summaryrefslogtreecommitdiff
path: root/recipes-extended
diff options
context:
space:
mode:
authorAndrii Davydenko <andrii.davydenko@globallogic.com>2022-12-14 12:08:42 +0200
committerMykyta Dorokhin <mykyta.dorokhin@globallogic.com>2023-01-24 12:41:29 +0200
commit2eaa3fd064097eb221b56d5df0e7136ba705a0cd (patch)
tree2ca46c9a625d6f743933b1ea7e2fc6bd2581e6eb /recipes-extended
parent1e52890ac41318d28923787af35541a8f9ee0653 (diff)
downloadmeta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.gz
meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.tar.bz2
meta-mlinux-2eaa3fd064097eb221b56d5df0e7136ba705a0cd.zip
CVE Packages Update
Move libfastjson to the rsyslog directory rsyslog 8.2002.0 -> 8.2206.0 add ntp4.2.8 recipe with fixed CVEs update cryptsetup to 2.4.3 fix libxml2 CVE-2016-3709 curl 7.75.0 -> 7.86.0 strongswan 5.8.4 -> 5.9.8 libmodbus 3.1.6 -> 3.1.7 libesmtp 1.0.6 -> 1.1.0 cifs-utils 6.1 -> 7.0 update libtirpc to version 1.3.3 update rsync to version 3.2.5 Add zlib 1.2.13 upgrade gnutls to 3.7.8 upgrade openssh to 8.9p1 Add cmake 3.24.2 and cmake-native 3.24.2 to avoid loop dependecies building expat Add expat 2.5.0 to fix CVE-2022-40674 and CVE-2022-43680 openvpn 2.4.9 -> 2.4.12 hostapd 2.9 -> 2.10 [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Openssh 8.9p1 no longer needed, because all necessary CVE fixes, backports and whitelists are present for current Openssh 8.4p1. There are no new CVE's in report. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patches for python3 component. Need to remove after upgrading Yocto to version more than 3.1.21. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patch for sudo component. Added 2 CVE's to whitelist for OpenVPN component.
Diffstat (limited to 'recipes-extended')
-rw-r--r--recipes-extended/libtirpc/libtirpc_1.3.3.bb28
-rw-r--r--recipes-extended/rsyslog/libfastjson/CVE-2020-12762.patch (renamed from recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch)0
-rw-r--r--recipes-extended/rsyslog/libfastjson_%.bbappend (renamed from recipes-extended/libfastjson/libfastjson_%.bbappend)0
-rw-r--r--recipes-extended/rsyslog/libfastjson_0.99.9.bb15
-rw-r--r--recipes-extended/rsyslog/librelp_1.10.0.bb18
-rw-r--r--recipes-extended/rsyslog/rsyslog/0001-Include-sys-time-h.patch32
-rw-r--r--recipes-extended/rsyslog/rsyslog/0001-tests-disable-the-check-for-inotify.patch46
-rw-r--r--recipes-extended/rsyslog/rsyslog/initscript118
-rw-r--r--recipes-extended/rsyslog/rsyslog/rsyslog.conf91
-rw-r--r--recipes-extended/rsyslog/rsyslog/rsyslog.logrotate39
-rw-r--r--recipes-extended/rsyslog/rsyslog/rsyslog.service21
-rw-r--r--recipes-extended/rsyslog/rsyslog/run-ptest12
-rw-r--r--recipes-extended/rsyslog/rsyslog/use-pkgconfig-to-check-libgcrypt.patch43
-rw-r--r--recipes-extended/rsyslog/rsyslog_8.2206.0.bb204
-rw-r--r--recipes-extended/sudo/files/CVE-2022-43995.patch59
-rw-r--r--recipes-extended/sudo/sudo_1.9.5p2.bb1
16 files changed, 727 insertions, 0 deletions
diff --git a/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/recipes-extended/libtirpc/libtirpc_1.3.3.bb
new file mode 100644
index 0000000..8c6c207
--- /dev/null
+++ b/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -0,0 +1,28 @@
+SUMMARY = "Transport-Independent RPC library"
+DESCRIPTION = "Libtirpc is a port of Suns Transport-Independent RPC library to Linux"
+SECTION = "libs/network"
+HOMEPAGE = "http://sourceforge.net/projects/libtirpc/"
+BUGTRACKER = "http://sourceforge.net/tracker/?group_id=183075&atid=903784"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=f835cce8852481e4b2bbbdd23b5e47f3 \
+ file://src/netname.c;beginline=1;endline=27;md5=f8a8cd2cb25ac5aa16767364fb0e3c24"
+
+PROVIDES = "virtual/librpc"
+
+SRC_URI = "${SOURCEFORGE_MIRROR}/${BPN}/${BP}.tar.bz2"
+UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
+UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
+SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
+
+# Was fixed in 1.3.3rc1 so not present in 1.3.3
+CVE_CHECK_IGNORE += "CVE-2021-46828"
+
+inherit autotools pkgconfig
+
+EXTRA_OECONF = "--disable-gssapi"
+
+do_install:append() {
+ chown root:root ${D}${sysconfdir}/netconfig
+}
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch b/recipes-extended/rsyslog/libfastjson/CVE-2020-12762.patch
index 84e8206..84e8206 100644
--- a/recipes-extended/libfastjson/libfastjson/CVE-2020-12762.patch
+++ b/recipes-extended/rsyslog/libfastjson/CVE-2020-12762.patch
diff --git a/recipes-extended/libfastjson/libfastjson_%.bbappend b/recipes-extended/rsyslog/libfastjson_%.bbappend
index 103c92e..103c92e 100644
--- a/recipes-extended/libfastjson/libfastjson_%.bbappend
+++ b/recipes-extended/rsyslog/libfastjson_%.bbappend
diff --git a/recipes-extended/rsyslog/libfastjson_0.99.9.bb b/recipes-extended/rsyslog/libfastjson_0.99.9.bb
new file mode 100644
index 0000000..24ad172
--- /dev/null
+++ b/recipes-extended/rsyslog/libfastjson_0.99.9.bb
@@ -0,0 +1,15 @@
+SUMMARY = "A fork of json-c library"
+HOMEPAGE = "https://github.com/rsyslog/libfastjson"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://COPYING;md5=a958bb07122368f3e1d9b2efe07d231f"
+
+DEPENDS = ""
+
+SRC_URI = "git://github.com/rsyslog/libfastjson.git;protocol=https;branch=master"
+
+SRCREV = "0293afb3913f760c449348551cca4d2df59c1a00"
+
+S = "${WORKDIR}/git"
+
+inherit autotools
diff --git a/recipes-extended/rsyslog/librelp_1.10.0.bb b/recipes-extended/rsyslog/librelp_1.10.0.bb
new file mode 100644
index 0000000..acdbbb7
--- /dev/null
+++ b/recipes-extended/rsyslog/librelp_1.10.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "A reliable logging library"
+HOMEPAGE = "https://github.com/rsyslog/librelp"
+
+LICENSE = "GPL-3.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=1fb9c10ed9fd6826757615455ca893a9"
+
+DEPENDS = "gmp nettle libidn zlib gnutls openssl"
+
+SRC_URI = "git://github.com/rsyslog/librelp.git;protocol=https;branch=stable \
+"
+
+SRCREV = "9e749453d51d602d8159717f8a7c27971dcb4c6c"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig
+
+CPPFLAGS += "-Wno-error"
diff --git a/recipes-extended/rsyslog/rsyslog/0001-Include-sys-time-h.patch b/recipes-extended/rsyslog/rsyslog/0001-Include-sys-time-h.patch
new file mode 100644
index 0000000..6ce8b7a
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/0001-Include-sys-time-h.patch
@@ -0,0 +1,32 @@
+From 7baf35b88d742032a2dc456c396843e17e866f8e Mon Sep 17 00:00:00 2001
+From: Ming Liu <peter.x.liu@external.atlascopco.com>
+Date: Wed, 27 Jun 2018 14:04:57 +0800
+Subject: [PATCH] Include sys/time.h
+
+struct timeval is defined in sys/time.h with a musl libc.
+
+Upstream-Status: Inappropriate [musl libc specific]
+
+Signed-off-by: Ming Liu <peter.x.liu@external.atlascopco.com>
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tests/msleep.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/tests/msleep.c b/tests/msleep.c
+index 98dbece..96f6950 100644
+--- a/tests/msleep.c
++++ b/tests/msleep.c
+@@ -26,11 +26,7 @@
+ #include "config.h"
+ #include <stdio.h>
+ #include <stdlib.h>
+-#if defined(__FreeBSD__)
+ #include <sys/time.h>
+-#else
+-#include <time.h>
+-#endif
+ #if defined(HAVE_SYS_SELECT_H)
+ #include <sys/select.h>
+ #endif
+2.7.4
diff --git a/recipes-extended/rsyslog/rsyslog/0001-tests-disable-the-check-for-inotify.patch b/recipes-extended/rsyslog/rsyslog/0001-tests-disable-the-check-for-inotify.patch
new file mode 100644
index 0000000..552172d
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/0001-tests-disable-the-check-for-inotify.patch
@@ -0,0 +1,46 @@
+From 194e199ce08acc2192f6a63420ff24d9064666e5 Mon Sep 17 00:00:00 2001
+From: Yi Fan Yu <yifan.yu@windriver.com>
+Date: Sat, 27 Mar 2021 19:18:25 -0400
+Subject: [PATCH] tests: disable the check for inotify
+
+We don't need to check inotify.h.
+Assume it is present since it is part of the linux kernel
+since 2.6.13 [1].
+
+[1](https://kernelnewbies.org/Linux_2_6_13)
+
+(it would require installing the libc headers otherwise,
+ for the test to detect /usr/include/sys/inotify.h.)
+
+Upstream-Status: Inappropriate[OE-specific]
+
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ tests/diag.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/diag.sh b/tests/diag.sh
+index 6cd60ea88..7424f48c5 100755
+--- a/tests/diag.sh
++++ b/tests/diag.sh
+@@ -2672,7 +2672,7 @@ case $1 in
+ fi
+ ;;
+ 'check-inotify') # Check for inotify/fen support
+- if [ -n "$(find /usr/include -name 'inotify.h' -print -quit)" ]; then
++ if true; then
+ echo [inotify mode]
+ elif [ -n "$(find /usr/include/sys/ -name 'port.h' -print -quit)" ]; then
+ grep -qF "PORT_SOURCE_FILE" < /usr/include/sys/port.h
+@@ -2687,7 +2687,7 @@ case $1 in
+ fi
+ ;;
+ 'check-inotify-only') # Check for ONLY inotify support
+- if [ -n "$(find /usr/include -name 'inotify.h' -print -quit)" ]; then
++ if true; then
+ echo [inotify mode]
+ else
+ echo [inotify not supported, skipping...]
+--
+2.29.2
+
diff --git a/recipes-extended/rsyslog/rsyslog/initscript b/recipes-extended/rsyslog/rsyslog/initscript
new file mode 100644
index 0000000..7a8f8f9
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/initscript
@@ -0,0 +1,118 @@
+#! /bin/sh
+#
+# This is an init script for openembedded
+# Copy it to /etc/init.d/rsyslog and type
+# > update-rc.d rsyslog defaults 5
+#
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+NAME=rsyslog
+RSYSLOGD=rsyslogd
+RSYSLOGD_BIN=/usr/sbin/rsyslogd
+RSYSLOGD_OPTIONS=""
+RSYSLOGD_PIDFILE=/var/run/rsyslogd.pid
+SCRIPTNAME=/etc/init.d/$NAME
+# Exit if the package is not installed
+[ -x "$RSYSLOGD_BIN" ] || exit 0
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ DAEMON=$1
+ DAEMON_ARGS=$2
+ PIDFILE=$3
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon could not be started
+ # if daemon had already been started, start-stop-daemon will return 1
+ # so add -o/--oknodo(if nothing is done, exit 0)
+ start-stop-daemon -S --quiet --pidfile $PIDFILE --exec $DAEMON \
+ --oknodo -- $DAEMON_ARGS || return 1
+}
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ NAME=$1
+ PIDFILE=$2
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ # QUIT/TERM/INT should work here, but they don't ?????
+ start-stop-daemon -K --quiet --signal KILL --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ NAME=$1
+ PIDFILE=$2
+ start-stop-daemon -K --signal HUP --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+do_status() {
+ NAME=$1
+ PIDFILE=$2
+ # -t: test only but not stop
+ start-stop-daemon -K -t --quiet --pidfile $PIDFILE --name $NAME
+ # exit with status 0 if process is found
+ if [ "$?" = "0" ]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+case "$1" in
+ start)
+ echo -n "starting $RSYSLOGD ... "
+ do_start "$RSYSLOGD_BIN" "$RSYSLOGD_OPTIONS" "$RSYSLOGD_PIDFILE"
+ case "$?" in
+ 0) echo "done" ;;
+ 1) echo "failed" ;;
+ esac
+ ;;
+ stop)
+ echo -n "stopping $RSYSLOGD ... "
+ do_stop "$RSYSLOGD" "$RSYSLOGD_PIDFILE"
+ case "$?" in
+ 0|1) echo "done" ;;
+ 2) echo "failed" ;;
+ esac
+ ;;
+ reload|force-reload)
+ echo -n "reloading $RSYSLOGD ... "
+ do_reload "$RSYSLOGD" "$RSYSLOGD_PIDFILE"
+ echo "done"
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ status)
+ echo -n "status $RSYSLOGD ... "
+ do_status "$RSYSLOGD" "$RSYSLOGD_PIDFILE"
+ if [ "$?" = "0" ]; then
+ echo "running"
+ exit 0
+ else
+ echo "stopped"
+ exit 1
+ fi
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
+ exit 3
+ ;;
+esac
+exit 0
diff --git a/recipes-extended/rsyslog/rsyslog/rsyslog.conf b/recipes-extended/rsyslog/rsyslog/rsyslog.conf
new file mode 100644
index 0000000..dbfefb7
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/rsyslog.conf
@@ -0,0 +1,91 @@
+# if you experience problems, check
+# http://www.rsyslog.com/troubleshoot for assistance
+
+# rsyslog v3: load input modules
+# If you do not load inputs, nothing happens!
+# You may need to set the module load path if modules are not found.
+#
+# Ported from debian's sysklogd.conf
+
+$ModLoad immark # provides --MARK-- message capability
+$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
+$ModLoad imklog # kernel logging (formerly provided by rklogd)
+
+#
+# Set the default permissions
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
+cron.* /var/log/cron.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
+
+#
+# Logging for the mail system. Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
+
+# Logging for INN news system
+#
+news.crit /var/log/news.crit
+news.err /var/log/news.err
+news.notice -/var/log/news.notice
+
+#
+# Some `catch-all' logfiles.
+#
+*.=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail,news.none -/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg :omusrmsg:*
+
+# Save boot messages also to boot.log
+local7.* /var/log/boot.log
+
+# Remote Logging (we use TCP for reliable delivery)
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#$WorkDirectory /var/spool/rsyslog # where to place spool files
+#$ActionQueueFileName uniqName # unique name prefix for spool files
+$ActionQueueMaxDiskSpace 10m # 1gb space limit (use as much as possible)
+#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
+#$ActionQueueType LinkedList # run asynchronously
+#$ActionResumeRetryCount -1 # infinite retries if host is down
+# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+#*.* @@remote-host:514
+
+
+# ######### Receiving Messages from Remote Hosts ##########
+# TCP Syslog Server:
+# provides TCP syslog reception and GSS-API (if compiled to support it)
+#$ModLoad imtcp.so # load module
+#$InputTCPServerRun 514 # start up TCP listener at port 514
+
+# UDP Syslog Server:
+#$ModLoad imudp.so # provides UDP syslog reception
+#$UDPServerRun 514 # start a UDP syslog server at standard port 514
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
diff --git a/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate b/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
new file mode 100644
index 0000000..5f8568f
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/rsyslog.logrotate
@@ -0,0 +1,39 @@
+# /etc/logrotate.d/rsyslog - Ported from Debian
+
+/var/log/syslog
+{
+ rotate 7
+ daily
+ missingok
+ notifempty
+ delaycompress
+ compress
+ postrotate
+ @BINDIR@/pkill -HUP rsyslogd 2> /dev/null || true
+ endscript
+}
+
+/var/log/mail.info
+/var/log/mail.warn
+/var/log/mail.err
+/var/log/mail.log
+/var/log/daemon.log
+/var/log/kern.log
+/var/log/auth.log
+/var/log/user.log
+/var/log/lpr.log
+/var/log/cron.log
+/var/log/debug
+/var/log/messages
+{
+ rotate 4
+ weekly
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ @BINDIR@/pkill -HUP rsyslogd 2> /dev/null || true
+ endscript
+}
diff --git a/recipes-extended/rsyslog/rsyslog/rsyslog.service b/recipes-extended/rsyslog/rsyslog/rsyslog.service
new file mode 100644
index 0000000..0aacff3
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/rsyslog.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=System Logging Service
+Requires=syslog.socket
+Wants=network.target network-online.target
+After=network.target network-online.target
+Documentation=man:rsyslogd(8)
+Documentation=http://www.rsyslog.com/doc/
+
+[Service]
+Type=notify
+ExecStart=@sbindir@/rsyslogd -n -iNONE
+StandardOutput=null
+Restart=on-failure
+
+# Increase the default a bit in order to allow many simultaneous
+# files to be monitored, we might need a lot of fds.
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
+Alias=syslog.service
diff --git a/recipes-extended/rsyslog/rsyslog/run-ptest b/recipes-extended/rsyslog/rsyslog/run-ptest
new file mode 100644
index 0000000..efa9ba3
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/run-ptest
@@ -0,0 +1,12 @@
+#!/bin/sh
+#
+set -e
+set -o pipefail
+
+SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
+cd ${SCRIPTPATH}
+useradd tester || echo "user already exists"
+ln -sf /usr/sbin/logrotate /usr/bin/logrotate
+su tester -c "make -C tests -k check-TESTS"
+userdel tester
+rm -f /usr/bin/logrotate
diff --git a/recipes-extended/rsyslog/rsyslog/use-pkgconfig-to-check-libgcrypt.patch b/recipes-extended/rsyslog/rsyslog/use-pkgconfig-to-check-libgcrypt.patch
new file mode 100644
index 0000000..0352587
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog/use-pkgconfig-to-check-libgcrypt.patch
@@ -0,0 +1,43 @@
+From d0852006bf3d305e8984b85b41997d43d4476937 Mon Sep 17 00:00:00 2001
+From: Roy Li <rongqing.li@windriver.com>
+Date: Wed, 18 Jun 2014 13:46:52 +0800
+Subject: [PATCH] use pkgconfig to check libgcrypt
+
+Upstream-Status: Inappropriate [configuration]
+
+libgcrypt does no longer provide libgcrypt-config, and provide
+*.pc, so we should use pkgconfig to check
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+
+---
+ configure.ac | 15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 62178c3..b56c9c7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -889,20 +889,7 @@ AC_ARG_ENABLE(libgcrypt,
+ [enable_libgcrypt=yes]
+ )
+ if test "x$enable_libgcrypt" = "xyes"; then
+- AC_PATH_PROG([LIBGCRYPT_CONFIG],[libgcrypt-config],[no])
+- if test "x${LIBGCRYPT_CONFIG}" = "xno"; then
+- AC_MSG_FAILURE([libgcrypt-config not found in PATH])
+- fi
+- AC_CHECK_LIB(
+- [gcrypt],
+- [gcry_cipher_open],
+- [LIBGCRYPT_CFLAGS="`${LIBGCRYPT_CONFIG} --cflags`"
+- LIBGCRYPT_LIBS="`${LIBGCRYPT_CONFIG} --libs`"
+- ],
+- [AC_MSG_FAILURE([libgcrypt is missing])],
+- [`${LIBGCRYPT_CONFIG} --libs --cflags`]
+- )
+- AC_DEFINE([ENABLE_LIBGCRYPT], [1], [Indicator that LIBGCRYPT is present])
++ PKG_CHECK_MODULES(LIBGCRYPT, libgcrypt)
+ fi
+ AM_CONDITIONAL(ENABLE_LIBGCRYPT, test x$enable_libgcrypt = xyes)
+ AC_SUBST(LIBGCRYPT_CFLAGS)
diff --git a/recipes-extended/rsyslog/rsyslog_8.2206.0.bb b/recipes-extended/rsyslog/rsyslog_8.2206.0.bb
new file mode 100644
index 0000000..f7604f8
--- /dev/null
+++ b/recipes-extended/rsyslog/rsyslog_8.2206.0.bb
@@ -0,0 +1,204 @@
+SUMMARY = "Rsyslog is an enhanced multi-threaded syslogd"
+DESCRIPTION = "\
+Rsyslog is an enhanced syslogd supporting, among others, MySQL,\
+ PostgreSQL, failover log destinations, syslog/tcp, fine grain\
+ output format control, high precision timestamps, queued operations\
+ and the ability to filter on any message part. It is quite\
+ compatible to stock sysklogd and can be used as a drop-in replacement.\
+ Its advanced features make it suitable for enterprise-class,\
+ encryption protected syslog relay chains while at the same time being\
+ very easy to setup for the novice user."
+
+DEPENDS = "zlib libestr libfastjson bison-native flex-native liblogging"
+HOMEPAGE = "http://www.rsyslog.com/"
+LICENSE = "GPL-3.0+ & LGPL-3.0+ & Apache-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=51d9635e646fb75e1b74c074f788e973 \
+ file://COPYING.LESSER;md5=cb7903f1e5c39ae838209e130dca270a \
+ file://COPYING.ASL20;md5=052f8a09206615ab07326ff8ce2d9d32\
+"
+
+SRC_URI = "http://www.rsyslog.com/download/files/download/rsyslog/${BPN}-${PV}.tar.gz \
+ file://initscript \
+ file://rsyslog.conf \
+ file://rsyslog.logrotate \
+ file://rsyslog.service \
+ file://use-pkgconfig-to-check-libgcrypt.patch \
+ file://run-ptest \
+ file://0001-tests-disable-the-check-for-inotify.patch \
+"
+
+SRC_URI_append_libc-musl = " \
+ file://0001-Include-sys-time-h.patch \
+"
+
+SRC_URI[sha256sum] = "a1377218b26c0767a7a3f67d166d5338af7c24b455d35ec99974e18e6845ba27"
+
+UPSTREAM_CHECK_URI = "https://github.com/rsyslog/rsyslog/releases"
+UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)"
+
+inherit autotools pkgconfig systemd update-rc.d ptest
+
+EXTRA_OECONF += "--disable-generate-man-pages ap_cv_atomic_builtins=yes"
+EXTRA_OECONF += "--enable-imfile-tests"
+EXTRA_OECONF_remove_mipsarch = "ap_cv_atomic_builtins=yes"
+EXTRA_OECONF_remove_powerpc = "ap_cv_atomic_builtins=yes"
+EXTRA_OECONF_remove_riscv32 = "ap_cv_atomic_builtins=yes"
+
+# first line is default yes in configure
+PACKAGECONFIG ??= " \
+ rsyslogd rsyslogrt klog inet regexp uuid libgcrypt \
+ fmhttp imdiag gnutls imfile \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'snmp systemd', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'testbench relp ${VALGRIND}', '', d)} \
+"
+
+# default yes in configure
+PACKAGECONFIG[relp] = "--enable-relp,--disable-relp,librelp,"
+PACKAGECONFIG[rsyslogd] = "--enable-rsyslogd,--disable-rsyslogd,,"
+PACKAGECONFIG[rsyslogrt] = "--enable-rsyslogrt,--disable-rsyslogrt,,"
+PACKAGECONFIG[fmhttp] = "--enable-fmhttp,--disable-fmhttp,curl,"
+PACKAGECONFIG[inet] = "--enable-inet,--disable-inet,,"
+PACKAGECONFIG[klog] = "--enable-klog,--disable-klog,,"
+PACKAGECONFIG[regexp] = "--enable-regexp,--disable-regexp,,"
+PACKAGECONFIG[uuid] = "--enable-uuid,--disable-uuid,util-linux,"
+PACKAGECONFIG[libgcrypt] = "--enable-libgcrypt,--disable-libgcrypt,libgcrypt,"
+PACKAGECONFIG[testbench] = "--enable-testbench --enable-omstdout,--disable-testbench --disable-omstdout,,"
+
+# default no in configure
+PACKAGECONFIG[debug] = "--enable-debug,--disable-debug,,"
+PACKAGECONFIG[imdiag] = "--enable-imdiag,--disable-imdiag,,"
+PACKAGECONFIG[imfile] = "--enable-imfile,--disable-imfile,,"
+PACKAGECONFIG[snmp] = "--enable-snmp,--disable-snmp,net-snmp,"
+PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls,"
+PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/,--without-systemdsystemunitdir,systemd,"
+PACKAGECONFIG[imjournal] = "--enable-imjournal,--disable-imjournal,"
+PACKAGECONFIG[mmjsonparse] = "--enable-mmjsonparse,--disable-mmjsonparse,"
+PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5,"
+PACKAGECONFIG[postgresql] = "--enable-pgsql,--disable-pgsql,postgresql,"
+PACKAGECONFIG[libdbi] = "--enable-libdbi,--disable-libdbi,libdbi,"
+PACKAGECONFIG[mail] = "--enable-mail,--disable-mail,,"
+PACKAGECONFIG[valgrind] = ",--without-valgrind-testbench,valgrind,"
+PACKAGECONFIG[imhttp] = "--enable-imhttp,--disable-imhttp,civetweb,"
+
+
+TESTDIR = "tests"
+do_compile_ptest() {
+ echo 'buildtest-TESTS: $(check_PROGRAMS)' >> ${TESTDIR}/Makefile
+ oe_runmake -C ${TESTDIR} buildtest-TESTS
+}
+
+do_install_ptest() {
+ # install the tests
+ cp -rf ${S}/${TESTDIR} ${D}${PTEST_PATH}
+ cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH}
+
+ # give permissions to all users
+ # some tests need to write to this directory as user 'daemon'
+ chmod 777 -R ${D}${PTEST_PATH}/tests
+
+ # do NOT need to rebuild Makefile itself
+ sed -i 's/^Makefile:.*$/Makefile:/' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
+ # do NOT need to rebuild $(check_PROGRAMS)
+ sed -i 's/^check-TESTS:.*$/check-TESTS:/' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
+
+ # fix the srcdir, top_srcdir
+ sed -i 's,^\(srcdir = \).*,\1${PTEST_PATH}/tests,' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
+ sed -i 's,^\(top_srcdir = \).*,\1${PTEST_PATH}/tests,' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
+ # fix the abs_top_builddir
+ sed -i 's,^\(abs_top_builddir = \).*,\1${PTEST_PATH}/,' ${D}${PTEST_PATH}/${TESTDIR}/Makefile
+
+ # install test-driver
+ install -m 644 ${S}/test-driver ${D}${PTEST_PATH}
+
+ # install necessary links
+ install -d ${D}${PTEST_PATH}/tools
+ ln -sf ${sbindir}/rsyslogd ${D}${PTEST_PATH}/tools/rsyslogd
+
+ install -d ${D}${PTEST_PATH}/runtime
+ install -d ${D}${PTEST_PATH}/runtime/.libs
+ (
+ cd ${D}/${libdir}/rsyslog
+ allso="*.so"
+ for i in $allso; do
+ ln -sf ${libdir}/rsyslog/$i ${D}${PTEST_PATH}/runtime/.libs/$i
+ done
+ )
+
+ # fix the module load path with runtime/.libs
+ find ${D}${PTEST_PATH}/${TESTDIR} -name "*.conf" -o -name "*.sh" -o -name "*.c" | xargs \
+ sed -i -e 's:../plugins/.*/.libs/:../runtime/.libs/:g'
+ # fix the python3 path for tests/set-envar
+ sed -i -e s:${HOSTTOOLS_DIR}:${bindir}:g ${D}${PTEST_PATH}/tests/set-envvars
+}
+
+do_install_append() {
+ install -d "${D}${sysconfdir}/init.d"
+ install -d "${D}${sysconfdir}/logrotate.d"
+ install -m 755 ${WORKDIR}/initscript ${D}${sysconfdir}/init.d/syslog
+ install -m 644 ${WORKDIR}/rsyslog.conf ${D}${sysconfdir}/rsyslog.conf
+ install -m 644 ${WORKDIR}/rsyslog.logrotate ${D}${sysconfdir}/logrotate.d/logrotate.rsyslog
+ sed -i -e "s#@BINDIR@#${bindir}#g" ${D}${sysconfdir}/logrotate.d/logrotate.rsyslog
+
+ if ${@bb.utils.contains('PACKAGECONFIG', 'imjournal', 'true', 'false', d)}; then
+ install -d 0755 ${D}${sysconfdir}/rsyslog.d
+ echo '$ModLoad imjournal' >> ${D}${sysconfdir}/rsyslog.d/imjournal.conf
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG', 'mmjsonparse', 'true', 'false', d)}; then
+ install -d 0755 ${D}${sysconfdir}/rsyslog.d
+ echo '$ModLoad mmjsonparse' >> ${D}${sysconfdir}/rsyslog.d/mmjsonparse.conf
+ fi
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -d ${D}${systemd_system_unitdir}
+ install -m 644 ${WORKDIR}/rsyslog.service ${D}${systemd_system_unitdir}
+ sed -i -e "s,@sbindir@,${sbindir},g" ${D}${systemd_system_unitdir}/rsyslog.service
+ fi
+}
+
+FILES_${PN} += "${bindir}"
+
+INITSCRIPT_NAME = "syslog"
+INITSCRIPT_PARAMS = "defaults"
+
+CONFFILES_${PN} = "${sysconfdir}/rsyslog.conf"
+
+RCONFLICTS_${PN} = "busybox-syslog sysklogd syslog-ng"
+
+RPROVIDES_${PN} += "${PN}-systemd"
+RREPLACES_${PN} += "${PN}-systemd"
+RCONFLICTS_${PN} += "${PN}-systemd"
+SYSTEMD_SERVICE_${PN} = "${BPN}.service"
+
+RDEPENDS_${PN} += "logrotate"
+
+# for rsyslog-ptest
+VALGRIND = "valgrind"
+
+# valgrind supports armv7 and above
+VALGRIND_armv4 = ''
+VALGRIND_armv5 = ''
+VALGRIND_armv6 = ''
+
+# X32 isn't supported by valgrind at this time
+VALGRIND_linux-gnux32 = ''
+VALGRIND_linux-muslx32 = ''
+
+# Disable for some MIPS variants
+VALGRIND_mipsarchr6 = ''
+VALGRIND_linux-gnun32 = ''
+
+# Disable for powerpc64 with musl
+VALGRIND_libc-musl_powerpc64 = ''
+VALGRIND_libc-musl_powerpc64le = ''
+
+# RISC-V support for valgrind is not there yet
+VALGRIND_riscv64 = ""
+VALGRIND_riscv32 = ""
+
+# util-linux: logger needs the -d option
+RDEPENDS_${PN}-ptest += "\
+ make diffutils gzip bash gawk coreutils procps \
+ libgcc python3-core python3-io python3-json \
+ curl util-linux shadow \
+ "
+
+RRECOMMENDS_${PN}-ptest += "${TCLIBC}-dbg ${VALGRIND}"
diff --git a/recipes-extended/sudo/files/CVE-2022-43995.patch b/recipes-extended/sudo/files/CVE-2022-43995.patch
new file mode 100644
index 0000000..1336c77
--- /dev/null
+++ b/recipes-extended/sudo/files/CVE-2022-43995.patch
@@ -0,0 +1,59 @@
+From e1554d7996a59bf69544f3d8dd4ae683027948f9 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Tue, 15 Nov 2022 09:17:18 +0530
+Subject: [PATCH] CVE-2022-43995
+
+Upstream-Status: Backport [https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050]
+CVE: CVE-2022-43995
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+
+Potential heap overflow for passwords < 8
+characters. Starting with sudo 1.8.0 the plaintext password buffer is
+dynamically sized so it is not safe to assume that it is at least 9 bytes in
+size.
+Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+---
+ plugins/sudoers/auth/passwd.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index 03c7a16..76a7824 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+ int
+ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+- char sav, *epass;
++ char des_pass[9], *epass;
+ char *pw_epasswd = auth->data;
+ size_t pw_len;
+ int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+
+ /*
+ * Truncate to 8 chars if standard DES since not all crypt()'s do this.
+- * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+ */
+- sav = pass[8];
+ pw_len = strlen(pw_epasswd);
+- if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+- pass[8] = '\0';
++ if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++ strlcpy(des_pass, pass, sizeof(des_pass));
++ pass = des_pass;
++ }
+
+ /*
+ * Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+ * only compare the first DESLEN characters in that case.
+ */
+ epass = (char *) crypt(pass, pw_epasswd);
+- pass[8] = sav;
+ if (epass != NULL) {
+ if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ matched = !strncmp(pw_epasswd, epass, DESLEN);
+--
+2.25.1
+
diff --git a/recipes-extended/sudo/sudo_1.9.5p2.bb b/recipes-extended/sudo/sudo_1.9.5p2.bb
index a1164e9..e40c058 100644
--- a/recipes-extended/sudo/sudo_1.9.5p2.bb
+++ b/recipes-extended/sudo/sudo_1.9.5p2.bb
@@ -3,6 +3,7 @@ require sudo.inc
SRC_URI = "https://www.sudo.ws/dist/sudo-${PV}.tar.gz \
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://0001-sudo.conf.in-fix-conflict-with-multilib.patch \
+ file://CVE-2022-43995.patch \
"
PAM_SRC_URI = "file://sudo.pam"