From 3750a3439399b06688191fd49052d0efbd501c06 Mon Sep 17 00:00:00 2001
From: akash hadke
Date: Sat, 31 Aug 2024 00:00:54 +0530
Subject: [PATCH 01/52] python3-flatbuffers: provide nativesdk support

nativesdk support is needed in some of the projects for codegeneration

Signed-off-by: Nisha Parrakat
Signed-off-by: Akash Hadke
Signed-off-by: Armin Kuster
---
 meta-oe/recipes-devtools/flatbuffers/python3-flatbuffers.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-oe/recipes-devtools/flatbuffers/python3-flatbuffers.bb b/meta-oe/recipes-devtools/flatbuffers/python3-flatbuffers.bb
index 5d3c73fd9a9..1fab013580c 100644
--- a/meta-oe/recipes-devtools/flatbuffers/python3-flatbuffers.bb
+++ b/meta-oe/recipes-devtools/flatbuffers/python3-flatbuffers.bb
@@ -12,4 +12,4 @@ RDEPENDS:${PN} = "flatbuffers"
 inherit setuptools3
-BBCLASSEXTEND = "native"
+BBCLASSEXTEND = "native nativesdk"

From f88706fe2f81f7ec6c98e6313acbefc89370bcb5 Mon Sep 17 00:00:00 2001
From: Soumya Sambu
Date: Tue, 3 Sep 2024 12:52:59 +0000
Subject: [PATCH 02/52] python3-flask-cors: Fix CVE-2024-6221

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions. References: https://nvd.nist.gov/vuln/detail/CVE-2024-6221
Upsteam-Patch: https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec

Signed-off-by: Soumya Sambu
Signed-off-by: Armin Kuster
---
 .../python3-flask-cors/CVE-2024-6221.patch | 110 ++++++++++++++++++
 .../python/python3-flask-cors_4.0.0.bb | 4 +
 2 files changed, 114 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch
diff --git a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch new file mode 100644 index 00000000000..9049b2ffe67 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch 
@@ -0,0 +1,110 @@ +From 7ae310c56ac30e0b94fb42129aa377bf633256ec Mon Sep 17 00:00:00 2001 +From: Adriano Sela Aviles +Date: Fri, 30 Aug 2024 12:14:31 -0400 +Subject: [PATCH] Backwards Compatible Fix for CVE-2024-6221 (#363) + +CVE: CVE-2024-6221 + +Upstream-Status: Backport [https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec] + +Signed-off-by: Soumya Sambu +--- + docs/configuration.rst | 14 ++++++++++++++ + flask_cors/core.py | 8 +++++--- + flask_cors/extension.py | 16 ++++++++++++++++ + 3 files changed, 35 insertions(+), 3 deletions(-) + +diff --git a/docs/configuration.rst b/docs/configuration.rst +index 91282d3..c750cf4 100644 +--- a/docs/configuration.rst ++++ b/docs/configuration.rst +@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`) + Headers to accept from the client. + Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header. + ++CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`) ++ If True, the response header :http:header:`Access-Control-Allow-Private-Network` ++ will be set with the value 'true' whenever the request header ++ :http:header:`Access-Control-Request-Private-Network` has a value 'true'. ++ ++ If False, the reponse header :http:header:`Access-Control-Allow-Private-Network` ++ will be set with the value 'false' whenever the request header ++ :http:header:`Access-Control-Request-Private-Network` has a value of 'true'. ++ ++ If the request header :http:header:`Access-Control-Request-Private-Network` is ++ not present or has a value other than 'true', the response header ++ :http:header:`Access-Control-Allow-Private-Network` will not be set. ++ + CORS_ALWAYS_SEND (:py:class:`bool`) + Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS. 
+ This means we can ignore this request. +@@ -83,6 +96,7 @@ Default values + ~~~~~~~~~~~~~~ + + * CORS_ALLOW_HEADERS: "*" ++* CORS_ALLOW_PRIVATE_NETWORK: True + * CORS_ALWAYS_SEND: True + * CORS_AUTOMATIC_OPTIONS: True + * CORS_EXPOSE_HEADERS: None +diff --git a/flask_cors/core.py b/flask_cors/core.py +index 5358036..bd011f4 100644 +--- a/flask_cors/core.py ++++ b/flask_cors/core.py +@@ -36,7 +36,7 @@ CONFIG_OPTIONS = ['CORS_ORIGINS', 'CORS_METHODS', 'CORS_ALLOW_HEADERS', + 'CORS_MAX_AGE', 'CORS_SEND_WILDCARD', + 'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER', + 'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS', +- 'CORS_ALWAYS_SEND'] ++ 'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK'] + # Attribute added to request object by decorator to indicate that CORS + # was evaluated, in case the decorator and extension are both applied + # to a view. +@@ -56,7 +56,8 @@ DEFAULT_OPTIONS = dict(origins='*', + vary_header=True, + resources=r'/*', + intercept_exceptions=True, +- always_send=True) ++ always_send=True, ++ allow_private_network=True) + + + def parse_resources(resources): +@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method): + + if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \ + and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true': +- headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true' ++ allow_private_network = 'true' if options.get('allow_private_network') else 'false' ++ headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network + + # This is a preflight request + # http://www.w3.org/TR/cors/#resource-preflight-requests +diff --git a/flask_cors/extension.py b/flask_cors/extension.py +index c00cbff..694953f 100644 +--- a/flask_cors/extension.py ++++ b/flask_cors/extension.py +@@ -136,6 +136,22 @@ class CORS(object): + + Default : True + :type vary_header: bool ++ ++ :param allow_private_network: ++ If True, the response header `Access-Control-Allow-Private-Network` ++ will be set with the value 'true' whenever 
the request header ++ `Access-Control-Request-Private-Network` has a value 'true'. ++ ++ If False, the reponse header `Access-Control-Allow-Private-Network` ++ will be set with the value 'false' whenever the request header ++ `Access-Control-Request-Private-Network` has a value of 'true'. ++ ++ If the request header `Access-Control-Request-Private-Network` is ++ not present or has a value other than 'true', the response header ++ `Access-Control-Allow-Private-Network` will not be set. ++ ++ Default : True ++ :type allow_private_network: bool + """ + + def __init__(self, app=None, **kwargs): +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb index 1d0d86b4e7a..77b51c55156 100644 --- a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb +++ b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb @@ -9,6 +9,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce" PYPI_PACKAGE = "Flask-Cors" +SRC_URI += " \ + file://CVE-2024-6221.patch \ +" + SRC_URI[sha256sum] = "f268522fcb2f73e2ecdde1ef45e2fd5c71cc48fe03cffb4b441c6d1b40684eb0" inherit pypi setuptools3 From 1d85f631925812cc146b5e9aa5a49bd2d4080539 Mon Sep 17 00:00:00 2001 
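Review bot: The backport leaves `allow_private_network=True` in `DEFAULT_OPTIONS` (core.py hunk at `DEFAULT_OPTIONS = dict(...)`) and documents `CORS_ALLOW_PRIVATE_NETWORK: True` as the default, so a build that only applies this patch still answers `Access-Control-Allow-Private-Network: true` to every request that asks for it; the exposure the commit message describes is closed only when an application sets `CORS_ALLOW_PRIVATE_NETWORK = False`. That is consistent with the upstream title "Backwards Compatible Fix", but the recipe gives no hint of it, so a one-line recipe comment next to the `SRC_URI` entry, e.g. `# CVE-2024-6221: backport adds CORS_ALLOW_PRIVATE_NETWORK as an opt-out; the default remains True`, would keep integrators from assuming the CVE is closed by default. The commit message also cites version 4.0.1 while the recipe is 4.0.0; the hunks touch only the option table and the `get_cors_headers` branch, so they presumably apply cleanly, but that is worth confirming in the description. The `reponse` typo in both the rst and the docstring comes from upstream and is best left byte-identical so the patch stays a pure backport.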
From: Martin Jansa
Date: Tue, 3 Sep 2024 18:05:51 +0200
Subject: [PATCH 03/52] Revert "gcab: ignore buildpaths error from sources"

This reverts commit e11df061339051eda38750fa75429778d3d8dbb4. This isn't needed in scarthgap where buildpaths aren't in default ERROR_QA and it's not a correct fix anyway, see https://lists.openembedded.org/g/openembedded-devel/message/112048 This doesn't work with multilib where the package is named ${PN}-src (e.g. lib32-gcab-src) and it's better to just lower buildpaths from ERROR_QA to WARN_QA instead of skipping it completely, because it's still an issue which should be fixed (at least to improve hashserv efficiency if you don't care about reproducibility itself) and commits in master: https://git.openembedded.org/meta-openembedded/commit/?id=154f5bb1342739d88185ac0cce9c15b7b2958187 https://git.openembedded.org/meta-openembedded/commit/?id=6644c4a420db82da1ce71697ff889e7b1b6e41ad

Signed-off-by: Martin Jansa
Signed-off-by: Armin Kuster
---
 meta-oe/recipes-gnome/gcab/gcab_1.6.bb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/meta-oe/recipes-gnome/gcab/gcab_1.6.bb b/meta-oe/recipes-gnome/gcab/gcab_1.6.bb
index 49c64f0ba6b..4278fc94539 100644
--- a/meta-oe/recipes-gnome/gcab/gcab_1.6.bb
+++ b/meta-oe/recipes-gnome/gcab/gcab_1.6.bb
@@ -22,6 +22,3 @@ PACKAGECONFIG[nls] = "-Dnls=true,-Dnls=false"
 PACKAGECONFIG[tests] = "-Dtests=true -Dinstalled_tests=true,-Dtests=false -Dinstalled_tests=false"
 BBCLASSEXTEND = "native"
-
-# meson embeds absolute paths to generated files on purpose
-INSANE_SKIP:gcab-src += "buildpaths"

From e5c0a0be96eb549858a987b353263c877eae275e Mon Sep 17 00:00:00 2001
From: Changqing Li Date: Tue, 3 Sep 2024 12:52:47 +0800 Subject: [PATCH 04/52] mariadb: fix runtime failure on riscv Starting with Linux 6.6, RDCYCLE is a privileged instruction on RISC-V and can't be used directly from userland. This causes 'systemctl start mysqld.service' failed with error: [ 1456.918172] mariadbd[12115]: unhandled signal 4 code 0x1 at 0x000055558689d134 in mariadbd[555585bfa000+14a7000] [ 1456.921772] CPU: 1 PID: 12115 Comm: mariadbd Not tainted 6.6.43-yocto-standard #1 [ 1456.922327] Hardware name: riscv-virtio,qemu (DT) [ 1456.923045] epc : 000055558689d134 ra : 000055558620ea48 sp : 00007fffdc487770 [ 1456.923525] gp : 00005555872ec400 tp : 00007fff89560780 t0 : 0000555587be32e8 [ 1456.923951] t1 : 0000555586886042 t2 : 000000002d6a89f0 s0 : 00007fffdc4877b0 Signed-off-by: Changqing Li Signed-off-by: Armin Kuster --- meta-oe/recipes-dbs/mysql/mariadb.inc | 1 + ...RISC-V-use-RDTIME-instead-of-RDCYCLE.patch | 66 +++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-RISC-V-use-RDTIME-instead-of-RDCYCLE.patch diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc index 33da32fb286..124a49ff960 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb.inc +++ b/meta-oe/recipes-dbs/mysql/mariadb.inc @@ -25,6 +25,7 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \ file://0001-Add-missing-includes-cstdint-and-cstdio.patch \ file://0001-Remove-the-compile_time_assert-lines.patch \ file://0001-MDEV-33439-Fix-build-with-libxml2-2.12.patch \ + file://0001-RISC-V-use-RDTIME-instead-of-RDCYCLE.patch \ " SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch" SRC_URI[sha256sum] = "5239a245ed90517e96396605cd01ccd8f73cd7442d1b3076b6ffe258110e5157" 
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-RISC-V-use-RDTIME-instead-of-RDCYCLE.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-RISC-V-use-RDTIME-instead-of-RDCYCLE.patch new file mode 100644 index 00000000000..25a2c399cc9 --- /dev/null +++ b/meta-oe/recipes-dbs/mysql/mariadb/0001-RISC-V-use-RDTIME-instead-of-RDCYCLE.patch 
@@ -0,0 +1,66 @@ +From 342f0dd9b4f9fc49dcb589cd98933ea330de55d8 Mon Sep 17 00:00:00 2001 +From: Aurelien Jarno +Date: Thu, 4 Jan 2024 11:30:34 +0100 +Subject: [PATCH] RISC-V: use RDTIME instead of RDCYCLE + +Starting with Linux 6.6 [1], RDCYCLE is a privileged instruction on +RISC-V and can't be used directly from userland. There is a sysctl +option to change that as a transition period, but it will eventually +disappear. + +Use RDTIME instead, which while less accurate has the advantage of being +synchronized between CPU (and thus monotonic) and of constant frequency. + +[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc4c07c89aada16229084eeb93895c95b7eabaa3 + +Upstream-Status: Backport [https://github.com/MariaDB/server/commit/656f8867720efc1b4dd0969319f35a3e1a2a005e] +Signed-off-by: Changqing Li +--- + include/my_rdtsc.h | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/include/my_rdtsc.h b/include/my_rdtsc.h +index 8b9b0046bc0..21e44847d9a 100644 +--- a/include/my_rdtsc.h ++++ b/include/my_rdtsc.h +@@ -111,7 +111,7 @@ C_MODE_START + On AARCH64, we use the generic timer base register. We override clang + implementation for aarch64 as it access a PMU register which is not + guaranteed to be active. +- On RISC-V, we use the rdcycle instruction to read from mcycle register. ++ On RISC-V, we use the rdtime instruction to read from mtime register. + + Sadly, we have nothing for the Digital Alpha, MIPS, Motorola m68k, + HP PA-RISC or other non-mainstream (or obsolete) processors. +@@ -211,15 +211,15 @@ static inline ulonglong my_timer_cycles(void) + } + #elif defined(__riscv) + #define MY_TIMER_ROUTINE_CYCLES MY_TIMER_ROUTINE_RISCV +- /* Use RDCYCLE (and RDCYCLEH on riscv32) */ ++ /* Use RDTIME (and RDTIMEH on riscv32) */ + { + # if __riscv_xlen == 32 + ulong result_lo, result_hi0, result_hi1; + /* Implemented in assembly because Clang insisted on branching. 
*/ + __asm __volatile__( +- "rdcycleh %0\n" +- "rdcycle %1\n" +- "rdcycleh %2\n" ++ "rdtimeh %0\n" ++ "rdtime %1\n" ++ "rdtimeh %2\n" + "sub %0, %0, %2\n" + "seqz %0, %0\n" + "sub %0, zero, %0\n" +@@ -228,7 +228,7 @@ static inline ulonglong my_timer_cycles(void) + return (static_cast(result_hi1) << 32) | result_lo; + # else + ulonglong result; +- __asm __volatile__("rdcycle %0" : "=r"(result)); ++ __asm __volatile__("rdtime %0" : "=r"(result)); + return result; + } + # endif +-- +2.25.1 + From 4f0f1bd855ff14c2434c25d72a79f99173bef487 Mon Sep 17 00:00:00 2001 From: Vijay Anusuri Date: Mon, 9 Sep 2024 16:47:36 +0530 Subject: [PATCH 05/52] wireshark: upgrade 4.2.5 -> 4.2.7 CVE's fixed by upgrade: CVE-2024-8250 Other Changes between 4.2.5 -> 4.2.7 ====================================== https://www.wireshark.org/docs/relnotes/wireshark-4.2.7.html https://www.wireshark.org/docs/relnotes/wireshark-4.2.6.html Signed-off-by: Vijay Anusuri Signed-off-by: Armin Kuster --- .../wireshark/{wireshark_4.2.5.bb => wireshark_4.2.7.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-networking/recipes-support/wireshark/{wireshark_4.2.5.bb => wireshark_4.2.7.bb} (97%) diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.5.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb similarity index 97% rename from meta-networking/recipes-support/wireshark/wireshark_4.2.5.bb rename to meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb index 7cbe3e6324f..b80710683cb 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_4.2.5.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb @@ -17,7 +17,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/wireshark-${PV}.tar.xz \ UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -SRC_URI[sha256sum] = "55e793ab87a9a73aac44336235c92cb76c52180c469b362ed3a54f26fbb1261f" +SRC_URI[sha256sum] = "2c5de08e19081bd666a2ce3f052c023274d06acaabc5d667a3c3051a9c618f86" PE = "1" 
From a89f9b2db0744bdda6e1e3d4482891860e6d7893 Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Mon, 9 Sep 2024 20:31:27 +0530 Subject: [PATCH 06/52] postgresql: Backport fix for CVE-2024-7348 Upstream-Status: Backport []https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=79c7a7e29695a32fef2e65682be224b8d61ec972 Signed-off-by: Ashish Sharma Signed-off-by: Armin Kuster --- .../postgresql/files/CVE-2024-7348.patch | 583 ++++++++++++++++++ .../recipes-dbs/postgresql/postgresql_16.3.bb | 1 + 2 files changed, 584 insertions(+) create mode 100644 meta-oe/recipes-dbs/postgresql/files/CVE-2024-7348.patch diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2024-7348.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2024-7348.patch new file mode 100644 index 00000000000..10c2fa3efe8 --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2024-7348.patch 
@@ -0,0 +1,583 @@ +From 6aba85a4b0a0e60126cc7c598b3e010e272516ec Mon Sep 17 00:00:00 2001 +From: Masahiko Sawada +Date: Mon, 5 Aug 2024 06:05:28 -0700 +Subject: [PATCH] Restrict accesses to non-system views and foreign tables + during pg_dump. + +When pg_dump retrieves the list of database objects and performs the +data dump, there was possibility that objects are replaced with others +of the same name, such as views, and access them. This vulnerability +could result in code execution with superuser privileges during the +pg_dump process. + +This issue can arise when dumping data of sequences, foreign +tables (only 13 or later), or tables registered with a WHERE clause in +the extension configuration table. + +To address this, pg_dump now utilizes the newly introduced +restrict_nonsystem_relation_kind GUC parameter to restrict the +accesses to non-system views and foreign tables during the dump +process. This new GUC parameter is added to back branches too, but +these changes do not require cluster recreation. + +Back-patch to all supported branches. 
+ +Reviewed-by: Noah Misch +Security: CVE-2024-7348 +Backpatch-through: 12 + +Upstream-Status: Backport from [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=79c7a7e29695a32fef2e65682be224b8d61ec972] +CVE: CVE-2024-7348 +Signed-off-by: Ashish Sharma + + .../postgres_fdw/expected/postgres_fdw.out | 11 ++++ + contrib/postgres_fdw/sql/postgres_fdw.sql | 8 +++ + doc/src/sgml/config.sgml | 17 +++++ + doc/src/sgml/ref/pg_dump.sgml | 8 +++ + src/backend/foreign/foreign.c | 10 +++ + src/backend/optimizer/plan/createplan.c | 13 ++++ + src/backend/optimizer/util/plancat.c | 12 ++++ + src/backend/rewrite/rewriteHandler.c | 17 +++++ + src/backend/tcop/postgres.c | 64 +++++++++++++++++++ + src/backend/utils/misc/guc_tables.c | 12 ++++ + src/bin/pg_dump/pg_dump.c | 47 ++++++++++++++ + src/include/tcop/tcopprot.h | 6 ++ + src/include/utils/guc_hooks.h | 3 + + src/test/regress/expected/create_view.out | 19 +++++- + src/test/regress/sql/create_view.sql | 9 +++ + 15 files changed, 255 insertions(+), 1 deletion(-) + +diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out +index a6fd3f6ff0..9b7a7eed05 100644 +--- a/contrib/postgres_fdw/expected/postgres_fdw.out ++++ b/contrib/postgres_fdw/expected/postgres_fdw.out +@@ -637,6 +637,17 @@ EXPLAIN (VERBOSE, COSTS OFF) SELECT * FROM ft_empty ORDER BY c1; + Remote SQL: SELECT c1, c2 FROM public.loct_empty ORDER BY c1 ASC NULLS LAST + (3 rows) + ++-- test restriction on non-system foreign tables. 
++SET restrict_nonsystem_relation_kind TO 'foreign-table'; ++SELECT * from ft1 where c1 < 1; -- ERROR ++ERROR: access to non-system foreign table is restricted ++INSERT INTO ft1 (c1) VALUES (1); -- ERROR ++ERROR: access to non-system foreign table is restricted ++DELETE FROM ft1 WHERE c1 = 1; -- ERROR ++ERROR: access to non-system foreign table is restricted ++TRUNCATE ft1; -- ERROR ++ERROR: access to non-system foreign table is restricted ++RESET restrict_nonsystem_relation_kind; + -- =================================================================== + -- WHERE with remotely-executable conditions + -- =================================================================== +diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql +index 1c1dedd991..80cc3f9d8e 100644 +--- a/contrib/postgres_fdw/sql/postgres_fdw.sql ++++ b/contrib/postgres_fdw/sql/postgres_fdw.sql +@@ -327,6 +327,14 @@ DELETE FROM loct_empty; + ANALYZE ft_empty; + EXPLAIN (VERBOSE, COSTS OFF) SELECT * FROM ft_empty ORDER BY c1; + ++-- test restriction on non-system foreign tables. ++SET restrict_nonsystem_relation_kind TO 'foreign-table'; ++SELECT * from ft1 where c1 < 1; -- ERROR ++INSERT INTO ft1 (c1) VALUES (1); -- ERROR ++DELETE FROM ft1 WHERE c1 = 1; -- ERROR ++TRUNCATE ft1; -- ERROR ++RESET restrict_nonsystem_relation_kind; ++ + -- =================================================================== + -- WHERE with remotely-executable conditions + -- =================================================================== +diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml +index e8c5d2a3b7..69c4bc614f 100644 +--- a/doc/src/sgml/config.sgml ++++ b/doc/src/sgml/config.sgml +@@ -9564,6 +9564,23 @@ SET XML OPTION { DOCUMENT | CONTENT }; + + + ++ ++ restrict_nonsystem_relation_kind (string) ++ ++ restrict_nonsystem_relation_kind ++ configuration parameter ++ ++ ++ ++ ++ This variable specifies relation kind to which access is restricted. 
++ It contains a comma-separated list of relation kind. Currently, the ++ supported relation kinds are view and ++ foreign-table. ++ ++ ++ ++ + + + +diff --git a/doc/src/sgml/ref/pg_dump.sgml b/doc/src/sgml/ref/pg_dump.sgml +index 7ff5d04c73..b879c30c18 100644 +--- a/doc/src/sgml/ref/pg_dump.sgml ++++ b/doc/src/sgml/ref/pg_dump.sgml +@@ -868,6 +868,14 @@ PostgreSQL documentation + The only exception is that an empty pattern is disallowed. + + ++ ++ ++ Using wildcards in may result ++ in access to unexpected foreign servers. Also, to use this option securely, ++ make sure that the named server must have a trusted owner. ++ ++ ++ + + + When is specified, +diff --git a/src/backend/foreign/foreign.c b/src/backend/foreign/foreign.c +index ca3ad55b62..7335838af3 100644 +--- a/src/backend/foreign/foreign.c ++++ b/src/backend/foreign/foreign.c +@@ -23,6 +23,7 @@ + #include "funcapi.h" + #include "lib/stringinfo.h" + #include "miscadmin.h" ++#include "tcop/tcopprot.h" + #include "utils/builtins.h" + #include "utils/memutils.h" + #include "utils/rel.h" +@@ -323,6 +324,15 @@ GetFdwRoutine(Oid fdwhandler) + Datum datum; + FdwRoutine *routine; + ++ /* Check if the access to foreign tables is restricted */ ++ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0)) ++ { ++ /* there must not be built-in FDW handler */ ++ ereport(ERROR, ++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), ++ errmsg("access to non-system foreign table is restricted"))); ++ } ++ + datum = OidFunctionCall0(fdwhandler); + routine = (FdwRoutine *) DatumGetPointer(datum); + +diff --git a/src/backend/optimizer/plan/createplan.c b/src/backend/optimizer/plan/createplan.c +index 4bb38160b3..974c50b29f 100644 +--- a/src/backend/optimizer/plan/createplan.c ++++ b/src/backend/optimizer/plan/createplan.c +@@ -40,6 +40,7 @@ + #include "parser/parse_clause.h" + #include "parser/parsetree.h" + #include "partitioning/partprune.h" ++#include "tcop/tcopprot.h" + #include 
"utils/lsyscache.h" + + +@@ -7090,7 +7091,19 @@ make_modifytable(PlannerInfo *root, Plan *subplan, + + if (rte->rtekind == RTE_RELATION && + rte->relkind == RELKIND_FOREIGN_TABLE) ++ { ++ /* Check if the access to foreign tables is restricted */ ++ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0)) ++ { ++ /* there must not be built-in foreign tables */ ++ Assert(rte->relid >= FirstNormalObjectId); ++ ereport(ERROR, ++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), ++ errmsg("access to non-system foreign table is restricted"))); ++ } ++ + fdwroutine = GetFdwRoutineByRelId(rte->relid); ++ } + else + fdwroutine = NULL; + } +diff --git a/src/backend/optimizer/util/plancat.c b/src/backend/optimizer/util/plancat.c +index 07c4ba384a..1a3045479f 100644 +--- a/src/backend/optimizer/util/plancat.c ++++ b/src/backend/optimizer/util/plancat.c +@@ -47,6 +47,7 @@ + #include "rewrite/rewriteManip.h" + #include "statistics/statistics.h" + #include "storage/bufmgr.h" ++#include "tcop/tcopprot.h" + #include "utils/builtins.h" + #include "utils/lsyscache.h" + #include "utils/partcache.h" +@@ -500,6 +501,17 @@ get_relation_info(PlannerInfo *root, Oid relationObjectId, bool inhparent, + /* Grab foreign-table info using the relcache, while we have it */ + if (relation->rd_rel->relkind == RELKIND_FOREIGN_TABLE) + { ++ /* Check if the access to foreign tables is restricted */ ++ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0)) ++ { ++ /* there must not be built-in foreign tables */ ++ Assert(RelationGetRelid(relation) >= FirstNormalObjectId); ++ ++ ereport(ERROR, ++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), ++ errmsg("access to non-system foreign table is restricted"))); ++ } ++ + rel->serverid = GetForeignServerIdByRelId(RelationGetRelid(relation)); + rel->fdwroutine = GetFdwRoutineForRelation(relation, true); + } +diff --git a/src/backend/rewrite/rewriteHandler.c 
b/src/backend/rewrite/rewriteHandler.c +index 6cef936f82..9cd96fd17e 100644 +--- a/src/backend/rewrite/rewriteHandler.c ++++ b/src/backend/rewrite/rewriteHandler.c +@@ -41,6 +41,7 @@ + #include "rewrite/rewriteManip.h" + #include "rewrite/rewriteSearchCycle.h" + #include "rewrite/rowsecurity.h" ++#include "tcop/tcopprot.h" + #include "utils/builtins.h" + #include "utils/lsyscache.h" + #include "utils/rel.h" +@@ -1740,6 +1741,14 @@ ApplyRetrieveRule(Query *parsetree, + if (rule->qual != NULL) + elog(ERROR, "cannot handle qualified ON SELECT rule"); + ++ /* Check if the expansion of non-system views are restricted */ ++ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_VIEW) != 0 && ++ RelationGetRelid(relation) >= FirstNormalObjectId)) ++ ereport(ERROR, ++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), ++ errmsg("access to non-system view \"%s\" is restricted", ++ RelationGetRelationName(relation)))); ++ + if (rt_index == parsetree->resultRelation) + { + /* +@@ -3104,6 +3113,14 @@ + } + } + ++ /* Check if the expansion of non-system views are restricted */ ++ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_VIEW) != 0 && ++ RelationGetRelid(view) >= FirstNormalObjectId)) ++ ereport(ERROR, ++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), ++ errmsg("access to non-system view \"%s\" is restricted", ++ RelationGetRelationName(view)))); ++ + /* + * For INSERT/UPDATE the modified columns must all be updatable. 
Note that + * we get the modified columns from the query's targetlist, not from the +diff --git a/src/backend/tcop/postgres.c b/src/backend/tcop/postgres.c +index 36cc99ec9c..e7d486ca2f 100644 +--- a/src/backend/tcop/postgres.c ++++ b/src/backend/tcop/postgres.c +@@ -77,6 +77,7 @@ + #include "utils/snapmgr.h" + #include "utils/timeout.h" + #include "utils/timestamp.h" ++#include "utils/varlena.h" + + /* ---------------- + * global variables +@@ -101,6 +102,9 @@ int PostAuthDelay = 0; + /* Time between checks that the client is still connected. */ + int client_connection_check_interval = 0; + ++/* flags for non-system relation kinds to restrict use */ ++int restrict_nonsystem_relation_kind; ++ + /* ---------------- + * private typedefs etc + * ---------------- +@@ -3628,6 +3632,66 @@ check_log_stats(bool *newval, void **extra, GucSource source) + return true; + } + ++/* ++ * GUC check_hook for restrict_nonsystem_relation_kind ++ */ ++bool ++check_restrict_nonsystem_relation_kind(char **newval, void **extra, GucSource source) ++{ ++ char *rawstring; ++ List *elemlist; ++ ListCell *l; ++ int flags = 0; ++ ++ /* Need a modifiable copy of string */ ++ rawstring = pstrdup(*newval); ++ ++ if (!SplitIdentifierString(rawstring, ',', &elemlist)) ++ { ++ /* syntax error in list */ ++ GUC_check_errdetail("List syntax is invalid."); ++ pfree(rawstring); ++ list_free(elemlist); ++ return false; ++ } ++ ++ foreach(l, elemlist) ++ { ++ char *tok = (char *) lfirst(l); ++ ++ if (pg_strcasecmp(tok, "view") == 0) ++ flags |= RESTRICT_RELKIND_VIEW; ++ else if (pg_strcasecmp(tok, "foreign-table") == 0) ++ flags |= RESTRICT_RELKIND_FOREIGN_TABLE; ++ else ++ { ++ GUC_check_errdetail("Unrecognized key word: \"%s\".", tok); ++ pfree(rawstring); ++ list_free(elemlist); ++ return false; ++ } ++ } ++ ++ pfree(rawstring); ++ list_free(elemlist); ++ ++ /* Save the flags in *extra, for use by the assign function */ ++ *extra = guc_malloc(ERROR, sizeof(int)); ++ *((int *) *extra) = flags; ++ ++ 
return true; ++} ++ ++/* ++ * GUC assign_hook for restrict_nonsystem_relation_kind ++ */ ++void ++assign_restrict_nonsystem_relation_kind(const char *newval, void *extra) ++{ ++ int *flags = (int *) extra; ++ ++ restrict_nonsystem_relation_kind = *flags; ++} + + /* + * set_debug_options --- apply "-d N" command line option +diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c +index b078b934a7..a515ecde97 100644 +--- a/src/backend/utils/misc/guc_tables.c ++++ b/src/backend/utils/misc/guc_tables.c +@@ -564,6 +564,7 @@ static char *server_encoding_string; + static char *server_version_string; + static int server_version_num; + static char *debug_io_direct_string; ++static char *restrict_nonsystem_relation_kind_string; + + #ifdef HAVE_SYSLOG + #define DEFAULT_SYSLOG_FACILITY LOG_LOCAL0 +@@ -4549,6 +4550,17 @@ struct config_string ConfigureNamesString[] = + check_debug_io_direct, assign_debug_io_direct, NULL + }, + ++ { ++ {"restrict_nonsystem_relation_kind", PGC_USERSET, CLIENT_CONN_STATEMENT, ++ gettext_noop("Sets relation kinds of non-system relation to restrict use"), ++ NULL, ++ GUC_LIST_INPUT | GUC_NOT_IN_SAMPLE ++ }, ++ &restrict_nonsystem_relation_kind_string, ++ "", ++ check_restrict_nonsystem_relation_kind, assign_restrict_nonsystem_relation_kind, NULL ++ }, ++ + /* End-of-list marker */ + { + {NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL, NULL +diff --git a/src/bin/pg_dump/pg_dump.c b/src/bin/pg_dump/pg_dump.c +index 300fe071fc..1694ff55f8 100644 +--- a/src/bin/pg_dump/pg_dump.c ++++ b/src/bin/pg_dump/pg_dump.c +@@ -324,6 +324,7 @@ static bool nonemptyReloptions(const char *reloptions); + static void appendReloptionsArrayAH(PQExpBuffer buffer, const char *reloptions, + const char *prefix, Archive *fout); + static char *get_synchronized_snapshot(Archive *fout); ++static void set_restrict_relation_kind(Archive *AH, const char *value); + static void setupDumpWorker(Archive *AH); + static TableInfo *getRootTableInfo(const 
TableInfo *tbinfo); + static bool forcePartitionRootLoad(const TableInfo *tbinfo); +@@ -1252,6 +1253,13 @@ setup_connection(Archive *AH, const char *dumpencoding, + ExecuteSqlStatement(AH, "SET row_security = off"); + } + ++ /* ++ * For security reasons, we restrict the expansion of non-system views and ++ * access to foreign tables during the pg_dump process. This restriction ++ * is adjusted when dumping foreign table data. ++ */ ++ set_restrict_relation_kind(AH, "view, foreign-table"); ++ + /* + * Initialize prepared-query state to "nothing prepared". We do this here + * so that a parallel dump worker will have its own state. +@@ -2114,6 +2122,10 @@ dumpTableData_copy(Archive *fout, const void *dcontext) + */ + if (tdinfo->filtercond || tbinfo->relkind == RELKIND_FOREIGN_TABLE) + { ++ /* Temporary allows to access to foreign tables to dump data */ ++ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE) ++ set_restrict_relation_kind(fout, "view"); ++ + appendPQExpBufferStr(q, "COPY (SELECT "); + /* klugery to get rid of parens in column list */ + if (strlen(column_list) > 2) +@@ -2225,6 +2237,11 @@ dumpTableData_copy(Archive *fout, const void *dcontext) + classname); + + destroyPQExpBuffer(q); ++ ++ /* Revert back the setting */ ++ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE) ++ set_restrict_relation_kind(fout, "view, foreign-table"); ++ + return 1; + } + +@@ -2251,6 +2268,10 @@ dumpTableData_insert(Archive *fout, const void *dcontext) + int rows_per_statement = dopt->dump_inserts; + int rows_this_statement = 0; + ++ /* Temporary allows to access to foreign tables to dump data */ ++ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE) ++ set_restrict_relation_kind(fout, "view"); ++ + /* + * If we're going to emit INSERTs with column names, the most efficient + * way to deal with generated columns is to exclude them entirely. 
For +@@ -2490,6 +2511,10 @@ dumpTableData_insert(Archive *fout, const void *dcontext) + destroyPQExpBuffer(insertStmt); + free(attgenerated); + ++ /* Revert back the setting */ ++ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE) ++ set_restrict_relation_kind(fout, "view, foreign-table"); ++ + return 1; + } + +@@ -4590,6 +4615,28 @@ is_superuser(Archive *fout) + return false; + } + ++/* ++ * Set the given value to restrict_nonsystem_relation_kind value. Since ++ * restrict_nonsystem_relation_kind is introduced in minor version releases, ++ * the setting query is effective only where available. ++ */ ++static void ++set_restrict_relation_kind(Archive *AH, const char *value) ++{ ++ PQExpBuffer query = createPQExpBuffer(); ++ PGresult *res; ++ ++ appendPQExpBuffer(query, ++ "SELECT set_config(name, '%s', false) " ++ "FROM pg_settings " ++ "WHERE name = 'restrict_nonsystem_relation_kind'", ++ value); ++ res = ExecuteSqlQuery(AH, query->data, PGRES_TUPLES_OK); ++ ++ PQclear(res); ++ destroyPQExpBuffer(query); ++} ++ + /* + * getSubscriptions + * get information about subscriptions +diff --git a/src/include/tcop/tcopprot.h b/src/include/tcop/tcopprot.h +index abd7b4fff3..e529e9f06c 100644 +--- a/src/include/tcop/tcopprot.h ++++ b/src/include/tcop/tcopprot.h +@@ -43,6 +43,12 @@ typedef enum + + extern PGDLLIMPORT int log_statement; + ++/* Flags for restrict_nonsystem_relation_kind value */ ++#define RESTRICT_RELKIND_VIEW 0x01 ++#define RESTRICT_RELKIND_FOREIGN_TABLE 0x02 ++ ++extern PGDLLIMPORT int restrict_nonsystem_relation_kind; ++ + extern List *pg_parse_query(const char *query_string); + extern List *pg_rewrite_query(Query *query); + extern List *pg_analyze_and_rewrite_fixedparams(RawStmt *parsetree, +diff --git a/src/include/utils/guc_hooks.h b/src/include/utils/guc_hooks.h +index 952293a1c3..0ea33fede9 100644 +--- a/src/include/utils/guc_hooks.h ++++ b/src/include/utils/guc_hooks.h +@@ -118,6 +118,9 @@ extern void assign_recovery_target_xid(const char *newval, void 
*extra); + extern bool check_role(char **newval, void **extra, GucSource source); + extern void assign_role(const char *newval, void *extra); + extern const char *show_role(void); ++extern bool check_restrict_nonsystem_relation_kind(char **newval, void **extra, ++ GucSource source); ++extern void assign_restrict_nonsystem_relation_kind(const char *newval, void *extra); + extern bool check_search_path(char **newval, void **extra, GucSource source); + extern void assign_search_path(const char *newval, void *extra); + extern bool check_session_authorization(char **newval, void **extra, GucSource source); +diff --git a/src/test/regress/expected/create_view.out b/src/test/regress/expected/create_view.out +index 61825ef7d4..f3f8c7b5a2 100644 +--- a/src/test/regress/expected/create_view.out ++++ b/src/test/regress/expected/create_view.out +@@ -2202,6 +2202,21 @@ select pg_get_viewdef('tt26v', true); + FROM ( VALUES (1,2,3)) v(x, y, z); + (1 row) + ++-- test restriction on non-system view expansion. ++create table tt27v_tbl (a int); ++create view tt27v as select a from tt27v_tbl; ++set restrict_nonsystem_relation_kind to 'view'; ++select a from tt27v where a > 0; -- Error ++ERROR: access to non-system view "tt27v" is restricted ++insert into tt27v values (1); -- Error ++ERROR: access to non-system view "tt27v" is restricted ++select viewname from pg_views where viewname = 'tt27v'; -- Ok to access a system view. 
++ viewname ++---------- ++ tt27v ++(1 row) ++ ++reset restrict_nonsystem_relation_kind; + -- clean up all the random objects we made above + DROP SCHEMA temp_view_test CASCADE; + NOTICE: drop cascades to 27 other objects +@@ -2233,7 +2248,7 @@ drop cascades to view aliased_view_2 + drop cascades to view aliased_view_3 + drop cascades to view aliased_view_4 + DROP SCHEMA testviewschm2 CASCADE; +-NOTICE: drop cascades to 77 other objects ++NOTICE: drop cascades to 79 other objects + DETAIL: drop cascades to table t1 + drop cascades to view temporal1 + drop cascades to view temporal2 +@@ -2311,3 +2326,5 @@ drop cascades to view tt23v + drop cascades to view tt24v + drop cascades to view tt25v + drop cascades to view tt26v ++drop cascades to table tt27v_tbl ++drop cascades to view tt27v +diff --git a/src/test/regress/sql/create_view.sql b/src/test/regress/sql/create_view.sql +index 8838a40f7a..3a78be1b0c 100644 +--- a/src/test/regress/sql/create_view.sql ++++ b/src/test/regress/sql/create_view.sql +@@ -813,6 +813,15 @@ select x + y + z as c1, + from (values(1,2,3)) v(x,y,z); + select pg_get_viewdef('tt26v', true); + ++-- test restriction on non-system view expansion. ++create table tt27v_tbl (a int); ++create view tt27v as select a from tt27v_tbl; ++set restrict_nonsystem_relation_kind to 'view'; ++select a from tt27v where a > 0; -- Error ++insert into tt27v values (1); -- Error ++select viewname from pg_views where viewname = 'tt27v'; -- Ok to access a system view. ++reset restrict_nonsystem_relation_kind; ++ + -- clean up all the random objects we made above + DROP SCHEMA temp_view_test CASCADE; + DROP SCHEMA testviewschm2 CASCADE; +-- +2.30.2 + diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb b/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb index 6df719cd985..31f427503bf 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb 
@@ -9,6 +9,7 @@ SRC_URI += "\
 file://0003-configure.ac-bypass-autoconf-2.69-version-check.patch \
 file://0004-config_info.c-not-expose-build-info.patch \
 file://0005-postgresql-fix-ptest-failure-of-sysviews.patch \
+ file://CVE-2024-7348.patch \
 "
 SRC_URI[sha256sum] = "331963d5d3dc4caf4216a049fa40b66d6bcb8c730615859411b9518764e60585"
From 5a3fe1fcfc8c1128d373ce6f48103dbca95da6c0 Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:33:50 +0000 Subject: [PATCH 07/52] python3-xlsxwriter: Fix LICENSE According to homepage https://xlsxwriter.readthedocs.io/license.html and pypi page https://pypi.org/project/XlsxWriter/ as well as https://github.com/jmcnamara/XlsxWriter/blob/RELEASE_3.1.9/LICENSE.txt the module is licensed under BSD-2-Clause. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster
---
 meta-python/recipes-devtools/python/python3-xlsxwriter_3.1.9.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-python/recipes-devtools/python/python3-xlsxwriter_3.1.9.bb b/meta-python/recipes-devtools/python/python3-xlsxwriter_3.1.9.bb
index ee7dab35cb6..4e23feebbba 100644
--- a/meta-python/recipes-devtools/python/python3-xlsxwriter_3.1.9.bb
+++ b/meta-python/recipes-devtools/python/python3-xlsxwriter_3.1.9.bb
@@ -1,7 +1,7 @@
 SUMMARY = "Python 2 and 3 compatibility library"
 HOMEPAGE = "https://xlsxwriter.readthedocs.io"
 SECTION = "devel/python"
-LICENSE = "MIT"
+LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=12d9fac1f0049be71ab5aa4a78da02b0"
 inherit pypi setuptools3
From 0f8a8d46e35f3035c4d830f6b15c3071b8bf4b32 Mon Sep 17 00:00:00 2001
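Review bot: The added `file://CVE-2024-7348.patch \` line gives no hint that the fix has two halves: the patch's `set_restrict_relation_kind` in pg_dump issues `SELECT set_config(name, '%s', false) FROM pg_settings WHERE name = 'restrict_nonsystem_relation_kind'`, which returns zero rows and sets nothing when the server lacks that GUC, so a rebuilt pg_dump pointed at an unpatched server is silently unprotected. A short recipe comment above the entry would carry that caveat, e.g. `# CVE-2024-7348: pg_dump's protection only takes effect against a server that also carries this patch (restrict_nonsystem_relation_kind GUC)`. The patch header and its pg_dump.c hunks begin before this chunk, so whether the patch itself documents this was not checked here.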
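Review bot: The context line `SUMMARY = "Python 2 and 3 compatibility library"` in the xlsxwriter hunk describes something other than XlsxWriter (it reads like a copy-paste from the python3-six recipe), so the metadata stays wrong even after the LICENSE correction. Since the commit is already fixing recipe metadata against the upstream project page, a matching `SUMMARY = "A Python module for creating Excel XLSX files"` would be a natural part of the same change. The visible lines show no DESCRIPTION either, so SUMMARY is the only descriptive field this recipe exposes here.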
From: Niko Mauno Date: Sun, 8 Sep 2024 15:33:52 +0000 Subject: [PATCH 08/52] python3-cbor2: Fix LICENSE and LIC_FILES_CHKSUM Both project pypi page: https://pypi.org/project/cbor2/ as well as https://github.com/agronholm/cbor2/blob/5.6.3/LICENSE.txt state that it is subject to MIT rather than Apache-2.0 license. Also update LIC_FILES_CHKSUM value to reference the LICENSE.txt file from the downloaded archive. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb b/meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb index c9c98b6fb5a..69573064bc6 100644 --- a/meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb +++ b/meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb @@ -1,8 +1,8 @@ DESCRIPTION = "An implementation of RFC 7049 - Concise Binary Object Representation (CBOR)." DEPENDS +="python3-setuptools-scm-native" -LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=a79e64179819c7ce293372c059f1dbd8" SRC_URI[sha256sum] = "e6f0ae2751c2d333a960e0807c0611494eb1245631a167965acbc100509455d3" From 753486b270116ca1e1c0ccfac161c2676a7dba5f Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:33:53 +0000 Subject: [PATCH 09/52] python3-crc32c: Amend LICENSE declaration According to https://github.com/ICRAR/crc32c/blob/v2.3/LICENSE and https://github.com/ICRAR/crc32c?tab=readme-ov-file#license change 'LGPL-2.0-or-later' in LICENSE value to 'LGPL-2.1-or-later'. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-crc32c_2.3.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/meta-python/recipes-devtools/python/python3-crc32c_2.3.bb b/meta-python/recipes-devtools/python/python3-crc32c_2.3.bb index da756ea0746..125a7ad8770 100644 --- a/meta-python/recipes-devtools/python/python3-crc32c_2.3.bb +++ b/meta-python/recipes-devtools/python/python3-crc32c_2.3.bb @@ -1,7 +1,7 @@ SUMMARY = "A python package implementing the crc32c algorithmin hardware and software" HOMEPAGE = "https://github.com/ICRAR/crc32c" -LICENSE = "BSD-2-Clause & BSD-3-Clause & CRC32C-ADLER & LGPL-2.0-or-later" +LICENSE = "BSD-2-Clause & BSD-3-Clause & CRC32C-ADLER & LGPL-2.1-or-later" LIC_FILES_CHKSUM = " \ file://LICENSE;md5=4fbd65380cdd255951079008b364516c \ file://LICENSE.google-crc32c;md5=e9ed01b5e5ac9eae23fc2bb33701220c \ From 23bda39c1ffdaedb49ab84efe16f6be4714a3a2f Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:33:54 +0000 Subject: [PATCH 10/52] python3-email-validator: Fix LICENSE Both https://pypi.org/project/email-validator/ and https://github.com/JoshData/python-email-validator/blob/v2.1.1/LICENSE declare this project is subject to 'Unlicense'. For additional reference, see upstream commit https://github.com/JoshData/python-email-validator/commit/5d72f53412821189ebc826100fb2a673530c5ac6 ("Relicense under the Unlicense (instead of CC0)") Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- .../recipes-devtools/python/python3-email-validator_2.1.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-email-validator_2.1.1.bb b/meta-python/recipes-devtools/python/python3-email-validator_2.1.1.bb index 90a22e5a0e8..746d56d18e0 100644 --- a/meta-python/recipes-devtools/python/python3-email-validator_2.1.1.bb +++ b/meta-python/recipes-devtools/python/python3-email-validator_2.1.1.bb 
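Review bot: The context line `SUMMARY = "A python package implementing the crc32c algorithmin hardware and software"` in the crc32c hunk has a typo (`algorithmin`) that this LICENSE-only change leaves in place; correcting it to `algorithm in` while the file is touched costs nothing. Other commits in this series move over-long SUMMARY values to DESCRIPTION because they exceed 72 characters, and this line is in the same situation, so the same treatment would keep the series consistent.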
@@ -1,6 +1,6 @@ SUMMARY = "A robust email address syntax and deliverability validation library." SECTION = "devel/python" -LICENSE = "CC0-1.0" +LICENSE = "Unlicense" LIC_FILES_CHKSUM = "file://LICENSE;md5=2890aee62bd2a4c3197e2059016a397e" SRC_URI[sha256sum] = "200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84" From 4949169c3caec3696cfb8e57f34153809e4a2dcb Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:33:55 +0000 Subject: [PATCH 11/52] python3-lru-dict: Fix LICENSE and change SUMMARY to DESCRIPTION According to https://pypi.org/project/lru-dict/ and https://github.com/amitdev/lru-dict/blob/v1.3.0/LICENSE the project is licensed under MIT. Also change SUMMARY to DESCRIPTION as it's value is clearly over 72 characters long. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-lru-dict_1.3.0.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-python/recipes-devtools/python/python3-lru-dict_1.3.0.bb b/meta-python/recipes-devtools/python/python3-lru-dict_1.3.0.bb index e9535fa6f1b..51f3860b07c 100644 --- a/meta-python/recipes-devtools/python/python3-lru-dict_1.3.0.bb +++ b/meta-python/recipes-devtools/python/python3-lru-dict_1.3.0.bb @@ -1,7 +1,7 @@ -SUMMARY = "A fixed size dict like container which evicts Least Recently Used (LRU) items once size limit is exceeded." +DESCRIPTION = "A fixed size dict like container which evicts Least Recently Used (LRU) items once size limit is exceeded." HOMEPAGE = "https://github.com/amitdev/lru-dict" SECTION = "devel/python" -LICENSE = "BSD-3-Clause" +LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=9d10a486ee04034fdef5162fd791f153" SRC_URI[sha256sum] = "54fd1966d6bd1fcde781596cb86068214edeebff1db13a2cea11079e3fd07b6b" From c8a4cdeb2664e3855e2f0b772d17e904cb423ca1 Mon Sep 17 00:00:00 2001 
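Review bot: Replacing `SUMMARY` with `DESCRIPTION` leaves the recipe with no explicit SUMMARY, so the packaged short description falls back to bitbake.conf's generic default rather than anything about the module. Keeping a short `SUMMARY = "Fixed-size dict that evicts least recently used items"` next to the long `DESCRIPTION` gives both fields a useful value. The pillow commit later in this series (python3-pillow_10.3.0.bb) makes the same SUMMARY-to-DESCRIPTION swap and would benefit from the same treatment.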
From: Niko Mauno Date: Sun, 8 Sep 2024 15:33:56 +0000 Subject: [PATCH 12/52] python3-mock: Fix LICENSE According to https://github.com/testing-cabal/mock/blob/5.1.0/LICENSE.txt the project is subject to BSD-2-Clause license. (Also https://pypi.org/project/mock/ states 'BSD License'.) Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-mock_5.1.0.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-mock_5.1.0.bb b/meta-python/recipes-devtools/python/python3-mock_5.1.0.bb index d9ecb9d4c83..1b89260e1b4 100644 --- a/meta-python/recipes-devtools/python/python3-mock_5.1.0.bb +++ b/meta-python/recipes-devtools/python/python3-mock_5.1.0.bb @@ -1,7 +1,7 @@ DESCRIPTION = "A Python Mocking and Patching Library for Testing" HOMEPAGE = "https://pypi.python.org/pypi/mock" SECTION = "devel/python" -LICENSE = "Apache-2.0" +LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=de9dfbf780446b18aab11f00baaf5b7e" inherit pypi setuptools3 From 2f4c729b12764e87a4529be3fe7379f64b3b9e04 Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:33:57 +0000 Subject: [PATCH 13/52] python3-parse-type: Fix LICENSE According to https://pypi.org/project/parse-type/ and https://github.com/jenisys/parse_type/blob/v0.6.2/LICENSE the project is subject to MIT license. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-parse-type_0.6.2.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-parse-type_0.6.2.bb b/meta-python/recipes-devtools/python/python3-parse-type_0.6.2.bb index a7d8cd86ce0..57dfc5a508c 100644 --- a/meta-python/recipes-devtools/python/python3-parse-type_0.6.2.bb +++ b/meta-python/recipes-devtools/python/python3-parse-type_0.6.2.bb 
@@ -1,6 +1,6 @@ SUMMARY = "Simplifies building parse types based on the parse module" HOMEPAGE = "https://github.com/jenisys/parse_type" -LICENSE = "BSD-3-Clause" +LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=2e469278ace89c246d52505acc39c3da" SRC_URI[sha256sum] = "79b1f2497060d0928bc46016793f1fca1057c4aacdf15ef876aa48d75a73a355" From f091c53f65a1ead2f39099b7e929f0611c59e495 Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:33:58 +0000 Subject: [PATCH 14/52] python3-pillow: Fix LICENSE and change SUMMARY to DESCRIPTION According to https://pypi.org/project/pillow/ and https://github.com/python-pillow/Pillow/blob/10.3.0/LICENSE the project is subject to HPND license. Also change SUMMARY to DESCRIPTION as it's value is clearly over 72 characters long. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb b/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb index debf488154b..8b0bcf55ddb 100644 --- a/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb +++ b/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb @@ -1,8 +1,8 @@ -SUMMARY = "Python Imaging Library (Fork). Pillow is the friendly PIL fork by Alex \ +DESCRIPTION = "Python Imaging Library (Fork). Pillow is the friendly PIL fork by Alex \ Clark and Contributors. PIL is the Python Imaging Library by Fredrik Lundh and \ Contributors." HOMEPAGE = "https://pillow.readthedocs.io" -LICENSE = "MIT" +LICENSE = "HPND" LIC_FILES_CHKSUM = "file://LICENSE;md5=c349a4b4b9ec2377a8fd6a7df87dbffe" SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https \ From 597808066bb81e600cb6b0215e8fab1f09664006 Mon Sep 17 00:00:00 2001 
From: Niko Mauno Date: Sun, 8 Sep 2024 15:33:59 +0000 Subject: [PATCH 15/52] python3-platformdirs: Fix LICENSE According to https://pypi.org/project/platformdirs/ and https://github.com/platformdirs/platformdirs/blob/4.2.0/LICENSE the project is subject to MIT license. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- .../recipes-devtools/python/python3-platformdirs_4.2.0.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-platformdirs_4.2.0.bb b/meta-python/recipes-devtools/python/python3-platformdirs_4.2.0.bb index 19c95b374a9..c69c390b802 100644 --- a/meta-python/recipes-devtools/python/python3-platformdirs_4.2.0.bb +++ b/meta-python/recipes-devtools/python/python3-platformdirs_4.2.0.bb @@ -1,6 +1,6 @@ SUMMARY = "A small Python module for determining appropriate platform-specific dirs" HOMEPAGE = "https://github.com/platformdirs/platformdirs" -LICENSE = "BSD-3-Clause" +LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=ea4f5a41454746a9ed111e3d8723d17a" SRC_URI += " \ From d23e9e2c68f32f87c356e1e4ccf8a2ec265f02d7 Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:34:00 +0000 Subject: [PATCH 16/52] python3-colorama: Fix LICENSE https://github.com/tartley/colorama?tab=readme-ov-file#license and https://github.com/tartley/colorama/blob/0.4.6/LICENSE.txt declare that this project is subject to BSD-3-Clause license. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-colorama_0.4.6.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-colorama_0.4.6.bb b/meta-python/recipes-devtools/python/python3-colorama_0.4.6.bb index 0f364c424df..3871244031c 100644 --- a/meta-python/recipes-devtools/python/python3-colorama_0.4.6.bb +++ b/meta-python/recipes-devtools/python/python3-colorama_0.4.6.bb 
@@ -1,6 +1,6 @@ SUMMARY = "Cross-platform colored terminal text." HOMEPAGE = "https://github.com/tartley/colorama" -LICENSE = "BSD-2-Clause" +LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=b4936429a56a652b84c5c01280dcaa26" inherit pypi python_setuptools_build_meta From eb7381e885e368c88589d101ec964cd89e7ab896 Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:34:01 +0000 Subject: [PATCH 17/52] python3-fann2: Fix LICENSE According to https://github.com/FutureLinkCorporation/fann2/tree/1.1.2?tab=readme-ov-file#license and https://github.com/FutureLinkCorporation/fann2/blob/1.1.2/LICENSE this project is subject to LGPL-2.1-only license. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-fann2_1.1.2.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-fann2_1.1.2.bb b/meta-python/recipes-devtools/python/python3-fann2_1.1.2.bb index 2fbc2771398..2099d791ddf 100644 --- a/meta-python/recipes-devtools/python/python3-fann2_1.1.2.bb +++ b/meta-python/recipes-devtools/python/python3-fann2_1.1.2.bb @@ -1,6 +1,6 @@ SUMMARY = "Python bindings for Fast Artificial Neural Networks 2.2.0 (FANN >= 2.2.0)" SECTION = "devel/python" -LICENSE = "LGPL-2.0-only" +LICENSE = "LGPL-2.1-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=c73b943dc75f6f65e007c56ac6515c8f" SRC_URI[md5sum] = "0b85b418018746d63ed66b55465697a9" From fac657774bab175d0be0db63947943c40702f79b Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:34:02 +0000 Subject: [PATCH 18/52] python3-nmap: Fix LICENSE and LIC_FILES_CHKSUM In the source code repository the LICENSE file is GPL-3.0-only: https://github.com/nmmapper/python3-nmap/blob/1.5.2/LICENSE https://github.com/nmmapper/python3-nmap/blob/1.7.0/LICENSE Also change the LIC_FILES_CHKSUM reference to the GPLv3.0 license containing LICENSE file in the downloaded archive. 
Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-nmap_1.6.0.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-python/recipes-devtools/python/python3-nmap_1.6.0.bb b/meta-python/recipes-devtools/python/python3-nmap_1.6.0.bb index 5fe9ab4e396..2293e3ddf85 100644 --- a/meta-python/recipes-devtools/python/python3-nmap_1.6.0.bb +++ b/meta-python/recipes-devtools/python/python3-nmap_1.6.0.bb @@ -1,8 +1,8 @@ DESCRIPTION = "python-nmap is a python library which helps in using nmap port scanner" HOMEPAGE = "https://www.nmmapper.com/" SECTION = "devel/python" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://LICENSE;md5=1ebbd3e34237af26da5dc08a4e440464" DEPENDS += "python3-wheel-native" From 465ced17dbde9e20bb4eaa877ce94e9a77f48bf1 Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:34:03 +0000 Subject: [PATCH 19/52] python3-pycurl: Fix LICENSE Contents of https://github.com/pycurl/pycurl/blob/REL_7_45_2/COPYING-LGPL correspond to version 2.1 of the license rather than 2.0. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-pycurl_7.45.2.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-pycurl_7.45.2.bb b/meta-python/recipes-devtools/python/python3-pycurl_7.45.2.bb index a6863e21ff4..10d3cd1027b 100644 --- a/meta-python/recipes-devtools/python/python3-pycurl_7.45.2.bb +++ b/meta-python/recipes-devtools/python/python3-pycurl_7.45.2.bb 
@@ -7,7 +7,7 @@ be used to fetch objects identified by a URL from a Python program \ SECTION = "devel/python" HOMEPAGE = "http://pycurl.io/" -LICENSE = "LGPL-2.0-only | MIT" +LICENSE = "LGPL-2.1-only | MIT" LIC_FILES_CHKSUM = "file://COPYING-LGPL;md5=4fbd65380cdd255951079008b364516c \ file://COPYING-MIT;md5=be42e1b1e58c8d59c2901fd747bfc55d \ " From fa1f7f7057241d314372a52695b9b7a4ce9a6639 Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:34:04 +0000 Subject: [PATCH 20/52] python3-googleapis-common-protos: Fix LIC_FILES_CHKSUM Change the reference to the Apache-2.0 license containing LICENSE file in the downloaded archive. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- .../python/python3-googleapis-common-protos_1.63.0.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-googleapis-common-protos_1.63.0.bb b/meta-python/recipes-devtools/python/python3-googleapis-common-protos_1.63.0.bb index aee2337267e..3c55294498b 100644 --- a/meta-python/recipes-devtools/python/python3-googleapis-common-protos_1.63.0.bb +++ b/meta-python/recipes-devtools/python/python3-googleapis-common-protos_1.63.0.bb @@ -1,7 +1,7 @@ DESCRIPTION = "Common protobufs used in Google APIs" HOMEPAGE = "https://github.com/googleapis/python-api-common-protos" LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10" +LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" inherit pypi setuptools3 From 32d0b39f048117e75b8714f335a792ca439ba83a Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:34:05 +0000 Subject: [PATCH 21/52] python3-haversine: Fix LIC_FILES_CHKSUM Change the reference to the MIT license containing LICENSE file in the downloaded archive. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj 
Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-haversine_2.8.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-haversine_2.8.1.bb b/meta-python/recipes-devtools/python/python3-haversine_2.8.1.bb index e45ae798605..5fd5ddd71cd 100644 --- a/meta-python/recipes-devtools/python/python3-haversine_2.8.1.bb +++ b/meta-python/recipes-devtools/python/python3-haversine_2.8.1.bb @@ -1,6 +1,6 @@ SUMMARY = "Calculate the distance between 2 points on Earth" LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" +LIC_FILES_CHKSUM = "file://LICENSE;md5=20a52d2c688975e989fcbee3e6c8d1a1" SRC_URI[sha256sum] = "ab750caa0c8f2168bd7b00a429757a83a8393be1aa30f91c2becf6b523189e2a" From 801849483137e3b24a8409f124aa24aba1af47f8 Mon Sep 17 00:00:00 2001 From: Niko Mauno Date: Sun, 8 Sep 2024 15:34:06 +0000 Subject: [PATCH 22/52] python3-libevdev: Fix LIC_FILES_CHKSUM Change the reference to the MIT license containing COPYING file in the downloaded archive. Signed-off-by: Niko Mauno Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- meta-python/recipes-devtools/python/python3-libevdev_0.11.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-python/recipes-devtools/python/python3-libevdev_0.11.bb b/meta-python/recipes-devtools/python/python3-libevdev_0.11.bb index 27e336710cc..5ad2a599519 100644 --- a/meta-python/recipes-devtools/python/python3-libevdev_0.11.bb +++ b/meta-python/recipes-devtools/python/python3-libevdev_0.11.bb 
@@ -3,7 +3,7 @@ HOMEPAGE = "https://gitlab.freedesktop.org/libevdev/python-libevdev" SECTION = "devel/python" LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" +LIC_FILES_CHKSUM = "file://COPYING;md5=d94c10c546b419eddc6296157ec40747" SRC_URI[md5sum] = "34b48098c1fba26de79a0d67a17a588a" SRC_URI[sha256sum] = "e9ca006a4df2488a60bd9a740011ee948d81904be2364f017e560169508f560f" From 94d83e480b8dc7380d0e85dd7b7d7d6947e60185 Mon Sep 17 00:00:00 2001 From: Markus Volk Date: Tue, 28 May 2024 13:53:26 +0200 Subject: [PATCH 23/52] gnome-remote-desktop: update 46.1 -> 46.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 46.2 ==== * Potential crasher fix * Improved disconnection messages * Broader client compatibility support * Various security hardening improvements * CVE-2024-5148 Limit login screen->user session handover access to appropriate user Contributors: Pascal Nowack, Ray Strode Translators: Balázs Úr [hu], Efstathios Iosifidis [el], Fabio Tomat [fur], Hugo Carvalho [pt], Jordi Mas i Hernandez [ca], Juliano de Souza Camargo [pt_BR] - add polkitd user and fix permissions to avoid: Error: Transaction test error: file /usr/share/polkit-1/rules.d conflicts between attempted installs of gnome-remote-desktop-46.2-r0.corei7_64 and gnome-control-center-46.2-r0.corei7_64 Signed-off-by: Markus Volk Signed-off-by: Khem Raj (cherry picked from commit 7ecfdeb3cf4e13801b63f0c05afd572d9df54403) Signed-off-by: Armin Kuster --- ...ktop_46.1.bb => gnome-remote-desktop_46.2.bb} | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) rename meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/{gnome-remote-desktop_46.1.bb => gnome-remote-desktop_46.2.bb} (64%) 
diff --git a/meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.1.bb b/meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.2.bb
similarity index 64%
rename from meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.1.bb
rename to meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.2.bb
index 634b37971e8..59ae9383db5 100644
--- a/meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.1.bb
+++ b/meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.2.bb
@@ -4,11 +4,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 GNOMEBASEBUILDCLASS = "meson"
-inherit gnomebase gettext gsettings features_check
+inherit gnomebase gettext gsettings features_check useradd
-REQUIRED_DISTRO_FEATURES = "opengl"
+REQUIRED_DISTRO_FEATURES = "opengl polkit"
-SRC_URI[archive.sha256sum] = "7c62a4281fdfa9522110affbf75d09973035f2adc7fa4577511d733186beb68f"
+SRC_URI[archive.sha256sum] = "97443eaffe4b1a69626886a41d25cbeb2c148d3fed43d92115c1b7d20d5238ab"
 DEPENDS = " \
 asciidoc-native \
@@ -36,5 +36,15 @@ PACKAGECONFIG[vnc] = "-Dvnc=true,-Dvnc=false,libvncserver"
 PACKAGECONFIG[rdp] = "-Drdp=true,-Drdp=false,freerdp3 fuse3 libxkbcommon"
 PACKAGECONFIG[systemd] = "-Dsystemd=true,-Dsystemd=false,systemd"
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM:${PN} = "--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd"
+
+do_install:append() {
+ if [ -d ${D}${datadir}/polkit-1/rules.d ]; then
+ chmod 700 ${D}${datadir}/polkit-1/rules.d
+ chown polkitd:root ${D}${datadir}/polkit-1/rules.d
+ fi
+}
+
 PACKAGE_DEBUG_SPLIT_STYLE = "debug-without-src"
 FILES:${PN} += "${systemd_user_unitdir} ${systemd_system_unitdir} ${datadir} ${libdir}/sysusers.d ${libdir}/tmpfiles.d"
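Review bot: The `do_install:append` applies `chmod 700` and `chown polkitd:root` to `${D}${datadir}/polkit-1/rules.d` with no comment, so the reason given in the commit message (matching polkit's own ownership of that directory to avoid the packaging conflict with gnome-control-center) is lost once the recipe is read on its own; `# rules.d must be 0700 polkitd:root, as polkit itself installs it, or the directory entry conflicts with other packages shipping polkit rules` above the `if` would keep it. `USERADD_PARAM:${PN}` creates the `polkitd` account with `--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1`; if the polkit recipe creates the same account (not visible here), the two parameter strings should be kept identical so the resulting uid and home do not depend on which package is installed first. Since rules.d holds the rules that grant or deny privileged actions, keeping it unreadable to unprivileged users (the 0700 here) is the property to preserve in any later cleanup.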
From fc5b65d80fa21031149a99d5008864b13d1f02a1 Mon Sep 17 00:00:00 2001 From: Marc Ferland Date: Mon, 22 Jul 2024 22:26:12 -0400 Subject: [PATCH 24/52] polkit: update SRC_URI Project has moved to github. Signed-off-by: Marc Ferland (cherry picked from commit fb3408270282fbd619df7a5efac5178cabc37ddb) Signed-off-by: Armin Kuster
---
 meta-oe/recipes-extended/polkit/polkit_124.bb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/meta-oe/recipes-extended/polkit/polkit_124.bb b/meta-oe/recipes-extended/polkit/polkit_124.bb
index 9e2eb05c623..a597b40ee34 100644
--- a/meta-oe/recipes-extended/polkit/polkit_124.bb
+++ b/meta-oe/recipes-extended/polkit/polkit_124.bb
@@ -1,10 +1,11 @@
-SUMMARY = "PolicyKit Authorization Framework"
+SUMMARY = "Polkit Authorization Framework"
 DESCRIPTION = "The polkit package is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes."
 HOMEPAGE = "http://www.freedesktop.org/wiki/Software/polkit"
 LICENSE = "LGPL-2.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=155db86cdbafa7532b41f390409283eb"
+BUGTRACKER = "https://github.com/polkit-org/polkit/issues"
-SRC_URI = "git://gitlab.freedesktop.org/polkit/polkit.git;protocol=https;branch=master"
+SRC_URI = "git://github.com/polkit-org/polkit.git;protocol=https;branch=main"
 S = "${WORKDIR}/git"
 SRCREV = "82f0924dc0eb23b9df68e88dbaf9e07c81940a5a"
From ea1926c7428442cabafaa9b24eb8482ea70e4960 Mon Sep 17 00:00:00 2001 From: Martin Jansa Date: Fri, 30 Aug 2024 10:41:39 +0200 Subject: [PATCH 25/52] gpm: fix buildpaths QA issue Signed-off-by: Martin Jansa Signed-off-by: Khem Raj (cherry picked from commit 7e8a786c291659083d746a4fe066fbc68c2abf34) Signed-off-by: Armin Kuster
---
 meta-oe/recipes-support/gpm/gpm_git.bb | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/meta-oe/recipes-support/gpm/gpm_git.bb b/meta-oe/recipes-support/gpm/gpm_git.bb
index 31503e9c620..1a96bea099c 100644
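Review bot: The context line `HOMEPAGE = "http://www.freedesktop.org/wiki/Software/polkit"` still names the old host over plain http while the new `SRC_URI` and `BUGTRACKER` point at github.com/polkit-org, so the recipe now describes two homes for the project; `HOMEPAGE = "https://github.com/polkit-org/polkit"` would match the move the commit describes. `SRCREV` is unchanged, which is what makes a host change safe — the fetched tree is still pinned to the same commit object — and that deserves a sentence in the commit message, since a SRC_URI host swap is exactly where an unnoticed content substitution would otherwise hide.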
--- a/meta-oe/recipes-support/gpm/gpm_git.bb
+++ b/meta-oe/recipes-support/gpm/gpm_git.bb
@@ -24,6 +24,10 @@ inherit autotools-brokensep update-rc.d systemd texinfo
 INITSCRIPT_NAME = "gpm"
 INITSCRIPT_PARAMS = "defaults"
+# Avoid line statements with bison/yacc
+# ERROR: lib32-gpm-1.99.7+gite82d1a653ca94aa4ed12441424da6ce780b1e530-r0 do_package_qa: QA Issue: File /usr/src/debug/lib32-gpm/1.99.7+gite82d1a653ca94aa4ed12441424da6ce780b1e530/src/prog/gpm-root.c in package lib32-gpm-src contains reference to TMPDIR [buildpaths]
+EXTRA_OEMAKE = "YFLAGS='-l'"
+
 do_configure:prepend() {
 (cd ${S};./autogen.sh;cd -)
 }
From a306751658760c2c8961baa5a4cde8857b2d2b35 Mon Sep 17 00:00:00 2001 From: Martin Jansa Date: Fri, 30 Aug 2024 12:05:57 +0200 Subject: [PATCH 26/52] xerces-c: fix buildpaths QA issue Signed-off-by: Martin Jansa Signed-off-by: Khem Raj (cherry picked from commit bbcb7d6023a516f3d432fbf01b78cdcc486e31ba) Signed-off-by: Armin Kuster
---
 ...-use-full-path-of-with_curl-in-xerce.patch | 58 +++++++++++++++++++
 .../xerces-c/xerces-c_3.2.5.bb | 8 +--
 2 files changed, 61 insertions(+), 5 deletions(-)
 create mode 100644 meta-oe/recipes-devtools/xerces-c/xerces-c/0001-aclocal.m4-don-t-use-full-path-of-with_curl-in-xerce.patch
diff --git a/meta-oe/recipes-devtools/xerces-c/xerces-c/0001-aclocal.m4-don-t-use-full-path-of-with_curl-in-xerce.patch b/meta-oe/recipes-devtools/xerces-c/xerces-c/0001-aclocal.m4-don-t-use-full-path-of-with_curl-in-xerce.patch
new file mode 100644
index 00000000000..2ad7beb51cd
--- /dev/null
+++ b/meta-oe/recipes-devtools/xerces-c/xerces-c/0001-aclocal.m4-don-t-use-full-path-of-with_curl-in-xerce.patch
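Review bot: `EXTRA_OEMAKE = "YFLAGS='-l'"` is a plain assignment, so it overrides any EXTRA_OEMAKE the recipe sets earlier (the lines before this hunk are not visible here); `EXTRA_OEMAKE += "YFLAGS='-l'"` would add the flag without that risk. The comment above it pastes a whole QA error line including a revision-specific debug path, which will age badly; `# Pass -l to bison/yacc so the generated parser carries no #line directives pointing into TMPDIR (buildpaths QA)` states the why without the noise.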
@@ -0,0 +1,58 @@ +From d001f12d428f7adaeaadee5263a22c797c99d67b Mon Sep 17 00:00:00 2001 +From: Martin Jansa +Date: Fri, 30 Aug 2024 11:42:27 +0200 +Subject: [PATCH] aclocal.m4: don't use full path of $with_curl in xerces-c.pc + +* fixes: + ERROR: QA Issue: File /usr/lib32/pkgconfig/xerces-c.pc in package lib32-libxerces-c-dev contains reference to TMPDIR [buildpaths] + +* xerces-c was blacklisted due to tmpdir since 2016: + https://git.openembedded.org/meta-openembedded/commit/?id=1af196e42c811947bb483df30bfce758adee83d1 + +* then sed call: + sed -i -e 's:-L${STAGING_DIR}/lib:-L\$\{libdir\}:g' ${B}/xerces-c.pc + was added to do_install:append and blacklist dropped in: + https://git.openembedded.org/meta-openembedded/commit/?id=87b9efff79e62f569525e4760adc594d0d9ac476 + +* sed call was adjusted in: + https://git.openembedded.org/meta-openembedded/commit/?id=87c9e9537dc43468a6aaf706853b784ce6de14e0 + sed -i s:-L${STAGING_LIBDIR}::g ${B}/xerces-c.pc + +* but it was still failing in some cases, e.g. 
with multilib where libdir is /usr/lib64, so the sed call is: + sed -i s:-L{WORKDIR}/recipe-sysroot/usr/lib64::g ${WORKDIR}/build/xerces-c.pc + but the actual xerces-c.pc file still has: + + Libs: -L${libdir} -lxerces-c + Libs.private: -L${WORKDIR}/recipe-sysroot/usr/lib -lcurl + + because this aclocal was always hardcoding "lib" (appended to --with-curl + value which is passed together with ${prefix}) and not respecting the libdir value: + PACKAGECONFIG[curl] = "--with-curl=${STAGING_DIR_TARGET}${prefix},--with-curl=no,curl" + PACKAGECONFIG[icu] = "--with-icu=${STAGING_DIR_TARGET}${prefix},--with-icu=no,icu" + +* xerces-c supports CMake since 2017: + https://github.com/apache/xerces-c/commit/2606b2924c3e2bf0cf50f72b79378721b6bcf04e + switching from autotools to CMake would probably resolve some of this as well + +Signed-off-by: Martin Jansa +--- +Upstream-Status: Pending [It would be better to just switch to CMake] + + m4/xerces_curl_prefix.m4 | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/m4/xerces_curl_prefix.m4 b/m4/xerces_curl_prefix.m4 +index d1d015c..7928bdc 100644 +--- a/m4/xerces_curl_prefix.m4 ++++ b/m4/xerces_curl_prefix.m4 +@@ -39,8 +39,8 @@ AC_DEFUN([XERCES_CURL_PREFIX], + curl_libs=`$curl_config --libs` + else + if test -n "$with_curl"; then +- curl_flags="-I$with_curl/include" +- curl_libs="-L$with_curl/lib -lcurl" ++ curl_flags="" ++ curl_libs="-lcurl" + else + # Default compiler paths. + # diff --git a/meta-oe/recipes-devtools/xerces-c/xerces-c_3.2.5.bb b/meta-oe/recipes-devtools/xerces-c/xerces-c_3.2.5.bb index 1643af25465..9fd7e8fbab8 100644 --- a/meta-oe/recipes-devtools/xerces-c/xerces-c_3.2.5.bb +++ b/meta-oe/recipes-devtools/xerces-c/xerces-c_3.2.5.bb 
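Review bot: The m4 hunk makes an explicit `--with-curl=DIR` inert in the fallback branch — `curl_flags=""` and `curl_libs="-lcurl"` drop both `-I$with_curl/include` and `-L$with_curl/lib`, so configure's curl probe now succeeds only when curl is already on the compiler's default search path. That holds for the OE recipe-sysroot, but the patch's own description says only the `-L` leaked into `Libs.private` of xerces-c.pc; if the `-I` does not reach any packaged file, keeping `curl_flags="-I$with_curl/include"` and dropping only the `-L` would fix the buildpaths issue with a smaller behaviour change, and the header should say so if the full drop is deliberate. Separately, `Upstream-Status: Pending` sits below the `---` separator, where `git am` discards it; OE's patch QA still finds it in the file, but the conventional place is above the Signed-off-by so it survives into the commit message when the patch is sent upstream.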
@@ -9,7 +9,9 @@ SECTION = "libs" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI = "http://archive.apache.org/dist/xerces/c/3/sources/${BP}.tar.bz2" +SRC_URI = "http://archive.apache.org/dist/xerces/c/3/sources/${BP}.tar.bz2 \ + file://0001-aclocal.m4-don-t-use-full-path-of-with_curl-in-xerce.patch \ +" SRC_URI[sha256sum] = "1db4028c9b7f1f778efbf4a9462d65e13f9938f2c22f9e9994e12c49ba97e252" inherit autotools @@ -18,10 +20,6 @@ PACKAGECONFIG ??= "curl icu" PACKAGECONFIG[curl] = "--with-curl=${STAGING_DIR_TARGET}${prefix},--with-curl=no,curl" PACKAGECONFIG[icu] = "--with-icu=${STAGING_DIR_TARGET}${prefix},--with-icu=no,icu" -do_install:prepend () { - sed -i s:-L${STAGING_LIBDIR}::g ${B}/xerces-c.pc -} - PACKAGES = "libxerces-c \ libxerces-c-dev \ xerces-c-samples \ From d3cd9c14cbadbc5c1505908c78916b6a0e98d225 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 21 Jun 2024 10:11:38 +0800 Subject: [PATCH 27/52] samba: upgrade 4.19.6 -> 4.19.7 ChangeLog: https://www.samba.org/samba/history/samba-4.19.7.html Signed-off-by: Yi Zhao Signed-off-by: Khem Raj (cherry picked from commit 41df431b91f1d81070c1f0e8633995d7afba52e4) Signed-off-by: Armin Kuster --- .../samba/{samba_4.19.6.bb => samba_4.19.7.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-networking/recipes-connectivity/samba/{samba_4.19.6.bb => samba_4.19.7.bb} (99%) diff --git a/meta-networking/recipes-connectivity/samba/samba_4.19.6.bb b/meta-networking/recipes-connectivity/samba/samba_4.19.7.bb similarity index 99% rename from meta-networking/recipes-connectivity/samba/samba_4.19.6.bb rename to meta-networking/recipes-connectivity/samba/samba_4.19.7.bb index bd0309934b9..dddf5945155 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.19.6.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.19.7.bb 
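Review bot: The rewritten `SRC_URI` line still fetches the tarball over plain `http://archive.apache.org/…`; the pinned sha256sum catches a substituted archive after the fact, but since the line is being edited anyway, `https://archive.apache.org/dist/xerces/c/3/sources/${BP}.tar.bz2` also protects the download from on-path observation and tampering at no cost. Dropping the `do_install:prepend` sed is consistent with the new patch only if every `-L${STAGING_LIBDIR}` in xerces-c.pc came from the curl fallback; the icu path (`--with-icu=${STAGING_DIR_TARGET}${prefix}`, a context line here) is not touched by the new patch, so a quick check of `${B}/xerces-c.pc` with the icu PACKAGECONFIG enabled would confirm the buildpaths warning is gone in that configuration as well.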
@@ -31,7 +31,7 @@ SRC_URI:append:libc-musl = " \ file://samba-4.3.9-remove-getpwent_r.patch \ " -SRC_URI[sha256sum] = "653b52095554dbc223c63b96af5cdf9e98c3e048549c5f56143d3b33dce1cef1" +SRC_URI[sha256sum] = "2bbb800af2d6bc7b9c23e708cd58d008da3bfa6ef7e621d9ec8b53387efee445" UPSTREAM_CHECK_REGEX = "samba\-(?P4\.19(\.\d+)+).tar.gz" From 1b62af8ac675e6e277b075f38e702b38dd516adb Mon Sep 17 00:00:00 2001 From: Wang Mingyu Date: Wed, 28 Aug 2024 16:25:22 +0800 Subject: [PATCH 28/52] samba: upgrade 4.19.7 -> 4.19.8 Changelog: https://www.samba.org/samba/history/samba-4.19.8.html Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj (cherry picked from commit 3cbd140c7d85d99afc81ffd83b75698ee621c1c1) Signed-off-by: Armin Kuster --- .../samba/{samba_4.19.7.bb => samba_4.19.8.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-networking/recipes-connectivity/samba/{samba_4.19.7.bb => samba_4.19.8.bb} (99%) diff --git a/meta-networking/recipes-connectivity/samba/samba_4.19.7.bb b/meta-networking/recipes-connectivity/samba/samba_4.19.8.bb similarity index 99% rename from meta-networking/recipes-connectivity/samba/samba_4.19.7.bb rename to meta-networking/recipes-connectivity/samba/samba_4.19.8.bb index dddf5945155..429f983c93d 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.19.7.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.19.8.bb @@ -31,7 +31,7 @@ SRC_URI:append:libc-musl = " \ file://samba-4.3.9-remove-getpwent_r.patch \ " -SRC_URI[sha256sum] = "2bbb800af2d6bc7b9c23e708cd58d008da3bfa6ef7e621d9ec8b53387efee445" +SRC_URI[sha256sum] = "1aeff76c207f383477ce4badebd154691c408d2e15b01b333c85eb775468ddf6" UPSTREAM_CHECK_REGEX = "samba\-(?P4\.19(\.\d+)+).tar.gz" From 735ae0310870ffce07ce0c55c4f87c20ac161ff9 Mon Sep 17 00:00:00 2001 
From: Wang Mingyu Date: Wed, 28 Aug 2024 16:24:55 +0800 Subject: [PATCH 29/52] postgresql: upgrade 16.3 -> 16.4 0003-configure.ac-bypass-autoconf-2.69-version-check.patch refreshed for 16.4 drop: CVE-2024-7348.patch Signed-off-by: Wang Mingyu Signed-off-by: Khem Raj (cherry picked from commit 4d253bca26c5e6f9d79e19ab1b62fa34b5c05429) [Drop CVE patch now included in update] Signed-off-by: Armin Kuster --- [V2] Missed dropping CVE patch --- ...c-bypass-autoconf-2.69-version-check.patch | 6 +- .../postgresql/files/CVE-2024-7348.patch | 583 ------------------ ...{postgresql_16.3.bb => postgresql_16.4.bb} | 3 +- 3 files changed, 4 insertions(+), 588 deletions(-) delete mode 100644 meta-oe/recipes-dbs/postgresql/files/CVE-2024-7348.patch rename meta-oe/recipes-dbs/postgresql/{postgresql_16.3.bb => postgresql_16.4.bb} (82%) diff --git a/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch b/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch index 9df4d073ff4..342aeba85e5 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch @@ -13,12 +13,12 @@ Signed-off-by: Yi Fan Yu 1 file changed, 4 deletions(-) diff --git a/configure.ac b/configure.ac -index 401ce30..27f382d 100644 +index 65715a4..4ad6340 100644 --- a/configure.ac +++ b/configure.ac @@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros - AC_INIT([PostgreSQL], [16.3], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) + AC_INIT([PostgreSQL], [16.4], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required. -Untested combinations of 'autoconf' and PostgreSQL versions are not 
@@ -28,5 +28,5 @@ index 401ce30..27f382d 100644 AC_CONFIG_SRCDIR([src/backend/access/common/heaptuple.c]) AC_CONFIG_AUX_DIR(config) -- -2.25.1 +2.34.1 diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2024-7348.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2024-7348.patch deleted file mode 100644 index 10c2fa3efe8..00000000000 --- a/meta-oe/recipes-dbs/postgresql/files/CVE-2024-7348.patch +++ /dev/null 
@@ -1,583 +0,0 @@ -From 6aba85a4b0a0e60126cc7c598b3e010e272516ec Mon Sep 17 00:00:00 2001 -From: Masahiko Sawada -Date: Mon, 5 Aug 2024 06:05:28 -0700 -Subject: [PATCH] Restrict accesses to non-system views and foreign tables - during pg_dump. - -When pg_dump retrieves the list of database objects and performs the -data dump, there was possibility that objects are replaced with others -of the same name, such as views, and access them. This vulnerability -could result in code execution with superuser privileges during the -pg_dump process. - -This issue can arise when dumping data of sequences, foreign -tables (only 13 or later), or tables registered with a WHERE clause in -the extension configuration table. - -To address this, pg_dump now utilizes the newly introduced -restrict_nonsystem_relation_kind GUC parameter to restrict the -accesses to non-system views and foreign tables during the dump -process. This new GUC parameter is added to back branches too, but -these changes do not require cluster recreation. - -Back-patch to all supported branches. 
- -Reviewed-by: Noah Misch -Security: CVE-2024-7348 -Backpatch-through: 12 - -Upstream-Status: Backport from [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=79c7a7e29695a32fef2e65682be224b8d61ec972] -CVE: CVE-2024-7348 -Signed-off-by: Ashish Sharma - - .../postgres_fdw/expected/postgres_fdw.out | 11 ++++ - contrib/postgres_fdw/sql/postgres_fdw.sql | 8 +++ - doc/src/sgml/config.sgml | 17 +++++ - doc/src/sgml/ref/pg_dump.sgml | 8 +++ - src/backend/foreign/foreign.c | 10 +++ - src/backend/optimizer/plan/createplan.c | 13 ++++ - src/backend/optimizer/util/plancat.c | 12 ++++ - src/backend/rewrite/rewriteHandler.c | 17 +++++ - src/backend/tcop/postgres.c | 64 +++++++++++++++++++ - src/backend/utils/misc/guc_tables.c | 12 ++++ - src/bin/pg_dump/pg_dump.c | 47 ++++++++++++++ - src/include/tcop/tcopprot.h | 6 ++ - src/include/utils/guc_hooks.h | 3 + - src/test/regress/expected/create_view.out | 19 +++++- - src/test/regress/sql/create_view.sql | 9 +++ - 15 files changed, 255 insertions(+), 1 deletion(-) - -diff --git a/contrib/postgres_fdw/expected/postgres_fdw.out b/contrib/postgres_fdw/expected/postgres_fdw.out -index a6fd3f6ff0..9b7a7eed05 100644 ---- a/contrib/postgres_fdw/expected/postgres_fdw.out -+++ b/contrib/postgres_fdw/expected/postgres_fdw.out -@@ -637,6 +637,17 @@ EXPLAIN (VERBOSE, COSTS OFF) SELECT * FROM ft_empty ORDER BY c1; - Remote SQL: SELECT c1, c2 FROM public.loct_empty ORDER BY c1 ASC NULLS LAST - (3 rows) - -+-- test restriction on non-system foreign tables. 
-+SET restrict_nonsystem_relation_kind TO 'foreign-table'; -+SELECT * from ft1 where c1 < 1; -- ERROR -+ERROR: access to non-system foreign table is restricted -+INSERT INTO ft1 (c1) VALUES (1); -- ERROR -+ERROR: access to non-system foreign table is restricted -+DELETE FROM ft1 WHERE c1 = 1; -- ERROR -+ERROR: access to non-system foreign table is restricted -+TRUNCATE ft1; -- ERROR -+ERROR: access to non-system foreign table is restricted -+RESET restrict_nonsystem_relation_kind; - -- =================================================================== - -- WHERE with remotely-executable conditions - -- =================================================================== -diff --git a/contrib/postgres_fdw/sql/postgres_fdw.sql b/contrib/postgres_fdw/sql/postgres_fdw.sql -index 1c1dedd991..80cc3f9d8e 100644 ---- a/contrib/postgres_fdw/sql/postgres_fdw.sql -+++ b/contrib/postgres_fdw/sql/postgres_fdw.sql -@@ -327,6 +327,14 @@ DELETE FROM loct_empty; - ANALYZE ft_empty; - EXPLAIN (VERBOSE, COSTS OFF) SELECT * FROM ft_empty ORDER BY c1; - -+-- test restriction on non-system foreign tables. -+SET restrict_nonsystem_relation_kind TO 'foreign-table'; -+SELECT * from ft1 where c1 < 1; -- ERROR -+INSERT INTO ft1 (c1) VALUES (1); -- ERROR -+DELETE FROM ft1 WHERE c1 = 1; -- ERROR -+TRUNCATE ft1; -- ERROR -+RESET restrict_nonsystem_relation_kind; -+ - -- =================================================================== - -- WHERE with remotely-executable conditions - -- =================================================================== -diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml -index e8c5d2a3b7..69c4bc614f 100644 ---- a/doc/src/sgml/config.sgml -+++ b/doc/src/sgml/config.sgml -@@ -9564,6 +9564,23 @@ SET XML OPTION { DOCUMENT | CONTENT }; - - - -+ -+ restrict_nonsystem_relation_kind (string) -+ -+ restrict_nonsystem_relation_kind -+ configuration parameter -+ -+ -+ -+ -+ This variable specifies relation kind to which access is restricted. 
-+ It contains a comma-separated list of relation kind. Currently, the -+ supported relation kinds are view and -+ foreign-table. -+ -+ -+ -+ - - - -diff --git a/doc/src/sgml/ref/pg_dump.sgml b/doc/src/sgml/ref/pg_dump.sgml -index 7ff5d04c73..b879c30c18 100644 ---- a/doc/src/sgml/ref/pg_dump.sgml -+++ b/doc/src/sgml/ref/pg_dump.sgml -@@ -868,6 +868,14 @@ PostgreSQL documentation - The only exception is that an empty pattern is disallowed. - - -+ -+ -+ Using wildcards in may result -+ in access to unexpected foreign servers. Also, to use this option securely, -+ make sure that the named server must have a trusted owner. -+ -+ -+ - - - When is specified, -diff --git a/src/backend/foreign/foreign.c b/src/backend/foreign/foreign.c -index ca3ad55b62..7335838af3 100644 ---- a/src/backend/foreign/foreign.c -+++ b/src/backend/foreign/foreign.c -@@ -23,6 +23,7 @@ - #include "funcapi.h" - #include "lib/stringinfo.h" - #include "miscadmin.h" -+#include "tcop/tcopprot.h" - #include "utils/builtins.h" - #include "utils/memutils.h" - #include "utils/rel.h" -@@ -323,6 +324,15 @@ GetFdwRoutine(Oid fdwhandler) - Datum datum; - FdwRoutine *routine; - -+ /* Check if the access to foreign tables is restricted */ -+ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0)) -+ { -+ /* there must not be built-in FDW handler */ -+ ereport(ERROR, -+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), -+ errmsg("access to non-system foreign table is restricted"))); -+ } -+ - datum = OidFunctionCall0(fdwhandler); - routine = (FdwRoutine *) DatumGetPointer(datum); - -diff --git a/src/backend/optimizer/plan/createplan.c b/src/backend/optimizer/plan/createplan.c -index 4bb38160b3..974c50b29f 100644 ---- a/src/backend/optimizer/plan/createplan.c -+++ b/src/backend/optimizer/plan/createplan.c -@@ -40,6 +40,7 @@ - #include "parser/parse_clause.h" - #include "parser/parsetree.h" - #include "partitioning/partprune.h" -+#include "tcop/tcopprot.h" - #include 
"utils/lsyscache.h" - - -@@ -7090,7 +7091,19 @@ make_modifytable(PlannerInfo *root, Plan *subplan, - - if (rte->rtekind == RTE_RELATION && - rte->relkind == RELKIND_FOREIGN_TABLE) -+ { -+ /* Check if the access to foreign tables is restricted */ -+ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0)) -+ { -+ /* there must not be built-in foreign tables */ -+ Assert(rte->relid >= FirstNormalObjectId); -+ ereport(ERROR, -+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), -+ errmsg("access to non-system foreign table is restricted"))); -+ } -+ - fdwroutine = GetFdwRoutineByRelId(rte->relid); -+ } - else - fdwroutine = NULL; - } -diff --git a/src/backend/optimizer/util/plancat.c b/src/backend/optimizer/util/plancat.c -index 07c4ba384a..1a3045479f 100644 ---- a/src/backend/optimizer/util/plancat.c -+++ b/src/backend/optimizer/util/plancat.c -@@ -47,6 +47,7 @@ - #include "rewrite/rewriteManip.h" - #include "statistics/statistics.h" - #include "storage/bufmgr.h" -+#include "tcop/tcopprot.h" - #include "utils/builtins.h" - #include "utils/lsyscache.h" - #include "utils/partcache.h" -@@ -500,6 +501,17 @@ get_relation_info(PlannerInfo *root, Oid relationObjectId, bool inhparent, - /* Grab foreign-table info using the relcache, while we have it */ - if (relation->rd_rel->relkind == RELKIND_FOREIGN_TABLE) - { -+ /* Check if the access to foreign tables is restricted */ -+ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_FOREIGN_TABLE) != 0)) -+ { -+ /* there must not be built-in foreign tables */ -+ Assert(RelationGetRelid(relation) >= FirstNormalObjectId); -+ -+ ereport(ERROR, -+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), -+ errmsg("access to non-system foreign table is restricted"))); -+ } -+ - rel->serverid = GetForeignServerIdByRelId(RelationGetRelid(relation)); - rel->fdwroutine = GetFdwRoutineForRelation(relation, true); - } -diff --git a/src/backend/rewrite/rewriteHandler.c 
b/src/backend/rewrite/rewriteHandler.c -index 6cef936f82..9cd96fd17e 100644 ---- a/src/backend/rewrite/rewriteHandler.c -+++ b/src/backend/rewrite/rewriteHandler.c -@@ -41,6 +41,7 @@ - #include "rewrite/rewriteManip.h" - #include "rewrite/rewriteSearchCycle.h" - #include "rewrite/rowsecurity.h" -+#include "tcop/tcopprot.h" - #include "utils/builtins.h" - #include "utils/lsyscache.h" - #include "utils/rel.h" -@@ -1740,6 +1741,14 @@ ApplyRetrieveRule(Query *parsetree, - if (rule->qual != NULL) - elog(ERROR, "cannot handle qualified ON SELECT rule"); - -+ /* Check if the expansion of non-system views are restricted */ -+ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_VIEW) != 0 && -+ RelationGetRelid(relation) >= FirstNormalObjectId)) -+ ereport(ERROR, -+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), -+ errmsg("access to non-system view \"%s\" is restricted", -+ RelationGetRelationName(relation)))); -+ - if (rt_index == parsetree->resultRelation) - { - /* -@@ -3104,6 +3113,14 @@ - } - } - -+ /* Check if the expansion of non-system views are restricted */ -+ if (unlikely((restrict_nonsystem_relation_kind & RESTRICT_RELKIND_VIEW) != 0 && -+ RelationGetRelid(view) >= FirstNormalObjectId)) -+ ereport(ERROR, -+ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), -+ errmsg("access to non-system view \"%s\" is restricted", -+ RelationGetRelationName(view)))); -+ - /* - * For INSERT/UPDATE the modified columns must all be updatable. 
Note that - * we get the modified columns from the query's targetlist, not from the -diff --git a/src/backend/tcop/postgres.c b/src/backend/tcop/postgres.c -index 36cc99ec9c..e7d486ca2f 100644 ---- a/src/backend/tcop/postgres.c -+++ b/src/backend/tcop/postgres.c -@@ -77,6 +77,7 @@ - #include "utils/snapmgr.h" - #include "utils/timeout.h" - #include "utils/timestamp.h" -+#include "utils/varlena.h" - - /* ---------------- - * global variables -@@ -101,6 +102,9 @@ int PostAuthDelay = 0; - /* Time between checks that the client is still connected. */ - int client_connection_check_interval = 0; - -+/* flags for non-system relation kinds to restrict use */ -+int restrict_nonsystem_relation_kind; -+ - /* ---------------- - * private typedefs etc - * ---------------- -@@ -3628,6 +3632,66 @@ check_log_stats(bool *newval, void **extra, GucSource source) - return true; - } - -+/* -+ * GUC check_hook for restrict_nonsystem_relation_kind -+ */ -+bool -+check_restrict_nonsystem_relation_kind(char **newval, void **extra, GucSource source) -+{ -+ char *rawstring; -+ List *elemlist; -+ ListCell *l; -+ int flags = 0; -+ -+ /* Need a modifiable copy of string */ -+ rawstring = pstrdup(*newval); -+ -+ if (!SplitIdentifierString(rawstring, ',', &elemlist)) -+ { -+ /* syntax error in list */ -+ GUC_check_errdetail("List syntax is invalid."); -+ pfree(rawstring); -+ list_free(elemlist); -+ return false; -+ } -+ -+ foreach(l, elemlist) -+ { -+ char *tok = (char *) lfirst(l); -+ -+ if (pg_strcasecmp(tok, "view") == 0) -+ flags |= RESTRICT_RELKIND_VIEW; -+ else if (pg_strcasecmp(tok, "foreign-table") == 0) -+ flags |= RESTRICT_RELKIND_FOREIGN_TABLE; -+ else -+ { -+ GUC_check_errdetail("Unrecognized key word: \"%s\".", tok); -+ pfree(rawstring); -+ list_free(elemlist); -+ return false; -+ } -+ } -+ -+ pfree(rawstring); -+ list_free(elemlist); -+ -+ /* Save the flags in *extra, for use by the assign function */ -+ *extra = guc_malloc(ERROR, sizeof(int)); -+ *((int *) *extra) = flags; -+ -+ 
return true; -+} -+ -+/* -+ * GUC assign_hook for restrict_nonsystem_relation_kind -+ */ -+void -+assign_restrict_nonsystem_relation_kind(const char *newval, void *extra) -+{ -+ int *flags = (int *) extra; -+ -+ restrict_nonsystem_relation_kind = *flags; -+} - - /* - * set_debug_options --- apply "-d N" command line option -diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c -index b078b934a7..a515ecde97 100644 ---- a/src/backend/utils/misc/guc_tables.c -+++ b/src/backend/utils/misc/guc_tables.c -@@ -564,6 +564,7 @@ static char *server_encoding_string; - static char *server_version_string; - static int server_version_num; - static char *debug_io_direct_string; -+static char *restrict_nonsystem_relation_kind_string; - - #ifdef HAVE_SYSLOG - #define DEFAULT_SYSLOG_FACILITY LOG_LOCAL0 -@@ -4549,6 +4550,17 @@ struct config_string ConfigureNamesString[] = - check_debug_io_direct, assign_debug_io_direct, NULL - }, - -+ { -+ {"restrict_nonsystem_relation_kind", PGC_USERSET, CLIENT_CONN_STATEMENT, -+ gettext_noop("Sets relation kinds of non-system relation to restrict use"), -+ NULL, -+ GUC_LIST_INPUT | GUC_NOT_IN_SAMPLE -+ }, -+ &restrict_nonsystem_relation_kind_string, -+ "", -+ check_restrict_nonsystem_relation_kind, assign_restrict_nonsystem_relation_kind, NULL -+ }, -+ - /* End-of-list marker */ - { - {NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL, NULL -diff --git a/src/bin/pg_dump/pg_dump.c b/src/bin/pg_dump/pg_dump.c -index 300fe071fc..1694ff55f8 100644 ---- a/src/bin/pg_dump/pg_dump.c -+++ b/src/bin/pg_dump/pg_dump.c -@@ -324,6 +324,7 @@ static bool nonemptyReloptions(const char *reloptions); - static void appendReloptionsArrayAH(PQExpBuffer buffer, const char *reloptions, - const char *prefix, Archive *fout); - static char *get_synchronized_snapshot(Archive *fout); -+static void set_restrict_relation_kind(Archive *AH, const char *value); - static void setupDumpWorker(Archive *AH); - static TableInfo *getRootTableInfo(const 
TableInfo *tbinfo); - static bool forcePartitionRootLoad(const TableInfo *tbinfo); -@@ -1252,6 +1253,13 @@ setup_connection(Archive *AH, const char *dumpencoding, - ExecuteSqlStatement(AH, "SET row_security = off"); - } - -+ /* -+ * For security reasons, we restrict the expansion of non-system views and -+ * access to foreign tables during the pg_dump process. This restriction -+ * is adjusted when dumping foreign table data. -+ */ -+ set_restrict_relation_kind(AH, "view, foreign-table"); -+ - /* - * Initialize prepared-query state to "nothing prepared". We do this here - * so that a parallel dump worker will have its own state. -@@ -2114,6 +2122,10 @@ dumpTableData_copy(Archive *fout, const void *dcontext) - */ - if (tdinfo->filtercond || tbinfo->relkind == RELKIND_FOREIGN_TABLE) - { -+ /* Temporary allows to access to foreign tables to dump data */ -+ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE) -+ set_restrict_relation_kind(fout, "view"); -+ - appendPQExpBufferStr(q, "COPY (SELECT "); - /* klugery to get rid of parens in column list */ - if (strlen(column_list) > 2) -@@ -2225,6 +2237,11 @@ dumpTableData_copy(Archive *fout, const void *dcontext) - classname); - - destroyPQExpBuffer(q); -+ -+ /* Revert back the setting */ -+ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE) -+ set_restrict_relation_kind(fout, "view, foreign-table"); -+ - return 1; - } - -@@ -2251,6 +2268,10 @@ dumpTableData_insert(Archive *fout, const void *dcontext) - int rows_per_statement = dopt->dump_inserts; - int rows_this_statement = 0; - -+ /* Temporary allows to access to foreign tables to dump data */ -+ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE) -+ set_restrict_relation_kind(fout, "view"); -+ - /* - * If we're going to emit INSERTs with column names, the most efficient - * way to deal with generated columns is to exclude them entirely. 
For -@@ -2490,6 +2511,10 @@ dumpTableData_insert(Archive *fout, const void *dcontext) - destroyPQExpBuffer(insertStmt); - free(attgenerated); - -+ /* Revert back the setting */ -+ if (tbinfo->relkind == RELKIND_FOREIGN_TABLE) -+ set_restrict_relation_kind(fout, "view, foreign-table"); -+ - return 1; - } - -@@ -4590,6 +4615,28 @@ is_superuser(Archive *fout) - return false; - } - -+/* -+ * Set the given value to restrict_nonsystem_relation_kind value. Since -+ * restrict_nonsystem_relation_kind is introduced in minor version releases, -+ * the setting query is effective only where available. -+ */ -+static void -+set_restrict_relation_kind(Archive *AH, const char *value) -+{ -+ PQExpBuffer query = createPQExpBuffer(); -+ PGresult *res; -+ -+ appendPQExpBuffer(query, -+ "SELECT set_config(name, '%s', false) " -+ "FROM pg_settings " -+ "WHERE name = 'restrict_nonsystem_relation_kind'", -+ value); -+ res = ExecuteSqlQuery(AH, query->data, PGRES_TUPLES_OK); -+ -+ PQclear(res); -+ destroyPQExpBuffer(query); -+} -+ - /* - * getSubscriptions - * get information about subscriptions -diff --git a/src/include/tcop/tcopprot.h b/src/include/tcop/tcopprot.h -index abd7b4fff3..e529e9f06c 100644 ---- a/src/include/tcop/tcopprot.h -+++ b/src/include/tcop/tcopprot.h -@@ -43,6 +43,12 @@ typedef enum - - extern PGDLLIMPORT int log_statement; - -+/* Flags for restrict_nonsystem_relation_kind value */ -+#define RESTRICT_RELKIND_VIEW 0x01 -+#define RESTRICT_RELKIND_FOREIGN_TABLE 0x02 -+ -+extern PGDLLIMPORT int restrict_nonsystem_relation_kind; -+ - extern List *pg_parse_query(const char *query_string); - extern List *pg_rewrite_query(Query *query); - extern List *pg_analyze_and_rewrite_fixedparams(RawStmt *parsetree, -diff --git a/src/include/utils/guc_hooks.h b/src/include/utils/guc_hooks.h -index 952293a1c3..0ea33fede9 100644 ---- a/src/include/utils/guc_hooks.h -+++ b/src/include/utils/guc_hooks.h -@@ -118,6 +118,9 @@ extern void assign_recovery_target_xid(const char *newval, void 
*extra); - extern bool check_role(char **newval, void **extra, GucSource source); - extern void assign_role(const char *newval, void *extra); - extern const char *show_role(void); -+extern bool check_restrict_nonsystem_relation_kind(char **newval, void **extra, -+ GucSource source); -+extern void assign_restrict_nonsystem_relation_kind(const char *newval, void *extra); - extern bool check_search_path(char **newval, void **extra, GucSource source); - extern void assign_search_path(const char *newval, void *extra); - extern bool check_session_authorization(char **newval, void **extra, GucSource source); -diff --git a/src/test/regress/expected/create_view.out b/src/test/regress/expected/create_view.out -index 61825ef7d4..f3f8c7b5a2 100644 ---- a/src/test/regress/expected/create_view.out -+++ b/src/test/regress/expected/create_view.out -@@ -2202,6 +2202,21 @@ select pg_get_viewdef('tt26v', true); - FROM ( VALUES (1,2,3)) v(x, y, z); - (1 row) - -+-- test restriction on non-system view expansion. -+create table tt27v_tbl (a int); -+create view tt27v as select a from tt27v_tbl; -+set restrict_nonsystem_relation_kind to 'view'; -+select a from tt27v where a > 0; -- Error -+ERROR: access to non-system view "tt27v" is restricted -+insert into tt27v values (1); -- Error -+ERROR: access to non-system view "tt27v" is restricted -+select viewname from pg_views where viewname = 'tt27v'; -- Ok to access a system view. 
-+ viewname -+---------- -+ tt27v -+(1 row) -+ -+reset restrict_nonsystem_relation_kind; - -- clean up all the random objects we made above - DROP SCHEMA temp_view_test CASCADE; - NOTICE: drop cascades to 27 other objects -@@ -2233,7 +2248,7 @@ drop cascades to view aliased_view_2 - drop cascades to view aliased_view_3 - drop cascades to view aliased_view_4 - DROP SCHEMA testviewschm2 CASCADE; --NOTICE: drop cascades to 77 other objects -+NOTICE: drop cascades to 79 other objects - DETAIL: drop cascades to table t1 - drop cascades to view temporal1 - drop cascades to view temporal2 -@@ -2311,3 +2326,5 @@ drop cascades to view tt23v - drop cascades to view tt24v - drop cascades to view tt25v - drop cascades to view tt26v -+drop cascades to table tt27v_tbl -+drop cascades to view tt27v -diff --git a/src/test/regress/sql/create_view.sql b/src/test/regress/sql/create_view.sql -index 8838a40f7a..3a78be1b0c 100644 ---- a/src/test/regress/sql/create_view.sql -+++ b/src/test/regress/sql/create_view.sql -@@ -813,6 +813,15 @@ select x + y + z as c1, - from (values(1,2,3)) v(x,y,z); - select pg_get_viewdef('tt26v', true); - -+-- test restriction on non-system view expansion. -+create table tt27v_tbl (a int); -+create view tt27v as select a from tt27v_tbl; -+set restrict_nonsystem_relation_kind to 'view'; -+select a from tt27v where a > 0; -- Error -+insert into tt27v values (1); -- Error -+select viewname from pg_views where viewname = 'tt27v'; -- Ok to access a system view. -+reset restrict_nonsystem_relation_kind; -+ - -- clean up all the random objects we made above - DROP SCHEMA temp_view_test CASCADE; - DROP SCHEMA testviewschm2 CASCADE; --- -2.30.2 - diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb b/meta-oe/recipes-dbs/postgresql/postgresql_16.4.bb similarity index 82% rename from meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb rename to meta-oe/recipes-dbs/postgresql/postgresql_16.4.bb index 31f427503bf..1a47369e4d3 100644 
--- a/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_16.4.bb @@ -9,9 +9,8 @@ SRC_URI += "\ file://0003-configure.ac-bypass-autoconf-2.69-version-check.patch \ file://0004-config_info.c-not-expose-build-info.patch \ file://0005-postgresql-fix-ptest-failure-of-sysviews.patch \ - file://CVE-2024-7348.patch \ " -SRC_URI[sha256sum] = "331963d5d3dc4caf4216a049fa40b66d6bcb8c730615859411b9518764e60585" +SRC_URI[sha256sum] = "971766d645aa73e93b9ef4e3be44201b4f45b5477095b049125403f9f3386d6f" CVE_STATUS[CVE-2017-8806] = "not-applicable-config: Ddoesn't apply to out configuration of postgresql so we can safely ignore it." From 9afe2c5047dfdd925f1889baafc60d5562d270fb Mon Sep 17 00:00:00 2001 From: Harish Sadineni Date: Mon, 16 Sep 2024 03:33:52 -0700 Subject: [PATCH 30/52] bpftool: Add support for riscv64 bpftool is supported for riscv64 and tested on qemuriscv64. Signed-off-by: Harish Sadineni Signed-off-by: Armin Kuster --- meta-oe/recipes-kernel/bpftool/bpftool.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-kernel/bpftool/bpftool.bb b/meta-oe/recipes-kernel/bpftool/bpftool.bb index b22334fe90f..8bddde94514 100644 --- a/meta-oe/recipes-kernel/bpftool/bpftool.bb +++ b/meta-oe/recipes-kernel/bpftool/bpftool.bb @@ -26,7 +26,7 @@ SECURITY_CFLAGS = "" do_configure[depends] += "virtual/kernel:do_shared_workdir" -COMPATIBLE_HOST = "(x86_64|aarch64).*-linux" +COMPATIBLE_HOST = "(x86_64|aarch64|riscv64).*-linux" COMPATIBLE_HOST:libc-musl = 'null' do_compile() { From e318c5df6993ca714c1a56abeeb32c243e4d2cde Mon Sep 17 00:00:00 2001 From: Peter Kjellerstedt Date: Tue, 17 Sep 2024 11:45:50 +0100 Subject: [PATCH 31/52] libdevmapper: Inherit nopackages This fixes errors from buildhistory changes where packages-split would be empty. Signed-off-by: Peter Kjellerstedt Signed-off-by: Khem Raj (cherry picked from commit 90f96e053ad3eefa7693d9748efdfbfa72d7dcfd) 
Signed-off-by: Armin Kuster --- meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb b/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb index be558ce1d21..3b4439c3ae0 100644 --- a/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb +++ b/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb @@ -5,6 +5,8 @@ require lvm2.inc DEPENDS += "autoconf-archive-native" +inherit nopackages + TARGET_CC_ARCH += "${LDFLAGS}" do_install() { From 6ba98f138e0f6ca0bcf4e0d3e73cd16ac39f20ce Mon Sep 17 00:00:00 2001 
From: Fathi Boudra Date: Tue, 17 Sep 2024 17:53:55 +0200 Subject: [PATCH 32/52] python3-django: upgrade 4.2.11 -> 4.2.16 CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize() urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-45231: Potential user email enumeration via response status on password reset Due to unhandled email sending failures, the django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes. To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger. CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat() The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize() The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list() QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. 
CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize() urlize() and urlizetrunc() were subject to a potential denial-of-service attack via certain inputs with a very large number of brackets. CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords The django.contrib.auth.backends.ModelBackend.authenticate() method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords. CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save() Derived classes of the django.core.files.storage.Storage base class which override generate_filename() without replicating the file path validations existing in the parent class, allowed for potential directory-traversal via certain inputs when calling save(). Built-in Storage sub-classes were not affected by this vulnerability. CVE-2024-39614: Potential denial-of-service in django.utils.translation.get_supported_language_variant() get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. To mitigate this vulnerability, the language code provided to get_supported_language_variant() is now parsed up to a maximum length of 500 characters. Fixed a crash in Django 4.2 when validating email max line lengths with content decoded using the surrogateescape error handling scheme (#35361) Signed-off-by: Fathi Boudra Signed-off-by: Khem Raj Signed-off-by: Armin Kuster --- .../{python3-django_4.2.11.bb => python3-django_4.2.16.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename meta-python/recipes-devtools/python/{python3-django_4.2.11.bb => python3-django_4.2.16.bb} (63%) 
diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.11.bb b/meta-python/recipes-devtools/python/python3-django_4.2.16.bb similarity index 63% rename from meta-python/recipes-devtools/python/python3-django_4.2.11.bb rename to meta-python/recipes-devtools/python/python3-django_4.2.16.bb index 0642b7e7c31..9254e8b009e 100644 --- a/meta-python/recipes-devtools/python/python3-django_4.2.11.bb +++ b/meta-python/recipes-devtools/python/python3-django_4.2.16.bb @@ -1,7 +1,7 @@ require python-django.inc inherit setuptools3 -SRC_URI[sha256sum] = "6e6ff3db2d8dd0c986b4eec8554c8e4f919b5c1ff62a5b4390c17aff2ed6e5c4" +SRC_URI[sha256sum] = "6f1616c2786c408ce86ab7e10f792b8f15742f7b7b7460243929cb371e7f1dad" RDEPENDS:${PN} += "\ python3-sqlparse \ @@ -10,5 +10,5 @@ RDEPENDS:${PN} += "\ # Set DEFAULT_PREFERENCE so that the LTS version of django is built by # default. To build the 4.x branch, -# PREFERRED_VERSION_python3-django = "4.2.11" can be added to local.conf +# PREFERRED_VERSION_python3-django = "4.2.16" can be added to local.conf DEFAULT_PREFERENCE = "-1" From 1897dc18a2a90ec907ce0e73e4ca622b5141b5da Mon Sep 17 00:00:00 2001 
From: Fathi Boudra Date: Tue, 17 Sep 2024 17:53:56 +0200 Subject: [PATCH 33/52] python3-django: upgrade 5.0.4 -> 5.0.9 CVE-2024-45230: Potential denial-of-service vulnerability in django.utils.html.urlize() urlize and urlizetrunc were subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-45231: Potential user email enumeration via response status on password reset Due to unhandled email sending failures, the django.contrib.auth.forms.PasswordResetForm class allowed remote attackers to enumerate user emails by issuing password reset requests and observing the outcomes. To mitigate this risk, exceptions occurring during password reset email sending are now handled and logged using the django.contrib.auth logger. CVE-2024-41989: Memory exhaustion in django.utils.numberformat.floatformat() The floatformat template filter is subject to significant memory consumption when given a string representation of a number in scientific notation with a large exponent. CVE-2024-41990: Potential denial-of-service in django.utils.html.urlize() The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. CVE-2024-41991: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. CVE-2024-42005: Potential SQL injection in QuerySet.values() and values_list() QuerySet.values() and values_list() methods on models with a JSONField are subject to SQL injection in column aliases via a crafted JSON object key as a passed *arg. 
CVE-2024-38875: Potential denial-of-service in django.utils.html.urlize() urlize() and urlizetrunc() were subject to a potential denial-of-service attack via certain inputs with a very large number of brackets. CVE-2024-39329: Username enumeration through timing difference for users with unusable passwords The django.contrib.auth.backends.ModelBackend.authenticate() method allowed remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords. CVE-2024-39330: Potential directory-traversal in django.core.files.storage.Storage.save() Derived classes of the django.core.files.storage.Storage base class which override generate_filename() without replicating the file path validations existing in the parent class, allowed for potential directory-traversal via certain inputs when calling save(). Built-in Storage sub-classes were not affected by this vulnerability. CVE-2024-39614: Potential denial-of-service in django.utils.translation.get_supported_language_variant() get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. To mitigate this vulnerability, the language code provided to get_supported_language_variant() is now parsed up to a maximum length of 500 characters. Signed-off-by: Fathi Boudra Signed-off-by: Armin Kuster --- .../python/{python3-django_5.0.4.bb => python3-django_5.0.9.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-python/recipes-devtools/python/{python3-django_5.0.4.bb => python3-django_5.0.9.bb} (56%) diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.4.bb b/meta-python/recipes-devtools/python/python3-django_5.0.9.bb similarity index 56% rename from meta-python/recipes-devtools/python/python3-django_5.0.4.bb rename to meta-python/recipes-devtools/python/python3-django_5.0.9.bb index 3139ed46829..60e9c592b06 100644 
--- a/meta-python/recipes-devtools/python/python3-django_5.0.4.bb +++ b/meta-python/recipes-devtools/python/python3-django_5.0.9.bb @@ -1,7 +1,7 @@ require python-django.inc inherit setuptools3 -SRC_URI[sha256sum] = "4bd01a8c830bb77a8a3b0e7d8b25b887e536ad17a81ba2dce5476135c73312bd" +SRC_URI[sha256sum] = "6333870d342329b60174da3a60dbd302e533f3b0bb0971516750e974a99b5a39" RDEPENDS:${PN} += "\ python3-sqlparse \ From 6f28dfb8b969a1ccd13c03504bedf3f53d7aa64d Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 18 Sep 2024 11:28:45 +0000 Subject: [PATCH 34/52] mbedtls: upgrade 3.6.0 -> 3.6.1 ChangeLog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.1 Security fixes: CVE-2024-45157 CVE-2024-45158 CVE-2024-45159 * According to commit[1], install data_files into framework directory for ptest. [1] https://github.com/Mbed-TLS/mbedtls/commit/9c4dd4ee6fe570b6a50a275d78b7d140fec0e02f Signed-off-by: Yi Zhao Signed-off-by: Khem Raj Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster --- .../mbedtls/{mbedtls_3.6.0.bb => mbedtls_3.6.1.bb} | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) rename meta-networking/recipes-connectivity/mbedtls/{mbedtls_3.6.0.bb => mbedtls_3.6.1.bb} (93%) diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.1.bb similarity index 93% rename from meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.0.bb rename to meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.1.bb index 92a2de82a3f..29c96f19aa8 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.0.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.1.bb 
@@ -23,12 +23,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=379d5819937a6c2f1ef1630d341e026d" SECTION = "libs" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=master \ +SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=mbedtls-3.6 \ git://github.com/Mbed-TLS/mbedtls-framework.git;protocol=https;branch=main;destsuffix=git/framework;name=framework \ file://run-ptest" -SRCREV = "2ca6c285a0dd3f33982dd57299012dacab1ff206" -SRCREV_framework = "750634d3a51eb9d61b59fd5d801546927c946588" +SRCREV = "71c569d44bf3a8bd53d874c81ee8ac644dd6e9e3" +SRCREV_framework = "94599c0e3b5036e086446a51a3f79640f70f22f6" SRCREV_FORMAT .= "_framework" UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)" @@ -76,7 +76,8 @@ sysroot_stage_all:append() { do_install_ptest () { install -d ${D}${PTEST_PATH}/tests + install -d ${D}${PTEST_PATH}/framework cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/ find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete - cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/ + cp -fR ${S}/framework/data_files ${D}${PTEST_PATH}/framework/ } From e2f0fb24c56d8e8cb66c608d9e4ea42ded2f4fd0 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 18 Sep 2024 11:29:04 +0000 Subject: [PATCH 35/52] mbedtls: upgrade 2.28.8 -> 2.28.9 ChangeLog https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.9 Security fix: CVE-2024-45157 Signed-off-by: Yi Zhao Signed-off-by: Khem Raj Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster --- .../mbedtls/{mbedtls_2.28.8.bb => mbedtls_2.28.9.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-networking/recipes-connectivity/mbedtls/{mbedtls_2.28.8.bb => mbedtls_2.28.9.bb} (98%) 
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.8.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.9.bb similarity index 98% rename from meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.8.bb rename to meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.9.bb index 301e6559899..da984a3990b 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.8.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.9.bb @@ -23,7 +23,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=379d5819937a6c2f1ef1630d341e026d" SECTION = "libs" S = "${WORKDIR}/git" -SRCREV = "5a764e5555c64337ed17444410269ff21cb617b1" +SRCREV = "5e146adef63b326b04282252639bebc2730939c6" SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=mbedtls-2.28 \ file://run-ptest \ " From ce456f692384f56f03328d3466a36f05146314f2 Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati Date: Fri, 20 Sep 2024 11:08:25 +0530 Subject: [PATCH 36/52] tgt: fix CVE-2024-45751 Upstream-Status: Backport from https://github.com/fujita/tgt/commit/abd8e0d987ab56013d360077202bf2aca20a42dd Signed-off-by: Hitendra Prajapati Signed-off-by: Armin Kuster --- .../tgt/files/CVE-2024-45751.patch | 71 +++++++++++++++++++ .../recipes-extended/tgt/tgt_1.0.90.bb | 1 + 2 files changed, 72 insertions(+) create mode 100644 meta-networking/recipes-extended/tgt/files/CVE-2024-45751.patch diff --git a/meta-networking/recipes-extended/tgt/files/CVE-2024-45751.patch b/meta-networking/recipes-extended/tgt/files/CVE-2024-45751.patch new file mode 100644 index 00000000000..2de9ae9b289 --- /dev/null +++ b/meta-networking/recipes-extended/tgt/files/CVE-2024-45751.patch 
@@ -0,0 +1,71 @@
+From abd8e0d987ab56013d360077202bf2aca20a42dd Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Tue, 3 Sep 2024 16:14:58 +0200
+Subject: [PATCH] chap: Use proper entropy source
+
+The challenge sent to the initiator is based on a poor
+source of randomness, it uses rand() without seeding it by srand().
+So the glibc PRNG is always seeded with 1 and as a consequence the
+sequence of challenges is always the same.
+
+An attacker which is able to monitor network traffic can apply a replay
+attack to bypass the CHAP authentication. All the attacker has to do
+is waiting for the server or the service to restart and replay with a
+previously record CHAP session which fits into the sequence.
+
+To overcome the issue, use getrandom() to query the kernel random
+number generator.
+Also always send a challenge of length CHAP_CHALLENGE_MAX, there is no
+benefit in sending a variable length challenge.
+
+Signed-off-by: Richard Weinberger
+
+Upstream-Status: Backport [https://github.com/fujita/tgt/commit/abd8e0d987ab56013d360077202bf2aca20a42dd]
+CVE: CVE-2024-45751
+Signed-off-by: Hitendra Prajapati
+---
+ usr/iscsi/chap.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/usr/iscsi/chap.c b/usr/iscsi/chap.c
+index aa0fc67..b89ecab 100644
+--- a/usr/iscsi/chap.c
++++ b/usr/iscsi/chap.c
+@@ -28,6 +28,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "iscsid.h"
+ #include "tgtd.h"
+@@ -359,22 +360,19 @@ static int chap_initiator_auth_create_challenge(struct iscsi_connection *conn)
+ sprintf(text, "%u", (unsigned char)conn->auth.chap.id);
+ text_key_add(conn, "CHAP_I", text);
+
+- /*
+- * FIXME: does a random challenge length provide any benefits security-
+- * wise, or should we rather always use the max. allowed length of
+- * 1024 for the (unencoded) challenge?
+- */
+- conn->auth.chap.challenge_size = (rand() % (CHAP_CHALLENGE_MAX / 2)) + CHAP_CHALLENGE_MAX / 2;
++ conn->auth.chap.challenge_size = CHAP_CHALLENGE_MAX;
+
+ conn->auth.chap.challenge = malloc(conn->auth.chap.challenge_size);
+ if (!conn->auth.chap.challenge)
+ return CHAP_TARGET_ERROR;
+
++ if (getrandom(conn->auth.chap.challenge, conn->auth.chap.challenge_size, 0) != conn->auth.chap.challenge_size)
++ return CHAP_TARGET_ERROR;
++
+ p = text;
+ strcpy(p, "0x");
+ p += 2;
+ for (i = 0; i < conn->auth.chap.challenge_size; i++) {
+- conn->auth.chap.challenge[i] = rand();
+ sprintf(p, "%.2hhx", conn->auth.chap.challenge[i]);
+ p += 2;
+ }
+-- 
+2.25.1
+
diff --git a/meta-networking/recipes-extended/tgt/tgt_1.0.90.bb b/meta-networking/recipes-extended/tgt/tgt_1.0.90.bb
index 35995f7876d..f70f77f5401 100644
--- a/meta-networking/recipes-extended/tgt/tgt_1.0.90.bb
+++ b/meta-networking/recipes-extended/tgt/tgt_1.0.90.bb
@@ -11,6 +11,7 @@ SRC_URI = "git://github.com/fujita/tgt.git;branch=master;protocol=https \
 file://0001-usr-Makefile-WARNING-fix.patch \
 file://usr-Makefile-apply-LDFLAGS-to-all-executables.patch \
 file://musl-__wordsize.patch \
+ file://CVE-2024-45751.patch \
 "
 SRC_URI += "file://tgtd.init \
 file://tgtd.service \
From 5d3fb27a4edff7ef13280a5ab66e638fd4df7519 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Fri, 21 Jun 2024 10:11:37 +0800
Subject: [PATCH 37/52] libldb: upgrade 2.8.0 -> 2.8.1
Signed-off-by: Yi Zhao
Signed-off-by: Khem Raj
(cherry picked from commit 09f8ef2242c2d7f83101effed09ee7894e14c069)
Signed-off-by: Armin Kuster
---
 .../recipes-support/libldb/{libldb_2.8.0.bb => libldb_2.8.1.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta-networking/recipes-support/libldb/{libldb_2.8.0.bb => libldb_2.8.1.bb} (97%)
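Review bot: The new getrandom() check in chap_initiator_auth_create_challenge treats any return value other than challenge_size as a hard failure, yet with flags 0 getrandom() may legitimately return fewer bytes than requested, or -1 with errno EINTR, when a signal arrives during a request larger than 256 bytes, and the removed FIXME puts the challenge at 1024 bytes, so a signal-interrupted call becomes a spurious CHAP_TARGET_ERROR for that login instead of a retry. A fill loop that accumulates until challenge_size bytes are present and retries on EINTR closes that (it needs errno.h if chap.c does not already include it); whether the caller frees conn->auth.chap.challenge on this error path is not visible in the hunk, so that should be confirmed as well. The added `+#include` line shows no header name in this rendering, so verify the applied patch really pulls in `<sys/random.h>`; tgt is also built for musl per the recipe's musl patch, where getrandom() is available only in recent releases.
```c
	/* … unchanged: challenge_size = CHAP_CHALLENGE_MAX, malloc() and its NULL check … */
	int filled = 0;
	while (filled < conn->auth.chap.challenge_size) {
		ssize_t n = getrandom(conn->auth.chap.challenge + filled,
				      conn->auth.chap.challenge_size - filled, 0);
		if (n < 0) {
			if (errno == EINTR)
				continue;
			return CHAP_TARGET_ERROR;
		}
		filled += n;
	}
	/* … unchanged: hex-encode the challenge into text … */
```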
diff --git a/meta-networking/recipes-support/libldb/libldb_2.8.0.bb b/meta-networking/recipes-support/libldb/libldb_2.8.1.bb similarity index 97% rename from meta-networking/recipes-support/libldb/libldb_2.8.0.bb rename to meta-networking/recipes-support/libldb/libldb_2.8.1.bb index bdd87993d71..29ff2cf6f2b 100644 --- a/meta-networking/recipes-support/libldb/libldb_2.8.0.bb +++ b/meta-networking/recipes-support/libldb/libldb_2.8.1.bb @@ -34,7 +34,7 @@ LIC_FILES_CHKSUM = "file://pyldb.h;endline=24;md5=dfbd238cecad76957f7f860fbe9ada file://man/ldb.3.xml;beginline=261;endline=262;md5=137f9fd61040c1505d1aa1019663fd08 \ file://tools/ldbdump.c;endline=19;md5=a7d4fc5d1f75676b49df491575a86a42" -SRC_URI[sha256sum] = "358dca10fcd27207ac857a0d7f435a46dbc6cd1f7c10dbb840c1931bf1965f08" +SRC_URI[sha256sum] = "b68ce6eb0ccd2870fa3c8c334f2028b5d16606fd41308696c17b71959f7bf59f" inherit pkgconfig waf-samba ptest From aff78ae800fc7f8e4a36c7a80024c6a5000d123a Mon Sep 17 00:00:00 2001 From: Michael Olbrich Date: Tue, 24 Sep 2024 18:59:37 +0530 Subject: [PATCH 38/52] nftables: avoid python dependencies when building without python Use inherit_defer instead of inhert. This way, setuptools3 is not inherited when python is removed from PACKAGECONFIG in a .bbappend file. This avoids dependencies added by setuptools3. Don't add nftables-python to PACKAGES if python is disabled. It adds extra runtime dependencies on python3-core and python3-json. Signed-off-by: Michael Olbrich Signed-off-by: Khem Raj (cherry picked from commit 5cf3766cf6395d4bfa5de20cf7427950ca498eaa) Signed-off-by: Nikhil R Signed-off-by: Armin Kuster --- meta-networking/recipes-filter/nftables/nftables_1.0.9.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb b/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb index 77189227425..17f00ffd426 100644 --- a/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb 
+++ b/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb
@@ -35,9 +35,9 @@ EXTRA_OECONF = " \
 SETUPTOOLS_SETUP_PATH = "${S}/py"
-inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'setuptools3', '', d)}
+inherit_defer ${@bb.utils.contains('PACKAGECONFIG', 'python', 'setuptools3', '', d)}
-PACKAGES =+ "${PN}-python"
+PACKAGES =+ "${@bb.utils.contains('PACKAGECONFIG', 'python', '${PN}-python', '', d)}"
 FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}"
 RDEPENDS:${PN}-python = "python3-core python3-json ${PN}"
From bd6854fc05bc47f18cf82e2a66bcbd12f5f81d0a Mon Sep 17 00:00:00 2001
From: Nikhil R
Date: Tue, 24 Sep 2024 19:03:30 +0530
Subject: [PATCH 39/52] nftables: Conditionally add ${PN}-python as RDEPENDS for ptest
This commit updates the RDEPENDS for the ptest package to include ${PN}-python only when the 'python' PACKAGECONFIG option is enabled. This fix is required as ptest is enabled in the Distro features, which was causing the following error: ERROR: Nothing RPROVIDES 'nftables-python' (but /home/builder/src/base/node0/meta-openembedded/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb RDEPENDS on or otherwise requires it) NOTE: Runtime target 'nftables-python' is unbuildable, removing... Missing or unbuildable dependency chain was: ['nftables-python'] ERROR: Required build target 'nftables' has no buildable providers. Missing or unbuildable dependency chain was: ['nftables', 'nftables-python']
Signed-off-by: Nikhil R
Signed-off-by: Armin Kuster
---
 meta-networking/recipes-filter/nftables/nftables_1.0.9.bb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb b/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb
index 17f00ffd426..569ab6f6afc 100644
--- a/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb
+++ b/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb
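Review bot: `inherit_defer` on the new line is, as far as I recall, only understood by BitBake 2.8 and later, so on a stable branch shipping an older BitBake this backport turns the recipe into a parse error rather than a no-op; confirm the target branch's BitBake before merging. The `FILES:${PN}-python` and `RDEPENDS:${PN}-python` assignments right below stay unconditional, which is harmless once the package is dropped from PACKAGES, but a one-line comment such as `# ${PN}-python only exists when PACKAGECONFIG contains 'python'` above them would save the next reader from wondering why they are set for a package that may not exist.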
@@ -64,7 +64,10 @@ do_install() {
 fi
 }
-RDEPENDS:${PN}-ptest += " ${PN}-python bash coreutils make iproute2 iputils-ping procps python3-core python3-ctypes python3-json python3-misc sed util-linux"
+RDEPENDS:${PN}-ptest += " \
+ bash coreutils make iproute2 iputils-ping procps python3-core python3-ctypes python3-json python3-misc sed util-linux \
+ ${@bb.utils.contains('PACKAGECONFIG', 'python', '${PN}-python', '', d)} \
+"
 RRECOMMENDS:${PN}-ptest += "\
 kernel-module-nft-chain-nat kernel-module-nft-queue \
From c56ca0cd69eaff250a8bb421dec6c1d3d962855e Mon Sep 17 00:00:00 2001
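Review bot: The python3-core, python3-ctypes, python3-json and python3-misc entries on the new RDEPENDS:${PN}-ptest line stay unconditional while ${PN}-python becomes conditional, so a ptest image built without the python PACKAGECONFIG still pulls in the interpreter but not the nftables binding; if the ptest scripts import that binding, the failure this commit fixes at build time reappears at test time instead. If those python packages are only needed together with the binding they belong inside the same `bb.utils.contains` guard; if the test runner itself needs python3 regardless, a comment saying so, e.g. `# python3-* are needed by the ptest runner itself, not only by ${PN}-python`, would stop the next reader from moving them.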
From: Yogesh Tyagi Date: Wed, 25 Sep 2024 15:22:24 +0530 Subject: [PATCH 40/52] tbb-native: Fix build with gcc-13 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fixes following stringop-overflow warning with gcc-13: In file included from /usr/include/c++/13/atomic:41, from /poky/build/tmp/work/x86_64-linux/tbb-native/2021.11.0/git/src/tbb/../../include/oneapi/tbb/detail/_utils.h:22, from /poky/build/tmp/work/x86_64-linux/tbb-native/2021.11.0/git/src/tbb/task_dispatcher.h:20, from /poky/build/tmp/work/x86_64-linux/tbb-native/2021.11.0/git/src/tbb/arena.cpp:17: In member function ‘void std::__atomic_base<_IntTp>::store(__int_type, std::memory_order) [with _ITp = bool]’, inlined from ‘void std::atomic::store(bool, std::memory_order)’ at /usr/include/c++/13/atomic:104:20, inlined from ‘void tbb::detail::r1::concurrent_monitor_base::notify_one_relaxed() [with Context = long unsigned int]’ at /poky/build/tmp/work/x86_64-linux/tbb-native/2021.11.0/git/src/tbb/concurrent_monitor.h:293:53: /usr/include/c++/13/bits/atomic_base.h:481:25: error: ‘void __atomic_store_1(volatile void*, unsigned char, int)’ writing 1 byte into a region of size 0 overflows the destination [-Werror=stringop-overflow=] 481 | __atomic_store_n(&_M_i, __i, int(__m)); | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~ compilation terminated due to -Wfatal-errors. cc1plus: all warnings being treated as errors (cherry picked from commit e131071769ee3df51b56b053ba6bfa06ae9eff25) Signed-off-by: Yogesh Tyagi Signed-off-by: Armin Kuster --- ...suppress-new-GCC-12-13-warnings-1192.patch | 57 +++++++++++++++++++ meta-oe/recipes-support/tbb/tbb_2021.11.0.bb | 1 + 2 files changed, 58 insertions(+) create mode 100644 meta-oe/recipes-support/tbb/tbb/0001-Fix-suppress-new-GCC-12-13-warnings-1192.patch 
diff --git a/meta-oe/recipes-support/tbb/tbb/0001-Fix-suppress-new-GCC-12-13-warnings-1192.patch b/meta-oe/recipes-support/tbb/tbb/0001-Fix-suppress-new-GCC-12-13-warnings-1192.patch new file mode 100644 index 00000000000..489f011b84e --- /dev/null +++ b/meta-oe/recipes-support/tbb/tbb/0001-Fix-suppress-new-GCC-12-13-warnings-1192.patch 
@@ -0,0 +1,57 @@ +From e131071769ee3df51b56b053ba6bfa06ae9eff25 Mon Sep 17 00:00:00 2001 +From: Dmitri Mokhov +Date: Mon, 11 Sep 2023 10:35:07 -0500 +Subject: [PATCH] Fix/suppress new GCC 12/13 warnings (#1192) + +Upstream-Status: Backport [https://github.com/oneapi-src/oneTBB/commit/e131071769ee3df51b56b053ba6bfa06ae9eff25] +Signed-off-by: Dmitri Mokhov +--- + .../oneapi/tbb/detail/_concurrent_unordered_base.h | 2 +- + src/tbb/concurrent_monitor.h | 12 +++++++++++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/include/oneapi/tbb/detail/_concurrent_unordered_base.h b/include/oneapi/tbb/detail/_concurrent_unordered_base.h +index ade91c33..40829208 100644 +--- a/include/oneapi/tbb/detail/_concurrent_unordered_base.h ++++ b/include/oneapi/tbb/detail/_concurrent_unordered_base.h +@@ -921,7 +921,7 @@ private: + node_allocator_traits::deallocate(dummy_node_allocator, node, 1); + } else { + // GCC 11.1 issues a warning here that incorrect destructor might be called for dummy_nodes +- #if (__TBB_GCC_VERSION >= 110100 && __TBB_GCC_VERSION < 130000 ) && !__clang__ && !__INTEL_COMPILER ++ #if (__TBB_GCC_VERSION >= 110100 && __TBB_GCC_VERSION < 140000 ) && !__clang__ && !__INTEL_COMPILER + volatile + #endif + value_node_ptr val_node = static_cast(node); +diff --git a/src/tbb/concurrent_monitor.h b/src/tbb/concurrent_monitor.h +index 3d20ef5b..3e5c4beb 100644 +--- a/src/tbb/concurrent_monitor.h ++++ b/src/tbb/concurrent_monitor.h +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 2005-2021 Intel Corporation ++ Copyright (c) 2005-2023 Intel Corporation + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. +@@ -290,7 +290,17 @@ public: + n = my_waitset.front(); + if (n != end) { + my_waitset.remove(*n); ++ ++// GCC 12.x-13.x issues a warning here that to_wait_node(n)->my_is_in_list might have size 0, since n is ++// a base_node pointer. 
(This cannot happen, because only wait_node pointers are added to my_waitset.) ++#if (__TBB_GCC_VERSION >= 120100 && __TBB_GCC_VERSION < 140000 ) && !__clang__ && !__INTEL_COMPILER ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wstringop-overflow" ++#endif + to_wait_node(n)->my_is_in_list.store(false, std::memory_order_relaxed); ++#if (__TBB_GCC_VERSION >= 120100 && __TBB_GCC_VERSION < 140000 ) && !__clang__ && !__INTEL_COMPILER ++#pragma GCC diagnostic pop ++#endif + } + } + +-- +2.43.0 + diff --git a/meta-oe/recipes-support/tbb/tbb_2021.11.0.bb b/meta-oe/recipes-support/tbb/tbb_2021.11.0.bb index f834726bd6c..318cd876438 100644 --- a/meta-oe/recipes-support/tbb/tbb_2021.11.0.bb +++ b/meta-oe/recipes-support/tbb/tbb_2021.11.0.bb @@ -16,6 +16,7 @@ BRANCH = "onetbb_2021" SRCREV = "8b829acc65569019edb896c5150d427f288e8aba" SRC_URI = "git://github.com/oneapi-src/oneTBB.git;protocol=https;branch=${BRANCH} \ file://0001-hwloc_detection.cmake-remove-cross-compiation-check.patch \ + file://0001-Fix-suppress-new-GCC-12-13-warnings-1192.patch \ " S = "${WORKDIR}/git" From 3309a9d4dde1b8cbab60322ec24e121330e23cea Mon Sep 17 00:00:00 2001 From: Raghuvarya S Date: Tue, 24 Sep 2024 12:02:28 +0530 Subject: [PATCH 41/52] android-tools-adbd.service: Update ConditionPathExists to /etc To ensure android-tools-adbd.service starts at boot, the path for ConditionPathExists must be present at build time. /etc is more suitable for build-time files than /var, which is for runtime files. Changed ConditionPathExists from /var/usb-debugging-enabled to /etc/usb-debugging-enabled Backport-of: 8106cfe769aa ("android-tools-adbd.service: Change /var to /etc in ConditionPathExists") CC: Khem Raj CC: Dmitry Baryshkov Signed-off-by: Raghuvarya S Acked-by: Dmitry Baryshkov Signed-off-by: Armin Kuster --- .../android-tools/android-tools/android-tools-adbd.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/meta-oe/recipes-devtools/android-tools/android-tools/android-tools-adbd.service b/meta-oe/recipes-devtools/android-tools/android-tools/android-tools-adbd.service
index ddf8d7f74e3..b6661f2e39b 100644
--- a/meta-oe/recipes-devtools/android-tools/android-tools/android-tools-adbd.service
+++ b/meta-oe/recipes-devtools/android-tools/android-tools/android-tools-adbd.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Android Debug Bridge
-ConditionPathExists=/var/usb-debugging-enabled
+ConditionPathExists=/etc/usb-debugging-enabled
 Before=android-system.service
 [Service]
From ebad6c98e2bde6ed770b4ae9dd074f760b917be4 Mon Sep 17 00:00:00 2001
From: Raghuvarya S
Date: Tue, 24 Sep 2024 12:02:30 +0530
Subject: [PATCH 42/52] android-toold-adbd: Fix inconsistency between selinux configurations
ConditionPathExists is set to /etc/usb-debugging-enabled as part of meta-oe/recipes-devtools/android-tools/android-tools/android-tools- -adbd.service file. However, in meta-oe/dynamic-layers/selinux/ recipes-devtool/android-tools/android-tools/android-tools-adbd.service file ConditionPathExists is set to /var/usb-debugging-enabled This causes an internal inconsistency between selinux-enabled and selinux-disabled configurations.
Backport-of: a29c6386d576 ("android-toold-adbd: Fix inconsistency between selinux configurations")
Reported-by: Dmitry Baryshkov
Signed-off-by: Raghuvarya S
Acked-by: Dmitry Baryshkov
Signed-off-by: Armin Kuster
---
 .../android-tools/android-tools/android-tools-adbd.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools/android-tools-adbd.service b/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools/android-tools-adbd.service
index ddf8d7f74e3..b6661f2e39b 100644
--- a/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools/android-tools-adbd.service
+++ b/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools/android-tools-adbd.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Android Debug Bridge
-ConditionPathExists=/var/usb-debugging-enabled
+ConditionPathExists=/etc/usb-debugging-enabled
 Before=android-system.service
 [Service]
From 145ae5af9ef45f566f07751a2c2ea6c224e71a24 Mon Sep 17 00:00:00 2001
From: Dmitry Baryshkov
Date: Tue, 24 Sep 2024 12:02:32 +0530
Subject: [PATCH 43/52] android-tools: Create flag file /etc/usb-debugging-enabled
Location of the file that systemd uses to check whether to start adbd or not has been updated from /var to /etc in android-tools-adbd.service. This change changes the path of creation of usb-debugging-enabled flag file in android-tools recipes from /var/usb-debugging-enabled to /etc/usb-debugging-enabled
Backport-of: 2a3d4be9994e ("android-tools: create flag flag file for adbd at a proper location")
Fixes: a29c6386d576 ("android-toold-adbd: Fix inconsistency between selinux configurations")
Fixes: 8106cfe769aa ("android-tools-adbd.service: Change /var to /etc in ConditionPathExists")
Signed-off-by: Dmitry Baryshkov
Signed-off-by: Raghuvarya S
Acked-by: Dmitry Baryshkov
Signed-off-by: Armin Kuster
---
 .../recipes-devtool/android-tools/android-tools_29.0.6.r14.bb | 2 +-
 .../recipes-devtools/android-tools/android-tools_5.1.1.r37.bb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools_29.0.6.r14.bb b/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools_29.0.6.r14.bb
index fbad5e13689..e9b0c97e961 100644
--- a/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools_29.0.6.r14.bb
+++ b/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools_29.0.6.r14.bb
@@ -188,7 +188,7 @@ FILES:${PN} += "${libdir}/android ${libdir}/android/*"
 BBCLASSEXTEND = "native"
 android_tools_enable_devmode() {
- touch ${IMAGE_ROOTFS}/var/usb-debugging-enabled
+ touch ${IMAGE_ROOTFS}/etc/usb-debugging-enabled
 }
 ROOTFS_POSTPROCESS_COMMAND_${PN}-adbd += "${@bb.utils.contains("USB_DEBUGGING_ENABLED", "1", "android_tools_enable_devmode;", "", d)}"
diff --git a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb
index 1c66ea4997d..9f02d703ba9 100644
--- a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb
+++ b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb
@@ -189,7 +189,7 @@ FILES:${PN}-fstools = "\
 BBCLASSEXTEND = "native"
 android_tools_enable_devmode() {
- touch ${IMAGE_ROOTFS}/var/usb-debugging-enabled
+ touch ${IMAGE_ROOTFS}/etc/usb-debugging-enabled
 }
 ROOTFS_POSTPROCESS_COMMAND_${PN}-adbd += "${@bb.utils.contains("USB_DEBUGGING_ENABLED", "1", "android_tools_enable_devmode;", "", d)}"
From 08efaa896d3a52b1a5b9ad4bd00916e50bee46c8 Mon Sep 17 00:00:00 2001
From: Armin Kuster
Date: Sun, 6 Oct 2024 07:17:47 -0400
Subject: [PATCH 44/52] Revert "mariadb: fix runtime failure on riscv"
This reverts commit e5c0a0be96eb549858a987b353263c877eae275e. pkg being updated
Signed-off-by: Armin Kuster
---
 meta-oe/recipes-dbs/mysql/mariadb.inc | 1 -
 ...RISC-V-use-RDTIME-instead-of-RDCYCLE.patch | 66 -------------------
 2 files changed, 67 deletions(-)
 delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-RISC-V-use-RDTIME-instead-of-RDCYCLE.patch
diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index 124a49ff960..33da32fb286 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
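Review bot: Both hunks in this commit (this one and the identical one in android-tools_5.1.1.r37.bb) change the `touch` path inside android_tools_enable_devmode(), but the line meant to run that function, `ROOTFS_POSTPROCESS_COMMAND_${PN}-adbd += ...`, still uses the pre-Honister underscore override form while `FILES:${PN}` in the same hunk header already uses the colon form; under current BitBake that `_` is just part of a variable name, so as far as I can tell the function is never invoked and USB_DEBUGGING_ENABLED has no effect whichever path is touched (a package recipe also cannot normally append to an image's ROOTFS_POSTPROCESS_COMMAND from its own datastore, a second reason to doubt it). Worth checking on an image built with USB_DEBUGGING_ENABLED = "1" whether /etc/usb-debugging-enabled actually appears; if it does not, this path change is unreachable and the gating mechanism needs a separate fix, which matters because that file is what decides whether adbd starts. Independently, a comment above the function, `# Path must match ConditionPathExists= in android-tools-adbd.service (both the selinux and non-selinux copies)`, would document the coupling that the two preceding commits show drifting.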
@@ -25,7 +25,6 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
 file://0001-Add-missing-includes-cstdint-and-cstdio.patch \
 file://0001-Remove-the-compile_time_assert-lines.patch \
 file://0001-MDEV-33439-Fix-build-with-libxml2-2.12.patch \
- file://0001-RISC-V-use-RDTIME-instead-of-RDCYCLE.patch \
 "
 SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
 SRC_URI[sha256sum] = "5239a245ed90517e96396605cd01ccd8f73cd7442d1b3076b6ffe258110e5157"
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-RISC-V-use-RDTIME-instead-of-RDCYCLE.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-RISC-V-use-RDTIME-instead-of-RDCYCLE.patch
deleted file mode 100644
index 25a2c399cc9..00000000000
--- a/meta-oe/recipes-dbs/mysql/mariadb/0001-RISC-V-use-RDTIME-instead-of-RDCYCLE.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From 342f0dd9b4f9fc49dcb589cd98933ea330de55d8 Mon Sep 17 00:00:00 2001 -From: Aurelien Jarno -Date: Thu, 4 Jan 2024 11:30:34 +0100 -Subject: [PATCH] RISC-V: use RDTIME instead of RDCYCLE - -Starting with Linux 6.6 [1], RDCYCLE is a privileged instruction on -RISC-V and can't be used directly from userland. There is a sysctl -option to change that as a transition period, but it will eventually -disappear. - -Use RDTIME instead, which while less accurate has the advantage of being -synchronized between CPU (and thus monotonic) and of constant frequency. - -[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cc4c07c89aada16229084eeb93895c95b7eabaa3 - -Upstream-Status: Backport [https://github.com/MariaDB/server/commit/656f8867720efc1b4dd0969319f35a3e1a2a005e] -Signed-off-by: Changqing Li ---- - include/my_rdtsc.h | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/include/my_rdtsc.h b/include/my_rdtsc.h -index 8b9b0046bc0..21e44847d9a 100644 ---- a/include/my_rdtsc.h -+++ b/include/my_rdtsc.h -@@ -111,7 +111,7 @@ C_MODE_START - On AARCH64, we use the generic timer base register. We override clang - implementation for aarch64 as it access a PMU register which is not - guaranteed to be active. -- On RISC-V, we use the rdcycle instruction to read from mcycle register. -+ On RISC-V, we use the rdtime instruction to read from mtime register. - - Sadly, we have nothing for the Digital Alpha, MIPS, Motorola m68k, - HP PA-RISC or other non-mainstream (or obsolete) processors. -@@ -211,15 +211,15 @@ static inline ulonglong my_timer_cycles(void) - } - #elif defined(__riscv) - #define MY_TIMER_ROUTINE_CYCLES MY_TIMER_ROUTINE_RISCV -- /* Use RDCYCLE (and RDCYCLEH on riscv32) */ -+ /* Use RDTIME (and RDTIMEH on riscv32) */ - { - # if __riscv_xlen == 32 - ulong result_lo, result_hi0, result_hi1; - /* Implemented in assembly because Clang insisted on branching. 
*/ - __asm __volatile__( -- "rdcycleh %0\n" -- "rdcycle %1\n" -- "rdcycleh %2\n" -+ "rdtimeh %0\n" -+ "rdtime %1\n" -+ "rdtimeh %2\n" - "sub %0, %0, %2\n" - "seqz %0, %0\n" - "sub %0, zero, %0\n" -@@ -228,7 +228,7 @@ static inline ulonglong my_timer_cycles(void) - return (static_cast(result_hi1) << 32) | result_lo; - # else - ulonglong result; -- __asm __volatile__("rdcycle %0" : "=r"(result)); -+ __asm __volatile__("rdtime %0" : "=r"(result)); - return result; - } - # endif --- -2.25.1 - From 50fc72e99f142483cf4347d6594f506007e5f62d Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Wed, 25 Sep 2024 06:55:03 +0000 Subject: [PATCH 45/52] mariadb: Upgrade to 10.11.9 release Drop upstreamed patches Fixes build with fmt11 Signed-off-by: Khem Raj Signed-off-by: Yogita Urade Signed-off-by: Armin Kuster --- ...e_10.11.7.bb => mariadb-native_10.11.9.bb} | 0 meta-oe/recipes-dbs/mysql/mariadb.inc | 4 +- ...EV-33439-Fix-build-with-libxml2-2.12.patch | 170 ------------------ ...Remove-the-compile_time_assert-lines.patch | 43 ----- ...{mariadb_10.11.7.bb => mariadb_10.11.9.bb} | 0 5 files changed, 1 insertion(+), 216 deletions(-) rename meta-oe/recipes-dbs/mysql/{mariadb-native_10.11.7.bb => mariadb-native_10.11.9.bb} (100%) delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-33439-Fix-build-with-libxml2-2.12.patch delete mode 100644 meta-oe/recipes-dbs/mysql/mariadb/0001-Remove-the-compile_time_assert-lines.patch rename meta-oe/recipes-dbs/mysql/{mariadb_10.11.7.bb => mariadb_10.11.9.bb} (100%) diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.11.7.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.11.9.bb similarity index 100% rename from meta-oe/recipes-dbs/mysql/mariadb-native_10.11.7.bb rename to meta-oe/recipes-dbs/mysql/mariadb-native_10.11.9.bb diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc index 33da32fb286..f52947f3597 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb.inc +++ b/meta-oe/recipes-dbs/mysql/mariadb.inc 
@@ -23,11 +23,9 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
 file://0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \
 file://lfs64.patch \
 file://0001-Add-missing-includes-cstdint-and-cstdio.patch \
- file://0001-Remove-the-compile_time_assert-lines.patch \
- file://0001-MDEV-33439-Fix-build-with-libxml2-2.12.patch \
 "
 SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
-SRC_URI[sha256sum] = "5239a245ed90517e96396605cd01ccd8f73cd7442d1b3076b6ffe258110e5157"
+SRC_URI[sha256sum] = "0a00180864cd016187c986faab8010de23a117b9a75f91d6456421f894e48d20"
 UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases"
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-33439-Fix-build-with-libxml2-2.12.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-33439-Fix-build-with-libxml2-2.12.patch
deleted file mode 100644
index 3e42535dade..00000000000
--- a/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-33439-Fix-build-with-libxml2-2.12.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -From dae52f5916ef59434c93f0b716270f59dd0c3a94 Mon Sep 17 00:00:00 2001 -From: Jan Tojnar -Date: Sun, 7 Jan 2024 10:19:54 +0100 -Subject: [PATCH] MDEV-33439 Fix build with libxml2 2.12 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -libxml2 2.12.0 made `xmlGetLastError()` return `const` pointer: - -https://gitlab.gnome.org/GNOME/libxml2/-/commit/61034116d0a3c8b295c6137956adc3ae55720711 - -Clang 16 does not like this: - - error: assigning to 'xmlErrorPtr' (aka '_xmlError *') from 'const xmlError *' (aka 'const _xmlError *') discards qualifiers - error: cannot initialize a variable of type 'xmlErrorPtr' (aka '_xmlError *') with an rvalue of type 'const xmlError *' (aka 'const _xmlError *') - -Let’s update the variables to `const`. -For older versions, it will be automatically converted. - -But then `xmlResetError(xmlError*)` will not like the `const` pointer: - - error: no matching function for call to 'xmlResetError' - note: candidate function not viable: 1st argument ('const xmlError *' (aka 'const _xmlError *')) would lose const qualifier - -Let’s replace it with `xmlResetLastError()`. - -ALso remove `LIBXMLDOC::Xerr` protected member property. -It was introduced in 65b0e5455b547a3d574fa77b34cce23ae3bea0a0 -along with the `xmlResetError` calls. -It does not appear to be used for anything. 
- -Upstream-Status: Backport [https://github.com/MariaDB/server/pull/2983] -Signed-off-by: Khem Raj ---- - storage/connect/libdoc.cpp | 39 +++++++++++++++++++------------------- - 1 file changed, 19 insertions(+), 20 deletions(-) - -diff --git a/storage/connect/libdoc.cpp b/storage/connect/libdoc.cpp -index 67f22ce2..ab588dd4 100644 ---- a/storage/connect/libdoc.cpp -+++ b/storage/connect/libdoc.cpp -@@ -93,7 +93,6 @@ class LIBXMLDOC : public XMLDOCUMENT { - xmlXPathContextPtr Ctxp; - xmlXPathObjectPtr Xop; - xmlXPathObjectPtr NlXop; -- xmlErrorPtr Xerr; - char *Buf; // Temporary - bool Nofreelist; - }; // end of class LIBXMLDOC -@@ -327,7 +326,6 @@ LIBXMLDOC::LIBXMLDOC(char *nsl, char *nsdf, char *enc, PFBLOCK fp) - Ctxp = NULL; - Xop = NULL; - NlXop = NULL; -- Xerr = NULL; - Buf = NULL; - Nofreelist = false; - } // end of LIBXMLDOC constructor -@@ -365,8 +363,8 @@ bool LIBXMLDOC::ParseFile(PGLOBAL g, char *fn) - Encoding = (char*)Docp->encoding; - - return false; -- } else if ((Xerr = xmlGetLastError())) -- xmlResetError(Xerr); -+ } else if (xmlGetLastError()) -+ xmlResetLastError(); - - return true; - } // end of ParseFile -@@ -505,9 +503,9 @@ int LIBXMLDOC::DumpDoc(PGLOBAL g, char *ofn) - #if 1 - // This function does not crash ( - if (xmlSaveFormatFileEnc((const char *)ofn, Docp, Encoding, 0) < 0) { -- xmlErrorPtr err = xmlGetLastError(); -+ const xmlError *err = xmlGetLastError(); - strcpy(g->Message, (err) ? 
err->message : "Error saving XML doc"); -- xmlResetError(Xerr); -+ xmlResetLastError(); - rc = -1; - } // endif Save - // rc = xmlDocDump(of, Docp); -@@ -546,8 +544,8 @@ void LIBXMLDOC::CloseDoc(PGLOBAL g, PFBLOCK xp) - if (Nlist) { - xmlXPathFreeNodeSet(Nlist); - -- if ((Xerr = xmlGetLastError())) -- xmlResetError(Xerr); -+ if (xmlGetLastError()) -+ xmlResetLastError(); - - Nlist = NULL; - } // endif Nlist -@@ -555,8 +553,8 @@ void LIBXMLDOC::CloseDoc(PGLOBAL g, PFBLOCK xp) - if (Xop) { - xmlXPathFreeObject(Xop); - -- if ((Xerr = xmlGetLastError())) -- xmlResetError(Xerr); -+ if (xmlGetLastError()) -+ xmlResetLastError(); - - Xop = NULL; - } // endif Xop -@@ -564,8 +562,8 @@ void LIBXMLDOC::CloseDoc(PGLOBAL g, PFBLOCK xp) - if (NlXop) { - xmlXPathFreeObject(NlXop); - -- if ((Xerr = xmlGetLastError())) -- xmlResetError(Xerr); -+ if (xmlGetLastError()) -+ xmlResetLastError(); - - NlXop = NULL; - } // endif NlXop -@@ -573,8 +571,8 @@ void LIBXMLDOC::CloseDoc(PGLOBAL g, PFBLOCK xp) - if (Ctxp) { - xmlXPathFreeContext(Ctxp); - -- if ((Xerr = xmlGetLastError())) -- xmlResetError(Xerr); -+ if (xmlGetLastError()) -+ xmlResetLastError(); - - Ctxp = NULL; - } // endif Ctxp -@@ -590,6 +588,7 @@ void LIBXMLDOC::CloseDoc(PGLOBAL g, PFBLOCK xp) - /******************************************************************/ - xmlNodeSetPtr LIBXMLDOC::GetNodeList(PGLOBAL g, xmlNodePtr np, char *xp) - { -+ const xmlError *xerr; - xmlNodeSetPtr nl; - - if (trace(1)) -@@ -649,11 +648,11 @@ xmlNodeSetPtr LIBXMLDOC::GetNodeList(PGLOBAL g, xmlNodePtr np, char *xp) - } else - xmlXPathFreeObject(Xop); // Caused node not found - -- if ((Xerr = xmlGetLastError())) { -- strcpy(g->Message, Xerr->message); -- xmlResetError(Xerr); -+ if ((xerr = xmlGetLastError())) { -+ strcpy(g->Message, xerr->message); -+ xmlResetLastError(); - return NULL; -- } // endif Xerr -+ } // endif xerr - - } // endif Xop - -@@ -1079,7 +1078,7 @@ void XML2NODE::AddText(PGLOBAL g, PCSZ txtp) - 
/******************************************************************/ - void XML2NODE::DeleteChild(PGLOBAL g, PXNODE dnp) - { -- xmlErrorPtr xerr; -+ const xmlError *xerr; - - if (trace(1)) - htrc("DeleteChild: node=%p\n", dnp); -@@ -1122,7 +1121,7 @@ void XML2NODE::DeleteChild(PGLOBAL g, PXNODE dnp) - if (trace(1)) - htrc("DeleteChild: errmsg=%-.256s\n", xerr->message); - -- xmlResetError(xerr); -+ xmlResetLastError(); - } // end of DeleteChild - - /* -------------------- class XML2NODELIST ---------------------- */ --- -2.44.0 - diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-Remove-the-compile_time_assert-lines.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-Remove-the-compile_time_assert-lines.patch deleted file mode 100644 index 9a6e28297b7..00000000000 --- a/meta-oe/recipes-dbs/mysql/mariadb/0001-Remove-the-compile_time_assert-lines.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From cc5f1d0759b367265a1a000287e2ec15c31eb518 Mon Sep 17 00:00:00 2001 -From: Mingli Yu -Date: Mon, 26 Feb 2024 14:56:02 +0800 -Subject: [PATCH] Remove the compile_time_assert lines - -Remove the problematic compile_time_assert lines to fix the below build -failure on 32-bit arm. - In file included from TOPDIR/build/tmp/work/cortexa15t2hf-neon-yoe-linux-gnueabi/mariadb/10.11.7/mariadb-10.11.7/tests/mysql_client_test.c:38: - TOPDIR/build/tmp/work/cortexa15t2hf-neon-yoe-linux-gnueabi/mariadb/10.11.7/mariadb-10.11.7/tests/mysql_client_fw.c:1438:3: error: 'compile_time_assert' declared as an array with a negative size - 1438 | compile_time_assert(sizeof(MYSQL) == 77*sizeof(void*)+656); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Upstream-Status: Inappropriate [Upstream will bring the asset back - in a new way [1]] -[1] https://jira.mariadb.org/browse/MDEV-33429 - -Signed-off-by: Mingli Yu ---- - tests/mysql_client_fw.c | 8 -------- - 1 file changed, 8 deletions(-) - -diff --git a/tests/mysql_client_fw.c b/tests/mysql_client_fw.c -index c9e64678..5c0c7ce2 100644 ---- a/tests/mysql_client_fw.c -+++ b/tests/mysql_client_fw.c -@@ -1430,14 +1430,6 @@ int main(int argc, char **argv) - tests_to_run[i]= NULL; - } - --#ifdef _WIN32 -- /* must be the same in C/C and embedded, 1208 on 64bit, 968 on 32bit */ -- compile_time_assert(sizeof(MYSQL) == 60*sizeof(void*)+728); --#else -- /* must be the same in C/C and embedded, 1272 on 64bit, 964 on 32bit */ -- compile_time_assert(sizeof(MYSQL) == 77*sizeof(void*)+656); --#endif -- - if (mysql_server_init(embedded_server_arg_count, - embedded_server_args, - (char**) embedded_server_groups)) --- -2.25.1 - diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.11.7.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.11.9.bb similarity index 100% rename from meta-oe/recipes-dbs/mysql/mariadb_10.11.7.bb rename to meta-oe/recipes-dbs/mysql/mariadb_10.11.9.bb 
From 62b7dc247bdfd908abd6bbfc1c79a45358fb8e54 Mon Sep 17 00:00:00 2001
From: Trevor Woerner
Date: Thu, 26 Sep 2024 18:45:23 -0400
Subject: [PATCH 46/52] apache2: use update-alternatives for httpd

Busybox can optionally provide an httpd server, but by default The Yocto Project defconfig for busybox does not enable it. If it is enabled, busybox puts the resulting /usr/sbin/httpd object under the control of update-alternatives. apache2, on the other hand, does not put /usr/sbin/httpd under the control of update-alternatives. Therefore, in the off chance a user enables the busybox httpd server, it does not play well with apache2. Add update-alternatives information to apache2 so that it plays nicely with busybox which can optionally provide an httpd server at /usr/sbin/httpd.

Signed-off-by: Trevor Woerner
Signed-off-by: Armin Kuster
---
 meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
index dc6a1530bae..66a017a864e 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
@@ -175,6 +175,9 @@ INITSCRIPT_PARAMS = "defaults 91 20"
 SYSTEMD_SERVICE:${PN} = "apache2.service"
 SYSTEMD_AUTO_ENABLE:${PN} = "enable"
+ALTERNATIVE:${PN} = "httpd"
+ALTERNATIVE_LINK_NAME[httpd] = "${sbindir}/httpd"
+ALTERNATIVE_PRIORITY[httpd] = "60"
 ALTERNATIVE:${PN}-doc = "htpasswd.1"
 ALTERNATIVE_LINK_NAME[htpasswd.1] = "${mandir}/man1/htpasswd.1"

From b2dc7d2aae9796edce300540b944774399df6ac3 Mon Sep 17 00:00:00 2001
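Review bot: `ALTERNATIVE_PRIORITY[httpd] = "60"` carries no rationale, and the number only means something relative to the busybox alternative the commit message says it must coexist with; a comment above it such as `# Must outrank busybox's httpd alternative so apache2 is selected when both are installed` records the constraint that a future priority change would otherwise break silently. Separately, once `${sbindir}/httpd` is an alternatives link the real binary is renamed and the link follows whichever provider has the highest priority, so if `apache2.service` (registered via `SYSTEMD_SERVICE:${PN}` two lines up) or the init script execs `${sbindir}/httpd` rather than the apache2-specific target, a higher-priority busybox entry would make the apache2 unit launch a different server with different hardening and config; worth confirming which path the unit and init script use, since neither is visible in this hunk.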
From: Peter Marko
Date: Sun, 29 Sep 2024 14:58:34 +0200
Subject: [PATCH 47/52] hostapd: Patch CVE-2024-3596

Picked patches according to http://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt First patch is style commit picked to have a clean cherry-pick of all mentioned commits without any conflict. Patch CVE-2024-3596_03.patch was removed as it only patched wpa_supplicant. The patch names were not changed so it is comparable with wpa_supplicant recipe.

Signed-off-by: Peter Marko
Signed-off-by: Armin Kuster
---
 .../hostapd/hostapd/CVE-2024-3596_00.patch | 82 +++++++++
 .../hostapd/hostapd/CVE-2024-3596_01.patch | 165 ++++++++++++++++++
 .../hostapd/hostapd/CVE-2024-3596_02.patch | 62 +++++++
 .../hostapd/hostapd/CVE-2024-3596_04.patch | 52 ++++++
 .../hostapd/hostapd/CVE-2024-3596_05.patch | 51 ++++++
 .../hostapd/hostapd/CVE-2024-3596_06.patch | 46 +++++
 .../hostapd/hostapd/CVE-2024-3596_07.patch | 105 +++++++++++
 .../hostapd/hostapd/CVE-2024-3596_08.patch | 47 +++++
 .../hostapd/hostapd_2.10.bb | 8 +
 9 files changed, 618 insertions(+)
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_00.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_01.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_02.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_04.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_05.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_06.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_07.patch
 create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_08.patch

diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_00.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_00.patch
new file mode 100644
index 00000000000..7a8197d2b4e
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_00.patch 
@@ -0,0 +1,82 @@ +From 945acf3ef06a6c312927da4fa055693dbac432d1 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 2 Apr 2022 16:28:12 +0300 +Subject: [PATCH 1/9] ieee802_11_auth: Coding style cleanup - no string + constant splitting + +Signed-off-by: Jouni Malinen + +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=945acf3ef06a6c312927da4fa055693dbac432d1] +Signed-off-by: Peter Marko +--- + src/ap/ieee802_11_auth.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c +index 783ee6dea..47cc625be 100644 +--- a/src/ap/ieee802_11_auth.c ++++ b/src/ap/ieee802_11_auth.c +@@ -267,16 +267,16 @@ int hostapd_allowed_address(struct hostapd_data *hapd, const u8 *addr, + os_get_reltime(&query->timestamp); + os_memcpy(query->addr, addr, ETH_ALEN); + if (hostapd_radius_acl_query(hapd, addr, query)) { +- wpa_printf(MSG_DEBUG, "Failed to send Access-Request " +- "for ACL query."); ++ wpa_printf(MSG_DEBUG, ++ "Failed to send Access-Request for ACL query."); + hostapd_acl_query_free(query); + return HOSTAPD_ACL_REJECT; + } + + query->auth_msg = os_memdup(msg, len); + if (query->auth_msg == NULL) { +- wpa_printf(MSG_ERROR, "Failed to allocate memory for " +- "auth frame."); ++ wpa_printf(MSG_ERROR, ++ "Failed to allocate memory for auth frame."); + hostapd_acl_query_free(query); + return HOSTAPD_ACL_REJECT; + } +@@ -467,19 +467,21 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, + if (query == NULL) + return RADIUS_RX_UNKNOWN; + +- wpa_printf(MSG_DEBUG, "Found matching Access-Request for RADIUS " +- "message (id=%d)", query->radius_id); ++ wpa_printf(MSG_DEBUG, ++ "Found matching Access-Request for RADIUS message (id=%d)", ++ query->radius_id); + + if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) { +- wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have " +- "correct authenticator - dropped\n"); ++ 
wpa_printf(MSG_INFO, ++ "Incoming RADIUS packet did not have correct authenticator - dropped"); + return RADIUS_RX_INVALID_AUTHENTICATOR; + } + + if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && + hdr->code != RADIUS_CODE_ACCESS_REJECT) { +- wpa_printf(MSG_DEBUG, "Unknown RADIUS message code %d to ACL " +- "query", hdr->code); ++ wpa_printf(MSG_DEBUG, ++ "Unknown RADIUS message code %d to ACL query", ++ hdr->code); + return RADIUS_RX_UNKNOWN; + } + +@@ -506,8 +508,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, + msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, + &info->acct_interim_interval) == 0 && + info->acct_interim_interval < 60) { +- wpa_printf(MSG_DEBUG, "Ignored too small " +- "Acct-Interim-Interval %d for STA " MACSTR, ++ wpa_printf(MSG_DEBUG, ++ "Ignored too small Acct-Interim-Interval %d for STA " ++ MACSTR, + info->acct_interim_interval, + MAC2STR(query->addr)); + info->acct_interim_interval = 0; +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_01.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_01.patch new file mode 100644 index 00000000000..dab2eedd6a9 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_01.patch 
@@ -0,0 +1,165 @@ +From adac846bd0e258a0aa50750bbd2b411fa0085c46 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 16 Mar 2024 11:11:44 +0200 +Subject: [PATCH 2/9] RADIUS: Allow Message-Authenticator attribute as the + first attribute + +If a Message-Authenticator attribute was already added to a RADIUS +message, use that attribute instead of adding a new one when finishing +message building. This allows the Message-Authenticator attribute to be +placed as the first attribute in the message. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46] +Signed-off-by: Peter Marko +--- + src/radius/radius.c | 85 ++++++++++++++++++++++++++++----------------- + src/radius/radius.h | 1 + + 2 files changed, 54 insertions(+), 32 deletions(-) + +diff --git a/src/radius/radius.c b/src/radius/radius.c +index be16e27b9..2d2e00b5c 100644 +--- a/src/radius/radius.c ++++ b/src/radius/radius.c +@@ -364,25 +364,54 @@ void radius_msg_dump(struct radius_msg *msg) + } + + ++u8 * radius_msg_add_msg_auth(struct radius_msg *msg) ++{ ++ u8 auth[MD5_MAC_LEN]; ++ struct radius_attr_hdr *attr; ++ ++ os_memset(auth, 0, MD5_MAC_LEN); ++ attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, ++ auth, MD5_MAC_LEN); ++ if (!attr) { ++ wpa_printf(MSG_ERROR, ++ "WARNING: Could not add Message-Authenticator"); ++ return NULL; ++ } ++ ++ return (u8 *) (attr + 1); ++} ++ ++ ++static u8 * radius_msg_auth_pos(struct radius_msg *msg) ++{ ++ u8 *pos; ++ size_t alen; ++ ++ if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, ++ &pos, &alen, NULL) == 0 && ++ alen == MD5_MAC_LEN) { ++ /* Use already added Message-Authenticator attribute */ ++ return pos; ++ } ++ ++ /* Add a Message-Authenticator attribute */ ++ return radius_msg_add_msg_auth(msg); ++} ++ ++ + int radius_msg_finish(struct radius_msg *msg, const u8 *secret, + size_t secret_len) + { + if (secret) { +- u8 
auth[MD5_MAC_LEN]; +- struct radius_attr_hdr *attr; ++ u8 *pos; + +- os_memset(auth, 0, MD5_MAC_LEN); +- attr = radius_msg_add_attr(msg, +- RADIUS_ATTR_MESSAGE_AUTHENTICATOR, +- auth, MD5_MAC_LEN); +- if (attr == NULL) { +- wpa_printf(MSG_WARNING, "RADIUS: Could not add " +- "Message-Authenticator"); ++ pos = radius_msg_auth_pos(msg); ++ if (!pos) + return -1; +- } + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); +- hmac_md5(secret, secret_len, wpabuf_head(msg->buf), +- wpabuf_len(msg->buf), (u8 *) (attr + 1)); ++ if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf), ++ wpabuf_len(msg->buf), pos) < 0) ++ return -1; + } else + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); + +@@ -398,23 +427,19 @@ int radius_msg_finish(struct radius_msg *msg, const u8 *secret, + int radius_msg_finish_srv(struct radius_msg *msg, const u8 *secret, + size_t secret_len, const u8 *req_authenticator) + { +- u8 auth[MD5_MAC_LEN]; +- struct radius_attr_hdr *attr; + const u8 *addr[4]; + size_t len[4]; ++ u8 *pos; + +- os_memset(auth, 0, MD5_MAC_LEN); +- attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, +- auth, MD5_MAC_LEN); +- if (attr == NULL) { +- wpa_printf(MSG_ERROR, "WARNING: Could not add Message-Authenticator"); ++ pos = radius_msg_auth_pos(msg); ++ if (!pos) + return -1; +- } + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); + os_memcpy(msg->hdr->authenticator, req_authenticator, + sizeof(msg->hdr->authenticator)); +- hmac_md5(secret, secret_len, wpabuf_head(msg->buf), +- wpabuf_len(msg->buf), (u8 *) (attr + 1)); ++ if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf), ++ wpabuf_len(msg->buf), pos) < 0) ++ return -1; + + /* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */ + addr[0] = (u8 *) msg->hdr; +@@ -442,21 +467,17 @@ int radius_msg_finish_das_resp(struct radius_msg *msg, const u8 *secret, + { + const u8 *addr[2]; + size_t len[2]; +- u8 auth[MD5_MAC_LEN]; +- struct radius_attr_hdr *attr; ++ u8 *pos; + +- 
os_memset(auth, 0, MD5_MAC_LEN); +- attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, +- auth, MD5_MAC_LEN); +- if (attr == NULL) { +- wpa_printf(MSG_WARNING, "Could not add Message-Authenticator"); ++ pos = radius_msg_auth_pos(msg); ++ if (!pos) + return -1; +- } + + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); + os_memcpy(msg->hdr->authenticator, req_hdr->authenticator, 16); +- hmac_md5(secret, secret_len, wpabuf_head(msg->buf), +- wpabuf_len(msg->buf), (u8 *) (attr + 1)); ++ if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf), ++ wpabuf_len(msg->buf), pos) < 0) ++ return -1; + + /* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */ + addr[0] = wpabuf_head_u8(msg->buf); +diff --git a/src/radius/radius.h b/src/radius/radius.h +index fb8148180..6b9dfbca2 100644 +--- a/src/radius/radius.h ++++ b/src/radius/radius.h +@@ -240,6 +240,7 @@ struct wpabuf * radius_msg_get_buf(struct radius_msg *msg); + struct radius_msg * radius_msg_new(u8 code, u8 identifier); + void radius_msg_free(struct radius_msg *msg); + void radius_msg_dump(struct radius_msg *msg); ++u8 * radius_msg_add_msg_auth(struct radius_msg *msg); + int radius_msg_finish(struct radius_msg *msg, const u8 *secret, + size_t secret_len); + int radius_msg_finish_srv(struct radius_msg *msg, const u8 *secret, +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_02.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_02.patch new file mode 100644 index 00000000000..02e35bd6de5 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_02.patch 
@@ -0,0 +1,62 @@ +From 54abb0d3cf35894e7d86e3f7555e95b106306803 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 16 Mar 2024 11:13:32 +0200 +Subject: [PATCH 3/9] RADIUS server: Place Message-Authenticator attribute as + the first one + +Move the Message-Authenticator attribute to be the first attribute in +the RADIUS messages. This mitigates certain MD5 attacks against +RADIUS/UDP. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=54abb0d3cf35894e7d86e3f7555e95b106306803] +Signed-off-by: Peter Marko +--- + src/radius/radius_server.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c +index e02c21540..fa3691548 100644 +--- a/src/radius/radius_server.c ++++ b/src/radius/radius_server.c +@@ -920,6 +920,11 @@ radius_server_encapsulate_eap(struct radius_server_data *data, + return NULL; + } + ++ if (!radius_msg_add_msg_auth(msg)) { ++ radius_msg_free(msg); ++ return NULL; ++ } ++ + sess_id = htonl(sess->sess_id); + if (code == RADIUS_CODE_ACCESS_CHALLENGE && + !radius_msg_add_attr(msg, RADIUS_ATTR_STATE, +@@ -1204,6 +1209,11 @@ radius_server_macacl(struct radius_server_data *data, + return NULL; + } + ++ if (!radius_msg_add_msg_auth(msg)) { ++ radius_msg_free(msg); ++ return NULL; ++ } ++ + if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) { + RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)"); + radius_msg_free(msg); +@@ -1253,6 +1263,11 @@ static int radius_server_reject(struct radius_server_data *data, + return -1; + } + ++ if (!radius_msg_add_msg_auth(msg)) { ++ radius_msg_free(msg); ++ return -1; ++ } ++ + os_memset(&eapfail, 0, sizeof(eapfail)); + eapfail.code = EAP_CODE_FAILURE; + eapfail.identifier = 0; +-- +2.30.2 + 
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_04.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_04.patch
new file mode 100644
index 00000000000..ce499ce8b6c
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_04.patch
@@ -0,0 +1,52 @@ +From 37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 16 Mar 2024 11:22:43 +0200 +Subject: [PATCH 5/9] hostapd: Move Message-Authenticator attribute to be the + first one in req + +Even if this is not strictly speaking necessary for mitigating certain +RADIUS protocol attacks, be consistent with the RADIUS server behavior +and move the Message-Authenticator attribute to be the first attribute +in the message from RADIUS client in hostapd. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17] +Signed-off-by: Peter Marko +--- + src/ap/ieee802_11_auth.c | 3 +++ + src/ap/ieee802_1x.c | 3 +++ + 2 files changed, 6 insertions(+) + +diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c +index 47cc625be..2a950cf7f 100644 +--- a/src/ap/ieee802_11_auth.c ++++ b/src/ap/ieee802_11_auth.c +@@ -119,6 +119,9 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr, + goto fail; + } + ++ if (!radius_msg_add_msg_auth(msg)) ++ goto fail; ++ + os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr)); + if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf, + os_strlen(buf))) { +diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c +index 753c88335..89e3dd30e 100644 +--- a/src/ap/ieee802_1x.c ++++ b/src/ap/ieee802_1x.c +@@ -702,6 +702,9 @@ void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd, + goto fail; + } + ++ if (!radius_msg_add_msg_auth(msg)) ++ goto fail; ++ + if (sm->identity && + !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, + sm->identity, sm->identity_len)) { +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_05.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_05.patch new file mode 100644 index 00000000000..44113afd4aa --- /dev/null 
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_05.patch @@ -0,0 +1,51 @@ +From f54157077f799d84ce26bed6ad6b01c4a16e31cf Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 16 Mar 2024 11:26:58 +0200 +Subject: [PATCH 6/9] RADIUS DAS: Move Message-Authenticator attribute to be + the first one + +Even if this might not be strictly speaking necessary for mitigating +certain RADIUS protocol attacks, be consistent with the RADIUS server +behavior and move the Message-Authenticator attribute to be the first +attribute in the RADIUS DAS responses from hostapd. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf] +Signed-off-by: Peter Marko +--- + src/radius/radius_das.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/radius/radius_das.c b/src/radius/radius_das.c +index aaa3fc267..8d7c9b4c4 100644 +--- a/src/radius/radius_das.c ++++ b/src/radius/radius_das.c +@@ -177,6 +177,11 @@ fail: + if (reply == NULL) + return NULL; + ++ if (!radius_msg_add_msg_auth(reply)) { ++ radius_msg_free(reply); ++ return NULL; ++ } ++ + if (error) { + if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, + error)) { +@@ -368,6 +373,11 @@ fail: + if (!reply) + return NULL; + ++ if (!radius_msg_add_msg_auth(reply)) { ++ radius_msg_free(reply); ++ return NULL; ++ } ++ + if (error && + !radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) { + radius_msg_free(reply); +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_06.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_06.patch new file mode 100644 index 00000000000..9a284b52619 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_06.patch 
@@ -0,0 +1,46 @@
+From 934b0c3a45ce0726560ccefbd992a9d385c36385 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sat, 16 Mar 2024 11:31:37 +0200
+Subject: [PATCH 7/9] Require Message-Authenticator in Access-Reject even
+ without EAP-Message
+
+Do not allow the exception for missing Message-Authenticator in
+Access-Reject without EAP-Message. While such exception is allowed in
+RADIUS definition, there is no strong reason to maintain this since
+Access-Reject is supposed to include EAP-Message and even if it doesn't,
+discarding Access-Reject will result in the connection not completing.
+
+Signed-off-by: Jouni Malinen
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=934b0c3a45ce0726560ccefbd992a9d385c36385]
+Signed-off-by: Peter Marko
+---
+ src/ap/ieee802_1x.c | 11 +----------
+ 1 file changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
+index 89e3dd30e..6e7b75128 100644
+--- a/src/ap/ieee802_1x.c
++++ b/src/ap/ieee802_1x.c
+@@ -1939,16 +1939,7 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
+ }
+ sta = sm->sta;
+ 
+- /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
+- * present when packet contains an EAP-Message attribute */
+- if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
+- radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
+- 0) < 0 &&
+- radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
+- wpa_printf(MSG_DEBUG,
+- "Allowing RADIUS Access-Reject without Message-Authenticator since it does not include EAP-Message");
+- } else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
+- req, 1)) {
++ if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 1)) {
+ wpa_printf(MSG_INFO,
+ "Incoming RADIUS packet did not have correct Message-Authenticator - dropped");
+ return RADIUS_RX_INVALID_AUTHENTICATOR;
+--
+2.30.2
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_07.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_07.patch new file mode 100644 index 00000000000..78d3f5d5911 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_07.patch 
@@ -0,0 +1,105 @@ +From 58097123ec5ea6f8276b38cb9b07669ec368a6c1 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sun, 17 Mar 2024 10:42:56 +0200 +Subject: [PATCH 8/9] RADIUS: Require Message-Authenticator attribute in MAC + ACL cases + +hostapd required Message-Authenticator attribute to be included in EAP +authentication cases, but that requirement was not in place for MAC ACL +cases. Start requiring Message-Authenticator attribute for MAC ACL by +default. Unlike the EAP case, this can still be disabled with +radius_require_message_authenticator=1 to maintain compatibility with +some RADIUS servers when used in a network where the connection to such +a server is secure. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1] +Signed-off-by: Peter Marko +--- + hostapd/config_file.c | 3 +++ + hostapd/hostapd.conf | 11 +++++++++++ + src/ap/ap_config.c | 1 + + src/ap/ap_config.h | 1 + + src/ap/ieee802_11_auth.c | 4 +++- + 5 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/hostapd/config_file.c b/hostapd/config_file.c +index b14728d1b..af1e81d1d 100644 +--- a/hostapd/config_file.c ++++ b/hostapd/config_file.c +@@ -2806,6 +2806,9 @@ static int hostapd_config_fill(struct hostapd_config *conf, + bss->radius->acct_server->shared_secret_len = len; + } else if (os_strcmp(buf, "radius_retry_primary_interval") == 0) { + bss->radius->retry_primary_interval = atoi(pos); ++ } else if (os_strcmp(buf, ++ "radius_require_message_authenticator") == 0) { ++ bss->radius_require_message_authenticator = atoi(pos); + } else if (os_strcmp(buf, "radius_acct_interim_interval") == 0) { + bss->acct_interim_interval = atoi(pos); + } else if (os_strcmp(buf, "radius_request_cui") == 0) { +diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf +index 3c2019f73..c055946a6 100644 +--- a/hostapd/hostapd.conf ++++ b/hostapd/hostapd.conf +@@ -1447,6 +1447,17 @@ 
own_ip_addr=127.0.0.1 + # currently used secondary server is still working. + #radius_retry_primary_interval=600 + ++# Message-Authenticator attribute requirement for non-EAP cases ++# hostapd requires Message-Authenticator attribute to be included in all cases ++# where RADIUS is used for EAP authentication. This is also required for cases ++# where RADIUS is used for MAC ACL (macaddr_acl=2) by default, but that case ++# can be configured to not require this for compatibility with RADIUS servers ++# that do not include the attribute. This is not recommended due to potential ++# security concerns, but can be used as a temporary workaround in networks where ++# the connection to the RADIUS server is secure. ++# 0 = Do not require Message-Authenticator in MAC ACL response ++# 1 = Require Message-Authenticator in all authentication cases (default) ++#radius_require_message_authenticator=1 + + # Interim accounting update interval + # If this is set (larger than 0) and acct_server is configured, hostapd will +diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c +index 86b6e097c..cf497a180 100644 +--- a/src/ap/ap_config.c ++++ b/src/ap/ap_config.c +@@ -120,6 +120,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) + #endif /* CONFIG_IEEE80211R_AP */ + + bss->radius_das_time_window = 300; ++ bss->radius_require_message_authenticator = 1; + + bss->anti_clogging_threshold = 5; + bss->sae_sync = 5; +diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h +index 49cd3168a..22ad617f4 100644 +--- a/src/ap/ap_config.h ++++ b/src/ap/ap_config.h +@@ -302,6 +302,7 @@ struct hostapd_bss_config { + struct hostapd_ip_addr own_ip_addr; + char *nas_identifier; + struct hostapd_radius_servers *radius; ++ int radius_require_message_authenticator; + int acct_interim_interval; + int radius_request_cui; + struct hostapd_radius_attr *radius_auth_req_attr; +diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c +index 2a950cf7f..dab9bcde3 100644 +--- 
a/src/ap/ieee802_11_auth.c ++++ b/src/ap/ieee802_11_auth.c +@@ -474,7 +474,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, + "Found matching Access-Request for RADIUS message (id=%d)", + query->radius_id); + +- if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) { ++ if (radius_msg_verify( ++ msg, shared_secret, shared_secret_len, req, ++ hapd->conf->radius_require_message_authenticator)) { + wpa_printf(MSG_INFO, + "Incoming RADIUS packet did not have correct authenticator - dropped"); + return RADIUS_RX_INVALID_AUTHENTICATOR; +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_08.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_08.patch new file mode 100644 index 00000000000..e23d1e00473 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_08.patch 
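Review bot: The backported description in this patch says the MAC ACL requirement "can still be disabled with radius_require_message_authenticator=1", but the hostapd.conf text and `bss->radius_require_message_authenticator = 1;` in `hostapd_config_defaults_bss()` in the same patch make 1 the default that requires the attribute and 0 the value that turns the check off, so an operator copying the description would believe they had disabled it while it stays on, or the reverse. The typo is in the upstream commit message and cannot be corrected inside the patch body, but the recipe commit message or a comment in the .bb should state it plainly: `# radius_require_message_authenticator=0 disables the MAC ACL check; leave at the default 1 unless the RADIUS link itself is secured`. Separately, `hostapd_config_fill()` stores `atoi(pos)` unvalidated and `hostapd_acl_recv_radius()` passes it straight through as the `auth` flag, so any non-zero value acts as 1; that matches the documented 0/1 semantics but differs from how other boolean options in config_file.c are range-checked, which is outside this hunk.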
@@ -0,0 +1,47 @@
+From f302d9f9646704cce745734af21d540baa0da65f Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sun, 17 Mar 2024 10:47:58 +0200
+Subject: [PATCH 9/9] RADIUS: Check Message-Authenticator if it is present even
+ if not required
+
+Always check the Message-Authenticator attribute in a received RADIUS
+message if it is present. Previously, this would have been skipped if
+the attribute was not required to be present.
+
+Signed-off-by: Jouni Malinen
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=f302d9f9646704cce745734af21d540baa0da65f]
+Signed-off-by: Peter Marko
+---
+ src/radius/radius.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/radius/radius.c b/src/radius/radius.c
+index 2d2e00b5c..a0e3ce399 100644
+--- a/src/radius/radius.c
++++ b/src/radius/radius.c
+@@ -879,6 +879,20 @@ int radius_msg_verify(struct radius_msg *msg, const u8 *secret,
+ return 1;
+ }
+ 
++ if (!auth) {
++ u8 *pos;
++ size_t alen;
++
++ if (radius_msg_get_attr_ptr(msg,
++ RADIUS_ATTR_MESSAGE_AUTHENTICATOR,
++ &pos, &alen, NULL) == 0) {
++ /* Check the Message-Authenticator attribute since it
++ * was included even if we are configured to not
++ * require it. */
++ auth = 1;
++ }
++ }
++
+ if (auth &&
+ radius_msg_verify_msg_auth(msg, secret, secret_len,
+ sent_msg->hdr->authenticator)) {
+--
+2.30.2
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb
index 3c5f78f91a6..70fac06d891 100644
--- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb
@@ -11,6 +11,14 @@ SRC_URI = " \ file://defconfig \ file://init \ file://hostapd.service \ + file://CVE-2024-3596_00.patch \ + file://CVE-2024-3596_01.patch \ + file://CVE-2024-3596_02.patch \ + file://CVE-2024-3596_04.patch \ + file://CVE-2024-3596_05.patch \ + file://CVE-2024-3596_06.patch \ + file://CVE-2024-3596_07.patch \ + file://CVE-2024-3596_08.patch \ " From 6c9e6612f233a33f2ae4fd7427701375ba1a7113 Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sun, 29 Sep 2024 14:58:35 +0200 Subject: [PATCH 48/52] hostapd: Patch security advisory 2024-2 Pick patches according to http://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt SAE H2E and incomplete downgrade protection for group negotiation Patch 0002-SAE-Check-for-invalid-Rejected-Groups-element-length.patch was removed as it only patched wpa_supplicant. The patch names were not changed so it is comparable with wpa_supplicant recipe. Signed-off-by: Peter Marko Signed-off-by: Armin Kuster --- ...valid-Rejected-Groups-element-length.patch | 52 +++++++++++++++++++ ...id-Rejected-Groups-element-in-the-pa.patch | 38 ++++++++++++++ .../hostapd/hostapd_2.10.bb | 2 + 3 files changed, 92 insertions(+) create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch create mode 100644 meta-oe/recipes-connectivity/hostapd/hostapd/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch new file mode 100644 index 00000000000..5780f27f8b9 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch 
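Review bot: The added SRC_URI list jumps from `file://CVE-2024-3596_02.patch` to `file://CVE-2024-3596_04.patch`, and the patch files visible in this commit carry upstream numbering 5/9 through 9/9 with _04 being 5/9, so one member of the upstream nine-patch series appears to be left out with no explanation in the recipe. If it was dropped deliberately (for example because it only touches the RADIUS server side or wpa_supplicant, which is how the later SAE commit justifies omitting its 0002 patch), say so in the commit message or in a comment next to the list, `# _03 omitted: <reason>`, so a later maintainer does not assume the backport is complete; otherwise add `file://CVE-2024-3596_03.patch \` between _02 and _04. The contents of _00 through _02 are not in this chunk, so the gap may already be accounted for there.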
@@ -0,0 +1,52 @@
+From 364c2da8741f0979dae497551e70b94c0e6c8636 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sun, 7 Jul 2024 11:46:49 +0300
+Subject: [PATCH 1/3] SAE: Check for invalid Rejected Groups element length
+ explicitly
+
+Instead of practically ignoring an odd octet at the end of the element,
+check for such invalid case explicitly. This is needed to avoid a
+potential group downgrade attack.
+
+Signed-off-by: Jouni Malinen
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=364c2da8741f0979dae497551e70b94c0e6c8636]
+Signed-off-by: Peter Marko
+---
+ src/ap/ieee802_11.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index db4104928..1a62e30cc 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -1258,7 +1258,7 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
+ struct sae_data *sae)
+ {
+ const struct wpabuf *groups;
+- size_t i, count;
++ size_t i, count, len;
+ const u8 *pos;
+ 
+ if (!sae->tmp)
+@@ -1268,7 +1268,15 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
+ return 0;
+ 
+ pos = wpabuf_head(groups);
+- count = wpabuf_len(groups) / 2;
++ len = wpabuf_len(groups);
++ if (len & 1) {
++ wpa_printf(MSG_DEBUG,
++ "SAE: Invalid length of the Rejected Groups element payload: %zu",
++ len);
++ return 1;
++ }
++
++ count = len / 2;
+ for (i = 0; i < count; i++) {
+ int enabled;
+ u16 group;
+--
+2.30.2
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
new file mode 100644
index 00000000000..5e9e8bc01d8
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
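Review bot: The `CVE: CVE-2024-3596` trailer in this patch header is wrong: CVE-2024-3596 is the RADIUS Message-Authenticator issue handled by the CVE-2024-3596_*.patch series in the previous commit, whereas this patch belongs to the hostap security advisory 2024-2 (SAE Rejected Groups element / H2E group downgrade) that the commit message names. cve-check consumes that trailer, so the tag gains nothing for CVE-2024-3596 and actively misstates what this patch fixes to anyone auditing the recipe. Drop the line, or replace it with the identifier assigned to advisory 2024-2 if one exists; the 0003 patch added by the same commit correctly carries no CVE trailer.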
@@ -0,0 +1,38 @@ +From 9716bf1160beb677e965d9e6475d6c9e162e8374 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Tue, 9 Jul 2024 23:34:34 +0300 +Subject: [PATCH 3/3] SAE: Reject invalid Rejected Groups element in the parser + +There is no need to depend on all uses (i.e., both hostapd and +wpa_supplicant) to verify that the length of the Rejected Groups field +in the Rejected Groups element is valid (i.e., a multiple of two octets) +since the common parser can reject the message when detecting this. + +Signed-off-by: Jouni Malinen + +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=9716bf1160beb677e965d9e6475d6c9e162e8374] +Signed-off-by: Peter Marko +--- + src/common/sae.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/common/sae.c b/src/common/sae.c +index c0f154e91..620bdf753 100644 +--- a/src/common/sae.c ++++ b/src/common/sae.c +@@ -2076,6 +2076,12 @@ static int sae_parse_rejected_groups(struct sae_data *sae, + return WLAN_STATUS_UNSPECIFIED_FAILURE; + epos++; /* skip ext ID */ + len--; ++ if (len & 1) { ++ wpa_printf(MSG_DEBUG, ++ "SAE: Invalid length of the Rejected Groups element payload: %u", ++ len); ++ return WLAN_STATUS_UNSPECIFIED_FAILURE; ++ } + + wpabuf_free(sae->tmp->peer_rejected_groups); + sae->tmp->peer_rejected_groups = wpabuf_alloc(len); +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb index 70fac06d891..a745e7a4041 100644 --- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb +++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb @@ -19,6 +19,8 @@ SRC_URI = " \ file://CVE-2024-3596_06.patch \ file://CVE-2024-3596_07.patch \ file://CVE-2024-3596_08.patch \ + file://0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \ + file://0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch \ " From 72018ca1b1a471226917e8246e8bbf9a374ccf97 Mon Sep 17 00:00:00 2001 
From: Nikhil R Date: Fri, 9 Aug 2024 16:36:19 +0530 Subject: [PATCH 49/52] rocksdb: Add an option to set static library Modify the CMakeLists.txt to add an Option for STATIC target import, as available for shared library. Link: https://github.com/facebook/rocksdb/pull/12890 Configure static library default to switched off as shared libraries are sufficient in most cases. Signed-off-by: Bhabu Bindu Signed-off-by: Khem Raj (cherry picked from commit 233079a41caded6b68972317f01dc09435ba1ae0) Signed-off-by: Armin Kuster --- .../files/static_library_as_option.patch | 71 +++++++++++++++++++ meta-oe/recipes-dbs/rocksdb/rocksdb_9.0.0.bb | 2 + 2 files changed, 73 insertions(+) create mode 100644 meta-oe/recipes-dbs/rocksdb/files/static_library_as_option.patch diff --git a/meta-oe/recipes-dbs/rocksdb/files/static_library_as_option.patch b/meta-oe/recipes-dbs/rocksdb/files/static_library_as_option.patch new file mode 100644 index 00000000000..9a85e8db453 --- /dev/null +++ b/meta-oe/recipes-dbs/rocksdb/files/static_library_as_option.patch 
@@ -0,0 +1,71 @@ +From 285d306494bde3e9c24c8cd6fea1eb380a304d03 Mon Sep 17 00:00:00 2001 +From: Bindu-Bhabu +Date: Fri, 26 Jul 2024 15:14:45 +0530 +Subject: Add option to CMake for building static libraries + +ROCKSDB creates a STATIC library target reference by default. +Modify the cmake so that the STATIC library is also an option +just like creating a SHARED library and set default to ON. + +Upstream-Status: Submitted [https://github.com/facebook/rocksdb/pull/12890] + +Signed-off-by: Nisha Parrakat +Signed-off-by: Bindu Bhabu +--- + CMakeLists.txt | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 93b884dd9c1..2ca925d505c 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -98,6 +98,7 @@ if (WITH_WINDOWS_UTF8_FILENAMES) + add_definitions(-DROCKSDB_WINDOWS_UTF8_FILENAMES) + endif() + option(ROCKSDB_BUILD_SHARED "Build shared versions of the RocksDB libraries" ON) ++option(ROCKSDB_BUILD_STATIC "Build static versions of the RocksDB libraries" ON) + + if( NOT DEFINED CMAKE_CXX_STANDARD ) + set(CMAKE_CXX_STANDARD 17) +@@ -1139,11 +1140,13 @@ string(REGEX REPLACE "[^0-9: /-]+" "" GIT_DATE "${GIT_DATE}") + set(BUILD_VERSION_CC ${CMAKE_BINARY_DIR}/build_version.cc) + configure_file(util/build_version.cc.in ${BUILD_VERSION_CC} @ONLY) + +-add_library(${ROCKSDB_STATIC_LIB} STATIC ${SOURCES} ${BUILD_VERSION_CC}) +-target_include_directories(${ROCKSDB_STATIC_LIB} PUBLIC +- $) +-target_link_libraries(${ROCKSDB_STATIC_LIB} PRIVATE +- ${THIRDPARTY_LIBS} ${SYSTEM_LIBS}) ++if(ROCKSDB_BUILD_STATIC) ++ add_library(${ROCKSDB_STATIC_LIB} STATIC ${SOURCES} ${BUILD_VERSION_CC}) ++ target_include_directories(${ROCKSDB_STATIC_LIB} PUBLIC ++ $) ++ target_link_libraries(${ROCKSDB_STATIC_LIB} PRIVATE ++ ${THIRDPARTY_LIBS} ${SYSTEM_LIBS}) ++endif() + + if(ROCKSDB_BUILD_SHARED) + add_library(${ROCKSDB_SHARED_LIB} SHARED ${SOURCES} ${BUILD_VERSION_CC}) +@@ -1238,13 +1241,15 @@ if(NOT WIN32 OR 
ROCKSDB_INSTALL_ON_WINDOWS) + + install(DIRECTORY "${PROJECT_SOURCE_DIR}/cmake/modules" COMPONENT devel DESTINATION ${package_config_destination}) + +- install( +- TARGETS ${ROCKSDB_STATIC_LIB} +- EXPORT RocksDBTargets +- COMPONENT devel +- ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" +- INCLUDES DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" +- ) ++ if(ROCKSDB_BUILD_STATIC) ++ install( ++ TARGETS ${ROCKSDB_STATIC_LIB} ++ EXPORT RocksDBTargets ++ COMPONENT devel ++ ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" ++ INCLUDES DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" ++ ) ++ endif() + + if(ROCKSDB_BUILD_SHARED) + install( diff --git a/meta-oe/recipes-dbs/rocksdb/rocksdb_9.0.0.bb b/meta-oe/recipes-dbs/rocksdb/rocksdb_9.0.0.bb index 444351dbb4e..fae54fdba41 100644 --- a/meta-oe/recipes-dbs/rocksdb/rocksdb_9.0.0.bb +++ b/meta-oe/recipes-dbs/rocksdb/rocksdb_9.0.0.bb @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH};protocol=htt file://0005-Implement-timer-implementation-for-mips-platform.patch \ file://0006-Implement-timer-for-arm-v6.patch \ file://0007-Fix-declaration-scope-of-LE_LOAD32-in-crc32c.patch \ + file://static_library_as_option.patch \ " SRC_URI:append:riscv32 = " file://0001-replace-old-sync-with-new-atomic-builtin-equivalents.patch" @@ -43,6 +44,7 @@ EXTRA_OECMAKE = "\ -DWITH_BENCHMARK_TOOLS=OFF \ -DWITH_TOOLS=OFF \ -DFAIL_ON_WARNINGS=OFF \ + -DROCKSDB_BUILD_STATIC=OFF \ " CXXFLAGS += "${@bb.utils.contains('SELECTED_OPTIMIZATION', '-Og', '-DXXH_NO_INLINE_HINTS', '', d)}" From 92db140f5f29d5803d11fa6176fe4d4a6df0d4e0 Mon Sep 17 00:00:00 2001 
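Review bot: With both `ROCKSDB_BUILD_SHARED` and `ROCKSDB_BUILD_STATIC` turned off the patched CMakeLists.txt configures successfully yet defines and installs no library; a guard right after the new `option()` line, `if(NOT ROCKSDB_BUILD_SHARED AND NOT ROCKSDB_BUILD_STATIC) message(FATAL_ERROR "Enable ROCKSDB_BUILD_SHARED or ROCKSDB_BUILD_STATIC") endif()`, would make that a clear error instead of a silent empty install. The hunk only wraps the `add_library`/`install` pair, so any other target in the file that links `${ROCKSDB_STATIC_LIB}` (tools, tests) is outside this hunk and would reference an undefined target when the recipe passes `-DROCKSDB_BUILD_STATIC=OFF`; the recipe's `-DWITH_TOOLS=OFF` and `-DWITH_BENCHMARK_TOOLS=OFF` may be what avoids this, which is worth stating in the recipe. Note also that the patch text says the static option defaults to ON while the recipe commit message says it is "switched off"; both are true only because the .bb overrides it, so the commit message should say the default is overridden rather than changed.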
From: Andrej Valek Date: Mon, 14 Oct 2024 09:48:48 +0200 Subject: [PATCH 50/52] externalsrc: fix support in various components Affected components: - cpupower - intel-speed-select - spidev-test When the externalsrc class is used the tasks listed in SRCTREECOVEREDTASKS are deleted to prevent them being executed. If externalsrc is used for the kernel then this will include virtual/kernel:do_patch. Signed-off-by: Andrej Valek Signed-off-by: Armin Kuster --- meta-oe/recipes-kernel/cpupower/cpupower.bb | 2 +- meta-oe/recipes-kernel/intel-speed-select/intel-speed-select.bb | 2 +- meta-oe/recipes-kernel/spidev-test/spidev-test.bb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/meta-oe/recipes-kernel/cpupower/cpupower.bb b/meta-oe/recipes-kernel/cpupower/cpupower.bb index 18e36380521..453ebe8c7f0 100644 --- a/meta-oe/recipes-kernel/cpupower/cpupower.bb +++ b/meta-oe/recipes-kernel/cpupower/cpupower.bb @@ -7,7 +7,7 @@ PROVIDES = "virtual/cpupower" inherit kernelsrc kernel-arch bash-completion -do_populate_lic[depends] += "virtual/kernel:do_patch" +do_populate_lic[depends] += "virtual/kernel:do_shared_workdir" EXTRA_OEMAKE = "-C ${S}/tools/power/cpupower O=${B} CROSS=${TARGET_PREFIX} CC="${CC}" LD="${LD}" AR=${AR} ARCH=${ARCH}" diff --git a/meta-oe/recipes-kernel/intel-speed-select/intel-speed-select.bb b/meta-oe/recipes-kernel/intel-speed-select/intel-speed-select.bb index 23ea0d8aae8..3b5866180de 100644 --- a/meta-oe/recipes-kernel/intel-speed-select/intel-speed-select.bb +++ b/meta-oe/recipes-kernel/intel-speed-select/intel-speed-select.bb @@ -13,7 +13,7 @@ COMPATIBLE_HOST:libc-musl = 'null' DEPENDS = "libnl" -do_populate_lic[depends] += "virtual/kernel:do_patch" +do_populate_lic[depends] += "virtual/kernel:do_shared_workdir" B = "${WORKDIR}/${BPN}-${PV}" diff --git a/meta-oe/recipes-kernel/spidev-test/spidev-test.bb b/meta-oe/recipes-kernel/spidev-test/spidev-test.bb index 2e8c5cbb8de..7b87dd28dfb 100644 
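Review bot: The new `do_populate_lic[depends] += "virtual/kernel:do_shared_workdir"` line carries no comment saying why `do_shared_workdir` replaces `do_patch`; the reason, that `virtual/kernel:do_patch` is deleted from the task graph when the kernel is built with externalsrc (SRCTREECOVEREDTASKS), exists only in the commit message, and a maintainer who sees the recipe later is likely to "fix" it back to `do_patch`. Add `# do_patch is removed under externalsrc (SRCTREECOVEREDTASKS); do_shared_workdir is kept and runs after the kernel source is ready` above the line; the same comment belongs on the identical lines in the intel-speed-select and spidev-test hunks.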
--- a/meta-oe/recipes-kernel/spidev-test/spidev-test.bb +++ b/meta-oe/recipes-kernel/spidev-test/spidev-test.bb @@ -6,7 +6,7 @@ PROVIDES = "virtual/spidev-test" inherit bash-completion kernelsrc kernel-arch -do_populate_lic[depends] += "virtual/kernel:do_patch" +do_populate_lic[depends] += "virtual/kernel:do_shared_workdir" EXTRA_OEMAKE = "-C ${S}/tools/spi O=${B} CROSS=${TARGET_PREFIX} CC="${CC}" LD="${LD}" AR=${AR} ARCH=${ARCH}" From 304585159f81df8def6ec195e4e701a157445dae Mon Sep 17 00:00:00 2001 From: Ryan Eatmon Date: Fri, 11 Oct 2024 09:24:16 -0500 Subject: [PATCH 51/52] kernel-selftest: Update to allow for turning on all tests In testing adding in more kernel-selftests there were a number of issues that arose that require changes that are more appropriate for the main recipe and not a bbappend. 1) Stop looping over TEST_LIST ourselves and use the TARGETS="" provided by the kernel-sefltest Makefiles. This correctly sets up various variables that the selftest Makefiles all need. Also, do_install becomes cleaner because the main Makefile already installs the list of tests and the top level script. 2) Add DEBUG_PREFIX_MAP to the CC setting to avoid some "buildpaths" QA errors. 3) Add two INSANE_SKIPS for "already-stripped" and "ldflags". Some of the selftest Makefiles are adding flags to their compiles that basically break the above checks. Since these compiles are not really meant as user level tools and instead testing, it should be ok to just always set INSANE_SKIP for these two. Signed-off-by: Ryan Eatmon Signed-off-by: Armin Kuster --- .../kernel-selftest/kernel-selftest.bb | 26 +++++++------------ 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/meta-oe/recipes-kernel/kernel-selftest/kernel-selftest.bb b/meta-oe/recipes-kernel/kernel-selftest/kernel-selftest.bb index 01f185adbae..a070ceab55e 100644 --- a/meta-oe/recipes-kernel/kernel-selftest/kernel-selftest.bb +++ b/meta-oe/recipes-kernel/kernel-selftest/kernel-selftest.bb 
@@ -55,7 +55,7 @@ TEST_LIST = "\ EXTRA_OEMAKE = '\ CROSS_COMPILE=${TARGET_PREFIX} \ ARCH=${ARCH} \ - CC="${CC}" \ + CC="${CC} ${DEBUG_PREFIX_MAP}" \ AR="${AR}" \ LD="${LD}" \ CLANG="clang -fno-stack-protector -target ${TARGET_ARCH} ${TOOLCHAIN_OPTIONS} -isystem ${S} -D__WORDSIZE=\'64\' -Wno-error=unused-command-line-argument" \ @@ -96,25 +96,13 @@ either install it and add it to HOSTTOOLS, or add clang-native from meta-clang t sed -i -e '/mrecord-mcount/d' ${S}/Makefile sed -i -e '/Wno-alloc-size-larger-than/d' ${S}/Makefile sed -i -e '/Wno-alloc-size-larger-than/d' ${S}/scripts/Makefile.* - for i in ${TEST_LIST} - do - oe_runmake -C ${S}/tools/testing/selftests/${i} - done + oe_runmake -C ${S}/tools/testing/selftests TARGETS="${TEST_LIST}" } do_install() { - for i in ${TEST_LIST} - do - oe_runmake -C ${S}/tools/testing/selftests/${i} INSTALL_PATH=${D}/usr/kernel-selftest/${i} install - # Install kselftest-list.txt that required by kselftest runner. - oe_runmake -s --no-print-directory COLLECTION=${i} -C ${S}/tools/testing/selftests/${i} emit_tests \ - >> ${D}/usr/kernel-selftest/kselftest-list.txt - done - # Install kselftest runner. - install -m 0755 ${S}/tools/testing/selftests/run_kselftest.sh ${D}/usr/kernel-selftest/ - cp -R --no-dereference --preserve=mode,links -v ${S}/tools/testing/selftests/kselftest ${D}/usr/kernel-selftest/ + oe_runmake -C ${S}/tools/testing/selftests INSTALL_PATH=${D}/usr/kernel-selftest TARGETS="${TEST_LIST}" install if [ -e ${D}/usr/kernel-selftest/bpf/test_offload.py ]; then - sed -i -e '1s,#!.*python3,#! /usr/bin/env python3,' ${D}/usr/kernel-selftest/bpf/test_offload.py + sed -i -e '1s,#!.*python3,#! /usr/bin/env python3,' ${D}/usr/kernel-selftest/bpf/test_offload.py fi chown root:root -R ${D}/usr/kernel-selftest } 
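Review bot: The new `do_install` drops the explicit `emit_tests` loop that wrote `kselftest-list.txt` and the explicit copy of `run_kselftest.sh` and the `kselftest/` helper directory, and relies on the top-level selftests `install` target to produce all three; the commit message says it does, but nothing in the recipe fails if, for the kernel version actually built, the list is not generated, and `run_kselftest.sh` would then ship with nothing to run. A one-line post-install check would catch that at build time: `[ -s ${D}/usr/kernel-selftest/kselftest-list.txt ] || bbfatal "kselftest install did not generate kselftest-list.txt"` placed before the `chown`. The `sed` shebang rewrite and `chown root:root -R` are unchanged apart from whitespace.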
@@ -158,6 +146,12 @@ RDEPENDS:${PN} += "python3 perl perl-module-io-handle" INSANE_SKIP:${PN} += "libdir" +# A few of the selftests set compile flags that trip up the "ldflags" and +# "already-stripped" QA checks. As this is mainly a testing package and +# not really meant for user level execution, disable these two checks. +INSANE_SKIP:${PN} += "ldflags" +INSANE_SKIP:${PN} += "already-stripped" + SECURITY_CFLAGS = "" COMPATIBLE_HOST:libc-musl = 'null' From 2e3126c9c16bb3df0560f6b3896d01539a3bfad7 Mon Sep 17 00:00:00 2001 From: Martin Jansa Date: Mon, 14 Oct 2024 17:25:23 +0200 Subject: [PATCH 52/52] xmlrpc-c: update SRCREV * github repo was force pushed and git history re-written since 2018 commit: 69ee98df Release 1.43.07 * $ git branch -a --contains 352aeaa9ae49e90e55187cbda839f2113df06278 $ * $ git diff 352aeaa9ae49e90e55187cbda839f2113df06278 08b052692b70171a6fcb437d4f52a46977eda62e $ * so at least the 1.59.01 content is the same Signed-off-by: Martin Jansa Signed-off-by: Armin Kuster --- meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.59.01.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.59.01.bb b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.59.01.bb index 5d5152b8344..b667507ef94 100644 --- a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.59.01.bb +++ b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.59.01.bb @@ -10,7 +10,7 @@ SRC_URI = "git://github.com/mirror/xmlrpc-c.git;branch=master;protocol=https \ file://0002-fix-formatting-issues.patch \ " #Release 1.59.01 -SRCREV = "352aeaa9ae49e90e55187cbda839f2113df06278" +SRCREV = "08b052692b70171a6fcb437d4f52a46977eda62e" S = "${WORKDIR}/git/stable"
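Review bot: Skipping the `ldflags` QA check hides more than the `--hash-style` complaint the comment mentions: it also stops OE from noticing that the selftest Makefiles replaced the toolchain LDFLAGS, which is where the distro's hardening link flags live, and the recipe already sets `SECURITY_CFLAGS = ""`, so these binaries ship with neither compile-time nor link-time hardening. That is defensible for a test package but the comment should say it, e.g. `# NOTE: with SECURITY_CFLAGS cleared and the ldflags check skipped, the selftest binaries carry no distro hardening; never install this package into a production image`. Whether `already-stripped` also means the `-dbg` package lacks symbols for these binaries is not visible here and is worth confirming.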
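Review bot: Re-pinning `SRCREV` after the mirror's history was rewritten keeps the fetch working, but it also records that `github.com/mirror/xmlrpc-c` is a mutable, unofficial mirror whose commit ids can change underneath the recipe, and the manual `git diff` in the commit message is the only integrity evidence, none of it in the recipe. Consider fetching from the upstream source (the SourceForge repository or a release tarball with `SRC_URI[sha256sum]`) so integrity does not depend on the mirror, or at least add `# github.com/mirror/xmlrpc-c is an unofficial mirror; its history was force-pushed in 2024, new rev verified identical to 352aeaa9` above the SRCREV so the next rewrite is recognised as a supply-chain event rather than silently re-pinned.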