Building weston with core-image-weston SDK fails:
```
../libweston/renderer-gl/gl-shader-config-color-transformation.c:29:10: fatal error: GLES3/gl3.h: No such file or directory
29 | #include <GLES3/gl3.h>
| ^~~~~~~~~~~~~
```
Both GLES2 and GLES3 implementations are contained in libGLESv2.so.2,
which is packaged in libgles2-mesa. However, the headers are split
between libgles2-mesa-dev and libgles3-mesa-dev, which is why the
GLES3 headers end up missing in the SDK sysroot.
Add a dependency so the GLES3 headers are properly associated with
the GLES3 implementation.
(From OE-Core rev: 7e1308ec413e69a8427ac5998431005d9e4b8033)
(From OE-Core rev: 0d9f2fcc2058407eb138297d9f8f12595851b963)
Signed-off-by: Tom Hochstein <tom.hochstein@oss.nxp.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/6e0f332b
(From OE-Core rev: b02bf5f9abb4d2a514f9ea883cd1fe6057367c92)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bba9df1a
(From OE-Core rev: f01c281b94ff137003ef108e33a8c3230c541c46)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0e4ed949
(From OE-Core rev: a7f4c6b1946e7215d8df561340d7a1cd0b2d5c27)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/80d69f01
(From OE-Core rev: 45738e56aaf5dac1a471cb37088d3cd24764156d)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: https://gitlab.freedesktop.org/xorg/xserver/-/commit/11fcda87
(From OE-Core rev: e0768162f0ece29392d4f387d263d62dd4083836)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: ba1d14f8ef
(From OE-Core rev: 2158a34839068b878344d214d3fc9feeb17e504a)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: 3e77295f88
(From OE-Core rev: 3575ad718c8ea7d808247842df19982f00725187)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: 96798fc196
(From OE-Core rev: 4e41b1c8cccd3b2f359ee949cad402b9418f5983)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The patches are copied from xserver-xorg recipe.
CVE reported for both and patches apply on both.
Upstream-Commit:
bc1fdbe465
& 26769aa71f
(From OE-Core rev: 77487fb0756951e29628f41ff00db12a5f9d7c27)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: 4a5e9b1895
(From OE-Core rev: 4b0f6aaa994eeab5d18211ace8034ec8b92b7419)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This vulnerability has now a CVE assigned.
(From OE-Core rev: 204ff9dd9c62a8a346e89880b2e15a4c0e9ad6e0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update SRC_URI for tzcode.
Update the http to https in SRC_URI to fix the do_fetch issue.
(From OE-Core rev: b663540d143b0e5fcb9ceeec45cde7fe3e68f9bb)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When testing a Yocto SDK installer on Alpine 3.21, we recently ended up with a
broken SDK. One of the commands the relocation script calls in a piped
multi-command chain failed (see [0]), but the installer did not realize that -
since it doesn't use 'set -o pipefail'. Thus, the error was never reported to
the user and the installer claimed to have set up the SDK correctly - which
wasn't the case.
Given that the SDK installer is a POSIX-compliant shell script and that the
'pipefail' option used to be missing from the standard, it's not surprising that
it isn't used. Thankfully however, in June of 2024, a new version of POSIX
(POSIX.1-2024) was released - and that one finally includes the 'pipefail'
option (see [1]). A number of shells already support it, so let's enable it if
available to make the SDK installer more robust.
The change has been tested locally using SDK installers for internal projects,
based on both Kirkstone and Scarthgap.
[0]: https://gitlab.alpinelinux.org/alpine/aports/-/issues/16797
[1]: https://pubs.opengroup.org/onlinepubs/9799919799.2024edition/utilities/V3_chap02.html#set
(From OE-Core rev: 1cb4b41c7faf77fcc347b1276d86d4288968c926)
(From OE-Core rev: 1de469f1ffb1680e3a75da2c3895fb1e4f43859f)
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 10dce263f0)
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update SRC_URI to fix the following error:
WARNING: virglrenderer-native-0.9.1-r0 do_fetch: Failed to fetch URL
git://anongit.freedesktop.org/git/virglrenderer;branch=branch-0.9.1,
attempting MIRRORS if available
(From OE-Core rev: 72450859dd5ee5395b64917516f185a2eed52775)
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Change the SRC_URI to the correct value due to the following error:
WARNING: boost-native-1.86.0-r0 do_fetch: Checksum failure encountered with download of https://boostorg.jfrog.io/artifactory/main/release/1.86.0/source/boost_1_86_0.tar.bz2 - will attempt other sources if available
(From OE-Core rev: 3b4c5ce6b89477307f3a2c30c7e275473b0c9f00)
Signed-off-by: Jiaying Song <jsong-cn@ala-lpggp7.wrs.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
backport to kirkstone.
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Latest stable branch update which includes 396 commits and the full
list of changes can be found at:
https://github.com/systemd/systemd-stable/compare/v250.5...v250.14
All the patches were refreshed with devtool.
Backported this upstreamed patch to resolve the compile error while
building systemd with qemumips machine.
- 0001-core-fix-build-when-seccomp-is-off.patch
These 2 below patches were modified to resolve the merge conflicts
introduced by systemd v250.14 version:
1. 0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch
- This patch was just adjusted based on the systemd v250.14 version.
2. 0001-pass-correct-parameters-to-getdents64.patch
- For this patch, there was a commit reverted as part of the v250.8 tag:
51089e007f
These below 6 patches were dropped as systemd v250.14 already has
the changes:
- 0001-shared-json-allow-json_variant_dump-to-return-an-err.patch
- CVE-2022-3821.patch
- CVE-2022-4415-1.patch
- CVE-2022-4415-2.patch
- CVE-2022-45873.patch
- CVE-2023-7008.patch
(From OE-Core rev: 371d030a665e3c963a586ab02d10f1f36b225435)
Signed-off-by: Narpat Mali <narpat.falna@gmail.com>
Signed-off-by: Randy Macleod <randy.macleod@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The text format has been removed, so also remove references and examples
using this format. Replace with examples with the JSON format.
(From yocto-docs rev: 9798689e4f4b74163c2e8594f3d1ce082d295aa1)
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a52cd7bcadccc53e982f90d6e170d00798322597)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This includes CVE-fix for CVE-2025-22134 and CVE-2025-24014
Changes between 9.1.0764 -> 9.1.1043
====================================
https://github.com/vim/vim/compare/v9.1.0764...v9.1.1043
(From OE-Core rev: 73b5570a16708d1e749b1ec525299d10557cbf56)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer
dereference via the component libavformat/mov.c.
(From OE-Core rev: 599ee3f195bc66d57797c121fa0b73a901d6edfa)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c module,
a potential security vulnerability exists due to insufficient validation of
certain parameters when parsing Speex codec extradata. This vulnerability
could lead to integer overflow conditions, potentially resulting in undefined
behavior or crashes during the decoding process.
(From OE-Core rev: 3efef582892a5a9286041837098b80aa59d1b688)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library
which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.
(From OE-Core rev: 46680bed23ef6f529c7e554b5611a7c098fce8a9)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-server/rtsp-media.c
allows remote attackers to cause a denial of service via a series of specially crafted
hexstream requests.
(From OE-Core rev: ce328462a12eeaa59994e2236071aa17a083c263)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This vulnerability was introduced in 5.1, so 5.0.1 is not affected.
(From OE-Core rev: ea6e581067cafd5f367c68871bc312d3ba11b4da)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There is no release which is vulnerable to these CVEs.
These vulnerabilities are in new features being developed and were fixed
before release.
NVD most likely does not accept CVE rejection from a non-maintainer and
non-reporter, so ignoring this CVE should be acceptable solution.
(From OE-Core rev: 220a05e27913bf838881c3f22a17d0409c5154a9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit from 2.12 branch.
(From OE-Core rev: ab804cd27ecf7ee65a9feea477140502ecbc0d73)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This reverts commit a9cd3321558e95f61ed4c5eca0dcf5a3f4704925.
The fix for CVE-2023-45237 has been reverted. And the fix for
CVE-2023-45236 depends on it. So revert it too.
(From OE-Core rev: c61e31f192837b05bc309a05aef95c3be5b44997)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This reverts commit 6f8bdaad9d22e65108f859a695277ce1b20ef7c6.
his reverts commit 4c2d3e3730.
The fix for CVE-2023-45237 causes ovmf firmware not support pxe boot
any more and no boot item in OVMF menu such as
UEFI PXEv4 (MAC address)
It has not been fixed by ovmf upstream and an issue has been created on
https://github.com/tianocore/tianocore.github.io/issues/82
Revert the fixes for now.
(From OE-Core rev: d3f399f54042efc6f4ca2092dd11819ae1f7c51f)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error
and resultant heap memory corruption for squashfs directory listing because the
path separator is not considered in a size calculation.
https://nvd.nist.gov/vuln/detail/CVE-2024-57259
(From OE-Core rev: e4b713ff07695487cc9307ffc3576a11775cde4d)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1
occur for a crafted squashfs filesystem via sbrk, via request2size,
or because ptrdiff_t is mishandled on x86_64.
https://nvd.nist.gov/vuln/detail/CVE-2024-57258
(From OE-Core rev: b4bf3ba66052db7a311ac696563a8a0f9c585600)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1
occurs via a crafted squashfs filesystem with deep symlink nesting.
https://nvd.nist.gov/vuln/detail/CVE-2024-57257
(From OE-Core rev: 5ed8ad78bcce836aa8894de7a1d7fdf719e5bbca)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
