Fix an out-of-bounds read triggered by a malicious rsync client
acting as a receiver. The issue can be exploited with read access
to an rsync module.
CVE: CVE-2025-10158
(From OE-Core rev: 110933506d7a1177d1a074866d08fe0b0da612d7)
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This reverts commit e6de433ccb2784581d6c775cce97f414ef9334b1.
This introduced a breaking change which is not suitable for backport to
stable LTS branches.
(From OE-Core rev: 2b3d2b671a149cbeea2bdc9ba42192da2015c3b7)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Introduce new packageconfig to explicitly avoid compilation of
experimental code. Note that the code was not compiled by default also
before this patch, this now makes it explicit and makes it possible to
check for the flags in cve-check code.
This is less intrusive change than a patch removing the code which was
rejected in patch review.
This will solve CVE-2025-59777 and CVE-2025-62689 as the vulnerable code
is not compiled by default.
Set appropriate CVE status for these CVEs based on new packageconfig.
(From OE-Core rev: 9e3c0ae261afb7b9ff9528dbc147fb6c89d5a624)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
SPDX_VERSION is used in DEPLOY_DIR_SPDX but if is not defined,
will default to SPDX-1.1
Define SPDX_VERSION to have the correct deploy path, to align
with master branch behaviour.
The change in path was introduced in 8996d0899d
CC: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
CC: JPEWhacker@gmail.com
(From OE-Core rev: 04cc49593a0ba2c51e4f4d477d4587079735b624)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Due to what looks like a copy'n'paste mistake, the environment setup script
might override 'CURL_CA_BUNDLE' from the host env instead of leaving it
untouched. Fix that.
(cherry picked from commit 545e43a7a45be02fda8fc3af69faa20e889f58c4)
CC: changqing.li@windriver.com
CC: raj.khem@gmail.com
CC: Peter.Marko@siemens.com
(From OE-Core rev: ef198b0c6063ede32cb93fe44eb89937c076a073)
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per NVD report.
Add two patches to apply it cleanly.
(From OE-Core rev: 4e03bed20bceb455cb46dcf9564ad5a8525b207d)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per NVD report.
(From OE-Core rev: e8fbb7521e0113c467e07ba473a46612709c5311)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per NVD report.
(From OE-Core rev: f3bdbd782eed2b597927df489a7d38a22fbba5ed)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per NVD report.
Add two patches to apply it cleanly.
(From OE-Core rev: 285a495b8b0e8fa93a0a0884f466f1adca76a28a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Rootfs VEX file is created by gathering files from CVE_CHECK_DIR
(deploy directory), however recipes generate the files only in
CVE_CHECK_DIR (log directory).
This make the rootfs VEX be always empty without any message.
The code is copied from cve_check class, which writes to both, so let
keep them aligned and make also vex write both files.
Also add a warning for case that a cve file would be still missing.
(From OE-Core rev: 7493eeed6d53bc704f558a0ccf8a0b5195381873)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ee6541d0940c65685aaafd7d41a59a9406392e7d)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If spdx is generated without inheriting cve/vex classes (which is poky
default), only explicitly set CVE_STATUS fields are handled.
Calculated ones (e.g. from CVE_STATUS_GROUPS) are ignored.
Fix this by expanding the CVE_STATUS in spdx classes.
(From OE-Core rev: 23a4e02542252657fa45fd4a605aec0af9178e0b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ead9c6a8770463c21210a57cc5320f44f7754dd3)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The same code for extending CVE_STATUS by CVE_CHECK_IGNORE and
CVE_STATUS_GROUPS is used on multiple places.
Create a library function to have the code on single place and ready for
reuse by additional classes.
Conflicts:
meta/classes/cve-check.bbclass
meta/lib/oe/cve_check.py
(From OE-Core rev: ddd295c7d4c313fbbb24f7a5e633d4adfea4054a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 45e18f4270d084d81c21b1e5a4a601ce975d8a77)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The "vex" class generates the minimum information that is necessary
for VEX generation by an external CVE checking tool. It is a drop-in
replacement of "cve-check". It uses the same variables from recipes
to make the migration and backporting easier.
The goal of this class is to allow generation of the CVE list of
an image or distribution on-demand, including the latest information
from vulnerability databases. Vulnerability data changes every day,
so a status generated at build becomes out-of-date very soon.
Research done for this work shows that the current VEX formats (CSAF
and OpenVEX) do not provide enough information to generate such
rolling information. Instead, we extract the needed data from recipe
annotations (package names, CPEs, versions, CVE patches applied...)
and store for later use in the format that is an extension of the
CVE-check JSON output format.
This output can be then used (separately or with SPDX of the same
build) by an external tool to generate the vulnerability annotation
and VEX statements in standard formats.
When back-porting this feature, the do_generate_vex() had to be modified
to use the "old" get_patched_cves() API.
(From OE-Core rev: 123a60bc19987e99d511b1f515e118022949be7e)
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6352ad93a72e67d6dfa82e870222518a97c426fa)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In scarthgap, the `oe.cve_check.get_patched_cves()` method only returns
CVEs with a "Patched" status. We want to retrieve all annotations,
including those with an "Ignored" status. Therefore, to avoid modifying
the current API, we integrate the logic for retrieving all CVE_STATUS
values directly into `spdx30_task`.
(From OE-Core rev: 9a204670b1c0daedf1ed8ff944f8e5443b39c8f7)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This reverts part of commit 4859cdf97fd9a260036e148e25f0b78eb393df1e.
Modification of meta/classes/create-spdx-2.2.bbclass is not backported,
so no need to consider it.
In the commit, it updates spdx according to bitbake change. But the
bitbake commit
* 2515fbd10 fetch: Drop multiple branch/revision support for single git urls
doesn't backport for scarthgap.
So revert the other parts of the commit 4859cdf97fd9a260036e148e25f0b.
(From OE-Core rev: f3bfb98d1cf928678d9931308c116e9e6ec64ba5)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Currently meson inside eSDKs only works with fully populated eSDKs,
but our testing uses minimal eSDKS, so skip the test if the eSDK is a
minimal build. A bug has been filed to resolve this.
This is minimal change extracted from OE-Core commit which has this only
as a minor comment: 575e0bf52db0467d88af4b5fe467b682f10ca62a
(From OE-Core rev: 7cfacaee1b3319e561036512a849e762d0f68a5e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The tests do not use scp command, so openssh-scp is not needed.
(From OE-Core rev: 4e10e7848cb10307f133f181b41563c995df032a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The test are skipped if architecture contains dash because TARGET_ARCH
contains underscore while package name contains dash. Here the
translation needs to be done.
Note that poky distro default arch has dash:
MACHINE="qemux86-64"
TARGET_ARCH="x86_64"
ERROR: Nothing PROVIDES 'go-cross-canadian-x86_64'. Close matches:
gcc-cross-canadian-x86-64
gdb-cross-canadian-x86-64
go-cross-canadian-x86-64
TRANSLATED_TARGET_ARCH="x86-64"
Quoting meta/classes-recipe/cross-canadian.bbclass:
TRANSLATED_TARGET_ARCH is added into PN
(From OE-Core rev: 82a46b70bfba7c4ce4fd20e2658b182b03e55037)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
extend go runtime test with a simple test file, and simple
go module test to validate go compilation and execution on
target.
(From OE-Core rev: e3b2b9170f76f4bbdc41ea6ba7bccffc17d01968)
(From OE-Core rev: bda3e3711f84394423c15f48fb4e75258fec199a)
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
- Add meta/lib/oeqa/sdk/cases/go.py with GoCompileTest and GoHostCompileTest classes
- Test validates Go cross-compilation toolchain functionality
- Includes native compilation, cross-compilation, and Go module support
- Uses dynamic architecture detection for portability
(From OE-Core rev: 17015f692a6bf3697a89db51bbc4673a5efa1497)
(From OE-Core rev: 506f4e8c99b164673ba7d1c19e10d240f4df0376)
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The default assignments look like this:
TARGET_GO386 = "${@go_map_386(d.getVar('TARGET_ARCH'), d.getVar('TUNE_FEATURES'), d)}"
TUNE_FEATURES is a target-specific variable, and so should be used
only for target builds. The change is similar to what is already done
for native packages.
(From OE-Core rev: cfff8e968257c44880caa3605e158764ed5c6a2a)
(From OE-Core rev: e8d475b9b6d7b1ac3b0cfe367faabc07deb663b0)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a comment explaining what this function does and where the values
come from.
If the architecture isn't know, instead of returning an empty string
which could fail mysteriously, raise a KeyError so it fails quickly.
(From OE-Core rev: 025414c16319b068df1cd757ad9a3c987a6b871d)
(From OE-Core rev: e6de433ccb2784581d6c775cce97f414ef9334b1)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The SDK manifests are generated by listing the sstate was that used, but
it hardcodes that the sstate data filenames end in .tgz.
This has not been the case since sstate switched to Zstd[1] in 2021,
which meant that all of the tests which checked for packages existing
were being skipped as the manifests were empty. For example, see a
representative core-image-sato eSDK test run[2]:
RESULTS - cmake.CMakeTest.test_assimp: SKIPPED (0.00s)
RESULTS - gtk3.GTK3Test.test_galculator: SKIPPED (0.00s)
RESULTS - kmod.KernelModuleTest.test_cryptodev: SKIPPED (0.00s)
RESULTS - maturin.MaturinDevelopTest.test_maturin_develop: SKIPPED (0.00s)
RESULTS - maturin.MaturinTest.test_maturin_list_python: SKIPPED (0.00s)
RESULTS - meson.MesonTest.test_epoxy: SKIPPED (0.00s)
RESULTS - perl.PerlTest.test_perl: SKIPPED (0.00s)
RESULTS - python.Python3Test.test_python3: SKIPPED (0.00s)
All of those tests should have been ran.
Solve this by generalising the filename check so that it doesn't care
what specfic compression algorithm is used.
[1] oe-core 0710e98f40e ("sstate: Switch to ZStandard compressor support")
[2] https://autobuilder.yoctoproject.org/valkyrie/#/builders/16/builds/1517/steps/15/logs/stdio
(From OE-Core rev: 062a525bd36c672f372dabe8d9f0fbe355c7e58b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Following the usage of TEST_SUITES in testimage, add TESTSDK_SUITES to
specify the list of tests to execute. By default the variable is empty,
which means to run all discovered tests.
This makes it easier to work on a single test without having to run all
of the tests.
(From OE-Core rev: 28d437c52c77889b2ede0fc2f2d6777c5b0a553d)
(From OE-Core rev: a93e21419476658f24220193fb0183efeb7a184f)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport a patch that fixes a compilation failure with gcc15:
| .../git/SPIRV/SpvBuilder.h:238:30: error: ‘uint32_t’ has not been declared
| 238 | Id makeDebugLexicalBlock(uint32_t line);
| | ^~~~~~~~
| .../git/SPIRV/SpvBuilder.h:64:1: note: ‘uint32_t’ is defined in header ‘<cstdint>’; this is probably fixable by adding ‘#include <cstdint>’
(From OE-Core rev: cd0039c22d7aa3d6983ac6fe917b648930355849)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If TCLIBC='baremetal' is set in local.conf, nativesdk-libstd-rs build fails
with:
| error[E0412]: cannot find type `c_char` in the crate root
| --> /usr/src/debug/libstd-rs/1.75.0/rustc-1.75.0-src/vendor/libc/src/unix/mod.rs:56:29
| |
| 6 | pub type c_schar = i8;
| | ---------------------- similarly named type alias `c_schar` defined here
| ...
| 56 | pub gr_name: *mut ::c_char,
| | ^^^^^^
This happens because rust_gen_target() sets os="none" when TCLIBC is
'baremetal' - even for nativesdk targets. However, nativesdk packages are
built against glibc, so the correct 'os' value should be "linux".
Fix this by setting the os field based on {TARGET,HOST,BUILD}_OS variables,
as it is already done in rust_base_triple(), instead of relying on TCLIBC.
(From OE-Core rev: 4c3f321304f2aa8b75cb58699b59fea80a23690c)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(master rev: 3eaf2cd5647585a1e6df03fc20e2753da27bb692) -- backport
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was identified in the X.Org X serverâ\x80\x99s X Keyboard
(Xkb) extension where improper bounds checking in the XkbSetCompatMap()
function can cause an unsigned short overflow. If an attacker sends
specially crafted input data, the value calculation may overflow,
leading to memory corruption or a crash.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-62231
Upstream patch:
3baad99f9c
(From OE-Core rev: 97326be553f3fec8fbda63a8b38d18f656425b2c)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was discovered in the X.Org X serverâ\x80\x99s X Keyboard
(Xkb) extension when handling client resource cleanup. The software
frees certain data structures without properly detaching related
resources, leading to a use-after-free condition. This can cause
memory corruption or a crash when affected clients disconnect.
Reference:
3baad99f9c
Upstream patches:
865089ca7087fe255393
(From OE-Core rev: 5d98bca7ca76964a6bf7efb7cf8331b9f518ad00)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the X.Org X server and Xwayland when processing
X11 Present extension notifications. Improper error handling during
notification creation can leave dangling pointers that lead to a
use-after-free condition. This can cause memory corruption or a crash,
potentially allowing an attacker to execute arbitrary code or cause a
denial of service.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-62229
Upstream patch:
5a4286b13f
(From OE-Core rev: 3d606cc94e5ce42b836878578fa271a72bc76015)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
>From https://lists.x.org/archives/xorg-announce/2025-October/003635.html:
1) CVE-2025-62229: Use-after-free in XPresentNotify structures creation
Using the X11 Present extension, when processing and adding the
notifications after presenting a pixmap, if an error occurs, a dangling
pointer may be left in the error code path of the function causing a
use-after-free when eventually destroying the notification structures
later.
Introduced in: Xorg 1.15
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b1
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
2) CVE-2025-62230: Use-after-free in Xkb client resource removal
When removing the Xkb resources for a client, the function
XkbRemoveResourceClient() will free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
triggers a use-after-free.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/99790a2chttps://gitlab.freedesktop.org/xorg/xserver/-/commit/10c94238
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
3) CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap()
The XkbCompatMap structure stores some of its values using an unsigned
short, but fails to check whether the sum of the input data might
overflow the maximum unsigned short value.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/475d9f49
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
(From OE-Core rev: 50b9c34ba932761fab9035a54e58466d72b097bf)
(From OE-Core rev: f5a10c4950ccb5570c72eb0a09618b7b3523bc39)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit fixes commit 08595b39b46ef2bf3a928d4528292ee31a990c98
which adapts vex creation between function create_spdx where all changes
were backported and funtion get_patched_cves where changes were not
backported.
CVE patches were previously ignored as they cannot be decoded from
CVE_STATUS variables and each caused a warning like:
WARNING: ncurses-native-6.4-r0 do_create_spdx: Skipping CVE-2023-50495 — missing or unknown CVE status
Master branch uses fix-file-included for CVE patches however since
cve-check-map.conf was not part of spdx-3.0 backport, closest one
available (backported-patch) was implemented.
(From OE-Core rev: 8d14b2bb02861612130f02c445392f34090ba5d9)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When combining an SPDX document, the package list might be empty (e.g.
a baremetal image). Handle this case instead of erroring out
(From OE-Core rev: 1f7326799c33d2a734c58d360773b87d7b86b0ec)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
