10 files changed, 222 insertions, 22 deletions
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 7e8f8b9ff5..6fc60a1d97 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -137,6 +137,11 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
    spdx_files = []
    file_counter = 1
+    check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
+    if check_compiled_sources:
+        compiled_sources, types = oe.spdx_common.get_compiled_sources(d)
+        bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
    for subdir, dirs, files in os.walk(topdir):
        dirs[:] = [d for d in dirs if d not in ignore_dirs]
        if subdir == str(topdir):
@@ -147,6 +152,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
            filename = str(filepath.relative_to(topdir))
            if not filepath.is_symlink() and filepath.is_file():
+                # Check if file is compiled
+                if check_compiled_sources:
+                     if not oe.spdx_common.is_compiled_source(filename, compiled_sources, types):
+                          continue
                spdx_file = oe.spdx.SPDXFile()
                spdx_file.SPDXID = get_spdxid(file_counter)
                for t in get_types(filepath):
diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index 713a7fc651..ca0416d1c7 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -26,6 +26,7 @@ SPDX_TOOL_VERSION ??= "1.0"
 SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
 SPDX_INCLUDE_SOURCES ??= "0"
+SPDX_INCLUDE_COMPILED_SOURCES ??= "0"
 SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
 SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
@@ -40,6 +41,8 @@ SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
 python () {
    from oe.cve_check import extend_cve_status
    extend_cve_status(d)
+    if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
+        d.setVar("SPDX_INCLUDE_SOURCES", "1")
 }
 def create_spdx_source_deps(d):
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 61d7ba45e3..beeafc2bb7 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -156,6 +156,11 @@ def add_package_files(
        bb.note(f"Skip {topdir}")
        return spdx_files
+    check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
+    if check_compiled_sources:
+        compiled_sources, types = oe.spdx_common.get_compiled_sources(d)
+        bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
    for subdir, dirs, files in os.walk(topdir, onerror=walk_error):
        dirs[:] = [d for d in dirs if d not in ignore_dirs]
        if subdir == str(topdir):
@@ -171,6 +176,11 @@ def add_package_files(
            filename = str(filepath.relative_to(topdir))
            file_purposes = get_purposes(filepath)
+            # Check if file is compiled
+            if check_compiled_sources:
+                if not oe.spdx_common.is_compiled_source(filename, compiled_sources, types):
+                    continue
            spdx_file = objset.new_file(
                get_spdxid(file_counter),
                filename,
diff --git a/meta/lib/oe/spdx_common.py b/meta/lib/oe/spdx_common.py
index 4caefc7673..c2dec65563 100644
--- a/meta/lib/oe/spdx_common.py
+++ b/meta/lib/oe/spdx_common.py
@@ -242,3 +242,44 @@ def fetch_data_to_uri(fd, name):
        uri = uri + "@" + fd.revision
    return uri
+def is_compiled_source (filename, compiled_sources, types):
+    """
+    Check if the file is a compiled file
+    """
+    import os
+    # If we don't have compiled source, we assume all are compiled.
+    if not compiled_sources:
+        return True
+    # We return always true if the file type is not in the list of compiled files.
+    # Some files in the source directory are not compiled, for example, Makefiles,
+    # but also python .py file. We need to include them in the SPDX.
+    basename = os.path.basename(filename)
+    ext = basename.partition(".")[2]
+    if ext not in types:
+        return True
+    # Check that the file is in the list
+    return filename in compiled_sources
+def get_compiled_sources(d):
+    """
+    Get list of compiled sources from debug information and normalize the paths
+    """
+    import itertools
+    source_info = oe.package.read_debugsources_info(d)
+    if not source_info:
+        bb.debug(1, "Do not have debugsources.list. Skipping")
+        return [], []
+    # Sources are not split now in SPDX, so we aggregate them
+    sources = set(itertools.chain.from_iterable(source_info.values()))
+    # Check extensions of files
+    types = set()
+    for src in sources:
+        basename = os.path.basename(src)
+        ext = basename.partition(".")[2]
+        if ext not in types and ext:
+            types.add(ext)
+    bb.debug(1, f"Num of sources: {len(sources)} and types: {len(types)} {str(types)}")
+    return sources, types
diff --git a/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch b/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch
new file mode 100644
index 0000000000..41be1635b5
--- /dev/null
+++ b/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch
@@ -0,0 +1,112 @@
+From 8763c305c29d0abb7e2be4695212b42917d054b2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
+Date: Tue, 20 May 2025 16:03:44 +0100
+Subject: [PATCH] sort: fix buffer under-read (CWE-127)
+* src/sort.c (begfield): Check pointer adjustment
+to avoid Out-of-range pointer offset (CWE-823).
+(limfield): Likewise.
+* tests/sort/sort-field-limit.sh: Add a new test,
+which triggers with ASAN or Valgrind.
+* tests/local.mk: Reference the new test.
+* NEWS: Mention bug fix introduced in v7.2 (2009).
+Fixes https://bugs.gnu.org/78507
+CVE: CVE-2025-5278
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633]
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/sort.c                     | 12 ++++++++++--
+ tests/local.mk                 |  1 +
+ tests/sort/sort-field-limit.sh | 35 ++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+), 2 deletions(-)
+ create mode 100755 tests/sort/sort-field-limit.sh
+diff --git a/src/sort.c b/src/sort.c
+index b10183b6f..7af1a2512 100644
+--- a/src/sort.c
+++ b/src/sort.c
+@@ -1644,7 +1644,11 @@ begfield (struct line const *line, struct keyfield const *key)
+       ++ptr;
+ 
+   /* Advance PTR by SCHAR (if possible), but no further than LIM.  */
+-  ptr = MIN (lim, ptr + schar);
+  size_t remaining_bytes = lim - ptr;
+  if (schar < remaining_bytes)
+    ptr += schar;
+  else
+    ptr = lim;
+ 
+   return ptr;
+ }
+@@ -1746,7 +1750,11 @@ limfield (struct line const *line, struct keyfield const *key)
+           ++ptr;
+ 
+       /* Advance PTR by ECHAR (if possible), but no further than LIM.  */
+-      ptr = MIN (lim, ptr + echar);
+      size_t remaining_bytes = lim - ptr;
+      if (echar < remaining_bytes)
+        ptr += echar;
+      else
+        ptr = lim;
+     }
+ 
+   return ptr;
+diff --git a/tests/local.mk b/tests/local.mk
+index 4da6756ac..642d225fa 100644
+--- a/tests/local.mk
+++ b/tests/local.mk
+@@ -388,6 +388,7 @@ all_tests =                                 \
+   tests/sort/sort-debug-keys.sh                        \
+   tests/sort/sort-debug-warn.sh                        \
+   tests/sort/sort-discrim.sh                   \
+  tests/sort/sort-field-limit.sh               \
+   tests/sort/sort-files0-from.pl               \
+   tests/sort/sort-float.sh                     \
+   tests/sort/sort-h-thousands-sep.sh           \
+diff --git a/tests/sort/sort-field-limit.sh b/tests/sort/sort-field-limit.sh
+new file mode 100755
+index 000000000..52d8e1d17
+--- /dev/null
+++ b/tests/sort/sort-field-limit.sh
+@@ -0,0 +1,35 @@
+#!/bin/sh
+# From 7.2-9.7, this would trigger an out of bounds mem read
+
+# Copyright (C) 2025 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+print_ver_ sort
+getlimits_
+
+# This issue triggers with valgrind or ASAN
+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
+  VALGRIND='valgrind --error-exitcode=1'
+
+{ printf '%s\n' aa bb; } > in || framework_failure_
+
+_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
+compare in out || fail=1
+
+_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
+compare in out || fail=1
+
+Exit $fail
+-- 
+2.34.1
diff --git a/meta/recipes-core/coreutils/coreutils_9.7.bb b/meta/recipes-core/coreutils/coreutils_9.7.bb
index dc9dfae26b..5a6456d65e 100644
--- a/meta/recipes-core/coreutils/coreutils_9.7.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.7.bb
@@ -15,6 +15,7 @@ inherit autotools gettext texinfo
 SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
           file://remove-usr-local-lib-from-m4.patch \
+           file://0001-sort-fix-buffer-under-read-CWE-127.patch \
           file://run-ptest \
           "
 SRC_URI[sha256sum] = "e8bb26ad0293f9b5a1fc43fb42ba970e312c66ce92c1b0b16713d7500db251bf"
diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
index 03f02d14ae..df6b2b101a 100644
--- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb
+++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -26,7 +26,7 @@ inherit core-image setuptools3 features_check
 REQUIRED_DISTRO_FEATURES += "xattr"
-SRCREV ?= "52b5f6a95de7228a12a9156a4aaa932daf54456f"
+SRCREV ?= "b1b3318eff36d4d9b2d3a935dee607c4f012f992"
 SRC_URI = "git://git.yoctoproject.org/poky;branch=master \
           file://Yocto_Build_Appliance.vmx \
           file://Yocto_Build_Appliance.vmxf \
diff --git a/meta/recipes-support/libcheck/libcheck/not-echo-compiler-info-to-check_stdint.h.patch b/meta/recipes-support/libcheck/libcheck/not-echo-compiler-info-to-check_stdint.h.patch
deleted file mode 100644
index 3c7572700d..0000000000
--- a/meta/recipes-support/libcheck/libcheck/not-echo-compiler-info-to-check_stdint.h.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Do not echo compiler info in a comment line to check_stdint.h which causes
-multilib install file conflict.
-Upstream-Status: Pending
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-diff --git a/m4/ax_create_stdint_h.m4 b/m4/ax_create_stdint_h.m4
-index 33a21f8..eacc37a 100644
--- a/m4/ax_create_stdint_h.m4
-+++ b/m4/ax_create_stdint_h.m4
-@@ -272,7 +272,6 @@ echo "#ifndef" $_ac_stdint_h >$ac_stdint
- echo "#define" $_ac_stdint_h "1" >>$ac_stdint
- echo "#ifndef" _GENERATED_STDINT_H >>$ac_stdint
- echo "#define" _GENERATED_STDINT_H '"'$PACKAGE $VERSION'"' >>$ac_stdint
-echo "/* generated $ac_cv_stdint_message */" >>$ac_stdint
- if test "_$ac_cv_header_stdint_t" != "_" ; then
- echo "#define _STDINT_HAVE_STDINT_H" "1" >>$ac_stdint
- echo "#include <stdint.h>" >>$ac_stdint
diff --git a/meta/recipes-support/libcheck/libcheck/subunit.patch b/meta/recipes-support/libcheck/libcheck/subunit.patch
new file mode 100644
index 0000000000..29c4b15601
--- /dev/null
+++ b/meta/recipes-support/libcheck/libcheck/subunit.patch
@@ -0,0 +1,43 @@
+From a6cd376b9ebcb4afc9ab06bce23b9bd909811ece Mon Sep 17 00:00:00 2001
+From: Christopher Obbard <christopher.obbard@linaro.org>
+Date: Thu, 13 Jun 2024 09:49:53 +0100
+Subject: [PATCH] Allow disabling autodetection of subunit library
+It can be useful to avoid linking to subunit when we are building the check
+library for the host, e.g. in a buildroot recipe, where the built check is
+linked into other applications which are used on the host to build images.
+These applications are built with the host's cross-compiler and can use
+the host's pkgconfig to determine if libraries are available. When check
+is linked against other libraries, it can fail this check for subunit.
+Allow disabling the autodetection of subunit with a configure flag
+-DENABLE_SUBUNIT_EXT=OFF
+Signed-off-by: Christopher Obbard <christopher.obbard@linaro.org>
+Upstream-Status: Submitted [https://github.com/libcheck/check/pull/353/]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ CMakeLists.txt | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 2ee580bc..6b36015b 100644
+--- a/CMakeLists.txt
+++ b/CMakeLists.txt
+@@ -393,7 +393,13 @@ if (HAVE_LIBRT)
+   ADD_DEFINITIONS(-DHAVE_LIBRT=1)
+ endif (HAVE_LIBRT)
+ 
+-check_library_exists(subunit subunit_test_start "" HAVE_SUBUNIT)
+# Allow disabling subunit
+IF(ENABLE_SUBUNIT_EXT)
+  check_library_exists(subunit subunit_test_start "" HAVE_SUBUNIT)
+ELSE(ENABLE_SUBUNIT_EXT)
+  set(HAVE_SUBUNIT, false)
+ENDIF(ENABLE_SUBUNIT_EXT)
+
+ if (HAVE_SUBUNIT)
+   set(SUBUNIT "subunit")
+   set(ENABLE_SUBUNIT 1)
diff --git a/meta/recipes-support/libcheck/libcheck_0.15.2.bb b/meta/recipes-support/libcheck/libcheck_0.15.2.bb
index 8455f2c748..2e56a1ab00 100644
--- a/meta/recipes-support/libcheck/libcheck_0.15.2.bb
+++ b/meta/recipes-support/libcheck/libcheck_0.15.2.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=2d5025d4aa3495befef8f17206a5b0a1"
 SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/check-${PV}.tar.gz \
           file://automake-output.patch \
-           file://not-echo-compiler-info-to-check_stdint.h.patch"
+           file://subunit.patch"
 SRC_URI[sha256sum] = "a8de4e0bacfb4d76dd1c618ded263523b53b85d92a146d8835eb1a52932fa20a"
 GITHUB_BASE_URI = "https://github.com/libcheck/check/releases/"
@@ -23,6 +23,7 @@ inherit cmake pkgconfig texinfo github-releases
 RREPLACES:${PN} = "check (<= 0.9.5)"
 EXTRA_OECMAKE:append:class-target = " -DAWK_PATH=${bindir}/awk"
+EXTRA_OECMAKE = "-DENABLE_SUBUNIT_EXT=OFF"
 do_install:append:class-native() {
    create_cmdline_shebang_wrapper ${D}${bindir}/checkmk
@@ -35,4 +36,3 @@ PACKAGES =+ "checkmk"
 FILES:checkmk = "${bindir}/checkmk"
 RDEPENDS:checkmk = "gawk"

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 7e8f8b9ff5..6fc60a1d97 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass
@@ -137,6 +137,11 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
137	spdx_files = []	137	spdx_files = []
138		138
139	file_counter = 1	139	file_counter = 1
		140
		141	check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
		142	if check_compiled_sources:
		143	compiled_sources, types = oe.spdx_common.get_compiled_sources(d)
		144	bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
140	for subdir, dirs, files in os.walk(topdir):	145	for subdir, dirs, files in os.walk(topdir):
141	dirs[:] = [d for d in dirs if d not in ignore_dirs]	146	dirs[:] = [d for d in dirs if d not in ignore_dirs]
142	if subdir == str(topdir):	147	if subdir == str(topdir):
@@ -147,6 +152,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv
147	filename = str(filepath.relative_to(topdir))	152	filename = str(filepath.relative_to(topdir))
148		153
149	if not filepath.is_symlink() and filepath.is_file():	154	if not filepath.is_symlink() and filepath.is_file():
		155	# Check if file is compiled
		156	if check_compiled_sources:
		157	if not oe.spdx_common.is_compiled_source(filename, compiled_sources, types):
		158	continue
150	spdx_file = oe.spdx.SPDXFile()	159	spdx_file = oe.spdx.SPDXFile()
151	spdx_file.SPDXID = get_spdxid(file_counter)	160	spdx_file.SPDXID = get_spdxid(file_counter)
152	for t in get_types(filepath):	161	for t in get_types(filepath):


diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass index 713a7fc651..ca0416d1c7 100644 --- a/meta/classes/spdx-common.bbclass +++ b/meta/classes/spdx-common.bbclass
@@ -26,6 +26,7 @@ SPDX_TOOL_VERSION ??= "1.0"
26	SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"	26	SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
27		27
28	SPDX_INCLUDE_SOURCES ??= "0"	28	SPDX_INCLUDE_SOURCES ??= "0"
		29	SPDX_INCLUDE_COMPILED_SOURCES ??= "0"
29		30
30	SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"	31	SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
31	SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"	32	SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
@@ -40,6 +41,8 @@ SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
40	python () {	41	python () {
41	from oe.cve_check import extend_cve_status	42	from oe.cve_check import extend_cve_status
42	extend_cve_status(d)	43	extend_cve_status(d)
		44	if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
		45	d.setVar("SPDX_INCLUDE_SOURCES", "1")
43	}	46	}
44		47
45	def create_spdx_source_deps(d):	48	def create_spdx_source_deps(d):


diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 61d7ba45e3..beeafc2bb7 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py
@@ -156,6 +156,11 @@ def add_package_files(
156	bb.note(f"Skip {topdir}")	156	bb.note(f"Skip {topdir}")
157	return spdx_files	157	return spdx_files
158		158
		159	check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
		160	if check_compiled_sources:
		161	compiled_sources, types = oe.spdx_common.get_compiled_sources(d)
		162	bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
		163
159	for subdir, dirs, files in os.walk(topdir, onerror=walk_error):	164	for subdir, dirs, files in os.walk(topdir, onerror=walk_error):
160	dirs[:] = [d for d in dirs if d not in ignore_dirs]	165	dirs[:] = [d for d in dirs if d not in ignore_dirs]
161	if subdir == str(topdir):	166	if subdir == str(topdir):
@@ -171,6 +176,11 @@ def add_package_files(
171	filename = str(filepath.relative_to(topdir))	176	filename = str(filepath.relative_to(topdir))
172	file_purposes = get_purposes(filepath)	177	file_purposes = get_purposes(filepath)
173		178
		179	# Check if file is compiled
		180	if check_compiled_sources:
		181	if not oe.spdx_common.is_compiled_source(filename, compiled_sources, types):
		182	continue
		183
174	spdx_file = objset.new_file(	184	spdx_file = objset.new_file(
175	get_spdxid(file_counter),	185	get_spdxid(file_counter),
176	filename,	186	filename,


diff --git a/meta/lib/oe/spdx_common.py b/meta/lib/oe/spdx_common.py index 4caefc7673..c2dec65563 100644 --- a/meta/lib/oe/spdx_common.py +++ b/meta/lib/oe/spdx_common.py
@@ -242,3 +242,44 @@ def fetch_data_to_uri(fd, name):
242	uri = uri + "@" + fd.revision	242	uri = uri + "@" + fd.revision
243		243
244	return uri	244	return uri
		245
		246	def is_compiled_source (filename, compiled_sources, types):
		247	"""
		248	Check if the file is a compiled file
		249	"""
		250	import os
		251	# If we don't have compiled source, we assume all are compiled.
		252	if not compiled_sources:
		253	return True
		254
		255	# We return always true if the file type is not in the list of compiled files.
		256	# Some files in the source directory are not compiled, for example, Makefiles,
		257	# but also python .py file. We need to include them in the SPDX.
		258	basename = os.path.basename(filename)
		259	ext = basename.partition(".")[2]
		260	if ext not in types:
		261	return True
		262	# Check that the file is in the list
		263	return filename in compiled_sources
		264
		265	def get_compiled_sources(d):
		266	"""
		267	Get list of compiled sources from debug information and normalize the paths
		268	"""
		269	import itertools
		270	source_info = oe.package.read_debugsources_info(d)
		271	if not source_info:
		272	bb.debug(1, "Do not have debugsources.list. Skipping")
		273	return [], []
		274
		275	# Sources are not split now in SPDX, so we aggregate them
		276	sources = set(itertools.chain.from_iterable(source_info.values()))
		277	# Check extensions of files
		278	types = set()
		279	for src in sources:
		280	basename = os.path.basename(src)
		281	ext = basename.partition(".")[2]
		282	if ext not in types and ext:
		283	types.add(ext)
		284	bb.debug(1, f"Num of sources: {len(sources)} and types: {len(types)} {str(types)}")
		285	return sources, types


diff --git a/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch b/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch new file mode 100644 index 0000000000..41be1635b5 --- /dev/null +++ b/meta/recipes-core/coreutils/coreutils/0001-sort-fix-buffer-under-read-CWE-127.patch
@@ -0,0 +1,112 @@
		1	From 8763c305c29d0abb7e2be4695212b42917d054b2 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
		3	Date: Tue, 20 May 2025 16:03:44 +0100
		4	Subject: [PATCH] sort: fix buffer under-read (CWE-127)
		5
		6	* src/sort.c (begfield): Check pointer adjustment
		7	to avoid Out-of-range pointer offset (CWE-823).
		8	(limfield): Likewise.
		9	* tests/sort/sort-field-limit.sh: Add a new test,
		10	which triggers with ASAN or Valgrind.
		11	* tests/local.mk: Reference the new test.
		12	* NEWS: Mention bug fix introduced in v7.2 (2009).
		13	Fixes https://bugs.gnu.org/78507
		14
		15	CVE: CVE-2025-5278
		16
		17	Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633]
		18
		19	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
		20	---
		21	src/sort.c \| 12 ++++++++++--
		22	tests/local.mk \| 1 +
		23	tests/sort/sort-field-limit.sh \| 35 ++++++++++++++++++++++++++++++++++
		24	3 files changed, 46 insertions(+), 2 deletions(-)
		25	create mode 100755 tests/sort/sort-field-limit.sh
		26
		27	diff --git a/src/sort.c b/src/sort.c
		28	index b10183b6f..7af1a2512 100644
		29	--- a/src/sort.c
		30	+++ b/src/sort.c
		31	@@ -1644,7 +1644,11 @@ begfield (struct line const line, struct keyfield const key)
		32	++ptr;
		33
		34	/* Advance PTR by SCHAR (if possible), but no further than LIM. */
		35	- ptr = MIN (lim, ptr + schar);
		36	+ size_t remaining_bytes = lim - ptr;
		37	+ if (schar < remaining_bytes)
		38	+ ptr += schar;
		39	+ else
		40	+ ptr = lim;
		41
		42	return ptr;
		43	}
		44	@@ -1746,7 +1750,11 @@ limfield (struct line const line, struct keyfield const key)
		45	++ptr;
		46
		47	/* Advance PTR by ECHAR (if possible), but no further than LIM. */
		48	- ptr = MIN (lim, ptr + echar);
		49	+ size_t remaining_bytes = lim - ptr;
		50	+ if (echar < remaining_bytes)
		51	+ ptr += echar;
		52	+ else
		53	+ ptr = lim;
		54	}
		55
		56	return ptr;
		57	diff --git a/tests/local.mk b/tests/local.mk
		58	index 4da6756ac..642d225fa 100644
		59	--- a/tests/local.mk
		60	+++ b/tests/local.mk
		61	@@ -388,6 +388,7 @@ all_tests = \
		62	tests/sort/sort-debug-keys.sh \
		63	tests/sort/sort-debug-warn.sh \
		64	tests/sort/sort-discrim.sh \
		65	+ tests/sort/sort-field-limit.sh \
		66	tests/sort/sort-files0-from.pl \
		67	tests/sort/sort-float.sh \
		68	tests/sort/sort-h-thousands-sep.sh \
		69	diff --git a/tests/sort/sort-field-limit.sh b/tests/sort/sort-field-limit.sh
		70	new file mode 100755
		71	index 000000000..52d8e1d17
		72	--- /dev/null
		73	+++ b/tests/sort/sort-field-limit.sh
		74	@@ -0,0 +1,35 @@
		75	+#!/bin/sh
		76	+# From 7.2-9.7, this would trigger an out of bounds mem read
		77	+
		78	+# Copyright (C) 2025 Free Software Foundation, Inc.
		79	+
		80	+# This program is free software: you can redistribute it and/or modify
		81	+# it under the terms of the GNU General Public License as published by
		82	+# the Free Software Foundation, either version 3 of the License, or
		83	+# (at your option) any later version.
		84	+
		85	+# This program is distributed in the hope that it will be useful,
		86	+# but WITHOUT ANY WARRANTY; without even the implied warranty of
		87	+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
		88	+# GNU General Public License for more details.
		89	+
		90	+# You should have received a copy of the GNU General Public License
		91	+# along with this program. If not, see <https://www.gnu.org/licenses/>.
		92	+
		93	+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
		94	+print_ver_ sort
		95	+getlimits_
		96	+
		97	+# This issue triggers with valgrind or ASAN
		98	+valgrind --error-exitcode=1 sort --version 2>/dev/null &&
		99	+ VALGRIND='valgrind --error-exitcode=1'
		100	+
		101	+{ printf '%s\n' aa bb; } > in \|\| framework_failure_
		102	+
		103	+_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out \|\| fail=1
		104	+compare in out \|\| fail=1
		105	+
		106	+_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out \|\| fail=1
		107	+compare in out \|\| fail=1
		108	+
		109	+Exit $fail
		110	--
		111	2.34.1
		112


diff --git a/meta/recipes-core/coreutils/coreutils_9.7.bb b/meta/recipes-core/coreutils/coreutils_9.7.bb index dc9dfae26b..5a6456d65e 100644 --- a/meta/recipes-core/coreutils/coreutils_9.7.bb +++ b/meta/recipes-core/coreutils/coreutils_9.7.bb
@@ -15,6 +15,7 @@ inherit autotools gettext texinfo
15		15
16	SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \	16	SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
17	file://remove-usr-local-lib-from-m4.patch \	17	file://remove-usr-local-lib-from-m4.patch \
		18	file://0001-sort-fix-buffer-under-read-CWE-127.patch \
18	file://run-ptest \	19	file://run-ptest \
19	"	20	"
20	SRC_URI[sha256sum] = "e8bb26ad0293f9b5a1fc43fb42ba970e312c66ce92c1b0b16713d7500db251bf"	21	SRC_URI[sha256sum] = "e8bb26ad0293f9b5a1fc43fb42ba970e312c66ce92c1b0b16713d7500db251bf"


diff --git a/meta/recipes-core/images/build-appliance-image_15.0.0.bb b/meta/recipes-core/images/build-appliance-image_15.0.0.bb index 03f02d14ae..df6b2b101a 100644 --- a/meta/recipes-core/images/build-appliance-image_15.0.0.bb +++ b/meta/recipes-core/images/build-appliance-image_15.0.0.bb
@@ -26,7 +26,7 @@ inherit core-image setuptools3 features_check
26		26
27	REQUIRED_DISTRO_FEATURES += "xattr"	27	REQUIRED_DISTRO_FEATURES += "xattr"
28		28
29	SRCREV ?= "52b5f6a95de7228a12a9156a4aaa932daf54456f"	29	SRCREV ?= "b1b3318eff36d4d9b2d3a935dee607c4f012f992"
30	SRC_URI = "git://git.yoctoproject.org/poky;branch=master \	30	SRC_URI = "git://git.yoctoproject.org/poky;branch=master \
31	file://Yocto_Build_Appliance.vmx \	31	file://Yocto_Build_Appliance.vmx \
32	file://Yocto_Build_Appliance.vmxf \	32	file://Yocto_Build_Appliance.vmxf \


diff --git a/meta/recipes-support/libcheck/libcheck/not-echo-compiler-info-to-check_stdint.h.patch b/meta/recipes-support/libcheck/libcheck/not-echo-compiler-info-to-check_stdint.h.patch deleted file mode 100644 index 3c7572700d..0000000000 --- a/meta/recipes-support/libcheck/libcheck/not-echo-compiler-info-to-check_stdint.h.patch +++ /dev/null
@@ -1,19 +0,0 @@
1	Do not echo compiler info in a comment line to check_stdint.h which causes
2	multilib install file conflict.
3
4	Upstream-Status: Pending
5
6	Signed-off-by: Kai Kang <kai.kang@windriver.com>
7
8	diff --git a/m4/ax_create_stdint_h.m4 b/m4/ax_create_stdint_h.m4
9	index 33a21f8..eacc37a 100644
10	--- a/m4/ax_create_stdint_h.m4
11	+++ b/m4/ax_create_stdint_h.m4
12	@@ -272,7 +272,6 @@ echo "#ifndef" $_ac_stdint_h >$ac_stdint
13	echo "#define" $_ac_stdint_h "1" >>$ac_stdint
14	echo "#ifndef" _GENERATED_STDINT_H >>$ac_stdint
15	echo "#define" _GENERATED_STDINT_H '"'$PACKAGE $VERSION'"' >>$ac_stdint
16	-echo "/* generated $ac_cv_stdint_message */" >>$ac_stdint
17	if test "_$ac_cv_header_stdint_t" != "_" ; then
18	echo "#define _STDINT_HAVE_STDINT_H" "1" >>$ac_stdint
19	echo "#include <stdint.h>" >>$ac_stdint


diff --git a/meta/recipes-support/libcheck/libcheck/subunit.patch b/meta/recipes-support/libcheck/libcheck/subunit.patch new file mode 100644 index 0000000000..29c4b15601 --- /dev/null +++ b/meta/recipes-support/libcheck/libcheck/subunit.patch
@@ -0,0 +1,43 @@
		1	From a6cd376b9ebcb4afc9ab06bce23b9bd909811ece Mon Sep 17 00:00:00 2001
		2	From: Christopher Obbard <christopher.obbard@linaro.org>
		3	Date: Thu, 13 Jun 2024 09:49:53 +0100
		4	Subject: [PATCH] Allow disabling autodetection of subunit library
		5
		6	It can be useful to avoid linking to subunit when we are building the check
		7	library for the host, e.g. in a buildroot recipe, where the built check is
		8	linked into other applications which are used on the host to build images.
		9
		10	These applications are built with the host's cross-compiler and can use
		11	the host's pkgconfig to determine if libraries are available. When check
		12	is linked against other libraries, it can fail this check for subunit.
		13
		14	Allow disabling the autodetection of subunit with a configure flag
		15	-DENABLE_SUBUNIT_EXT=OFF
		16
		17	Signed-off-by: Christopher Obbard <christopher.obbard@linaro.org>
		18
		19	Upstream-Status: Submitted [https://github.com/libcheck/check/pull/353/]
		20	Signed-off-by: Ross Burton <ross.burton@arm.com>
		21	---
		22	CMakeLists.txt \| 8 +++++++-
		23	1 file changed, 7 insertions(+), 1 deletion(-)
		24
		25	diff --git a/CMakeLists.txt b/CMakeLists.txt
		26	index 2ee580bc..6b36015b 100644
		27	--- a/CMakeLists.txt
		28	+++ b/CMakeLists.txt
		29	@@ -393,7 +393,13 @@ if (HAVE_LIBRT)
		30	ADD_DEFINITIONS(-DHAVE_LIBRT=1)
		31	endif (HAVE_LIBRT)
		32
		33	-check_library_exists(subunit subunit_test_start "" HAVE_SUBUNIT)
		34	+# Allow disabling subunit
		35	+IF(ENABLE_SUBUNIT_EXT)
		36	+ check_library_exists(subunit subunit_test_start "" HAVE_SUBUNIT)
		37	+ELSE(ENABLE_SUBUNIT_EXT)
		38	+ set(HAVE_SUBUNIT, false)
		39	+ENDIF(ENABLE_SUBUNIT_EXT)
		40	+
		41	if (HAVE_SUBUNIT)
		42	set(SUBUNIT "subunit")
		43	set(ENABLE_SUBUNIT 1)


diff --git a/meta/recipes-support/libcheck/libcheck_0.15.2.bb b/meta/recipes-support/libcheck/libcheck_0.15.2.bb index 8455f2c748..2e56a1ab00 100644 --- a/meta/recipes-support/libcheck/libcheck_0.15.2.bb +++ b/meta/recipes-support/libcheck/libcheck_0.15.2.bb
@@ -12,7 +12,7 @@ LIC_FILES_CHKSUM = "file://COPYING.LESSER;md5=2d5025d4aa3495befef8f17206a5b0a1"
12		12
13	SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/check-${PV}.tar.gz \	13	SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/check-${PV}.tar.gz \
14	file://automake-output.patch \	14	file://automake-output.patch \
15	file://not-echo-compiler-info-to-check_stdint.h.patch"	15	file://subunit.patch"
16	SRC_URI[sha256sum] = "a8de4e0bacfb4d76dd1c618ded263523b53b85d92a146d8835eb1a52932fa20a"	16	SRC_URI[sha256sum] = "a8de4e0bacfb4d76dd1c618ded263523b53b85d92a146d8835eb1a52932fa20a"
17	GITHUB_BASE_URI = "https://github.com/libcheck/check/releases/"	17	GITHUB_BASE_URI = "https://github.com/libcheck/check/releases/"
18		18
@@ -23,6 +23,7 @@ inherit cmake pkgconfig texinfo github-releases
23	RREPLACES:${PN} = "check (<= 0.9.5)"	23	RREPLACES:${PN} = "check (<= 0.9.5)"
24		24
25	EXTRA_OECMAKE:append:class-target = " -DAWK_PATH=${bindir}/awk"	25	EXTRA_OECMAKE:append:class-target = " -DAWK_PATH=${bindir}/awk"
		26	EXTRA_OECMAKE = "-DENABLE_SUBUNIT_EXT=OFF"
26		27
27	do_install:append:class-native() {	28	do_install:append:class-native() {
28	create_cmdline_shebang_wrapper ${D}${bindir}/checkmk	29	create_cmdline_shebang_wrapper ${D}${bindir}/checkmk
@@ -35,4 +36,3 @@ PACKAGES =+ "checkmk"
35	FILES:checkmk = "${bindir}/checkmk"	36	FILES:checkmk = "${bindir}/checkmk"
36		37
37	RDEPENDS:checkmk = "gawk"	38	RDEPENDS:checkmk = "gawk"
38