summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
Commit message (Collapse)AuthorAgeFilesLines
...
* gcc: remove paths to sysroot from configargs.h and checksum-options for ↵Oleksandr Hnatiuk2025-03-195-28/+29
| | | | | | | | | | | | | | | | | | | | | | | gcc-cross-canadian Apply fixes from gcc-cross (84a78f46d594 and 0ead8cbdfb96) to gcc-cross-canadian. This will improve (but not fix) reproducibility of gcc-cross-canadian. Also move this code to functions to avoid code duplication. [RP: Tweak patch to make the function parameters clear and fix quoting issues ensuring the code exactly matches the original replacements with an additional parameter.] (From OE-Core rev: 350ff7d53f7506de2bc01f0efc569b8294b9afea) (From OE-Core rev: b1aa13b9f656666458189d4dae0c25564abe2f25) Signed-off-by: Oleksandr Hnatiuk <ohnatiuk@cisco.com> Signed-off-by: Denys Dmytriyenko <denys@konsulko.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f1ad5be4337c5d45c0f1bed48184336e9ab1fad8) Signed-off-by: Sana Kazi <sanakazi720@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ruby: Fix CVE-2025-27219Ashish Sharma2025-03-152-0/+32
| | | | | | | | | Upstream-Status: Backport from [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab] (From OE-Core rev: 7e0a96b5c0b7a5ca593df83861086d0980ea72e9) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2025-0840Deepesh Varatharajan2025-03-082-0/+54
| | | | | | | | | | | | PR32560 stack-buffer-overflow at objdump disassemble_bytes Backport a patch from upstream to fix CVE-2025-0840 Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893] (From OE-Core rev: 338a2a95eb9a99c8e56dfb1f6336497ddd654372) Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* elfutils: Fix multiple CVEsHitendra Prajapati2025-03-054-0/+357
| | | | | | | | | | | | | Backport fixes for: * CVE-2025-1352 - Upstream-Status: Backport from https://sourceware.org/git/?p=elfutils.git;a=commit;h=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753 * CVE-2025-1365 - Upstream-Status: Backport from https://sourceware.org/git/?p=elfutils.git;a=commit;h=5e5c0394d82c53e97750fe7b18023e6f84157b81 * CVE-2025-1372 - Upstream-Status: Backport from https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db (From OE-Core rev: 938676089fb5da383b7daf6c5e6348079ecf5674) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-setuptools-scm: respect GIT_CEILING_DIRECTORIESEtienne Cordonnier2025-02-282-0/+37
| | | | | | | | | | | | | | | | | | | | | | | | | Fixes https://bugzilla.yoctoproject.org/show_bug.cgi?id=15740 python3-setuptools-scm was ignoring GIT_CEILING_DIRECTORIES which is set by poky, and it was thus finding a wrong value of "toplevel" in ./src/setuptools_scm/_file_finders/git.py The code is supposed to generate the list of files contained in python3-setuptools-scm, but it was instead running "git archive" on whatever git repository was above the build directory, because the tarball containing the sources of python3-setuptools-scm does not contain a .git directory. This is barely noticeable when building as a subdirectory of poky which is only 48MB, but this was causing serious slowdowns of python3-setuptools-scm:do_compile when building inside a big git repository with files tracked using git-lfs (50 minutes in my use-case). Reported upstream as https://github.com/pypa/setuptools-scm/issues/1103 (From OE-Core rev: 4ebe72477484cf68165b6f736ce10373e97d0e6d) (From OE-Core rev: 369eebad4f38c3641be73dbc0490c87636e0912d) Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* subversion: ignore CVE-2024-45720Peter Marko2025-02-211-0/+2
| | | | | | | | | | | | | Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45720 This CVE is relevant only for subversion running on Windows. (From OE-Core rev: 6a22c704c5236c7b893135dca53cc5d2b6f78e03) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Reviewed-by: Sofiane Hamam <sofiane.hamam@smile.fr> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: Do not define sched_attr with glibc >= 2.41Khem Raj2025-02-142-0/+48
| | | | | | | | | | | | * backporting, because it's also needed also for qemu-native builds on hosts with glibc >= 2.41 (From OE-Core rev: d34b38ecc2571fae0d58a34db1358dff2505148d) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: upgrade 1.22.11 -> 1.22.12Peter Marko2025-02-147-4/+4
| | | | | | | | | | | | | | | | | | | | | | Upgrade to latest 1.22.x release [1]: $ git --no-pager log --oneline go1.22.11..go1.22.12 5817e65094 (tag: go1.22.12) [release-branch.go1.22] go1.22.12 0cc45e7ca6 [release-branch.go1.22] crypto/internal/fips140/nistec: make p256NegCond constant time on ppc64le c3c6a50095 [release-branch.go1.22] cmd/go/internal/modfetch: do not trust server to send all tags in shallow fetch e0a01acd04 [release-branch.go1.22] cmd/compile: fix write barrier coalescing Fixes CVE-2025-22866 [1] https://github.com/golang/go/compare/go1.22.11...go1.22.12 (From OE-Core rev: 423ad5a67768738dac454b1e2aa27746f74511c5) (From OE-Core rev: 9862cb44ad0f85eebbd9c7f6bcbf22df9cc10d0f) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: upgrade 3.12.8 -> 3.12.9Peter Marko2025-02-148-13/+67
| | | | | | | | | | | | | | | Release notes: https://docs.python.org/release/3.12.9/whatsnew/changelog.html#python-3-12-9 Solves CVE-2025-0938, CVE-2024-12254 and 3 other vulnerabilities without CVE number assigment. Add a patch to fix failure of a new test. (From OE-Core rev: 685b2719ae9b44c238e63942efabe52e5df7d640) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rust: remove redundant cargo config fileHarish Sadineni2025-02-121-14/+0
| | | | | | | | | | | | | YOCTO [#15061] The rust target and linker are getting setting from the sdk environment and so the config file is not needed. The redundant config file geneartion is removed. Backport from oe-core master: https://git.openembedded.org/openembedded-core/commit/?id=d5f78816d2ad0f3e43ce883eef199d1683cfcbb4 (From OE-Core rev: 12fd08cf4009d0284ab951cc48a479dcbc74db42) Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rust: fix for rust multilib sdk configurationHarish Sadineni2025-02-123-9/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | YOCTO [#15061] The rust sdk installs both 'rust.sh' and 'cargo.sh' for lib32 and lib64 in the same location. This causes below error while installing the lib32 & lib64 binaries: Error: Transaction test error: file /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-pokysdk-linux/environment-setup.d/cargo.sh conflicts between attempted installs of rust-cross-canadian-arm-1.67.1-r0.x86_64_nativesdk and rust-cross-canadian-aarch64-1.67.1-r0.x86_64_nativesdk file /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-pokysdk-linux/environment-setup.d/rust.sh conflicts between attempted installs of rust-cross-canadian-arm-1.67.1-r0.x86_64_nativesdk and rust-cross-canadian-aarch64-1.67.1-r0.x86_64_nativesdk ERROR: Task (virtual:multilib:lib32:/media/build/poky/meta/recipes-sato/images/core-image-sato.bb:do_populate_sdk) failed with exit code '1' The change includes: - Prepending '${RUST_TARGET_SYS}' to 'rust.sh' to differentiate between target systems. - Moving the non-target-specific environment variables to 'nativesdk-cargo' and 'nativesdk-rust', instead of being managed by the cross-canadian recipe. Backport from oe-core master: https://git.openembedded.org/openembedded-core/commit/?id=40eb4bfe2f100ba5301046ca25110fcc55a640bb (From OE-Core rev: 889cda30baccd43e5c82b38752b462aef4ce626c) Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* pkg-config-native: pick additional search paths from ↵Alexander Kanavin2025-02-122-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | $EXTRA_NATIVE_PKGCONFIG_PATH This was prompted by working on librsvg update: the new meson-driven version wants to query values from .pc files residing in its own build directory, and modifies PKG_CONFIG_PATH accordingly. When using the pkg-config-native wrapper such modifications have no effect, and we have to pass them in manually from the recipe via EXTRA_NATIVE_PKGCONFIG_PATH variable. This variable is already defined (with an empty value) and appended to PKG_CONFIG_PATH export in the native class, so this simply extends its use to the wrapper. (Appending to PKG_CONFIG_PATH in the wrapper, instead of resetting it, is not an option as that can lead to contamination with the cross values). (From OE-Core rev: 2bc050146d47b14d890a1b0db2b55f9057a08b65) (From OE-Core rev: 104737073bd553b9cf93db7ed9575fd50ba6c973) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Chris Laplante <chris.laplante@agilent.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: File name too long causing failure to open temporary head file in ↵Jiaying Song2025-02-122-0/+209
| | | | | | | | | | | | | | | | | | | | | | | | | dlltool During the execution of the command: i686-w64-mingw32-dlltool --input-def $def_filepath --output-delaylib $filepath --dllname qemu.exe An error occurred: i686-w64-mingw32-dlltool: failed to open temporary head file: ..._w64_mingw32_nativesdk_qemu_8_2_2_build_plugins_libqemu_plugin_api_a_h.s Due to the path length exceeding the Linux system's file name length limit (NAME_MAX=255), the temporary file name generated by the i686-w64-mingw32-dlltool command becomes too long to open. To address this, a new temporary file name prefix is generated using tmp_prefix = prefix_encode ("d", getpid()), ensuring that the file name does not exceed the system's length limit. Allow for "snnnnn.o" suffix when testing against NAME_MAX, and tidy TMP_STUB handling by overwriting a prior nnnnn.o string rather than copying the entire name. (From OE-Core rev: 617df4ee1d6523ded43f156af8206dfca2c0c8ee) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: stable 2.42 branch updateDeepesh Varatharajan2025-02-121-1/+1
| | | | | | | | | | | | | | | Below commits on binutils-2.42 stable branch are updated. 758a2290dbd PR32387 ppc64 TLS optimization bug with -fno-plt code ed489bf1574 s390: Add arch15 Concurrent-Functions Facility insns 64e8e16a906 s390: Add arch15 instruction names Tested on qemux86_64. There were no additional PASS or FAIL after the update (From OE-Core rev: 6ce232df15834cae44f3eda0f786132086afb76e) Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: upgrade 1.22.10 -> 1.22.11Peter Marko2025-02-037-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | Upgrade to latest 1.22.x release [1]: $ git --no-pager log --oneline go1.22.10..go1.22.11 f072884354 (tag: go1.22.11) [release-branch.go1.22] go1.22.11 b72d56f98d [release-branch.go1.22] net/http: persist header stripping across repeated redirects 19d2103415 [release-branch.go1.22] crypto/x509: properly check for IPv6 hosts in URIs ae9996f965 [release-branch.go1.22] runtime: hold traceAcquire across casgstatus in injectglist 223260bc63 [release-branch.go1.22] crypto/tls: fix Config.Time in tests using expired certificates Fixes CVE-2024-45336 and CVE-2024-45341 [1] https://github.com/golang/go/compare/go1.22.10...go1.22.11 (From OE-Core rev: 4589986602319f9ed61e381b333bb53b731eb8d8) (From OE-Core rev: 35bf053cd41d53a764ef3a2de3e7cb1e6c81109f) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: upgrade 1.22.9 -> 1.22.10Peter Marko2025-02-037-4/+4
| | | | | | | | | | | | | | | | | | | | | Upgrade to latest 1.22.x release [1]: $ git --no-pager log --oneline go1.22.9..go1.22.10 8f3f22eef8 (tag: go1.22.10) [release-branch.go1.22] go1.22.10 6d7a95abca [release-branch.go1.22] runtime: reserve 4kB for system stack on windows-386 6f05fa7a4f [release-branch.go1.22] syscall: mark SyscallN as noescape 3355db9690 [release-branch.go1.22] time: accept "+01" in TestLoadFixed on OpenBSD [1] https://github.com/golang/go/compare/go1.22.9...go1.22.10 (From OE-Core rev: e357c93b39df938dc36195dbd779a58b2951b8e6) (From OE-Core rev: 4d35279eed634f5e2b25c23dddbfb213c4943c30) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* go: upgrade 1.22.8 -> 1.22.9Peter Marko2025-02-037-4/+4
| | | | | | | | | | | | | | | | | | | | Upgrade to latest 1.22.x release [1]: $ git --no-pager log --oneline go1.22.8..go1.22.9 8af39d30a4 (tag: go1.22.9) [release-branch.go1.22] go1.22.9 c19e5887f4 [release-branch.go1.22] cmd/cgo/internal/testcarchive: remove 1-minute timeout e3fd4ba7f9 [release-branch.go1.22] cmd/link: generate Mach-O UUID when -B flag is specified 29252e4c5a [release-branch.go1.22] runtime: fix TestGdbAutotmpTypes on gdb version 15 [1] https://github.com/golang/go/compare/go1.22.8...go1.22.9 (From OE-Core rev: 4f2f202506bcefb4d6c46a11738e159e261a4a4b) (From OE-Core rev: a424422df978e267f21938bb290f35035e658d0a) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rust: correctly link rust-snapshot into build/stage0Alexander Kanavin2025-01-263-42/+2
| | | | | | | | | | | | | | | | | | | | This does not seem to be used in regular builds, but is beneficial in rust selftest, where it allows dropping a custom patch that is unsuitable for upstream (and was rejected by them). Also remove an obsolete comment that seems related to the code but describes something that was resolved long time ago. I have confirmed that the rust selftest continues to pass with just this one commit on top of master (as the following changes do break the selftest). (From OE-Core rev: 9b23f995fbc1886c36f02b0c6e1ccaf2ee0f6daa) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit bf5732e2b235ce06fa1f24fe8f0dbcbc068500e3) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rust: use rust-snapshot binaries only in rust-nativeAlexander Kanavin2025-01-261-2/+12
| | | | | | | | | | | | | | | | | | | | | | Otherwise, use rust-native and cargo-native binaries as that allows our native tweaks in them to be used for target/nativesdk rust - same as for everything else written in rust. In particular, this allows building target rust with cargo-native that includes important reproducibility tweaks. Unfortunately, this also breaks rust selftest, and that is partially addressed by the following commit. [YOCTO #15185] (From OE-Core rev: d592bc02b0846411796c1d481c09833559d1d29f) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 8f2230cb51fe22ef4711a56fecfab4858c04e35b) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rust: build the default set of toolsAlexander Kanavin2025-01-261-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | Setting it explicitly replaces rust's default choice which is rustdoc (needed for example in selftests and otherwise expected to be present in typical rust installations): https://github.com/rust-lang/rust/blob/master/config.example.toml#L320 This addresses some of the rust selftest failures but not all. Help is appreciate to restore the selftest. Unfortunately, this also breaks rust reproducibility (or rather exposes that it was never properly fixed, as explained here: https://lists.openembedded.org/g/openembedded-core/message/199288 ) (From OE-Core rev: 4d739fe248d1023eb2c3c040fc4d33273dd16bc1) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 58eaf2ee6c0809bf0a0d3c1d177e62bda7241651) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Revert "rust: Add new varaible RUST_ENABLE_EXTRA_TOOLS"Steve Sakoman2025-01-261-5/+1
| | | | | | This reverts commit 136a25567499191b23a4d000a06bf83a473224ca. Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rsync: fix CVE-2024-12747Archana Polampalli2025-01-252-0/+193
| | | | | | | | | | | | | | A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation. (From OE-Core rev: e85beb88add5e94567d7221e00cabfb3d5010be7) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rsync: fix CVE-2024-12088Archana Polampalli2025-01-252-0/+142
| | | | | | | | | | | | A flaw was found in rsync. When using the `--safe-links` option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory. (From OE-Core rev: dad4a83c011310872cce07fc4141e66a98439cb1) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rsync: fix CVE-2024-12087Archana Polampalli2025-01-254-0/+123
| | | | | | | | | | | | | | | | A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client. (From OE-Core rev: c34cbef572e18c60bb7600fda370d6c46688c7b3) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rsync: fix CVE-2024-12086Archana Polampalli2025-01-255-0/+303
| | | | | | | | | | | | | | | A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client. (From OE-Core rev: 19f4e7bd965c63f19cc756e6e2bf8f58d9e1dc8d) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rsync: fix CVE-2024-12085Archana Polampalli2025-01-252-0/+33
| | | | | | | | | | | | A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time. (From OE-Core rev: fb8439e856d5ea10d12180020a14442c3b101e56) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rsync: fix CVE-2024-12084Archana Polampalli2025-01-253-0/+201
| | | | | | | | | | | | A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer. (From OE-Core rev: ad0e13912b17ca19ffbd7ea6a366f7c968517fb2) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* libgfortran: fix buildpath QA issueChen Qi2025-01-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The '-fdebug-prefix-map' options are used to map source files locations, otherwise, DW_AT_comp_dir will contain buildpath. The '-gno-record-gcc-switches' option is used to fix the buildpath introduced by '-fintrinsic-modules-path' option, which is automatically added by fortran. Here's some output from 'readelf --debug-dump libgfortran.so.5.0.0' when this option is not added: """ <0><1a37d3>: Abbrev Number: 4 (DW_TAG_compile_unit) <1a37d4> DW_AT_producer : (indirect string, offset: 0xd653): GNU Fortran2008 14.2.0 -m64 -march=core2 -mtune=core2 -msse3 -mfpmath=sse -mshstk -g -O2 -O2 -fstack-protector-strong -fimplicit-none -fno-repack-arrays -fno-underscoring -fcf-protection=full -fallow-leading-underscore -fbuilding-libgfortran -fPIC -fintrinsic-modules-path /ala-lpggp72/qichen/Yocto/builds/build-poky/tmp/work/ core2-64-poky-linux/libgfortran/14.2.0/recipe-sysroot-native/usr/bin/x86_64-poky-linux /../../lib/x86_64-poky-linux/gcc/x86_64-poky-linux/14.2.0/finclude -fpre-include=../../../../recipe-sysroot/usr/include/finclude/math-vector-fortran.h """ See https://gcc.gnu.org/pipermail/fortran/2024-October/061204.html for more detailed information. (From OE-Core rev: 660e00469f9c99fe733cc8b37f67438a96ff2e97) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* classes/qemu: use tune to select QEMU_EXTRAOPTIONS, not package architectureRoss Burton2025-01-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | Using the package architecture to select the right qemu options to pass to qemu-user is incorrect, and fails for recipes that set PACKAGE_ARCH to MACHINE_ARCH (as the qemuppc workarounds suggest) because there are not typically any options set for the machine name. Solve this by using TUNE_PKGARCH instead: for the majority of recipes this is the same value, but for machine-specific recipes it remains the same instead of changing to the machine name. This means we can remove the qemuppc workarounds, as they're obsolete. Also update the gcc-testsuite recipe which uses the same pattern to use TUNE_PKGARCH, and generalise the else codepath to avoid needing to update the list of architectures. [ YOCTO #15647 ] (From OE-Core rev: 972ca555ff3aa41d32980477850c92915b6395ed) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 414b754a6cbb9cc354b1180efd5c3329568a2537) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-requests: upgrade 2.32.0 -> 2.32.3Soumya Sambu2025-01-091-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog: https://requests.readthedocs.io/en/latest/community/updates/#release-history 2.32.3 (2024-05-29) * Bugfixes - Fixed bug breaking the ability to specify custom SSLContexts in sub-classes of HTTPAdapter. (#6716) * Fixed issue where Requests started failing to run on Python versions compiled without the ssl module. (#6724) 2.32.2 (2024-05-21) * Deprecations - To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we’ve renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0. * A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710) 2.32.1 (2024-05-20) * Bugfixes - Add missing test certs to the sdist distributed on PyPI. https://github.com/psf/requests/compare/v2.32.0...v2.32.3 Also transition to using python_setuptools_build_meta. (From OE-Core rev: e1787271b07c605df2843d82d65e1c3d2e2114e6) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: upgrade 3.12.7 -> 3.12.8Guðni Már Gilbert2025-01-0923-53/+53
| | | | | | | | | | Changelog: https://docs.python.org/release/3.12.8/whatsnew/changelog.html#python-3-12-8 (From OE-Core rev: db5081254adacf6c87269fd43af7199267ad535c) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: upgrade 3.12.6 -> 3.12.7Guðni Már Gilbert2025-01-0923-87/+65
| | | | | | | | | | Changelog: https://docs.python.org/release/3.12.7/whatsnew/changelog.html#python-3-12-7 (From OE-Core rev: 197048667f69ed559baf54831eb7b1606320f3e8) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* rust: add reproducibility patch to eliminate host leakageAlexander Kanavin2024-12-232-0/+52
| | | | | | | | | | | | [YOCTO #15185] (From OE-Core rev: 01423828248b75e1f5afe2e5959ccd971df875cd) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 924df18b47e9a69fa295bafe37bdb39d8eaea2bb) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: add dependency on -compression to -coreRoss Burton2024-12-231-1/+1
| | | | | | | | | | | | | | | | importlib.metadata is part of -core, but that will import zipfile which is part of -compression. Obviously this shows that our packaging of the Python modules is not optimal. I plan to follow up with a redesign of the splitting which focuses on simply pulling out the larger or esoteric modules and having a more featureful core. (From OE-Core rev: 05166eafb99cf8c7adb6879277069ab384a2f8df) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3: Drop empty patchKhem Raj2024-12-232-27/+0
| | | | | | | | | | | The fix brought by this patch is already part of python 3.12.3 therefore drop it. (From OE-Core rev: 555623d2378138fdcfae95c04e06ba384cebab5b) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: Fix c++: tweak for Wrange-loop-constructSunil Dora2024-12-232-0/+114
| | | | | | | | | | | | | | | | | | | | This commit updates the warning to use a check for "trivially constructible" instead of "trivially copyable." The original check was incorrect, as "trivially copyable" only applies to types that can be copied trivially, whereas "trivially constructible" is the correct check for types that can be trivially default-constructed. This change ensures the warning is more accurate and aligns with the proper type traits. LLVM accepted a similar fix: https://github.com/llvm/llvm-project/issues/47355 PR c++/116731 [https://gcc.gnu.org/bugzilla/show_bug.cgi?id=116731] (From OE-Core rev: 614a8e3a06003dfcbf1f32dc2d6f4d18f74b71a4) Signed-off-by: Marek Polacek <polacek@redhat.com> Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* subversion: fix CVE-2024-46901Jiaying Song2024-12-232-1/+163
| | | | | | | | | | | | | | | | | | | | | | Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, leading to disruption for users of the repository. All versions of Subversion up to and including Subversion 1.14.4 are affected if serving repositories via mod_dav_svn. Users are recommended to upgrade to version 1.14.5, which fixes this issue. Repositories served via other access methods are not affected. References: https://nvd.nist.gov/vuln/detail/CVE-2024-46901 Upstream patches: https://subversion.apache.org/security/CVE-2024-46901-advisory.txt (From OE-Core rev: 16c212bd9a9e9c35256ff308da72a518c76ce11d) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* binutils: Fix CVE-2024-53589Yash Shinde2024-12-232-0/+93
| | | | | | | | | | | | | | | | A buffer overflow vulnerability exists in GNU Binutils’ objdump utility when processing tekhex format files. The vulnerability occurs in the Binary File Descriptor (BFD) library’s tekhex parser during format identification. Specifically, the issue manifests when attempting to read 8 bytes at an address that precedes the global variable ‘_bfd_std_section’, resulting in an out-of-bounds read. Backport a patch from upstream to fix CVE-2024-53589. Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e0323071916878e0634a6e24d8250e4faff67e88] (From OE-Core rev: 15635eb807ea1cbf0fd04e0cbe9cf169df107a05) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* dnf: drop python3-iniparse from DEPENDS and RDEPENDSGuðni Már Gilbert2024-12-131-2/+1
| | | | | | | | | | | | | | | python3-iniparse dependency was dropped 2019, see the following commit as reference: https://github.com/rpm-software-management/dnf/pull/1329/commits/d7d0e0e2f9d8c7d021c794821ad0b56a39ebc01f When looking at the Git history, this happened around tag 4.2.1 (From OE-Core rev: 3273ace1e5e4b0573ceaa44f2710f651db9ae525) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-poetry-core: drop python3-six from RDEPENDSGuðni Már Gilbert2024-12-131-1/+0
| | | | | | | | | | | | | | | | Looking at the history, python3-six was removed as a dependency in the poetry.lock file in v1.5.2 Even before v1.5.2 and until now (v1.9.1) there is no code in the package which imports the six module. So it can be safely dropped from the recipe. (From OE-Core rev: 09378088bba46b6e505f69381496da0ecd0ecf2c) Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: set CVE-2024-6505 to fixedPeter Marko2024-12-131-0/+3
| | | | | | | | | | | | | | | | | CVE patch was removed on last upgrade as fixing commit was backported to stable 8.2.x branch. NVD DB has this CVE as version-less (with "-"). So explicit status set is needed to mark it as fixed. (From OE-Core rev: 64359ec3b60ae68d39c2e6444f903fd20e397cff) (From OE-Core rev: 33050bf82add43409675122a8f29acbcda4e8439) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* ninja: fix build with python 3.13Markus Volk2024-12-062-1/+66
| | | | | | | | | | | python 3.13 removed the pipes module. Thus build fails for host machines that run python 3.13 This commit adds a backport patch to use subprocess module instead (From OE-Core rev: f357486da3374f7b49d6956260b5b3200f562e02) Signed-off-by: Markus Volk <f_l_k@t-online.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* gcc: add a backport patch to fix an issue with tzdata 2024bMarkus Volk2024-12-062-0/+550
| | | | | | | | | | | | | There is an issue in the std::chrono::tzdb parser that causes problems since the tzdata-2024b release started using %z in the main format. As a real world problem I encounter an issue with the waybar clock module, which ignores the timezone setting and only shows system time. (From OE-Core rev: 05d05d9c199de6ec81d2ee9b06f0bff84a9144be) Signed-off-by: Markus Volk <f_l_k@t-online.de> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* qemu: upgrade 8.2.3 -> 8.2.7Yogita Urade2024-12-0616-2550/+1
| | | | | | | | | | | | | | | | | This includes fix for: CVE-2024-4693, CVE-2024-6505 and CVE-2024-7730 General changelog for 8.2: https://wiki.qemu.org/ChangeLog/8.2 Droped: 0001-target-riscv-kvm-change-KVM_REG_RISCV_FP_F-to-u32.patch 0002-target-riscv-kvm-change-KVM_REG_RISCV_FP_D-to-u64.patch 0003-target-riscv-kvm-change-timer-regs-size-to-u64.patch CVE-2024-4467 and CVE-2024-7409 since already contained the fix. (From OE-Core rev: 7983ad282c37f8c1125da5bab96489e5d0039948) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-requests: upgrade 2.32.1 -> 2.32.2Soumya Sambu2024-12-061-1/+1
| | | | | | | | | | | | | | | | | | | | | | https://requests.readthedocs.io/en/latest/community/updates/#id2 2.32.2 (2024-05-21) * Deprecations - To provide a more stable migration for custom HTTPAdapters impacted by the CVE changes in 2.32.0, we’ve renamed _get_connection to a new public API, get_connection_with_tls_context. Existing custom HTTPAdapters will need to migrate their code to use this new API. get_connection is considered deprecated in all versions of Requests>=2.32.0. * A minimal (2-line) example has been provided in the linked PR to ease migration, but we strongly urge users to evaluate if their custom adapter is subject to the same issue described in CVE-2024-35195. (#6710) https://github.com/psf/requests/compare/v2.32.1...v2.32.2 (From OE-Core rev: 5b420f3526729809f11b187f48469a7a86d6a93a) Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-urllib3: upgrade 2.2.1 -> 2.2.2Trevor Gamblin2024-12-061-1/+1
| | | | | | | | | | | | (From OE-Core rev: 32fdd5673c25084af4ba295b271455cd92ca09d5) (From OE-Core rev: ee42ec7146a7c3ceb25c1e0f5afee93849cf9143) Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* python3-zipp: fix CVE-2024-5569Jiaying Song2024-12-062-0/+139
| | | | | | | | | | | | | | | | | | | | | | | | | | | | A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp. References: https://nvd.nist.gov/vuln/detail/CVE-2024-5569 Upstream patches: https://github.com/jaraco/zipp/pull/120/commits/79a309fe54dc6b7934fb72e9f31bcb58f2e9f547 https://github.com/jaraco/zipp/pull/120/commits/564fcc10cdbfdaecdb33688e149827465931c9e0 https://github.com/jaraco/zipp/pull/120/commits/58115d2be968644ce71ce6bcc9b79826c82a1806 https://github.com/jaraco/zipp/pull/120/commits/c18417ed2953e181728a7dac07bff88a2190abf7 (From OE-Core rev: ec77cfe12f0790c7e3cf2d9bf00e47b4c653997c) Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
* llvm: reduce size of -dbg packageSteve Sakoman2024-11-261-0/+2
| | | | | | | | | | | | | | | | | Unless DEBUG_BUILD is enabled, pass -g1 to massively reduce the size of the debug symbols Level 1 produces minimal information, enough for making backtraces in parts of the program that you don't plan to debug. This includes descriptions of functions and external variables, and line number tables, but no information about local variables. This makes the sstate objects a lot more manageable, and packaging faster. (From OE-Core rev: dac630ab5ee7aa6c5c7c294093adbd11b116c765) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* tcl: skip io-13.6 test caseRoss Burton2024-11-261-0/+2
| | | | | | | | | | | | | | | | | | | | | ---- Result was: {abcdefghj 01234} 0 ---- Result should have been (exact matching): {abcdefghj } 1 01234 0 ==== io-13.6 FAILED This test is documented as failing on slow machines, so just skip it. [ YOCTO #15407 ] (From OE-Core rev: 2a44845ab1ca7d10e64d09fd5feb5becfc16aabe) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f69183586655294c9aed6687cebe57767c2f3eb8) Signed-off-by: Steve Sakoman <steve@sakoman.com>
* strace: download release tarballs from GitHubRoss Burton2024-11-261-2/+2
| | | | | | | | | | | | | Switch to downloading the release tarballs from GitHub. Their CDN is rock solid, and strace.io is hosted inside Russia which some networks are blocking. (From OE-Core rev: 0ed862a612af7a6389e68cdcb2e94bd005bf64c2) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit bbdbd6d943a64e5b0dae4c2ee705d017fb7ef80e) Signed-off-by: Steve Sakoman <steve@sakoman.com>