Commit message | Author | Age | Files | Lines
...
* mesa: Fix missing GLES3 headers in SDK sysroot | Johannes Kauffmann | 2025-03-08 | 1 | -0/+5
  Building weston with core-image-weston SDK fails:
  ```
  ../libweston/renderer-gl/gl-shader-config-color-transformation.c:29:10: fatal error: GLES3/gl3.h: No such file or directory
     29 | #include <GLES3/gl3.h>
        |          ^~~~~~~~~~~~~
  ```
  Both GLES2 and GLES3 implementations are contained in libGLESv2.so.2, which is packaged in libgles2-mesa. However, the headers are split between libgles2-mesa-dev and libgles3-mesa-dev, which is why the GLES3 headers end up missing in the SDK sysroot.
  Add a dependency so the GLES3 headers are properly associated with the GLES3 implementation.
  (From OE-Core rev: 7e1308ec413e69a8427ac5998431005d9e4b8033)
  (From OE-Core rev: 0d9f2fcc2058407eb138297d9f8f12595851b963)
  Signed-off-by: Tom Hochstein <tom.hochstein@oss.nxp.com>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2025-26601 | Vijay Anusuri | 2025-03-08 | 5 | -0/+344
  The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989
  (From OE-Core rev: 58f5a6a28d353f14c672bb99820608ec82f05e6e)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2025-26600 | Vijay Anusuri | 2025-03-08 | 2 | -0/+69
  Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b
  (From OE-Core rev: b02bf5f9abb4d2a514f9ea883cd1fe6057367c92)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2025-26599 | Vijay Anusuri | 2025-03-08 | 3 | -0/+197
  The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8
  (From OE-Core rev: d79cd91d2abc1b0e9e1e47d18af140d351dce298)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2025-26598 | Vijay Anusuri | 2025-03-08 | 2 | -0/+121
  Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a
  (From OE-Core rev: f01c281b94ff137003ef108e33a8c3230c541c46)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2025-26597 | Vijay Anusuri | 2025-03-08 | 2 | -0/+47
  Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949
  (From OE-Core rev: a7f4c6b1946e7215d8df561340d7a1cd0b2d5c27)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2025-26596 | Vijay Anusuri | 2025-03-08 | 2 | -0/+50
  Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01
  (From OE-Core rev: 45738e56aaf5dac1a471cb37088d3cd24764156d)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2025-26595 | Vijay Anusuri | 2025-03-08 | 2 | -0/+66
  Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87
  (From OE-Core rev: e0768162f0ece29392d4f387d263d62dd4083836)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2025-26594 | Vijay Anusuri | 2025-03-08 | 3 | -0/+107
  The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6
  (From OE-Core rev: 2d8bf72c892a3a6422e2a294fb6528ff67971e6d)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2024-9632 | Vijay Anusuri | 2025-03-08 | 2 | -0/+60
  Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ba1d14f8eff2a123bd7ff4d48c02e1d5131358e0
  (From OE-Core rev: 2158a34839068b878344d214d3fc9feeb17e504a)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2024-31083 | Vijay Anusuri | 2025-03-08 | 3 | -0/+197
  The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057ee
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/337d8d48b618d4fc
  (From OE-Core rev: 1c4b1e7877210243707a91d6a9d37ed4546bc8a7)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2024-31081 | Vijay Anusuri | 2025-03-08 | 2 | -0/+48
  Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee
  (From OE-Core rev: 3575ad718c8ea7d808247842df19982f00725187)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2024-31080 | Vijay Anusuri | 2025-03-08 | 2 | -0/+50
  Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b
  (From OE-Core rev: 4e41b1c8cccd3b2f359ee949cad402b9418f5983)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2024-21886 | Vijay Anusuri | 2025-03-08 | 3 | -0/+133
  The patches are copied from xserver-xorg recipe. CVE reported for both and patches apply on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8
  (From OE-Core rev: 77487fb0756951e29628f41ff00db12a5f9d7c27)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xwayland: Fix CVE-2024-21885 | Vijay Anusuri | 2025-03-08 | 2 | -0/+114
  Patch copied from xserver-xorg recipe. CVE reported for both and patch applies on both.
  Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1
  (From OE-Core rev: 4b0f6aaa994eeab5d18211ace8034ec8b92b7419)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: mark patch as fixing CVE-2025-27113 | Peter Marko | 2025-03-08 | 2 | -1/+2
  This vulnerability now has a CVE assigned.
  (From OE-Core rev: 204ff9dd9c62a8a346e89880b2e15a4c0e9ad6e0)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* elfutils: Fix multiple CVEs | Hitendra Prajapati | 2025-03-04 | 3 | -0/+205
  Backport fixes for:
  * CVE-2025-1352 - Upstream-Status: Backport from https://sourceware.org/git/?p=elfutils.git;a=commit;h=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753
  * CVE-2025-1372 - Upstream-Status: Backport from https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db
  (From OE-Core rev: 8ea258ad9c83be5d9548a796f7dda4ac820fc435)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xz: Update SRC_URI | Guocai He | 2025-03-04 | 1 | -1/+1
  Update SRC_URI for xz. The tarball of xz-.tar.gz has been changed from https://tukaani.org/xz/xz-.tar.gz to https://sourceforge.net/projects/lzmautils/files/xz-.tar.gz
  (From OE-Core rev: 3f0803557ffa0fae557895f955ab2dcac38d7262)
  Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tzcode: Update SRC_URI | Guocai He | 2025-03-04 | 1 | -4/+4
  Update SRC_URI for tzcode. Update the http to https in SRC_URI to fix the do_fetch issue.
  (From OE-Core rev: b663540d143b0e5fcb9ceeec45cde7fe3e68f9bb)
  Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* meta: Enable '-o pipefail' for the SDK installer | Moritz Haase | 2025-03-04 | 1 | -0/+5
  When testing a Yocto SDK installer on Alpine 3.21, we recently ended up with a broken SDK. One of the commands the relocation script calls in a piped multi-command chain failed (see [0]), but the installer did not realize that - since it doesn't use 'set -o pipefail'. Thus, the error was never reported to the user and the installer claimed to have set up the SDK correctly - which wasn't the case.
  Given that the SDK installer is a POSIX-compliant shell script and that the 'pipefail' option used to be missing from the standard, it's not surprising that it isn't used. Thankfully however, in June of 2024, a new version of POSIX (POSIX.1-2024) was released - and that one finally includes the 'pipefail' option (see [1]). A number of shells already support it, so let's enable it if available to make the SDK installer more robust.
  The change has been tested locally using SDK installers for internal projects, based on both Kirkstone and Scarthgap.
  [0]: https://gitlab.alpinelinux.org/alpine/aports/-/issues/16797
  [1]: https://pubs.opengroup.org/onlinepubs/9799919799.2024edition/utilities/V3_chap02.html#set
  (From OE-Core rev: 1cb4b41c7faf77fcc347b1276d86d4288968c926)
  (From OE-Core rev: 1de469f1ffb1680e3a75da2c3895fb1e4f43859f)
  Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
  Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 10dce263f0230f94a44a017b5614811e696c5ce9)
  Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* virglrenderer: fix do_fetch error | Libo Chen | 2025-03-04 | 1 | -1/+1
  Update SRC_URI to fix the following error:
  WARNING: virglrenderer-native-0.9.1-r0 do_fetch: Failed to fetch URL git://anongit.freedesktop.org/git/virglrenderer;branch=branch-0.9.1, attempting MIRRORS if available
  (From OE-Core rev: 72450859dd5ee5395b64917516f185a2eed52775)
  Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* boost: fix do_fetch error | Jiaying Song | 2025-03-04 | 1 | -1/+1
  Change the SRC_URI to the correct value due to the following error:
  WARNING: boost-native-1.86.0-r0 do_fetch: Checksum failure encountered with download of https://boostorg.jfrog.io/artifactory/main/release/1.86.0/source/boost_1_86_0.tar.bz2 - will attempt other sources if available
  (From OE-Core rev: 3b4c5ce6b89477307f3a2c30c7e275473b0c9f00)
  Signed-off-by: Jiaying Song <jsong-cn@ala-lpggp7.wrs.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  backport to kirkstone.
  Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: upgrade 250.5 -> 250.14 | Narpat Mali | 2025-03-04 | 32 | -893/+187
  Latest stable branch update which includes 396 commits and the full list of changes can be found at:
  https://github.com/systemd/systemd-stable/compare/v250.5...v250.14
  All the patches were refreshed with devtool.
  Backported this upstreamed patch to resolve the compile error while building systemd with qemumips machine.
  - 0001-core-fix-build-when-seccomp-is-off.patch
  These 2 below patches were modified to resolve the merge conflicts introduced by systemd v250.14 version:
  1. 0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch
     - This patch was just adjusted based on the systemd v250.14 version.
  2. 0001-pass-correct-parameters-to-getdents64.patch
     - For this patch, there was a commit reverted as part of the v250.8 tag: https://github.com/systemd/systemd-stable/commit/51089e007f2f45fc15e37e7a9dcf3045416e1239
  These below 6 patches were dropped as systemd v250.14 already has the changes:
  - 0001-shared-json-allow-json_variant_dump-to-return-an-err.patch
  - CVE-2022-3821.patch
  - CVE-2022-4415-1.patch
  - CVE-2022-4415-2.patch
  - CVE-2022-45873.patch
  - CVE-2023-7008.patch
  (From OE-Core rev: 371d030a665e3c963a586ab02d10f1f36b225435)
  Signed-off-by: Narpat Mali <narpat.falna@gmail.com>
  Signed-off-by: Randy Macleod <randy.macleod@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bind: Upgrade 9.18.28 -> 9.18.33 | Vijay Anusuri | 2025-03-04 | 1 | -1/+1
  Includes security fixes for CVE-2024-12705 CVE-2024-11187 and other bug fixes
  Release Notes:
  https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-33
  https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-32
  https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-31
  https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-30
  https://downloads.isc.org/isc/bind9/9.18.33/doc/arm/html/notes.html#notes-for-bind-9-18-29
  (From OE-Core rev: 3488171fb594a28f8e9ed110e94c6a191f8f390e)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-26601 | Vijay Anusuri | 2025-03-04 | 5 | -0/+344
  Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/16a1242d
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/f52cea2f
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/8cbc90c8
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/c2857989
  (From OE-Core rev: edc4a85c1aa5a137d4f5d8fbc74135c6805511db)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-26600 | Vijay Anusuri | 2025-03-04 | 2 | -0/+69
  Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b
  (From OE-Core rev: 4227ae54a29ca8b454e56ffd27de2bbce00b6b89)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-26599 | Vijay Anusuri | 2025-03-04 | 3 | -0/+197
  Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/c1ff84be
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b07192a8
  (From OE-Core rev: c013fec3e5dd86544366308f53a031b080b140c6)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-26598 | Vijay Anusuri | 2025-03-04 | 2 | -0/+121
  Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a
  (From OE-Core rev: 645ad1bcf8675873a7ab4778ffd2dd59dbb7b037)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-26597 | Vijay Anusuri | 2025-03-04 | 2 | -0/+47
  Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949
  (From OE-Core rev: 9d095e34da2adde63358a878cfac45ea28727bdf)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-26596 | Vijay Anusuri | 2025-03-04 | 2 | -0/+50
  Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01
  (From OE-Core rev: d510d87d9bb3e3489a4482dd0ce66e4bc7622ca0)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-26595 | Vijay Anusuri | 2025-03-04 | 2 | -0/+66
  Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87
  (From OE-Core rev: 78d718f0a683f9fb81aa24b39f148d2acf2e1fc6)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: Fix for CVE-2025-26594 | Vijay Anusuri | 2025-03-04 | 3 | -0/+107
  Upstream-Status: Backport from https://gitlab.freedesktop.org/xorg/xserver/-/commit/01642f26
  & https://gitlab.freedesktop.org/xorg/xserver/-/commit/b0a09ba6
  (From OE-Core rev: f45b068860b1be1b3dadd58f8f787953a2951405)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vulnerabilities/classes: remove references to cve-check text format | Marta Rybczynska | 2025-02-28 | 2 | -29/+69
  The text format has been removed, so also remove references and examples using this format. Replace with examples with the JSON format.
  (From yocto-docs rev: 9798689e4f4b74163c2e8594f3d1ce082d295aa1)
  Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  (cherry picked from commit a52cd7bcadccc53e982f90d6e170d00798322597)
  Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* vim: Upgrade 9.1.0764 -> 9.1.1043 | Divya Chellam | 2025-02-28 | 1 | -2/+2
  This includes CVE-fix for CVE-2025-22134 and CVE-2025-24014
  Changes between 9.1.0764 -> 9.1.1043
  ====================================
  https://github.com/vim/vim/compare/v9.1.0764...v9.1.1043
  (From OE-Core rev: 73b5570a16708d1e749b1ec525299d10557cbf56)
  Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2025-25473 | Archana Polampalli | 2025-02-28 | 2 | -0/+37
  FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c.
  (From OE-Core rev: 599ee3f195bc66d57797c121fa0b73a901d6edfa)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2024-35369 | Archana Polampalli | 2025-02-28 | 2 | -0/+39
  In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module, a potential security vulnerability exists due to insufficient validation of certain parameters when parsing Speex codec extradata. This vulnerability could lead to integer overflow conditions, potentially resulting in undefined behavior or crashes during the decoding process.
  (From OE-Core rev: 3efef582892a5a9286041837098b80aa59d1b688)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2024-28661 | Archana Polampalli | 2025-02-28 | 2 | -0/+41
  (From OE-Core rev: cbe8929662f8ea873a3686517516bc5754a3cd18)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: fix CVE-2024-36618 | Archana Polampalli | 2025-02-28 | 2 | -0/+37
  FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.
  (From OE-Core rev: 46680bed23ef6f529c7e554b5611a7c098fce8a9)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gstreamer1.0-rtsp-server: fix CVE-2024-44331 | Archana Polampalli | 2025-02-28 | 2 | -1/+47
  Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c allows remote attackers to cause a denial of service via a series of specially crafted hexstream requests.
  (From OE-Core rev: ce328462a12eeaa59994e2236071aa17a083c263)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: ignore CVE-2024-7272 | Peter Marko | 2025-02-28 | 1 | -0/+5
  This vulnerability was introduced in 5.1, so 5.0.1 is not affected.
  (From OE-Core rev: ea6e581067cafd5f367c68871bc312d3ba11b4da)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ffmpeg: ignore 5 CVEs | Peter Marko | 2025-02-28 | 1 | -0/+18
  There is no release which is vulnerable to these CVEs. These vulnerabilities are in new features being developed and were fixed before release.
  NVD most likely does not accept CVE rejection from a non-maintainer and non-reporter, so ignoring this CVE should be an acceptable solution.
  (From OE-Core rev: 220a05e27913bf838881c3f22a17d0409c5154a9)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libcap: fix CVE-2025-1390 | Hitendra Prajapati | 2025-02-28 | 2 | -0/+37
  Upstream-Status: Backport from https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=1ad42b66c3567481cc5fa22fc1ba1556a316d878
  (From OE-Core rev: 142715b83fb2c5f4dfeeab2c6e7feccecd1ca46f)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: patch CVE-2025-24928 | Peter Marko | 2025-02-28 | 2 | -0/+59
  Pick commit from 2.12 branch.
  (From OE-Core rev: 3ccd936adb928612c9721768708534350aeee351)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: patch CVE-2024-56171 | Peter Marko | 2025-02-28 | 2 | -0/+43
  Pick commit from 2.12 branch.
  (From OE-Core rev: ab804cd27ecf7ee65a9feea477140502ecbc0d73)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: fix compilation of explicit child axis in pattern | Peter Marko | 2025-02-28 | 2 | -0/+32
  This was reported as security fix in
  https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.10
  https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6
  (From OE-Core rev: 0dc99e25c16a1e74aa80ca20132609990bb9dff7)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "ovmf: Fix CVE-2023-45236" | Kai Kang | 2025-02-28 | 2 | -830/+0
  This reverts commit a9cd3321558e95f61ed4c5eca0dcf5a3f4704925.
  The fix for CVE-2023-45237 has been reverted. And the fix for CVE-2023-45236 depends on it. So revert it too.
  (From OE-Core rev: c61e31f192837b05bc309a05aef95c3be5b44997)
  Signed-off-by: Kai Kang <kai.kang@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "ovmf: Fix CVE-2023-45237" | Kai Kang | 2025-02-28 | 3 | -1368/+0
  This reverts commit 6f8bdaad9d22e65108f859a695277ce1b20ef7c6.
  This reverts commit 4c2d3e37308cac98614dfafed79b7323423af8bc.
  The fix for CVE-2023-45237 causes ovmf firmware to not support pxe boot any more and no boot item in OVMF menu such as
  UEFI PXEv4 (MAC address)
  It has not been fixed by ovmf upstream and an issue has been created on https://github.com/tianocore/tianocore.github.io/issues/82
  Revert the fixes for now.
  (From OE-Core rev: d3f399f54042efc6f4ca2092dd11819ae1f7c51f)
  Signed-off-by: Kai Kang <kai.kang@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* u-boot: fix CVE-2024-57259 | Hongxu Jia | 2025-02-28 | 2 | -0/+42
  sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation.
  https://nvd.nist.gov/vuln/detail/CVE-2024-57259
  (From OE-Core rev: e4b713ff07695487cc9307ffc3576a11775cde4d)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* u-boot: fix CVE-2024-57258 | Hongxu Jia | 2025-02-28 | 4 | -0/+133
  Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64.
  https://nvd.nist.gov/vuln/detail/CVE-2024-57258
  (From OE-Core rev: b4bf3ba66052db7a311ac696563a8a0f9c585600)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* u-boot: fix CVE-2024-57257 | Hongxu Jia | 2025-02-28 | 2 | -0/+229
  A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1 occurs via a crafted squashfs filesystem with deep symlink nesting.
  https://nvd.nist.gov/vuln/detail/CVE-2024-57257
  (From OE-Core rev: 5ed8ad78bcce836aa8894de7a1d7fdf719e5bbca)
  Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>