The first version of this patch introduced a problem with python3-pyqt5.
Python emitted the following error message when one attempted to import
PyQt5.Qt:
ImportError: dynamic module does not define module export function (PyInit_Qt)
This came about due to segfault in sip when executed in do_configure of
python3-pyqt5. This resulted in a zero-length sipQtcmodule.c file being
produced. This compiled successfully which meant no build failure was
observed.
The segfault was caused by a mistake in backporting the patch from SIP 6.
The generateCompositeCpp() function uses the generate_include_sip_h()
helper function in later versions which doesn't exist in SIP 4.
We must replace the first parameter passed to isPY_SSIZE_T_CLEAN() from
mod to pt->module to account for this. The change is not necessary for
generateInternalAPIHeader()
To simplify the patch we can remove the generated lexer and parser files
and run flex and bison in do_configure instead.
Signed-off-by: Rob Woolley <rob.woolley@windriver.com>
Tested-by: Toby Flynn <campingandskiing@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Align to commit 8e297cdc841c6cad34097f00a6903ba25edfc153
("nginx: Remove obsolete patch") by removing reference to
removed patch file. By doing so we mitigate the following
BitBake complaint:
WARNING: .../meta-openembedded/meta-webserver/recipes-httpd/nginx/nginx_1.21.1.bb: Unable to get checksum for nginx SRC_URI entry 0001-HTTP-2-per-iteration-stream-handling-limit.patch: file could not be found
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
With the inclusion of commit 85102dd2dff41945997b983f7c2bfc954dd3bc47
the same patch was introduced again, thus this copy can be deleted
(which accidently was never used, since I originally forgot to add it to
the SRC_URI, whoops).
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A flaw was found in libssh. By utilizing the
ProxyCommand or ProxyJump feature, users can exploit
unchecked hostname syntax on the client. This issue
may allow an attacker to inject malicious code into
the command of the features mentioned through the
hostname parameter
Signed-off-by: Nikhil R <nikhil.r@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
https://nvd.nist.gov/vuln/detail/CVE-2024-0743
mentions bug 1867408 as tracking fix for this issue.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
https://nvd.nist.gov/vuln/detail/CVE-2023-5388
mentions bug 1780432 as tracking fix for this issue.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The HTTP/2 protocol allows a denial of service (server resource consumption)
because request cancellation can reset many streams quickly, as exploited in
the wild in August through October 2023.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To fix crash due to missing module:
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 42, in <module>
from typing_extensions import Literal, ParamSpec, Protocol
ModuleNotFoundError: No module named 'typing_extensions'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To fix crash due to missing module:
from twisted.internet import defer
File "/usr/lib/python3.11/site-packages/twisted/internet/defer.py", line 14, in <module>
from asyncio import AbstractEventLoop, Future, iscoroutine
ModuleNotFoundError: No module named 'asyncio'
Signed-off-by: Hains van den Bosch <hainsvdbosch@ziggo.nl>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Guðni Már Gilbert <gudnimar@noxmedical.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
aiohttp is an asynchronous HTTP client/server framework
for asyncio and Python.When using aiohttp as a web server
and configuring static routes, it is necessary to specify
the root path for static files. Additionally, the option
'follow_symlinks' can be used to determine whether to
follow symbolic links outside the static root directory.
When 'follow_symlinks' is set to True, there is no
validation to check if reading a file is within the root
directory. This can lead to directory traversal
vulnerabilities, resulting in unauthorized access to
arbitrary files on the system, even when symlinks are not
present. Disabling follow_symlinks and using a reverse proxy
are encouraged mitigations. Version 3.9.2 fixes this issue.
References:
https://security-tracker.debian.org/tracker/CVE-2024-23334https://github.com/aio-libs/aiohttp/releases/tag/v3.9.2
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This upgrade incorporates the fixes for CVE-2024-27316,
CVE-2024-24795,CVE-2023-38709 and other bugfixes.
Adjusted 0004-apache2-log-the-SELinux-context-at-startup.patch
and 0007-apache2-allow-to-disable-selinux-support.patch to
align with upgraded version.
Changelog:
https://downloads.apache.org/httpd/CHANGES_2.4.59
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
There is a heap buffer overflow in DumpScreen2RGB() in gif2rgb.c. This
occurs when a crafted gif file, where size of color table is < 256 but
image data contains pixels with color code highier than size of color
table. This causes oferflow of ColorMap->Colors array.
Fix the issue by checking if value of each pixel is within bounds of
given color table. If the value is out of color table, print error
message and exit.
Signed-off-by: Nikhil R <nikhil.r@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10,
and Django 5.0 before 5.0.2. The intcomma template filter was subject
to a potential denial-of-service attack when used with very long strings.
Since, there is no ptest available for python3-django so have not
tested the patch changes at runtime.
References:
https://security-tracker.debian.org/tracker/CVE-2024-24680https://docs.djangoproject.com/en/dev/releases/4.2.10/
Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
bat-format-pretty hardcoded the lib folder that cause it reports
missing formatter.bash error when multilib is enabled.
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE fixed:
- CVE-2023-40359 xterm: ReGIS reporting for character-set names containing characters other than alphanumerics or underscore
Upstream-Status: Backport from 41ba5cf31d
Note: The CVE patch is part of minor version-up and is extracted from the snapshot of xterm-379c.
Documentation of the commit shows 2 different overflows being fixed and hence the fix was extracted from the commit.
Signed-off-by: Rohini Sangam <rsangam@mvista.com>
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
iniparser v4.1 is vulnerable to NULL Pointer Dereference
in function iniparser_getlongint which misses check NULL
for function iniparser_getstring's return.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-33461
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Upgrade to 1.4.1 to make it work with setuptools 59.x as it doesn't
support pep 621 [1], so remove pyproject.toml and add setup.cfg back [2].
* Add python3-toml to RDEPENDS to fix below error:
self = <yamlinclude.readers.TomlReader object at 0x7faceccdbd30>
def __call__(self):
if sys.version_info >= (3, 11):
with open(self._path, "rb") as fp:
return tomllib.load(fp)
else:
try:
import toml
except ImportError as err: # pragma: no cover
> raise ImportError(f'Un-supported file "{self._path}".\n`pip install toml` should solve the problem.\n\n{err}')
E ImportError: Un-supported file "tests/data/include.d/1.toml".
E `pip install toml` should solve the problem.
E
E No module named 'toml'
../../python3.10/site-packages/yamlinclude/readers.py:69: ImportError
[1] https://setuptools.pypa.io/en/latest/userguide/pyproject_config.html
[2] https://github.com/tanbro/pyyaml-include/issues/43
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Add a recipe for the pyyaml-include package that extends PyYAML to include
YAML files within YAML files. Add a ptest to run the unit tests and include
the tests as part of the package lists in meta-python
Signed-off-by: Derek Straka <derek@asterius.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit bf011a9f5e89186b338b6a335d10ef84929be0ce)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An out-of-bounds stack write flaw was found in unixODBC on 64-bit
architectures where the caller has 4 bytes and callee writes 8 bytes.
This issue may go unnoticed on little-endian architectures, while
big-endian architectures can be broken.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-1013
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
c-ares is a C library for asynchronous DNS requests.
`ares__read_line()` is used to parse local configuration
files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`,
the `HOSTALIASES` file, and if using a c-ares version
prior to 1.27.0, the `/etc/hosts` file. If any of these
configuration files has an embedded `NULL` character as
the first character in a new line, it can lead to
attempting to read memory prior to the start of the given
buffer which may result in a crash. This issue is fixed
in c-ares 1.27.0. No known workarounds exist.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-25629https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48qhttps://security-tracker.debian.org/tracker/CVE-2024-25629
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Download and unpack contrib modules and other repositories in S instead
of WORKDIR so they don't escape file-prefix-map substitutions.
Fixes a number of reproducibility problems because of OpenCV check
macros that were embedding path to files in contrib/.
MJ: this is backport from langdale and fixes not only reproducibility
issues but also pseudo aborts in do_install when do_install
is executed again after do_package (in incremental builds):
| DEBUG: Executing shell function do_install
| NOTE: DESTDIR=opencv/4.5.5-r0/image VERBOSE=1 cmake --build opencv/4.5.5-r0/build --target install --
| abort()ing pseudo client by server request. See https://wiki.yoctoproject.org/wiki/Pseudo_Abort for more details on this.
| Check logfile: opencv/4.5.5-r0/pseudo//pseudo.log
| Subprocess aborted
and pseudo.log file shows:
path mismatch [3 links]: ino 214373575 db 'opencv/4.5.5-r0/package/usr/src/debug/lib32-opencv/4.5.5-r0/contrib/modules/intensity_transform/src/bimef.cpp' req 'opencv/4.5.5-r0/contrib/modules/intensity_transform/src/bimef.cpp'.
easily reproducible with:
bitbake -c cleansstate opencv; bitbake -c package opencv; bitbake -c install -f opencv
unlike ${S} ${WORKDIR}/contrib isn't in default PSEUDO_IGNORE_PATHS
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Addresses CVEs and other bug fixes. Remove patches that are fixed
in this release. Release notes are available at:
https://www.postgresql.org/docs/release/14.10/https://www.postgresql.org/docs/release/14.11/
0001-configure.ac-bypass-autoconf-2.69-version-check.patch
refreshed for new version.
License-Update: Copyright year updated
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Includes security fix for CVE-2024-23170 - Timing side channel in private key RSA operations
* Includes security fix for CVE-2024-23775 - Buffer overflow in mbedtls_x509_set_extension()
Use canonical URL, add UPSTREAM_CHECK_GITTAGREGEX.
License-update: Upstream clarified licensing as dual Apache-2.0 or GPL-2.0 or later
Changelog:
https://github.com/Mbed-TLS/mbedtls/blob/v3.5.2/ChangeLog
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Graphviz 2.36 before 10.0.0 has an out-of-bounds read via a crafted config6a file.
NOTE: exploitability may be uncommon because this file is typically owned by root.
Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Vulnerability in the MySQL Server product of Oracle MySQL
(component: InnoDB). Supported versions that are affected
are 5.7.43 and prior, 8.0.34 and prior and 8.1.0. Easily
exploitable vulnerability allows high privileged attacker
with network access via multiple protocols to compromise
MySQL Server. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of MySQL Server. CVSS 3.1
Base Score 4.9 (Availability impacts).
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-22084https://security-tracker.debian.org/tracker/CVE-2023-22084
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This reverts commit 522603beb6d88ad6ea443806bb986096d5b766e6.
This change was for oe-core not meta-oe repository, creating
unused directory "meta" which doesn't belong here.
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
