Michael Arndt [Fri, 17 Apr 2026 20:07:09 +0000 (22:07 +0200)]
sstate: Fail on file systems without hard link support
The sstate can only work reliably when the file system has support for hard
links. Previously this error was silenced, now the build fails and the user is
informed about the problem.
Signed-off-by: Michael Arndt <michael@rndt.dev>
CC: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Peter Marko [Thu, 16 Apr 2026 22:25:26 +0000 (00:25 +0200)]
cve-exclusions: set status for CVE-2025-71145
cvelistV5 tracks hashes instead of versions.
Same hashes are also present in NVD links.
Checking those hashes, fix is already available in linux-yocto.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
devtool-source: set S variable to a sub dir of UNPACKDIR
If a recipe sets UNPACKDIR to a directory that is not contained within
WORKDIR, before this modification, this generates the following error:
"S should be set relative to UNPACKDIR."
S should not be updated, otherwise the recipe may not find the extracted
sources. In all recipes, S should reference the UNPACKDIR variable.
There is an exception for the kernel to prevent infinite recursion
when expanding the STAGING_KERNEL_DIR variable.
So, only update UNPACKDIR to be within the DEVTOOL_TEMPDIR directory.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Peter Marko [Wed, 15 Apr 2026 12:43:06 +0000 (14:43 +0200)]
go: skip recipe instead of throwing fatal error on unknown architectures
Current code means that a layer which contains a golang recipe cannot
even be parsed for a machine which is not in the supported golang
architectures. Skipping the golang recipes instead of throwing a fatal
error is much friendlier and lets machines without golang support
co-exist in a layer with golang recipes.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Ross Burton [Fri, 17 Apr 2026 16:06:55 +0000 (17:06 +0100)]
python3: prefer valid dists when searching for entry points
When bitbake regenerates a sysroot due to upgrades it will remove any
previously installed files but keep the directories. This can result in
site-packages containing:
setuptools/ <-- the actual Python code
setuptools-82.0.0.dist-info <-- empty metadata directory
setuptools-82.0.1.dist-info <-- populated metadata directory
When importlib_metadata.entry_points() iterates the distributions it
will take the list of dists *in on-disk order* and then remove
duplicates. If the empty directory comes first in the unsorted directory
listing then that is the only one that is returned.
This eventually results in mysterious errors from setuptools:
error: invalid command 'egg_info'
Solve this by sorting the distribution list so that valid dists are
first.
[ YOCTO #16235 ]
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
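The failure mode above (an empty, stale dist-info directory winning the de-duplication because of on-disk order) can be reproduced and checked outside BitBake. The following is an added example written for this page, not the python3 patch itself: the helper names (dist_info_dirs, is_valid_dist, prefer_valid_dists, first_per_project, stale_dist_infos, demo) are this example's own, and demo() builds a constructed site-packages layout in a temporary directory that mirrors the setuptools case described in the commit message.

```python
# Added example for this page: ordering dist-info directories so that populated
# metadata wins over stale, empty directories left behind by a sysroot regeneration.
# Not OE-core code; a stand-in for the sorting the python3 patch performs.
import tempfile
from pathlib import Path


def dist_info_dirs(site_packages):
    """All *.dist-info directories under site_packages, in whatever order the OS lists them."""
    root = Path(site_packages)
    return [p for p in root.iterdir() if p.is_dir() and p.name.endswith(".dist-info")]


def is_valid_dist(path):
    """A dist-info directory is only usable when its METADATA file exists and is non-empty."""
    meta = Path(path) / "METADATA"
    return meta.is_file() and meta.stat().st_size > 0


def prefer_valid_dists(paths):
    """Stable sort putting valid dists first, so a later 'first one wins' de-duplication
    keeps a populated directory regardless of directory listing order."""
    return sorted(paths, key=lambda p: not is_valid_dist(p))


def first_per_project(paths):
    """Mimic the de-duplication: keep the first dist-info seen for each project name.
    The project name is the part before the first '-' (dist-info names are normalised)."""
    seen = {}
    for p in paths:
        name = p.name[: -len(".dist-info")].split("-", 1)[0]
        seen.setdefault(name, p)
    return seen


def stale_dist_infos(site_packages):
    """Names of dist-info directories with no usable METADATA: the symptom to look for
    in a sysroot after an upgrade."""
    return sorted(p.name for p in dist_info_dirs(site_packages) if not is_valid_dist(p))


def demo():
    """Constructed layout reproducing the setuptools case from the commit message.
    Returns (ordered dist-info names, stale dist-info names, winner after de-duplication)."""
    with tempfile.TemporaryDirectory() as tmp:
        sp = Path(tmp)
        (sp / "setuptools").mkdir()                        # the actual Python code
        (sp / "setuptools-82.0.0.dist-info").mkdir()       # empty metadata directory (stale)
        good = sp / "setuptools-82.0.1.dist-info"          # populated metadata directory
        good.mkdir()
        (good / "METADATA").write_text(
            "Metadata-Version: 2.1\nName: setuptools\nVersion: 82.0.1\n")
        ordered = prefer_valid_dists(dist_info_dirs(sp))
        winner = first_per_project(ordered)["setuptools"].name
        return [p.name for p in ordered], stale_dist_infos(sp), winner


if __name__ == "__main__":
    print(demo())
```

Running stale_dist_infos() against a real sysroot's site-packages directory is a quick way to confirm whether this is the cause of an "invalid command 'egg_info'" style error before digging into setuptools itself.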
image_types: catch exception if no CONVERSION_CMD is defined
When a new conversion type is defined, BitBake assumes
that CONVERSION_CMD: is defined for the type, so it gets
the variable which returns NoneType if it is not defined.
That generates the following exception which may not be clear
for some:
--
ERROR: /../techleef-image.bb: Error executing a python function in <code>:
The stack trace of python calls that resulted in this exception/failure was:
File: '<code>', lineno: 16, function: <module>
0012:__anon_117__.._recipe_populate_sdk_base_bbclass(d)
0013:__anon_427__.._recipe_populate_sdk_base_bbclass(d)
0014:__anon_131__.._recipe_image_bbclass(d)
0015:__anon_187__.._recipe_image_bbclass(d)
*** 0016:__anon_535__.._recipe_image_bbclass(d)
0017:__anon_44__.._recipe_rootfs_ipk_bbclass(d)
0018:__anon_191__.._recipe_siteinfo_bbclass(d)
0019:__anon_17__.._recipe_license_image_bbclass(d)
0020:__anon_206__.._recipe_image_types_wic_bbclass(d)
File: '/../image.bbclass', lineno: 501, function: __anon_535__.._recipe_image_bbclass
0497: if original_type not in alltypes:
0498: rm_tmp_images.add(localdata.expand("${IMAGE_NAME}.${type}"))
0499:
0500: for bt in basetypes[t]:
*** 0501: gen_conversion_cmds(bt)
0502:
0503: localdata.setVar('type', realt)
0504: if t not in alltypes:
0505: rm_tmp_images.add(localdata.expand("${IMAGE_NAME}.${type}"))
File: '/../image.bbclass', lineno: 490, function: gen_conversion_cmds
0486: type = type[8:]
0487: # Create input image first.
0488: gen_conversion_cmds(type)
0489: localdata.setVar('type', type)
*** 0490: cmd = "\t" + localdata.getVar("CONVERSION_CMD:" + ctype)
0491: if cmd not in cmds:
0492: cmds.append(cmd)
0493: vardeps.add('CONVERSION_CMD:' + ctype)
0494: subimage = type + "." + ctype
Exception: TypeError: can only concatenate str (not "NoneType") to str
ERROR: Parsing halted due to errors, see error messages above
--
Fail with human readable error if no CONVERSION_CMD is defined for
any defined subtype.
Signed-off-by: Talel BELHAJ SALEM <bhstalel@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Fri, 17 Apr 2026 17:28:57 +0000 (19:28 +0200)]
create-spdx-3.0: rerun do_create_recipe_spdx on patch changes
Valkyrie patchmetrics from 2026-04-17 is showing two CVEs where patches
were merged the day before (2026-04-16) - inetutils/CVE-2026-32746 and
re2c/CVE-2026-2903.
The root cause is that the CVE patches are evaluated in task
do_create_recipe_spdx which does not have any dependency on SRC_URI nor
content of the patches, so it is taken from sstate-cache which contains
old (stale) data.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oe/spdx30_task: Prevent duplication of sources in hasInput rel
If the debug_sources are already inside the build_inputs, we must not
add them again, otherwise, the source files are going to be referenced
multiple times inside the hasInput relationship.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oe/spdx30_task: Add status notes to VEX relationship
Without the status note, we are losing the reason why the CVE is
considered vulnerable or fixed.
The information provided in CVE_STATUS is otherwise lost.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oe/sbom30: Remove unneeded oe.sbom30. to reference local symbol
The class OEDocumentExtension is declared within the sbom30.py file.
There is no need to use its full package path to reference it.
Same for get_element_link_id() function.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Thu, 16 Apr 2026 10:30:57 +0000 (11:30 +0100)]
glib-networking: backport fix for CVE-2026-2574
CVE-2026-2574:
Affected versions of this package are vulnerable to Out-of-bounds Read
via improper handling of certificate authority data in the OpenSSL
backend. An attacker can cause application crashes and potentially
disclose limited heap memory by enticing a client to connect to a
malicious TLS server that advertises a specially crafted client-CA
list.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Jörg Sommer [Thu, 16 Apr 2026 16:38:13 +0000 (18:38 +0200)]
run-postinsts: Replace which by command -v
The command *which* can be provided by the packages which, debianutils,
busybox, or zsh. But if none of these are installed, the call fails. The
POSIX way to check for a command is `command -v`, suppressing its output in
case of success.
Signed-off-by: Jörg Sommer <joerg.sommer@navimatix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Haiqing Bai [Wed, 15 Apr 2026 06:51:04 +0000 (06:51 +0000)]
libxml-parser-perl: patch CVE-2006-10003
XML::Parser versions through 2.47 for Perl has an off-by-one
heap buffer overflow in st_serial_stack. In the case
(stackptr == stacksize - 1), the stack will NOT be expanded.
Then the new value will be written at location (++stackptr),
which equals stacksize and therefore falls just outside the
allocated buffer. The bug can be observed when parsing an
XML file with very deep element nesting.
oeqa/sdk: Default to https git protocol for YP/OE repos
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/files/layers.example.json: switch to https clone URIs
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oeqa/selftest/devtool-test-git-gitsm: Default to https git protocol for YP/OE repos
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Use ";protocol=https" for the parent git submodule and, also, update the
SRCREV to point to a commit where submodules are reference through a
https:// URL instead of a git:// one.
Update the expected output of the archiver test.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oeqa/selftest/git-submodule-test: Default to https git protocol for YP/OE repos
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Use ";protocol=https" for the parent git submodule and, also, update the
SRCREV to point to a commit where submodules are reference through a
https:// URL instead of a git:// one.
Update the expected output of the archiver test.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
scripts: Default to https git protocol for YP/OE repos
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
build-appliance-image: switch SRC_URI to https protocol
Following up on commit 139102a73d41 ("recipes: Default to https git protocol where possible"),
> The recommendation from server maintainers is that the https protocol
> is both faster and more reliable than the dedicated git protocol at this point.
> Switch to it where possible.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oeqa/selftest/incompatible_lic: add wayland feature check for test needing it
When run with a distro without 'wayland' DISTRO_FEATURES:
2026-04-14 17:42:00,568 - oe-selftest - INFO - FAIL: test_core_image_full_cmdline_weston (incompatible_lic.NoGPL3InImagesTests.test_core_image_full_cmdline_weston)
2026-04-14 17:42:00,568 - oe-selftest - INFO - ----------------------------------------------------------------------
2026-04-14 17:42:00,568 - oe-selftest - INFO - Traceback (most recent call last):
File ".../openembedded-core/meta/lib/oeqa/selftest/cases/incompatible_lic.py", line 153, in test_core_image_full_cmdline_weston
bitbake('core-image-full-cmdline core-image-weston')
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
AssertionError: Command 'bitbake core-image-full-cmdline core-image-weston' returned non-zero exit status 1:
...
ERROR: Nothing PROVIDES 'core-image-weston'
core-image-weston was skipped: using DISTRO 'nodistro', which is missing required DISTRO_FEATURES: 'wayland'
This is caused by core-image-weston being skipped because it needs the
wayland DISTRO_FEATURES.
Note that this is not seen in testing because nodistro has wayland
enabled by default since 2e1e7c86064 (bitbake.conf: Enable opengl ptest multiarch wayland vulkan in DISTRO_FEATURES by default, 2026-02-21)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Thu, 16 Apr 2026 10:30:59 +0000 (11:30 +0100)]
libsoup: mark CVEs which have been resolved upstream
These issues have all been fixed in the 3.6.6 release that we have, but
the CPEs are unversioned. I've contacted NIST to update the database but
until that happens we can mark them as fixed.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Thu, 16 Apr 2026 10:30:58 +0000 (11:30 +0100)]
libsoup: actually apply patches for CVE-2025-32049 and CVE-2026-1539
The patches were added to SRC_URI before inheriting gnomebase, which
does SRC_URI = "...". This means the patches were never actually part of
SRC_URI, so never applied.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upgrade the firmware package to the latest release. Add qupv3fw
firmware for qcs615 and shikra, add adreno, audio and compute
package for DELL XPS13 9345, add audioreach firmware for Glymur
and arduino monza, add ISH firmware for Intel Wildcat Lake platform,
add lenovo ish firmware for X9-15 2025, X1 Carbon (Gen 14) and
X1 2-in-1 (Gen 11).
oeqa/selftest/sstatetests: add wayland feature check for test needing it
When run with a distro without 'wayland' DISTRO_FEATURES:
2026-04-14 17:42:00,568 - oe-selftest - INFO - FAIL: test_sstate_32_64_same_hash (sstatetests.SStateHashSameSigs.test_sstate_32_64_same_hash)
2026-04-14 17:42:00,568 - oe-selftest - INFO - ----------------------------------------------------------------------
2026-04-14 17:42:00,568 - oe-selftest - INFO - Traceback (most recent call last):
File ".../openembedded-core/meta/lib/oeqa/selftest/cases/sstatetests.py", line 407, in test_sstate_32_64_same_hash
self.sstate_hashtest("i686")
~~~~~~~~~~~~~~~~~~~~^^^^^^^^
File ".../openembedded-core/meta/lib/oeqa/core/decorator/__init__.py", line 35, in wrapped_f
return func(*args, **kwargs)
File ".../openembedded-core/meta/lib/oeqa/selftest/cases/sstatetests.py", line 371, in sstate_hashtest
bitbake("core-image-weston -S none")
~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
...
AssertionError: Command 'bitbake core-image-weston -S none' returned non-zero exit status 1:
...
ERROR: Nothing PROVIDES 'core-image-weston'
core-image-weston was skipped: using DISTRO 'nodistro', which is missing required DISTRO_FEATURES: 'wayland'
This is caused by core-image-weston being skipped because it needs the
wayland DISTRO_FEATURES.
Note that this is not seen in testing because nodistro has wayland
enabled by default since 2e1e7c86064 (bitbake.conf: Enable opengl ptest multiarch wayland vulkan in DISTRO_FEATURES by default, 2026-02-21)
Ross Burton [Tue, 14 Apr 2026 16:15:30 +0000 (17:15 +0100)]
glib-networking: backport fixes for CVE-2025-60018 and CVE-2025-60019
CVE-2025-60018:
glib-networking's OpenSSL backend fails to properly check the return
value of a call to BIO_write(), resulting in an out of bounds read.
CVE-2025-60019:
glib-networking's OpenSSL backend fails to properly check the return
value of memory allocation routines. An out of memory condition could
potentially result in writing to an invalid memory location.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns4_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns6_gethostbyaddr_r' failed: symbol not defined
| aarch64-yoe-linux-ld.lld: error: version script assignment of 'NSSMDNS_0' to symbol '_nss_mdns_minimal_gethostbyaddr_r' failed: symbol not defined
weston-init: set require-outputs=none to allow startup without connected display
By default, Weston exits at startup if no output connector is reported
as connected by the DRM subsystem. On platforms where displays are
connected after boot via HPD (Hot Plug Detect), this causes the weston
service to be killed during early boot and remain down until manually
restarted.
Setting require-outputs=none in the [core] section instructs Weston to
start and remain running even when no connector is active at boot time.
When a display is subsequently hotplugged and HPD is asserted, Weston
automatically picks up the new connector and brings up the output without
requiring a service restart.
kernel-fit-image: Fix support for initramfs multiconfig
In the transition from kernel-fitimage.bbclass a fix for initramfs
multiconfig was partly reverted, maybe because the default value for
INITRAMFS_DEPLOY_DIR_IMAGE is only set in kernel.bbclass and therefore
not accessible in kernel-fit-image.bbclass.
This fix introduces INITRAMFS_DEPLOY_DIR_IMAGE in kernel-fit-image.bbclass,
so initramfs multiconfig works as expected.
LLD is stricter with version scripts
This is a classic LLD vs GNU ld compatibility issue with
version scripts. LLD is stricter than GNU ld — by default
it treats unmatched version script symbols as hard
errors, whereas GNU ld silently ignores them.
What's happening is that the version script
e.g. map.pa, declares symbols like pa_glib_mainloop_new
under PULSE_0, but those symbols aren't being compiled
into the current library target.
Sunil Dora [Mon, 13 Apr 2026 07:04:57 +0000 (00:04 -0700)]
rust: enable fully static linking with TCLIBC=musl
Fixes [YOCTO #16076]
Rust binaries built with TCLIBC=musl and
-C target-feature=+crt-static were still dynamically linked.
Fix this by addressing three issues:
1) Set crt-static-respected in the generated musl target spec
so rustc honors +crt-static. [1]
2) Add the target sysroot library path to the linker flags so
libunwind.a can be found.
3) Use LLVM libunwind for musl:
- GNU libunwind does not provide static libraries in OE
and lacks required _Unwind_* symbols on some architectures [2]
- libgcc_eh depends on pthread and cannot be used for fully
static linking with musl
- LLVM libunwind provides the required symbols without
additional dependencies
Install LLVM libunwind from libcxx and switch libstd-rs
to depend on libcxx for musl.
Also remove the obsolete DEPENDS:remove:riscv32/riscv64 = "libunwind"
lines added in 2021 when riscv musl support was still being patched.
LLVM libunwind supports both riscv32 and riscv64 - verified locally.
riscv32 support was upstreamed at [3].
Add a selftest to verify that produced binaries are statically linked.
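The selftest mentioned in the last line needs a way to decide that a produced binary really is statically linked. The following is an added example written for this page, not the selftest the commit adds and not OE-core code: it reads the ELF program header table and reports whether the file requests a dynamic loader (PT_INTERP) or carries a dynamic linking segment (PT_DYNAMIC); "fully static" here means neither is present. The helper names (program_header_types, needs_interpreter, has_dynamic_segment, is_fully_static, is_fully_static_file, build_sample_elf64) are this example's own, and build_sample_elf64() fabricates a header-only ELF64 image so the check can be exercised offline. One caveat worth keeping in mind when writing such a test: a static-pie executable keeps a PT_DYNAMIC segment for its own relocations while having no PT_INTERP, so a test must be explicit about which of the two conditions it requires.

```python
# Added example for this page: header-level check that an ELF executable is fully static.
# Illustrative code, not the selftest from the rust/musl commit.
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def _formats(data):
    """Return (ehdr_fmt, phdr_fmt) struct formats for the file's class and byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elf_class, encoding = data[4], data[5]          # EI_CLASS, EI_DATA
    byte_order = {1: "<", 2: ">"}.get(encoding)
    if byte_order is None or elf_class not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    if elf_class == 2:                               # ELF64: 64-byte header, 56-byte phdrs
        return byte_order + "16sHHIQQQIHHHHHH", byte_order + "IIQQQQQQ"
    return byte_order + "16sHHIIIIIHHHHHH", byte_order + "IIIIIIII"   # ELF32: 52 / 32 bytes


def program_header_types(data):
    """p_type of every program header, in table order."""
    ehdr_fmt, phdr_fmt = _formats(data)
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    if e_phentsize < struct.calcsize(phdr_fmt):
        raise ValueError("program header entries too small for this ELF class")
    # p_type is the first field of a program header in both ELF32 and ELF64.
    return [struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)[0]
            for i in range(e_phnum)]


def needs_interpreter(data):
    """True when the binary asks for a dynamic loader (PT_INTERP present)."""
    return PT_INTERP in program_header_types(data)


def has_dynamic_segment(data):
    """True when a PT_DYNAMIC segment is present (dynamic executable, shared object, or static-pie)."""
    return PT_DYNAMIC in program_header_types(data)


def is_fully_static(data):
    """Neither an interpreter request nor a dynamic segment: what +crt-static is expected to give."""
    kinds = set(program_header_types(data))
    return PT_INTERP not in kinds and PT_DYNAMIC not in kinds


def is_fully_static_file(path):
    with open(path, "rb") as f:
        return is_fully_static(f.read())


def build_sample_elf64(ptypes):
    """Constructed little-endian x86-64 ELF image made of headers only: enough for this check.
    Segment offsets and sizes are zero because nothing here inspects segment contents."""
    ehsize, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class 64, LE, version 1, SysV ABI
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0x401000,
                       ehsize, 0, 0, ehsize, phentsize, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000) for t in ptypes)
    return ehdr + phdrs


if __name__ == "__main__":
    for path in sys.argv[1:] or [sys.executable]:
        verdict = "fully static" if is_fully_static_file(path) else "needs dynamic linking"
        print(path, verdict)
```

Pointing the script at a target binary from the build (for example the output of a musl Rust recipe) gives the same answer as reading the "INTERP" and "DYNAMIC" rows of readelf -l, without depending on a host readelf.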
Martin Jansa [Fri, 10 Apr 2026 08:26:54 +0000 (10:26 +0200)]
dbus: use ${PN} in pkg_postinst instead of 'dbus'
All pkg_postinst in oe-core where the package name matches the recipe
name use ${PN} already.
We have a bbclass used by some recipes which does:
pkg_postinst:${PN}:append()
which works reasonably well for most of the recipes, except for dbus
where it causes:
oe-pkgdata-util: improve lookup-pkg error for RPROVIDES packages
When a package is not found by 'oe-pkgdata-util lookup-pkg', the error
message provides no guidance on what went wrong or where to look.
Improve the error message by checking the runtime-rprovides directory
for the missing package. If the package exists in RPROVIDES:
- If the provider package was generated, suggest looking up the actual
package name instead.
- If the provider package was not generated (e.g. empty package or
disabled by PACKAGECONFIG), inform the user which recipe provides it
and that it was not generated.
This helps users quickly identify the correct package name or
understand why a package is missing from their build.
Before:
ERROR: The following packages could not be found: eglibc
After:
ERROR: eglibc is in the RPROVIDES of glibc (recipe: glibc), try
looking up 'glibc' instead
Peter Marko [Tue, 14 Apr 2026 14:32:54 +0000 (16:32 +0200)]
mpg123: set status for CVE-2006-3355
This CVE has only a CPE version, which is considered invalid:
* cpe:2.3:a:mpg123:mpg123:pre0.59s_r11:*:*:*:*:*:*:*
This means that the fixed version is unknown and thus all versions are
considered to be vulnerable.
Since the vulnerability was fixed in old version 0.59s_r11, mark it as
fixed.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
oeqa/selftest/devtool: add vulkan feature check for test needing it
When run with a distro without 'vulkan' DISTRO_FEATURES:
$ oe-selftest -r devtool.DevtoolUpdateTests.test_devtool_git_submodules
2026-04-14 14:36:57,036 - oe-selftest - INFO - test_devtool_git_submodules (devtool.DevtoolUpdateTests.test_devtool_git_submodules)
vulkan-samples is unavailable:
vulkan-samples was skipped: using DISTRO 'nodistro', which is missing required DISTRO_FEATURES: 'vulkan'
2026-04-14 14:37:13,002 - oe-selftest - INFO - ... ERROR
2026-04-14 14:37:13,002 - oe-selftest - INFO - Traceback (most recent call last):
File "/.../openembedded-core/meta/lib/oeqa/selftest/cases/devtool.py", line 1695, in test_devtool_git_submodules
self.assertIn('gitsm://', src_uri, 'This test expects the %s recipe to be a git recipe with submodules' % recipe)
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/unittest/case.py", line 1171, in assertIn
if member not in container:
^^^^^^^^^^^^^^^^^^^^^^^
TypeError: argument of type 'NoneType' is not iterable
This is caused by vulkan-samples being skipped because it needs the
vulkan DISTRO_FEATURES.
Note that this is not seen in testing because nodistro has vulkan
enabled by default since 2e1e7c86064 (bitbake.conf: Enable opengl ptest multiarch wayland vulkan in DISTRO_FEATURES by default, 2026-02-21)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Replace patches 0008 and 0033 with a single consolidated patch (0041)
that fixes native build breakage.
The original patches unconditionally changed the runtime library search
base from ResourceDir to SysRoot, which breaks native/standalone builds
where SysRoot is empty (e.g., PGO bootstrap fails to find
libclang_rt.profile.a). The new patch uses SysRoot-based paths only
during cross-compilation and falls back to the upstream default
ResourceDir for native builds.
Signed-off-by: mark.yang <mark.yang@lge.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Mon, 13 Apr 2026 21:14:46 +0000 (23:14 +0200)]
ovmf: set status for CVE-2024-1298
cvelistV5 uses full tag name (edk2-stable202405) while NVD uses only
version (202405).
Since the NVD CPE is not yet available, cvelistV5 marks it as not patched
yet because the string sorts after the version.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Wed, 15 Apr 2026 18:09:34 +0000 (20:09 +0200)]
kea: upgrade 3.0.2 -> 3.0.3
Solves CVE-2026-3608.
License-Update: copyright years refreshed
Release notes [1]:
Welcome to Kea 3.0.3, a vulnerability release of the stable 3.0 series.
This supersedes the previous release, version 3.0.2.
1. **Vulnerability**: We addressed an issue, which was assigned
CVE-2026-3608, where a large number of bracket pairs in a JSON payload
directed to any endpoint would result in a stack overflow, due to
recursive calls when parsing the JSON [#4275, #4288, #4387]. Since the
exploit does not require the JSON request to have the full syntax of a
valid command, it bypasses RBAC and the command filters on the
High-Availability endpoints.
2. **Security**: A null dereference is now no longer possible when
configuring the Control Agent with a socket that lacks the mandatory
socket-name entry [#4388, #4365].
3. **Permissions**: UNIX sockets are now created as group-writable
[#4398, #4260]. This allows users belonging to the group to send
commands to the UNIX sockets. In particular, it allows Stork 2.4.0 and
above to detect the Kea daemon.
Ross Burton [Wed, 15 Apr 2026 15:27:41 +0000 (16:27 +0100)]
rsync: always use the system zlib
There's nothing gained by adding an option to use the vendored zlib
apart from the chance of accidentally not using it, so remove the
PACKAGECONFIG and just explicitly depend on zlib.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Wed, 15 Apr 2026 20:14:42 +0000 (22:14 +0200)]
grub: set status for 6 CVEs fixed in 2.14
These CVEs were fixed in 2.14, however the Redhat CNA does not fill any
version into the CPEs.
References for fixes are in Debian security tracker:
* https://security-tracker.debian.org/tracker/CVE-2025-54770
* https://security-tracker.debian.org/tracker/CVE-2025-54771
* https://security-tracker.debian.org/tracker/CVE-2025-61661
* https://security-tracker.debian.org/tracker/CVE-2025-61662
* https://security-tracker.debian.org/tracker/CVE-2025-61663
* https://security-tracker.debian.org/tracker/CVE-2025-61664
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Tue, 14 Apr 2026 15:56:52 +0000 (16:56 +0100)]
perl: link to the system bzip2 instead of a vendored copy
The perl module Compress-Raw-Bzip2 defaults to using a vendored copy of
the bzip2 sources. We should be building perl against the system bzip2
recipe to avoid potential security issues.
This is a little fiddly in the DEPENDS as bzip2-native is assume-provided
so we need to depend on bzip2-replacement-native for the native build.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Tue, 14 Apr 2026 15:56:51 +0000 (16:56 +0100)]
perl: link to the system zlib instead of a vendored copy
The perl module Compress-Raw-Zlib defaults to using a vendored copy of
the zlib sources which has a number of CVEs. A newer version of perl
updates this to zlib 1.3.2 to resolve them, but we should be linking to
our zlib recipe instead of the vendored code.
This mitigates CVE-2026-4176 so mark it as not appropriate.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ross Burton [Tue, 14 Apr 2026 15:56:47 +0000 (16:56 +0100)]
graphene: ignore CVE-2024-1984
This CVE is for a WordPress theme called Graphene. It's likely that the
CPE for this graphene will be gnome:graphene but this hasn't been
formally documented, so exclude this one CVE for now.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Peter Marko [Wed, 15 Apr 2026 19:07:17 +0000 (21:07 +0200)]
libexif: upgrade 0.6.25 -> 0.6.26
Release notes [1]:
libexif-0.6.26 (2026-04-14):
* Security issues fixed:
* CVE-2026-40386: An unsigned integer underflow in Fuji and Olympus makernote handling
* CVE-2026-40385: An unsigned integer overflow on 32bit systems in Nikon makernote handling
* CVE-2026-32775: A buffer overwrite via integer underflow in makernote handling
Martin Jansa [Tue, 14 Apr 2026 12:42:10 +0000 (14:42 +0200)]
apr: remove space before the -std=gnu23 from apr_rules.mk
When -std=gnu23 is added to CC_FOR_BUILD, it is added with an additional
space, so we need to remove the space as well to avoid a difference between
the build where -std=gnu23 was added and then removed by sed and the build
where it wasn't added at all, like in:
https://valkyrie.yocto.io/pub/repro-fail/oe-reproducible-20260414-82oogy25/packages/diff-html/
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Richard Purdie [Tue, 14 Apr 2026 11:01:23 +0000 (12:01 +0100)]
strace: Fix reproducibility issue
With the updated ax_prog_cc_for_build.m4 CC_FOR_BUILD can include a
" -std=gnu23" option on some hosts. We don't need this on target and
it leads to a reproducibility issue, so remove it.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
StringFuncs.c: In function ‘SplitStringByWhitespace’:
StringFuncs.c:113:15: error: variable ‘Item’ set but not used [-Werror=unused-but-set-variable=]
113 | UINTN Item;
| ^~~~
- A new sample demonstrating the rasterization order attachment access extension (#1492).
- Broken documentation link to GitHub repo fixed (#1506).
- Vulkan SDK updated to 1.4.341 (#1477).
Benjamin Robin [Fri, 10 Apr 2026 13:10:46 +0000 (15:10 +0200)]
webkitgtk: Remove escaping of the plus sign in `CVE_PRODUCT`
The `+` character is now properly escaped by `cve_check.cpe_escape()`
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Benjamin Robin [Fri, 10 Apr 2026 13:10:45 +0000 (15:10 +0200)]
gtk+: Remove escaping of the plus sign in `CVE_PRODUCT`
The `+` character is now properly escaped by `cve_check.cpe_escape()`
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Benjamin Robin [Fri, 10 Apr 2026 13:10:44 +0000 (15:10 +0200)]
cve_check: do not break old CVE_PRODUCT with escaped +
For now, until all layers are fixed, replace an already escaped plus (+)
with a simple + before doing the escaping.
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Benjamin Robin [Fri, 10 Apr 2026 13:10:43 +0000 (15:10 +0200)]
cve_check: Improve escaping of special characters in CPE 2.3
According to the NISTIR 7695 specification [1], multiple characters
require escaping when using formatted strings (e.g., `cpe:2.3:...`),
which use backslash escaping. In "Figure 6-3. ABNF for Formatted String
Binding"", the characters that need escaping are referenced by "escape",
"special", and "punc". More characters must be escaped than just
`\`, `?`, `*`, `:`, and `+`.
Additionally, use `maketrans()` with `translate()`, which is more
efficient than a simple `replace()`.
Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
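The escaping rules from NISTIR 7695 that this commit and the previous "cve_check: do not break old CVE_PRODUCT with escaped +" commit describe are easy to get subtly wrong, and a wrong CPE silently drops CVE matches. The following is an added example written for this page, not OE-core's cve_check.cpe_escape(): it escapes the "escape", "special" and "punc" characters of the formatted string ABNF with a single maketrans()/translate() table, first normalising a legacy hand-escaped "\+" back to "+" so old CVE_PRODUCT values are not double-escaped, and it includes a validity check for an already-escaped component. The helper names (cpe_escape, is_valid_component, cpe23_product) are this example's own; is_valid_component deliberately accepts the wildcards "*" and "?" anywhere in a component and does not enforce the ABNF's wildcard placement rules, which is a simplification.

```python
# Added example for this page: CPE 2.3 formatted-string escaping per NISTIR 7695
# (Figure 6-3, "ABNF for Formatted String Binding"). Illustrative, not cve_check code.
import string

_ESCAPE = "\\"
_SPECIAL = "?*"                                # wildcards: unescaped they mean ANY / one char
_PUNC = "!\"#$%&'()+,/:;<=>@[]^`{|}~"          # the "punc" set from the ABNF
_NEEDS_ESCAPE = _ESCAPE + _SPECIAL + _PUNC
_UNRESERVED = set(string.ascii_letters + string.digits + "-._")   # may appear bare

# Built once: every escapable character maps to backslash + itself.
_CPE_TABLE = str.maketrans({c: _ESCAPE + c for c in _NEEDS_ESCAPE})


def cpe_escape(value):
    """Escape one component value (vendor, product, version, ...) for a formatted string.

    A legacy, already hand-escaped plus sign ("\\+") is normalised back to "+" first,
    mirroring the compatibility step for old CVE_PRODUCT values, so it is escaped exactly once.
    """
    value = value.replace("\\+", "+")
    return value.translate(_CPE_TABLE)


def is_valid_component(escaped):
    """Check an already-escaped component: each character must be unreserved, a wildcard,
    or a backslash followed by a character that is allowed to be escaped."""
    i = 0
    while i < len(escaped):
        c = escaped[i]
        if c in _UNRESERVED or c in _SPECIAL:
            i += 1
        elif c == _ESCAPE and i + 1 < len(escaped) and escaped[i + 1] in _NEEDS_ESCAPE:
            i += 2
        else:
            return False
    return True


def cpe23_product(vendor, product, version="*"):
    """Build a formatted CPE 2.3 name for an application; a bare "*" keeps its ANY meaning,
    every other value is escaped. Remaining fields are wildcarded."""
    def field(v):
        return "*" if v == "*" else cpe_escape(v)
    fields = ["a", field(vendor), field(product), field(version)] + ["*"] * 7
    return "cpe:2.3:" + ":".join(fields)


if __name__ == "__main__":
    for product in ("gtk+", "gtk\\+", "webkitgtk+", "glib-2.0", "libxml2"):
        print(product, "->", cpe_escape(product), is_valid_component(cpe_escape(product)))
    print(cpe23_product("gnome", "gtk+", "3.24.0"))
```

The is_valid_component() check is the one to run over every CVE_PRODUCT a layer sets: a bare "+" or ":" in a product name means the string will never match the NVD record it was meant to match.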
Peter Marko [Sun, 12 Apr 2026 15:03:23 +0000 (17:03 +0200)]
libpng: upgrade 1.6.55 -> 1.6.56
Release notes [1]:
* Fixed CVE-2026-33416 (high severity):
Use-after-free via pointer aliasing in `png_set_tRNS` and `png_set_PLTE`.
(Reported by Halil Oktay and Ryo Shimada;
fixed by Halil Oktay and Cosmin Truta.)
* Fixed CVE-2026-33636 (high severity):
Out-of-bounds read/write in the palette expansion on ARM Neon.
(Reported by Taegu Ha; fixed by Taegu Ha and Cosmin Truta.)
* Fixed uninitialized reads beyond `num_trans` in `trans_alpha` buffers.
(Contributed by Halil Oktay.)
* Fixed stale `info_ptr->palette` after in-place gamma and background
transforms.
* Fixed wrong channel indices in `png_image_read_and_map` RGB_ALPHA path.
(Contributed by Yuelin Wang.)
* Fixed wrong background color in colormap read.
(Contributed by Yuelin Wang.)
* Fixed dead loop in sPLT write.
(Contributed by Yuelin Wang.)
* Added missing null pointer checks in four public API functions.
(Contributed by Yuelin Wang.)
* Validated shift bit depths in `png_set_shift` to prevent infinite loop.
(Contributed by Yuelin Wang.)
* Avoided undefined behavior in library and tests.
* Deprecated the hardly-ever-tested POINTER_INDEXING config option.
* Added negative-stride test coverage for the simplified API.
* Fixed memory leaks and API misuse in oss-fuzz.
(Contributed by Owen Sanzas.)
* Implemented various fixes and improvements in oss-fuzz.
(Contributed by Bob Friesenhahn and Philippe Antoine.)
* Performed various refactorings and cleanups.
Martin Jansa [Sun, 12 Apr 2026 10:57:50 +0000 (12:57 +0200)]
apr: remove -std=gnu23 from apr_rules.mk to fix reproducibility
With the updated ax_prog_cc_for_build.m4 from
apr: fix build with autoconf-2.73
it now correctly detects -std=gnu23 usability on the host gcc and doesn't
try to use it e.g. with gcc-13 which doesn't support it, but that causes a
build reproducibility issue between builds on such hosts, as
CC_FOR_BUILD is included in the installed /usr/share/build-1/apr_rules.mk
https://valkyrie.yocto.io/pub/repro-fail/oe-reproducible-20260412-a5w4mcrk/packages/diff-html/
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
useradd.bbclass: allow inheriting with only USERADD_DEPENDS set
When a recipe inherits useradd and only sets USERADD_DEPENDS (to depend
on users/groups created by another recipe), without creating any
users/groups itself, the parse-time sanity check incorrectly throws a
fatal error about missing USERADD_PACKAGES.
Skip the USERADD_PACKAGES/USERADD_PARAM validation when USERADD_DEPENDS
is set but USERADD_PACKAGES is not, since the recipe only needs build
dependency tracking, not user/group creation.
gstreamer1.0-plugins-bad: Add fdkaac as a package feature
This adds support for building gstfdkaac, which is the GStreamer element
that wraps the fdk-aac AAC encoding library from Fraunhofer. fdk-aac is
available in meta-multimedia.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
weston: backport gl-shaders fix to avoid shader compiler crashes
Some GPU shader compilers do not optimize away unused YUV shader
uniforms, even when the associated code paths are unreachable. This can cause
Weston to hit assertion failures at runtime on non-Mesa platforms, despite
working correctly on Mesa-based drivers.
Backport the upstream gl-shaders fix to restore stable behavior across
GPU drivers.