From 2eaa3fd064097eb221b56d5df0e7136ba705a0cd Mon Sep 17 00:00:00 2001 From: Andrii Davydenko Date: Wed, 14 Dec 2022 12:08:42 +0200 Subject: CVE Packages Update Move libfastjson to the rsyslog directory rsyslog 8.2002.0 -> 8.2206.0 add ntp4.2.8 recipe with fixed CVEs update cryptsetup to 2.4.3 fix libxml2 CVE-2016-3709 curl 7.75.0 -> 7.86.0 strongswan 5.8.4 -> 5.9.8 libmodbus 3.1.6 -> 3.1.7 libesmtp 1.0.6 -> 1.1.0 cifs-utils 6.1 -> 7.0 update libtirpc to version 1.3.3 update rsync to version 3.2.5 Add zlib 1.2.13 upgrade gnutls to 3.7.8 upgrade openssh to 8.9p1 Add cmake 3.24.2 and cmake-native 3.24.2 to avoid loop dependecies building expat Add expat 2.5.0 to fix CVE-2022-40674 and CVE-2022-43680 openvpn 2.4.9 -> 2.4.12 hostapd 2.9 -> 2.10 [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Openssh 8.9p1 no longer needed, because all necessary CVE fixes, backports and whitelists are present for current Openssh 8.4p1. There are no new CVE's in report. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patches for python3 component. Need to remove after upgrading Yocto to version more than 3.1.21. [GP-1837] mPower R.6.3.X (Fall'22): CVE Upgrade (after 2022-12-28) Backported CVE patch for sudo component. Added 2 CVE's to whitelist for OpenVPN component. --- ...d-target-to-only-build-tests-not-run-them.patch | 45 +++++++++++++++++ ...k-header-files-of-openssl-only-if-enable_.patch | 36 ++++++++++++++ recipes-support/nettle/nettle/dlopen-test.patch | 29 +++++++++++ recipes-support/nettle/nettle/run-ptest | 36 ++++++++++++++ recipes-support/nettle/nettle_3.8.1.bb | 57 ++++++++++++++++++++++ 5 files changed, 203 insertions(+) create mode 100644 recipes-support/nettle/nettle/Add-target-to-only-build-tests-not-run-them.patch create mode 100644 recipes-support/nettle/nettle/check-header-files-of-openssl-only-if-enable_.patch create mode 100644 recipes-support/nettle/nettle/dlopen-test.patch create mode 100644 recipes-support/nettle/nettle/run-ptest create mode 100644 recipes-support/nettle/nettle_3.8.1.bb (limited to 'recipes-support/nettle') diff --git a/recipes-support/nettle/nettle/Add-target-to-only-build-tests-not-run-them.patch b/recipes-support/nettle/nettle/Add-target-to-only-build-tests-not-run-them.patch new file mode 100644 index 0000000..e3f5c6d --- /dev/null +++ b/recipes-support/nettle/nettle/Add-target-to-only-build-tests-not-run-them.patch @@ -0,0 +1,45 @@ +Add target to only build tests (not run them) + +Not sending upstream as this is only a start of a solution to +installable tests: It's useful for us already as is. + +Upstream-Status: Inappropriate [not a complete solution] + +Signed-off-by: Jussi Kukkonen +Refactored for 3.4 +Signed-off-by: Armin Kuster +--- + Makefile.in | 3 +++ + testsuite/Makefile.in | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/Makefile.in b/Makefile.in +index e5ccfc7..15c9275 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -52,6 +52,9 @@ clean distclean mostlyclean maintainer-clean tags: + echo "Making $@ in $$d" ; (cd $$d && $(MAKE) $@); done + $(MAKE) $@-here + ++buildtest: ++ echo "Making $@ in testsuite" ; (cd testsuite && $(MAKE) $@) ++ + check-here: + true + +diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in +index 3f5e5f6..8fd68a3 100644 +--- a/testsuite/Makefile.in ++++ b/testsuite/Makefile.in +@@ -122,6 +122,8 @@ $(TARGETS) $(EXTRA_TARGETS): testutils.$(OBJEXT) ../nettle-internal.$(OBJEXT) \ + # data. + VALGRIND = valgrind --error-exitcode=1 --leak-check=full --show-reachable=yes @IF_ASM@ --partial-loads-ok=yes + ++buildtest: $(TS_ALL) ++ + check: $(TS_ALL) + TEST_SHLIB_DIR="$(TEST_SHLIB_DIR)" \ + srcdir="$(srcdir)" \ +-- +2.17.1 + diff --git a/recipes-support/nettle/nettle/check-header-files-of-openssl-only-if-enable_.patch b/recipes-support/nettle/nettle/check-header-files-of-openssl-only-if-enable_.patch new file mode 100644 index 0000000..d5f2666 --- /dev/null +++ b/recipes-support/nettle/nettle/check-header-files-of-openssl-only-if-enable_.patch @@ -0,0 +1,36 @@ +From ffee6b5f6204a0210f717968ec6ce514d70acca1 Mon Sep 17 00:00:00 2001 +From: Haiqing Bai +Date: Fri, 9 Dec 2016 15:23:17 +0800 +Subject: [PATCH] nettle: check header files of openssl only if + 'enable_openssl=yes'. + +The original configure script checks openssl header files to generate +config.h even if 'enable_openssl' is not set to yes, this made inconsistent +building for nettle. + +Upstream-Status: Pending +Signed-off-by: Haiqing Bai + +refactored for 3.4. pending not in as of 3.4 + +Signed-off-by: Armin Kuster + +Index: nettle-3.4/configure.ac +=================================================================== +--- nettle-3.4.orig/configure.ac ++++ nettle-3.4/configure.ac +@@ -185,9 +185,11 @@ AC_HEADER_TIME + AC_CHECK_SIZEOF(long) + AC_CHECK_SIZEOF(size_t) + +-AC_CHECK_HEADERS([openssl/evp.h openssl/ecdsa.h],, +-[enable_openssl=no +- break]) ++if test "x$enable_openssl" = "xyes"; then ++ AC_CHECK_HEADERS([openssl/evp.h openssl/ecdsa.h],, ++ [enable_openssl=no ++ break]) ++fi + + # For use by the testsuite + AC_CHECK_HEADERS([valgrind/memcheck.h]) diff --git a/recipes-support/nettle/nettle/dlopen-test.patch b/recipes-support/nettle/nettle/dlopen-test.patch new file mode 100644 index 0000000..ab9b91f --- /dev/null +++ b/recipes-support/nettle/nettle/dlopen-test.patch @@ -0,0 +1,29 @@ +Remove the relative path for libnettle.so so the test +program can find it. +Relative paths are not suitable, as the folder strucure for ptest +is different from the one expected by the nettle testsuite. + +Upstream-Status: Inappropriate [embedded specific] + +Signed-off-by: Juro Bystricky +Signed-off-by: Mingli Yu +--- + testsuite/dlopen-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/testsuite/dlopen-test.c b/testsuite/dlopen-test.c +index 4265bf7..1a25d17 100644 +--- a/testsuite/dlopen-test.c ++++ b/testsuite/dlopen-test.c +@@ -15,7 +15,7 @@ int + main (int argc UNUSED, char **argv UNUSED) + { + #if HAVE_LIBDL +- void *handle = dlopen ("../libnettle." SO_EXT, RTLD_NOW); ++ void *handle = dlopen ("libnettle.so", RTLD_NOW); + int (*get_version)(void); + if (!handle) + { +-- +2.17.1 + diff --git a/recipes-support/nettle/nettle/run-ptest b/recipes-support/nettle/nettle/run-ptest new file mode 100644 index 0000000..b90bed6 --- /dev/null +++ b/recipes-support/nettle/nettle/run-ptest @@ -0,0 +1,36 @@ +#! /bin/sh + +cd testsuite + +failed=0 +all=0 + +for f in *-test; do + if [ "$f" = "sha1-huge-test" ] ; then + echo "SKIP: $f (skipped for ludicrous run time)" + continue + fi + + "./$f" + case "$?" in + 0) + echo "PASS: $f" + all=$((all + 1)) + ;; + 77) + echo "SKIP: $f" + ;; + *) + echo "FAIL: $f" + failed=$((failed + 1)) + all=$((all + 1)) + ;; + esac +done + +if [ "$failed" -eq 0 ] ; then + echo "All $all tests passed" +else + echo "$failed of $all tests failed" +fi + diff --git a/recipes-support/nettle/nettle_3.8.1.bb b/recipes-support/nettle/nettle_3.8.1.bb new file mode 100644 index 0000000..bf49132 --- /dev/null +++ b/recipes-support/nettle/nettle_3.8.1.bb @@ -0,0 +1,57 @@ +SUMMARY = "A low level cryptographic library" +DESCRIPTION = "Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space." +HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/" +DESCRIPTION = "It tries to solve a problem of providing a common set of \ +cryptographic algorithms for higher-level applications by implementing a \ +context-independent set of cryptographic algorithms" +SECTION = "libs" +LICENSE = "LGPL-3.0-or-later | GPL-2.0-or-later" + +LIC_FILES_CHKSUM = "file://COPYING.LESSERv3;md5=6a6a8e020838b23406c81b19c1d46df6 \ + file://COPYINGv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://serpent-decrypt.c;beginline=14;endline=36;md5=ca0d220bc413e1842ecc507690ce416e \ + file://serpent-set-key.c;beginline=14;endline=36;md5=ca0d220bc413e1842ecc507690ce416e" + +DEPENDS += "gmp" + +SRC_URI = "${GNU_MIRROR}/${BPN}/${BP}.tar.gz \ + file://Add-target-to-only-build-tests-not-run-them.patch \ + file://run-ptest \ + file://check-header-files-of-openssl-only-if-enable_.patch \ + " + +SRC_URI:append:class-target = "\ + file://dlopen-test.patch \ + " + +SRC_URI[sha256sum] = "364f3e2b77cd7dcde83fd7c45219c834e54b0c75e428b6f894a23d12dd41cbfe" + +UPSTREAM_CHECK_REGEX = "nettle-(?P\d+(\.\d+)+)\.tar" + +inherit autotools ptest multilib_header + +EXTRA_AUTORECONF += "--exclude=aclocal" + +EXTRA_OECONF = "--disable-openssl" + +do_compile_ptest() { + oe_runmake buildtest +} + +do_install:append() { + oe_multilib_header nettle/version.h +} + +do_install_ptest() { + install -d ${D}${PTEST_PATH}/testsuite/ + install ${S}/testsuite/gold-bug.txt ${D}${PTEST_PATH}/testsuite/ + install ${S}/testsuite/*-test ${D}${PTEST_PATH}/testsuite/ + # tools can be found in PATH, not in ../tools/ + sed -i -e 's|../tools/||' ${D}${PTEST_PATH}/testsuite/*-test + install ${B}/testsuite/*-test ${D}${PTEST_PATH}/testsuite/ +} + +RDEPENDS:${PN}-ptest += "${PN}-dev" +INSANE_SKIP:${PN}-ptest += "dev-deps" + +BBCLASSEXTEND = "native nativesdk" -- cgit v1.2.3