We encountered an issue when running python scripts provided by
python3-fail2ban. The shebang '#!/usr/bin/env python3' was replaced by
'#!python', which caused these scripts to fail to run.
For example:
$ head -n 1 /usr/bin/fail2ban-testcases
#!python
$ /usr/bin/fail2ban-testcases
-sh: /usr/bin/fail2ban-testcases: cannot execute: required file not found
This issue was introduced by commit[1] in python3-setuptools 75.3.2. See
the upstream issue report[2] for more information.
Backport patches from [3] to fix this issue.
[1] c71266345c
[2] https://github.com/pypa/setuptools/issues/4934
[3] https://github.com/pypa/distutils/pull/358
(From OE-Core rev: d728ec95291f05cbfb436eabe8717ebe9a0dc11d)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When Bash runs with 'set -u' (nounset), accessing an unset variable
directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable"
error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR
is never triggered and the script aborts.
The current code assumes these variables may be unset or empty, but does
not guard against 'set -u'. This breaks builds in stricter shell
environments or when users explicitly enable 'set -u'.
Fix this by using parameter expansion with a default value, e.g.
"${SSL_CERT_FILE:-}", so that unset variables are treated as empty
strings. This preserves the intended logic (respect host env first, then
CAFILE/CAPATH, then buildtools defaults) and makes the script robust
under 'set -u'.
(From OE-Core rev: 3d161e94ad532f660d4a0259a32e26a32ea0c75d)
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4d880c2eccd534133a2a4e6579d955605c0956ec)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
For /usr/lib/rpm/macros, Yocto explicitly set OECMAKE_FIND_ROOT_PATH_MODE_PROGRAM
= "ONLY" [1][2] to search tools from CMAKE_FIND_ROOT_PATH [5] which locates in
native recipe sysroot or HOSTTOOLS_DIR. If found in native recipe sysroot or
HOSTTOOLS_DIR, the sed operation removed leading `/'
root@qemux86-64:~# vi /usr/lib/rpm/macros
...
%__xz usr/bin/xz
%__make usr/bin/make
%__zstd usr/bin/zstd
%__quilt usr/bin/quilt
%__patch usr/bin/patch
...
root@qemux86-64:~# rpm --eval "%{__xz} %{__make} %{__zstd} %{__quilt} %{__patch}"
usr/bin/xz usr/bin/make usr/bin/zstd usr/bin/quilt usr/bin/patch
This commit keeps leading `/' from sed operation, and similar reason for
/usr/lib/cmake/rpm/rpm-targets.cmake
After applying this commit:
root@qemux86-64:~# rpm --eval "%{__xz} %{__make} %{__zstd} %{__quilt} %{__patch}"
/usr/bin/xz /usr/bin/make /usr/bin/zstd /usr/bin/quilt /usr/bin/patch
[1] https://git.openembedded.org/openembedded-core/commit/?id=f4ea12f6635125ee793f4dd801c538c0186f9dc3
[2] https://cmake.org/cmake/help/latest/variable/CMAKE_FIND_ROOT_PATH_MODE_PROGRAM.html
(From OE-Core rev: 32486bb4c5401b0a59470a37505f60f71da6c2c7)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(master rev: 0d0773879ab9520c475c4a8c930b2e663de0e032)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
While no usrmerge in sysvinit, some tools defined in rpm macro have wrong path
$ echo 'INIT_MANAGER="sysvinit"' >> conf/local.conf
$ echo 'IMAGE_INSTALL:append = " rpm busybox"' >> conf/local.conf
$ bitbake core-image-minimal
$ runqemu tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64.rootfs.qemuboot.conf
root@qemux86-64:~# which sed tar rm mkdir cp cat chown chmod gzip grep mv
/bin/sed
/bin/tar
/bin/rm
/bin/mkdir
/bin/cp
/bin/cat
/bin/chown
/bin/chmod
/bin/gzip
/bin/grep
/bin/mv
root@qemux86-64:~# rpm --eval "%{__sed} %{__tar} %{__rm} %{__mkdir} %{__cp} %{__cat} %{__chown} %{__chmod} %{__gzip} %{__grep} %{__mv}"
/usr/bin/sed /usr/bin/tar /usr/bin/rm /usr/bin/mkdir /usr/bin/cp /usr/bin/cat /usr/bin/chown /usr/bin/chmod /usr/bin/gzip /usr/bin/grep /usr/bin/mv
Here to explain how __rm was set in rpm during build. The build system
of rpm is cmake. Take rpm rpm-4.19.x for example:
The '__RM rm' is defected by findutil [1], and function findutil
calls find_program to search for tool, if not found on host, then
hardcode with "/usr/bin" prefix [2]
Yocto explicitly set OECMAKE_FIND_ROOT_PATH_MODE_PROGRAM = "ONLY" [3][4]
to search tools from CMAKE_FIND_ROOT_PATH [5] which locates in recipe sysroot,
if not found in recipe sysroot, hardcode with "/usr/bin" prefix
If "${base_bindir}" != "${bindir}, explicitly correct tools in rpm
macros, use ${base_bindir} to instead original ${bindir}. Only do the
operation for target, it is not necessary for native and nativesdk,
because most host distribution supports usrmerge
After applying this commit, on target:
root@qemux86-64:~# rpm --eval "%{__sed} %{__tar} %{__rm} %{__mkdir} %{__cp} %{__cat} %{__chown} %{__chmod} %{__gzip} %{__grep} %{__mv}"
/bin/sed /bin/tar /bin/rm /bin/mkdir /bin/cp /bin/cat /bin/chown /bin/chmod /bin/gzip /bin/grep /bin/mv
root@qemux86-64:~# ls /bin/sed /bin/tar /bin/rm /bin/mkdir /bin/cp /bin/cat /bin/chown /bin/chmod /bin/gzip /bin/grep /bin/mv
/bin/cat /bin/chmod /bin/chown /bin/cp /bin/grep /bin/gzip /bin/mkdir /bin/mv /bin/rm /bin/sed /bin/tar
In order to save size, this commit does not add these tools to
runtime depends, user should explicitly add them if necessary
(such as use rpm to build packages)
[1] https://github.com/rpm-software-management/rpm/blob/rpm-4.19.x/CMakeLists.txt#L121
[2] https://github.com/rpm-software-management/rpm/blob/rpm-4.19.x/CMakeLists.txt#L59
[3] https://git.openembedded.org/openembedded-core/commit/?id=f4ea12f6635125ee793f4dd801c538c0186f9dc3
[4] https://cmake.org/cmake/help/latest/variable/CMAKE_FIND_ROOT_PATH_MODE_PROGRAM.html
[5] https://git.openembedded.org/openembedded-core/tree/meta/classes-recipe/cmake.bbclass?id=f4ea12f6635125ee793f4dd801c538c0186f9dc3#n123
(From OE-Core rev: 3958989d976fb429c84b12427bab3db0bc0d5d16)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(master rev: c89c7177be2df5d2be44478a6ac43b35ad46db9e)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit [1] mentioned in [2].
[1] e51fdff7d2
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-8225
Testsuite did not show any changes in results:
=== binutils Summary ===
# of expected passes 310
# of unexpected failures 1
# of untested testcases 1
# of unsupported tests 9
(From OE-Core rev: 3d79514f90a6f731a5333417641500b8e52e410a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Commit mentioned in CVE report is already included in current hash.
Can be verified by trying to cherry-pick.
(From OE-Core rev: c7297f46efa410a9204d3d386d307deada967bb6)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* on hosts with gcc-15 or whenever glib PACKAGECONFIG isn't enabled
and pkgconfig uses own old bundled glib
* fixes:
http://errors.yoctoproject.org/Errors/Details/853015/
../../../git/glib/glib/goption.c:169:14: error: two or more data types in declaration specifiers
169 | gboolean bool;
| ^~~~
../../../git/glib/glib/goption.c:169:18: warning: declaration does not declare anything
169 | gboolean bool;
| ^
(From OE-Core rev: 092ee1703d81b8aaed452189dd329320483087d3)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In binutils 2.44, application names were changed from the gp- prefix
(e.g., gp-display-text, gp-archive) to the gprofng- prefix
(e.g., gprofng-display-text, gprofng-archive). Temporary gp-*
symlinks were added to maintain compatibility with the older
gprofng-gui.
However, these compatibility symlinks did not support cross-platform
toolchain prefixes, which resulted in broken gp-* symbolic links.
Support for cross-platform prefixes are added upstream in binutils 2.45,
so this change backports that fix to resolve broken symlinks issue.
Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=90803ffdcc4d8c3d17566bf8dccadbad312f07a9]
(From OE-Core rev: 55684a63904365d8a6ab2a8ce9e091f29b0b7df5)
Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upgrade to latest 1.24.x release [1]:
$ git --no-pager log --oneline go1.24.5..go1.24.6
7f36edc26d [release-branch.go1.24] go1.24.6
83b4a5db24 [release-branch.go1.24] database/sql: avoid closing Rows while scan is in progress
0f5133b742 [release-branch.go1.24] os/exec: fix incorrect expansion of "", "." and ".." in LookPath
6e1c4529e4 [release-branch.go1.24] cmd/compile: for arm64 epilog, do SP increment with a single instruction
731de13dc3 [release-branch.go1.24] os/user: user random name for the test user account
390ffce7d6 [release-branch.go1.24] runtime: prevent unnecessary zeroing of large objects with pointers
b454859a8a [release-branch.go1.24] runtime: stash allpSnapshot on the M
Fixes CVE-2025-47906 and CVE-2025-47907 [2].
[1] https://github.com/golang/go/compare/go1.24.5...go1.24.6
[2] https://groups.google.com/g/golang-announce/c/x5MKroML2yM
(From OE-Core rev: a348c04d449c0ba36b2ef278bea08919f0e6d19f)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
(cherry picked from commit f3072c210ac0a1e4d8046d920c3ebc29f9916b72)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability classified as problematic was found in GNU elfutils 0.192.
This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c
of the component eu-strip. The manipulation leads to denial of service. It is possible
to launch the attack on the local host. The complexity of an attack is rather high. The
exploitation appears to be difficult. The exploit has been disclosed to the public and
may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is
recommended to apply a patch to fix this issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-1376https://ubuntu.com/security/CVE-2025-1376
Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918
(From OE-Core rev: 603881e34e3bbb7435f0ae91553036eef7f1cb06)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability has been found in GNU elfutils 0.192 and classified as critical.
This vulnerability affects the function __libdw_thread_tail in the library
libdw_alloc.c of the component eu-readelf. The manipulation of the argument w
leads to memory corruption. The attack can be initiated remotely. The complexity
of an attack is rather high. The exploitation appears to be difficult. The exploit
has been disclosed to the public and may be used. The name of the patch is
2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to
fix this issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-1352https://ubuntu.com/security/CVE-2025-1352
Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753
(From OE-Core rev: 9f104c2005975c1dce6e67b23e34ab5a2e8f85ab)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There is a defect in the CPython “tarfile” module affecting the
“TarFile” extraction and entry enumeration APIs. The tar implementation
would process tar archives with negative offsets without error,
resulting in an infinite loop and deadlock during the parsing of
maliciously crafted tar archives. This vulnerability can be mitigated
by including the following patch after importing the “tarfile” module:
https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-8194
Upstream-patch:
cdae923ffe
(From OE-Core rev: c0f1143ca3f189fc6346a445a381829aed78aae8)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Git v2.49.1 Release Notes
=========================
This release merges up the fixes that appear in v2.43.7, v2.44.4,
v2.45.4, v2.46.4, v2.47.3, and v2.48.2 to address the following CVEs:
CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835,
CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386. See the release
notes for v2.43.7 for details.
It also contains some updates to various CI bits to work around and/or
to adjust to the deprecation of use of Ubuntu 20.04 GitHub Actions CI,
updates to to Fedora base image.
(From OE-Core rev: e46903948f991eeec49567b585c7c31f3ece742a)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The rv32-cargo-rustix-0.38.38-fix.patch file contains a malformed hunk
header at line 83 (@ -71,10 +71,10 @@), where a single '@' is used
instead of the required '@@'. Due to this, the subsequent hunks are not
applied during patching.
This causes a compilation error in the rustix crate:
error[E0603]: constant import `FICLONE` is private
--> vendor/rustix-0.38.37/src/fs/ioctl.rs:82:57
|
82 | const OPCODE: ioctl::Opcode = ioctl::Opcode::old(c::FICLONE as ioctl::RawOpcode);
| ^^^^^^^ private constant import
Fixing the hunk header ensures the patch is applied correctly and
resolves the build issue.
(From OE-Core rev: 2e5234204922d08eba18812d297f469779d80c82)
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upgrade to latest 1.24.x release [1]:
$ git --no-pager log --oneline go1.24.4..go1.24.5
9d828e80fa (tag: go1.24.5) [release-branch.go1.24] go1.24.5
825eeee3f7 [release-branch.go1.24] cmd/go: disable support for multiple vcs in one module
dbf30d88f3 [release-branch.go1.24] cmd/link: permit a larger size BSS reference to a smaller DATA symbol
6b51660c8c [release-branch.go1.24] runtime: set mspan limit field early and eagerly
cc604130c8 [release-branch.go1.24] runtime: prevent mutual deadlock between GC stopTheWorld and suspendG
21b488bb60 [release-branch.go1.24] runtime: handle system goroutines later in goroutine profiling
e038690847 [release-branch.go1.24] cmd/go/internal/fips140: ignore GOEXPERIMENT on error
1575127ef8 [release-branch.go1.24] runtime: add missing unlock in sysReserveAlignedSbrk
7d08a16fba [release-branch.go1.24] cmd/compile/internal/ssa: fix PPC64 merging of (AND (S[RL]Dconst ...)
5f2cbe1f64 [release-branch.go1.24] cmd/compile: do nil check before calling duff functions, on arm64 and amd64
Fixes CVE-2025-4674 [2].
[1] https://github.com/golang/go/compare/go1.24.4...go1.24.5
[2] https://groups.google.com/g/golang-announce/c/gTNJnDXmn34
(From OE-Core rev: a3cc5038ea10a4857627e6f4de25bdc43023a349)
(From OE-Core rev: 631afac9d81346a5d5b2e2a073ad4664c780e9af)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There are new CVEs reported for this recipe which are not for this
componene, but for a component with same name from apache.
sqlite> select vendor, product, id, count(*) from products where product like 'orc' group by vendor, product, id;
apache|orc|CVE-2018-8015|1
apache|orc|CVE-2025-47436|4
gstreamer|orc|CVE-2024-40897|1
(From OE-Core rev: 4367e4cc527278b7e9edc08752014e71566e0068)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
- Skip the test_rm_r_no_permissions test under the root user, as
deletion always succeeds.
- Filter out tests under the -ext- directory in run-ptest. Due to the
commit [1],the packaging of .so test files under the .ext directory
was removed. As a result, adjust the test filtering rules to avoid
test failures caused by missing files.
- Add installation of rdoc.rb and did_you_mean.rb files in
do_install_ptest to ensure complete test dependencies.
[1] https://git.openembedded.org/openembedded-core/commit/meta/recipes-devtools/ruby?id=4d4485442830bb52b152f0419f4ff9f1d581d46a
(From OE-Core rev: e2686031a0ee8c6e24898b70059d1a50e956625d)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Below commits on binutils-2.44 stable branch are updated.
b09cf42d51e ld/PE: special-case relocation types only for COFF inputs
f0019390d12 s390: Prevent GOT access rewrite for misaligned symbols
452f5511154 x86: Check MODRM for call and jmp in binutils older than 2.45
4058d5a38a1 ld: fix C23 issue in vers7 test
Test Results:
Before After Diff
No. of expected passes 310 310 0
No. of unexpected failures 1 1 0
No. of untested testcases 1 1 0
No. of unsupported tests 9 9 0
Testing was done and there were no regressions found
(From OE-Core rev: bf237c02ac3f49b367601063aba28c8d09cd8be8)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There are two "new" CVEs reported for python3, their CPEs are:
* CVE-2020-1171: cpe:2.3🅰️microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3🅰️microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
These are for "Visual Studio Code Python extension".
Solve this by addding CVE vendor to python CVE product to avoid
confusion with Microsoft as vendor.
Examining CVE DB for historical python entries shows:
sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2
Note that this already shows that cpython product is not used, so
CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c
was updated.
But let's keep it for future in case new CVE starts with that again.
(From OE-Core rev: 8659e3537facbf3f5f5a5080137be4d9faf9c970)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The SRC_URI is changed to git://gitlab.eclipse.org/eclipse/tcf/tcf.agent.git
(From OE-Core rev: f359677709aba80735a38578475a34e1b83d321c)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
libnsl2 and libtirpc were build dependencies for the nis module.
The nis module was deprecated in Python 3.11 and removed in Python 3.13
(From OE-Core rev: cbc7b1ed7747ef69d8bcbaee27c90560ded713d6)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
setuptools is a package that allows users to download, build, install,
upgrade, and uninstall Python packages. A path traversal vulnerability
in `PackageIndex` is present in setuptools prior to version 78.1.1. An
attacker would be allowed to write files to arbitrary locations on the
filesystem with the permissions of the process running the Python code,
which could escalate to remote code execution depending on the context.
Version 78.1.1 fixes the issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47273
Upstream-patch:
d8390feaa9250a6d1797
(From OE-Core rev: cfb2d77f841ae21cae0ba7d6263dc3e1e0280400)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
urllib3 is a user-friendly HTTP client library for Python. Prior
to 2.5.0, urllib3 does not control redirects in browsers and
Node.js. urllib3 supports being used in a Pyodide runtime utilizing
the JavaScript Fetch API or falling back on XMLHttpRequest. This
means Python libraries can be used to make HTTP requests from a
browser or Node.js. Additionally, urllib3 provides a mechanism to
control redirects, but the retries and redirect parameters are
ignored with Pyodide; the runtime itself determines redirect
behavior. This issue has been patched in version 2.5.0.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50182
Upstream patch:
7eb4a2aafe
(From OE-Core rev: 082b865d9814e7e7aca4466551a035199aa8b563)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
urllib3 is a user-friendly HTTP client library for Python. Prior to
2.5.0, it is possible to disable redirects for all requests by
instantiating a PoolManager and specifying retries in a way that
disable redirects. By default, requests and botocore users are not
affected. An application attempting to mitigate SSRF or open redirect
vulnerabilities by disabling redirects at the PoolManager level will
remain vulnerable. This issue has been patched in version 2.5.0.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50181
Upstream patch:
f05b132912
(From OE-Core rev: 819273b5b8b9279c01035cb72377fd8cbb51a198)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
ctest automatically optimizes the order of (parallel) test execution based on
historic test case runtime via the COST property (see [0]), which can have a
significant impact on overall test run times. Sadly this feature is broken in
CMake < 4.0.0 for test cases that have spaces in their name (see [1]).
This commit backports the upstream fix. As repeated test runs are expected to
mainly take place inside the SDK, the patch is only applied to 'nativesdk'
builds.
[0]: https://cmake.org/cmake/help/latest/prop_test/COST.html
[1]: https://gitlab.kitware.com/cmake/cmake/-/issues/26594
Reported-By: John Drouhard <john@drouhard.dev>
(From OE-Core rev: ead0d06d6335fb74c1ae0dc7bdcf414c66b3e4ab)
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit dcbaf42dd74cc0bda7254856589613718ed3f057)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
NVD ([1]) tracks this as:
cpe:2.3🅰️golang:go:*:*:*:*:*:*:*:*
Running on/with
cpe:2.3⭕microsoft:windows:-:*:*:*:*:*:*:*
Yocto cve-check ignores the "Running on/with", so it needs to be ignored
explicitly.
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-3566
(From OE-Core rev: c43a9f7ca85f1c25a72f7b1efa494e30d6cf4906)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
GCC 14.3 is a bug-fix release from the GCC 14 branch
containing important fixes for regressions and serious bugs in
GCC 14.2 with more than 211 bugs fixed since the previous release.
https://gcc.gnu.org/bugzilla/buglist.cgi?bug_status=RESOLVED&resolution=FIXED&target_milestone=14.3
Dropped the below patches:
0026-gcc-Fix-c-tweak-for-Wrange-loop-construct.patch
a9f88741a9
0027-gcc-backport-patch-to-fix-data-relocation-to-ENDBR-s.patch
aa4cd61445
0028-fix-incorrect-preprocessor-line-numbers.patch
8cbe033a8a
0001-arm-Fix-LDRD-register-overlap-PR117675.patch
9366c32851
gcc.git-ab884fffe3fc82a710bea66ad651720d71c938b8.patch
ab884fffe3
(From OE-Core rev: aa59bbbbedb25d772648c4cb1498b34b43efb0fb)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upgrade to latest 1.24.x release [1]:
$ git --no-pager log --oneline go1.24.3..go1.24.4
6796ebb2cb [release-branch.go1.24] go1.24.4
85897ca220 [release-branch.go1.24] net/http: strip sensitive proxy headers from redirect requests
9f9cf28f8f [release-branch.go1.24] os: don't follow symlinks on Windows when O_CREATE|O_EXCL
a31c931adf [release-branch.go1.24] cmd/link: allow linkname reference to a TEXT symbol regardless of size
03811ab1b3 [release-branch.go1.24] crypto/x509: decouple key usage and policy validation
04a9473847 [release-branch.go1.24] lib/fips140: set inprocess.txt to v1.0.0
db8f1dc948 [release-branch.go1.24] hash/maphash: hash channels in purego version of maphash.Comparable
664cf832ec [release-branch.go1.24] runtime/debug: document DefaultGODEBUG as a BuildSetting
431f75a0b9 [release-branch.go1.24] os: fix Root.Mkdir permission bits on OpenBSD
Fixes CVE-2025-4673, CVE-2025-0913 and CVE-2025-22874 [2].
[1] https://github.com/golang/go/compare/go1.24.3...go1.24.4
[2] https://groups.google.com/g/golang-announce/c/ufZ8WpEsA3A
(From OE-Core rev: 50fe0b3832f741bc7f9ea0b996a7e99c5696c0ba)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Refresh patches.
* https://www.python.org/downloads/release/python-3134/
Security content in this release
* gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330]
[CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed
tarfile extraction filters (filter="data" and filter="tar") to be
bypassed using crafted symlinks and hard links.
* gh-133767: Fix use-after-free in the “unicode-escape” decoder with a
non-“strict” error handler.
* gh-128840: Short-circuit the processing of long IPv6 addresses early
in ipaddress to prevent excessive memory consumption and a minor
denial-of-service.
gh-133767 got meawhile CVE-2025-4516 assigned.
(From OE-Core rev: 55a9cd748531c75d46f5d6d53af692a38c6b6716)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Even with our fixes in deterministic_imports.patch the
importlib.metadata package scan was still returning Distribution objects
for empty directories. This interacts badly with rebuilds when recipes
are changing as when a recipe is removed from the sysroot directories
are not removed[1].
In particular this breaks python3-meson-python-native rebuilds when
Meson upgrades from 1.7 to 1.8: the site-packages directory has an empty
meson-1.7.dist-info/ and populated meson-1.8.dist-info/. Whilst it's
deterministic to return the empty 1.7 first, this breaks pypa/build as
it looks through the distributions in order.
We had discussed this with upstream previously and there's a more
comprehensive fix upstream (actually in importlib_metadata, not cpython)
which ensures that valid distribution objects are listed first. So we
can drop our patch and replace it with a backport to fix these rebuilds.
[1] oe-core 4f94d929639 ("sstate/staging: Handle directory creation race issue")
(From OE-Core rev: 73de8daa6293403f5b92d313af32882c47bce396)
(From OE-Core rev: 1c1b651038e15445c495d87c38beeb92f00d9919)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Since 3.51.0, python3-pygobject depends on libgirepository 2.0 provided
by glib-2.0 instead of libgirepository 1.0 provided by
gobject-introspection[1]. It still needs the typelib files from
libgirepository-1.0 package. Add gobject-introspection as a runtime
dependency.
Fixes:
$ python3
Python 3.13.2 (main, Feb 4 2025, 14:51:09) [GCC 14.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import gi
>>> from gi.repository import Gtk
Traceback (most recent call last):
File "/usr/lib64/python3.13/site-packages/gi/importer.py", line 139, in create_module
introspection_module = get_introspection_module(namespace)
File "/usr/lib64/python3.13/site-packages/gi/module.py", line 243, in get_introspection_module
module = IntrospectionModule(namespace, version)
File "/usr/lib64/python3.13/site-packages/gi/module.py", line 111, in __init__
repository.require(namespace, version)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
gi.RepositoryError: Typelib file for namespace 'xlib', version '2.0' not found
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "<python-input-1>", line 1, in <module>
from gi.repository import Gtk
File "/usr/lib64/python3.13/site-packages/gi/importer.py", line 141, in create_module
raise ImportError(e) from e
ImportError: Typelib file for namespace 'xlib', version '2.0' not found
[1] https://gitlab.gnome.org/GNOME/pygobject/-/merge_requests/320
(From OE-Core rev: 6f9e02292c9305e795f2651c3bb6ef5b671e1c74)
(From OE-Core rev: e3fa9ef3239e8bc113e211f5258f84d08284872a)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Resolve static assertion failures caused by incorrect line numbers
after #include directives, introduced by the backport of PR108900 to GCC.
Update line map handling to correctly compute locations in large files,
including fixes for both LC_ENTER and LC_LEAVE to ensure accurate
line number resolution in rare edge cases.
https://gcc.gnu.org/cgit/gcc/commit/?id=edf745dc519ddbfef127e2789bf11bfbacd300b7
(From OE-Core rev: bc868507927fb21637e0ed63bb7ac86d69998d42)
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
