This CVE is a use-after-free which theoretically can be an exploit
vector, but this UAF only occurs when malloc() fails. As it's
unlikely that the user can orchestrate malloc() failures at just the
place to break on _this_ malloc and not others, it is disputed that this
is actually a security issue.
The underlying bug has been fixed, and will be incorporated into the
next release.
(From OE-Core rev: 8c70e7cecb1beb30a5be4ea9bbc89c2f2e11853b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Mention CVE_STATUS_GROUPS in the development manual
(otherwise only present in the reference manual, but with
no reference to it)
- In the reference manual description of CVE_STATUS,
link back to the development manual, to provide context.
(From yocto-docs rev: cfef5fe41b6c819e783c88829448ae38141650a5)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.
(Bitbake rev: 936fcec41efacc4ce988c81882a9ae6403702bea)
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove a reference to a web resource which is clearly marked as obsolete.
Replace the unnecessarily verbose note by just links to the mentioned tools.
[YOCTO #15233]
(From yocto-docs rev: 3f979f5d2446d57d75f0c4ad2199510d533880e8)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Make it clear that patchtest only supports openembedded-core for now
- Add a short list of instructions for installing Python module
dependencies on the host
- Add a step to add meta-selftest with bitbake layers so that all tests
can run
(From yocto-docs rev: bcd58d68e72226be1930593f5f7fb37de15b7913)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
As discussed before with Richard Purdie, the code supports this but the documentation does not.
Developers in general will not notice this or focus on it because they do not mess with the
layer.conf template file, but in my opinion I think more details can help.
(From yocto-docs rev: 15fc103d4ddd14698c8e75cc654ac157ca1ad740)
Signed-off-by: Talel BELHAJSALEM <bhstalel@gmail.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
COMPATIBLE_MACHINE is used to forbid the use of a recipe or its packages
for a specific set of machines.
In some cases, it may make more sense to have the logic inverted and
have the recipe always forbidden except for hand-picked machines. Such
could be the case for pieces of software that only support some
architectures. In that scenario, it is sometimes a bit easier on the eye
and for maintenance to use the OVERRIDES mechanism but for that, a
default should be set.
COMPATIBLE_MACHINE:aarch64 = "^(aarch64)$"
COMPATIBLE_MACHINE:mips64 = "^(mips64)$"
wouldn't do much because if COMPATIBLE_MACHINE isn't set, the recipe is
assumed compatible and therefore, if no default is provided we enter
that case.
Hence, we need to add
COMPATIBLE_MACHINE = "^$"
as default so that it only matches the empty string, which isn't
possible for MACHINEOVERRIDES.
Cc: Quentin Schulz <foss+yocto@0leil.net>
(From yocto-docs rev: 52196d39bc85de267daffb0074eb59786751f57d)
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
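As an added illustration, not part of the commit above or of OE-Core, the following Python models the behaviour the message describes: an unset COMPATIBLE_MACHINE means "compatible", an override-qualified assignment only takes effect when that override is active, and a "^$" default can never match a MACHINEOVERRIDES entry. The override resolution and matching are simplified approximations of BitBake and base.bbclass, and the MACHINEOVERRIDES lists are constructed.

```python
import re

# Approximation of the base.bbclass check described in the commit message:
# unset COMPATIBLE_MACHINE => compatible; otherwise compatible only if the
# regex matches at least one MACHINEOVERRIDES entry.
def is_compatible(compatible_machine, machineoverrides):
    if compatible_machine is None:
        return True
    pattern = re.compile(compatible_machine)
    return any(pattern.match(override) for override in machineoverrides)

# Approximation of BitBake override-style assignment: the key "" is the
# plain (default) assignment; a ':<override>' assignment replaces it when
# that override is active, later overrides taking precedence.
def resolve_compatible_machine(assignments, machineoverrides):
    value = assignments.get("")  # None when no default was set
    for override in machineoverrides:
        if override in assignments:
            value = assignments[override]
    return value

def recipe_allows(assignments, machineoverrides):
    value = resolve_compatible_machine(assignments, machineoverrides)
    return is_compatible(value, machineoverrides)

# Only the override-qualified assignments from the commit message, no default.
WITHOUT_DEFAULT = {
    "aarch64": "^(aarch64)$",
    "mips64": "^(mips64)$",
}
# Same assignments plus the '^$' default the commit message recommends.
WITH_DEFAULT = dict(WITHOUT_DEFAULT, **{"": "^$"})

# Constructed MACHINEOVERRIDES lists (colon-separated in BitBake).
ARM_MACHINE = ["qemuarm64", "aarch64", "qemuall"]
X86_MACHINE = ["qemux86-64", "x86-64", "qemuall"]

if __name__ == "__main__":
    cases = (("no default", WITHOUT_DEFAULT), ("'^$' default", WITH_DEFAULT))
    for name, assignments in cases:
        for machine in (ARM_MACHINE, X86_MACHINE):
            # Without the default, the x86 machine is wrongly accepted.
            print(f"{name:14} {machine[0]:12} {recipe_allows(assignments, machine)}")
```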
Various aesthetic cleanups of section 1 of that manual, including:
* replace 'HOWTO' with manual
* add more examples of sdk-related images
* font fixes
(From yocto-docs rev: 608e93e13a8316a8d40e0675d4335084efa3736a)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
PACKAGECONFIG's first and second flag values will be added to PACKAGECONFIG_CONFARGS
and then to the appropriate variable (EXTRA_OECMAKE, or ...).
So we only need to mention PACKAGECONFIG_CONFARGS and it will lead to the other variables.
I added a custom example that can help in understanding PACKAGECONFIG very well.
(From yocto-docs rev: 7f26b0c0a08d6be9810128369265b0c494e7191b)
Signed-off-by: Talel BELHAJSALEM <bhstalel@gmail.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Integrating the following commit(s) to linux-yocto/6.5:
14f83e409308 serial: core: test for -EINPROGRESS during tx power management validation
1b5b735f311f serial: core: Fix checks for tx runtime PM state
dee98a75d75c Revert "serial-core: disable power managment for serial tx"
(From OE-Core rev: 4c9a85ed1d69e55963cd77122e5c869b30f3dbe4)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Integrating the following commit(s) to linux-yocto/.:
4531e74daf0 media/media-usb-tv.cfg: remove VIDEO_STK1160_COMMON
(From OE-Core rev: 40f2edd66afe5e5af607e110da78eb0a4a0b9cb9)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When reading patches from a directory it's important to sort the output
of os.listdir(), as that returns the files in an effectively random
order. We can't test the patches apply if they're applied in the wrong
order, and typically patch filenames are prefixed with a counter to
ensure the order is correct.
(From OE-Core rev: b2bbd5b4071d913ed24a9ffe43d4a97b0db16c6c)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[YOCTO #15243]
Avoid overwriting local changes when running patchtest by checking for
anything unstaged or uncommitted in the target repo, and logging an
error if something is found. This will provide the user helpful feedback
if (for example) they forgot to commit a change for their patch under
test, and will leave the target repository in a reasonable state (rather
than a temporary branch created by patchtest).
(From OE-Core rev: 2d24ff9568d729b17cfc746d0948e63c78d9f3ae)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This includes the fix for CVE-2023-5535.
(From OE-Core rev: 9292eb70a2a0871cf235e4df0257d7028f43a278)
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.
(From OE-Core rev: 4895e1892a49417fc5a806bd02c1bbac01f37253)
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes to patchtest's command-line arguments to work with oe-core by
default do not match the selftest script's argument list. Explicitly use
the --testdir and --repodir flags in selftest so that it is compatible
with them.
(From OE-Core rev: 6cd547b24896596d4e0fe57f26f553842c5560b5)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Replace full license headers with SPDX identifiers and adjust all
patchtest-related code to use GPL-2.0-only.
(From OE-Core rev: 9bea6b39074296bb8d8719a3300636e316f19d1b)
Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>