Vulnerability in the MySQL Client product of Oracle MySQL (component:
Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.41,
8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low
privileged attacker with network access via multiple protocols to compromise
MySQL Client. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all MySQL Client
accessible data as well as unauthorized update, insert or delete access to
some of MySQL Client accessible data. CVSS 3.1 Base Score 5.9 (Confidentiality
and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N).
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-30722
Upstream-patch:
https://github.com/MariaDB/server/commit/6aa860be27480db134a3c71065b9b47d15b72674
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This removes false positive CVE-2024-21485 from cve reports.
$ sqlite3 nvdcve_2-2.db
sqlite> select * from products where product = 'dash';
CVE-2009-0854|dash|dash|0.5.4|=||
CVE-2024-21485|plotly|dash|||2.13.0|<
CVE-2024-21485|plotly|dash|2.14.0|>=|2.15.0|<
Our dash:dash did not reach major version 1 yet.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e1427013e0)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The vendored argon library comes with Apache-2.0 or CC0
license, which hasn't been indicated in the license variable.
This change fixes this.
Reported-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The run-ptest script had incorrect output: instead of PASS/FAIL, it
is outputting OK/FAILED - that cannot be interpreted by the logparser.
This patch sets the correct run-ptest output.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Setting the RDEPENDS with "=" erased the base dependencies
(notably ${PN} itself) from the list, making the tests fail, unless
the dependencies were installed explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The recipe inherits the ptest class, however installs no tests nor
run-ptest script.
This change rectifies this.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The original content of the ptest package, manette-test, is a helper demo
application (like evtest), and not a test suite. Also, the recipe did not
provide a run-ptest script.
Fix it by installing the actual tests, and adding a run-ptest script.
Note that the test folder structure looks like a gnome desktop test suite
(and the application is under the gnome umbrella), however the project
doesn't provide all necessary scaffolding for gnome-desktop-test to work, so
the tests are executed directly from the run-ptest script.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Some files are not installed with the testsuite, making it fail.
Both of these were fixed upstream, however only one patch applies cleanly.
The other is fixed with a single "install" command.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The test cases in jemalloc require the appropriate value to be exported
to MALLOC_CONF, which is stored in shell scripts.
The privious script just ran the test cases without exporting value, causing
the tests to fail.
Include the missing shell scripts, and source them before running the test
cases now.
Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b3274b4e90)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
All the ptest cases are failed since error "+++ Can't Determine Endianness",
update the regex for matching the endianness to fix this issue.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 6de9b46cc7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The run-ptest script was trying to call test_align executable, which
doesn't exist (anymore?).
Instead align more to master branch, and execute the selftests themselves.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The recipe has inherited the ptest class, however it did not install
not execute any tests.
This change installs the tests and add a script to execute them.
The tests are quick, execution takes single digit seconds.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The recipe has inherited the ptest class, however it did not install
not execute any tests.
This change installs the tests and add a script to execute them.
The tests are quick, execution takes single digit seconds.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The recipe inherits the ptest class, however it doesn't install
the actual tests, nor executes them.
This change installs the tests, and add a run-ptest script to
execute them also.
The tests are fairly quick, it takes single digit seconds on my
machine to execute.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Poppler ia a library for rendering PDF files, and examining or
modifying their structure. A use-after-free (write) vulnerability
has been detected in versions Poppler prior to 25.10.0 within the
StructTreeRoot class. The issue arises from the use of raw pointers
to elements of a `std::vector`, which can lead to dangling pointers
when the vector is resized. The vulnerability stems from the way that
refToParentMap stores references to `std::vector` elements using raw
pointers. These pointers may become invalid when the vector is resized.
This vulnerability is a common security problem involving the use of
raw pointers to `std::vectors`. Internally, `std::vector `stores its
elements in a dynamically allocated array. When the array reaches its
capacity and a new element is added, the vector reallocates a larger
block of memory and moves all the existing elements to the new location.
At this point if any pointers to elements are stored before a resize
occurs, they become dangling pointers once the reallocation happens.
Version 25.10.0 contains a patch for the issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-52885
Upstream patch:
https://gitlab.freedesktop.org/poppler/poppler/-/commit/4ce27cc826bf90cc8dbbd8a8c87bd913cccd7ec0
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This will remove false-positive CVE-2024-50655 from reports.
There are different emlog components from other vendors around.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d8d45d9093)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
These CVEs are for iperf3 - which is a similar application in its goals (and name),
but an independent project from this, and the projects are independent implementations
also, they share no common code.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit aedf74e082)
Reworked for Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE))
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Peter Marko
Gyorgy Sarvari
Divya Chellam
Praveen Kumar
Khem Raj
Wentao Zhang
Changqing Li
Vijay Anusuri
Yogita Urade
Saravanan
Ninette Adhikari
Soumya Sambu
virendra thakur
Sana Kazi