Line directives ("//line") can be used to bypass the restrictions on
"//go:cgo_" directives, allowing blocked linker and compiler flags to
be passed during compilation. This can result in unexpected execution
of arbitrary code when running "go build". The line directive requires
the absolute path of the file in which the directive lives, which makes
exploiting this issue significantly more complex.
Made below changes for Go 1.17 backport:
- drop the modifications of test codes
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39323
Upstream-patch:
e7c142a19d
(From OE-Core rev: 62f4c3aec8f80a259472ce19104596d08741c101)
Signed-off-by: Libo Chen <libo.chen.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
CVE-2025-10158:
A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-10158]
Upstream patch:
[797e17fc4a]
(From OE-Core rev: fe4bea86b27551edbe7440ff47041b6d45b2f4e1)
Signed-off-by: Liyin Zhang <liyin.zhang.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch to fix CVE-2025-12464.
Reference: https://gitlab.com/qemu-project/qemu/-/commit/a01344d9d7
(From OE-Core rev: 7ef40090719cab3fb9bda3f87a9d700d9b503e3e)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Since x86 .eh_frame section may reference _GLOBAL_OFFSET_TABLE_, keep
_GLOBAL_OFFSET_TABLE_ if there is dynamic section and the output
.eh_frame section is non-empty.
Backport a patch from upstream to fix CVE-2025-11494
Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a]
(From OE-Core rev: aa67c21a07dc180a0582be46e239dafd40017ba0)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Introduce new packageconfig to explicitly avoid compilation of
experimental code. Note that the code was not compiled by default also
before this patch, this now makes it explicit and makes it possible to
check for the flags in cve-check code.
This is less intrusive change than a patch removing the code which was
rejected in patch review.
This will solve CVE-2025-59777 and CVE-2025-62689 as the vulnerable code
is not compiled by default.
Set appropriate CVE status for these CVEs based on new packageconfig.
(From OE-Core rev: 1d8e646aebe75b8ede51d4de9e0003a822992a33)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
ssh in OpenSSH before 10.1 allows control characters in usernames that
originate from certain possibly untrusted sources, potentially leading
to code execution when a ProxyCommand is used. The untrusted sources
are the command line and %-sequence expansion of a configuration file.
Note:
openssh does not support variable expansion until 10.0, so backport
adapts for this.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-61984
Upstream-Status: Backport from 35d5917652
(From OE-Core rev: 7ca0c7a4d17c707658669e255689ecd4183c7e9b)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The branch was renamed from master to main.
(From OE-Core rev: 80c7fd87fd95a79c6eb5f41b95cf70ccc70d9615)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The Reader.ReadResponse function constructs a response string through repeated
string concatenation of lines. When the number of lines in a response is large,
this can cause excessive CPU consumption.
(From OE-Core rev: 188dbac037809d6e8f0e1667f563fea997ea04b8)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The processing time for parsing some invalid inputs scales non-linearly with
respect to the size of the input. This affects programs which parse untrusted PEM inputs.
(From OE-Core rev: cfafebef95330e531ab7bb590e5fb566dd5a3dce)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled
information (the ALPN protocols sent by the client) which is not escaped.
(From OE-Core rev: b3f055df67cf345c9a17c5c1c874c778d538ba9e)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Due to the design of the name constraint checking algorithm, the processing time
of some inputs scale non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.
(From OE-Core rev: cea9fcf1b21b1b35b88986b676d712ab8ffa9d67)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commits per NVD report.
(From OE-Core rev: c46f841cdc8f7c1b0cce7da8fb587f65320a2163)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per NVD report.
(From OE-Core rev: 9694df176a13eeac174c7da2bcf8243969dbcda6)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per NVD report.
(From OE-Core rev: eb4af9b4cea963b650be217d33bc12f560ed84a6)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per NVD report.
Add two patches to apply it cleanly.
(From OE-Core rev: 1470546924765d134c83b50e62974f048614b121)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
While working on audiofile recipe from meta-oe, a test that is using flac
to convert a flac file failed with this particular version of the recipe.
Bisecting the issue pointed to a code snippet that later was modifed with the
patch that is introduced here: in version 1.3.4 there is a bug with seeking
in flac files, returning incorrect pointers.
This backported patch fixes this (and fixes the ptest also, that triggered this).
(From OE-Core rev: ceef3cde9b761b7b5de6f7b6b1fb8e99663af9ca)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If the value passed to os.path.expandvars() is user-controlled a
performance degradation is possible when expanding environment variables.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-6075
Upstream-patch:
892747b4cf
(From OE-Core rev: 9a7f33d85355ffbe382aa175c04c64541e77b441)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS
vulnerabilities when it parses an XML that has many specific characters
such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later
include the patches to fix these vulnerabilities.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41123
Upstream-patches:
2c39c91a654444a04eceebc3e85bfa6cac15d458e2546e6eca
(From OE-Core rev: 6b2a2e689a69deef6098f6c266542234e46fb24b)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some
DoS vulnerabilities when it parses an XML that has many specific characters
such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be
impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the
patches to fix these vulnerabilities. Users are advised to upgrade. Users
unable to upgrade should avoid parsing untrusted XML strings.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-39908
Upstream-patches:
f1df7d13b3d146162e9ab5bf109a59b8a5f4cd5c0af55fa49dc1b64c174e9f1415a261c33ea49810a79ac8b4b467efb5951e1f1e6e9b40910e5a2b48
(From OE-Core rev: 6e0b70843422cd7cdb25a9e1520dd64bf701fea6)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a
denial of service vulnerability when it parses an XML that has many
`<`s in an attribute value. Those who need to parse untrusted XMLs
may be impacted to this vulnerability. The REXML gem 3.2.7 or later
include the patch to fix this vulnerability. As a workaround, don't
parse untrusted XMLs.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-35176
Upstream-patch:
4325835f92
(From OE-Core rev: a89fcaf0c3ac2afd95e836bc1356832296135696)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
As the poky repository is no longer used, measurements are indexed using
the oe-core commit. But as bitbake, oe-core and meta-yocto are now
retrieved from separate gits, while measuring performances for a given branch
at some time interval, we can get the same commit for oe-core but
different ones for bitbake or meta-yocto. As a consequence, metadata
associated with the same index (oe-core commit) might differ.
To work around this, relax the equality checks for commit, commit_time
and commit_count since they might no longer match.
Ideally we'd group them into separate results but for now, treat them
as being the same.
[Based on work from Mathieu Dubois-Briand but fixed differently]
(From OE-Core rev: ff72b41a3f0bf1820405b8782f0d125cd10e3406)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e7dc42e30c76bf0fbb4d3cc019bbec675bac55fa)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability, which was classified as problematic, has been found in GNU elfutils
0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the
component eu-strip. The manipulation leads to denial of service. The attack needs to
be approached locally. The exploit has been disclosed to the public and may be used.
The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is
recommended to apply a patch to fix this issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-1377
Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=commit;h=fbf1df9ca286de3323ae541973b08449f8d03aba
(From OE-Core rev: e4e8392e688ceb0d8e68fe48118383c031178b5e)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A vulnerability classified as problematic was found in GNU elfutils 0.192. This
vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c
of the component eu-strip. The manipulation leads to denial of service. It is
possible to launch the attack on the local host. The complexity of an attack is
rather high. The exploitation appears to be difficult. The exploit has been
disclosed to the public and may be used. The name of the patch is
b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to
fix this issue.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-1376
Upstream patch:
https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918
(From OE-Core rev: 1126e5c1e63b876499c78ac403d1327645edf1c7)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We have a machine-generated Releases page[1] which is preferable to the
wiki.
[1] https://www.yoctoproject.org/development/releases/
(From yocto-docs rev: 492619059cbbe2d1ebc347c3e86072f32d7d064a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 46a9172fd17aa518028e35b8c874e74889079094)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The original PNG had a typo (YP-Comptible instead of YP-Compatible).
Instead of patching a PNG, let's migrate to an SVG with the typo already
fixed.
[AG: fix conflicts]
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
(From yocto-docs rev: bb9887a98bb64ebaa23b772fd0f3c22f13e996e7)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 9f3c2a9113b329f7efdd22d3b3fbe272a44bc654)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We should recommend using bitbake-getvar command wherever possible as
its output is much less confusing and overwhelming than bitbake -e.
Unfortunately, bitbake-getvar currently doesn't list Python tasks or
functions, unlike bitbake -e, so keep the latter for some corner cases.
[AG: Moroever -> Moreover typo fix]
(From yocto-docs rev: 382c8eee275eb4773d4e2183f5fe19837a6a3b0b)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 41e4e05369c4e028c679749b7b62434327927a09)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Wherever possible, we should use bitbake-getvar as it's the recommended
tool so let's do that.
(From yocto-docs rev: 7981bc2bd09b2d618563710474525febabaf6103)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 2293a3f2767895e9fb5c3e8f3ec11bb4951a7127)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
It's recommended to use bitbake-getvar for a few releases now so let's
use that instead of bitbake -e.
While at it, use a cross-reference for "OpenEmbedded Build System".
(From yocto-docs rev: 7f6dc007a888784a678859690dbfddd5a1fe28a0)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 54585646d8220f8de1ba2c7246cb3f2fcbc59583)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Makes it more clear that the configuration fragment can also be used to
disable a configuration.
(From yocto-docs rev: c4bfc16b2e13444547342204a6f75fd1cf343533)
Signed-off-by: Walter Werner SCHNEIDER <contact@schnwalter.eu>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit d38ef467081ee73bf23f240ace54b849a3a87612)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix typo "whith", should be "which".
(From yocto-docs rev: 1a54d05d8bd5484e17cbc060fc57fd2f7afb683f)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit f98b25f7f7522cf223beb001cabef870d6dd8c10)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Replace the legacy call to 'bitbake -e' to get the value of a recipe's
variable with the newer call to 'bitbake-getvar'.
(From yocto-docs rev: d7ef362307daf2e8d9b62ec895e080654abfef8b)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit ed7c0766ef5f13b90943a69e64f8e8713d05e864)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The "show-machines" subcommand is not mentioned in the docs; add it.
[AG: fix conflicts]
(From yocto-docs rev: 09bbdc6bc5f9ae77f120185d1324f1166ac1f9d5)
Signed-off-by: Robert P. J. Day <Crpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit b4320cdc4df08c59a24d5247b3895dd602554fa0)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update the output of "recipetool -h" to include the missing "edit"
subcommand.
(From yocto-docs rev: 2a85eab0c51a78ab00168e23274d479cf3aedb24)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 092d688349b0b6bb10ae6fbbab7d82801964daf5)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
