631c77c9 net: af_key: add check for pfkey_broadcast in function pfkey_process
    c0be5fec786b net/mlx5e: Properly block LRO when XDP is enabled
    3277789f332e NFC: nci: fix sleep in atomic context bugs caused by nci_skb_alloc
    b368e07fb44d net/qla3xxx: Fix a test in ql_reset_work()
    d672eee9e404 clk: at91: generated: consider range when calculating best rate
    8cb1a05fe38b ice: fix possible under reporting of ethtool Tx and Rx statistics
    dc64e8874e87 net: vmxnet3: fix possible NULL pointer dereference in vmxnet3_rq_cleanup()
    32f779e6fbbe net: vmxnet3: fix possible use-after-free bugs in vmxnet3_rq_alloc_rx_buf()
    1eb2d7858155 net/sched: act_pedit: sanitize shift argument before usage
    50f70ee30236 net: macb: Increment rx bd head after allocating skb and buffer
    a42ffe88332c ARM: dts: aspeed-g6: fix SPI1/SPI2 quad pin group
    6493ff94c022 ARM: dts: aspeed-g6: remove FWQSPID group in pinctrl dtsi
    fe2a9469eca0 dma-buf: fix use of DMA_BUF_SET_NAME_{A,B} in userspace
    8cf6c24ed488 drm/dp/mst: fix a possible memory leak in fetch_monitor_name()
    8be06f62b426 crypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ
    f4a093215b8e KVM: x86/mmu: Update number of zapped pages even if page list is stable
    de8745182749 PCI/PM: Avoid putting Elo i2 PCIe Ports in D3cold
    3a12b2c413b2 Fix double fget() in vhost_net_set_backend()
    dd0ea88b0a0f perf: Fix sys_perf_event_open() race against self
    c8a5e14cb407 ALSA: wavefront: Proper check of get_user() error
    2f8f6c393b11 SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()
    975a0f14d5cd SUNRPC: Don't call connect() more than once on a TCP socket
    aa4d71edd609 SUNRPC: Prevent immediate close+reconnect
    2d6f096476e6 SUNRPC: Clean up scheduling of autoclose
    f3fe8d13ac89 mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch()
    def047ae1266 mmc: block: Use generic_cmd6_time when modifying INAND_CMD38_ARG_EXT_CSD
    f10260f35992 mmc: core: Specify timeouts for BKOPS and CACHE_FLUSH for eMMC
    1e93f939927d nilfs2: fix lockdep warnings during disk space reclamation
    307d021b1a7f nilfs2: fix lockdep warnings in page operations for btree nodes
    77b71a4c8767 ARM: 9191/1: arm/stacktrace, kasan: Silence KASAN warnings in unwind_frame()
    54f7358be14d platform/chrome: cros_ec_debugfs: detach log reader wq from devm
    232128f6e60f drbd: remove usage of list iterator variable after loop
    83abb076f473 MIPS: lantiq: check the return value of kzalloc()
    e7947c031ffe rtc: mc146818-lib: Fix the AltCentury for AMD platforms
    7be785032c05 nvme-multipath: fix hang when disk goes live over reconnect
    ee0323cc8bbb ALSA: hda/realtek: Enable headset mic on Lenovo P360
    c0d86f2a3c03 crypto: x86/chacha20 - Avoid spurious jumps to other functions
    f0213894337a crypto: stm32 - fix reference leak in stm32_crc_remove
    8c015cd52442 Input: stmfts - fix reference leak in stmfts_input_open
    bb83a744bc67 Input: add bounds checking to input_set_capability()
    4fd396695646 um: Cleanup syscall_handler_t definition/cast, fix warning
    0c319b998835 rtc: fix use-after-free on device removal
    05df3bdbc259 x86/xen: Make the secondary CPU idle tasks reliable
    0d3817cb4ebe x86/xen: Make the boot CPU idle task reliable
    67e2b62461b5 floppy: use a statically allocated error counter
    0187300e6aa6 Linux 5.4.195
    8fcefb43ecfc tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe()
    6d80857c4fc7 ping: fix address binding wrt vrf
    7845532adb53 arm[64]/memremap: don't abuse pfn_valid() to ensure presence of linear map
    c0b735fef2af net: phy: Fix race condition on link status change
    a60def756821 MIPS: fix build with gcc-12
    a3112d5da17c drm/vmwgfx: Initialize drm_mode_fb_cmd2
    463c7431490d cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp()
    f25145c37c4e i40e: i40e_main: fix a missing check on list iterator
    17c744716af5 drm/nouveau/tegra: Stop using iommu_present()
    c8f567c46543 serial: 8250_mtk: Fix register address for XON/XOFF character
    aa3ea7451bd6 serial: 8250_mtk: Fix UART_EFR register address
    031fda28d0a6 slimbus: qcom: Fix IRQ check in qcom_slim_probe
    7de6f3059629 USB: serial: option: add Fibocom MA510 modem
    65732f62f730 USB: serial: option: add Fibocom L610 modem
    6c78537f3e29 USB: serial: qcserial: add support for Sierra Wireless EM7590
    e40d00494712 USB: serial: pl2303: add device id for HP LM930 Display
    056a56f8fbfe usb: typec: tcpci: Don't skip cleanup in .remove() on error
    457d9401b8c1 usb: cdc-wdm: fix reading stuck on device close
    4d93303fd877 tty: n_gsm: fix mux activation issues in gsm_config()
    6e34ee5b5b92 tcp: resalt the secret every 10 seconds
    39c26fe93c76 net: emaclite: Don't advertise 1000BASE-T and do auto negotiation
    638bfbc84cca s390: disable -Warray-bounds
    f66d3fa5089f ASoC: ops: Validate input values in snd_soc_put_volsw_range()
    13b850a6cc80 ASoC: max98090: Generate notifications on changes for custom control
    5c766c000a64 ASoC: max98090: Reject invalid values in custom control put()
    22f6c68b4927 hwmon: (f71882fg) Fix negative temperature
    208200e573bd gfs2: Fix filesystem block deallocation for short writes
    42daae7d845c net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe()
    e038c457bd12 net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending
    2ec2dd7d51a9 net/sched: act_pedit: really ensure the skb is writable
    48c6a40e2f25 s390/lcs: fix variable dereferenced before check
    467ddbbe7e74 s390/ctcm: fix potential memory leak
    2cbce0110070 s390/ctcm: fix variable dereferenced before check
    1c40e85d0aa0 hwmon: (ltq-cputemp) restrict it to SOC_XWAY
    0a778db9319f dim: initialize all struct fields
    522986cc39c1 mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection
    0729594cb788 netlink: do not reset transport header in netlink_recvmsg()
    33ce32587c44 drm/nouveau: Fix a potential theorical leak in nouveau_get_backlight_name()
    5809a1c53049 ipv4: drop dst in multicast routing path
    c9d75e87f45b net: Fix features skip in for_each_netdev_feature()
    5c9057670504 mac80211: Reset MBSSID parameters upon connection
    cfe74fd41f18 hwmon: (tmp401) Add OF device ID table
    3915341a935f batman-adv: Don't skb_split skbuffs with frag_list
    90659487578c Linux 5.4.194
    2f4e0bf651e3 mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and __mcopy_atomic()
    e4db0c3ce0c5 mm: hugetlb: fix missing cache flush in copy_huge_page_from_user()
    ea9cad1c5d95 mm: fix missing cache flush for all tail pages of compound page
    45c05171d6e3 Bluetooth: Fix the creation of hdev->name
    f52c4c067aa5 KVM: x86/svm: Account for family 17h event renumberings in amd_pmc_perf_hw_id
    c1bdf1e6e706 x86: kprobes: Prohibit probing on instruction which has emulate prefix
    6af6427a9600 x86: xen: insn: Decode Xen and KVM emulate-prefix signature
    c67a4a91f5e1 x86: xen: kvm: Gather the definition of emulate prefixes
    4c39e1ace3dc x86/asm: Allow to pass macros to __ASM_FORM()
    29afcd5af012 KVM: x86/pmu: Refactoring find_arch_event() to pmc_perf_hw_id()
    ea65a7d76c00 arm: remove CONFIG_ARCH_HAS_HOLES_MEMORYMODEL
    5755f946a89f can: grcan: only use the NAPI poll budget for RX
    caba5c13a892 can: grcan: grcan_probe(): fix broken system id check for errata workaround needs
    76b64c690f03 nfp: bpf: silence bitwise vs. logical OR warning
    86ccefb83ede drm/i915: Cast remain to unsigned long in eb_relocate_vma
    de542bd76541 drm/amd/display/dc/gpio/gpio_service: Pass around correct dce_{version, environment} types
    e6ff94d31c53 block: drbd: drbd_nl: Make conversion to 'enum drbd_ret_code' explicit
    f668da98ad83 MIPS: Use address-of operator on section symbols
    01565c91b789 Linux 5.4.193
    8a7f92053dc9 mmc: rtsx: add 74 Clocks in power on flow
    d789b9891761 PCI: aardvark: Fix reading MSI interrupt number
    253bc43ca5b7 PCI: aardvark: Clear all MSIs at setup
    786dc86c8434 dm: interlock pending dm_io and dm_wait_for_bios_completion
    ad1393b92e50 dm: fix mempool NULL pointer race when completing IO
    40bcd39a0093 tcp: make sure treq->af_specific is initialized
    9661bf674d6a ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and mmap_lock
    37b12c16beb6 ALSA: pcm: Fix races among concurrent prealloc proc writes
    2a559eec81ac ALSA: pcm: Fix races among concurrent prepare and hw_params/hw_free calls
    08d1807f097a ALSA: pcm: Fix races among concurrent read/write and buffer changes
    fbeb492694ce ALSA: pcm: Fix races among concurrent hw_params and hw_free calls
    f098f8b9820f mm: fix unexpected zeroed page mapping with zram swap
    c7337efd1d11 block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern
    9588ac2eddc2 net: ipv6: ensure we call ipv6_mc_down() at most once
    367b49086b41 KVM: LAPIC: Enable timer posted-interrupt only when mwait/hlt is advertised
    c2fadf2d0ab4 x86/kvm: Preserve BSP MSR_KVM_POLL_CONTROL across suspend/resume
    8b78939f4b0b kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU
    f455c8e657e3 NFSv4: Don't invalidate inode attributes on delegation return
    89e7a625ec5c drm/amdkfd: Use drm_priv to pass VM from KFD to amdgpu
    1d14c1c7a3bd net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter()
    2b99ff4c3e3e btrfs: always log symlinks in full mode
    dc4784489426 smsc911x: allow using IRQ0
    cff6cb162f7a bnxt_en: Fix possible bnxt_open() failure caused by wrong RFS flag
    64ece01adb42 selftests: mirror_gre_bridge_1q: Avoid changing PVID while interface is operational
    52401926c863 net: emaclite: Add error handling for of_address_to_resource()
    354cac1e392b net: stmmac: dwmac-sun8i: add missing of_node_put() in sun8i_dwmac_register_mdio_mux()
    0510b6ccfb4f net: ethernet: mediatek: add missing of_node_put() in mtk_sgmii_init()
    102986592ffd RDMA/siw: Fix a condition race issue in MPA request processing
    e6ae21eb948a ASoC: dmaengine: Restore NULL prepare_slave_config() callback
    df3ea6cc1af5 hwmon: (adt7470) Fix warning on module removal
    01d4363dd717 NFC: netlink: fix sleep in atomic bug when firmware download timeout
    33d3e76fc7a7 nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs
    85aecdef77f9 nfc: replace improper check device_is_registered() in netlink related functions
    da9eb43b9a56 can: grcan: use ofdev->dev when allocating DMA memory
    8b451b7d7e95 can: grcan: grcan_close(): fix deadlock
    8f4246450a95 s390/dasd: Fix read inconsistency for ESE DASD devices
    91193a2c2f4f s390/dasd: Fix read for ESE with blksize < 4k
    1aa75808edd8 s390/dasd: prevent double format of tracks for ESE devices
    061a424dd1c4 s390/dasd: fix data corruption for ESE devices
    860db6cdc5be ASoC: meson: Fix event generation for G12A tohdmi mux
    d4864e8c4ba8 ASoC: wm8958: Fix change notifications for DSP controls
    6723ab2ed8bb ASoC: da7219: Fix change notifications for tone generator frequency
    ac5894fb8626 genirq: Synchronize interrupt thread startup
    8624e2c5af95 ACPICA: Always create namespace nodes using acpi_ns_create_node()
    27183539cfac firewire: core: extend card->lock in fw_core_handle_bus_reset
    2fefc6259861 firewire: remove check of list iterator against head past the loop body
    34b9b9182911 firewire: fix potential uaf in outbound_phy_packet_callback()
    f6b6e9336936 Revert "SUNRPC: attempt AF_LOCAL connect on setup"
    d403ff32e566 gpiolib: of: fix bounds check for 'gpio-reserved-ranges'
    94842485b4ec ALSA: fireworks: fix wrong return count shorter than expected by 4 bytes
    73ce49fa59a7 parisc: Merge model and model name into one line in /proc/cpuinfo
    0d5bb59858c6 MIPS: Fix CP0 counter erratum detection for R4k CPUs

Signed-off-by: Bruce Ashfield
Signed-off-by: Steve Sakoman
--- .../linux/linux-yocto-rt_5.4.bb | 6 ++--- .../linux/linux-yocto-tiny_5.4.bb | 8 +++---- meta/recipes-kernel/linux/linux-yocto_5.4.bb | 22 +++++++++---------- 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb index bf5359d120..0ef18c0b77 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb @@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "24d323fa0e17bcd62c9cfe1fd4153c304a06f38c" -SRCREV_meta ?= "3fecb08507e286d1458497faaf31d1a07cc7d373" +SRCREV_machine ?= "5a2ea5a1decb40650f6e447af2dc02579b3a5521" +SRCREV_meta ?= "9b55ffe3d137121be67c99a60bfdb3c6af47fae2" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.4.192" +LINUX_VERSION ?= "5.4.196" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb index dee636aca5..9b41d280a7 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.4.192" +LINUX_VERSION ?= "5.4.196" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" 
@@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "460de085c07ab1a221317e6804c13657456c5368" -SRCREV_machine ?= "b414a2fc5ce5f68c33d297d9cde4fef5437b773b" -SRCREV_meta ?= "3fecb08507e286d1458497faaf31d1a07cc7d373" +SRCREV_machine_qemuarm ?= "bae8f843b4f6520a8deb813616669951a5bf58ca" +SRCREV_machine ?= "4e04a0f737355772b02dd4225e3b579204ce41c0" +SRCREV_meta ?= "9b55ffe3d137121be67c99a60bfdb3c6af47fae2" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/meta/recipes-kernel/linux/linux-yocto_5.4.bb index 680f40d208..11e7ff6a21 100644 --- a/meta/recipes-kernel/linux/linux-yocto_5.4.bb +++ b/meta/recipes-kernel/linux/linux-yocto_5.4.bb 
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base" KBRANCH_qemux86-64 ?= "v5.4/standard/base" KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "68a2ce69aaf2e8d96eef4aaccd70fc0ef7368a46" -SRCREV_machine_qemuarm64 ?= "acfed0930d37a714d705645ff7cfbfbd0ad040e7" -SRCREV_machine_qemumips ?= "e7046a2c8972e925cd2e6ac7f392abe87cbec5f5" -SRCREV_machine_qemuppc ?= "997e06e0af674c27627eaa76a60b2f63cb16f38d" -SRCREV_machine_qemuriscv64 ?= "85f0668fea1442bbcc2c8b1509d9f711b4b73649" -SRCREV_machine_qemux86 ?= "85f0668fea1442bbcc2c8b1509d9f711b4b73649" -SRCREV_machine_qemux86-64 ?= "85f0668fea1442bbcc2c8b1509d9f711b4b73649" -SRCREV_machine_qemumips64 ?= "7b526cde12d78604b6f1e1ad62da31dcb729f35f" -SRCREV_machine ?= "85f0668fea1442bbcc2c8b1509d9f711b4b73649" -SRCREV_meta ?= "3fecb08507e286d1458497faaf31d1a07cc7d373" +SRCREV_machine_qemuarm ?= "7efd457b777ad4b9029594f2770c5f9e3cc6b88e" +SRCREV_machine_qemuarm64 ?= "4416c0026b35a6d2c9b03e27bfdbb9cb08cf84d2" +SRCREV_machine_qemumips ?= "7d4e3a8bdcdae2e56640db0d4a739000665ad0cf" +SRCREV_machine_qemuppc ?= "f0ed4149f804120d6c4b7fd5b9fb49287136b4d5" +SRCREV_machine_qemuriscv64 ?= "740afe0923aca19768b11bff283a31dbdf9509e9" +SRCREV_machine_qemux86 ?= "740afe0923aca19768b11bff283a31dbdf9509e9" +SRCREV_machine_qemux86-64 ?= "740afe0923aca19768b11bff283a31dbdf9509e9" +SRCREV_machine_qemumips64 ?= "14c090645b3e8c432dc1de659189af76d7fc7825" +SRCREV_machine ?= "740afe0923aca19768b11bff283a31dbdf9509e9" +SRCREV_meta ?= "9b55ffe3d137121be67c99a60bfdb3c6af47fae2" # remap qemuarm to qemuarma15 for the 5.4 kernel # KMACHINE_qemuarm ?= "qemuarma15" 
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" -LINUX_VERSION ?= "5.4.192" +LINUX_VERSION ?= "5.4.196" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native"
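Review bot: The commit message lists fixes with clear security impact (for example the use-after-free in vmxnet3_rq_alloc_rx_buf(), the double fget() in vhost_net_set_backend() and the sys_perf_event_open() race) but names no CVE identifiers, so a reader cannot tell from this message which cve-check findings for linux-yocto the bump to 5.4.196 is expected to clear. If any apply, list them in the message. The recipe changes themselves are consistent across the hunks: all three recipes move LINUX_VERSION from 5.4.192 to 5.4.196 and share SRCREV_meta 9b55ffe3d137121be67c99a60bfdb3c6af47fae2.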