diff --git a/meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.1.bb b/meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.2.bb similarity index 64% rename from meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.1.bb rename to meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.2.bb index 634b37971e8..59ae9383db5 100644 --- a/meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.1.bb +++ b/meta-gnome/dynamic-layers/meta-security/recipes-gnome/gnome-remote-desktop/gnome-remote-desktop_46.2.bb @@ -4,11 +4,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" GNOMEBASEBUILDCLASS = "meson" -inherit gnomebase gettext gsettings features_check +inherit gnomebase gettext gsettings features_check useradd -REQUIRED_DISTRO_FEATURES = "opengl" +REQUIRED_DISTRO_FEATURES = "opengl polkit" -SRC_URI[archive.sha256sum] = "7c62a4281fdfa9522110affbf75d09973035f2adc7fa4577511d733186beb68f" +SRC_URI[archive.sha256sum] = "97443eaffe4b1a69626886a41d25cbeb2c148d3fed43d92115c1b7d20d5238ab" DEPENDS = " \ asciidoc-native \ @@ -36,5 +36,15 @@ PACKAGECONFIG[vnc] = "-Dvnc=true,-Dvnc=false,libvncserver" PACKAGECONFIG[rdp] = "-Drdp=true,-Drdp=false,freerdp3 fuse3 libxkbcommon" PACKAGECONFIG[systemd] = "-Dsystemd=true,-Dsystemd=false,systemd" +USERADD_PACKAGES = "${PN}" +USERADD_PARAM:${PN} = "--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd" + +do_install:append() { + if [ -d ${D}${datadir}/polkit-1/rules.d ]; then + chmod 700 ${D}${datadir}/polkit-1/rules.d + chown polkitd:root ${D}${datadir}/polkit-1/rules.d + fi +} + PACKAGE_DEBUG_SPLIT_STYLE = "debug-without-src" FILES:${PN} += "${systemd_user_unitdir} ${systemd_system_unitdir} ${datadir} ${libdir}/sysusers.d ${libdir}/tmpfiles.d" 
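Review bot: `USERADD_PARAM:${PN}` in the second hunk creates the `polkitd` system account without `--shell`, so the account gets whatever default shell the target's useradd configuration supplies. For an account that only needs to own `rules.d`, a non-login shell should be stated explicitly, for example `--shell /bin/nologin` before the user name. If the polkit recipe also creates this user (not visible here), the two parameter strings should be identical so the result does not depend on which package is processed first. In `do_install:append` the path in the `[ -d … ]` test and in `chmod`/`chown` is unquoted; `"${D}${datadir}/polkit-1/rules.d"` is the safer form.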
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.8.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.9.bb similarity index 98% rename from meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.8.bb rename to meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.9.bb index 301e6559899..da984a3990b 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.8.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.9.bb @@ -23,7 +23,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=379d5819937a6c2f1ef1630d341e026d" SECTION = "libs" S = "${WORKDIR}/git" -SRCREV = "5a764e5555c64337ed17444410269ff21cb617b1" +SRCREV = "5e146adef63b326b04282252639bebc2730939c6" SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=mbedtls-2.28 \ file://run-ptest \ " diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.1.bb similarity index 93% rename from meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.0.bb rename to meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.1.bb index 92a2de82a3f..29c96f19aa8 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.0.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.6.1.bb 
@@ -23,12 +23,12 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=379d5819937a6c2f1ef1630d341e026d" SECTION = "libs" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=master \ +SRC_URI = "git://github.com/Mbed-TLS/mbedtls.git;protocol=https;branch=mbedtls-3.6 \ git://github.com/Mbed-TLS/mbedtls-framework.git;protocol=https;branch=main;destsuffix=git/framework;name=framework \ file://run-ptest" -SRCREV = "2ca6c285a0dd3f33982dd57299012dacab1ff206" -SRCREV_framework = "750634d3a51eb9d61b59fd5d801546927c946588" +SRCREV = "71c569d44bf3a8bd53d874c81ee8ac644dd6e9e3" +SRCREV_framework = "94599c0e3b5036e086446a51a3f79640f70f22f6" SRCREV_FORMAT .= "_framework" UPSTREAM_CHECK_GITTAGREGEX = "v(?P\d+(\.\d+)+)" @@ -76,7 +76,8 @@ sysroot_stage_all:append() { do_install_ptest () { install -d ${D}${PTEST_PATH}/tests + install -d ${D}${PTEST_PATH}/framework cp -f ${B}/tests/test_suite_* ${D}${PTEST_PATH}/tests/ find ${D}${PTEST_PATH}/tests/ -type f -name "*.c" -delete - cp -fR ${S}/tests/data_files ${D}${PTEST_PATH}/tests/ + cp -fR ${S}/framework/data_files ${D}${PTEST_PATH}/framework/ } diff --git a/meta-networking/recipes-connectivity/samba/samba_4.19.6.bb b/meta-networking/recipes-connectivity/samba/samba_4.19.8.bb similarity index 99% rename from meta-networking/recipes-connectivity/samba/samba_4.19.6.bb rename to meta-networking/recipes-connectivity/samba/samba_4.19.8.bb index bd0309934b9..429f983c93d 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.19.6.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.19.8.bb @@ -31,7 +31,7 @@ SRC_URI:append:libc-musl = " \ file://samba-4.3.9-remove-getpwent_r.patch \ " -SRC_URI[sha256sum] = "653b52095554dbc223c63b96af5cdf9e98c3e048549c5f56143d3b33dce1cef1" +SRC_URI[sha256sum] = "1aeff76c207f383477ce4badebd154691c408d2e15b01b333c85eb775468ddf6" UPSTREAM_CHECK_REGEX = "samba\-(?P4\.19(\.\d+)+).tar.gz" 
diff --git a/meta-networking/recipes-extended/tgt/files/CVE-2024-45751.patch b/meta-networking/recipes-extended/tgt/files/CVE-2024-45751.patch
new file mode 100644
index 00000000000..2de9ae9b289
--- /dev/null
+++ b/meta-networking/recipes-extended/tgt/files/CVE-2024-45751.patch
@@ -0,0 +1,71 @@ +From abd8e0d987ab56013d360077202bf2aca20a42dd Mon Sep 17 00:00:00 2001 +From: Richard Weinberger +Date: Tue, 3 Sep 2024 16:14:58 +0200 +Subject: [PATCH] chap: Use proper entropy source + +The challenge sent to the initiator is based on a poor +source of randomness, it uses rand() without seeding it by srand(). +So the glibc PRNG is always seeded with 1 and as a consequence the +sequence of challenges is always the same. + +An attacker which is able to monitor network traffic can apply a replay +attack to bypass the CHAP authentication. All the attacker has to do +is waiting for the server or the service to restart and replay with a +previously record CHAP session which fits into the sequence. + +To overcome the issue, use getrandom() to query the kernel random +number generator. +Also always send a challenge of length CHAP_CHALLENGE_MAX, there is no +benefit in sending a variable length challenge. + +Signed-off-by: Richard Weinberger + +Upstream-Status: Backport [https://github.com/fujita/tgt/commit/abd8e0d987ab56013d360077202bf2aca20a42dd] +CVE: CVE-2024-45751 +Signed-off-by: Hitendra Prajapati +--- + usr/iscsi/chap.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/usr/iscsi/chap.c b/usr/iscsi/chap.c +index aa0fc67..b89ecab 100644 +--- a/usr/iscsi/chap.c ++++ b/usr/iscsi/chap.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #include "iscsid.h" + #include "tgtd.h" +@@ -359,22 +360,19 @@ static int chap_initiator_auth_create_challenge(struct iscsi_connection *conn) + sprintf(text, "%u", (unsigned char)conn->auth.chap.id); + text_key_add(conn, "CHAP_I", text); + +- /* +- * FIXME: does a random challenge length provide any benefits security- +- * wise, or should we rather always use the max. allowed length of +- * 1024 for the (unencoded) challenge? 
+- */ +- conn->auth.chap.challenge_size = (rand() % (CHAP_CHALLENGE_MAX / 2)) + CHAP_CHALLENGE_MAX / 2; ++ conn->auth.chap.challenge_size = CHAP_CHALLENGE_MAX; + + conn->auth.chap.challenge = malloc(conn->auth.chap.challenge_size); + if (!conn->auth.chap.challenge) + return CHAP_TARGET_ERROR; + ++ if (getrandom(conn->auth.chap.challenge, conn->auth.chap.challenge_size, 0) != conn->auth.chap.challenge_size) ++ return CHAP_TARGET_ERROR; ++ + p = text; + strcpy(p, "0x"); + p += 2; + for (i = 0; i < conn->auth.chap.challenge_size; i++) { +- conn->auth.chap.challenge[i] = rand(); + sprintf(p, "%.2hhx", conn->auth.chap.challenge[i]); + p += 2; + } +-- +2.25.1 + diff --git a/meta-networking/recipes-extended/tgt/tgt_1.0.90.bb b/meta-networking/recipes-extended/tgt/tgt_1.0.90.bb index 35995f7876d..f70f77f5401 100644 --- a/meta-networking/recipes-extended/tgt/tgt_1.0.90.bb +++ b/meta-networking/recipes-extended/tgt/tgt_1.0.90.bb @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/fujita/tgt.git;branch=master;protocol=https \ file://0001-usr-Makefile-WARNING-fix.patch \ file://usr-Makefile-apply-LDFLAGS-to-all-executables.patch \ file://musl-__wordsize.patch \ + file://CVE-2024-45751.patch \ " SRC_URI += "file://tgtd.init \ file://tgtd.service \ diff --git a/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb b/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb index 77189227425..569ab6f6afc 100644 --- a/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb +++ b/meta-networking/recipes-filter/nftables/nftables_1.0.9.bb 
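Review bot: In the added `getrandom()` check in `chap_initiator_auth_create_challenge()` (CVE-2024-45751.patch), the early `return CHAP_TARGET_ERROR` leaves the buffer just returned by `malloc()` in `conn->auth.chap.challenge`; unless connection teardown frees it, which is not visible in this hunk, that is a leak on each failed call. A minimal change is to add `free(conn->auth.chap.challenge); conn->auth.chap.challenge = NULL;` before that return. With flags `0` and a request size the removed comment puts at 1024 bytes, `getrandom()` can return fewer bytes than asked when interrupted by a signal, and this check turns that into an authentication error; that fails closed, but deserves a comment or a retry loop. The comparison also mixes the `ssize_t` result with `challenge_size`, whose type is declared outside the hunk, and the function body continues beyond the lines shown.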
@@ -35,9 +35,9 @@ EXTRA_OECONF = " \ SETUPTOOLS_SETUP_PATH = "${S}/py" -inherit ${@bb.utils.contains('PACKAGECONFIG', 'python', 'setuptools3', '', d)} +inherit_defer ${@bb.utils.contains('PACKAGECONFIG', 'python', 'setuptools3', '', d)} -PACKAGES =+ "${PN}-python" +PACKAGES =+ "${@bb.utils.contains('PACKAGECONFIG', 'python', '${PN}-python', '', d)}" FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}" RDEPENDS:${PN}-python = "python3-core python3-json ${PN}" @@ -64,7 +64,10 @@ do_install() { fi } -RDEPENDS:${PN}-ptest += " ${PN}-python bash coreutils make iproute2 iputils-ping procps python3-core python3-ctypes python3-json python3-misc sed util-linux" +RDEPENDS:${PN}-ptest += " \ + bash coreutils make iproute2 iputils-ping procps python3-core python3-ctypes python3-json python3-misc sed util-linux \ + ${@bb.utils.contains('PACKAGECONFIG', 'python', '${PN}-python', '', d)} \ +" RRECOMMENDS:${PN}-ptest += "\ kernel-module-nft-chain-nat kernel-module-nft-queue \ diff --git a/meta-networking/recipes-support/libldb/libldb_2.8.0.bb b/meta-networking/recipes-support/libldb/libldb_2.8.1.bb similarity index 97% rename from meta-networking/recipes-support/libldb/libldb_2.8.0.bb rename to meta-networking/recipes-support/libldb/libldb_2.8.1.bb index bdd87993d71..29ff2cf6f2b 100644 --- a/meta-networking/recipes-support/libldb/libldb_2.8.0.bb +++ b/meta-networking/recipes-support/libldb/libldb_2.8.1.bb @@ -34,7 +34,7 @@ LIC_FILES_CHKSUM = "file://pyldb.h;endline=24;md5=dfbd238cecad76957f7f860fbe9ada file://man/ldb.3.xml;beginline=261;endline=262;md5=137f9fd61040c1505d1aa1019663fd08 \ file://tools/ldbdump.c;endline=19;md5=a7d4fc5d1f75676b49df491575a86a42" -SRC_URI[sha256sum] = "358dca10fcd27207ac857a0d7f435a46dbc6cd1f7c10dbb840c1931bf1965f08" +SRC_URI[sha256sum] = "b68ce6eb0ccd2870fa3c8c334f2028b5d16606fd41308696c17b71959f7bf59f" inherit pkgconfig waf-samba ptest 
diff --git a/meta-networking/recipes-support/wireshark/wireshark_4.2.5.bb b/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb similarity index 97% rename from meta-networking/recipes-support/wireshark/wireshark_4.2.5.bb rename to meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb index 7cbe3e6324f..b80710683cb 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_4.2.5.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_4.2.7.bb @@ -17,7 +17,7 @@ SRC_URI = "https://1.eu.dl.wireshark.org/src/wireshark-${PV}.tar.xz \ UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -SRC_URI[sha256sum] = "55e793ab87a9a73aac44336235c92cb76c52180c469b362ed3a54f26fbb1261f" +SRC_URI[sha256sum] = "2c5de08e19081bd666a2ce3f052c023274d06acaabc5d667a3c3051a9c618f86" PE = "1" diff --git a/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools/android-tools-adbd.service b/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools/android-tools-adbd.service index ddf8d7f74e3..b6661f2e39b 100644 --- a/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools/android-tools-adbd.service +++ b/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools/android-tools-adbd.service @@ -1,6 +1,6 @@ [Unit] Description=Android Debug Bridge -ConditionPathExists=/var/usb-debugging-enabled +ConditionPathExists=/etc/usb-debugging-enabled Before=android-system.service [Service] diff --git a/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools_29.0.6.r14.bb b/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools_29.0.6.r14.bb index fbad5e13689..e9b0c97e961 100644 --- a/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools_29.0.6.r14.bb +++ b/meta-oe/dynamic-layers/selinux/recipes-devtool/android-tools/android-tools_29.0.6.r14.bb 
@@ -188,7 +188,7 @@ FILES:${PN} += "${libdir}/android ${libdir}/android/*" BBCLASSEXTEND = "native" android_tools_enable_devmode() { - touch ${IMAGE_ROOTFS}/var/usb-debugging-enabled + touch ${IMAGE_ROOTFS}/etc/usb-debugging-enabled } ROOTFS_POSTPROCESS_COMMAND_${PN}-adbd += "${@bb.utils.contains("USB_DEBUGGING_ENABLED", "1", "android_tools_enable_devmode;", "", d)}" diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch new file mode 100644 index 00000000000..5780f27f8b9 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch 
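Review bot: The marker path that gates adbd is now hard-coded in two places, `touch ${IMAGE_ROOTFS}/etc/usb-debugging-enabled` in this function and `ConditionPathExists=/etc/usb-debugging-enabled` in android-tools-adbd.service, with nothing tying them together. Writing the function line as `touch ${IMAGE_ROOTFS}${sysconfdir}/usb-debugging-enabled` and adding a comment above it that the file enables the debug bridge and must be absent from production images would make the intent explicit. The context line that registers the function, `ROOTFS_POSTPROCESS_COMMAND_${PN}-adbd +=`, still uses the underscore override form while the same file uses `FILES:${PN}`, so the function may never actually run. It is worth confirming on a built image that `USB_DEBUGGING_ENABLED = "1"` creates the marker and that the default leaves it out.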
@@ -0,0 +1,52 @@
+From 364c2da8741f0979dae497551e70b94c0e6c8636 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sun, 7 Jul 2024 11:46:49 +0300
+Subject: [PATCH 1/3] SAE: Check for invalid Rejected Groups element length
+ explicitly
+
+Instead of practically ignoring an odd octet at the end of the element,
+check for such invalid case explicitly. This is needed to avoid a
+potential group downgrade attack.
+
+Signed-off-by: Jouni Malinen
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=364c2da8741f0979dae497551e70b94c0e6c8636]
+Signed-off-by: Peter Marko
+---
+ src/ap/ieee802_11.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index db4104928..1a62e30cc 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -1258,7 +1258,7 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
+ struct sae_data *sae)
+ {
+ const struct wpabuf *groups;
+- size_t i, count;
++ size_t i, count, len;
+ const u8 *pos;
+
+ if (!sae->tmp)
+@@ -1268,7 +1268,15 @@ static int check_sae_rejected_groups(struct hostapd_data *hapd,
+ return 0;
+
+ pos = wpabuf_head(groups);
+- count = wpabuf_len(groups) / 2;
++ len = wpabuf_len(groups);
++ if (len & 1) {
++ wpa_printf(MSG_DEBUG,
++ "SAE: Invalid length of the Rejected Groups element payload: %zu",
++ len);
++ return 1;
++ }
++
++ count = len / 2;
+ for (i = 0; i < count; i++) {
+ int enabled;
+ u16 group;
+--
+2.30.2
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
new file mode 100644
index 00000000000..5e9e8bc01d8
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
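Review bot: The `CVE: CVE-2024-3596` trailer on 0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch does not appear to match its content. The commit message describes an SAE group-downgrade issue, the companion 0003 SAE patch carries no CVE trailer, and the other patches carrying this trailer all concern the RADIUS Message-Authenticator attribute. A mismatched trailer skews CVE tracking for the recipe, so the line should probably be dropped, or replaced with the identifier for the SAE issue if one has been assigned. In the code, the new `return 1;` for an odd length depends on how the caller interprets a non-zero result, which is outside the hunk; a short comment on the return value's meaning would help the next backporter.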
@@ -0,0 +1,38 @@
+From 9716bf1160beb677e965d9e6475d6c9e162e8374 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Tue, 9 Jul 2024 23:34:34 +0300
+Subject: [PATCH 3/3] SAE: Reject invalid Rejected Groups element in the parser
+
+There is no need to depend on all uses (i.e., both hostapd and
+wpa_supplicant) to verify that the length of the Rejected Groups field
+in the Rejected Groups element is valid (i.e., a multiple of two octets)
+since the common parser can reject the message when detecting this.
+
+Signed-off-by: Jouni Malinen
+
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=9716bf1160beb677e965d9e6475d6c9e162e8374]
+Signed-off-by: Peter Marko
+---
+ src/common/sae.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/common/sae.c b/src/common/sae.c
+index c0f154e91..620bdf753 100644
+--- a/src/common/sae.c
++++ b/src/common/sae.c
+@@ -2076,6 +2076,12 @@ static int sae_parse_rejected_groups(struct sae_data *sae,
+ return WLAN_STATUS_UNSPECIFIED_FAILURE;
+ epos++; /* skip ext ID */
+ len--;
++ if (len & 1) {
++ wpa_printf(MSG_DEBUG,
++ "SAE: Invalid length of the Rejected Groups element payload: %u",
++ len);
++ return WLAN_STATUS_UNSPECIFIED_FAILURE;
++ }
+
+ wpabuf_free(sae->tmp->peer_rejected_groups);
+ sae->tmp->peer_rejected_groups = wpabuf_alloc(len);
+--
+2.30.2
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_00.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_00.patch
new file mode 100644
index 00000000000..7a8197d2b4e
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_00.patch
@@ -0,0 +1,82 @@ +From 945acf3ef06a6c312927da4fa055693dbac432d1 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 2 Apr 2022 16:28:12 +0300 +Subject: [PATCH 1/9] ieee802_11_auth: Coding style cleanup - no string + constant splitting + +Signed-off-by: Jouni Malinen + +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=945acf3ef06a6c312927da4fa055693dbac432d1] +Signed-off-by: Peter Marko +--- + src/ap/ieee802_11_auth.c | 27 +++++++++++++++------------ + 1 file changed, 15 insertions(+), 12 deletions(-) + +diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c +index 783ee6dea..47cc625be 100644 +--- a/src/ap/ieee802_11_auth.c ++++ b/src/ap/ieee802_11_auth.c +@@ -267,16 +267,16 @@ int hostapd_allowed_address(struct hostapd_data *hapd, const u8 *addr, + os_get_reltime(&query->timestamp); + os_memcpy(query->addr, addr, ETH_ALEN); + if (hostapd_radius_acl_query(hapd, addr, query)) { +- wpa_printf(MSG_DEBUG, "Failed to send Access-Request " +- "for ACL query."); ++ wpa_printf(MSG_DEBUG, ++ "Failed to send Access-Request for ACL query."); + hostapd_acl_query_free(query); + return HOSTAPD_ACL_REJECT; + } + + query->auth_msg = os_memdup(msg, len); + if (query->auth_msg == NULL) { +- wpa_printf(MSG_ERROR, "Failed to allocate memory for " +- "auth frame."); ++ wpa_printf(MSG_ERROR, ++ "Failed to allocate memory for auth frame."); + hostapd_acl_query_free(query); + return HOSTAPD_ACL_REJECT; + } +@@ -467,19 +467,21 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, + if (query == NULL) + return RADIUS_RX_UNKNOWN; + +- wpa_printf(MSG_DEBUG, "Found matching Access-Request for RADIUS " +- "message (id=%d)", query->radius_id); ++ wpa_printf(MSG_DEBUG, ++ "Found matching Access-Request for RADIUS message (id=%d)", ++ query->radius_id); + + if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) { +- wpa_printf(MSG_INFO, "Incoming RADIUS packet did not have " +- "correct authenticator - dropped\n"); ++ 
wpa_printf(MSG_INFO, ++ "Incoming RADIUS packet did not have correct authenticator - dropped"); + return RADIUS_RX_INVALID_AUTHENTICATOR; + } + + if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT && + hdr->code != RADIUS_CODE_ACCESS_REJECT) { +- wpa_printf(MSG_DEBUG, "Unknown RADIUS message code %d to ACL " +- "query", hdr->code); ++ wpa_printf(MSG_DEBUG, ++ "Unknown RADIUS message code %d to ACL query", ++ hdr->code); + return RADIUS_RX_UNKNOWN; + } + +@@ -506,8 +508,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, + msg, RADIUS_ATTR_ACCT_INTERIM_INTERVAL, + &info->acct_interim_interval) == 0 && + info->acct_interim_interval < 60) { +- wpa_printf(MSG_DEBUG, "Ignored too small " +- "Acct-Interim-Interval %d for STA " MACSTR, ++ wpa_printf(MSG_DEBUG, ++ "Ignored too small Acct-Interim-Interval %d for STA " ++ MACSTR, + info->acct_interim_interval, + MAC2STR(query->addr)); + info->acct_interim_interval = 0; +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_01.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_01.patch new file mode 100644 index 00000000000..dab2eedd6a9 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_01.patch 
@@ -0,0 +1,165 @@ +From adac846bd0e258a0aa50750bbd2b411fa0085c46 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 16 Mar 2024 11:11:44 +0200 +Subject: [PATCH 2/9] RADIUS: Allow Message-Authenticator attribute as the + first attribute + +If a Message-Authenticator attribute was already added to a RADIUS +message, use that attribute instead of adding a new one when finishing +message building. This allows the Message-Authenticator attribute to be +placed as the first attribute in the message. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46] +Signed-off-by: Peter Marko +--- + src/radius/radius.c | 85 ++++++++++++++++++++++++++++----------------- + src/radius/radius.h | 1 + + 2 files changed, 54 insertions(+), 32 deletions(-) + +diff --git a/src/radius/radius.c b/src/radius/radius.c +index be16e27b9..2d2e00b5c 100644 +--- a/src/radius/radius.c ++++ b/src/radius/radius.c +@@ -364,25 +364,54 @@ void radius_msg_dump(struct radius_msg *msg) + } + + ++u8 * radius_msg_add_msg_auth(struct radius_msg *msg) ++{ ++ u8 auth[MD5_MAC_LEN]; ++ struct radius_attr_hdr *attr; ++ ++ os_memset(auth, 0, MD5_MAC_LEN); ++ attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, ++ auth, MD5_MAC_LEN); ++ if (!attr) { ++ wpa_printf(MSG_ERROR, ++ "WARNING: Could not add Message-Authenticator"); ++ return NULL; ++ } ++ ++ return (u8 *) (attr + 1); ++} ++ ++ ++static u8 * radius_msg_auth_pos(struct radius_msg *msg) ++{ ++ u8 *pos; ++ size_t alen; ++ ++ if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, ++ &pos, &alen, NULL) == 0 && ++ alen == MD5_MAC_LEN) { ++ /* Use already added Message-Authenticator attribute */ ++ return pos; ++ } ++ ++ /* Add a Message-Authenticator attribute */ ++ return radius_msg_add_msg_auth(msg); ++} ++ ++ + int radius_msg_finish(struct radius_msg *msg, const u8 *secret, + size_t secret_len) + { + if (secret) { +- u8 
auth[MD5_MAC_LEN]; +- struct radius_attr_hdr *attr; ++ u8 *pos; + +- os_memset(auth, 0, MD5_MAC_LEN); +- attr = radius_msg_add_attr(msg, +- RADIUS_ATTR_MESSAGE_AUTHENTICATOR, +- auth, MD5_MAC_LEN); +- if (attr == NULL) { +- wpa_printf(MSG_WARNING, "RADIUS: Could not add " +- "Message-Authenticator"); ++ pos = radius_msg_auth_pos(msg); ++ if (!pos) + return -1; +- } + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); +- hmac_md5(secret, secret_len, wpabuf_head(msg->buf), +- wpabuf_len(msg->buf), (u8 *) (attr + 1)); ++ if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf), ++ wpabuf_len(msg->buf), pos) < 0) ++ return -1; + } else + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); + +@@ -398,23 +427,19 @@ int radius_msg_finish(struct radius_msg *msg, const u8 *secret, + int radius_msg_finish_srv(struct radius_msg *msg, const u8 *secret, + size_t secret_len, const u8 *req_authenticator) + { +- u8 auth[MD5_MAC_LEN]; +- struct radius_attr_hdr *attr; + const u8 *addr[4]; + size_t len[4]; ++ u8 *pos; + +- os_memset(auth, 0, MD5_MAC_LEN); +- attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, +- auth, MD5_MAC_LEN); +- if (attr == NULL) { +- wpa_printf(MSG_ERROR, "WARNING: Could not add Message-Authenticator"); ++ pos = radius_msg_auth_pos(msg); ++ if (!pos) + return -1; +- } + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); + os_memcpy(msg->hdr->authenticator, req_authenticator, + sizeof(msg->hdr->authenticator)); +- hmac_md5(secret, secret_len, wpabuf_head(msg->buf), +- wpabuf_len(msg->buf), (u8 *) (attr + 1)); ++ if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf), ++ wpabuf_len(msg->buf), pos) < 0) ++ return -1; + + /* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */ + addr[0] = (u8 *) msg->hdr; +@@ -442,21 +467,17 @@ int radius_msg_finish_das_resp(struct radius_msg *msg, const u8 *secret, + { + const u8 *addr[2]; + size_t len[2]; +- u8 auth[MD5_MAC_LEN]; +- struct radius_attr_hdr *attr; ++ u8 *pos; + +- 
os_memset(auth, 0, MD5_MAC_LEN); +- attr = radius_msg_add_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, +- auth, MD5_MAC_LEN); +- if (attr == NULL) { +- wpa_printf(MSG_WARNING, "Could not add Message-Authenticator"); ++ pos = radius_msg_auth_pos(msg); ++ if (!pos) + return -1; +- } + + msg->hdr->length = host_to_be16(wpabuf_len(msg->buf)); + os_memcpy(msg->hdr->authenticator, req_hdr->authenticator, 16); +- hmac_md5(secret, secret_len, wpabuf_head(msg->buf), +- wpabuf_len(msg->buf), (u8 *) (attr + 1)); ++ if (hmac_md5(secret, secret_len, wpabuf_head(msg->buf), ++ wpabuf_len(msg->buf), pos) < 0) ++ return -1; + + /* ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) */ + addr[0] = wpabuf_head_u8(msg->buf); +diff --git a/src/radius/radius.h b/src/radius/radius.h +index fb8148180..6b9dfbca2 100644 +--- a/src/radius/radius.h ++++ b/src/radius/radius.h +@@ -240,6 +240,7 @@ struct wpabuf * radius_msg_get_buf(struct radius_msg *msg); + struct radius_msg * radius_msg_new(u8 code, u8 identifier); + void radius_msg_free(struct radius_msg *msg); + void radius_msg_dump(struct radius_msg *msg); ++u8 * radius_msg_add_msg_auth(struct radius_msg *msg); + int radius_msg_finish(struct radius_msg *msg, const u8 *secret, + size_t secret_len); + int radius_msg_finish_srv(struct radius_msg *msg, const u8 *secret, +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_02.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_02.patch new file mode 100644 index 00000000000..02e35bd6de5 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_02.patch 
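Review bot: `radius_msg_auth_pos()` in CVE-2024-3596_01.patch returns a pointer to an already-present Message-Authenticator attribute without clearing it, while all three `radius_msg_finish*()` callers then run `hmac_md5()` over the whole buffer including that attribute. The result is only correct if the attribute still holds the zeros written by `radius_msg_add_msg_auth()`; that appears to hold for the call sites added later in this series, but nothing enforces it if a message is finished twice. Either state the invariant in a comment above the function, e.g. `/* A reused attribute must still be zero-filled: it is part of the HMAC input */`, or clear it on reuse with `os_memset(pos, 0, MD5_MAC_LEN);` before `return pos;`. Separately, when an existing attribute has a length other than `MD5_MAC_LEN`, the fallback adds a second Message-Authenticator instead of failing.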
@@ -0,0 +1,62 @@
+From 54abb0d3cf35894e7d86e3f7555e95b106306803 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sat, 16 Mar 2024 11:13:32 +0200
+Subject: [PATCH 3/9] RADIUS server: Place Message-Authenticator attribute as
+ the first one
+
+Move the Message-Authenticator attribute to be the first attribute in
+the RADIUS messages. This mitigates certain MD5 attacks against
+RADIUS/UDP.
+
+Signed-off-by: Jouni Malinen
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=54abb0d3cf35894e7d86e3f7555e95b106306803]
+Signed-off-by: Peter Marko
+---
+ src/radius/radius_server.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
+index e02c21540..fa3691548 100644
+--- a/src/radius/radius_server.c
++++ b/src/radius/radius_server.c
+@@ -920,6 +920,11 @@ radius_server_encapsulate_eap(struct radius_server_data *data,
+ return NULL;
+ }
+
++ if (!radius_msg_add_msg_auth(msg)) {
++ radius_msg_free(msg);
++ return NULL;
++ }
++
+ sess_id = htonl(sess->sess_id);
+ if (code == RADIUS_CODE_ACCESS_CHALLENGE &&
+ !radius_msg_add_attr(msg, RADIUS_ATTR_STATE,
+@@ -1204,6 +1209,11 @@ radius_server_macacl(struct radius_server_data *data,
+ return NULL;
+ }
+
++ if (!radius_msg_add_msg_auth(msg)) {
++ radius_msg_free(msg);
++ return NULL;
++ }
++
+ if (radius_msg_copy_attr(msg, request, RADIUS_ATTR_PROXY_STATE) < 0) {
+ RADIUS_DEBUG("Failed to copy Proxy-State attribute(s)");
+ radius_msg_free(msg);
+@@ -1253,6 +1263,11 @@ static int radius_server_reject(struct radius_server_data *data,
+ return -1;
+ }
+
++ if (!radius_msg_add_msg_auth(msg)) {
++ radius_msg_free(msg);
++ return -1;
++ }
++
+ os_memset(&eapfail, 0, sizeof(eapfail));
+ eapfail.code = EAP_CODE_FAILURE;
+ eapfail.identifier = 0;
+--
+2.30.2
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_04.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_04.patch
new file mode 100644
index 00000000000..ce499ce8b6c
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_04.patch
@@ -0,0 +1,52 @@
+From 37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sat, 16 Mar 2024 11:22:43 +0200
+Subject: [PATCH 5/9] hostapd: Move Message-Authenticator attribute to be the
+ first one in req
+
+Even if this is not strictly speaking necessary for mitigating certain
+RADIUS protocol attacks, be consistent with the RADIUS server behavior
+and move the Message-Authenticator attribute to be the first attribute
+in the message from RADIUS client in hostapd.
+
+Signed-off-by: Jouni Malinen
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17]
+Signed-off-by: Peter Marko
+---
+ src/ap/ieee802_11_auth.c | 3 +++
+ src/ap/ieee802_1x.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
+index 47cc625be..2a950cf7f 100644
+--- a/src/ap/ieee802_11_auth.c
++++ b/src/ap/ieee802_11_auth.c
+@@ -119,6 +119,9 @@ static int hostapd_radius_acl_query(struct hostapd_data *hapd, const u8 *addr,
+ goto fail;
+ }
+
++ if (!radius_msg_add_msg_auth(msg))
++ goto fail;
++
+ os_snprintf(buf, sizeof(buf), RADIUS_ADDR_FORMAT, MAC2STR(addr));
+ if (!radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME, (u8 *) buf,
+ os_strlen(buf))) {
+diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
+index 753c88335..89e3dd30e 100644
+--- a/src/ap/ieee802_1x.c
++++ b/src/ap/ieee802_1x.c
+@@ -702,6 +702,9 @@ void ieee802_1x_encapsulate_radius(struct hostapd_data *hapd,
+ goto fail;
+ }
+
++ if (!radius_msg_add_msg_auth(msg))
++ goto fail;
++
+ if (sm->identity &&
+ !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
+ sm->identity, sm->identity_len)) {
+--
+2.30.2
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_05.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_05.patch
new file mode 100644
index 00000000000..44113afd4aa
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_05.patch
@@ -0,0 +1,51 @@
+From f54157077f799d84ce26bed6ad6b01c4a16e31cf Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Sat, 16 Mar 2024 11:26:58 +0200
+Subject: [PATCH 6/9] RADIUS DAS: Move Message-Authenticator attribute to be
+ the first one
+
+Even if this might not be strictly speaking necessary for mitigating
+certain RADIUS protocol attacks, be consistent with the RADIUS server
+behavior and move the Message-Authenticator attribute to be the first
+attribute in the RADIUS DAS responses from hostapd.
+
+Signed-off-by: Jouni Malinen
+
+CVE: CVE-2024-3596
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf]
+Signed-off-by: Peter Marko
+---
+ src/radius/radius_das.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/radius/radius_das.c b/src/radius/radius_das.c
+index aaa3fc267..8d7c9b4c4 100644
+--- a/src/radius/radius_das.c
++++ b/src/radius/radius_das.c
+@@ -177,6 +177,11 @@ fail:
+ if (reply == NULL)
+ return NULL;
+
++ if (!radius_msg_add_msg_auth(reply)) {
++ radius_msg_free(reply);
++ return NULL;
++ }
++
+ if (error) {
+ if (!radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE,
+ error)) {
+@@ -368,6 +373,11 @@ fail:
+ if (!reply)
+ return NULL;
+
++ if (!radius_msg_add_msg_auth(reply)) {
++ radius_msg_free(reply);
++ return NULL;
++ }
++
+ if (error &&
+ !radius_msg_add_attr_int32(reply, RADIUS_ATTR_ERROR_CAUSE, error)) {
+ radius_msg_free(reply);
+--
+2.30.2
+
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_06.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_06.patch
new file mode 100644
index 00000000000..9a284b52619
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_06.patch
@@ -0,0 +1,46 @@ +From 934b0c3a45ce0726560ccefbd992a9d385c36385 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 16 Mar 2024 11:31:37 +0200 +Subject: [PATCH 7/9] Require Message-Authenticator in Access-Reject even + without EAP-Message + +Do not allow the exception for missing Message-Authenticator in +Access-Reject without EAP-Message. While such exception is allowed in +RADIUS definition, there is no strong reason to maintain this since +Access-Reject is supposed to include EAP-Message and even if it doesn't, +discarding Access-Reject will result in the connection not completing. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=934b0c3a45ce0726560ccefbd992a9d385c36385] +Signed-off-by: Peter Marko +--- + src/ap/ieee802_1x.c | 11 +---------- + 1 file changed, 1 insertion(+), 10 deletions(-) + +diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c +index 89e3dd30e..6e7b75128 100644 +--- a/src/ap/ieee802_1x.c ++++ b/src/ap/ieee802_1x.c +@@ -1939,16 +1939,7 @@ ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req, + } + sta = sm->sta; + +- /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be +- * present when packet contains an EAP-Message attribute */ +- if (hdr->code == RADIUS_CODE_ACCESS_REJECT && +- radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL, +- 0) < 0 && +- radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) { +- wpa_printf(MSG_DEBUG, +- "Allowing RADIUS Access-Reject without Message-Authenticator since it does not include EAP-Message"); +- } else if (radius_msg_verify(msg, shared_secret, shared_secret_len, +- req, 1)) { ++ if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 1)) { + wpa_printf(MSG_INFO, + "Incoming RADIUS packet did not have correct Message-Authenticator - dropped"); + return RADIUS_RX_INVALID_AUTHENTICATOR; +-- +2.30.2 + 
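Review bot: With the exception branch removed from `ieee802_1x_receive_auth()`, an Access-Reject that lacks Message-Authenticator now takes the same `RADIUS_RX_INVALID_AUTHENTICATOR` return and the same MSG_INFO text as one whose attribute fails verification. An operator reading the log therefore cannot tell a RADIUS server that omits the attribute from a modified reply. The patch header or the recipe should state this behaviour change and that, unlike the MAC ACL case, no option relaxes it, for example `# Access-Reject without Message-Authenticator is now dropped (no opt-out); the RADIUS server must send the attribute`. Whether `radius_msg_verify()` logs the missing-attribute case separately is not visible here, and the function body continues outside the hunk.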
diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_07.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_07.patch
new file mode 100644
index 00000000000..78d3f5d5911
--- /dev/null
+++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_07.patch
@@ -0,0 +1,105 @@ +From 58097123ec5ea6f8276b38cb9b07669ec368a6c1 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sun, 17 Mar 2024 10:42:56 +0200 +Subject: [PATCH 8/9] RADIUS: Require Message-Authenticator attribute in MAC + ACL cases + +hostapd required Message-Authenticator attribute to be included in EAP +authentication cases, but that requirement was not in place for MAC ACL +cases. Start requiring Message-Authenticator attribute for MAC ACL by +default. Unlike the EAP case, this can still be disabled with +radius_require_message_authenticator=1 to maintain compatibility with +some RADIUS servers when used in a network where the connection to such +a server is secure. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1] +Signed-off-by: Peter Marko +--- + hostapd/config_file.c | 3 +++ + hostapd/hostapd.conf | 11 +++++++++++ + src/ap/ap_config.c | 1 + + src/ap/ap_config.h | 1 + + src/ap/ieee802_11_auth.c | 4 +++- + 5 files changed, 19 insertions(+), 1 deletion(-) + +diff --git a/hostapd/config_file.c b/hostapd/config_file.c +index b14728d1b..af1e81d1d 100644 +--- a/hostapd/config_file.c ++++ b/hostapd/config_file.c +@@ -2806,6 +2806,9 @@ static int hostapd_config_fill(struct hostapd_config *conf, + bss->radius->acct_server->shared_secret_len = len; + } else if (os_strcmp(buf, "radius_retry_primary_interval") == 0) { + bss->radius->retry_primary_interval = atoi(pos); ++ } else if (os_strcmp(buf, ++ "radius_require_message_authenticator") == 0) { ++ bss->radius_require_message_authenticator = atoi(pos); + } else if (os_strcmp(buf, "radius_acct_interim_interval") == 0) { + bss->acct_interim_interval = atoi(pos); + } else if (os_strcmp(buf, "radius_request_cui") == 0) { +diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf +index 3c2019f73..c055946a6 100644 +--- a/hostapd/hostapd.conf ++++ b/hostapd/hostapd.conf +@@ -1447,6 +1447,17 @@ 
own_ip_addr=127.0.0.1 + # currently used secondary server is still working. + #radius_retry_primary_interval=600 + ++# Message-Authenticator attribute requirement for non-EAP cases ++# hostapd requires Message-Authenticator attribute to be included in all cases ++# where RADIUS is used for EAP authentication. This is also required for cases ++# where RADIUS is used for MAC ACL (macaddr_acl=2) by default, but that case ++# can be configured to not require this for compatibility with RADIUS servers ++# that do not include the attribute. This is not recommended due to potential ++# security concerns, but can be used as a temporary workaround in networks where ++# the connection to the RADIUS server is secure. ++# 0 = Do not require Message-Authenticator in MAC ACL response ++# 1 = Require Message-Authenticator in all authentication cases (default) ++#radius_require_message_authenticator=1 + + # Interim accounting update interval + # If this is set (larger than 0) and acct_server is configured, hostapd will +diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c +index 86b6e097c..cf497a180 100644 +--- a/src/ap/ap_config.c ++++ b/src/ap/ap_config.c +@@ -120,6 +120,7 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss) + #endif /* CONFIG_IEEE80211R_AP */ + + bss->radius_das_time_window = 300; ++ bss->radius_require_message_authenticator = 1; + + bss->anti_clogging_threshold = 5; + bss->sae_sync = 5; +diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h +index 49cd3168a..22ad617f4 100644 +--- a/src/ap/ap_config.h ++++ b/src/ap/ap_config.h +@@ -302,6 +302,7 @@ struct hostapd_bss_config { + struct hostapd_ip_addr own_ip_addr; + char *nas_identifier; + struct hostapd_radius_servers *radius; ++ int radius_require_message_authenticator; + int acct_interim_interval; + int radius_request_cui; + struct hostapd_radius_attr *radius_auth_req_attr; +diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c +index 2a950cf7f..dab9bcde3 100644 +--- 
a/src/ap/ieee802_11_auth.c ++++ b/src/ap/ieee802_11_auth.c +@@ -474,7 +474,9 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req, + "Found matching Access-Request for RADIUS message (id=%d)", + query->radius_id); + +- if (radius_msg_verify(msg, shared_secret, shared_secret_len, req, 0)) { ++ if (radius_msg_verify( ++ msg, shared_secret, shared_secret_len, req, ++ hapd->conf->radius_require_message_authenticator)) { + wpa_printf(MSG_INFO, + "Incoming RADIUS packet did not have correct authenticator - dropped"); + return RADIUS_RX_INVALID_AUTHENTICATOR; +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_08.patch b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_08.patch new file mode 100644 index 00000000000..e23d1e00473 --- /dev/null +++ b/meta-oe/recipes-connectivity/hostapd/hostapd/CVE-2024-3596_08.patch 
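Review bot: The new `radius_require_message_authenticator` branch in `hostapd_config_fill()` stores `atoi(pos)` unchecked, so a value that does not parse as a number (for example `yes`) becomes 0 and turns the MAC ACL requirement off without any error; the option fails open. A range check before the assignment would close this: take `int val = atoi(pos);` and reject the line unless `val` is 0 or 1. How this function reports a bad line is outside the hunk, so the error path should follow the neighbouring options. Separately, the patch description says the check can be disabled with `radius_require_message_authenticator=1`, while the added hostapd.conf text documents 0 as the value that disables it and 1 as the default. Both are upstream text, so the fix belongs upstream, but the 0/1 meaning is worth restating in the layer's commit message.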
@@ -0,0 +1,47 @@ +From f302d9f9646704cce745734af21d540baa0da65f Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sun, 17 Mar 2024 10:47:58 +0200 +Subject: [PATCH 9/9] RADIUS: Check Message-Authenticator if it is present even + if not required + +Always check the Message-Authenticator attribute in a received RADIUS +message if it is present. Previously, this would have been skipped if +the attribute was not required to be present. + +Signed-off-by: Jouni Malinen + +CVE: CVE-2024-3596 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=f302d9f9646704cce745734af21d540baa0da65f] +Signed-off-by: Peter Marko +--- + src/radius/radius.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/radius/radius.c b/src/radius/radius.c +index 2d2e00b5c..a0e3ce399 100644 +--- a/src/radius/radius.c ++++ b/src/radius/radius.c +@@ -879,6 +879,20 @@ int radius_msg_verify(struct radius_msg *msg, const u8 *secret, + return 1; + } + ++ if (!auth) { ++ u8 *pos; ++ size_t alen; ++ ++ if (radius_msg_get_attr_ptr(msg, ++ RADIUS_ATTR_MESSAGE_AUTHENTICATOR, ++ &pos, &alen, NULL) == 0) { ++ /* Check the Message-Authenticator attribute since it ++ * was included even if we are configured to not ++ * require it. */ ++ auth = 1; ++ } ++ } ++ + if (auth && + radius_msg_verify_msg_auth(msg, secret, secret_len, + sent_msg->hdr->authenticator)) { +-- +2.30.2 + diff --git a/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb index 3c5f78f91a6..a745e7a4041 100644 --- a/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb +++ b/meta-oe/recipes-connectivity/hostapd/hostapd_2.10.bb 
@@ -11,6 +11,16 @@ SRC_URI = " \ file://defconfig \ file://init \ file://hostapd.service \ + file://CVE-2024-3596_00.patch \ + file://CVE-2024-3596_01.patch \ + file://CVE-2024-3596_02.patch \ + file://CVE-2024-3596_04.patch \ + file://CVE-2024-3596_05.patch \ + file://CVE-2024-3596_06.patch \ + file://CVE-2024-3596_07.patch \ + file://CVE-2024-3596_08.patch \ + file://0001-SAE-Check-for-invalid-Rejected-Groups-element-length.patch \ + file://0003-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch \ " diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.11.7.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.11.9.bb similarity index 100% rename from meta-oe/recipes-dbs/mysql/mariadb-native_10.11.7.bb rename to meta-oe/recipes-dbs/mysql/mariadb-native_10.11.9.bb diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc index 33da32fb286..f52947f3597 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb.inc +++ b/meta-oe/recipes-dbs/mysql/mariadb.inc @@ -23,11 +23,9 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \ file://0001-sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \ file://lfs64.patch \ file://0001-Add-missing-includes-cstdint-and-cstdio.patch \ - file://0001-Remove-the-compile_time_assert-lines.patch \ - file://0001-MDEV-33439-Fix-build-with-libxml2-2.12.patch \ " SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch" -SRC_URI[sha256sum] = "5239a245ed90517e96396605cd01ccd8f73cd7442d1b3076b6ffe258110e5157" +SRC_URI[sha256sum] = "0a00180864cd016187c986faab8010de23a117b9a75f91d6456421f894e48d20" UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases" diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-33439-Fix-build-with-libxml2-2.12.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-33439-Fix-build-with-libxml2-2.12.patch deleted file mode 100644 index 3e42535dade..00000000000 
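Review bot: The added SRC_URI entries go from `CVE-2024-3596_02.patch` straight to `CVE-2024-3596_04.patch`, and the SAE pair is `0001-…` and `0003-…` with no `0002-…`. The patch files visible in this commit are numbered one below their series position (`_05` carries PATCH 6/9, `_08` carries PATCH 9/9), which suggests `_03` would be PATCH 4/9 of the same series. If that patch exists and is only missing from the list, part of the CVE-2024-3596 mitigation is not applied, while the `CVE:` tags in the applied patches would still mark the CVE as handled. If the gaps are deliberate, a comment above the entries should say why, for example `# CVE-2024-3596_03 (PATCH 4/9) intentionally not applied: <reason>`. Whether a `_03` file is added elsewhere in this commit is not visible here.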
--- a/meta-oe/recipes-dbs/mysql/mariadb/0001-MDEV-33439-Fix-build-with-libxml2-2.12.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -From dae52f5916ef59434c93f0b716270f59dd0c3a94 Mon Sep 17 00:00:00 2001 -From: Jan Tojnar -Date: Sun, 7 Jan 2024 10:19:54 +0100 -Subject: [PATCH] MDEV-33439 Fix build with libxml2 2.12 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -libxml2 2.12.0 made `xmlGetLastError()` return `const` pointer: - -https://gitlab.gnome.org/GNOME/libxml2/-/commit/61034116d0a3c8b295c6137956adc3ae55720711 - -Clang 16 does not like this: - - error: assigning to 'xmlErrorPtr' (aka '_xmlError *') from 'const xmlError *' (aka 'const _xmlError *') discards qualifiers - error: cannot initialize a variable of type 'xmlErrorPtr' (aka '_xmlError *') with an rvalue of type 'const xmlError *' (aka 'const _xmlError *') - -Let’s update the variables to `const`. -For older versions, it will be automatically converted. - -But then `xmlResetError(xmlError*)` will not like the `const` pointer: - - error: no matching function for call to 'xmlResetError' - note: candidate function not viable: 1st argument ('const xmlError *' (aka 'const _xmlError *')) would lose const qualifier - -Let’s replace it with `xmlResetLastError()`. - -ALso remove `LIBXMLDOC::Xerr` protected member property. -It was introduced in 65b0e5455b547a3d574fa77b34cce23ae3bea0a0 -along with the `xmlResetError` calls. -It does not appear to be used for anything. 
- -Upstream-Status: Backport [https://github.com/MariaDB/server/pull/2983] -Signed-off-by: Khem Raj ---- - storage/connect/libdoc.cpp | 39 +++++++++++++++++++------------------- - 1 file changed, 19 insertions(+), 20 deletions(-) - -diff --git a/storage/connect/libdoc.cpp b/storage/connect/libdoc.cpp -index 67f22ce2..ab588dd4 100644 ---- a/storage/connect/libdoc.cpp -+++ b/storage/connect/libdoc.cpp -@@ -93,7 +93,6 @@ class LIBXMLDOC : public XMLDOCUMENT { - xmlXPathContextPtr Ctxp; - xmlXPathObjectPtr Xop; - xmlXPathObjectPtr NlXop; -- xmlErrorPtr Xerr; - char *Buf; // Temporary - bool Nofreelist; - }; // end of class LIBXMLDOC -@@ -327,7 +326,6 @@ LIBXMLDOC::LIBXMLDOC(char *nsl, char *nsdf, char *enc, PFBLOCK fp) - Ctxp = NULL; - Xop = NULL; - NlXop = NULL; -- Xerr = NULL; - Buf = NULL; - Nofreelist = false; - } // end of LIBXMLDOC constructor -@@ -365,8 +363,8 @@ bool LIBXMLDOC::ParseFile(PGLOBAL g, char *fn) - Encoding = (char*)Docp->encoding; - - return false; -- } else if ((Xerr = xmlGetLastError())) -- xmlResetError(Xerr); -+ } else if (xmlGetLastError()) -+ xmlResetLastError(); - - return true; - } // end of ParseFile -@@ -505,9 +503,9 @@ int LIBXMLDOC::DumpDoc(PGLOBAL g, char *ofn) - #if 1 - // This function does not crash ( - if (xmlSaveFormatFileEnc((const char *)ofn, Docp, Encoding, 0) < 0) { -- xmlErrorPtr err = xmlGetLastError(); -+ const xmlError *err = xmlGetLastError(); - strcpy(g->Message, (err) ? 
err->message : "Error saving XML doc"); -- xmlResetError(Xerr); -+ xmlResetLastError(); - rc = -1; - } // endif Save - // rc = xmlDocDump(of, Docp); -@@ -546,8 +544,8 @@ void LIBXMLDOC::CloseDoc(PGLOBAL g, PFBLOCK xp) - if (Nlist) { - xmlXPathFreeNodeSet(Nlist); - -- if ((Xerr = xmlGetLastError())) -- xmlResetError(Xerr); -+ if (xmlGetLastError()) -+ xmlResetLastError(); - - Nlist = NULL; - } // endif Nlist -@@ -555,8 +553,8 @@ void LIBXMLDOC::CloseDoc(PGLOBAL g, PFBLOCK xp) - if (Xop) { - xmlXPathFreeObject(Xop); - -- if ((Xerr = xmlGetLastError())) -- xmlResetError(Xerr); -+ if (xmlGetLastError()) -+ xmlResetLastError(); - - Xop = NULL; - } // endif Xop -@@ -564,8 +562,8 @@ void LIBXMLDOC::CloseDoc(PGLOBAL g, PFBLOCK xp) - if (NlXop) { - xmlXPathFreeObject(NlXop); - -- if ((Xerr = xmlGetLastError())) -- xmlResetError(Xerr); -+ if (xmlGetLastError()) -+ xmlResetLastError(); - - NlXop = NULL; - } // endif NlXop -@@ -573,8 +571,8 @@ void LIBXMLDOC::CloseDoc(PGLOBAL g, PFBLOCK xp) - if (Ctxp) { - xmlXPathFreeContext(Ctxp); - -- if ((Xerr = xmlGetLastError())) -- xmlResetError(Xerr); -+ if (xmlGetLastError()) -+ xmlResetLastError(); - - Ctxp = NULL; - } // endif Ctxp -@@ -590,6 +588,7 @@ void LIBXMLDOC::CloseDoc(PGLOBAL g, PFBLOCK xp) - /******************************************************************/ - xmlNodeSetPtr LIBXMLDOC::GetNodeList(PGLOBAL g, xmlNodePtr np, char *xp) - { -+ const xmlError *xerr; - xmlNodeSetPtr nl; - - if (trace(1)) -@@ -649,11 +648,11 @@ xmlNodeSetPtr LIBXMLDOC::GetNodeList(PGLOBAL g, xmlNodePtr np, char *xp) - } else - xmlXPathFreeObject(Xop); // Caused node not found - -- if ((Xerr = xmlGetLastError())) { -- strcpy(g->Message, Xerr->message); -- xmlResetError(Xerr); -+ if ((xerr = xmlGetLastError())) { -+ strcpy(g->Message, xerr->message); -+ xmlResetLastError(); - return NULL; -- } // endif Xerr -+ } // endif xerr - - } // endif Xop - -@@ -1079,7 +1078,7 @@ void XML2NODE::AddText(PGLOBAL g, PCSZ txtp) - 
/******************************************************************/ - void XML2NODE::DeleteChild(PGLOBAL g, PXNODE dnp) - { -- xmlErrorPtr xerr; -+ const xmlError *xerr; - - if (trace(1)) - htrc("DeleteChild: node=%p\n", dnp); -@@ -1122,7 +1121,7 @@ void XML2NODE::DeleteChild(PGLOBAL g, PXNODE dnp) - if (trace(1)) - htrc("DeleteChild: errmsg=%-.256s\n", xerr->message); - -- xmlResetError(xerr); -+ xmlResetLastError(); - } // end of DeleteChild - - /* -------------------- class XML2NODELIST ---------------------- */ --- -2.44.0 - diff --git a/meta-oe/recipes-dbs/mysql/mariadb/0001-Remove-the-compile_time_assert-lines.patch b/meta-oe/recipes-dbs/mysql/mariadb/0001-Remove-the-compile_time_assert-lines.patch deleted file mode 100644 index 9a6e28297b7..00000000000 --- a/meta-oe/recipes-dbs/mysql/mariadb/0001-Remove-the-compile_time_assert-lines.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From cc5f1d0759b367265a1a000287e2ec15c31eb518 Mon Sep 17 00:00:00 2001 -From: Mingli Yu -Date: Mon, 26 Feb 2024 14:56:02 +0800 -Subject: [PATCH] Remove the compile_time_assert lines - -Remove the problematic compile_time_assert lines to fix the below build -failure on 32-bit arm. - In file included from TOPDIR/build/tmp/work/cortexa15t2hf-neon-yoe-linux-gnueabi/mariadb/10.11.7/mariadb-10.11.7/tests/mysql_client_test.c:38: - TOPDIR/build/tmp/work/cortexa15t2hf-neon-yoe-linux-gnueabi/mariadb/10.11.7/mariadb-10.11.7/tests/mysql_client_fw.c:1438:3: error: 'compile_time_assert' declared as an array with a negative size - 1438 | compile_time_assert(sizeof(MYSQL) == 77*sizeof(void*)+656); - | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Upstream-Status: Inappropriate [Upstream will bring the asset back - in a new way [1]] -[1] https://jira.mariadb.org/browse/MDEV-33429 - -Signed-off-by: Mingli Yu ---- - tests/mysql_client_fw.c | 8 -------- - 1 file changed, 8 deletions(-) - -diff --git a/tests/mysql_client_fw.c b/tests/mysql_client_fw.c -index c9e64678..5c0c7ce2 100644 ---- a/tests/mysql_client_fw.c -+++ b/tests/mysql_client_fw.c -@@ -1430,14 +1430,6 @@ int main(int argc, char **argv) - tests_to_run[i]= NULL; - } - --#ifdef _WIN32 -- /* must be the same in C/C and embedded, 1208 on 64bit, 968 on 32bit */ -- compile_time_assert(sizeof(MYSQL) == 60*sizeof(void*)+728); --#else -- /* must be the same in C/C and embedded, 1272 on 64bit, 964 on 32bit */ -- compile_time_assert(sizeof(MYSQL) == 77*sizeof(void*)+656); --#endif -- - if (mysql_server_init(embedded_server_arg_count, - embedded_server_args, - (char**) embedded_server_groups)) --- -2.25.1 - diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.11.7.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.11.9.bb similarity index 100% rename from meta-oe/recipes-dbs/mysql/mariadb_10.11.7.bb rename to meta-oe/recipes-dbs/mysql/mariadb_10.11.9.bb 
diff --git a/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch b/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch index 9df4d073ff4..342aeba85e5 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0003-configure.ac-bypass-autoconf-2.69-version-check.patch @@ -13,12 +13,12 @@ Signed-off-by: Yi Fan Yu 1 file changed, 4 deletions(-) diff --git a/configure.ac b/configure.ac -index 401ce30..27f382d 100644 +index 65715a4..4ad6340 100644 --- a/configure.ac +++ b/configure.ac @@ -19,10 +19,6 @@ m4_pattern_forbid(^PGAC_)dnl to catch undefined macros - AC_INIT([PostgreSQL], [16.3], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) + AC_INIT([PostgreSQL], [16.4], [pgsql-bugs@lists.postgresql.org], [], [https://www.postgresql.org/]) -m4_if(m4_defn([m4_PACKAGE_VERSION]), [2.69], [], [m4_fatal([Autoconf version 2.69 is required. -Untested combinations of 'autoconf' and PostgreSQL versions are not @@ -28,5 +28,5 @@ index 401ce30..27f382d 100644 AC_CONFIG_SRCDIR([src/backend/access/common/heaptuple.c]) AC_CONFIG_AUX_DIR(config) -- -2.25.1 +2.34.1 diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb b/meta-oe/recipes-dbs/postgresql/postgresql_16.4.bb similarity index 86% rename from meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb rename to meta-oe/recipes-dbs/postgresql/postgresql_16.4.bb index 6df719cd985..1a47369e4d3 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_16.3.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_16.4.bb 
@@ -11,6 +11,6 @@ SRC_URI += "\ file://0005-postgresql-fix-ptest-failure-of-sysviews.patch \ " -SRC_URI[sha256sum] = "331963d5d3dc4caf4216a049fa40b66d6bcb8c730615859411b9518764e60585" +SRC_URI[sha256sum] = "971766d645aa73e93b9ef4e3be44201b4f45b5477095b049125403f9f3386d6f" CVE_STATUS[CVE-2017-8806] = "not-applicable-config: Ddoesn't apply to out configuration of postgresql so we can safely ignore it." diff --git a/meta-oe/recipes-dbs/rocksdb/files/static_library_as_option.patch b/meta-oe/recipes-dbs/rocksdb/files/static_library_as_option.patch new file mode 100644 index 00000000000..9a85e8db453 --- /dev/null +++ b/meta-oe/recipes-dbs/rocksdb/files/static_library_as_option.patch 
@@ -0,0 +1,71 @@ +From 285d306494bde3e9c24c8cd6fea1eb380a304d03 Mon Sep 17 00:00:00 2001 +From: Bindu-Bhabu +Date: Fri, 26 Jul 2024 15:14:45 +0530 +Subject: Add option to CMake for building static libraries + +ROCKSDB creates a STATIC library target reference by default. +Modify the cmake so that the STATIC library is also an option +just like creating a SHARED library and set default to ON. + +Upstream-Status: Submitted [https://github.com/facebook/rocksdb/pull/12890] + +Signed-off-by: Nisha Parrakat +Signed-off-by: Bindu Bhabu +--- + CMakeLists.txt | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 93b884dd9c1..2ca925d505c 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -98,6 +98,7 @@ if (WITH_WINDOWS_UTF8_FILENAMES) + add_definitions(-DROCKSDB_WINDOWS_UTF8_FILENAMES) + endif() + option(ROCKSDB_BUILD_SHARED "Build shared versions of the RocksDB libraries" ON) ++option(ROCKSDB_BUILD_STATIC "Build static versions of the RocksDB libraries" ON) + + if( NOT DEFINED CMAKE_CXX_STANDARD ) + set(CMAKE_CXX_STANDARD 17) +@@ -1139,11 +1140,13 @@ string(REGEX REPLACE "[^0-9: /-]+" "" GIT_DATE "${GIT_DATE}") + set(BUILD_VERSION_CC ${CMAKE_BINARY_DIR}/build_version.cc) + configure_file(util/build_version.cc.in ${BUILD_VERSION_CC} @ONLY) + +-add_library(${ROCKSDB_STATIC_LIB} STATIC ${SOURCES} ${BUILD_VERSION_CC}) +-target_include_directories(${ROCKSDB_STATIC_LIB} PUBLIC +- $) +-target_link_libraries(${ROCKSDB_STATIC_LIB} PRIVATE +- ${THIRDPARTY_LIBS} ${SYSTEM_LIBS}) ++if(ROCKSDB_BUILD_STATIC) ++ add_library(${ROCKSDB_STATIC_LIB} STATIC ${SOURCES} ${BUILD_VERSION_CC}) ++ target_include_directories(${ROCKSDB_STATIC_LIB} PUBLIC ++ $) ++ target_link_libraries(${ROCKSDB_STATIC_LIB} PRIVATE ++ ${THIRDPARTY_LIBS} ${SYSTEM_LIBS}) ++endif() + + if(ROCKSDB_BUILD_SHARED) + add_library(${ROCKSDB_SHARED_LIB} SHARED ${SOURCES} ${BUILD_VERSION_CC}) +@@ -1238,13 +1241,15 @@ if(NOT WIN32 OR 
ROCKSDB_INSTALL_ON_WINDOWS) + + install(DIRECTORY "${PROJECT_SOURCE_DIR}/cmake/modules" COMPONENT devel DESTINATION ${package_config_destination}) + +- install( +- TARGETS ${ROCKSDB_STATIC_LIB} +- EXPORT RocksDBTargets +- COMPONENT devel +- ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" +- INCLUDES DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" +- ) ++ if(ROCKSDB_BUILD_STATIC) ++ install( ++ TARGETS ${ROCKSDB_STATIC_LIB} ++ EXPORT RocksDBTargets ++ COMPONENT devel ++ ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" ++ INCLUDES DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}" ++ ) ++ endif() + + if(ROCKSDB_BUILD_SHARED) + install( diff --git a/meta-oe/recipes-dbs/rocksdb/rocksdb_9.0.0.bb b/meta-oe/recipes-dbs/rocksdb/rocksdb_9.0.0.bb index 444351dbb4e..fae54fdba41 100644 --- a/meta-oe/recipes-dbs/rocksdb/rocksdb_9.0.0.bb +++ b/meta-oe/recipes-dbs/rocksdb/rocksdb_9.0.0.bb @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH};protocol=htt file://0005-Implement-timer-implementation-for-mips-platform.patch \ file://0006-Implement-timer-for-arm-v6.patch \ file://0007-Fix-declaration-scope-of-LE_LOAD32-in-crc32c.patch \ + file://static_library_as_option.patch \ " SRC_URI:append:riscv32 = " file://0001-replace-old-sync-with-new-atomic-builtin-equivalents.patch" @@ -43,6 +44,7 @@ EXTRA_OECMAKE = "\ -DWITH_BENCHMARK_TOOLS=OFF \ -DWITH_TOOLS=OFF \ -DFAIL_ON_WARNINGS=OFF \ + -DROCKSDB_BUILD_STATIC=OFF \ " CXXFLAGS += "${@bb.utils.contains('SELECTED_OPTIMIZATION', '-Og', '-DXXH_NO_INLINE_HINTS', '', d)}" diff --git a/meta-oe/recipes-devtools/android-tools/android-tools/android-tools-adbd.service b/meta-oe/recipes-devtools/android-tools/android-tools/android-tools-adbd.service index ddf8d7f74e3..b6661f2e39b 100644 --- a/meta-oe/recipes-devtools/android-tools/android-tools/android-tools-adbd.service +++ b/meta-oe/recipes-devtools/android-tools/android-tools/android-tools-adbd.service 
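Review bot: Nothing in the visible hunks rejects the case where both `ROCKSDB_BUILD_SHARED` and `ROCKSDB_BUILD_STATIC` are OFF, which would configure without producing any library now that the static `add_library()` and its `install(TARGETS ...)` sit inside `if(ROCKSDB_BUILD_STATIC)`. A guard next to the two `option()` lines would make that fail at configure time: `if(NOT ROCKSDB_BUILD_SHARED AND NOT ROCKSDB_BUILD_STATIC)`, then `message(FATAL_ERROR "Enable ROCKSDB_BUILD_SHARED or ROCKSDB_BUILD_STATIC")`, then `endif()`. Any other use of `${ROCKSDB_STATIC_LIB}` in CMakeLists.txt is outside these hunks and should be checked as well, since the recipe now passes `-DROCKSDB_BUILD_STATIC=OFF`.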
@@ -1,6 +1,6 @@ [Unit] Description=Android Debug Bridge -ConditionPathExists=/var/usb-debugging-enabled +ConditionPathExists=/etc/usb-debugging-enabled Before=android-system.service [Service] diff --git a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb index 1c66ea4997d..9f02d703ba9 100644 --- a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb +++ b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb @@ -189,7 +189,7 @@ FILES:${PN}-fstools = "\ BBCLASSEXTEND = "native" android_tools_enable_devmode() { - touch ${IMAGE_ROOTFS}/var/usb-debugging-enabled + touch ${IMAGE_ROOTFS}/etc/usb-debugging-enabled } ROOTFS_POSTPROCESS_COMMAND_${PN}-adbd += "${@bb.utils.contains("USB_DEBUGGING_ENABLED", "1", "android_tools_enable_devmode;", "", d)}" diff --git a/meta-oe/recipes-devtools/flatbuffers/python3-flatbuffers.bb b/meta-oe/recipes-devtools/flatbuffers/python3-flatbuffers.bb index 5d3c73fd9a9..1fab013580c 100644 --- a/meta-oe/recipes-devtools/flatbuffers/python3-flatbuffers.bb +++ b/meta-oe/recipes-devtools/flatbuffers/python3-flatbuffers.bb @@ -12,4 +12,4 @@ RDEPENDS:${PN} = "flatbuffers" inherit setuptools3 -BBCLASSEXTEND = "native" +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-devtools/xerces-c/xerces-c/0001-aclocal.m4-don-t-use-full-path-of-with_curl-in-xerce.patch b/meta-oe/recipes-devtools/xerces-c/xerces-c/0001-aclocal.m4-don-t-use-full-path-of-with_curl-in-xerce.patch new file mode 100644 index 00000000000..2ad7beb51cd --- /dev/null +++ b/meta-oe/recipes-devtools/xerces-c/xerces-c/0001-aclocal.m4-don-t-use-full-path-of-with_curl-in-xerce.patch 
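Review bot: The marker path `/etc/usb-debugging-enabled` is now a literal in two places that must agree: `ConditionPathExists=` in android-tools-adbd.service and the `touch` in `android_tools_enable_devmode()`. If they drift apart, the image-time switch silently stops controlling whether adbd starts. A comment on each side naming the other would help, for example `# keep in sync with ConditionPathExists= in android-tools-adbd.service`. Because this file gates the Android Debug Bridge daemon, the recipe should also state that production images are built with `USB_DEBUGGING_ENABLED` unset. It is also worth confirming that the context line `ROOTFS_POSTPROCESS_COMMAND_${PN}-adbd`, which still uses the underscore override spelling, really runs this function in current BitBake; that cannot be determined from the hunk.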
@@ -0,0 +1,58 @@ +From d001f12d428f7adaeaadee5263a22c797c99d67b Mon Sep 17 00:00:00 2001 +From: Martin Jansa +Date: Fri, 30 Aug 2024 11:42:27 +0200 +Subject: [PATCH] aclocal.m4: don't use full path of $with_curl in xerces-c.pc + +* fixes: + ERROR: QA Issue: File /usr/lib32/pkgconfig/xerces-c.pc in package lib32-libxerces-c-dev contains reference to TMPDIR [buildpaths] + +* xerces-c was blacklisted due to tmpdir since 2016: + https://git.openembedded.org/meta-openembedded/commit/?id=1af196e42c811947bb483df30bfce758adee83d1 + +* then sed call: + sed -i -e 's:-L${STAGING_DIR}/lib:-L\$\{libdir\}:g' ${B}/xerces-c.pc + was added to do_install:append and blacklist dropped in: + https://git.openembedded.org/meta-openembedded/commit/?id=87b9efff79e62f569525e4760adc594d0d9ac476 + +* sed call was adjusted in: + https://git.openembedded.org/meta-openembedded/commit/?id=87c9e9537dc43468a6aaf706853b784ce6de14e0 + sed -i s:-L${STAGING_LIBDIR}::g ${B}/xerces-c.pc + +* but it was still failing in some cases, e.g. 
with multilib where libdir is /usr/lib64, so the sed call is: + sed -i s:-L{WORKDIR}/recipe-sysroot/usr/lib64::g ${WORKDIR}/build/xerces-c.pc + but the actual xerces-c.pc file still has: + + Libs: -L${libdir} -lxerces-c + Libs.private: -L${WORKDIR}/recipe-sysroot/usr/lib -lcurl + + because this aclocal was always hardcoding "lib" (appended to --with-curl + value which is passed together with ${prefix}) and not respecting the libdir value: + PACKAGECONFIG[curl] = "--with-curl=${STAGING_DIR_TARGET}${prefix},--with-curl=no,curl" + PACKAGECONFIG[icu] = "--with-icu=${STAGING_DIR_TARGET}${prefix},--with-icu=no,icu" + +* xerces-c supports CMake since 2017: + https://github.com/apache/xerces-c/commit/2606b2924c3e2bf0cf50f72b79378721b6bcf04e + switching from autotools to CMake would probably resolve some of this as well + +Signed-off-by: Martin Jansa +--- +Upstream-Status: Pending [It would be better to just switch to CMake] + + m4/xerces_curl_prefix.m4 | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/m4/xerces_curl_prefix.m4 b/m4/xerces_curl_prefix.m4 +index d1d015c..7928bdc 100644 +--- a/m4/xerces_curl_prefix.m4 ++++ b/m4/xerces_curl_prefix.m4 +@@ -39,8 +39,8 @@ AC_DEFUN([XERCES_CURL_PREFIX], + curl_libs=`$curl_config --libs` + else + if test -n "$with_curl"; then +- curl_flags="-I$with_curl/include" +- curl_libs="-L$with_curl/lib -lcurl" ++ curl_flags="" ++ curl_libs="-lcurl" + else + # Default compiler paths. + # diff --git a/meta-oe/recipes-devtools/xerces-c/xerces-c_3.2.5.bb b/meta-oe/recipes-devtools/xerces-c/xerces-c_3.2.5.bb index 1643af25465..9fd7e8fbab8 100644 --- a/meta-oe/recipes-devtools/xerces-c/xerces-c_3.2.5.bb +++ b/meta-oe/recipes-devtools/xerces-c/xerces-c_3.2.5.bb 
@@ -9,7 +9,9 @@ SECTION = "libs" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" -SRC_URI = "http://archive.apache.org/dist/xerces/c/3/sources/${BP}.tar.bz2" +SRC_URI = "http://archive.apache.org/dist/xerces/c/3/sources/${BP}.tar.bz2 \ + file://0001-aclocal.m4-don-t-use-full-path-of-with_curl-in-xerce.patch \ +" SRC_URI[sha256sum] = "1db4028c9b7f1f778efbf4a9462d65e13f9938f2c22f9e9994e12c49ba97e252" inherit autotools @@ -18,10 +20,6 @@ PACKAGECONFIG ??= "curl icu" PACKAGECONFIG[curl] = "--with-curl=${STAGING_DIR_TARGET}${prefix},--with-curl=no,curl" PACKAGECONFIG[icu] = "--with-icu=${STAGING_DIR_TARGET}${prefix},--with-icu=no,icu" -do_install:prepend () { - sed -i s:-L${STAGING_LIBDIR}::g ${B}/xerces-c.pc -} - PACKAGES = "libxerces-c \ libxerces-c-dev \ xerces-c-samples \ diff --git a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.59.01.bb b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.59.01.bb index 5d5152b8344..b667507ef94 100644 --- a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.59.01.bb +++ b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.59.01.bb @@ -10,7 +10,7 @@ SRC_URI = "git://github.com/mirror/xmlrpc-c.git;branch=master;protocol=https \ file://0002-fix-formatting-issues.patch \ " #Release 1.59.01 -SRCREV = "352aeaa9ae49e90e55187cbda839f2113df06278" +SRCREV = "08b052692b70171a6fcb437d4f52a46977eda62e" S = "${WORKDIR}/git/stable" diff --git a/meta-oe/recipes-extended/polkit/polkit_124.bb b/meta-oe/recipes-extended/polkit/polkit_124.bb index 9e2eb05c623..a597b40ee34 100644 --- a/meta-oe/recipes-extended/polkit/polkit_124.bb +++ b/meta-oe/recipes-extended/polkit/polkit_124.bb 
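Review bot: The rewritten `SRC_URI` in the first xerces-c hunk keeps the tarball on `http://archive.apache.org/...`. The pinned `SRC_URI[sha256sum]` on the following line protects integrity, but the fetch itself stays unauthenticated and observable on the network. Since the line is being touched anyway, it could become `SRC_URI = "https://archive.apache.org/dist/xerces/c/3/sources/${BP}.tar.bz2 \`.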
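Review bot: In the xmlrpc-c hunk `SRCREV` changes to `08b052692b70171a6fcb437d4f52a46977eda62e` while the recipe version and the `#Release 1.59.01` comment stay the same, and nothing in the hunk says why the previous revision was wrong or how the new one was matched to the release. The source is the `github.com/mirror/xmlrpc-c.git` mirror built from `${WORKDIR}/git/stable`, so the comment should record what the revision corresponds to, for example `# stable/ tree at release 1.59.01, checked against <upstream reference>`. That lets a later reviewer confirm the pin against upstream instead of trusting the hash.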
@@ -1,10 +1,11 @@ -SUMMARY = "PolicyKit Authorization Framework" +SUMMARY = "Polkit Authorization Framework" DESCRIPTION = "The polkit package is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes." HOMEPAGE = "http://www.freedesktop.org/wiki/Software/polkit" LICENSE = "LGPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=155db86cdbafa7532b41f390409283eb" +BUGTRACKER = "https://github.com/polkit-org/polkit/issues" -SRC_URI = "git://gitlab.freedesktop.org/polkit/polkit.git;protocol=https;branch=master" +SRC_URI = "git://github.com/polkit-org/polkit.git;protocol=https;branch=main" S = "${WORKDIR}/git" SRCREV = "82f0924dc0eb23b9df68e88dbaf9e07c81940a5a" diff --git a/meta-oe/recipes-gnome/gcab/gcab_1.6.bb b/meta-oe/recipes-gnome/gcab/gcab_1.6.bb index 49c64f0ba6b..4278fc94539 100644 --- a/meta-oe/recipes-gnome/gcab/gcab_1.6.bb +++ b/meta-oe/recipes-gnome/gcab/gcab_1.6.bb @@ -22,6 +22,3 @@ PACKAGECONFIG[nls] = "-Dnls=true,-Dnls=false" PACKAGECONFIG[tests] = "-Dtests=true -Dinstalled_tests=true,-Dtests=false -Dinstalled_tests=false" BBCLASSEXTEND = "native" - -# meson embeds absolute paths to generated files on purpose -INSANE_SKIP:gcab-src += "buildpaths" diff --git a/meta-oe/recipes-kernel/bpftool/bpftool.bb b/meta-oe/recipes-kernel/bpftool/bpftool.bb index b22334fe90f..8bddde94514 100644 --- a/meta-oe/recipes-kernel/bpftool/bpftool.bb +++ b/meta-oe/recipes-kernel/bpftool/bpftool.bb @@ -26,7 +26,7 @@ SECURITY_CFLAGS = "" do_configure[depends] += "virtual/kernel:do_shared_workdir" -COMPATIBLE_HOST = "(x86_64|aarch64).*-linux" +COMPATIBLE_HOST = "(x86_64|aarch64|riscv64).*-linux" COMPATIBLE_HOST:libc-musl = 'null' do_compile() { diff --git a/meta-oe/recipes-kernel/cpupower/cpupower.bb b/meta-oe/recipes-kernel/cpupower/cpupower.bb index 18e36380521..453ebe8c7f0 100644 --- a/meta-oe/recipes-kernel/cpupower/cpupower.bb +++ b/meta-oe/recipes-kernel/cpupower/cpupower.bb 
@@ -7,7 +7,7 @@ PROVIDES = "virtual/cpupower"
 inherit kernelsrc kernel-arch bash-completion
-do_populate_lic[depends] += "virtual/kernel:do_patch"
+do_populate_lic[depends] += "virtual/kernel:do_shared_workdir"
 EXTRA_OEMAKE = "-C ${S}/tools/power/cpupower O=${B} CROSS=${TARGET_PREFIX} CC="${CC}" LD="${LD}" AR=${AR} ARCH=${ARCH}"
diff --git a/meta-oe/recipes-kernel/intel-speed-select/intel-speed-select.bb b/meta-oe/recipes-kernel/intel-speed-select/intel-speed-select.bb
index 23ea0d8aae8..3b5866180de 100644
--- a/meta-oe/recipes-kernel/intel-speed-select/intel-speed-select.bb
+++ b/meta-oe/recipes-kernel/intel-speed-select/intel-speed-select.bb
@@ -13,7 +13,7 @@ COMPATIBLE_HOST:libc-musl = 'null'
 DEPENDS = "libnl"
-do_populate_lic[depends] += "virtual/kernel:do_patch"
+do_populate_lic[depends] += "virtual/kernel:do_shared_workdir"
 B = "${WORKDIR}/${BPN}-${PV}"
diff --git a/meta-oe/recipes-kernel/kernel-selftest/kernel-selftest.bb b/meta-oe/recipes-kernel/kernel-selftest/kernel-selftest.bb
index 01f185adbae..a070ceab55e 100644
--- a/meta-oe/recipes-kernel/kernel-selftest/kernel-selftest.bb
+++ b/meta-oe/recipes-kernel/kernel-selftest/kernel-selftest.bb
@@ -55,7 +55,7 @@ TEST_LIST = "\
 EXTRA_OEMAKE = '\
 CROSS_COMPILE=${TARGET_PREFIX} \
 ARCH=${ARCH} \
- CC="${CC}" \
+ CC="${CC} ${DEBUG_PREFIX_MAP}" \
 AR="${AR}" \
 LD="${LD}" \
 CLANG="clang -fno-stack-protector -target ${TARGET_ARCH} ${TOOLCHAIN_OPTIONS} -isystem ${S} -D__WORDSIZE=\'64\' -Wno-error=unused-command-line-argument" \
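Review bot: In the kernel-selftest hunk `${DEBUG_PREFIX_MAP}` is added to `CC` only; the `CLANG=` entry three lines further down in the same `EXTRA_OEMAKE` carries its own flag list and gets no prefix mapping. If the goal is to keep build paths out of the packaged objects, anything compiled through `CLANG` is presumably not covered by this change. Either extend that entry with whichever prefix-map flags clang accepts, or add a comment such as `# CLANG-built objects are not prefix-mapped; see <reason>` so the gap is a recorded decision. The `EXTRA_OEMAKE` assignment continues past the end of the hunk.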
@@ -96,25 +96,13 @@ either install it and add it to HOSTTOOLS, or add clang-native from meta-clang t
 sed -i -e '/mrecord-mcount/d' ${S}/Makefile
 sed -i -e '/Wno-alloc-size-larger-than/d' ${S}/Makefile
 sed -i -e '/Wno-alloc-size-larger-than/d' ${S}/scripts/Makefile.*
- for i in ${TEST_LIST}
- do
- oe_runmake -C ${S}/tools/testing/selftests/${i}
- done
+ oe_runmake -C ${S}/tools/testing/selftests TARGETS="${TEST_LIST}"
 }
 do_install() {
- for i in ${TEST_LIST}
- do
- oe_runmake -C ${S}/tools/testing/selftests/${i} INSTALL_PATH=${D}/usr/kernel-selftest/${i} install
- # Install kselftest-list.txt that required by kselftest runner.
- oe_runmake -s --no-print-directory COLLECTION=${i} -C ${S}/tools/testing/selftests/${i} emit_tests \
- >> ${D}/usr/kernel-selftest/kselftest-list.txt
- done
- # Install kselftest runner.
- install -m 0755 ${S}/tools/testing/selftests/run_kselftest.sh ${D}/usr/kernel-selftest/
- cp -R --no-dereference --preserve=mode,links -v ${S}/tools/testing/selftests/kselftest ${D}/usr/kernel-selftest/
+ oe_runmake -C ${S}/tools/testing/selftests INSTALL_PATH=${D}/usr/kernel-selftest TARGETS="${TEST_LIST}" install
 if [ -e ${D}/usr/kernel-selftest/bpf/test_offload.py ]; then
- sed -i -e '1s,#!.*python3,#! /usr/bin/env python3,' ${D}/usr/kernel-selftest/bpf/test_offload.py
+ sed -i -e '1s,#!.*python3,#! /usr/bin/env python3,' ${D}/usr/kernel-selftest/bpf/test_offload.py
 fi
 chown root:root -R ${D}/usr/kernel-selftest
 }
@@ -158,6 +146,12 @@ RDEPENDS:${PN} += "python3 perl perl-module-io-handle"
 INSANE_SKIP:${PN} += "libdir"
+# A few of the selftests set compile flags that trip up the "ldflags" and
+# "already-stripped" QA checks. As this is mainly a testing package and
+# not really meant for user level execution, disable these two checks.
+INSANE_SKIP:${PN} += "ldflags"
+INSANE_SKIP:${PN} += "already-stripped"
+
 SECURITY_CFLAGS = ""
 COMPATIBLE_HOST:libc-musl = 'null'
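Review bot: Replacing the per-test loops with one top-level `oe_runmake … TARGETS="${TEST_LIST}"` changes failure behaviour: before, any single `oe_runmake -C …/selftests/${i}` that failed aborted the task, whereas the kernel's top-level selftests Makefile (in the versions I am aware of) keeps going when one target fails and only stops early if `FORCE_TARGETS` is set. A selftest that no longer builds could then drop out of the image silently, which is easy to miss for a package whose purpose is test coverage. If the kernel in use supports it, consider `oe_runmake -C ${S}/tools/testing/selftests TARGETS="${TEST_LIST}" FORCE_TARGETS=1` in both `do_compile` and `do_install`. `do_compile` starts above the hunk, so its earlier lines were not reviewed.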
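Review bot: The two new `INSANE_SKIP:${PN}` lines in the second hunk switch the `ldflags` and `already-stripped` checks off for every file in the package, while the comment only says "a few of the selftests" without naming them. Listing the offending `TEST_LIST` entries in that comment, for example `# ldflags: <tests>; already-stripped: <tests>`, would let a later change narrow or drop the skips once those selftests are fixed. Note that `already-stripped` being silenced also means the affected binaries arrive without usable debug information.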
diff --git a/meta-oe/recipes-kernel/spidev-test/spidev-test.bb b/meta-oe/recipes-kernel/spidev-test/spidev-test.bb
index 2e8c5cbb8de..7b87dd28dfb 100644
--- a/meta-oe/recipes-kernel/spidev-test/spidev-test.bb
+++ b/meta-oe/recipes-kernel/spidev-test/spidev-test.bb
@@ -6,7 +6,7 @@ PROVIDES = "virtual/spidev-test"
 inherit bash-completion kernelsrc kernel-arch
-do_populate_lic[depends] += "virtual/kernel:do_patch"
+do_populate_lic[depends] += "virtual/kernel:do_shared_workdir"
 EXTRA_OEMAKE = "-C ${S}/tools/spi O=${B} CROSS=${TARGET_PREFIX} CC="${CC}" LD="${LD}" AR=${AR} ARCH=${ARCH}"
diff --git a/meta-oe/recipes-support/gpm/gpm_git.bb b/meta-oe/recipes-support/gpm/gpm_git.bb
index 31503e9c620..1a96bea099c 100644
--- a/meta-oe/recipes-support/gpm/gpm_git.bb
+++ b/meta-oe/recipes-support/gpm/gpm_git.bb
@@ -24,6 +24,10 @@ inherit autotools-brokensep update-rc.d systemd texinfo
 INITSCRIPT_NAME = "gpm"
 INITSCRIPT_PARAMS = "defaults"
+# Avoid line statements with bison/yacc
+# ERROR: lib32-gpm-1.99.7+gite82d1a653ca94aa4ed12441424da6ce780b1e530-r0 do_package_qa: QA Issue: File /usr/src/debug/lib32-gpm/1.99.7+gite82d1a653ca94aa4ed12441424da6ce780b1e530/src/prog/gpm-root.c in package lib32-gpm-src contains reference to TMPDIR [buildpaths]
+EXTRA_OEMAKE = "YFLAGS='-l'"
+
 do_configure:prepend() {
 (cd ${S};./autogen.sh;cd -)
 }
diff --git a/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb b/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb
index be558ce1d21..3b4439c3ae0 100644
--- a/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb
+++ b/meta-oe/recipes-support/lvm2/libdevmapper_2.03.22.bb
@@ -5,6 +5,8 @@ require lvm2.inc
 DEPENDS += "autoconf-archive-native"
+inherit nopackages
+
 TARGET_CC_ARCH += "${LDFLAGS}"
 do_install() {
diff --git a/meta-oe/recipes-support/tbb/tbb/0001-Fix-suppress-new-GCC-12-13-warnings-1192.patch b/meta-oe/recipes-support/tbb/tbb/0001-Fix-suppress-new-GCC-12-13-warnings-1192.patch
new file mode 100644
index 00000000000..489f011b84e
--- /dev/null
+++ b/meta-oe/recipes-support/tbb/tbb/0001-Fix-suppress-new-GCC-12-13-warnings-1192.patch 
@@ -0,0 +1,57 @@ +From e131071769ee3df51b56b053ba6bfa06ae9eff25 Mon Sep 17 00:00:00 2001 +From: Dmitri Mokhov +Date: Mon, 11 Sep 2023 10:35:07 -0500 +Subject: [PATCH] Fix/suppress new GCC 12/13 warnings (#1192) + +Upstream-Status: Backport [https://github.com/oneapi-src/oneTBB/commit/e131071769ee3df51b56b053ba6bfa06ae9eff25] +Signed-off-by: Dmitri Mokhov +--- + .../oneapi/tbb/detail/_concurrent_unordered_base.h | 2 +- + src/tbb/concurrent_monitor.h | 12 +++++++++++- + 2 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/include/oneapi/tbb/detail/_concurrent_unordered_base.h b/include/oneapi/tbb/detail/_concurrent_unordered_base.h +index ade91c33..40829208 100644 +--- a/include/oneapi/tbb/detail/_concurrent_unordered_base.h ++++ b/include/oneapi/tbb/detail/_concurrent_unordered_base.h +@@ -921,7 +921,7 @@ private: + node_allocator_traits::deallocate(dummy_node_allocator, node, 1); + } else { + // GCC 11.1 issues a warning here that incorrect destructor might be called for dummy_nodes +- #if (__TBB_GCC_VERSION >= 110100 && __TBB_GCC_VERSION < 130000 ) && !__clang__ && !__INTEL_COMPILER ++ #if (__TBB_GCC_VERSION >= 110100 && __TBB_GCC_VERSION < 140000 ) && !__clang__ && !__INTEL_COMPILER + volatile + #endif + value_node_ptr val_node = static_cast(node); +diff --git a/src/tbb/concurrent_monitor.h b/src/tbb/concurrent_monitor.h +index 3d20ef5b..3e5c4beb 100644 +--- a/src/tbb/concurrent_monitor.h ++++ b/src/tbb/concurrent_monitor.h +@@ -1,5 +1,5 @@ + /* +- Copyright (c) 2005-2021 Intel Corporation ++ Copyright (c) 2005-2023 Intel Corporation + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. +@@ -290,7 +290,17 @@ public: + n = my_waitset.front(); + if (n != end) { + my_waitset.remove(*n); ++ ++// GCC 12.x-13.x issues a warning here that to_wait_node(n)->my_is_in_list might have size 0, since n is ++// a base_node pointer. 
(This cannot happen, because only wait_node pointers are added to my_waitset.) ++#if (__TBB_GCC_VERSION >= 120100 && __TBB_GCC_VERSION < 140000 ) && !__clang__ && !__INTEL_COMPILER ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wstringop-overflow" ++#endif + to_wait_node(n)->my_is_in_list.store(false, std::memory_order_relaxed); ++#if (__TBB_GCC_VERSION >= 120100 && __TBB_GCC_VERSION < 140000 ) && !__clang__ && !__INTEL_COMPILER ++#pragma GCC diagnostic pop ++#endif + } + } + +-- +2.43.0 + diff --git a/meta-oe/recipes-support/tbb/tbb_2021.11.0.bb b/meta-oe/recipes-support/tbb/tbb_2021.11.0.bb index f834726bd6c..318cd876438 100644 --- a/meta-oe/recipes-support/tbb/tbb_2021.11.0.bb +++ b/meta-oe/recipes-support/tbb/tbb_2021.11.0.bb @@ -16,6 +16,7 @@ BRANCH = "onetbb_2021" SRCREV = "8b829acc65569019edb896c5150d427f288e8aba" SRC_URI = "git://github.com/oneapi-src/oneTBB.git;protocol=https;branch=${BRANCH} \ file://0001-hwloc_detection.cmake-remove-cross-compiation-check.patch \ + file://0001-Fix-suppress-new-GCC-12-13-warnings-1192.patch \ " S = "${WORKDIR}/git" diff --git a/meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb b/meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb index c9c98b6fb5a..69573064bc6 100644 --- a/meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb +++ b/meta-python/recipes-devtools/python/python3-cbor2_5.6.3.bb @@ -1,8 +1,8 @@ DESCRIPTION = "An implementation of RFC 7049 - Concise Binary Object Representation (CBOR)." DEPENDS +="python3-setuptools-scm-native" -LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=a79e64179819c7ce293372c059f1dbd8" SRC_URI[sha256sum] = "e6f0ae2751c2d333a960e0807c0611494eb1245631a167965acbc100509455d3" 
diff --git a/meta-python/recipes-devtools/python/python3-colorama_0.4.6.bb b/meta-python/recipes-devtools/python/python3-colorama_0.4.6.bb
index 0f364c424df..3871244031c 100644
--- a/meta-python/recipes-devtools/python/python3-colorama_0.4.6.bb
+++ b/meta-python/recipes-devtools/python/python3-colorama_0.4.6.bb
@@ -1,6 +1,6 @@
 SUMMARY = "Cross-platform colored terminal text."
 HOMEPAGE = "https://github.com/tartley/colorama"
-LICENSE = "BSD-2-Clause"
+LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=b4936429a56a652b84c5c01280dcaa26"
 inherit pypi python_setuptools_build_meta
diff --git a/meta-python/recipes-devtools/python/python3-crc32c_2.3.bb b/meta-python/recipes-devtools/python/python3-crc32c_2.3.bb
index da756ea0746..125a7ad8770 100644
--- a/meta-python/recipes-devtools/python/python3-crc32c_2.3.bb
+++ b/meta-python/recipes-devtools/python/python3-crc32c_2.3.bb
@@ -1,7 +1,7 @@
 SUMMARY = "A python package implementing the crc32c algorithmin hardware and software"
 HOMEPAGE = "https://github.com/ICRAR/crc32c"
-LICENSE = "BSD-2-Clause & BSD-3-Clause & CRC32C-ADLER & LGPL-2.0-or-later"
+LICENSE = "BSD-2-Clause & BSD-3-Clause & CRC32C-ADLER & LGPL-2.1-or-later"
 LIC_FILES_CHKSUM = " \
 file://LICENSE;md5=4fbd65380cdd255951079008b364516c \
 file://LICENSE.google-crc32c;md5=e9ed01b5e5ac9eae23fc2bb33701220c \
diff --git a/meta-python/recipes-devtools/python/python3-django_4.2.11.bb b/meta-python/recipes-devtools/python/python3-django_4.2.16.bb
similarity index 63%
rename from meta-python/recipes-devtools/python/python3-django_4.2.11.bb
rename to meta-python/recipes-devtools/python/python3-django_4.2.16.bb
index 0642b7e7c31..9254e8b009e 100644
--- a/meta-python/recipes-devtools/python/python3-django_4.2.11.bb
+++ b/meta-python/recipes-devtools/python/python3-django_4.2.16.bb
@@ -1,7 +1,7 @@
 require python-django.inc
 inherit setuptools3
-SRC_URI[sha256sum] = "6e6ff3db2d8dd0c986b4eec8554c8e4f919b5c1ff62a5b4390c17aff2ed6e5c4"
+SRC_URI[sha256sum] = "6f1616c2786c408ce86ab7e10f792b8f15742f7b7b7460243929cb371e7f1dad"
 RDEPENDS:${PN} += "\
 python3-sqlparse \
@@ -10,5 +10,5 @@ RDEPENDS:${PN} += "\
 # Set DEFAULT_PREFERENCE so that the LTS version of django is built by
 # default. To build the 4.x branch,
-# PREFERRED_VERSION_python3-django = "4.2.11" can be added to local.conf
+# PREFERRED_VERSION_python3-django = "4.2.16" can be added to local.conf
 DEFAULT_PREFERENCE = "-1"
diff --git a/meta-python/recipes-devtools/python/python3-django_5.0.4.bb b/meta-python/recipes-devtools/python/python3-django_5.0.9.bb
similarity index 56%
rename from meta-python/recipes-devtools/python/python3-django_5.0.4.bb
rename to meta-python/recipes-devtools/python/python3-django_5.0.9.bb
index 3139ed46829..60e9c592b06 100644
--- a/meta-python/recipes-devtools/python/python3-django_5.0.4.bb
+++ b/meta-python/recipes-devtools/python/python3-django_5.0.9.bb
@@ -1,7 +1,7 @@
 require python-django.inc
 inherit setuptools3
-SRC_URI[sha256sum] = "4bd01a8c830bb77a8a3b0e7d8b25b887e536ad17a81ba2dce5476135c73312bd"
+SRC_URI[sha256sum] = "6333870d342329b60174da3a60dbd302e533f3b0bb0971516750e974a99b5a39"
 RDEPENDS:${PN} += "\
 python3-sqlparse \
diff --git a/meta-python/recipes-devtools/python/python3-email-validator_2.1.1.bb b/meta-python/recipes-devtools/python/python3-email-validator_2.1.1.bb
index 90a22e5a0e8..746d56d18e0 100644
--- a/meta-python/recipes-devtools/python/python3-email-validator_2.1.1.bb
+++ b/meta-python/recipes-devtools/python/python3-email-validator_2.1.1.bb
@@ -1,6 +1,6 @@
 SUMMARY = "A robust email address syntax and deliverability validation library."
 SECTION = "devel/python"
-LICENSE = "CC0-1.0"
+LICENSE = "Unlicense"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=2890aee62bd2a4c3197e2059016a397e"
 SRC_URI[sha256sum] = "200a70680ba08904be6d1eef729205cc0d687634399a5924d842533efb824b84"
diff --git a/meta-python/recipes-devtools/python/python3-fann2_1.1.2.bb b/meta-python/recipes-devtools/python/python3-fann2_1.1.2.bb
index 2fbc2771398..2099d791ddf 100644
--- a/meta-python/recipes-devtools/python/python3-fann2_1.1.2.bb
+++ b/meta-python/recipes-devtools/python/python3-fann2_1.1.2.bb
@@ -1,6 +1,6 @@
 SUMMARY = "Python bindings for Fast Artificial Neural Networks 2.2.0 (FANN >= 2.2.0)"
 SECTION = "devel/python"
-LICENSE = "LGPL-2.0-only"
+LICENSE = "LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c73b943dc75f6f65e007c56ac6515c8f"
 SRC_URI[md5sum] = "0b85b418018746d63ed66b55465697a9"
diff --git a/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch
new file mode 100644
index 00000000000..9049b2ffe67
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-flask-cors/CVE-2024-6221.patch
@@ -0,0 +1,110 @@ +From 7ae310c56ac30e0b94fb42129aa377bf633256ec Mon Sep 17 00:00:00 2001 +From: Adriano Sela Aviles +Date: Fri, 30 Aug 2024 12:14:31 -0400 +Subject: [PATCH] Backwards Compatible Fix for CVE-2024-6221 (#363) + +CVE: CVE-2024-6221 + +Upstream-Status: Backport [https://github.com/corydolphin/flask-cors/commit/7ae310c56ac30e0b94fb42129aa377bf633256ec] + +Signed-off-by: Soumya Sambu +--- + docs/configuration.rst | 14 ++++++++++++++ + flask_cors/core.py | 8 +++++--- + flask_cors/extension.py | 16 ++++++++++++++++ + 3 files changed, 35 insertions(+), 3 deletions(-) + +diff --git a/docs/configuration.rst b/docs/configuration.rst +index 91282d3..c750cf4 100644 +--- a/docs/configuration.rst ++++ b/docs/configuration.rst +@@ -23,6 +23,19 @@ CORS_ALLOW_HEADERS (:py:class:`~typing.List` or :py:class:`str`) + Headers to accept from the client. + Headers in the :http:header:`Access-Control-Request-Headers` request header (usually part of the preflight OPTIONS request) matching headers in this list will be included in the :http:header:`Access-Control-Allow-Headers` response header. + ++CORS_ALLOW_PRIVATE_NETWORK (:py:class:`bool`) ++ If True, the response header :http:header:`Access-Control-Allow-Private-Network` ++ will be set with the value 'true' whenever the request header ++ :http:header:`Access-Control-Request-Private-Network` has a value 'true'. ++ ++ If False, the reponse header :http:header:`Access-Control-Allow-Private-Network` ++ will be set with the value 'false' whenever the request header ++ :http:header:`Access-Control-Request-Private-Network` has a value of 'true'. ++ ++ If the request header :http:header:`Access-Control-Request-Private-Network` is ++ not present or has a value other than 'true', the response header ++ :http:header:`Access-Control-Allow-Private-Network` will not be set. ++ + CORS_ALWAYS_SEND (:py:class:`bool`) + Usually, if a request doesn't include an :http:header:`Origin` header, the client did not request CORS. 
+ This means we can ignore this request. +@@ -83,6 +96,7 @@ Default values + ~~~~~~~~~~~~~~ + + * CORS_ALLOW_HEADERS: "*" ++* CORS_ALLOW_PRIVATE_NETWORK: True + * CORS_ALWAYS_SEND: True + * CORS_AUTOMATIC_OPTIONS: True + * CORS_EXPOSE_HEADERS: None +diff --git a/flask_cors/core.py b/flask_cors/core.py +index 5358036..bd011f4 100644 +--- a/flask_cors/core.py ++++ b/flask_cors/core.py +@@ -36,7 +36,7 @@ CONFIG_OPTIONS = ['CORS_ORIGINS', 'CORS_METHODS', 'CORS_ALLOW_HEADERS', + 'CORS_MAX_AGE', 'CORS_SEND_WILDCARD', + 'CORS_AUTOMATIC_OPTIONS', 'CORS_VARY_HEADER', + 'CORS_RESOURCES', 'CORS_INTERCEPT_EXCEPTIONS', +- 'CORS_ALWAYS_SEND'] ++ 'CORS_ALWAYS_SEND', 'CORS_ALLOW_PRIVATE_NETWORK'] + # Attribute added to request object by decorator to indicate that CORS + # was evaluated, in case the decorator and extension are both applied + # to a view. +@@ -56,7 +56,8 @@ DEFAULT_OPTIONS = dict(origins='*', + vary_header=True, + resources=r'/*', + intercept_exceptions=True, +- always_send=True) ++ always_send=True, ++ allow_private_network=True) + + + def parse_resources(resources): +@@ -186,7 +187,8 @@ def get_cors_headers(options, request_headers, request_method): + + if ACL_REQUEST_HEADER_PRIVATE_NETWORK in request_headers \ + and request_headers.get(ACL_REQUEST_HEADER_PRIVATE_NETWORK) == 'true': +- headers[ACL_RESPONSE_PRIVATE_NETWORK] = 'true' ++ allow_private_network = 'true' if options.get('allow_private_network') else 'false' ++ headers[ACL_RESPONSE_PRIVATE_NETWORK] = allow_private_network + + # This is a preflight request + # http://www.w3.org/TR/cors/#resource-preflight-requests +diff --git a/flask_cors/extension.py b/flask_cors/extension.py +index c00cbff..694953f 100644 +--- a/flask_cors/extension.py ++++ b/flask_cors/extension.py +@@ -136,6 +136,22 @@ class CORS(object): + + Default : True + :type vary_header: bool ++ ++ :param allow_private_network: ++ If True, the response header `Access-Control-Allow-Private-Network` ++ will be set with the value 'true' whenever 
the request header ++ `Access-Control-Request-Private-Network` has a value 'true'. ++ ++ If False, the reponse header `Access-Control-Allow-Private-Network` ++ will be set with the value 'false' whenever the request header ++ `Access-Control-Request-Private-Network` has a value of 'true'. ++ ++ If the request header `Access-Control-Request-Private-Network` is ++ not present or has a value other than 'true', the response header ++ `Access-Control-Allow-Private-Network` will not be set. ++ ++ Default : True ++ :type allow_private_network: bool + """ + + def __init__(self, app=None, **kwargs): +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb index 1d0d86b4e7a..77b51c55156 100644 --- a/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb +++ b/meta-python/recipes-devtools/python/python3-flask-cors_4.0.0.bb @@ -9,6 +9,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=118fecaa576ab51c1520f95e98db61ce" PYPI_PACKAGE = "Flask-Cors" +SRC_URI += " \ + file://CVE-2024-6221.patch \ +" + SRC_URI[sha256sum] = "f268522fcb2f73e2ecdde1ef45e2fd5c71cc48fe03cffb4b441c6d1b40684eb0" inherit pypi setuptools3 diff --git a/meta-python/recipes-devtools/python/python3-googleapis-common-protos_1.63.0.bb b/meta-python/recipes-devtools/python/python3-googleapis-common-protos_1.63.0.bb index aee2337267e..3c55294498b 100644 --- a/meta-python/recipes-devtools/python/python3-googleapis-common-protos_1.63.0.bb +++ b/meta-python/recipes-devtools/python/python3-googleapis-common-protos_1.63.0.bb @@ -1,7 +1,7 @@ DESCRIPTION = "Common protobufs used in Google APIs" HOMEPAGE = "https://github.com/googleapis/python-api-common-protos" LICENSE = "Apache-2.0" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10" +LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" inherit pypi setuptools3 
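Review bot: The backported patch keeps `allow_private_network=True` in `DEFAULT_OPTIONS` (the flask_cors/core.py hunk) and documents `CORS_ALLOW_PRIVATE_NETWORK: True` as the default, so an application that does not set the option still answers `Access-Control-Request-Private-Network: true` with `Access-Control-Allow-Private-Network: true`, exactly as before the patch. Because the patch header carries `CVE: CVE-2024-6221`, tooling that reads that tag will presumably report the issue as patched even though the protection is opt-in. Consider either carrying a small follow-up change that sets the default to `allow_private_network=False`, or adding a comment next to `file://CVE-2024-6221.patch` in the recipe stating that consumers must pass `allow_private_network=False` (or set `CORS_ALLOW_PRIVATE_NETWORK = False`) to get the fix's effect.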
diff --git a/meta-python/recipes-devtools/python/python3-haversine_2.8.1.bb b/meta-python/recipes-devtools/python/python3-haversine_2.8.1.bb
index e45ae798605..5fd5ddd71cd 100644
--- a/meta-python/recipes-devtools/python/python3-haversine_2.8.1.bb
+++ b/meta-python/recipes-devtools/python/python3-haversine_2.8.1.bb
@@ -1,6 +1,6 @@
 SUMMARY = "Calculate the distance between 2 points on Earth"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=20a52d2c688975e989fcbee3e6c8d1a1"
 SRC_URI[sha256sum] = "ab750caa0c8f2168bd7b00a429757a83a8393be1aa30f91c2becf6b523189e2a"
diff --git a/meta-python/recipes-devtools/python/python3-libevdev_0.11.bb b/meta-python/recipes-devtools/python/python3-libevdev_0.11.bb
index 27e336710cc..5ad2a599519 100644
--- a/meta-python/recipes-devtools/python/python3-libevdev_0.11.bb
+++ b/meta-python/recipes-devtools/python/python3-libevdev_0.11.bb
@@ -3,7 +3,7 @@ HOMEPAGE = "https://gitlab.freedesktop.org/libevdev/python-libevdev"
 SECTION = "devel/python"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d94c10c546b419eddc6296157ec40747"
 SRC_URI[md5sum] = "34b48098c1fba26de79a0d67a17a588a"
 SRC_URI[sha256sum] = "e9ca006a4df2488a60bd9a740011ee948d81904be2364f017e560169508f560f"
diff --git a/meta-python/recipes-devtools/python/python3-lru-dict_1.3.0.bb b/meta-python/recipes-devtools/python/python3-lru-dict_1.3.0.bb
index e9535fa6f1b..51f3860b07c 100644
--- a/meta-python/recipes-devtools/python/python3-lru-dict_1.3.0.bb
+++ b/meta-python/recipes-devtools/python/python3-lru-dict_1.3.0.bb
@@ -1,7 +1,7 @@
-SUMMARY = "A fixed size dict like container which evicts Least Recently Used (LRU) items once size limit is exceeded."
+DESCRIPTION = "A fixed size dict like container which evicts Least Recently Used (LRU) items once size limit is exceeded."
 HOMEPAGE = "https://github.com/amitdev/lru-dict"
 SECTION = "devel/python"
-LICENSE = "BSD-3-Clause"
+LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=9d10a486ee04034fdef5162fd791f153"
 SRC_URI[sha256sum] = "54fd1966d6bd1fcde781596cb86068214edeebff1db13a2cea11079e3fd07b6b"
diff --git a/meta-python/recipes-devtools/python/python3-mock_5.1.0.bb b/meta-python/recipes-devtools/python/python3-mock_5.1.0.bb
index d9ecb9d4c83..1b89260e1b4 100644
--- a/meta-python/recipes-devtools/python/python3-mock_5.1.0.bb
+++ b/meta-python/recipes-devtools/python/python3-mock_5.1.0.bb
@@ -1,7 +1,7 @@
 DESCRIPTION = "A Python Mocking and Patching Library for Testing"
 HOMEPAGE = "https://pypi.python.org/pypi/mock"
 SECTION = "devel/python"
-LICENSE = "Apache-2.0"
+LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=de9dfbf780446b18aab11f00baaf5b7e"
 inherit pypi setuptools3
diff --git a/meta-python/recipes-devtools/python/python3-nmap_1.6.0.bb b/meta-python/recipes-devtools/python/python3-nmap_1.6.0.bb
index 5fe9ab4e396..2293e3ddf85 100644
--- a/meta-python/recipes-devtools/python/python3-nmap_1.6.0.bb
+++ b/meta-python/recipes-devtools/python/python3-nmap_1.6.0.bb
@@ -1,8 +1,8 @@
 DESCRIPTION = "python-nmap is a python library which helps in using nmap port scanner"
 HOMEPAGE = "https://www.nmmapper.com/"
 SECTION = "devel/python"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+LICENSE = "GPL-3.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1ebbd3e34237af26da5dc08a4e440464"
 DEPENDS += "python3-wheel-native"
diff --git a/meta-python/recipes-devtools/python/python3-parse-type_0.6.2.bb b/meta-python/recipes-devtools/python/python3-parse-type_0.6.2.bb
index a7d8cd86ce0..57dfc5a508c 100644
--- a/meta-python/recipes-devtools/python/python3-parse-type_0.6.2.bb
+++ b/meta-python/recipes-devtools/python/python3-parse-type_0.6.2.bb
@@ -1,6 +1,6 @@
 SUMMARY = "Simplifies building parse types based on the parse module"
 HOMEPAGE = "https://github.com/jenisys/parse_type"
-LICENSE = "BSD-3-Clause"
+LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=2e469278ace89c246d52505acc39c3da"
 SRC_URI[sha256sum] = "79b1f2497060d0928bc46016793f1fca1057c4aacdf15ef876aa48d75a73a355"
diff --git a/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb b/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb
index debf488154b..8b0bcf55ddb 100644
--- a/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb
+++ b/meta-python/recipes-devtools/python/python3-pillow_10.3.0.bb
@@ -1,8 +1,8 @@
-SUMMARY = "Python Imaging Library (Fork). Pillow is the friendly PIL fork by Alex \
+DESCRIPTION = "Python Imaging Library (Fork). Pillow is the friendly PIL fork by Alex \
 Clark and Contributors. PIL is the Python Imaging Library by Fredrik Lundh and \
 Contributors."
 HOMEPAGE = "https://pillow.readthedocs.io"
-LICENSE = "MIT"
+LICENSE = "HPND"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c349a4b4b9ec2377a8fd6a7df87dbffe"
 SRC_URI = "git://github.com/python-pillow/Pillow.git;branch=main;protocol=https \
diff --git a/meta-python/recipes-devtools/python/python3-platformdirs_4.2.0.bb b/meta-python/recipes-devtools/python/python3-platformdirs_4.2.0.bb
index 19c95b374a9..c69c390b802 100644
--- a/meta-python/recipes-devtools/python/python3-platformdirs_4.2.0.bb
+++ b/meta-python/recipes-devtools/python/python3-platformdirs_4.2.0.bb
@@ -1,6 +1,6 @@
 SUMMARY = "A small Python module for determining appropriate platform-specific dirs"
 HOMEPAGE = "https://github.com/platformdirs/platformdirs"
-LICENSE = "BSD-3-Clause"
+LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=ea4f5a41454746a9ed111e3d8723d17a"
 SRC_URI += " \
diff --git a/meta-python/recipes-devtools/python/python3-pycurl_7.45.2.bb b/meta-python/recipes-devtools/python/python3-pycurl_7.45.2.bb
index a6863e21ff4..10d3cd1027b 100644
--- a/meta-python/recipes-devtools/python/python3-pycurl_7.45.2.bb
+++ b/meta-python/recipes-devtools/python/python3-pycurl_7.45.2.bb
@@ -7,7 +7,7 @@ be used to fetch objects identified by a URL from a Python program \
 SECTION = "devel/python"
 HOMEPAGE = "http://pycurl.io/"
-LICENSE = "LGPL-2.0-only | MIT"
+LICENSE = "LGPL-2.1-only | MIT"
 LIC_FILES_CHKSUM = "file://COPYING-LGPL;md5=4fbd65380cdd255951079008b364516c \
 file://COPYING-MIT;md5=be42e1b1e58c8d59c2901fd747bfc55d \
 "
diff --git a/meta-python/recipes-devtools/python/python3-xlsxwriter_3.1.9.bb b/meta-python/recipes-devtools/python/python3-xlsxwriter_3.1.9.bb
index ee7dab35cb6..4e23feebbba 100644
--- a/meta-python/recipes-devtools/python/python3-xlsxwriter_3.1.9.bb
+++ b/meta-python/recipes-devtools/python/python3-xlsxwriter_3.1.9.bb
@@ -1,7 +1,7 @@
 SUMMARY = "Python 2 and 3 compatibility library"
 HOMEPAGE = "https://xlsxwriter.readthedocs.io"
 SECTION = "devel/python"
-LICENSE = "MIT"
+LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=12d9fac1f0049be71ab5aa4a78da02b0"
 inherit pypi setuptools3
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
index dc6a1530bae..66a017a864e 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.62.bb
@@ -175,6 +175,9 @@ INITSCRIPT_PARAMS = "defaults 91 20"
 SYSTEMD_SERVICE:${PN} = "apache2.service"
 SYSTEMD_AUTO_ENABLE:${PN} = "enable"
+ALTERNATIVE:${PN} = "httpd"
+ALTERNATIVE_LINK_NAME[httpd] = "${sbindir}/httpd"
+ALTERNATIVE_PRIORITY[httpd] = "60"
 ALTERNATIVE:${PN}-doc = "htpasswd.1"
 ALTERNATIVE_LINK_NAME[htpasswd.1] = "${mandir}/man1/htpasswd.1"