diff options
Diffstat (limited to 'meta/recipes-connectivity')
99 files changed, 2184 insertions, 1553 deletions
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index a830385352..a78e776a18 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -5,9 +5,8 @@ with no specific configuration. This tool implements IPv4LL, "Dynamic Configurat IPv4 Link-Local Addresses" (IETF RFC3927), a protocol for automatic IP address \ configuration from the link-local 169.254.0.0/16 range without the need for a central \ server.' -AUTHOR = "Lennart Poettering <lennart@poettering.net>" HOMEPAGE = "http://avahi.org" -BUGTRACKER = "https://github.com/lathiat/avahi/issues" +BUGTRACKER = "https://github.com/avahi/avahi/issues" SECTION = "network" # major part is under LGPL-2.1-or-later, but several .dtd, .xsl, initscripts and @@ -26,16 +25,24 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \ file://0001-Fix-opening-etc-resolv.conf-error.patch \ file://handle-hup.patch \ file://local-ping.patch \ + file://invalid-service.patch \ + file://CVE-2023-1981.patch \ + file://CVE-2023-38469-1.patch \ + file://CVE-2023-38469-2.patch \ + file://CVE-2023-38470-1.patch \ + file://CVE-2023-38470-2.patch \ + file://CVE-2023-38471-1.patch \ + file://CVE-2023-38471-2.patch \ + file://CVE-2023-38472.patch \ + file://CVE-2023-38473.patch \ " -GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" -SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7" +GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/" SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda" -# Issue only affects Debian/SUSE, not us -CVE_CHECK_IGNORE += "CVE-2021-26720" +CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE" -DEPENDS = "expat libcap libdaemon glib-2.0" +DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native" # For gtk related PACKAGECONFIGs: gtk, gtk3 AVAHI_GTK ?= "" @@ -83,7 +90,6 @@ RRECOMMENDS:${PN}:append:libc-glibc = " libnss-mdns" do_install() { autotools_do_install rm -rf ${D}/run - rm -rf ${D}${datadir}/dbus-1/interfaces test -d ${D}${datadir}/dbus-1 && rmdir --ignore-fail-on-non-empty ${D}${datadir}/dbus-1 rm -rf ${D}${libdir}/avahi @@ -135,7 +141,7 @@ FILES:avahi-daemon = "${sbindir}/avahi-daemon \ ${sysconfdir}/avahi/services \ ${sysconfdir}/dbus-1 \ ${sysconfdir}/init.d/avahi-daemon \ - ${datadir}/avahi/introspection/*.introspect \ + ${datadir}/dbus-1/interfaces \ ${datadir}/avahi/avahi-service.dtd \ ${datadir}/avahi/service-types \ ${datadir}/dbus-1/system-services" @@ -178,8 +184,8 @@ SYSTEMD_SERVICE:${PN}-dnsconfd = "avahi-dnsconfd.service" do_install:append() { install -d ${D}${sysconfdir}/udhcpc.d - install ${WORKDIR}/00avahi-autoipd ${D}${sysconfdir}/udhcpc.d - install ${WORKDIR}/99avahi-autoipd ${D}${sysconfdir}/udhcpc.d + install ${UNPACKDIR}/00avahi-autoipd ${D}${sysconfdir}/udhcpc.d + install ${UNPACKDIR}/99avahi-autoipd ${D}${sysconfdir}/udhcpc.d } # At the time the postinst runs, dbus might not be setup so only restart if running diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch new file mode 100644 index 0000000000..4d7924d13a --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-1981.patch @@ -0,0 +1,58 @@ +From a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> +Date: Thu, 17 Nov 2022 01:51:53 +0100 +Subject: [PATCH] Emit error if requested service is not found + +It currently just crashes instead of replying with error. Check return +value and emit error instead of passing NULL pointer to reply. + +Fixes #375 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-1981.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f] +CVE: CVE-2023-1981 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + avahi-daemon/dbus-protocol.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/avahi-daemon/dbus-protocol.c b/avahi-daemon/dbus-protocol.c +index 70d7687bc..406d0b441 100644 +--- a/avahi-daemon/dbus-protocol.c ++++ b/avahi-daemon/dbus-protocol.c +@@ -375,10 +375,14 @@ static DBusHandlerResult dbus_get_alternative_host_name(DBusConnection *c, DBusM + } + + t = avahi_alternative_host_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); + +- return DBUS_HANDLER_RESULT_HANDLED; ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Hostname not found"); ++ } + } + + static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DBusMessage *m, DBusError *error) { +@@ -389,10 +393,14 @@ static DBusHandlerResult dbus_get_alternative_service_name(DBusConnection *c, DB + } + + t = avahi_alternative_service_name(n); +- avahi_dbus_respond_string(c, m, t); +- avahi_free(t); ++ if (t) { ++ avahi_dbus_respond_string(c, m, t); ++ avahi_free(t); + +- return DBUS_HANDLER_RESULT_HANDLED; ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } else { ++ return avahi_dbus_respond_error(c, m, AVAHI_ERR_NOT_FOUND, "Service not found"); ++ } + } + + static DBusHandlerResult dbus_create_new_entry_group(DBusConnection *c, DBusMessage *m, DBusError *error) { diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch new file mode 100644 index 0000000000..a078f66102 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-1.patch @@ -0,0 +1,48 @@ +From 72842945085cc3adaccfdfa2853771b0e75ef991 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin <evvers@ya.ru> +Date: Mon, 23 Oct 2023 20:29:31 +0000 +Subject: [PATCH] avahi: core: reject overly long TXT resource records + +Closes https://github.com/lathiat/avahi/issues/455 + +Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/a337a1ba7d15853fb56deef1f464529af6e3a1cf] +CVE: CVE-2023-38469 + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + avahi-core/rr.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/avahi-core/rr.c b/avahi-core/rr.c +index 7fa0bee..b03a24c 100644 +--- a/avahi-core/rr.c ++++ b/avahi-core/rr.c +@@ -32,6 +32,7 @@ + #include <avahi-common/malloc.h> + #include <avahi-common/defs.h> + ++#include "dns.h" + #include "rr.h" + #include "log.h" + #include "util.h" +@@ -688,11 +689,17 @@ int avahi_record_is_valid(AvahiRecord *r) { + case AVAHI_DNS_TYPE_TXT: { + + AvahiStringList *strlst; ++ size_t used = 0; + +- for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) ++ for (strlst = r->data.txt.string_list; strlst; strlst = strlst->next) { + if (strlst->size > 255 || strlst->size <= 0) + return 0; + ++ used += 1+strlst->size; ++ if (used > AVAHI_DNS_RDATA_MAX) ++ return 0; ++ } ++ + return 1; + } + } +-- +2.40.0 diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch new file mode 100644 index 0000000000..f8f60ddca1 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38469-2.patch @@ -0,0 +1,65 @@ +From c6cab87df290448a63323c8ca759baa516166237 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin <evvers@ya.ru> +Date: Wed, 25 Oct 2023 18:15:42 +0000 +Subject: [PATCH] tests: pass overly long TXT resource records + +to make sure they don't crash avahi any more. +It reproduces https://github.com/lathiat/avahi/issues/455 + +Canonical notes: +nickgalanis> removed first hunk since there is no .github dir in this release + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38469-2.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/lathiat/avahi/commit/c6cab87df290448a63323c8ca759baa516166237] +CVE: CVE-2023-38469 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + avahi-client/client-test.c | 14 ++++++++++++++ + 1 files changed, 14 insertions(+) + +Index: avahi-0.8/avahi-client/client-test.c +=================================================================== +--- avahi-0.8.orig/avahi-client/client-test.c ++++ avahi-0.8/avahi-client/client-test.c +@@ -22,6 +22,7 @@ + #endif + + #include <stdio.h> ++#include <string.h> + #include <assert.h> + + #include <avahi-client/client.h> +@@ -33,6 +34,8 @@ + #include <avahi-common/malloc.h> + #include <avahi-common/timeval.h> + ++#include <avahi-core/dns.h> ++ + static const AvahiPoll *poll_api = NULL; + static AvahiSimplePoll *simple_poll = NULL; + +@@ -222,6 +225,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA + uint32_t cookie; + struct timeval tv; + AvahiAddress a; ++ uint8_t rdata[AVAHI_DNS_RDATA_MAX+1]; ++ AvahiStringList *txt = NULL; ++ int r; + + simple_poll = avahi_simple_poll_new(); + poll_api = avahi_simple_poll_get(simple_poll); +@@ -258,6 +264,14 @@ int main (AVAHI_GCC_UNUSED int argc, AVA + printf("%s\n", avahi_strerror(avahi_entry_group_add_service (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "Lathiat's Site", "_http._tcp", NULL, NULL, 80, "foo=bar", NULL))); + printf("add_record: %d\n", avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "\5booya", 6)); + ++ memset(rdata, 1, sizeof(rdata)); ++ r = avahi_string_list_parse(rdata, sizeof(rdata), &txt); ++ assert(r >= 0); ++ assert(avahi_string_list_serialize(txt, NULL, 0) == sizeof(rdata)); ++ error = avahi_entry_group_add_service_strlst(group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", "_qotd._tcp", NULL, NULL, 123, txt); ++ assert(error == AVAHI_ERR_INVALID_RECORD); ++ avahi_string_list_free(txt); ++ + avahi_entry_group_commit (group); + + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch new file mode 100644 index 0000000000..91f9e677ac --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-1.patch @@ -0,0 +1,59 @@ +From af7bfad67ca53a7c4042a4a2d85456b847e9f249 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> +Date: Tue, 11 Apr 2023 15:29:59 +0200 +Subject: [PATCH] avahi: Ensure each label is at least one byte long + +The only allowed exception is single dot, where it should return empty +string. + +Fixes #454. + +Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/94cb6489114636940ac683515417990b55b5d66c] +CVE: CVE-2023-38470 + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + avahi-common/domain-test.c | 14 ++++++++++++++ + avahi-common/domain.c | 2 +- + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/avahi-common/domain-test.c b/avahi-common/domain-test.c +index cf763ec..3acc1c1 100644 +--- a/avahi-common/domain-test.c ++++ b/avahi-common/domain-test.c +@@ -45,6 +45,20 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + printf("%s\n", s = avahi_normalize_name_strdup("fo\\\\o\\..f oo.")); + avahi_free(s); + ++ printf("%s\n", s = avahi_normalize_name_strdup(".")); ++ avahi_free(s); ++ ++ s = avahi_normalize_name_strdup(",.=.}.=.?-.}.=.?.?.}.}.?.?.?.z.?.?.}.}." ++ "}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.}.}.}" ++ ".?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.=.=.?.?.}.}.?.?.?.zM.?`" ++ "?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}??.}.}.?.?." ++ "?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM.?`?.}.}.}." ++ "??.?.zM.?`?.}.}.}.?.?.?.r.=.?.}.=.?.?.}.?.?.?.}.=.?.?.}?" ++ "?.}.}.?.?.?.z.?.?.}.}.}.?.?.?.r.=.=.}.=.?.}}.}.?.?.?.zM." ++ "?`?.}.}.}.?.?.?.r.=.=.?.?`.?.?}.}.}.?.?.?.r.=.?.}.=.?.?." ++ "}.?.?.?.}.=.?.?.}"); ++ assert(s == NULL); ++ + printf("%i\n", avahi_domain_equal("\\065aa bbb\\.\\046cc.cc\\\\.dee.fff.", "Aaa BBB\\.\\.cc.cc\\\\.dee.fff")); + printf("%i\n", avahi_domain_equal("A", "a")); + +diff --git a/avahi-common/domain.c b/avahi-common/domain.c +index 3b1ab68..e66d241 100644 +--- a/avahi-common/domain.c ++++ b/avahi-common/domain.c +@@ -201,7 +201,7 @@ char *avahi_normalize_name(const char *s, char *ret_s, size_t size) { + } + + if (!empty) { +- if (size < 1) ++ if (size < 2) + return NULL; + + *(r++) = '.'; +-- +2.40.0 diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch new file mode 100644 index 0000000000..e0736bf210 --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38470-2.patch @@ -0,0 +1,52 @@ +From 20dec84b2480821704258bc908e7b2bd2e883b24 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin <evvers@ya.ru> +Date: Tue, 19 Sep 2023 03:21:25 +0000 +Subject: [PATCH] [common] bail out when escaped labels can't fit into ret + +Fixes: +``` +==93410==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f9e76f14c16 at pc 0x00000047208d bp 0x7ffee90a6a00 sp 0x7ffee90a61c8 +READ of size 1110 at 0x7f9e76f14c16 thread T0 + #0 0x47208c in __interceptor_strlen (out/fuzz-domain+0x47208c) (BuildId: 731b20c1eef22c2104e75a6496a399b10cfc7cba) + #1 0x534eb0 in avahi_strdup avahi/avahi-common/malloc.c:167:12 + #2 0x53862c in avahi_normalize_name_strdup avahi/avahi-common/domain.c:226:12 +``` +and +``` +fuzz-domain: fuzz/fuzz-domain.c:38: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `avahi_domain_equal(s, t)' failed. +==101571== ERROR: libFuzzer: deadly signal + #0 0x501175 in __sanitizer_print_stack_trace (/home/vagrant/avahi/out/fuzz-domain+0x501175) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) + #1 0x45ad2c in fuzzer::PrintStackTrace() (/home/vagrant/avahi/out/fuzz-domain+0x45ad2c) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) + #2 0x43fc07 in fuzzer::Fuzzer::CrashCallback() (/home/vagrant/avahi/out/fuzz-domain+0x43fc07) (BuildId: 682bf6400aff9d41b64b6e2cc3ef5ad600216ea8) + #3 0x7f1581d7ebaf (/lib64/libc.so.6+0x3dbaf) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #4 0x7f1581dcf883 in __pthread_kill_implementation (/lib64/libc.so.6+0x8e883) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #5 0x7f1581d7eafd in gsignal (/lib64/libc.so.6+0x3dafd) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #6 0x7f1581d6787e in abort (/lib64/libc.so.6+0x2687e) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #7 0x7f1581d6779a in __assert_fail_base.cold (/lib64/libc.so.6+0x2679a) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #8 0x7f1581d77186 in __assert_fail (/lib64/libc.so.6+0x36186) (BuildId: c9f62793b9e886eb1b95077d4f26fe2b4aa1ac25) + #9 0x5344a4 in LLVMFuzzerTestOneInput /home/vagrant/avahi/fuzz/fuzz-domain.c:38:9 +``` + +It's a follow-up to 94cb6489114636940ac683515417990b55b5d66c + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38470-2.patch?h=ubuntu/jammy-security +CVE: CVE-2023-38470 #Follow-up patch +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + avahi-common/domain.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: avahi-0.8/avahi-common/domain.c +=================================================================== +--- avahi-0.8.orig/avahi-common/domain.c ++++ avahi-0.8/avahi-common/domain.c +@@ -210,7 +210,8 @@ char *avahi_normalize_name(const char *s + } else + empty = 0; + +- avahi_escape_label(label, strlen(label), &r, &size); ++ if (!(avahi_escape_label(label, strlen(label), &r, &size))) ++ return NULL; + } + + return ret_s; diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch new file mode 100644 index 0000000000..b3f716495d --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-1.patch @@ -0,0 +1,73 @@ +From 48d745db7fd554fc33e96ec86d3675ebd530bb8e Mon Sep 17 00:00:00 2001 +From: Michal Sekletar <msekleta@redhat.com> +Date: Mon, 23 Oct 2023 13:38:35 +0200 +Subject: [PATCH] avahi: core: extract host name using avahi_unescape_label() + +Previously we could create invalid escape sequence when we split the +string on dot. For example, from valid host name "foo\\.bar" we have +created invalid name "foo\\" and tried to set that as the host name +which crashed the daemon. + +Fixes #453 + +Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/894f085f402e023a98cbb6f5a3d117bd88d93b09] +CVE: CVE-2023-38471 + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + avahi-core/server.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/avahi-core/server.c b/avahi-core/server.c +index e507750..40f1d68 100644 +--- a/avahi-core/server.c ++++ b/avahi-core/server.c +@@ -1295,7 +1295,11 @@ static void update_fqdn(AvahiServer *s) { + } + + int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { +- char *hn = NULL; ++ char label_escaped[AVAHI_LABEL_MAX*4+1]; ++ char label[AVAHI_LABEL_MAX]; ++ char *hn = NULL, *h; ++ size_t len; ++ + assert(s); + + AVAHI_CHECK_VALIDITY(s, !host_name || avahi_is_valid_host_name(host_name), AVAHI_ERR_INVALID_HOST_NAME); +@@ -1305,17 +1309,28 @@ int avahi_server_set_host_name(AvahiServer *s, const char *host_name) { + else + hn = avahi_normalize_name_strdup(host_name); + +- hn[strcspn(hn, ".")] = 0; ++ h = hn; ++ if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { ++ avahi_free(h); ++ return AVAHI_ERR_INVALID_HOST_NAME; ++ } ++ ++ avahi_free(h); ++ ++ h = label_escaped; ++ len = sizeof(label_escaped); ++ if (!avahi_escape_label(label, strlen(label), &h, &len)) ++ return AVAHI_ERR_INVALID_HOST_NAME; + +- if (avahi_domain_equal(s->host_name, hn) && s->state != AVAHI_SERVER_COLLISION) { +- avahi_free(hn); ++ if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) + return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); +- } + + withdraw_host_rrs(s); + + avahi_free(s->host_name); +- s->host_name = hn; ++ s->host_name = avahi_strdup(label_escaped); ++ if (!s->host_name) ++ return AVAHI_ERR_NO_MEMORY; + + update_fqdn(s); + +-- +2.40.0 diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch new file mode 100644 index 0000000000..44737bfc2e --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38471-2.patch @@ -0,0 +1,52 @@ +From b675f70739f404342f7f78635d6e2dcd85a13460 Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin <evvers@ya.ru> +Date: Tue, 24 Oct 2023 22:04:51 +0000 +Subject: [PATCH] core: return errors from avahi_server_set_host_name properly + +It's a follow-up to 894f085f402e023a98cbb6f5a3d117bd88d93b09 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38471-2.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/lathiat/avahi/commit/b675f70739f404342f7f78635d6e2dcd85a13460] +CVE: CVE-2023-38471 #Follow-up Patch +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + avahi-core/server.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +Index: avahi-0.8/avahi-core/server.c +=================================================================== +--- avahi-0.8.orig/avahi-core/server.c ++++ avahi-0.8/avahi-core/server.c +@@ -1309,10 +1309,13 @@ int avahi_server_set_host_name(AvahiServ + else + hn = avahi_normalize_name_strdup(host_name); + ++ if (!hn) ++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY); ++ + h = hn; + if (!avahi_unescape_label((const char **)&hn, label, sizeof(label))) { + avahi_free(h); +- return AVAHI_ERR_INVALID_HOST_NAME; ++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME); + } + + avahi_free(h); +@@ -1320,7 +1323,7 @@ int avahi_server_set_host_name(AvahiServ + h = label_escaped; + len = sizeof(label_escaped); + if (!avahi_escape_label(label, strlen(label), &h, &len)) +- return AVAHI_ERR_INVALID_HOST_NAME; ++ return avahi_server_set_errno(s, AVAHI_ERR_INVALID_HOST_NAME); + + if (avahi_domain_equal(s->host_name, label_escaped) && s->state != AVAHI_SERVER_COLLISION) + return avahi_server_set_errno(s, AVAHI_ERR_NO_CHANGE); +@@ -1330,7 +1333,7 @@ int avahi_server_set_host_name(AvahiServ + avahi_free(s->host_name); + s->host_name = avahi_strdup(label_escaped); + if (!s->host_name) +- return AVAHI_ERR_NO_MEMORY; ++ return avahi_server_set_errno(s, AVAHI_ERR_NO_MEMORY); + + update_fqdn(s); + diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch new file mode 100644 index 0000000000..85dbded73b --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38472.patch @@ -0,0 +1,46 @@ +From b024ae5749f4aeba03478e6391687c3c9c8dee40 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar <msekleta@redhat.com> +Date: Thu, 19 Oct 2023 17:36:44 +0200 +Subject: [PATCH] core: make sure there is rdata to process before parsing it + +Fixes #452 + +CVE-2023-38472 + +Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/avahi/tree/debian/patches/CVE-2023-38472.patch?h=ubuntu/jammy-security +Upstream commit https://github.com/lathiat/avahi/commit/b024ae5749f4aeba03478e6391687c3c9c8dee40] +CVE: CVE-2023-38472 +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + avahi-client/client-test.c | 3 +++ + avahi-daemon/dbus-entry-group.c | 2 +- + 2 files changed, 4 insertions(+), 1 deletion(-) + +Index: avahi-0.8/avahi-client/client-test.c +=================================================================== +--- avahi-0.8.orig/avahi-client/client-test.c ++++ avahi-0.8/avahi-client/client-test.c +@@ -272,6 +272,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVA + assert(error == AVAHI_ERR_INVALID_RECORD); + avahi_string_list_free(txt); + ++ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0); ++ assert(error != AVAHI_OK); ++ + avahi_entry_group_commit (group); + + domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u"); +Index: avahi-0.8/avahi-daemon/dbus-entry-group.c +=================================================================== +--- avahi-0.8.orig/avahi-daemon/dbus-entry-group.c ++++ avahi-0.8/avahi-daemon/dbus-entry-group.c +@@ -340,7 +340,7 @@ DBusHandlerResult avahi_dbus_msg_entry_g + if (!(r = avahi_record_new_full (name, clazz, type, ttl))) + return avahi_dbus_respond_error(c, m, AVAHI_ERR_NO_MEMORY, NULL); + +- if (avahi_rdata_parse (r, rdata, size) < 0) { ++ if (!rdata || avahi_rdata_parse (r, rdata, size) < 0) { + avahi_record_unref (r); + return avahi_dbus_respond_error(c, m, AVAHI_ERR_INVALID_RDATA, NULL); + } diff --git a/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch new file mode 100644 index 0000000000..707acb60fe --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/CVE-2023-38473.patch @@ -0,0 +1,110 @@ +From 88cbbc48d5efff9726694557ca6c3f698f3affe4 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar <msekleta@redhat.com> +Date: Wed, 11 Oct 2023 17:45:44 +0200 +Subject: [PATCH] avahi: common: derive alternative host name from its + unescaped version + +Normalization of input makes sure we don't have to deal with special +cases like unescaped dot at the end of label. + +Fixes #451 #487 + +Upstream-Status: Backport [https://github.com/lathiat/avahi/commit/b448c9f771bada14ae8de175695a9729f8646797] +CVE: CVE-2023-38473 + +Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com> +--- + avahi-common/alternative-test.c | 3 +++ + avahi-common/alternative.c | 27 +++++++++++++++++++-------- + 2 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/avahi-common/alternative-test.c b/avahi-common/alternative-test.c +index 9255435..681fc15 100644 +--- a/avahi-common/alternative-test.c ++++ b/avahi-common/alternative-test.c +@@ -31,6 +31,9 @@ int main(AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) { + const char* const test_strings[] = { + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", + "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXüüüüüüü", ++ ").", ++ "\\.", ++ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\\\", + "gurke", + "-", + " #", +diff --git a/avahi-common/alternative.c b/avahi-common/alternative.c +index b3d39f0..a094e6d 100644 +--- a/avahi-common/alternative.c ++++ b/avahi-common/alternative.c +@@ -49,15 +49,20 @@ static void drop_incomplete_utf8(char *c) { + } + + char *avahi_alternative_host_name(const char *s) { ++ char label[AVAHI_LABEL_MAX], alternative[AVAHI_LABEL_MAX*4+1]; ++ char *alt, *r, *ret; + const char *e; +- char *r; ++ size_t len; + + assert(s); + + if (!avahi_is_valid_host_name(s)) + return NULL; + +- if ((e = strrchr(s, '-'))) { ++ if (!avahi_unescape_label(&s, label, sizeof(label))) ++ return NULL; ++ ++ if ((e = strrchr(label, '-'))) { + const char *p; + + e++; +@@ -74,19 +79,18 @@ char *avahi_alternative_host_name(const char *s) { + + if (e) { + char *c, *m; +- size_t l; + int n; + + n = atoi(e)+1; + if (!(m = avahi_strdup_printf("%i", n))) + return NULL; + +- l = e-s-1; ++ len = e-label-1; + +- if (l >= AVAHI_LABEL_MAX-1-strlen(m)-1) +- l = AVAHI_LABEL_MAX-1-strlen(m)-1; ++ if (len >= AVAHI_LABEL_MAX-1-strlen(m)-1) ++ len = AVAHI_LABEL_MAX-1-strlen(m)-1; + +- if (!(c = avahi_strndup(s, l))) { ++ if (!(c = avahi_strndup(label, len))) { + avahi_free(m); + return NULL; + } +@@ -100,7 +104,7 @@ char *avahi_alternative_host_name(const char *s) { + } else { + char *c; + +- if (!(c = avahi_strndup(s, AVAHI_LABEL_MAX-1-2))) ++ if (!(c = avahi_strndup(label, AVAHI_LABEL_MAX-1-2))) + return NULL; + + drop_incomplete_utf8(c); +@@ -109,6 +113,13 @@ char *avahi_alternative_host_name(const char *s) { + avahi_free(c); + } + ++ alt = alternative; ++ len = sizeof(alternative); ++ ret = avahi_escape_label(r, strlen(r), &alt, &len); ++ ++ avahi_free(r); ++ r = avahi_strdup(ret); ++ + assert(avahi_is_valid_host_name(r)); + + return r; +-- +2.40.0 diff --git a/meta/recipes-connectivity/avahi/files/invalid-service.patch b/meta/recipes-connectivity/avahi/files/invalid-service.patch new file mode 100644 index 0000000000..8f188aff2c --- /dev/null +++ b/meta/recipes-connectivity/avahi/files/invalid-service.patch @@ -0,0 +1,29 @@ +From 46490e95151d415cd22f02565e530eb5efcef680 Mon Sep 17 00:00:00 2001 +From: Asger Hautop Drewsen <asger@princh.com> +Date: Mon, 9 Aug 2021 14:25:08 +0200 +Subject: [PATCH] Fix avahi-browse: Invalid service type + +Invalid service types will stop the browse from completing, or +in simple terms "my washing machine stops me from printing". + +Upstream-Status: Submitted [https://github.com/lathiat/avahi/pull/472] +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + avahi-core/browse-service.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/avahi-core/browse-service.c b/avahi-core/browse-service.c +index 63e0275a..ac3d2ecb 100644 +--- a/avahi-core/browse-service.c ++++ b/avahi-core/browse-service.c +@@ -103,7 +103,9 @@ AvahiSServiceBrowser *avahi_s_service_browser_prepare( + AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL); + AVAHI_CHECK_VALIDITY_RETURN_NULL(server, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME); + AVAHI_CHECK_VALIDITY_RETURN_NULL(server, AVAHI_FLAGS_VALID(flags, AVAHI_LOOKUP_USE_WIDE_AREA|AVAHI_LOOKUP_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS); +- AVAHI_CHECK_VALIDITY_RETURN_NULL(server, avahi_is_valid_service_type_generic(service_type), AVAHI_ERR_INVALID_SERVICE_TYPE); ++ ++ if (!avahi_is_valid_service_type_generic(service_type)) ++ service_type = "_invalid._tcp"; + + if (!domain) + domain = server->domain_name; diff --git a/meta/recipes-connectivity/bind/bind-9.18.10/0001-avoid-start-failure-with-bind-user.patch b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch index ec1bc7b567..ec1bc7b567 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.10/0001-avoid-start-failure-with-bind-user.patch +++ b/meta/recipes-connectivity/bind/bind/0001-avoid-start-failure-with-bind-user.patch diff --git a/meta/recipes-connectivity/bind/bind-9.18.10/0001-named-lwresd-V-and-start-log-hide-build-options.patch b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch index 4c10f33f04..4c10f33f04 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.10/0001-named-lwresd-V-and-start-log-hide-build-options.patch +++ b/meta/recipes-connectivity/bind/bind/0001-named-lwresd-V-and-start-log-hide-build-options.patch diff --git a/meta/recipes-connectivity/bind/bind-9.18.10/bind-ensure-searching-for-json-headers-searches-sysr.patch b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch index f1abd179e8..38d07cae39 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.10/bind-ensure-searching-for-json-headers-searches-sysr.patch +++ b/meta/recipes-connectivity/bind/bind/bind-ensure-searching-for-json-headers-searches-sysr.patch @@ -1,4 +1,4 @@ -From 246087f89e9434b726c7884e4c0964f71084f091 Mon Sep 17 00:00:00 2001 +From 5ae30329f168c1e8d2e0c3831988a4f3e9096e39 Mon Sep 17 00:00:00 2001 From: Paul Gortmaker <paul.gortmaker@windriver.com> Date: Tue, 9 Jun 2015 11:22:00 -0400 Subject: [PATCH] bind: ensure searching for json headers searches sysroot @@ -33,10 +33,10 @@ Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index 10e8bf6..bf20690 100644 +index 2ab8ddd..92fe983 100644 --- a/configure.ac +++ b/configure.ac -@@ -814,7 +814,7 @@ AS_CASE([$with_lmdb], +@@ -761,7 +761,7 @@ AS_CASE([$with_lmdb], [no],[], [auto|yes], [PKG_CHECK_MODULES([LMDB], [lmdb], [ac_lib_lmdb_found=yes], diff --git a/meta/recipes-connectivity/bind/bind-9.18.10/bind9 b/meta/recipes-connectivity/bind/bind/bind9 index 968679ff7f..968679ff7f 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.10/bind9 +++ b/meta/recipes-connectivity/bind/bind/bind9 diff --git a/meta/recipes-connectivity/bind/bind-9.18.10/conf.patch b/meta/recipes-connectivity/bind/bind/conf.patch index aa3642acec..aa3642acec 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.10/conf.patch +++ b/meta/recipes-connectivity/bind/bind/conf.patch diff --git a/meta/recipes-connectivity/bind/bind-9.18.10/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh index 633e29c0e6..633e29c0e6 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.10/generate-rndc-key.sh +++ b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh diff --git a/meta/recipes-connectivity/bind/bind-9.18.10/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch index 11db95ede1..11db95ede1 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.10/init.d-add-support-for-read-only-rootfs.patch +++ b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch diff --git a/meta/recipes-connectivity/bind/bind-9.18.10/make-etc-initd-bind-stop-work.patch b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch index 146f3e35db..146f3e35db 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.10/make-etc-initd-bind-stop-work.patch +++ b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch diff --git a/meta/recipes-connectivity/bind/bind-9.18.10/named.service b/meta/recipes-connectivity/bind/bind/named.service index cda56ef015..cda56ef015 100644 --- a/meta/recipes-connectivity/bind/bind-9.18.10/named.service +++ b/meta/recipes-connectivity/bind/bind/named.service diff --git a/meta/recipes-connectivity/bind/bind_9.18.10.bb b/meta/recipes-connectivity/bind/bind_9.18.26.bb index cb0e251d51..b99f92537c 100644 --- a/meta/recipes-connectivity/bind/bind_9.18.10.bb +++ b/meta/recipes-connectivity/bind/bind_9.18.26.bb @@ -4,7 +4,7 @@ DESCRIPTION = "BIND 9 provides a full-featured Domain Name Server system" SECTION = "console/network" LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=9a4a897f202c0710e07f2f2836bc2b62" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=c7a0b6d9a1b692a5da9af9d503671f43" DEPENDS = "openssl libcap zlib libuv" @@ -20,7 +20,7 @@ SRC_URI = "https://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.xz \ file://0001-avoid-start-failure-with-bind-user.patch \ " -SRC_URI[sha256sum] = "f415a92feb62568b50854a063cb231e257351f8672186d0ab031a49b3de2cac6" +SRC_URI[sha256sum] = "75ffee52731e9604c849b658df29e927f1c4f01d5a71ea3ebcbeb63702cb6651" UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/" # follow the ESV versions divisible by 2 @@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/" # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore # so the issue doesn't affect us. -CVE_CHECK_IGNORE += "CVE-2019-6470" +CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore." inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives @@ -39,7 +39,7 @@ PACKAGECONFIG[readline] = "--with-readline=readline,,readline" PACKAGECONFIG[libedit] = "--with-readline=libedit,,libedit" PACKAGECONFIG[dns-over-http] = "--enable-doh,--disable-doh,nghttp2" -EXTRA_OECONF = " --disable-devpoll --disable-auto-validation --enable-epoll \ +EXTRA_OECONF = " --disable-auto-validation \ --with-gssapi=no --with-lmdb=no --with-zlib \ --sysconfdir=${sysconfdir}/bind \ --with-openssl=${STAGING_DIR_HOST}${prefix} \ @@ -68,15 +68,15 @@ do_install:append() { # Install systemd related files install -d ${D}${sbindir} - install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir} + install -m 755 ${UNPACKDIR}/generate-rndc-key.sh ${D}${sbindir} install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/named.service ${D}${systemd_system_unitdir} + install -m 0644 ${UNPACKDIR}/named.service ${D}${systemd_system_unitdir} sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ -e 's,@SBINDIR@,${sbindir},g' \ ${D}${systemd_system_unitdir}/named.service install -d ${D}${sysconfdir}/default - install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default + install -m 0644 ${UNPACKDIR}/bind9 ${D}${sysconfdir}/default if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/tmpfiles.d @@ -109,6 +109,5 @@ PACKAGE_BEFORE_PN += "${PN}-libs" # https://github.com/isc-projects/bind9/commit/0e25af628cd776f98c04fc4cc59048f5448f6c88 FILES_SOLIBSDEV = "${libdir}/*[!0-9].so ${libdir}/libbind9.so" FILES:${PN}-libs = "${libdir}/named/*.so* ${libdir}/*-${PV}.so" -FILES:${PN}-staticdev += "${libdir}/*.la" DEV_PKG_DEPENDENCY = "" diff --git a/meta/recipes-connectivity/bluez5/bluez5.inc b/meta/recipes-connectivity/bluez5/bluez5.inc index e10158a6e5..a1ffdeef8c 100644 --- a/meta/recipes-connectivity/bluez5/bluez5.inc +++ b/meta/recipes-connectivity/bluez5/bluez5.inc @@ -85,15 +85,7 @@ NOINST_TOOLS = " \ do_install:append() { install -d ${D}${INIT_D_DIR} - install -m 0755 ${WORKDIR}/init ${D}${INIT_D_DIR}/bluetooth - - install -d ${D}${sysconfdir}/bluetooth/ - if [ -f ${S}/profiles/network/network.conf ]; then - install -m 0644 ${S}/profiles/network/network.conf ${D}/${sysconfdir}/bluetooth/ - fi - if [ -f ${S}/profiles/input/input.conf ]; then - install -m 0644 ${S}/profiles/input/input.conf ${D}/${sysconfdir}/bluetooth/ - fi + install -m 0755 ${UNPACKDIR}/init ${D}${INIT_D_DIR}/bluetooth if [ -f ${D}/${sysconfdir}/init.d/bluetooth ]; then sed -i -e 's#@LIBEXECDIR@#${libexecdir}#g' ${D}/${sysconfdir}/init.d/bluetooth diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch index e90b6a546f..b1e93dbe19 100644 --- a/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch +++ b/meta/recipes-connectivity/bluez5/bluez5/0001-test-gatt-Fix-hung-issue.patch @@ -1,4 +1,4 @@ -From 61e741654cc2eb167bca212a3bb2ba8f3ba280c1 Mon Sep 17 00:00:00 2001 +From fb583a57f9f4ab956a09e9bb96d89aa13553bf21 Mon Sep 17 00:00:00 2001 From: Mingli Yu <Mingli.Yu@windriver.com> Date: Fri, 24 Aug 2018 12:04:03 +0800 Subject: [PATCH] test-gatt: Fix hung issue @@ -21,15 +21,16 @@ no action. Upstream-Status: Submitted [https://marc.info/?l=linux-bluetooth&m=153508881804635&w=2] Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com> + --- unit/test-gatt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/unit/test-gatt.c b/unit/test-gatt.c -index c7e28f8..b57373b 100644 +index 5e06d4e..4864d36 100644 --- a/unit/test-gatt.c +++ b/unit/test-gatt.c -@@ -4463,7 +4463,7 @@ int main(int argc, char *argv[]) +@@ -4546,7 +4546,7 @@ int main(int argc, char *argv[]) test_server, service_db_1, NULL, raw_pdu(0x03, 0x00, 0x02), raw_pdu(0xbf, 0x00), @@ -38,6 +39,3 @@ index c7e28f8..b57373b 100644 define_test_server("/robustness/unkown-command", test_server, service_db_1, NULL, --- -2.7.4 - diff --git a/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch b/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch index 24ddae6b63..881494a354 100644 --- a/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch +++ b/meta/recipes-connectivity/bluez5/bluez5/0001-tests-add-a-target-for-building-tests-without-runnin.patch @@ -1,19 +1,20 @@ -From 4bdf0f96dcaa945fd29f26d56e5b36d8c23e4c8b Mon Sep 17 00:00:00 2001 +From 738e73b386352fd90f1f26cc1ee75427cf4dc23b Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex.kanavin@gmail.com> Date: Fri, 1 Apr 2016 17:07:34 +0300 Subject: [PATCH] tests: add a target for building tests without running them Upstream-Status: Inappropriate [oe specific] Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com> + --- Makefile.am | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Makefile.am b/Makefile.am -index 1a48a71..ba3b92f 100644 +index e738eb3..dab17dd 100644 --- a/Makefile.am +++ b/Makefile.am -@@ -425,6 +425,9 @@ endif +@@ -710,6 +710,9 @@ endif TESTS = $(unit_tests) AM_TESTS_ENVIRONMENT = MALLOC_CHECK_=3 MALLOC_PERTURB_=69 @@ -23,6 +24,3 @@ index 1a48a71..ba3b92f 100644 if DBUS_RUN_SESSION AM_TESTS_ENVIRONMENT += dbus-run-session -- endif --- -2.8.0.rc3 - diff --git a/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch b/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch index f954f6dab2..516d859069 100644 --- a/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch +++ b/meta/recipes-connectivity/bluez5/bluez5/0004-src-shared-util.c-include-linux-limits.h.patch @@ -1,4 +1,4 @@ -From 51584158b9a2e58f3790f8a7387b5cf167eca88b Mon Sep 17 00:00:00 2001 +From b53df61b41088b68c127ac76cc71683ac3453b9d Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex@linutronix.de> Date: Mon, 12 Dec 2022 13:10:19 +0100 Subject: [PATCH] src/shared/util.c: include linux/limits.h @@ -8,15 +8,16 @@ systems such as those using musl. Upstream-Status: Submitted [to linux-bluetooth@vger.kernel.org,luiz.von.dentz@intel.com,frederic.danis@collabora.com] Signed-off-by: Alexander Kanavin <alex@linutronix.de> + --- src/shared/util.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/shared/util.c b/src/shared/util.c -index 0a0308c..1f61314 100644 +index c0c2c4a..036dc0d 100644 --- a/src/shared/util.c +++ b/src/shared/util.c -@@ -22,6 +22,7 @@ +@@ -23,6 +23,7 @@ #include <unistd.h> #include <dirent.h> #include <limits.h> diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb b/meta/recipes-connectivity/bluez5/bluez5_5.72.bb index 2208b730b0..9fda960ea7 100644 --- a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb +++ b/meta/recipes-connectivity/bluez5/bluez5_5.72.bb @@ -1,9 +1,8 @@ require bluez5.inc -SRC_URI[sha256sum] = "39fea64b590c9492984a0c27a89fc203e1cdc74866086efb8f4698677ab2b574" +SRC_URI[sha256sum] = "499d7fa345a996c1bb650f5c6749e1d929111fa6ece0be0e98687fee6124536e" -# These issues have kernel fixes rather than bluez fixes so exclude here -CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490" +CVE_STATUS[CVE-2020-24490] = "cpe-incorrect: This issue has kernel fixes rather than bluez fixes" # noinst programs in Makefile.tools that are conditional on READLINE # support diff --git a/meta/recipes-connectivity/connman/connman-conf.bb b/meta/recipes-connectivity/connman/connman-conf.bb index 7959ed8e50..a1a0e08faa 100644 --- a/meta/recipes-connectivity/connman/connman-conf.bb +++ b/meta/recipes-connectivity/connman/connman-conf.bb @@ -4,7 +4,6 @@ network interface inside qemu machines." LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6" -PR = "r2" SRC_URI = "file://main.conf \ " diff --git a/meta/recipes-connectivity/connman/connman-conf/main.conf b/meta/recipes-connectivity/connman/connman-conf/main.conf index a394e8f25b..3c9dd396f6 100644 --- a/meta/recipes-connectivity/connman/connman-conf/main.conf +++ b/meta/recipes-connectivity/connman/connman-conf/main.conf @@ -1,2 +1,2 @@ [General] -NetworkInterfaceBlacklist = eth0 +NetworkInterfaceBlacklist = eth,en diff --git a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb index fcd154b4b0..46b3f854c5 100644 --- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb +++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb @@ -26,5 +26,9 @@ ANY_OF_DISTRO_FEATURES = "${GTK3DISTROFEATURES}" RDEPENDS:${PN} = "connman" do_install:append() { - install -m 0644 ${WORKDIR}/images/* ${D}/usr/share/icons/hicolor/22x22/apps/ + install -m 0644 ${UNPACKDIR}/images/* ${D}/usr/share/icons/hicolor/22x22/apps/ } + +# http://errors.yoctoproject.org/Errors/Details/766926/ +# connman-client.c:200:15: error: assignment to 'GtkTreeModel *' {aka 'struct _GtkTreeModel *'} from incompatible pointer type 'GtkTreeStore *' {aka 'struct _GtkTreeStore *'} [-Wincompatible-pointer-types] +CFLAGS += "-Wno-error=incompatible-pointer-types" diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc index d7af94f792..073061eeda 100644 --- a/meta/recipes-connectivity/connman/connman.inc +++ b/meta/recipes-connectivity/connman/connman.inc @@ -27,6 +27,7 @@ EXTRA_OECONF += "\ --enable-ethernet \ --enable-tools \ --disable-polkit \ + --runstatedir=/run \ " # For smooth operation it would be best to start only one wireless daemon at a time. # If wpa-supplicant is running, connman will use it preferentially. @@ -85,7 +86,7 @@ ALTERNATIVE_LINK_NAME[resolv-conf] = "${@bb.utils.contains('DISTRO_FEATURES','sy do_install:append() { if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then install -d ${D}${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/connman ${D}${sysconfdir}/init.d/connman + install -m 0755 ${UNPACKDIR}/connman ${D}${sysconfdir}/init.d/connman sed -i s%@DATADIR@%${datadir}% ${D}${sysconfdir}/init.d/connman fi diff --git a/meta/recipes-connectivity/connman/connman/0001-src-log.c-Include-libgen.h-for-basename-API.patch b/meta/recipes-connectivity/connman/connman/0001-src-log.c-Include-libgen.h-for-basename-API.patch new file mode 100644 index 0000000000..8012606db7 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/0001-src-log.c-Include-libgen.h-for-basename-API.patch @@ -0,0 +1,55 @@ +From cbba6638986c2de763981bf6fc59df6a86fed44f Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 1 Jan 2024 17:42:21 -0800 +Subject: [PATCH v2] src/log.c: Include libgen.h for basename API + +Use POSIX version of basename. This comes to front with latest musl +which dropped the declaration from string.h [1] it fails to build with +clang-17+ because it treats implicit function declaration as error. + +Fix it by applying the basename on a copy of string since posix version +may modify the input string. + +[1] https://git.musl-libc.org/cgit/musl/commit/?id=725e17ed6dff4d0cd22487bb64470881e86a92e7 + +Upstream-Status: Submitted [https://lore.kernel.org/connman/20240102015917.3732089-1-raj.khem@gmail.com/T/#u] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + + src/log.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/log.c b/src/log.c +index 554b046..2df3af7 100644 +--- a/src/log.c ++++ b/src/log.c +@@ -24,6 +24,7 @@ + #endif + + #include <stdio.h> ++#include <libgen.h> + #include <unistd.h> + #include <stdarg.h> + #include <stdlib.h> +@@ -196,6 +197,7 @@ int __connman_log_init(const char *program, const char *debug, + const char *program_name, const char *program_version) + { + static char path[PATH_MAX]; ++ char* tmp = strdup(program); + int option = LOG_NDELAY | LOG_PID; + + program_exec = program; +@@ -212,8 +214,8 @@ int __connman_log_init(const char *program, const char *debug, + if (backtrace) + signal_setup(signal_handler); + +- openlog(basename(program), option, LOG_DAEMON); +- ++ openlog(basename(tmp), option, LOG_DAEMON); ++ free(tmp); + syslog(LOG_INFO, "%s version %s", program_name, program_version); + + return 0; +-- +2.43.0 + diff --git a/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch b/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch new file mode 100644 index 0000000000..9e5ac8da15 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch @@ -0,0 +1,152 @@ +From af55a6a414d32c12f9ef3cab778385a361e1ad6d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Eivind=20N=C3=A6ss?= <eivnaes@yahoo.com> +Date: Sat, 25 Mar 2023 20:51:52 +0000 +Subject: [PATCH] vpn: Adding support for latest pppd 2.5.0 release + +The API has gone through a significant overhaul, and this change fixes any compile issues. +1) Fixes to configure.ac itself +2) Cleanup in pppd plugin itself + +Adding a libppp-compat.h file to mask for any differences in the version. + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a48864a2e5d2a725dfc6eef567108bc13b43857f] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> + +--- + scripts/libppp-compat.h | 127 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 127 insertions(+) + create mode 100644 scripts/libppp-compat.h + +diff --git a/scripts/libppp-compat.h b/scripts/libppp-compat.h +new file mode 100644 +index 0000000..eee1d09 +--- /dev/null ++++ b/scripts/libppp-compat.h +@@ -0,0 +1,127 @@ ++/* Copyright (C) Eivind Naess, eivnaes@yahoo.com */ ++/* SPDX-License-Identifier: GPL-2.0-or-later */ ++ ++#ifndef __LIBPPP_COMPAT_H__ ++#define __LIBPPP_COMPAT_H__ ++ ++/* Define USE_EAPTLS compile with EAP TLS support against older pppd headers, ++ * pppd >= 2.5.0 use PPP_WITH_EAPTLS and is defined in pppdconf.h */ ++#define USE_EAPTLS 1 ++ ++/* Define INET6 to compile with IPv6 support against older pppd headers, ++ * pppd >= 2.5.0 use PPP_WITH_IPV6CP and is defined in pppdconf.h */ ++#define INET6 1 ++ ++/* PPP < 2.5.0 defines and exports VERSION which overlaps with current package VERSION define. ++ * this silly macro magic is to work around that. */ ++#undef VERSION ++#include <pppd/pppd.h> ++ ++#ifndef PPPD_VERSION ++#define PPPD_VERSION VERSION ++#endif ++ ++#include <pppd/fsm.h> ++#include <pppd/ccp.h> ++#include <pppd/eui64.h> ++#include <pppd/ipcp.h> ++#include <pppd/ipv6cp.h> ++#include <pppd/eap.h> ++#include <pppd/upap.h> ++ ++#ifdef HAVE_PPPD_CHAP_H ++#include <pppd/chap.h> ++#endif ++ ++#ifdef HAVE_PPPD_CHAP_NEW_H ++#include <pppd/chap-new.h> ++#endif ++ ++#ifdef HAVE_PPPD_CHAP_MS_H ++#include <pppd/chap_ms.h> ++#endif ++ ++#ifndef PPP_PROTO_CHAP ++#define PPP_PROTO_CHAP 0xc223 ++#endif ++ ++#ifndef PPP_PROTO_EAP ++#define PPP_PROTO_EAP 0xc227 ++#endif ++ ++ ++#if WITH_PPP_VERSION < PPP_VERSION(2,5,0) ++ ++static inline bool ++debug_on (void) ++{ ++ return debug; ++} ++ ++static inline const char ++*ppp_ipparam (void) ++{ ++ return ipparam; ++} ++ ++static inline int ++ppp_ifunit (void) ++{ ++ return ifunit; ++} ++ ++static inline const char * ++ppp_ifname (void) ++{ ++ return ifname; ++} ++ ++static inline int ++ppp_get_mtu (int idx) ++{ ++ return netif_get_mtu(idx); ++} ++ ++typedef enum ppp_notify ++{ ++ NF_PID_CHANGE, ++ NF_PHASE_CHANGE, ++ NF_EXIT, ++ NF_SIGNALED, ++ NF_IP_UP, ++ NF_IP_DOWN, ++ NF_IPV6_UP, ++ NF_IPV6_DOWN, ++ NF_AUTH_UP, ++ NF_LINK_DOWN, ++ NF_FORK, ++ NF_MAX_NOTIFY ++} ppp_notify_t; ++ ++typedef void (ppp_notify_fn) (void *ctx, int arg); ++ ++static inline void ++ppp_add_notify (ppp_notify_t type, ppp_notify_fn *func, void *ctx) ++{ ++ struct notifier **list[NF_MAX_NOTIFY] = { ++ [NF_PID_CHANGE ] = &pidchange, ++ [NF_PHASE_CHANGE] = &phasechange, ++ [NF_EXIT ] = &exitnotify, ++ [NF_SIGNALED ] = &sigreceived, ++ [NF_IP_UP ] = &ip_up_notifier, ++ [NF_IP_DOWN ] = &ip_down_notifier, ++ [NF_IPV6_UP ] = &ipv6_up_notifier, ++ [NF_IPV6_DOWN ] = &ipv6_down_notifier, ++ [NF_AUTH_UP ] = &auth_up_notifier, ++ [NF_LINK_DOWN ] = &link_down_notifier, ++ [NF_FORK ] = &fork_notifier, ++ }; ++ ++ struct notifier **notify = list[type]; ++ if (notify) { ++ add_notifier(notify, func, ctx); ++ } ++} ++ ++#endif /* #if WITH_PPP_VERSION < PPP_VERSION(2,5,0) */ ++#endif /* #if__LIBPPP_COMPAT_H__ */ diff --git a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch index 9dca21a02f..9e2cc34995 100644 --- a/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch +++ b/meta/recipes-connectivity/connman/connman/0002-resolve-musl-does-not-implement-res_ninit.patch @@ -1,83 +1,88 @@ -From 01974865e4d331eeaf25248bee1bb96539c450d9 Mon Sep 17 00:00:00 2001 +From 60783f0d885c9a0db8b6f1d528786321e53f1512 Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Mon, 6 Apr 2015 23:02:21 -0700 -Subject: [PATCH] resolve: musl does not implement res_ninit +Subject: [PATCH] gweb/gresolv.c: make use of res_ninit optional and subject to + __RES -ported from +Not all libc implementation have those functions, and the way to determine +if they do is to check __RES which is explained in resolv.h thusly: + +/* + * Revision information. This is the release date in YYYYMMDD format. + * It can change every day so the right thing to do with it is use it + * in preprocessor commands such as "#if (__RES > 19931104)". Do not + * compare for equality; rather, use it to determine whether your resolver + * is new enough to contain a certain feature. + */ + +Indeed, it needs to be at least 19991006. + +The portion of the patch that implements a fallback is ported from +Alpine Linux: http://git.alpinelinux.org/cgit/aports/plain/testing/connman/libresolv.patch -Upstream-Status: Pending +Upstream-Status: Submitted [to connman@lists.linux.dev,marcel@holtmann.org] Signed-off-by: Khem Raj <raj.khem@gmail.com> - --- - gweb/gresolv.c | 34 +++++++++++++--------------------- - 1 file changed, 13 insertions(+), 21 deletions(-) + gweb/gresolv.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) diff --git a/gweb/gresolv.c b/gweb/gresolv.c -index 954e7cf..2a9bc51 100644 +index 8101d71..9f1477c 100644 --- a/gweb/gresolv.c +++ b/gweb/gresolv.c -@@ -36,6 +36,7 @@ - #include <arpa/inet.h> - #include <arpa/nameser.h> - #include <net/if.h> -+#include <ctype.h> - - #include "gresolv.h" - -@@ -878,8 +879,6 @@ GResolv *g_resolv_new(int index) +@@ -879,7 +879,9 @@ GResolv *g_resolv_new(int index) resolv->index = index; resolv->nameserver_list = NULL; -- res_ninit(&resolv->res); -- ++#if (__RES >= 19991006) + res_ninit(&resolv->res); ++#endif + return resolv; } - -@@ -919,8 +918,6 @@ void g_resolv_unref(GResolv *resolv) +@@ -920,7 +922,9 @@ void g_resolv_unref(GResolv *resolv) flush_nameservers(resolv); -- res_nclose(&resolv->res); -- ++#if (__RES >= 19991006) + res_nclose(&resolv->res); ++#endif + g_free(resolv); } - -@@ -1023,24 +1020,19 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname, +@@ -1024,6 +1028,7 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname, debug(resolv, "hostname %s", hostname); if (!resolv->nameserver_list) { -- int i; -- -- for (i = 0; i < resolv->res.nscount; i++) { -- char buf[100]; -- int family = resolv->res.nsaddr_list[i].sin_family; -- void *sa_addr = &resolv->res.nsaddr_list[i].sin_addr; -- -- if (family != AF_INET && -- resolv->res._u._ext.nsaddrs[i]) { -- family = AF_INET6; -- sa_addr = &resolv->res._u._ext.nsaddrs[i]->sin6_addr; -+ FILE *f = fopen("/etc/resolv.conf", "r"); -+ if (f) { -+ char line[256], *s; -+ int i; -+ while (fgets(line, sizeof(line), f)) { -+ if (strncmp(line, "nameserver", 10) || !isspace(line[10])) -+ continue; -+ for (s = &line[11]; isspace(s[0]); s++); -+ for (i = 0; s[i] && !isspace(s[i]); i++); -+ s[i] = 0; -+ g_resolv_add_nameserver(resolv, s, 53, 0); - } -- -- if (family != AF_INET && family != AF_INET6) -- continue; -- -- if (inet_ntop(family, sa_addr, buf, sizeof(buf))) -- g_resolv_add_nameserver(resolv, buf, 53, 0); -+ fclose(f); ++#if (__RES >= 19991006) + int i; + + for (i = 0; i < resolv->res.nscount; i++) { +@@ -1043,6 +1048,22 @@ guint g_resolv_lookup_hostname(GResolv *resolv, const char *hostname, + if (inet_ntop(family, sa_addr, buf, sizeof(buf))) + g_resolv_add_nameserver(resolv, buf, 53, 0); } ++#else ++ FILE *f = fopen("/etc/resolv.conf", "r"); ++ if (f) { ++ char line[256], *s; ++ int i; ++ while (fgets(line, sizeof(line), f)) { ++ if (strncmp(line, "nameserver", 10) || !isspace(line[10])) ++ continue; ++ for (s = &line[11]; isspace(s[0]); s++); ++ for (i = 0; s[i] && !isspace(s[i]); i++); ++ s[i] = 0; ++ g_resolv_add_nameserver(resolv, s, 53, 0); ++ } ++ fclose(f); ++ } ++#endif if (!resolv->nameserver_list) + g_resolv_add_nameserver(resolv, "127.0.0.1", 53, 0); +-- +2.39.2 + diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch deleted file mode 100644 index 182c5ca29c..0000000000 --- a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch +++ /dev/null @@ -1,37 +0,0 @@ -From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 -From: Nathan Crandall <ncrandall@tesla.com> -Date: Tue, 12 Jul 2022 08:56:34 +0200 -Subject: gweb: Fix OOB write in received_data() - -There is a mismatch of handling binary vs. C-string data with memchr -and strlen, resulting in pos, count, and bytes_read to become out of -sync and result in a heap overflow. Instead, do not treat the buffer -as an ASCII C-string. We calculate the count based on the return value -of memchr, instead of strlen. - -Fixes: CVE-2022-32292 - -CVE: CVE-2022-32292 - -Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - gweb/gweb.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/gweb/gweb.c b/gweb/gweb.c -index 12fcb1d8..13c6c5f2 100644 ---- a/gweb/gweb.c -+++ b/gweb/gweb.c -@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, - } - - *pos = '\0'; -- count = strlen((char *) ptr); -+ count = pos - ptr; - if (count > 0 && ptr[count - 1] == '\r') { - ptr[--count] = '\0'; - bytes_read--; --- -cgit - diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch deleted file mode 100644 index b280203594..0000000000 --- a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p1.patch +++ /dev/null @@ -1,141 +0,0 @@ -From 72343929836de80727a27d6744c869dff045757c Mon Sep 17 00:00:00 2001 -From: Daniel Wagner <wagi@monom.org> -Date: Tue, 5 Jul 2022 08:32:12 +0200 -Subject: wispr: Add reference counter to portal context - -Track the connman_wispr_portal_context live time via a -refcounter. This only adds the infrastructure to do proper reference -counting. - -Fixes: CVE-2022-32293 -CVE: CVE-2022-32293 -Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=416bfaff988882c553c672e5bfc2d4f648d29e8a] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - src/wispr.c | 52 ++++++++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 42 insertions(+), 10 deletions(-) - -diff --git a/src/wispr.c b/src/wispr.c -index a07896ca..bde7e63b 100644 ---- a/src/wispr.c -+++ b/src/wispr.c -@@ -56,6 +56,7 @@ struct wispr_route { - }; - - struct connman_wispr_portal_context { -+ int refcount; - struct connman_service *service; - enum connman_ipconfig_type type; - struct connman_wispr_portal *wispr_portal; -@@ -97,6 +98,11 @@ static char *online_check_ipv4_url = NULL; - static char *online_check_ipv6_url = NULL; - static bool enable_online_to_ready_transition = false; - -+#define wispr_portal_context_ref(wp_context) \ -+ wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) -+#define wispr_portal_context_unref(wp_context) \ -+ wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__) -+ - static void connman_wispr_message_init(struct connman_wispr_message *msg) - { - DBG(""); -@@ -162,9 +168,6 @@ static void free_connman_wispr_portal_context( - { - DBG("context %p", wp_context); - -- if (!wp_context) -- return; -- - if (wp_context->wispr_portal) { - if (wp_context->wispr_portal->ipv4_context == wp_context) - wp_context->wispr_portal->ipv4_context = NULL; -@@ -201,9 +204,38 @@ static void free_connman_wispr_portal_context( - g_free(wp_context); - } - -+static struct connman_wispr_portal_context * -+wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context, -+ const char *file, int line, const char *caller) -+{ -+ DBG("%p ref %d by %s:%d:%s()", wp_context, -+ wp_context->refcount + 1, file, line, caller); -+ -+ __sync_fetch_and_add(&wp_context->refcount, 1); -+ -+ return wp_context; -+} -+ -+static void wispr_portal_context_unref_debug( -+ struct connman_wispr_portal_context *wp_context, -+ const char *file, int line, const char *caller) -+{ -+ if (!wp_context) -+ return; -+ -+ DBG("%p ref %d by %s:%d:%s()", wp_context, -+ wp_context->refcount - 1, file, line, caller); -+ -+ if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1) -+ return; -+ -+ free_connman_wispr_portal_context(wp_context); -+} -+ - static struct connman_wispr_portal_context *create_wispr_portal_context(void) - { -- return g_try_new0(struct connman_wispr_portal_context, 1); -+ return wispr_portal_context_ref( -+ g_new0(struct connman_wispr_portal_context, 1)); - } - - static void free_connman_wispr_portal(gpointer data) -@@ -215,8 +247,8 @@ static void free_connman_wispr_portal(gpointer data) - if (!wispr_portal) - return; - -- free_connman_wispr_portal_context(wispr_portal->ipv4_context); -- free_connman_wispr_portal_context(wispr_portal->ipv6_context); -+ wispr_portal_context_unref(wispr_portal->ipv4_context); -+ wispr_portal_context_unref(wispr_portal->ipv6_context); - - g_free(wispr_portal); - } -@@ -452,7 +484,7 @@ static void portal_manage_status(GWebResult *result, - connman_info("Client-Timezone: %s", str); - - if (!enable_online_to_ready_transition) -- free_connman_wispr_portal_context(wp_context); -+ wispr_portal_context_unref(wp_context); - - __connman_service_ipconfig_indicate_state(service, - CONNMAN_SERVICE_STATE_ONLINE, type); -@@ -616,7 +648,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service, - return; - } - -- free_connman_wispr_portal_context(wp_context); -+ wispr_portal_context_unref(wp_context); - return; - } - -@@ -952,7 +984,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context) - - if (wp_context->token == 0) { - err = -EINVAL; -- free_connman_wispr_portal_context(wp_context); -+ wispr_portal_context_unref(wp_context); - } - } else if (wp_context->timeout == 0) { - wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); -@@ -1001,7 +1033,7 @@ int __connman_wispr_start(struct connman_service *service, - - /* If there is already an existing context, we wipe it */ - if (wp_context) -- free_connman_wispr_portal_context(wp_context); -+ wispr_portal_context_unref(wp_context); - - wp_context = create_wispr_portal_context(); - if (!wp_context) --- -cgit - diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch deleted file mode 100644 index 56f8fc82de..0000000000 --- a/meta/recipes-connectivity/connman/connman/CVE-2022-32293_p2.patch +++ /dev/null @@ -1,174 +0,0 @@ -From 416bfaff988882c553c672e5bfc2d4f648d29e8a Mon Sep 17 00:00:00 2001 -From: Daniel Wagner <wagi@monom.org> -Date: Tue, 5 Jul 2022 09:11:09 +0200 -Subject: wispr: Update portal context references - -Maintain proper portal context references to avoid UAF. - -Fixes: CVE-2022-32293 -CVE: CVE-2022-32293 -Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - src/wispr.c | 34 ++++++++++++++++++++++------------ - 1 file changed, 22 insertions(+), 12 deletions(-) - -diff --git a/src/wispr.c b/src/wispr.c -index bde7e63b..84bed33f 100644 ---- a/src/wispr.c -+++ b/src/wispr.c -@@ -105,8 +105,6 @@ static bool enable_online_to_ready_transition = false; - - static void connman_wispr_message_init(struct connman_wispr_message *msg) - { -- DBG(""); -- - msg->has_error = false; - msg->current_element = NULL; - -@@ -166,8 +164,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context) - static void free_connman_wispr_portal_context( - struct connman_wispr_portal_context *wp_context) - { -- DBG("context %p", wp_context); -- - if (wp_context->wispr_portal) { - if (wp_context->wispr_portal->ipv4_context == wp_context) - wp_context->wispr_portal->ipv4_context = NULL; -@@ -483,9 +479,6 @@ static void portal_manage_status(GWebResult *result, - &str)) - connman_info("Client-Timezone: %s", str); - -- if (!enable_online_to_ready_transition) -- wispr_portal_context_unref(wp_context); -- - __connman_service_ipconfig_indicate_state(service, - CONNMAN_SERVICE_STATE_ONLINE, type); - -@@ -546,14 +539,17 @@ static void wispr_portal_request_portal( - { - DBG(""); - -+ wispr_portal_context_ref(wp_context); - wp_context->request_id = g_web_request_get(wp_context->web, - wp_context->status_url, - wispr_portal_web_result, - wispr_route_request, - wp_context); - -- if (wp_context->request_id == 0) -+ if (wp_context->request_id == 0) { - wispr_portal_error(wp_context); -+ wispr_portal_context_unref(wp_context); -+ } - } - - static bool wispr_input(const guint8 **data, gsize *length, -@@ -618,13 +614,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service, - return; - - if (!authentication_done) { -- wispr_portal_error(wp_context); - free_wispr_routes(wp_context); -+ wispr_portal_error(wp_context); -+ wispr_portal_context_unref(wp_context); - return; - } - - /* Restarting the test */ - __connman_service_wispr_start(service, wp_context->type); -+ wispr_portal_context_unref(wp_context); - } - - static void wispr_portal_request_wispr_login(struct connman_service *service, -@@ -700,11 +698,13 @@ static bool wispr_manage_message(GWebResult *result, - - wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; - -+ wispr_portal_context_ref(wp_context); - if (__connman_agent_request_login_input(wp_context->service, - wispr_portal_request_wispr_login, -- wp_context) != -EINPROGRESS) -+ wp_context) != -EINPROGRESS) { - wispr_portal_error(wp_context); -- else -+ wispr_portal_context_unref(wp_context); -+ } else - return true; - - break; -@@ -753,6 +753,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - if (length > 0) { - g_web_parser_feed_data(wp_context->wispr_parser, - chunk, length); -+ wispr_portal_context_unref(wp_context); - return true; - } - -@@ -770,6 +771,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - - switch (status) { - case 000: -+ wispr_portal_context_ref(wp_context); - __connman_agent_request_browser(wp_context->service, - wispr_portal_browser_reply_cb, - wp_context->status_url, wp_context); -@@ -781,11 +783,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - if (g_web_result_get_header(result, "X-ConnMan-Status", - &str)) { - portal_manage_status(result, wp_context); -+ wispr_portal_context_unref(wp_context); - return false; -- } else -+ } else { -+ wispr_portal_context_ref(wp_context); - __connman_agent_request_browser(wp_context->service, - wispr_portal_browser_reply_cb, - wp_context->redirect_url, wp_context); -+ } - - break; - case 300: -@@ -798,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - !g_web_result_get_header(result, "Location", - &redirect)) { - -+ wispr_portal_context_ref(wp_context); - __connman_agent_request_browser(wp_context->service, - wispr_portal_browser_reply_cb, - wp_context->status_url, wp_context); -@@ -808,6 +814,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - - wp_context->redirect_url = g_strdup(redirect); - -+ wispr_portal_context_ref(wp_context); - wp_context->request_id = g_web_request_get(wp_context->web, - redirect, wispr_portal_web_result, - wispr_route_request, wp_context); -@@ -820,6 +827,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - - break; - case 505: -+ wispr_portal_context_ref(wp_context); - __connman_agent_request_browser(wp_context->service, - wispr_portal_browser_reply_cb, - wp_context->status_url, wp_context); -@@ -832,6 +840,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) - wp_context->request_id = 0; - done: - wp_context->wispr_msg.message_type = -1; -+ wispr_portal_context_unref(wp_context); - return false; - } - -@@ -890,6 +899,7 @@ static void proxy_callback(const char *proxy, void *user_data) - xml_wispr_parser_callback, wp_context); - - wispr_portal_request_portal(wp_context); -+ wispr_portal_context_unref(wp_context); - } - - static gboolean no_proxy_callback(gpointer user_data) --- -cgit - diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.42.bb index 79542b2175..5c60b9cb83 100644 --- a/meta/recipes-connectivity/connman/connman_1.41.bb +++ b/meta/recipes-connectivity/connman/connman_1.42.bb @@ -5,14 +5,13 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \ file://connman \ file://no-version-scripts.patch \ - file://CVE-2022-32293_p1.patch \ - file://CVE-2022-32293_p2.patch \ - file://CVE-2022-32292.patch \ + file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \ + file://0001-src-log.c-Include-libgen.h-for-basename-API.patch \ + file://0002-resolve-musl-does-not-implement-res_ninit.patch \ " -SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" -SRC_URI[sha256sum] = "79fb40f4fdd5530c45aa8e592fb16ba23d3674f3a98cf10b89a6576f198de589" +SRC_URI[sha256sum] = "a3e6bae46fc081ef2e9dae3caa4f7649de892c3de622c20283ac0ca81423c2aa" RRECOMMENDS:${PN} = "connman-conf" RCONFLICTS:${PN} = "networkmanager" diff --git a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb index 5cf77fa0f6..fd193b2cff 100644 --- a/meta/recipes-connectivity/dhcpcd/dhcpcd_9.4.1.bb +++ b/meta/recipes-connectivity/dhcpcd/dhcpcd_10.0.6.bb @@ -7,20 +7,18 @@ DESCRIPTION = "dhcpcd runs on your machine and silently configures your \ HOMEPAGE = "http://roy.marples.name/projects/dhcpcd/" LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=d148485768fe85b9f1072b186a7e9b4d" +LIC_FILES_CHKSUM = "file://LICENSE;md5=ba9c7e534853aaf3de76c905b2410ffd" -UPSTREAM_CHECK_URI = "https://roy.marples.name/downloads/dhcpcd/" - -SRC_URI = "https://roy.marples.name/downloads/${BPN}/${BPN}-${PV}.tar.xz \ +SRC_URI = "git://github.com/NetworkConfiguration/dhcpcd;protocol=https;branch=master \ file://0001-remove-INCLUDEDIR-to-prevent-build-issues.patch \ file://0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch \ - file://0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch \ - file://0002-privsep-Allow-newfstatat-syscall-as-well.patch \ file://dhcpcd.service \ file://dhcpcd@.service \ + file://0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch \ " -SRC_URI[sha256sum] = "819357634efed1ea5cf44ec01b24d3d3f8852fec8b4249925dcc5667c54e376c" +SRCREV = "1c8ae59836fa87b4c63c598087f0460ec20ed862" +S = "${WORKDIR}/git" inherit pkgconfig autotools-brokensep systemd useradd @@ -54,7 +52,7 @@ USERADD_PARAM:${PN} = "--system -d ${DBDIR} -M -s /bin/false -U dhcpcd" do_install:append () { # install systemd unit files install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/dhcpcd*.service ${D}${systemd_system_unitdir} + install -m 0644 ${UNPACKDIR}/dhcpcd*.service ${D}${systemd_system_unitdir} chmod 700 ${D}${DBDIR} chown dhcpcd:dhcpcd ${D}${DBDIR} diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch index 6f90c88249..8d1ed6671a 100644 --- a/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch +++ b/meta/recipes-connectivity/dhcpcd/files/0001-20-resolv.conf-improve-the-sitation-of-working-with-.patch @@ -27,7 +27,7 @@ Signed-off-by: Chen Qi <Qi.Chen@windriver.com> 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/hooks/20-resolv.conf b/hooks/20-resolv.conf -index 504a6c53..eb6e5845 100644 +index 7c29e276..becc019f 100644 --- a/hooks/20-resolv.conf +++ b/hooks/20-resolv.conf @@ -11,8 +11,12 @@ nocarrier_roaming_dir="$state_dir/roaming" @@ -35,7 +35,7 @@ index 504a6c53..eb6e5845 100644 " : ${resolvconf:=resolvconf} +resolvconf_from_systemd=false - if type "$resolvconf" >/dev/null 2>&1; then + if command -v "$resolvconf" >/dev/null 2>&1; then have_resolvconf=true + if [ $(basename $(readlink -f $(which $resolvconf))) = resolvectl ]; then + resolvconf_from_systemd=true diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch new file mode 100644 index 0000000000..461d04bd1d --- /dev/null +++ b/meta/recipes-connectivity/dhcpcd/files/0001-dhcpcd.8-Fix-conflict-error-when-enable-multilib.patch @@ -0,0 +1,44 @@ +From 5d5ba8a2b8010db6bee68bd712f829cb737c9ac1 Mon Sep 17 00:00:00 2001 +From: Lei Maohui <leimaohui@fujitsu.com> +Date: Fri, 10 Mar 2023 03:48:46 +0000 +Subject: [PATCH] dhcpcd.8: Fix conflict error when enable multilib. + +Error: Transaction test error: + file /usr/share/man/man8/dhcpcd.8 conflicts between attempted + installs of dhcpcd-doc-9.4.1-r0.cortexa57 and + lib32-dhcpcd-doc-9.4.1-r0.armv7ahf_neon + +The differences between the two files are as follows: +@@ -821,7 +821,7 @@ + If you always use the same options, put them here. + .It Pa /usr/libexec/dhcpcd-run-hooks + Bourne shell script that is run to configure or de-configure an interface. +-.It Pa /usr/lib64/dhcpcd/dev ++.It Pa /usr/lib/dhcpcd/dev + Linux + .Pa /dev + management modules. + +It is just a man file, there is no necessary to manage multiple +versions. + +Upstream-Status: Inappropriate [oe specific] +Signed-off-by: Lei Maohui <leimaohui@fujitsu.com> + +--- + src/dhcpcd.8.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/dhcpcd.8.in b/src/dhcpcd.8.in +index 93232840..09930a31 100644 +--- a/src/dhcpcd.8.in ++++ b/src/dhcpcd.8.in +@@ -824,7 +824,7 @@ Configuration file for dhcpcd. + If you always use the same options, put them here. + .It Pa @SCRIPT@ + Bourne shell script that is run to configure or de-configure an interface. +-.It Pa @LIBDIR@/dhcpcd/dev ++.It Pa /usr/<libdir>/dhcpcd/dev + Linux + .Pa /dev + management modules. diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch b/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch deleted file mode 100644 index 68ab93416a..0000000000 --- a/meta/recipes-connectivity/dhcpcd/files/0001-privsep-Allow-getrandom-sysctl-for-newer-glibc.patch +++ /dev/null @@ -1,30 +0,0 @@ -From c6cdf0aee71ab4126d36b045f02428ee3c6ec50b Mon Sep 17 00:00:00 2001 -From: Roy Marples <roy@marples.name> -Date: Fri, 26 Aug 2022 09:08:36 +0100 -Subject: [PATCH 1/2] privsep: Allow getrandom sysctl for newer glibc - -Fixes #120 - -Upstream-Status: Backport [c6cdf0aee71ab4126d36b045f02428ee3c6ec50b] -Signed-off-by: Chen Qi <Qi.Chen@windriver.com> ---- - src/privsep-linux.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/privsep-linux.c b/src/privsep-linux.c -index b238644b..479a1d82 100644 ---- a/src/privsep-linux.c -+++ b/src/privsep-linux.c -@@ -300,6 +300,9 @@ static struct sock_filter ps_seccomp_filter[] = { - #ifdef __NR_getpid - SECCOMP_ALLOW(__NR_getpid), - #endif -+#ifdef __NR_getrandom -+ SECCOMP_ALLOW(__NR_getrandom), -+#endif - #ifdef __NR_getsockopt - /* For route socket overflow */ - SECCOMP_ALLOW_ARG(__NR_getsockopt, 1, SOL_SOCKET), --- -2.17.1 - diff --git a/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch b/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch index 37d2344438..c54942be4b 100644 --- a/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch +++ b/meta/recipes-connectivity/dhcpcd/files/0001-remove-INCLUDEDIR-to-prevent-build-issues.patch @@ -1,4 +1,4 @@ -From aa9e3982c1e75ad49945a62f5e262279c7a905a4 Mon Sep 17 00:00:00 2001 +From ec9fc4e6086e1dbe0ac2f94a8a088a571596a581 Mon Sep 17 00:00:00 2001 From: Stefano Cappa <stefano.cappa.ks89@gmail.com> Date: Sun, 13 Jan 2019 01:50:52 +0100 Subject: [PATCH] remove INCLUDEDIR to prevent build issues @@ -6,15 +6,16 @@ Subject: [PATCH] remove INCLUDEDIR to prevent build issues Upstream-Status: Pending Signed-off-by: Stefano Cappa <stefano.cappa.ks89@gmail.com> + --- configure | 5 ----- 1 file changed, 5 deletions(-) diff --git a/configure b/configure -index 6c81e0db..32dea2b4 100755 +index 5237b0e2..7220718b 100755 --- a/configure +++ b/configure -@@ -20,7 +20,6 @@ BUILD= +@@ -26,7 +26,6 @@ BUILD= HOST= HOSTCC= TARGET= @@ -22,7 +23,7 @@ index 6c81e0db..32dea2b4 100755 DEBUG= FORK= STATIC= -@@ -72,7 +71,6 @@ for x do +@@ -86,7 +85,6 @@ for x do --mandir) MANDIR=$var;; --datadir) DATADIR=$var;; --with-ccopts|CFLAGS) CFLAGS=$var;; @@ -30,7 +31,7 @@ index 6c81e0db..32dea2b4 100755 CC) CC=$var;; CPPFLAGS) CPPFLAGS=$var;; PKG_CONFIG) PKG_CONFIG=$var;; -@@ -309,9 +307,6 @@ if [ -n "$CPPFLAGS" ]; then +@@ -343,9 +341,6 @@ if [ -n "$CPPFLAGS" ]; then echo "CPPFLAGS=" >>$CONFIG_MK echo "CPPFLAGS+= $CPPFLAGS" >>$CONFIG_MK fi @@ -40,6 +41,3 @@ index 6c81e0db..32dea2b4 100755 if [ -n "$LDFLAGS" ]; then echo "LDFLAGS=" >>$CONFIG_MK echo "LDFLAGS+= $LDFLAGS" >>$CONFIG_MK --- -2.17.2 (Apple Git-113) - diff --git a/meta/recipes-connectivity/dhcpcd/files/0002-privsep-Allow-newfstatat-syscall-as-well.patch b/meta/recipes-connectivity/dhcpcd/files/0002-privsep-Allow-newfstatat-syscall-as-well.patch deleted file mode 100644 index c5d2cba305..0000000000 --- a/meta/recipes-connectivity/dhcpcd/files/0002-privsep-Allow-newfstatat-syscall-as-well.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 7625a555797f587a89dc2447fd9d621024d5165c Mon Sep 17 00:00:00 2001 -From: Roy Marples <roy@marples.name> -Date: Fri, 26 Aug 2022 09:24:50 +0100 -Subject: [PATCH 2/2] privsep: Allow newfstatat syscall as well - -Allows newer glibc variants to work apparently. -As reported in #84 and #89. - -Upstream-Status: Backport [7625a555797f587a89dc2447fd9d621024d5165c] -Signed-off-by: Chen Qi <Qi.Chen@windriver.com> ---- - src/privsep-linux.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/src/privsep-linux.c b/src/privsep-linux.c -index 479a1d82..6327b1bc 100644 ---- a/src/privsep-linux.c -+++ b/src/privsep-linux.c -@@ -328,6 +328,9 @@ static struct sock_filter ps_seccomp_filter[] = { - #ifdef __NR_nanosleep - SECCOMP_ALLOW(__NR_nanosleep), /* XXX should use ppoll instead */ - #endif -+#ifdef __NR_newfstatat -+ SECCOMP_ALLOW(__NR_newfstatat), -+#endif - #ifdef __NR_ppoll - SECCOMP_ALLOW(__NR_ppoll), - #endif --- -2.17.1 - diff --git a/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch b/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch deleted file mode 100644 index 49d319f59d..0000000000 --- a/meta/recipes-connectivity/inetutils/inetutils/0001-ftpd-telnetd-Fix-multiple-definitions-of-errcatch-an.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 7d39930468e272c740b0eed3c7e5b7fb3abf29e8 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Wed, 5 Aug 2020 10:36:22 -0700 -Subject: [PATCH] ftpd,telnetd: Fix multiple definitions of errcatch and not42 - -This helps fix build failures when -fno-common option is used - -Upstream-Status: Pending -Signed-off-by: Khem Raj <raj.khem@gmail.com> - -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - ftpd/extern.h | 2 +- - ftpd/ftpcmd.c | 1 + - telnetd/utility.c | 2 +- - 3 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/ftpd/extern.h b/ftpd/extern.h -index ab33cf3..91dbbee 100644 ---- a/ftpd/extern.h -+++ b/ftpd/extern.h -@@ -90,7 +90,7 @@ extern void user (const char *); - extern char *sgetsave (const char *); - - /* Exported from ftpd.c. */ --jmp_buf errcatch; -+extern jmp_buf errcatch; - extern struct sockaddr_storage data_dest; - extern socklen_t data_dest_len; - extern struct sockaddr_storage his_addr; -diff --git a/ftpd/ftpcmd.c b/ftpd/ftpcmd.c -index beb1f06..d272e9d 100644 ---- a/ftpd/ftpcmd.c -+++ b/ftpd/ftpcmd.c -@@ -106,6 +106,7 @@ - #endif - - off_t restart_point; -+jmp_buf errcatch; - - static char cbuf[512]; /* Command Buffer. */ - static char *fromname; -diff --git a/telnetd/utility.c b/telnetd/utility.c -index e7ffb8e..46bf91e 100644 ---- a/telnetd/utility.c -+++ b/telnetd/utility.c -@@ -63,7 +63,7 @@ static int ncc; - static char ptyibuf[BUFSIZ], *ptyip; - static int pcc; - --int not42; -+extern int not42; - - static int - readstream (int p, char *ibuf, int bufsize) --- -2.28.0 - diff --git a/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch b/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch deleted file mode 100644 index a91913cb51..0000000000 --- a/meta/recipes-connectivity/inetutils/inetutils/fix-buffer-fortify-tfpt.patch +++ /dev/null @@ -1,25 +0,0 @@ -tftpd: Fix abort on error path - -When trying to fetch a non existent file, the app crashes with: - -*** buffer overflow detected ***: -Aborted - - -Upstream-Status: Submitted [https://www.mail-archive.com/bug-inetutils@gnu.org/msg03036.html https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91205] -Signed-off-by: Ricardo Ribalda Delgado <ricardo@ribalda.com> -diff --git a/src/tftpd.c b/src/tftpd.c -index 56002a0..144012f 100644 ---- a/src/tftpd.c -+++ b/src/tftpd.c -@@ -864,9 +864,8 @@ nak (int error) - pe->e_msg = strerror (error - 100); - tp->th_code = EUNDEF; /* set 'undef' errorcode */ - } -- strcpy (tp->th_msg, pe->e_msg); - length = strlen (pe->e_msg); -- tp->th_msg[length] = '\0'; -+ memcpy(tp->th_msg, pe->e_msg, length + 1); - length += 5; - if (sendto (peer, buf, length, 0, (struct sockaddr *) &from, fromlen) != length) - syslog (LOG_ERR, "nak: %m\n"); diff --git a/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch b/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch deleted file mode 100644 index 603d2baf9d..0000000000 --- a/meta/recipes-connectivity/inetutils/inetutils/fix-disable-ipv6.patch +++ /dev/null @@ -1,85 +0,0 @@ -From c7c27ba763c613f83c1561e56448b49315c271c5 Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Wed, 6 Mar 2019 09:36:11 -0500 -Subject: [PATCH] Upstream: - http://www.mail-archive.com/bug-inetutils@gnu.org/msg02103.html - -Upstream-Status: Pending - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> - ---- - ping/ping_common.h | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/ping/ping_common.h b/ping/ping_common.h -index 65e3e60..3e84db0 100644 ---- a/ping/ping_common.h -+++ b/ping/ping_common.h -@@ -18,10 +18,14 @@ - You should have received a copy of the GNU General Public License - along with this program. If not, see `http://www.gnu.org/licenses/'. */ - -+#include <config.h> -+ - #include <netinet/in_systm.h> - #include <netinet/in.h> - #include <netinet/ip.h> -+#ifdef HAVE_IPV6 - #include <netinet/icmp6.h> -+#endif - #include <icmp.h> - #include <error.h> - #include <progname.h> -@@ -63,7 +67,12 @@ struct ping_stat - want to follow the traditional behaviour of ping. */ - #define DEFAULT_PING_COUNT 0 - -+#ifdef HAVE_IPV6 - #define PING_HEADER_LEN (USE_IPV6 ? sizeof (struct icmp6_hdr) : ICMP_MINLEN) -+#else -+#define PING_HEADER_LEN (ICMP_MINLEN) -+#endif -+ - #define PING_TIMING(s) ((s) >= sizeof (struct timeval)) - #define PING_DATALEN (64 - PING_HEADER_LEN) /* default data length */ - -@@ -78,13 +87,20 @@ struct ping_stat - - #define PING_MIN_USER_INTERVAL (200000/PING_PRECISION) - -+#ifdef HAVE_IPV6 - /* FIXME: Adjust IPv6 case for options and their consumption. */ - #define _PING_BUFLEN(p, u) ((u)? ((p)->ping_datalen + sizeof (struct icmp6_hdr)) : \ - (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN)) - -+#else -+#define _PING_BUFLEN(p, u) (MAXIPLEN + (p)->ping_datalen + ICMP_TSLEN) -+#endif -+ -+#ifdef HAVE_IPV6 - typedef int (*ping_efp6) (int code, void *closure, struct sockaddr_in6 * dest, - struct sockaddr_in6 * from, struct icmp6_hdr * icmp, - int datalen); -+#endif - - typedef int (*ping_efp) (int code, - void *closure, -@@ -93,13 +109,17 @@ typedef int (*ping_efp) (int code, - struct ip * ip, icmphdr_t * icmp, int datalen); - - union event { -+#ifdef HAVE_IPV6 - ping_efp6 handler6; -+#endif - ping_efp handler; - }; - - union ping_address { - struct sockaddr_in ping_sockaddr; -+#ifdef HAVE_IPV6 - struct sockaddr_in6 ping_sockaddr6; -+#endif - }; - - typedef struct ping_data PING; diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch deleted file mode 100644 index 2974bd4f94..0000000000 --- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch +++ /dev/null @@ -1,27 +0,0 @@ -From f7f785c21306010b2367572250b2822df5bc7728 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vapier at gentoo.org> -Date: Thu, 18 Nov 2010 16:59:14 -0500 -Subject: [PATCH] printf-parse: pull in features.h for __GLIBC__ - -Upstream-Status: Pending - -Signed-off-by: Mike Frysinger <vapier at gentoo.org> - ---- - lib/printf-parse.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/printf-parse.h b/lib/printf-parse.h -index e7d0f82..d7b4534 100644 ---- a/lib/printf-parse.h -+++ b/lib/printf-parse.h -@@ -28,6 +28,9 @@ - - #include "printf-args.h" - -+#ifdef HAVE_FEATURES_H -+# include <features.h> /* for __GLIBC__ */ -+#endif - - /* Flags */ - #define FLAG_GROUP 1 /* ' flag */ diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch deleted file mode 100644 index 1ef7e21073..0000000000 --- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.8-0003-wchar.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 9089c6eafbf5903174dce87b68476e35db80beb9 Mon Sep 17 00:00:00 2001 -From: Martin Jansa <martin.jansa@gmail.com> -Date: Wed, 6 Mar 2019 09:36:11 -0500 -Subject: [PATCH] inetutils: Import version 1.9.4 - -Upstream-Status: Pending - ---- - lib/wchar.in.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/lib/wchar.in.h b/lib/wchar.in.h -index cdda680..043866a 100644 ---- a/lib/wchar.in.h -+++ b/lib/wchar.in.h -@@ -77,6 +77,9 @@ - /* The include_next requires a split double-inclusion guard. */ - #if @HAVE_WCHAR_H@ - # @INCLUDE_NEXT@ @NEXT_WCHAR_H@ -+#else -+# include <stddef.h> -+# define MB_CUR_MAX 1 - #endif - - #undef _GL_ALREADY_INCLUDING_WCHAR_H diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch deleted file mode 100644 index 460ddf9830..0000000000 --- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-1.9-PATH_PROCNET_DEV.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 101130f422dd5c01a1459645d7b2a5b8d19720ab Mon Sep 17 00:00:00 2001 -From: Martin Jansa <martin.jansa@gmail.com> -Date: Wed, 6 Mar 2019 09:36:11 -0500 -Subject: [PATCH] inetutils: define PATH_PROCNET_DEV if not already defined -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -this prevents the following compilation error : -system/linux.c:401:15: error: 'PATH_PROCNET_DEV' undeclared (first use in this function) - -this patch comes from : - http://repository.timesys.com/buildsources/i/inetutils/inetutils-1.9/ - -Upstream-Status: Inappropriate [not author] - -Signed-of-by: Eric Bénard <eric@eukrea.com> - ---- - ifconfig/system/linux.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/ifconfig/system/linux.c b/ifconfig/system/linux.c -index e453b46..4268ca9 100644 ---- a/ifconfig/system/linux.c -+++ b/ifconfig/system/linux.c -@@ -53,6 +53,10 @@ - #include "../ifconfig.h" - - -+#ifndef PATH_PROCNET_DEV -+ #define PATH_PROCNET_DEV "/proc/net/dev" -+#endif -+ - /* ARPHRD stuff. */ - - static void diff --git a/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch b/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch deleted file mode 100644 index 2343c03cb4..0000000000 --- a/meta/recipes-connectivity/inetutils/inetutils/inetutils-only-check-pam_appl.h-when-pam-enabled.patch +++ /dev/null @@ -1,49 +0,0 @@ -From cc66e842e037fba9f06761f942abe5c4856492b8 Mon Sep 17 00:00:00 2001 -From: Kai Kang <kai.kang@windriver.com> -Date: Wed, 6 Mar 2019 09:36:11 -0500 -Subject: [PATCH] inetutils: Import version 1.9.4 - -Only check security/pam_appl.h which is provided by package libpam when pam is -enabled. - -Upstream-Status: Pending - -Signed-off-by: Kai Kang <kai.kang@windriver.com> - ---- - configure.ac | 15 ++++++++++++++- - 1 file changed, 14 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 5e16c3a..18510a8 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -182,6 +182,19 @@ AC_SUBST(LIBUTIL) - - # See if we have libpam.a. Investigate PAM versus Linux-PAM. - if test "$with_pam" = yes ; then -+ AC_CHECK_HEADERS([security/pam_appl.h], [], [], [ -+#include <sys/types.h> -+#ifdef HAVE_NETINET_IN_SYSTM_H -+# include <netinet/in_systm.h> -+#endif -+#include <netinet/in.h> -+#ifdef HAVE_NETINET_IP_H -+# include <netinet/ip.h> -+#endif -+#ifdef HAVE_SYS_PARAM_H -+# include <sys/param.h> -+#endif -+]) - AC_CHECK_LIB(dl, dlopen, LIBDL=-ldl) - AC_CHECK_LIB(pam, pam_authenticate, LIBPAM=-lpam) - if test "$ac_cv_lib_pam_pam_authenticate" = yes ; then -@@ -617,7 +630,7 @@ AC_HEADER_DIRENT - AC_CHECK_HEADERS([arpa/nameser.h arpa/tftp.h fcntl.h features.h \ - glob.h memory.h netinet/ether.h netinet/in_systm.h \ - netinet/ip.h netinet/ip_icmp.h netinet/ip_var.h \ -- security/pam_appl.h shadow.h \ -+ shadow.h \ - stropts.h sys/tty.h \ - sys/utsname.h sys/ptyvar.h sys/msgbuf.h sys/filio.h \ - sys/ioctl_compat.h sys/cdefs.h sys/stream.h sys/mkdev.h \ diff --git a/meta/recipes-connectivity/inetutils/inetutils_2.4.bb b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb index 6519331141..afb0462c61 100644 --- a/meta/recipes-connectivity/inetutils/inetutils_2.4.bb +++ b/meta/recipes-connectivity/inetutils/inetutils_2.5.bb @@ -1,3 +1,4 @@ +SUMMARY = "The GNU inetutils are a collection of common networking utilities and servers." DESCRIPTION = "The GNU inetutils are a collection of common \ networking utilities and servers including ftp, ftpd, rcp, \ rexec, rlogin, rlogind, rsh, rshd, syslog, syslogd, talk, \ @@ -10,25 +11,19 @@ LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=0c7051aef9219dc7237f206c5c4179a7" -SRC_URI[sha256sum] = "1789d6b1b1a57dfe2a7ab7b533ee9f5dfd9cbf5b59bb1bb3c2612ed08d0f68b2" +SRC_URI[sha256sum] = "87697d60a31e10b5cb86a9f0651e1ec7bee98320d048c0739431aac3d5764fb6" SRC_URI = "${GNU_MIRROR}/inetutils/inetutils-${PV}.tar.xz \ - file://inetutils-1.8-0001-printf-parse-pull-in-features.h-for-__GLIBC__.patch \ - file://inetutils-1.8-0003-wchar.patch \ - file://rexec.xinetd.inetutils \ + file://rexec.xinetd.inetutils \ file://rlogin.xinetd.inetutils \ file://rsh.xinetd.inetutils \ file://telnet.xinetd.inetutils \ file://tftpd.xinetd.inetutils \ - file://inetutils-1.9-PATH_PROCNET_DEV.patch \ - file://inetutils-only-check-pam_appl.h-when-pam-enabled.patch \ -" + " inherit autotools gettext update-alternatives texinfo acpaths = "-I ./m4" -SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', '', 'file://fix-disable-ipv6.patch', d)}" - PACKAGECONFIG ??= "ftp uucpd \ ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6 ping6', '', d)} \ @@ -40,21 +35,33 @@ PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6 gl_cv_socket_ipv6=no," PACKAGECONFIG[ping6] = "--enable-ping6,--disable-ping6," EXTRA_OECONF = "--with-ncurses-include-dir=${STAGING_INCDIR} \ - inetutils_cv_path_login=${base_bindir}/login \ --with-libreadline-prefix=${STAGING_LIBDIR} \ --enable-rpath=no \ -" + --with-path-login=${base_bindir}/login \ + --with-path-cp=${base_bindir}/cp \ + --with-path-uucico=${libexecdir}/uuico \ + --with-path-procnet-dev=/proc/net/dev \ + " + +EXTRA_OECONF:append:libc-musl = " --with-path-utmpx=/dev/null/utmpx --with-path-wtmpx=/dev/null/wtmpx" # These are horrible for security, disable them EXTRA_OECONF:append = " --disable-rsh --disable-rshd --disable-rcp \ --disable-rlogin --disable-rlogind --disable-rexec --disable-rexecd" +# The configure script guesses many paths in cross builds, check for this happening +do_configure_cross_check() { + if grep "may be incorrect because of cross-compilation" ${B}/config.log; then + bberror Default path values used, these must be set explicitly + fi +} +do_configure[postfuncs] += "do_configure_cross_check" + +# The --with-path options are not actually options, so this check needs to be silenced +ERROR_QA:remove = "unknown-configure-option" + do_configure:prepend () { export HELP2MAN='true' - cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${S}/build-aux/config.rpath - install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.guess ${S} - install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.sub ${S} - rm -f ${S}/glob/configure* } do_install:append () { @@ -73,23 +80,23 @@ do_install:append () { mv ${D}${libexecdir}/telnetd ${D}${sbindir}/in.telnetd if [ -e ${D}${libexecdir}/rexecd ]; then mv ${D}${libexecdir}/rexecd ${D}${sbindir}/in.rexecd - cp ${WORKDIR}/rexec.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rexec + cp ${UNPACKDIR}/rexec.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rexec fi if [ -e ${D}${libexecdir}/rlogind ]; then mv ${D}${libexecdir}/rlogind ${D}${sbindir}/in.rlogind - cp ${WORKDIR}/rlogin.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rlogin + cp ${UNPACKDIR}/rlogin.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rlogin fi if [ -e ${D}${libexecdir}/rshd ]; then mv ${D}${libexecdir}/rshd ${D}${sbindir}/in.rshd - cp ${WORKDIR}/rsh.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rsh + cp ${UNPACKDIR}/rsh.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/rsh fi if [ -e ${D}${libexecdir}/talkd ]; then mv ${D}${libexecdir}/talkd ${D}${sbindir}/in.talkd fi mv ${D}${libexecdir}/uucpd ${D}${sbindir}/in.uucpd mv ${D}${libexecdir}/* ${D}${bindir}/ - cp ${WORKDIR}/telnet.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/telnet - cp ${WORKDIR}/tftpd.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/tftpd + cp ${UNPACKDIR}/telnet.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/telnet + cp ${UNPACKDIR}/tftpd.xinetd.inetutils ${D}/${sysconfdir}/xinetd.d/tftpd sed -e 's,@SBINDIR@,${sbindir},g' -i ${D}/${sysconfdir}/xinetd.d/* if [ -e ${D}${libdir}/charset.alias ]; then diff --git a/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch b/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch deleted file mode 100644 index 74e3de1ce9..0000000000 --- a/meta/recipes-connectivity/iproute2/iproute2/0001-libc-compat.h-add-musl-workaround.patch +++ /dev/null @@ -1,39 +0,0 @@ -From c25f8d1f7a6203dfeb10b39f80ffd314bb84a58d Mon Sep 17 00:00:00 2001 -From: Baruch Siach <baruch@tkos.co.il> -Date: Thu, 22 Dec 2016 15:26:30 +0200 -Subject: [PATCH] libc-compat.h: add musl workaround - -The libc-compat.h kernel header uses glibc specific macros (__GLIBC__ and -__USE_MISC) to solve conflicts with libc provided headers. This patch makes -libc-compat.h work for musl libc as well. - -Upstream-Status: Pending - -Taken From: -https://git.buildroot.net/buildroot/tree/package/iproute2/0001-Add-the-musl-workaround-to-the-libc-compat.h-copy.patch - -Signed-off-by: Baruch Siach <baruch@tkos.co.il> -Signed-off-by: Maxin B. John <maxin.john@intel.com> - ---- - include/uapi/linux/libc-compat.h | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/include/uapi/linux/libc-compat.h b/include/uapi/linux/libc-compat.h -index a159991..22198fa 100644 ---- a/include/uapi/linux/libc-compat.h -+++ b/include/uapi/linux/libc-compat.h -@@ -50,10 +50,12 @@ - #define _LIBC_COMPAT_H - - /* We have included glibc headers... */ --#if defined(__GLIBC__) -+#if 1 -+#define __USE_MISC - - /* Coordinate with glibc net/if.h header. */ - #if defined(_NET_IF_H) && defined(__USE_MISC) -+#define __UAPI_DEF_IF_NET_DEVICE_FLAGS_LOWER_UP_DORMANT_ECHO 0 - - /* GLIBC headers included first so don't define anything - * that would already be defined. */ diff --git a/meta/recipes-connectivity/iproute2/iproute2_6.1.0.bb b/meta/recipes-connectivity/iproute2/iproute2_6.8.0.bb index 7272e8f147..24539e3d99 100644 --- a/meta/recipes-connectivity/iproute2/iproute2_6.1.0.bb +++ b/meta/recipes-connectivity/iproute2/iproute2_6.8.0.bb @@ -7,15 +7,13 @@ HOMEPAGE = "http://www.linuxfoundation.org/collaborate/workgroups/networking/ipr SECTION = "base" LICENSE = "GPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a \ - file://ip/ip.c;beginline=3;endline=8;md5=689d691d0410a4b64d3899f8d6e31817" + " DEPENDS = "flex-native bison-native iptables libcap" -SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz \ - file://0001-libc-compat.h-add-musl-workaround.patch \ - " +SRC_URI = "${KERNELORG_MIRROR}/linux/utils/net/${BPN}/${BP}.tar.xz" -SRC_URI[sha256sum] = "5ce12a0fec6b212725ef218735941b2dab76244db7e72646a76021b0537b43ab" +SRC_URI[sha256sum] = "03a6cca3d71a908d1f15f7b495be2b8fe851f941458dc4664900d7f45fcf68ce" inherit update-alternatives bash-completion pkgconfig @@ -28,6 +26,8 @@ PACKAGECONFIG[selinux] = ",,libselinux" IPROUTE2_MAKE_SUBDIRS = "lib tc ip bridge misc genl ${@bb.utils.filter('PACKAGECONFIG', 'devlink tipc rdma', d)}" +# This is needed with GCC-14 and musl +CFLAGS += "-Wno-error=incompatible-pointer-types" # CFLAGS are computed in Makefile and reference CCOPTS # EXTRA_OEMAKE = "\ @@ -36,6 +36,7 @@ EXTRA_OEMAKE = "\ DOCDIR=${docdir}/iproute2 \ SUBDIRS='${IPROUTE2_MAKE_SUBDIRS}' \ SBINDIR='${base_sbindir}' \ + CONF_USR_DIR='${libdir}/iproute2' \ LIBDIR='${libdir}' \ CCOPTS='${CFLAGS}' \ " @@ -52,12 +53,16 @@ do_install () { install -d ${D}${datadir} mv ${D}/share/* ${D}${datadir}/ || true rm ${D}/share -rf || true + + # Remove support fot ipt and xt in tc. So tc library directory is not needed. + rm ${D}${libdir}/tc -rf } # The .so files in iproute2-tc are modules, not traditional libraries INSANE_SKIP:${PN}-tc = "dev-so" IPROUTE2_PACKAGES =+ "\ + ${PN}-bridge \ ${PN}-devlink \ ${PN}-genl \ ${PN}-ifstat \ @@ -81,7 +86,7 @@ FILES:${PN}-lnstat = "${base_sbindir}/lnstat \ ${base_sbindir}/ctstat \ ${base_sbindir}/rtstat" FILES:${PN}-ifstat = "${base_sbindir}/ifstat" -FILES:${PN}-ip = "${base_sbindir}/ip.${PN} ${sysconfdir}/iproute2" +FILES:${PN}-ip = "${base_sbindir}/ip.* ${libdir}/iproute2" FILES:${PN}-genl = "${base_sbindir}/genl" FILES:${PN}-rtacct = "${base_sbindir}/rtacct" FILES:${PN}-nstat = "${base_sbindir}/nstat" @@ -90,6 +95,7 @@ FILES:${PN}-tipc = "${base_sbindir}/tipc" FILES:${PN}-devlink = "${base_sbindir}/devlink" FILES:${PN}-rdma = "${base_sbindir}/rdma" FILES:${PN}-routel = "${base_sbindir}/routel" +FILES:${PN}-bridge = "${base_sbindir}/bridge" RDEPENDS:${PN}-routel = "python3-core" diff --git a/meta/recipes-connectivity/iw/iw_5.19.bb b/meta/recipes-connectivity/iw/iw_6.7.bb index a19ae304d5..b46b54bc93 100644 --- a/meta/recipes-connectivity/iw/iw_5.19.bb +++ b/meta/recipes-connectivity/iw/iw_6.7.bb @@ -14,7 +14,7 @@ SRC_URI = "http://www.kernel.org/pub/software/network/iw/${BP}.tar.gz \ file://separate-objdir.patch \ " -SRC_URI[sha256sum] = "2a44676d28a87bbc232903d5d573e7618e4fae0cea3a1aff067a26fa66652b75" +SRC_URI[sha256sum] = "b3ef3fa85fa1177b11d3e97d6d38cdfe10ee250ca31482b581f3bd0fc79cb015" inherit pkgconfig diff --git a/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch index 451b409c88..5b135b3aee 100644 --- a/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch +++ b/meta/recipes-connectivity/kea/files/fix-multilib-conflict.patch @@ -1,4 +1,4 @@ -From d027b1d85a8c1a0193b6e4a00083d3038d699a59 Mon Sep 17 00:00:00 2001 +From 06ebd1b2ced426c420ed162980eca194f9f918ae Mon Sep 17 00:00:00 2001 From: Kai Kang <kai.kang@windriver.com> Date: Tue, 22 Sep 2020 15:02:33 +0800 Subject: [PATCH] There are conflict of config files between kea and lib32-kea: @@ -35,10 +35,10 @@ index e6ae8b8..50a3092 100644 // "param1": "foo" // } diff --git a/src/bin/keactrl/kea-dhcp4.conf.pre b/src/bin/keactrl/kea-dhcp4.conf.pre -index 26bf163..49ddb0a 100644 +index 6edb8a1..b2a7385 100644 --- a/src/bin/keactrl/kea-dhcp4.conf.pre +++ b/src/bin/keactrl/kea-dhcp4.conf.pre -@@ -252,7 +252,7 @@ +@@ -255,7 +255,7 @@ // // of all devices serviced by Kea, including their identifiers // // (like MAC address), their location in the network, times // // when they were active etc. @@ -47,7 +47,7 @@ index 26bf163..49ddb0a 100644 // "parameters": { // "path": "/var/lib/kea", // "base-name": "kea-forensic4" -@@ -269,7 +269,7 @@ +@@ -272,7 +272,7 @@ // // of specific options or perhaps even a combination of several // // options and fields to uniquely identify a client. Those scenarios // // are addressed by the Flexible Identifiers hook application. diff --git a/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch b/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch index b7c2fd4f0d..63a6a2805b 100644 --- a/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch +++ b/meta/recipes-connectivity/kea/files/fix_pid_keactrl.patch @@ -1,4 +1,4 @@ -From 18f4f6206c248d6169aa67b3ecf16bf54e9292e8 Mon Sep 17 00:00:00 2001 +From c878a356712606549f7f188b62f7d1cae08a176e Mon Sep 17 00:00:00 2001 From: Armin kuster <akuster808@gmail.com> Date: Wed, 14 Oct 2020 22:48:31 -0700 Subject: [PATCH] Busybox does not support ps -p so use pgrep @@ -13,10 +13,10 @@ Signed-off-by: Armin kuster <akuster808@gmail.com> 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/bin/keactrl/keactrl.in b/src/bin/keactrl/keactrl.in -index ae5bd8e..e9f9b73 100644 +index 450e997..c353ca9 100644 --- a/src/bin/keactrl/keactrl.in +++ b/src/bin/keactrl/keactrl.in -@@ -151,8 +151,8 @@ check_running() { +@@ -149,8 +149,8 @@ check_running() { # Get the PID from the PID file (if it exists) get_pid_from_file "${proc_name}" if [ ${_pid} -gt 0 ]; then diff --git a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service index 91aa2eb14f..f6059d73cb 100644 --- a/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service +++ b/meta/recipes-connectivity/kea/files/kea-dhcp-ddns.service @@ -6,7 +6,6 @@ After=time-sync.target [Service] ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/run/kea/ -ExecStartPre=@BASE_BINDIR@/mkdir -p @LOCALSTATEDIR@/kea ExecStart=@SBINDIR@/kea-dhcp-ddns -c @SYSCONFDIR@/kea/kea-dhcp-ddns.conf [Install] diff --git a/meta/recipes-connectivity/kea/kea_2.2.0.bb b/meta/recipes-connectivity/kea/kea_2.4.1.bb index 2c2e5a74dd..19309ce314 100644 --- a/meta/recipes-connectivity/kea/kea_2.2.0.bb +++ b/meta/recipes-connectivity/kea/kea_2.4.1.bb @@ -3,7 +3,7 @@ DESCRIPTION = "Kea is the next generation of DHCP software developed by ISC. It HOMEPAGE = "http://kea.isc.org" SECTION = "connectivity" LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://COPYING;md5=97ce14bdd2733f5b84ab5e29380d057d" +LIC_FILES_CHKSUM = "file://COPYING;md5=ea061fa0188838072c4248c1318ec131" DEPENDS = "boost log4cplus openssl" @@ -18,7 +18,7 @@ SRC_URI = "http://ftp.isc.org/isc/kea/${PV}/${BP}.tar.gz \ file://fix_pid_keactrl.patch \ file://0001-src-lib-log-logger_unittest_support.cc-do-not-write-.patch \ " -SRC_URI[sha256sum] = "da7d90ca62a772602dac6e77e507319038422895ad68eeb142f1487d67d531d2" +SRC_URI[sha256sum] = "815c61f5c271caa4a1db31dd656eb50a7f6ea973da3690f7c8581408e180131a" inherit autotools systemd update-rc.d upstream-version-is-even @@ -38,6 +38,7 @@ DEBUG_OPTIMIZATION:append:mipsel = " -O" BUILD_OPTIMIZATION:remove:mipsel = " -Og" BUILD_OPTIMIZATION:append:mipsel = " -O" +CXXFLAGS:remove = "-fvisibility-inlines-hidden" EXTRA_OECONF = "--with-boost-libs=-lboost_system \ --with-log4cplus=${STAGING_DIR_TARGET}${prefix} \ --with-openssl=${STAGING_DIR_TARGET}${prefix}" @@ -46,7 +47,7 @@ do_configure:prepend() { # replace abs_top_builddir to avoid introducing the build path # don't expand the abs_top_builddir on the target as the abs_top_builddir is meanlingless on the target find ${S} -type f -name *.sh.in | xargs sed -i "s:@abs_top_builddir@:@abs_top_builddir_placeholder@:g" - sed -i "s:@abs_top_srcdir@:@abs_top_srcdir_placeholder@:g" ${S}/src/bin/admin/kea-admin.in + sed -i "s:@abs_top_builddir@:@abs_top_builddir_placeholder@:g" ${S}/src/bin/admin/kea-admin.in } # patch out build host paths for reproducibility @@ -58,8 +59,8 @@ do_install:append() { install -d ${D}${sysconfdir}/init.d install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/kea-dhcp*service ${D}${systemd_system_unitdir} - install -m 0755 ${WORKDIR}/kea-*-server ${D}${sysconfdir}/init.d + install -m 0644 ${UNPACKDIR}/kea-dhcp*service ${D}${systemd_system_unitdir} + install -m 0755 ${UNPACKDIR}/kea-*-server ${D}${sysconfdir}/init.d sed -i -e 's,@SBINDIR@,${sbindir},g' -e 's,@BASE_BINDIR@,${base_bindir},g' \ -e 's,@LOCALSTATEDIR@,${localstatedir},g' -e 's,@SYSCONFDIR@,${sysconfdir},g' \ ${D}${systemd_system_unitdir}/kea-dhcp*service ${D}${sbindir}/keactrl diff --git a/meta/recipes-connectivity/libpcap/libpcap_1.10.3.bb b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb index eb0a650130..166654e280 100644 --- a/meta/recipes-connectivity/libpcap/libpcap_1.10.3.bb +++ b/meta/recipes-connectivity/libpcap/libpcap_1.10.4.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5eb289217c160e2920d2e35bddc36453 \ DEPENDS = "flex-native bison-native" SRC_URI = "https://www.tcpdump.org/release/${BP}.tar.gz" -SRC_URI[sha256sum] = "2a8885c403516cf7b0933ed4b14d6caa30e02052489ebd414dc75ac52e7559e6" +SRC_URI[sha256sum] = "ed19a0383fad72e3ad435fd239d7cd80d64916b87269550159d20e47160ebe5f" inherit autotools binconfig-disabled pkgconfig @@ -40,4 +40,4 @@ do_configure:prepend () { sed 's|\([ "^'\''I]\+\)/usr/include/|\1${STAGING_INCDIR}/|g' -i ${S}/configure.ac } -BBCLASSEXTEND = "native" +BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-connectivity/libuv/libuv_1.44.2.bb b/meta/recipes-connectivity/libuv/libuv_1.48.0.bb index 27e79276b5..87a2c22a7c 100644 --- a/meta/recipes-connectivity/libuv/libuv_1.44.2.bb +++ b/meta/recipes-connectivity/libuv/libuv_1.48.0.bb @@ -3,9 +3,10 @@ HOMEPAGE = "https://github.com/libuv/libuv" DESCRIPTION = "libuv is a multi-platform support library with a focus on asynchronous I/O. It was primarily developed for use by Node.js, but it's also used by Luvit, Julia, pyuv, and others." BUGTRACKER = "https://github.com/libuv/libuv/issues" LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://LICENSE;md5=ad93ca1fffe931537fcf64f6fcce084d" +LIC_FILES_CHKSUM = "file://LICENSE;md5=74b6f2f7818a4e3a80d03556f71b129b \ + file://LICENSE-extra;md5=f9307417749e19bd1d6d68a394b49324" -SRCREV = "0c1fa696aa502eb749c2c4735005f41ba00a27b8" +SRCREV = "e9f29cb984231524e3931aa0ae2c5dae1a32884e" SRC_URI = "git://github.com/libuv/libuv.git;branch=v1.x;protocol=https" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" diff --git a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb index e802bcee18..a4030b7b32 100644 --- a/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb +++ b/meta/recipes-connectivity/mobile-broadband-provider-info/mobile-broadband-provider-info_git.bb @@ -5,8 +5,8 @@ SECTION = "network" LICENSE = "PD" LIC_FILES_CHKSUM = "file://COPYING;md5=87964579b2a8ece4bc6744d2dc9a8b04" -SRCREV = "22a5de3ef637990ce03141f786fbdb327e9c5a3f" -PV = "20221107" +SRCREV = "aae7c68671d225e6d35224613d5b98192b9b2ffe" +PV = "20230416" PE = "1" SRC_URI = "git://gitlab.gnome.org/GNOME/mobile-broadband-provider-info.git;protocol=https;branch=main" diff --git a/meta/recipes-connectivity/neard/neard_0.18.bb b/meta/recipes-connectivity/neard/neard_0.19.bb index 23e999acc4..94df1ac3d6 100644 --- a/meta/recipes-connectivity/neard/neard_0.18.bb +++ b/meta/recipes-connectivity/neard/neard_0.19.bb @@ -6,16 +6,16 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \ file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \ " -DEPENDS = "dbus glib-2.0 libnl" +DEPENDS = "dbus glib-2.0 libnl autoconf-archive-native" -SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=git;branch=master \ +SRC_URI = "git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=https;branch=master \ file://neard.in \ file://Makefile.am-fix-parallel-issue.patch \ file://Makefile.am-do-not-ship-version.h.patch \ file://0001-Add-header-dependency-to-nciattach.o.patch \ " -SRCREV = "c781008d3786e03173f0a0f5dfcc0545c787d7fc" +SRCREV = "a1dc8a75cba999728e154a0f811ab9dd50c809f7" S = "${WORKDIR}/git" @@ -31,7 +31,7 @@ EXTRA_OECONF += "--enable-tools" do_install:append() { if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/init.d/ - sed "s:@installpath@:${libexecdir}/nfc:" ${WORKDIR}/neard.in \ + sed "s:@installpath@:${libexecdir}/nfc:" ${UNPACKDIR}/neard.in \ > ${D}${sysconfdir}/init.d/neard chmod 0755 ${D}${sysconfdir}/init.d/neard fi diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Replace-statfs64-with-statfs.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Replace-statfs64-with-statfs.patch deleted file mode 100644 index 40ceff9ae9..0000000000 --- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-Replace-statfs64-with-statfs.patch +++ /dev/null @@ -1,171 +0,0 @@ -From e89652b853ca7de671093ae44305fa3435e13d3d Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Thu, 15 Dec 2022 13:29:43 -0800 -Subject: [PATCH] Replace statfs64 with statfs - -autoconf AC_SYS_LARGEFILE is used by configure to add needed defines -when needed for enabling 64bit off_t, therefore replacing statfs64 with -statfs should be functionally same. Additionally this helps compiling -with latest musl where 64bit LFS functions like statfs64 and friends are -now moved under _LARGEFILE64_SOURCE feature test macro, this works on -glibc systems because _GNU_SOURCE macros also enables -_LARGEFILE64_SOURCE indirectly. This is not case with musl and this -latest issue is exposed. - -Upstream-Status: Submitted [https://lore.kernel.org/linux-nfs/20221215213605.4061853-1-raj.khem@gmail.com/T/#u] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - support/export/cache.c | 14 +++++++------- - support/include/nfsd_path.h | 6 +++--- - support/misc/nfsd_path.c | 24 ++++++++++++------------ - utils/exportfs/exportfs.c | 4 ++-- - 4 files changed, 24 insertions(+), 24 deletions(-) - -diff --git a/support/export/cache.c b/support/export/cache.c -index a5823e9..2497d4f 100644 ---- a/support/export/cache.c -+++ b/support/export/cache.c -@@ -346,27 +346,27 @@ static int uuid_by_path(char *path, int type, size_t uuidlen, char *uuid) - - /* Possible sources of uuid are - * - blkid uuid -- * - statfs64 uuid -+ * - statfs uuid - * -- * On some filesystems (e.g. vfat) the statfs64 uuid is simply an -+ * On some filesystems (e.g. vfat) the statfs uuid is simply an - * encoding of the device that the filesystem is mounted from, so - * it we be very bad to use that (as device numbers change). blkid - * must be preferred. -- * On other filesystems (e.g. btrfs) the statfs64 uuid contains -+ * On other filesystems (e.g. btrfs) the statfs uuid contains - * important info that the blkid uuid cannot contain: This happens - * when multiple subvolumes are exported (they have the same -- * blkid uuid but different statfs64 uuids). -+ * blkid uuid but different statfs uuids). - * We rely on get_uuid_blkdev *knowing* which is which and not returning -- * a uuid for filesystems where the statfs64 uuid is better. -+ * a uuid for filesystems where the statfs uuid is better. - * - */ -- struct statfs64 st; -+ struct statfs st; - char fsid_val[17]; - const char *blkid_val = NULL; - const char *val; - int rc; - -- rc = nfsd_path_statfs64(path, &st); -+ rc = nfsd_path_statfs(path, &st); - - if (type == 0 && rc == 0) { - const unsigned long *bad; -diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h -index 3b73aad..aa1e1dd 100644 ---- a/support/include/nfsd_path.h -+++ b/support/include/nfsd_path.h -@@ -7,7 +7,7 @@ - #include <sys/stat.h> - - struct file_handle; --struct statfs64; -+struct statfs; - - void nfsd_path_init(void); - -@@ -18,8 +18,8 @@ char * nfsd_path_prepend_dir(const char *dir, const char *pathname); - int nfsd_path_stat(const char *pathname, struct stat *statbuf); - int nfsd_path_lstat(const char *pathname, struct stat *statbuf); - --int nfsd_path_statfs64(const char *pathname, -- struct statfs64 *statbuf); -+int nfsd_path_statfs(const char *pathname, -+ struct statfs *statbuf); - - char * nfsd_realpath(const char *path, char *resolved_path); - -diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c -index 65e53c1..c3dea4f 100644 ---- a/support/misc/nfsd_path.c -+++ b/support/misc/nfsd_path.c -@@ -184,46 +184,46 @@ nfsd_path_lstat(const char *pathname, struct stat *statbuf) - return nfsd_run_stat(nfsd_wq, nfsd_lstatfunc, pathname, statbuf); - } - --struct nfsd_statfs64_data { -+struct nfsd_statfs_data { - const char *pathname; -- struct statfs64 *statbuf; -+ struct statfs *statbuf; - int ret; - int err; - }; - - static void --nfsd_statfs64func(void *data) -+nfsd_statfsfunc(void *data) - { -- struct nfsd_statfs64_data *d = data; -+ struct nfsd_statfs_data *d = data; - -- d->ret = statfs64(d->pathname, d->statbuf); -+ d->ret = statfs(d->pathname, d->statbuf); - if (d->ret < 0) - d->err = errno; - } - - static int --nfsd_run_statfs64(struct xthread_workqueue *wq, -+nfsd_run_statfs(struct xthread_workqueue *wq, - const char *pathname, -- struct statfs64 *statbuf) -+ struct statfs *statbuf) - { -- struct nfsd_statfs64_data data = { -+ struct nfsd_statfs_data data = { - pathname, - statbuf, - 0, - 0 - }; -- xthread_work_run_sync(wq, nfsd_statfs64func, &data); -+ xthread_work_run_sync(wq, nfsd_statfsfunc, &data); - if (data.ret < 0) - errno = data.err; - return data.ret; - } - - int --nfsd_path_statfs64(const char *pathname, struct statfs64 *statbuf) -+nfsd_path_statfs(const char *pathname, struct statfs *statbuf) - { - if (!nfsd_wq) -- return statfs64(pathname, statbuf); -- return nfsd_run_statfs64(nfsd_wq, pathname, statbuf); -+ return statfs(pathname, statbuf); -+ return nfsd_run_statfs(nfsd_wq, pathname, statbuf); - } - - struct nfsd_realpath_data { -diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c -index 0897b22..6d79a5b 100644 ---- a/utils/exportfs/exportfs.c -+++ b/utils/exportfs/exportfs.c -@@ -513,7 +513,7 @@ validate_export(nfs_export *exp) - */ - struct stat stb; - char *path = exportent_realpath(&exp->m_export); -- struct statfs64 stf; -+ struct statfs stf; - int fs_has_fsid = 0; - - if (stat(path, &stb) < 0) { -@@ -528,7 +528,7 @@ validate_export(nfs_export *exp) - if (!can_test()) - return; - -- if (!statfs64(path, &stf) && -+ if (!statfs(path, &stf) && - (stf.f_fsid.__val[0] || stf.f_fsid.__val[1])) - fs_has_fsid = 1; - diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch new file mode 100644 index 0000000000..351407ddcd --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-locktest-Makefile.am-Do-not-use-build-flags.patch @@ -0,0 +1,36 @@ +From 9efa7a0d37665d9bb0f46d2407883a5ab42c2b84 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 24 Jul 2023 20:39:16 -0700 +Subject: [PATCH] locktest: Makefile.am: Do not use build flags + +Using CFLAGS_FOR_BUILD etc. here means it is using wrong flags +when thse flags are speficied different than target flags which +is common when cross-building. It can pass wrong paths to linker +and it would find incompatible libraries during link since they +are from host system and target maybe not same as build host. + +Fixes subtle errors like +| aarch64-yoe-linux-ld.lld: error: /mnt/b/yoe/master/build/tmp/work/cortexa72-cortexa53-crypto-yoe-linux/nfs-utils/2.6.3-r0/recipe-sysroot-native/usr/lib/libsqlite3.so is incompatible with elf64-littleaarch64 + +Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=169025681008001&w=2] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + tools/locktest/Makefile.am | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/tools/locktest/Makefile.am b/tools/locktest/Makefile.am +index e8914655..2fd36971 100644 +--- a/tools/locktest/Makefile.am ++++ b/tools/locktest/Makefile.am +@@ -2,8 +2,5 @@ + + noinst_PROGRAMS = testlk + testlk_SOURCES = testlk.c +-testlk_CFLAGS=$(CFLAGS_FOR_BUILD) +-testlk_CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +-testlk_LDFLAGS=$(LDFLAGS_FOR_BUILD) + + MAINTAINERCLEANFILES = Makefile.in +-- +2.41.0 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch new file mode 100644 index 0000000000..57d4660571 --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch @@ -0,0 +1,34 @@ +From 45597a58e98f351b18db8444292b1cf6dd0cd810 Mon Sep 17 00:00:00 2001 +From: Robert Yang <liezhi.yang@windriver.com> +Date: Sat, 9 Dec 2023 23:34:08 -0800 +Subject: [PATCH] reexport.h: Include unistd.h to compile with musl + +Fixed error when compile with musl +reexport.c: In function 'reexpdb_init': +reexport.c:62:17: error: implicit declaration of function 'sleep' [-Werror=implicit-function-declaration] + 62 | sleep(1); + + +Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=170254661824522&w=2] + +Signed-off-by: Robert Yang <liezhi.yang@windriver.com> +--- + support/reexport/reexport.h | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/support/reexport/reexport.h b/support/reexport/reexport.h +index 85fd59c..02f8684 100644 +--- a/support/reexport/reexport.h ++++ b/support/reexport/reexport.h +@@ -1,6 +1,8 @@ + #ifndef REEXPORT_H + #define REEXPORT_H + ++#include <unistd.h> ++ + #include "nfslib.h" + + enum { +-- +2.42.0 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch new file mode 100644 index 0000000000..7d903e04bc --- /dev/null +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/0001-tools-locktest-Use-intmax_t-to-print-off_t.patch @@ -0,0 +1,53 @@ +From e2e9251dbeb452f5382179023d8ae18b511167a1 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Tue, 25 Jul 2023 23:47:08 -0700 +Subject: [PATCH] tools/locktest: Use intmax_t to print off_t + +off_t could be 64bit on 32bit architectures which means using %z printf +modifier is not enough to print it and compiler will complain about +format mismatch + +Fixes +| testlk.c:84:66: error: format '%zd' expects argument of type 'signed size_t', but argument 4 has type '__off64_t' {aka 'long long int'} [-Werror=format=] +| 84 | printf("%s: conflicting lock by %d on (%zd;%zd)\n", +| | ~~^ +| | | +| | int +| | %lld +| 85 | fname, fl.l_pid, fl.l_start, fl.l_len); +| | ~~~~~~~~~~ +| | | +| | __off64_t {aka long long int} + +Upstream-Status: Submitted [https://marc.info/?l=linux-nfs&m=169035457128067&w=2] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + tools/locktest/testlk.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tools/locktest/testlk.c b/tools/locktest/testlk.c +index ea51f788..9d4c88c4 100644 +--- a/tools/locktest/testlk.c ++++ b/tools/locktest/testlk.c +@@ -2,6 +2,7 @@ + #include <config.h> + #endif + ++#include <stdint.h> + #include <stdlib.h> + #include <stdio.h> + #include <unistd.h> +@@ -81,8 +82,8 @@ main(int argc, char **argv) + if (fl.l_type == F_UNLCK) { + printf("%s: no conflicting lock\n", fname); + } else { +- printf("%s: conflicting lock by %d on (%zd;%zd)\n", +- fname, fl.l_pid, fl.l_start, fl.l_len); ++ printf("%s: conflicting lock by %d on (%jd;%jd)\n", ++ fname, fl.l_pid, (intmax_t)fl.l_start, (intmax_t)fl.l_len); + } + return 0; + } +-- +2.41.0 + diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-mountd-Check-for-return-of-stat-function.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-mountd-Check-for-return-of-stat-function.patch deleted file mode 100644 index 13a21e5307..0000000000 --- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0005-mountd-Check-for-return-of-stat-function.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 887ecc7837962e9be77a4fea7d9122648f73a84a Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Mon, 15 Aug 2022 14:47:53 -0700 -Subject: [PATCH] mountd: Check for return of stat function - -simplify the check, stat() return 0 on success -1 on failure - -Fixes clang reported errors e.g. - -| v4clients.c:29:6: error: logical not is only applied to the left hand side of this comparison [-Werror,-Wlogical-not-parentheses] -| if (!stat("/proc/fs/nfsd/clients", &sb) == 0 || -| ^ ~~ - -Upstream-Status: Submitted [https://patchwork.kernel.org/project/linux-nfs/patch/20220816024403.2694169-1-raj.khem@gmail.com/] -Signed-off-by: Khem Raj <raj.khem@gmail.com> -Cc: Konstantin Khorenko <khorenko@virtuozzo.com> -Cc: Steve Dickson <steved@redhat.com> ---- - support/export/v4clients.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/support/export/v4clients.c b/support/export/v4clients.c -index 5f15b61..3230251 100644 ---- a/support/export/v4clients.c -+++ b/support/export/v4clients.c -@@ -26,7 +26,7 @@ void v4clients_init(void) - { - struct stat sb; - -- if (!stat("/proc/fs/nfsd/clients", &sb) == 0 || -+ if (stat("/proc/fs/nfsd/clients", &sb) != 0 || - !S_ISDIR(sb.st_mode)) - return; - if (clients_fd >= 0) diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/0006-Fix-function-prototypes.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/0006-Fix-function-prototypes.patch deleted file mode 100644 index 793bc4651c..0000000000 --- a/meta/recipes-connectivity/nfs-utils/nfs-utils/0006-Fix-function-prototypes.patch +++ /dev/null @@ -1,93 +0,0 @@ -From cf0ffbb5c8fa167376926d12a63613f15aa7602f Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Mon, 15 Aug 2022 14:50:15 -0700 -Subject: [PATCH] Fix function prototypes - -Clang is now erroring out on functions with out parameter types - -Fixes errors like -error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] - -Upstream-Status: Submitted [https://patchwork.kernel.org/project/linux-nfs/patch/20220816024403.2694169-2-raj.khem@gmail.com/] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - support/export/auth.c | 2 +- - support/export/v4root.c | 2 +- - support/export/xtab.c | 2 +- - utils/exportfs/exportfs.c | 4 ++-- - utils/mount/network.c | 2 +- - 5 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/support/export/auth.c b/support/export/auth.c -index 03ce4b8..2d7960f 100644 ---- a/support/export/auth.c -+++ b/support/export/auth.c -@@ -82,7 +82,7 @@ check_useipaddr(void) - } - - unsigned int --auth_reload() -+auth_reload(void) - { - struct stat stb; - static ino_t last_inode; -diff --git a/support/export/v4root.c b/support/export/v4root.c -index c12a7d8..fbb0ad5 100644 ---- a/support/export/v4root.c -+++ b/support/export/v4root.c -@@ -198,7 +198,7 @@ static int v4root_add_parents(nfs_export *exp) - * looking for components of the v4 mount. - */ - void --v4root_set() -+v4root_set(void) - { - nfs_export *exp; - int i; -diff --git a/support/export/xtab.c b/support/export/xtab.c -index c888a80..e210ca9 100644 ---- a/support/export/xtab.c -+++ b/support/export/xtab.c -@@ -135,7 +135,7 @@ xtab_write(char *xtab, char *xtabtmp, char *lockfn, int is_export) - } - - int --xtab_export_write() -+xtab_export_write(void) - { - return xtab_write(etab.statefn, etab.tmpfn, etab.lockfn, 1); - } -diff --git a/utils/exportfs/exportfs.c b/utils/exportfs/exportfs.c -index 6ba615d..0897b22 100644 ---- a/utils/exportfs/exportfs.c -+++ b/utils/exportfs/exportfs.c -@@ -69,14 +69,14 @@ static int _lockfd = -1; - * need these additional lockfile() routines. - */ - static void --grab_lockfile() -+grab_lockfile(void) - { - _lockfd = open(lockfile, O_CREAT|O_RDWR, 0666); - if (_lockfd != -1) - lockf(_lockfd, F_LOCK, 0); - } - static void --release_lockfile() -+release_lockfile(void) - { - if (_lockfd != -1) { - lockf(_lockfd, F_ULOCK, 0); -diff --git a/utils/mount/network.c b/utils/mount/network.c -index ed2f825..01ead49 100644 ---- a/utils/mount/network.c -+++ b/utils/mount/network.c -@@ -179,7 +179,7 @@ static const unsigned long probe_mnt3_only[] = { - - static const unsigned int *nfs_default_proto(void); - #ifdef MOUNT_CONFIG --static const unsigned int *nfs_default_proto() -+static const unsigned int *nfs_default_proto(void) - { - extern unsigned long config_default_proto; - /* diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service index c01415de84..ebfe64b9ce 100644 --- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-mountd.service @@ -12,6 +12,7 @@ ConditionPathExists=@SYSCONFDIR@/exports EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf ExecStart=@SBINDIR@/rpc.mountd -F $MOUNTD_OPTS LimitNOFILE=@HIGH_RLIMIT_NOFILE@ +StateDirectory=nfs [Install] WantedBy=multi-user.target diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service index 5c845b7e82..15ceee04d0 100644 --- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-server.service @@ -18,6 +18,7 @@ ExecStopPost=@SBINDIR@/exportfs -au ExecStopPost=@SBINDIR@/exportfs -f ExecReload=@SBINDIR@/exportfs -r RemainAfterExit=yes +StateDirectory=nfs [Install] WantedBy=multi-user.target diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service index 4fa64e1998..b519194121 100644 --- a/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/nfs-statd.service @@ -4,11 +4,13 @@ DefaultDependencies=no Conflicts=umount.target Requires=nss-lookup.target rpcbind.service After=network.target nss-lookup.target rpcbind.service +ConditionPathExists=@SYSCONFDIR@/exports [Service] EnvironmentFile=-@SYSCONFDIR@/nfs-utils.conf ExecStart=@SBINDIR@/rpc.statd -F $STATD_OPTS LimitNOFILE=@HIGH_RLIMIT_NOFILE@ +StateDirectory=nfs [Install] WantedBy=multi-user.target diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.2.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb index 21df1803c5..af7a74a5fb 100644 --- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.2.bb +++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb @@ -30,11 +30,11 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x file://bugfix-adjust-statd-service-name.patch \ file://0001-Makefile.am-fix-undefined-function-for-libnsm.a.patch \ file://clang-warnings.patch \ - file://0005-mountd-Check-for-return-of-stat-function.patch \ - file://0006-Fix-function-prototypes.patch \ - file://0001-Replace-statfs64-with-statfs.patch \ + file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \ + file://0001-tools-locktest-Use-intmax_t-to-print-off_t.patch \ + file://0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch \ " -SRC_URI[sha256sum] = "5200873e81c4d610e2462fc262fe18135f2dbe78b7979f95accd159ae64d5011" +SRC_URI[sha256sum] = "01b3b0fb9c7d0bbabf5114c736542030748c788ec2fd9734744201e9b0a1119d" # Only kernel-module-nfsd is required here (but can be built-in) - the nfsd module will # pull in the remainder of the dependencies. @@ -62,6 +62,8 @@ EXTRA_OECONF = "--with-statduser=rpcuser \ --with-rpcgen=${HOSTTOOLS_DIR}/rpcgen \ " +LDFLAGS:append = " -lsqlite3 -levent" + PACKAGECONFIG ??= "tcp-wrappers \ ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ " @@ -82,6 +84,7 @@ CONFFILES:${PN}-client += "${localstatedir}/lib/nfs/etab \ ${sysconfdir}/nfsmount.conf" FILES:${PN}-client = "${sbindir}/*statd \ + ${libdir}/libnfsidmap.so.* \ ${sbindir}/rpc.idmapd ${sbindir}/sm-notify \ ${sbindir}/showmount ${sbindir}/nfsstat \ ${localstatedir}/lib/nfs \ @@ -119,22 +122,22 @@ HIGH_RLIMIT_NOFILE ??= "4096" do_install:append () { install -d ${D}${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/nfsserver ${D}${sysconfdir}/init.d/nfsserver - install -m 0755 ${WORKDIR}/nfscommon ${D}${sysconfdir}/init.d/nfscommon + install -m 0755 ${UNPACKDIR}/nfsserver ${D}${sysconfdir}/init.d/nfsserver + install -m 0755 ${UNPACKDIR}/nfscommon ${D}${sysconfdir}/init.d/nfscommon - install -m 0755 ${WORKDIR}/nfs-utils.conf ${D}${sysconfdir} + install -m 0755 ${UNPACKDIR}/nfs-utils.conf ${D}${sysconfdir} install -m 0755 ${S}/utils/mount/nfsmount.conf ${D}${sysconfdir} install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/nfs-server.service ${D}${systemd_system_unitdir}/ - install -m 0644 ${WORKDIR}/nfs-mountd.service ${D}${systemd_system_unitdir}/ - install -m 0644 ${WORKDIR}/nfs-statd.service ${D}${systemd_system_unitdir}/ + install -m 0644 ${UNPACKDIR}/nfs-server.service ${D}${systemd_system_unitdir}/ + install -m 0644 ${UNPACKDIR}/nfs-mountd.service ${D}${systemd_system_unitdir}/ + install -m 0644 ${UNPACKDIR}/nfs-statd.service ${D}${systemd_system_unitdir}/ sed -i -e 's,@SBINDIR@,${sbindir},g' \ -e 's,@SYSCONFDIR@,${sysconfdir},g' \ -e 's,@HIGH_RLIMIT_NOFILE@,${HIGH_RLIMIT_NOFILE},g' \ ${D}${systemd_system_unitdir}/*.service if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - install -m 0644 ${WORKDIR}/proc-fs-nfsd.mount ${D}${systemd_system_unitdir}/ + install -m 0644 ${UNPACKDIR}/proc-fs-nfsd.mount ${D}${systemd_system_unitdir}/ install -d ${D}${systemd_system_unitdir}/sysinit.target.wants/ ln -sf ../proc-fs-nfsd.mount ${D}${systemd_system_unitdir}/sysinit.target.wants/proc-fs-nfsd.mount fi diff --git a/meta/recipes-connectivity/ofono/ofono_2.0.bb b/meta/recipes-connectivity/ofono/ofono_2.4.bb index afd43d26f3..5e1e5f3b6a 100644 --- a/meta/recipes-connectivity/ofono/ofono_2.0.bb +++ b/meta/recipes-connectivity/ofono/ofono_2.4.bb @@ -13,7 +13,7 @@ SRC_URI = "\ file://0001-mbim-add-an-optional-TEMP_FAILURE_RETRY-macro-copy.patch \ file://0002-mbim-Fix-build-with-ell-0.39-by-restoring-unlikely-m.patch \ " -SRC_URI[sha256sum] = "b0a31bf4d8ff3030c4aef9f8413df999c54df9db2ff0a1d3ec1710e0a9d1a49e" +SRC_URI[sha256sum] = "93580adc1afd1890dc516efb069de0c5cdfef014415256ddfb28ab172df2d11d" inherit autotools pkgconfig update-rc.d systemd gobject-introspection-data @@ -37,7 +37,7 @@ do_configure:prepend() { do_install:append() { install -d ${D}${sysconfdir}/init.d/ - install -m 0755 ${WORKDIR}/ofono ${D}${sysconfdir}/init.d/ofono + install -m 0755 ${UNPACKDIR}/ofono ${D}${sysconfdir}/init.d/ofono } PACKAGES =+ "${PN}-tests" diff --git a/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch new file mode 100644 index 0000000000..8763f30f4b --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-regress-banner.sh-log-input-and-output-files-on-erro.patch @@ -0,0 +1,61 @@ +From f5a4dacc987ca548fc86577c2dba121c86da3c34 Mon Sep 17 00:00:00 2001 +From: Mikko Rapeli <mikko.rapeli@linaro.org> +Date: Mon, 11 Sep 2023 09:55:21 +0100 +Subject: [PATCH] regress/banner.sh: log input and output files on error + +Some test environments like yocto with qemu are seeing these +tests failing. There may be additional error messages in the +stderr of ssh cloent command. busybox cmp shows this error when +first input file has less new line characters then second +input file: + +cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in + +Logging the full banner.out will show what other error messages +are captured in addition of the expected banner. + +Full log of a failing banner test runs is: + +run test banner.sh ... +test banner: missing banner file +test banner: size 0 +cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in +banner size 0 mismatch +test banner: size 10 +test banner: size 100 +cmp: EOF on /usr/lib/openssh/ptest/regress/banner.in +banner size 100 mismatch +test banner: size 1000 +test banner: size 10000 +test banner: size 100000 +test banner: suppress banner (-q) +FAIL: banner +return value: 1 + +See: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15178 + +Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/437] + +Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> +--- + regress/banner.sh | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/regress/banner.sh b/regress/banner.sh +index a84feb5a..de84957a 100644 +--- a/regress/banner.sh ++++ b/regress/banner.sh +@@ -32,7 +32,9 @@ for s in 0 10 100 1000 10000 100000 ; do + verbose "test $tid: size $s" + ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ + cmp $OBJ/banner.in $OBJ/banner.out ) || \ +- fail "banner size $s mismatch" ++ ( verbose "Contents of $OBJ/banner.in:"; cat $OBJ/banner.in; \ ++ verbose "Contents of $OBJ/banner.out:"; cat $OBJ/banner.out; \ ++ fail "banner size $s mismatch" ) + done + + trace "test suppress banner (-q)" +-- +2.34.1 + diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch new file mode 100644 index 0000000000..f079d936a4 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch @@ -0,0 +1,96 @@ +From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001 +From: Matt Jolly <Matt.Jolly@footclan.ninja> +Date: Thu, 2 Feb 2023 21:05:40 +1100 +Subject: [PATCH] systemd: Add optional support for systemd `sd_notify` + +This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org> +patch based on Jakub Jelen's <jjelen@redhat.com> original patch + +Upstream-Status: Submitted [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56] + +Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> +--- + configure.ac | 24 ++++++++++++++++++++++++ + sshd.c | 13 +++++++++++++ + 2 files changed, 37 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 82e8bb7..d1145d3 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS]) + AC_SUBST([K5LIBS]) + AC_SUBST([CHANNELLIBS]) + ++# Check whether user wants systemd support ++SYSTEMD_MSG="no" ++AC_ARG_WITH(systemd, ++ [ --with-systemd Enable systemd support], ++ [ if test "x$withval" != "xno" ; then ++ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no]) ++ if test "$PKGCONFIG" != "no"; then ++ AC_MSG_CHECKING([for libsystemd]) ++ if $PKGCONFIG --exists libsystemd; then ++ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd` ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` ++ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS" ++ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS" ++ AC_MSG_RESULT([yes]) ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.]) ++ SYSTEMD_MSG="yes" ++ else ++ AC_MSG_RESULT([no]) ++ fi ++ fi ++ fi ] ++) ++ + # Looking for programs, paths and files + + PRIVSEP_PATH=/var/empty +@@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG" + echo " Solaris process contract support: $SPC_MSG" + echo " Solaris project support: $SP_MSG" + echo " Solaris privilege support: $SPP_MSG" ++echo " systemd support: $SYSTEMD_MSG" + echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" + echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" + echo " BSD Auth support: $BSD_AUTH_MSG" +diff --git a/sshd.c b/sshd.c +index b4f2b97..6820a41 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -88,6 +88,10 @@ + #include <prot.h> + #endif + ++#ifdef HAVE_SYSTEMD ++#include <systemd/sd-daemon.h> ++#endif ++ + #include "xmalloc.h" + #include "ssh.h" + #include "ssh2.h" +@@ -308,6 +312,10 @@ static void + sighup_restart(void) + { + logit("Received SIGHUP; restarting."); ++#ifdef HAVE_SYSTEMD ++ /* Signal systemd that we are reloading */ ++ sd_notify(0, "RELOADING=1"); ++#endif + if (options.pid_file != NULL) + unlink(options.pid_file); + platform_pre_restart(); +@@ -2093,6 +2101,11 @@ main(int ac, char **av) + } + } + ++#ifdef HAVE_SYSTEMD ++ /* Signal systemd that we are ready to accept connections */ ++ sd_notify(0, "READY=1"); ++#endif ++ + /* Accept a connection and return in a forked child */ + server_accept_loop(&sock_in, &sock_out, + &newsock, config_s); diff --git a/meta/recipes-connectivity/openssh/openssh/run-ptest b/meta/recipes-connectivity/openssh/openssh/run-ptest index 8a9b770d59..b2244d725a 100755 --- a/meta/recipes-connectivity/openssh/openssh/run-ptest +++ b/meta/recipes-connectivity/openssh/openssh/run-ptest @@ -4,8 +4,22 @@ export TEST_SHELL=sh export SKIP_UNIT=1 cd regress + +# copied from openssh-portable/.github/run_test.sh +output_failed_logs() { + for i in failed*.log; do + if [ -f "$i" ]; then + echo ------------------------------------------------------------------------- + echo LOGFILE $i + cat $i + echo ------------------------------------------------------------------------- + fi + done +} +trap output_failed_logs 0 + sed -i "/\t\tagent-ptrace /d" Makefile -make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="sudo" tests \ +make -k BUILDDIR=`pwd`/.. .OBJDIR=`pwd` .CURDIR=`pwd` SUDO="" tests \ | sed -u -e 's/^skipped/SKIP: /g' -e 's/^ok /PASS: /g' -e 's/^failed/FAIL: /g' SSHAGENT=`which ssh-agent` diff --git a/meta/recipes-connectivity/openssh/openssh/ssh_config b/meta/recipes-connectivity/openssh/openssh/ssh_config index ca70f37375..cb2774a163 100644 --- a/meta/recipes-connectivity/openssh/openssh/ssh_config +++ b/meta/recipes-connectivity/openssh/openssh/ssh_config @@ -19,11 +19,9 @@ Include /etc/ssh/ssh_config.d/*.conf -Host * - ForwardAgent yes - ForwardX11 yes -# RhostsRSAAuthentication no -# RSAAuthentication yes +# Host * +# ForwardAgent no +# ForwardX11 no # PasswordAuthentication yes # HostbasedAuthentication no # GSSAPIAuthentication no diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service new file mode 100644 index 0000000000..3e570ab1e5 --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service @@ -0,0 +1,18 @@ +[Unit] +Description=OpenSSH server daemon +Wants=sshdgenkeys.service +After=sshdgenkeys.service +After=nss-user-lookup.target + +[Service] +Environment="SSHD_OPTS=" +EnvironmentFile=-/etc/default/ssh +ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd +ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS +ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID +KillMode=process +Restart=on-failure +RestartSec=42s + +[Install] +WantedBy=multi-user.target diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket index 8d76d62309..7dd2ed0626 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd.socket +++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket @@ -1,6 +1,7 @@ [Unit] Conflicts=sshd.service Wants=sshdgenkeys.service +After=nss-user-lookup.target [Socket] ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd diff --git a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys index ef117de897..606d1894b5 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd_check_keys +++ b/meta/recipes-connectivity/openssh/openssh/sshd_check_keys @@ -57,8 +57,7 @@ while true ; do esac done -HOST_KEYS=$(sed -n 's/^[ \t]*HostKey[ \t]\+\(.*\)/\1/p' "${sshd_config}") -[ -z "${HOST_KEYS}" ] && HOST_KEYS="$SYSCONFDIR/ssh_host_rsa_key $SYSCONFDIR/ssh_host_ecdsa_key $SYSCONFDIR/ssh_host_ed25519_key" +HOST_KEYS=$(sshd -G -f "${sshd_config}" | grep -i '^hostkey ' | cut -f2 -d' ') for key in ${HOST_KEYS} ; do [ -f $key ] && continue diff --git a/meta/recipes-connectivity/openssh/openssh_9.1p1.bb b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb index 23ae8d5b0c..36ffa49398 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.1p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb @@ -16,6 +16,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://ssh_config \ file://init \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ + file://sshd.service \ file://sshd.socket \ file://sshd@.service \ file://sshdgenkeys.service \ @@ -24,18 +25,19 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \ file://sshd_check_keys \ file://add-test-support-for-busybox.patch \ + file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \ + file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \ " -SRC_URI[sha256sum] = "19f85009c7e3e23787f0236fbb1578392ab4d4bf9f8ec5fe6bc1cd7e8bfdd288" +SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd" -# This CVE is specific to OpenSSH with the pam opie which we don't build/use here -CVE_CHECK_IGNORE += "CVE-2007-2768" +CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here." # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded -CVE_CHECK_IGNORE += "CVE-2014-9278" +CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \ +Red Hat Enterprise Linux 7 and when running in a Kerberos environment" -# CVE only applies to some distributed RHEL binaries -CVE_CHECK_IGNORE += "CVE-2008-3844" +CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries." PAM_SRC_URI = "file://sshd" @@ -48,15 +50,21 @@ INITSCRIPT_NAME:${PN}-sshd = "sshd" INITSCRIPT_PARAMS:${PN}-sshd = "defaults 9" SYSTEMD_PACKAGES = "${PN}-sshd" -SYSTEMD_SERVICE:${PN}-sshd = "sshd.socket" +SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}" -inherit autotools-brokensep ptest +inherit autotools-brokensep ptest pkgconfig +DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" -PACKAGECONFIG ??= "" +# systemd-sshd-socket-mode means installing sshd.socket +# and systemd-sshd-service-mode corresponding to sshd.service +PACKAGECONFIG ??= "systemd-sshd-socket-mode" +PACKAGECONFIG[fido2] = "--with-security-key-builtin,--disable-security-key,libfido2" PACKAGECONFIG[kerberos] = "--with-kerberos5,--without-kerberos5,krb5" PACKAGECONFIG[ldns] = "--with-ldns,--without-ldns,ldns" PACKAGECONFIG[libedit] = "--with-libedit,--without-libedit,libedit" PACKAGECONFIG[manpages] = "--with-mantype=man,--with-mantype=cat" +PACKAGECONFIG[systemd-sshd-socket-mode] = "" +PACKAGECONFIG[systemd-sshd-service-mode] = "" EXTRA_AUTORECONF += "--exclude=aclocal" @@ -68,11 +76,19 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \ --sysconfdir=${sysconfdir}/ssh \ --with-xauth=${bindir}/xauth \ --disable-strip \ + ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \ " # musl doesn't implement wtmp/utmp and logwtmp EXTRA_OECONF:append:libc-musl = " --disable-wtmp --disable-lastlog" +# Work around ICE on mips/mips64 starting in 9.6p1 +EXTRA_OECONF:append:mips = " --without-hardening" +EXTRA_OECONF:append:mips64 = " --without-hardening" + +# Work around ICE on powerpc64le starting in 9.6p1 +EXTRA_OECONF:append:powerpc64le = " --without-hardening" + # Since we do not depend on libbsd, we do not want configure to use it # just because it finds libutil.h. But, specifying --disable-libutil # causes compile errors, so... @@ -86,8 +102,8 @@ CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no" do_configure:prepend () { export LD="${CC}" - install -m 0644 ${WORKDIR}/sshd_config ${B}/ - install -m 0644 ${WORKDIR}/ssh_config ${B}/ + install -m 0644 ${UNPACKDIR}/sshd_config ${B}/ + install -m 0644 ${UNPACKDIR}/ssh_config ${B}/ } do_compile_ptest() { @@ -121,14 +137,24 @@ do_install:append () { echo "HostKey /var/run/ssh/ssh_host_ed25519_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly install -d ${D}${systemd_system_unitdir} - install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir} - install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir} + if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','true','false',d)}; then + install -c -m 0644 ${WORKDIR}/sshd.socket ${D}${systemd_system_unitdir} + install -c -m 0644 ${WORKDIR}/sshd@.service ${D}${systemd_system_unitdir} + sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ + -e 's,@SBINDIR@,${sbindir},g' \ + -e 's,@BINDIR@,${bindir},g' \ + -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ + ${D}${systemd_system_unitdir}/sshd.socket + fi + if ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','true','false',d)}; then + install -c -m 0644 ${WORKDIR}/sshd.service ${D}${systemd_system_unitdir} + fi install -c -m 0644 ${WORKDIR}/sshdgenkeys.service ${D}${systemd_system_unitdir} sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \ -e 's,@SBINDIR@,${sbindir},g' \ -e 's,@BINDIR@,${bindir},g' \ -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ - ${D}${systemd_system_unitdir}/sshd.socket ${D}${systemd_system_unitdir}/*.service + ${D}${systemd_system_unitdir}/*.service sed -i -e 's,@LIBEXECDIR@,${libexecdir}/${BPN},g' \ ${D}${sysconfdir}/init.d/sshd @@ -158,7 +184,7 @@ FILES:${PN}-keygen = "${bindir}/ssh-keygen" RDEPENDS:${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen ${PN}-sftp-server" RDEPENDS:${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}" # gdb would make attach-ptrace test pass rather than skip but not worth the build dependencies -RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed sudo coreutils" +RDEPENDS:${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make sed coreutils openssl-bin" RPROVIDES:${PN}-ssh = "ssh" RPROVIDES:${PN}-sshd = "sshd" diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch new file mode 100644 index 0000000000..aa2e5bb800 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch @@ -0,0 +1,374 @@ +From 5ba65051fea0513db0d997f0ab7cafb9826ed74a Mon Sep 17 00:00:00 2001 +From: William Lyu <William.Lyu@windriver.com> +Date: Fri, 20 Oct 2023 16:22:37 -0400 +Subject: [PATCH] Added handshake history reporting when test fails + +Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481] + +Signed-off-by: William Lyu <William.Lyu@windriver.com> +--- + test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++---------- + test/helpers/handshake.h | 70 +++++++++++++++++++- + test/ssl_test.c | 44 +++++++++++++ + 3 files changed, 218 insertions(+), 35 deletions(-) + +diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c +index e0422469e4..ae2ad59dd4 100644 +--- a/test/helpers/handshake.c ++++ b/test/helpers/handshake.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -24,6 +24,102 @@ + #include <netinet/sctp.h> + #endif + ++/* Shamelessly copied from test/helpers/ssl_test_ctx.c */ ++/* Maps string names to various enumeration type */ ++typedef struct { ++ const char *name; ++ int value; ++} enum_name_map; ++ ++static const enum_name_map connect_phase_names[] = { ++ {"Handshake", HANDSHAKE}, ++ {"RenegAppData", RENEG_APPLICATION_DATA}, ++ {"RenegSetup", RENEG_SETUP}, ++ {"RenegHandshake", RENEG_HANDSHAKE}, ++ {"AppData", APPLICATION_DATA}, ++ {"Shutdown", SHUTDOWN}, ++ {"ConnectionDone", CONNECTION_DONE} ++}; ++ ++static const enum_name_map peer_status_names[] = { ++ {"PeerSuccess", PEER_SUCCESS}, ++ {"PeerRetry", PEER_RETRY}, ++ {"PeerError", PEER_ERROR}, ++ {"PeerWaiting", PEER_WAITING}, ++ {"PeerTestFail", PEER_TEST_FAILURE} ++}; ++ ++static const enum_name_map handshake_status_names[] = { ++ {"HandshakeSuccess", HANDSHAKE_SUCCESS}, ++ {"ClientError", CLIENT_ERROR}, ++ {"ServerError", SERVER_ERROR}, ++ {"InternalError", INTERNAL_ERROR}, ++ {"HandshakeRetry", HANDSHAKE_RETRY} ++}; ++ ++/* Shamelessly copied from test/helpers/ssl_test_ctx.c */ ++static const char *enum_name(const enum_name_map *enums, size_t num_enums, ++ int value) ++{ ++ size_t i; ++ for (i = 0; i < num_enums; i++) { ++ if (enums[i].value == value) { ++ return enums[i].name; ++ } ++ } ++ return "InvalidValue"; ++} ++ ++const char *handshake_connect_phase_name(connect_phase_t phase) ++{ ++ return enum_name(connect_phase_names, OSSL_NELEM(connect_phase_names), ++ (int)phase); ++} ++ ++const char *handshake_status_name(handshake_status_t handshake_status) ++{ ++ return enum_name(handshake_status_names, OSSL_NELEM(handshake_status_names), ++ (int)handshake_status); ++} ++ ++const char *handshake_peer_status_name(peer_status_t peer_status) ++{ ++ return enum_name(peer_status_names, OSSL_NELEM(peer_status_names), ++ (int)peer_status); ++} ++ ++static void save_loop_history(HANDSHAKE_HISTORY *history, ++ connect_phase_t phase, ++ handshake_status_t handshake_status, ++ peer_status_t server_status, ++ peer_status_t client_status, ++ int client_turn_count, ++ int is_client_turn) ++{ ++ HANDSHAKE_HISTORY_ENTRY *new_entry = NULL; ++ ++ /* ++ * Create a new history entry for a handshake loop with statuses given in ++ * the arguments. Potentially evicting the oldest entry when the ++ * ring buffer is full. ++ */ ++ ++(history->last_idx); ++ history->last_idx &= MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK; ++ ++ new_entry = &((history->entries)[history->last_idx]); ++ new_entry->phase = phase; ++ new_entry->handshake_status = handshake_status; ++ new_entry->server_status = server_status; ++ new_entry->client_status = client_status; ++ new_entry->client_turn_count = client_turn_count; ++ new_entry->is_client_turn = is_client_turn; ++ ++ /* Evict the oldest handshake loop entry when the ring buffer is full. */ ++ if (history->entry_count < MAX_HANDSHAKE_HISTORY_ENTRY) { ++ ++(history->entry_count); ++ } ++} ++ + HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) + { + HANDSHAKE_RESULT *ret; +@@ -719,15 +815,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client, + SSL_set_post_handshake_auth(client, 1); + } + +-/* The status for each connection phase. */ +-typedef enum { +- PEER_SUCCESS, +- PEER_RETRY, +- PEER_ERROR, +- PEER_WAITING, +- PEER_TEST_FAILURE +-} peer_status_t; +- + /* An SSL object and associated read-write buffers. */ + typedef struct peer_st { + SSL *ssl; +@@ -1074,17 +1161,6 @@ static void do_shutdown_step(PEER *peer) + } + } + +-typedef enum { +- HANDSHAKE, +- RENEG_APPLICATION_DATA, +- RENEG_SETUP, +- RENEG_HANDSHAKE, +- APPLICATION_DATA, +- SHUTDOWN, +- CONNECTION_DONE +-} connect_phase_t; +- +- + static int renegotiate_op(const SSL_TEST_CTX *test_ctx) + { + switch (test_ctx->handshake_mode) { +@@ -1162,19 +1238,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, + } + } + +-typedef enum { +- /* Both parties succeeded. */ +- HANDSHAKE_SUCCESS, +- /* Client errored. */ +- CLIENT_ERROR, +- /* Server errored. */ +- SERVER_ERROR, +- /* Peers are in inconsistent state. */ +- INTERNAL_ERROR, +- /* One or both peers not done. */ +- HANDSHAKE_RETRY +-} handshake_status_t; +- + /* + * Determine the handshake outcome. + * last_status: the status of the peer to have acted last. +@@ -1539,6 +1602,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( + + start = time(NULL); + ++ save_loop_history(&(ret->history), ++ phase, status, server.status, client.status, ++ client_turn_count, client_turn); ++ + /* + * Half-duplex handshake loop. + * Client and server speak to each other synchronously in the same process. +@@ -1560,6 +1627,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( + 0 /* server went last */); + } + ++ save_loop_history(&(ret->history), ++ phase, status, server.status, client.status, ++ client_turn_count, client_turn); ++ + switch (status) { + case HANDSHAKE_SUCCESS: + client_turn_count = 0; +diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h +index 78b03f9f4b..b9967c2623 100644 +--- a/test/helpers/handshake.h ++++ b/test/helpers/handshake.h +@@ -1,5 +1,5 @@ + /* +- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -12,6 +12,11 @@ + + #include "ssl_test_ctx.h" + ++#define MAX_HANDSHAKE_HISTORY_ENTRY_BIT 4 ++#define MAX_HANDSHAKE_HISTORY_ENTRY (1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT) ++#define MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK \ ++ ((1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT) - 1) ++ + typedef struct ctx_data_st { + unsigned char *npn_protocols; + size_t npn_protocols_len; +@@ -22,6 +27,63 @@ typedef struct ctx_data_st { + char *session_ticket_app_data; + } CTX_DATA; + ++typedef enum { ++ HANDSHAKE, ++ RENEG_APPLICATION_DATA, ++ RENEG_SETUP, ++ RENEG_HANDSHAKE, ++ APPLICATION_DATA, ++ SHUTDOWN, ++ CONNECTION_DONE ++} connect_phase_t; ++ ++/* The status for each connection phase. */ ++typedef enum { ++ PEER_SUCCESS, ++ PEER_RETRY, ++ PEER_ERROR, ++ PEER_WAITING, ++ PEER_TEST_FAILURE ++} peer_status_t; ++ ++typedef enum { ++ /* Both parties succeeded. */ ++ HANDSHAKE_SUCCESS, ++ /* Client errored. */ ++ CLIENT_ERROR, ++ /* Server errored. */ ++ SERVER_ERROR, ++ /* Peers are in inconsistent state. */ ++ INTERNAL_ERROR, ++ /* One or both peers not done. */ ++ HANDSHAKE_RETRY ++} handshake_status_t; ++ ++/* Stores the various status information in a handshake loop. */ ++typedef struct handshake_history_entry_st { ++ connect_phase_t phase; ++ handshake_status_t handshake_status; ++ peer_status_t server_status; ++ peer_status_t client_status; ++ int client_turn_count; ++ int is_client_turn; ++} HANDSHAKE_HISTORY_ENTRY; ++ ++typedef struct handshake_history_st { ++ /* Implemented using ring buffer. */ ++ /* ++ * The valid entries are |entries[last_idx]|, |entries[last_idx-1]|, ++ * ..., etc., going up to |entry_count| number of entries. Note that when ++ * the index into the array |entries| becomes < 0, we wrap around to ++ * the end of |entries|. ++ */ ++ HANDSHAKE_HISTORY_ENTRY entries[MAX_HANDSHAKE_HISTORY_ENTRY]; ++ /* The number of valid entries in |entries| array. */ ++ size_t entry_count; ++ /* The index of the last valid entry in the |entries| array. */ ++ size_t last_idx; ++} HANDSHAKE_HISTORY; ++ + typedef struct handshake_result { + ssl_test_result_t result; + /* These alerts are in the 2-byte format returned by the info_callback. */ +@@ -77,6 +139,8 @@ typedef struct handshake_result { + char *cipher; + /* session ticket application data */ + char *result_session_ticket_app_data; ++ /* handshake loop history */ ++ HANDSHAKE_HISTORY history; + } HANDSHAKE_RESULT; + + HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void); +@@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, + CTX_DATA *server2_ctx_data, + CTX_DATA *client_ctx_data); + ++const char *handshake_connect_phase_name(connect_phase_t phase); ++const char *handshake_status_name(handshake_status_t handshake_status); ++const char *handshake_peer_status_name(peer_status_t peer_status); ++ + #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */ +diff --git a/test/ssl_test.c b/test/ssl_test.c +index ea608518f9..9d6b093c81 100644 +--- a/test/ssl_test.c ++++ b/test/ssl_test.c +@@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL; + /* Currently the section names are of the form test-<number>, e.g. test-15. */ + #define MAX_TESTCASE_NAME_LENGTH 100 + ++static void print_handshake_history(const HANDSHAKE_HISTORY *history) ++{ ++ size_t first_idx; ++ size_t i; ++ size_t cur_idx; ++ const HANDSHAKE_HISTORY_ENTRY *cur_entry; ++ const char header_template[] = "|%14s|%16s|%16s|%16s|%17s|%14s|"; ++ const char body_template[] = "|%14s|%16s|%16s|%16s|%17d|%14s|"; ++ ++ TEST_info("The following is the server/client state " ++ "in the most recent %d handshake loops.", ++ MAX_HANDSHAKE_HISTORY_ENTRY); ++ ++ TEST_note("==================================================" ++ "=================================================="); ++ TEST_note(header_template, ++ "phase", "handshake status", "server status", ++ "client status", "client turn count", "is client turn"); ++ TEST_note("+--------------+----------------+----------------" ++ "+----------------+-----------------+--------------+"); ++ ++ first_idx = (history->last_idx - history->entry_count + 1) & ++ MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK; ++ for (i = 0; i < history->entry_count; ++i) { ++ cur_idx = (first_idx + i) & MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK; ++ cur_entry = &(history->entries)[cur_idx]; ++ TEST_note(body_template, ++ handshake_connect_phase_name(cur_entry->phase), ++ handshake_status_name(cur_entry->handshake_status), ++ handshake_peer_status_name(cur_entry->server_status), ++ handshake_peer_status_name(cur_entry->client_status), ++ cur_entry->client_turn_count, ++ cur_entry->is_client_turn ? "true" : "false"); ++ } ++ TEST_note("==================================================" ++ "=================================================="); ++} ++ + static const char *print_alert(int alert) + { + return alert ? SSL_alert_desc_string_long(alert) : "no alert"; +@@ -388,6 +426,12 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx) + ret &= check_client_sign_type(result, test_ctx); + ret &= check_client_ca_names(result, test_ctx); + } ++ ++ /* Print handshake loop history if any check fails. */ ++ if (!ret) { ++ print_handshake_history(&(result->history)); ++ } ++ + return ret; + } + +-- +2.25.1 + diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch index 0b7abc3a11..502a7aaf32 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -1,6 +1,6 @@ -From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001 +From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001 From: Alexander Kanavin <alex@linutronix.de> -Date: Tue, 14 Sep 2021 12:18:25 +0200 +Date: Tue, 30 May 2023 09:11:27 -0700 Subject: [PATCH] Configure: do not tweak mips cflags This conflicts with mips machine definitons from yocto, @@ -9,20 +9,23 @@ e.g. Upstream-Status: Inappropriate [oe-core specific] Signed-off-by: Alexander Kanavin <alex@linutronix.de> + +Refreshed for openssl-3.1.1 +Signed-off-by: Tim Orling <tim.orling@konsulko.com> --- Configure | 10 ---------- 1 file changed, 10 deletions(-) -Index: openssl-3.0.4/Configure -=================================================================== ---- openssl-3.0.4.orig/Configure -+++ openssl-3.0.4/Configure -@@ -1423,16 +1423,6 @@ if ($target =~ /^mingw/ && `$config{CC} +diff --git a/Configure b/Configure +index 4569952..adf019b 100755 +--- a/Configure ++++ b/Configure +@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) push @{$config{shared_ldflag}}, "-mno-cygwin"; } -if ($target =~ /linux.*-mips/ && !$disabled{asm} -- && !grep { $_ !~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { +- && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { - # minimally required architecture flags for assembly modules - my $value; - $value = '-mips2' if ($target =~ /mips32/); diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch deleted file mode 100644 index 6d70b323d1..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2022-3996.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001 -From: Pauli <pauli@openssl.org> -Date: Fri, 11 Nov 2022 09:40:19 +1100 -Subject: [PATCH] x509: fix double locking problem - -This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the -redundant flag setting. - -Fixes #19643 - -Fixes LOW CVE-2022-3996 - -Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> -Reviewed-by: Tomas Mraz <tomas@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/19652) - -(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5) - -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7] -CVE: CVE-2022-3996 -Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> ---- - crypto/x509/pcy_map.c | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c -index 05406c6493..60dfd1e320 100644 ---- a/crypto/x509/pcy_map.c -+++ b/crypto/x509/pcy_map.c -@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) - - ret = 1; - bad_mapping: -- if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) { -- x->ex_flags |= EXFLAG_INVALID_POLICY; -- CRYPTO_THREAD_unlock(x->lock); -- } - sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); - return ret; - --- -2.30.2 - diff --git a/meta/recipes-connectivity/openssl/openssl/afalg.patch b/meta/recipes-connectivity/openssl/openssl/afalg.patch deleted file mode 100644 index cf77e873a2..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/afalg.patch +++ /dev/null @@ -1,31 +0,0 @@ -Don't refuse to build afalgeng if cross-compiling or the host kernel is too old. - -Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688] -Signed-off-by: Ross Burton <ross.burton@intel.com> - -Index: openssl-3.0.4/Configure -=================================================================== ---- openssl-3.0.4.orig/Configure -+++ openssl-3.0.4/Configure -@@ -1681,20 +1681,7 @@ $config{CFLAGS} = [ map { $_ eq '--ossl- - unless ($disabled{afalgeng}) { - $config{afalgeng}=""; - if (grep { $_ eq 'afalgeng' } @{$target{enable}}) { -- my $minver = 4*10000 + 1*100 + 0; -- if ($config{CROSS_COMPILE} eq "") { -- my $verstr = `uname -r`; -- my ($ma, $mi1, $mi2) = split("\\.", $verstr); -- ($mi2) = $mi2 =~ /(\d+)/; -- my $ver = $ma*10000 + $mi1*100 + $mi2; -- if ($ver < $minver) { -- disable('too-old-kernel', 'afalgeng'); -- } else { -- push @{$config{engdirs}}, "afalg"; -- } -- } else { -- disable('cross-compiling', 'afalgeng'); -- } -+ push @{$config{engdirs}}, "afalg"; - } else { - disable('not-linux', 'afalgeng'); - } diff --git a/meta/recipes-connectivity/openssl/openssl/bti.patch b/meta/recipes-connectivity/openssl/openssl/bti.patch new file mode 100644 index 0000000000..748576c30c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/bti.patch @@ -0,0 +1,58 @@ +From ba8a599395f8b770c76316b5f5b0f3838567014f Mon Sep 17 00:00:00 2001 +From: Tom Cosgrove <tom.cosgrove@arm.com> +Date: Tue, 26 Mar 2024 13:18:00 +0000 +Subject: [PATCH] aarch64: fix BTI in bsaes assembly code + +In Arm systems where BTI is enabled but the Crypto extensions are not (more +likely in FVPs than in real hardware), the bit-sliced assembler code will +be used. However, this wasn't annotated with BTI instructions when BTI was +enabled, so the moment libssl jumps into this code it (correctly) aborts. + +Solve this by adding the missing BTI landing pads. + +Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/23982] +Signed-off-by: Ross Burton <ross.burton@arm.com> +--- + crypto/aes/asm/bsaes-armv8.pl | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl +index b3c97e439f..c3c5ff3e05 100644 +--- a/crypto/aes/asm/bsaes-armv8.pl ++++ b/crypto/aes/asm/bsaes-armv8.pl +@@ -1018,6 +1018,7 @@ _bsaes_key_convert: + // Initialisation vector overwritten with last quadword of ciphertext + // No output registers, usual AAPCS64 register preservation + ossl_bsaes_cbc_encrypt: ++ AARCH64_VALID_CALL_TARGET + cmp x2, #128 + bhs .Lcbc_do_bsaes + b AES_cbc_encrypt +@@ -1270,7 +1271,7 @@ ossl_bsaes_cbc_encrypt: + // Output text filled in + // No output registers, usual AAPCS64 register preservation + ossl_bsaes_ctr32_encrypt_blocks: +- ++ AARCH64_VALID_CALL_TARGET + cmp x2, #8 // use plain AES for + blo .Lctr_enc_short // small sizes + +@@ -1476,6 +1477,7 @@ ossl_bsaes_ctr32_encrypt_blocks: + // Output ciphertext filled in + // No output registers, usual AAPCS64 register preservation + ossl_bsaes_xts_encrypt: ++ AARCH64_VALID_CALL_TARGET + // Stack layout: + // sp -> + // nrounds*128-96 bytes: key schedule +@@ -1921,6 +1923,7 @@ ossl_bsaes_xts_encrypt: + // Output plaintext filled in + // No output registers, usual AAPCS64 register preservation + ossl_bsaes_xts_decrypt: ++ AARCH64_VALID_CALL_TARGET + // Stack layout: + // sp -> + // nrounds*128-96 bytes: key schedule +-- +2.34.1 + diff --git a/meta/recipes-connectivity/openssl/openssl/run-ptest b/meta/recipes-connectivity/openssl/openssl/run-ptest index 8dff79101f..c89ec5afa1 100644 --- a/meta/recipes-connectivity/openssl/openssl/run-ptest +++ b/meta/recipes-connectivity/openssl/openssl/run-ptest @@ -9,4 +9,4 @@ export TOP=. # OPENSSL_ENGINES is relative from the test binaries export OPENSSL_ENGINES=../engines -perl ./test/run_tests.pl $* | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g' +{ HARNESS_JOBS=4 perl ./test/run_tests.pl $* || echo "FAIL: openssl" ; } | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g' diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.7.bb b/meta/recipes-connectivity/openssl/openssl_3.3.0.bb index 1842148592..113ed4bf95 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.7.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.3.0.bb @@ -10,18 +10,18 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04" SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://run-ptest \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ - file://afalg.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ - file://CVE-2022-3996.patch \ + file://0001-Added-handshake-history-reporting-when-test-fails.patch \ + file://bti.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e" +SRC_URI[sha256sum] = "53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02" -inherit lib_package multilib_header multilib_script ptest perlnative +inherit lib_package multilib_header multilib_script ptest perlnative manpages MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" PACKAGECONFIG ?= "" @@ -31,6 +31,7 @@ PACKAGECONFIG:class-nativesdk = "" PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module" PACKAGECONFIG[no-tls1] = "no-tls1" PACKAGECONFIG[no-tls1_1] = "no-tls1_1" +PACKAGECONFIG[manpages] = "" B = "${WORKDIR}/build" do_configure[cleandirs] = "${B}" @@ -96,6 +97,9 @@ do_configure () { linux-gnu64-x86_64) target=linux-x86_64 ;; + linux-loongarch64) + target=linux64-loongarch64 + ;; linux-mips | linux-mipsel) # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags target="linux-mips32 ${TARGET_CC_ARCH}" @@ -119,10 +123,10 @@ do_configure () { target=linux-ppc64le ;; linux-riscv32) - target=linux-generic32 + target=linux32-riscv32 ;; linux-riscv64) - target=linux-generic64 + target=linux64-riscv64 ;; linux-sparc | linux-supersparc) target=linux-sparcv9 @@ -132,19 +136,17 @@ do_configure () { ;; esac - useprefix=${prefix} - if [ "x$useprefix" = "x" ]; then - useprefix=/ - fi # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the # environment variables set by bitbake. Adjust the environment variables instead. - HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \ - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target + PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)" + test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!" + HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \ + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target perl ${B}/configdata.pm --dump } do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} oe_multilib_header openssl/opensslconf.h oe_multilib_header openssl/configuration.h @@ -175,7 +177,7 @@ do_install:append:class-native () { do_install:append:class-nativesdk () { mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d - install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh + install -m 644 ${UNPACKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh } @@ -184,6 +186,7 @@ PTEST_BUILD_HOST_PATTERN = "perl_version =" do_install_ptest () { install -d ${D}${PTEST_PATH}/test install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test + install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test # Prune the build tree @@ -254,6 +257,3 @@ CVE_PRODUCT = "openssl:openssl" CVE_VERSION_SUFFIX = "alphabetical" -# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 -# Apache in meta-webserver is already recent enough -CVE_CHECK_IGNORE += "CVE-2019-0190" diff --git a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb index 8a6c297cb0..0c3085d3a8 100644 --- a/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb +++ b/meta/recipes-connectivity/ppp-dialin/ppp-dialin_0.1.bb @@ -3,7 +3,6 @@ SECTION = "console/network" DESCRIPTION = "PPP dail-in provides a point to point protocol (PPP), so that other computers can dial up to it and access connected networks." DEPENDS = "ppp" RDEPENDS:${PN} = "ppp" -PR = "r8" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" @@ -16,10 +15,10 @@ S = "${WORKDIR}" do_install() { install -d ${D}${sysconfdir}/ppp/peers - install -m 0644 ${WORKDIR}/host-peer ${D}${sysconfdir}/ppp/peers/host + install -m 0644 ${S}/host-peer ${D}${sysconfdir}/ppp/peers/host install -d ${D}${sbindir} - install -m 0755 ${WORKDIR}/ppp-dialin ${D}${sbindir} + install -m 0755 ${S}/ppp-dialin ${D}${sbindir} } USERADD_PACKAGES = "${PN}" diff --git a/meta/recipes-connectivity/ppp/ppp/0001-ppp-fix-build-against-5.15-headers.patch b/meta/recipes-connectivity/ppp/ppp/0001-ppp-fix-build-against-5.15-headers.patch deleted file mode 100644 index c91246dbf5..0000000000 --- a/meta/recipes-connectivity/ppp/ppp/0001-ppp-fix-build-against-5.15-headers.patch +++ /dev/null @@ -1,36 +0,0 @@ -From aba3273273e826c6dc90f197ca9a3e800e826891 Mon Sep 17 00:00:00 2001 -From: Bruce Ashfield <bruce.ashfield@gmail.com> -Date: Fri, 5 Nov 2021 12:41:35 -0400 -Subject: [PATCH] ppp: fix build against 5.15 headers - -The 5.15 kernel has removed ipx support, along with the userspace -visible header. - -This support wasn't used previously (as it hasn't been very well -maintained in the kernel for several years), so we can simply -disable it in our build and wait for upstream to do a release that -drops the support. - -Upstream-Status: Inappropriate [OE-specific configuration/headers] - -Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com> ---- - pppd/Makefile.linux | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 22837c5..23b9b22 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -91,7 +91,7 @@ MAXOCTETS=y - - INCLUDE_DIRS= -I../include - --COMPILE_FLAGS= -DHAVE_PATHS_H -DIPX_CHANGE -DHAVE_MMAP -pipe -+COMPILE_FLAGS= -DHAVE_PATHS_H -DHAVE_MMAP -pipe - - CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"' - --- -2.25.1 - diff --git a/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch b/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch deleted file mode 100644 index 4325b1d6b0..0000000000 --- a/meta/recipes-connectivity/ppp/ppp/CVE-2022-4603.patch +++ /dev/null @@ -1,48 +0,0 @@ -From a75fb7b198eed50d769c80c36629f38346882cbf Mon Sep 17 00:00:00 2001 -From: Paul Mackerras <paulus@ozlabs.org> -Date: Thu, 4 Aug 2022 12:23:08 +1000 -Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer - -This fixes a potential vulnerability where data is written to spkt.buf -and rpkt.buf without a check on the array index. To fix this, we -check the array index (pkt->cnt) before storing the byte or -incrementing the count. This also means we no longer have a potential -signed integer overflow on the increment of pkt->cnt. - -Fortunately, pppdump is not used in the normal process of setting up a -PPP connection, is not installed setuid-root, and is not invoked -automatically in any scenario that I am aware of. - -Signed-off-by: Paul Mackerras <paulus@ozlabs.org> - -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> ---- - pppdump/pppdump.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c -index 2b815fc9..b85a8627 100644 ---- a/pppdump/pppdump.c -+++ b/pppdump/pppdump.c -@@ -297,6 +297,10 @@ dumpppp(f) - printf("%s aborted packet:\n ", dir); - q = " "; - } -+ if (pkt->cnt >= sizeof(pkt->buf)) { -+ printf("%s over-long packet truncated:\n ", dir); -+ q = " "; -+ } - nb = pkt->cnt; - p = pkt->buf; - pkt->cnt = 0; -@@ -400,7 +404,8 @@ dumpppp(f) - c ^= 0x20; - pkt->esc = 0; - } -- pkt->buf[pkt->cnt++] = c; -+ if (pkt->cnt < sizeof(pkt->buf)) -+ pkt->buf[pkt->cnt++] = c; - break; - } - } diff --git a/meta/recipes-connectivity/ppp/ppp/makefix.patch b/meta/recipes-connectivity/ppp/ppp/makefix.patch deleted file mode 100644 index fce068cae0..0000000000 --- a/meta/recipes-connectivity/ppp/ppp/makefix.patch +++ /dev/null @@ -1,40 +0,0 @@ -We were seeing reproducibility issues where one host would use the internal -logwtmp wrapper, another would use the one in libutil. The issue was that in -some cases the "\#include" was making it to CC, in others, "#include". The -issue seems to be related to shell escaping. - -The root cause looks to be: -http://git.savannah.gnu.org/cgit/make.git/commit/?id=c6966b323811c37acedff05b576b907b06aea5f4 - -Instead of relying on shell quoting, use make to indirect the variable -and avoid the problem. - -See https://github.com/paulusmack/ppp/issues/233 - -Upstream-Status: Backport [https://github.com/paulusmack/ppp/commit/b4430f7092ececdff2504d5f3393a4c6528c3686] -Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> - -Index: ppp-2.4.9/pppd/Makefile.linux -=================================================================== ---- ppp-2.4.9.orig/pppd/Makefile.linux -+++ ppp-2.4.9/pppd/Makefile.linux -@@ -80,7 +80,8 @@ PLUGIN=y - #USE_SRP=y - - # Use libutil; test if logwtmp is declared in <utmp.h> to detect --ifeq ($(shell echo '\#include <utmp.h>' | $(CC) -E - 2>/dev/null | grep -q logwtmp && echo yes),yes) -+UTMPHEADER = "\#include <utmp.h>" -+ifeq ($(shell echo $(UTMPHEADER) | $(CC) -E - 2>/dev/null | grep -q logwtmp && echo yes),yes) - USE_LIBUTIL=y - endif - -@@ -143,7 +144,8 @@ CFLAGS += -DHAS_SHADOW - #LIBS += -lshadow $(LIBS) - endif - --ifeq ($(shell echo '\#include <crypt.h>' | $(CC) -E - >/dev/null 2>&1 && echo yes),yes) -+CRYPTHEADER = "\#include <crypt.h>" -+ifeq ($(shell echo $(CRYPTHEADER) | $(CC) -E - >/dev/null 2>&1 && echo yes),yes) - CFLAGS += -DHAVE_CRYPT_H=1 - LIBS += -lcrypt - endif diff --git a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb b/meta/recipes-connectivity/ppp/ppp_2.5.0.bb index 7e3ae43b58..36e2585de4 100644 --- a/meta/recipes-connectivity/ppp/ppp_2.4.9.bb +++ b/meta/recipes-connectivity/ppp/ppp_2.5.0.bb @@ -5,14 +5,13 @@ SECTION = "console/network" HOMEPAGE = "http://samba.org/ppp/" BUGTRACKER = "http://ppp.samba.org/cgi-bin/ppp-bugs" DEPENDS = "libpcap openssl virtual/crypt" -LICENSE = "BSD-3-Clause & BSD-3-Clause-Attribution & GPL-2.0-or-later & LGPL-2.0-or-later & PD" +LICENSE = "BSD-3-Clause & BSD-3-Clause-Attribution & GPL-2.0-or-later & LGPL-2.0-or-later & PD & RSA-MD" LIC_FILES_CHKSUM = "file://pppd/ccp.c;beginline=1;endline=29;md5=e2c43fe6e81ff77d87dc9c290a424dea \ file://pppd/plugins/passprompt.c;beginline=1;endline=10;md5=3bcbcdbf0e369c9a3e0b8c8275b065d8 \ file://pppd/tdb.c;beginline=1;endline=27;md5=4ca3a9991b011038d085d6675ae7c4e6 \ file://chat/chat.c;beginline=1;endline=15;md5=0d374b8545ee5c62d7aff1acbd38add2" SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \ - file://makefix.patch \ file://pon \ file://poff \ file://init \ @@ -24,56 +23,34 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \ file://ppp_on_boot \ file://provider \ file://ppp@.service \ - file://0001-ppp-fix-build-against-5.15-headers.patch \ - file://CVE-2022-4603.patch \ " -SRC_URI[sha256sum] = "f938b35eccde533ea800b15a7445b2f1137da7f88e32a16898d02dee8adc058d" +SRC_URI[sha256sum] = "5cae0e8075f8a1755f16ca290eb44e6b3545d3f292af4da65ecffe897de636ff" -inherit autotools-brokensep systemd +inherit autotools systemd -TARGET_CC_ARCH += " ${LDFLAGS}" -EXTRA_OEMAKE = "CC='${CC}' STRIPPROG=${STRIP} MANDIR=${D}${datadir}/man/man8 INCDIR=${D}${includedir} LIBDIR=${D}${libdir}/pppd/${PV} BINDIR=${D}${sbindir}" -EXTRA_OECONF = "--disable-strip" - -# Package Makefile computes CFLAGS, referencing COPTS. -# Typically hard-coded to '-O2 -g' in the Makefile's. -# -EXTRA_OEMAKE += ' COPTS="${CFLAGS} -I${STAGING_INCDIR}/openssl -I${S}/include"' - -EXTRA_OECONF:append:libc-musl = " --disable-ipxcp" - -do_configure () { - oe_runconf -} +EXTRA_OECONF += "--with-openssl=${STAGING_EXECPREFIXDIR}" do_install:append () { - make install-etcppp ETCDIR=${D}/${sysconfdir}/ppp mkdir -p ${D}${bindir}/ ${D}${sysconfdir}/init.d mkdir -p ${D}${sysconfdir}/ppp/ip-up.d/ mkdir -p ${D}${sysconfdir}/ppp/ip-down.d/ - install -m 0755 ${WORKDIR}/pon ${D}${bindir}/pon - install -m 0755 ${WORKDIR}/poff ${D}${bindir}/poff - install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/ppp - install -m 0755 ${WORKDIR}/ip-up ${D}${sysconfdir}/ppp/ - install -m 0755 ${WORKDIR}/ip-down ${D}${sysconfdir}/ppp/ - install -m 0755 ${WORKDIR}/08setupdns ${D}${sysconfdir}/ppp/ip-up.d/ - install -m 0755 ${WORKDIR}/92removedns ${D}${sysconfdir}/ppp/ip-down.d/ + install -m 0755 ${UNPACKDIR}/pon ${D}${bindir}/pon + install -m 0755 ${UNPACKDIR}/poff ${D}${bindir}/poff + install -m 0755 ${UNPACKDIR}/init ${D}${sysconfdir}/init.d/ppp + install -m 0755 ${UNPACKDIR}/ip-up ${D}${sysconfdir}/ppp/ + install -m 0755 ${UNPACKDIR}/ip-down ${D}${sysconfdir}/ppp/ + install -m 0755 ${UNPACKDIR}/08setupdns ${D}${sysconfdir}/ppp/ip-up.d/ + install -m 0755 ${UNPACKDIR}/92removedns ${D}${sysconfdir}/ppp/ip-down.d/ mkdir -p ${D}${sysconfdir}/chatscripts mkdir -p ${D}${sysconfdir}/ppp/peers - install -m 0755 ${WORKDIR}/pap ${D}${sysconfdir}/chatscripts - install -m 0755 ${WORKDIR}/ppp_on_boot ${D}${sysconfdir}/ppp/ppp_on_boot - install -m 0755 ${WORKDIR}/provider ${D}${sysconfdir}/ppp/peers/provider + install -m 0755 ${UNPACKDIR}/pap ${D}${sysconfdir}/chatscripts + install -m 0755 ${UNPACKDIR}/ppp_on_boot ${D}${sysconfdir}/ppp/ppp_on_boot + install -m 0755 ${UNPACKDIR}/provider ${D}${sysconfdir}/ppp/peers/provider install -d ${D}${systemd_system_unitdir} - install -m 0644 ${WORKDIR}/ppp@.service ${D}${systemd_system_unitdir} + install -m 0644 ${UNPACKDIR}/ppp@.service ${D}${systemd_system_unitdir} sed -i -e 's,@SBINDIR@,${sbindir},g' \ ${D}${systemd_system_unitdir}/ppp@.service - rm -rf ${D}/${mandir}/man8/man8 - chmod u+s ${D}${sbindir}/pppd -} - -do_install:append:libc-musl () { - install -Dm 0644 ${S}/include/net/ppp_defs.h ${D}${includedir}/net/ppp_defs.h } CONFFILES:${PN} = "${sysconfdir}/ppp/pap-secrets ${sysconfdir}/ppp/chap-secrets ${sysconfdir}/ppp/options" @@ -96,5 +73,3 @@ SUMMARY:${PN}-password = "Plugin for PPP to get passwords via a pipe" SUMMARY:${PN}-l2tp = "Plugin for PPP for l2tp support" SUMMARY:${PN}-tools = "Additional tools for the PPP package" -# Ignore compatibility symlink rp-pppoe.so->pppoe.so -INSANE_SKIP:${PN}-oe += "dev-so" diff --git a/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb b/meta/recipes-connectivity/resolvconf/resolvconf_1.92.bb index 3f1b75d07d..c3ce5bc22e 100644 --- a/meta/recipes-connectivity/resolvconf/resolvconf_1.91.bb +++ b/meta/recipes-connectivity/resolvconf/resolvconf_1.92.bb @@ -7,7 +7,6 @@ information." SECTION = "console/network" LICENSE = "GPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b" -AUTHOR = "Thomas Hood" HOMEPAGE = "http://packages.debian.org/resolvconf" RDEPENDS:${PN} = "bash sed util-linux-flock" @@ -16,7 +15,7 @@ SRC_URI = "git://salsa.debian.org/debian/resolvconf.git;protocol=https;branch=un file://0001-avoid-using-m-option-for-readlink.patch \ " -SRCREV = "859209d573e7aec0e95d812c6b52444591a628d1" +SRCREV = "86047276c80705c51859a19f0c472102e0822f34" S = "${WORKDIR}/git" @@ -30,7 +29,7 @@ do_compile () { do_install () { install -d ${D}${sysconfdir}/default/volatiles - install -m 0644 ${WORKDIR}/99_resolvconf ${D}${sysconfdir}/default/volatiles + install -m 0644 ${UNPACKDIR}/99_resolvconf ${D}${sysconfdir}/default/volatiles if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/tmpfiles.d echo "d /run/${BPN}/interface - - - -" \ diff --git a/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch b/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch new file mode 100644 index 0000000000..9051ae1abe --- /dev/null +++ b/meta/recipes-connectivity/socat/files/0001-fix-compile-procan.c-failed.patch @@ -0,0 +1,62 @@ +From 4f887cc665c9a48b83e20ef4abe57afa7e365e0e Mon Sep 17 00:00:00 2001 +From: Hongxu Jia <hongxu.jia@eng.windriver.com> +Date: Tue, 5 Dec 2023 23:02:22 -0800 +Subject: [PATCH v2] fix compile procan.c failed + +1. Compile socat failed if out of tree build (build dir != source dir) +... +gcc -c -D CC="gcc" -o procan.o procan.c +cc1: fatal error: procan.c: No such file or directory +... +Explicitly add $srcdir to makefile rule + +2. Compile socat failed if multiple words in $(CC), such as CC="gcc -m64" +... +from ../socat-1.8.0.0/procan.c:10: +../socat-1.8.0.0/sysincludes.h:18:10: fatal error: inttypes.h: No such file or directory + 18 | #include <inttypes.h> /* uint16_t */ +... + +In commit [Procan: print umask, CC, and couple more new infos][1], +it defeines marcro CC in C source, the space in CC will break +C source compile. Use first word of $(CC) to defeine marco CC + +[1] https://repo.or.cz/socat.git/commit/cd5673dbd0786c94e0b3ace7e35fab14c01e3185 + +Upstream-Status: Submitted [socat@dest-unreach.org] +Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com> +--- + Makefile.in | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/Makefile.in b/Makefile.in +index c01b1a4..48dad69 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -109,8 +109,8 @@ depend: $(CFILES) $(HFILES) + socat: socat.o libxio.a + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ socat.o libxio.a $(CLIBS) + +-procan.o: procan.c +- $(CC) $(CFLAGS) -c -D CC=\"$(CC)\" -o $@ procan.c ++procan.o: $(srcdir)/procan.c ++ $(CC) $(CFLAGS) -c -D CC=\"$(firstword $(CC))\" -o $@ $(srcdir)/procan.c + + PROCAN_OBJS=procan_main.o procan.o procan-cdefs.o hostan.o error.o sycls.o sysutils.o utils.o vsnprintf_r.o snprinterr.o + procan: $(PROCAN_OBJS) +@@ -132,9 +132,9 @@ install: progs $(srcdir)/doc/socat.1 + mkdir -p $(DESTDIR)$(BINDEST) + $(INSTALL) -m 755 socat $(DESTDIR)$(BINDEST)/socat1 + ln -sf socat1 $(DESTDIR)$(BINDEST)/socat +- $(INSTALL) -m 755 socat-chain.sh $(DESTDIR)$(BINDEST) +- $(INSTALL) -m 755 socat-mux.sh $(DESTDIR)$(BINDEST) +- $(INSTALL) -m 755 socat-broker.sh $(DESTDIR)$(BINDEST) ++ $(INSTALL) -m 755 $(srcdir)/socat-chain.sh $(DESTDIR)$(BINDEST) ++ $(INSTALL) -m 755 $(srcdir)/socat-mux.sh $(DESTDIR)$(BINDEST) ++ $(INSTALL) -m 755 $(srcdir)/socat-broker.sh $(DESTDIR)$(BINDEST) + $(INSTALL) -m 755 procan $(DESTDIR)$(BINDEST) + $(INSTALL) -m 755 filan $(DESTDIR)$(BINDEST) + mkdir -p $(DESTDIR)$(MANDEST)/man1 +-- +2.42.0 + diff --git a/meta/recipes-connectivity/socat/socat_1.7.4.4.bb b/meta/recipes-connectivity/socat/socat_1.8.0.0.bb index 5a379380d1..912605c95c 100644 --- a/meta/recipes-connectivity/socat/socat_1.7.4.4.bb +++ b/meta/recipes-connectivity/socat/socat_1.8.0.0.bb @@ -7,11 +7,13 @@ SECTION = "console/network" LICENSE = "GPL-2.0-with-OpenSSL-exception" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://README;beginline=257;endline=287;md5=82520b052f322ac2b5b3dfdc7c7eea86" + file://README;beginline=241;endline=271;md5=338c05eadd013872abb1d6e198e10a3f" -SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2" +SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \ + file://0001-fix-compile-procan.c-failed.patch \ +" -SRC_URI[sha256sum] = "fbd42bd2f0e54a3af6d01bdf15385384ab82dbc0e4f1a5e153b3e0be1b6380ac" +SRC_URI[sha256sum] = "e1de683dd22ee0e3a6c6bbff269abe18ab0c9d7eb650204f125155b9005faca7" inherit autotools diff --git a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb index ddd10e6eeb..4a62ddacd5 100644 --- a/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb +++ b/meta/recipes-connectivity/ssh-pregen-hostkeys/ssh-pregen-hostkeys_1.0.bb @@ -8,12 +8,14 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda INHIBIT_DEFAULT_DEPS = "1" +COMPATIBLE_MACHINE = "^qemu.*$" + do_install () { install -d ${D}${sysconfdir}/dropbear - install ${WORKDIR}/dropbear_rsa_host_key -m 0600 ${D}${sysconfdir}/dropbear/ + install ${UNPACKDIR}/dropbear_rsa_host_key -m 0600 ${D}${sysconfdir}/dropbear/ install -d ${D}${sysconfdir}/ssh - install ${WORKDIR}/openssh/* ${D}${sysconfdir}/ssh/ + install ${UNPACKDIR}/openssh/* ${D}${sysconfdir}/ssh/ chmod 0600 ${D}${sysconfdir}/ssh/* chmod 0644 ${D}${sysconfdir}/ssh/*.pub -}
\ No newline at end of file +} diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch new file mode 100644 index 0000000000..620560d3c7 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch @@ -0,0 +1,213 @@ +From f6f7cead3661ceeef54b21f7e799c0afc98537ec Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <j@w1.fi> +Date: Sat, 8 Jul 2023 19:55:32 +0300 +Subject: [PATCH] PEAP client: Update Phase 2 authentication requirements + +The previous PEAP client behavior allowed the server to skip Phase 2 +authentication with the expectation that the server was authenticated +during Phase 1 through TLS server certificate validation. Various PEAP +specifications are not exactly clear on what the behavior on this front +is supposed to be and as such, this ended up being more flexible than +the TTLS/FAST/TEAP cases. However, this is not really ideal when +unfortunately common misconfiguration of PEAP is used in deployed +devices where the server trust root (ca_cert) is not configured or the +user has an easy option for allowing this validation step to be skipped. + +Change the default PEAP client behavior to be to require Phase 2 +authentication to be successfully completed for cases where TLS session +resumption is not used and the client certificate has not been +configured. Those two exceptions are the main cases where a deployed +authentication server might skip Phase 2 and as such, where a more +strict default behavior could result in undesired interoperability +issues. Requiring Phase 2 authentication will end up disabling TLS +session resumption automatically to avoid interoperability issues. + +Allow Phase 2 authentication behavior to be configured with a new phase1 +configuration parameter option: +'phase2_auth' option can be used to control Phase 2 (i.e., within TLS +tunnel) behavior for PEAP: + * 0 = do not require Phase 2 authentication + * 1 = require Phase 2 authentication when client certificate + (private_key/client_cert) is no used and TLS session resumption was + not used (default) + * 2 = require Phase 2 authentication in all cases + +Signed-off-by: Jouni Malinen <j@w1.fi> + +CVE: CVE-2023-52160 +Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baffdea9e55255a81270b768439c] + +Signed-off-by: Claus Stovgaard <claus.stovgaard@gmail.com> + +--- + src/eap_peer/eap_config.h | 8 ++++++ + src/eap_peer/eap_peap.c | 40 +++++++++++++++++++++++++++--- + src/eap_peer/eap_tls_common.c | 6 +++++ + src/eap_peer/eap_tls_common.h | 5 ++++ + wpa_supplicant/wpa_supplicant.conf | 7 ++++++ + 5 files changed, 63 insertions(+), 3 deletions(-) + +diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h +index 3238f74..047eec2 100644 +--- a/src/eap_peer/eap_config.h ++++ b/src/eap_peer/eap_config.h +@@ -469,6 +469,14 @@ struct eap_peer_config { + * 1 = use cryptobinding if server supports it + * 2 = require cryptobinding + * ++ * phase2_auth option can be used to control Phase 2 (i.e., within TLS ++ * tunnel) behavior for PEAP: ++ * 0 = do not require Phase 2 authentication ++ * 1 = require Phase 2 authentication when client certificate ++ * (private_key/client_cert) is no used and TLS session resumption was ++ * not used (default) ++ * 2 = require Phase 2 authentication in all cases ++ * + * EAP-WSC (WPS) uses following options: pin=Device_Password and + * uuid=Device_UUID + * +diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c +index 12e30df..6080697 100644 +--- a/src/eap_peer/eap_peap.c ++++ b/src/eap_peer/eap_peap.c +@@ -67,6 +67,7 @@ struct eap_peap_data { + u8 cmk[20]; + int soh; /* Whether IF-TNCCS-SOH (Statement of Health; Microsoft NAP) + * is enabled. */ ++ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth; + }; + + +@@ -114,6 +115,19 @@ static void eap_peap_parse_phase1(struct eap_peap_data *data, + wpa_printf(MSG_DEBUG, "EAP-PEAP: Require cryptobinding"); + } + ++ if (os_strstr(phase1, "phase2_auth=0")) { ++ data->phase2_auth = NO_AUTH; ++ wpa_printf(MSG_DEBUG, ++ "EAP-PEAP: Do not require Phase 2 authentication"); ++ } else if (os_strstr(phase1, "phase2_auth=1")) { ++ data->phase2_auth = FOR_INITIAL; ++ wpa_printf(MSG_DEBUG, ++ "EAP-PEAP: Require Phase 2 authentication for initial connection"); ++ } else if (os_strstr(phase1, "phase2_auth=2")) { ++ data->phase2_auth = ALWAYS; ++ wpa_printf(MSG_DEBUG, ++ "EAP-PEAP: Require Phase 2 authentication for all cases"); ++ } + #ifdef EAP_TNC + if (os_strstr(phase1, "tnc=soh2")) { + data->soh = 2; +@@ -142,6 +156,7 @@ static void * eap_peap_init(struct eap_sm *sm) + data->force_peap_version = -1; + data->peap_outer_success = 2; + data->crypto_binding = OPTIONAL_BINDING; ++ data->phase2_auth = FOR_INITIAL; + + if (config && config->phase1) + eap_peap_parse_phase1(data, config->phase1); +@@ -454,6 +469,20 @@ static int eap_tlv_validate_cryptobinding(struct eap_sm *sm, + } + + ++static bool peap_phase2_sufficient(struct eap_sm *sm, ++ struct eap_peap_data *data) ++{ ++ if ((data->phase2_auth == ALWAYS || ++ (data->phase2_auth == FOR_INITIAL && ++ !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn) && ++ !data->ssl.client_cert_conf) || ++ data->phase2_eap_started) && ++ !data->phase2_eap_success) ++ return false; ++ return true; ++} ++ ++ + /** + * eap_tlv_process - Process a received EAP-TLV message and generate a response + * @sm: Pointer to EAP state machine allocated with eap_peer_sm_init() +@@ -568,6 +597,11 @@ static int eap_tlv_process(struct eap_sm *sm, struct eap_peap_data *data, + " - force failed Phase 2"); + resp_status = EAP_TLV_RESULT_FAILURE; + ret->decision = DECISION_FAIL; ++ } else if (!peap_phase2_sufficient(sm, data)) { ++ wpa_printf(MSG_INFO, ++ "EAP-PEAP: Server indicated Phase 2 success, but sufficient Phase 2 authentication has not been completed"); ++ resp_status = EAP_TLV_RESULT_FAILURE; ++ ret->decision = DECISION_FAIL; + } else { + resp_status = EAP_TLV_RESULT_SUCCESS; + ret->decision = DECISION_UNCOND_SUCC; +@@ -887,8 +921,7 @@ continue_req: + /* EAP-Success within TLS tunnel is used to indicate + * shutdown of the TLS channel. The authentication has + * been completed. */ +- if (data->phase2_eap_started && +- !data->phase2_eap_success) { ++ if (!peap_phase2_sufficient(sm, data)) { + wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase 2 " + "Success used to indicate success, " + "but Phase 2 EAP was not yet " +@@ -1199,8 +1232,9 @@ static struct wpabuf * eap_peap_process(struct eap_sm *sm, void *priv, + static bool eap_peap_has_reauth_data(struct eap_sm *sm, void *priv) + { + struct eap_peap_data *data = priv; ++ + return tls_connection_established(sm->ssl_ctx, data->ssl.conn) && +- data->phase2_success; ++ data->phase2_success && data->phase2_auth != ALWAYS; + } + + +diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c +index c1837db..a53eeb1 100644 +--- a/src/eap_peer/eap_tls_common.c ++++ b/src/eap_peer/eap_tls_common.c +@@ -239,6 +239,12 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, + + sm->ext_cert_check = !!(params->flags & TLS_CONN_EXT_CERT_CHECK); + ++ if (!phase2) ++ data->client_cert_conf = params->client_cert || ++ params->client_cert_blob || ++ params->private_key || ++ params->private_key_blob; ++ + return 0; + } + +diff --git a/src/eap_peer/eap_tls_common.h b/src/eap_peer/eap_tls_common.h +index 9ac0012..3348634 100644 +--- a/src/eap_peer/eap_tls_common.h ++++ b/src/eap_peer/eap_tls_common.h +@@ -79,6 +79,11 @@ struct eap_ssl_data { + * tls_v13 - Whether TLS v1.3 or newer is used + */ + int tls_v13; ++ ++ /** ++ * client_cert_conf: Whether client certificate has been configured ++ */ ++ bool client_cert_conf; + }; + + +diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf +index 6619d6b..d63f73c 100644 +--- a/wpa_supplicant/wpa_supplicant.conf ++++ b/wpa_supplicant/wpa_supplicant.conf +@@ -1321,6 +1321,13 @@ fast_reauth=1 + # * 0 = do not use cryptobinding (default) + # * 1 = use cryptobinding if server supports it + # * 2 = require cryptobinding ++# 'phase2_auth' option can be used to control Phase 2 (i.e., within TLS ++# tunnel) behavior for PEAP: ++# * 0 = do not require Phase 2 authentication ++# * 1 = require Phase 2 authentication when client certificate ++# (private_key/client_cert) is no used and TLS session resumption was ++# not used (default) ++# * 2 = require Phase 2 authentication in all cases + # EAP-WSC (WPS) uses following options: pin=<Device Password> or + # pbc=1. + # diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb index 46604045da..8113bcab09 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb @@ -18,6 +18,7 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \ file://0001-build-Re-enable-options-for-libwpa_client.so-and-wpa.patch \ file://0002-Fix-removal-of-wpa_passphrase-on-make-clean.patch \ file://0001-Install-wpa_passphrase-when-not-disabled.patch \ + file://0001-PEAP-client-Update-Phase-2-authentication-requiremen.patch \ " SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f" @@ -61,15 +62,15 @@ do_install () { oe_runmake -C wpa_supplicant DESTDIR="${D}" install install -d ${D}${docdir}/wpa_supplicant - install -m 644 wpa_supplicant/README ${WORKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant + install -m 644 wpa_supplicant/README ${UNPACKDIR}/wpa_supplicant.conf ${D}${docdir}/wpa_supplicant install -d ${D}${sysconfdir} - install -m 600 ${WORKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf + install -m 600 ${UNPACKDIR}/wpa_supplicant.conf-sane ${D}${sysconfdir}/wpa_supplicant.conf install -d ${D}${sysconfdir}/network/if-pre-up.d/ install -d ${D}${sysconfdir}/network/if-post-down.d/ install -d ${D}${sysconfdir}/network/if-down.d/ - install -m 755 ${WORKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant + install -m 755 ${UNPACKDIR}/wpa-supplicant.sh ${D}${sysconfdir}/network/if-pre-up.d/wpa-supplicant ln -sf ../if-pre-up.d/wpa-supplicant ${D}${sysconfdir}/network/if-post-down.d/wpa-supplicant install -d ${D}/${sysconfdir}/dbus-1/system.d @@ -83,7 +84,7 @@ do_install () { fi install -d ${D}/etc/default/volatiles - install -m 0644 ${WORKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles + install -m 0644 ${UNPACKDIR}/99_wpa_supplicant ${D}/etc/default/volatiles install -d ${D}${includedir} install -m 0644 ${S}/src/common/wpa_ctrl.h ${D}${includedir} |