Extend the wic selftests to cover recursive directory copying
into ext partitions.
Previously, copying a directory into an ext partition could
appear to succeed, but attempting to access the directory
contents would fail with:
-l: Ext2 inode is not a directory
This was fixed in commit 4fc3b42774 ("wic/engine: fix copying
directories into wic image with ext* partition").
This test now verifies that directories copied with "wic cp"
into an ext4 partition:
- are created with correct inode types
- can be listed recursively with "wic ls"
- preserve files and subdirectories
- can be copied back out of the image without data loss
A simple directory structure is used in this test:
wic-test-cp-ext-dir/
├── topfile.txt
└── subdir/
└── subfile.txt
(From OE-Core rev: 1e051c02bc05367d6b911ac9486403029f6f7cd8)
Signed-off-by: Daniel Dragomir <daniel.dragomir@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6de3d2602f4f4a8192d6a6040e89e814187dcf93)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
wic uses debugfs to write on ext* partitions, but debugfs can only
write to the current working directory and it cannot copy complete
directory trees. Running 'wic ls' on a copied directory show this:
-l: Ext2 inode is not a directory
Fix this by creating a command list for debugfs (-f parameter) when
recursive parsing the host directory in order to create a similar
directory structure (mkdir) and copy files (write) on each level
into the destination directory from the wic's ext* partition.
(From OE-Core rev: 67f08884b98576c06db8db01b093ebeee760aba0)
Signed-off-by: Daniel Dragomir <daniel.dragomir@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1ed38aff5f810d064c87aff9cbd310906833b6ba)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We're seeing occasional autobuilder failures with tar issues related to openat2.
It appears there are definitions missing on debian 11 and opensuse 15.5 systems
which mean the openat2 syscall intercept isn't compiled in. This then triggers
on systems using the openat2 syscall, such as alma9 where it is used in a tar
CVE fix.
This updates to include the fix from upstream pseudo (along with a compile warning
fix).
This was tested by taking sstate for pseudo-native from a debian 11 system and using
it in a build of "bitbake nativesdk-git -c install" on a alma9 system where that task
failed. After this fix, it completes.
(From OE-Core rev: 34b74540ee497e2cc89211d7aa2772097b6fa79b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2c20c05b324e5d6564c8554381019170839509bb)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Pulls in the following changes:
Makefile.in: Bump version to 1.9.3
configure: Minor code quality changes
pseudo: code quality scan - resolved various potential issues
makewrappers: improve error handling and robustness
Update COPYRIGHT files
ports/linux/pseudo_wrappers.c: Call the wrappers where possible
ports/linux/pseudo_wrappers.c: Workaround compile error on Debian 11
ports/linux/pseudo_wrappers.c: Reorder the syscall operations
ports/unix/guts/realpath.c: Fix indents
pseudo_util.c: Skip realpath like expansion for /proc on Linux
test/test-proc-pipe.sh: Add test case for proc pipes
ports/unix/guts/realpath.c: realpath fails if the resolved path doesn't exist
(From OE-Core rev: 7a05347a6418bfb6126e3a601489dc71efb0d2fc)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 524f4bbb11f9c7e0126e8bd46af217b452d48f5e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fixes [YOCTO #16128]
Backport of upstream bug fix from lighttpd-1.4.75. Version 1.4.74 introduced a bug that
would append a trailing slash to files in a directory listing. When the user attempts to
download one of these files, the web browser could not save the file with a trailing
slash. As a consequence, every web browser tested would generate a random character string
for the saved file name.
(From OE-Core rev: 797f15116901328a9a58868edeea44614dc29043)
Signed-off-by: Fred Bacon <bacon@aerodyne.com>
[Yoann: Fixed Upstream-Status: Backport URL]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Adding postprocessing script to process data from linux CNA that includes more accurate metadata and it is updated directly by the source.
Example of enhanced CVE from a report from cve-check:
{
"id": "CVE-2024-26710",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
"summary": "In the Linux kernel, the following vulnerability [...]",
"scorev2": "0.0",
"scorev3": "5.5",
"scorev4": "0.0",
"modified": "2025-03-17T15:36:11.620",
"vector": "LOCAL",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"detail": "not-applicable-config",
"description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
},
And same from a report generated with vex:
{
"id": "CVE-2024-26710",
"status": "Ignored",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
"detail": "not-applicable-config",
"description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
},
For unpatched CVEs, provide more context in the description:
Tested with 6.12.22 kernel
{
"id": "CVE-2025-39728",
"status": "Unpatched",
"link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
"summary": "In the Linux kernel, the following vulnerability has been [...],
"scorev2": "0.0",
"scorev3": "0.0",
"scorev4": "0.0",
"modified": "2025-04-21T14:23:45.950",
"vector": "UNKNOWN",
"vectorString": "UNKNOWN",
"detail": "version-in-range",
"description": "Needs backporting (fixed from 6.12.23)"
},
CC: Peter Marko <peter.marko@siemens.com>
CC: Marta Rybczynska <rybczynska@gmail.com>
(From OE-Core rev: 7637af0a94764ac0c6c4f02f383992bcb4753af0)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e60b1759c1aea5b8f5317e46608f0a3e782ecf57)
Signed-off-by: Suresh H A <suresh.ha@bmwtechworks.in>
[Yoann: Stable policy exception: This change is clearly a new feature
and thus should be rejected from stables by policy. But, since this is
contrib/ an exception can be made]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Several CVE helper functions (get_patched_cves() and decode_cve_status())
implicitly depend on the CVE_STATUS and CVE_CHECK_STATUSMAP variables, but
these were not declared in the vardeps of their callers.
On Scarthgap, the upstream fix (2cc43c72ff28aa39a417dd8d57cd7c8741c0e541)
cannot be cherry-picked cleanly, as it also requires BitBake changes.
As a workaround, explicitly add CVE_STATUS and CVE_CHECK_STATUSMAP to the
vardeps of all tasks invoking these helpers, ensuring correct task
re-execution when CVE status changes.
This keeps CVE-related metadata generation consistent without requiring
BitBake modifications.
(From OE-Core rev: 111e1f2febade3c34649f33676f7f7e7cc8e0bd0)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
git log --oneline 58cbbd43fe82910cf8ae9008351b0b0665104500..ce65d944e38a20cb70af2a48a4b8aa5d8fabe1cc
ce65d944e3 (HEAD -> release/2.39/master, origin/release/2.39/master) posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281 / BZ 33814)
831f63b94c resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
fb22fd3f5b memalign: reinstate alignment overflow check (CVE-2026-0861)
10c0bcb3d3 support: Exit on consistency check failure in resolv_response_add_name
f47dd22366 support: Fix FILE * leak in check_for_unshare_hints in test-container
4a53354eaf sprof: fix -Wformat warnings on 32-bit hosts
beb8267909 sprof: check pread size and offset for overflow
c07002038f getaddrinfo.c: Avoid uninitialized pointer access [BZ #32465]
ae5fb93559 nptl: Optimize trylock for high cache contention workloads (BZ #33704)
efff7cb659 ppc64le: Power 10 rawmemchr clobbers v20 (bug #33091)
f6becd8ae8 ppc64le: Restore optimized strncmp for power10
0daa4e46b8 ppc64le: Restore optimized strcmp for power10
28c1de6580 AArch64: Fix instability in AdvSIMD tan
03d0393343 AArch64: Optimise SVE scalar callbacks
0d05a895f1 aarch64: fix includes in SME tests
c1dc4412f8 aarch64: fix cfi directives around __libc_arm_za_disable
d60f15dc89 aarch64: tests for SME
d1d0d09e9e aarch64: clear ZA state of SME before clone and clone3 syscalls
dbe1904b7c aarch64: define macro for calling __libc_arm_za_disable
58cf4aa421 aarch64: update tests for SME
1b3bd9a9a6 aarch64: Disable ZA state of SME in setjmp and sigsetjmp
38942a336b linux: Also check pkey_get for ENOSYS on tst-pkey (BZ 31996)
c74d59a656 aarch64: Do not link conform tests with -Wl,-z,force-bti (bug 33601)
323ad087a1 x86: fix wmemset ifunc stray '!' (bug 33542)
Testing Results:
Before After Diff
PASS 4926 4921 -5
XPASS 4 4 0
FAIL 223 229 +6
XFAIL 16 16 0
UNSUPPORTED 224 224 0
Changes in failed testcases:
testcase-name before after
elf/tst-audit21 PASS FAIL
malloc/tst-malloc-too-large PASS FAIL
malloc/tst-malloc-too-large-malloc-check PASS FAIL
malloc/tst-malloc-too-large-malloc-hugetlb1 PASS FAIL
malloc/tst-malloc-too-large-malloc-hugetlb2 PASS FAIL
malloc/tst-malloc-too-large-mcheck PASS FAIL
(From OE-Core rev: a49b898ed6d571391d90cc3ba150a0421642be23)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
[Yoann: When run on the autobuilder, all those new FAIL tests are PASS:
https://valkyrie.yocto.io/pub/non-release/20260209-10/testresults/qemux86-64-tc/testresults.json]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2023-45853: Version is now higher than NVD CPE
This is a partial cherry-pick from 73ee9789183a ("recipes: cleanup
CVE_STATUS which are resolved now").
Cc: Peter Marko <peter.marko@siemens.com>
(From OE-Core rev: 2e05844a70f97399e323f967e926075428cb5233)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
To avoid false positives (such as CVE-2023-6992, cloudflare:zlib), add a
CVE_PRODUCT to identify the vendors that have been used.
Removing the present existing CVE_STATUS for CVE-2023-6992.
(From OE-Core rev: 85427d225416b3b12bf05513c9427370309b2127)
Signed-off-by: Het Patel <hetpat@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 119b775b36dfd51286493763cffb6e965893b8fd)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
curl's websocket code did not update the 32 bit mask pattern
for each new outgoing frame as the specification says. Instead
it used a fixed mask that persisted and was used throughout
the entire connection.
A predictable mask pattern allows for a malicious server to induce
traffic between the two communicating parties that could be
interpreted by an involved proxy (configured or transparent) as
genuine, real, HTTP traffic with content and thereby poison its
cache. That cached poisoned content could then be served to all
users of that proxy.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-10148
Upstream patch:
https://github.com/curl/curl/commit/84db7a9eae8468c0445b15aa806fa
(From OE-Core rev: 3793ee12d8da4f8f90a0ffcad180ef8122251491)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Python 3.14 complains about these:
Traceback (most recent call last):
File "/mnt2/zozo/yocto-5.3/bitbake/lib/bb/ui/knotty.py", line 722, in main
termfilter.updateFooter()
~~~~~~~~~~~~~~~~~~~~~~~^^
File "/mnt2/zozo/yocto-5.3/bitbake/lib/bb/ui/knotty.py", line 339, in updateFooter
lines = self.getlines(content)
File "/mnt2/zozo/yocto-5.3/bitbake/lib/bb/ui/knotty.py", line 370, in getlines
lines = lines + 1 + int(len(line) / (self.columns + 1))
~~~~~~~~~~~~~^~~
TypeError: can only concatenate str (not "int") to str
and
Traceback (most recent call last):
File "/mnt2/zozo/yocto-5.3/bitbake/lib/bb/ui/knotty.py", line 722, in main
termfilter.updateFooter()
~~~~~~~~~~~~~~~~~~~~~~~^^
File "/mnt2/zozo/yocto-5.3/bitbake/lib/bb/ui/knotty.py", line 341, in updateFooter
for tasknum, task in enumerate(tasks[:(self.rows - 1 - lines)]):
~~~~~~~~~~^~~
TypeError: unsupported operand type(s) for -: 'str' and 'int'
Make sure getting the number of rows and columns from the terminal
via the environment variables LINES and COLUMNS are returned as a
pair of integers. This matches the return value of ioctl_GWINSZ().
(Bitbake rev: 10118785e4a670bce4980e1044c0888a8b6e84af)
Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a4e0b6f8077276a0bfb9d05c759bc752a84d1f76)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Python 3.14 enforces stricter type and size checking for fcntl.ioctl()
buffer arguments. The previous code passed a short 4-byte string ('1234')
to TIOCGWINSZ, which worked by accident in older Python versions but causes
a SystemError ("buffer overflow") in 3.14.
TIOCGWINSZ expects an 8-byte (4x 16-bit) buffer corresponding to
(rows, cols, xpix, ypix). Use an 8-byte bytes literal instead and unpack
the first two values.
Tested with Python 3.11, 3.13, and 3.14.
(Bitbake rev: 9127359eb116827a1e0debe69f84e57717436847)
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 415e9e329cf8cc0c2caa01cba80c21cfac9e2414)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The example recipe taken above is hello-world on version 1.0 (because
PV equals "1.0+git". Fix this issue.
(From yocto-docs rev: 2d765587de2a2f3383a400d9bdecf64d9b182af9)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 411122812ced4ec32127a823896a73aacf6eb97c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When we don't have a PR server enabled, we don't have leading ".0" to
the PKGR variable, as this is added by the PR server.
(From yocto-docs rev: e5aaccf54494978bc8c24b4920dad7135837edb7)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 7a0324b6a10e64ee250945747db10ca88040b1ce)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The current example of the SRCREV change triggering a gitX bump is
wrong, as both gitX and r0.X get incremented.
Why this is happening is explained in bug 15729, which I copy here:
> +gitX+ is indeed related to changes in the source code.
>
> r0.X is bumped each time the checksum of the do_package task of the
> simple-hello-world-git recipe changes. This happens here:
> https://git.openembedded.org/openembedded-core/tree/meta/classes-global/package.bbclass?id=235e6d49e5888ad04416219e10b6df91a738661a#n306
>
> This line sets the value of PRAUTO and represents the number X found in
> r0.X. It will in the end make it into EXTENDPRAUTO, which itself makes
> to PKGR == r0.X.
>
> This line calls getPR(version, pkgarch, checksum). Between test case 5
> and 6, only the checksum changes. This checksum is the checksum of the
> do_package task (gotten from get_do_package_hash() above).
>
> Now, let's dump what changed with regards to this task between two
> consecutive runs, using the sigdata file in build/tmp/stamps/:
>
> ```
> [...]
> Variable fetcher_hashes_dummyfunc value changed from '2650ad6714c3f3248abfe9d3daf1196f307ed494' to '4af682a50174f5deb0397847da97d7cdba4ad067'
> ```
>
> The last line shows that the value of fetcher_hashes_dummyfunc changed
> from '2650ad6714c3f3248abfe9d3daf1196f307ed494' to
> '4af682a50174f5deb0397847da97d7cdba4ad067'. Those are the commit hashes
> in the git history of the simple-hello-world-git repository.
>
> Now you can see why this 0.X gets bumped, is because of the SRCREV change.
Fix the example, and detail what gets changed and why.
[YOCTO #15729]
Cc: Robert Berger <pokylinux@reliableembeddedsystems.com>
(From yocto-docs rev: 11fe7dbc49a8062cda8062d320dcb2be70a3b6f3)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 09f0430bc69024b9854c31ba6783ddd807aa4f19)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The eSDK installer script installs in poky_sdk directory but under the
user's home directory so let's make that explicit.
(From yocto-docs rev: 9811bee2e33002b449d073a3f3be1889e249ee2a)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 52ec12522bad3bbdff937f1c66224aa9b2d299cd)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
I'm pretty sure we meant to use the DISTRO poky.yaml.in placeholder
which can only be replaced when surrounding by & and ; characters.
Therefore let's fix this oversight.
Also, the example isn't actually pointing at the snapshot, but the
actual release, so let's reword that as well so it matches the example.
I decided to do that instead of adding +snapshot to the filename because
the example in the next section is actually using that same filename so
for consistency it seemed more appropriate.
(From yocto-docs rev: 27f259434f5bc3914d2c2b74961d744f7bffbcdc)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit ede411d70ffc837e5bea4666da9706e67960b0f2)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It's easier on the eye to use a parsed-literal block for highlighting
things that must be changed than simply stating the word, so this makes
use of a parsed-literal block instead of a simple inline code-block and
also highlight in italic which words are placeholders.
Also make the explanation below the literal-block use the same
highlighting (italic).
(From yocto-docs rev: 648b3c3e80a3916917763e3892a5e8c8d8a72162)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 41ee642c33cc2e7435e6037bf49fe7495ffa6133)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Bruce Ashfield
Dragomir, Daniel
Ankur Tyagi
Peter Marko
Amaury Couderc
Yoann Congal
Richard Purdie
Ken Kurematsu
Khai Dang
Fred Bacon
Daniel Turull
Benjamin Robin (Schneider Electric)
Het Patel
Adarsh Jagadish Kamini
Hugo SIMELIERE
Vijay Anusuri
Hitendra Prajapati
Zoltan Boszormenyi
Enrico Scholz
Lee Chee Yang
Antonin Godard
Quentin Schulz