Pick commit mentioning this CVE.
Additionally fix test broken by the CVE fix.
(From OE-Core rev: e348e10f35cc082ebfe22c890c5f64c4a06dcea3)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This change already exists on master, but it was made as part of the
larger migration to ${UNPACKDIR} and is not cherry-pickable.
See: d73595df696 (recipes: Update WORKDIR references to UNPACKDIR)
(From OE-Core rev: 378f87f087651bacdb6efc6b98168bc6ba865070)
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Do not build translations when NLS is disabled.
(From OE-Core rev: 83795ef6c3fa12a863cd20b7ec1a2607606987b6)
This change corresponds to upstream d848b454e6
from master .
Since the systemd version are different between master & scarthgap
applied the patch manually
(From OE-Core rev: 780b902a0fd124420f00ee5e55f4fd362d2d8913)
Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: AshishKumar Mishra <emailaddress.ashish@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Newer snapshots of ncurses have the fixes but they are many needed to get
C23 going. Until next release lets stick with C17 even while GCC 15 switches
to C23 defaults.
For scarthgap also add it in BUILD_CFLAGS.
(From OE-Core rev: 2ee706f58a96f30904ac3d292c0ac532739c91ea)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The code maintainer disputes the CVE as the issue can only be triggered with
untrusted SGML catalogs and it makes absolutely no sense to use untrusted
catalogs.
The issue triggers a crash if an invalid file is provided.
Source: https://gitlab.gnome.org/GNOME/libxml2/-/issues/958"
(From OE-Core rev: 348ce728af1cea4f909de5c3597801b5612719e4)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Based on Debian patch for this CVE, pick the same commits as mentioned
in kirkstone for this CVE except those already included in 2022.83.
7f48e75892
(From OE-Core rev: 6d287785611c344aa0c97048c3bfc280b1787ff5)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is a single commit bump containing only CVE fix
$ git log --oneline cff1042cceec3502269947e96cf7023451af22f3..b027d5b145f1b2908f370bdb96dfe40180d0fcb6
b027d5b145 posix: Fix double-free after allocation failure in regcomp (bug 33185)
Test results didn't change except newly added test succeeding.
(tst-regcomp-bracket-free)
(From OE-Core rev: c2b63f171719e2b1c12ba049cbe776adf9e0244b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit referencing this CVE from 2.13 branch.
(From OE-Core rev: 061610dfca8a72b71e1baca3ad4aa2c9fb64449b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A NULL pointer dereference vulnerability was found in libxml2 when processing
XPath XML expressions. This flaw allows an attacker to craft a malicious XML
input to libxml2, leading to a denial of service.
(From OE-Core rev: b144c3ef3ba1797d925ea44d9450a6ec0fe32047)
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport a fix to address the dbus SetNTP response timing issue.
Fix is already available since systemd v256-rc1.
(From OE-Core rev: 4db0483cfd14e31c3e7cc87d538d73275fd51bbf)
Signed-off-by: Michal Seben <michal.seben@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch referencing this CVE.
Note that the hardening is not activated by default, it adds defconfig
option to enable it.
Since it introduces a breaking change, it shouldn't be enabled in LTS
release by default.
This patch makes busybox cpio equivalent in this release to what is
currently in master and in kirkstone.
Also note that gnu cpio also does not have this hardening, but the CVE
is created only against busybox.
(From OE-Core rev: 3f2b235526d135094408e3895c01bff7b5b938fb)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
$ git log --oneline 3463100f2d47f2897a24ba8023a5c7aaf2d26550..06a70769fd0b2e1f2a3085ad50ab620282bd77b3
06a70769fd ppc64le: Revert "powerpc: Optimized strcmp for power10" (CVE-2025-5702)
3875045da5 ppc64le: Revert "powerpc : Add optimized memchr for POWER10" (Bug 33059)
c6240a11f7 ppc64le: Revert "powerpc: Fix performance issues of strcmp power10" (CVE-2025-5702)
2caef2827f elf: Fix subprocess status handling for tst-dlopen-sgid (bug 32987)
9e25c0f445 x86_64: Fix typo in ifunc-impl-list.c.
ca99d55315 elf: Test case for bug 32976 (CVE-2025-4802)
71ddb11ccd support: Add support_record_failure_barrier
abdeb4b520 support: Use const char * argument in support_capture_subprogram_self_sgid
147bed0a71 elf: Keep using minimal malloc after early DTV resize (bug 32412)
4e5ee49a43 sysdeps/unix/sysv/linux/x86_64/Makefile: Add the end marker
37b30b6a68 sysdeps/x86_64/Makefile (tests): Add the end marker
9fe51d34bb sort-makefile-lines.py: Allow '_' in name and "^# name"
14ec225d85 libio: Correctly link tst-popen-fork against libpthread
1dcfb9479d libio: Fix a deadlock after fork in popen
e31ac9a639 libio: Sort test variables in Makefile
68f3f1a1d0 Linux: Switch back to assembly syscall wrapper for prctl (bug 29770)
d33d10642f nptl: PTHREAD_COND_INITIALIZER compatibility with pre-2.41 versions (bug 32786)
b1eb369aee nptl: Use all of g1_start and g_signals
ac5da3c0e4 nptl: rename __condvar_quiesce_and_switch_g1
2fdc0afd07 nptl: Fix indentation
582c99b2c0 nptl: Use a single loop in pthread_cond_wait instaed of a nested loop
fc2a25417d nptl: Remove g_refs from condition variables
6f5ba03968 nptl: Remove unnecessary quadruple check in pthread_cond_wait
d0da34ad30 nptl: Remove unnecessary catch-all-wake in condvar group switch
ea13a35e37 nptl: Update comments and indentation for new condvar implementation
2451ef5c4a pthreads NPTL: lost wakeup fix 2
test results:
Before After Diff
FAIL 207 207 0
PASS 4912 4915 +3
UNSUPPORTED 230 230 0
XFAIL 16 16 0
XPASS 4 4 0
(From OE-Core rev: c94b6686a1edcaa1bea1ff5e716df96da8e36b7c)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The recipe was accidentally renamed with a 'v'
prefix in 29e623b2ad00555788412fa520fbb9ffec794cbb.
(From OE-Core rev: db02a4cc542d0e7e563ec46c91bf9a7313a71d02)
Signed-off-by: Savvas Etairidis <setairidis@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
During ptest execution, util-linux adds mount entries in /etc/fstab
and runs `mount -a`, which mounts all available entries from
/etc/fstab. This can cause unintended mounts that are unrelated to
the test, leading to incorrect test behavior.
To avoid this, upstream util-linux introduced a mechanism using
CUSTOM_FSTAB,which isolates test-specific fstab entries. Only entries
listed in CUSTOM_FSTAB are mounted during test execution, ensuring
tests do not interfere with or depend on the system's /etc/fstab.
This commit backports below upstream changes to use CUSTOM_FSTAB.
ed3d33faffb1580bd7606aa8d17b6b
(From OE-Core rev: e7420db0d77611140149ccfefefc8becfad4f34b)
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If extra-utils package is not included in the image, you'll always
see a warning that password agent is missing whenever you start/stop a
service:
Failed to execute /usr/bin/systemd-tty-ask-password-agent: No such file or directory
(From OE-Core rev: 180455ee76a3819933f45ddd6ce9a5610b3ba947)
Signed-off-by: Vyacheslav Yurkov <uvv.mail@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This recipe takes longer time >20min when bitbake for package
write stage. When cross-verified for longer time duration, found
that do_check() stage taking 20min while other stages completes
before 6min.
This recipe gives only below two test binaries in the packages to
test (ptest: glibc-y2038-tests):
io/ftwtest
io/ftwtest-time64
The above test binaries are already included for testing in recipe
glibc-testsuite_2.39.bb.
It is by now well established that glibc itself works as it should,
that all affected 32 bit targets are configured to use 64 bit time_t,
and that any lingering y2038 issues are in components other than the c
library, and usually come from C programming mistakes (e.g. storing
timestamps in long). So this recipe seems to be redundant and
can be removed.
Review comments for fixing above longer time duration ended up in
removing this recipe as a proposal is below
https://lists.openembedded.org/g/openembedded-core/topic/112188476#msg214636
Removed lines having reference to glibc-y2038-tests in the files.
For master branch requested for integration and below is the link
https://lists.openembedded.org/g/openembedded-core/message/215655
(From OE-Core rev: b214cc84a922f7a3fb7ebbc501189ce25e8bd2bd)
Signed-off-by: rajmohan r <semc.2042@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3463100f2d x86: Detect Intel Diamond Rapids
e09436c2cb x86: Handle unknown Intel processor with default tuning
7620d98186 x86: Add ARL/PTL/CWF model detection support
765ff3d0d4 x86: Optimize xstate size calculation
65ae73be01 x86: Use `Avoid_Non_Temporal_Memset` to control non-temporal path
2be36448c4 x86: Tunables may incorrectly set Prefer_PMINUB_for_stringop (bug 32047)
bde201e92c x86: Disable non-temporal memset on Skylake Server
38a7632f2d x86: Fix value for `x86_memset_non_temporal_threshold` when it is undesirable
cc59fa5dbc x86: Enable non-temporal memset tunable for AMD
0da58e8be0 x86: Add seperate non-temporal tunable for memset
837a36c371 x86: Link tst-gnu2-tls2-x86-noxsave{,c,xsavec} with libpthread
87ab0c7f7f x86: Use separate variable for TLSDESC XSAVE/XSAVEC state size (bug 32810)
60cd7123a6 x86: Skip XSAVE state size reset if ISA level requires XSAVE
4cf3f9df54 x86_64: Add atanh with FMA
01ed435e2e x86_64: Add sinh with FMA
0edcc77fe7 x86_64: Add tanh with FMA
7ecf0d3bde x86-64: Exclude FMA4 IFUNC functions for -mapxf
e1fe22368e nptl: clear the whole rseq area before registration
dd8c0c3bbd math: Improve layout of exp/exp10 data
a1b09e59e2 AArch64: Use prefer_sve_ifuncs for SVE memset
d0e2133470 AArch64: Add SVE memset
0cc12d9c47 math: Improve layout of expf data
0cd10047bf AArch64: Remove zva_128 from memset
dd1e63ab58 AArch64: Optimize memset
65a96a6f2b AArch64: Improve generic strlen
4073e4ee2c AArch64: Improve codegen for SVE logs
78abd3ef6e AArch64: Improve codegen in SVE tans
a10183b633 AArch64: Improve codegen of AdvSIMD atan(2)(f)
dcd1229e5b AArch64: Improve codegen of AdvSIMD logf function family
72156cb90b AArch64: Improve codegen in AdvSIMD logs
5e354bf4e2 AArch64: Simplify rounding-multiply pattern in several AdvSIMD routines
80df456112 aarch64: Avoid redundant MOVs in AdvSIMD F32 logs
d591876303 aarch64: Fix AdvSIMD libmvec routines for big-endian
f6d48470ae assert: Add test for CVE-2025-0395
Testresults:
Before update |After update |Difference
PASS: 5068 |PASS: 5072 |PASS: +4
FAIL: 120 |FAIL: 120 |FAIL: 0
XPASS: 4 |XPASS: 4 |XPASS: 0
XFAIL: 16 |XFAIL: 16 |XFAIL: 0
UNSUPPORTED: 157|UNSUPPORTED: 157|UNSUPPORTED: 0
(From OE-Core rev: f14c2e6a6ba72673a0e30cde48ec1d5573be3e01)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This reverts commit 7adaec468d.
It does not seem to fix the issue it was supposed to fix.
Additionally it breaks code which decides in full/partial update,
because it manipulates timestamp that code is relying on.
(From OE-Core rev: 00dd4901e364d16d96cfab864823a9cfdd336eeb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ebc65fdddd7ce51f0f1008baa30d0ae7918ae0bb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
To adapt user network enviroment, buildtools should first try to use
the user configured envs like SSL_CERT_FILE/CURL_CA_BUNDLE/..., if these
envs is not set, then use the auto-detected ca file and ca path, and
finally use the CA certificates in buildtools.
nativesdk-openssl set OPENSSLDIR as "/not/builtin", need set SSL_CERT_FILE/SSL_CERT_DIR to work
nativesdk-curl don't set default ca file, need
SSL_CERT_FILE/SSL_CERT_DIR or CURL_CA_BUNDLE/CURL_CA_PATH to work
nativesdk-git actually use libcurl, and GIT_SSL_CAPATH/GIT_SSL_CAINFO
also works
nativesdk-python3-requests will use cacert.pem under python module certifi by
default, need to set REQUESTS_CA_BUNDLE
(From OE-Core rev: 0653b96bac6d0800dc5154557706a323418808be)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* make git,curl,python3-requests align with openssl, move the setting of
envvars into respective envfile
* for environment.d-openssl.sh, also check if ca-certificates.crt exist
before export envvars
(From OE-Core rev: 5f4fd544d3df7365224599c9efdce4e545f51d5e)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit from 2.13 branch as 2.12 branch is unmaintained now.
(From OE-Core rev: 2335d4f0d1826647eaee224c469331980fc84ed2)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit which has been backported to 2.12 release branch.
(From OE-Core rev: 187052ce4ddd43b46b8335cc955a63ca19ee6994)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The update includes 82 commits. Full list of changes can be found on Github [1]
All patches were refreshed with devtool.
[1] systemd/systemd-stable@v255.17...v255.18
(From OE-Core rev: 121e1fb42c4c909115bc550585b2ebcb3a13e0a5)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
NVD responses changed to an invalid json between:
* April 5, 2025 at 3:03:44 AM GMT+2
* April 5, 2025 at 4:19:48 AM GMT+2
The last response is since then in format
{
"resultsPerPage": 625,
"startIndex": 288000,
"totalResults": 288625,
"format": "NVD_CVE",
"version": "2.0",
"timestamp": "2025-04-07T07:17:17.534",
"vulnerabilities": [
{...},
...
{...},
]
}
Json does not allow trailing , in responses, that is json5 format.
So cve-update-nvd2-native do_Fetch task fails with log backtrace ending:
...
File: '/builds/ccp/meta-siemens/projects/ccp/../../poky/meta/recipes-core/meta/cve-update-nvd2-native.bb', lineno: 234, function: update_db_file
0230: if raw_data is None:
0231: # We haven't managed to download data
0232: return False
0233:
*** 0234: data = json.loads(raw_data)
0235:
0236: index = data["startIndex"]
0237: total = data["totalResults"]
0238: per_page = data["resultsPerPage"]
...
File: '/usr/lib/python3.11/json/decoder.py', lineno: 355, function: raw_decode
0351: """
0352: try:
0353: obj, end = self.scan_once(s, idx)
0354: except StopIteration as err:
*** 0355: raise JSONDecodeError("Expecting value", s, err.value) from None
0356: return obj, end
Exception: json.decoder.JSONDecodeError: Expecting value: line 1 column 1442633 (char 1442632)
...
There was no announcement about json format of API v2.0 by nvd.
Also this happens only if whole database is queried (database update is
fine, even when multiple pages as queried).
And lastly it's only the cve list, all other lists inside are fine.
So this looks like a bug in NVD 2.0 introduced with some update.
Patch this with simple character deletion for now and let's monitor the
situation and possibly switch to json5 in the future.
Note that there is no native json5 support in python, we'd have to use
one of external libraries for it.
(From OE-Core rev: 4358fdfdd7a8908df98f7c4def2c8c1a6efb7256)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6e526327f5c9e739ac7981e4a43a4ce53a908945)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport https://github.com/libexpat/libexpat/pull/973
Patch created by:
git diff 2fc36833334340ff7ddca374d86daa8744c1dfa3..99529768b4a722f46c69b04b874c1d45b3eb819c
Additional backport (containing changes in tests only) was needed to
apply it cleanly.
Additional backport https://github.com/libexpat/libexpat/pull/989
which has fixed regression of the first fix.
Patch created by:
git diff 91ca72e913af94ed44ef2a80a9dd542be3e5766c..308c31ed647f2c6aebe33ca3a4fa9e1436f461e2
(From OE-Core rev: 3ece58813faaf4e5f66c7b52f736e84615ccfef6)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There is a new CVE which is missing vulnStatus field:
https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2025-2682
This leads to:
File: '<snip>/poky/meta/recipes-core/meta/cve-update-nvd2-native.bb', lineno: 336, function: update_db
0332:
0333: accessVector = None
0334: vectorString = None
0335: cveId = elt['cve']['id']
*** 0336: if elt['cve']['vulnStatus'] == "Rejected":
0337: c = conn.cursor()
0338: c.execute("delete from PRODUCTS where ID = ?;", [cveId])
0339: c.execute("delete from NVD where ID = ?;", [cveId])
0340: c.close()
Exception: KeyError: 'vulnStatus'
(From OE-Core rev: 2f242f2a269bb18aab703f685e27f9c3ba761db8)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The libpcre2 is now dlopen'ed, so it is not automatically added to the
RDEPENDS anymore. Add it to the RRECOMMENDS list (and not RDEPENDS as
systemd tags the library as "suggested").
This issue is not on master, the systemd v257 recipe uses a tool that
systemd provides to get this kind of dependencies. But this cannot be
backported to scarthgap as systemd v255 does not have this tool yet.
Cc: Yoann Congal <yoann.congal@smile.fr>
(From OE-Core rev: 45fc7048c511c433ecc23840fe6fdd61f6366a47)
Signed-off-by: Alexis Cellier <alexis.cellier@smile.fr>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
