Commit message | Author | Age | Files | Lines
...
* ovmf: Fix CVE-2023-45231 | Soumya Sambu | 2024-12-09 | 3 | -0/+317

  EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-45231

  Upstream-patches:
  https://github.com/tianocore/edk2/commit/bbfee34f4188ac00371abe1389ae9c9fb989a0cd
  https://github.com/tianocore/edk2/commit/6f77463d72807ec7f4ed6518c3dac29a1040df9f

  (From OE-Core rev: bdff14d8e6f4dad7b873442c813672ef0ec6fb01)

  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2023-45230 | Soumya Sambu | 2024-12-09 | 3 | -0/+2223

  EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-45230

  Upstream-patches:
  https://github.com/tianocore/edk2/commit/f31453e8d6542461d92d835e0b79fec8b039174d
  https://github.com/tianocore/edk2/commit/5f3658197bf29c83b3349b0ab1d99cdb0c3814bc

  (From OE-Core rev: 50b50174f057a9a5fb9773e67b4f183ae942ff10)

  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2022-36764 | Soumya Sambu | 2024-12-09 | 4 | -0/+603

  EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2022-36764

  Upstream-patches:
  https://github.com/tianocore/edk2/commit/c7b27944218130cca3bbb20314ba5b88b5de4aa4
  https://github.com/tianocore/edk2/commit/0d341c01eeabe0ab5e76693b36e728b8f538a40e
  https://github.com/tianocore/edk2/commit/8f6d343ae639fba8e4b80e45257275e23083431f

  (From OE-Core rev: aba14824159e549fd77cb90e3a9a327c527b366f)

  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf: Fix CVE-2022-36763 | Soumya Sambu | 2024-12-09 | 4 | -0/+1932

  EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2022-36763

  Upstream-patches:
  https://github.com/tianocore/edk2/commit/224446543206450ddb5830e6abd026d61d3c7f4b
  https://github.com/tianocore/edk2/commit/4776a1b39ee08fc45c70c1eab5a0195f325000d3
  https://github.com/tianocore/edk2/commit/1ddcb9fc6b4164e882687b031e8beacfcf7df29e

  (From OE-Core rev: 26db24533f9f32c32189e4621102b628a9ea6729)

  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gstreamer1.0: improve test reliability | Ross Burton | 2024-12-02 | 1 | -1/+15

  First, libcheck has the ability to increase all test timeouts by an arbitrary multiplier. Because we run our tests on loaded build machines, increase all timeouts by 10x to reduce the chance of load causing failures.

  Second, use GST_CHECKS_IGNORE to list test cases that should be skipped. Drop skip-aggregator-test.patch as this is now redundant, and also skip gstnetclientclock.c:test_functioning as this is very sensitive to load.

  [ YOCTO #14808 ]

  (From OE-Core rev: 13b13b81b91f618c13cf972067c47bd810de852f)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 669d0df81f651f7c033c8cb7872cac5bfe670a4f)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ninja: fix build with python 3.13 | Markus Volk | 2024-12-02 | 2 | -1/+66

  python 3.13 removed the pipes module. Thus build fails for host machines that run python 3.13

  This commit adds a backport patch to use subprocess module instead

  (From OE-Core rev: 1a02cf1997216cb943d8965fe74f971a8cb2f70f)

  Signed-off-by: Markus Volk <f_l_k@t-online.de>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* package_rpm: restrict rpm to 4 threads | Alexander Kanavin | 2024-12-02 | 1 | -0/+1

  TL;DR version: with this, and the previous compression level changes I am seeing drastic speedups in package_write_rpm completion times:

  webkitgtk goes from 78 seconds to 37 seconds
  glibc-locale goes from 399 seconds to 58 seconds (!)

  The long version: rpm uses multithreading for two purposes:

  - spawning compressors (which are nowadays themselves multi-threaded, so the feature is not as useful as it once was)
  - parallel file classification

  While the former behaves well on massively parallel CPUs (it was written and verified here :), the latter was then added by upstream and only benchmarked on their very old, slow laptop, apparently:
  https://github.com/rpm-software-management/rpm/commit/41f0e214f2266f02d6185ba11f797716de8125d4

  On anything more capable it starts showing pathologic behavior, presumably from spawning massive amount of very short-lived threads, and then having to synchronize them.

  For example classifying glibc-locale takes
  5m20s with 256 threads (default on my machine!)
  1m49s with 64 threads
  59s with 16 threads
  48s with 8 threads

  Even a more typical recipe like webkitgtk is affected:
  47s with 256 threads
  32s with 64 threads
  27s with 16 or 8 threads

  I have found that the optimal amount is actually four: this also means that only four compressors are running at a time, but as they're themselves using threads, and typical recipes are dominated by just two or three large packages, this does not affect overall completion time.

  (From OE-Core rev: 896192604d84a6f77095f23cd13232e249b7aac5)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* package_rpm: use zstd's default compression level | Alexander Kanavin | 2024-12-02 | 1 | -1/+1

  zstd uses 3 by default, while 19 is the highest and slowest. It's not clear why 19 was picked to begin with, possibly I copy-pasted it from rpm's examples without thinking:
  https://git.yoctoproject.org/poky/commit/?h=master-next&id=4a4d5f78a6962dda5f63e9891825c80a8a87bf66

  This brings significant speedups in rpm's compression step: for example compressing webkitgtk takes 11s instead of 36s.

  The rpm size increases from 175648k to 234860k. I think it's a worthy default tradeoff.

  (From OE-Core rev: c377ced95ef7fd060316db1325529826d0985790)

  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tzdata&tzcode-native: upgrade 2024a -> 2024b | Jinfeng Wang | 2024-12-02 | 5 | -3/+206

  (From OE-Core rev: 5aa73ec35a3c65df62f17bc8196a35f28fd3522e)

  Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  (cherry picked from commit c8d3edb2562ea4d980186e78b4abb5a94b1d7b22)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2024-7055 | Archana Polampalli | 2024-12-02 | 2 | -0/+39

  A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-273651.

  (From OE-Core rev: 7335a81112673616240f010d4930b4982b10c355)

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2023-51796 | Archana Polampalli | 2024-12-02 | 2 | -0/+40

  Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/f_reverse.c:269:26 in areverse_request_frame.

  (From OE-Core rev: ec7301d63376197ed3e89282545109f046d63888)

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2023-50007 | Archana Polampalli | 2024-12-02 | 2 | -0/+79

  Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the av_samples_set_silence function in the libavutil/samplefmt.c:260:9 component.

  (From OE-Core rev: 88a1fc5a6445e72e6cc78c39a6feff3aa96beea6)

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2023-47342 | Archana Polampalli | 2024-12-02 | 2 | -0/+40

  (From OE-Core rev: 725fe951917606fe141aab4d2f1c14617b280943)

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2023-51798 | Archana Polampalli | 2024-12-02 | 2 | -0/+46

  Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via a floating point exception (FPE) error at libavfilter/vf_minterpolate.c:1078:60 in interpolate.

  (From OE-Core rev: b6c00d2c64036b2b851cdbb3b6efd60bc839fa5b)

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsndfile: fix CVE-2024-50612 | Hitendra Prajapati | 2024-12-02 | 2 | -0/+403

  Upstream-Status: Backport from https://github.com/libsndfile/libsndfile/commit/4755f5bd7854611d92ad0f1295587b439f9950ba

  (From OE-Core rev: 5462005cf3feef383e4212529a8c7af827bdf0d1)

  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* coreutils: fix CVE-2024-0684 | Chen Qi | 2024-12-02 | 2 | -0/+43

  Backport patch with tweaks for the current version to fix CVE-2024-0684.

  (From OE-Core rev: 3d9a4cacd5f051134f190afcab2c71b3286cf9e5)

  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* builder: set CVE_PRODUCT | Peter Marko | 2024-12-02 | 1 | -2/+2

  Builder is a common word and there are many other builder components which makes us to ignore CVEs for all of them. There is already 1 ignored and currently 3 new ones.

  Instead, set product to yocto to filter them.

  (From OE-Core rev: 941a645b3b18418e020ada9ebdd19f425f03dfc8)

  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-pip: fix CVE-2023-5752 | Jiaying Song | 2024-12-02 | 2 | -3/+39

  When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call (ie "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-5752

  Upstream patches:
  https://github.com/pypa/pip/pull/12306/commits/389cb799d0da9a840749fcd14878928467ed49b4

  (From OE-Core rev: 862c0338fba06077a26c775b49f993eac63762c9)

  Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: fetch/wget: Increase timeout to 100s from 30s | Richard Purdie | 2024-12-02 | 1 | -2/+2

  Testing shows the worst case CDN response time can be up to 100s. The wget fetcher is used for accessing sstate from the CDN so increase our timeouts there to match our worst case response times.

  (Bitbake rev: 3f88b005244a0afb5d5c7260e54a94a453ec9b3e)

  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: fetch2: use persist_data context managers | Chris Laplante | 2024-12-02 | 1 | -31/+31

  Python 3.13 emits a ResourceWarning for unclosed sqlite3 `Connection`s. See https://docs.python.org/3/whatsnew/3.13.html#sqlite3

  The previous commit fixed persist_data's context manager to close the connection, but we were never actually using `with` in the first place.

  This change is not necessary on 'master' because persist_data was removed.

  (Bitbake rev: 9789c55ecc90ba074596061fa16e90d3e8accb02)

  Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
  (cherry picked from commit 61f803c7d92a012b62837b0cdae4789a394b260e)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: persist_data: close connection in SQLTable __exit__ | Chris Laplante | 2024-12-02 | 1 | -0/+1

  A Connection's __exit__ does not close the connection, but rather deals with transactions. See https://docs.python.org/3/library/sqlite3.html#how-to-use-the-connection-context-manager

  This change is not necessary on 'master' because persist_data was removed.

  (Bitbake rev: 97856a56cbf09401b34d6c9bb5444c07a88772ce)

  Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
  (cherry picked from commit b0fba0f5af555ff970406b5cf3bf8fb113d953d1)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* udev-extraconf: fix network.sh script did not configure hotplugged interfaces | Regis Dargent | 2024-11-27 | 1 | -32/+0

  Udev script network.sh is called when a new ethernet interface is plugged (eg. USB). Due to some (old) missing files, this script does nothing, instead of configuring the interfaces with ifup. I just commented the corresponding lines to allow the script to reach the part where it calls ifup.

  (From OE-Core rev: 8c10f4a4dc12f65212576e6e568fa4369014aaa0)

  Signed-off-by: Regis Dargent <regis.dargent@gmail.com>

  Fixes [YOCTO 15616]

  network.sh relies on (long) missing files (eg. /etc/network/options, /etc/init.d/network) to decide if it should configure the new network interface (ifup) or put its name in /etc/udev_network_queue for future initialization by /etc/init.d/network service. The actual result was that the new hotplugged interface was never automatically configured. Removing the obsolete tests allows the script to do its intended job.

  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 160f7139172ffdf510a0d7d4e85f7fbaac7fd000)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* toolchain-shar-extract.sh: exit when post-relocate-setup.sh fails | Chen Qi | 2024-11-27 | 1 | -0/+4

  When LD_LIBRARY_PATH is set, post-relocate-setup.sh will fail and exit properly. But such failure is ignored and the SDK installation will continue and tell user that things succeed. This is misleading. So exit immediately if post-relocate-setup.sh fails.

  Fixes [Yocto #15586]

  (From OE-Core rev: 7050f445081801555614b264e1932e55538a7127)

  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit c8e2dcc1f71aa33cc6e56dfdebebbe7ef010c944)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* llvm: reduce size of -dbg package | Steve Sakoman | 2024-11-27 | 1 | -0/+2

  Unless DEBUG_BUILD is enabled, pass -g1 to massively reduce the size of the debug symbols

  Level 1 produces minimal information, enough for making backtraces in parts of the program that you don't plan to debug. This includes descriptions of functions and external variables, and line number tables, but no information about local variables.

  This makes the sstate objects a lot more manageable, and packaging faster.

  (From OE-Core rev: 13a2f43920c53f9f1bc5ec52eba9eb48da265ef6)

  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* webkitgtk: reduce size of -dbg package | Ross Burton | 2024-11-27 | 1 | -0/+4

  Unless DEBUG_BUILD is enabled, pass -g1 to massively reduce the size of the debug symbols (4.3GB to 700M at time of writing):

  Level 1 produces minimal information, enough for making backtraces in parts of the program that you don't plan to debug. This includes descriptions of functions and external variables, and line number tables, but no information about local variables.

  This makes the sstate objects a lot more manageable, and packaging faster. On my machine:

  PKG        TASK                 ABSDIFF  RELDIFF  WALLTIME1 -> WALLTIME2
  webkitgtk  do_compile           -613.8s   -21.7%    2823.3s -> 2209.5s
  webkitgtk  do_package           -143.4s   -53.6%     267.7s -> 124.3s
  webkitgtk  do_install            -93.7s   -60.1%     156.0s -> 62.3s
  webkitgtk  do_populate_sysroot   -51.6s   -86.4%      59.7s -> 8.1s

  Cumulative walltime:
  -892.9s  -26.5%  56:06.3 (3366.3s) -> 41:13.4 (2473.4s)

  (From OE-Core rev: 287584ee1068e36c7e758aa1d69ef71382c9adaa)

  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 8361411ea0d67a2620680e2e86045799e072c80a)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* lttng-modules: fix build error after kernel update to 5.15.171 | Liyin Zhang | 2024-11-27 | 2 | -0/+62

  This patch fixes the following build error after kernel rebase.

  lttng-modules-2.13.14/src/probes/../../include/lttng/define_trace.h:87,
  lttng-modules-2.13.14/src/probes/../../include/instrumentation/events/kmem.h:576,
  lttng-modules-2.13.14/src/probes/lttng-probe-kmem.c:35:
  ../../include/lttng/tracepoint-event-impl.h:133:6: error: conflicting types for 'trace_mm_page_alloc_zone_locked'; have 'void(struct page *, unsigned int, int)'
  133 | void trace_##_name(_proto);
      | ^~~~~~
  ../../include/instrumentation/events/kmem.h:444:1: note: in expansion of macro 'LTTNG_TRACEPOINT_EVENT_INSTANCE_MAP'
  444 | LTTNG_TRACEPOINT_EVENT_INSTANCE_MAP(kmem_mm_page, mm_page_alloc_zone_locked,
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  kernel-source/include/trace/events/kmem.h:9,
  from lttng-modules-2.13.14/src/probes/lttng-probe-kmem.c:24:
  kernel-source/include/linux/tracepoint.h:244:28: note: previous definition of 'trace_mm_page_alloc_zone_locked' with type 'void(struct page *, unsigned int, int, int)'
  244 | static inline void trace_##name(proto) \
      | ^~~~~~
  kernel-source/include/linux/tracepoint.h:416:9: note: in expansion of macro '__DECLARE_TRACE'
  416 | __DECLARE_TRACE(name, PARAMS(proto), PARAMS(args), \
      | ^~~~~~~~~~~~~~~
  kernel-source/include/linux/tracepoint.h:539:9: note: in expansion of macro 'DECLARE_TRACE'
  539 | DECLARE_TRACE(name, PARAMS(proto), PARAMS(args))
      | ^~~~~~~~~~~~~
  kernel-source/include/trace/events/kmem.h:259:1: note: in expansion of macro 'DEFINE_EVENT'
  259 | DEFINE_EVENT(mm_page, mm_page_alloc_zone_locked,
      | ^~~~~~~~~~~~

  (From OE-Core rev: 20010748cc532261d8477d03a740a2acb7f6df76)

  Signed-off-by: Liyin Zhang <liyin.zhang.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* webkitgtk: fix perl-native dependency | Ovidiu Panait | 2024-11-27 | 1 | -1/+1

  Currently, perl-native is missing from DEPENDS for webkitgtk even though perlnative bbclass is inherited. This happens because the DEPENDS variable is reassigned right after perlnative class is inherited:

  inherit perlnative (DEPENDS += "perl-native")
  ...
  DEPENDS = " \
  ..."

  Adjust the DEPENDS line to use += in order to fix this.

  (From OE-Core rev: 76cb08195f90b36395d7ad09ab8f2654eda0d204)

  Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (From OE-Core rev: a207c8f42f809340e0794cd326cb5c45e32d7d56)
  Signed-off-by: Kai Kang <kai.kang@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* webkitgtk: Fix build on 32bit arm | Khem Raj | 2024-11-27 | 2 | -0/+297

  (From OE-Core rev: dbdaeb9ff6bf7ce8478f2d61f2f22f84918c26fe)

  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Cc: Mingli Yu <mingli.yu@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (From OE-Core rev: 9294ccb9530ce70b2513b2e112644ec5e9f8e701)
  Signed-off-by: Kai Kang <kai.kang@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* scripts/install-buildtools: Update to 4.0.22 | Aleksandar Nikolic | 2024-11-27 | 1 | -2/+2

  Update to the 4.0.22 release of the 4.0 series for buildtools.

  (From OE-Core rev: ca09d02ae7628d7d003aaaaa7b600aa6d58d515c)

  Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* wireless-regdb: upgrade 2024.07.04 -> 2024.10.07 | Wang Mingyu | 2024-11-27 | 1 | -1/+1

  (From OE-Core rev: 566fc928ddbbacb59fcd62448315afa3e4de7147)

  Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit f124bb09a798d94eca5e93387bc361b147ce53f9)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2023-51794 | Archana Polampalli | 2024-11-27 | 2 | -0/+36

  Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/af_stereowiden.c:120:69.

  (From OE-Core rev: 248dc3b20971fb95f0ceb2a34959f857c89ae008)

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2024-31578 | Archana Polampalli | 2024-11-27 | 2 | -0/+50

  FFmpeg version n6.1.1 was discovered to contain a heap use-after-free via the av_hwframe_ctx_init function.

  (From OE-Core rev: 072a5454fa6610fd751433c518f9beb5496851a1)

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2024-31582 | Archana Polampalli | 2024-11-27 | 2 | -0/+35

  FFmpeg version n6.1 was discovered to contain a heap buffer overflow vulnerability in the draw_block_rectangle function of libavfilter/vf_codecview.c. This vulnerability allows attackers to cause undefined behavior or a Denial of Service (DoS) via crafted input.

  (From OE-Core rev: d675ceadf5844524e9f77c2c9b76b9ca42e699fc)

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2023-50008 | Archana Polampalli | 2024-11-27 | 2 | -0/+30

  Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the av_malloc function in libavutil/mem.c:105:9 component.

  (From OE-Core rev: 433c84c528bb9920399abfe9e9461d26a929bc7a)

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2023-51793 | Archana Polampalli | 2024-11-27 | 2 | -0/+68

  Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in image_copy_plane.

  (From OE-Core rev: be875832526636638a034680f837241c16e2b26d)

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2024-32230 | Archana Polampalli | 2024-11-27 | 2 | -0/+36

  FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0

  (From OE-Core rev: 6eb7dc3eecbbe115f95864d587fb3d5557321973)

  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glib-2.0: Backport fix for CVE-2024-52533 | Vijay Anusuri | 2024-11-27 | 2 | -0/+50

  Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/glib/-/commit/ec0b708b981af77fef8e4bbb603cde4de4cd2e29

  Reference: https://security-tracker.debian.org/tracker/CVE-2024-52533

  (From OE-Core rev: c7ecdd6530e18efd651e2ea57565481f66f7b1cf)

  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup-2.4: Backport fix for CVE-2024-52530 and CVE-2024-52532 | Vijay Anusuri | 2024-11-27 | 4 | -0/+230

  Upstream-Status: Backport from
  https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b
  & https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be
  & https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c

  (From OE-Core rev: 87b0badcb1d10eddae31ac7b282a4e44778d63af)

  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libsoup: Fix for CVE-2024-52530 and CVE-2024-52532 | Vijay Anusuri | 2024-11-27 | 4 | -1/+232

  Upstream-Status: Backport from
  https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b
  & https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be
  & https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c

  (From OE-Core rev: 5c96ff64b5c29e589d776d23dbbed64ad526a997)

  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: Backport fix for multiple CVE's | Vijay Anusuri | 2024-11-27 | 6 | -0/+255

  import patch from ubuntu to fix
  CVE-2024-46951
  CVE-2024-46952
  CVE-2024-46953
  CVE-2024-46955
  CVE-2024-46956

  Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/ghostscript/tree/debian/patches?h=ubuntu/jammy-security
  Upstream commit
  https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ada21374f0c90cc3acf7ce0e96302394560c7aee
  & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=1fb76aaddac34530242dfbb9579d9997dae41264
  & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=294a3755e33f453dd92e2a7c4cfceb087ac09d6a
  & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ca1fc2aefe9796e321d0589afe7efb35063c8b2a
  & https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ea69a1388245ad959d31c272b5ba66d40cebba2c]

  (From OE-Core rev: 21a81b592a33504d90f8c53842719cb1fcf96271)

  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to kirkstone head revision [yocto-4.0.23] [kirkstone-4.0.23] | Steve Sakoman | 2024-11-15 | 1 | -1/+1

  (From OE-Core rev: fb45c5cf8c2b663af293acb069d446610f77ff1a)

  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* poky.conf: bump version for 4.0.23 | Steve Sakoman | 2024-11-15 | 1 | -1/+1

  (From meta-yocto rev: 20a38f21b26408d8b2598f0709ebc9cdcf1d05e2)

  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "sphinx-static/switchers.js.in: do not refer to URL_ROOT anymore" | Antonin Godard | 2024-11-15 | 1 | -6/+0

  This reverts commit 6c16f7481b8b175271072062925959bbaba2ec5f.

  (From yocto-docs rev: 188d4317fc7c6ebf0e6803e3240e9e3ba2024442)

  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "doc: Makefile: remove inkscape, replace by rsvg-convert" | Antonin Godard | 2024-11-15 | 1 | -4/+4

  This reverts commit 1ecb50eacc6510e1b77215fd6af36b1f7ffdeabe.

  (From yocto-docs rev: fd710eb3f15ed4d6a50cab52ba25c62dcd445a96)

  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "doc: Makefile: add support for xelatex" | Antonin Godard | 2024-11-15 | 2 | -10/+2

  This reverts commit 0a6944b9f90b4d3babbdec9dee18fb8195b0db06.

  (From yocto-docs rev: 08fae3c2dd1dbd898c028a4e713ca4d388ccee6b)

  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "doc: Makefile: publish pdf and epub versions too" | Antonin Godard | 2024-11-15 | 1 | -3/+1

  This reverts commit 96947b5c0e79fa0e9500388585cce5f2b91e69db.

  (From yocto-docs rev: 26b78e1c2f63280cf228bba7349a0ca8bfdd8fd2)

  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "doc: add a download page for epub and pdf" | Antonin Godard | 2024-11-15 | 2 | -18/+0

  This reverts commit a9fc5432fdb568103ba9b719f71e66895f939792.

  (From yocto-docs rev: 0ba95ca4e2f714789022cafa28d582d91d50b9c3)

  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual: document how to provide confs from layer.conf | Antonin Godard | 2024-11-15 | 1 | -0/+90

  Add a section on providing global level configuration from the layer.conf file. Since this file is parsed at an earlier stage in the parsing process, it's not possible to combine bb.utils.contains and {DISTRO,MACHINE}_FEATURES to conditionally set some configurations.

  This patch documents:

  - First that this file can be used for providing such configuration.
  - Then demonstrate how to conditionally provide them, using a technique that is currently used in meta-virtualization (https://git.yoctoproject.org/meta-virtualization/tree/conf/layer.conf#n50).

  Fixes [YOCTO #12688].

  Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>

  (From yocto-docs rev: e49111c280927c922ab40547c02c11772787b731)

  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  (cherry picked from commit 31e5bd3e82e11f77da2abd96eb8c17a7c8194b7c)
  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* conf.py: add a bitbake_git extlink | Antonin Godard | 2024-11-15 | 1 | -0/+1

  To make references to the bitbake repo, add an extlink for it and use it in the docs with ":bitbake_git:`lib/bb/utils.py </tree/lib/bb/utils.py>`".

  Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>

  (From yocto-docs rev: 579da2e7222c1bd21948205f470d97435f3b2cc3)

  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  (cherry picked from commit 8bf3c656ec54a582c75ca7c135121a15f8e4f631)
  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* sphinx-static/switchers.js.in: do not refer to URL_ROOT anymore | Antonin Godard | 2024-11-15 | 1 | -0/+6

  This variable was removed from the Sphinx-generated documentation_options.js, thus breaking the current implementation of our switchers.js.

  Like searchtools.js, which is also generated by Sphinx, use document.documentElement.dataset.content_root as a replacement.

  To be backwards-compatible to get one or the other.

  (From yocto-docs rev: 6c16f7481b8b175271072062925959bbaba2ec5f)

  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  (cherry picked from commit 2849690abf94872e259e712128e90413f3b9a2f2)
  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>