The SRC_URI is changed to git://gitlab.eclipse.org/eclipse/tcf/tcf.agent.git
(From OE-Core rev: f359677709aba80735a38578475a34e1b83d321c)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
libnsl2 and libtirpc were build dependencies for the nis module.
The nis module was deprecated in Python 3.11 and removed in Python 3.13
(From OE-Core rev: cbc7b1ed7747ef69d8bcbaee27c90560ded713d6)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
setuptools is a package that allows users to download, build, install,
upgrade, and uninstall Python packages. A path traversal vulnerability
in `PackageIndex` is present in setuptools prior to version 78.1.1. An
attacker would be allowed to write files to arbitrary locations on the
filesystem with the permissions of the process running the Python code,
which could escalate to remote code execution depending on the context.
Version 78.1.1 fixes the issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47273
Upstream-patch:
d8390feaa9250a6d1797
(From OE-Core rev: cfb2d77f841ae21cae0ba7d6263dc3e1e0280400)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
urllib3 is a user-friendly HTTP client library for Python. Prior
to 2.5.0, urllib3 does not control redirects in browsers and
Node.js. urllib3 supports being used in a Pyodide runtime utilizing
the JavaScript Fetch API or falling back on XMLHttpRequest. This
means Python libraries can be used to make HTTP requests from a
browser or Node.js. Additionally, urllib3 provides a mechanism to
control redirects, but the retries and redirect parameters are
ignored with Pyodide; the runtime itself determines redirect
behavior. This issue has been patched in version 2.5.0.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50182
Upstream patch:
7eb4a2aafe
(From OE-Core rev: 082b865d9814e7e7aca4466551a035199aa8b563)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
urllib3 is a user-friendly HTTP client library for Python. Prior to
2.5.0, it is possible to disable redirects for all requests by
instantiating a PoolManager and specifying retries in a way that
disable redirects. By default, requests and botocore users are not
affected. An application attempting to mitigate SSRF or open redirect
vulnerabilities by disabling redirects at the PoolManager level will
remain vulnerable. This issue has been patched in version 2.5.0.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50181
Upstream patch:
f05b132912
(From OE-Core rev: 819273b5b8b9279c01035cb72377fd8cbb51a198)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
ctest automatically optimizes the order of (parallel) test execution based on
historic test case runtime via the COST property (see [0]), which can have a
significant impact on overall test run times. Sadly this feature is broken in
CMake < 4.0.0 for test cases that have spaces in their name (see [1]).
This commit backports the upstream fix. As repeated test runs are expected to
mainly take place inside the SDK, the patch is only applied to 'nativesdk'
builds.
[0]: https://cmake.org/cmake/help/latest/prop_test/COST.html
[1]: https://gitlab.kitware.com/cmake/cmake/-/issues/26594
Reported-By: John Drouhard <john@drouhard.dev>
(From OE-Core rev: ead0d06d6335fb74c1ae0dc7bdcf414c66b3e4ab)
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dcbaf42dd74cc0bda7254856589613718ed3f057)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
NVD ([1]) tracks this as:
cpe:2.3🅰️golang:go:*:*:*:*:*:*:*:*
Running on/with
cpe:2.3⭕microsoft:windows:-:*:*:*:*:*:*:*
Yocto cve-check ignores the "Running on/with", so it needs to be ignored
explicitly.
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-3566
(From OE-Core rev: c43a9f7ca85f1c25a72f7b1efa494e30d6cf4906)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
GCC 14.3 is a bug-fix release from the GCC 14 branch
containing important fixes for regressions and serious bugs in
GCC 14.2 with more than 211 bugs fixed since the previous release.
https://gcc.gnu.org/bugzilla/buglist.cgi?bug_status=RESOLVED&resolution=FIXED&target_milestone=14.3
Dropped the below patches:
0026-gcc-Fix-c-tweak-for-Wrange-loop-construct.patch
a9f88741a9
0027-gcc-backport-patch-to-fix-data-relocation-to-ENDBR-s.patch
aa4cd61445
0028-fix-incorrect-preprocessor-line-numbers.patch
8cbe033a8a
0001-arm-Fix-LDRD-register-overlap-PR117675.patch
9366c32851
gcc.git-ab884fffe3fc82a710bea66ad651720d71c938b8.patch
ab884fffe3
(From OE-Core rev: aa59bbbbedb25d772648c4cb1498b34b43efb0fb)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upgrade to latest 1.24.x release [1]:
$ git --no-pager log --oneline go1.24.3..go1.24.4
6796ebb2cb [release-branch.go1.24] go1.24.4
85897ca220 [release-branch.go1.24] net/http: strip sensitive proxy headers from redirect requests
9f9cf28f8f [release-branch.go1.24] os: don't follow symlinks on Windows when O_CREATE|O_EXCL
a31c931adf [release-branch.go1.24] cmd/link: allow linkname reference to a TEXT symbol regardless of size
03811ab1b3 [release-branch.go1.24] crypto/x509: decouple key usage and policy validation
04a9473847 [release-branch.go1.24] lib/fips140: set inprocess.txt to v1.0.0
db8f1dc948 [release-branch.go1.24] hash/maphash: hash channels in purego version of maphash.Comparable
664cf832ec [release-branch.go1.24] runtime/debug: document DefaultGODEBUG as a BuildSetting
431f75a0b9 [release-branch.go1.24] os: fix Root.Mkdir permission bits on OpenBSD
Fixes CVE-2025-4673, CVE-2025-0913 and CVE-2025-22874 [2].
[1] https://github.com/golang/go/compare/go1.24.3...go1.24.4
[2] https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
(From OE-Core rev: 50fe0b3832f741bc7f9ea0b996a7e99c5696c0ba)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Refresh patches.
* https://www.python.org/downloads/release/python-3134/
Security content in this release
* gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330]
[CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed
tarfile extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
* gh-133767: Fix use-after-free in the “unicode-escape” decoder with a
non-“strict” error handler.
* gh-128840: Short-circuit the processing of long IPv6 addresses early
in ipaddress to prevent excessive memory consumption and a minor
denial-of-service.
gh-133767 got meawhile CVE-2025-4516 assigned.
(From OE-Core rev: 55a9cd748531c75d46f5d6d53af692a38c6b6716)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Even with our fixes in deterministic_imports.patch the
importlib.metadata package scan was still returning Distribution objects
for empty directories. This interacts badly with rebuilds when recipes
are changing as when a recipe is removed from the sysroot directories
are not removed[1].
In particular this breaks python3-meson-python-native rebuilds when
Meson upgrades from 1.7 to 1.8: the site-packages directory has an empty
meson-1.7.dist-info/ and populated meson-1.8.dist-info/. Whilst it's
deterministic to return the empty 1.7 first, this breaks pypa/build as
it looks through the distributions in order.
We had discussed this with upstream previously and there's a more
comprehensive fix upstream (actually in importlib_metadata, not cpython)
which ensures that valid distribution objects are listed first. So we
can drop our patch and replace it with a backport to fix these rebuilds.
[1] oe-core 4f94d929639 ("sstate/staging: Handle directory creation race issue")
(From OE-Core rev: 73de8daa6293403f5b92d313af32882c47bce396)
(From OE-Core rev: 1c1b651038e15445c495d87c38beeb92f00d9919)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These .pyc files were non-deterministic because they used frozensets[1],
but this has been fixed in 3.11 onwards.
[1] https://github.com/python/cpython/issues/81777
[2] 51999c960e
(From OE-Core rev: c8c391ed3e0598a3bea7bc0981126d870315063d)
(From OE-Core rev: 75758dc92003892edc32cccb3c830926b5c4942a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
PR32858 ld segfault on fuzzed object
We missed one place where it is necessary to check for empty groups.
Backport a patch from upstream to fix CVE-2025-5244
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d1458933830456e54223d9fc61f0d9b3a19256f5]
(From OE-Core rev: 81e5831ea48e9d1e4b37e4ef6af11d382d7f1df8)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Since 3.51.0, python3-pygobject depends on libgirepository 2.0 provided
by glib-2.0 instead of libgirepository 1.0 provided by
gobject-introspection[1]. It still needs the typelib files from
libgirepository-1.0 package. Add gobject-introspection as a runtime
dependency.
Fixes:
$ python3
Python 3.13.2 (main, Feb 4 2025, 14:51:09) [GCC 14.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import gi
>>> from gi.repository import Gtk
Traceback (most recent call last):
File "/usr/lib64/python3.13/site-packages/gi/importer.py", line 139, in create_module
introspection_module = get_introspection_module(namespace)
File "/usr/lib64/python3.13/site-packages/gi/module.py", line 243, in get_introspection_module
module = IntrospectionModule(namespace, version)
File "/usr/lib64/python3.13/site-packages/gi/module.py", line 111, in __init__
repository.require(namespace, version)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
gi.RepositoryError: Typelib file for namespace 'xlib', version '2.0' not found
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "<python-input-1>", line 1, in <module>
from gi.repository import Gtk
File "/usr/lib64/python3.13/site-packages/gi/importer.py", line 141, in create_module
raise ImportError(e) from e
ImportError: Typelib file for namespace 'xlib', version '2.0' not found
[1] https://gitlab.gnome.org/GNOME/pygobject/-/merge_requests/320
(From OE-Core rev: 6f9e02292c9305e795f2651c3bb6ef5b671e1c74)
(From OE-Core rev: e3fa9ef3239e8bc113e211f5258f84d08284872a)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Resolve static assertion failures caused by incorrect line numbers
after #include directives, introduced by the backport of PR108900 to GCC.
Update line map handling to correctly compute locations in large files,
including fixes for both LC_ENTER and LC_LEAVE to ensure accurate
line number resolution in rare edge cases.
https://gcc.gnu.org/cgit/gcc/commit/?id=edf745dc519ddbfef127e2789bf11bfbacd300b7
(From OE-Core rev: bc868507927fb21637e0ed63bb7ac86d69998d42)
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Prevent an abort in the bfd linker when attempting to
generate dynamic relocs for a corrupt input file.
PR 32638
Backport a patch from upstream to fix CVE-2025-1178
Upstream-Status: Backport from [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=75086e9de1707281172cc77f178e7949a4414ed0]
(From OE-Core rev: 3325b9dfd7a0da2236c96630b67ac2c6d4375840)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We had this CVE patched but the patch was removed with last 2.44 branch
updates as it is now included.
Since there is no new version which could be set in NVD DB, this needs
to be explicitly handled.
(From OE-Core rev: 32f18145dee54f61203506daef339cd132908287)
(From OE-Core rev: b8ed40864e664e1cd50b2015569a406f49a0125e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
NVD has CVE-2023-25584 listed as < 2.40, so we don't need to ignore it
for version 2.44 anymore.
(From OE-Core rev: eaf80096f96e5bebed53076c1dfe7e35e539f383)
(From OE-Core rev: a0ffc4e44ba5e06eccf6d87fb16898454efcb1b2)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Issue is seen with nodejs ending with Illegal instruction on OE
Its also in QT5base and perhaps many other packages using 64bit
atomics.
Thanks to jeroen (oe IRC) to report and help reduce the problem.
(From OE-Core rev: bd62158946e214076686e0709d24771acb60665f)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This includes CVE-fix for CVE-2025-27219, CVE-2025-27220 and
CVE-2025-27221
Changes between 3.4.2 -> 3.4.3
==============================
https://github.com/ruby/ruby/compare/v3_4_2...v3_4_3
(From OE-Core rev: 37747c99ee32153120b67e65a2f3da34c6d58b0f)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d739c52558af986c2ce4c65e1197e8d524d14d22)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Below commits on binutils-2.44 stable branch are updated.
33578177adc dwarf: Dump .debug_loclists only for DWARF-5
fe459e33c67 PR 32603, revert message changes in 0b7f992b78fe and 31e9e2e8d109
37d12dd25d8 gdb/compile: add missing entry in bfd_link_callbacks array
31e9e2e8d10 PR 32603, more ld -w misbehaviour
0b7f992b78f PR 32603, ld -w misbehaviour
8cb98edf123 s390: Add support for z17 as CPU name
ed70d86b491 x86: Remove AVX10.2 256 bit rounding support
e1af7e590a5 elf: Clear the SEC_ALLOC bit for NOLOAD note sections
35db8c6dd2f ld: Pass -Wl,-z,lazy to compiler for i386 lazy binding tests
cc7ec316a45 Updated translations for bfd and gold
bf088ee09a7 PR 32731 ub sanitizer accessing filenames_reversed
78082591ec7 score-elf gas SEGV
d4c7ee9fbc1 gas: fix rs_fill_nop listing
a68d096a0ab Open the 2.44 branch for further development
Dropped: 0015-CVE-2025-1153.patch
Testing was done and there were no regressions found
(From OE-Core rev: e06b23897d51d075327012440afbabfe2d5a3de0)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
https://metacpan.org/pod/perldelta
This provides a fix for CVE-2024-56406
(From OE-Core rev: 8e91cd8293a13d21eb1df5b9b750d9b498bb3530)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Provide support for Perl 5.40.2
https://github.com/arsv/perl-cross/releases/tag/1.6.2
(From OE-Core rev: 9fde5d3657a5842dcdac20eea140077b1e8ae06b)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Due to commit [cdrtools-native: fix booting EFI ISO live failed]
applied to improve mkisofs to fix nsectors exceeds 0xffff situation
which set selection criteria type = 2 and save extra nsectors to
vendor unique selection criteria
In following case, add 64MB extra space to bootable image efi.img,
and the partition table of EFI is truncated to 32M
$ echo 'IMAGE_FSTYPES:pn-core-image-minimal = " live"' >> conf/local.conf
$ echo 'MACHINE_FEATURES:append = " efi pcbios"' >> conf/local.conf
$ echo '# 64MB extra space to bootable image efi.img' >> conf/local.conf
$ echo 'BOOTIMG_EXTRA_SPACE = "65535"' >> conf/local.conf
$ bitbake core-image-minimal
$ fdisk -l tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso
...
Device Boot Start End Sectors Size Id Type
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso1 * 0 376831 376832 184M 0 Empty
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso2 120 65654 65535 32M ef EFI (FAT-12/16/32)
After applying this patch to process extra sector count, the partition
table of EFI is 90.3M
$ fdisk -l tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso
...
Device Boot Start End Sectors Size Id Type
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso1 * 0 376831 376832 184M 0 Empty
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso2 120 185151 185032 90.3M ef EFI (FAT-12/16/32)
[1]https://pdos.csail.mit.edu/6.828/2017/readings/boot-cdrom.pdf
(From OE-Core rev: b4e112ed7e6ba5a6c6df530d696485a588831851)
(From OE-Core rev: 741d5ed1b906b8763d9f346481e980e2041c9c2a)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In ISO live, if the size of efi.img > 32MB, and copy EFI application
(bootx64.efi) to efi.img behind of kernel and initrd, UEFI system
could not find EFI application bootx64.efi
Using QEMU+OVMF to boot ISO live image, press ESC to enter UEFI shell:
...
Shell> ls FS0:\
Directory of: FS0:\
04/05/2011 23:00 12,985,344 bzImage
04/05/2011 23:00 <DIR> 2,048 EFI
04/05/2011 23:00 20,494,696 initrd
04/05/2011 23:00 26 startup.nsh
3 File(s) 33,480,066 bytes
1 Dir(s)
Shell> ls FS0:\EFI
Directory of: FS0:\EFI
0 File(s) 0 bytes
0 Dir(s)
...
In following case, add 64MB extra space to bootable image efi.img,
and the partition table of EFI is truncated to 26.3M
$ echo 'IMAGE_FSTYPES:pn-core-image-minimal = " live"' >> conf/local.conf
$ echo 'MACHINE_FEATURES:append = " efi pcbios"' >> conf/local.conf
$ echo '# 64MB extra space to bootable image efi.img' >> conf/local.conf
$ echo 'BOOTIMG_EXTRA_SPACE = "65535"' >> conf/local.conf
$ bitbake core-image-minimal
$ fdisk -l tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso
...
Device Boot Start End Sectors Size Id Type
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso1 * 0 376831 376832 184M 0 Empty
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso2 120 54079 53960 26.3M ef EFI (FAT-12/16/32)
According to page 11: `Figure 5 - Section Entry' in El Torito Bootable
CD-ROM Format Specification [1]. The sector count takes 2 byte which
means max sector count is 0xffff (65535), for 512-byte sector, the
size of bootable image is no more than 32MB (65536 * 512 / 1024 / 1024)
This commit truncate to 32MB if image size larger than 32MB, and
report a warning, then save the extra image sector count to
vendor unique selection criteria
After apply this commit, the partition table of EFI is truncated to 32M
$ fdisk -l tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso
...
Device Boot Start End Sectors Size Id Type
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso1 * 0 376831 376832 184M 0 Empty
tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.iso2 120 65654 65535 32M ef EFI (FAT-12/16/32)
[1]https://pdos.csail.mit.edu/6.828/2017/readings/boot-cdrom.pdf
(From OE-Core rev: 259bb8907d8bfe1217e88a3b6935c160e5a92f8d)
(From OE-Core rev: d184f119c26983c2f15b47a25204049d0525c871)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
To adapt user network enviroment, buildtools should first try to use
the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these
envs is not set, then use the auto-detected ca file and ca path, and
finally use the CA certificates in buildtools.
nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work
nativesdk-curl don't set default ca file, need
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work
nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also works
nativesdk-python3-requests will use cacert.pem under python module certifi by
default, need to set REQUESTS_CA_BUNDLE
(From OE-Core rev: 0d5f241eee19c0dff9f9f59949485414935edaa2)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Here is one testcase:
For recipe tensorflow-lite-host-tools_2.18.0.bb, refer [1],
do_configure[network] = "1"
and it will git clone some repos in CMakeLists.txt
When buildtools is used and nativesdk-git is installed into sdk,
do_configure failed with error:
[1/9] Performing download step (git clone) for 'protobuf-populate'
Cloning into 'protobuf'...
fatal: unable to access 'https://github.com/protocolbuffers/protobuf/': error setting certificate file: /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-wrlinuxsdk-linux/etc/ssl/certs/ca-certificates.crt
Fix by adding GIT_SSL_CAINFO in BB_ENV_PASSTHROUGH_ADDITIONS, so that
user can export GIT_SSL_CAINFO=${GIT_SSL_CAINFO} in their
do_configure:prepend() to fix above do_configure failure
CURL_CA_BUNDLE and REQUESTS_CA_BUNDLE is similar envvars, so all add
into BB_ENV_PASSTHROUGH_ADDITIONS
[1] https://github.com/nxp-imx/meta-imx/blob/styhead-6.12.3-1.0.0/meta-imx-ml/recipes-libraries/tensorflow-lite/tensorflow-lite-host-tools_2.18.0.bb
(From OE-Core rev: 5fa8cb40395977722d0d5a2271c8044598fb1f01)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* make git,curl,python3-requests align with openssl, move the setting of
envvars into respective envfile
* for environment.d-openssl.sh, also check if ca-certificates.crt exist
before export envvars
(From OE-Core rev: 5c915fcada5868bdbb8aa3e28c18a26cfc41914f)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upstream Repository: https://gitlab.com/qemu-project/qemu.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2023-1386
Type: Security Advisory
CVE: CVE-2023-1386
Score: 3.3
Analysis:
- According to redhat[1] this CVE has closed as not a bug.
Reference:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2223985
(From OE-Core rev: 962cf064df6db243c182c6b53d06a4fd087cd3f2)
Signed-off-by: Madhu Marri <madmarri@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 6a5d9e3821246c39ec57fa483802e1bb74fca724)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The patch works for rust-native but not other recipes which change ${S}.
Set it to use the correct path so it works for llvm-rust, cargo and others,
maximising the space saving.
(From OE-Core rev: 1aee0bc109c1457159440c279ddc1fe5a8d89586)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ignore the failing unit test.
The tidy check failed due to a typo, which was already reported and
fixed in the Rust upstream.
Upstream-Status: Backport [8e77349782]
(From OE-Core rev: 94a244a14075ead1b3b5e966c0fe713cd448cad8)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When multilibs are enabled, building rust is failing because of the following commit
68034f837a
with stage1/rustc cannot able to find dependent *.so files. The issue is
been fixed inrust-master with the following commit by passing the necessary library
paths before executing stage1/rustc
Upstream-Status: Backport [139d6ba054]
(From OE-Core rev: ab29b970ba7e08eabca92018d103af5f249ed2c5)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rust stable version updated to 1.84.1.
https://blog.rust-lang.org/2025/01/30/Rust-1.84.1.html
Renamed and modified the below patch to adapt the new version.
rv32-cargo-rustix-0.38.37-fix.patch->rv32-cargo-rustix-0.38.38-fix.patch
Modified the below patches to adapt the new version.
repro-issue-fix-with-cc-crate-hashmap.patch
revert-link-std-statically-in-rustc_driver-feature.patch
Dropped the below patches :
0001-NFC-fix-build-failure-100993.patch
6ee49080e4
revert-Zdual-proc-macros-additional-check.patch
Issue is fixed in rust-master and the fix is backported in the
subsequent patch of the series.
(From OE-Core rev: 4265f668de8c6708cb3a003ad655559031724149)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>From Rust 1.84, the download-rustc and llvm-tools options were set to True
(previously they were False)
cce6f03754
(download-rustc)
38f0c099b2
(llvm-tools)
For tarball sources, the download-rustc option should be False, so it has been
reverted back to False.
Setting llvm-tools to True caused issues with finding llvm-objcopy, so this
has been changed back to False.
Upstream-Status: https://github.com/rust-lang/rust/pull/134240/
(From OE-Core rev: 2eb952d839e72c24a4180a57631c77910a0da980)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove the "src/gcc" directory from the Rust source code to reduce the
filesystem build space.
In Rust 1.83 (and 1.84), a full GCC-14 tree was included, which caused
the tar.xz archive to increase by 128 MB and the unpacked sources to
grow by 1.3 GB. This was an upstream error that has been resolved in
Rust 1.85.
After updating to Rust 1.85 we can revert this removal of "src/gcc"
(From OE-Core rev: 26a345adc8e050657bfa0b51ea92a3d89e698d9a)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
GNU Make 4.4 has added --shuffle, which randomly orders build jobs and
is great at exposing missing dependencies. Using this the known problem
with the flex test suite build was found and resolved, so remove the
workaround of doing a non-parallel build and apply a patch.
Also remove redundant Make variables that shouldn't be needed to build
the test suite.
(From OE-Core rev: 1bc37e10690dc906da41b9592bc8776bddf4b90b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We added this because automake was causing things to be built, but now
this doesn't seem to be the case:
all: all-am
all-am: Makefile $(SCRIPTS)
SCRIPTS = $(dist_noinst_SCRIPTS)
dist_noinst_SCRIPTS = tableopts.sh
tableopts.sh is a source file that is both in the tarballs and git.
Thus, remove the patch.
(From OE-Core rev: 13e8a2831abcb9edd352fcdc6d1f3be0670b1242)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These dependencies are in the source but the dependency generator does
not see them.
(From OE-Core rev: 0099694d561dd7cde4a60d6e1410f92f070cdd1e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
syslinux uses -nostdinc to build freestanding, which makes sense, however
it also tried to latch its own copy of stdarg.h to include system stdarg.h
via "include_next" compiler magic, so it poses to provide own stdarg.h but
then secretly include system version behind the scenes :)
It uses -nostdinc -iwithprefix include
hoping that gcc is uses and gcc has its include-fixed abstraction which
also contains stdarg.h so in the end it will find a version of stdarg.h
from system (even though it is from the compiler install ) and things will
work.
On musl, include-fixed is not expected and system includes are simplified
so that everyone can look into <sysroot>/usr/include to find them. This
can throw syslinux compilation into problems as now it does not find
the header from -iprefix and ends up with errors like
/mnt/b/yoe/master/sources/poky/build/tmp/work/core2-32-poky-linux-musl/syslinux/6.04-pre2/syslinux-6.04-pre2/com32/lib/../include/stdarg.h:9:15: fatal error: stdarg.h: No such file or directory
9 | #include_next <stdarg.h>
| ^~~~~~~~~~
compilation terminated.
Therefore, we use -idirafter to point it into target sysroot as fallback
for system headers if it needs them, its added at the very last in search
order. It also keeps working with glibc based toolchains as usual and
also works with musl toolchains.
(From OE-Core rev: 40413233429ceb902d8eb30ccc56aa7a182db772)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
