A vulnerability in Outline.cc for Poppler prior to 23.06.0
allows a remote attacker to cause a Denial of Service (DoS)
(crash) via a crafted PDF file in OutlineItem::open.
Reference:
https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Update run-ptest script to print the output of python3-appdirs ptest results in
unified format
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
When using the image type:
IMAGE_FSTYPES += " wic.sparse"
IMAGE_CLASSES += " image_types_sparse"
The following error arises:
Syntax error: Bad function name
So need to remove function in favor of variable.
Signed-off-by: Chris Dimich <chris.dimich@boundarydevices.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* use BPN, BP where useful
* use prefix instead of hardcoding /usr
* add patch to search also in lib32 subdir of --with-libpcap value
to fix:
checking for libpcap... configure: error: "Unable to find matching library for header file in TOPDIR/BUILD/work/raspberrypi4_64-oemllib32-linux-gnueabi/lib32-tcpreplay/4.4.4-r0/lib32-recipe-sysroot/usr"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* testing ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_LIBDIR} existence
doesn't really work in cross compilation and on some hosts was causing:
ERROR: QA Issue: libcyusbserial: Files/directories were installed but not shipped in any package:
/usr/lib/libcyusbserial.so.1
/usr/lib/libcyusbserial.so
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
libcyusbserial: 2 installed and not shipped files. [installed-vs-shipped]
with multilib using /usr/lib32 or /usr/lib64 when the same didn't
exist on host.
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
==========
Source code:
----------------
Fix spaces before tabs in indentation.
Updated printers:
-----------------
LSP ping: Fix "Unused value" warnings from Coverity.
CVE-2023-1801: Fix an out-of-bounds write in the SMB printer.
DNS: sync resource types with IANA.
ICMPv6: Update the output to show a RPL DAO field name.
Geneve: Fix the Geneve UDP port test.
Building and testing:
----------------------
Require at least autoconf 2.69.
Don't check for strftime(), as it's in C90 and beyond.
Update config.{guess,sub}, timestamps 2023-01-01,2023-01-21.
Documentation:
-------------
man: Document TCP flag names better.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2e782260d0b6018614dbdea95899a4a0921915e0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2
and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote
authenticated user can trigger a kadmind crash. This occurs because
_xdr_kadm5_principal_ent_rec does not validate the relationship
between n_key_data and the key_data array count.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-36054
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Yasm v1.3.0.78 was found prone to NULL Pointer Dereference in /libyasm/intnum.c
and /elf/elf.c, which allows the attacker to cause a denial of service via a
crafted file.
References:
https://github.com/yasm/yasm/issues/233https://nvd.nist.gov/vuln/detail/CVE-2023-37732
Signed-off-by: Soumya <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in open-mpi hwloc 2.1.0 allows attackers to cause
a denial of service or other unspecified impacts via glibc-cpuset in topology-linux.c.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-47022https://github.com/open-mpi/hwloc/issues/544
Upstream patches:
ac1f8db9a0
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-3748:
A flaw was found in FRRouting when parsing certain babeld unicast hello
messages that are intended to be ignored. This issue may allow an
attacker to send specially crafted hello messages with the unicast flag
set, the interval field set to 0, or any TLV that contains a sub-TLV
with the Mandatory flag set to enter an infinite loop and cause a denial
of service.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-3748
Patch from:
ae1e0e1fed
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ee1026ab77dcb31b0f5cb723b4d998aab4c00382)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Drop unneeded autotools-brokensep class inherit, this package has
traditional makefile build.
This change also fixes the below buildpaths issue altogether.
WARNING: mcelog-191-r0 do_package_qa: QA Issue: File /usr/sbin/.debug/mcelog in package mcelog-dbg contains reference to TMPDIR [buildpaths]
(cherry picked from commit 29e6c4928cfbfe3a00921b956938781d53563582)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Khronos-cts.inc is used for building vulkan-cts or opengl-es-cts. Even
though vulkan-cts depends on vulkan-loader, which automatically
requires vulkan distro feature, it is more explicitly stated if written
here next to opengl.
Some systems do not support a windowing service (like wayland) but still
might use standard khronos GPU libraries. For these cases, wayland
dependancy is invalid.
Patch replaces the invalid wayland distro feature dependancy with
vulkan for clarity.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
php 8.2.7 is a security release and the php 8.2.8 is a bug fix release
and more details at [1].
[1] https://www.php.net/ChangeLog-8.php#8.2.7
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The current use of RDEPENDS to add a dependency on bats results
in the QA warning/error
lib32-libgpiod package lib32-libgpiod-ptest-dev - suspicious values
'bats-dev' in RRECOMMENDS [multilib]
when building lib32-libgpiod with ptest not enabled. We add the
dependency only if ptest is enabled.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9904bd6a24ed9327bd05926ba28f9c2ea49e34dd)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
https://c-ares.org/changelog.html
c-ares version 1.19.1 - May 22 2023
Security:
CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
CVE-2023-31147 Moderate. Insufficient randomness in generation of DNS
query IDs
CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton()
CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during
cross compilation
Bug fixes:
Fix uninitialized memory warning in test
Turn off IPV6_V6ONLY on Windows to allow IPv4-mapped IPv6 addresses
ares_getaddrinfo() should allow a port of 0
Fix memory leak in ares_send() on error
Fix comment style in ares_data.h
Remove unneeded ifdef for Windows
Fix typo in ares_init_options.3
Re-add support for Watcom compiler
Sync ax_pthread.m4 with upstream
Windows: Invalid stack variable used out of scope for HOSTS path
Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Mbed TLS 2.28 is a long-time support branch. It will be supported with
bug-fixes and security fixes until end of 2024.
ChangeLog:
https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This release contains bug fixes only.
The following CVEs have been addressed:
CVE-2023-27783
CVE-2023-27784
CVE-2023-27785
CVE-2023-27786
CVE-2023-27787
CVE-2023-27788
CVE-2023-27789
Changelog:
=========
dlt_jnpr_ether_cleanup: check subctx before cleanup by @Marsman1996 in #781
Bug #780 assert tcpedit dlt cleanup by @fklassen in #800
Fix bugs caused by strtok_r by @Marsman1996 in #783
Bug #782#784#785#786#787#788 strtok r isuses by @fklassen in #801
Update en10mb.c by @david-guti in #793
PR #793 ip6 unicast flood by @fklassen in #802
Bug #719 fix overflow check for parse_mpls() by @fklassen in #804
PR #793 - update tests for corrected IPv6 MAC by @fklassen in #805
PR #793 - update tests for vlandel by @fklassen in #806
Feature #773 gh actions ci by @fklassen in #807
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A vulnerability classified as problematic was found in OpenCV
wechat_qrcode Module up to 4.7.0. Affected by this vulnerability
is the function DecodedBitStreamParser::decodeByteSegment of the
file qrcode/decoder/decoded_bit_stream_parser.cpp. The manipulation
leads to null pointer dereference. The attack can be launched
remotely. The exploit has been disclosed to the public and may
be used. It is recommended to apply a patch to fix this issue.
The associated identifier of this vulnerability is VDB-228547.
Signed-off-by: Soumya <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This reverts commit 0abf5af3ffd3d13c009a8ffcd5a6f045c36be837
libopencv-ts package is not empty and libopencv_ts libraries are
not all installed in the -dev package, these libraries are needed
for sdk development listed in opencv4.pc file.
Signed-off-by: Sandeep Gundlupet Raju <sandeep.gundlupet-raju@amd.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Look for level transitions when testing toggling
values because using fixed delays to assume value
changes is not reliable.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
cherry-pick from meta-oe/master 45a8bb2620...
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
These pyc files include references to buildtime TMPDIR, therefore delete
them and let them be regerated during runtime if needed.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b1b7ee87ac55fced4bcf88b0e374025d7f908731)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Remove intltool-native as it is not used, and add autoconf-archive-native.
Also explicitly disable systemd when not selected to be sure it doesn't
automatically enable.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0713297ae90cdf6fc7339ebdcaf5f6f839bcd028)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This can be satisfied via transitive dependencies, but make it an
explicit DEPENDS.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2697f5bcf4f2396efe93a3597d2f96290d9fd2a8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
If you try to build libblockdev with an empty PACKAGECONFIG then the
configure fails.
Add autoconf-archive, glib-2.0, and udev; these were implicitly pulled
in via other dependencies. Move kmod to DEPENDS as it's a hard
requirement.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f14663746bd519650c8654bbf91971a0a96c109e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This can be satisfied via transitive dependencies, but make it an
explicit DEPENDS.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5fca30d672c291b1af8284d6d5cbfc520c95d4fc)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This can be satisfied via transitive dependencies, but make it an
explicit DEPENDS.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit dbbafeceb4f84625d6eab59c50500b6b8347c613)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
