We're seeing occasional autobuilder failures with tar issues related to openat2.
It appears there are definitions missing on debian 11 and opensuse 15.5 systems
which mean the openat2 syscall intercept isn't compiled in. This then triggers
on systems using the openat2 syscall, such as alma9 where it is used in a tar
CVE fix.
This updates to include the fix from upstream pseudo (along with a compile warning
fix).
This was tested by taking sstate for pseudo-native from a debian 11 system and using
it in a build of "bitbake nativesdk-git -c install" on an alma9 system where that task
failed. After this fix, it completes.
(From OE-Core rev: 2759db87db7529d60a5b2344dc1db7720e3518d6)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c20c05b324e5d6564c8554381019170839509bb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Pulls in the following changes:
Makefile.in: Bump version to 1.9.3
configure: Minor code quality changes
pseudo: code quality scan - resolved various potential issues
makewrappers: improve error handling and robustness
Update COPYRIGHT files
ports/linux/pseudo_wrappers.c: Call the wrappers where possible
ports/linux/pseudo_wrappers.c: Workaround compile error on Debian 11
ports/linux/pseudo_wrappers.c: Reorder the syscall operations
ports/unix/guts/realpath.c: Fix indents
pseudo_util.c: Skip realpath like expansion for /proc on Linux
test/test-proc-pipe.sh: Add test case for proc pipes
ports/unix/guts/realpath.c: realpath fails if the resolved path doesn't exist
(From OE-Core rev: 322ce7900cf25f3a8d96a75360af56815e32ad7e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 524f4bbb11f9c7e0126e8bd46af217b452d48f5e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Pick patch for this CVE merged into 3.10 branch.
(From OE-Core rev: 8888cd14eb102574d530b6c683ce5beaad1aaa39)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Pick patch from 3.12 branch per NVD report.
(From OE-Core rev: cfbac1d5edae4b0204ec4c01b5f710d100ceb2ad)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The pseudo update was causing hangs in builds, pull in the fix.
(From OE-Core rev: e514b1ac74ae8a69b15e3459cb3b327a35cabff8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8acdbefd0a148c8b7713f46066ae8489984c5d2d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Pulls in the following fixes:
* makewrappers: Enable a new efault option
* ports/linux/openat2: Add dummy wrapper
* test-syscall: Add a syscall test
* ports/linux/pseudo_wrappers: Avoid openat2 usage via syscall
which should fix issues with the tar CVE fix on Centos/Alma/Rocky 9 distros
that uses openat2 as well as the efault issue breaking rust based uutils.
(From OE-Core rev: edc8c8e0ae511b03cb9d0501d472bb42fbea2c8b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 51f1388dd1679a28ec3ca468cf16aa0ea32bccf9)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Where a task (such as do_package) runs under fakeroot, the corresponding
setscene task (do_package_setscene) will also run under fakeroot when
restoring from sstate. Assuming pseudo is used as the fakeroot
implementation, we need pseudo-native and all its runtime dependencies
to be available in the sysroot before running any setscene tasks under
fakeroot.
We already add a hard dependency from all do_package_setscene tasks to
virtual/fakeroot-native:do_populate_sysroot in base.bbclass, but this
does not cover transitive dependencies. So, extend the dependencies of
pseudo-native:do_populate_sysroot_setscene to ensure that the sqlite3
library is also available in the sysroot before running fakeroot
setscene tasks.
[YOCTO #15963]
(From OE-Core rev: e3c07672d22343cd7ac68cb84716b05ec7cd438b)
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c146ca657440550e00bc5e53d13502ef7aa945b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Line directives ("//line") can be used to bypass the restrictions on
"//go:cgo_" directives, allowing blocked linker and compiler flags to
be passed during compilation. This can result in unexpected execution
of arbitrary code when running "go build". The line directive requires
the absolute path of the file in which the directive lives, which makes
exploiting this issue significantly more complex.
Made below changes for Go 1.17 backport:
- drop the modifications of test codes
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39323
Upstream-patch:
e7c142a19d
(From OE-Core rev: 62f4c3aec8f80a259472ce19104596d08741c101)
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2025-10158:
A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-10158]
Upstream patch:
[797e17fc4a]
(From OE-Core rev: fe4bea86b27551edbe7440ff47041b6d45b2f4e1)
Signed-off-by: Liyin Zhang <liyin.zhang.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The branch was renamed from master to main.
(From OE-Core rev: 80c7fd87fd95a79c6eb5f41b95cf70ccc70d9615)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The Reader.ReadResponse function constructs a response string through repeated
string concatenation of lines. When the number of lines in a response is large,
this can cause excessive CPU consumption.
(From OE-Core rev: 188dbac037809d6e8f0e1667f563fea997ea04b8)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The processing time for parsing some invalid inputs scales non-linearly with
respect to the size of the input. This affects programs which parse untrusted PEM inputs.
(From OE-Core rev: cfafebef95330e531ab7bb590e5fb566dd5a3dce)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled
information (the ALPN protocols sent by the client) which is not escaped.
(From OE-Core rev: b3f055df67cf345c9a17c5c1c874c778d538ba9e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Due to the design of the name constraint checking algorithm, the processing time
of some inputs scales non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.
(From OE-Core rev: cea9fcf1b21b1b35b88986b676d712ab8ffa9d67)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS
vulnerabilities when it parses an XML that has many specific characters
such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later
includes the patches to fix these vulnerabilities.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41123
Upstream-patches:
2c39c91a654444a04eceebc3e85bfa6cac15d458e2546e6eca
(From OE-Core rev: 6b2a2e689a69deef6098f6c266542234e46fb24b)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a
denial of service vulnerability when it parses an XML that has many
`<`s in an attribute value. Those who need to parse untrusted XMLs
may be impacted by this vulnerability. The REXML gem 3.2.7 or later
includes the patch to fix this vulnerability. As a workaround, don't
parse untrusted XMLs.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-35176
Upstream-patch:
4325835f92
(From OE-Core rev: a89fcaf0c3ac2afd95e836bc1356832296135696)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability, which was classified as problematic, has been found in GNU elfutils
0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the
component eu-strip. The manipulation leads to denial of service. The attack needs to
be approached locally. The exploit has been disclosed to the public and may be used.
The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is
recommended to apply a patch to fix this issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-1377
Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=commit;h=fbf1df9ca286de3323ae541973b08449f8d03aba
(From OE-Core rev: e4e8392e688ceb0d8e68fe48118383c031178b5e)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability classified as problematic was found in GNU elfutils 0.192. This
vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c
of the component eu-strip. The manipulation leads to denial of service. It is
possible to launch the attack on the local host. The complexity of an attack is
rather high. The exploitation appears to be difficult. The exploit has been
disclosed to the public and may be used. The name of the patch is
b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to
fix this issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-1376
Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918
(From OE-Core rev: 1126e5c1e63b876499c78ac403d1327645edf1c7)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Ignore CVE-2024-43402 as it's not applicable.
CVEs are specific to Microsoft Windows.
(From OE-Core rev: 3044ae9e6e84faada8c1425238e9e9c3060b1a3a)
Signed-off-by: Saquib Iltaf <saquib.iltaf@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE: CVE-2025-8225
It is possible with fuzzed files to have num_debug_info_entries zero
after allocating space for debug_information, leading to multiple
allocations.
* dwarf.c (process_debug_info): Don't test num_debug_info_entries
to determine whether debug_information has been allocated,
test alloc_num_debug_info_entries.
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4]
(From OE-Core rev: 9b5bb098b542a43a7aa97cc376c358f0a38778e3)
Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Drop upstreamed patch and refresh remaining patches.
Release information:
* https://www.python.org/downloads/release/python-31019/
* The release you're looking at is Python 3.10.19, a security bugfix
release for the legacy 3.10 series.
Handles CVE-2025-59375, CVE-2025-47273 and CVE-2024-6345.
(From OE-Core rev: 9b3dbd691f6ebdbdfe88cef3d3a676ddd1399c63)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per [1].
(From OE-Core rev: bebd1b24473e3480ae6c4ae2897fbfdf4942ea11)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>