git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/log
3 weeks ago expect: fix native build with GCC 15
Adrian Freihofer [Wed, 1 Oct 2025 20:58:38 +0000 (22:58 +0200)] 
expect: fix native build with GCC 15

This does not work for native builds:
  CFLAGS += "-std=gnu17"
The line from native.bbclass gets priority:
  CFLAGS = "${BUILD_CFLAGS}"

From bitbake-getvar -r expect-native CFLAGS
  ...
  append ...poky/meta/recipes-devtools/expect/expect_5.45.4.bb:44
     "-std=gnu17"
  set ...poky/meta/classes-recipe/native.bbclass:44
     "${BUILD_CFLAGS}"
  ...

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 weeks ago expect: Fix build with GCC 15
Khem Raj [Wed, 1 Oct 2025 20:58:37 +0000 (22:58 +0200)] 
expect: Fix build with GCC 15

Stick to C17 standard as GCC 15 switches to C23

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 weeks ago expect: cleanup do_install
Ross Burton [Wed, 1 Oct 2025 20:58:36 +0000 (22:58 +0200)] 
expect: cleanup do_install

Clean up the do_install append, and remove a long-standing unused
variable that appears to be intending to not install the scripts but
would have never actually done that as the relevant override since 2008
has been task-install.  As we've been installing the scripts, keep
installing them.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 weeks ago expect: don't run aclocal in do_configure
Ross Burton [Wed, 1 Oct 2025 20:58:35 +0000 (22:58 +0200)] 
expect: don't run aclocal in do_configure

expect has a hand-maintained aclocal.m4 so don't run aclocal, which has the
side effect of not deleting the aclocal.m4 file which pulls in macros.

The build works without this change more through luck and a combination
of behaviours than design.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 weeks ago expect: update code for Tcl channel implementation
Ross Burton [Wed, 1 Oct 2025 20:58:34 +0000 (22:58 +0200)] 
expect: update code for Tcl channel implementation

Tcl 8.4.0 changed the channel implementation, take a patch submitted
upstream to update the code for the new interface and remove the silencing
of the incompatible assignment error which was due to this issue.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 weeks ago expect: Revert "expect-native: fix do_compile failure with gcc-14"
Adrian Freihofer [Wed, 1 Oct 2025 20:58:33 +0000 (22:58 +0200)] 
expect: Revert "expect-native: fix do_compile failure with gcc-14"

In the meantime there is a cleaner fix on the master branch and we also
need to back-port more patches to support gcc-15 as well.

This reverts commit 8bfdb53247c917559e7813c2e1bd2f6eb13c811d which is
not in the master branch as a preparation for cherry-picking the newer
fixes from there.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 weeks ago gstreamer1.0-plugins-bad: Fix CVE-2025-3887
Vijay Anusuri [Tue, 30 Sep 2025 11:57:24 +0000 (17:27 +0530)] 
gstreamer1.0-plugins-bad: Fix CVE-2025-3887

Upstream-Status: Backport from
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5463f0e09768ca90aa8c58357c1f4c645db580db
& https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/bcaab3609805ea10fb3d9ac0c9d947b4c3563948

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 weeks ago tiff: fix CVE-2025-9900
Yogita Urade [Tue, 30 Sep 2025 08:17:48 +0000 (13:47 +0530)] 
tiff: fix CVE-2025-9900

A flaw was found in Libtiff. This vulnerability is a "write-what-where"
condition, triggered when the library processes a specially crafted TIFF
image file. By providing an abnormally large image height value
in the file's metadata, an attacker can trick the library into writing
attacker-controlled color data to an arbitrary memory location. This
memory corruption can be exploited to cause a denial of service (application
crash) or to achieve arbitrary code execution with the permissions of the user.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9900

Upstream patch:
https://gitlab.com/libtiff/libtiff/-/commit/3e0dcf0ec651638b2bd849b2e6f3124b36890d99

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 weeks ago vim: upgrade 9.1.1652 -> 9.1.1683
Divya Chellam [Fri, 26 Sep 2025 11:13:38 +0000 (16:43 +0530)] 
vim: upgrade 9.1.1652 -> 9.1.1683

Handles CVE-2025-9389

Changes between 9.1.1652 -> 9.1.1683
====================================
https://github.com/vim/vim/compare/v9.1.1652...v9.1.1683

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 weeks ago util-linux: use ${B} instead of ${WORKDIR}/build, to fix building under devtool
Chris Laplante [Tue, 23 Sep 2025 19:15:21 +0000 (15:15 -0400)] 
util-linux: use ${B} instead of ${WORKDIR}/build, to fix building under devtool

This change already exists on master, but it was made as part of the
larger migration to ${UNPACKDIR} and is not cherry-pickable.

See: d73595df696 (recipes: Update WORKDIR references to UNPACKDIR)

Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 weeks ago examples: genl: fix wrong attribute size
Nitin Wankhade [Tue, 23 Sep 2025 11:50:20 +0000 (17:20 +0530)] 
examples: genl: fix wrong attribute size

This example no longer works on more recent kernels:

genl-family-get
error: Invalid argument

dmesg says:
netlink: 'genl-family-get': attribute type 1 has an invalid length.

Fix this and also zero out the reserved field in the genl header,
while not validated yet for dumps this could change.

Upstream-Status: Backport [https://git.netfilter.org/libmnl/patch/?id=54dea548d796653534645c6e3c8577eaf7d77411]

Reported-by: Divyanshu Rathore <Divyanshu.Rathore@bmwtechworks.in>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 54dea548d796653534645c6e3c8577eaf7d77411)
Signed-off-by: Divyanshu Rathore <divyanshu.rathore@bmwtechworks.in>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 weeks ago p11-kit: backport fix for handle USE_NLS from master
AshishKumar Mishra [Fri, 19 Sep 2025 03:56:15 +0000 (09:26 +0530)] 
p11-kit: backport fix for handle USE_NLS from master

Disable NLS in the build when USE_NLS is off.

(From OE-Core rev: b94798ecd535956ef4565663710ea9a701ff21ed)

This change corresponds to upstream eeb3974472429a99a724f324dc8a63e435741f68
from master.
Since the p11-kit versions are different between master & scarthgap
applied the patch manually

Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: AshishKumar Mishra <emailaddress.ashish@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 weeks ago shared-mime-info: Handle USE_NLS
Philip Lorenz [Fri, 19 Sep 2025 03:57:35 +0000 (09:27 +0530)] 
shared-mime-info: Handle USE_NLS

Skip building of translations when NLS is disabled.

(From OE-Core rev: b58a3f4e9c78522423a94821b7ba7a35eb18f75a)

Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: AshishKumar Mishra <emailaddress.ashish@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 weeks ago systemd: backport fix for handle USE_NLS from master
AshishKumar Mishra [Thu, 18 Sep 2025 15:48:37 +0000 (21:18 +0530)] 
systemd: backport fix for handle USE_NLS from master

Do not build translations when NLS is disabled.
(From OE-Core rev: 83795ef6c3fa12a863cd20b7ec1a2607606987b6)

This change corresponds to upstream d848b454e64ffbd642590b4bbc378619e1547ad3
from master.
Since the systemd versions are different between master & scarthgap
applied the patch manually

Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: AshishKumar Mishra <emailaddress.ashish@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 weeks ago lib/oe/utils: use multiprocessing from bb
Martin Jansa [Tue, 9 Sep 2025 17:17:35 +0000 (19:17 +0200)] 
lib/oe/utils: use multiprocessing from bb

Fixes build with python-3.14

It was added to bitbake in 62be9113d98fccb347c6aa0a10d5c4ee2857f8b6
and oe-core now requires latest bitbake already, so we can use this.

[YOCTO #15858]

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 weeks ago sanity.conf: Update minimum bitbake version to 2.8.1
Martin Jansa [Tue, 9 Sep 2025 17:17:34 +0000 (19:17 +0200)] 
sanity.conf: Update minimum bitbake version to 2.8.1

Needed for multiprocessing module in bb used in the next commit.

It was added to bitbake in 62be9113d98fccb347c6aa0a10d5c4ee2857f8b6
which was backported to 2.8 branch and tagged as 2.8.1

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 weeks ago llvm: fix build with gcc-15
Adrian Freihofer [Fri, 19 Sep 2025 13:50:07 +0000 (15:50 +0200)] 
llvm: fix build with gcc-15

Pick 3 patches from meta-clang's scarthgap branch to fix build with
gcc-15. These patches are already in upstream llvm but not in
18.1.8 release.

Note: the patch 0039-Fix-build-with-GCC-15.patch from meta-clang
is not needed as it targets lldb which we do not build.

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 weeks ago llvm: update from 18.1.6 to 18.1.8
Adrian Freihofer [Fri, 19 Sep 2025 13:50:06 +0000 (15:50 +0200)] 
llvm: update from 18.1.6 to 18.1.8

Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 weeks ago curl: fix CVE-2025-9086
Yogita Urade [Wed, 24 Sep 2025 08:28:45 +0000 (13:58 +0530)] 
curl: fix CVE-2025-9086

1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086

Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
4 weeks ago libxslt: apply patch for CVE-2025-7424
Ross Burton [Fri, 19 Sep 2025 10:43:37 +0000 (03:43 -0700)] 
libxslt: apply patch for CVE-2025-7424

This patch is taken from the upstream bug, and is used by Apple in their
build of WebKit.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
5 weeks ago buildtools-tarball: fix unbound variable issues under 'set -u'
Haixiao Yan [Tue, 16 Sep 2025 13:19:18 +0000 (21:19 +0800)] 
buildtools-tarball: fix unbound variable issues under 'set -u'

When Bash runs with 'set -u' (nounset), accessing an unset variable
directly (e.g. [ -z "$SSL_CERT_FILE" ]) causes a fatal "unbound variable"
error. As a result, the fallback logic to set SSL_CERT_FILE/SSL_CERT_DIR
is never triggered and the script aborts.

The current code assumes these variables may be unset or empty, but does
not guard against 'set -u'. This breaks builds in stricter shell
environments or when users explicitly enable 'set -u'.

Fix this by using parameter expansion with a default value, e.g.
"${SSL_CERT_FILE:-}", so that unset variables are treated as empty
strings. This preserves the intended logic (respect host env first, then
CAFILE/CAPATH, then buildtools defaults) and makes the script robust
under 'set -u'.

Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4d880c2eccd534133a2a4e6579d955605c0956ec)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
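
The failure and the fix described in the buildtools-tarball commit message above, as an added example (not code from the commit or from the buildtools environment script). The function names, the `run_nounset` helper and the `DEFAULT_CAFILE` placeholder are assumptions, and only the file variable is modelled:

```shell
#!/bin/sh
# Added illustration. DEFAULT_CAFILE is a constructed placeholder,
# not the path used by the real buildtools environment script.
DEFAULT_CAFILE="/placeholder/buildtools/ssl/ca-certificates.crt"

# Unguarded form: "$SSL_CERT_FILE" is expanded directly, so under
# 'set -u' the shell aborts here before any fallback can run.
pick_cert_file_unguarded() {
    if [ -z "$SSL_CERT_FILE" ]; then
        if [ -n "$CAFILE" ]; then
            printf '%s\n' "$CAFILE"
        else
            printf '%s\n' "$DEFAULT_CAFILE"
        fi
    else
        printf '%s\n' "$SSL_CERT_FILE"
    fi
}

# Guarded form: "${VAR:-}" expands to an empty string when VAR is unset.
# Order: host SSL_CERT_FILE first, then CAFILE, then the default.
pick_cert_file_guarded() {
    if [ -n "${SSL_CERT_FILE:-}" ]; then
        printf '%s\n' "$SSL_CERT_FILE"
    elif [ -n "${CAFILE:-}" ]; then
        printf '%s\n' "$CAFILE"
    else
        printf '%s\n' "$DEFAULT_CAFILE"
    fi
}

# Run picker $1 in a subshell with nounset enabled. $2 and $3 are
# optional values for SSL_CERT_FILE and CAFILE (empty = leave unset).
run_nounset() {
    (
        unset SSL_CERT_FILE CAFILE
        [ -n "${2:-}" ] && SSL_CERT_FILE=$2
        [ -n "${3:-}" ] && CAFILE=$3
        set -u
        "$1"
    ) 2>/dev/null
}

# Demonstration: the unguarded picker dies, the guarded one falls back.
if run_nounset pick_cert_file_unguarded >/dev/null; then
    echo "unguarded: returned a path"
else
    echo "unguarded: aborted under 'set -u'"
fi
echo "guarded:   $(run_nounset pick_cert_file_guarded)"
```

The abort matters because it leaves the certificate variables unset, so whatever runs next has no configured CA bundle rather than the intended fallback.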
5 weeks ago runqemu: fix special characters bug
Libo Chen [Wed, 6 Aug 2025 02:42:47 +0000 (19:42 -0700)] 
runqemu: fix special characters bug

Fix the bug in runqemu that happens when the file path contains
the specific words such as 'vmlinux', e.g. /home/frank/vmlinux.

runqemu - ERROR - wic doesn't need kernel

Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3c186fe7741adecb0887e36c8a9164a58fc16437)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
5 weeks ago license.py: avoid deprecated ast.Str
Martin Jansa [Tue, 9 Sep 2025 17:17:33 +0000 (19:17 +0200)] 
license.py: avoid deprecated ast.Str

* it's deprecated since python-3.12 and removed in 3.14 causing:

openembedded-core/meta/lib/oe/license.py', lineno: 176, function: visit
     0172:
     0173:        LicenseVisitor.__init__(self)
     0174:
     0175:    def visit(self, node):
 *** 0176:        if isinstance(node, ast.Str):
     0177:            lic = node.s
     0178:
     0179:            if license_ok(self._canonical_license(self._d, lic),
     0180:                    self._dont_want_licenses) == True:
Exception: AttributeError: module 'ast' has no attribute 'Str'

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
5 weeks ago systemtap: Fix task_work_cancel build
Jinfeng Wang [Mon, 8 Sep 2025 02:44:55 +0000 (10:44 +0800)] 
systemtap: Fix task_work_cancel build

Backport a patch to fix:
 107 |         twork = task_work_cancel(task, func);
      |                                        ^~~~
      |                                        |
      |                                        task_work_func_t {aka void (*)(struct callback_head *)}
/work/rad/wrs/wrl-systemtap-demo/qemux86-64-std-23p17/build/tmp-glibc/work/x86_64-linux/systemtap-native/4.8-r0/recipe-sysroot-native/usr/share/systemtap/runtime/stp_task_work.c:107:40: note: expected 'struct callback_head *' but argument is of type 'task_work_func_t' {aka 'void (*)(struct callback_head *)'}
/work/rad/wrs/wrl-systemtap-demo/qemux86-64-std-23p17/build/tmp-glibc/work/x86_64-linux/systemtap-native/4.8-r0/recipe-sysroot-native/usr/share/systemtap/runtime/stp_task_work.c:13:26: error: incompatible types when assigning to type 'struct callback_head *' from type 'bool' {aka '_Bool'}
   13 | #define task_work_cancel (* (task_work_cancel_fn)kallsyms_task_work_cancel)
      |                          ^
/work/rad/wrs/wrl-systemtap-demo/qemux86-64-std-23p17/build/tmp-glibc/work/x86_64-linux/systemtap-native/4.8-r0/recipe-sysroot-native/usr/share/systemtap/runtime/stp_task_work.c:107:17: note: in expansion of macro 'task_work_cancel'
  107 |         twork = task_work_cancel(task, func);
      |                 ^~~~~~~~~~~~~~~~

Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
5 weeks ago cups: Fix for CVE-2025-58060 and CVE-2025-58364
Vijay Anusuri [Wed, 17 Sep 2025 11:26:13 +0000 (16:56 +0530)] 
cups: Fix for CVE-2025-58060 and CVE-2025-58364

Upstream-Status: Backport from
https://github.com/OpenPrinting/cups/commit/595d691075b1d396d2edfaa0a8fd0873a0a1f221
& https://github.com/OpenPrinting/cups/commit/e58cba9d6fceed4242980e51dbd1302cf638ab1d

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
5 weeks ago cups: upgrade 2.4.10 -> 2.4.11
Vijay Anusuri [Wed, 17 Sep 2025 11:26:12 +0000 (16:56 +0530)] 
cups: upgrade 2.4.10 -> 2.4.11

Removed CVE-2024-47175 patches which are fixed by upgrade
system-cups.slice added to FILES

Changelog
==========

v2.4.11

CUPS 2.4.11 brings several bug fixes regarding IPP response validation, processing PPD values, Web UI support (checkbox support, modifying printers) and other fixes.

Detailed list of changes is available in CHANGES.md

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
5 weeks ago grub2: fix CVE-2024-56738
Ross Burton [Wed, 17 Sep 2025 09:43:04 +0000 (02:43 -0700)] 
grub2: fix CVE-2024-56738

Backport an algorithmic change to grub_crypto_memcmp() so that it
completes in constant time and thus isn't susceptible to side-channel
attacks.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 30a1cc225a2bd5d044bf608d863a67df3f9c03be)
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
6 weeks ago wpa-supplicant: fix CVE-2022-37660
Divya Chellam [Tue, 9 Sep 2025 10:12:41 +0000 (15:42 +0530)] 
wpa-supplicant: fix CVE-2022-37660

In hostapd 2.10 and earlier, the PKEX code remains active even after a successful
PKEX association. An attacker that successfully bootstrapped public keys with
another entity using PKEX in the past, will be able to subvert a future bootstrapping
by passively observing public keys, re-using the encrypting element Qi and subtracting
it from the captured message M (X = M - Qi). This will result in the public ephemeral
key X; the only element required to subvert the PKEX association.

CVE-2022-37660-0001, CVE-2022-37660-0002, CVE-2022-37660-0003 and CVE-2022-37660-0004
are dependent commits while CVE-2022-37660-0005 is actual CVE fix.

Reference:
https://security-tracker.debian.org/tracker/CVE-2022-37660

Upstream-patches:
https://git.w1.fi/cgit/hostap/commit/?id=9d3f347a2b14652e767d51142600206a32676b62
https://git.w1.fi/cgit/hostap/commit/?id=80213629981a21825e4688fde1b590e4c4d4bcea
https://git.w1.fi/cgit/hostap/commit/?id=bdcccbc2755dd1a75731496782e02b5435fb9534
https://git.w1.fi/cgit/hostap/commit/?id=d7be749335f2585658cf98c4f0e7d6cd5ac06865
https://git.w1.fi/cgit/hostap/commit/?id=15af83cf1846870873a011ed4d714732f01cd2e4

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
7 weeks ago pulseaudio: Add audio group explicitly
Kyungjik Min [Tue, 2 Sep 2025 06:09:20 +0000 (15:09 +0900)] 
pulseaudio: Add audio group explicitly

Since pulseaudio-server requires the audio group, we explicitly add it.

When using useradd-staticids or not using the default group in
base-passwd, an error will occur because the audio group is not defined.

NOTE: pulseaudio: Performing useradd with [--root
TOPDIR/tmp/work/cortexa72-poky-linux/pulseaudio/17.0/recipe-sysroot
--home-dir /var/run/pulse --gid 998 --groups audio,pulse
--no-create-home --system --shell /bin/false --uid 998 pulse]
useradd: group 'audio' does not exist
ERROR: pulseaudio: useradd command did not succeed.

Signed-off-by: Kyungjik Min <dpmin7@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
7 weeks ago default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue
Deepak Rathore [Fri, 29 Aug 2025 12:50:22 +0000 (05:50 -0700)] 
default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue

The default CONNECTIVITY_CHECK_URIS uses "https://yoctoproject.org/connectivity.html"
which redirects to "https://www.yoctoproject.org/connectivity.html".

Some network configurations with proxies or restricted internet access
don't handle HTTP redirects properly during the sanity check phase,
causing build failures with:

ERROR:  OE-core's config sanity checker detected a potential misconfiguration.
Either fix the cause of this error or at your own risk disable the checker (see sanity.conf).
Following is the list of potential problems / advisories:

Fetcher failure for URL: 'https://yoctoproject.org/connectivity.html'. URL doesn't work.

Updated the default URL to use the final destination directly to avoid
redirect-related connectivity check failures.

Also updated SDK test cases in https.py to use the corrected URL for
consistency.

Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 60cdf960a3560f391babd559737f1afb31fb2c5c)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
7 weeks ago rpm: keep leading `/' from sed operation
Hongxu Jia [Thu, 28 Aug 2025 10:32:10 +0000 (03:32 -0700)] 
rpm: keep leading `/' from sed operation

For /usr/lib/rpm/macros, Yocto explicitly set OECMAKE_FIND_ROOT_PATH_MODE_PROGRAM
= "ONLY" [1][2] to search tools from CMAKE_FIND_ROOT_PATH [5] which locates in
native recipe sysroot or HOSTTOOLS_DIR. If found in native recipe sysroot or
HOSTTOOLS_DIR, the sed operation removed leading `/'

root@qemux86-64:~# vi /usr/lib/rpm/macros
...
%__xz                   usr/bin/xz
%__make                 usr/bin/make
%__zstd                 usr/bin/zstd
%__quilt                usr/bin/quilt
%__patch                usr/bin/patch
...

root@qemux86-64:~# rpm --eval "%{__xz} %{__make} %{__zstd} %{__quilt} %{__patch}"
usr/bin/xz usr/bin/make usr/bin/zstd usr/bin/quilt usr/bin/patch

This commit keeps leading `/' from sed operation, and similar reason for
/usr/lib/cmake/rpm/rpm-targets.cmake

After applying this commit:
root@qemux86-64:~# rpm --eval "%{__xz} %{__make} %{__zstd} %{__quilt} %{__patch}"
/usr/bin/xz /usr/bin/make /usr/bin/zstd /usr/bin/quilt /usr/bin/patch

[1] https://git.openembedded.org/openembedded-core/commit/?id=f4ea12f6635125ee793f4dd801c538c0186f9dc3
[2] https://cmake.org/cmake/help/latest/variable/CMAKE_FIND_ROOT_PATH_MODE_PROGRAM.html

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0d0773879ab9520c475c4a8c930b2e663de0e032)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
7 weeks ago libpam: fix CVE-2024-10963
Stanislav Vovk [Tue, 2 Sep 2025 14:19:16 +0000 (14:19 +0000)] 
libpam: fix CVE-2024-10963

Upstream-Status: Backport from https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628

Signed-off-by: Stanislav Vovk <stanislav.vovk@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
8 weeks ago curl: update CVE_STATUS for CVE-2025-5025
Vrushti Dabhi [Thu, 28 Aug 2025 09:18:06 +0000 (02:18 -0700)] 
curl: update CVE_STATUS for CVE-2025-5025

This CVE applies only when curl is built with wolfSSL support.
Revised CVE_STATUS description to align with CVE details.

Reference: https://github.com/openembedded/openembedded-core/commit/93ae0758ef35

Signed-off-by: Vrushti Dabhi <vdabhi@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
8 weeks ago sudo: remove devtool FIXME comment
Peter Marko [Tue, 26 Aug 2025 16:30:29 +0000 (18:30 +0200)] 
sudo: remove devtool FIXME comment

This comment should not have been merged.
It shows that the license did not change.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
8 weeks ago ruby-ptest : some ptest fixes
Jiaying Song [Wed, 27 Aug 2025 02:38:28 +0000 (10:38 +0800)] 
ruby-ptest : some ptest fixes

- Skip the test_rm_r_no_permissions test under the root user, as
  deletion always succeeds.
- Filter out tests under the -ext- directory in run-ptest. Due to the
  commit [1], the packaging of .so test files under the .ext directory
  was removed. As a result, adjust the test filtering rules to avoid
  test failures caused by missing files.
- Add installation of rdoc.rb and did_you_mean.rb files in
  do_install_ptest to ensure complete test dependencies.
- Add init.rb file to PTEST installation path.

Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago cpio: Pin to use C17 std
Khem Raj [Fri, 22 Aug 2025 07:40:36 +0000 (09:40 +0200)] 
cpio: Pin to use C17 std

Fixes build with GCC-15 which is defaulting to C23

For scarthgap also add it in BUILD_CFLAGS.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago yocto-uninative: Update to 4.9 for glibc 2.42
Michael Halstead [Thu, 21 Aug 2025 22:43:09 +0000 (00:43 +0200)] 
yocto-uninative: Update to 4.9 for glibc 2.42

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago yocto-uninative: Update to 4.8 for GCC 15.1
Michael Halstead [Thu, 21 Aug 2025 22:43:08 +0000 (00:43 +0200)] 
yocto-uninative: Update to 4.8 for GCC 15.1

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago dbus-glib: fix build with gcc-15
Martin Jansa [Thu, 21 Aug 2025 22:43:07 +0000 (00:43 +0200)] 
dbus-glib: fix build with gcc-15

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago binutils: fix build with gcc-15
Martin Jansa [Thu, 21 Aug 2025 22:43:06 +0000 (00:43 +0200)] 
binutils: fix build with gcc-15

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago elfutils: fix build with gcc-15
Martin Jansa [Thu, 21 Aug 2025 22:43:05 +0000 (00:43 +0200)] 
elfutils: fix build with gcc-15

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago libtirpc: Fix build with gcc-15/C23
Khem Raj [Thu, 21 Aug 2025 22:43:04 +0000 (00:43 +0200)] 
libtirpc: Fix build with gcc-15/C23

Update declarations to allow building with gcc-15 with C23 std
being default now.

Fixes:
error: conflicting types for 'xdr_opaque_auth

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago rust-llvm: fix build with gcc-15
Martin Jansa [Thu, 21 Aug 2025 22:43:03 +0000 (00:43 +0200)] 
rust-llvm: fix build with gcc-15

As in meta-clang for clang-native:
https://github.com/kraj/meta-clang/commit/f915bbfc71f7b58c38607b8407718bd8b5cefa44

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago libgpg-error: fix build with gcc-15
Martin Jansa [Thu, 21 Aug 2025 22:43:02 +0000 (00:43 +0200)] 
libgpg-error: fix build with gcc-15

Backport a fix for native build with gcc-15 on host

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago pkgconfig: fix build with gcc-15
Martin Jansa [Thu, 21 Aug 2025 22:43:01 +0000 (00:43 +0200)] 
pkgconfig: fix build with gcc-15

* on hosts with gcc-15 or whenever glib PACKAGECONFIG isn't enabled
  and pkgconfig uses own old bundled glib

* fixes:
  http://errors.yoctoproject.org/Errors/Details/853015/
../../../git/glib/glib/goption.c:169:14: error: two or more data types in declaration specifiers
  169 |     gboolean bool;
      |              ^~~~
../../../git/glib/glib/goption.c:169:18: warning: declaration does not declare anything
  169 |     gboolean bool;
      |                  ^

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago unifdef: Don't use C23 constexpr keyword
Khem Raj [Thu, 21 Aug 2025 22:43:00 +0000 (00:43 +0200)] 
unifdef: Don't use C23 constexpr keyword

Fixes build with GCC-15

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago gdbm: Use C11 standard
Khem Raj [Thu, 21 Aug 2025 22:42:59 +0000 (00:42 +0200)] 
gdbm: Use C11 standard

GCC15 is switching defaults to C23 and gdbm is not yet ready to
compile using C23 std.

For scarthgap also add it in BUILD_CFLAGS.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago gmp: Fix build with older gcc versions
Khem Raj [Thu, 21 Aug 2025 22:42:58 +0000 (00:42 +0200)] 
gmp: Fix build with older gcc versions

The fix to make this work with GCC15/C23 caused problems with older gcc versions.
Add a fix for that.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago gmp: Fix build with GCC15/C23
Khem Raj [Thu, 21 Aug 2025 22:42:57 +0000 (00:42 +0200)] 
gmp: Fix build with GCC15/C23

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago m4: Stick to C17 standard
Khem Raj [Thu, 21 Aug 2025 22:42:56 +0000 (00:42 +0200)] 
m4: Stick to C17 standard

GCC15 imposes C23 by default and 1.4.19 release has gnulib version which
can not be compiled without errors, while new release of m4 is in progress
we might use C17 until then and use GCC15 to compile it

For scarthgap also add it in BUILD_CFLAGS.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months ago unzip: Fix build with GCC-15
Khem Raj [Thu, 21 Aug 2025 23:04:14 +0000 (01:04 +0200)] 
unzip: Fix build with GCC-15

Add a patch to remove redundant declarations

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agogit: fix build with gcc-15 on host
Martin Jansa [Thu, 21 Aug 2025 10:58:40 +0000 (12:58 +0200)] 
git: fix build with gcc-15 on host

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agocmake: fix build with gcc-15 on host
Martin Jansa [Thu, 21 Aug 2025 10:58:39 +0000 (12:58 +0200)] 
cmake: fix build with gcc-15 on host

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agovim: upgrade 9.1.1198 -> 9.1.1652
Peter Marko [Mon, 25 Aug 2025 19:31:51 +0000 (21:31 +0200)] 
vim: upgrade 9.1.1198 -> 9.1.1652

Handles CVE-2025-53905, CVE-2025-53906, CVE-2025-55157, CVE-2025-55158.

Changes between 9.1.1198 -> 9.1.1652
====================================
https://github.com/vim/vim/compare/v9.1.1198...v9.1.1652

Refresh patches.

Disable newly introduced wayland support (in patch version 1485).
To this belongs also adding recursion in delete command for dir auto
which was newly failing as there is wayland directory inside now.
If someone is interested, this can be probably enabled, but without
additional work it results in compilation error due to function
redefinition conflicts.

(From OE-Core rev: e87d427d928234ef0441f9ce1fe8631fbe471094)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agolibarchive: patch regression of patch for CVE-2025-5918
Peter Marko [Mon, 25 Aug 2025 16:09:52 +0000 (18:09 +0200)] 
libarchive: patch regression of patch for CVE-2025-5918

Picked commit per [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-5918

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agodpkg: patch CVE-2025-6297
Peter Marko [Sun, 24 Aug 2025 20:19:31 +0000 (22:19 +0200)] 
dpkg: patch CVE-2025-6297

Pick commit per [1] from 1.22.x branch.

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6297

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoglib-2.0: patch CVE-2025-6052
Peter Marko [Sun, 24 Aug 2025 19:08:03 +0000 (21:08 +0200)] 
glib-2.0: patch CVE-2025-6052

Pick commit per [1].
Also pick commits from [2] which is referencing this CVE as the original
fix was not complete.

[1] https://security-tracker.debian.org/tracker/CVE-2025-6052
[2] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4681

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoglib-2.0: patch CVE-2025-7039
Peter Marko [Sun, 24 Aug 2025 19:08:02 +0000 (21:08 +0200)] 
glib-2.0: patch CVE-2025-7039

Pick commit per [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-7039

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agogo-binary-native: ignore CVE-2025-0913
Peter Marko [Sun, 24 Aug 2025 14:05:41 +0000 (16:05 +0200)] 
go-binary-native: ignore CVE-2025-0913

This was already done for all other go recipes.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoqemu: set status of CVE-2024-7730 to fixed
Peter Marko [Sun, 24 Aug 2025 14:04:45 +0000 (16:04 +0200)] 
qemu: set status of CVE-2024-7730 to fixed

This was backported to v8.2.7 and also it is mentioned in commit
upgrading qemu in oe-core.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoncurses: Pin to C17 standard
Khem Raj [Thu, 21 Aug 2025 10:58:38 +0000 (12:58 +0200)] 
ncurses: Pin to C17 standard

Newer snapshots of ncurses have the fixes but they are many needed to get
C23 going. Until next release let's stick with C17 even while GCC 15 switches
to C23 defaults.

For scarthgap also add it in BUILD_CFLAGS.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agogo: fix CVE-2025-47907
Praveen Kumar [Tue, 26 Aug 2025 03:57:43 +0000 (09:27 +0530)] 
go: fix CVE-2025-47907

Cancelling a query (e.g. by cancelling the context passed to one of
the query methods) during a call to the Scan method of the returned
Rows can result in unexpected results if other queries are being made
in parallel. This can result in a race condition that may overwrite
the expected results with those of another query, causing the call to
Scan to return either unexpected results from the other query or an
error.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-47907

Upstream-patch:
https://github.com/golang/go/commit/8a924caaf348fdc366bab906424616b2974ad4e9

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoffmpeg: fix CVE-2025-1594
Archana Polampalli [Thu, 21 Aug 2025 06:50:43 +0000 (12:20 +0530)] 
ffmpeg: fix CVE-2025-1594

A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1.
This affects the function ff_aac_search_for_tns of the file libavcodec/aacenc_tns.c
of the component AAC Encoder. The manipulation leads to stack-based buffer overflow.
It is possible to initiate the attack remotely. The exploit has been disclosed to the
public and may be used.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoffmpeg: upgrade 6.1.2 -> 6.1.3
Archana Polampalli [Wed, 20 Aug 2025 06:58:11 +0000 (12:28 +0530)] 
ffmpeg: upgrade 6.1.2 -> 6.1.3

Fixes:
CVE-2023-6604
CVE-2023-6602
CVE-2025-7700

Changelog:
https://github.com/FFmpeg/FFmpeg/blob/n6.1.3/Changelog

Removed the CVE patches which are already fixed with this upgrade

ref:
https://github.com/FFmpeg/FFmpeg/commit/c104119c6b5e00496c5ff14071c85f95c98b7ae5
https://github.com/FFmpeg/FFmpeg/commit/7d79d0a43b5533ff584249332bc1db7fedbab1d2
https://github.com/FFmpeg/FFmpeg/commit/a4b6e37ad5f50454974fa22cc8f19d83cdaff0eb
https://github.com/FFmpeg/FFmpeg/commit/efedc1d1b6aef2481cf613a11992b1dce6320055
https://github.com/FFmpeg/FFmpeg/commit/dcf34f13f516aa0e214384f3185aff306feba01d
https://github.com/FFmpeg/FFmpeg/commit/bed04417b4d38af7a1b477b24ea6e26547e32373
https://github.com/FFmpeg/FFmpeg/commit/b43a12363c1fef0efa7eac15b6b830417656db15
https://github.com/FFmpeg/FFmpeg/commit/e2b20632b8c71a4e174511f8ff6e8342e0c63bd3
https://github.com/FFmpeg/FFmpeg/commit/43f64690ad9df72976bcbd6ea9e41b2542db2464

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agogstreamer1.0-plugins-base: fix CVE-2025-47807
Hitendra Prajapati [Thu, 21 Aug 2025 06:21:49 +0000 (11:51 +0530)] 
gstreamer1.0-plugins-base: fix CVE-2025-47807

Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/9e2238adc1cad1fba5aad23bc8c2a6c2a65794d2

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agogo: fix CVE-2025-4674
Archana Polampalli [Wed, 20 Aug 2025 06:58:12 +0000 (12:28 +0530)] 
go: fix CVE-2025-4674

The go command may execute unexpected commands when operating in untrusted VCS repositories.
This occurs when possibly dangerous VCS configuration is present in repositories.
This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata
for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line,
i.e. via "go get", are not affected.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agobuild-appliance-image: Update to scarthgap head revision
Steve Sakoman [Fri, 22 Aug 2025 13:02:51 +0000 (06:02 -0700)] 
build-appliance-image: Update to scarthgap head revision

Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agobash: use -std=gnu17 also for native CFLAGS
Martin Jansa [Sun, 17 Aug 2025 22:58:16 +0000 (00:58 +0200)] 
bash: use -std=gnu17 also for native CFLAGS

* fixes builds on host with gcc-15:
  http://errors.yoctoproject.org/Errors/Details/853016/

../../bash-5.2.37/builtins/mkbuiltins.c:268:29: error: too many arguments to function ‘xmalloc’; expected 0, have 1
  268 |           error_directory = xmalloc (2 + strlen (argv[arg_index]));
      |                             ^~~~~~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agobash: Stick to C17 std
Khem Raj [Sun, 17 Aug 2025 22:58:15 +0000 (00:58 +0200)] 
bash: Stick to C17 std

GCC 15 defaults to C23 and bash is not yet ready for that
so keep using C17 like GCC 14 for now

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agocairo: fix build with gcc-15 on host
Martin Jansa [Sun, 17 Aug 2025 20:50:33 +0000 (22:50 +0200)] 
cairo: fix build with gcc-15 on host

* backports from 1.18.2 used since:
  https://git.openembedded.org/openembedded-core/commit/?id=070d79c8adec7e0a8862019cf61910a59b18613a

* fixes build on hosts with gcc-15 (e.g. ubuntu-25.10)

../cairo-1.18.0/test/pdiff/pdiff.h:22:13: error: ‘bool’ cannot be defined via ‘typedef’
   22 | typedef int bool;
      |             ^~~~
../cairo-1.18.0/test/pdiff/pdiff.h:22:13: note: ‘bool’ is a keyword with ‘-std=c23’ onwards
../cairo-1.18.0/test/pdiff/pdiff.h:22:1: warning: useless type name in empty declaration
   22 | typedef int bool;
      | ^~~~~~~

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoparted: Fix build with GCC 15
Khem Raj [Sun, 17 Aug 2025 20:50:32 +0000 (22:50 +0200)] 
parted: Fix build with GCC 15

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoe2fsprogs: Fix build failure with gcc 15
Khem Raj [Sun, 17 Aug 2025 20:50:31 +0000 (22:50 +0200)] 
e2fsprogs: Fix build failure with gcc 15

Backport a needed fix

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agolibxml2: ignore CVE-2025-8732
Daniel Turull [Tue, 19 Aug 2025 10:47:24 +0000 (12:47 +0200)] 
libxml2: ignore CVE-2025-8732

The code maintainer disputes the CVE as the issue can only be triggered with
untrusted SGML catalogs and it makes absolutely no sense to use untrusted
catalogs.

The issue triggers a crash if an invalid file is provided.
Source: https://gitlab.gnome.org/GNOME/libxml2/-/issues/958

Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoglib-2.0: ignore CVE-2025-4056
Peter Marko [Mon, 18 Aug 2025 18:10:48 +0000 (20:10 +0200)] 
glib-2.0: ignore CVE-2025-4056

NVD report [1] says:
A flaw was found in GLib. A denial of service on **Windows platforms**
may occur if an application attempts to spawn a program using long
command lines.

The fix [3] (linked from [2]) also changes only files
glib/gspawn-win32-helper.c
glib/gspawn-win32.c

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-4056
[2] https://gitlab.gnome.org/GNOME/glib/-/issues/3668
[3] https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4570

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoxz: ignore CVE-2024-47611
Daniel Turull [Mon, 18 Aug 2025 14:01:02 +0000 (16:01 +0200)] 
xz: ignore CVE-2024-47611

According to the NVD entry, it is only applicable when built
for native Windows (MinGW-w64 or MSVC).

Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agodropbear: patch CVE-2025-47203
Peter Marko [Fri, 15 Aug 2025 20:27:47 +0000 (22:27 +0200)] 
dropbear: patch CVE-2025-47203

Based on Debian patch for this CVE, pick the same commits as mentioned
in kirkstone for this CVE except those already included in 2022.83.

https://salsa.debian.org/debian/dropbear/-/commit/7f48e75892c40cfc6336137d62581d2c4ca7d84c

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agocve-check: Add missing call to exit_if_errors
Philip Lorenz [Fri, 15 Aug 2025 09:53:06 +0000 (11:53 +0200)] 
cve-check: Add missing call to exit_if_errors

check_cves may raise the cve_status_not_in_db QA check. Call
exit_if_errors to make sure that the task is marked as failed when the
check is categorized as an error.

cve_status_not_in_db was in the meantime dropped in OE-Core
452e605b55ad61c08f4af7089a5a9c576ca28f7d so this change is only required
on scarthgap.

Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agogo-helloworld: fix license
Quentin Schulz [Tue, 12 Aug 2025 10:46:05 +0000 (12:46 +0200)] 
go-helloworld: fix license

The example repo doesn't seem to have ever been under MIT to begin with
but rather Apache-2.0. It was then changed to the license used by the
golang project, that is BSD-3-Clause, 2 years ago in commit 00c7068f9d83
("all: update to Go license").

The license file exists in the sources, so use that one instead of
taking it from the OE-Core license directory.

License-Update: Incorrect license is now proper

Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agocmake: Add PACKAGECONFIG option for debugger support
Nikhil R [Mon, 11 Aug 2025 04:58:02 +0000 (10:28 +0530)] 
cmake: Add PACKAGECONFIG option for debugger support

Starting from CMake version 2.27 support for interactive debugging of CMake
scripts and configurations was added. However, by default the `nativesdk-cmake`
is compiled with debugger support turned off.

This change adds debugger support for cmake

(From OE-Core rev: 8acfca456c3502f0d097ba01a2d08f83fb75ab60)

Signed-off-by: Nikhil R <nikhilr5@kpit.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agolibpam: re-add missing libgen include
Martin Jansa [Fri, 1 Aug 2025 10:07:08 +0000 (12:07 +0200)] 
libpam: re-add missing libgen include

It was added by original commit for CVE-2025-6020-01.patch
https://github.com/linux-pam/linux-pam/commit/475bd60c552b98c7eddb3270b0b4196847c0072e#diff-05f443e6acbe32a148a45648148739bf6f02f13acc5c20c6037bf933223d4d77
but removed here in the rebase, causing:

../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:11: error: call to undeclared function 'dirname'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
  326 |         parent = dirname(buf);
      |                  ^
../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:9: error: incompatible integer to pointer conversion assigning to 'char*' from 'int' [-Wint-conversion]
  326 |         parent = dirname(buf);
      |                ^ ~~~~~~~~~~~~

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agogstreamer1.0-plugins-good: fix multiple CVEs
Hitendra Prajapati [Thu, 14 Aug 2025 05:21:20 +0000 (10:51 +0530)] 
gstreamer1.0-plugins-good: fix multiple CVEs

* CVE-2025-47183 - Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/c4d0f4bbd9a8e97f119a4528b9f4662a6b80922c && https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/d76cae74dad89994bfcdad83da6ef1ad69074332
* CVE-2025-47219 - Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b80803943388050cb870c95934fc52feeffb94ac

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agogstreamer1.0-plugins-base: fix CVE-2025-47806
Hitendra Prajapati [Thu, 14 Aug 2025 04:40:00 +0000 (10:10 +0530)] 
gstreamer1.0-plugins-base: fix CVE-2025-47806

Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/da4380c4df0e00f8d0bad569927bfc7ea35ec37d

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agogstreamer1.0-plugins-base: fix CVE-2025-47808
Hitendra Prajapati [Mon, 11 Aug 2025 12:49:24 +0000 (18:19 +0530)] 
gstreamer1.0-plugins-base: fix CVE-2025-47808

Upstream-Status: Backport from https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/6b19f117518a765a25c99d1c4b09f2838a8ed0c9

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agogo: ignore CVE-2025-0913
Peter Marko [Sun, 10 Aug 2025 08:18:46 +0000 (10:18 +0200)] 
go: ignore CVE-2025-0913

This is a problem on the Windows platform only.

Per NVD report [1], CPE has "and" clause
Running on/with
 cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Also linked patch [2] changes Windows files only (and tests).

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-0913
[2] https://go-review.googlesource.com/c/go/+/672396

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agopython3: patch CVE-2025-8194
Peter Marko [Sat, 9 Aug 2025 20:37:21 +0000 (22:37 +0200)] 
python3: patch CVE-2025-8194

Pick commit from 3.12 branch mentioned in NVD report.
https://nvd.nist.gov/vuln/detail/CVE-2025-8194

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoavahi: fix CVE-2024-52615
Zhang Peng [Thu, 31 Jul 2025 06:06:42 +0000 (14:06 +0800)] 
avahi: fix CVE-2024-52615

CVE-2024-52615:
A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area
DNS queries. This issue simplifies attacks where malicious DNS responses are injected.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-52615]
[https://github.com/avahi/avahi/security/advisories/GHSA-x6vp-f33h-h32g]

Upstream patches:
[https://github.com/avahi/avahi/commit/4e2e1ea0908d7e6ad7f38ae04fdcdf2411f8b942]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agolinux-libc-headers: Fix invalid conversion in cn_proc.h
Fabio Berton [Tue, 29 Jul 2025 12:16:52 +0000 (13:16 +0100)] 
linux-libc-headers: Fix invalid conversion in cn_proc.h

Backport 'connector: Fix invalid conversion in cn_proc.h' commit to fix
error:
/
|/usr/include/linux/cn_proc.h: In function 'proc_cn_event
| valid_event(proc_cn_event)':
|/usr/include/linux/cn_proc.h:72:17: error: invalid conversion from
| 'unsigned int' to 'proc_cn_event' [-fpermissive]
|   72 |         ev_type &= PROC_EVENT_ALL;
|      |                 ^
|      |                 |
|      |                 unsigned int
\

Change is already merged in kernel branch linux-6.6.y [1].

1 - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.6.y&id=06e785aeb9ea8a43d0a3967c1ba6e69d758e82d4

Signed-off-by: Fabio Berton <fbberton@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoscripts/install-buildtools: Update to 5.0.11
Aleksandar Nikolic [Thu, 24 Jul 2025 19:53:52 +0000 (21:53 +0200)] 
scripts/install-buildtools: Update to 5.0.11

Update to the 5.0.11 release of the 5.0 series for buildtools

Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoglibc: fix CVE-2025-8058
Peter Marko [Tue, 29 Jul 2025 21:45:52 +0000 (23:45 +0200)] 
glibc: fix CVE-2025-8058

This is a single commit bump containing only CVE fix
$ git log --oneline cff1042cceec3502269947e96cf7023451af22f3..b027d5b145f1b2908f370bdb96dfe40180d0fcb6
b027d5b145 posix: Fix double-free after allocation failure in regcomp (bug 33185)

Test results didn't change except newly added test succeeding.
(tst-regcomp-bracket-free)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agolibxml2: patch CVE-2025-6170
Peter Marko [Mon, 28 Jul 2025 20:19:33 +0000 (22:19 +0200)] 
libxml2: patch CVE-2025-6170

Pick commit referencing this CVE from 2.13 branch.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agoncurses: patch CVE-2025-6141
Peter Marko [Thu, 24 Jul 2025 22:14:21 +0000 (00:14 +0200)] 
ncurses: patch CVE-2025-6141

Pick relevant part of snapshot commit 20250329, see [1].

That has:
add a buffer-limit check in postprocess_termcap (report/testcase by
Yifan Zhang).

[1] https://invisible-island.net/ncurses/NEWS.html#index-t20250329

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agognutls: patch CVE-2025-6395
Peter Marko [Sun, 27 Jul 2025 17:49:19 +0000 (19:49 +0200)] 
gnutls: patch CVE-2025-6395

Pick relevant commit from 3.8.10 release MR [1].

[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agognutls: patch CVE-2025-32990
Peter Marko [Sun, 27 Jul 2025 17:49:18 +0000 (19:49 +0200)] 
gnutls: patch CVE-2025-32990

Pick relevant commit from 3.8.10 release MR [1].

[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agognutls: patch CVE-2025-32988
Peter Marko [Sun, 27 Jul 2025 17:49:17 +0000 (19:49 +0200)] 
gnutls: patch CVE-2025-32988

Pick relevant commit from 3.8.10 release MR [1].

[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agognutls: patch reject zero-length version in certificate request
Peter Marko [Sun, 27 Jul 2025 17:49:16 +0000 (19:49 +0200)] 
gnutls: patch reject zero-length version in certificate request

Pick relevant commit from 3.8.10 release MR [1].
The MR contains reference to undisclosed issue, so any security relevant
patch should be picked.

Binary test file was added as separate file as binary diffs are not
supported.

[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agognutls: patch read buffer overrun in the "pre_shared_key" extension
Peter Marko [Sun, 27 Jul 2025 17:49:15 +0000 (19:49 +0200)] 
gnutls: patch read buffer overrun in the "pre_shared_key" extension

Pick relevant commit from 3.8.10 release MR [1].
The MR contains reference to undisclosed issue, so any security relevant
patch should be picked.

Binary test file was added as separate file as binary diffs are not
supported.

[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2 months agognutls: patch CVE-2025-32989
Peter Marko [Sun, 27 Jul 2025 17:49:14 +0000 (19:49 +0200)] 
gnutls: patch CVE-2025-32989

Pick relevant commit from 3.8.10 release MR [1].

Binary test file was added as separate file as binary diffs are not
supported.

[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 months agomtools: upgrade 4.0.48 -> 4.0.49
Jinfeng Wang [Wed, 23 Jul 2025 03:29:33 +0000 (11:29 +0800)] 
mtools: upgrade 4.0.48 -> 4.0.49

New version includes check for overlong file names, see [1].

[1] https://lists.gnu.org/archive/html/info-mtools/2025-06/msg00005.html

Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(From OE-Core rev: 044c2bceefcc12262cb2421e8f1da5f6c2ed9f72)

Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 months agomtools: upgrade 4.0.47 -> 4.0.48
Wang Mingyu [Wed, 23 Jul 2025 03:29:32 +0000 (11:29 +0800)] 
mtools: upgrade 4.0.47 -> 4.0.48

clang_UNUSED.patch
disable-hardcoded-configs.patch
refreshed for 4.0.48

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 1d5aee7e67cd614073a15b47b832375428865260)

Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
3 months agomtools: upgrade 4.0.46 -> 4.0.47
Richard Purdie [Wed, 23 Jul 2025 03:29:31 +0000 (11:29 +0800)] 
mtools: upgrade 4.0.46 -> 4.0.47

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 14ef270cc003646e6ca97ff3405507f2b9e92736)

Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>