547 files changed, 10353 insertions, 894 deletions
diff --git a/contrib/pw-am.sh b/contrib/pw-am.sh index 8987eee8eb..d9d1187b0b 100755 --- a/contrib/pw-am.sh +++ b/contrib/pw-am.sh @@ -9,7 +9,7 @@ for patchnumber in $@; do - wget -nv http://patches.openembedded.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch + wget -nv http://patchwork.yoctoproject.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch git am -s pw-am-$patchnumber.patch rm pw-am-$patchnumber.patch done diff --git a/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb b/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb index d9864ac3e8..e4a0f95692 100644 --- a/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb +++ b/meta-filesystems/recipes-filesystems/logfsprogs/logfsprogs_git.bb @@ -11,7 +11,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://fsck.c;md5=3859dc73da97909ff1d0125e88a27e02" DEPENDS = "zlib" -SRC_URI = "git://github.com/prasad-joshi/logfsprogs.git \ +SRC_URI = "git://github.com/prasad-joshi/logfsprogs.git;branch=master;protocol=https \ file://0001-Add-LDFLAGS-to-linker-cmdline.patch \ file://0001-btree-Avoid-conflicts-with-libc-namespace-about-setk.patch \ file://0001-include-sys-sysmacros.h-for-major-minor-definition.patch \ diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb index 6f5cb6cee9..efb331d7b2 100644 --- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb +++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2022.10.3.bb 
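Review bot: The replacement `wget` line in contrib/pw-am.sh still downloads the mbox over plain `http://`, and the following `git am -s` applies and signs off whatever arrived. Nothing authenticates the patch between the server and the working tree. Fetch it over TLS instead: `wget -nv https://patchwork.yoctoproject.org/patch/$patchnumber/mbox/ -O pw-am-$patchnumber.patch`. Separately, the loop header shown in the hunk context iterates over an unquoted `$@`; `for patchnumber in "$@"; do` with quoted `"$patchnumber"` expansions would stop a stray argument from being word-split into the URL and file name. The loop starts outside the hunk.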
@@ -10,8 +10,7 @@ SRC_URI = "http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \ file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \ " S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}" -SRC_URI[md5sum] = "d97474ae1954f772c6d2fa386a6f462c" -SRC_URI[sha256sum] = "3e5a021d7b761261836dcb305370af299793eedbded731df3d6943802e1262d5" +SRC_URI[sha256sum] = "f20e36ee68074b845e3629e6bced4706ad053804cbaf062fbae60738f854170c" UPSTREAM_CHECK_URI = "https://www.tuxera.com/community/open-source-ntfs-3g/" UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P<pver>\d+(\.\d+)+)\.tgz" @@ -50,3 +49,5 @@ do_install_append() { # Satisfy the -dev runtime dependency ALLOW_EMPTY_${PN} = "1" + +CVE_PRODUCT = "tuxera:ntfs-3g" diff --git a/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb b/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb index 414084449f..9e546e8a39 100644 --- a/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb +++ b/meta-filesystems/recipes-filesystems/owfs/owfs_3.2p3.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=628b867016631792781a8735a04760e5 \ DEPENDS = "fuse virtual/libusb0" # v3.2p3 SRCREV = "3744375dfaa350e31c9b360eb1e1a517bbeb5c47" -SRC_URI = "git://github.com/owfs/owfs \ +SRC_URI = "git://github.com/owfs/owfs;branch=master;protocol=https \ file://0001-Add-build-rule-for-README.patch \ file://owhttpd \ file://owserver \ diff --git a/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb b/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb index bf9c34dc97..9b776e9dc7 100644 --- a/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb +++ b/meta-filesystems/recipes-filesystems/sshfs-fuse/sshfs-fuse_3.7.0.bb 
@@ -6,7 +6,7 @@ LICENSE = "GPLv2" DEPENDS = "glib-2.0 fuse3" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://github.com/libfuse/sshfs" +SRC_URI = "git://github.com/libfuse/sshfs;branch=master;protocol=https" SRCREV = "a7e1038203c856cc7e052d439d1da49fe131339f" S = "${WORKDIR}/git" diff --git a/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb b/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb index 3dd5c82ee5..13273f7bc8 100644 --- a/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb +++ b/meta-filesystems/recipes-filesystems/unionfs-fuse/unionfs-fuse_2.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://src/unionfs.c;beginline=3;endline=8;md5=30fa8de70fd8a file://LICENSE;md5=7e5a37fce17307066eec6b23546da3b3 \ " -SRC_URI = "git://github.com/rpodgorny/${BPN}.git;branch=master \ +SRC_URI = "git://github.com/rpodgorny/${BPN}.git;branch=master;protocol=https \ file://0001-support-cross-compiling.patch \ " SRCREV = "8d732962423c3ca5be1f14b7ec139ff464e10a51" diff --git a/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb b/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb index 24b17fc93b..dc9132a82e 100644 --- a/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb +++ b/meta-filesystems/recipes-support/fuse/fuse3_3.9.2.bb @@ -22,6 +22,8 @@ UPSTREAM_CHECK_REGEX = "fuse\-(?P<pver>3(\.\d+)+).tar.xz" inherit meson pkgconfig +CVE_PRODUCT = "fuse_project:fuse" + DEPENDS = "udev" PACKAGES =+ "fuse3-utils" diff --git a/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb b/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb index 49682b3cd4..4ec1213519 100644 --- a/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb +++ b/meta-filesystems/recipes-support/fuse/fuse_2.9.9.bb 
@@ -27,6 +27,8 @@ CVE_CHECK_WHITELIST += "CVE-2019-14860" UPSTREAM_CHECK_URI = "https://github.com/libfuse/libfuse/releases" UPSTREAM_CHECK_REGEX = "fuse\-(?P<pver>2(\.\d+)+).tar.gz" +CVE_PRODUCT = "fuse_project:fuse" + inherit autotools pkgconfig update-rc.d systemd INITSCRIPT_NAME = "fuse" diff --git a/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb b/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb index 98bd478f32..2c5a9e16b3 100644 --- a/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb +++ b/meta-filesystems/recipes-utils/f2fs-tools/f2fs-tools_1.13.0.bb @@ -9,7 +9,7 @@ DEPENDS = "util-linux" # v1.13.0 SRCREV = "284f77f0075a16a2ad1f3b0fb89b7f64a1bc755d" -SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git \ +SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git;branch=master \ file://0001-f2fs-tools-Use-srcdir-prefix-to-denote-include-path.patch \ " S = "${WORKDIR}/git" diff --git a/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb b/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb index c72671739d..c90a7ecc2b 100644 --- a/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb +++ b/meta-filesystems/recipes-utils/fatcat/fatcat_1.1.0.bb @@ -7,7 +7,7 @@ HOMEPAGE = "https://github.com/Gregwar/fatcat" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=57fbbfebd0dd1d6ff21b8cecb552a03f" -SRC_URI = "git://github.com/Gregwar/fatcat.git \ +SRC_URI = "git://github.com/Gregwar/fatcat.git;branch=master;protocol=https \ file://0001-Use-unistd.h-not-argp.h-for-all-POSIX-systems.patch \ " diff --git a/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb b/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb index 88d495b685..c258a128ee 100644 --- a/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb +++ b/meta-filesystems/recipes-utils/fatresize/fatresize_1.0.2.bb 
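Review bot: The f2fs-tools `SRC_URI` gains `branch=master` but no `protocol=`, so the fetch stays on the fetcher's default unauthenticated `git://` transport, while the GitHub recipes in this commit are moved to `protocol=https`. The same gap remains in ubi-utils-klibc_2.0.2.bb, kexec-tools-klibc_git.bb and rtmpdump_2.4.bb (no protocol), in libcamera.bb (keeps `protocol=git`) and in dracut_git.bb (keeps `protocol=http`). The pinned `SRCREV` still fixes which commit is checked out, but the transfer itself is neither encrypted nor server-authenticated. Where the host serves HTTPS, add it here as well, e.g. `SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git;branch=master;protocol=https \`.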
@@ -3,7 +3,7 @@ SECTION = "console/tools" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" -SRC_URI = "git://salsa.debian.org/parted-team/fatresize.git;protocol=https" +SRC_URI = "git://salsa.debian.org/parted-team/fatresize.git;protocol=https;branch=master" SRCREV = "3f80afc76ad82d4a1b852a6c8dea24cd9f5e7a24" PV = "1.0.2-11" diff --git a/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb b/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb index 23583650b8..ed003ee7be 100644 --- a/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb +++ b/meta-filesystems/recipes-utils/ufs-utils/ufs-utils_git.bb @@ -8,7 +8,7 @@ BRANCH ?= "dev" SRCREV = "a3cf93b66f4606a46354cf884d24aa966661f848" -SRC_URI = "git://github.com/westerndigitalcorporation/ufs-utils.git;protocol=git;branch=${BRANCH} \ +SRC_URI = "git://github.com/westerndigitalcorporation/ufs-utils.git;protocol=https;branch=${BRANCH} \ file://0001-Replace-u_intXX_t-with-kernel-typedefs.patch \ " diff --git a/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb b/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb index 90e5533015..7564275668 100644 --- a/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb +++ b/meta-gnome/recipes-gnome/libchamplain/libchamplain_0.12.20.bb @@ -6,7 +6,7 @@ DEPENDS = "glib-2.0 gtk+3 gdk-pixbuf clutter-1.0 clutter-gtk-1.0 libsoup-2.4" inherit meson gobject-introspection SRCREV = "145e417f32e507b63c21ad4e915b808a6174099e" -SRC_URI = "git://github.com/gnome/libchamplain.git" +SRC_URI = "git://github.com/gnome/libchamplain.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-gnome/recipes-support/ibus/ibus.inc b/meta-gnome/recipes-support/ibus/ibus.inc index 1bbeb2c481..c0c0b3b31f 100644 --- a/meta-gnome/recipes-support/ibus/ibus.inc +++ b/meta-gnome/recipes-support/ibus/ibus.inc 
@@ -10,7 +10,7 @@ PV = "1.5.22" DEPENDS = "unicode-ucd" SRC_URI = " \ - git://github.com/ibus/ibus.git \ + git://github.com/ibus/ibus.git;branch=master;protocol=https \ file://0001-Do-not-try-to-start-dbus-we-do-not-have-dbus-lauch.patch \ " SRCREV = "e3262f08b9e3efc57808700823b0622ec03a1b5f" diff --git a/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb b/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb index d567d00d3f..fb4c816729 100644 --- a/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb +++ b/meta-gnome/recipes-support/keybinder/keybinder_3.0.bb @@ -13,7 +13,7 @@ B = "${S}" SRCREV = "736ccef40d39603b8111c8a3a0bca0319bbafdc0" PV = "3.0+git${SRCPV}" -SRC_URI = "git://github.com/engla/keybinder.git;branch=keybinder-3.0 \ +SRC_URI = "git://github.com/engla/keybinder.git;branch=keybinder-3.0;protocol=https \ " RDEPENDS_${PN} = "gtk+" diff --git a/meta-gnome/recipes-support/libhandy/libhandy_git.bb b/meta-gnome/recipes-support/libhandy/libhandy_git.bb index 8c6159f998..6d63ddb86a 100644 --- a/meta-gnome/recipes-support/libhandy/libhandy_git.bb +++ b/meta-gnome/recipes-support/libhandy/libhandy_git.bb @@ -2,7 +2,7 @@ SUMMARY = "A library full of GTK+ widgets for mobile phones" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" -SRC_URI = "git://source.puri.sm/Librem5/${BPN}.git;protocol=https" +SRC_URI = "git://source.puri.sm/Librem5/${BPN}.git;protocol=https;branch=master" SRCREV = "ef7c4bf75ae239495141ada83d2fbaf034315563" S = "${WORKDIR}/git" PV = "0.0.12" diff --git a/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb b/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb index 96dd880b6a..837807ccf9 100644 --- a/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb +++ b/meta-gnome/recipes-support/libstemmer/libstemmer_git.bb 
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2750797da77c1d784e7626b3f7d7ff3e" DEPENDS_class-target = "${BPN}-native" SRC_URI = "\ - git://github.com/snowballstem/snowball.git \ + git://github.com/snowballstem/snowball.git;branch=master;protocol=https \ file://0001-Build-so-lib.patch \ file://0002-snowball-stemwords-do-link-with-LDFLAGS-set-by-build.patch \ " diff --git a/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb b/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb index 6fb3b82ef1..5db78b7cf7 100644 --- a/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb +++ b/meta-gnome/recipes-support/libwacom/libwacom_0.33.bb @@ -9,6 +9,6 @@ DEPENDS = " \ inherit autotools pkgconfig -SRC_URI = "git://github.com/linuxwacom/libwacom.git" +SRC_URI = "git://github.com/linuxwacom/libwacom.git;branch=master;protocol=https" SRCREV = "87cc710e21a6220e267dd08936bbec2932aa3658" S = "${WORKDIR}/git" diff --git a/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb b/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb index ed3dece3f6..ee05045320 100644 --- a/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb +++ b/meta-initramfs/recipes-bsp/kexecboot/kexecboot_git.bb @@ -5,7 +5,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" PV = "0.6+git${SRCPV}" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/kexecboot/kexecboot.git" +SRC_URI = "git://github.com/kexecboot/kexecboot.git;branch=master;protocol=https" SRC_URI_append_libc-klibc = " file://0001-kexecboot-Use-new-reboot-API-with-klibc.patch " SRCREV = "5a5e04be206140059f42ac786d424da1afaa04b6" diff --git a/meta-initramfs/recipes-devtools/dracut/dracut_git.bb b/meta-initramfs/recipes-devtools/dracut/dracut_git.bb index 13cf5f6ded..dd22b196fa 100644 --- a/meta-initramfs/recipes-devtools/dracut/dracut_git.bb +++ b/meta-initramfs/recipes-devtools/dracut/dracut_git.bb 
@@ -10,7 +10,7 @@ PV = "049" # v048 tag SRCREV = "225e4b94cbdb702cf512490dcd2ad9ca5f5b22c1" -SRC_URI = "git://git.kernel.org/pub/scm/boot/dracut/dracut.git;protocol=http \ +SRC_URI = "git://git.kernel.org/pub/scm/boot/dracut/dracut.git;protocol=http;branch=master \ file://0001-util.h-include-sys-reg.h-when-libc-glibc.patch \ file://0001-dracut.sh-improve-udevdir.patch \ file://0001-set-viriable-_drv-not-local.patch \ diff --git a/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb b/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb index 7403cf64f7..c890165b6a 100644 --- a/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb +++ b/meta-initramfs/recipes-devtools/grubby/grubby_8.40.bb @@ -14,7 +14,7 @@ DEPENDS_append_libc-musl = " libexecinfo" S = "${WORKDIR}/git" SRCREV = "79c5cfa02c567efdc5bb18cdd584789e2e35aa23" -SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https; \ +SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https;branch=master \ file://grubby-rename-grub2-editenv-to-grub-editenv.patch \ file://run-ptest \ file://0001-Add-another-variable-LIBS-to-provides-libraries-from.patch \ diff --git a/meta-initramfs/recipes-devtools/grubby/grubby_git.bb b/meta-initramfs/recipes-devtools/grubby/grubby_git.bb index 7248147a5c..c0797ac5c6 100644 --- a/meta-initramfs/recipes-devtools/grubby/grubby_git.bb +++ b/meta-initramfs/recipes-devtools/grubby/grubby_git.bb @@ -14,7 +14,7 @@ DEPENDS_append_libc-musl = " libexecinfo" S = "${WORKDIR}/git" SRCREV = "a1d2ae93408c3408e672d7eba4550fdf27fb0201" -SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https; \ +SRC_URI = "git://github.com/rhboot/grubby.git;protocol=https;branch=master \ file://grubby-rename-grub2-editenv-to-grub-editenv.patch \ file://run-ptest \ file://0001-Add-another-variable-LIBS-to-provides-libraries-from.patch \ 
diff --git a/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb b/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb index d322381621..fe5898a903 100644 --- a/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb +++ b/meta-initramfs/recipes-devtools/mtd/ubi-utils-klibc_2.0.2.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3 \ inherit autotools pkgconfig klibc SRCREV = "64f61a9dc71b158c7084006cbce4ea23886f0b47" -SRC_URI = "git://git.infradead.org/mtd-utils.git \ +SRC_URI = "git://git.infradead.org/mtd-utils.git;branch=master \ file://0001-libmissing.h-fix-klibc-build-when-using-glibc-toolch.patch \ file://0002-Instead-of-doing-preprocessor-magic-just-output-off_.patch \ file://0003-Makefile.am-only-build-ubi-utils.patch \ diff --git a/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb b/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb index 7ad55d8b8c..143ac6f433 100644 --- a/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb +++ b/meta-initramfs/recipes-kernel/kexec/kexec-tools-klibc_git.bb @@ -12,7 +12,7 @@ DEPENDS = "zlib xz" inherit klibc autotools -SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git" +SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/kexec/kexec-tools.git;branch=master" SRCREV = "5750980cdbbc33ef75bfba6660295b932376ce15" BUILD_PATCHES = "file://0001-force-static-build.patch \ diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb index 828e351be6..ef473c4896 100644 --- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb +++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_git.bb 
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=394a0f17b97f33426275571e15920434" PV = "1.8.4+git${SRCPV}" # release-1.8.4 SRCREV = "d5a01fc9895daae98a0c5a8c7d3afce46add529d" -SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https \ +SRC_URI = "git://github.com/mrjimenez/pupnp.git;protocol=https;branch=master \ file://CVE-2020-13848.patch" S="${WORKDIR}/git" diff --git a/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb b/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb index 20faef047e..32e74f08c3 100644 --- a/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb +++ b/meta-multimedia/recipes-dvb/tvheadend/tvheadend_git.bb @@ -8,7 +8,7 @@ DEPENDS = "avahi cmake-native dvb-apps libdvbcsa libpcre2 openssl uriparser zlib LICENSE = "GPLv3+" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=9cae5acac2e9ee2fc3aec01ac88ce5db" -SRC_URI = "git://github.com/tvheadend/tvheadend.git \ +SRC_URI = "git://github.com/tvheadend/tvheadend.git;branch=master;protocol=https \ file://0001-adjust-for-64bit-time_t.patch \ file://0001-allocate-space-for-buf-on-heap.patch \ " diff --git a/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb b/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb index 1a51abc360..343b9d7915 100644 --- a/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb +++ b/meta-multimedia/recipes-multimedia/dca/dcadec_0.2.0.bb @@ -4,7 +4,7 @@ LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c" SRCREV = "b93deed1a231dd6dd7e39b9fe7d2abe05aa00158" -SRC_URI = "git://github.com/foo86/dcadec.git;protocol=https \ +SRC_URI = "git://github.com/foo86/dcadec.git;protocol=https;branch=master \ file://0001-define-BASELIB-make-variable.patch \ " diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb index f23bc6ca81..c89156dcf8 100644 
--- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-connector-dbus_0.3.0.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ DEPENDS = "glib-2.0 dbus dleyna-core" -SRC_URI = "git://github.com/01org/${BPN}.git" +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https" SRCREV = "de913c35e5c936e2d40ddbd276ee902cd802bd3a" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb index 8939cd36e2..647532d9fa 100644 --- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-core_0.6.0.bb @@ -13,7 +13,7 @@ DEPENDS = "glib-2.0 gupnp" PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/01org/${BPN}.git" +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https" SRCREV = "1c6853f5bc697dc0a8774fd70dbc915c4dbe7c5b" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb index 642f21bd53..4b53763440 100644 --- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-renderer_0.6.0.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c \ DEPENDS = "glib-2.0 gssdp gupnp gupnp-av gupnp-dlna libsoup-2.4 dleyna-core" RDEPENDS_${PN} = "dleyna-connector-dbus" -SRC_URI = "git://github.com/01org/${BPN}.git \ +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https \ file://0001-add-gupnp-1.2-API-support.patch \ " SRCREV = "50fd1ec9d51328e7dea98874129dc8d6fe3ea1dd" 
diff --git a/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb b/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb index e31b7aea2a..5fa3e2373a 100644 --- a/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb +++ b/meta-multimedia/recipes-multimedia/dleyna/dleyna-server_0.6.0.bb @@ -12,7 +12,7 @@ DEPENDS = "glib-2.0 gssdp gupnp gupnp-av gupnp-dlna libsoup-2.4 libxml2 dleyna-c RDEPENDS_${PN} = "dleyna-connector-dbus" PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/01org/${BPN}.git" +SRC_URI = "git://github.com/01org/${BPN}.git;branch=master;protocol=https" SRCREV = "eb895ae82715e9889a948ffa810c0f828b4f4c76" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb b/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb index d7911681c7..c499119c6f 100644 --- a/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb +++ b/meta-multimedia/recipes-multimedia/fdk-aac/fdk-aac_2.0.1.bb @@ -11,7 +11,7 @@ LICENSE = "Fraunhofer_FDK_AAC_Codec_Library_for_Android" LICENSE_FLAGS = "commercial" LIC_FILES_CHKSUM = "file://NOTICE;md5=5985e1e12f4afa710d64ed7bfd291875" -SRC_URI = "git://github.com/mstorsjo/fdk-aac.git;protocol=git;branch=master" +SRC_URI = "git://github.com/mstorsjo/fdk-aac.git;protocol=https;branch=master" SRCREV = "d387d3b6ed79ff9a82c60440bdd86e6e5e324bec" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc index fcc9df8c30..ee3e38cd93 100644 --- a/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc +++ b/meta-multimedia/recipes-multimedia/fluidsynth/fluidsynth.inc 
@@ -4,7 +4,7 @@ SECTION = "libs/multimedia" LICENSE = "LGPL-2.1" LIC_FILES_CHKSUM = "file://LICENSE;md5=fc178bcd425090939a8b634d1d6a9594" -SRC_URI = "git://github.com/FluidSynth/fluidsynth.git" +SRC_URI = "git://github.com/FluidSynth/fluidsynth.git;branch=master;protocol=https" SRCREV = "19a20eb8526465fdf940b740b13462d71e190a1a" S = "${WORKDIR}/git" PV = "2.1.3" diff --git a/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb b/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb index c96e4c52e9..2f9ceffab7 100644 --- a/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb +++ b/meta-multimedia/recipes-multimedia/gerbera/gerbera_git.bb @@ -3,7 +3,7 @@ Description = "Gerbera - An UPnP media server" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=25cdec9afe3f1f26212ead6bd2f7fac8" -SRC_URI = "git://github.com/v00d00/gerbera.git;protocol=https \ +SRC_URI = "git://github.com/v00d00/gerbera.git;protocol=https;branch=master \ " PV = "1.3.2" diff --git a/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb b/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb index d047caef5f..19d43a4b74 100644 --- a/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb +++ b/meta-multimedia/recipes-multimedia/gstreamer-1.0/gst-shark_git.bb @@ -14,10 +14,10 @@ PV = "0.6.1" SRCREV_base = "c41a05cc9e2310c2f73eda4b4f0b4477bf4479c5" SRCREV_common = "88e512ca7197a45c4114f7fa993108f23245bf50" - +SRCREV_FORMAT = "base_common" SRC_URI = " \ git://github.com/RidgeRun/gst-shark.git;protocol=https;branch=${SRCBRANCH};name=base \ - git://gitlab.freedesktop.org/gstreamer/common.git;protocol=https;destsuffix=git/common;name=common; \ + git://gitlab.freedesktop.org/gstreamer/common.git;protocol=https;destsuffix=git/common;name=common;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb index 3f8fe2f360..e16fd25962 100644 
--- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "\ " SRC_URI = " \ - git://linuxtv.org/libcamera.git;protocol=git \ + git://linuxtv.org/libcamera.git;protocol=git;branch=master \ " SRCREV = "a8be6e94e79f602d543a15afd44ef60e378b138f" diff --git a/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb b/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb index 7f042c382f..4cf8e2effc 100644 --- a/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb +++ b/meta-multimedia/recipes-multimedia/libdvbcsa/libdvbcsa_1.1.0.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" SRCREV = "bc6c0b164a87ce05e9925785cc6fb3f54c02b026" -SRC_URI = "git://code.videolan.org/videolan/libdvbcsa.git;protocol=https \ +SRC_URI = "git://code.videolan.org/videolan/libdvbcsa.git;protocol=https;branch=master \ file://libdvbcsa.pc \ " diff --git a/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb b/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb index f060f1e80d..cb42d943fc 100644 --- a/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb +++ b/meta-multimedia/recipes-multimedia/libsquish/libsquish_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://alpha.cpp;beginline=3;endline=22;md5=6665e479f71feb92 PV = "1.10+git${SRCPV}" SRCREV = "52e7d93c5947f72380521116c05d97c528863ba8" -SRC_URI = "git://github.com/OpenELEC/libsquish.git;protocol=https" +SRC_URI = "git://github.com/OpenELEC/libsquish.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb b/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb index b313b110cc..4631b037be 100644 --- a/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb +++ b/meta-multimedia/recipes-multimedia/mimic/mimic_1.2.0.2.bb 
@@ -20,7 +20,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=416ef1ca5167707fe381d7be33664a33" DEPENDS = "curl-native icu" SRCREV = "67e43bf0fa56008276b878ec3790aa5f32eb2a16" -SRC_URI = "git://github.com/MycroftAI/mimic.git" +SRC_URI = "git://github.com/MycroftAI/mimic.git;branch=master;protocol=https" inherit autotools diff --git a/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb b/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb index ca9d94a19c..253f995d88 100644 --- a/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb +++ b/meta-multimedia/recipes-multimedia/musicbrainz/libmusicbrainz_git.bb @@ -8,7 +8,7 @@ DEPENDS = "expat libxml2 libxml2-native neon neon-native" PV = "5.1.0+git${SRCPV}" SRCREV = "44c05779dd996035758f5ec426766aeedce29cc3" -SRC_URI = "git://github.com/metabrainz/libmusicbrainz.git \ +SRC_URI = "git://github.com/metabrainz/libmusicbrainz.git;branch=master;protocol=https \ file://allow-libdir-override.patch " S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb b/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb index 235e63e481..84b7baab23 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/libmpdclient_2.16.bb @@ -6,7 +6,7 @@ HOMEPAGE = "https://www.musicpd.org/libs/libmpdclient/" inherit meson SRC_URI = " \ - git://github.com/MusicPlayerDaemon/libmpdclient \ + git://github.com/MusicPlayerDaemon/libmpdclient;branch=master;protocol=https \ " SRCREV = "4e8d990eb5239566ee948f1cd79b7248e008620a" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb b/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb index 41abe7108a..b4fce35df7 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/mpc_0.31.bb 
@@ -10,7 +10,7 @@ DEPENDS += " \ " SRC_URI = " \ - git://github.com/MusicPlayerDaemon/mpc \ + git://github.com/MusicPlayerDaemon/mpc;branch=master;protocol=https \ " SRCREV = "59875acdf34e5f0eac0c11453c49daef54f78413" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb b/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb index 133ee6e792..3f20515993 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/mpd_0.20.22.bb @@ -17,7 +17,7 @@ DEPENDS += " \ " SRC_URI = " \ - git://github.com/MusicPlayerDaemon/MPD;branch=v0.20.x \ + git://github.com/MusicPlayerDaemon/MPD;branch=v0.20.x;protocol=https \ file://mpd.conf.in \ file://0001-StringBuffer-Include-cstddef-for-size_t.patch \ file://0002-Include-stdexcept-for-runtime_error.patch \ diff --git a/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb b/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb index 0c99c7c698..c92a4421a3 100644 --- a/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb +++ b/meta-multimedia/recipes-multimedia/musicpd/ncmpc_0.34.bb @@ -31,7 +31,7 @@ PACKAGECONFIG[outputs_screen] = "-Doutputs_screen=true,-Doutputs_screen=false" PACKAGECONFIG[chat_screen] = "-Dchat_screen=true,-Dchat_screen=false" SRC_URI = " \ - git://github.com/MusicPlayerDaemon/ncmpc \ + git://github.com/MusicPlayerDaemon/ncmpc;branch=master;protocol=https \ " SRCREV = "79cf9905355f25bc5cc6d5a05d2846d75342f554" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb b/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb index 62d1ad7f74..e71cb87014 100644 --- a/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb +++ b/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb 
@@ -7,7 +7,7 @@ LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.md;md5=79aa497b11564d1d419ee889e7b498f6" SRCREV = "913f29d3d550637934f9abf43a097eb2c30d76fc" -SRC_URI = "git://github.com/MycroftAI/mycroft-core.git;branch=master \ +SRC_URI = "git://github.com/MycroftAI/mycroft-core.git;branch=master;protocol=https \ file://0001-Remove-python-venv.patch \ file://0002-dev_setup.sh-Remove-the-git-dependency.patch \ file://0003-dev_setup.sh-Remove-the-TERM-dependency.patch \ diff --git a/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb b/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb index a9cdfac8a9..5787f22036 100644 --- a/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb +++ b/meta-multimedia/recipes-multimedia/openal/openal-soft_1.19.1.bb @@ -7,7 +7,7 @@ inherit cmake pkgconfig # openal-soft-1.19.1 SRCREV = "6761218e51699f46bf25c377e65b3e9ea5e434b9" -SRC_URI = "git://github.com/kcat/openal-soft \ +SRC_URI = "git://github.com/kcat/openal-soft;branch=master;protocol=https \ file://0001-Use-BUILD_CC-to-compile-native-tools.patch \ file://0002-makehrtf-Disable-Wstringop-truncation.patch \ " diff --git a/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb b/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb index 5f78be4f51..53ee2a82fb 100644 --- a/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb +++ b/meta-multimedia/recipes-multimedia/rtmpdump/rtmpdump_2.4.bb @@ -9,7 +9,7 @@ DEPENDS = "gnutls zlib" SRCREV = "fa8646daeb19dfd12c181f7d19de708d623704c0" SRC_URI = " \ - git://git.ffmpeg.org/rtmpdump \ + git://git.ffmpeg.org/rtmpdump;branch=master \ file://fix-racing-build-issue.patch" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb index c651d8113d..47f7af46bd 100644 --- a/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb 
+++ b/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb @@ -3,7 +3,7 @@ LICENSE = "CC-BY-3.0" # http://www.bigbuckbunny.org/index.php/about/ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7" -SRC_URI = "https://www.mediaspip.net/IMG/avi/big_buck_bunny_1080p_surround.avi" +SRC_URI = "http://www.peach.themazzone.com/big_buck_bunny_1080p_surround.avi" SRC_URI[md5sum] = "223991c8b33564eb77988a4c13c1c76a" SRC_URI[sha256sum] = "69fe2cfe7154a6e752688e3a0d7d6b07b1605bbaf75b56f6470dc7b4c20c06ea" diff --git a/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb b/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb index 062096892e..68cf8795a6 100644 --- a/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb +++ b/meta-multimedia/recipes-multimedia/tinyalsa/tinyalsa.bb @@ -7,7 +7,7 @@ LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://NOTICE;md5=dbdefe400d894b510a9de14813181d0b" SRCREV = "8449529c7e50f432091539ba7b438e79b04059b5" -SRC_URI = "git://github.com/tinyalsa/tinyalsa \ +SRC_URI = "git://github.com/tinyalsa/tinyalsa;branch=master;protocol=https \ file://0001-Use-CMAKE_INSTALL_-path-instead-of-hardcoding-bin-li.patch \ " PV = "1.1.1+git${SRCPV}" diff --git a/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb b/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb index 6abf6080bd..f8ab1bf680 100644 --- a/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb +++ b/meta-multimedia/recipes-multimedia/tremor/tremor_20180319.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=db1b7a668b2a6f47b2af88fb008ad555 \ file://os.h;beginline=3;endline=14;md5=5c0af5e1bedef3ce8178c89f48cd6f1f" DEPENDS = "libogg" -SRC_URI = "git://gitlab.xiph.org/xiph/tremor.git;protocol=https \ +SRC_URI = "git://gitlab.xiph.org/xiph/tremor.git;protocol=https;branch=master \ file://obsolete_automake_macros.patch;striplevel=0 \ file://tremor-arm-thumb2.patch \ " 
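Review bot: The new bigbuckbunny-1080p `SRC_URI` moves the download from an `https://` URL to plain `http://` on a different host, which leaves the unchanged `SRC_URI[sha256sum]` as the only link between the fetched file and the expected content. If the new host offers HTTPS, use the `https://` form of the URL. Otherwise, record the reason next to it, e.g. `# Mirror is reachable over HTTP only; integrity relies on SRC_URI[sha256sum]`. The `SRC_URI[md5sum]` line adds no protection beside the SHA-256 and could be dropped, as the ntfs-3g-ntfsprogs hunk in this commit does.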
diff --git a/meta-multimedia/recipes-support/crossguid/crossguid.bb b/meta-multimedia/recipes-support/crossguid/crossguid.bb index 228b8b6540..f2d6e7a241 100644 --- a/meta-multimedia/recipes-support/crossguid/crossguid.bb +++ b/meta-multimedia/recipes-support/crossguid/crossguid.bb @@ -10,7 +10,7 @@ DEPENDS += "util-linux" PV = "0.0+git${SRCPV}" SRCREV = "b56957ac453575e91ca1b63a80c0077c2b0d011a" -SRC_URI = "git://github.com/graeme-hill/crossguid;protocol=https" +SRC_URI = "git://github.com/graeme-hill/crossguid;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb b/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb index feffa9fe19..50c69a9a08 100644 --- a/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb +++ b/meta-multimedia/recipes-support/gst-instruments/gst-instruments_git.bb @@ -9,7 +9,7 @@ DEPENDS = "gstreamer1.0" S = "${WORKDIR}/git" SRCREV = "3b862e52e5c53ad1023dc6808effa4cb75572c4b" -SRC_URI = "git://github.com/kirushyk/gst-instruments.git;protocol=https;" +SRC_URI = "git://github.com/kirushyk/gst-instruments.git;protocol=https;branch=master" FILES_${PN}-staticdev += "${libdir}/gstreamer-1.0/*a" FILES_${PN} += "${libdir}/*" diff --git a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb index d4a62bd92d..4cb85f8151 100644 --- a/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb +++ b/meta-networking/recipes-connectivity/cannelloni/cannelloni_git.bb 
@@ -2,7 +2,7 @@ SUMMARY = "a SocketCAN over Ethernet tunnel" HOMEPAGE = "https://github.com/mguentner/cannelloni" LICENSE = "GPLv2" -SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https \ +SRC_URI = "git://github.com/mguentner/cannelloni.git;protocol=https;branch=master \ file://0001-Use-GNUInstallDirs-instead-of-hard-coding-paths.patch \ file://0002-include-missing-stdexcept-for-runtime_error.patch \ " diff --git a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb index 2820f9fa6d..e9c2056180 100644 --- a/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb +++ b/meta-networking/recipes-connectivity/civetweb/civetweb_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=50bd1d7f135b50d7e218996ba28d0d88" SRCREV = "4b440a339979852d5a51fb11a822952712231c23" PV = "1.12+git${SRCPV}" -SRC_URI = "git://github.com/civetweb/civetweb.git \ +SRC_URI = "git://github.com/civetweb/civetweb.git;branch=master;protocol=https \ file://0001-Unittest-Link-librt-and-libm-using-l-option.patch \ " diff --git a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb index 90051a319a..f856655904 100644 --- a/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb +++ b/meta-networking/recipes-connectivity/dibbler/dibbler_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=7236695bb6d4461c105d685a8b61c4e3" SRCREV = "c4b0ed52e751da7823dd9a36e91f93a6310e5525" -SRC_URI = "git://github.com/tomaszmrugalski/dibbler \ +SRC_URI = "git://github.com/tomaszmrugalski/dibbler;branch=master;protocol=https \ file://dibbler_fix_getSize_crash.patch \ file://0001-linux-port-Rename-pthread_mutex_t-variable-lock.patch \ " diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb index 2c39c4c443..1ea0cb16d3 100644 
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb +++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.20.bb @@ -13,7 +13,7 @@ LICENSE = "GPLv2 & LGPLv2+" LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a" DEPENDS = "openssl-native openssl libidn libtool libpcap libtalloc" -SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0; \ +SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.0.x;lfs=0;protocol=https \ file://freeradius \ file://volatiles.58_radiusd \ file://freeradius-enble-user-in-conf.patch \ diff --git a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb index 5b27cfe155..c1a8146119 100644 --- a/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb +++ b/meta-networking/recipes-connectivity/libdnet/libdnet_1.12.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=0036c1b155f4e999f3e0a373490b5db9" -SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1" +SRC_URI = "git://github.com/dugsong/libdnet.git;nobranch=1;protocol=https" SRCREV = "12fca29a6d4e99d1b923d6820887fe7b24226904" UPSTREAM_CHECK_GITTAGREGEX = "libdnet-(?P<pver>\d+(\.\d+)+)" diff --git a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb index 8444f0b739..66a7aaa6b2 100644 --- a/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb +++ b/meta-networking/recipes-connectivity/nanomsg/nanomsg_1.1.5.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=587b3fd7fd291e418ff4d2b8f3904755" SECTION = "libs/networking" -SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https" +SRC_URI = "git://github.com/nanomsg/nanomsg.git;protocol=https;branch=master" SRCREV = "1749fd7b039165a91b8d556b4df18e3e632ad830" S = "${WORKDIR}/git" 
diff --git a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb index 77be27ffaa..6d035f4039 100644 --- a/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb +++ b/meta-networking/recipes-connectivity/nanomsg/nng_1.2.5.bb @@ -8,7 +8,7 @@ SECTION = "libs/networking" SRCREV = "53ae1a5ab37fdfc9ad5c236df3eaf4dd63f0fee9" -SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x" +SRC_URI = "git://github.com/nanomsg/nng.git;branch=v1.2.x;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb index 9f123c70fb..d91fc752e2 100644 --- a/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb +++ b/meta-networking/recipes-connectivity/netplan/netplan_0.98.bb @@ -15,7 +15,7 @@ SRCREV = "5d22e9d22c4a3724d27b80b0cd9b898ae8f59d2b" PV = "0.98+git${SRCPV}" SRC_URI = " \ - git://github.com/CanonicalLtd/netplan.git \ + git://github.com/CanonicalLtd/netplan.git;branch=master;protocol=https \ " DEPENDS = "glib-2.0 libyaml ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" diff --git a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb index 33a2b7c0ce..a28372dd1f 100644 --- a/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.10.bb +++ b/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.22.16.bb 
@@ -33,11 +33,12 @@ SRC_URI_append_libc-musl = " \ file://musl/0003-Fix-build-with-musl-for-n-dhcp4.patch \ file://musl/0004-Fix-build-with-musl-systemd-specific.patch \ " -SRC_URI[sha256sum] = "2b29ccc1531ba7ebba95a97f40c22b963838e8b6833745efe8e6fb71fd8fca77" +SRC_URI[sha256sum] = "377aa053752eaa304b72c9906f9efcd9fbd5f7f6cb4cd4ad72425a68982cffc6" S = "${WORKDIR}/NetworkManager-${PV}" EXTRA_OECONF = " \ + --disable-firewalld-zone \ --disable-ifcfg-rh \ --disable-more-warnings \ --with-iptables=${sbindir}/iptables \ diff --git a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb index 597c1920cf..144afb4843 100644 --- a/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb +++ b/meta-networking/recipes-connectivity/openconnect/openconnect_8.03.bb @@ -3,7 +3,7 @@ LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING.LGPL;md5=243b725d71bb5df4a1e5920b344b86ad" SRC_URI = " \ - git://git.infradead.org/users/dwmw2/openconnect.git \ + git://git.infradead.org/users/dwmw2/openconnect.git;branch=master \ file://0001-trojans-tncc-wrapper.py-convert-to-python3.patch \ " SRCREV = "ea73851969ae7a6ea54fdd2d2b8c94776af24b2a" diff --git a/meta-networking/recipes-connectivity/relayd/relayd_git.bb b/meta-networking/recipes-connectivity/relayd/relayd_git.bb index e3134e41fc..a75b43e062 100644 --- a/meta-networking/recipes-connectivity/relayd/relayd_git.bb +++ b/meta-networking/recipes-connectivity/relayd/relayd_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://main.c;endline=17;md5=86aad799085683e0a2e1c2684a20bab DEPENDS = "libubox" -SRC_URI = "git://git.openwrt.org/project/relayd.git \ +SRC_URI = "git://git.openwrt.org/project/relayd.git;branch=master \ file://0001-rtnl_flush-Error-on-failed-write.patch \ " diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb index 54e855a099..5d968f1476 100644 
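Review bot: The openconnect `SRC_URI` gains `;branch=master` but stays on the unauthenticated `git://` transport, while the GitHub recipes in this series also get `;protocol=https`. The same applies to relayd (git.openwrt.org), atftp (git.code.sf.net), and libnetfilter-log, libnetfilter-queue and libnftnl (git.netfilter.org). `SRCREV` pins the commit, which limits what a tampered transport can substitute, but the fetch is still unencrypted and the server is not authenticated. If these hosts offer HTTPS for the same path, append the parameter, e.g. `git://git.infradead.org/users/dwmw2/openconnect.git;branch=master;protocol=https`.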
--- a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb +++ b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb @@ -9,7 +9,7 @@ DEPENDS += "libgcrypt" PV .= "r550-2jnpr1" SRCREV = "b1243d29e0c00312ead038b04a2cf5e2fa31d740" -SRC_URI = "git://github.com/ndpgroup/vpnc \ +SRC_URI = "git://github.com/ndpgroup/vpnc;branch=master;protocol=https \ file://long-help \ file://default.conf \ file://0001-search-for-log-help-in-build-dir.patch \ diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb index db7b0d486b..b9c545e155 100644 --- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb +++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_4.4.0.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" PROVIDES += "cyassl" RPROVIDES_${PN} = "cyassl" -SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https" +SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master" SRCREV = "e116c89a58af750421d82ece13f80516d2bde02e" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch new file mode 100644 index 0000000000..88794aa7ab --- /dev/null +++ b/meta-networking/recipes-daemons/atftp/atftp/0001-fix-buffer-overflow-in-atftpd.patch 
@@ -0,0 +1,111 @@ +From d255bf90834fb45be52decf9bc0b4fb46c90f205 Mon Sep 17 00:00:00 2001 +From: Martin Dummer <md11@users.sourceforge.net> +Date: Sun, 12 Sep 2021 22:52:26 +0200 +Subject: [PATCH] fix buffer overflow in atftpd + +Andreas B. Mundt <andi@debian.org> reports: + +I've found a problem in atftpd that might be relevant for security. +The daemon can be crashed by any client sending a crafted combination +of TFTP options to the server. As TFTP is usually only used in the LAN, +it's probably not too dramatic. + +Observations and how to reproduce the issue +=========================================== + +Install bullseye packages and prepare tftp-root: + sudo apt install atftp atftpd + mkdir tmp + touch tmp/file.txt + +Run server: + /usr/sbin/atftpd --user=$(id -un) --group=$(id -gn) --daemon --no-fork --trace \ + --logfile=/dev/stdout --verbose=7 --port 2000 tmp + +Fetch file from client: + /usr/bin/atftp -g --trace --option "blksize 8" \ + --remote-file file.txt -l /dev/null 127.0.0.1 2000 + +Crash server by adding another option to the tiny blksize: + /usr/bin/atftp -g --trace --option "blksize 8" --option "timeout 3" \ + --remote-file file.txt -l /dev/null 127.0.0.1 2000 + +Analysis +======== + +The reason for the crash is a buffer overflow. The size of the buffer keeping the data +to be sent with every segment is calculated by adding 4 bytes to the blksize (for opcode +and block number). However, the same buffer is used for the OACK, which for a blksize=8 +overflows as soon as another option is set. 
+ +Signed-off-by: Martin Dummer <md11@users.sourceforge.net> + +CVE: CVE-2021-41054 +Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/d255bf90834fb45be52decf9bc0b4fb46c90f205.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + tftpd_file.c | 34 ++++++++++++++++++++++++++++++---- + 1 file changed, 30 insertions(+), 4 deletions(-) + +diff --git a/tftpd_file.c b/tftpd_file.c +index ff40e8d..37a0906 100644 +--- a/tftpd_file.c ++++ b/tftpd_file.c +@@ -168,11 +168,24 @@ int tftpd_receive_file(struct thread_data *data) + logger(LOG_DEBUG, "timeout option -> %d", timeout); + } + +- /* blksize options */ ++ /* ++ * blksize option, must be the last option evaluated, ++ * because data->data_buffer_size may be modified here, ++ * and may be smaller than the buffer containing options ++ */ + if ((result = opt_get_blksize(data->tftp_options)) > -1) + { +- if ((result < 8) || (result > 65464)) ++ /* ++ * If we receive more options, we have to make sure our buffer for ++ * the OACK is not too small. Use the string representation of ++ * the options here for simplicity, which puts us on the save side. ++ * FIXME: Use independent buffers for OACK and data. 
++ */ ++ opt_options_to_string(data->tftp_options, string, MAXLEN); ++ if ((result < strlen(string)-2) || (result > 65464)) + { ++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.", ++ string, strlen(string)-2); + tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size); + if (data->trace) + logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG, +@@ -531,11 +544,24 @@ int tftpd_send_file(struct thread_data *data) + logger(LOG_INFO, "timeout option -> %d", timeout); + } + +- /* blksize options */ ++ /* ++ * blksize option, must be the last option evaluated, ++ * because data->data_buffer_size may be modified here, ++ * and may be smaller than the buffer containing options ++ */ + if ((result = opt_get_blksize(data->tftp_options)) > -1) + { +- if ((result < 8) || (result > 65464)) ++ /* ++ * If we receive more options, we have to make sure our buffer for ++ * the OACK is not too small. Use the string representation of ++ * the options here for simplicity, which puts us on the save side. ++ * FIXME: Use independent buffers for OACK and data. ++ */ ++ opt_options_to_string(data->tftp_options, string, MAXLEN); ++ if ((result < strlen(string)-2) || (result > 65464)) + { ++ logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.", ++ string, strlen(string)-2); + tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size); + if (data->trace) + logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG, +-- +2.17.1 + diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch new file mode 100644 index 0000000000..310728aaca --- /dev/null +++ b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch 
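Review bot: The added `logger(LOG_NOTICE, ...)` call passes `strlen(string)-2`, a `size_t`, to a `%d` conversion, which is a format/argument mismatch on targets where `size_t` is wider than `int`. It occurs in both tftpd_receive_file and tftpd_send_file. Cast the argument to match the format, `string, (int)(strlen(string)-2));`, and leave the comparison as it is. The comparison `result < strlen(string)-2` is unsigned, so a string shorter than two characters wraps to a very large bound and the request is rejected, which fails closed. The bound is a heuristic taken from the option string's length, as the patch's own FIXME says, so separate OACK and data buffers remain the real fix. Both functions continue outside the hunks.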
@@ -0,0 +1,48 @@ +From 9cf799c40738722001552618518279e9f0ef62e5 Mon Sep 17 00:00:00 2001 +From: Simon Rettberg <simon.rettberg@rz.uni-freiburg.de> +Date: Wed, 10 Jan 2018 17:01:20 +0100 +Subject: [PATCH] options.c: Proper fix for the read-past-end-of-array + +This properly fixes what commit:b3e36dd tried to do. + +CVE: CVE-2021-46671 +Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/9cf799c40738722001552618518279e9f0ef62e5.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + options.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/options.c b/options.c +index ee419c6..c716994 100644 +--- a/options.c ++++ b/options.c +@@ -43,6 +43,12 @@ int opt_parse_request(char *data, int data_size, struct tftp_opt *options) + struct tftphdr *tftp_data = (struct tftphdr *)data; + size_t size = data_size - sizeof(tftp_data->th_opcode); + ++ /* sanity check - requests always end in a null byte, ++ * check to prevent argz_next from reading past the end of ++ * data, as it doesn't do bounds checks */ ++ if (data_size == 0 || data[data_size-1] != '\0') ++ return ERR; ++ + /* read filename */ + entry = argz_next(tftp_data->th_stuff, size, entry); + if (!entry) +@@ -79,6 +85,12 @@ int opt_parse_options(char *data, int data_size, struct tftp_opt *options) + struct tftphdr *tftp_data = (struct tftphdr *)data; + size_t size = data_size - sizeof(tftp_data->th_opcode); + ++ /* sanity check - options always end in a null byte, ++ * check to prevent argz_next from reading past the end of ++ * data, as it doesn't do bounds checks */ ++ if (data_size == 0 || data[data_size-1] != '\0') ++ return ERR; ++ + while ((entry = argz_next(tftp_data->th_stuff, size, entry))) + { + tmp = entry; +-- +2.17.1 + diff --git a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb index ff9084dbf6..32b776e578 100644 --- a/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb 
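Review bot: The new sanity check rejects only `data_size == 0`, but `size` is computed as `data_size - sizeof(tftp_data->th_opcode)` in the declaration above it, so any `data_size` smaller than the opcode field still wraps `size` to a huge value. A negative `data_size` would also index before `data`. Whether callers can pass such lengths is not visible in the hunk, but the guard is the natural place to exclude them. In both opt_parse_request and opt_parse_options it could read `if (data_size < (int)sizeof(tftp_data->th_opcode) || data[data_size-1] != '\0') return ERR;`. Both function bodies continue outside the hunks.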
+++ b/meta-networking/recipes-daemons/atftp/atftp_0.7.2.bb @@ -6,9 +6,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=94d55d512a9ba36caa9b7df079bae19f" SRCREV = "52b71f0831dcbde508bd3a961d84abb80a62480f" -SRC_URI = "git://git.code.sf.net/p/atftp/code \ +SRC_URI = "git://git.code.sf.net/p/atftp/code;branch=master \ file://atftpd.init \ file://atftpd.service \ + file://0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch \ + file://0001-fix-buffer-overflow-in-atftpd.patch \ " SRC_URI_append_libc-musl = " file://0001-argz.h-fix-musl-compile-add-missing-defines.patch \ file://0002-tftp.h-tftpd.h-fix-musl-compile-missing-include.patch \ diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch new file mode 100644 index 0000000000..0ddea03c69 --- /dev/null +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl/CVE-2022-24407.patch 
@@ -0,0 +1,83 @@ +From 906b863c5308567086c6437ce17335b1922a78d1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Wed, 15 Jun 2022 10:44:50 +0530 +Subject: [PATCH] CVE-2022-24407 + +Upstream-Status: Backport [https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc] +CVE: CVE-2022-24407 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + plugins/sql.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/plugins/sql.c b/plugins/sql.c +index 95f5f707..5d20759b 100644 +--- a/plugins/sql.c ++++ b/plugins/sql.c +@@ -1150,6 +1150,7 @@ static int sql_auxprop_store(void *glob_context, + char *statement = NULL; + char *escap_userid = NULL; + char *escap_realm = NULL; ++ char *escap_passwd = NULL; + const char *cmd; + + sql_settings_t *settings; +@@ -1221,6 +1222,11 @@ static int sql_auxprop_store(void *glob_context, + "Unable to begin transaction\n"); + } + for (cur = to_store; ret == SASL_OK && cur->name; cur++) { ++ /* Free the buffer, current content is from previous loop. */ ++ if (escap_passwd) { ++ sparams->utils->free(escap_passwd); ++ escap_passwd = NULL; ++ } + + if (cur->name[0] == '*') { + continue; +@@ -1242,19 +1248,32 @@ static int sql_auxprop_store(void *glob_context, + } + sparams->utils->free(statement); + ++ if (cur->values[0]) { ++ escap_passwd = (char *)sparams->utils->malloc(strlen(cur->values[0])*2+1); ++ if (!escap_passwd) { ++ ret = SASL_NOMEM; ++ break; ++ } ++ settings->sql_engine->sql_escape_str(escap_passwd, cur->values[0]); ++ } ++ + /* create a statement that we will use */ + statement = sql_create_statement(cmd, cur->name, escap_userid, + escap_realm, +- cur->values && cur->values[0] ? +- cur->values[0] : SQL_NULL_VALUE, ++ escap_passwd ? 
++ escap_passwd : SQL_NULL_VALUE, + sparams->utils); ++ if (!statement) { ++ ret = SASL_NOMEM; ++ break; ++ } + + { + char *log_statement = + sql_create_statement(cmd, cur->name, + escap_userid, + escap_realm, +- cur->values && cur->values[0] ? ++ escap_passwd ? + "<omitted>" : SQL_NULL_VALUE, + sparams->utils); + sparams->utils->log(sparams->utils->conn, SASL_LOG_DEBUG, +@@ -1287,6 +1306,7 @@ static int sql_auxprop_store(void *glob_context, + done: + if (escap_userid) sparams->utils->free(escap_userid); + if (escap_realm) sparams->utils->free(escap_realm); ++ if (escap_passwd) sparams->utils->free(escap_passwd); + if (conn) settings->sql_engine->sql_close(conn); + if (userid) sparams->utils->free(userid); + if (realm) sparams->utils->free(realm); +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb index d3983eb1ae..3e7056d67d 100644 --- a/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb +++ b/meta-networking/recipes-daemons/cyrus-sasl/cyrus-sasl_2.1.27.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=3f55e0974e3d6db00ca6f57f2d206396" SRCREV = "e41cfb986c1b1935770de554872247453fdbb079" -SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https \ +SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https;branch=master \ file://avoid-to-call-AC_TRY_RUN.patch \ file://Fix-hardcoded-libdir.patch \ file://debian_patches_0014_avoid_pic_overwrite.diff \ @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/cyrusimap/cyrus-sasl;protocol=https \ file://0001-Allow-saslauthd-to-be-built-outside-of-source-tree-w.patch \ file://0001-makeinit.sh-fix-parallel-build-issue.patch \ file://CVE-2019-19906.patch \ + file://CVE-2022-24407.patch \ " UPSTREAM_CHECK_URI = "https://github.com/cyrusimap/cyrus-sasl/archives" 
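Review bot: The added `if (cur->values[0])` block in sql_auxprop_store dereferences `cur->values` unconditionally, whereas the expression it replaces further down was guarded as `cur->values && cur->values[0]`. If a property entry can carry a NULL `values` array (not visible here), the fix introduces a NULL dereference on the store path. Keeping the old guard costs nothing: `if (cur->values && cur->values[0]) {`. The function starts and ends outside the hunks shown.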
diff --git a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb index 4a9cf9db40..7cf8cfa94c 100644 --- a/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb +++ b/meta-networking/recipes-daemons/iscsi-initiator-utils/iscsi-initiator-utils_2.1.3.bb @@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" SRCREV ?= "34e3ffb194f6fa3028c0eb2ff57e7db2d1026771" -SRC_URI = "git://github.com/open-iscsi/open-iscsi \ +SRC_URI = "git://github.com/open-iscsi/open-iscsi;branch=master;protocol=https \ file://0001-Makefile-Do-not-set-Werror.patch \ file://initd.debian \ file://99_iscsi-initiator-utils \ diff --git a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb index 61d656b7ca..d5296f6a96 100644 --- a/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb +++ b/meta-networking/recipes-daemons/networkd-dispatcher/networkd-dispatcher_2.0.1.bb @@ -13,7 +13,7 @@ RDEPENDS_${PN} = "python3-pygobject python3-dbus" REQUIRED_DISTRO_FEATURES = "systemd" SRCREV = "333ef1ed1d7c7c17264fcf7629e5c2f78ab4112c" -SRC_URI = "git://gitlab.com/craftyguy/networkd-dispatcher;protocol=https" +SRC_URI = "git://gitlab.com/craftyguy/networkd-dispatcher;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch new file mode 100644 index 0000000000..b6ec8c70df --- /dev/null +++ b/meta-networking/recipes-daemons/postfix/files/0001-fix-build-with-glibc-2.34.patch 
@@ -0,0 +1,46 @@ +From 1f25dae3f38548bad32c5a3ebee4c07938d8c1b8 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Thu, 30 Dec 2021 10:35:57 +0800 +Subject: [PATCH] fix build with glibc 2.34 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The closefrom() function which is introduced in glibc 2.34 conflicts +with the one provided by postfix. + +Fixes: +| In file included from attr_clnt.c:88: +| /usr/include/unistd.h:363:13: error: conflicting types for ‘closefrom’; have ‘void(int)’ +| 363 | extern void closefrom (int __lowfd) __THROW; +| | ^~~~~~~~~ +| In file included from attr_clnt.c:87: +| ./sys_defs.h:1506:12: note: previous declaration of ‘closefrom’ with type ‘int(int)’ +| 1506 | extern int closefrom(int); +| | ^~~~~~~~~ + +Upstream-Status: Backport +[https://github.com/vdukhovni/postfix/commit/3d966d3bd5f95b2c918aefb864549fa9f0442e24] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + src/util/sys_defs.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/util/sys_defs.h b/src/util/sys_defs.h +index 39daa16..5de5855 100644 +--- a/src/util/sys_defs.h ++++ b/src/util/sys_defs.h +@@ -827,6 +827,9 @@ extern int initgroups(const char *, int); + #define HAVE_POSIX_GETPW_R + #endif + #endif ++#if HAVE_GLIBC_API_VERSION_SUPPORT(2, 34) ++#define HAS_CLOSEFROM ++#endif + + #endif + +-- +2.17.1 + diff --git a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb index db5b41bfbd..2612e12be4 100644 --- a/meta-networking/recipes-daemons/postfix/postfix_3.4.12.bb +++ b/meta-networking/recipes-daemons/postfix/postfix_3.4.27.bb 
@@ -13,6 +13,7 @@ SRC_URI += "ftp://ftp.porcupine.org/mirrors/postfix-release/official/postfix-${P file://postfix-install.patch \ file://icu-config.patch \ file://0001-makedefs-add-lnsl-and-lresolv-to-SYSLIBS-by-default.patch \ + file://0001-fix-build-with-glibc-2.34.patch \ " -SRC_URI[sha256sum] = "18555183ae8b52a9e76067799279c86f9f2770cdef3836deb8462ee0a0855dec" -UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.3(\.\d+)+).tar.gz" +SRC_URI[sha256sum] = "5f71658546d9b65863249dec3a189d084ea0596e23dc4613c579ad3ae75b10d2" +UPSTREAM_CHECK_REGEX = "postfix\-(?P<pver>3\.4(\.\d+)+).tar.gz" diff --git a/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch new file mode 100644 index 0000000000..712d5db07d --- /dev/null +++ b/meta-networking/recipes-daemons/proftpd/files/CVE-2021-46854.patch 
@@ -0,0 +1,51 @@ +From ed31fe2cbd5b8b1148b467f84f7acea66fa43bb8 Mon Sep 17 00:00:00 2001 +From: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com> +Date: Tue, 3 Aug 2021 21:53:28 +0200 +Subject: [PATCH] CVE-2021-46854 + +mod_radius: copy _only_ the password + +Upstream-Status: Backport [https://github.com/proftpd/proftpd/commit/10a227b4d50e0a2cd2faf87926f58d865da44e43] +CVE: CVE-2021-46854 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + contrib/mod_radius.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/contrib/mod_radius.c b/contrib/mod_radius.c +index b56cdfe..f234dd5 100644 +--- a/contrib/mod_radius.c ++++ b/contrib/mod_radius.c +@@ -2319,21 +2319,26 @@ static void radius_add_passwd(radius_packet_t *packet, unsigned char type, + + pwlen = strlen((const char *) passwd); + ++ /* Clear the buffers. */ ++ memset(pwhash, '\0', sizeof(pwhash)); ++ + if (pwlen == 0) { + pwlen = RADIUS_PASSWD_LEN; + + } if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) { ++ /* pwlen is not a multiple of RADIUS_PASSWD_LEN, need to prepare a proper buffer */ ++ memcpy(pwhash, passwd, pwlen); + + /* Round up the length. */ + pwlen += (RADIUS_PASSWD_LEN - 1); + + /* Truncate the length, as necessary. */ + pwlen &= ~(RADIUS_PASSWD_LEN - 1); ++ } else { ++ /* pwlen is a multiple of RADIUS_PASSWD_LEN, we can just use it. */ ++ memcpy(pwhash, passwd, pwlen); + } + +- /* Clear the buffers. */ +- memset(pwhash, '\0', sizeof(pwhash)); +- memcpy(pwhash, passwd, pwlen); + + /* Find the password attribute. */ + attrib = radius_get_attrib(packet, RADIUS_PASSWORD); +-- +2.25.1 + diff --git a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb index 1e4697a633..9ec97b9237 100644 --- a/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb +++ b/meta-networking/recipes-daemons/proftpd/proftpd_1.3.6.bb 
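Review bot: The empty-password path in radius_add_passwd still over-reads after this change. When `pwlen == 0` it is set to `RADIUS_PASSWD_LEN`, and because the next statement is `} if (` rather than `} else if (`, control falls into the new `else` branch, where `memcpy(pwhash, passwd, pwlen)` copies `RADIUS_PASSWD_LEN` bytes from a one-byte empty string. Chaining the conditions avoids the copy and leaves the zeroed buffer in place for that case: `} else if ((pwlen & (RADIUS_PASSWD_LEN - 1)) != 0) {`. The size of `pwhash` is not visible in the hunk, so it is worth confirming that `pwlen` is bounded by it before either `memcpy`. The function continues outside the hunk.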
@@ -12,6 +12,7 @@ SRC_URI = "ftp://ftp.proftpd.org/distrib/source/${BPN}-${PV}.tar.gz \ file://contrib.patch \ file://build_fixup.patch \ file://proftpd.service \ + file://CVE-2021-46854.patch \ " SRC_URI[md5sum] = "13270911c42aac842435f18205546a1b" SRC_URI[sha256sum] = "91ef74b143495d5ff97c4d4770c6804072a8c8eb1ad1ecc8cc541b40e152ecaf" diff --git a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb index 115353fec7..071002c5e7 100644 --- a/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb +++ b/meta-networking/recipes-filter/arno-iptables-firewall/arno-iptables-firewall_2.1.0.bb @@ -5,7 +5,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://gpl_license.txt;md5=11c7b65c4a4acb9d5175f7e9bf99c403" SRCREV = "39276d14b659684c4c0612725ab83ea841c6ef99" -SRC_URI = "git://github.com/arno-iptables-firewall/aif" +SRC_URI = "git://github.com/arno-iptables-firewall/aif;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb index 2f627d458e..994825cb7e 100644 --- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb +++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-log_1.0.1.bb @@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl" SRCREV = "ba196a97e810746e5660fe3f57c87c0ed0f2b324" PV .= "+git${SRCPV}" -SRC_URI = "git://git.netfilter.org/libnetfilter_log" +SRC_URI = "git://git.netfilter.org/libnetfilter_log;branch=master" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb index 896cfdfaa4..1bbab6f3cb 100644 --- a/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb 
+++ b/meta-networking/recipes-filter/libnetfilter/libnetfilter-queue_1.0.3.bb @@ -8,7 +8,7 @@ DEPENDS = "libnfnetlink libmnl" SRCREV = "601abd1c71ccdf90753cf294c120ad43fb25dc54" -SRC_URI = "git://git.netfilter.org/libnetfilter_queue \ +SRC_URI = "git://git.netfilter.org/libnetfilter_queue;branch=master \ file://0001-libnetfilter-queue-Declare-the-define-visivility-attribute-together.patch \ " diff --git a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb index 4ff00bf873..fee9967ebd 100644 --- a/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb +++ b/meta-networking/recipes-filter/libnftnl/libnftnl_1.1.7.bb @@ -5,7 +5,7 @@ SECTION = "libs" DEPENDS = "libmnl" SRCREV = "eedafeb6db330b8adff1b7cdd3dac325f9144195" -SRC_URI = "git://git.netfilter.org/libnftnl \ +SRC_URI = "git://git.netfilter.org/libnftnl;branch=master \ file://0001-avoid-naming-local-function-as-one-of-printf-family.patch \ " diff --git a/meta-networking/recipes-irc/znc/znc_1.7.5.bb b/meta-networking/recipes-irc/znc/znc_1.7.5.bb index a3d4b7cc55..d7467ff4a6 100644 --- a/meta-networking/recipes-irc/znc/znc_1.7.5.bb +++ b/meta-networking/recipes-irc/znc/znc_1.7.5.bb @@ -5,8 +5,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" DEPENDS = "openssl zlib icu" -SRC_URI = "git://github.com/znc/znc.git;name=znc \ - git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket \ +SRC_URI = "git://github.com/znc/znc.git;name=znc;branch=master;protocol=https \ + git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket;branch=master;protocol=https \ " SRCREV_znc = "c7f72f8bc800115ac985e7e13eace78031cb1b50" SRCREV_Csocket = "e8d9e0bb248c521c2c7fa01e1c6a116d929c41b4" 
diff --git a/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch b/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch deleted file mode 100644 index a9dc9dc2b7..0000000000 --- a/meta-networking/recipes-kernel/wireguard/files/0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch +++ /dev/null @@ -1,29 +0,0 @@ -From ce8faa3ee266ea69431805e6ed4bd7102d982508 Mon Sep 17 00:00:00 2001 -From: "Jason A. Donenfeld" <Jason@zx2c4.com> -Date: Thu, 12 Nov 2020 09:43:38 +0100 -Subject: [PATCH] compat: SYM_FUNC_{START,END} were backported to 5.4 - -Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> - -Upstream-Status: Backport -Fixes build failure in Dunfell. - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - compat/compat-asm.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: src/compat/compat-asm.h -=================================================================== ---- src.orig/compat/compat-asm.h -+++ src/compat/compat-asm.h -@@ -40,7 +40,7 @@ - #undef pull - #endif - --#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 5, 0) -+#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 76) - #define SYM_FUNC_START ENTRY - #define SYM_FUNC_END ENDPROC - #endif diff --git a/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch b/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch deleted file mode 100644 index f01cfe4e1c..0000000000 --- a/meta-networking/recipes-kernel/wireguard/files/0001-compat-icmp_ndo_send-functions-were-backported-exten.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From 122f06bfd8fc7b06a0899fa9adc4ce8e06900d98 Mon Sep 17 00:00:00 2001
-From: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Date: Sun, 7 Mar 2021 08:14:33 -0700
-Subject: [PATCH] compat: icmp_ndo_send functions were backported extensively
-
-Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-
-Upstream-Status: Backport
-
-Fixes build with 5.4.103 update.
-/include/linux/icmpv6.h:56:6: note: previous declaration of 'icmpv6_ndo_send' was here
-| 56 | void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info);
-
-Signed-of-by: Armin Kuster <akuster808@gmail.com>
-
----
- src/compat/compat.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: src/compat/compat.h
-===================================================================
---- src.orig/compat/compat.h
-+++ src/compat/compat.h
-@@ -946,7 +946,7 @@ static inline int skb_ensure_writable(st
- }
- #endif
-
--#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
-+#if (LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0) && LINUX_VERSION_CODE >= KERNEL_VERSION(5, 5, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(5, 4, 102) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 20, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 19, 178) && LINUX_VERSION_CODE >= KERNEL_VERSION(4, 15, 0)) || (LINUX_VERSION_CODE < KERNEL_VERSION(4, 14, 223) && LINUX_VERSION_CODE > KERNEL_VERSION(4, 10, 0)) || LINUX_VERSION_CODE < KERNEL_VERSION(4, 9, 259) || defined(ISRHEL8) || defined(ISUBUNTU1804)
- #if IS_ENABLED(CONFIG_NF_NAT)
- #include <linux/ip.h>
- #include <linux/icmpv6.h>
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
deleted file mode 100644
index 6ed988bafa..0000000000
--- a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20200401.bb
+++ /dev/null
@@ -1,30 +0,0 @@
-require wireguard.inc
-
-SRCREV = "43f57dac7b8305024f83addc533c9eede6509129"
-
-SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat \
- file://0001-compat-SYM_FUNC_-START-END-were-backported-to-5.4.patch \
- file://0001-compat-icmp_ndo_send-functions-were-backported-exten.patch "
-
-inherit module kernel-module-split
-
-DEPENDS = "virtual/kernel libmnl"
-
-# This module requires Linux 3.10 higher and several networking related
-# configuration options. For exact kernel requirements visit:
-# https://www.wireguard.io/install/#kernel-requirements
-
-EXTRA_OEMAKE_append = " \
- KERNELDIR=${STAGING_KERNEL_DIR} \
- "
-
-MAKE_TARGETS = "module"
-
-RRECOMMENDS_${PN} = "kernel-module-xt-hashlimit"
-MODULE_NAME = "wireguard"
-
-module_do_install() {
- install -d ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}
- install -m 0644 ${MODULE_NAME}.ko \
- ${D}${nonarch_base_libdir}/modules/${KERNEL_VERSION}/kernel/${MODULE_NAME}/${MODULE_NAME}.ko
-}
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb
new file mode 100644
index 0000000000..df2db15349
--- /dev/null
+++ b/meta-networking/recipes-kernel/wireguard/wireguard-module_1.0.20220627.bb
@@ -0,0 +1,23 @@
+require wireguard.inc
+
+SRCREV = "18fbcd68a35a892527345dc5679d0b2d860ee004"
+
+SRC_URI = "git://git.zx2c4.com/wireguard-linux-compat;protocol=https;branch=master"
+
+inherit module kernel-module-split
+
+DEPENDS = "virtual/kernel libmnl"
+
+# This module requires Linux 3.10 higher and several networking related
+# configuration options. For exact kernel requirements visit:
+# https://www.wireguard.io/install/#kernel-requirements
+
+EXTRA_OEMAKE_append = " \
+ KERNELDIR=${STAGING_KERNEL_DIR} \
+ "
+
+MAKE_TARGETS = "module"
+MODULES_INSTALL_TARGET = "module-install"
+
+RRECOMMENDS_${PN} = "kernel-module-xt-hashlimit"
+MODULE_NAME = "wireguard"
diff --git a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb index f698b9a9af..b63ef88182 100644 --- a/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20200319.bb +++ b/meta-networking/recipes-kernel/wireguard/wireguard-tools_1.0.20210914.bb @@ -1,7 +1,7 @@ require wireguard.inc -SRCREV = "a8063adc8ae9b4fc9848500e93f94bee8ad2e585" -SRC_URI = "git://git.zx2c4.com/wireguard-tools" +SRCREV = "3ba6527130c502144e7388b900138bca6260f4e8" +SRC_URI = "git://git.zx2c4.com/wireguard-tools;branch=master" inherit bash-completion systemd pkgconfig @@ -9,7 +9,7 @@ DEPENDS += "wireguard-module libmnl" do_install () { oe_runmake DESTDIR="${D}" PREFIX="${prefix}" SYSCONFDIR="${sysconfdir}" \ - SYSTEMDUNITDIR="${systemd_unitdir}" \ + SYSTEMDUNITDIR="${systemd_system_unitdir}" \ WITH_SYSTEMDUNITS=${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'yes', '', d)} \ WITH_BASHCOMPLETION=yes \ WITH_WGQUICK=yes \ diff --git a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb index 6dd15ad9fc..fdcd906516 100644 --- a/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb +++ b/meta-networking/recipes-protocols/babeld/babeld_1.9.1.bb @@ -12,7 +12,7 @@ SECTION = "net" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENCE;md5=411a48ac3c2e9e0911b8dd9aed26f754" -SRC_URI = "git://github.com/jech/babeld.git;protocol=git" +SRC_URI = "git://github.com/jech/babeld.git;protocol=https;branch=master" SRCREV = "0835d5d894ea016ab7b81562466cade2c51a12d4" UPSTREAM_CHECK_GITTAGREGEX = "babeld-(?P<pver>\d+(\.\d+)+)" diff --git a/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-networking/recipes-protocols/openflow/openflow.inc index cccbfa19a6..ab538c620e 100644 --- a/meta-networking/recipes-protocols/openflow/openflow.inc +++ b/meta-networking/recipes-protocols/openflow/openflow.inc 
@@ -11,7 +11,7 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=e870c934e2c3d6ccf085fd7cf0a1e2e2" -SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git" +SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master" DEPENDS = "virtual/libc" diff --git a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb index b02e183db7..181698d778 100644 --- a/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb +++ b/meta-networking/recipes-protocols/xl2tpd/xl2tpd_1.3.14.bb @@ -8,7 +8,7 @@ PACKAGE_ARCH = "${MACHINE_ARCH}" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://github.com/xelerance/xl2tpd.git" +SRC_URI = "git://github.com/xelerance/xl2tpd.git;branch=master;protocol=https" SRCREV = "ba619c79c4790c78c033df0abde4a9a5de744a08" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/arptables/arptables_git.bb b/meta-networking/recipes-support/arptables/arptables_git.bb index c02a19944d..b59dc4ca1b 100644 --- a/meta-networking/recipes-support/arptables/arptables_git.bb +++ b/meta-networking/recipes-support/arptables/arptables_git.bb @@ -6,7 +6,7 @@ SRCREV = "efae8949e31f8b2eb6290f377a28384cecaf105a" PV = "0.0.5+git${SRCPV}" SRC_URI = " \ - git://git.netfilter.org/arptables \ + git://git.netfilter.org/arptables;branch=master \ file://0001-Use-ARPCFLAGS-for-package-specific-compiler-flags.patch \ file://arptables-arpt-get-target-fix.patch \ file://arptables.service \ diff --git a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb index 1c87c48bfa..4b195ededa 100644 --- a/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb +++ b/meta-networking/recipes-support/bridge-utils/bridge-utils_1.6.bb 
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f9d20a453221a1b7e32ae84694da2c37" SRCREV = "42c1aefc303fdf891fbb099ea51f00dca83ab606" SRC_URI = "\ - git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git \ + git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/bridge-utils.git;branch=main \ file://kernel-headers.patch \ file://0005-build-don-t-ignore-CFLAGS-from-environment.patch \ file://0006-libbridge-Modifying-the-AR-to-cross-toolchain.patch \ diff --git a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb index 8d82ee4546..e76481cc1b 100644 --- a/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb +++ b/meta-networking/recipes-support/cifs/cifs-utils_6.10.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" PV = "6.10" SRCREV = "5ff5fc2ecc10353fd39ad508db5c2828fd2d8d9a" -SRC_URI = "git://git.samba.org/cifs-utils.git" +SRC_URI = "git://git.samba.org/cifs-utils.git;branch=master" S = "${WORKDIR}/git" DEPENDS += "libtalloc" diff --git a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb index 799cf8611c..3da651c478 100644 --- a/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb +++ b/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=fd0c9adf285a69aa3b4faf34384e1029" DEPENDS = "curl" DEPENDS_class-native = "curl-native" -SRC_URI = "git://github.com/jpbarrette/curlpp.git" +SRC_URI = "git://github.com/jpbarrette/curlpp.git;branch=master;protocol=https" SRCREV = "592552a165cc569dac7674cb7fc9de3dc829906f" diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch new file mode 100644 index 0000000000..360931a83b --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2021-3448.patch 
@@ -0,0 +1,1040 @@ +From 74d4fcd756a85bc1823232ea74334f7ccfb9d5d2 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Mon, 15 Mar 2021 21:59:51 +0000 +Subject: [PATCH] Use random source ports where possible if source + addresses/interfaces in use. + +CVE-2021-3448 applies. + +It's possible to specify the source address or interface to be +used when contacting upstream nameservers: server=8.8.8.8@1.2.3.4 +or server=8.8.8.8@1.2.3.4#66 or server=8.8.8.8@eth0, and all of +these have, until now, used a single socket, bound to a fixed +port. This was originally done to allow an error (non-existent +interface, or non-local address) to be detected at start-up. This +means that any upstream servers specified in such a way don't use +random source ports, and are more susceptible to cache-poisoning +attacks. + +We now use random ports where possible, even when the +source is specified, so server=8.8.8.8@1.2.3.4 or +server=8.8.8.8@eth0 will use random source +ports. server=8.8.8.8@1.2.3.4#66 or any use of --query-port will +use the explicitly configured port, and should only be done with +understanding of the security implications. +Note that this change changes non-existing interface, or non-local +source address errors from fatal to run-time. The error will be +logged and communiction with the server not possible. 
+ +Upstream-Status: Backport +CVE: CVE-2021-3448 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + CHANGELOG | 22 +++ + man/dnsmasq.8 | 4 +- + src/dnsmasq.c | 31 ++-- + src/dnsmasq.h | 26 ++-- + src/forward.c | 392 ++++++++++++++++++++++++++++++-------------------- + src/loop.c | 20 +-- + src/network.c | 110 +++++--------- + src/option.c | 3 +- + src/tftp.c | 6 +- + src/util.c | 2 +- + 10 files changed, 344 insertions(+), 272 deletions(-) + +Index: dnsmasq-2.81/man/dnsmasq.8 +=================================================================== +--- dnsmasq-2.81.orig/man/dnsmasq.8 ++++ dnsmasq-2.81/man/dnsmasq.8 +@@ -489,7 +489,7 @@ source address specified but the port ma + part of the source address. Forcing queries to an interface is not + implemented on all platforms supported by dnsmasq. + .TP +-.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<source-ip>|<interface>[#<port>]] ++.B --rev-server=<ip-address>/<prefix-len>[,<ipaddr>][#<port>][@<interface>][@<source-ip>[#<port>]] + This is functionally the same as + .B --server, + but provides some syntactic sugar to make specifying address-to-name queries easier. 
For example +Index: dnsmasq-2.81/src/dnsmasq.c +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.c ++++ dnsmasq-2.81/src/dnsmasq.c +@@ -1668,6 +1668,7 @@ static int set_dns_listeners(time_t now) + { + struct serverfd *serverfdp; + struct listener *listener; ++ struct randfd_list *rfl; + int wait = 0, i; + + #ifdef HAVE_TFTP +@@ -1688,11 +1689,14 @@ static int set_dns_listeners(time_t now) + for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next) + poll_listen(serverfdp->fd, POLLIN); + +- if (daemon->port != 0 && !daemon->osport) +- for (i = 0; i < RANDOM_SOCKS; i++) +- if (daemon->randomsocks[i].refcount != 0) +- poll_listen(daemon->randomsocks[i].fd, POLLIN); +- ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0) ++ poll_listen(daemon->randomsocks[i].fd, POLLIN); ++ ++ /* Check overflow random sockets too. */ ++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next) ++ poll_listen(rfl->rfd->fd, POLLIN); ++ + for (listener = daemon->listeners; listener; listener = listener->next) + { + /* only listen for queries if we have resources */ +@@ -1729,18 +1733,23 @@ static void check_dns_listeners(time_t n + { + struct serverfd *serverfdp; + struct listener *listener; ++ struct randfd_list *rfl; + int i; + int pipefd[2]; + + for (serverfdp = daemon->sfds; serverfdp; serverfdp = serverfdp->next) + if (poll_check(serverfdp->fd, POLLIN)) +- reply_query(serverfdp->fd, serverfdp->source_addr.sa.sa_family, now); ++ reply_query(serverfdp->fd, now); + +- if (daemon->port != 0 && !daemon->osport) +- for (i = 0; i < RANDOM_SOCKS; i++) +- if (daemon->randomsocks[i].refcount != 0 && +- poll_check(daemon->randomsocks[i].fd, POLLIN)) +- reply_query(daemon->randomsocks[i].fd, daemon->randomsocks[i].family, now); ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0 && ++ poll_check(daemon->randomsocks[i].fd, POLLIN)) ++ reply_query(daemon->randomsocks[i].fd, now); 
++ ++ /* Check overflow random sockets too. */ ++ for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next) ++ if (poll_check(rfl->rfd->fd, POLLIN)) ++ reply_query(rfl->rfd->fd, now); + + /* Races. The child process can die before we read all of the data from the + pipe, or vice versa. Therefore send tcp_pids to zero when we wait() the +Index: dnsmasq-2.81/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.81.orig/src/dnsmasq.h ++++ dnsmasq-2.81/src/dnsmasq.h +@@ -542,13 +542,20 @@ struct serverfd { + }; + + struct randfd { ++ struct server *serv; + int fd; +- unsigned short refcount, family; ++ unsigned short refcount; /* refcount == 0xffff means overflow record. */ + }; +- ++ ++struct randfd_list { ++ struct randfd *rfd; ++ struct randfd_list *next; ++}; ++ + struct server { + union mysockaddr addr, source_addr; + char interface[IF_NAMESIZE+1]; ++ unsigned int ifindex; /* corresponding to interface, above */ + struct serverfd *sfd; + char *domain; /* set if this server only handles a domain. 
*/ + int flags, tcpfd, edns_pktsz; +@@ -669,8 +676,7 @@ struct frec { + struct frec_src *next; + } frec_src; + struct server *sentto; /* NULL means free */ +- struct randfd *rfd4; +- struct randfd *rfd6; ++ struct randfd_list *rfds; + unsigned short new_id; + int fd, forwardall, flags; + time_t time; +@@ -1100,11 +1106,12 @@ extern struct daemon { + int forwardcount; + struct server *srv_save; /* Used for resend on DoD */ + size_t packet_len; /* " " */ +- struct randfd *rfd_save; /* " " */ ++ int fd_save; /* " " */ + pid_t tcp_pids[MAX_PROCS]; + int tcp_pipes[MAX_PROCS]; + int pipe_to_parent; + struct randfd randomsocks[RANDOM_SOCKS]; ++ struct randfd_list *rfl_spare, *rfl_poll; + int v6pktinfo; + struct addrlist *interface_addrs; /* list of all addresses/prefix lengths associated with all local interfaces */ + int log_id, log_display_id; /* ids of transactions for logging */ +@@ -1275,7 +1282,7 @@ void safe_strncpy(char *dest, const char + void safe_pipe(int *fd, int read_noblock); + void *whine_malloc(size_t size); + int sa_len(union mysockaddr *addr); +-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2); ++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2); + int hostname_isequal(const char *a, const char *b); + int hostname_issubdomain(char *a, char *b); + time_t dnsmasq_time(void); +@@ -1326,7 +1333,7 @@ char *parse_server(char *arg, union myso + int option_read_dynfile(char *file, int flags); + + /* forward.c */ +-void reply_query(int fd, int family, time_t now); ++void reply_query(int fd, time_t now); + void receive_query(struct listener *listen, time_t now); + unsigned char *tcp_request(int confd, time_t now, + union mysockaddr *local_addr, struct in_addr netmask, int auth_dns); +@@ -1336,13 +1343,12 @@ int send_from(int fd, int nowild, char * + union mysockaddr *to, union all_addr *source, + unsigned int iface); + void resend_query(void); +-struct randfd *allocate_rfd(int family); +-void free_rfd(struct randfd *rfd); 
++int allocate_rfd(struct randfd_list **fdlp, struct server *serv); ++void free_rfds(struct randfd_list **fdlp); + + /* network.c */ + int indextoname(int fd, int index, char *name); + int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp); +-int random_sock(int family); + void pre_allocate_sfds(void); + int reload_servers(char *fname); + void mark_servers(int flag); +Index: dnsmasq-2.81/src/forward.c +=================================================================== +--- dnsmasq-2.81.orig/src/forward.c ++++ dnsmasq-2.81/src/forward.c +@@ -16,7 +16,7 @@ + + #include "dnsmasq.h" + +-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash); ++static struct frec *lookup_frec(unsigned short id, int fd, void *hash); + static struct frec *lookup_frec_by_sender(unsigned short id, + union mysockaddr *addr, + void *hash); +@@ -307,26 +307,18 @@ static int forward_query(int udpfd, unio + if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign) + PUTSHORT(SAFE_PKTSZ, pheader); + +- if (forward->sentto->addr.sa.sa_family == AF_INET) +- log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); +- else +- log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); +- +- +- if (forward->sentto->sfd) +- fd = forward->sentto->sfd->fd; +- else ++ if ((fd = allocate_rfd(&forward->rfds, forward->sentto)) != -1) + { +- if (forward->sentto->addr.sa.sa_family == AF_INET6) +- fd = forward->rfd6->fd; ++ if (forward->sentto->addr.sa.sa_family == AF_INET) ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); + else +- fd = forward->rfd4->fd; ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); ++ ++ while (retry_send(sendto(fd, (char *)header, plen, 0, ++ 
&forward->sentto->addr.sa, ++ sa_len(&forward->sentto->addr)))); + } + +- while (retry_send(sendto(fd, (char *)header, plen, 0, +- &forward->sentto->addr.sa, +- sa_len(&forward->sentto->addr)))); +- + return 1; + } + #endif +@@ -501,49 +493,28 @@ static int forward_query(int udpfd, unio + + while (1) + { ++ int fd; ++ + /* only send to servers dealing with our domain. + domain may be NULL, in which case server->domain + must be NULL also. */ + + if (type == (start->flags & SERV_TYPE) && + (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) && +- !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) ++ !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) && ++ ((fd = allocate_rfd(&forward->rfds, start)) != -1)) + { +- int fd; +- +- /* find server socket to use, may need to get random one. */ +- if (start->sfd) +- fd = start->sfd->fd; +- else +- { +- if (start->addr.sa.sa_family == AF_INET6) +- { +- if (!forward->rfd6 && +- !(forward->rfd6 = allocate_rfd(AF_INET6))) +- break; +- daemon->rfd_save = forward->rfd6; +- fd = forward->rfd6->fd; +- } +- else +- { +- if (!forward->rfd4 && +- !(forward->rfd4 = allocate_rfd(AF_INET))) +- break; +- daemon->rfd_save = forward->rfd4; +- fd = forward->rfd4->fd; +- } + + #ifdef HAVE_CONNTRACK +- /* Copy connection mark of incoming query to outgoing connection. */ +- if (option_bool(OPT_CONNTRACK)) +- { +- unsigned int mark; +- if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark)) +- setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); +- } +-#endif ++ /* Copy connection mark of incoming query to outgoing connection. 
*/ ++ if (option_bool(OPT_CONNTRACK)) ++ { ++ unsigned int mark; ++ if (get_incoming_mark(&forward->frec_src.source, &forward->frec_src.dest, 0, &mark)) ++ setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); + } +- ++#endif ++ + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER)) + { +@@ -574,6 +545,7 @@ static int forward_query(int udpfd, unio + /* Keep info in case we want to re-send this packet */ + daemon->srv_save = start; + daemon->packet_len = plen; ++ daemon->fd_save = fd; + + if (!gotname) + strcpy(daemon->namebuff, "query"); +@@ -590,7 +562,7 @@ static int forward_query(int udpfd, unio + break; + forward->forwardall++; + } +- } ++ } + + if (!(start = start->next)) + start = daemon->servers; +@@ -805,7 +777,7 @@ static size_t process_reply(struct dns_h + } + + /* sets new last_server */ +-void reply_query(int fd, int family, time_t now) ++void reply_query(int fd, time_t now) + { + /* packet from peer server, extract data for cache, and send to + original requester */ +@@ -820,9 +792,9 @@ void reply_query(int fd, int family, tim + + /* packet buffer overwritten */ + daemon->srv_save = NULL; +- ++ + /* Determine the address of the server replying so that we can mark that as good */ +- if ((serveraddr.sa.sa_family = family) == AF_INET6) ++ if (serveraddr.sa.sa_family == AF_INET6) + serveraddr.in6.sin6_flowinfo = 0; + + header = (struct dns_header *)daemon->packet; +@@ -845,7 +817,7 @@ void reply_query(int fd, int family, tim + + hash = hash_questions(header, n, daemon->namebuff); + +- if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) ++ if (!(forward = lookup_frec(ntohs(header->id), fd, hash))) + return; + + #ifdef HAVE_DUMPFILE +@@ -900,25 +872,8 @@ void reply_query(int fd, int family, tim + } + + +- if (start->sfd) +- fd = start->sfd->fd; +- else +- { +- if (start->addr.sa.sa_family == AF_INET6) +- { +- /* may have changed family */ +- if (!forward->rfd6) +- forward->rfd6 = 
allocate_rfd(AF_INET6); +- fd = forward->rfd6->fd; +- } +- else +- { +- /* may have changed family */ +- if (!forward->rfd4) +- forward->rfd4 = allocate_rfd(AF_INET); +- fd = forward->rfd4->fd; +- } +- } ++ if ((fd = allocate_rfd(&forward->rfds, start)) == -1) ++ return; + + #ifdef HAVE_DUMPFILE + dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)plen, NULL, &start->addr); +@@ -1126,8 +1081,7 @@ void reply_query(int fd, int family, tim + } + + new->sentto = server; +- new->rfd4 = NULL; +- new->rfd6 = NULL; ++ new->rfds = NULL; + new->frec_src.next = NULL; + new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA); + new->forwardall = 0; +@@ -1166,24 +1120,7 @@ void reply_query(int fd, int family, tim + /* Don't resend this. */ + daemon->srv_save = NULL; + +- if (server->sfd) +- fd = server->sfd->fd; +- else +- { +- fd = -1; +- if (server->addr.sa.sa_family == AF_INET6) +- { +- if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6))) +- fd = new->rfd6->fd; +- } +- else +- { +- if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET))) +- fd = new->rfd4->fd; +- } +- } +- +- if (fd != -1) ++ if ((fd = allocate_rfd(&new->rfds, server)) != -1) + { + #ifdef HAVE_CONNTRACK + /* Copy connection mark of incoming query to outgoing connection. */ +@@ -1344,7 +1281,7 @@ void receive_query(struct listener *list + + /* packet buffer overwritten */ + daemon->srv_save = NULL; +- ++ + dst_addr_4.s_addr = dst_addr.addr4.s_addr = 0; + netmask.s_addr = 0; + +@@ -2207,9 +2144,8 @@ static struct frec *allocate_frec(time_t + f->next = daemon->frec_list; + f->time = now; + f->sentto = NULL; +- f->rfd4 = NULL; ++ f->rfds = NULL; + f->flags = 0; +- f->rfd6 = NULL; + #ifdef HAVE_DNSSEC + f->dependent = NULL; + f->blocking_query = NULL; +@@ -2221,46 +2157,192 @@ static struct frec *allocate_frec(time_t + return f; + } + +-struct randfd *allocate_rfd(int family) ++/* return a UDP socket bound to a random port, have to cope with straying into ++ occupied port nos and reserved ones. 
*/ ++static int random_sock(struct server *s) ++{ ++ int fd; ++ ++ if ((fd = socket(s->source_addr.sa.sa_family, SOCK_DGRAM, 0)) != -1) ++ { ++ if (local_bind(fd, &s->source_addr, s->interface, s->ifindex, 0)) ++ return fd; ++ ++ if (s->interface[0] == 0) ++ (void)prettyprint_addr(&s->source_addr, daemon->namebuff); ++ else ++ strcpy(daemon->namebuff, s->interface); ++ ++ my_syslog(LOG_ERR, _("failed to bind server socket to %s: %s"), ++ daemon->namebuff, strerror(errno)); ++ close(fd); ++ } ++ ++ return -1; ++} ++ ++/* compare source addresses and interface, serv2 can be null. */ ++static int server_isequal(const struct server *serv1, ++ const struct server *serv2) ++{ ++ return (serv2 && ++ serv2->ifindex == serv1->ifindex && ++ sockaddr_isequal(&serv2->source_addr, &serv1->source_addr) && ++ strncmp(serv2->interface, serv1->interface, IF_NAMESIZE) == 0); ++} ++ ++/* fdlp points to chain of randomfds already in use by transaction. ++ If there's already a suitable one, return it, else allocate a ++ new one and add it to the list. ++ ++ Not leaking any resources in the face of allocation failures ++ is rather convoluted here. ++ ++ Note that rfd->serv may be NULL, when a server goes away. ++*/ ++int allocate_rfd(struct randfd_list **fdlp, struct server *serv) + { + static int finger = 0; +- int i; ++ int i, j = 0; ++ struct randfd_list *rfl; ++ struct randfd *rfd = NULL; ++ int fd = 0; ++ ++ /* If server has a pre-allocated fd, use that. */ ++ if (serv->sfd) ++ return serv->sfd->fd; ++ ++ /* existing suitable random port socket linked to this transaction? */ ++ for (rfl = *fdlp; rfl; rfl = rfl->next) ++ if (server_isequal(serv, rfl->rfd->serv)) ++ return rfl->rfd->fd; ++ ++ /* No. need new link. */ ++ if ((rfl = daemon->rfl_spare)) ++ daemon->rfl_spare = rfl->next; ++ else if (!(rfl = whine_malloc(sizeof(struct randfd_list)))) ++ return -1; + + /* limit the number of sockets we have open to avoid starvation of + (eg) TFTP. 
Once we have a reasonable number, randomness should be OK */ +- + for (i = 0; i < RANDOM_SOCKS; i++) + if (daemon->randomsocks[i].refcount == 0) + { +- if ((daemon->randomsocks[i].fd = random_sock(family)) == -1) +- break; +- +- daemon->randomsocks[i].refcount = 1; +- daemon->randomsocks[i].family = family; +- return &daemon->randomsocks[i]; ++ if ((fd = random_sock(serv)) != -1) ++ { ++ rfd = &daemon->randomsocks[i]; ++ rfd->serv = serv; ++ rfd->fd = fd; ++ rfd->refcount = 1; ++ } ++ break; + } + + /* No free ones or cannot get new socket, grab an existing one */ +- for (i = 0; i < RANDOM_SOCKS; i++) ++ if (!rfd) ++ for (j = 0; j < RANDOM_SOCKS; j++) ++ { ++ i = (j + finger) % RANDOM_SOCKS; ++ if (daemon->randomsocks[i].refcount != 0 && ++ server_isequal(serv, daemon->randomsocks[i].serv) && ++ daemon->randomsocks[i].refcount != 0xfffe) ++ { ++ finger = i + 1; ++ rfd = &daemon->randomsocks[i]; ++ rfd->refcount++; ++ break; ++ } ++ } ++ ++ if (j == RANDOM_SOCKS) + { +- int j = (i+finger) % RANDOM_SOCKS; +- if (daemon->randomsocks[j].refcount != 0 && +- daemon->randomsocks[j].family == family && +- daemon->randomsocks[j].refcount != 0xffff) ++ struct randfd_list *rfl_poll; ++ ++ /* there are no free slots, and non with the same parameters we can piggy-back on. ++ We're going to have to allocate a new temporary record, distinguished by ++ refcount == 0xffff. This will exist in the frec randfd list, never be shared, ++ and be freed when no longer in use. It will also be held on ++ the daemon->rfl_poll list so the poll system can find it. 
*/ ++ ++ if ((rfl_poll = daemon->rfl_spare)) ++ daemon->rfl_spare = rfl_poll->next; ++ else ++ rfl_poll = whine_malloc(sizeof(struct randfd_list)); ++ ++ if (!rfl_poll || ++ !(rfd = whine_malloc(sizeof(struct randfd))) || ++ (fd = random_sock(serv)) == -1) + { +- finger = j; +- daemon->randomsocks[j].refcount++; +- return &daemon->randomsocks[j]; ++ ++ /* Don't leak anything we may already have */ ++ rfl->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl; ++ ++ if (rfl_poll) ++ { ++ rfl_poll->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl_poll; ++ } ++ ++ if (rfd) ++ free(rfd); ++ ++ return -1; /* doom */ + } ++ ++ /* Note rfd->serv not set here, since it's not reused */ ++ rfd->fd = fd; ++ rfd->refcount = 0xffff; /* marker for temp record */ ++ ++ rfl_poll->rfd = rfd; ++ rfl_poll->next = daemon->rfl_poll; ++ daemon->rfl_poll = rfl_poll; + } + +- return NULL; /* doom */ ++ rfl->rfd = rfd; ++ rfl->next = *fdlp; ++ *fdlp = rfl; ++ ++ return rfl->rfd->fd; + } + +-void free_rfd(struct randfd *rfd) ++void free_rfds(struct randfd_list **fdlp) + { +- if (rfd && --(rfd->refcount) == 0) +- close(rfd->fd); ++ struct randfd_list *tmp, *rfl, *poll, *next, **up; ++ ++ for (rfl = *fdlp; rfl; rfl = tmp) ++ { ++ if (rfl->rfd->refcount == 0xffff || --(rfl->rfd->refcount) == 0) ++ close(rfl->rfd->fd); ++ ++ /* temporary overflow record */ ++ if (rfl->rfd->refcount == 0xffff) ++ { ++ free(rfl->rfd); ++ ++ /* go through the link of all these by steam to delete. ++ This list is expected to be almost always empty. 
*/ ++ for (poll = daemon->rfl_poll, up = &daemon->rfl_poll; poll; poll = next) ++ { ++ next = poll->next; ++ ++ if (poll->rfd == rfl->rfd) ++ { ++ *up = poll->next; ++ poll->next = daemon->rfl_spare; ++ daemon->rfl_spare = poll; ++ } ++ else ++ up = &poll->next; ++ } ++ } ++ ++ tmp = rfl->next; ++ rfl->next = daemon->rfl_spare; ++ daemon->rfl_spare = rfl; ++ } ++ ++ *fdlp = NULL; + } + + static void free_frec(struct frec *f) +@@ -2276,12 +2358,9 @@ static void free_frec(struct frec *f) + } + + f->frec_src.next = NULL; +- free_rfd(f->rfd4); +- f->rfd4 = NULL; ++ free_rfds(&f->rfds); + f->sentto = NULL; + f->flags = 0; +- free_rfd(f->rfd6); +- f->rfd6 = NULL; + + #ifdef HAVE_DNSSEC + if (f->stash) +@@ -2389,26 +2468,39 @@ struct frec *get_new_frec(time_t now, in + } + + /* crc is all-ones if not known. */ +-static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash) ++static struct frec *lookup_frec(unsigned short id, int fd, void *hash) + { + struct frec *f; ++ struct server *s; ++ int type; ++ struct randfd_list *fdl; + + for(f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->new_id == id && + (memcmp(hash, f->hash, HASH_SIZE) == 0)) + { + /* sent from random port */ +- if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd) ++ for (fdl = f->rfds; fdl; fdl = fdl->next) ++ if (fdl->rfd->fd == fd) + return f; ++ } + +- if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd) +- return f; ++ /* Sent to upstream from socket associated with a server. ++ Note we have to iterate over all the possible servers, since they may ++ have different bound sockets. */ ++ type = f->sentto->flags & SERV_TYPE; ++ s = f->sentto; ++ do { ++ if ((type == (s->flags & SERV_TYPE)) && ++ (type != SERV_HAS_DOMAIN || ++ (s->domain && hostname_isequal(f->sentto->domain, s->domain))) && ++ !(s->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)) && ++ s->sfd && s->sfd->fd == fd) ++ return f; ++ ++ s = s->next ? 
s->next : daemon->servers; ++ } while (s != f->sentto); + +- /* sent to upstream from bound socket. */ +- if (f->sentto->sfd && f->sentto->sfd->fd == fd) +- return f; +- } +- + return NULL; + } + +@@ -2454,30 +2546,26 @@ static struct frec *lookup_frec_by_query + void resend_query() + { + if (daemon->srv_save) +- { +- int fd; +- +- if (daemon->srv_save->sfd) +- fd = daemon->srv_save->sfd->fd; +- else if (daemon->rfd_save && daemon->rfd_save->refcount != 0) +- fd = daemon->rfd_save->fd; +- else +- return; +- +- while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0, +- &daemon->srv_save->addr.sa, +- sa_len(&daemon->srv_save->addr)))); +- } ++ while(retry_send(sendto(daemon->fd_save, daemon->packet, daemon->packet_len, 0, ++ &daemon->srv_save->addr.sa, ++ sa_len(&daemon->srv_save->addr)))); + } + + /* A server record is going away, remove references to it */ + void server_gone(struct server *server) + { + struct frec *f; ++ int i; + + for (f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->sentto == server) + free_frec(f); ++ ++ /* If any random socket refers to this server, NULL the reference. ++ No more references to the socket will be created in the future. 
*/ ++ for (i = 0; i < RANDOM_SOCKS; i++) ++ if (daemon->randomsocks[i].refcount != 0 && daemon->randomsocks[i].serv == server) ++ daemon->randomsocks[i].serv = NULL; + + if (daemon->last_server == server) + daemon->last_server = NULL; +Index: dnsmasq-2.81/src/loop.c +=================================================================== +--- dnsmasq-2.81.orig/src/loop.c ++++ dnsmasq-2.81/src/loop.c +@@ -22,6 +22,7 @@ static ssize_t loop_make_probe(u32 uid); + void loop_send_probes() + { + struct server *serv; ++ struct randfd_list *rfds = NULL; + + if (!option_bool(OPT_LOOP_DETECT)) + return; +@@ -34,22 +35,15 @@ void loop_send_probes() + { + ssize_t len = loop_make_probe(serv->uid); + int fd; +- struct randfd *rfd = NULL; + +- if (serv->sfd) +- fd = serv->sfd->fd; +- else +- { +- if (!(rfd = allocate_rfd(serv->addr.sa.sa_family))) +- continue; +- fd = rfd->fd; +- } ++ if ((fd = allocate_rfd(&rfds, serv)) == -1) ++ continue; + + while (retry_send(sendto(fd, daemon->packet, len, 0, + &serv->addr.sa, sa_len(&serv->addr)))); +- +- free_rfd(rfd); + } ++ ++ free_rfds(&rfds); + } + + static ssize_t loop_make_probe(u32 uid) +Index: dnsmasq-2.81/src/network.c +=================================================================== +--- dnsmasq-2.81.orig/src/network.c ++++ dnsmasq-2.81/src/network.c +@@ -545,6 +545,7 @@ int enumerate_interfaces(int reset) + #ifdef HAVE_AUTH + struct auth_zone *zone; + #endif ++ struct server *serv; + + /* Do this max once per select cycle - also inhibits netlink socket use + in TCP child processes. */ +@@ -562,7 +563,21 @@ int enumerate_interfaces(int reset) + + if ((param.fd = socket(PF_INET, SOCK_DGRAM, 0)) == -1) + return 0; +- ++ ++ /* iface indexes can change when interfaces are created/destroyed. ++ We use them in the main forwarding control path, when the path ++ to a server is specified by an interface, so cache them. ++ Update the cache here. 
*/ ++ for (serv = daemon->servers; serv; serv = serv->next) ++ if (strlen(serv->interface) != 0) ++ { ++ struct ifreq ifr; ++ ++ safe_strncpy(ifr.ifr_name, serv->interface, IF_NAMESIZE); ++ if (ioctl(param.fd, SIOCGIFINDEX, &ifr) != -1) ++ serv->ifindex = ifr.ifr_ifindex; ++ } ++ + /* Mark interfaces for garbage collection */ + for (iface = daemon->interfaces; iface; iface = iface->next) + iface->found = 0; +@@ -658,7 +673,7 @@ int enumerate_interfaces(int reset) + + errno = errsave; + spare = param.spare; +- ++ + return ret; + } + +@@ -798,10 +813,10 @@ int tcp_interface(int fd, int af) + /* use mshdr so that the CMSDG_* macros are available */ + msg.msg_control = daemon->packet; + msg.msg_controllen = len = daemon->packet_buff_sz; +- ++ + /* we overwrote the buffer... */ + daemon->srv_save = NULL; +- ++ + if (af == AF_INET) + { + if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &opt, sizeof(opt)) != -1 && +@@ -1102,59 +1117,6 @@ void join_multicast(int dienow) + } + #endif + +-/* return a UDP socket bound to a random port, have to cope with straying into +- occupied port nos and reserved ones. */ +-int random_sock(int family) +-{ +- int fd; +- +- if ((fd = socket(family, SOCK_DGRAM, 0)) != -1) +- { +- union mysockaddr addr; +- unsigned int ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1; +- int tries = ports_avail < 30 ? 3 * ports_avail : 100; +- +- memset(&addr, 0, sizeof(addr)); +- addr.sa.sa_family = family; +- +- /* don't loop forever if all ports in use. 
*/ +- +- if (fix_fd(fd)) +- while(tries--) +- { +- unsigned short port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail))); +- +- if (family == AF_INET) +- { +- addr.in.sin_addr.s_addr = INADDR_ANY; +- addr.in.sin_port = port; +-#ifdef HAVE_SOCKADDR_SA_LEN +- addr.in.sin_len = sizeof(struct sockaddr_in); +-#endif +- } +- else +- { +- addr.in6.sin6_addr = in6addr_any; +- addr.in6.sin6_port = port; +-#ifdef HAVE_SOCKADDR_SA_LEN +- addr.in6.sin6_len = sizeof(struct sockaddr_in6); +-#endif +- } +- +- if (bind(fd, (struct sockaddr *)&addr, sa_len(&addr)) == 0) +- return fd; +- +- if (errno != EADDRINUSE && errno != EACCES) +- break; +- } +- +- close(fd); +- } +- +- return -1; +-} +- +- + int local_bind(int fd, union mysockaddr *addr, char *intname, unsigned int ifindex, int is_tcp) + { + union mysockaddr addr_copy = *addr; +@@ -1199,38 +1161,33 @@ int local_bind(int fd, union mysockaddr + return 1; + } + +-static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname) ++static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname, unsigned int ifindex) + { + struct serverfd *sfd; +- unsigned int ifindex = 0; + int errsave; + int opt = 1; + + /* when using random ports, servers which would otherwise use +- the INADDR_ANY/port0 socket have sfd set to NULL */ +- if (!daemon->osport && intname[0] == 0) ++ the INADDR_ANY/port0 socket have sfd set to NULL, this is ++ anything without an explictly set source port. 
*/ ++ if (!daemon->osport) + { + errno = 0; + + if (addr->sa.sa_family == AF_INET && +- addr->in.sin_addr.s_addr == INADDR_ANY && + addr->in.sin_port == htons(0)) + return NULL; + + if (addr->sa.sa_family == AF_INET6 && +- memcmp(&addr->in6.sin6_addr, &in6addr_any, sizeof(in6addr_any)) == 0 && + addr->in6.sin6_port == htons(0)) + return NULL; + } + +- if (intname && strlen(intname) != 0) +- ifindex = if_nametoindex(intname); /* index == 0 when not binding to an interface */ +- + /* may have a suitable one already */ + for (sfd = daemon->sfds; sfd; sfd = sfd->next ) +- if (sockaddr_isequal(&sfd->source_addr, addr) && +- strcmp(intname, sfd->interface) == 0 && +- ifindex == sfd->ifindex) ++ if (ifindex == sfd->ifindex && ++ sockaddr_isequal(&sfd->source_addr, addr) && ++ strcmp(intname, sfd->interface) == 0) + return sfd; + + /* need to make a new one. */ +@@ -1281,7 +1238,7 @@ void pre_allocate_sfds(void) + #ifdef HAVE_SOCKADDR_SA_LEN + addr.in.sin_len = sizeof(struct sockaddr_in); + #endif +- if ((sfd = allocate_sfd(&addr, ""))) ++ if ((sfd = allocate_sfd(&addr, "", 0))) + sfd->preallocated = 1; + + memset(&addr, 0, sizeof(addr)); +@@ -1291,13 +1248,13 @@ void pre_allocate_sfds(void) + #ifdef HAVE_SOCKADDR_SA_LEN + addr.in6.sin6_len = sizeof(struct sockaddr_in6); + #endif +- if ((sfd = allocate_sfd(&addr, ""))) ++ if ((sfd = allocate_sfd(&addr, "", 0))) + sfd->preallocated = 1; + } + + for (srv = daemon->servers; srv; srv = srv->next) + if (!(srv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)) && +- !allocate_sfd(&srv->source_addr, srv->interface) && ++ !allocate_sfd(&srv->source_addr, srv->interface, srv->ifindex) && + errno != 0 && + option_bool(OPT_NOWILD)) + { +@@ -1506,7 +1463,7 @@ void check_servers(void) + + /* Do we need a socket set? 
*/ + if (!serv->sfd && +- !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface)) && ++ !(serv->sfd = allocate_sfd(&serv->source_addr, serv->interface, serv->ifindex)) && + errno != 0) + { + my_syslog(LOG_WARNING, +Index: dnsmasq-2.81/src/option.c +=================================================================== +--- dnsmasq-2.81.orig/src/option.c ++++ dnsmasq-2.81/src/option.c +@@ -810,7 +810,8 @@ char *parse_server(char *arg, union myso + if (interface_opt) + { + #if defined(SO_BINDTODEVICE) +- safe_strncpy(interface, interface_opt, IF_NAMESIZE); ++ safe_strncpy(interface, source, IF_NAMESIZE); ++ source = interface_opt; + #else + return _("interface binding not supported"); + #endif +Index: dnsmasq-2.81/src/tftp.c +=================================================================== +--- dnsmasq-2.81.orig/src/tftp.c ++++ dnsmasq-2.81/src/tftp.c +@@ -601,7 +601,7 @@ void check_tftp_listeners(time_t now) + + /* we overwrote the buffer... */ + daemon->srv_save = NULL; +- ++ + if ((len = get_block(daemon->packet, transfer)) == -1) + { + len = tftp_err_oops(daemon->packet, transfer->file->filename); +Index: dnsmasq-2.81/src/util.c +=================================================================== +--- dnsmasq-2.81.orig/src/util.c ++++ dnsmasq-2.81/src/util.c +@@ -316,7 +316,7 @@ void *whine_malloc(size_t size) + return ret; + } + +-int sockaddr_isequal(union mysockaddr *s1, union mysockaddr *s2) ++int sockaddr_isequal(const union mysockaddr *s1, const union mysockaddr *s2) + { + if (s1->sa.sa_family == s2->sa.sa_family) + { diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch new file mode 100644 index 0000000000..b2ef22c06f --- /dev/null +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq/CVE-2022-0934.patch 
@@ -0,0 +1,188 @@ +From 70df9f9104c8f0661966298b58caf794b99e26e1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Thu, 22 Sep 2022 17:39:21 +0530 +Subject: [PATCH] CVE-2022-0934 + +Upstream-Status: Backport [https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39] +CVE: CVE-2022-0934 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + CHANGELOG | 2 ++ + src/rfc3315.c | 48 +++++++++++++++++++++++++++--------------------- + 2 files changed, 29 insertions(+), 21 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 60b08d0..d1d7e41 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -88,6 +88,8 @@ version 2.81 + + Add --script-on-renewal option. + ++ Fix write-after-free error in DHCPv6 server code. ++ CVE-2022-0934 refers. + + version 2.80 + Add support for RFC 4039 DHCP rapid commit. Thanks to Ashram Method +diff --git a/src/rfc3315.c b/src/rfc3315.c +index b3f0a0a..eef1360 100644 +--- a/src/rfc3315.c ++++ b/src/rfc3315.c +@@ -33,9 +33,9 @@ struct state { + unsigned int mac_len, mac_type; + }; + +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now); +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now); ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now); + static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts); + static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string); + static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string); +@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if + } + + /* This cost me blood to write, it will 
probably cost you blood to understand - srk. */ +-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, ++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz, + struct in6_addr *client_addr, int is_unicast, time_t now) + { + void *end = inbuff + sz; + void *opts = inbuff + 34; +- int msg_type = *((unsigned char *)inbuff); ++ int msg_type = *inbuff; + unsigned char *outmsgtypep; + void *opt; + struct dhcp_vendor *vendor; +@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz, + return 1; + } + +-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now) ++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now) + { + void *opt; +- int i, o, o1, start_opts; ++ int i, o, o1, start_opts, start_msg; + struct dhcp_opt *opt_cfg; + struct dhcp_netid *tagif; + struct dhcp_config *config = NULL; + struct dhcp_netid known_id, iface_id, v6_id; +- unsigned char *outmsgtypep; ++ unsigned char outmsgtype; + struct dhcp_vendor *vendor; + struct dhcp_context *context_tmp; + struct dhcp_mac *mac_opt; +@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + v6_id.next = state->tags; + state->tags = &v6_id; + +- /* copy over transaction-id, and save pointer to message type */ +- if (!(outmsgtypep = put_opt6(inbuff, 4))) ++ start_msg = save_counter(-1); ++ /* copy over transaction-id */ ++ if (!put_opt6(inbuff, 4)) + return 0; + start_opts = save_counter(-1); +- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16; +- ++ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16; ++ + /* We're going to be linking tags from all context we use. 
+ mark them as unused so we don't link one twice and break the list */ + for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current) +@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE)) + + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + o1 = new_opt6(OPTION6_STATUS_CODE); + put_opt6_short(DHCP6USEMULTI); + put_opt6_string("Use multicast"); +@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + struct dhcp_netid *solicit_tags; + struct dhcp_context *c; + +- *outmsgtypep = DHCP6ADVERTISE; ++ outmsgtype = DHCP6ADVERTISE; + + if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0)) + { +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + o = new_opt6(OPTION6_RAPID_COMMIT); + end_opt6(o); +@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int start = save_counter(-1); + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + state->lease_allocate = 1; + + log6_quiet(state, "DHCPREQUEST", NULL, ignore ? 
_("ignored") : NULL); +@@ -921,7 +922,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RENEW: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRENEW", NULL, NULL); + +@@ -1033,7 +1034,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + int good_addr = 0; + + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPCONFIRM", NULL, NULL); + +@@ -1097,7 +1098,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname); + if (ignore) + return 0; +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + tagif = add_options(state, 1); + break; + } +@@ -1106,7 +1107,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6RELEASE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPRELEASE", NULL, NULL); + +@@ -1171,7 +1172,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + case DHCP6DECLINE: + { + /* set reply message type */ +- *outmsgtypep = DHCP6REPLY; ++ outmsgtype = DHCP6REPLY; + + log6_quiet(state, "DHCPDECLINE", NULL, NULL); + +@@ -1251,7 +1252,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_ + } + + } +- ++ ++ /* Fill in the message type. Note that we store the offset, ++ not a direct pointer, since the packet memory may have been ++ reallocated. */ ++ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype; ++ + log_tags(tagif, state->xid); + log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1)); + +-- +2.25.1 + 
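Review bot: `unsigned char outmsgtype;` is declared without an initial value in dhcp6_no_relay, yet the added store near the end, `((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;`, writes it into the reply unconditionally. The hunks show it assigned in each message-type case they touch, but most of the function lies outside them, so it cannot be confirmed here that every path reaching the store sets it. Initialising at the declaration, for example `unsigned char outmsgtype = DHCP6REPLY;`, would keep an indeterminate byte out of the outgoing packet. Keeping the offset `start_msg` instead of a pointer is the right shape, since the added comment notes the packet memory may be reallocated.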
diff --git a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb index a1dc0f3a0a..8db57edb79 100644 --- a/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb +++ b/meta-networking/recipes-support/dnsmasq/dnsmasq_2.81.bb @@ -10,4 +10,6 @@ SRC_URI += "\ file://CVE-2020-25685-2.patch \ file://CVE-2020-25686-1.patch \ file://CVE-2020-25686-2.patch \ + file://CVE-2021-3448.patch \ + file://CVE-2022-0934.patch \ " diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch new file mode 100644 index 0000000000..5580cd409f --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch @@ -0,0 +1,30 @@ +From bd9d2fe7da833f0e4705a8280efc56930371806b Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@open-xchange.com> +Date: Wed, 6 May 2020 13:40:36 +0300 +Subject: [PATCH 1/3] auth: mech-rpa - Fail on zero len buffer + +--- + src/auth/mech-rpa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12674 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/auth/mech-rpa.c b/src/auth/mech-rpa.c +index 08298ebdd6..2de8705b4f 100644 +--- a/src/auth/mech-rpa.c ++++ b/src/auth/mech-rpa.c +@@ -224,7 +224,7 @@ rpa_read_buffer(pool_t pool, const unsigned char **data, + return 0; + + len = *p++; +- if (p + len > end) ++ if (p + len > end || len == 0) + return 0; + + *buffer = p_malloc(pool, len); +-- +2.11.0 
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch index f86235076e..3f87714dcc 100644 --- a/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-configure.ac-convert-AC_TRY_RUN-to-AC_TRY_LINK-state.patch @@ -13,11 +13,11 @@ Signed-off-by: Li Xin <lixin.fnst@cn.fujitsu.com> configure.ac | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) -diff --git a/configure.ac b/configure.ac -index 3b32614..94ec002 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -519,13 +519,10 @@ have_ioloop=no +Index: dovecot-2.2.36.4/configure.ac +=================================================================== +--- dovecot-2.2.36.4.orig/configure.ac ++++ dovecot-2.2.36.4/configure.ac +@@ -490,13 +490,10 @@ have_ioloop=no if test "$ioloop" = "best" || test "$ioloop" = "epoll"; then AC_CACHE_CHECK([whether we can use epoll],i_cv_epoll_works,[ @@ -34,7 +34,7 @@ index 3b32614..94ec002 100644 ], [ i_cv_epoll_works=yes ], [ -@@ -653,7 +650,7 @@ fi +@@ -596,7 +593,7 @@ fi dnl * Old glibcs have broken posix_fallocate(). Make sure not to use it. dnl * It may also be broken in AIX. AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ @@ -43,7 +43,7 @@ index 3b32614..94ec002 100644 #define _XOPEN_SOURCE 600 #include <stdio.h> #include <stdlib.h> -@@ -662,7 +659,7 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ +@@ -605,7 +602,7 @@ AC_CACHE_CHECK([whether posix_fallocate( #if defined(__GLIBC__) && (__GLIBC__ < 2 || __GLIBC_MINOR__ < 7) possibly broken posix_fallocate #endif 
@@ -52,7 +52,7 @@ index 3b32614..94ec002 100644 int fd = creat("conftest.temp", 0600); int ret; if (fd == -1) { -@@ -671,8 +668,6 @@ AC_CACHE_CHECK([whether posix_fallocate() works],i_cv_posix_fallocate_works,[ +@@ -614,8 +611,6 @@ AC_CACHE_CHECK([whether posix_fallocate( } ret = posix_fallocate(fd, 1024, 1024) < 0 ? 1 : 0; unlink("conftest.temp"); @@ -61,6 +61,3 @@ index 3b32614..94ec002 100644 ], [ i_cv_posix_fallocate_works=yes ], [ --- -1.8.4.2 - diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch index 65ae9bf910..3170ae8658 100644 --- a/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch +++ b/meta-networking/recipes-support/dovecot/dovecot/0001-doveadm-Fix-parallel-build.patch @@ -18,11 +18,11 @@ Signed-off-by: Khem Raj <raj.khem@gmail.com> src/doveadm/Makefile.am | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -diff --git a/src/doveadm/Makefile.am b/src/doveadm/Makefile.am -index c644646..6ae9144 100644 ---- a/src/doveadm/Makefile.am -+++ b/src/doveadm/Makefile.am -@@ -180,8 +180,8 @@ test_libs = \ +Index: dovecot-2.2.36.4/src/doveadm/Makefile.am +=================================================================== +--- dovecot-2.2.36.4.orig/src/doveadm/Makefile.am ++++ dovecot-2.2.36.4/src/doveadm/Makefile.am +@@ -182,8 +182,8 @@ test_libs = \ ../lib/liblib.la test_deps = $(noinst_LTLIBRARIES) $(test_libs) @@ -33,6 +33,3 @@ index c644646..6ae9144 100644 test_doveadm_util_DEPENDENCIES = $(test_deps) check: check-am check-test --- -2.14.2 - diff --git a/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch new file mode 100644 index 0000000000..583f71ca58 --- /dev/null 
+++ b/meta-networking/recipes-support/dovecot/dovecot/0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch 
@@ -0,0 +1,76 @@ +From 667d353b0f217372e8cc43ea4fe13466689c7ed0 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 11:33:31 +0300 +Subject: [PATCH 01/13] lib-mail: message-parser - Add a message_part_finish() + helper function + +--- + src/lib-mail/message-parser.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index b1de1950a..aaa8dd8b7 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -195,6 +195,13 @@ message_part_append(pool_t pool, struct message_part *parent) + return part; + } + ++static void message_part_finish(struct message_parser_ctx *ctx) ++{ ++ message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); ++ message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); ++ ctx->part = ctx->part->parent; ++} ++ + static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; +@@ -312,19 +319,16 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + struct message_boundary *boundary, + struct message_block *block_r, bool first_line) + { +- struct message_part *part; + size_t line_size; + + i_assert(ctx->last_boundary == NULL); + + /* get back to parent MIME part, summing the child MIME part sizes + into parent's body sizes */ +- for (part = ctx->part; part != boundary->part; part = part->parent) { +- message_size_add(&part->parent->body_size, &part->body_size); +- message_size_add(&part->parent->body_size, &part->header_size); ++ while (ctx->part != boundary->part) { ++ message_part_finish(ctx); ++ i_assert(ctx->part != NULL); + } +- i_assert(part != 
NULL); +- ctx->part = part; + + if (boundary->epilogue_found) { + /* this boundary isn't needed anymore */ +@@ -1132,13 +1136,8 @@ int message_parser_parse_next_block(struct message_parser_ctx *ctx, + i_assert(ctx->input->eof || ctx->input->closed || + ctx->input->stream_errno != 0 || + ctx->broken_reason != NULL); +- while (ctx->part->parent != NULL) { +- message_size_add(&ctx->part->parent->body_size, +- &ctx->part->body_size); +- message_size_add(&ctx->part->parent->body_size, +- &ctx->part->header_size); +- ctx->part = ctx->part->parent; +- } ++ while (ctx->part->parent != NULL) ++ message_part_finish(ctx); + } + + if (block_r->size == 0) { +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch new file mode 100644 index 0000000000..9f24320ebf --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-mail-message-parser-Change-message_part_append-t.patch 
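Review bot: In parse_part_finish the new `i_assert(ctx->part != NULL);` runs only after message_part_finish() has already used `ctx->part->parent`, because the helper passes `&ctx->part->parent->body_size` to message_size_add() before stepping up. If boundary->part were ever not an ancestor of ctx->part, the bad access would happen before the assert could report it. Checking first, with `i_assert(ctx->part->parent != NULL);` at the top of the loop body or inside message_part_finish, would turn that case into a clean assertion failure. The removed loop had the same ordering, so this is not a regression. A one-line comment on message_part_finish saying that ctx->part must have a parent would document the precondition both callers rely on.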
@@ -0,0 +1,71 @@ +From de0da7bc8df55521db8fa787f88e293618c96386 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 11:34:22 +0300 +Subject: [PATCH 02/13] lib-mail: message-parser - Change message_part_append() + to do all work internally + +--- + src/lib-mail/message-parser.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index aaa8dd8b7..2edf3e7a6 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -167,16 +167,17 @@ static int message_parser_read_more(struct message_parser_ctx *ctx, + return 1; + } + +-static struct message_part * +-message_part_append(pool_t pool, struct message_part *parent) ++static void ++message_part_append(struct message_parser_ctx *ctx) + { ++ struct message_part *parent = ctx->part; + struct message_part *p, *part, **list; + + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | + MESSAGE_PART_FLAG_MESSAGE_RFC822)) != 0); + +- part = p_new(pool, struct message_part, 1); ++ part = p_new(ctx->part_pool, struct message_part, 1); + part->parent = parent; + for (p = parent; p != NULL; p = p->parent) + p->children_count++; +@@ -192,7 +193,7 @@ message_part_append(pool_t pool, struct message_part *parent) + list = &(*list)->next; + + *list = part; +- return part; ++ ctx->part = part; + } + + static void message_part_finish(struct message_parser_ctx *ctx) +@@ -220,7 +221,7 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx, + struct message_block *block_r) + { +- ctx->part = 
message_part_append(ctx->part_pool, ctx->part); ++ message_part_append(ctx); + return parse_next_header_init(ctx, block_r); + } + +@@ -270,7 +271,7 @@ boundary_line_find(struct message_parser_ctx *ctx, + static int parse_next_mime_header_init(struct message_parser_ctx *ctx, + struct message_block *block_r) + { +- ctx->part = message_part_append(ctx->part_pool, ctx->part); ++ message_part_append(ctx); + ctx->part->flags |= MESSAGE_PART_FLAG_IS_MIME; + + return parse_next_header_init(ctx, block_r); +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch new file mode 100644 index 0000000000..81aead8aad --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0002-lib-ntlm-Check-buffer-length-on-responses.patch 
@@ -0,0 +1,37 @@ +Backport of: + +From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@open-xchange.com> +Date: Mon, 18 May 2020 12:33:39 +0300 +Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses + +Add missing check for buffer length. + +If this is not checked, it is possible to send message which +causes read past buffer bug. + +Broken in c7480644202e5451fbed448508ea29a25cffc99c +--- + src/lib-ntlm/ntlm-message.c | 5 +++++ + 1 file changed, 5 insertions(+) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12673 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +--- a/src/lib-ntlm/ntlm-message.c ++++ b/src/lib-ntlm/ntlm-message.c +@@ -184,6 +184,11 @@ static int ntlmssp_check_buffer(const st + if (length == 0 && space == 0) + return 1; + ++ if (length > data_size) { ++ *error = "buffer length out of bounds"; ++ return 0; ++ } ++ + if (offset >= data_size) { + *error = "buffer offset out of bounds"; + return 0; diff --git a/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch new file mode 100644 index 0000000000..e530902350 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0003-lib-mail-message-parser-Optimize-updating-children_c.patch 
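Review bot: The added `length > data_size` test in ntlmssp_check_buffer bounds length on its own, and the following context line bounds offset on its own, but nothing visible in this hunk bounds their sum. The function continues past the hunk, so confirm that a later check rejects a range where offset plus length exceeds data_size. That check should be written so it cannot wrap, e.g. `length > data_size - offset` placed after the offset check. If the remaining code validates only the `space` field, a length larger than space would still need its own range check.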
@@ -0,0 +1,49 @@ +From a9800b436fcf1f9633c2b136a9c5cb7a486a8a52 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 11:36:48 +0300 +Subject: [PATCH 03/13] lib-mail: message-parser - Optimize updating + children_count + +--- + src/lib-mail/message-parser.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 2edf3e7a6..05768a058 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -171,7 +171,7 @@ static void + message_part_append(struct message_parser_ctx *ctx) + { + struct message_part *parent = ctx->part; +- struct message_part *p, *part, **list; ++ struct message_part *part, **list; + + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | +@@ -179,8 +179,6 @@ message_part_append(struct message_parser_ctx *ctx) + + part = p_new(ctx->part_pool, struct message_part, 1); + part->parent = parent; +- for (p = parent; p != NULL; p = p->parent) +- p->children_count++; + + /* set child position */ + part->physical_pos = +@@ -200,6 +198,7 @@ static void message_part_finish(struct message_parser_ctx *ctx) + { + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); + message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); ++ ctx->part->parent->children_count += 1 + ctx->part->children_count; + ctx->part = ctx->part->parent; + } + +-- +2.11.0 + 
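Review bot: With this change children_count is only added to the parent in message_part_finish, so while a part is still being parsed its ancestors' children_count no longer includes it or its descendants. That is a behaviour change for anything that reads the field before the part is finished, and nothing in the hunk documents it. A comment on the added line, such as `/* children_count is complete only once the part has been finished */`, would record the invariant. Readers of children_count outside this hunk should be checked for mid-parse use.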
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch new file mode 100644 index 0000000000..ba6667fa99 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0004-lib-mail-message-parser-Optimize-appending-new-part-.patch 
@@ -0,0 +1,90 @@ +From 99ee7596712cf0ea0a288b712bc898ecb2b35f9b Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 12:00:38 +0300 +Subject: [PATCH 04/13] lib-mail: message-parser - Optimize appending new part + to linked list + +--- + src/lib-mail/message-parser.c | 28 ++++++++++++++++++++++------ + 1 file changed, 22 insertions(+), 6 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +Index: dovecot-2.2.36.4/src/lib-mail/message-parser.c +=================================================================== +--- dovecot-2.2.36.4.orig/src/lib-mail/message-parser.c ++++ dovecot-2.2.36.4/src/lib-mail/message-parser.c +@@ -1,7 +1,7 @@ + /* Copyright (c) 2002-2018 Dovecot authors, see the included COPYING file */ + + #include "lib.h" +-#include "buffer.h" ++#include "array.h" + #include "str.h" + #include "istream.h" + #include "rfc822-parser.h" +@@ -34,6 +34,9 @@ struct message_parser_ctx { + const char *last_boundary; + struct message_boundary *boundaries; + ++ struct message_part **next_part; ++ ARRAY(struct message_part **) next_part_stack; ++ + size_t skip; + char last_chr; + unsigned int want_count; +@@ -171,7 +174,7 @@ static void + message_part_append(struct message_parser_ctx *ctx) + { + struct message_part *parent = ctx->part; +- struct message_part *part, **list; ++ struct message_part *part; + + i_assert(parent != NULL); + i_assert((parent->flags & (MESSAGE_PART_FLAG_MULTIPART | +@@ -186,16 +189,27 @@ message_part_append(struct message_parse + parent->body_size.physical_size + + parent->header_size.physical_size; + +- list = &part->parent->children; +- while (*list != NULL) +- list = &(*list)->next; ++ /* add to parent's linked list */ ++ *ctx->next_part = part; ++ /* update the parent's end-of-linked-list pointer */ ++ 
struct message_part **next_part = &part->next; ++ array_append(&ctx->next_part_stack, &next_part, 1); ++ /* This part is now the new parent for the next message_part_append() ++ call. Its linked list begins with the children pointer. */ ++ ctx->next_part = &part->children; + +- *list = part; + ctx->part = part; + } + + static void message_part_finish(struct message_parser_ctx *ctx) + { ++ struct message_part **const *parent_next_partp; ++ unsigned int count = array_count(&ctx->next_part_stack); ++ ++ parent_next_partp = array_idx(&ctx->next_part_stack, count-1); ++ array_delete(&ctx->next_part_stack, count-1, 1); ++ ctx->next_part = *parent_next_partp; ++ + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); + message_size_add(&ctx->part->parent->body_size, &ctx->part->header_size); + ctx->part->parent->children_count += 1 + ctx->part->children_count; +@@ -1062,7 +1076,9 @@ message_parser_init(pool_t part_pool, st + ctx = message_parser_init_int(input, hdr_flags, flags); + ctx->part_pool = part_pool; + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); ++ ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; ++ p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4); + return ctx; + } + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch new file mode 100644 index 0000000000..4e63509b45 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch 
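Review bot: In `message_part_finish()` the new lookup `array_idx(&ctx->next_part_stack, count-1)` runs without first establishing that the stack is non-empty, so an unbalanced finish would index with a wrapped-around `count-1`. `array_idx()` may already assert on an out-of-range index, but an explicit `i_assert(count > 0);` before the lookup documents the invariant that every finish is paired with an earlier `message_part_append()`. Both functions continue outside the hunk, so the pairing itself cannot be confirmed from here.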
@@ -0,0 +1,45 @@
+From e39c95b248917eb2b596ca55a957f3cbc7fd406f Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 12:10:07 +0300
+Subject: [PATCH 05/13] lib-mail: message-parser - Minor code cleanup to
+ finding the end of boundary line
+
+---
+ src/lib-mail/message-parser.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index ff4e09e5a..6c6a680b5 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -260,17 +260,16 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ }
+
+ /* need to find the end of line */
+- if (memchr(data + 2, '\n', size - 2) == NULL &&
+- size < BOUNDARY_END_MAX_LEN &&
++ data += 2;
++ size -= 2;
++ if (memchr(data, '\n', size) == NULL &&
++ size+2 < BOUNDARY_END_MAX_LEN &&
+ !ctx->input->eof && !full) {
+ /* no LF found */
+ ctx->want_count = BOUNDARY_END_MAX_LEN;
+ return 0;
+ }
+
+- data += 2;
+- size -= 2;
+-
+ *boundary_r = boundary_find(ctx->boundaries, data, size);
+ if (*boundary_r == NULL)
+ return -1;
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch
new file mode 100644
index 0000000000..1012d7983e
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch
@@ -0,0 +1,163 @@ +From aed125484a346b4893c1a169088c39fe7ced01f3 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 12:53:12 +0300 +Subject: [PATCH 06/13] lib-mail: message-parser - Truncate excessively long + MIME boundaries + +RFC 2046 requires that the boundaries are a maximum of 70 characters +(excluding the "--" prefix and suffix). We allow 80 characters for a bit of +extra safety. Anything longer than that is truncated and treated the same +as if it was just 80 characters. +--- + src/lib-mail/message-parser.c | 7 ++- + src/lib-mail/test-message-parser.c | 95 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 100 insertions(+), 2 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 6c6a680b5..92f541b02 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -10,7 +10,8 @@ + + /* RFC-2046 requires boundaries are max. 70 chars + "--" prefix + "--" suffix. + We'll add a bit more just in case. 
*/ +-#define BOUNDARY_END_MAX_LEN (70 + 2 + 2 + 10) ++#define BOUNDARY_STRING_MAX_LEN (70 + 10) ++#define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + + struct message_boundary { + struct message_boundary *next; +@@ -526,8 +527,10 @@ static void parse_content_type(struct message_parser_ctx *ctx, + rfc2231_parse(&parser, &results); + for (; *results != NULL; results += 2) { + if (strcasecmp(results[0], "boundary") == 0) { ++ /* truncate excessively long boundaries */ + ctx->last_boundary = +- p_strdup(ctx->parser_pool, results[1]); ++ p_strndup(ctx->parser_pool, results[1], ++ BOUNDARY_STRING_MAX_LEN); + break; + } + } +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 1f1aa1437..94aa3eb7c 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c +@@ -642,6 +642,100 @@ static void test_message_parser_no_eoh(void) + test_end(); + } + ++static void test_message_parser_long_mime_boundary(void) ++{ ++ /* Close the boundaries in wrong reverse order. But because all ++ boundaries are actually truncated to the same size (..890) it ++ works the same as if all of them were duplicate boundaries. 
*/ ++static const char input_msg[] = ++"Content-Type: multipart/mixed; boundary=\"1234567890123456789012345678901234567890123456789012345678901234567890123456789012\"\n" ++"\n" ++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n" ++"Content-Type: multipart/mixed; boundary=\"123456789012345678901234567890123456789012345678901234567890123456789012345678901\"\n" ++"\n" ++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n" ++"Content-Type: multipart/mixed; boundary=\"12345678901234567890123456789012345678901234567890123456789012345678901234567890\"\n" ++"\n" ++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n" ++"Content-Type: text/plain\n" ++"\n" ++"1\n" ++"--1234567890123456789012345678901234567890123456789012345678901234567890123456789012\n" ++"Content-Type: text/plain\n" ++"\n" ++"22\n" ++"--123456789012345678901234567890123456789012345678901234567890123456789012345678901\n" ++"Content-Type: text/plain\n" ++"\n" ++"333\n" ++"--12345678901234567890123456789012345678901234567890123456789012345678901234567890\n" ++"Content-Type: text/plain\n" ++"\n" ++"4444\n"; ++ struct message_parser_ctx *parser; ++ struct istream *input; ++ struct message_part *parts, *part; ++ struct message_block block; ++ pool_t pool; ++ int ret; ++ ++ test_begin("message parser long mime boundary"); ++ pool = pool_alloconly_create("message parser", 10240); ++ input = test_istream_create(input_msg); ++ ++ parser = message_parser_init(pool, input, 0, 0); ++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ; ++ test_assert(ret < 0); ++ message_parser_deinit(&parser, &parts); ++ ++ part = parts; ++ test_assert(part->children_count == 6); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 126); ++ test_assert(part->header_size.virtual_size 
== 126+2); ++ test_assert(part->body_size.lines == 22); ++ test_assert(part->body_size.physical_size == 871); ++ test_assert(part->body_size.virtual_size == 871+22); ++ ++ part = parts->children; ++ test_assert(part->children_count == 5); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 125); ++ test_assert(part->header_size.virtual_size == 125+2); ++ test_assert(part->body_size.lines == 19); ++ test_assert(part->body_size.physical_size == 661); ++ test_assert(part->body_size.virtual_size == 661+19); ++ ++ part = parts->children->children; ++ test_assert(part->children_count == 4); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_MULTIPART | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 124); ++ test_assert(part->header_size.virtual_size == 124+2); ++ test_assert(part->body_size.lines == 16); ++ test_assert(part->body_size.physical_size == 453); ++ test_assert(part->body_size.virtual_size == 453+16); ++ ++ part = parts->children->children->children; ++ for (unsigned int i = 1; i <= 3; i++, part = part->next) { ++ test_assert(part->children_count == 0); ++ test_assert(part->flags == (MESSAGE_PART_FLAG_TEXT | MESSAGE_PART_FLAG_IS_MIME)); ++ test_assert(part->header_size.lines == 2); ++ test_assert(part->header_size.physical_size == 26); ++ test_assert(part->header_size.virtual_size == 26+2); ++ test_assert(part->body_size.lines == 0); ++ test_assert(part->body_size.physical_size == i); ++ test_assert(part->body_size.virtual_size == i); ++ } ++ ++ test_parsed_parts(input, parts); ++ i_stream_unref(&input); ++ pool_unref(&pool); ++ test_end(); ++} ++ + int main(void) + { + static void (*test_functions[])(void) = { +@@ -654,6 +748,7 @@ int main(void) + test_message_parser_garbage_suffix_mime_boundary, + test_message_parser_continuing_mime_boundary, + 
test_message_parser_continuing_truncated_mime_boundary, ++ test_message_parser_long_mime_boundary, + test_message_parser_no_eoh, + NULL + }; +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch new file mode 100644 index 0000000000..eeb6c96f1a --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch 
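Review bot: The truncation in `parse_content_type()` makes any two boundaries that agree in their first `BOUNDARY_STRING_MAX_LEN` bytes indistinguishable, which the new test relies on but the code comment does not say. I would widen the comment to `/* truncate excessively long boundaries; boundaries sharing the first BOUNDARY_STRING_MAX_LEN bytes then match as duplicates */`. This matters to anyone comparing this parser's view of a message with another MIME parser's, for instance a content filter placed in front of it, since the two may disagree on part structure for over-long boundaries.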
@@ -0,0 +1,72 @@ +From 5f8de52fec3191a1aa68a399ee2068485737dc4f Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 13:06:02 +0300 +Subject: [PATCH 07/13] lib-mail: message-parser - Optimize boundary lookups + when exact boundary is found + +When an exact boundary is found, there's no need to continue looking for +more boundaries. +--- + src/lib-mail/message-parser.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 92f541b02..c2934c761 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -80,8 +80,14 @@ boundary_find(struct message_boundary *boundaries, + while (boundaries != NULL) { + if (boundaries->len <= len && + memcmp(boundaries->boundary, data, boundaries->len) == 0 && +- (best == NULL || best->len < boundaries->len)) ++ (best == NULL || best->len < boundaries->len)) { + best = boundaries; ++ if (best->len == len) { ++ /* This is exactly the wanted boundary. There ++ can't be a better one. 
*/ ++ break; ++ } ++ } + + boundaries = boundaries->next; + } +@@ -263,15 +269,27 @@ boundary_line_find(struct message_parser_ctx *ctx, + /* need to find the end of line */ + data += 2; + size -= 2; +- if (memchr(data, '\n', size) == NULL && ++ const unsigned char *lf_pos = memchr(data, '\n', size); ++ if (lf_pos == NULL && + size+2 < BOUNDARY_END_MAX_LEN && + !ctx->input->eof && !full) { + /* no LF found */ + ctx->want_count = BOUNDARY_END_MAX_LEN; + return 0; + } +- +- *boundary_r = boundary_find(ctx->boundaries, data, size); ++ size_t find_size = size; ++ ++ if (lf_pos != NULL) { ++ find_size = lf_pos - data; ++ if (find_size > 0 && data[find_size-1] == '\r') ++ find_size--; ++ if (find_size > 2 && data[find_size-1] == '-' && ++ data[find_size-2] == '-') ++ find_size -= 2; ++ } else if (find_size > BOUNDARY_END_MAX_LEN) ++ find_size = BOUNDARY_END_MAX_LEN; ++ ++ *boundary_r = boundary_find(ctx->boundaries, data, find_size); + if (*boundary_r == NULL) + return -1; + +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch new file mode 100644 index 0000000000..4af070a879 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch 
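Review bot: The `find_size -= 2;` in `boundary_line_find()` strips a trailing `--` before the lookup, so a boundary whose own name ends in `--` can no longer be matched in full. Patch 12/13 later in this series replaces that line with a `trailing_dashes` flag passed to `boundary_find()`, so the two patches have to be carried together. A one-line remark in this patch's header saying that 12/13 corrects this hunk would stop someone picking 07 on its own. `boundary_line_find()` starts and ends outside the hunk.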
@@ -0,0 +1,50 @@
+From 929396767d831bedbdec6392aaa835b045332fd3 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 23 Apr 2020 14:53:27 +0300
+Subject: [PATCH 08/13] lib-mail: message-parser - Add boundary_remove_until()
+ helper function
+
+---
+ src/lib-mail/message-parser.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index c2934c761..028f74159 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -223,6 +223,13 @@ static void message_part_finish(struct message_parser_ctx *ctx)
+ ctx->part = ctx->part->parent;
+ }
+
++static void
++boundary_remove_until(struct message_parser_ctx *ctx,
++ struct message_boundary *boundary)
++{
++ ctx->boundaries = boundary;
++}
++
+ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx)
+ {
+ struct message_boundary *b;
+@@ -364,10 +371,10 @@ static int parse_part_finish(struct message_parser_ctx *ctx,
+
+ if (boundary->epilogue_found) {
+ /* this boundary isn't needed anymore */
+- ctx->boundaries = boundary->next;
++ boundary_remove_until(ctx, boundary->next);
+ } else {
+ /* forget about the boundaries we possibly skipped */
+- ctx->boundaries = boundary;
++ boundary_remove_until(ctx, boundary);
+ }
+
+ /* the boundary itself should already be in buffer. add that. */
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch
new file mode 100644
index 0000000000..aade7dc2b3
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch 
@@ -0,0 +1,169 @@ +From d53d83214b1d635446a8cf8ff9438cc530133d62 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 15:00:57 +0300 +Subject: [PATCH 09/13] lib-mail: message-parser - Don't use memory pool for + parser + +This reduces memory usage when parsing many MIME parts where boundaries are +being added and removed constantly. +--- + src/lib-mail/message-parser.c | 48 ++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 16 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 028f74159..8970d8e0e 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -17,14 +17,14 @@ struct message_boundary { + struct message_boundary *next; + + struct message_part *part; +- const char *boundary; ++ char *boundary; + size_t len; + + unsigned int epilogue_found:1; + }; + + struct message_parser_ctx { +- pool_t parser_pool, part_pool; ++ pool_t part_pool; + struct istream *input; + struct message_part *parts, *part; + const char *broken_reason; +@@ -32,7 +32,7 @@ struct message_parser_ctx { + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; + +- const char *last_boundary; ++ char *last_boundary; + struct message_boundary *boundaries; + + struct message_part **next_part; +@@ -223,10 +223,24 @@ static void message_part_finish(struct message_parser_ctx *ctx) + ctx->part = ctx->part->parent; + } + ++static void message_boundary_free(struct message_boundary *b) ++{ ++ i_free(b->boundary); ++ i_free(b); ++} ++ + static void + boundary_remove_until(struct message_parser_ctx *ctx, + struct message_boundary *boundary) + { ++ while (ctx->boundaries != boundary) { ++ struct 
message_boundary *cur = ctx->boundaries; ++ ++ i_assert(cur != NULL); ++ ctx->boundaries = cur->next; ++ message_boundary_free(cur); ++ ++ } + ctx->boundaries = boundary; + } + +@@ -234,15 +248,14 @@ static void parse_next_body_multipart_init(struct message_parser_ctx *ctx) + { + struct message_boundary *b; + +- b = p_new(ctx->parser_pool, struct message_boundary, 1); ++ b = i_new(struct message_boundary, 1); + b->part = ctx->part; + b->boundary = ctx->last_boundary; ++ ctx->last_boundary = NULL; + b->len = strlen(b->boundary); + + b->next = ctx->boundaries; + ctx->boundaries = b; +- +- ctx->last_boundary = NULL; + } + + static int parse_next_body_message_rfc822_init(struct message_parser_ctx *ctx, +@@ -359,6 +372,8 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + struct message_block *block_r, bool first_line) + { + size_t line_size; ++ size_t boundary_len = boundary->len; ++ bool boundary_epilogue_found = boundary->epilogue_found; + + i_assert(ctx->last_boundary == NULL); + +@@ -391,7 +406,7 @@ static int parse_part_finish(struct message_parser_ctx *ctx, + i_assert(block_r->data[0] == '\n'); + line_size = 1; + } +- line_size += 2 + boundary->len + (boundary->epilogue_found ? 2 : 0); ++ line_size += 2 + boundary_len + (boundary_epilogue_found ? 
2 : 0); + i_assert(block_r->size >= ctx->skip + line_size); + block_r->size = line_size; + parse_body_add_block(ctx, block_r); +@@ -553,9 +568,9 @@ static void parse_content_type(struct message_parser_ctx *ctx, + for (; *results != NULL; results += 2) { + if (strcasecmp(results[0], "boundary") == 0) { + /* truncate excessively long boundaries */ ++ i_free(ctx->last_boundary); + ctx->last_boundary = +- p_strndup(ctx->parser_pool, results[1], +- BOUNDARY_STRING_MAX_LEN); ++ i_strndup(results[1], BOUNDARY_STRING_MAX_LEN); + break; + } + } +@@ -678,7 +693,7 @@ static int parse_next_header(struct message_parser_ctx *ctx, + i_assert(!ctx->multipart); + part->flags = 0; + } +- ctx->last_boundary = NULL; ++ i_free(ctx->last_boundary); + + if (!ctx->part_seen_content_type || + (part->flags & MESSAGE_PART_FLAG_IS_MIME) == 0) { +@@ -1081,11 +1096,8 @@ message_parser_init_int(struct istream *input, + enum message_parser_flags flags) + { + struct message_parser_ctx *ctx; +- pool_t pool; + +- pool = pool_alloconly_create("Message Parser", 1024); +- ctx = p_new(pool, struct message_parser_ctx, 1); +- ctx->parser_pool = pool; ++ ctx = i_new(struct message_parser_ctx, 1); + ctx->hdr_flags = hdr_flags; + ctx->flags = flags; + ctx->input = input; +@@ -1105,7 +1117,7 @@ message_parser_init(pool_t part_pool, struct istream *input, + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); + ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; +- p_array_init(&ctx->next_part_stack, ctx->parser_pool, 4); ++ i_array_init(&ctx->next_part_stack, 4); + return ctx; + } + +@@ -1146,8 +1158,12 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx, + + if (ctx->hdr_parser_ctx != NULL) + message_parse_header_deinit(&ctx->hdr_parser_ctx); ++ boundary_remove_until(ctx, NULL); + i_stream_unref(&ctx->input); +- pool_unref(&ctx->parser_pool); ++ if (array_is_created(&ctx->next_part_stack)) ++ array_free(&ctx->next_part_stack); ++ 
i_free(ctx->last_boundary); ++ i_free(ctx); + i_assert(ret < 0 || *parts_r != NULL); + return ret; + } +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch new file mode 100644 index 0000000000..ae52544665 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0010-lib-mail-message-parser-Support-limiting-max-number-.patch 
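Review bot: Replacing `ctx->last_boundary = NULL;` with `i_free(ctx->last_boundary);` in `parse_next_header()` is only safe if `i_free()` also resets its argument to NULL. `parse_content_type()` and `message_parser_deinit_from_parts()` free the same pointer again, and `parse_part_finish()` asserts that it is NULL. That looks like the intent, but the patch is backported from a 2.2.33.2 package onto a different tree, so it is worth confirming against the target's `imem.h`. Writing `i_free_and_null(ctx->last_boundary);` at the three sites would state the requirement outright.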
@@ -0,0 +1,188 @@ +From df9e0d358ef86e3342525dcdefcf79dc2d749a30 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 16:59:40 +0300 +Subject: [PATCH 10/13] lib-mail: message-parser - Support limiting max number + of nested MIME parts + +The default is to allow 100 nested MIME parts. When the limit is reached, +the innermost MIME part's body contains all the rest of the inner bodies +until a parent MIME part is reached. +--- + src/lib-mail/message-parser.c | 43 +++++++++++++++++++++++++++++++------- + src/lib-mail/test-message-parser.c | 31 +++++++++++++++++++++++++++ + 2 files changed, 67 insertions(+), 7 deletions(-) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 8970d8e0e..721615f76 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -13,6 +13,8 @@ + #define BOUNDARY_STRING_MAX_LEN (70 + 10) + #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + ++#define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100 ++ + struct message_boundary { + struct message_boundary *next; + +@@ -28,9 +30,11 @@ struct message_parser_ctx { + struct istream *input; + struct message_part *parts, *part; + const char *broken_reason; ++ unsigned int nested_parts_count; + + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; ++ unsigned int max_nested_mime_parts; + + char *last_boundary; + struct message_boundary *boundaries; +@@ -206,6 +210,8 @@ message_part_append(struct message_parser_ctx *ctx) + ctx->next_part = &part->children; + + ctx->part = part; ++ ctx->nested_parts_count++; ++ i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts); + } + + static void message_part_finish(struct 
message_parser_ctx *ctx) +@@ -213,8 +219,12 @@ static void message_part_finish(struct message_parser_ctx *ctx) + struct message_part **const *parent_next_partp; + unsigned int count = array_count(&ctx->next_part_stack); + ++ i_assert(ctx->nested_parts_count > 0); ++ ctx->nested_parts_count--; ++ + parent_next_partp = array_idx(&ctx->next_part_stack, count-1); + array_delete(&ctx->next_part_stack, count-1, 1); ++ + ctx->next_part = *parent_next_partp; + + message_size_add(&ctx->part->parent->body_size, &ctx->part->body_size); +@@ -592,6 +602,11 @@ static bool block_is_at_eoh(const struct message_block *block) + return FALSE; + } + ++static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx) ++{ ++ return ctx->nested_parts_count > ctx->max_nested_mime_parts; ++} ++ + #define MUTEX_FLAGS \ + (MESSAGE_PART_FLAG_MESSAGE_RFC822 | MESSAGE_PART_FLAG_MULTIPART) + +@@ -616,8 +631,12 @@ static int parse_next_header(struct message_parser_ctx *ctx, + "\n--boundary" belongs to us or to a previous boundary. + this is a problem if the boundary prefixes are identical, + because MIME requires only the prefix to match. */ +- parse_next_body_multipart_init(ctx); +- ctx->multipart = TRUE; ++ if (!parse_too_many_nested_mime_parts(ctx)) { ++ parse_next_body_multipart_init(ctx); ++ ctx->multipart = TRUE; ++ } else { ++ part->flags &= ~MESSAGE_PART_FLAG_MULTIPART; ++ } + } + + /* before parsing the header see if we can find a --boundary from here. 
+@@ -721,12 +740,16 @@ static int parse_next_header(struct message_parser_ctx *ctx, + i_assert(ctx->last_boundary == NULL); + ctx->multipart = FALSE; + ctx->parse_next_block = parse_next_body_to_boundary; +- } else if (part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) ++ } else if ((part->flags & MESSAGE_PART_FLAG_MESSAGE_RFC822) != 0 && ++ !parse_too_many_nested_mime_parts(ctx)) { + ctx->parse_next_block = parse_next_body_message_rfc822_init; +- else if (ctx->boundaries != NULL) +- ctx->parse_next_block = parse_next_body_to_boundary; +- else +- ctx->parse_next_block = parse_next_body_to_eof; ++ } else { ++ part->flags &= ~MESSAGE_PART_FLAG_MESSAGE_RFC822; ++ if (ctx->boundaries != NULL) ++ ctx->parse_next_block = parse_next_body_to_boundary; ++ else ++ ctx->parse_next_block = parse_next_body_to_eof; ++ } + + ctx->want_count = 1; + +@@ -1100,6 +1123,8 @@ message_parser_init_int(struct istream *input, + ctx = i_new(struct message_parser_ctx, 1); + ctx->hdr_flags = hdr_flags; + ctx->flags = flags; ++ ctx->max_nested_mime_parts = ++ MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS; + ctx->input = input; + i_stream_ref(input); + return ctx; +@@ -1159,6 +1184,10 @@ int message_parser_deinit_from_parts(struct message_parser_ctx **_ctx, + if (ctx->hdr_parser_ctx != NULL) + message_parse_header_deinit(&ctx->hdr_parser_ctx); + boundary_remove_until(ctx, NULL); ++ /* caller might have stopped the parsing early */ ++ i_assert(ctx->nested_parts_count == 0 || ++ i_stream_have_bytes_left(ctx->input)); ++ + i_stream_unref(&ctx->input); + if (array_is_created(&ctx->next_part_stack)) + array_free(&ctx->next_part_stack); +diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c +index 94aa3eb7c..481d05942 100644 +--- a/src/lib-mail/test-message-parser.c ++++ b/src/lib-mail/test-message-parser.c +@@ -166,6 +166,36 @@ static void test_message_parser_small_blocks(void) + test_end(); + } + ++static void test_message_parser_stop_early(void) ++{ ++ struct 
message_parser_ctx *parser; ++ struct istream *input; ++ struct message_part *parts; ++ struct message_block block; ++ unsigned int i; ++ pool_t pool; ++ int ret; ++ ++ test_begin("message parser stop early"); ++ pool = pool_alloconly_create("message parser", 10240); ++ input = test_istream_create(test_msg); ++ ++ test_istream_set_allow_eof(input, FALSE); ++ for (i = 1; i <= TEST_MSG_LEN+1; i++) { ++ i_stream_seek(input, 0); ++ test_istream_set_size(input, i); ++ parser = message_parser_init(pool, input, 0, 0); ++ while ((ret = message_parser_parse_next_block(parser, ++ &block)) > 0) ; ++ test_assert(ret == 0); ++ message_parser_deinit(&parser, &parts); ++ } ++ ++ i_stream_unref(&input); ++ pool_unref(&pool); ++ test_end(); ++} ++ + static void test_message_parser_truncated_mime_headers(void) + { + static const char input_msg[] = +@@ -740,6 +770,7 @@ int main(void) + { + static void (*test_functions[])(void) = { + test_message_parser_small_blocks, ++ test_message_parser_stop_early, + test_message_parser_truncated_mime_headers, + test_message_parser_truncated_mime_headers2, + test_message_parser_truncated_mime_headers3, +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch new file mode 100644 index 0000000000..52848bf3a7 --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0011-lib-mail-message-parser-Support-limiting-max-number-.patch 
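Review bot: `parse_too_many_nested_mime_parts()` tests `nested_parts_count > max_nested_mime_parts`, while the assertion added to `message_part_append()` requires `nested_parts_count < max_nested_mime_parts` after the increment, so the guard still lets a part through at the depth where the assertion fails. On mail from an untrusted sender that turns the intended graceful fallback into an assertion failure in the parser. Unless a later patch in the series (not visible here) already corrects it, the guard should read `return ctx->nested_parts_count+1 >= ctx->max_nested_mime_parts;`. The callers of `message_part_append()` are outside the hunks, so this assumes every append is preceded by that guard.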
@@ -0,0 +1,87 @@ +From d7bba401dd234802bcdb55ff27dfb99bffdab804 Mon Sep 17 00:00:00 2001 +From: Timo Sirainen <timo.sirainen@open-xchange.com> +Date: Thu, 23 Apr 2020 17:09:33 +0300 +Subject: [PATCH 11/13] lib-mail: message-parser - Support limiting max number + of MIME parts + +The default is to allow 10000 MIME parts. When it's reached, no more +MIME boundary lines will be recognized, so the rest of the mail belongs +to the last added MIME part. +--- + src/lib-mail/message-parser.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com> + +CVE: CVE-2020-12100 +Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz] +Comment: No change in any hunk + +diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c +index 721615f76..646307802 100644 +--- a/src/lib-mail/message-parser.c ++++ b/src/lib-mail/message-parser.c +@@ -14,6 +14,7 @@ + #define BOUNDARY_END_MAX_LEN (BOUNDARY_STRING_MAX_LEN + 2 + 2) + + #define MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS 100 ++#define MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS 10000 + + struct message_boundary { + struct message_boundary *next; +@@ -31,10 +32,12 @@ struct message_parser_ctx { + struct message_part *parts, *part; + const char *broken_reason; + unsigned int nested_parts_count; ++ unsigned int total_parts_count; + + enum message_header_parser_flags hdr_flags; + enum message_parser_flags flags; + unsigned int max_nested_mime_parts; ++ unsigned int max_total_mime_parts; + + char *last_boundary; + struct message_boundary *boundaries; +@@ -211,7 +214,9 @@ message_part_append(struct message_parser_ctx *ctx) + + ctx->part = part; + ctx->nested_parts_count++; ++ ctx->total_parts_count++; + i_assert(ctx->nested_parts_count < ctx->max_nested_mime_parts); ++ i_assert(ctx->total_parts_count <= ctx->max_total_mime_parts); + } + + static void message_part_finish(struct message_parser_ctx *ctx) +@@ 
-296,6 +301,12 @@ boundary_line_find(struct message_parser_ctx *ctx, + return -1; + } + ++ if (ctx->total_parts_count >= ctx->max_total_mime_parts) { ++ /* can't add any more MIME parts. just stop trying to find ++ more boundaries. */ ++ return -1; ++ } ++ + /* need to find the end of line */ + data += 2; + size -= 2; +@@ -1125,6 +1136,8 @@ message_parser_init_int(struct istream *input, + ctx->flags = flags; + ctx->max_nested_mime_parts = + MESSAGE_PARSER_DEFAULT_MAX_NESTED_MIME_PARTS; ++ ctx->max_total_mime_parts = ++ MESSAGE_PARSER_DEFAULT_MAX_TOTAL_MIME_PARTS; + ctx->input = input; + i_stream_ref(input); + return ctx; +@@ -1142,6 +1155,7 @@ message_parser_init(pool_t part_pool, struct istream *input, + ctx->parts = ctx->part = p_new(part_pool, struct message_part, 1); + ctx->next_part = &ctx->part->children; + ctx->parse_next_block = parse_next_header_init; ++ ctx->total_parts_count = 1; + i_array_init(&ctx->next_part_stack, 4); + return ctx; + } +-- +2.11.0 + diff --git a/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch new file mode 100644 index 0000000000..a81177d2ba --- /dev/null +++ b/meta-networking/recipes-support/dovecot/dovecot/0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch 
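Review bot: The total-part limit is checked only in `boundary_line_find()`, yet the new `i_assert(ctx->total_parts_count <= ctx->max_total_mime_parts)` in `message_part_append()` applies to every appended part. The `message/rfc822` branch that patch 10/13 adds to `parse_next_header()` tests only the nesting limit. If `parse_next_body_message_rfc822_init()` appends a child part (its body is not visible here), the assertion could be reached once the total is already at the limit. Adding `ctx->total_parts_count < ctx->max_total_mime_parts` to that `else if` condition would keep both limits on the non-asserting path.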
@@ -0,0 +1,133 @@
+From 0c9d56b41b992a868f299e05677a67c4d0495523 Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Thu, 2 Jul 2020 17:31:19 +0300
+Subject: [PATCH 12/13] lib-mail: Fix handling trailing "--" in MIME boundaries
+
+Broken by 5b8ec27fae941d06516c30476dcf4820c6d200ab
+---
+ src/lib-mail/message-parser.c | 14 ++++++++----
+ src/lib-mail/test-message-parser.c | 46 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 56 insertions(+), 4 deletions(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 646307802..175d4b488 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -75,7 +75,7 @@ static int preparsed_parse_next_header_init(struct message_parser_ctx *ctx,
+
+ static struct message_boundary *
+ boundary_find(struct message_boundary *boundaries,
+- const unsigned char *data, size_t len)
++ const unsigned char *data, size_t len, bool trailing_dashes)
+ {
+ struct message_boundary *best = NULL;
+
+@@ -89,7 +89,11 @@ boundary_find(struct message_boundary *boundaries,
+ memcmp(boundaries->boundary, data, boundaries->len) == 0 &&
+ (best == NULL || best->len < boundaries->len)) {
+ best = boundaries;
+- if (best->len == len) {
++ /* If we see "foo--", it could either mean that there
++ is a boundary named "foo" that ends now or there's
++ a boundary "foo--" which continues. */
++ if (best->len == len ||
++ (best->len == len-2 && trailing_dashes)) {
+ /* This is exactly the wanted boundary. There
+ can't be a better one. */
+ break;
+@@ -319,6 +323,7 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ return 0;
+ }
+ size_t find_size = size;
++ bool trailing_dashes = FALSE;
+
+ if (lf_pos != NULL) {
+ find_size = lf_pos - data;
+@@ -326,11 +331,12 @@ boundary_line_find(struct message_parser_ctx *ctx,
+ find_size--;
+ if (find_size > 2 && data[find_size-1] == '-' &&
+ data[find_size-2] == '-')
+- find_size -= 2;
++ trailing_dashes = TRUE;
+ } else if (find_size > BOUNDARY_END_MAX_LEN)
+ find_size = BOUNDARY_END_MAX_LEN;
+
+- *boundary_r = boundary_find(ctx->boundaries, data, find_size);
++ *boundary_r = boundary_find(ctx->boundaries, data, find_size,
++ trailing_dashes);
+ if (*boundary_r == NULL)
+ return -1;
+
+diff --git a/src/lib-mail/test-message-parser.c b/src/lib-mail/test-message-parser.c
+index 481d05942..113454ea0 100644
+--- a/src/lib-mail/test-message-parser.c
++++ b/src/lib-mail/test-message-parser.c
+@@ -510,6 +510,51 @@ static const char input_msg[] =
+ test_end();
+ }
+
++static void test_message_parser_trailing_dashes(void)
++{
++static const char input_msg[] =
++"Content-Type: multipart/mixed; boundary=\"a--\"\n"
++"\n"
++"--a--\n"
++"Content-Type: multipart/mixed; boundary=\"a----\"\n"
++"\n"
++"--a----\n"
++"Content-Type: text/plain\n"
++"\n"
++"body\n"
++"--a------\n"
++"Content-Type: text/html\n"
++"\n"
++"body2\n"
++"--a----";
++ struct message_parser_ctx *parser;
++ struct istream *input;
++ struct message_part *parts;
++ struct message_block block;
++ pool_t pool;
++ int ret;
++
++ test_begin("message parser trailing dashes");
++ pool = pool_alloconly_create("message parser", 10240);
++ input = test_istream_create(input_msg);
++
++ parser = message_parser_init(pool, input, 0, 0);
++ while ((ret = message_parser_parse_next_block(parser, &block)) > 0) ;
++ test_assert(ret < 0);
++ message_parser_deinit(&parser, &parts);
++
++ test_assert(parts->children_count == 2);
++ test_assert(parts->children->next == NULL);
++ test_assert(parts->children->children_count == 1);
++ test_assert(parts->children->children->next == NULL);
++ test_assert(parts->children->children->children_count == 0);
++
++ test_parsed_parts(input, parts);
++ i_stream_unref(&input);
++ pool_unref(&pool);
++ test_end();
++}
++
+ static void test_message_parser_continuing_mime_boundary(void)
+ {
+ static const char input_msg[] =
+@@ -777,6 +822,7 @@ int main(void)
+ test_message_parser_empty_multipart,
+ test_message_parser_duplicate_mime_boundary,
+ test_message_parser_garbage_suffix_mime_boundary,
++ test_message_parser_trailing_dashes,
+ test_message_parser_continuing_mime_boundary,
+ test_message_parser_continuing_truncated_mime_boundary,
+ test_message_parser_long_mime_boundary,
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch
new file mode 100644
index 0000000000..97068345fb
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch
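Review bot: boundary_find() gains a `trailing_dashes` parameter whose contract is stated nowhere: `len` still includes the two trailing dashes, and the `best->len == len-2` comparison is only meaningful because boundary_line_find() sets the flag under `find_size > 2`. Since `len` is a size_t, a later caller passing the flag with a shorter length would make `len-2` wrap. I would document this above boundary_find(), for example `/* trailing_dashes: data ends in "--" and len counts those two bytes; caller guarantees len > 2 */`. Both function bodies extend beyond the hunks shown.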
@@ -0,0 +1,32 @@
+From f77a2b6c3ffe2ea96f4a4b05ec38dc9d53266ecb Mon Sep 17 00:00:00 2001
+From: Timo Sirainen <timo.sirainen@open-xchange.com>
+Date: Wed, 27 May 2020 11:35:55 +0300
+Subject: [PATCH 13/13] lib-mail: Fix parse_too_many_nested_mime_parts()
+
+This was originally correct, until it was "optimized" wrong and got merged.
+---
+ src/lib-mail/message-parser.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+diff --git a/src/lib-mail/message-parser.c b/src/lib-mail/message-parser.c
+index 175d4b488..5b11772ff 100644
+--- a/src/lib-mail/message-parser.c
++++ b/src/lib-mail/message-parser.c
+@@ -621,7 +621,7 @@ static bool block_is_at_eoh(const struct message_block *block)
+
+ static bool parse_too_many_nested_mime_parts(struct message_parser_ctx *ctx)
+ {
+- return ctx->nested_parts_count > ctx->max_nested_mime_parts;
++ return ctx->nested_parts_count+1 >= ctx->max_nested_mime_parts;
+ }
+
+ #define MUTEX_FLAGS \
+--
+2.11.0
+
diff --git a/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch
new file mode 100644
index 0000000000..44f6564f89
--- /dev/null
+++ b/meta-networking/recipes-support/dovecot/dovecot/buffer_free_fix.patch
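Review bot: This one-line fix to a security limit ships without a test, so nothing pins the boundary it corrects; the diffstat shows only message-parser.c changed. The `+1 >=` form is required because message_part_append() (patch 11 of this series) increments `nested_parts_count` and then asserts `nested_parts_count < max_nested_mime_parts`, so the old `>` comparison presumably let the count reach that assertion. A comment on the function such as `/* append increments first and asserts count < max, hence +1 >= */` and a case in test-message-parser.c nested exactly to the limit would keep a later cleanup from reintroducing the mismatch.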
@@ -0,0 +1,27 @@
+From 1a6ff0beebf0ab0c71081eaff1d5d7fd26015a94 Mon Sep 17 00:00:00 2001
+From: Josef 'Jeff' Sipek <jeff.sipek@dovecot.fi>
+Date: Tue, 19 Sep 2017 13:26:57 +0300
+Subject: [PATCH] lib: buffer_free(NULL) should be a no-op
+
+---
+ src/lib/buffer.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
+
+CVE: CVE-2020-12100
+Upstream-Status: Backport [http://archive.ubuntu.com/ubuntu/pool/main/d/dovecot/dovecot_2.2.33.2-1ubuntu4.7.debian.tar.xz]
+Comment: No change in any hunk
+
+--- a/src/lib/buffer.c
++++ b/src/lib/buffer.c
+@@ -148,6 +148,9 @@ void buffer_free(buffer_t **_buf)
+ {
+ struct real_buffer *buf = (struct real_buffer *)*_buf;
+
++ if (buf == NULL)
++ return;
++
+ *_buf = NULL;
+ if (buf->alloced)
+ p_free(buf->pool, buf->w_buffer);
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
index e21a94ad64..29905196b6 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.2.36.4.bb
@@ -10,6 +10,22 @@ SRC_URI = "http://dovecot.org/releases/2.2/dovecot-${PV}.tar.gz \ file://dovecot.service \ file://dovecot.socket \ file://0001-doveadm-Fix-parallel-build.patch \ + file://0001-lib-mail-message-parser-Add-a-message_part_finish-he.patch \ + file://0002-lib-mail-message-parser-Change-message_part_append-t.patch \ + file://0003-lib-mail-message-parser-Optimize-updating-children_c.patch \ + file://0004-lib-mail-message-parser-Optimize-appending-new-part-.patch \ + file://0005-lib-mail-message-parser-Minor-code-cleanup-to-findin.patch \ + file://0006-lib-mail-message-parser-Truncate-excessively-long-MI.patch \ + file://0007-lib-mail-message-parser-Optimize-boundary-lookups-wh.patch \ + file://0008-lib-mail-message-parser-Add-boundary_remove_until-he.patch \ + file://0009-lib-mail-message-parser-Don-t-use-memory-pool-for-pa.patch \ + file://0010-lib-mail-message-parser-Support-limiting-max-number-.patch \ + file://0011-lib-mail-message-parser-Support-limiting-max-number-.patch \ + file://0012-lib-mail-Fix-handling-trailing-in-MIME-boundaries.patch \ + file://0013-lib-mail-Fix-parse_too_many_nested_mime_parts.patch \ + file://buffer_free_fix.patch \ + file://0002-lib-ntlm-Check-buffer-length-on-responses.patch \ + file://0001-auth-mech-rpa-Fail-on-zero-len-buffer.patch \ " SRC_URI[md5sum] = "66c4d71858b214afee5b390ee602dee2" diff --git a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb index 5dabdd51d0..cad2fa7d71 100644 --- a/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb +++ b/meta-networking/recipes-support/drbd/drbd-utils_9.12.0.bb 
@@ -8,13 +8,14 @@ SECTION = "admin" LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=5574c6965ae5f583e55880e397fbb018" -SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils \ - git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers \ +SRC_URI = "git://github.com/LINBIT/drbd-utils;name=drbd-utils;branch=master;protocol=https \ + git://github.com/LINBIT/drbd-headers;name=drbd-headers;destsuffix=git/drbd-headers;branch=master;protocol=https \ ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','file://0001-drbd-utils-support-usrmerge.patch','',d)} \ " # v9.12.0 SRCREV_drbd-utils = "91629a4cce49ca0d4f917fe0bffa25cfe8db3052" SRCREV_drbd-headers = "233006b4d26cf319638be0ef6d16ec7dee287b66" +SRCREV_FORMAT = "drbd-utils_drbd-headers" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb index ed5c3a9799..8301c65bfa 100644 --- a/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb +++ b/meta-networking/recipes-support/geoip/geoip-perl_1.51.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e4f3ea6e9b28af88dc0321190a1f8250" S = "${WORKDIR}/git" SRCREV = "4cdfdc38eca237c19c22a8b90490446ce6d970fa" -SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https; \ +SRC_URI = "git://github.com/maxmind/geoip-api-perl.git;protocol=https;branch=master \ file://run-ptest \ " diff --git a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb index 4271c2e155..0efcbec1fc 100644 --- a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb +++ b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb 
@@ -10,7 +10,7 @@ SECTION = "libdevel" GEOIP_DATABASE_VERSION = "20181205" -SRC_URI = "git://github.com/maxmind/geoip-api-c.git \ +SRC_URI = "git://github.com/maxmind/geoip-api-c.git;branch=main;protocol=https \ http://sources.openembedded.org/GeoIP.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIP-dat; \ http://sources.openembedded.org/GeoIPv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIPv6-dat; \ http://sources.openembedded.org/GeoLiteCity.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCity-dat; \ diff --git a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb index 125b59e760..9c15490dcb 100644 --- a/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb +++ b/meta-networking/recipes-support/ifenslave/ifenslave_2.9.bb @@ -9,7 +9,7 @@ inherit manpages MAN_PKG = "${PN}" SRCREV = "42bfbb9beb924672ca86b86e9679ac3d6b87d992" -SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https" +SRC_URI = "git://salsa.debian.org/debian/ifenslave.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb index ad0ec27001..59e540a710 100644 --- a/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb +++ b/meta-networking/recipes-support/ipcalc/ipcalc_0.2.3.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" S = "${WORKDIR}/git" SRCREV = "c3ee70c878b9c5833a77a1f339f1ca4dc6f225c5" SRC_URI = "\ - git://github.com/nmav/ipcalc.git;protocol=https; \ + git://github.com/nmav/ipcalc.git;protocol=https;branch=master \ file://0001-Makefile-pass-extra-linker-flags.patch \ " diff --git a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb index 3cabc4ff8d..7a229c7b1e 100644 --- a/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb 
+++ b/meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.18.bb @@ -14,7 +14,7 @@ PV .= "+git${SRCPV}" LK_REL = "1.0.18" SRC_URI = " \ - git://github.com/sctp/lksctp-tools.git \ + git://github.com/sctp/lksctp-tools.git;branch=master;protocol=https \ file://0001-withsctp-use-PACKAGE_VERSION-in-withsctp.h.patch \ file://0001-configure.ac-add-CURRENT-REVISION-and-AGE-for-libsct.patch \ file://0001-build-fix-netinet-sctp.h-not-to-be-installed.patch \ diff --git a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb index 5917cfb3e1..e073561655 100644 --- a/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb +++ b/meta-networking/recipes-support/lowpan-tools/lowpan-tools_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" DEPENDS = "flex-native bison-native libnl python" PV = "0.3.1+git${SRCPV}" -SRC_URI = "git://github.com/linux-wpan/lowpan-tools \ +SRC_URI = "git://github.com/linux-wpan/lowpan-tools;branch=master;protocol=https \ file://no-help2man.patch \ file://0001-Fix-build-errors-with-clang.patch \ file://0001-addrdb-coord-config-parse.y-add-missing-time.h-inclu.patch \ diff --git a/meta-networking/recipes-support/mtr/mtr_0.93.bb b/meta-networking/recipes-support/mtr/mtr_0.93.bb index dd150700a9..4db7f7bbf8 100644 --- a/meta-networking/recipes-support/mtr/mtr_0.93.bb +++ b/meta-networking/recipes-support/mtr/mtr_0.93.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://ui/mtr.c;beginline=5;endline=16;md5=00a894a39d53726a27386534d1c4e468" SRCREV = "304349bad86229aedbc62c07d5e98a8292967991" -SRC_URI = "git://github.com/traviscross/mtr" +SRC_URI = "git://github.com/traviscross/mtr;branch=master;protocol=https" S = "${WORKDIR}/git" 
diff --git a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb index a63e49ec55..0876c6f354 100644 --- a/meta-networking/recipes-support/nbdkit/nbdkit_git.bb +++ b/meta-networking/recipes-support/nbdkit/nbdkit_git.bb @@ -9,7 +9,7 @@ HOMEPAGE = "https://github.com/libguestfs/nbdkit" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=4332a97808994cf2133a65b6c6f33eaf" -SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https \ +SRC_URI = "git://github.com/libguestfs/nbdkit.git;protocol=https;branch=master \ file://0001-server-Fix-build-when-printf-is-a-macro.patch \ " diff --git a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb index 5f866052c6..d359b620b8 100644 --- a/meta-networking/recipes-support/ndisc6/ndisc6_git.bb +++ b/meta-networking/recipes-support/ndisc6/ndisc6_git.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" PV = "1.0.4+git${SRCPV}" SRCREV = "4c794b5512d23c649def1f94a684225dcbb6ac3e" -SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http \ +SRC_URI = "git://git.remlab.net/git/ndisc6.git;protocol=http;branch=master \ file://0001-replace-VLAIS-with-malloc-free-pair.patch \ file://0002-Do-not-undef-_GNU_SOURCE.patch \ file://0001-autogen-Do-not-symlink-gettext.h-from-build-host.patch \ diff --git a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb index 14d743f820..1e113de519 100644 --- a/meta-networking/recipes-support/netcat/netcat_0.7.1.bb +++ b/meta-networking/recipes-support/netcat/netcat_0.7.1.bb @@ -16,6 +16,8 @@ SRC_URI[sha256sum] = "b55af0bbdf5acc02d1eb6ab18da2acd77a400bafd074489003f3df0967 inherit autotools +CVE_PRODUCT = "netcat_project:netcat" + do_install_append() { install -d ${D}${bindir} mv ${D}${bindir}/nc ${D}${bindir}/nc.${BPN} 
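Review bot: The ndisc6 SRC_URI keeps `protocol=http` while gaining `branch=master`, so this recipe still clones over an unauthenticated transport. The spice-protocol, spice/spice-common and usbredir hunks further down have the same gap: they add `branch=master` with no `protocol=` at all, which as far as I know leaves the fetcher on its default git:// transport, whereas the other recipes in this commit were moved to `protocol=https`. The pinned SRCREV values limit what a tampered fetch can deliver, but the clone itself remains open to on-path interference. If git.remlab.net and anongit.freedesktop.org serve these repositories over HTTPS, add `;protocol=https` here as well; otherwise a one-line comment in each recipe saying why not would help the next reviewer.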
diff --git a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb index a180571f2d..af617ce922 100644 --- a/meta-networking/recipes-support/netcf/netcf_0.2.8.bb +++ b/meta-networking/recipes-support/netcf/netcf_0.2.8.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fb919cc88dbe06ec0b0bd50e001ccf1f" SRCREV = "2c5d4255857531bc09d91dcd02e86545f29004d4" PV .= "+git${SRCPV}" -SRC_URI = "git://pagure.io/netcf.git;protocol=https \ +SRC_URI = "git://pagure.io/netcf.git;protocol=https;branch=master \ " UPSTREAM_CHECK_GITTAGREGEX = "release-(?P<pver>(\d+(\.\d+)+))" diff --git a/meta-networking/recipes-support/netperf/netperf_git.bb b/meta-networking/recipes-support/netperf/netperf_git.bb index d48f3aeabd..f6ea211f7a 100644 --- a/meta-networking/recipes-support/netperf/netperf_git.bb +++ b/meta-networking/recipes-support/netperf/netperf_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a0ab17253e7a3f318da85382c7d5d5d6" PV = "2.7.0+git${SRCPV}" -SRC_URI = "git://github.com/HewlettPackard/netperf.git \ +SRC_URI = "git://github.com/HewlettPackard/netperf.git;branch=master;protocol=https \ file://cpu_set.patch \ file://vfork.patch \ file://init \ diff --git a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb index bb401666c6..0c67f67d70 100644 --- a/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb +++ b/meta-networking/recipes-support/nis/yp-tools_4.2.3.bb @@ -14,7 +14,7 @@ and ypdomainname. \ # v4.2.3 SRCREV = "1bfda29c342a81b97cb1995ffd9e8da5de63e7ab" -SRC_URI = "git://github.com/thkukuk/yp-tools \ +SRC_URI = "git://github.com/thkukuk/yp-tools;branch=master;protocol=https \ file://domainname.service \ " diff --git a/meta-networking/recipes-support/ntimed/ntimed_git.bb b/meta-networking/recipes-support/ntimed/ntimed_git.bb index a749b16593..43ed1abe38 100644 --- a/meta-networking/recipes-support/ntimed/ntimed_git.bb 
+++ b/meta-networking/recipes-support/ntimed/ntimed_git.bb @@ -8,7 +8,7 @@ SECTION = "net" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://main.c;beginline=2;endline=24;md5=89db8e76f2951f3fad167e7aa9718a44" -SRC_URI = "git://github.com/bsdphk/Ntimed \ +SRC_URI = "git://github.com/bsdphk/Ntimed;branch=master;protocol=https \ file://use-ldflags.patch" PV = "0.0+git${SRCPV}" diff --git a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb index a03b92f5fe..1bf7c48e09 100644 --- a/meta-networking/recipes-support/open-isns/open-isns_0.99.bb +++ b/meta-networking/recipes-support/open-isns/open-isns_0.99.bb @@ -13,7 +13,7 @@ SECTION = "net" DEPENDS = "openssl" -SRC_URI = "git://github.com/open-iscsi/open-isns" +SRC_URI = "git://github.com/open-iscsi/open-isns;branch=master;protocol=https" SRCREV = "cfdbcff867ee580a71bc9c18c3a38a6057df0150" diff --git a/meta-networking/recipes-support/phytool/phytool.bb b/meta-networking/recipes-support/phytool/phytool.bb index 29499d6d7a..7fde88c447 100644 --- a/meta-networking/recipes-support/phytool/phytool.bb +++ b/meta-networking/recipes-support/phytool/phytool.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=39bba7d2cf0ba1036f2a6e2be52fe3f0" PV = "2+git${SRCPV}" SRCREV = "8882328c08ba2efb13c049812098f1d0cb8adf0c" -SRC_URI = "git://github.com/wkz/phytool.git" +SRC_URI = "git://github.com/wkz/phytool.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb index 15fd7ff663..5cb4e67c28 100644 --- a/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb +++ b/meta-networking/recipes-support/rdma-core/rdma-core_28.0.bb 
@@ -6,7 +6,7 @@ DEPENDS = "libnl" RDEPENDS_${PN} = "bash perl" BRANCH = "stable-v${@d.getVar('PV').split('.')[0]}" -SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH} \ +SRC_URI = "git://github.com/linux-rdma/rdma-core.git;branch=${BRANCH};protocol=https \ file://0001-Remove-man-files-which-cant-be-built.patch \ " SRCREV = "f12c953f0864691eacc9fcc4cda489b92ffd5a85" diff --git a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb index 0b63f79aca..d8a1f6140f 100644 --- a/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb +++ b/meta-networking/recipes-support/smcroute/smcroute_2.4.4.bb @@ -6,7 +6,7 @@ LICENSE = "GPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" SRCREV = "a8e5847e5f7e411be424f9b52a6cdf9d2ed4aeb5" -SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=git" +SRC_URI = "git://github.com/troglobit/smcroute.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/spice/spice-protocol_git.bb b/meta-networking/recipes-support/spice/spice-protocol_git.bb index 1d56bea17c..ca683bf220 100644 --- a/meta-networking/recipes-support/spice/spice-protocol_git.bb +++ b/meta-networking/recipes-support/spice/spice-protocol_git.bb @@ -18,7 +18,7 @@ PV = "0.14.1+git${SRCPV}" SRCREV = "e0ec178a72aa33e307ee5ac02b63bf336da921a5" SRC_URI = " \ - git://anongit.freedesktop.org/spice/spice-protocol \ + git://anongit.freedesktop.org/spice/spice-protocol;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/spice/spice_git.bb b/meta-networking/recipes-support/spice/spice_git.bb index 9d3a0e6cb5..3d47f5a54a 100644 --- a/meta-networking/recipes-support/spice/spice_git.bb +++ b/meta-networking/recipes-support/spice/spice_git.bb 
@@ -21,8 +21,8 @@ SRCREV_spice-common = "4fc4c2db36c7f07b906e9a326a9d3dc0ae6a2671" SRCREV_FORMAT = "spice_spice-common" SRC_URI = " \ - git://anongit.freedesktop.org/spice/spice;name=spice \ - git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common \ + git://anongit.freedesktop.org/spice/spice;name=spice;branch=master \ + git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/subprojects/spice-common;name=spice-common;branch=master \ file://0001-Convert-pthread_t-to-be-numeric.patch \ file://0001-Fix-compile-errors-on-Linux-32bit-system.patch \ " diff --git a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb index 9ee43be1ea..f07fb3b50c 100644 --- a/meta-networking/recipes-support/spice/usbredir_0.8.0.bb +++ b/meta-networking/recipes-support/spice/usbredir_0.8.0.bb @@ -10,7 +10,7 @@ DEPENDS = "libusb1" SRCREV = "07b98b8e71f620dfdd57e92ddef6b677b259a092" SRC_URI = " \ - git://anongit.freedesktop.org/spice/usbredir \ + git://anongit.freedesktop.org/spice/usbredir;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch new file mode 100644 index 0000000000..b7118ba1fb --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41990.patch 
@@ -0,0 +1,62 @@
+From 423a5d56274a1d343e0d2107dfc4fbf0df2dcca5 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 28 Sep 2021 17:52:08 +0200
+Subject: [PATCH] Reject RSASSA-PSS params with negative salt length
+
+The `salt_len` member in the struct is of type `ssize_t` because we use
+negative values for special automatic salt lengths when generating
+signatures.
+
+Not checking this could lead to an integer overflow. The value is assigned
+to the `len` field of a chunk (`size_t`), which is further used in
+calculations to check the padding structure and (if that is passed by a
+matching crafted signature value) eventually a memcpy() that will result
+in a segmentation fault.
+
+Fixes: a22316520b91 ("signature-params: Add functions to parse/build ASN.1 RSASSA-PSS params")
+Fixes: 7d6b81648b2d ("gmp: Add support for RSASSA-PSS signature verification")
+Fixes: CVE-2021-41990
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41990]
+CVE: CVE-2021-41990
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ src/libstrongswan/credentials/keys/signature_params.c | 6 +++++-
+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libstrongswan/credentials/keys/signature_params.c b/src/libstrongswan/credentials/keys/signature_params.c
+index d89bd2c96bb5..837de8443d43 100644
+--- a/src/libstrongswan/credentials/keys/signature_params.c
++++ b/src/libstrongswan/credentials/keys/signature_params.c
+@@ -322,7 +322,11 @@ bool rsa_pss_params_parse(chunk_t asn1, int level0, rsa_pss_params_t *params)
+ case RSASSA_PSS_PARAMS_SALT_LEN:
+ if (object.len)
+ {
+- params->salt_len = (size_t)asn1_parse_integer_uint64(object);
++ params->salt_len = (ssize_t)asn1_parse_integer_uint64(object);
++ if (params->salt_len < 0)
++ {
++ goto end;
++ }
+ }
+ break;
+ case RSASSA_PSS_PARAMS_TRAILER:
+diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+index f9bd1d314dec..3a775090883e 100644
+--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+@@ -168,7 +168,7 @@ static bool verify_emsa_pss_signature(private_gmp_rsa_public_key_t *this,
+ int i;
+ bool success = FALSE;
+
+- if (!params)
++ if (!params || params->salt_len < 0)
+ {
+ return FALSE;
+ }
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch
new file mode 100644
index 0000000000..2d898fa5cf
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-41991.patch
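Review bot: The added `(ssize_t)asn1_parse_integer_uint64(object)` cast followed by `params->salt_len < 0` rejects only values whose converted sign bit is set. On a target where ssize_t is 32 bits, a 64-bit encoded length with bit 31 clear would, under the usual truncating conversion, be accepted as a small positive salt length. That is not the crash this patch fixes, but the parsed value can then differ from the encoded one. A range check before narrowing avoids depending on the conversion: `uint64_t v = asn1_parse_integer_uint64(object);`, `if (v > SSIZE_MAX) goto end;`, `params->salt_len = (ssize_t)v;`. The hunk matches upstream as backported, so this is better raised upstream than diverged here; rsa_pss_params_parse() continues outside the hunk.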
@@ -0,0 +1,41 @@
+From b667237b3a84f601ef5a707ce8eb861c3a5002d3 Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias@strongswan.org>
+Date: Tue, 28 Sep 2021 19:38:22 +0200
+Subject: [PATCH] cert-cache: Prevent crash due to integer overflow/sign change
+
+random() allocates values in the range [0, RAND_MAX], with RAND_MAX usually
+equaling INT_MAX = 2^31-1. Previously, values between 0 and 31 were added
+directly to that offset before applying`% CACHE_SIZE` to get an index into
+the cache array. If the random value was very high, this resulted in an
+integer overflow and a negative index value and, therefore, an out-of-bounds
+access of the array and in turn dereferencing invalid pointers when trying
+to acquire the read lock. This most likely results in a segmentation fault.
+
+Fixes: 764e8b2211ce ("reimplemented certificate cache")
+Fixes: CVE-2021-41991
+
+Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-41991]
+CVE: CVE-2021-41991
+
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+---
+ src/libstrongswan/credentials/sets/cert_cache.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
+index f1579c60a9bc..ceebb3843725 100644
+--- a/src/libstrongswan/credentials/sets/cert_cache.c
++++ b/src/libstrongswan/credentials/sets/cert_cache.c
+@@ -151,7 +151,7 @@ static void cache(private_cert_cache_t *this,
+ for (try = 0; try < REPLACE_TRIES; try++)
+ {
+ /* replace a random relation */
+- offset = random();
++ offset = random() % CACHE_SIZE;
+ for (i = 0; i < CACHE_SIZE; i++)
+ {
+ rel = &this->relations[(i + offset) % CACHE_SIZE];
+--
+2.25.1
+
diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch
new file mode 100644
index 0000000000..97aa6a0efc
--- /dev/null
+++ b/meta-networking/recipes-support/strongswan/files/CVE-2021-45079.patch 
@@ -0,0 +1,156 @@ +From 76968cdd6b79f6ae40d674554e902ced192fd33e Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Tue, 14 Dec 2021 10:51:35 +0100 +Subject: [PATCH] eap-authenticator: Enforce failure if MSK generation fails + +Without this, the authentication succeeded if the server sent an early +EAP-Success message for mutual, key-generating EAP methods like EAP-TLS, +which may be used in EAP-only scenarios but would complete without server +or client authentication. For clients configured for such EAP-only +scenarios, a rogue server could capture traffic after the tunnel is +established or even access hosts behind the client. For non-mutual EAP +methods, public key server authentication has been enforced for a while. + +A server previously could also crash a client by sending an EAP-Success +immediately without initiating an actual EAP method. + +Fixes: 0706c39cda52 ("added support for EAP methods not establishing an MSK") +Fixes: CVE-2021-45079 + +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2021-45079/strongswan-5.5.0-5.9.4_eap_success.patch] +CVE: CVE-2021-45079 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + src/libcharon/plugins/eap_gtc/eap_gtc.c | 2 +- + src/libcharon/plugins/eap_md5/eap_md5.c | 2 +- + src/libcharon/plugins/eap_radius/eap_radius.c | 4 ++- + src/libcharon/sa/eap/eap_method.h | 8 ++++- + .../ikev2/authenticators/eap_authenticator.c | 32 ++++++++++++++++--- + 5 files changed, 40 insertions(+), 8 deletions(-) + +diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c +index 95ba090b79ce..cffb6222c2f8 100644 +--- a/src/libcharon/plugins/eap_gtc/eap_gtc.c ++++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c +@@ -195,7 +195,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_gtc_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, 
get_identifier, uint8_t, +diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c +index ab5f7ff6a823..3a92ad7c0a04 100644 +--- a/src/libcharon/plugins/eap_md5/eap_md5.c ++++ b/src/libcharon/plugins/eap_md5/eap_md5.c +@@ -213,7 +213,7 @@ METHOD(eap_method_t, get_type, eap_type_t, + METHOD(eap_method_t, get_msk, status_t, + private_eap_md5_t *this, chunk_t *msk) + { +- return FAILED; ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, is_mutual, bool, +diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c +index 2dc7a423e702..5336dead13d9 100644 +--- a/src/libcharon/plugins/eap_radius/eap_radius.c ++++ b/src/libcharon/plugins/eap_radius/eap_radius.c +@@ -733,7 +733,9 @@ METHOD(eap_method_t, get_msk, status_t, + *out = msk; + return SUCCESS; + } +- return FAILED; ++ /* we assume the selected method did not establish an MSK, if it failed ++ * to establish one, process() would have failed */ ++ return NOT_SUPPORTED; + } + + METHOD(eap_method_t, get_identifier, uint8_t, +diff --git a/src/libcharon/sa/eap/eap_method.h b/src/libcharon/sa/eap/eap_method.h +index 0b5218dfec15..33564831f86e 100644 +--- a/src/libcharon/sa/eap/eap_method.h ++++ b/src/libcharon/sa/eap/eap_method.h +@@ -114,10 +114,16 @@ struct eap_method_t { + * Not all EAP methods establish a shared secret. For implementations of + * the EAP-Identity method, get_msk() returns the received identity. + * ++ * @note Returning NOT_SUPPORTED is important for implementations of EAP ++ * methods that don't establish an MSK. In particular as client because ++ * key-generating EAP methods MUST fail to process EAP-Success messages if ++ * no MSK is established. 
++ * + * @param msk chunk receiving internal stored MSK + * @return +- * - SUCCESS, or ++ * - SUCCESS, if MSK is established + * - FAILED, if MSK not established (yet) ++ * - NOT_SUPPORTED, for non-MSK-establishing methods + */ + status_t (*get_msk) (eap_method_t *this, chunk_t *msk); + +diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +index e1e6cd7ee6f3..87548fc471a6 100644 +--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c ++++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +@@ -305,9 +305,17 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + this->method->destroy(this->method); + return server_initiate_eap(this, FALSE); + } +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ switch (this->method->get_msk(this->method, &this->msk)) + { +- this->msk = chunk_clone(this->msk); ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "failed to establish MSK"); ++ goto failure; + } + if (vendor) + { +@@ -326,6 +334,7 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, + return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); + case FAILED: + default: ++failure: + /* type might have changed for virtual methods */ + type = this->method->get_type(this->method, &vendor); + if (vendor) +@@ -661,9 +670,24 @@ METHOD(authenticator_t, process_client, status_t, + uint32_t vendor; + auth_cfg_t *cfg; + +- if (this->method->get_msk(this->method, &this->msk) == SUCCESS) ++ if (!this->method) + { +- this->msk = chunk_clone(this->msk); ++ DBG1(DBG_IKE, "received unexpected %N", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; ++ } ++ switch (this->method->get_msk(this->method, &this->msk)) ++ { ++ case SUCCESS: ++ this->msk = chunk_clone(this->msk); ++ break; ++ case 
NOT_SUPPORTED: ++ break; ++ case FAILED: ++ default: ++ DBG1(DBG_IKE, "received %N but failed to establish MSK", ++ eap_code_names, eap_payload->get_code(eap_payload)); ++ return FAILED; + } + type = this->method->get_type(this->method, &vendor); + if (vendor) +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch new file mode 100644 index 0000000000..66e5047125 --- /dev/null +++ b/meta-networking/recipes-support/strongswan/files/CVE-2022-40617.patch 
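Review bot: Only eap_gtc, eap_md5 and eap_radius are switched to `NOT_SUPPORTED` in this patch, while `server_process_eap` and `process_client` in eap_authenticator.c now treat a `FAILED` (or any other) return from `get_msk()` as an authentication failure. Any other enabled EAP plugin that does not derive an MSK and still returns `FAILED` would now be rejected, so it is worth checking the 5.8.4 tree and any out-of-tree plugins built into the image. The new behaviour fails closed, so the exposure is a connectivity regression rather than a bypass. Both functions begin and end outside the hunks shown.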
@@ -0,0 +1,210 @@ +From 66d3b2e0e596a6eac1ebcd15c83a8d9368fe7b34 Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Fri, 22 Jul 2022 15:37:43 +0200 +Subject: [PATCH] credential-manager: Do online revocation checks only after + basic trust chain validation + +This avoids querying URLs of potentially untrusted certificates, e.g. if +an attacker sends a specially crafted end-entity and intermediate CA +certificate with a CDP that points to a server that completes the +TCP handshake but then does not send any further data, which will block +the fetcher thread (depending on the plugin) for as long as the default +timeout for TCP. Doing that multiple times will block all worker threads, +leading to a DoS attack. + +The logging during the certificate verification obviously changes. The +following example shows the output of `pki --verify` for the current +strongswan.org certificate: + +new: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + reached self-signed root ca with a path length of 1 +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... 
+ using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good +certificate trusted, lifetimes valid, certificate not revoked + +old: + + using certificate "CN=www.strongswan.org" + using trusted intermediate ca certificate "C=US, O=Let's Encrypt, CN=R3" +checking certificate status of "CN=www.strongswan.org" + requesting ocsp status from 'http://r3.o.lencr.org' ... + ocsp response correctly signed by "C=US, O=Let's Encrypt, CN=R3" + ocsp response is valid: until Jul 27 12:59:58 2022 +certificate status is good + using trusted ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" +checking certificate status of "C=US, O=Let's Encrypt, CN=R3" +ocsp response verification failed, no signer certificate 'C=US, O=Let's Encrypt, CN=R3' found + fetching crl from 'http://x1.c.lencr.org/' ... + using trusted certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl correctly signed by "C=US, O=Internet Security Research Group, CN=ISRG Root X1" + crl is valid: until Apr 18 01:59:59 2023 +certificate status is good + reached self-signed root ca with a path length of 1 +certificate trusted, lifetimes valid, certificate not revoked + +Note that this also fixes an issue with the previous dual-use of the +`trusted` flag. It not only indicated whether the chain is trusted but +also whether the current issuer is the root anchor (the corresponding +flag in the `cert_validator_t` interface is called `anchor`). This was +a problem when building multi-level trust chains for pre-trusted +end-entity certificates (i.e. where `trusted` is TRUE from the start). +This caused the main loop to get aborted after the first intermediate CA +certificate and the mentioned `anchor` flag wasn't correct in any calls +to `cert_validator_t` implementations. 
+ +Fixes: CVE-2022-40617 + +CVE: CVE-2022-40617 +Upstream-Status: Backport [https://download.strongswan.org/security/CVE-2022-40617/strongswan-5.1.0-5.9.7_cert_online_validate.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + .../credentials/credential_manager.c | 54 +++++++++++++++---- + 1 file changed, 45 insertions(+), 9 deletions(-) + +diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c +index e93b5943a3a7..798785544e41 100644 +--- a/src/libstrongswan/credentials/credential_manager.c ++++ b/src/libstrongswan/credentials/credential_manager.c +@@ -556,7 +556,7 @@ static void cache_queue(private_credential_manager_t *this) + */ + static bool check_lifetime(private_credential_manager_t *this, + certificate_t *cert, char *label, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + time_t not_before, not_after; + cert_validator_t *validator; +@@ -571,7 +571,7 @@ static bool check_lifetime(private_credential_manager_t *this, + continue; + } + status = validator->check_lifetime(validator, cert, +- pathlen, trusted, auth); ++ pathlen, anchor, auth); + if (status != NEED_MORE) + { + break; +@@ -604,13 +604,13 @@ static bool check_lifetime(private_credential_manager_t *this, + */ + static bool check_certificate(private_credential_manager_t *this, + certificate_t *subject, certificate_t *issuer, bool online, +- int pathlen, bool trusted, auth_cfg_t *auth) ++ int pathlen, bool anchor, auth_cfg_t *auth) + { + cert_validator_t *validator; + enumerator_t *enumerator; + + if (!check_lifetime(this, subject, "subject", pathlen, FALSE, auth) || +- !check_lifetime(this, issuer, "issuer", pathlen + 1, trusted, auth)) ++ !check_lifetime(this, issuer, "issuer", pathlen + 1, anchor, auth)) + { + return FALSE; + } +@@ -623,7 +623,7 @@ static bool check_certificate(private_credential_manager_t *this, + continue; + } + if 
(!validator->validate(validator, subject, issuer, +- online, pathlen, trusted, auth)) ++ online, pathlen, anchor, auth)) + { + enumerator->destroy(enumerator); + return FALSE; +@@ -726,6 +726,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth_cfg_t *auth; + signature_params_t *scheme; + int pathlen; ++ bool is_anchor = FALSE; + + auth = auth_cfg_create(); + get_key_strength(subject, auth); +@@ -743,7 +744,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); + DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", + issuer->get_subject(issuer)); +- trusted = TRUE; ++ trusted = is_anchor = TRUE; + } + else + { +@@ -778,11 +779,18 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, " issuer is \"%Y\"", + current->get_issuer(current)); + call_hook(this, CRED_HOOK_NO_ISSUER, current); ++ if (trusted) ++ { ++ DBG1(DBG_CFG, " reached end of incomplete trust chain for " ++ "trusted certificate \"%Y\"", ++ subject->get_subject(subject)); ++ } + break; + } + } +- if (!check_certificate(this, current, issuer, online, +- pathlen, trusted, auth)) ++ /* don't do online verification here */ ++ if (!check_certificate(this, current, issuer, FALSE, ++ pathlen, is_anchor, auth)) + { + trusted = FALSE; + issuer->destroy(issuer); +@@ -794,7 +802,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, + } + current->destroy(current); + current = issuer; +- if (trusted) ++ if (is_anchor) + { + DBG1(DBG_CFG, " reached self-signed root ca with a " + "path length of %d", pathlen); +@@ -807,6 +815,34 @@ static bool verify_trust_chain(private_credential_manager_t *this, + DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN); + call_hook(this, CRED_HOOK_EXCEEDED_PATH_LEN, subject); + } ++ else if (trusted && online) ++ { ++ enumerator_t *enumerator; ++ auth_rule_t rule; ++ ++ /* do online revocation checks after basic 
validation of the chain */ ++ pathlen = 0; ++ current = subject; ++ enumerator = auth->create_enumerator(auth); ++ while (enumerator->enumerate(enumerator, &rule, &issuer)) ++ { ++ if (rule == AUTH_RULE_CA_CERT || rule == AUTH_RULE_IM_CERT) ++ { ++ if (!check_certificate(this, current, issuer, TRUE, pathlen++, ++ rule == AUTH_RULE_CA_CERT, auth)) ++ { ++ trusted = FALSE; ++ break; ++ } ++ else if (rule == AUTH_RULE_CA_CERT) ++ { ++ break; ++ } ++ current = issuer; ++ } ++ } ++ enumerator->destroy(enumerator); ++ } + if (trusted) + { + result->merge(result, auth, FALSE); +-- +2.25.1 + diff --git a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb index 8a8809243a..c11748645c 100644 --- a/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb +++ b/meta-networking/recipes-support/strongswan/strongswan_5.8.4.bb @@ -11,6 +11,10 @@ SRC_URI = "http://download.strongswan.org/strongswan-${PV}.tar.bz2 \ file://fix-funtion-parameter.patch \ file://0001-memory.h-Include-stdint.h-for-uintptr_t.patch \ file://0001-Remove-obsolete-setting-regarding-the-Standard-Outpu.patch \ + file://CVE-2021-41990.patch \ + file://CVE-2021-41991.patch \ + file://CVE-2021-45079.patch \ + file://CVE-2022-40617.patch \ " SRC_URI[md5sum] = "0634e7f40591bd3f6770e583c3f27d29" diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch index 9b74e00c5b..84d4716f38 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch 
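Review bot: The new comment `/* don't do online verification here */` in `verify_trust_chain` says what the hard-coded `FALSE` does but not why, and the why is the security property this patch enforces. I would write it as `/* offline checks only: OCSP/CRL URLs are fetched in a second pass, after the chain has reached a trust anchor */`, so a later edit does not pass `online` through again. Judging from the description, the second pass still fetches URLs for chains that do validate, so the fetcher timeout remains the bound on how long a worker can block. The function body starts and continues outside the hunk.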
@@ -9,6 +9,7 @@ if we haven't captured all of it. (backported from commit e4add0b010ed6f2180dcb05a13026242ed935334) +CVE: CVE-2020-8037 Upstream-Status: Backport Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch new file mode 100644 index 0000000000..5f5c68ccd6 --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch 
@@ -0,0 +1,111 @@ +From 8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Mon Sep 17 00:00:00 2001 +From: Guy Harris <gharris@sonic.net> +Date: Wed, 30 Sep 2020 11:37:30 -0700 +Subject: [PATCH] Handle very large -f files by rejecting them. + +_read(), on Windows, has a 32-bit size argument and a 32-bit return +value, so reject -f files that have more than 2^31-1 characters. + +Add some #defines so that, on Windows, we use _fstati64 to get the size +of that file, to handle large files. + +Don't assume that our definition for ssize_t is the same size as size_t; +by the time we want to print the return value of the read, we know it'll +fit into an int, so just cast it to int and print it with %d. + +(cherry picked from commit faf8fb70af3a013e5d662b8283dec742fd6b1a77) + +CVE: CVE-2022-25308 +Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86] + +Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com> + +--- + netdissect-stdinc.h | 16 +++++++++++++++- + tcpdump.c | 15 ++++++++++++--- + 2 files changed, 27 insertions(+), 4 deletions(-) + +diff --git a/netdissect-stdinc.h b/netdissect-stdinc.h +index 8282c5846..9941c2a16 100644 +--- a/netdissect-stdinc.h ++++ b/netdissect-stdinc.h +@@ -149,10 +149,17 @@ + #ifdef _MSC_VER + #define stat _stat + #define open _open +-#define fstat _fstat + #define read _read + #define close _close + #define O_RDONLY _O_RDONLY ++ ++/* ++ * We define our_fstat64 as _fstati64, and define our_statb as ++ * struct _stati64, so we get 64-bit file sizes. ++ */ ++#define our_fstat _fstati64 ++#define our_statb struct _stati64 ++ + #endif /* _MSC_VER */ + + /* +@@ -211,6 +218,13 @@ typedef char* caddr_t; + + #include <arpa/inet.h> + ++/* ++ * We should have large file support enabled, if it's available, ++ * so just use fstat as our_fstat and struct stat as our_statb. 
++ */ ++#define our_fstat fstat ++#define our_statb struct stat ++ + #endif /* _WIN32 */ + + #ifndef HAVE___ATTRIBUTE__ +diff --git a/tcpdump.c b/tcpdump.c +index 043bda1d7..8f27ba2a4 100644 +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -108,6 +108,7 @@ The Regents of the University of California. All rights reserved.\n"; + #endif /* HAVE_CAP_NG_H */ + #endif /* HAVE_LIBCAP_NG */ + ++#include "netdissect-stdinc.h" + #include "netdissect.h" + #include "interface.h" + #include "addrtoname.h" +@@ -861,15 +862,22 @@ read_infile(char *fname) + { + register int i, fd, cc; + register char *cp; +- struct stat buf; ++ our_statb buf; + + fd = open(fname, O_RDONLY|O_BINARY); + if (fd < 0) + error("can't open %s: %s", fname, pcap_strerror(errno)); + +- if (fstat(fd, &buf) < 0) ++ if (our_fstat(fd, &buf) < 0) + error("can't stat %s: %s", fname, pcap_strerror(errno)); + ++ /* ++ * Reject files whose size doesn't fit into an int; a filter ++ * *that* large will probably be too big. ++ */ ++ if (buf.st_size > INT_MAX) ++ error("%s is too large", fname); ++ + cp = malloc((u_int)buf.st_size + 1); + if (cp == NULL) + error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1, +@@ -878,7 +886,8 @@ read_infile(char *fname) + if (cc < 0) + error("read %s: %s", fname, pcap_strerror(errno)); + if (cc != buf.st_size) +- error("short read %s (%d != %d)", fname, cc, (int)buf.st_size); ++ error("short read %s (%d != %d)", fname, (int) cc, ++ (int)buf.st_size); + + close(fd); + /* replace "# comment" with spaces */ diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb index 2ea493863a..66bf217751 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb 
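Review bot: The `CVE:` trailer in this patch header reads `CVE-2022-25308`, but the file is named CVE-2018-16301.patch and is added to SRC_URI under that name in tcpdump_4.9.3.bb. Tooling that reads the trailer to decide which CVEs are patched would record an identifier this fix does not appear to address, so the line should read `CVE: CVE-2018-16301`. Separately, the comment added to netdissect-stdinc.h speaks of `our_fstat64` while the macro actually defined is `our_fstat`; that wording comes from the upstream commit and is only worth a mention.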
@@ -18,6 +18,7 @@ SRC_URI = " \ file://add-ptest.patch \ file://run-ptest \ file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \ + file://CVE-2018-16301.patch \ " SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae" diff --git a/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch new file mode 100644 index 0000000000..3ca9a831f4 --- /dev/null +++ b/meta-networking/recipes-support/tcpreplay/files/CVE-2020-24265-and-CVE-2020-24266.patch @@ -0,0 +1,37 @@ +From d3110859064b15408dbca1294dc7e31c2208504d Mon Sep 17 00:00:00 2001 +From: Gabriel Ganne <gabriel.ganne@gmail.com> +Date: Mon, 3 Aug 2020 08:26:38 +0200 +Subject: [PATCH] fix heap-buffer-overflow when DLT_JUNIPER_ETHER + +The test logic on datalen was inverted. + +Processing truncated packats should now raise a warning like the +following: + Warning: <pcap> was captured using a snaplen of 4 bytes. This may mean you have truncated packets. + +Fixes #616 #617 + +CVE: CVE-2020-24265 +CVE: CVE-2020-24266 +Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/d3110859064b15408dbca1294dc7e31c2208504d] + +Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com> +Signed-off-by: Akash Hadke <akash.hadke@kpit.com> +Signed-off-by: Akash Hadke <hadkeakash4@gmail.com> +--- + src/common/get.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/common/get.c b/src/common/get.c +index f9ee92d3..0517bf0a 100644 +--- a/src/common/get.c ++++ b/src/common/get.c +@@ -178,7 +178,7 @@ get_l2len(const u_char *pktdata, const int datalen, const int datalink) + break; + + case DLT_JUNIPER_ETHER: +- if (datalen >= 5) { ++ if (datalen < 5) { + l2_len = -1; + break; + } diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb index 39be950ad4..557d323311 100644 
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb +++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.3.3.bb @@ -6,7 +6,8 @@ SECTION = "net" LICENSE = "GPLv3" LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=890b830b22fd632e9ffd996df20338f8" -SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz" +SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz \ + file://CVE-2020-24265-and-CVE-2020-24266.patch" SRC_URI[md5sum] = "53b52bf64f0b6b9443428e657b37bc6b" SRC_URI[sha256sum] = "ed2402caa9434ff5c74b2e7b31178c73e7c7c5c4ea1e1d0e2e39a7dc46958fde" diff --git a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb index 6200214acb..f4b3c28ae4 100644 --- a/meta-networking/recipes-support/unbound/unbound_1.9.4.bb +++ b/meta-networking/recipes-support/unbound/unbound_1.9.4.bb @@ -9,7 +9,7 @@ SECTION = "net" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=5308494bc0590c0cb036afd781d78f06" -SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master \ +SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=http;branch=master;protocol=https \ file://0001-contrib-add-yocto-compatible-startup-scripts.patch \ " SRCREV="b60c4a472c856f0a98120b7259e991b3a6507eb5" diff --git a/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch new file mode 100644 index 0000000000..54438dd870 --- /dev/null +++ b/meta-networking/recipes-support/wireshark/files/fix_lemon_path.patch 
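Review bot: In unbound_1.9.4.bb the new SRC_URI carries two `protocol` parameters, `;protocol=http;branch=master;protocol=https`, because the old `protocol=http` was left in place when `protocol=https` was appended. Which one the fetcher honours depends on how it parses duplicate parameters, so the recipe may still clone over cleartext HTTP; SRCREV pins the commit, but the transport should not be left ambiguous. Drop the stale parameter: `SRC_URI = "git://github.com/NLnetLabs/unbound.git;branch=master;protocol=https \`.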
@@ -0,0 +1,22 @@ +Fix update to build for alt arch machine. + +Commit 9ca6e39c7ee26570e29dc87332ffb0f6c1d0e4a4 changed the UseLemon to use +the target lemon built by the target wireshark. Revert to use the one built by +wireshark-native. + +Upstream-Status: Inappropriate [configuration] +Signed-off: Armin Kuster <akuster@mvista.com> + +Index: wireshark-3.2.18/cmake/modules/UseLemon.cmake +=================================================================== +--- wireshark-3.2.18.orig/cmake/modules/UseLemon.cmake ++++ wireshark-3.2.18/cmake/modules/UseLemon.cmake +@@ -13,7 +13,7 @@ MACRO(ADD_LEMON_FILES _source _generated + # These files are generated as side-effect + ${_out}.h + ${_out}.out +- COMMAND $<TARGET_FILE:lemon> ++ COMMAND lemon + -T${_lemonpardir}/lempar.c + -d. + ${_in} diff --git a/meta-networking/recipes-support/wireshark/wireshark_3.2.15.bb b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb index 36e84d0ccd..f9e22141c4 100644 --- a/meta-networking/recipes-support/wireshark/wireshark_3.2.15.bb +++ b/meta-networking/recipes-support/wireshark/wireshark_3.2.18.bb @@ -8,11 +8,12 @@ DEPENDS = "pcre expat glib-2.0 glib-2.0-native libgcrypt libgpg-error libxml2 bi DEPENDS_append_class-target = " wireshark-native chrpath-replacement-native " -SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz" +SRC_URI = "https://1.eu.dl.wireshark.org/src/all-versions/wireshark-${PV}.tar.xz \ + file://fix_lemon_path.patch " UPSTREAM_CHECK_URI = "https://1.as.dl.wireshark.org/src" -SRC_URI[sha256sum] = "32f6cfd67b00903a1bfca02ecc4ccf72db6b70d4fda33e4a099fefb03e849bdb" +SRC_URI[sha256sum] = "bbe75d909b052fcd67a850f149f0d5b1e2531026fc2413946b48570293306887" PE = "1" diff --git a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb index bab75fee3f..6b83cbd522 100644 --- a/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb 
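Review bot: With `COMMAND lemon` in UseLemon.cmake the generator now runs whichever `lemon` is found on PATH at build time, where `$<TARGET_FILE:lemon>` named the built target explicitly. As far as I know, CMake still substitutes a bare command name that matches an executable target when the build is not cross-compiling, so the PATH lookup applies only to the cross build; the patch header should say so and state that the binary is expected to come from wireshark-native. A one-line comment above the command would record this for the next version bump, e.g. `# lemon is taken from PATH (wireshark-native) when cross-compiling`. The trailer `Signed-off: Armin Kuster` should be `Signed-off-by:` so patch-metadata checks recognise it.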
+++ b/meta-networking/recipes-support/wpan-tools/wpan-tools_0.9.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4cfd939b1d7e6aba9fcefb7f6e2fd45d" DEPENDS = "libnl" -SRC_URI = "git://github.com/linux-wpan/wpan-tools" +SRC_URI = "git://github.com/linux-wpan/wpan-tools;branch=master;protocol=https" SRCREV = "a316ca2caa746d60817400e5bf646c2820f09273" S = "${WORKDIR}/git" diff --git a/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb b/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb index de4fa16426..75a206c6b8 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-benchmark/speedtest-cli/speedtest-cli_2.1.2.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" inherit setuptools3 -SRC_URI = "git://github.com/sivel/speedtest-cli.git" +SRC_URI = "git://github.com/sivel/speedtest-cli.git;branch=master;protocol=https" SRCREV = "c58ad3367bf27f4b4a4d5b1bca29ebd574731c5d" S = "${WORKDIR}/git" diff --git a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb index 065243ccfe..f55247d9ed 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-bsp/rwmem/rwmem_1.2.bb @@ -21,7 +21,7 @@ SRCREV_inih = "4b10c654051a86556dfdb634c891b6c3224c4109" SRCREV_FORMAT = "rwmem_inih" SRC_URI = " \ - git://github.com/tomba/rwmem.git;protocol=https;name=rwmem \ + git://github.com/tomba/rwmem.git;protocol=https;name=rwmem;branch=master \ git://github.com/benhoyt/inih.git;protocol=https;name=inih;nobranch=1;destsuffix=git/ext/inih \ " diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb index 58841ef319..cc15a8de31 100644 
--- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb @@ -14,7 +14,7 @@ inherit scons dos2unix siteinfo python3native PV = "4.2.2" #v4.2.2 SRCREV = "a0bbbff6ada159e19298d37946ac8dc4b497eadf" -SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.2 \ +SRC_URI = "git://github.com/mongodb/mongo.git;branch=v4.2;protocol=https \ file://0001-Tell-scons-to-use-build-settings-from-environment-va.patch \ file://0001-Use-long-long-instead-of-int64_t.patch \ file://0001-Use-__GLIBC__-to-control-use-of-gnu_get_libc_version.patch \ @@ -56,6 +56,8 @@ EXTRA_OESCONS = "--prefix=${D}${prefix} \ LINKFLAGS='${LDFLAGS}' \ CXXFLAGS='${CXXFLAGS}' \ TARGET_ARCH=${TARGET_ARCH} \ + MONGO_VERSION=${PV} \ + OBJCOPY=${OBJCOPY} \ --ssl \ --disable-warnings-as-errors \ --use-system-zlib \ diff --git a/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb index 275b984e47..f0a0c67975 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-extended/lcdproc/lcdproc_git.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=18810669f13b87348459e611d31ab760 \ PV = "0.5.9+git${SRCPV}" SRCREV = "3a3d622d9bb74c44fa67bc20573751a207514134" -SRC_URI = "git://github.com/lcdproc/lcdproc \ +SRC_URI = "git://github.com/lcdproc/lcdproc;branch=master;protocol=https \ file://0001-Fix-parallel-build-fix-port-internal-make-dependenci.patch \ file://0002-Include-limits.h-for-PATH_MAX-definition.patch \ file://0003-Fix-non-x86-platforms-on-musl.patch \ diff --git a/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb b/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb index b21212a430..de2341da4c 100644 --- a/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb +++ b/meta-oe/recipes-benchmark/cpuburn/cpuburn-arm_git.bb 
@@ -9,7 +9,7 @@ SRCREV = "ad7e646700d14b81413297bda02fb7fe96613c3f" PV = "1.0+git${SRCPV}" -SRC_URI = "git://github.com/ssvb/cpuburn-arm.git \ +SRC_URI = "git://github.com/ssvb/cpuburn-arm.git;branch=master;protocol=https \ file://0001-cpuburn-a8.S-Remove-.func-.endfunc.patch \ file://0002-burn.S-Add.patch \ file://0003-burn.S-Remove-.func-.endfunc.patch \ diff --git a/meta-oe/recipes-benchmark/fio/fio_3.17.bb b/meta-oe/recipes-benchmark/fio/fio_3.17.bb index 759d1087c0..bb3243a5cc 100644 --- a/meta-oe/recipes-benchmark/fio/fio_3.17.bb +++ b/meta-oe/recipes-benchmark/fio/fio_3.17.bb @@ -23,7 +23,7 @@ PACKAGECONFIG ??= "${PACKAGECONFIG_NUMA}" PACKAGECONFIG[numa] = ",--disable-numa,numactl" SRCREV = "08ce9dc20b8a4e55db7af6d869ddfa49b4a02d03" -SRC_URI = "git://git.kernel.dk/fio.git \ +SRC_URI = "git://git.kernel.dk/fio.git;branch=master \ file://0001-update-the-interpreter-paths.patch \ file://python3_shebangs.patch \ " diff --git a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb index 6d20bbdaf1..4976bf6905 100644 --- a/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb +++ b/meta-oe/recipes-benchmark/glmark2/glmark2_git.bb @@ -14,7 +14,7 @@ PV = "20191226+${SRCPV}" COMPATIBLE_HOST_rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '.*-linux*', 'null', d)}" -SRC_URI = "git://github.com/glmark2/glmark2.git;protocol=https \ +SRC_URI = "git://github.com/glmark2/glmark2.git;protocol=https;branch=master \ file://python3.patch" SRCREV = "72dabc5d72b49c6d45badeb8a941ba4d829b0bd6" diff --git a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb index 4a520e3be5..86e5fef530 100644 --- a/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb +++ b/meta-oe/recipes-benchmark/iperf2/iperf2_2.0.13.bb 
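Review bot: The fio_3.17.bb change adds only `;branch=master` to `git://git.kernel.dk/fio.git`, so unlike the GitHub recipes in this commit it keeps the fetcher's default transport rather than `protocol=https`. The same applies to `git://git.musl-libc.org/libc-bench;branch=master` in libc-bench_git.bb. SRCREV pins the commit in both recipes, which limits what a tampered transport could deliver, but if those servers offer HTTPS the entries should gain `;protocol=https` for consistency. If they do not, a short comment in the recipe saying so would explain the exception.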
@@ -19,3 +19,5 @@ EXTRA_OECONF = "--exec-prefix=${STAGING_DIR_HOST}${layout_exec_prefix}" PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}" PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," + +CVE_PRODUCT = "iperf_project:iperf" diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb index 98d2faabfd..b7ffb029a3 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=f9088fe7ffdccd042f7645f1012d7f70" DEPENDS = "openssl" -SRC_URI = "git://github.com/esnet/iperf.git \ +SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ file://0002-Remove-pg-from-profile_CFLAGS.patch \ " @@ -28,3 +28,5 @@ PACKAGECONFIG[lksctp] = "ac_cv_header_netinet_sctp_h=yes,ac_cv_header_netinet_sc CFLAGS += "-D_GNU_SOURCE" EXTRA_OECONF = "--with-openssl=${RECIPE_SYSROOT}${prefix}" + +CVE_PRODUCT = "iperf_project:iperf" diff --git a/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb b/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb index e813894316..60286c3249 100644 --- a/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb +++ b/meta-oe/recipes-benchmark/libc-bench/libc-bench_git.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=9a825c63897c53f487ef900598c31527" SRCREV = "b6b2ce5f9f87a09b14499cb00c600c601f022634" PV = "20110206+git${SRCPV}" -SRC_URI = "git://git.musl-libc.org/libc-bench \ +SRC_URI = "git://git.musl-libc.org/libc-bench;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb b/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb index 4768d7b63a..d6c35d0b3a 100644 --- a/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb +++ b/meta-oe/recipes-benchmark/libhugetlbfs/libhugetlbfs_git.bb 
@@ -12,7 +12,7 @@ PE = "1" SRCREV = "e6499ff92b4a7dcffbd131d1f5d24933e48c3f20" SRC_URI = " \ - git://github.com/libhugetlbfs/libhugetlbfs.git;protocol=https \ + git://github.com/libhugetlbfs/libhugetlbfs.git;protocol=https;branch=master \ file://skip-checking-LIB32-and-LIB64-if-they-point-to-the-s.patch \ file://libhugetlbfs-avoid-search-host-library-path-for-cros.patch \ file://tests-Makefile-install-static-4G-edge-testcases.patch \ diff --git a/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb b/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb index a2966e99dd..d30ea5a01b 100644 --- a/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb +++ b/meta-oe/recipes-benchmark/stressapptest/stressapptest_1.0.9.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=55ea9d559f985fb4834317d8ed6b9e58" SRCREV = "fb72e5e5f0879231f38e0e826a98a6ca2d1ca38e" -SRC_URI = "git://github.com/stressapptest/stressapptest \ +SRC_URI = "git://github.com/stressapptest/stressapptest;branch=master;protocol=https \ file://libcplusplus-compat.patch \ file://read_sysfs_for_cachesize.patch \ " diff --git a/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb b/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb index 2ce10f9c44..9c20d68ef2 100644 --- a/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb +++ b/meta-oe/recipes-benchmark/tinymembench/tinymembench_git.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://main.c;endline=22;md5=879b9bbb60851454885b5fa47eb6b34 PV = "0.4.0+git${SRCPV}" SRCREV = "a2cf6d7e382e3aea1eb39173174d9fa28cad15f3" -SRC_URI = "git://github.com/ssvb/tinymembench.git \ +SRC_URI = "git://github.com/ssvb/tinymembench.git;branch=master;protocol=https \ file://0001-asm-Delete-.func-.endfunc-directives.patch \ " diff --git a/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb b/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb index 88fcc0200f..589d62717c 100644 
--- a/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb +++ b/meta-oe/recipes-bsp/cpufrequtils/cpufrequtils_008.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" SRCREV = "a2f0c39d5f21596bb9f5223e895c0ff210b265d0" # SRC_URI = "git://git.kernel.org/pub/scm/utils/kernel/cpufreq/cpufrequtils.git -SRC_URI = "git://github.com/emagii/cpufrequtils.git \ +SRC_URI = "git://github.com/emagii/cpufrequtils.git;branch=master;protocol=https \ file://0001-dont-unset-cflags.patch \ " diff --git a/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb b/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb index b89fe6771c..e42adc6dc0 100644 --- a/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb +++ b/meta-oe/recipes-bsp/edac-utils/edac-utils_git.bb @@ -11,7 +11,7 @@ PV = "0.18+git${SRCPV}" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/grondo/edac-utils \ +SRC_URI = "git://github.com/grondo/edac-utils;branch=master;protocol=https \ file://make-init-script-be-able-to-automatically-load-EDAC-.patch \ file://add-restart-to-initscript.patch \ file://edac.service \ diff --git a/meta-oe/recipes-bsp/ledmon/ledmon_git.bb b/meta-oe/recipes-bsp/ledmon/ledmon_git.bb index f9ae9aad9a..1a9cb18c5c 100644 --- a/meta-oe/recipes-bsp/ledmon/ledmon_git.bb +++ b/meta-oe/recipes-bsp/ledmon/ledmon_git.bb @@ -16,7 +16,7 @@ inherit autotools systemd SYSTEMD_SERVICE_${PN} = "ledmon.service" # 0.93 -SRC_URI = "git://github.com/intel/ledmon;branch=master \ +SRC_URI = "git://github.com/intel/ledmon;branch=master;protocol=https \ file://0002-include-sys-select.h-and-sys-types.h.patch \ file://0001-Don-t-build-with-Werror-to-fix-compile-error.patch \ " diff --git a/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb b/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb index 890db55bcc..37a98a0996 100644 --- a/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb +++ b/meta-oe/recipes-bsp/lm_sensors/lmsensors_3.6.0.bb 
@@ -10,7 +10,7 @@ DEPENDS = " \ virtual/libiconv \ " -SRC_URI = "git://github.com/lm-sensors/lm-sensors.git;protocol=https \ +SRC_URI = "git://github.com/lm-sensors/lm-sensors.git;protocol=https;branch=master \ file://fancontrol.init \ file://sensord.init \ " @@ -95,7 +95,7 @@ RDEPENDS_${PN} += " \ ${PN}-sensorsdetect \ ${PN}-sensorsconfconvert \ ${PN}-pwmconfig \ - ${PN}-isatools \ + ${@bb.utils.contains('MACHINE_FEATURES', 'x86', '${PN}-isatools', '', d)} \ " # libsensors packages diff --git a/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb b/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb index 4f4bb2dfab..9344c17dce 100644 --- a/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb +++ b/meta-oe/recipes-bsp/nvme-cli/nvme-cli_1.10.1.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8264535c0c4e9c6c335635c4026a8022" DEPENDS = "util-linux" PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/linux-nvme/nvme-cli.git \ +SRC_URI = "git://github.com/linux-nvme/nvme-cli.git;branch=master;protocol=https \ file://0001-fix-musl-compilation.patch \ " SRCREV = "1d84d6ae0c7d7ceff5a73fe174dde8b0005f6108" diff --git a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb index 6b4decce51..64595d59c1 100644 --- a/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb +++ b/meta-oe/recipes-connectivity/gattlib/gattlib_git.bb @@ -9,7 +9,7 @@ DEPENDS += "glib-2.0-native" PV = "0.2+git${SRCPV}" -SRC_URI = "git://github.com/labapart/gattlib.git \ +SRC_URI = "git://github.com/labapart/gattlib.git;branch=master;protocol=https \ file://dbus-avoid-strange-chars-from-the-build-dir.patch \ file://0001-cmake-Use-GNUInstallDirs.patch \ " @@ -28,5 +28,5 @@ EXTRA_OECMAKE += "-DGATTLIB_BUILD_DOCS=OFF" inherit pkgconfig cmake -FILES_${PN} = "${libdir}/* ${includedir}/*" -FILES_${PN}-dev = "${includedir}/*" +FILES_${PN} = "${libdir}/*" +FILES_${PN}-dev = "${includedir}/* ${libdir}/pkgconfig" 
diff --git a/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb b/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb index 8c97662df5..bee757d5a6 100644 --- a/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb +++ b/meta-oe/recipes-connectivity/gensio/gensio_1.5.3.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=a0fd36908af843bcee10cb6dfc47fa67 \ SRCREV = "95ec1ab31ee97411fc37156d12061adcf0331598" PV = "1.5.3+git${SRCPV}" -SRC_URI = "git://github.com/cminyard/gensio;protocol=https \ +SRC_URI = "git://github.com/cminyard/gensio;protocol=https;branch=master \ file://0001-filter-Rename-some-variables-to-tr_stdxxx.patch \ " diff --git a/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb b/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb index 25500e6501..1606f10cf9 100644 --- a/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb +++ b/meta-oe/recipes-connectivity/iwd/iwd_1.9.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=fb504b67c50331fc78734fed90fb0e09" DEPENDS = "ell" -SRC_URI = "git://git.kernel.org/pub/scm/network/wireless/iwd.git" +SRC_URI = "git://git.kernel.org/pub/scm/network/wireless/iwd.git;branch=master" SRCREV = "aa3dc1b95348dea177e9d8c2c3063b29e20fe2e9" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb b/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb index 908b98d8c5..b1a9ed7ec6 100644 --- a/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb +++ b/meta-oe/recipes-connectivity/libimobiledevice/libimobiledevice_git.bb @@ -12,7 +12,7 @@ DEPENDS = "libplist usbmuxd libusbmuxd libtasn1 gnutls libgcrypt" SRCREV = "fb71aeef10488ed7b0e60a1c8a553193301428c0" PV = "1.2.0+git${SRCPV}" SRC_URI = "\ - git://github.com/libimobiledevice/libimobiledevice;protocol=https \ + git://github.com/libimobiledevice/libimobiledevice;protocol=https;branch=master \ file://configure-fix-largefile.patch \ " 
diff --git a/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb b/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb index 07a7a1d239..2537963dda 100644 --- a/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb +++ b/meta-oe/recipes-connectivity/libndp/libndp_1.7.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://libndp.org/" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" -SRC_URI = "git://github.com/jpirko/libndp \ +SRC_URI = "git://github.com/jpirko/libndp;branch=master;protocol=https \ " # tag for v1.6 SRCREV = "96674e7d4f4d569c2c961e865cc16152dfab5f09" diff --git a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb index 3ee69554b6..b4094dd6f3 100644 --- a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb +++ b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" DEPENDS = "zlib libsigc++-2.0 openssl cppunit" -SRC_URI = "git://github.com/rakshasa/libtorrent \ +SRC_URI = "git://github.com/rakshasa/libtorrent;branch=master;protocol=https \ file://don-t-run-code-while-configuring-package.patch \ " SRCREV = "756f70010779927dc0691e1e722ed433d5d295e1" diff --git a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb index 7577207318..41e95f56ae 100644 --- a/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb +++ b/meta-oe/recipes-connectivity/libuv/libuv_1.36.0.bb @@ -5,7 +5,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=a68902a430e32200263d182d44924d47" SRCREV = "533b738838ad8407032e14b6772b29ef9af63cfa" -SRC_URI = "git://github.com/libuv/libuv;branch=v1.x \ +SRC_URI = "git://github.com/libuv/libuv;branch=v1.x;protocol=https \ file://CVE-2020-8252.patch" S = "${WORKDIR}/git" 
diff --git a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb index c989767790..79e59a8fea 100644 --- a/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.bb +++ b/meta-oe/recipes-connectivity/linuxptp/linuxptp_2.0.1.bb @@ -2,14 +2,13 @@ DESCRIPTION = "Precision Time Protocol (PTP) according to IEEE standard 1588 for LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v${PV}/linuxptp-${PV}.tgz \ +SRC_URI = "http://sourceforge.net/projects/linuxptp/files/v2.0/linuxptp-${PV}.tgz \ file://build-Allow-CC-and-prefix-to-be-overriden.patch \ file://Use-cross-cpp-in-incdefs.patch \ file://time_t_maybe_long_long.patch \ " -SRC_URI[md5sum] = "d8bb7374943bb747db7786ac26f17f11" -SRC_URI[sha256sum] = "0a24d9401e87d4af023d201e234d91127d82c350daad93432106284aa9459c7d" +SRC_URI[sha256sum] = "6f4669db1733747427217a9e74c8b5ca25c4245947463e9cdb860ec8f5ec797a" EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} EXTRA_CFLAGS='${CFLAGS}'" diff --git a/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb b/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb index 3a1222e89e..d070111e95 100644 --- a/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb +++ b/meta-oe/recipes-connectivity/paho-mqtt-c/paho-mqtt-c_1.3.2.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = " \ file://about.html;md5=e5662cbb5f8fd5c9faac526e4077898e \ " -SRC_URI = "git://github.com/eclipse/paho.mqtt.c;protocol=http \ +SRC_URI = "git://github.com/eclipse/paho.mqtt.c;protocol=http;branch=master;protocol=https \ file://0001-Fix-bug-of-free-with-musl.patch" SRCREV = "3148fe2d5f4b87e16266dfe559c0764e16ca0546" diff --git a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb index 2ef6b187e9..bbc311ee1e 100644 --- a/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb 
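Review bot: The linuxptp tarball is still fetched over `http://sourceforge.net/...`, and with the md5sum line removed `SRC_URI[sha256sum]` is the single check protecting the download. An `https://` URL would protect the transfer as well, provided the host serves this path over TLS. The directory component is also now hard-coded as `v2.0` while the file name uses `${PV}`; a one-line comment such as `# 2.0.1 is published under the v2.0 directory` would keep the next version change from silently pointing at a wrong path.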
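Review bot: The paho-mqtt-c SRC_URI now carries two `protocol` parameters, `protocol=http;branch=master;protocol=https`, so the transport actually used depends on how the fetcher resolves a duplicated key. Dropping the stale value makes the intent unambiguous and removes any chance of falling back to plaintext: `git://github.com/eclipse/paho.mqtt.c;branch=master;protocol=https \`. The emlog.inc and mdbus2_git.bb hunks leave the same `protocol=http` in front of the new `protocol=https`.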
+++ b/meta-oe/recipes-connectivity/rabbitmq-c/rabbitmq-c_0.10.0.bb @@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/alanxz/rabbitmq-c" LIC_FILES_CHKSUM = "file://LICENSE-MIT;md5=6b7424f9db80cfb11fdd5c980b583f53" LICENSE = "MIT" -SRC_URI = "git://github.com/alanxz/rabbitmq-c.git" +SRC_URI = "git://github.com/alanxz/rabbitmq-c.git;branch=master;protocol=https" # v0.10.0-master SRCREV = "ffe918a5fcef72038a88054dca3c56762b1953d4" diff --git a/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb b/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb index 331f978f86..41fb1ec826 100644 --- a/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb +++ b/meta-oe/recipes-connectivity/rtorrent/rtorrent_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" DEPENDS = "libsigc++-2.0 curl cppunit libtorrent ncurses" -SRC_URI = "git://github.com/rakshasa/rtorrent \ +SRC_URI = "git://github.com/rakshasa/rtorrent;branch=master;protocol=https \ file://don-t-run-code-while-configuring-package.patch \ " # v0.9.8 diff --git a/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb b/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb index 7284234326..7993e608db 100644 --- a/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb +++ b/meta-oe/recipes-connectivity/usbmuxd/usbmuxd_git.bb @@ -10,7 +10,7 @@ inherit autotools pkgconfig gitpkgv systemd PKGV = "${GITPKGVTAG}" SRCREV = "ee85938c21043ef5f7cd4dfbc7677f385814d4d8" -SRC_URI = "git://github.com/libimobiledevice/usbmuxd;protocol=https" +SRC_URI = "git://github.com/libimobiledevice/usbmuxd;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb b/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb index 99cfb32051..dd2b4392c2 100644 --- a/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb +++ b/meta-oe/recipes-connectivity/wifi-test-suite/wifi-test-suite_git.bb 
@@ -9,7 +9,7 @@ SECTION = "test" S = "${WORKDIR}/git" SRCREV = "f7a8d7ef7d1a831c1bb47de21fa083536ea2f3a9" -SRC_URI = "git://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT.git \ +SRC_URI = "git://github.com/Wi-FiTestSuite/Wi-FiTestSuite-Linux-DUT.git;branch=master;protocol=https \ file://0001-Use-toolchain-from-environment-variables.patch \ file://0002-Add-missing-include-removes-unnedded-stuff-and-add-n.patch \ file://0003-fix-path-to-usr-sbin-for-script-and-make-script-for-.patch \ diff --git a/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb b/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb index 0b66970a9d..2a435897d3 100644 --- a/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb +++ b/meta-oe/recipes-connectivity/zeromq/cppzmq_git.bb @@ -7,7 +7,7 @@ DEPENDS = "zeromq" SRCREV = "8d5c9a88988dcbebb72939ca0939d432230ffde1" PV = "4.6.0" -SRC_URI = "git://github.com/zeromq/cppzmq.git" +SRC_URI = "git://github.com/zeromq/cppzmq.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch index 2c4ca057f2..1c2fc3813f 100644 --- a/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch +++ b/meta-oe/recipes-core/dbus/dbus-daemon-proxy/0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch @@ -21,7 +21,7 @@ index 009e4fd..f3f0d80 100644 if (!dbus_conn) - return; -+ DBUS_HANDLER_RESULT_NOT_YET_HANDLED; ++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; if (verbose) g_print ("New message from server: type='%d' path='%s' iface='%s'" diff --git a/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb b/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb index 42cd032c22..f40b48836a 100644 --- a/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb 
+++ b/meta-oe/recipes-core/dbus/dbus-daemon-proxy_git.bb @@ -6,7 +6,7 @@ SRCREV = "1226a0a1374628ff191f6d8a56000be5e53e7608" PV = "0.0.0+gitr${SRCPV}" PR = "r1.59" -SRC_URI = "git://github.com/alban/dbus-daemon-proxy \ +SRC_URI = "git://github.com/alban/dbus-daemon-proxy;branch=master;protocol=https \ file://0001-dbus-daemon-proxy-Return-DBUS_HANDLER_RESULT_NOT_YET.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-core/emlog/emlog.inc b/meta-oe/recipes-core/emlog/emlog.inc index 9a0f9ba928..948e18da4d 100644 --- a/meta-oe/recipes-core/emlog/emlog.inc +++ b/meta-oe/recipes-core/emlog/emlog.inc @@ -3,7 +3,7 @@ most recent (and only the most recent) output from a process" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" -SRC_URI = "git://github.com/nicupavel/emlog.git;protocol=http" +SRC_URI = "git://github.com/nicupavel/emlog.git;protocol=http;branch=master;protocol=https" SRCREV = "aee53e8dee862f35291242ba41b0ca88010f6c71" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-core/glfw/glfw_3.3.bb b/meta-oe/recipes-core/glfw/glfw_3.3.bb index 0fcf716c8e..c920cbd507 100644 --- a/meta-oe/recipes-core/glfw/glfw_3.3.bb +++ b/meta-oe/recipes-core/glfw/glfw_3.3.bb @@ -12,7 +12,7 @@ inherit pkgconfig cmake features_check PV .= "+git${SRCPV}" SRCREV = "781fbbadb0bccc749058177b1385c82da9ace880" -SRC_URI = "git://github.com/glfw/glfw.git" +SRC_URI = "git://github.com/glfw/glfw.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-core/libnfc/libnfc_git.bb b/meta-oe/recipes-core/libnfc/libnfc_git.bb index 2851ecf9fe..65586247a2 100644 --- a/meta-oe/recipes-core/libnfc/libnfc_git.bb +++ b/meta-oe/recipes-core/libnfc/libnfc_git.bb 
@@ -11,7 +11,7 @@ PV = "1.7.1+git${SRCPV}" S = "${WORKDIR}/git" SRCREV = "2d4543673e9b76c02679ca8b89259659f1afd932" -SRC_URI = "git://github.com/nfc-tools/libnfc.git \ +SRC_URI = "git://github.com/nfc-tools/libnfc.git;branch=master;protocol=https \ file://0001-usbbus-Include-stdint.h-for-uintX_t.patch \ " diff --git a/meta-oe/recipes-core/mdbus2/mdbus2_git.bb b/meta-oe/recipes-core/mdbus2/mdbus2_git.bb index 82f2cf8c94..fa98e1cb46 100644 --- a/meta-oe/recipes-core/mdbus2/mdbus2_git.bb +++ b/meta-oe/recipes-core/mdbus2/mdbus2_git.bb @@ -6,7 +6,7 @@ DEPENDS = "readline" PV = "2.3.3+git${SRCPV}" -SRC_URI = "git://github.com/freesmartphone/mdbus.git;protocol=http" +SRC_URI = "git://github.com/freesmartphone/mdbus.git;protocol=http;branch=master;protocol=https" SRCREV = "28202692d0b441000f4ddb8f347f72d1355021aa" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-core/ndctl/ndctl_v67.bb b/meta-oe/recipes-core/ndctl/ndctl_v67.bb index da0c6563a7..19d96414d3 100644 --- a/meta-oe/recipes-core/ndctl/ndctl_v67.bb +++ b/meta-oe/recipes-core/ndctl/ndctl_v67.bb @@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e66651809cac5da60c8b80e9e4e79e08" inherit autotools-brokensep pkgconfig bash-completion systemd SRCREV = "637bb424dc317a044c722a671355ef9df0e0d30f" -SRC_URI = "git://github.com/pmem/ndctl.git" +SRC_URI = "git://github.com/pmem/ndctl.git;branch=master;protocol=https" DEPENDS = "kmod udev json-c keyutils" diff --git a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb index dec1bea566..1d86f48aee 100644 --- a/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb +++ b/meta-oe/recipes-core/opencl-headers/opencl-headers_git.bb 
@@ -6,7 +6,7 @@ SECTION = "base" S = "${WORKDIR}/git" SRCREV = "40c5d226c7c0706f0176884e9b94b3886679c983" -SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git" +SRC_URI = "git://github.com/KhronosGroup/OpenCL-Headers.git;branch=main;protocol=https" do_configure[noexec] = "1" do_compile[noexec] = "1" diff --git a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb index 7c49c8d552..de355d29d6 100644 --- a/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb +++ b/meta-oe/recipes-core/opencl-icd-loader/opencl-icd-loader_git.bb @@ -8,7 +8,7 @@ inherit pkgconfig cmake S = "${WORKDIR}/git" SRCREV = "b342ff7b7f70a4b3f2cfc53215af8fa20adc3d86" -SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git" +SRC_URI = "git://github.com/KhronosGroup/OpenCL-ICD-Loader.git;branch=main;protocol=https" do_install () { install -d ${D}${bindir} diff --git a/meta-oe/recipes-core/safec/safec_3.5.1.bb b/meta-oe/recipes-core/safec/safec_3.5.1.bb index 91d8fc65a0..29158094a1 100644 --- a/meta-oe/recipes-core/safec/safec_3.5.1.bb +++ b/meta-oe/recipes-core/safec/safec_3.5.1.bb @@ -9,7 +9,7 @@ inherit autotools pkgconfig S = "${WORKDIR}/git" # v08112019 SRCREV = "ad76c7b1dbd0403b0c9decf54164fcce271c590f" -SRC_URI = "git://github.com/rurban/safeclib.git \ +SRC_URI = "git://github.com/rurban/safeclib.git;branch=master;protocol=https \ " COMPATIBLE_HOST = '(x86_64|i.86|powerpc|powerpc64|arm|aarch64|mips).*-linux' diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch new file mode 100644 index 0000000000..89cb593e60 --- /dev/null +++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-0.8.1/0001-Try-to-first-find-googletest-in-the-system-before-do.patch 
@@ -0,0 +1,96 @@ +From b073e1c2b9a8138da83300f598b9a56fc9762b4b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stanislav=20Angelovi=C4=8D?= <angelovic.s@gmail.com> +Date: Mon, 16 Nov 2020 17:05:36 +0100 +Subject: [PATCH] Try to first find googletest in the system before downloading + it (#125) + +Upstream-Status: Backport [d6fdaca] +Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> + +--- + tests/CMakeLists.txt | 62 ++++++++++++++++++++++++++++---------------- + 1 file changed, 40 insertions(+), 22 deletions(-) + +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index 97f7c1a..7ecc327 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -2,26 +2,44 @@ + # DOWNLOAD AND BUILD OF GOOGLETEST + #------------------------------- + +-include(FetchContent) +- +-message("Fetching googletest...") +-FetchContent_Declare(googletest +- GIT_REPOSITORY https://github.com/google/googletest.git +- GIT_TAG master +- GIT_SHALLOW 1 +- UPDATE_COMMAND "") +- +-#FetchContent_MakeAvailable(googletest) # Not available in CMake 3.13 :-( Let's do it manually: +-FetchContent_GetProperties(googletest) +-if(NOT googletest_POPULATED) +- FetchContent_Populate(googletest) +- set(gtest_force_shared_crt ON CACHE INTERNAL "" FORCE) +- set(BUILD_GMOCK ON CACHE INTERNAL "" FORCE) +- set(INSTALL_GTEST OFF CACHE INTERNAL "" FORCE) +- set(BUILD_SHARED_LIBS_BAK ${BUILD_SHARED_LIBS}) +- set(BUILD_SHARED_LIBS OFF) +- add_subdirectory(${googletest_SOURCE_DIR} ${googletest_BINARY_DIR}) +- set(BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS_BAK}) ++set(GOOGLETEST_VERSION 1.10.0 CACHE STRING "Version of gmock to use") ++set(GOOGLETEST_GIT_REPO "https://github.com/google/googletest.git" CACHE STRING "A git repo to clone and build googletest from if gmock is not found in the system") ++ ++find_package(GTest ${GOOGLETEST_VERSION} CONFIG) ++if (NOT TARGET GTest::gmock) ++ # Try pkg-config if GTest was not found through CMake config ++ find_package(PkgConfig) ++ if (PkgConfig_FOUND) ++ 
pkg_check_modules(GMock IMPORTED_TARGET GLOBAL gmock>=${GOOGLETEST_VERSION}) ++ if(TARGET PkgConfig::GMock) ++ add_library(GTest::gmock ALIAS PkgConfig::GMock) ++ endif() ++ endif() ++ # GTest was not found in the system, build it on our own ++ if (NOT TARGET GTest::gmock) ++ include(FetchContent) ++ ++ message("Fetching googletest...") ++ FetchContent_Declare(googletest ++ GIT_REPOSITORY ${GOOGLETEST_GIT_REPO} ++ GIT_TAG release-${GOOGLETEST_VERSION} ++ GIT_SHALLOW 1 ++ UPDATE_COMMAND "") ++ ++ #FetchContent_MakeAvailable(googletest) # Not available in CMake 3.13 :-( Let's do it manually: ++ FetchContent_GetProperties(googletest) ++ if(NOT googletest_POPULATED) ++ FetchContent_Populate(googletest) ++ set(gtest_force_shared_crt ON CACHE INTERNAL "" FORCE) ++ set(BUILD_GMOCK ON CACHE INTERNAL "" FORCE) ++ set(INSTALL_GTEST OFF CACHE INTERNAL "" FORCE) ++ set(BUILD_SHARED_LIBS_BAK ${BUILD_SHARED_LIBS}) ++ set(BUILD_SHARED_LIBS OFF) ++ add_subdirectory(${googletest_SOURCE_DIR} ${googletest_BINARY_DIR}) ++ set(BUILD_SHARED_LIBS ${BUILD_SHARED_LIBS_BAK}) ++ add_library(GTest::gmock ALIAS gmock) ++ endif() ++ endif() + endif() + + #------------------------------- +@@ -87,11 +105,11 @@ include_directories(${CMAKE_CURRENT_SOURCE_DIR}) + + add_executable(sdbus-c++-unit-tests ${UNITTESTS_SRCS}) + target_compile_definitions(sdbus-c++-unit-tests PRIVATE LIBSYSTEMD_VERSION=${LIBSYSTEMD_VERSION}) +-target_link_libraries(sdbus-c++-unit-tests sdbus-c++-objlib gmock gmock_main) ++target_link_libraries(sdbus-c++-unit-tests sdbus-c++-objlib GTest::gmock) + + add_executable(sdbus-c++-integration-tests ${INTEGRATIONTESTS_SRCS}) + target_compile_definitions(sdbus-c++-integration-tests PRIVATE LIBSYSTEMD_VERSION=${LIBSYSTEMD_VERSION}) +-target_link_libraries(sdbus-c++-integration-tests sdbus-c++ gmock gmock_main) ++target_link_libraries(sdbus-c++-integration-tests sdbus-c++ GTest::gmock) + + # Manual performance and stress tests + option(ENABLE_PERF_TESTS "Build and install manual 
performance tests (default OFF)" OFF) diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb index c8e81a4123..f0e928d0da 100644 --- a/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb +++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++-libsystemd_243.bb @@ -12,7 +12,7 @@ DEPENDS += "gperf-native gettext-native util-linux libcap" SRCREV = "efb536d0cbe2e58f80e501d19999928c75e08f6a" SRCBRANCH = "v243-stable" -SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=git;branch=${SRCBRANCH}" +SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=https;branch=${SRCBRANCH}" SRC_URI += "file://static-libsystemd-pkgconfig.patch" diff --git a/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb b/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb index c4d63fd272..a94fb8deff 100644 --- a/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb +++ b/meta-oe/recipes-core/sdbus-c++/sdbus-c++_0.8.1.bb @@ -12,13 +12,16 @@ PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'with-exte ${@bb.utils.contains('PTEST_ENABLED', '1', 'with-tests', '', d)}" PACKAGECONFIG[with-builtin-libsystemd] = ",,sdbus-c++-libsystemd,libcap" PACKAGECONFIG[with-external-libsystemd] = ",,systemd,libsystemd" -PACKAGECONFIG[with-tests] = "-DBUILD_TESTS=ON -DTESTS_INSTALL_PATH=${libdir}/${BPN}/tests,-DBUILD_TESTS=OFF" +PACKAGECONFIG[with-tests] = "-DBUILD_TESTS=ON -DTESTS_INSTALL_PATH=${libdir}/${BPN}/tests,-DBUILD_TESTS=OFF,googletest gmock" DEPENDS += "expat" SRCREV = "3a4f343fb924650e7639660efa5f143961162044" -SRC_URI = "git://github.com/Kistler-Group/sdbus-cpp.git;protocol=https;branch=master" -SRC_URI += "file://run-ptest" + +SRC_URI = "git://github.com/Kistler-Group/sdbus-cpp.git;protocol=https;branch=master \ + file://0001-Try-to-first-find-googletest-in-the-system-before-do.patch \ + file://run-ptest \ +" EXTRA_OECMAKE = "-DBUILD_CODE_GEN=ON \ -DBUILD_DOC=ON \ 
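Review bot: The fallback branch in the added tests/CMakeLists.txt patch still clones googletest at configure time from `${GOOGLETEST_GIT_REPO}` at the tag `release-${GOOGLETEST_VERSION}`, which is outside the recipe's SRC_URI/SRCREV control and names a tag rather than a commit id. The recipe hunk adds `googletest gmock` to the with-tests PACKAGECONFIG so the system copy should normally be found, but if both `find_package` and pkg-config miss it the configure step would presumably download without any notice. Passing `-DFETCHCONTENT_FULLY_DISCONNECTED=ON` next to `-DBUILD_TESTS=ON` should turn that case into a configure failure instead. Separately, the two changed `target_link_libraries` lines drop `gmock_main` and keep the keyword-less signature, so it is worth confirming that the test sources define their own `main` and adding `PRIVATE`.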
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb index b9668eb099..d303f27ebb 100644 --- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.2.bb +++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.3.7.bb @@ -21,8 +21,8 @@ RDEPENDS_${PN} = " \ " SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz" -SRC_URI[md5sum] = "6e4ffb6d35a73f7539a5d0c1354654cd" -SRC_URI[sha256sum] = "a89e13dff0798fd0280e801d5f0cc8cfdb2aa5b1929bec1b7322e13d3eca95fb" +SRC_URI[md5sum] = "9c5952cebb836ee783b0b76c5380a964" +SRC_URI[sha256sum] = "61835132a5986217af17b8943013aa3fe6d47bdc1a07386343526765e2ce27a9" inherit autotools gettext pkgconfig @@ -54,7 +54,7 @@ PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup" PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt" PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup" PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux" -PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev" +PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules" PACKAGECONFIG[kernel_crypto] = "--enable-kernel_crypto,--disable-kernel_crypto" # gcrypt-pkbdf2 requries --with-crypto_backend=gcrypt or the flag isn't # recognized. diff --git a/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb b/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb index 4e217a351d..ad5355ea64 100644 --- a/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb +++ b/meta-oe/recipes-crypto/libkcapi/libkcapi_git.bb 
@@ -9,7 +9,7 @@ S = "${WORKDIR}/git" SRCREV = "5649050d201856bf06c8738b5d2aa1710c86ac2f" PV = "1.1.5" SRC_URI = " \ - git://github.com/smuellerDD/libkcapi.git \ + git://github.com/smuellerDD/libkcapi.git;branch=master;protocol=https \ file://0001-kcapi-kdf-Move-code-to-fix.patch \ file://0001-Use-__builtin_bswap32-on-Clang-if-supported.patch \ " diff --git a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb index 9b6e7ccbe2..321aa4fdc1 100644 --- a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb +++ b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.26.bb @@ -15,7 +15,7 @@ LIC_FILES_CHKSUM = " \ file://COPYING.GPL;md5=8a71d0475d08eee76d8b6d0c6dbec543 \ file://COPYING.BSD;md5=66b7a37c3c10483c1fd86007726104d7 \ " -SRC_URI = "git://github.com/OpenSC/${BPN}.git" +SRC_URI = "git://github.com/OpenSC/${BPN}.git;branch=master;protocol=https" S = "${WORKDIR}/git" # v1.26 diff --git a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb index b597ef1ea8..48f2fd8ac1 100644 --- a/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb +++ b/meta-oe/recipes-dbs/leveldb/leveldb_1.22.bb @@ -4,7 +4,7 @@ HOMEPAGE = "https://github.com/google/leveldb" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=92d1b128950b11ba8495b64938fc164d" -SRC_URI = "git://github.com/google/${BPN}.git \ +SRC_URI = "git://github.com/google/${BPN}.git;branch=main;protocol=https \ file://run-ptest" SRCREV = "78b39d68c15ba020c0d60a3906fb66dbf1697595" diff --git a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.20.bb b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.25.bb index e1a038dfa3..e1a038dfa3 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.20.bb +++ b/meta-oe/recipes-dbs/mysql/mariadb-native_10.4.25.bb diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc index 0fb0c95ec3..565f4d5613 100644 --- a/meta-oe/recipes-dbs/mysql/mariadb.inc 
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc @@ -15,12 +15,10 @@ SRC_URI = "https://downloads.mariadb.org/interstitial/${BP}/source/${BP}.tar.gz file://support-files-CMakeLists.txt-fix-do_populate_sysroot.patch \ file://sql-CMakeLists.txt-fix-gen_lex_hash-not-found.patch \ file://0001-disable-ucontext-on-musl.patch \ - file://c11_atomics.patch \ - file://clang_version_header_conflict.patch \ file://fix-arm-atomic.patch \ " -SRC_URI[md5sum] = "c3bc7a3eca3b0bbae5748f7b22a55c0c" -SRC_URI[sha256sum] = "87d5e29ee1f18de153266ec658138607703ed2a05b3ffb1f89091d33f4abf545" + +SRC_URI[sha256sum] = "ff963c4e11bc06b775f66f2b1ddef184996208fb4b23cfdb50d95fb02eaa7ef8" UPSTREAM_CHECK_URI = "https://github.com/MariaDB/server/releases" diff --git a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch b/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch deleted file mode 100644 index b1ce963602..0000000000 --- a/meta-oe/recipes-dbs/mysql/mariadb/c11_atomics.patch +++ /dev/null 
@@ -1,73 +0,0 @@
-Author: Vicențiu Ciorbaru <vicentiu@mariadb.org>
-Date: Fri Dec 21 19:14:04 2018 +0200
-
- Link with libatomic to enable C11 atomics support
-
- Some architectures (mips) require libatomic to support proper
- atomic operations. Check first if support is available without
- linking, otherwise use the library.
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
-Index: mariadb-10.4.17/configure.cmake
-===================================================================
---- mariadb-10.4.17.orig/configure.cmake
-+++ mariadb-10.4.17/configure.cmake
-@@ -863,7 +863,25 @@ int main()
- long long int *ptr= &var;
- return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST);
- }"
--HAVE_GCC_C11_ATOMICS)
-+HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC)
-+IF (HAVE_GCC_C11_ATOMICS_WITHOUT_LIBATOMIC)
-+ SET(HAVE_GCC_C11_ATOMICS True)
-+ELSE()
-+ SET(OLD_CMAKE_REQUIRED_LIBRARIES ${CMAKE_REQUIRED_LIBRARIES})
-+ LIST(APPEND CMAKE_REQUIRED_LIBRARIES "atomic")
-+ CHECK_CXX_SOURCE_COMPILES("
-+ int main()
-+ {
-+ long long int var= 1;
-+ long long int *ptr= &var;
-+ return (int)__atomic_load_n(ptr, __ATOMIC_SEQ_CST);
-+ }"
-+ HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ IF(HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ SET(HAVE_GCC_C11_ATOMICS True)
-+ ENDIF()
-+ SET(CMAKE_REQUIRED_LIBRARIES ${OLD_CMAKE_REQUIRED_LIBRARIES})
-+ENDIF()
-
- IF(WITH_VALGRIND)
- SET(HAVE_valgrind 1)
-Index: mariadb-10.4.17/mysys/CMakeLists.txt
-===================================================================
---- mariadb-10.4.17.orig/mysys/CMakeLists.txt
-+++ mariadb-10.4.17/mysys/CMakeLists.txt
-@@ -78,6 +78,10 @@ TARGET_LINK_LIBRARIES(mysys dbug strings
- ${LIBNSL} ${LIBM} ${LIBRT} ${CMAKE_DL_LIBS} ${LIBSOCKET} ${LIBEXECINFO} ${CRC32_LIBRARY})
- DTRACE_INSTRUMENT(mysys)
-
-+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ TARGET_LINK_LIBRARIES(mysys atomic)
-+ENDIF()
-+
- IF(HAVE_BFD_H)
- TARGET_LINK_LIBRARIES(mysys bfd)
- ENDIF(HAVE_BFD_H)
-Index: mariadb-10.4.17/sql/CMakeLists.txt
-===================================================================
---- mariadb-10.4.17.orig/sql/CMakeLists.txt
-+++ mariadb-10.4.17/sql/CMakeLists.txt
-@@ -196,6 +196,10 @@ ELSE()
- SET(MYSQLD_SOURCE main.cc ${DTRACE_PROBES_ALL})
- ENDIF()
-
-+IF (HAVE_GCC_C11_ATOMICS_WITH_LIBATOMIC)
-+ TARGET_LINK_LIBRARIES(sql atomic)
-+ENDIF()
-+
-
- IF(MSVC AND NOT WITHOUT_DYNAMIC_PLUGINS)
-
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch b/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch
deleted file mode 100644
index c77a869441..0000000000
--- a/meta-oe/recipes-dbs/mysql/mariadb/clang_version_header_conflict.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-libc++ also has a file called version and this file and how cflags are specified
-it ends up including this file and resulting in compile errors
-
-fixes errors like
-storage/mroonga/version:1:1: error: expected unqualified-id
-7.07
-^
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
---- a/storage/mroonga/CMakeLists.txt
-+++ b/storage/mroonga/CMakeLists.txt
-@@ -80,7 +80,7 @@ else()
- set(MRN_SOURCE_DIR ${CMAKE_SOURCE_DIR})
- endif()
-
--file(READ ${MRN_SOURCE_DIR}/version MRN_VERSION)
-+file(READ ${MRN_SOURCE_DIR}/ver MRN_VERSION)
- file(READ ${MRN_SOURCE_DIR}/version_major MRN_VERSION_MAJOR)
- file(READ ${MRN_SOURCE_DIR}/version_minor MRN_VERSION_MINOR)
- file(READ ${MRN_SOURCE_DIR}/version_micro MRN_VERSION_MICRO)
---- /dev/null
-+++ b/storage/mroonga/ver
-@@ -0,0 +1 @@
-+7.07
-\ No newline at end of file
---- a/storage/mroonga/version
-+++ /dev/null
-@@ -1 +0,0 @@
--7.07
-\ No newline at end of file
diff --git a/meta-oe/recipes-dbs/mysql/mariadb_10.4.20.bb b/meta-oe/recipes-dbs/mysql/mariadb_10.4.25.bb
index c0b53379d9..c0b53379d9 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb_10.4.20.bb
+++ b/meta-oe/recipes-dbs/mysql/mariadb_10.4.25.bb
diff --git a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch index 865ad3287b..a1f5b2a7b4 100644 --- a/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch +++ b/meta-oe/recipes-dbs/postgresql/files/0001-Add-support-for-RISC-V.patch @@ -13,7 +13,7 @@ diff --git a/src/include/storage/s_lock.h b/src/include/storage/s_lock.h index 3fe29ce..7cd578f 100644 --- a/src/include/storage/s_lock.h +++ b/src/include/storage/s_lock.h -@@ -316,11 +316,12 @@ tas(volatile slock_t *lock) +@@ -317,11 +317,12 @@ tas(volatile slock_t *lock) /* * On ARM and ARM64, we use __sync_lock_test_and_set(int *, int) if available. @@ -27,7 +27,7 @@ index 3fe29ce..7cd578f 100644 #ifdef HAVE_GCC__SYNC_INT32_TAS #define HAS_TEST_AND_SET -@@ -337,7 +338,7 @@ tas(volatile slock_t *lock) +@@ -338,7 +339,7 @@ tas(volatile slock_t *lock) #define S_UNLOCK(lock) __sync_lock_release(lock) #endif /* HAVE_GCC__SYNC_INT32_TAS */ @@ -35,7 +35,7 @@ index 3fe29ce..7cd578f 100644 +#endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */ - /* S/390 and S/390x Linux (32- and 64-bit zSeries) */ + /* -- 2.9.3 diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch new file mode 100644 index 0000000000..6f0d5ac06f --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-1552.patch 
@@ -0,0 +1,947 @@ +From 31eefa1efc8eecb6ab91c8835d2952d44a3b1ae1 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Thu, 22 Sep 2022 11:20:41 +0530 +Subject: [PATCH] CVE-2022-1552 + +Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=ab49ce7c3414ac19e4afb386d7843ce2d2fb8bda && https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=677a494789062ca88e0142a17bedd5415f6ab0aa] + +CVE: CVE-2022-1552 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + contrib/amcheck/expected/check_btree.out | 23 ++++++ + contrib/amcheck/sql/check_btree.sql | 21 +++++ + contrib/amcheck/verify_nbtree.c | 27 +++++++ + src/backend/access/brin/brin.c | 29 ++++++- + src/backend/catalog/index.c | 65 ++++++++++++---- + src/backend/commands/cluster.c | 37 ++++++--- + src/backend/commands/indexcmds.c | 98 ++++++++++++++++++++---- + src/backend/commands/matview.c | 30 +++----- + src/backend/utils/init/miscinit.c | 24 +++--- + src/test/regress/expected/privileges.out | 71 +++++++++++++++++ + src/test/regress/sql/privileges.sql | 64 ++++++++++++++++ + 11 files changed, 422 insertions(+), 67 deletions(-) + +diff --git a/contrib/amcheck/expected/check_btree.out b/contrib/amcheck/expected/check_btree.out +index 59a805d..0fd6ea0 100644 +--- a/contrib/amcheck/expected/check_btree.out ++++ b/contrib/amcheck/expected/check_btree.out +@@ -168,11 +168,34 @@ SELECT bt_index_check('toasty', true); + + (1 row) + ++-- ++-- Check that index expressions and predicates are run as the table's owner ++-- ++TRUNCATE bttest_a; ++INSERT INTO bttest_a SELECT * FROM generate_series(1, 1000); ++ALTER TABLE bttest_a OWNER TO regress_bttest_role; ++-- A dummy index function checking current_user ++CREATE FUNCTION ifun(int8) RETURNS int8 AS $$ ++BEGIN ++ ASSERT current_user = 'regress_bttest_role', ++ format('ifun(%s) called by %s', $1, current_user); ++ RETURN $1; ++END; ++$$ LANGUAGE plpgsql IMMUTABLE; ++CREATE INDEX bttest_a_expr_idx 
ON bttest_a ((ifun(id) + ifun(0))) ++ WHERE ifun(id + 10) > ifun(10); ++SELECT bt_index_check('bttest_a_expr_idx', true); ++ bt_index_check ++---------------- ++ ++(1 row) ++ + -- cleanup + DROP TABLE bttest_a; + DROP TABLE bttest_b; + DROP TABLE bttest_multi; + DROP TABLE delete_test_table; + DROP TABLE toast_bug; ++DROP FUNCTION ifun(int8); + DROP OWNED BY regress_bttest_role; -- permissions + DROP ROLE regress_bttest_role; +diff --git a/contrib/amcheck/sql/check_btree.sql b/contrib/amcheck/sql/check_btree.sql +index 99acbc8..3248187 100644 +--- a/contrib/amcheck/sql/check_btree.sql ++++ b/contrib/amcheck/sql/check_btree.sql +@@ -110,11 +110,32 @@ INSERT INTO toast_bug SELECT repeat('a', 2200); + -- Should not get false positive report of corruption: + SELECT bt_index_check('toasty', true); + ++-- ++-- Check that index expressions and predicates are run as the table's owner ++-- ++TRUNCATE bttest_a; ++INSERT INTO bttest_a SELECT * FROM generate_series(1, 1000); ++ALTER TABLE bttest_a OWNER TO regress_bttest_role; ++-- A dummy index function checking current_user ++CREATE FUNCTION ifun(int8) RETURNS int8 AS $$ ++BEGIN ++ ASSERT current_user = 'regress_bttest_role', ++ format('ifun(%s) called by %s', $1, current_user); ++ RETURN $1; ++END; ++$$ LANGUAGE plpgsql IMMUTABLE; ++ ++CREATE INDEX bttest_a_expr_idx ON bttest_a ((ifun(id) + ifun(0))) ++ WHERE ifun(id + 10) > ifun(10); ++ ++SELECT bt_index_check('bttest_a_expr_idx', true); ++ + -- cleanup + DROP TABLE bttest_a; + DROP TABLE bttest_b; + DROP TABLE bttest_multi; + DROP TABLE delete_test_table; + DROP TABLE toast_bug; ++DROP FUNCTION ifun(int8); + DROP OWNED BY regress_bttest_role; -- permissions + DROP ROLE regress_bttest_role; +diff --git a/contrib/amcheck/verify_nbtree.c b/contrib/amcheck/verify_nbtree.c +index 700a02f..cb6475d 100644 +--- a/contrib/amcheck/verify_nbtree.c ++++ b/contrib/amcheck/verify_nbtree.c +@@ -228,6 +228,9 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed, 
+ Relation indrel; + Relation heaprel; + LOCKMODE lockmode; ++ Oid save_userid; ++ int save_sec_context; ++ int save_nestlevel; + + if (parentcheck) + lockmode = ShareLock; +@@ -244,9 +247,27 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed, + */ + heapid = IndexGetRelation(indrelid, true); + if (OidIsValid(heapid)) ++ { + heaprel = table_open(heapid, lockmode); ++ ++ /* ++ * Switch to the table owner's userid, so that any index functions are ++ * run as that user. Also lock down security-restricted operations ++ * and arrange to make GUC variable changes local to this command. ++ */ ++ GetUserIdAndSecContext(&save_userid, &save_sec_context); ++ SetUserIdAndSecContext(heaprel->rd_rel->relowner, ++ save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ save_nestlevel = NewGUCNestLevel(); ++ } + else ++ { + heaprel = NULL; ++ /* for "gcc -Og" https://gcc.gnu.org/bugzilla/show_bug.cgi?id=78394 */ ++ save_userid = InvalidOid; ++ save_sec_context = -1; ++ save_nestlevel = -1; ++ } + + /* + * Open the target index relations separately (like relation_openrv(), but +@@ -293,6 +314,12 @@ bt_index_check_internal(Oid indrelid, bool parentcheck, bool heapallindexed, + heapallindexed, rootdescend); + } + ++ /* Roll back any GUC changes executed by index functions */ ++ AtEOXact_GUC(false, save_nestlevel); ++ ++ /* Restore userid and security context */ ++ SetUserIdAndSecContext(save_userid, save_sec_context); ++ + /* + * Release locks early. 
That's ok here because nothing in the called + * routines will trigger shared cache invalidations to be sent, so we can +diff --git a/src/backend/access/brin/brin.c b/src/backend/access/brin/brin.c +index c7b403b..781cac2 100644 +--- a/src/backend/access/brin/brin.c ++++ b/src/backend/access/brin/brin.c +@@ -873,6 +873,9 @@ brin_summarize_range(PG_FUNCTION_ARGS) + Oid heapoid; + Relation indexRel; + Relation heapRel; ++ Oid save_userid; ++ int save_sec_context; ++ int save_nestlevel; + double numSummarized = 0; + + if (RecoveryInProgress()) +@@ -899,7 +902,22 @@ brin_summarize_range(PG_FUNCTION_ARGS) + */ + heapoid = IndexGetRelation(indexoid, true); + if (OidIsValid(heapoid)) ++ { + heapRel = table_open(heapoid, ShareUpdateExclusiveLock); ++ ++ /* ++ * Autovacuum calls us. For its benefit, switch to the table owner's ++ * userid, so that any index functions are run as that user. Also ++ * lock down security-restricted operations and arrange to make GUC ++ * variable changes local to this command. This is harmless, albeit ++ * unnecessary, when called from SQL, because we fail shortly if the ++ * user does not own the index. 
++ */ ++ GetUserIdAndSecContext(&save_userid, &save_sec_context); ++ SetUserIdAndSecContext(heapRel->rd_rel->relowner, ++ save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ save_nestlevel = NewGUCNestLevel(); ++ } + else + heapRel = NULL; + +@@ -914,7 +932,7 @@ brin_summarize_range(PG_FUNCTION_ARGS) + RelationGetRelationName(indexRel)))); + + /* User must own the index (comparable to privileges needed for VACUUM) */ +- if (!pg_class_ownercheck(indexoid, GetUserId())) ++ if (heapRel != NULL && !pg_class_ownercheck(indexoid, save_userid)) + aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_INDEX, + RelationGetRelationName(indexRel)); + +@@ -932,6 +950,12 @@ brin_summarize_range(PG_FUNCTION_ARGS) + /* OK, do it */ + brinsummarize(indexRel, heapRel, heapBlk, true, &numSummarized, NULL); + ++ /* Roll back any GUC changes executed by index functions */ ++ AtEOXact_GUC(false, save_nestlevel); ++ ++ /* Restore userid and security context */ ++ SetUserIdAndSecContext(save_userid, save_sec_context); ++ + relation_close(indexRel, ShareUpdateExclusiveLock); + relation_close(heapRel, ShareUpdateExclusiveLock); + +@@ -973,6 +997,9 @@ brin_desummarize_range(PG_FUNCTION_ARGS) + * passed indexoid isn't an index then IndexGetRelation() will fail. + * Rather than emitting a not-very-helpful error message, postpone + * complaining, expecting that the is-it-an-index test below will fail. ++ * ++ * Unlike brin_summarize_range(), autovacuum never calls this. Hence, we ++ * don't switch userid. 
+ */ + heapoid = IndexGetRelation(indexoid, true); + if (OidIsValid(heapoid)) +diff --git a/src/backend/catalog/index.c b/src/backend/catalog/index.c +index 3ece136..0333bfd 100644 +--- a/src/backend/catalog/index.c ++++ b/src/backend/catalog/index.c +@@ -1400,6 +1400,9 @@ index_concurrently_build(Oid heapRelationId, + Oid indexRelationId) + { + Relation heapRel; ++ Oid save_userid; ++ int save_sec_context; ++ int save_nestlevel; + Relation indexRelation; + IndexInfo *indexInfo; + +@@ -1409,7 +1412,16 @@ index_concurrently_build(Oid heapRelationId, + /* Open and lock the parent heap relation */ + heapRel = table_open(heapRelationId, ShareUpdateExclusiveLock); + +- /* And the target index relation */ ++ /* ++ * Switch to the table owner's userid, so that any index functions are run ++ * as that user. Also lock down security-restricted operations and ++ * arrange to make GUC variable changes local to this command. ++ */ ++ GetUserIdAndSecContext(&save_userid, &save_sec_context); ++ SetUserIdAndSecContext(heapRel->rd_rel->relowner, ++ save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ save_nestlevel = NewGUCNestLevel(); ++ + indexRelation = index_open(indexRelationId, RowExclusiveLock); + + /* +@@ -1425,6 +1437,12 @@ index_concurrently_build(Oid heapRelationId, + /* Now build the index */ + index_build(heapRel, indexRelation, indexInfo, false, true); + ++ /* Roll back any GUC changes executed by index functions */ ++ AtEOXact_GUC(false, save_nestlevel); ++ ++ /* Restore userid and security context */ ++ SetUserIdAndSecContext(save_userid, save_sec_context); ++ + /* Close both the relations, but keep the locks */ + table_close(heapRel, NoLock); + index_close(indexRelation, NoLock); +@@ -3271,7 +3289,17 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) + + /* Open and lock the parent heap relation */ + heapRelation = table_open(heapId, ShareUpdateExclusiveLock); +- /* And the target index relation */ ++ ++ /* ++ * Switch to the table owner's userid, so 
that any index functions are run ++ * as that user. Also lock down security-restricted operations and ++ * arrange to make GUC variable changes local to this command. ++ */ ++ GetUserIdAndSecContext(&save_userid, &save_sec_context); ++ SetUserIdAndSecContext(heapRelation->rd_rel->relowner, ++ save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ save_nestlevel = NewGUCNestLevel(); ++ + indexRelation = index_open(indexId, RowExclusiveLock); + + /* +@@ -3284,16 +3312,6 @@ validate_index(Oid heapId, Oid indexId, Snapshot snapshot) + /* mark build is concurrent just for consistency */ + indexInfo->ii_Concurrent = true; + +- /* +- * Switch to the table owner's userid, so that any index functions are run +- * as that user. Also lock down security-restricted operations and +- * arrange to make GUC variable changes local to this command. +- */ +- GetUserIdAndSecContext(&save_userid, &save_sec_context); +- SetUserIdAndSecContext(heapRelation->rd_rel->relowner, +- save_sec_context | SECURITY_RESTRICTED_OPERATION); +- save_nestlevel = NewGUCNestLevel(); +- + /* + * Scan the index and gather up all the TIDs into a tuplesort object. + */ +@@ -3497,6 +3515,9 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence, + Relation iRel, + heapRelation; + Oid heapId; ++ Oid save_userid; ++ int save_sec_context; ++ int save_nestlevel; + IndexInfo *indexInfo; + volatile bool skipped_constraint = false; + PGRUsage ru0; +@@ -3527,6 +3548,16 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence, + */ + iRel = index_open(indexId, AccessExclusiveLock); + ++ /* ++ * Switch to the table owner's userid, so that any index functions are run ++ * as that user. Also lock down security-restricted operations and ++ * arrange to make GUC variable changes local to this command. 
++ */ ++ GetUserIdAndSecContext(&save_userid, &save_sec_context); ++ SetUserIdAndSecContext(heapRelation->rd_rel->relowner, ++ save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ save_nestlevel = NewGUCNestLevel(); ++ + if (progress) + pgstat_progress_update_param(PROGRESS_CREATEIDX_ACCESS_METHOD_OID, + iRel->rd_rel->relam); +@@ -3684,12 +3715,18 @@ reindex_index(Oid indexId, bool skip_constraint_checks, char persistence, + errdetail_internal("%s", + pg_rusage_show(&ru0)))); + +- if (progress) +- pgstat_progress_end_command(); ++ /* Roll back any GUC changes executed by index functions */ ++ AtEOXact_GUC(false, save_nestlevel); ++ ++ /* Restore userid and security context */ ++ SetUserIdAndSecContext(save_userid, save_sec_context); + + /* Close rels, but keep locks */ + index_close(iRel, NoLock); + table_close(heapRelation, NoLock); ++ ++ if (progress) ++ pgstat_progress_end_command(); + } + + /* +diff --git a/src/backend/commands/cluster.c b/src/backend/commands/cluster.c +index bd6f408..74db03e 100644 +--- a/src/backend/commands/cluster.c ++++ b/src/backend/commands/cluster.c +@@ -266,6 +266,9 @@ void + cluster_rel(Oid tableOid, Oid indexOid, int options) + { + Relation OldHeap; ++ Oid save_userid; ++ int save_sec_context; ++ int save_nestlevel; + bool verbose = ((options & CLUOPT_VERBOSE) != 0); + bool recheck = ((options & CLUOPT_RECHECK) != 0); + +@@ -295,6 +298,16 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) + return; + } + ++ /* ++ * Switch to the table owner's userid, so that any index functions are run ++ * as that user. Also lock down security-restricted operations and ++ * arrange to make GUC variable changes local to this command. 
++ */ ++ GetUserIdAndSecContext(&save_userid, &save_sec_context); ++ SetUserIdAndSecContext(OldHeap->rd_rel->relowner, ++ save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ save_nestlevel = NewGUCNestLevel(); ++ + /* + * Since we may open a new transaction for each relation, we have to check + * that the relation still is what we think it is. +@@ -309,11 +322,10 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) + Form_pg_index indexForm; + + /* Check that the user still owns the relation */ +- if (!pg_class_ownercheck(tableOid, GetUserId())) ++ if (!pg_class_ownercheck(tableOid, save_userid)) + { + relation_close(OldHeap, AccessExclusiveLock); +- pgstat_progress_end_command(); +- return; ++ goto out; + } + + /* +@@ -327,8 +339,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) + if (RELATION_IS_OTHER_TEMP(OldHeap)) + { + relation_close(OldHeap, AccessExclusiveLock); +- pgstat_progress_end_command(); +- return; ++ goto out; + } + + if (OidIsValid(indexOid)) +@@ -339,8 +350,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) + if (!SearchSysCacheExists1(RELOID, ObjectIdGetDatum(indexOid))) + { + relation_close(OldHeap, AccessExclusiveLock); +- pgstat_progress_end_command(); +- return; ++ goto out; + } + + /* +@@ -350,8 +360,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) + if (!HeapTupleIsValid(tuple)) /* probably can't happen */ + { + relation_close(OldHeap, AccessExclusiveLock); +- pgstat_progress_end_command(); +- return; ++ goto out; + } + indexForm = (Form_pg_index) GETSTRUCT(tuple); + if (!indexForm->indisclustered) +@@ -413,8 +422,7 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) + !RelationIsPopulated(OldHeap)) + { + relation_close(OldHeap, AccessExclusiveLock); +- pgstat_progress_end_command(); +- return; ++ goto out; + } + + /* +@@ -430,6 +438,13 @@ cluster_rel(Oid tableOid, Oid indexOid, int options) + + /* NB: rebuild_relation does table_close() on OldHeap */ + ++out: ++ /* Roll back any GUC changes executed by 
index functions */ ++ AtEOXact_GUC(false, save_nestlevel); ++ ++ /* Restore userid and security context */ ++ SetUserIdAndSecContext(save_userid, save_sec_context); ++ + pgstat_progress_end_command(); + } + +diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c +index be1cf8c..167b377 100644 +--- a/src/backend/commands/indexcmds.c ++++ b/src/backend/commands/indexcmds.c +@@ -470,21 +470,22 @@ DefineIndex(Oid relationId, + LOCKTAG heaplocktag; + LOCKMODE lockmode; + Snapshot snapshot; +- int save_nestlevel = -1; ++ Oid root_save_userid; ++ int root_save_sec_context; ++ int root_save_nestlevel; + int i; + ++ root_save_nestlevel = NewGUCNestLevel(); ++ + /* + * Some callers need us to run with an empty default_tablespace; this is a + * necessary hack to be able to reproduce catalog state accurately when + * recreating indexes after table-rewriting ALTER TABLE. + */ + if (stmt->reset_default_tblspc) +- { +- save_nestlevel = NewGUCNestLevel(); + (void) set_config_option("default_tablespace", "", + PGC_USERSET, PGC_S_SESSION, + GUC_ACTION_SAVE, true, 0, false); +- } + + /* + * Force non-concurrent build on temporary relations, even if CONCURRENTLY +@@ -563,6 +564,15 @@ DefineIndex(Oid relationId, + lockmode = concurrent ? ShareUpdateExclusiveLock : ShareLock; + rel = table_open(relationId, lockmode); + ++ /* ++ * Switch to the table owner's userid, so that any index functions are run ++ * as that user. Also lock down security-restricted operations. We ++ * already arranged to make GUC variable changes local to this command. 
++ */ ++ GetUserIdAndSecContext(&root_save_userid, &root_save_sec_context); ++ SetUserIdAndSecContext(rel->rd_rel->relowner, ++ root_save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ + namespaceId = RelationGetNamespace(rel); + + /* Ensure that it makes sense to index this kind of relation */ +@@ -648,7 +658,7 @@ DefineIndex(Oid relationId, + { + AclResult aclresult; + +- aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), ++ aclresult = pg_namespace_aclcheck(namespaceId, root_save_userid, + ACL_CREATE); + if (aclresult != ACLCHECK_OK) + aclcheck_error(aclresult, OBJECT_SCHEMA, +@@ -680,7 +690,7 @@ DefineIndex(Oid relationId, + { + AclResult aclresult; + +- aclresult = pg_tablespace_aclcheck(tablespaceId, GetUserId(), ++ aclresult = pg_tablespace_aclcheck(tablespaceId, root_save_userid, + ACL_CREATE); + if (aclresult != ACLCHECK_OK) + aclcheck_error(aclresult, OBJECT_TABLESPACE, +@@ -1066,15 +1076,17 @@ DefineIndex(Oid relationId, + + ObjectAddressSet(address, RelationRelationId, indexRelationId); + +- /* +- * Revert to original default_tablespace. Must do this before any return +- * from this function, but after index_create, so this is a good time. +- */ +- if (save_nestlevel >= 0) +- AtEOXact_GUC(true, save_nestlevel); +- + if (!OidIsValid(indexRelationId)) + { ++ /* ++ * Roll back any GUC changes executed by index functions. Also revert ++ * to original default_tablespace if we changed it above. ++ */ ++ AtEOXact_GUC(false, root_save_nestlevel); ++ ++ /* Restore userid and security context */ ++ SetUserIdAndSecContext(root_save_userid, root_save_sec_context); ++ + table_close(rel, NoLock); + + /* If this is the top-level index, we're done */ +@@ -1084,6 +1096,17 @@ DefineIndex(Oid relationId, + return address; + } + ++ /* ++ * Roll back any GUC changes executed by index functions, and keep ++ * subsequent changes local to this command. It's barely possible that ++ * some index function changed a behavior-affecting GUC, e.g. 
xmloption, ++ * that affects subsequent steps. This improves bug-compatibility with ++ * older PostgreSQL versions. They did the AtEOXact_GUC() here for the ++ * purpose of clearing the above default_tablespace change. ++ */ ++ AtEOXact_GUC(false, root_save_nestlevel); ++ root_save_nestlevel = NewGUCNestLevel(); ++ + /* Add any requested comment */ + if (stmt->idxcomment != NULL) + CreateComments(indexRelationId, RelationRelationId, 0, +@@ -1130,6 +1153,9 @@ DefineIndex(Oid relationId, + { + Oid childRelid = part_oids[i]; + Relation childrel; ++ Oid child_save_userid; ++ int child_save_sec_context; ++ int child_save_nestlevel; + List *childidxs; + ListCell *cell; + AttrNumber *attmap; +@@ -1138,6 +1164,12 @@ DefineIndex(Oid relationId, + + childrel = table_open(childRelid, lockmode); + ++ GetUserIdAndSecContext(&child_save_userid, ++ &child_save_sec_context); ++ SetUserIdAndSecContext(childrel->rd_rel->relowner, ++ child_save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ child_save_nestlevel = NewGUCNestLevel(); ++ + /* + * Don't try to create indexes on foreign tables, though. Skip + * those if a regular index, or fail if trying to create a +@@ -1153,6 +1185,9 @@ DefineIndex(Oid relationId, + errdetail("Table \"%s\" contains partitions that are foreign tables.", + RelationGetRelationName(rel)))); + ++ AtEOXact_GUC(false, child_save_nestlevel); ++ SetUserIdAndSecContext(child_save_userid, ++ child_save_sec_context); + table_close(childrel, lockmode); + continue; + } +@@ -1226,6 +1261,9 @@ DefineIndex(Oid relationId, + } + + list_free(childidxs); ++ AtEOXact_GUC(false, child_save_nestlevel); ++ SetUserIdAndSecContext(child_save_userid, ++ child_save_sec_context); + table_close(childrel, NoLock); + + /* +@@ -1280,12 +1318,21 @@ DefineIndex(Oid relationId, + if (found_whole_row) + elog(ERROR, "cannot convert whole-row table reference"); + ++ /* ++ * Recurse as the starting user ID. Callee will use that ++ * for permission checks, then switch again. 
++ */ ++ Assert(GetUserId() == child_save_userid); ++ SetUserIdAndSecContext(root_save_userid, ++ root_save_sec_context); + DefineIndex(childRelid, childStmt, + InvalidOid, /* no predefined OID */ + indexRelationId, /* this is our child */ + createdConstraintId, + is_alter_table, check_rights, check_not_in_use, + skip_build, quiet); ++ SetUserIdAndSecContext(child_save_userid, ++ child_save_sec_context); + } + + pgstat_progress_update_param(PROGRESS_CREATEIDX_PARTITIONS_DONE, +@@ -1322,12 +1369,17 @@ DefineIndex(Oid relationId, + * Indexes on partitioned tables are not themselves built, so we're + * done here. + */ ++ AtEOXact_GUC(false, root_save_nestlevel); ++ SetUserIdAndSecContext(root_save_userid, root_save_sec_context); + table_close(rel, NoLock); + if (!OidIsValid(parentIndexId)) + pgstat_progress_end_command(); + return address; + } + ++ AtEOXact_GUC(false, root_save_nestlevel); ++ SetUserIdAndSecContext(root_save_userid, root_save_sec_context); ++ + if (!concurrent) + { + /* Close the heap and we're done, in the non-concurrent case */ +@@ -3040,6 +3092,9 @@ ReindexRelationConcurrently(Oid relationOid, int options) + Oid newIndexId; + Relation indexRel; + Relation heapRel; ++ Oid save_userid; ++ int save_sec_context; ++ int save_nestlevel; + Relation newIndexRel; + LockRelId *lockrelid; + +@@ -3047,6 +3102,16 @@ ReindexRelationConcurrently(Oid relationOid, int options) + heapRel = table_open(indexRel->rd_index->indrelid, + ShareUpdateExclusiveLock); + ++ /* ++ * Switch to the table owner's userid, so that any index functions are ++ * run as that user. Also lock down security-restricted operations ++ * and arrange to make GUC variable changes local to this command. ++ */ ++ GetUserIdAndSecContext(&save_userid, &save_sec_context); ++ SetUserIdAndSecContext(heapRel->rd_rel->relowner, ++ save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ save_nestlevel = NewGUCNestLevel(); ++ + /* This function shouldn't be called for temporary relations. 
*/ + if (indexRel->rd_rel->relpersistence == RELPERSISTENCE_TEMP) + elog(ERROR, "cannot reindex a temporary table concurrently"); +@@ -3101,6 +3166,13 @@ ReindexRelationConcurrently(Oid relationOid, int options) + + index_close(indexRel, NoLock); + index_close(newIndexRel, NoLock); ++ ++ /* Roll back any GUC changes executed by index functions */ ++ AtEOXact_GUC(false, save_nestlevel); ++ ++ /* Restore userid and security context */ ++ SetUserIdAndSecContext(save_userid, save_sec_context); ++ + table_close(heapRel, NoLock); + } + +diff --git a/src/backend/commands/matview.c b/src/backend/commands/matview.c +index 80e9ec0..e485661 100644 +--- a/src/backend/commands/matview.c ++++ b/src/backend/commands/matview.c +@@ -167,6 +167,17 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString, + lockmode, 0, + RangeVarCallbackOwnsTable, NULL); + matviewRel = table_open(matviewOid, NoLock); ++ relowner = matviewRel->rd_rel->relowner; ++ ++ /* ++ * Switch to the owner's userid, so that any functions are run as that ++ * user. Also lock down security-restricted operations and arrange to ++ * make GUC variable changes local to this command. ++ */ ++ GetUserIdAndSecContext(&save_userid, &save_sec_context); ++ SetUserIdAndSecContext(relowner, ++ save_sec_context | SECURITY_RESTRICTED_OPERATION); ++ save_nestlevel = NewGUCNestLevel(); + + /* Make sure it is a materialized view. */ + if (matviewRel->rd_rel->relkind != RELKIND_MATVIEW) +@@ -268,19 +279,6 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString, + */ + SetMatViewPopulatedState(matviewRel, !stmt->skipData); + +- relowner = matviewRel->rd_rel->relowner; +- +- /* +- * Switch to the owner's userid, so that any functions are run as that +- * user. Also arrange to make GUC variable changes local to this command. +- * Don't lock it down too tight to create a temporary table just yet. We +- * will switch modes when we are about to execute user code. 
+- */ +- GetUserIdAndSecContext(&save_userid, &save_sec_context); +- SetUserIdAndSecContext(relowner, +- save_sec_context | SECURITY_LOCAL_USERID_CHANGE); +- save_nestlevel = NewGUCNestLevel(); +- + /* Concurrent refresh builds new data in temp tablespace, and does diff. */ + if (concurrent) + { +@@ -303,12 +301,6 @@ ExecRefreshMatView(RefreshMatViewStmt *stmt, const char *queryString, + LockRelationOid(OIDNewHeap, AccessExclusiveLock); + dest = CreateTransientRelDestReceiver(OIDNewHeap); + +- /* +- * Now lock down security-restricted operations. +- */ +- SetUserIdAndSecContext(relowner, +- save_sec_context | SECURITY_RESTRICTED_OPERATION); +- + /* Generate the data, if wanted. */ + if (!stmt->skipData) + processed = refresh_matview_datafill(dest, dataQuery, queryString); +diff --git a/src/backend/utils/init/miscinit.c b/src/backend/utils/init/miscinit.c +index de554e2..c9f858e 100644 +--- a/src/backend/utils/init/miscinit.c ++++ b/src/backend/utils/init/miscinit.c +@@ -455,15 +455,21 @@ GetAuthenticatedUserId(void) + * with guc.c's internal state, so SET ROLE has to be disallowed. + * + * SECURITY_RESTRICTED_OPERATION indicates that we are inside an operation +- * that does not wish to trust called user-defined functions at all. This +- * bit prevents not only SET ROLE, but various other changes of session state +- * that normally is unprotected but might possibly be used to subvert the +- * calling session later. An example is replacing an existing prepared +- * statement with new code, which will then be executed with the outer +- * session's permissions when the prepared statement is next used. Since +- * these restrictions are fairly draconian, we apply them only in contexts +- * where the called functions are really supposed to be side-effect-free +- * anyway, such as VACUUM/ANALYZE/REINDEX. ++ * that does not wish to trust called user-defined functions at all. The ++ * policy is to use this before operations, e.g. 
autovacuum and REINDEX, that ++ * enumerate relations of a database or schema and run functions associated ++ * with each found relation. The relation owner is the new user ID. Set this ++ * as soon as possible after locking the relation. Restore the old user ID as ++ * late as possible before closing the relation; restoring it shortly after ++ * close is also tolerable. If a command has both relation-enumerating and ++ * non-enumerating modes, e.g. ANALYZE, both modes set this bit. This bit ++ * prevents not only SET ROLE, but various other changes of session state that ++ * normally is unprotected but might possibly be used to subvert the calling ++ * session later. An example is replacing an existing prepared statement with ++ * new code, which will then be executed with the outer session's permissions ++ * when the prepared statement is next used. These restrictions are fairly ++ * draconian, but the functions called in relation-enumerating operations are ++ * really supposed to be side-effect-free anyway. + * + * SECURITY_NOFORCE_RLS indicates that we are inside an operation which should + * ignore the FORCE ROW LEVEL SECURITY per-table indication. 
This is used to +diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out +index 186d2fb..0f0c1b3 100644 +--- a/src/test/regress/expected/privileges.out ++++ b/src/test/regress/expected/privileges.out +@@ -1336,6 +1336,61 @@ SELECT has_table_privilege('regress_priv_user1', 'atest4', 'SELECT WITH GRANT OP + -- security-restricted operations + \c - + CREATE ROLE regress_sro_user; ++-- Check that index expressions and predicates are run as the table's owner ++-- A dummy index function checking current_user ++CREATE FUNCTION sro_ifun(int) RETURNS int AS $$ ++BEGIN ++ -- Below we set the table's owner to regress_sro_user ++ ASSERT current_user = 'regress_sro_user', ++ format('sro_ifun(%s) called by %s', $1, current_user); ++ RETURN $1; ++END; ++$$ LANGUAGE plpgsql IMMUTABLE; ++-- Create a table owned by regress_sro_user ++CREATE TABLE sro_tab (a int); ++ALTER TABLE sro_tab OWNER TO regress_sro_user; ++INSERT INTO sro_tab VALUES (1), (2), (3); ++-- Create an expression index with a predicate ++CREATE INDEX sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))) ++ WHERE sro_ifun(a + 10) > sro_ifun(10); ++DROP INDEX sro_idx; ++-- Do the same concurrently ++CREATE INDEX CONCURRENTLY sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))) ++ WHERE sro_ifun(a + 10) > sro_ifun(10); ++-- REINDEX ++REINDEX TABLE sro_tab; ++REINDEX INDEX sro_idx; ++REINDEX TABLE CONCURRENTLY sro_tab; ++DROP INDEX sro_idx; ++-- CLUSTER ++CREATE INDEX sro_cluster_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))); ++CLUSTER sro_tab USING sro_cluster_idx; ++DROP INDEX sro_cluster_idx; ++-- BRIN index ++CREATE INDEX sro_brin ON sro_tab USING brin ((sro_ifun(a) + sro_ifun(0))); ++SELECT brin_desummarize_range('sro_brin', 0); ++ brin_desummarize_range ++------------------------ ++ ++(1 row) ++ ++SELECT brin_summarize_range('sro_brin', 0); ++ brin_summarize_range ++---------------------- ++ 1 ++(1 row) ++ ++DROP TABLE sro_tab; ++-- Check with a partitioned table ++CREATE TABLE 
sro_ptab (a int) PARTITION BY RANGE (a); ++ALTER TABLE sro_ptab OWNER TO regress_sro_user; ++CREATE TABLE sro_part PARTITION OF sro_ptab FOR VALUES FROM (1) TO (10); ++ALTER TABLE sro_part OWNER TO regress_sro_user; ++INSERT INTO sro_ptab VALUES (1), (2), (3); ++CREATE INDEX sro_pidx ON sro_ptab ((sro_ifun(a) + sro_ifun(0))) ++ WHERE sro_ifun(a + 10) > sro_ifun(10); ++REINDEX TABLE sro_ptab; ++REINDEX INDEX CONCURRENTLY sro_pidx; + SET SESSION AUTHORIZATION regress_sro_user; + CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS + 'GRANT regress_priv_group2 TO regress_sro_user'; +@@ -1373,6 +1428,22 @@ CONTEXT: SQL function "unwanted_grant" statement 1 + SQL statement "SELECT unwanted_grant()" + PL/pgSQL function sro_trojan() line 1 at PERFORM + SQL function "mv_action" statement 1 ++-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions() ++SET SESSION AUTHORIZATION regress_sro_user; ++CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int ++ IMMUTABLE LANGUAGE plpgsql AS $$ ++BEGIN ++ PERFORM unwanted_grant(); ++ RAISE WARNING 'owned'; ++ RETURN 1; ++EXCEPTION WHEN OTHERS THEN ++ RETURN 2; ++END$$; ++CREATE MATERIALIZED VIEW sro_index_mv AS SELECT 1 AS c; ++CREATE UNIQUE INDEX ON sro_index_mv (c) WHERE unwanted_grant_nofail(1) > 0; ++\c - ++REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv; ++REFRESH MATERIALIZED VIEW sro_index_mv; + DROP OWNED BY regress_sro_user; + DROP ROLE regress_sro_user; + -- Admin options +diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql +index 34fbf0e..c0b88a6 100644 +--- a/src/test/regress/sql/privileges.sql ++++ b/src/test/regress/sql/privileges.sql +@@ -826,6 +826,53 @@ SELECT has_table_privilege('regress_priv_user1', 'atest4', 'SELECT WITH GRANT OP + \c - + CREATE ROLE regress_sro_user; + ++-- Check that index expressions and predicates are run as the table's owner ++ ++-- A dummy index function checking current_user ++CREATE FUNCTION sro_ifun(int) RETURNS int AS $$ 
++BEGIN ++ -- Below we set the table's owner to regress_sro_user ++ ASSERT current_user = 'regress_sro_user', ++ format('sro_ifun(%s) called by %s', $1, current_user); ++ RETURN $1; ++END; ++$$ LANGUAGE plpgsql IMMUTABLE; ++-- Create a table owned by regress_sro_user ++CREATE TABLE sro_tab (a int); ++ALTER TABLE sro_tab OWNER TO regress_sro_user; ++INSERT INTO sro_tab VALUES (1), (2), (3); ++-- Create an expression index with a predicate ++CREATE INDEX sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))) ++ WHERE sro_ifun(a + 10) > sro_ifun(10); ++DROP INDEX sro_idx; ++-- Do the same concurrently ++CREATE INDEX CONCURRENTLY sro_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))) ++ WHERE sro_ifun(a + 10) > sro_ifun(10); ++-- REINDEX ++REINDEX TABLE sro_tab; ++REINDEX INDEX sro_idx; ++REINDEX TABLE CONCURRENTLY sro_tab; ++DROP INDEX sro_idx; ++-- CLUSTER ++CREATE INDEX sro_cluster_idx ON sro_tab ((sro_ifun(a) + sro_ifun(0))); ++CLUSTER sro_tab USING sro_cluster_idx; ++DROP INDEX sro_cluster_idx; ++-- BRIN index ++CREATE INDEX sro_brin ON sro_tab USING brin ((sro_ifun(a) + sro_ifun(0))); ++SELECT brin_desummarize_range('sro_brin', 0); ++SELECT brin_summarize_range('sro_brin', 0); ++DROP TABLE sro_tab; ++-- Check with a partitioned table ++CREATE TABLE sro_ptab (a int) PARTITION BY RANGE (a); ++ALTER TABLE sro_ptab OWNER TO regress_sro_user; ++CREATE TABLE sro_part PARTITION OF sro_ptab FOR VALUES FROM (1) TO (10); ++ALTER TABLE sro_part OWNER TO regress_sro_user; ++INSERT INTO sro_ptab VALUES (1), (2), (3); ++CREATE INDEX sro_pidx ON sro_ptab ((sro_ifun(a) + sro_ifun(0))) ++ WHERE sro_ifun(a + 10) > sro_ifun(10); ++REINDEX TABLE sro_ptab; ++REINDEX INDEX CONCURRENTLY sro_pidx; ++ + SET SESSION AUTHORIZATION regress_sro_user; + CREATE FUNCTION unwanted_grant() RETURNS void LANGUAGE sql AS + 'GRANT regress_priv_group2 TO regress_sro_user'; +@@ -852,6 +899,23 @@ REFRESH MATERIALIZED VIEW sro_mv; + REFRESH MATERIALIZED VIEW sro_mv; + BEGIN; SET CONSTRAINTS ALL IMMEDIATE; REFRESH 
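Review bot: `sro_ifun` checks its caller with PL/pgSQL `ASSERT`, which is evaluated only while `plpgsql.check_asserts` is enabled, so on a test server with that setting off every CREATE INDEX, REINDEX, CLUSTER and BRIN statement in this block passes without verifying `current_user`. An unconditional check keeps the test meaningful regardless of configuration: `IF current_user <> 'regress_sro_user' THEN RAISE EXCEPTION 'sro_ifun(%) called by %', $1, current_user; END IF;`. The same function body is echoed in expected/privileges.out and would need the matching edit.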
MATERIALIZED VIEW sro_mv; COMMIT; + ++-- REFRESH MATERIALIZED VIEW CONCURRENTLY use of eval_const_expressions() ++SET SESSION AUTHORIZATION regress_sro_user; ++CREATE FUNCTION unwanted_grant_nofail(int) RETURNS int ++ IMMUTABLE LANGUAGE plpgsql AS $$ ++BEGIN ++ PERFORM unwanted_grant(); ++ RAISE WARNING 'owned'; ++ RETURN 1; ++EXCEPTION WHEN OTHERS THEN ++ RETURN 2; ++END$$; ++CREATE MATERIALIZED VIEW sro_index_mv AS SELECT 1 AS c; ++CREATE UNIQUE INDEX ON sro_index_mv (c) WHERE unwanted_grant_nofail(1) > 0; ++\c - ++REFRESH MATERIALIZED VIEW CONCURRENTLY sro_index_mv; ++REFRESH MATERIALIZED VIEW sro_index_mv; ++ + DROP OWNED BY regress_sro_user; + DROP ROLE regress_sro_user; + +-- +2.25.1 + diff --git a/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch new file mode 100644 index 0000000000..6417d8a2b7 --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/CVE-2022-2625.patch 
@@ -0,0 +1,904 @@ +From 84375c1db25ef650902cf80712495fc514b0ff63 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Thu, 13 Oct 2022 10:35:32 +0530 +Subject: [PATCH] CVE-2022-2625 + +Upstream-Status: Backport [https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5579726bd60a6e7afb04a3548bced348cd5ffd89] +CVE: CVE-2022-2625 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + doc/src/sgml/extend.sgml | 11 -- + src/backend/catalog/pg_collation.c | 49 ++++-- + src/backend/catalog/pg_depend.c | 74 ++++++++- + src/backend/catalog/pg_operator.c | 2 +- + src/backend/catalog/pg_type.c | 7 +- + src/backend/commands/createas.c | 18 ++- + src/backend/commands/foreigncmds.c | 19 ++- + src/backend/commands/schemacmds.c | 25 ++- + src/backend/commands/sequence.c | 8 + + src/backend/commands/statscmds.c | 4 + + src/backend/commands/view.c | 16 +- + src/backend/parser/parse_utilcmd.c | 10 ++ + src/include/catalog/dependency.h | 2 + + src/test/modules/test_extensions/Makefile | 5 +- + .../expected/test_extensions.out | 153 ++++++++++++++++++ + .../test_extensions/sql/test_extensions.sql | 110 +++++++++++++ + .../test_ext_cine--1.0--1.1.sql | 26 +++ + .../test_extensions/test_ext_cine--1.0.sql | 25 +++ + .../test_extensions/test_ext_cine.control | 3 + + .../test_extensions/test_ext_cor--1.0.sql | 20 +++ + .../test_extensions/test_ext_cor.control | 3 + + 21 files changed, 540 insertions(+), 50 deletions(-) + create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql + create mode 100644 src/test/modules/test_extensions/test_ext_cine--1.0.sql + create mode 100644 src/test/modules/test_extensions/test_ext_cine.control + create mode 100644 src/test/modules/test_extensions/test_ext_cor--1.0.sql + create mode 100644 src/test/modules/test_extensions/test_ext_cor.control + +diff --git a/doc/src/sgml/extend.sgml b/doc/src/sgml/extend.sgml +index 53f2638..bcc7a80 100644 +--- a/doc/src/sgml/extend.sgml ++++ 
b/doc/src/sgml/extend.sgml +@@ -1109,17 +1109,6 @@ SELECT * FROM pg_extension_update_paths('<replaceable>extension_name</replaceabl + <varname>search_path</varname>. However, no mechanism currently exists + to require that. + </para> +- +- <para> +- Do <emphasis>not</emphasis> use <command>CREATE OR REPLACE +- FUNCTION</command>, except in an update script that must change the +- definition of a function that is known to be an extension member +- already. (Likewise for other <literal>OR REPLACE</literal> options.) +- Using <literal>OR REPLACE</literal> unnecessarily not only has a risk +- of accidentally overwriting someone else's function, but it creates a +- security hazard since the overwritten function would still be owned by +- its original owner, who could modify it. +- </para> + </sect3> + </sect2> + +diff --git a/src/backend/catalog/pg_collation.c b/src/backend/catalog/pg_collation.c +index dd99d53..ba4c3ef 100644 +--- a/src/backend/catalog/pg_collation.c ++++ b/src/backend/catalog/pg_collation.c +@@ -78,15 +78,25 @@ CollationCreate(const char *collname, Oid collnamespace, + * friendlier error message. The unique index provides a backstop against + * race conditions. + */ +- if (SearchSysCacheExists3(COLLNAMEENCNSP, +- PointerGetDatum(collname), +- Int32GetDatum(collencoding), +- ObjectIdGetDatum(collnamespace))) ++ oid = GetSysCacheOid3(COLLNAMEENCNSP, ++ Anum_pg_collation_oid, ++ PointerGetDatum(collname), ++ Int32GetDatum(collencoding), ++ ObjectIdGetDatum(collnamespace)); ++ if (OidIsValid(oid)) + { + if (quiet) + return InvalidOid; + else if (if_not_exists) + { ++ /* ++ * If we are in an extension script, insist that the pre-existing ++ * object be a member of the extension, to avoid security risks. 
++ */ ++ ObjectAddressSet(myself, CollationRelationId, oid); ++ checkMembershipInCurrentExtension(&myself); ++ ++ /* OK to skip */ + ereport(NOTICE, + (errcode(ERRCODE_DUPLICATE_OBJECT), + collencoding == -1 +@@ -116,16 +126,19 @@ CollationCreate(const char *collname, Oid collnamespace, + * so we take a ShareRowExclusiveLock earlier, to protect against + * concurrent changes fooling this check. + */ +- if ((collencoding == -1 && +- SearchSysCacheExists3(COLLNAMEENCNSP, +- PointerGetDatum(collname), +- Int32GetDatum(GetDatabaseEncoding()), +- ObjectIdGetDatum(collnamespace))) || +- (collencoding != -1 && +- SearchSysCacheExists3(COLLNAMEENCNSP, +- PointerGetDatum(collname), +- Int32GetDatum(-1), +- ObjectIdGetDatum(collnamespace)))) ++ if (collencoding == -1) ++ oid = GetSysCacheOid3(COLLNAMEENCNSP, ++ Anum_pg_collation_oid, ++ PointerGetDatum(collname), ++ Int32GetDatum(GetDatabaseEncoding()), ++ ObjectIdGetDatum(collnamespace)); ++ else ++ oid = GetSysCacheOid3(COLLNAMEENCNSP, ++ Anum_pg_collation_oid, ++ PointerGetDatum(collname), ++ Int32GetDatum(-1), ++ ObjectIdGetDatum(collnamespace)); ++ if (OidIsValid(oid)) + { + if (quiet) + { +@@ -134,6 +147,14 @@ CollationCreate(const char *collname, Oid collnamespace, + } + else if (if_not_exists) + { ++ /* ++ * If we are in an extension script, insist that the pre-existing ++ * object be a member of the extension, to avoid security risks. 
++ */ ++ ObjectAddressSet(myself, CollationRelationId, oid); ++ checkMembershipInCurrentExtension(&myself); ++ ++ /* OK to skip */ + table_close(rel, NoLock); + ereport(NOTICE, + (errcode(ERRCODE_DUPLICATE_OBJECT), +diff --git a/src/backend/catalog/pg_depend.c b/src/backend/catalog/pg_depend.c +index 9ffadbb..71c7cef 100644 +--- a/src/backend/catalog/pg_depend.c ++++ b/src/backend/catalog/pg_depend.c +@@ -124,15 +124,23 @@ recordMultipleDependencies(const ObjectAddress *depender, + + /* + * If we are executing a CREATE EXTENSION operation, mark the given object +- * as being a member of the extension. Otherwise, do nothing. ++ * as being a member of the extension, or check that it already is one. ++ * Otherwise, do nothing. + * + * This must be called during creation of any user-definable object type + * that could be a member of an extension. + * +- * If isReplace is true, the object already existed (or might have already +- * existed), so we must check for a pre-existing extension membership entry. +- * Passing false is a guarantee that the object is newly created, and so +- * could not already be a member of any extension. ++ * isReplace must be true if the object already existed, and false if it is ++ * newly created. In the former case we insist that it already be a member ++ * of the current extension. In the latter case we can skip checking whether ++ * it is already a member of any extension. ++ * ++ * Note: isReplace = true is typically used when updating a object in ++ * CREATE OR REPLACE and similar commands. We used to allow the target ++ * object to not already be an extension member, instead silently absorbing ++ * it into the current extension. However, this was both error-prone ++ * (extensions might accidentally overwrite free-standing objects) and ++ * a security hazard (since the object would retain its previous ownership). 
+ */ + void + recordDependencyOnCurrentExtension(const ObjectAddress *object, +@@ -150,6 +158,12 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object, + { + Oid oldext; + ++ /* ++ * Side note: these catalog lookups are safe only because the ++ * object is a pre-existing one. In the not-isReplace case, the ++ * caller has most likely not yet done a CommandCounterIncrement ++ * that would make the new object visible. ++ */ + oldext = getExtensionOfObject(object->classId, object->objectId); + if (OidIsValid(oldext)) + { +@@ -163,6 +177,13 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object, + getObjectDescription(object), + get_extension_name(oldext)))); + } ++ /* It's a free-standing object, so reject */ ++ ereport(ERROR, ++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), ++ errmsg("%s is not a member of extension \"%s\"", ++ getObjectDescription(object), ++ get_extension_name(CurrentExtensionObject)), ++ errdetail("An extension is not allowed to replace an object that it does not own."))); + } + + /* OK, record it as a member of CurrentExtensionObject */ +@@ -174,6 +195,49 @@ recordDependencyOnCurrentExtension(const ObjectAddress *object, + } + } + ++/* ++ * If we are executing a CREATE EXTENSION operation, check that the given ++ * object is a member of the extension, and throw an error if it isn't. ++ * Otherwise, do nothing. ++ * ++ * This must be called whenever a CREATE IF NOT EXISTS operation (for an ++ * object type that can be an extension member) has found that an object of ++ * the desired name already exists. It is insecure for an extension to use ++ * IF NOT EXISTS except when the conflicting object is already an extension ++ * member; otherwise a hostile user could substitute an object with arbitrary ++ * properties. 
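Review bot: The rewritten header comment for recordDependencyOnCurrentExtension has a typo in the added note, "when updating a object"; the line should read `* Note: isReplace = true is typically used when updating an object in`. The function body begins after the last line of this hunk, so only the comment text is reviewed here.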
++ */ ++void ++checkMembershipInCurrentExtension(const ObjectAddress *object) ++{ ++ /* ++ * This is actually the same condition tested in ++ * recordDependencyOnCurrentExtension; but we want to issue a ++ * differently-worded error, and anyway it would be pretty confusing to ++ * call recordDependencyOnCurrentExtension in these circumstances. ++ */ ++ ++ /* Only whole objects can be extension members */ ++ Assert(object->objectSubId == 0); ++ ++ if (creating_extension) ++ { ++ Oid oldext; ++ ++ oldext = getExtensionOfObject(object->classId, object->objectId); ++ /* If already a member of this extension, OK */ ++ if (oldext == CurrentExtensionObject) ++ return; ++ /* Else complain */ ++ ereport(ERROR, ++ (errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE), ++ errmsg("%s is not a member of extension \"%s\"", ++ getObjectDescription(object), ++ get_extension_name(CurrentExtensionObject)), ++ errdetail("An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns."))); ++ } ++} ++ + /* + * deleteDependencyRecordsFor -- delete all records with given depender + * classId/objectId. Returns the number of records deleted. +diff --git a/src/backend/catalog/pg_operator.c b/src/backend/catalog/pg_operator.c +index bcaa26c..84784e6 100644 +--- a/src/backend/catalog/pg_operator.c ++++ b/src/backend/catalog/pg_operator.c +@@ -867,7 +867,7 @@ makeOperatorDependencies(HeapTuple tuple, bool isUpdate) + oper->oprowner); + + /* Dependency on extension */ +- recordDependencyOnCurrentExtension(&myself, true); ++ recordDependencyOnCurrentExtension(&myself, isUpdate); + + return myself; + } +diff --git a/src/backend/catalog/pg_type.c b/src/backend/catalog/pg_type.c +index 2a51501..3ff017f 100644 +--- a/src/backend/catalog/pg_type.c ++++ b/src/backend/catalog/pg_type.c +@@ -528,10 +528,9 @@ TypeCreate(Oid newTypeOid, + * If rebuild is true, we remove existing dependencies and rebuild them + * from scratch. 
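Review bot: In checkMembershipInCurrentExtension the single `ereport(ERROR, ...)` covers both a free-standing object and an object owned by a different extension, and in the second case the message never names the owner held in `oldext`. recordDependencyOnCurrentExtension reports `get_extension_name(oldext)` for that situation, so the two paths give unequal diagnostics for the same kind of conflict. Consider adding, inside the ereport, `OidIsValid(oldext) ? errhint("The object belongs to extension \"%s\".", get_extension_name(oldext)) : 0`. As this file is a backport, the change is best proposed upstream first so the patch stays identical to the referenced commit.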
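Review bot: After this change `makeOperatorDependencies` skips the extension-membership check whenever a caller passes `isUpdate` as false, so the safety of the call now rests on every caller passing true for a pg_operator row that already existed, shell operators included. The callers are outside this hunk; the expected output for `operator <<@@(point,polygon)` in test_extensions.out indicates the shell case is covered, but nothing at the call site states the requirement. I would document it there: `/* isUpdate must be true for any pre-existing row, including a shell operator; false bypasses the membership check */`.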
This is needed for ALTER TYPE, and also when replacing + * a shell type. We don't remove an existing extension dependency, though. +- * (That means an extension can't absorb a shell type created in another +- * extension, nor ALTER a type created by another extension. Also, if it +- * replaces a free-standing shell type or ALTERs a free-standing type, +- * that type will become a member of the extension.) ++ * That means an extension can't absorb a shell type that is free-standing ++ * or belongs to another extension, nor ALTER a type that is free-standing or ++ * belongs to another extension. + */ + void + GenerateTypeDependencies(Oid typeObjectId, +diff --git a/src/backend/commands/createas.c b/src/backend/commands/createas.c +index 4c1d909..a68d945 100644 +--- a/src/backend/commands/createas.c ++++ b/src/backend/commands/createas.c +@@ -243,15 +243,27 @@ ExecCreateTableAs(CreateTableAsStmt *stmt, const char *queryString, + if (stmt->if_not_exists) + { + Oid nspid; ++ Oid oldrelid; + +- nspid = RangeVarGetCreationNamespace(stmt->into->rel); ++ nspid = RangeVarGetCreationNamespace(into->rel); + +- if (get_relname_relid(stmt->into->rel->relname, nspid)) ++ oldrelid = get_relname_relid(into->rel->relname, nspid); ++ if (OidIsValid(oldrelid)) + { ++ /* ++ * The relation exists and IF NOT EXISTS has been specified. ++ * ++ * If we are in an extension script, insist that the pre-existing ++ * object be a member of the extension, to avoid security risks. 
++ */ ++ ObjectAddressSet(address, RelationRelationId, oldrelid); ++ checkMembershipInCurrentExtension(&address); ++ ++ /* OK to skip */ + ereport(NOTICE, + (errcode(ERRCODE_DUPLICATE_TABLE), + errmsg("relation \"%s\" already exists, skipping", +- stmt->into->rel->relname))); ++ into->rel->relname))); + return InvalidObjectAddress; + } + } +diff --git a/src/backend/commands/foreigncmds.c b/src/backend/commands/foreigncmds.c +index d7bc6e3..bc583c6 100644 +--- a/src/backend/commands/foreigncmds.c ++++ b/src/backend/commands/foreigncmds.c +@@ -887,13 +887,22 @@ CreateForeignServer(CreateForeignServerStmt *stmt) + ownerId = GetUserId(); + + /* +- * Check that there is no other foreign server by this name. Do nothing if +- * IF NOT EXISTS was enforced. ++ * Check that there is no other foreign server by this name. If there is ++ * one, do nothing if IF NOT EXISTS was specified. + */ +- if (GetForeignServerByName(stmt->servername, true) != NULL) ++ srvId = get_foreign_server_oid(stmt->servername, true); ++ if (OidIsValid(srvId)) + { + if (stmt->if_not_exists) + { ++ /* ++ * If we are in an extension script, insist that the pre-existing ++ * object be a member of the extension, to avoid security risks. ++ */ ++ ObjectAddressSet(myself, ForeignServerRelationId, srvId); ++ checkMembershipInCurrentExtension(&myself); ++ ++ /* OK to skip */ + ereport(NOTICE, + (errcode(ERRCODE_DUPLICATE_OBJECT), + errmsg("server \"%s\" already exists, skipping", +@@ -1182,6 +1191,10 @@ CreateUserMapping(CreateUserMappingStmt *stmt) + { + if (stmt->if_not_exists) + { ++ /* ++ * Since user mappings aren't members of extensions (see comments ++ * below), no need for checkMembershipInCurrentExtension here. 
++ */ + ereport(NOTICE, + (errcode(ERRCODE_DUPLICATE_OBJECT), + errmsg("user mapping for \"%s\" already exists for server \"%s\", skipping", +diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c +index 6cf94a3..6bc4edc 100644 +--- a/src/backend/commands/schemacmds.c ++++ b/src/backend/commands/schemacmds.c +@@ -113,14 +113,25 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString, + * the permissions checks, but since CREATE TABLE IF NOT EXISTS makes its + * creation-permission check first, we do likewise. + */ +- if (stmt->if_not_exists && +- SearchSysCacheExists1(NAMESPACENAME, PointerGetDatum(schemaName))) ++ if (stmt->if_not_exists) + { +- ereport(NOTICE, +- (errcode(ERRCODE_DUPLICATE_SCHEMA), +- errmsg("schema \"%s\" already exists, skipping", +- schemaName))); +- return InvalidOid; ++ namespaceId = get_namespace_oid(schemaName, true); ++ if (OidIsValid(namespaceId)) ++ { ++ /* ++ * If we are in an extension script, insist that the pre-existing ++ * object be a member of the extension, to avoid security risks. ++ */ ++ ObjectAddressSet(address, NamespaceRelationId, namespaceId); ++ checkMembershipInCurrentExtension(&address); ++ ++ /* OK to skip */ ++ ereport(NOTICE, ++ (errcode(ERRCODE_DUPLICATE_SCHEMA), ++ errmsg("schema \"%s\" already exists, skipping", ++ schemaName))); ++ return InvalidOid; ++ } + } + + /* +diff --git a/src/backend/commands/sequence.c b/src/backend/commands/sequence.c +index 0960b33..0577184 100644 +--- a/src/backend/commands/sequence.c ++++ b/src/backend/commands/sequence.c +@@ -149,6 +149,14 @@ DefineSequence(ParseState *pstate, CreateSeqStmt *seq) + RangeVarGetAndCheckCreationNamespace(seq->sequence, NoLock, &seqoid); + if (OidIsValid(seqoid)) + { ++ /* ++ * If we are in an extension script, insist that the pre-existing ++ * object be a member of the extension, to avoid security risks. 
++ */ ++ ObjectAddressSet(address, RelationRelationId, seqoid); ++ checkMembershipInCurrentExtension(&address); ++ ++ /* OK to skip */ + ereport(NOTICE, + (errcode(ERRCODE_DUPLICATE_TABLE), + errmsg("relation \"%s\" already exists, skipping", +diff --git a/src/backend/commands/statscmds.c b/src/backend/commands/statscmds.c +index 5678d31..409cf28 100644 +--- a/src/backend/commands/statscmds.c ++++ b/src/backend/commands/statscmds.c +@@ -173,6 +173,10 @@ CreateStatistics(CreateStatsStmt *stmt) + { + if (stmt->if_not_exists) + { ++ /* ++ * Since stats objects aren't members of extensions (see comments ++ * below), no need for checkMembershipInCurrentExtension here. ++ */ + ereport(NOTICE, + (errcode(ERRCODE_DUPLICATE_OBJECT), + errmsg("statistics object \"%s\" already exists, skipping", +diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c +index 87ed453..dd7cc97 100644 +--- a/src/backend/commands/view.c ++++ b/src/backend/commands/view.c +@@ -205,7 +205,7 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace, + CommandCounterIncrement(); + + /* +- * Finally update the view options. ++ * Update the view's options. + * + * The new options list replaces the existing options list, even if + * it's empty. +@@ -218,8 +218,22 @@ DefineVirtualRelation(RangeVar *relation, List *tlist, bool replace, + /* EventTriggerAlterTableStart called by ProcessUtilitySlow */ + AlterTableInternal(viewOid, atcmds, true); + ++ /* ++ * There is very little to do here to update the view's dependencies. ++ * Most view-level dependency relationships, such as those on the ++ * owner, schema, and associated composite type, aren't changing. ++ * Because we don't allow changing type or collation of an existing ++ * view column, those dependencies of the existing columns don't ++ * change either, while the AT_AddColumnToView machinery took care of ++ * adding such dependencies for new view columns. 
The dependencies of ++ * the view's query could have changed arbitrarily, but that was dealt ++ * with inside StoreViewQuery. What remains is only to check that ++ * view replacement is allowed when we're creating an extension. ++ */ + ObjectAddressSet(address, RelationRelationId, viewOid); + ++ recordDependencyOnCurrentExtension(&address, true); ++ + /* + * Seems okay, so return the OID of the pre-existing view. + */ +diff --git a/src/backend/parser/parse_utilcmd.c b/src/backend/parser/parse_utilcmd.c +index 44aa38a..8f4d940 100644 +--- a/src/backend/parser/parse_utilcmd.c ++++ b/src/backend/parser/parse_utilcmd.c +@@ -206,6 +206,16 @@ transformCreateStmt(CreateStmt *stmt, const char *queryString) + */ + if (stmt->if_not_exists && OidIsValid(existing_relid)) + { ++ /* ++ * If we are in an extension script, insist that the pre-existing ++ * object be a member of the extension, to avoid security risks. ++ */ ++ ObjectAddress address; ++ ++ ObjectAddressSet(address, RelationRelationId, existing_relid); ++ checkMembershipInCurrentExtension(&address); ++ ++ /* OK to skip */ + ereport(NOTICE, + (errcode(ERRCODE_DUPLICATE_TABLE), + errmsg("relation \"%s\" already exists, skipping", +diff --git a/src/include/catalog/dependency.h b/src/include/catalog/dependency.h +index 8b1e3aa..27c7509 100644 +--- a/src/include/catalog/dependency.h ++++ b/src/include/catalog/dependency.h +@@ -201,6 +201,8 @@ extern void recordMultipleDependencies(const ObjectAddress *depender, + extern void recordDependencyOnCurrentExtension(const ObjectAddress *object, + bool isReplace); + ++extern void checkMembershipInCurrentExtension(const ObjectAddress *object); ++ + extern long deleteDependencyRecordsFor(Oid classId, Oid objectId, + bool skipExtensionDeps); + +diff --git a/src/test/modules/test_extensions/Makefile b/src/test/modules/test_extensions/Makefile +index d18108e..7428f15 100644 +--- a/src/test/modules/test_extensions/Makefile ++++ b/src/test/modules/test_extensions/Makefile +@@ -4,10 
+4,13 @@ MODULE = test_extensions + PGFILEDESC = "test_extensions - regression testing for EXTENSION support" + + EXTENSION = test_ext1 test_ext2 test_ext3 test_ext4 test_ext5 test_ext6 \ +- test_ext7 test_ext8 test_ext_cyclic1 test_ext_cyclic2 ++ test_ext7 test_ext8 test_ext_cine test_ext_cor \ ++ test_ext_cyclic1 test_ext_cyclic2 + DATA = test_ext1--1.0.sql test_ext2--1.0.sql test_ext3--1.0.sql \ + test_ext4--1.0.sql test_ext5--1.0.sql test_ext6--1.0.sql \ + test_ext7--1.0.sql test_ext7--1.0--2.0.sql test_ext8--1.0.sql \ ++ test_ext_cine--1.0.sql test_ext_cine--1.0--1.1.sql \ ++ test_ext_cor--1.0.sql \ + test_ext_cyclic1--1.0.sql test_ext_cyclic2--1.0.sql + + REGRESS = test_extensions test_extdepend +diff --git a/src/test/modules/test_extensions/expected/test_extensions.out b/src/test/modules/test_extensions/expected/test_extensions.out +index b5cbdfc..1e91640 100644 +--- a/src/test/modules/test_extensions/expected/test_extensions.out ++++ b/src/test/modules/test_extensions/expected/test_extensions.out +@@ -154,3 +154,156 @@ DROP TABLE test_ext4_tab; + DROP FUNCTION create_extension_with_temp_schema(); + RESET client_min_messages; + \unset SHOW_CONTEXT ++-- It's generally bad style to use CREATE OR REPLACE unnecessarily. ++-- Test what happens if an extension does it anyway. ++-- Replacing a shell type or operator is sort of like CREATE OR REPLACE; ++-- check that too. ++CREATE FUNCTION ext_cor_func() RETURNS text ++ AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql; ++CREATE EXTENSION test_ext_cor; -- fail ++ERROR: function ext_cor_func() is not a member of extension "test_ext_cor" ++DETAIL: An extension is not allowed to replace an object that it does not own. 
++SELECT ext_cor_func(); ++ ext_cor_func ++------------------------ ++ ext_cor_func: original ++(1 row) ++ ++DROP FUNCTION ext_cor_func(); ++CREATE VIEW ext_cor_view AS ++ SELECT 'ext_cor_view: original'::text AS col; ++CREATE EXTENSION test_ext_cor; -- fail ++ERROR: view ext_cor_view is not a member of extension "test_ext_cor" ++DETAIL: An extension is not allowed to replace an object that it does not own. ++SELECT ext_cor_func(); ++ERROR: function ext_cor_func() does not exist ++LINE 1: SELECT ext_cor_func(); ++ ^ ++HINT: No function matches the given name and argument types. You might need to add explicit type casts. ++SELECT * FROM ext_cor_view; ++ col ++------------------------ ++ ext_cor_view: original ++(1 row) ++ ++DROP VIEW ext_cor_view; ++CREATE TYPE test_ext_type; ++CREATE EXTENSION test_ext_cor; -- fail ++ERROR: type test_ext_type is not a member of extension "test_ext_cor" ++DETAIL: An extension is not allowed to replace an object that it does not own. ++DROP TYPE test_ext_type; ++-- this makes a shell "point <<@@ polygon" operator too ++CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt, ++ LEFTARG = polygon, RIGHTARG = point, ++ COMMUTATOR = <<@@ ); ++CREATE EXTENSION test_ext_cor; -- fail ++ERROR: operator <<@@(point,polygon) is not a member of extension "test_ext_cor" ++DETAIL: An extension is not allowed to replace an object that it does not own. ++DROP OPERATOR <<@@ (point, polygon); ++CREATE EXTENSION test_ext_cor; -- now it should work ++SELECT ext_cor_func(); ++ ext_cor_func ++------------------------------ ++ ext_cor_func: from extension ++(1 row) ++ ++SELECT * FROM ext_cor_view; ++ col ++------------------------------ ++ ext_cor_view: from extension ++(1 row) ++ ++SELECT 'x'::test_ext_type; ++ test_ext_type ++--------------- ++ x ++(1 row) ++ ++SELECT point(0,0) <<@@ polygon(circle(point(0,0),1)); ++ ?column? 
++---------- ++ t ++(1 row) ++ ++\dx+ test_ext_cor ++Objects in extension "test_ext_cor" ++ Object description ++------------------------------ ++ function ext_cor_func() ++ operator <<@@(point,polygon) ++ type test_ext_type ++ view ext_cor_view ++(4 rows) ++ ++-- ++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension ++-- to be doing, but let's at least plug the major security hole in it. ++-- ++CREATE COLLATION ext_cine_coll ++ ( LC_COLLATE = "C", LC_CTYPE = "C" ); ++CREATE EXTENSION test_ext_cine; -- fail ++ERROR: collation ext_cine_coll is not a member of extension "test_ext_cine" ++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. ++DROP COLLATION ext_cine_coll; ++CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1; ++CREATE EXTENSION test_ext_cine; -- fail ++ERROR: materialized view ext_cine_mv is not a member of extension "test_ext_cine" ++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. ++DROP MATERIALIZED VIEW ext_cine_mv; ++CREATE FOREIGN DATA WRAPPER dummy; ++CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy; ++CREATE EXTENSION test_ext_cine; -- fail ++ERROR: server ext_cine_srv is not a member of extension "test_ext_cine" ++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. ++DROP SERVER ext_cine_srv; ++CREATE SCHEMA ext_cine_schema; ++CREATE EXTENSION test_ext_cine; -- fail ++ERROR: schema ext_cine_schema is not a member of extension "test_ext_cine" ++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. 
++DROP SCHEMA ext_cine_schema; ++CREATE SEQUENCE ext_cine_seq; ++CREATE EXTENSION test_ext_cine; -- fail ++ERROR: sequence ext_cine_seq is not a member of extension "test_ext_cine" ++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. ++DROP SEQUENCE ext_cine_seq; ++CREATE TABLE ext_cine_tab1 (x int); ++CREATE EXTENSION test_ext_cine; -- fail ++ERROR: table ext_cine_tab1 is not a member of extension "test_ext_cine" ++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. ++DROP TABLE ext_cine_tab1; ++CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y; ++CREATE EXTENSION test_ext_cine; -- fail ++ERROR: table ext_cine_tab2 is not a member of extension "test_ext_cine" ++DETAIL: An extension may only use CREATE ... IF NOT EXISTS to skip object creation if the conflicting object is one that it already owns. ++DROP TABLE ext_cine_tab2; ++CREATE EXTENSION test_ext_cine; ++\dx+ test_ext_cine ++Objects in extension "test_ext_cine" ++ Object description ++----------------------------------- ++ collation ext_cine_coll ++ foreign-data wrapper ext_cine_fdw ++ materialized view ext_cine_mv ++ schema ext_cine_schema ++ sequence ext_cine_seq ++ server ext_cine_srv ++ table ext_cine_tab1 ++ table ext_cine_tab2 ++(8 rows) ++ ++ALTER EXTENSION test_ext_cine UPDATE TO '1.1'; ++\dx+ test_ext_cine ++Objects in extension "test_ext_cine" ++ Object description ++----------------------------------- ++ collation ext_cine_coll ++ foreign-data wrapper ext_cine_fdw ++ materialized view ext_cine_mv ++ schema ext_cine_schema ++ sequence ext_cine_seq ++ server ext_cine_srv ++ table ext_cine_tab1 ++ table ext_cine_tab2 ++ table ext_cine_tab3 ++(9 rows) ++ +diff --git a/src/test/modules/test_extensions/sql/test_extensions.sql b/src/test/modules/test_extensions/sql/test_extensions.sql +index f505466..b3d4579 100644 +--- 
a/src/test/modules/test_extensions/sql/test_extensions.sql ++++ b/src/test/modules/test_extensions/sql/test_extensions.sql +@@ -93,3 +93,113 @@ DROP TABLE test_ext4_tab; + DROP FUNCTION create_extension_with_temp_schema(); + RESET client_min_messages; + \unset SHOW_CONTEXT ++ ++-- It's generally bad style to use CREATE OR REPLACE unnecessarily. ++-- Test what happens if an extension does it anyway. ++-- Replacing a shell type or operator is sort of like CREATE OR REPLACE; ++-- check that too. ++ ++CREATE FUNCTION ext_cor_func() RETURNS text ++ AS $$ SELECT 'ext_cor_func: original'::text $$ LANGUAGE sql; ++ ++CREATE EXTENSION test_ext_cor; -- fail ++ ++SELECT ext_cor_func(); ++ ++DROP FUNCTION ext_cor_func(); ++ ++CREATE VIEW ext_cor_view AS ++ SELECT 'ext_cor_view: original'::text AS col; ++ ++CREATE EXTENSION test_ext_cor; -- fail ++ ++SELECT ext_cor_func(); ++ ++SELECT * FROM ext_cor_view; ++ ++DROP VIEW ext_cor_view; ++ ++CREATE TYPE test_ext_type; ++ ++CREATE EXTENSION test_ext_cor; -- fail ++ ++DROP TYPE test_ext_type; ++ ++-- this makes a shell "point <<@@ polygon" operator too ++CREATE OPERATOR @@>> ( PROCEDURE = poly_contain_pt, ++ LEFTARG = polygon, RIGHTARG = point, ++ COMMUTATOR = <<@@ ); ++ ++CREATE EXTENSION test_ext_cor; -- fail ++ ++DROP OPERATOR <<@@ (point, polygon); ++ ++CREATE EXTENSION test_ext_cor; -- now it should work ++ ++SELECT ext_cor_func(); ++ ++SELECT * FROM ext_cor_view; ++ ++SELECT 'x'::test_ext_type; ++ ++SELECT point(0,0) <<@@ polygon(circle(point(0,0),1)); ++ ++\dx+ test_ext_cor ++ ++-- ++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension ++-- to be doing, but let's at least plug the major security hole in it. 
++-- ++ ++CREATE COLLATION ext_cine_coll ++ ( LC_COLLATE = "C", LC_CTYPE = "C" ); ++ ++CREATE EXTENSION test_ext_cine; -- fail ++ ++DROP COLLATION ext_cine_coll; ++ ++CREATE MATERIALIZED VIEW ext_cine_mv AS SELECT 11 AS f1; ++ ++CREATE EXTENSION test_ext_cine; -- fail ++ ++DROP MATERIALIZED VIEW ext_cine_mv; ++ ++CREATE FOREIGN DATA WRAPPER dummy; ++ ++CREATE SERVER ext_cine_srv FOREIGN DATA WRAPPER dummy; ++ ++CREATE EXTENSION test_ext_cine; -- fail ++ ++DROP SERVER ext_cine_srv; ++ ++CREATE SCHEMA ext_cine_schema; ++ ++CREATE EXTENSION test_ext_cine; -- fail ++ ++DROP SCHEMA ext_cine_schema; ++ ++CREATE SEQUENCE ext_cine_seq; ++ ++CREATE EXTENSION test_ext_cine; -- fail ++ ++DROP SEQUENCE ext_cine_seq; ++ ++CREATE TABLE ext_cine_tab1 (x int); ++ ++CREATE EXTENSION test_ext_cine; -- fail ++ ++DROP TABLE ext_cine_tab1; ++ ++CREATE TABLE ext_cine_tab2 AS SELECT 42 AS y; ++ ++CREATE EXTENSION test_ext_cine; -- fail ++ ++DROP TABLE ext_cine_tab2; ++ ++CREATE EXTENSION test_ext_cine; ++ ++\dx+ test_ext_cine ++ ++ALTER EXTENSION test_ext_cine UPDATE TO '1.1'; ++ ++\dx+ test_ext_cine +diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql +new file mode 100644 +index 0000000..6dadfd2 +--- /dev/null ++++ b/src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql +@@ -0,0 +1,26 @@ ++/* src/test/modules/test_extensions/test_ext_cine--1.0--1.1.sql */ ++-- complain if script is sourced in psql, rather than via ALTER EXTENSION ++\echo Use "ALTER EXTENSION test_ext_cine UPDATE TO '1.1'" to load this file. \quit ++ ++-- ++-- These are the same commands as in the 1.0 script; we expect them ++-- to do nothing. 
++-- ++ ++CREATE COLLATION IF NOT EXISTS ext_cine_coll ++ ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" ); ++ ++CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1; ++ ++CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw; ++ ++CREATE SCHEMA IF NOT EXISTS ext_cine_schema; ++ ++CREATE SEQUENCE IF NOT EXISTS ext_cine_seq; ++ ++CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int); ++ ++CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y; ++ ++-- just to verify the script ran ++CREATE TABLE ext_cine_tab3 (z int); +diff --git a/src/test/modules/test_extensions/test_ext_cine--1.0.sql b/src/test/modules/test_extensions/test_ext_cine--1.0.sql +new file mode 100644 +index 0000000..01408ff +--- /dev/null ++++ b/src/test/modules/test_extensions/test_ext_cine--1.0.sql +@@ -0,0 +1,25 @@ ++/* src/test/modules/test_extensions/test_ext_cine--1.0.sql */ ++-- complain if script is sourced in psql, rather than via CREATE EXTENSION ++\echo Use "CREATE EXTENSION test_ext_cine" to load this file. \quit ++ ++-- ++-- CREATE IF NOT EXISTS is an entirely unsound thing for an extension ++-- to be doing, but let's at least plug the major security hole in it. 
++-- ++ ++CREATE COLLATION IF NOT EXISTS ext_cine_coll ++ ( LC_COLLATE = "POSIX", LC_CTYPE = "POSIX" ); ++ ++CREATE MATERIALIZED VIEW IF NOT EXISTS ext_cine_mv AS SELECT 42 AS f1; ++ ++CREATE FOREIGN DATA WRAPPER ext_cine_fdw; ++ ++CREATE SERVER IF NOT EXISTS ext_cine_srv FOREIGN DATA WRAPPER ext_cine_fdw; ++ ++CREATE SCHEMA IF NOT EXISTS ext_cine_schema; ++ ++CREATE SEQUENCE IF NOT EXISTS ext_cine_seq; ++ ++CREATE TABLE IF NOT EXISTS ext_cine_tab1 (x int); ++ ++CREATE TABLE IF NOT EXISTS ext_cine_tab2 AS SELECT 42 AS y; +diff --git a/src/test/modules/test_extensions/test_ext_cine.control b/src/test/modules/test_extensions/test_ext_cine.control +new file mode 100644 +index 0000000..ced713b +--- /dev/null ++++ b/src/test/modules/test_extensions/test_ext_cine.control +@@ -0,0 +1,3 @@ ++comment = 'Test extension using CREATE IF NOT EXISTS' ++default_version = '1.0' ++relocatable = true +diff --git a/src/test/modules/test_extensions/test_ext_cor--1.0.sql b/src/test/modules/test_extensions/test_ext_cor--1.0.sql +new file mode 100644 +index 0000000..2e8d89c +--- /dev/null ++++ b/src/test/modules/test_extensions/test_ext_cor--1.0.sql +@@ -0,0 +1,20 @@ ++/* src/test/modules/test_extensions/test_ext_cor--1.0.sql */ ++-- complain if script is sourced in psql, rather than via CREATE EXTENSION ++\echo Use "CREATE EXTENSION test_ext_cor" to load this file. \quit ++ ++-- It's generally bad style to use CREATE OR REPLACE unnecessarily. ++-- Test what happens if an extension does it anyway. ++ ++CREATE OR REPLACE FUNCTION ext_cor_func() RETURNS text ++ AS $$ SELECT 'ext_cor_func: from extension'::text $$ LANGUAGE sql; ++ ++CREATE OR REPLACE VIEW ext_cor_view AS ++ SELECT 'ext_cor_view: from extension'::text AS col; ++ ++-- These are for testing replacement of a shell type/operator, which works ++-- enough like an implicit OR REPLACE to be important to check. 
++ ++CREATE TYPE test_ext_type AS ENUM('x', 'y'); ++ ++CREATE OPERATOR <<@@ ( PROCEDURE = pt_contained_poly, ++ LEFTARG = point, RIGHTARG = polygon ); +diff --git a/src/test/modules/test_extensions/test_ext_cor.control b/src/test/modules/test_extensions/test_ext_cor.control +new file mode 100644 +index 0000000..0e972e5 +--- /dev/null ++++ b/src/test/modules/test_extensions/test_ext_cor.control +@@ -0,0 +1,3 @@ ++comment = 'Test extension using CREATE OR REPLACE' ++default_version = '1.0' ++relocatable = true +-- +2.25.1 + diff --git a/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch b/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch new file mode 100644 index 0000000000..92a3dcc710 --- /dev/null +++ b/meta-oe/recipes-dbs/postgresql/files/remove_duplicate.patch @@ -0,0 +1,38 @@ +Remove duplicate code for riscv + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- a/src/include/storage/s_lock.h ++++ b/src/include/storage/s_lock.h +@@ -341,30 +341,6 @@ tas(volatile slock_t *lock) + #endif /* HAVE_GCC__SYNC_INT32_TAS */ + #endif /* __arm__ || __arm || __aarch64__ || __aarch64 || __riscv */ + +- +-/* +- * RISC-V likewise uses __sync_lock_test_and_set(int *, int) if available. +- */ +-#if defined(__riscv) +-#ifdef HAVE_GCC__SYNC_INT32_TAS +-#define HAS_TEST_AND_SET +- +-#define TAS(lock) tas(lock) +- +-typedef int slock_t; +- +-static __inline__ int +-tas(volatile slock_t *lock) +-{ +- return __sync_lock_test_and_set(lock, 1); +-} +- +-#define S_UNLOCK(lock) __sync_lock_release(lock) +- +-#endif /* HAVE_GCC__SYNC_INT32_TAS */ +-#endif /* __riscv */ +- +- + /* S/390 and S/390x Linux (32- and 64-bit zSeries) */ + #if defined(__s390__) || defined(__s390x__) + #define HAS_TEST_AND_SET diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_12.7.bb b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb index 18ba2178f4..860e821b20 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_12.7.bb 
+++ b/meta-oe/recipes-dbs/postgresql/postgresql_12.9.bb @@ -6,6 +6,9 @@ SRC_URI += "\ file://not-check-libperl.patch \ file://0001-Add-support-for-RISC-V.patch \ file://0001-Improve-reproducibility.patch \ + file://remove_duplicate.patch \ + file://CVE-2022-1552.patch \ + file://CVE-2022-2625.patch \ " -SRC_URI[sha256sum] = "8490741f47c88edc8b6624af009ce19fda4dc9b31c4469ce2551d84075d5d995" +SRC_URI[sha256sum] = "89fda2de33ed04a98548e43f3ee5f15b882be17505d631fe0dd1a540a2b56dce" diff --git a/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb b/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb index b9038df81d..f971319915 100644 --- a/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb +++ b/meta-oe/recipes-dbs/rocksdb/rocksdb_git.bb @@ -10,7 +10,7 @@ SRCREV = "551a110918493a19d11243f53408b97485de1411" SRCBRANCH = "6.6.fb" PV = "6.6.4" -SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH} \ +SRC_URI = "git://github.com/facebook/${BPN}.git;branch=${SRCBRANCH};protocol=https \ file://0001-db-write_thread.cc-Initialize-state.patch \ file://0001-cmake-Add-check-for-atomic-support.patch \ " diff --git a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb index e874e4a5ea..87f9c23ebf 100644 --- a/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb +++ b/meta-oe/recipes-devtools/abseil-cpp/abseil-cpp_git.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=df52c6edb7adc22e533b2bacc3bd3915" PV = "20190808+git${SRCPV}" SRCREV = "aa844899c937bde5d2b24f276b59997e5b668bde" BRANCH = "lts_2019_08_08" -SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH} \ +SRC_URI = "git://github.com/abseil/abseil-cpp;branch=${BRANCH};protocol=https \ file://0001-Remove-maes-option-from-cross-compilation.patch \ file://0002-Add-forgotten-ABSL_HAVE_VDSO_SUPPORT-conditional.patch \ file://0003-Add-fPIC-option.patch \ 
diff --git a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb index fb6125e2a5..ef440471bf 100644 --- a/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb +++ b/meta-oe/recipes-devtools/android-tools/android-tools_5.1.1.r37.bb @@ -19,6 +19,7 @@ SRCREV_libhardware = "be55eb1f4d840c82ffaf7c47460df17ff5bc4d9b" SRCREV_libselinux = "07e9e1339ad1ba608acfba9dce2d0f474b252feb" SRCREV_build = "16e987def3d7d8f7d30805eb95cef69e52a87dbc" +SRCREV_FORMAT = "core_extras_libhardware_libselinux_build" SRC_URI = " \ git://${ANDROID_MIRROR}/platform/system/core;name=core;protocol=https;nobranch=1;destsuffix=git/system/core \ git://${ANDROID_MIRROR}/platform/system/extras;name=extras;protocol=https;nobranch=1;destsuffix=git/system/extras \ diff --git a/meta-oe/recipes-devtools/bootchart/bootchart_git.bb b/meta-oe/recipes-devtools/bootchart/bootchart_git.bb index 2b75eaac9d..79754050d0 100644 --- a/meta-oe/recipes-devtools/bootchart/bootchart_git.bb +++ b/meta-oe/recipes-devtools/bootchart/bootchart_git.bb @@ -8,7 +8,7 @@ PV = "1.17" PR = "r1" PE = "1" -SRC_URI = "git://gitorious.org/meego-developer-tools/bootchart.git;protocol=https \ +SRC_URI = "git://gitorious.org/meego-developer-tools/bootchart.git;protocol=https;branch=master \ file://0001-svg-add-rudimentary-support-for-ARM-cpuinfo.patch \ file://0002-svg-open-etc-os-release-and-use-PRETTY_NAME-for-the-.patch \ " diff --git a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb index daf262ed66..1e474225a2 100644 --- a/meta-oe/recipes-devtools/breakpad/breakpad_git.bb +++ b/meta-oe/recipes-devtools/breakpad/breakpad_git.bb 
@@ -26,11 +26,11 @@ SRCREV_protobuf = "cb6dd4ef5f82e41e06179dcd57d3b1d9246ad6ac" SRCREV_lss = "8048ece6c16c91acfe0d36d1d3cc0890ab6e945c" SRCREV_gyp = "324dd166b7c0b39d513026fa52d6280ac6d56770" -SRC_URI = "git://github.com/google/breakpad;name=breakpad \ - git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest \ - git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf \ - git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss \ - git://chromium.googlesource.com/external/gyp;protocol=https;destsuffix=git/src/tools/gyp;name=gyp \ +SRC_URI = "git://github.com/google/breakpad;name=breakpad;branch=main;protocol=https \ + git://github.com/google/googletest.git;destsuffix=git/src/testing/gtest;name=gtest;branch=main;protocol=https \ + git://github.com/google/protobuf.git;destsuffix=git/src/third_party/protobuf/protobuf;name=protobuf;branch=main;protocol=https \ + git://chromium.googlesource.com/linux-syscall-support;protocol=https;destsuffix=git/src/third_party/lss;name=lss;branch=main \ + git://chromium.googlesource.com/external/gyp;protocol=https;destsuffix=git/src/tools/gyp;name=gyp;branch=master \ file://0001-include-sys-reg.h-to-get-__WORDSIZE-on-musl-libc.patch \ file://0003-Fix-conflict-between-musl-libc-dirent.h-and-lss.patch \ file://0001-Turn-off-sign-compare-for-musl-libc.patch \ diff --git a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb index c6bab5ec2b..fa1751e566 100644 --- a/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb +++ b/meta-oe/recipes-devtools/capnproto/capnproto_0.7.0.bb 
@@ -5,7 +5,9 @@ SECTION = "console/tools" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://../LICENSE;md5=a05663ae6cca874123bf667a60dca8c9" -SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV}" +SRC_URI = "git://github.com/sandstorm-io/capnproto.git;branch=release-${PV};protocol=https \ + file://CVE-2022-46149.patch \ +" SRCREV = "3f44c6db0f0f6c0cab0633f15f15d0a2acd01d19" S = "${WORKDIR}/git/c++" diff --git a/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch new file mode 100644 index 0000000000..b6b1fa6514 --- /dev/null +++ b/meta-oe/recipes-devtools/capnproto/files/CVE-2022-46149.patch 
@@ -0,0 +1,49 @@ +From 25d34c67863fd960af34fc4f82a7ca3362ee74b9 Mon Sep 17 00:00:00 2001 +From: Kenton Varda <kenton@cloudflare.com> +Date: Wed, 23 Nov 2022 12:02:29 -0600 +Subject: [PATCH] Apply data offset for list-of-pointers at access time rather + than ListReader creation time. + +Baking this offset into `ptr` reduced ops needed at access time but made the interpretation of `ptr` inconsistent depending on what type of list was expected. + +CVE: CVE-2022-46149 +Upstream-Status: Backport [https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9] +Signed-off-by: Virendra Thakur <virendrak@kpit.com> +--- + c++/src/capnp/layout.c++ | 4 ---- + c++/src/capnp/layout.h | 6 +++++- + 2 files changed, 5 insertions(+), 5 deletions(-) + +Index: c++/src/capnp/layout.c++ +=================================================================== +--- c++.orig/src/capnp/layout.c++ ++++ c++/src/capnp/layout.c++ +@@ -2322,10 +2322,6 @@ struct WireHelpers { + break; + + case ElementSize::POINTER: +- // We expected a list of pointers but got a list of structs. Assuming the first field +- // in the struct is the pointer we were looking for, we want to munge the pointer to +- // point at the first element's pointer section. +- ptr += tag->structRef.dataSize.get(); + KJ_REQUIRE(tag->structRef.ptrCount.get() > ZERO * POINTERS, + "Expected a pointer list, but got a list of data-only structs.") { + goto useDefault; +Index: c++/src/capnp/layout.h +=================================================================== +--- c++.orig/src/capnp/layout.h ++++ c++/src/capnp/layout.h +@@ -1235,8 +1235,12 @@ inline Void ListReader::getDataElement<V + } + + inline PointerReader ListReader::getPointerElement(ElementCount index) const { ++ // If the list elements have data sections we need to skip those. 
Note that for pointers to be ++ // present at all (which already must be true if we get here), then `structDataSize` must be a ++ // whole number of words, so we don't have to worry about unaligned reads here. ++ auto offset = structDataSize / BITS_PER_BYTE; + return PointerReader(segment, capTable, reinterpret_cast<const WirePointer*>( +- ptr + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit); ++ ptr + offset + upgradeBound<uint64_t>(index) * step / BITS_PER_BYTE), nestingLimit); + } + + // ------------------------------------------------------------------- diff --git a/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb b/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb index e6174821ff..7af05acf9a 100644 --- a/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb +++ b/meta-oe/recipes-devtools/cjson/cjson_1.7.13.bb @@ -5,7 +5,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=218947f77e8cb8e2fa02918dc41c50d0" -SRC_URI = "git://github.com/DaveGamble/cJSON.git" +SRC_URI = "git://github.com/DaveGamble/cJSON.git;branch=master;protocol=https" SRCREV = "39853e5148dad8dc5d32ea2b00943cf4a0c6f120" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb b/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb index 8c6cf7db20..996314a758 100644 --- a/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb +++ b/meta-oe/recipes-devtools/concurrencykit/concurrencykit_git.bb @@ -10,7 +10,7 @@ SECTION = "base" PV = "0.5.1+git${SRCPV}" SRCREV = "f97d3da5c375ac2fc5a9173cdd36cb828915a2e1" LIC_FILES_CHKSUM = "file://LICENSE;md5=a0b24c1a8f9ad516a297d055b0294231" -SRC_URI = "git://github.com/concurrencykit/ck.git \ +SRC_URI = "git://github.com/concurrencykit/ck.git;branch=master;protocol=https \ file://cross.patch \ " diff --git a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb index 406494ebbc..d1b7134b83 100644 
--- a/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb +++ b/meta-oe/recipes-devtools/dnf-plugin-tui/dnf-plugin-tui_git.bb @@ -3,11 +3,11 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://github.com/ubinux/dnf-plugin-tui.git;branch=master " +SRC_URI = "git://github.com/ubinux/dnf-plugin-tui.git;branch=master;protocol=https" SRCREV = "c5416adeb210154dc4ccc4c3e1c5297d83ebd41e" PV = "1.1" -SRC_URI_append_class-target = "file://oe-remote.repo.sample" +SRC_URI_append_class-target = " file://oe-remote.repo.sample" inherit distutils3-base diff --git a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb index 7b8d47d8df..c4f3594f36 100644 --- a/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb +++ b/meta-oe/recipes-devtools/flatbuffers/flatbuffers_1.12.0.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=3b83ef96387f14655fc854ddc3c6bd57" SRCREV = "6df40a2471737b27271bdd9b900ab5f3aec746c7" -SRC_URI = "git://github.com/google/flatbuffers.git" +SRC_URI = "git://github.com/google/flatbuffers.git;branch=master;protocol=https" # affects only flatbuffers rust crate CVE_CHECK_WHITELIST += "CVE-2020-35864" @@ -24,12 +24,17 @@ BUILD_CXXFLAGS += "-std=c++11 -fPIC" # BUILD_TYPE=Release is required, otherwise flatc is not installed EXTRA_OECMAKE += "\ -DCMAKE_BUILD_TYPE=Release \ - -DFLATBUFFERS_BUILD_TESTS=OFF \ + -DFLATBUFFERS_BUILD_TESTS=OFF \ -DFLATBUFFERS_BUILD_SHAREDLIB=ON \ " inherit cmake +rm_flatc_cmaketarget_for_target() { + rm -f "${SYSROOT_DESTDIR}/${libdir}/cmake/flatbuffers/FlatcTargets.cmake" +} +SYSROOT_PREPROCESS_FUNCS:class-target += "rm_flatc_cmaketarget_for_target" + S = "${WORKDIR}/git" FILES_${PN}-compiler = "${bindir}" diff --git a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb index 752562eb33..8a055412f2 100644 
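Review bot: The added `SYSROOT_PREPROCESS_FUNCS:class-target += "rm_flatc_cmaketarget_for_target"` in flatbuffers_1.12.0.bb uses the colon override syntax, while the rest of the recipe and of this commit uses the underscore form (`FILES_${PN}-compiler`, `SRC_URI_append_class-target`). Whether this branch's bitbake parses the colon form is not visible here, so that should be confirmed. Separately, `+=` on an override-qualified name sets the override variant, which then replaces the base value instead of extending it, so any functions other classes already registered in `SYSROOT_PREPROCESS_FUNCS` would be dropped for target builds. I would write it as `SYSROOT_PREPROCESS_FUNCS_append_class-target = " rm_flatc_cmaketarget_for_target"`.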
--- a/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb +++ b/meta-oe/recipes-devtools/grpc/grpc_1.24.3.bb @@ -15,9 +15,10 @@ SRCREV_grpc = "2de2e8dd8921e1f7d043e01faf7fe8a291fbb072" SRCREV_upb = "9effcbcb27f0a665f9f345030188c0b291e32482" BRANCH = "v1.24.x" SRC_URI = "git://github.com/grpc/grpc.git;protocol=https;name=grpc;branch=${BRANCH} \ - git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb \ + git://github.com/protocolbuffers/upb;name=upb;destsuffix=git/third_party/upb;branch=main;protocol=https \ file://0001-CMakeLists.txt-Fix-libraries-installation-for-Linux.patch \ " +SRCREV_FORMAT = "grpc_upb" SRC_URI_append_class-target = " file://0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch \ " SRC_URI_append_class-nativesdk = " file://0001-CMakeLists.txt-Fix-grpc_cpp_plugin-path-during-cross.patch" @@ -62,6 +63,6 @@ do_configure_prepend_toolchain-clang_x86() { BBCLASSEXTEND = "native nativesdk" -SYSROOT_DIRS_BLACKLIST_append_class-target = "${baselib}/cmake/grpc" +SYSROOT_DIRS_BLACKLIST_append_class-target = " ${baselib}/cmake/grpc" FILES_${PN}-dev += "${bindir}" diff --git a/meta-oe/recipes-devtools/guider/guider_3.9.7.bb b/meta-oe/recipes-devtools/guider/guider_3.9.7.bb index 88fad936ba..cc81443d5d 100644 --- a/meta-oe/recipes-devtools/guider/guider_3.9.7.bb +++ b/meta-oe/recipes-devtools/guider/guider_3.9.7.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=2c1c00f9d3ed9e24fa69b932b7e7aff2" PV = "3.9.7+git${SRCPV}" -SRC_URI = "git://github.com/iipeace/${BPN}" +SRC_URI = "git://github.com/iipeace/${BPN};branch=master;protocol=https" SRCREV = "459b5189a46023fc98e19888b196bdc2674022fd" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb index 8a5db3da3c..629881f0cf 100644 --- a/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb +++ b/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb 
@@ -14,7 +14,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=fa2a23dd1dc6c139f35105379d76df2b" SRCREV = "d2e6a971f4544c55b8e3b25cf96db266971b778f" -SRC_URI = "git://github.com/open-source-parsers/jsoncpp" +SRC_URI = "git://github.com/open-source-parsers/jsoncpp;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb b/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb index ca9675ed64..e9672ea4dd 100644 --- a/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb +++ b/meta-oe/recipes-devtools/jsonrpc/jsonrpc_1.3.0.bb @@ -9,7 +9,7 @@ SECTION = "libs" DEPENDS = "curl jsoncpp libmicrohttpd hiredis" -SRC_URI = "git://github.com/cinemast/libjson-rpc-cpp" +SRC_URI = "git://github.com/cinemast/libjson-rpc-cpp;branch=master;protocol=https" SRCREV = "c696f6932113b81cd20cd4a34fdb1808e773f23e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb b/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb index 62d4df5e09..72f06ae44f 100644 --- a/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb +++ b/meta-oe/recipes-devtools/lapack/lapack_3.9.0.bb @@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=930f8aa500a47c7dab0f8efb5a1c9a40" DEPENDS = "libgfortran" SRCREV = "6acc99d5f39130be7cec00fb835606042101a970" -SRC_URI = "git://github.com/Reference-LAPACK/lapack.git;protocol=https" +SRC_URI = "git://github.com/Reference-LAPACK/lapack.git;protocol=https;branch=master" S = "${WORKDIR}/git" EXTRA_OECMAKE = " -DBUILD_SHARED_LIBS=ON " diff --git a/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb b/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb index b83e86a488..2dc3776e81 100644 --- a/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb +++ b/meta-oe/recipes-devtools/libsombok3/libsombok3_2.4.0.bb 
@@ -7,7 +7,7 @@ Cluster segmentation described in Annex #29 (UAX #29)." LICENSE = "Artistic-1.0 | GPLv1+" LIC_FILES_CHKSUM = "file://COPYING;md5=5b122a36d0f6dc55279a0ebc69f3c60b" -SRC_URI = "git://github.com/hatukanezumi/sombok.git;protocol=https \ +SRC_URI = "git://github.com/hatukanezumi/sombok.git;protocol=https;branch=master \ file://0001-configure.ac-fix-cross-compiling-issue.patch \ " diff --git a/meta-oe/recipes-devtools/libubox/libubox_git.bb b/meta-oe/recipes-devtools/libubox/libubox_git.bb index 7dbefa1152..18f26b009b 100644 --- a/meta-oe/recipes-devtools/libubox/libubox_git.bb +++ b/meta-oe/recipes-devtools/libubox/libubox_git.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "\ " SRC_URI = "\ - git://git.openwrt.org/project/libubox.git \ + git://git.openwrt.org/project/libubox.git;branch=master \ file://0001-version-libraries.patch \ file://fix-libdir.patch \ file://0001-blobmsg-fix-array-out-of-bounds-GCC-10-warning.patch \ diff --git a/meta-oe/recipes-devtools/ltrace/ltrace_git.bb b/meta-oe/recipes-devtools/ltrace/ltrace_git.bb index 5710943d74..339841acf3 100644 --- a/meta-oe/recipes-devtools/ltrace/ltrace_git.bb +++ b/meta-oe/recipes-devtools/ltrace/ltrace_git.bb @@ -14,7 +14,7 @@ PV = "7.91+git${SRCPV}" SRCREV = "c22d359433b333937ee3d803450dc41998115685" DEPENDS = "elfutils" -SRC_URI = "git://github.com/sparkleholic/ltrace.git;branch=master;protocol=http \ +SRC_URI = "git://github.com/sparkleholic/ltrace.git;branch=master;protocol=http;protocol=https \ file://configure-allow-to-disable-selinux-support.patch \ file://0001-replace-readdir_r-with-readdir.patch \ file://0001-Use-correct-enum-type.patch \ diff --git a/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch new file mode 100644 index 0000000000..606c9ea98c --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/0001-lua-fix-CVE-2022-28805.patch 
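Review bot: The libubox SRC_URI gains only `branch=master` and keeps the bare `git://git.openwrt.org/project/libubox.git` form, so this is one of the few recipes in the commit that still fetches over the unauthenticated git protocol. With no `protocol=` parameter the git fetcher falls back to that protocol, leaving the pinned revision as the only integrity check on the transfer. If the host serves the repository over HTTPS (to be confirmed), the line should read `git://git.openwrt.org/project/libubox.git;branch=master;protocol=https \`, like the other entries.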
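Review bot: The new ltrace SRC_URI carries two protocol parameters, `protocol=http;protocol=https`, because the old `protocol=http` was left in place when `protocol=https` was appended. Which of the two the fetcher honours depends on how it parses duplicate parameters, so the transport actually used is not obvious from the recipe and could silently be plain HTTP. Drop the stale one so the line reads `SRC_URI = "git://github.com/sparkleholic/ltrace.git;branch=master;protocol=https \`.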
@@ -0,0 +1,73 @@ +From a38684e4cb4e1439e5f2f7370724496d5b363b32 Mon Sep 17 00:00:00 2001 +From: Steve Sakoman <steve@sakoman.com> +Date: Mon, 18 Apr 2022 09:04:08 -1000 +Subject: [PATCH] lua: fix CVE-2022-28805 + +singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2anyregup +call, leading to a heap-based buffer over-read that might affect a system that +compiles untrusted Lua code. + +https://nvd.nist.gov/vuln/detail/CVE-2022-28805 + +(From OE-Core rev: d2ba3b8850d461bc7b773240cdf15b22b31a3f9e) + +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> +Signed-off-by: Steve Sakoman <steve@sakoman.com> +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +(cherry picked from commit 91e14d3a8e6e67267047473f5c449f266b44f354) +Signed-off-by: Omkar Patil <omkar.patil@kpit.com> +--- + .../lua/lua/CVE-2022-28805.patch | 28 +++++++++++++++++++ + meta-oe/recipes-devtools/lua/lua_5.3.6.bb | 1 + + 2 files changed, 29 insertions(+) + create mode 100644 meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch + +diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch +new file mode 100644 +index 000000000..0a21d1ce7 +--- /dev/null ++++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch +@@ -0,0 +1,28 @@ ++From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 ++From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> ++Date: Tue, 15 Feb 2022 12:28:46 -0300 ++Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> ++ ++CVE: CVE-2022-28805 ++ ++Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] ++ ++Signed-off-by: Sana Kazi <sana.kazi@kpit.com> ++Signed-off-by: Steve Sakoman <steve@sakoman.com> ++--- ++ src/lparser.c | 1 + ++ 1 files changed, 1 insertions(+) ++ ++diff --git a/src/lparser.c b/src/lparser.c ++index 3abe3d751..a5cd55257 100644 ++--- a/src/lparser.c +++++ b/src/lparser.c ++@@ -300,6 +300,7 @@ ++ 
expdesc key; ++ singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ ++ lua_assert(var->k != VVOID); /* this one must exist */ +++ luaK_exp2anyregup(fs, var); /* but could be a constant */ ++ codestring(ls, &key, varname); /* key is variable name */ ++ luaK_indexed(fs, var, &key); /* env[varname] */ ++ } ++ +diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +index 342ed1b54..0137cc3c5 100644 +--- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb ++++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +@@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ + file://CVE-2020-15888.patch \ + file://CVE-2020-15945.patch \ + file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ ++ file://CVE-2022-28805.patch \ + " + + # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release. +-- +2.17.1 + diff --git a/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch new file mode 100644 index 0000000000..0a21d1ce77 --- /dev/null +++ b/meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch 
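Review bot: The new file `lua/0001-lua-fix-CVE-2022-28805.patch` is not a patch against the Lua sources. Its body is a format-patch of a layer commit whose diff targets `meta-oe/recipes-devtools/lua/lua/CVE-2022-28805.patch` and `lua_5.3.6.bb`. The recipe hunk later in this commit adds only `file://CVE-2022-28805.patch` to SRC_URI, so this file is never applied and merely repeats the real patch one level deeper. It looks like a stray artifact of cherry-picking and should be dropped from the commit. Leaving it in the files directory invites someone to later list it in SRC_URI, where it would fail to apply.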
@@ -0,0 +1,28 @@ +From 1f3c6f4534c6411313361697d98d1145a1f030fa Mon Sep 17 00:00:00 2001 +From: Roberto Ierusalimschy <roberto@inf.puc-rio.br> +Date: Tue, 15 Feb 2022 12:28:46 -0300 +Subject: [PATCH] Bug: Lua can generate wrong code when _ENV is <const> + +CVE: CVE-2022-28805 + +Upstream-Status: Backport [https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa] + +Signed-off-by: Sana Kazi <sana.kazi@kpit.com> +Signed-off-by: Steve Sakoman <steve@sakoman.com> +--- + src/lparser.c | 1 + + 1 files changed, 1 insertions(+) + +diff --git a/src/lparser.c b/src/lparser.c +index 3abe3d751..a5cd55257 100644 +--- a/src/lparser.c ++++ b/src/lparser.c +@@ -300,6 +300,7 @@ + expdesc key; + singlevaraux(fs, ls->envn, var, 1); /* get environment variable */ + lua_assert(var->k != VVOID); /* this one must exist */ ++ luaK_exp2anyregup(fs, var); /* but could be a constant */ + codestring(ls, &key, varname); /* key is variable name */ + luaK_indexed(fs, var, &key); /* env[varname] */ + } + diff --git a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb index 342ed1b547..d46d402aa3 100644 --- a/meta-oe/recipes-devtools/lua/lua_5.3.6.bb +++ b/meta-oe/recipes-devtools/lua/lua_5.3.6.bb @@ -10,6 +10,7 @@ SRC_URI = "http://www.lua.org/ftp/lua-${PV}.tar.gz;name=tarballsrc \ file://CVE-2020-15888.patch \ file://CVE-2020-15945.patch \ file://0001-Fixed-bug-barriers-cannot-be-active-during-sweep.patch \ + file://CVE-2022-28805.patch \ " # if no test suite matches PV release of Lua exactly, download the suite for the closest Lua release. @@ -31,7 +32,7 @@ PACKAGECONFIG ??= "readline" PACKAGECONFIG[readline] = ",,readline" UCLIBC_PATCHES += "file://uclibc-pthread.patch" -SRC_URI_append_libc-uclibc = "${UCLIBC_PATCHES}" +SRC_URI_append_libc-uclibc = " ${UCLIBC_PATCHES}" TARGET_CC_ARCH += " -fPIC ${LDFLAGS}" EXTRA_OEMAKE = "'CC=${CC} -fPIC' 'MYCFLAGS=${CFLAGS} -fPIC' MYLDFLAGS='${LDFLAGS}'" 
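Review bot: The patch header does not record why this backport applies to Lua 5.3.6. The upstream subject is "Lua can generate wrong code when _ENV is <const>", and `<const>` is a Lua 5.4 attribute, so it is not obvious from the header that the 5.3 parser can reach the over-read. If the affected path was confirmed on 5.3.6, say so in the header, for example `Comment: confirmed singlevar in 5.3.6 needs the luaK_exp2anyregup call`; if it was not, that should be checked before carrying the patch. The inner hunk header `@@ -300,6 +300,7 @@` names no function, so the enclosing function (singlevar) is known only from the commit message.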
diff --git a/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb b/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb index 1bee9fe0b9..83f6aa0f42 100644 --- a/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb +++ b/meta-oe/recipes-devtools/luaposix/luaposix_33.4.0.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7dd2aad04bb7ca212e69127ba8d58f9f" DEPENDS += "lua-native lua" -SRC_URI = "git://github.com/luaposix/luaposix.git;branch=release \ +SRC_URI = "git://github.com/luaposix/luaposix.git;branch=release;protocol=https \ file://0001-fix-avoid-race-condition-between-test-and-mkdir.patch \ " SRCREV = "8e4902ed81c922ed8f76a7ed85be1eaa3fd7e66d" diff --git a/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb b/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb index d410dc6e0a..90b55ad2df 100644 --- a/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb +++ b/meta-oe/recipes-devtools/msgpack/msgpack-c_3.2.1.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://NOTICE;md5=7a858c074723608e08614061dc044352 \ PV .= "+git${SRCPV}" -SRC_URI = "git://github.com/msgpack/msgpack-c \ +SRC_URI = "git://github.com/msgpack/msgpack-c;branch=master;protocol=https \ " # cpp-3.2.1 SRCREV = "8085ab8721090a447cf98bb802d1406ad7afe420" diff --git a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb index 21d110aeea..5b1e2dfbf7 100644 --- a/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb +++ b/meta-oe/recipes-devtools/nanopb/nanopb_0.4.0.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f" DEPENDS = "protobuf-native" -SRC_URI = "git://github.com/nanopb/nanopb.git" +SRC_URI = "git://github.com/nanopb/nanopb.git;branch=master;protocol=https" SRCREV = "70f0de9877b1ce12abc0229d5df84db6349fcbfc" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb b/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb index a97eb53c1d..62fdecf6ff 100644 
--- a/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb +++ b/meta-oe/recipes-devtools/nlohmann-fifo/nlohmann-fifo_git.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.MIT;md5=b67209a1e36b682a8226de19d265b1e0" -SRC_URI = "git://github.com/nlohmann/fifo_map.git" +SRC_URI = "git://github.com/nlohmann/fifo_map.git;branch=master;protocol=https" PV = "1.0.0+git${SRCPV}" diff --git a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb index 5766194d26..2749f44978 100644 --- a/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb +++ b/meta-oe/recipes-devtools/nlohmann-json/nlohmann-json_3.7.3.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.MIT;md5=f5f7c71504da070bcf4f090205ce1080" -SRC_URI = "git://github.com/nlohmann/json.git;nobranch=1 \ +SRC_URI = "git://github.com/nlohmann/json.git;nobranch=1;protocol=https \ file://0001-Templatize-basic_json-ctor-from-json_ref.patch \ file://0001-typo-fix.patch \ " diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb index b9e3821776..8dbdd088e9 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_12.21.0.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_12.22.12.bb @@ -1,7 +1,7 @@ DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" HOMEPAGE = "http://nodejs.org" LICENSE = "MIT & BSD & Artistic-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=8c66ff8861d9f96076a7cb61e3d75f54" +LIC_FILES_CHKSUM = "file://LICENSE;md5=93997aa7a45ba0f25f9c61aaab153ab8" DEPENDS = "openssl" DEPENDS_append_class-target = " nodejs-native" 
@@ -26,7 +26,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ SRC_URI_append_class-target = " \ file://0002-Using-native-binaries.patch \ " -SRC_URI[sha256sum] = "052f37ace6f569b513b5a1154b2a45d3c4d8b07d7d7c807b79f1566db61e979d" +SRC_URI[sha256sum] = "bc42b7f8495b9bfc7f7850dd180bb02a5bdf139cc232b8c6f02a6967e20714f2" S = "${WORKDIR}/node-v${PV}" diff --git a/meta-oe/recipes-devtools/openocd/openocd_git.bb b/meta-oe/recipes-devtools/openocd/openocd_git.bb index e95f1cfa54..9ff23d17af 100644 --- a/meta-oe/recipes-devtools/openocd/openocd_git.bb +++ b/meta-oe/recipes-devtools/openocd/openocd_git.bb @@ -5,10 +5,10 @@ DEPENDS = "libusb-compat libftdi" RDEPENDS_${PN} = "libusb1" SRC_URI = " \ - git://repo.or.cz/openocd.git;protocol=http;name=openocd \ - git://repo.or.cz/r/git2cl.git;protocol=http;destsuffix=tools/git2cl;name=git2cl \ - git://repo.or.cz/r/jimtcl.git;protocol=http;destsuffix=git/jimtcl;name=jimtcl \ - git://repo.or.cz/r/libjaylink.git;protocol=http;destsuffix=git/src/jtag/drivers/libjaylink;name=libjaylink \ + git://repo.or.cz/openocd.git;protocol=http;name=openocd;branch=master \ + git://repo.or.cz/r/git2cl.git;protocol=http;destsuffix=tools/git2cl;name=git2cl;branch=master \ + git://repo.or.cz/r/jimtcl.git;protocol=http;destsuffix=git/jimtcl;name=jimtcl;branch=master \ + git://repo.or.cz/r/libjaylink.git;protocol=http;destsuffix=git/src/jtag/drivers/libjaylink;name=libjaylink;branch=master \ file://0001-Do-not-include-syscrtl.h-with-glibc.patch \ " diff --git a/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb b/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb index 107d5a8b72..84f6c3ce24 100644 --- a/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb +++ b/meta-oe/recipes-devtools/pcimem/pcimem_2.0.bb 
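Review bot: All four `repo.or.cz` entries in the openocd `SRC_URI` gain `branch=master` but keep `protocol=http`, so these clones still travel over plaintext HTTP and can be altered in transit. The revisions they are pinned to are not visible in this hunk. If the host serves the same paths over TLS (to be confirmed), switch them in the same edit, e.g. `git://repo.or.cz/openocd.git;protocol=https;name=openocd;branch=master \`, and likewise for git2cl, jimtcl and libjaylink.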
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=b234ee4d69f5fce4486a80fdaf4a4263" COMPATIBLE_HOST = "(x86_64|aarch64|arm)" SRCREV = "09724edb1783a98da2b7ae53c5aaa87493aabc9b" -SRC_URI = "git://github.com/billfarrow/pcimem.git " +SRC_URI = "git://github.com/billfarrow/pcimem.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb b/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb index c812ae1374..03812e901b 100644 --- a/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb +++ b/meta-oe/recipes-devtools/perl/ipc-run_20180523.0.bb @@ -9,7 +9,7 @@ LICENSE = "Artistic-1.0 | GPL-1.0+" LIC_FILES_CHKSUM = "file://LICENSE;md5=0ebd37caf53781e8b7223e6b99b63f4e" DEPENDS = "perl" -SRC_URI = "git://github.com/toddr/IPC-Run.git" +SRC_URI = "git://github.com/toddr/IPC-Run.git;branch=master;protocol=https" SRCREV = "0b409702490729eeb97ae65f5b94d949ec083134" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb b/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb index 049dc665dd..760c0ad0a5 100644 --- a/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb +++ b/meta-oe/recipes-devtools/perl/libdbd-mysql-perl_4.050.bb @@ -15,7 +15,7 @@ DEPENDS += "libdev-checklib-perl-native libdbi-perl-native libmysqlclient" LIC_FILES_CHKSUM = "file://LICENSE;md5=d0a06964340e5c0cde88b7af611f755c" SRCREV = "9b5b70ea372f49fe9bc9e592dae3870596d1e3d6" -SRC_URI = "git://github.com/perl5-dbi/DBD-mysql.git;protocol=https" +SRC_URI = "git://github.com/perl5-dbi/DBD-mysql.git;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb b/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb index 4e5a8a6ff2..29bc99e141 100644 --- a/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb +++ b/meta-oe/recipes-devtools/perl/libjson-perl_4.02000.bb 
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://README;beginline=1171;endline=1176;md5=3be2cb8159d094 DEPENDS += "perl" -SRC_URI = "git://github.com/makamaka/JSON.git;protocol=https" +SRC_URI = "git://github.com/makamaka/JSON.git;protocol=https;branch=master" SRCREV = "42a6324df654e92419512cee80c0b49155d9e56d" diff --git a/meta-oe/recipes-devtools/php/php_7.4.21.bb b/meta-oe/recipes-devtools/php/php_7.4.33.bb index c7c00ac30e..caaaa23426 100644 --- a/meta-oe/recipes-devtools/php/php_7.4.21.bb +++ b/meta-oe/recipes-devtools/php/php_7.4.33.bb @@ -33,7 +33,7 @@ SRC_URI_append_class-target = " \ " S = "${WORKDIR}/php-${PV}" -SRC_URI[sha256sum] = "36ec6102e757e2c2b7742057a700bbff77c76fa0ccbe9c860398c3d24e32822a" +SRC_URI[sha256sum] = "4e8117458fe5a475bf203128726b71bcbba61c42ad463dffadee5667a198a98a" inherit autotools pkgconfig python3native gettext diff --git a/meta-oe/recipes-devtools/ply/ply_git.bb b/meta-oe/recipes-devtools/ply/ply_git.bb index 7d693b36da..bf789488d7 100644 --- a/meta-oe/recipes-devtools/ply/ply_git.bb +++ b/meta-oe/recipes-devtools/ply/ply_git.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" DEPENDS += "bison-native" -SRC_URI = "git://github.com/iovisor/ply" +SRC_URI = "git://github.com/iovisor/ply;branch=master;protocol=https" SRCREV = "aa5b9ac31307ec1acece818be334ef801c802a12" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/pmtools/pmtools_git.bb b/meta-oe/recipes-devtools/pmtools/pmtools_git.bb index 9afcbbb7f5..f605d2c90d 100644 --- a/meta-oe/recipes-devtools/pmtools/pmtools_git.bb +++ b/meta-oe/recipes-devtools/pmtools/pmtools_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3" PV = "20130209+git${SRCPV}" -SRC_URI = "git://github.com/anyc/pmtools.git \ +SRC_URI = "git://github.com/anyc/pmtools.git;branch=master;protocol=https \ file://pmtools-switch-to-dynamic-buffer-for-huge-ACPI-table.patch \ " SRCREV = "3ebe0e54c54061b4c627236cbe35d820de2e1168" 
diff --git a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb index ed8773443e..7bc1f23e70 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf-c_1.3.3.bb @@ -14,7 +14,7 @@ DEPENDS = "protobuf-native protobuf" SRCREV = "f20a3fa131c275a0e795d99a28f94b4dbbb5af26" -SRC_URI = "git://github.com/protobuf-c/protobuf-c.git \ +SRC_URI = "git://github.com/protobuf-c/protobuf-c.git;branch=master;protocol=https \ file://0001-avoid-race-condition.patch \ " diff --git a/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch new file mode 100644 index 0000000000..bb9594e968 --- /dev/null +++ b/meta-oe/recipes-devtools/protobuf/protobuf/CVE-2021-22570.patch 
@@ -0,0 +1,73 @@ +From f5ce0700d80c776186b0fb0414ef20966a3a6a03 Mon Sep 17 00:00:00 2001 +From: "Sana.Kazi" <Sana.Kazi@kpit.com> +Date: Wed, 23 Feb 2022 15:50:16 +0530 +Subject: [PATCH] protobuf: Fix CVE-2021-22570 + +CVE: CVE-2021-22570 +Upstream-Status: Backport [https://src.fedoraproject.org/rpms/protobuf/blob/394beeacb500861f76473d47e10314e6a3600810/f/CVE-2021-22570.patch] +Comment: Removed first and second hunk +Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com> + +--- + src/google/protobuf/descriptor.cc | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/src/google/protobuf/descriptor.cc b/src/google/protobuf/descriptor.cc +index 6835a3cde..1514ae531 100644 +--- a/src/google/protobuf/descriptor.cc ++++ b/src/google/protobuf/descriptor.cc +@@ -2603,6 +2603,8 @@ void Descriptor::DebugString(int depth, std::string* contents, + const Descriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start + 1) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end > FieldDescriptor::kMaxNumber) { ++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end - 1); +@@ -2815,6 +2817,8 @@ void EnumDescriptor::DebugString( + const EnumDescriptor::ReservedRange* range = reserved_range(i); + if (range->end == range->start) { + strings::SubstituteAndAppend(contents, "$0, ", range->start); ++ } else if (range->end == INT_MAX) { ++ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start); + } else { + strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start, + range->end); +@@ -4002,6 +4006,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + // Use its file as the parent instead. 
+ if (parent == nullptr) parent = file_; + ++ if (full_name.find('\0') != std::string::npos) { ++ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + full_name + "\" contains null character."); ++ return false; ++ } + if (tables_->AddSymbol(full_name, symbol)) { + if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) { + // This is only possible if there was already an error adding something of +@@ -4041,6 +4050,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name, + void DescriptorBuilder::AddPackage(const std::string& name, + const Message& proto, + const FileDescriptor* file) { ++ if (name.find('\0') != std::string::npos) { ++ AddError(name, proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + name + "\" contains null character."); ++ return; ++ } + if (tables_->AddSymbol(name, Symbol(file))) { + // Success. Also add parent package, if any. + std::string::size_type dot_pos = name.find_last_of('.'); +@@ -4354,6 +4368,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl( + } + result->pool_ = pool_; + ++ if (result->name().find('\0') != std::string::npos) { ++ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME, ++ "\"" + result->name() + "\" contains null character."); ++ return nullptr; ++ } ++ + // Add to tables. + if (!tables_->AddFile(result)) { + AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER, diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb index 4d6c5b2557..55d56ff08e 100644 --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb 
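Review bot: The header line `Comment: Removed first and second hunk` does not say which files those hunks touched or why they were dropped, so a later reviewer cannot tell whether the backport still covers everything the referenced Fedora patch fixes. Extend it, for example `Comment: hunks 1-2 of the Fedora patch (<files>) dropped because <reason>`. The `Upstream-Status` reference is also a distribution copy; naming the upstream protobuf commit, if one can be identified, would make the provenance checkable.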
@@ -12,11 +12,12 @@ DEPENDS_append_class-target = " protobuf-native" SRCREV = "d0bfd5221182da1a7cc280f3337b5e41a89539cf" -SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x \ +SRC_URI = "git://github.com/google/protobuf.git;branch=3.11.x;protocol=https \ file://run-ptest \ file://0001-protobuf-fix-configure-error.patch \ file://0001-Makefile.am-include-descriptor.cc-when-building-libp.patch \ file://0001-examples-Makefile-respect-CXX-LDFLAGS-variables-fix-.patch \ + file://CVE-2021-22570.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb index 5b5c8b2570..04ac93e92e 100644 --- a/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb +++ b/meta-oe/recipes-devtools/rapidjson/rapidjson_git.bb @@ -4,7 +4,7 @@ SECTION = "libs" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://license.txt;md5=ba04aa8f65de1396a7e59d1d746c2125" -SRC_URI = "git://github.com/miloyip/rapidjson.git;nobranch=1" +SRC_URI = "git://github.com/miloyip/rapidjson.git;nobranch=1;protocol=https" SRCREV = "0ccdbf364c577803e2a751f5aededce935314313" diff --git a/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb b/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb index cd5e0a4e5c..20cad69b53 100644 --- a/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb +++ b/meta-oe/recipes-devtools/serialcheck/serialcheck_1.0.0.bb @@ -3,7 +3,7 @@ HOMEPAGE = "http://git.breakpoint.cc/cgit/bigeasy/serialcheck.git/" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" -SRC_URI = "git://git.breakpoint.cc/bigeasy/serialcheck.git \ +SRC_URI = "git://git.breakpoint.cc/bigeasy/serialcheck.git;branch=master \ file://0001-Add-option-to-enable-internal-loopback.patch \ file://0002-Restore-original-loopback-config.patch \ file://0001-Makefile-Change-order-of-link-flags.patch \ 
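Review bot: The serialcheck URI gets `branch=master` but no `protocol=`, so the fetch stays on the unauthenticated, unencrypted git:// transport, unlike the GitHub recipes in this commit that move to `protocol=https`. The same applies to `tclap_1.2.2.bb` (`git.code.sf.net`) and `iotop_0.6.bb` (`repo.or.cz`) later in the commit. Where the host offers HTTPS (to be confirmed per host), add it, e.g. `git://git.breakpoint.cc/bigeasy/serialcheck.git;branch=master;protocol=https \`. Where it does not, the pinned revision is the only integrity check on the fetch and a short comment saying so would help.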
diff --git a/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb b/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb index 4a27e4b2a5..9d07405560 100644 --- a/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb +++ b/meta-oe/recipes-devtools/sqlite-orm/sqlite-orm_1.5.bb @@ -8,7 +8,7 @@ inherit cmake DEPENDS += "sqlite3" SRCREV = "e8a9e9416f421303f4b8970caab26dadf8bae98b" -SRC_URI = "git://github.com/fnc12/sqlite_orm;protocol=https" +SRC_URI = "git://github.com/fnc12/sqlite_orm;protocol=https;branch=master" S = "${WORKDIR}/git" EXTRA_OECMAKE += "-DSqliteOrm_BuildTests=OFF" diff --git a/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb b/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb index 46a9408031..3280dba49b 100644 --- a/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb +++ b/meta-oe/recipes-devtools/tclap/tclap_1.2.2.bb @@ -4,7 +4,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=0ca8b9c5c5445cfa7af7e78fd27e60ed" SRCREV = "75f440bcac1276c847f5351e14216f6e91def44d" -SRC_URI = "git://git.code.sf.net/p/tclap/code \ +SRC_URI = "git://git.code.sf.net/p/tclap/code;branch=master \ file://Makefile.am-disable-docs.patch \ " diff --git a/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb b/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb index c33fa048cf..a78eecfea3 100644 --- a/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb +++ b/meta-oe/recipes-devtools/uftrace/uftrace_0.9.4.bb @@ -12,7 +12,7 @@ inherit autotools # v0.9.4 SRCREV = "d648bbffedef529220896283fb59e35531c13804" -SRC_URI = "git://github.com/namhyung/${BPN} \ +SRC_URI = "git://github.com/namhyung/${BPN};branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/valijson/valijson_git.bb b/meta-oe/recipes-devtools/valijson/valijson_git.bb index c3254d16e7..5cff40752a 100644 --- a/meta-oe/recipes-devtools/valijson/valijson_git.bb +++ b/meta-oe/recipes-devtools/valijson/valijson_git.bb 
@@ -3,7 +3,7 @@ HOMEPAGE = "https://github.com/tristanpenman/valijson" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=015106c62262b2383f6c72063f0998f2" -SRC_URI = "git://github.com/tristanpenman/valijson.git" +SRC_URI = "git://github.com/tristanpenman/valijson.git;branch=master;protocol=https" PV = "0.1+git${SRCPV}" SRCREV = "c2f22fddf599d04dc33fcd7ed257c698a05345d9" diff --git a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb index 6c31b69817..34df701260 100644 --- a/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb +++ b/meta-oe/recipes-devtools/xmlrpc-c/xmlrpc-c_1.51.03.bb @@ -5,7 +5,7 @@ HOMEPAGE = "http://xmlrpc-c.sourceforge.net/" LICENSE = "BSD & MIT" LIC_FILES_CHKSUM = "file://doc/COPYING;md5=aefbf81ba0750f02176b6f86752ea951" -SRC_URI = "git://github.com/mirror/xmlrpc-c.git \ +SRC_URI = "git://github.com/mirror/xmlrpc-c.git;branch=master;protocol=https \ file://0001-test-cpp-server_abyss-Fix-build-with-clang-libc.patch \ file://0002-fix-formatting-issues.patch \ " diff --git a/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb b/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb index e112a5e30f..186f2c8ed0 100644 --- a/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb +++ b/meta-oe/recipes-devtools/yajl/yajl_1.0.12.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=da2e9aa80962d54e7c726f232a2bd1e8" # Use 1.0.12 tag SRCREV = "17b1790fb9c8abbb3c0f7e083864a6a014191d56" -SRC_URI = "git://github.com/lloyd/yajl;nobranch=1" +SRC_URI = "git://github.com/lloyd/yajl;nobranch=1;protocol=https" inherit cmake lib_package diff --git a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb index d9a5821cbb..cf8dbb183e 100644 --- a/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb +++ b/meta-oe/recipes-devtools/yajl/yajl_2.1.0.bb 
@@ -8,7 +8,7 @@ HOMEPAGE = "http://lloyd.github.com/yajl/" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://COPYING;md5=39af6eb42999852bdd3ea00ad120a36d" -SRC_URI = "git://github.com/lloyd/yajl" +SRC_URI = "git://github.com/lloyd/yajl;branch=master;protocol=https" SRCREV = "a0ecdde0c042b9256170f2f8890dd9451a4240aa" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-devtools/yasm/yasm_git.bb b/meta-oe/recipes-devtools/yasm/yasm_git.bb index 53856263f7..6aae29ad8c 100644 --- a/meta-oe/recipes-devtools/yasm/yasm_git.bb +++ b/meta-oe/recipes-devtools/yasm/yasm_git.bb @@ -9,7 +9,7 @@ DEPENDS += "flex-native bison-native xmlto-native" PV = "1.3.0+git${SRCPV}" # v1.3.0 SRCREV = "ba463d3c26c0ece2e797b8d6381b161633b5971a" -SRC_URI = "git://github.com/yasm/yasm.git" +SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch new file mode 100644 index 0000000000..c21794d147 --- /dev/null +++ b/meta-oe/recipes-extended/brotli/brotli/0001-brotli-fix-CVE-2020-8927.patch 
@@ -0,0 +1,44 @@ +From 95ab3786ce0f16e08e41f7bf216969a37dc86cad Mon Sep 17 00:00:00 2001 +From: Jan Kraemer <jan@spectrejan.de> +Date: Thu, 7 Oct 2021 12:48:04 +0200 +Subject: [PATCH] brotli: fix CVE-2020-8927 + +[No upstream tracking] -- + +This fixes a potential overflow when input chunk is >2GiB in +BrotliGetAvailableBits by capping the returned value to 2^30 + +Fixed in brotli version 1.0.8 +https://github.com/google/brotli as of commit id +223d80cfbec8fd346e32906c732c8ede21f0cea6 + +Patch taken from Debian Buster: 1.0.7-2+deb10u1 +http://deb.debian.org/debian/pool/main/b/brotli/brotli_1.0.7-2+deb10u1.dsc +https://security-tracker.debian.org/tracker/CVE-2020-8927 + + +Upstream-Status: Backported +CVE: CVE-2020-8927 + +Signed-off-by: Jan Kraemer <jan@spectrejan.de> +--- + c/dec/bit_reader.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/c/dec/bit_reader.h b/c/dec/bit_reader.h +index c06e914..0d20312 100644 +--- a/c/dec/bit_reader.h ++++ b/c/dec/bit_reader.h +@@ -87,8 +87,11 @@ static BROTLI_INLINE uint32_t BrotliGetAvailableBits( + } + + /* Returns amount of unread bytes the bit reader still has buffered from the +- BrotliInput, including whole bytes in br->val_. */ ++ BrotliInput, including whole bytes in br->val_. Result is capped with ++ maximal ring-buffer size (larger number won't be utilized anyway). */ + static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) { ++ static const size_t kCap = (size_t)1 << 30; ++ if (br->avail_in > kCap) return kCap; + return br->avail_in + (BrotliGetAvailableBits(br) >> 3); + } + diff --git a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb index 70dbcaffb1..77fef778a4 100644 --- a/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb +++ b/meta-oe/recipes-extended/brotli/brotli_1.0.7.bb 
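Review bot: `Upstream-Status: Backported` is not the tag the patch-header convention uses; the value is `Backport`, normally followed by the source in brackets. The `[No upstream tracking] --` line also contradicts the upstream commit id given a few lines below it. Suggest `Upstream-Status: Backport [https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6]` (URL formed from the repository and commit id already in the header) and deleting the `[No upstream tracking]` line. The description says the cap is applied in BrotliGetAvailableBits, while the change is in BrotliGetRemainingBytes; the wording should name the function that is actually modified.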
@@ -6,7 +6,9 @@ BUGTRACKER = "https://github.com/google/brotli/issues" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=941ee9cd1609382f946352712a319b4b" -SRC_URI = "git://github.com/google/brotli.git" +SRC_URI = "git://github.com/google/brotli.git;branch=master;protocol=https \ + file://0001-brotli-fix-CVE-2020-8927.patch \ + " # tag 1.0.7 SRCREV= "d6d98957ca8ccb1ef45922e978bb10efca0ea541" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb b/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb index 6c71d534be..388feb703b 100644 --- a/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb +++ b/meta-oe/recipes-extended/cmpi-bindings/cmpi-bindings_1.0.1.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b19ee058d2d5f69af45da98051d91064" SECTION = "Development/Libraries" DEPENDS = "swig-native python3 sblim-cmpi-devel" -SRC_URI = "git://github.com/kkaempf/cmpi-bindings.git;protocol=http \ +SRC_URI = "git://github.com/kkaempf/cmpi-bindings.git;protocol=http;branch=master;protocol=https \ file://cmpi-bindings-0.4.17-no-ruby-perl.patch \ file://cmpi-bindings-0.4.17-sblim-sigsegv.patch \ file://cmpi-bindings-0.9.5-python-lib-dir.patch \ diff --git a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb index 842652889c..2a045f5790 100644 --- a/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb +++ b/meta-oe/recipes-extended/dlt-daemon/dlt-daemon_2.18.7.bb @@ -14,7 +14,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8184208060df880fe3137b93eb88aeea" DEPENDS = "zlib gzip-native json-c" -SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https \ +SRC_URI = "git://github.com/GENIVI/${BPN}.git;protocol=https;branch=master \ file://0002-Don-t-execute-processes-as-a-specific-user.patch \ file://0004-Modify-systemd-config-directory.patch \ file://317.patch \ 
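Review bot: The new cmpi-bindings URI carries the `protocol` parameter twice, `protocol=http;branch=master;protocol=https`, so the transport depends on which occurrence the fetcher's parameter parsing keeps. That is presumably the last one, but the recipe should not rely on it. Drop the old value so the line reads `git://github.com/kkaempf/cmpi-bindings.git;branch=master;protocol=https \`. `jpnevulator_git.bb` later in this commit has the same duplicated parameter and needs the same cleanup.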
diff --git a/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb b/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb index aa55ebf84d..162f5aa339 100644 --- a/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb +++ b/meta-oe/recipes-extended/docopt.cpp/docopt.cpp_git.bb @@ -18,7 +18,7 @@ SRCREV = "3dd23e3280f213bacefdf5fcb04857bf52e90917" PV = "0.6.2+git${SRCPV}" SRC_URI = "\ - git://github.com/docopt/docopt.cpp.git;protocol=https \ + git://github.com/docopt/docopt.cpp.git;protocol=https;branch=master \ file://0001-Set-library-VERSION-and-SOVERSION.patch \ " diff --git a/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb b/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb index 09eab9dcd0..eb00092c7b 100644 --- a/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb +++ b/meta-oe/recipes-extended/dumb-init/dumb-init_1.2.2.bb @@ -4,7 +4,7 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=5940d39995ea6857d01b8227109c2e9c" SRCREV = "b1e978e486114797347deefcc03ab12629a13cc3" -SRC_URI = "git://github.com/Yelp/dumb-init" +SRC_URI = "git://github.com/Yelp/dumb-init;branch=master;protocol=https" S = "${WORKDIR}/git" EXTRA_OEMAKE = "CC='${CC}' CFLAGS='${CFLAGS} ${LDFLAGS}'" diff --git a/meta-oe/recipes-extended/figlet/figlet_git.bb b/meta-oe/recipes-extended/figlet/figlet_git.bb index 4611646b9b..61b050aac6 100644 --- a/meta-oe/recipes-extended/figlet/figlet_git.bb +++ b/meta-oe/recipes-extended/figlet/figlet_git.bb @@ -4,7 +4,7 @@ HOMEPAGE = "http://www.figlet.org/" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=1688bcd97b27704f1afcac7336409857" -SRC_URI = "git://github.com/cmatsuoka/figlet.git \ +SRC_URI = "git://github.com/cmatsuoka/figlet.git;branch=master;protocol=https \ file://0001-build-add-autotools-support-to-allow-easy-cross-comp.patch" SRCREV = "5bbcd7383a8c3a531299b216b0c734e1495c6db3" S = "${WORKDIR}/git" 
diff --git a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb index 926d8851d2..b2c41756e5 100644 --- a/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb +++ b/meta-oe/recipes-extended/gnuplot/gnuplot_5.2.8.bb @@ -32,7 +32,7 @@ BBCLASSEXTEND = "native" DEPENDS_class-native = "readline-native" PACKAGECONFIG_class-native = "" -SRC_URI_append_class-native = "file://0001-reduce-build-to-conversion-tools-for-native-build.patch" +SRC_URI_append_class-native = " file://0001-reduce-build-to-conversion-tools-for-native-build.patch" do_install_class-native() { install -d ${D}${bindir} diff --git a/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb b/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb index 50326ea2f4..19b0d8dbd7 100644 --- a/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb +++ b/meta-oe/recipes-extended/haveged/haveged_1.9.13.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM="file://COPYING;md5=d32239bcb673463ab874e80d47fae504" # v1.9.9 SRCREV = "1283a65c541c4a83e152024a63faf7b267b9b1cd" -SRC_URI = "git://github.com/jirka-h/haveged.git \ +SRC_URI = "git://github.com/jirka-h/haveged.git;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb b/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb index 050b7da3d7..c0d1b1b8bb 100644 --- a/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb +++ b/meta-oe/recipes-extended/hexedit/hexedit_1.4.2.bb @@ -6,7 +6,7 @@ DEPENDS = "ncurses" LIC_FILES_CHKSUM = "file://COPYING;md5=0636e73ff0215e8d672dc4c32c317bb3" -SRC_URI = "git://github.com/pixel/hexedit.git \ +SRC_URI = "git://github.com/pixel/hexedit.git;branch=master;protocol=https \ " SRCREV = "800e4b2e6280531a84fd23ee0b48e16baeb90878" diff --git a/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb b/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb index 29f8de8d2f..cee1f342bd 100644 --- a/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb 
+++ b/meta-oe/recipes-extended/hiredis/hiredis_0.14.0.bb @@ -6,7 +6,7 @@ DEPENDS = "redis" LIC_FILES_CHKSUM = "file://COPYING;md5=d84d659a35c666d23233e54503aaea51" SRCREV = "685030652cd98c5414ce554ff5b356dfe8437870" -SRC_URI = "git://github.com/redis/hiredis;protocol=git \ +SRC_URI = "git://github.com/redis/hiredis;protocol=https;branch=master \ file://0001-Makefile-remove-hardcoding-of-CC.patch" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/iotop/iotop_0.6.bb b/meta-oe/recipes-extended/iotop/iotop_0.6.bb index 3a597218db..19af46cb16 100644 --- a/meta-oe/recipes-extended/iotop/iotop_0.6.bb +++ b/meta-oe/recipes-extended/iotop/iotop_0.6.bb @@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=4325afd396febcb659c36b49533135d4" PV .= "+git${SRCPV}" SRCREV = "1bfb3bc70febb1ffb95146b6dcd65257228099a3" -SRC_URI = "git://repo.or.cz/iotop.git" +SRC_URI = "git://repo.or.cz/iotop.git;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb b/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb index b7899a11b6..2f4724a336 100644 --- a/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb +++ b/meta-oe/recipes-extended/isomd5sum/isomd5sum_1.2.3.bb @@ -7,7 +7,7 @@ RDEPENDS_${BPN} = "openssl curl" LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b" -SRC_URI = "git://github.com/rhinstaller/isomd5sum.git;branch=master \ +SRC_URI = "git://github.com/rhinstaller/isomd5sum.git;branch=master;protocol=https \ file://0001-tweak-install-prefix.patch \ file://0002-fix-parallel-error.patch \ " diff --git a/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb b/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb index d6e56ea768..7beea9f1e7 100644 --- a/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb +++ b/meta-oe/recipes-extended/jansson/jansson_2.13.1.bb 
@@ -11,4 +11,7 @@ SRC_URI[sha256sum] = "f4f377da17b10201a60c1108613e78ee15df6b12016b116b6de42209f4 inherit autotools pkgconfig +# upstream considers it isn't a real bug https://github.com/akheron/jansson/issues/548 +CVE_CHECK_WHITELIST = "CVE-2020-36325 " + BBCLASSEXTEND = "native" diff --git a/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb b/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb index 50dd74b685..ba1fece05c 100644 --- a/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb +++ b/meta-oe/recipes-extended/jpnevulator/jpnevulator_git.bb @@ -4,7 +4,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=892f569a555ba9c07a568a7c0c4fa63a" PV = "2.3.5+git${SRCPV}" -SRC_URI = "git://github.com/snarlistic/jpnevulator.git;protocol=http" +SRC_URI = "git://github.com/snarlistic/jpnevulator.git;protocol=http;branch=master;protocol=https" SRCREV = "c2d857091c0dfed05139ac07ea9b0f36ad259638" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb b/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb index e6d5663f85..977aabf040 100644 --- a/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb +++ b/meta-oe/recipes-extended/konkretcmpi/konkretcmpi_0.9.2.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=f673270bfc350d9ce1efc8724c6c1873" DEPENDS_append_class-target = " swig-native sblim-cmpi-devel python3" DEPENDS_append_class-native = " cmpi-bindings-native" -SRC_URI = "git://github.com/rnovacek/konkretcmpi.git \ +SRC_URI = "git://github.com/rnovacek/konkretcmpi.git;branch=master;protocol=https \ file://0001-CMakeLists.txt-fix-lib64-can-not-be-shiped-in-64bit-.patch \ file://0001-drop-including-rpath-cmake-module.patch \ " diff --git a/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb b/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb index 99cdee5bba..c1023e625e 100644 --- a/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb +++ b/meta-oe/recipes-extended/libblockdev/libblockdev_2.24.bb 
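Review bot: `CVE_CHECK_WHITELIST = "CVE-2020-36325 "` in the jansson recipe uses plain assignment, which replaces any value this variable already holds when the recipe is parsed (for example from distro or local configuration) instead of adding to it. Entries set elsewhere would then silently stop being excluded, or the reverse if the intent was to add one. Use `CVE_CHECK_WHITELIST += "CVE-2020-36325"`, which also removes the trailing space inside the quotes.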
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c07cb499d259452f324bb90c3067d85c" inherit autotools gobject-introspection -SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch" +SRC_URI = "git://github.com/storaged-project/libblockdev;branch=2.x-branch;protocol=https" SRCREV = "f5a4ba8bb298f8cbc435707d0b19b4b2ff836a8e" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libcec/libcec_git.bb b/meta-oe/recipes-extended/libcec/libcec_git.bb index 39ceb489e2..07320e42bd 100644 --- a/meta-oe/recipes-extended/libcec/libcec_git.bb +++ b/meta-oe/recipes-extended/libcec/libcec_git.bb @@ -12,7 +12,7 @@ DEPENDS_append_rpi = "${@bb.utils.contains('MACHINE_FEATURES', 'vc4graphics', '' PV = "5.0.0" SRCREV = "43bc27fe7be491149e6f57d14110e02abdac2f24" -SRC_URI = "git://github.com/Pulse-Eight/libcec.git;branch=release \ +SRC_URI = "git://github.com/Pulse-Eight/libcec.git;branch=release;protocol=https \ file://0001-CheckPlatformSupport.cmake-Do-not-hardcode-lib-path.patch \ file://0001-Enhance-reproducibility.patch \ " diff --git a/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb b/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb index b7c1958eef..e763a701e5 100644 --- a/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb +++ b/meta-oe/recipes-extended/libdivecomputer/libdivecomputer_git.bb @@ -11,7 +11,7 @@ inherit autotools pkgconfig PV = "0.6.0" SRCREV = "1195abc2f4acc7b10175d570ec73549d0938c83e" -SRC_URI = "git://github.com/libdivecomputer/libdivecomputer.git;protocol=https \ +SRC_URI = "git://github.com/libdivecomputer/libdivecomputer.git;protocol=https;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb b/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb index a990deb91f..0906e9a645 100644 --- a/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb +++ b/meta-oe/recipes-extended/libimobiledevice/libplist_2.1.0.bb 
@@ -9,7 +9,7 @@ DEPENDS = "libxml2 glib-2.0 swig python3" inherit autotools pkgconfig python3native python3targetconfig SRCREV = "3df02d4d0e9008771e8622fdc10de8333b3f0d85" -SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https \ +SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https;branch=master \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb index 36fc5c858c..e9c58bf589 100644 --- a/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb +++ b/meta-oe/recipes-extended/libimobiledevice/libusbmuxd_git.bb @@ -9,7 +9,7 @@ inherit autotools pkgconfig gitpkgv PKGV = "${GITPKGVTAG}" SRCREV = "78df9be5fc8222ed53846cb553de9b5d24c85c6c" -SRC_URI = "git://github.com/libimobiledevice/libusbmuxd;protocol=https" +SRC_URI = "git://github.com/libimobiledevice/libusbmuxd;protocol=https;branch=master" S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb b/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb index 7fc5997983..bbfee1ff7a 100644 --- a/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb +++ b/meta-oe/recipes-extended/liblightmodbus/liblightmodbus_2.0.2.bb @@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=84dcc94da3adb52b53ae4fa38fe49e5d" inherit cmake pkgconfig -SRC_URI = "git://github.com/Jacajack/liblightmodbus.git;protocol=https \ +SRC_URI = "git://github.com/Jacajack/liblightmodbus.git;protocol=https;branch=master \ file://0001-cmake-Use-GNUInstallDirs-instead-of-hardcoding-lib-p.patch \ " SRCREV = "59d2b405f95701e5b04326589786dbb43ce49e81" diff --git a/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb b/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb index c9d259b1a0..29c35caf54 100644 --- a/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb +++ b/meta-oe/recipes-extended/libnss-nisplus/libnss-nisplus.bb 
@@ -17,7 +17,7 @@ PV = "1.3+git${SRCPV}" SRCREV = "116219e215858f4af9370171d3ead63baca8fdb4" -SRC_URI = "git://github.com/thkukuk/libnss_nisplus \ +SRC_URI = "git://github.com/thkukuk/libnss_nisplus;branch=master;protocol=https \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb b/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb index cd4019666d..dbe03fedef 100644 --- a/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb +++ b/meta-oe/recipes-extended/libqb/libqb_1.0.5.bb @@ -11,7 +11,7 @@ inherit autotools pkgconfig # v1.0.5 SRCREV = "d08dbcf08b0da418bce9b5427dfd89522916322a" -SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=version_1 \ +SRC_URI = "git://github.com/ClusterLabs/${BPN}.git;branch=version_1;protocol=https \ file://0001-build-fix-configure-script-neglecting-re-enable-out-.patch \ " S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb b/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb index 4276c49173..24784f77a0 100644 --- a/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb +++ b/meta-oe/recipes-extended/libreport/libreport_2.10.0.bb @@ -11,7 +11,7 @@ DEPENDS = "xmlrpc-c xmlrpc-c-native intltool-native \ LIC_FILES_CHKSUM = "file://COPYING;md5=751419260aa954499f7abaabaa882bbe" -SRC_URI = "git://github.com/abrt/libreport.git;protocol=https" +SRC_URI = "git://github.com/abrt/libreport.git;protocol=https;branch=master" SRC_URI += "file://0001-Makefile.am-remove-doc-and-apidoc.patch \ file://0002-configure.ac-remove-prog-test-of-xmlto-and-asciidoc.patch \ file://0003-without-build-plugins.patch \ diff --git a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb index a081cb17a8..27fe0e2c40 100644 --- a/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb +++ b/meta-oe/recipes-extended/libstatgrab/libstatgrab_0.92.bb 
@@ -31,4 +31,4 @@ FILES_statgrab-dbg = "${bindir}/.debug/statgrab" FILES_saidar = "${bindir}/saidar" FILES_saidar-dbg = "${bindir}/.debug/saidar" FILES_${PN}-mrtg = "${bindir}/statgrab-make-mrtg-config ${bindir}/statgrab-make-mrtg-index" -RDEPENDS_${PN}-mrtg_append = "perl statgrab" +RDEPENDS_${PN}-mrtg_append = " perl statgrab" diff --git a/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb b/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb index dd34c180a3..0278e55f3e 100644 --- a/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb +++ b/meta-oe/recipes-extended/libuio/libuio_0.2.1.bb @@ -3,7 +3,7 @@ SECTION = "base" LICENSE = "GPL-2.0" LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833" -SRC_URI = "git://git.code.sf.net/p/libuio/code \ +SRC_URI = "git://git.code.sf.net/p/libuio/code;branch=master \ file://replace_inline_with_static-inline.patch \ file://0001-include-fcntl.h-for-O_RDWR-define.patch \ " diff --git a/meta-oe/recipes-extended/md5deep/md5deep_git.bb b/meta-oe/recipes-extended/md5deep/md5deep_git.bb index e8c6864c1f..cc31323c3f 100644 --- a/meta-oe/recipes-extended/md5deep/md5deep_git.bb +++ b/meta-oe/recipes-extended/md5deep/md5deep_git.bb @@ -9,7 +9,7 @@ PV = "4.4+git${SRCPV}" SRCREV = "877613493ff44807888ce1928129574be393cbb0" -SRC_URI = "git://github.com/jessek/hashdeep.git \ +SRC_URI = "git://github.com/jessek/hashdeep.git;branch=master;protocol=https \ file://wrong-variable-expansion.patch \ file://0001-Fix-literal-and-identifier-spacing-as-dictated-by-C-.patch \ " diff --git a/meta-oe/recipes-extended/mraa/mraa_git.bb b/meta-oe/recipes-extended/mraa/mraa_git.bb index 0b40dcb71b..540ef6e12a 100644 --- a/meta-oe/recipes-extended/mraa/mraa_git.bb +++ b/meta-oe/recipes-extended/mraa/mraa_git.bb 
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=91e7de50a8d3cf01057f318d72460acd" SRCREV = "e15ce6fbc76148ba8835adc92196b0d0a3f245e7" PV = "2.1.0+git${SRCPV}" -SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http \ +SRC_URI = "git://github.com/eclipse/${BPN}.git;protocol=http;branch=master;protocol=https \ file://0001-cmake-Use-a-regular-expression-to-match-x86-architec.patch \ " diff --git a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb index 9d5a2307e7..f635a9b138 100644 --- a/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb +++ b/meta-oe/recipes-extended/openwsman/openwsman_2.6.11.bb @@ -17,7 +17,7 @@ REQUIRED_DISTRO_FEATURES = "pam" SRCREV = "d8eba6cb6682b59d84ca1da67a523520b879ade6" -SRC_URI = "git://github.com/Openwsman/openwsman.git \ +SRC_URI = "git://github.com/Openwsman/openwsman.git;branch=master;protocol=https \ file://libssl-is-required-if-eventint-supported.patch \ file://openwsmand.service \ file://0001-lock.c-Define-PTHREAD_MUTEX_RECURSIVE_NP-if-undefine.patch \ diff --git a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb index c1f43feb67..5b0171d8c8 100644 --- a/meta-oe/recipes-extended/ostree/ostree_2020.3.bb +++ b/meta-oe/recipes-extended/ostree/ostree_2020.3.bb @@ -22,7 +22,7 @@ DEPENDS = " \ PREMIRRORS = "" SRC_URI = " \ - gitsm://github.com/ostreedev/ostree;branch=main \ + gitsm://github.com/ostreedev/ostree;branch=main;protocol=https \ file://run-ptest \ " SRCREV = "6ed48234ba579ff73eb128af237212b0a00f2057" @@ -181,7 +181,7 @@ RDEPENDS_${PN}-ptest += " \ " RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils glibc-localedata-en-us" -RRECOMMENDS_${PN} += "kernel-module-overlay" +RRECOMMENDS_${PN}_append_class-target = " kernel-module-overlay" SYSTEMD_SERVICE_${PN} = "ostree-remount.service ostree-finalize-staged.path" SYSTEMD_SERVICE_${PN}-switchroot = "ostree-prepare-root.service" 
diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch new file mode 100644 index 0000000000..98e186cbf0 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2016-9296.patch @@ -0,0 +1,27 @@ +p7zip: Update CVE-2016-9296 patch URL. +From: Robert Luberda <robert@debian.org> +Date: Sat, 19 Nov 2016 08:48:08 +0100 +Subject: Fix nullptr dereference (CVE-2016-9296) + +Patch taken from https://sourceforge.net/p/p7zip/bugs/185/ +This patch file taken from Debian's patch set for p7zip + +Upstream-Status: Backport [https://sourceforge.net/p/p7zip/bugs/185/] +CVE: CVE-2016-9296 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> + +Index: p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Archive/7z/7zIn.cpp ++++ p7zip_16.02/CPP/7zip/Archive/7z/7zIn.cpp +@@ -1097,7 +1097,8 @@ HRESULT CInArchive::ReadAndDecodePackedS + if (CrcCalc(data, unpackSize) != folders.FolderCRCs.Vals[i]) + ThrowIncorrect(); + } +- HeadersSize += folders.PackPositions[folders.NumPackStreams]; ++ if (folders.PackPositions) ++ HeadersSize += folders.PackPositions[folders.NumPackStreams]; + return S_OK; + } + diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch new file mode 100644 index 0000000000..b6deb5d3a7 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2018-5996.patch 
@@ -0,0 +1,226 @@ +From: Robert Luberda <robert@debian.org> +Date: Sun, 28 Jan 2018 23:47:40 +0100 +Subject: CVE-2018-5996 + +Hopefully fix Memory Corruptions via RAR PPMd (CVE-2018-5996) by +applying a few changes from 7Zip 18.00-beta. + +Bug-Debian: https://bugs.debian.org/#888314 + +Upstream-Status: Backport [https://sources.debian.org/data/non-free/p/p7zip-rar/16.02-3/debian/patches/06-CVE-2018-5996.patch] +CVE: CVE-2018-5996 + +Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com> +--- + CPP/7zip/Compress/Rar1Decoder.cpp | 13 +++++++++---- + CPP/7zip/Compress/Rar1Decoder.h | 1 + + CPP/7zip/Compress/Rar2Decoder.cpp | 10 +++++++++- + CPP/7zip/Compress/Rar2Decoder.h | 1 + + CPP/7zip/Compress/Rar3Decoder.cpp | 23 ++++++++++++++++++++--- + CPP/7zip/Compress/Rar3Decoder.h | 2 ++ + 6 files changed, 42 insertions(+), 8 deletions(-) + +Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.cpp +@@ -29,7 +29,7 @@ public: + }; + */ + +-CDecoder::CDecoder(): m_IsSolid(false) { } ++CDecoder::CDecoder(): m_IsSolid(false), _errorMode(false) { } + + void CDecoder::InitStructures() + { +@@ -406,9 +406,14 @@ HRESULT CDecoder::CodeReal(ISequentialIn + InitData(); + if (!m_IsSolid) + { ++ _errorMode = false; + InitStructures(); + InitHuff(); + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (m_UnpackSize > 0) + { + GetFlagsBuf(); +@@ -477,9 +482,9 @@ STDMETHODIMP CDecoder::Code(ISequentialI + const UInt64 *inSize, const UInt64 *outSize, ICompressProgressInfo *progress) + { + try { return CodeReal(inStream, outStream, inSize, outSize, progress); } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(const CLzOutWindowException &e) { return e.ErrorCode; } +- catch(...) 
{ return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(const CLzOutWindowException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) { _errorMode = true; return S_FALSE; } + } + + STDMETHODIMP CDecoder::SetDecoderProperties2(const Byte *data, UInt32 size) +Index: p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar1Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar1Decoder.h +@@ -39,6 +39,7 @@ public: + + Int64 m_UnpackSize; + bool m_IsSolid; ++ bool _errorMode; + + UInt32 ReadBits(int numBits); + HRESULT CopyBlock(UInt32 distance, UInt32 len); +Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.cpp +@@ -80,7 +80,8 @@ static const UInt32 kHistorySize = 1 << + static const UInt32 kWindowReservSize = (1 << 22) + 256; + + CDecoder::CDecoder(): +- m_IsSolid(false) ++ m_IsSolid(false), ++ m_TablesOK(false) + { + } + +@@ -100,6 +101,8 @@ UInt32 CDecoder::ReadBits(unsigned numBi + + bool CDecoder::ReadTables(void) + { ++ m_TablesOK = false; ++ + Byte levelLevels[kLevelTableSize]; + Byte newLevels[kMaxTableSize]; + m_AudioMode = (ReadBits(1) == 1); +@@ -170,6 +173,8 @@ bool CDecoder::ReadTables(void) + } + + memcpy(m_LastLevels, newLevels, kMaxTableSize); ++ m_TablesOK = true; ++ + return true; + } + +@@ -344,6 +349,9 @@ HRESULT CDecoder::CodeReal(ISequentialIn + return S_FALSE; + } + ++ if (!m_TablesOK) ++ return S_FALSE; ++ + UInt64 startPos = m_OutWindowStream.GetProcessedSize(); + while (pos < unPackSize) + { +Index: p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar2Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar2Decoder.h +@@ 
-139,6 +139,7 @@ class CDecoder : + + UInt64 m_PackSize; + bool m_IsSolid; ++ bool m_TablesOK; + + void InitStructures(); + UInt32 ReadBits(unsigned numBits); +Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.cpp ++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.cpp +@@ -92,7 +92,8 @@ CDecoder::CDecoder(): + _writtenFileSize(0), + _vmData(0), + _vmCode(0), +- m_IsSolid(false) ++ m_IsSolid(false), ++ _errorMode(false) + { + Ppmd7_Construct(&_ppmd); + } +@@ -545,6 +546,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + return InitPPM(); + } + ++ TablesRead = false; ++ TablesOK = false; ++ + _lzMode = true; + PrevAlignBits = 0; + PrevAlignCount = 0; +@@ -606,6 +610,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + } + } + } ++ if (InputEofError()) ++ return S_FALSE; ++ + TablesRead = true; + + // original code has check here: +@@ -623,6 +630,9 @@ HRESULT CDecoder::ReadTables(bool &keepD + RIF(m_LenDecoder.Build(&newLevels[kMainTableSize + kDistTableSize + kAlignTableSize])); + + memcpy(m_LastLevels, newLevels, kTablesSizesSum); ++ ++ TablesOK = true; ++ + return S_OK; + } + +@@ -824,7 +834,12 @@ HRESULT CDecoder::CodeReal(ICompressProg + PpmEscChar = 2; + PpmError = true; + InitFilters(); ++ _errorMode = false; + } ++ ++ if (_errorMode) ++ return S_FALSE; ++ + if (!m_IsSolid || !TablesRead) + { + bool keepDecompressing; +@@ -838,6 +853,8 @@ HRESULT CDecoder::CodeReal(ICompressProg + bool keepDecompressing; + if (_lzMode) + { ++ if (!TablesOK) ++ return S_FALSE; + RINOK(DecodeLZ(keepDecompressing)) + } + else +@@ -901,8 +918,8 @@ STDMETHODIMP CDecoder::Code(ISequentialI + _unpackSize = outSize ? *outSize : (UInt64)(Int64)-1; + return CodeReal(progress); + } +- catch(const CInBufferException &e) { return e.ErrorCode; } +- catch(...) { return S_FALSE; } ++ catch(const CInBufferException &e) { _errorMode = true; return e.ErrorCode; } ++ catch(...) 
{ _errorMode = true; return S_FALSE; } + // CNewException is possible here. But probably CNewException is caused + // by error in data stream. + } +Index: p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Compress/Rar3Decoder.h ++++ p7zip_16.02/CPP/7zip/Compress/Rar3Decoder.h +@@ -192,6 +192,7 @@ class CDecoder: + UInt32 _lastFilter; + + bool m_IsSolid; ++ bool _errorMode; + + bool _lzMode; + bool _unsupportedFilter; +@@ -200,6 +201,7 @@ class CDecoder: + UInt32 PrevAlignCount; + + bool TablesRead; ++ bool TablesOK; + + CPpmd7 _ppmd; + int PpmEscChar; diff --git a/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch new file mode 100644 index 0000000000..dcde83e8a4 --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/change_numMethods_from_bool_to_unsigned.patch 
@@ -0,0 +1,27 @@ +fixes the below error + +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp: In member function 'virtual LONG NArchive::NWim::CHandler::GetArchiveProperty(PROPID, PROPVARIANT*)': +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:308:11: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17 +| 308 | numMethods++; +| | ^~~~~~~~~~ +| ../../../../CPP/7zip/Archive/Wim/WimHandler.cpp:318:9: error: use of an operand of type 'bool' in 'operator++' is forbidden in C++17 +| 318 | numMethods++; + + +use unsigned instead of bool +Signed-off-by: Nisha Parrakat <Nisha.Parrakat@kpit.com> + +Upstream-Status: Pending +Index: p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp +=================================================================== +--- p7zip_16.02.orig/CPP/7zip/Archive/Wim/WimHandler.cpp ++++ p7zip_16.02/CPP/7zip/Archive/Wim/WimHandler.cpp +@@ -298,7 +298,7 @@ STDMETHODIMP CHandler::GetArchivePropert + + AString res; + +- bool numMethods = 0; ++ unsigned numMethods = 0; + for (unsigned i = 0; i < ARRAY_SIZE(k_Methods); i++) + { + if (methodMask & ((UInt32)1 << i)) diff --git a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb index 13479a90fe..79677c6487 100644 --- a/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb +++ b/meta-oe/recipes-extended/p7zip/p7zip_16.02.bb @@ -9,6 +9,9 @@ SRC_URI = "http://downloads.sourceforge.net/p7zip/p7zip/${PV}/p7zip_${PV}_src_al file://do_not_override_compiler_and_do_not_strip.patch \ file://CVE-2017-17969.patch \ file://0001-Fix-narrowing-errors-Wc-11-narrowing.patch \ + file://change_numMethods_from_bool_to_unsigned.patch \ + file://CVE-2018-5996.patch \ + file://CVE-2016-9296.patch \ " SRC_URI[md5sum] = "a0128d661cfe7cc8c121e73519c54fbf" 
@@ -16,10 +19,26 @@ SRC_URI[sha256sum] = "5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6 S = "${WORKDIR}/${BPN}_${PV}" +do_compile_append() { + oe_runmake 7z +} +FILES_${PN} += "${libdir}/* ${bindir}/7z" + +FILES_SOLIBSDEV = "" +INSANE_SKIP_${PN} += "dev-so" + do_install() { install -d ${D}${bindir} - install -m 0755 ${S}/bin/* ${D}${bindir} + install -d ${D}${bindir}/Codecs + install -d ${D}${libdir} + install -d ${D}${libdir}/Codecs + install -m 0755 ${S}/bin/7za ${D}${bindir} ln -s 7za ${D}${bindir}/7z + install -m 0755 ${S}/bin/Codecs/* ${D}${libdir}/Codecs/ + install -m 0755 ${S}/bin/7z.so ${D}${libdir}/lib7z.so } -BBCLASSEXTEND = "native" +RPROVIDES_${PN} += "lib7z.so()(64bit) 7z lib7z.so" +RPROVIDES_${PN}-dev += "lib7z.so()(64bit) 7z lib7z.so" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-oe/recipes-extended/p8platform/p8platform_git.bb b/meta-oe/recipes-extended/p8platform/p8platform_git.bb index 0690d4ba3c..2e52caeffa 100644 --- a/meta-oe/recipes-extended/p8platform/p8platform_git.bb +++ b/meta-oe/recipes-extended/p8platform/p8platform_git.bb @@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://src/os.h;md5=752555fa94e82005d45fd201fee5bd33" PV = "2.1.0.1" -SRC_URI = "git://github.com/Pulse-Eight/platform.git \ +SRC_URI = "git://github.com/Pulse-Eight/platform.git;branch=master;protocol=https \ file://0001-Make-resulting-cmake-config-relocatable.patch" SRCREV = "2d90f98620e25f47702c9e848380c0d93f29462b" diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb index 9838e75ef5..5c2af44c73 100644 --- a/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb +++ b/meta-oe/recipes-extended/pam/pam-plugin-ccreds_11.bb @@ -11,7 +11,7 @@ REQUIRED_DISTRO_FEATURES = "pam" SRCREV = "e2145df09469bf84878e4729b4ecd814efb797d1" -SRC_URI = "git://github.com/PADL/pam_ccreds" +SRC_URI = "git://github.com/PADL/pam_ccreds;branch=master;protocol=https" S = "${WORKDIR}/git" 
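Review bot: `RPROVIDES_${PN} += "lib7z.so()(64bit) 7z lib7z.so"` hard-codes a 64-bit shared-object provide, so on a 32-bit target the package would advertise a library flavour it does not ship. The same string is also added to `RPROVIDES_${PN}-dev`, although `FILES_SOLIBSDEV = ""` appears to keep `lib7z.so` in the main package. I would drop the `()(64bit)` entry (or derive it from the target architecture) and remove the `-dev` line. Separately, `install -d ${D}${bindir}/Codecs` creates a directory that nothing is installed into, since the codecs go to `${D}${libdir}/Codecs/`. Finally, `do_compile_append` builds the `7z` target, yet `${bindir}/7z` is still the `ln -s 7za` symlink, which deserves a comment if intended.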
diff --git a/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb b/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb index 626b22fe48..5022300ba3 100644 --- a/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb +++ b/meta-oe/recipes-extended/pam/pam-plugin-ldapdb_1.3.bb @@ -11,7 +11,7 @@ inherit features_check REQUIRED_DISTRO_FEATURES = "pam" SRCREV = "84d7b260f1ae6857ae36e014c9a5968e8aa1cbe8" -SRC_URI = "git://github.com/rmbreak/pam_ldapdb \ +SRC_URI = "git://github.com/rmbreak/pam_ldapdb;branch=master;protocol=https \ file://0001-include-stdexcept-for-std-invalid_argument.patch \ " diff --git a/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb b/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb index f5066da0d8..5c56a16f41 100644 --- a/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb +++ b/meta-oe/recipes-extended/pmdk/pmdk_1.7.bb @@ -11,7 +11,7 @@ DEPENDS_append_libc-musl = " fts" S = "${WORKDIR}/git" -SRC_URI = "git://github.com/pmem/pmdk.git \ +SRC_URI = "git://github.com/pmem/pmdk.git;branch=master;protocol=https \ file://0001-jemalloc-jemalloc.cfg-Specify-the-host-when-building.patch \ file://0002-Makefile-Don-t-install-the-docs.patch \ file://0001-os_posix-Use-__FreeBSD__-to-control-secure_getenv-de.patch \ diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch new file mode 100644 index 0000000000..cab1c83c09 --- /dev/null +++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4034.patch 
@@ -0,0 +1,74 @@ +From ed8b418f1341cf7fc576f6b17de5c6dd4017e034 Mon Sep 17 00:00:00 2001 +From: "Jeremy A. Puhlman" <jpuhlman@mvista.com> +Date: Thu, 27 Jan 2022 00:01:27 +0000 +Subject: [PATCH] CVE-2021-4034: Local privilege escalation in pkexec due to + incorrect handling of argument vector + +Upstream-Status: Backport https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 +CVE: CVE-2021-4034 + +Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> +--- + src/programs/pkcheck.c | 6 ++++++ + src/programs/pkexec.c | 21 ++++++++++++++++++++- + 2 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/src/programs/pkcheck.c b/src/programs/pkcheck.c +index f1bb4e1..aff4f60 100644 +--- a/src/programs/pkcheck.c ++++ b/src/programs/pkcheck.c +@@ -363,6 +363,12 @@ main (int argc, char *argv[]) + local_agent_handle = NULL; + ret = 126; + ++ if (argc < 1) ++ { ++ help(); ++ exit(1); ++ } ++ + /* Disable remote file access from GIO. */ + setenv ("GIO_USE_VFS", "local", 1); + +diff --git a/src/programs/pkexec.c b/src/programs/pkexec.c +index 7698c5c..3ff4c58 100644 +--- a/src/programs/pkexec.c ++++ b/src/programs/pkexec.c +@@ -488,6 +488,17 @@ main (int argc, char *argv[]) + pid_t pid_of_caller; + gpointer local_agent_handle; + ++ ++ /* ++ * If 'pkexec' is called wrong, just show help and bail out. ++ */ ++ if (argc<1) ++ { ++ clearenv(); ++ usage(argc, argv); ++ exit(1); ++ } ++ + ret = 127; + authority = NULL; + subject = NULL; +@@ -636,7 +647,15 @@ main (int argc, char *argv[]) + goto out; + } + g_free (path); +- argv[n] = path = s; ++ path = s; ++ ++ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated. ++ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination ++ */ ++ if (argv[n] != NULL) ++ { ++ argv[n] = path; ++ } + } + if (access (path, F_OK) != 0) + { +-- +2.26.2 + 
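Review bot: The `Upstream-Status` line in this new patch header gives the upstream commit URL without brackets, unlike the other CVE patches added in this commit, and that may trip tooling that parses the field. The consistent form is `Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683]`. The header also does not say whether the hunks were taken verbatim or adapted for 0.116, which is worth one sentence for anyone auditing the backport later.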
diff --git a/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
new file mode 100644
index 0000000000..37e0d6063c
--- /dev/null
+++ b/meta-oe/recipes-extended/polkit/files/CVE-2021-4115.patch
@@ -0,0 +1,87 @@ +From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001 +From: Jan Rybar <jrybar@redhat.com> +Date: Mon, 21 Feb 2022 08:29:05 +0000 +Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix + +Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/41cb093f554da8772362654a128a84dd8a5542a7.patch] +CVE: CVE-2021-4115 +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++---- + 1 file changed, 34 insertions(+), 4 deletions(-) + +diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c +index 8ed1363..2fbf5f1 100644 +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -62,6 +62,10 @@ enum + PROP_NAME, + }; + ++ ++guint8 dbus_call_respond_fails; // has to be global because of callback ++ ++ + static void subject_iface_init (PolkitSubjectIface *subject_iface); + + G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT, +@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src, + if (!v) + { + data->caught_error = TRUE; ++ dbus_call_respond_fails += 1; + } + else + { +@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + tmp_context = g_main_context_new (); + g_main_context_push_thread_default (tmp_context); + ++ dbus_call_respond_fails = 0; ++ + /* Do two async calls as it's basically as fast as one sync call. + */ + g_dbus_connection_call (connection, +@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + on_retrieved_unix_uid_pid, + &data); + +- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) +- g_main_context_iteration (tmp_context, TRUE); ++ while (TRUE) ++ { ++ /* If one dbus call returns error, we must wait until the other call ++ * calls _call_finish(), otherwise fd leak is possible. 
++ * Resolves: GHSL-2021-077 ++ */ + +- if (data.caught_error) +- goto out; ++ if ( (dbus_call_respond_fails > 1) ) ++ { ++ // we got two faults, we can leave ++ goto out; ++ } ++ ++ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid))) ++ { ++ // we got one fault and the other call finally finished, we can leave ++ goto out; ++ } ++ ++ if ( !(data.retrieved_uid && data.retrieved_pid) ) ++ { ++ g_main_context_iteration (tmp_context, TRUE); ++ } ++ else ++ { ++ break; ++ } ++ } + + if (out_uid) + *out_uid = data.uid; +-- +GitLab + diff --git a/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch new file mode 100644 index 0000000000..76308ffdb9 --- /dev/null +++ b/meta-oe/recipes-extended/polkit/polkit/CVE-2021-3560.patch @@ -0,0 +1,33 @@ +From a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81 Mon Sep 17 00:00:00 2001 +From: Jan Rybar <jrybar@redhat.com> +Date: Wed, 2 Jun 2021 15:43:38 +0200 +Subject: [PATCH] GHSL-2021-074: authentication bypass vulnerability in polkit + +initial values returned if error caught + +CVE: CVE-2021-3560 + +Upstream-Status: Backport [https://gitlab.freedesktop.org/polkit/polkit/-/commit/a04d13affe0fa53ff618e07aa8f57f4c0e3b9b81] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + src/polkit/polkitsystembusname.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c +index 8daa12c..8ed1363 100644 +--- a/src/polkit/polkitsystembusname.c ++++ b/src/polkit/polkitsystembusname.c +@@ -435,6 +435,9 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus + while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error)) + g_main_context_iteration (tmp_context, TRUE); + ++ if (data.caught_error) ++ goto out; ++ + if (out_uid) + *out_uid = data.uid; + if (out_pid) +-- +2.29.2 + 
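Review bot: In the CVE-2021-4115 patch, `guint8 dbus_call_respond_fails;` is a non-static file-scope variable that `polkit_system_bus_name_get_creds_sync` resets and the `on_retrieved_unix_uid_pid` callback increments. Two threads resolving credentials at the same time would therefore share one failure counter, and the symbol gets external linkage in the library. The callback already receives `&data` and sets `data->caught_error`, so the counter could presumably live in that struct rather than being global as the comment claims. Since this is a backport, the practical options are to keep it verbatim and record the limitation in the patch header, or at least declare it `static guint8 dbus_call_respond_fails;` and note the deviation from upstream.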
diff --git a/meta-oe/recipes-extended/polkit/polkit_0.116.bb b/meta-oe/recipes-extended/polkit/polkit_0.116.bb index ad1973b136..dd8e208616 100644 --- a/meta-oe/recipes-extended/polkit/polkit_0.116.bb +++ b/meta-oe/recipes-extended/polkit/polkit_0.116.bb @@ -25,6 +25,9 @@ PAM_SRC_URI = "file://polkit-1_pam.patch" SRC_URI = "http://www.freedesktop.org/software/polkit/releases/polkit-${PV}.tar.gz \ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \ file://0003-make-netgroup-support-optional.patch \ + file://CVE-2021-3560.patch \ + file://CVE-2021-4034.patch \ + file://CVE-2021-4115.patch \ " SRC_URI[md5sum] = "4b37258583393e83069a0e2e89c0162a" SRC_URI[sha256sum] = "88170c9e711e8db305a12fdb8234fac5706c61969b94e084d0f117d8ec5d34b1" diff --git a/meta-oe/recipes-extended/redis/redis_5.0.9.bb b/meta-oe/recipes-extended/redis/redis_5.0.14.bb index d04293369a..3d849ec8c3 100644 --- a/meta-oe/recipes-extended/redis/redis_5.0.9.bb +++ b/meta-oe/recipes-extended/redis/redis_5.0.14.bb @@ -17,8 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://GNU_SOURCE.patch \ " -SRC_URI[md5sum] = "c94523c9f4ee662027ddf90575d0e058" -SRC_URI[sha256sum] = "53d0ae164cd33536c3d4b720ae9a128ea6166ebf04ff1add3b85f1242090cb85" +SRC_URI[sha256sum] = "3ea5024766d983249e80d4aa9457c897a9f079957d0fb1f35682df233f997f32" inherit autotools-brokensep update-rc.d systemd useradd diff --git a/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb b/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb index 5662e63474..914b12e7ca 100644 --- a/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb +++ b/meta-oe/recipes-extended/rrdtool/rrdtool_1.7.2.bb @@ -10,7 +10,7 @@ SRCREV = "56a83f4f52e6745cd4352f9ee008be3183a6dedf" PV = "1.7.2" SRC_URI = "\ - git://github.com/oetiker/rrdtool-1.x.git;branch=master;protocol=http; \ + git://github.com/oetiker/rrdtool-1.x.git;branch=master;protocol=http;protocol=https \ " S = "${WORKDIR}/git" 
diff --git a/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb b/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb
index b84dde3d37..3b63971e5d 100644
--- a/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb
+++ b/meta-oe/recipes-extended/rsyslog/libfastjson_0.99.8.bb
@@ -6,7 +6,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a958bb07122368f3e1d9b2efe07d231f" |