author | Patrick Williams <patrick@stwcx.xyz> | 2023-06-15 01:50:09 +0300 |
---|---|---|
committer | Patrick Williams <patrick@stwcx.xyz> | 2023-06-15 01:56:06 +0300 |
commit | c2858f16b31b065f92c42c838cf21d3592bc06e7 (patch) | |
tree | 58ffae2ee30976a58733f0ad4a3e6950b4258987 | |
parent | 841583d6ba5918b60868b708ff0b89cf0409efa7 (diff) | |
download | openbmc-c2858f16b31b065f92c42c838cf21d3592bc06e7.tar.xz |
subtree updates [dunfell]

poky: a631bfc3a3..733d919af4:
  Alex Kiernan (2):
      pypi.bbclass: Set CVE_PRODUCT to PYPI_PACKAGE
      openssh: Move sshdgenkeys.service to sshd.socket

  Arturo Buzarra (1):
      run-postinsts: Set dependency for ldconfig to avoid boot issues

  Ashish Sharma (2):
      connman: Fix CVE-2023-28488 DoS in client.c
      golang: Fix CVE-2023-24539

  Bruce Ashfield (5):
      linux-yocto/5.4: update to v5.4.238
      linux-yocto/5.4: update to v5.4.240
      linux-yocto/5.4: update to v5.4.241
      linux-yocto/5.4: update to v5.4.242
      linux-yocto/5.4: update to v5.4.243

  Dmitry Baryshkov (1):
      linux-firmware: upgrade 20230210 -> 20230404

  Hitendra Prajapati (2):
      git: fix CVE-2023-29007
      git: fix CVE-2023-25652

  Khem Raj (1):
      perf: Depend on native setuptools3

  Marek Vasut (1):
      cpio: Fix wrong CRC with ASCII CRC for large files

  Martin Jansa (1):
      populate_sdk_ext.bbclass: set METADATA_REVISION with an DISTRO override

  Nikhil R (1):
      ffmpeg: Fix CVE-2022-48434

  Peter Marko (1):
      libxml2: patch CVE-2023-28484 and CVE-2023-29469

  Randolph Sapp (1):
      wic/bootimg-efi: if fixed-size is set then use that for mkdosfs

  Ranjitsinh Rathod (1):
      libbsd: Add correct license for all packages

  Shubham Kulkarni (1):
      go: Security fix for CVE-2023-24538

  Siddharth (1):
      curl: ammend fix for CVE-2023-27534 to fix error when ssh is enabled

  Steve Sakoman (1):
      selftest: skip virgl test on ubuntu 22.10, fedora 37, and all rocky

  Thomas Roos (1):
      oeqa/utils/metadata.py: Fix running oe-selftest running with no distro set

  Vijay Anusuri (3):
      ghostscript: Fix CVE-2023-28879
      xserver-xorg: Security fix CVE-2023-0494 and CVE-2023-1393
      go: Security fix CVE-2023-24540

  Vivek Kumbhar (1):
      freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c

  Yoann Congal (1):
      linux-yocto: Exclude 294 CVEs already fixed upstream

meta-openembedded: 7007d14c25..116bfe8d5e:
  Alex Yao (1):
      lcov: Fix Perl Path

  Hitendra Prajapati (1):
      multipath-tools: CVE-2022-41973 Symlink attack multipathd operates insecurely

  Hugo SIMELIERE (3):
      openvpn: add CVE-2020-7224 and CVE-2020-27569 to allowlist
      openvpn: upgrade 2.4.9 -> 2.4.12
      libmodbus: Fix CVE-2022-0367

  Jack Mitchell (2):
      nss: backport fix for native build failure due to implicit casting with gcc13
      nss: backport fix for native build failure due to dangling pointer with gcc13

  Narpat Mali (1):
      nodejs: make 14.18.1 available but not default

  Valeria Petrov (1):
      apache2: upgrade 2.4.56 -> 2.4.57

  Viktor Rosendahl (1):
      jsoncpp: Fix broken handling of escape characters

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I8260e0168ea1ddec7ee03555e4f5653155e0ab45
65 files changed, 4348 insertions, 141 deletions
diff --git a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb index 529e3912bb..55e66036b7 100644 --- a/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.4.9.bb +++ b/meta-openembedded/meta-networking/recipes-support/openvpn/openvpn_2.4.12.bb @@ -14,8 +14,11 @@ SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" -SRC_URI[md5sum] = "52863fa9b98e5a3d7f8bec1d5785a2ba" -SRC_URI[sha256sum] = "46b268ef88e67ca6de2e9f19943eb9e5ac8544e55f5c1f3af677298d03e64b6e" +SRC_URI[md5sum] = "e83d430947fb7c9ad1a174987317d1dc" +SRC_URI[sha256sum] = "66952d9c95490e5875f04c9f8fa313b5e816d1b7b4d6cda3fb2ff749ad405dee" + +# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. +CVE_CHECK_WHITELIST += "CVE-2020-7224 CVE-2020-27569" SYSTEMD_SERVICE_${PN} += "openvpn@loopback-server.service openvpn@loopback-client.service" SYSTEMD_AUTO_ENABLE = "disable" diff --git a/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch b/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch new file mode 100644 index 0000000000..784f175eea --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp/0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch 
@@ -0,0 +1,52 @@ +From 2d5a94aeeab01f0448b5a0bb8d4a9a23a5b790d5 Mon Sep 17 00:00:00 2001 +From: Andrew Childs <lorne@cons.org.nz> +Date: Sat, 28 Dec 2019 16:04:24 +0900 +Subject: [PATCH] json_writer: fix inverted sense in isAnyCharRequiredQuoting + (#1120) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This bug is only affects platforms where `char` is unsigned. + +When char is a signed type, values >= 0x80 are also considered < 0, +and hence require escaping due to the < ' ' condition. + +When char is an unsigned type, values >= 0x80 match none of the +conditions and are considered safe to emit without escaping. + +This shows up as a test failure: + +* Detail of EscapeSequenceTest/writeEscapeSequence test failure: +/build/source/src/test_lib_json/main.cpp(3370): expected == result + Expected: '["\"","\\","\b","\f","\n","\r","\t","\u0278","\ud852\udf62"] + ' + Actual : '["\"","\\","\b","\f","\n","\r","\t","ɸ","𤭢"] + ' +Upstream-Status: Backport [https://github.com/open-source-parsers/jsoncpp/commit/f11611c8785082ead760494cba06196f14a06dcb] + +Signed-off-by: Viktor Rosendahl <Viktor.Rosendahl@bmw.de> + +--- + src/lib_json/json_writer.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/lib_json/json_writer.cpp b/src/lib_json/json_writer.cpp +index 519ce23..b68a638 100644 +--- a/src/lib_json/json_writer.cpp ++++ b/src/lib_json/json_writer.cpp +@@ -178,8 +178,9 @@ static bool isAnyCharRequiredQuoting(char const* s, size_t n) { + + char const* const end = s + n; + for (char const* cur = s; cur < end; ++cur) { +- if (*cur == '\\' || *cur == '\"' || *cur < ' ' || +- static_cast<unsigned char>(*cur) < 0x80) ++ if (*cur == '\\' || *cur == '\"' || ++ static_cast<unsigned char>(*cur) < ' ' || ++ static_cast<unsigned char>(*cur) >= 0x80) + return true; + } + return false; +-- +2.17.1 + 
diff --git a/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb b/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb index 629881f0cf..ae4b4c9840 100644 --- a/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb +++ b/meta-openembedded/meta-oe/recipes-devtools/jsoncpp/jsoncpp_1.9.2.bb @@ -14,7 +14,10 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE;md5=fa2a23dd1dc6c139f35105379d76df2b" SRCREV = "d2e6a971f4544c55b8e3b25cf96db266971b778f" -SRC_URI = "git://github.com/open-source-parsers/jsoncpp;branch=master;protocol=https" +SRC_URI = "\ + git://github.com/open-source-parsers/jsoncpp;branch=master;protocol=https \ + file://0001-json_writer-fix-inverted-sense-in-isAnyCharRequiredQ.patch \ + " S = "${WORKDIR}/git" diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch new file mode 100644 index 0000000000..c719c9c3b0 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch 
@@ -0,0 +1,22 @@ +From 7d94bfe53beeb2d25eb5f2ff6b1d509df7e6ab80 Mon Sep 17 00:00:00 2001 +From: Zuzana Svetlikova <zsvetlik@redhat.com> +Date: Thu, 27 Apr 2017 14:25:42 +0200 +Subject: [PATCH] Disable running gyp on shared deps + +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 93d63110..79caaec2 100644 +--- a/Makefile ++++ b/Makefile +@@ -138,7 +138,7 @@ with-code-cache test-code-cache: + $(warning '$@' target is a noop) + + out/Makefile: config.gypi common.gypi node.gyp \ +- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \ ++ deps/llhttp/llhttp.gyp \ + tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ + tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp + $(PYTHON) tools/gyp_node.py -f make diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch new file mode 100644 index 0000000000..8c5f75112d --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch 
@@ -0,0 +1,40 @@ +From e1d838089cd461d9efcf4d29d9f18f65994d2d6b Mon Sep 17 00:00:00 2001 +From: Alexander Kanavin <alex@linutronix.de> +Date: Sun, 3 Oct 2021 22:48:39 +0200 +Subject: [PATCH] jinja/tests.py: add py 3.10 fix + +Upstream-Status: Pending +Signed-off-by: Alexander Kanavin <alex@linutronix.de> +--- + deps/v8/third_party/jinja2/tests.py | 2 +- + tools/inspector_protocol/jinja2/tests.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/deps/v8/third_party/jinja2/tests.py b/deps/v8/third_party/jinja2/tests.py +index 0adc3d4..b14f85f 100644 +--- a/deps/v8/third_party/jinja2/tests.py ++++ b/deps/v8/third_party/jinja2/tests.py +@@ -10,7 +10,7 @@ + """ + import operator + import re +-from collections import Mapping ++from collections.abc import Mapping + from jinja2.runtime import Undefined + from jinja2._compat import text_type, string_types, integer_types + import decimal +diff --git a/tools/inspector_protocol/jinja2/tests.py b/tools/inspector_protocol/jinja2/tests.py +index 0adc3d4..b14f85f 100644 +--- a/tools/inspector_protocol/jinja2/tests.py ++++ b/tools/inspector_protocol/jinja2/tests.py +@@ -10,7 +10,7 @@ + """ + import operator + import re +-from collections import Mapping ++from collections.abc import Mapping + from jinja2.runtime import Undefined + from jinja2._compat import text_type, string_types, integer_types + import decimal +-- +2.20.1 diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch new file mode 100644 index 0000000000..ee287bf94a --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch 
@@ -0,0 +1,27 @@ +From 0976af0f3b328436ea44a74a406f311adb2ab211 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Tue, 15 Jun 2021 19:01:31 -0700 +Subject: [PATCH] ppc64: Do not use -mminimal-toc with clang + +clang does not support this option + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + common.gypi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/common.gypi b/common.gypi +index ee91fb1d..049c8f8c 100644 +--- a/common.gypi ++++ b/common.gypi +@@ -413,7 +413,7 @@ + 'ldflags': [ '-m32' ], + }], + [ 'target_arch=="ppc64" and OS!="aix"', { +- 'cflags': [ '-m64', '-mminimal-toc' ], ++ 'cflags': [ '-m64' ], + 'ldflags': [ '-m64' ], + }], + [ 'target_arch=="s390x"', { +-- +2.32.0 diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch new file mode 100644 index 0000000000..c6fc2dcd76 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0002-Using-native-binaries-nodejs14.patch 
@@ -0,0 +1,62 @@ +From 6c3ac20477a4bac643088f24df3c042e627fafa9 Mon Sep 17 00:00:00 2001 +From: Guillaume Burel <guillaume.burel@stormshield.eu> +Date: Fri, 3 Jan 2020 11:25:54 +0100 +Subject: [PATCH] Using native binaries + +--- + node.gyp | 4 ++-- + tools/v8_gypfiles/v8.gyp | 11 ++++------- + 2 files changed, 6 insertions(+), 9 deletions(-) + +--- a/node.gyp ++++ b/node.gyp +@@ -487,6 +487,7 @@ + 'action_name': 'run_mkcodecache', + 'process_outputs_as_sources': 1, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(mkcodecache_exec)', + ], + 'outputs': [ +@@ -512,6 +513,7 @@ + 'action_name': 'node_mksnapshot', + 'process_outputs_as_sources': 1, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(node_mksnapshot_exec)', + ], + 'outputs': [ +--- a/tools/v8_gypfiles/v8.gyp ++++ b/tools/v8_gypfiles/v8.gyp +@@ -220,6 +220,7 @@ + { + 'action_name': 'run_torque_action', + 'inputs': [ # Order matters. ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)torque<(EXECUTABLE_SUFFIX)', + '<@(torque_files)', + ], +@@ -351,6 +352,7 @@ + { + 'action_name': 'generate_bytecode_builtins_list_action', + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)bytecode_builtins_list_generator<(EXECUTABLE_SUFFIX)', + ], + 'outputs': [ +@@ -533,6 +535,7 @@ + ], + }, + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(mksnapshot_exec)', + ], + 'outputs': [ +@@ -1448,6 +1451,7 @@ + { + 'action_name': 'run_gen-regexp-special-case_action', + 'inputs': [ ++ '<(PRODUCT_DIR)/v8-qemu-wrapper.sh', + '<(PRODUCT_DIR)/<(EXECUTABLE_PREFIX)gen-regexp-special-case<(EXECUTABLE_SUFFIX)', + ], + 'outputs': [ diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch new file mode 100644 index 0000000000..3c4b2317d8 --- /dev/null 
+++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/0003-Install-both-binaries-and-use-libdir-nodejs14.patch 
@@ -0,0 +1,84 @@ +From 5b22fac923d1ca3e9fefb97f5a171124a88f5e22 Mon Sep 17 00:00:00 2001 +From: Elliott Sales de Andrade <quantum.analyst@gmail.com> +Date: Tue, 19 Mar 2019 23:22:40 -0400 +Subject: [PATCH] Install both binaries and use libdir. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This allows us to build with a shared library for other users while +still providing the normal executable. + +Taken from - https://src.fedoraproject.org/rpms/nodejs/raw/rawhide/f/0002-Install-both-binaries-and-use-libdir.patch + +Upstream-Status: Pending + +Signed-off-by: Elliott Sales de Andrade <quantum.analyst@gmail.com> +Signed-off-by: Andreas Müller <schnitzeltony@gmail.com> +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + configure.py | 7 +++++++ + tools/install.py | 21 +++++++++------------ + 2 files changed, 16 insertions(+), 12 deletions(-) + +diff --git a/configure.py b/configure.py +index e6f7e4db..6cf5c45d 100755 +--- a/configure.py ++++ b/configure.py +@@ -626,6 +626,12 @@ parser.add_option('--shared', + help='compile shared library for embedding node in another project. 
' + + '(This mode is not officially supported for regular applications)') + ++parser.add_option('--libdir', ++ action='store', ++ dest='libdir', ++ default='lib', ++ help='a directory to install the shared library into') ++ + parser.add_option('--without-v8-platform', + action='store_true', + dest='without_v8_platform', +@@ -1202,6 +1208,7 @@ def configure_node(o): + o['variables']['node_no_browser_globals'] = b(options.no_browser_globals) + + o['variables']['node_shared'] = b(options.shared) ++ o['variables']['libdir'] = options.libdir + node_module_version = getmoduleversion.get_version() + + if options.dest_os == 'android': +diff --git a/tools/install.py b/tools/install.py +index 729b416f..9bfc6234 100755 +--- a/tools/install.py ++++ b/tools/install.py +@@ -121,22 +121,19 @@ def subdir_files(path, dest, action): + + def files(action): + is_windows = sys.platform == 'win32' +- output_file = 'node' + output_prefix = 'out/Release/' ++ output_libprefix = output_prefix + +- if 'false' == variables.get('node_shared'): +- if is_windows: +- output_file += '.exe' ++ if is_windows: ++ output_bin = 'node.exe' ++ output_lib = 'node.dll' + else: +- if is_windows: +- output_file += '.dll' +- else: +- output_file = 'lib' + output_file + '.' + variables.get('shlib_suffix') ++ output_bin = 'node' ++ output_lib = 'libnode.' + variables.get('shlib_suffix') + +- if 'false' == variables.get('node_shared'): +- action([output_prefix + output_file], 'bin/' + output_file) +- else: +- action([output_prefix + output_file], 'lib/' + output_file) ++ action([output_prefix + output_bin], 'bin/' + output_bin) ++ if 'true' == variables.get('node_shared'): ++ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib) + + if 'true' == variables.get('node_use_dtrace'): + action(['out/Release/node.d'], 'lib/dtrace/node.d') 
diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch new file mode 100644 index 0000000000..cdf6bc8e23 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/libatomic-nodejs14.patch @@ -0,0 +1,21 @@ +Link mksnapshot with libatomic on x86 + +Clang-12 on x86 emits atomic builtins + +Fixes +| module-compiler.cc:(.text._ZN2v88internal4wasm12_GLOBAL__N_123ExecuteCompilationUnitsERKSt10shared_ptrINS2_22BackgroundCompileTokenEEPNS0_8CountersEiNS2_19CompileBaselineOnlyE+0x558): un +defined reference to `__atomic_load' + +Upstream-Status: Pending +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- a/tools/v8_gypfiles/v8.gyp ++++ b/tools/v8_gypfiles/v8.gyp +@@ -1336,6 +1336,7 @@ + { + 'target_name': 'mksnapshot', + 'type': 'executable', ++ 'libraries': [ '-latomic' ], + 'dependencies': [ + 'v8_base_without_compiler', + 'v8_compiler_for_mksnapshot', diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch new file mode 100644 index 0000000000..21a2281231 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs/mips-less-memory-nodejs14.patch 
@@ -0,0 +1,32 @@ +Description: mksnapshot uses too much memory on 32-bit mipsel +Author: Jérémy Lal <kapouer@melix.org> +Last-Update: 2020-06-03 +Forwarded: https://bugs.chromium.org/p/v8/issues/detail?id=10586 + +This ensures that we reserve 500M instead of 2G range for codegen +ensures that qemu-mips can allocate such large ranges + +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +--- a/deps/v8/src/common/globals.h ++++ b/deps/v8/src/common/globals.h +@@ -224,7 +224,7 @@ constexpr size_t kMinimumCodeRangeSize = + constexpr size_t kMinExpectedOSPageSize = 64 * KB; // OS page on PPC Linux + #elif V8_TARGET_ARCH_MIPS + constexpr bool kPlatformRequiresCodeRange = false; +-constexpr size_t kMaximalCodeRangeSize = 2048LL * MB; ++constexpr size_t kMaximalCodeRangeSize = 512 * MB; + constexpr size_t kMinimumCodeRangeSize = 0 * MB; + constexpr size_t kMinExpectedOSPageSize = 4 * KB; // OS page. + #else +--- a/deps/v8/src/codegen/mips/constants-mips.h ++++ b/deps/v8/src/codegen/mips/constants-mips.h +@@ -140,7 +140,7 @@ const uint32_t kLeastSignificantByteInIn + namespace v8 { + namespace internal { + +-constexpr size_t kMaxPCRelativeCodeRangeInMB = 4096; ++constexpr size_t kMaxPCRelativeCodeRangeInMB = 1024; + + // ----------------------------------------------------------------------------- + // Registers and FPURegisters. diff --git a/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb new file mode 100644 index 0000000000..fc886817ac --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-devtools/nodejs/nodejs_14.18.1.bb 
@@ -0,0 +1,205 @@ +DESCRIPTION = "nodeJS Evented I/O for V8 JavaScript" +HOMEPAGE = "http://nodejs.org" +LICENSE = "MIT & BSD & Artistic-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=6768abdfc4dae4fde59d6b4df96930f3" + +DEFAULT_PREFERENCE = "-1" + +DEPENDS = "openssl" +DEPENDS:append:class-target = " qemu-native" +DEPENDS:append:class-native = " c-ares-native" + +inherit pkgconfig python3native qemu + +COMPATIBLE_MACHINE:armv4 = "(!.*armv4).*" +COMPATIBLE_MACHINE:armv5 = "(!.*armv5).*" +COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*" + +COMPATIBLE_HOST:riscv64 = "null" +COMPATIBLE_HOST:riscv32 = "null" + +SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ + file://0001-Disable-running-gyp-files-for-bundled-deps-nodejs14.patch \ + file://0003-Install-both-binaries-and-use-libdir-nodejs14.patch \ + file://0004-v8-don-t-override-ARM-CFLAGS.patch \ + file://big-endian.patch \ + file://mips-warnings.patch \ + file://mips-less-memory-nodejs14.patch \ + file://0001-jinja-tests.py-add-py-3.10-fix-nodejs14.patch \ + file://CVE-2022-32212.patch \ + file://CVE-2022-35255.patch \ + file://CVE-2022-43548.patch \ + " +SRC_URI:append:class-target = " \ + file://0002-Using-native-binaries-nodejs14.patch \ + " +SRC_URI:append:toolchain-clang:x86 = " \ + file://libatomic-nodejs14.patch \ + " +SRC_URI:append:toolchain-clang:powerpc64le = " \ + file://0001-ppc64-Do-not-use-mminimal-toc-with-clang-nodejs14.patch \ + " +SRC_URI[sha256sum] = "3fa1d71adddfab2f5e3e41874b4eddbdf92b65cade4a43922fb1e437afcf89ed" + +S = "${WORKDIR}/node-v${PV}" + +# v8 errors out if you have set CCACHE +CCACHE = "" + +def map_nodejs_arch(a, d): + import re + + if re.match('i.86$', a): return 'ia32' + elif re.match('x86_64$', a): return 'x64' + elif re.match('aarch64$', a): return 'arm64' + elif re.match('(powerpc64|powerpc64le|ppc64le)$', a): return 'ppc64' + elif re.match('powerpc$', a): return 'ppc' + return a + +ARCHFLAGS:arm = "${@bb.utils.contains('TUNE_FEATURES', 'callconvention-hard', 
'--with-arm-float-abi=hard', '--with-arm-float-abi=softfp', d)} \ + ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-arm-fpu=neon', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3d16', '--with-arm-fpu=vfpv3-d16', \ + bb.utils.contains('TUNE_FEATURES', 'vfpv3', '--with-arm-fpu=vfpv3', \ + '--with-arm-fpu=vfp', d), d), d)}" +GYP_DEFINES:append:mipsel = " mips_arch_variant='r1' " +ARCHFLAGS ?= "" + +PACKAGECONFIG ??= "brotli icu zlib" + +PACKAGECONFIG[ares] = "--shared-cares,,c-ares" +PACKAGECONFIG[brotli] = "--shared-brotli,,brotli" +PACKAGECONFIG[icu] = "--with-intl=system-icu,--without-intl,icu" +PACKAGECONFIG[libuv] = "--shared-libuv,,libuv" +PACKAGECONFIG[nghttp2] = "--shared-nghttp2,,nghttp2" +PACKAGECONFIG[shared] = "--shared" +PACKAGECONFIG[zlib] = "--shared-zlib,,zlib" + +# We don't want to cross-compile during target compile, +# and we need to use the right flags during host compile, +# too. +EXTRA_OEMAKE = "\ + CC.host='${CC}' \ + CFLAGS.host='${CPPFLAGS} ${CFLAGS}' \ + CXX.host='${CXX}' \ + CXXFLAGS.host='${CPPFLAGS} ${CXXFLAGS}' \ + LDFLAGS.host='${LDFLAGS}' \ + AR.host='${AR}' \ + \ + builddir_name=./ \ +" + +python do_unpack() { + import shutil + + bb.build.exec_func('base_do_unpack', d) + + if 'ares' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/cares', True) + if 'brotli' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/brotli', True) + if 'libuv' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/uv', True) + if 'nghttp2' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/nghttp2', True) + if 'zlib' in d.getVar('PACKAGECONFIG'): + shutil.rmtree(d.getVar('S') + '/deps/zlib', True) +} + +# V8's JIT infrastructure requires binaries such as mksnapshot and +# mkpeephole to be run in the host during the build. However, these +# binaries must have the same bit-width as the target (e.g. a x86_64 +# host targeting ARMv6 needs to produce a 32-bit binary). 
Instead of +# depending on a third Yocto toolchain, we just build those binaries +# for the target and run them on the host with QEMU. +python do_create_v8_qemu_wrapper () { + """Creates a small wrapper that invokes QEMU to run some target V8 binaries + on the host.""" + qemu_libdirs = [d.expand('${STAGING_DIR_HOST}${libdir}'), + d.expand('${STAGING_DIR_HOST}${base_libdir}')] + qemu_cmd = qemu_wrapper_cmdline(d, d.getVar('STAGING_DIR_HOST', True), + qemu_libdirs) + wrapper_path = d.expand('${B}/v8-qemu-wrapper.sh') + with open(wrapper_path, 'w') as wrapper_file: + wrapper_file.write("""#!/bin/sh + +# This file has been generated automatically. +# It invokes QEMU to run binaries built for the target in the host during the +# build process. + +%s "$@" +""" % qemu_cmd) + os.chmod(wrapper_path, 0o755) +} + +do_create_v8_qemu_wrapper[dirs] = "${B}" +addtask create_v8_qemu_wrapper after do_configure before do_compile + +LDFLAGS:append:x86 = " -latomic" + +# Node is way too cool to use proper autotools, so we install two wrappers to forcefully inject proper arch cflags to workaround gypi +do_configure () { + export LD="${CXX}" + GYP_DEFINES="${GYP_DEFINES}" export GYP_DEFINES + # $TARGET_ARCH settings don't match --dest-cpu settings + python3 configure.py --prefix=${prefix} --cross-compiling \ + --without-dtrace \ + --without-etw \ + --dest-cpu="${@map_nodejs_arch(d.getVar('TARGET_ARCH'), d)}" \ + --dest-os=linux \ + --libdir=${D}${libdir} \ + ${ARCHFLAGS} \ + ${PACKAGECONFIG_CONFARGS} +} + +do_compile () { + export LD="${CXX}" + install -Dm 0755 ${B}/v8-qemu-wrapper.sh ${B}/out/Release/v8-qemu-wrapper.sh + oe_runmake BUILDTYPE=Release +} + +do_install () { + oe_runmake install DESTDIR=${D} + + # wasn't updated since 2009 and is the only thing requiring python2 in runtime + # ERROR: nodejs-12.14.1-r0 do_package_qa: QA Issue: /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples contained in package nodejs-npm requires /usr/bin/python, but no providers found 
in RDEPENDS:nodejs-npm? [file-rdeps] + rm -f ${D}${exec_prefix}/lib/node_modules/npm/node_modules/node-gyp/gyp/samples/samples +} + +do_install:append:class-native() { + # use node from PATH instead of absolute path to sysroot + # node-v0.10.25/tools/install.py is using: + # shebang = os.path.join(node_prefix, 'bin/node') + # update_shebang(link_path, shebang) + # and node_prefix can be very long path to bindir in native sysroot and + # when it exceeds 128 character shebang limit it's stripped to incorrect path + # and npm fails to execute like in this case with 133 characters show in log.do_install: + # updating shebang of /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/work/x86_64-linux/nodejs-native/0.10.15-r0/image/home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/npm to /home/jenkins/workspace/build-webos-nightly/device/qemux86/label/open-webos-builder/BUILD-qemux86/sysroots/x86_64-linux/usr/bin/node + # /usr/bin/npm is symlink to /usr/lib/node_modules/npm/bin/npm-cli.js + # use sed on npm-cli.js because otherwise symlink is replaced with normal file and + # npm-cli.js continues to use old shebang + sed "1s^.*^#\!/usr/bin/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js + + # Install the native binaries to provide it within sysroot for the target compilation + install -d ${D}${bindir} + install -m 0755 ${S}/out/Release/torque ${D}${bindir}/torque + install -m 0755 ${S}/out/Release/bytecode_builtins_list_generator ${D}${bindir}/bytecode_builtins_list_generator + if ${@bb.utils.contains('PACKAGECONFIG','icu','true','false',d)}; then + install -m 0755 ${S}/out/Release/gen-regexp-special-case ${D}${bindir}/gen-regexp-special-case + fi + install -m 0755 ${S}/out/Release/mkcodecache ${D}${bindir}/mkcodecache + install -m 0755 ${S}/out/Release/node_mksnapshot ${D}${bindir}/node_mksnapshot +} + 
+do_install:append:class-target() { + sed "1s^.*^#\!${bindir}/env node^g" -i ${D}${exec_prefix}/lib/node_modules/npm/bin/npm-cli.js +} + +PACKAGES =+ "${PN}-npm" +FILES:${PN}-npm = "${exec_prefix}/lib/node_modules ${bindir}/npm ${bindir}/npx" +RDEPENDS:${PN}-npm = "bash python3-core python3-shell python3-datetime \ + python3-misc python3-multiprocessing" + +PACKAGES =+ "${PN}-systemtap" +FILES:${PN}-systemtap = "${datadir}/systemtap" + +BBCLASSEXTEND = "native" diff --git a/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch b/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch new file mode 100644 index 0000000000..2aec818574 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus/CVE-2022-0367.patch 
@@ -0,0 +1,38 @@ +From 790ff6dad16b70e68804a2d53ad54db40412e889 Mon Sep 17 00:00:00 2001 +From: Michael Heimpold <mhei@heimpold.de> +Date: Sat, 8 Jan 2022 20:00:50 +0100 +Subject: [PATCH] modbus_reply: fix copy & paste error in sanity check (fixes + #614) + +[ Upstream commit b4ef4c17d618eba0adccc4c7d9e9a1ef809fc9b6 ] + +While handling MODBUS_FC_WRITE_AND_READ_REGISTERS, both address offsets +must be checked, i.e. the read and the write address must be within the +mapping range. + +At the moment, only the read address was considered, it looks like a +simple copy and paste error, so let's fix it. + +CVE: CVE-2022-0367 + +Signed-off-by: Michael Heimpold <mhei@heimpold.de> +--- + src/modbus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/modbus.c b/src/modbus.c +index 68a28a3..c871152 100644 +--- a/src/modbus.c ++++ b/src/modbus.c +@@ -961,7 +961,7 @@ int modbus_reply(modbus_t *ctx, const uint8_t *req, + nb_write, nb, MODBUS_MAX_WR_WRITE_REGISTERS, MODBUS_MAX_WR_READ_REGISTERS); + } else if (mapping_address < 0 || + (mapping_address + nb) > mb_mapping->nb_registers || +- mapping_address < 0 || ++ mapping_address_write < 0 || + (mapping_address_write + nb_write) > mb_mapping->nb_registers) { + rsp_length = response_exception( + ctx, &sft, MODBUS_EXCEPTION_ILLEGAL_DATA_ADDRESS, rsp, FALSE, +-- +2.39.1 + diff --git a/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb b/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb index 075487ae90..5c59312760 100644 --- a/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb +++ b/meta-openembedded/meta-oe/recipes-extended/libmodbus/libmodbus_3.1.6.bb 
@@ -2,7 +2,10 @@ require libmodbus.inc SRC_URI += "file://f1eb4bc7ccb09cd8d19ab641ee37637f8c34d16d.patch \ file://Fix-float-endianness-issue-on-big-endian-arch.patch \ - file://Fix-typo.patch" + file://Fix-typo.patch \ + file://CVE-2022-0367.patch \ + " + SRC_URI[md5sum] = "15c84c1f7fb49502b3efaaa668cfd25e" SRC_URI[sha256sum] = "d7d9fa94a16edb094e5fdf5d87ae17a0dc3f3e3d687fead81835d9572cf87c16" diff --git a/meta-openembedded/meta-oe/recipes-support/lcov/lcov_1.14.bb b/meta-openembedded/meta-oe/recipes-support/lcov/lcov_1.14.bb index 0cc8b31b3f..5e8fb938cf 100755 --- a/meta-openembedded/meta-oe/recipes-support/lcov/lcov_1.14.bb +++ b/meta-openembedded/meta-oe/recipes-support/lcov/lcov_1.14.bb @@ -59,7 +59,7 @@ SRC_URI[md5sum] = "0220d01753469f83921f8f41ae5054c1" SRC_URI[sha256sum] = "14995699187440e0ae4da57fe3a64adc0a3c5cf14feab971f8db38fb7d8f071a" do_install() { - oe_runmake install PREFIX=${D}${prefix} CFG_DIR=${D}${sysconfdir} + oe_runmake install PREFIX=${D}${prefix} CFG_DIR=${D}${sysconfdir} LCOV_PERL_PATH="/usr/bin/env perl" } BBCLASSEXTEND = "native nativesdk" diff --git a/meta-openembedded/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch b/meta-openembedded/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch new file mode 100644 index 0000000000..d06ef44f68 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch 
@@ -0,0 +1,154 @@ +From cb57b930fa690ab79b3904846634681685e3470f Mon Sep 17 00:00:00 2001 +From: Martin Wilck <mwilck@suse.com> +Date: Thu, 1 Sep 2022 19:21:30 +0200 +Subject: [PATCH] multipath-tools: use /run instead of /dev/shm + +/dev/shm may have unsafe permissions. Use /run instead. +Use systemd's tmpfiles.d mechanism to create /run/multipath +early during boot. + +For backward compatibilty, make the runtime directory configurable +via the "runtimedir" make variable. + +Signed-off-by: Martin Wilck <mwilck@suse.com> +Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com> + +CVE: CVE-2022-41973 +Upstream-Status: Backport [https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + .gitignore | 2 ++ + Makefile.inc | 7 ++++++- + libmultipath/defaults.h | 3 +-- + multipath/Makefile | 11 ++++++++--- + multipath/{multipath.rules => multipath.rules.in} | 4 ++-- + multipath/tmpfiles.conf.in | 1 + + 6 files changed, 20 insertions(+), 8 deletions(-) + rename multipath/{multipath.rules => multipath.rules.in} (95%) + create mode 100644 multipath/tmpfiles.conf.in + +diff --git a/.gitignore b/.gitignore +index 9926756b..f90b0350 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -8,6 +8,8 @@ + *.d + kpartx/kpartx + multipath/multipath ++multipath/multipath.rules ++multipath/tmpfiles.conf + multipathd/multipathd + mpathpersist/mpathpersist + .nfs* +diff --git a/Makefile.inc b/Makefile.inc +index 4eb08eed..648f91b4 100644 +--- a/Makefile.inc ++++ b/Makefile.inc +@@ -44,6 +44,7 @@ exec_prefix = $(prefix) + usr_prefix = $(prefix) + bindir = $(exec_prefix)/usr/sbin + libudevdir = $(prefix)/$(SYSTEMDPATH)/udev ++tmpfilesdir = $(prefix)/$(SYSTEMDPATH)/tmpfiles.d + udevrulesdir = $(libudevdir)/rules.d + multipathdir = $(TOPDIR)/libmultipath + man8dir = $(prefix)/usr/share/man/man8 +@@ -60,6 +61,7 @@ libdmmpdir = $(TOPDIR)/libdmmp + nvmedir = $(TOPDIR)/libmultipath/nvme + includedir = 
$(prefix)/usr/include + pkgconfdir = $(usrlibdir)/pkgconfig ++runtimedir := /$(RUN) + + GZIP = gzip -9 -c + RM = rm -f +@@ -95,7 +97,10 @@ OPTFLAGS += -Wextra -Wstrict-prototypes -Wformat=2 -Werror=implicit-int \ + -Wno-unused-parameter -Werror=cast-qual \ + -Werror=discarded-qualifiers + +-CPPFLAGS := -Wp,-D_FORTIFY_SOURCE=2 ++CPPFLAGS := $(FORTIFY_OPT) \ ++ -DBIN_DIR=\"$(bindir)\" -DMULTIPATH_DIR=\"$(plugindir)\" -DRUN_DIR=\"${RUN}\" \ ++ -DRUNTIME_DIR=\"$(runtimedir)\" \ ++ -DCONFIG_DIR=\"$(configdir)\" -DEXTRAVERSION=\"$(EXTRAVERSION)\" -MMD -MP + CFLAGS := $(OPTFLAGS) -DBIN_DIR=\"$(bindir)\" -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\" \ + -MMD -MP $(CFLAGS) + BIN_CFLAGS = -fPIE -DPIE +diff --git a/libmultipath/defaults.h b/libmultipath/defaults.h +index c2164c16..908e0ca3 100644 +--- a/libmultipath/defaults.h ++++ b/libmultipath/defaults.h +@@ -64,8 +64,7 @@ + #define DEFAULT_WWIDS_FILE "/etc/multipath/wwids" + #define DEFAULT_PRKEYS_FILE "/etc/multipath/prkeys" + #define DEFAULT_CONFIG_DIR "/etc/multipath/conf.d" +-#define MULTIPATH_SHM_BASE "/dev/shm/multipath/" +- ++#define MULTIPATH_SHM_BASE RUNTIME_DIR "/multipath/" + + static inline char *set_default(char *str) + { +diff --git a/multipath/Makefile b/multipath/Makefile +index e720c7f6..28976546 100644 +--- a/multipath/Makefile ++++ b/multipath/Makefile +@@ -12,7 +12,7 @@ EXEC = multipath + + OBJS = main.o + +-all: $(EXEC) ++all: $(EXEC) multipath.rules tmpfiles.conf + + $(EXEC): $(OBJS) $(multipathdir)/libmultipath.so $(mpathcmddir)/libmpathcmd.so + $(CC) $(CFLAGS) $(OBJS) -o $(EXEC) $(LDFLAGS) $(LIBDEPS) +@@ -26,7 +26,9 @@ install: + $(INSTALL_PROGRAM) -m 755 mpathconf $(DESTDIR)$(bindir)/ + $(INSTALL_PROGRAM) -d $(DESTDIR)$(udevrulesdir) + $(INSTALL_PROGRAM) -m 644 11-dm-mpath.rules $(DESTDIR)$(udevrulesdir) +- $(INSTALL_PROGRAM) -m 644 $(EXEC).rules $(DESTDIR)$(libudevdir)/rules.d/62-multipath.rules ++ $(INSTALL_PROGRAM) -m 644 multipath.rules $(DESTDIR)$(udevrulesdir)/56-multipath.rules ++ 
$(INSTALL_PROGRAM) -d $(DESTDIR)$(tmpfilesdir) ++ $(INSTALL_PROGRAM) -m 644 tmpfiles.conf $(DESTDIR)$(tmpfilesdir)/multipath.conf + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -m 644 $(EXEC).8.gz $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man5dir) +@@ -43,9 +45,12 @@ uninstall: + $(RM) $(DESTDIR)$(man8dir)/mpathconf.8.gz + + clean: dep_clean +- $(RM) core *.o $(EXEC) *.gz ++ $(RM) core *.o $(EXEC) multipath.rules tmpfiles.conf + + include $(wildcard $(OBJS:.o=.d)) + + dep_clean: + $(RM) $(OBJS:.o=.d) ++ ++%: %.in ++ sed 's,@RUNTIME_DIR@,$(runtimedir),' $< >$@ +diff --git a/multipath/multipath.rules b/multipath/multipath.rules.in +similarity index 95% +rename from multipath/multipath.rules +rename to multipath/multipath.rules.in +index 0486bf70..5fb499e6 100644 +--- a/multipath/multipath.rules ++++ b/multipath/multipath.rules.in +@@ -1,8 +1,8 @@ + # Set DM_MULTIPATH_DEVICE_PATH if the device should be handled by multipath + SUBSYSTEM!="block", GOTO="end_mpath" + KERNEL!="sd*|dasd*|nvme*", GOTO="end_mpath" +-ACTION=="remove", TEST=="/dev/shm/multipath/find_multipaths/$major:$minor", \ +- RUN+="/usr/bin/rm -f /dev/shm/multipath/find_multipaths/$major:$minor" ++ACTION=="remove", TEST=="@RUNTIME_DIR@/multipath/find_multipaths/$major:$minor", \ ++ RUN+="/usr/bin/rm -f @RUNTIME_DIR@/multipath/find_multipaths/$major:$minor" + ACTION!="add|change", GOTO="end_mpath" + + IMPORT{cmdline}="nompath" +diff --git a/multipath/tmpfiles.conf.in b/multipath/tmpfiles.conf.in +new file mode 100644 +index 00000000..21be438a +--- /dev/null ++++ b/multipath/tmpfiles.conf.in +@@ -0,0 +1 @@ ++d @RUNTIME_DIR@/multipath 0700 root root - +-- +2.25.1 + diff --git a/meta-openembedded/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb b/meta-openembedded/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb index 90cfd7d202..23273f5d5b 100644 --- a/meta-openembedded/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb 
+++ b/meta-openembedded/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb @@ -45,6 +45,7 @@ SRC_URI = "git://github.com/opensvc/multipath-tools.git;protocol=http;branch=mas file://0031-Always-use-devmapper-for-kpartx.patch \ file://0001-fix-bug-of-do_compile-and-do_install.patch \ file://0001-add-explicit-dependency-on-libraries.patch \ + file://CVE-2022-41973.patch \ " LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2" @@ -117,3 +118,6 @@ FILES_kpartx = "${base_sbindir}/kpartx \ RDEPENDS_${PN} += "kpartx" PARALLEL_MAKE = "" + +FILES:${PN}-libs += "usr/lib/*.so.*" +FILES:${PN}-libs += "usr/lib/tmpfiles.d/*" diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch b/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch new file mode 100644 index 0000000000..b935d9eec5 --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch 
@@ -0,0 +1,46 @@ +From 4e7e332b25a2794f381323518e52d8d95273b69e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Franti=C5=A1ek=20Kren=C5=BEelok?= <fkrenzel@redhat.com> +Date: Mon, 30 Jan 2023 12:59:20 +0000 +Subject: [PATCH] Bug 1812671 - build failure while implicitly casting + SECStatus to PRUInt32. r=nss-reviewers,mt + +Author of the patch: Bob Relyea <rrelyea@redhat.com> + +Differential Revision: https://phabricator.services.mozilla.com/D167983 + +--HG-- +extra : moz-landing-system : lando +--- + lib/ssl/ssl3exthandle.c | 2 +- + lib/ssl/sslsnce.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c +index b5ae62f39..7134447bf 100644 +--- a/lib/ssl/ssl3exthandle.c ++++ b/lib/ssl/ssl3exthandle.c +@@ -201,7 +201,7 @@ ssl3_FreeSniNameArray(TLSExtensionData *xtnData) + * Clients sends a filled in session ticket if one is available, and otherwise + * sends an empty ticket. Servers always send empty tickets. + */ +-PRInt32 ++SECStatus + ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData, + sslBuffer *buf, PRBool *added) + { +diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c +index 56edafa1f..49f041c97 100644 +--- a/lib/ssl/sslsnce.c ++++ b/lib/ssl/sslsnce.c +@@ -1820,7 +1820,7 @@ ssl_GetSelfEncryptKeyPair(SECKEYPublicKey **pubKey, + return SECSuccess; + } + +-static PRBool ++static SECStatus + ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName, + PK11SymKey **aesKey, PK11SymKey **macKey); + +-- +2.40.1 + diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch b/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch new file mode 100644 index 0000000000..dc7e172aae --- /dev/null +++ b/meta-openembedded/meta-oe/recipes-support/nss/nss/0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch 
@@ -0,0 +1,75 @@ +From cbf5a2bce75ca2c2fd3e247796b9892f5298584e Mon Sep 17 00:00:00 2001 +From: "John M. Schanck" <jschanck@mozilla.com> +Date: Thu, 13 Apr 2023 17:43:46 +0000 +Subject: [PATCH] Bug 1826650 - cmd/ecperf: fix dangling pointer warning on gcc + 13. r=djackson + +Differential Revision: https://phabricator.services.mozilla.com/D174822 + +--HG-- +extra : moz-landing-system : lando +--- + cmd/ecperf/ecperf.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/cmd/ecperf/ecperf.c b/cmd/ecperf/ecperf.c +index 705d68f35..a07004d8e 100644 +--- a/cmd/ecperf/ecperf.c ++++ b/cmd/ecperf/ecperf.c +@@ -53,6 +53,7 @@ PKCS11Thread(void *data) + SECItem sig; + CK_SESSION_HANDLE session; + CK_RV crv; ++ void *tmp = NULL; + + threadData->status = SECSuccess; + threadData->count = 0; +@@ -68,6 +69,7 @@ PKCS11Thread(void *data) + if (threadData->isSign) { + sig.data = sigData; + sig.len = sizeof(sigData); ++ tmp = threadData->p2; + threadData->p2 = (void *)&sig; + } + +@@ -79,6 +81,10 @@ PKCS11Thread(void *data) + } + threadData->count++; + } ++ ++ if (threadData->isSign) { ++ threadData->p2 = tmp; ++ } + return; + } + +@@ -89,6 +95,7 @@ genericThread(void *data) + int iters = threadData->iters; + unsigned char sigData[256]; + SECItem sig; ++ void *tmp = NULL; + + threadData->status = SECSuccess; + threadData->count = 0; +@@ -96,6 +103,7 @@ genericThread(void *data) + if (threadData->isSign) { + sig.data = sigData; + sig.len = sizeof(sigData); ++ tmp = threadData->p2; + threadData->p2 = (void *)&sig; + } + +@@ -107,6 +115,10 @@ genericThread(void *data) + } + threadData->count++; + } ++ ++ if (threadData->isSign) { ++ threadData->p2 = tmp; ++ } + return; + } + +-- +2.40.1 + diff --git a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb index 1de2a40094..af842ee67c 100644 --- a/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb 
+++ b/meta-openembedded/meta-oe/recipes-support/nss/nss_3.51.1.bb @@ -43,6 +43,8 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO file://CVE-2021-43527.patch \ file://CVE-2022-22747.patch \ file://CVE-2023-0767.patch \ + file://0001-Bug-1812671-build-failure-while-implicitly-casting-S.patch;patchdir=nss \ + file://0001-Bug-1826650-cmd-ecperf-fix-dangling-pointer-warning-.patch;patchdir=nss \ " SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233" diff --git a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch new file mode 100644 index 0000000000..996eabf586 --- /dev/null +++ b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2/0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch 
@@ -0,0 +1,31 @@ +From 5c9257fa34335ff83f7c01581cf953111072a457 Mon Sep 17 00:00:00 2001 +From: Valeria Petrov <valeria.petrov@spinetix.com> +Date: Tue, 18 Apr 2023 15:38:53 +0200 +Subject: [PATCH] * modules/mappers/config9.m4: Add 'server' directory to + include path if mod_rewrite is enabled. + +Upstream-Status: Accepted [https://svn.apache.org/viewvc?view=revision&revision=1909241] + +--- + modules/mappers/config9.m4 | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/modules/mappers/config9.m4 b/modules/mappers/config9.m4 +index 55a97ab993..7120b729b7 100644 +--- a/modules/mappers/config9.m4 ++++ b/modules/mappers/config9.m4 +@@ -14,6 +14,11 @@ APACHE_MODULE(userdir, mapping of requests to user-specific directories, , , mos + APACHE_MODULE(alias, mapping of requests to different filesystem parts, , , yes) + APACHE_MODULE(rewrite, rule based URL manipulation, , , most) + ++if test "x$enable_rewrite" != "xno"; then ++ # mod_rewrite needs test_char.h ++ APR_ADDTO(INCLUDES, [-I\$(top_builddir)/server]) ++fi ++ + APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current]) + + APACHE_MODPATH_FINISH +-- +2.25.1 + diff --git a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.56.bb b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.57.bb index ed5690a4ab..669d277567 100644 --- a/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.56.bb +++ b/meta-openembedded/meta-webserver/recipes-httpd/apache2/apache2_2.4.57.bb @@ -15,6 +15,7 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ file://0007-apache2-allow-to-disable-selinux-support.patch \ file://0008-Fix-perl-install-directory-to-usr-bin.patch \ file://0009-support-apxs.in-force-destdir-to-be-empty-string.patch \ + file://0011-modules-mappers-config9.m4-Add-server-directory-to-i.patch \ " SRC_URI:append:class-target = " \ 
@@ -26,7 +27,7 @@ SRC_URI:append:class-target = " \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3" -SRC_URI[sha256sum] = "d8d45f1398ba84edd05bb33ca7593ac2989b17cb9c7a0cafe5442d41afdb2d7c" +SRC_URI[sha256sum] = "dbccb84aee95e095edfbb81e5eb926ccd24e6ada55dcd83caecb262e5cf94d2a" S = "${WORKDIR}/httpd-${PV}" diff --git a/poky/meta/classes/populate_sdk_ext.bbclass b/poky/meta/classes/populate_sdk_ext.bbclass index a43ff3fb32..1bdfd92847 100644 --- a/poky/meta/classes/populate_sdk_ext.bbclass +++ b/poky/meta/classes/populate_sdk_ext.bbclass @@ -363,7 +363,8 @@ python copy_buildsystem () { f.write('BUILDCFG_HEADER = ""\n\n') # Write METADATA_REVISION - f.write('METADATA_REVISION = "%s"\n\n' % d.getVar('METADATA_REVISION')) + # Needs distro override so it can override the value set in the bbclass code (later than local.conf) + f.write('METADATA_REVISION:%s = "%s"\n\n' % (d.getVar('DISTRO'), d.getVar('METADATA_REVISION'))) f.write('# Provide a flag to indicate we are in the EXT_SDK Context\n') f.write('WITHIN_EXT_SDK = "1"\n\n') diff --git a/poky/meta/classes/pypi.bbclass b/poky/meta/classes/pypi.bbclass index 87b4c85fc0..c68367449a 100644 --- a/poky/meta/classes/pypi.bbclass +++ b/poky/meta/classes/pypi.bbclass @@ -24,3 +24,5 @@ S = "${WORKDIR}/${PYPI_PACKAGE}-${PV}" UPSTREAM_CHECK_URI ?= "https://pypi.org/project/${PYPI_PACKAGE}/" UPSTREAM_CHECK_REGEX ?= "/${PYPI_PACKAGE}/(?P<pver>(\d+[\.\-_]*)+)/" + +CVE_PRODUCT ?= "python:${PYPI_PACKAGE}" diff --git a/poky/meta/lib/oeqa/selftest/cases/runtime_test.py b/poky/meta/lib/oeqa/selftest/cases/runtime_test.py index 5439bd426b..d80f85dba2 100644 --- a/poky/meta/lib/oeqa/selftest/cases/runtime_test.py +++ b/poky/meta/lib/oeqa/selftest/cases/runtime_test.py 
@@ -177,6 +177,8 @@ class TestImage(OESelftestTestCase): distro = oe.lsb.distro_identifier() if distro and distro.startswith('almalinux'): self.skipTest('virgl isn\'t working with Alma Linux') + if distro and distro.startswith('rocky'): + self.skipTest('virgl isn\'t working with Rocky Linux') if distro and distro == 'debian-8': self.skipTest('virgl isn\'t working with Debian 8') if distro and distro == 'centos-7': @@ -189,10 +191,14 @@ class TestImage(OESelftestTestCase): self.skipTest('virgl isn\'t working with Fedora 35') if distro and distro == 'fedora-36': self.skipTest('virgl isn\'t working with Fedora 36') + if distro and distro == 'fedora-37': + self.skipTest('virgl isn\'t working with Fedora 37') if distro and distro == 'opensuseleap-15.0': self.skipTest('virgl isn\'t working with Opensuse 15.0') if distro and distro == 'ubuntu-22.04': self.skipTest('virgl isn\'t working with Ubuntu 22.04') + if distro and distro == 'ubuntu-22.10': + self.skipTest('virgl isn\'t working with Ubuntu 22.10') qemu_packageconfig = get_bb_var('PACKAGECONFIG', 'qemu-system-native') sdl_packageconfig = get_bb_var('PACKAGECONFIG', 'libsdl2-native') diff --git a/poky/meta/lib/oeqa/utils/metadata.py b/poky/meta/lib/oeqa/utils/metadata.py index 8013aa684d..15ec190c4a 100644 --- a/poky/meta/lib/oeqa/utils/metadata.py +++ b/poky/meta/lib/oeqa/utils/metadata.py @@ -27,9 +27,9 @@ def metadata_from_bb(): data_dict = get_bb_vars() # Distro information - info_dict['distro'] = {'id': data_dict['DISTRO'], - 'version_id': data_dict['DISTRO_VERSION'], - 'pretty_name': '%s %s' % (data_dict['DISTRO'], data_dict['DISTRO_VERSION'])} + info_dict['distro'] = {'id': data_dict.get('DISTRO', 'NODISTRO'), + 'version_id': data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'), + 'pretty_name': '%s %s' % (data_dict.get('DISTRO', 'NODISTRO'), data_dict.get('DISTRO_VERSION', 'NO_DISTRO_VERSION'))} # Host distro information os_release = get_os_release() 
diff --git a/poky/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/poky/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch new file mode 100644 index 0000000000..ea1601cc04 --- /dev/null +++ b/poky/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch @@ -0,0 +1,54 @@ +From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001 +From: Daniel Wagner <wagi@monom.org> +Date: Tue, 11 Apr 2023 08:12:56 +0200 +Subject: gdhcp: Verify and sanitize packet length first + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138] +CVE: CVE-2023-28488 +Signed-off-by: Ashish Sharma <asharma@mvista.com> + + gdhcp/client.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/gdhcp/client.c b/gdhcp/client.c +index 7efa7e45..82017692 100644 +--- a/gdhcp/client.c ++++ b/gdhcp/client.c +@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes) + static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, + struct sockaddr_in *dst_addr) + { +- int bytes; + struct ip_udp_dhcp_packet packet; + uint16_t check; ++ int bytes, tot_len; + + memset(&packet, 0, sizeof(packet)); + +@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, + if (bytes < 0) + return -1; + +- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) +- return -1; +- +- if (bytes < ntohs(packet.ip.tot_len)) ++ tot_len = ntohs(packet.ip.tot_len); ++ if (bytes > tot_len) { ++ /* ignore any extra garbage bytes */ ++ bytes = tot_len; ++ } else if (bytes < tot_len) { + /* packet is bigger than sizeof(packet), we did partial read */ + return -1; ++ } + +- /* ignore any extra garbage bytes */ +- bytes = ntohs(packet.ip.tot_len); ++ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) ++ return -1; + + if (!sanity_check(&packet, bytes)) + return -1; +-- +cgit + 
diff --git a/poky/meta/recipes-connectivity/connman/connman_1.37.bb b/poky/meta/recipes-connectivity/connman/connman_1.37.bb index 73d7f7527e..8062a094d3 100644 --- a/poky/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/poky/meta/recipes-connectivity/connman/connman_1.37.bb @@ -14,6 +14,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://CVE-2022-23098.patch \ file://CVE-2022-32292.patch \ file://CVE-2022-32293.patch \ + file://CVE-2023-28488.patch \ " SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" diff --git a/poky/meta/recipes-connectivity/openssh/openssh/sshd.socket b/poky/meta/recipes-connectivity/openssh/openssh/sshd.socket index 12c39b26b5..8d76d62309 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh/sshd.socket +++ b/poky/meta/recipes-connectivity/openssh/openssh/sshd.socket @@ -1,5 +1,6 @@ [Unit] Conflicts=sshd.service +Wants=sshdgenkeys.service [Socket] ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd diff --git a/poky/meta/recipes-connectivity/openssh/openssh/sshd@.service b/poky/meta/recipes-connectivity/openssh/openssh/sshd@.service index 9d83dfb2bb..422450c7a1 100644 --- a/poky/meta/recipes-connectivity/openssh/openssh/sshd@.service +++ b/poky/meta/recipes-connectivity/openssh/openssh/sshd@.service @@ -1,13 +1,11 @@ [Unit] Description=OpenSSH Per-Connection Daemon -Wants=sshdgenkeys.service After=sshdgenkeys.service [Service] Environment="SSHD_OPTS=" EnvironmentFile=-/etc/default/ssh ExecStart=-@SBINDIR@/sshd -i $SSHD_OPTS -ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID StandardInput=socket StandardError=syslog KillMode=process diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch new file mode 100644 index 0000000000..907f2c4d47 --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2023-28484.patch 
@@ -0,0 +1,79 @@ +From e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Fri, 7 Apr 2023 11:46:35 +0200 +Subject: [PATCH] [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType + +Fix a null pointer dereference when parsing (invalid) XML schemas. + +Thanks to Robby Simpson for the report! + +Fixes #491. + +CVE: CVE-2023-28484 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/e4f85f1bd2eb34d9b49da9154a4cc3a1bc284f68] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + result/schemas/issue491_0_0.err | 1 + + test/schemas/issue491_0.xml | 1 + + test/schemas/issue491_0.xsd | 18 ++++++++++++++++++ + xmlschemas.c | 2 +- + 4 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 result/schemas/issue491_0_0.err + create mode 100644 test/schemas/issue491_0.xml + create mode 100644 test/schemas/issue491_0.xsd + +diff --git a/result/schemas/issue491_0_0.err b/result/schemas/issue491_0_0.err +new file mode 100644 +index 00000000..9b2bb969 +--- /dev/null ++++ b/result/schemas/issue491_0_0.err +@@ -0,0 +1 @@ ++./test/schemas/issue491_0.xsd:8: element complexType: Schemas parser error : complex type 'ChildType': The content type of both, the type and its base type, must either 'mixed' or 'element-only'. 
+diff --git a/test/schemas/issue491_0.xml b/test/schemas/issue491_0.xml +new file mode 100644 +index 00000000..e2b2fc2e +--- /dev/null ++++ b/test/schemas/issue491_0.xml +@@ -0,0 +1 @@ ++<Child xmlns="http://www.test.com">5</Child> +diff --git a/test/schemas/issue491_0.xsd b/test/schemas/issue491_0.xsd +new file mode 100644 +index 00000000..81702649 +--- /dev/null ++++ b/test/schemas/issue491_0.xsd +@@ -0,0 +1,18 @@ ++<?xml version='1.0' encoding='UTF-8'?> ++<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://www.test.com" targetNamespace="http://www.test.com" elementFormDefault="qualified" attributeFormDefault="unqualified"> ++ <xs:complexType name="BaseType"> ++ <xs:simpleContent> ++ <xs:extension base="xs:int" /> ++ </xs:simpleContent> ++ </xs:complexType> ++ <xs:complexType name="ChildType"> ++ <xs:complexContent> ++ <xs:extension base="BaseType"> ++ <xs:sequence> ++ <xs:element name="bad" type="xs:int" minOccurs="0" maxOccurs="1"/> ++ </xs:sequence> ++ </xs:extension> ++ </xs:complexContent> ++ </xs:complexType> ++ <xs:element name="Child" type="ChildType" /> ++</xs:schema> +diff --git a/xmlschemas.c b/xmlschemas.c +index 6a353858..a4eaf591 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -18632,7 +18632,7 @@ xmlSchemaFixupComplexType(xmlSchemaParserCtxtPtr pctxt, + "allowed to appear inside other model groups", + NULL, NULL); + +- } else if (! dummySequence) { ++ } else if ((!dummySequence) && (baseType->subtypes != NULL)) { + xmlSchemaTreeItemPtr effectiveContent = + (xmlSchemaTreeItemPtr) type->subtypes; + /* +-- +GitLab + diff --git a/poky/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch b/poky/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch new file mode 100644 index 0000000000..1252668577 --- /dev/null +++ b/poky/meta/recipes-core/libxml/libxml2/CVE-2023-29469.patch 
@@ -0,0 +1,42 @@ +From 547edbf1cbdccd46b2e8ff322a456eaa5931c5df Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Fri, 7 Apr 2023 11:49:27 +0200 +Subject: [PATCH] [CVE-2023-29469] Hashing of empty dict strings isn't + deterministic + +When hashing empty strings which aren't null-terminated, +xmlDictComputeFastKey could produce inconsistent results. This could +lead to various logic or memory errors, including double frees. + +For consistency the seed is also taken into account, but this shouldn't +have an impact on security. + +Found by OSS-Fuzz. + +Fixes #510. + +CVE: CVE-2023-29469 +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + dict.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/dict.c b/dict.c +index 86c3f6d7..d7fd1a06 100644 +--- a/dict.c ++++ b/dict.c +@@ -451,7 +451,8 @@ static unsigned long + xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) { + unsigned long value = seed; + +- if (name == NULL) return(0); ++ if ((name == NULL) || (namelen <= 0)) ++ return(value); + value = *name; + value <<= 5; + if (namelen > 10) { +-- +GitLab + diff --git a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb index 40e3434ead..034192d64e 100644 --- a/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb +++ b/poky/meta/recipes-core/libxml/libxml2_2.9.10.bb @@ -36,6 +36,8 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar.gz;subdir=${BP};name=te file://CVE-2016-3709.patch \ file://CVE-2022-40303.patch \ file://CVE-2022-40304.patch \ + file://CVE-2023-28484.patch \ + file://CVE-2023-29469.patch \ " SRC_URI[archive.sha256sum] = "593b7b751dd18c2d6abcd0c4bcb29efc203d0b4373a6df98e3a455ea74ae2813" 
diff --git a/poky/meta/recipes-devtools/git/files/CVE-2023-25652.patch b/poky/meta/recipes-devtools/git/files/CVE-2023-25652.patch new file mode 100644 index 0000000000..d6b17a2b8a --- /dev/null +++ b/poky/meta/recipes-devtools/git/files/CVE-2023-25652.patch 
@@ -0,0 +1,94 @@ +From 9db05711c98efc14f414d4c87135a34c13586e0b Mon Sep 17 00:00:00 2001 +From: Johannes Schindelin <johannes.schindelin@gmx.de> +Date: Thu, 9 Mar 2023 16:02:54 +0100 +Subject: [PATCH] apply --reject: overwrite existing `.rej` symlink if it + exists + +The `git apply --reject` is expected to write out `.rej` files in case +one or more hunks fail to apply cleanly. Historically, the command +overwrites any existing `.rej` files. The idea being that +apply/reject/edit cycles are relatively common, and the generated `.rej` +files are not considered precious. + +But the command does not overwrite existing `.rej` symbolic links, and +instead follows them. This is unsafe because the same patch could +potentially create such a symbolic link and point at arbitrary paths +outside the current worktree, and `git apply` would write the contents +of the `.rej` file into that location. + +Therefore, let's make sure that any existing `.rej` file or symbolic +link is removed before writing it. 
+ +Reported-by: RyotaK <ryotak.mail@gmail.com> +Helped-by: Taylor Blau <me@ttaylorr.com> +Helped-by: Junio C Hamano <gitster@pobox.com> +Helped-by: Linus Torvalds <torvalds@linuxfoundation.org> +Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> + +Upstream-Status: Backport [https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b] +CVE: CVE-2023-25652 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + apply.c | 14 ++++++++++++-- + t/t4115-apply-symlink.sh | 15 +++++++++++++++ + 2 files changed, 27 insertions(+), 2 deletions(-) + +diff --git a/apply.c b/apply.c +index 4f303bf..aa7111d 100644 +--- a/apply.c ++++ b/apply.c +@@ -4531,7 +4531,7 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + FILE *rej; + char namebuf[PATH_MAX]; + struct fragment *frag; +- int cnt = 0; ++ int fd, cnt = 0; + struct strbuf sb = STRBUF_INIT; + + for (cnt = 0, frag = patch->fragments; frag; frag = frag->next) { +@@ -4571,7 +4571,17 @@ static int write_out_one_reject(struct apply_state *state, struct patch *patch) + memcpy(namebuf, patch->new_name, cnt); + memcpy(namebuf + cnt, ".rej", 5); + +- rej = fopen(namebuf, "w"); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) { ++ if (errno != EEXIST) ++ return error_errno(_("cannot open %s"), namebuf); ++ if (unlink(namebuf)) ++ return error_errno(_("cannot unlink '%s'"), namebuf); ++ fd = open(namebuf, O_CREAT | O_EXCL | O_WRONLY, 0666); ++ if (fd < 0) ++ return error_errno(_("cannot open %s"), namebuf); ++ } ++ rej = fdopen(fd, "w"); + if (!rej) + return error_errno(_("cannot open %s"), namebuf); + +diff --git a/t/t4115-apply-symlink.sh b/t/t4115-apply-symlink.sh +index 1acb7b2..2b034ff 100755 +--- a/t/t4115-apply-symlink.sh ++++ b/t/t4115-apply-symlink.sh +@@ -125,4 +125,19 @@ test_expect_success SYMLINKS 'symlink escape when deleting file' ' + test_path_is_file .git/delete-me + ' + ++test_expect_success SYMLINKS '--reject removes .rej 
symlink if it exists' ' ++ test_when_finished "git reset --hard && git clean -dfx" && ++ ++ test_commit file && ++ echo modified >file.t && ++ git diff -- file.t >patch && ++ echo modified-again >file.t && ++ ++ ln -s foo file.t.rej && ++ test_must_fail git apply patch --reject 2>err && ++ test_i18ngrep "Rejected hunk" err && ++ test_path_is_missing foo && ++ test_path_is_file file.t.rej ++' ++ + test_done +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/git/files/CVE-2023-29007.patch b/poky/meta/recipes-devtools/git/files/CVE-2023-29007.patch new file mode 100644 index 0000000000..e166c01412 --- /dev/null +++ b/poky/meta/recipes-devtools/git/files/CVE-2023-29007.patch 
@@ -0,0 +1,159 @@ +From 057c07a7b1fae22fdeef26c243f4cfbe3afc90ce Mon Sep 17 00:00:00 2001 +From: Taylor Blau <me@ttaylorr.com> +Date: Fri, 14 Apr 2023 11:46:59 -0400 +Subject: [PATCH] Merge branch 'tb/config-copy-or-rename-in-file-injection' + +Avoids issues with renaming or deleting sections with long lines, where +configuration values may be interpreted as sections, leading to +configuration injection. Addresses CVE-2023-29007. + +* tb/config-copy-or-rename-in-file-injection: + config.c: disallow overly-long lines in `copy_or_rename_section_in_file()` + config.c: avoid integer truncation in `copy_or_rename_section_in_file()` + config: avoid fixed-sized buffer when renaming/deleting a section + t1300: demonstrate failure when renaming sections with long lines + +Signed-off-by: Taylor Blau <me@ttaylorr.com> + +Upstream-Status: Backport [https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4] +CVE: CVE-2023-29007 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + config.c | 36 +++++++++++++++++++++++++----------- + t/t1300-config.sh | 30 ++++++++++++++++++++++++++++++ + 2 files changed, 55 insertions(+), 11 deletions(-) + +diff --git a/config.c b/config.c +index e7052b3..676b687 100644 +--- a/config.c ++++ b/config.c +@@ -2987,9 +2987,10 @@ void git_config_set_multivar(const char *key, const char *value, + multi_replace); + } + +-static int section_name_match (const char *buf, const char *name) ++static size_t section_name_match (const char *buf, const char *name) + { +- int i = 0, j = 0, dot = 0; ++ size_t i = 0, j = 0; ++ int dot = 0; + if (buf[i] != '[') + return 0; + for (i = 1; buf[i] && buf[i] != ']'; i++) { +@@ -3042,6 +3043,8 @@ static int section_name_is_ok(const char *name) + return 1; + } + ++#define GIT_CONFIG_MAX_LINE_LEN (512 * 1024) ++ + /* if new_name == NULL, the section is removed instead */ + static int git_config_copy_or_rename_section_in_file(const char *config_filename, + const char *old_name, +@@ -3051,11 
+3054,12 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + char *filename_buf = NULL; + struct lock_file lock = LOCK_INIT; + int out_fd; +- char buf[1024]; ++ struct strbuf buf = STRBUF_INIT; + FILE *config_file = NULL; + struct stat st; + struct strbuf copystr = STRBUF_INIT; + struct config_store_data store; ++ uint32_t line_nr = 0; + + memset(&store, 0, sizeof(store)); + +@@ -3092,16 +3096,25 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + goto out; + } + +- while (fgets(buf, sizeof(buf), config_file)) { +- int i; +- int length; ++ while (!strbuf_getwholeline(&buf, config_file, '\n')) { ++ size_t i, length; + int is_section = 0; +- char *output = buf; +- for (i = 0; buf[i] && isspace(buf[i]); i++) ++ char *output = buf.buf; ++ ++ line_nr++; ++ ++ if (buf.len >= GIT_CONFIG_MAX_LINE_LEN) { ++ ret = error(_("refusing to work with overly long line " ++ "in '%s' on line %"PRIuMAX), ++ config_filename, (uintmax_t)line_nr); ++ goto out; ++ } ++ ++ for (i = 0; buf.buf[i] && isspace(buf.buf[i]); i++) + ; /* do nothing */ +- if (buf[i] == '[') { ++ if (buf.buf[i] == '[') { + /* it's a section */ +- int offset; ++ size_t offset; + is_section = 1; + + /* +@@ -3118,7 +3131,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + strbuf_reset(©str); + } + +- offset = section_name_match(&buf[i], old_name); ++ offset = section_name_match(&buf.buf[i], old_name); + if (offset > 0) { + ret++; + if (new_name == NULL) { +@@ -3193,6 +3206,7 @@ static int git_config_copy_or_rename_section_in_file(const char *config_filename + out_no_rollback: + free(filename_buf); + config_store_data_clear(&store); ++ strbuf_release(&buf); + return ret; + } + +diff --git a/t/t1300-config.sh b/t/t1300-config.sh +index 983a0a1..9b67f6b 100755 +--- a/t/t1300-config.sh ++++ b/t/t1300-config.sh +@@ -616,6 +616,36 @@ test_expect_success 'renaming to bogus section is rejected' ' + test_must_fail git config 
--rename-section branch.zwei "bogus name" + ' + ++test_expect_success 'renaming a section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y b.e ++' ++ ++test_expect_success 'renaming an embedded section with a long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %1024s [a] [foo] e = f\\n" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ git config -f y --rename-section a xyz && ++ test_must_fail git config -f y foo.e ++' ++ ++test_expect_success 'renaming a section with an overly-long line' ' ++ { ++ printf "[b]\\n" && ++ printf " c = d %525000s e" " " && ++ printf "[a] g = h\\n" ++ } >y && ++ test_must_fail git config -f y --rename-section a xyz 2>err && ++ test_i18ngrep "refusing to work with overly long line in .y. on line 2" err ++' ++ + cat >> .git/config << EOF + [branch "zwei"] a = 1 [branch "vier"] + EOF +-- +2.25.1 + diff --git a/poky/meta/recipes-devtools/git/git.inc b/poky/meta/recipes-devtools/git/git.inc index 36318eed20..e64472ea28 100644 --- a/poky/meta/recipes-devtools/git/git.inc +++ b/poky/meta/recipes-devtools/git/git.inc @@ -28,6 +28,8 @@ SRC_URI = "${KERNELORG_MIRROR}/software/scm/git/git-${PV}.tar.gz;name=tarball \ file://CVE-2023-22490-2.patch \ file://CVE-2023-22490-3.patch \ file://CVE-2023-23946.patch \ + file://CVE-2023-29007.patch \ + file://CVE-2023-25652.patch \ " S = "${WORKDIR}/git-${PV}" diff --git a/poky/meta/recipes-devtools/go/go-1.14.inc b/poky/meta/recipes-devtools/go/go-1.14.inc index 3b99b8fe7e..2c500e8331 100644 --- a/poky/meta/recipes-devtools/go/go-1.14.inc +++ b/poky/meta/recipes-devtools/go/go-1.14.inc 
@@ -58,6 +58,11 @@ SRC_URI += "\ file://CVE-2020-29510.patch \ file://CVE-2023-24537.patch \ file://CVE-2023-24534.patch \ + file://CVE-2023-24538-1.patch \ + file://CVE-2023-24538-2.patch \ + file://CVE-2023-24538-3.patch \ + file://CVE-2023-24539.patch \ + file://CVE-2023-24540.patch \ " SRC_URI_append_libc-musl = " file://0009-ld-replace-glibc-dynamic-linker-with-musl.patch" diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch new file mode 100644 index 0000000000..eda26e5ff6 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-1.patch 
@@ -0,0 +1,125 @@ +From 8acd01094d9ee17f6e763a61e49a8a808b3a9ddb Mon Sep 17 00:00:00 2001 +From: Brad Fitzpatrick <bradfitz@golang.org> +Date: Mon, 2 Aug 2021 14:55:51 -0700 +Subject: [PATCH 1/3] net/netip: add new IP address package + +Co-authored-by: Alex Willmer <alex@moreati.org.uk> (GitHub @moreati) +Co-authored-by: Alexander Yastrebov <yastrebov.alex@gmail.com> +Co-authored-by: David Anderson <dave@natulte.net> (Tailscale CLA) +Co-authored-by: David Crawshaw <crawshaw@tailscale.com> (Tailscale CLA) +Co-authored-by: Dmytro Shynkevych <dmytro@tailscale.com> (Tailscale CLA) +Co-authored-by: Elias Naur <mail@eliasnaur.com> +Co-authored-by: Joe Tsai <joetsai@digital-static.net> (Tailscale CLA) +Co-authored-by: Jonathan Yu <jawnsy@cpan.org> (GitHub @jawnsy) +Co-authored-by: Josh Bleecher Snyder <josharian@gmail.com> (Tailscale CLA) +Co-authored-by: Maisem Ali <maisem@tailscale.com> (Tailscale CLA) +Co-authored-by: Manuel Mendez (Go AUTHORS mmendez534@...) +Co-authored-by: Matt Layher <mdlayher@gmail.com> +Co-authored-by: Noah Treuhaft <noah.treuhaft@gmail.com> (GitHub @nwt) +Co-authored-by: Stefan Majer <stefan.majer@gmail.com> +Co-authored-by: Terin Stock <terinjokes@gmail.com> (Cloudflare CLA) +Co-authored-by: Tobias Klauser <tklauser@distanz.ch> + +Fixes #46518 + +Change-Id: I0041f9e1115d61fa6e95fcf32b01d9faee708712 +Reviewed-on: https://go-review.googlesource.com/c/go/+/339309 +Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org> +TryBot-Result: Go Bot <gobot@golang.org> +Reviewed-by: Russ Cox <rsc@golang.org> +Trust: Brad Fitzpatrick <bradfitz@golang.org> + +Dependency Patch #1 + +Upstream-Status: Backport [https://github.com/golang/go/commit/a59e33224e42d60a97fa720a45e1b74eb6aaa3d0] +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/internal/godebug/godebug.go | 34 ++++++++++++++++++++++++++++++++++ + src/internal/godebug/godebug_test.go | 34 ++++++++++++++++++++++++++++++++++ + 2 files changed, 68 insertions(+) + create 
mode 100644 src/internal/godebug/godebug.go + create mode 100644 src/internal/godebug/godebug_test.go + +diff --git a/src/internal/godebug/godebug.go b/src/internal/godebug/godebug.go +new file mode 100644 +index 0000000..ac434e5 +--- /dev/null ++++ b/src/internal/godebug/godebug.go +@@ -0,0 +1,34 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. ++ ++// Package godebug parses the GODEBUG environment variable. ++package godebug ++ ++import "os" ++ ++// Get returns the value for the provided GODEBUG key. ++func Get(key string) string { ++ return get(os.Getenv("GODEBUG"), key) ++} ++ ++// get returns the value part of key=value in s (a GODEBUG value). ++func get(s, key string) string { ++ for i := 0; i < len(s)-len(key)-1; i++ { ++ if i > 0 && s[i-1] != ',' { ++ continue ++ } ++ afterKey := s[i+len(key):] ++ if afterKey[0] != '=' || s[i:i+len(key)] != key { ++ continue ++ } ++ val := afterKey[1:] ++ for i, b := range val { ++ if b == ',' { ++ return val[:i] ++ } ++ } ++ return val ++ } ++ return "" ++} +diff --git a/src/internal/godebug/godebug_test.go b/src/internal/godebug/godebug_test.go +new file mode 100644 +index 0000000..41b9117 +--- /dev/null ++++ b/src/internal/godebug/godebug_test.go +@@ -0,0 +1,34 @@ ++// Copyright 2021 The Go Authors. All rights reserved. ++// Use of this source code is governed by a BSD-style ++// license that can be found in the LICENSE file. 
++ ++package godebug ++ ++import "testing" ++ ++func TestGet(t *testing.T) { ++ tests := []struct { ++ godebug string ++ key string ++ want string ++ }{ ++ {"", "", ""}, ++ {"", "foo", ""}, ++ {"foo=bar", "foo", "bar"}, ++ {"foo=bar,after=x", "foo", "bar"}, ++ {"before=x,foo=bar,after=x", "foo", "bar"}, ++ {"before=x,foo=bar", "foo", "bar"}, ++ {",,,foo=bar,,,", "foo", "bar"}, ++ {"foodecoy=wrong,foo=bar", "foo", "bar"}, ++ {"foo=", "foo", ""}, ++ {"foo", "foo", ""}, ++ {",foo", "foo", ""}, ++ {"foo=bar,baz", "loooooooong", ""}, ++ } ++ for _, tt := range tests { ++ got := get(tt.godebug, tt.key) ++ if got != tt.want { ++ t.Errorf("get(%q, %q) = %q; want %q", tt.godebug, tt.key, got, tt.want) ++ } ++ } ++} +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch new file mode 100644 index 0000000000..5036f2890b --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-2.patch 
@@ -0,0 +1,196 @@ +From 6fc21505614f36178df0dad7034b6b8e3f7588d5 Mon Sep 17 00:00:00 2001 +From: empijei <robclap8@gmail.com> +Date: Fri, 27 Mar 2020 19:27:55 +0100 +Subject: [PATCH 2/3] html/template,text/template: switch to Unicode escapes + for JSON compatibility +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The existing implementation is not compatible with JSON +escape as it uses hex escaping. +Unicode escape, instead, is valid for both JSON and JS. +This fix avoids creating a separate escaping context for +scripts of type "application/ld+json" and it is more +future-proof in case more JSON+JS contexts get added +to the platform (e.g. import maps). + +Fixes #33671 +Fixes #37634 + +Change-Id: Id6f6524b4abc52e81d9d744d46bbe5bf2e081543 +Reviewed-on: https://go-review.googlesource.com/c/go/+/226097 +Reviewed-by: Carl Johnson <me@carlmjohnson.net> +Reviewed-by: Daniel Martí <mvdan@mvdan.cc> +Run-TryBot: Daniel Martí <mvdan@mvdan.cc> +TryBot-Result: Gobot Gobot <gobot@golang.org> + +Dependency Patch #2 + +Upstream-Status: Backport from https://github.com/golang/go/commit/d4d298040d072ddacea0e0d6b55fb148fff18070 +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/html/template/js.go | 70 +++++++++++++++++++++++++++------------------- + src/text/template/funcs.go | 8 +++--- + 2 files changed, 46 insertions(+), 32 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index 0e91458..ea9c183 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -163,7 +163,6 @@ func jsValEscaper(args ...interface{}) string { + } + // TODO: detect cycles before calling Marshal which loops infinitely on + // cyclic data. This may be an unacceptable DoS risk. 
+- + b, err := json.Marshal(a) + if err != nil { + // Put a space before comment so that if it is flush against +@@ -178,8 +177,8 @@ func jsValEscaper(args ...interface{}) string { + // TODO: maybe post-process output to prevent it from containing + // "<!--", "-->", "<![CDATA[", "]]>", or "</script" + // in case custom marshalers produce output containing those. +- +- // TODO: Maybe abbreviate \u00ab to \xab to produce more compact output. ++ // Note: Do not use \x escaping to save bytes because it is not JSON compatible and this escaper ++ // supports ld+json content-type. + if len(b) == 0 { + // In, `x=y/{{.}}*z` a json.Marshaler that produces "" should + // not cause the output `x=y/*z`. +@@ -260,6 +259,8 @@ func replace(s string, replacementTable []string) string { + r, w = utf8.DecodeRuneInString(s[i:]) + var repl string + switch { ++ case int(r) < len(lowUnicodeReplacementTable): ++ repl = lowUnicodeReplacementTable[r] + case int(r) < len(replacementTable) && replacementTable[r] != "": + repl = replacementTable[r] + case r == '\u2028': +@@ -283,67 +284,80 @@ func replace(s string, replacementTable []string) string { + return b.String() + } + ++var lowUnicodeReplacementTable = []string{ ++ 0: `\u0000`, 1: `\u0001`, 2: `\u0002`, 3: `\u0003`, 4: `\u0004`, 5: `\u0005`, 6: `\u0006`, ++ '\a': `\u0007`, ++ '\b': `\u0008`, ++ '\t': `\t`, ++ '\n': `\n`, ++ '\v': `\u000b`, // "\v" == "v" on IE 6. ++ '\f': `\f`, ++ '\r': `\r`, ++ 0xe: `\u000e`, 0xf: `\u000f`, 0x10: `\u0010`, 0x11: `\u0011`, 0x12: `\u0012`, 0x13: `\u0013`, ++ 0x14: `\u0014`, 0x15: `\u0015`, 0x16: `\u0016`, 0x17: `\u0017`, 0x18: `\u0018`, 0x19: `\u0019`, ++ 0x1a: `\u001a`, 0x1b: `\u001b`, 0x1c: `\u001c`, 0x1d: `\u001d`, 0x1e: `\u001e`, 0x1f: `\u001f`, ++} ++ + var jsStrReplacementTable = []string{ +- 0: `\0`, ++ 0: `\u0000`, + '\t': `\t`, + '\n': `\n`, +- '\v': `\x0b`, // "\v" == "v" on IE 6. ++ '\v': `\u000b`, // "\v" == "v" on IE 6. 
+ '\f': `\f`, + '\r': `\r`, + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. +- '"': `\x22`, +- '&': `\x26`, +- '\'': `\x27`, +- '+': `\x2b`, ++ '"': `\u0022`, ++ '&': `\u0026`, ++ '\'': `\u0027`, ++ '+': `\u002b`, + '/': `\/`, +- '<': `\x3c`, +- '>': `\x3e`, ++ '<': `\u003c`, ++ '>': `\u003e`, + '\\': `\\`, + } + + // jsStrNormReplacementTable is like jsStrReplacementTable but does not + // overencode existing escapes since this table has no entry for `\`. + var jsStrNormReplacementTable = []string{ +- 0: `\0`, ++ 0: `\u0000`, + '\t': `\t`, + '\n': `\n`, +- '\v': `\x0b`, // "\v" == "v" on IE 6. ++ '\v': `\u000b`, // "\v" == "v" on IE 6. + '\f': `\f`, + '\r': `\r`, + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. +- '"': `\x22`, +- '&': `\x26`, +- '\'': `\x27`, +- '+': `\x2b`, ++ '"': `\u0022`, ++ '&': `\u0026`, ++ '\'': `\u0027`, ++ '+': `\u002b`, + '/': `\/`, +- '<': `\x3c`, +- '>': `\x3e`, ++ '<': `\u003c`, ++ '>': `\u003e`, + } +- + var jsRegexpReplacementTable = []string{ +- 0: `\0`, ++ 0: `\u0000`, + '\t': `\t`, + '\n': `\n`, +- '\v': `\x0b`, // "\v" == "v" on IE 6. ++ '\v': `\u000b`, // "\v" == "v" on IE 6. + '\f': `\f`, + '\r': `\r`, + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. 
+- '"': `\x22`, ++ '"': `\u0022`, + '$': `\$`, +- '&': `\x26`, +- '\'': `\x27`, ++ '&': `\u0026`, ++ '\'': `\u0027`, + '(': `\(`, + ')': `\)`, + '*': `\*`, +- '+': `\x2b`, ++ '+': `\u002b`, + '-': `\-`, + '.': `\.`, + '/': `\/`, +- '<': `\x3c`, +- '>': `\x3e`, ++ '<': `\u003c`, ++ '>': `\u003e`, + '?': `\?`, + '[': `\[`, + '\\': `\\`, +diff --git a/src/text/template/funcs.go b/src/text/template/funcs.go +index 46125bc..f3de9fb 100644 +--- a/src/text/template/funcs.go ++++ b/src/text/template/funcs.go +@@ -640,10 +640,10 @@ var ( + jsBackslash = []byte(`\\`) + jsApos = []byte(`\'`) + jsQuot = []byte(`\"`) +- jsLt = []byte(`\x3C`) +- jsGt = []byte(`\x3E`) +- jsAmp = []byte(`\x26`) +- jsEq = []byte(`\x3D`) ++ jsLt = []byte(`\u003C`) ++ jsGt = []byte(`\u003E`) ++ jsAmp = []byte(`\u0026`) ++ jsEq = []byte(`\u003D`) + ) + + // JSEscape writes to w the escaped JavaScript equivalent of the plain text data b. +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch new file mode 100644 index 0000000000..d5bb33e091 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24538-3.patch 
@@ -0,0 +1,208 @@ +From 16f4882984569f179d73967c9eee679bb9b098c5 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Mon, 20 Mar 2023 11:01:13 -0700 +Subject: [PATCH 3/3] html/template: disallow actions in JS template literals + +ECMAScript 6 introduced template literals[0][1] which are delimited with +backticks. These need to be escaped in a similar fashion to the +delimiters for other string literals. Additionally template literals can +contain special syntax for string interpolation. + +There is no clear way to allow safe insertion of actions within JS +template literals, as handling (JS) string interpolation inside of these +literals is rather complex. As such we've chosen to simply disallow +template actions within these template literals. + +A new error code is added for this parsing failure case, errJsTmplLit, +but it is unexported as it is not backwards compatible with other minor +release versions to introduce an API change in a minor release. We will +export this code in the next major release. + +The previous behavior (with the cavet that backticks are now escaped +properly) can be re-enabled with GODEBUG=jstmpllitinterp=1. + +This change subsumes CL471455. + +Thanks to Sohom Datta, Manipal Institute of Technology, for reporting +this issue. 
+ +Fixes CVE-2023-24538 +For #59234 +Fixes #59271 + +[0] https://tc39.es/ecma262/multipage/ecmascript-language-expressions.html#sec-template-literals +[1] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals + +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802457 +Reviewed-by: Damien Neil <dneil@google.com> +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Julie Qiu <julieqiu@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1802612 +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Change-Id: Ic7f10595615f2b2740d9c85ad7ef40dc0e78c04c +Reviewed-on: https://go-review.googlesource.com/c/go/+/481987 +Auto-Submit: Michael Knyszek <mknyszek@google.com> +TryBot-Result: Gopher Robot <gobot@golang.org> +Run-TryBot: Michael Knyszek <mknyszek@google.com> +Reviewed-by: Matthew Dempsky <mdempsky@google.com> + +Upstream-Status: Backport from https://github.com/golang/go/commit/b1e3ecfa06b67014429a197ec5e134ce4303ad9b +CVE: CVE-2023-24538 +Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com> +--- + src/html/template/context.go | 2 ++ + src/html/template/error.go | 13 +++++++++++++ + src/html/template/escape.go | 11 +++++++++++ + src/html/template/js.go | 2 ++ + src/html/template/jsctx_string.go | 9 +++++++++ + src/html/template/transition.go | 7 ++++++- + 6 files changed, 43 insertions(+), 1 deletion(-) + +diff --git a/src/html/template/context.go b/src/html/template/context.go +index f7d4849..0b65313 100644 +--- a/src/html/template/context.go ++++ b/src/html/template/context.go +@@ -116,6 +116,8 @@ const ( + stateJSDqStr + // stateJSSqStr occurs inside a JavaScript single quoted string. + stateJSSqStr ++ // stateJSBqStr occurs inside a JavaScript back quoted string. ++ stateJSBqStr + // stateJSRegexp occurs inside a JavaScript regexp literal. 
+ stateJSRegexp + // stateJSBlockCmt occurs inside a JavaScript /* block comment */. +diff --git a/src/html/template/error.go b/src/html/template/error.go +index 0e52706..fd26b64 100644 +--- a/src/html/template/error.go ++++ b/src/html/template/error.go +@@ -211,6 +211,19 @@ const ( + // pipeline occurs in an unquoted attribute value context, "html" is + // disallowed. Avoid using "html" and "urlquery" entirely in new templates. + ErrPredefinedEscaper ++ ++ // errJSTmplLit: "... appears in a JS template literal" ++ // Example: ++ // <script>var tmpl = `{{.Interp}`</script> ++ // Discussion: ++ // Package html/template does not support actions inside of JS template ++ // literals. ++ // ++ // TODO(rolandshoemaker): we cannot add this as an exported error in a minor ++ // release, since it is backwards incompatible with the other minor ++ // releases. As such we need to leave it unexported, and then we'll add it ++ // in the next major release. ++ errJSTmplLit + ) + + func (e *Error) Error() string { +diff --git a/src/html/template/escape.go b/src/html/template/escape.go +index f12dafa..29ca5b3 100644 +--- a/src/html/template/escape.go ++++ b/src/html/template/escape.go +@@ -8,6 +8,7 @@ import ( + "bytes" + "fmt" + "html" ++ "internal/godebug" + "io" + "text/template" + "text/template/parse" +@@ -203,6 +204,16 @@ func (e *escaper) escapeAction(c context, n *parse.ActionNode) context { + c.jsCtx = jsCtxDivOp + case stateJSDqStr, stateJSSqStr: + s = append(s, "_html_template_jsstrescaper") ++ case stateJSBqStr: ++ debugAllowActionJSTmpl := godebug.Get("jstmpllitinterp") ++ if debugAllowActionJSTmpl == "1" { ++ s = append(s, "_html_template_jsstrescaper") ++ } else { ++ return context{ ++ state: stateError, ++ err: errorf(errJSTmplLit, n, n.Line, "%s appears in a JS template literal", n), ++ } ++ } + case stateJSRegexp: + s = append(s, "_html_template_jsregexpescaper") + case stateCSS: +diff --git a/src/html/template/js.go b/src/html/template/js.go +index 
ea9c183..b888eaf 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -308,6 +308,7 @@ var jsStrReplacementTable = []string{ + // Encode HTML specials as hex so the output can be embedded + // in HTML attributes without further encoding. + '"': `\u0022`, ++ '`': `\u0060`, + '&': `\u0026`, + '\'': `\u0027`, + '+': `\u002b`, +@@ -331,6 +332,7 @@ var jsStrNormReplacementTable = []string{ + '"': `\u0022`, + '&': `\u0026`, + '\'': `\u0027`, ++ '`': `\u0060`, + '+': `\u002b`, + '/': `\/`, + '<': `\u003c`, +diff --git a/src/html/template/jsctx_string.go b/src/html/template/jsctx_string.go +index dd1d87e..2394893 100644 +--- a/src/html/template/jsctx_string.go ++++ b/src/html/template/jsctx_string.go +@@ -4,6 +4,15 @@ package template + + import "strconv" + ++func _() { ++ // An "invalid array index" compiler error signifies that the constant values have changed. ++ // Re-run the stringer command to generate them again. ++ var x [1]struct{} ++ _ = x[jsCtxRegexp-0] ++ _ = x[jsCtxDivOp-1] ++ _ = x[jsCtxUnknown-2] ++} ++ + const _jsCtx_name = "jsCtxRegexpjsCtxDivOpjsCtxUnknown" + + var _jsCtx_index = [...]uint8{0, 11, 21, 33} +diff --git a/src/html/template/transition.go b/src/html/template/transition.go +index 06df679..92eb351 100644 +--- a/src/html/template/transition.go ++++ b/src/html/template/transition.go +@@ -27,6 +27,7 @@ var transitionFunc = [...]func(context, []byte) (context, int){ + stateJS: tJS, + stateJSDqStr: tJSDelimited, + stateJSSqStr: tJSDelimited, ++ stateJSBqStr: tJSDelimited, + stateJSRegexp: tJSDelimited, + stateJSBlockCmt: tBlockCmt, + stateJSLineCmt: tLineCmt, +@@ -262,7 +263,7 @@ func tURL(c context, s []byte) (context, int) { + + // tJS is the context transition function for the JS state. + func tJS(c context, s []byte) (context, int) { +- i := bytes.IndexAny(s, `"'/`) ++ i := bytes.IndexAny(s, "\"`'/") + if i == -1 { + // Entire input is non string, comment, regexp tokens. 
+ c.jsCtx = nextJSCtx(s, c.jsCtx) +@@ -274,6 +275,8 @@ func tJS(c context, s []byte) (context, int) { + c.state, c.jsCtx = stateJSDqStr, jsCtxRegexp + case '\'': + c.state, c.jsCtx = stateJSSqStr, jsCtxRegexp ++ case '`': ++ c.state, c.jsCtx = stateJSBqStr, jsCtxRegexp + case '/': + switch { + case i+1 < len(s) && s[i+1] == '/': +@@ -303,6 +306,8 @@ func tJSDelimited(c context, s []byte) (context, int) { + switch c.state { + case stateJSSqStr: + specials = `\'` ++ case stateJSBqStr: ++ specials = "`\\" + case stateJSRegexp: + specials = `\/[]` + } +-- +2.7.4 diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch new file mode 100644 index 0000000000..281b6486a8 --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24539.patch 
@@ -0,0 +1,60 @@ +From 8673ca81e5340b87709db2d9749c92a3bf925df1 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Thu, 13 Apr 2023 15:40:44 -0700 +Subject: [PATCH] html/template: disallow angle brackets in CSS values + +Angle brackets should not appear in CSS contexts, as they may affect +token boundaries (such as closing a <style> tag, resulting in +injection). Instead emit filterFailsafe, matching the behavior for other +dangerous characters. + +Thanks to Juho Nurminen of Mattermost for reporting this issue. + +Fixes #59720 +Fixes CVE-2023-24539 + +Change-Id: Iccc659c9a18415992b0c05c178792228e3a7bae4 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1826636 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/491615 +Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +Run-TryBot: Carlos Amedee <carlos@golang.org> +TryBot-Result: Gopher Robot <gobot@golang.org> + +Upstream-Status: Backport from [https://github.com/golang/go/commit/8673ca81e5340b87709db2d9749c92a3bf925df1] +CVE: CVE-2023-24539 +Signed-off-by: Ashish Sharma <asharma@mvista.com> +--- + src/html/template/css.go | 2 +- + src/html/template/css_test.go | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/html/template/css.go b/src/html/template/css.go +index 890a0c6b227fe..f650d8b3e843a 100644 +--- a/src/html/template/css.go ++++ b/src/html/template/css.go +@@ -238,7 +238,7 @@ func cssValueFilter(args ...any) string { + // inside a string that might embed JavaScript source. 
+ for i, c := range b { + switch c { +- case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}': ++ case 0, '"', '\'', '(', ')', '/', ';', '@', '[', '\\', ']', '`', '{', '}', '<', '>': + return filterFailsafe + case '-': + // Disallow <!-- or -->. +diff --git a/src/html/template/css_test.go b/src/html/template/css_test.go +index a735638b0314f..2b76256a766e9 100644 +--- a/src/html/template/css_test.go ++++ b/src/html/template/css_test.go +@@ -231,6 +231,8 @@ func TestCSSValueFilter(t *testing.T) { + {`-exp\000052 ession(alert(1337))`, "ZgotmplZ"}, + {`-expre\0000073sion`, "-expre\x073sion"}, + {`@import url evil.css`, "ZgotmplZ"}, ++ {"<", "ZgotmplZ"}, ++ {">", "ZgotmplZ"}, + } + for _, test := range tests { + got := cssValueFilter(test.css) diff --git a/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch new file mode 100644 index 0000000000..799a0dfcda --- /dev/null +++ b/poky/meta/recipes-devtools/go/go-1.14/CVE-2023-24540.patch 
@@ -0,0 +1,90 @@ +From ce7bd33345416e6d8cac901792060591cafc2797 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker <bracewell@google.com> +Date: Tue, 11 Apr 2023 16:27:43 +0100 +Subject: [PATCH] [release-branch.go1.19] html/template: handle all JS + whitespace characters + +Rather than just a small set. Character class as defined by \s [0]. + +Thanks to Juho Nurminen of Mattermost for reporting this. + +For #59721 +Fixes #59813 +Fixes CVE-2023-24540 + +[0] https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions/Character_Classes + +Change-Id: I56d4fa1ef08125b417106ee7dbfb5b0923b901ba +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1821459 +Reviewed-by: Julie Qiu <julieqiu@google.com> +Run-TryBot: Roland Shoemaker <bracewell@google.com> +Reviewed-by: Damien Neil <dneil@google.com> +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1851497 +Run-TryBot: Damien Neil <dneil@google.com> +Reviewed-by: Roland Shoemaker <bracewell@google.com> +Reviewed-on: https://go-review.googlesource.com/c/go/+/491355 +Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> +Reviewed-by: Carlos Amedee <carlos@golang.org> +TryBot-Bypass: Carlos Amedee <carlos@golang.org> +Run-TryBot: Carlos Amedee <carlos@golang.org> + +Upstream-Status: Backport [https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797] +CVE: CVE-2023-24540 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + src/html/template/js.go | 8 +++++++- + src/html/template/js_test.go | 11 +++++++---- + 2 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/src/html/template/js.go b/src/html/template/js.go +index fe7054efe5cd8..4e05c1455723f 100644 +--- a/src/html/template/js.go ++++ b/src/html/template/js.go +@@ -13,6 +13,11 @@ import ( + "unicode/utf8" + ) + ++// jsWhitespace contains all of the JS whitespace characters, as defined ++// by the \s character class. 
++// See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_expressions/Character_classes. ++const jsWhitespace = "\f\n\r\t\v\u0020\u00a0\u1680\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200a\u2028\u2029\u202f\u205f\u3000\ufeff" ++ + // nextJSCtx returns the context that determines whether a slash after the + // given run of tokens starts a regular expression instead of a division + // operator: / or /=. +@@ -26,7 +31,8 @@ import ( + // JavaScript 2.0 lexical grammar and requires one token of lookbehind: + // https://www.mozilla.org/js/language/js20-2000-07/rationale/syntax.html + func nextJSCtx(s []byte, preceding jsCtx) jsCtx { +- s = bytes.TrimRight(s, "\t\n\f\r \u2028\u2029") ++ // Trim all JS whitespace characters ++ s = bytes.TrimRight(s, jsWhitespace) + if len(s) == 0 { + return preceding + } +diff --git a/src/html/template/js_test.go b/src/html/template/js_test.go +index e07c695f7a77d..e52180cc113b5 100644 +--- a/src/html/template/js_test.go ++++ b/src/html/template/js_test.go +@@ -81,14 +81,17 @@ func TestNextJsCtx(t *testing.T) { + {jsCtxDivOp, "0"}, + // Dots that are part of a number are div preceders. + {jsCtxDivOp, "0."}, ++ // Some JS interpreters treat NBSP as a normal space, so ++ // we must too in order to properly escape things. ++ {jsCtxRegexp, "=\u00A0"}, + } + + for _, test := range tests { +- if nextJSCtx([]byte(test.s), jsCtxRegexp) != test.jsCtx { +- t.Errorf("want %s got %q", test.jsCtx, test.s) ++ if ctx := nextJSCtx([]byte(test.s), jsCtxRegexp); ctx != test.jsCtx { ++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx) + } +- if nextJSCtx([]byte(test.s), jsCtxDivOp) != test.jsCtx { +- t.Errorf("want %s got %q", test.jsCtx, test.s) ++ if ctx := nextJSCtx([]byte(test.s), jsCtxDivOp); ctx != test.jsCtx { ++ t.Errorf("%q: want %s got %s", test.s, test.jsCtx, ctx) + } + } + 
diff --git a/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service b/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service index 7f72f3388a..b6b81d5c1a 100644 --- a/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service +++ b/poky/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts.service @@ -1,7 +1,7 @@ [Unit] Description=Run pending postinsts DefaultDependencies=no -After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount +After=systemd-remount-fs.service systemd-tmpfiles-setup.service tmp.mount ldconfig.service Before=sysinit.target [Service] diff --git a/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch b/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch new file mode 100644 index 0000000000..4b96e4316c --- /dev/null +++ b/poky/meta/recipes-extended/cpio/cpio-2.13/0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch 
@@ -0,0 +1,39 @@ +From 77ff5f1be394eb2c786df561ff37dde7f982ec76 Mon Sep 17 00:00:00 2001 +From: Stefano Babic <sbabic@denx.de> +Date: Fri, 28 Jul 2017 13:20:52 +0200 +Subject: [PATCH] Wrong CRC with ASCII CRC for large files + +Due to signedness, the checksum is not computed when filesize is bigger +a 2GB. + +Upstream-Status: Submitted [https://lists.gnu.org/archive/html/bug-cpio/2017-07/msg00004.html] +Signed-off-by: Stefano Babic <sbabic@denx.de> +--- + src/copyout.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/copyout.c b/src/copyout.c +index 1f0987a..727aeca 100644 +--- a/src/copyout.c ++++ b/src/copyout.c +@@ -34,13 +34,13 @@ + compute and return a checksum for them. */ + + static uint32_t +-read_for_checksum (int in_file_des, int file_size, char *file_name) ++read_for_checksum (int in_file_des, unsigned int file_size, char *file_name) + { + uint32_t crc; + char buf[BUFSIZ]; +- int bytes_left; +- int bytes_read; +- int i; ++ unsigned int bytes_left; ++ unsigned int bytes_read; ++ unsigned int i; + + crc = 0; + +-- +2.7.4 + diff --git a/poky/meta/recipes-extended/cpio/cpio_2.13.bb b/poky/meta/recipes-extended/cpio/cpio_2.13.bb index 7c8a465cd0..86527da744 100644 --- a/poky/meta/recipes-extended/cpio/cpio_2.13.bb +++ b/poky/meta/recipes-extended/cpio/cpio_2.13.bb @@ -10,6 +10,7 @@ SRC_URI = "${GNU_MIRROR}/cpio/cpio-${PV}.tar.gz \ file://0001-Unset-need_charset_alias-when-building-for-musl.patch \ file://0002-src-global.c-Remove-superfluous-declaration-of-progr.patch \ file://CVE-2021-38185.patch \ + file://0001-Wrong-CRC-with-ASCII-CRC-for-large-files.patch \ " SRC_URI[md5sum] = "389c5452d667c23b5eceb206f5000810" diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch new file mode 100644 index 0000000000..852f2459f7 --- /dev/null +++ b/poky/meta/recipes-extended/ghostscript/ghostscript/CVE-2023-28879.patch 
@@ -0,0 +1,54 @@ +From 37ed5022cecd584de868933b5b60da2e995b3179 Mon Sep 17 00:00:00 2001 +From: Ken Sharp <ken.sharp@artifex.com> +Date: Fri, 24 Mar 2023 13:19:57 +0000 +Subject: [PATCH] Graphics library - prevent buffer overrun in (T)BCP encoding + +Bug #706494 "Buffer Overflow in s_xBCPE_process" + +As described in detail in the bug report, if the write buffer is filled +to one byte less than full, and we then try to write an escaped +character, we overrun the buffer because we don't check before +writing two bytes to it. + +This just checks if we have two bytes before starting to write an +escaped character and exits if we don't (replacing the consumed byte +of the input). + +Up for further discussion; why do we even permit a BCP encoding filter +anyway ? I think we should remove this, at least when SAFER is true. + +Upstream-Status: Backport [https://git.ghostscript.com/?p=ghostpdl.git;h=37ed5022cecd584de868933b5b60da2e995b3179] +CVE: CVE-2023-28879 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + base/sbcp.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/base/sbcp.c b/base/sbcp.c +index 6b0383c..90784b5 100644 +--- a/base/sbcp.c ++++ b/base/sbcp.c +@@ -1,4 +1,4 @@ +-/* Copyright (C) 2001-2019 Artifex Software, Inc. ++/* Copyright (C) 2001-2023 Artifex Software, Inc. + All Rights Reserved. + + This software is provided AS-IS with no warranty, either express or +@@ -50,6 +50,14 @@ s_xBCPE_process(stream_state * st, stream_cursor_read * pr, + byte ch = *++p; + + if (ch <= 31 && escaped[ch]) { ++ /* Make sure we have space to store two characters in the write buffer, ++ * if we don't then exit without consuming the input character, we'll process ++ * that on the next time round. ++ */ ++ if (pw->limit - q < 2) { ++ p--; ++ break; ++ } + if (p == rlimit) { + p--; + break; +-- +2.25.1 + 
diff --git a/poky/meta/recipes-extended/ghostscript/ghostscript_9.52.bb b/poky/meta/recipes-extended/ghostscript/ghostscript_9.52.bb index a829d4b4ae..57f0b51ad3 100644 --- a/poky/meta/recipes-extended/ghostscript/ghostscript_9.52.bb +++ b/poky/meta/recipes-extended/ghostscript/ghostscript_9.52.bb @@ -39,6 +39,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d file://CVE-2021-3781_1.patch \ file://CVE-2021-3781_2.patch \ file://CVE-2021-3781_3.patch \ + file://CVE-2023-28879.patch \ " SRC_URI = "${SRC_URI_BASE} \ diff --git a/poky/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/poky/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch new file mode 100644 index 0000000000..800d77579e --- /dev/null +++ b/poky/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch 
@@ -0,0 +1,40 @@ +From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <wl@gnu.org> +Date: Mon, 14 Nov 2022 19:18:19 +0100 +Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer + overflow. + +Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462 + +Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611] +CVE: CVE-2023-2004 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/truetype/ttgxvar.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c +index 78d87dc..258d701 100644 +--- a/src/truetype/ttgxvar.c ++++ b/src/truetype/ttgxvar.c +@@ -43,6 +43,7 @@ + #include FT_INTERNAL_DEBUG_H + #include FT_CONFIG_CONFIG_H + #include FT_INTERNAL_STREAM_H ++#include <freetype/internal/ftcalc.h> + #include FT_INTERNAL_SFNT_H + #include FT_TRUETYPE_TAGS_H + #include FT_TRUETYPE_IDS_H +@@ -1065,7 +1066,7 @@ + delta == 1 ? "" : "s", + vertical ? "VVAR" : "HVAR" )); + +- *avalue += delta; ++ *avalue = ADD_INT( *avalue, delta ); + + Exit: + return error; +-- +2.17.1 diff --git a/poky/meta/recipes-graphics/freetype/freetype_2.10.1.bb b/poky/meta/recipes-graphics/freetype/freetype_2.10.1.bb index 72001c529a..6af744b981 100644 --- a/poky/meta/recipes-graphics/freetype/freetype_2.10.1.bb +++ b/poky/meta/recipes-graphics/freetype/freetype_2.10.1.bb @@ -18,6 +18,7 @@ SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \ file://CVE-2022-27404.patch \ file://CVE-2022-27405.patch \ file://CVE-2022-27406.patch \ + file://CVE-2023-2004.patch \ " SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f" SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f" 
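Review bot: In the ttgxvar.c hunks of CVE-2023-2004.patch, the added `#include <freetype/internal/ftcalc.h>` uses a direct path while every neighbouring include uses the macro form (`#include FT_INTERNAL_STREAM_H`, `#include FT_INTERNAL_SFNT_H`). For the 2.10.1 tree this recipe builds, the macro form (FT_INTERNAL_CALC_H) would match the file's convention, and the Upstream-Status line should note that the backport was adapted if it is changed. It is also worth saying in the patch description that `*avalue = ADD_INT( *avalue, delta );` removes the undefined signed overflow by wrapping the sum, not by rejecting or clamping an out-of-range delta, so the resulting advance can still be a wrapped value.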
diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch new file mode 100644 index 0000000000..ef2ee5d55e --- /dev/null +++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-0494.patch @@ -0,0 +1,38 @@ +From 0ba6d8c37071131a49790243cdac55392ecf71ec Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <peter.hutterer@who-t.net> +Date: Wed, 25 Jan 2023 11:41:40 +1000 +Subject: [PATCH] Xi: fix potential use-after-free in DeepCopyPointerClasses + +CVE-2023-0494, ZDI-CAN-19596 + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec] +CVE: CVE-2023-0494 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + Xi/exevents.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/Xi/exevents.c b/Xi/exevents.c +index 217baa9561..dcd4efb3bc 100644 +--- a/Xi/exevents.c ++++ b/Xi/exevents.c +@@ -619,8 +619,10 @@ DeepCopyPointerClasses(DeviceIntPtr from, DeviceIntPtr to) + memcpy(to->button->xkb_acts, from->button->xkb_acts, + sizeof(XkbAction)); + } +- else ++ else { + free(to->button->xkb_acts); ++ to->button->xkb_acts = NULL; ++ } + + memcpy(to->button->labels, from->button->labels, + from->button->numButtons * sizeof(Atom)); +-- +GitLab + diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch new file mode 100644 index 0000000000..51d0e0cab6 --- /dev/null +++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-1393.patch 
@@ -0,0 +1,46 @@ +From 26ef545b3502f61ca722a7a3373507e88ef64110 Mon Sep 17 00:00:00 2001 +From: Olivier Fourdan <ofourdan@redhat.com> +Date: Mon, 13 Mar 2023 11:08:47 +0100 +Subject: [PATCH] composite: Fix use-after-free of the COW + +ZDI-CAN-19866/CVE-2023-1393 + +If a client explicitly destroys the compositor overlay window (aka COW), +we would leave a dangling pointer to that window in the CompScreen +structure, which will trigger a use-after-free later. + +Make sure to clear the CompScreen pointer to the COW when the latter gets +destroyed explicitly by the client. + +This vulnerability was discovered by: +Jan-Niklas Sohn working with Trend Micro Zero Day Initiative + +Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> +Reviewed-by: Adam Jackson <ajax@redhat.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/26ef545b3502f61ca722a7a3373507e88ef64110] +CVE: CVE-2023-1393 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + composite/compwindow.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/composite/compwindow.c b/composite/compwindow.c +index 4e2494b86b..b30da589e9 100644 +--- a/composite/compwindow.c ++++ b/composite/compwindow.c +@@ -620,6 +620,11 @@ compDestroyWindow(WindowPtr pWin) + ret = (*pScreen->DestroyWindow) (pWin); + cs->DestroyWindow = pScreen->DestroyWindow; + pScreen->DestroyWindow = compDestroyWindow; ++ ++ /* Did we just destroy the overlay window? */ ++ if (pWin == cs->pOverlayWin) ++ cs->pOverlayWin = NULL; ++ + /* compCheckTree (pWin->drawable.pScreen); can't check -- tree isn't good*/ + return ret; + } +-- +GitLab + diff --git a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb index ab18a87a3d..5c604fa86e 100644 --- a/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb +++ b/poky/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.20.14.bb 
@@ -14,6 +14,8 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat file://CVE-2022-46342.patch \ file://CVE-2022-46343.patch \ file://CVE-2022-46344.patch \ + file://CVE-2023-0494.patch \ + file://CVE-2023-1393.patch \ " SRC_URI[md5sum] = "453fc86aac8c629b3a5b77e8dcca30bf" SRC_URI[sha256sum] = "54b199c9280ff8bf0f73a54a759645bd0eeeda7255d1c99310d5b7595f3ac066" diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230210.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb index fb1ea61906..9ac70b2a3a 100644 --- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230210.bb +++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20230404.bb @@ -108,7 +108,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ file://LICENCE.OLPC;md5=5b917f9d8c061991be4f6f5f108719cd \ file://LICENCE.open-ath9k-htc-firmware;md5=1b33c9f4d17bc4d457bdb23727046837 \ file://LICENCE.phanfw;md5=954dcec0e051f9409812b561ea743bfa \ - file://LICENCE.qat_firmware;md5=9e7d8bea77612d7cc7d9e9b54b623062 \ + file://LICENCE.qat_firmware;md5=72de83dfd9b87be7685ed099a39fbea4 \ file://LICENSE.qcom;md5=164e3362a538eb11d3ac51e8e134294b \ file://LICENSE.qcom_yamato;md5=d0de0eeccaf1843a850bf7a6777eec5c \ file://LICENCE.qla1280;md5=d6895732e622d950609093223a2c4f5d \ @@ -134,7 +134,7 @@ LIC_FILES_CHKSUM = "file://LICENCE.Abilis;md5=b5ee3f410780e56711ad48eadc22b8bc \ " # WHENCE checksum is defined separately to ease overriding it if # class-devupstream is selected. -WHENCE_CHKSUM = "aadb3cccbde1e53fc244a409e9bd5a22" +WHENCE_CHKSUM = "0782deea054d4b1b7f10c92c3a245da4" # These are not common licenses, set NO_GENERIC_LICENSE for them # so that the license files will be copied from fetched source 
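Review bot: In the linux-firmware_20230404.bb hunks at -108 and -134, the md5 for LICENCE.qat_firmware and the WHENCE_CHKSUM value both change, but nothing visible in the change says what differs in the license text. A License-Update line in the commit message describing the change to LICENCE.qat_firmware, and confirming that the WHENCE difference is limited to the firmware file list, would let a reviewer accept the new checksums without diffing the two firmware tarballs.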
@@ -212,7 +212,7 @@ SRC_URI:class-devupstream = "git://git.kernel.org/pub/scm/linux/kernel/git/firmw # Pin this to the 20220509 release, override this in local.conf SRCREV:class-devupstream ?= "b19cbdca78ab2adfd210c91be15a22568e8b8cae" -SRC_URI[sha256sum] = "6e3d9e8d52cffc4ec0dbe8533a8445328e0524a20f159a5b61c2706f983ce38a" +SRC_URI[sha256sum] = "c3f9ad2bb5311cce2490f37a8052f836703d6936aabd840246b6576f1f71f607" inherit allarch diff --git a/poky/meta/recipes-kernel/linux/cve-exclusion.inc b/poky/meta/recipes-kernel/linux/cve-exclusion.inc new file mode 100644 index 0000000000..a18e603bc9 --- /dev/null +++ b/poky/meta/recipes-kernel/linux/cve-exclusion.inc 
@@ -0,0 +1,1840 @@ +# Kernel CVE exclusion file + +# https://nvd.nist.gov/vuln/detail/CVE-2014-8171 +# Patched in kernel since v3.12 4942642080ea82d99ab5b653abb9a12b7ba31f4a +CVE_CHECK_WHITELIST += "CVE-2014-8171" + +# https://nvd.nist.gov/vuln/detail/CVE-2017-1000255 +# Patched in kernel since v4.14 265e60a170d0a0ecfc2d20490134ed2c48dd45ab +CVE_CHECK_WHITELIST += "CVE-2017-1000255" + +# https://nvd.nist.gov/vuln/detail/CVE-2018-5873 +# Patched in kernel since v4.11 073c516ff73557a8f7315066856c04b50383ac34 +CVE_CHECK_WHITELIST += "CVE-2018-5873" + +# https://nvd.nist.gov/vuln/detail/CVE-2018-10840 +# Patched in kernel since v4.18 8a2b307c21d4b290e3cbe33f768f194286d07c23 +CVE_CHECK_WHITELIST += "CVE-2018-10840" + +# https://nvd.nist.gov/vuln/detail/CVE-2018-10876 +# Patched in kernel since v4.18 8844618d8aa7a9973e7b527d038a2a589665002c +CVE_CHECK_WHITELIST += "CVE-2018-10876" + +# https://nvd.nist.gov/vuln/detail/CVE-2018-10882 +# Patched in kernel since v4.18 c37e9e013469521d9adb932d17a1795c139b36db +CVE_CHECK_WHITELIST += "CVE-2018-10882" + +# https://nvd.nist.gov/vuln/detail/CVE-2018-10902 +# Patched in kernel since v4.18 39675f7a7c7e7702f7d5341f1e0d01db746543a0 +CVE_CHECK_WHITELIST += "CVE-2018-10902" + +# https://nvd.nist.gov/vuln/detail/CVE-2018-14625 +# Patched in kernel since v4.20 834e772c8db0c6a275d75315d90aba4ebbb1e249 +CVE_CHECK_WHITELIST += "CVE-2018-14625" + +# https://nvd.nist.gov/vuln/detail/CVE-2018-16880 +# Patched in kernel since v5.0 b46a0bf78ad7b150ef5910da83859f7f5a514ffd +CVE_CHECK_WHITELIST += "CVE-2018-16880" + +# https://nvd.nist.gov/vuln/detail/CVE-2018-16884 +# Patched in kernel since v5.0 d4b09acf924b84bae77cad090a9d108e70b43643 +CVE_CHECK_WHITELIST += "CVE-2018-16884" + +# https://nvd.nist.gov/vuln/detail/CVE-2019-3819 +# Patched in kernel since v5.0 13054abbaa4f1fd4e6f3b4b63439ec033b4c8035 +CVE_CHECK_WHITELIST += "CVE-2019-3819" + +# https://nvd.nist.gov/vuln/detail/CVE-2019-20810 +# Patched in kernel since v5.6 
9453264ef58638ce8976121ac44c07a3ef375983 +# Backported in version v5.4.48 6e688a315acf9c2b9b6e8c3e3b7a0c2720f72cba +CVE_CHECK_WHITELIST += "CVE-2019-20810" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-1749 +# Patched in kernel since v5.5 6c8991f41546c3c472503dff1ea9daaddf9331c2 +# Backported in version v5.4.5 48d58ae9e87aaa11814364ddb52b3461f9abac57 +CVE_CHECK_WHITELIST += "CVE-2020-1749" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-8428 +# Patched in kernel since v5.5 d0cb50185ae942b03c4327be322055d622dc79f6 +# Backported in version v5.4.16 454759886d0b463213fad0f1c733469e2c501ab9 +CVE_CHECK_WHITELIST += "CVE-2020-8428" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-8647 +# Patched in kernel since v5.6 513dc792d6060d5ef572e43852683097a8420f56 +# Backported in version v5.4.25 5d230547476eea90b57ed9fda4bfe5307779abbb +CVE_CHECK_WHITELIST += "CVE-2020-8647" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-8649 +# Patched in kernel since v5.6 513dc792d6060d5ef572e43852683097a8420f56 +# Backported in version v5.4.25 5d230547476eea90b57ed9fda4bfe5307779abbb +CVE_CHECK_WHITELIST += "CVE-2020-8649" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-8992 +# Patched in kernel since v5.6 af133ade9a40794a37104ecbcc2827c0ea373a3c +# Backported in version v5.4.21 94f0fe04da78adc214b51523499031664f9db408 +CVE_CHECK_WHITELIST += "CVE-2020-8992" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-9383 +# Patched in kernel since v5.6 2e90ca68b0d2f5548804f22f0dd61145516171e3 +# Backported in version v5.4.23 1eb78bc92c847f9e1c01a01b2773fc2fe7b134cf +CVE_CHECK_WHITELIST += "CVE-2020-9383" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-10690 +# Patched in kernel since v5.5 a33121e5487b424339636b25c35d3a180eaa5f5e +# Backported in version v5.4.8 bfa2e0cd3dfda64fde43c3dca3aeba298d2fe7ad +CVE_CHECK_WHITELIST += "CVE-2020-10690" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-10711 +# Patched in kernel since v5.7 eead1c2ea2509fd754c6da893a94f0e69e83ebe4 +# Backported in version v5.4.42 
debcbc56fdfc2847804d3d00d43f68f3074c5987 +CVE_CHECK_WHITELIST += "CVE-2020-10711" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-10732 +# Patched in kernel since v5.7 1d605416fb7175e1adf094251466caa52093b413 +# Backported in version v5.4.44 a02c130efbbce91af1e9dd99a5a381dd43494e15 +CVE_CHECK_WHITELIST += "CVE-2020-10732" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-10742 +# Patched in kernel since v3.16 91f79c43d1b54d7154b118860d81b39bad07dfff +CVE_CHECK_WHITELIST += "CVE-2020-10742" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-10757 +# Patched in kernel since v5.8 5bfea2d9b17f1034a68147a8b03b9789af5700f9 +# Backported in version v5.4.45 df4988aa1c9618d9c612639e96002cd4e772def2 +CVE_CHECK_WHITELIST += "CVE-2020-10757" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-10766 +# Patched in kernel since v5.8 dbbe2ad02e9df26e372f38cc3e70dab9222c832e +# Backported in version v5.4.47 9d1dcba6dd48cf7c5801d8aee12852ca41110896 +CVE_CHECK_WHITELIST += "CVE-2020-10766" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-10767 +# Patched in kernel since v5.8 21998a351512eba4ed5969006f0c55882d995ada +# Backported in version v5.4.47 6d60d5462a91eb46fb88b016508edfa8ee0bc7c8 +CVE_CHECK_WHITELIST += "CVE-2020-10767" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-10768 +# Patched in kernel since v5.8 4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf +# Backported in version v5.4.47 e1545848ad5510e82eb75717c1f5757b984014cb +CVE_CHECK_WHITELIST += "CVE-2020-10768" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-10781 +# Patched in kernel since v5.8 853eab68afc80f59f36bbdeb715e5c88c501e680 +# Backported in version v5.4.53 72648019cd52488716891c2cbb096ad1023ab83e +CVE_CHECK_WHITELIST += "CVE-2020-10781" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-10942 +# Patched in kernel since v5.6 42d84c8490f9f0931786f1623191fcab397c3d64 +# Backported in version v5.4.24 f09fbb1175cffdbbb36b28e2ff7db96dcc90de08 +CVE_CHECK_WHITELIST += "CVE-2020-10942" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-11494 +# 
Patched in kernel since v5.7 b9258a2cece4ec1f020715fe3554bc2e360f6264 +# Backported in version v5.4.32 fdb6a094ba41e985d9fb14ae2bfc180e3e983720 +CVE_CHECK_WHITELIST += "CVE-2020-11494" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-11565 +# Patched in kernel since v5.7 aa9f7d5172fac9bf1f09e678c35e287a40a7b7dd +# Backported in version v5.4.31 c3f87e03f90ff2901525cc99c0e3bfb6fcbfd184 +CVE_CHECK_WHITELIST += "CVE-2020-11565" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-11608 +# Patched in kernel since v5.7 998912346c0da53a6dbb71fab3a138586b596b30 +# Backported in version v5.4.29 e4af1cf37b901839320e40515d9a60a1c8b51f3a +CVE_CHECK_WHITELIST += "CVE-2020-11608" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-11609 +# Patched in kernel since v5.7 485b06aadb933190f4bc44e006076bc27a23f205 +# Backported in version v5.4.29 4490085a9e2d2cde69e865e3691223ea9e94513b +CVE_CHECK_WHITELIST += "CVE-2020-11609" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-11668 +# Patched in kernel since v5.7 a246b4d547708f33ff4d4b9a7a5dbac741dc89d8 +# Backported in version v5.4.29 e7cd85f398cd1ffe3ce707ce7e2ec0e4a5010475 +CVE_CHECK_WHITELIST += "CVE-2020-11668" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-11884 +# Patched in kernel since v5.7 316ec154810960052d4586b634156c54d0778f74 +# Backported in version v5.4.36 44d9eb0ebe8fd04f46b18d10a18b2c543b379a0c +CVE_CHECK_WHITELIST += "CVE-2020-11884" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12464 +# Patched in kernel since v5.7 056ad39ee9253873522f6469c3364964a322912b +# Backported in version v5.4.36 b48193a7c303272d357b27dd7d72cbf89f7b2d35 +CVE_CHECK_WHITELIST += "CVE-2020-12464" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12465 +# Patched in kernel since v5.6 b102f0c522cf668c8382c56a4f771b37d011cda2 +# Backported in version v5.4.26 02013734629bf57070525a3515509780092a63ab +CVE_CHECK_WHITELIST += "CVE-2020-12465" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12653 +# Patched in kernel since v5.6 b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d 
+# Backported in version v5.4.20 3c822e1f31186767d6b7261c3c066f01907ecfca +CVE_CHECK_WHITELIST += "CVE-2020-12653" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12654 +# Patched in kernel since v5.6 3a9b153c5591548612c3955c9600a98150c81875 +# Backported in version v5.4.20 c5b071e3f44d1125694ad4dcf1234fb9a78d0be6 +CVE_CHECK_WHITELIST += "CVE-2020-12654" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12655 +# Patched in kernel since v5.7 d0c7feaf87678371c2c09b3709400be416b2dc62 +# Backported in version v5.4.50 ffd40b7962d463daa531a8110e5b708bcb5c6da7 +CVE_CHECK_WHITELIST += "CVE-2020-12655" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12657 +# Patched in kernel since v5.7 2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9 +# Backported in version v5.4.33 b37de1b1e882fa3741d252333e5745eea444483b +CVE_CHECK_WHITELIST += "CVE-2020-12657" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12659 +# Patched in kernel since v5.7 99e3a236dd43d06c65af0a2ef9cb44306aef6e02 +# Backported in version v5.4.35 25c9cdef57488578da21d99eb614b97ffcf6e59f +CVE_CHECK_WHITELIST += "CVE-2020-12659" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12768 +# Patched in kernel since v5.6 d80b64ff297e40c2b6f7d7abc1b3eba70d22a068 +# Backported in version v5.4.43 ac46cea606d59be18a6afd4560c48bcca836c44c +CVE_CHECK_WHITELIST += "CVE-2020-12768" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12770 +# Patched in kernel since v5.7 83c6f2390040f188cc25b270b4befeb5628c1aee +# Backported in version v5.4.42 2d6d0ce4de03832c8deedeb16c7af52868d7e99e +CVE_CHECK_WHITELIST += "CVE-2020-12770" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12771 +# Patched in kernel since v5.8 be23e837333a914df3f24bf0b32e87b0331ab8d1 +# Backported in version v5.4.49 f651e94899ed08b1766bda30f410d33fdd3970ff +CVE_CHECK_WHITELIST += "CVE-2020-12771" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12826 +# Patched in kernel since v5.7 d1e7fd6462ca9fc76650fbe6ca800e35b24267da +# Backported in version v5.4.33 
5f2d04139aa5ed04eab54b84e8a25bab87a2449c +CVE_CHECK_WHITELIST += "CVE-2020-12826" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-12888 +# Patched in kernel since v5.8 abafbc551fddede3e0a08dee1dcde08fc0eb8476 +# Backported in version v5.4.64 8f747b0149c5a0c72626a87eb0dd2a5ec91f1a7d +CVE_CHECK_WHITELIST += "CVE-2020-12888" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-13143 +# Patched in kernel since v5.7 15753588bcd4bbffae1cca33c8ced5722477fe1f +# Backported in version v5.4.42 6bb054f006c3df224cc382f1ebd81b7276dcfb1c +CVE_CHECK_WHITELIST += "CVE-2020-13143" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-14314 +# Patched in kernel since v5.9 5872331b3d91820e14716632ebb56b1399b34fe1 +# Backported in version v5.4.61 ea54176e5821936d109bb45dc2c19bd53559e735 +CVE_CHECK_WHITELIST += "CVE-2020-14314" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-14331 +# Patched in kernel since v5.9 ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d +# Backported in version v5.4.58 8c3215a0426c404f4b7b02a1e0fdb0f7f4f1e6d3 +CVE_CHECK_WHITELIST += "CVE-2020-14331" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-14351 +# Patched in kernel since v5.10 f91072ed1b7283b13ca57fcfbece5a3b92726143 +# Backported in version v5.4.78 c5cf5c7b585c7f48195892e44b76237010c0747a +CVE_CHECK_WHITELIST += "CVE-2020-14351" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-14381 +# Patched in kernel since v5.6 8019ad13ef7f64be44d4f892af9c840179009254 +# Backported in version v5.4.28 553d46b07dc4813e1d8e6a3b3d6eb8603b4dda74 +CVE_CHECK_WHITELIST += "CVE-2020-14381" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-14385 +# Patched in kernel since v5.9 f4020438fab05364018c91f7e02ebdd192085933 +# Backported in version v5.4.64 da7a1676d6c19971758976a84e87f5b1009409e7 +CVE_CHECK_WHITELIST += "CVE-2020-14385" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-14390 +# Patched in kernel since v5.9 50145474f6ef4a9c19205b173da6264a644c7489 +# Backported in version v5.4.66 cf5a7ded53652c3d63d7243944c6a8ec1f0ef392 +CVE_CHECK_WHITELIST += 
"CVE-2020-14390" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-15393 +# Patched in kernel since v5.8 28ebeb8db77035e058a510ce9bd17c2b9a009dba +# Backported in version v5.4.51 3dca0a299ff43204a69c9a7a00ce2b3e7ab3088c +CVE_CHECK_WHITELIST += "CVE-2020-15393" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-15436 +# Patched in kernel since v5.8 2d3a8e2deddea6c89961c422ec0c5b851e648c14 +# Backported in version v5.4.49 b3dc33946a742256ad9d2ccac848c9e3c2aaafef +CVE_CHECK_WHITELIST += "CVE-2020-15436" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-15437 +# Patched in kernel since v5.8 f4c23a140d80ef5e6d3d1f8f57007649014b60fa +# Backported in version v5.4.54 af811869db0698b587aa5418eab05c9f7e0bea3c +CVE_CHECK_WHITELIST += "CVE-2020-15437" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-15780 +# Patched in kernel since v5.8 75b0cea7bf307f362057cc778efe89af4c615354 +# Backported in version v5.4.50 824d0b6225f3fa2992704478a8df520537cfcb56 +CVE_CHECK_WHITELIST += "CVE-2020-15780" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-16119 +# Patched in kernel since v5.15 d9ea761fdd197351890418acd462c51f241014a7 +# Backported in version v5.4.148 5ab04a4ffed02f66e8e6310ba8261a43d1572343 +# Backported in version v5.10.68 6c3cb65d561e76fd0398026c023e587fec70e188 +CVE_CHECK_WHITELIST += "CVE-2020-16119" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-16166 +# Patched in kernel since v5.8 f227e3ec3b5cad859ad15666874405e8c1bbc1d4 +# Backported in version v5.4.57 c15a77bdda2c4f8acaa3e436128630a81f904ae7 +CVE_CHECK_WHITELIST += "CVE-2020-16166" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-24394 +# Patched in kernel since v5.8 22cf8419f1319ff87ec759d0ebdff4cbafaee832 +# Backported in version v5.4.51 fe05e114d0fde7f644ac9ab5edfce3fa65650875 +CVE_CHECK_WHITELIST += "CVE-2020-24394" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25211 +# Patched in kernel since v5.9 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 +# Backported in version v5.4.70 253052b636e98083b1ecc3e9b0cf6f151e1cb8c6 
+CVE_CHECK_WHITELIST += "CVE-2020-25211" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25212 +# Patched in kernel since v5.9 b4487b93545214a9db8cbf32e86411677b0cca21 +# Backported in version v5.4.60 75cf7f895f563e14c82c1aeea0362dc155b5baf3 +CVE_CHECK_WHITELIST += "CVE-2020-25212" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25284 +# Patched in kernel since v5.9 f44d04e696feaf13d192d942c4f14ad2e117065a +# Backported in version v5.4.66 ea3d3bf85669195247ad6a522f4e4209695edca2 +CVE_CHECK_WHITELIST += "CVE-2020-25284" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25285 +# Patched in kernel since v5.9 17743798d81238ab13050e8e2833699b54e15467 +# Backported in version v5.4.64 af7786b20c717ff13d9148161dad4b8e286bfd39 +CVE_CHECK_WHITELIST += "CVE-2020-25285" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25639 +# Patched in kernel since v5.12 eaba3b28401f50e22d64351caa8afe8d29509f27 +# Backported in version v5.4.102 0faef25462f886a77e0b397cca31d51163215332 +# Backported in version v5.10.20 e3fcff9f45aa82dacad26e5828598340d2742f47 +CVE_CHECK_WHITELIST += "CVE-2020-25639" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25641 +# Patched in kernel since v5.9 7e24969022cbd61ddc586f14824fc205661bb124 +# Backported in version v5.4.64 84c041c12442d233c9b3c593cbe9eb8a77875578 +CVE_CHECK_WHITELIST += "CVE-2020-25641" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25643 +# Patched in kernel since v5.9 66d42ed8b25b64eb63111a2b8582c5afc8bf1105 +# Backported in version v5.4.68 c3de9daa662617132744731f1b4eb7b5cd1270a8 +CVE_CHECK_WHITELIST += "CVE-2020-25643" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25645 +# Patched in kernel since v5.9 34beb21594519ce64a55a498c2fe7d567bc1ca20 +# Backported in version v5.4.68 745c24fd1d79b588a951d3c5beca43575907f881 +CVE_CHECK_WHITELIST += "CVE-2020-25645" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25656 +# Patched in kernel since v5.10 82e61c3909db51d91b9d3e2071557b6435018b80 +# Backported in version v5.4.75 
87d398f348b8a2d5246d3670a93fb63d4fd9f62a +CVE_CHECK_WHITELIST += "CVE-2020-25656" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25672 +# Patched in kernel since v5.12 7574fcdbdcb335763b6b322f6928dc0fd5730451 +# Backported in version v5.4.112 404daa4d62a364623b48349eb73a18579edf51ac +# Backported in version v5.10.30 568ac94df580b1a65837dc299e8758635e7b1423 +CVE_CHECK_WHITELIST += "CVE-2020-25672" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25704 +# Patched in kernel since v5.10 7bdb157cdebbf95a1cd94ed2e01b338714075d00 +# Backported in version v5.4.76 b7f7474b392194530d1ec07203c8668e81b7fdb9 +CVE_CHECK_WHITELIST += "CVE-2020-25704" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-25705 +# Patched in kernel since v5.10 b38e7819cae946e2edf869e604af1e65a5d241c5 +# Backported in version v5.4.73 8df0ffe2f32c09b4627cbce5cd5faf8e98a6a71e +CVE_CHECK_WHITELIST += "CVE-2020-25705" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-26088 +# Patched in kernel since v5.9 26896f01467a28651f7a536143fe5ac8449d4041 +# Backported in version v5.4.59 0b305f259ca9b85c48f9cb3159d034b7328ed225 +CVE_CHECK_WHITELIST += "CVE-2020-26088" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-26541 +# Patched in kernel since v5.13 56c5812623f95313f6a46fbf0beee7fa17c68bbf +# Backported in version v5.4.129 e20b90e4f81bb04e2b180824caae585928e24ba9 +# Backported in version v5.10.47 45109066f686597116467a53eaf4330450702a96 +CVE_CHECK_WHITELIST += "CVE-2020-26541" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-27170 +# Patched in kernel since v5.12 f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 +# Backported in version v5.4.107 ea8fb45eaac141b13f656a7056e4823845aa3b69 +# Backported in version v5.10.25 c4d37eea1c641a9319baf34253cc373abb39d3e1 +CVE_CHECK_WHITELIST += "CVE-2020-27170" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-27171 +# Patched in kernel since v5.12 10d2bb2e6b1d8c4576c56a748f697dbeb8388899 +# Backported in version v5.4.107 2da0540739e43154b500a817d9c95d36c2f6a323 +# Backported in version v5.10.25 
ac1b87a18c1ffbe3d093000b762121b5aae0a3f9 +CVE_CHECK_WHITELIST += "CVE-2020-27171" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-27675 +# Patched in kernel since v5.10 073d0552ead5bfc7a3a9c01de590e924f11b5dd2 +# Backported in version v5.4.75 a01379671d67d34f254cc81f42cf854aa628f3a3 +CVE_CHECK_WHITELIST += "CVE-2020-27675" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-27777 +# Patched in kernel since v5.10 bd59380c5ba4147dcbaad3e582b55ccfd120b764 +# Backported in version v5.4.75 240baebeda09e1e010fff58acc9183992f41f638 +CVE_CHECK_WHITELIST += "CVE-2020-27777" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-27784 +# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1 +# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3 +CVE_CHECK_WHITELIST += "CVE-2020-27784" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-27830 +# Patched in kernel since v5.10 f0992098cadb4c9c6a00703b66cafe604e178fea +# Backported in version v5.4.83 b0d4fa10bfcc3051e9426b6286fb2d80bad04d74 +CVE_CHECK_WHITELIST += "CVE-2020-27830" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-28097 +# Patched in kernel since v5.9 973c096f6a85e5b5f2a295126ba6928d9a6afd45 +# Backported in version v5.4.66 087b6cb17df5834d395ab72da3f937380470ba15 +CVE_CHECK_WHITELIST += "CVE-2020-28097" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-28374 +# Patched in kernel since v5.11 2896c93811e39d63a4d9b63ccf12a8fbc226e5e4 +# Backported in version v5.4.89 485e21729b1e1235e6075318225c09e76b376e81 +# Backported in version v5.10.7 6f1e88527c1869de08632efa2cc796e0131850dc +CVE_CHECK_WHITELIST += "CVE-2020-28374" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-28915 +# Patched in kernel since v5.9 5af08640795b2b9a940c9266c0260455377ae262 +# Backported in version v5.4.71 1b2fcd82c0ca23f6fa01298c0d7b59eb4efbaf48 +CVE_CHECK_WHITELIST += "CVE-2020-28915" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-28941 +# Patched in kernel since v5.10 d4122754442799187d5d537a9c039a49a67e57f1 +# Backported in version 
v5.4.80 3b78db264675e47ad3cf9c1e809e85d02fe1de90 +CVE_CHECK_WHITELIST += "CVE-2020-28941" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-28974 +# Patched in kernel since v5.10 3c4e0dff2095c579b142d5a0693257f1c58b4804 +# Backported in version v5.4.76 642181fe3567419d84d2457b58f262c37467f525 +CVE_CHECK_WHITELIST += "CVE-2020-28974" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-29368 +# Patched in kernel since v5.8 c444eb564fb16645c172d550359cb3d75fe8a040 +# Backported in version v5.4.48 a88d8aaf9b8b5e0af163a235a3baa9fdcb7d430a +CVE_CHECK_WHITELIST += "CVE-2020-29368" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-29369 +# Patched in kernel since v5.8 246c320a8cfe0b11d81a4af38fa9985ef0cc9a4c +# Backported in version v5.4.54 549bfc14270681cd776c6d9b78fe544cbd21673a +CVE_CHECK_WHITELIST += "CVE-2020-29369" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-29370 +# Patched in kernel since v5.6 fd4d9c7d0c71866ec0c2825189ebd2ce35bd95b8 +# Backported in version v5.4.27 ae119b7e12472517bc35c1c003d5abf26653674a +CVE_CHECK_WHITELIST += "CVE-2020-29370" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-29371 +# Patched in kernel since v5.9 bcf85fcedfdd17911982a3e3564fcfec7b01eebd +# Backported in version v5.4.61 19a77c937a1914bdd655366e79a2a1b7d675f554 +CVE_CHECK_WHITELIST += "CVE-2020-29371" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-29373 +# Patched in kernel since v5.6 ff002b30181d30cdfbca316dadd099c3ca0d739c +# Backported in version v5.4.24 cac68d12c531aa3010509a5a55a5dfd18dedaa80 +CVE_CHECK_WHITELIST += "CVE-2020-29373" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-29374 +# Patched in kernel since v5.8 17839856fd588f4ab6b789f482ed3ffd7c403e1f +# Backported in version v5.4.47 1027dc04f557328eb7b7b7eea48698377a959157 +CVE_CHECK_WHITELIST += "CVE-2020-29374" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-29660 +# Patched in kernel since v5.10 c8bcd9c5be24fb9e6132e97da5a35e55a83e36b9 +# Backported in version v5.4.83 35ee9ac513280f46eeb1196bac82ed5320380412 +CVE_CHECK_WHITELIST 
+= "CVE-2020-29660" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-35508 +# Patched in kernel since v5.10 b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948 +# Backported in version v5.4.76 beeb658cfd3544ceca894375c36b6572e4ae7a5f +CVE_CHECK_WHITELIST += "CVE-2020-35508" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-36158 +# Patched in kernel since v5.11 5c455c5ab332773464d02ba17015acdca198f03d +# Backported in version v5.4.88 0a49aaf4df2936bca119ee38fe5a570a7024efdc +# Backported in version v5.10.6 94cc73b27a2599e4c88b7b2d6fd190107c58e480 +CVE_CHECK_WHITELIST += "CVE-2020-36158" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-36311 +# Patched in kernel since v5.9 7be74942f184fdfba34ddd19a0d995deb34d4a03 +# Backported in version v5.4.131 abbd42939db646f7210e1473e9cb17c6bc6f184c +CVE_CHECK_WHITELIST += "CVE-2020-36311" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-36312 +# Patched in kernel since v5.9 f65886606c2d3b562716de030706dfe1bea4ed5e +# Backported in version v5.4.66 41b2ea7a6a11e2b1a7f2c29e1675a709a6b2b98d +CVE_CHECK_WHITELIST += "CVE-2020-36312" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-36322 +# Patched in kernel since v5.11 5d069dbe8aaf2a197142558b6fb2978189ba3454 +# Backported in version v5.4.88 732251cabeb3bfd917d453a42274d769d6883fc4 +# Backported in version v5.10.6 36cf9ae54b0ead0daab7701a994de3dcd9ef605d +CVE_CHECK_WHITELIST += "CVE-2020-36322" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-36386 +# Patched in kernel since v5.9 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 +# Backported in version v5.4.58 c26eaaf547b785ae98fa08607b599c7df0da51bc +CVE_CHECK_WHITELIST += "CVE-2020-36386" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-36516 +# Patched in kernel since v5.17 23f57406b82de51809d5812afd96f210f8b627f3 +# Backported in version v5.4.176 1f748455a8f0e984dc91fc09e6dfe99f0e58cfbe +# Backported in version v5.10.96 b26fed25e67bc09f28f998569ed14022e07b174b +# Backported in version v5.15.19 dee686cbfdd13ca022f20be344a14f595a93f303 +CVE_CHECK_WHITELIST += 
"CVE-2020-36516" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-36557 +# Patched in kernel since v5.7 ca4463bf8438b403596edd0ec961ca0d4fbe0220 +# Backported in version v5.4.30 acf0e94019310a9e1c4b6807c208f49a25f74573 +CVE_CHECK_WHITELIST += "CVE-2020-36557" + +# https://nvd.nist.gov/vuln/detail/CVE-2020-36558 +# Patched in kernel since v5.6 6cd1ed50efd88261298577cd92a14f2768eddeeb +# Backported in version v5.4.23 897d5aaf3397e64a56274f2176d9e1b13adcb92e +CVE_CHECK_WHITELIST += "CVE-2020-36558" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3178 +# Patched in kernel since v5.11 51b2ee7d006a736a9126e8111d1f24e4fd0afaa6 +# Backported in version v5.4.92 4aef760c28e8bd1860a27fd78067b4ea77124987 +# Backported in version v5.10.10 fdcaa4af5e70e2d984c9620a09e9dade067f2620 +CVE_CHECK_WHITELIST += "CVE-2021-3178" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3348 +# Patched in kernel since v5.11 b98e762e3d71e893b221f871825dc64694cfb258 +# Backported in version v5.4.95 587c6b75d7fdd366ad7dc615471006ce73c03a51 +# Backported in version v5.10.13 41f6f4a3143506ea1499cda2f14a16a2f82118a8 +CVE_CHECK_WHITELIST += "CVE-2021-3348" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3483 +# Patched in kernel since v5.12 829933ef05a951c8ff140e814656d73e74915faf +# Backported in version v5.4.110 5ecfad1efbc31ab913f16ed60f0efff301aebfca +# Backported in version v5.10.28 c04adcc819d3bdd85a5dc2523687707b89724df7 +CVE_CHECK_WHITELIST += "CVE-2021-3483" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3506 +# Patched in kernel since v5.13 b862676e371715456c9dade7990c8004996d0d9e +# Backported in version v5.4.118 27a130638406815eba083c632ee083f0c5e688c2 +# Backported in version v5.10.36 9aa4602237d535b83c579eb752e8fc1c3e7e7055 +CVE_CHECK_WHITELIST += "CVE-2021-3506" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3564 +# Patched in kernel since v5.13 6a137caec23aeb9e036cdfd8a46dd8a366460e5d +# Backported in version v5.4.125 8d3d0ac73a4a1d31e3d4f7c068312aba78470166 +# Backported in version v5.10.43 
3795007c8dfc8bca176529bfeceb17c6f4ef7e44 +CVE_CHECK_WHITELIST += "CVE-2021-3564" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3573 +# Patched in kernel since v5.13 e305509e678b3a4af2b3cfd410f409f7cdaabb52 +# Backported in version v5.4.125 b6f97555c71f78288682bc967121572f10715c89 +# Backported in version v5.10.43 74caf718cc7422a957aac381c73d798c0a999a65 +CVE_CHECK_WHITELIST += "CVE-2021-3573" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3609 +# Patched in kernel since v5.14 d5f9023fa61ee8b94f37a93f08e94b136cf1e463 +# Backported in version v5.4.132 70a9116b9e5ccd5332d3a60b359fb5902d268fd0 +# Backported in version v5.10.50 b52e0cf0bfc1ede495de36aec86f6013efa18f60 +CVE_CHECK_WHITELIST += "CVE-2021-3609" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3612 +# Patched in kernel since v5.14 f8f84af5da9ee04ef1d271528656dac42a090d00 +# Backported in version v5.4.132 0f382fa359ca1cb717ce27407538eb579b29a99f +# Backported in version v5.10.50 b4c35e9e8061b2386da1aa0d708e991204e76c45 +CVE_CHECK_WHITELIST += "CVE-2021-3612" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3635 +# Patched in kernel since v5.5 335178d5429c4cee61b58f4ac80688f556630818 +# Backported in version v5.4.14 8f4dc50b5c12e159ac846fdc00702c547fdf2e95 +CVE_CHECK_WHITELIST += "CVE-2021-3635" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3640 +# Patched in kernel since v5.16 99c23da0eed4fd20cae8243f2b51e10e66aa0951 +# Backported in version v5.4.160 d416020f1a9cc5f903ae66649b2c56d9ad5256ab +# Backported in version v5.10.80 4dfba42604f08a505f1a1efc69ec5207ea6243de +# Backported in version v5.15.3 b990c219c4c9d4993ef65ea9db73d9497e70f697 +CVE_CHECK_WHITELIST += "CVE-2021-3640" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3653 +# Patched in kernel since v5.14 0f923e07124df069ba68d8bb12324398f4b6b709 +# Backported in version v5.4.142 7c1c96ffb658fbfe66c5ebed6bcb5909837bc267 +# Backported in version v5.10.60 c0883f693187c646c0972d73e525523f9486c2e3 +CVE_CHECK_WHITELIST += "CVE-2021-3653" + +# 
https://nvd.nist.gov/vuln/detail/CVE-2021-3679 +# Patched in kernel since v5.14 67f0d6d9883c13174669f88adac4f0ee656cc16a +# Backported in version v5.4.136 f899f24d34d964593b16122a774c192a78e2ca56 +# Backported in version v5.10.54 757bdba8026be19b4f447487695cd0349a648d9e +CVE_CHECK_WHITELIST += "CVE-2021-3679" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3732 +# Patched in kernel since v5.14 427215d85e8d1476da1a86b8d67aceb485eb3631 +# Backported in version v5.4.141 812f39ed5b0b7f34868736de3055c92c7c4cf459 +# Backported in version v5.10.59 6a002d48a66076524f67098132538bef17e8445e +CVE_CHECK_WHITELIST += "CVE-2021-3732" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3739 +# Patched in kernel since v5.15 e4571b8c5e9ffa1e85c0c671995bd4dcc5c75091 +# Backported in version v5.4.144 d7f7eca72ecc08f0bb6897fda2290293fca63068 +# Backported in version v5.10.62 c43add24dffdbac269d5610465ced70cfc1bad9e +CVE_CHECK_WHITELIST += "CVE-2021-3739" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3744 +# Patched in kernel since v5.15 505d9dcb0f7ddf9d075e729523a33d38642ae680 +# Backported in version v5.4.151 24f3d2609114f1e1f6b487b511ce5fa36f21e0ae +# Backported in version v5.10.71 17ccc64e4fa5d3673528474bfeda814d95dc600a +CVE_CHECK_WHITELIST += "CVE-2021-3744" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3752 +# Patched in kernel since v5.16 1bff51ea59a9afb67d2dd78518ab0582a54a472c +# Backported in version v5.4.160 67bd269a84ce29dfc543c1683a2553b4169f9a55 +# Backported in version v5.10.80 c10465f6d6208db2e45a6dac1db312b9589b2583 +# Backported in version v5.15.3 7e22e4db95b04f09adcce18c75d27cbca8f53b99 +CVE_CHECK_WHITELIST += "CVE-2021-3752" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3753 +# Patched in kernel since v5.15 2287a51ba822384834dafc1c798453375d1107c7 +# Backported in version v5.4.144 f4418015201bdca0cd4e28b363d88096206e4ad0 +# Backported in version v5.10.62 60d69cb4e60de0067e5d8aecacd86dfe92a5384a +CVE_CHECK_WHITELIST += "CVE-2021-3753" + +# 
https://nvd.nist.gov/vuln/detail/CVE-2021-3759 +# Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f +# Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92 +# Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196 +CVE_CHECK_WHITELIST += "CVE-2021-3759" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3764 +# Patched in kernel since v5.15 505d9dcb0f7ddf9d075e729523a33d38642ae680 +# Backported in version v5.4.151 24f3d2609114f1e1f6b487b511ce5fa36f21e0ae +# Backported in version v5.10.71 17ccc64e4fa5d3673528474bfeda814d95dc600a +CVE_CHECK_WHITELIST += "CVE-2021-3764" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-3923 +# Patched in kernel since v5.16 b35a0f4dd544eaa6162b6d2f13a2557a121ae5fd +# Backported in version v5.4.171 5eb5d9c6591d7e58f32088ef848503a4a947fc46 +# Backported in version v5.10.91 beeb0fdedae802a7fb606e955a81a56a2e3bbac1 +# Backported in version v5.15.14 e1e354771812b12f0b4c433bbaf916f87cd0f6c7 +CVE_CHECK_WHITELIST += "CVE-2021-3923" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-4002 +# Patched in kernel since v5.16 a4a118f2eead1d6c49e00765de89878288d4b890 +# Backported in version v5.4.162 201340ca4eb748c52062c5e938826ddfbe313088 +# Backported in version v5.10.82 40bc831ab5f630431010d1ff867390b07418a7ee +# Backported in version v5.15.5 556d59293a2a94863797a7a50890992aa5e8db16 +CVE_CHECK_WHITELIST += "CVE-2021-4002" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-4083 +# Patched in kernel since v5.16 054aa8d439b9185d4f5eb9a90282d1ce74772969 +# Backported in version v5.4.164 03d4462ba3bc8f830d9807e3c3fde54fad06e2e2 +# Backported in version v5.10.84 4baba6ba56eb91a735a027f783cc4b9276b48d5b +# Backported in version v5.15.7 6fe4eadd54da3040cf6f6579ae157ae1395dc0f8 +CVE_CHECK_WHITELIST += "CVE-2021-4083" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-4135 +# Patched in kernel since v5.16 481221775d53d6215a6e5e9ce1cce6d2b4ab9a46 +# Backported in version v5.4.168 699e794c12a3cd79045ff135bc87a53b97024e43 
+# Backported in version v5.10.88 1a34fb9e2bf3029f7c0882069d67ff69cbd645d8 +# Backported in version v5.15.11 27358aa81a7d60e6bd36f0bb1db65cd084c2cad0 +CVE_CHECK_WHITELIST += "CVE-2021-4135" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-4149 +# Patched in kernel since v5.15 19ea40dddf1833db868533958ca066f368862211 +# Backported in version v5.4.155 005a07c9acd6cf8a40555884f0650dfd4ec23fbe +# Backported in version v5.10.75 206868a5b6c14adc4098dd3210a2f7510d97a670 +CVE_CHECK_WHITELIST += "CVE-2021-4149" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-4155 +# Patched in kernel since v5.16 983d8e60f50806f90534cc5373d0ce867e5aaf79 +# Backported in version v5.4.171 102af6edfd3a372db6e229177762a91f552e5f5e +# Backported in version v5.10.91 16d8568378f9ee2d1e69216d39961aa72710209f +# Backported in version v5.15.14 b0e72ba9e520b95346e68800afff0db65e766ca8 +CVE_CHECK_WHITELIST += "CVE-2021-4155" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-4159 +# Patched in kernel since v5.7 294f2fc6da27620a506e6c050241655459ccd6bd +# Backported in version v5.4.210 7c1134c7da997523e2834dd516e2ddc51920699a +CVE_CHECK_WHITELIST += "CVE-2021-4159" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-4203 +# Patched in kernel since v5.15 35306eb23814444bd4021f8a1c3047d3cb0c8b2b +# Backported in version v5.4.151 0fcfaa8ed9d1dcbe377b202a1b3cdfd4e566114c +# Backported in version v5.10.71 3db53827a0e9130d9e2cbe3c3b5bca601caa4c74 +CVE_CHECK_WHITELIST += "CVE-2021-4203" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-20265 +# Patched in kernel since v4.5 fa0dc04df259ba2df3ce1920e9690c7842f8fa4b +CVE_CHECK_WHITELIST += "CVE-2021-20265" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-20292 +# Patched in kernel since v5.9 5de5b6ecf97a021f29403aa272cb4e03318ef586 +# Backported in version v5.4.59 c6d2ddf1a30d524106265ad2c48b907cd7a083d4 +CVE_CHECK_WHITELIST += "CVE-2021-20292" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-20321 +# Patched in kernel since v5.15 a295aef603e109a47af355477326bd41151765b6 +# 
Backported in version v5.4.153 fab338f33c25c4816ca0b2d83a04a0097c2c4aaf +# Backported in version v5.10.73 9763ffd4da217adfcbdcd519e9f434dfa3952fc3 +CVE_CHECK_WHITELIST += "CVE-2021-20321" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-23133 +# Patched in kernel since v5.13 34e5b01186858b36c4d7c87e1a025071e8e2401f +# Backported in version v5.4.119 3fe9ee040fb7332e2b4cc04c85561eced0a7f227 +# Backported in version v5.10.37 42f1b8653f85924743ea5b57b051a4e1f05b5e43 +CVE_CHECK_WHITELIST += "CVE-2021-23133" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-23134 +# Patched in kernel since v5.13 c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 +# Backported in version v5.4.119 e32352070bcac22be6ed8ab635debc280bb65b8c +# Backported in version v5.10.37 6b7021ed36dabf29e56842e3408781cd3b82ef6e +CVE_CHECK_WHITELIST += "CVE-2021-23134" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-27363 +# Patched in kernel since v5.12 688e8128b7a92df982709a4137ea4588d16f24aa +# Backported in version v5.4.103 ca3afdd0377379f5031f376aec4b0c1b0285b556 +# Backported in version v5.10.21 c71edc5d2480774ec2fec62bb84064aed6d582bd +CVE_CHECK_WHITELIST += "CVE-2021-27363" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-27364 +# Patched in kernel since v5.12 688e8128b7a92df982709a4137ea4588d16f24aa +# Backported in version v5.4.103 ca3afdd0377379f5031f376aec4b0c1b0285b556 +# Backported in version v5.10.21 c71edc5d2480774ec2fec62bb84064aed6d582bd +CVE_CHECK_WHITELIST += "CVE-2021-27364" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-28714 +# Patched in kernel since v5.16 6032046ec4b70176d247a71836186d47b25d1684 +# Backported in version v5.4.168 8bfcd0385211044627f93d170991da1ae5937245 +# Backported in version v5.10.88 525875c410df5d876b9615c44885ca7640aed6f2 +# Backported in version v5.15.11 88449dbe6203c3a91cf1c39ea3032ad61a297bd7 +CVE_CHECK_WHITELIST += "CVE-2021-28714" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-28715 +# Patched in kernel since v5.16 be81992f9086b230623ae3ebbc85ecee4d00a3d3 +# Backported in 
version v5.4.168 0d99b3c6bd39a0a023e972d8f912fd47698bbbb8 +# Backported in version v5.10.88 88f20cccbeec9a5e83621df5cc2453b5081454dc +# Backported in version v5.15.11 bd926d189210cd1d5b4e618e45898053be6b4b3b +CVE_CHECK_WHITELIST += "CVE-2021-28715" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-28950 +# Patched in kernel since v5.12 775c5033a0d164622d9d10dd0f0a5531639ed3ed +# Backported in version v5.4.107 187ae04636531065cdb4d0f15deac1fe0e812104 +# Backported in version v5.10.25 d955f13ea2120269319d6133d0dd82b66d1eeca3 +CVE_CHECK_WHITELIST += "CVE-2021-28950" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-28964 +# Patched in kernel since v5.12 dbcc7d57bffc0c8cac9dac11bec548597d59a6a5 +# Backported in version v5.4.108 5b3b99525c4f18e543f6ef17ef97c29f5694e8b4 +# Backported in version v5.10.26 38ffe9eaeb7cce383525439f0948f9eb74632e1d +CVE_CHECK_WHITELIST += "CVE-2021-28964" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-28971 +# Patched in kernel since v5.12 d88d05a9e0b6d9356e97129d4ff9942d765f46ea +# Backported in version v5.4.108 da326ba3b84aae8ac0513aa4725a49843f2f871e +# Backported in version v5.10.26 514ea597be8e4b6a787bc34da111c44944fbf5a5 +CVE_CHECK_WHITELIST += "CVE-2021-28971" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-28972 +# Patched in kernel since v5.12 cc7a0bb058b85ea03db87169c60c7cfdd5d34678 +# Backported in version v5.4.108 51a2b19b554c8c75ee2d253b87240309cd81f1fc +# Backported in version v5.10.26 be1f58e58f7644ab33f1413685c84173766408d3 +CVE_CHECK_WHITELIST += "CVE-2021-28972" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-29265 +# Patched in kernel since v5.12 9380afd6df70e24eacbdbde33afc6a3950965d22 +# Backported in version v5.4.106 8698133003cfb67e0f04dd044c954198e421b152 +# Backported in version v5.10.24 ab5c3186686aa87c741381d10a948817f1deb9b2 +CVE_CHECK_WHITELIST += "CVE-2021-29265" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-29647 +# Patched in kernel since v5.12 50535249f624d0072cd885bcdce4e4b6fb770160 +# Backported in version v5.4.109 
ae23957bd1fb3184a9935bd99c5ad2351a59d7c8 +# Backported in version v5.10.27 fce6fb90218935f7319265459484b3762c80d0a8 +CVE_CHECK_WHITELIST += "CVE-2021-29647" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-29650 +# Patched in kernel since v5.12 175e476b8cdf2a4de7432583b49c871345e4f8a1 +# Backported in version v5.4.109 19a5fb4ceada903e692de96b8aa8494179abbf0b +# Backported in version v5.10.27 3fdebc2d8e7965f946a3d716ffdd482e66c1f46c +CVE_CHECK_WHITELIST += "CVE-2021-29650" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-30002 +# Patched in kernel since v5.12 fb18802a338b36f675a388fc03d2aa504a0d0899 +# Backported in version v5.4.103 027ddd67f68583a178a9bd65220611e9f978f014 +# Backported in version v5.10.21 5400770e31e8b80efc25b4c1d619361255174d11 +CVE_CHECK_WHITELIST += "CVE-2021-30002" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-31916 +# Patched in kernel since v5.12 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a +# Backported in version v5.4.109 e6587d142d0214eb466f9978e25f0575c19b1ea0 +# Backported in version v5.10.27 921aae17bb0f02181fa05cf5580ebc855fdbd74d +CVE_CHECK_WHITELIST += "CVE-2021-31916" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-32399 +# Patched in kernel since v5.13 e2cb6b891ad2b8caa9131e3be70f45243df82a80 +# Backported in version v5.4.119 eeec325c9944b4427f482018d00b737220c31fd9 +# Backported in version v5.10.37 2d84ef4e6569a818f912d93d5345c21542807ac7 +CVE_CHECK_WHITELIST += "CVE-2021-32399" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-33656 +# Patched in kernel since v5.12 ff2047fb755d4415ec3c70ac799889371151796d +# Backported in version v5.4.202 c87e851b23e5cb2ba90a3049ef38340ed7d5746f +# Backported in version v5.10.127 3acb7dc242ca25eb258493b513ef2f4b0f2a9ad1 +CVE_CHECK_WHITELIST += "CVE-2021-33656" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-34693 +# Patched in kernel since v5.13 5e87ddbe3942e27e939bdc02deb8579b0cbd8ecc +# Backported in version v5.4.128 c297559a2a2a6b6f0de61ed333a978a118b0e660 +# Backported in version v5.10.46 
acb755be1f7adb204dcedc4d3b204ef098628623 +CVE_CHECK_WHITELIST += "CVE-2021-34693" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-35039 +# Patched in kernel since v5.13 0c18f29aae7ce3dadd26d8ee3505d07cc982df75 +# Backported in version v5.4.129 e2dc07ca4e0148d75963e14d2b78afc12426a487 +# Backported in version v5.10.47 3051f230f19feb02dfe5b36794f8c883b576e184 +CVE_CHECK_WHITELIST += "CVE-2021-35039" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-37159 +# Patched in kernel since v5.14 a6ecfb39ba9d7316057cea823b196b734f6b18ca +# Backported in version v5.4.151 fe57d53dd91d7823f1ceef5ea8e9458a4aeb47fa +# Backported in version v5.10.54 115e4f5b64ae8d9dd933167cafe2070aaac45849 +CVE_CHECK_WHITELIST += "CVE-2021-37159" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-38160 +# Patched in kernel since v5.14 d00d8da5869a2608e97cfede094dfc5e11462a46 +# Backported in version v5.4.134 52bd1bce8624acb861fa96b7c8fc2e75422dc8f7 +# Backported in version v5.10.52 f6ec306b93dc600a0ab3bb2693568ef1cc5f7f7a +CVE_CHECK_WHITELIST += "CVE-2021-38160" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-38198 +# Patched in kernel since v5.13 b1bd5cba3306691c771d558e94baa73e8b0b96b7 +# Backported in version v5.4.141 d28adaabbbf4a6949d0f6f71daca6744979174e2 +# Backported in version v5.10.44 6b6ff4d1f349cb35a7c7d2057819af1b14f80437 +CVE_CHECK_WHITELIST += "CVE-2021-38198" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-38199 +# Patched in kernel since v5.14 dd99e9f98fbf423ff6d365b37a98e8879170f17c +# Backported in version v5.4.134 81e03fe5bf8f5f66b8a62429fb4832b11ec6b272 +# Backported in version v5.10.52 ff4023d0194263a0827c954f623c314978cf7ddd +CVE_CHECK_WHITELIST += "CVE-2021-38199" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-38204 +# Patched in kernel since v5.14 b5fdf5c6e6bee35837e160c00ac89327bdad031b +# Backported in version v5.4.136 863d071dbcd54dacf47192a1365faec46b7a68ca +# Backported in version v5.10.54 7af54a4e221e5619a87714567e2258445dc35435 +CVE_CHECK_WHITELIST += "CVE-2021-38204" + +# 
https://nvd.nist.gov/vuln/detail/CVE-2021-38205 +# Patched in kernel since v5.14 d0d62baa7f505bd4c59cd169692ff07ec49dde37 +# Backported in version v5.4.141 38b8485b72cbe4521fd2e0b8770e3d78f9b89e60 +# Backported in version v5.10.59 25cff25ec60690247db8138cd1af8b867df2c489 +CVE_CHECK_WHITELIST += "CVE-2021-38205" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-38207 +# Patched in kernel since v5.13 c364df2489b8ef2f5e3159b1dff1ff1fdb16040d +# Backported in version v5.4.128 b6c0ab11c88fb016bfc85fa4f6f878f5f4263646 +# Backported in version v5.10.46 cfe403f209b11fad123a882100f0822a52a7630f +CVE_CHECK_WHITELIST += "CVE-2021-38207" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-38208 +# Patched in kernel since v5.13 4ac06a1e013cf5fdd963317ffd3b968560f33bba +# Backported in version v5.4.125 5d4c4b06ed9fb7a69d0b2e2a73fc73226d25ab70 +# Backported in version v5.10.43 48ee0db61c8299022ec88c79ad137f290196cac2 +CVE_CHECK_WHITELIST += "CVE-2021-38208" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-38209 +# Patched in kernel since v5.13 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 +# Backported in version v5.4.120 baea536cf51f8180ab993e374cb134b5edad25e2 +# Backported in version v5.10.35 d3598eb3915cc0c0d8cab42f4a6258ff44c4033e +CVE_CHECK_WHITELIST += "CVE-2021-38209" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-40490 +# Patched in kernel since v5.15 a54c4613dac1500b40e4ab55199f7c51f028e848 +# Backported in version v5.4.145 9b3849ba667af99ee99a7853a021a7786851b9fd +# Backported in version v5.10.63 09a379549620f122de3aa4e65df9329976e4cdf5 +CVE_CHECK_WHITELIST += "CVE-2021-40490" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-41864 +# Patched in kernel since v5.15 30e29a9a2bc6a4888335a6ede968b75cd329657a +# Backported in version v5.4.153 b14f28126c51533bb329379f65de5b0dd689b13a +# Backported in version v5.10.73 064faa8e8a9b50f5010c5aa5740e06d477677a89 +CVE_CHECK_WHITELIST += "CVE-2021-41864" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-42008 +# Patched in kernel since v5.14 
19d1532a187669ce86d5a2696eb7275310070793 +# Backported in version v5.4.143 a73b9aa142691c2ae313980a8734997a78f74b22 +# Backported in version v5.10.61 85e0518f181a0ff060f5543d2655fb841a83d653 +CVE_CHECK_WHITELIST += "CVE-2021-42008" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-42252 +# Patched in kernel since v5.15 b49a0e69a7b1a68c8d3f64097d06dabb770fec96 +# Backported in version v5.4.148 2712f29c44f18db826c7e093915a727b6f3a20e4 +# Backported in version v5.10.67 3fdf2feb6cbe76c6867224ed8527b356e805352c +CVE_CHECK_WHITELIST += "CVE-2021-42252" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-42739 +# Patched in kernel since v5.16 35d2969ea3c7d32aee78066b1f3cf61a0d935a4e +# Backported in version v5.4.158 2461f38384d50dd966e1db44fe165b1896f5df5a +# Backported in version v5.10.78 d7fc85f6104259541ec136199d3bf7c8a736613d +# Backported in version v5.15.1 cb667140875a3b1db92e4c50b4617a7cbf84659b +CVE_CHECK_WHITELIST += "CVE-2021-42739" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-43389 +# Patched in kernel since v5.15 1f3e2e97c003f80c4b087092b225c8787ff91e4d +# Backported in version v5.4.156 285e9210b1fab96a11c0be3ed5cea9dd48b6ac54 +# Backported in version v5.10.76 7f221ccbee4ec662e2292d490a43ce6c314c4594 +CVE_CHECK_WHITELIST += "CVE-2021-43389" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-43975 +# Patched in kernel since v5.16 b922f622592af76b57cbc566eaeccda0b31a3496 +# Backported in version v5.4.164 89d15a2e40d7edaaa16da2763b349dd7b056cc09 +# Backported in version v5.10.84 2c514d25003ac89bb7716bb4402918ccb141f8f5 +# Backported in version v5.15.7 cec49b6dfdb0b9fefd0f17c32014223f73ee2605 +CVE_CHECK_WHITELIST += "CVE-2021-43975" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-43976 +# Patched in kernel since v5.17 04d80663f67ccef893061b49ec8a42ff7045ae84 +# Backported in version v5.4.174 ae56c5524a750fd8cf32565cb3902ce5baaeb4e6 +# Backported in version v5.10.94 6036500fdf77caaca9333003f78d25a3d61c4e40 +# Backported in version v5.15.17 
b2762757f4e484f8a164546f93aca82568d87649 +CVE_CHECK_WHITELIST += "CVE-2021-43976" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-44733 +# Patched in kernel since v5.16 dfd0743f1d9ea76931510ed150334d571fbab49d +# Backported in version v5.4.170 940e68e57ab69248fabba5889e615305789db8a7 +# Backported in version v5.10.89 c05d8f66ec3470e5212c4d08c46d6cb5738d600d +# Backported in version v5.15.12 492eb7afe858d60408b2da09adc78540c4d16543 +CVE_CHECK_WHITELIST += "CVE-2021-44733" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-45095 +# Patched in kernel since v5.16 bcd0f93353326954817a4f9fa55ec57fb38acbb0 +# Backported in version v5.4.171 2a6a811a45fde5acb805ead4d1e942be3875b302 +# Backported in version v5.10.91 4f260ea5537db35d2eeec9bca78a74713078a544 +# Backported in version v5.15.14 9ca97a693aa8b86e8424f0047198ea3ab997d50f +CVE_CHECK_WHITELIST += "CVE-2021-45095" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-45480 +# Patched in kernel since v5.16 5f9562ebe710c307adc5f666bf1a2162ee7977c0 +# Backported in version v5.4.168 166f0adf7e7525c87595ceadb21a91e2a9519a1e +# Backported in version v5.10.88 74dc97dfb276542f12746d706abef63364d816bb +# Backported in version v5.15.11 68014890e4382ff9192e1357be39b7d0455665fa +CVE_CHECK_WHITELIST += "CVE-2021-45480" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-45485 +# Patched in kernel since v5.14 62f20e068ccc50d6ab66fdb72ba90da2b9418c99 +# Backported in version v5.4.133 ccde03a6a0fbdc3c0ba81930e629b8b14974cce4 +# Backported in version v5.10.51 8f939b79579715b195dc3ad36669707fce6853ee +CVE_CHECK_WHITELIST += "CVE-2021-45485" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-45486 +# Patched in kernel since v5.13 aa6dd211e4b1dde9d5dc25d699d35f789ae7eeba +# Backported in version v5.4.119 fee81285bd09ec2080ce2cbb5063aad0e58eb272 +# Backported in version v5.10.37 a273c27d7255fc527023edeb528386d1b64bedf5 +CVE_CHECK_WHITELIST += "CVE-2021-45486" + +# https://nvd.nist.gov/vuln/detail/CVE-2021-45868 +# Patched in kernel since v5.16 
9bf3d20331295b1ecb81f4ed9ef358c51699a050 +# Backported in version v5.4.160 10b808307d37d09b132fc086002bc1aa9910d315 +# Backported in version v5.10.80 ceeb0a8a8716a1c72af3fa4d4f98c3aced32b037 +# Backported in version v5.15.3 332db0909293f3f4d853ee2ea695272c75082d87 +CVE_CHECK_WHITELIST += "CVE-2021-45868" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-0322 +# Patched in kernel since v5.15 a2d859e3fc97e79d907761550dbc03ff1b36479c +# Backported in version v5.4.155 d88774539539dcbf825a25e61234f110513f5963 +# Backported in version v5.10.75 d84a69ac410f6228873d05d35120f6bdddab7fc3 +CVE_CHECK_WHITELIST += "CVE-2022-0322" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-0330 +# Patched in kernel since v5.17 7938d61591d33394a21bdd7797a245b65428f44c +# Backported in version v5.4.175 1b5553c79d52f17e735cd924ff2178a2409e6d0b +# Backported in version v5.10.95 6a6acf927895c38bdd9f3cd76b8dbfc25ac03e88 +# Backported in version v5.15.18 8a17a077e7e9ecce25c95dbdb27843d2d6c2f0f7 +CVE_CHECK_WHITELIST += "CVE-2022-0330" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-0487 +# Patched in kernel since v5.17 bd2db32e7c3e35bd4d9b8bbff689434a50893546 +# Backported in version v5.4.179 3a0a7ec5574b510b067cfc734b8bdb6564b31d4e +# Backported in version v5.10.100 be93028d306dac9f5b59ebebd9ec7abcfc69c156 +# Backported in version v5.15.23 af0e6c49438b1596e4be8a267d218a0c88a42323 +CVE_CHECK_WHITELIST += "CVE-2022-0487" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-0492 +# Patched in kernel since v5.17 24f6008564183aa120d07c03d9289519c2fe02af +# Backported in version v5.4.177 0e8283cbe4996ae046cd680b3ed598a8f2b0d5d8 +# Backported in version v5.10.97 1fc3444cda9a78c65b769e3fa93455e09ff7a0d3 +# Backported in version v5.15.20 4b1c32bfaa02255a5df602b41587174004996477 +CVE_CHECK_WHITELIST += "CVE-2022-0492" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-0494 +# Patched in kernel since v5.17 cc8f7fe1f5eab010191aa4570f27641876fa1267 +# Backported in version v5.4.193 c7337efd1d11acb6f84c68ffee57d3f312e87b24 +# 
Backported in version v5.10.115 a439819f4797f0846c7cffa9475f44aef23c541f +# Backported in version v5.15.27 a1ba98731518b811ff90009505c1aebf6e400bc2 +CVE_CHECK_WHITELIST += "CVE-2022-0494" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-0812 +# Patched in kernel since v5.8 912288442cb2f431bf3c8cb097a5de83bc6dbac1 +# Backported in version v5.4.53 c8a4452da9f4b09c28d904f70247b097d4c14932 +CVE_CHECK_WHITELIST += "CVE-2022-0812" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-0850 +# Patched in kernel since v5.14 ce3aba43599f0b50adbebff133df8d08a3d5fffe +# Backported in version v5.4.132 ed628b2531196cc76d7c9b730abe4020cad26b0b +# Backported in version v5.10.50 ea5466f1a77720217a25a859b5a58b618aaba544 +CVE_CHECK_WHITELIST += "CVE-2022-0850" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-0854 +# Patched in kernel since v5.18 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544 +# Backported in version v5.4.196 b2f140a9f980806f572d672e1780acea66b9a25c +# Backported in version v5.10.118 f3f2247ac31cb71d1f05f56536df5946c6652f4a +# Backported in version v5.15.33 7007c894631cf43041dcfa0da7142bbaa7eb673c +CVE_CHECK_WHITELIST += "CVE-2022-0854" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-1011 +# Patched in kernel since v5.17 0c4bcfdecb1ac0967619ee7ff44871d93c08c909 +# Backported in version v5.4.185 a9174077febfb1608ec3361622bf5f91e2668d7f +# Backported in version v5.10.106 ab5595b45f732212b3b1974041b43a257153edb7 +# Backported in version v5.15.29 ca62747b38f59d4e75967ebf63c992de8852ca1b +CVE_CHECK_WHITELIST += "CVE-2022-1011" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-1016 +# Patched in kernel since v5.18 4c905f6740a365464e91467aa50916555b28213d +# Backported in version v5.4.188 06f0ff82c70241a766a811ae1acf07d6e2734dcb +# Backported in version v5.10.109 2c74374c2e88c7b7992bf808d9f9391f7452f9d9 +# Backported in version v5.15.32 fafb904156fbb8f1dd34970cd5223e00b47c33be +CVE_CHECK_WHITELIST += "CVE-2022-1016" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-1055 +# Patched in kernel since 
v5.17 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5 +# Backported in version v5.4.177 b1d17e920dfcd4b56fa2edced5710c191f7e50b5 +# Backported in version v5.10.97 e7be56926397cf9d992be8913f74a76152f8f08d +# Backported in version v5.15.20 f36cacd6c933183c1a8827d5987cf2cfc0a44c76 +CVE_CHECK_WHITELIST += "CVE-2022-1055" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-1195 +# Patched in kernel since v5.16 b2f37aead1b82a770c48b5d583f35ec22aabb61e +# Backported in version v5.4.169 a5c6a13e9056d87805ba3042c208fbd4164ad22b +# Backported in version v5.10.89 7dd52af1eb5798f590d9d9e1c56ed8f5744ee0ca +# Backported in version v5.15.12 03d00f7f1815ec00dab5035851b3de83afd054a8 +CVE_CHECK_WHITELIST += "CVE-2022-1195" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-1198 +# Patched in kernel since v5.17 efe4186e6a1b54bf38b9e05450d43b0da1fd7739 +# Backported in version v5.4.189 28c8fd84bea13cbf238d7b19d392de2fcc31331c +# Backported in version v5.10.110 f67a1400788f550d201c71aeaf56706afe57f0da +# Backported in version v5.15.33 3eb18f8a1d02a9462a0e4903efc674ca3d0406d1 +CVE_CHECK_WHITELIST += "CVE-2022-1198" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-1199 +# Patched in kernel since v5.17 71171ac8eb34ce7fe6b3267dce27c313ab3cb3ac +# Backported in version v5.4.185 0a64aea5fe023cf1e4973676b11f49038b1f045b +# Backported in version v5.10.106 e2201ef32f933944ee02e59205adb566bafcdf91 +# Backported in version v5.15.29 46ad629e58ce3a88c924ff3c5a7e9129b0df5659 +CVE_CHECK_WHITELIST += "CVE-2022-1199" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-1353 +# Patched in kernel since v5.17 9a564bccb78a76740ea9d75a259942df8143d02c +# Backported in version v5.4.189 ef388db2fe351230ff7194b37d507784bef659ec +# Backported in version v5.10.110 8d3f4ad43054619379ccc697cfcbdb2c266800d8 +# Backported in version v5.15.33 d06ee4572fd916fbb34d16dc81eb37d1dff83446 +CVE_CHECK_WHITELIST += "CVE-2022-1353" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-1419 +# Patched in kernel since v5.6 
4b848f20eda5974020f043ca14bacf7a7e634fc8 +# Backported in version v5.4.21 3ea7f138cec139be98f8bb9fc1a6b432003f834e +CVE_CHECK_WHITELIST += "CVE-2022-1419" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-1462 +# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23 +# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132 +# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c +# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29 +CVE_CHECK_WHITELIST += "CVE-2022-1462" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-1734 +# Patched in kernel since v5.18 d270453a0d9ec10bb8a802a142fb1b3601a83098 +# Backported in version v5.4.193 33d3e76fc7a7037f402246c824d750542e2eb37f +# Backported in version v5.10.115 1961c5a688edb53fe3bc25cbda57f47adf12563c +# Backported in version v5.15.39 b8f2b836e7d0a553b886654e8b3925a85862d2eb +CVE_CHECK_WHITELIST += "CVE-2022-1734" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-2196 +# Patched in kernel since v6.2 2e7eab81425ad6c875f2ed47c0ce01e78afc38a5 +# Backported in version v5.4.233 f93a1a5bdcdd122aae0a3eab7a52c15b71fb725b +# Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349 +# Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35 +# Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15 +CVE_CHECK_WHITELIST += "CVE-2022-2196" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-2318 +# Patched in kernel since v5.19 9cc02ede696272c5271a401e4f27c262359bc2f6 +# Backported in version v5.4.204 bb91556d2af066f8ca2e7fd8e334d652e731ee29 +# Backported in version v5.10.129 8f74cb27c2b4872fd14bf046201fa7b36a46885e +# Backported in version v5.15.53 659d39545260100628d8a30020d09fb6bf63b915 +CVE_CHECK_WHITELIST += "CVE-2022-2318" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-2380 +# Patched in kernel since v5.18 bd771cf5c4254511cc4abb88f3dab3bd58bdf8e8 +# Backported in version v5.4.189 478154be3a8c21ff106310bb1037b1fc9d81dc62 +# 
Backported in version v5.10.110 72af8810922eb143ed4f116db246789ead2d8543 +# Backported in version v5.15.33 46cdbff26c88fd75dccbf28df1d07cbe18007eac +CVE_CHECK_WHITELIST += "CVE-2022-2380" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-2503 +# Patched in kernel since v5.19 4caae58406f8ceb741603eee460d79bacca9b1b5 +# Backported in version v5.4.197 fd2f7e9984850a0162bfb6948b98ffac9fb5fa58 +# Backported in version v5.10.120 8df42bcd364cc3b41105215d841792aea787b133 +# Backported in version v5.15.45 69712b170237ec5979f168149cd31e851a465853 +CVE_CHECK_WHITELIST += "CVE-2022-2503" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-2663 +# Patched in kernel since v6.0 e8d5dfd1d8747b56077d02664a8838c71ced948e +# Backported in version v5.4.215 d0a24bc8e2aa703030d80affa3e5237fe3ad4dd2 +# Backported in version v5.10.146 9a5d7e0acb41bb2aac552f8eeb4b404177f3f66d +# Backported in version v5.15.71 dc33ffbc361e2579a8f31b8724ef85d4117440e4 +# Backported in version v5.19.12 510ea9eae5ee45f4e443023556532bda99387351 +CVE_CHECK_WHITELIST += "CVE-2022-2663" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-2873 +# Patched in kernel since v6.2 39244cc754829bf707dccd12e2ce37510f5b1f8d +# Backported in version v5.4.229 cdcbae2c5003747ddfd14e29db9c1d5d7e7c44dd +# Backported in version v5.10.163 9ac541a0898e8ec187a3fa7024b9701cffae6bf2 +# Backported in version v5.15.86 96c12fd0ec74641295e1c3c34dea3dce1b6c3422 +# Backported in version v6.1.2 233348a04becf133283f0076e20b317302de21d9 +CVE_CHECK_WHITELIST += "CVE-2022-2873" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3028 +# Patched in kernel since v6.0 ba953a9d89a00c078b85f4b190bc1dde66fe16b5 +# Backported in version v5.4.212 8ee27a4f0f1ad36d430221842767880df6494147 +# Backported in version v5.10.140 c5c4d4c9806dadac7bc82f9c29ef4e1b78894775 +# Backported in version v5.15.64 103bd319c0fc90f1cb013c3a508615e6df8af823 +# Backported in version v5.19.6 6901885656c029c976498290b52f67f2c251e6a0 +CVE_CHECK_WHITELIST += "CVE-2022-3028" + +# 
https://nvd.nist.gov/vuln/detail/CVE-2022-3105 +# Patched in kernel since v5.16 7694a7de22c53a312ea98960fcafc6ec62046531 +# Backported in version v5.4.171 7646a340b25bb68cfb6d2e087a608802346d0f7b +# Backported in version v5.10.91 16e5cad6eca1e506c38c39dc256298643fa1852a +# Backported in version v5.15.14 0ea8bb0811ba0ec22903cbb48ff2cd872382e8d4 +CVE_CHECK_WHITELIST += "CVE-2022-3105" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3107 +# Patched in kernel since v5.17 886e44c9298a6b428ae046e2fa092ca52e822e6a +# Backported in version v5.4.187 b01e2df5fbf68719dfb8e766c1ca6089234144c2 +# Backported in version v5.10.108 9b763ceda6f8963cc99df5772540c54ba46ba37c +# Backported in version v5.15.31 ab0ab176183191cffc69fe9dd8ac6c8db23f60d3 +CVE_CHECK_WHITELIST += "CVE-2022-3107" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3111 +# Patched in kernel since v5.18 6dee930f6f6776d1e5a7edf542c6863b47d9f078 +# Backported in version v5.4.189 90bec38f6a4c81814775c7f3dfc9acf281d5dcfa +# Backported in version v5.10.110 48d23ef90116c8c702bfa4cad93744e4e5588d7d +# Backported in version v5.15.33 4124966fbd95eeecca26d52433f393e2b9649a33 +CVE_CHECK_WHITELIST += "CVE-2022-3111" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3115 +# Patched in kernel since v5.19 73c3ed7495c67b8fbdc31cf58e6ca8757df31a33 +# Backported in version v5.4.198 fa0d7ba25a53ac2e4bb24ef31aec49ff3578b44f +# Backported in version v5.10.121 b4c7dd0037e6aeecad9b947b30f0d9eaeda11762 +# Backported in version v5.15.46 4cb37f715f601cee5b026c6f9091a466266b5ba5 +CVE_CHECK_WHITELIST += "CVE-2022-3115" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3202 +# Patched in kernel since v5.18 a53046291020ec41e09181396c1e829287b48d47 +# Backported in version v5.4.189 e19c3149a80e4fc8df298d6546640e01601f3758 +# Backported in version v5.10.111 b9c5ac0a15f24d63b20f899072fa6dd8c93af136 +# Backported in version v5.15.34 d925b7e78b62805fcc5440d1521181c82b6f03cb +CVE_CHECK_WHITELIST += "CVE-2022-3202" + +# 
https://nvd.nist.gov/vuln/detail/CVE-2022-3303 +# Patched in kernel since v6.0 8423f0b6d513b259fdab9c9bf4aaa6188d054c2d +# Backported in version v5.4.215 4051324a6dafd7053c74c475e80b3ba10ae672b0 +# Backported in version v5.10.148 fce793a056c604b41a298317cf704dae255f1b36 +# Backported in version v5.15.68 8015ef9e8a0ee5cecfd0cb6805834d007ab26f86 +# Backported in version v5.19.9 723ac5ab2891b6c10dd6cc78ef5456af593490eb +CVE_CHECK_WHITELIST += "CVE-2022-3303" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3424 +# Patched in kernel since v6.2 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc +# Backported in version v5.4.229 0078dd8758561540ed30b2c5daa1cb647e758977 +# Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c +# Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106 +# Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e +CVE_CHECK_WHITELIST += "CVE-2022-3424" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3435 +# Patched in kernel since v6.1 61b91eb33a69c3be11b259c5ea484505cd79f883 +# Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32 +# Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e +# Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133 +CVE_CHECK_WHITELIST += "CVE-2022-3435" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3521 +# Patched in kernel since v6.1 ec7eede369fe5b0d085ac51fdbb95184f87bfc6c +# Backported in version v5.4.225 ad39d09190a545d0f05ae0a82900eee96c5facea +# Backported in version v5.10.156 7deb7a9d33e4941c5ff190108146d3a56bf69e9d +# Backported in version v5.15.80 27d706b0d394a907ff8c4f83ffef9d3e5817fa84 +CVE_CHECK_WHITELIST += "CVE-2022-3521" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3545 +# Patched in kernel since v6.0 02e1a114fdb71e59ee6770294166c30d437bf86a +# Backported in version v5.4.228 3c837460f920a63165961d2b88b425703f59affb +# Backported in version v5.10.160 eb6313c12955c58c3d3d40f086c22e44ca1c9a1b +# Backported in 
version v5.15.84 9d933af8fef33c32799b9f2d3ff6bf58a63d7f24 +CVE_CHECK_WHITELIST += "CVE-2022-3545" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3564 +# Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966 +# Backported in version v5.4.224 4cd094fd5d872862ca278e15b9b51b07e915ef3f +# Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569 +# Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde +CVE_CHECK_WHITELIST += "CVE-2022-3564" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3586 +# Patched in kernel since v6.0 9efd23297cca530bb35e1848665805d3fcdd7889 +# Backported in version v5.4.213 279c7668e354fa151d5fd2e8c42b5153a1de3135 +# Backported in version v5.10.143 2ee85ac1b29dbd2ebd2d8e5ac1dd5793235d516b +# Backported in version v5.15.68 1a889da60afc017050e1f517b3b976b462846668 +# Backported in version v5.19.9 8f796f36f5ba839c11eb4685150ebeed496c546f +CVE_CHECK_WHITELIST += "CVE-2022-3586" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3594 +# Patched in kernel since v6.1 93e2be344a7db169b7119de21ac1bf253b8c6907 +# Backported in version v5.4.220 61fd56b0a1a3e923aced4455071177778dd59e88 +# Backported in version v5.10.150 484400d433ca1903a87268c55f019e932297538a +# Backported in version v5.15.75 b3179865cf7e892b26eedab3d6c54b4747c774a2 +# Backported in version v5.19.17 2e896abccf99fef76691d8e1019bd44105a12e1f +CVE_CHECK_WHITELIST += "CVE-2022-3594" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3621 +# Patched in kernel since v6.1 21a87d88c2253350e115029f14fe2a10a7e6c856 +# Backported in version v5.4.218 792211333ad77fcea50a44bb7f695783159fc63c +# Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2 +# Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55 +# Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd +CVE_CHECK_WHITELIST += "CVE-2022-3621" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3623 +# Patched in kernel since v6.1 
fac35ba763ed07ba93154c95ffc0c4a55023707f +# Backported in version v5.4.228 176ba4c19d1bb153aa6baaa61d586e785b7d736c +# Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850 +# Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff +# Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54 +CVE_CHECK_WHITELIST += "CVE-2022-3623" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3629 +# Patched in kernel since v6.0 7e97cfed9929eaabc41829c395eb0d1350fccb9d +# Backported in version v5.4.211 f82f1e2042b397277cd39f16349950f5abade58d +# Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50 +# Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795 +# Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72 +CVE_CHECK_WHITELIST += "CVE-2022-3629" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3633 +# Patched in kernel since v6.0 8c21c54a53ab21842f5050fa090f26b03c0313d6 +# Backported in version v5.4.211 04e41b6bacf474f5431491f92e981096e8cc8e93 +# Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027 +# Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2 +# Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de +CVE_CHECK_WHITELIST += "CVE-2022-3633" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3635 +# Patched in kernel since v6.0 3f4093e2bf4673f218c0bf17d8362337c400e77b +# Backported in version v5.4.211 9a6cbaa50f263b12df18a051b37f3f42f9fb5253 +# Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e +# Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4 +# Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835 +CVE_CHECK_WHITELIST += "CVE-2022-3635" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3646 +# Patched in kernel since v6.1 d0d51a97063db4704a5ef6bc978dddab1636a306 +# Backported in version v5.4.218 b7e409d11db9ce9f8bc05fcdfa24d143f60cd393 +# Backported in 
version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee +# Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc +# Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570 +CVE_CHECK_WHITELIST += "CVE-2022-3646" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3649 +# Patched in kernel since v6.1 d325dc6eb763c10f591c239550b8c7e5466a5d09 +# Backported in version v5.4.220 d1c2d820a2cd73867b7d352e89e92fb3ac29e926 +# Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652 +# Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006 +# Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4 +CVE_CHECK_WHITELIST += "CVE-2022-3649" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-3707 +# Patched in kernel since v6.2 4a61648af68f5ba4884f0e3b494ee1cabc4b6620 +# Backported in version v5.4.233 787ef0db014085df8691e5aeb58ab0bb081e5ff0 +# Backported in version v5.10.170 3d743415c6fb092167df6c23e9c7e9f6df7db625 +# Backported in version v5.15.96 0d3d5099a50badadad6837edda00e42149b2f657 +# Backported in version v6.1.5 1022519da69d99d455c58ca181a6c499c562c70e +CVE_CHECK_WHITELIST += "CVE-2022-3707" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-4095 +# Patched in kernel since v6.0 e230a4455ac3e9b112f0367d1b8e255e141afae0 +# Backported in version v5.4.213 d0aac7146e96bf39e79c65087d21dfa02ef8db38 +# Backported in version v5.10.142 19e3f69d19801940abc2ac37c169882769ed9770 +# Backported in version v5.15.66 dc02aaf950015850e7589696521c7fca767cea77 +# Backported in version v5.19.8 b1727def850904e4b8ba384043775672841663a1 +CVE_CHECK_WHITELIST += "CVE-2022-4095" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-4139 +# Patched in kernel since v6.1 04aa64375f48a5d430b5550d9271f8428883e550 +# Backported in version v5.4.226 3659e33c1e4f8cfc62c6c15aca5d797010c277a4 +# Backported in version v5.10.157 86f0082fb9470904b15546726417f28077088fee +# Backported in version v5.15.81 ee2d04f23bbb16208045c3de545c6127aaa1ed0e 
+CVE_CHECK_WHITELIST += "CVE-2022-4139" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-4382 +# Patched in kernel since v6.2 d18dcfe9860e842f394e37ba01ca9440ab2178f4 +# Backported in version v5.4.230 9a39f4626b361ee7aa10fd990401c37ec3b466ae +# Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4 +# Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9 +# Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3 +CVE_CHECK_WHITELIST += "CVE-2022-4382" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-4662 +# Patched in kernel since v6.0 9c6d778800b921bde3bff3cff5003d1650f942d1 +# Backported in version v5.4.213 df1875084898b15cbc42f712e93d7f113ae6271b +# Backported in version v5.10.142 abe3cfb7a7c8e907b312c7dbd7bf4d142b745aa8 +# Backported in version v5.15.66 c548b99e1c37db6f7df86ecfe9a1f895d6c5966e +# Backported in version v5.19.8 d5eb850b3e8836197a38475840725260b9783e94 +CVE_CHECK_WHITELIST += "CVE-2022-4662" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-24448 +# Patched in kernel since v5.17 ac795161c93699d600db16c1a8cc23a65a1eceaf +# Backported in version v5.4.176 0dfacee40021dcc0a9aa991edd965addc04b9370 +# Backported in version v5.10.96 ce8c552b88ca25d775ecd0a0fbef4e0e03de9ed2 +# Backported in version v5.15.19 4c36ca387af4a9b5d775e46a6cb9dc2d151bf057 +CVE_CHECK_WHITELIST += "CVE-2022-24448" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-24959 +# Patched in kernel since v5.17 29eb31542787e1019208a2e1047bb7c76c069536 +# Backported in version v5.4.176 7afc09c8915b0735203ebcb8d766d7db37b794c0 +# Backported in version v5.10.96 729e54636b3ebefb77796702a5b1f1ed5586895e +# Backported in version v5.15.19 0690c3943ed0fa76654e600eca38cde6a13c87ac +CVE_CHECK_WHITELIST += "CVE-2022-24959" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-25258 +# Patched in kernel since v5.17 75e5b4849b81e19e9efe1654b30d7f3151c33c2c +# Backported in version v5.4.180 38fd68f55a7ef57fb9cc3102ac65d1ac474a1a18 +# Backported in version v5.10.101 
22ec1004728548598f4f5b4a079a7873409eacfd +# Backported in version v5.15.24 3e33e5c67cb9ebd2b791b9a9fb2b71daacebd8d4 +CVE_CHECK_WHITELIST += "CVE-2022-25258" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-25375 +# Patched in kernel since v5.17 38ea1eac7d88072bbffb630e2b3db83ca649b826 +# Backported in version v5.4.180 c9e952871ae47af784b4aef0a77db02e557074d6 +# Backported in version v5.10.101 fb4ff0f96de37c44236598e8b53fe43b1df36bf3 +# Backported in version v5.15.24 2da3b0ab54fb7f4d7c5a82757246d0ee33a47197 +CVE_CHECK_WHITELIST += "CVE-2022-25375" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-25636 +# Patched in kernel since v5.17 b1a5983f56e371046dcf164f90bfaf704d2b89f6 +# Backported in version v5.4.182 49c011a44edd14adb555dbcbaf757f52b1f2f748 +# Backported in version v5.10.103 68f19845f580a1d3ac1ef40e95b0250804e046bb +# Backported in version v5.15.26 6c5d780469d6c3590729940e2be8a3bd66ea4814 +CVE_CHECK_WHITELIST += "CVE-2022-25636" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-26365 +# Patched in kernel since v5.19 2f446ffe9d737e9a844b97887919c4fda18246e7 +# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506 +# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1 +# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9 +CVE_CHECK_WHITELIST += "CVE-2022-26365" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-26490 +# Patched in kernel since v5.17 4fbcc1a4cb20fe26ad0225679c536c80f1648221 +# Backported in version v5.4.188 0aef7184630b599493a0dcad4eec6d42b3e68e91 +# Backported in version v5.10.109 25c23fe40e6e1ef8e6d503c52b4f518b2e520ab7 +# Backported in version v5.15.32 a34c47b1ab07153a047476de83581dc822287f39 +CVE_CHECK_WHITELIST += "CVE-2022-26490" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-26966 +# Patched in kernel since v5.17 e9da0b56fe27206b49f39805f7dcda8a89379062 +# Backported in version v5.4.182 b95d71abeb7d31d4d51cd836d80f99fd783fd6d5 +# Backported in version v5.10.103 
4f5f5411f0c14ac0b61d5e6a77d996dd3d5b5fd3 +# Backported in version v5.15.26 9f2d614779906f3d8ad4fb882c5b3e5ad6150bbe +CVE_CHECK_WHITELIST += "CVE-2022-26966" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-27223 +# Patched in kernel since v5.17 7f14c7227f342d9932f9b918893c8814f86d2a0d +# Backported in version v5.4.182 6b23eda989236fd75b4a9893cc816cd690c29dfc +# Backported in version v5.10.103 bfa8ffbaaaaf9752f66bc7cabcef2de715e7621f +# Backported in version v5.15.26 2c775ad1fd5e014b35e483da2aab8400933fb09d +CVE_CHECK_WHITELIST += "CVE-2022-27223" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-27666 +# Patched in kernel since v5.17 ebe48d368e97d007bfeb76fcb065d6cfc4c96645 +# Backported in version v5.4.188 fee4dfbda68ba10f3bbcf51c861d6aa32f08f9e4 +# Backported in version v5.10.108 9248694dac20eda06e22d8503364dc9d03df4e2f +# Backported in version v5.15.29 4aaabbffc3b0658ce80eebdde9bafa20a3f932e0 +CVE_CHECK_WHITELIST += "CVE-2022-27666" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-28356 +# Patched in kernel since v5.18 764f4eb6846f5475f1244767d24d25dd86528a4a +# Backported in version v5.4.188 572f9a0d3f3feb8bd3422e88ad71882bc034b3ff +# Backported in version v5.10.109 571df3393f523b59cba87e2f3e80a3a624030f9c +# Backported in version v5.15.32 e9072996108387ab19b497f5b557c93f98d96b0b +CVE_CHECK_WHITELIST += "CVE-2022-28356" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-28388 +# Patched in kernel since v5.18 3d3925ff6433f98992685a9679613a2cc97f3ce2 +# Backported in version v5.4.191 660784e7194ac2953aebe874c1f75f2441ba3d19 +# Backported in version v5.10.110 5318cdf4fd834856ce71238b064f35386f9ef528 +# Backported in version v5.15.33 f2ce5238904f539648aaf56c5ee49e5eaf44d8fc +CVE_CHECK_WHITELIST += "CVE-2022-28388" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-28389 +# Patched in kernel since v5.18 04c9b00ba83594a29813d6b1fb8fdc93a3915174 +# Backported in version v5.4.189 2dfe9422d528630e2ce0d454147230cce113f814 +# Backported in version v5.10.110 
0801a51d79389282c1271e623613b2e1886e071e +# Backported in version v5.15.33 37f07ad24866c6c1423b37b131c9a42414bcf8a1 +CVE_CHECK_WHITELIST += "CVE-2022-28389" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-28390 +# Patched in kernel since v5.18 c70222752228a62135cee3409dccefd494a24646 +# Backported in version v5.4.189 e27caad38b59b5b00b9c5228d04c13111229deec +# Backported in version v5.10.110 b417f9c50586588754b2b0453a1f99520cf7c0e8 +# Backported in version v5.15.33 459b19f42fd5e031e743dfa119f44aba0b62ff97 +CVE_CHECK_WHITELIST += "CVE-2022-28390" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-28893 +# Patched in kernel since v5.18 f00432063db1a0db484e85193eccc6845435b80e +# Backported in version v5.4.196 2f8f6c393b11b5da059b1fc10a69fc2f2b6c446a +# Backported in version v5.10.117 e68b60ae29de10c7bd7636e227164a8dbe305a82 +# Backported in version v5.15.41 54f6834b283d9b4d070b0639d9ef5e1d156fe7b0 +CVE_CHECK_WHITELIST += "CVE-2022-28893" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-32250 +# Patched in kernel since v5.19 520778042ccca019f3ffa136dd0ca565c486cedd +# Backported in version v5.4.198 f36736fbd48491a8d85cd22f4740d542c5a1546e +# Backported in version v5.10.120 ea62d169b6e731e0b54abda1d692406f6bc6a696 +# Backported in version v5.15.45 f692bcffd1f2ce5488d24fbcb8eab5f351abf79d +CVE_CHECK_WHITELIST += "CVE-2022-32250" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-32296 +# Patched in kernel since v5.18 4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5 +# Backported in version v5.4.201 c26e1addf15763ae404f4bbf131719a724e768ab +# Backported in version v5.10.125 9429b75bc271b6f29e50dbb0ee0751800ff87dd9 +# Backported in version v5.15.41 952a238d779eea4ecb2f8deb5004c8f56be79bc9 +CVE_CHECK_WHITELIST += "CVE-2022-32296" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-32981 +# Patched in kernel since v5.19 8e1278444446fc97778a5e5c99bca1ce0bbc5ec9 +# Backported in version v5.4.198 0c4bc0a2f8257f79a70fe02b9a698eb14695a64b +# Backported in version v5.10.122 
3be74fc0afbeadc2aff8dc69f3bf9716fbe66486 +# Backported in version v5.15.47 2a0165d278973e30f2282c15c52d91788749d2d4 +CVE_CHECK_WHITELIST += "CVE-2022-32981" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-33740 +# Patched in kernel since v5.19 307c8de2b02344805ebead3440d8feed28f2f010 +# Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14 +# Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404 +# Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961 +CVE_CHECK_WHITELIST += "CVE-2022-33740" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-33741 +# Patched in kernel since v5.19 4491001c2e0fa69efbb748c96ec96b100a5cdb7e +# Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd +# Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca +# Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49 +CVE_CHECK_WHITELIST += "CVE-2022-33741" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-33742 +# Patched in kernel since v5.19 2400617da7eebf9167d71a46122828bc479d64c9 +# Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997 +# Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6 +# Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3 +CVE_CHECK_WHITELIST += "CVE-2022-33742" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-33744 +# Patched in kernel since v5.19 b75cd218274e01d026dc5240e86fdeb44bbed0c8 +# Backported in version v5.4.204 5c03cad51b84fb26ccea7fd99130d8ec47949cfc +# Backported in version v5.10.129 43c8d33ce353091f15312cb6de3531517d7bba90 +# Backported in version v5.15.53 9f83c8f6ab14bbf4311b70bf1b7290d131059101 +CVE_CHECK_WHITELIST += "CVE-2022-33744" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-33981 +# Patched in kernel since v5.18 233087ca063686964a53c829d547c7571e3f67bf +# Backported in version v5.4.192 7dea5913000c6a2974a00d9af8e7ffb54e47eac1 +# Backported in version v5.10.114 
54c028cfc49624bfc27a571b94edecc79bbaaab4 +# Backported in version v5.15.37 e52da8e4632f9c8fe78bf1c5881ce6871c7e08f3 +CVE_CHECK_WHITELIST += "CVE-2022-33981" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-36123 +# Patched in kernel since v5.19 38fa5479b41376dc9d7f57e71c83514285a25ca0 +# Backported in version v5.4.207 a3c7c1a726a4c6b63b85e8c183f207543fd75e1b +# Backported in version v5.10.132 136d7987fcfdeca73ee3c6a29e48f99fdd0f4d87 +# Backported in version v5.15.56 26bb7afc027ce6ac8ab6747babec674d55689ff0 +CVE_CHECK_WHITELIST += "CVE-2022-36123" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-36280 +# Patched in kernel since v6.2 4cf949c7fafe21e085a4ee386bb2dade9067316e +# Backported in version v5.4.229 94b283341f9f3f0ed56a360533766377a01540e0 +# Backported in version v5.10.163 439cbbc1519547f9a7b483f0de33b556ebfec901 +# Backported in version v5.15.87 6948e570f54f2044dd4da444b10471373a047eeb +# Backported in version v6.1.4 622d527decaac0eb65512acada935a0fdc1d0202 +CVE_CHECK_WHITELIST += "CVE-2022-36280" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-36879 +# Patched in kernel since v5.19 f85daf0e725358be78dfd208dea5fd665d8cb901 +# Backported in version v5.4.208 f4248bdb7d5c1150a2a6f8c3d3b6da0b71f62a20 +# Backported in version v5.10.134 47b696dd654450cdec3103a833e5bf29c4b83bfa +# Backported in version v5.15.58 c8e32bca0676ac663266a3b16562cb017300adcd +CVE_CHECK_WHITELIST += "CVE-2022-36879" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-36946 +# Patched in kernel since v5.19 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 +# Backported in version v5.4.209 52be29e8b6455788a4d0f501bd87aa679ca3ba3c +# Backported in version v5.10.135 440dccd80f627e0e11ceb0429e4cdab61857d17e +# Backported in version v5.15.59 91c11008aab0282957b8b8ccb0707d90e74cc3b9 +CVE_CHECK_WHITELIST += "CVE-2022-36946" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-39188 +# Patched in kernel since v5.19 b67fbebd4cf980aecbcc750e1462128bffe8ae15 +# Backported in version v5.4.212 
c9c5501e815132530d741ec9fdd22657f91656bc +# Backported in version v5.10.141 895428ee124ad70b9763259308354877b725c31d +# Backported in version v5.15.65 3ffb97fce282df03723995f5eed6a559d008078e +CVE_CHECK_WHITELIST += "CVE-2022-39188" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-39842 +# Patched in kernel since v5.19 a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 +# Backported in version v5.4.215 1878eaf0edb8c9e58a6ca0cf31b7a647ca346be9 +# Backported in version v5.10.145 06e194e1130c98f82d46beb40cdbc88a0d4fd6de +# Backported in version v5.15.70 ab5140c6ddd7473509e12f468948de91138b124e +CVE_CHECK_WHITELIST += "CVE-2022-39842" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-40307 +# Patched in kernel since v6.0 9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95 +# Backported in version v5.4.213 8028ff4cdbb3f20d3c1c04be33a83bab0cb94997 +# Backported in version v5.10.143 918d9c4a4bdf5205f2fb3f64dddfb56c9a1d01d6 +# Backported in version v5.15.68 dd291e070be0eca8807476b022bda00c891d9066 +# Backported in version v5.19.9 d46815a8f26ca6db2336106a148265239f73b0af +CVE_CHECK_WHITELIST += "CVE-2022-40307" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-40768 +# Patched in kernel since v6.1 6022f210461fef67e6e676fd8544ca02d1bcfa7a +# Backported in version v5.4.218 20a5bde605979af270f94b9151f753ec2caf8b05 +# Backported in version v5.10.148 36b33c63515a93246487691046d18dd37a9f589b +# Backported in version v5.15.74 76efb4897bc38b2f16176bae27ae801037ebf49a +# Backported in version v5.19.16 6ae8aa5dcf0d7ada07964c8638e55d3af5896a86 +CVE_CHECK_WHITELIST += "CVE-2022-40768" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-41218 +# Patched in kernel since v6.2 fd3d91ab1c6ab0628fe642dd570b56302c30a792 +# Backported in version v5.4.229 a29d6213098816ed4574824b6adae94fb1c0457d +# Backported in version v5.10.163 3df07728abde249e2d3f47cf22f134cb4d4f5fb1 +# Backported in version v5.15.87 8b45a3b19a2e909e830d09a90a7e1ec8601927d9 +# Backported in version v6.1.4 530ca64b44625f7d39eb1d5efb6f9ff21da991e2 
+CVE_CHECK_WHITELIST += "CVE-2022-41218" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-41222 +# Patched in kernel since v5.14 97113eb39fa7972722ff490b947d8af023e1f6a2 +# Backported in version v5.4.211 79e522101cf40735f1936a10312e17f937b8dcad +# Backported in version v5.10.137 2613baa3ab2153cc45b175c58700d93f72ef36c4 +CVE_CHECK_WHITELIST += "CVE-2022-41222" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-41849 +# Patched in kernel since v6.1 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c +# Backported in version v5.4.220 3742e9fd552e6c4193ebc5eb3d2cd02d429cad9c +# Backported in version v5.10.150 e50472949604f385e09ce3fa4e74dce9f44fb19b +# Backported in version v5.15.75 2b0897e33682a332167b7d355eec28693b62119e +# Backported in version v5.19.17 02c871d44090c851b07770176f88c6f5564808a1 +CVE_CHECK_WHITELIST += "CVE-2022-41849" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-41850 +# Patched in kernel since v6.1 cacdb14b1c8d3804a3a7d31773bc7569837b71a4 +# Backported in version v5.4.220 e30c3a9a88818e5cf3df3fda6ab8388bef3bc6cd +# Backported in version v5.10.150 dbcca76435a606a352c794956e6df62eedd3a353 +# Backported in version v5.15.75 c61786dc727d1850336d12c85a032c9a36ae396d +# Backported in version v5.19.17 2d38886ae0365463cdba3db669170eef1e3d55c0 +CVE_CHECK_WHITELIST += "CVE-2022-41850" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-41858 +# Patched in kernel since v5.18 ec4eb8a86ade4d22633e1da2a7d85a846b7d1798 +# Backported in version v5.4.190 d05cd68ed8460cb158cc62c41ffe39fe0ca16169 +# Backported in version v5.10.112 ca24c5e8f0ac3d43ec0cff29e1c861be73aff165 +# Backported in version v5.15.35 efb020924a71391fc12e6f204eaf25694cc116a1 +CVE_CHECK_WHITELIST += "CVE-2022-41858" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-42328 +# Patched in kernel since v6.1 74e7e1efdad45580cc3839f2a155174cf158f9b5 +# Backported in version v5.4.227 50e1ab7e638f1009d953658af8f6b2d7813a7883 +# Backported in version v5.10.159 83632fc41449c480f2d0193683ec202caaa186c9 +# Backported in version 
v5.15.83 5d0fa6fc8899fe842329c0109f8ddd01144b1ed8 +CVE_CHECK_WHITELIST += "CVE-2022-42328" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-42329 +# Patched in kernel since v6.1 74e7e1efdad45580cc3839f2a155174cf158f9b5 +# Backported in version v5.4.227 50e1ab7e638f1009d953658af8f6b2d7813a7883 +# Backported in version v5.10.159 83632fc41449c480f2d0193683ec202caaa186c9 +# Backported in version v5.15.83 5d0fa6fc8899fe842329c0109f8ddd01144b1ed8 +CVE_CHECK_WHITELIST += "CVE-2022-42329" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-42703 +# Patched in kernel since v6.0 2555283eb40df89945557273121e9393ef9b542b +# Backported in version v5.4.212 2fe3eee48899a890310177d54537d5b8e255eb31 +# Backported in version v5.10.141 98f401d36396134c0c86e9e3bd00b6b6b028b521 +# Backported in version v5.15.65 c18a209b56e37b2a60414f714bd70b084ef25835 +# Backported in version v5.19.7 7877eaa1131147b4d6a063962f3aac0ab1b8ea1c +CVE_CHECK_WHITELIST += "CVE-2022-42703" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-42721 +# Patched in kernel since v6.1 bcca852027e5878aec911a347407ecc88d6fff7f +# Backported in version v5.4.218 77bb20ccb9dfc9ed4f9c93788c90d08cfd891cdc +# Backported in version v5.10.148 b0e5c5deb7880be5b8a459d584e13e1f9879d307 +# Backported in version v5.15.74 0a8ee682e4f992eccce226b012bba600bb2251e2 +# Backported in version v5.19.16 1d73c990e9bafc2754b1ced71345f73f5beb1781 +CVE_CHECK_WHITELIST += "CVE-2022-42721" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-42895 +# Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e +# Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89 +# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7 +# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422 +CVE_CHECK_WHITELIST += "CVE-2022-42895" + +# https://nvd.nist.gov/vuln/detail/CVE-2022-47929 +# Patched in kernel since v6.2 96398560f26aa07e8f2969d73c8197e6a6d10407 +# Backported in version v5.4.229 
9b83ec63d0de7b1f379daa1571e128bc7b9570f8 +# Backported in version v5.10.163 9f7bc28a6b8afc2274e25650511555e93f45470f +# Backported in version v5.15.88 04941c1d5bb59d64165e09813de2947bdf6f4f28 +# Backported in version v6.1.6 e8988e878af693ac13b0fa80ba2e72d22d68f2dd +CVE_CHECK_WHITELIST += "CVE-2022-47929" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-0394 +# Patched in kernel since v6.2 cb3e9864cdbe35ff6378966660edbcbac955fe17 +# Backported in version v5.4.229 3998dba0f78a59922b0ef333ccfeb58d9410cd3d +# Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5 +# Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf +# Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4 +CVE_CHECK_WHITELIST += "CVE-2023-0394" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-0458 +# Patched in kernel since v6.2 739790605705ddcf18f21782b9c99ad7d53a8c11 +# Backported in version v5.4.230 96b02125dd68d77e28a29488e6f370a5eac7fb1c +# Backported in version v5.10.165 9f8e45720e0e7edb661d0082422f662ed243d8d8 +# Backported in version v5.15.90 f01aefe374d32c4bb1e5fd1e9f931cf77fca621a +# Backported in version v6.1.8 91185568c99d60534bacf38439846103962d1e2c +CVE_CHECK_WHITELIST += "CVE-2023-0458" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-0461 +# Patched in kernel since v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c +# Backported in version v5.4.229 c6d29a5ffdbc362314853462a0e24e63330a654d +# Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0 +# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6 +# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c +CVE_CHECK_WHITELIST += "CVE-2023-0461" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1073 +# Patched in kernel since v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456 +# Backported in version v5.4.231 89e7fe3999e057c91f157b6ba663264f4cdfcb55 +# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58 +# Backported in version 
v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64 +# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d +CVE_CHECK_WHITELIST += "CVE-2023-1073" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1074 +# Patched in kernel since v6.2 458e279f861d3f61796894cd158b780765a1569f +# Backported in version v5.4.231 a7585028ac0a5836f39139c11594d79ede97d975 +# Backported in version v5.10.166 6ef652f35dcfaa1ab2b2cf6c1694718595148eee +# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32 +# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3 +CVE_CHECK_WHITELIST += "CVE-2023-1074" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1077 +# Patched in kernel since v6.3 7c4a5b89a0b5a57a64b601775b296abf77a9fe97 +# Backported in version v5.4.235 084cd75643b61fb924f70cba98a71dea14942938 +# Backported in version v5.10.173 80a1751730b302d8ab63a084b2fa52c820ad0273 +# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7 +# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3 +# Backported in version v6.2.3 1099004ae1664703ec573fc4c61ffb24144bcb63 +CVE_CHECK_WHITELIST += "CVE-2023-1077" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1078 +# Patched in kernel since v6.2 f753a68980cf4b59a80fe677619da2b1804f526d +# Backported in version v5.4.232 ba38eacade35dd2316d77b37494e6e0c01bab595 +# Backported in version v5.10.168 c53f34ec3fbf3e9f67574118a6bb35ae1146f7ca +# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba +# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3 +CVE_CHECK_WHITELIST += "CVE-2023-1078" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1079 +# Patched in kernel since v6.3 4ab3a086d10eeec1424f2e8a968827a6336203df +# Backported in version v5.4.235 dd08e68d04d08d2f42b09162c939a0b0841216cc +# Backported in version v5.10.173 21a2eec4a440060a6eb294dc890eaf553101ba09 +# Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138 +# Backported in 
version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e +# Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540 +CVE_CHECK_WHITELIST += "CVE-2023-1079" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1095 +# Patched in kernel since v6.0 580077855a40741cf511766129702d97ff02f4d9 +# Backported in version v5.4.211 a452bc3deb23bf93f8a13d3e24611b7ef39645dc +# Backported in version v5.10.137 80977126bc20309f7f7bae6d8621356b393e8b41 +# Backported in version v5.15.61 8a2df34b5bf652566f2889d9fa321f3b398547ef +# Backported in version v5.19.2 109539c9ba8497aad2948af4f09077f6a65059fe +CVE_CHECK_WHITELIST += "CVE-2023-1095" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1118 +# Patched in kernel since v6.3 29b0589a865b6f66d141d79b2dd1373e4e50fe17 +# Backported in version v5.4.235 d120334278b370b6a1623a75ebe53b0c76cb247c +# Backported in version v5.10.173 78da5a378bdacd5bf68c3a6389bdc1dd0c0f5b3c +# Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28 +# Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a +# Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555 +CVE_CHECK_WHITELIST += "CVE-2023-1118" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1382 +# Patched in kernel since v6.1 a7b42969d63f47320853a802efd879fbdc4e010e +# Backported in version v5.4.226 59f9aad22fd743572bdafa37d3e1dd5dc5658e26 +# Backported in version v5.10.157 4058e3b74ab3eabe0835cee9a0c6deda79e8a295 +# Backported in version v5.15.81 33fb115a76ae6683e34f76f7e07f6f0734b2525f +CVE_CHECK_WHITELIST += "CVE-2023-1382" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1390 +# Patched in kernel since v5.11 b77413446408fdd256599daf00d5be72b5f3e7c6 +# Backported in version v5.4.92 56e8947bcf814d195eb4954b4821868803d3dd67 +# Backported in version v5.10.10 60b8b4e6310b7dfc551ba68e8639eeaf70a0b2dd +CVE_CHECK_WHITELIST += "CVE-2023-1390" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1513 +# Patched in kernel since v6.2 
2c10b61421a28e95a46ab489fd56c0f442ff6952 +# Backported in version v5.4.232 9f95a161a7deef62d6d2f57b1a69f94e0546d8d8 +# Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107 +# Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8 +# Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb +CVE_CHECK_WHITELIST += "CVE-2023-1513" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1829 +# Patched in kernel since v6.3 8c710f75256bb3cf05ac7b1672c82b92c43f3d28 +# Backported in version v5.4.235 7a6fb69bbcb21e9ce13bdf18c008c268874f0480 +# Backported in version v5.10.173 18c3fa7a7fdbb4d21dafc8a7710ae2c1680930f6 +# Backported in version v5.15.100 7c183dc0af472dec33d2c0786a5e356baa8cad19 +# Backported in version v6.1.18 3abebc503a5148072052c229c6b04b329a420ecd +# Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd +CVE_CHECK_WHITELIST += "CVE-2023-1829" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1838 +# Patched in kernel since v5.18 fb4554c2232e44d595920f4d5c66cf8f7d13f9bc +# Backported in version v5.4.196 3a12b2c413b20c17832ec51cb836a0b713b916ac +# Backported in version v5.10.118 ec0d801d1a44d9259377142c6218885ecd685e41 +# Backported in version v5.15.42 42d8a6dc45fc6619b8def1a70b7bd0800bcc4574 +CVE_CHECK_WHITELIST += "CVE-2023-1838" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1998 +# Patched in kernel since v6.3 6921ed9049bc7457f66c1596c5b78aec0dae4a9d +# Backported in version v5.4.235 34c1b60e7a80404056c03936dd9c2438da2789d4 +# Backported in version v5.10.173 abfed855f05863d292de2d0ebab4656791bab9c8 +# Backported in version v5.15.99 e7f1ddebd9f5b12de40bc37db9243957678f1448 +# Backported in version v6.1.16 08d87c87d6461d16827c9b88d84c48c26b6c994a +# Backported in version v6.2.3 ead3c8e54d28fa1d5454b1f8a21b96b4a969b1cb +CVE_CHECK_WHITELIST += "CVE-2023-1998" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-2008 +# Patched in kernel since v5.19 05b252cccb2e5c3f56119d25de684b4f810ba40a +# Backported in 
version v5.4.202 c7bdaad9cbfe17c83e4f56c7bb7a2d87d944f0fb +# Backported in version v5.10.127 20119c1e0fff89542ff3272ace87e04cf6ee6bea +# Backported in version v5.15.51 5b45535865d62633e3816ee30eb8d3213038dc17 +CVE_CHECK_WHITELIST += "CVE-2023-2008" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-2162 +# Patched in kernel since v6.2 f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 +# Backported in version v5.4.232 d4d765f4761f9e3a2d62992f825aeee593bcb6b9 +# Backported in version v5.10.168 9758ffe1c07b86aefd7ca8e40d9a461293427ca0 +# Backported in version v5.15.93 0aaabdb900c7415caa2006ef580322f7eac5f6b6 +# Backported in version v6.1.11 61e43ebfd243bcbad11be26bd921723027b77441 +CVE_CHECK_WHITELIST += "CVE-2023-2162" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-2166 +# Patched in kernel since v6.1 0acc442309a0a1b01bcdaa135e56e6398a49439c +# Backported in version v5.4.227 3982652957e8d79ac32efcb725450580650a8644 +# Backported in version v5.10.159 c42221efb1159d6a3c89e96685ee38acdce86b6f +# Backported in version v5.15.83 c142cba37de29f740a3852f01f59876af8ae462a +CVE_CHECK_WHITELIST += "CVE-2023-2166" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-2177 +# Patched in kernel since v5.19 181d8d2066c000ba0a0e6940a7ad80f1a0e68e9d +# Backported in version v5.4.209 8d6dab81ee3d0309c09987ff76164a25486c43e0 +# Backported in version v5.10.135 6f3505588d66b27220f07d0cab18da380fae2e2d +# Backported in version v5.15.59 e796e1fe20ecaf6da419ef6a5841ba181bba7a0c +CVE_CHECK_WHITELIST += "CVE-2023-2177" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-23006 +# Patched in kernel since v5.16 6b8b42585886c59a008015083282aae434349094 +# Backported in version v5.4.170 db484d35a9482d21a7f36da4dfc7a68aa2e9e1d6 +# Backported in version v5.10.90 4cd1da02f0c39606e3378c9255f17d6f85d106c7 +# Backported in version v5.15.13 4595dffccfa5b9360162c72cc0f6a33477d871cf +CVE_CHECK_WHITELIST += "CVE-2023-23006" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-23454 +# Patched in kernel since v6.2 
caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12 +# Backported in version v5.4.229 6b17b84634f932f4787f04578f5d030874b9ff32 +# Backported in version v5.10.163 b2c917e510e5ddbc7896329c87d20036c8b82952 +# Backported in version v5.15.87 04dc4003e5df33fb38d3dd85568b763910c479d4 +# Backported in version v6.1.5 dc46e39b727fddc5aacc0272ef83ee872d51be16 +CVE_CHECK_WHITELIST += "CVE-2023-23454" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-23455 +# Patched in kernel since v6.2 a2965c7be0522eaa18808684b7b82b248515511b +# Backported in version v5.4.229 63e469cb54a87df53edcfd85bb5bcdd84327ae4a +# Backported in version v5.10.163 5f65f48516bfeebaab1ccc52c8fad698ddf21282 +# Backported in version v5.15.87 f02327a4877a06cbc8277e22d4834cb189565187 +# Backported in version v6.1.5 85655c63877aeafdc23226510ea268a9fa0af807 +CVE_CHECK_WHITELIST += "CVE-2023-23455" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-23559 +# Patched in kernel since v6.2 b870e73a56c4cccbec33224233eaf295839f228c +# Backported in version v5.4.231 9042a9a3f29c942387e6d6036551d90c9ae6ce4f +# Backported in version v5.10.166 802fd7623e9ed19ee809b503e93fccc1e3f37bd6 +# Backported in version v5.15.91 8cbf932c5c40b0c20597fa623c308d5bde0848b5 +# Backported in version v6.1.9 7794efa358bca8b8a2a80070c6e088a74945f018 +CVE_CHECK_WHITELIST += "CVE-2023-23559" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-25012 +# Patched in kernel since v6.3 76ca8da989c7d97a7f76c75d475fe95a584439d7 +# Backported in version v5.4.235 25e14bf0c894f9003247e3475372f33d9be1e424 +# Backported in version v5.10.173 fddde36316da8acb45a3cca2e5fda102f5215877 +# Backported in version v5.15.99 0fd9998052926ed24cfb30ab1a294cfeda4d0a8f +# Backported in version v6.1.16 f2bf592ebd5077661e00aa11e12e054c4c8f6dd0 +# Backported in version v6.2.3 90289e71514e9533a9c44d694e2b492be9ed2b77 +CVE_CHECK_WHITELIST += "CVE-2023-25012" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-26545 +# Patched in kernel since v6.2 fda6c89fe3d9aca073495a664e1d5aea28cd4377 +# Backported in 
version v5.4.232 df099e65564aa47478eb1cacf81ba69024fb5c69 +# Backported in version v5.10.169 7ff0fdba82298d1f456c685e24930da89703c0fb +# Backported in version v5.15.95 59a74da8da75bdfb464cbdb399e87ba4f7500e96 +# Backported in version v6.1.13 c376227845eef8f2e62e2c29c3cf2140d35dd8e8 +CVE_CHECK_WHITELIST += "CVE-2023-26545" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-28327 +# Patched in kernel since v6.1 b3abe42e94900bdd045c472f9c9be620ba5ce553 +# Backported in version v5.4.227 c66d78aee55dab72c92020ebfbebc464d4f5dd2a +# Backported in version v5.10.159 575a6266f63dbb3b8eb1da03671451f0d81b8034 +# Backported in version v5.15.83 5c014eb0ed6c8c57f483e94cc6e90f34ce426d91 +CVE_CHECK_WHITELIST += "CVE-2023-28327" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-28328 +# Patched in kernel since v6.2 0ed554fd769a19ea8464bb83e9ac201002ef74ad +# Backported in version v5.4.229 8b256d23361c51aa4b7fdb71176c1ca50966fb39 +# Backported in version v5.10.163 559891d430e3f3a178040c4371ed419edbfa7d65 +# Backported in version v5.15.86 210fcf64be4db82c0e190e74b5111e4eef661a7a +# Backported in version v6.1.2 6b60cf73a931af34b7a0a3f467a79d9fe0df2d70 +CVE_CHECK_WHITELIST += "CVE-2023-28328" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-28772 +# Patched in kernel since v5.14 d3b16034a24a112bb83aeb669ac5b9b01f744bb7 +# Backported in version v5.4.133 33ab9138a13e379cf1c4ccd76b97ae2ee8c5421b +# Backported in version v5.10.51 f9fb4986f4d81182f938d16beb4f983fe71212aa +CVE_CHECK_WHITELIST += "CVE-2023-28772" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb index e0967223b9..01eca24a00 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-rt_5.4.bb 
@@ -11,13 +11,13 @@ python () { raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it") } -SRCREV_machine ?= "f064f6017b7ce09ade0f365e1b7d776dc9e2e168" -SRCREV_meta ?= "c7e2e528893abbebd14447510d38ded1ef98dcd2" +SRCREV_machine ?= "c705bb899d37bbd61a87a2f850e4d6f04613a908" +SRCREV_meta ?= "c7d5b73674d53f51772862b951d8cc56683ef04f" SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine \ git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" -LINUX_VERSION ?= "5.4.237" +LINUX_VERSION ?= "5.4.243" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb index 6cdf00763b..c3d4ff4608 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto-tiny_5.4.bb @@ -6,7 +6,7 @@ KCONFIG_MODE = "--allnoconfig" require recipes-kernel/linux/linux-yocto.inc -LINUX_VERSION ?= "5.4.237" +LINUX_VERSION ?= "5.4.243" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" @@ -15,9 +15,9 @@ DEPENDS += "openssl-native util-linux-native" KMETA = "kernel-meta" KCONF_BSP_AUDIT_LEVEL = "2" -SRCREV_machine_qemuarm ?= "00c3a33c0f772ff1fa8902e8fe8856131c27a9b5" -SRCREV_machine ?= "0693cbc007cf6a7b335edb5f78542d77b048d5dd" -SRCREV_meta ?= "c7e2e528893abbebd14447510d38ded1ef98dcd2" +SRCREV_machine_qemuarm ?= "140d4ff6bab1e5959377d4974ade490c837ef9cc" +SRCREV_machine ?= "66990885cd865944a093b47ee7164ef2838f75a3" +SRCREV_meta ?= "c7d5b73674d53f51772862b951d8cc56683ef04f" PV = "${LINUX_VERSION}+git${SRCPV}" diff --git a/poky/meta/recipes-kernel/linux/linux-yocto.inc b/poky/meta/recipes-kernel/linux/linux-yocto.inc index 0a4d528aab..2978c2fb90 100644 
--- a/poky/meta/recipes-kernel/linux/linux-yocto.inc +++ b/poky/meta/recipes-kernel/linux/linux-yocto.inc @@ -56,3 +56,6 @@ do_install_append(){ # enable kernel-sample for oeqa/runtime/cases's ksample.py test KERNEL_FEATURES_append_qemuall=" features/kernel-sample/kernel-sample.scc" + +# CVE exclusion +include recipes-kernel/linux/cve-exclusion.inc diff --git a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb index e95a044099..c361f0c701 100644 --- a/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb +++ b/poky/meta/recipes-kernel/linux/linux-yocto_5.4.bb 
@@ -12,16 +12,16 @@ KBRANCH_qemux86 ?= "v5.4/standard/base" KBRANCH_qemux86-64 ?= "v5.4/standard/base" KBRANCH_qemumips64 ?= "v5.4/standard/mti-malta64" -SRCREV_machine_qemuarm ?= "981be716d817e38d2d67269aab3caaa095bd2bdd" -SRCREV_machine_qemuarm64 ?= "32083245f7eb993b85a33a8d30bd9f41128b6147" -SRCREV_machine_qemumips ?= "4d002b5ac3b434b21ae58ac15cd73be3ae5ef5a8" -SRCREV_machine_qemuppc ?= "82b4b51143a6beeb49efa548494bdb5c01f336b2" -SRCREV_machine_qemuriscv64 ?= "936721bc390034d774b28393bf61808de8899718" -SRCREV_machine_qemux86 ?= "936721bc390034d774b28393bf61808de8899718" -SRCREV_machine_qemux86-64 ?= "936721bc390034d774b28393bf61808de8899718" -SRCREV_machine_qemumips64 ?= "d662d749c441de5a09bfd8870cd10e41b1e27b6b" -SRCREV_machine ?= "936721bc390034d774b28393bf61808de8899718" -SRCREV_meta ?= "c7e2e528893abbebd14447510d38ded1ef98dcd2" +SRCREV_machine_qemuarm ?= "3c105623bdba36118195e9c188d728edcc00345a" +SRCREV_machine_qemuarm64 ?= "993c666984249097d093ee71eb3dffa0844fef6c" +SRCREV_machine_qemumips ?= "2469bc35f1c2ef5ab2e85b7b705b32e33c6350c7" +SRCREV_machine_qemuppc ?= "98229034b888ad319d7d030d279381a671c41dc0" +SRCREV_machine_qemuriscv64 ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1" +SRCREV_machine_qemux86 ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1" +SRCREV_machine_qemux86-64 ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1" +SRCREV_machine_qemumips64 ?= "fb1936fa93be6bfd1b18cd8568cfc5b279904fa5" +SRCREV_machine ?= "ba7e46214a9d60247170245cc09e2e1faf6622a1" +SRCREV_meta ?= "c7d5b73674d53f51772862b951d8cc56683ef04f" # remap qemuarm to qemuarma15 for the 5.4 kernel # KMACHINE_qemuarm ?= "qemuarma15" 
@@ -30,7 +30,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-5.4;destsuffix=${KMETA}" LIC_FILES_CHKSUM = "file://COPYING;md5=bbea815ee2795b2f4230826c0c6b8814" -LINUX_VERSION ?= "5.4.237" +LINUX_VERSION ?= "5.4.243" DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}" DEPENDS += "openssl-native util-linux-native" diff --git a/poky/meta/recipes-kernel/perf/perf.bb b/poky/meta/recipes-kernel/perf/perf.bb index 9c9bf1647f..91bf648caa 100644 --- a/poky/meta/recipes-kernel/perf/perf.bb +++ b/poky/meta/recipes-kernel/perf/perf.bb @@ -13,7 +13,7 @@ PR = "r9" PACKAGECONFIG ??= "scripting tui libunwind" PACKAGECONFIG[dwarf] = ",NO_DWARF=1" -PACKAGECONFIG[scripting] = ",NO_LIBPERL=1 NO_LIBPYTHON=1,perl python3" +PACKAGECONFIG[scripting] = ",NO_LIBPERL=1 NO_LIBPYTHON=1,perl python3 python3-setuptools-native" # gui support was added with kernel 3.6.35 # since 3.10 libnewt was replaced by slang # to cover a wide range of kernel we add both dependencies diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch new file mode 100644 index 0000000000..707073709a --- /dev/null +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2022-48434.patch 
@@ -0,0 +1,136 @@ +From d4b7b3c03ee2baf0166ce49dff17ec9beff684db Mon Sep 17 00:00:00 2001 +From: Anton Khirnov <anton@khirnov.net> +Date: Fri, 2 Sep 2022 22:21:27 +0200 +Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in + worker threads + +This state is not refcounted, so make sure it always has a well-defined +owner. + +Remove the block added in 091341f2ab5bd35ca1a2aae90503adc74f8d3523, as +this commit also solves that issue in a more general way. + +(cherry picked from commit cc867f2c09d2b69cee8a0eccd62aff002cbbfe11) +Signed-off-by: Anton Khirnov <anton@khirnov.net> +(cherry picked from commit 35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda) +Signed-off-by: Anton Khirnov <anton@khirnov.net> +(cherry picked from commit 3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba) +Signed-off-by: Anton Khirnov <anton@khirnov.net> + +CVE: CVE-2022-48434 +Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db] +Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com +Comment: Hunk#6 refreshed to backport changes and other to remove patch-fuzz warnings +--- + libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++--------- + 1 file changed, 35 insertions(+), 11 deletions(-) + +diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c +index 36ac0ac..bbc5ba6 100644 +--- a/libavcodec/pthread_frame.c ++++ b/libavcodec/pthread_frame.c +@@ -135,6 +135,12 @@ typedef struct FrameThreadContext { + * Set for the first N packets, where N is the number of threads. + * While it is set, ff_thread_en/decode_frame won't return any results. 
+ */ ++ ++ /* hwaccel state is temporarily stored here in order to transfer its ownership ++ * to the next decoding thread without the need for extra synchronization */ ++ const AVHWAccel *stash_hwaccel; ++ void *stash_hwaccel_context; ++ void *stash_hwaccel_priv; + } FrameThreadContext; + + #define THREAD_SAFE_CALLBACKS(avctx) \ +@@ -211,9 +217,17 @@ static attribute_align_arg void *frame_worker_thread(void *arg) + ff_thread_finish_setup(avctx); + + if (p->hwaccel_serializing) { ++ /* wipe hwaccel state to avoid stale pointers lying around; ++ * the state was transferred to FrameThreadContext in ++ * ff_thread_finish_setup(), so nothing is leaked */ ++ avctx->hwaccel = NULL; ++ avctx->hwaccel_context = NULL; ++ avctx->internal->hwaccel_priv_data = NULL; ++ + p->hwaccel_serializing = 0; + pthread_mutex_unlock(&p->parent->hwaccel_mutex); + } ++ av_assert0(!avctx->hwaccel); + + if (p->async_serializing) { + p->async_serializing = 0; +@@ -275,14 +289,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src, + dst->color_range = src->color_range; + dst->chroma_sample_location = src->chroma_sample_location; + +- dst->hwaccel = src->hwaccel; +- dst->hwaccel_context = src->hwaccel_context; +- + dst->channels = src->channels; + dst->sample_rate = src->sample_rate; + dst->sample_fmt = src->sample_fmt; + dst->channel_layout = src->channel_layout; +- dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data; + + if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx || + (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) { +@@ -415,6 +425,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx, + pthread_mutex_unlock(&p->mutex); + return err; + } ++ ++ /* transfer hwaccel state stashed from previous thread, if any */ ++ av_assert0(!p->avctx->hwaccel); ++ FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel); ++ FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context); ++ 
FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); + } + + av_packet_unref(&p->avpkt); +@@ -616,6 +632,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) { + async_lock(p->parent); + } + ++ /* save hwaccel state for passing to the next thread; ++ * this is done here so that this worker thread can wipe its own hwaccel ++ * state after decoding, without requiring synchronization */ ++ av_assert0(!p->parent->stash_hwaccel); ++ p->parent->stash_hwaccel = avctx->hwaccel; ++ p->parent->stash_hwaccel_context = avctx->hwaccel_context; ++ p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data; ++ + pthread_mutex_lock(&p->progress_mutex); + if(atomic_load(&p->state) == STATE_SETUP_FINISHED){ + av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n"); +@@ -657,13 +681,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) + + park_frame_worker_threads(fctx, thread_count); + +- if (fctx->prev_thread && fctx->prev_thread != fctx->threads) +- if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) { +- av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n"); +- fctx->prev_thread->avctx->internal->is_copy = fctx->threads->avctx->internal->is_copy; +- fctx->threads->avctx->internal->is_copy = 1; +- } +- + for (i = 0; i < thread_count; i++) { + PerThreadContext *p = &fctx->threads[i]; + +@@ -713,6 +730,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count) + pthread_mutex_destroy(&fctx->async_mutex); + pthread_cond_destroy(&fctx->async_cond); + ++ /* if we have stashed hwaccel state, move it to the user-facing context, ++ * so it will be freed in avcodec_close() */ ++ av_assert0(!avctx->hwaccel); ++ FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel); ++ FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context); ++ FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv); ++ + 
av_freep(&avctx->internal->thread_ctx); + + if (avctx->priv_data && avctx->codec && avctx->codec->priv_class) +-- +2.25.1 + diff --git a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb index 1e000dddfa..f12052548f 100644 --- a/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb +++ b/poky/meta/recipes-multimedia/ffmpeg/ffmpeg_4.2.2.bb @@ -32,6 +32,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2022-1475.patch \ file://CVE-2022-3109.patch \ file://CVE-2022-3341.patch \ + file://CVE-2022-48434.patch \ " SRC_URI[md5sum] = "348956fc2faa57a2f79bbb84ded9fbc3" SRC_URI[sha256sum] = "cb754255ab0ee2ea5f66f8850e1bd6ad5cac1cd855d0a2f4990fb8c668b0d29c" diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch new file mode 100644 index 0000000000..46c57afb73 --- /dev/null +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-27534-pre1.patch 
@@ -0,0 +1,51 @@ +From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001 +From: Eric Vigeant <evigeant@gmail.com> +Date: Wed, 2 Nov 2022 11:47:09 -0400 +Subject: [PATCH] cur_path: do not add '/' if homedir ends with one + +When using SFTP and a path relative to the user home, do not add a +trailing '/' to the user home dir if it already ends with one. + +Closes #9844 + +CVE: CVE-2023-27534 +Note: +- The upstream patch for CVE-2023-27534 does three things: +1) creates new path with dynbuf(dynamic buffer) +2) solves the tilde error which causes CVE-2023-27534 +3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf. +- dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions. +- This patch completes the 3rd task of the patch which was implemented without using dynbuf +Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b] + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + lib/curl_path.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/lib/curl_path.c b/lib/curl_path.c +index f429634..40b92ee 100644 +--- a/lib/curl_path.c ++++ b/lib/curl_path.c +@@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, + /* It is referenced to the home directory, so strip the + leading '/' */ + memcpy(real_path, homedir, homelen); +- real_path[homelen] = '/'; +- real_path[homelen + 1] = '\0'; ++ /* Only add a trailing '/' if homedir does not end with one */ ++ if(homelen == 0 || real_path[homelen - 1] != '/') { ++ real_path[homelen] = '/'; ++ homelen++; ++ real_path[homelen] = '\0'; ++ } + if(working_path_len > 3) { +- memcpy(real_path + homelen + 1, working_path + 3, ++ memcpy(real_path + homelen, working_path + 3, + 1 + 
working_path_len -3); + } + } +-- +2.24.4 + diff --git a/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch b/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch index aeeffd5fea..3ecd181290 100644 --- a/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch +++ b/poky/meta/recipes-support/curl/curl/CVE-2023-27534.patch @@ -3,121 +3,31 @@ From: Daniel Stenberg <daniel@haxx.se> Date: Thu, 9 Mar 2023 16:22:11 +0100 Subject: [PATCH] curl_path: create the new path with dynbuf +Closes #10729 + CVE: CVE-2023-27534 -Upstream-Status: Backport [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] +Note: This patch is needed to backport CVE-2023-27534 +Upstream-Status: Backport from [https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6] Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> --- - lib/curl_path.c | 71 ++++++++++++++++++++++++------------------------- - 1 file changed, 35 insertions(+), 36 deletions(-) + lib/curl_path.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/curl_path.c b/lib/curl_path.c -index f429634..e17db4b 100644 +index 40b92ee..598c5dd 100644 --- a/lib/curl_path.c 
+++ b/lib/curl_path.c -@@ -30,6 +30,8 @@ - #include "escape.h" - #include "memdebug.h" - -+#define MAX_SSHPATH_LEN 100000 /* arbitrary */ -+ - /* figure out the path to work with in this particular request */ - CURLcode Curl_getworkingpath(struct connectdata *conn, - char *homedir, /* when SFTP is used */ -@@ -37,60 +39,57 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, - real path to work with */ - { - struct Curl_easy *data = conn->data; -- char *real_path = NULL; - char *working_path; - size_t working_path_len; -+ struct dynbuf npath; - CURLcode result = - Curl_urldecode(data, data->state.up.path, 0, &working_path, - &working_path_len, FALSE); - if(result) - return result; - -+ /* new path to switch to in case we need to */ -+ Curl_dyn_init(&npath, MAX_SSHPATH_LEN); -+ - /* Check for /~/, indicating relative to the user's home directory */ -- if(conn->handler->protocol & CURLPROTO_SCP) { -- real_path = malloc(working_path_len + 1); -- if(real_path == NULL) { -+ if((data->conn->handler->protocol & CURLPROTO_SCP) && -+ (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) { -+ /* It is referenced to the home directory, so strip the leading '/~/' */ -+ if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) { - free(working_path); - return CURLE_OUT_OF_MEMORY; - } -- if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) -- /* It is referenced to the home directory, so strip the leading '/~/' */ -- memcpy(real_path, working_path + 3, working_path_len - 2); -- else -- memcpy(real_path, working_path, 1 + working_path_len); +@@ -60,7 +60,7 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, + memcpy(real_path, working_path, 1 + working_path_len); } -- else if(conn->handler->protocol & CURLPROTO_SFTP) { + else if(conn->handler->protocol & CURLPROTO_SFTP) { - if((working_path_len > 1) && (working_path[1] == '~')) { -- size_t homelen = strlen(homedir); -- real_path = malloc(homelen + working_path_len + 1); -- if(real_path == 
NULL) { -- free(working_path); -- return CURLE_OUT_OF_MEMORY; -- } -- /* It is referenced to the home directory, so strip the -- leading '/' */ -- memcpy(real_path, homedir, homelen); -- real_path[homelen] = '/'; -- real_path[homelen + 1] = '\0'; -- if(working_path_len > 3) { -- memcpy(real_path + homelen + 1, working_path + 3, -- 1 + working_path_len -3); -- } -+ else if((data->conn->handler->protocol & CURLPROTO_SFTP) && -+ (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { -+ size_t len; -+ const char *p; -+ int copyfrom = 3; -+ if(Curl_dyn_add(&npath, homedir)) { -+ free(working_path); -+ return CURLE_OUT_OF_MEMORY; - } -- else { -- real_path = malloc(working_path_len + 1); -- if(real_path == NULL) { -- free(working_path); -- return CURLE_OUT_OF_MEMORY; -- } -- memcpy(real_path, working_path, 1 + working_path_len); -+ /* Copy a separating '/' if homedir does not end with one */ -+ len = Curl_dyn_len(&npath); -+ p = Curl_dyn_ptr(&npath); -+ if(len && (p[len-1] != '/')) -+ copyfrom = 2; -+ -+ if(Curl_dyn_addn(&npath, -+ &working_path[copyfrom], working_path_len - copyfrom)) { -+ free(working_path); -+ return CURLE_OUT_OF_MEMORY; - } - } - -- free(working_path); -+ if(Curl_dyn_len(&npath)) { -+ free(working_path); - -- /* store the pointer for the caller to receive */ -- *path = real_path; -+ /* store the pointer for the caller to receive */ -+ *path = Curl_dyn_ptr(&npath); -+ } -+ else -+ *path = working_path; - - return CURLE_OK; - } ++ if((working_path_len > 2) && !memcmp(working_path, "/~/", 3)) { + size_t homelen = strlen(homedir); + real_path = malloc(homelen + working_path_len + 1); + if(real_path == NULL) { -- -2.25.1 +2.24.4 diff --git a/poky/meta/recipes-support/curl/curl_7.69.1.bb b/poky/meta/recipes-support/curl/curl_7.69.1.bb index 32d18ddb3a..13ec117099 100644 --- a/poky/meta/recipes-support/curl/curl_7.69.1.bb +++ b/poky/meta/recipes-support/curl/curl_7.69.1.bb 
@@ -43,6 +43,7 @@ SRC_URI = "https://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://CVE-2022-35260.patch \ file://CVE-2022-43552.patch \ file://CVE-2023-23916.patch \ + file://CVE-2023-27534-pre1.patch \ file://CVE-2023-27534.patch \ file://CVE-2023-27538.patch \ file://CVE-2023-27533.patch \ diff --git a/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb b/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb index 5b32b9af41..58925738cb 100644 --- a/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb +++ b/poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb @@ -29,6 +29,12 @@ HOMEPAGE = "https://libbsd.freedesktop.org/wiki/" # License: public-domain-Colin-Plumb LICENSE = "BSD-3-Clause & BSD-4-Clause & ISC & PD" LICENSE_${PN} = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-dbg = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-dev = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-doc = "BSD-3-Clause & BSD-4-Clause & ISC & PD" +LICENSE:${PN}-locale = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-src = "BSD-3-Clause & ISC & PD" +LICENSE:${PN}-staticdev = "BSD-3-Clause & ISC & PD" LIC_FILES_CHKSUM = "file://COPYING;md5=2120be0173469a06ed185b688e0e1ae0" SECTION = "libs" diff --git a/poky/scripts/lib/wic/plugins/source/bootimg-efi.py b/poky/scripts/lib/wic/plugins/source/bootimg-efi.py index 2cfdc10ecd..05e8471116 100644 --- a/poky/scripts/lib/wic/plugins/source/bootimg-efi.py +++ b/poky/scripts/lib/wic/plugins/source/bootimg-efi.py @@ -277,6 +277,13 @@ class BootimgEFIPlugin(SourcePlugin): logger.debug("Added %d extra blocks to %s to get to %d total blocks", extra_blocks, part.mountpoint, blocks) + # required for compatibility with certain devices expecting file system + # block count to be equal to partition block count + if blocks < part.fixed_size: + blocks = part.fixed_size + logger.debug("Overriding %s to %d total blocks for compatibility", + part.mountpoint, blocks) + # dosfs image, created by mkdosfs bootimg = "%s/boot.img" % cr_workdir |
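Review bot: every entry in poky/meta/recipes-kernel/linux/cve-exclusion.inc is an unconditional `CVE_CHECK_WHITELIST += "CVE-..."`, while the justification in the comments is version-specific (for example CVE-2023-1829 is only "Backported in version v5.4.235"). The recipes set `LINUX_VERSION ?= "5.4.243"` with a weak default, so a BSP layer that pins an older `LINUX_VERSION` or `SRCREV_machine` still gets these CVEs suppressed in cve-check output. Consider gating the exclusions on the kernel version, or at least stating the minimum 5.4.x version the file assumes at the top of the .inc, so a suppressed CVE always corresponds to a fix that is actually in the tree being built.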
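Review bot: in poky/meta/recipes-kernel/linux/linux-yocto.inc the new line `include recipes-kernel/linux/cve-exclusion.inc` uses `include`, which does not fail the parse when the file cannot be found. The sibling recipe in this same patch pulls its dependency in with `require recipes-kernel/linux/linux-yocto.inc`; using `require` here as well would make a missing or misplaced exclusion file a parse error instead of a silent change in the CVE report. If `include` is deliberate, so that layers shipping their own copy of linux-yocto.inc without the exclusion file keep parsing, the `# CVE exclusion` comment should say so.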
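Review bot: in the frame_worker_thread() hunk of CVE-2022-48434.patch, `av_assert0(!avctx->hwaccel);` sits after the closing brace of `if (p->hwaccel_serializing) { ... }`, so it also runs when the wipe inside that block was skipped. av_assert0() aborts the process unconditionally, so any path that reaches this point with a hwaccel set and `hwaccel_serializing` clear turns into a crash of the decoding application. Nothing in the visible hunks shows that this combination is impossible in the 4.2.2 tree the patch is applied to; since the header says "Hunk#6 refreshed to backport changes", please confirm this against the 4.2.2 version of ff_thread_finish_setup() and note the result in the patch header. Separately, `Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com` is missing the angle brackets around the address that the other Signed-off-by lines in this header use.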
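Review bot: in the Curl_getworkingpath() hunk of CVE-2023-27534-pre1.patch, the terminating `real_path[homelen] = '\0';` is now written only inside the new `if(homelen == 0 || real_path[homelen - 1] != '/')` block. `memcpy(real_path, homedir, homelen)` copies no terminator, and the following `memcpy(real_path + homelen, working_path + 3, ...)`, which would copy one, only runs when `working_path_len > 3`. When homedir already ends in '/' and the path is exactly "/~/", both are skipped and `real_path`, which comes from `malloc()` per the context lines in CVE-2023-27534.patch, is returned without a NUL terminator. The lines removed here always wrote one. Writing `real_path[homelen] = '\0';` unconditionally after the `if` block would restore that guarantee; the buffer size `homelen + working_path_len + 1` leaves room for it.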
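Review bot: in the reworked CVE-2023-27534.patch, the header still carries `Subject: [PATCH] curl_path: create the new path with dynbuf` and cites upstream commit 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6, but the body is now a one-line change to the SFTP condition that uses no dynbuf at all, and the diffstat went from 35 insertions to 1. The added `Note: This patch is needed to backport CVE-2023-27534` does not tell a later reader that this is a hand-reduced version of the upstream commit; the explanation lives only in the -pre1 patch. Please repeat here that only the "/~/" check is taken from upstream and why. The status line also changed from `Upstream-Status: Backport [url]` to `Upstream-Status: Backport from [url]`, which differs from the form used by the ffmpeg patch in this same commit; keeping the original form keeps the tag consistent for tooling that parses it.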
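Review bot: in poky/meta/recipes-support/libbsd/libbsd_0.10.0.bb the six added lines use the colon override form (`LICENSE:${PN}-dbg`, `LICENSE:${PN}-dev`, ...) directly below the existing `LICENSE_${PN} = "BSD-3-Clause & ISC & PD"`, and the rest of this patch uses the underscore form throughout (`do_install_append`, `KERNEL_FEATURES_append_qemuall`, `SRCREV_machine_qemuarm`). On a branch whose overrides are written with underscores, the colon-named variables are unlikely to be applied as per-package overrides, which would leave the -dbg, -dev, -doc, -locale, -src and -staticdev packages on the recipe-level LICENSE that includes BSD-4-Clause, the opposite of what the change intends. Suggest `LICENSE_${PN}-dbg` and so on, and checking the resulting package licence fields after a build.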
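Review bot: in the BootimgEFIPlugin hunk of poky/scripts/lib/wic/plugins/source/bootimg-efi.py, `if blocks < part.fixed_size:` compares two values whose units and defaults the hunk does not show. `blocks` is a block count handed to mkdosfs, and the new comment speaks of "partition block count", so `part.fixed_size` has to be in the same unit for the override to produce the intended image size; if it is held in a different unit it needs converting first. The comparison also assumes `part.fixed_size` is a number when --fixed-size was not given; if it can be None this line raises a TypeError for every partition without a fixed size. Please state the unit in the comment, guard the unset case explicitly, and consider what should happen when `blocks` is already larger than `part.fixed_size`, which this branch passes over silently.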