diff options
| author | Andrii Davydenko <andrii.davydenko@globallogic.com> | 2022-12-14 12:08:42 +0200 |
|---|---|---|
| committer | Mykyta Dorokhin <mykyta.dorokhin@globallogic.com> | 2023-01-24 12:41:29 +0200 |
| commit | 2eaa3fd064097eb221b56d5df0e7136ba705a0cd (patch) | |
| tree | 2ca46c9a625d6f743933b1ea7e2fc6bd2581e6eb /recipes-devtools | |
| parent | 1e52890ac41318d28923787af35541a8f9ee0653 (diff) | |
| download | meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.gz meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.bz2 meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.zip | |
CVE Packages Update
Move libfastjson to the rsyslog directory
rsyslog 8.2002.0 -> 8.2206.0
add ntp4.2.8 recipe with fixed CVEs
update cryptsetup to 2.4.3
fix libxml2 CVE-2016-3709
curl 7.75.0 -> 7.86.0
strongswan 5.8.4 -> 5.9.8
libmodbus 3.1.6 -> 3.1.7
libesmtp 1.0.6 -> 1.1.0
cifs-utils 6.1 -> 7.0
update libtirpc to version 1.3.3
update rsync to version 3.2.5
Add zlib 1.2.13
upgrade gnutls to 3.7.8
upgrade openssh to 8.9p1
Add cmake 3.24.2 and cmake-native 3.24.2 to avoid loop dependecies building expat
Add expat 2.5.0 to fix CVE-2022-40674 and CVE-2022-43680
openvpn 2.4.9 -> 2.4.12
hostapd 2.9 -> 2.10
[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Openssh 8.9p1 no longer needed, because all necessary CVE fixes, backports and whitelists are present for current Openssh 8.4p1. There are no new CVE's in report.
[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Backported CVE patches for python3 component. Need to remove after upgrading Yocto to version more than 3.1.21.
[GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28)
Backported CVE patch for sudo component.
Added 2 CVE's to whitelist for OpenVPN component.
Diffstat (limited to 'recipes-devtools')
18 files changed, 984 insertions, 0 deletions
diff --git a/recipes-devtools/cmake/cmake-native_3.24.2.bb b/recipes-devtools/cmake/cmake-native_3.24.2.bb new file mode 100644 index 0000000..bcc87eb --- /dev/null +++ b/recipes-devtools/cmake/cmake-native_3.24.2.bb @@ -0,0 +1,65 @@ +require cmake.inc +inherit native + +DEPENDS += "bzip2-replacement-native xz-native zlib-native curl-native ncurses-native zstd-native" + +SRC_URI += "file://OEToolchainConfig.cmake \ + file://environment.d-cmake.sh \ + file://0001-CMakeDetermineSystem-use-oe-environment-vars-to-load.patch \ + file://0005-Disable-use-of-ext2fs-ext2_fs.h-by-cmake-s-internal-.patch \ + " + +LICENSE:append = " & BSD-1-Clause & MIT & BSD-2-Clause" +LIC_FILES_CHKSUM:append = " \ + file://Utilities/cmjsoncpp/LICENSE;md5=5d73c165a0f9e86a1342f32d19ec5926 \ + file://Utilities/cmlibarchive/COPYING;md5=d499814247adaee08d88080841cb5665 \ + file://Utilities/cmexpat/COPYING;md5=9e2ce3b3c4c0f2670883a23bbd7c37a9 \ + file://Utilities/cmlibrhash/COPYING;md5=a8c2a557a5c53b1c12cddbee98c099af \ + file://Utilities/cmlibuv/LICENSE;md5=ad93ca1fffe931537fcf64f6fcce084d \ +" + +B = "${WORKDIR}/build" +do_configure[cleandirs] = "${B}" + +CMAKE_EXTRACONF = "\ + -DCMAKE_LIBRARY_PATH=${STAGING_LIBDIR_NATIVE} \ + -DBUILD_CursesDialog=1 \ + -DCMAKE_USE_SYSTEM_LIBRARIES=1 \ + -DCMAKE_USE_SYSTEM_LIBRARY_JSONCPP=0 \ + -DCMAKE_USE_SYSTEM_LIBRARY_LIBARCHIVE=0 \ + -DCMAKE_USE_SYSTEM_LIBRARY_LIBUV=0 \ + -DCMAKE_USE_SYSTEM_LIBRARY_LIBRHASH=0 \ + -DCMAKE_USE_SYSTEM_LIBRARY_EXPAT=0 \ + -DENABLE_ACL=0 -DHAVE_ACL_LIBACL_H=0 \ + -DHAVE_SYS_ACL_H=0 \ + -DCURL_LIBRARIES=-lcurl \ +" + +do_configure () { + ${S}/configure --verbose --prefix=${prefix} \ + ${@oe.utils.parallel_make_argument(d, '--parallel=%d')} \ + ${@bb.utils.contains('CCACHE', 'ccache ', '--enable-ccache', '', d)} \ + -- ${CMAKE_EXTRACONF} +} + +do_compile() { + oe_runmake +} + +do_install() { + oe_runmake 'DESTDIR=${D}' install + + # The following codes are here because eSDK needs to provide compatibilty + # for SDK. That is, eSDK could also be used like traditional SDK. + mkdir -p ${D}${datadir}/cmake + install -m 644 ${WORKDIR}/OEToolchainConfig.cmake ${D}${datadir}/cmake/ + mkdir -p ${D}${base_prefix}/environment-setup.d + install -m 644 ${WORKDIR}/environment.d-cmake.sh ${D}${base_prefix}/environment-setup.d/cmake.sh + + # Help docs create tons of files in the native sysroot and aren't needed there + rm -rf ${D}${datadir}/cmake-*/Help +} + +do_compile[progress] = "percent" + +SYSROOT_DIRS_NATIVE += "${datadir}/cmake ${base_prefix}/environment-setup.d" diff --git a/recipes-devtools/cmake/cmake.inc b/recipes-devtools/cmake/cmake.inc new file mode 100644 index 0000000..7561e85 --- /dev/null +++ b/recipes-devtools/cmake/cmake.inc @@ -0,0 +1,28 @@ +# Copyright (C) 2005, Koninklijke Philips Electronics NV. All Rights Reserved +# Released under the MIT license (see packages/COPYING) + +SUMMARY = "Cross-platform, open-source make system" +DESCRIPTION = "CMake is used to control the software compilation process \ +using simple platform and compiler independent configuration files. CMake \ +generates native makefiles and workspaces that can be used in the compiler \ +environment of your choice." +HOMEPAGE = "http://www.cmake.org/" +BUGTRACKER = "http://public.kitware.com/Bug/my_view_page.php" +SECTION = "console/utils" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://Copyright.txt;md5=45025187a129339459b6f1a24f7fac6e \ + file://Source/cmake.h;beginline=1;endline=2;md5=a5f70e1fef8614734eae0d62b4f5891b \ + " + +CMAKE_MAJOR_VERSION = "${@'.'.join(d.getVar('PV').split('.')[0:2])}" + +SRC_URI = "https://cmake.org/files/v${CMAKE_MAJOR_VERSION}/cmake-${PV}.tar.gz \ +" + +SRC_URI[sha256sum] = "0d9020f06f3ddf17fb537dc228e1a56c927ee506b486f55fe2dc19f69bf0c8db" + +UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar" + +# This is specific to the npm package that installs cmake, so isn't +# relevant to OpenEmbedded +CVE_CHECK_IGNORE += "CVE-2016-10642" diff --git a/recipes-devtools/cmake/cmake/0001-CMakeDetermineSystem-use-oe-environment-vars-to-load.patch b/recipes-devtools/cmake/cmake/0001-CMakeDetermineSystem-use-oe-environment-vars-to-load.patch new file mode 100644 index 0000000..9a2287f --- /dev/null +++ b/recipes-devtools/cmake/cmake/0001-CMakeDetermineSystem-use-oe-environment-vars-to-load.patch @@ -0,0 +1,44 @@ +From 89f6c846f02ad6d30b9ebb7eaaaa4fb6f9cec054 Mon Sep 17 00:00:00 2001 +From: Cody P Schafer <dev@codyps.com> +Date: Thu, 27 Apr 2017 11:35:05 -0400 +Subject: [PATCH] CMakeDetermineSystem: use oe environment vars to load default + toolchain file in sdk + +Passing the toolchain by: + + - shell aliases does not work if cmake is called by a script + - unconditionally by a wrapper script causes cmake to believe it is + configuring things when it is not (for example, `cmake --build` breaks). + +The OE_CMAKE_TOOLCHAIN_FILE variable is only used as a default if no +toolchain is explicitly specified. + +Setting the CMAKE_TOOLCHAIN_FILE cmake variable is marked as cached +because '-D' options are cache entries themselves. + +Upstream-Status: Inappropriate [oe-core specific] +Signed-off-by: Cody P Schafer <dev@codyps.com> +Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> + +--- + Modules/CMakeDetermineSystem.cmake | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/Modules/CMakeDetermineSystem.cmake b/Modules/CMakeDetermineSystem.cmake +index 8c7af067..ade2b189 100644 +--- a/Modules/CMakeDetermineSystem.cmake ++++ b/Modules/CMakeDetermineSystem.cmake +@@ -112,6 +112,13 @@ else() + endif() + endif() + ++if(NOT DEFINED CMAKE_TOOLCHAIN_FILE) ++ if(DEFINED ENV{OE_CMAKE_TOOLCHAIN_FILE}) ++ set(CMAKE_TOOLCHAIN_FILE "$ENV{OE_CMAKE_TOOLCHAIN_FILE}" CACHE FILEPATH "toolchain file") ++ message(STATUS "Toolchain file defaulted to '${CMAKE_TOOLCHAIN_FILE}'") ++ endif() ++endif() ++ + # if a toolchain file is used, the user wants to cross compile. + # in this case read the toolchain file and keep the CMAKE_HOST_SYSTEM_* + # variables around so they can be used in CMakeLists.txt. diff --git a/recipes-devtools/cmake/cmake/0005-Disable-use-of-ext2fs-ext2_fs.h-by-cmake-s-internal-.patch b/recipes-devtools/cmake/cmake/0005-Disable-use-of-ext2fs-ext2_fs.h-by-cmake-s-internal-.patch new file mode 100644 index 0000000..d6f7308 --- /dev/null +++ b/recipes-devtools/cmake/cmake/0005-Disable-use-of-ext2fs-ext2_fs.h-by-cmake-s-internal-.patch @@ -0,0 +1,39 @@ +From fd9a04c1434e12f21c043385e306e0b52d38d749 Mon Sep 17 00:00:00 2001 +From: Otavio Salvador <otavio@ossystems.com.br> +Date: Thu, 5 Jul 2018 10:28:04 -0300 +Subject: [PATCH] Disable use of ext2fs/ext2_fs.h by cmake's internal + + libarchive copy +Organization: O.S. Systems Software LTDA. + +We don't want to add a dependency on e2fsprogs-native for cmake-native, +and we don't use CPack so just disable this functionality. + +Upstream-Status: Inappropriate [config] + +Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> +Signed-off-by: Otavio Salvador <otavio@ossystems.com.br> + +--- + Utilities/cmlibarchive/CMakeLists.txt | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/Utilities/cmlibarchive/CMakeLists.txt b/Utilities/cmlibarchive/CMakeLists.txt +index bfcaf30..2960683 100644 +--- a/Utilities/cmlibarchive/CMakeLists.txt ++++ b/Utilities/cmlibarchive/CMakeLists.txt +@@ -682,12 +682,8 @@ LA_CHECK_INCLUDE_FILE("copyfile.h" HAVE_COPYFILE_H) + LA_CHECK_INCLUDE_FILE("direct.h" HAVE_DIRECT_H) + LA_CHECK_INCLUDE_FILE("dlfcn.h" HAVE_DLFCN_H) + LA_CHECK_INCLUDE_FILE("errno.h" HAVE_ERRNO_H) +-LA_CHECK_INCLUDE_FILE("ext2fs/ext2_fs.h" HAVE_EXT2FS_EXT2_FS_H) +- +-CHECK_C_SOURCE_COMPILES("#include <sys/ioctl.h> +-#include <ext2fs/ext2_fs.h> +-int main(void) { return EXT2_IOC_GETFLAGS; }" HAVE_WORKING_EXT2_IOC_GETFLAGS) +- ++SET(HAVE_EXT2FS_EXT2_FS_H 0) ++SET(HAVE_WORKING_EXT2_IOC_GETFLAGS 0) + LA_CHECK_INCLUDE_FILE("fcntl.h" HAVE_FCNTL_H) + LA_CHECK_INCLUDE_FILE("grp.h" HAVE_GRP_H) + LA_CHECK_INCLUDE_FILE("io.h" HAVE_IO_H) diff --git a/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake b/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake new file mode 100644 index 0000000..d6a1e04 --- /dev/null +++ b/recipes-devtools/cmake/cmake/OEToolchainConfig.cmake @@ -0,0 +1,20 @@ +set( CMAKE_SYSTEM_NAME Linux ) +set( CMAKE_C_FLAGS $ENV{CFLAGS} CACHE STRING "" FORCE ) +set( CMAKE_CXX_FLAGS $ENV{CXXFLAGS} CACHE STRING "" FORCE ) +set( CMAKE_SYSROOT $ENV{OECORE_TARGET_SYSROOT} ) + +set( CMAKE_FIND_ROOT_PATH $ENV{OECORE_TARGET_SYSROOT} ) +set( CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER ) +set( CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY ) +set( CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY ) +set( CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY ) + +set(CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX "$ENV{OE_CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX}") + +set( CMAKE_SYSTEM_PROCESSOR $ENV{OECORE_TARGET_ARCH} ) + +# Include the toolchain configuration subscripts +file( GLOB toolchain_config_files "${CMAKE_CURRENT_LIST_FILE}.d/*.cmake" ) +foreach(config ${toolchain_config_files}) + include(${config}) +endforeach() diff --git a/recipes-devtools/cmake/cmake/SDKToolchainConfig.cmake.template b/recipes-devtools/cmake/cmake/SDKToolchainConfig.cmake.template new file mode 100644 index 0000000..c69569a --- /dev/null +++ b/recipes-devtools/cmake/cmake/SDKToolchainConfig.cmake.template @@ -0,0 +1,31 @@ +set(SDK_INSTALL_DIR "${CMAKE_CURRENT_LIST_DIR}/../../../../..") +set(HOST_SYSROOT "${SDK_INSTALL_DIR}/sysroots/@OECORE_SDK_SYS") +set(TARGET_SYSROOT "${SDK_INSTALL_DIR}/sysroots/@OECORE_TARGET_SYS") +set(HOST_BIN "${HOST_SYSROOT}/usr/bin") +set(TOOLCHAIN_NAME "@OECORE_TARGET_ALIAS") +set(GCC_DIR "${HOST_BIN}/${TOOLCHAIN_NAME}") + +set(CMAKE_SYSTEM_NAME Linux) +set(CMAKE_SYSTEM_PROCESSOR "@OECORE_TARGET_ARCH") + +set(CMAKE_C_COMPILER "${GCC_DIR}/${TOOLCHAIN_NAME}-gcc") +set(CMAKE_CXX_COMPILER "${GCC_DIR}/${TOOLCHAIN_NAME}-g++") + +set(ARCH_FLAGS "@OECORE_TUNE_CCARGS") +set(CMAKE_C_FLAGS "${ARCH_FLAGS}" CACHE STRING "" FORCE ) +set(CMAKE_CXX_FLAGS "${ARCH_FLAGS}" CACHE STRING "" FORCE ) +set(CMAKE_ASM_FLAGS ${CMAKE_C_FLAGS} CACHE STRING "" FORCE ) +set(CMAKE_LDFLAGS_FLAGS ${CMAKE_C_FLAGS} CACHE STRING "" FORCE ) + +set(CMAKE_SYSROOT "${TARGET_SYSROOT}") + +set(CMAKE_FIND_ROOT_PATH "${TARGET_SYSROOT}" ) + +set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER ) +set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY ) +set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY ) +set(CMAKE_FIND_ROOT_PATH_MODE_PACKAGE ONLY ) + +set(CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX "") + +set(CMAKE_PROGRAM_PATH "${HOST_SYSROOT}/usr/bin" CACHE STRING "" FORCE) diff --git a/recipes-devtools/cmake/cmake/cmake-setup.py b/recipes-devtools/cmake/cmake/cmake-setup.py new file mode 100755 index 0000000..af587a4 --- /dev/null +++ b/recipes-devtools/cmake/cmake/cmake-setup.py @@ -0,0 +1,33 @@ +#!/usr/bin/env python3 + +import os +import string +import sys + +class Template(string.Template): + delimiter = "@" + +class Environ(): + def __getitem__(self, name): + if name == "OECORE_SDK_SYS": + return os.path.basename(os.environ["OECORE_NATIVE_SYSROOT"]) + elif name == "OECORE_TARGET_SYS": + return os.path.basename(os.environ["OECORE_TARGET_SYSROOT"]) + elif name == "OECORE_TARGET_ALIAS": + return os.path.basename(os.environ["TARGET_PREFIX"].strip("-")) + else: + return os.environ[name] + +try: + sysroot = os.environ['OECORE_NATIVE_SYSROOT'] +except KeyError: + print("Not in environment setup, bailing") + sys.exit(1) + +template_file = os.path.join(sysroot, 'usr/share/cmake/SDKToolchainConfig.cmake.template') +cross_file = os.path.join(sysroot, 'usr/share/cmake/%s-toolchain.cmake' % (os.path.basename(os.environ["OECORE_TARGET_SYSROOT"]))) +with open(template_file) as in_file: + template = in_file.read() + output = Template(template).substitute(Environ()) + with open(cross_file, "w") as out_file: + out_file.write(output) diff --git a/recipes-devtools/cmake/cmake/environment.d-cmake.sh b/recipes-devtools/cmake/cmake/environment.d-cmake.sh new file mode 100644 index 0000000..7bdb19f --- /dev/null +++ b/recipes-devtools/cmake/cmake/environment.d-cmake.sh @@ -0,0 +1,2 @@ +export OE_CMAKE_TOOLCHAIN_FILE="$OECORE_NATIVE_SYSROOT/usr/share/cmake/OEToolchainConfig.cmake" +export OE_CMAKE_FIND_LIBRARY_CUSTOM_LIB_SUFFIX="`echo $OECORE_BASELIB | sed -e s/lib//`" diff --git a/recipes-devtools/cmake/cmake_3.24.2.bb b/recipes-devtools/cmake/cmake_3.24.2.bb new file mode 100644 index 0000000..bb7ed83 --- /dev/null +++ b/recipes-devtools/cmake/cmake_3.24.2.bb @@ -0,0 +1,67 @@ +require cmake.inc + +inherit cmake bash-completion + +DEPENDS += "curl expat zlib libarchive xz ncurses bzip2" + +SRC_URI:append:class-nativesdk = " \ + file://OEToolchainConfig.cmake \ + file://SDKToolchainConfig.cmake.template \ + file://cmake-setup.py \ + file://environment.d-cmake.sh \ + file://0001-CMakeDetermineSystem-use-oe-environment-vars-to-load.patch \ +" + +LICENSE:append = " & BSD-1-Clause & MIT" +LIC_FILES_CHKSUM:append = " \ + file://Utilities/cmjsoncpp/LICENSE;md5=5d73c165a0f9e86a1342f32d19ec5926 \ + file://Utilities/cmlibrhash/COPYING;md5=a8c2a557a5c53b1c12cddbee98c099af \ + file://Utilities/cmlibuv/LICENSE;md5=ad93ca1fffe931537fcf64f6fcce084d \ +" + +# Strip ${prefix} from ${docdir}, set result into docdir_stripped +python () { + prefix=d.getVar("prefix") + docdir=d.getVar("docdir") + + if not docdir.startswith(prefix): + bb.fatal('docdir must contain prefix as its prefix') + + docdir_stripped = docdir[len(prefix):] + if len(docdir_stripped) > 0 and docdir_stripped[0] == '/': + docdir_stripped = docdir_stripped[1:] + + d.setVar("docdir_stripped", docdir_stripped) +} + +EXTRA_OECMAKE=" \ + -DCMAKE_DOC_DIR=${docdir_stripped}/cmake-${CMAKE_MAJOR_VERSION} \ + -DCMAKE_USE_SYSTEM_LIBRARIES=1 \ + -DCMAKE_USE_SYSTEM_LIBRARY_JSONCPP=0 \ + -DCMAKE_USE_SYSTEM_LIBRARY_LIBUV=0 \ + -DCMAKE_USE_SYSTEM_LIBRARY_LIBRHASH=0 \ + -DKWSYS_CHAR_IS_SIGNED=1 \ + -DBUILD_CursesDialog=0 \ + -DKWSYS_LFS_WORKS=1 \ +" + +do_install:append:class-nativesdk() { + mkdir -p ${D}${datadir}/cmake + install -m 644 ${WORKDIR}/OEToolchainConfig.cmake ${D}${datadir}/cmake/ + + mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d + install -m 644 ${WORKDIR}/environment.d-cmake.sh ${D}${SDKPATHNATIVE}/environment-setup.d/cmake.sh + + # install cmake-setup.py to create arch-specific toolchain cmake file from template + install -m 0644 ${WORKDIR}/SDKToolchainConfig.cmake.template ${D}${datadir}/cmake/ + install -d ${D}${SDKPATHNATIVE}/post-relocate-setup.d + install -m 0755 ${WORKDIR}/cmake-setup.py ${D}${SDKPATHNATIVE}/post-relocate-setup.d/ +} + +FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}" + +FILES:${PN} += "${datadir}/cmake-${CMAKE_MAJOR_VERSION} ${datadir}/cmake ${datadir}/aclocal ${datadir}/emacs ${datadir}/vim" +FILES:${PN}-doc += "${docdir}/cmake-${CMAKE_MAJOR_VERSION}" +FILES:${PN}-dev = "" + +BBCLASSEXTEND = "nativesdk" diff --git a/recipes-devtools/python/python3/CVE-2022-37454.patch b/recipes-devtools/python/python3/CVE-2022-37454.patch new file mode 100644 index 0000000..f45c5bd --- /dev/null +++ b/recipes-devtools/python/python3/CVE-2022-37454.patch @@ -0,0 +1,106 @@ +From 948c6794711458fd148a3fa62296cadeeb2ed631 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Fri, 28 Oct 2022 03:07:50 -0700 +Subject: [PATCH] [3.8] gh-98517: Fix buffer overflows in _sha3 module + (GH-98519) (#98527) + +This is a port of the applicable part of XKCP's fix [1] for +CVE-2022-37454 and avoids the segmentation fault and the infinite +loop in the test cases published in [2]. + +[1]: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a +[2]: https://mouha.be/sha-3-buffer-overflow/ + +Regression test added by: Gregory P. Smith [Google LLC] <greg@krypto.org> +(cherry picked from commit 0e4e058602d93b88256ff90bbef501ba20be9dd3) + +Co-authored-by: Theo Buehler <botovq@users.noreply.github.com> + +CVE: CVE-2022-37454 +Upstream-Status: Backport [https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631] +Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com> +--- + Lib/test/test_hashlib.py | 9 +++++++++ + .../2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst | 1 + + Modules/_sha3/kcp/KeccakSponge.inc | 15 ++++++++------- + 3 files changed, 18 insertions(+), 7 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst + +diff --git a/Lib/test/test_hashlib.py b/Lib/test/test_hashlib.py +index 8b53d23ef525..e6cec4e306e5 100644 +--- a/Lib/test/test_hashlib.py ++++ b/Lib/test/test_hashlib.py +@@ -434,6 +434,15 @@ def test_case_md5_huge(self, size): + def test_case_md5_uintmax(self, size): + self.check('md5', b'A'*size, '28138d306ff1b8281f1a9067e1a1a2b3') + ++ @unittest.skipIf(sys.maxsize < _4G - 1, 'test cannot run on 32-bit systems') ++ @bigmemtest(size=_4G - 1, memuse=1, dry_run=False) ++ def test_sha3_update_overflow(self, size): ++ """Regression test for gh-98517 CVE-2022-37454.""" ++ h = hashlib.sha3_224() ++ h.update(b'\x01') ++ h.update(b'\x01'*0xffff_ffff) ++ self.assertEqual(h.hexdigest(), '80762e8ce6700f114fec0f621fd97c4b9c00147fa052215294cceeed') ++ + # use the three examples from Federal Information Processing Standards + # Publication 180-1, Secure Hash Standard, 1995 April 17 + # http://www.itl.nist.gov/div897/pubs/fip180-1.htm +diff --git a/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst +new file mode 100644 +index 000000000000..2d23a6ad93c7 +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-10-21-13-31-47.gh-issue-98517.SXXGfV.rst +@@ -0,0 +1 @@ ++Port XKCP's fix for the buffer overflows in SHA-3 (CVE-2022-37454). +diff --git a/Modules/_sha3/kcp/KeccakSponge.inc b/Modules/_sha3/kcp/KeccakSponge.inc +index e10739deafa8..cf92e4db4d36 100644 +--- a/Modules/_sha3/kcp/KeccakSponge.inc ++++ b/Modules/_sha3/kcp/KeccakSponge.inc +@@ -171,7 +171,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat + i = 0; + curData = data; + while(i < dataByteLen) { +- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { ++ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { + #ifdef SnP_FastLoop_Absorb + /* processing full blocks first */ + +@@ -199,10 +199,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat + } + else { + /* normal lane: using the message queue */ +- +- partialBlock = (unsigned int)(dataByteLen - i); +- if (partialBlock+instance->byteIOIndex > rateInBytes) ++ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) + partialBlock = rateInBytes-instance->byteIOIndex; ++ else ++ partialBlock = (unsigned int)(dataByteLen - i); + #ifdef KeccakReference + displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); + #endif +@@ -281,7 +281,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte + i = 0; + curData = data; + while(i < dataByteLen) { +- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { ++ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { + for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { + SnP_Permute(instance->state); + SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); +@@ -299,9 +299,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte + SnP_Permute(instance->state); + instance->byteIOIndex = 0; + } +- partialBlock = (unsigned int)(dataByteLen - i); +- if (partialBlock+instance->byteIOIndex > rateInBytes) ++ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) + partialBlock = rateInBytes-instance->byteIOIndex; ++ else ++ partialBlock = (unsigned int)(dataByteLen - i); + i += partialBlock; + + SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); + diff --git a/recipes-devtools/python/python3/CVE-2022-45061.patch b/recipes-devtools/python/python3/CVE-2022-45061.patch new file mode 100644 index 0000000..2d0a449 --- /dev/null +++ b/recipes-devtools/python/python3/CVE-2022-45061.patch @@ -0,0 +1,101 @@ +From 064ec20bf7a181ba5fa961aaa12973812aa6ca5d Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Mon, 7 Nov 2022 18:57:10 -0800 +Subject: [PATCH] [3.11] gh-98433: Fix quadratic time idna decoding. (GH-99092) + (GH-99222) + +There was an unnecessary quadratic loop in idna decoding. This restores +the behavior to linear. + +(cherry picked from commit d315722564927c7202dd6e111dc79eaf14240b0d) + +(cherry picked from commit a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15) + +Co-authored-by: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> +Co-authored-by: Gregory P. Smith <greg@krypto.org> + +CVE: CVE-2022-45061 +Upstream-Status: Backport [https://github.com/python/cpython/pull/99231/commits/064ec20bf7a181ba5fa961aaa12973812aa6ca5d] +Signed-off-by: Omkar Patil <Omkar.Patil@kpit.com> + +--- + Lib/encodings/idna.py | 32 +++++++++---------- + Lib/test/test_codecs.py | 6 ++++ + ...2-11-04-09-29-36.gh-issue-98433.l76c5G.rst | 6 ++++ + 3 files changed, 27 insertions(+), 17 deletions(-) + create mode 100644 Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst + +diff --git a/Lib/encodings/idna.py b/Lib/encodings/idna.py +index ea4058512fe3..bf98f513366b 100644 +--- a/Lib/encodings/idna.py ++++ b/Lib/encodings/idna.py +@@ -39,23 +39,21 @@ def nameprep(label): + + # Check bidi + RandAL = [stringprep.in_table_d1(x) for x in label] +- for c in RandAL: +- if c: +- # There is a RandAL char in the string. Must perform further +- # tests: +- # 1) The characters in section 5.8 MUST be prohibited. +- # This is table C.8, which was already checked +- # 2) If a string contains any RandALCat character, the string +- # MUST NOT contain any LCat character. +- if any(stringprep.in_table_d2(x) for x in label): +- raise UnicodeError("Violation of BIDI requirement 2") +- +- # 3) If a string contains any RandALCat character, a +- # RandALCat character MUST be the first character of the +- # string, and a RandALCat character MUST be the last +- # character of the string. +- if not RandAL[0] or not RandAL[-1]: +- raise UnicodeError("Violation of BIDI requirement 3") ++ if any(RandAL): ++ # There is a RandAL char in the string. Must perform further ++ # tests: ++ # 1) The characters in section 5.8 MUST be prohibited. ++ # This is table C.8, which was already checked ++ # 2) If a string contains any RandALCat character, the string ++ # MUST NOT contain any LCat character. ++ if any(stringprep.in_table_d2(x) for x in label): ++ raise UnicodeError("Violation of BIDI requirement 2") ++ # 3) If a string contains any RandALCat character, a ++ # RandALCat character MUST be the first character of the ++ # string, and a RandALCat character MUST be the last ++ # character of the string. ++ if not RandAL[0] or not RandAL[-1]: ++ raise UnicodeError("Violation of BIDI requirement 3") + + return label + +diff --git a/Lib/test/test_codecs.py b/Lib/test/test_codecs.py +index d1faf0126c1e..37ade7d80d02 100644 +--- a/Lib/test/test_codecs.py ++++ b/Lib/test/test_codecs.py +@@ -1532,6 +1532,12 @@ def test_builtin_encode(self): + self.assertEqual("pyth\xf6n.org".encode("idna"), b"xn--pythn-mua.org") + self.assertEqual("pyth\xf6n.org.".encode("idna"), b"xn--pythn-mua.org.") + ++ def test_builtin_decode_length_limit(self): ++ with self.assertRaisesRegex(UnicodeError, "too long"): ++ (b"xn--016c"+b"a"*1100).decode("idna") ++ with self.assertRaisesRegex(UnicodeError, "too long"): ++ (b"xn--016c"+b"a"*70).decode("idna") ++ + def test_stream(self): + r = codecs.getreader("idna")(io.BytesIO(b"abc")) + r.read(3) +diff --git a/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst +new file mode 100644 +index 000000000000..5185fac2e29d +--- /dev/null ++++ b/Misc/NEWS.d/next/Security/2022-11-04-09-29-36.gh-issue-98433.l76c5G.rst +@@ -0,0 +1,6 @@ ++The IDNA codec decoder used on DNS hostnames by :mod:`socket` or :mod:`asyncio` ++related name resolution functions no longer involves a quadratic algorithm. ++This prevents a potential CPU denial of service if an out-of-spec excessive ++length hostname involving bidirectional characters were decoded. Some protocols ++such as :mod:`urllib` http ``3xx`` redirects potentially allow for an attacker ++to supply such a name. + diff --git a/recipes-devtools/python/python3_%.bbappend b/recipes-devtools/python/python3_%.bbappend index 70b4561..6636814 100644 --- a/recipes-devtools/python/python3_%.bbappend +++ b/recipes-devtools/python/python3_%.bbappend @@ -1,6 +1,13 @@ # Make python3 the default # Remove this stuff if there is ever a python4. +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI_append = " \ + file://CVE-2022-45061.patch \ + file://CVE-2022-37454.patch \ +" + # Debian and Ubuntu have this (prior levels linked to python2) PACKAGES_append = " python-is-python3" ALLOW_EMPTY_python-is-python3 = "1" diff --git a/recipes-devtools/rsync/files/0001-Add-missing-prototypes-to-function-declarations.patch b/recipes-devtools/rsync/files/0001-Add-missing-prototypes-to-function-declarations.patch new file mode 100644 index 0000000..474d82d --- /dev/null +++ b/recipes-devtools/rsync/files/0001-Add-missing-prototypes-to-function-declarations.patch @@ -0,0 +1,173 @@ +From 785c0072c80c2f6e0839478453cf65fdeac15da0 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Mon, 29 Aug 2022 19:53:28 -0700 +Subject: [PATCH] Add missing prototypes to function declarations + +With Clang 15+ compiler -Wstrict-prototypes is triggering warnings which +are turned into errors with -Werror, this fixes the problem by adding +missing prototypes + +Fixes errors like +| log.c:134:24: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes] +| static void syslog_init() +| ^ +| void + +Upstream-Status: Submitted [https://lists.samba.org/archive/rsync/2022-August/032858.html] +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + checksum.c | 2 +- + exclude.c | 2 +- + hlink.c | 3 +-- + lib/pool_alloc.c | 2 +- + log.c | 2 +- + main.c | 2 +- + syscall.c | 4 ++-- + zlib/crc32.c | 2 +- + zlib/trees.c | 2 +- + zlib/zutil.c | 4 ++-- + 10 files changed, 12 insertions(+), 13 deletions(-) + +diff --git a/checksum.c b/checksum.c +index fb8c0a0..174c28c 100644 +--- a/checksum.c ++++ b/checksum.c +@@ -629,7 +629,7 @@ int sum_end(char *sum) + return csum_len_for_type(cursum_type, 0); + } + +-void init_checksum_choices() ++void init_checksum_choices(void) + { + #ifdef SUPPORT_XXH3 + char buf[32816]; +diff --git a/exclude.c b/exclude.c +index adc82e2..79f5a82 100644 +--- a/exclude.c ++++ b/exclude.c +@@ -358,7 +358,7 @@ void implied_include_partial_string(const char *s_start, const char *s_end) + memcpy(partial_string_buf, s_start, partial_string_len); + } + +-void free_implied_include_partial_string() ++void free_implied_include_partial_string(void) + { + if (partial_string_buf) { + free(partial_string_buf); +diff --git a/hlink.c b/hlink.c +index 66810a3..6511dfb 100644 +--- a/hlink.c ++++ b/hlink.c +@@ -117,8 +117,7 @@ static void match_gnums(int32 *ndx_list, int ndx_count) + struct ht_int32_node *node = NULL; + int32 gnum, gnum_next; + +- qsort(ndx_list, ndx_count, sizeof ndx_list[0], (int (*)()) hlink_compare_gnum); +- ++ qsort(ndx_list, ndx_count, sizeof ndx_list[0], (int (*)(const void *, const void *)) hlink_compare_gnum); + for (from = 0; from < ndx_count; from++) { + file = hlink_flist->sorted[ndx_list[from]]; + gnum = F_HL_GNUM(file); +diff --git a/lib/pool_alloc.c b/lib/pool_alloc.c +index a1a7245..4eae062 100644 +--- a/lib/pool_alloc.c ++++ b/lib/pool_alloc.c +@@ -9,7 +9,7 @@ struct alloc_pool + size_t size; /* extent size */ + size_t quantum; /* allocation quantum */ + struct pool_extent *extents; /* top extent is "live" */ +- void (*bomb)(); /* called if malloc fails */ ++ void (*bomb)(const char *, const char *, int); /* called if malloc fails */ + int flags; + + /* statistical data */ +diff --git a/log.c b/log.c +index 44344e2..991e359 100644 +--- a/log.c ++++ b/log.c +@@ -131,7 +131,7 @@ static void logit(int priority, const char *buf) + } + } + +-static void syslog_init() ++static void syslog_init(void) + { + int options = LOG_PID; + +diff --git a/main.c b/main.c +index 9ebfbea..affa244 100644 +--- a/main.c ++++ b/main.c +@@ -244,7 +244,7 @@ void read_del_stats(int f) + stats.deleted_files += stats.deleted_specials = read_varint(f); + } + +-static void become_copy_as_user() ++static void become_copy_as_user(void) + { + char *gname; + uid_t uid; +diff --git a/syscall.c b/syscall.c +index d92074a..92ca86d 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -389,9 +389,9 @@ OFF_T do_lseek(int fd, OFF_T offset, int whence) + { + #ifdef HAVE_LSEEK64 + #if !SIZEOF_OFF64_T +- OFF_T lseek64(); ++ OFF_T lseek64(int fd, OFF_T offset, int whence); + #else +- off64_t lseek64(); ++ off64_t lseek64(int fd, off64_t offset, int whence); + #endif + return lseek64(fd, offset, whence); + #else +diff --git a/zlib/crc32.c b/zlib/crc32.c +index 05733f4..50c6c02 100644 +--- a/zlib/crc32.c ++++ b/zlib/crc32.c +@@ -187,7 +187,7 @@ local void write_table(out, table) + /* ========================================================================= + * This function can be used by asm versions of crc32() + */ +-const z_crc_t FAR * ZEXPORT get_crc_table() ++const z_crc_t FAR * ZEXPORT get_crc_table(void) + { + #ifdef DYNAMIC_CRC_TABLE + if (crc_table_empty) +diff --git a/zlib/trees.c b/zlib/trees.c +index 9c66770..0d9047e 100644 +--- a/zlib/trees.c ++++ b/zlib/trees.c +@@ -231,7 +231,7 @@ local void send_bits(s, value, length) + /* =========================================================================== + * Initialize the various 'constant' tables. + */ +-local void tr_static_init() ++local void tr_static_init(void) + { + #if defined(GEN_TREES_H) || !defined(STDC) + static int static_init_done = 0; +diff --git a/zlib/zutil.c b/zlib/zutil.c +index bbba7b2..61f8dc9 100644 +--- a/zlib/zutil.c ++++ b/zlib/zutil.c +@@ -27,12 +27,12 @@ z_const char * const z_errmsg[10] = { + ""}; + + +-const char * ZEXPORT zlibVersion() ++const char * ZEXPORT zlibVersion(void) + { + return ZLIB_VERSION; + } + +-uLong ZEXPORT zlibCompileFlags() ++uLong ZEXPORT zlibCompileFlags(void) + { + uLong flags; + +-- +2.37.2 + diff --git a/recipes-devtools/rsync/files/0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch b/recipes-devtools/rsync/files/0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch new file mode 100644 index 0000000..1d9c4bf --- /dev/null +++ b/recipes-devtools/rsync/files/0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch @@ -0,0 +1,68 @@ +From e64a58387db46239902b610871a0eb81626e99ff Mon Sep 17 00:00:00 2001 +From: Paul Eggert <eggert@cs.ucla.edu> +Date: Thu, 18 Aug 2022 07:46:28 -0700 +Subject: [PATCH] Turn on -pedantic-errors at the end of 'configure' + +Problem reported by Khem Raj in: +https://lists.gnu.org/r/autoconf-patches/2022-08/msg00009.html +Upstream-Status: Submitted [https://lists.samba.org/archive/rsync/2022-August/032862.html] +--- + configure.ac | 35 ++++++++++++++++++++--------------- + 1 file changed, 20 insertions(+), 15 deletions(-) + +diff --git a/configure.ac b/configure.ac +index d185b2d3..7e9514f7 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1071,21 +1071,6 @@ elif test x"$ac_cv_header_popt_h" != x"yes"; then + with_included_popt=yes + fi + +-if test x"$GCC" = x"yes"; then +- if test x"$with_included_popt" != x"yes"; then +- # Turn pedantic warnings into errors to ensure an array-init overflow is an error. +- CFLAGS="$CFLAGS -pedantic-errors" +- else +- # Our internal popt code cannot be compiled with pedantic warnings as errors, so try to +- # turn off pedantic warnings (which will not lose the error for array-init overflow). +- # Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists +- # -Wpedantic and use that as a flag. +- case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in +- *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;; +- esac +- fi +-fi +- + AC_MSG_CHECKING([whether to use included libpopt]) + if test x"$with_included_popt" = x"yes"; then + AC_MSG_RESULT($srcdir/popt) +@@ -1444,6 +1429,26 @@ case "$CC" in + ;; + esac + ++# Enable -pedantic-errors last, so that it doesn't mess up other ++# 'configure' tests. For example, Autoconf uses empty function ++# prototypes like 'int main () {}' which Clang 15's -pedantic-errors ++# would reject. Generally it's not a good idea to try to run ++# 'configure' itself with strict compiler checking. ++if test x"$GCC" = x"yes"; then ++ if test x"$with_included_popt" != x"yes"; then ++ # Turn pedantic warnings into errors to ensure an array-init overflow is an error. ++ CFLAGS="$CFLAGS -pedantic-errors" ++ else ++ # Our internal popt code cannot be compiled with pedantic warnings as errors, so try to ++ # turn off pedantic warnings (which will not lose the error for array-init overflow). ++ # Older gcc versions don't understand -Wno-pedantic, so check if --help=warnings lists ++ # -Wpedantic and use that as a flag. ++ case `$CC --help=warnings 2>/dev/null | grep Wpedantic` in ++ *-Wpedantic*) CFLAGS="$CFLAGS -pedantic-errors -Wno-pedantic" ;; ++ esac ++ fi ++fi ++ + AC_CONFIG_FILES([Makefile lib/dummy zlib/dummy popt/dummy shconfig]) + AC_OUTPUT + +-- +2.37.1 + diff --git a/recipes-devtools/rsync/files/determism.patch b/recipes-devtools/rsync/files/determism.patch new file mode 100644 index 0000000..e3494fd --- /dev/null +++ b/recipes-devtools/rsync/files/determism.patch @@ -0,0 +1,34 @@ +The Makefile calls awk on a "*.c" glob. The results of this glob are sorted +but the order depends on the locale settings, particularly whether +"util.c" and "util2.c" sort before or after each other. In en_US.UTF-8 +they sort one way, in C, they sort the other. The sorting order changes +the output binaries. The behaviour also changes dependning on whether +SHELL (/bin/sh) is dash or bash. + +Specify a C locale setting to be deterministic. + +Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> +Submitted: https://github.com/WayneD/rsync/pull/155 + +Upstream-Status: Backport [ish, see below] + +After discussion upstream renamed util.c to util1.c which avoids the problem +in a different way. This patch can be dropped when we upgrade to include: +https://github.com/WayneD/rsync/commit/d3085f7add38a5cf833a0b31cb0637ff46c80f8d + +Index: rsync-3.2.3/Makefile.in +=================================================================== +--- rsync-3.2.3.orig/Makefile.in ++++ rsync-3.2.3/Makefile.in +@@ -26,6 +26,11 @@ MKDIR_P=@MKDIR_P@ + VPATH=$(srcdir) + SHELL=/bin/sh + ++# We use globbing in commands, need to be deterministic ++unexport LC_ALL ++LC_COLLATE=C ++export LC_COLLATE ++ + .SUFFIXES: + .SUFFIXES: .c .o + diff --git a/recipes-devtools/rsync/files/makefile-no-rebuild.patch b/recipes-devtools/rsync/files/makefile-no-rebuild.patch new file mode 100644 index 0000000..92ed1f4 --- /dev/null +++ b/recipes-devtools/rsync/files/makefile-no-rebuild.patch @@ -0,0 +1,80 @@ +From 81700d1a0e51391028c761cc8ef1cd660084d114 Mon Sep 17 00:00:00 2001 +From: Ross Burton <ross.burton@intel.com> +Date: Tue, 12 Apr 2016 15:51:54 +0100 +Subject: [PATCH] rsync: remove upstream's rebuild logic + +Remove the Makefile rules to reinvoke autoconf, they're not out-of-tree safe and +generally overcomplicated, and we ensure that autoreconf is invoked if required. + +Upstream-Status: Inappropriate +Signed-off-by: Ross Burton <ross.burton@intel.com> + +--- + Makefile.in | 54 ----------------------------------------------------- + 1 file changed, 54 deletions(-) + +diff --git a/Makefile.in b/Makefile.in +index 3cde955..d963a70 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -190,60 +190,6 @@ gensend: gen + fi + rsync -aic $(GENFILES) git-version.h $${SAMBA_HOST-samba.org}:/home/ftp/pub/rsync/generated-files/ || true + +-aclocal.m4: $(srcdir)/m4/*.m4 +- aclocal -I $(srcdir)/m4 +- +-configure.sh config.h.in: configure.ac aclocal.m4 +- @if test -f configure.sh; then cp -p configure.sh configure.sh.old; else touch configure.sh.old; fi +- @if test -f config.h.in; then cp -p config.h.in config.h.in.old; else touch config.h.in.old; fi +- autoconf -o configure.sh +- autoheader && touch config.h.in +- @if diff configure.sh configure.sh.old >/dev/null 2>&1; then \ +- echo "configure.sh is unchanged."; \ +- rm configure.sh.old; \ +- else \ +- echo "configure.sh has CHANGED."; \ +- fi +- @if diff config.h.in config.h.in.old >/dev/null 2>&1; then \ +- echo "config.h.in is unchanged."; \ +- rm config.h.in.old; \ +- else \ +- echo "config.h.in has CHANGED."; \ +- fi +- @if test -f configure.sh.old || test -f config.h.in.old; then \ +- if test "$(MAKECMDGOALS)" = reconfigure; then \ +- echo 'Continuing with "make reconfigure".'; \ +- else \ +- echo 'You may need to run:'; \ +- echo ' make reconfigure'; \ +- exit 1; \ +- fi \ +- fi +- +-.PHONY: reconfigure +-reconfigure: configure.sh +- ./config.status --recheck +- ./config.status +- +-.PHONY: restatus +-restatus: +- ./config.status +- +-Makefile: Makefile.in config.status configure.sh config.h.in +- @if test -f Makefile; then cp -p Makefile Makefile.old; else touch Makefile.old; fi +- @./config.status +- @if diff Makefile Makefile.old >/dev/null 2>&1; then \ +- echo "Makefile is unchanged."; \ +- rm Makefile.old; \ +- else \ +- if test "$(MAKECMDGOALS)" = reconfigure; then \ +- echo 'Continuing with "make reconfigure".'; \ +- else \ +- echo "Makefile updated -- rerun your make command."; \ +- exit 1; \ +- fi \ +- fi +- + stunnel-rsyncd.conf: $(srcdir)/stunnel-rsyncd.conf.in Makefile + sed 's;\@bindir\@;$(bindir);g' <$(srcdir)/stunnel-rsyncd.conf.in >stunnel-rsyncd.conf + diff --git a/recipes-devtools/rsync/files/rsyncd.conf b/recipes-devtools/rsync/files/rsyncd.conf new file mode 100644 index 0000000..845f5b3 --- /dev/null +++ b/recipes-devtools/rsync/files/rsyncd.conf @@ -0,0 +1,15 @@ +# /etc/rsyncd.conf + +# Minimal configuration file for rsync daemon +# See rsync(1) and rsyncd.conf(5) man pages for help + +# This file is required by rsync --daemon +pid file = /var/run/rsyncd.pid +use chroot = yes +read only = yes + +# Simple example for enabling your own local rsync server +#[everything] +# path = / +# comment = Everything except /etc exposed +# exclude = /etc diff --git a/recipes-devtools/rsync/rsync_3.2.5.bb b/recipes-devtools/rsync/rsync_3.2.5.bb new file mode 100644 index 0000000..0bbbac7 --- /dev/null +++ b/recipes-devtools/rsync/rsync_3.2.5.bb @@ -0,0 +1,71 @@ +SUMMARY = "File synchronization tool" +HOMEPAGE = "http://rsync.samba.org/" +DESCRIPTION = "rsync is an open source utility that provides fast incremental file transfer." +BUGTRACKER = "http://rsync.samba.org/bugzilla.html" +SECTION = "console/network" +# GPL-2.0-or-later (<< 3.0.0), GPL-3.0-or-later (>= 3.0.0) +# Includes opennsh and xxhash dynamic link exception +LICENSE = "GPL-3.0-or-later" +LIC_FILES_CHKSUM = "file://COPYING;md5=24423708fe159c9d12be1ea29fcb18c7" + +DEPENDS = "popt" + +SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ + file://rsyncd.conf \ + file://makefile-no-rebuild.patch \ + file://determism.patch \ + file://0001-Add-missing-prototypes-to-function-declarations.patch \ + file://0001-Turn-on-pedantic-errors-at-the-end-of-configure.patch \ + " +SRC_URI[sha256sum] = "2ac4d21635cdf791867bc377c35ca6dda7f50d919a58be45057fd51600c69aba" + +# -16548 required for v3.1.3pre1. Already in v3.1.3. +CVE_CHECK_IGNORE += " CVE-2017-16548 " + +inherit autotools-brokensep + +PACKAGECONFIG ??= "acl attr \ + ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ +" + +PACKAGECONFIG[acl] = "--enable-acl-support,--disable-acl-support,acl," +PACKAGECONFIG[attr] = "--enable-xattr-support,--disable-xattr-support,attr," +PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," +PACKAGECONFIG[lz4] = "--enable-lz4,--disable-lz4,lz4" +PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl" +PACKAGECONFIG[xxhash] = "--enable-xxhash,--disable-xxhash,xxhash" +PACKAGECONFIG[zstd] = "--enable-zstd,--disable-zstd,zstd" + +# By default, if crosscompiling, rsync disables a number of +# capabilities, hardlinking symlinks and special files (i.e. devices) +CACHED_CONFIGUREVARS += "rsync_cv_can_hardlink_special=yes rsync_cv_can_hardlink_symlink=yes" + +EXTRA_OEMAKE = 'STRIP=""' +EXTRA_OECONF = "--disable-md2man --with-nobody-group=nogroup" + +#| ./simd-checksum-x86_64.cpp: In function 'uint32_t get_checksum1_cpp(char*, int32_t)': +#| ./simd-checksum-x86_64.cpp:89:52: error: multiversioning needs 'ifunc' which is not supported on this target +#| 89 | __attribute__ ((target("default"))) MVSTATIC int32 get_checksum1_avx2_64(schar* buf, int32 len, int32 i, uint32* ps1, uint32* ps2) { return i; } +#| | ^~~~~~~~~~~~~~~~~~~~~ +#| ./simd-checksum-x86_64.cpp:480:1: error: use of multiversioned function without a default +#| 480 | } +#| | ^ +#| If you can't fix the issue, re-run ./configure with --disable-roll-simd. +EXTRA_OECONF:append:libc-musl = " --disable-roll-simd" + +# rsync 3.0 uses configure.sh instead of configure, and +# makefile checks the existence of configure.sh +do_configure:prepend () { + rm -f ${S}/configure ${S}/configure.sh +} + +do_configure:append () { + cp -f ${S}/configure ${S}/configure.sh +} + +do_install:append() { + install -d ${D}${sysconfdir} + install -m 0644 ${WORKDIR}/rsyncd.conf ${D}${sysconfdir} +} + +BBCLASSEXTEND = "native nativesdk" |