- new features:
* support product-obsoletes() provides in the product autopackage
generation code
(From OE-Core rev: 2f83491f69116c5d606f801a619a5389fc97ea64)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This includes CVE-fix for CVE-2025-46805, CVE-2025-46804,
CVE-2025-46803, CVE-2025-46802 and CVE-2025-23395.
Changelog:
=========
https://cgit.git.savannah.gnu.org/cgit/screen.git/tree/src/ChangeLog?h=v.5.0.1
* Fixes:
- CVE-2025-46805: do NOT send signals with root privileges
- CVE-2025-46804: avoid file existence test information leaks
- CVE-2025-46803: apply safe PTY default mode of 0620
- CVE-2025-46802: prevent temporary 0666 mode on PTYs in attacher
- CVE-2025-23395: reintroduce lf_secreopen() for logfile
- buffer overflow due to bad strncpy()
- uninitialized variables warnings
- typos
- combining char handling that could lead to a segfault
(From OE-Core rev: 9e608022b287bfdb4f547f5e2d418536758bc82f)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
* Fixed CVE-2025-32462. Sudo's -h (--host) option could be specified
when running a command or editing a file. This could enable a
local privilege escalation attack if the sudoers file allows the
user to run commands on a different host.
* Fixed CVE-2025-32463. An attacker can leverage sudo's -R
(--chroot) option to run arbitrary commands as root, even if
they are not listed in the sudoers file. The chroot support has
been deprecated and will be removed entirely in a future release.
(From OE-Core rev: 4ac42eefe6c1b5895a3334d7f90004fdc8a3267f)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-meson.build-correct-check-for-existence-of-two-prepr.patch
removed since it's included in 1.7.1
Changelog:
===============
* pam_access: do not resolve ttys or display variables as hostnames.
* pam_access: added "nodns" option to disallow resolving of tokens as hostnames
(CVE-2024-10963).
* pam_limits: added support for rttime (RLIMIT_RTTIME).
* pam_namespace: fixed potential privilege escalation (CVE-2025-6020).
* meson: added support of elogind as a logind provider.
* Multiple minor bug fixes, build fixes, portability fixes,
documentation improvements, and translation updates.
(From OE-Core rev: 5e77c48e074a20e58a233ab5ed6d8ef09bbd55c8)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The directory index is missing the latest release:
https://www.libarchive.org/downloads/
Ticket (which I do not believe will be quickly fixed, considering
other similar open tickets):
https://github.com/libarchive/libarchive/issues/2693
(From OE-Core rev: e3b3c85f026ffba772c1cc6918113274e13002e5)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Steps to reproduce (under the same project dir):
1. enable DISTRO_FEATURES usrmerge, bitbake mingetty
2. disable DISTRO_FEATURES usrmerge, bitbake mingetty
Result in step 2:
WARNING: mingetty-1.08-r3 do_package: mingetty: NOT adding alternative provide /usr/sbin/getty: /usr/sbin/mingetty does not exist
WARNING: mingetty-1.08-r3 do_package: QA Issue: mingetty: Files/directories were installed but not shipped in any package:
/sbin
/usr/sbin
In step 1, the line SBINDIR=/sbin is replaced with SBINDIR=/usr/sbin. In step 2,
since do_fetch does not rerun, the Makefile still has SBINDIR=/usr/sbin, so
sed does not work as expected and SBINDIR is still equal to /usr/sbin when
usrmerge is disabled. This causes the above two warnings.
(From OE-Core rev: 12539d529c6af3d4a56ff4f1e1420e7e4d169804)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add tag to SRC_URI to fix runtime version when using git shallow
tarball.
Before the fix:
root@intel-x86-64:~# pslog -V
pslog (PSmisc) UNKNOWN
After the fix:
root@intel-x86-64:~# pslog -V
pslog (PSmisc) 23.7
(From OE-Core rev: f149a9541789286299c1afb84f61df0484d0f72e)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add tag to SRC_URI to fix runtime version when using git shallow
tarball.
Before the fix:
root@intel-x86-64:~# ps -V
ps from procps-ng UNKNOWN
root@intel-x86-64:~# sysctl -V
sysctl from procps-ng UNKNOWN
After the fix:
root@intel-x86-64:~# ps -V
ps from procps-ng 4.0.5
root@intel-x86-64:~# sysctl -V
sysctl from procps-ng 4.0.5
(From OE-Core rev: 02f944088430c7cc023366d7cb5f92d7dcb62dfb)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Includes bugfixes for issues introduced in 3.8.0
License-Update: Public Domain file changed from libarchive/archive_getdate.c
to libarchive/archive_parse_date.c
c26f037745
(From OE-Core rev: 49d07ca1e4f41e33e82666dadbaedcec7f2822cd)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some of them were introduced by mass-removal of S = WORKDIR/git assignments;
rather than try to fix up (or redo) just these, I've run this sed command over
the whole tree:
sed -i -z -E 's/([ \t\f\v\r]*\n){3,}/\n\n/g' `find . -name *.bb -o -name *.inc`
The rationale is that more than one empty line is wasting vertical screen space, and
does nothing for readability.
(From OE-Core rev: cedc4ff7c9bcfb22a20e43e47f9759f4007a4f1a)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There is no need to have two assignments; also setting S from
UNPACKDIR (and not vice versa) is more logical as unpack
task comes first, and tasks that come after unpack use S to access
unpack results.
Also adjust reference test data in selftest/recipeutils to reflect changes in test recipes.
(From OE-Core rev: f64b7e5fb3181734c8dde87b27e872a026261a74)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Removing all the S = ${WORKDIR}/git assignments works because BB_GIT_DEFAULT_DESTSUFFIX
is set to match S from bitbake.conf (which itself is set to match typical tarball
releases).
A few recipes are setting S to a sub-directory of the git tree and need
to be adjusted accordingly.
bzip2 recipe is fetching a tarball and separately cloning tests;
adjust the recipe to put the latter into 'bzip2-tests', instead of 'git'.
devupstream.bbclass no longer needs to rewrite S, and is adjusted accordingly.
Adjust scripts/lib/recipetool/append.py to not hardcode 'git' as unpack
destination.
Adjust kernel-yocto.bbclass to use the git unpack variable instead
of hardcoding 'git' (there's also removal of repetition of
string constants and a correction of workdir/unpackdir mismatch in
one of the if-else branches).
Ensure build-appliance-image recipe does not use 'git' as checkout directory for
poky repo, but rather explicitly name it 'poky'.
Ensure reproducible.py code that looks for git repositories does not
hardcode 'git' but uses the destination set by BB_GIT_DEFAULT_DESTSUFFIX.
Ensure recipetool does not write out unneeded S settings into newly
created recipes that fetch from git.
Adjust selftest to not hardcode 'git' as unpack directory.
(From OE-Core rev: f80c07019ddadaf9c5fb890faabfda7920ecd15e)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
- selected bug fixes:
* improve transaction ordering by allowing more uninst->uninst
edges
* implement color filtering when adding update targets
- new features:
* support orderwithrequires dependencies in susedata.xml
(From OE-Core rev: 000d105135c6ae871bfa8699d9008a1f4324c7f7)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport patch for this CVE and also patch for its regression.
(From OE-Core rev: 2d7662e5359b7490b3028ae2e7b002de5faa84da)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Having findutils depending on coreutils-getlimits makes it harder to replace GNU coreutils with uutils-coreutils
using PREFERRED_PROVIDER.
Also, the findutils repository contains a version of getlimits used for the tests, so there is no need to depend
on coreutils's version of getlimits.
(From OE-Core rev: 4e4149c13adda3dd3b07712b1025ef077dd460b4)
Signed-off-by: Etienne Cordonnier <ecordonnier@snap.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Passing compiler options via CC is error prone when we allow toolchain
selection. Use TARGET_CFLAGS instead.
(From OE-Core rev: 2091ebf845004040a6227d18cfa6bb508d1b9c9f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes:
- Remove last vestiges of K&R C; this allows gcc-15+ to compile
the code without special options.
- Some typo and formatting fixes in the documentation.
The above change also allowed dropping the relevant patch, that fixed
gcc15 compatibility: 0001-getopt-Add-missing-params-to-getopt-getenv-signature.patch
License-Update: added copyright years to the file header.
(From OE-Core rev: 83886335bd08f5fa147694e957b2467b19aea6bd)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
To quote the maintainer, "md5 implementation was vendored in s20200821" so this
dependency hasn't been needed for a while.
(From OE-Core rev: bb33b4edf0f4aed3d61203b0bf428661f925b981)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We don't need to run 'make check' across the source tree.
Forcibly regenerate tests/testsuite so it supports the --am-fmt option
that we patch into autoconf.
Add coreutils to ptest RDEPENDS as the symlink-bad-length test needs
base64.
Clean up run-ptest: there's no need to run atconfig manually, and use
--am-fmt instead of manually sedding the output.
(From OE-Core rev: 6829e353dd5a68c8d6b3ed07ae14bfe817e2156a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
I'm not sure why the script was running ./atconfig ./atlocal ./testsuite,
as atconfig just sets some variables and ignores the arguments.
(From OE-Core rev: 0e2c41724197de3de89d762cb1b648c09839af53)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The following line is added to fix cross-compilation issue in do_configure.
EXTRA_OECONF += "gl_cv_func_strcasecmp_works=yes"
The error message is as below:
configure: error: cannot run test program while cross compiling
(From OE-Core rev: c465fbbe4bfa90f7eed5e84c4149d656204481c8)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ChangeLog:
https://greenwoodsoftware.com/less/news.678.html
License-Update: Copyright year updated to 2025
(From OE-Core rev: ccaaee96b4f6f7c6e096b9e682ecac048cda941c)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When the input compiler enables AVX, stack realignment requirements
cause gcc to fail to omit %rbp use, due to which the test fails to
clobber %rbp in inline asm. Disable AVX to build the test on x86_64 so
that the test continues working.
(From OE-Core rev: bbd3e7886e2ec5ab3578d618b28d007a80d917aa)
Signed-off-by: Yogesh Tyagi <yogesh.tyagi@intel.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A "buffer overflow detected" issue was observed as follows:
| *** buffer overflow detected ***: terminated
|
| zip error: Interrupted (aborting)
This issue is addressed by:
https://bugzilla.redhat.com/show_bug.cgi?id=2165653
Port the fix.
(From OE-Core rev: e2f3eeaedc0ea896f5f5b23f756056331b1647cf)
Signed-off-by: Ming Liu <liu.ming50@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2025-47268
ping in iputils through 20240905 allows a denial of service (application
error or incorrect data collection) via a crafted ICMP Echo Reply
packet, because of a signed 64-bit integer overflow in timestamp
multiplication.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47268
Patch from:
070cfacd73
(From OE-Core rev: a4a58d3f6cd49a54a8c271abaad8098958d4f27f)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-check-for-_nl_msg_cat_cntr-in-configure.patch
flex.patch
removed since they're included in 2.13.1
(From OE-Core rev: b0314975312d10dd80fba77a53383425c85addc9)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
===========
- GnuTLS follows system crypto policies now
- Added 'NoSystem' SSLOptions value
- Now we raise alert for certificate issues
- Added Kyocera USB quirk
- The scheduler now logs a job's debugging history if the backend fails
- Fixed a potential timing issue with 'cupsEnumDests'
- Fixed a potential "lost PPD" condition in the scheduler
- Fixed a compressed file error handling bug
- Fixed a bug in the make-and-model whitespace trimming code
- Fixed a removal of IPP Everywhere permanent queue if installation failed
- Fixed 'ServerToken None' in scheduler
- Fixed invalid IPP keyword values created from PPD option names
- Fixed handling of "media" and "PageSize" in the same print request
- Fixed client raster printing from macOS
- Fixed the default User-Agent string.
- Fixed a recursion issue in 'ippReadIO'.
- Fixed handling incorrect radix in 'scan_ps()'
- Fixed validation of dateTime values with time zones more than UTC+11
- Fixed attributes returned by the Create-Xxx-Subscriptions requests
- Fixed 'ippDateToTime' when using a non GMT/UTC timezone
- Fixed 'job-completed' event notifications for jobs that are cancelled before
started
- Fixed DNS-SD discovery with 'ippfind'
(From OE-Core rev: caab5dd2dd8705a58b2878a8d295117931114e65)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Brings these changes
- build both static and dynamic libraries on new suse distros
- require cmake >= 3.5
- new features:
* support the apk package and repository format (both v2 and v3)
* new dataiterator_final_{repo,solvable} functions
- Enable static libs for OE as well, this fixes a crash/signsegv seen
in stringpool_strn2id () especially when multithreading is in play,
this is brought forward with clang merge patchset when using ipk
backend
(From OE-Core rev: 50d5ac2199af7b35e18c0015fcc14078e4d1fd2a)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We have long since obsoleted md5sum in favour of sha256sum. Drop the remaining
56 entries (which were showing many recipes hadn't been touched in a long time).
They all do have the corresponding sha256sum entries as is clear from the diff.
(From OE-Core rev: 7e4bfcc9706fa8a09f6a0004174a2c3b21c90df3)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* fixes builds on host with gcc-15:
http://errors.yoctoproject.org/Errors/Details/853016/
../../bash-5.2.37/builtins/mkbuiltins.c:268:29: error: too many arguments to function ‘xmalloc’; expected 0, have 1
268 | error_directory = xmalloc (2 + strlen (argv[arg_index]));
| ^~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(From OE-Core rev: 663a79bbf2f2e113992e457244964b7582d9caaf)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libpcre is obsolete and unmaintained, as wget supports libpcre2 now we
should use that instead.
(From OE-Core rev: c287a6c6365c9e30beebebeb5cd936d3c22829db)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
File index works now:
http://libarchive.org/downloads/
(From OE-Core rev: 11dfb88badcbb0daf3744eb3ab82bf9290ae5981)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ptest is only meaningful for target. So we need to specify class-target
override to ensure correct dependency.
Also, the above DEPENDS:append:class-targets lacks a leading whitespace,
add it.
(From OE-Core rev: ef705f6969845aa4b28cb2cfb95b0aa0c67c11e3)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Package metainfo xml to ${PN}, fix the issue that:
| ERROR: ethtool-6.14-r0 do_package: QA Issue: ethtool: Files/directories were installed but not shipped in any package:
| /usr/share/metainfo
| /usr/share/metainfo/org.kernel.software.network.ethtool.metainfo.xml
| Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
| ethtool: 2 installed and not shipped files. [installed-vs-shipped]
(From OE-Core rev: 6c35f3dee3a8d9a32243b96060d07cccc24df52e)
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
https://github.com/libarchive/libarchive/releases/tag/v3.7.9
Libarchive 3.7.9 is a bugfix release
Important bugfixes:
* a regression in libarchive 3.7.8 regarding GNU sparse entries was fixed (#2558)
Also remove CVE_STATUS which was obsolete already before this upgrade.
(From OE-Core rev: 670f3fa028f3e873acf4c5265d3f5e4a3aa0ec89)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Handle CVE-2025-31115
License-Update: add help note [1] and remove note for old releases [2]
[1] 6bbec3bda0
[2] 70f1f20378
(From OE-Core rev: cbea6f21d8fd96b0d7475fb3946ecaf666aec79d)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>