Pick commit referencing this MR which was merged to master.
Note that this commit also patched CVE-2025-1632 in bsdunzip, however
that utility was introduced only in 3.7.0, so that part is not
applicable in kirkstone.
(From OE-Core rev: ec837d3b21b4f8b98abac53e2833f1490ba6bf1e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As we just match on product by default, ignore three CVEs which are
for the "Puzzles" WordPress theme by ThemeREX (CPE themerex:puzzles).
(From OE-Core rev: 87326573c82ac1e8dc335319442236ef2341501e)
(From OE-Core rev: 48791ba2329ee930285e5ed8eff0f2535c70bec7)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adapted to different kirkstone CVE_STATUS format.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
file checksums are part of the data checksummed
to generate the task hash. The list of file checksums
was not ordered.
In this commit we make sure the task hash checksum takes
a list of checksum data that is ordered by unique file name
thus guaranteeing reproducibility.
(Bitbake rev: da5f41996687e18b78d9c9845e621d832115aa1e)
Signed-off-by: Paulo Neves <paulo@myneves.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Starting from 2023d version, tzcode makefile does not use anymore "cc"
variable for C compiler, due to Makefile refactoring.
Replacing "cc" with "CC" fixes the issue.
(From OE-Core rev: 0216c229d5c60d0023b0a7d6e8ee41bdfa16f8ef)
Signed-off-by: Alessio Cascone <alessio.cascone@vimar.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b3cdfca5ef84ed2054faef9abddef3aeed930e17)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* Noteworthy changes in release 4.20.0 (2025-02-01) [stable]
- The release tarball is now reproducible.
- We publish a minimal source-only tarball generated by 'git archive'.
- Update gnulib files and various build/maintenance fixes.
- Fix CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or SET
OF elements
License-Update: file COPYING.LESSER renamed to COPYING.LESSERv2 & Copyright year updated to 2025
(From OE-Core rev: 0ff5d08053d92eeae5b2a23f8e0d7a280488723c)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This was removed in 2019, so swap it for poky-altcfg.
(From yocto-docs rev: 9b4c36f7b02dd4bedfec90206744a1e90e37733c)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 7f7f6570befdda280c174a5f9776b20f53f3ea0d)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
core-image-lsb was removed in 2019[1], so remove all of the incredibly
obsolete references in the documentation.
[1] oe-core fb064356af615d67d85b65942103bf943d84d290
(From yocto-docs rev: 6001f1baa513566639abee86376dc72748f3cd34)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 062445a49919eff117b5478c1fb18d125c1f895c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Building weston with core-image-weston SDK fails:
```
../libweston/renderer-gl/gl-shader-config-color-transformation.c:29:10: fatal error: GLES3/gl3.h: No such file or directory
29 | #include <GLES3/gl3.h>
| ^~~~~~~~~~~~~
```
Both GLES2 and GLES3 implementations are contained in libGLESv2.so.2,
which is packaged in libgles2-mesa. However, the headers are split
between libgles2-mesa-dev and libgles3-mesa-dev, which is why the
GLES3 headers end up missing in the SDK sysroot.
Add a dependency so the GLES3 headers are properly associated with
the GLES3 implementation.
(From OE-Core rev: 7e1308ec413e69a8427ac5998431005d9e4b8033)
(From OE-Core rev: 0d9f2fcc2058407eb138297d9f8f12595851b963)
Signed-off-by: Tom Hochstein <tom.hochstein@oss.nxp.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: ba1d14f8ef
(From OE-Core rev: 2158a34839068b878344d214d3fc9feeb17e504a)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: 3e77295f88
(From OE-Core rev: 3575ad718c8ea7d808247842df19982f00725187)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: 96798fc196
(From OE-Core rev: 4e41b1c8cccd3b2f359ee949cad402b9418f5983)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The patches are copied from xserver-xorg recipe.
CVE reported for both and patches apply on both.
Upstream-Commit:
bc1fdbe465
& 26769aa71f
(From OE-Core rev: 77487fb0756951e29628f41ff00db12a5f9d7c27)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Patch copied from xserver-xorg recipe.
CVE reported for both and patch apply on both.
Upstream-Commit: 4a5e9b1895
(From OE-Core rev: 4b0f6aaa994eeab5d18211ace8034ec8b92b7419)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This vulnerability has now a CVE assigned.
(From OE-Core rev: 204ff9dd9c62a8a346e89880b2e15a4c0e9ad6e0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update SRC_URI for tzcode.
Update the http to https in SRC_URI to fix the do_fetch issue.
(From OE-Core rev: b663540d143b0e5fcb9ceeec45cde7fe3e68f9bb)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When testing a Yocto SDK installer on Alpine 3.21, we recently ended up with a
broken SDK. One of the commands the relocation script calls in a piped
multi-command chain failed (see [0]), but the installer did not realize that -
since it doesn't use 'set -o pipefail'. Thus, the error was never reported to
the user and the installer claimed to have set up the SDK correctly - which
wasn't the case.
Given that the SDK installer is a POSIX-compliant shell script and that the
'pipefail' option used to be missing from the standard, it's not surprising that
it isn't used. Thankfully however, in June of 2024, a new version of POSIX
(POSIX.1-2024) was released - and that one finally includes the 'pipefail'
option (see [1]). A number of shells already support it, so let's enable it if
available to make the SDK installer more robust.
The change has been tested locally using SDK installers for internal projects,
based on both Kirkstone and Scarthgap.
[0]: https://gitlab.alpinelinux.org/alpine/aports/-/issues/16797
[1]: https://pubs.opengroup.org/onlinepubs/9799919799.2024edition/utilities/V3_chap02.html#set
(From OE-Core rev: 1cb4b41c7faf77fcc347b1276d86d4288968c926)
(From OE-Core rev: 1de469f1ffb1680e3a75da2c3895fb1e4f43859f)
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 10dce263f0)
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update SRC_URI to fix the following error:
WARNING: virglrenderer-native-0.9.1-r0 do_fetch: Failed to fetch URL
git://anongit.freedesktop.org/git/virglrenderer;branch=branch-0.9.1,
attempting MIRRORS if available
(From OE-Core rev: 72450859dd5ee5395b64917516f185a2eed52775)
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Latest stable branch update which includes 396 commits and the full
list of changes can be found at:
https://github.com/systemd/systemd-stable/compare/v250.5...v250.14
All the patches were refreshed with devtool.
Backported this upstreamed patch to resolve the compile error while
building systemd with qemumips machine.
- 0001-core-fix-build-when-seccomp-is-off.patch
These 2 below patches were modified to resolve the merge conflicts
introduced by systemd v250.14 version:
1. 0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch
- This patch was just adjusted based on the systemd v250.14 version.
2. 0001-pass-correct-parameters-to-getdents64.patch
- For this patch, there was a commit reverted as part of the v250.8 tag:
51089e007f
These below 6 patches were dropped as systemd v250.14 already has
the changes:
- 0001-shared-json-allow-json_variant_dump-to-return-an-err.patch
- CVE-2022-3821.patch
- CVE-2022-4415-1.patch
- CVE-2022-4415-2.patch
- CVE-2022-45873.patch
- CVE-2023-7008.patch
(From OE-Core rev: 371d030a665e3c963a586ab02d10f1f36b225435)
Signed-off-by: Narpat Mali <narpat.falna@gmail.com>
Signed-off-by: Randy Macleod <randy.macleod@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The text format has been removed, so also remove references and examples
using this format. Replace with examples with the JSON format.
(From yocto-docs rev: 9798689e4f4b74163c2e8594f3d1ce082d295aa1)
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a52cd7bcadccc53e982f90d6e170d00798322597)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
FFmpeg git master before commit c08d30 was discovered to contain a NULL pointer
dereference via the component libavformat/mov.c.
(From OE-Core rev: 599ee3f195bc66d57797c121fa0b73a901d6edfa)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
