The recipe currently indicates that the cukinia package is licensed
under both GPLv3 AND Apache 2.0 licenses, but the upstream specifies
using it under GPLv3 OR Apache 2.0 license, at the user's choice.
Signed-off-by: Philip-Dylan Gleonec <philip-dylan.gleonec@savoirfairelinux.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit cb8908b91ead37c5d74b44f949c12c33354956a7)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
* it rdepends on TUNE_PKGARCH libgpiod-tools so it cannot be allarch
(or cukinia->libgpiod-tools needs to be added to SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS)
bitbake-diffsigs \
sstate-before/mako/all-webos-linux/cukinia/0.6.2.do_package_write_ipk.sigdata.630262028cb276fdac170d30a265aa72d4249f84a264e11ea676a5ab38f1cacc \
sstate-before/qemux86-64/all-webos-linux/cukinia/0.6.2.do_package_write_ipk.sigdata.5d193e43c71f1270d36075be6124bb70585bb682771cff644349c4a7ffd13605
Hash for task dependency libgpiod:do_packagedata changed from d3dffb55884b89470065c3eaf046563e2f306706400be396b022a470ceca1916 to 76e47aed399fdbd14db3c4b75ef2b83298322429f111175d4ca4f3f4c67eebf0
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1db563c31023bb64d94d34807547baf1d4f2923c)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The cukinia statement `cukinia_gpio_libgpiod` requires the `gpioinfo`
command. Alternatively, the deprecated sysfs GPIO API can be used with
`cukinia_gpio_sysfs`.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit deaa4c111fd3cb12dd7d6cba0550316d71dd8b07)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The recipe installs a shell script which does not depend on the
architecture. Inheriting allarch will make sure that the recipe is
built only once across different architectures.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 97c9e5c38d87785c80f824969eb530bcafcbf401)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Changes:
cukinia: add /proc/cmdline parameter check
cukinia: add test suite and class to csv
cukinia: add kernel config check in boot partition
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit daf73e7279da15ad2c29d95f9a8f01658a81f5d5)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
v2.13.10:
Fixes:
- Fixed issue with catch_discover_tests when there is multiple of 256 tests (#2401, #2503)
- Catch2-provided main and wmain are explicitly marked as __cdecl when compiled with MSVC (#2486, #2487)
- Improved break-into-debugger behaviour for ARM Macs. It should now be possible to step execution after the break (#2422)
- Replaced deprecated std::aligned_storage (#2419, #2420)
v2.13.9:
Fixes:
- Fixed issue with -# (filename-as-tag) flag when __FILE__ expands into filename without directories (#2328, #2393)
- Fixed CAPTURE macro not being variadic when disabled through CATCH_CONFIG_DISABLE (#2316, #2378)
v2.13.8:
Fixes:
- Made Approx::operator() const (#2288)
- Improved pkg-config files (#2284)
- Fixed warning suppression leaking out of Catch2 when compiled with clang.exe (#2280)
- The macro-generated names for things like TEST_CASE no longer create reserved identifiers (#2336)
Improvements:
- Clang-tidy should no longer warn about missing virtual dispatch in FilterGenerator's constructor (#2314)
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1bdab916b1fd70ce9196aedac319df5dd8b6dd15)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Use sed to change scripts to reference ${baselib}. The
former set of scripts modified was incomplete.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 1cc72c41af0c6a55a10be9158a2f856b02a56282)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Twisted is an event-based framework for internet applications. Prior to version
23.10.0rc1, when sending multiple HTTP requests in one TCP packet, twisted.web
will process the requests asynchronously without guaranteeing the response order.
If one of the endpoints is controlled by an attacker, the attacker can delay the
response on purpose to manipulate the response of the second request when a
victim launched two requests using HTTP pipeline. Version 23.10.0rc1 contains a
patch for this issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-46137
https://security-tracker.debian.org/tracker/CVE-2023-46137
Upstream patch:
1e6e9d23ca
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
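The response-order problem described in the CVE-2023-46137 message above, modelled as an added example (not Twisted's code or its upstream patch): two pipelined requests are handled concurrently, once with responses written as they finish and once with responses released in request order. The handler, delays and function names are assumptions made for the illustration.

```python
import asyncio

# Constructed input: two requests that arrived in one TCP segment.
# The delays are assumptions chosen so that the first request is the slow one.
PIPELINED = [("GET /slow", 0.05), ("GET /fast", 0.0)]


async def handle(request, delay):
    """Stand-in for an asynchronous resource render."""
    await asyncio.sleep(delay)
    return f"response to {request}"


async def serve_unordered(requests):
    """Behaviour the advisory describes: each response is written when ready."""
    wire = []

    async def run(request, delay):
        wire.append(await handle(request, delay))

    await asyncio.gather(*(run(r, d) for r, d in requests))
    return wire


async def serve_ordered(requests):
    """One way to keep order: run handlers, release results in request order."""
    tasks = [asyncio.create_task(handle(r, d)) for r, d in requests]
    return [await task for task in tasks]


def client_view(requests, wire):
    """A pipelining client pairs the n-th response with the n-th request."""
    return {request: response for (request, _), response in zip(requests, wire)}


def demo():
    """Return what the client believes it received in each mode."""
    unordered = asyncio.run(serve_unordered(PIPELINED))
    ordered = asyncio.run(serve_ordered(PIPELINED))
    return client_view(PIPELINED, unordered), client_view(PIPELINED, ordered)


if __name__ == "__main__":
    mismatched, matched = demo()
    print("unordered:", mismatched)
    print("ordered:  ", matched)
```

In the unordered run the client attributes the fast endpoint's body to its first request, which is the confusion the advisory warns about when one endpoint can delay its answer.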
Twisted is an event-based framework for internet applications, supporting Python 3.6+.
The `twisted.web.util.redirectTo` function contains an HTML injection vulnerability.
If application code allows an attacker to control the redirect URL this vulnerability
may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body.
This vulnerability is fixed in 24.7.0rc1.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41810
Upstream patch:
046a164f89
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
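An added example (not Twisted's code or its upstream patch) of the HTML injection class described in the CVE-2024-41810 message above: a redirect page body built from an unescaped URL next to a hardened builder that escapes it and restricts schemes. The template, the scheme allowlist, the function names and the sample URL are all assumptions constructed for the illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Simplified stand-in for a redirect page body; not Twisted's actual template.
TEMPLATE = (
    '<html><head><meta http-equiv="refresh" content="0;URL={url}"></head>'
    '<body><a href="{url}">click here</a></body></html>'
)
ALLOWED_SCHEMES = {"http", "https"}  # assumption: policy chosen for this example

# Constructed, harmless marker input that closes the attribute and adds a tag.
CONSTRUCTED_URL = 'https://example.test/next"><b id="injected">x</b>'


def redirect_body_unescaped(url):
    """The vulnerable pattern: the URL is interpolated into HTML verbatim."""
    return TEMPLATE.format(url=url)


def redirect_body_escaped(url):
    """Hardened form: reject unexpected schemes, then HTML-escape the URL."""
    scheme = urlsplit(url).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"refusing redirect to scheme {scheme!r}")
    return TEMPLATE.format(url=escape(url, quote=True))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(body):
    """Return the start tags an HTML parser sees, to detect injected elements."""
    collector = _TagCollector()
    collector.feed(body)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print(tags_in(redirect_body_unescaped(CONSTRUCTED_URL)))
    print(tags_in(redirect_body_escaped(CONSTRUCTED_URL)))
```

Comparing the parsed tag lists works as a regression check: the escaped body must contain only the template's own elements whatever the URL is.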
In case the iso_639_xml and iso_3166_xml files are not present on the build machine,
then meson fails the compilation - however these files are used only during runtime.
To avoid this, add a patch not to check the existence of these files during building,
but also specify where these files will be located using build arguments.
This patch is a backport from master branch 73c46b265d1cb35c43956d1723c338a137f6ef56
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Poppler is a PDF rendering library. Versions prior to 25.06.0
use `std::atomic_int` for reference counting. Because
`std::atomic_int` is only 32 bits, it is possible to overflow
the reference count and trigger a use-after-free. Version 25.06.0
patches the issue.
CVE-2025-52886-0001 and CVE-2025-52886-0002 are dependent commits
while the rest are actual CVE fixes.
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-52886
https://security-tracker.debian.org/tracker/CVE-2025-52886
Upstream patches:
d35e11a8f8af3e1e1a353449a16d3bac36affcc8
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Null Pointer Dereference in mask_cidr6 component at cidr.c in Tcpreplay 4.4.4
allows attackers to crash the application via crafted tcprewrite command.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The packagegroup has to be arch dependent to address build failure:
ERROR: packagegroup-meta-filesystems-1.0-r0 do_package_write_rpm: An allarch packagegroup shouldn't depend on packages which are dynamically renamed (fuse to libfuse2)
ERROR: packagegroup-meta-filesystems-1.0-r0 do_package_write_rpm: An allarch packagegroup shouldn't depend on packages which are dynamically renamed (fuse-dev to libfuse-dev)
Signed-off-by: Vyacheslav Yurkov <Vyacheslav.Yurkov@bruker.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Backport [1] to fix the do_configure error like below:
checking for packet socket (PF_PACKET)... ./pf_packet-test:
/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found
[1] 19979c4541
Signed-off-by: Qi Chen <Qi.Chen@windriver.com>
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The build process currently succeeds but the odbc.pc file is not correctly
generated.
The error message is like below in log.do_compile and log.do_install:
/bin/bash: line 1: ../exe/odbc_config: cannot execute binary file: Exec format error
I can see the message comes from the following line in exe/Makefile.am:
@sed "s![@]ODBC_ULEN[@]!`$(top_builddir)/exe/odbc_config$(EXEEXT) --ulen`!" \
$(top_builddir)/DriverManager/odbc.pc > $(top_builddir)/exe/odbc.pc.tmp
It's running the exe/odbc_config program we built out. But the binary is for the target
platform and if we run it on the build host, we get that error message. The resulting ulen
and build_cflags in the final odbc.pc file are also empty.
Fix the issue by using qemu usermode to launch the target binary.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(master rev: 4cbd72f7b942af44da0704f66c1b0feef8699fe6)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Error: Transaction test error:
file /usr/include/unixODBC/config.h conflicts between attempted installs of unixodbc-dev-2.3.11-r0.aarch64 and lib32-unixodbc-dev-2.3.11-r0.armv7ahf_neon
file /usr/include/unixODBC/unixodbc_conf.h conflicts between attempted installs of unixodbc-dev-2.3.11-r0.aarch64 and lib32-unixodbc-dev-2.3.11-r0.armv7ahf_neon
file /usr/include/unixodbc.h conflicts between attempted installs of unixodbc-dev-2.3.11-r0.aarch64 and lib32-unixodbc-dev-2.3.11-r0.armv7ahf_neon
The differences of config.h are as follows:
@@ -14,7 +14,7 @@
/* #undef C_ALLOCA */
/* Lib directory */
-#define DEFLIB_PATH "/usr/lib64"
+#define DEFLIB_PATH "/usr/lib"
/* Using perdriver iconv */
/* #undef ENABLE_DRIVER_ICONV */
@@ -275,7 +275,7 @@
#define INCLUDE_PREFIX "/usr/include"
/* Lib directory */
-#define LIB_PREFIX "/usr/lib64"
+#define LIB_PREFIX "/usr/lib"
/* Define to the sub-directory where libtool stores uninstalled libraries. */
#define LT_OBJDIR ".libs/"
@@ -311,7 +311,7 @@
#define PACKAGE_VERSION "2.3.11"
/* Platform is 64 bit */
-#define PLATFORM64 /**/
+/* #undef PLATFORM64 */
/* Install prefix */
#define PREFIX "/usr"
@@ -323,10 +323,10 @@
#define SHLIBEXT ".so"
/* The size of `long', as computed by sizeof. */
-#define SIZEOF_LONG 8
+#define SIZEOF_LONG 4
/* The size of `long int', as computed by sizeof. */
-#define SIZEOF_LONG_INT 8
+#define SIZEOF_LONG_INT 4
/* If using the C implementation of alloca, define if you know the
direction of stack growth for your system; otherwise it will be
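Review bot: SIZEOF_LONG and SIZEOF_LONG_INT change from 8 to 4 in this hunk, so the two config.h copies encode different ABIs and neither can stand in for the other; installing a single /usr/include/unixODBC/config.h for both packages would hand one multilib the wrong type sizes. The resolution should keep a per-multilib copy of the header rather than drop one side of the conflict.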
@@ -351,7 +351,7 @@
#define SYSTEM_FILE_PATH "/etc"
/* Lib path */
-#define SYSTEM_LIB_PATH "/usr/lib64"
+#define SYSTEM_LIB_PATH "/usr/lib"
/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. This
macro is obsolete. */
@@ -383,7 +383,7 @@
/* #undef _ALL_SOURCE */
/* Number of bits in a file offset, on hosts where this is settable. */
-/* #undef _FILE_OFFSET_BITS */
+#define _FILE_OFFSET_BITS 64
/* Define to 1 to make fseeko visible on some hosts (e.g. glibc 2.2). */
/* #undef _LARGEFILE_SOURCE */
The differences of unixodbc_conf.h are as follows:
@@ -19,7 +19,7 @@
/* #undef C_ALLOCA */
/* Lib directory */
-#define DEFLIB_PATH "/usr/lib64"
+#define DEFLIB_PATH "/usr/lib"
/* Using perdriver iconv */
/* #undef ENABLE_DRIVER_ICONV */
@@ -342,7 +342,7 @@
#define INCLUDE_PREFIX "/usr/include"
/* Lib directory */
-#define LIB_PREFIX "/usr/lib64"
+#define LIB_PREFIX "/usr/lib"
/* Define if the OS needs help to load dependent libraries for dlopen(). */
/* #undef LTDL_DLOPEN_DEPLIBS */
@@ -396,7 +396,7 @@
/* Define to the version of this package. */
/* Platform is 64 bit */
-#define PLATFORM64 /**/
+/* #undef PLATFORM64 */
/* Install prefix */
#define PREFIX "/usr"
@@ -408,7 +408,7 @@
#define SHLIBEXT ".so"
/* The size of `long', as computed by sizeof. */
-#define SIZEOF_LONG 8
+#define SIZEOF_LONG 4
/* If using the C implementation of alloca, define if you know the
direction of stack growth for your system; otherwise it will be
@@ -431,7 +431,7 @@
#define SYSTEM_FILE_PATH "/etc"
/* Lib path */
-#define SYSTEM_LIB_PATH "/usr/lib64"
+#define SYSTEM_LIB_PATH "/usr/lib"
/* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */
#define TIME_WITH_SYS_TIME 1
The differences of unixodbc.h are as follows:
@@ -14,4 +14,4 @@
#define HAVE_UNISTD_H 1
/* Define to the value of sizeof(long) */
-#define SIZEOF_LONG_INT 8
+#define SIZEOF_LONG_INT 4
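Review bot: the message stops after this unixodbc.h hunk without saying how the three file conflicts are resolved; it shows only the symptom and the differing values. Add a closing sentence that names the mechanism used so that unixodbc-dev and lib32-unixodbc-dev can be installed together.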
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(master rev: b3d875df4d6023835e2272a630df3b90c48f5bb9)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Can't be found properly in the sysroot dir due to the absolute path in
INSTALL_CMAKE_DIR.
Fixes:
The imported target "nlohmann_json_schema_validator" references the file
"/usr/lib/libnlohmann_json_schema_validator.so.2.1.0"
but this file does not exist.
Signed-off-by: Youngseok Jeong <youngseok1.jeong@lge.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
An issue in the pdfseparate utility of freedesktop poppler
v25.04.0 allows attackers to cause an infinite recursion via
supplying a crafted PDF file. This can lead to a Denial of
Service (DoS).
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50420
Upstream patch:
a7025904e3
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This CVE fix was added to protobuf recipe but since it's patching python
code, it should have been submitted to python3-protobuf.
Take the patch from protobuf recipe and adapt to python3-protobuf.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
We're seeing errors like below in log.do_configure:
./conftest: cannot execute binary file: Exec format error
The tcpreplay's configure has two places to execute ./conftest.
And the result happens to be correct even with the error above.
Instead of leaving the errors as they are, we explicitly skip
running ./conftest in case of cross compiling. The build will
continue to succeed and result will remain the same.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(master rev: 8cf55e279fd08f71f281fc8e5f2dabd638d3fa79)
Signed-off-by: Guocai He <guocai.he.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
fix CVE-2024-25176, CVE-2024-25177, CVE-2024-25178
To apply CVE-2024-25178-0003.patch more smoothly,
CVE-2024-25178-0001.patch and CVE-2024-25178-0002.patch are backported.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
- Fix CVE-2025-53643:
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and
Python. Prior to version 3.12.14, the Python parser is vulnerable to a
request smuggling vulnerability due to not parsing trailer sections of
an HTTP request. If a pure Python version of aiohttp is installed (i.e.
without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled,
then an attacker may be able to execute a request smuggling attack to
bypass certain firewalls or proxy protections. Version 3.12.14 contains
a patch for this issue.
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-53643
- Drop CVE-2024-42367.patch:
According to upstream discussion and advisory [1][2], aiohttp 3.8.6 is
not affected by CVE-2024-42367, and the patch is therefore no longer
needed.
[1] https://github.com/advisories/GHSA-jwhx-xcg6-8xhj
[2] https://github.com/aio-libs/aiohttp/issues/11149
Signed-off-by: Jiaying Song <jiaying.song.cn@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Refresh fix-cipher-leak.patch to fix patch-fuzz issue.
Signed-off-by: Sana Kazi <sanakazi720@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
testrunners file was coming out to be empty after anon python was turned
into a prepend to populate_packages which is executed during do_package
and hence POCO_TESTRUNNERS was not populated when it was used during
do_ptest_install now. Therefore alter the logic to collect the list of
tests to run into testrunners file. Also package the ignore file which
is platform specific, here the lnx version is packaged and specified
using -ignore cmd to tests
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This could be worked out without needing to add bash dependency
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Pick commit mentioned in [1].
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-6375
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
tcpreplay v4.4.4 was discovered to contain an infinite loop via the tcprewrite function at get.c.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Fix following CVEs for imagemagick:
CVE-2023-5341, CVE-2022-1114, CVE-2023-1289 and CVE-2023-34474
Signed-off-by: Sana Kazi <sanakazi720@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2025-6019:
A Local Privilege Escalation (LPE) vulnerability was found in
libblockdev. Generally, the "allow_active" setting in Polkit permits a
physically present user to take certain actions based on the session
type. Due to the way libblockdev interacts with the udisks daemon, an
"allow_active" user on a system may be able to escalate to full root
privileges on the target host. Normally, udisks mounts user-provided
filesystem images with security flags like nosuid and nodev to prevent
privilege escalation. However, a local attacker can create a specially
crafted XFS image containing a SUID-root shell, then trick udisks into
resizing it. This mounts their malicious filesystem with root
privileges, allowing them to execute their SUID-root shell and gain
complete control of the system.
Refer:
https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Vulnerability in the MySQL Server product of Oracle MySQL (component:
Client: mysqldump). Supported versions that are affected are 8.0.36
and prior and 8.3.0 and prior. Difficult to exploit vulnerability
allows unauthenticated attacker with logon to the infrastructure
where MySQL Server executes to compromise MySQL Server. Successful
attacks of this vulnerability can result in unauthorized update,
insert or delete access to some of MySQL Server accessible data as
well as unauthorized read access to a subset of MySQL Server accessible
data and unauthorized ability to cause a partial denial of service
(partial DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Confidentiality,
Integrity and Availability impacts).
CVE-2024-21096-0001, CVE-2024-21096-0002 are CVE fixes and the rest are
regression fixes.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-21096
https://security-tracker.debian.org/tracker/CVE-2024-21096
Upstream patches:
13663cb5c41c425a8d8577c4c0f256d60f5c11ead20518168a
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2023-52969:
MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7
through 10.11.*, and 11.0 through 11.0.* can sometimes crash
with an empty backtrace log. This may be related to
make_aggr_tables_info and optimize_stage2.
CVE-2023-52970:
MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7
through 10.11.*, 11.0 through 11.0.*, and 11.1 through 11.4.*
crashes in Item_direct_view_ref::derived_field_transformer_for_where.
CVE-2023-52969-CVE-20230-52970-0001 and CVE-2023-52969-CVE-20230-52970-0002
are dependent commits while CVE-2023-52969-CVE-20230-52970-0003 and
CVE-2023-52969-CVE-20230-52970-0004 are actual CVE fixes.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52969
https://nvd.nist.gov/vuln/detail/CVE-2023-52970
Upstream patches:
e640373389
https://github.com/MariaDB/server/commit/d98ac8511e39770ef3d8b42937c84e876d1459e9
b313d2de14fc9dc84b0
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>