summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools
Commit message (Collapse)AuthorAgeFilesLines
* python3: fix CVE-2023-24329Joe Slater2023-03-232-0/+51
| | | | | | | | | | Backport fix from cpython 3.11 branch. (From OE-Core rev: 37defd828cc6a8267139928730d766167905d21a) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* pkgconf: fix CVE-2023-24056Hongxu Jia2023-03-232-0/+76
| | | | | | | | | | Backport from https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059 (From OE-Core rev: 5c156d8c06267b7a733aca11c53c2905e03e4a58) Signed-off-by: Hongxu Jia <hongxu.jia@eng.windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vala: Fix install conflict when enable multilib.Wang Mingyu2023-03-201-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Error: Transaction test error: file /usr/bin/vala-gen-introspect-0.56 conflicts between attempted installs of lib32-vala-0.56.3-r0.armv7ahf_neon and vala-0.56.3-r0.aarch64 file /usr/bin/vapigen-wrapper conflicts between attempted installs of lib32-vala-0.56.3-r0.armv7ahf_neon and vala-0.56.3-r0.aarch64 The differences of vala-gen-introspect-0.56 are as follows: @@ -2,7 +2,7 @@ prefix=/usr exec_prefix=/usr -libdir=/usr/lib64 +libdir=/usr/lib pkglibdir=${libdir}/vala-0.56 if [ $# -ne 2 ] The wrapper isn't used on target so we can simply delete it. (From OE-Core rev: 8b41b5d2e423636942e34723ad940f6f143640c9) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 3cf894b8a9c4fa14fcc7c7445e85e9ae3192b398) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* lua: Fix install conflict when enable multilib.Wang Mingyu2023-03-201-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | Error: Transaction test error: file /usr/include/luaconf.h conflicts between attempted installs of lua-dev-5.4.4-r0.aarch64 and lib32-lua-dev-5.4.4-r0.armv7ahf_neon The differences between the two files are as follows: @@ -219,7 +219,7 @@ #define LUA_ROOT "/usr/" #define LUA_LDIR LUA_ROOT "share/lua/" LUA_VDIR "/" -#define LUA_CDIR LUA_ROOT "lib64/lua/" LUA_VDIR "/" +#define LUA_CDIR LUA_ROOT "lib/lua/" LUA_VDIR "/" #if !defined(LUA_PATH_DEFAULT) #define LUA_PATH_DEFAULT \ (From OE-Core rev: b2892b3b6fa1d396f845539c0256ca0f71378b94) Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit b58d86f9902a7eb7a821a3e36ba298c082c0f1f1) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meson: Fix wrapper handling of implicit setup commandTom Hochstein2023-03-201-9/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | From an SDK, running a meson setup build without an explicit setup command can result in a native build when a cross build is expected. The problem is in meson-wrapper where it tries to detect whether a setup command is being used. The logic looks through all arguments for a command, and the first argument it finds that doesn't start with a - is treated as the command. This doesn't work for an implicit setup command if any option with a space-separated argument exists. In this case, the argument is incorrectly selected as the command, causing the setup command options for the cross build to be excluded from the command line, and thus a native build. Improve the logic by just looking at the first argument. If it is a known comand, then record it. Otherwise just assume it is the implicit setup command. Note that this fix does not address the possibility of a new meson command. Two new echo statements are included to help the user in case of trouble: ``` ~/git/weston-imx$ meson --warnlevel 3 --prefix=/usr -Ddoc=false -Dbackend-drm-screencast-vaapi=false -Dcolor-management-lcms=false -Dpipewire=false -Dbackend-x11=false -Dxwayland=true -Dsimple-clients=all -Dbackend-wayland=false -Dbackend-default=drm -Dbackend-rdp=false -Dtest-junit-xml=false -Dlauncher-libseat=false -Dimage-jpeg=false -Dimage-webp=false -Drenderer-g2d=true build meson-wrapper: Implicit setup command assumed meson-wrapper: Running meson with setup options: " --cross-file=/opt/fsl-imx-internal-xwayland/6.1-langdale/sysroots/x86_64-pokysdk-linux/usr/share/meson/aarch64-poky-linux-meson.cross --native-file=/opt/fsl-imx-internal-xwayland/6.1-langdale/sysroots/x86_64-pokysdk-linux/usr/share/meson/meson.native " The Meson build system Version: 0.63.3 ``` (From OE-Core rev: 1f30dedee80669475557d9de5f130b7a23eaa7ec) Signed-off-by: Tom Hochstein <tom.hochstein@nxp.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 9338bd66a3c9ab5cb781f2ee588306c5b31a3cb5) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3-setuptools-rust-native: Add direct dependency of native python3 modulesPoonam2023-03-201-3/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add direct dependency of below native python3 modules to fix the compile issue  python3-semantic-version-native python3-setuptools-native python3-setuptools-scm-native python3-toml-native python3-typing-extensions-native python3-wheel-native This issue is not seen in the upstream yocto but in the project, where the python modules are not built by any other dependency. They have to be explicitly pulled. This fixes below error: File "<path to file>/python3-setuptools-rust-native/1.1.2-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/setuptools/config.py", line 422, in _parse_attr     module = importlib.import_module(module_name)   File "<path to file>/python3-setuptools-rust-native/1.1.2-r0/recipe-sysroot-native/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module     return _bootstrap._gcd_import(name[level:], package, level)   File "<frozen importlib._bootstrap>", line 1050, in _gcd_import   File "<frozen importlib._bootstrap>", line 1027, in _find_and_load   File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked   File "<frozen importlib._bootstrap>", line 688, in _load_unlocked   File "<frozen importlib._bootstrap_external>", line 883, in exec_module   File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed   File "<path to file>/python3-setuptools-rust-native/1.1.2-r0/setuptools-rust-1.1.2/setuptools_rust/__init__.py", line 1, in <module>     from .build import build_rust   File "<path to file>/python3-setuptools-rust-native/1.1.2-r0/setuptools-rust-1.1.2/setuptools_rust/build.py", line 23, in <module>     from typing_extensions import Literal ModuleNotFoundError: No module named 'typing_extensions' (From OE-Core rev: 0ae1ed426e97d9d53fb31a9751de5a3f1898b16b) Signed-off-by: Poonam Jadhav <Poonam.Jadhav@kpit.com> Signed-off-by: Poonam Jadhav <ppjadhav456@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* binutils: Fix nativesdk ld.so searchRichard Purdie2023-03-201-1/+1
| | | | | | | | | | | | | Currently binutils in buildtools is searching for /etc/etc/ld.so.conf which makes no sense. ld_sysconfdir already contains /etc so we need to drop the /etc from the fixed string. (From OE-Core rev: 47528fa2aa590b3e04e4cc2b66704143419a92d1) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit ccd28c418ab8390118d738fbe914395b5c2a1f75) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* binutils : Fix CVE-2023-22608Yash Shinde2023-03-094-0/+751
| | | | | | | | | | Upstream-Status: Backport [https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=8af23b30edbaedf009bc9b243cd4dfa10ae1ac09] (From OE-Core rev: 3dd27bbe8c19aa358916de940453de81d3831510) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: fix compile errorKai Kang2023-02-243-0/+276
| | | | | | | | | | | | | | | | | | | Backport 2 patches and rebase 0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch to fix compile error: ../qemu-6.2.0/hw/display/qxl.c: In function 'qxl_phys2virt': ../qemu-6.2.0/hw/display/qxl.c:1477:67: error: 'size' undeclared (first use in this function); did you mean 'gsize'? 1477 | if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) { | ^~~~ | gsize ../qemu-6.2.0/hw/display/qxl.c:1477:67: note: each undeclared identifier is reported only once for each function it appears in (From OE-Core rev: b3f42317c1932253e7e6b2fd7a263bdbd6c2f69a) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: upgrade 2.35.6 -> 2.35.7Sakib Sajal2023-02-241-1/+1
| | | | | | | | | | | Upgrade git to latest 2.37.x release to address security issues CVE-2022-23521 and CVE-2022-41903. (From OE-Core rev: 0e7de5066491bc9b860ad4d65965d6f848898aff) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bootchart2: Fix usrmerge supportHarald Seiler2023-02-152-44/+4
| | | | | | | | | | | | | | | | | | | | | | | bootchart2 introduced a variable EARLY_PREFIX for supporting systems with usrmerge [1]. Right now, the recipe here is sidestepping this feature and trying to replicate it by overwriting other variables and even patching the sources. This wasn't enough, however, as there are still problems: For example, some setup code in the bootchart-collector fails because it expects EARLY_PREFIX to be used [2]. Cleanup the recipe to set EARLY_PREFIX and remove the other workarounds. [1]: https://github.com/xrmx/bootchart/commit/56a638ace1d172163b6d636c89892446b8add4b6 [2]: https://github.com/xrmx/bootchart/blob/3d2136d0335718fbe1a8e2370ccbc30123a6e593/collector/collector.c#L670-L672 Fixes: 4157600d3122 ("bootchart2: switch to add patch from change source in do_install") (From OE-Core rev: 5d2e5abd098ae0b4f904cd7270daa1eb61708fa6) Signed-off-by: Harald Seiler <hws@denx.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 7031bc65b10040877392ed774a0cdddef85c12e0) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* apt: fix do_package_qa failureChangqing Li2023-02-151-0/+1
| | | | | | | | | | | | | | | | | bitbake nativesdk-apt failed with error: ERROR: nativesdk-apt-2.4.5-r0 do_package_qa: QA Issue: nativesdk-apt installs files in /usr/local/oe-sdk-hardcoded-buildpath/sysroots/x86_64-pokysdk-linux/var/volatile, but it is expected to be empty [empty-dirs] an empty dir apt is installed under /var/log/, fix the failure by removing the empty dir apt as what we have done for target. apt will create it when it does not exist. (From OE-Core rev: a7b4578296d584b53ae156cb23dbe5d2e0591569) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 5b035a59d7915da784f1e6678ee130f30d7ceb8a) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: remove True option to getVar and getVarFlag calls (again)Martin Jansa2023-02-153-13/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | * True is default since 2016 and most layers were already updated not to pass this parameter where not necessary, e.g. oe-core was updated couple times, first in: https://git.openembedded.org/openembedded-core/commit/?id=7c552996597faaee2fbee185b250c0ee30ea3b5f Updated with the same regexp as later oe-core update: https://git.openembedded.org/openembedded-core/commit/?id=9f551d588693328e4d99d33be94f26684eafcaba with small modification to replace not only d.getVar, but also data.getVar as in e.g.: e.data.getVar('ERR_REPORT_USERNAME', True) and for getVarFlag: sed -e 's|\(d\.getVarFlag \?\)( \?\([^,()]*, \?[^,()]*\), \?True)|\1(\2)|g' \ -i $(git grep -E 'getVarFlag ?\( ?([^,()]*), ?([^,()]*), ?True\)' \ | cut -d':' -f1 \ | sort -u) (From OE-Core rev: de7bf6689a19dc614ce4b39c84ffd825bee1b962) Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 26c74fd10614582e177437608908eb43688ab510) Signed-off-by: Steve Sakoman <steve@sakoman.com> (cherry picked from commit 24a86d0c55ee89ae0dc77975e1d0ee02898d2289) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: ignore CVE-2022-41953Ross Burton2023-02-151-0/+2
| | | | | | | | | | | | This is specific to Git-for-Windows. (From OE-Core rev: 72438f0a54296a12cfd770c5c67b1e038f019dee) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c8849af809e0213d43e18e5d01067eeeb61b330d) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* git: upgrade to 2.35.6Chee Yang Lee2023-02-151-1/+1
| | | | | | | | | | upgrade include fix for CVE-2022-23521 and CVE-2022-41903 (From OE-Core rev: d21b033c2f8890989729bc1468254c9298f9a518) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3-pytest: depend on python3-tomli instead of python3-tomlArnout Vandecappelle2023-02-151-1/+1
| | | | | | | | | | | | | | | | | | Since version 7.0.0 [1], pytest switched from the toml package to the tomli package for parsing pyproject.toml configuration files [2]. This change is not immediately noticable during tests, because the toml/tomli module is only important if a pyproject.toml is actually present in a project. [1] https://docs.pytest.org/en/latest/changelog.html#pytest-7-0-0rc1-2021-12-06 [2] https://github.com/pytest-dev/pytest/issues/8789 (From OE-Core rev: e5e590ed9e118283ad67bcfb059b3375cf847b33) Signed-off-by: Arnout Vandecappelle <arnout@mind.be> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3-certifi: fix for CVE-2022-23491Narpat Mali2023-02-152-0/+232
| | | | | | | | | | | | | | | | | | | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-23491 (From OE-Core rev: 8ee4adb8675c690962e5820669098a95f74c07c7) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* quilt: use upstreamed faildiff.test fixRoss Burton2023-02-041-17/+30
| | | | | | | | | | | (From OE-Core rev: 135a9094fc9e2a525b568960a909cb55ec1d25c5) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 50b81a263187af4452d3b99967bffd01c6ddb476) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* quilt: fix intermittent failure in faildiff.testRoss Burton2023-02-042-0/+29
| | | | | | | | | | | | | | | | | | | This test assumes that if a child process writes one line to stderr and then another line to stdout, and stderr is redirected to stdout, that the order the lines will be read is stable. This isn't the case and occasionally the lines will be read in a different order. Change the test to ignore line ordering. [ YOCTO #14469 ] (From OE-Core rev: 9f72693736a3a7a06a83022d98b389f1218532f1) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 1ddbe4d2bd8d8da10dac8a054f130fcd1d242219) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcc: Refactor linker patches and fix linker on arm with usrmergePavel Zhukov2023-01-265-149/+245
| | | | | | | | | | | | | | Backport fix from master to allow gcc to use proper linker path for musl [Yocto #14977]. Fixes: | qemu-arm: Could not open '/lib/ld-musl-armhf.so.1': No such file or directory (From OE-Core rev: d821a602c56a8d0c8171ee0d2ce31613121be3a6) Signed-off-by: Pavel Zhukov <pavel@zhukoff.net> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: fix CVE-2022-41717 Excessive memory use in got serverHitendra Prajapati2023-01-262-0/+90
| | | | | | | | | | Upstream-Status: Backport from https://github.com/golang/go/commit/618120c165669c00a1606505defea6ca755cdc27 (From OE-Core rev: f4d179aab7c8f55669ac652a0668644859ec2eb7) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3-git: fix for CVE-2022-24439Narpat Mali2023-01-263-0/+589
| | | | | | | | | | | | | | | | | | | | | | All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments. CVE: CVE-2022-24439 Upstream-Status: Backport Reference: https://github.com/gitpython-developers/GitPython/discussions/1529 https://github.com/gitpython-developers/GitPython/pull/1518 https://github.com/gitpython-developers/GitPython/pull/1521 (From OE-Core rev: 55f93e3786290dfa5ac72b5969bb2793f6a98bde) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3-wheel: fix for CVE-2022-40898Narpat Mali2023-01-262-1/+35
| | | | | | | | | | | | | | | An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli. CVE: CVE-2022-40898 Upstream-Status: Backport [https://github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0] (From OE-Core rev: 0974291e545aec68755dfb634c75dca37cca1ea9) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3-setuptools: fix for CVE-2022-40897Narpat Mali2023-01-262-0/+32
| | | | | | | | | | | | | | | | Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. CVE: CVE-2022-40897 Upstream-Status: Backport [https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be] (From OE-Core rev: f574d8d57ff3fbc38e350e7a90913993081c4fdf) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: Fix CVE-2022-4144Bhabu Bindu2023-01-262-0/+100
| | | | | | | | | | | | Add patch to fix CVE-2022-4144 Link: https://security-tracker.debian.org/tracker/CVE-2022-4144 (From OE-Core rev: 4cb3874abf4fdeb04337a48a14c765ba9b2269d4) Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* valgrind: skip the boost_thread test on armRandy MacLeod2023-01-061-0/+1
| | | | | | | | | | | | | This test is failing on the arm workers only so skip there until the issue can be worked on and resolved. The bug #14311 will remain open for tracking. (From OE-Core rev: c35db8b7ac2eaeff36afb43a0c3f54b5866c8305) Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit d98deec9e4aed9e05343d2758f3a3892e2044616) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go-crosssdk: avoid host contamination by GOCACHERobert Andersson2023-01-061-0/+2
| | | | | | | | | | | | | | | | | | By default GOCACHE is set to $HOME/.cache. Same issue for all other go recipes had been fixed by commit 9a6d208b: [ go: avoid host contamination by GOCACHE ] but that commit missed go-crosssdk recipe. (From OE-Core rev: 803b754c64c8ee923cc02c17cf80798c93e3811c) Signed-off-by: Robert Andersson <robert.m.andersson@atlascopco.com> Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit e5fd10c647ac4baad65f9efa964c3380aad7dd10) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ruby: update 3.1.2 -> 3.1.3Alexander Kanavin2023-01-062-38/+1
| | | | | | | | | | (From OE-Core rev: 3e43f3925bce640999a25ceb855a77d8cd0afd26) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 402254a5f841520b132508c21465111d33b6eb1a) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ruby: merge .inc into .bbAlexander Kanavin2023-01-062-44/+40
| | | | | | | | | | (From OE-Core rev: 22d6559bc30897a82f4519ac463f12f01fea18bc) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit d88ff809b2e78ee49d5da42bb08ff5244e6101af) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* binutils : Fix CVE-2022-4285Yash.Shinde@windriver.com2023-01-062-0/+38
| | | | | | | | | | Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=5c831a3c7f3ca98d6aba1200353311e1a1f84c70] (From OE-Core rev: 1f269e532a8fd463de2869be2768feb79ad36bd7) Signed-off-by: Yash Shinde <Yash.Shinde@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: upgrade 3.10.8 -> 3.10.9Florin Diaconescu2022-12-233-180/+1
| | | | | | | | | | | | | | | | | | | Security and bug fixes. Drop patch for CVE-2022-42919 and CVE-2022-37454 which were merged in 3.10.9 Fixes: * CVE-2022-45061 (gh-98433) https://nvd.nist.gov/vuln/detail/CVE-2022-45061 List of changes: https://docs.python.org/3.10/whatsnew/changelog.html#python-3-10-9-final (From OE-Core rev: f98b9c71686eb5ce5115ee73155a7d0389831ef0) Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* golang: CVE-2022-41715 regexp/syntax: limit memory used by parsing regexpsHitendra Prajapati2022-12-232-0/+271
| | | | | | | | | | Upstream-Status: Backport from https://github.com/golang/go/commit/e9017c2416ad0ef642f5e0c2eab2dbf3cba4d997 (From OE-Core rev: d5a533b86ce68b4c3cd2d3c3dd198c2897d37587) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* valgrind: remove most hidden tests for arm64Qiu, Zheng2022-12-131-224/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | An earlier version of valgrind fixed the defunct processes bug, so those tests that were skipped specifically for arm can pass now in master, kirkstone, honister, hardknott, and dunfell. Detailed test result with remove-for-aarch64 skipped on qemuarm64: Commit Pass Fail Skip master 624 9 21 kirkstone 618 10 20 honister 616 10 19 hardknott 609 13 18 dunfell 598 16 17 zeus Out of memory: Killed (with many defunct processes) There are now only 12 skipped by remove-for-aarch64 because 9 fail on qemuarm64 and 3 more fail on raspberry pi. These are tracked by: https://bugzilla.yoctoproject.org/show_bug.cgi?id=14960 (From OE-Core rev: 1101e877d818144ac64bab3d50364a1343c09d16) Signed-off-by: Zheng Qiu <zheng.qiu@windriver.com> Signed-off-by: Randy MacLeod <randy.macleod@windriver.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit cbeb9418c43ec834868aa65b774dc09e983d26d9) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* opkg: Set correct info_dir and status_file in opkg.confHarald Seiler2022-12-131-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | Distros can customize the location of OPKG data using OPKGLIBDIR. In OE-Core commit 11f1956cf5d7 ("package_manager.py: define info_dir and status_file when OPKGLIBDIR isn't the default"), a fix was applied to correctly set the info_dir and status_file options relative to OPKGLIBDIR. However, as the commit message notes, the opkg.conf file deployed as part of the opkg package must also be adjusted to correctly reflect the changed location. Otherwise, opkg running inside the image cannot find its data. Fix this by also setting the info_dir and status_file options in opkg.conf to the correct location relative to OPKGLIBDIR. Fixes: 11f1956cf5d7 ("package_manager.py: define info_dir and status_file when OPKGLIBDIR isn't the default") (From OE-Core rev: 658c9901be38a322770f3445ba2bc2fa01dc0aab) Signed-off-by: Harald Seiler <hws@denx.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit adb939ae3635de6e02208859fbf29cf0ed39f565) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: advance to version 3.10.8Joe Slater2022-12-132-2/+110
| | | | | | | | | | Fixes CVE-2022-37460. Also add patch to fix CVE-2022-37454. (From OE-Core rev: b446dd69b79783ea232514e1c5212595ec28e553) Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* vala: install vapigen-wrapper into /usr/bin/crosscripts and stage only thatAlexander Kanavin2022-12-011-5/+5
| | | | | | | | | | | | | | Staging the whole /usr/bin is not correct, as it pulls in also all the vala's cross binaries, which may be discovered by other recipes and things will go wrong then. (From OE-Core rev: 66bdef9f5cae941c5067d88b1d26b2d6236ec56d) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 52629d9db0344146ff4734632b17bd731e247fd5) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu-helper-native: Correctly pass program name as argv[0]Joshua Watt2022-12-011-11/+4
| | | | | | | | | | | | | | | The previous version of this wasn't correctly passing the program name as argv[0], and was also over-complicated anyway because argv[] is guaranteed to be terminated with a NULL pointer, so it can be passed directly to the execv'd process without needing to be copied. (From OE-Core rev: c8b7a0570903fc7916530c2fcffaee3b61f27301) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 6edf38add3c20c44efe0588e2815bb280d22e0c4) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu-helper-native: Re-write bridge helper as C programJoshua Watt2022-12-013-28/+44
| | | | | | | | | | | | | | | | | | | | | | | The bridge helper program is invoked directly from QEMU when it needs to attach to a network bridge. As such, it is subject to the environment of QEMU itself. Specifically, if bridging is enabled with direct rendering acceleration, QEMU is run with an LD_PRELOAD that attempts to preload several uninative libraries; however /bin/sh doesn't use the uninative loader which means it can fail to start with an error like: /bin/sh: symbol lookup error: sysroots-uninative/x86_64-linux/lib/librt.so.1: undefined symbol: __libc_unwind_link_get, version GLIBC_PRIVATE Converting the helper program to a C program resolves this problem because it will now use the uninative loader so the preload doesn't cause errors. (From OE-Core rev: 428a0be91eafb961f0fe92d2abccde5352c54c54) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit f698e98f2f09952b34488b8cf9e73e82bd7aea07) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* mtd-utils: upgrade 2.1.4 -> 2.1.5Alexander Kanavin2022-12-011-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Raw short log since the 2.1.4 release: Alex Henrie (1): mkfs.jffs2: fix spelling of --compression-mode parameter in help text Andrew Mellor (1): ubinfo: Fix --vol_id return code for absent volume id Christophe Kerello (1): nandflipbits: fix corrupted oob David Oberhollenzer (1): Release mtd-utils-2.1.5 Enrico Jorns (1): libmtd: do not ignore non-zero eraseblock size when MTD_NO_ERASE is set Frederic Germain (2): .gitignore: add new ubiscan utility Fix warning about unaligned pointer in jffs2reader Khem Raj (1): tests: Remove unused linux/fs.h header from includes Michael Walle (1): mtd-utils: flash_otp_dump make offset optional Mike Frysinger (1): fix test bashism Rafał Miłecki (1): nandwrite: warn about writing 0xff blocks Sascha Hauer (1): mtd-utils: nanddump: fix writing big images on 32bit machines liaohua (1): nor-utils: fix memory leak (From OE-Core rev: 7f2503ef132634431b28207c51b3fd18de076eb9) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit a3289c988764e5b864873b4adc7656c101a5b9c0) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* go: fix CVE-2022-2880Sakib Sajal2022-12-012-0/+179
| | | | | | | | | | Backport patch to fix CVE-2022-2880. (From OE-Core rev: a38f8316fdd0c9fc6fc7af195973028370935ba3) Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3: fix CVE-2022-42919 local privilege escalation via the ↵Vivek Kumbhar2022-12-012-0/+71
| | | | | | | | | | | | multiprocessing forkserver start method Upstream-Status: Backport from https://github.com/python/cpython/commit/eae692eed18892309bcc25a2c0f8980038305ea2 (From OE-Core rev: 9ed7184930707c98afabca8c6b712df874ad659f) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcc-source: Ensure deploy_source_date_epoch sstate hash doesn't changeRichard Purdie2022-11-241-0/+7
| | | | | | | | | | | | | | | | | | Currently if you switch machines, gcc-source do_deploy_source_date_epoch would re-run as the stamps are tune specific. This hasn't caused much of an issue until now, however if we fix the gcc recipes to reuse the timestamp from this task, it does then create problems. Copy code from allarch to ensure this task hash doesn't change between machines/tunes. (From OE-Core rev: 1511cb3bae2d6e2dad48269108e68967ae302efc) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 7e052d03464ba5e880a6c5a0e45ff2f467ef97e8) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcc-source: Drop gengtype manipulationRichard Purdie2022-11-241-2/+0
| | | | | | | | | | | | | | | | Whilst we patch gengtype.cc, we don't patch gengtype-lex.cc which would be the file which would trigger regeneration of files. The real bug that was likely the cause for this fix is probably SDE issues with gcc shared workdir so this code can now be dropped. (From OE-Core rev: 8a49626bb32b40a2cf97fd8b80564b494ae38698) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 7ab82b5db2a737c2a0266280b15d343a27c0e1d5) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcc-source: Fix gengtypes raceRichard Purdie2022-11-241-1/+1
| | | | | | | | | | | | | | | | | | | | gcc renamed .c files to .cc files: https://gcc.gnu.org/git/?p=gcc.git;a=commitdiff;h=5c69acb32329d49e58c26fa41ae74229a52b9106 but we didn't fix this reference which meant we re-introduced a race around gengtypes-lex.c. This lead to the race reappearing on the autobuilder. Fix the naming to avoid the problem again. [YOCTO #14953] (From OE-Core rev: ac7d5ea832c880002fd466360294ffb357e9c56c) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit dbca40ed399405b663dbc3894e35596a2615f47d) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* gcc-shared-source: Fix source date epoch handlingRichard Purdie2022-11-241-0/+10
| | | | | | | | | | | | | | | | | | | | | | | The source date epoch for gcc isn't being transferred from the shared workdir to the current WORKDIR for the specific recipe. This results in the clamping code within sstate.bbclass using a value from 2011 which changes the timestamps of many files. Since this happens part way through the build, if pieces of gcc haven't built, or build/rebuild later, we see things rebuilding when they should not and for generated files, races are possible. Fix this by copying the SDE from the shared workdir into the recipe workdir. [YOCTO #14953] (From OE-Core rev: 0511f24264bcc27d6b61edd2e16f899c985eb8ad) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit b996293b4c8ab7ff3ed852045d17290df29205df) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* get_module_deps3.py: Check attribute '__file__'Leon Anavi2022-11-241-1/+1
| | | | | | | | | | | | | | | Check if the module object has attribute '__file__' to fix and avoid errors like: AttributeError: module '_abc' has no attribute '__file__'. Did you mean: '__name__'? (From OE-Core rev: 1684457df9fb7029a276df4438c8fc4a17e3e1e9) Signed-off-by: Leon Anavi <leon.anavi@konsulko.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 8acce12c1a4cf37ac312c92d62a6ae93a349dddf) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* tcl: correct patch statusAlexander Kanavin2022-11-241-1/+1
| | | | | | | | | | | (From OE-Core rev: ccb7df0d61792bbc6fd5ef62848035207a63cf5d) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 9f37e5b83db662bba92605c8741516108aad3c5e) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* qemu: add io_uring PACKAGECONFIGRoss Burton2022-11-201-0/+1
| | | | | | | | | | | | | io_uring is enabled or disabled depending on whether liburing is available, so add a PACKAGECONFIG to make this explicit, disabled by default. (From OE-Core rev: 3243b069db7629d15e4b8c25b4133f824d18520c) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit daee79639c39ac6278855b35e0ddf71e52dd13f8) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* quilt: backport a patch to address grep 3.8 failuresAlexander Kanavin2022-11-202-0/+145
| | | | | | | | | | (From OE-Core rev: 97e522c83965777eb5faa1098ddee921e1c7fe79) Signed-off-by: Alexander Kanavin <alex@linutronix.de> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit b5001af5c711a373bd2f1ea108c8b597dd40faca) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* python3-mako: backport fix for CVE-2022-40023Narpat Mali2022-11-202-0/+121
| | | | | | | | | | | | | | | | | Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-40023 Reference to Upstream Patch: https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c (From OE-Core rev: 34727812b54fd52f85806f4f95702286d551b5fd) Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>