| Age | Commit message (Collapse) | Author |
|---|
|
CVE_STATUS was set for those components, but meanwhile databases are updated
with corrected information, so setting the CVE_STATUS is not needed anymore.
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Changelog:
==========
- Fix public key computation for other EdDSA curves.
- Remove out of core handler diagnostic in FIPS mode.
- Check that the digest size is not zero in gcry_pk_sign_md and
gcry_pk_verify_md.
- Make store an s-exp with \0 is considered to be binary.
- Various constant-time improvements.
- Use getrandom call only when supported by the platform.
- Change the default for --with-libtool-modification to never.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Instead of installing pieces of the build system, we can install the
test driver (which can also be used to list the files needed) and run
the tests directly.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
|
|
This patch was added in 2017 to fix an ICE in GCC. GCC no longer ICEs,
so the patch isn't needed anymore. Of note is that the random failures
in ptest are in the test being patched, so maybe this is causing subtle
breakage.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
|
|
libgcrypt.pc has been built and installed by libgcrypt since 1.9.0[1],
so the manual install can be removed.
[1] 97194b422bc89a6137f4e218d4cdee118c63e96e
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
|
|
The recent ptest addition was causing reproducibility tests to fail.
Remove the problematic files as they clearly aren't needed on target
to run the ptests. Hack the Makefile so that it doesn't try to rerun
configure and similar.
Also add a missing dependency on make.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upstream removed the GPLv3 component to the license here:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=fbb26c3ac514189f50a31f72dde2a02ef7b41f9f
Update our metadata accordingly as there are now no GPLv3 components.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add a ptest for libgcript to core-image-ptest-all. All tests passed on a trial
run.
Signed-off-by: Simone Weiss <simone.weiss@elektrobit.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
License-Update: formatting
Add another chunk to pthread fixing patch.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
license identifiers
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Includes a fix for CVE-2021-40528.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
License-Update: added terms for cipher/cipher-gcm-ppc.c, still under GPL
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes: [YOCTO #13471]
Signed-off-by: Ida Delphine <idadelm@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Drop backports.
Add a patch that inserts missing spaces in Makefiles.
Drop determinism.patch: upstream has moved the git
stuff to an external script, which has a guard that
checkes for presence of .git/ in source tree.
License-Update: additional source file listed
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Whitelisted below CVEs:
1. CVE-2018-12433
Link: https://security-tracker.debian.org/tracker/CVE-2018-12433
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-12433
CVE-2018-12433 is marked disputed and ignored by NVD as it does
not impact crypt libraries for any distros and hence, can be safely
marked whitelisted.
2. CVE-2018-12438
Link: https://security-tracker.debian.org/tracker/CVE-2018-12438
Link: https://ubuntu.com/security/CVE-2018-12438
CVE-2018-12438 was reported for affecting openjdk crypt libraries
but there are no details available on which openjdk versions are
affected and does not directly affect libgcrypt or any specific
yocto distributions, hence, can be whitelisted.
Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The build was injection git information from the wrong git tree, stop this
to allow reproducible builds.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upgrade libgcrypt. Upstream repo now has a pkg-config
feature. The new patch for compatibility with oe-core
is a replacement for a patch that added pkg-config as
a feature when upstream did not have it.
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a
flush-and-reload side-channel attack because physical addresses are
available to other processes. (The C implementation is used on platforms
where an assembly-language implementation is unavailable.)
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2019-12904
Patches from:
https://github.com/gpg/libgcrypt/commit/1374254c2904ab5b18ba4a890856824a102d4705
https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762
https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The LICENSES file contains references to source files with other
licenses than GPL/LGPL that stipulate that they shall be mentioned in
any documentation accompanying a product including this library.
License-Update: Add missing LICENSES file
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Update libgcrypt version from 1.8.0 to 1.8.1.
Signed-off-by: Jussi Laako <jussi.laako@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This patch is backported from the upstream git repository to fix building
libgcrypt on armv6 platforms such as raspberrypi.
Signed-off-by: Paul Barker <pbarker@toganlabs.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Backport the fix from https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;
a=commit;h=bf76acbf0da6b0f245e491bec12c0f0a1b5be7c9
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Rebase patches:
- add-pkgconfig-support.patch -> 0001
- libgcrypt-fix-building-error-with-O2-in-sysroot-path.patch -> 0002
- fix-ICE-failure-on-mips-with-option-O-and-g.patch -> 0003
- fix-undefined-reference-to-pthread.patch -> 0004
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
libtool tries to guess the --tag value based on CC/CXX environment
variables and the compile commandline generated by makefiles. This
heuristics however fails when we construct CC variables in OE
and add security flags to it, especially -fPIE -pie which are added
by external compilers e.g. clang particularly. It fails because
libtool removed PIE flags from compiler cmdline intelligently
if it figures out that its building a library, which means that
the CC variable passed from cmdline does not match with the compiler
cmdline constructed by libtool and we end up with errors like
| arm-bec-linux-musleabi-libtool: compile: unable to infer tagged configuration
| arm-bec-linux-musleabi-libtool: error: specify a tag with '--tag'
This works with internal gcc toolchain because we configure gcc for
PIE when hardening is selected and dont pass -fPIE -pie options explicitly
but this is not an option for clang, and some external gcc toolchains
using older gcc
This patch adds the --tag option to help libtool set correct tags
in packages where it cant get it right via its heuristics
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fixes CVE-2017-7526, 'flush+reload side-channel attack on RSA secret keys dubbed
"Sliding right into disaster"'.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
This works ok with thumb2 as well now a days
It was added in 2006
http://git.openembedded.org/openembedded/commit/?id=037b00e3d629962e8d2bc4fcc944c9ecf9a240be
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
Add PACKAGECONFIG options for 'capabilities' which enables the libcap
dependency.
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Enable nativesdk on this recipe.
Signed-off-by: Nathan Rossi <nathan@nathanrossi.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Fan Xin <fan.xin@jp.fujitsu.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
- Add fix-undefined-reference-to-pthread.patch to fix undefined
reference to `pthread_create'
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
https version seems more reliable and in an informal test fetching
all gnupg recipes now takes <20% of the time it used to.
Define GNUPG_MIRROR in bitbake.conf so future tweaks to this are
easier. Replace some slower mirrors with the official ftp site
and another from gnupg.org mirror list.
Set UPSTREAM_CHECK_URI in all recipes that need it to
"https://gnupg.org/download/index.html" as the directory listings
are not up-to-date.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Noteworthy changes in version 1.6.5 (2016-02-09) [C20/A0/R5]
------------------------------------------------
* Mitigate side-channel attack on ECDH with Weierstrass curves
[CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
details.
* Fix build problem on Solaris.
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fix a variety of problems such as typos, bad punctuations, or incorrect
Upstream-Status values.
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
Simone Weiß
Wang Mingyu
Andrej Valek
Alexander Kanavin
Ross Burton
Richard Purdie
Simone Weiss
Meh Mbeh Ida Delphine
saloni
Trevor Gamblin
Yi Zhao
Hongxu Jia
Peter Kjellerstedt
Juro Bystricky
Alexander Kanavin
Jussi Laako
Paul Barker
Khem Raj
Ross Burton
Nathan Rossi
Fan Xin
Jussi Kukkonen
Andre McCurdy