CVE-2022-45063 ported onto the dunfell baseline introduces two
variables that cause xterm to fail compilation with the error
./fontutils.c:4143:13: error: 'added' undeclared (first use in this function)
These two variables don't appear to be defined at all in findXftGlyph for
xterm_353, so they should be removed.
Fixes: 10148c538ebc("xterm : Fix CVE-2022-45063 code execution via OSC 50 input sequences] CVE-2022-45063")
Signed-off-by: Chris Rogers <crogers122@gmail.com>
Tested-by: Jason Andryuk <jandryuk@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This patch contains a fix for CVE-2022-46149
Patch backported from :
25d34c6786
Signed-off-by: Virendra Thakur <virendrak@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Flatbuffers contains a library and a schema compiler. The package
contains cmake files to discover the libraries and the compiler tool.
Currently, all of these cmake files are installed into the target
sysroot. However, the compiler utility isn't installed into the sysroot
(as it is not runnable on the build machine).
When an application that depends on flatbuffers gets built, it uses
flatbuffers' exported cmake targets to configure the project. One of the
exported targets is FlatcTarget.cmake which expects to see flatc binary
in /usr/bin of the sysroot. Since binaries for target don't end up in
target sysroot, cmake configuration fails.
This patch addresses this problem of flatbuffers' build infrastructure
in cross-compiling environments. By removing FlatcTarget.cmake for
target builds from the sysroot we essentially skip this step of
flatbuffers' configuration.
Signed-off-by: Ivan Stepic <Ivan.Stepic@bmw.de>
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
Add a patch to fix CVE-2022-40617 issue which allows remote attackers to
cause a denial of service in the revocation plugin by sending a crafted
end-entity (and intermediate CA) certificate that contains a CRL/OCSP
URL that points to a server (under the attacker's control) that doesn't
properly respond but (for example) just does nothing after the initial
TCP handshake, or sends an excessive amount of application data.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-40617
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Quoting Jason A. Donenfeld on IRC:
<zx2c4> Colin_Finck: you should never, ever use old versions
<zx2c4> Notice that neither the major nor minor version numbers change
<zx2c4> Use the latest versions on your LTS
With that definite answer, I'd like to fix the problem described in https://lore.kernel.org/yocto/CswA.1659543156268567471.pbrp@lists.yoctoproject.org/ by importing the latest versions instead of maintaining our own fork of wireguard 1.0.20200401.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
c-ares version 1.18.1 - Oct 27 2021
Bug fixes:
ares_getaddrinfo() would return ai_addrlen of 16 for ipv6 adddresses
rather than the sizeof(struct sockaddr_in6)
Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e251d7b827)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
Current patch is breaking the library dependencies added by cmake
especially when you are static linking.
Applications need the ws2_32 library to be linked for mingw32
and with the existing patch this is not getting passed to the users.
Current patch seems to address this issue:
https://github.com/c-ares/c-ares/issues/373
Both issues are resolved in 1.17.2:
1.17.2-r0/git $ find . | grep c-ares-config.cmake.in
./c-ares-config.cmake.in
1.17.2-r0/git $ find . | grep libcares.pc.cmake
./libcares.pc.cmake
Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.17.2.bb
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 621bdc1993)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
Forward port cmake-install-libcares.pc.patch, drop the need to install
pkgconfig files as its already being done by main Makefile
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Forward port cmake-install-libcares.pc.patch, drop the need to install
pkgconfig files as its already being done by main Makefile
Conflicts:
meta-oe/recipes-support/c-ares/c-ares_1.17.1.bb
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b65f290419)
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.vom>
Stable security bug-fix release that fixes CVE-2021-4122.
ReleaseNotes:
https://kernel.org/pub/linux/utils/cryptsetup/v2.3/v2.3.7-ReleaseNotes
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 5dca16b451)
This is just the rename and SRC_URI hash updates made to apply
to dunfell.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
As per the below release note, it should be a last release for 12.x
stable LTS series.
Link: https://github.com/nodejs/node/releases/tag/v12.22.12
Remove CVE-2021-44532 fix as it already available in this release
v12.22.12
License-Update: src/gtest additional file in the LICENSE
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Set CVE_PRODUCT to 'tuxera:ntfs-3g' for ntfs-3g-ntfsprogs recipe,
cve-check class is setting default CVE_PRODUCT to 'ntfs-3g-ntfsprogs'
which ignores the ntfs-3g-ntfsprogs CVEs from NVD Database.
Reference:
CVE-2019-9755
Link: https://nvd.nist.gov/vuln/detail/CVE-2019-9755
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Set CVE_PRODUCT as 'iperf_project:iperf' for iperf2 and iperf3
recipes, cve-check class is setting default CVE_PRODUCT to
'iperf2' and 'iperf3' respectively which ignores the iperf
CVEs from NVD Database.
Reference:
CVE-2016-4303
Link: https://nvd.nist.gov/vuln/detail/CVE-2016-4303
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
