Diffstat (limited to 'meta-security')
75 files changed, 1148 insertions, 154 deletions
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml index 1e82a874ec..db6a5e5eab 100644 --- a/meta-security/.gitlab-ci.yml +++ b/meta-security/.gitlab-ci.yml @@ -77,7 +77,7 @@ qemux86-test: qemux86-64: extends: .base script: - - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm-image security-tpm2-image integrity-image-minimal" + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k core-image-minimal security-build-image security-tpm-image security-tpm2-image integrity-image-minimal" - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml @@ -116,11 +116,6 @@ qemuarm64-parsec: script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemumips64: - extends: .base - script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml - qemuriscv64: extends: .base script: diff --git a/meta-security/README.md b/meta-security/README.md index 3e092a9dfa..6c24c2efe4 100644 --- a/meta-security/README.md +++ b/meta-security/README.md @@ -76,7 +76,7 @@ When sending single patches, please using something like: These values can be set as defaults for this repository: -$ git config sendemail.to yocto@lists.yoctoproject.org +$ git config sendemail.to yocto-patches@lists.yoctoproject.org $ git config format.subjectPrefix meta-security][PATCH Now you can just do 'git send-email origin/master' to send all local patches. diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 471674cd8b..c57c8b9c77 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "security" BBFILE_PATTERN_security = "^${LAYERDIR}/" BBFILE_PRIORITY_security = "8" -LAYERSERIES_COMPAT_security = "nanbield scarthgap" +LAYERSERIES_COMPAT_security = "styhead" LAYERDEPENDS_security = "core openembedded-layer" 
diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb index f2ef335b13..7074f68152 100644 --- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb @@ -83,11 +83,11 @@ do_install () { install -m 0644 Bastille/AccountSecurity.pm ${D}${libdir}/Bastille install -m 0644 Bastille/Apache.pm ${D}${libdir}/Bastille install -m 0644 Bastille/API.pm ${D}${libdir}/Bastille - install -m 0644 ${WORKDIR}/AccountPermission.pm ${D}${libdir}/Bastille/API - install -m 0644 ${WORKDIR}/FileContent.pm ${D}${libdir}/Bastille/API - install -m 0644 ${WORKDIR}/HPSpecific.pm ${D}${libdir}/Bastille/API - install -m 0644 ${WORKDIR}/ServiceAdmin.pm ${D}${libdir}/Bastille/API - install -m 0644 ${WORKDIR}/Miscellaneous.pm ${D}${libdir}/Bastille/API + install -m 0644 ${UNPACKDIR}/AccountPermission.pm ${D}${libdir}/Bastille/API + install -m 0644 ${UNPACKDIR}/FileContent.pm ${D}${libdir}/Bastille/API + install -m 0644 ${UNPACKDIR}/HPSpecific.pm ${D}${libdir}/Bastille/API + install -m 0644 ${UNPACKDIR}/ServiceAdmin.pm ${D}${libdir}/Bastille/API + install -m 0644 ${UNPACKDIR}/Miscellaneous.pm ${D}${libdir}/Bastille/API install -m 0644 Bastille/BootSecurity.pm ${D}${libdir}/Bastille install -m 0644 Bastille/ConfigureMiscPAM.pm ${D}${libdir}/Bastille install -m 0644 Bastille/DisableUserTools.pm ${D}${libdir}/Bastille @@ -138,7 +138,7 @@ do_install () { install -m 0644 OSMap/OSX.bastille ${D}${datadir}/Bastille/OSMap install -m 0644 OSMap/OSX.system ${D}${datadir}/Bastille/OSMap - install -m 0644 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config + install -m 0644 ${UNPACKDIR}/config ${D}${sysconfdir}/Bastille/config for file in `cat Modules.txt` ; do install -m 0644 Questions/$file.txt ${D}${datadir}/Bastille/Questions 
diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb index ba0f974c33..46cdc8e3c9 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb @@ -7,7 +7,11 @@ SRC_URI[sha256sum] = "6425963d91054cfcc185807141c7314a9c5ad46325911bd24dcb489bd0 PYPI_PACKAGE = "Flask-Script" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" RDEPENDS:${PN} += "\ python3-flask \ diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb index 638c56fc27..3d7e8975c0 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb @@ -6,4 +6,8 @@ SRC_URI[sha256sum] = "8951a53662ae9cfd812685facdba693fc950ffc1c1fd1a8a2d3cf4c346 PYPI_PACKAGE = "json2html" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb index ff1b611bf5..9aaa7c990c 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb 
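Review bot: Both converted recipes here (flask-script, json2html) add `python3-setuptools-scm-native` to DEPENDS together with the move to python_setuptools_build_meta, and the same block appears again in pyinotify, segno, xmldiff, yamlpath, privacyidea and oauth2client, yet nothing in any of these hunks shows that the upstream packages derive their version from setuptools_scm. Where a package does not use it the line is extra native build work and one more component in the build's supply chain for no benefit. A one-line comment above the block such as `# setuptools_scm is pulled in by the upstream pyproject/setup.py` (or dropping the dependency where the build does not need it) would record the reason for the next maintainer.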
@@ -2,6 +2,19 @@ DESCRIPTION = "Python pyinotify: Linux filesystem events monitoring" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=ab173cade7965b411528464589a08382" +SRC_URI[md5sum] = "8e580fa1ff3971f94a6f81672b76c406" +SRC_URI[sha256sum] = "9c998a5d7606ca835065cdabc013ae6c66eb9ea76a00a1e3bc6e0cfe2b4f71f4" + +SRC_URI += " \ + file://0001-Make-asyncore-support-optional-for-Python-3.patch \ +" + +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" + RDEPENDS:${PN} += "\ python3-ctypes \ python3-fcntl \ @@ -11,12 +24,3 @@ RDEPENDS:${PN} += "\ python3-shell \ python3-threading \ " - -SRC_URI[md5sum] = "8e580fa1ff3971f94a6f81672b76c406" -SRC_URI[sha256sum] = "9c998a5d7606ca835065cdabc013ae6c66eb9ea76a00a1e3bc6e0cfe2b4f71f4" - -SRC_URI += " \ - file://0001-Make-asyncore-support-optional-for-Python-3.patch \ -" - -inherit pypi setuptools3 diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb index f8a6552ad4..e24f3222f7 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb @@ -4,6 +4,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8e8db3765a57bcb968140e0a353c1a35" SRC_URI[sha256sum] = "983424b296e62189d70fc73460cd946cf56dcbe82b9bda18c066fc1b24371cdc" -#PYPI_PACKAGE = "Flask-Script" +inherit pypi python_setuptools_build_meta -inherit pypi setuptools3 +DEPENDS += " \ + python3-setuptools-scm-native \ +" diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb index 517ed87f3a..811cf36756 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb 
+++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb @@ -6,4 +6,8 @@ SRC_URI[sha256sum] = "19b030b3fa37d1f0b5c5ad9ada9059884c3bf2c751c5dd8f1eb4ed49cf PYPI_PACKAGE = "xmldiff" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb index 5d88951658..8d5f33ec42 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb @@ -6,4 +6,8 @@ SRC_URI[sha256sum] = "81d5b8baba60c255b519ccd31a691f9bc064223ff196709d41119bde81 PYPI_PACKAGE = "yamlpath" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb index bf5f87d367..52d35f85c9 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb @@ -11,12 +11,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f" DEPENDS = "python3-native" -SRCREV = "e1d3006b0330e9777705a7baafe3989d442ed120" +SRCREV = "ac62658c10f492911f8a0037a0bcf97c8521cd78" SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \ file://initd \ file://run-ptest \ " +PV = "1.1.0+git" + UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)" inherit update-rc.d ptest setuptools3_legacy 
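Review bot: SRCREV is moved to a new commit on `branch=master` with `PV = "1.1.0+git"`, and nothing in the hunk records which upstream tag or fix that revision corresponds to. For a service that rewrites firewall rules, a comment above SRCREV such as `# upstream master after the 1.1.0 tag; needed for <reason placeholder>` (or pinning SRCREV to the 1.1.0 release commit if the release itself is sufficient) would make the next bump and CVE checks traceable. UPSTREAM_CHECK_GITTAGREGEX below still only matches numeric release tags, so upstream-check will keep reporting the tagged release rather than master.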
@@ -24,23 +26,13 @@ inherit systemd SYSTEMD_SERVICE:${PN} = "fail2ban.service" -S = "${WORKDIR}/git" - -do_compile () { - cd ${S} - - #remove symlink to python3 - # otherwise 2to3 is run against it - rm -f bin/fail2ban-python - - ./fail2ban-2to3 -} +S = "${UNPACKDIR}/git" do_install:append () { rm -f ${D}/${bindir}/fail2ban-python install -d ${D}/${sysconfdir}/fail2ban install -d ${D}/${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server + install -m 0755 ${UNPACKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${systemd_system_unitdir} @@ -66,7 +58,7 @@ INITSCRIPT_PARAMS = "defaults 25" INSANE_SKIP:${PN}:append = "already-stripped" -RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables python3-core python3-pyinotify" +RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} nftables python3-core python3-pyinotify" RDEPENDS:${PN} += "python3-sqlite3" RDEPENDS:${PN} += " python3-logging python3-fcntl python3-json" RDEPENDS:${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban" diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb index 8268345f7e..36e50e4841 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.9.1.bb @@ -8,7 +8,11 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55" PYPI_PACKAGE = "privacyIDEA" SRC_URI[sha256sum] = "7c70feb44980a3fd7501457777a1ec30e73541e54d3b31f2b9b5ab6cd73cff4f" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" do_install:append () { rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests 
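Review bot: RDEPENDS:${PN} swaps `iptables` for `nftables`, but nothing in this hunk changes fail2ban's configured ban action, and upstream's stock jail.conf defaults to the iptables-based actions. Unless a jail.local or action override setting `banaction = nftables` is installed elsewhere in the recipe (not visible here), fail2ban will start, match log lines, and then fail every ban because the iptables binary is no longer pulled into the image — detection keeps working while the response half silently stops. Either install a configuration carrying `banaction = nftables` and `banaction_allports = nftables[type=allports]`, or keep iptables as the runtime dependency. The removal of the 2to3 do_compile step above is consistent with the 1.1.0 line being Python 3 native; do_install:append continues past the hunk.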
diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb b/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb index 3a074614a5..62157e0859 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb @@ -6,6 +6,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=038e1390e94fe637991fa5569daa62bc" PYPI_PACKAGE = "oauth2client" SRC_URI[sha256sum] = "d486741e451287f69568a4d26d70d9acd73a2bbfa275746c535b4209891cccc6" -inherit pypi setuptools3 +inherit pypi python_setuptools_build_meta + +DEPENDS += " \ + python3-setuptools-scm-native \ +" RDEPENDS:${PN} = "python3-six python3-rsa python3-httplib2 python3-pyasn1 python3-pyasn1-modules" diff --git a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch new file mode 100644 index 0000000000..1e9fca5425 --- /dev/null +++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch 
@@ -0,0 +1,219 @@ +From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001 +From: Sumit Bose <sbose@redhat.com> +Date: Wed, 8 Nov 2023 14:50:24 +0100 +Subject: [PATCH] ad-gpo: use hash to store intermediate results + +Currently after the evaluation of a single GPO file the intermediate +results are stored in the cache and this cache entry is updated until +all applicable GPO files are evaluated. Finally the data in the cache is +used to make the decision of access is granted or rejected. + +If there are two or more access-control request running in parallel one +request might overwrite the cache object with intermediate data while +another request reads the cached data for the access decision and as a +result will do this decision based on intermediate data. + +To avoid this the intermediate results are not stored in the cache +anymore but in hash tables which are specific to the request. Only the +final result is written to the cache to have it available for offline +authentication. 
+ +Reviewed-by: Alexey Tikhonov <atikhono@redhat.com> +Reviewed-by: Tomáš Halman <thalman@redhat.com> +(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a) + +Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726] +CVE: CVE-2023-3758 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +--- + src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++----- + 1 file changed, 102 insertions(+), 14 deletions(-) + +diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c +index 44e9cbb..cec0cb4 100644 +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -1317,6 +1317,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, + return ret; + } + ++static errno_t ++add_result_to_hash(hash_table_t *hash, const char *key, char *value) ++{ ++ int hret; ++ hash_key_t k; ++ hash_value_t v; ++ ++ if (hash == NULL || key == NULL || value == NULL) { ++ return EINVAL; ++ } ++ ++ k.type = HASH_KEY_CONST_STRING; ++ k.c_str = key; ++ ++ v.type = HASH_VALUE_PTR; ++ v.ptr = value; ++ ++ hret = hash_enter(hash, &k, &v); ++ if (hret != HASH_SUCCESS) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n", ++ key, value, hash_error_string(hret)); ++ return EIO; ++ } ++ ++ return EOK; ++} ++ + /* + * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename, + * and stores the allow_key and deny_key of all of the gpo_map_types present +@@ -1324,6 +1351,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, + */ + static errno_t + ad_gpo_store_policy_settings(struct sss_domain_info *domain, ++ hash_table_t *allow_maps, hash_table_t *deny_maps, + const char *filename) + { + struct ini_cfgfile *file_ctx = NULL; +@@ -1457,14 +1485,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, + goto done; + } else if (ret != ENOENT) { + const char *value = allow_value ? 
allow_value : empty_val; +- ret = sysdb_gpo_store_gpo_result_setting(domain, +- allow_key, +- value); ++ ret = add_result_to_hash(allow_maps, allow_key, ++ talloc_strdup(allow_maps, value)); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "sysdb_gpo_store_gpo_result_setting failed for key:" +- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value, +- ret, sss_strerror(ret)); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " ++ "value: [%s] to allow maps " ++ "[%d][%s].\n", ++ allow_key, value, ret, ++ sss_strerror(ret)); + goto done; + } + } +@@ -1484,14 +1512,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, + goto done; + } else if (ret != ENOENT) { + const char *value = deny_value ? deny_value : empty_val; +- ret = sysdb_gpo_store_gpo_result_setting(domain, +- deny_key, +- value); ++ ret = add_result_to_hash(deny_maps, deny_key, ++ talloc_strdup(deny_maps, value)); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "sysdb_gpo_store_gpo_result_setting failed for key:" +- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value, +- ret, sss_strerror(ret)); ++ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " ++ "value: [%s] to deny maps " ++ "[%d][%s].\n", ++ deny_key, value, ret, ++ sss_strerror(ret)); + goto done; + } + } +@@ -1784,6 +1812,8 @@ struct ad_gpo_access_state { + int num_cse_filtered_gpos; + int cse_gpo_index; + const char *ad_domain; ++ hash_table_t *allow_maps; ++ hash_table_t *deny_maps; + }; + + static void ad_gpo_connect_done(struct tevent_req *subreq); +@@ -1906,6 +1936,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx, + goto immediately; + } + ++ ret = sss_hash_create(state, 0, &state->allow_maps); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps " ++ "hash table [%d]: %s\n", ret, sss_strerror(ret)); ++ goto immediately; ++ } ++ ++ ret = sss_hash_create(state, 0, &state->deny_maps); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps " ++ "hash table [%d]: 
%s\n", ret, sss_strerror(ret)); ++ goto immediately; ++ } + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { +@@ -2725,6 +2768,43 @@ ad_gpo_cse_step(struct tevent_req *req) + return EAGAIN; + } + ++static errno_t ++store_hash_maps_in_cache(struct sss_domain_info *domain, ++ hash_table_t *allow_maps, hash_table_t *deny_maps) ++{ ++ int ret; ++ struct hash_iter_context_t *iter; ++ hash_entry_t *entry; ++ size_t c; ++ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL}; ++ ++ ++ for (c = 0; hash_list[c] != NULL; c++) { ++ iter = new_hash_iter_context(hash_list[c]); ++ if (iter == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n"); ++ return EINVAL; ++ } ++ ++ while ((entry = iter->next(iter)) != NULL) { ++ ret = sysdb_gpo_store_gpo_result_setting(domain, ++ entry->key.c_str, ++ entry->value.ptr); ++ if (ret != EOK) { ++ free(iter); ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_gpo_store_gpo_result_setting failed for key:" ++ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str, ++ (char *) entry->value.ptr, ret, sss_strerror(ret)); ++ return ret; ++ } ++ } ++ talloc_free(iter); ++ } ++ ++ return EOK; ++} ++ + /* + * This cse-specific function (GP_EXT_GUID_SECURITY) increments the + * cse_gpo_index until the policy settings for all applicable GPOs have been +@@ -2766,6 +2846,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) + * (as part of the GPO Result object in the sysdb cache). 
+ */ + ret = ad_gpo_store_policy_settings(state->host_domain, ++ state->allow_maps, state->deny_maps, + cse_filtered_gpo->policy_filename); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, +@@ -2779,6 +2860,13 @@ ad_gpo_cse_done(struct tevent_req *subreq) + + if (ret == EOK) { + /* ret is EOK only after all GPO policy files have been downloaded */ ++ ret = store_hash_maps_in_cache(state->host_domain, ++ state->allow_maps, state->deny_maps); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps " ++ "[%d][%s].\n", ret, sss_strerror(ret)); ++ goto done; ++ } + ret = ad_gpo_perform_hbac_processing(state, + state->gpo_mode, + state->gpo_map_type, +-- +2.25.1 diff --git a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb index 0c75d8f45f..f973ee158d 100644 --- a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb +++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb @@ -25,6 +25,7 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \ file://fix-ldblibdir.patch \ file://musl_fixup.patch \ file://0001-sssctl-add-error-analyzer.patch \ + file://CVE-2023-3758.patch \ " SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba" diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf index 8da050be18..f5db75119f 100644 --- a/meta-security/meta-hardening/conf/layer.conf +++ b/meta-security/meta-hardening/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "harden-layer" BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_harden-layer = "6" -LAYERSERIES_COMPAT_harden-layer = "nanbield scarthgap" +LAYERSERIES_COMPAT_harden-layer = "styhead" LAYERDEPENDS_harden-layer = "core openembedded-layer" 
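Review bot: In `store_hash_maps_in_cache` of the backported patch, the iterator from `new_hash_iter_context` is released with `free(iter)` on the error path but with `talloc_free(iter)` after the loop; both cannot be correct for the same allocation, so one path is either a leak or an invalid free depending on which allocator the hash table was created with (not visible here). Since the file is a verbatim cherry-pick tagged Upstream-Status: Backport, the right move is to confirm the error path against upstream rather than edit the patch locally, and record it next to the SRC_URI entry, e.g. `# CVE-2023-3758.patch: error path in store_hash_maps_in_cache uses free() vs talloc_free() — verify upstream`. Apart from that the patch does what its description states: intermediate GPO allow/deny results stay in per-request hash tables and only the final maps are written to the sysdb cache.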
diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb index 38771cdfb9..4366961eac 100644 --- a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb +++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb @@ -18,9 +18,9 @@ DEFAULT_ADMIN_ACCOUNT ?= "myadmin" DEFAULT_ADMIN_GROUP ?= "wheel" DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!" -EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}" +EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -p '${ROOT_DEFAULT_PASSWORD}' root;", d)}" EXTRA_USERS_PARAMS:append = " useradd ${DEFAULT_ADMIN_ACCOUNT};" EXTRA_USERS_PARAMS:append = " groupadd ${DEFAULT_ADMIN_GROUP};" -EXTRA_USERS_PARAMS:append = " usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS:append = " usermod -p '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" EXTRA_USERS_PARAMS:append = " usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};" diff --git a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend index 92e364caf7..8af6979fa4 100644 --- a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend +++ b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend @@ -4,5 +4,5 @@ SRC_URI:append:harden = " file://mountall.sh" do_install:append:harden() { install -d ${D}${sysconfdir}/init.d - install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d + install -m 0755 ${UNPACKDIR}/mountall.sh ${D}${sysconfdir}/init.d } diff --git a/meta-security/meta-integrity/README.md b/meta-security/meta-integrity/README.md index c333a9f120..6845c21baa 100644 
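Review bot: Switching `usermod -P` to `usermod -p` changes the argument from a clear-text password to an already-encrypted one, but the value passed is still a plain string: `DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"` two lines above, and presumably `ROOT_DEFAULT_PASSWORD` as well. With `-p` that literal is written into the shadow hash field unchanged, so the admin account (and root when DISABLE_ROOT is not set) will not accept the documented password while the recipe still reads as if it does. Either redefine the defaults as crypt hashes and say so — `# must be a crypt(3) hash, e.g. from openssl passwd -6` above both variables — or, if the new release's extrausers class no longer accepts `-P`, compute the hash in the recipe with a python expression before handing it to `-p`. Documenting the expected format next to the variables is the minimum.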
--- a/meta-security/meta-integrity/README.md +++ b/meta-security/meta-integrity/README.md @@ -95,6 +95,8 @@ the image, enable image signing in the local.conf like this: IMA_EVM_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" IMA_EVM_PRIVKEY = "${IMA_EVM_KEY_DIR}/privkey_ima.pem" + IMA_EVM_EVMCTL_KEY_PASSWORD = "<optional private key password>" + IMA_EVM_PRIVKEY_KEYID_OPT = "<options to use while signing>" IMA_EVM_X509 = "${IMA_EVM_KEY_DIR}/x509_ima.der" IMA_EVM_ROOT_CA = "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" @@ -153,12 +155,7 @@ ima-evm-rootfs.bbclass: IMA_EVM_KEY_DIR = "<full path>" IMA_EVM_PRIVKEY = "<some other path/privkey_ima.pem>" -By default, the entire file system gets signed. When using a policy which -does not require that, the set of files to be labelled can be chosen -by overriding the default "find" expression, for example like this: - - IMA_EVM_ROOTFS_FILES = "usr sbin bin lib -type f" - +By default, the entire file system gets signed. 2. Usage ======== diff --git a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass index 7b7337379c..7ec27519fa 100644 --- a/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass +++ b/meta-security/meta-integrity/classes/ima-evm-rootfs.bbclass @@ -8,6 +8,13 @@ IMA_EVM_KEY_DIR ?= "IMA_EVM_KEY_DIR_NOT_SET" # using the example key directory. IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem" +# Additional option when signing. Allows to for example provide +# --keyid <id> or --keyid-from-cert <filename>. +IMA_EVM_PRIVKEY_KEYID_OPT ?= "" + +# Password for the private key +IMA_EVM_EVMCTL_KEY_PASSWORD ?= "" + # Public part of certificates (used for both IMA and EVM). # The default is okay when using the example key directory. IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" 
@@ -19,11 +26,6 @@ IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" # ima-local-ca.x509 is what ima-gen-local-ca.sh creates. IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" -# Sign all regular files by default. -IMA_EVM_ROOTFS_SIGNED ?= ". -type f" -# Hash nothing by default. -IMA_EVM_ROOTFS_HASHED ?= ". -depth 0 -false" - # Mount these file systems (identified via their mount point) with # the iversion flags (needed by IMA when allowing writing). IMA_EVM_ROOTFS_IVERSION ?= "" @@ -73,8 +75,11 @@ ima_evm_sign_rootfs () { exit 1 fi + export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD} + bbnote "IMA/EVM: Signing root filesystem at ${IMAGE_ROOTFS} with key ${IMA_EVM_PRIVKEY}" - evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key ${IMA_EVM_PRIVKEY} -r "${IMAGE_ROOTFS}" + evmctl sign --imasig ${evmctl_param} --portable -a sha256 \ + --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} -r "${IMAGE_ROOTFS}" # check signing key and signature verification key evmctl ima_verify ${evmctl_param} --key "${IMA_EVM_X509}" "${IMAGE_ROOTFS}/lib/libc.so.6" || exit 1 @@ -87,7 +92,8 @@ ima_evm_sign_rootfs () { install "${IMA_EVM_POLICY}" ./${sysconfdir}/ima/ima-policy bbnote "IMA/EVM: Signing IMA policy with key ${IMA_EVM_PRIVKEY}" - evmctl sign --imasig ${evmctl_param} --portable -a sha256 --key "${IMA_EVM_PRIVKEY}" "${IMAGE_ROOTFS}/etc/ima/ima-policy" + evmctl sign --imasig ${evmctl_param} --portable -a sha256 \ + --key "${IMA_EVM_PRIVKEY}" ${IMA_EVM_PRIVKEY_KEYID_OPT} "${IMAGE_ROOTFS}/etc/ima/ima-policy" fi # Optionally write the file names and ima and evm signatures into files diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index aab9652250..292ba21b02 100644 --- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf 
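Review bot: `export EVMCTL_KEY_PASSWORD=${IMA_EVM_EVMCTL_KEY_PASSWORD}` in ima_evm_sign_rootfs is unquoted, so a password containing spaces or shell metacharacters is split or interpreted by the shell; it should be `export EVMCTL_KEY_PASSWORD="${IMA_EVM_EVMCTL_KEY_PASSWORD}"`. BitBake also expands the variable when it emits the shell function, so the private-key password ends up in clear text in the task's `run.do_*` script under the work directory and in anything that archives the build tree; that is worth stating in the comment on IMA_EVM_EVMCTL_KEY_PASSWORD in the earlier hunk (`# Password for the private key; note it is exported into the task environment and appears in the expanded run script`) so users source it from a secret store rather than committing it to local.conf. `${IMA_EVM_PRIVKEY_KEYID_OPT}` is deliberately left unquoted so several options can be passed, which is fine. ima_evm_sign_rootfs starts before and ends after these hunks.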
@@ -20,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}' # interactive shell is enough. OE_TERMINAL_EXPORTS += "INTEGRITY_BASE" -LAYERSERIES_COMPAT_integrity = "nanbield scarthgap" +LAYERSERIES_COMPAT_integrity = "styhead" # ima-evm-utils depends on keyutils from meta-oe LAYERDEPENDS_integrity = "core openembedded-layer" diff --git a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb index 58cbe6e958..fed4609773 100644 --- a/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb +++ b/meta-security/meta-integrity/recipes-core/initrdscripts/initramfs-framework-ima.bb @@ -25,7 +25,7 @@ REQUIRED_DISTRO_FEATURES = "ima" do_install () { install -d ${D}/${sysconfdir}/ima install -d ${D}/init.d - install ${WORKDIR}/ima ${D}/init.d/20-ima + install ${UNPACKDIR}/ima ${D}/init.d/20-ima sed -i "s/@@FORCE_IMA@@/${IMA_FORCE}/g" ${D}/init.d/20-ima } diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb index 5f2244edc3..b9aa35242f 100644 --- a/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb +++ b/meta-security/meta-integrity/recipes-security/ima_policy_appraise_all/ima-policy-appraise-all_1.0.bb @@ -4,12 +4,14 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 SRC_URI = " file://ima_policy_appraise_all" +S = "${UNPACKDIR}" + inherit features_check REQUIRED_DISTRO_FEATURES = "ima" do_install () { install -d ${D}/${sysconfdir}/ima - install ${WORKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy + install ${UNPACKDIR}/ima_policy_appraise_all ${D}/${sysconfdir}/ima/ima-policy } FILES:${PN} = "${sysconfdir}/ima" 
diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb index 57c06400be..8f0df9bd06 100644 --- a/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb +++ b/meta-security/meta-integrity/recipes-security/ima_policy_hashed/ima-policy-hashed_1.0.bb @@ -6,12 +6,14 @@ SRC_URI = " \ file://ima_policy_hashed \ " +S = "${UNPACKDIR}" + inherit features_check REQUIRED_DISTRO_FEATURES = "ima" do_install () { install -d ${D}/${sysconfdir}/ima - install ${WORKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy + install ${UNPACKDIR}/ima_policy_hashed ${D}/${sysconfdir}/ima/ima-policy } FILES:${PN} = "${sysconfdir}/ima" diff --git a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb index 8fed410063..440ce892ed 100644 --- a/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb +++ b/meta-security/meta-integrity/recipes-security/ima_policy_simple/ima-policy-simple_1.0.bb @@ -4,12 +4,14 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384 SRC_URI = " file://ima_policy_simple" +S = "${UNPACKDIR}" + inherit features_check REQUIRED_DISTRO_FEATURES = "ima" do_install () { install -d ${D}/${sysconfdir}/ima - install ${WORKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy + install ${UNPACKDIR}/ima_policy_simple ${D}/${sysconfdir}/ima/ima-policy } FILES:${PN} = "${sysconfdir}/ima" diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf index e9d02306c2..e59b60c832 100644 --- a/meta-security/meta-parsec/conf/layer.conf +++ b/meta-security/meta-parsec/conf/layer.conf 
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "parsec-layer" BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_parsec-layer = "5" -LAYERSERIES_COMPAT_parsec-layer = "nanbield scarthgap" +LAYERSERIES_COMPAT_parsec-layer = "styhead nanbield scarthgap" LAYERDEPENDS_parsec-layer = "core clang-layer" BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec" diff --git a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb index 2d55c2460f..3aa0b0a592 100644 --- a/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb +++ b/meta-security/meta-parsec/recipes-parsec/parsec-service/parsec-service_1.4.1.bb @@ -61,12 +61,12 @@ do_install () { install -m 644 ${S}/systemd-daemon/parsec.service ${D}${systemd_unitdir}/system install -d ${D}${libdir}/tmpfiles.d - install -m 644 ${WORKDIR}/parsec-tmpfiles.conf ${D}${libdir}/tmpfiles.d + install -m 644 ${UNPACKDIR}/parsec-tmpfiles.conf ${D}${libdir}/tmpfiles.d fi if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/init.d - install -m 755 ${WORKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec + install -m 755 ${UNPACKDIR}/parsec_init ${D}${sysconfdir}/init.d/parsec # Data dir install -d -m 700 -o parsec -g parsec "${D}${localstatedir}/lib/parsec" fi diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index 58b61d4d2b..b8df817b7b 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer" BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_tpm-layer = "6" -LAYERSERIES_COMPAT_tpm-layer = "nanbield scarthgap" +LAYERSERIES_COMPAT_tpm-layer = "styhead" LAYERDEPENDS_tpm-layer = " \ core \ 
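Review bot: `LAYERSERIES_COMPAT_parsec-layer = "styhead nanbield scarthgap"` keeps the two older releases, while every other layer.conf in this series (security, integrity, tpm-layer) narrows to `"styhead"`, and the parsec-service hunk on the same line switches its install lines to `${UNPACKDIR}`, which the older releases may not define. If meta-parsec is meant to stay usable on nanbield/scarthgap, the recipe change needs a fallback for those releases; otherwise the line should match its siblings, `LAYERSERIES_COMPAT_parsec-layer = "styhead"`. Either way the commit should say which of the two is intended.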
diff --git a/meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb index b47d53a689..816f382f5c 100644 --- a/meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb +++ b/meta-security/meta-tpm/recipes-tpm1/tpm-tools/tpm-tools_1.3.9.2.bb @@ -22,7 +22,11 @@ SRC_URI = " \ inherit autotools-brokensep gettext -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" + +# Compile failing with gcc-14 +CFLAGS += " -Wno-incompatible-pointer-types -Wno-stringop-truncation -Wno-error=implicit-function-declaration" +BUILD_CFLAGS += " -Wno-incompatible-pointer-types -Wno-stringop-truncation -Wno-error=implicit-function-declaration" do_configure:prepend () { mkdir -p po diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.3.0.bb index c98d4abf7f..57e284bd7f 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.3.0.bb @@ -3,13 +3,19 @@ HOMEPAGE = "https://github.com/tpm2-software/tpm2-pytss" LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" -SRC_URI[sha256sum] = "5b5b4b1456fdc1aeef3d2c3970beaa078c8f7f2648c97a69bcf60c5a2f95c897" - PYPI_PACKAGE = "tpm2-pytss" -DEPENDS = "python3-pkgconfig-native python3-pycparser-native python3-asn1crypto-native" -DEPENDS:append = " python3-cryptography-native tpm2-tss" +SRC_URI[sha256sum] = "20071129379656f5f3c3bc16d364612672b147d81191fb4eb9f9ff9fbee48410" + +inherit autotools pkgconfig pypi python_setuptools_build_meta -inherit autotools pkgconfig pypi setuptools3_legacy +DEPENDS = " \ + python3-setuptools-scm-native \ + python3-asn1crypto-native \ + python3-cryptography-native \ + python3-pkgconfig-native \ + python3-pycparser-native \ + tpm2-tss \ +" RDEPENDS:${PN} = "libtss2" 
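Review bot: The new `CFLAGS`/`BUILD_CFLAGS` lines downgrade gcc-14's incompatible-pointer-types and implicit-function-declaration errors to warnings, which hides real prototype mismatches in code that handles TPM ownership and key material instead of fixing them; `# Compile failing with gcc-14` records that the build broke but not what was wrong. The usual fix is a source patch with an Upstream-Status tag, and failing that the comment should name the offending files and mark the flags as temporary, e.g. `# TODO: gcc-14 workaround; hides real type mismatches, replace with a patch against the failing sources`. `-Wno-stringop-truncation` is a plain warning suppression and does not need to travel with the error downgrades.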
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb index 9bad758c24..bb422cf1dc 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.5.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tools/tpm2-tools_5.7.bb @@ -8,7 +8,7 @@ DEPENDS = "tpm2-tss openssl curl" SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz" -SRC_URI[sha256sum] = "1fdb49c730537bfdaed088884881a61e3bfd121e957ec0bdceeec0261236c123" +SRC_URI[sha256sum] = "3810d36b5079256f4f2f7ce552e22213d43b1031c131538df8a2dbc3c570983a" UPSTREAM_CHECK_URI = "https://github.com/tpm2-software/${BPN}/releases" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.1.2.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.1.2.bb index 9a57308b03..a27accac6d 100644 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.1.2.bb +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-tss/tpm2-tss_4.1.2.bb @@ -4,7 +4,7 @@ LICENSE = "BSD-2-Clause" LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" SECTION = "tpm" -DEPENDS = "autoconf-archive-native libgcrypt openssl" +DEPENDS = "autoconf-archive-native openssl" SRC_URI = "https://github.com/tpm2-software/${BPN}/releases/download/${PV}/${BPN}-${PV}.tar.gz \ file://fixup_hosttools.patch \ @@ -92,6 +92,4 @@ FILES:${PN} = "\ ${sysconfdir}/tpm2-tss \ ${sysconfdir}/sysusers.d" -RDEPENDS:libtss2 = "libgcrypt" - BBCLASSEXTEND = "native nativesdk" diff --git a/meta-security/recipes-compliance/lynis/lynis_3.1.1.bb b/meta-security/recipes-compliance/lynis/lynis_3.1.1.bb index b69f4dfd6d..f6fddd0b20 100644 --- a/meta-security/recipes-compliance/lynis/lynis_3.1.1.bb +++ b/meta-security/recipes-compliance/lynis/lynis_3.1.1.bb 
@@ -12,7 +12,7 @@ SRC_URI[sha256sum] = "d72f4ee7325816bb8dbfcf31eb104207b9fe58a2493c2a875373746a71 #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis" -S = "${WORKDIR}/${BPN}" +S = "${UNPACKDIR}/${BPN}" inherit autotools-brokensep diff --git a/meta-security/recipes-compliance/openscap/files/0001-CMakeLists.txt-fix-installation-directory-for-system.patch b/meta-security/recipes-compliance/openscap/files/0001-CMakeLists.txt-fix-installation-directory-for-system.patch new file mode 100644 index 0000000000..87dd00be8c --- /dev/null +++ b/meta-security/recipes-compliance/openscap/files/0001-CMakeLists.txt-fix-installation-directory-for-system.patch @@ -0,0 +1,29 @@ +From 887bd1b60720f02e937c57568d7ef4d3df4b00e8 Mon Sep 17 00:00:00 2001 +From: Yi Zhao <yi.zhao@windriver.com> +Date: Mon, 24 Jun 2024 11:27:30 +0800 +Subject: [PATCH] CMakeLists.txt: fix installation directory for systemd unit + file + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + CMakeLists.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index fdeda6eb4..77645ecd4 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -637,7 +637,7 @@ if(NOT WIN32) + configure_file("oscap-remediate.service.in" "oscap-remediate.service" @ONLY) + install(FILES + ${CMAKE_CURRENT_BINARY_DIR}/oscap-remediate.service +- DESTINATION ${CMAKE_INSTALL_PREFIX}/${SYSTEMD_UNITDIR} ++ DESTINATION ${SYSTEMD_UNITDIR} + ) + endif() + endif() +-- +2.25.1 + diff --git a/meta-security/recipes-compliance/openscap/openscap_1.3.10.bb b/meta-security/recipes-compliance/openscap/openscap_1.4.0.bb index d3e44a890f..de56e9dc6e 100644 --- a/meta-security/recipes-compliance/openscap/openscap_1.3.10.bb +++ b/meta-security/recipes-compliance/openscap/openscap_1.4.0.bb 
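Review bot: The new openscap patch is tagged `Upstream-Status: Inappropriate [oe specific]`, but dropping `${CMAKE_INSTALL_PREFIX}` from the unit-file destination does not look OE-specific: if `SYSTEMD_UNITDIR` is taken from pkg-config's `systemdsystemunitdir` it is already absolute, so the upstream expression double-prefixes on any distro that builds with a prefix. It seems worth sending upstream and tagging `Upstream-Status: Submitted [link]` (or `Pending`) so the layer does not carry it indefinitely. The patch body itself is a one-line change and matches its subject.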
@@ -9,11 +9,13 @@ LICENSE = "LGPL-2.1-only" DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig libpcre xmlsec1" DEPENDS:class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native libpcre-native xmlsec1-native" -#March 18th, 2024 -SRCREV = "6d008616978306ce5e68997dce554a1683064f8f" -SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https " +SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=main;protocol=https \ + file://0001-CMakeLists.txt-fix-installation-directory-for-system.patch \ + " -S = "${WORKDIR}/git" +SRCREV = "a01b5d6927c7bccf41d9c623fee0c5f7105db835" + +S = "${UNPACKDIR}/git" inherit cmake pkgconfig python3native python3targetconfig perlnative systemd @@ -24,7 +26,7 @@ PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm" PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt" PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss" PACKAGECONFIG[selinux] = ", ,libselinux" -PACKAGECONFIG[remdediate_service] = "-DENABLE_OSCAP_REMEDIATE_SERVICE=ON,-DENABLE_OSCAP_REMEDIATE_SERVICE=NO," +PACKAGECONFIG[remediate_service] = "-DENABLE_OSCAP_REMEDIATE_SERVICE=ON,-DENABLE_OSCAP_REMEDIATE_SERVICE=OFF," EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \ -DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \ 
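Review bot: Correcting the PACKAGECONFIG key from `remdediate_service` to `remediate_service` (here and in the `SYSTEMD_SERVICE:${PN}` line in the later hunk) is right, but it is a silent behaviour change for any distro or local configuration that enabled the misspelled name: the remediation service quietly drops out of the image. That deserves a sentence in the commit message naming the old and new key. The first hunk also removes the `#March 18th, 2024` note next to `SRCREV` without replacing it; with the fetch now on `branch=main`, a comment such as `# 1.4.0 release, <date of SRCREV>` keeps the pin auditable.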
@@ -47,14 +49,6 @@ do_configure:append:class-native () { sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h } -do_install:append () { - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - if ${@bb.utils.contains('PACKAGECONFIG','remdediate_service','true','false',d)}; then - install -D -m 0644 ${B}/oscap-remediate.service ${D}${systemd_system_unitdir}/oscap-remediate.service - fi - fi -} - do_install:class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" do_install:append:class-native () { oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} @@ -64,7 +58,7 @@ do_install:append:class-native () { SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE:${PN} = "${@bb.utils.contains('PACKAGECONFIG','remdediate_service', 'oscap-remediate.service', '',d)}" +SYSTEMD_SERVICE:${PN} = "${@bb.utils.contains('PACKAGECONFIG','remediate_service', 'oscap-remediate.service', '',d)}" SYSTEMD_AUTO_ENABLE = "disable" diff --git a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.73.bb b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.74.bb index 539b6cf745..23b18250fe 100644 --- a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.73.bb +++ b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.74.bb @@ -6,7 +6,7 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820" LICENSE = "BSD-3-Clause" -SRCREV = "2bf9d43840d3ed36a25262d4f45a4015f9b77d8d" +SRCREV = "1bf21b05fa9581e8ca44e104e741e13fad3551ef" SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=stable;protocol=https \ file://run_eval.sh \ file://run-ptest \ 
@@ -15,7 +15,7 @@ SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=stable;protocol= DEPENDS = "openscap-native python3-pyyaml-native python3-jinja2-native libxml2-native expat-native coreutils-native" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" B = "${S}/build" inherit cmake pkgconfig python3native python3targetconfig ptest @@ -54,7 +54,7 @@ do_install_ptest() { do sed -e 's#${HOSTTOOLS_DIR}/##g' \ -e 's#${RECIPE_SYSROOT_NATIVE}##g' \ - -e 's#${WORKDIR}#${PTEST_PATH}#g' \ + -e 's#${UNPACKDIR}#${PTEST_PATH}#g' \ -e 's#/.*/xmllint#/usr/bin/xmllint#g' \ -e 's#/.*/oscap#/usr/bin/oscap#g' \ -e 's#/python3-native##g' \ diff --git a/meta-security/recipes-ids/aide/aide/m4_allow.patch b/meta-security/recipes-ids/aide/aide/m4_allow.patch new file mode 100644 index 0000000000..6f0b97bfdc --- /dev/null +++ b/meta-security/recipes-ids/aide/aide/m4_allow.patch 
@@ -0,0 +1,40 @@ +Fixes build issues + +Upstream-Status: Inappropriate [next version has many changes to configure.ac] +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: aide-0.18.8/configure.ac +=================================================================== +--- aide-0.18.8.orig/configure.ac ++++ aide-0.18.8/configure.ac +@@ -14,6 +14,7 @@ dnl The name of the configure h-file. + AC_CONFIG_HEADERS(include/config.h) + + dnl Checks for programs. ++m4_pattern_allow([AC_MSG_ERROR]) + AC_PROG_CC + if test "x$ac_cv_prog_cc_c99" = xno; then + AC_MSG_ERROR([AIDE needs a C99 compatible compiler]) +@@ -246,6 +247,7 @@ if test "$aide_static_choice" != "yes"; + fi + + dnl This macro is new in autoconf-2.13 ++m4_pattern_allow([AC_DEFINE]) + AC_SEARCH_LIBS(syslog, bsd socket inet, [AC_DEFINE(HAVE_SYSLOG,1,[syslog available?])]) + AC_CHECK_FUNCS(vsyslog) + +@@ -320,14 +322,10 @@ fi + AC_CHECK_HEADERS(syslog.h inttypes.h fcntl.h ctype.h) + + AIDE_PKG_CHECK_MANDATORY(pcre2, PCRE2, libpcre2-8) +- + AC_MSG_CHECKING(for pthread for multithreading) + AC_ARG_WITH([pthread], AS_HELP_STRING([--with-pthread], [use pthread for multithreading (default: yes)]), [with_pthread=$withval], [with_pthread=yes]) + AC_MSG_RESULT([$with_pthread]) + compoptionstring="${compoptionstring}use pthread: $with_pthread\\n" +-AS_IF([test x"$with_pthread" = xyes], [ +- AX_PTHREAD([AC_DEFINE(WITH_PTHREAD,1,[use pthread])], [AC_MSG_ERROR([AIDE requires pthread])]) +-]) + + AIDE_PKG_CHECK(zlib, zlib compression, yes, ZLIB, zlib) + diff --git a/meta-security/recipes-ids/aide/aide_0.17.4.bb b/meta-security/recipes-ids/aide/aide_0.18.8.bb index 52ddc43ff8..e2014a1ea6 100644 --- a/meta-security/recipes-ids/aide/aide_0.17.4.bb +++ b/meta-security/recipes-ids/aide/aide_0.18.8.bb 
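Review bot: Besides the two `m4_pattern_allow` lines, m4_allow.patch deletes the `AS_IF([test x"$with_pthread" = xyes], [AX_PTHREAD(...)])` block, so `--with-pthread` — which the recipe hunk on the next line enables by default through `PACKAGECONFIG[pthread]` — no longer defines `WITH_PTHREAD` or adds pthread flags, while the configure summary still prints `use pthread: yes`. If `AX_PTHREAD` was failing because the macro was not found, `DEPENDS += "autoconf-archive-native"` in the recipe is the usual fix, and `m4_pattern_allow([AC_MSG_ERROR])` / `m4_pattern_allow([AC_DEFINE])` likewise only mask the unexpanded macros that result from the missing archive. The leading description `Fixes build issues` should name the actual configure error being worked around.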
@@ -3,18 +3,20 @@ HOMEPAGE = "https://aide.github.io" LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" LICENSE = "GPL-2.0-only" -DEPENDS = "bison-native libpcre" +DEPENDS = "bison-native libpcre2" SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \ - file://aide.conf" + file://aide.conf \ + file://m4_allow.patch \ + " -SRC_URI[sha256sum] = "c81505246f3ffc2e76036d43a77212ae82895b5881d9b9e25c1361b1a9b7a846" +SRC_URI[sha256sum] = "16662dc632d17e2c5630b801752f97912a8e22697c065ebde175f1cc37b83a60" UPSTREAM_CHECK_URI = "https://github.com/${BPN}/${BPN}/releases" inherit autotools pkgconfig aide-base -PACKAGECONFIG ??=" mhash zlib e2fsattrs posix capabilities curl \ +PACKAGECONFIG ??=" gcrypt zlib e2fsattrs posix capabilities curl pthread \ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \ " @@ -28,14 +30,14 @@ PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash" PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs" PACKAGECONFIG[capabilities] = "--with-capabilities, --without-capabilities, libcap, libcap" PACKAGECONFIG[posix] = "--with-posix-acl, --without-posix-acl, acl, acl" - +PACKAGECONFIG[pthread] = "--with-pthread," do_install[nostamp] = "1" do_install:append () { install -d ${D}${libdir}/${PN}/logs install -d ${D}${sysconfdir} - install ${WORKDIR}/aide.conf ${D}${sysconfdir}/ + install ${UNPACKDIR}/aide.conf ${D}${sysconfdir}/ for dir in ${AIDE_INCLUDE_DIRS}; do echo "${dir} NORMAL" >> ${D}${sysconfdir}/aide.conf 
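Review bot: `PACKAGECONFIG[pthread] = "--with-pthread,"` has no disable argument, so removing `pthread` from PACKAGECONFIG leaves configure at its default of `with_pthread=yes`; it should read `PACKAGECONFIG[pthread] = "--with-pthread,--without-pthread"`. The default set now lists `gcrypt` in place of `mhash`, but no `PACKAGECONFIG[gcrypt]` definition is visible in the hunk context — if it is not defined elsewhere in the recipe or in aide-base, that option selects neither a configure flag nor a libgcrypt dependency.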
@@ -50,7 +52,7 @@ do_install:class-native () { install -d ${STAGING_AIDE_DIR}/lib/logs install ${B}/aide ${STAGING_AIDE_DIR}/bin - install ${WORKDIR}/aide.conf ${STAGING_AIDE_DIR}/ + install ${UNPACKDIR}/aide.conf ${STAGING_AIDE_DIR}/ sed -i -s "s:\@\@define DBDIR.*:\@\@define DBDIR ${STAGING_AIDE_DIR}/lib:" ${STAGING_AIDE_DIR}/aide.conf sed -i -e "s:\@\@define LOGDIR.*:\@\@define LOGDIR ${STAGING_AIDE_DIR}/lib/logs:" ${STAGING_AIDE_DIR}/aide.conf diff --git a/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb b/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb index 81f2b8fe84..deccecfef7 100644 --- a/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb +++ b/meta-security/recipes-ids/crowdsec/crowdsec_1.1.1.bb @@ -12,7 +12,7 @@ GO_IMPORT = "import" inherit go -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" do_compile() { export GOARCH="${TARGET_GOARCH}" diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb index 829715bc29..fbd1294792 100644 --- a/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb +++ b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb @@ -15,7 +15,7 @@ UPSTREAM_CHECK_COMMITS = "1" inherit autotools-brokensep useradd -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" OSSEC_DIR="/var/ossec" diff --git a/meta-security/recipes-ids/samhain/samhain.inc b/meta-security/recipes-ids/samhain/samhain.inc index 61ec0da24c..65e6734b89 100644 --- a/meta-security/recipes-ids/samhain/samhain.inc +++ b/meta-security/recipes-ids/samhain/samhain.inc @@ -26,7 +26,7 @@ SRC_URI[sha256sum] = "ae6ee8eff3cb111b7fc14a57bcc258443dd0bcf1bfacfdf229935ed053 UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html" UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar" -S = "${WORKDIR}/samhain-${PV}" +S = "${UNPACKDIR}/samhain-${PV}" inherit autotools-brokensep update-rc.d pkgconfig systemd 
@@ -65,7 +65,7 @@ EXTRA_OEMAKE:append:mips64 = " CPPFLAGS+=-DCONFIG_ARCH_MIPS64=1" do_unpack_samhain() { cd ${UNPACKDIR} - tar -xzvf samhain-${PV}.tar.gz -C ${WORKDIR} + tar -xzvf samhain-${PV}.tar.gz -C ${UNPACKDIR} } python do_unpack:append() { diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch new file mode 100644 index 0000000000..7e5d8e2708 --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch 
@@ -0,0 +1,53 @@ +From a6052dca1e27f3c8f96ec7be0fe7514c56a0d56f Mon Sep 17 00:00:00 2001 +From: Victor Julien <vjulien@oisf.net> +Date: Tue, 4 Jun 2024 14:43:22 +0200 +Subject: [PATCH 1/4] defrag: don't use completed tracker + +When a Tracker is set up for a IPID, frags come in for it and it's +reassembled and complete, the `DefragTracker::remove` flag is set. This +is mean to tell the hash cleanup code to recyle the tracker and to let +the lookup code skip the tracker during lookup. + +A logic error lead to the following scenario: + +1. there are sufficient frag trackers to make sure the hash table is + filled with trackers +2. frags for a Packet with IPID X are processed correctly (X1) +3. frags for a new Packet that also has IPID X come in quickly after the + first (X2). +4. during the lookup, the frag for X2 hashes to a hash row that holds + more than one tracker +5. as the trackers in hash row are evaluated, it finds the tracker for + X1, but since the `remove` bit is not checked, it is returned as the + tracker for X2. +6. reassembly fails, as the tracker is already complete + +The logic error is that only for the first tracker in a row the `remove` +bit was checked, leading to reuse to a closed tracker if there were more +trackers in the hash row. + +Ticket: #7042. 
+ +Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b] +CVE: CVE-2024-37151 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + src/defrag-hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/defrag-hash.c b/src/defrag-hash.c +index 2f19ce2..87d40f9 100644 +--- a/src/defrag-hash.c ++++ b/src/defrag-hash.c +@@ -591,7 +591,7 @@ DefragTracker *DefragGetTrackerFromHash (Packet *p) + return dt; + } + +- if (DefragTrackerCompare(dt, p) != 0) { ++ if (!dt->remove && DefragTrackerCompare(dt, p) != 0) { + /* we found our tracker, lets put it on top of the + * hash list -- this rewards active trackers */ + if (dt->hnext) { +-- +2.44.0 + diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-38534.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-38534.patch new file mode 100644 index 0000000000..14a958cb11 --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/CVE-2024-38534.patch 
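Review bot: The trailer reads `Upstream-Status: Backport from [https://...]`, whereas the OE convention — and the form used by CVE-2024-45797.patch later on this page — is `Upstream-Status: Backport [https://...]`; the patch-status QA check may not recognise the "from" variant. The same wording appears in CVE-2024-38534.patch, CVE-2024-38535.patch and CVE-2024-38535_pre.patch. The code change itself matches the description: the `remove` flag is now checked for every tracker in the hash row rather than only the first.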
@@ -0,0 +1,44 @@ +From f1645ea911d4e90b1be8ee5863e8e1a665079cce Mon Sep 17 00:00:00 2001 +From: Philippe Antoine <pantoine@oisf.net> +Date: Thu, 25 Apr 2024 21:24:33 +0200 +Subject: [PATCH 2/4] modbus: abort flow parsing on flood + +Ticket: 6987 + +Let's not spend more resources for a flow which is trying to +make us do it... + +(cherry picked from commit 37509e8e0ed097f8e0174df754835ac60584fc72) + +Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/a753cdbe84caee3b66d0bf49b2712d29a50d67ae] +CVE: CVE-2024-38534 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + rust/src/modbus/modbus.rs | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rust/src/modbus/modbus.rs b/rust/src/modbus/modbus.rs +index 246e9ca..d2f7c6b 100644 +--- a/rust/src/modbus/modbus.rs ++++ b/rust/src/modbus/modbus.rs +@@ -189,7 +189,7 @@ impl ModbusState { + None => { + let mut tx = match self.new_tx() { + Some(tx) => tx, +- None => return AppLayerResult::ok(), ++ None => return AppLayerResult::err(), + }; + tx.set_events_from_flags(&msg.error_flags); + tx.request = Some(msg); +@@ -215,7 +215,7 @@ impl ModbusState { + None => { + let mut tx = match self.new_tx() { + Some(tx) => tx, +- None => return AppLayerResult::ok(), ++ None => return AppLayerResult::err(), + }; + if msg + .access_type +-- +2.44.0 + diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch new file mode 100644 index 0000000000..7ac72c8b19 --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/CVE-2024-38535.patch 
@@ -0,0 +1,57 @@ +From 6b00dc36d7527f051c2346f03d20f8d9e5a60138 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine <pantoine@oisf.net> +Date: Mon, 17 Jun 2024 16:30:49 +0200 +Subject: [PATCH 3/4] http2: do not expand duplicate headers + +Ticket: 7104 + +As this can cause a big mamory allocation due to the quadratic +nature of the HPACK compression. + +(cherry picked from commit 5bd17934df321b88f502d48afdd6cc8bad4787a7) + +Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/c82fa5ca0d1ce0bd8f936e0b860707a6571373b2] +CVE: CVE-2024-38535 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + rust/src/http2/detect.rs | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/rust/src/http2/detect.rs b/rust/src/http2/detect.rs +index 99261ad..9c2f8ab 100644 +--- a/rust/src/http2/detect.rs ++++ b/rust/src/http2/detect.rs +@@ -432,11 +432,11 @@ pub fn http2_frames_get_header_value_vec( + if found == 0 { + vec.extend_from_slice(&block.value); + found = 1; +- } else if found == 1 { ++ } else if found == 1 && Rc::strong_count(&block.name) <= 2 { + vec.extend_from_slice(&[b',', b' ']); + vec.extend_from_slice(&block.value); + found = 2; +- } else { ++ } else if Rc::strong_count(&block.name) <= 2 { + vec.extend_from_slice(&[b',', b' ']); + vec.extend_from_slice(&block.value); + } +@@ -469,14 +469,14 @@ fn http2_frames_get_header_value<'a>( + if found == 0 { + single = Ok(&block.value); + found = 1; +- } else if found == 1 { ++ } else if found == 1 && Rc::strong_count(&block.name) <= 2 { + if let Ok(s) = single { + vec.extend_from_slice(s); + } + vec.extend_from_slice(&[b',', b' ']); + vec.extend_from_slice(&block.value); + found = 2; +- } else { ++ } else if Rc::strong_count(&block.name) <= 2 { + vec.extend_from_slice(&[b',', b' ']); + vec.extend_from_slice(&block.value); + } +-- +2.44.0 + 
diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-38535_pre.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-38535_pre.patch new file mode 100644 index 0000000000..2aa42c465a --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/CVE-2024-38535_pre.patch 
@@ -0,0 +1,292 @@ +From 390f09692eb99809c679d3f350c7cc185d163e1a Mon Sep 17 00:00:00 2001 +From: Philippe Antoine <pantoine@oisf.net> +Date: Wed, 27 Mar 2024 14:33:54 +0100 +Subject: [PATCH] http2: use a reference counter for headers + +Ticket: 6892 + +As HTTP hpack header compression allows one single byte to +express a previously seen arbitrary-size header block (name+value) +we should avoid to copy the vectors data, but just point +to the same data, while reamining memory safe, even in the case +of later headers eviction from the dybnamic table. + +Rust std solution is Rc, and the use of clone, so long as the +data is accessed by only one thread. + +Note: This patch is needed to patch CVE-2024-38535 as it defines Rc. +Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/390f09692eb99809c679d3f350c7cc185d163e1a] +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + rust/src/http2/detect.rs | 19 +++++++------ + rust/src/http2/http2.rs | 2 +- + rust/src/http2/parser.rs | 61 +++++++++++++++++++++------------------- + 3 files changed, 43 insertions(+), 39 deletions(-) + +diff --git a/rust/src/http2/detect.rs b/rust/src/http2/detect.rs +index 9c2f8ab..e068a17 100644 +--- a/rust/src/http2/detect.rs ++++ b/rust/src/http2/detect.rs +@@ -23,6 +23,7 @@ use crate::core::Direction; + use crate::detect::uint::{detect_match_uint, DetectUintData}; + use std::ffi::CStr; + use std::str::FromStr; ++use std::rc::Rc; + + fn http2_tx_has_frametype( + tx: &mut HTTP2Transaction, direction: Direction, value: u8, +@@ -404,7 +405,7 @@ fn http2_frames_get_header_firstvalue<'a>( + for frame in frames { + if let Some(blocks) = http2_header_blocks(frame) { + for block in blocks.iter() { +- if block.name == name.as_bytes() { ++ if block.name.as_ref() == name.as_bytes() { + return Ok(&block.value); + } + } +@@ -428,7 +429,7 @@ pub fn http2_frames_get_header_value_vec( + for frame in frames { + if let Some(blocks) = http2_header_blocks(frame) { + for block in 
blocks.iter() { +- if block.name == name.as_bytes() { ++ if block.name.as_ref() == name.as_bytes() { + if found == 0 { + vec.extend_from_slice(&block.value); + found = 1; +@@ -465,7 +466,7 @@ fn http2_frames_get_header_value<'a>( + for frame in frames { + if let Some(blocks) = http2_header_blocks(frame) { + for block in blocks.iter() { +- if block.name == name.as_bytes() { ++ if block.name.as_ref() == name.as_bytes() { + if found == 0 { + single = Ok(&block.value); + found = 1; +@@ -905,8 +906,8 @@ fn http2_tx_set_header(state: &mut HTTP2State, name: &[u8], input: &[u8]) { + }; + let mut blocks = Vec::new(); + let b = parser::HTTP2FrameHeaderBlock { +- name: name.to_vec(), +- value: input.to_vec(), ++ name: Rc::new(name.to_vec()), ++ value: Rc::new(input.to_vec()), + error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, + sizeupdate: 0, + }; +@@ -1061,15 +1062,15 @@ mod tests { + }; + let mut blocks = Vec::new(); + let b = parser::HTTP2FrameHeaderBlock { +- name: "Host".as_bytes().to_vec(), +- value: "abc.com".as_bytes().to_vec(), ++ name: "Host".as_bytes().to_vec().into(), ++ value: "abc.com".as_bytes().to_vec().into(), + error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, + sizeupdate: 0, + }; + blocks.push(b); + let b2 = parser::HTTP2FrameHeaderBlock { +- name: "Host".as_bytes().to_vec(), +- value: "efg.net".as_bytes().to_vec(), ++ name: "Host".as_bytes().to_vec().into(), ++ value: "efg.net".as_bytes().to_vec().into(), + error: parser::HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, + sizeupdate: 0, + }; +diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs +index 326030f..d14ca06 100644 +--- a/rust/src/http2/http2.rs ++++ b/rust/src/http2/http2.rs +@@ -204,7 +204,7 @@ impl HTTP2Transaction { + + fn handle_headers(&mut self, blocks: &[parser::HTTP2FrameHeaderBlock], dir: Direction) { + for block in blocks { +- if block.name == b"content-encoding" { ++ if block.name.as_ref() == b"content-encoding" { + 
self.decoder.http2_encoding_fromvec(&block.value, dir); + } + } +diff --git a/rust/src/http2/parser.rs b/rust/src/http2/parser.rs +index adabeb2..1a46437 100644 +--- a/rust/src/http2/parser.rs ++++ b/rust/src/http2/parser.rs +@@ -30,6 +30,7 @@ use nom7::sequence::tuple; + use nom7::{Err, IResult}; + use std::fmt; + use std::str::FromStr; ++use std::rc::Rc; + + #[repr(u8)] + #[derive(Clone, Copy, PartialEq, Eq, FromPrimitive, Debug)] +@@ -295,8 +296,8 @@ fn http2_frame_header_static(n: u64, dyn_headers: &HTTP2DynTable) -> Option<HTTP + }; + if !name.is_empty() { + return Some(HTTP2FrameHeaderBlock { +- name: name.as_bytes().to_vec(), +- value: value.as_bytes().to_vec(), ++ name: Rc::new(name.as_bytes().to_vec()), ++ value: Rc::new(value.as_bytes().to_vec()), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, + sizeupdate: 0, + }); +@@ -304,23 +305,23 @@ fn http2_frame_header_static(n: u64, dyn_headers: &HTTP2DynTable) -> Option<HTTP + //use dynamic table + if n == 0 { + return Some(HTTP2FrameHeaderBlock { +- name: Vec::new(), +- value: Vec::new(), ++ name: Rc::new(Vec::new()), ++ value: Rc::new(Vec::new()), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIndex0, + sizeupdate: 0, + }); + } else if dyn_headers.table.len() + HTTP2_STATIC_HEADERS_NUMBER < n as usize { + return Some(HTTP2FrameHeaderBlock { +- name: Vec::new(), +- value: Vec::new(), ++ name: Rc::new(Vec::new()), ++ value: Rc::new(Vec::new()), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeNotIndexed, + sizeupdate: 0, + }); + } else { + let indyn = dyn_headers.table.len() - (n as usize - HTTP2_STATIC_HEADERS_NUMBER); + let headcopy = HTTP2FrameHeaderBlock { +- name: dyn_headers.table[indyn].name.to_vec(), +- value: dyn_headers.table[indyn].value.to_vec(), ++ name: dyn_headers.table[indyn].name.clone(), ++ value: dyn_headers.table[indyn].value.clone(), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess, + sizeupdate: 0, + }; +@@ -348,8 +349,10 @@ impl fmt::Display for 
HTTP2HeaderDecodeStatus { + + #[derive(Clone, Debug)] + pub struct HTTP2FrameHeaderBlock { +- pub name: Vec<u8>, +- pub value: Vec<u8>, ++ // Use Rc reference counted so that indexed headers do not get copied. ++ // Otherwise, this leads to quadratic complexity in memory occupation. ++ pub name: Rc<Vec<u8>>, ++ pub value: Rc<Vec<u8>>, + pub error: HTTP2HeaderDecodeStatus, + pub sizeupdate: u64, + } +@@ -391,7 +394,7 @@ fn http2_parse_headers_block_literal_common<'a>( + ) -> IResult<&'a [u8], HTTP2FrameHeaderBlock> { + let (i3, name, error) = if index == 0 { + match http2_parse_headers_block_string(input) { +- Ok((r, n)) => Ok((r, n, HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)), ++ Ok((r, n)) => Ok((r, Rc::new(n), HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSuccess)), + Err(e) => Err(e), + } + } else { +@@ -403,7 +406,7 @@ fn http2_parse_headers_block_literal_common<'a>( + )), + None => Ok(( + input, +- Vec::new(), ++ Rc::new(Vec::new()), + HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeNotIndexed, + )), + } +@@ -413,7 +416,7 @@ fn http2_parse_headers_block_literal_common<'a>( + i4, + HTTP2FrameHeaderBlock { + name, +- value, ++ value: Rc::new(value), + error, + sizeupdate: 0, + }, +@@ -435,8 +438,8 @@ fn http2_parse_headers_block_literal_incindex<'a>( + match r { + Ok((r, head)) => { + let headcopy = HTTP2FrameHeaderBlock { +- name: head.name.to_vec(), +- value: head.value.to_vec(), ++ name: head.name.clone(), ++ value: head.value.clone(), + error: head.error, + sizeupdate: 0, + }; +@@ -556,8 +559,8 @@ fn http2_parse_headers_block_dynamic_size<'a>( + return Ok(( + i3, + HTTP2FrameHeaderBlock { +- name: Vec::new(), +- value: Vec::new(), ++ name: Rc::new(Vec::new()), ++ value: Rc::new(Vec::new()), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeSizeUpdate, + sizeupdate: maxsize2, + }, +@@ -614,8 +617,8 @@ fn http2_parse_headers_blocks<'a>( + // if we error from http2_parse_var_uint, we keep the first parsed headers + if err.code == ErrorKind::LengthValue { + 
blocks.push(HTTP2FrameHeaderBlock { +- name: Vec::new(), +- value: Vec::new(), ++ name: Rc::new(Vec::new()), ++ value: Rc::new(Vec::new()), + error: HTTP2HeaderDecodeStatus::HTTP2HeaderDecodeIntegerOverflow, + sizeupdate: 0, + }); +@@ -765,8 +768,8 @@ mod tests { + match r0 { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, ":method".as_bytes().to_vec()); +- assert_eq!(hd.value, "GET".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":method".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "GET".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + } +@@ -782,8 +785,8 @@ mod tests { + match r1 { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, "accept".as_bytes().to_vec()); +- assert_eq!(hd.value, "*/*".as_bytes().to_vec()); ++ assert_eq!(hd.name, "accept".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "*/*".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 1); +@@ -802,8 +805,8 @@ mod tests { + match result { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, ":authority".as_bytes().to_vec()); +- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 2); +@@ -820,8 +823,8 @@ mod tests { + match r3 { + Ok((remainder, hd)) => { + // same as before +- assert_eq!(hd.name, ":authority".as_bytes().to_vec()); +- assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":authority".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "localhost:3000".as_bytes().to_vec().into()); + // And we should have no bytes left. 
+ assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 2); +@@ -856,8 +859,8 @@ mod tests { + match r2 { + Ok((remainder, hd)) => { + // Check the first message. +- assert_eq!(hd.name, ":path".as_bytes().to_vec()); +- assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec()); ++ assert_eq!(hd.name, ":path".as_bytes().to_vec().into()); ++ assert_eq!(hd.value, "/doc/manual/html/index.html".as_bytes().to_vec().into()); + // And we should have no bytes left. + assert_eq!(remainder.len(), 0); + assert_eq!(dynh.table.len(), 2); +-- +2.44.0 + diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-38536.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-38536.patch new file mode 100644 index 0000000000..2d4b3d78cf --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/CVE-2024-38536.patch 
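Review bot: The `index` lines show CVE-2024-38535_pre.patch was generated on top of CVE-2024-38535.patch (detect.rs goes 99261ad→9c2f8ab in the CVE patch and 9c2f8ab→e068a17 here), so despite the `_pre` name it must be listed after CVE-2024-38535.patch in SRC_URI for its context to apply; the recipe hunk that orders them is not visible in this chunk. A line in the patch header such as `Note: applies on top of CVE-2024-38535.patch` would stop the name from misleading the next person who reorders the list.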
@@ -0,0 +1,40 @@ +From 4026bca7f04c419dd3f3ba17a1af17bbcbcf18bc Mon Sep 17 00:00:00 2001 +From: Philippe Antoine <pantoine@oisf.net> +Date: Fri, 17 May 2024 09:39:52 +0200 +Subject: [PATCH 4/4] http: fix nul deref on memcap reached + +HttpRangeOpenFileAux may return NULL in different cases, including +when memcap is reached. +But is only caller did not check it before calling HttpRangeAppendData +which would dereference the NULL value. + +Ticket: 7029 +(cherry picked from commit fd262df457f67f2174752dd6505ba2ed5911fd96) + +Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/2bd3bd0e318f19008e9fe068ab17277c530ffb92] +CVE: CVE-2024-38536 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + src/app-layer-htp-range.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/app-layer-htp-range.c b/src/app-layer-htp-range.c +index 3cdde35..f0d75a9 100644 +--- a/src/app-layer-htp-range.c ++++ b/src/app-layer-htp-range.c +@@ -351,8 +351,10 @@ static HttpRangeContainerBlock *HttpRangeOpenFile(HttpRangeContainerFile *c, uin + { + HttpRangeContainerBlock *r = + HttpRangeOpenFileAux(c, start, end, total, sbcfg, name, name_len, flags); +- if (HttpRangeAppendData(sbcfg, r, data, len) < 0) { +- SCLogDebug("Failed to append data while opening"); ++ if (r) { ++ if (HttpRangeAppendData(sbcfg, r, data, len) < 0) { ++ SCLogDebug("Failed to append data while opening"); ++ } + } + return r; + } +-- +2.44.0 + diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-45797.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-45797.patch new file mode 100644 index 0000000000..3db4625224 --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/CVE-2024-45797.patch 
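Review bot: The Upstream-Status line names commit 2bd3bd0e318f19008e9fe068ab17277c530ffb92, while the mail header is From 4026bca7f04c419dd3f3ba17a1af17bbcbcf18bc and the body says "cherry picked from commit fd262df457f67f2174752dd6505ba2ed5911fd96", so three different ids describe one backport. Whoever audits CVE-2024-38536 coverage will follow the Upstream-Status link, so it should point at the commit this file was generated from (the `From:` id looks like the intended one, but confirm against the 7.0.x branch). The `[PATCH 4/4]` subject suggests it was lifted from a series; the recipe orders it after the CVE-2024-38535 patches, which is consistent with that.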
@@ -0,0 +1,148 @@ +From 0d550de551b91d5e57ba23e2b1e2c6430fad6818 Mon Sep 17 00:00:00 2001 +From: Philippe Antoine <contact@catenacyber.fr> +Date: Mon, 12 Aug 2024 14:06:40 +0200 +Subject: [PATCH] headers: put a configurable limit on their numbers + +So as to avoid quadratic complexity + +Ticket: 7191 + +Upstream-Status: Backport [https://github.com/OISF/libhtp/commit/0d550de551b91d5e57ba23e2b1e2c6430fad6818] +CVE: CVE-2024-45797 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + htp/htp_config.c | 8 ++++++++ + htp/htp_config.h | 8 ++++++++ + htp/htp_config_private.h | 6 ++++++ + htp/htp_core.h | 1 + + htp/htp_request_generic.c | 11 +++++++++++ + htp/htp_response_generic.c | 10 ++++++++++ + 6 files changed, 44 insertions(+) + +diff --git a/htp/htp_config.c b/htp/htp_config.c +index 767458f..9e0eee3 100644 +--- a/htp/htp_config.c ++++ b/htp/htp_config.c +@@ -145,6 +145,8 @@ static unsigned char bestfit_1252[] = { + 0xff, 0x5d, 0x7d, 0xff, 0x5e, 0x7e, 0x00, 0x00, 0x00 + }; + ++#define HTP_HEADERS_LIMIT 1024 ++ + htp_cfg_t *htp_config_create(void) { + htp_cfg_t *cfg = calloc(1, sizeof (htp_cfg_t)); + if (cfg == NULL) return NULL; +@@ -163,6 +165,7 @@ htp_cfg_t *htp_config_create(void) { + cfg->response_lzma_layer_limit = 1; // default is only one layer + cfg->compression_bomb_limit = HTP_COMPRESSION_BOMB_LIMIT; + cfg->compression_time_limit = HTP_COMPRESSION_TIME_LIMIT_USEC; ++ cfg->number_headers_limit = HTP_HEADERS_LIMIT; + cfg->allow_space_uri = 0; + + // Default settings for URL-encoded data. 
+@@ -542,6 +545,11 @@ void htp_config_set_compression_time_limit(htp_cfg_t *cfg, size_t useclimit) { + } + } + ++void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit) { ++ if (cfg == NULL) return; ++ cfg->number_headers_limit = limit; ++} ++ + void htp_config_set_log_level(htp_cfg_t *cfg, enum htp_log_level_t log_level) { + if (cfg == NULL) return; + cfg->log_level = log_level; +diff --git a/htp/htp_config.h b/htp/htp_config.h +index d1365dc..ed0eaeb 100644 +--- a/htp/htp_config.h ++++ b/htp/htp_config.h +@@ -466,6 +466,14 @@ void htp_config_set_compression_time_limit(htp_cfg_t *cfg, size_t useclimit); + */ + void htp_config_set_log_level(htp_cfg_t *cfg, enum htp_log_level_t log_level); + ++/** ++ * Configures the maximum number of headers LibHTP will accept per request or response. ++ * ++ * @param[in] cfg ++ * @param[in] limit ++ */ ++void htp_config_set_number_headers_limit(htp_cfg_t *cfg, uint32_t limit); ++ + /** + * Configures how the server reacts to encoded NUL bytes. Some servers will stop at + * at NUL, while some will respond with 400 or 404. When the termination option is not +diff --git a/htp/htp_config_private.h b/htp/htp_config_private.h +index 5f1d60d..ecc8717 100644 +--- a/htp/htp_config_private.h ++++ b/htp/htp_config_private.h +@@ -360,6 +360,12 @@ struct htp_cfg_t { + + /** Whether to decompress compressed request bodies. */ + int request_decompression_enabled; ++ ++ /** Maximum number of transactions. */ ++ uint32_t max_tx; ++ ++ /** Maximum number of headers. 
*/ ++ uint32_t number_headers_limit; + }; + + #ifdef __cplusplus +diff --git a/htp/htp_core.h b/htp/htp_core.h +index e4c933e..7c23212 100644 +--- a/htp/htp_core.h ++++ b/htp/htp_core.h +@@ -235,6 +235,7 @@ enum htp_file_source_t { + #define HTP_REQUEST_INVALID 0x100000000ULL + #define HTP_REQUEST_INVALID_C_L 0x200000000ULL + #define HTP_AUTH_INVALID 0x400000000ULL ++#define HTP_HEADERS_TOO_MANY 0x800000000ULL + + #define HTP_MAX_HEADERS_REPETITIONS 64 + +diff --git a/htp/htp_request_generic.c b/htp/htp_request_generic.c +index 435cf0a..1350e57 100644 +--- a/htp/htp_request_generic.c ++++ b/htp/htp_request_generic.c +@@ -120,6 +120,17 @@ htp_status_t htp_process_request_header_generic(htp_connp_t *connp, unsigned cha + bstr_free(h->value); + free(h); + } else { ++ if (htp_table_size(connp->in_tx->request_headers) > connp->cfg->number_headers_limit) { ++ if (!(connp->in_tx->flags & HTP_HEADERS_TOO_MANY)) { ++ connp->in_tx->flags |= HTP_HEADERS_TOO_MANY; ++ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many request headers"); ++ } ++ bstr_free(h->name); ++ bstr_free(h->value); ++ free(h); ++ // give up on what comes next ++ return HTP_ERROR; ++ } + // Add as a new header. 
+ if (htp_table_add(connp->in_tx->request_headers, h->name, h) != HTP_OK) { + bstr_free(h->name); +diff --git a/htp/htp_response_generic.c b/htp/htp_response_generic.c +index f5fa59e..69da625 100644 +--- a/htp/htp_response_generic.c ++++ b/htp/htp_response_generic.c +@@ -321,6 +321,16 @@ htp_status_t htp_process_response_header_generic(htp_connp_t *connp, unsigned ch + bstr_free(h->value); + free(h); + } else { ++ if (htp_table_size(connp->out_tx->response_headers) > connp->cfg->number_headers_limit) { ++ if (!(connp->out_tx->flags & HTP_HEADERS_TOO_MANY)) { ++ connp->out_tx->flags |= HTP_HEADERS_TOO_MANY; ++ htp_log(connp, HTP_LOG_MARK, HTP_LOG_WARNING, 0, "Too many response headers"); ++ } ++ bstr_free(h->name); ++ bstr_free(h->value); ++ free(h); ++ return HTP_ERROR; ++ } + // Add as a new header. + if (htp_table_add(connp->out_tx->response_headers, h->name, h) != HTP_OK) { + bstr_free(h->name); +-- +2.25.1 + diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.45.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.45.bb index cc8285ccbe..74a53df471 100644 --- a/meta-security/recipes-ids/suricata/libhtp_0.5.45.bb +++ b/meta-security/recipes-ids/suricata/libhtp_0.5.45.bb @@ -4,7 +4,9 @@ require suricata.inc LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843" -SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x" +SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x \ + file://CVE-2024-45797.patch \ + " SRCREV = "8bdfe7b9d04e5e948c8fbaa7472e14d884cc00af" DEPENDS = "zlib" @@ -13,9 +15,9 @@ inherit autotools-brokensep pkgconfig CFLAGS += "-D_DEFAULT_SOURCE" -#S = "${WORKDIR}/suricata-${VER}/${BPN}" +#S = "${UNPACKDIR}/suricata-${VER}/${BPN}" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" do_configure () { cd ${S} diff --git a/meta-security/recipes-ids/suricata/suricata_7.0.0.bb b/meta-security/recipes-ids/suricata/suricata_7.0.0.bb index a01b3d937e..6e6c426041 100644 
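Review bot: The limit check in htp_process_request_header_generic compares the current table size with `>`, so a table already holding number_headers_limit entries accepts one more header and only the one after that trips the check; with the public comment saying "maximum number of headers LibHTP will accept", either the comparison should be `if (htp_table_size(connp->in_tx->request_headers) >= connp->cfg->number_headers_limit) {` (and the same in htp_process_response_header_generic), or, if upstream deliberately keeps `>`, the doc comment should state that the effective maximum is limit+1. The htp_config_private.h hunk also adds `uint32_t max_tx;` with a "Maximum number of transactions" comment, yet nothing in this patch initialises or reads it, so it looks carried over from a neighbouring upstream change and should be dropped from the backport or marked as intentionally reserved. Both header-processing functions start and end outside their hunks.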
--- a/meta-security/recipes-ids/suricata/suricata_7.0.0.bb +++ b/meta-security/recipes-ids/suricata/suricata_7.0.0.bb @@ -16,6 +16,11 @@ SRC_URI += " \ file://suricata.service \ file://run-ptest \ file://fixup.patch \ + file://CVE-2024-37151.patch \ + file://CVE-2024-38534.patch \ + file://CVE-2024-38535_pre.patch \ + file://CVE-2024-38535.patch \ + file://CVE-2024-38536.patch \ " inherit autotools pkgconfig python3native systemd ptest cargo cargo-update-recipe-crates @@ -63,9 +68,11 @@ do_configure:prepend () { # use host for RUST_SURICATA_LIB_XC_DIR sed -i -e 's,\${host_alias},${RUST_HOST_SYS},' ${S}/configure.ac sed -i -e 's,libsuricata_rust.a,libsuricata.a,' ${S}/configure.ac - oe_runconf + autotools_do_configure } +CFLAGS += "-Wno-error=incompatible-pointer-types" + do_compile () { # we do this to bypass the make provided by this pkg # patches Makefile to skip the subdir @@ -82,14 +89,14 @@ do_install () { oe_runmake install DESTDIR=${D} install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles - install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata + install -m 0644 ${UNPACKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/tmpfiles.d - install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf + install -m 0644 ${UNPACKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf install -d ${D}${systemd_unitdir}/system sed -e s:/etc:${sysconfdir}:g \ 
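Review bot: `CFLAGS += "-Wno-error=incompatible-pointer-types"` demotes a gcc-14 error back to a warning for the whole Suricata build rather than for the translation unit that triggers it; in a parser that handles untrusted traffic an incompatible pointer assignment is precisely the class of bug this diagnostic exists for, so the preferred fix is a small source patch or a backport of the upstream fix, with the flag at most an interim measure explained in a comment such as `# gcc-14: incompatible-pointer-types in <affected file> — interim until <upstream fix> is backported`. The `oe_runconf` → `autotools_do_configure` swap sits inside the function the hunk header names, do_configure:prepend; if that is really the prepend, autotools_do_configure then runs again as the main task, which is harmless but slow and worth confirming was intended.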
@@ -98,7 +105,7 @@ do_install () { -e s:/usr/bin:${bindir}:g \ -e s:/bin/kill:${base_bindir}/kill:g \ -e s:/usr/lib:${libdir}:g \ - ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service + ${UNPACKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service fi # Remove /var/run as it is created on startup @@ -107,6 +114,10 @@ do_install () { sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${bindir}/suricatasc sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${bindir}/suricatactl sed -i -e "s:#!.*$:#!${USRBINPATH}/env python3:g" ${D}${libdir}/suricata/python/suricata/sc/suricatasc.py + # The build process dumps config logs into the binary, remove them. + sed -i -e 's#${RECIPE_SYSROOT}##g' ${D}${bindir}/suricata + sed -i -e 's#${RECIPE_SYSROOT_NATIVE}##g' ${D}${bindir}/suricata + sed -i -e 's#CFLAGS.*##g' ${D}${bindir}/suricata } pkg_postinst_ontarget:${PN} () { @@ -124,3 +135,4 @@ FILES:${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d" FILES:${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" CONFFILES:${PN} = "${sysconfdir}/suricata/suricata.yaml" +INSANE_SKIP:${PN} = "already-stripped" diff --git a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb index 9149e89232..e67d3c7d86 100644 --- a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb +++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb @@ -19,7 +19,7 @@ SRC_URI = "\ file://run-ptest \ " -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" inherit autotools-brokensep update-rc.d ptest 
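Review bot: The three `sed -i` calls on `${D}${bindir}/suricata` rewrite an ELF file with length-changing substitutions, and `'s#CFLAGS.*##g'` in particular deletes everything from each "CFLAGS" up to the next 0x0a byte, which is not a line boundary inside a binary; every byte after a match shifts, so string and section offsets can be corrupted even if the file happens to still load today. A safer way to keep build paths out of the result is to rewrite the generated source or header that embeds the configure output before do_compile, or, if the installed file must be edited, to substitute an equal-length padded string so no offsets move. The same length-changing sed on installed binaries appears in the chipsec hunk (`sed -i ... ${S}/drivers/linux/chipsec.ko`) and the krill hunk (`find ${D}${bindir}/ -name "krill*" -exec sed -i -e 's#${CARGO_HOME}/bitbake##g' {} +`); for krill the toolchain-level alternative is rustc's `--remap-path-prefix`.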
@@ -43,11 +43,11 @@ do_install () { install -m 0755 ${S}/bin/* ${D}${sbindir} install -m 0644 ${S}/lib/* ${D}${base_libdir} install -m 0644 ${S}/lib/* ${D}${localstatedir}/lib/${PN} - install -m 0755 ${WORKDIR}/tripwire.cron ${D}${sysconfdir} - install -m 0755 ${WORKDIR}/tripwire.sh ${D}${sysconfdir}/init.d/tripwire - install -m 0755 ${WORKDIR}/twinstall.sh ${D}${sysconfdir}/${PN} - install -m 0644 ${WORKDIR}/twpol-yocto.txt ${D}${sysconfdir}/${PN}/twpol.txt - install -m 0644 ${WORKDIR}/twcfg.txt ${D}${sysconfdir}/${PN} + install -m 0755 ${UNPACKDIR}/tripwire.cron ${D}${sysconfdir} + install -m 0755 ${UNPACKDIR}/tripwire.sh ${D}${sysconfdir}/init.d/tripwire + install -m 0755 ${UNPACKDIR}/twinstall.sh ${D}${sysconfdir}/${PN} + install -m 0644 ${UNPACKDIR}/twpol-yocto.txt ${D}${sysconfdir}/${PN}/twpol.txt + install -m 0644 ${UNPACKDIR}/twcfg.txt ${D}${sysconfdir}/${PN} install -m 0644 ${S}/man/man4/* ${D}${mandir}/man4 install -m 0644 ${S}/man/man5/* ${D}${mandir}/man5 @@ -57,7 +57,7 @@ do_install () { install -m 0644 ${S}/policy/*txt ${D}${docdir}/${BPN} install -m 0644 ${S}/COPYING ${D}${docdir}/${BPN} install -m 0644 ${S}/TRADEMARK ${D}${docdir}/${BPN} - install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN} + install -m 0644 ${UNPACKDIR}/tripwire.txt ${D}${docdir}/${BPN} } do_install_ptest:append () { diff --git a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.7.bb b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.7.bb index 020c3a1df3..751c04572d 100644 --- a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.7.bb +++ b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.7.bb @@ -13,7 +13,7 @@ SRC_URI = "git://github.com/lkrg-org/lkrg.git;protocol=https;branch=main" SRCREV = "5dc5cfea1f4dc8febdd5274d99e277c17df06acc" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" inherit module kernel-module-split diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb index fd649e400e..49ab7a7064 100644 
--- a/meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb +++ b/meta-security/recipes-mac/AppArmor/apparmor_3.1.3.bb @@ -22,7 +22,7 @@ SRC_URI = " \ " SRCREV = "e69cb5047946818e6a9df326851483bb075a5cfe" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" PARALLEL_MAKE = "" @@ -74,6 +74,8 @@ do_compile () { } do_install () { + sed -i -e 's#${RECIPE_SYSROOT}##g' ${B}/libraries/libapparmor/swig/perl/libapparmor_wrap.c + oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install oe_runmake -C ${B}/binutils DESTDIR="${D}" install oe_runmake -C ${B}/utils DESTDIR="${D}" install @@ -102,6 +104,9 @@ do_install () { fi chown root:root -R ${D}/${sysconfdir}/apparmor.d chown root:root -R ${D}/${datadir}/apparmor + + find ${D}${libdir}/perl5/ -type f -name ".packlist" -delete + find ${D}${PYTHON_SITEPACKAGES_DIR}/LibAppArmor/ -type f -name "_LibAppArmor*.so" -delete } #Building ptest on arm fails. diff --git a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb index 8185e51047..a746c56ad5 100644 --- a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb +++ b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb @@ -12,7 +12,7 @@ SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz" SRC_URI[sha256sum] = "7900126cf2dd8706c42c2c1ef7a37fd8b50f1505abd7d9c3d653dc390fb4d620" -S = "${WORKDIR}/${BPN}" +S = "${UNPACKDIR}/${BPN}" inherit features_check diff --git a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c index 3c8921f131..248a5f6074 100644 --- a/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c +++ b/meta-security/recipes-mac/smack/tcp-smack-test/tcp_server.c 
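Review bot: `find ${D}${PYTHON_SITEPACKAGES_DIR}/LibAppArmor/ -type f -name "_LibAppArmor*.so" -delete` removes what looks like the SWIG extension module that the LibAppArmor Python package imports; unless a second copy is installed elsewhere (not visible in this hunk), `import LibAppArmor` will fail on target. The deletion needs a comment stating why that file is redundant, e.g. `# <reason the in-package _LibAppArmor*.so is redundant; where the used copy lives>`, and an import of the module in the ptest would catch a regression. The sed on libapparmor_wrap.c edits generated C source, which is fine.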
@@ -18,8 +18,10 @@ // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN // THE SOFTWARE. #include <stdio.h> +#include <stdlib.h> #include <sys/socket.h> #include <sys/types.h> +#include <sys/xattr.h> #include <errno.h> #include <netinet/in.h> #include <unistd.h> diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c index 976cbdc2fa..00bb548356 100644 --- a/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c +++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_client.c @@ -18,8 +18,10 @@ // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN // THE SOFTWARE. #include <sys/socket.h> +#include <sys/xattr.h> #include <stdlib.h> #include <stdio.h> +#include <unistd.h> #include <netinet/in.h> #include <netdb.h> #include <string.h> diff --git a/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c index 7d2fcf5258..32b544252a 100644 --- a/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c +++ b/meta-security/recipes-mac/smack/udp-smack-test/udp_server.c @@ -18,10 +18,13 @@ // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN // THE SOFTWARE. #include <sys/socket.h> +#include <sys/xattr.h> #include <stdio.h> +#include <stdlib.h> #include <netinet/in.h> #include <netdb.h> #include <string.h> +#include <unistd.h> int main(int argc, char* argv[]) { diff --git a/meta-security/recipes-perl/perl/lib-perl_0.63.bb b/meta-security/recipes-perl/perl/lib-perl_0.63.bb index 25d0890d48..6fc44e4430 100644 --- a/meta-security/recipes-perl/perl/lib-perl_0.63.bb +++ b/meta-security/recipes-perl/perl/lib-perl_0.63.bb 
@@ -16,7 +16,7 @@ SRC_URI = "http://www.cpan.org/authors/id/S/SM/SMUELLER/lib-${PV}.tar.gz" SRC_URI[md5sum] = "8607ac4e0d9d43585ec28312f52df67c" SRC_URI[sha256sum] = "72f63db9220098e834d7a38231626bd0c9b802c1ec54a628e2df35f3818e5a00" -S = "${WORKDIR}/lib-${PV}" +S = "${UNPACKDIR}/lib-${PV}" EXTRA_CPANFLAGS = "EXPATLIBPATH=${STAGING_LIBDIR} EXPATINCPATH=${STAGING_INCDIR}" diff --git a/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb b/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb index c58d883554..2c32bfcf0b 100644 --- a/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb +++ b/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb @@ -11,7 +11,7 @@ SRC_URI = "http://sourceforge.net/projects/whisker/files/libwhisker/${PV}/libwhi SRC_URI[md5sum] = "7cc1718dddde8f9a439d5622ae2f37eb" SRC_URI[sha256sum] = "f45a1cf2ad2637b29dd1b13d7221ea12e3923ea09d107ced446400f19070a42f" -S = "${WORKDIR}/libwhisker2-2.5" +S = "${UNPACKDIR}/libwhisker2-2.5" inherit cpan-base diff --git a/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb index e547938b20..84f93da800 100644 --- a/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb +++ b/meta-security/recipes-scanners/arpwatch/arpwatch_3.3.bb @@ -21,6 +21,10 @@ ARPWATCH_GID ?= "arpwatch" APRWATCH_FROM ?= "root " ARPWATH_REPLY ?= "${ARPWATCH_UID}" +# many configure tests are failing with gcc-14 +CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration" +BUILD_CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration" + PACKAGECONFIG ??= "" PACKAGECONFIG[email] = "-with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}, , postfix, postfix postfix-cfg" 
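Review bot: `CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration"` is justified by failing configure tests but also applies to the real compile, where an implicitly declared function is assumed to return int; on 64-bit targets that can silently truncate a returned pointer, which is a memory-safety problem rather than a style one. If only the configure probes need it, keep the main build strict and scope the flags to configure, e.g. `do_configure:prepend () { export CFLAGS="${CFLAGS} -Wno-error=implicit-int -Wno-error=implicit-function-declaration"; }`, or patch the probes. The isic recipe later in this commit adds the identical lines and the same remark applies there.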
@@ -60,9 +64,9 @@ do_install () { install -d ${D}/var/lib/arpwatch oe_runmake install DESTDIR=${D} - install -m 644 ${WORKDIR}/arpwatch.conf ${D}${sysconfdir} - install -m 655 ${WORKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch - install -m 644 ${WORKDIR}/arpwatch.default ${D}${sysconfdir}/default + install -m 644 ${UNPACKDIR}/arpwatch.conf ${D}${sysconfdir} + install -m 655 ${UNPACKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch + install -m 644 ${UNPACKDIR}/arpwatch.default ${D}${sysconfdir}/default } INITSCRIPT_NAME = "arpwatch" diff --git a/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb b/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb index 85884a770c..5d4de1065b 100644 --- a/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb +++ b/meta-security/recipes-scanners/buck-security/buck-security_0.7.bb @@ -10,7 +10,7 @@ SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buc SRC_URI[md5sum] = "611a3e9bb7ed8a8270aa15216c321c53" SRC_URI[sha256sum] = "c533c6631ec3554dd8d39d2d1c3ed44badbbf50810ebb75469c74639fa294b01" -S = "${WORKDIR}/${BPN}_${PV}" +S = "${UNPACKDIR}/${BPN}_${PV}" do_configure[noexec] = "1" do_compile[noexec] = "1" diff --git a/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb b/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb index 1ba3721432..3712e683c9 100644 --- a/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb +++ b/meta-security/recipes-scanners/checksec/checksec_2.6.0.bb @@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=879b2147c754bc040c29e9c3b84da836" SRCREV = "2753ebb89fcdc96433ae8a4c4e5a49214a845be2" SRC_URI = "git://github.com/slimm609/checksec.sh;branch=main;protocol=https" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" do_install() { install -d ${D}${bindir} diff --git a/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb b/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb index 102f26790a..48cc75cac8 100644 
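Review bot: The rewritten line `install -m 655 ${UNPACKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch` gives group and others execute permission but leaves the owner without it, which is almost certainly a typo for an init script; since the line is being touched anyway it should read `install -m 755 ${UNPACKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch`. The other two install lines in the hunk look right.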
--- a/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb +++ b/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb @@ -21,7 +21,7 @@ SRC_URI = "git://github.com/Cisco-Talos/clamav;branch=rel/0.104;protocol=https \ file://headers_fixup.patch \ file://oe_cmake_fixup.patch \ " -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" LEAD_SONAME = "libclamav.so" SO_VER = "9.6.0" @@ -58,9 +58,9 @@ do_install:append () { install -d -o ${PN} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles - install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir} - install -m 644 ${WORKDIR}/freshclam.conf ${D}/${prefix}/${sysconfdir} - install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/03_clamav + install -m 644 ${UNPACKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir} + install -m 644 ${UNPACKDIR}/freshclam.conf ${D}/${prefix}/${sysconfdir} + install -m 0644 ${UNPACKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/03_clamav sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc rm ${D}/${libdir}/libclamav.so if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then @@ -71,7 +71,7 @@ do_install:append () { if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then install -d ${D}${sysconfdir}/tmpfiles.d - install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf + install -m 0644 ${UNPACKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf fi oe_multilib_header clamav-types.h } diff --git a/meta-security/recipes-security/Firejail/firejail_0.9.72.bb b/meta-security/recipes-security/Firejail/firejail_0.9.72.bb index 5713f466b4..10023c162a 100644 --- a/meta-security/recipes-security/Firejail/firejail_0.9.72.bb +++ b/meta-security/recipes-security/Firejail/firejail_0.9.72.bb 
@@ -16,7 +16,7 @@ SRC_URI = "git://github.com/netblue30/firejail.git;protocol=https;branch=master DEPENDS = "libseccomp" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" inherit autotools-brokensep pkgconfig bash-completion features_check diff --git a/meta-security/recipes-security/chipsec/chipsec_1.9.1.bb b/meta-security/recipes-security/chipsec/chipsec_1.9.1.bb index 9fbdaa7a7c..213b047a97 100644 --- a/meta-security/recipes-security/chipsec/chipsec_1.9.1.bb +++ b/meta-security/recipes-security/chipsec/chipsec_1.9.1.bb @@ -12,7 +12,7 @@ DEPENDS = "virtual/kernel nasm-native" SRC_URI = "git://github.com/chipsec/chipsec.git;branch=main;protocol=https" SRCREV = "d8c2a606bf440c32196c6289a7a458f3ae3107cc" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" inherit module setuptools3 @@ -24,6 +24,9 @@ do_compile:append() { } do_install:append() { + sed -i -e 's#${S}##g' ${S}/drivers/linux/chipsec.ko + sed -i -e 's#${STAGING_KERNEL_BUILDDIR}##g' ${S}/drivers/linux/chipsec.ko + sed -i -e 's#${STAGING_KERNEL_DIR}##g' ${S}/drivers/linux/chipsec.ko install -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux } @@ -32,3 +35,4 @@ COMPATIBLE_HOST = "(i.86|x86_64).*-linux" FILES:${PN} += "${exec_prefix}" RDEPENDS:${PN} = "python3 python3-modules" +INSANE_SKIP:${PN} = "already-stripped" diff --git a/meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb b/meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb index ea9593ba6c..c620c6e30f 100644 --- a/meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb +++ b/meta-security/recipes-security/fscrypt/fscrypt_1.1.0.bb 
@@ -20,12 +20,12 @@ inherit go goarch features_check REQUIRED_DISTRO_FEATURES = "pam" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" do_compile() { export GOARCH=${TARGET_GOARCH} export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go" - export GOPATH="${WORKDIR}/git" + export GOPATH="${UNPACKDIR}/git" # Pass the needed cflags/ldflags so that cgo # can find the needed headers files and libraries diff --git a/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb b/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb index 3de2bfac86..cf03a1807d 100644 --- a/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb +++ b/meta-security/recipes-security/fscryptctl/fscryptctl_1.1.0.bb @@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23" SRC_URI = "git://github.com/google/fscryptctl.git;branch=master;protocol=https" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" do_compile:prepend() { sed -i 's/fscryptctl\.1//g' ${S}/Makefile diff --git a/meta-security/recipes-security/glome/glome_git.bb b/meta-security/recipes-security/glome/glome_git.bb index 8787ddc359..b99239ee22 100644 --- a/meta-security/recipes-security/glome/glome_git.bb +++ b/meta-security/recipes-security/glome/glome_git.bb @@ -10,7 +10,7 @@ inherit meson pkgconfig DEPENDS += "openssl" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" SRC_URI = "git://github.com/google/glome.git;branch=master;protocol=https" SRCREV = "48d28f82bd51ae4bccc84fbbee93c375b026596b" diff --git a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb index 8a0b1ee8d9..ba0531c139 100644 --- a/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb +++ b/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb 
@@ -8,7 +8,7 @@ SRCREV = "962f353aac6cfc7b804547319db40f8b804f0b6c" DEPENDS = "libpam" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" inherit autotools features_check diff --git a/meta-security/recipes-security/isic/isic_0.07.bb b/meta-security/recipes-security/isic/isic_0.07.bb index 28153e3b4e..d39184ef8d 100644 --- a/meta-security/recipes-security/isic/isic_0.07.bb +++ b/meta-security/recipes-security/isic/isic_0.07.bb @@ -17,12 +17,16 @@ SRC_URI = "http://prdownloads.sourceforge.net/isic/${BPN}-${PV}.tgz \ SRC_URI[md5sum] = "29f70c9bde9aa9128b8f7e66a315f9a4" SRC_URI[sha256sum] = "e033c53e03e26a4c72b723e2a5a1c433ee70eb4d23a1ba0d7d7e14ee1a80429d" -S="${WORKDIR}/${BPN}-${PV}" +S="${UNPACKDIR}/${BPN}-${PV}" inherit autotools-brokensep EXTRA_OECONF += "--with-libnet-dir=${STAGING_DIR_HOST}${libdir} " +# many configure tests are failing with gcc-14 +CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration" +BUILD_CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration" + do_configure () { oe_runconf } diff --git a/meta-security/recipes-security/krill/krill_0.12.3.bb b/meta-security/recipes-security/krill/krill_0.12.3.bb index ee959c2e47..d5917a153b 100644 --- a/meta-security/recipes-security/krill/krill_0.12.3.bb +++ b/meta-security/recipes-security/krill/krill_0.12.3.bb @@ -15,7 +15,7 @@ include krill-crates.inc UPSTREAM_CHECK_URI = "https://github.com/NLnetLabs/${BPN}/releases" UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" CARGO_SRC_DIR = "" inherit pkgconfig useradd systemd cargo cargo-update-recipe-crates @@ -26,6 +26,7 @@ do_install:append () { install -m 664 ${S}/defaults/krill.conf ${D}${sysconfdir}/. install ${S}/defaults/* ${D}${datadir}/krill/. + find ${D}${bindir}/ -name "krill*" -exec sed -i -e 's#${CARGO_HOME}/bitbake##g' {} + } KRILL_UID ?= "krill" 
@@ -38,5 +39,6 @@ USERADD_PARAM:${PN} = "--system -g ${KRILL_GID} --home-dir \ --shell /sbin/nologin ${BPN}" FILES:${PN} += "{sysconfdir}/defaults ${datadir}" +INSANE_SKIP:${PN} = "already-stripped" COMPATIBLE_HOST = "(i.86|x86_64|aarch64).*-linux" diff --git a/meta-security/recipes-security/libest/libest_3.2.0.bb b/meta-security/recipes-security/libest/libest_3.2.0.bb index b4c61654f1..04bfcee82d 100644 --- a/meta-security/recipes-security/libest/libest_3.2.0.bb +++ b/meta-security/recipes-security/libest/libest_3.2.0.bb @@ -20,7 +20,7 @@ EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}" CFLAGS += "-fcommon" LDFLAGS:append:libc-musl = " -lexecinfo" -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" PACKAGES = "${PN} ${PN}-dbg ${PN}-dev" diff --git a/meta-security/recipes-security/libgssglue/libgssglue_0.8.bb b/meta-security/recipes-security/libgssglue/libgssglue_0.8.bb index 9d019648e7..e534615974 100644 --- a/meta-security/recipes-security/libgssglue/libgssglue_0.8.bb +++ b/meta-security/recipes-security/libgssglue/libgssglue_0.8.bb @@ -21,11 +21,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=56871e72a5c475289c0d5e4ba3f2ee3a \ file://src/oid_ops.c;beginline=378;endline=398;md5=72457a5cdc0354cb5c25c8b150326364\ " -SRC_URI = "${DEBIAN_MIRROR}/main/libg/${BPN}/${BPN}_${PV}.orig.tar.gz \ +SRC_URI = "git://gitlab.com/gsasl/libgssglue.git;protocol=https;branch=master \ file://libgssglue-canon-name.patch \ " +SRCREV = "c8b4b2936b854a7d4f7ef12e30d6f519b30dec87" -SRC_URI[sha256sum] = "a2bb183e946f6e30562a2a856950a2916c9b6d42c34d67a8400e4efc28917746" +S = "${WORKDIR}/git" inherit autotools-brokensep diff --git a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb index f725a26bc2..f5518d2cef 100644 --- a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb +++ b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb 
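Review bot: `S = "${WORKDIR}/git"` is introduced in libgssglue while every other recipe in this commit moves to `${UNPACKDIR}/git`, so this line should be `S = "${UNPACKDIR}/git"` to match. Replacing the Debian tarball (whose sha256sum is dropped) with a git clone keeps integrity as long as SRCREV stays pinned, which it is; a one-line comment on why the tarball source was abandoned would help the next reader.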
@@ -10,7 +10,7 @@ HOMEPAGE = "http://mhash.sourceforge.net/" LICENSE = "LGPL-2.0-only" LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7" -S = "${WORKDIR}/mhash-${PV}" +S = "${UNPACKDIR}/mhash-${PV}" SECTION = "libs" diff --git a/meta-security/recipes-security/libmspack/libmspack_1.11.bb b/meta-security/recipes-security/libmspack/libmspack_1.11.bb index 59df84b73e..338701efca 100644 --- a/meta-security/recipes-security/libmspack/libmspack_1.11.bb +++ b/meta-security/recipes-security/libmspack/libmspack_1.11.bb @@ -11,6 +11,6 @@ SRC_URI = "git://github.com/kyz/libmspack.git;branch=master;protocol=https" inherit autotools -S = "${WORKDIR}/git/${BPN}" +S = "${UNPACKDIR}/git/${BPN}" inherit autotools diff --git a/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/meta-security/recipes-security/ncrack/ncrack_0.7.bb index 8e6b444a2f..881ee38c85 100644 --- a/meta-security/recipes-security/ncrack/ncrack_0.7.bb +++ b/meta-security/recipes-security/ncrack/ncrack_0.7.bb @@ -13,6 +13,6 @@ DEPENDS = "openssl zlib" inherit autotools-brokensep -S = "${WORKDIR}/git" +S = "${UNPACKDIR}/git" INSANE_SKIP:${PN} = "already-stripped" |