subtree updates
meta-raspberrypi: 40283f583b..ca11a291ee:
Martin Schuessler (1):
omxplayer: remove hardcoded tune and arch from Makefile
poky: 111b7173fe..50d272863d:
Adrian Bunk (3):
wireless-regdb: Add recipe
go: Upgrade 1.12.5 -> 1.12.6
libxslt: Fix CVE-2019-11068
Alexander Kanavin (7):
vala: upgrade 0.44.3 -> 0.44.5
libnewt: merge libnewt-python recipe into the main recipe
epiphany: update to 3.32.3
btrfs-tools: update to 5.1.1
createrepo-c: upgrade 0.14.0 -> 0.14.2
librepo: upgrade 1.10.2 -> 1.10.3
libmodulemd: upgrade 2.4.0 -> 2.5.0
Alistair Francis (6):
libffi: Add RISC-V support
opensbi: Initial commit of OpenSBI
qemuriscv64: Add the QEMU RISC-V 64-bit machine
linux-yocto: Mark qemuriscv64 as compatible
qemuriscv: Build uImage for RISC-V machines
qemuriscv64: Fix QB_OPT_APPEND overwrite
Anuj Mittal (1):
runtime/cases/logrotate: make test more reliable
Ayoub Zaki (1):
kernel-fitimage: introduce FIT_HASH_ALG
Changqing Li (1):
gcc-runtime: fix C++ header mapping for n32/x32 tune
Chee Yang Lee (1):
wic/bootimg-efi: allow multiple initrd
Chen Qi (2):
manifest.py: fix test_SDK_manifest_entries
target-sdk-provides-dummy: add libperl.so.5 to DUMMY_PROVIDES
Chris PeBenito (1):
volatile-binds: Change cp to use -a instead of -p.
Denys Dmytriyenko (2):
mtd-utils: upgrade 2.0.2 -> 2.1.0+
mtd-utils: add "jffs" and "ubifs" PACKAGECONFIG options
He Zhe (1):
kernel: qemuarmv5: Update machine overrides of KERNEL_DEVICETREE
Joe Slater (1):
parted: change device manager check in ptest
Joshua Watt (1):
python3: Disable PGO for reproducible builds
Kai Kang (3):
systemd-conf: not configure network for nfs root
rng-tools: 6.6 -> 6.7
qemu: disable capstone for 32-bit mips with multilib
Lei Maohui (1):
openssl: Fix a build bug on aarch64BE.
Martin Jansa (4):
buildhistory: show time spent writting buildhistory
base.bbclass: define PACKAGECONFIG_CONFARGS before only sometimes appending to it
serf: stop scons trying to create directories in hosts rootfs
bitbake: tests/utils.py: add one more test cases for bb.utils.vercmp_string
Matt Madison (1):
apt: fix permissions on apt-daily script for systemd
Mingli Yu (1):
bitbake: add iconv to HOSTTOOLS
Pierre Le Magourou (4):
cve-update-db: New recipe to update CVE database
cve-check: Remove dependency to cve-check-tool-native
cve-check: Manage CVE_PRODUCT with more than one name
cve-check: Consider CVE that affects versions with less than operator
Ricardo Ribalda Delgado (4):
dpkg: Use less as pager
meson: Fix native patch to python3
rootfs: Fix dependency for every dpkg run
python3: python3: Fix build error x86->x86
Richard Purdie (7):
libxcrypt: Switch to disable obsolete APIs
libxcrypt-compat: Add recipe to build the obsolete APIs
uninative-tarball: Add libxcrypt-compat
openssh: Add missing DEPENDS on virtual/crypt
lttng-tools: Filter ptest output to remove random tmp directories
cmake: Clarify comment in cmake toolchain file
uninative: Update to 2.6 release
Robert Yang (2):
linux-dummy: Add do_compile_kernelmodules
make-mod-scripts: Depends on bison-native
Ross Burton (7):
insane: improve buildpath warning messages
insane: remove empty test that does nothing
binconfig: don't try to fix up .la files
libsdl2: use binconfig-disabled
glib-2.0: fix host path appearing in gsocketclient-slow test script
oeqa/logparser: ignore test failure commentary
python: make 'python' install everything instead of just the interpretter
Stefano Babic (1):
systat: systemd never enables the service
Tim Orling (4):
perl-rdepends.txt: more ptest dependencies fixes
libxml-sax-perl: upgrade 1.00 -> 1.02
libmodule-build-perl: move from meta-perl
libmodule-build-perl: upgrade 0.4224 -> 0.4229; enable ptest
Yi Zhao (2):
shadow: fix configure error with dash
less: upgrade 550 -> 551
Zang Ruochen (9):
lighttpd: Upgrade 1.4.53 -> 1.4.54
libevent:upgrade 2.1.8 -> 2.1.10
libevdev:upgrade 1.6.0 -> 1.7.0
gnutls:upgrade 3.6.7 -> 3.6.8
gnupg:upgrade 2.2.15 -> 2.2.16
curl:upgrade 7.64.1 -> 7.65.1
lttng-ust:upgrade 2.10.3 -> 2.10.4
xkeyboard:upgrade 2.26 -> 2.27
gobject-introspection:upgrade 1.60.1 -> 1.60.2
Change-Id: I3df401c6822e1c5c2ee9cff57c7264fe31c6d22d
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/poky/meta/classes/base.bbclass b/poky/meta/classes/base.bbclass
index 90af8ba..0c8a4b2 100644
--- a/poky/meta/classes/base.bbclass
+++ b/poky/meta/classes/base.bbclass
@@ -15,6 +15,8 @@
OE_IMPORTS += "os sys time oe.path oe.utils oe.types oe.package oe.packagegroup oe.sstatesig oe.lsb oe.cachedpath oe.license ${OE_EXTRA_IMPORTS}"
OE_IMPORTS[type] = "list"
+PACKAGECONFIG_CONFARGS ??= ""
+
def oe_import(d):
import sys
diff --git a/poky/meta/classes/binconfig.bbclass b/poky/meta/classes/binconfig.bbclass
index 133b953..9112ed4 100644
--- a/poky/meta/classes/binconfig.bbclass
+++ b/poky/meta/classes/binconfig.bbclass
@@ -40,15 +40,6 @@
-e 's:${STAGING_DIR_HOST}${prefix}:${prefix}:' \
$config
done
- for lafile in `find ${PKGD} -type f -name "*.la"` ; do
- sed -i \
- -e 's:${STAGING_BASELIBDIR}:${base_libdir}:g;' \
- -e 's:${STAGING_LIBDIR}:${libdir}:g;' \
- -e 's:${STAGING_INCDIR}:${includedir}:g;' \
- -e 's:${STAGING_DATADIR}:${datadir}:' \
- -e 's:${STAGING_DIR_HOST}${prefix}:${prefix}:' \
- $lafile
- done
}
SYSROOT_PREPROCESS_FUNCS += "binconfig_sysroot_preprocess"
diff --git a/poky/meta/classes/buildhistory.bbclass b/poky/meta/classes/buildhistory.bbclass
index 796f68c..2e501df 100644
--- a/poky/meta/classes/buildhistory.bbclass
+++ b/poky/meta/classes/buildhistory.bbclass
@@ -839,11 +839,15 @@
if e.data.getVar("BUILDHISTORY_COMMIT") == "1":
bb.note("Writing buildhistory")
bb.build.exec_func("buildhistory_write_sigs", d)
+ import time
+ start=time.time()
localdata = bb.data.createCopy(e.data)
localdata.setVar('BUILDHISTORY_BUILD_FAILURES', str(e._failures))
interrupted = getattr(e, '_interrupted', 0)
localdata.setVar('BUILDHISTORY_BUILD_INTERRUPTED', str(interrupted))
bb.build.exec_func("buildhistory_commit", localdata)
+ stop=time.time()
+ bb.note("Writing buildhistory took: %s seconds" % round(stop-start))
else:
bb.note("No commit since BUILDHISTORY_COMMIT != '1'")
}
diff --git a/poky/meta/classes/cmake.bbclass b/poky/meta/classes/cmake.bbclass
index f80a7e2..2b317c8 100644
--- a/poky/meta/classes/cmake.bbclass
+++ b/poky/meta/classes/cmake.bbclass
@@ -119,7 +119,7 @@
# directory as rpath by default
set( CMAKE_INSTALL_RPATH ${OECMAKE_RPATH} )
-# Use native cmake modules
+# Use our cmake modules
list(APPEND CMAKE_MODULE_PATH "${STAGING_DATADIR}/cmake/Modules/")
# add for non /usr/lib libdir, e.g. /usr/lib64
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index 743bc08..379f712 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd-json.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -62,7 +62,7 @@
}
addtask cve_check after do_unpack before do_build
-do_cve_check[depends] = "cve-check-tool-native:do_populate_sysroot cve-check-tool-native:do_populate_cve_db"
+do_cve_check[depends] = "cve-update-db:do_populate_cve_db"
do_cve_check[nostamp] = "1"
python cve_check_cleanup () {
@@ -163,61 +163,55 @@
def check_cves(d, patched_cves):
"""
- Run cve-check-tool looking for patched and unpatched CVEs.
+ Connect to the NVD database and find unpatched cves.
"""
-
import ast, csv, tempfile, subprocess, io
+ from distutils.version import LooseVersion
- cves_patched = []
cves_unpatched = []
- bpn = d.getVar("CVE_PRODUCT")
+ # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
+ bpn = d.getVar("CVE_PRODUCT").split()
# If this has been unset then we're not scanning for CVEs here (for example, image recipes)
- if not bpn:
+ if len(bpn) == 0:
return ([], [])
pv = d.getVar("CVE_VERSION").split("+git")[0]
- cves = " ".join(patched_cves)
- cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
- cve_cmd = "cve-check-tool"
- cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
# If the recipe has been whitlisted we return empty lists
if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
bb.note("Recipe has been whitelisted, skipping check")
return ([], [])
- try:
- # Write the faux CSV file to be used with cve-check-tool
- fd, faux = tempfile.mkstemp(prefix="cve-faux-")
- with os.fdopen(fd, "w") as f:
- for pn in bpn.split():
- f.write("%s,%s,%s,\n" % (pn, pv, cves))
- cmd.append(faux)
+ import sqlite3
+ db_file = d.getVar("CVE_CHECK_DB_FILE")
+ conn = sqlite3.connect(db_file)
+ c = conn.cursor()
- output = subprocess.check_output(cmd).decode("utf-8")
- bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output))
- except subprocess.CalledProcessError as e:
- bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output))
- finally:
- os.remove(faux)
+ query = """SELECT * FROM PRODUCTS WHERE
+ (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
+ (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
+ for idx in range(len(bpn)):
+ for row in c.execute(query.format(bpn[idx],pv)):
+ cve = row[1]
+ version = row[4]
- for row in csv.reader(io.StringIO(output)):
- # Third row has the unpatched CVEs
- if row[2]:
- for cve in row[2].split():
- # Skip if the CVE has been whitlisted for the current version
- if pv in cve_whitelist.get(cve,[]):
- bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve))
- else:
- cves_unpatched.append(cve)
- bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve))
- # Fourth row has patched CVEs
- if row[3]:
- for cve in row[3].split():
- cves_patched.append(cve)
- bb.debug(2, "%s-%s is patched for %s" % (bpn, pv, cve))
+ try:
+ discardVersion = LooseVersion(version) < LooseVersion(pv)
+ except:
+ discardVersion = True
- return (cves_patched, cves_unpatched)
+ if pv in cve_whitelist.get(cve,[]):
+ bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
+ elif cve in patched_cves:
+ bb.note("%s has been patched" % (cve))
+ elif discardVersion:
+ bb.debug(2, "Do not consider version %s " % (version))
+ else:
+ cves_unpatched.append(cve)
+ bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))
+ conn.close()
+
+ return (list(patched_cves), cves_unpatched)
def get_cve_info(d, cves):
"""
@@ -241,9 +235,10 @@
for row in cur.execute(query, tuple(cves)):
cve_data[row[0]] = {}
cve_data[row[0]]["summary"] = row[1]
- cve_data[row[0]]["score"] = row[2]
- cve_data[row[0]]["modified"] = row[3]
- cve_data[row[0]]["vector"] = row[4]
+ cve_data[row[0]]["scorev2"] = row[2]
+ cve_data[row[0]]["scorev3"] = row[3]
+ cve_data[row[0]]["modified"] = row[4]
+ cve_data[row[0]]["vector"] = row[5]
conn.close()
return cve_data
@@ -270,7 +265,8 @@
unpatched_cves.append(cve)
write_string += "CVE STATUS: Unpatched\n"
write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
- write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"]
+ write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
+ write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
diff --git a/poky/meta/classes/insane.bbclass b/poky/meta/classes/insane.bbclass
index fdc20c4..0695a04 100644
--- a/poky/meta/classes/insane.bbclass
+++ b/poky/meta/classes/insane.bbclass
@@ -259,13 +259,6 @@
package_qa_add_message(messages, "debug-files", "non debug package contains .debug directory: %s path %s" % \
(name, package_qa_clean_path(path,d)))
-QAPATHTEST[perms] = "package_qa_check_perm"
-def package_qa_check_perm(path,name,d, elf, messages):
- """
- Check the permission of files
- """
- return
-
QAPATHTEST[arch] = "package_qa_check_arch"
def package_qa_check_arch(path,name,d, elf, messages):
"""
@@ -408,7 +401,8 @@
with open(path, 'rb') as f:
file_content = f.read()
if tmpdir in file_content:
- package_qa_add_message(messages, "buildpaths", "File %s in package contained reference to tmpdir" % package_qa_clean_path(path,d))
+ trimmed = path.replace(os.path.join (d.getVar("PKGDEST"), name), "")
+ package_qa_add_message(messages, "buildpaths", "File %s in package %s contains reference to TMPDIR" % (trimmed, name))
QAPATHTEST[xorg-driver-abi] = "package_qa_check_xorg_driver_abi"
diff --git a/poky/meta/classes/kernel-fitimage.bbclass b/poky/meta/classes/kernel-fitimage.bbclass
index 9e224da..b51882d 100644
--- a/poky/meta/classes/kernel-fitimage.bbclass
+++ b/poky/meta/classes/kernel-fitimage.bbclass
@@ -50,6 +50,9 @@
# Options for the device tree compiler passed to mkimage '-D' feature:
UBOOT_MKIMAGE_DTCOPTS ??= ""
+# fitImage Hash Algo
+FIT_HASH_ALG ?= "sha256"
+
#
# Emit the fitImage ITS header
#
@@ -109,7 +112,7 @@
# $4 ... Compression type
fitimage_emit_section_kernel() {
- kernel_csum="sha1"
+ kernel_csum="${FIT_HASH_ALG}"
ENTRYPOINT="${UBOOT_ENTRYPOINT}"
if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
@@ -142,7 +145,7 @@
# $3 ... Path to DTB image
fitimage_emit_section_dtb() {
- dtb_csum="sha1"
+ dtb_csum="${FIT_HASH_ALG}"
dtb_loadline=""
dtb_ext=${DTB##*.}
@@ -176,7 +179,7 @@
# $3 ... Path to setup image
fitimage_emit_section_setup() {
- setup_csum="sha1"
+ setup_csum="${FIT_HASH_ALG}"
cat << EOF >> ${1}
setup@${2} {
@@ -203,7 +206,7 @@
# $3 ... Path to ramdisk image
fitimage_emit_section_ramdisk() {
- ramdisk_csum="sha1"
+ ramdisk_csum="${FIT_HASH_ALG}"
ramdisk_ctype="none"
ramdisk_loadline=""
ramdisk_entryline=""
@@ -261,7 +264,7 @@
# $6 ... default flag
fitimage_emit_section_config() {
- conf_csum="sha1"
+ conf_csum="${FIT_HASH_ALG}"
if [ -n "${UBOOT_SIGN_ENABLE}" ] ; then
conf_sign_keyname="${UBOOT_SIGN_KEYNAME}"
fi