Update LICENSE defined for xz packages to match the license
information provided in the xz COPYING file.
The License information from PACKAGERS file of xz mentions
packages with lzma files are in public domain.They ask to
use GPLv2+, if only it's not possible to mention "PD and GPLv2+".
Include PD license with GPLv2 to packages with lzma content:
xz-dev package contains lzma header
xz-doc package contains lzma man pages
xz packages contains lzma binaries
Links: https://github.com/tukaani-project/xz/blob/v5.4.6/COPYINGhttps://github.com/tukaani-project/xz/blob/v5.4.6/PACKAGERS
(From OE-Core rev: d511c41dac048fbdd93a54136e93b0623a18a83d)
(From OE-Core rev: a9b751f211ccfc1c8d58aba290dc8b4de5383acc)
Signed-off-by: Bhabu Bindu <bindu.bhabu@kpit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4e5b955def5d9f305f5aba2c68b73287c03fd163)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch for this CVE and also patch for its regression.
(From OE-Core rev: 7f2ce7ea6bd3397e4a4f3f7bb6957d14838f66c5)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1
lacks argument sanitization for the # case. A created PDF document includes
its password in cleartext.
(From OE-Core rev: 7052a81e4f9b19b5640b414c10b19f8232d81572)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2025-47268
ping in iputils through 20240905 allows a denial of service (application
error or incorrect data collection) via a crafted ICMP Echo Reply
packet, because of a signed 64-bit integer overflow in timestamp
multiplication.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47268
Patch from:
070cfacd73
(From OE-Core rev: a463c8e3950ccf58316d48241c2cd82484f25fda)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE only impacts codepaths relevant for Windows builds.
Se [1] from Debian which marks it as not applicable.
[1] https://security-tracker.debian.org/tracker/CVE-2025-27837
(From OE-Core rev: fb5dc4a476bc4054493d6a7eb64a423e3665afb9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix for this CVE [1] is patchong code introduced by [2] in v3.7.5.
So v3.6.2 is not affected yet and the CVE can be safely ignored.
Also Debian tracker [3] contains this statement.
[1] 565b5aea49
[2] 2d8a5760c5
[3] https://security-tracker.debian.org/tracker/CVE-2024-48615
(From OE-Core rev: 60390a3a28242efba32360426b0a3be6af5fb54b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Initially, PAM community fixed CVE-2024-10041 in the version v1.6.0 via commit b3020da.
But not all cases were covered with this fix and issues were reported after the release.
In the v1.6.1 release, PAM community fixed these issues via commit b7b9636.
Backport this commit b7b9636, which
Fixes: b3020da ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Backport from b7b9636208
(From OE-Core rev: 71035c8c5907f7103ce40b92490a10bd3dde7226)
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As already mentioned in [1] when backporting commit including fix for
this CVE, this vulnerability applies only from libarchive 3.7.0 commit
[2] which introduced bsdunzip which contains this vulnerability.
[1] https://git.openembedded.org/openembedded-core/commit/?h=kirkstone&id=ec837d3b21b4f8b98abac53e2833f1490ba6bf1e
[2] c157e4ce8e
(From OE-Core rev: bf7654877ba99f0b18a1cf6f83032af5ecabd01f)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit referencing this MR which was merged to master.
Note that this commit also patched CVE-2025-1632 in bsdunzip, however
that utility was introduced only in 3.7.0, so that part is not
applicable in kirkstone.
(From OE-Core rev: ec837d3b21b4f8b98abac53e2833f1490ba6bf1e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Starting from 2023d version, tzcode makefile does not use anymore "cc"
variable for C compiler, due to Makefile refactoring.
Replacing "cc" with "CC" fixes the issue.
(From OE-Core rev: 0216c229d5c60d0023b0a7d6e8ee41bdfa16f8ef)
Signed-off-by: Alessio Cascone <alessio.cascone@vimar.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b3cdfca5ef84ed2054faef9abddef3aeed930e17)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update SRC_URI for tzcode.
Update the http to https in SRC_URI to fix the do_fetch issue.
(From OE-Core rev: b663540d143b0e5fcb9ceeec45cde7fe3e68f9bb)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This patch is ported from a merge request shown below,
and the following represents the original commit text.
------------------------------------------------------
top: In the bye_bye function, replace fputs with the write interface.
When top calls malloc, if a signal is received, it will
call sig_endpgm to process the signal. In the bye_bye function, if the
-b option is enable, the Batch variable is set, the fputs function
will calls malloc at the same time. The malloc function is not reentrant, so
it will cause the program to crash.
(From OE-Core rev: 573f5b2d8fec9f8a4ed17e836ef3feeb6de62e5a)
Signed-off-by: Shaohua Zhan <shaohua.zhan@windriver.com>
------------------------------------------------------
Reference(s):
https://gitlab.com/procps-ng/procps/-/merge_requests/127
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Applications that use Wget to access a remote resource using
shorthand URLs and pass arbitrary user credentials in the URL
are vulnerable. In these cases attackers can enter crafted
credentials which will cause Wget to access an arbitrary host.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-10524
Upstream-patch:
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778
(From OE-Core rev: eed5d59c138c210df91f31ac718383ccaf921faf)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Newer compilers end up with errors while compiling these test snippets
and build results in failures.
(From OE-Core rev: 61bd7eccd8e305e2dd95f0b0b86b09d72e99fc1a)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability was found in PAM. The secret information is
stored in memory, where the attacker can trigger the victim
program to execute by sending characters to its standard
input (stdin). As this occurs, the attacker can train the
branch predictor to execute an ROP chain speculatively.
This flaw could result in leaked passwords, such as those
found in /etc/shadow while performing authentications.
References:
https://security-tracker.debian.org/tracker/CVE-2024-10041
Upstream patches:
b3020da7da
(From OE-Core rev: 3422c2533caaa2664944315580c52a2272815305)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Same was done in newer Yocto releases.
See commit See commit 0f2cd2bbaddba3b8c80d71db274bbcd941d0e60e
(From OE-Core rev: 50d8a653104abb9b5cd8a708a7bd97446e894bcf)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulnerability
via jbig2_error at /jbig2dec/jbig2.c.
(From OE-Core rev: 3e9018fb14466495be7472a8620918347c732e86)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
GCC 14 implicitly turns a warning into a compiler error:
| ../../git/src/lib/packlib.c: In function ‘PWClose’:
| ../../git/src/lib/packlib.c:554:40: error: passing argument 1 of ‘HwmsHostToBigEndian’ from incompatible pointer type [-Wincompatible-pointer-types]
| 554 | HwmsHostToBigEndian(tmp_pwp.hwms, sizeof(tmp_pwp.hwms), en_is32);
| | ~~~~~~~^~~~~
| | |
| | uint32_t * {aka unsigned int *}
| ../../git/src/lib/packlib.c:142:27: note: expected ‘char *’ but argument is of type ‘uint32_t *’ {aka ‘unsigned int *’}
| 142 | HwmsHostToBigEndian(char *pHwms, int nLen,int nBitType)
| | ~~~~~~^~~~~
Add the cast to (char *) to silence it.
(From OE-Core rev: 7cca344feaa16cfabbaa2f34e4aab91cc1af39ee)
Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
zip's configure fails to link this piece of test code:
int main() { return closedir(opendir(".")); }
with GCC-14 because it now treats implicit declaration of function
as error, unline older GCC version where it was just a warning
and this test would build fine.
Remove 0002-unix.c-Do-not-redefine-DIR-as-FILE.patch which
is now unnecessary (MJ: this part wasn't applicable for kirkstone).
(From OE-Core rev: fd31dd1abc8199a1865801259e6f96b78a17d994)
Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3422411eb750c7e960b81676637cfb321dbadefb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Newer compilers are strict and have turned some warnings into hard
errors which results in subtle configure check failures. Therefore fix
these tests and also enable largefile support via cflags when its
desired
(From OE-Core rev: 03b7a44e2ff4364cb85758f91d78efa0cf85682d)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
[Backport from OE-Core: 40f85de590c188c9c3985e64a83efaf06b0b4fbc]
zstd is dual-licensed under BSD _OR_ GPLv2 which was updated in the README for v1.5.6.
License wording in the README for v1.5.2 is misleading, but license headers in the code
clearly state that there is a choice between the two licenses.
(From OE-Core rev: 4ef9b4d947b6e8ed7637cdd9e722c3f0c83990dd)
Signed-off-by: Massimiliano Minella <massimiliano.minella@se.com>
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The contents of the LICENSE file included in the current source code
package match those of Info-ZIP license, which seems to originate from
the year 2007:
This is version 2007-Mar-4 of the Info-ZIP license.
(From OE-Core rev: 3739a1af61ff6f0faca23bb565f9e71666953715)
(From OE-Core rev: 1aeb18b575ab31f779599ffd108d578012a8b800)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The contents of the LICENSE file included in the current source code
package match those of Info-ZIP license, which seems to originate from
the year 2009:
This is version 2009-Jan-02 of the Info-ZIP license.
(From OE-Core rev: e7c9368e56a6ad90b4ffbba1b765e2b3a331c796)
(From OE-Core rev: 33e92e85b1632e933c3099a45ba53c6904eb6b88)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
