* fixes builds on host with gcc-15:
http://errors.yoctoproject.org/Errors/Details/853016/
../../bash-5.2.37/builtins/mkbuiltins.c:268:29: error: too many arguments to function ‘xmalloc’; expected 0, have 1
268 | error_directory = xmalloc (2 + strlen (argv[arg_index]));
| ^~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(From OE-Core rev: 55c144bd17665f70cd15e36f3405f502a962f039)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
GCC 15 defaults to C23 and bash is not yet ready for that
so keep using C17 like GCC 14 for now
(From OE-Core rev: adf63fe5f76cbd0fd93ce5fa23229a388211e992)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* backports from 1.18.2 used since:
https://git.openembedded.org/openembedded-core/commit/?id=070d79c8adec7e0a8862019cf61910a59b18613a
* fixes build on hosts with gcc-15 (e.g. ubuntu-25.10)
../cairo-1.18.0/test/pdiff/pdiff.h:22:13: error: âboolâ cannot be defined via âtypedefâ
22 | typedef int bool;
| ^~~~
../cairo-1.18.0/test/pdiff/pdiff.h:22:13: note: âboolâ is a keyword with â-std=c23â onwards
../cairo-1.18.0/test/pdiff/pdiff.h:22:1: warning: useless type name in empty declaration
22 | typedef int bool;
| ^~~~~~~
(From OE-Core rev: 6bd49cba1d7e12a6d8a4521a2097ff9f5ddc6368)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The code maintainer disputes the CVE as the issue can only be triggered with
untrusted SGML catalogs and it makes absolutely no sense to use untrusted
catalogs.
The issue triggers a crash if an invalid file is provided.
Source: https://gitlab.gnome.org/GNOME/libxml2/-/issues/958"
(From OE-Core rev: 348ce728af1cea4f909de5c3597801b5612719e4)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
According to the NVD entry, it is only applicable when built
for native Windows (MinGW-w64 or MSVC).
(From OE-Core rev: 04ce4704e603cd66f30ffc001541c6497d84050e)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
check_cves may raise the cve_status_not_in_db QA check. Call
exit_if_errors to make sure that the task is marked as failed when the
check is categorized as an error.
cve_status_not_in_db was in the meantime dropped in OE-Core
452e605b55ad61c08f4af7089a5a9c576ca28f7d so this change is only required
on scarthgap.
(From OE-Core rev: b3d12589c26f4e86b153bbdcda774985e4e046bd)
Signed-off-by: Philip Lorenz <philip.lorenz@bmw.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The example repo doesn't seem to have ever been under MIT to begin with
but rather Apache-2.0. It was then changed to the license used by the
goland projectm that is BSD-3-Clause, 2 years ago in commit 00c7068f9d83
("all: update to Go license").
The license file exists in the sources, so use that one instead of
taking it from the OE-Core license directory.
License-Update: Incorrect license is now proper
(From OE-Core rev: fa45d6d5bec8fe503ff6b9166a3b4af31ea95369)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Starting from CMake version 2.27 support for interactive debugging of CMake
scripts and configurations was added. However, by default the `nativesdk-cmake`
is compiled with debugger support turned off.
This change adds debugger support for cmake
(From OE-Core rev: 8acfca456c3502f0d097ba01a2d08f83fb75ab60)
(From OE-Core rev: 776846eb8aa2f5f8c1ec8842cdbaff6b6bcdfa65)
Signed-off-by: Nikhil R <nikhilr5@kpit.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
It was added by original commit for CVE-2025-6020-01.patch
https://github.com/linux-pam/linux-pam/commit/475bd60c552b98c7eddb3270b0b4196847c0072e#diff-05f443e6acbe32a148a45648148739bf6f02f13acc5c20c6037bf933223d4d77
but removed here in the rebase, causing:
../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:11: error: call to undeclared function 'dirname'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
326 | parent = dirname(buf);
| ^
../../../Linux-PAM-1.5.3/modules/pam_namespace/pam_namespace.c:326:9: error: incompatible integer to pointer conversion assigning to 'char*' from 'int' [-Wint-conversion]
326 | parent = dirname(buf);
| ^ ~~~~~~~~~~~~
(From OE-Core rev: 6d88a28ac7b6ff61808eb46e5c85dabd17c77f2e)
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This is a single commit bump containing only CVE fix
$ git log --oneline cff1042cceec3502269947e96cf7023451af22f3..b027d5b145f1b2908f370bdb96dfe40180d0fcb6
b027d5b145 posix: Fix double-free after allocation failure in regcomp (bug 33185)
Test results didn't change except newly added test succeeding.
(tst-regcomp-bracket-free)
(From OE-Core rev: c2b63f171719e2b1c12ba049cbe776adf9e0244b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit referencing this CVE from 2.13 branch.
(From OE-Core rev: 061610dfca8a72b71e1baca3ad4aa2c9fb64449b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick relevant commit from 3.8.10 release MR [1].
The MR contains referece to undiscoled issue, so any security relevant
patch should be picked.
Binary test file was added as separate file as binary diffs are not
supported.
[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979
(From OE-Core rev: d1aaef9bbaa240c83cc7d485b55570449203da0b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick relevant commit from 3.8.10 release MR [1].
The ME contains referece to undiscoled issue, so any security relevant
patch should be picked.
Binary test file was added as separate file as binary diffs are not
supported.
[1] https://gitlab.com/gnutls/gnutls/-/merge_requests/1979
(From OE-Core rev: 8f825e7f4ca36d7ac62062e452cea256f3c058aa)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commits for Minerva fix between 3.2.4 and 3.2.5 release.
Update to 3.2.5 is blocked due to problem with python ptest errors, so
use patch instead of upgrade for now.
(From OE-Core rev: 57c04a32997c1b045121aff045f3ffaa7bb0b5f5)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As discussed in [1], this commit fixes CVE-2024-41996.
Although openssl project does not consider this a vulnerability, it got
CVE number assigned so it deserves attention.
[1] https://github.com/openssl/openssl/pull/25088
(From OE-Core rev: cb49b9e49b4561ccea4c231cac591af557b9749c)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There are new CVEs reported for this recipe which are not for this
componene, but for a component with same name from apache.
sqlite> select vendor, product, id, count(*) from products where product like 'orc' group by vendor, product, id;
apache|orc|CVE-2018-8015|1
apache|orc|CVE-2025-47436|4
gstreamer|orc|CVE-2024-40897|1
(From OE-Core rev: f5e320c0ea57ce1813ed09da703fe2b33f4976e6)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
There exists a vulnerability in SQLite versions before 3.50.2 where the
number of aggregate terms could exceed the number of columns available.
This could lead to a memory corruption issue.
(From OE-Core rev: 52499a5ea3b4ba145914aca873844ab718953289)
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A NULL pointer dereference vulnerability was found in libxml2 when processing
XPath XML expressions. This flaw allows an attacker to craft a malicious XML
input to libxml2, leading to a denial of service.
(From OE-Core rev: b144c3ef3ba1797d925ea44d9450a6ec0fe32047)
Signed-off-by: Roland Kovacs <roland.kovacs@est.tech>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport a fix to address the dbus SetNTP response timing issue.
Fix is already available since systemd v256-rc1.
(From OE-Core rev: 4db0483cfd14e31c3e7cc87d538d73275fd51bbf)
Signed-off-by: Michal Seben <michal.seben@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Set the permissions of /var/run/kea to 750 to fix kea server startup
error:
ERROR [kea-dhcp4.dhcp4/445.140718820303936] DHCP4_INIT_FAIL failed to
initialize Kea server: configuration error using file
'/etc/kea/kea-dhcp4.conf': 'socket-name' is invalid: socket
path:/var/run/kea does not exist or does not have permssions = 750
This permission check was introduced by commit[1] in kea 2.4.2.
[1] https://gitlab.isc.org/isc-projects/kea/-/commit/f7061c4e9711f395fbc940b0cf0ddbde87e0fc13
(From OE-Core rev: 5b709e2c165bf46f4f35e1783ab7ec54fabd2ec3)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Below commit on binutils-2.42 stable branch are updated.
x86: Check MODRM for call and jmp in binutils older than 2.45
Test Results:
Before After Diff
No. of expected passes 302 302 0
No. of unexpected failures 2 2 0
No. of untested testcases 1 1 0
No. of unsupported tests 7 7 0
Testing was done and there were no regressions found
(From OE-Core rev: 412def8923a89f3c385eae25901bed0c07859029)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Changelog:
===========
* Fixed CVE-2025-32462. Sudo's -h (--host) option could be specified
when running a command or editing a file. This could enable a
local privilege escalation attack if the sudoers file allows the
user to run commands on a different host.
* Fixed CVE-2025-32463. An attacker can leverage sudo's -R
(--chroot) option to run arbitrary commands as root, even if
they are not listed in the sudoers file. The chroot support has
been deprecated an will be removed entirely in a future release.
License-Update: Copyright updated to 2025
0001-sudo.conf.in-fix-conflict-with-multilib.patch refreshed for 1.9.17
(From OE-Core rev: b04af6db102c97f3d4338dbcfdcab927b5194a69)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Steve Sakoman
Martin Jansa
Khem Raj
Daniel Turull
Peter Marko
Philip Lorenz
Quentin Schulz
Nikhil R
Hitendra Prajapati
Zhang Peng
Fabio Berton
Jinfeng Wang
Wang Mingyu
Richard Purdie
Alexander Kanavin
Vijay Anusuri
Deepesh Varatharajan
Roland Kovacs
Yash Shinde
Michal Seben
Yi Zhao
Praveen Kumar