Issue is seen with nodejs ending with Illegal instruction on OE
Its also in QT5base and perhaps many other packages using 64bit
atomics.
Thanks to jeroen (oe IRC) to report and help reduce the problem.
(From OE-Core rev: bd62158946e214076686e0709d24771acb60665f)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Below commits on glibc-2.41 stable branch are updated.
5cb575ca9a elf: tst-audit10: split AVX512F code into dedicated functions [BZ #32882]
046b33800c x86: Detect Intel Diamond Rapids
a53e764657 x86: Handle unknown Intel processor with default tuning
aca31d2712 x86: Add ARL/PTL/CWF model detection support
f68b407d4b x86: Optimize xstate size calculation
d6d56af6e7 elf: Fix arm-linux-gnueabihf build break from b861755a84
b861755a84 elf: Extend glibc.rtld.execstack tunable to force executable stack (BZ 32653)
200d20123c x86: Link tst-gnu2-tls2-x86-noxsave{,c,xsavec} with libpthread
80cd656649 x86: Use separate variable for TLSDESC XSAVE/XSAVEC state size (bug 32810)
a282e2c0ae x86: Skip XSAVE state size reset if ISA level requires XSAVE
bcd4cf9d5f x86_64: Add atanh with FMA
7e72fa7577 x86_64: Add sinh with FMA
6a3a4a5e58 x86_64: Add tanh with FMA
ce9b765522 nptl: Check if thread is already terminated in sigcancel_handler (BZ 32782)
98c712855d nptl: PTHREAD_COND_INITIALIZER compatibility with pre-2.41 versions (bug 32786)
e22c132484 nptl: clear the whole rseq area before registration
33bfd9020f Linux: Remove attribute access from sched_getattr (bug 32781)
66fc3bd758 math: Remove an extra semicolon in math function declarations
1a3083b999 posix: Move environ helper variables next to environ definition (bug 32541)
91f8cff2c4 configure: Fix spelling of -Wl,--no-error-execstack option
fd202462c5 elf: Check if __attribute__ ((aligned (65536))) is supported
746ef8e939 static-pie: Skip the empty PT_LOAD segment at offset 0 [BZ #32763]
56609f8df1 Pass -Wl,--no-error-execstack for tests where -Wl,-z,execstack is used [PR32717]
89be78704e AArch64: Use prefer_sve_ifuncs for SVE memset
c47c3890f1 AArch64: Add SVE memset
e0bc5f64ea math: Improve layout of exp/exp10 data
009c5a2dca aarch64: Add GCS test with signal handler
8d98ee8d70 aarch64: Add GCS tests for dlopen
61ba3cdfa9 aarch64: Add GCS tests for transitive dependencies
fda5730898 aarch64: Add tests for Guarded Control Stack
6d1f97bb06 aarch64: Add configure checks for GCS support
7774a9d07a AArch64: Improve codegen for SVE powf
2025e27a81 AArch64: Improve codegen for SVE pow
f3d9c116cb AArch64: Improve codegen for SVE erfcf
94859e8680 Aarch64: Improve codegen in SVE exp and users, and update expf_inline
7c9a086807 Aarch64: Improve codegen in SVE asinh
30992cb5e9 RISC-V: Fix IFUNC resolver cannot access gp pointer
07288c7445 math: Add optimization barrier to ensure a1 + u.d is not reused [BZ #30664]
2cb04444b9 math: Fix `unknown type name '__float128'` for clang 3.4 to 3.8.1 (bug 32694)
a900dbaf70 x86 (__HAVE_FLOAT128): Defined to 0 for Intel SYCL compiler [BZ #32723]
1e0e33e1b1 Fix tst-aarch64-pkey to handle ENOSPC as not supported
69fda28279 assert: Add test for CVE-2025-0395
cf88351b68 math: Fix tanf for some inputs (BZ 32630)
cb7f206537 nptl: Correct stack size attribute when stack grows up [BZ #32574]
d85a771953 math: Fix sinhf for some inputs (BZ 32627)
bdccbfbc52 math: Fix log10p1f internal table value (BZ 32626)
Testresults:
Before update |After update |Difference
PASS: 5816 |PASS: 5826 |PASS: +10
FAIL: 239 |FAIL: 239 |FAIL: 0
XPASS: 4 |XPASS: 4 |XPASS: 0
XFAIL: 16 |XFAIL: 16 |XFAIL: 0
UNSUPPORTED: 164|UNSUPPORTED: 164|UNSUPPORTED: 0
(From OE-Core rev: 60fb9e5200e641d0d108f283d23a7c79b09966d1)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This includes CVE-fix for CVE-2025-27219, CVE-2025-27220 and
CVE-2025-27221
Changes between 3.4.2 -> 3.4.3
==============================
https://github.com/ruby/ruby/compare/v3_4_2...v3_4_3
(From OE-Core rev: 37747c99ee32153120b67e65a2f3da34c6d58b0f)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d739c52558af986c2ce4c65e1197e8d524d14d22)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
ChangeLog:
https://github.com/makedumpfile/makedumpfile/releases/tag/1.7.7
This version supports the following new kernels:
- 6.12, 6.13, 6.14
Drop backport patch.
(From OE-Core rev: 364e15aadcbb3ac754c2c484f7920420b4cb3138)
(From OE-Core rev: f2100e704b06913805d0d6d21df0cd73c8199388)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the
documentation stating that it disables X11 and agent forwarding.
(From OE-Core rev: fff41e824bb56d4879c65d6dec3605fabb406071)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2025-47268
ping in iputils through 20240905 allows a denial of service (application
error or incorrect data collection) via a crafted ICMP Echo Reply
packet, because of a signed 64-bit integer overflow in timestamp
multiplication.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47268
Patch from:
070cfacd73
(From OE-Core rev: 59f0d3befe0c828bdc16664af1f8b64b7f3911e7)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen) without a check for whether
the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be
larger than the amount of remaining packet data in the current state
of parsing. Values of stack memory locations may be sent over the
network in a response.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32366
Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4
(From OE-Core rev: 1c908b1c44a006b6707a1f0da59781a6750cf8ce)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Generating SPDX is enabled by default in poky but
it can take a lot of build time resources so document
how to disable it.
(From yocto-docs rev: d26a3f2ed8f24e1b72f58ecb8b7cdba7007ba77b)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit bcd58b7a9455fbb0ea5944089d663e327f0eb38f)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a section after the 'git format-patch' information encouraging developers
to add patch version changelogs to their patch updates.
(From yocto-docs rev: dff4d470193c1b5c961f4725b796050fb79b2b5c)
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 2e3a37c4607b296956993e557d1786c4876e5722)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Since scarthgap [1], the default will be overridden when using
'systemd' as INIT_MANAGER. Reflect this in the documentation.
* The distro configuration is probably the better place for
customization, thus at least mention this together with the
local.conf.
* While at it, drop the probably redundant description on how to
override weak default variables.
The example on how to set "/root" is still given indirectly, anyway.
[1] ebafe463 ("systemd: upgrade to 255.1")
(From yocto-docs rev: 84c55a224f16644a42e51294a6ad0b2568f84ea2)
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 50e92009d309fc4ae406174feb8f6578142748cc)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
- Add the future "Whinlatter" (5.3) and "Wrynose" (6.0) releases.
- Make the "Walnascar" release a current release.
- Update the month in Current.
(From yocto-docs rev: 63d00925b77a723750ee1126a1242e332d052689)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit adb8573b54626e033921a9f4e3db259312b79207)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix links to files in git by adding a leading / to the path.
(From yocto-docs rev: 20447dbf40b07f6b7493dee0b4c4082376d96796)
Signed-off-by: Leonard Anderweit <l.anderweit@phytec.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit cc5daf15f5999bc217f8729e259ae720736beaaa)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The version has changed now (3.10.12 as of writing). Avoid having to
maintain this information by removing the version info from the intro.
Also fix a typo ("uses now uses") and give a link to yocto-autobuilder2.
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: cdfa58f08ab98b233c466501e1a3567b869d312b)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 1ed64dbdf4a60b000305cdc2c67dc24f4bc97ef7)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This recipe takes longer time >20min when bitbake for package
write stage. When cross-verified for longer time duration, found
that do_check() stage taking 20min while other stages completes
before 6min.
This recipe gives only below two test binaries in the packages to
test (ptest: glibc-y2038-tests):
io/ftwtest
io/ftwtest-time64
The above test binaries are already included for testing in recipe
glibc-testsuite_2.41.bb.
It is by now well established that glibc itself works as it should,
that all affected 32 bit targets are configured to use 64 bit time_t,
and that any lingering y2038 issues are in components other than the c
library, and usually come from C programming mistakes (e.g. storing
timestamps in long). Maybe we can simply remove the recipe?
Review comments for fixing above longer time duration ended up in
removing this recipe as a proposal is below
https://lists.openembedded.org/g/openembedded-core/topic/112188476#msg214636
Removed lines having reference to glibc-y2038-tests in the files.
(From OE-Core rev: dea859e904d9eacede147a627f4c176433ac9efc)
Signed-off-by: rajmohan r <semc.2042@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fbe3679ba3c12c52a502511f5dde91fb4de7a6b6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
icu will check program install path during do_configure, eg:
checking for a BSD-compatible install... /path/to/install -c
And this path will be writen into pkgdata.inc:
INSTALL_CMD=$(INSTALL-L)
Decided by if install is installed into recipe-sysroot-native during
do_configure stage, the INSTALL_CMD could be
/build/tmp/work/corei7-64-wrs-linux/icu/76-1/recipe-sysroot-native/usr/bin/install
or /build/tmp/hosttools/install if the build is rerun after the sysroot was
extended.
set ac_cv_path_install to install under hosttools to make a deterministic
result of INSTALL_CMD, avoid vary caused by the execute sequence of
another task which DEPENDS on coreutils-native and independent with
do_configure
[RP: Removed paths from ac_cv_path_install to simplify and avoid QA error too]
(From OE-Core rev: 208143e060cda6e22ae1e8c618e033fa9144b323)
(From OE-Core rev: 60a38959a5b740b16044bf8644046b3ed4816ae7)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Below commits on binutils-2.44 stable branch are updated.
33578177adc dwarf: Dump .debug_loclists only for DWARF-5
fe459e33c67 PR 32603, revert message changes in 0b7f992b78fe and 31e9e2e8d109
37d12dd25d8 gdb/compile: add missing entry in bfd_link_callbacks array
31e9e2e8d10 PR 32603, more ld -w misbehaviour
0b7f992b78f PR 32603, ld -w misbehaviour
8cb98edf123 s390: Add support for z17 as CPU name
ed70d86b491 x86: Remove AVX10.2 256 bit rounding support
e1af7e590a5 elf: Clear the SEC_ALLOC bit for NOLOAD note sections
35db8c6dd2f ld: Pass -Wl,-z,lazy to compiler for i386 lazy binding tests
cc7ec316a45 Updated translations for bfd and gold
bf088ee09a7 PR 32731 ub sanitizer accessing filenames_reversed
78082591ec7 score-elf gas SEGV
d4c7ee9fbc1 gas: fix rs_fill_nop listing
a68d096a0ab Open the 2.44 branch for further development
Dropped: 0015-CVE-2025-1153.patch
Testing was done and there were no regressions found
(From OE-Core rev: e06b23897d51d075327012440afbabfe2d5a3de0)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
https://metacpan.org/pod/perldelta
This provides a fix for CVE-2024-56406
(From OE-Core rev: 8e91cd8293a13d21eb1df5b9b750d9b498bb3530)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Provide support for Perl 5.40.2
https://github.com/arsv/perl-cross/releases/tag/1.6.2
(From OE-Core rev: 9fde5d3657a5842dcdac20eea140077b1e8ae06b)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Includes fix for CVE-2024-54551, CVE-2025-24208, CVE-2025-24209,
CVE-2025-24213, CVE-2025-24216, CVE-2025-24264 and CVE-2025-30427
Changelog:
=========
- Limit the data stored in session state.
- Remove the empty area below the title bar in Web Inspector when not docked.
- Fix the build with GST_DISABLE_GST_DEBUG.
- Fix the build with GStreamer < 1.20.
- Fix the build with video disabled.
- Fix the build with clang 20.
Drop 0001-EnumTraits.h-error-no-matching-function-for-call-to-.patch
and 0001-Cherry-pick-292304-main-7ffc29624258-.-https-bugs.we.patch
which are part of upgrade.
(From OE-Core rev: 2a1fd538e42a8721b4f49135e14771cc1d646588)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update to the 5.2 release of the 5.2 series for buildtools
(From OE-Core rev: 23d9713bd16a042fdb4c15ff1dfaf7a0637da95e)
Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2024-52532:
GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption.
during the reading of certain patterns of WebSocket data from clients.
Refer:
https://nvd.nist.gov/vuln/detail/CVE-2024-52532
(From OE-Core rev: e91fb129f132aae628b3a942afe9259c25f1b539)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation
violation via the component /libavcodec/jpeg2000dec.c.
(From OE-Core rev: 0c6561cc7a5ca9e82ce3f17a9d0e68a7c1c88c84)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The current MULTILIB_SCRIPTS entry incorrectly assigns
g-ir-annotation-tool and g-ir-scanner to the ${PN} package. However,
these scripts are actually installed in the gobject-introspection-tools
package. This leads to incorrect symlinks being created when multilib is
enabled. Therefore, this patch correctly moves them to the ${PN}-tools
package.
Error log:
root@intel-x86-64:~# ls -l /usr/bin/g-ir-scanner
lrwxrwxrwx 1 root root 27 Mar 9 2018 /usr/bin/g-ir-scanner -> /usr/bin/g-ir-scanner-lib64
root@intel-x86-64:~# ls -l /usr/bin/g-ir-scanner-lib64
ls: cannot access '/usr/bin/g-ir-scanner-lib64': No such file or directory
(From OE-Core rev: 5e594b3d074900580fa83ca50f7d837937c17856)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Due to commit [cdrtools-native: fix booting EFI ISO live failed]
applied to improve mkisofs to fix nsectors exceeds 0xffff situation
which set selection criteria type = 2 and save extra nsectors to
vendor unique selection criteria
In following case, add 64MB extra space to bootable image efi.img,
and the partition table of EFI is truncated to 32M
$ echo 'IMAGE_FSTYPES:pn-core-image-minimal = " live"' >> conf/local.conf
$ echo 'MACHINE_FEATURES:append = " efi pcbios"' >> conf/local.conf
$ echo '# 64MB extra space to bootable image efi.img' >> conf/local.conf
$ echo 'BOOTIMG_EXTRA_SPACE = "65535"' >> conf/local.conf
$ bitbake core-image-minimal
$ fdisk -l tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso
...
Device Boot Start End Sectors Size Id Type
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso1 * 0 376831 376832 184M 0 Empty
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso2 120 65654 65535 32M ef EFI (FAT-12/16/32)
After applying this patch to process extra sector count, the partition
table of EFI is 90.3M
$ fdisk -l tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso
...
Device Boot Start End Sectors Size Id Type
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso1 * 0 376831 376832 184M 0 Empty
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso2 120 185151 185032 90.3M ef EFI (FAT-12/16/32)
[1]https://pdos.csail.mit.edu/6.828/2017/readings/boot-cdrom.pdf
(From OE-Core rev: b4e112ed7e6ba5a6c6df530d696485a588831851)
(From OE-Core rev: 741d5ed1b906b8763d9f346481e980e2041c9c2a)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ISO live, if the size of efi.img > 32MB, and copy EFI application
(bootx64.efi) to efi.img behind of kernel and initrd, UEFI system
could not find EFI application bootx64.efi
Using QEMU+OVMF to boot ISO live image, press ESC to enter UEFI shell:
...
Shell> ls FS0:\
Directory of: FS0:\
04/05/2011 23:00 12,985,344 bzImage
04/05/2011 23:00 <DIR> 2,048 EFI
04/05/2011 23:00 20,494,696 initrd
04/05/2011 23:00 26 startup.nsh
3 File(s) 33,480,066 bytes
1 Dir(s)
Shell> ls FS0:\EFI
Directory of: FS0:\EFI
0 File(s) 0 bytes
0 Dir(s)
...
In following case, add 64MB extra space to bootable image efi.img,
and the partition table of EFI is truncated to 26.3M
$ echo 'IMAGE_FSTYPES:pn-core-image-minimal = " live"' >> conf/local.conf
$ echo 'MACHINE_FEATURES:append = " efi pcbios"' >> conf/local.conf
$ echo '# 64MB extra space to bootable image efi.img' >> conf/local.conf
$ echo 'BOOTIMG_EXTRA_SPACE = "65535"' >> conf/local.conf
$ bitbake core-image-minimal
$ fdisk -l tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso
...
Device Boot Start End Sectors Size Id Type
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso1 * 0 376831 376832 184M 0 Empty
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso2 120 54079 53960 26.3M ef EFI (FAT-12/16/32)
According to page 11: `Figure 5 - Section Entry' in El Torito Bootable
CD-ROM Format Specification [1]. The sector count takes 2 byte which
means max sector count is 0xffff (65535), for 512-byte sector, the
size of bootable image is no more than 32MB (65536 * 512 / 1024 / 1024)
This commit truncate to 32MB if image size larger than 32MB, and
report a warning, then save the extra image sector count to
vendor unique selection criteria
After apply this commit, the partition table of EFI is truncated to 32M
$ fdisk -l tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso
...
Device Boot Start End Sectors Size Id Type
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso1 * 0 376831 376832 184M 0 Empty
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso2 120 65654 65535 32M ef EFI (FAT-12/16/32)
[1]https://pdos.csail.mit.edu/6.828/2017/readings/boot-cdrom.pdf
(From OE-Core rev: 259bb8907d8bfe1217e88a3b6935c160e5a92f8d)
(From OE-Core rev: d184f119c26983c2f15b47a25204049d0525c871)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
To adapt user network enviroment, buildtools should first try to use
the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these
envs is not set, then use the auto-detected ca file and ca path, and
finally use the CA certificates in buildtools.
nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work
nativesdk-curl don't set default ca file, need
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work
nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also works
nativesdk-python3-requests will use cacert.pem under python module certifi by
default, need to set REQUESTS_CA_BUNDLE
(From OE-Core rev: 0d5f241eee19c0dff9f9f59949485414935edaa2)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Here is one testcase:
For recipe tensorflow-lite-host-tools_2.18.0.bb, refer [1],
do_configure[network] = "1"
and it will git clone some repos in CMakeLists.txt
When buildtools is used and nativesdk-git is installed into sdk,
do_configure failed with error:
[1/9] Performing download step (git clone) for 'protobuf-populate'
Cloning into 'protobuf'...
fatal: unable to access 'https://github.com/protocolbuffers/protobuf/': error setting certificate file: /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-wrlinuxsdk-linux/etc/ssl/certs/ca-certificates.crt
Fix by adding GIT_SSL_CAINFO in BB_ENV_PASSTHROUGH_ADDITIONS, so that
user can export GIT_SSL_CAINFO=${GIT_SSL_CAINFO} in their
do_configure:prepend() to fix above do_configure failure
CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE is similar envvars, so all add
into BB_ENV_PASSTHROUGH_ADDITIONS
[1] https://github.com/nxp-imx/meta-imx/blob/styhead-6.12.3-1.0.0/meta-imx-ml/recipes-libraries/tensorflow-lite/tensorflow-lite-host-tools_2.18.0.bb
(From OE-Core rev: 5fa8cb40395977722d0d5a2271c8044598fb1f01)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* make git,curl,python3-requests align with openssl, move the setting of
envvars into respective envfile
* for environment.d-openssl.sh, also check if ca-certificates.crt exist
before export envvars
(From OE-Core rev: 5c915fcada5868bdbb8aa3e28c18a26cfc41914f)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When PATCHTOOL is set to 'git', and user don't setup
user.name and user.email for git, do_patch fail with
the following error, fix by passing -c options.
CmdError("git notes --ref refs/notes/devtool append -m 'original patch: 0001-PATCH-increase-to-cpp17-version.patch' HEAD", 0, 'stdout:
stderr: Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
(From OE-Core rev: 2d202462cf85e92cc18bc07cffdb0f335e524256)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Rather than reporting each invalid PACKAGECONFIG with a separate error
message, report them all with one error message.
(From OE-Core rev: c311d5ddc102f26ac1813c540520175cfed3a5a6)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This makes sure invalid PACKAGECONFIGs are reported also for recipes
that have no do_configure task, e.g., packagegroups.
(From OE-Core rev: ed0e8f5142bc9c3a5c2fca7068135b2dc11ec3db)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This change will prevent these tools from being installed if the image doesn't install bluez5-noinst-tools package.
BlueZ 5.66: tools/mesh-tester
BlueZ 5.66: tools/ioctl-tester
BlueZ 5.65: tools/iso-tester
BlueZ 5.56: tools/btpclientctl
BlueZ 5.51: tools/bcmfw
BlueZ 5.49: tools/rtlfw
BlueZ 5.47: tools/btconfig (not a new tool, but it was moved from bin_PROGRAMS to noinst_PROGRAMS)
(From OE-Core rev: 5f7c43913812bcb80d6dba67da3fc62a8efecfb8)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
can be NULL or an empty string when the TC (Truncated) bit is set in
a DNS response. This allows attackers to cause a denial of service
(application crash) or possibly execute arbitrary code, because those
lookup values lead to incorrect length calculations and incorrect
memcpy operations.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32743
Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f
(From OE-Core rev: 61610f57c6b9ee2b6002decc037db049e9ddfe51)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2025-32911:
A use-after-free type vulnerability was found in libsoup, in the
soup_message_headers_get_content_disposition() function. This flaw
allows a malicious HTTP client to cause memory corruption in the libsoup
server.
Backport patches to fix it
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-32911
[2] https://gitlab.gnome.org/GNOME/libsoup/-/issues/433
(From OE-Core rev: 75f1c57a5171859d1bfc58d69b3923d017b14303)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upstream Repository: https://gitlab.com/qemu-project/qemu.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1386
Type: Security Advisory
CVE: CVE-2023-1386
Score: 3.3
Analysis:
- According to redhat[1] this CVE has closed as not a bug.
Reference:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2223985
(From OE-Core rev: 962cf064df6db243c182c6b53d06a4fd087cd3f2)
Signed-off-by: Madhu Marri <madmarri@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 6a5d9e3821246c39ec57fa483802e1bb74fca724)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
