summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* glib-2.0: patch regression of CVE-2023-32665Peter Marko2024-11-152-0/+69
| | | | | | | | | | | | | | | | Official CVE-2023-32665 patch introduced a regression for big-endian architectures. This code was backported in CVE-2023-32665-0003.patch Reported in [1] and fixed by [2] where this patch is picked from. [1] https://gitlab.gnome.org/GNOME/glib/-/issues/2839 [2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3136 (From OE-Core rev: 2400e143477cc93d4698df921bd89ef4b8b4692b) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* expat: patch CVE-2024-50602Peter Marko2024-11-153-0/+96
| | | | | | | | | | | | | Pick commits from https://github.com/libexpat/libexpat/pull/915 Not picking test is suboptimal, but test structure was changed meanwhile so we'd have to invent new code. Skipping tests was already done in previous expat/kirkstone CVE patches. (From OE-Core rev: 2cf8325876aa4d43151f5a327a21834db37bf0cb) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gstreamer1.0: ignore CVE-2024-0444Peter Marko2024-11-151-0/+3
| | | | | | | | | | This CVE is patched in gstreamer1.0-plugins-bad. cpe product is set to gstreamer, they share source git repository. (From OE-Core rev: e64d90d4c52f2e236dbe3b24b7deffce10452671) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* curl: patch CVE-2024-9681Peter Marko2024-11-152-0/+86
| | | | | | | | | | | | Picked commit [1] per solution described in [2]. [1] https://github.com/curl/curl/commit/a94973805df96269bf [2] https://curl.se/docs/CVE-2024-9681.html (From OE-Core rev: fbb8928ea85980bb866febd66e5e18ad843dbef8) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: fix CVE-2023-46361Archana Polampalli2024-11-152-0/+33
| | | | | | | | | | Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulnerability via jbig2_error at /jbig2dec/jbig2.c. (From OE-Core rev: 3e9018fb14466495be7472a8620918347c732e86) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: codeparser: Fix handling of string AST nodes with older Python versionsPhilip Lorenz2024-11-151-13/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Commits 4591011449212c8e494ea42348acb2d27a82a51b and 6c19b6cf105ac321ec89da1a876a317020c45ab7 unconditionally changed codeparser to rely on CPython 3.8 semantics. However, kirkstone continues to support CPython versions >= 3.6.0 and as such string AST nodes were no longer correctly identified. Fix this by continuing to use `ast.Str` for Python versions < 3.8.0 and only using the new code path for more recent versions. Detecting which version of the AST API to use seems to be non-trivial so the Python feature version is used instead. Instances of this issue can be identified when executing bitbake with debug logging: while parsing MACHINE_ARCH, in call of d.getVar, argument ''TUNE_PKGARCH'' is not a string literal As a consequence of these parsing issues, bitbake may assume that task inputs haven't changed and as such erroneously reuse sstate objects when it shouldn't. (Bitbake rev: fb73c495c45d1d4107cfd60b67a5b4f11a99647b) Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: variables: add SIGGEN_LOCKEDSIGS* variablesJulien Stephan2024-11-111-0/+44
| | | | | | | | | | | | | | | | Variables SIGGEN_LOCKEDSIGS, SIGGEN_LOCKEDSIGS_TASKSIG_CHECK and SIGGEN_LOCKEDSIGS_TYPES are used to lock specific tasks to specific signatures. They are used by bitbake -S <lockedsigs> and bblock, so add documentation for them. (From yocto-docs rev: 1f61cd4a3e9c5bf75910559ddf2372f921c2a4ef) Signed-off-by: Julien Stephan <jstephan@baylibre.com> Reviewed-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 32e3995bed2836f549866ec3b8ad254bdda37dbf) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* styles: vocabularies: Yocto: add sstateJulien Stephan2024-11-111-0/+1
| | | | | | | | | | | | | | Add sstate as an accepted word to avoid errors when runnign make stylecheck. (From yocto-docs rev: 7bd247bb3d8ff78757de1dedf1f87d86b3e3e08b) Signed-off-by: Julien Stephan <jstephan@baylibre.com> Reviewed-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 1c50726296e876747ea3f862729e953f025ce619) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* documentation: Makefile: add SPHINXLINTDOCS to specify subset to sphinx-lintJulien Stephan2024-11-112-12/+21
| | | | | | | | | | | | | | | | | | | | | make sphinx-lint runs sphinx-lint on the whole documentation which can be long and reports a lot or errors/warnings. Let's add a new SHPINXLINTDOCS variable to allow specifying a subset, just as VALEDOCS does. Keep variable assignment aligned and also use $(SOURCEDIR) by default for SPHINXLINTDOCS and VALEDOCS variables. Also update the README file and fix a typo in Link checking section title. (From yocto-docs rev: ae46746897361d4177f3c4284f46753e3aa8c3c3) Signed-off-by: Julien Stephan <jstephan@baylibre.com> Reviewed-by: Antonin Godard <antonin.godard@bootlin.com> Tested-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 3dfe7b5c746af31de74f67cf88214e5d52bdb65d) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* README: add instruction to run Vale on a subsetJulien Stephan2024-11-111-0/+8
| | | | | | | | | | | | | | | | make stylecheck runs Vale on the whole documentation which can be long and reports a lot of errors/warnings. We can run Vale on a subset using the VALEDOCS variable, so update documentation to highlight it. (From yocto-docs rev: 038cc992af79718787a70dd620eb195c84a847dd) Signed-off-by: Julien Stephan <jstephan@baylibre.com> Reviewed-by: Antonin Godard <antonin.godard@bootlin.com> Tested-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 262237f72534c983e178231cb6839ed69709c443) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: add description for the "sysroot" termMichael Opdenacker2024-11-111-0/+25
| | | | | | | | | | This term is used throughout the manual but is not properly introduced anywhere. (From yocto-docs rev: ced1bbb88a8046b1307376cd88ea85110677c9fc) Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* conf.py: rename :cve: role to :cve_nist:Antonin Godard2024-11-1130-466/+466
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Newer versions of Sphinx already define a :cve: role that points to cve.org, instead of the role we defined in conf.py that points to nvd.nist.gov. Rename our role to :cve_nist: to avoid warnings (treated as errors). This is also backwards compatible, meaning we can build the doc with an older Sphinx if needed. The file were automatically replaced with following command: find . -name '*.rst' -exec sed -i 's/:cve:/:cve_nist:/g' {} \+ Cherry pick: * Changes on following files removed from cherry pick (not part of kirkstone): documentation/migration-guides/release-notes-4.1.1.rst documentation/migration-guides/release-notes-4.1.2.rst documentation/migration-guides/release-notes-4.1.3.rst documentation/migration-guides/release-notes-4.1.4.rst documentation/migration-guides/release-notes-4.1.rst documentation/migration-guides/release-notes-4.2.1.rst documentation/migration-guides/release-notes-4.2.2.rst documentation/migration-guides/release-notes-4.2.3.rst documentation/migration-guides/release-notes-4.2.4.rst documentation/migration-guides/release-notes-4.2.rst documentation/migration-guides/release-notes-4.3.1.rst documentation/migration-guides/release-notes-4.3.2.rst documentation/migration-guides/release-notes-4.3.3.rst documentation/migration-guides/release-notes-4.3.4.rst documentation/migration-guides/release-notes-4.3.rst documentation/migration-guides/release-notes-5.0.2.rst documentation/migration-guides/release-notes-5.0.3.rst documentation/migration-guides/release-notes-5.0.rst documentation/migration-guides/release-notes-5.1.rst * Fix minor conflicts in following files: documentation/migration-guides/release-notes-3.4.2.rst: missing :term: before CVE_PRODUCT documentation/migration-guides/release-notes-4.0.2.rst: missing :term: before PACKAGECONFIG documentation/migration-guides/release-notes-4.0.7.rst: missing cve 2022-32912 on webkitgtk Suggested-By: Quentin Schulz <quentin.schulz@cherry.de> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> (From yocto-docs rev: f432e78fef82c5e5bfdfff08bb18757dc3479465) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 15fa3b7e85dde50d7236c1738ad607531cc654b8) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: devtool-reference: document missing commandsAntonin Godard2024-11-111-1/+31
| | | | | | | | | | | | | | | Give a brief description for important commands that made it into devtool or that were missing from this quick reference document. Cherry pick: Remove devtool ide-sdk from commit, this command was not backported to kirkstone. (From yocto-docs rev: 8a5111c406be9c4bf1cc78a34dd2174a227ca79c) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 6238adae1b072c9e09c558038d397dfac6ec109f) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xmlto: backport a patch to fix build with gcc-14 on hostMartin Jansa2024-11-114-0/+1344
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | * need to add dependency on flex-native because now when the .l file is modified by the .patch file it will try to regenerate the c code and fail: | make[1]: Entering directory 'work/x86_64-linux/xmlto-native/0.0.28-r0/build' | /bin/bash ../xmlto-0.0.28/ylwrap ../xmlto-0.0.28/xmlif/xmlif.l .c xmlif/xmlif.c -- /bin/bash 'work/x86_64-linux/xmlto-native/0.0.28-r0/xmlto-0.0.28/missing' flex | work/x86_64-linux/xmlto-native/0.0.28-r0/xmlto-0.0.28/missing: line 81: flex: command not found | WARNING: 'flex' is missing on your system. | You should only need it if you modified a '.l' file. | You may want to install the Fast Lexical Analyzer package: | <https://github.com/westes/flex> * backport https://pagure.io/xmlto/c/32376c053733c6c0ebaca3c25c0725509342fdf3?branch=master as well, so that patched xmlif/xmlif.c is newer than xmlif/xmlif.l and the build won't try to regenerate it with flex as that leads to random build failures reported in: https://lists.openembedded.org/g/openembedded-core/message/206412 https://errors.yoctoproject.org/Errors/Details/810853/ https://lists.openembedded.org/g/openembedded-core/message/206496 https://valkyrie.yoctoproject.org/#/builders/29/builds/355 (From OE-Core rev: 2e8819c0b9ada2b600aecc40c974a18eb7c0a666) Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* package: Switch debug source handling to use prefix mapRichard Purdie2024-11-111-40/+28
| | | | | | | | | | | | | | | | | | Reproducible builds are no longer a configuration option but are required. We also rely on the prefix mapping capability of the compilers now. As such, rewrite the source locating code to use the prefix maps instead of taking a guess about WORKDIR which isn't correct for kernels, gcc, externalsrc and probably more. Instead, iterate the maps to locate any matching source code, keeping in mind that multiple maps may map to one target location. (From OE-Core rev: 80289f49d0c5ca98da1d1558728b8a468aab4326) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit cbd6144a9769d21371ae0fe04db2adc05f6eed02) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: restore a patch for Neoverse N2 coreRuiqiang Hao2024-11-112-0/+41
| | | | | | | | | | | | Commit 7806e21e7d47 ("gcc: upgrade to v11.5") removed one patch named 0001-aarch64-Update-Neoverse-N2-core-defini.patch by mistake, this will cause the Neoverse N2 core to be identified as the armv8.5 architecture, restore this patch to avoid related compilation issues. (From OE-Core rev: 4c75edda8ec28fb8dee19ca90a1ea7f33ba80999) Signed-off-by: Ruiqiang Hao <Ruiqiang.Hao@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve_check: Use a local copy of the database during buildsRichard Purdie2024-11-112-8/+17
| | | | | | | | | | | Rtaher than trying to use a sqlite database over NFS from DL_DIR, work from a local copy in STAGING DIR after fetching. (From OE-Core rev: 9b6363994e5715f1d08b98956befd8915c128e85) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 03596904392d257572a905a182b92c780d636744) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* zstd: patch CVE-2022-4899Peter Marko2024-11-113-1/+153
| | | | | | | | | | | | | Pick commits from [1] linked from [2] via [3]. [1] https://github.com/facebook/zstd/pull/3220 [2] https://nvd.nist.gov/vuln/detail/CVE-2022-4899 [3] https://github.com/facebook/zstd/issues/3200 (From OE-Core rev: eb9c9818088105f9bf20b7fdc04a380ce488a5e6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* local.conf.sample: update BB_HASHSERVE_UPSTREAM for new infrastructureSteve Sakoman2024-11-061-1/+1
| | | | | | | | Public hashserver is now at hashserv.yoctoproject.org:8686 (From meta-yocto rev: d56ba3e1ec46668999e64e967765f186e287d792) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* release-notes-4.0,brief-yoctoprojectqs: update BB_HASHSERVE_UPSTREAM for new ↵Steve Sakoman2024-11-062-2/+2
| | | | | | | | | | | | infrastructure Public hashserver is now at hashserv.yoctoproject.org:8686 (From yocto-docs rev: fe98cb44fd52e2e455255be33aacf60f12dd5bad) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: devtool-reference: refresh example outputsAntonin Godard2024-11-061-11/+7
| | | | | | | | | | | | Previous outputs were missing some commands and options, some others were obsolete. (From yocto-docs rev: e3245843543361f8eeda0fcc583fb3f7a36eaeb5) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 1c83037707b4c981a70c968ba04ded502f9bffbf) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: release-process: add a reference to the doc's releaseAntonin Godard2024-11-061-0/+2
| | | | | | | | | | | | | | When reading the stable releases section, we want to know for which release the documentation was built. Use &DISTRO_NAME; to refer to the current release. Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> (From yocto-docs rev: 0f21321d8b30478ed07f0387f4b88cd0a5c03fd1) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 05ee6844d710beb844bbdac892888879847f6d22) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: release-process: update releases.svg with month after "Current"Antonin Godard2024-11-061-9/+9
| | | | | | | | | | | | | | | | This way we put a timestamp on the image, so that someone looking at the image on an old release tarball has a representation of the release "as of <date>". Here set "Oct. 24" as it was the last time the file was updated. Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> (From yocto-docs rev: 108b53abd96fa7fd82107de07a46ae77a6f9269f) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 7b62bbec900bc84a31e4686839e774ba7bd5ae9f) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* util-linux: Define pidfd_* function signaturesKhem Raj2024-11-022-0/+51
| | | | | | | | | | | | | | glibc 2.36 has added sys/pidfd.h and APIs for pidfd_send_signal and pidfd_open, therefore check for this header and include it if it exists (From OE-Core rev: 2c913a7b66ea756ebc65a573e1b5bb5dba6834d2) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* at-spi2-core: backport a patch to fix build with gcc-14 on hostMartin Jansa2024-11-022-0/+28
| | | | | | | | | | | | | | | | | | * fixes: | ../at-spi2-core-2.42.0/atspi/atspi-device-listener.c: In function ?atspi_device_listener_new_simple?: | ../at-spi2-core-2.42.0/atspi/atspi-device-listener.c:252:37: error: passing argument 1 of ?atspi_device_listener_new? from incompatible pointer type [-Wincompatible-pointer-types] | 252 | return atspi_device_listener_new (device_remove_datum, callback, callback_destroyed); | | ^~~~~~~~~~~~~~~~~~~ | | | | | gboolean (*)(const AtspiDeviceEvent *, void *) {aka int (*)(const struct _AtspiDeviceEvent *, void *)} | ../at-spi2-core-2.42.0/atspi/atspi-device-listener.c:222:50: note: expected ?AtspiDeviceListenerCB? {aka ?int (*)(struct _AtspiDeviceEvent *, void *)?} but argument is of type ?gboolean (*)(const AtspiDeviceEvent *, void *)? {aka ?int (*)(const struct _AtspiDeviceEvent *, void *)?} | 222 | atspi_device_listener_new (AtspiDeviceListenerCB callback, | | ~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~ (From OE-Core rev: e361d9e1021d7715d2b4e3af95832c910de67cad) Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libffi: backport a fix to build libffi-native with gcc-14Martin Jansa2024-11-022-0/+48
| | | | | | | (From OE-Core rev: 1054417a217417ab192dc4aee8307133451fb0e4) Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cracklib: Modify patch to compile with GCC 14Zoltan Boszormenyi2024-11-021-1/+1
| | | | | | | | | | | | | | | | | | | | | | | GCC 14 implicitly turns a warning into a compiler error: | ../../git/src/lib/packlib.c: In function ‘PWClose’: | ../../git/src/lib/packlib.c:554:40: error: passing argument 1 of ‘HwmsHostToBigEndian’ from incompatible pointer type [-Wincompatible-pointer-types] | 554 | HwmsHostToBigEndian(tmp_pwp.hwms, sizeof(tmp_pwp.hwms), en_is32); | | ~~~~~~~^~~~~ | | | | | uint32_t * {aka unsigned int *} | ../../git/src/lib/packlib.c:142:27: note: expected ‘char *’ but argument is of type ‘uint32_t *’ {aka ‘unsigned int *’} | 142 | HwmsHostToBigEndian(char *pHwms, int nLen,int nBitType) | | ~~~~~~^~~~~ Add the cast to (char *) to silence it. (From OE-Core rev: 7cca344feaa16cfabbaa2f34e4aab91cc1af39ee) Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vala: add -Wno-error=incompatible-pointer-types work aroundMartin Jansa2024-11-021-0/+4
| | | | | | | | | | | | * to allow building vala-native on hosts with gcc-14 * we could backport: https://gitlab.gnome.org/GNOME/vala/-/commit/23ec71b1a5c4cead3d1bdac82e184d0a63fa7b79 which is already included in scarthgap, but that's big patch doing almost the same (From OE-Core rev: 0f850f213071d4bc3a7065334debabd32c7bd9a1) Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* zip: Fix build with gcc-14Khem Raj2024-11-023-36/+46
| | | | | | | | | | | | | | | | | | | | | | | | zip's configure fails to link this piece of test code: int main() { return closedir(opendir(".")); } with GCC-14 because it now treats implicit declaration of function as error, unline older GCC version where it was just a warning and this test would build fine. Remove 0002-unix.c-Do-not-redefine-DIR-as-FILE.patch which is now unnecessary (MJ: this part wasn't applicable for kirkstone). (From OE-Core rev: fd31dd1abc8199a1865801259e6f96b78a17d994) Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 3422411eb750c7e960b81676637cfb321dbadefb) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* zip: Make configure checks to be more robustKhem Raj2024-11-023-0/+171
| | | | | | | | | | | | | | Newer compilers are strict and have turned some warnings into hard errors which results in subtle configure check failures. Therefore fix these tests and also enable largefile support via cflags when its desired (From OE-Core rev: 03b7a44e2ff4364cb85758f91d78efa0cf85682d) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* nativesdk-intercept: Fix bad intercept chgrp/chown logicEilís 'pidge' Ní Fhlannagáin2024-11-022-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | Running either of these ends up corrupting the os.execv args. If we run: ./scripts/nativesdk-intercept/chown -R foo:foo bar The loop here ends up missing the conversion of foo:foo to root:root because it sees sys.argv[0] and assumes that it's the user:group argument and that we should convert that. We end up a os.execv(path, args) that have the following args: ['root:root', '-R', 'foo:foo', 'bar'] As os.execv ignores args[0], we can just populate it with sys.argv[0] and then loop through sys.argv[1:]. As both chgrp and chown would have either flags and USER[:GROUP] next, this fixes the issue. (Backported from OE-Core rev: 2a75f647ec7696d353f4b09099d777ba53f34d36) (From OE-Core rev: ed009b5d58914582c0770222115fc5c5a16bf16d) Signed-off-by: Eilís 'pidge' Ní Fhlannagáin <pidge@baylibre.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bmap-tools: update HOMEPAGE and SRC_URISteve Sakoman2024-11-021-2/+2
| | | | | | | | | | | The bmaptool (previously: bmap-tools, bmap-tool, bmaptool) has been moved to be under the Yocto Project umbrella and is now hosted at: github.com/yoctoproject/bmaptool (From OE-Core rev: 7678ae7fc255621d91271599b5f4491520387279) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* overlayfs-etc: add option to skip creation of mount dirsbaruch@tkos.co.il2024-11-022-8/+13
| | | | | | | | | | | | | | The 'preinit' script can't create mount directories when rootfs is read-only. Add an option to skip this step. The user must make sure that all required directories are already in the rootfs directory layout. Cc: Vyacheslav Yurkov <uvv.mail@gmail.com> (From OE-Core rev: 302dd4a63f97e23631a62a0b902cc253f6843ab0) Signed-off-by: Baruch Siach <baruch@tkos.co.il> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 3d433d8559467d255bd19af2d0999c65ea24a48d) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* orc: upgrade 0.4.39 -> 0.4.40Wang Mingyu2024-11-021-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: =========== - Security: Minor follow-up fixes for CVE-2024-40897 - powerpc: fix div255w which still used the inexact substitution - x86: work around old GCC versions (pre 9.0) having broken xgetbv implementations - x86: consider MSYS2/Cygwin as Windows for ABI purposes only - x86: handle unnatural and misaligned array pointers - orccodemem: Assorted memory mapping fixes - Fix include header use from C++ - Some compatibility fixes for Musl - ppc: Disable VSX and ISA 2.07 for Apple targets - ppc: Allow detection of ppc64 in Mac OS - x86: Fix non-C11 typedefs - meson: Fix detecting XSAVE on older AppleClang - x86: try fixing AVX detection again by adding check for XSAVE - Check return values of malloc() and realloc() (From OE-Core rev: ec300eadd0ab51583502b833798a6b46956f0f47) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit ed7e4eb12491968c5f962b7e89d557c2c6d86a33) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.1.0698 -> 9.1.0764Rohini Sangam2024-11-021-2/+2
| | | | | | | | | | | | | | | | | This includes CVE-fix for CVE-2024-45306 and CVE-2024-47814 Changes between 9.1.0698 -> 9.1.0764 ==================================== https://github.com/vim/vim/compare/v9.1.0698...v9.1.0764 (From OE-Core rev: 774fae9cb522683f722f3075531075be9fa36770) Signed-off-by: Rohini Sangam <rsangam@mvista.com> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 2f0e5e63399e544063c79b0b1f9555c820b0604c) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.1.0682 -> 9.1.0698Siddharth Doshi2024-11-021-2/+2
| | | | | | | | | | | | | | | This includes CVE-fix for CVE-2024-43790 and CVE-2024-43802 Changes between 9.1.0682 -> 9.1.0698 ==================================== https://github.com/vim/vim/compare/v9.1.0682...v9.1.0698 (From OE-Core rev: 45ef5c80b1085d88d08679025bab13161c1f1fb2) Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e530265415d93e3f49ec7874cf720aad18ab2e22) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-check: add support for cvss v4.0Peter Marko2024-11-022-8/+17
| | | | | | | | | | | | | | | | | | | | | | | | https://nvd.nist.gov/general/news/cvss-v4-0-official-support CVSS v4.0 was released in November 2023 NVD announced support for it in June 2024 Current stats are: * cvss v4 provided, but also v3, so cve-check showed a value sqlite> select count(*) from nvd where scorev4 != 0.0 and scorev3 != 0.0; 2069 * only cvss v4 provided, so cve-check did not show any sqlite> select count(*) from nvd where scorev4 != 0.0 and scorev3 = 0.0; 260 (From OE-Core rev: 358dbfcd80ae1fa414d294c865dd293670c287f0) (From OE-Core rev: 8c20a7badb6e5d6c6c90176e45e90f776df25298) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-check: add CVSS vector string to CVE database and reportsAntoine Lubineau2024-11-022-4/+12
| | | | | | | | | | | | | | | This allows building detailed vulnerability analysis tools without relying on external resources. (From OE-Core rev: 048ff0ad927f4d37cc5547ebeba9e0c221687ea6) (From OE-Core rev: 3e47644d24d97c2541ccb70d91c144cf6530d5b0) Signed-off-by: Antoine Lubineau <antoine.lubineau@easymile.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: ignore fixed CVEsPeter Marko2024-11-021-0/+2
| | | | | | | | | | | | These CVEs were fixed in 3.10.15 Commit 487e8cdf1df6feba6d88fa29e11791f4ebaaa362 removed patches in favor of version upgrade, which caused the CVEs to re-appear in reports. (From OE-Core rev: 2cf10084c56c83da3deff4e65e619afab80e08e1) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: fix CVE-2023-3019Yogita Urade2024-11-023-8/+723
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. CVE-2023-3019-0002 is the CVE fix and CVE-2023-3019-0001 is dependent CVE fix. fix indent issue in qemu.inc file. CVE-2023-3019 patch required Mem ReenttranceyGuard structure definition, it's defined in commit: https://github.com/qemu/qemu/commit/a2e1753b8054344f32cf94f31c6399a58794a380 but the patch is causing errors: Failed: qemux86 does not shutdown within timeout(120) so backported only required structure definition. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-3019 Upstream patches: https://github.com/qemu/qemu/commit/7d0fefdf81f5973334c344f6b8e1896c309dff66 https://github.com/qemu/qemu/commit/3c0463a650008aec7de29cf84540652730510921 (From OE-Core rev: 3782e1b21882ffc5e4cc466418e066179470241e) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: patch CVE-2024-9143Peter Marko2024-11-022-0/+203
| | | | | | | | | Pick patch from branch openssl-3.0. (From OE-Core rev: 75e1dedf85ac093fc43eb88a59bfe980bb363bf9) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: Backport CVE-2024-29508Ashish Sharma2024-11-023-0/+339
| | | | | | | | | | | | | Import patch from ubuntu to fix CVE-2024-29508 Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/ghostscript/commit/?h=ubuntu/focal-security&id=22b23aa6de7613a4d9c1da9c84d72427c9d0cf1a] Upstream commit: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ff1013a0ab485b66783b70145e342a82c670906a (From OE-Core rev: c5a85dfe661543137e40976e832ac22e4815406a) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* migration-guide: add release notes for 4.0.22Lee Chee Yang2024-11-022-0/+197
| | | | | | | | | | | (From yocto-docs rev: f08f4c664ffd49d23c7318d88604d1c940f0298a) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Reviewed-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 9563855ccd92e21fb6f8320c96a3a83e115c947e) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: release-process: refresh the current LTS releasesAntonin Godard2024-11-021-6/+9
| | | | | | | | | | | | | | Mention that Scarthgap the latest LTS in a bullet list next to Kirkstone. Reword the parapraph a bit to make it clearer after this change. Reviewed-by: Michael Opdenacker <michael.opdenacker@rootcommit.com> (From yocto-docs rev: 23c4ca4fdfffb7793cf4ffaea365e042e1a25325) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit afeded9939777d88bf4cb9ebf7a61aadd476642d) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: release-process: update releases.svgAntonin Godard2024-11-021-561/+346
| | | | | | | | | | | | | * Add Walnascar release. * Remove dunfell, gatesgarth, hardknott, honister: these release are not supported anymore. Start from kirkstone, which is still supported. (From yocto-docs rev: 1955aa1052d16a05cc7d493d5e7c0fe113141812) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit aa9a580c8c57af4baa4fb24a43487fb7afc258e5) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* overview-manual: concepts: add details on package splittingAntonin Godard2024-11-021-5/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | The package splitting section of the overview manual currently lacks any explanation of how package splitting is implemented and redirects to the package class, which is not really understandable for newcomers to the project. This patch adds a short explanation of what is done: * How the PACKAGES variable is defined. * How the FILES variable is defined. * How the two work together. * How to add a custom package. This should give enough details to a new user on what package splitting achieves and how to add a custom package. Adresses [YOCTO #13225] Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> (From yocto-docs rev: ef4150029d377ce1c35645971502ae56345915a6) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> (cherry picked from commit 143c3cacdec36c9d7ab81c89bbcc12c0c3936bd9) Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: tests/fetch: Use our own mirror of mobile-broadband-provider to ↵Richard Purdie2024-11-021-1/+1
| | | | | | | | | | | | | | decouple from gnome gitlab GNOME gitlab has occasional downtime which impacts bitbake-selftest and causes autobuilder failures. Switch to our own mirror for test purposes to avoid those issues. (Bitbake rev: 0c30e9aadd30fc6f0dcf811eb8340687b52eb00b) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 91e268b11ed683bd197026f9b36001f6d54ee05c) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: tests/fetch: Use our own mirror of sysprof to decouple from gnome ↵Richard Purdie2024-11-021-1/+1
| | | | | | | | | | | | | | gitlab GNOME gitlab has occasional downtime which impacts bitbake-selftest and causes autobuilder failures. Switch to our own mirror for test purposes to avoid those issues. (Bitbake rev: e4ec4267e4c0818a1682f8a1a4bf3d1419e509a1) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 008808755ed6cfeb6c41273e69ce718f0833c26c) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: gitsm: Remove downloads/tmpdir when failedRobert Yang2024-11-021-3/+5
| | | | | | | | | | | The tmpdir such as downloads/tmplp3cnemv won't be removed without this fix. (Bitbake rev: 15582daed9a18330bcf1ad316a57d46571bbf7c6) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 2ba8d3214759142afc11f0a88d80eb30a8bcde3a) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: gitsm: Add call_process_submodules() to remove duplicated codeRobert Yang2024-11-021-28/+14
| | | | | | | | | | | There are 14 lines can be removed, and can make it easy to maintain. (Bitbake rev: ff2dfda55258d8034ea748d87222e51124a03f02) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 0ea2c1ac079d63349407a69172ff80cd9acc7252) Signed-off-by: Steve Sakoman <steve@sakoman.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-08-07 20:42:06 +0000