Ross Burton [Thu, 16 Apr 2026 10:30:59 +0000 (11:30 +0100)]
libsoup: mark CVEs which have been resolved upstream
These issues have all been fixed in the 3.6.6 release that we have, but
the CPEs are unversioned. I've contacted NIST to update the database but
until that happens we can mark them as fixed.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Thu, 16 Apr 2026 10:30:58 +0000 (11:30 +0100)]
libsoup: actually apply patches for CVE-2025-32049 and CVE-2026-1539
The patches were added to SRC_URI before inheriting gnomebase, which
does SRC_URI = "...". This means the patches were never actually part of
SRC_URI, so never applied.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade the firmware package to latest release. Add qupv3fw
firmware for qcs615 and shikra, add adreno, audio and compute
package for DELL XPS13 9345, add audioreach firmware for Glymur
and arduino monza, add ISH firmware for Intel Wildcat Lake platform,
add lenovo ish firmware for X9-15 2025, X1 Carbon (Gen 14) and
X1 2-in-1 (Gen 11).
oeqa/selftest/sstatetests: add wayland feature check for test needing it
When run with a distro without 'wayland' DISTRO_FEATURES:
2026-04-14 17:42:00,568 - oe-selftest - INFO - FAIL: test_sstate_32_64_same_hash (sstatetests.SStateHashSameSigs.test_sstate_32_64_same_hash)
2026-04-14 17:42:00,568 - oe-selftest - INFO - ----------------------------------------------------------------------
2026-04-14 17:42:00,568 - oe-selftest - INFO - Traceback (most recent call last):
File ".../openembedded-core/meta/lib/oeqa/selftest/cases/sstatetests.py", line 407, in test_sstate_32_64_same_hash
self.sstate_hashtest("i686")
~~~~~~~~~~~~~~~~~~~~^^^^^^^^
File ".../openembedded-core/meta/lib/oeqa/core/decorator/__init__.py", line 35, in wrapped_f
return func(*args, **kwargs)
File ".../openembedded-core/meta/lib/oeqa/selftest/cases/sstatetests.py", line 371, in sstate_hashtest
bitbake("core-image-weston -S none")
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
AssertionError: Command 'bitbake core-image-weston -S none' returned non-zero exit status 1:
...
ERROR: Nothing PROVIDES 'core-image-weston'
core-image-weston was skipped: using DISTRO 'nodistro', which is missing required DISTRO_FEATURES: 'wayland'
This is caused by core-image-weston being skipped because it needs the
wayland DISTRO_FEATURES.
Note that this is not seen in testing because nodistro has wayland
enabled by default since 2e1e7c86064 (bitbake.conf: Enable opengl ptest multiarch wayland vulkan in DISTRO_FEATURES by default, 2026-02-21)
Ross Burton [Tue, 14 Apr 2026 16:15:30 +0000 (17:15 +0100)]
glib-networking: backport fixes for CVE-2025-60018 and CVE-2025-60019
CVE-2025-60018:
glib-networking's OpenSSL backend fails to properly check the return
value of a call to BIO_write(), resulting in an out of bounds read.
CVE-2025-60019:
glib-networking's OpenSSL backend fails to properly check the return
value of memory allocation routines. An out of memory condition could
potentially result in writing to an invalid memory location.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns4_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns6_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns_minimal_gethostbyaddr_r' failed: symbol not defined
weston-init: set require-outputs=none to allow startup without connected display
By default, Weston exits at startup if no output connector is reported
as connected by the DRM subsystem. On platforms where displays are
connected after boot via HPD (Hot Plug Detect), this causes the weston
service to be killed during early boot and remain down until manually
restarted.
Setting require-outputs=none in the [core] section instructs Weston to
start and remain running even when no connector is active at boot time.
When a display is subsequently hotplugged and HPD is asserted, Weston
automatically picks up the new connector and brings up the output without
requiring a service restart.
kernel-fit-image: Fix support for initramfs multiconfig
In the transition from kernel-fitimage.bbclass a fix for initramfs
multiconfig was partly reverted, maybe because the default value for
INITRAMFS_DEPLOY_DIR_IMAGE is only set in kernel.bbclass and therefore
not accessible in kernel-fit-image.bbclass.
This fix introduces INITRAMFS_DEPLOY_DIR_IMAGE in kernel-fit-image.bbclass,
so initramfs multiconfig works as expected.
LLD is stricter with version scripts
This is a classic LLD vs GNU ld compatibility issue with
version scripts. LLD is stricter than GNU ld — by default
it treats unmatched version script symbols as hard
errors, whereas GNU ld silently ignores them.
What's happening is that the version script,
e.g. map.pa, declares symbols like pa_glib_mainloop_new
under PULSE_0, but those symbols aren't being compiled
into the current library target.
Sunil Dora [Mon, 13 Apr 2026 07:04:57 +0000 (00:04 -0700)]
rust: enable fully static linking with TCLIBC=musl
Fixes [YOCTO #16076]
Rust binaries built with TCLIBC=musl and
-C target-feature=+crt-static were still dynamically linked.
Fix this by addressing three issues:
1) Set crt-static-respected in the generated musl target spec
so rustc honors +crt-static. [1]
2) Add the target sysroot library path to the linker flags so
libunwind.a can be found.
3) Use LLVM libunwind for musl:
- GNU libunwind does not provide static libraries in OE
and lacks required _Unwind_* symbols on some architectures [2]
- libgcc_eh depends on pthread and cannot be used for fully
static linking with musl
- LLVM libunwind provides the required symbols without
additional dependencies
Install LLVM libunwind from libcxx and switch libstd-rs
to depend on libcxx for musl.
Also remove the obsolete DEPENDS:remove:riscv32/riscv64 = "libunwind"
lines added in 2021 when riscv musl support was still being patched.
LLVM libunwind supports both riscv32 and riscv64 - verified locally.
riscv32 support was upstreamed at [3].
Add a selftest to verify that produced binaries are statically linked.
Martin Jansa [Fri, 10 Apr 2026 08:26:54 +0000 (10:26 +0200)]
dbus: use ${PN} in pkg_postinst instead of 'dbus'
All pkg_postinst in oe-core where the package name matches the recipe
name use ${PN} already.
We have a bbclass used by some recipes which does:
pkg_postinst:${PN}:append()
which works reasonably well for most of the recipes, except for dbus
where it causes:
oe-pkgdata-util: improve lookup-pkg error for RPROVIDES packages
When a package is not found by 'oe-pkgdata-util lookup-pkg', the error
message provides no guidance on what went wrong or where to look.
Improve the error message by checking the runtime-rprovides directory
for the missing package. If the package exists in RPROVIDES:
- If the provider package was generated, suggest looking up the actual
package name instead.
- If the provider package was not generated (e.g. empty package or
disabled by PACKAGECONFIG), inform the user which recipe provides it
and that it was not generated.
This helps users quickly identify the correct package name or
understand why a package is missing from their build.
Before:
ERROR: The following packages could not be found: eglibc
After:
ERROR: eglibc is in the RPROVIDES of glibc (recipe: glibc), try
looking up 'glibc' instead
Peter Marko [Tue, 14 Apr 2026 14:32:54 +0000 (16:32 +0200)]
mpg123: set status for CVE-2006-3355
This CVE has only a CPE version, which is considered invalid:
* cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*
This means that the fixed version is unknown and thus all versions are
considered to be vulnerable.
Since the vulnerability was fixed in old version 0.59s_r11, mark it as
fixed.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oeqa/selftest/devtool: add vulkan feature check for test needing it
When run with a distro without 'vulkan' DISTRO_FEATURES:
$ oe-selftest -r devtool.DevtoolUpdateTests.test_devtool_git_submodules
2026-04-14 14:36:57,036 - oe-selftest - INFO - test_devtool_git_submodules (devtool.DevtoolUpdateTests.test_devtool_git_submodules)
vulkan-samples is unavailable:
vulkan-samples was skipped: using DISTRO 'nodistro', which is missing required DISTRO_FEATURES: 'vulkan'
2026-04-14 14:37:13,002 - oe-selftest - INFO - ... ERROR
2026-04-14 14:37:13,002 - oe-selftest - INFO - Traceback (most recent call last):
File "/.../openembedded-core/meta/lib/oeqa/selftest/cases/devtool.py", line 1695, in test_devtool_git_submodules
self.assertIn('gitsm://', src_uri, 'This test expects the %s recipe to be a git recipe with submodules' % recipe)
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/unittest/case.py", line 1171, in assertIn
if member not in container:
^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument of type 'NoneType' is not iterable
This is caused by vulkan-samples being skipped because it needs the
vulkan DISTRO_FEATURES.
Note that this is not seen in testing because nodistro has vulkan
enabled by default since 2e1e7c86064 (bitbake.conf: Enable opengl ptest multiarch wayland vulkan in DISTRO_FEATURES by default, 2026-02-21)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Replace patches 0008 and 0033 with a single consolidated patch (0041)
that fixes native build breakage.
The original patches unconditionally changed the runtime library search
base from ResourceDir to SysRoot, which breaks native/standalone builds
where SysRoot is empty (e.g., PGO bootstrap fails to find
libclang_rt.profile.a). The new patch uses SysRoot-based paths only
during cross-compilation and falls back to the upstream default
ResourceDir for native builds.
Signed-off-by: mark.yang <mark.yang@lge.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Mon, 13 Apr 2026 21:14:46 +0000 (23:14 +0200)]
ovmf: set status for CVE-2024-1298
cvelistV5 uses full tag name (edk2-stable202405) while NVD uses only
version (202405).
Since the NVD CPE is not yet available, cvelistV5 marks it as not patched
yet because the string sorts after the version.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Wed, 15 Apr 2026 18:09:34 +0000 (20:09 +0200)]
kea: upgrade 3.0.2 -> 3.0.3
Solves CVE-2026-3608.
License-Update: copyright years refreshed
Release notes [1]:
Welcome to Kea 3.0.3, a vulnerability release of the stable 3.0 series.
This supersedes the previous release, version 3.0.2.
1. **Vulnerability**: We addressed an issue, which was assigned
CVE-2026-3608, where a large number of bracket pairs in a JSON payload
directed to any endpoint would result in a stack overflow, due to
recursive calls when parsing the JSON [#4275, #4288, #4387]. Since the
exploit does not require the JSON request to have the full syntax of a
valid command, it bypasses RBAC and the command filters on the
High-Availability endpoints.
2. **Security**: A null dereference is now no longer possible when
configuring the Control Agent with a socket that lacks the mandatory
socket-name entry [#4388, #4365].
3. **Permissions**: UNIX sockets are now created as group-writable
[#4398, #4260]. This allows users belonging to the group to send
commands to the UNIX sockets. In particular, it allows Stork 2.4.0 and
above to detect the Kea daemon.
Ross Burton [Wed, 15 Apr 2026 15:27:41 +0000 (16:27 +0100)]
rsync: always use the system zlib
There's nothing gained by adding an option to use the vendored zlib
apart from the chance of accidentally not using it, so remove the
PACKAGECONFIG and just explicitly depend on zlib.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Wed, 15 Apr 2026 20:14:42 +0000 (22:14 +0200)]
grub: set status for 6 CVEs fixed in 2.14
These CVEs were fixed in 2.14, however the Redhat CNA does not fill in any
version in the CPEs.
References for fixes are in Debian security tracker:
* https://security-tracker.debian.org/tracker/CVE-2025-54770
* https://security-tracker.debian.org/tracker/CVE-2025-54771
* https://security-tracker.debian.org/tracker/CVE-2025-61661
* https://security-tracker.debian.org/tracker/CVE-2025-61662
* https://security-tracker.debian.org/tracker/CVE-2025-61663
* https://security-tracker.debian.org/tracker/CVE-2025-61664
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Tue, 14 Apr 2026 15:56:52 +0000 (16:56 +0100)]
perl: link to the system bzip2 instead of a vendored copy
The perl module Compress-Raw-Bzip2 defaults to using a vendored copy of
the bzip2 sources. We should be building perl against the system bzip2
recipe to avoid potential security issues.
This is a little fiddly in the DEPENDS as bzip2-native is assume-provided
so we need to depend on bzip2-replacement-native for the native build.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Tue, 14 Apr 2026 15:56:51 +0000 (16:56 +0100)]
perl: link to the system zlib instead of a vendored copy
The perl module Compress-Raw-Zlib defaults to using a vendored copy of
the zlib sources which has a number of CVEs. A newer version of perl
updates this to zlib 1.3.2 to resolve them, but we should be linking to
our zlib recipe instead of the vendored code.
This mitigates CVE-2026-4176 so mark it as not appropriate.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Tue, 14 Apr 2026 15:56:47 +0000 (16:56 +0100)]
graphene: ignore CVE-2024-1984
This CVE is for a WordPress theme called Graphene. It's likely that the
CPE for this graphene will be gnome:graphene but this hasn't been
formally documented, so exclude this one CVE for now.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Wed, 15 Apr 2026 19:07:17 +0000 (21:07 +0200)]
libexif: upgrade 0.6.25 -> 0.6.26
Release notes [1]:
libexif-0.6.26 (2026-04-14):
* Security issues fixed:
* CVE-2026-40386: An unsigned integer underflow in Fuji and Olympus makernote handling
* CVE-2026-40385: An unsigned integer overflow on 32bit systems in Nikon makernote handling
* CVE-2026-32775: A buffer overwrite via integer underflow in makernote handling
Martin Jansa [Tue, 14 Apr 2026 12:42:10 +0000 (14:42 +0200)]
apr: remove space before the -std=gnu23 from apr_rules.mk
When -std=gnu23 is added to CC_FOR_BUILD it comes with an additional space;
we need to remove the space as well to avoid the difference between
the build where -std=gnu23 was added and then removed by sed, and the
build where it wasn't added at all, like in:
https://valkyrie.yocto.io/pub/repro-fail/oe-reproducible-20260414-82oogy25/packages/diff-html/
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Tue, 14 Apr 2026 11:01:23 +0000 (12:01 +0100)]
strace: Fix reproducibility issue
With the updated ax_prog_cc_for_build.m4 CC_FOR_BUILD can include a
" -std=gnu23" option on some hosts. We don't need this on target and
it leads to a reproducibility issue, so remove it.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
StringFuncs.c: In function ‘SplitStringByWhitespace’:
StringFuncs.c:113:15: error: variable ‘Item’ set but not used [-Werror=unused-but-set-variable=]
113 | UINTN Item;
| ^~~~
- A new sample demonstrating the rasterization order attachment access extension (#1492).
- Broken documentation link to GitHub repo fixed (#1506).
- Vulkan SDK updated to 1.4.341 (#1477).
Benjamin Robin [Fri, 10 Apr 2026 13:10:46 +0000 (15:10 +0200)]
webkitgtk: Remove escaping of the plus sign in `CVE_PRODUCT`
The `+` character is now properly escaped by `cve_check.cpe_escape()`
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Benjamin Robin [Fri, 10 Apr 2026 13:10:45 +0000 (15:10 +0200)]
gtk+: Remove escaping of the plus sign in `CVE_PRODUCT`
The `+` character is now properly escaped by `cve_check.cpe_escape()`
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Benjamin Robin [Fri, 10 Apr 2026 13:10:44 +0000 (15:10 +0200)]
cve_check: do not break old CVE_PRODUCT with escaped +
For now, until all layers are fixed, replace an already escaped plus (+)
with a simple + before doing the escaping.
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Benjamin Robin [Fri, 10 Apr 2026 13:10:43 +0000 (15:10 +0200)]
cve_check: Improve escaping of special characters in CPE 2.3
According to the NISTIR 7695 specification [1], multiple characters
require escaping when using formatted strings (e.g., `cpe:2.3:...`),
which use backslash escaping. In "Figure 6-3. ABNF for Formatted String
Binding", the characters that need escaping are referenced by "escape",
"special", and "punc". More characters must be escaped than just
`\`, `?`, `*`, `:`, and `+`.
Additionally, use `maketrans()` with `translate()`, which is more
efficient than a simple `replace()`.
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
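The two cve_check commits above (the stricter CPE 2.3 escaping, and the compatibility step for values that a layer already escaped) in working form, as an added example that is not oe-core's own `cve_check.cpe_escape()`. The escaped character set is this example's reading of NISTIR 7695 Figure 6-3, the compatibility step is generalised from `\+` to every escapable character, and `is_valid_fs_component()` and `cpe_fs()` are helpers invented for this example.

```python
import re
import string

# Characters that need a backslash in a CPE 2.3 formatted string, per this
# example's reading of NISTIR 7695 Figure 6-3: "escape" (the backslash),
# "special" (? and *) and the "punc" set.  Hyphen, period and underscore
# are unreserved in the formatted-string binding and are left alone.
# (Assumption of this example, not oe-core's table.)
CPE_FS_PUNC = '!"#$%&\'()+,/:;<=>@[]^`{|}~'
CPE_FS_ESCAPED = "\\?*" + CPE_FS_PUNC
CPE_FS_UNRESERVED = string.ascii_letters + string.digits + "-._"

# Build the translation table once; str.translate() then does the whole
# pass in C instead of one str.replace() call per character.
_ESCAPE_TABLE = str.maketrans({c: "\\" + c for c in CPE_FS_ESCAPED})

# A backslash followed by an escapable character: input escaped by hand.
_ALREADY_ESCAPED = re.compile(r"\\([" + re.escape(CPE_FS_ESCAPED) + r"])")

# Grammar of one formatted-string component: a lone "*" or "-", or a run of
# unreserved / quoted characters, optionally prefixed and/or suffixed by a
# wildcard ("*" or one or more "?").  Wildcards elsewhere must be quoted.
_CHAR = (r"(?:[" + re.escape(CPE_FS_UNRESERVED) + r"]|\\["
         + re.escape(CPE_FS_ESCAPED) + r"])")
_WILD = r"(?:\*|\?+)?"
_COMPONENT = re.compile(r"^(?:\*|-|" + _WILD + _CHAR + r"+" + _WILD + r")$")


def cpe_unescape(value: str) -> str:
    """Drop the backslash from characters an older layer escaped by hand,
    so a CVE_PRODUCT such as "gtk\\+" keeps working (compatibility step)."""
    return _ALREADY_ESCAPED.sub(r"\1", value)


def cpe_escape(value: str) -> str:
    """Escape one component for a CPE 2.3 formatted string; idempotent."""
    return cpe_unescape(value).translate(_ESCAPE_TABLE)


def is_valid_fs_component(component: str) -> bool:
    """True if the component matches the formatted-string component grammar."""
    return _COMPONENT.fullmatch(component) is not None


def cpe_fs(part: str, vendor: str, product: str, version: str = "*") -> str:
    """Bind part/vendor/product/version into a formatted string.  The logical
    values "*" and "-" are passed through; the seven trailing fields
    (update .. other) are left as the ANY wildcard."""
    bind = lambda v: v if v in ("*", "-") else cpe_escape(v)
    fields = [part, bind(vendor), bind(product), bind(version)] + ["*"] * 7
    fs = "cpe:2.3:" + ":".join(fields)
    bad = [f for f in fields if not is_valid_fs_component(f)]
    if bad:
        raise ValueError("invalid formatted-string component(s): %r" % bad)
    return fs


if __name__ == "__main__":
    # Constructed sample CVE_PRODUCT values, old-style escaped and plain.
    for product in ("gtk+", "gtk\\+", "webkitgtk", "libpng"):
        print("%-10s -> %s" % (product, cpe_fs("a", "*", product)))
```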
Peter Marko [Sun, 12 Apr 2026 15:03:23 +0000 (17:03 +0200)]
libpng: upgrade 1.6.55 -> 1.6.56
Release notes [1]:
* Fixed CVE-2026-33416 (high severity):
Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
(Reported by Halil Oktay and Ryo Shimada;
fixed by Halil Oktay and Cosmin Truta.)
* Fixed CVE-2026-33636 (high severity):
Out-of-bounds read/write in the palette expansion on ARM Neon.
(Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.)
* Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers.
(Contributed by Halil Oktay.)
* Fixed stale `info_ptr->palette` after in-place gamma and background
transforms.
* Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path.
(Contributed by Yuelin Wang.)
* Fixed wrong background color in colormap read.
(Contributed by Yuelin Wang.)
* Fixed dead loop in sPLT write.
(Contributed by Yuelin Wang.)
* Added missing null pointer checks in four public API functions.
(Contributed by Yuelin Wang.)
* Validated shift bit depths in `png_set_shift` to prevent infinite loop.
(Contributed by Yuelin Wang.)
* Avoided undefined behavior in library and tests.
* Deprecated the hardly-ever-tested POINTER_INDEXING config option.
* Added negative-stride test coverage for the simplified API.
* Fixed memory leaks and API misuse in oss-fuzz.
(Contributed by Owen Sanzas.)
* Implemented various fixes and improvements in oss-fuzz.
(Contributed by Bob Friesenhahn and Philippe Antoine.)
* Performed various refactorings and cleanups.
Martin Jansa [Sun, 12 Apr 2026 10:57:50 +0000 (12:57 +0200)]
apr: remove -std=gnu23 from apr_rules.mk to fix reproducibility
With the updated ax_prog_cc_for_build.m4 from
"apr: fix build with autoconf-2.73"
it now correctly detects -std=gnu23 usability on the host gcc and doesn't
try to use it e.g. with gcc-13 which doesn't support it, but that causes a
build reproducibility issue between builds on such hosts, as
CC_FOR_BUILD is included in the installed /usr/share/build-1/apr_rules.mk
https://valkyrie.yocto.io/pub/repro-fail/oe-reproducible-20260412-a5w4mcrk/packages/diff-html/
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
useradd.bbclass: allow inheriting with only USERADD_DEPENDS set
When a recipe inherits useradd and only sets USERADD_DEPENDS (to depend
on users/groups created by another recipe), without creating any
users/groups itself, the parse-time sanity check incorrectly throws a
fatal error about missing USERADD_PACKAGES.
Skip the USERADD_PACKAGES/USERADD_PARAM validation when USERADD_DEPENDS
is set but USERADD_PACKAGES is not, since the recipe only needs build
dependency tracking, not user/group creation.
gstreamer1.0-plugins-bad: Add fdkaac as a package feature
This adds support for building gstfdkaac, which is the GStreamer element
that wraps the fdk-aac AAC encoding library from Fraunhofer. fdk-aac is
available in meta-multimedia.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
weston: backport gl-shaders fix to avoid shader compiler crashes
Some GPU shader compilers do not optimize away unused YUV shader
uniforms, even when the associated code paths are unreachable. This can cause
Weston to hit assertion failures at runtime on non-Mesa platforms, despite
working correctly on Mesa-based drivers.
Backport the upstream gl-shaders fix to restore stable behavior across
GPU drivers.
oe-selftest/cpp-example: fix conf file ownership with static UIDs/GIDs
test_devtool_ide_sdk_none_qemu builds an image containing both
cmake-example and meson-example, starts a QEMU instance, then uses
devtool ide-sdk + devtool deploy-target to rebuild and redeploy each
recipe in turn. The test verifies that /etc/<recipe>.conf is owned by
the matching user both before and after each deploy cycle.
The test was failing with:
/etc/meson-example.conf not owned by user meson-example: got cmake-example
During do_install, pseudo resolves ${BPN} to a UID by looking up
/etc/passwd in the recipe's own isolated RECIPE_SYSROOT. Since the
sysroots are independent, both cmake-example and meson-example each
see themselves as the first --system user and get the same UID (e.g.
100). Both ${D} trees therefore contain files with UID 100. In the
final rootfs cmake-example is allocated UID 100 and meson-example UID
101. Files packaged for meson-example still carry UID 100, so stat
reports them as owned by cmake-example.
A pkg_postinst chown would fix the rootfs, but devtool deploy-target
is a plain tar pipe over SSH with no package-manager involvement - it
never runs pkg_postinst. Whatever UID is embedded in ${D} is what
lands on the target. Not sure how this could be fixed with dynamic UIDs.
A clean solution is to make every recipe sysroot and the final image
agree on the same UIDs from the start, i.e. static IDs.
Fix:
- Enable USERADDEXTENSION = "useradd-staticids" in _write_bb_config so
the test builds with static IDs for the duration of the test.
- Add cmake-example (UID/GID 533) and meson-example (UID/GID 534) to
meta-selftest/files/static-passwd and static-group.
- Expand the comment in cpp-example.inc's do_install to document the
static-ID requirement so future readers understand why the -o/-g
flags work correctly only under useradd-staticids.
- Fix a copy-paste error in the in-test comment (said
"meson-example.conf ... cmake-example user" for the cmake block).
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oe-selftest: devtool: use assertRegex to match test output for meson
Replace strict string matching with assertRegex to allow for flexible
whitespace in the "Fail: 0" output from meson tests. This improves test
robustness against formatting changes.
This issue was discovered with scarthgap.
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oe-selftest: devtool: GDB breakpoint after std::vector is constructed
Change the GDB breakpoint from line 55 to 56 in cpp-example.cpp so that
the std::vector constructor has already executed when GDB stops. This
ensures that inspecting the vector with GDB works as intended also with
older GDB versions (e.g. on scarthgap).
Signed-off-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This does not build on hosts with gcc <= 13, which does not have the std=gnu23
dialect option (e.g. ubuntu 24.04), especially with clang, which does not
default to gnu23 yet like gcc-15 does, so autoconf 2.73 decided to enforce the
standard with clang, which then spills into CC_FOR_BUILD as well without
this patch.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
GCC-15 has switched to using C23 by default; we have been selectively
disabling warnings as errors to get by, however with autoconf 2.72 adding
-std=gnu23 it now gets enabled for every compiler, and clang-22 is more
obedient and has dropped support for K&R C completely. db5 code has a lot
of K&R C prototypes and it starts to fail vigorously. We can not keep
working around this without uplifting the sources to be compliant with newer C
standards like C23.
Therefore pin the cflags to use the C99 standard as this package expects.
Drop the code to disable warnings as errors selectively; instead add a
fix for addressing implicit int warnings.
- 0001-gh-144787-tests-Allow-TLS-v1.2-to-be-minimum-version.patch since
it was a backport and is now included in 3.14.4.
- 0001-test_pyrepl-skip-test_pyrepl_eio.patch, the test for which was
determined flaky and dropped upstream in commit 9743d88334ad.
e9846648fd61 [RISCV] Use a vector MemVT when converting store+extractelt into a vector store. (#190107)
c55c1c1140e1 [TargetLowering] Speculative fix for a non-determinism issue between different compilers. (#190219)
151b4a3bafdd [clang-repl] Use canonical types in QualTypeToString (#190528)
0fecbff69a53 [clang] Fix issues with const/pure on varargs function. (#190252)
ae980d3b4df7 [lldb] Iterate over a copy of the ModuleList in SearchFilter (#189009)
307a11d7aa62 [Flang] Fix lowering failure for some constructs inside a CHANGE TEAM (#184342)
cd7f7379a016 [AArch64][llvm] Fix encoding for `stshh` instruction (#189588)
4250a0fc5de9 [RISCV] Fix stackmap shadow trimming NOP size for compressed targets (#189774)
da8a5b950c7d [flang] Update Flang Extension doc to reflect previous change (#188088)
0626016c5b90 [LoongArch] Implement canMergeStoresTo to avoid crash while NoImplicitFloat attribute is set (#188005)
bc44e9b80349 [Hexagon] Use __HVX_IEEE_FP__ to guard protos that need -mhvx-ieee-fp (#184422)
e6e59749af18 [Hexagon] Define __HVX_IEEE_FP__ when -mhvx-ieee-fp is enabled (#183829)
dc9d64aad7a9 [lld][COFF] Restore `lto-embed-bitcode` and `-fembed-bitcode` Bitcode Embedding Features (#188398)
8fef0fb1a2de [clang-repl] Fix C89 incompatible keywords (#189432)
7b6514cd3089 [sanitizer_common] [Darwin] Adopt _dyld_get_dyld_header (#182943)
24b53fbc67d9 [X86] Improve illegal return type handling in FastISel (#186723)
cc87fcfeef54 [AccelTable] Pre-compute entry pool offsets for DW_IDX_parent. NFC (#188915)
561944ebcbd1 [lit] Explicitly unset timer to free thread stack (#188717)
58468775a5e2 [lit] dealloc ApplyResult objects as they're waited on (#188642)
719a040bf13f [lit] Stop holding subprocess objects open in TimeoutHelper (#186712)
b8918e6248a8 [LoongArch] Fix incorrect reciprocal sqrt estimate semantics (#187621)
62b14a88906d [MC,clang] Fix -Wa,--noexecstack not emitting .note.GNU-stack (#187880)
4bae0d33b2a4 [ARM] Fix incorrect post increment from Or (#188036)
d033ffe4eeb4 [ARM] Regenerate vld2.ll test. NFC
5f04300518b5 [AArch64] Use an unknown size for memcpy ops with non-constant sizes. (#187445)
f6198f61b2bd [Hexagon] Fix truncation to boolean vector that need widening (#182528)
240f42d95f51 [Hexagon] Fix 64-bit funnel shift miscompilation with register shift amounts (#183669)
a6cd46b239c7 [Hexagon] Fix B0 macro conflict between hexagon_types.h and termios.h (#184539)
4592b0b6388d [libunwind] Fix building on OpenBSD / FreeBSD aarch64 (#188397)
cf542a3d9c00 [lldb] use the Py_REFCNT() macro instead of directly accessing member (#188161)
d40e60759077 [LoongArch] Fix incorrect indexing of incoming byval arguments in tail call eligibility check (#188006)
b68aafeb0dc1 [clang][AST] Preserve qualifiers in getFullyQualifiedType for AutoType (#187717)
55b442495879 [Clang] Fix a concept subsumption bug when template depths are adjusted (#186735)
7b593cd6c0df Bump version to 22.1.3
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Wed, 8 Apr 2026 05:57:30 +0000 (07:57 +0200)]
openssl: upgrade 3.5.5 -> 3.5.6
Release information [1]:
OpenSSL 3.5.6 is a security patch release. The most severe CVE fixed in this release is Medium.
This release incorporates the following bug fixes and mitigations:
* Fixed incorrect failure handling in RSA KEM RSASVE encapsulation. (CVE-2026-31790)
* Fixed loss of key agreement group tuple structure when the DEFAULT keyword is used in
the server-side configuration of the key-agreement group list. (CVE-2026-2673)
* Fixed potential use-after-free in DANE client code. (CVE-2026-28387)
* Fixed NULL pointer dereference when processing a delta CRL. (CVE-2026-28388)
* Fixed possible NULL dereference when processing CMS KeyAgreeRecipientInfo. (CVE-2026-28389)
* Fixed possible NULL dereference when processing CMS KeyTransportRecipientInfo. (CVE-2026-28390)
* Fixed heap buffer overflow in hexadecimal conversion. (CVE-2026-31789)
autoconf 2.73 enforces C23 and adds -std=gnu23 but it leaks it into
CC_FOR_BUILD as well, which bites on systems with GCC < 14 where this
option does not exist.
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ce1013a197 tests: fix tst-rseq with Linux 7.0
60cabd0464 riscv: Resolve calls to memcpy using memcpy-generic in early startup
02ffd413cf elf: Use dl-symbol-redir-ifunc.h instead _dl_strlen
2695314378 elf: parse /proc/self/maps as the last resort to find the gap for tst-link-map-contiguous-ldso
dd9945c0ba resolv: Check hostname for validity (CVE-2026-4438)
5c6fca0c62 resolv: Count records correctly (CVE-2026-4437)
2be6cf2e75 posix: Run tst-wordexp-reuse-mem test
305ce0b588 aarch64: Tests for locking GCS
2ee41ba6ec aarch64: Lock GCS status at startup
fa4a40c7d4 tests: aarch64: fix makefile dependencies for dlopen tests for BTI
9898ea58b5 malloc: Avoid accessing /sys/kernel/mm files
c3ceb93dc4 Add BZ 33904 entry to NEWS
911bd469f8 debug: Fix build with --enable-fortify-source=1 (BZ 33904)
48f5a05a7a nss: Missing checks in __nss_configure_lookup, __nss_database_get (bug 28940)
d6cb7ce0e9 Linux: In getlogin_r, use utmp fallback only for specific errors
140c760d71 nss: Introduce dedicated struct nss_database_for_fork type
commit - 2be6cf2e75 posix: Run tst-wordexp-reuse-mem test
Fixes Makefile dependency to ensure the testcase is executed.
Passing new testcase:
+PASS: posix/tst-wordexp-reuse-mem
commit - dd9945c0ba resolv: Check hostname for validity (CVE-2026-4438)
Adds validation for hostname parsing and introduces a regression test.
Passing new testcase:
+PASS: resolv/tst-resolv-invalid-ptr
commit - 5c6fca0c62 resolv: Count records correctly (CVE-2026-4437)
Fixes DNS answer section parsing and adds a regression test.
Passing new testcase:
+PASS: resolv/tst-resolv-dns-section
commit - 48f5a05a7a nss: Missing checks in __nss_configure_lookup, __nss_database_get (bug 28940)
Fixes null pointer dereference and improves NSS handling.
Added testcase:
UNSUPPORTED: nss/tst-nss-malloc-failure-getlogin_r
Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Tue, 31 Mar 2026 13:24:29 +0000 (14:24 +0100)]
classes/cve-check: remove class
It's been long known that the cve-check class in oe-core is not that
usable in the real world; for more details see "Future of CVE scanning
in Yocto"[1]. This mail proposed an alternative direction that included
a CVE scanning tool that can be run both during the build and afterwards,
so that periodic scans of a previously built image are possible.
Last year, Bootlin wrote sbom-cve-check[2] and I compared this to my
proposal in "Comparing cve-check with sbom-cve-check"[3], concluding
that this is likely the missing piece.
Support for sbom-cve-check has been merged into oe-core, and the
cve-check class is now obsolete. So that we don't have to maintain it for
the four-year lifecycle of the Wrynose release, delete it.
This patch also deletes the database fetcher recipes, and the test cases
that were specific to cve-check. Note that the oe.cve_check library
still exists as this is used by the SPDX classes.
classes-global/package: Ensure -src package is handled in signatures
populate_packages() will automatically insert a -src package if
PACKAGE_DEBUG_SPLIT_STYLE is "debug-with-srcpkg", even if there is no
-src package in PACKAGES. However, when the -src package is not in
PACKAGES, it is not accounted for in the task signatures, which results
in errors.
[YOCTO #16238]
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Thu, 9 Apr 2026 16:26:22 +0000 (17:26 +0100)]
classes/sbom-cve-check: add variable to control the scope of the CVE scan
Unless told otherwise, sbom-cve-check will only report on issues found
in target recipes. Whilst this is the behaviour we want for image-based
scanning, it's not the designed behaviour for recipe-based scanning.
Add a new variable SBOM_CVE_CHECK_SCAN_SCOPE that is used as the value
passed with --export-process-native. Default this to "target" so the
normal behaviour is unchanged, but set it to "both" in the
sbom-cve-check-recipe class.
Richard Purdie [Wed, 8 Apr 2026 07:13:13 +0000 (08:13 +0100)]
oeqa: Drop /git/ from our urls
Using /git/ in our urls is rather old school and not the preferred format now.
Update the urls to the preferred form even if the other ones still work.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Wed, 8 Apr 2026 06:45:09 +0000 (07:45 +0100)]
selftest/scripts: Update old git protocol references
git protocol accesses to our infrastructure are currently struggling and this
has highlighted a number of places where we're using those obsolete access forms.
Update them to use https instead of the git protocol since it is preferred
and more reliable.
The devtool test needed quoting to handle the ';' in the url. The -f option
to devtool also shows a deprecation warning so remove that.
There were internal references to git protocol urls inside the nested git
submodules test report, which means those repos need updating to use
new git revisions.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
docbook-xsl-stylesheets: Use str:replace from exslt.org to implement string.subst
Development for docbook stylesheets has moved to github, and
there are newer releases available too which include this fix; however,
for now, nearing the 6.0 release, this is the least intrusive way to move forward.
Cargo Changes:
https://doc.rust-lang.org/nightly/cargo/CHANGELOG.html#cargo-1941-2026-03-26
Fixes: CVE-2026-33055 and CVE-2026-33056
Test results:
No changes
Matt Madison [Sun, 5 Apr 2026 13:40:49 +0000 (06:40 -0700)]
systemd: fix packaging of 'run0'
The 'run0' command was introduced with systemd v256. Its
implementation is in the 'systemd-run' program, with
${bindir}/run0 installed as a symlink to that program.
However, when the upgrade to v256 was done (in commit 89b75b46371d5e9172cb496b461824d8551a2af5), the run0 symlink
wasn't packaged into systemd-extra-utils (where systemd-run
is packaged), introducing a hard RDEPENDS from systemd ->
systemd-extra-utils due to the symlink.
Fix this, and return to the softer RRECOMMENDS dependency
between systemd and systemd-extra-utils, by packaging run0
into systemd-extra-utils.
Signed-off-by: Matt Madison <matt@madison.systems> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes since 1.28.0:
* b2a3b2e: Back to development after 1.28.0
* 6ec50ef: tutorials/android: bump up ndkVersion to 29
* 4f6b36b: gst-examples/webrtc: fix error reported with android NDK 29
* 425d36f: gst-examples: webrtc: Update Rust dependencies
* dcb37e2: Release 1.28.1
* 32113a6: Back to development after 1.28.1
* 43421c2: Release 1.28.2
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes since 1.28.0
* b2a3b2e: Back to development after 1.28.0
* 835da19: modules: Remove NEWS from git which is generated from full release notes
* 201b14e: modules: remove RELEASE from git, will be generated from template on dist
* 6376a84: modules: dist common files from monorepo root
* 57be895: devtools: dots-viewer: Update Rust dependencies
* dcb37e2: Release 1.28.1
* 32113a6: Back to development after 1.28.1
* 43421c2: Release 1.28.2
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes since 1.28.0
* b2a3b2e: Back to development after 1.28.0
* 835da19: modules: Remove NEWS from git which is generated from full release notes
* 201b14e: modules: remove RELEASE from git, will be generated from template on dist
* 6376a84: modules: dist common files from monorepo root
* 012b257: rtspclientsink: don't error out when stream transport notifies timeout
* dcb37e2: Release 1.28.1
* 32113a6: Back to development after 1.28.1
* c2ef75a: rtsp-stream: Clear send_thread when it's freed
* 20d3e66: rtsp-client: Lock media when unlinking session medias
* 0882b60: gst: Fix a couple of const correctness bugs around strchr() usage
* 43421c2: Release 1.28.2
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes since 1.28.0
* b2a3b2e: Back to development after 1.28.0
* 539aaa1: python: Caps constructor has a single optional argument
* 18d4781: python: Structure constructor has a single required argument
* 6f21099: python: Add type hints for MapInfo members
* 0df78d0: python: Remove duplicated TestDoubleRange
* d4af24c: python: Add type hint for public fields
* 5f4fe17: python: int|float type is redundant and cause linter issue
* 835da19: modules: Remove NEWS from git which is generated from full release notes
* 201b14e: modules: remove RELEASE from git, will be generated from template on dist
* 7694a7d: modules: remove subproject README.md from git
* 6376a84: modules: dist common files from monorepo root
* dcb37e2: Release 1.28.1
* 32113a6: Back to development after 1.28.1
* c43f2b2: python: Add item type annotation to Iterator class
* 49ca53f: python: Make Gst.Bin iterable
* 43421c2: Release 1.28.2
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes since 1.28.0
* b2a3b2e: Back to development after 1.28.0
* be2f846: avviddec: Allow stride changes for some decoders
* f0bfd0c: avviddec: Handle field/order changes in mixed interlace mode
* f717c6e: avviddec: Simplify picture_changed helper function
* 0f77771: gst: fix author name: add missing closing angle bracket
* d125725: gst: also adapt author names in the gst_plugins_cache.json files
* 92ba6c2: avviddec: Don't increment the AVCodecContext frame counter
* 529e7a6: avauddec: Don't increment the AVCodecContext frame counter
* aa02005: avviddec: Forward any ready video frames on gap events
* 0a6950d: gst-libav: avvidcmp: set colorimetry on AVFrame
* adc82d2: libav: Don't process lines that won't be outputted
* 835da19: modules: Remove NEWS from git which is generated from full release notes
* 201b14e: modules: remove RELEASE from git, will be generated from template on dist
* 7694a7d: modules: remove subproject README.md from git
* 6376a84: modules: dist common files from monorepo root
* 60c9be9: avviddec: Simplify conditional code in context handling
* b6fbaaf: avviddec: Improve renegotiation debug message
* d94518f: avviddec: Fix handling of mixed interlaced content
* dcb37e2: Release 1.28.1
* 32113a6: Back to development after 1.28.1
* 80cd0ee: avviddec: Refcount codec frame associated with video frame
* 43421c2: Release 1.28.2
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>