Handles CVE-2025-4598
Rebase patches
(From OE-Core rev: 11d583e4ffb8726c66da8f764d985a37a14b2699)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update to the 5.2.1 release of the 5.2.1 series for buildtools
(From OE-Core rev: 91d430e7a68a0cc819398bd05d020f850364fdf1)
Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
GCC 14.3 is a bug-fix release from the GCC 14 branch
containing important fixes for regressions and serious bugs in
GCC 14.2 with more than 211 bugs fixed since the previous release.
https://gcc.gnu.org/bugzilla/buglist.cgi?bug_status=RESOLVED&resolution=FIXED&target_milestone=14.3
Dropped the below patches:
0026-gcc-Fix-c-tweak-for-Wrange-loop-construct.patch
a9f88741a9
0027-gcc-backport-patch-to-fix-data-relocation-to-ENDBR-s.patch
aa4cd61445
0028-fix-incorrect-preprocessor-line-numbers.patch
8cbe033a8a
0001-arm-Fix-LDRD-register-overlap-PR117675.patch
9366c32851
gcc.git-ab884fffe3fc82a710bea66ad651720d71c938b8.patch
ab884fffe3
(From OE-Core rev: aa59bbbbedb25d772648c4cb1498b34b43efb0fb)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upgrade to latest 1.24.x release [1]:
$ git --no-pager log --oneline go1.24.3..go1.24.4
6796ebb2cb [release-branch.go1.24] go1.24.4
85897ca220 [release-branch.go1.24] net/http: strip sensitive proxy headers from redirect requests
9f9cf28f8f [release-branch.go1.24] os: don't follow symlinks on Windows when O_CREATE|O_EXCL
a31c931adf [release-branch.go1.24] cmd/link: allow linkname reference to a TEXT symbol regardless of size
03811ab1b3 [release-branch.go1.24] crypto/x509: decouple key usage and policy validation
04a9473847 [release-branch.go1.24] lib/fips140: set inprocess.txt to v1.0.0
db8f1dc948 [release-branch.go1.24] hash/maphash: hash channels in purego version of maphash.Comparable
664cf832ec [release-branch.go1.24] runtime/debug: document DefaultGODEBUG as a BuildSetting
431f75a0b9 [release-branch.go1.24] os: fix Root.Mkdir permission bits on OpenBSD
Fixes CVE-2025-4673, CVE-2025-0913 and CVE-2025-22874 [2].
[1] https://github.com/golang/go/compare/go1.24.3...go1.24.4
[2] https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
(From OE-Core rev: 50fe0b3832f741bc7f9ea0b996a7e99c5696c0ba)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch for this CVE and also patch for its regression.
(From OE-Core rev: 0d880cdb51e47f78387b63063727fe6df1b009e6)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The js_splitter_code string contains backslashes that Python tries to
use as escape sequence but doesn't manage to, hence the following
SyntaxWarning message:
documentation/conf.py:188: SyntaxWarning: invalid escape sequence '\p'
.split(/[^\p{Letter}\p{Number}_\p{Emoji_Presentation}-]+/gu)
Considering that we want this to be sent verbatim to the JS, let's make
this a raw string instead.
Fixes: d4a98ee19e0c ("conf.py: tweak SearchEnglish to be hyphen-friendly")
(From yocto-docs rev: 1fc92ff2af72118ae041183d395d0a0323ecc1a9)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit c1056672ef45b197136eb8815728d426337a5901)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This repository is partially included in another repository: poky.
However its README isn't making it, so documentation/README pointing at
the README at the root of the git repository would lead the contributor
nowhere.
Instead, let's include the appropriate information directly in
documentation/README which does make it to the poky git repo.
(From yocto-docs rev: 1b93a4122624b554243842822e7df209cc884b27)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 0298318cea2947e65754eab97255164e64a862de)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
KCONFIG_MODE defaults to 'allnoconfig' when not set, regardless of whether
KBUILD_DEFCONFIG points to an in-tree or a meta-layer defconfig.
(From yocto-docs rev: 77e401de547a67d1654480c3fb8df3693724a69f)
Signed-off-by: Carlos Sánchez de La Lama <csanchezdll@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit f374b9c426f6c10710e011a4ad660231ee26efb8)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The project is switching the way handle our CDN provision of sstate objects,
update the URL accordingly.
(cherry picked from commit 406e8a8e30404c0538f5aa46f211540bae2b206b)
(From yocto-docs rev: 6372e5c9ed5dc6fd3f93e1059a56a002ff1b5036)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Refresh patches.
* https://www.python.org/downloads/release/python-3134/
Security content in this release
* gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330]
[CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed
tarfile extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
* gh-133767: Fix use-after-free in the “unicode-escape” decoder with a
non-“strict” error handler.
* gh-128840: Short-circuit the processing of long IPv6 addresses early
in ipaddress to prevent excessive memory consumption and a minor
denial-of-service.
gh-133767 got meawhile CVE-2025-4516 assigned.
(From OE-Core rev: 55a9cd748531c75d46f5d6d53af692a38c6b6716)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Even with our fixes in deterministic_imports.patch the
importlib.metadata package scan was still returning Distribution objects
for empty directories. This interacts badly with rebuilds when recipes
are changing as when a recipe is removed from the sysroot directories
are not removed[1].
In particular this breaks python3-meson-python-native rebuilds when
Meson upgrades from 1.7 to 1.8: the site-packages directory has an empty
meson-1.7.dist-info/ and populated meson-1.8.dist-info/. Whilst it's
deterministic to return the empty 1.7 first, this breaks pypa/build as
it looks through the distributions in order.
We had discussed this with upstream previously and there's a more
comprehensive fix upstream (actually in importlib_metadata, not cpython)
which ensures that valid distribution objects are listed first. So we
can drop our patch and replace it with a backport to fix these rebuilds.
[1] oe-core 4f94d929639 ("sstate/staging: Handle directory creation race issue")
(From OE-Core rev: 73de8daa6293403f5b92d313af32882c47bce396)
(From OE-Core rev: 1c1b651038e15445c495d87c38beeb92f00d9919)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These .pyc files were non-deterministic because they used frozensets[1],
but this has been fixed in 3.11 onwards.
[1] https://github.com/python/cpython/issues/81777
[2] 51999c960e
(From OE-Core rev: c8c391ed3e0598a3bea7bc0981126d870315063d)
(From OE-Core rev: 75758dc92003892edc32cccb3c830926b5c4942a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There was a regression introduced by the change to use
systemd-systemctl-native rather than a python fake implementation,
which caused template units to not be properly enabled when set in
the SYSTEMD_SERVICE variable. Through investigation, it seems that
the best way to re-enable template instances is to handle them
explicitly in the systemd.bbclass and enable them with `preset`, like
most units are handled[1,2].
Per the systemd.preset manpage, the format for template units is
different than for regular units[3]. We need to coalesce all the
template instances onto a single line and emit them as an additional
space-deliminated argument.
Ran this against openbmc's phosphor-ipmi-net recipe and generated
the following preset file:
```
$ cat packages-split/phosphor-ipmi-net/usr/lib/systemd/system-preset/98-phosphor-ipmi-net.preset
enable phosphor-ipmi-net@.service eth0
enable phosphor-ipmi-net@.socket eth0
```
[1]: https://lore.kernel.org/openembedded-core/Z2ch.1747051947055246176.oktf@lists.openembedded.org/
[2]: https://lore.kernel.org/openembedded-core/aDdoTVtCmElpURYD@heinlein/
[3]: https://www.freedesktop.org/software/systemd/man/latest/systemd.preset.html
Fixes: 7a580800db39 ("systemd: Build the systemctl executable")
(From OE-Core rev: f33d9b1f434e40a459614d8dc21ce45e11581008)
(From OE-Core rev: ea207dce1f5f8579d8ddde487ac9852f50bfc792)
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
PR32858 ld segfault on fuzzed object
We missed one place where it is necessary to check for empty groups.
Backport a patch from upstream to fix CVE-2025-5244
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=d1458933830456e54223d9fc61f0d9b3a19256f5]
(From OE-Core rev: 81e5831ea48e9d1e4b37e4ef6af11d382d7f1df8)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changes in libsoup from 3.6.4 to 3.6.5:
* session: Strip authentication credentials on cross-origin redirects [Patrick Griffis]
* build: Use pkg-config instead of krb5-config for the gssapi dependency [Patrick Griffis]
* http1: When using chunked encoding report an error in case of unexpected stream end [Andrzej Surdej]
* http2: When a message has no content still respect its Content-Type [Patrick Griffis]
* http2: Revert manual window size management temporarily, as it could stall [Patrick Griffis]
* sniffer: Fix potential overflows [Patrick Griffis]
* hsts: Fix minor leak [Patrick Griffis]
* headers: Fix a few parsing edge cases that could be an out of bound read [Patrick Griffis]
* connection: Avoid ever calling disconnect twice [Patrick Griffis]
* auth-digest: Fix handling when a nonce isn't present [Patrick Griffis]
* cookies: Limit max size of max-age, path, and domain attributes to 1024 bytes [Patrick Griffis]
* cookies: Limit max size of name and value to 4096 bytes [Patrick Griffis]
* docs: Remove references to old libsoup domain [Simon McVittie]
Refer:
766e175282
(From OE-Core rev: a5585378dd9a2ecd8261958d02c34ecce1be5c0f)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2025-32913 also fixed in this patch
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/435
(From OE-Core rev: d95ddd4ebb4ea78fc64cfb025306f1f953ded3f9)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The project is switching the way handle our CDN provision of sstate objects,
update the URL accordingly.
(From meta-yocto rev: d4f018da2c709ba1135889206694148c6001cd29)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e5b8e76ba8232860943406e1c53e71b3d2790f17)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Since pmem kernel drivers were enabled as modules, the initrd
size limit is hit. On genericarm64 all kernel modules and some
firmware files get installed to initrd by default which make
the thing large. I'm working on patches to reduce the kernel drivers
installed to initrd and to make the kernel in general more modular
(btrfs 5 Mb etc built into kernel by default). For now just increase
the size limit to unblock genericarm64 builds and testing.
Fixes: https://bugzilla.yoctoproject.org/show_bug.cgi?id=15833
(From meta-yocto rev: c8b151d2d7879c2b1276824444a963a59dfcf240)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 09bef6a491c087f0f0371874e759aae08a720c4e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
