An integer overflow in sqfs_inode_size in Das U-Boot before
2025.01-rc1 occurs in the symlink size calculation via a
crafted squashfs filesystem.
https://nvd.nist.gov/vuln/detail/CVE-2024-57254
Signed-off-by: Hongxu Jia
---
.../u-boot/files/CVE-2024-57254.patch | 47 +++
sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error
and resultant heap memory corruption for squashfs directory listing because the
path separator is not considered in a size calculation.
https://nvd.nist.gov/vuln/detail/CVE-2024-57259
Signed-off-by: Hongxu Jia
---
...
A stack consumption issue in sqfs_size in Das U-Boot before 2025.01-rc1
occurs via a crafted squashfs filesystem with deep symlink nesting.
https://nvd.nist.gov/vuln/detail/CVE-2024-57257
Signed-off-by: Hongxu Jia
---
.../u-boot/files/CVE-2024-57257.patch | 227 ++
meta/
Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1
occur for a crafted squashfs filesystem via sbrk, via request2size,
or because ptrdiff_t is mishandled on x86_64.
https://nvd.nist.gov/vuln/detail/CVE-2024-57258
Signed-off-by: Hongxu Jia
---
.../u-boot/files/CVE-2024-57258
An integer overflow in sqfs_resolve_symlink in Das U-Boot before 2025.01-rc1
occurs via a crafted squashfs filesystem with an inode size of 0x,
resulting in a malloc of zero and resultant memory overwrite.
https://nvd.nist.gov/vuln/detail/CVE-2024-57255
Signed-off-by: Hongxu Jia
---
...
An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1
occurs for zalloc (adding one to an le32 variable) via a crafted ext4
filesystem with an inode size of 0x, resulting in a malloc of
zero and resultant memory overwrite.
https://nvd.nist.gov/vuln/detail/CVE-2024-572
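The two allocation-sizing bug classes in the U-Boot advisories above (a 32-bit on-disk size plus one wrapping to zero so that a zero-byte buffer is overwritten, as in the sqfs_resolve_symlink and ext4fs_read_symlink entries, and a path-join length that forgets the separator byte, as in the sqfs_search_dir entry) are shown below in an added, illustrative C example. This is not U-Boot's fs/squashfs or fs/ext4 code; the function names, the MAX_LINK_LEN bound and the sample inputs are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative code only: hypothetical names, not U-Boot's filesystem
 * drivers. MAX_LINK_LEN is an assumed sanity bound for a link target. */
#define MAX_LINK_LEN 4096u

/* Bug class 1: the on-disk size is a 32-bit little-endian field. Adding
 * one for the NUL in 32-bit arithmetic wraps 0xffffffff to 0, so the
 * allocator is asked for zero bytes and the later copy of inode_size
 * bytes overruns the (empty) buffer. */
uint32_t link_buf_len_unchecked(uint32_t inode_size)
{
    return inode_size + 1;          /* wraps for inode_size == UINT32_MAX */
}

/* Hardened form: bound the untrusted size first, then widen to size_t
 * before adding, so the addition cannot wrap. Returns false on reject. */
bool link_buf_len_checked(uint32_t inode_size, size_t *out)
{
    if (inode_size >= MAX_LINK_LEN) /* rejects UINT32_MAX and huge links */
        return false;
    *out = (size_t)inode_size + 1;
    return true;
}

/* Reads a link target of inode_size bytes from a (constructed) on-disk
 * buffer into a freshly allocated, NUL-terminated string, or NULL. */
char *read_link_target(const uint8_t *disk, uint32_t inode_size)
{
    size_t len;
    if (!link_buf_len_checked(inode_size, &len))
        return NULL;
    char *buf = calloc(len, 1);
    if (!buf)
        return NULL;
    memcpy(buf, disk, inode_size);  /* len == inode_size + 1: room for NUL */
    buf[inode_size] = '\0';
    return buf;
}

/* Bug class 2: joining a directory path and an entry name needs
 * dir + '/' + name + NUL. Leaving the separator out of the allocation
 * gives a one-byte heap overflow when the joined string is written. */
size_t join_len_unchecked(const char *dir, const char *name)
{
    return strlen(dir) + strlen(name) + 1;      /* no room for '/' */
}

/* Hardened: account for the separator and refuse oversized inputs. */
bool join_len_checked(const char *dir, const char *name, size_t *out)
{
    size_t d = strlen(dir), n = strlen(name);
    if (d > MAX_LINK_LEN || n > MAX_LINK_LEN)
        return false;
    *out = d + 1 + n + 1;                       /* dir '/' name NUL */
    return true;
}

/* Joins dir and name into a newly allocated string sized by the checked
 * calculation; snprintf's bound keeps the write inside the buffer. */
char *join_path(const char *dir, const char *name)
{
    size_t len;
    if (!join_len_checked(dir, name, &len))
        return NULL;
    char *buf = malloc(len);
    if (!buf)
        return NULL;
    snprintf(buf, len, "%s/%s", dir, name);
    return buf;
}

int main(void)
{
    /* Constructed values standing in for a crafted image's size field. */
    printf("unchecked len for 0xffffffff: %u\n",
           link_buf_len_unchecked(0xffffffffu));
    char *t = read_link_target((const uint8_t *)"/boot/zImage", 12);
    printf("checked read: %s\n", t ? t : "(rejected)");
    free(t);
    char *p = join_path("/boot", "zImage");
    printf("join: %s (needs %zu bytes, naive count %zu)\n", p,
           strlen(p) + 1, join_len_unchecked("/boot", "zImage"));
    free(p);
    return 0;
}
```

The checked variants reject the input rather than clamp it: a bootloader parsing an untrusted filesystem should refuse a link or directory entry whose size field cannot be honoured, since silently truncating it changes what path gets resolved.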
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch
/home/patchtest/share/mboxes/1-2-python3-Ignore-locale2-tests-on-musl.patch
FAIL: test max line length: Patch line too long (current length 258,
We use editline by default, and test_write_read_append also fails, especially on
musl. Since this needs to be fixed upstream, extend the skip for
test_write_read_append along with the other history manipulation tests being
skipped.
Signed-off-by: Khem Raj
---
...1-test_readline-skip-limited-history-t
These tests require additional locales not supported in musl
Signed-off-by: Khem Raj
---
meta/recipes-devtools/python/python3_3.13.2.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/python/python3_3.13.2.bb
b/meta/recipes-devtools/python/python3_3.13.
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6
Release notes
Security
[CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
[CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
pattern: Fix compilation of explicit child axis
Regressions
xmllint:
From: Wang Mingyu
License-Update:
- LICENCE renamed to LICENCE.md
- format changed
- add "SPDX-License-Identifier: BSD-3-Clause WITH PCRE2-exception" to the top
of LICENCE file
- add contribution information
Signed-off-by: Wang Mingyu
---
.../libpcre/{libpcre2_10.44.bb => libpcre2_10.45.bb}
On 2/18/25 21:47, Alexander Kanavin wrote:
CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know
the content is safe.
On Tue, 18 Feb 2025 at 14:37, hongxu via lists.openembedded.org
wrote:
Explicitly set
Could you please let me know the build options? I have selected machine x86-64
and bitbake panggo, but this issue did not occur.
--
Best Regards
---
Wang Mingyu
FUJITSU NANJING SOFTWARE TECHNOLOGY CO., LTD. (FNST)
No.6 Wenzhu Road, Nanjing, 210012
From: Divya Chellam
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS
vulnerability when it parses an XML that has many entity expansions
with the SAX2 or pull parser API. The REXML gem 3.3.3 or later includes
the patch to fix the vulnerability.
Reference:
https://nvd.nist.gov/vuln/deta
From: Peter Marko
Release information:
https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md#major-changes-between-openssl-323-and-openssl-324-11-feb-2025
Handles CVE-2024-12797 in addition to already patched CVEs.
Refresh patches and remove CVE patches included in the new version.
Signe
From: Aleksandar Nikolic
Update to the 5.0.7 release of the 5.0 series for buildtools.
Signed-off-by: Aleksandar Nikolic
Signed-off-by: Steve Sakoman
---
scripts/install-buildtools | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/install-buildtools b/scripts/ins
From: Peter Marko
Backport following patch to address this CVE:
https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892
Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
.../gnutls/gnutls/CVE-2024-12243.patch| 1149 +
meta/recipes-s
From: Oleksandr Hnatiuk
Fix is only done for target. Use same code for nativesdk.
Backport from poky master:
https://git.yoctoproject.org/poky/commit/?id=c63b8f28ac52047fad689b78d605aa792baf1ad8
(From OE-Core rev: dc6306883cc2c7d4d98d595442e5bf4037a160c5)
Signed-off-by: Oleksiy Obitotskyy
Si
From: Divya Chellam
This includes CVE-fix for CVE-2025-22134 and CVE-2025-24014
Changes between 9.1.0764 -> 9.1.1043
https://github.com/vim/vim/compare/v9.1.0764...v9.1.1043
Signed-off-by: Divya Chellam
Signed-off-by: Steve Sakoman
---
meta/recipes-suppor
From: Johannes Schneider
ppp version 2.5.0 fails to run properly if an expected /run/pppd/lock
directory does not exist, which is not usually created in a Yocto-built
OS.
Backport the patch from upstream version 2.5.1 that fixes the issue by
reverting back to /var/lock.
The related github issue
From: Peter Marko
Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45720
This CVE is relevant only for subversion running on Windows.
Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/subversion/subversion_1.14.3.bb | 2 ++
1 file changed, 2 insertions(+)
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, February 20
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1037
The following changes since commit 61880aac34ff408a8bc5060c6140bfd086b27524:
base-fi
From: Richard Purdie
I have a theory that some of the console boot issues we're seeing are due to
starting images with three serial ports yet only starting gettys on two of them.
This means that occasionally, depending on the port numbering we may not get
a login prompt on the console we expect
From: Archana Polampalli
Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read
Sensitive Constants Within an Executable. This vulnerability is associated with
program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C.
This issue affects FFmpeg: 7.1
From: Aleksandar Nikolic
Update to the 4.0.24 release of the 4.0 series for buildtools.
Signed-off-by: Aleksandar Nikolic
Signed-off-by: Steve Sakoman
---
scripts/install-buildtools | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/install-buildtools b/scripts/in
From: Mingli Yu
This patch is ported from a merge request shown below,
and the following represents the original commit text.
--
top: In the bye_bye function, replace fputs with the write interface.
When top calls malloc, if a signal is receiv
From: Archana Polampalli
FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder.
Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
.../ffmpeg/ffmpeg/CVE-2024-36617.patch| 38 +++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1
From: Archana Polampalli
An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg
n6.1.1 allows attackers to cause a denial of service in the application via a
crafted VQA file.
Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
---
.../ffmpeg/ffmpeg/CVE-2024-3
From: Archana Polampalli
A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing.
Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded
certificate data can take excessive time, leading to increased resource
consumption.
This flaw allows a remote attack
From: Archana Polampalli
FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library
allowing for an integer overflow, potentially resulting in a denial-of-service
(DoS) condition or other undefined behavior.
Signed-off-by: Archana Polampalli
Signed-off-by: Steve Sakoman
-
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, February 20
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1038
The following changes since commit 5a794fd244f7fdeb426bd5e3def6b4effc0e8c62:
build-a
From: Peter Marko
Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45720
This CVE is relevant only for subversion running on Windows.
Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
meta/recipes-devtools/subversion/subversion_1.14.2.bb | 3 +++
1 file changed, 3 insertions(+)
From: Peter Marko
This CVE is fixed in 10.40
NVD wrongly changed <10.40 to =10.40 when adding debian_linux=10.0
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-1586#VulnChangeHistorySection
Signed-off-by: Peter Marko
Signed-off-by: Steve Sakoman
---
meta/recipes-support/libpcre/libpcre2
From: Vijay Anusuri
Upstream-Status: Backport
[https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b]
Reference:
https://access.redhat.com/security/cve/cve-2022-49043
Signed-off-by: Vijay Anusuri
Signed-off-by: Steve Sakoman
---
.../libxml/libxml2/CVE-2022
NVD uses westes:flex for recent CVEs in flex, based on the GitHub repo
Signed-off-by: Marta Rybczynska
---
meta/recipes-devtools/flex/flex_2.6.4.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb
b/meta/recipes-devtools/flex/flex_2.6.
On Mon, Feb 17, 2025 at 12:29 PM Richard Purdie <
richard.pur...@linuxfoundation.org> wrote:
> FWIW I did try and discuss this in the OE TSC meeting today but it is a
> US holiday. There were only two people who showed up.
>
Also a Canadian Holiday! I was one of the missing attendees, so I'll fol
On Tue Feb 18, 2025 at 8:39 AM CET, wangmy via lists.openembedded.org wrote:
> From: Wang Mingyu
>
> Changelog:
> ==
> - Avoid criticals when there are no fonts
> - fontconfig: Handle lack of FC_FONT_WRAPPER in font cache
> - fontconfig: Prefer application fonts even if they are older
> -
On Tue, 2025-02-18 at 16:46 +0100, Etienne Cordonnier wrote:
> Hi Richard,
> I've seen that the patch is reverted in master-next. Was an issue
> discovered?
Yes, it failed in testing. I've added a new version though so hopefully
better this time.
Cheers,
Richard
From: Divya Chellam
xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a
use-after-free.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-49043
Upstream-patch:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b
Signed-off-by: Divya Chellam
On 12 Feb 2025, at 19:12, Dan McGregor via lists.openembedded.org
wrote:
>
> Change the sysvinit script to start at the S runlevel, this matches
> Debian, and prevents systemd from generating a unit file for it.
> Also have the nfsd systemd service request the nfsd kernel filesystem
> mountpoint
Current Dev Position: YP 5.2 M3
Next Deadline: YP 5.2 M3 Build date 2025-03-03 - Feature Freeze
Next Team Meetings:
-
Bug Triage meeting Thursday Feb. 20th 7:30 am PST (
https://zoom.us/j/454367603?pwd=ZGxoa2ZXL3FkM3Y0bFd5aVpHVVZ6dz09)
-
Weekly Project Engineering Sync Tuesday F
Hi Richard,
I've seen that the patch is reverted in master-next. Was an issue
discovered?
Étienne
On Tue, Feb 18, 2025 at 4:22 PM Richard Purdie via lists.openembedded.org
wrote:
> Firstly, just include xz support in all gdb configurations to simplify
> config.
> Most systems would already hav
From: Etienne Cordonnier
Fixes https://bugzilla.yoctoproject.org/show_bug.cgi?id=15740
python3-setuptools-scm was ignoring GIT_CEILING_DIRECTORIES, which is set by
poky, and it was thus finding a wrong value of "toplevel" in
./src/setuptools_scm/_file_finders/git.py
The code is supposed to gene
Firstly, just include xz support in all gdb configurations to simplify config.
Most systems would already have the shared library so this isn't a big problem
for a larger debugging tool.
The PACKAGECONFIG duplication is also confusing. The only PACKAGECONFIG which
needs special handling is the pyt
We don't have many cross recipes that use PACKAGECONFIG but gdb-cross does,
so correctly remap dependencies for that case allowing the gdb recipe to be
simplified.
Signed-off-by: Richard Purdie
---
meta/classes-global/base.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
On 18-02-2025 19:14, Alexander Kanavin wrote:
On Tue, 18 Feb 2025 at 14:34, Varatharajan, Deepesh via
lists.openembedded.org
wrot
On Mon, Feb 17, 2025 at 6:20 PM Khem Raj wrote:
>
> On Mon, Feb 17, 2025 at 10:10 AM Alex Kiernan via
> lists.openembedded.org
> wrote:
> >
> > On Mon, Feb 17, 2025 at 5:05 PM Quentin Schulz
> > wrote:
> > >
> > > Hi Alex,
> > >
> > > On 2/17/25 12:16 PM, Alex Kiernan wrote:
> > > > On Mon, Feb
On 18 Feb 2025, at 13:37, hongxu via lists.openembedded.org
wrote:
>
> The environment variable SETUPTOOLS_SCM_SUBPROCESS_TIMEOUT allows to override
> the subprocess timeout. The default is 40 seconds and should work for most
> needs.[1] However, it was not enough while using git shallow tarball
On 18-Feb-25 19:14, Alexander Kanavin via lists.openembedded.org wrote:
On Tue, 18 Feb 2025 at 14:34, Varatharajan, Deepesh via
li
From: Sebastian Zenker
When specifying the dependencies of do_bundle_initramfs the current
multiconfig might not be the default. This fixes the dependencies between
the multiconfigs if the current differs to default.
Signed-off-by: Mueller, Daniel
---
You're right, handling 'default' isn't requir
On Tue, 18 Feb 2025 at 14:43, Fabio Estevam via lists.openembedded.org
wrote:
> .../0001-makefile-Fix-build-on-linux.patch| 61 ++
> ...piler-errors-found-with-newer-gcc-cl.patch | 81 +++
Can you submit these upstream please?
Alex
On Tue, 18 Feb 2025 at 14:37, hongxu via lists.openembedded.org
wrote:
> Explicitly set variable SETUPTOOLS_SCM_SUBPROCESS_TIMEOUT to 600s in bbclass,
> and we could override it in local.conf
This hasn't been accepted in master yet. And there's a strong
opposition, as this is felt to be something
On Tue, 2025-02-18 at 15:39 +0800, wangmy via lists.openembedded.org
wrote:
> From: Wang Mingyu
>
> Changelog:
> ===
> * mkfs:
> * new option to enable compression
> * updated summary (subvolumes, compression)
> * completely remove option --leafsize, deprecated long ago
> * btrfstun
On Tue, 18 Feb 2025 at 14:34, Varatharajan, Deepesh via
lists.openembedded.org
wrote:
> Rust stable version updated to 1.82.0.
> https://blog.rust-lang.org/2024/10/17/Rust-1.82.0.html
Thanks. While it's good to have working recipes for each major rust
release, we're kind of falling behind upstrea
Upgrade to mtd-utils 2.3.0.
Details about the 2.3.0 release:
https://lore.kernel.org/linux-mtd/1b7a55a6-1c5b-4e86-8006-e2010e543...@sigma-star.at/T/#u
Signed-off-by: Fabio Estevam
---
Changes since v1:
- Fixed musl build errors.
...-ubifs-utils-ubifs.h-Include-fcntl.h.patch | 48 +
Move the libexecinfo recipe from meta-openembedded to meta-oe.
The motivation for doing this is building mtd-utils 2.3.0 with musl.
Musl requires an external libexecinfo to provide backtrace support.
Signed-off-by: Fabio Estevam
---
Changes since v1:
- Newly introduced.
meta/conf/distro/inclu
The environment variable SETUPTOOLS_SCM_SUBPROCESS_TIMEOUT allows to override
the subprocess timeout. The default is 40 seconds and should work for most
needs.[1] However, it was not enough while using git shallow tarball and
starting multiple Yocto world builds in one host.
| File "tmp/work/x8
Backport patch from upstream to add subprocess timeout control env var
Signed-off-by: Hongxu Jia
---
.../0001-fix-957-add-subprocess-timeout.patch | 78 +++
.../python/python3-setuptools-scm_8.0.4.bb| 4 +
2 files changed, 82 insertions(+)
create mode 100644
meta/recipes-d
From: Deepesh Varatharajan
A new feature "Link std statically in rustc_driver" was introduced
in rust_1.82 [https://github.com/rust-lang/rust/pull/122362], which is
causing the below failure in oe-selftest.
Running unittests src/main.rs (build/x86_64-unknown-linux-gnu/stage1-rustc/
x86_64-pok
From: Deepesh Varatharajan
A few tests fail on the x86 arch. The unsupported/failing tests
are added to the exclude list so the failing unit tests are ignored.
Upstream-Status: Pending
Signed-off-by: Deepesh Varatharajan
---
meta/lib/oeqa/selftest/cases/rust.py | 1 +
.../rus
On 18 Feb 2025, at 10:55, Ross Burton via lists.openembedded.org
wrote:
>
> On 3 Feb 2025, at 23:25, Simone Weiß via lists.openembedded.org
> wrote:
>>
>> From: Simone Weiß
>>
>> Add sassc-native as in libadwaita the handling wrt pre-built artifacts
>> changed and sassc is now needed.
>
Hi,
On Tue, Feb 18, 2025 at 12:56:47PM +0100, uvv.m...@gmail.com wrote:
> From: Vyacheslav Yurkov
>
> The tests don't need it. On top of that, this extra requirement
> creates a dependency loop between systemd-systemctl-native and util-linux.
Yes, this is the right thing to do.
Reviewed-by: Mi
From: Vyacheslav Yurkov
Instead of the python re-implementation build the actual systemctl from
the systemd source tree. The python script was used when systemd didn't
provide an option to build individual executables. It is possible in the
meantime, so instead of always adapting the script when
From: Vyacheslav Yurkov
The tests don't need it. On top of that, this extra requirement
creates a dependency loop between systemd-systemctl-native and util-linux.
Signed-off-by: Vyacheslav Yurkov
---
meta/lib/oeqa/selftest/cases/uki.py | 1 -
meta/lib/oeqa/selftest/cases/wic.py | 1 -
2 files
On Tue Feb 18, 2025 at 8:39 AM CET, wangmy via lists.openembedded.org wrote:
> From: Wang Mingyu
>
> Changelog:
> ===
> * mkfs:
> * new option to enable compression
> * updated summary (subvolumes, compression)
> * completely remove option --leafsize, deprecated long ago
> * btrfstun
On Fri, Feb 14, 2025 at 3:28 PM Niko Mauno via lists.openembedded.org
wrote:
> From: Niko Mauno
>
> According to Yocto reference manual, in description of the
> IMAGE_LINK_NAME variable, it is said that
>
> It is possible to set this to "" to disable symlink creation,
> however, you also nee
On 3 Feb 2025, at 23:25, Simone Weiß via lists.openembedded.org
wrote:
>
> From: Simone Weiß
>
> Add sassc-native as in libadwaita the handling wrt pre-built artifacts
> changed and sassc is now needed.
This seemed odd to me, and I just successfully did a build of 1.6.4 without
sassc pres
This test checks for an IP address and then tests if interface aliases work. We
don't run it on any of our automated testing as it only applies for non-qemu.
The connectivity test is unrelated to connman and pretty pointless as it depends
on ssh working, so networking is probably ok.
The al
ifconfig is obsolete and being removed, convert to use ip instead.
Signed-off-by: Richard Purdie
---
meta/lib/oeqa/utils/qemurunner.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/lib/oeqa/utils/qemurunner.py
b/meta/lib/oeqa/utils/qemurunner.py
index 6cab9aa6b20..04e
Firstly, just include xz support in all gdb configurations to simplify config.
Most systems would already have the shared library so this isn't a big problem
for a larger debugging tool.
The PACKAGECONFIG duplication is also confusing. The only PACKAGECONFIG which
needs special handling is the pyt
ifconfig is obsolete, drop the call and replace with ip instead.
Signed-off-by: Richard Purdie
---
meta/recipes-core/udev/udev-extraconf/network.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/udev/udev-extraconf/network.sh
b/meta/recipes-core/udev/udev-
On Tue, 18 Feb 2025 at 08:41, wangmy via lists.openembedded.org
wrote:
> License-Update: LICENCE renamed to LICENCE.md
> -LIC_FILES_CHKSUM = "file://LICENCE;md5=321a5eb46acae6b6c1ff2c7a866d836a"
> +LIC_FILES_CHKSUM = "file://LICENCE.md;md5=8446a1fd12e40d9d64c79234fbb1f812"
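Review bot: the md5 in LIC_FILES_CHKSUM changes from 321a5eb46acae6b6c1ff2c7a866d836a to 8446a1fd12e40d9d64c79234fbb1f812, so the file's text changed, not only its name, yet the License-Update line above records just the rename; please state what changed in the license text (as the libpcre2 10.45 upgrade message elsewhere on this page does) so a reviewer can confirm the terms are unchanged before accepting the new checksum.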
There is also a differe
4.3.91 is a beta pre-release. We need to set the upstream regex to
exclude x.y.9z versions.
Alex
On Tue, 18 Feb 2025 at 08:41, wangmy via lists.openembedded.org
wrote:
>
> From: Wang Mingyu
>
> Changelog:
> ===
> - Several updates to the CI
> - gcr: Implement Certificate Policies extens