In http://ftp.debian.org/debian/pool/main/m/minicom/, the
tarball of minicom_2.9.orig.tar.bz2 cannot be found.
So the old SRC_URI should be updated.
(From OE-Core rev: 49fcec2041071d44289e03cac087de6b929d6153)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been identified in the libarchive library. This flaw
can be triggered when file streams are piped into bsdtar, potentially
allowing for reading past the end of the file. This out-of-bounds read
can lead to unintended consequences, including unpredictable program
behavior, memory corruption, or a denial-of-service condition.
CVE-2025-5918-0001 is the dependent commit and CVE-2025-5918-0002 is the actual CVE fix.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5918
Upstream-patches:
89b8c35ff4dcbf1e0ede
(From OE-Core rev: 369c164a163b2c7f15ee5fc41130be9feaf7245e)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been identified in the libarchive library. This flaw
involves an 'off-by-one' miscalculation when handling prefixes and
suffixes for file names. This can lead to a 1-byte write overflow. While
seemingly small, such an overflow can corrupt adjacent memory, leading to
unpredictable program behavior, crashes, or in specific circumstances,
could be leveraged as a building block for more sophisticated
exploitation.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5917
Upstream-patch:
7c02cde37a
(From OE-Core rev: 2b6832b05bab414df1da7c74a0c6a5e5a9d75b29)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been identified in the libarchive library. This flaw
involves an integer overflow that can be triggered when processing a Web
Archive (WARC) file that claims to have more than INT64_MAX - 4 content
bytes. An attacker could craft a malicious WARC archive to induce this
overflow, potentially leading to unpredictable program behavior, memory
corruption, or a denial-of-service condition within applications that
process such archives using libarchive.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5916
Upstream-patch:
ef09372952
(From OE-Core rev: 9c74d3a096fed68d173f8711b373a42f158d6cc7)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been identified in the libarchive library. This flaw
can lead to a heap buffer over-read due to the size of a filter block
potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This
means the library may attempt to read beyond the allocated memory buffer,
which can result in unpredictable program behavior, crashes (denial of
service), or the disclosure of sensitive information from adjacent memory
regions.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5915
Upstream-patches:
a612bf62f8
(From OE-Core rev: 99fdc86ad57db4d8829a33033918cf78419977af)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
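The commit message above describes a filter block whose declared size exceeds the LZSS window, so the decoder reads past the window buffer. The following is an added illustration of the check that prevents that class of over-read; it is example code written here, not libarchive's RAR reader, and the `lzss_window` layout, the `DEMO_WINDOW` size and the helper names are assumptions for the demo. The window is treated as circular, so a block may wrap around the end, but a block longer than the window itself is rejected before any copy is made.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_WINDOW 16   /* tiny window for the demo; real decoders use MiB-sized ones */

/* Minimal circular LZSS-style window (hypothetical layout, not libarchive's struct). */
typedef struct {
    const uint8_t *buf;
    size_t size;
} lzss_window;

/* Copies a `len`-byte filter block starting at window offset `start` into `out`.
 * `len` is the untrusted value (it comes from the archive): a block larger than
 * the window cannot exist, so it is rejected up front instead of letting memcpy
 * run past the end of `buf`. Offsets wrap because the window is circular. */
static bool filter_block_extract(const lzss_window *w, size_t start, size_t len,
                                 uint8_t *out, size_t outcap)
{
    if (w == NULL || w->buf == NULL || w->size == 0)
        return false;
    if (len > w->size)      /* the over-read: block claims more than the window holds */
        return false;
    if (len > outcap)       /* destination must be large enough as well */
        return false;
    start %= w->size;
    size_t until_wrap = w->size - start;
    if (len <= until_wrap) {
        memcpy(out, w->buf + start, len);
    } else {
        memcpy(out, w->buf + start, until_wrap);
        memcpy(out + until_wrap, w->buf, len - until_wrap);
    }
    return true;
}

static uint8_t demo_buf[DEMO_WINDOW];

/* Constructed window holding the bytes 0..15 in order. */
static lzss_window demo_window(void)
{
    for (size_t i = 0; i < DEMO_WINDOW; i++)
        demo_buf[i] = (uint8_t)i;
    lzss_window w = { demo_buf, DEMO_WINDOW };
    return w;
}

/* Returns byte `i` of the extracted block, or -1 if the block was rejected. */
static int extract_byte(const lzss_window *w, size_t start, size_t len, size_t i)
{
    uint8_t out[DEMO_WINDOW];
    if (!filter_block_extract(w, start, len, out, sizeof out) || i >= len)
        return -1;
    return out[i];
}

int main(void)
{
    lzss_window w = demo_window();
    printf("block at 14, len 4, byte 2: %d (wrapped to window start)\n",
           extract_byte(&w, 14, 4, 2));
    printf("block len 17: %d (rejected, larger than the window)\n",
           extract_byte(&w, 0, 17, 0));
    return 0;
}
```

The length comparison happens before the offset is reduced modulo the window size, which is the order that matters: wrapping the start offset is legitimate, but no start offset can make a block longer than the window fit.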
A vulnerability has been identified in the libarchive library,
specifically within the archive_read_format_rar_seek_data() function.
This flaw involves an integer overflow that can ultimately lead to a
double-free condition. Exploiting a double-free vulnerability can result
in memory corruption, enabling an attacker to execute arbitrary code or
cause a denial-of-service condition.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-5914
Upstream-patch:
09685126fc
(From OE-Core rev: b7d8249bda296620a5bbf592f4cdf566b4537563)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When the input compiler enables AVX, stack realignment requirements
cause gcc to fail to omit %rbp use, due to which the test fails to
clobber %rbp in inline asm. Disable AVX to build the test on x86_64 so
that the test continues working.
Fix compilation with gcc v13.4+. Cherry-picked from oe-core, master branch.
(From OE-Core rev: 54d6fa7bc9f4ae6bdb98862488e8d09200d3bc14)
Signed-off-by: Preeti Sachan <preeti.sachan@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch for this CVE and also patch for its regression.
(From OE-Core rev: 352525443b1844cdfd28355dfc1444046bbb76e8)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2025-47268
ping in iputils through 20240905 allows a denial of service (application
error or incorrect data collection) via a crafted ICMP Echo Reply
packet, because of a signed 64-bit integer overflow in timestamp
multiplication.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47268
Patch from:
070cfacd73
(From OE-Core rev: 6b0dd564249754ab8ec20ce69b137466e051501e)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
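Two of the advisories above are signed 64-bit arithmetic that wraps: the WARC reader accepting a content length above INT64_MAX - 4 (CVE-2025-5916) and ping's timestamp multiplication in iputils (CVE-2025-47268). The block below is an added example of the check that rejects both before the arithmetic happens. It is illustration code, not libarchive's or iputils' source; `WARC_TRAILER_LEN`, `USEC_PER_SEC` and the two wrapper functions are assumptions chosen to mirror the descriptions. The checks use only comparisons against INT64_MAX / INT64_MIN, because signed wraparound is undefined behaviour in C and cannot be tested for after the fact.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical constants for the demo (not taken from libarchive or iputils). */
#define WARC_TRAILER_LEN 4          /* bytes the reader adds after the declared content */
#define USEC_PER_SEC     1000000LL

/* Overflow-checked signed 64-bit addition: stores a+b only if it is representable. */
static bool checked_add_i64(int64_t a, int64_t b, int64_t *out)
{
    if ((b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Overflow-checked signed 64-bit multiplication. Each sign combination is
 * bounded with a division, so no intermediate expression can overflow. */
static bool checked_mul_i64(int64_t a, int64_t b, int64_t *out)
{
    if (a == 0 || b == 0) { *out = 0; return true; }
    if (a > 0) {
        if (b > 0 && a > INT64_MAX / b) return false;
        if (b < 0 && b < INT64_MIN / a) return false;
    } else {
        if (b > 0 && a < INT64_MIN / b) return false;
        if (b < 0 && b < INT64_MAX / a) return false;
    }
    *out = a * b;
    return true;
}

/* WARC-style check: a record declaring `content_length` bytes must leave room
 * for the fixed trailer. A claim above INT64_MAX - WARC_TRAILER_LEN is rejected
 * instead of wrapping to a negative span. */
static bool warc_span_ok(int64_t content_length, int64_t *span)
{
    if (content_length < 0)
        return false;
    return checked_add_i64(content_length, WARC_TRAILER_LEN, span);
}

/* ping-style check: seconds * 1e6 + microseconds taken from an echo reply
 * must not overflow; the microsecond field is also range-checked. */
static bool timestamp_to_usec(int64_t sec, int64_t usec, int64_t *total)
{
    int64_t scaled;
    if (usec < 0 || usec >= USEC_PER_SEC)
        return false;
    if (!checked_mul_i64(sec, USEC_PER_SEC, &scaled))
        return false;
    return checked_add_i64(scaled, usec, total);
}

int main(void)
{
    int64_t v;
    printf("WARC length INT64_MAX-4: %s\n", warc_span_ok(INT64_MAX - 4, &v) ? "ok" : "rejected");
    printf("WARC length INT64_MAX-3: %s\n", warc_span_ok(INT64_MAX - 3, &v) ? "ok" : "rejected");
    printf("timestamp (1 s, 500000 us): %s\n",
           timestamp_to_usec(1, 500000, &v) ? "ok" : "rejected");
    printf("timestamp (INT64_MAX/1e6 + 1 s, 0 us): %s\n",
           timestamp_to_usec(INT64_MAX / USEC_PER_SEC + 1, 0, &v) ? "ok" : "rejected");
    return 0;
}
```

On GCC and Clang the same guards can be written with `__builtin_add_overflow` and `__builtin_mul_overflow`; the hand-written form is shown so the bound on each sign combination is visible.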
Initially, the PAM community fixed CVE-2024-10041 in version v1.6.0 via commit b3020da.
But not all cases were covered by this fix and issues were reported after the release.
In the v1.6.1 release, the PAM community fixed these issues via commit b7b9636.
Backport this commit b7b9636, which
Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Backport from b7b9636208
(From OE-Core rev: 78a04ce17e7d828c0cf8cae2164882683d46275e)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is an update containing only bug-fix and security releases.
On top of the previous CVE patches, CVE-2024-48615 is also handled.
Many security fixes without CVE assignment are also included.
Note that upgrade to 3.7.5 on master required fix of test in
python3-libarchive-c, however that recipe does not yet have ptest in
scarthgap and the fix was in test only, not in productive code, so it is
not necessary in scarthgap.
Also remove CVE_STATUS which was obsolete already before this upgrade.
(From OE-Core rev: f20516a3ed8a39d7e4deddf11dd2acd871894048)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
License-Update: homepage update in [1]
[1] c5c091332c
(From OE-Core rev: e6565ca37da4821f8e3924fe6bc6a6f4eeedd9a9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* in builds with zip in HOSTTOOLS mc fails with:
ERROR: mc-4.8.31-r0 do_package_qa: QA Issue: File /usr/libexec/mc/extfs.d/uzip in package mc-helpers-perl contains reference to TMPDIR [buildpaths]
and it's because of the path to zip:
mc/4.8.31/package $ grep -R styhead .
./usr/libexec/mc/extfs.d/uzip:my $app_zip = "TMPDIR/hosttools/zip";
* don't use /usr/bin/env as in other cases, because app_zip is then used e.g. with:
my $cmd_addlink = "$app_zip -g -y";
(From OE-Core rev: 4003b5faa1e5acfa025e1d0df4e021e06cf8724c)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit referencing this MR which was merged to master.
(From OE-Core rev: a4ff82c789d50a3f411170636679ce46c8f84b25)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Starting from the 2023d version, the tzcode makefile no longer uses the "cc"
variable for the C compiler, due to a Makefile refactoring.
Replacing "cc" with "CC" fixes the issue.
(From OE-Core rev: c297d2cd8d28463adca5158c9895f1492754d569)
Signed-off-by: Alessio Cascone <alessio.cascone@vimar.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b3cdfca5ef84ed2054faef9abddef3aeed930e17)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Applications that use Wget to access a remote resource using
shorthand URLs and pass arbitrary user credentials in the URL
are vulnerable. In these cases attackers can enter crafted
credentials which will cause Wget to access an arbitrary host.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-10524
Upstream-patch:
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778
(From OE-Core rev: 425c3f55bd316a563597ff6ff95f8104848e2f10)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
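The Wget advisory above concerns applications that splice user-supplied credentials into a URL, so that a crafted credential moves the authority boundary and the request goes to a different host. The following is an added illustration of that bug class and of the usual fix (percent-encode the credentials, then re-parse and compare the host); it is example code written here, not Wget's URL parser or the patched code, and `url_host`, `pct_encode`, `build_url`, the hostnames and the credential strings are constructed for the demo. The parser follows the RFC 3986 rule that the authority ends at the first `/`, `?` or `#`, which is the boundary an unencoded credential can shift.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Host extraction in the RFC 3986 style: the authority runs from after "://"
 * to the first '/', '?' or '#'; userinfo is everything before the LAST '@'
 * in it; a trailing ":port" is dropped. (IPv6 literals are out of scope.) */
static bool url_host(const char *url, char *host, size_t cap)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return false;
    p += 3;
    const char *end = p + strcspn(p, "/?#");
    const char *h = p;
    for (const char *q = p; q < end; q++)
        if (*q == '@') h = q + 1;
    const char *colon = memchr(h, ':', (size_t)(end - h));
    size_t n = (size_t)((colon ? colon : end) - h);
    if (n == 0 || n >= cap) return false;
    memcpy(host, h, n);
    host[n] = '\0';
    return true;
}

/* Percent-encodes everything except RFC 3986 unreserved characters, so a
 * credential can never terminate the userinfo or the authority early. */
static bool pct_encode(const char *in, char *out, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        bool unreserved = isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~';
        if (unreserved) {
            if (n + 1 >= cap) return false;
            out[n++] = (char)c;
        } else {
            if (n + 3 >= cap) return false;
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0F];
        }
    }
    out[n] = '\0';
    return true;
}

/* Builds "http://user:pass@host/". With encode=false this is the pattern the
 * advisory warns about: raw user input spliced straight into the URL. */
static bool build_url(const char *user, const char *pass, const char *host,
                      bool encode, char *out, size_t cap)
{
    char u[256], p[256];
    if (encode) {
        if (!pct_encode(user, u, sizeof u) || !pct_encode(pass, p, sizeof p))
            return false;
        user = u;
        pass = p;
    }
    int n = snprintf(out, cap, "http://%s:%s@%s/", user, pass, host);
    return n > 0 && (size_t)n < cap;
}

/* Builds the URL, re-parses it and writes the host it really addresses to
 * `got`. Returns true only if that host is the one the application intended. */
static bool url_targets_host(const char *user, const char *pass, const char *host,
                             bool encode, char *got, size_t cap)
{
    char url[1024];
    if (!build_url(user, pass, host, encode, url, sizeof url)) return false;
    if (!url_host(url, got, cap)) return false;
    return strcmp(got, host) == 0;
}

int main(void)
{
    char got[128];
    const char *cred = "evil.example/";   /* constructed attacker-supplied username */
    bool ok = url_targets_host(cred, "pw", "files.example", false, got, sizeof got);
    printf("raw splice    -> host %-15s (%s)\n", got, ok ? "intended" : "REDIRECTED");
    ok = url_targets_host(cred, "pw", "files.example", true, got, sizeof got);
    printf("percent-coded -> host %-15s (%s)\n", got, ok ? "intended" : "REDIRECTED");
    return 0;
}
```

The re-parse-and-compare step in `url_targets_host` is the check worth keeping even after encoding: it catches any other way the assembled URL could end up pointing somewhere other than the host the code meant to contact.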
A vulnerability was found in PAM. The secret information is
stored in memory, where the attacker can trigger the victim
program to execute by sending characters to its standard
input (stdin). As this occurs, the attacker can train the
branch predictor to execute a ROP chain speculatively.
This flaw could result in leaked passwords, such as those
found in /etc/shadow while performing authentications.
References:
https://security-tracker.debian.org/tracker/CVE-2024-10041
Upstream patches:
b3020da7da
(From OE-Core rev: 0e76d9bf150ac3bf96081cc1bda07e03e16fe994)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a
successful allocation, but the subsequent code directly dereferences the
pointer that receives it, which may lead to null pointer dereference. To
fix this issue, a null pointer check should be added. If it is null,
return exception code AE_NO_MEMORY.
Refer: https://nvd.nist.gov/vuln/detail/CVE-2024-24856
(From OE-Core rev: 5c590ccd1973d343f47e7b7171691400490dfc1a)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
It's possible to build the hdtbl examples before grn has been built:
groff: error: couldn't exec grn: No such file or directory
Backport a dependency fix from upstream.
[ YOCTO #15610 ]
(From OE-Core rev: 40003e1f1444f6202b068dcde632571be208594e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d590a32423d05cefc4e7282f971f633b3fa0b941)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
cracklib was dropped as a dependency in libpam v1.5.0
See the following commit as reference:
d702ff714c
(From OE-Core rev: 7d0c32584846f6cd12e5bda046fb7ad8f8821de4)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The contents of the LICENSE file included in the current source code
package match those of Info-ZIP license, which seems to originate from
the year 2007:
This is version 2007-Mar-4 of the Info-ZIP license.
(From OE-Core rev: 3739a1af61ff6f0faca23bb565f9e71666953715)
(From OE-Core rev: c9bc2bc9c9d0482b13b27505b57df050ebe01898)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The contents of the LICENSE file included in the current source code
package match those of Info-ZIP license, which seems to originate from
the year 2009:
This is version 2009-Jan-02 of the Info-ZIP license.
(From OE-Core rev: e7c9368e56a6ad90b4ffbba1b765e2b3a331c796)
(From OE-Core rev: f4b84a234662bc8f68e54d4753d9f03e4c2e7931)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
new URL for sources: http://ftp.midnight-commander.org/
(From OE-Core rev: 7e11701698a9f38a5e3e0499c0c2edd98d32a85d)
Signed-off-by: Benjamin Szőke <egyszeregy@freemail.hu>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 03c4052718a9b8392b25e1770630317b8cf29fbe)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changelog:
===========
- Fixed error handling when reading a mixed "1setOf" attribute.
- Fixed scheduler start if there is only domain socket to listen on
0001-use-echo-only-in-init.patch
0002-don-t-try-to-run-generated-binaries.patch
0004-cups-fix-multilib-install-file-conflicts.patch
refreshed for 2.4.10.
(From OE-Core rev: 01039c35a89de4bbd1410b3ee08a99cf325adf2b)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dd7a978d2d7feb11f6c265ba812c8ca29912ebc6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
libmnl autoconf autodetects doxygen to generate manpages.
If doxygen is provided via hosttools, the build fails.
Also until now manpages were not needed.
So explicitly disable doxygen in configure step.
(From OE-Core rev: 8d7bbf4d6936d831e341e9443a6b3711be09c7ab)
(From OE-Core rev: fdce1a6f1143edc577f12c7e8fab878ec69c3c9a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
systemd started to warn about used but unset environment variables.
Let us set watchdog_module=none which is used by the watchdog.service to get
rid of the following warning:
watchdog.service: Referenced but unset environment variable evaluates to an empty string: watchdog_module
(From OE-Core rev: 953ea8fa9e3e6a34cbb42e56743fb7c6cf98ff2a)
Signed-off-by: Wadim Egorov <w.egorov@phytec.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8f1dc796c7298373e61d806e63bc121128c1c27c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit fixes a memory corruption issue when iptables (with
enabled PACKAGECONFIG libnftnl) is used to access rules created by
nft.
To reproduce the issue:
nft add chain ip filter TESTCHAIN { meta mark set 123 \;}
iptables -t filter -n -L TESTCHAIN
This produced the following output:
Chain TESTCHAIN (0 references)
target prot opt source destination
MARK 0 -- 0.0.0.0/0 0.0.0.0/0 MARK set 0x7b
malloc(): corrupted top size
Aborted (core dumped)
This commit fixes this issue.
(From OE-Core rev: fa3873cfcda862d8aad564966070af216e4903c6)
Signed-off-by: Christian Taedcke <christian.taedcke@weidmueller.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Also replace the hashbangs using /bin/gawk to use
${bindir}/gawk
This fixes issues such as
https://github.com/riscv/meta-riscv/issues/384
(From OE-Core rev: 64ae7492c69599019ef2bec62a834335539908ef)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f58ad97f6587322b716de1c9dc409bb4e1376f0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When the libnftnl PACKAGECONFIG is enabled, the "iptables" symlink correctly
points to xtables-nft-multi, however "iptables-save" and
"iptables-restore" still point to xtables-legacy-multi.
So, when the "iptables" command is used it's using the nftables backend,
whereas "iptables-save/restore" are using the legacy backend.
This is not consistent with other distros (e.g. Ubuntu).
The issue was identified when testing the UFW firewall with nftables backend.
(From OE-Core rev: 2c0d03ed7bb9c17b1c3ccefd00bf3a4ede9e291f)
Signed-off-by: Kirill Yatsenko <kiriyatsenko@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6579e4333b74232d8b576c399eab88e37da881ac)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Additionally build and package tzdata.zi info file, as e.g. Systemd expects it
to be present.
[YOCTO #15172]
(From OE-Core rev: cea6bc554f8326d1d7b680ce8e8a05f1f186b6d0)
Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a57c7062c9b70361486898974beba4682cf4a76d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>