summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended
Commit message (Collapse)AuthorAgeFilesLines
* libarchive: ignore CVE-2023-30571Peter Marko2023-08-071-0/+3
| | | | | | | | | | | | | | | | | | | | | This issue was reported and discusses under [1] which is linked in NVD CVE report. It was already documented that some parts or libarchive are thread safe and some not. [2] was now merged to document that also reported function is not thread safe. So this CVE *now* reports thread race condition for non-thread-safe function. And as such the CVE report is now invalid. The issue is still not closed for 2 reasons: * better document what is and what is not thread safe * request to public if someone could make these functions thread safe This should however not invalidate above statment about ignoring this CVE. [1] https://github.com/libarchive/libarchive/issues/1876 [2] https://github.com/libarchive/libarchive/pull/1875 (From OE-Core rev: d5e7971e12cdc8748be91b4e6408b42fa86b2f15) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* mdadm: skip running known broken ptestsOvidiu Panait2023-08-024-1/+585
| | | | | | | | | | | | | | | | | | | Upstream marked some testcases as "KNOWN BROKEN" and introduced the "--skip-broken" flag to ignore them when running the testsuite (commits [1] and [2]). Backport these two commits to get rid of the last remaining ptest failures. Also, add the "--skip-broken" option to the run-ptest script. [1] https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=28520bf114b3 [2] https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=daa86d663476 (From OE-Core rev: 62daa4ca064da1c014b9c21798bc55ff3e7656e6) Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 62148b978b26b5fcd1a2fa3a0ff82ef814f4e7ec) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* mdadm: fix segfaults when running ptestsOvidiu Panait2023-08-025-0/+341
| | | | | | | | | | | | | | | | | | | | | | | Currently, some segfaults are reported when running ptest: mdadm[12333]: segfault at 0 ip 00007fe855924060 sp 00007ffc4d6caf88 error 4 in libc.so.6[7f) Code: d2 0f 84 b7 0f 00 00 48 83 fa 01 0f 84 b9 0f 00 00 49 89 d3 89 f1 89 f8 48 83 e1 3f 4f Backport the following upstream commits to fix them: 679bd9508a30 ("DDF: Cleanup validate_geometry_ddf_container()") 2b93288a5650 ("DDF: Fix NULL pointer dereference in validate_geometry_ddf()") 548e9b916f86 ("mdadm/Grow: Fix use after close bug by closing after fork") 9ae62977b51d ("monitor: Avoid segfault when calling NULL get_bad_blocks") The fixes are part of the "Bug fixes and testing improvments" patchset [1]. [1] https://www.spinics.net/lists/raid/msg70621.html (From OE-Core rev: 4ea6acbf25ad1b3e910f01d136b53c6353daf0c5) Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 9585009e3e505b361cd32b14e0e85e77e7822878) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* mdadm: fix 07revert-inplace ptestOvidiu Panait2023-08-021-1/+1
| | | | | | | | | | | | | | | | | Testcase 07revert-inplace fails if strace is not installed: ... strace -o /tmp/str ./mdadm -A /dev/md0 --update=revert-reshape /dev/<...> tests/07revert-inplace: line 40: strace: command not found Add strace to mdadm-ptest RDEPENDS to make sure the testcase passes even with a core-image-minimal build. (From OE-Core rev: 1df8d9d45bb4ff01e30d9ec9ffd0fb822d5f91e9) Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 7d9386663ac52ab69812867a0823c6055aedbc18) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* mdadm: fix util-linux ptest dependencyOvidiu Panait2023-08-021-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | Trying to run mdadm-ptest in a core-image-minimal build will result in: root@qemux86-64:~# ptest-runner mdadm START: ptest-runner BEGIN: /usr/lib/mdadm/ptest which: no lsblk in (/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin) lsblk command not found! DURATION: 0 END: /usr/lib/mdadm/ptest 2023-06-28T10:14 STOP: ptest-runner TOTAL: 1 FAIL: 0 Remove util-linux from RRECOMMENDS and only add util-linux-lsblk and util-linux-losetup to RDEPENDS. (From OE-Core rev: 898b9add68d9c30c7c90285e659b128289313668) Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 3004f7589974c135cc82630d980ea281b97ecd83) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* diffutils: update 3.9 -> 3.10Alexander Kanavin2023-08-022-13/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | * Noteworthy changes in release 3.10 (2023-05-21) [stable] ** Bug fixes cmp/diff can again work with file dates past Y2K38 [bug introduced in 3.9] diff -D no longer fails to output #ifndef lines. [bug#61193 introduced in 3.9] Remove the comment addition from the patch body, as it increases likelyhood of rebase conflicts, and repeats what the commit says. (From OE-Core rev: ab9ae300ce3895cdf64d207b5dc281b65c984211) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 925155acc6922f7e9df2afa45e79ad1b2c57ba24) Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit 21e40166870fadee986fb36be80019d3bcdb69e5) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: fix CVE-2023-36664Archana Polampalli2023-07-263-0/+208
| | | | | | | | | | | | | | | | | Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36664 Upstream patches: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=fb342fdb60391073a69147cb71af1ac416a81099 (From OE-Core rev: cd3921215cb782ecc9aeda5bb3b76863911bcb61) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* unzip: fix configure check for cross compilationChen Qi2023-07-212-0/+104
| | | | | | | | | | | | | | The original configure runs a generated binary to determine features. This is not correct for cross compilation. So change the runtime tests into compile-time tests to fix the issue. (From OE-Core rev: 7d99f3a9a2a74fe2e8753b00553f07f305d14c87) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b9aca339b59238988c48b90ea5019bfc939ba4b3) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* zip: fix configure check by using _Static_assertChen Qi2023-07-212-0/+97
| | | | | | | | | | | | | | | It's incorrect to run a cross-compiled program on build machine to check if some feature is available or not. As these two checks in zip are basically just checking the size, we can use _Static_assert and sizeof to do such check at compile time. (From OE-Core rev: 6f5986fb520ab89b0950d3e0fa8492de4de7798f) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit dda778d855b1838ae3004a9af310724b913490b4) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* logrotate: Do not create logrotate.status fileJermain Horsman2023-07-211-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | The first time logrotate runs it reports an error: error: state file /var/lib/logrotate.status is world-readable and thus can be locked from other unprivileged users. Skipping lock acquisition... This check was added with https://github.com/logrotate/logrotate/commit/1f76a381e2caa0603ae3dbc51ed0f1aa0d6658b9 This error is only reported once as logrotate removes the world-readable permissions if this happens. Since logrotate creates this file if it does not exist, there should be no need to install it in the first place. (From OE-Core rev: fbfd62ac655cf00b8f7c8fc832ce7434ad4966a3) Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 8169cd2d18f1569e4357f082adbef492710e8c36) Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* wget: upgrade 1.21.3 -> 1.21.4Alexander Kanavin2023-07-212-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Stable version release Noteworthy changes in release 1.21.4 (2023-05-11) ** Document --retry-on-host-error in help text ** Increase read buffer size to 64k. This should speed up downloads on gigabit and faster connections ** Update deprecated option '--html-extension' to '--adjust-extension' in documentation ** Update gnulib compatibility layer. Fixes HSTS test failures on i686. (Thanks to Andreas Enge for ponting it out) License-Update: copyright years (From OE-Core rev: 024feac4827dc847ba83a64de82cef524156a9ea) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 67ec2d5bab891cb92af9ca32304a4927daf51ed0) Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit 4e7ec4bef86c79b4221a800ace700c58ce033de1) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tzdata: upgrade to 2023cRoss Burton2023-07-213-306/+3
| | | | | | | | | | | Drop a backport patch as it is now integrated. (From OE-Core rev: 134bac52904722cd63fde07f5784c0cca3fbcb05) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 80d26d1da47dcd9213a7083d9493a7bce0897a57) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cups: fix CVE-2023-34241 use-after-free in cupsdAcceptClient() in ↵Vivek Kumbhar2023-07-122-0/+69
| | | | | | | | | scheduler/client.c (From OE-Core rev: 9a6c7442ac2fc2ce668d0c931696d39288ee3d4a) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cpio: Replace fix wrong CRC with ASCII CRC for large files with upstream ↵Marek Vasut2023-07-124-40/+372
| | | | | | | | | | | | | backport Replace the original "Wrong CRC with ASCII CRC for large files" patch with upstream backport, and add additional fix on top of the same problem which upstream detected and fixed. (From OE-Core rev: 727f301e4888c8f59cfc2d8768d02bb52ce23784) Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* minicom: remove unused patch filesMartin Jansa2023-07-013-114/+0
| | | | | | | | | | | | | | * they were removed from SRC_URI in: https://git.openembedded.org/openembedded-core/commit/?id=41f8760dd8a8ac388389bc17dbc5e0ae0f64bf57 (From OE-Core rev: 094d2341240fc09a91fea7bea1b3c51a08ad9817) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit a0f28cd8d01f4faeedc1089e5d1e2dacc5b046f9) Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit 4395c783e544de30f650459677055737148ea261) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* psmisc: Set ALTERNATIVE for pstree to resolve conflict with busyboxFrieder Schrempf2023-07-011-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | If pstree in busybox is enabled there is a conflict with pstree from psmisc resulting in: do_rootfs: Postinstall scriptlets of ['busybox'] have failed. If the intention is to defer them to first boot, then please place them into pkg_postinst_ontarget:${PN} (). Deferring to first boot via 'exit 1' is no longer supported. And more detailed in do_rootfs.log: update-alternatives: Error: not linking [...]/rootfs/usr/bin/pstree to /bin/busybox.nosuid since [...]/rootfs/usr/bin/pstree exists and is not a link On order to fix this set ALTERNATIVE:pstree accordingly. (From OE-Core rev: b40a33f0665c7086e806da4f670a3eb25351216c) Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit deb2176df76dcb16c0d90072ad63d308a0ab1158) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cups: Fix CVE-2023-32324Sanjay Chitroda2023-06-212-0/+37
| | | | | | | | | | | | | | | | | | | | | | | OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication. References: https://nvd.nist.gov/vuln/detail/CVE-2023-32324 https://security-tracker.debian.org/tracker/CVE-2023-32324 Upstream Patch: https://github.com/OpenPrinting/cups/commit/fd8bc2d32589 (From OE-Core rev: cf741646f41835024c7e53234cfd527ff3f8542b) Signed-off-by: Sanjay Chitroda <schitrod@cisco.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sysstat: Fix CVE-2023-33204Hitendra Prajapati2023-06-142-2/+83
| | | | | | | | | Upstream-Status: Backport from https://github.com/sysstat/sysstat/commit/954ff2e2673c (From OE-Core rev: d4ee3ad88392dbcb4284be48ef9fd0bbff979cca) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cpio: Fix wrong CRC with ASCII CRC for large filesMarek Vasut2023-05-302-0/+40
| | | | | | | | | | | | | | | | Due to signedness, the checksum is not computed when filesize is bigger a 2GB. Pick a fix for this problem from CPIO ML, where the fix has been posted for 5 years. Since CPIO upstream is effectively unresponsive and any and all attempts to communicate with the maintainer and get the fix applied upstream failed, add the fix here instead. (From OE-Core rev: bfff138af4bdd356ac66571e6ad91c1a5599b935) (From OE-Core rev: 8320097487cc46045482f5d0d41ad799a2435bce) Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libpam: Fix the xtests/tst-pam_motd[1|3] failuresZhixiong Chi2023-05-122-0/+109
| | | | | | | | | | | | | | | | | | Reproducer: 1.Enable the ptest of libpam and build the image. 2.Boot the rootfs with nfs, then run the following tests as root: cd /usr/share/Linux-PAM/xtests /usr/share/Linux-PAM/xtests# ./run-xtests.sh . tst-pam_motd1 /usr/share/Linux-PAM/xtests# ./run-xtests.sh . tst-pam_motd3 After applying this patch, the ptest doesn't be failed. (From OE-Core rev: 928b7e880e6a5d1b807cb7f605649233c7195578) Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> (cherry picked from commit 549e54ad6a175359b0a57987ccdab8989df9d3a9) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libarchive: Enable acls, xattr for native as well as targetPiotr Łobacz2023-05-121-5/+1
| | | | | | | | | | | | | | | | | Libarchive is being used by OPKG package manager as default API for extracting tar files. This fix allows us to extract ipks packages with preserved ACLs and xattrs. Partially addresses [YOCTO #15091] [RP: Merge into main PACKAGECONFIG and tweak commit message] (From OE-Core rev: b1f80f0a2bf30698192c7a214c5802b76464d095) Signed-off-by: Piotr Łobacz <p.lobacz@welotec.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 913aad1ac013368aef8f6af332588ef24bba46bd) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: fix CVE-2023-29979Joe Slater2023-05-032-0/+61
| | | | | | | | | Backport from 10.02.0 (unreleased). (From OE-Core rev: 6d5baff50aa83c663856cccc375c522add97625e) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDsHitendra Prajapati2023-04-262-0/+41
| | | | | | | | | Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/screen.git/commit/?id=e9ad41bfedb4537a6f0de20f00b27c7739f168f7 (From OE-Core rev: cf6348b5778c9409fc330808effc69e9939e6857) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* shadow: backport patch to fix CVE-2023-29383Xiangyu Chen2023-04-263-0/+120
| | | | | | | | | | | The fix of CVE-2023-29383.patch contains a bug that it rejects all characters that are not control ones, so backup another patch named "0001-Overhaul-valid_field.patch" from upstream to fix it. (From OE-Core rev: ab48ab23de6f6bb1f05689c97724140d4bef8faa) Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cracklib: update github branch to 'main'Tim Orling2023-03-281-1/+1
| | | | | | | | | | (From OE-Core rev: 58dfc69f522a8f135575c85cc0e6b50405ed4acc) Signed-off-by: Tim Orling <tim.orling@konsulko.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit ab041ca5d036c2a1a1514893c6ffb5c7188ff00f) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzcode-native: fix build with gcc-13 on hostMartin Jansa2023-03-282-0/+303
| | | | | | | | | | | | | | | | | | | * passing -std=c2x to avoid build failure with gcc-13 on host works as well, but the resulting zic then segfaults when used in tzdata, use a fix from upstream instead * reported upstream in https://mm.icann.org/pipermail/tz/2023-March/032690.html * fixes: http://errors.yoctoproject.org/Errors/Details/697913/ (From OE-Core rev: ac9550404d14e3676ffcbac0344ded27555adf9e) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 5dabf677f38c209fb6a8ba837d5a66fd89f57d4d) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: use separate B instead of WORKDIR for zic outputMartin Jansa2023-03-281-5/+9
| | | | | | | | | | | | | * avoid copying whole exec_prefix over base_prefix as there were only zoneinfo files anyway (From OE-Core rev: cf96296296a71d0d164f4e528991f0946efe9b29) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 37846f8735683ed0fab5ef5c12d77c6041348801) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* timezone: use 'tz' subdir instead of ${WORKDIR} directlyMartin Jansa2023-03-283-7/+4
| | | | | | | | | | (From OE-Core rev: 8e047570ca28be2f3761d0944eaa17b64142262b) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit bc53ccaf82c57826acac5f9c2557e403ec367807) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cups: add/fix web interface packagingTrevor Woerner2023-03-231-7/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | cups includes a web server. Users can surf to port 631 (default) of a machine running cups to (potentially, based on configuration, default off) view jobs, add printers, and perform other forms of administration. The location of the various resources that are used by the built-in web server (e.g. index.html) are installed under ${datadir}/doc/cups. By default these artifacts would be included in the ${PN}-doc package. The comments in this recipe, however, would suggest an attempt was made to have them added to ${PN}; albeit unsuccessfully. These resources add roughly 1.8M to an image. Since cups does include a configuration option to disable the web interface (--enable-webif), add a PACKAGECONFIG (default off) to allow the user to decide whether or not they would like the web interface configured and its pieces added to the image. Enabling this PACKAGECONFIG both enables the web interface to be configured and built into cups, and also adds (by way of a recommendation) the web interface package to the image. Considering that the previous intention was not working, defaulting this option to off preserves the existing behaviour. Previously in order to have the web interface data included in an image, a user would have needed to explicitly add the ${PN}-doc package to their image. (From OE-Core rev: 18194378508beda1ca1fee84e10351b5bf0d86a5) Signed-off-by: Trevor Woerner <twoerner@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 2c9bd267ec532cd86a4a1be1d4e499e2aae89aba) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cups: check PACKAGECONFIG for pam featureTrevor Woerner2023-03-231-1/+1
| | | | | | | | | | | | | | | | The cups' PACKAGECONFIG is populated based on DISTRO_FEATURES, but a user is free to enable or disable PACKAGECONFIGs at will. In theory it is possible that pam is enabled globally in DISTRO_FEATURES but disabled in cups' PACKAGECONFIG. Checking the PACKAGECONFIG to determine whether or not pam is enabled would be a safer check rather than relying on DISTRO_FEATURES. (From OE-Core rev: 7b23927a72a1f8b91802f5b2ca10f2cea239bd47) Signed-off-by: Trevor Woerner <twoerner@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit a053dd177ddc99ced11e68914079be0ffe261262) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cups: use BUILDROOT instead of DESTDIRTrevor Woerner2023-03-231-1/+1
| | | | | | | | | | | | | | | | | | | | The cups documentation is clear that the correct way to install into an alternate root directory is to use the BUILDROOT variable. From INSTALL.md: Use the `BUILDROOT` variable to install to an alternate root directory: make BUILDROOT=/some/other/root/directory install DESTDIR works, but we should use the mechanism the project specifically created for this purpose. (From OE-Core rev: a42066657c002679adcb471f329f09c8996e1b64) Signed-off-by: Trevor Woerner <twoerner@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit f8fc70674e0ea5df46969a06da62f8ed135cae4e) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* mdadm: Fix raid0 testsMingli Yu2023-03-235-0/+227
| | | | | | | | | | | | | | | Backport patches to fix raid0 tests: tests/00raid0 tests/00readonly tests/03r0assem tests/04r0update tests/04update-metadata (From OE-Core rev: a5c38968e1a188f7d186c42c38ee49fb749f2b97) Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* mdadm: fix tests/02lineargrowMingli Yu2023-03-232-0/+34
| | | | | | | | | | | | Backport patch [1] to fix tests/02lineargrow. [1] https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=a2c832465fc75202e244327b2081231dfa974617 (From OE-Core rev: 3c2d554f141eb64785e86c8d1e5d85c65caaf322) Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* mdadm: Fix testcase 06wrmostlyMingli Yu2023-03-232-0/+46
| | | | | | | | | | | | Backport patch [1] to fix the failure of the 06wrmostly test. [1] https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/commit/?id=41edf6f45895193f4a523cb0a08d639c9ff9ccc9 (From OE-Core rev: 9c73484cb12f39662a8f10027a55c63b95373066) Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sudo: update 1.9.12p2 -> 1.9.13p3Xiangyu Chen2023-03-203-12/+13
| | | | | | | | | | License-update: copyright years, formatting. (From OE-Core rev: b307a79caff34c0b23c72a5349f6800c48527635) Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* shadow: ignore CVE-2016-15024Ross Burton2023-03-201-0/+3
| | | | | | | | | | | | | This recently got an updated CPE which matches this recipe, but the issue is related to an entirely different shadow project so ignore it. (From OE-Core rev: d0b1f61eb1fadf44b2e4fba13b6a94140cf029db) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 2331e98abb09cbcd56625d65c4e5d258dc29dd04) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* less: backport the fix for CVE-2022-46663Hitendra Prajapati2023-03-092-0/+32
| | | | | | | | | | Upstream-Status: Backport from https://github.com/gwsw/less/commit/a78e1351113cef564d790a730d657a321624d79c (From OE-Core rev: 6cec065d795a562460c422947ac70c4a6f3f3175) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sudo: upgrade 1.9.12p1 -> 1.9.12p2Alexander Kanavin2023-02-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | Changes: Fixed a compilation error on Linux/aarch64. GitHub issue #197. Fixed a potential crash introduced in the fix GitHub issue #134. If a user’s sudoers entry did not have any RunAs user’s set, running sudo -U otheruser -l would dereference a NULL pointer. Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from creating a I/O files when the iolog_file sudoers setting contains six or more Xs. Fixed a compilation issue on AIX with the native compiler. GitHub issue #231. Fixed CVE-2023-22809, a flaw in sudo’s -e option (aka sudoedit) that could allow a malicious user with sudoedit privileges to edit arbitrary files (From OE-Core rev: fce9cdb15789778fe2525b99c968bbf9a84102ac) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 5a3f5f4f607f5e06af772287109b68579154fb2f) Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit cd1b6167242003c79b39d8761ea0f36db41f0671) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* diffutils: update 3.8 -> 3.9Alexander Kanavin2023-02-243-41/+6
| | | | | | | | | | | | | | | | | | | | | | | | | NEWS * Noteworthy changes in release 3.9 (2023-01-15) [stable] ** Bug fixes diff -c and -u no longer output incorrect timezones in headers on platforms like Solaris where struct tm lacks tm_gmtoff. [bug#51228 introduced in 3.4] Drop patch as issue fixed upstream. (From OE-Core rev: 686bb89d7553f48c029b6f6d79c88304f2dc0c55) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e5ec5de7217de28bccf3243496df6b41ca8a1d0b) Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit 6bf52987a82370a1353399a480271a76237e7619) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tar: CVE-2022-48303Rodolfo Quesada Zumbado2023-02-242-1/+46
| | | | | | | | | | | | | | | | | | | | | | | Fixes CVE-2022-48303 by checking Base-256 encoding is at least 2 bytes long. GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-48303 Upstream patch: https://savannah.gnu.org/bugs/?62387 https://git.savannah.gnu.org/cgit/tar.git/patch/src/list.c?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8 (From OE-Core rev: 231360a55bf1b96d6bb1cf94820b08788677c58b) Signed-off-by: Rodolfo Quesada Zumbado <rodolfo.zumbado@windriver.com> Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lsof: fix old override syntaxUlrich Ölmann2023-02-151-1/+1
| | | | | | | | | | (From OE-Core rev: df20b7539b11140ac33eb2f45301b4db85d1ccae) Signed-off-by: Ulrich Ölmann <u.oelmann@pengutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 052f767f85eddab9b6e5d78268d2732f4a65d446) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libtirpc: Check if file exists before operating on itKhem Raj2023-02-041-1/+1
| | | | | | | | | | | | | In some cases (e.g. mingw) this file may not be installed (From OE-Core rev: f8dba1173dc42dd72c231fc291b2f7b44d828905) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 547f3a13ee9268bbdd439c96108ba1fe9ab78873) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* at: Change when files are copiedSaul Wold2023-01-261-2/+4
| | | | | | | | | | | | | | | | The create_spdx code relies on patched code, if files are changed or added during the do_configure phase they will be missed by the create_spdx process. So we need to ensure files modifications/additions happen in the do_patch phase. (From OE-Core rev: 6f44b146f0875c588252b5c3b2015a621eba86ab) Signed-off-by: Saul Wold <saul.wold@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 227c46fe48b64de7574f7b6b407b8c13be71b392) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libarchive: upgrade 3.6.1 -> 3.6.2Alexander Kanavin2023-01-152-47/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Libarchive 3.6.2 is a bugfix and security release. Important security fixes: NULL pointer dereference vulnerability in archive_write.c (#1754, #1759, CVE-2022-36227) Important bug fixes: include ZSTD in Windows builds (#1688) SSL fixes on Windows (#1714, #1723, #1724) rar5 reader: fix possible garbled output with bsdtar -O (#1745) mtree reader: support reading mtree files with tabs (#1783) various small fixes for issues found by CodeQL Use --without-iconv as otherwise autotools write a bogus iconv dependency into .pc file. (From OE-Core rev: 41e1b4c29e45a9022eea8f89dfb09b6eb2eae60b) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit edce1bce81fe2f47fb2c5e2b94ebda73f95cbaea) Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit 93b972845a28b62ea01ee0f4a1e043bd58fc0892) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tzdata: update 2022d -> 2022gAlexander Kanavin2023-01-061-4/+3
| | | | | | | | | | (From OE-Core rev: e9f8a4ce08b7abe1232e807949cf8fbd06a929cc) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 2394a481db1b41ad4581e22ba901ac76fa7b3dcd) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libnewt: update 0.52.21 -> 0.52.23Alexander Kanavin2023-01-063-40/+7
| | | | | | | | | | (From OE-Core rev: 95a1668668ad962a3cb8676f08d1bb568f12436f) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit ff12622451f1f8580f928c6771cd82daa632071c) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lsof: add update-alternatives logicAlex Stewart2022-12-231-0/+9
| | | | | | | | | | | | | | | | | | | | Some distributions (NI LinuxRT) provide both busybox-lsof and full-featured lsof implementations. When users install the full-featured lsof package, the full-binary fails to replace the bbox-binary in PATH, because `lsof` contains no update-alternatives logic. Inherit the update-alternatives bbclass and assert that the full-featured lsof package has higher priority than the busybox implementation. Co-Authored-By: Kyle Roeschley <kyle.roeschley@ni.com> (From OE-Core rev: 750f4e17f63cf957076c13c53139ddaab1617597) Signed-off-by: Alex Stewart <alex.stewart@ni.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit e2893fa692a6e91eee09fc04c8c03fe27c718a58) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bc: extend to nativesdkChen Qi2022-12-231-1/+1
| | | | | | | | | | | | | | | | | bc is needed for compiling kernel modules, more specifially whenr running `make scripts prepare'. In linux-yocto.inc, we have bc-native in DEPENDS. But we will need nativesdk-bc in case we compile a kernel module inside SDK. (From OE-Core rev: 713ebd37cb740ebd1f3f57d14f4448ded8a5fe3c) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 95b5c89066baccb1e64bfba7d9a66feeeb086da9) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* sysstat: fix CVE-2022-39377Xiangyu Chen2022-12-132-1/+95
| | | | | | | | (From OE-Core rev: caf40fd28424aa583c18f9235d6d28651cc419b9) Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.cHitendra Prajapati2022-12-132-1/+45
| | | | | | | | | | Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5 (From OE-Core rev: e723e791b4faa3d5c755b4669b0901ebd0c368c9) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>