Security
gh-108310: Fixed an issue where instances of ssl.SSLSocket were
vulnerable to a bypass of the TLS handshake and included protections
(like certificate verification) and treating sent unencrypted data as if
it were post-handshake TLS encrypted data. Security issue reported as
CVE-2023-40217 by Aapo Oksman. Patch by Gregory P. Smith.
Library
gh-107845: tarfile.data_filter() now takes the location of symlinks into
account when determining their target, so it will no longer reject some
valid tarballs with LinkOutsideDestinationError.
Tools/Demos
gh-107565: Update multissltests and GitHub CI workflows to use OpenSSL
1.1.1v, 3.0.10, and 3.1.2.
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Richard Purdie [Mon, 11 Sep 2023 20:47:41 +0000 (21:47 +0100)]
vim: Upgrade 9.0.1664 -> 9.0.1894
This includes multiple CVE fixes.
The license change is due to changes in maintainership, the license
itself is unchanged.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 91e66b93a0c0928f0c2cfe78e22898a6c9800f34) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ross Burton [Tue, 12 Sep 2023 17:24:34 +0000 (18:24 +0100)]
gcc: Fix -fstack-protector issue on aarch64
This series of patches fixes deficiencies in GCC's -fstack-protector
implementation for AArch64 when using dynamically allocated stack space.
This is CVE-2023-4039. See:
Buffer Overflow vulnerability in function bitwriter_grow_ in flac before
1.4.0 allows remote attackers to run arbitrary code via crafted input to
the encoder.
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Tested-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a84b8d683b4b3f4d30999eac987790896d21eba6) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Richard Purdie [Thu, 27 Jul 2023 16:25:50 +0000 (17:25 +0100)]
oeqa/runtime/ltp: Increase ltp test output timeout
On our slower arm server, the tests currently timeout leading to inconsistent test
results. Increase the timeout to avoid this and aim to make the test results
consistent.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9a8b49208f3c99e184eab426360b137bc773aa31) Signed-off-by: Steve Sakoman <steve@sakoman.com>
We have a suspicion that the read() call may return EAGAIN on the non-blocking
fd and this may truncate test output leading to some of our intermittent failures.
Tweak the code to avoid this potential issue.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a8920c105725431e989cceb616bd04eaa52127ec) Signed-off-by: Steve Sakoman <steve@sakoman.com>
kernel: Fix path comparison in kernel staging dir symlinking
Due to an oversight in the do_symlink_kernsrc function, the path
comparison between "S" and "STAGING_KERNEL_DIR" is broken. The code
obtains both variables, but modifies the local copy of "S" before
comparing them, causing the comparison to always return false.
This can cause the build to fail when the EXTERNALSRC flag is enabled,
since the code will try to create a symlink even if one already exists.
This patch resolves the issue by comparing the variables before they are
modified.
Signed-off-by: Staffan Rydén <staffan.ryden@axis.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit afd2038ef8a66a5e6433be31a14e1eb0d9f9a1d3) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add in stable updates to glibc 2.38 to fix malloc bugs
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 39f987fcb20ad7c0e45425b9f508d463c50ce0c1) Signed-off-by: Steve Sakoman <steve@sakoman.com>
remove the traling blanks before the ;-delimiter, so one could use
"_remove" to avoid running tasks like 'rootfs_update_timestamp',
which are currently hardcoded and not bound to any
configurable feature flag
Signed-off-by: Priyal Doshi <pdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an
insufficiently trustworthy search path, leading to remote code
execution if an agent is forwarded to an attacker-controlled system.
(Code in /usr/lib is not necessarily safe for loading into ssh-agent.)
NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.
Ross Burton [Fri, 25 Aug 2023 16:44:17 +0000 (17:44 +0100)]
linux-yocto: add script to generate kernel CVE_CHECK_WHITELIST entries
Instead of manually looking up new CVEs and determining what point
releases the fixes are incorporated into, add a script to generate the
CVE_CHECK_WHITELIST data automatically.
First, note that this is very much an interim solution until the
cve-check class fetches data from www.linuxkernelcves.com directly.
The script should be passed the path to a local clone of the
linuxkernelcves repository[1] and the kernel version number. It will
then write to standard output the CVE_STATUS entries for every known
kernel CVE.
The script should be periodically reran as CVEs are backported and
kernels upgraded frequently.
[1] https://github.com/nluedtke/linux_kernel_cves
Note: for the Dunfell backport this is not a cherry-pick of the commit
in master as the variable names are different. This incorporates the
following commits:
linux/generate-cve-exclusions: add version check warning
linux/generate-cve-exclusions.py: fix comparison
linux-yocto: add script to generate kernel CVE_STATUS entries
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
it is introduced by a commit to fix CVE. So remove option '-O2' from
CFLAGS rather than revert the commit to avoid the failure.
[YOCTO #14367]
CC: Tony Battersby <tonyb@cybernetics.com> Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 69805629b8f47fd46a37b7c5cc435982e2ac3d1d) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ross Burton [Wed, 5 Jul 2023 10:50:01 +0000 (11:50 +0100)]
oeqa/runtime/cases/rpm: fix wait_for_no_process_for_user failure case
str.format() doesn't use % notation, update the formatting to work.
assertTrue() is a member of self not a global, and assertTrue(True) will
always pass. Change this to just self.fail() as this is the failure case.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 017f3a0b1265c1a3b69c20bdb56bbf446111977e) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Michael Halstead [Wed, 16 Aug 2023 09:05:44 +0000 (02:05 -0700)]
yocto-uninative: Update to 4.2 for glibc 2.38
Uninative 4.2 adds glibc 2.38.
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c6654fab00a1b4e4bb05eec8b77c8c60e1f8a709) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1c5c8ff97ba0a7f9adc592d702b865b3d166a24b) Signed-off-by: Steve Sakoman <steve@sakoman.com>
linux-firmware: split platform-specific Adreno shaders to separate packages
For newest Qualcomm platforms the firmware for the Adreno GPU consists
of two parts: platform-independent SQE/GMU/GPMU/PFP/PM4 and
platform-specific ZAP shader, which is used during the boot process. As
the platform-independent parts can be shared between different
platforms, split the platform-specific part to the separate package.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bf00a042d2fa2eb4b20d8c5982926758821bf990) Signed-off-by: Steve Sakoman <steve@sakoman.com>
RTL8822 is a serie of wireless modules that need firmwares to function correctly.
The linux firmware recipe does not have a package of these firmwares, and this commit add them.
Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6459959beeb91c0b694f5f17b6587a12c6dcb087) Signed-off-by: Steve Sakoman <steve@sakoman.com>
linux-firmware: package firmare for Dragonboard 410c
Latest linux-firmware archive inclues firmware for the Dragonboard 410c
device (Qualcomm apq8016 SBC). Follow the rest of linux-firmware-qcom-*
packages as a template and create packages for the new firmware files.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 380216e8d3b63d563ebfb10445fc6eb5e77eb9f2) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Chee Yang Lee [Mon, 21 Aug 2023 01:16:31 +0000 (09:16 +0800)]
tiff: CVE-2022-3599.patch also fix CVE-2022-4645 CVE-2023-30774
The same patch also fix CVE-2022-4645 CVE-2023-30774
CVE-2022-4645 - https://gitlab.com/libtiff/libtiff/-/issues/277
CVE-2023-30774 - https://gitlab.com/libtiff/libtiff/-/issues/463
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Yuta Hayama <hayama@lineo.co.jp> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
The following linux-firmware commit moved the mt7601u firmware blob
into a mediatek/ subdirectory, update the path accordingly. 8451c2b1 ("mt76xx: Move the old Mediatek WiFi firmware to mediatek")
Peter Marko [Thu, 10 Aug 2023 17:46:12 +0000 (19:46 +0200)]
openssl: Upgrade 1.1.1t -> 1.1.1v
https://www.openssl.org/news/openssl-1.1.1-notes.html
Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023]
* Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
* Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)
Major changes between OpenSSL 1.1.1t and OpenSSL 1.1.1u [30 May 2023]
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
All CVEs for upgrade to 1.1.1u were already patched, so effectively
this will apply patches for CVE-2023-3446 and CVE-2023-3817 plus
several non-CVE fixes.
Because of mips build changes were backported to openssl 1.1.1 branch,
backport of a patch from kirkstone is necessary.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Bruce Ashfield [Tue, 8 Aug 2023 03:55:46 +0000 (23:55 -0400)]
linux-yocto/5.4: update to v5.4.251
Updating to the latest korg -stable release that comprises
the following commits:
887433e4bc93 Linux 5.4.251 1e02fbe4f0ed tracing/histograms: Return an error if we fail to add histogram to hist_vars list b1062596556e tcp: annotate data-races around fastopenq.max_qlen 21c325d01ecc tcp: annotate data-races around tp->notsent_lowat 7175277b4d0b tcp: annotate data-races around rskq_defer_accept 3121d649e4c6 tcp: annotate data-races around tp->linger2 b1cd5655fc13 net: Replace the limit of TCP_LINGER2 with TCP_FIN_TIMEOUT_MAX 8ce44cf35ef6 tcp: annotate data-races around tp->tcp_tx_delay c822536b3e41 netfilter: nf_tables: can't schedule in nft_chain_validate caa228792fb5 netfilter: nf_tables: fix spurious set element insertion failure b8944e53ee70 llc: Don't drop packet from non-root netns. b07e31824df6 fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe 6d39e9fc5934 Revert "tcp: avoid the lookup process failing to get sk in ehash table" 0c0bd9789a8d net:ipv6: check return value of pskb_trim() 17046107ca15 iavf: Fix use-after-free in free_netdev 765e1eaf42de net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field() 3b6f56021af6 pinctrl: amd: Use amd_pinconf_set() for all config options 951f4e9730f1 fbdev: imxfb: warn about invalid left/right margin 3e03319ab97d spi: bcm63xx: fix max prepend length c9f56f3c7bc9 igb: Fix igb_down hung on surprise removal 7d80e834625c wifi: iwlwifi: mvm: avoid baid size integer overflow 41d149376078 wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point() 970c7035f4b0 devlink: report devlink_port_type_warn source device e09a285ea1e8 bpf: Address KCSAN report on bpf_lru_list cec1857b1ea5 sched/fair: Don't balance task to its current running CPU 9d8d3df71516 arm64: mm: fix VA-range sanity check 8ad6679a5bb9 posix-timers: Ensure timer ID search-loop limit is valid d0345f7c7dbc md/raid10: prevent soft lockup while flush writes 09539f9e2076 md: fix data corruption for raid456 when reshape restart while grow up 4181c30a2c55 nbd: Add the maximum limit of allocated index in nbd_dev_add d4f1cd9b9d66 debugobjects: Recheck debug_objects_enabled before reporting 0afcebcec057 ext4: correct inline offset when handling xattrs in inode body 5d580017bdb9 drm/client: Fix memory leak in drm_client_modeset_probe 52daf6ba2e0d drm/client: Fix memory leak in drm_client_target_cloned 9533dbfac0ff can: bcm: Fix UAF in bcm_proc_show() 5dd838be69e4 selftests: tc: set timeout to 15 minutes 7f83199862c2 fuse: revalidate: don't invalidate if interrupted ae91ab710d8e btrfs: fix warning when putting transaction with qgroups enabled after abort e217a3d19e10 perf probe: Add test for regression introduced by switch to die_get_decl_file() 380c7ceabdde drm/atomic: Fix potential use-after-free in nonblocking commits b7084ebf4f54 scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue 3f22f9ddbb29 scsi: qla2xxx: Pointer may be dereferenced a1c5149a82de scsi: qla2xxx: Correct the index of array 1b7e5bdf2be2 scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() 4f90a8b04816 scsi: qla2xxx: Fix potential NULL pointer dereference d25fded78d88 scsi: qla2xxx: Wait for io return on terminate rport 056fd1820724 tracing/probes: Fix not to count error code to total length 93114cbc7cb1 tracing: Fix null pointer dereference in tracing_err_log_open() 597eb52583d4 xtensa: ISS: fix call to split_if_spec e84829522fc7 ring-buffer: Fix deadloop issue on reading trace_pipe 481535905608 tracing/histograms: Add histograms to hist_vars if they have referenced variables 46574e5a0a2a tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk 30962268fa1a tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error 0697a1a592c7 Revert "8250: add support for ASIX devices with a FIFO bug" 45e55e9cac13 meson saradc: fix clock divider mask length 2cdced57bc00 ceph: don't let check_caps skip sending responses for revoke msgs 1883a484c87e hwrng: imx-rngc - fix the timeout for init and self check e3373e6b6c79 firmware: stratix10-svc: Fix a potential resource leak in svc_create_memory_pool() 826c7bfe5c49 serial: atmel: don't enable IRQs prematurely 15d4bd0f0a6b drm/rockchip: vop: Leave vblank enabled in self-refresh 6bc6ec8b0a0b drm/atomic: Allow vblank-enabled + self-refresh "disable" f86942709b0e fs: dlm: return positive pid value for F_GETLK ecfd1f82c4f5 md/raid0: add discard support for the 'original' layout dac4afa3efae misc: pci_endpoint_test: Re-init completion for every test dd2210379205 misc: pci_endpoint_test: Free IRQs before removing the device 9cfa4ef25de5 PCI: rockchip: Set address alignment for endpoint mode 35aec6bc0c04 PCI: rockchip: Use u32 variable to access 32-bit registers 13b93891308c PCI: rockchip: Fix legacy IRQ generation for RK3399 PCIe endpoint core c049b20655f6 PCI: rockchip: Add poll and timeout to wait for PHY PLLs to be locked a1f311d430f2 PCI: rockchip: Write PCI Device ID to correct register 592795119f2b PCI: rockchip: Assert PCI Configuration Enable bit after probe 35c95eda7b6d PCI: qcom: Disable write access to read only registers for IP v2.3.3 b0aac7792525 PCI: Add function 1 DMA alias quirk for Marvell 88SE9235 f450388d8b6d PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold a4855aeb13e4 jfs: jfs_dmap: Validate db_l2nbperpage while mounting ee2fd448608e ext4: only update i_reserved_data_blocks on successful block allocation 02543d1ddd77 ext4: fix wrong unit use in ext4_mb_clear_bb 96a85becb811 erofs: fix compact 4B support for 16k block size 42725e5c1b18 SUNRPC: Fix UAF in svc_tcp_listen_data_ready() 29a560437f67 misc: fastrpc: Create fastrpc scalar with correct buffer count b157987242bd powerpc: Fail build if using recordmcount with binutils v2.37 2b59740ebc86 net: bcmgenet: Ensure MDIO unregistration has clocks enabled 1fe96568e78b mtd: rawnand: meson: fix unaligned DMA buffers handling 86b9820395f2 tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation 96a16069a81d pinctrl: amd: Only use special debounce behavior for GPIO 0 6dcb493fc478 pinctrl: amd: Detect internal GPIO0 debounce handling a1a443651569 pinctrl: amd: Fix mistake in handling clearing pins at startup cf57a0853ba5 net/sched: make psched_mtu() RTNL-less safe 96391959a99e net/sched: flower: Ensure both minimum and maximum ports are specified 166fa538e0dd cls_flower: Add extack support for src and dst port range options aadca5f08aef wifi: airo: avoid uninitialized warning in airo_get_rate() cc2c06ca7fbf erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF b55c38fe2441 platform/x86: wmi: Break possible infinite loop when parsing GUID cb8a256202b9 platform/x86: wmi: move variables 669c488cb25a platform/x86: wmi: use guid_t and guid_equal() fd8049d6553f platform/x86: wmi: remove unnecessary argument 4c8e26fc3302 platform/x86: wmi: Fix indentation in some cases 8717326e4362 platform/x86: wmi: Replace UUID redefinitions by their originals c7eeba470585 ipv6/addrconf: fix a potential refcount underflow for idev 7a06554214fe NTB: ntb_tool: Add check for devm_kcalloc 88e243618e4c NTB: ntb_transport: fix possible memory leak while device_register() fails b5b9e041eb04 ntb: intel: Fix error handling in intel_ntb_pci_driver_init() 0ae4fac8fe33 NTB: amd: Fix error handling in amd_ntb_pci_driver_init() bb17520c0383 ntb: idt: Fix error handling in idt_pci_driver_init() 4e64ef41c6cf udp6: fix udp6_ehashfn() typo 61b4c4659746 icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev(). 4c7276a6daf7 ionic: remove WARN_ON to prevent panic_on_warn 3e77647acdcf ionic: ionic_intr_free parameter change f0dc38bdef52 ionic: move irq request to qcq alloc 7cf21fba1bf8 ionic: clean irq affinity on queue deinit ef7fc26b6a19 ionic: improve irq numa locality 808211a8d427 net/sched: cls_fw: Fix improper refcount update leads to use-after-free d98ac5bce2d5 net: mvneta: fix txq_map in case of txq_number==1 58cd168825b4 scsi: qla2xxx: Fix error code in qla2x00_start_sp() b49b55a7d578 igc: set TP bit in 'supported' and 'advertising' fields of ethtool_link_ksettings a45afb07121c igc: Remove delay during TX ring configuration 59c190082a01 drm/panel: simple: Add connector_type for innolux_at043tn24 64b76abfe32d drm/panel: Add and fill drm_panel type field 362940f8e40f drm/panel: Initialise panel dev and funcs through drm_panel_init() 6d5172a3ab8f workqueue: clean up WORK_* constant types, clarify masking 003d33924911 net: lan743x: Don't sleep in atomic context 373b9475ea8c block/partition: fix signedness issue for Amiga partitions 22df19fee7b9 tty: serial: fsl_lpuart: add earlycon for imx8ulp platform b7d636c924eb netfilter: nf_tables: prevent OOB access in nft_byteorder_eval 61c7a5256543 netfilter: conntrack: Avoid nf_ct_helper_hash uses after free 565bdccdded3 netfilter: nf_tables: fix scheduling-while-atomic splat 7c4610ac3b41 netfilter: nf_tables: unbind non-anonymous set if rule construction fails 90d54ee329d2 netfilter: nf_tables: reject unbound anonymous set before commit phase 1df28fde1270 netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain 1adb5c272b20 netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE 077ef851f0a3 netfilter: nf_tables: add rescheduling points during loop detection walks 11352851944c netfilter: nf_tables: use net_generic infra for transaction data d59ed9dc0058 netfilter: add helper function to set up the nfnetlink header and use it fa498dead9ee netfilter: nftables: add helper function to set the base sequence number ef35dd70a340 netfilter: nf_tables: fix nat hook table deletion d1b7fe307c75 block: add overflow checks for Amiga partition support 2b71cbf7ab48 fanotify: disallow mount/sb marks on kernel internal pseudo fs 9a6ce27a5d61 fs: no need to check source c1c41cda0ab1 ARM: orion5x: fix d2net gpio initialization 679c34821ab7 btrfs: fix race when deleting quota root from the dirty cow roots list f0fbbd405a94 fs: Lock moved directories b97ac51f8492 fs: Establish locking order for unrelated directories d95dc41ad181 Revert "f2fs: fix potential corruption when moving a directory" a9a926423a63 ext4: Remove ext4 locking of moved directory eefebf8877d3 fs: avoid empty option when generating legacy mount string e9a3310bc2fc jffs2: reduce stack usage in jffs2_build_xattr_subsystem() a249a61ac528 integrity: Fix possible multiple allocation in integrity_inode_get() 0729029e6472 bcache: Remove unnecessary NULL point check in node allocations 4be68f1c7076 mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used. 2f6c76994646 mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M c491e27151c1 mmc: core: disable TRIM on Kingston EMMC04G-M627 ce7278dedab7 NFSD: add encoding of op_recall flag for write delegation 5016511287dc ALSA: jack: Fix mutex call in snd_jack_report() c64fda48a3ad i2c: xiic: Don't try to handle more interrupt events after error 696e470e910e i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in xiic_process() 498962715773 sh: dma: Fix DMA channel offset calculation 58b1b3c54e16 net: dsa: tag_sja1105: fix MAC DA patching from meta frames 67a67e258407 net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX ab0085bd7902 xsk: Honor SO_BINDTODEVICE on bind 9347e432297e xsk: Improve documentation for AF_XDP e63dc31b9452 tcp: annotate data races in __tcp_oow_rate_limited() e9c2687988b7 net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode fffa51e786ce powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y 45b34500f3ef f2fs: fix error path handling in truncate_dnode() 860d9b717f65 mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0 398e6a015877 spi: bcm-qspi: return error if neither hif_mspi nor mspi is available 18d50fb44109 Add MODULE_FIRMWARE() for FIRMWARE_TG357766. 4d8fc6137749 sctp: fix potential deadlock on &net->sctp.addr_wq_lock 999ff7fe492b rtc: st-lpc: Release some resources in st_rtc_probe() in case of error d5c39cca4d03 pwm: sysfs: Do not apply state to already disabled PWMs 5375c024f8ae pwm: imx-tpm: force 'real_period' to be zero in suspend d252c74b8b7a mfd: stmpe: Only disable the regulators if they are enabled d9db18addf42 KVM: s390: vsie: fix the length of APCB bitmap baec796723b7 mfd: stmfx: Fix error path in stmfx_chip_init 5d26f134efa8 serial: 8250_omap: Use force_suspend and resume for system suspend 337073cacad4 mfd: intel-lpss: Add missing check for platform_get_resource 0a6afc83b028 usb: dwc3: qcom: Release the correct resources in dwc3_qcom_remove() becd09685d44 KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes 151b0dd6d1a0 mfd: rt5033: Drop rt5033-battery sub-device 8e8dae8eb230 usb: hide unused usbfs_notify_suspend/resume functions fe9cdc198619 usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe() 1531ba3fab51 extcon: Fix kernel doc of property capability fields to avoid warnings 257daec29dcd extcon: Fix kernel doc of property fields to avoid warnings 648a163cff21 usb: dwc3: qcom: Fix potential memory leak d485150c9a52 media: usb: siano: Fix warning due to null work_func_t function pointer 619e6f9a564a media: videodev2.h: Fix struct v4l2_input tuner index comment e9586c49bdd4 media: usb: Check az6007_read() return value fd869bdb5f12 sh: j2: Use ioremap() to translate device tree address into kernel memory 85f4c53849e4 w1: fix loop in w1_fini() dc88382c1d44 block: change all __u32 annotations to __be32 in affs_hardblocks.h fa8548d1a0a4 block: fix signed int overflow in Amiga partition support bec218258cbd usb: dwc3: gadget: Propagate core init errors to UDC during pullup f55127df9918 USB: serial: option: add LARA-R6 01B PIDs bac502cd472a hwrng: st - keep clock enabled while hwrng is registered 071560202a52 hwrng: st - Fix W=1 unused variable warning 18fa56ca4cb8 NFSv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION c182d87c67e2 ARC: define ASM_NL and __ALIGN(_STR) outside #ifdef __ASSEMBLY__ guard 02dc8e8bdbe4 modpost: fix off by one in is_executable_section() 1030c0c30968 crypto: marvell/cesa - Fix type mismatch warning ad3c4ecff00b modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24} 084bf580019c modpost: fix section mismatch message for R_ARM_ABS32 c893658d9ce6 crypto: nx - fix build warnings when DEBUG_FS is not enabled a43bcb0b661c hwrng: virtio - Fix race on data_avail and actual data b70315e44f03 hwrng: virtio - always add a pending request 102a354d52ca hwrng: virtio - don't waste entropy f2a7dfd35f0c hwrng: virtio - don't wait on cleanup 6fe732764a58 hwrng: virtio - add an internal buffer 2cbfb51d2c7e powerpc/mm/dax: Fix the condition when checking if altmap vmemap can cross-boundary aa3932eb0739 pinctrl: at91-pio4: check return value of devm_kasprintf() e297350c33f6 perf dwarf-aux: Fix off-by-one in die_get_varname() 7f822c8036fe pinctrl: cherryview: Return correct value if pin in push-pull mode 1768e362f20f PCI: Add pci_clear_master() stub for non-CONFIG_PCI 5d3955bc32d4 PCI: ftpci100: Release the clock resources 331dce61c0d4 PCI: pciehp: Cancel bringup sequence if card is not present f58c8563686b scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe() 666e7f9d60ce PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free 961c8370c5f7 scsi: qedf: Fix NULL dereference in error handling 6f64558b43cf ASoC: imx-audmix: check return value of devm_kasprintf() 35455616110b clk: keystone: sci-clk: check return value of kasprintf() ffe6ad17cf14 clk: cdce925: check return value of kasprintf() 5f13d67027fa ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer 801c8341f7af clk: tegra: tegra124-emc: Fix potential memory leak 262db3ff58e2 drm/radeon: fix possible division-by-zero errors cacc0506e571 drm/amdkfd: Fix potential deallocation of previously deallocated memory. 9e3858f82e3c fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe() 5541d1856c87 arm64: dts: renesas: ulcb-kf: Remove flow control for SCIF1 40ac5cb6cbb0 IB/hfi1: Fix sdma.h tx->num_descs off-by-one errors 68e0033dee72 soc/fsl/qe: fix usb.c build errors b756eb5eb9b0 ASoC: es8316: Do not set rate constraints for unsupported MCLKs d1c1ca27cac0 ASoC: es8316: Increment max value for ALC Capture Target Volume control b54bac970b54 memory: brcmstb_dpfe: fix testing array offset after use f54142ed16b5 ARM: ep93xx: fix missing-prototype warnings c2324c5aa247 drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H 4a23954279fc arm64: dts: qcom: msm8916: correct camss unit address 97dcb8dfefaa ARM: dts: gta04: Move model property out of pinctrl node 25bbd1c7bef8 RDMA/bnxt_re: Fix to remove an unnecessary log ed039ad88ab0 drm: sun4i_tcon: use devm_clk_get_enabled in `sun4i_tcon_init_clocks` 87ccaf56097a Input: adxl34x - do not hardcode interrupt trigger type c7a8cc9140cf ARM: dts: BCM5301X: Drop "clock-names" from the SPI node c516c00847f5 Input: drv260x - sleep between polling GO bit 3e789aee218b radeon: avoid double free in ci_dpm_init() bc5b57a23087 netlink: Add __sock_i_ino() for __netlink_diag_dump(). 1c405b3d3769 ipvlan: Fix return value of ipvlan_queue_xmit() 1d2ab3d4383e netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value. 337fdce45063 netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one 32deadf89430 lib/ts_bm: reset initial match offset for every block of text dd6ff3f38627 net: nfc: Fix use-after-free caused by nfc_llcp_find_local edc5d8776a32 nfc: llcp: simplify llcp_sock_connect() error paths 9c9662e2512b gtp: Fix use-after-free in __gtp_encap_destroy(). 08d8ff1bc688 selftests: rtnetlink: remove netdevsim device after ipsec offload test bd1de6107f10 netlink: do not hard code device address lenth in fdb dumps 8f6652ed2ad9 netlink: fix potential deadlock in netlink_set_err() 88d89b4a3102 wifi: ath9k: convert msecs to jiffies where needed 76d5bda2c3af wifi: cfg80211: rewrite merging of inherited elements e4c33144fc75 wifi: iwlwifi: pull from TXQs with softirqs disabled 2ba902da9090 rtnetlink: extend RTEXT_FILTER_SKIP_STATS to IFLA_VF_INFO 786e264b37d2 wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key() 68305a19bada memstick r592: make memstick_debug_get_tpc_name() static 6f4454ccbea9 kexec: fix a memory leak in crash_shrink_memory() 4503261ab97b watchdog/perf: more properly prevent false positives with turbo modes d5fa3918dfce watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct config 7874fb3bef8b wifi: rsi: Do not set MMC_PM_KEEP_POWER in shutdown 4dc3560561a0 wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes f432198058a6 wifi: ray_cs: Fix an error handling path in ray_probe() 8fe51dce8bdc wifi: ray_cs: Drop useless status variable in parse_addr() 0dec0ad304d4 wifi: ray_cs: Utilize strnlen() in parse_addr() ee73ad566a29 wifi: wl3501_cs: Fix an error handling path in wl3501_probe() b7df4e0cb4ed wl3501_cs: use eth_hw_addr_set() 24f34f67be24 net: create netdev->dev_addr assignment helpers dd5dca10d806 wl3501_cs: Fix misspelling and provide missing documentation 051d70773b9c wl3501_cs: Remove unnecessary NULL check 91c3c9eaf1ed wl3501_cs: Fix a bunch of formatting issues related to function docs add539f7d16b wifi: atmel: Fix an error handling path in atmel_probe() 5b06f702805d wifi: orinoco: Fix an error handling path in orinoco_cs_probe() ca4a2955d866 wifi: orinoco: Fix an error handling path in spectrum_cs_probe() 91c3325da240 regulator: core: Streamline debugfs operations 1bb38ef697e4 regulator: core: Fix more error checking for debugfs_create_dir() 6ca0c94f2b02 nfc: llcp: fix possible use of uninitialized variable in nfc_llcp_send_connect() 66a1be74230b nfc: constify several pointers to u8, char and sk_buff fea2104e752a wifi: mwifiex: Fix the size of a memory allocation in mwifiex_ret_802_11_scan() bc5099512057 spi: spi-geni-qcom: Correct CS_TOGGLE bit in SPI_TRANS_CFG f394d204d640 samples/bpf: Fix buffer overflow in tcp_basertt 90e3c1017757 wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx be3989d93be3 wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation 717e4277ddf7 ima: Fix build warnings 8430a8e8e854 pstore/ram: Add check for kstrdup 540cdd720772 evm: Complete description of evm_inode_setattr() 568b73406d93 ARM: 9303/1: kprobes: avoid missing-declaration warnings ba6da16eefb1 powercap: RAPL: Fix CONFIG_IOSF_MBI dependency c97460ce1f7c PM: domains: fix integer overflow issues in genpd_parse_state() 54cc10a0f4b0 clocksource/drivers/cadence-ttc: Fix memory leak in ttc_timer_probe 38ca169d66c3 clocksource/drivers/cadence-ttc: Use ttc driver as platform driver 8af3b8d770da tracing/timer: Add missing hrtimer modes to decode_hrtimer_mode(). 7b0c664541cd irqchip/jcore-aic: Fix missing allocation of IRQ descriptors d244927e350e irqchip/jcore-aic: Kill use of irq_create_strict_mappings() be481881753b md/raid10: fix io loss while replacement replace rdev 45fa023b3334 md/raid10: fix null-ptr-deref of mreplace in raid10_sync_request 31c805a44b75 md/raid10: fix wrong setting of max_corr_read_errors 283f4a63fee3 md/raid10: fix overflow of md/safe_mode_delay b0b971fe7d61 md/raid10: check slab-out-of-bounds in md_bitmap_get_counter 484104918305 x86/resctrl: Only show tasks' pid in current pid namespace 7206eca1ac44 x86/resctrl: Use is_closid_match() in more places 6f2bb37da468 bgmac: fix *initial* chip reset to support BCM5358 794bfb6fd992 drm/amdgpu: Validate VM ioctl flags. 2a4cfd5b0354 scripts/tags.sh: Resolve gtags empty index generation fff826d665f9 drm/i915: Initialise outparam for error return from wait_for_register 99036f1aed7e HID: wacom: Use ktime_t rather than int when dealing with timestamps 815c95d82b79 fbdev: imsttfb: Fix use after free bug in imsttfb_probe a7c8d2f3753d video: imsttfb: check for ioremap() failures f042d80a631f x86/smp: Use dedicated cache-line for mwait_play_dead() 23f98fe887ce gfs2: Don't deref jdesc in evict
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Bruce Ashfield [Tue, 8 Aug 2023 03:55:45 +0000 (23:55 -0400)]
linux-yocto/5.4: update to v5.4.250
Updating to the latest korg -stable release that comprises
the following commits:
27745d94abe1 Linux 5.4.250 00363ef30797 x86/cpu/amd: Add a Zenbleed fix 92b292bed627 x86/cpu/amd: Move the errata checking functionality up 4d4112e2845c x86/microcode/AMD: Load late on both threads too
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
The commit [https://github.com/openembedded/openembedded-core/commit/c22bbe9b45e3]
backports fix for CVE-2023-25193 for version 2.6.4.
The apply() in src/hb-ot-layout-gpos-table.hh ends prematurely.
The if block in apply() has an extra return statement,
which causes it to return w/o executing
buffer->unsafe_to_concat_from_outbuffer() function.
Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Yuta Hayama [Thu, 27 Jul 2023 08:56:26 +0000 (17:56 +0900)]
cve-update-nvd2-native: always pass str for json.loads()
Currently json.loads() accepts one of the types str, bytes, or bytearray
as an argument, but bytes and bytearrays have only been allowed since
python 3.6. The version of Python3 provided by default on Ubuntu 16.04
and Debian 9.x is 3.5, so make raw_data type str to work correctly on
these build hosts.
Signed-off-by: Yuta Hayama <hayama@lineo.co.jp> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Peter Marko [Thu, 10 Aug 2023 20:22:37 +0000 (22:22 +0200)]
procps: patch CVE-2023-4016
Backport patch from upstream master.
There were three changes needed to apply the patch:
* move NEWS change to start of the file
* change file location from src/ps/ to ps/
* change xmalloc/xcmalloc to malloc/cmalloc
The x*malloc functions were introduced in commit in future version.
https://gitlab.com/procps-ng/procps/-/commit/584028dbe513127ef68c55aa631480454bcc26bf
They call the original function plus additionally throw error when out of memory.
https://gitlab.com/procps-ng/procps/-/blob/v4.0.3/local/xalloc.h?ref_type=tags
So this replacement is correct in context of our version.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Emily Vekariya [Wed, 9 Aug 2023 12:40:44 +0000 (18:10 +0530)]
qemu: CVE-ID correction for CVE-2020-35505
- The commit [https://github.com/qemu/qemu/commit/995457517340]
("esp: ensure cmdfifo is not empty and current_dev is non-NULL")
fixes CVE-2020-35505 instead of CVE-2020-35504.
- Hence, corrected the CVE-ID in CVE-2020-35505.patch.
- Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
Signed-off-by: Emily Vekariya <emily.vekariya@einfochips.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Peter Marko [Sat, 29 Jul 2023 18:23:19 +0000 (20:23 +0200)]
libarchive: ignore CVE-2023-30571
This issue was reported and discusses under [1] which is linked in NVD CVE report.
It was already documented that some parts or libarchive are thread safe and some not.
[2] was now merged to document that also reported function is not thread safe.
So this CVE *now* reports thread race condition for non-thread-safe function.
And as such the CVE report is now invalid.
The issue is still not closed for 2 reasons:
* better document what is and what is not thread safe
* request to public if someone could make these functions thread safe
This should however not invalidate above statment about ignoring this CVE.
Peter Marko [Sun, 23 Jul 2023 09:17:18 +0000 (11:17 +0200)]
python3: ignore CVE-2023-36632
This CVE shouldn't have been filed as the "exploit" is described in the
documentation as how the library behaves.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c652f094d86c4efb7ff99accba63b8169493ab18) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Tom Hochstein [Wed, 7 Sep 2022 22:38:51 +0000 (17:38 -0500)]
cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK
When building using an SDK, cmake complains that the target
architecture 'cortexa53-crypto' is unknown. The same build in bitbake
uses the target architecture 'aarch64'.
Set CMAKE_SYSTEM_PROCESSOR the same as for bitbake.
Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d32a6225eefce2073a1cd401034b5b4c68351bfe) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Nikhil R [Mon, 10 Jul 2023 11:19:47 +0000 (16:49 +0530)]
libpng: Add ptest for libpng
libpng is a platform-independent library which
supports all PNG features.
This ptest executes the below binaries, parses
the png image and prints the image features.
1. pngfix - provides information about PNG image
copyrights details.
2. pngtest - tests, optimizes and optionally fixes
the zlib header in PNG files.
3. pngstest - verifies the integrity of PNG image by
dumping chunk level information.
4. timepng - provides details about PNG image chunks.
Signed-off-by: Nikhil R <nikhil.r@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
Anthony Bagwell [Mon, 15 Feb 2021 15:16:06 +0000 (15:16 +0000)]
kernel-fitimage: fix dtbo support for fit images
8a2f4e143 added support for u-boot boot script but missed adding the
extra parameter to fitimage_emit_section_config on the dtbo branch
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 22bac8aea0d5d28cc5a3bf20edf638225cce2f88) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Trevor Gamblin [Tue, 30 May 2023 15:57:19 +0000 (11:57 -0400)]
vim: upgrade 9.0.1527 -> 9.0.1592
Fixes:
https://nvd.nist.gov/vuln/detail/CVE-2023-2609 d1ae836 patch 9.0.1531: crash when register contents ends up being invalid
https://nvd.nist.gov/vuln/detail/CVE-2023-2610 ab9a2d8 patch 9.0.1532: crash when expanding "~" in substitute causes very long text
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1e4b4dfb4145bc00eb6937b5f54a41170e9a5b4c) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 47438402fa430499864a4b1f1a13eaac66aa21c0) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 64603f602d00999220fe5bafeed996ddcb56d36b) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ross Burton [Tue, 11 Jul 2023 11:54:47 +0000 (12:54 +0100)]
cve-update-nvd2-native: actually use API keys
There were vestigal remains of API key support which could be removed,
but as using an API key - in theory - gives the user larger rate limits
it's probably wise to expose it.
If the user has an API key, then set NVDCVE_API_KEY.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a542de684282bfec79f24ae2f1a2027ffde319d8) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ross Burton [Tue, 11 Jul 2023 11:26:35 +0000 (12:26 +0100)]
cve-update-nvd2-native: log a little more
Add a note of what range we're fetching, and use bb.note() instead of
debug() as messages about retrying shouldn't really be considered debug
logging.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b64a869b9c5e1d504f1011da16b5c5ff721afbf0) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Peter Marko [Tue, 11 Jul 2023 06:36:29 +0000 (08:36 +0200)]
cve-update-nvd2-native: increase retry count
Current 503 errors seem to last several seconds.
In most cases there are two errors and third request succeeds.
However sometimes the outage takes more than time needed
for two retries and third one also fails.
Extend retry count from 3 to 5 to improve the probablity
that the fetcher succeeds.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f4d118af2360cff7f234102fd5e4b65a6f4146a6) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Peter Marko [Tue, 11 Jul 2023 06:36:28 +0000 (08:36 +0200)]
cve-update-nvd2-native: retry all errors and sleep between retries
Last couple days it is not possible to update NVD DB as servers
are returning lot of errors.
Mostly "HTTP Error 503: Service Unavailable" is observed but
sporadially also some others.
Retrying helps in most cases, so extend retries to all errors.
Additionally add sleep which is recommended by NVD between requests.
These retries are already implemented between successful requests,
but giving servers time between failed ones is important, too.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 88dad8f198baa80af5ab576498f4df6ed639d551) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Peter Marko [Thu, 29 Jun 2023 21:12:52 +0000 (23:12 +0200)]
cve-update-nvd2-native: fix cvssV3 metrics
After upgrade to soon-to-be-released kirkstone 4.0.11 CVE annotations got broken.
Anything which has only cvssV3 does not resolve properly.
Fix the API fields used to extract it.
i0.0 score is now at level of NVD DB 1.1.
All CVEs with UNKNOWN vector are not present in NVD DB 1.1.
NVD API 1.1:
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|4776
LOCAL|32146
NETWORK|167746
PHYSICAL|185
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|73331
1.8|7
1.9|3
...
NVD API 2.0 (broken):
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|4587
LOCAL|26273
NETWORK|150421
UNKNOWN|24644
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|205925
NVD API 2.0 (fixed):
sqlite> select vector, count(vector) from nvd group by vector;
ADJACENT_NETWORK|5090
LOCAL|32322
NETWORK|168004
PHYSICAL|213
UNKNOWN|511
sqlite> select scorev3, count(scorev3) from nvd group by scorev3;
0.0|73841
1.8|7
1.9|3
...
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 61a5857efdcc0f49c69c0deb24fce99007aeef19) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ross Burton [Fri, 23 Jun 2023 12:32:50 +0000 (13:32 +0100)]
cve-update-nvd2-native: use exact times, don't truncate
When requesting updates in a specific range, use the actual current time
and database mtime instead of truncating to midnight, and explicitly set
the timezone to UTC so that NIST don't treat the timestamps as _their_ local
time when they're _our_ local time.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9aa0ec37f5f74252588d2494a71c71a7d8e68df9) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 61947762e410c685f667e0af6440fb8a33cd6777) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Mikko Rapeli [Tue, 13 Jun 2023 08:02:16 +0000 (11:02 +0300)]
useradd-staticids.bbclass: improve error message
Current error message is difficult to read:
ERROR: Nothing PROVIDES 'image'
trs-image was skipped: image - image: normal username test does not have a static ID defined. Add test to one of these files
It's not clear that first "image" is recipe name, second "image" is
binary package name and that "test" is the user account which does not
have a static ID defined. Improve the error message so that these are
more explicit. Now the error message looks like:
image was skipped: Recipe image, package image: normal username "test" does not have a static ID defined.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 07898218f3908a83e07178b6530dfa48d55d4ec2) Signed-off-by: Steve Sakoman <steve@sakoman.com>
scripts/runqemu: allocate unfsd ports in a way that doesn't race or clash with unrelated processes
There is already a neat check_free_port() function for finding an available port
atomically, so use that and make two additional tweaks:
- no need to allocate two separate ports; per unfsd documentation they can be the same
- move lockfile release until after unfsd has been shut down and the port(s) used has been freed
[YOCTO #15077]
Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dee96e82fb04ea99ecd6c25513c7bd368df3bd37) Signed-off-by: Steve Sakoman <steve@sakoman.com>