This version of libcomps does wrong pointer assignment, and on GCC14
hosts (e.g. Fedora 41), this fails to build with:
| build/tmp-glibc/work/x86_64-linux/libcomps-native/0.1.18-r0/git/libcomps/tests/check_parse.c:588:11: error: assignment to ‘COMPS_DocGroup *’ from incompatible pointer type ‘COMPS_DocCategory *’ [-Wincompatible-pointer-types]
| 588 | g = (COMPS_DocCategory*)it->comps_obj;
Backport a patch making the assignment correct.
(From OE-Core rev: 1853a4b2e22aaa1e8e7929bb13eaddbdd4542c71)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Update to the 4.0.33 release of the 4.0 series for buildtools
(From OE-Core rev: a082e65235520a888c1413d33f08c9966f3e0e43)
Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic22@pm.me>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
In gentoo the file looks like this:
NAME='Gentoo'
ID='gentoo'
PRETTY_NAME='Gentoo Linux'
VERSION='2.18'
VERSION_ID='2.18'
HOME_URL='https://www.gentoo.org/'
SUPPORT_URL='https://www.gentoo.org/support/'
BUG_REPORT_URL='https://bugs.gentoo.org/'
ANSI_COLOR='1;32'
' were added with:
2f590e35c9
before that the os-release file looked like this:
NAME=Gentoo
ID=gentoo
PRETTY_NAME="Gentoo Linux"
ANSI_COLOR="1;32"
HOME_URL="https://www.gentoo.org/"
SUPPORT_URL="https://www.gentoo.org/support/"
BUG_REPORT_URL="https://bugs.gentoo.org/"
VERSION_ID="2.18"
The ' is stripped from the ID later in distro_identifier with:
# Filter out any non-alphanumerics and convert to lowercase
distro_id = re.sub(r'\W', '', distro_id).lower()
but not from version which results in a weird NATIVELSBSTRING like:
NATIVELSBSTRING = "gentoo-'2.18'"
And similarly the directory name in sstate-cache:
oe-core $ ls -d sstate-cache/gentoo-*
"sstate-cache/gentoo-'2.18'" sstate-cache/gentoo-2.18
(From OE-Core rev: 5786749670fc1fa17e32b9eed286630739ddbc16)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
It was added by original commit for CVE-2025-6020-01.patch
475bd60c55 (diff-05f443e6acbe32a148a45648148739bf6f02f13acc5c20c6037bf933223d4d77)
but removed here in the rebase, causing:
../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:11: error: call to undeclared function 'dirname'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
326 | parent = dirname(buf);
| ^
../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:9: error: incompatible integer to pointer conversion assigning to 'char*' from 'int' [-Wint-conversion]
326 | parent = dirname(buf);
| ^ ~~~~~~~~~~~~
Backport 6d88a28ac7b6ff61808eb46e5c85dabd17c77f2e from scarthgap.
It's reproducible with clang-18 from kirkstone-clang18 branch of
meta-clang.
(From OE-Core rev: 6888cb09ad069cd937ac4498640fdd5bed2e7a51)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Pick up "Mitigated by" patch from Debian security tracker.
[0]: https://security-tracker.debian.org/tracker/CVE-2024-10963
patch[1] which fixes this vulnerability as mentioned in Debian report.
[1] 940747f88c
(From OE-Core rev: 5a9c3998d4924360e0c6a967adfc4b7628a6fa4e)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
[YC: Debian security tracker: "The vulnerable code was introduced in
1.5.3" but the vulnerable code was backported in commit 399d4986a7
(libpam: fix CVE-2022-28321, 2022-10-28)]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Backport 2 patchs to fix incompatible-pointer-types error when building
gtk+3-native on Fedora 41 host:
tests/testinput.c:197:79: error: passing argument 1 of ‘gdk_event_get_source_device’ from incompatible pointer type [-Wincompatible-pointer-types]
gtk/gtklabel.c:4235:32: error: passing argument 1 of ‘gtk_widget_queue_resize’ from incompatible pointer type [-Wincompatible-pointer-types]
On autobuilder: fedora41-vk-1:~$ gcc --version
gcc (GCC) 14.3.1 20251022 (Red Hat 14.3.1-4)
GCC 14 notoriously restricted how pointer types are converted:
https://gcc.gnu.org/gcc-14/porting_to.html#incompatible-pointer-types
Suggested-by: Fabien Thomas <fabien.thomas@smile.fr>
(From OE-Core rev: 99c8e2def939f0801a67fb8384c57d08732dd020)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Gitlab issues for these two CVEs mentioned in NVD inks lead to the same
merge request.
(From OE-Core rev: 5c1ca090597aefa55f23ce714409137461dd7dab)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Backport the fix for CVE-2025-6199
Add below patch to fix
CVE-2025-6199.patch
Reference: In Ubuntu and debian, fixed patch is given -> [c4986342b2]
(From OE-Core rev: 214b7bc0d2325ab1f8a5c567abd2851c07f45942)
Signed-off-by: Shaik Moin <moins@kpit.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
[YC: removed the extra ".patch" in patches Backport URL]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Pick patch mentioned in NVD report.
It also includes CVE ID in commit message.
Use older SNDERR funtion as new one is not yet available.
This was copied from Debian patch.
(From OE-Core rev: 2bcdcd8471d9769eaf9304809d9b8e0893cae8e0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
We have a new SVG figure for the Yocto Project workflow figure, which
was updated with d2aaf54bee49 ("overview-manual: convert
YP-flow-diagram.png to SVG"). The one in the "What I wish I’d known
about Yocto Project" is the same. Remove the PNG and make a reference to
the new one.
(From yocto-docs rev: 7c348dd67cfd169b1a56bf969606b03dccb76c56)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 4023c47cb6628971b0a142067c4a910420408bb9)
[Antonin Godard: fix conflicts]
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Some distros were removed from the autobuilder 5 months ago:
* 070e6bf (config.py: Drop ubuntu2004 workers, 2025-10-01)
* 8238327 (config.py: ubuntu24010 was replaced with ubuntu2504, 2025-10-01)
Update their status in the supported distros list.
(From yocto-docs rev: cca4e1c6127f06d63124c67a14a8921dbb3a5409)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 2c9de0d74659fef6d7b0054dfd76905fba6ef81d)
[AG: fix cherry-pick conflicts]
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Commit f5b980ad added CVE-2024-42040.patch to the base U-Boot
SRC_URI in u-boot-common.inc as opposed to adding it in the
u-boot recipe where all the other patch additions are. This
breaks at least one downstream BSP that reuses u-boot-common.inc
(meta-sifive), so move that patch addition to the recipe file
with all the others.
(From OE-Core rev: 5db1bffe13ec881b7fa4ebf4ed30493e8714d7f2)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Patch [1] linked in NVD report fixes issue in cache code introduced only
in v6.0.0 (as can be seen in tags containind that commit).
[1] 1265ff8d99
[2] 7a004a7ac2
(From OE-Core rev: 1d7c87fa2e499927cb6a26e4b2ad99e6127b6e33)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
We're seeing occasional autobuilder failures with tar issues related to openat2.
It appears there are definitions missing on debian 11 and opensuse 15.5 systems
which mean the openat2 syscall intercept isn't compiled in. This then triggers
on systems using the openat2 syscall, such as alma9 where it is used in a tar
CVE fix.
This updates to include the fix from upstream pseudo (along with a compile warning
fix).
This was tested by taking sstate for pseudo-native from a debian 11 system and using
it in a build of "bitbake nativesdk-git -c install" on a alma9 system where that task
failed. After this fix, it completes.
(From OE-Core rev: 2759db87db7529d60a5b2344dc1db7720e3518d6)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c20c05b324e5d6564c8554381019170839509bb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Pulls in the following changes:
Makefile.in: Bump version to 1.9.3
configure: Minor code quality changes
pseudo: code quality scan - resolved various potential issues
makewrappers: improve error handling and robustness
Update COPYRIGHT files
ports/linux/pseudo_wrappers.c: Call the wrappers where possible
ports/linux/pseudo_wrappers.c: Workaround compile error on Debian 11
ports/linux/pseudo_wrappers.c: Reorder the syscall operations
ports/unix/guts/realpath.c: Fix indents
pseudo_util.c: Skip realpath like expansion for /proc on Linux
test/test-proc-pipe.sh: Add test case for proc pipes
ports/unix/guts/realpath.c: realpath fails if the resolved path doesn't exist
(From OE-Core rev: 322ce7900cf25f3a8d96a75360af56815e32ad7e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 524f4bbb11f9c7e0126e8bd46af217b452d48f5e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This change adds the --no-gpg-sign option to prevent buildhistory
commits from failing due to GPG signing issues. Depending on the setup,
buildhistory may fail to create a commit if the user has the
commit.gpgsign option enabled.
For example, if the user creates a signing key that requires a password,
the commit won't be created and will fail with the following error:
/
|error: Enter passphrase: Load key "/home/<user>/.ssh/id_ed25519":
|incorrect passphrase supplied to decrypt private key?
|fatal: failed to write commit object
\
The bitbake command won't fail, but buildhistory won't have a commit.
Also, the commit may silently fail when building inside a container due
to missing packages or issues with accessing the GPG agent.
This is similar to [1], and signing the buildhistory commit
should be avoided to prevent such issues.
1 - https://git.openembedded.org/openembedded-core/commit/?id=7595a0a63a933af9dd9d1e458dc34a4ba80d9eae
(From OE-Core rev: 5294d15737e176ee96d9b590808ded2164386362)
Signed-off-by: Fabio Berton <fabio.berton@ctw.bmwgroup.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a5e18714aee52db898aaf9d222fb5a4168bde96e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
