With the current solution, using a separate task
(do_create_kernel_config_spdx) there is a dependency issue. Sometimes
the final rootfs SBOM does not contain the CONFIG_ values.
do_create_kernel_config_spdx is executed after do_create_spdx which
deploys the SPDX file. do_create_kernel_config_spdx calls
oe.sbom30.find_root_obj_in_jsonld to read from the deploy directory,
which is OK, but the do_create_kernel_config_spdx ends up writing to
this deployed file (updating it).
do_create_rootfs_spdx has an explicit dependency to all do_create_spdx
tasks, but there is nothing that prevents executing
do_create_kernel_config_spdx after do_create_rootfs_spdx.
To fix it, instead, now read from the workdir, and write to the
workdir, and do the processing from the do_create_spdx task:
we append to the do_create_spdx task.
Furthermore, update the oeqa selftest to execute do_create_spdx instead
of the removed function.
Also only execute this task if create-spdx-3.0 was inherited;
previously this code could be executed if create-spdx-2.2 is
inherited.
(cherry picked from commit 8417f4a186e78a9d309541f5d0e711178bb80488)
Fixes: 1fff29a04287 ("kernel.bbclass: Add task to export kernel configuration to SPDX")
(From OE-Core rev: 22e8bc2bcfe762c83c00b73a33384e63548e82c0)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Reviewed-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
CVE-2021-36217 is rejected, and should no longer be referenced.
CVE-2021-36217 is a duplicate of CVE-2021-3502 which is already
referenced in the local-ping.patch.
The CVE database indicates the following reason:
ConsultIDs: CVE-2021-3502. Reason: This candidate is a duplicate of
CVE-2021-3502. Notes: All CVE users should reference CVE-2021-3502
instead of this candidate. All references and descriptions in this
candidate have been removed to prevent accidental usage.
(cherry picked from commit bf41240132e2efa6b46aab46290eed9c53e312e9)
(From OE-Core rev: 128af716be75ec76203f1d34a8448741e6573d9e)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This is no more than a backport of the current (i.e., from 'master')
version of this same chunk in save_debugsources_info(), where BP is used
instead of PF to form the path to the kernel sources.
This replacement in package.py is followed by a similar change in
meta/classes/create-spdx-2.2.bbclass, so that 'BP' is also used in
spdx_get_src() and we don't face any regressions in SPDX v2.2. As a
matter of fact, SPDX3 also uses 'BP' in get_patched_src() (from
spdx_common.py).
Overall, this backport ensures coherence between Scarthgap and master,
namely regarding how the kernel sources are provided by package.py
and consumed by SPDX v2.2 and 3.0.
(From OE-Core rev: dd74c1388d5bfefd2adcdb6abd622297138e2eb1)
Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Co-authored-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Jeremy Rosen <jeremy.rosen@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Pulls in fixes to rename/renameat/renameat2:
Changqing Li (1):
    renameat2/renameat: only ignore when both old and new path are not in PSEUDO_INCLUDE_PATHS
Mark Hatle (4):
    run_tests.sh: Allow the user to specify specific tests to run
    tests: Add mv then hardlink testing
    rename: only ignore when both old and new path are not in PSEUDO_INCLUDE_PATHS
    Makefile.in: Bump version to 1.9.7
(From OE-Core rev: e2864ea1ac022e43af92badc701fa1e2a9571f46)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 17567738711d525d9f2b85e54ace2048901e4c34)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Pulls in the changes:
* Makefile.in: Bump version to 1.9.6
* pseudo_util.c: Fix symlink processing for symlinkat and related
* test: Add test symlinkat and related
* ports/unix: realpath: Fix chroot processing
* test: Add test cases for canonicalize functions
* ports/unix: fts_open: Fix chroot behavior
* ports/unix: fts_*: Certain functions were incorrectly returning stat data
* test: Add fts test case
* test: Add test for linkat chroot path stripping
* linkat: Avoid a segmentation fault
* Only copy xattrs on a rename if it's cross-filesystem
(From OE-Core rev: 1414f3513099a9a956ec4f602354aa00008e2aff)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 50e769a598e79ed4600f7362d5f40799a48f9273)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This adds a wrapper for the __open_2 function.
This was breaking shadow and was the real reason for the open() call changes.
Add the missing wrapper to properly fix this.
(From OE-Core rev: 876e6497f3323d74d9ac8ce303ed5165a7fda283)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8ea63d320aba32d3894cace9e71e850bdff1d6b2)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Update to pull in a full openat2 wrapper which works on Fedora 44.
This update includes the commits:
* Makefile.in: Bump version to 1.9.4
* test: Add renameat2 test cases
* test: Add openat2 test cases
* makewrappers/openat2: Add preserve_path option
* openat2: Implement openat2 wrapper
* ports/linux/guts/renameat2.c: Add comment why this isn't implemented
* Add b4 configuration
* pseudo_setupenvp: Handle malloc failure safely
* pseudo_setupenvp: Allocate space for new env vars if needed
(From OE-Core rev: 9075b66e1f9161407056924954b3d5507f6d8384)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b2bd1d114fafe1e797149e02e4c08194d529cfde)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The 2026b release contains the following changes:
  Briefly:
    British Columbia moved to permanent -07 on 2026-03-09.
    Some more overflow bugs have been fixed in zic.
  Changes to future timestamps
    British Columbia’s 2026-03-08 spring forward was its last
    foreseeable clock change, as it moved to permanent -07 thereafter.
    (Thanks to Arthur David Olson.) Although the change to permanent
    -07 legally took place on 2026-03-09, temporarily model the change
    to occur on 2026-11-01 at 02:00 instead. This works around a
    limitation in CLDR v48.2 (2026-03-17). This temporary hack is
    planned to be removed after CLDR is fixed.
  Changes to code
    zic no longer mishandles a last transition to a new time type.
    zic no longer overflows a buffer when generating a TZ string like
    "PST-167:59:58PDT-167:59:59,M11.5.6/-167:59:59,M12.5.6/-167:59:59",
    which can occur with adversarial input. (Thanks to Naveed Khan.)
    zic no longer generates a longer TZif file than necessary when
    an earlier time zone abbreviation is a suffix of a later one.
    As a nice side effect, zic no longer overflows a buffer when given
    a long series of abbreviations, each a suffix of the next.
    (Buffer overflow reported by Arthur Chan.)
    zic no longer overflows an int when processing input like ‘Zone
    Ouch 2147483648:00:00 - LMT’. The int overflow can lead to buffer
    overflow in adversarial cases. (Thanks to Naveed Khan.)
    zic now checks for signals more often.
(From OE-Core rev: 37dab321242e06d2940c4221e4a13e68265d696f)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
(cherry picked from commit dda7d55396e0c5258cba58af7e990ab3813bf108)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Regenerated to fix this warning:
WARNING: linux-yocto-6.6.127+git-r0 do_cve_check: Kernel CVE status needs updating: generated for 6.6.123 but kernel is 6.6.127
$ ./meta/recipes-kernel/linux/generate-cve-exclusions.py .../cvelistV5/ 6.6.127 > meta/recipes-kernel/linux/cve-exclusion_6.6.inc
Generated at 2026-05-27 12:02:49.732909+00:00 for kernel version 6.6.127
From cvelistV5 cve_2026-05-27_0900Z
(From OE-Core rev: d0d02d0f45b4c5108ae648fb16d2a2a0dc1ae0e7)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Ubuntu 25.10 has changed the default coreutils implementation from GNU
coreutils to uutils/coreutils. Unfortunately this causes build problems:
    couldn't allocate absolute path for 'null'.
    tail: cannot open 'standard input' for reading: No such file or directory
    install: failed to chown '...': Invalid argument (os error 22)
Clear build failures happen in 'install' and 'tail', but there may be
further breakage.
Luckily, Ubuntu also installs GNU coreutils with a binary prefix of
'gnu', so whilst these issues are root-caused and fixed in either pseudo
or uutils we can prefer the gnu-prefixed binaries where they are present.
[ YOCTO #16028 ]
(From OE-Core rev: b797cc729f6e6951baa988e1c04bac9fb8183a1c)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 16f2684ebeffa72b5d90525cf9102751b68c298e)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Drop one patch since change is included in the release.
Upgrade was performed using devtool
Full changelog:
https://github.com/gpg/gnupg/compare/gnupg-2.4.8...gnupg-2.4.9
Noteworthy changes in version 2.4.9 (2025-12-30)
------------------------------------------------
* gpg: Fix possible memory corruption in the armor parser. [T7906]
* gpg: Avoid potential downgrade to SHA1 in 3rd party key
  signatures. [rGddb012be7f]
* gpg: Error out on unverified output for non-detached signatures.
  [rG9d302f978b]
* gpg: Do not allow compressed key packets on import. [T7014]
* scd: Fix a harmless read buffer over-read in a function used by
  PKCS#15 cards. [T7662]
* dirmngr: Do not require a keyserver for "gpg --fetch-key".
  [T7693]
* agent: Fix ssh-agent's request_identities for skipped Brainpool
  keys. [rG6bf5696c85]
Release-info: https://dev.gnupg.org/T8001
(From OE-Core rev: 5eb2cd21ac86805f5f90ea149da7de6e41342299)
Signed-off-by: Guðni Már Gilbert <gudni.m.g@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The perl module Compress-Raw-Zlib defaults to using a vendored copy of
the zlib sources which has a number of CVEs. A newer version of perl
updates this to zlib 1.3.2 to resolve them, but we should be linking to
our zlib recipe instead of the vendored code.
This mitigates CVE-2026-4176 so mark it as not appropriate.
(From OE-Core rev: 6e83e5520f415fc6ca9029a8aaa0af31cd832a90)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bf515229043685d4f00c965eb3e0236c37b6b403)
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
The CVE-2025-62813 is rejected so do not reference it anymore.
So keep the patch but without referencing the CVE identifier.
The CVE database indicates the following reason:
This candidate was withdrawn by its CNA. Further investigation
showed that it was not a security issue.
(From OE-Core rev: 99706716626324605c049a9130f705f2090a9f91)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9c840a69b62a5fdffb3679a44d68dd5630b2916c)
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
These tests tend to take a bit of time, and this is probably why they
have been seen failing a few times in the past months. Raising the
timeout from 5 to 10 minutes appears to help.
Fixes [YOCTO #15999]
(From OE-Core rev: c8a94dfc3a21403e8202a4adddbae9f3bd4a4549)
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 998ebfc77db4c8d7567d82560595e0994a310ae0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>