After the migration from Mercurial to GitHub the homepage has
changed and SIP has been licensed under the BSD-2-Clause license
since Feb 9, 2024. Upgrade to version 6.8.6:
- Handle single number macOS deployment targets
- Support for architectures where `char` is unsigned
- Support for building from git archives
- Run the tests using the current Python version
The project has a proper pyproject.toml which declares the
setuptools.build_meta PEP-517 backend.
Fixes:
WARNING: sip-6.8.6-r0 do_check_backend: QA Issue: inherits
setuptools3 but has pyproject.toml with setuptools.build_meta,
use the correct class [pep517-backend]
Please note SIP version 6.8.6 is present for branch Scarthgap and
it is required for PyQt6 6.8 from layer meta-qt6 (branch 6.8).
The work was sponsored by GOVCERT.LU.
License-Update: SIP is licensed under the BSD-2-Clause license.
Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The libeigen recipe, which was the only user of this license file, now
uses the Minpack license from OE-Core instead.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Since libeigen is a header-only library, LGPL effectively has the same
properties as GPL when it comes to affecting the licensing of the code
that uses libeigen. To avoid the problem, backport a patch to remove all
LGPL-2.1 code from the library.
Switch to using "Minpack" rather than "MINPACK" as license since the
former is the official SPDX name.
Also correct the licenses for ${PN}, ${PN}-dbg and ${PN}-dev to reflect
that they do not contain any GPL code (the GPL code is only used for
benchmark tests and does not affect what is installed).
License-Update: Correct the license information
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The lvm2-udevrules package has not actually been created since commit
5d54a52fbe.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The problem with using pkg-config to find hwloc when cross-compiling was
solved by upstream in 2021.13.0. However, the upgrade in commit
d8c5a72788 missed that upstream defaults
to disabling searching for hwloc when cross-compiling.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Rewrite ebtables-legacy-save to avoid using bashisms.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
ERROR: lapack-3.12.0-r0 do_package_qa: QA Issue:
File /usr/lib/lapack/ptest/bin/xccblat3 in package lapack-ptest contains reference to TMPDIR
File /usr/lib/lapack/ptest/bin/xdcblat3 in package lapack-ptest contains reference to TMPDIR
File /usr/lib/lapack/ptest/bin/xdcblat1 in package lapack-ptest contains reference to TMPDIR
File /usr/lib/lapack/ptest/bin/xscblat1 in package lapack-ptest contains reference to TMPDIR
File /usr/lib/lapack/ptest/bin/xccblat2 in package lapack-ptest contains reference to TMPDIR
File /usr/lib/lapack/ptest/bin/xzcblat2 in package lapack-ptest contains reference to TMPDIR
File /usr/lib/lapack/ptest/bin/xzcblat1 in package lapack-ptest contains reference to TMPDIR
File /usr/lib/lapack/ptest/bin/xccblat1 in package lapack-ptest contains reference to TMPDIR
File /usr/lib/lapack/ptest/bin/xdcblat2 in package lapack-ptest contains reference to TMPDIR
File /usr/lib/lapack/ptest/bin/xscblat2 in package lapack-ptest contains reference to TMPDIR
File /usr/lib/lapack/ptest/bin/xscblat3 in package lapack-ptest contains reference to TMPDIR
File /usr/lib/lapack/ptest/bin/xzcblat3 in package lapack-ptest contains reference to TMPDIR [buildpaths]
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Per [1] this CVE is already patched by commit [2].
This can also be verified with a Yocto build.
Running without this patch:
root@qemux86-64:~# sfconvert poc.wav output format wave
malloc(): corrupted top size
Aborted
Running with it:
root@qemux86-64:~# sfconvert poc.wav output format wave
Audio File Library: Bad number of coefficients [error 62]
Could not open file 'poc.wav' for reading.
[1] https://github.com/mpruett/audiofile/issues/56
[2] c48e4c6503
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 68f55c158e)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This is an inactive project, so no official CVE fix will be available
anymore. That however does not mean that there is no fix available.
The following tries to prove that the patch provided here is valid.
NVD CVE report [1] links issue [2] where this is reported.
Based on the report, a fix was proposed in [3].
There was some review; however, the patch author was not active.
[4] was later created trying to address the comments, but the project
was not active anymore. In this PR the patch was shrunk to a one-liner
in discussion.
I have tested the poc and it is real.
The patch fixes it, while not breaking the execution if a good file path
is provided as argument.
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-43361
[2] https://github.com/xiph/vorbis-tools/issues/41
[3] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7
[4] https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/8
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 67d94fecb0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Use patch from buildroot:
844a7c6281
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 88faae83b2)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Use patch from buildroot:
bd5f84d301
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9d668989b1)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Use patch from buildroot:
434890df2a
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f29fbaa465)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
When building the `lapack` package, the following QA error occurs:
"File /usr/lib64/libblas.so.3.12.0 in package lapack contains reference to TMPDIR [buildpaths]"
The issue arises because the `xerbla.o` object file embeds the absolute host path of `xerbla.f`.
This occurs during compilation, where the build command in `build.make` (generated by CMake) specifies:
`gfortran -c <absolute path>/xerbla.f -o`.
As a result, the absolute path is included in `xerbla.o`. Unfortunately, `gfortran` does not support
flags like `-fdebug-prefix-map` or `-ffile-prefix-map` to remove such paths.
To resolve this, the fix involves replacing the absolute path of `xerbla.f` in the generated
`build.make` file with a relative path before the compilation step. This ensures that the
resulting `xerbla.o` does not contain any references to TMPDIR, passing the `do_package_qa` check.
For ptest code, the solution is to replace `${WORKDIR}` with `../../..` in the generated `build.make`
files located in the TESTING directory.
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b617496fb0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Take patch from Debian:
2366e1f23d
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit f4a6966bf0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Take patch from Debian:
38db99c12e
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 066cf35ae5)
[Fixup for styhead context]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
- Release Notes
* database
- fix integer overflows with 64-bit inode numbers
* filter
- ffmpeg: fix for filters producing no output
* support libfmt 11
* support ICU 76
- Drop ICU-76 support patch; it's already in this release
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e7ca3cedb0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
After fixing the TMPDIR [buildpaths] warning, a segmentation fault occurs
while running the gphoto2 command.
It seems 'sed' is primarily designed for text processing. When running
'sed' on a binary, it may overwrite or corrupt critical parts of the
binary.
> root@qemux86-64:~# gphoto2 -v
> Segmentation fault
Signed-off-by: Hieu Van Nguyen <hieu2.nguyen@lge.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
gimptool is used in GIMP plugin compilation. It does need a CC
definition; provide it as the current CC with "--sysroot=..." removed.
gimptool also needs the gimp .pc file which is in gimp-dev. Split
gimptool into its own package to avoid circular dependencies.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 061f5c7f82)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
fixes:
| ../eog-47.0/help/meson.build:45:6: ERROR: Program 'itstool' not found or not executable
|
| A full log can be found at /home/flk/poky/build/tmp/work/corei7-64-poky-linux/eog/47.0/build/meson-logs/meson-log.txt
| ERROR: meson failed
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b523303f78)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
fixes:
| Configuring org.gnome.Geary.service using configuration
| Program itstool found: NO
|
| ../git/help/meson.build:21:6: ERROR: Program 'itstool' not found or not executable
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 34962ffbbe)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This will remove false-positive CVE-2024-50655 from reports.
There are different emlog components from other vendors around.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d8d45d9093)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Per [1] this is a problem of applications using memcached improperly.
This should not be a CVE against php-memcached, but for whatever
software the issue was actually found in. php-memcached and
libmemcached provide a VERIFY_KEY flag if they're too lazy to
filter untrusted user input.
[1] https://github.com/php-memcached-dev/php-memcached/issues/519
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 889ccce684)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This CVE is officially disputed by Red Hat with an official statement in
https://nvd.nist.gov/vuln/detail/CVE-2007-0086
Red Hat does not consider this issue to be a security vulnerability.
The potential attacker has to send acknowledgement packets periodically
to make server generate traffic. Exactly the same effect could be
achieved by simply downloading the file. The statement that setting the
TCP window size to arbitrarily high value would permit the attacker to
disconnect and stop sending ACKs is false, because Red Hat Enterprise
Linux limits the size of the TCP send buffer to 4MB by default.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit da2b5e8b93)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This is a Debian-specific CVE.
NVD tracks this CVE as version-less.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 87a1bcc149)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This is a Gentoo-specific CVE.
NVD tracks this as version-less CVE.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 36a7e409d8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Our hash does not point to an exact tag and the CVE patch is already in.
We use: 33a8a275928b186381bb0aea0f9778e330e57ec3
Fix: 60b813a770
git describe --tags --match=v0.2 33a8a275928b186381bb0aea0f9778e330e57ec3 60b813a770e42fdb0e85c1d2da7a55327784b8d6
v0.2-262-g33a8a27
v0.2-85-g60b813a
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e5a12d5252)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
NVD tracks this as version-less CVE for spice.
It was fixed by [1] and [2] included in 0.13.2.
[1] 6b32af3e17
[2] 359ac42a7a
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 073e845274)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
These were not updated on recipe upgrade.
To make maintenance easier, remove exact versions.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 0e7733f1b8)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
These CVEs are specific to Debian and Mac OS X respectively.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1b86a60f62)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This CVE is for VMware ACE.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9bd6efd135)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Add exact CPE name (from NVD database) in CVE_PRODUCT in order to ensure
CVE filtering and not be disturbed by potential future false-positive CVEs.
Signed-off-by: Benjamin Bouvier <benjamin.bouvier@ekinops.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d03002f19c)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This removes false positive CVE-2024-21485 from CVE reports.
$ sqlite3 nvdcve_2-2.db
sqlite> select * from products where product = 'dash';
CVE-2009-0854|dash|dash|0.5.4|=||
CVE-2024-21485|plotly|dash|||2.13.0|<
CVE-2024-21485|plotly|dash|2.14.0|>=|2.15.0|<
Our dash:dash did not reach major version 1 yet.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit e1427013e0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
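
The two CVE_PRODUCT commits above (exact CPE name, and dash:dash versus plotly's dash) rest on the same matching rule. It is sketched below as an added example, not code from the layer or from the cve-check class. The rows are copied from the sqlite3 output quoted above; the column names other than `product`, the simplified version comparison and the recipe version 0.5.12 are assumptions made for illustration.

```python
import sqlite3

# Rows copied from the sqlite3 output quoted in the commit message above.
ROWS = [
    ("CVE-2009-0854", "dash", "dash", "0.5.4", "=", "", ""),
    ("CVE-2024-21485", "plotly", "dash", "", "", "2.13.0", "<"),
    ("CVE-2024-21485", "plotly", "dash", "2.14.0", ">=", "2.15.0", "<"),
]

OPS = {
    "=": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}

def vkey(version):
    """Dotted-number comparison key (simplified; an assumption, not bitbake's vercmp)."""
    return tuple(int(part) for part in version.split("."))

def row_matches(version, v_start, op_start, v_end, op_end):
    """True when the version falls inside the range described by one products row."""
    v = vkey(version)
    start_ok = not op_start or OPS[op_start](v, vkey(v_start))
    end_ok = not op_end or OPS[op_end](v, vkey(v_end))
    return start_ok and end_ok

def open_db():
    """In-memory stand-in for nvdcve_2-2.db; column names are assumed."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE products (id TEXT, vendor TEXT, product TEXT, "
        "version_start TEXT, operator_start TEXT, "
        "version_end TEXT, operator_end TEXT)"
    )
    db.executemany("INSERT INTO products VALUES (?,?,?,?,?,?,?)", ROWS)
    return db

def applicable_cves(db, cve_product, version):
    """cve_product is 'product' or 'vendor:product', the two CVE_PRODUCT forms."""
    vendor, _, product = cve_product.rpartition(":")
    query = ("SELECT id, version_start, operator_start, version_end, operator_end "
             "FROM products WHERE product = ?")
    args = [product]
    if vendor:  # a vendor-qualified name narrows the match to one CPE vendor
        query += " AND vendor = ?"
        args.append(vendor)
    rows = db.execute(query, args)
    return sorted({r[0] for r in rows if row_matches(version, *r[1:])})
```

With the constructed version 0.5.12, matching on the bare product name reports CVE-2024-21485 because 0.5.12 is below 2.13.0, while the vendor-qualified name reports nothing.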