subtree updates:openembedded:poky: Jan 27 2023
poky: 0ce159991d..5e249ec855:
Alex Kiernan (2):
rust: Upgrade 1.66.0 -> 1.66.1
rust: Remove CARGO_VERSION
Alexander Kanavin (7):
selftest/virgl: use pkg-config from the host
ethtool: upgrade 6.0 -> 6.1
man-pages: upgrade 6.01 -> 6.02
mesa: update 22.2.3 -> 22.3.3
webkitgtk: submit a patch upstream
python3-sphinxcontrib-applehelp: update 1.0.2 -> 1.0.3
vulkan-samples: branch rename master -> main
Benoît Mauduit (1):
lib/oe/reproducible: Use git log without gpg signature
Bruce Ashfield (6):
linux-yocto/6.1: edgerouter: Replace OCTEON_USB with USB_OCTEON_HCD
linux-yocto/6.1: qemuriscv32: Enable CONFIG_NONPORTABLE
linux-yocto/6.1: update to v6.1.5
linux-yocto/5.15: update to v5.15.87
conf/qemu: bump preferred kernel version to 6.1
poky/poky-tiny: bump preferred version to 6.1
Changqing Li (1):
cmake-native: use internal cmcurl library
Chen Qi (2):
file: export MAGIC in SDK
rpm: do not export MAGIC in SDK
Chuck Wolber (1):
scripts/oe-setup-layers: Make efficiently idempotent
Fabio Estevam (2):
u-boot: Upgrade to 2023.01
u-boot: Update Upstream-Status
He Zhe (1):
lttng-modules: update 2.13.7 -> 2.13.8
Jan Luebbe (1):
p11-kit: add native to BBCLASSEXTEND
Jermain Horsman (1):
cve-check: write the cve manifest to IMGDEPLOYDIR
Kevin Hao (1):
meta-yocto-bsp: Update the default kernel to 6.1
Khem Raj (31):
createrepo-c: Include missing rpm/rpmstring.h
libglu: Remove deprecated register in C++17
cpio: Do not use _Noreturn in gnulib
groff: Drop use of `register` storage class
vulkan-samples: Update to the tip of trunk
unfs3: Fix implicit function declarations of fix_dir_times()
gperf: Make the code C++17 compliant
libxcb: Fixed c2x standard undefined behaviour
dbus: Use Alignof when using C11 or newer standard
m4: Define alignof_slot using _Alignof when using C11 or newer
opkg: Define alignof using _Alignof when using C11 or newer
cpio: Fix gnulib alignof implementation on clang
python3-numpy: Define _ALIGN using _Alignof when using C11 or newer
vulkan-samples: Drop using u8string_view
musl-obstack: Update to 1.2.3
mdadm: Define alignof using _Alignof when using C11 or newer
lttng-tools: Switch to alternative upstream submitted patch
libtirpc: Check if file exists before operating on it
ruby: Use C11 _Alignof to define ALIGN_OF when possible
libusb1: Link with latomic only if compiler has no atomic builtins
libusb1: Strip trailing whitespaces
elfutils: Fix build with libcurl >= 7.87
stress-ng: Robustify test-float test
harfbuzz: Add missing <cstdio> and <cstdlib> includes
apt: add missing <cstdint> for uint16_t
vulkan-samples: Include missing header cstdint for uint32_t
ruby: Update the patch status
systemd: Add another fix for using XSI strerror_r
elfutils: Remove funcretval test from run-native-test.sh for now
binutils: Upgrade to 2.40 release
binutils: Package libsframe
Lee Chee Yang (1):
migration-guides: add release-notes for 4.1.2
Luca Boccassi (1):
systemd: add PACKAGECONFIG to select default compression format
Luca Ceresoli (1):
manuals: fix typo in the MLPREFIX description
Markus Volk (3):
gptfdisk: add follow-up patch to fix with current popt
gtk+3: add PACKAGECONFIG for libcloudservice and tracker; fix cups backend
gtk4: add PACKAGECONFIG for cloudproviders
Martin Jansa (1):
mesa: update submitted patch with backported version
Michael Opdenacker (3):
rust-bin.bbclass: remove unused class
meta/classes-global: remove package_tar.bbclass
ref-manual: initial documentation for go and go-mod classes
Mikko Rapeli (1):
kmod: enable openssl support by default
Niko Mauno (1):
Fix missing leading whitespace with ':append'
Ovidiu Panait (1):
webkitgtk: fix perl-native dependency
Paulo Neves (1):
bitbake: bitbake-getvar: Add a quiet command line argument
Pavel Zhukov (3):
bitbake: fetch2: kill parameters in uri_find_decoded
bitbake: fetch2/tests: Add test for Mercurial
bitbake: fetch2/tests: Add parameter to recipe_uri
Pawel Zalewski (1):
classes/fs-uuid: Fix command output decoding issue
Peter Kjellerstedt (2):
librsvg: Only enable the Vala bindings if GObject Introspection is enabled
cargo-update-recipe-crates.bbclass: Mark the update_crates task as nostamp
Peter Marko (1):
iproute2: separate routel and add python dependency
Quentin Schulz (1):
packagegroup-core-boot: make init-ifupdown package a recommendation
Randy MacLeod (1):
vim: upgrade 9.0.0947 -> 9.0.1211
Richard Purdie (23):
bitbake: server/process: Improve lockfile handling at exit
pseudo: Update to pull in linux-libc-headers race fix
pseudo: Switch back to the master branch
insane: Improve patch warning/error handling
poky: Set INIT_MANAGER by a separate variable
bitbake: server/process: Fix lockfile contents check bug
bitbake: cooker: Fix siggen recipe cache race issue
bitbake: cache: Only write files if we have data
bitbake: cooker: Fix parsing race around cache handling
bitbake: data: Add support for new BB_HASH_CODEPARSER_VALS for cache optimisation
bitbake: data_smart: Small optimisation to _findVar()
native: Drop special variable handling
bitbake.conf: Add BB_HASH_CODEPARSER_VALS
pseudo: Update to include logic fix
bitbake.conf: Add METADATA_REVISION to BB_HASH_CODEPARSER_VALS
native: Implement BBCLASSEXTEND PACKAGES_DYNAMIC handling
conf/sdk/x86-64: Set march specifically
bitbake: cache/codeparser: Switch to a new BB_CACHEDIR variable for cache location
oeqa/selftest/devtool: Fix for linux 6.1 versions onwards
wic/efi-bootdisk.wks: Fix for 6.1 kernel versions
kernel/linux-kernel-base: Fix kernel build artefact determinism issues
build-appliance-image: Update to master head revision
build-appliance: Fix merge error
Ross Burton (12):
python3-pyproject-hooks: add new recipe
python3-build: add 0.10.0
python_pep517: use python3-build, not picobuild
python3-picobuild: remove
cve-update-db-native: show IP on failure
quilt: rewrite ptest glue
quilt: fix intermittent failure in faildiff.test
spirv-headers/spirv-tools: set correct branch name
quilt: use upstreamed faildiff.test fix
ppp: backport fix for CVE-2022-4603
bitbake: bb/utils: include SSL certificate paths in export_proxies
buildtools-tarball: set pkg-config search path
Thomas Roos (1):
devtool: fix devtool finish when gitmodules file is empty
Tim Orling (3):
bitbake: bitbake: fix deprecated threading.Thread.setDaemon
python3-cryptography{-vectors}: 38.0.4 -> 39.0.0
bitbake: toaster: update fixtures
Tom Hochstein (1):
gstreamer1.0-plugins-good: Fix libsoup runtime dependency
Vincent Davis Jr (1):
mesa: allow mesa (gbm) to compile without backend
Wang Mingyu (20):
btrfs-tools: upgrade 6.1 -> 6.1.2
libpcap: upgrade 1.10.2 -> 1.10.3
libwebp: upgrade 1.2.4 -> 1.3.0
man-db: upgrade 2.11.1 -> 2.11.2
dpkg: upgrade 1.21.17 -> 1.21.18
ed: upgrade 1.18 -> 1.19
gi-docgen: upgrade 2022.2 -> 2023.1
python3-alabaster: upgrade 0.7.12 -> 0.7.13
python3-setuptools: upgrade 65.6.3 -> 65.7.0
patchelf: upgrade 0.17.0 -> 0.17.2
python3-cython: upgrade 0.29.32 -> 0.29.33
python3-dbusmock: upgrade 0.28.6 -> 0.28.7
python3-hatchling: upgrade 1.12.1 -> 1.12.2
python3-hypothesis: upgrade 6.61.0 -> 6.62.0
python3-importlib-metadata: upgrade 5.2.0 -> 6.0.0
python3-packaging: upgrade 22.0 -> 23.0
python3-pbr: upgrade 5.11.0 -> 5.11.1
python3-pygments: upgrade 2.13.0 -> 2.14.0
stress-ng: upgrade 0.15.01 -> 0.15.02
xz: upgrade 5.4.0 -> 5.4.1
Xiangyu Chen (4):
numactl: skip test case when target platform doesn't have 2 CPU node
qemuboot.bbclass: add QB_NFSROOTFS_EXTRA_OPT for nfs rootfs extra option
runqemu: add process of option QB_NFSROOTFS_EXTRA_OPT
qemuppc64: set the qemuppc64 nfs r/wsize mount options to 524288
Yoann Congal (2):
bitbake: persist_data: Handle sqlite error when cachefile path is too long
sanity: Fix small typos
meta-openembedded: cd13881611..2ab113e8be:
Alejandro Enedino Hernandez Samaniego (1):
weechat: Update 3.4.1 -> 3.8
Alex Kiernan (4):
dnsmasq: Merge .inc into .bb
dnsmasq: Expand configuration options
ntpsec: Upgrade 1.2.1 -> 1.2.2
keyutils: Upgrade 1.6.1 -> 1.6.3
Archana Polampalli (1):
Nodejs: Upgrade to 18.12.1
Bartosz Golaszewski (1):
libgpiod: fix python bindings build
Chee Yang Lee (5):
opencv: fix reproducible builds
xerces-c: upgrade to 3.2.4
zsh: Fix CVE-2021-45444
redis: Upgrade to 7.0.8
redis: Upgrade to 6.2.9
Dmitry Baryshkov (1):
edid-decode: an utility to parse EDID information
Etienne Cordonnier (1):
uutils-coreutils: upgrade 0.0.16 -> 0.0.17
Fabio Estevam (1):
lvgl-demo-fb: Add recipe
Gianfranco Costamagna (1):
boinc-client: Update boinc from 7.20.4 to 7.20.5
Hermes Zhang (1):
kernel_add_regdb: Change the task order
Jan Luebbe (3):
pcsc-lite: fix native build
pcsc-lite: fix homepage URL
opensc: fix homepage URL
Kai Kang (2):
mozjs: fix compile error for arm
crda: 3.18 -> 4.15
Khem Raj (65):
packagegroup-meta-oe: Remove boost-url from comments
trace-cmd: Update to upstream submitted patches
packagegroup-meta-oe: Update to reflect latest recipes
freeglut: Add packageconfigs for x11/wayland/gles
xdg-desktop-portal-wlr: Add wayland to REQUIRED_DISTRO_FEATURES
ipmitool: Remove unneeded patch
dibbler: Fix build with c++17 and newer std
libtevent: Package cmocka tests into ptest package
netkit-telnet: Drop using register storage class keyword
libxml-libxml-perl: Fix function pointer types
fatcat: Fix build with std=c++17
ncmpc: Upgrade to 0.47
python3-matplotlib: Upgrade to 3.6.3
python3-matplotlib: Fix build with c++17
python3-greenlet: Drop using register keyword
libmodplug: Fix build with c++17
xmlrpc-c: Upgrade to 1.54.06
satyr: Fix build with musl
p8platform: Fix build with c++17 clang
freerdp: Fix incompatible function pointer type
libtorrent: Update to tip of trunk
gnuchess: Fix build with c++17
ippool: Use unsigned int type for 1-bit integer bitfield
audiofile: Stick to c++14 std
ssiapi: Use c++14 standard
log4cpp: Keep using std=c++14
gengetopt: Use std=c++14
libmimetic: Pin to using -std=c++14
ace: Upgrade to 6.5.19
pipewire-media-session: Use PW_ENABLE_DEPRECATED
rtorrent: Update to latest tip of trunk
nspr: Fix build with clang16
net-snmp: Fix build with clang16
xmlstarlet: Fix build with clang16
libol: Drop recipe
hplip: Update to 3.22.10
espeak: Drop using 'register' keyword for storage classifier
uw-imap: Fix build with clang 16
xmlsec1: Include xmlsec/parser.h for xmlSecParserSetDefaultOptions()
exiv2: Upgrade to 0.27.6
packagegroup-meta-oe: Remove mongodb for upsupported arches
rtorrent: Add missing dependency on autoconf-archive
thrift: Fix c++ and system header include order problem
libcereal: Use -idirafter instead of -isystem
poppler: cmake: Do not use -isystem
uftreace: Fix a build race
sdbus-c++: Disable ccache
libcamera: Fix build with gcc-13
mariadb: Fix build with gcc-13
vulkan-cts,opengl-es-cts: Fix build with gcc-13
rocksdb: Fix build with gcc13
rocksdb: Upgrade to 7.9.2
redis-plus-plus: Upgrade to 1.3.7
redis-plus-plus: Fix build with gcc13
rdfind: Upgrade to 1.5.0 release
rdfind: Fix build with gcc13
libiodbc: Fix SRC_URI to not use gitlab archives
opensaf: Fix build with gcc13
crossguid: Fix build with gcc13
dbus-cxx: Fix build with gcc13
dbus-cxx: Upgrade to 2.3.1
msktutil: Upgrade to 1.2.1
hiredis: Enable SSL/TLS support by default
redis-plus-plus: Enable SSL/TLS by default
rocksdb: Fix build with clang compiler
Lei Maohui (2):
biodbc: Added a new recipe.
trace-cmd: Fix QA Issue of do_package when enable multilib:
Leon Anavi (14):
python3-traitlets: Upgrade 5.8.0 -> 5.8.1
python3-prettytable: Upgrade 3.4.1 -> 3.6.0
python3-cantools: Upgrade 38.0.0 -> 38.0.1
python3-imageio: Upgrade 2.23.0 -> 2.24.0
python3-astroid: Upgrade 2.12.13 -> 2.13.2
python3-alembic: Upgrade 1.9.1 -> 1.9.2
python3-autobahn: Upgrade 22.12.1 -> 23.1.1
python3-eventlet: Upgrade 0.33.2 -> 0.33.3
python3-configobj: Upgrade 5.0.6 -> 5.0.8
python3-nocaselist: Upgrade 1.0.6 -> 1.1.0
python3-nocasedict: Upgrade 1.0.4 -> 1.1.0
python3-email-validator: Upgrade 1.3.0 -> 1.3.1
python3-imageio: Upgrade 2.24.0 -> 2.25.0
python3-cachetools: Upgrade 5.2.1 -> 5.3.0
Markus Volk (8):
webp-pixbuf-loader: add recipe
freerdp: build the rdp server
nv-codec-headers: add recipe
gnome-chess: import recipe
gnome-shell: update 43.1 -> 43.2
pipewire: update 0.3.63 -> 0.3.64
cups-filters: build with dbus support
cups-pk-helper: add recipe
Martin Jansa (3):
s-nail: fix Upstream-Status format
smartmontools: fix Upstream-Status format
htop: fix Upstream-Status format
Niko Mauno (2):
Fix missing leading whitespace with ':append'
nftables: Fix missing leading whitespace with ':append'
Peter Bašista (1):
Make tvheadend recipe compatible with the latest tvheadend version
Quentin Schulz (1):
python3-reedsolo: Add recipe
Randy MacLeod (2):
librelp: update to 1.11.0
rsyslog: update to 8.2212.0
Richard Hughes (1):
fwupd: Upgrade to 1.8.9
Robert Yang (1):
tftpy: Add it for python tftp server and client
Ross Burton (3):
khronos-cts: fix build when python3-build-native is present
python3-pytest-forked: update for move from picobuild to build
mbedtls: add option to use PSA for X.509/TLS operations
Stefan Ghinea (1):
mbedtls: upgrade to 2.28.2 to fix CVE-2022-46392, CVE-2022-46393
Trevor Woerner (1):
psqlodbc: fix HOMEPAGE
Wang Mingyu (62):
ctags: upgrade 6.0.20230101.0 -> 6.0.20230108.0
flatbuffers: upgrade 22.12.06 -> 23.1.4
libadwaita: upgrade 1.2.0 -> 1.2.1
hwdata: upgrade 0.365 -> 0.366
libmoo-perl: upgrade 2.005004 -> 2.005005
evolution-data-server-native: upgrade 3.46.2 -> 3.46.3
cli11: upgrade 2.3.1 -> 2.3.2
imapfilter: upgrade 2.7.6 -> 2.8.1
libcgi-perl: upgrade 4.54 -> 4.55
hidapi: upgrade 0.12.0 -> 0.13.0
python3-lazy-object-proxy: upgrade 1.8.0 -> 1.9.0
xfsprogs: upgrade 6.0.0 -> 6.1.0
tbb: upgrade 2021.7.0 -> 2021.8.0
python3-networkx: upgrade 2.8.8 -> 3.0
python3-sqlalchemy: upgrade 1.4.45 -> 1.4.46
python3-aiohue: upgrade 4.5.0 -> 4.6.1
python3-cachetools: upgrade 5.2.0 -> 5.2.1
python3-google-api-python-client: upgrade 2.70.0 -> 2.71.0
python3-flask-migrate: upgrade 4.0.0 -> 4.0.1
python3-coverage: upgrade 7.0.3 -> 7.0.4
python3-googleapis-common-protos: upgrade 1.57.0 -> 1.58.0
python3-ipython: upgrade 8.7.0 -> 8.8.0
python3-redis: upgrade 4.4.0 -> 4.4.1
python3-robotframework: upgrade 6.0.1 -> 6.0.2
python3-uefi-firmware: upgrade 1.9 -> 1.10
python3-ujson: upgrade 5.6.0 -> 5.7.0
python3-xlsxwriter: upgrade 3.0.5 -> 3.0.6
xfsprogs: upgrade 6.1.0 -> 6.1.1
xfstests: upgrade 2022.12.18 -> 2023.01.01
eog: upgrade 43.1 -> 43.2
gvfs: upgrade 1.50.2 -> 1.50.3
libnma: upgrade 1.10.4 -> 1.10.6
nautilus: upgrade 43.1 -> 43.2
nbdkit: upgrade 1.33.4 -> 1.33.7
networkmanager: upgrade 1.40.0 -> 1.40.10
tcpdump: upgrade 4.99.2 -> 4.99.3
unbound: upgrade 1.17.0 -> 1.17.1
ctags: upgrade 6.0.20230108.0 -> 6.0.20230115.0
dnfdragora: upgrade 2.1.3 -> 2.1.4
gensio: upgrade 2.6.1 -> 2.6.2
hidapi: upgrade 0.13.0 -> 0.13.1
librelp: upgrade 1.10.0 -> 1.11.0
libtraceevent: upgrade 1.7.0 -> 1.7.1
libtracefs: upgrade 1.6.3 -> 1.6.4
uftrace: upgrade 0.12 -> 0.13
xterm: upgrade 377 -> 378
python3-absl: upgrade 1.3.0 -> 1.4.0
python3-coverage: upgrade 7.0.4 -> 7.0.5
python3-dateparser: upgrade 1.1.5 -> 1.1.6
python3-decouple: upgrade 3.6 -> 3.7
python3-dnspython: upgrade 2.2.1 -> 2.3.0
python3-flask-wtf: upgrade 1.0.1 -> 1.1.0
python3-future: upgrade 0.18.2 -> 0.18.3
python3-google-api-python-client: upgrade 2.71.0 -> 2.72.0
python3-google-auth: upgrade 2.15.0 -> 2.16.0
python3-mock: upgrade 5.0.0 -> 5.0.1
python3-pymodbus: upgrade 3.0.2 -> 3.1.0
python3-pyzmq: upgrade 24.0.1 -> 25.0.0
python3-redis: upgrade 4.4.1 -> 4.4.2
python3-sentry-sdk: upgrade 1.12.1 -> 1.13.0
python3-txaio: upgrade 22.2.1 -> 23.1.1
python3-xlsxwriter: upgrade 3.0.6 -> 3.0.7
Yi Zhao (2):
freeradius: upgrade 3.0.21 -> 3.0.26
strongswan: upgrade 5.9.8 -> 5.9.9
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I625cfaa0bd5052cd72a121f010db3ecd2f274caf
diff --git a/meta-openembedded/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch
new file mode 100644
index 0000000..fb8fa34
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_1.patch
@@ -0,0 +1,60 @@
+Origin: commit c187154f47697cdbf822c2f9d714d570ed4a0fd1
+From: Oliver Kiddle <opk@zsh.org>
+Date: Wed, 15 Dec 2021 01:56:40 +0100
+Subject: [PATCH 1/9] security/41: Don't perform PROMPT_SUBST evaluation on
+ %F/%K arguments
+
+Mitigates CVE-2021-45444
+
+https://salsa.debian.org/debian/zsh/-/raw/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_1.patch?inline=false
+Upstream-Status: Backport
+CVE: CVE-2021-45444
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ ChangeLog | 5 +++++
+ Src/prompt.c | 10 ++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index 8d7dfc169..eb248ec06 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,8 @@
++2022-01-27 dana <dana@dana.is>
++
++ * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
++ PROMPT_SUBST
++
+ 2020-02-14 dana <dana@dana.is>
+
+ * unposted: Config/version.mk: Update for 5.8
+diff --git a/Src/prompt.c b/Src/prompt.c
+index b65bfb86b..91e21c8e9 100644
+--- a/Src/prompt.c
++++ b/Src/prompt.c
+@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg)
+ bv->fm += 2; /* skip over F{ */
+ if ((ep = strchr(bv->fm, '}'))) {
+ char oc = *ep, *col, *coll;
++ int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG];
++ int opp = opts[PROMPTPERCENT];
++
++ opts[PROMPTPERCENT] = 1;
++ opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;
++
+ *ep = '\0';
+ /* expand the contents of the argument so you can use
+ * %v for example */
+@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg)
+ arg = match_colour((const char **)&coll, is_fg, 0);
+ free(col);
+ bv->fm = ep;
++
++ opts[PROMPTSUBST] = ops;
++ opts[PROMPTBANG] = opb;
++ opts[PROMPTPERCENT] = opp;
+ } else {
+ arg = match_colour((const char **)&bv->fm, is_fg, 0);
+ if (*bv->fm != '}')
+--
+2.34.1
diff --git a/meta-openembedded/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch
new file mode 100644
index 0000000..e5b6d7c
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_2.patch
@@ -0,0 +1,140 @@
+From 8a4d65ef6d0023ab9b238529410afb433553d2fa Mon Sep 17 00:00:00 2001
+From: Marc Cornellà <hello@mcornella.com>
+Date: Mon, 24 Jan 2022 09:43:28 +0100
+Subject: [PATCH 2/9] security/89: Add patch which can optionally be used to
+ work around CVE-2021-45444 in VCS_Info
+Comment: Updated to use the same file name without blanks as actually
+ used in the final 5.8.1 release.
+
+
+https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_2.patch
+Upstream-Status: Backport
+CVE: CVE-2021-45444
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ ChangeLog | 5 +
+ Etc/CVE-2021-45444-VCS_Info-workaround.patch | 98 ++++++++++++++++++++
+ 2 files changed, 103 insertions(+)
+ create mode 100644 Etc/CVE-2021-45444-VCS_Info-workaround.patch
+
+diff --git a/ChangeLog b/ChangeLog
+index eb248ec06..9a05a09e1 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,5 +1,10 @@
+ 2022-01-27 dana <dana@dana.is>
+
++ * Marc Cornellà: security/89:
++ Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
++ can optionally be used to work around recursive PROMPT_SUBST
++ issue in VCS_Info
++
+ * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
+ PROMPT_SUBST
+
+diff --git a/Etc/CVE-2021-45444-VCS_Info-workaround.patch b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
+new file mode 100644
+index 000000000..13e54be77
+--- /dev/null
++++ b/Etc/CVE-2021-45444-VCS_Info-workaround.patch
+@@ -0,0 +1,98 @@
++From 972887bbe5eb6a00e5f0e73781d6d73bfdcafb93 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Marc=20Cornell=C3=A0?= <hello@mcornella.com>
++Date: Mon, 24 Jan 2022 09:43:28 +0100
++Subject: [PATCH] security/89: Partially work around CVE-2021-45444 in VCS_Info
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++This patch is a partial, VCS_Info-specific work-around for CVE-2021-45444,
++which is mitigated in the shell itself in 5.8.1 and later versions. It is
++offered for users who are concerned about an exploit but are unable to update
++their binaries to receive the complete fix.
++
++The patch works around the vulnerability by pre-escaping values substituted
++into format strings in VCS_Info. Please note that this may break some user
++configurations that rely on those values being un-escaped (which is why it was
++not included directly in 5.8.1). It may be possible to limit this breakage by
++adjusting exactly which ones are pre-escaped, but of course this may leave
++them vulnerable again.
++
++If applying the patch to the file system is inconvenient or not possible, the
++following script can be used to idempotently patch the relevant function
++running in memory (and thus must be re-run when the shell is restarted):
++
++
++# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version)
++autoload -Uz is-at-least
++if is-at-least 5.8.1 || ! is-at-least 5.0.3; then
++ return
++fi
++
++# Quote necessary $hook_com[<field>] items just before they are used
++# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats
++# function, where <field> is:
++#
++# base: the full path of the repository's root directory.
++# base-name: the name of the repository's root directory.
++# branch: the name of the currently checked out branch.
++# revision: an identifier of the currently checked out revision.
++# subdir: the path of the current directory relative to the
++# repository's root directory.
++# misc: a string that may contain anything the vcs_info backend wants.
++#
++# This patch %-quotes these fields previous to their use in vcs_info hooks and
++# the zformat call and, eventually, when they get expanded in the prompt.
++# It's important to quote these here, and not later after hooks have modified the
++# fields, because then we could be quoting % characters from valid prompt sequences,
++# like %F{color}, %B, etc.
++#
++# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
++# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}"
++# 34 │
++# 35 + │ for tmp in base base-name branch misc revision subdir; do
++# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
++# 37 + │ done
++# 38 + │
++# 39 │ VCS_INFO_hook 'post-backend'
++#
++# This is especially important so that no command substitution is performed
++# due to malicious input as a consequence of CVE-2021-45444, which affects
++# zsh versions from 5.0.3 to 5.8.
++#
++autoload -Uz +X regexp-replace VCS_INFO_formats
++
++# We use $tmp here because it's already a local variable in VCS_INFO_formats
++typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"'
++# Unique string to avoid reapplying the patch if this code gets called twice
++typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b
++# Only patch the VCS_INFO_formats function if not already patched
++if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then
++ regexp-replace 'functions[VCS_INFO_formats]' \
++ "VCS_INFO_hook 'post-backend'" \
++ ': ${PATCH_ID}; ${PATCH}; ${MATCH}'
++fi
++unset PATCH PATCH_ID
++
++
++---
++ Functions/VCS_Info/VCS_INFO_formats | 4 ++++
++ 1 file changed, 4 insertions(+)
++
++diff --git a/Functions/VCS_Info/VCS_INFO_formats b/Functions/VCS_Info/VCS_INFO_formats
++index e0e1dc738..4d88e28b6 100644
++--- a/Functions/VCS_Info/VCS_INFO_formats
+++++ b/Functions/VCS_Info/VCS_INFO_formats
++@@ -32,6 +32,10 @@ hook_com[base-name_orig]="${hook_com[base_name]}"
++ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})"
++ hook_com[subdir_orig]="${hook_com[subdir]}"
++
+++for tmp in base base-name branch misc revision subdir; do
+++ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"
+++done
+++
++ VCS_INFO_hook 'post-backend'
++
++ ## description (for backend authors):
++--
++2.34.1
+--
+2.34.1
diff --git a/meta-openembedded/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch
new file mode 100644
index 0000000..adfc00a
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh/CVE-2021-45444_3.patch
@@ -0,0 +1,77 @@
+From 4abf2fc193fc2f3e680deecbf81289a7b02e245b Mon Sep 17 00:00:00 2001
+From: dana <dana@dana.is>
+Date: Tue, 21 Dec 2021 13:13:33 -0600
+Subject: [PATCH 3/9] CVE-2021-45444: Update NEWS/README
+
+https://salsa.debian.org/debian/zsh/-/blob/debian/5.8-6+deb11u1/debian/patches/cherry-pick-CVE-2021-45444_3.patch
+Upstream-Status: Backport
+CVE: CVE-2021-45444
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ ChangeLog | 2 ++
+ NEWS | 20 ++++++++++++++++++++
+ README | 6 ++++++
+ 3 files changed, 28 insertions(+)
+
+diff --git a/ChangeLog b/ChangeLog
+index 9a05a09e1..93b0bc337 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,5 +1,7 @@
+ 2022-01-27 dana <dana@dana.is>
+
++ * CVE-2021-45444: NEWS, README: Document preceding two changes
++
+ * Marc Cornellà: security/89:
+ Etc/CVE-2021-45444-VCS_Info-workaround.patch: Add patch which
+ can optionally be used to work around recursive PROMPT_SUBST
+diff --git a/NEWS b/NEWS
+index 964e1633f..d34b3f79e 100644
+--- a/NEWS
++++ b/NEWS
+@@ -4,6 +4,26 @@ CHANGES FROM PREVIOUS VERSIONS OF ZSH
+
+ Note also the list of incompatibilities in the README file.
+
++Changes since 5.8
++-----------------
++
++CVE-2021-45444: Some prompt expansion sequences, such as %F, support
++'arguments' which are themselves expanded in case they contain colour
++values, etc. This additional expansion would trigger PROMPT_SUBST
++evaluation, if enabled. This could be abused to execute code the user
++didn't expect. e.g., given a certain prompt configuration, an attacker
++could trick a user into executing arbitrary code by having them check
++out a Git branch with a specially crafted name.
++
++This is fixed in the shell itself by no longer performing PROMPT_SUBST
++evaluation on these prompt-expansion arguments.
++
++Users who are concerned about an exploit but unable to update their
++binaries may apply the partial work-around described in the file
++'Etc/CVE-2021-45444 VCS_Info workaround.patch' included with the shell
++source. [ Reported by RyotaK <security@ryotak.me>. Additional thanks to
++Marc Cornellà <hello@mcornella.com>. ]
++
+ Changes since 5.7.1-test-3
+ --------------------------
+
+diff --git a/README b/README
+index 7f1dd5f92..c9e994ab3 100644
+--- a/README
++++ b/README
+@@ -31,6 +31,12 @@ Zsh is a shell with lots of features. For a list of some of these, see the
+ file FEATURES, and for the latest changes see NEWS. For more
+ details, see the documentation.
+
++Incompatibilities since 5.8
++---------------------------
++
++PROMPT_SUBST expansion is no longer performed on arguments to prompt-
++expansion sequences such as %F.
++
+ Incompatibilities since 5.7.1
+ -----------------------------
+
+--
+2.34.1
diff --git a/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.8.bb b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.8.bb
index 0429cb9..b023e8d 100644
--- a/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.8.bb
+++ b/meta-openembedded/meta-oe/recipes-shells/zsh/zsh_5.8.bb
@@ -10,7 +10,11 @@
DEPENDS = "ncurses bison-native libcap libpcre gdbm groff-native"
-SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/5.8/${BP}.tar.xz"
+SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}/5.8/${BP}.tar.xz \
+ file://CVE-2021-45444_1.patch \
+ file://CVE-2021-45444_2.patch \
+ file://CVE-2021-45444_3.patch \
+ "
SRC_URI[sha256sum] = "dcc4b54cc5565670a65581760261c163d720991f0d06486da61f8d839b52de27"
inherit autotools-brokensep gettext update-alternatives manpages