Pick patch mentioned in NVD links for this CVE.
Tested by runniing ptest and CVE reproducer (before&after).
Ptest fails on test dist/threads/t/join, however the same test also
fails without this patch.
(From OE-Core rev: 8e3c821e9ce8f3a9667847a284bc5a6f4973ea13)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upstream Repository: https://gitlab.com/qemu-project/qemu.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1386
Type: Security Advisory
CVE: CVE-2023-1386
Score: 3.3
Analysis:
- According to redhat[1] this CVE has closed as not a bug.
Reference:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2223985
(From OE-Core rev: 6a5d9e3821246c39ec57fa483802e1bb74fca724)
(From OE-Core rev: f7c8877395d4ec0a91cd5cf54e6c2858495746fb)
Signed-off-by: Madhu Marri <madmarri@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(Converted to old CVE_CHECK_IGNORE syntax)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
can be NULL or an empty string when the TC (Truncated) bit is set in
a DNS response. This allows attackers to cause a denial of service
(application crash) or possibly execute arbitrary code, because those
lookup values lead to incorrect length calculations and incorrect
memcpy operations.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32743
Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f
(From OE-Core rev: ece0fb01bf28fa114f0a6e479491b4b6f565c80c)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE only impacts codepaths relevant for Windows builds.
Se [1] from Debian which marks it as not applicable.
[1] https://security-tracker.debian.org/tracker/CVE-2025-27837
(From OE-Core rev: fb5dc4a476bc4054493d6a7eb64a423e3665afb9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
After introducing the DISTRO_LATEST_TAG and DISTRO_REL_LATEST_TAG
macros, use them in links that currently use DISTRO/DISTRO_REL_TAG. When
building for the tip of a branch, this will replace the current A.B.999
in links to the latest existing tag.
The links were found across the documentation by running 'grep -r
"http.*5\.2\.999"' inside the _build/html output after building the
docs.
[YOCTO #14802]
(From yocto-docs rev: 0d51e553d5f83eea6634e03ddc9c7740bf72fcea)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 29be069ebbf2c55d72fc51d99ed5a558af37c05e)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Introduce the DISTRO_LATEST_TAG macro, which should always point to the
latest existing tag in the documentation, unlike DISTRO which may point
to A.B.999 to represent the tip of a branch.
This variable is needed to fix dead links in the documentation that
currently use the DISTRO macro.
Also, make DISTRO_REL_TAG use the DISTRO macro directly, to avoid
repetition, and add a DISTRO_REL_LATEST_TAG macro that has the same role
as DISTRO_LATEST_TAG but with "yocto-" prepended to it.
In set_versions.py, run the "git describe --abbrev=0 --tags
--match='yocto-*'" command to get the latest existing tag on the
currently checked out commit. Fallback to ourversion in case we didn't
find any.
(From yocto-docs rev: 9fabb08405601646fd9b00326442e03d43f68804)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a85b0e500c94921f77fa7b7dbb877e4945f96d1e)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The word "modern" appears twice, remove the extra one.
(From yocto-docs rev: db02bc7eb59feaece5d2a07b3586fd41c7a73a1e)
Signed-off-by: Andrew Kreimer <algonell@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Document the AUTOTOOLS_SCRIPT_PATH and the CONFIGURE_SCRIPT variables.
(From yocto-docs rev: f7721ff5312b1ebf87dd374db22b254913879ff0)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This reverts commit 7adaec468d.
It does not seem to fix the issue it was supposed to fix.
Additionally it breaks code which decides in full/partial update,
because it manipulates timestamp that code is relying on.
(From OE-Core rev: 25ba9895b98715adb66a06e50f644aea2e2c9eb6)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ebc65fdddd7ce51f0f1008baa30d0ae7918ae0bb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A LogNamespace error for systemd v250:
"""
Apr 28 17:44:00 a-rinline2b systemd[467]:
systemd-journald@tester.service: Failed to set up special execution
directory in /var/log: Not a directory
Apr 28 17:44:00 a-rinline2b systemd[467]:
systemd-journald@tester.service: Failed at step LOGS_DIRECTORY spawning
/lib/systemd/systemd-journald: Not a directory
"""
That's because that "/var/log/journal" couldn't be created during
program runtime.
(From OE-Core rev: 8eb185024f9a9e57a9b710c70f09552729558892)
Signed-off-by: Haitao Liu <haitao.liu@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport a patch to fix systemd journal issue about
sd_journal_next not behaving correctly after sd_journal_seek_tail.
(From OE-Core rev: ea59aed1ff7dbfb28d1e2cd55adca80dad2502e2)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1
allows for remote code execution via its download functions. These functions, which
are used to download packages from URLs provided by users or retrieved from package
index servers, are susceptible to code injection. If these functions are exposed to
user-controlled inputs, such as package URLs, they can execute arbitrary commands on
the system. The issue is fixed in version 70.0.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6345https://ubuntu.com/security/CVE-2024-6345
Upstream patch:
88807c7062
(From OE-Core rev: 238c305ba2c513a070818de4b6ad4316b54050a7)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Prevent an abort in the bfd linker when attempting to
generate dynamic relocs for a corrupt input file.
PR 32638
Backport a patch from upstream to fix CVE-2025-1178
Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0]
(From OE-Core rev: e820e5364c4b3ec52796a77842b480fea8bc7967)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit from 2.13 branch as 2.9 branch is unmaintained now.
(From OE-Core rev: 7777cd6b28988a0981b990d9da9d448dcdfe7b8b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit from 2.12 branch as 2.9 branch is unmaintained now.
(From OE-Core rev: fbd708438aba0381a6c4f3d6cfbbd743f89a4f97)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix for this CVE [1] is patchong code introduced by [2] in v3.7.5.
So v3.6.2 is not affected yet and the CVE can be safely ignored.
Also Debian tracker [3] contains this statement.
[1] 565b5aea49
[2] 2d8a5760c5
[3] https://security-tracker.debian.org/tracker/CVE-2024-48615
(From OE-Core rev: 60390a3a28242efba32360426b0a3be6af5fb54b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch to remove vulnerable component.
This is a breaking change, but there will be no other fix for this CVE
as upstream did the deletion without providing a fix first.
If someone really needs this feature, which the commit message describes
as deprecated, bbappend with patch removal is possible.
License-Update: passprompt plugin removed
(From OE-Core rev: d04a2b5f4899845429e1c5893535f5df1221fcbf)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Initially, PAM community fixed CVE-2024-10041 in the version v1.6.0 via commit b3020da.
But not all cases were covered with this fix and issues were reported after the release.
In the v1.6.1 release, PAM community fixed these issues via commit b7b9636.
Backport this commit b7b9636, which
Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Backport from b7b9636208
(From OE-Core rev: 71035c8c5907f7103ce40b92490a10bd3dde7226)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS
vulnerability when it parses an XML that has many deep elements that have
same local name attributes. If you need to parse untrusted XMLs with tree
parser API like REXML::Document.new, you may be impacted to this vulnerability.
If you use other parser APIs such as stream parser API and SAX2 parser API,
this vulnerability is not affected. The REXML gem 3.3.6 or later include the
patch to fix the vulnerability.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-43398
Upstream-patch:
7cb5eaeb22
(From OE-Core rev: f23d1bfca0ea57150c397bc2e495191fb61423d0)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upgrade from 250.5 to 250.14 removed patches for these CVEs because they
were interated in the new version.
However NVD DB does not contain information about these backports to
v250 branch, so they need to be ignored.
(From OE-Core rev: b86129da823c55a3e08ee72c99675301948949f8)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
NVD responses changed to an invalid json between:
* April 5, 2025 at 3:03:44 AM GMT+2
* April 5, 2025 at 4:19:48 AM GMT+2
The last response is since then in format
{
"resultsPerPage": 625,
"startIndex": 288000,
"totalResults": 288625,
"format": "NVD_CVE",
"version": "2.0",
"timestamp": "2025-04-07T07:17:17.534",
"vulnerabilities": [
{...},
...
{...},
]
}
Json does not allow trailing , in responses, that is json5 format.
So cve-update-nvd2-native do_Fetch task fails with log backtrace ending:
...
File: '/builds/ccp/meta-siemens/projects/ccp/../../poky/meta/recipes-core/meta/cve-update-nvd2-native.bb', lineno: 234, function: update_db_file
0230: if raw_data is None:
0231: # We haven't managed to download data
0232: return False
0233:
*** 0234: data = json.loads(raw_data)
0235:
0236: index = data["startIndex"]
0237: total = data["totalResults"]
0238: per_page = data["resultsPerPage"]
...
File: '/usr/lib/python3.11/json/decoder.py', lineno: 355, function: raw_decode
0351: """
0352: try:
0353: obj, end = self.scan_once(s, idx)
0354: except StopIteration as err:
*** 0355: raise JSONDecodeError("Expecting value", s, err.value) from None
0356: return obj, end
Exception: json.decoder.JSONDecodeError: Expecting value: line 1 column 1442633 (char 1442632)
...
There was no announcement about json format of API v2.0 by nvd.
Also this happens only if whole database is queried (database update is
fine, even when multiple pages as queried).
And lastly it's only the cve list, all other lists inside are fine.
So this looks like a bug in NVD 2.0 introduced with some update.
Patch this with simple character deletion for now and let's monitor the
situation and possibly switch to json5 in the future.
Note that there is no native json5 support in python, we'd have to use
one of external libraries for it.
(From OE-Core rev: cee817c0c3653cc96833815bfe2c87d2d85cc19e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6e526327f5c9e739ac7981e4a43a4ce53a908945)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update SRC_URI for mesa.
The the tarball of mesa has been changed
from:
https://mesa.freedesktop.org/archive/
to:
https://archive.mesa3d.org/
(From OE-Core rev: 6397cd1ad55927c312051cbd42d5825fa8ed969b)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: eb89509bfb976cfb62369b05f55534615afaf886)
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
From [1]:
An out of bounds write exists in FreeType versions 2.13.0 and below
(newer versions of FreeType are not vulnerable) when attempting to
parse font subglyph structures related to TrueType GX and variable font
files. The vulnerable code assigns a signed short value to an unsigned
long and then adds a static value causing it to wrap around and
allocate too small of a heap buffer. The code then writes up to 6
signed long integers out of bounds relative to this buffer. This may
result in arbitrary code execution. This vulnerability may have been
exploited in the wild.
Per [2] patches [3] and [4] are needed.
Unfortunately, the code changed since 2.11.1 and it's not possible to do
backport without significant changes. Since Debian and Ubuntu have
already patched this CVE, take the patch from them - [5]/[6].
The patch is a combination of patch originally proposed in [7] and
follow-up patch [4].
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-27363
[2] https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322
[3] ef63669652
[4] 73720c7c99
[5] https://git.launchpad.net/ubuntu/+source/freetype/commit/?h=applied/ubuntu/jammy-devel&id=fc406fb02653852dfa5979672e3d8d56ed329186
[6] 13295227b5
[7] https://www.openwall.com/lists/oss-security/2025/03/14/3
(From OE-Core rev: 5a8d4c7a9a0e099da0294141cf5590b55f0503cd)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix for this CVE was backported to 5.34.2 in
12c313ce49
This commit is listed in
https://security-tracker.debian.org/tracker/CVE-2023-47038
(From OE-Core rev: 46fd9acd6b0e418009f4cec747ae82af60acbc6b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As already mentioned in [1] when backporting commit including fix for
this CVE, this vulnerability applies only from libarchive 3.7.0 commit
[2] which introduced bsdunzip which contains this vulnerability.
[1] https://git.openembedded.org/openembedded-core/commit/?h=kirkstone&id=ec837d3b21b4f8b98abac53e2833f1490ba6bf1e
[2] c157e4ce8e
(From OE-Core rev: bf7654877ba99f0b18a1cf6f83032af5ecabd01f)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Directory traversal vulnerability in the do_extract_currentfile
function in miniunz.c in miniunzip in minizip before 1.1-5 might
allow remote attackers to write to arbitrary files via a crafted
entry in a ZIP archive.
Reference:
https://security-tracker.debian.org/tracker/CVE-2014-9485
Upstream-patch:
14a5f8f266
(From OE-Core rev: 32c4b28fc06e39ab8ef86aebc5e1e1ae19934495)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There is a new CVE which is missing vulnStatus field:
https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-2682
This leads to:
File: '<snip>/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb', lineno: 336, function: update_db
0332:
0333: accessVector = None
0334: vectorString = None
0335: cveId = elt['cve']['id']
*** 0336: if elt['cve']['vulnStatus'] == "Rejected":
0337: c = conn.cursor()
0338: c.execute("delete from PRODUCTS where ID = ?;", [cveId])
0339: c.execute("delete from NVD where ID = ?;", [cveId])
0340: c.close()
Exception: KeyError: 'vulnStatus'
(From OE-Core rev: 453c5c8d9031be2b3a25e2a04e0f5f6325ef7298)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
