Pratik Farkase [Wed, 6 May 2026 12:43:29 +0000 (14:43 +0200)]
go: ptest: improvements and multiple fixes in golang ptest
Summary of Changelog:
- run-ptest permanently modified the installed GOROOT by symlinking src/
and copying files without cleanup, corrupting the Go installation
- Sub-package skip regex used exact match (^pkg$) so subpackages like
net/http/httptest and runtime/debug were not skipped and would fail
- Test output was completely suppressed (>/dev/null 2>&1), making
failures impossible to diagnose
- go was missing from RDEPENDS, allowing ptest to be installed without
the toolchain it needs
- bash was in RDEPENDS despite the script using #!/bin/sh with no
bash-isms
- file://run-ptest was in the shared .inc, affecting go-cross and
go-native which don't inherit ptest
- cp pkg/include/* would fail if the directory was empty
Fix by saving/restoring GOROOT/src, using (/|$) in the skip regex,
printing output on failure, correcting RDEPENDS, moving run-ptest to
the target .bb, and guarding the glob.
Tested on qemux86-64: all tests pass, 0 failures (~63 min).
Signed-off-by: Pratik Farkase <pratik.farkase@est.tech> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
u-boot-tools: drop the hardlink workaround in do_compile
This workaround initially considered a host running git < v2.14, which
does not look realistic if we consider the fairly recent distros in
SANITY_TESTED_DISTROS.
Even in older build machines/distros, one can use buildtools to provide git:
$ ./x86_64-buildtools-extended-nativesdk-standalone-5.0.sh
(...)
$ which git
(...)/buildtools/sysroots/x86_64-pokysdk-linux/usr/bin/git
$ git --version
git version 2.44.0
It is harmless, but still a bit outdated, so remove it.
[RP: the earliest git version on our test builders is ~2.33 so no distros
we currently support would run into this]
Signed-off-by: João Marcos Costa <joaomarcos.costa@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Mon, 4 May 2026 19:52:44 +0000 (21:52 +0200)]
libssh2: patch CVE-2026-7598
Pick patch mentioned in both NVD and Debian report.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Mon, 4 May 2026 19:52:43 +0000 (21:52 +0200)]
sudo: patch CVE-2026-35535
Pick patch mentioned in both NVD and Debian report.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Wed, 6 May 2026 15:13:45 +0000 (16:13 +0100)]
harfbuzz: upgrade 12.3.2 -> 14.2.0
Highlights from 13.0.0:
- New public hb-vector API for vector output of glyph outlines. The only
supported output format currently is SVG.
- New public hb-raster API for rasterizing glyphs to A8 / BGRA32 images.
Highlights from 13.1.0:
- The harfbuzz-raster library can now render bitmap color glyph formats
(CBDT and sbix). It now also has an API to serialize / deserialize
images to and from PNGs. This new functionality requires libpng, and
will not be available if HarfBuzz is built without libpng.
- Install hb-raster command line utility.
Highlights from 13.1.1:
- Support gzip-compressed SVG glyphs in harfbuzz-raster
and harfbuzz-vector libraries. This new functionality requires zlib,
and will not be available if HarfBuzz is built without zlib.
Hights from 14.0.0:
- New libharfbuzz-gpu library: GPU text rasterization based on the Slug
algorithm by Eric Lengyel. Encodes glyph outlines on the CPU into
compact blobs that the GPU decodes and rasterizes directly in the
fragment shader, with no intermediate bitmap atlas.
Add PACKAGECONFIGs for the new auxiliary libraries and optional
dependencies. This includes the new option for the subset library, which
is enabled by default to preserve existing behaviour.
Based on work by Wang Mingyu <wangmy@fujitsu.com>.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Wed, 6 May 2026 15:13:44 +0000 (16:13 +0100)]
harfbuzz: improve packaging
Harfbuzz is a core library that has minimal dependencies
(libharfbuzz.so) and a number of auxiliary libraries that perform
specific functions, such as libharfbuzz-subset (generate font subsets)
and libharfbuzz-cairo (Cairo rendering).
Add a missing PACKAGECONFIG for the GObject option and organise the list
of options into logical groups to reflect what they do.
As the number of auxiliary libraries is growing, stop doing the library
packaging by hand and instead simply use do_split_packages to pull every
auxiliary library into its own package. This removes the cairo and
libgobject dependencies from the main package as they're now in separate
packages.
Stop packaging the headers and library symlinks into separate packages
and put them all into harfbuzz-dev. This ensures that if the dev headers
are requested, they are all installed.
Update the homepage and bugtracker links to reflect the current URLs.
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Moritz Haase [Thu, 30 Apr 2026 09:26:36 +0000 (11:26 +0200)]
devtool: Disable gpg signing when setting up source tree repos
This stops 'devtool modify foo' from failing with an error message like
ERROR: Execution of 'git -c user.name=\"OpenEmbedded\" -c
user.email=\"oe.patch@oe\" commit -q -m "Initial commit from upstream at
version 1.90.0"' failed with exit code 128:
error: cannot run ssh-keygen: No such file or directory
error:
fatal: failed to write commit object
when GPG signing is enabled in the git configuration.
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Briefly:
British Columbia moved to permanent -07 on 2026-03-09.
Some more overflow bugs have been fixed in zic.
Changes to future timestamps
British Columbia’s 2026-03-08 spring forward was its last
foreseeable clock change, as it moved to permanent -07 thereafter.
(Thanks to Arthur David Olson.) Although the change to permanent
-07 legally took place on 2026-03-09, temporarily model the change
to occur on 2026-11-01 at 02:00 instead. This works around a
limitation in CLDR v48.2 (2026-03-17). This temporary hack is
planned to be removed after CLDR is fixed.
Changes to code
zic no longer mishandles a last transition to a new time type.
zic no longer overflows a buffer when generating a TZ string like
"PST-167:59:58PDT-167:59:59,M11.5.6/-167:59:59,M12.5.6/-167:59:59",
which can occur with adversarial input. (Thanks to Naveed Khan.)
zic no longer generates a longer TZif file than necessary when
an earlier time zone abbreviation is a suffix of a later one.
As a nice side effect, zic no longer overflows a buffer when given
a long series of abbreviations, each a suffix of the next.
(Buffer overflow reported by Arthur Chan.)
zic no longer overflows an int when processing input like ‘Zone
Ouch 2147483648:00:00 - LMT’. The int overflow can lead to buffer
overflow in adversarial cases. (Thanks to Naveed Khan.)
Instead of returning a dict of key:value pairs, return a dict of key to
list of values and update the callers to take the first element in the
list where a single value is expected (such as the description).
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Wed, 29 Apr 2026 16:48:19 +0000 (17:48 +0100)]
linux-firmware: split out MediaTek mt7996 firmare
The firmware for the MT7996/MT7992/MT7990 devices that use the mt7996e
driver comes to 13MB. Split it out of the -mediatek catch-all as that
accounts for over 20% of the firmware:
linux-firmware: PACKAGES: added "linux-firmware-mt7996"
linux-firmware/linux-firmware-mediatek: PKGSIZE changed from 61848181 to 49149973 (-21%)
Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Wed, 29 Apr 2026 16:48:18 +0000 (17:48 +0100)]
linux-firmware: delink some tegra firmware to avoid pulling in full nvidia firmware
Some Nvidia firmware is shared between products but the symlinks cross
product/driver boundaries, resulting in the -nvidia-tegra package
depending on the ~150MB -nvidia-gpu package for a few 10kb files.
If we replace the symlinks with the actual content of the files then this
dependency disappears.
Add ptest infrastructure to test the Go standard library.
- Run 'go test -short std' via run-ptest script
- Install source tree and pkg/include headers
- Create VERSION file for architecture detection
- Exclude multi-arch binary testdata to avoid QA errors
apr-util is tracked in NVD under apache:apr-util, while a smaller set
of newer CVEs also appears under apache:portable_runtime_utility.
Set CVE_PRODUCT accordingly so cve-check can cover both the historical
and current NVD product identities used for APR-util.
apr is tracked in NVD under apache:portable_runtime rather than the
recipe name apr. Set CVE_PRODUCT accordingly so cve-check uses the
correct NVD product identity for APR.
No additional alias was found to be necessary for this recipe.
Peter Marko [Tue, 28 Apr 2026 16:54:20 +0000 (18:54 +0200)]
sudo: set CVE_PRODUCT
This change removes currently open CVE-2025-64170 and CVE-2025-64517
from reports which are for "trifectatech:sudo-rs".
It also removes following "patched" ones:
* CVE-2023-42456 (memorysafety:sudo)
* CVE-2025-46717 (trifectatech:sudo)
* CVE-2025-46718 (trifectatech:sudo)
All these are also for "sudo-rs".
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Mon, 27 Apr 2026 21:51:18 +0000 (23:51 +0200)]
cups: upgrade 2.4.16 -> 2.4.19
Release notes:
* https://github.com/OpenPrinting/cups/releases/tag/v2.4.19
* CUPS 2.4.19 fixes a regression in shared printing from non-local accounts (Issue #1557)
* https://github.com/OpenPrinting/cups/releases/tag/v2.4.18
* The new release 2.4.18 contains a hotfix after the CVE-2026-27447 fix:
* Fixed cupsd crash if user does not exist (Issue #1555)
* https://github.com/OpenPrinting/cups/releases/tag/v2.4.17
* The new release 2.4.17 contains the following security fixes:
* CVE-2026-27447: The scheduler treated local user and group names as case-
insensitive.
* CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
directory.
* CVE-2026-34980: The scheduler did not filter control characters from option
values.
* CVE-2026-34979: The scheduler did not always allocate enough memory for a
job's options string.
* CVE-2026-34990: The scheduler incorrectly allowed local certificates over the
loopback interface.
* CVE-2026-39314: Fixed the range check for job password strings.
* CVE-2026-39316: Fixed a printer subscription bug in the scheduler.
* CVE-2026-NNNNN: Fixed a SNMP string conversion bug in the backends.
Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
projects / thirdparty / openembedded / openembedded-core.git / log
