79602 Commits

Author SHA1 Message Date
Peter Marko
21cedd6086 binutils: set status for CVE-2025-7545 and CVE-2025-7546
The patches linked in NVD reports are present in binutils-2_45-branch.
Technically the NVD is wrong (=2.45 should be <2.45), but fixing it in
the recipe is not problematic as all cpe-stable-backport will be
automatically removed in next upgrade so will not be "kept forever".

CVE-2025-7545
* https://nvd.nist.gov/vuln/detail/CVE-2025-7545
* https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944

CVE-2025-7546
* https://nvd.nist.gov/vuln/detail/CVE-2025-7546
* https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=41461010eb7c79fee7a9d5f6209accdaac66cc6b

(From OE-Core rev: 0fb876e247faea84dfa8fd302b80cb7afdc575d9)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-28 10:47:08 +01:00
Diego Sueiro
fb4ebd6053 wic: Fix --overhead-factor and --extra-space checks
If --overhead-factor and --extra-space are passed with =FOO the
check fails. Fix this by checking parsed.overhead_factor and
parsed.extra_space instead.

(From OE-Core rev: 46c24b67d4e9d28e7216a7394090d807cf879fa7)

Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Peter Marko
e29b37130f libxml2: mark CVE-2025-6170 as fixed
As shown in [1] when expanding tags including it.

NVD tracks this CVE as version-less.

[1] c340e41950

(From OE-Core rev: d8a9c190811ad9658a74502a371c110f4d24d68f)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Peter Marko
66e1a79063 icu: mark CVE-2025-5222 as fixed
Commit mentioned in [1] is included in 77-1.
This commit was also backported to Yocto all stable/LTS releases.

[1] https://security-tracker.debian.org/tracker/CVE-2025-5222

(From OE-Core rev: 69c2956d6af3ffdedc77649ea833dc04ab62b8d3)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Peter Marko
0a05bf16db gnutls: mark CVE-2025-32989 and CVE-2025-32990 as fixed
This is mentioned in [1].
NVD tracks this as version-less CVE.

[1] https://gitlab.com/gnutls/gnutls/-/blob/3.8.10/NEWS?ref_type=tags#L8

(From OE-Core rev: 8367ddb87a51abaa8949614faabc146f40f518a1)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Peter Marko
4ad2a935c7 cve-update-db-native: fix fetcher for CVEs missing nodes
As of now, update of CVE DB from FKIE source (which is the default)
fails with following error:

File: '<build>/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 393, function: update_db_fkie
     0389:                [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close()
     0390:
     0391:        for config in elt['configurations']:
     0392:            # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
 *** 0393:            for node in config["nodes"]:
     0394:                parse_node_and_insert(conn, node, cveId, False)
     0395:
     0396:def update_db(d, conn, jsondata):
     0397:    if (d.getVar("NVD_DB_VERSION") == "FKIE"):
Exception: KeyError: 'nodes'

Entry for new CVE-2025-32915 is broken.

(From OE-Core rev: 152be29f6a732b2ba1c95bcf465455d2a5a3f33a)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Khem Raj
9cb33630b0 libseccomp: fix seccomp_export_bpf_mem out-of-bounds read
Fixes segfaults in ptests on musl
Failed ptests:
{'libseccomp': ['11-basic-basic_errors%%001-00001_11-basic-basic_errors_rc=139']}

(From OE-Core rev: 4f26edb6fd7e3dc5f81c56faed3a0edd9264bf66)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Khem Raj
6471b9a898 python3: Address failing ptests on musl
Take a partial patch to disable portion of test_makedev, it's also applied
in alpine. NODEV does not exist on musl

Add test_null_dlsym to ignore list on musl, it needs GNU ifunc support
and musl does not implement GNU ifuncs

fixes
Failed ptests:
{'python3': ['test_null_dlsym', 'test_makedev', 'python3']}

(From OE-Core rev: c197de49d6b406be5fc79b6e17c397c834efc1b0)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Siddharth Doshi
d566c7bb8d tiff: Security fix for CVE-2024-13978, CVE-2025-8176, CVE-2025-8177
Upstream-Status: Backport from [7be20ccaab, 2ebfffb0e8, 3994cf3b3b, ce46f002ec, ecc4ddbf1f, 75d8eca6f1, e8c9d6c616]

CVE's Fixed:
CVE-2024-13978 libtiff: LibTIFF Null Pointer Dereference
CVE-2025-8176 libtiff: LibTIFF Use-After-Free Vulnerability
CVE-2025-8177 libtiff: LibTIFF Buffer Overflow

(From OE-Core rev: 16d8a873c57b174e4d6581b58d890f2157aa2f2c)

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Tim Orling
8f2adecb3a at-spi2-core: upgrade 2.56.3 -> 2.56.4
What's new in at-spi2-core 2.56.4:

* Fix key grabs when num lock or caps lock are on under Wayland.

    atk-bridge: Don't crash when requesting a plug if not activated

* Add sanity checks for child indices received via DBus.

https://gitlab.gnome.org/GNOME/at-spi2-core/-/blob/2.56.4/NEWS?ref_type=tags

Comparing changes:
https://github.com/GNOME/at-spi2-core/compare/2.56.3...2.56.4

(From OE-Core rev: 59c9aa2411514f448cec23c0ceefeada2a103d85)

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Michael Opdenacker
4cc9096122 lighttpd: upgrade 1.4.79 -> 1.4.81
Remove "libev" configuration option, no longer in use since 1.4.80

Upstream changes

1.4.81:
- security: fix to reject disallowed trailers

1.4.80:
- detect and issue error trace for HTTP/2 MadeYouReset VU#767506 CVE-2025-8671
- stricter HTTP request/response header, trailer, and chunked validation/parsing
- support HTTP response trailers
- support HTTP request trailers merge to headers (if not streaming request body)
- bug fixes

(From OE-Core rev: 6054ad0b7a3cf8a6853bdedfdbf973742af58fea)

Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Per x Johansson
391c628379 rust-target-config: Add has-thread-local option
The "has-elf-tls" option was removed by the commit
8e1614a906086fb46c5dd7b7f2dffab91194165c. However it should have been
renamed to "has-thread-local", since it was renamed and not removed in
rust by this commit.
391332c5d9

Change-Id: Ia1fdf7698ebeef62a88052713645d5b499164353
(From OE-Core rev: 18a87dd1724e0934a669aefae36d20374c06c493)

Signed-off-by: Per x Johansson <perxjoh@axis.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Harish Sadineni
9be7072616 gcc-testsuite: Fix test failures with output pattern due to ssh warning.
When running oe-selftest for gcc some of the output pattern matching test cases
were getting failed due to below issue.

Output line 1 was:
Warning: Permanently added '192.168.7
Should match (from /poky/poky/build-st/tmp/work-shared/gcc-15.1.0-r0/sources/
gcc-15.1.0/gcc/testsuite/gcc.dg/dg-output-file-1-lp64.txt):
This is a test output for lp64 target
Failed test for output line 1 This is a test output for lp64 target

(From OE-Core rev: 08200d7ac9d96996dbc1f913bcc0c8bee13592f8)

Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Harish Sadineni
9284af07f5 oeqa/selftest/cases/gcc.py: Increase QEMU RAM to 4GB
The test pr61599-1.c fails because it requires more than 3GB of RAM.
This change increases the allocated RAM to 4GB to prevent test failures.

(From OE-Core rev: 745eedb1afcb4f8e28ca560ae41d3297bb63cdd4)

Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Harish Sadineni
a6ce306fd3 gcc: Oe-selftest failure analysis - fix for pr90579.c test failures
When gcc build with PIE enabled the following tests
were getting failed:
 FAIL: gcc.target/i386/pr90579.c scan-assembler vaddsd\tr\\+40
 FAIL: gcc.target/i386/pr90579.c scan-assembler vaddsd\tr\\+32
 FAIL: gcc.target/i386/pr90579.c scan-assembler vaddsd\tr\\+24
 FAIL: gcc.target/i386/pr90579.c scan-assembler vaddsd\tr\\+16

Detailed bug info & upstream fix is here:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=118885

Upstream Status: Backport [https://gcc.gnu.org/cgit/gcc/commit/?id=679e24f5a751663998ff7202149a749e0f7251f9]

(From OE-Core rev: 7641e08044203ac9dde9a53b91bd01f9432d11f2)

Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Khem Raj
920334997f gettext: Force UTF-8 runtime and skip requiring ISO-8859-1
On musl, there is no real legacy (non-UTF-8) fr_FR locale.
These tests are designed for libcs that ship both fr_FR (ISO-8859-1)
and fr_FR.UTF-8. So the right thing will be to SKIP these tests

Unsetting LOCALE_FR will ensure that it does not enable ISO-8859-1
path, so reset it in run-ptest but that's not enough because it is
being set in the test's own init-env file as well so clear it in that
file as well.

Fixes
Failed ptests:
{'gettext': ['intl-2', 'intl-4', 'intl-thread-3', 'lang-sh', 'lang-bash']}

(From OE-Core rev: 0fe96efea084f4594df43f57e121cb2353bfafa7)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Khem Raj
1854cd6d37 gettext: Skip test known to fail on musl
* Use posix thread on musl and cache
* Force using system posix compliant printf
* Add coreutils to ptest dependencies

(From OE-Core rev: 16b1fff0dc3f95d2f52106b0133133d175725d52)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Khem Raj
02bf521a23 elfutils: Remove run-backtrace-dwarf from musl ptest XFAILs list
This is passing ok with gcc/libgcc on YP AB

(From OE-Core rev: c1bb95055810b272237d5a143f7e01a270e74868)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Martin Jansa
44fbbe97c6 license.py: avoid deprecated ast.Str
* it's deprecated since python-3.12 and removed in 3.14 causing:

openembedded-core/meta/lib/oe/license.py', lineno: 176, function: visit
     0172:
     0173:        LicenseVisitor.__init__(self)
     0174:
     0175:    def visit(self, node):
 *** 0176:        if isinstance(node, ast.Str):
     0177:            lic = node.s
     0178:
     0179:            if license_ok(self._canonical_license(self._d, lic),
     0180:                    self._dont_want_licenses) == True:
Exception: AttributeError: module 'ast' has no attribute 'Str'

(From OE-Core rev: 1eb2137324202107baa5cadcfdd682629a9cc269)

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Leon Anavi
e91bc261dc connman: Upgrade 1.44 -> 1.45
Upgrade to release 1.45:

- Add missing newlines on error messages
- timezone: Replace Localtime file copy with symbolic link
- Fix CVE-2025-32366 vulnerability
- Fix CVE-2025-32743 vulnerability
- vpn: Fix extracting of PrefixLength D-Bus value
- vpn: Fix mem leak of gid_list in task setup
- dchpv6: Set err to 0 when client creation succeeds

(From OE-Core rev: c5fd636aa6f310e868ea29a72913ea96edcf57c5)

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Peter Marko
4f531677b8 vim: upgrade 9.1.1198 -> 9.1.1652
Handles CVE-2025-53905, CVE-2025-53906, CVE-2025-55157, CVE-2025-55158.

Changes between 9.1.1198 -> 9.1.1652
====================================
https://github.com/vim/vim/compare/v9.1.1198...v9.1.1652

Refresh patches.
Add tag to SRC_URI.

Disable newly introduced wayland support (in patch version 1485).
To this belongs also adding recursion in delete command for dir auto
which was newly failing as there is wayland directory inside now.
If someone is interested, this can be probably enabled, but without
additional work it results in compilation error due to function
redefinition conflicts.

(From OE-Core rev: e87d427d928234ef0441f9ce1fe8631fbe471094)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Khem Raj
851c7e56c3 findutils: Use C locale to run ptests
Ensure consistent locale setting, since we are not
using make environment to run the tests like
upstream does. The test scripts are run explicitly

This fixes a problem with musl ptest runs where the
locale-driven quoting ends up using C.UTF-8 quotes
in gnulib’s quotearg() end up with curly quotes
instead of ASCII quote character which is expected
and result is reported as failure even though numbers
are matching.

Fixes:

-find: invalid group name or GID argument to -group: '4294967296'
+find: invalid group name or GID argument to -group: ‘4294967296’

FAIL: tests/find/user-group-max.sh

(From OE-Core rev: 0e60d1169ee0ae0e6651951e9a917a0e24bee157)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Khem Raj
93ba61423c findutils: Drop setting gl_cv_func_wcwidth_works=yes
The issue seems to have been fixed for long time since 4.5.3 onwards

(From OE-Core rev: 6637e59d6bc03f8eb7cf75bc506307e249809ada)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Ross Burton
672c55172d babeltrace2: don't install static modules
There's no point building or installing static plugins, so apply a patch
to only build shared plugins.

Poky passes --disable-static via no-static-libs.inc, but anyone building
babeltrace2 with nodistro or another distro that doesn't use
no-static-libs.inc will fail to build babeltrace2 because of packaging
errors around the static version of the python plugin.

(From OE-Core rev: cf5ef8a2b6f509c348b9cf800a8534a4e8702103)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Ross Burton
dae1dcaa8f nghttp2: rewrite recipe to be an idiomatic library recipe
This recipe for nghttp2 doesn't build any of the binaries, just the core
library, but is structured like a recipe that is primarily an application
that happens to ship libraries.

Remove the lib${BPN} package and put the library into PN (which will then
be debian-renamed).

Use the shorthand option to just build the library.

Add documentation enabling/disabling options so we don't install the
docs if not needed. Currently there are no extra dependencies as the
sphinx-generated manpages are pre-built in the tarballs, but this could
change.

(From OE-Core rev: 0fe1fb05cf6b36d70d43b3bd245a53ac36d389fa)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:21 +01:00
Falk Bauer
47b1a709ab psplash: Do not mount PSPLASH_FIFO_DIR if the env variable is empty
The script file psplash.sh tries to mount the PSPLASH_FIFO_DIR variable.
If the variable is empty, the mountpoint command returns a usage text
(busybox mountpoint here, util-linux mountpoint behaves the same):

BusyBox v1.37.0 () multi-call binary.
Usage: mountpoint [-q] { [-dn] DIR | -x DEVICE } :~# BusyBox v1.37.0
() multi-call binary

The return code with this console output is 0 and the mount command in the
if statement is executed.
Then this mount also fails with an empty mountpoint argument.
The source code of psplash respects an empty PSPLASH_FIFO_DIR variable
(see psplash.c) and makes a fallback to "/run". So the psplash.sh script should
also respect the empty var.

Try to mount the PSPLASH_FIFO_DIR only if the variable is not empty.

(From OE-Core rev: 85a5e562c5969c407a222966ccb3170cb41fed2f)

Signed-off-by: Falk Bauer <falkbauer.git@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Khem Raj
0a8268ebd0 python3-rpds-py: Upgrade to 0.27.0
Allow packaging of wheels for riscv64 architecture

(From OE-Core rev: 56a32c0b0294d55e75ea54046fb1508f9ff17e4b)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Khem Raj
efbba14b4d python3: Pass PLATFORM_TRIPLET explicitly when cross compiling
Do not rely on how python detects the platform triplet

We have been lucky to get it cross-compiling since our build hosts
are also using glibc, so the headers and gcc install locations match
and the values it detects are mostly what we will need for glibc
based targets, but when we use musl e.g. the problems show up where
python3 is not able to automatically discover python modules so any
python package having compiled .so modules fail to load.

Example is ptest failures with TCLIBC = "musl"
and running core-image-ptest-python3-rpds-py

This is revamp of patch [1], currently it's working for glibc
based cross-compiling because we build on linux systems which are also
glibc based, but python on musl shows the problem.
When python was upgraded to 3.12 [2], this patch was wrongly dropped
and sadly regression went unnoticed, without this patch
Python's automatic module discovery does not work when it is cross-compiled
this is because it tries host tools and compiler installation during configure
to detect it. .so modules e.g. modulename.cpython-*.so are not seen as a result.

This is seen when running python3-rpds-py ptests where it should load
rpds.cpython-313-x86_64-linux-musl.so rpds.so but it does not and the module test
fail.

root@qemux86-64:/usr/lib/python3-rpds-py/ptest# python3 -c "
 import sysconfig
 import importlib.machinery
 print('Extension suffixes:', importlib.machinery.EXTENSION_SUFFIXES)
 print('Soabi:', sysconfig.get_config_var('SOABI'))
 print('Ext suffix:', sysconfig.get_config_var('EXT_SUFFIX'))
 print('Module suffix:', sysconfig.get_config_var('SO'))
 "
Extension suffixes: ['.cpython-313.so', '.abi3.so', '.so']
Soabi: cpython-313
Ext suffix: .cpython-313.so
Module suffix: None

And after fix it is.

root@qemux86-64:~# python3 -c "
 import sysconfig
 import importlib.machinery
 print('Extension suffixes:', importlib.machinery.EXTENSION_SUFFIXES)
 print('Soabi:', sysconfig.get_config_var('SOABI'))
 print('Ext suffix:', sysconfig.get_config_var('EXT_SUFFIX'))
 print('Module suffix:', sysconfig.get_config_var('SO'))
 "
Extension suffixes: ['.cpython-313-x86_64-linux-musl.so', '.abi3.so', '.so']
Soabi: cpython-313-x86_64-linux-musl
Ext suffix: .cpython-313-x86_64-linux-musl.so
Module suffix: None

[1] https://git.openembedded.org/openembedded-core/commit/?id=407744b00d702e3133304e1b43064a5634ca02cf
[2] https://git.openembedded.org/openembedded-core/commit/?id=716d82352545d3667a658b69d65d6127678dd150

(From OE-Core rev: 7bb157e48f5e5272db7506c7eb3118209dc3b35f)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Khem Raj
86f54ee3cd libc-test: Ignore fma math tests
(From OE-Core rev: 135a572cdb7c7cf487aa46ef1a5500b81593a30a)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Khem Raj
28eb7f6633 libc-test: Fix strptime and api/main tests
(From OE-Core rev: 124921683e9a0a1d981eaeea717c5dd7d35abf90)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Khem Raj
fa6f6b182c libc-test: Upgrade to tip of trunk
Brings following changes

functional: add mntent test
fix malloc-brk-fail
math: add fma(x,y,z) test cases for z=0 and x*y rounds to -0

(From OE-Core rev: 393ecfe64065aafdcc6c37d8374c9a3ece748d7a)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Khem Raj
a0c40abc3c elfutils: Add run-backtrace-{native|data}.sh to known failures
musl's thread startup/teardown sequences and frame-pointer handling
differ from glibc. elfutils can fail to terminate unwinds properly
in multithreaded musl apps which leads to truncated or bogus traces
and then the test's "must contain main" assertion fails.

Skip this test on musl systems

(From OE-Core rev: 6f89b8386b70d35cb27bb90348857ddecda5ed3e)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Khem Raj
542af25cfa lttng-tools: Fix build with libcxx runtime
(From OE-Core rev: d66afee0a040e4417db774425297ca43497f5386)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Khem Raj
fd0ba87ae0 lltng-tools: Fix build with lld linker
liblttng-ctl is exposing undefined symbols which are provided by
libcommon-gpl.a and is not linked into liblttng-ctl.so

(From OE-Core rev: a555a7525beebd4a6103755a6e6df6aa2e4ee7de)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Khem Raj
72d1535163 m4: Fix ptest on musl
Fixes
../../sources/m4-1.4.20/tests/test-c32ispunct.c:261: assertion 'is == 0' failed
./test-c32ispunct.sh: line 36:   402 Aborted
(core dumped) LC_ALL="$testlocale" ${CHECKER} ./test-c32ispunct${EXEEXT} 3

FAIL: test-c32ispunct.sh

(From OE-Core rev: f39537e8b84d0640fb8a7406ebf2396b532cdb57)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Peter Marko
16287e7cb4 Revert "dpkg: set status for CVE-2025-6297"
This reverts commit 5dce840ba8.

CVE entry was corrected in NVD DB.
It looks like NVD is now getting faster and more reliable with
annotations...

(From OE-Core rev: 3a5bfe4c4db692f10aab090a73c412eb75ea1bb5)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Cc: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Bruce Ashfield
5c6a3df824 linux-yocto/6.16: update CVE exclusions (6.16.2)
Data pulled from: https://github.com/CVEProject/cvelistV5

    1/1 [
        Author: cvelistV5 Github Action
        Email: github_action@example.com
        Subject: 2 changes (2 new | 0 updated): - 2 new CVEs: CVE-2025-9248, CVE-2025-9249 - 0 updated CVEs:
        Date: Wed, 20 Aug 2025 21:10:37 +0000

    ]

(From OE-Core rev: f7779d034bffcfacfb2c01daa6cdfbe2e412396c)

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Bruce Ashfield
9cd0057980 linux-yocto: introduce 6.16 reference kernels
Adding the 6.16 reference kernels as our latest reference for
the fall 2025 release.

This has been tested against:

  - x86, x86-64
  - ppc
  - mips, mips64
  - arm, arm64
  - riscv32, riscv64

The -standard, -rt and -tiny variants have been validated.

For various images. All testing done under qemu, hardware
references will follow later.

(From OE-Core rev: 9b15846663bb4997403f3692c4b6b5a80dd90d52)

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-25 17:47:20 +01:00
Khem Raj
e7423ae09e strace: Fix uio test and ignore pwritev|pwrite64 tests on musl
The pwritev and pwrite64 are wrappers over pwritev2 syscall in
musl but strace assumes glibc behavior, ignore them for now

(From OE-Core rev: 38f4f3bfbe2f9625737af15422423b00c32ee076)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00
Liu Yiding
9bdc31dcc9 nghttp2: remove nghttp2-proxy
fix issue that:
 | nothing provides nghttp2-proxy >= 1.66.0 needed by nghttp2-1.66.0-r0.core2_64 from base

nghttp2-proxy is supposed to involve files ${bindir}/nghttpx and ${datadir}/${BPN}/fetch-ocsp-response

But now nghttp2-proxy will not be created because:
1. ENABLE_APP=OFF in EXTRA_OECMAKE makes ${bindir}/nghttpx not be produced
2. 1.66.0 version has removed fetch-ocsp-response-file according to the Changelog

| cat /tmp/work/aarch64-ubinux-linux/nghttp2/1.66.0/sources/nghttp2-1.66.0/ChangeLog
| ....
| nghttpx: Remove OCSP stapling
|
| This commit removes OCSP stapling features and the following options
| are deprecated and have no effect:
|
| - fetch-ocsp-response-file
| - no-ocsp
| - no-verify-ocsp
| - ocsp-update-interval

(From OE-Core rev: 7008e2d00165991bf218ca2f96fb34244e518456)

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00
Khang D Nguyen
2ba3de2078 systemd.bbclass: deduplicate template and instance lines in preset file
If SYSTEMD_SERVICE contains both template and instance names, the
preset file will contain two lines: one describing the template name
and one describing the instance names.

This is problematic because systemd.preset only uses the first matching
one [1], leading to the instances not getting enabled.

For example, openbmc's obmc-console recipe has the following
final SYSTEMD_SERVICE variable:

```
SYSTEMD_SERVICE:obmc-console = " \
obmc-console@.service \
obmc-console-ssh@.service \
obmc-console-ssh@2200.service \
"
```

The resulting preset file will contain lines with the same name:

```
enable obmc-console@.service
enable obmc-console-ssh@.service
enable obmc-console-ssh@.service 2200
```

Fix this by interpreting the template name as a special case of empty
instances.

Tested: preset files are generated correctly:

```
enable obmc-console@.service
enable obmc-console-ssh@.service 2200
```

[1]: https://www.freedesktop.org/software/systemd/man/257/systemd.preset.html#Preset%20File%20Format

Fixes: f33d9b1f434e ("systemd.bbclass: generate preset for templates")
(From OE-Core rev: 7cdf10840c200a327b6336775698342af7212ee4)

Signed-off-by: Khang D Nguyen <khangng@os.amperecomputing.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00
Alexander Kanavin
11817b180e fragments/autobuilder: add go to SDK_TOOLCHAIN_LANGS
For reasons unknown, only rust was listed, which means
nativesdk-go was not built or tested, which led to
breakage like one fixed in
https://git.yoctoproject.org/poky/commit/?id=a669cd2e0c760da9d7e872daea9590fc9e86d766

Note that with this change only building and installing go
into SDKs is tested, but no tests are performed with the
toolchain itself in testsdk/testimage.

For that, a bug has been filed:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=15953

Remove go from x32 and mingw targets as it will not build for them.
(next to similar removals for rust)

(From OE-Core rev: 7f9e3c2c60a2d73b3728d07519471f0614c03130)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00
Alexander Kanavin
5f1aeaf606 goarch.bbclass: do not leak TUNE_FEATURES into crosssdk task signatures
The default assignments look like this:
TARGET_GO386 = "${@go_map_386(d.getVar('TARGET_ARCH'), d.getVar('TUNE_FEATURES'), d)}"

TUNE_FEATURES is a target-specific variable, and so should be used
only for target builds. The change is similar to what is already done
for native packages.

(From OE-Core rev: cfff8e968257c44880caa3605e158764ed5c6a2a)

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00
Osama Abdelkader
62e64c4a64 init-system-helpers: upgrade 1.68 -> 1.69
Changes:
Add postinst to hotfix an upgrade bug on certain newly live-installed
systems built using Trixie's live-build (Closes: #1111039)

Full changelog:
https://salsa.debian.org/debian/init-system-helpers/-/blob/debian/1.69/debian/changelog

(From OE-Core rev: 99a1a0a8116eabd31bc25252fdea9aee287d158b)

Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00
Joshua Watt
02c8355a81 spdx30_tasks: Change package license to declared
Per discussion with SPDX licensing group, the package license statements
classify as declared licenses, not concluded licenses.

Note that this is the same as a change made to the recipe licenses, just
for packages.

(From OE-Core rev: 61ba0ef1400a2fa3729473e496e8459cbbba73ad)

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00
Peter Marko
a1a8e1ee3e glib-2.0: patch CVE-2025-6052
Backport commits from [1] which references this CVE.

[1] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4681

(From OE-Core rev: 4b1166dd58cfd672ae326d0a1b1f6167be4877c5)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00
Peter Marko
48b9d34450 glib-2.0: update 2.84.2 -> 2.84.4
Overview of changes in GLib 2.84.4, 2025-08-08
==============================================
* Bugs fixed:
  - #3716 (CVE-2025-7039) (#YWH-PGM9867-104) Buffer Under-read on GLib through
    glib/gfileutils.c via get_tmp_file() (Michael Catanzaro)
  - #3721 GFile leak in g_local_file_set_display_name during error handling
    (Philip Withnall, Michael Catanzaro)
  - !4668 Backport !4667 “Incorrect output parameter handling in closure helper
    of g_settings_bind_with_mapping_closures” to glib-2-84
  - !4675 Backport !4674 “gfileutils: fix computation of temporary file name” to
    glib-2-84
  - !4679 Backport !4677 and !4678 “Fix GFile leak in
    g_local_file_set_display_name()” to glib-2-84
  - !4697 Backport !4696 “gthreadpool: Catch pool_spawner creation failure” to
    glib-2-84
  - !4705 Backport !4702 “gio/filenamecompleter: Fix leaks” to glib-2-84
  - !4711 Backport !4708 “gfilenamecompleter: Fix g_object_unref() of undefined
    value” to glib-2-84

Overview of changes in GLib 2.84.3, 2025-06-13
==============================================
* Bugs fixed:
  - !4656 Backport !4655 “gstring: Fix overflow check when expanding the string”
    to glib-2-84

!4656 solves first half of CVE-2025-6052

(From OE-Core rev: 1b78742a8685b43df82b74baf4518b3437472d93)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00
Osama Abdelkader
2610ae9e28 squashfs-tools: upgrade 4.7 -> 4.7.2
Changes:
Fix build with non-static include
print_pager: make inline quoted_bs_char() static

Release notes:
https://github.com/plougher/squashfs-tools/releases/tag/4.7.2

(From OE-Core rev: ccba60186ba9b71bce8f5158b423d09d9d1bb851)

Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00
Ricardo Salveti
34df6b71b9 initramfs-framework: mount /run and move to rootfs before switch_root
Mount /run as tmpfs during early init and include it in the set of
mounts moved to $ROOTFS_DIR prior to exec switch_root.

Having /run available early lets initramfs modules stamp state that can
later influence systemd service jobs, since systemd will reuse the mount
point instead of creating a new one during boot.

This is particularly useful with ostree, as it uses /run/ostree-booted
as a way to describe that the rootfs comes from an ostree deployment.

(From OE-Core rev: 3a4bd7ddefbf5b412a2b4031d491f5a50f1908cd)

Signed-off-by: Ricardo Salveti <ricardo@foundries.io>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00
Liu Yiding
81d31fbd6a gst-examples: upgrade 1.26.3 -> 1.26.5
Refer to release note, no changes this time
https://gstreamer.freedesktop.org/releases/1.26/#1.26.5

(From OE-Core rev: 72c3e493ab1899f39b89de9c41f5af2b0178f61b)

Signed-off-by: Liu Yiding <liuyd.fnst@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-08-21 10:29:56 +01:00