Commit message | Author | Age | Files | Lines
* conf.py: rename :cve: role to :cve_nist: | Antonin Godard | 2024-11-11 | 30 | -466/+466

    Newer versions of Sphinx already define a :cve: role that points to cve.org, instead of the role we defined in conf.py that points to nvd.nist.gov.

    Rename our role to :cve_nist: to avoid warnings (treated as errors). This is also backwards compatible, meaning we can build the doc with an older Sphinx if needed.

    The files were automatically replaced with the following command:

        find . -name '*.rst' -exec sed -i 's/:cve:/:cve_nist:/g' {} \+

    Cherry pick:

    * Changes on following files removed from cherry pick (not part of kirkstone):
        documentation/migration-guides/release-notes-4.1.1.rst
        documentation/migration-guides/release-notes-4.1.2.rst
        documentation/migration-guides/release-notes-4.1.3.rst
        documentation/migration-guides/release-notes-4.1.4.rst
        documentation/migration-guides/release-notes-4.1.rst
        documentation/migration-guides/release-notes-4.2.1.rst
        documentation/migration-guides/release-notes-4.2.2.rst
        documentation/migration-guides/release-notes-4.2.3.rst
        documentation/migration-guides/release-notes-4.2.4.rst
        documentation/migration-guides/release-notes-4.2.rst
        documentation/migration-guides/release-notes-4.3.1.rst
        documentation/migration-guides/release-notes-4.3.2.rst
        documentation/migration-guides/release-notes-4.3.3.rst
        documentation/migration-guides/release-notes-4.3.4.rst
        documentation/migration-guides/release-notes-4.3.rst
        documentation/migration-guides/release-notes-5.0.2.rst
        documentation/migration-guides/release-notes-5.0.3.rst
        documentation/migration-guides/release-notes-5.0.rst
        documentation/migration-guides/release-notes-5.1.rst
    * Fix minor conflicts in following files:
        documentation/migration-guides/release-notes-3.4.2.rst: missing :term: before CVE_PRODUCT
        documentation/migration-guides/release-notes-4.0.2.rst: missing :term: before PACKAGECONFIG
        documentation/migration-guides/release-notes-4.0.7.rst: missing cve 2022-32912 on webkitgtk

    Suggested-By: Quentin Schulz <quentin.schulz@cherry.de>
    Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
    (From yocto-docs rev: f432e78fef82c5e5bfdfff08bb18757dc3479465)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit 15fa3b7e85dde50d7236c1738ad607531cc654b8)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: devtool-reference: document missing commands | Antonin Godard | 2024-11-11 | 1 | -1/+31

    Give a brief description for important commands that made it into devtool or that were missing from this quick reference document.

    Cherry pick: Remove devtool ide-sdk from commit, this command was not backported to kirkstone.

    (From yocto-docs rev: 8a5111c406be9c4bf1cc78a34dd2174a227ca79c)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit 6238adae1b072c9e09c558038d397dfac6ec109f)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xmlto: backport a patch to fix build with gcc-14 on host | Martin Jansa | 2024-11-11 | 4 | -0/+1344

    * need to add dependency on flex-native because now when the .l file is modified by the .patch file it will try to regenerate the c code and fail:

      | make[1]: Entering directory 'work/x86_64-linux/xmlto-native/0.0.28-r0/build'
      | /bin/bash ../xmlto-0.0.28/ylwrap ../xmlto-0.0.28/xmlif/xmlif.l .c xmlif/xmlif.c -- /bin/bash 'work/x86_64-linux/xmlto-native/0.0.28-r0/xmlto-0.0.28/missing' flex
      | work/x86_64-linux/xmlto-native/0.0.28-r0/xmlto-0.0.28/missing: line 81: flex: command not found
      | WARNING: 'flex' is missing on your system.
      | You should only need it if you modified a '.l' file.
      | You may want to install the Fast Lexical Analyzer package:
      | <https://github.com/westes/flex>

    * backport https://pagure.io/xmlto/c/32376c053733c6c0ebaca3c25c0725509342fdf3?branch=master as well, so that patched xmlif/xmlif.c is newer than xmlif/xmlif.l and the build won't try to regenerate it with flex as that leads to random build failures reported in:
      https://lists.openembedded.org/g/openembedded-core/message/206412
      https://errors.yoctoproject.org/Errors/Details/810853/
      https://lists.openembedded.org/g/openembedded-core/message/206496
      https://valkyrie.yoctoproject.org/#/builders/29/builds/355

    (From OE-Core rev: 2e8819c0b9ada2b600aecc40c974a18eb7c0a666)
    Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* package: Switch debug source handling to use prefix map | Richard Purdie | 2024-11-11 | 1 | -40/+28

    Reproducible builds are no longer a configuration option but are required. We also rely on the prefix mapping capability of the compilers now. As such, rewrite the source locating code to use the prefix maps instead of taking a guess about WORKDIR which isn't correct for kernels, gcc, externalsrc and probably more. Instead, iterate the maps to locate any matching source code, keeping in mind that multiple maps may map to one target location.

    (From OE-Core rev: 80289f49d0c5ca98da1d1558728b8a468aab4326)
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit cbd6144a9769d21371ae0fe04db2adc05f6eed02)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: restore a patch for Neoverse N2 core | Ruiqiang Hao | 2024-11-11 | 2 | -0/+41

    Commit 7806e21e7d47 ("gcc: upgrade to v11.5") removed one patch named 0001-aarch64-Update-Neoverse-N2-core-defini.patch by mistake, this will cause the Neoverse N2 core to be identified as the armv8.5 architecture, restore this patch to avoid related compilation issues.

    (From OE-Core rev: 4c75edda8ec28fb8dee19ca90a1ea7f33ba80999)
    Signed-off-by: Ruiqiang Hao <Ruiqiang.Hao@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve_check: Use a local copy of the database during builds | Richard Purdie | 2024-11-11 | 2 | -8/+17

    Rather than trying to use a sqlite database over NFS from DL_DIR, work from a local copy in STAGING DIR after fetching.

    (From OE-Core rev: 9b6363994e5715f1d08b98956befd8915c128e85)
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 03596904392d257572a905a182b92c780d636744)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* zstd: patch CVE-2022-4899 | Peter Marko | 2024-11-11 | 3 | -1/+153

    Pick commits from [1] linked from [2] via [3].

    [1] https://github.com/facebook/zstd/pull/3220
    [2] https://nvd.nist.gov/vuln/detail/CVE-2022-4899
    [3] https://github.com/facebook/zstd/issues/3200

    (From OE-Core rev: eb9c9818088105f9bf20b7fdc04a380ce488a5e6)
    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* local.conf.sample: update BB_HASHSERVE_UPSTREAM for new infrastructure | Steve Sakoman | 2024-11-06 | 1 | -1/+1

    Public hashserver is now at hashserv.yoctoproject.org:8686

    (From meta-yocto rev: d56ba3e1ec46668999e64e967765f186e287d792)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* release-notes-4.0,brief-yoctoprojectqs: update BB_HASHSERVE_UPSTREAM for new infrastructure | Steve Sakoman | 2024-11-06 | 2 | -2/+2

    Public hashserver is now at hashserv.yoctoproject.org:8686

    (From yocto-docs rev: fe98cb44fd52e2e455255be33aacf60f12dd5bad)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: devtool-reference: refresh example outputs | Antonin Godard | 2024-11-06 | 1 | -11/+7

    Previous outputs were missing some commands and options, some others were obsolete.

    (From yocto-docs rev: e3245843543361f8eeda0fcc583fb3f7a36eaeb5)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit 1c83037707b4c981a70c968ba04ded502f9bffbf)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: release-process: add a reference to the doc's release | Antonin Godard | 2024-11-06 | 1 | -0/+2

    When reading the stable releases section, we want to know for which release the documentation was built. Use &DISTRO_NAME; to refer to the current release.

    Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
    (From yocto-docs rev: 0f21321d8b30478ed07f0387f4b88cd0a5c03fd1)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit 05ee6844d710beb844bbdac892888879847f6d22)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: release-process: update releases.svg with month after "Current" | Antonin Godard | 2024-11-06 | 1 | -9/+9

    This way we put a timestamp on the image, so that someone looking at the image on an old release tarball has a representation of the release "as of <date>". Here set "Oct. 24" as it was the last time the file was updated.

    Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
    (From yocto-docs rev: 108b53abd96fa7fd82107de07a46ae77a6f9269f)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit 7b62bbec900bc84a31e4686839e774ba7bd5ae9f)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* util-linux: Define pidfd_* function signatures | Khem Raj | 2024-11-02 | 2 | -0/+51

    glibc 2.36 has added sys/pidfd.h and APIs for pidfd_send_signal and pidfd_open, therefore check for this header and include it if it exists

    (From OE-Core rev: 2c913a7b66ea756ebc65a573e1b5bb5dba6834d2)
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* at-spi2-core: backport a patch to fix build with gcc-14 on host | Martin Jansa | 2024-11-02 | 2 | -0/+28

    * fixes:

      | ../at-spi2-core-2.42.0/atspi/atspi-device-listener.c: In function ?atspi_device_listener_new_simple?:
      | ../at-spi2-core-2.42.0/atspi/atspi-device-listener.c:252:37: error: passing argument 1 of ?atspi_device_listener_new? from incompatible pointer type [-Wincompatible-pointer-types]
      |   252 | return atspi_device_listener_new (device_remove_datum, callback, callback_destroyed);
      |       | ^~~~~~~~~~~~~~~~~~~
      |       | |
      |       | gboolean (*)(const AtspiDeviceEvent *, void *) {aka int (*)(const struct _AtspiDeviceEvent *, void *)}
      | ../at-spi2-core-2.42.0/atspi/atspi-device-listener.c:222:50: note: expected ?AtspiDeviceListenerCB? {aka ?int (*)(struct _AtspiDeviceEvent *, void *)?} but argument is of type ?gboolean (*)(const AtspiDeviceEvent *, void *)? {aka ?int (*)(const struct _AtspiDeviceEvent *, void *)?}
      |   222 | atspi_device_listener_new (AtspiDeviceListenerCB callback,
      |       | ~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~

    (From OE-Core rev: e361d9e1021d7715d2b4e3af95832c910de67cad)
    Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libffi: backport a fix to build libffi-native with gcc-14 | Martin Jansa | 2024-11-02 | 2 | -0/+48

    (From OE-Core rev: 1054417a217417ab192dc4aee8307133451fb0e4)
    Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cracklib: Modify patch to compile with GCC 14 | Zoltan Boszormenyi | 2024-11-02 | 1 | -1/+1

    GCC 14 implicitly turns a warning into a compiler error:

      | ../../git/src/lib/packlib.c: In function ‘PWClose’:
      | ../../git/src/lib/packlib.c:554:40: error: passing argument 1 of ‘HwmsHostToBigEndian’ from incompatible pointer type [-Wincompatible-pointer-types]
      |   554 | HwmsHostToBigEndian(tmp_pwp.hwms, sizeof(tmp_pwp.hwms), en_is32);
      |       | ~~~~~~~^~~~~
      |       | |
      |       | uint32_t * {aka unsigned int *}
      | ../../git/src/lib/packlib.c:142:27: note: expected ‘char *’ but argument is of type ‘uint32_t *’ {aka ‘unsigned int *’}
      |   142 | HwmsHostToBigEndian(char *pHwms, int nLen,int nBitType)
      |       | ~~~~~~^~~~~

    Add the cast to (char *) to silence it.

    (From OE-Core rev: 7cca344feaa16cfabbaa2f34e4aab91cc1af39ee)
    Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vala: add -Wno-error=incompatible-pointer-types work around | Martin Jansa | 2024-11-02 | 1 | -0/+4

    * to allow building vala-native on hosts with gcc-14
    * we could backport:
      https://gitlab.gnome.org/GNOME/vala/-/commit/23ec71b1a5c4cead3d1bdac82e184d0a63fa7b79
      which is already included in scarthgap, but that's big patch doing almost the same

    (From OE-Core rev: 0f850f213071d4bc3a7065334debabd32c7bd9a1)
    Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* zip: Fix build with gcc-14 | Khem Raj | 2024-11-02 | 3 | -36/+46

    zip's configure fails to link this piece of test code:

        int main() { return closedir(opendir(".")); }

    with GCC-14 because it now treats implicit declaration of function as error, unlike older GCC version where it was just a warning and this test would build fine.

    Remove 0002-unix.c-Do-not-redefine-DIR-as-FILE.patch which is now unnecessary (MJ: this part wasn't applicable for kirkstone).

    (From OE-Core rev: fd31dd1abc8199a1865801259e6f96b78a17d994)
    Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 3422411eb750c7e960b81676637cfb321dbadefb)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* zip: Make configure checks to be more robust | Khem Raj | 2024-11-02 | 3 | -0/+171

    Newer compilers are strict and have turned some warnings into hard errors which results in subtle configure check failures. Therefore fix these tests and also enable largefile support via cflags when it's desired

    (From OE-Core rev: 03b7a44e2ff4364cb85758f91d78efa0cf85682d)
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* nativesdk-intercept: Fix bad intercept chgrp/chown logic | Eilís 'pidge' Ní Fhlannagáin | 2024-11-02 | 2 | -2/+8

    Running either of these ends up corrupting the os.execv args. If we run:

        ./scripts/nativesdk-intercept/chown -R foo:foo bar

    The loop here ends up missing the conversion of foo:foo to root:root because it sees sys.argv[0] and assumes that it's the user:group argument and that we should convert that.

    We end up a os.execv(path, args) that have the following args:

        ['root:root', '-R', 'foo:foo', 'bar']

    As os.execv ignores args[0], we can just populate it with sys.argv[0] and then loop through sys.argv[1:]. As both chgrp and chown would have either flags and USER[:GROUP] next, this fixes the issue.

    (Backported from OE-Core rev: 2a75f647ec7696d353f4b09099d777ba53f34d36)
    (From OE-Core rev: ed009b5d58914582c0770222115fc5c5a16bf16d)
    Signed-off-by: Eilís 'pidge' Ní Fhlannagáin <pidge@baylibre.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bmap-tools: update HOMEPAGE and SRC_URI | Steve Sakoman | 2024-11-02 | 1 | -2/+2

    The bmaptool (previously: bmap-tools, bmap-tool, bmaptool) has been moved to be under the Yocto Project umbrella and is now hosted at: github.com/yoctoproject/bmaptool

    (From OE-Core rev: 7678ae7fc255621d91271599b5f4491520387279)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* overlayfs-etc: add option to skip creation of mount dirs | baruch@tkos.co.il | 2024-11-02 | 2 | -8/+13

    The 'preinit' script can't create mount directories when rootfs is read-only. Add an option to skip this step. The user must make sure that all required directories are already in the rootfs directory layout.

    Cc: Vyacheslav Yurkov <uvv.mail@gmail.com>
    (From OE-Core rev: 302dd4a63f97e23631a62a0b902cc253f6843ab0)
    Signed-off-by: Baruch Siach <baruch@tkos.co.il>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    (cherry picked from commit 3d433d8559467d255bd19af2d0999c65ea24a48d)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* orc: upgrade 0.4.39 -> 0.4.40 | Wang Mingyu | 2024-11-02 | 1 | -1/+1

    Changelog:
    ===========
    - Security: Minor follow-up fixes for CVE-2024-40897
    - powerpc: fix div255w which still used the inexact substitution
    - x86: work around old GCC versions (pre 9.0) having broken xgetbv implementations
    - x86: consider MSYS2/Cygwin as Windows for ABI purposes only
    - x86: handle unnatural and misaligned array pointers
    - orccodemem: Assorted memory mapping fixes
    - Fix include header use from C++
    - Some compatibility fixes for Musl
    - ppc: Disable VSX and ISA 2.07 for Apple targets
    - ppc: Allow detection of ppc64 in Mac OS
    - x86: Fix non-C11 typedefs
    - meson: Fix detecting XSAVE on older AppleClang
    - x86: try fixing AVX detection again by adding check for XSAVE
    - Check return values of malloc() and realloc()

    (From OE-Core rev: ec300eadd0ab51583502b833798a6b46956f0f47)
    Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit ed7e4eb12491968c5f962b7e89d557c2c6d86a33)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.1.0698 -> 9.1.0764 | Rohini Sangam | 2024-11-02 | 1 | -2/+2

    This includes CVE-fix for CVE-2024-45306 and CVE-2024-47814

    Changes between 9.1.0698 -> 9.1.0764
    ====================================
    https://github.com/vim/vim/compare/v9.1.0698...v9.1.0764

    (From OE-Core rev: 774fae9cb522683f722f3075531075be9fa36770)
    Signed-off-by: Rohini Sangam <rsangam@mvista.com>
    Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 2f0e5e63399e544063c79b0b1f9555c820b0604c)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.1.0682 -> 9.1.0698 | Siddharth Doshi | 2024-11-02 | 1 | -2/+2

    This includes CVE-fix for CVE-2024-43790 and CVE-2024-43802

    Changes between 9.1.0682 -> 9.1.0698
    ====================================
    https://github.com/vim/vim/compare/v9.1.0682...v9.1.0698

    (From OE-Core rev: 45ef5c80b1085d88d08679025bab13161c1f1fb2)
    Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit e530265415d93e3f49ec7874cf720aad18ab2e22)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-check: add support for cvss v4.0 | Peter Marko | 2024-11-02 | 2 | -8/+17

    https://nvd.nist.gov/general/news/cvss-v4-0-official-support
    CVSS v4.0 was released in November 2023
    NVD announced support for it in June 2024
    Current stats are:
    * cvss v4 provided, but also v3, so cve-check showed a value
      sqlite> select count(*) from nvd where scorev4 != 0.0 and scorev3 != 0.0;
      2069
    * only cvss v4 provided, so cve-check did not show any
      sqlite> select count(*) from nvd where scorev4 != 0.0 and scorev3 = 0.0;
      260

    (From OE-Core rev: 358dbfcd80ae1fa414d294c865dd293670c287f0)
    (From OE-Core rev: 8c20a7badb6e5d6c6c90176e45e90f776df25298)
    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-check: add CVSS vector string to CVE database and reports | Antoine Lubineau | 2024-11-02 | 2 | -4/+12

    This allows building detailed vulnerability analysis tools without relying on external resources.

    (From OE-Core rev: 048ff0ad927f4d37cc5547ebeba9e0c221687ea6)
    (From OE-Core rev: 3e47644d24d97c2541ccb70d91c144cf6530d5b0)
    Signed-off-by: Antoine Lubineau <antoine.lubineau@easymile.com>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: ignore fixed CVEs | Peter Marko | 2024-11-02 | 1 | -0/+2

    These CVEs were fixed in 3.10.15

    Commit 487e8cdf1df6feba6d88fa29e11791f4ebaaa362 removed patches in favor of version upgrade, which caused the CVEs to re-appear in reports.

    (From OE-Core rev: 2cf10084c56c83da3deff4e65e619afab80e08e1)
    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix CVE-2023-3019 | Yogita Urade | 2024-11-02 | 3 | -8/+723

    A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.

    CVE-2023-3019-0002 is the CVE fix and CVE-2023-3019-0001 is dependent CVE fix.

    fix indent issue in qemu.inc file.

    CVE-2023-3019 patch required MemReentrancyGuard structure definition, it's defined in commit:
    https://github.com/qemu/qemu/commit/a2e1753b8054344f32cf94f31c6399a58794a380
    but the patch is causing errors:
    Failed: qemux86 does not shutdown within timeout(120)
    so backported only required structure definition.

    Reference:
    https://nvd.nist.gov/vuln/detail/CVE-2023-3019

    Upstream patches:
    https://github.com/qemu/qemu/commit/7d0fefdf81f5973334c344f6b8e1896c309dff66
    https://github.com/qemu/qemu/commit/3c0463a650008aec7de29cf84540652730510921

    (From OE-Core rev: 3782e1b21882ffc5e4cc466418e066179470241e)
    Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: patch CVE-2024-9143 | Peter Marko | 2024-11-02 | 2 | -0/+203

    Pick patch from branch openssl-3.0.

    (From OE-Core rev: 75e1dedf85ac093fc43eb88a59bfe980bb363bf9)
    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: Backport CVE-2024-29508 | Ashish Sharma | 2024-11-02 | 3 | -0/+339

    Import patch from ubuntu to fix CVE-2024-29508

    Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/ghostscript/commit/?h=ubuntu/focal-security&id=22b23aa6de7613a4d9c1da9c84d72427c9d0cf1a]
    Upstream commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ff1013a0ab485b66783b70145e342a82c670906a

    (From OE-Core rev: c5a85dfe661543137e40976e832ac22e4815406a)
    Signed-off-by: Ashish Sharma <asharma@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* migration-guide: add release notes for 4.0.22 | Lee Chee Yang | 2024-11-02 | 2 | -0/+197

    (From yocto-docs rev: f08f4c664ffd49d23c7318d88604d1c940f0298a)
    Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
    Reviewed-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit 9563855ccd92e21fb6f8320c96a3a83e115c947e)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: release-process: refresh the current LTS releases | Antonin Godard | 2024-11-02 | 1 | -6/+9

    Mention that Scarthgap is the latest LTS in a bullet list next to Kirkstone. Reword the paragraph a bit to make it clearer after this change.

    Reviewed-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
    (From yocto-docs rev: 23c4ca4fdfffb7793cf4ffaea365e042e1a25325)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit afeded9939777d88bf4cb9ebf7a61aadd476642d)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: release-process: update releases.svg | Antonin Godard | 2024-11-02 | 1 | -561/+346

    * Add Walnascar release.
    * Remove dunfell, gatesgarth, hardknott, honister: these releases are not supported anymore. Start from kirkstone, which is still supported.

    (From yocto-docs rev: 1955aa1052d16a05cc7d493d5e7c0fe113141812)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit aa9a580c8c57af4baa4fb24a43487fb7afc258e5)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* overview-manual: concepts: add details on package splitting | Antonin Godard | 2024-11-02 | 1 | -5/+56

    The package splitting section of the overview manual currently lacks any explanation of how package splitting is implemented and redirects to the package class, which is not really understandable for newcomers to the project.

    This patch adds a short explanation of what is done:

    * How the PACKAGES variable is defined.
    * How the FILES variable is defined.
    * How the two work together.
    * How to add a custom package.

    This should give enough details to a new user on what package splitting achieves and how to add a custom package.

    Addresses [YOCTO #13225]

    Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
    (From yocto-docs rev: ef4150029d377ce1c35645971502ae56345915a6)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit 143c3cacdec36c9d7ab81c89bbcc12c0c3936bd9)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: tests/fetch: Use our own mirror of mobile-broadband-provider to decouple from gnome gitlab | Richard Purdie | 2024-11-02 | 1 | -1/+1

    GNOME gitlab has occasional downtime which impacts bitbake-selftest and causes autobuilder failures. Switch to our own mirror for test purposes to avoid those issues.

    (Bitbake rev: 0c30e9aadd30fc6f0dcf811eb8340687b52eb00b)
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 91e268b11ed683bd197026f9b36001f6d54ee05c)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: tests/fetch: Use our own mirror of sysprof to decouple from gnome gitlab | Richard Purdie | 2024-11-02 | 1 | -1/+1

    GNOME gitlab has occasional downtime which impacts bitbake-selftest and causes autobuilder failures. Switch to our own mirror for test purposes to avoid those issues.

    (Bitbake rev: e4ec4267e4c0818a1682f8a1a4bf3d1419e509a1)
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 008808755ed6cfeb6c41273e69ce718f0833c26c)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: gitsm: Remove downloads/tmpdir when failed | Robert Yang | 2024-11-02 | 1 | -3/+5

    The tmpdir such as downloads/tmplp3cnemv won't be removed without this fix.

    (Bitbake rev: 15582daed9a18330bcf1ad316a57d46571bbf7c6)
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 2ba8d3214759142afc11f0a88d80eb30a8bcde3a)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: gitsm: Add call_process_submodules() to remove duplicated code | Robert Yang | 2024-11-02 | 1 | -28/+14

    There are 14 lines can be removed, and can make it easy to maintain.

    (Bitbake rev: ff2dfda55258d8034ea748d87222e51124a03f02)
    Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 0ea2c1ac079d63349407a69172ff80cd9acc7252)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: bitbake: doc/user-manual: Update the BB_HASHSERVE_UPSTREAM | Jose Quaresma | 2024-11-02 | 1 | -1/+1

    (Bitbake rev: c092f7e6c5e07a829173b25e591ab0326e9dcb67)
    Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: fetch2/git: Use quote from shlex, not pipes | Richard Purdie | 2024-11-02 | 1 | -2/+1

    The pipes module is removed in python 3.13. It was already using the quote function from shlex so use that directly instead. The module already imports shlex too so it is an easy substitution.

    (Bitbake rev: 53264dc14554890b3a2afc83cb1749cf10d86854)
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: structure.rst: document missing tmp/ dirs | Antonin Godard | 2024-10-24 | 1 | -2/+33

    Document `hosttools/`, `pkgdata/` and add some more information on `work-shared/`.

    Addresses [YOCTO #14543].

    Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
    Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
    (From yocto-docs rev: 259fce03ffab9fb588676c1e150d999d54cf6d85)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit 372b5b4ca55819c294970b20aa8b8d8167144329)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: add missing OPKGBUILDCMD variable | Antonin Godard | 2024-10-24 | 1 | -0/+7

    (From yocto-docs rev: 709d952ba834778015b3047f8bafca94b1c814f8)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit a6a2c8e48995200c9c3be7096f34d912427de145)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: add missing EXTERNAL_KERNEL_DEVICETREE variable | Antonin Godard | 2024-10-24 | 1 | -0/+12

    This variable can be used to specify one or more compiled device tree or device tree overlays to use in addition to the one compiled by the kernel.

    (From yocto-docs rev: 708514ea676246ddf251ad47c95442e8ec5c0e1f)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit 6566ffceab3780dc5ecbfe26f786ebe6ff17e693)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: add missing CVE_CHECK manifest variables | Antonin Godard | 2024-10-24 | 1 | -4/+11

    Variables that can be used for toggling creation of manifest and specifying the path to the output in the deploy directory.

    (From yocto-docs rev: fb462c47bb15522cc02642fe51f39c8e15044957)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    (cherry picked from commit 14131a42a7ea8bbae2165c1b8dbcabd5f28b2b22)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: introduce CVE_CHECK_REPORT_PATCHED variable | Aleksandar Nikolic | 2024-10-24 | 1 | -0/+6

    (From yocto-docs rev: a7929332ade42e8511c2f47d200b3b01cb8a8987)
    Signed-off-by: Aleksandar Nikolic <an010@live.com>
    Reviewed-by: Michael Opdenacker <michael@opdenacker.org>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
    (cherry picked from commit f585a68a8f35f31814e408dd973ea7345adbbacf)
    Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* kmscube: create_framebuffer: backport modifier fix | Randolph Sapp | 2024-10-24 | 2 | -0/+32

    Backport the upstream buffer modifier fix for create_framebuffer to handle the case where no valid modifiers are available.

    (From OE-Core rev: 983e3efb51ab22f1fa5f90cbbfba2d701aa425fc)
    Signed-off-by: Randolph Sapp <rs@ti.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* syslinux: Disable error on implicit-function-declaration | Khem Raj | 2024-10-24 | 1 | -1/+1

    syslinux has vendored copy of ext2fs/ext2_fs.h but uses ext2fs/ext2fs.h from e2fsprogs package, however, ext2fs/ext2fs.h has dependencies on ext2fs/ext2_fs.h coming from e2fsprogs package as these both headers come from same package, here syslinux uses ext2fs.h from e2fsprogs but supplies its own copy of ext2_fs.h which maybe out of sync and that results in warnings about implicit implicit-function-declarations e.g.

      recipe-sysroot/usr/include/ext2fs/ext2fs.h:727:16: error: implicit declaration of function 'ext2fs_has_feature_gdt_csum' [-Wimplicit-function-declaration]
      |   727 | ext2fs_has_feature_gdt_csum(fs->super);
      |       | ^~~~~~~~~~~~~~~~~~~~~~~~~~~

    ext2fs_has_feature_gdt_csum here comes from newer version of ext2fs/ext2_fs.h but missing from vendored copy, hence the warning. With gcc-14 this warning is treated as error by default, which breaks the build, so let's treat it as warning only. All these functions are never used in syslinux, so functionality-wise we are fine.

    (From OE-Core rev: 14fdee535c37aaa44898dc22149004c97b2456ca)
    Signed-off-by: Khem Raj <raj.khem@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit a2b30108055e68b62fdad7319d7d569bc38a07b4)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* linux-firmware: upgrade 20240220 -> 20240909 | Macpaul Lin | 2024-10-24 | 1 | -4/+4

    License-Update: additional files

    (From OE-Core rev: 2f82404cde671d2898d82483cc1fff693d7720e3)
    Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libarchive: Fix CVE-2024-48957 & CVE-2024-48958 | Ashish Sharma | 2024-10-24 | 3 | -0/+72

    Backport fix:
    * CVE-2024-48957 - Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b
    * CVE-2024-48958 - Upstream-Status: Backport from https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7

    (From OE-Core rev: 584ce77f3aae332c66e2140497506301200ec9ca)
    Signed-off-by: Ashish Sharma <asharma@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>