December 2020 - openSUSE Commits - openSUSE Mailing Lists

commit ovmf for openSUSE:Leap:15.2:Update
by User for buildservice source handling 22 Dec '20

22 Dec '20

Hello community, here is the log from the commit of package ovmf for openSUSE:Leap:15.2:Update checked in at 2020-12-22 06:22:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2:Update/ovmf (Old) and /work/SRC/openSUSE:Leap:15.2:Update/.ovmf.new.5145 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ovmf" Tue Dec 22 06:22:51 2020 rev:3 rq:856935 version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _link ++++++ --- /var/tmp/diff_new_pack.kv4NcJ/_old 2020-12-22 06:22:52.444557663 +0100 +++ /var/tmp/diff_new_pack.kv4NcJ/_new 2020-12-22 06:22:52.444557663 +0100 @@ -1 +1 @@ -<link package='ovmf.14143' cicount='copy' /> +<link package='ovmf.15364' cicount='copy' />

1 0

commit ovmf.15364 for openSUSE:Leap:15.2:Update
by User for buildservice source handling 22 Dec '20

22 Dec '20

Hello community, here is the log from the commit of package ovmf.15364 for openSUSE:Leap:15.2:Update checked in at 2020-12-22 06:22:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2:Update/ovmf.15364 (Old) and /work/SRC/openSUSE:Leap:15.2:Update/.ovmf.15364.new.5145 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "ovmf.15364" Tue Dec 22 06:22:49 2020 rev:1 rq:856935 version:201911 Changes: -------- New Changes file: --- /dev/null 2020-12-09 01:05:43.965003977 +0100 +++ /work/SRC/openSUSE:Leap:15.2:Update/.ovmf.15364.new.5145/ovmf.changes 2020-12-22 06:22:51.312556425 +0100 @@ -0,0 +1,3646 @@ +------------------------------------------------------------------- +Wed Dec 2 09:03:01 UTC 2020 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Add ovmf-bsc1177789-cryptopkg-fix-null-dereference.patch to fix + the potential NULL dereference in AuthenticodeVerify() + (bsc#1177789, CVE-2019-14584) + +------------------------------------------------------------------- +Thu Sep 3 03:07:28 UTC 2020 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Add ovmf-bsc1175476-fix-DxeImageVerificationLib-overflow.patch + to fix overflow in DxeImageVerificationHandler + (bsc#1175476, CVE-2019-14562) + +------------------------------------------------------------------- +Mon Jul 20 07:32:48 UTC 2020 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Add ovmf-bsc1119454-additional-scsi-drivers.patch to support more + SCSI drivers (PvScsi, MptScsi, and LsiScsi) (bsc#1119454) + + Enable LsiScsi explicitly since it's disabled by default + +------------------------------------------------------------------- +Mon Apr 6 03:54:48 UTC 2020 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Add ovmf-bsc1163927-fix-ping-and-ip6dxe.patch to fix crash and + hang in ShellPkg and Ip6Dxe (bsc#1163927, CVE-2019-14559) + +------------------------------------------------------------------- +Mon Feb 24 04:00:24 UTC 2020 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Add ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch to fix + dbx signature check (bsc#1163969, CVE-2019-14575) + + Also change the order of several patches to distinguish the + openssl patch +- Add ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch to fix memory + leakage in Ip4Dxe and ArpDxe (bsc#1163927, CVE-2019-14559) + +------------------------------------------------------------------- +Tue Feb 18 09:24:30 UTC 2020 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Add ovmf-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch + to fix the numeric truncation to avoid the potential memory + corruption (bsc#1163959, CVE-2019-14563) + +------------------------------------------------------------------- +Mon Feb 3 02:14:23 UTC 2020 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Build the unified firmware with preloaded keys for backward + compatibility (bsc#1159793) + +------------------------------------------------------------------- +Fri Dec 20 09:11:37 UTC 2019 - Dirk Mueller <dmueller(a)suse.com> + +- only build -aarch32 Cortex-A15 EFI on armv7hl + +------------------------------------------------------------------- +Tue Dec 3 02:35:19 UTC 2019 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Update to edk2-stable201911 + + SecurityPkg: Fix TPM2 ACPI measurement + + MdeModulePkg: Enable variable runtime cache by default + + OvmfPkg: Disable variable runtime cache + + MdeModulePkg/Variable: Add RT GetVariable() cache support + + CryptoPkg: Upgrade OpenSSL to 1.1.1d + + MdePkg-UefiSpec.h: Add UEFI 2.8 new memory attributes + + MdePkg/UefiFileHandleLib: Fix potential NULL dereference + + NetworkPkg/HttpDxe: Set the HostName for the verification + (CVE-2019-14553) + + NetworkPkg/TlsDxe: Add the support of host validation to TlsDxe + driver (CVE-2019-14553) + + CryptoPkg/TlsLib: TlsSetVerifyHost: parse IP address literals + as such (CVE-2019-14553) + + CryptoPkg/TlsLib: Add the new API "TlsSetVerifyHost" + (CVE-2019-14553) + + MdePkg/Include/Protocol/Tls.h: Add the data type of + EfiTlsVerifyHost (CVE-2019-14553) + + MdeModulePkg/BdsDxe: Fix PlatformRecovery issue + + NetworkPkg/SnpDxe: Add PCD to remove ExitBootServices event + from SNP driver + + MdeModulePkg: Update to support SmBios 3.3.0 + + UefiCpuPkg/MpInitLib: honor the platform's boot CPU count in AP + detection + + SecurityPkg/Tcg2: Add Support Laml, Lasa for TPM2 ACPI + + OvmfPkg/PlatformDxe: fix EFI_HII_HANDLE parameters of internal + functions + + OvmfPkg/VirtioNetDxe: fix SignalEvent() call + + OvmfPkg/XenBusDxe: fix UninstallMultipleProtocolInterfaces() + call + + NetworkPkg/Ip4Dxe: fix NetLibDestroyServiceChild() call + + MdeModulePkg/ScsiDiskDxe: Support Storage Security Command + Protocol + + MdePkg: Implement SCSI commands for Security Protocol In/Out + + MdeModulePkg/TerminalDxe: Enhance the arrow keys support + + MdeModulePkg/UefiBootManager: Unload image on + EFI_SECURITY_VIOLATION + + MdeModulePkg/DxeCapsuleLibFmp: Unload image on + EFI_SECURITY_VIOLATION + + MdeModulePkg: Extend the support keyboard type of Terminal + console + + UefiCpuPkg/CpuExceptionHandlerLib: Fix split lock + + UefiCpuPkg: Fix potential spinLock issue in SmmStartupThisAp + + UefiCpuPkg/PiSmmCpu: Enable 5L paging only when phy addr line + > 48 + + OvmfPkg/EnrollDefaultKeys: clean up Base64Decode() retval + handling + + ArmVirtPkg/PlatformBootManagerLib: unload image on + EFI_SECURITY_VIOLATION + + ShellPkg/ShellPkg.dsc AARCH64: enable stack protector + + ArmVirtPkg/ArmVirtPrePiUniCoreRelocatable: revert to PIE + linking + + BaseTools/GenFw AARCH64: fix up GOT based relative relocations + + ShellPkg/Pci.c: Update supported link speed to PCI5.0 + + PcAtChipsetPkg: add PcdRealTimeClockUpdateTimeout + + UefiCpuPkg: Add PcdCpuSmmRestrictedMemoryAccess + + ShellPkg/CommandLib: avoid NULL derefence and memory leak + + MdePkg/DxeHstiLib: Added checks to improve error handling + + BaseTools: Support more file types in build cache + + UefiCpuPkg/SecCore: get AllSecPpiList after SecPlatformMain +- Update openssl to 1.1.1d + + Add openssl-fix-syntax-error.patch to fix a syntax error +- Drop ovmf-bsc1153072-fix-invalid-https-cert.patch + + Already upstreamed + +------------------------------------------------------------------- +Fri Nov 8 04:09:48 UTC 2019 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Use the same x86 4MB firmware names as the ones in the previous + version (< stable201905) for backward compatibility + +------------------------------------------------------------------- +Wed Nov 6 03:01:29 UTC 2019 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Update to edk2-stable201908 + + Add TLS and IPv6 supports for ArmVirtQemu + + Various fixes and updates for TPM2 + + Various fixes for OvmfPkg and the underlying infrastructures + + Drop the build requirement of python2 + + Drop the obsolete IntelFrameworkPkg and IntelFrameworkModulePkg + + Remove ShellBinPkg and move the platform packages out of edk2 +- Update openssl to 1.1.1b + + Add berkeley-softfloat-3-b64af41c3276f.tar.xz since arm7 needs + the softfloat implementation for openssl 1.1.1b +- Add ovmf-bsc1153072-fix-invalid-https-cert.patch to reject the + invalid server certificates for HTTPS Boot + (bsc#1153072, CVE-2019-14553) +- Build the varstore templates with EnrollDefaultKeys.efi + + Create the iso files for key enrollment + - Add gen-key-enrollment-iso.sh to generate the iso file + + Drop the non-upstream ovmf-embed-default-keys.patch + - Also drop owner-guid-zero.h + + Drop the MS keys and dbx since they are already in + EnrollDefaultKeys.efi: MicCorKEKCA2011_2011-06-24.crt, + MicCorUEFCA2011_2011-06-27.crt, MicWinProPCA2011_2011-10-19.crt, + and dbxupdate.zip + - Also drop the related script strip_authinfo.pl + + Add ovmf-set-fixed-enroll-time.patch to set the fixed enrolling + time to make the varstore template reproducible + + Require qemu 3.0.0 for fw_cfg +- Enable TLS (HTTPS Boot) and TPM2 support +- Add the firmware descriptors for QEMU +- Update README to match the current settings +- Update the License tag to BSD-2-Clause-Patent +- Build SecureBoot firmwares for aarch64 +- Add a new "smm" flavor to enable System Management Mode + + Also add ovmf-add-exclude-shell-flag.patch to exclude shell + from the resultant SMM firmware files +- Retire the old openSUSE 4096 bit certificates since all those + programs are unmaintained. +- Drop upstreamed patches + + ovmf-bsc1092943-fix-attributes-table.patch + + ovmf-bsc1099193-fix-sev-flash-variables.patch + + ovmf-bsc1115916-fix-timestamp-zeroing.patch + + ovmf-bsc1115917-bounds-checking-for-ueficompress.patch + + ovmf-bsc1127820-fix-blockio-buffer-overflow.patch + + ovmf-bsc1127821-dns-check-packet-size.patch + + ovmf-bsc1127822-fix-fv-parsing.patch + + ovmf-bsc1128503-fix-stack-overflow-in-HiiImage-and-HiiDatabase.patch + + ovmf-bsc1130267-overflow-in-partition-and-udf.patch + + ovmf-bsc1131361-fix-stack-overflow-xhci.patch +- Refresh patches: + + ovmf-add-exclude-shell-flag.patch + + ovmf-disable-ia32-firmware-piepic.patch + + ovmf-pie.patch +- Drop the requirement of xxd + +------------------------------------------------------------------- +Tue Apr 9 03:33:40 UTC 2019 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Add ovmf-bsc1131361-fix-stack-overflow-xhci.patch to fix stack + overflow in UsbBusDxe and UsbBusPei (bsc#1131361, CVE-2019-0161) + +------------------------------------------------------------------- +Mon Mar 25 03:33:47 UTC 2019 - Gary Ching-Pang Lin <glin(a)suse.com> + +- Add ovmf-bsc1130267-overflow-in-partition-and-udf.patch to fix + buffer overflows in PartitionDxe and UdfDxe (bsc#1130267, + CVE-2019-0160) ++++ 3449 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.ovmf.15364.new.5145/ovmf.changes New: ---- README SLES-UEFI-CA-Certificate-2048.crt _service berkeley-softfloat-3-b64af41c3276f.tar.xz descriptors.tar.xz edk2-stable201911.tar.gz gdb_uefi.py.in gen-key-enrollment-iso.sh openSUSE-UEFI-CA-Certificate-2048.crt openSUSE-UEFI-SIGN-Certificate-2048.crt openssl-1.1.1d.tar.gz openssl-1.1.1d.tar.gz.asc openssl-fix-syntax-error.patch openssl.keyring ovmf-add-exclude-shell-flag.patch ovmf-bsc1119454-additional-scsi-drivers.patch ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch ovmf-bsc1163927-fix-ping-and-ip6dxe.patch ovmf-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch ovmf-bsc1175476-fix-DxeImageVerificationLib-overflow.patch ovmf-bsc1177789-cryptopkg-fix-null-dereference.patch ovmf-disable-ia32-firmware-piepic.patch ovmf-gdb-symbols.patch ovmf-pie.patch ovmf-rpmlintrc ovmf-set-fixed-enroll-time.patch ovmf.changes ovmf.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ovmf.spec ++++++ ++++ 650 lines (skipped) ++++++ README ++++++ Running the OVMF image in qemu ============================== The easiest way to run the OVMF image is to specify a pflash device for the firmware file. Here is the example to use OVMF in the flash mode: $ cp /usr/share/qemu/ovmf-x86_64.bin . $ qemu-system-x86_64 -pflash ovmf-x86_64.bin Please make sure the file is writable before using the flash mode, or all your changes won't be saved. Starting from r15670, two extra firmware files are provided for the flash mode: ovmf-*-code.bin and ovmf-*-vars.bin, and all non-volatile variables will be stored in ovmf-*-vars.bin. Example: $ cp /usr/share/qemu/ovmf-x86_64-vars.bin . $ qemu-system-x86_64 \ -drive if=pflash,format=raw,unit=0,readonly,file=/usr/share/qemu/ovmf-x86_64-code.bin \ -drive if=pflash,format=raw,unit=1,file=ovmf-x86_64-vars.bin It would be easier to manage the NV variables with the separated vars firmware. NOTE: Running OVMF with '-bios' is deprecated and should not be used anymore. Variable Stores with preloaded keys ----------------------------------- Besides the generic OVMF images, there are images preloaded with different vendor keys. ovmf-x86_64-smm-ms-vars.bin - PK: SUSE Linux Enterprise Secure Boot CA - KEK: Microsoft Corporation KEK CA 2011, SUSE Linux Enterprise Secure Boot CA - db: Microsoft Corporation UEFI CA 2011, Microsoft Windows Production PCA 2011 ovmf-x86_64-smm-opensuse-vars.bin - PK: openSUSE Secure Boot CA - KEK: openSUSE Secure Boot CA - db: openSUSE Secure Boot CA ovmf-x86_64-smm-suse-vars.bin - PK: SUSE Linux Enterprise Secure Boot CA - KEK: SUSE Linux Enterprise Secure Boot CA - db: SUSE Linux Enterprise Secure Boot CA Note that the preloaded key images are all 64 bit because openSUSE/SLE and Windows only support Secure Boot in 64 bit mode. Those variable stores are created with EnrollDefaultKeys.efi which enrolls the Microsoft keys into KEK and db. It also reads the key from SMBIOS Type 11 and enrolls the key into PK and KEK. If the "--no-default" switch is provided, the program will ignore the Microsoft keys and enroll the key from SMBIOS into db instead. x86_64 4MB images ----------------- The OVMF upstream decides to switch the default flash size to 4MB since the edk2 commit 1c47fcd465a496. It's mainly for Windows HCK which requests a larger variable store. To maintain the backward compatibility, the 4MB images are built separately. Only those images with 4m, e.g. ovmf-x86_64-4m.bin, are the 4MB images. Otherwise, it's built with FD_SIZE_2MB, i.e. a 2MB image. x86_64 SMM Support ------------------ The image files with "-smm", e.g. ovmf-x86_64-smm.bin, are the images with SMM support. SMM provides better (virtual) hardware separation between the guest OS and the firmware to prevent the runtime guest OS from tampering with the variable store and S3 areas, so it's recommended to enable SMM along with Secure Boot. Here are the requirements to use the SMM images: * SMM support requires QEMU 2.5. * The minimum required QEMU machine type is "pc-q35-2.5". * SMM with KVM requires Linux 4.4 (host). Here are the qemu commands to start a VM with SMM support: $ cp /usr/share/qemu/ovmf-x86_64-smm-vars.bin . $ qemu-system-x86_64 \ -machine q35,smm=on,accel=(tcg|kvm) \ -global driver=cfi.pflash01,property=secure,value=on \ -drive if=pflash,format=raw,unit=0,readonly,file=/usr/share/qemu/ovmf-x86_64-smm-code.bin \ -drive if=pflash,format=raw,unit=1,file=ovmf-x86_64-smm-vars.bin \ -global ICH9-LPC.disable_s3=1 \ ... NOTE: The pflash variable store is required to use OVMF with SMM. Creating Platform and Key Exchange keys ======================================= A note about terminology. In UEFI terms, "key" means certificate (not the openssl key). UEFI keys are required to be based on RSA 2048 bit keys. The Platform key and Key Exchange Keys should be the equivalent of CA root certificates (i.e. a self signed certificate). Note that in current tianocore OVMF, the input certificates, if taken from external media, *must* be in a file with a .cer extension and in DER format. The platform key is the key which controls updates to the Key Exchange Key database. The Key Exchange Key controls updates to the signature databases. Note that if the Key Exchange Key is an X509 key, any key which has the KEK as its root signature can also be used to validate an efi binary without need for any entries in the signatures database. Create Platform Key (PK) ------------------------ openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt -days <length> Note that the Key is PK.crt (PK.key is the private key you use to sign other certificates) Now convert to DER format openssl x509 -in PK.crt -out PK.cer -outform DER The file PK.cer can be placed on a USB key for enrolling as the platform key. Create Key Exchange Key (KEK) ----------------------------- This is done exactly as the Platform key above, except call the file KEK.cer instead. Note, for expermentation purposes, there's no reason the KEK and the PK can't be the same certificate. Creating derived keys from the KEK ---------------------------------- This process can be used to create subordinate keys which can be used to sign efi binaries (since their roots can be traced back to the KEK). openssl req -new -newkey rsa:2048 -keyout new.key -out new.csr -days <length> Now sign the certificate request with the KEK: openssl x509 -req -in new.csr -CA KEK.crt -CAkey KEK.key -set_serial 1 -out new.crt Note that since the new key doesn't have to be enrolled in the platform because its root of trust can be traced back to the KEK, there's no need to create a DER form of the key (the sbsign utilites used to sign efi binaries take the key.crt file which is in PEM form). Running the UEFI ARM image in qemu ================================== There are two flavors of the UEFI ARM images: AArch32 and AArch64. For the AArch64 image, use the following command: qemu-system-aarch64 -m 1024 -M virt -cpu cortex-a57 -bios /usr/share/qemu/qemu-uefi-aarch64.bin -serial stdio For AArch32: qemu-system-arm -m 1024 -M virt -cpu cortex-a15 -bios /usr/share/qemu/qemu-uefi-aarch32.bin -serial stdio Source Level Debugging ====================== It's possible to debug OVMF with gdb connecting to qemu with the following steps: (1) install the debug package: qemu-ovmf-x86_64-debug (2) Start the virtual machine with '-s' or "-gdb tcp::1234" (3) Start gdb in another terminal and issue the following commands: (gdb) set architecture i386:x86-64:intel (gdb) target remote localhost:1234 (gdb) source /usr/share/ovmf-x86_64/gdb_uefi-ovmf-x86_64-<flavor>.py (gdb) reload-uefi -o /usr/lib/debug/ovmf-x86_64/DebugPkg/GdbSyms/GdbSyms/DEBUG/GdbSyms.dll (4) Happy debugging Reference: https://www.mail-archive.com/edk2-devel@lists.sourceforge.net/msg07075.html Note: It's also possible to debug OVMF with Xen, but the way to set up the port is differnt. Instead of adding the port number to qemu, you need gdbsx. Before starting gdb, execute this command: # gdbsx -a <domainid> 64 1234 Then gdbsx will listen to port 1234 for the specific domainU. The rest is the same as qemu. ++++++ _service ++++++ <services> <service name="tar_scm" mode="disabled"> <param name="filename">ovmf</param> <param name="versionformat">2017+git%at.%h</param> <param name="revision">UDK2017</param> <param name="url">https://github.com/tianocore/edk2.git</param> <param name="scm">git</param> </service> <service name="recompress" mode="disabled"> <param name="compression">xz</param> <param name="file">*.tar</param> </service> <service name="set_version" mode="disabled"/> </services> ++++++ gdb_uefi.py.in ++++++ """ Allows loading TianoCore symbols into a GDB session attached to EFI Firmware. This is how it works: build GdbSyms - it's a dummy binary that contains the relevant symbols needed to find and load image symbols. $ gdb (gdb) taget remote .... (gdb) source Scripts/gdb_uefi.py (gdb) reload-uefi -o /path/to/GdbSyms.dll The -o option should be used if you've debugging EFI, where the PE images were converted from MACH-O or ELF binaries. """ import array import getopt import binascii import re __license__ = "BSD" __version = "1.0.0" __maintainer__ = "Andrei Warkentin" __email__ = "andrey.warkentin(a)gmail.com" __status__ = "Works" # FOR RPM PACKAGE replace the strings in the spec file build_path="__BUILD_PATH__" source_path="__SOURCE_PATH__" gdb_src_path="__GDB_SRC_PATH__" flavor="__FLAVOR__" class ReloadUefi (gdb.Command): """Reload UEFI symbols""" # # Various constants. # EINVAL = 0xffffffff CV_NB10 = 0x3031424E CV_RSDS = 0x53445352 CV_MTOC = 0x434F544D DOS_MAGIC = 0x5A4D PE32PLUS_MAGIC = 0x20b EST_SIGNATURE = 0x5453595320494249L DEBUG_GUID = [0x49152E77, 0x1ADA, 0x4764, [0xB7,0xA2,0x7A,0xFE, 0xFE,0xD9,0x5E, 0x8B]] DEBUG_IS_UPDATING = 0x1 # # If the images were built as ELF/MACH-O and then converted to PE, # then the base address needs to be offset by PE headers. # offset_by_headers = False def __init__ (self): super (ReloadUefi, self).__init__ ("reload-uefi", gdb.COMMAND_OBSCURE) # # Returns gdb.Type for a type. # def type (self, typename): return gdb.lookup_type (typename) # # Returns gdb.Type for a pointer to a type. # def ptype (self, typename): return gdb.lookup_type (typename).pointer () # # Computes CRC32 on an array of data. # def crc32 (self, data): return binascii.crc32 (data) & 0xFFFFFFFF # # Sets a field in a struct to a value, i.e. # value->field_name = data. # # Newer Py bindings to Gdb provide access to the inferior # memory, but not all, so have to do it this awkward way. # def set_field (self, value, field_name, data): gdb.execute ("set *(%s *) 0x%x = 0x%x" % \ (str (value[field_name].type), \ long (value[field_name].address), \ data)) # # Returns data backing a gdb.Value as an array. # Same comment as above regarding newer Py bindings... # def value_data (self, value, bytes=0): value_address = gdb.Value (value.address) array_t = self.ptype ('UINT8') value_array = value_address.cast (array_t) if bytes == 0: bytes = value.type.sizeof data = array.array ('B') for i in range (0, bytes): data.append (value_array[i]) return data # # Locates the EFI_SYSTEM_TABLE as per UEFI spec 17.4. # Returns base address or -1. # def search_est (self): address = 0 estp_t = self.ptype ('EFI_SYSTEM_TABLE_POINTER') while True: estp = gdb.Value(address).cast(estp_t) if estp['Signature'] == self.EST_SIGNATURE: oldcrc = long (estp['Crc32']) self.set_field (estp, 'Crc32', 0) newcrc = self.crc32 (self.value_data (estp.dereference (), 0)) self.set_field (estp, 'Crc32', long (oldcrc)) if newcrc == oldcrc: return estp['EfiSystemTableBase'] address = address + 4*1024*1024 if long (address) == 0: return gdb.Value(self.EINVAL) # # Searches for a vendor-specific configuration table (in EST), # given a vendor-specific table GUID. GUID is a list like - # [32-bit, 16-bit, 16-bit, [8 bytes]] # def search_config (self, cfg_table, count, guid): index = 0 while index != count: cfg_entry = cfg_table[index]['VendorGuid'] if cfg_entry['Data1'] == guid[0] and \ cfg_entry['Data2'] == guid[1] and \ cfg_entry['Data3'] == guid[2] and \ self.value_data (cfg_entry['Data4']).tolist () == guid[3]: return cfg_table[index]['VendorTable'] index = index + 1 return gdb.Value(self.EINVAL) # # Returns a UTF16 string corresponding to a (CHAR16 *) value in EFI. # def parse_utf16 (self, value): index = 0 data = array.array ('H') while value[index] != 0: data.append (value[index]) index = index + 1 return data.tostring ().decode ('utf-16') # # Returns offset of a field within structure. Useful # for getting container of a structure. # def offsetof (self, typename, field): t = gdb.Value (0).cast (self.ptype (typename)) return long (t[field].address) # # Returns sizeof of a type. # def sizeof (self, typename): return self.type (typename).sizeof # # Returns the EFI_IMAGE_NT_HEADERS32 pointer, given # an ImageBase address as a gdb.Value. # def pe_headers (self, imagebase): dosh_t = self.ptype ('EFI_IMAGE_DOS_HEADER') head_t = self.ptype ('EFI_IMAGE_OPTIONAL_HEADER_UNION') dosh = imagebase.cast(dosh_t) h_addr = imagebase if dosh['e_magic'] == self.DOS_MAGIC: h_addr = h_addr + dosh['e_lfanew'] return gdb.Value(h_addr).cast (head_t) # # Returns True if pe_headers refer to a PE32+ image. # def pe_is_64 (self, pe_headers): if pe_headers['Pe32']['OptionalHeader']['Magic'] == self.PE32PLUS_MAGIC: return True return False # # Returns the PE (not so) optional header. # def pe_optional (self, pe): if self.pe_is_64 (pe): return pe['Pe32Plus']['OptionalHeader'] else: return pe['Pe32']['OptionalHeader'] # # Returns the symbol file name for a PE image. # def pe_parse_debug (self, pe): opt = self.pe_optional (pe) debug_dir_entry = opt['DataDirectory'][6] dep = debug_dir_entry['VirtualAddress'] + opt['ImageBase'] dep = dep.cast (self.ptype ('EFI_IMAGE_DEBUG_DIRECTORY_ENTRY')) cvp = dep.dereference ()['RVA'] + opt['ImageBase'] cvv = cvp.cast(self.ptype ('UINT32')).dereference () if cvv == self.CV_NB10: return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY') elif cvv == self.CV_RSDS: return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY') elif cvv == self.CV_MTOC: return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY') return gdb.Value(self.EINVAL) # # Parses an EFI_LOADED_IMAGE_PROTOCOL, figuring out the symbol file name. # This file name is then appended to list of loaded symbols. # # TBD: Support TE images. # def parse_image (self, image, syms): base = image['ImageBase'] pe = self.pe_headers (base) opt = self.pe_optional (pe) sym_name = self.pe_parse_debug (pe) # For ELF and Mach-O-derived images... if self.offset_by_headers: base = base + opt['SizeOfHeaders'] if sym_name != self.EINVAL: sym_name = sym_name.cast (self.ptype('CHAR8')).string () # Ignore the driver from qemu if re.search (r"\.efidrv$", sym_name): return # FOR RPM PACKAGE substitute the build path sym_name = re.sub(r"^"+re.escape(build_path), "/usr/lib/debug/"+flavor, sym_name) sym_name = re.sub(r"\.dll$", ".debug", sym_name) syms.append ("add-symbol-file %s 0x%x" % \ (sym_name, long (base))) # # Parses table EFI_DEBUG_IMAGE_INFO structures, builds # a list of add-symbol-file commands, and reloads debugger # symbols. # def parse_edii (self, edii, count): index = 0 syms = [] while index != count: entry = edii[index] if entry['ImageInfoType'].dereference () == 1: entry = entry['NormalImage'] self.parse_image(entry['LoadedImageProtocolInstance'], syms) else: print "Skipping unknown EFI_DEBUG_IMAGE_INFO (Type 0x%x)" % \ entry['ImageInfoType'].dereference () index = index + 1 gdb.execute ("symbol-file") print "Loading new symbols..." for sym in syms: print sym gdb.execute (sym) # # Parses EFI_DEBUG_IMAGE_INFO_TABLE_HEADER, in order to load # image symbols. # def parse_dh (self, dh): dh_t = self.ptype ('EFI_DEBUG_IMAGE_INFO_TABLE_HEADER') dh = dh.cast (dh_t) print "DebugImageInfoTable @ 0x%x, 0x%x entries" \ % (long (dh['EfiDebugImageInfoTable']), dh['TableSize']) if dh['UpdateStatus'] & self.DEBUG_IS_UPDATING: print "EfiDebugImageInfoTable update in progress, retry later" return self.parse_edii (dh['EfiDebugImageInfoTable'], dh['TableSize']) # # Parses EFI_SYSTEM_TABLE, in order to load image symbols. # def parse_est (self, est): est_t = self.ptype ('EFI_SYSTEM_TABLE') est = est.cast (est_t) print "Connected to %s (Rev. 0x%x)" % \ (self.parse_utf16 (est['FirmwareVendor']), \ long (est['FirmwareRevision'])) print "ConfigurationTable @ 0x%x, 0x%x entries" \ % (long (est['ConfigurationTable']), est['NumberOfTableEntries']) dh = self.search_config(est['ConfigurationTable'], est['NumberOfTableEntries'], self.DEBUG_GUID) if dh == self.EINVAL: print "No EFI_DEBUG_IMAGE_INFO_TABLE_HEADER" return self.parse_dh (dh) # # Usage information. # def usage (self): print "Usage: reload-uefi [-o] /path/to/GdbSyms.dll" # # Handler for reload-uefi. # def invoke (self, arg, from_tty): args = arg.split(' ') try: opts, args = getopt.getopt(args, "o", ["offset-by-headers"]) except getopt.GetoptError, err: self.usage () return for opt, arg in opts: if opt == "-o": self.offset_by_headers = True if len(args) < 1: self.usage () return # FOR RPM PACKAGE substitute the path of the source code gdb.execute ("set substitute-path "+source_path+" "+gdb_src_path) gdb.execute ("symbol-file") gdb.execute ("symbol-file %s" % args[0]) est = self.search_est () if est == self.EINVAL: print "No EFI_SYSTEM_TABLE..." return print "EFI_SYSTEM_TABLE @ 0x%x" % est self.parse_est (est) ReloadUefi () ++++++ gen-key-enrollment-iso.sh ++++++ #!/bin/bash -e # The script to generate the key enrollment iso file # based on build_iso() in https://git.kraxel.org/cgit/jenkins/edk2/tree/edk2.git.spec # Example: $0 X64 Shell.efi EnrollDefaultKeys.efi default key.iso usage() { PROG_NAME=$1 echo "Usage: $PROG_NAME <Arch> <Shell> <Enroller> <Type> <ISO NAME>" echo "ex: $PROG_NAME X64 Shell.efi EnrollDefaultKeys.efi default key.iso" } ARCH=$(echo $1 | tr '[:lower:'] '[:upper:]') UEFI_SHELL_BINARY="$2" ENROLLER_BINARY="$3" TYPE="$4" ISO_NAME="$5" # Check the arguments if [ x$ARCH != xX64 ] && [ x$ARCH != xAARCH64 ]; then echo "Supported architecture: X64, AARCH64" usage $0 exit 1 fi if [ x$UEFI_SHELL_BINARY == x ] || [ ! -e "$UEFI_SHELL_BINARY" ]; then echo "Please specify the UEFI shell binary" usage $0 exit 1 fi if [ x$ENROLLER_BINARY == x ] || [ ! -e "$ENROLLER_BINARY" ]; then echo "Please specify the enroller binary" usage $0 exit 1 fi if [ x$TYPE == x ]; then echo "Please specify the type of image: default or no-default" usage $0 exit 1 fi if [ x$ISO_NAME == x ]; then echo "Please specify the name of output iso" usage $0 exit 1 fi ISO_PATH=$(realpath $ISO_NAME) TMP_DIR=$(mktemp -d) cp $UEFI_SHELL_BINARY $TMP_DIR/Shell.efi cp $ENROLLER_BINARY $TMP_DIR/EnrollDefaultKeys.efi UEFI_BOOT_EFI=$( if [ $ARCH == "X64" ]; then echo bootx64.efi elif [ $ARCH == "AARCH64" ]; then echo bootaa64.efi else exit 1 fi ) UEFI_SHELL_SIZE=$(stat --format=%s -- "$UEFI_SHELL_BINARY") ENROLLER_SIZE=$(stat --format=%s -- "$ENROLLER_BINARY") START_SCRIPT=$TMP_DIR/"startup.nsh" # Enter the first ESP echo "fs0:" > $START_SCRIPT # Enroll the keys if [ $TYPE == "default" ]; then echo "EnrollDefaultKeys.efi" >> $START_SCRIPT else echo "EnrollDefaultKeys.efi --no-default" >> $START_SCRIPT fi # Reset BootOrder echo "setvar BootOrder -guid 8be4df61-93ca-11d2-aa0d-00e098032b8c -bs -rt -nv =" >> $START_SCRIPT # Shutdown the system echo "reset -s" >> $START_SCRIPT UEFI_SHELL_IMAGE=uefi_shell_${ARCH}_${TYPE}.img # Add 1MB then 10% for metadata UEFI_SHELL_IMAGE_KB=$(( (UEFI_SHELL_SIZE + ENROLLER_SIZE + 1 * 1024 * 1024) * 11 / 10 / 1024 )) pushd $TMP_DIR # Create non-partitioned FAT image rm -f -- "$UEFI_SHELL_IMAGE" /usr/sbin/mkdosfs -C "$UEFI_SHELL_IMAGE" -n UEFI_SHELL -- "$UEFI_SHELL_IMAGE_KB" export MTOOLS_SKIP_CHECK=1 mmd -i "$UEFI_SHELL_IMAGE" ::efi mmd -i "$UEFI_SHELL_IMAGE" ::efi/boot mcopy -i "$UEFI_SHELL_IMAGE" Shell.efi ::efi/boot/$UEFI_BOOT_EFI mcopy -i "$UEFI_SHELL_IMAGE" "$START_SCRIPT" ::efi/boot/startup.nsh mcopy -i "$UEFI_SHELL_IMAGE" EnrollDefaultKeys.efi ::EnrollDefaultKeys.efi mdir -i "$UEFI_SHELL_IMAGE" -/ :: # build ISO with FAT image file as El Torito EFI boot image mkisofs -input-charset ASCII -J -rational-rock \ -eltorito-platform efi -eltorito-boot "$UEFI_SHELL_IMAGE" \ -no-emul-boot -o "$ISO_PATH" -- "$UEFI_SHELL_IMAGE" popd #rm -rf $TMP_DIR ++++++ openssl-fix-syntax-error.patch ++++++ From c3656cc594daac8167721dde7220f0e59ae146fc Mon Sep 17 00:00:00 2001 From: "Dr. Matthias St. Pierre" <Matthias.St.Pierre(a)ncp-e.com> Date: Wed, 11 Sep 2019 10:25:43 +0200 Subject: [PATCH] crypto/threads_none.c: fix syntax error in openssl_get_fork_id() Fixes #9858 Reviewed-by: Matt Caswell <matt(a)openssl.org> (Merged from https://github.com/openssl/openssl/pull/9860) --- crypto/threads_none.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/threads_none.c b/crypto/threads_none.c index aabf0e0dc0..aaaaae872a 100644 --- a/crypto/threads_none.c +++ b/crypto/threads_none.c @@ -143,7 +143,7 @@ int openssl_get_fork_id(void) # if defined(OPENSSL_SYS_UNIX) return getpid(); # else - return return 0; + return 0; # endif } #endif -- 2.24.0 ++++++ ovmf-add-exclude-shell-flag.patch ++++++ Index: edk2-edk2-stable201905/OvmfPkg/OvmfPkgX64.fdf =================================================================== --- edk2-edk2-stable201905.orig/OvmfPkg/OvmfPkgX64.fdf +++ edk2-edk2-stable201905/OvmfPkg/OvmfPkgX64.fdf @@ -291,7 +291,9 @@ INF MdeModulePkg/Universal/Disk/UdfDxe/ !if $(TOOL_CHAIN_TAG) != "XCODE5" INF ShellPkg/DynamicCommand/TftpDynamicCommand/TftpDynamicCommand.inf !endif +!ifndef $(EXCLUDE_SHELL) INF ShellPkg/Application/Shell/Shell.inf +!endif INF MdeModulePkg/Logo/LogoDxe.inf ++++++ ovmf-bsc1119454-additional-scsi-drivers.patch ++++++ ++++ 8397 lines (skipped) ++++++ ovmf-bsc1163927-fix-ip4dxe-and-arpdxe.patch ++++++ From 7f9f7fccf58af2db5ac8c88801f56f4efe664fcb Mon Sep 17 00:00:00 2001 From: Jiaxin Wu <Jiaxin.wu(a)intel.com> Date: Mon, 29 Apr 2019 09:51:53 +0800 Subject: [PATCH 1/2] NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559). v3: correct the coding style. v2: correct the commit message & add BZ number. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1610 This patch is to check the received package length to make sure the package has a valid length field. Cc: Fu Siyuan <siyuan.fu(a)intel.com> Cc: Maciej Rabeda <maciej.rabeda(a)linux.intel.com> Signed-off-by: Wu Jiaxin <jiaxin.wu(a)intel.com> Reviewed-by: Siyuan Fu <siyuan.fu(a)intel.com> (cherry picked from commit 578bcdc2605e3438b9cbdac4e68339f90f5bf8af) --- NetworkPkg/Ip4Dxe/Ip4Input.c | 46 +++++++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/NetworkPkg/Ip4Dxe/Ip4Input.c b/NetworkPkg/Ip4Dxe/Ip4Input.c index 24c584658803..fc1a892f14eb 100644 --- a/NetworkPkg/Ip4Dxe/Ip4Input.c +++ b/NetworkPkg/Ip4Dxe/Ip4Input.c @@ -1,7 +1,7 @@ /** @file IP4 input process. -Copyright (c) 2005 - 2018, Intel Corporation. All rights reserved. +Copyright (c) 2005 - 2020, Intel Corporation. All rights reserved. (C) Copyright 2015 Hewlett-Packard Development Company, L.P. SPDX-License-Identifier: BSD-2-Clause-Patent @@ -711,10 +711,6 @@ Ip4PreProcessPacket ( // // Check if the IP4 header is correctly formatted. // - if ((*Packet)->TotalSize < IP4_MIN_HEADLEN) { - return EFI_INVALID_PARAMETER; - } - HeadLen = (Head->HeadLen << 2); TotalLen = NTOHS (Head->TotalLen); @@ -808,6 +804,30 @@ Ip4PreProcessPacket ( return EFI_SUCCESS; } +/** + This function checks the IPv4 packet length. + + @param[in] Packet Pointer to the IPv4 Packet to be checked. + + @retval TRUE The input IPv4 packet length is valid. + @retval FALSE The input IPv4 packet length is invalid. + +**/ +BOOLEAN +Ip4IsValidPacketLength ( + IN NET_BUF *Packet + ) +{ + // + // Check the IP4 packet length. + // + if (Packet->TotalSize < IP4_MIN_HEADLEN) { + return FALSE; + } + + return TRUE; +} + /** The IP4 input routine. It is called by the IP4_INTERFACE when a IP4 fragment is received from MNP. @@ -844,6 +864,10 @@ Ip4AccpetFrame ( goto DROP; } + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head != NULL); OptionLen = (Head->HeadLen << 2) - IP4_MIN_HEADLEN; @@ -890,10 +914,14 @@ Ip4AccpetFrame ( // ZeroMem (&ZeroHead, sizeof (IP4_HEAD)); if (0 == CompareMem (Head, &ZeroHead, sizeof (IP4_HEAD))) { - // Packet may have been changed. Head, HeadLen, TotalLen, and - // info must be reloaded bofore use. The ownership of the packet - // is transfered to the packet process logic. - // + // Packet may have been changed. Head, HeadLen, TotalLen, and + // info must be reloaded before use. The ownership of the packet + // is transferred to the packet process logic. + // + if (!Ip4IsValidPacketLength (Packet)) { + goto RESTART; + } + Head = (IP4_HEAD *) NetbufGetByte (Packet, 0, NULL); ASSERT (Head != NULL); Status = Ip4PreProcessPacket ( -- 2.25.0 From 03225826203c978146e4067e1d14fe66fcb75e22 Mon Sep 17 00:00:00 2001 From: Siyuan Fu <siyuan.fu(a)intel.com> Date: Fri, 21 Feb 2020 10:14:18 +0800 Subject: [PATCH 2/2] NetworkPkg/ArpDxe: Recycle invalid ARP packets (CVE-2019-14559) REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2031 This patch triggers the RecycleEvent for invalid ARP packets. Prior to this, we would just ignore invalid ARP packets, and never free them. Cc: Jiaxin Wu <jiaxin.wu(a)intel.com> Cc: Maciej Rabeda <maciej.rabeda(a)linux.intel.com> Cc: Siyuan Fu <siyuan.fu(a)intel.com> Signed-off-by: Nicholas Armour <nicholas.armour(a)intel.com> Reviewed-by: Siyuan Fu <siyuan.fu(a)intel.com> (cherry picked from commit 1d3215fd24f47eaa4877542a59b4bbf5afc0cfe8) --- NetworkPkg/ArpDxe/ArpImpl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/NetworkPkg/ArpDxe/ArpImpl.c b/NetworkPkg/ArpDxe/ArpImpl.c index 0e9ef103eff9..c7f770db0734 100644 --- a/NetworkPkg/ArpDxe/ArpImpl.c +++ b/NetworkPkg/ArpDxe/ArpImpl.c @@ -1,7 +1,7 @@ /** @file The implementation of the ARP protocol. -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved. +Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -113,7 +113,7 @@ ArpOnFrameRcvdDpc ( // // Restart the receiving if packet size is not correct. // - goto RESTART_RECEIVE; + goto RECYCLE_RXDATA; } // @@ -125,7 +125,7 @@ ArpOnFrameRcvdDpc ( Head->OpCode = NTOHS (Head->OpCode); if (RxData->DataLength < (sizeof (ARP_HEAD) + 2 * Head->HwAddrLen + 2 * Head->ProtoAddrLen)) { - goto RESTART_RECEIVE; + goto RECYCLE_RXDATA; } if ((Head->HwType != ArpService->SnpMode.IfType) || -- 2.25.0 ++++++ ovmf-bsc1163927-fix-ping-and-ip6dxe.patch ++++++ From 6a5e9bdd108741bcc8fd68276116f41b4a35da75 Mon Sep 17 00:00:00 2001 From: Maciej Rabeda <maciej.rabeda(a)linux.intel.com> Date: Thu, 27 Feb 2020 11:30:43 +0100 Subject: [PATCH 1/3] ShellPkg: Fix 'ping' command Ip4 receive flow. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2032 'ping' command's receive flow utilizes a single Rx token which it attempts to reuse before recycling the previously received packet. This causes a situation where under ICMP traffic, Ping6OnEchoReplyReceived() function will receive an already recycled packet with EFI_SUCCESS token status and finally dereference invalid pointers from RxData structure. Cc: Ray Ni <ray.ni(a)intel.com> Cc: Zhichao Gao <zhichao.gao(a)intel.com> Signed-off-by: Maciej Rabeda <maciej.rabeda(a)linux.intel.com> Reviewed-by: Siyuan Fu <siyuan.fu(a)intel.com> Acked-by: Zhichao Gao <zhichao.gao(a)intel.com> (cherry picked from commit 65c73df44c61235ede84c5aa1d2eab6650844966) --- ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c index 23567fa2c1bb..a3fa32515192 100644 --- a/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c +++ b/ShellPkg/Library/UefiShellNetwork1CommandsLib/Ping.c @@ -614,6 +614,11 @@ Ping6OnEchoReplyReceived ( ON_EXIT: + // + // Recycle the packet before reusing RxToken + // + gBS->SignalEvent (Private->IpChoice == PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal); + if (Private->RxCount < Private->SendNum) { // // Continue to receive icmp echo reply packets. @@ -632,10 +637,6 @@ ON_EXIT: // Private->Status = EFI_SUCCESS; } - // - // Singal to recycle the each rxdata here, not at the end of process. - // - gBS->SignalEvent (Private->IpChoice == PING_IP_CHOICE_IP6?((EFI_IP6_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal:((EFI_IP4_RECEIVE_DATA*)Private->RxToken.Packet.RxData)->RecycleSignal); } /** -- 2.25.1 From 35fb4bd10b630663d7eaa6731e15089f2d6091b1 Mon Sep 17 00:00:00 2001 From: Maciej Rabeda <maciej.rabeda(a)linux.intel.com> Date: Mon, 2 Mar 2020 13:25:20 +0100 Subject: [PATCH 2/3] NetworkPkg/Ip6Dxe: Improve Neightbor Discovery message validation. REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2174 Problem has been identified with Ip6ProcessRouterAdvertise() when Router Advertise packet contains options with malicious/invalid 'Length' field. This can lead to platform entering infinite loop when processing options from that packet. Cc: Jiaxin Wu <jiaxin.wu(a)intel.com> Cc: Siyuan Fu <siyuan.fu(a)intel.com> Signed-off-by: Maciej Rabeda <maciej.rabeda(a)linux.intel.com> Reviewed-by: Siyuan Fu <siyuan.fu(a)intel.com> (cherry picked from commit 9c20342eed70ec99ec50cd73cb81804299f05403) --- NetworkPkg/Ip6Dxe/Ip6Nd.c | 44 ++++++++++++++++----------- NetworkPkg/Ip6Dxe/Ip6Nd.h | 13 ++++++++ NetworkPkg/Ip6Dxe/Ip6Option.c | 57 ++++++++++++++++++++++++++--------- 3 files changed, 83 insertions(+), 31 deletions(-) diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c index 67d7022a7673..1254f0fdd921 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Nd.c +++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c @@ -1927,7 +1927,7 @@ Ip6ProcessRouterAdvertise ( UINT32 ReachableTime; UINT32 RetransTimer; UINT16 RouterLifetime; - UINT16 Offset; + UINT32 Offset; UINT8 Type; UINT8 Length; IP6_ETHER_ADDR_OPTION LinkLayerOption; @@ -2094,10 +2094,11 @@ Ip6ProcessRouterAdvertise ( // // The only defined options that may appear are the Source // Link-Layer Address, Prefix information and MTU options. - // All included options have a length that is greater than zero. + // All included options have a length that is greater than zero and + // fit within the input packet. // Offset = 16; - while (Offset < Head->PayloadLength) { + while (Offset < (UINT32) Head->PayloadLength) { NetbufCopy (Packet, Offset, sizeof (UINT8), &Type); switch (Type) { case Ip6OptionEtherSource: @@ -2105,9 +2106,12 @@ Ip6ProcessRouterAdvertise ( // Update the neighbor cache // NetbufCopy (Packet, Offset, sizeof (IP6_ETHER_ADDR_OPTION), (UINT8 *) &LinkLayerOption); - if (LinkLayerOption.Length <= 0) { - goto Exit; - } + + // + // Option size validity ensured by Ip6IsNDOptionValid(). + // + ASSERT (LinkLayerOption.Length != 0); + ASSERT (Offset + (UINT32) LinkLayerOption.Length * 8 >= (UINT32) Head->PayloadLength); ZeroMem (&LinkLayerAddress, sizeof (EFI_MAC_ADDRESS)); CopyMem (&LinkLayerAddress, LinkLayerOption.EtherAddr, 6); @@ -2151,13 +2155,17 @@ Ip6ProcessRouterAdvertise ( } } - Offset = (UINT16) (Offset + (UINT16) LinkLayerOption.Length * 8); + Offset += (UINT32) LinkLayerOption.Length * 8; break; case Ip6OptionPrefixInfo: NetbufCopy (Packet, Offset, sizeof (IP6_PREFIX_INFO_OPTION), (UINT8 *) &PrefixOption); - if (PrefixOption.Length != 4) { - goto Exit; - } + + // + // Option size validity ensured by Ip6IsNDOptionValid(). + // + ASSERT (PrefixOption.Length == 4); + ASSERT (Offset + (UINT32) PrefixOption.Length * 8 >= (UINT32) Head->PayloadLength); + PrefixOption.ValidLifetime = NTOHL (PrefixOption.ValidLifetime); PrefixOption.PreferredLifetime = NTOHL (PrefixOption.PreferredLifetime); @@ -2321,9 +2329,12 @@ Ip6ProcessRouterAdvertise ( break; case Ip6OptionMtu: NetbufCopy (Packet, Offset, sizeof (IP6_MTU_OPTION), (UINT8 *) &MTUOption); - if (MTUOption.Length != 1) { - goto Exit; - } + + // + // Option size validity ensured by Ip6IsNDOptionValid(). + // + ASSERT (MTUOption.Length == 1); + ASSERT (Offset + (UINT32) MTUOption.Length * 8 >= (UINT32) Head->PayloadLength); // // Use IPv6 minimum link MTU 1280 bytes as the maximum packet size in order @@ -2338,11 +2349,10 @@ Ip6ProcessRouterAdvertise ( // Silently ignore unrecognized options // NetbufCopy (Packet, Offset + sizeof (UINT8), sizeof (UINT8), &Length); - if (Length <= 0) { - goto Exit; - } - Offset = (UINT16) (Offset + (UINT16) Length * 8); + ASSERT (Length != 0); + + Offset += (UINT32) Length * 8; break; } } diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.h b/NetworkPkg/Ip6Dxe/Ip6Nd.h index 891a32d7d3ca..e4004662951a 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Nd.h +++ b/NetworkPkg/Ip6Dxe/Ip6Nd.h @@ -56,12 +56,21 @@ VOID VOID *Context ); +typedef struct _IP6_OPTION_HEADER { + UINT8 Type; + UINT8 Length; +} IP6_OPTION_HEADER; + +STATIC_ASSERT (sizeof (IP6_OPTION_HEADER) == 2, "IP6_OPTION_HEADER is expected to be exactly 2 bytes long."); + typedef struct _IP6_ETHE_ADDR_OPTION { UINT8 Type; UINT8 Length; UINT8 EtherAddr[6]; } IP6_ETHER_ADDR_OPTION; +STATIC_ASSERT (sizeof (IP6_ETHER_ADDR_OPTION) == 8, "IP6_ETHER_ADDR_OPTION is expected to be exactly 8 bytes long."); + typedef struct _IP6_MTU_OPTION { UINT8 Type; UINT8 Length; @@ -69,6 +78,8 @@ typedef struct _IP6_MTU_OPTION { UINT32 Mtu; } IP6_MTU_OPTION; +STATIC_ASSERT (sizeof (IP6_MTU_OPTION) == 8, "IP6_MTU_OPTION is expected to be exactly 8 bytes long."); + typedef struct _IP6_PREFIX_INFO_OPTION { UINT8 Type; UINT8 Length; @@ -80,6 +91,8 @@ typedef struct _IP6_PREFIX_INFO_OPTION { EFI_IPv6_ADDRESS Prefix; } IP6_PREFIX_INFO_OPTION; +STATIC_ASSERT (sizeof (IP6_PREFIX_INFO_OPTION) == 32, "IP6_PREFIX_INFO_OPTION is expected to be exactly 32 bytes long."); + typedef VOID (*IP6_DAD_CALLBACK) ( diff --git a/NetworkPkg/Ip6Dxe/Ip6Option.c b/NetworkPkg/Ip6Dxe/Ip6Option.c index 4d92a852dc86..6b4b029d1479 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Option.c +++ b/NetworkPkg/Ip6Dxe/Ip6Option.c @@ -129,45 +129,74 @@ Ip6IsNDOptionValid ( IN UINT16 OptionLen ) { - UINT16 Offset; - UINT8 OptionType; + UINT32 Offset; UINT16 Length; + IP6_OPTION_HEADER *OptionHeader; + + if (Option == NULL) { + ASSERT (Option != NULL); + return FALSE; + } Offset = 0; - while (Offset < OptionLen) { - OptionType = *(Option + Offset); - Length = (UINT16) (*(Option + Offset + 1) * 8); + // + // RFC 4861 states that Neighbor Discovery packet can contain zero or more + // options. Start processing the options if at least Type + Length fields + // fit within the input buffer. + // + while (Offset + sizeof (IP6_OPTION_HEADER) - 1 < OptionLen) { + OptionHeader = (IP6_OPTION_HEADER*) (Option + Offset); + Length = (UINT16) OptionHeader->Length * 8; - switch (OptionType) { + switch (OptionHeader->Type) { case Ip6OptionPrefixInfo: if (Length != 32) { return FALSE; } - break; case Ip6OptionMtu: if (Length != 8) { return FALSE; } - break; default: - // - // Check the length of Ip6OptionEtherSource, Ip6OptionEtherTarget, and - // Ip6OptionRedirected here. For unrecognized options, silently ignore - // and continue processing the message. - // + // RFC 4861 states that Length field cannot be 0. if (Length == 0) { return FALSE; } + break; + } + + // + // Check whether recognized options are within the input buffer's scope. + // + switch (OptionHeader->Type) { + case Ip6OptionEtherSource: + case Ip6OptionEtherTarget: + case Ip6OptionPrefixInfo: + case Ip6OptionRedirected: + case Ip6OptionMtu: + if (Offset + Length > (UINT32) OptionLen) { + return FALSE; + } + break; + default: + // + // Unrecognized options can be either valid (but unused) or invalid + // (garbage in between or right after valid options). Silently ignore. + // break; } - Offset = (UINT16) (Offset + Length); + // + // Advance to the next option. + // Length already considers option header's Type + Length. + // + Offset += Length; } return TRUE; -- 2.25.1 From 19f82aecd83989cde630c1f8eb119713f1574908 Mon Sep 17 00:00:00 2001 From: Maciej Rabeda <maciej.rabeda(a)linux.intel.com> Date: Wed, 1 Apr 2020 11:43:55 +0200 Subject: [PATCH 3/3] NetworkPkg/Ip6Dxe: Fix ASSERT logic in Ip6ProcessRouterAdvertise() REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2655 This patch fixes reversed logic of recently added ASSERTs which should ensure that Ip6IsNDOptionValid() implementation properly reacts to invalid packets. Cc: Jiaxin Wu <jiaxin.wu(a)intel.com> Cc: Siyuan Fu <siyuan.fu(a)intel.com> Signed-off-by: Maciej Rabeda <maciej.rabeda(a)linux.intel.com> Reviewed-by: Siyuan Fu <siyuan.fu(a)intel.com> Tested-by: Laszlo Ersek <lersek(a)redhat.com> Fixes: 9c20342eed70ec99ec50cd73cb81804299f05403 (cherry picked from commit 4deef2d865efdc61d1a53ad7bd48f9dd42560b45) --- NetworkPkg/Ip6Dxe/Ip6Nd.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/NetworkPkg/Ip6Dxe/Ip6Nd.c b/NetworkPkg/Ip6Dxe/Ip6Nd.c index 1254f0fdd921..9e688b2eb728 100644 --- a/NetworkPkg/Ip6Dxe/Ip6Nd.c +++ b/NetworkPkg/Ip6Dxe/Ip6Nd.c @@ -2111,7 +2111,7 @@ Ip6ProcessRouterAdvertise ( // Option size validity ensured by Ip6IsNDOptionValid(). // ASSERT (LinkLayerOption.Length != 0); - ASSERT (Offset + (UINT32) LinkLayerOption.Length * 8 >= (UINT32) Head->PayloadLength); + ASSERT (Offset + (UINT32) LinkLayerOption.Length * 8 <= (UINT32) Head->PayloadLength); ZeroMem (&LinkLayerAddress, sizeof (EFI_MAC_ADDRESS)); CopyMem (&LinkLayerAddress, LinkLayerOption.EtherAddr, 6); @@ -2164,7 +2164,7 @@ Ip6ProcessRouterAdvertise ( // Option size validity ensured by Ip6IsNDOptionValid(). // ASSERT (PrefixOption.Length == 4); - ASSERT (Offset + (UINT32) PrefixOption.Length * 8 >= (UINT32) Head->PayloadLength); + ASSERT (Offset + (UINT32) PrefixOption.Length * 8 <= (UINT32) Head->PayloadLength); PrefixOption.ValidLifetime = NTOHL (PrefixOption.ValidLifetime); PrefixOption.PreferredLifetime = NTOHL (PrefixOption.PreferredLifetime); @@ -2334,7 +2334,7 @@ Ip6ProcessRouterAdvertise ( // Option size validity ensured by Ip6IsNDOptionValid(). // ASSERT (MTUOption.Length == 1); - ASSERT (Offset + (UINT32) MTUOption.Length * 8 >= (UINT32) Head->PayloadLength); + ASSERT (Offset + (UINT32) MTUOption.Length * 8 <= (UINT32) Head->PayloadLength); // // Use IPv6 minimum link MTU 1280 bytes as the maximum packet size in order -- 2.25.1 ++++++ ovmf-bsc1163959-PiDxeS3BootScriptLib-fix-numeric-truncation.patch ++++++ From 322ac05f8bbc1bce066af1dabd1b70ccdbe28891 Mon Sep 17 00:00:00 2001 From: Hao A Wu <hao.a.wu(a)intel.com> Date: Fri, 28 Jun 2019 14:15:55 +0800 Subject: [PATCH 1/1] MdeModulePkg/PiDxeS3BootScriptLib: Fix potential numeric truncation (CVE-2019-14563) REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2001 For S3BootScriptLib APIs: S3BootScriptSaveIoWrite S3BootScriptSaveMemWrite S3BootScriptSavePciCfgWrite S3BootScriptSavePciCfg2Write S3BootScriptSaveSmbusExecute S3BootScriptSaveInformation S3BootScriptSaveInformationAsciiString S3BootScriptLabel (happen in S3BootScriptLabelInternal()) possible numeric truncations will happen that may lead to S3 boot script entry with improper size being returned to store the boot script data. This commit will add checks to prevent this kind of issue. Please note that the remaining S3BootScriptLib APIs: S3BootScriptSaveIoReadWrite S3BootScriptSaveMemReadWrite S3BootScriptSavePciCfgReadWrite S3BootScriptSavePciCfg2ReadWrite S3BootScriptSaveStall S3BootScriptSaveDispatch2 S3BootScriptSaveDispatch S3BootScriptSaveMemPoll S3BootScriptSaveIoPoll S3BootScriptSavePciPoll S3BootScriptSavePci2Poll S3BootScriptCloseTable S3BootScriptExecute S3BootScriptMoveLastOpcode S3BootScriptCompare are not affected by such numeric truncation. Signed-off-by: Hao A Wu <hao.a.wu(a)intel.com> Reviewed-by: Laszlo Ersek <lersek(a)redhat.com> Reviewed-by: Eric Dong <eric.dong(a)intel.com> Acked-by: Jian J Wang <jian.j.wang(a)intel.com> --- .../PiDxeS3BootScriptLib/BootScriptSave.c | 52 ++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c index 9106e7d0f9f5..9315fc9f0188 100644 --- a/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c +++ b/MdeModulePkg/Library/PiDxeS3BootScriptLib/BootScriptSave.c @@ -1,7 +1,7 @@ /** @file Save the S3 data to S3 boot script. - Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved. + Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent @@ -1006,6 +1006,14 @@ S3BootScriptSaveIoWrite ( EFI_BOOT_SCRIPT_IO_WRITE ScriptIoWrite; WidthInByte = (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_IO_WRITE))) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_IO_WRITE) + (WidthInByte * Count)); Script = S3BootScriptGetEntryAddAddress (Length); @@ -1102,6 +1110,14 @@ S3BootScriptSaveMemWrite ( EFI_BOOT_SCRIPT_MEM_WRITE ScriptMemWrite; WidthInByte = (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_MEM_WRITE))) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_MEM_WRITE) + (WidthInByte * Count)); Script = S3BootScriptGetEntryAddAddress (Length); @@ -1206,6 +1222,14 @@ S3BootScriptSavePciCfgWrite ( } WidthInByte = (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE))) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG_WRITE) + (WidthInByte * Count)); Script = S3BootScriptGetEntryAddAddress (Length); @@ -1324,6 +1348,14 @@ S3BootScriptSavePciCfg2Write ( } WidthInByte = (UINT8) (0x01 << (Width & 0x03)); + + // + // Truncation check + // + if ((Count > MAX_UINT8) || + (WidthInByte * Count > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE))) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_PCI_CONFIG2_WRITE) + (WidthInByte * Count)); Script = S3BootScriptGetEntryAddAddress (Length); @@ -1549,6 +1581,12 @@ S3BootScriptSaveSmbusExecute ( return Status; } + // + // Truncation check + // + if (BufferLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE)) { + return RETURN_OUT_OF_RESOURCES; + } DataSize = (UINT8)(sizeof (EFI_BOOT_SCRIPT_SMBUS_EXECUTE) + BufferLength); Script = S3BootScriptGetEntryAddAddress (DataSize); @@ -1736,6 +1774,12 @@ S3BootScriptSaveInformation ( UINT8 *Script; EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; + // + // Truncation check + // + if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength); Script = S3BootScriptGetEntryAddAddress (Length); @@ -2195,6 +2239,12 @@ S3BootScriptLabelInternal ( UINT8 *Script; EFI_BOOT_SCRIPT_INFORMATION ScriptInformation; + // + // Truncation check + // + if (InformationLength > MAX_UINT8 - sizeof (EFI_BOOT_SCRIPT_INFORMATION)) { + return RETURN_OUT_OF_RESOURCES; + } Length = (UINT8)(sizeof (EFI_BOOT_SCRIPT_INFORMATION) + InformationLength); Script = S3BootScriptGetEntryAddAddress (Length); -- 2.25.0 ++++++ ovmf-bsc1163969-fix-DxeImageVerificationHandler.patch ++++++ ++++ 1870 lines (skipped) ++++++ ovmf-bsc1175476-fix-DxeImageVerificationLib-overflow.patch ++++++ From e4c140c87487d523bb3585e419ea9df122fd3f67 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek(a)redhat.com> Date: Tue, 1 Sep 2020 11:12:19 +0200 Subject: [PATCH 1/3] SecurityPkg/DxeImageVerificationLib: extract SecDataDirEnd, SecDataDirLeft MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The following two quantities: SecDataDir->VirtualAddress + SecDataDir->Size SecDataDir->VirtualAddress + SecDataDir->Size - OffSet are used multiple times in DxeImageVerificationHandler(). Introduce helper variables for them: "SecDataDirEnd" and "SecDataDirLeft", respectively. This saves us multiple calculations and significantly simplifies the code. Note that all three summands above have type UINT32, therefore the new variables are also of type UINT32. This patch does not change behavior. (Note that the code already handles the case when the SecDataDir->VirtualAddress + SecDataDir->Size UINT32 addition overflows -- namely, in that case, the certificate loop is never entered, and the corruption check right after the loop fires.) Cc: Jian J Wang <jian.j.wang(a)intel.com> Cc: Jiewen Yao <jiewen.yao(a)intel.com> Cc: Min Xu <min.m.xu(a)intel.com> Cc: Wenyi Xie <xiewenyi2(a)huawei.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215 Signed-off-by: Laszlo Ersek <lersek(a)redhat.com> Message-Id: <20200901091221.20948-2-lersek(a)redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd(a)redhat.com> Tested-by: Wenyi Xie <xiewenyi2(a)huawei.com> Reviewed-by: Min M Xu <min.m.xu(a)intel.com> Reviewed-by: Jiewen Yao <jiewen.yao(a)intel.com> (cherry picked from commit 503248ccdf45c14d4040ce44163facdc212e4991) --- .../DxeImageVerificationLib.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index b7fa8ea8c55c..fb3895661b5e 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1652,6 +1652,8 @@ DxeImageVerificationHandler ( UINT8 *AuthData; UINTN AuthDataSize; EFI_IMAGE_DATA_DIRECTORY *SecDataDir; + UINT32 SecDataDirEnd; + UINT32 SecDataDirLeft; UINT32 OffSet; CHAR16 *NameStr; RETURN_STATUS PeCoffStatus; @@ -1849,12 +1851,14 @@ DxeImageVerificationHandler ( // "Attribute Certificate Table". // The first certificate starts at offset (SecDataDir->VirtualAddress) from the start of the file. // + SecDataDirEnd = SecDataDir->VirtualAddress + SecDataDir->Size; for (OffSet = SecDataDir->VirtualAddress; - OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size); + OffSet < SecDataDirEnd; OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) { WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); - if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof (WIN_CERTIFICATE) || - (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength) { + SecDataDirLeft = SecDataDirEnd - OffSet; + if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) || + SecDataDirLeft < WinCertificate->dwLength) { break; } @@ -1948,7 +1952,7 @@ DxeImageVerificationHandler ( } } - if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size)) { + if (OffSet != SecDataDirEnd) { // // The Size in Certificate Table or the attribute certificate table is corrupted. // -- 2.28.0 From a70b1a7653b57f9f1c15e513288cfe9ab76192f8 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek(a)redhat.com> Date: Tue, 1 Sep 2020 11:12:20 +0200 Subject: [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign WinCertificate after size check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check only guards the de-referencing of the "WinCertificate" pointer. It does not guard the calculation of the pointer itself: WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); This is wrong; if we don't know for sure that we have enough room for a WIN_CERTIFICATE, then even creating such a pointer, not just de-referencing it, may invoke undefined behavior. Move the pointer calculation after the size check. Cc: Jian J Wang <jian.j.wang(a)intel.com> Cc: Jiewen Yao <jiewen.yao(a)intel.com> Cc: Min Xu <min.m.xu(a)intel.com> Cc: Wenyi Xie <xiewenyi2(a)huawei.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215 Signed-off-by: Laszlo Ersek <lersek(a)redhat.com> Message-Id: <20200901091221.20948-3-lersek(a)redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd(a)redhat.com> Tested-by: Wenyi Xie <xiewenyi2(a)huawei.com> Reviewed-by: Min M Xu <min.m.xu(a)intel.com> Reviewed-by: Jiewen Yao <jiewen.yao(a)intel.com> (cherry picked from commit a7632e913c1c106f436aefd5e76c394249c383a8) --- .../DxeImageVerificationLib/DxeImageVerificationLib.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index fb3895661b5e..d544ba8f0a3e 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1855,10 +1855,12 @@ DxeImageVerificationHandler ( for (OffSet = SecDataDir->VirtualAddress; OffSet < SecDataDirEnd; OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))) { - WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); SecDataDirLeft = SecDataDirEnd - OffSet; - if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) || - SecDataDirLeft < WinCertificate->dwLength) { + if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) { + break; + } + WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); + if (SecDataDirLeft < WinCertificate->dwLength) { break; } -- 2.28.0 From ce4db99abb9f6b8afe71ed29d83fadf9560ca1b2 Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <lersek(a)redhat.com> Date: Tue, 1 Sep 2020 11:12:21 +0200 Subject: [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch alignment overflow (CVE-2019-14562) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The DxeImageVerificationHandler() function currently checks whether "SecDataDir" has enough room for "WinCertificate->dwLength". However, for advancing "OffSet", "WinCertificate->dwLength" is aligned to the next multiple of 8. If "WinCertificate->dwLength" is large enough, the alignment will return 0, and "OffSet" will be stuck at the same value. Check whether "SecDataDir" has room left for both "WinCertificate->dwLength" and the alignment. Cc: Jian J Wang <jian.j.wang(a)intel.com> Cc: Jiewen Yao <jiewen.yao(a)intel.com> Cc: Min Xu <min.m.xu(a)intel.com> Cc: Wenyi Xie <xiewenyi2(a)huawei.com> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2215 Signed-off-by: Laszlo Ersek <lersek(a)redhat.com> Message-Id: <20200901091221.20948-4-lersek(a)redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd(a)redhat.com> Tested-by: Wenyi Xie <xiewenyi2(a)huawei.com> Reviewed-by: Min M Xu <min.m.xu(a)intel.com> Reviewed-by: Jiewen Yao <jiewen.yao(a)intel.com> (cherry picked from commit 0b143fa43e92be15d11e22f80773bcb1b2b0608f) --- .../Library/DxeImageVerificationLib/DxeImageVerificationLib.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c index d544ba8f0a3e..d8b7b15224b6 100644 --- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c +++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c @@ -1860,7 +1860,9 @@ DxeImageVerificationHandler ( break; } WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet); - if (SecDataDirLeft < WinCertificate->dwLength) { + if (SecDataDirLeft < WinCertificate->dwLength || + (SecDataDirLeft - WinCertificate->dwLength < + ALIGN_SIZE (WinCertificate->dwLength))) { break; } -- 2.28.0 ++++++ ovmf-bsc1177789-cryptopkg-fix-null-dereference.patch ++++++ From c7311c794c593745b852ee6c0bcdb8a5e71d6ace Mon Sep 17 00:00:00 2001 From: Jian J Wang <jian.j.wang(a)intel.com> Date: Thu, 25 Apr 2019 23:42:16 +0800 Subject: [PATCH 1/1] CryptoPkg/BaseCryptLib: fix NULL dereference (CVE-2019-14584) REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1914 AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded signed authenticode pkcs#7 data. when this successfully returns, a type check is done by calling PKCS7_type_is_signed() and then Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1 blob that successfully decodes and have d2i_PKCS7() return a valid pointer and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign be a NULL pointer. Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for pkcs7 structs it does the following: - call PKCS7_type_is_signed() - call PKCS7_get_detached() Looking into how PKCS7_get_detatched() is implemented, it checks to see if p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL. As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7(). - Add call to PKS7_get_detached() to existing error handling Cc: Xiaoyu Lu <xiaoyux.lu(a)intel.com> Cc: Guomin Jiang <guomin.jiang(a)intel.com> Cc: Jiewen Yao <jiewen.yao(a)intel.com> Cc: Laszlo Ersek <lersek(a)redhat.com> Signed-off-by: Jian J Wang <jian.j.wang(a)intel.com> Reviewed-by: Laszlo Ersek <lersek(a)redhat.com> Reviewed-by: Jiewen Yao <Jiewen.yao(a)intel.com> (cherry picked from commit 26442d11e620a9e81c019a24a4ff38441c64ba10) --- CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c index 2772b1e2be3c..3c2d14a88bce 100644 --- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c +++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c @@ -9,7 +9,7 @@ AuthenticodeVerify() will get PE/COFF Authenticode and will do basic check for data structure. -Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved. +Copyright (c) 2011 - 2020, Intel Corporation. All rights reserved. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -100,7 +100,7 @@ AuthenticodeVerify ( // // Check if it's PKCS#7 Signed Data (for Authenticode Scenario) // - if (!PKCS7_type_is_signed (Pkcs7)) { + if (!PKCS7_type_is_signed (Pkcs7) || PKCS7_get_detached (Pkcs7)) { goto _Exit; } -- 2.28.0 ++++++ ovmf-disable-ia32-firmware-piepic.patch ++++++ Index: edk2-edk2-stable201905/BaseTools/Conf/tools_def.template =================================================================== --- edk2-edk2-stable201905.orig/BaseTools/Conf/tools_def.template +++ edk2-edk2-stable201905/BaseTools/Conf/tools_def.template @@ -1738,7 +1738,7 @@ DEFINE GCC_AARCH64_RC_FLAGS = -I DEFINE GCC48_ALL_CC_FLAGS = -g -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -include AutoGen.h -fno-common -DSTRING_ARRAY_NAME=$(BASE_NAME)Strings DEFINE GCC48_IA32_X64_DLINK_COMMON = -nostdlib -Wl,-n,-q,--gc-sections -z common-page-size=0x20 -DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address +DEFINE GCC48_IA32_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m32 -march=i586 -malign-double -fno-stack-protector -D EFI32 -fno-asynchronous-unwind-tables -Wno-address -fno-pic -fno-pie DEFINE GCC48_X64_CC_FLAGS = DEF(GCC48_ALL_CC_FLAGS) -m64 -fno-stack-protector "-DEFIAPI=__attribute__((ms_abi))" -maccumulate-outgoing-args -mno-red-zone -Wno-address -mcmodel=small -fpie -fno-asynchronous-unwind-tables -Wno-address DEFINE GCC48_IA32_X64_ASLDLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,ReferenceAcpiTable -u ReferenceAcpiTable DEFINE GCC48_IA32_X64_DLINK_FLAGS = DEF(GCC48_IA32_X64_DLINK_COMMON) -Wl,--entry,$(IMAGE_ENTRY_POINT) -u $(IMAGE_ENTRY_POINT) -Wl,-Map,$(DEST_DIR_DEBUG)/$(BASE_NAME).map,--whole-archive ++++++ ovmf-gdb-symbols.patch ++++++ ++++ 632 lines (skipped) ++++++ ovmf-pie.patch ++++++ Index: edk2-edk2-stable201905/BaseTools/Source/C/Makefiles/header.makefile =================================================================== --- edk2-edk2-stable201905.orig/BaseTools/Source/C/Makefiles/header.makefile +++ edk2-edk2-stable201905/BaseTools/Source/C/Makefiles/header.makefile @@ -75,7 +75,7 @@ else BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \ -fno-delete-null-pointer-checks -Wall -Werror \ -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \ --Wno-unused-result -nostdlib -g +-Wno-unused-result -nostdlib -g -fPIE endif BUILD_LFLAGS = BUILD_CXXFLAGS = -Wno-unused-result ++++++ ovmf-rpmlintrc ++++++ addFilter("unstripped-binary-or-object /usr/lib/debug/*") addFilter("statically-linked-binary /usr/lib/debug/*") addFilter("executable-stack /usr/lib/debug/*") addFilter("position-independent-executable-suggested /usr/lib/debug/*") ++++++ ovmf-set-fixed-enroll-time.patch ++++++ From c0cec3409f3abda1e2359a79ccac575b4ea1838b Mon Sep 17 00:00:00 2001 From: Gary Lin <glin(a)suse.com> Date: Tue, 21 May 2019 16:56:06 +0800 Subject: [PATCH 1/1] OvmfPkg/EnrollDefaultKeys: Set the fixed time For the reproducible build, we need to set the fixed time when setting the authenticate variables. Signed-off-by: Gary Lin <glin(a)suse.com> --- OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c index f45cb799f726..0e42e49d48f2 100644 --- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c +++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c @@ -301,6 +301,16 @@ EnrollListOfCerts ( if (EFI_ERROR (Status)) { goto FreeData; } + + // Set the fixed time for the reproducible build + // 2019-5-20 00:00:00 + SingleHeader->TimeStamp.Year = 2019; + SingleHeader->TimeStamp.Month = 5; + SingleHeader->TimeStamp.Day = 20; + SingleHeader->TimeStamp.Hour = 0; + SingleHeader->TimeStamp.Minute = 0; + SingleHeader->TimeStamp.Second = 0; + SingleHeader->TimeStamp.Pad1 = 0; SingleHeader->TimeStamp.Nanosecond = 0; SingleHeader->TimeStamp.TimeZone = 0; -- 2.21.0

1 0

commit xen for openSUSE:Leap:15.1:Update
by User for buildservice source handling 22 Dec '20

22 Dec '20

Hello community, here is the log from the commit of package xen for openSUSE:Leap:15.1:Update checked in at 2020-12-22 06:22:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.1:Update/xen (Old) and /work/SRC/openSUSE:Leap:15.1:Update/.xen.new.5145 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "xen" Tue Dec 22 06:22:44 2020 rev:12 rq:856933 version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _link ++++++ --- /var/tmp/diff_new_pack.sovYP5/_old 2020-12-22 06:22:48.752553625 +0100 +++ /var/tmp/diff_new_pack.sovYP5/_new 2020-12-22 06:22:48.752553625 +0100 @@ -1 +1 @@ -<link package='xen.15230' cicount='copy' /> +<link package='xen.15362' cicount='copy' />

1 0

commit 000update-repos for openSUSE:Factory
by User for buildservice source handling 21 Dec '20

21 Dec '20

Hello community, here is the log from the commit of package 000update-repos for openSUSE:Factory checked in at 2020-12-21 21:02:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/000update-repos (Old) and /work/SRC/openSUSE:Factory/.000update-repos.new.5145 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "000update-repos" Mon Dec 21 21:02:56 2020 rev:1465 rq: version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- 15.1:update_1608525604.packages.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------

1 0

commit 000update-repos for openSUSE:Factory
by User for buildservice source handling 21 Dec '20

21 Dec '20

Hello community, here is the log from the commit of package 000update-repos for openSUSE:Factory checked in at 2020-12-21 21:02:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/000update-repos (Old) and /work/SRC/openSUSE:Factory/.000update-repos.new.5145 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "000update-repos" Mon Dec 21 21:02:42 2020 rev:1464 rq: version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- factory:non-oss_2508.2.packages.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------

1 0

commit 000update-repos for openSUSE:Factory
by User for buildservice source handling 21 Dec '20

21 Dec '20

Hello community, here is the log from the commit of package 000update-repos for openSUSE:Factory checked in at 2020-12-21 21:02:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/000update-repos (Old) and /work/SRC/openSUSE:Factory/.000update-repos.new.5145 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "000update-repos" Mon Dec 21 21:02:39 2020 rev:1463 rq: version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! New: ---- factory_20201218.packages.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------

1 0

commit 000product for openSUSE:Factory
by User for buildservice source handling 21 Dec '20

21 Dec '20

Hello community, here is the log from the commit of package 000product for openSUSE:Factory checked in at 2020-12-21 20:08:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/000product (Old) and /work/SRC/openSUSE:Factory/.000product.new.5145 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "000product" Mon Dec 21 20:08:40 2020 rev:2509 rq: version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ MicroOS-dvd5-dvd-x86_64.kiwi ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:55.452803371 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:55.456803375 +0100 @@ -1,4 +1,4 @@ -<image name="OBS__MicroOS___20201218" schemaversion="4.1"> +<image name="OBS__MicroOS___20201221" schemaversion="4.1"> <description type="system"> <author>The SUSE Team</author> <contact>build(a)opensuse.org</contact> @@ -35,11 +35,11 @@ <productvar name="SEPARATE_MEDIA">true</productvar> <productvar name="SHA1OPT">-x -2</productvar> <productvar name="VENDOR">openSUSE</productvar> - <productvar name="VERSION">20201218</productvar> + <productvar name="VERSION">20201221</productvar> <productinfo name="CONTENTSTYLE">11</productinfo> - <productinfo name="DISTRO">cpe:/o:opensuse:microos:20201218,openSUSE MicroOS</productinfo> + <productinfo name="DISTRO">cpe:/o:opensuse:microos:20201221,openSUSE MicroOS</productinfo> <productinfo name="LINGUAS">en_US </productinfo> - <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/MicroOS/20201218/x86_64</productinfo> + <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/MicroOS/20201221/x86_64</productinfo> <productinfo name="VENDOR">openSUSE</productinfo> <productoption name="INI_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> <productoption name="PLUGIN_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> MicroOS-dvd5-kubic-dvd-x86_64.kiwi: same change ++++++ openSUSE-Addon-NonOss-ftp-ftp-i586_x86_64.kiwi ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:55.508803423 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:55.508803423 +0100 @@ -1,4 +1,4 @@ -<image name="OBS__openSUSE-Addon-NonOss___20201218" schemaversion="4.1"> +<image name="OBS__openSUSE-Addon-NonOss___20201221" schemaversion="4.1"> <description type="system"> <author>The SUSE Team</author> <contact>build(a)opensuse.org</contact> @@ -36,11 +36,11 @@ <productvar name="SEPARATE_MEDIA">true</productvar> <productvar name="SHA1OPT">-x -2</productvar> <productvar name="VENDOR">openSUSE</productvar> - <productvar name="VERSION">20201218</productvar> + <productvar name="VERSION">20201221</productvar> <productinfo name="CONTENTSTYLE">11</productinfo> - <productinfo name="DISTRO">cpe:/o:opensuse:opensuse-addon-nonoss:20201218,openSUSE NonOSS Addon</productinfo> + <productinfo name="DISTRO">cpe:/o:opensuse:opensuse-addon-nonoss:20201221,openSUSE NonOSS Addon</productinfo> <productinfo name="LINGUAS">af ar be_BY bg br ca cy el et ga gl gu_IN he hi_IN hr ka km ko lt mk nn pa_IN rw sk sl sr_CS ss st tg th tr uk ve vi xh zu </productinfo> - <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE-Addon-NonOss/2020… obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE-Addon-NonOss/2020…</productinfo> + <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE-Addon-NonOss/2020… obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE-Addon-NonOss/2020…</productinfo> <productinfo name="VENDOR">openSUSE</productinfo> <productoption name="INI_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> <productoption name="PLUGIN_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> ++++++ openSUSE-cd-mini-i586.kiwi ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:55.528803441 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:55.528803441 +0100 @@ -1,4 +1,4 @@ -<image name="OBS__openSUSE___20201218" schemaversion="4.1"> +<image name="OBS__openSUSE___20201221" schemaversion="4.1"> <description type="system"> <author>The SUSE Team</author> <contact>build(a)opensuse.org</contact> @@ -32,11 +32,11 @@ <productvar name="SEPARATE_MEDIA">true</productvar> <productvar name="SHA1OPT">-x -2</productvar> <productvar name="VENDOR">openSUSE</productvar> - <productvar name="VERSION">20201218</productvar> + <productvar name="VERSION">20201221</productvar> <productinfo name="CONTENTSTYLE">11</productinfo> - <productinfo name="DISTRO">cpe:/o:opensuse:opensuse:20201218,openSUSE Tumbleweed</productinfo> + <productinfo name="DISTRO">cpe:/o:opensuse:opensuse:20201221,openSUSE Tumbleweed</productinfo> <productinfo name="LINGUAS">cs da de el en en_GB en_US es fr hu it ja pl pt pt_BR ru zh zh_CN zh_TW </productinfo> - <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201218/i586</productinfo> + <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201221/i586</productinfo> <productinfo name="VENDOR">openSUSE</productinfo> <productoption name="INI_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> <productoption name="PLUGIN_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> ++++++ openSUSE-cd-mini-x86_64.kiwi ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:55.548803459 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:55.552803463 +0100 @@ -1,4 +1,4 @@ -<image name="OBS__openSUSE___20201218" schemaversion="4.1"> +<image name="OBS__openSUSE___20201221" schemaversion="4.1"> <description type="system"> <author>The SUSE Team</author> <contact>build(a)opensuse.org</contact> @@ -35,11 +35,11 @@ <productvar name="SEPARATE_MEDIA">true</productvar> <productvar name="SHA1OPT">-x -2</productvar> <productvar name="VENDOR">openSUSE</productvar> - <productvar name="VERSION">20201218</productvar> + <productvar name="VERSION">20201221</productvar> <productinfo name="CONTENTSTYLE">11</productinfo> - <productinfo name="DISTRO">cpe:/o:opensuse:opensuse:20201218,openSUSE Tumbleweed</productinfo> + <productinfo name="DISTRO">cpe:/o:opensuse:opensuse:20201221,openSUSE Tumbleweed</productinfo> <productinfo name="LINGUAS">cs da de el en en_GB en_US es fr hu it ja pl pt pt_BR ru zh zh_CN zh_TW </productinfo> - <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201218/x86_64</productinfo> + <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201221/x86_64</productinfo> <productinfo name="VENDOR">openSUSE</productinfo> <productoption name="INI_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> <productoption name="PLUGIN_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> ++++++ openSUSE-dvd5-dvd-i586.kiwi ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:55.576803485 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:55.576803485 +0100 @@ -1,4 +1,4 @@ -<image name="OBS__openSUSE___20201218" schemaversion="4.1"> +<image name="OBS__openSUSE___20201221" schemaversion="4.1"> <description type="system"> <author>The SUSE Team</author> <contact>build(a)opensuse.org</contact> @@ -32,11 +32,11 @@ <productvar name="SEPARATE_MEDIA">true</productvar> <productvar name="SHA1OPT">-x -2</productvar> <productvar name="VENDOR">openSUSE</productvar> - <productvar name="VERSION">20201218</productvar> + <productvar name="VERSION">20201221</productvar> <productinfo name="CONTENTSTYLE">11</productinfo> - <productinfo name="DISTRO">cpe:/o:opensuse:opensuse:20201218,openSUSE Tumbleweed</productinfo> + <productinfo name="DISTRO">cpe:/o:opensuse:opensuse:20201221,openSUSE Tumbleweed</productinfo> <productinfo name="LINGUAS">cs da de el en en_GB en_US es fr hu it ja pl pt pt_BR ru zh zh_CN zh_TW </productinfo> - <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201218/i586</productinfo> + <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201221/i586</productinfo> <productinfo name="VENDOR">openSUSE</productinfo> <productoption name="INI_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> <productoption name="PLUGIN_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> @@ -87,6 +87,7 @@ <repopackage name="analitza-lang"/> <repopackage name="apache-commons-logging"/> <repopackage name="apache2"/> + <repopackage name="apache2-manual"/> <repopackage name="apache2-mod_php7"/> <repopackage name="apache2-prefork"/> <repopackage name="apache2-utils"/> ++++++ openSUSE-dvd5-dvd-x86_64.kiwi ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:55.600803507 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:55.604803511 +0100 @@ -1,4 +1,4 @@ -<image name="OBS__openSUSE___20201218" schemaversion="4.1"> +<image name="OBS__openSUSE___20201221" schemaversion="4.1"> <description type="system"> <author>The SUSE Team</author> <contact>build(a)opensuse.org</contact> @@ -35,11 +35,11 @@ <productvar name="SEPARATE_MEDIA">true</productvar> <productvar name="SHA1OPT">-x -2</productvar> <productvar name="VENDOR">openSUSE</productvar> - <productvar name="VERSION">20201218</productvar> + <productvar name="VERSION">20201221</productvar> <productinfo name="CONTENTSTYLE">11</productinfo> - <productinfo name="DISTRO">cpe:/o:opensuse:opensuse:20201218,openSUSE Tumbleweed</productinfo> + <productinfo name="DISTRO">cpe:/o:opensuse:opensuse:20201221,openSUSE Tumbleweed</productinfo> <productinfo name="LINGUAS">cs da de el en en_GB en_US es fr hu it ja pl pt pt_BR ru zh zh_CN zh_TW </productinfo> - <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201218/x86_64</productinfo> + <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201221/x86_64</productinfo> <productinfo name="VENDOR">openSUSE</productinfo> <productoption name="INI_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> <productoption name="PLUGIN_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> @@ -122,6 +122,7 @@ <repopackage name="anjuta-lang" arch="x86_64"/> <repopackage name="apache-commons-logging"/> <repopackage name="apache2"/> + <repopackage name="apache2-manual"/> <repopackage name="apache2-mod_dnssd" arch="x86_64"/> <repopackage name="apache2-mod_php7"/> <repopackage name="apache2-prefork"/> @@ -558,7 +559,6 @@ <repopackage name="fprintd" arch="x86_64"/> <repopackage name="fprintd-lang" arch="x86_64"/> <repopackage name="fprintd-pam" arch="x86_64"/> - <repopackage name="fprintd-pam-32bit" arch="x86_64"/> <repopackage name="frameworkintegration-plugin" arch="x86_64"/> <repopackage name="freecell-solver-presets"/> <repopackage name="freeipmi"/> ++++++ openSUSE-ftp-ftp-i586_x86_64.kiwi ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:55.632803536 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:55.632803536 +0100 @@ -1,4 +1,4 @@ -<image name="OBS__openSUSE___20201218" schemaversion="4.1"> +<image name="OBS__openSUSE___20201221" schemaversion="4.1"> <description type="system"> <author>The SUSE Team</author> <contact>build(a)opensuse.org</contact> @@ -24,7 +24,7 @@ <productvar name="DISTNAME">openSUSE</productvar> <productvar name="FLAVOR">ftp</productvar> <productvar name="MAKE_LISTINGS">true</productvar> - <productvar name="MEDIUM_NAME">openSUSE-20201218-i586-x86_64</productvar> + <productvar name="MEDIUM_NAME">openSUSE-20201221-i586-x86_64</productvar> <productvar name="MULTIPLE_MEDIA">true</productvar> <productvar name="PRODUCT_DIR">/</productvar> <productvar name="PRODUCT_NAME">$DISTNAME-$FLAVOR</productvar> @@ -36,11 +36,11 @@ <productvar name="SEPARATE_MEDIA">true</productvar> <productvar name="SHA1OPT">-x -2</productvar> <productvar name="VENDOR">openSUSE</productvar> - <productvar name="VERSION">20201218</productvar> + <productvar name="VERSION">20201221</productvar> <productinfo name="CONTENTSTYLE">11</productinfo> - <productinfo name="DISTRO">cpe:/o:opensuse:opensuse:20201218,openSUSE Tumbleweed</productinfo> + <productinfo name="DISTRO">cpe:/o:opensuse:opensuse:20201221,openSUSE Tumbleweed</productinfo> <productinfo name="LINGUAS">cs da de el en en_GB en_US es fr hu it ja pl pt pt_BR ru zh zh_CN zh_TW </productinfo> - <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201218/i586 obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201218/x86_64</productinfo> + <productinfo name="REPOID">obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201221/i586 obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20201221/x86_64</productinfo> <productinfo name="VENDOR">openSUSE</productinfo> <productoption name="DEBUGMEDIUM">2</productoption> <productoption name="INI_DIR">/usr/share/kiwi/modules/plugins/tumbleweed</productoption> ++++++ MicroOS.product ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:55.692803591 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:55.692803591 +0100 @@ -6,7 +6,7 @@ <name>MicroOS</name> <releasepkgname>MicroOS-release</releasepkgname> <endoflife/> - <version>20201218</version> + <version>20201221</version>  <release>0</release> <productline>MicroOS</productline> ++++++ dvd.group ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:55.824803711 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:55.828803715 +0100 @@ -73,6 +73,7 @@ <package name="analitza-lang" supportstatus="unsupported"/>  <package name="apache-commons-logging" supportstatus="unsupported"/>  <package name="apache2" supportstatus="unsupported"/>  + <package name="apache2-manual" supportstatus="unsupported"/>  <package name="apache2-mod_php7" supportstatus="unsupported"/>  <package name="apache2-prefork" supportstatus="unsupported"/>  <package name="apache2-utils" supportstatus="unsupported"/>  @@ -4182,7 +4183,6 @@ <package name="fprintd" supportstatus="unsupported"/>  <package name="fprintd-lang" supportstatus="unsupported"/>  <package name="fprintd-pam" supportstatus="unsupported"/>  - <package name="fprintd-pam-32bit" supportstatus="unsupported"/>  <package name="frameworkintegration-plugin" supportstatus="unsupported"/>  <package name="freerdp" supportstatus="unsupported"/>  <package name="fwupd" supportstatus="unsupported"/>  ++++++ openSUSE-Addon-NonOss.product ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:55.848803733 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:55.852803737 +0100 @@ -4,7 +4,7 @@ <product> <vendor>openSUSE</vendor> <name>openSUSE-Addon-NonOss</name> - <version>20201218</version> + <version>20201221</version> <release>0</release> <summary>openSUSE NonOSS Addon</summary> <shortsummary>non oss addon</shortsummary> ++++++ openSUSE.product ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:55.876803759 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:55.880803763 +0100 @@ -4,7 +4,7 @@ <product> <vendor>openSUSE</vendor> <name>openSUSE</name> - <version>20201218</version> + <version>20201221</version> <release>0</release> <productline>openSUSE</productline> ++++++ unsorted.yml ++++++ --- /var/tmp/diff_new_pack.zuuPyR/_old 2020-12-21 20:08:56.000803873 +0100 +++ /var/tmp/diff_new_pack.zuuPyR/_new 2020-12-21 20:08:56.004803876 +0100 @@ -683,7 +683,6 @@ - apache2-devel - apache2-event - apache2-icons-oxygen - - apache2-manual - apache2-mod_apparmor - apache2-mod_auth_gssapi - apache2-mod_auth_mellon @@ -3708,6 +3707,7 @@ - fprintd-doc - fprintd-lang: [i586] - fprintd-pam: [i586] + - fprintd-pam-32bit: [x86_64] - fractal - fractal-lang - frame @@ -16953,7 +16953,6 @@ - mythes-devel - mytop - naev - - naev-data - nagios-contrib - nagios-devel - nagios-rpm-macros @@ -20894,6 +20893,8 @@ - profanity - profanity-mini - profanity-standard + - profile-sync-daemon + - profile-sync-daemon-zsh-completion - proftpd - proftpd-devel - proftpd-doc @@ -21585,6 +21586,7 @@ - python3-argh - python3-argparse-manpage: [i586] - python3-args + - python3-arpack-ng: [x86_64] - python3-arrow - python3-asciimatics - python3-asciitree @@ -26913,6 +26915,9 @@ - sympol - sympol-devel - sympow + - syncplay-client + - syncplay-common + - syncplay-server - syncthing - syncthing-relaysrv - syndication-devel

1 0

commit 000release-packages for openSUSE:Factory
by User for buildservice source handling 21 Dec '20

21 Dec '20

Hello community, here is the log from the commit of package 000release-packages for openSUSE:Factory checked in at 2020-12-21 20:08:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/000release-packages (Old) and /work/SRC/openSUSE:Factory/.000release-packages.new.5145 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "000release-packages" Mon Dec 21 20:08:35 2020 rev:803 rq: version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ MicroOS-release.spec ++++++ --- /var/tmp/diff_new_pack.fwg1f1/_old 2020-12-21 20:08:41.316790452 +0100 +++ /var/tmp/diff_new_pack.fwg1f1/_new 2020-12-21 20:08:41.316790452 +0100 @@ -17,7 +17,7 @@ Name: MicroOS-release -Version: 20201218 +Version: 20201221 Release: 0 Summary: openSUSE MicroOS License: GPL-2.0-or-later @@ -173,9 +173,9 @@ %include %{SOURCE100} Provides: %name-%version Provides: product() = MicroOS -Provides: product(MicroOS) = 20201218-0 +Provides: product(MicroOS) = 20201221-0 Provides: product-label() = openSUSE%20MicroOS -Provides: product-cpeid() = cpe%3A%2Fo%3Aopensuse%3Amicroos%3A20201218 +Provides: product-cpeid() = cpe%3A%2Fo%3Aopensuse%3Amicroos%3A20201221 Provides: product-url(releasenotes) = http%3A%2F%2Fdoc.opensuse.org%2Frelease%2Dnotes%2Fx86_64%2FopenSUSE%2FTumbleweed%2Frelease%2Dnotes%2DopenSUSE.rpm Provides: product-endoflife() Requires: product_flavor(MicroOS) @@ -191,7 +191,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(dvd) -Provides: product_flavor(MicroOS) = 20201218-0 +Provides: product_flavor(MicroOS) = 20201221-0 Summary: openSUSE MicroOS%{?betaversion: %{betaversion}} %description dvd @@ -207,7 +207,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(kubic-dvd) -Provides: product_flavor(MicroOS) = 20201218-0 +Provides: product_flavor(MicroOS) = 20201221-0 Summary: openSUSE MicroOS%{?betaversion: %{betaversion}} %description kubic-dvd @@ -223,7 +223,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(appliance) -Provides: product_flavor(MicroOS) = 20201218-0 +Provides: product_flavor(MicroOS) = 20201221-0 Summary: openSUSE MicroOS%{?betaversion: %{betaversion}} %description appliance @@ -239,7 +239,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(appliance-kubic) -Provides: product_flavor(MicroOS) = 20201218-0 +Provides: product_flavor(MicroOS) = 20201221-0 Summary: openSUSE MicroOS%{?betaversion: %{betaversion}} %description appliance-kubic @@ -298,11 +298,11 @@ <product schemeversion="0"> <vendor>openSUSE</vendor> <name>MicroOS</name> - <version>20201218</version> + <version>20201221</version> <release>0</release> <endoflife></endoflife> <arch>%{_target_cpu}</arch> - <cpeid>cpe:/o:opensuse:microos:20201218</cpeid> + <cpeid>cpe:/o:opensuse:microos:20201221</cpeid> <productline>MicroOS</productline> <register> <pool> ++++++ openSUSE-Addon-NonOss-release.spec ++++++ --- /var/tmp/diff_new_pack.fwg1f1/_old 2020-12-21 20:08:41.340790474 +0100 +++ /var/tmp/diff_new_pack.fwg1f1/_new 2020-12-21 20:08:41.344790478 +0100 @@ -1,5 +1,5 @@ # -# spec file for package openSUSE-Addon-NonOss-release (Version 20201218) +# spec file for package openSUSE-Addon-NonOss-release (Version 20201221) # # Copyright (c) 2020 openSUSE. # @@ -16,16 +16,16 @@ Name: openSUSE-Addon-NonOss-release %define product openSUSE-Addon-NonOss Summary: openSUSE NonOSS Addon%{?betaversion: %{betaversion}} -Version: 20201218 +Version: 20201221 Release: 0 License: BSD-3-Clause Group: System/Fhs Provides: %name-%version Provides: product() = openSUSE-Addon-NonOss -Provides: product(openSUSE-Addon-NonOss) = 20201218-0 +Provides: product(openSUSE-Addon-NonOss) = 20201221-0 Provides: product-label() = non%20oss%20addon -Provides: product-cpeid() = cpe%3A%2Fo%3Aopensuse%3Aopensuse%2Daddon%2Dnonoss%3A20201218 +Provides: product-cpeid() = cpe%3A%2Fo%3Aopensuse%3Aopensuse%2Daddon%2Dnonoss%3A20201221 AutoReqProv: on @@ -49,10 +49,10 @@ <product schemeversion="0"> <vendor>openSUSE</vendor> <name>openSUSE-Addon-NonOss</name> - <version>20201218</version> + <version>20201221</version> <release>0</release> <arch>%{_target_cpu}</arch> - <cpeid>cpe:/o:opensuse:opensuse-addon-nonoss:20201218</cpeid> + <cpeid>cpe:/o:opensuse:opensuse-addon-nonoss:20201221</cpeid> <register> <pool> </pool> ++++++ openSUSE-release.spec ++++++ --- /var/tmp/diff_new_pack.fwg1f1/_old 2020-12-21 20:08:41.364790496 +0100 +++ /var/tmp/diff_new_pack.fwg1f1/_new 2020-12-21 20:08:41.368790500 +0100 @@ -20,7 +20,7 @@ #define betaversion %{nil} %define codename Tumbleweed Name: openSUSE-release -Version: 20201218 +Version: 20201221 Release: 0 # 0 is the product release, not the build release of this package Summary: openSUSE Tumbleweed @@ -178,7 +178,7 @@ %include %{SOURCE100} Provides: %name-%version Provides: product() = openSUSE -Provides: product(openSUSE) = 20201218-0 +Provides: product(openSUSE) = 20201221-0 %ifarch x86_64 Provides: product-register-target() = openSUSE%2DTumbleweed%2Dx86_64 %endif @@ -192,7 +192,7 @@ Provides: product-register-target() = openSUSE%2DTumbleweed%2Daarch64 %endif Provides: product-label() = openSUSE -Provides: product-cpeid() = cpe%3A%2Fo%3Aopensuse%3Aopensuse%3A20201218 +Provides: product-cpeid() = cpe%3A%2Fo%3Aopensuse%3Aopensuse%3A20201221 Provides: product-url(releasenotes) = http%3A%2F%2Fdoc.opensuse.org%2Frelease%2Dnotes%2Fx86_64%2FopenSUSE%2FTumbleweed%2Frelease%2Dnotes%2DopenSUSE.rpm Provides: product-url(repository) = http%3A%2F%2Fdownload.opensuse.org%2Ftumbleweed%2Frepo%2Foss%2F Requires: product_flavor(openSUSE) @@ -206,7 +206,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(ftp) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description ftp @@ -221,7 +221,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(mini) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description mini @@ -236,7 +236,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(dvd) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description dvd @@ -251,7 +251,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(livecd-kde) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description livecd-kde @@ -266,7 +266,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(livecd-x11) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description livecd-x11 @@ -281,7 +281,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(livecd-gnome) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description livecd-gnome @@ -296,7 +296,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(livecd-xfce) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description livecd-xfce @@ -311,7 +311,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(usb-kde) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description usb-kde @@ -326,7 +326,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(usb-gnome) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description usb-gnome @@ -341,7 +341,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(usb-x11) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description usb-x11 @@ -356,7 +356,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(appliance) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description appliance @@ -371,7 +371,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(appliance-docker) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description appliance-docker @@ -386,7 +386,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(appliance-kvm) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description appliance-kvm @@ -401,7 +401,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(appliance-vmware) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description appliance-vmware @@ -416,7 +416,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(appliance-openstack) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description appliance-openstack @@ -431,7 +431,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(appliance-hyperv) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description appliance-hyperv @@ -446,7 +446,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(appliance-vagrant) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description appliance-vagrant @@ -461,7 +461,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(appliance-wsl) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description appliance-wsl @@ -476,7 +476,7 @@ Group: System/Fhs Provides: product_flavor() Provides: flavor(appliance-custom) -Provides: product_flavor(openSUSE) = 20201218-0 +Provides: product_flavor(openSUSE) = 20201221-0 Summary: openSUSE Tumbleweed%{?betaversion: %{betaversion}} %description appliance-custom @@ -551,10 +551,10 @@ <product schemeversion="0"> <vendor>openSUSE</vendor> <name>openSUSE</name> - <version>20201218</version> + <version>20201221</version> <release>0</release> <arch>%{_target_cpu}</arch> - <cpeid>cpe:/o:opensuse:opensuse:20201218</cpeid> + <cpeid>cpe:/o:opensuse:opensuse:20201221</cpeid> <productline>openSUSE</productline> <register> <pool> ++++++ weakremovers.inc ++++++ --- /var/tmp/diff_new_pack.fwg1f1/_old 2020-12-21 20:08:41.456790581 +0100 +++ /var/tmp/diff_new_pack.fwg1f1/_new 2020-12-21 20:08:41.460790584 +0100 @@ -3781,8 +3781,6 @@ Provides: weakremover(analyzeMFT) Provides: weakremover(android-tools) Provides: weakremover(ant-phone) -Provides: weakremover(apache2-doc) -Provides: weakremover(apache2-example-pages) Provides: weakremover(apache2-mod_auth_kerb) Provides: weakremover(apache2-mod_proxy_uwsgi) Provides: weakremover(apache2-mod_scgi) @@ -12409,6 +12407,7 @@ Provides: weakremover(mvapich2_2_3_3-gnu-hpc-doc) Provides: weakremover(mvapich2_2_3_3-gnu-hpc-macros-devel) Provides: weakremover(mxml) +Provides: weakremover(naev-data) Provides: weakremover(nagstamon) Provides: weakremover(nagvis) Provides: weakremover(nagvis-demos)

1 0

commit fpc for openSUSE:Leap:15.2:Update
by User for buildservice source handling 21 Dec '20

21 Dec '20

Hello community, here is the log from the commit of package fpc for openSUSE:Leap:15.2:Update checked in at 2020-12-21 14:22:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2:Update/fpc (Old) and /work/SRC/openSUSE:Leap:15.2:Update/.fpc.new.5145 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "fpc" Mon Dec 21 14:22:49 2020 rev:2 rq:856869 version:unknown Changes: -------- New Changes file: NO CHANGES FILE!!! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ _link ++++++ --- /var/tmp/diff_new_pack.AkcoqQ/_old 2020-12-21 14:23:09.797335320 +0100 +++ /var/tmp/diff_new_pack.AkcoqQ/_new 2020-12-21 14:23:09.797335320 +0100 @@ -1 +1 @@ -<link package='fpc.13913' cicount='copy' /> +<link package='fpc.15334' cicount='copy' />

1 0

commit fpc.15334 for openSUSE:Leap:15.2:Update
by User for buildservice source handling 21 Dec '20

21 Dec '20

Hello community, here is the log from the commit of package fpc.15334 for openSUSE:Leap:15.2:Update checked in at 2020-12-21 14:22:35 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2:Update/fpc.15334 (Old) and /work/SRC/openSUSE:Leap:15.2:Update/.fpc.15334.new.5145 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "fpc.15334" Mon Dec 21 14:22:35 2020 rev:1 rq:856869 version:3.2.0 Changes: -------- New Changes file: --- /dev/null 2020-12-09 01:05:43.965003977 +0100 +++ /work/SRC/openSUSE:Leap:15.2:Update/.fpc.15334.new.5145/fpc.changes 2020-12-21 14:23:06.633332725 +0100 @@ -0,0 +1,276 @@ +------------------------------------------------------------------- +Fri Sep 25 10:14:45 UTC 2020 - Guillaume GARDET <guillaume.gardet(a)opensuse.org> + +- Add patch to fix build on ppc64le: + * fpc-fix-library-paths-on-ppc64.patch + +------------------------------------------------------------------- +Thu Sep 24 06:30:04 UTC 2020 - Dirk Mueller <dmueller(a)suse.com> + +- add aarch64-fpc-compilation-fix.patch: pass vfp flags to + gas +- Handle fpu initialization (bsc#1122855): + * add aarch64-fpu-initialization.patch: initialize fpu properly + * aarch64: disable bootstrap mode + +------------------------------------------------------------------- +Mon Sep 21 15:02:29 UTC 2020 - Tom de Vries <tdevries(a)suse.com> + +- Backport r46209 - "@PLT is needed for calls to link it properly + with pic code" [bsc#1176706]: + * fpc-si_c-x86_64-plt.patch + +------------------------------------------------------------------- +Tue Aug 18 09:00:15 UTC 2020 - Guillaume GARDET <guillaume.gardet(a)opensuse.org> + +- Drop '%elifarch' usage for now since it is not well supported + by the source validator, see: + https://github.com/openSUSE/obs-service-source_validator/issues/85 + +------------------------------------------------------------------- +Mon Aug 17 15:38:06 UTC 2020 - Guillaume GARDET <guillaume.gardet(a)opensuse.org> + +- Fix doc building when bootstrap is used + +------------------------------------------------------------------- +Mon Aug 17 15:23:42 UTC 2020 - Guillaume GARDET <guillaume.gardet(a)opensuse.org> + +- Fix bootstrap handling + +------------------------------------------------------------------- +Tue Jun 30 08:39:31 UTC 2020 - John Paul Adrian Glaubitz <adrian.glaubitz(a)suse.com> + +- Update to 3.2.0 + * Changes see https://wiki.freepascal.org/User_Changes_3.2.0 +- Enable bootstrap for aarch64, ppc, ppc64, ppc64le + * Add bootstrap binary archives + + fpc-3.2.0-aarch64.zip + + fpc-3.2.0-ppc.zip + + fpc-3.2.0-ppc64.zip + + fpc-3.2.0-ppc64le.zip +- Drop old git snapshot source for aarch64 build + * fpcbuild.zip +- Add patch to fix library paths on aarch64 + * fpc-fix-library-paths-on-aarch64.patch +- Drop patches for issues fixed upstream + * fpc-fix_aarch64.patch + * update-fpcdocs.patch + +------------------------------------------------------------------- +Wed Aug 28 17:56:57 UTC 2019 - Stefan Brüns <stefan.bruens(a)rwth-aachen.de> + +- Use _multibuild for building the doc subpackage. This removes e.g. + TeXLive, python and X11 from the dependency chain of the main package. +- Remove noarch for doc subpackage as we need to use %ifarch + +------------------------------------------------------------------- +Mon Aug 26 18:49:28 UTC 2019 - Stefan Brüns <stefan.bruens(a)rwth-aachen.de> + +- Use separate subpackages for documentation and examples, and make + both noarch. +- Make PDF documentation build reproducible +- Use tex(foo) style BuildRequires, only request what is really needed. +- Install COPYING* in licensedir +- Drop gpm and ncurses runtime requires (not used by the compiler, + but only for some of the examples). +- Remove defattr and BuildRoot from spec file. + +------------------------------------------------------------------- +Sat Mar 16 15:57:11 UTC 2019 - termim(a)gmail.com + +- http --> https in URL + +------------------------------------------------------------------- +Mon Sep 10 13:04:54 UTC 2018 - Guillaume GARDET <guillaume.gardet(a)opensuse.org> + +- Move patches and sources out of %ifarch conditions + +------------------------------------------------------------------- +Fri Sep 7 12:32:05 UTC 2018 - Guillaume GARDET <guillaume.gardet(a)opensuse.org> + +- Remove 'fpcsrc/packages/nvapi/nvapi.pas' due to license problems + +------------------------------------------------------------------- +Tue Sep 4 11:56:51 UTC 2018 - guillaume.gardet(a)opensuse.org + +- Add patch to fix aarch64 build: + * fpc-fix_aarch64.patch + +------------------------------------------------------------------- +Tue Sep 4 07:21:34 UTC 2018 - Guillaume GARDET <guillaume.gardet(a)opensuse.org> + +- Add aarch64 support + +------------------------------------------------------------------- +Tue May 15 12:23:06 UTC 2018 - guillaume.gardet(a)opensuse.org + +- Fix %arm build +- Add ExclusiveArch for %ix86 x86_64 %arm ppc ppc64 + +------------------------------------------------------------------- +Fri Dec 15 22:06:50 UTC 2017 - markus.beth(a)web.de + +- Update to 3.0.4 + * Changes see http://wiki.freepascal.org/User_Changes_3.0.4 + +- Added update-fpcdocs.patch to fix doc generation + +------------------------------------------------------------------- +Mon Jun 27 20:03:42 UTC 2016 - termim(a)gmail.com + +- Update to 3.0.0 + * remove patch fpc-2.6.2-make-user.pdf-fix.patch as fixed upstream + * use previous fpc version instead prebuild one for build + * New features see http://wiki.freepascal.org/FPC_New_Features_3.0 + * Changes see http://wiki.freepascal.org/User_Changes_3.0 + +------------------------------------------------------------------- +Tue May 06 08:57:47 UTC 2014 - guillaume(a)opensuse.org + +- Add ARM support + +------------------------------------------------------------------- +Mon May 5 19:17:00 UTC 2014 - mihailjp(a)gmail.com + +- Update to 2.6.4 - a fixes update from the 2.6.x branch + The new features include, amongst others: + * Compiler: + - Improvements and fixes for the ARM architecture + * Packages: + - New package fpindexer (indexing engine) + - Support for observer pattern added to fcl-base (and base classes in RTL) + - Lots and lots fixes and improvements for fcl-db + * Support for JSON dataset added among others + - Fixes and improvements for fcl-passrc (and fpdoc) + - Updates for PTCPas and gtk2 + - fpmkunit improvements (better support for future switch to fpmake) + - Several fixes for x11 + - Several fixes for winunits (and winceunits) + * Platforms: + - Improvements to the NativeNT target (newly introduced as alpha in 2.6.0) + - Many fixes for OpenBSD and NetBSD (considered in beta state now) + - Internal ELF writer supported for more BSD targets + - Fixes and improvements for gba and nds + +------------------------------------------------------------------- +Fri Apr 12 09:12:12 UTC 2013 - svalx(a)svalx.net + +- Update to 2.6.2 - a fixes update from the 2.6.x branch. + The new features include, amongst others: + * Compiler: + - Improvements and fixes for the ARM architecture + * Packages: + - New package fpindexer (indexing engine) + - Support for observer pattern added to fcl-base (and base classes in RTL) + - Lots and lots fixes and improvements for fcl-db + * Support for JSON dataset added among others + - Fixes and improvements for fcl-passrc (and fpdoc) + - Updates for PTCPas and gtk2 + - Fpmkunit improvements (better support for future switch to fpmake) + - Several fixes for x11 + - Several fixes for winunits (and winceunits) + * Platforms: + - Improvements to the NativeNT target (newly introduced as alpha in 2.6.0) + - Many fixes for OpenBSD and NetBSD (considered in beta state now) + - Internal ELF writer supported for more BSD targets + - Fixes and improvements for gba and nds +- Add fpc-2.6.2-make-user.pdf-fix.patch - fix TeX broke with error when build user.pdf + +------------------------------------------------------------------- +Sun Oct 14 17:21:30 UTC 2012 - asterios.dramis(a)gmail.com + +- Enabled debuginfo in all BuildArches. +- Removed gpm build requirement (not needed). +- Removed glibc runtime requirement (it's always provided). +- Fixed some rpmlint warnings "script-without-shebang". +- Added support for "build ID" in binaries (for debuginfo support). + +------------------------------------------------------------------- +Wed Oct 3 18:03:43 UTC 2012 - asterios.dramis(a)gmail.com + +- Added texlive-float as build requirement to fix compilation in Factory. + Removed texlive-collection-basic (not needed anymore). + +------------------------------------------------------------------- +Sun Sep 16 22:18:56 UTC 2012 - termim(a)gmail.com + +- Update to 2.6.0 - a new major version of the Free Pascal compiler. ++++ 79 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.2:Update/.fpc.15334.new.5145/fpc.changes New: ---- _multibuild aarch64-fpc-compilation-fix.patch aarch64-fpu-initialization.patch fpc-3.2.0-aarch64.zip fpc-3.2.0-ppc.zip fpc-3.2.0-ppc64.zip fpc-3.2.0-ppc64le.zip fpc-fix-library-paths-on-aarch64.patch fpc-fix-library-paths-on-ppc64.patch fpc-rpmlintrc fpc-si_c-x86_64-plt.patch fpc.changes fpc.spec fpcbuild-3.2.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fpc.spec ++++++ # # spec file for package fpc # # Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %global flavor @BUILD_FLAVOR@%{nil} %if "%{flavor}" == "" %else %global psuffix -%{flavor} %endif %ifarch ppc64le ppc64 ppc # Bootstrap the compiler for a new architecture. Set this to 0 after we've bootstrapped. %bcond_without bootstrap %else %bcond_with bootstrap %endif %ifarch %arm # We use hardfloat on ARM %define fpcopt -dFPC_ARMHF -k--build-id -k-z -knoexecstack %else %ifarch ppc64le %define fpcopt -Cb- -Caelfv2 -k--build-id -k-z -knoexecstack %else %define fpcopt -k--build-id -k-z -knoexecstack %endif %endif %define fpcdebugopt -gl %ifarch aarch64 %define ppcname ppca64 %endif %ifarch %arm %define ppcname ppcarm %endif %ifarch ppc %define ppcname ppcppc %endif %ifarch x86_64 %define ppcname ppcx64 %endif %ifarch ppc64le %define ppcname ppcppc64 %endif %ifarch ppc64 %define ppcname ppcppc64 %endif %ifarch %ix86 %define ppcname ppc386 %endif Name: fpc%{?psuffix} Version: 3.2.0 Release: 0 %if "%{flavor}" == "" Summary: Free Pascal Compiler License: GPL-2.0-or-later AND LGPL-2.1-or-later Group: Documentation/Other %else Summary: Freepascal Compiler documentation License: GPL-2.0-or-later AND LGPL-2.1-or-later Group: Documentation/Other %endif URL: https://www.freepascal.org/ Source: fpcbuild-%{version}.tar.gz Source1: fpc-3.2.0-aarch64.zip Source2: fpc-3.2.0-ppc64le.zip Source3: fpc-3.2.0-ppc64.zip Source4: fpc-3.2.0-ppc.zip Source90: fpc-rpmlintrc Patch0: fpc-fix-library-paths-on-aarch64.patch Patch1: fpc-si_c-x86_64-plt.patch Patch2: aarch64-fpc-compilation-fix.patch # From https://github.com/graemeg/freepascal/commit/aad68409bec902e39f9292930238ed… Patch3: aarch64-fpu-initialization.patch Patch4: fpc-fix-library-paths-on-ppc64.patch BuildRequires: binutils %if 0%{?suse_version} BuildRequires: fdupes %endif %if %{without bootstrap} BuildRequires: fpc %else %if "%{flavor}" == "doc" BuildRequires: fpc %else BuildRequires: unzip %endif %endif BuildRequires: glibc-devel %if "%{flavor}" == "doc" BuildRequires: texlive-latex BuildRequires: texlive-makeindex BuildRequires: texlive-pdftex BuildRequires: texlive-ucs BuildRequires: tex(8r.enc) BuildRequires: tex(a4.sty) BuildRequires: tex(enumitem.sty) BuildRequires: tex(fancyhdr.sty) BuildRequires: tex(float.sty) BuildRequires: tex(hyperref.sty) BuildRequires: tex(pcrr8t.tfm) BuildRequires: tex(phvr8t.tfm) BuildRequires: tex(ptmr8t.tfm) BuildRequires: tex(syntax.sty) BuildRequires: tex(tabularx.sty) BuildRequires: tex(times.sty) %endif Requires: binutils ExclusiveArch: %ix86 x86_64 %arm aarch64 ppc ppc64 ppc64le %if "%{flavor}" == "" %description Freepascal is a free 32/64bit Pascal Compiler. It comes with a run-time library and is fully compatible with Turbo Pascal 7.0 and nearly Delphi compatible. Some extensions are added to the language, like function overloading and generics. Shared libraries can be linked. This package contains commandline compiler and utils. Provided units are the runtime library (RTL), free component library (FCL) and the base and extra packages. %else %description The fpc-doc package contains the documentation PDF files. %endif %package examples Summary: Freepascal Compiler examples Group: Documentation/Other BuildArch: noarch %description examples The fpc-examples package contains examples for Freepascal. %package src Summary: Freepascal Compiler - sources Group: Development/Languages/Other %description src The fpc-src package contains the sources of Freepascal, for documentation or automatical-code generation purposes. %prep %setup -q -n fpcbuild-%{version} %patch0 -p1 %patch1 -p0 %patch2 -p1 %patch3 -p1 %patch4 -p1 %if %{with bootstrap} %if "%{flavor}" == "" %ifarch aarch64 unzip %{SOURCE1} %endif %ifarch ppc64le unzip %{SOURCE2} %endif %ifarch ppc64 unzip %{SOURCE3} %endif %ifarch ppc unzip %{SOURCE4} %endif %endif %endif # Remove files with license problems (which are not used on Linux) rm -f fpcsrc/packages/nvapi/src/nvapi.pas # Copy needed source files by external packages in a new directory (to be included in the fpc-src subpackage) install -dm 0755 fpc-src cp -a fpcsrc/rtl fpc-src cp -a fpcsrc/packages fpc-src find fpc-src -name '*.o' | xargs rm -f rm -rf fpc-src/packages/extra/amunits rm -rf fpc-src/packages/extra/winunits # Inject reproducible date into PDF documentation date --date=@${SOURCE_DATE_EPOCH:-0} +'\date{%B %Y}' > fpcdocs/date.inc %build %if "%{flavor}" == "" %if %{with bootstrap} STARTPP=$(pwd)/fpc-%{version}-%{_arch}/bin/%{ppcname} %else STARTPP=%{ppcname} %endif pushd fpcsrc FPCDIR= NEWPP=`pwd`/compiler/%{ppcname} make %{?_smp_mflags} compiler_cycle FPC=${STARTPP} OPT='%{fpcopt} %{fpcdebugopt}' make %{?_smp_mflags} rtl_clean rtl_smart FPC=${NEWPP} OPT='%{fpcopt}' make %{?_smp_mflags} packages_smart \ FPC=${NEWPP} OPT='%{fpcopt}' make %{?_smp_mflags} utils_all \ FPC=${NEWPP} OPT='%{fpcopt} %{fpcdebugopt}' popd %else make -C fpcdocs pdf FPC=fpc %endif %install # Make available built binaries %if "%{flavor}" == "" export PATH=$PATH:%{buildroot}%{_bindir} pushd fpcsrc FPCDIR= NEWPP=`pwd`/compiler/%{ppcname} INSTALLOPTS="FPC=${NEWPP} \ INSTALL_PREFIX=%{buildroot}%{_prefix} \ INSTALL_LIBDIR=%{buildroot}%{_libdir} \ INSTALL_BASEDIR=%{buildroot}%{_libdir}/%{name}/%{version} \ CODPATH=%{buildroot}%{_libdir}/%{name}/lexyacc \ INSTALL_DOCDIR=%{buildroot}%{_defaultdocdir}/%{name} \ INSTALL_BINDIR=%{buildroot}%{_bindir} INSTALL_EXAMPLEDIR=%{buildroot}%{_defaultdocdir}/%{name}/examples" make compiler_distinstall ${INSTALLOPTS} make utils_distinstall ${INSTALLOPTS} make rtl_distinstall ${INSTALLOPTS} make packages_distinstall ${INSTALLOPTS} popd pushd install make -C doc ${INSTALLOPTS} make -C man ${INSTALLOPTS} INSTALL_MANDIR=%{buildroot}%{_mandir} popd # create link ln -sf ../%{_lib}/%{name}/%{version}/%{ppcname} %{buildroot}%{_bindir}/%{ppcname} # create a version independent config FPCMKCFGBIN=%{buildroot}%{_prefix}/bin/fpcmkcfg FPCPATH=%{_libdir}/fpc/`$NEWPP -iV` SYSFPDIRBASE=%{buildroot}%{_libdir}/fpc/`$NEWPP -iV`/ide/text ${FPCMKCFGBIN} -p -d "basepath=$FPCPATH" -o %{buildroot}%{_sysconfdir}/fpc.cfg ${FPCMKCFGBIN} -p -1 -d "basepath=$FPCPATH" -o ${SYSFPDIRBASE}/fp.cfg ${FPCMKCFGBIN} -p -2 -o ${SYSFPDIRBASE}/fp.ini ${FPCMKCFGBIN} -p -3 -d CompilerConfigDir=%{_sysconfdir}/fppkg -o %{buildroot}%{_sysconfdir}/fppkg.cfg ${FPCMKCFGBIN} -p -4 -d "GlobalPrefix=$FPCGLOBALPREFIX" -o %{buildroot}%{_sysconfdir}/fppkg/default # Add support for "build ID" in binaries (for debuginfo support) echo -e \ "\n# ----------------------\n\ # Use BuildId by default\n\ # ----------------------\n\ -k--build-id" >> %{buildroot}%{_sysconfdir}/fpc.cfg # include the COPYING-information for the compiler/rtl/fcl in the documentation install -m 644 -D fpcsrc/compiler/COPYING.txt %{buildroot}%{_licensedir}/%{name}/COPYING install -m 644 -D fpcsrc/rtl/COPYING.txt %{buildroot}%{_licensedir}/%{name}/COPYING.rtl install -m 644 -D fpcsrc/rtl/COPYING.FPC %{buildroot}%{_licensedir}/%{name}/COPYING.FPC mv %{buildroot}%{_defaultdocdir}/%{name}/../../%{name}-%{version}/ide/readme.ide %{buildroot}%{_defaultdocdir}/%{name}/readme.ide mv %{buildroot}%{_defaultdocdir}/%{name}/../../%{name}-%{version} %{buildroot}%{_defaultdocdir}/%{name}/examples # Install source files needed by external packages cp -a fpc-src/ %{buildroot}%{_datadir}/fpcsrc/ # delete lexyacc rm -rf %{buildroot}%{_libdir}/%{name}/lexyacc chmod 755 %{buildroot}%{_datadir}/fpcsrc/packages/ibase/scripts/mkdb chmod 644 %{buildroot}%{_datadir}/fpcsrc/packages/iconvenc/src/iconvenc.pas chmod 644 %{buildroot}%{_datadir}/fpcsrc/packages/iconvenc/examples/iconvtest.pp chmod 755 %{buildroot}%{_datadir}/fpcsrc/packages/libc/scripts/h2p chmod 755 %{buildroot}%{_datadir}/fpcsrc/packages/mysql/scripts/rmdb chmod 755 %{buildroot}%{_datadir}/fpcsrc/packages/postgres/scripts/mkdb chmod 755 %{buildroot}%{_datadir}/fpcsrc/packages/postgres/scripts/rmdb chmod 755 %{buildroot}%{_datadir}/fpcsrc/packages/xforms/scripts/doc2p chmod 755 %{buildroot}%{_datadir}/fpcsrc/rtl/freebsd/*/identpatch.sh chmod 755 %{buildroot}%{_datadir}/fpcsrc/rtl/netware/convertimp %if 0%{?suse_version} %fdupes -s %{buildroot}%{_datadir}/fpcsrc %fdupes -s %{buildroot}%{_libdir}/%{name} %endif %else make -C fpcdocs pdfinstall \ FPC=fpc \ INSTALL_DOCDIR=%{buildroot}%{_defaultdocdir}/fpc %endif %if "%{flavor}" == "" %files %license %{_licensedir}/%{name} %dir %{_defaultdocdir}/%{name}/ %doc %{_defaultdocdir}/%{name}/NEWS %doc %{_defaultdocdir}/%{name}/README %doc %{_defaultdocdir}/%{name}/readme.ide %doc %{_defaultdocdir}/%{name}/faq* %doc %{_mandir}/*/* %config(noreplace) %{_sysconfdir}/%{name}.cfg %config(noreplace) %{_sysconfdir}/fppkg.cfg %dir %{_sysconfdir}/fppkg %config(noreplace) %{_sysconfdir}/fppkg/default %{_bindir}/* %{_libdir}/libpas2jslib.so* %{_libdir}/%{name}/ %ifarch x86_64 aarch64 ppc64 ppc64le /usr/lib/%{name}/ %endif %files examples %docdir %{_defaultdocdir}/%{name} %dir %{_defaultdocdir}/%{name}/examples %doc %{_defaultdocdir}/%{name}/examples/* %files src %dir %{_datadir}/fpcsrc %{_datadir}/fpcsrc/* %else %files %docdir %{_defaultdocdir}/fpc %doc %{_defaultdocdir}/fpc/*.pdf %endif %changelog ++++++ _multibuild ++++++ <multibuild> <package>doc</package> </multibuild> ++++++ aarch64-fpc-compilation-fix.patch ++++++ --- fpcbuild-3.2.0/fpcsrc/compiler/arm/agarmgas.pas (Revision 46921) +++ fpcbuild-3.2.0/fpcsrc/compiler/arm/agarmgas.pas (Revision 46922) @@ -105,6 +105,12 @@ result:=inherited MakeCmdLine; if (current_settings.fputype = fpu_soft) then result:='-mfpu=softvfp '+result; + if (current_settings.fputype = fpu_fpa) then + result:='-mfpu=fpa '+result; + if (current_settings.fputype = fpu_fpa10) then + result:='-mfpu=fpa10 '+result; + if (current_settings.fputype = fpu_fpa11) then + result:='-mfpu=fpa11 '+result; if (current_settings.fputype = fpu_vfpv2) then result:='-mfpu=vfpv2 '+result; if (current_settings.fputype = fpu_vfpv3) then ++++++ aarch64-fpu-initialization.patch ++++++ --- fpcbuild-3.2.0/fpcsrc/compiler/aarch64/cgcpu.pas 2018-12-13 19:27:26.000000000 +0100 +++ fpcbuild-3.2.0/fpcsrc/compiler/aarch64/cgcpu.pas 2020-09-24 09:53:53.047492225 +0200 @@ -980,6 +980,7 @@ { Notify the register allocator that we have written a move instruction so it can try to eliminate it. } add_move_instruction(instr); + { FMOV cannot generate a floating point exception } end else begin --- fpcbuild-3.2.0/fpcsrc/rtl/aarch64/aarch64.inc 2015-02-23 23:54:03.000000000 +0100 +++ fpcbuild-3.2.0/fpcsrc/rtl/aarch64/aarch64.inc 2020-09-24 13:52:50.744053033 +0200 @@ -50,26 +50,46 @@ mrs x0,fpsr end; +const + FPSR_IOC = 1; + FPSR_DZC = 1 shl 1; + FPSR_OFC = 1 shl 2; + FPSR_UFC = 1 shl 3; + FPSR_IXC = 1 shl 4; + FPSR_IDC = 1 shl 7; + FPSR_EXCEPTIONS = FPSR_IOC or FPSR_DZC or FPSR_OFC or FPSR_UFC or FPSR_IXC or FPSR_IDC; procedure setfpsr(val: dword); nostackframe; assembler; asm msr fpsr, x0 end; - -procedure fpc_enable_fpu_exceptions; +{$define FPC_SYSTEM_HAS_SYSINITFPU} +procedure SysInitFPU; begin + softfloat_rounding_mode:=rmNearest; + { 0 is rmNearest } + setfpcr(getfpcr and $ff3fffff); { clear all "exception happened" flags we care about} - setfpsr(getfpsr and not(fpu_exception_mask shr fpu_exception_mask_to_status_mask_shift)); - { enable invalid operations and division by zero exceptions. } - setfpcr(getfpcr or fpu_exception_mask); + setfpsr(getfpsr and not(fpu_exception_mask shr fpu_exception_mask_to_status_mask_shift)); + { enable invalid operations and division by zero exceptions. } + setfpcr(((getfpcr and not(fpu_exception_mask)) or fpu_dze or fpu_ofe or fpu_ioe)); + softfloat_exception_mask:=[float_flag_underflow,float_flag_inexact,float_flag_denormal]; + softfloat_exception_flags:=[]; end; +{$define FPC_SYSTEM_HAS_SYSRESETFPU} +Procedure SysResetFPU;{$ifdef SYSTEMINLINE}inline;{$endif} +begin + softfloat_exception_flags:=[]; + setfpsr(getfpsr and not(FPSR_EXCEPTIONS)); +end; + procedure fpc_cpuinit; begin { don't let libraries influence the FPU cw set by the host program } if not IsLibrary then - fpc_enable_fpu_exceptions; + SysInitFPU; end; ++++++ fpc-fix-library-paths-on-aarch64.patch ++++++ diff -Nru fpcbuild-3.2.0.orig/fpcsrc/compiler/systems/t_linux.pas fpcbuild-3.2.0/fpcsrc/compiler/systems/t_linux.pas --- fpcbuild-3.2.0.orig/fpcsrc/compiler/systems/t_linux.pas 2019-12-05 21:11:43.000000000 +0100 +++ fpcbuild-3.2.0/fpcsrc/compiler/systems/t_linux.pas 2020-06-25 18:33:04.362536867 +0200 @@ -142,8 +142,15 @@ LibrarySearchPath.AddLibraryPath(sysrootpath,'=/lib64;=/usr/lib64;=/usr/X11R6/lib64',true) else LibrarySearchPath.AddLibraryPath(sysrootpath,'=/lib64;=/usr/lib/powerpc64le-linux-gnu;=/usr/X11R6/powerpc64le-linux-gnu',true); -{$else powerpc64} +{$else} +{$ifdef aarch64} + LibrarySearchPath.AddLibraryPath(sysrootpath,'=/usr/lib',true); + LibrarySearchPath.AddLibraryPath(sysrootpath,'=/lib',true); + LibrarySearchPath.AddLibraryPath(sysrootpath,'=/usr/lib64',true); + LibrarySearchPath.AddLibraryPath(sysrootpath,'=/lib64',true); +{$else} LibrarySearchPath.AddLibraryPath(sysrootpath,'=/lib;=/usr/lib;=/usr/X11R6/lib',true); +{$endif aarch64} {$endif powerpc64} {$endif x86_64} @@ -223,7 +230,7 @@ {$endif arm} {$ifdef aarch64} -const defdynlinker='/lib/ld-linux-aarch64.so.1'; +const defdynlinker='/lib64/ld-linux-aarch64.so.1'; {$endif aarch64} {$ifdef mips} ++++++ fpc-fix-library-paths-on-ppc64.patch ++++++ --- fpcbuild-3.2.0/fpcsrc/compiler/systems/t_linux.pas.orig 2020-09-25 07:43:31.880558566 +0000 +++ fpcbuild-3.2.0/fpcsrc/compiler/systems/t_linux.pas 2020-09-25 07:55:16.789263339 +0000 @@ -141,7 +141,7 @@ begin if target_info.abi<>abi_powerpc_elfv2 then LibrarySearchPath.AddLibraryPath(sysrootpath,'=/lib64;=/usr/lib64;=/usr/X11R6/lib64',true) else - LibrarySearchPath.AddLibraryPath(sysrootpath,'=/lib64;=/usr/lib/powerpc64le-linux-gnu;=/usr/X11R6/powerpc64le-linux-gnu',true); + LibrarySearchPath.AddLibraryPath(sysrootpath,'=/lib64;=/usr/lib64;=/usr/X11R6/lib64',true); {$else} {$ifdef aarch64} LibrarySearchPath.AddLibraryPath(sysrootpath,'=/usr/lib',true); ++++++ fpc-rpmlintrc ++++++ addFilter("statically-linked-binary") addFilter("shlib-policy-name-error") addFilter("devel-file-in-non-devel-package .*/fpc/.*/units/.*-linux/.*.a") addFilter("devel-file-in-non-devel-package .*/fpcsrc/.*/.*.a") addFilter("devel-file-in-non-devel-package .*/fpcsrc/.*/.*.c") addFilter("devel-file-in-non-devel-package .*/fpcsrc/.*/.*.cpp") addFilter("devel-file-in-non-devel-package .*/fpcsrc/.*/.*.h") ++++++ fpc-si_c-x86_64-plt.patch ++++++ Index: fpcsrc/rtl/linux/x86_64/si_c.inc =================================================================== --- fpcsrc/rtl/linux/x86_64/si_c.inc (revision 46208) +++ fpcsrc/rtl/linux/x86_64/si_c.inc (revision 46209) @@ -86,7 +86,7 @@ { start the program } xorq %rbp,%rbp - call PASCALMAIN + call PASCALMAIN@PLT {$endif FPC_HAS_INDIRECT_ENTRY_INFORMATION} hlt end; @@ -162,7 +162,7 @@ { Call the user's main function, and exit with its value. But let the libc call main. } - call libc_start_main + call libc_start_main@PLT hlt { Crash if somehow `exit' does return. } end;

1 0