<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/recipes-multimedia, branch yocto-5.2.4</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.2.4</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-5.2.4'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-09-25T19:25:52+00:00</updated>
<entry>
<title>tiff: patch CVE-2025-8961</title>
<updated>2025-09-25T19:25:52+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-09-25T14:05:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=639a818fd0681225e935722b500bd078ed4a816f'/>
<id>urn:sha1:639a818fd0681225e935722b500bd078ed4a816f</id>
<content type='text'>
Pick commit mentioned in [1].

[1] https://security-tracker.debian.org/tracker/CVE-2025-8961

(From OE-Core rev: c171a41e58e2f151dada61ee2a53c15ceaaa85c0)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>tiff: patch CVE-2025-9165</title>
<updated>2025-09-25T19:25:52+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-09-25T14:05:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ac184e133bbb0e88d6aaf0584cff0304a036c562'/>
<id>urn:sha1:ac184e133bbb0e88d6aaf0584cff0304a036c562</id>
<content type='text'>
Pick commit mentioned in NVD report.

(From OE-Core rev: af4a1f0140fc7739b1bd6e39be1df28681628312)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>tiff: ignore CVE-2025-8851</title>
<updated>2025-09-25T19:25:52+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-09-25T14:05:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=73a25f197b117a5c8118d28043c350be930b5399'/>
<id>urn:sha1:73a25f197b117a5c8118d28043c350be930b5399</id>
<content type='text'>
This is fixed in v4.7.0, however cve_check cannot match it as NVD says
"Up to (excluding) 2024-08-11".

(From OE-Core rev: 17a71c67a8a9242e5ae8985a9ebcc51bfa112c3d)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>pulseaudio: ignore CVE-2024-11586</title>
<updated>2025-09-25T19:25:52+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2025-09-25T14:05:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f15ade2e8a3dc0c4552b1e712d6d08a9bcb6c01a'/>
<id>urn:sha1:f15ade2e8a3dc0c4552b1e712d6d08a9bcb6c01a</id>
<content type='text'>
As per the linked ticket, this issue is related to an Ubuntu-specific
patch that we don't have.

(From OE-Core rev: dc81fdc6bdf8ab39b7f2fd994d50256430c36558)

(From OE-Core rev: 72e63e44a0c6ad5a408c4dc59a24288c36463439)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>gstreamer1.0: set status of CVE-2025-3887 to patched</title>
<updated>2025-09-25T19:25:51+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-09-25T14:05:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=b066c3a8cc312c2922d181890e6c5add96d8b5a9'/>
<id>urn:sha1:b066c3a8cc312c2922d181890e6c5add96d8b5a9</id>
<content type='text'>
This CVE was fixed in plugins-bad.
See [1] and [2] which is included in 1.24.13.
These commits are a backport of [3] to 1.24.
Commits fixing this CVE were copied from [4].

[1] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/e4351ef03f1331410b0c1216a6178d885f37e495
[2] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ed4c2ce380f7168bd4a3423f4398eb341cb931c7
[3] https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8884
[4] https://security-tracker.debian.org/tracker/CVE-2025-3887

(From OE-Core rev: 13d7e30b45e90187800ba5a383c9579ba2fa0344)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>gstreamer1.0: ignore CVE-2025-2759</title>
<updated>2025-09-25T19:25:51+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-09-25T14:05:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=58836a4e5d2beb25d95c90cecbb18e3be2bdab13'/>
<id>urn:sha1:58836a4e5d2beb25d95c90cecbb18e3be2bdab13</id>
<content type='text'>
Copy statement from [1] that it is a problem of installers (non-Linux).
Also [2] linked in NVD says "Fixed in 1.25.1 Gstreamer Installer".
Since Yocto builds from sources into our own packages, ignore it.

[1] https://security-tracker.debian.org/tracker/CVE-2025-2759
[2] https://www.zerodayinitiative.com/advisories/ZDI-25-268/

(From OE-Core rev: 99ee1df6bde2ffd4fa2ddea44c0a9b94d9d77bae)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>gstreamer1.0: set status of 5 CVEs to patched</title>
<updated>2025-09-25T19:25:51+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2025-09-25T14:05:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=72d9e1b8f469e3312995c318cb6964a6a141b4e1'/>
<id>urn:sha1:72d9e1b8f469e3312995c318cb6964a6a141b4e1</id>
<content type='text'>
These CVEs were fixed in the last upgrade.
See commit message for 340b182d5fc972175f1d2a89127f807073c10255

(From OE-Core rev: 20dd654a8e66ffb1cac97958547f54a52ebd587d)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>ffmpeg: upgrade 7.1.1 -&gt; 7.1.2</title>
<updated>2025-09-25T19:25:51+00:00</updated>
<author>
<name>Archana Polampalli</name>
<email>archana.polampalli@windriver.com</email>
</author>
<published>2025-09-18T10:56:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=08ab8055fbc812b89f21eb4a00dc68363bbe5051'/>
<id>urn:sha1:08ab8055fbc812b89f21eb4a00dc68363bbe5051</id>
<content type='text'>
Fixes CVE-2025-7700

Changelog:
https://github.com/FFmpeg/FFmpeg/blob/n7.1.2/Changelog

(From OE-Core rev: b564d34603753e93fdd52fc73c901a0d423c9681)

Signed-off-by: Archana Polampalli &lt;archana.polampalli@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>pulseaudio: Add audio group explicitly</title>
<updated>2025-09-09T16:30:07+00:00</updated>
<author>
<name>Kyungjik Min</name>
<email>dpmin7@gmail.com</email>
</author>
<published>2025-09-02T07:25:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f6534ab04fc1a73c63e9b9e7bce8b43d2ee827f0'/>
<id>urn:sha1:f6534ab04fc1a73c63e9b9e7bce8b43d2ee827f0</id>
<content type='text'>
Since pulseaudio-server requires the audio group, we explicitly add it.

When using useradd-staticids or not using the default group in
base-passwd, an error will occur because the audio group is not defined.

NOTE: pulseaudio: Performing useradd with [--root
TOPDIR/tmp/work/cortexa72-poky-linux/pulseaudio/17.0/recipe-sysroot
--home-dir /var/run/pulse --gid 998 --groups audio,pulse
--no-create-home --system --shell /bin/false --uid 998 pulse]
useradd: group 'audio' does not exist
ERROR: pulseaudio: useradd command did not succeed.

(From OE-Core rev: 4fc918da4667eebbbdae3def8c38209a3d650f97)

Signed-off-by: Kyungjik Min &lt;dpmin7@gmail.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>tiff: fix CVE-2025-8534</title>
<updated>2025-09-09T16:30:07+00:00</updated>
<author>
<name>Yogita Urade</name>
<email>yogita.urade@windriver.com</email>
</author>
<published>2025-09-02T04:58:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ebbcc0a3c69ea7664e6f94dde2ce5d3b5d38ee6f'/>
<id>urn:sha1:ebbcc0a3c69ea7664e6f94dde2ce5d3b5d38ee6f</id>
<content type='text'>
A vulnerability classified as problematic was found in libtiff
4.6.0. This vulnerability affects the function PS_Lvl2page of
the file tools/tiff2ps.c of the component tiff2ps. The
manipulation leads to null pointer dereference. It is possible
to launch the attack on the local host. The complexity of an
attack is rather high. The exploitation appears to be difficult.
The exploit has been disclosed to the public and may be used.
The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b.
It is recommended to apply a patch to fix this issue. One of the
maintainers explains that "[t]his error only occurs if
DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD")
option is used."

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-8534

Upstream patch:
https://gitlab.com/libtiff/libtiff/-/commit/6ba36f159fd396ad11bf6b7874554197736ecc8b

(From OE-Core rev: 6db99609f8aeca660fa01fc9e32008a2e37aae03)

Signed-off-by: Yogita Urade &lt;yogita.urade@windriver.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
</feed>
