[OE-core] Patchtest results for [meta-selinux] [scarthgap] [PATCH] selinux: Mark CVE-2020-10751 as Patched

2025-01-16 Thread Patchtest via lists.openembedded.org
Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information: --- Testing patch /home/patchtest/share/mboxes/meta-selinux-scarthgap-selinux-Mark-CVE-2020-10751-as-Patched.patch FAIL: test target mailing list: Series sent to

[OE-core] [meta-selinux] [scarthgap] [PATCH] selinux: Mark CVE-2020-10751 as Patched

2025-01-16 Thread Madhu Marri via lists.openembedded.org
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2020-10751 Type: Security Advisory CVE: CVE-2020-10751 Score: 6.1 Patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fb73974172ff Analysis: - This is a selinux cve which is addressed in kernel. - The fix is availa

[oe-core][PATCH 1/1] rsync: upgrade 3.3.0 -> 3.4.1

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli CVEs addressed in this release: CVE-2024-12084 CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747 Refreshed below patches: makefile-no-rebuild.patch determism.patch 0001-Add-missing-prototypes-to-function-declarations.patch Changelog: https://git

[OE-core][kirkstone][PATCH 1/1] wget: fix CVE-2024-10524

2025-01-16 Thread dchellam via lists.openembedded.org
From: Divya Chellam Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host. Reference: https://nvd.nist.gov

Re: [OE-core] [PATCH] kernel-yocto: make kernel commits reproducible

2025-01-16 Thread Bruce Ashfield via lists.openembedded.org
On Thu, Jan 16, 2025 at 9:19 AM Enrico Jörns wrote: > Am Freitag, dem 20.12.2024 um 09:59 -0500 schrieb Bruce Ashfield: > > On Tue, Dec 17, 2024 at 2:46 AM Enrico Jörns wrote: > > > The git commit hashes for the kernel checkout are not reproducible > under > > > certain conditions: > > > > > > -

[OE-core][scarthgap][styhead][PATCH] socat: patch CVE-2024-54661

2025-01-16 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Picked upstream commit https://repo.or.cz/socat.git/commitdiff/4ee1f31cf80019c5907876576d6dfd49368d660f Since this was the only commit in 1.8.0.2 it also contained release changes which were dropped. Signed-off-by: Peter Marko --- .../socat/files/CVE-2024-54661.patch

Re: [oe-core][kirkstone][PATCH 1/1] socat: Fix CVE-2024-54661

2025-01-16 Thread Peter Marko via lists.openembedded.org
This patch cannot work. It picks only one line from a larger commit. And $STDERR is I think not initialized here. I have sent a patch picking the whole commit. Peter > -Original Message- > From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Polampall

[OE-core][kirkstone][PATCH] socat: patch CVE-2024-54661

2025-01-16 Thread Peter Marko via lists.openembedded.org
From: Peter Marko Picked upstream commit https://repo.or.cz/socat.git/commitdiff/4ee1f31cf80019c5907876576d6dfd49368d660f Since this was the only commit in 1.8.0.2 it also contained release changes which were dropped. Signed-off-by: Peter Marko --- .../socat/socat/CVE-2024-54661.patch

Re: [OE-core] [PATCH 2/5] vex.bbclass: Cease forced symlink creation

2025-01-16 Thread Niko Mauno via lists.openembedded.org
On 15.1.2025 11.16, Niko Mauno via lists.openembedded.org wrote: On 14.1.2025 17.57, Marta Rybczynska wrote: On Tue, Jan 14, 2025 at 4:38 PM Niko Mauno via lists.openembedded.org

Re: [OE-core] [PATCH 2/2] base: Add virtual/cross-XXX recipe specific provider control handling

2025-01-16 Thread Richard Purdie via lists.openembedded.org
I should perhaps talk about the issues this patch series highlights. My first observation is a conflict between my choice of "virtual/cross-sdk-cc" and our renaming wanting it to become "virtual/nativesdk-cross-sdk-cc" due to MLPREFIX being needed/added for multilibs. I'm torn on going through a

[OE-core][PATCH] lib: spdx: Upgrade to final 3.0.1 release

2025-01-16 Thread Joshua Watt via lists.openembedded.org
The 3.0.1 release of SPDX has been officially released with a few minor modifications. Regenerate the bindings to use this version. Signed-off-by: Joshua Watt --- meta/lib/oe/sbom30.py | 2 +- meta/lib/oe/spdx30.py | 146 -- 2 files changed, 85 insertion

Re: [OE-core] [PATCH V2 1/2] rust: fix for rust multilib sdk configuration

2025-01-16 Thread Sundeep KOKKONDA via lists.openembedded.org
The config file has options to set the linker for the target, which is anyway getting set with the sdk environment. So, the config file is redundant and removed.

[oe-core][kirkstone][PATCH 7/8] rsync: fix CVE-2024-12088

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A flaw was found in rsync. When using the `--safe-links` option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the de

[oe-core][kirkstone][PATCH 8/8] rsync: fix CVE-2024-12747

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time,

[oe-core][kirkstone][PATCH 6/8] rsync: fix CVE-2024-12087

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive

[oe-core][kirkstone][PATCH 5/8] rsync: fix CVE-2024-12086

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data

[oe-core][kirkstone][PATCH 3/8] rsync: fix CVE-2024-12084

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in t

[oe-core][kirkstone][PATCH 1/8] rsync: update 3.2.5 -> 3.2.7

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Alexander Kanavin Rebase patches. (From OE-Core rev: 827c787893caa973c509acf7cac9e17fec5692a4) Signed-off-by: Alexander Kanavin Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie Signed-off-by: Archana Polampalli --- ...-prototypes-to-function-declarations.patch | 28

[oe-core][kirkstone][PATCH 2/8] rsync: Delete pedantic errors re-ordering patch

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Khem Raj It has been fixed by removing the check upstream see https://github.com/WayneD/rsync/commit/9a3449a3980421f84ac55498ba565bc112b20d6c (From OE-Core rev: c6228b8371ea5c3c452db7b536948ae96d83844b) Signed-off-by: Khem Raj Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purd

[oe-core][kirkstone][PATCH 4/8] rsync: fix CVE-2024-12085

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialize

[oe-core][scarthgap][PATCH 5/6] rsync: fix CVE-2024-12088

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A flaw was found in rsync. When using the `--safe-links` option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the de

[oe-core][scarthgap][PATCH 2/6] rsync: fix CVE-2024-12085

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialize

[oe-core][scarthgap][PATCH 1/6] rsync: fix CVE-2024-12084

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in t

[oe-core][scarthgap][PATCH 6/6] rsync: fix CVE-2024-12747

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time,

[oe-core][scarthgap][PATCH 4/6] rsync: fix CVE-2024-12087

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive

[oe-core][scarthgap][PATCH 3/6] rsync: fix CVE-2024-12086

2025-01-16 Thread Polampalli, Archana via lists.openembedded.org
From: Archana Polampalli A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data

Re: [OE-core] [PATCH V2 1/2] rust: fix for rust multilib sdk configuration

2025-01-16 Thread Richard Purdie via lists.openembedded.org
On Thu, 2025-01-16 at 05:48 -0800, Sadineni, Harish via lists.openembedded.org wrote: > From: Harish Sadineni > > YOCTO [#15061] > The rust sdk installs both 'rust.sh' and 'cargo.sh' for lib32 and lib64 in > the same location. > This causes below error while installing the lib32 & lib64 binarie

Re: [OE-core] [PATCH] kernel-yocto: make kernel commits reproducible

2025-01-16 Thread Enrico Jörns
Am Freitag, dem 20.12.2024 um 09:59 -0500 schrieb Bruce Ashfield: > On Tue, Dec 17, 2024 at 2:46 AM Enrico Jörns wrote: > > The git commit hashes for the kernel checkout are not reproducible under > > certain conditions: > > > > - If the git repository is initialized on an archive (rather than a

[OE-core] Patchtest results for [PATCH V2 1/2] rust: fix for rust multilib sdk configuration

2025-01-16 Thread Patchtest via lists.openembedded.org
Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information: --- Testing patch /home/patchtest/share/mboxes/V2-1-2-rust-fix-for-rust-multilib-sdk-configuration.patch FAIL: test max line length: Patch line too long (current

[OE-core][scarthgap][PATCH] avahi: fix CVE-2024-52616

2025-01-16 Thread Zhang, Peng (Paul) (CN) via lists.openembedded.org
From: Zhang Peng CVE-2024-52616: A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs. Refer

[OE-core] [PATCH V2 1/2] rust: fix for rust multilib sdk configuration

2025-01-16 Thread Sadineni, Harish via lists.openembedded.org
From: Harish Sadineni YOCTO [#15061] The rust sdk installs both 'rust.sh' and 'cargo.sh' for lib32 and lib64 in the same location. This causes the error below while installing the lib32 & lib64 binaries: Error: Transaction test error: file /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-po

[OE-core] [PATCH V2 2/2] oeqa/sdk/context: fix for gtk3 test failure during do_testsdk

2025-01-16 Thread Sadineni, Harish via lists.openembedded.org
From: Harish Sadineni The do_testsdk for lib32-core-image-sato aborts with the error below: configure: error: Package requirements (gtk+-3.0) were not met: No package 'gtk+-3.0' found Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix. Thi

[OE-core] [PATCH] lttng-tools: disable patching our libtool.m4

2025-01-16 Thread Ross Burton via lists.openembedded.org
Twelve years ago, libtool on Debian had a patch that meant it failed to cross-compile lttng-tools correctly. The solution at the time was to sed libtool.m4 whilst configure was being run[1], which (assuming it patches the correct file) results in a re-execution of configure during do_compile. This

Re: [OE-core] [PATCH 1/2] rust: fix for rust multilib sdk configuration

2025-01-16 Thread Sadineni, Harish via lists.openembedded.org
Did testing for the following architectures x86, x86_64, arm, aarch64, ppc using the following commands: bitbake core-image-sato bitbake core-image-sato -c populate_sdk bitbake core-image-sato -c testsdk Multilib Testing was conducted for x86_64 and aarch64 using the following commands: bitbake core-ima

[OE-core] Patchtest results for [PATCH 1/2] rust: fix for rust multilib sdk configuration

2025-01-16 Thread Patchtest via lists.openembedded.org
Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information: --- Testing patch /home/patchtest/share/mboxes/1-2-rust-fix-for-rust-multilib-sdk-configuration.patch FAIL: test max line length: Patch line too long (current len

[OE-core] [PATCH 2/2] oeqa/sdk/context: fix for gtk3 test failure during do_testsdk

2025-01-16 Thread Sadineni, Harish via lists.openembedded.org
From: Harish Sadineni The do_testsdk for lib32-core-image-sato aborts with the error below: configure: error: Package requirements (gtk+-3.0) were not met: No package 'gtk+-3.0' found Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix. Thi

[OE-core] [PATCH 1/2] rust: fix for rust multilib sdk configuration

2025-01-16 Thread Sadineni, Harish via lists.openembedded.org
From: Harish Sadineni YOCTO [#15061] The rust sdk installs both 'rust.sh' and 'cargo.sh' for lib32 and lib64 in the same location. This causes the error below while installing the lib32 & lib64 binaries: Error: Transaction test error: file /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-p

[OE-core] [scarthgap][PATCH] Revert "bluez5: remove configuration files from install task"

2025-01-16 Thread Catalin Popescu via lists.openembedded.org
This reverts commit 49391fdcf71b32c5fd3c7b134c1d1c45cc1db388 which introduced a bluetooth regression on systems with read-only rootfs. When configuration files are missing, bluez tries to generate them which fails on a read-only rootfs. As a result bluetooth service fails to start and bluetooth is

[OE-core] [PATCH] gcc: poison-system-directories patch updated for missing paths

2025-01-16 Thread SunilKumar.Dora via lists.openembedded.org
From: Sunil Dora Modified logic in gcc/incpath.cc to ensure that non-existing host system paths are not deleted during cross-compilation. If the build system attempts to search a host path, gcc will now issue a warning instead of silently ignoring it. Fixes [YOCTO #15672] https://bugzilla.yoct

[OE-core] [scarthgap][PATCH] ofono: Fix multiple CVEs

2025-01-16 Thread Hitendra Prajapati via lists.openembedded.org
Backport fixes for: * CVE-2024-7539 - Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=389e2344f86319265fb72ae590b470716e038fdc * CVE-2024-7543 - Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=90e60