Commit message | Author | Age | Files | Lines
* build-appliance-image: Update to kirkstone head revision [yocto-4.0.20, kirkstone-4.0.20] | Steve Sakoman | 2024-07-15 | 1 | -1/+1
  (From OE-Core rev: 5d97b0576e98a2cf402abab1a1edcab223545d87)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* poky.conf: bump version for 4.0.20 | Steve Sakoman | 2024-07-15 | 1 | -1/+1
  (From meta-yocto rev: c4c74d1e575217ddc4b74759cd83186a70940ef9)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc-tests: Add missing bash ptest dependency | Poonam Jadhav | 2024-07-09 | 2 | -2/+2
  The script has a bashism and needs bash to execute correctly. Mark it as such and add the missing bash dependency so it executes in minimal images.

  (From OE-Core rev: a1b5afac108d9c94e8fc2ad8cfebfee16f6f243b)
  (From OE-Core rev: 8e650506885bc4465f9569b3ccdc327eb83d90db)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 28b8d57a88849f7f024d13c5c901f3621f5166c7)
  Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc-tests: correctly pull in the actual tests when installing -ptest package | Poonam Jadhav | 2024-07-09 | 1 | -1/+1
  The tests are packaged into the main glibc-tests package which is fine, but then glibc-tests-ptest package needs to depend on that. Which is what this commit addresses.

  (From OE-Core rev: d37c2d428b09b9d0cbb875f083c6a1e9883a7fed)
  (From OE-Core rev: c09335a23025ff78a6d3eb41c483b5a479b1c3be)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 644914efa83a289da154c888b5661b9d16eaa35b)
  Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* linuxloader: add -armhf on arm only for TARGET_FPU 'hard' | Jonas Gorski | 2024-07-09 | 1 | -1/+1
  There are two types of soft FPU options for arm, soft and softfp, and if using the latter the wrong dynamic loader will be used. E.g. go will link against ld-linux-armhf.so.3, but libc6 will only ship a ld-linux.so.3, so go programs will fail to start.

  Fix this by instead checking for TARGET_FPU being 'hard' and then applying the suffix.

  (From OE-Core rev: c7426629245db2ea8d9f3cf25b575ac31b5a83b0)
  Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 07b4c7a2bd23f8645810e13439e814caaaf9cd94)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssh: fix CVE-2024-6387 | Jose Quaresma | 2024-07-09 | 2 | -0/+28
  sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive). Race condition resulting in potential remote code execution.

  A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems. This attack could be prevented by disabling the login grace timeout (LoginGraceTime=0 in sshd_config) though this makes denial-of-service against sshd(8) considerably easier.

  For more information, please refer to the release notes [1] and the report from the Qualys Security Advisory Team [2] who discovered the bug.

  [1] https://www.openssh.com/txt/release-9.8
  [2] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

  References: https://www.openssh.com/security.html

  (From OE-Core rev: ddb998d16fd869acb00a1cd8038ada20fd32aa8b)
  Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>

  v2: include the missing cve tag:
  CVE: CVE-2024-6387

  v3: add the Signed-off-by on the CVE-2024-6387.patch

  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* OpenSSL: Security fix for CVE-2024-5535 | Siddharth Doshi | 2024-07-09 | 10 | -0/+2196
  Upstream-Status: Backport from [https://github.com/openssl/openssl/commit/cf6f91f6121f4db167405db2f0de410a456f260c]

  CVE's Fixed:
  CVE-2024-5535 openssl: SSL_select_next_proto buffer overread

  (From OE-Core rev: 2f4ac382a76e093a3eac6e74fbe2d136094cedf1)
  Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gstreamer1.0-plugins-base: fix CVE-2024-4453 | Archana Polampalli | 2024-07-09 | 2 | -0/+66
  GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

  The specific flaw exists within the parsing of EXIF metadata. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23896.

  (From OE-Core rev: 6708631c89d1cb0d7e0e1b888c51826b3939f8af)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* wget: Fix for CVE-2024-38428 | Vijay Anusuri | 2024-07-09 | 2 | -0/+80
  Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace]

  (From OE-Core rev: 4f7fb1cf937b0cefa5b0079417859b56c3171c0a)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* man-pages: remove conflict pages | Changqing Li | 2024-06-26 | 1 | -9/+4
  Remove the pages which libxcrypt and shadow already have, to avoid the following conflicts when installing man-pages and libxcrypt/shadow at the same time.

  Error: Transaction test error:
    file /usr/share/man/man3/crypt.3 from install of libcrypt-doc-4.4.33-r0.x86_64 conflicts with file from package man-pages-6.04-r0.x86_64

  (From OE-Core rev: fbc8f5381e8e1da0d06f7f8e5b8c63a49b1858c2)
  Signed-off-by: Changqing Li <changqing.li@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 605b4a91dc44d33bd4742841e71645275bc039e8)
  Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* man-pages: add an alternative link name for crypt_r.3 | Thomas Perrot | 2024-06-26 | 1 | -3/+4
  Because crypt_r.3 is also provided by libxcrypt-doc.

  (From OE-Core rev: 5160fb6bf6ef49c0c33b000f377a56effd398fd0)
  Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit ae5a8629ea72d6b3567047c7b858deae28623aba)
  Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gobject-introspection: Do not hardcode objdump name | Khem Raj | 2024-06-26 | 1 | -1/+1
  Use the OBJDUMP variable in the script. This helps in using the lddwrapper with recipes which may be using different objdump tools, e.g. llvm-objdump, or vice versa.

  (From OE-Core rev: bbbb515f7df240b8679567cd3e04d6b4ccc65f6d)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit c04b3e0e371859c159b76bff87a5b1299b51d0c8)
  Signed-off-by: Daiane Angolini <daiane.angolini@foundries.io>
  Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: Upgrade 3.0.13 -> 3.0.14 | Siddharth | 2024-06-26 | 3 | -305/+1
  CVE's Fixed by upgrade:
  CVE-2024-4741: Fixed potential use after free after SSL_free_buffers() is called
  CVE-2024-4603: Fixed an issue where checking excessively long DSA keys or parameters may be very slow
  CVE-2024-2511: Fixed unbounded memory growth with session handling in TLSv1.3

  Removed backports of CVE-2024-2511 and CVE-2024-4603 as they are already fixed.

  Detailed Information: https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#changes-between-3013-and-3014-4-jun-2024

  (From OE-Core rev: 8f51bac2a05747ea186e928eda2358f2e6295883)
  Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: stable 2.35 branch updates | Deepthi Hemraj | 2024-06-26 | 1 | -1/+1
  Below commit on glibc-2.35 stable branch is updated.
  72abffe225 Force DT_RPATH for --enable-hardcoded-path-in-tests

  (From OE-Core rev: 8accff90a850265ecc8570cfa15e8e5963d2a5d7)
  Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: fix CVE-2024-27280 | Yogita Urade | 2024-06-26 | 2 | -0/+88
  A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fixed version; however, for Ruby 3.0 users, a fixed version is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version is stringio 3.0.1.2.

  Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-27280

  (From OE-Core rev: 729310d17310dff955c51811ff3339fdbc017b95)
  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* acpica: fix CVE-2024-24856 | Yogita Urade | 2024-06-26 | 2 | -1/+36
  The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a successful allocation, but the subsequent code directly dereferences the pointer that receives it, which may lead to null pointer dereference. To fix this issue, a null pointer check should be added. If it is null, return exception code AE_NO_MEMORY.

  Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-24856

  (From OE-Core rev: 0920aacb2a042e10e54db949428471ef9b20c96d)
  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: Security fix for CVE-2024-34459 | Siddharth Doshi | 2024-06-26 | 2 | -0/+31
  Upstream-Status: Backport from [https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac5392a4e891b81e40e592c3ac6cb46016ce]

  CVE's Fixed:
  CVE-2024-34459 libxml2: buffer over-read in xmlHTMLPrintFileContext in xmllint.c

  (From OE-Core rev: b9f46d058854c0a6104a928b7b0b30d65fb87c2e)
  Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glib-2.0: patch CVE-2024-34397 | Peter Marko | 2024-06-26 | 19 | -0/+3374
  This is taken from https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4047

  That MR was not merged as 2.72 is an inactive branch now. But it can be used by distributions, like Ubuntu did under https://git.launchpad.net/ubuntu/+source/glib2.0/commit/?h=applied/ubuntu/jammy-security&id=94425c909b037c63c9dbbf72015f628ed4ad4aea

  (From OE-Core rev: 95e8507848e3143eca83621f6572439e22f60bd4)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* migration-guides: add release notes for 4.0.19 | Lee Chee Yang | 2024-06-24 | 2 | -0/+160
  add release notes for 4.0.19.

  (From yocto-docs rev: b15b1d369edf33cd91232fefa0278e7e89653a01)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Reviewed-by: Michael Opdenacker <michael@opdenacker.org>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: tests/fetch: Tweak test to match upstream repo url change | Steve Sakoman | 2024-06-24 | 1 | -1/+1
  Upstream changed their urls, update our test to match.

  (Bitbake rev: 734b0ea3dfe45eb16ee60f0c2c388e22af4040e0)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to kirkstone head revision [yocto-4.0.19, kirkstone-4.0.19] | Steve Sakoman | 2024-06-02 | 1 | -1/+1
  (From OE-Core rev: ab2649ef6c83f0ae7cac554a72e6bea4dcda0e99)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* poky.conf: bump version for 4.0.19 | Steve Sakoman | 2024-06-01 | 1 | -1/+1
  (From meta-yocto rev: 6518f291d692997632304451695b6c194fec6fa6)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* git: Fix multiple CVEs | Soumya Sambu | 2024-06-01 | 12 | -0/+1498
  CVE-2024-32002:
  Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

  CVE-2024-32004:
  Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

  CVE-2024-32020:
  Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a "proper" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

  CVE-2024-32021:
  Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may create hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

  CVE-2024-32465:
  Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2024-32002
  https://nvd.nist.gov/vuln/detail/CVE-2024-32004
  https://nvd.nist.gov/vuln/detail/CVE-2024-32020
  https://nvd.nist.gov/vuln/detail/CVE-2024-32021
  https://nvd.nist.gov/vuln/detail/CVE-2024-32465

  (From OE-Core rev: 209c41377abf6853455b00af3923f1b244a3766b)
  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* util-linux: Fix CVE-2024-28085 | Soumya Sambu | 2024-06-01 | 6 | -0/+672
  wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.

  CVE-2024-28085-0005 is the CVE fix and CVE-2024-28085-0001, CVE-2024-28085-0002, CVE-2024-28085-0003, CVE-2024-28085-0004 are dependent commits to fix the CVE.

  References: https://nvd.nist.gov/vuln/detail/CVE-2024-28085

  (From OE-Core rev: 28d9f948536dfee2330e4cfd225c932d20d688f1)
  Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: fix CVE-2023-52722 | Archana Polampalli | 2024-06-01 | 2 | -0/+44
  (From OE-Core rev: 66228a9e8177e70a5653b61742836a3ad83e78af)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: fix CVE-2024-29510 | Archana Polampalli | 2024-06-01 | 2 | -0/+85
  (From OE-Core rev: 18e03cadcad0b416ef9fe65627e2e5c2924e3f26)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: fix CVE-2024-33871 | Archana Polampalli | 2024-06-01 | 3 | -0/+4908
  Added dependent patch [1] for backporting this CVE

  [1] https://github.com/ArtifexSoftware/ghostpdl/commit/8b47f269b83b172b22606806fe5ec272d974e797

  (From OE-Core rev: edcaa55aa53d51528ae77d1f4b544309c8e1e48e)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: fix CVE-2024-33869 | Archana Polampalli | 2024-06-01 | 3 | -0/+93
  (From OE-Core rev: fb0271a2d4e847764816b673aa37ea03ee4b3325)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ghostscript: fix CVE-2024-33870 | Archana Polampalli | 2024-06-01 | 2 | -0/+93
  (From OE-Core rev: 9f0c63b568312da93daeb31eeb2874b98d1e3eea)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* initscripts: Add custom mount args for /var/lib | Colin McAllister | 2024-05-29 | 2 | -2/+4
  Adds bitbake variable to set additional mount flags for the /var/lib overlayfs or bind mount when using a read-only root filesystem. This can be used to set additional options like "-o nodev".

  (From OE-Core rev: c3109e40e2c2c881996dd3fcc95fca74f098646d)
  (From OE-Core rev: e0a1ed7aa1f2b12d985414db9a75d6e151ae8d21)
  Signed-off-by: Colin McAllister <colin.mcallister@garmin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd-systemctl: Fix WantedBy processing | Bob Henz | 2024-05-29 | 1 | -0/+11
  An empty string assignment to WantedBy should clear all prior WantedBy settings. This matches behavior of the current systemd implementation.

  (From OE-Core rev: 8ede0083c28fadf1e83c9256618190b931edd306)
  (From OE-Core rev: 9e3a2e143ef2aaab335439ddbe1ab976aeeed35d)
  Signed-off-by: Bob Henz <robert_henz@jabil.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit c653bfc68b06bfd4fa07ba18322599a130b1c59a)
  Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* classes: go-mod: do not pack go mod cache | Stefan Herbrechtsmeier | 2024-05-29 | 1 | -0/+4
  Clean go module cache from builddir to prevent it from being packed.

  (From OE-Core rev: c850931590ff22da4d38756f957b88e04078c76c)
  Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
  Signed-off-by: Lukas Funke <lukas.funke@weidmueller.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 328bea56dec8f83b5c118f567e122510f9243087)
  Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go.bbclass: fix path to linker in native Go builds | Dmitry Baryshkov | 2024-05-29 | 1 | -1/+4
  Building native Go tools results in the tool pointing to the wrong location of dynamic linker (see below). The linker is looked up in the temporary dir, which can be removed if rm_work is inherited. This results in being unable to execute the program with the 'No such file or directory' error. Override linker specification for native recipes (and let the Go build environment pick up a correct one on its own).

  The error is observed in case the distro doesn't use uninative.bbclass. If uninative.bbclass is used, the binary will be patched automatically to use the uninative loader instead of the system one.

  Without this patch:

  $ ldd tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man
      linux-vdso.so.1 (0x00007ffe945ec000)
      libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a7490e000)
      /home/lumag/Projects/RPB/build-rpb/tmp-rpb-glibc/work/x86_64-linux/go-md2man-native/1.0.10+gitAUTOINC+f79a8a8ca6-r0/recipe-sysroot-native/usr/lib/ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2 (0x00007f3a74d13000)
  $ tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man --help
  -bash: tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man: No such file or directory

  With the patch:

  $ ldd tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man
      linux-vdso.so.1 (0x00007ffd19dbf000)
      libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2d44181000)
      /lib64/ld-linux-x86-64.so.2 (0x00007f2d44586000)
  $ tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man --help
  Usage of tmp-rpb-glibc/sysroots-components/x86_64/go-md2man-native/usr/bin/go-md2man:
    -in string
          Path to file to be processed (default: stdin)
    -out string
          Path to output processed file (default: stdout)

  (From OE-Core rev: b611c77e4883ad81a8f40cbee3fea006500735ed)
  Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 44b397daa68b4d0a461225fe9ff7db8b5fcfdb7b)
  Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: Always pass interpreter to linker | Joerg Vehlow | 2024-05-29 | 1 | -1/+2
  When go's internal linker is used, it uses hardcoded paths to the interpreter (dynamic linker). For x86_64 this hardcoded path is /lib64/ld-linux-x86-64.so.2, but yocto's default dynamic linker path is /lib64/ld-linux-x86-64.so.2. Most of the time, the internal linker is not used and the binutils linker sets the correct path, but sometimes the internal linker is used and the resulting binary will not work on x86_64. To ensure the path is always correct, pass it to the linker.

  (From OE-Core rev: 69128ca66991b13358f2552fcd5a7cfa6dda4952)
  Signed-off-by: Joerg Vehlow <joerg.vehlow@aox.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 6b54215074d7f3dbba07f096f16b9c0acf51527c)
  Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Rename CVE-2022-38126 patch to CVE-2022-35205 | Vijay Anusuri | 2024-05-29 | 2 | -2/+3
  CVE-2022-38126 has been marked "REJECT" in the CVE List by NVD.
  Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-38126

  As the changes in 0016-CVE-2022-38126.patch fix CVE-2022-35205, the patch has been renamed.
  Link: https://ubuntu.com/security/CVE-2022-35205

  (From OE-Core rev: d91af23e4fef0f1999c18fc3a43085b70e98dfd5)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* openssl: patch CVE-2024-4603 | Peter Marko | 2024-05-29 | 2 | -0/+181
  Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46

  (From OE-Core rev: 601b81350c0f8487439885a576c4d7d883619a6d)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libarchive: fix CVE-2024-26256 | Yogita Urade | 2024-05-29 | 2 | -2/+32
  libarchive Remote Code Execution Vulnerability

  References:
  https://nvd.nist.gov/vuln/detail/CVE-2024-26256
  https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-26256

  (From OE-Core rev: 1ee5ba41cab2ce490fa0ddf67b83f57af1206c35)
  Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bitbake: parse: Improve/fix cache invalidation via mtime | Richard Purdie | 2024-05-29 | 1 | -3/+6
  We have been seeing obscure failures in devtool, particularly on newer autobuilder workers where it appears the cache is assumed to be valid when it shouldn't be.

  We're using the 'seconds' granularity mtime field which is not really a good way of telling if a file has changed. We can switch to the "ns" version which is better, however also add in inode number and size as precautions. We already have all this data and tuples are fast so there isn't really any cost to do so.

  This hopefully fixes [YOCTO #15318].

  (Bitbake rev: 5a90927f31c4f9fccbe5d9d07d08e6e69485baa8)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit d9e5d313c79500e3c70ab9c3239b6b2180194f67)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libpciaccess: Remove duplicated license entry | Bhabu Bindu | 2024-05-16 | 1 | -1/+1
  Remove duplicated MIT license entry for libpciaccess

  Duplication was done as part of below commit:
  Link: https://git.yoctoproject.org/poky/commit/meta/recipes-graphics/xorg-lib/libpciaccess_0.16.bb?h=kirkstone&id=b0130fcf91daee0d905af755302fabe608da141c

  (From OE-Core rev: f85d5dfc91d536a00669ca3148d8c3b2727b183d)
  Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: Update to latest on stable 2.35 branch | Peter Marko | 2024-05-16 | 3 | -30/+41
  Addresses CVEs: CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602

  Changes:
  54a666dc5c elf: Disable some subtests of ifuncmain1, ifuncmain5 for !PIE
  3a38600cc7 malloc: Exit early on test failure in tst-realloc
  924a98402a nscd: Use time_t for return type of addgetnetgrentX
  396f065496 login: structs utmp, utmpx, lastlog _TIME_BITS independence (bug 30701)
  77d8f49058 login: Check default sizes of structs utmp, utmpx, lastlog
  8e7f0eba01 sparc: Remove 64 bit check on sparc32 wordsize (BZ 27574)
  55771aba9d elf: Also compile dl-misc.os with $(rtld-early-cflags)
  7a5864cac6 CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
  bafadc589f CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bug 31678)
  4370bef52b CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bug 31678)
  7a95873543 CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677)

  Since glibc introduced file sysdeps/arm/bits/wordsize.h our multilib patch needed to be updated.

  (From OE-Core rev: 10b57ae56e6205414a44531728f691fda59a16c7)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gstreamer1.0-plugins-bad: fix CVE-2023-50186 | Vijay Anusuri | 2024-05-16 | 2 | -0/+71
  Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a46737a73155fe1c19fa5115df40da35426f9fb5]

  (From OE-Core rev: ce2d6ba5d69867471919fe698467e243d5f0e73c)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* bluez5: Fix CVE-2023-27349 CVE-2023-50229 & CVE-2023-50230 | Vijay Anusuri | 2024-05-16 | 3 | -0/+117
  Upstream-Status: Backport [https://github.com/bluez/bluez/commit/f54299a850676d92c3dafd83e9174fcfe420ccc9 & https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443]

  (From OE-Core rev: adaebd54ea6f53bfbc093c3bdac4f02b0975cb15)
  Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: fix CVE-2024-31083 | Archana Polampalli | 2024-05-16 | 3 | -0/+195
  The FreeGlyph() function is declared in render/glyphstr_priv.h, which is not present in the current recipe version and was introduced in later versions, so this change was added to render/glyphstr.h instead.

  (From OE-Core rev: cc2d9275203ad9489da43ff4e1f0983c00f235fd)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* xserver-xorg: fix CVE-2024-31082 | Archana Polampalli | 2024-05-16 | 2 | -0/+53
  (From OE-Core rev: 32fc43f0c3c5481b2c38c2136706758dba054b6e)
  Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: update releases.svg | Michael Opdenacker | 2024-05-15 | 1 | -38/+61
  - Make Scarthgap a current release
  - Add Styhead

  (From yocto-docs rev: 78b8d5b18274a41ffec43ca4e136abc717585f6d)
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* migration-notes: add release notes for 4.0.18 | Lee Chee Yang | 2024-05-15 | 2 | -0/+192
  add release notes for 4.0.18 (rc1).

  (From yocto-docs rev: 59ef7dc0f3b6636fbc98c0d232fe8879efc325c6)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* documentation/poky.yaml.in: drop mesa/sdl from essential host packages | Alexander Kanavin | 2024-05-15 | 1 | -8/+8
  They used to be required for qemu graphics support, but neither is being used for anything anymore.

  (From yocto-docs rev: 41db85d4d429f06548e14617e05d045958e8566d)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* documentation: standards.md: align with master branch | Michael Opdenacker | 2024-05-15 | 1 | -3/+94
  (From yocto-docs rev: ecc1731d6bd2f3bce40010bbfa3b608dcf25dd04)
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dev-manual: update custom distribution section | Paul Eggleton | 2024-05-15 | 1 | -4/+30
  In keeping with the addition of the motd message pointing out that the poky DISTRO is a reference distribution, adjust the opening of the Creating Your Own Distribution section to match. Additionally, add a section at the end pointing out what users need to consider if they just take a copy of the poky distribution and modify it.

  (From yocto-docs rev: 30bdf5a101466acdf63027bbdfb69ee18ed707ab)
  Signed-off-by: Paul Eggleton <paul.eggleton@microsoft.com>
  Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ref-manual: variables: Update default INHERIT_DISTRO value | Geoff Parker | 2024-05-15 | 1 | -1/+1
  Add remove-libtool to INHERIT_DISTRO defaults per meta/conf/distro/defaultsetup.conf

  (From yocto-docs rev: 94646665637d30d700e78598e0955815572c466c)
  Signed-off-by: Geoff Parker <geoffrey.parker@arthrex.com>
  Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
  Signed-off-by: Steve Sakoman <steve@sakoman.com>