We use QEMU QMP python module to drive qemu in testimage. QMP uses
asyncIO and the method to get the event loop changed.
Backport the patches handling the depreciation to fix the error:
ERROR: core-image-minimal-1.0-r0 do_testimage: Error executing a python function in exec_func_python() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
*** 0002:do_testimage(d)
...
File: '.../openembedded-core/meta/lib/oeqa/utils/qemurunner.py', lineno: 332, function: launch
0331: from qmp.legacy import QEMUMonitorProtocol
*** 0332: self.qmp = QEMUMonitorProtocol(os.path.basename(qmp_port))
File: '.../build-ubuntu2604/tmp-glibc/work/qemux86_64-oe-linux/core-image-minimal/1.0/recipe-sysroot-native/usr/lib/qemu-python/qmp/legacy.py', lineno: 89, function: __init__
*** 0089: self._aloop = asyncio.get_event_loop()
File: '/usr/lib/python3.14/asyncio/events.py', lineno: 715, function: get_event_loop
0711:
0712: Returns an instance of EventLoop or raises an exception.
0713: """
0714: if self._local._loop is None:
*** 0715: raise RuntimeError('There is no current event loop in thread %r.'
0716: % threading.current_thread().name)
0717:
0718: return self._local._loop
Exception: RuntimeError: There is no current event loop in thread 'MainThread'.
Both patches are in Qemu 10.2 (OE Core master version)
(From OE-Core rev: 28bab00b35af8bbe3455c8266e4c792fa2367c5d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Update to add a fix for a function definition to work with glibc 2.43.
(From OE-Core rev: 689bd1811c2300263a8a86ba3b46bbc6b1622323)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 7d35b0e7929d666af783db835a3a809f8f6ce429)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a
Denial-of-Service issue has been found that leads to memory exhaustion
from malformed RELATIVE-OID with excessive continuation octets. This
vulnerability is fixed in 0.6.2.
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-23490
(From OE-Core rev: 205d360b49c7bbaa8709cb5a0b2e57457c32ad22)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
When running glibc tests under user mode NFS, tst-syslog was causing a hang. The
hang was traced to unfsd exitting with a buffer overflow being detected.
This was traced down to mksocket() where we'd see:
socket path '/media/build/poky/build/build-st-2118464/tmp/work/x86-64-v3-poky-linux/glibc-testsuite/2.42+git/build-x86_64-poky-linux/testroot.root/dev/log' is too long at 141 vs 108
There is a length check in mknod_args() but obj may not be setup at this point by
cat_name() since the functions can be executed out of order according to C.
To avoid this, make the order explict. This means the length is checked and we
avoid the buffer overflow. This will likely cause the glibc test to fail however
it won't hang, which is a win.
[YOCTO #16113]
(From OE-Core rev: 34f34512e5eeefc24b36b102a36fc90f14e2f7d2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
(cherry picked from commit e51d5e19cb1ba1d5ad7442064b64821d178bc9ca)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Both CVEs are disputed by third parties. The observed behavior
(double free / invalid pointer free in readelf) only occurred in
pre-release code and did not affect any tagged version [1][2].
CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
[1] https://www.cve.org/CVERecord?id=CVE-2025-69650
[2] https://www.cve.org/CVERecord?id=CVE-2025-69651
(From OE-Core rev: 55a0d8abad8a81f7d900557c2eb2d9327ee115df)
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
(cherry picked from commit 9c6df56fe18237880c391798c2083dca595566f4)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
CVE-2026-26007 is fixed upstream in version 46.0.5.
Our current version (42.0.5, scarthgap) is still reported as vulnerable
by NVD.
Backport the upstream fix to address this CVE.
Upstream commit:
0eebb9dbb6
CVE report:
https://nvd.nist.gov/vuln/detail/CVE-2026-26007
(From OE-Core rev: a363958725430237160b0a83a6a6acbe8380fba3)
Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
pip vendors distlib which ships Windows launcher template binaries
(*.exe) under pip/_vendor/distlib. These files are only used on
Windows systems but are installed and packaged for target, native,
and nativesdk builds.
Remove the distlib *.exe templates when not building for a mingw
(mingw32/mingw64) host to avoid shipping unused Windows binaries and
reduce package noise.
(From OE-Core rev: 9f2a6cfda6a2305f52411ca8121f27c8a5a91fa2)
Signed-off-by: Krupal Ka Patel <krkapate@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 90d208fbb06b6e6b5aaddb0048fd6e2e1d46c8bd)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
setuptools installs Windows launcher executables (cli*.exe, gui*.exe)
into site-packages. These binaries are only used on Windows platforms
but are packaged for target, native, and nativesdk builds.
Remove the Windows launcher executables when not building for a mingw
(mingw32/mingw64) host to avoid shipping unused Windows binaries.
(From OE-Core rev: a618c504ba69d20eec08944c577b15a48b1ac578)
Signed-off-by: Krupal Ka Patel <krkapate@cisco.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cf7c79f3962f2be99cfda47e8cc730091e6a18cb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Commit 6a1ae4e792 (go 1.22.12: Fix CVE-2025-61726, 2026-02-11)
introduced a patch backporting a fix for CVE-2025-61726, but
this patch also introduced a bug.
From Go's source code[1], they say that the 'All' table from 'godebugs'
should be populated alphabetically by Name. And 'Lookup'[2] function uses
binary search to try and find the variable.
Here's the trace:
Mar 06 11:33:33 toradex-smarc-imx95-12594035 systemd[1]: Started Docker Application Container Engine.
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: 2026/03/06 11:34:53 http: panic serving @: godebug: Value of name not listed in godeb
ugs.All: urlmaxqueryparams
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: goroutine 78 [running]:
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*conn).serve.func1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/server.go:1903 +0xb0
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End.deferwrap1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:383 +0x2c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk/trace.(*recordingSpan).End(0x40011b4a80, {0x0, 0x0, 0x40
006441c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: go.opentelemetry.io/otel/sdk@v1.19.0/trace/span.go:421 +0x898
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: panic({0x55743e8740?, 0x4000b526c0?})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: runtime/panic.go:770 +0x124
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value.func1()
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:141 +0xd8
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).doSlow(0x22?, 0x55748a9b60?)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:74 +0x100
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync.(*Once).Do(...)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: sync/once.go:65
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug.(*Setting).Value(0x5575b21be0)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: internal/godebug/godebug.go:138 +0x50
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.urlParamsWithinMax(0x1)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:968 +0x3c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.parseQuery(0x400069a630, {0x0, 0x0})
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:985 +0xdc
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url.ParseQuery(...)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/url/url.go:958
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http.(*Request).ParseForm(0x4000bdab40)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: net/http/request.go:1317 +0x33c
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils.ParseForm(0x0?)
Mar 06 11:34:53 toradex-smarc-imx95-12594035 dockerd[839]: github.com/docker/docker/api/server/httputils/httputils.go:104 +0x20
The 'Lookup' function was failing due to the wrong ordering and returning 'nil',
which was not being checked properly and caused this issue.
The fix was to just reorder the line where 'urlmaxqueryparams' is being
added to respect the alphabetical ordering. And for that the whole CVE
patch was generated again.
This change was validated with docker-moby (original issue), where a container
run successfully and no traces in the logs.
[1] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L20
[2] https://github.com/golang/go/blob/master/src/internal/godebugs/table.go#L100
(From OE-Core rev: b670b11ff4845b64f861041681ace9c21db16eed)
Signed-off-by: Eduardo Ferreira <eduardo.barbosa@toradex.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
We're seeing occasional autobuilder failures with tar issues related to openat2.
It appears there are definitions missing on debian 11 and opensuse 15.5 systems
which mean the openat2 syscall intercept isn't compiled in. This then triggers
on systems using the openat2 syscall, such as alma9 where it is used in a tar
CVE fix.
This updates to include the fix from upstream pseudo (along with a compile warning
fix).
This was tested by taking sstate for pseudo-native from a debian 11 system and using
it in a build of "bitbake nativesdk-git -c install" on a alma9 system where that task
failed. After this fix, it completes.
(From OE-Core rev: 34b74540ee497e2cc89211d7aa2772097b6fa79b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c20c05b324e5d6564c8554381019170839509bb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Pulls in the following changes:
Makefile.in: Bump version to 1.9.3
configure: Minor code quality changes
pseudo: code quality scan - resolved various potential issues
makewrappers: improve error handling and robustness
Update COPYRIGHT files
ports/linux/pseudo_wrappers.c: Call the wrappers where possible
ports/linux/pseudo_wrappers.c: Workaround compile error on Debian 11
ports/linux/pseudo_wrappers.c: Reorder the syscall operations
ports/unix/guts/realpath.c: Fix indents
pseudo_util.c: Skip realpath like expansion for /proc on Linux
test/test-proc-pipe.sh: Add test case for proc pipes
ports/unix/guts/realpath.c: realpath fails if the resolved path doesn't exist
(From OE-Core rev: 7a05347a6418bfb6126e3a601489dc71efb0d2fc)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 524f4bbb11f9c7e0126e8bd46af217b452d48f5e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The pseudo update was causing hangs in builds, pull in the fix.
(From OE-Core rev: a845c75096c381f45c13451b1baedc7774e4eff2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8acdbefd0a148c8b7713f46066ae8489984c5d2d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Pulls in the following fixes:
* makewrappers: Enable a new efault option
* ports/linux/openat2: Add dummy wrapper
* test-syscall: Add a syscall test
* ports/linux/pseudo_wrappers: Avoid openat2 usage via syscall
which should fix issues with the tar CVE fix on Centos/Alma/Rocky 9 distros
that uses openat2 as well as the efault issue breaking rust based uutils.
(From OE-Core rev: a872357343b29530d05823368cfc8863a798412d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 51f1388dd1679a28ec3ca468cf16aa0ea32bccf9)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Where a task (such as do_package) runs under fakeroot, the corresponding
setscene task (do_package_setscene) will also run under fakeroot when
restoring from sstate. Assuming pseudo is used as the fakeroot
implementation, we need pseudo-native and all its runtime dependencies
to be available in the sysroot before running any setscene tasks under
fakeroot.
We already add a hard dependency from all do_package_setscene tasks to
virtual/fakeroot-native:do_populate_sysroot in base.bbclass, but this
does not cover transitive dependencies. So, extend the dependencies of
pseudo-native:do_populate_sysroot_setscene to ensure that the sqlite3
library is also available in the sysroot before running fakeroot
setscene tasks.
[YOCTO #15963]
(From OE-Core rev: c73e9513f26cd9e073fc2eb0a67378ad7864d677)
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c146ca657440550e00bc5e53d13502ef7aa945b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Per ruby maintenance policy [1], the 3.3.x branch should be still in normal
maintenance, so upgrade to the latest version 3.3.10 to fix many security
issues and bugs.
Remove the fix for CVE-2025-27219, CVE-2025-27220 and CVE-2025-27221 as
these fixes have been included in the new version.
[1] https://www.ruby-lang.org/en/downloads/branches/
(From OE-Core rev: bad372ad8ec33334c6a74c077bf975851c1e59d2)
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
