Backport a patch to fix CVE-2025-0838
CVE-2025-0838:
There exists a heap buffer overflow vulnerability in Abseil-cpp. The sized
constructors, reserve(), and rehash() methods of
absl::{flat,node}_hash_{set,map} did not impose an upper bound on their
size argument. As a result, it was possible for a caller to pass a very
large size that would cause an integer overflow when computing the size
of the container's backing store, and a subsequent out-of-bounds memory
write. Subsequent accesses to the container might also access
out-of-bounds memory. We recommend upgrading past commit
5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-0838
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
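
The size-computation overflow described in the CVE text above, as an added C++ example that is not part of the commit or of Abseil's code. It assumes a simplified backing-store layout (a fixed header plus one slot per element); all names and constants are hypothetical.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>

// Assumption: simplified model of a hash table backing store,
// not Abseil's real layout: fixed header + capacity * slot_size.
constexpr std::size_t kHeaderBytes = 16;
constexpr std::size_t kSlotSize = 16;

// Constructed input: the smallest capacity for which capacity * 16
// wraps around to 0 in size_t arithmetic.
constexpr std::size_t kHugeCapacity =
    std::numeric_limits<std::size_t>::max() / kSlotSize + 1;

// Unchecked: unsigned multiplication wraps silently, so a huge
// capacity can yield a tiny byte count for the allocation.
std::size_t naive_alloc_bytes(std::size_t capacity, std::size_t slot_size) {
    return kHeaderBytes + capacity * slot_size;
}

// Checked: imposes an upper bound on capacity before multiplying.
// Returns false when the byte count cannot be represented.
bool checked_alloc_bytes(std::size_t capacity, std::size_t slot_size,
                         std::size_t* out) {
    constexpr std::size_t kMax = std::numeric_limits<std::size_t>::max();
    if (slot_size == 0) return false;
    if (capacity > (kMax - kHeaderBytes) / slot_size) return false;
    *out = kHeaderBytes + capacity * slot_size;
    return true;
}

int main() {
    // The container believes it has kHugeCapacity slots, but only
    // naive_alloc_bytes() bytes would be allocated: any slot write
    // past the header lands outside the buffer.
    std::printf("requested capacity: %zu slots\n", kHugeCapacity);
    std::printf("naive allocation:   %zu bytes\n",
                naive_alloc_bytes(kHugeCapacity, kSlotSize));

    std::size_t bytes = 0;
    bool ok = checked_alloc_bytes(kHugeCapacity, kSlotSize, &bytes);
    std::printf("checked allocation: %s\n", ok ? "accepted" : "rejected");
    return 0;
}
```
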
Drop 0001-Export-of-internal-Abseil-changes.patch, it's already upstream
forward port abseil-ppc-fixes.patch
Changes in this release are
absl::Cord is now implemented as a b-tree. The new implementation offers improved performance in most workloads.
absl::SimpleHexAtoi() has been added to strings library for parsing hexadecimal strings.
Details here [1]
[1] https://github.com/abseil/abseil-cpp/releases/tag/20211102.0
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This patch updates SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls as generated by the conversion script
in OE-Core.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Newer gcc (gcc11) will be defaulting to c++17 and abseil currently
needs work to get working with c++17, so pin to c++14 until upstream
gets it working with c++17
Signed-off-by: Khem Raj <raj.khem@gmail.com>
abseil's cmake files can now detect execinfo's presence before depending
on it, therefore no need to link with libexecinfo on musl now
Signed-off-by: Khem Raj <raj.khem@gmail.com>
While better hardware acceleration is definitely advantageous, there is no
hard requirement defined by the upstream. Removing this will allow
builds targeting older hardware where DEFAULTTUNE can't be changed. If
found useful, this can also be backported to lower branches.
Signed-off-by: Anatol Belski <anbelski@linux.microsoft.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Most patches have been upstreamed and accepted.
We can drop the -fPIC patch and pass BUILD_SHARED_LIBS instead.
Signed-off-by: Clément Péron <peron.clem@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Needed for execinfo to work
Fixes
absl/debugging/internal/stacktrace_generic-inl.inc:14:10: fatal error: 'execinfo.h' file not found
^~~~~~~~~~~~
1 error generated.
Signed-off-by: Khem Raj <raj.khem@gmail.com>