Ivan Nestlerode [Mon, 4 May 2026 21:28:43 +0000 (17:28 -0400)]
glibc: Fix recipe bug that disabled stack protector
Fixes [YOCTO #16265]
The glibc recipe is supposed to be building with
--enable-stack-protector=strong, but some CACHED_CONFIGVARS values are
actually breaking this, causing glibc to be built with no stack
protector at all.
Remove these CACHED_CONFIGVARS values so that stack protector support is
detected properly in do_configure and then enabled properly during
do_compile.
Full details are here:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=16265
Signed-off-by: Ivan Nestlerode <ivan.nestlerode@sonos.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 43f0602ede37428f3c35cf665bba934b84355240)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Moritz Haase [Thu, 7 May 2026 05:38:48 +0000 (07:38 +0200)]
devtool: Disable gpg signing when setting up source tree repos
This stops 'devtool modify foo' from failing with an error message like
ERROR: Execution of 'git -c user.name=\"OpenEmbedded\" -c
user.email=\"oe.patch@oe\" commit -q -m "Initial commit from upstream at
version 1.90.0"' failed with exit code 128:
error: cannot run ssh-keygen: No such file or directory
error:
fatal: failed to write commit object
when GPG signing is enabled in the git configuration.
Peter Marko [Tue, 5 May 2026 20:52:01 +0000 (22:52 +0200)]
coreutils: set CVE_PRODUCT
This removes rust uutils coreutils CVEs from reports.
Comparing sbom-cve-check shows that only
CVE-2026-35338..CVE-2026-35381 are removed and all of them contained
reference to uutils.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 5c39687f62e5864ea783cbed497c2eb5387dcf96)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Grub would report an error message in boot stage as below:
"error: no such device: ((hd0,gpt1)/EFI/BOOT)/EFI/BOOT/grub.cfg"
Consequently, the root variable is not set, and the intended protection
against cross-device configuration loading (the purpose of the original 2014 commit)
is lost.
The most robust fix is to use the --hint parameter.
This separates the search target from the device hint, avoiding
fragile string concatenation and supporting both prefixed and
non-prefixed $cmdpath formats.
Martin Jansa [Tue, 28 Apr 2026 07:04:47 +0000 (10:04 +0300)]
ghostscript: fix build with gcc-15 on host
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 02e282f6417274a93c6f01978bf33e2d171297b0)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Fabien Thomas [Thu, 30 Apr 2026 14:34:48 +0000 (16:34 +0200)]
ghostscript: Pin to C17 std
The code defines a custom 'bool' type (as an 'int'), which is incompatible
with C23 in which bool is a keyword, and trying to use <stdbool.h> fails
because 'int' and 'bool' are used interchangeably in the code.
Add the flag to the CC variable, since CFLAGS is used by both the C and C++
compilers, and clang++ is less forgiving when a C-compiler-only option is used
on its command line: it complains about -std=gnu17 and bails out.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 49657089ef215824f8f79a81deb7baf4f27d0030)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
- Keep both the older deprecated debian:apt alias and the active
debian:advanced_package_tool identity in CVE_PRODUCT.
- This preserves completeness and avoids missing CVEs in case older
aliases are still used in NVD records.
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4c777220ee5740b800f4128da79c24f7e42c7b88)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
[FT: Rebase onto scarthgap-next]
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Hongxu Jia [Mon, 5 Jan 2026 06:13:36 +0000 (14:13 +0800)]
ovmf: fix CVE-2024-38798
According to [1],
EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of
Sensitive Information to an Unauthorized Actor” by local access. Successful
exploitation of this vulnerability will lead to possible information disclosure
or escalation of privilege and impact Confidentiality.
Backport a patch [2] from upstream to fix CVE-2024-38798
Hongxu Jia [Mon, 5 Jan 2026 07:20:04 +0000 (15:20 +0800)]
ovmf: fix CVE-2025-2296
According to [1], EDK2 contains a vulnerability in BIOS where an attacker may
cause “Improper Input Validation” by local access. Successful exploitation of
this vulnerability could alter control flow in unexpected ways, potentially
allowing arbitrary command execution and impacting Confidentiality, Integrity,
and Availability.
Backport patches from upstream [2] to fix CVE-2025-2296
Note: backport 0001-AmdSev-Halt-on-failed-blob-allocation.patch to apply
the CVE patches without conflicts
Hongxu Jia [Mon, 5 Jan 2026 07:32:25 +0000 (15:32 +0800)]
u-boot: fix CVE-2025-24857
According to [1], Improper access control for volatile memory containing boot
code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019,
IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker
to execute arbitrary code.
Backport a patch [2] from upstream to fix CVE-2025-24857
Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
dbus: gate user-session PACKAGECONFIG on systemd in DISTRO_FEATURES
On scarthgap images built without systemd in DISTRO_FEATURES, dbus
still shipped dbus.socket and dbus.service under
${systemd_user_unitdir} (/usr/lib/systemd/user), because the
'user-session' PACKAGECONFIG was always enabled and passed
--enable-user-session --with-systemduserunitdir=... to configure.
In dbus-1.14.10 the user-session autoconf option (configure.ac and
bus/Makefile.am 'if DBUS_ENABLE_USER_SESSION') only installs systemd
user units; it has no non-systemd effect. Enabling it on a sysvinit
image has no benefit and produces the stale unit files.
Make user-session a systemd-gated PACKAGECONFIG by using
bb.utils.contains in the default, so it is enabled when systemd is
in DISTRO_FEATURES and disabled otherwise. No changes to the
PACKAGECONFIG[user-session] or PACKAGECONFIG[systemd] entries are
needed: --disable-user-session is passed on sysvinit builds, which
prevents the configure/Makefile machinery from ever setting up the
user-unit install step.
This is the scarthgap equivalent of master commit a296b0623eb2
("dbus: use the systemd class to handle the unit files"), adapted
to the autotools 1.14.10 recipe. The master fix was broader because
the meson 1.16.2 build handles unit-file install differently, which
let that commit drop the manual do_install unit block, the
systemctl mask postinst, and PACKAGE_WRITE_DEPS. On 1.14.10 those
pieces are still needed; the minimal correct gate here is the
user-session default.
Fixes [YOCTO #15779]
Signed-off-by: Jhonata Poma-Hansen <jhonata.poma@gmail.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
Daniel Turull [Thu, 9 Apr 2026 09:29:35 +0000 (11:29 +0200)]
liburcu: upgrade 0.14.0 -> 0.14.2
Changelog for liburcu: 0.14.0 -> 0.14.2
============================================================
2026-01-26 Userspace RCU 0.14.2
* Fix: Only include linux/time_types.h when __NR_futex_time64 is defined
* Use __NR_futex_time64 in futex syscall wrapper
* Cleanup: Remove useless declarations from urcu-qsbr
* src/urcu-bp.c: assert => urcu_posix_assert
2024-08-28 Userspace RCU 0.14.1
* Fix: missing typename in URCU_FORCE_CAST
* Allow building with GCC >= 13.3 on RISC-V
* pointer.h: Fix the rcu_cmpxchg_pointer documentation
* Adjust shell script to allow Bash in other locations
* fix: handle EINTR correctly in get_cpu_mask_from_sysfs
* Relicense src/compat-smp.h to MIT
* ppc.h: use mftb on ppc
* Fix: allow clang to build liburcu on RISC-V
* Fix -Walloc-size
* urcu/uatomic/riscv: Mark RISC-V as broken
* Fix: urcu-bp: misaligned reader accesses
* LoongArch: Document that byte and short atomics are implemented with LL/SC
* Add LoongArch support
* tests/regression/rcutorture: Add wait state
* urcu-wait: Initialize node in URCU_WAIT_NODE_INIT
* Fix: urcu-wait: add missing futex.h include
* Adjust shell scripts to allow Bash in other locations
* Add support for OpenBSD
* Revert compiler.h: Introduce caa_unqual_scalar_typeof
* rculfhash: Use caa_container_of_check_null in cds_lfht_entry
* compiler.h: Introduce caa_container_of_check_null
* compiler.h: Introduce caa_unqual_scalar_typeof
* Avoid calling caa_container_of on NULL pointer in cds_lfht macros
* Fix: revise urcu_read_lock_update() comment
* Fix: uatomic powerpc comment about lwsync
* fix: aarch64: allow RHEL7 gcc 4.8.5-11
* fix: warning 'noreturn' function does return on ppc
* Fix: use __noreturn__ for C11-compatibility
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Daniel Turull [Thu, 9 Apr 2026 09:29:34 +0000 (11:29 +0200)]
libatomic-ops: upgrade 7.8.2 -> 7.8.4
Changelog for libatomic-ops: 7.8.2 -> 7.8.4
============================================================
== [7.8.4] 2025-09-05 ==
* Document Win32-specific AO_NO_ASM_XADD macro in README
* Eliminate 'atomic_thread_fence is unsupported with tsan' gcc-11 warning
* Eliminate 'munmap argument 1 from incompatible pointer type' gcc warning
* Eliminate 'uninitialized memory use' gcc-13 warning in test_atomic
* Fix all broken URLs in comments
* Fix atomic_ops_sysdeps.S compilation for SunPro compiler in CMake script
* Update URLs after repository transfer to bdwgc organization
* Update CMake minimum required version to 3.10
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
(cherry picked from commit 02d66279071cbd043474dc44f44d348ec3228583)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Daniel Turull [Thu, 9 Apr 2026 09:29:33 +0000 (11:29 +0200)]
lttng-ust: upgrade 2.13.8 -> 2.13.10
Changelog for lttng-ust: 2.13.8 -> 2.13.10
============================================================
2026-02-13 lttng-ust 2.13.10
* Fix: ustctl: sigbus handling: statement with no effect
2025-04-14 (National Gardening Day) lttng-ust 2.13.9
* Fix: Use UATOMIC_HAS_ATOMIC_{BYTE,SHORT} for counter atomics
* Fix: lttng-ust-tp regex warnings
* lttng-ust-java: Load lttng-ust-context-jni before other JNI libraries
* doc/examples: set minimal CMake version to 3.5.0
* Fix: Update get_mempolicy check to handle EPERM
* Fix: Correct numa_available return code checks
* Fix: test_benchmark: do not match CPU(s) scaling MHz:
* Tests: Fix abi conflict test when building with clang
* Fix: Build examples when rpath is stripped from in-build-tree libs
* ust-fd: Add close_range declaration
* docs: Correct GitHub URLs in lttng-ust.3
* fix: handle EINTR correctly in get_cpu_mask_from_sysfs
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
* src/exec_ptrace.c:
ptrace_readv_string: properly handle reads of more than one page
When the intercept and intercept_verify options are enabled and
either argv[] or envp[] contains a string larger than the page size
(usually 4096), ptrace_readv_string() would fill the buffer with
multiple copies of the same string. Fixes GitHub issue #453.
[2e93eabed]
2025-07-14 Todd C. Miller <Todd.Miller@sudo.ws>
* src/exec_pty.c:
revoke_pty: use killpg() not kill() to send HUP to the process group
Also make sure we never call killpg(-1, SIGHUP), which would send
SIGHUP to process 1 (init). It is possible for cmnd_pid to be -1 in
certain error conditions where sudo killed the command itself. This
may explain GitHub issue #458.
[fb208d383]
2025-07-08 Todd C. Miller <Todd.Miller@sudo.ws>
* etc/sudo-logsrvd.pp, etc/sudo-python.pp, etc/sudo.pp, scripts/pp:
Don't assume RHEL major version is only a single digit
Sunil Dora [Fri, 27 Mar 2026 13:46:35 +0000 (19:16 +0530)]
license.py: Drop visit_Str from SeenVisitor in selftest
ast.Str was deprecated in Python 3.8 and removed in Python 3.14.
In [1], visit_Str was already removed from the LicenseVisitor
subclasses (FlattenVisitor, ListVisitor) in oe/license.py since
bitbake now requires Python 3.8+.
However, the test-only SeenVisitor class in the selftest was
missed at that time and still uses visit_Str/node.s. On Python
3.14, ast.Str is fully removed so visit_Str is never called,
causing test_single_licenses to return [] instead of the
expected license list.
Replace visit_Str/node.s with visit_Constant/node.value in
SeenVisitor.
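As an added illustration (not the selftest's own code), the visit_Constant form of such a visitor, with the license-quoting step modelled on how oe.license prepares an expression for ast; parse_license, licenses_seen and the two visitor classes are names assumed here:

```python
"""Collect license names from a license expression with ast.Constant, the
replacement for the ast.Str / visit_Str API that Python 3.14 removed."""
import ast
import re
import warnings

_OPERATOR = re.compile(r"([&|() ])")          # split on the license operators
_NAME = re.compile(r"^[A-Za-z0-9.+\-_*]+$")    # shape of a license identifier


def parse_license(licensestr: str) -> ast.Expression:
    """Quote every license name so 'GPL-2.0-only & (MIT | BSD-3-Clause)'
    becomes a Python expression whose operands are string constants."""
    out = []
    for tok in (t for t in _OPERATOR.split(licensestr) if t.strip()):
        if _NAME.match(tok):
            if out and _NAME.match(out[-1].strip('"')):
                out.append("&")                  # adjacent names imply AND
            out.append(f'"{tok}"')
        elif _OPERATOR.match(tok):
            out.append(tok)
        else:
            raise ValueError(f"invalid license token: {tok!r}")
    return ast.parse(" ".join(out), mode="eval")


class SeenVisitor(ast.NodeVisitor):
    """Record every license name in order of appearance (current idiom)."""

    def __init__(self):
        self.seen = []

    def visit_Constant(self, node: ast.Constant) -> None:
        # ast.Constant carries every literal kind; only strings are licenses.
        if isinstance(node.value, str):
            self.seen.append(node.value)
        self.generic_visit(node)


class LegacySeenVisitor(ast.NodeVisitor):
    """The pre-3.8 idiom. Python 3.8-3.13 still route Constant nodes here
    through a deprecated shim; on 3.14 visit_Str is never called, so 'seen'
    silently stays empty, which is exactly the selftest failure described."""

    def __init__(self):
        self.seen = []

    def visit_Str(self, node) -> None:
        self.seen.append(node.s)


def licenses_seen(licensestr: str, legacy: bool = False) -> list:
    """Return the license names found in licensestr, using either visitor."""
    visitor = LegacySeenVisitor() if legacy else SeenVisitor()
    tree = parse_license(licensestr)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # shim warns on 3.8-3.13
        visitor.visit(tree)
    return visitor.seen


if __name__ == "__main__":
    expr = "GPL-2.0-only & (MIT | BSD-3-Clause)"
    print("visit_Constant:", licenses_seen(expr))
    print("visit_Str:     ", licenses_seen(expr, legacy=True))
```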
selftest/minidebuginfo: extract files from tar archive using tarfile module
Python 3.14 added security checks around archive extraction, and by
default will refuse to handle symlinks with absolute paths. It's possible
to handle this using 'filter' argument, but it is not always available
in older Python versions on various host distributions we need to support,
so let's extract only the needed files directly using tarfile module.
busybox is itself a symlink to busybox.nosuid, so both are extracted.
[YOCTO #16195]
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d52d00a3bb4a1ba93e88f1d24d8bb99d6aa321eb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
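An added example, not the selftest's own code, of the extraction approach described above: it builds a constructed archive containing busybox.nosuid, the busybox symlink pointing at it and one hostile member with an absolute symlink target, extracts only the two wanted members, uses the 'data' filter where the interpreter has it and falls back to equivalent checks where it does not. All function and class names are assumed.

```python
"""Extract only the members we need from a tar archive, on Python 3.14 (whose
default 'data' filter refuses absolute symlink targets) and on older hosts
whose tarfile has no 'filter' argument at all."""
import io
import os
import tarfile
import tempfile

# Python 3.12+ (and the 3.8-3.11 point releases that backported PEP 706)
# expose tarfile.data_filter; older interpreters reject filter= entirely.
HAVE_DATA_FILTER = hasattr(tarfile, "data_filter")


class UnsafeMemberError(ValueError):
    """Raised for a member that would write or link outside the destination."""


# FilterError only exists where the filter does; fall back to our own class.
_FILTER_ERROR = getattr(tarfile, "FilterError", UnsafeMemberError)


def _reject_unsafe(member: tarfile.TarInfo, dest: str) -> None:
    """Fallback checks for interpreters without the 'data' filter: refuse
    absolute names, path traversal, links that escape dest and special files."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member.name))
    if os.path.isabs(member.name) or os.path.commonpath([dest, target]) != dest:
        raise UnsafeMemberError(f"member outside destination: {member.name}")
    if member.issym() or member.islnk():
        # symlink targets are relative to the link's directory,
        # hard-link targets are relative to the archive root
        base = os.path.dirname(member.name) if member.issym() else ""
        link = os.path.realpath(os.path.join(dest, base, member.linkname))
        if os.path.isabs(member.linkname) or os.path.commonpath([dest, link]) != dest:
            raise UnsafeMemberError(f"link escapes destination: {member.name} -> {member.linkname}")
    elif not (member.isreg() or member.isdir()):
        raise UnsafeMemberError(f"special file refused: {member.name}")


def extract_members(archive: bytes, wanted: list, dest: str) -> dict:
    """Extract exactly the members listed in `wanted` into `dest` and return
    {member name: extracted path}. Members not listed are never touched."""
    extracted = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for name in wanted:
            member = tar.getmember(name)          # KeyError if the archive lacks it
            try:
                if HAVE_DATA_FILTER:
                    tar.extract(member, path=dest, filter="data")
                else:
                    _reject_unsafe(member, dest)
                    tar.extract(member, path=dest)
            except _FILTER_ERROR as exc:
                raise UnsafeMemberError(str(exc)) from exc
            extracted[name] = os.path.join(dest, name)
    return extracted


def make_sample_archive() -> bytes:
    """Constructed sample data mimicking the layout in the commit: a regular
    file busybox.nosuid, the busybox symlink pointing at it, and one hostile
    member with an absolute link target that is never requested."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"#!/bin/sh\necho constructed busybox stand-in\n"
        reg = tarfile.TarInfo("bin/busybox.nosuid")
        reg.size, reg.mode = len(payload), 0o755
        tar.addfile(reg, io.BytesIO(payload))

        sym = tarfile.TarInfo("bin/busybox")
        sym.type, sym.linkname = tarfile.SYMTYPE, "busybox.nosuid"
        tar.addfile(sym)

        bad = tarfile.TarInfo("bin/hostile")
        bad.type, bad.linkname = tarfile.SYMTYPE, "/etc/passwd"
        tar.addfile(bad)
    return buf.getvalue()


def demo() -> dict:
    """Extract the two wanted members, then show the hostile one is refused."""
    archive = make_sample_archive()
    with tempfile.TemporaryDirectory() as dest:
        out = extract_members(archive, ["bin/busybox.nosuid", "bin/busybox"], dest)
        link = out["bin/busybox"]
        with open(link, "rb") as fh:             # follows the symlink
            content_ok = b"constructed busybox" in fh.read()
        try:
            extract_members(archive, ["bin/hostile"], dest)
            hostile_refused = False
        except UnsafeMemberError:
            hostile_refused = True
        return {
            "is_symlink": os.path.islink(link),
            "link_target": os.readlink(link),
            "content_ok": content_ok,
            "hostile_refused": hostile_refused,
        }


if __name__ == "__main__":
    print(demo())
```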
Richard Purdie [Wed, 1 Apr 2026 21:27:45 +0000 (22:27 +0100)]
archiver: Don't try to preserve all attributes when copying files
Similar to https://git.openembedded.org/bitbake/commit/?id=2f35dac0c821ab231459922ed98e1b2cc599ca9a
there is a problem in this code when copying from an NFS mount.
We currently use cp -p, which is a shortcut for --preserve=mode,ownership,timestamps.
We shouldn't need to preserve mode/ownership, only timestamps. Update the code
in the same way the bitbake fetcher was fixed for consistency.
This fixes build failures on OpenSUSE 16.0.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6e8313688fa994c82e4c846993ed8da0d1f4db0e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3ed1cef082b8ef0fa05684f7a41f0842150811bd)
[YC: bitbake commit was backported as 15d7448e04aa ("Use a "fork" multiprocessing context") in the 2.8 (scarthgap) branch]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
GCC-15 has switched to using C23 by default, we have been selectively
disabling warnings as errors to get by, however with autoconf 2.72 adding
-std=gnu23 it now gets enabled for every compiler and clang-22 is more
obedient and has dropped support for K&R C completely. db5 code has a lot
of K&R C prototypes and it starts to fail vigorously. We can not keep
working around without uplifting sources to be compliant with newer C
standards like C23.
Therefore pin the cflags to use C99 standard as this package expects.
Drop the code to disable warnings as errors selectively; instead, add a
fix addressing implicit int warnings.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
(cherry picked from commit 8615b3388b97a56096b959dea4d7499e03187100)
[YC: switched from CFLAGS += to CFLAGS:append]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
We use QEMU QMP python module to drive qemu in testimage. QMP uses
asyncIO and the method to get the event loop changed.
Backport the patches handling the deprecation to fix the error:
ERROR: core-image-minimal-1.0-r0 do_testimage: Error executing a python function in exec_func_python() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
*** 0002:do_testimage(d)
...
File: '.../openembedded-core/meta/lib/oeqa/utils/qemurunner.py', lineno: 332, function: launch
0331: from qmp.legacy import QEMUMonitorProtocol
*** 0332: self.qmp = QEMUMonitorProtocol(os.path.basename(qmp_port))
File: '.../build-ubuntu2604/tmp-glibc/work/qemux86_64-oe-linux/core-image-minimal/1.0/recipe-sysroot-native/usr/lib/qemu-python/qmp/legacy.py', lineno: 89, function: __init__
*** 0089: self._aloop = asyncio.get_event_loop()
File: '/usr/lib/python3.14/asyncio/events.py', lineno: 715, function: get_event_loop
0711:
0712: Returns an instance of EventLoop or raises an exception.
0713: """
0714: if self._local._loop is None:
*** 0715: raise RuntimeError('There is no current event loop in thread %r.'
0716: % threading.current_thread().name)
0717:
0718: return self._local._loop
Exception: RuntimeError: There is no current event loop in thread 'MainThread'.
Both patches are in Qemu 10.2 (OE Core master version)
texinfo: Backport patches for hosts with newer GCC
On Ubuntu 26.04 (Gcc 15.2), texinfo-native fails to build.
Note: it is usually ASSUME_PROVIDED via bitbake.conf.
Backport patches (all included in texinfo-7.3, OE-Core's version) to fix
these errors:
| ../../texinfo-7.0.3/system.h:69:14: error: conflicting types for ‘strerror’; have ‘char *(void)’
| 69 | extern char *strerror ();
| | ^~~~~~~~
| In file included from ../gnulib/lib/string.h:41,
| from ../../texinfo-7.0.3/system.h:34:
| /usr/include/string.h:451:14: note: previous declaration of ‘strerror’ with type ‘char *(int)’
| 451 | extern char *strerror (int __errnum) __THROW;
| | ^~~~~~~~
========================================================
| ../../../../../../../workspace/sources/texinfo-native/info/echo-area.c:176:12: error: too many arguments to function ‘cmd’; expected 0, have 2
| 176 | (*cmd) (the_echo_area, count);
| | ~^~~~~ ~~~~~~~~~~~~~
========================================================
| ../../../../../../../workspace/sources/texinfo-native/info/m-x.c:140:8: error: too many arguments to function ‘command->func’; expected 0, have 3
| 140 | (*command->func) (active_window, count, 0);
| | ~^~~~~~~~~~~~~~~ ~~~~~~~~~~~~~
========================================================
Martin Jansa [Tue, 21 Apr 2026 05:42:39 +0000 (07:42 +0200)]
elfutils: don't add -Werror to avoid discarded-qualifiers
With glibc-2.43 on host elfutils-native fails with:
elfutils-0.191/libcpu/riscv_disasm.c:1259:46: error: initialization discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
elfutils-0.194 in master doesn't have this issue thanks to this patch avoiding -Werror from:
https://git.openembedded.org/openembedded-core/commit/?id=1d6ac3c811798732e6addc798656bbe104661d77
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Michael Halstead [Thu, 12 Mar 2026 23:46:48 +0000 (16:46 -0700)]
yocto-uninative: Update to 5.1 for glibc 2.43
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c1fb515f2a88fa0a0e95529afc07a99db001af0e)
[YC: Remove duplicated line in commit message]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Michael Halstead [Tue, 21 Apr 2026 05:42:37 +0000 (07:42 +0200)]
yocto-uninative: Update to 5.0 for needed patchelf updates
Solves some segfaults on relocated qemu-img binaries.
[YOCTO #16003]
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[YC: removed extra line from commit message; upstream commit b322bc5387f3 ("meta/conf/distro/include/yocto-uninative.inc")]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Richard Purdie [Wed, 8 Apr 2026 06:45:09 +0000 (07:45 +0100)]
selftest/scripts: Update old git protocol references
git protocol accesses to our infrastructure are currently struggling and this
has highlighted a number of places where we're using those obsolete access forms.
Update them to use https instead of the git protocol since it is preferred
and more reliable.
The devtool test needed quoting to handle the ';' in the url. The -f option
to devtool also shows a deprecation warning so remove that.
There were internal references to git protocol urls inside the nested git
submodules test report, which means those repos need updating to use
new git revisions.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1ceba42623c5187d2f5a100d6a523abcdc75d34e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
oeqa/sdk: Default to https git protocol for YP/OE repos
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
meta/files/layers.example.json: switch to https clone URIs
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
oeqa/selftest/git-submodule-test: Default to https git protocol for YP/OE repos
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Use ";protocol=https" for the parent git submodule and, also, update the
SRCREV to point to a commit where submodules are referenced through a
https:// URL instead of a git:// one.
scripts: Default to https git protocol for YP/OE repos
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 74dd04549624b1d3ba6d4febe51fa9ba1c86944c)
build-appliance-image: switch SRC_URI to https protocol
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Martin Jansa [Fri, 17 Apr 2026 08:24:42 +0000 (10:24 +0200)]
dbus: use ${PN} in pkg_postinst instead of 'dbus'
All pkg_postinst in oe-core where the package name matches the recipe
name use ${PN} already.
We have a bbclass used by some recipes which does:
pkg_postinst:${PN}:append()
which works reasonably well for most of the recipes, except for dbus
where it causes:
the related kernel patch was already merged into yocto linux:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2e467a48287c868818085aa35389a224d226732
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Martin Jansa [Sun, 12 Apr 2026 08:08:13 +0000 (10:08 +0200)]
ovmf: backport a fix for build with gcc-16
Fixes build on host with gcc-16:
StringFuncs.c: In function ‘SplitStringByWhitespace’:
StringFuncs.c:113:15: error: variable ‘Item’ set but not used [-Werror=unused-but-set-variable=]
113 | UINTN Item;
| ^~~~
and
EfiRom.c: In function ‘main’:
EfiRom.c:78:17: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
78 | if ((Ptr0 = strstr ((CONST CHAR8 *) mOptions.FileList->FileName, DEFAULT_OUTPUT_EXTENSION)) != NULL) {
| ^
and one more for older version used in scarthgap
main.c: In function ‘ProcessArgs’:
main.c:163:42: error: too many arguments to function ‘p->process’; expected 0, have 2
163 | (*p->process)( *argv, *(argv+1) );
| ~^~~~~~~~~~~~ ~~~~~
main.c:120:34: note: declared here
120 | WildFunc process;
| ^~~~~~~
main.c:168:42: error: too many arguments to function ‘p->process’; expected 0, have 1
168 | (*p->process)( *argv );
| ~^~~~~~~~~~~~ ~~~~~
main.c:120:34: note: declared here
120 | WildFunc process;
| ^~~~~~~
Changelog:
* Update Mozilla certificate authority bundle to version 2.82
The following certificate authorities were added (+):
+ TrustAsia TLS ECC Root CA
+ TrustAsia TLS RSA Root CA
+ SwissSign RSA TLS Root CA 2022 - 1
+ OISTE Server Root ECC G1
+ OISTE Server Root RSA G1
The following certificate authorities were removed (-):
- GlobalSign Root CA
- Entrust.net Premium 2048 Secure Server CA
- Baltimore CyberTrust Root (closes: #1121936)
- Comodo AAA Services root
- XRamp Global CA Root
- Go Daddy Class 2 CA
- Starfield Class 2 CA
- CommScope Public Trust ECC Root-01
- CommScope Public Trust ECC Root-02
- CommScope Public Trust RSA Root-01
- CommScope Public Trust RSA Root-02
* Use dh_usrlocal to create /usr/local/share/ca-certificates
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 738e08718e31de19c1c8db5e162a4a00e2b0c0e6)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
libxcrypt: Use configure knob to disable warnings as errors
Passing -Wno-error via environment flags for target and nativesdk
is intended but is not effective due to command line ordering, and
as a result some patches have been added to disable particular kinds
of warnings as errors. Given the scenario, warnings as errors should
be disabled for all builds; this makes it portable across hosts and
across compilers (gcc, clang) and glibc versions.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 25f26861ddc8d71af5381d1acc883ad948bddace)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
latest glibc has better C23 support and exposes this problem
Fixes following errors seen in nativesdk-libxcrypt
| ../sources/libxcrypt-4.5.2/lib/crypt-sm3-yescrypt.c:139:9: error: initializing 'char *' with an expression of type 'const char *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
| 139 | char *hptr = strchr ((const char *) intbuf->retval + 3, '$');
| | ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 6 errors generated.
Compared to the wrynose version, the lib/crypt-sm3-yescrypt.c change is
dropped, because that file doesn't exist in the version used in scarthgap;
it was failing only in lib/crypt-gost-yescrypt.c.
libxcrypt: avoid discarded-qualifiers build failure with glibc 2.43
With the glibc 2.43 upgrade, building nativesdk-libxcrypt triggers a
-Wdiscarded-qualifiers warning in crypt-gost-yescrypt.c and
crypt-sm3-yescrypt.c which becomes a build failure due to -Werror.
Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8340d4be03646f0b4b599f768ddc88f502f93615)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Jiaying Song [Thu, 9 Apr 2026 06:16:32 +0000 (14:16 +0800)]
python3-pyasn1: fix CVE-2026-23490
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a
Denial-of-Service issue has been found that leads to memory exhaustion
from malformed RELATIVE-OID with excessive continuation octets. This
vulnerability is fixed in 0.6.2.
CVE-2025-11687:
A flaw was found in gi-docgen. This vulnerability allows arbitrary JavaScript execution in the
context of the page — enabling DOM access, session cookie theft and other client-side attacks — via
a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS).
Peter Marko [Wed, 8 Apr 2026 05:57:30 +0000 (07:57 +0200)]
openssl: upgrade 3.5.5 -> 3.5.6
Release information [1]:
OpenSSL 3.5.6 is a security patch release. The most severe CVE fixed in this release is Medium.
This release incorporates the following bug fixes and mitigations:
* Fixed incorrect failure handling in RSA KEM RSASVE encapsulation. (CVE-2026-31790)
* Fixed loss of key agreement group tuple structure when the DEFAULT keyword is used in
the server-side configuration of the key-agreement group list. (CVE-2026-2673)
* Fixed potential use-after-free in DANE client code. (CVE-2026-28387)
* Fixed NULL pointer dereference when processing a delta CRL. (CVE-2026-28388)
* Fixed possible NULL dereference when processing CMS KeyAgreeRecipientInfo. (CVE-2026-28389)
* Fixed possible NULL dereference when processing CMS KeyTransportRecipientInfo. (CVE-2026-28390)
* Fixed heap buffer overflow in hexadecimal conversion. (CVE-2026-31789)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fc25ce383ddcb1185c193ff2b10f9116741eb316)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Release information:
* https://www.python.org/downloads/release/python-31213/
* The release you're looking at is Python 3.12.13, a security bugfix
release for the legacy 3.12 series.
linux/generate-cve-exclusions: backport script from master branch
The current version of this script in Scarthgap is outdated, since it
still uses data from linux_kernel_cves. This repository was archived in
2024.
To avoid any risks of conflicts, and/or a patch series longer than it
needs to be, I copied the generate-cve-exclusions.py script from
oe-core's master branch (rev. "e954a94b5b528b2430e8da331107d7d58287f89b") as-is.
Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Pick patch from [1] also mentioned in [2]
[1] https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-27135
When running glibc tests under user mode NFS, tst-syslog was causing a hang. The
hang was traced to unfsd exiting with a buffer overflow being detected.
This was traced down to mksocket() where we'd see:
socket path '/media/build/poky/build/build-st-2118464/tmp/work/x86-64-v3-poky-linux/glibc-testsuite/2.42+git/build-x86_64-poky-linux/testroot.root/dev/log' is too long at 141 vs 108
There is a length check in mknod_args() but obj may not be set up at this point by
cat_name() since the functions can be executed out of order according to C.
To avoid this, make the order explicit. This means the length is checked and we
avoid the buffer overflow. This will likely cause the glibc test to fail however
it won't hang, which is a win.
[YOCTO #16113]
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
(cherry picked from commit e51d5e19cb1ba1d5ad7442064b64821d178bc9ca)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Pick patch from [1] also mentioned in NVD report with [2]
[1] https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7ddbb6edee79577e9a
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-33412
Pick patch from [1] also mentioned in [2]
[1] https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-26269
Pick patch from [1] also mentioned in [2]
[1] https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-25749
binutils: mark CVE-2025-69650 and CVE-2025-69651 as disputed
Both CVEs are disputed by third parties. The observed behavior
(double free / invalid pointer free in readelf) only occurred in
pre-release code and did not affect any tagged version [1][2].
CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"