path: root/meta/recipes-core
Commit message | Author | Age | Files | Lines
* glibc: fix CVE-2025-8058 | Peter Marko | 3 days | 2 | -2/+2

    This is a single commit bump containing only CVE fix

    $ git log --oneline cff1042cceec3502269947e96cf7023451af22f3..b027d5b145f1b2908f370bdb96dfe40180d0fcb6
    b027d5b145 posix: Fix double-free after allocation failure in regcomp (bug 33185)

    Test results didn't change except newly added test succeeding.
    (tst-regcomp-bracket-free)

    (From OE-Core rev: c2b63f171719e2b1c12ba049cbe776adf9e0244b)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: patch CVE-2025-6170 | Peter Marko | 3 days | 2 | -0/+104

    Pick commit referencing this CVE from 2.13 branch.

    (From OE-Core rev: 061610dfca8a72b71e1baca3ad4aa2c9fb64449b)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ncurses: patch CVE-2025-6141 | Peter Marko | 3 days | 2 | -0/+26

    Pick relevant part of snapshot commit 20250329, see [1].
    That has:
      add a buffer-limit check in postprocess_termcap (report/testcase by Yifan Zhang).

    [1] https://invisible-island.net/ncurses/NEWS.html#index-t20250329

    (From OE-Core rev: 79b080eb93918431c97edbbc80de5f70a2b09a4a)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: stable 2.39 branch updates | Deepesh Varatharajan | 9 days | 1 | -1/+1

    $ git log --oneline 06a70769fd0b2e1f2a3085ad50ab620282bd77b3..cff1042cceec3502269947e96cf7023451af22f3
    cff1042cce Fix error reporting (false negatives) in SGID tests
    1924d341c0 support: Pick group in support_capture_subprogram_self_sgid if UID == 0

    Testing Results:
                 Before  After  Diff
    PASS         5074    5082   +8
    XPASS        4       4      0
    FAIL         121     116    -5
    XFAIL        16      16     0
    UNSUPPORTED  157     154    -3

    cff1042cce Fix error reporting (false negatives) in SGID tests
    Improved SGID test handling by unifying error reporting and using secure
    temporary directories. Replaced non-standard exit codes and fixed premature
    exits to avoid masking failures. These changes reduced false negatives,
    increasing overall test pass rates

    UNSUPPORTED tests changes
    -UNSUPPORTED: stdlib/tst-secure-getenv
    -UNSUPPORTED: elf/tst-env-setuid-static
    -UNSUPPORTED: elf/tst-env-setuid-tunables

    FAILed tests changes
    -FAIL: malloc/tst-aligned-alloc-random-thread-cross-malloc-check
    -FAIL: malloc/tst-aligned-alloc-random-thread-malloc-check
    -FAIL: malloc/tst-dynarray
    -FAIL: malloc/tst-dynarray-mem
    -FAIL: resolv/tst-resolv-aliases

    PASSed tests changes
    +PASS: stdlib/tst-secure-getenv
    +PASS: elf/tst-env-setuid-static
    +PASS: elf/tst-env-setuid-tunables
    +PASS: malloc/tst-aligned-alloc-random-thread-cross-malloc-check
    +PASS: malloc/tst-aligned-alloc-random-thread-malloc-check
    +PASS: malloc/tst-dynarray
    +PASS: malloc/tst-dynarray-mem
    +PASS: resolv/tst-resolv-aliases

    (From OE-Core rev: c40b9c33061c4019ed7790ccb799bb3491998b3d)

    Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: fix CVE-2025-49795 | Roland Kovacs | 9 days | 2 | -0/+93

    A NULL pointer dereference vulnerability was found in libxml2 when processing
    XPath XML expressions. This flaw allows an attacker to craft a malicious XML
    input to libxml2, leading to a denial of service.

    (From OE-Core rev: b144c3ef3ba1797d925ea44d9450a6ec0fe32047)

    Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* timedated: wait for jobs before SetNTP response | Michal Seben | 2025-07-21 | 2 | -0/+98

    Backport a fix to address the dbus SetNTP response timing issue.
    Fix is already available since systemd v256-rc1.

    (From OE-Core rev: 4db0483cfd14e31c3e7cc87d538d73275fd51bbf)

    Signed-off-by: Michal Seben <michal.seben@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* busybox: apply patch for CVE-2023-39810 | Peter Marko | 2025-07-21 | 2 | -0/+137

    Backport patch referencing this CVE.

    Note that the hardening is not activated by default, it adds defconfig
    option to enable it. Since it introduces a breaking change, it shouldn't
    be enabled in LTS release by default.

    This patch makes busybox cpio equivalent in this release to what is
    currently in master and in kirkstone.

    Also note that gnu cpio also does not have this hardening, but the CVE is
    created only against busybox.

    (From OE-Core rev: 3f2b235526d135094408e3895c01bff7b5b938fb)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: fix CVE-2025-49794 & CVE-2025-49796 | Hitendra Prajapati | 2025-07-21 | 2 | -0/+187

    Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libxml2/-/commit/71e1e8af5ee46dad1b57bb96cfbf1c3ad21fbd7b

    (From OE-Core rev: bb20ddc599314161f3bcd6d5479e81478ceaaa3a)

    Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to scarthgap head revision (tags: yocto-5.0.11, scarthgap-5.0.11) | Steve Sakoman | 2025-07-11 | 1 | -1/+1

    (From OE-Core rev: 7a59dc5ee6edd9596e87c2fbcd1f2594c06b3d1b)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: fix CVE-2025-6021 | Hitendra Prajapati | 2025-07-11 | 2 | -0/+57

    Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0

    (From OE-Core rev: 8777f1b344c7f66a7ef4291bb59af2a5fb466b6a)

    Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* busybox: fix CVE-2022-48174 | Victor Giraud | 2025-07-07 | 2 | -0/+81

    shell: avoid segfault on ${0::0/0~09J}. Closes 15216

    CVE: CVE-2022-48174
    Upstream-Status: Backport [https://git.launchpad.net/ubuntu/+source/busybox/commit/?id=ca2afcbf42017d998ce3d6726f5ff5072a3fa853]

    (From OE-Core rev: a81aff7d810800ce3265422cddde26d11366d514)

    Signed-off-by: Victor Giraud <vgiraud.opensource@witekio.com>
    Signed-off-by: Bruno Vernay <bruno.vernay@se.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: stable 2.39 branch updates | Peter Marko | 2025-06-25 | 5 | -7/+9

    $ git log --oneline 3463100f2d47f2897a24ba8023a5c7aaf2d26550..06a70769fd0b2e1f2a3085ad50ab620282bd77b3
    06a70769fd ppc64le: Revert "powerpc: Optimized strcmp for power10" (CVE-2025-5702)
    3875045da5 ppc64le: Revert "powerpc : Add optimized memchr for POWER10" (Bug 33059)
    c6240a11f7 ppc64le: Revert "powerpc: Fix performance issues of strcmp power10" (CVE-2025-5702)
    2caef2827f elf: Fix subprocess status handling for tst-dlopen-sgid (bug 32987)
    9e25c0f445 x86_64: Fix typo in ifunc-impl-list.c.
    ca99d55315 elf: Test case for bug 32976 (CVE-2025-4802)
    71ddb11ccd support: Add support_record_failure_barrier
    abdeb4b520 support: Use const char * argument in support_capture_subprogram_self_sgid
    147bed0a71 elf: Keep using minimal malloc after early DTV resize (bug 32412)
    4e5ee49a43 sysdeps/unix/sysv/linux/x86_64/Makefile: Add the end marker
    37b30b6a68 sysdeps/x86_64/Makefile (tests): Add the end marker
    9fe51d34bb sort-makefile-lines.py: Allow '_' in name and "^# name"
    14ec225d85 libio: Correctly link tst-popen-fork against libpthread
    1dcfb9479d libio: Fix a deadlock after fork in popen
    e31ac9a639 libio: Sort test variables in Makefile
    68f3f1a1d0 Linux: Switch back to assembly syscall wrapper for prctl (bug 29770)
    d33d10642f nptl: PTHREAD_COND_INITIALIZER compatibility with pre-2.41 versions (bug 32786)
    b1eb369aee nptl: Use all of g1_start and g_signals
    ac5da3c0e4 nptl: rename __condvar_quiesce_and_switch_g1
    2fdc0afd07 nptl: Fix indentation
    582c99b2c0 nptl: Use a single loop in pthread_cond_wait instaed of a nested loop
    fc2a25417d nptl: Remove g_refs from condition variables
    6f5ba03968 nptl: Remove unnecessary quadruple check in pthread_cond_wait
    d0da34ad30 nptl: Remove unnecessary catch-all-wake in condvar group switch
    ea13a35e37 nptl: Update comments and indentation for new condvar implementation
    2451ef5c4a pthreads NPTL: lost wakeup fix 2

    test results:
                 Before  After  Diff
    FAIL         207     207    0
    PASS         4912    4915   +3
    UNSUPPORTED  230     230    0
    XFAIL        16      16     0
    XPASS        4       4      0

    (From OE-Core rev: c94b6686a1edcaa1bea1ff5e716df96da8e36b7c)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* coreutils: fix CVE-2025-5278 | Chen Qi | 2025-06-25 | 2 | -0/+113

    Backport patch to fix CVE-2025-5278.

    (From OE-Core rev: 7af711c0a31359b57903503ab37bad53aad89c22)

    Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: Rename systemd_v255.21 to systemd_255.21 | Savvas Etairidis | 2025-06-20 | 1 | -0/+0

    The recipe was accidentally renamed with a 'v' prefix in
    29e623b2ad00555788412fa520fbb9ffec794cbb.

    (From OE-Core rev: db02a4cc542d0e7e563ec46c91bf9a7313a71d02)

    Signed-off-by: Savvas Etairidis <setairidis@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: upgrade 255.18 -> 255.21 | Guðni Már Gilbert | 2025-06-11 | 28 | -33/+33

    The update includes 79 commits. Full list of changes can be found on Github [1]

    All patches were refreshed with devtool.

    [1] https://github.com/systemd/systemd-stable/compare/v255.18...v255.21

    (From OE-Core rev: 29e623b2ad00555788412fa520fbb9ffec794cbb)

    Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to scarthgap head revision (tags: yocto-5.0.10, scarthgap-5.0.10) | Steve Sakoman | 2025-06-02 | 1 | -1/+1

    (From OE-Core rev: d5342ffc570d47a723b18297d75bd2f63c2088db)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* util-linux: Add fix to isolate test fstab entries using CUSTOM_FSTAB | Virendra Thakur | 2025-06-02 | 2 | -0/+449

    During ptest execution, util-linux adds mount entries in /etc/fstab and runs
    `mount -a`, which mounts all available entries from /etc/fstab. This can
    cause unintended mounts that are unrelated to the test, leading to incorrect
    test behavior.

    To avoid this, upstream util-linux introduced a mechanism using CUSTOM_FSTAB,
    which isolates test-specific fstab entries. Only entries listed in
    CUSTOM_FSTAB are mounted during test execution, ensuring tests do not
    interfere with or depend on the system's /etc/fstab.

    This commit backports below upstream changes to use CUSTOM_FSTAB.
    https://github.com/util-linux/util-linux/commit/ed3d33faff17fb702a3acfca2f9f24e69f4920de
    https://github.com/util-linux/util-linux/commit/b1580bd760519a2cf052f023057846e54de47484
    https://github.com/util-linux/util-linux/commit/6aa8d17b6b53b86a46c5da68c02a893113130496

    (From OE-Core rev: e7420db0d77611140149ccfefefc8becfad4f34b)

    Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: Password agents shouldn't be optional | Vyacheslav Yurkov | 2025-05-27 | 1 | -10/+0

    If extra-utils package is not included in the image, you'll always see a
    warning that password agent is missing whenever you start/stop a service:

    Failed to execute /usr/bin/systemd-tty-ask-password-agent: No such file or directory

    (From OE-Core rev: 180455ee76a3819933f45ddd6ce9a5610b3ba947)

    Signed-off-by: Vyacheslav Yurkov <uvv.mail@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glib-2.0: fix CVE-2025-4373 | Praveen Kumar | 2025-05-27 | 3 | -0/+151

    A flaw was found in GLib, which is vulnerable to an integer overflow in the
    g_string_insert_unichar() function. When the position at which to insert the
    character is large, the position will overflow, leading to a buffer underwrite.

    References:
    https://nvd.nist.gov/vuln/detail/CVE-2025-4373
    https://security-tracker.debian.org/tracker/CVE-2025-4373

    Upstream-patches:
    https://gitlab.gnome.org/GNOME/glib/-/commit/cc647f9e46d55509a93498af19659baf9c80f2e3
    https://gitlab.gnome.org/GNOME/glib/-/commit/4d435bb4809793c445846db8fb87e3c9184c4703

    (From OE-Core rev: 02e2f5211962394ec3d66882daab240cb465ef85)

    Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc-y2038-tests: remove glibc-y2038-tests_2.39.bb recipe | rajmohan r | 2025-05-19 | 2 | -156/+0

    This recipe takes a long time (>20min) in bitbake for the package write
    stage. When cross-verified for the long duration, it was found that the
    do_check() stage takes 20min while the other stages complete within 6min.

    This recipe gives only the below two test binaries in the packages to test
    (ptest: glibc-y2038-tests):
      io/ftwtest
      io/ftwtest-time64

    The above test binaries are already included for testing in recipe
    glibc-testsuite_2.39.bb.

    It is by now well established that glibc itself works as it should, that
    all affected 32 bit targets are configured to use 64 bit time_t, and that
    any lingering y2038 issues are in components other than the c library, and
    usually come from C programming mistakes (e.g. storing timestamps in long).

    So this recipe seems to be redundant and can be removed.

    Review comments for fixing the above long duration ended up in removing
    this recipe as a proposal; see below
    https://lists.openembedded.org/g/openembedded-core/topic/112188476#msg214636

    Removed lines having reference to glibc-y2038-tests in the files.

    For master branch, integration was requested; below is the link
    https://lists.openembedded.org/g/openembedded-core/message/215655

    (From OE-Core rev: b214cc84a922f7a3fb7ebbc501189ce25e8bd2bd)

    Signed-off-by: rajmohan r <semc.2042@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: Add single-threaded fast path to rand() | Haixiao Yan | 2025-05-14 | 2 | -0/+48

    Backport a patch [1] to improve performance of rand() and __random() [2]
    by adding a single-threaded fast path.

    [1] https://sourceware.org/git/?p=glibc.git;a=commit;h=be0cfd848d9ad7378800d6302bc11467cf2b514f
    [2] https://sourceware.org/bugzilla/show_bug.cgi?id=32777

    (From OE-Core rev: 68ee8d16fa5419acba9111d3aca285be92bd93d3)

    Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: stable 2.39 branch updates | Deepesh Varatharajan | 2025-05-08 | 1 | -1/+1

    3463100f2d x86: Detect Intel Diamond Rapids
    e09436c2cb x86: Handle unknown Intel processor with default tuning
    7620d98186 x86: Add ARL/PTL/CWF model detection support
    765ff3d0d4 x86: Optimize xstate size calculation
    65ae73be01 x86: Use `Avoid_Non_Temporal_Memset` to control non-temporal path
    2be36448c4 x86: Tunables may incorrectly set Prefer_PMINUB_for_stringop (bug 32047)
    bde201e92c x86: Disable non-temporal memset on Skylake Server
    38a7632f2d x86: Fix value for `x86_memset_non_temporal_threshold` when it is undesirable
    cc59fa5dbc x86: Enable non-temporal memset tunable for AMD
    0da58e8be0 x86: Add seperate non-temporal tunable for memset
    837a36c371 x86: Link tst-gnu2-tls2-x86-noxsave{,c,xsavec} with libpthread
    87ab0c7f7f x86: Use separate variable for TLSDESC XSAVE/XSAVEC state size (bug 32810)
    60cd7123a6 x86: Skip XSAVE state size reset if ISA level requires XSAVE
    4cf3f9df54 x86_64: Add atanh with FMA
    01ed435e2e x86_64: Add sinh with FMA
    0edcc77fe7 x86_64: Add tanh with FMA
    7ecf0d3bde x86-64: Exclude FMA4 IFUNC functions for -mapxf
    e1fe22368e nptl: clear the whole rseq area before registration
    dd8c0c3bbd math: Improve layout of exp/exp10 data
    a1b09e59e2 AArch64: Use prefer_sve_ifuncs for SVE memset
    d0e2133470 AArch64: Add SVE memset
    0cc12d9c47 math: Improve layout of expf data
    0cd10047bf AArch64: Remove zva_128 from memset
    dd1e63ab58 AArch64: Optimize memset
    65a96a6f2b AArch64: Improve generic strlen
    4073e4ee2c AArch64: Improve codegen for SVE logs
    78abd3ef6e AArch64: Improve codegen in SVE tans
    a10183b633 AArch64: Improve codegen of AdvSIMD atan(2)(f)
    dcd1229e5b AArch64: Improve codegen of AdvSIMD logf function family
    72156cb90b AArch64: Improve codegen in AdvSIMD logs
    5e354bf4e2 AArch64: Simplify rounding-multiply pattern in several AdvSIMD routines
    80df456112 aarch64: Avoid redundant MOVs in AdvSIMD F32 logs
    d591876303 aarch64: Fix AdvSIMD libmvec routines for big-endian
    f6d48470ae assert: Add test for CVE-2025-0395

    Testresults:
    Before update     |After update      |Difference
    PASS: 5068        |PASS: 5072        |PASS: +4
    FAIL: 120         |FAIL: 120         |FAIL: 0
    XPASS: 4          |XPASS: 4          |XPASS: 0
    XFAIL: 16         |XFAIL: 16         |XFAIL: 0
    UNSUPPORTED: 157  |UNSUPPORTED: 157  |UNSUPPORTED: 0

    (From OE-Core rev: f14c2e6a6ba72673a0e30cde48ec1d5573be3e01)

    Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR" | Peter Marko | 2025-05-02 | 1 | -2/+0

    This reverts commit 7adaec468d3a61d88c990b1b319b34850bee7e44.

    It does not seem to fix the issue it was supposed to fix.
    Additionally it breaks code which decides in full/partial update,
    because it manipulates timestamp that code is relying on.

    (From OE-Core rev: 00dd4901e364d16d96cfab864823a9cfdd336eeb)

    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit ebc65fdddd7ce51f0f1008baa30d0ae7918ae0bb)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* buildtools-tarball: Make buildtools respect host CA certificates | Changqing Li | 2025-05-02 | 1 | -1/+22

    To adapt to the user network environment, buildtools should first try to use
    the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/...; if these envs
    are not set, then use the auto-detected ca file and ca path, and finally use
    the CA certificates in buildtools.

    nativesdk-openssl sets OPENSSLDIR as "/not/builtin", need to set
    SSL_CERT_FILE/SSL_CERT_DIR to work
    nativesdk-curl doesn't set default ca file, needs SSL_CERT_FILE/SSL_CERT_DIR
    or CURL_CA_BUNDLE/CURL_CA_PATH to work
    nativesdk-git actually uses libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO also
    works
    nativesdk-python3-requests will use cacert.pem under python module certifi
    by default, need to set REQUESTS_CA_BUNDLE

    (From OE-Core rev: 0653b96bac6d0800dc5154557706a323418808be)

    Signed-off-by: Changqing Li <changqing.li@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* buildtools-tarball: move setting of envvars to respective envfile | Changqing Li | 2025-05-02 | 1 | -6/+0

    * make git,curl,python3-requests align with openssl, move the setting of
      envvars into respective envfile
    * for environment.d-openssl.sh, also check if ca-certificates.crt exist
      before export envvars

    (From OE-Core rev: 5f4fd544d3df7365224599c9efdce4e545f51d5e)

    Signed-off-by: Changqing Li <changqing.li@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* initscripts: add function log_success_msg/log_failure_msg/log_warning_msg | Changqing Li | 2025-05-02 | 2 | -1/+21

    * add function log_success_msg/log_failure_msg/log_warning_msg, some
      packages still use these functions, like mariadb, refer [1]; without
      these functions, with the sysV init manager, mariadb will report an error:

      root@qemux86-64:~# /etc/init.d/mysqld status
      /etc/init.d/mysqld: line 383: log_success_msg: command not found

    * remove RCONFLICTS with lsbinitscripts, LSB support already removed in [2]

    [1] https://github.com/MariaDB/server/blob/main/support-files/mysql.server.sh#L104
    [2] https://git.openembedded.org/openembedded-core/commit/?id=fb064356af615d67d85b65942103bf943d84d290
    [3] https://refspecs.linuxbase.org/LSB_4.0.0/LSB-Core-generic/LSB-Core-generic/iniscrptfunc.html

    (From OE-Core rev: 90cf409ba74c4bb398199667ea2819759a720373)

    Signed-off-by: Changqing Li <changqing.li@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glib-2.0: patch CVE-2025-3360 | Peter Marko | 2025-05-02 | 7 | -1/+336

    Backport commits from [1] fixing [2] for 2.82.x.

    [1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4499
    [2] https://gitlab.gnome.org/GNOME/glib/-/issues/3647

    (From OE-Core rev: 2047764e0126ee6273d9c340235ddc2e3cdfea2f)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: patch CVE-2025-32415 | Peter Marko | 2025-05-02 | 2 | -0/+40

    Pick commit from 2.13 branch as 2.12 branch is unmaintained now.

    (From OE-Core rev: 2335d4f0d1826647eaee224c469331980fc84ed2)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: patch CVE-2025-32414 | Peter Marko | 2025-05-02 | 2 | -0/+75

    Pick commit which has been backported to 2.12 release branch.

    (From OE-Core rev: 187052ce4ddd43b46b8335cc955a63ca19ee6994)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: upgrade 255.17 -> 255.18 | Guðni Már Gilbert | 2025-04-28 | 28 | -34/+34

    The update includes 82 commits. Full list of changes can be found on Github [1]

    All patches were refreshed with devtool.

    [1] systemd/systemd-stable@v255.17...v255.18

    (From OE-Core rev: 121e1fb42c4c909115bc550585b2ebcb3a13e0a5)

    Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to scarthgap head revision (tags: yocto-5.0.9, scarthgap-5.0.9) | Steve Sakoman | 2025-04-19 | 1 | -1/+1

    (From OE-Core rev: 04038ecd1edd6592b826665a2b787387bb7074fa)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-update-nvd2-native: add workaround for json5 style list | Peter Marko | 2025-04-16 | 1 | -0/+5

    NVD responses changed to an invalid json between:
    * April 5, 2025 at 3:03:44 AM GMT+2
    * April 5, 2025 at 4:19:48 AM GMT+2

    The last response is since then in format
    {
      "resultsPerPage": 625,
      "startIndex": 288000,
      "totalResults": 288625,
      "format": "NVD_CVE",
      "version": "2.0",
      "timestamp": "2025-04-07T07:17:17.534",
      "vulnerabilities": [
        {...},
        ...
        {...},
      ]
    }

    Json does not allow trailing , in responses, that is json5 format.
    So cve-update-nvd2-native do_Fetch task fails with log backtrace ending:

    ...
    File: '/builds/ccp/meta-siemens/projects/ccp/../../poky/meta/recipes-core/meta/cve-update-nvd2-native.bb', lineno: 234, function: update_db_file
         0230:        if raw_data is None:
         0231:            # We haven't managed to download data
         0232:            return False
         0233:
     *** 0234:        data = json.loads(raw_data)
         0235:
         0236:        index = data["startIndex"]
         0237:        total = data["totalResults"]
         0238:        per_page = data["resultsPerPage"]
    ...
    File: '/usr/lib/python3.11/json/decoder.py', lineno: 355, function: raw_decode
         0351:        """
         0352:        try:
         0353:            obj, end = self.scan_once(s, idx)
         0354:        except StopIteration as err:
     *** 0355:            raise JSONDecodeError("Expecting value", s, err.value) from None
         0356:        return obj, end
    Exception: json.decoder.JSONDecodeError: Expecting value: line 1 column 1442633 (char 1442632)
    ...

    There was no announcement about json format of API v2.0 by nvd.
    Also this happens only if whole database is queried (database update is
    fine, even when multiple pages are queried).
    And lastly it's only the cve list, all other lists inside are fine.
    So this looks like a bug in NVD 2.0 introduced with some update.

    Patch this with simple character deletion for now and let's monitor the
    situation and possibly switch to json5 in the future.
    Note that there is no native json5 support in python, we'd have to use one
    of external libraries for it.

    (From OE-Core rev: 4358fdfdd7a8908df98f7c4def2c8c1a6efb7256)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 6e526327f5c9e739ac7981e4a43a4ce53a908945)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* expat: patch CVE-2024-8176 | Peter Marko | 2025-04-07 | 4 | -0/+1831

    Backport https://github.com/libexpat/libexpat/pull/973
    Patch created by:
    git diff 2fc36833334340ff7ddca374d86daa8744c1dfa3..99529768b4a722f46c69b04b874c1d45b3eb819c

    Additional backport (containing changes in tests only) was needed to apply
    it cleanly.

    Additional backport https://github.com/libexpat/libexpat/pull/989
    which has fixed regression of the first fix.
    Patch created by:
    git diff 91ca72e913af94ed44ef2a80a9dd542be3e5766c..308c31ed647f2c6aebe33ca3a4fa9e1436f461e2

    (From OE-Core rev: 3ece58813faaf4e5f66c7b52f736e84615ccfef6)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-update-nvd2-native: handle missing vulnStatus | Peter Marko | 2025-04-01 | 1 | -1/+1

    There is a new CVE which is missing vulnStatus field:
    https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-2682

    This leads to:
    File: '<snip>/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb', lineno: 336, function: update_db
         0332:
         0333:            accessVector = None
         0334:            vectorString = None
         0335:            cveId = elt['cve']['id']
     *** 0336:            if elt['cve']['vulnStatus'] == "Rejected":
         0337:                c = conn.cursor()
         0338:                c.execute("delete from PRODUCTS where ID = ?;", [cveId])
         0339:                c.execute("delete from NVD where ID = ?;", [cveId])
         0340:                c.close()
    Exception: KeyError: 'vulnStatus'

    (From OE-Core rev: 2f242f2a269bb18aab703f685e27f9c3ba761db8)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to scarthgap head revision (tags: yocto-5.0.8, scarthgap-5.0.8) | Steve Sakoman | 2025-03-10 | 1 | -1/+1

    (From OE-Core rev: cd2b6080a4c0f2ed2c9939ec0b87763aef595048)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: add libpcre2 as RRECOMMENDS if pcre2 is enabled | Alexis Cellier | 2025-03-08 | 1 | -1/+1

    The libpcre2 is now dlopen'ed, so it is not automatically added to the
    RDEPENDS anymore. Add it to the RRECOMMENDS list (and not RDEPENDS as
    systemd tags the library as "suggested").

    This issue is not on master, the systemd v257 recipe uses a tool that
    systemd provides to get this kind of dependency. But this cannot be
    backported to scarthgap as systemd v255 does not have this tool yet.

    Cc: Yoann Congal <yoann.congal@smile.fr>

    (From OE-Core rev: 45fc7048c511c433ecc23840fe6fdd61f6366a47)

    Signed-off-by: Alexis Cellier <alexis.cellier@smile.fr>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: upgrade 2.12.9 -> 2.12.10 | Peter Marko | 2025-02-28 | 1 | -1/+1

    https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.10

    Security
    * [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
    * [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
    * pattern: Fix compilation of explicit child axis

    Regressions
    * parser: Fix detection of duplicate attributes

    Bug fixes
    * xpath: Fix parsing of non-ASCII names

    Portability
    * python: Declare init func with PyMODINIT_FUNC
    * tests: Fix sanitizer version check on old Apple clang

    Build
    * autotools: Set AC_CONFIG_AUX_DIR
    * cmake: Always build Python module as shared library
    * cmake: Fix compatibility in package version file

    (From OE-Core rev: 4540dd4bb71e00b7f8c1a3f5a9e10d482e0b2abd)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* base-files: Drop /bin/sh dependency | Marek Vasut | 2025-02-14 | 1 | -23/+0

    Remove /bin/sh from bash RPROVIDES as this has a side-effect which confuses
    rpm package manager when also busybox provides /bin/sh and base-files
    depend on /bin/sh. The problem is broken down below.

    First, bash depends on base-files and bash pkg_postinst must run after
    base-files was installed, because it requires /etc/shells provided by
    base-files to be in place.

    Second, base-files depends on /bin/sh, which is provided by either bash or
    busybox in this case. This is the actual problem here, if bash is selected
    as /bin/sh provider, then there is cyclic dependency between bash and
    base-files, and that confuses dnf which may install the packages in the
    wrong order, bash first and base-files second.

    To make this worse, if busybox is also /bin/sh provider, it can and does
    happen that some systems pick busybox as the /bin/sh provider, while others
    pick bash as the /bin/sh provider, and that cyclic dependency does not
    always appear.

    Attempt to break this dependency, remove pre-inst script from the base-files
    recipe, which removes its dependency on /bin/sh and allows it to be
    installed very early, and always before bash.

    (From OE-Core rev: e71b64a9b22c7db316e92e78a4bce8b9f994a4ae)

    (From OE-Core rev: 61880aac34ff408a8bc5060c6140bfd086b27524)

    Signed-off-by: Marek Vasut <marex@denx.de>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* glibc: stable 2.39 branch updates | Peter Marko | 2025-02-12 | 2 | -2/+2

    Solves CVE-2025-0395

    git log:
    662516aca8 stdlib: Test using setenv with updated environ [BZ #32588]
    1432850ad8 malloc: obscure calloc use in tst-calloc
    c1f7bfbe08 Hide all malloc functions from compiler [BZ #32366]
    808a84a8b8 Fix underallocation of abort_msg_s struct (CVE-2025-0395)
    994b129a35 x86/string: Fixup alignment of main loop in str{n}cmp-evex [BZ #32212]
    61daaa7639 x86: Improve large memset perf with non-temporal stores [RHEL-29312]
    2c8a7f14fa x86: Avoid integer truncation with large cache sizes (bug 32470)
    2c882bf9c1 math: Exclude internal math symbols for tests [BZ #32414]
    51da74a97e malloc: add indirection for malloc(-like) functions in tests [BZ #32366]
    aa8768999e Pass -nostdlib -nostartfiles together with -r [BZ #31753]
    350db28393 nptl: initialize cpu_id_start prior to rseq registration
    9a0e174a39 nptl: initialize rseq area prior to registration

    test results:
                 Before  After  Diff
    FAIL         208     210    +2
    PASS         4906    4905   -1
    UNSUPPORTED  230     230    0
    XFAIL        16      16     0
    XPASS        4       4      0

    failed test changes:
    - nptl/tst-mutexpi8-static
    - stdlib/tst-qsort4
    + malloc/tst-dynarray-fail-mem
    + malloc/tst-malloc_info
    + malloc/tst-malloc_info-malloc-check
    + malloc/tst-malloc_info-malloc-hugetlb2

    (From OE-Core rev: 54181d6ca63a720dcebb241892e76e9cdd75260c)

    Signed-off-by: Peter Marko <peter.marko@siemens.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: upgrade 255.13 -> 255.17 | Guðni Már Gilbert | 2025-02-03 | 28 | -63/+68

    The update includes 156 commits. Full list of changes can be found on Github [1]

    All patches were refreshed with devtool. One patch had to be manually
    rebased to resolve a merge conflict introduced with 255.14 [2].

    [1] https://github.com/systemd/systemd-stable/compare/v255.13...v255.17
    [2] 0003-src-basic-missing.h-check-for-missing-strndupa.patch

    (From OE-Core rev: 57ca5a2c912fcc4836f263ff2b98c9de2130f324)

    Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to scarthgap head revision (tags: yocto-5.0.7, scarthgap-5.0.7) | Steve Sakoman | 2025-01-26 | 1 | -1/+1

    (From OE-Core rev: 62cb12967391db709315820d48853ffa4c6b4740)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to scarthgap head revision | Steve Sakoman | 2025-01-25 | 1 | -1/+1

    (From OE-Core rev: 3c31639dd53e32e57af64d50ad168f5c3911c299)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: enable create-log-dirs | Changqing Li | 2025-01-18 | 1 | -1/+4

    By default, create-log-dirs is enabled in systemd, and a link
    /var/log/README will be created, pointing to {{DOC_DIR}}/README.logs.
    But for oe there are two problems here: firstly, DOC_DIR is packaged in
    another package systemd-doc, so /var/log/README is a dead link when
    systemd-doc is not installed; secondly, even when systemd-doc is installed,
    when volatile log is used, DOC_DIR is a wrong relative path, refer [1].
    So in commit [2], we disabled create-log-dirs for the above issue.

    With this change, /var/log/journal is not created, and /run/log is used;
    this makes systemd log always non persistent, refer [3][4]. If users need
    persistent log, they need to disable volatile log, and also change
    journald.conf, setting "Storage" to "persistent". This is a behavior
    change. Previously, to make systemd log persistent, users only needed to
    disable volatile log.

    This commit re-enables create-log-dirs to revert the behavior change, and
    since README is not very useful, just remove it.

    [ YOCTO #15678 ]

    [1] https://github.com/systemd/systemd/blob/main/tmpfiles.d/legacy.conf.in#L16
    [2] https://git.openembedded.org/openembedded-core/commit/?id=18d46e11d85da1f6feaba5a135931e43060024d6
    [3] https://github.com/systemd/systemd/blob/main/src/journal/meson.build#L189
    [4] https://www.freedesktop.org/software/systemd/man/journald.conf.html
    [5] https://bugzilla.yoctoproject.org/show_bug.cgi?id=15678

    (From OE-Core rev: 92eea72a25e553c698bee9e3f551a5880bd4631c)

    Signed-off-by: Changqing Li <changqing.li@windriver.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit f82d9c997ba8cc23b472d44a43489c597bf452af)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-update-nvd2-native: Handle BB_NO_NETWORK and missing db    Mark Hatle    2025-01-18    1    -0/+5

    The custom do_fetch routine is ignoring BB_NO_NETWORK; add a check for
    this, as the correct behavior for the user is to set:

    CVE_DB_UPDATE_INTERVAL = "-1"

    If CVE_DB_UPDATE_INTERVAL is set to -1, check that a DB file exists; if
    not, we need to error so the user can deal with this.

    Note, MIRRORs are NOT handled by this code.

    (From OE-Core rev: 062c125f41c3fc3fec0938b24f847ed566357c84)

    Signed-off-by: Mark Hatle <mark.hatle@amd.com>
    Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit 337c0806d2784d74bee8d6420fb8b4d48795d5fa)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    (cherry picked from commit 2bc4623a910dfa3a22cd054ea1e0f2dd59d74eea)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ovmf-native: remove .pyc files from install    Mikko Rapeli    2025-01-09    1    -0/+1

    They break builds which share sstate files on different machines and paths:

    ERROR: ovmf-edk2-stable202408-r0 do_prepare_recipe_sysroot: Error executing a python function in exec_func_python() autogenerated:

    The stack trace of python calls that resulted in this exception/failure was:
    File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
         0001:
     *** 0002:extend_recipe_sysroot(d)
         0003:
    File: '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/meta/classes-global/staging.bbclass', lineno: 624, function: extend_recipe_sysroot
         0620:
         0621:    # Handle deferred binfiles
         0622:    for l in binfiles:
         0623:        (targetdir, dest) = binfiles[l]
     *** 0624:        staging_copyfile(l, targetdir, dest, postinsts, seendirs)
         0625:
         0626:    bb.note("Installed into sysroot: %s" % str(msg_adding))
         0627:    bb.note("Skipping as already exists in sysroot: %s" % str(msg_exists))
         0628:
    File: '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/meta/classes-global/staging.bbclass', lineno: 165, function: staging_copyfile
         0161:                os.symlink(linkto, dest)
         0162:                #bb.warn(c)
         0163:            else:
         0164:                try:
     *** 0165:                    os.link(c, dest)
         0166:                except OSError as err:
         0167:                    if err.errno == errno.EXDEV:
         0168:                        bb.utils.copyfile(c, dest)
         0169:                    else:
    Exception: FileExistsError: [Errno 17] File exists: '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-667282/tmp/sysroots-components/x86_64/ovmf-native/usr/bin/edk2_basetools/BaseTools/Source/Python/AutoGen/__pycache__/WorkspaceAutoGen.cpython-312.pyc' -> '/srv/pokybuild/yocto-worker/oe-selftest-fedora/build/build-st-667282/tmp/work/core2-64-poky-linux/ovmf/edk2-stable202408/recipe-sysroot-native/usr/bin/edk2_basetools/BaseTools/Source/Python/AutoGen/__pycache__/WorkspaceAutoGen.cpython-312.pyc'

    (From OE-Core rev: d89f2533f1b394f443117d6c935ee04a3c6741e7)

    Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    (cherry picked from commit facd9e17fa53e2fb3a828b3f179cfb659be75d37)
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libxml2: Upgrade 2.12.8 -> 2.12.9    Divya Chellam    2025-01-09    1    -1/+1

    Changes between 2.12.8 -> 2.12.9
    ================================
    https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.9

    Security
    * [CVE-2024-40896] Fix XXE protection in downstream code

    Improvements
    * Undeprecate xmlKeepBlanksDefault.

    (From OE-Core rev: 774b10921b1e46d99338bb8c047d7f094d5ce7bd)

    Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* cve-update-nvd2-native: Tweak to work better with NFS DL_DIR    Richard Purdie    2024-12-18    1    -0/+2

    After much debugging, the corruption issues on the autobuilder appear to
    be due to the way sqlite accesses database files. It doesn't change the
    file timestamp after making changes, which, for reasons unknown, confuses
    NFS. As soon as the file is touched, NFS becomes fine again across the
    whole cluster, as if by magic.

    We could try and debug further but putting a "touch" call into the code
    is easy and harmless. Let's hope this removes this annoying source of
    errors.

    (From OE-Core rev: b19b1e905d966443c4e4d17dfaeb299ae2526575)

    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* build-appliance-image: Update to scarthgap head revision [yocto-5.0.6] [scarthgap-5.0.6]    Steve Sakoman    2024-12-13    1    -1/+1

    (From OE-Core rev: 336eec6808710f260a5336ca8ca98139a80ccb14)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd-boot: drop intltool-native from DEPENDS    Guðni Már Gilbert    2024-12-13    1    -1/+1

    intltool was dropped as a dependency in v236.

    See commit for reference:
    https://github.com/systemd/systemd/pull/7313/commits/c81217920effddc93fb780cf8f9eb699d6fe1319

    (From OE-Core rev: fffffc22e9cdfee5afe05baadaae941785f5a18b)

    Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>
* systemd: drop intltool-native from DEPENDS    Guðni Már Gilbert    2024-12-13    1    -1/+1

    intltool was dropped as a dependency in v236.

    See commit for reference:
    https://github.com/systemd/systemd/pull/7313/commits/c81217920effddc93fb780cf8f9eb699d6fe1319

    (From OE-Core rev: 60e6fd2b7e3adfbe4260cd266dbe245c745344a9)

    Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
    Signed-off-by: Steve Sakoman <steve@sakoman.com>