Fixes build on host with gcc-16:
StringFuncs.c: In function ‘SplitStringByWhitespace’:
StringFuncs.c:113:15: error: variable ‘Item’ set but not used [-Werror=unused-but-set-variable=]
113 | UINTN Item;
| ^~~~
and
EfiRom.c: In function ‘main’:
EfiRom.c:78:17: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
78 | if ((Ptr0 = strstr ((CONST CHAR8 *) mOptions.FileList->FileName, DEFAULT_OUTPUT_EXTENSION)) != NULL) {
| ^
and one more for older version used in scarthgap
main.c: In function ‘ProcessArgs’:
main.c:163:42: error: too many arguments to function ‘p->process’; expected 0, have 2
163 | (*p->process)( *argv, *(argv+1) );
| ~^~~~~~~~~~~~ ~~~~~
main.c:120:34: note: declared here
120 | WildFunc process;
| ^~~~~~~
main.c:168:42: error: too many arguments to function ‘p->process’; expected 0, have 1
168 | (*p->process)( *argv );
| ~^~~~~~~~~~~~ ~~~~~
main.c:120:34: note: declared here
120 | WildFunc process;
| ^~~~~~~
(From OE-Core rev: 7de54889b3547a94bc7c6015731ec1c099e4d629)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
[YC: upstream commit a1db482ecd2824a4ae67a3c2a8e607b607ab4a43]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Changelog:
* Update Mozilla certificate authority bundle to version 2.82
The following certificate authorities were added (+):
+ TrustAsia TLS ECC Root CA
+ TrustAsia TLS RSA Root CA
+ SwissSign RSA TLS Root CA 2022 - 1
+ OISTE Server Root ECC G1
+ OISTE Server Root RSA G1
The following certificate authorities were removed (-):
- GlobalSign Root CA
- Entrust.net Premium 2048 Secure Server CA
- Baltimore CyberTrust Root (closes: #1121936)
- Comodo AAA Services root
- XRamp Global CA Root
- Go Daddy Class 2 CA
- Starfield Class 2 CA
- CommScope Public Trust ECC Root-01
- CommScope Public Trust ECC Root-02
- CommScope Public Trust RSA Root-01
- CommScope Public Trust RSA Root-02
* Use dh_usrlocal to create /usr/local/share/ca-certificates
(From OE-Core rev: 219ca927c9cd31a200b2ab4bed17937af4e5afc8)
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 738e08718e31de19c1c8db5e162a4a00e2b0c0e6)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Passing Wno-error via environment flags for target and nativesdk
is intended but is not effective due to command line ordering and
as a result some patches have been added to disable particular kind
of warning as error. Given the scenario, warnings as errors should
be disabled for all builds, this makes it portable across hosts and
across compilers ( gcc, clang ) and glibc versions.
(From OE-Core rev: 2151e4824bb45200173e95e2a08eab9057cea29d)
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 25f26861ddc8d71af5381d1acc883ad948bddace)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
latest glibc has better C23 support and exposes this problem
Fixes following errors seen in nativesdk-libxcrypt
| ../sources/libxcrypt-4.5.2/lib/crypt-sm3-yescrypt.c:139:9: error: initializing 'char *' with an expression of type 'const char *' discards qualifiers [-Werror,-Wincompatible-pointer-types-discards-qualifiers]
| 139 | char *hptr = strchr ((const char *) intbuf->retval + 3, '$');
| | ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| 6 errors generated.
Compared to wrynose remove lib/crypt-sm3-yescrypt.c change, because
the file doesn't exist in the version used in scarthgap, it was failing
only in lib/crypt-gost-yescrypt.c
(From OE-Core rev: caab28b10a1f45981ab605d36a8707b63212e1f6)
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a666b8e71ecda97db58c90d5af137671f9823f38)
[YC: fixed patch format]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
With the glibc 2.43 upgrade, building nativesdk-libxcrypt triggers a
-Wdiscarded-qualifiers warning in crypt-gost-yescrypt.c and
crypt-sm3-yescrypt.c which becomes a build failure due to -Werror.
(From OE-Core rev: 5538c6c4dd64e1360428a98e4a45beab826eec3c)
Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8340d4be03646f0b4b599f768ddc88f502f93615)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a
Denial-of-Service issue has been found that leads to memory exhaustion
from malformed RELATIVE-OID with excessive continuation octets. This
vulnerability is fixed in 0.6.2.
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-23490
(From OE-Core rev: 205d360b49c7bbaa8709cb5a0b2e57457c32ad22)
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Release information [1]:
OpenSSL 3.5.6 is a security patch release. The most severe CVE fixed in this release is Medium.
This release incorporates the following bug fixes and mitigations:
* Fixed incorrect failure handling in RSA KEM RSASVE encapsulation. (CVE-2026-31790)
* Fixed loss of key agreement group tuple structure when the DEFAULT keyword is used in
the server-side configuration of the key-agreement group list. (CVE-2026-2673)
* Fixed potential use-after-free in DANE client code. (CVE-2026-28387)
* Fixed NULL pointer dereference when processing a delta CRL. (CVE-2026-28388)
* Fixed possible NULL dereference when processing CMS KeyAgreeRecipientInfo. (CVE-2026-28389)
* Fixed possible NULL dereference when processing CMS KeyTransportRecipientInfo. (CVE-2026-28390)
* Fixed heap buffer overflow in hexadecimal conversion. (CVE-2026-31789)
[1] https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-355-and-openssl-356-7-apr-2026
(From OE-Core rev: a8cf6e078aa7967dde5f950e3e6f9b212b748dcf)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fc25ce383ddcb1185c193ff2b10f9116741eb316)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The current version of this script in Scarthgap is outdated, since it
still uses data from linux_kernel_cves. This repository was archived in
2024.
To avoid any risks of conflicts, and/or a patch series longer than it
needs to be, I copied the generate-cve-exclusions.py script from
oe-core's master branch (rev. "e954a94b5b528b2430e8da331107d7d58287f89b") as-is.
(From OE-Core rev: 66a13f93403533b95ed27eed24931aa310f8ce79)
Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
When running glibc tests under user mode NFS, tst-syslog was causing a hang. The
hang was traced to unfsd exitting with a buffer overflow being detected.
This was traced down to mksocket() where we'd see:
socket path '/media/build/poky/build/build-st-2118464/tmp/work/x86-64-v3-poky-linux/glibc-testsuite/2.42+git/build-x86_64-poky-linux/testroot.root/dev/log' is too long at 141 vs 108
There is a length check in mknod_args() but obj may not be setup at this point by
cat_name() since the functions can be executed out of order according to C.
To avoid this, make the order explict. This means the length is checked and we
avoid the buffer overflow. This will likely cause the glibc test to fail however
it won't hang, which is a win.
[YOCTO #16113]
(From OE-Core rev: 34f34512e5eeefc24b36b102a36fc90f14e2f7d2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Hemanth Kumar M D <Hemanth.KumarMD@windriver.com>
(cherry picked from commit e51d5e19cb1ba1d5ad7442064b64821d178bc9ca)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Both CVEs are disputed by third parties. The observed behavior
(double free / invalid pointer free in readelf) only occurred in
pre-release code and did not affect any tagged version [1][2].
CVE_STATUS[CVE-2025-69650] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
CVE_STATUS[CVE-2025-69651] = "disputed: observed behavior only in pre-release code, does not affect any tagged version"
[1] https://www.cve.org/CVERecord?id=CVE-2025-69650
[2] https://www.cve.org/CVERecord?id=CVE-2025-69651
(From OE-Core rev: 55a0d8abad8a81f7d900557c2eb2d9327ee115df)
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
(cherry picked from commit 9c6df56fe18237880c391798c2083dca595566f4)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Considering that *detail* is an actual variable, not a string, remove the
quotes to make the 'in' statement coherent.
(From OE-Core rev: 8071a93c6b619dc9fcc2a7f1bcf94994499defbe)
Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The description incorrectly stated that the sysroots are set up for
use during the packaging phase. In fact, do_prepare_recipe_sysroot
runs before do_configure, and the sysroots are consumed by
do_configure and do_compile.
Refer to do_configure and do_compile as the tasks that consume
prepared sysroots. Briefly describe the role of each sysroot.
Link do_configure, do_compile, and do_populate_sysroot via
:ref: to ease navigation.
Suggested-by: Alexander Kanavin <alex.kanavin@gmail.com>
Suggested-by: Antonin Godard <antonin.godard@bootlin.com>
(From yocto-docs rev: 1c5e7f136d7460fa5ad4c8a49ab1de31bd670e59)
Signed-off-by: Dawid Bijak <bijak.dawid@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit b50e8d36bdab53b004711ebc284d8ce8be593859)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
To properly fetch all the sources as suggested by the docs, one should
use "--runall=fetch".
(From yocto-docs rev: eb6a87177cec679eae9b2dfae86f49d9789c0ab1)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 0be8663d1f9e910c304e0960dd9e024e38646480)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Add that the RSUGGESTS variable would be processed only by a
supporting package manager when installing packages from a
package feed, and add a link to the appropriate section in
the Developers Manual.
(From yocto-docs rev: 2c80b891d85e0a7d9b70fc7b4a9c032325b56eca)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 48c832376cc3d33785d790a3e76b52ed2f8895bf)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Change the css rules of our theme to have a fixed-width documentation
instead of it taking the full width of the page. I believe this makes it
much more readable compared to having long lines with few line returns,
especially on high-resolution displays. Set the width to 1000px instead
of the previous 800px, which felt slightly too thin.
I think the removed comment here does not make that much sense for us.
It was added by commit 0c1e108bc6c4 ("sphinx: add CSS theme override"),
and I believe is a simply copy and paste of what was is set in the Linux
kernel, added by commit 9abaf979abb2 ("doc-rst: customize RTD theme,
table & full width") [1].
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9abaf979abb2
(From yocto-docs rev: 680edf7ffdf2286c64c32de74be5b6353294122f)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 98234c9d3a0846d719630914bea8599da9f51374)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The reference to STAGING_DIR* variables in the description of
DEPENDS was misleading, as it pointed at STAGING_DIR which is
unrelated in this context.
(From yocto-docs rev: 48d15a62ed7c004fd6e1dced03923bac529c435e)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 2da8e6334e3d3362c9177f78a1216156417903fc)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Slightly reword to emphasize the sysroots' roles during the build.
Drop double back-quote from the uses of '-native' to make it a bit
easier on the eyes.
(From yocto-docs rev: e98b2231e76243734820efc28895ab11d20b0330)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 15bbfeee88eee706e06b63116c9bf0cbfb2fd91c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Slightly reword to emphasise the order of steps during staging.
Further clarify those variables' relation to STAGING_DIR* variables.
(From yocto-docs rev: 4b219d437a5674aa71b6b2544d1548987202203f)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit eeb22235d5310ed440692914851df0b7aac056a4)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Don't refer to it as temporary. Update the default value.
(From yocto-docs rev: 3786a02e4478c4e73531479d50d1be6e8dd8b4c7)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit a1432f24c94a26b372164704cf18b3c6a73b34f5)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Make it more evident, that it is first populated by files from
some recipes, and later used as source of those files for the
others (staging and sharing files).
(From yocto-docs rev: 156c7c685b97943bcfa5309f9656a4b9e05e44a3)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit cad256411e2bc380e27e2fc4ea3140476596c823)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
STAGING_DIR is not in direct relation to recipe-sysroot*
directries. Also it does not participate in packaging, but rather
in staging and sharing files among recipes.
(From yocto-docs rev: 0838936ad05a8d5ed410767f389d4fd1a4e379b3)
Signed-off-by: Adam Blank <adam.blank.g@gmail.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 0ff189fcb82f5e845951c939197835d0a1daf87b)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Martin Jansa
Andrej Kozemcak
Khem Raj
Hemanth Kumar M D
Daniel Turull
Mingli Yu
Guocai He
Jiaying Song
Zhang Peng
Peter Marko
Hitendra Prajapati
Vijay Anusuri
João Marcos Costa (Schneider Electric)
Anil Dongare
Adarsh Jagadish Kamini
Ross Burton
Jinfeng Wang
Dawid Bijak
Robert P. J. Day
Johan Anderholm
Trevor Gamblin
Antonin Godard
Lee Chee Yang
Adam Blank