The CVE_PRODUCT is set with a weak default assignment in the cve-check.bbclass,
which means that when the recipe uses +=, it overrides the original weak adefault
value instead of appending to it.
Set all applicable values in CVE_PRODUCT variable explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
There are multiple vendors for yasm:
$ sqlite3 ./nvdcve_2-2.db "select distinct vendor, product from products where product = 'yasm';"
tortall|yasm
yasm_project|yasm
Both products refer to the same application
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 93f85e4fd2fb124cb047f6b378cf0052a1f102aa)
Take patch from Debian from
873b07f46c
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 9f7c1e6bd101494c6cc5dad16a7fa65a13cbac70)
Adapted to Kirkstone.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
A vulnerability was determined in jqlang jq up to 1.6. Impacted is the
function run_jq_tests of the file jq_test.c of the component JSON Parser.
Executing manipulation can lead to reachable assertion. The attack
requires local access. The exploit has been publicly disclosed and may be
utilized. Other versions might be affected as well.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9403
Upstream-patch:
a4d9d54010
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This includes CVE-fix for CVE-2023-26819.
Removed CVE-2025-57052, as the issue was already resolved
in v1.7.19.
Changelog:
==========
https://github.com/DaveGamble/cJSON/blob/master/CHANGELOG.md
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
The test cases in jemalloc require the appropriate value to be exported
to MALLOC_CONF, which is stored in shell scripts.
The privious script just ran the test cases without exporting value, causing
the tests to fail.
Include the missing shell scripts, and source them before running the test
cases now.
Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit b3274b4e90fad106e2e76b48afb866d81170bd6f)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
yasm commit 9defefae was discovered to contain a NULL pointer
dereference via the yasm_section_bcs_append function at section.c.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-22653
Upstream-patch:
121ab150b3
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
I noticed that xft was not getting enabled as expected because the
recipe was using pkg-config from the host.
Signed-off-by: Justin Bronder <jsbronder@cold-front.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 95c14a92544e4f0e2dc94ef6a1f26d35beb82d7e)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
With the exception of paho-mqtt-cpp, the double protocol= attributes
were added to the SRC_URIs when protocol=https was added to all SRC_URIs
fetching from github.com in commit b402a3076f (recipes: Update SRC_URI
branch and protocols).
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2e0a581bee7fc15a78f6e19ba1e596930edee414)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
By default, img2simg will only generate raw and fill chunks. This adds
support for "don't care" chunks, based on file holes. This is similar to
how bmaptool works. "don't care" chunks do not need to be written,
speeding up flashing time.
This change corresponds to upstream 9862a017fa7f88424f0670ba89af58e5051550b0
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: AshishKumar Mishra <emailaddress.ashish@gmail.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Can't found properly in the sysroot dir due to the absolute path in
INSTALL_CMAKE_DIR.
Fixes:
The imported target "nlohmann_json_schema_validator" references the file
"/usr/lib/libnlohmann_json_schema_validator.so.2.1.0"
but this file does not exist.
Signed-off-by: Youngseok Jeong <youngseok1.jeong@lge.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
fix CVE-2024-25176, CVE-2024-25177, CVE-2024-25178
For apply CVE-2024-25178-0003.patch more smoothly,
CVE-2024-25178-0001.patch and CVE-2024-25178-0002.patch is backported.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Backport patch with adjustments for 3.19.6 version to fix
CVE-2025-4565.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
1. RDEPENDS on python3-protobuf instead of python-protobuf. The
latter is not available anywhere.
2. Use use python3 interpreter.
3. Fix run-ptest to avoid test failure. An extra '\n' is needed
to break out the loop.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Backport a patch to fix CVE-2025-0838
CVE-2025-0838:
There exists a heap buffer overflow vulnerable in Abseil-cpp. The sized
constructors, reserve(), and rehash() methods of
absl::{flat,node}hash{set,map} did not impose an upper bound on their
size argument. As a result, it was possible for a caller to pass a very
large size that would cause an integer overflow when computing the size
of the container's backing store, and a subsequent out-of-bounds memory
write. Subsequent accesses to the container might also access
out-of-bounds memory. We recommend upgrading past commit
5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-0838
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
CVE-2020-36774:
plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x
before 3.40.0 mishandles widget rebuilding for GladeGtkBox, leading to a
denial of service (application crash).
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2020-36774]
Upstream patches:
[7acdd3c6f6]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Includes fix for CVE-2024-8929, CVE-2024-11236, CVE-2024-11234 and CVE-2024-11233
Changelog:
https://www.php.net/ChangeLog-8.php#8.1.31
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Backport patch with tweaks for the current version to fix
CVE-2024-7254.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changelog:
============
* Add NULL check to cJSON_SetValuestring()(CVE-2024-31755)
* Remove non-functional list handling of compiler flags
* Fix heap buffer overflow
* remove misused optimization flag -01
* Set free'd pointers to NULL whenever they are not reassigned immediately after
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(From meta-openembedded rev: 535822eff7647b6363225bb8f04d2d7d59a71204)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Location of the file that systemd uses to check whether to
start adbd or not has been updated from /var to /etc in
android-tools-adbd.service. This change changes the path
of creation of usb-debugging-enabled flag file in
android-tools recipes from /var/usb-debugging-enabled to
/etc/usb-debugging-enabled
Backport-of: 2a3d4be9994e ("android-tools: create flag flag file for adbd at a proper location")
Fixes: a29c6386d576 ("android-toold-adbd: Fix inconsistency between selinux configurations")
Fixes: 8106cfe769aa ("android-tools-adbd.service: Change /var to /etc in ConditionPathExists")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Raghuvarya S <quic_raghuvar@quicinc.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
To ensure android-tools-adbd.service starts at boot, the path
for ConditionPathExists must be present at build time. /etc is
more suitable for build-time files than /var, which is for
runtime files. Changed ConditionPathExists from
/var/usb-debugging-enabled to /etc/usb-debugging-enabled
Backport-of: 8106cfe769aa ("android-tools-adbd.service: Change /var to /etc in ConditionPathExists")
CC: Khem Raj <raj.khem@gmail.com>
CC: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Raghuvarya S <quic_raghuvar@quicinc.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2848cc99a186 ("php-fpm: Add support for systemd") introduced a systemd
service file, where ExecStart and ExecStop uses /etc/init.d/php-fpm,
which does not exist if systemd is enabled. Consequently, the php-fpm
service fails to start even though it is correctly installed. This is
fixed by this commit in which the service file is identical to the one
from the PHP source code except for the use of BitBake variables. Also,
use ${systemd_system_unitdir} instead of ${systemd_unitdir}/system.
Signed-off-by: Emil Kronborg <emil.kronborg@protonmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Includes fix for CVE-2024-5458, CVE-2024-2408 and other bugs
Changelog:
https://www.php.net/ChangeLog-8.php#8.1.29
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Upgrade to latest version giflib v5.2.2.
This version fixes bugs listed in link below:
Link: https://sourceforge.net/p/giflib/code/ci/5.2.2/tree/NEWS
Fixes for CVE-2023-48161, CVE-2022-28506, CVE-2023-39742
Link: https://clients.neighbourhood.ie/yocto/1-40.html#:~:text=CVE%2D2023%2D39742%3A%20giflib%3Agiflib%2Dnative
Added dependency on ImageMagick which includes "convert" utility,
to ensure availability of required tool during compilation process.
Add patch to rename binary used in Makefile from
"convert" to "convert.im7" as installed by imagemagick package.
Drop CVE-2022-28506.patch as it is fixed in this version.
Signed-off-by: Bhabu Bindu <bhabubindu@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The first version of this patch introduced a problem with python3-pyqt5.
Python emitted the following error message when one attempted to import
PyQt5.Qt:
ImportError: dynamic module does not define module export function (PyInit_Qt)
This came about due to segfault in sip when executed in do_configure of
python3-pyqt5. This resulted in a zero-length sipQtcmodule.c file being
produced. This compiled successfully which meant no build failure was
observed.
The segfault was caused by a mistake in backporting the patch from SIP 6.
The generateCompositeCpp() function uses the generate_include_sip_h()
helper function in later versions which doesn't exist in SIP 4.
We must replace the first parameter passed to isPY_SSIZE_T_CLEAN() from
mod to pt->module to account for this. The change is not necessary for
generateInternalAPIHeader()
To simplify the patch we can remove the generated lexer and parser files
and run flex and bison in do_configure instead.
Signed-off-by: Rob Woolley <rob.woolley@windriver.com>
Tested-by: Toby Flynn <campingandskiing@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
There is a heap buffer overflow in DumpScreen2RGB() in gif2rgb.c. This
occurs when a crafted gif file, where size of color table is < 256 but
image data contains pixels with color code highier than size of color
table. This causes oferflow of ColorMap->Colors array.
Fix the issue by checking if value of each pixel is within bounds of
given color table. If the value is out of color table, print error
message and exit.
Signed-off-by: Nikhil R <nikhil.r@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The following CVEs are addressed in this release.
CVE-2023-50471
CVE-2023-50472
https://github.com/DaveGamble/cJSON/releases/tag/v1.7.17
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
An unintentional breakage was made upstream in sip4 which results
in builds reporting: QtCoremod.sip:23: syntax error
This was reported in Debian, but not resolved:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998605
A backport of a fix from the upstream project fixes the parser to
prevent it from complaining about the syntax error.
Signed-off-by: Rob Woolley <rob.woolley@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>