Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker
to execute arbitrary code via the av_malloc function in libavutil/mem.c:105:9 component.
(From OE-Core rev: 433c84c528bb9920399abfe9e9461d26a929bc7a)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local
attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in image_copy_plane.
(From OE-Core rev: be875832526636638a034680f837241c16e2b26d)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a negative-size-param
bug at libavcodec/mpegvideo_enc.c:1216:21 in load_input_picture in FFmpeg7.0
(From OE-Core rev: 6eb7dc3eecbbe115f95864d587fb3d5557321973)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a section on providing global level configuration from the
layer.conf file. Since this file is parsed at an earlier stage in the
parsing process, it's not possible to combine bb.utils.contains and
{DISTRO,MACHINE}_FEATURES to conditionally set some configurations.
This patch documents:
- First that this file can be used for providing such configuration.
- Then demonstrate how to conditionally provide them, using a technique
that is currently used in meta-virtualization
(https://git.yoctoproject.org/meta-virtualization/tree/conf/layer.conf#n50).
Fixes [YOCTO #12688].
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: e49111c280927c922ab40547c02c11772787b731)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 31e5bd3e82e11f77da2abd96eb8c17a7c8194b7c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
To make references to the bitbake repo, add an extlink for it and use it
in the docs with ":bitbake_git:`lib/bb/utils.py </tree/lib/bb/utils.py>`".
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: 579da2e7222c1bd21948205f470d97435f3b2cc3)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 8bf3c656ec54a582c75ca7c135121a15f8e4f631)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This variable was removed from the Sphinx-generated
documentation_options.js, thus breaking the current implementation of
our switchers.js. Like searchtools.js, which is also generated by
Sphinx, use document.documentElement.dataset.content_root as a
replacement.
To be backwards-compatible to get one or the other.
(From yocto-docs rev: 6c16f7481b8b175271072062925959bbaba2ec5f)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 2849690abf94872e259e712128e90413f3b9a2f2)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
These files are placed in the _static directory during publish. Note
that Sphinx does not complain if files do not exist during compilation
(since they are copied at the end). This is why this was used instead of
the ":download:" role.
(From yocto-docs rev: a9fc5432fdb568103ba9b719f71e66895f939792)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 38aa55418426227203fe3a106fa1e85494a57c12)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This patch makes the "latexpdf" target compile the documentation with
xelatex instead of the default pdflatex engine.
The reason behind this is stated in [YOCTO #14357]: pdflatex does not
support compiling foreign characters, so we need to resort to another
engine, here xelatex.
It also increases the texmf config buf_size to 10000000 to avoid a
compilation error.
(From yocto-docs rev: 0a6944b9f90b4d3babbdec9dee18fb8195b0db06)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 93848842b3ad8aa6b9c9f46d60f2c2ad396c6971)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Remove inkscape as it is not part of meta/, and use librsvg so we can
ship it in a buildtools tarball for the autobuilder workers.
(From yocto-docs rev: 1ecb50eacc6510e1b77215fd6af36b1f7ffdeabe)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 0caa432b888209bd80443df230143761e1faf415)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix pseudo with python 3.13 by adding a wrapper for posix_spawn and
fixing a NULL pointer dereference in envp handling it uncovered. This
fixes issues on Fedora 41.
(From OE-Core rev: 89b64526ac2bf0609a18c4d44b4835028f686978)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update to a new revision which includes "Bugfix for Linux open(O_CREAT|O_EXCL)"
(From OE-Core rev: cc87b332c5d09d4d7aaa2569fa046a16012597d2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
glibc 2.40 renames some internal header variables. Update our hack to
work with the new version. These kinds of problems illustrate we need to
address the issue properly.
(From OE-Core rev: 63d7c11b46119f0c97d08f2fa837c02e633ab75f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is needed to work with coreutils 9.5.
Also contains some README tweaks.
(From OE-Core rev: c2549844031c30d2c1a6965ee66f163878d46fab)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
rpm 4.19 now builds with LFS64 support enabled by default,
so it calls statvfs64() to get the space available on the
filesystem it is installing packages into. This is not
getting caught by pseudo, so rpm is checking the host's
root filesystem, rather than the filesystem where the
build is happening.
Merge in that fix and a gcc14 fix.
(From OE-Core rev: 1b181d1fcef45f969ef9147912995d80dbe87d87)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pulls in the changes:
Eilís 'pidge' Ní Fhlannagáin (1):
subports: Add _GNU_SOURCE for syncfs probe
Richard Purdie (1):
SECURITY.md: Add file
Wu Zhenyu (1):
pseudo.1: Fix a typo
(From OE-Core rev: 40a013f7134aec1d0e953ad4906944072cfb2ca1)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pull in:
pseudo_util.c: Open file with O_CLOEXEC to avoid fd leak
Use close-on-exec (O_CLOEXEC) flag when open log file to
make sure its file descriptor is not leaked to parent
process on fork/exec.
Fixes [YOCTO #13311]
(From OE-Core rev: b8445072f4009b3e912792931bd71a4201d541e9)
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
OE is the main user of pseudo and we've had the changes in the oe-core branch
around long enough that we're going to run with them. Swicth back to directly
using the master branch.
(From OE-Core rev: 198ff9141f94c551d2a29f3a036c209e3e554a37)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[Luca: re-add 'branch' parameter to fix "does not set any branch parameter" warning]
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
pseudo overrides certain libc functions which are aliases when LFS64 is
enabled. In anycase pseudo may not be of much use on 32bit systems
(From OE-Core rev: 215367b62ac1f48ba224e56e7b8862c0a7bdbcd0)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update to pull in:
pseudo.c: Avoid patch mismatch errors for NAMELESS file entries
In rare cases we see failures, often in linux-libc-headers for things like:
| INSTALL /XXX/linux-libc-headers/6.1-r0/image/usr/include
| abort()ing pseudo client by server request. See https://wiki.yoctoproject.org/wiki/Pseudo_Abort for more details on this.
Pseudo log:
path mismatch [2 links]: ino 46662476 db 'NAMELESS FILE' req '/XXX/linux-libc-headers/6.1-r0/image/usr'.
Setup complete, sending SIGUSR1 to pid 3630890.
Whilst this doesn't easily reproduce, the issue is that multiple different processes are
likely working on the directory and the creation in pseudo might not match accesses
made by other processes.
Ultimately, the "NAMELESS FILE" is harmless and pseudo will reconcile things
so rather than error out, we should ignore this case.
(From OE-Core rev: 77d018ce3b3a9390a5cc020bce9f9ea9017820dd)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4f30a1a74828e105cbe69677b3fbe5623f371543)
Signed-off-by: Fabio Berton <fabio.berton@criticaltechworks.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When `-pipe` is enabled, GCC passes data between its different
executables using pipes instead of temporary files. This leads to issues
when cmake attempts to infer compiler internals via the `-v` parameter
as each executable will print to `stderr` in parallel.
In turn this may lead to compilation issues down the line as for example
the system include directories could not be determined properly which
may then propagate to issues such as:
recipe-sysroot/usr/include/c++/11.3.0/cstdlib:75:15: fatal error:
stdlib.h: No such file or directory
| 75 | #include_next <stdlib.h>
| | ^~~~~~~~~~
| compilation terminated.
| ninja: build stopped: subcommand failed.
| WARNING: exit code 1 from a shell command.
Fix this stripping `-pipe` from the command line used to determine
compiler internals.
(From OE-Core rev: 8e2233fd0509b9f20c19d5006dd7ef0c2260bdba)
Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The pipe library is deprecated in Python 3.11 and will be removed in
Python 3.13. pipe.quote is just an import of shlex.quote anyway.
Clean up imports while we're at it.
(From OE-Core rev: 8eec5c4417301ea3b38e6662e7b29c9071f233e1)
Signed-off-by: Ola x Nilsson <olani@axis.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
(cherry picked from commit 5f33c7b99a991c380d1813da8248ba5470ca4d4e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commits from https://github.com/libexpat/libexpat/pull/915
Not picking test is suboptimal, but test structure was changed meanwhile
so we'd have to invent new code.
Skipping tests was already done in previous expat/kirkstone CVE patches.
(From OE-Core rev: 2cf8325876aa4d43151f5a327a21834db37bf0cb)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE is patched in gstreamer1.0-plugins-bad.
cpe product is set to gstreamer, they share source git repository.
(From OE-Core rev: e64d90d4c52f2e236dbe3b24b7deffce10452671)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulnerability
via jbig2_error at /jbig2dec/jbig2.c.
(From OE-Core rev: 3e9018fb14466495be7472a8620918347c732e86)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Commits 4591011449212c8e494ea42348acb2d27a82a51b and
6c19b6cf105ac321ec89da1a876a317020c45ab7 unconditionally changed
codeparser to rely on CPython 3.8 semantics. However, kirkstone
continues to support CPython versions >= 3.6.0 and as such string AST
nodes were no longer correctly identified.
Fix this by continuing to use `ast.Str` for Python versions < 3.8.0 and
only using the new code path for more recent versions. Detecting which
version of the AST API to use seems to be non-trivial so the Python
feature version is used instead.
Instances of this issue can be identified when executing bitbake with
debug logging:
while parsing MACHINE_ARCH, in call of d.getVar, argument
''TUNE_PKGARCH'' is not a string literal
As a consequence of these parsing issues, bitbake may assume that task
inputs haven't changed and as such erroneously reuse sstate objects when
it shouldn't.
(Bitbake rev: fb73c495c45d1d4107cfd60b67a5b4f11a99647b)
Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Variables SIGGEN_LOCKEDSIGS, SIGGEN_LOCKEDSIGS_TASKSIG_CHECK and
SIGGEN_LOCKEDSIGS_TYPES are used to lock specific tasks to specific
signatures. They are used by bitbake -S <lockedsigs> and bblock, so add
documentation for them.
(From yocto-docs rev: 1f61cd4a3e9c5bf75910559ddf2372f921c2a4ef)
Signed-off-by: Julien Stephan <jstephan@baylibre.com>
Reviewed-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 32e3995bed2836f549866ec3b8ad254bdda37dbf)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add sstate as an accepted word to avoid errors when runnign make
stylecheck.
(From yocto-docs rev: 7bd247bb3d8ff78757de1dedf1f87d86b3e3e08b)
Signed-off-by: Julien Stephan <jstephan@baylibre.com>
Reviewed-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 1c50726296e876747ea3f862729e953f025ce619)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
make sphinx-lint runs sphinx-lint on the whole documentation which can be
long and reports a lot or errors/warnings. Let's add a new
SHPINXLINTDOCS variable to allow specifying a subset, just as VALEDOCS
does. Keep variable assignment aligned and also use $(SOURCEDIR) by
default for SPHINXLINTDOCS and VALEDOCS variables.
Also update the README file and fix a typo in Link checking section
title.
(From yocto-docs rev: ae46746897361d4177f3c4284f46753e3aa8c3c3)
Signed-off-by: Julien Stephan <jstephan@baylibre.com>
Reviewed-by: Antonin Godard <antonin.godard@bootlin.com>
Tested-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 3dfe7b5c746af31de74f67cf88214e5d52bdb65d)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
make stylecheck runs Vale on the whole documentation which can be long
and reports a lot of errors/warnings. We can run Vale on a subset using
the VALEDOCS variable, so update documentation to highlight it.
(From yocto-docs rev: 038cc992af79718787a70dd620eb195c84a847dd)
Signed-off-by: Julien Stephan <jstephan@baylibre.com>
Reviewed-by: Antonin Godard <antonin.godard@bootlin.com>
Tested-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 262237f72534c983e178231cb6839ed69709c443)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This term is used throughout the manual but is not properly
introduced anywhere.
(From yocto-docs rev: ced1bbb88a8046b1307376cd88ea85110677c9fc)
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Newer versions of Sphinx already define a :cve: role that points to
cve.org, instead of the role we defined in conf.py that points to
nvd.nist.gov.
Rename our role to :cve_nist: to avoid warnings (treated as errors).
This is also backwards compatible, meaning we can build the doc with an
older Sphinx if needed.
The file were automatically replaced with following command:
find . -name '*.rst' -exec sed -i 's/:cve:/:cve_nist:/g' {} \+
Cherry pick:
* Changes on following files removed from cherry pick (not part of kirkstone):
documentation/migration-guides/release-notes-4.1.1.rst
documentation/migration-guides/release-notes-4.1.2.rst
documentation/migration-guides/release-notes-4.1.3.rst
documentation/migration-guides/release-notes-4.1.4.rst
documentation/migration-guides/release-notes-4.1.rst
documentation/migration-guides/release-notes-4.2.1.rst
documentation/migration-guides/release-notes-4.2.2.rst
documentation/migration-guides/release-notes-4.2.3.rst
documentation/migration-guides/release-notes-4.2.4.rst
documentation/migration-guides/release-notes-4.2.rst
documentation/migration-guides/release-notes-4.3.1.rst
documentation/migration-guides/release-notes-4.3.2.rst
documentation/migration-guides/release-notes-4.3.3.rst
documentation/migration-guides/release-notes-4.3.4.rst
documentation/migration-guides/release-notes-4.3.rst
documentation/migration-guides/release-notes-5.0.2.rst
documentation/migration-guides/release-notes-5.0.3.rst
documentation/migration-guides/release-notes-5.0.rst
documentation/migration-guides/release-notes-5.1.rst
* Fix minor conflicts in following files:
documentation/migration-guides/release-notes-3.4.2.rst: missing :term:
before CVE_PRODUCT
documentation/migration-guides/release-notes-4.0.2.rst: missing :term:
before PACKAGECONFIG
documentation/migration-guides/release-notes-4.0.7.rst: missing cve
2022-32912 on webkitgtk
Suggested-By: Quentin Schulz <quentin.schulz@cherry.de>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: f432e78fef82c5e5bfdfff08bb18757dc3479465)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 15fa3b7e85dde50d7236c1738ad607531cc654b8)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Give a brief description for important commands that made it into
devtool or that were missing from this quick reference document.
Cherry pick: Remove devtool ide-sdk from commit, this command was not
backported to kirkstone.
(From yocto-docs rev: 8a5111c406be9c4bf1cc78a34dd2174a227ca79c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 6238adae1b072c9e09c558038d397dfac6ec109f)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
