meta-openembedded: scarthgap merge #99
Closed
usercw88 wants to merge 34 commits into
A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.
Reference: https://security-tracker.debian.org/tracker/CVE-2025-4878
Upstream-patches:
https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1
https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.
Reference: https://security-tracker.debian.org/tracker/CVE-2025-5987
Upstream-patch: https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=90b4845e0c98574bbf7bea9e97796695f064bf57
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
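The return-code aliasing described in the CVE-2025-5987 commit message above, as an added illustration that is not part of this pull request or of libssh's source. `mock_cipher_init`, `set_key_flawed` and `set_key_fixed` are hypothetical names, and the mock only imitates the OpenSSL convention of returning 1 on success and 0 on failure.

```c
#include <stdio.h>

#define SSH_OK     0   /* libssh convention: 0 is success */
#define SSH_ERROR -1

/* Hypothetical stand-in for an OpenSSL-style init call, which returns
 * 1 on success and 0 on failure (e.g. an allocation failed inside). */
static int mock_cipher_init(int alloc_fails, int *ctx_ready)
{
    *ctx_ready = alloc_fails ? 0 : 1;  /* 0: context only partly set up */
    return alloc_fails ? 0 : 1;
}

/* Flawed pattern: the library's return value is stored in the same
 * variable that is later returned as the SSH status. */
static int set_key_flawed(int alloc_fails, int *ctx_ready)
{
    int ret = SSH_ERROR;
    ret = mock_cipher_init(alloc_fails, ctx_ready);
    if (ret != 1) {
        goto out;          /* ret is 0 here, which equals SSH_OK */
    }
    ret = SSH_OK;
out:
    return ret;
}

/* Corrected pattern: keep the library result in its own variable and
 * only set the SSH status to SSH_OK on the success path. */
static int set_key_fixed(int alloc_fails, int *ctx_ready)
{
    int ret = SSH_ERROR;
    int rv = mock_cipher_init(alloc_fails, ctx_ready);
    if (rv != 1) {
        goto out;          /* ret is still SSH_ERROR */
    }
    ret = SSH_OK;
out:
    return ret;
}

int main(void)
{
    int ready;
    printf("flawed, init fails: rc=%d\n", set_key_flawed(1, &ready));
    printf("fixed,  init fails: rc=%d\n", set_key_fixed(1, &ready));
    return 0;
}
```

When reviewing a backport like this one, the thing to check is that no value returned by the crypto library is ever passed through unchanged as the function's own status code.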
Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
CVE-2025-54350: In iperf before 3.19.1, iperf_auth.c has a Base64Decode assertion failure and application exit upon a malformed authentication attempt.
Reference: [https://nvd.nist.gov/vuln/detail/CVE-2025-54350]
Upstream patches: [esnet/iperf@4eab661]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Fix the following runtime error:
./build_support/src/sniff_mq_prio_max: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./build_support/src/sniff_mq_prio_max)
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
ChangeLog: https://raw.githubusercontent.com/wxWidgets/wxWidgets/v3.2.6/docs/changes.txt
* Drop 0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch as it has been merged upstream
* Refresh patches
* Add UPSTREAM_CHECK_GITTAGREGEX
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(master rev: 903ed68)
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
CVE-2024-58249: In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL.
Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-58249]
Upstream patches: [wxWidgets/wxWidgets@f2918a9]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(walnascar rev: d3d3df4)
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Gutenprint install hooks run in parallel but depend on each other. This is a race condition and might trigger a build failure (e.g. on AB [0]):
| chmod 700 $WORKDIR/image/usr/libexec/cups/backend/backend_gutenprint
| chmod: cannot access '$WORKDIR/image/usr/libexec/cups/backend/backend_gutenprint': Not a directory
| make[5]: *** [Makefile:2166: install-exec-hook] Error 1
Fixes this by adding an explicit dependency between the dependent targets.
[0]: https://autobuilder.yoctoproject.org/valkyrie/#/builders/87/builds/46/steps/33/logs/stdio
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
This fixes an installation error:
| make[5]: Entering directory '.../tmp/work/corei7-64-oe-linux/gutenprint/5.3.4/build/src/cups'
| chmod 700 .../tmp/work/corei7-64-oe-linux/gutenprint/5.3.4/image/usr/libexec/cups/backend/backend_gutenprint
| chmod: cannot access '.../tmp/work/corei7-64-oe-linux/gutenprint/5.3.4/image/usr/libexec/cups/backend/backend_gutenprint': No such file or directory
Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
When creating sparse images, the RAW image is no longer needed in
some workflows such as Android and CI pipelines. These RAW images
can be multi-GB artifacts and consume significant disk space.
This change introduces a configuration option
`DELETE_RAWIMAGE_AFTER_SPARSE_CMD` which, when set to "1",
removes the RAW image after sparse image generation.
This reduces disk usage in builds where sparse images are the
final deliverables and RAW images are not required.
Default behavior is unchanged: RAW images are kept unless the
variable is explicitly enabled:
DELETE_RAWIMAGE_AFTER_SPARSE_CMD = "1" # Delete RAW image
DELETE_RAWIMAGE_AFTER_SPARSE_CMD = "0" # Default behavior
(cherry-picked from f5246b7 in master)
Signed-off-by: AshishKumar Mishra <emailaddress.ashish@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Upstream Repository: https://git.libssh.org/projects/libssh.git/
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8114
Type: Security Fix
CVE: CVE-2025-8114
Score: 4.7
Patch: https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
fixes CVE-2025-54090 Changelog: https://downloads.apache.org/httpd/CHANGES_2.4.65 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Upstream Repository: https://github.com/DaveGamble/cJSON.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57052
Type: Security Fix
CVE: CVE-2025-57052
Score: 9.8
Patch: DaveGamble/cJSON@74e1ff4994aa
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Upstream-Status: Backport uclouvain/openjpeg@f809b80 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit 5d0643f) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Pick commit from PR [1] linked from [2] and [3] which also mentions both these CVEs.
[1] fontforge/fontforge#5367
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-25081
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-25082
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 1e6dbd1)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Pick commit referencing this CVE. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit 6e86e0d) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
When building an SDK with lcov included, gcov isn't included in the SDK by default. Running lcov to generate coverage fails, because it tries to use the gcov binary from the host system instead and that causes problems if the gcc versions do not match.
Signed-off-by: Jef Driesen <jefdriesen@telenet.be>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
(cherry picked from commit 0cd6283)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
The currently generated LibVNCServerTargets.cmake will include the
following 'set_target_properties':
    set_target_properties(LibVNCServer::vncclient PROPERTIES
      INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include"
      INTERFACE_LINK_LIBRARIES "systemd;/usr/lib/libz.so;/usr/lib/liblzo2.so;/usr/lib/libjpeg.so;/usr/lib/libgcrypt.so;/usr/lib/libgnutls.so"
    )
INTERFACE_LINK_LIBRARIES here points to absolute paths which hardcodes
the library paths. From CMake doc [1]:
Note that it is not advisable to populate the INTERFACE_LINK_LIBRARIES
of a target with absolute paths to dependencies. That would hard-code
into installed packages the library file paths for dependencies as
found on the machine the package was made on.
This breaks krfb build (kde desktop sharing server) since CMake cannot
find these libraries. Removing the absolute paths solves the issue.
Note: I also added a 'inherit pkgconfig' since libvncserver uses it to
detect libsystemd presence.
1: https://cmake.org/cmake/help/latest/prop_tgt/INTERFACE_LINK_LIBRARIES.html
Signed-off-by: Marc Ferland <marc.ferland@sonatest.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2156942)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
It was missing as the recipe is using --with-tirpc Signed-off-by: Khem Raj <raj.khem@gmail.com> Adapted for Walnascar Signed-off-by: Gyorgy Sarvari <gyorgy.sarvari@gmail.com> (cherry picked from commit 8832aa3) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Change the SRC_URI to the correct value due to the following error:
ERROR: geoip-1.6.12-r0 do_fetch: Bitbake Fetcher Error: FetchError('Unable to fetch URL from any source.', 'http://sources.openembedded.org/GeoIP.dat.20181205.gz;apply=no;name=GeoIP-dat;')
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit aadc2ac)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Default branch is renamed from `master` to `main`. Commit SHAs are the same.
Signed-off-by: Jeroen Knoops <jeroen.knoops@philips.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 58679b6)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Upstream repository url changed. Fixes unsuccessful fetch warning. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit c400aca) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Upstream repository url changed. Fixes unsuccessful fetch warning. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 10c13bf) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Original URI is not accessible anymore Drop md5sum Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit ceb9160) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Some portions are built using host CC, which is important when doing cross compile to pass correct flags otherwise it fails when using newer host compiler e.g. gcc-14 Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 32eb262) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Newer compilers e.g. clang19+ will treat implicit function prototypes
as errors, therefore define main() with a valid return type
Fixes
ckwart.c:531:1: error: return type defaults to ‘int’ [-Wimplicit-int]
531 | main(argc,argv) int argc; char **argv; {
| ^~~~
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9813fb5)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Also fix native pieces to build with gcc-14 while here Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit f8ece96) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit a7d9829) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Take patch from Debian. https://sources.debian.org/data/main/p/procmail/3.22-20%2Bdeb7u1/debian/patches/CVE-2014-3618.patch Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 8378820) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Take patch from Debian. https://sources.debian.org/data/main/p/procmail/3.22-26%2Bdeb10u1/debian/patches/30 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 3d97f4c) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
aids building on newer build hosts which now have moved to gcc-14 as well, so using cmdline option just for target compile is not enough as it runs tests using host compiler as well Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 6d13c58) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Without the option -Wno-implicit-int, the following error will occur and the command procmail will not be installed to target.
lmtp.c:54:8: error: type defaults to 'int' in declaration of 'ctopfd' [-Wimplicit-int]
54 | static ctopfd;
| ^~~~~~
make[1]: [Makefile:239: lmtp.o] Error 1 (ignored)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit d23de74)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Can Wong <can.wong@emerson.com>
This reverts commit d9e2cae. [cawong: CVE-2025-57052 patch only required for cjson version 1.7.18 and older. Removing for 1.7.19] Signed-off-by: Can Wong <can.wong@emerson.com>
695c346 to
07e70e2
Author
@chaitu236 As a part of this PR, I "Manually reverted cjson 1.7.18: Fix - repo contains cjson 1.7.19"

Merged #98 instead of this as we want to keep upstream's version to avoid merge conflicts in cjson in future.
This is the periodic merge with nilrt/master/scarthgap. The merge was performed manually and there were no conflicts.
No merge conflicts.
Manually reverted cjson 1.7.18: Fix - repo contains cjson 1.7.19
AB#3262134
Testing
Procedure