Update SRC_URI for mesa.
The the tarball of mesa has been changed
from:
https://mesa.freedesktop.org/archive/
to:
https://archive.mesa3d.org/
(From OE-Core rev: 6397cd1ad55927c312051cbd42d5825fa8ed969b)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
From [1]:
An out of bounds write exists in FreeType versions 2.13.0 and below
(newer versions of FreeType are not vulnerable) when attempting to
parse font subglyph structures related to TrueType GX and variable font
files. The vulnerable code assigns a signed short value to an unsigned
long and then adds a static value causing it to wrap around and
allocate too small of a heap buffer. The code then writes up to 6
signed long integers out of bounds relative to this buffer. This may
result in arbitrary code execution. This vulnerability may have been
exploited in the wild.
Per [2] patches [3] and [4] are needed.
Unfortunately, the code changed since 2.11.1 and it's not possible to do
backport without significant changes. Since Debian and Ubuntu have
already patched this CVE, take the patch from them - [5]/[6].
The patch is a combination of patch originally proposed in [7] and
follow-up patch [4].
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-27363
[2] https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322
[3] ef63669652
[4] 73720c7c99
[5] https://git.launchpad.net/ubuntu/+source/freetype/commit/?h=applied/ubuntu/jammy-devel&id=fc406fb02653852dfa5979672e3d8d56ed329186
[6] 13295227b5
[7] https://www.openwall.com/lists/oss-security/2025/03/14/3
(From OE-Core rev: 5a8d4c7a9a0e099da0294141cf5590b55f0503cd)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In X.Org X server 20.11 through 21.1.16, when a client application
uses easystroke for mouse gestures, the main thread modifies various
data structures used by the input thread without acquiring a lock,
aka a race condition. In particular, AttachDevice in dix/devices.c
does not acquire an input lock.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-49737
Upstream patch:
dc7cb45482
(From OE-Core rev: 740ea9019cf5cf309c5a4ef380eac17d21078ac8)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In X.Org X server 20.11 through 21.1.16, when a client application
uses easystroke for mouse gestures, the main thread modifies various
data structures used by the input thread without acquiring a lock,
aka a race condition. In particular, AttachDevice in dix/devices.c
does not acquire an input lock.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-49737
Upstream patch:
dc7cb45482
(From OE-Core rev: c6a8ad45174a416c4129deb210eab9b7721ce01d)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Building weston with core-image-weston SDK fails:
```
../libweston/renderer-gl/gl-shader-config-color-transformation.c:29:10: fatal error: GLES3/gl3.h: No such file or directory
29 | #include <GLES3/gl3.h>
| ^~~~~~~~~~~~~
```
Both GLES2 and GLES3 implementations are contained in libGLESv2.so.2,
which is packaged in libgles2-mesa. However, the headers are split
between libgles2-mesa-dev and libgles3-mesa-dev, which is why the
GLES3 headers end up missing in the SDK sysroot.
Add a dependency so the GLES3 headers are properly associated with
the GLES3 implementation.
(From OE-Core rev: 7e1308ec413e69a8427ac5998431005d9e4b8033)
(From OE-Core rev: 0d9f2fcc2058407eb138297d9f8f12595851b963)
Signed-off-by: Tom Hochstein <tom.hochstein@oss.nxp.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b
(From OE-Core rev: b02bf5f9abb4d2a514f9ea883cd1fe6057367c92)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a
(From OE-Core rev: f01c281b94ff137003ef108e33a8c3230c541c46)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949
(From OE-Core rev: a7f4c6b1946e7215d8df561340d7a1cd0b2d5c27)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01
(From OE-Core rev: 45738e56aaf5dac1a471cb37088d3cd24764156d)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87
(From OE-Core rev: e0768162f0ece29392d4f387d263d62dd4083836)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: ba1d14f8ef
(From OE-Core rev: 2158a34839068b878344d214d3fc9feeb17e504a)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: 3e77295f88
(From OE-Core rev: 3575ad718c8ea7d808247842df19982f00725187)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: 96798fc196
(From OE-Core rev: 4e41b1c8cccd3b2f359ee949cad402b9418f5983)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The patches are copied from xserver-xorg recipe.
CVE reported for both and patches apply on both.
Upstream-Commit:
bc1fdbe465
& 26769aa71f
(From OE-Core rev: 77487fb0756951e29628f41ff00db12a5f9d7c27)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: 4a5e9b1895
(From OE-Core rev: 4b0f6aaa994eeab5d18211ace8034ec8b92b7419)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update SRC_URI to fix the following error:
WARNING: virglrenderer-native-0.9.1-r0 do_fetch: Failed to fetch URL
git://anongit.freedesktop.org/git/virglrenderer;branch=branch-0.9.1,
attempting MIRRORS if available
(From OE-Core rev: 72450859dd5ee5395b64917516f185a2eed52775)
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The patches are copied from xserver-xorg recipe.
The CVES are reported for both and patched apply on both.
(From OE-Core rev: cdcb9957a6fe1629dc3230fcdfd09322877d4038)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the X.org server. Due to improperly
tracked allocation size in _XkbSetCompatMap, a local
attacker may be able to trigger a buffer overflow condition
via a specially crafted payload, leading to denial of service
or local privilege escalation in distributions where the
X.org server is run with root privileges.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-9632
Upstream patch:
ba1d14f8ef
(From OE-Core rev: 95027410dba7a2a7e9b93f76279272f22445399b)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This was fixed in 2.0.14, but NVD DB lists > 2.0.20 causing
false positives in CVE metrics.
NVD entries [1] and [2] list commit [3] which redirects to commit [4].
Also Debian 10 uses this commit, while Debian 11 with 2.0.14 does not
patch it and claims it's fixed.
Trying to apply the patch shows it's already applied.
Following shows git history of this commit wrt tags.
SDL$ git describe a7ff6e96155f550a5597621ebeddd03c98aa9294 --tags
release-2.0.12-305-ga7ff6e961
SDL$ git describe release-2.0.14 --tags --match=release-2.0.12
release-2.0.12-873-g4cd981609
SDL$ git describe release-2.0.20 --tags --match=release-2.0.12
release-2.0.12-3126-gb424665e0
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14409
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-14410
[3] https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
[4] a7ff6e9615
(From OE-Core rev: 3079d562b4df69ab0ac20ec8d13a4240ce0a3514)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Same was done in newer Yocto releases.
See commit 72f2d4cf44b795f766ecdee0b8362c7e162c5efc
(From OE-Core rev: 390421edf8b6eb6031de657cdcaf0c7d50b605be)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Builder is a common word and there are many other builder components
which makes us to ignore CVEs for all of them.
There is already 1 ignored and currently 3 new ones.
Instead, set product to yocto to filter them.
(From OE-Core rev: 941a645b3b18418e020ada9ebdd19f425f03dfc8)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport the upstream buffer modifier fix for create_framebuffer to
handle the case where no valid modifiers are available.
(From OE-Core rev: 983e3efb51ab22f1fa5f90cbbfba2d701aa425fc)
Signed-off-by: Randolph Sapp <rs@ti.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
On some platforms, `EGLNativeDisplayType` is an int instead of
a pointer, in which case the void pointer will raise
a `-Wint-conversion`.
Add change as a patch instead of updating SRCREV .
if we update SRCREV might will get compatiblity issue
with current gstreamer 1.20.7 version because SRCREV brings changes
which resolves negotiation issues encountered with V4L2 stateless
hardware video decoders when using kmscube video playback option
which has gstreamer dependency requirement to 1.22.0
(From OE-Core rev: 19a899d2ec69572e0eae4576d9fc55a7ba857309)
Signed-off-by: Purushottam Choudhary <purushottam27.kumar@lge.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FreeGlyph() function declared in render/glyphstr_priv.h, it is not present in
current recipe version and introduced in later versions, added this change to
render/glyphstr.h
(From OE-Core rev: cc2d9275203ad9489da43ff4e1f0983c00f235fd)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: 89974b7fa33f3e9d3e3a4df7ad219898fe400d3a)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(From OE-Core rev: 9c21b08c18414bb61abebcbbb8704946ea288a7b)
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Remove duplication of license MIT from pixman bbfile.
(From OE-Core rev: 76f928359f76d449de0d884c591a5d9fdba9d19c)
Signed-off-by: Poonam Jadhav <poonam.jadhav@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
