The upstream changed the branch name, moving to archive/ so we need to
update too. Take the opportunity to match the new location too to avoid
the redirect.
We could use a different branch but upstream would probably eventually
rename that too so this may last longer.
(From OE-Core rev: 1e0a64a1890a62e130595f46d93c8d08af9170f5)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 478a645bad150f04dee1b0085c4542c2eefe7007)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When the package is installed directly on the machine (instead of
installing it in the rootfs directly), the postinstall script fails with
the following error:
/usr/sbin/update-ca-certificates: line 75: shift: shift count out of range
The reason is that the "update-ca-certificates" script is executed with
the "--sysroot" argument, and as the sysroot $D is passed. However on the
target system this variable doesn't exist, so the argument is passed without
this mandatory value, and the execution fails.
To avoid this error, check if the $D variable exists, and pass the --sysroot
argument only when it does.
Reported-by: WXbet <Wxbet@proton.me>
(From OE-Core rev: 9a2bd3b6e2e53071a1463d2804d0d4fb17b1814f)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cf39461e97098a1b28693299677888ba7e8bfccf)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
0001-Revert-mozilla-certdata2pem.py-print-a-warning-for-e.patch
0001-update-ca-certificates-don-t-use-Debianisms-in-run-p.patch
refreshed for 20250419
0002-sbin-update-ca-certificates-add-a-sysroot-option.patch
removed since it's included in 20250419
(From OE-Core rev: dd05818a422c8c5be1aef06405d200280b382b91)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e39cc1fb7234bf2b37856296d3c0d10ddf8cae64)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch
was using a non-standard environment variable, and was replaced
with a patch that adds a command line option (and then this
was submitted upstream). ca-certificates recipe was tweaked accordingly,
and nothing else in core or meta-oe is using update-ca-certificates.
Drop default-sysroot.patch as the use case is unclear: sysroot
is explicitly specified in all known invocations of update-ca-certificate,
and if there's a place where it isn't, then update-ca-certificates
will error out trying to write to /etc, and should be fixed to
explicitly specify the sysroot.
(From OE-Core rev: a80185fd72a2be183783b0e464c07f1043d7dd37)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 90d9f0ba674d4fe8e9291f0513c13dff3775c545)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
git repo no longer has tags for recent versions which means
we had missed several of them, and wouldn't be able to get
notifications about any future releases.
(From OE-Core rev: 44c113497c7e3f9f06604e892df1eb717bb3410d)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 81f013fd1312551628701bf36ac62746a2606dbd)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Provide references for how the SRCREV was arrived at for the 20240203
release.
(From OE-Core rev: b1d86653f1485aa56fe8bf050931d5b8657ee499)
Signed-off-by: Theodore A. Roth <troth@openavr.org>
Signed-off-by: Theodore A. Roth <theodore_roth@trimble.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6916cdb0f05f6644edb1e432a9421595abb9f0ca)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The 20240203 version is the same as used in Ubuntu >= 24.04 and Debian
Trixie (testing).
(From OE-Core rev: 63620f034019b3b3585e263bd26b3fadd9a1692e)
Signed-off-by: Theodore A. Roth <troth@openavr.org>
Signed-off-by: Theodore A. Roth <theodore_roth@trimble.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ce19168885a04b0d77e81c1fd1c4262b195a47d4)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The Reader.ReadResponse function constructs a response string through
repeated string concatenation of lines. When the number of lines in a
response is large, this can cause excessive CPU consumption.
(From OE-Core rev: 512c36af3b9d344606b2ebf54bc2f99b88dfea63)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The processing time for parsing some invalid inputs scales non-linearly with
respect to the size of the input. This affects programs which parse untrusted PEM inputs.
(From OE-Core rev: 228e4aa70743b92eaf1abd5526827b34b33f3419)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The Parse function permits values other than IPv6 addresses to be included
in square brackets within the host component of a URL. RFC 3986 permits
IPv6 addresses to be included within the host component, enclosed within
square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames
must not appear within square brackets. Parse did not enforce this requirement.
(From OE-Core rev: c5fc59eb87d0f92ba8596b7848d16d59773582a0)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When Conn.Handshake fails during ALPN negotiation the error contains attacker
controlled information (the ALPN protocols sent by the client) which is not escaped.
(From OE-Core rev: e734cf62f24640d116c901dd97e09ddbb1f0cc4f)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Validating certificate chains which contain DSA public keys can cause
programs to panic, due to a interface cast that assumes they implement
the Equal method. This affects programs which validate arbitrary certificate chains.
(From OE-Core rev: b532fa208d0b102326642a2fba8b17661a14307e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Due to the design of the name constraint checking algorithm, the processing
time of some inputs scals non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.
(From OE-Core rev: ce1626d1f1e232bc6da81e89088d0c0f5f3c52b4)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Parsing a maliciously crafted DER payload could allocate large amounts of memory,
causing memory exhaustion.
(From OE-Core rev: f27acc863ee34b56e2c49dc96ad2b58fb35e2d46)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When recreating the uri in wget's checkstatus method, we only use the
scheme, host and path. This completely strips the query parameters from
the final URI and potentially breaks the checking functionality for
URLs that require query parameters (such as the AZ fetcher with SAS
token).
This bug was resolved on master in
`096301250455e2a83bdd818a56317c62436c9981`.
This patch is adapted to the scarthgap branch.
CC: Steve Sakoman <steve@sakoman.com>
(Bitbake rev: 8dcf084522b9c66a6639b5f117f554fde9b6b45a)
Signed-off-by: Philippe-Alexandre Mathieu <pamathieu@poum.ca>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There is the following warning when executing to bitbake linux-yocto:
bitbake/lib/bb/fetch2/__init__.py:464: DeprecationWarning: 'count' is passed as positional argument
This is because the 4th parameter of re.sub(pattern, repl, string, count=0, flags=0)
is a keyword parameter. We use keyword arguments for parameters that are not positional.
(Bitbake rev: c2a54aceab4c75cea6f8be16fe6d0caed12b32c4)
Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
kernel commit bfb713ea53c7 ("perf tools: Fix arm64 build by generating unistd_64.h")
introduces a new dependency on source files for arm64, specifically
include/uapi/asm-generic.
Build fails with:
[..]/perf/1.0/perf-1.0/scripts/Makefile.asm-headers:33: [...]/perf/1.0/perf-1.0/include/uapi/asm-generic/Kbuild: No such file or directory
make[4]: *** No rule to make target '[...]/perf/1.0/perf-1.0/include/uapi/asm-generic/Kbuild'. Stop.
Add the directory to PERF_SRC.
Fix whitespace error while at it.
(From OE-Core rev: 06d4981313ce67a8d53b1c14be9845b4b5a9f4cf)
Signed-off-by: Yannic Moog <y.moog@phytec.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Passing params as numbers to hwclock is broken in util-linux 2.39.3 due
to wrong pointer handling. So backport the fix from upstream included
since util-linux 2.41.
(From OE-Core rev: 3d8f88906f5560286462eaf55226b872e2805df7)
Signed-off-by: Bastian Krause <bst@pengutronix.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
An error occurred in backport commit
649147913e89cd8f7390cb17cd0be94c9710ffa6. The test file
is empty and has no functionality at all.
(From OE-Core rev: 0539a7869c4a3e28b3e7d0ab93fe07bfb9462d13)
Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick patches as listed in NVD CVE report.
Note that Debian lists one of the patches as introducing the
vulnerability. This is against what the original report [1] says.
Also the commit messages provide hints that the first patch fixes this
issue and second is fixing problem with the first patch.
[1] https://jvn.jp/en/jp/JVN19358384/
(From OE-Core rev: a157719ab349d9393d5a640bb2e45fc2489d5338)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Added by commit e478550c8cd8 ("openssl/fontconfig/bzip2: Use relative
symlinks instead of absolute ones (using a new class)") in OE-Core.
(From yocto-docs rev: a8687e4bb2e822670b6ad110613a12fa02943d3d)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit c0dc554eba7d421023ecc68a70b7a19df38628b0)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Mention the use of USE_NLS, INHIBIT_DEFAULT_DEPS and the cross-canadian
class.
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: b16f19e8004d571e7a6eadfa34983781ba6a7634)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit d877e54f1c85cefc00dd674d60f2db81446bd95a)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Part of bitbake.conf, this variable allowing to enable or disable
translation was undocumented. Add a entry to the glossary.
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: 675b776390c8079deb8f1912dac44b574688a9c7)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 92a55345a56b5038c0344669daaa7a3a99dd0fc0)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Can be used in recipes that want to explicitly skip Ccache support when
the ccache class is enabled.
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
(From yocto-docs rev: e4fb6cd20955046a397b63bfe57f6cb4020b9cbb)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit b1b4adc8d4d9d23ff6fd91bca632bb0f5277e72b)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
- drop references to obsolete tar packaging format
- add references to apt and dpkg utilities for .deb packaging
- add reference to alternative "dnf" .rpm packaging
(From yocto-docs rev: d1331418317576b569ea2b046adf46ec7af8a15a)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit d4374ac86ebe7980908ed905018ccfb773ac666e)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This variable does not apply to the scope of a single recipe, but rather
to the scope of the entire layer.
(From yocto-docs rev: a86f2e5d291b86dbf56aefab08f4d3b0e5529801)
Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit eec26e11adb6e3a9c4f53f825b9a1730c9ddee12)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The current autobuilder cluster is at valkyrie.yocto.io, published files
on autobuilder.yocto.io will be missing or out-of-date.
(From yocto-docs rev: b3b95e590248025d59a7cef311bb0abf207e72fb)
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 9ed06c070e309b52f1dbf8877867dcede79f4cb6)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This CVE is for the tool which is removed in v4.6.0 via [1] and
re-introduced again in v4.7.0 via [2].
[1] eab89a627f
[2] 9ab54a8580
(From OE-Core rev: 1ff4b39374a5b328069a928e7234c3397769dc6f)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE: CVE-2025-8225
It is possible with fuzzed files to have num_debug_info_entries zero
after allocating space for debug_information, leading to multiple
allocations.
* dwarf.c (process_debug_info): Don't test num_debug_info_entries
to determine whether debug_information has been allocated,
test alloc_num_debug_info_entries.
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]
(From OE-Core rev: 7feed679262025b8405488d064e2c546a3ed7a0c)
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Prevent attackers to cause a denial of service (application crash) or
possibly have unspecified other impact when the application processes
untrusted LZ4 frames. For example, LZ4F_createCDict_advanced in
lib/lz4frame.c mishandles NULL checks.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-62813
Upstream patch:
f64efec011
(From OE-Core rev: 0a63e3e120cc6958e2963a3ad510ec7c03f1adae)
Signed-off-by: David Nyström <david.nystrom@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In native/nativesdk builds, sysconfdir refers to a recipe sysroot
directory, which will disappear once the workdir is cleaned up, breaking
libcurl's HTTPS connections.
By simply not setting --with-ca-bundle at all in non-target builds, curl
defaults to the host system's CA certificates, which is desirable anyways
to allow builds in environments that require local CA certificates.
(From OE-Core rev: 4909a46e93ba774c960c3d3c277e2a669af3fea6)
(From OE-Core rev: 0f98fecda8a0436f760e6fd9f3b7eb510e5258b8)
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When building an image including iptable built with the libnftnl
PACKAGECONFIG, one hits
Downloading file:.../oe-rootfs-repo/armv8a/libkmod2 * check_data_file_clashes: Package iptables wants to install file .../rootfs/etc/ethertypes
But that file is already provided by package * netbase
This used to be handled by
0003-Makefile.am-do-not-install-etc-ethertypes.patch, but that patch
got removed with the 1.8.9->1.8.10 upgrade (commit 4616ada82e70).
I think the rationale for dropping the patch was wrong; the commit log
talks about xtables.conf, which is indeed gone from upstream, but said
patch didn't change anything about xtables.conf, it did
-dist_conf_DATA = etc/ethertypes etc/xtables.conf
+dist_conf_DATA = etc/xtables.conf
However, instead of patching iptables to not install ethertypes, and
having to forward-port that patch, it is much simpler to just remove
the file in this do_install:append.
(From OE-Core rev: a970b6c927fb4c04473484f6e4b0a9853c8a5896)
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There is a bug in GStreamer 1.22 that prevents video playback when
some of the v4l2codecs are paired with sinks that do not support
GstVideoMeta. This is the case of the Qt 6.9 sink used by some
of the Qt components.
For example, when the v4l2codecs-vp8dec decoder is paired with
QMediaPlayer, video playback fails to start with the following error:
WARN videodecoder gstvideodecoder.c:4409:gst_video_decoder_negotiate_pool: Subclass failed to decide allocation
ERROR videodecoder gstvideodecoder.c:4635:gst_video_decoder_allocate_output_buffer: Failed to allocate the buffer..
WARN videodecoder gstvideodecoder.c:4409:gst_video_decoder_negotiate_pool: Subclass failed to decide allocation
WARN matroskademux matroska-demux.c:6131:gst_matroska_demux_loop: error: Internal data stream error.
WARN matroskademux matroska-demux.c:6131:gst_matroska_demux_loop: error: streaming stopped, reason not-negotiated (-4)
This problem is already fixed in GStreamer 1.24, so backport the fix.
This fixes the buffer allocation failure for H.264, H.265, and VP8.
CC: Steve Sakoman <steve@sakoman.com>
CC: Anuj Mittal <anuj.mittal@intel.com>
(From OE-Core rev: 1be0de000bb852f1acc9644c1cb702336d7fdd61)
Signed-off-by: Daniel Semkowicz <dse@thaumatec.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability, which was classified as problematic, has been found in GNU elfutils
0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the
component eu-strip. The manipulation leads to denial of service. The attack needs to
be approached locally. The exploit has been disclosed to the public and may be used.
The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is
recommended to apply a patch to fix this issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-1377
Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=fbf1df9ca286de3323ae541973b08449f8d03aba
(From OE-Core rev: ae89d0c2ca49c40429f787577d280b5886f42cc1)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
