Age | Commit message | Author
2021-06-02 | oeqa/runtime/rpm: Drop log message counting test component [hardknott-next] | Richard Purdie
This test is flawed since multiple parts of the system can write to the log and we obtain different numbers of log messages depending on factors we can't control. Drop the log testing component of the test.
[YOCTO #12465]
(From OE-Core rev: 6ca1047e98a1c8bc305a3f40ad1919c5038e1698)
Signed-off-by: Richard Purdie <>
2021-06-02 | package_rpm: pass XZ_THREADS to rpm | Ross Burton
By default RPM uses the number of cores as the number of threads to use, which can result in quite antisocial memory usage. As we control the macros for compression anyway, we can pass XZ_THREADS to limit the number of threads if needed.
(From OE-Core rev: 959e1faa911ee67d5d84a57b932135b76cac6a53)
Signed-off-by: Ross Burton <>
Signed-off-by: Richard Purdie <>
2021-06-02 | pkgconfig: update SRC_URI | Changqing Li
The git repo for pkg-config was changed, so update the SRC_URI accordingly with the new link.
(From OE-Core rev: 07f223048a5b8ac3cb828a68b6069825c8d656ae)
Signed-off-by: Changqing Li <>
Signed-off-by: Richard Purdie <>
2021-06-02 | flex: correct license information | Nikolay Papenkov
License-Update: Corrected license information
The flex package is under two licenses:
- "BSD-3-Clause" is provided in the top-level COPYING file; the license actually includes a third obligation (without the actual "3" numbering)
- "LGPL-2.0+" is explained by src/gettext.h
(From OE-Core rev: f5c5763ae530f6c6b53d0ab510b62b9ae77a5f81)
Signed-off-by: Dmitry Kisil <>
Signed-off-by: Richard Purdie <>
2021-06-02 | expat: set CVE_PRODUCT | Steve Sakoman
Upstream database uses both "expat" and "libexpat" to report CVEs.
(From OE-Core rev: 30357a56df82d3ea11f7288a8c02dd2d201b498a)
Signed-off-by: Steve Sakoman <>
Signed-off-by: Richard Purdie <>
2021-06-02 | curl: fix CVE-2021-22876 | Trevor Gamblin
Backport and modify the patch for CVE-2021-22876 from curl 7.76 to make it apply cleanly on 7.75.
CVE: CVE-2021-22876
(From OE-Core rev: 7c39b71b78ffc64a456872769b341cfc662e747d)
Signed-off-by: Trevor Gamblin <>
Signed-off-by: Richard Purdie <>
2021-06-02 | curl: fix CVE-2021-22890 | Trevor Gamblin
Backport and modify the patch for CVE-2021-22890 from curl 7.76 to make it apply cleanly on 7.75.
CVE: CVE-2021-22890
(From OE-Core rev: b11dc35cce0449623182ecf044c4a49664119b9c)
Signed-off-by: Trevor Gamblin <>
Signed-off-by: Richard Purdie <>
2021-06-02 | qemu: Exclude CVE-2020-3550[4/5/6] from cve-check | Sakib Sajal
These CVEs affect the ESP (NCR53C90) part of chip STP2000 (Master I/O). On Sparc32 it is the NCR89C100 part of the chip. On Macintosh Quadra it is NCR53C96. Both are not supported by yocto.
(From OE-Core rev: e3ded54f9fd089382e6304604ca02d2305f16f21)
Signed-off-by: Sakib Sajal <>
Signed-off-by: Richard Purdie <>
2021-06-02 | bind: upgrade 9.16.15 -> 9.16.16 | Trevor Gamblin
(From OE-Core rev: 5e1a46f08284e0c54f42f999e3a1c0a403943810)
Signed-off-by: Trevor Gamblin <>
Signed-off-by: Richard Purdie <>
2021-06-02 | bind: upgrade 9.16.13 -> 9.16.15 | Richard Purdie
(From OE-Core rev: bceca3c36eade64c87a88d70eecd45ae1cb5aae9)
Signed-off-by: Richard Purdie <>
2021-06-02 | bind: upgrade 9.16.12 -> 9.16.13 | Alexander Kanavin
(From OE-Core rev: 342cdbc0671cbf8a41984784db7d986086b64977)
Signed-off-by: Alexander Kanavin <>
Signed-off-by: Richard Purdie <>
2021-06-02 | xinetd: Exclude CVE-2013-4342 from cve-check | Richard Purdie
We use the SUSE mirror of xinetd. The CVE fix was added to the main repo after the latest release but is included in the version from the SUSE repo.
(From OE-Core rev: 14477263562fe683f914ae640e0ff30a4d54977a)
Signed-off-by: Richard Purdie <>
add exclusion list for intractable CVEs | Richard Purdie
The preferred methods for CVE resolution are:
1. Version upgrades where possible
2. Patches where not possible
3. Database updates where version info is incorrect
4. Exclusion from checking where it is determined that the CVE does not apply to our environment
In some cases none of these methods are possible. For example the CVE may be decades old with no apparent resolution, and with broken links that make further research impractical. Some CVEs are vague with no specific action the project can take too.
This patch creates a mechanism for users to remove this type of CVE from the cve-check results via an optional include file.
Based on an initial patch from Steve Sakoman <> but extended heavily by RP.
(From OE-Core rev: 4a70af7b89d2ddff341b724a97cb96987874a3b0)
Signed-off-by: Richard Purdie <>
2021-05-30 | grub: Exclude CVE-2019-14865 from cve-check | Richard Purdie
The CVE only applies to RHEL.
(From OE-Core rev: a1130182a086eebeff5dfc5bebc708a3191fb5be)
Signed-off-by: Richard Purdie <>
2021-05-30 | grub2: Add CVE whitelist entries for issues fixed in 2.06 | Richard Purdie
We're using a pre-release version of 2.06 so these issues are fixed but continue to show up in the checks since it is pre-2.06 and the CPE entries are "before but excluding 2.06". Adding these will clean up CVE reports until the 2.06 release comes out.
(From OE-Core rev: 07451418e8ffef608e05b981bf7516bef5450d49)
Signed-off-by: Richard Purdie <>
2021-05-30 | lib/oe/ Fix gpg verification | Daniel McGregor
A stray space made it into the command for verifying gpg signatures. This caused verification to fail, at least on my host. Removing the space makes it work as expected.
(From OE-Core rev: 4acd52e2111cbe783201dec42df027945dad62ee)
Signed-off-by: Daniel McGregor <>
Signed-off-by: Richard Purdie <>
2021-05-30 | sstate: Ignore sstate signing key | Daniel McGregor
What key is used to sign sstate artefacts should not affect the hash of the object, otherwise everyone would need to use the same signing key.
(From OE-Core rev: 01a9358abe821c1da06c3243ccbcc93348042937)
Signed-off-by: Daniel McGregor <>
Signed-off-by: Richard Purdie <>
2021-05-30 | boost: fix do_fetch failure | Stefan Ghinea
Bintray service has been discontinued, causing boost do_fetch to fail:
    WARNING: boost-1.76.0-r0 do_fetch: Failed to fetch URL, attempting MIRRORS if available
RP: Backport to 1.75.0
(From OE-Core rev: 146f04f9d38f781767a52884f4870570c0d817e0)
Signed-off-by: Stefan Ghinea <>
Signed-off-by: Richard Purdie <>
2021-05-30 | baremetal-image: Fix post process command rootfs_update_timestamp | Alejandro Hernandez Samaniego
When running:
    execute_pre_post_process(d, d.getVar(ROOTFS_POSTPROCESS_COMMAND))
rootfs_update_timestamp is run, which assumes that rootfs/${sysconfdir} is already created (usually done through the do_rootfs task on linux). This causes the build to fail if ${sysconfdir} does not exist.
This may be overlooked if debug-tweaks is enabled since some other commands are added, one of which creates the required path (see postinst_enable_logging).
See [1] for more info:
[1]
(From OE-Core rev: 179a912bf10ba02448e8d603043c454ca678ac60)
Signed-off-by: Alejandro Enedino Hernandez Samaniego <>
Signed-off-by: Richard Purdie <>
2021-05-30 | ltp: Disable problematic tests causing autobuilder hangs | Richard Purdie
We've seen three hangs in cgroup_xattr and two in proc01 so far. The new plan is just to disable any tests seen to hang. I've had enough of these causing problems on our testing infrastructure.
(From OE-Core rev: 622b1a409aaa8fd895821a53ee5db33206b98825)
Signed-off-by: Richard Purdie <>
2021-05-30 | libxml2: Fix CVE-2021-3541 | Tony Tascioglu
Upstream commit:
This is related to parameter entities expansion and following the line of the billion laugh attack. Somehow in that path the counting of parameters was missed and the normal algorithm based on entities "density" was useless.
CVE: CVE-2021-3541
Upstream-Status: Backport []
(From OE-Core rev: e1e04de65e24d1596d800d7f8e85f98bb7f72632)
Signed-off-by: Tony Tascioglu <>
Signed-off-by: Richard Purdie <>
2021-05-30 | libxml2: Fix CVE-2021-3518 | Tony Tascioglu
This patch fixes CVE-2021-3518. The fix for the CVE is the following 3 lines in 1098c30a:
    -            (cur->children->type != XML_ENTITY_DECL) &&
    -            (cur->children->type != XML_XINCLUDE_START) &&
    -            (cur->children->type != XML_XINCLUDE_END)) {
    +            ((cur->type == XML_DOCUMENT_NODE) ||
    +             (cur->type == XML_ELEMENT_NODE))) {
This relies on an updated version of xinclude.c from upstream which also adds several new tests. Those changes are brought in first so that the CVE patch can be applied cleanly. The first patch updates xinclude.c and adds the new tests from upstream, and the second applies the fix for the CVE.
CVE: CVE-2021-3518
Upstream-Status: Backport []
(From OE-Core rev: 6c59d33ee158129d5c0cca3cce65824f9bc4e7e3)
Signed-off-by: Tony Tascioglu <>
Signed-off-by: Richard Purdie <>
2021-05-22 | libxml2: fix CVE-2021-3537 | Tony Tascioglu
Parsing specially crafted Mixed Content while parsing XML data may lead to invalid data structure being created, as errors were not propagated. This could lead to several NULL Pointer Dereference when post-validating documents parsed in recovery mode.
CVE: CVE-2021-3537
Upstream-Status: Backport []
(From OE-Core rev: 6d69f7453f78dcb19f472dcea183e859648c5243)
Signed-off-by: Tony Tascioglu <>
Signed-off-by: Richard Purdie <>
2021-05-22 | libxml2: fix CVE-2021-3516 | Tony Tascioglu
Fixes use-after-free in xmlEncodeEntitiesInternal() in entities.c
CVE: CVE-2021-3516
Upstream-Status: Backport []
(From OE-Core rev: 490cddd7baf1aacb814128b611aabf82fda3e77b)
Signed-off-by: Tony Tascioglu <>
Signed-off-by: Richard Purdie <>
2021-05-22 | libxml2: fix CVE-2021-3517 | Tony Tascioglu
Fixes heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c
CVE: CVE-2021-3517
Upstream-Status: Backport []
(From OE-Core rev: 16ad173ba0e8f88b23c62aa8357b8afca36c2161)
Signed-off-by: Tony Tascioglu <>
Signed-off-by: Richard Purdie <>
2021-05-22 | ccache: add packageconfig docs option | Bastian Krause
Before, ccache's configure stage built HTML documentation and man pages depending on if asciidoc is installed. This patch makes it configurable. Pass the new cmake option ENABLE_DOCUMENTATION along and add the asciidoc dependency if necessary.
This fixes an issue when ccache's configure stage found asciidoc/a2x on the system outside of the sysroot (e.g. installed via 'apt install asciidoc'). ccache would then decide to build docs and manual pages, but would fail during compilation: the system's a2x could not find the system's asciidoc because it did not reside in the set PATH. By enabling/disabling docs/man page generation explicitly and adding asciidoc to DEPENDS as necessary, this is no longer an issue.
[ This corresponds to commit b0aedd74 and parts of commit 1eedc5f8, with the patch replaced by the upstream version. ]
(From OE-Core rev: 3ca3c890834152597d8440b77e3d2767ca72c7a6)
Signed-off-by: Peter Kjellerstedt <>
Signed-off-by: Richard Purdie <>
2021-05-22 | sstate: Handle manifest 'corruption' issue | Richard Purdie
Under certain build patterns, warnings about missing manifests can appear. These are real issues where the manifest was removed and shouldn't have been.
Martin Jansa was able to find a reproducer of:
    MACHINE=qemux86 bitbake zlib-native
    echo 'PR = "r1"' >> meta/recipes-core/zlib/
    MACHINE=qemux86-64 bitbake zlib-native
    MACHINE=qemux86 bitbake zlib-native
    <the zlib-native manifest is now removed along with the sysroot-components contents>
The code maintains a per machine list of stamps but a per PACKAGE_ARCH list of stamp/manifest/workdir mappings. The latter is only appended to for speed with the assumption that once stamps are gone, the code wouldn't trigger.
The code only ever appends to the mapping list (for speed/efficiency under lock) meaning that multiple entries can result where the stamp/workdir differs due to version changes but the manifest remains the same. By switching MACHINE part way through the build, the older stamp is referenced and the manifest is incorrectly removed as it matches a now obsolete entry in the mapping file.
There are two possible fixes, one is to rewrite the mapping file every time which means adding regexes, iterating and generally complicating that code. The second option is to only use the last mapping entry in the file for a given manifest and ignore any earlier ones. This patch implements the latter.
Also drop the stale entries if we are rewriting it.
(From OE-Core rev: fe468802f697d0be41cf3407df2460e1473e35f8)
Signed-off-by: Richard Purdie <>
2021-05-22 | cups: whitelist CVE-2021-25317 | Ross Burton
This CVE relates to bad ownership of /var/log/cups, which we don't have.
(From OE-Core rev: 60bca0789b9830fa27694c5d65042d1206a07fe2)
Signed-off-by: Ross Burton <>
Signed-off-by: Richard Purdie <>
2021-05-22 | glibc: Add 8GB VM usage cap for usermode test suite | Richard Purdie
We've noticed that:
    MACHINE=qemuarm oe-selftest -r glibc.GlibcSelfTest.test_glibc
ends up with one process growing to about the size of system memory and triggering the OOM killer. This has been taking out other builds running on the system on the autobuilders and is one cause of our intermittent failures.
This was tracked down to:
    WORKDIR=XXX/tmp/work/armv7vet2hf-neon-poky-linux-gnueabi/glibc-testsuite/2.33-r0
    BUILDDIR=$WORKDIR/build-arm-poky-linux-gnueabi
    QEMU_SYSROOT=$WORKDIR/recipe-sysroot QEMU_OPTIONS="$WORKDIR/recipe-sysroot-native/usr/bin/qemu-arm -r 3.2.0" \
        $WORKDIR/check-test-wrapper user env GCONV_PATH=$BUILDDIR/iconvdata LOCPATH=$BUILDDIR/localedata LC_ALL=C $BUILDDIR/elf/ \
        --library-path $BUILDDIR:$BUILDDIR/math:$BUILDDIR/elf:$BUILDDIR/dlfcn:$BUILDDIR/nss:$BUILDDIR/nis:$BUILDDIR/rt:$BUILDDIR/resolv:$BUILDDIR/mathvec:$BUILDDIR/support:$BUILDDIR/nptl \
        $BUILDDIR/nptl/tst-pthread-timedlock-lockloop
although other glibc tests appear to use 16GB of memory before failing anyway.
By capping the VM size to 8GB, we see the same number of failures but no OOM situations. There may be some issue in qemu or the test which could be improved to avoid this entirely but this provides a necessary and useful safeguard to other builds and doesn't appear to make the situation worse.
On a loaded system OOM may not occur as the test timeout may be triggered first.
An experiment with a 5GB limit showed an additional 7 failures.
(From OE-Core rev: 0dfbc94bb61095138c3d3ff026b2981f0061c1ca)
Signed-off-by: Richard Purdie <>
2021-05-22 | uninative: Upgrade to 3.2 (gcc11 support) | Michael Halstead
This upgrade builds uninative with gcc11 allowing it to work with newer distros using gcc 11.
(From OE-Core rev: 700c00265f5b85e876b632df787a2e3121aee3a6)
Signed-off-by: Michael Halstead <>
Signed-off-by: Richard Purdie <>
2021-05-22 | meta/lib/oe/ Fix typo "Restoreing" -> "Restoring" | Robert P. J. Day
(From OE-Core rev: 499a40c8378144b86026177523373786c701b482)
Signed-off-by: Robert P. J. Day <>
Signed-off-by: Richard Purdie <>
2021-05-22 | image.bbclass: fix comment "pacackages" -> "packages" | Robert P. J. Day
(From OE-Core rev: 114bdccb2723f1479e68e9a0da39c87ef9c51be1)
Signed-off-by: Robert P. J. Day <>
Signed-off-by: Richard Purdie <>
2021-05-22 | avahi: Exclude CVE-2021-26720 from cve-check | Richard Purdie
Issue only affects Debian and SUSE.
(From OE-Core rev: 37ff24c9ba0634e7b69dd9c2219b8fd8b2315de6)
Signed-off-by: Richard Purdie <>
2021-05-22 | librsvg: Exclude CVE-2018-1000041 from cve-check | Richard Purdie
Issue only affects windows.
(From OE-Core rev: eee05da7eb054f474d24e66799b98e288a2a85fe)
Signed-off-by: Richard Purdie <>
2021-05-22 | coreutils: Exclude CVE-2016-2781 from cve-check | Richard Purdie
"Given runcon is not really a sandbox command, the advice is to use `runcon ... setsid ...` to avoid this particular issue.
(From OE-Core rev: c5d07dcba0762ccc000f8466b710a8ed8b7aa356)
Signed-off-by: Richard Purdie <>
2021-05-22 | tiff: Exclude CVE-2015-7313 from cve-check | Richard Purdie
Some fix upstream addresses the issue, it isn't clear which change this was. Our current version doesn't have issues with the test image though so we can exclude.
(From OE-Core rev: 65124cac1ac1d0b746eacfe128da19c353f07eb0)
Signed-off-by: Richard Purdie <>
2021-05-22 | bluez: Exclude CVE-2020-12352 CVE-2020-24490 from cve-check | Richard Purdie
These CVEs are fixed with kernel changes and don't affect the bluez recipe.
(From OE-Core rev: 21b6975cc6c785aa3bf7f7d4ea2400e11f1800bd)
Signed-off-by: Richard Purdie <>
2021-05-22 | ghostscript: Exclude CVE-2013-6629 from cve-check | Richard Purdie
The CVE is in the jpeg sources included with ghostscript. We use our own external jpeg library so this doesn't affect us.
(From OE-Core rev: e19caff111bcbd70e5e7507388a4aaea2d10f7e0)
Signed-off-by: Richard Purdie <>
2021-05-22 | cpio: Exclude CVE-2010-4226 from cve-check | Richard Purdie
Issue applies to use of cpio in SUSE/OBS, doesn't apply to us.
(From OE-Core rev: a175059e678bf9a5e843d00ac1bbf65b49f97f32)
Signed-off-by: Richard Purdie <>
2021-05-22 | unzip: Exclude CVE-2008-0888 from cve-check | Richard Purdie
The patch mentioned as the fix for the CVE is applied to the 6.0 source code. Zip versioning makes CPE entry changes hard.
(From OE-Core rev: f816be9387d4691dbacd17673749809fe125d35c)
Signed-off-by: Richard Purdie <>
2021-05-22 | openssh: Exclude CVE-2008-3844 from cve-check | Richard Purdie
CVE only applies to some distributed RHEL binaries so irrelevant to us.
(From OE-Core rev: 416230b7236c391e89d0d7941b2d34b6234f993c)
Signed-off-by: Richard Purdie <>
2021-05-22 | openssh: Exclude CVE-2007-2768 from cve-check | Richard Purdie
We don't build/use the OPIE PAM module, exclude the CVE from this recipe.
(From OE-Core rev: a7aba0f1226411f44f316cdced6b2b47621d1d3f)
Signed-off-by: Richard Purdie <>
2021-05-22 | logrotate: Exclude CVE-2011-1548,1549,1550 from cve-check | Richard Purdie
These CVEs apply to the way logrotate was installed on Gentoo, Debian and SUSE, exclude from cve-check as they don't apply to OE.
(From OE-Core rev: 55b53c501e911df04bdff6fca54b11c3e54770c9)
Signed-off-by: Richard Purdie <>
2021-05-22 | jquery: Exclude CVE-2007-2379 from cve-check | Richard Purdie
The CVE is non-specific and depends on the users of jquery, doesn't make sense to have this flagged against jquery as there is nothing we can do about it.
(From OE-Core rev: 6f422e966fdc1e62ff0e48d3382ec246ff8bd998)
Signed-off-by: Richard Purdie <>
2021-05-22 | qemu: Exclude CVE-2018-18438 from cve-check | Richard Purdie
The issues were investigated and found not to be an issue therefore exclude from checks.
(From OE-Core rev: 7c7c3f3dd3bf7dc34f26d931acf562e93c45e807)
Signed-off-by: Richard Purdie <>
2021-05-22 | qemu: Exclude CVE-2007-0998 from cve-check | Richard Purdie
The CVE applies to the built-in VNC server but we don't enable this by default.
(From OE-Core rev: 9ac9f2709a45fc7ce5b3b9a1a5e4f2e116ec2bb7)
Signed-off-by: Richard Purdie <>
2021-05-22 | qemu: Exclude CVE-2017-5957 from cve-check | Richard Purdie
The CVE applies to virglrender before 0.6.0 which we don't have.
(From OE-Core rev: d8df88018fc90b2ff039ef58249f8581d22b1cc6)
Signed-off-by: Richard Purdie <>
(cherry picked from commit 9b5355375d028577de0b98e05992de6a088cb972)
Signed-off-by: Steve Sakoman <>
Signed-off-by: Richard Purdie <>
2021-05-22 | builder: whitelist CVE-2008-4178 (a different builder) | Ross Burton
(From OE-Core rev: 8a903793dc3a40f051a8599210e36f184ffe109b)
Signed-off-by: Ross Burton <>
Signed-off-by: Richard Purdie <>
2021-05-22 | libnotify: whitelist CVE-2013-7381 (specific to the NodeJS bindings) | Ross Burton
(From OE-Core rev: 2aa9aa01445ad648721c28b15bc9aeab7a1656b1)
Signed-off-by: Ross Burton <>
Signed-off-by: Richard Purdie <>
2021-05-22 | glibc: Document and whitelist CVE-2019-1010022-25 | Richard Purdie
These CVEs are disputed by upstream and there is no plan to fix/address them. No other distros are carrying patches for them. There is a patch for 1010025 however it isn't merged upstream and probably carries more risk of other bugs than not having it.
(From OE-Core rev: e764a689844f19230cbf5f9741635f42f677e333)
Signed-off-by: Richard Purdie <>