Introduce new packageconfig to explicitly avoid compilation of
experimental code. Note that the code was not compiled by default also
before this patch, this now makes it explicit and makes it possible to
check for the flags in cve-check code.
This is less intrusive change than a patch removing the code which was
rejected in patch review.
This will solve CVE-2025-59777 and CVE-2025-62689 as the vulnerable code
is not compiled by default.
Set appropriate CVE status for these CVEs based on new packageconfig.
(From OE-Core rev: 9e3c0ae261afb7b9ff9528dbc147fb6c89d5a624)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
SPDX_VERSION is used in DEPLOY_DIR_SPDX but if is not defined,
will default to SPDX-1.1
Define SPDX_VERSION to have the correct deploy path, to align
with master branch behaviour.
The change in path was introduced in 8996d0899d
CC: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
CC: JPEWhacker@gmail.com
(From OE-Core rev: 04cc49593a0ba2c51e4f4d477d4587079735b624)
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Due to what looks like a copy'n'paste mistake, the environment setup script
might override 'CURL_CA_BUNDLE' from the host env instead of leaving it
untouched. Fix that.
(cherry picked from commit 545e43a7a45be02fda8fc3af69faa20e889f58c4)
CC: changqing.li@windriver.com
CC: raj.khem@gmail.com
CC: Peter.Marko@siemens.com
(From OE-Core rev: ef198b0c6063ede32cb93fe44eb89937c076a073)
Signed-off-by: Moritz Haase <Moritz.Haase@bmw.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per NVD report.
Add two patches to apply it cleanly.
(From OE-Core rev: 4e03bed20bceb455cb46dcf9564ad5a8525b207d)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per NVD report.
(From OE-Core rev: e8fbb7521e0113c467e07ba473a46612709c5311)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per NVD report.
(From OE-Core rev: f3bdbd782eed2b597927df489a7d38a22fbba5ed)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit per NVD report.
Add two patches to apply it cleanly.
(From OE-Core rev: 285a495b8b0e8fa93a0a0884f466f1adca76a28a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If the value passed to os.path.expandvars() is user-controlled a
performance degradation is possible when expanding environment variables.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-6075
Upstream-patch:
9ab89c026a
(From OE-Core rev: 5313fa5236cd3943f90804de2af81358971894bc)
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Rootfs VEX file is created by gathering files from CVE_CHECK_DIR
(deploy directory), however recipes generate the files only in
CVE_CHECK_DIR (log directory).
This make the rootfs VEX be always empty without any message.
The code is copied from cve_check class, which writes to both, so let
keep them aligned and make also vex write both files.
Also add a warning for case that a cve file would be still missing.
(From OE-Core rev: 7493eeed6d53bc704f558a0ccf8a0b5195381873)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ee6541d0940c65685aaafd7d41a59a9406392e7d)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If spdx is generated without inheriting cve/vex classes (which is poky
default), only explicitly set CVE_STATUS fields are handled.
Calculated ones (e.g. from CVE_STATUS_GROUPS) are ignored.
Fix this by expanding the CVE_STATUS in spdx classes.
(From OE-Core rev: 23a4e02542252657fa45fd4a605aec0af9178e0b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ead9c6a8770463c21210a57cc5320f44f7754dd3)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The same code for extending CVE_STATUS by CVE_CHECK_IGNORE and
CVE_STATUS_GROUPS is used on multiple places.
Create a library function to have the code on single place and ready for
reuse by additional classes.
Conflicts:
meta/classes/cve-check.bbclass
meta/lib/oe/cve_check.py
(From OE-Core rev: ddd295c7d4c313fbbb24f7a5e633d4adfea4054a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 45e18f4270d084d81c21b1e5a4a601ce975d8a77)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The "vex" class generates the minimum information that is necessary
for VEX generation by an external CVE checking tool. It is a drop-in
replacement of "cve-check". It uses the same variables from recipes
to make the migration and backporting easier.
The goal of this class is to allow generation of the CVE list of
an image or distribution on-demand, including the latest information
from vulnerability databases. Vulnerability data changes every day,
so a status generated at build becomes out-of-date very soon.
Research done for this work shows that the current VEX formats (CSAF
and OpenVEX) do not provide enough information to generate such
rolling information. Instead, we extract the needed data from recipe
annotations (package names, CPEs, versions, CVE patches applied...)
and store for later use in the format that is an extension of the
CVE-check JSON output format.
This output can be then used (separately or with SPDX of the same
build) by an external tool to generate the vulnerability annotation
and VEX statements in standard formats.
When back-porting this feature, the do_generate_vex() had to be modified
to use the "old" get_patched_cves() API.
(From OE-Core rev: 123a60bc19987e99d511b1f515e118022949be7e)
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6352ad93a72e67d6dfa82e870222518a97c426fa)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
In scarthgap, the `oe.cve_check.get_patched_cves()` method only returns
CVEs with a "Patched" status. We want to retrieve all annotations,
including those with an "Ignored" status. Therefore, to avoid modifying
the current API, we integrate the logic for retrieving all CVE_STATUS
values directly into `spdx30_task`.
(From OE-Core rev: 9a204670b1c0daedf1ed8ff944f8e5443b39c8f7)
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This reverts part of commit 4859cdf97fd9a260036e148e25f0b78eb393df1e.
Modification of meta/classes/create-spdx-2.2.bbclass is not backported,
so no need to consider it.
In the commit, it updates spdx according to bitbake change. But the
bitbake commit
* 2515fbd10 fetch: Drop multiple branch/revision support for single git urls
doesn't backport for scarthgap.
So revert the other parts of the commit 4859cdf97fd9a260036e148e25f0b.
(From OE-Core rev: f3bfb98d1cf928678d9931308c116e9e6ec64ba5)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We have a machine-generated Releases page[1] which is preferable to the
wiki.
[1] https://www.yoctoproject.org/development/releases/
(From yocto-docs rev: 5af5e64e42732c0919cad499e79ff35ca4255a86)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 46a9172fd17aa518028e35b8c874e74889079094)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The original PNG had a typo (YP-Comptible instead of YP-Compatible).
Instead of patching a PNG, let's migrate to an SVG with the typo already
fixed.
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
(From yocto-docs rev: fd023b25026b562ff2de972a44bd2c773470208f)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 9f3c2a9113b329f7efdd22d3b3fbe272a44bc654)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
We should recommend using bitbake-getvar command wherever possible as
its output is much less confusing and overwhelming than bitbake -e.
Unfortunately, bitbake-getvar currently doesn't list Python tasks or
functions, unlike bitbake -e, so keep the latter for some corner cases.
[AG: Moroever -> Moreover typo fix]
(From yocto-docs rev: 3f1ca1c3ef60dfabe5b2a2c6e53d14edad64fb06)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 41e4e05369c4e028c679749b7b62434327927a09)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Wherever possible, we should use bitbake-getvar as it's the recommended
tool so let's do that.
(From yocto-docs rev: b9453c7ce44a6bcae7cdc05f2b2cd47b525726e9)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 2293a3f2767895e9fb5c3e8f3ec11bb4951a7127)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
It's recommended to use bitbake-getvar for a few releases now so let's
use that instead of bitbake -e.
While at it, use a cross-reference for "OpenEmbedded Build System".
(From yocto-docs rev: 29836a95c01cdb99c38802f55a92f32377b8c524)
Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 54585646d8220f8de1ba2c7246cb3f2fcbc59583)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Makes it more clear that the configuration fragment can also be used to
disable a configuration.
(From yocto-docs rev: a586a0ecacb4e40f4f3aeeb01dbefbdfcee8ae35)
Signed-off-by: Walter Werner SCHNEIDER <contact@schnwalter.eu>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit d38ef467081ee73bf23f240ace54b849a3a87612)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Fix typo "whith", should be "which".
(From yocto-docs rev: bec165a3505f298b668bcf2a0f03fb8dcfccc510)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit f98b25f7f7522cf223beb001cabef870d6dd8c10)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Replace the legacy call to 'bitbake -e' to get the value of a recipe's
variable with the newer call to 'bitbake-getvar'.
(From yocto-docs rev: 042c4cb8c6291be857a672144b573a5eb10f1ead)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit ed7c0766ef5f13b90943a69e64f8e8713d05e864)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Update the output of "recipetool -h" to include the missing "edit"
subcommand.
(From yocto-docs rev: 09039d05e485a842690f9f54930400e02eef1c2c)
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 092d688349b0b6bb10ae6fbbab7d82801964daf5)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The "show-machines" subcommand is not mentioned in the docs; add it.
(From yocto-docs rev: 98190334b2ad75421e8bf2cc84bd920311398670)
Signed-off-by: Robert P. J. Day <Crpjday@crashcourse.ca>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit b4320cdc4df08c59a24d5247b3895dd602554fa0)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Since nanbield (b34032ec "defaultsetup: Inherit create-spdx by
default"), the create-spdx class is pulled in by default, not only by
poky.
Adapt the text to reflect this and also change INHERIT to INHERIT_DISTRO
since this is the more concrete variable to modify for disabling
create-spdx.
[AG: fix conflicts]
(From yocto-docs rev: 4c47eb98e096121d71663342dde86b8c9256c9b5)
Signed-off-by: Enrico Jörns <ejo@pengutronix.de>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 2b6228943443faf76c9869a0daeccfe7f93688ca)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Currently meson inside eSDKs only works with fully populated eSDKs,
but our testing uses minimal eSDKS, so skip the test if the eSDK is a
minimal build. A bug has been filed to resolve this.
This is minimal change extracted from OE-Core commit which has this only
as a minor comment: 575e0bf52db0467d88af4b5fe467b682f10ca62a
(From OE-Core rev: 7cfacaee1b3319e561036512a849e762d0f68a5e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The tests do not use scp command, so openssh-scp is not needed.
(From OE-Core rev: 4e10e7848cb10307f133f181b41563c995df032a)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The test are skipped if architecture contains dash because TARGET_ARCH
contains underscore while package name contains dash. Here the
translation needs to be done.
Note that poky distro default arch has dash:
MACHINE="qemux86-64"
TARGET_ARCH="x86_64"
ERROR: Nothing PROVIDES 'go-cross-canadian-x86_64'. Close matches:
gcc-cross-canadian-x86-64
gdb-cross-canadian-x86-64
go-cross-canadian-x86-64
TRANSLATED_TARGET_ARCH="x86-64"
Quoting meta/classes-recipe/cross-canadian.bbclass:
TRANSLATED_TARGET_ARCH is added into PN
(From OE-Core rev: 82a46b70bfba7c4ce4fd20e2658b182b03e55037)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
ARCH_MAP is duplicating an existing map in meta/lib/oe/go.py
use oe.go map_arch instead.
(From OE-Core rev: c2ba36f41777d347fd5ffcd9b6862638e5f35a1b)
(From OE-Core rev: 21f3a6c661307eab5530b51704c3a338013c9c5c)
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
extend go runtime test with a simple test file, and simple
go module test to validate go compilation and execution on
target.
(From OE-Core rev: e3b2b9170f76f4bbdc41ea6ba7bccffc17d01968)
(From OE-Core rev: bda3e3711f84394423c15f48fb4e75258fec199a)
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
- Add meta/lib/oeqa/sdk/cases/go.py with GoCompileTest and GoHostCompileTest classes
- Test validates Go cross-compilation toolchain functionality
- Includes native compilation, cross-compilation, and Go module support
- Uses dynamic architecture detection for portability
(From OE-Core rev: 17015f692a6bf3697a89db51bbc4673a5efa1497)
(From OE-Core rev: 506f4e8c99b164673ba7d1c19e10d240f4df0376)
Signed-off-by: Osama Abdelkader <osama.abdelkader@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The default assignments look like this:
TARGET_GO386 = "${@go_map_386(d.getVar('TARGET_ARCH'), d.getVar('TUNE_FEATURES'), d)}"
TUNE_FEATURES is a target-specific variable, and so should be used
only for target builds. The change is similar to what is already done
for native packages.
(From OE-Core rev: cfff8e968257c44880caa3605e158764ed5c6a2a)
(From OE-Core rev: e8d475b9b6d7b1ac3b0cfe367faabc07deb663b0)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Add a comment explaining what this function does and where the values
come from.
If the architecture isn't know, instead of returning an empty string
which could fail mysteriously, raise a KeyError so it fails quickly.
(From OE-Core rev: 025414c16319b068df1cd757ad9a3c987a6b871d)
(From OE-Core rev: e6de433ccb2784581d6c775cce97f414ef9334b1)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The SDK manifests are generated by listing the sstate was that used, but
it hardcodes that the sstate data filenames end in .tgz.
This has not been the case since sstate switched to Zstd[1] in 2021,
which meant that all of the tests which checked for packages existing
were being skipped as the manifests were empty. For example, see a
representative core-image-sato eSDK test run[2]:
RESULTS - cmake.CMakeTest.test_assimp: SKIPPED (0.00s)
RESULTS - gtk3.GTK3Test.test_galculator: SKIPPED (0.00s)
RESULTS - kmod.KernelModuleTest.test_cryptodev: SKIPPED (0.00s)
RESULTS - maturin.MaturinDevelopTest.test_maturin_develop: SKIPPED (0.00s)
RESULTS - maturin.MaturinTest.test_maturin_list_python: SKIPPED (0.00s)
RESULTS - meson.MesonTest.test_epoxy: SKIPPED (0.00s)
RESULTS - perl.PerlTest.test_perl: SKIPPED (0.00s)
RESULTS - python.Python3Test.test_python3: SKIPPED (0.00s)
All of those tests should have been ran.
Solve this by generalising the filename check so that it doesn't care
what specfic compression algorithm is used.
[1] oe-core 0710e98f40e ("sstate: Switch to ZStandard compressor support")
[2] https://autobuilder.yoctoproject.org/valkyrie/#/builders/16/builds/1517/steps/15/logs/stdio
(From OE-Core rev: 062a525bd36c672f372dabe8d9f0fbe355c7e58b)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Following the usage of TEST_SUITES in testimage, add TESTSDK_SUITES to
specify the list of tests to execute. By default the variable is empty,
which means to run all discovered tests.
This makes it easier to work on a single test without having to run all
of the tests.
(From OE-Core rev: 28d437c52c77889b2ede0fc2f2d6777c5b0a553d)
(From OE-Core rev: a93e21419476658f24220193fb0183efeb7a184f)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport a patch that fixes a compilation failure with gcc15:
| .../git/SPIRV/SpvBuilder.h:238:30: error: ‘uint32_t’ has not been declared
| 238 | Id makeDebugLexicalBlock(uint32_t line);
| | ^~~~~~~~
| .../git/SPIRV/SpvBuilder.h:64:1: note: ‘uint32_t’ is defined in header ‘<cstdint>’; this is probably fixable by adding ‘#include <cstdint>’
(From OE-Core rev: cd0039c22d7aa3d6983ac6fe917b648930355849)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
If TCLIBC='baremetal' is set in local.conf, nativesdk-libstd-rs build fails
with:
| error[E0412]: cannot find type `c_char` in the crate root
| --> /usr/src/debug/libstd-rs/1.75.0/rustc-1.75.0-src/vendor/libc/src/unix/mod.rs:56:29
| |
| 6 | pub type c_schar = i8;
| | ---------------------- similarly named type alias `c_schar` defined here
| ...
| 56 | pub gr_name: *mut ::c_char,
| | ^^^^^^
This happens because rust_gen_target() sets os="none" when TCLIBC is
'baremetal' - even for nativesdk targets. However, nativesdk packages are
built against glibc, so the correct 'os' value should be "linux".
Fix this by setting the os field based on {TARGET,HOST,BUILD}_OS variables,
as it is already done in rust_base_triple(), instead of relying on TCLIBC.
(From OE-Core rev: 4c3f321304f2aa8b75cb58699b59fea80a23690c)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(master rev: 3eaf2cd5647585a1e6df03fc20e2753da27bb692) -- backport
Signed-off-by: Stefan Ghinea <stefan.ghinea@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was identified in the X.Org X serverâ\x80\x99s X Keyboard
(Xkb) extension where improper bounds checking in the XkbSetCompatMap()
function can cause an unsigned short overflow. If an attacker sends
specially crafted input data, the value calculation may overflow,
leading to memory corruption or a crash.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-62231
Upstream patch:
3baad99f9c
(From OE-Core rev: 97326be553f3fec8fbda63a8b38d18f656425b2c)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was discovered in the X.Org X serverâ\x80\x99s X Keyboard
(Xkb) extension when handling client resource cleanup. The software
frees certain data structures without properly detaching related
resources, leading to a use-after-free condition. This can cause
memory corruption or a crash when affected clients disconnect.
Reference:
3baad99f9c
Upstream patches:
865089ca7087fe255393
(From OE-Core rev: 5d98bca7ca76964a6bf7efb7cf8331b9f518ad00)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A flaw was found in the X.Org X server and Xwayland when processing
X11 Present extension notifications. Improper error handling during
notification creation can leave dangling pointers that lead to a
use-after-free condition. This can cause memory corruption or a crash,
potentially allowing an attacker to execute arbitrary code or cause a
denial of service.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-62229
Upstream patch:
5a4286b13f
(From OE-Core rev: 3d606cc94e5ce42b836878578fa271a72bc76015)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
>From https://lists.x.org/archives/xorg-announce/2025-October/003635.html:
1) CVE-2025-62229: Use-after-free in XPresentNotify structures creation
Using the X11 Present extension, when processing and adding the
notifications after presenting a pixmap, if an error occurs, a dangling
pointer may be left in the error code path of the function causing a
use-after-free when eventually destroying the notification structures
later.
Introduced in: Xorg 1.15
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/5a4286b1
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
2) CVE-2025-62230: Use-after-free in Xkb client resource removal
When removing the Xkb resources for a client, the function
XkbRemoveResourceClient() will free the XkbInterest data associated
with the device, but not the resource associated with it.
As a result, when the client terminates, the resource delete function
triggers a use-after-free.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/99790a2chttps://gitlab.freedesktop.org/xorg/xserver/-/commit/10c94238
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
3) CVE-2025-62231: Value overflow in Xkb extension XkbSetCompatMap()
The XkbCompatMap structure stores some of its values using an unsigned
short, but fails to check whether the sum of the input data might
overflow the maximum unsigned short value.
Introduced in: X11R6
Fixed in: xorg-server-21.1.19 and xwayland-24.1.9
Fix: https://gitlab.freedesktop.org/xorg/xserver/-/commit/475d9f49
Found by: Jan-Niklas Sohn working with Trend Micro Zero Day Initiative.
(From OE-Core rev: 50b9c34ba932761fab9035a54e58466d72b097bf)
(From OE-Core rev: f5a10c4950ccb5570c72eb0a09618b7b3523bc39)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
