A flaw was found in the RandR extension, where the RRChangeProviderProperty function
does not properly validate input. This issue leads to an integer overflow when
computing the total size to allocate.
(From OE-Core rev: 15881f41f8c00c5f0a68628c2d49ca1aa1999c2e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients
function does not check for an integer overflow when computing request length,
which allows a client to bypass length checks.
(From OE-Core rev: de28bff9b54b2725d8c06c4760e0ed2b59d3fa61)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the X server's request handling. Non-zero 'bytes to ignore'
in a client's request can cause the server to skip processing another client's
request, potentially leading to a denial of service.
(From OE-Core rev: 4c6df8320497c2ebf09902a62b6a3f3b061be917)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler
does not validate the request length, allowing a client to read unintended memory
from previous requests
(From OE-Core rev: 0b2afd59ce8c35083c1cb3596a2f7d4eaa7bd1c8)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the Big Requests extension. The request length is multiplied
by 4 before checking against the maximum allowed size, potentially causing an
integer overflow and bypassing the size check.
(From OE-Core rev: 0a2c5179e1f08ccd0fcaccb6f95c892ebafac8a8)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the X Rendering extension's handling of animated cursors.
If a client provides no cursors, the server assumes at least one is present,
leading to an out-of-bounds read and potential crash.
(From OE-Core rev: fec7644b70452794fabfb7d967e2124918215440)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Per [1] there are two patches needed - [2] which is already included in
3.13.1 and [3] which is only in 2.13.3.
Backport the second patch.
[1] https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322
[2] ef63669652
[3] 73720c7c99
(From OE-Core rev: 41f855ea5a2018d08e0e9457d710032e96fe669b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These are tracked as versionless redhat CVEs in NVD DB.
(From OE-Core rev: 84b1631bcbead1409ff44a1ed430244784c382be)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
For reasons we have explicit xorg.conf files for a number of the qemu
machines, but not all of them. These mainly disabled screen blanking
(which is now down with a separate fragment) but also explictly set the
device driver to fbdev which meant they didn't use the modesettings
driver as they should (with the virtio framebuffer from qemu).
This is the root cause of why the xserver 21.1.16 upgrade doesn't work
on a number of machines: the /sys probing changed and the fbdev driver
now refuses to use the PCI framebuffer device as there are better
drivers, but we've explictly told xorg to use the wrong driver.
For more details, see https://gitlab.freedesktop.org/xorg/xserver/-/issues/1798.
(From OE-Core rev: ccbb0f5491e13d61015872fba93417b91c3213a2)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8c8039bf4c2d011e3d12c970ce45036b184902a9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a configuration fragment that disables screen blanking, and add it
to all qemu machines.
(From OE-Core rev: bb16526a4a0c39b6c156edbf68c7377bfdfa0bd1)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 780a5ccaa51d5aed18200883a686387e70847e4b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Builder is a common word and there are many other builder components
which makes us to ignore CVEs for all of them.
There is already 1 ignored and currently 3 new ones.
Instead, set product to yocto to filter them.
(From OE-Core rev: 408c987e9134180616f27ae5df3f59166eeaa6d9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Currently weston 13.0.3 with neatvnc 0.8.1 does not compile when using
VNC:
| Dependency neatvnc found: NO found 0.8.1 but need: '< 0.8.0' ;
matched: '>= 0.7.0'
However weston upstream already increased the allowed version to 0.9.0,
since neatvnc 0.8.0 does not introduce any changes that breaks API used
by the VNC backend. Therefore, backport this patch.
(From OE-Core rev: 4aa19f4444feb3968110935818d8628a95672539)
Signed-off-by: Hiago De Franco <hiago.franco@toradex.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8516496018a3ee9e81a67d4682bf9784d0eab2bd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The libsamplerate option was floating and being enabled on some systems
and not others. Fix this to be deterministic.
(From OE-Core rev: 7ee654579ccf818708989251a97662ea11218d14)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 61455a839e568a3ae7e059ea95c02a1c88d39e1a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix int conversion related error during compilation
as some of the platforms where EGLNativeDisplayType
is an int instead of a pointer with GCC-14.
(From OE-Core rev: 17049482f0a112781026376245437c4c8343d28a)
Signed-off-by: Purushottam Choudhary <purushottam27.kumar@lge.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f71f4936a273262343e34f278e6cfcc1e419aea3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If XvFB is enabled, the CVE_STATUS for CVE-2023-5574 should be
'unpatched' rather than the empty string. Otherwise SDPX checker
complains:
xserver-xorg-2_21.1.13-r0 do_create_spdx: Unknown CVE status
(From OE-Core rev: 9965028d74b3c480f7556d299d616999822b79bf)
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0ec5dcbdd7c922df25ce90b04902d9c7c749a8c0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When xwayland PACKAGECONFIG option is set, xwayland is enabled in
weston.ini. However, if the xwayland module isn't installed, weston will
refuse to start with the following error message:
Failed to load module: /usr/lib/libweston-13/xwayland.so: cannot open shared object file: No such file or directory
Therefore, whenever the xwayland PACKAGECONFIG is set, weston-init
should depend on weston-xwayland to bring this module in.
Fixes: fdbe559c66c9 ("weston.init: enabled xwayland")
(From OE-Core rev: ba66fa75e57f94d35bfd703075ea6706879c63cb)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fa2314125318634108452af4e40c9eeee260767c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Weston 13.0.1, a bug fix release for 13.0.0 has been released.
Full changelog:
https://lists.freedesktop.org/archives/wayland-devel/2024-April/043575.html
(From OE-Core rev: 785dc256112029fcc95bcb003ab0436bee6079d1)
Signed-off-by: Denys Dmytriyenko <denis@denix.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a43f4f98aeba01f05157f7784e366a964d2f766f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changes:
render: Avoid possible double-free in ProcRenderAddGlyphs()
mi: fix rounding issues around zero in miPointerSetPosition
(From OE-Core rev: 9c00034001c27a17658ae8ae6a75d0c115a1a16b)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 78dc14599a65075a40c26df4bf9d2bb33a237ca9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When debug build is enabled(-Og is used), pixman-native do_compile
failed with error:
In function ‘combine_inner’,
inlined from ‘combine_soft_light_ca_float’ at ../pixman-0.42.2/pixman/pixman-combine-float.c:655:1:
../pixman-0.42.2/pixman/pixman-combine-float.c:370:5: error: inlining failed in call to ‘always_inline’ ‘combine_soft_light_c’: function not considered for inlining
370 | combine_ ## name ## _c (float sa, float s, float da, float d)
Refer [1], always_inline is not suggested to use with indirect function
call, replace always_inline with __inline__ to fix the issue
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107931
(From OE-Core rev: 6cd503c5e84bf8090b840c69c7569ae1a46528d0)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When debug build is enabled(-Og is used), vulkan-samples do_compile
failed with error:
In function 'ZSTD_compressBlock_lazy_generic',
inlined from 'ZSTD_compressBlock_greedy' at TOPDIR/tmp-glibc/work/core2-32-wrs-linux/vulkan-samples/git/git/third_party/ktx/lib/basisu/zstd/zstd.c:21914:12:
TOPDIR/tmp-glibc/work/core2-32-wrs-linux/vulkan-samples/git/git/third_party/ktx/lib/basisu/zstd/zstd.c:21551:30: error: inlining failed in call to 'always_inline' 'ZSTD_HcFindBestMatch_selectMLS': function not considered for inlining
| FORCE_INLINE_TEMPLATE size_t ZSTD_HcFindBestMatch_selectMLS (
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TOPDIR/tmp-glibc/work/core2-32-wrs-linux/vulkan-samples/git/git/third_party/ktx/lib/basisu/zstd/zstd.c:21736:32: note: called from here
| size_t const ml2 = searchMax(ms, ip, iend, &offsetFound);
Refer [1], always_inline is not suggested to use with indirect function
call, replace always_inline with inline to fix the issue
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107931
(From OE-Core rev: cfff19bb3fae45e62f77e860a4413669a6dc0e81)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 246de52fe59de0612d1145357c5e904a51363c8c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Mitigate occurrences where ':append' operator is used and leading
whitespace character is obviously missing, risking inadvertent
string concatenation.
(From OE-Core rev: 314041fd126a4800a5a5d9fcd84c525319479256)
(From OE-Core rev: eb06788f3abef4af727da7399e7e97830b2f7c8c)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0b6ca9beef)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The patch was submitted upstream
https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/28895
but further investigation revealed that the problem had been solved properly
in meson.class:
https://git.yoctoproject.org/poky/commit/?id=6bf674374d568b2419a4c6eef00d893028878881
(From OE-Core rev: 5dabb17313ed5e4e143708f0c7703cac663e9647)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 020345d63f0ffd3ed2b046bbb5e09b5359b24dd6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When building libinput with the 'gui' PACKAGECONFIG option, it fails
with:
| Run-time dependency x11 found: YES 1.8.9
| Run-time dependency wayland-client found: YES 1.22.0
| Run-time dependency wayland-protocols found: YES 1.34
| Program wayland-scanner found: NO
|
| ../git/meson.build:578:20: ERROR: Program 'wayland-scanner' not found or not executable
|
| A full log can be found at /home/marc/mnt/yocto-latest/build/tmp/work/core2-64-poky-linux/libinput/1.25.0/build/meson-logs/meson-log.txt
| ERROR: meson failed
| WARNING: exit code 1 from a shell command.
Adding a build dependency on wayland-native fixes the issue.
(From OE-Core rev: 71e49dcac0be026d12140598850e2cd38d702317)
Signed-off-by: Marc Ferland <marc.ferland@sonatest.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0e2d18e6267d26870ccbe45734bfccbc02744357)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changelog:
===========
-xlibi18n: restore parse_line1 for WIN32 builds
-Fix _XkbReadGetDeviceInfoReply for nButtons == dev->buttons
-_XimProtoIMFree:no need to check arg for Xfree()
-_XimEncodeString:no need to check arg for Xfree()
-Fix XCreateIC() memory leak (Part 2)
-_XimLocalDestroyIC:fix possible mem leak
-_XimLocalCreateIC: get rid of bzero
-_XimLocalCreateIC: minor cleanup
-_XimLocalCreateIC:no need to check arg for Xfree()
-_XimLocalDestroyIC: no need to check arg for Xfree()
-fix table width
(From OE-Core rev: 14ec9ffa949e5bc42fc04aa5a86ad3acf59d8e72)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bd8fab6937cddf3b6818e8e333b78813f0524116)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Mesa 24.0.3 is a bug fix release which fixes bugs found since the 24.0.2 release.
New features
None
Bug fixes
v3d: Line rendering broken when smoothing is enabled
DR crashes with mesa 24 and rusticl (radeonsi)
RADV: GPU crash when setting ‘RADV_DEBUG=allbos’
[intel] mesa ftbfs with time_t64
[radv] Crash when VkGraphicsPipelineCreateInfo::flags = ~0u
Gen4 assertion `force_writemask_all’ failed.
[radv] Holographic projection texture glitch in Rage 2
[build failure] [armhf] - error: #error “_TIME_BITS=64 is allowed only with _FILE_OFFSET_BITS=64”
RustiCL: Callbacks are not called upon errors
MTL: regressions in vulkancts due to BO CCS allocations
zink: spec@ext_external_objects@vk-image-overwrite fail
0001-Revert-meson-do-not-pull-in-clc-for-clover.patch
refreshed for 24.0.3
(From OE-Core rev: 78c39ef7502f91243cf09aa20f6ad30fe4f87fee)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 43240c8b2c5507fe6147ba04ec98528602c694e1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changelog:
===========
-Remove superfluous and unguarded config.h include
-XcursorXcFileLoad: plug memory leak in error paths
-Add comment about keeping libxcb-cursor copy of code in sync
-If O_CLOEXEC is defined, add "e" to fopen modes
-configure: Use LT_INIT from libtool 2 instead of deprecated AC_PROG_LIBTOOL
-gitlab CI: stop requiring Signed-off-by in commits
(From OE-Core rev: 21be5356da5f842848241aa9c17d9d2126bfdc31)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b56224f31ac4df426418ffe9fa48f4d2dea3f148)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changelog:
===========
-Fixed a regression causing SDL_WaitEvent() to return spurious failures
-Fixed X11 cursors on the latest release of GNOME
-Wayland windows automatically have OpenGL enabled again
-Fixed memory corruption when converting signed 16-bit audio to float
-Fixed audio artifacts when converting signed 8-bit audio to float
-Fixed the clip rectangle not being updated when the viewport changes in the SDL renderer
-Convert mouse wheel coordinates to the rendering view in the SDL renderer
-Fixed a crash handling controllers on macOS
-Fixed a crash setting a window fullscreen with Emscripten
-Fixed the keyboard automatically popping up when resuming an application on Android
(From OE-Core rev: 9d5bbe4389ee33e89ba419924fe82f4ce872fb26)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a17c05585a0da0166087ae0cd3cd4331a1fb2615)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Disable BlankTime, StandbyTime, SuspendTime and OffTime in X default for QEMU images
This fix addresses the issue of Xserver screensaver blanking being enabled on QEMU images by
disabling BlankTime, StandbyTime, SuspendTime, and OffTime in the Xorg default settings for QEMU images.
Reference : https://www.x.org/archive/X11R6.8.0/doc/xorg.conf.5.html
[YOCTO #15436]
Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 173fb4247fdb2b7b5e6a1a604ddbbc8727b3d3bb)
Signed-off-by: K Sanjay Nayak <nayakksanjay@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
"""
This release contains the 3 security fixes that actually apply to
Xwayland reported in today's security advisory:
* CVE-2024-31080
* CVE-2024-31081
* CVE-2024-31083
Additionally, it also contains a couple of other fixes, a copy/paste
error in the DeviceStateNotify event and a fix to enable buttons with
pointer gestures for backward compatibility with legacy X11 clients.
"""
https://lists.x.org/archives/xorg/2024-April/061614.html
(From OE-Core rev: c89fea4ffb101e3d7079e126721b95fdf199b4aa)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* on some hosts (e.g. on my gentoo after recent update) it detects OpenMP in do_configure:
Run-time dependency OpenMP found: YES 4.5
but then fails in do_compile as shown in:
http://errors.yoctoproject.org/Errors/Details/754632/
gcc -o test/fetch-test test/fetch-test.p/fetch-test.c.o -LTOPDIR/tmp-glibc/work/x86_64-linux/pixman-native/0.42.2/recipe-sysroot-native/usr/lib -LTOPDIR/tmp-glibc/work/x86_64-linux/pixman-native/0.42.2/recipe-sysroot-native/lib -Wl,--as-needed -Wl,--no-undefined -Wl,--enable-new-dtags -Wl,-rpath-link,TOPDIR/tmp-glibc/work/x86_64-linux/pixman-native/0.42.2/recipe-sysroot-native/usr/lib -Wl,-rpath-link,TOPDIR/tmp-glibc/work/x86_64-linux/pixman-native/0.42.2/recipe-sysroot-native/lib -Wl,-rpath,TOPDIR/tmp-glibc/work/x86_64-linux/pixman-native/0.42.2/recipe-sysroot-native/usr/lib -Wl,-rpath,TOPDIR/tmp-glibc/work/x86_64-linux/pixman-native/0.42.2/recipe-sysroot-native/lib -Wl,-O1 '-Wl,-rpath,$ORIGIN/../pixman' -Wl,-rpath-link,TOPDIR/tmp-glibc/work/x86_64-linux/pixman-native/0.42.2/build/pixman -Wl,--start-group test/libtestutils.a pixman/libpixman-1.so.0.42.2 -pthread -fopenmp -fopenmp -lm -Wl,--end-group
gcc: fatal error: cannot read spec file ‘libgomp.spec’: No such file or directory
compilation terminated.
it's only used in tests, so should be safe to disable for native builds
* the check in meson uses /usr/include/omp.h which is provided by libomp
even when openmp support is disabled in native gcc in gentoo this happned
after switching from 17.1 profile to 23.0 which doesn't include openmp
USE flag by default, if you later run depclean it will uninstall libomp
as well which will fix this conflict in meson's OpenMP autodetection
(From OE-Core rev: b64d4e30bbd972d0665cc310bc0fdde3b49f0367)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch is no longer needed with llvm/clang 18+
(From OE-Core rev: 22174e5b64cc46e3e5b9f45d0b7796e92f20a48c)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
