* [OE-core][scarthgap 0/7] Patch review
From: Steve Sakoman @ 2024-07-09 19:29 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, July 11
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7115
The following changes since commit 1cab8d06ce5df7a8d00cff8531965a84d90d265a:
curl: locale-base-en-us isn't glibc-specific (2024-07-03 07:09:47 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Changqing Li (2):
apt-native: don't let dpkg overwrite files by default
apt: runtime error: filename too long (tmpdir length)
Hitendra Prajapati (1):
ghostscript: upgrade 10.02.1 -> 10.03.1
Peter Marko (2):
flac: fix buildpaths warnings
cargo: remove True option to getVar calls
Xiangyu Chen (1):
qemu: Upgrade 8.2.1 -> 8.2.2
aszh07 (1):
xz: Update LICENSE variable for xz packages
meta/classes-recipe/cargo_common.bbclass | 4 +-
meta/classes-recipe/ptest-cargo.bbclass | 18 ++--
...he-filename-can-t-be-longer-than-255.patch | 40 ++++++++
meta/recipes-devtools/apt/apt_2.6.1.bb | 3 +-
...u-native_8.2.1.bb => qemu-native_8.2.2.bb} | 0
...e_8.2.1.bb => qemu-system-native_8.2.2.bb} | 0
meta/recipes-devtools/qemu/qemu.inc | 3 +-
.../qemu/qemu/CVE-2023-6683.patch | 91 -----------------
.../qemu/{qemu_8.2.1.bb => qemu_8.2.2.bb} | 0
.../ghostscript/CVE-2024-29510.patch | 84 ----------------
.../ghostscript/CVE-2024-33869-0001.patch | 39 --------
.../ghostscript/CVE-2024-33869-0002.patch | 52 ----------
.../ghostscript/CVE-2024-33870.patch | 99 -------------------
.../ghostscript/CVE-2024-33871.patch | 43 --------
.../avoid-host-contamination.patch | 11 +--
...dd-option-to-explicitly-disable-neon.patch | 99 -------------------
...ript_10.02.1.bb => ghostscript_10.03.1.bb} | 8 +-
meta/recipes-extended/xz/xz_5.4.6.bb | 6 +-
meta/recipes-multimedia/flac/flac_1.4.3.bb | 7 ++
19 files changed, 69 insertions(+), 538 deletions(-)
create mode 100644 meta/recipes-devtools/apt/apt/0001-strutl.cc-the-filename-can-t-be-longer-than-255.patch
rename meta/recipes-devtools/qemu/{qemu-native_8.2.1.bb => qemu-native_8.2.2.bb} (100%)
rename meta/recipes-devtools/qemu/{qemu-system-native_8.2.1.bb => qemu-system-native_8.2.2.bb} (100%)
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
rename meta/recipes-devtools/qemu/{qemu_8.2.1.bb => qemu_8.2.2.bb} (100%)
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/configure.ac-add-option-to-explicitly-disable-neon.patch
rename meta/recipes-extended/ghostscript/{ghostscript_10.02.1.bb => ghostscript_10.03.1.bb} (88%)
--
2.34.1
* [OE-core][scarthgap 1/7] ghostscript: upgrade 10.02.1 -> 10.03.1
From: Steve Sakoman @ 2024-07-09 19:29 UTC
To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

avoid-host-contamination.patch refreshed for 10.03.1

Below patches are no longer needed as it's included in this upgrade.
1. CVE-2024-29510.patch
2. CVE-2024-33869-0001.patch
3. CVE-2024-33869-0002.patch
4. CVE-2024-33870.patch
5. CVE-2024-33871.patch
6. configure.ac-add-option-to-explicitly-disable-neon.patch

other patch release to address security bugs:
CVE-2024-29506
CVE-2024-29507
CVE-2024-29508
CVE-2024-29509
CVE-2024-29511

(From OE-Core rev: 9a424fbcdc0c792ff3b99bf0e8a5e380582f53bc)

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../ghostscript/CVE-2024-29510.patch | 84 ---------------- .../ghostscript/CVE-2024-33869-0001.patch | 39 -------- .../ghostscript/CVE-2024-33869-0002.patch | 52 ---------- .../ghostscript/CVE-2024-33870.patch | 99 ------------------- .../ghostscript/CVE-2024-33871.patch | 43 -------- .../avoid-host-contamination.patch | 11 +-- ...dd-option-to-explicitly-disable-neon.patch | 99 ------------------- ...ript_10.02.1.bb => ghostscript_10.03.1.bb} | 8 +- 8 files changed, 5 insertions(+), 430 deletions(-) delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/configure.ac-add-option-to-explicitly-disable-neon.patch rename meta/recipes-extended/ghostscript/{ghostscript_10.02.1.bb => ghostscript_10.03.1.bb} (88%) diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch deleted file mode 100644 index 692d35157f..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 3b1735085ecef20b29e8db3416ab36de93e86d1f Mon Sep 17 00:00:00 2001 -From: Ken Sharp <Ken.Sharp@artifex.com> -Date: Thu, 21 Mar 2024 09:01:15 +0000 -Subject: [PATCH 5/5] Uniprint device - prevent string configuration changes - when SAFER - -Bug #707662 - -We cannot sanitise the string arguments used by the Uniprint device -because they can potentially include anything. - -This commit ensures that these strings are locked and cannot be -changed by PostScript once SAFER is activated. Full configuration from -the command line is still possible (see the *.upp files in lib). - -This addresses CVE-2024-29510 - -CVE: CVE-2024-29510 - -Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=3b1735085ecef20b29e] - -Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> ---- - devices/gdevupd.c | 31 +++++++++++++++++++++++++++++++ - 1 file changed, 31 insertions(+) - -diff --git a/devices/gdevupd.c b/devices/gdevupd.c -index 740dae0..a50571a 100644 ---- a/devices/gdevupd.c -+++ b/devices/gdevupd.c -@@ -1887,6 +1887,16 @@ out on this copies. - if(!upd_strings[i]) continue; - UPD_PARAM_READ(param_read_string,upd_strings[i],value,udev->memory); - if(0 == code) { -+ if (gs_is_path_control_active(udev->memory)) { -+ if (strings[i].size != value.size) -+ error = gs_error_invalidaccess; -+ else { -+ if (strings[i].data && memcmp(strings[i].data, value.data, strings[i].size) != 0) -+ error = gs_error_invalidaccess; -+ } -+ if (error < 0) -+ goto exit; -+ } - if(0 <= error) error |= UPD_PUT_STRINGS; - UPD_MM_DEL_PARAM(udev->memory, strings[i]); - if(!value.size) { -@@ -1904,6 +1914,26 @@ out on this copies. 
- if(!upd_string_a[i]) continue; - UPD_PARAM_READ(param_read_string_array,upd_string_a[i],value,udev->memory); - if(0 == code) { -+ if (gs_is_path_control_active(udev->memory)) { -+ if (string_a[i].size != value.size) -+ error = gs_error_invalidaccess; -+ else { -+ int loop; -+ for (loop = 0;loop < string_a[i].size;loop++) { -+ gs_param_string *tmp1 = (gs_param_string *)&(string_a[i].data[loop]); -+ gs_param_string *tmp2 = (gs_param_string *)&value.data[loop]; -+ -+ if (tmp1->size != tmp2->size) -+ error = gs_error_invalidaccess; -+ else { -+ if (tmp1->data && memcmp(tmp1->data, tmp2->data, tmp1->size) != 0) -+ error = gs_error_invalidaccess; -+ } -+ } -+ } -+ if (error < 0) -+ goto exit; -+ } - if(0 <= error) error |= UPD_PUT_STRING_A; - UPD_MM_DEL_APARAM(udev->memory, string_a[i]); - if(!value.size) { -@@ -2098,6 +2128,7 @@ transferred into the device-structure. In the case of "uniprint", this may - if(0 > code) error = code; - } - -+exit: - if(0 < error) { /* Actually something loaded without error */ - - if(!(upd = udev->upd)) { --- -2.40.0 diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch deleted file mode 100644 index 2f20c66ea3..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 5ae2e320d69a7d0973011796bd388cd5befa1a43 Mon Sep 17 00:00:00 2001 -From: Ken Sharp <Ken.Sharp@artifex.com> -Date: Tue, 26 Mar 2024 12:02:57 +0000 -Subject: [PATCH 2/5] Bug #707691 - -Part 1; when stripping a potential Current Working Dirctory specifier -from a path, make certain it really is a CWD, and not simply large -ebough to be a CWD. - -Reasons are in the bug thread, this is not (IMO) serious. - -This is part of the fix for CVE-2024-33869 - -CVE: CVE-2024-33869 - -Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973] - -Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> ---- - base/gpmisc.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/base/gpmisc.c b/base/gpmisc.c -index c4a69b0..1d4d5d8 100644 ---- a/base/gpmisc.c -+++ b/base/gpmisc.c -@@ -1164,8 +1164,8 @@ gp_validate_path_len(const gs_memory_t *mem, - - continue; - } -- else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) { -- buffer = bufferfull + cdirstrl + dirsepstrl; -+ else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull -+ && memcmp(buffer, cdirstr, cdirstrl) && !memcmp(buffer + cdirstrl, dirsepstr, dirsepstrl)) { - continue; - } - break; --- -2.40.0 diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch deleted file mode 100644 index 5dcbcca998..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From f5336e5b4154f515ac83bc5b9eba94302e6618d4 Mon Sep 17 00:00:00 2001 -From: Ken Sharp <Ken.Sharp@artifex.com> -Date: Tue, 26 Mar 2024 12:07:18 +0000 -Subject: [PATCH 3/5] Bug 707691 part 2 - -See bug thread for details - -This is the second part of the fix for CVE-2024-33869 - -CVE: CVE-2024-33869 - -Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83] - -Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> ---- - base/gpmisc.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/base/gpmisc.c b/base/gpmisc.c -index 1d4d5d8..b0d5c71 100644 ---- a/base/gpmisc.c -+++ b/base/gpmisc.c -@@ -1090,6 +1090,27 @@ gp_validate_path_len(const gs_memory_t *mem, - rlen = len; - } - else { -+ char *test = (char *)path, *test1; -+ uint tlen = len, slen; -+ -+ /* Look for any pipe (%pipe% or '|' specifications between path separators -+ * Reject any path spec which has a %pipe% or '|' anywhere except at the start. -+ */ -+ while (tlen > 0) { -+ if (test[0] == '|' || (tlen > 5 && memcmp(test, "%pipe", 5) == 0)) { -+ code = gs_note_error(gs_error_invalidfileaccess); -+ goto exit; -+ } -+ test1 = test; -+ slen = search_separator((const char **)&test, path + len, test1, 1); -+ if(slen == 0) -+ break; -+ test += slen; -+ tlen -= test - test1; -+ if (test >= path + len) -+ break; -+ } -+ - rlen = len+1; - bufferfull = (char *)gs_alloc_bytes(mem->thread_safe_memory, rlen + prefix_len, "gp_validate_path"); - if (bufferfull == NULL) --- -2.40.0 diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch deleted file mode 100644 index 9c2b9dcfa2..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From 79aef19c685984dc3da2dc090450407d9fbcff80 Mon Sep 17 00:00:00 2001 -From: Ken Sharp <Ken.Sharp@artifex.com> -Date: Tue, 26 Mar 2024 12:00:14 +0000 -Subject: [PATCH 1/5] Bug #707686 - -See bug thread for details - -In addition to the noted bug; an error path (return from -gp_file_name_reduce not successful) could elad to a memory leak as we -did not free 'bufferfull'. Fix that too. - -This addresses CVE-2024-33870 - -CVE: CVE-2024-33870 - -Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc] - -Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> ---- - base/gpmisc.c | 36 ++++++++++++++++++++++++++++++++---- - 1 file changed, 32 insertions(+), 4 deletions(-) - -diff --git a/base/gpmisc.c b/base/gpmisc.c -index 2b0064b..c4a69b0 100644 ---- a/base/gpmisc.c -+++ b/base/gpmisc.c -@@ -1,4 +1,4 @@ --/* Copyright (C) 2001-2023 Artifex Software, Inc. -+/* Copyright (C) 2001-2024 Artifex Software, Inc. - All Rights Reserved. 
- - This software is provided AS-IS with no warranty, either express or -@@ -1042,7 +1042,7 @@ gp_validate_path_len(const gs_memory_t *mem, - const uint len, - const char *mode) - { -- char *buffer, *bufferfull; -+ char *buffer, *bufferfull = NULL; - uint rlen; - int code = 0; - const char *cdirstr = gp_file_name_current(); -@@ -1096,8 +1096,10 @@ gp_validate_path_len(const gs_memory_t *mem, - return gs_error_VMerror; - - buffer = bufferfull + prefix_len; -- if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) -- return gs_error_invalidfileaccess; -+ if (gp_file_name_reduce(path, (uint)len, buffer, &rlen) != gp_combine_success) { -+ code = gs_note_error(gs_error_invalidfileaccess); -+ goto exit; -+ } - buffer[rlen] = 0; - } - while (1) { -@@ -1132,9 +1134,34 @@ gp_validate_path_len(const gs_memory_t *mem, - code = gs_note_error(gs_error_invalidfileaccess); - } - if (code < 0 && prefix_len > 0 && buffer > bufferfull) { -+ uint newlen = rlen + cdirstrl + dirsepstrl; -+ char *newbuffer; -+ int code; -+ - buffer = bufferfull; - memcpy(buffer, cdirstr, cdirstrl); - memcpy(buffer + cdirstrl, dirsepstr, dirsepstrl); -+ -+ /* We've prepended a './' or similar for the current working directory. We need -+ * to execute file_name_reduce on that, to eliminate any '../' or similar from -+ * the (new) full path. 
-+ */ -+ newbuffer = (char *)gs_alloc_bytes(mem->thread_safe_memory, newlen + 1, "gp_validate_path"); -+ if (newbuffer == NULL) { -+ code = gs_note_error(gs_error_VMerror); -+ goto exit; -+ } -+ -+ memcpy(newbuffer, buffer, rlen + cdirstrl + dirsepstrl); -+ newbuffer[newlen] = 0x00; -+ -+ code = gp_file_name_reduce(newbuffer, (uint)newlen, buffer, &newlen); -+ gs_free_object(mem->thread_safe_memory, newbuffer, "gp_validate_path"); -+ if (code != gp_combine_success) { -+ code = gs_note_error(gs_error_invalidfileaccess); -+ goto exit; -+ } -+ - continue; - } - else if (code < 0 && cdirstrl > 0 && prefix_len == 0 && buffer == bufferfull) { -@@ -1153,6 +1180,7 @@ gp_validate_path_len(const gs_memory_t *mem, - gs_path_control_flag_is_scratch_file); - } - -+exit: - gs_free_object(mem->thread_safe_memory, bufferfull, "gp_validate_path"); - #ifdef EACCES - if (code == gs_error_invalidfileaccess) --- -2.40.0 diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch deleted file mode 100644 index abe6384997..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 7145885041bb52cc23964f0aa2aec1b1c82b5908 Mon Sep 17 00:00:00 2001 -From: Zdenek Hutyra <zhutyra@centrum.cz> -Date: Mon, 22 Apr 2024 13:33:47 +0100 -Subject: [PATCH 4/5] OPVP device - prevent unsafe parameter change with SAFER - -Bug #707754 "OPVP device - Arbitrary code execution via custom Driver library" - -The "Driver" parameter for the "opvp"/"oprp" device specifies the name -of a dynamic library and allows any library to be loaded. - -The patch does not allow changing this parameter after activating path -control. - -This addresses CVE-2024-33871 - -CVE: CVE-2024-33871 - -Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc2396] - -Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> ---- - contrib/opvp/gdevopvp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/contrib/opvp/gdevopvp.c b/contrib/opvp/gdevopvp.c -index 74200cf..80eb23b 100644 ---- a/contrib/opvp/gdevopvp.c -+++ b/contrib/opvp/gdevopvp.c -@@ -3456,6 +3456,12 @@ _put_params(gx_device *dev, gs_param_list *plist) - code = param_read_string(plist, pname, &vdps); - switch (code) { - case 0: -+ if (gs_is_path_control_active(dev->memory) -+ && (!opdev->globals.vectorDriver || strlen(opdev->globals.vectorDriver) != vdps.size -+ || memcmp(opdev->globals.vectorDriver, vdps.data, vdps.size) != 0)) { -+ param_signal_error(plist, pname, gs_error_invalidaccess); -+ return_error(gs_error_invalidaccess); -+ } - buff = realloc(buff, vdps.size + 1); - memcpy(buff, vdps.data, vdps.size); - buff[vdps.size] = 0; --- -2.40.0 diff --git a/meta/recipes-extended/ghostscript/ghostscript/avoid-host-contamination.patch b/meta/recipes-extended/ghostscript/ghostscript/avoid-host-contamination.patch index 15c7eb5a77..67f14bd368 100644 --- a/meta/recipes-extended/ghostscript/ghostscript/avoid-host-contamination.patch +++ b/meta/recipes-extended/ghostscript/ghostscript/avoid-host-contamination.patch 
@@ -1,7 +1,7 @@ -From 0ccbaa134093bf6afc79f2d20d061bca5a8754ed Mon Sep 17 00:00:00 2001 +From b36713c8f1ba0e5755b78845a433354a63663b1a Mon Sep 17 00:00:00 2001 From: Kai Kang <kai.kang@windriver.com> Date: Thu, 29 Mar 2018 16:02:05 +0800 -Subject: [PATCH 04/10] avoid host contamination +Subject: [PATCH] avoid host contamination Remove hardcode path refer to host to avoid host contamination. @@ -15,10 +15,10 @@ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/devs.mak b/devices/devs.mak -index 846aa50..9570182 100644 +index 186f704..88ab8c9 100644 --- a/devices/devs.mak +++ b/devices/devs.mak -@@ -393,7 +393,7 @@ $(DEVOBJ)gdevxalt.$(OBJ) : $(DEVSRC)gdevxalt.c $(GDEVX) $(math__h) $(memory__h)\ +@@ -397,7 +397,7 @@ $(DEVOBJ)gdevxalt.$(OBJ) : $(DEVSRC)gdevxalt.c $(GDEVX) $(math__h) $(memory__h)\ ### NON PORTABLE, ONLY UNIX WITH GCC SUPPORT $(DEVOBJ)X11.so : $(x11alt_) $(x11_) $(DEVS_MAK) $(MAKEDIRS) @@ -27,6 +27,3 @@ index 846aa50..9570182 100644 ###### --------------- Memory-buffered printer devices --------------- ###### --- -1.8.3.1 - diff --git a/meta/recipes-extended/ghostscript/ghostscript/configure.ac-add-option-to-explicitly-disable-neon.patch b/meta/recipes-extended/ghostscript/ghostscript/configure.ac-add-option-to-explicitly-disable-neon.patch deleted file mode 100644 index 7873396045..0000000000 --- a/meta/recipes-extended/ghostscript/ghostscript/configure.ac-add-option-to-explicitly-disable-neon.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From fd37229a17822c5ad21a369f670b8a6f6cc6b95b Mon Sep 17 00:00:00 2001 -From: Benjamin Bara <benjamin.bara@skidata.com> -Date: Mon, 4 Sep 2023 12:16:39 +0200 -Subject: [PATCH] configure.ac: add option to explicitly disable neon - -Uncomment an already existing possibility to explicitly disable neon and -use it on both implemented neon checks. - -Upstream-Status: Submitted [https://bugs.ghostscript.com/show_bug.cgi?id=707097] - -Signed-off-by: Benjamin Bara <benjamin.bara@skidata.com> ---- - configure.ac | 52 +++++++++++++++++++++++++++++----------------------- - 1 file changed, 29 insertions(+), 23 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 09d881dd1..62718e15e 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -749,6 +749,33 @@ SUBCONFIG_OPTS="--build=$build --host=$host" - # SUBCONFIG_OPTS="$SUBCONFIG_OPTS --host=$host_alias" - #fi - -+dnl -------------------------------------------------- -+dnl Check for NEON support -+dnl -------------------------------------------------- -+save_cflags=$CFLAGS -+AC_MSG_CHECKING([neon support]) -+CFLAGS="$save_cflags $OPT_CFLAGS -mfpu=neon -mcpu=cortex-a53" -+HAVE_NEON="" -+AC_LINK_IFELSE( -+ [AC_LANG_PROGRAM([#include "arm_neon.h"], [ -+ int32x4_t round = vdupq_n_s32(10); -+ return(0); -+ ])], -+ [HAVE_NEON="-DHAVE_NEON"], [HAVE_NEON=""]) -+ -+AC_ARG_ENABLE([neon], AS_HELP_STRING([--disable-neon], -+ [Do not use neon instrinsics]), [ -+ if test "x$enable_neon" = xno; then -+ HAVE_NEON="" -+ fi]) -+ -+if test "x$HAVE_NEON" != x; then -+ AC_MSG_RESULT(yes) -+else -+ AC_MSG_RESULT(no) -+fi -+CFLAGS=$save_cflags -+ - dnl -------------------------------------------------- - dnl Check for libraries - dnl -------------------------------------------------- -@@ -971,11 +998,12 @@ if test x$with_tesseract != xno; then - [TESS_NEON="-mfpu=neon -mcpu=cortex-a53 -D__ARM_NEON__"], - [TESS_NEON=""]) - -- if test "x$TESS_NEON" != x; then -+ if test "x$TESS_NEON" != x && test "x$enable_neon" != xno; then - 
AC_MSG_RESULT(yes) - TESS_CXXFLAGS="$TESS_CXXFLAGS -DHAVE_NEON" - else - AC_MSG_RESULT(no) -+ TESS_NEON="" - fi - - CXXFLAGS="$save_cxxflags" -@@ -2387,28 +2415,6 @@ if test x$WITH_CAL != x0; then - AC_MSG_RESULT(no) - fi - -- AC_MSG_CHECKING([neon support]) -- CFLAGS="$save_cflags $OPT_CFLAGS -mfpu=neon -mcpu=cortex-a53" -- HAVE_NEON="" -- AC_LINK_IFELSE( -- [AC_LANG_PROGRAM([#include "arm_neon.h"], [ -- int32x4_t round = vdupq_n_s32(10); -- return(0); -- ])], -- [HAVE_NEON="-DHAVE_NEON"], [HAVE_NEON=""]) -- -- #AC_ARG_ENABLE([neon], AS_HELP_STRING([--disable-neon], -- # [Do not use neon instrinsics]), [ -- # if test "x$enable_neon" = xno; then -- # HAVE_NEON="" -- # fi]) -- -- if test "x$HAVE_NEON" != x; then -- AC_MSG_RESULT(yes) -- else -- AC_MSG_RESULT(no) -- fi -- - #AC_SUBST(HAVE_SSE4_2) - #AC_SUBST(HAVE_NEON) - CFLAGS=$save_cflags --- -2.34.1 - diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.03.1.bb similarity index 88% rename from meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb rename to meta/recipes-extended/ghostscript/ghostscript_10.03.1.bb index db9481816a..0504f5244f 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_10.02.1.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_10.03.1.bb 
@@ -25,15 +25,9 @@ def gs_verdir(v): SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${@gs_verdir("${PV}")}/${BPN}-${PV}.tar.gz \ file://ghostscript-9.16-Werror-return-type.patch \ file://avoid-host-contamination.patch \ - file://configure.ac-add-option-to-explicitly-disable-neon.patch \ - file://CVE-2024-33870.patch \ - file://CVE-2024-33869-0001.patch \ - file://CVE-2024-33869-0002.patch \ - file://CVE-2024-33871.patch \ - file://CVE-2024-29510.patch \ " -SRC_URI[sha256sum] = "e429e4f5b01615a4f0f93a4128e8a1a4d932dff983b1774174c79c0630717ad9" +SRC_URI[sha256sum] = "31cd01682ad23a801cc3bbc222a55f07c4ea3e068bdfb447792d54db21a2e8ad" PACKAGECONFIG ??= "" PACKAGECONFIG[gtk] = "--enable-gtk,--disable-gtk,gtk+3" -- 2.34.1 ^ permalink raw reply related [flat|nested] 13+ messages in thread
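Review bot: the SRC_URI hunk in ghostscript_10.03.1.bb drops the five CVE backports (CVE-2024-33870, CVE-2024-33869-0001, CVE-2024-33869-0002, CVE-2024-33871, CVE-2024-29510) on the strength of one sentence in the commit message. Each deleted patch records its upstream commit in an Upstream-Status: Backport line (79aef19c685984dc, 5ae2e320d69a7d0973, f5336e5b4154f515ac83, 7145885041bb52cc2396, 3b1735085ecef20b29e). Please state in the commit message that all five commits are contained in the 10.03.1 tarball, because once the patch files and their CVE: tags are gone, the fix status of these CVEs rests on the recipe version alone.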
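Review bot: configure.ac-add-option-to-explicitly-disable-neon.patch is deleted as "included in this upgrade", but its header reads Upstream-Status: Submitted [https://bugs.ghostscript.com/show_bug.cgi?id=707097], not Backport, so the page gives no upstream commit to check against. Please name the upstream change that makes it redundant and confirm that the --disable-neon option it added to configure.ac, including the "x$enable_neon" != xno guard on the tesseract NEON check, is present in 10.03.1. If the option is missing, a configure argument that depends on it would no longer disable NEON.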
* [OE-core][scarthgap 2/7] qemu: Upgrade 8.2.1 -> 8.2.2 2024-07-09 19:29 [OE-core][scarthgap 0/7] Patch review Steve Sakoman 2024-07-09 19:29 ` [OE-core][scarthgap 1/7] ghostscript: upgrade 10.02.1 -> 10.03.1 Steve Sakoman @ 2024-07-09 19:29 ` Steve Sakoman 2024-07-09 19:29 ` [OE-core][scarthgap 3/7] apt-native: don't let dpkg overwrite files by default Steve Sakoman ` (4 subsequent siblings) 6 siblings, 0 replies; 13+ messages in thread From: Steve Sakoman @ 2024-07-09 19:29 UTC (permalink / raw) To: openembedded-core From: Xiangyu Chen <xiangyu.chen@windriver.com> This was a bugfix release, this version fixed several important fixes according to upstream. Dropped CVE-2023-6683.patch since already contained the fix. Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- ...u-native_8.2.1.bb => qemu-native_8.2.2.bb} | 0 ...e_8.2.1.bb => qemu-system-native_8.2.2.bb} | 0 meta/recipes-devtools/qemu/qemu.inc | 3 +- .../qemu/qemu/CVE-2023-6683.patch | 91 ------------------- .../qemu/{qemu_8.2.1.bb => qemu_8.2.2.bb} | 0 5 files changed, 1 insertion(+), 93 deletions(-) rename meta/recipes-devtools/qemu/{qemu-native_8.2.1.bb => qemu-native_8.2.2.bb} (100%) rename meta/recipes-devtools/qemu/{qemu-system-native_8.2.1.bb => qemu-system-native_8.2.2.bb} (100%) delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch rename meta/recipes-devtools/qemu/{qemu_8.2.1.bb => qemu_8.2.2.bb} (100%) diff --git a/meta/recipes-devtools/qemu/qemu-native_8.2.1.bb b/meta/recipes-devtools/qemu/qemu-native_8.2.2.bb similarity index 100% rename from meta/recipes-devtools/qemu/qemu-native_8.2.1.bb rename to meta/recipes-devtools/qemu/qemu-native_8.2.2.bb diff --git a/meta/recipes-devtools/qemu/qemu-system-native_8.2.1.bb b/meta/recipes-devtools/qemu/qemu-system-native_8.2.2.bb similarity index 100% rename from meta/recipes-devtools/qemu/qemu-system-native_8.2.1.bb rename to meta/recipes-devtools/qemu/qemu-system-native_8.2.2.bb 
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index d22bc31ce3..e121ae70cc 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -39,7 +39,6 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0003-linux-user-Add-strace-for-shmat.patch \ file://0004-linux-user-Rewrite-target_shmat.patch \ file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch \ - file://CVE-2023-6683.patch \ file://qemu-guest-agent.init \ file://qemu-guest-agent.udev \ file://CVE-2024-3446-01.patch \ @@ -63,7 +62,7 @@ SRC_URI:append:class-native = " \ file://0012-linux-user-workaround-for-missing-MAP_SHARED_VALIDAT.patch \ " -SRC_URI[sha256sum] = "8562751158175f9d187c5f22b57555abe3c870f0325c8ced12c34c6d987729be" +SRC_URI[sha256sum] = "847346c1b82c1a54b2c38f6edbd85549edeb17430b7d4d3da12620e2962bc4f3" CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default." diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch deleted file mode 100644 index 732cb6af18..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001 -From: Fiona Ebner <f.ebner@proxmox.com> -Date: Wed, 24 Jan 2024 11:57:48 +0100 -Subject: [PATCH] ui/clipboard: mark type as not available when there is no - data -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT -message with len=0. In qemu_clipboard_set_data(), the clipboard info -will be updated setting data to NULL (because g_memdup(data, size) -returns NULL when size is 0). If the client does not set the -VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then -the 'request' callback for the clipboard peer is not initialized. -Later, because data is NULL, qemu_clipboard_request() can be reached -via vdagent_chr_write() and vdagent_clipboard_recv_request() and -there, the clipboard owner's 'request' callback will be attempted to -be called, but that is a NULL pointer. - -In particular, this can happen when using the KRDC (22.12.3) VNC -client. - -Another scenario leading to the same issue is with two clients (say -noVNC and KRDC): - -The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and -initializes its cbpeer. - -The KRDC client does not, but triggers a vnc_client_cut_text() (note -it's not the _ext variant)). There, a new clipboard info with it as -the 'owner' is created and via qemu_clipboard_set_data() is called, -which in turn calls qemu_clipboard_update() with that info. - -In qemu_clipboard_update(), the notifier for the noVNC client will be -called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the -noVNC client. The 'owner' in that clipboard info is the clipboard peer -for the KRDC client, which did not initialize the 'request' function. -That sounds correct to me, it is the owner of that clipboard info. 
- -Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set -the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it -passes), that clipboard info is passed to qemu_clipboard_request() and -the original segfault still happens. - -Fix the issue by handling updates with size 0 differently. In -particular, mark in the clipboard info that the type is not available. - -While at it, switch to g_memdup2(), because g_memdup() is deprecated. - -Cc: qemu-stable@nongnu.org -Fixes: CVE-2023-6683 -Reported-by: Markus Frank <m.frank@proxmox.com> -Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Signed-off-by: Fiona Ebner <f.ebner@proxmox.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Tested-by: Markus Frank <m.frank@proxmox.com> -Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com> - -CVE: CVE-2023-6683 - -Upstream-Status: Backport [https://github.com/qemu/qemu/commit/405484b29f6548c7b86549b0f961b906337aa68a] -Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> - ---- - ui/clipboard.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/ui/clipboard.c b/ui/clipboard.c -index 3d14bffaf80f..b3f6fa3c9e1f 100644 ---- a/ui/clipboard.c -+++ b/ui/clipboard.c -@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer, - } - - g_free(info->types[type].data); -- info->types[type].data = g_memdup(data, size); -- info->types[type].size = size; -- info->types[type].available = true; -+ if (size) { -+ info->types[type].data = g_memdup2(data, size); -+ info->types[type].size = size; -+ info->types[type].available = true; -+ } else { -+ info->types[type].data = NULL; -+ info->types[type].size = 0; -+ info->types[type].available = false; -+ } - - if (update) { - qemu_clipboard_update(info); 
diff --git a/meta/recipes-devtools/qemu/qemu_8.2.1.bb b/meta/recipes-devtools/qemu/qemu_8.2.2.bb similarity index 100% rename from meta/recipes-devtools/qemu/qemu_8.2.1.bb rename to meta/recipes-devtools/qemu/qemu_8.2.2.bb -- 2.34.1 ^ permalink raw reply related [flat|nested] 13+ messages in thread
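Review bot: the qemu.inc hunk removes file://CVE-2023-6683.patch and replaces SRC_URI[sha256sum], while the commit message justifies both only with "several important fixes according to upstream". For a stable-branch version bump, please name the upstream fixes or link the 8.2.2 release notes, and say explicitly that upstream commit 405484b29f6548c7b86549b0f961b906337aa68a (the Backport source recorded in the deleted patch) is part of 8.2.2, so the removal can be verified without unpacking the tarball.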
* [OE-core][scarthgap 3/7] apt-native: don't let dpkg overwrite files by default 2024-07-09 19:29 [OE-core][scarthgap 0/7] Patch review Steve Sakoman 2024-07-09 19:29 ` [OE-core][scarthgap 1/7] ghostscript: upgrade 10.02.1 -> 10.03.1 Steve Sakoman 2024-07-09 19:29 ` [OE-core][scarthgap 2/7] qemu: Upgrade 8.2.1 -> 8.2.2 Steve Sakoman @ 2024-07-09 19:29 ` Steve Sakoman 2024-07-09 19:29 ` [OE-core][scarthgap 4/7] apt: runtime error: filename too long (tmpdir length) Steve Sakoman ` (3 subsequent siblings) 6 siblings, 0 replies; 13+ messages in thread From: Steve Sakoman @ 2024-07-09 19:29 UTC (permalink / raw) To: openembedded-core From: Changqing Li <changqing.li@windriver.com> With --force-overwrite (implied by --force-all), dpkg will not abort when a package overwrites files from different packages. As this can also lead to "The following package disappeared from your system as all files have been overwritten by other packages: <package>" and subsequently broken dependencies, this makes the simple case of conflicting files hard to debug. Instead of finding all possibly required force options, only disable overwrite for now. Signed-off-by: Jan Luebbe <jlu@pengutronix.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Take back from https://git.openembedded.org/openembedded-core/commit/?id=4292387ef6c4e80428bad6a07c844a288b27d9a1 Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-devtools/apt/apt_2.6.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/apt/apt_2.6.1.bb b/meta/recipes-devtools/apt/apt_2.6.1.bb index fb4ff899d2..e688d30cae 100644 --- a/meta/recipes-devtools/apt/apt_2.6.1.bb +++ b/meta/recipes-devtools/apt/apt_2.6.1.bb 
@@ -111,7 +111,7 @@ Acquire AllowInsecureRepositories "true"; }; -DPkg::Options {"--root=#ROOTFS#";"--admindir=#ROOTFS#/var/lib/dpkg";"--force-all";"--no-debsig"}; +DPkg::Options {"--root=#ROOTFS#";"--admindir=#ROOTFS#/var/lib/dpkg";"--force-all";"--no-force-overwrite";"--no-debsig"}; DPkg::Path ""; EOF } -- 2.34.1 ^ permalink raw reply related [flat|nested] 13+ messages in thread
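Review bot: "--no-force-overwrite" only takes effect because it is listed after "--force-all" in DPkg::Options, and nothing in the recipe records that ordering dependency. A later reorder of the list, or another "--force-all" appended after it, would silently restore overwriting. Add a comment in the recipe above the heredoc saying the negation must stay after "--force-all". Every other force option implied by "--force-all" remains enabled, as the commit message acknowledges, so file conflicts are the only class of packaging error this change turns back into a hard failure.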
* [OE-core][scarthgap 4/7] apt: runtime error: filename too long (tmpdir length) 2024-07-09 19:29 [OE-core][scarthgap 0/7] Patch review Steve Sakoman ` (2 preceding siblings ...) 2024-07-09 19:29 ` [OE-core][scarthgap 3/7] apt-native: don't let dpkg overwrite files by default Steve Sakoman @ 2024-07-09 19:29 ` Steve Sakoman 2024-07-09 19:29 ` [OE-core][scarthgap 5/7] flac: fix buildpaths warnings Steve Sakoman ` (2 subsequent siblings) 6 siblings, 0 replies; 13+ messages in thread From: Steve Sakoman @ 2024-07-09 19:29 UTC (permalink / raw) To: openembedded-core From: Changqing Li <changqing.li@windriver.com> when the tmpdir dir is longer than 220, there is no files saved in tmp/sysroots/x86_64-linux/var/lib/apt/lists/ after run apt-get update, this is because apt-get uses the path as the file name, but the file name can't be longer than 255 according to /usr/include/linux/limits.h. [YOCTO #2688] Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Take back from https://git.openembedded.org/openembedded-core/commit/?id=9a0c0393871eda4bbcecfdd4b595f0c1b8e42edf Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- ...he-filename-can-t-be-longer-than-255.patch | 40 +++++++++++++++++++ meta/recipes-devtools/apt/apt_2.6.1.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-devtools/apt/apt/0001-strutl.cc-the-filename-can-t-be-longer-than-255.patch diff --git a/meta/recipes-devtools/apt/apt/0001-strutl.cc-the-filename-can-t-be-longer-than-255.patch b/meta/recipes-devtools/apt/apt/0001-strutl.cc-the-filename-can-t-be-longer-than-255.patch new file mode 100644 index 0000000000..311c3664ad --- /dev/null +++ b/meta/recipes-devtools/apt/apt/0001-strutl.cc-the-filename-can-t-be-longer-than-255.patch 
@@ -0,0 +1,40 @@ +From 918295aa1320718d342116f76c98d2289d377800 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Tue, 18 Jun 2024 10:32:55 +0800 +Subject: [PATCH] strutl.cc: the filename can't be longer than 255 + +The URItoFileName translates the path into the filename, but the +filename can't be longer than 255 according to +/usr/include/linux/limits.h. + +Truncate it when it is longer than 240 (leave some spaces for +".Packages" and "._Release" suffix) + +Upstream-Status: Submitted [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073591] +Signed-off-by: Robert Yang <liezhi.yang@windriver.com> +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + apt-pkg/contrib/strutl.cc | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/apt-pkg/contrib/strutl.cc b/apt-pkg/contrib/strutl.cc +index 67100f1..5076b35 100644 +--- a/apt-pkg/contrib/strutl.cc ++++ b/apt-pkg/contrib/strutl.cc +@@ -565,7 +565,12 @@ string URItoFileName(const string &URI) + // "\x00-\x20{}|\\\\^\\[\\]<>\"\x7F-\xFF"; + string NewURI = QuoteString(U,"\\|{}[]<>\"^~_=!@#$%^&*"); + replace(NewURI.begin(),NewURI.end(),'/','_'); +- return NewURI; ++ ++ // Truncate from the head when it is longer than 240 ++ if(NewURI.length() > 240) ++ return NewURI.substr(NewURI.length() - 240, NewURI.length() - 1); ++ else ++ return NewURI; + } + /*}}}*/ + // Base64Encode - Base64 Encoding routine for short strings /*{{{*/ +-- +2.25.1 + diff --git a/meta/recipes-devtools/apt/apt_2.6.1.bb b/meta/recipes-devtools/apt/apt_2.6.1.bb index e688d30cae..1eec7fe7a6 100644 --- a/meta/recipes-devtools/apt/apt_2.6.1.bb +++ b/meta/recipes-devtools/apt/apt_2.6.1.bb 
@@ -14,6 +14,7 @@ SRC_URI = "${DEBIAN_MIRROR}/main/a/apt/${BPN}_${PV}.tar.xz \ file://0001-Hide-fstatat64-and-prlimit64-defines-on-musl.patch \ file://0001-aptwebserver.cc-Include-array.patch \ file://0001-Remove-using-std-binary_function.patch \ + file://0001-strutl.cc-the-filename-can-t-be-longer-than-255.patch \ " SRC_URI:append:class-native = " \ -- 2.34.1 ^ permalink raw reply related [flat|nested] 13+ messages in thread
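Review bot: in the URItoFileName hunk of the added patch, NewURI.substr(NewURI.length() - 240, NewURI.length() - 1) passes an end index where std::string::substr takes a count. It returns the last 240 characters only because substr clamps an oversized count. Use NewURI.substr(NewURI.length() - 240) so the intent is explicit. Truncating from the head also makes the URI-to-filename mapping many-to-one: two sources whose quoted URIs share their final 240 characters end up with the same list file name. Either note that limitation in the patch description or keep the name unique, for example by prefixing a short hash of the dropped part.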
* [OE-core][scarthgap 5/7] flac: fix buildpaths warnings 2024-07-09 19:29 [OE-core][scarthgap 0/7] Patch review Steve Sakoman ` (3 preceding siblings ...) 2024-07-09 19:29 ` [OE-core][scarthgap 4/7] apt: runtime error: filename too long (tmpdir length) Steve Sakoman @ 2024-07-09 19:29 ` Steve Sakoman 2024-07-09 19:29 ` [OE-core][scarthgap 6/7] cargo: remove True option to getVar calls Steve Sakoman 2024-07-09 19:30 ` [OE-core][scarthgap 7/7] xz: Update LICENSE variable for xz packages Steve Sakoman 6 siblings, 0 replies; 13+ messages in thread From: Steve Sakoman @ 2024-07-09 19:29 UTC (permalink / raw) To: openembedded-core From: Peter Marko <peter.marko@siemens.com> Generated documentation (html) contain absolute paths cources using buildpaths warnings. Replace them with relative links. The file with root path to sources is in my build /usr/share/doc/flac/api/dir_c122f5d6544f32779f55e8358fb78605.html which does not looks as stable name, so replace it in all files. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c7d826c88933d53d550265f1cc382539c5c52994) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-multimedia/flac/flac_1.4.3.bb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/meta/recipes-multimedia/flac/flac_1.4.3.bb b/meta/recipes-multimedia/flac/flac_1.4.3.bb index d4e463cda5..87b67bee1f 100644 --- a/meta/recipes-multimedia/flac/flac_1.4.3.bb +++ b/meta/recipes-multimedia/flac/flac_1.4.3.bb 
@@ -34,3 +34,10 @@ PACKAGES += "libflac libflac++" FILES:${PN} = "${bindir}/*" FILES:libflac = "${libdir}/libFLAC.so.*" FILES:libflac++ = "${libdir}/libFLAC++.so.*" + +do_install:append() { + # make the links in documentation relative to avoid buildpaths reproducibility problem + sed -i "s#${S}/include#${includedir}#g" ${D}${docdir}/flac/FLAC.tag ${D}${docdir}/flac/api/*.html + # there is also one root path without trailing slash + sed -i "s#${S}#/#g" ${D}${docdir}/flac/api/*.html +} -- 2.34.1 ^ permalink raw reply related [flat|nested] 13+ messages in thread
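Review bot: both sed calls in do_install:append run unconditionally on ${D}${docdir}/flac/api/*.html, so when the API documentation is not installed the glob stays unexpanded, sed -i exits non-zero and do_install fails. Guard the block with a test for ${D}${docdir}/flac/api (or for FLAC.tag) before running sed. The second expression also rewrites every remaining ${S} to "/", so any path under ${S} other than include would turn into "//<subdir>"; the commit message expects only one bare root path, so anchoring the match to the closing quote of the link would keep it from touching anything else.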
* [OE-core][scarthgap 6/7] cargo: remove True option to getVar calls 2024-07-09 19:29 [OE-core][scarthgap 0/7] Patch review Steve Sakoman ` (4 preceding siblings ...) 2024-07-09 19:29 ` [OE-core][scarthgap 5/7] flac: fix buildpaths warnings Steve Sakoman @ 2024-07-09 19:29 ` Steve Sakoman 2024-07-09 19:30 ` [OE-core][scarthgap 7/7] xz: Update LICENSE variable for xz packages Steve Sakoman 6 siblings, 0 replies; 13+ messages in thread From: Steve Sakoman @ 2024-07-09 19:29 UTC (permalink / raw) To: openembedded-core From: Peter Marko <peter.marko@siemens.com> Layer cleanup similar to https://git.openembedded.org/openembedded-core/commit/?id=26c74fd10614582e177437608908eb43688ab510 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 9a2ed52473a3e4eb662509824ef8e59520ebdefb) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/classes-recipe/cargo_common.bbclass | 4 ++-- meta/classes-recipe/ptest-cargo.bbclass | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/meta/classes-recipe/cargo_common.bbclass b/meta/classes-recipe/cargo_common.bbclass index 0fb443edbd..19c497b8d6 100644 --- a/meta/classes-recipe/cargo_common.bbclass +++ b/meta/classes-recipe/cargo_common.bbclass @@ -41,7 +41,7 @@ CARGO_SRC_DIR ??= "" CARGO_MANIFEST_PATH ??= "${S}/${CARGO_SRC_DIR}/Cargo.toml" # Path to Cargo.lock -CARGO_LOCK_PATH ??= "${@ os.path.join(os.path.dirname(d.getVar('CARGO_MANIFEST_PATH', True)), 'Cargo.lock')}" +CARGO_LOCK_PATH ??= "${@ os.path.join(os.path.dirname(d.getVar('CARGO_MANIFEST_PATH')), 'Cargo.lock')}" CARGO_RUST_TARGET_CCLD ??= "${RUST_TARGET_CCLD}" cargo_common_do_configure () { 
@@ -171,7 +171,7 @@ python cargo_common_do_patch_paths() { # here is better than letting cargo tell (in case the file is missing) # "Cargo.lock should be modified but --frozen was given" - lockfile = d.getVar("CARGO_LOCK_PATH", True) + lockfile = d.getVar("CARGO_LOCK_PATH") if not os.path.exists(lockfile): bb.fatal(f"{lockfile} file doesn't exist") diff --git a/meta/classes-recipe/ptest-cargo.bbclass b/meta/classes-recipe/ptest-cargo.bbclass index c46df362bf..fd1df9d7c9 100644 --- a/meta/classes-recipe/ptest-cargo.bbclass +++ b/meta/classes-recipe/ptest-cargo.bbclass @@ -12,10 +12,10 @@ python do_compile_ptest_cargo() { import subprocess import json - cargo = bb.utils.which(d.getVar("PATH"), d.getVar("CARGO", True)) - cargo_build_flags = d.getVar("CARGO_BUILD_FLAGS", True) - rust_flags = d.getVar("RUSTFLAGS", True) - manifest_path = d.getVar("CARGO_MANIFEST_PATH", True) + cargo = bb.utils.which(d.getVar("PATH"), d.getVar("CARGO")) + cargo_build_flags = d.getVar("CARGO_BUILD_FLAGS") + rust_flags = d.getVar("RUSTFLAGS") + manifest_path = d.getVar("CARGO_MANIFEST_PATH") project_manifest_path = os.path.normpath(manifest_path) manifest_dir = os.path.dirname(manifest_path) @@ -66,7 +66,7 @@ python do_compile_ptest_cargo() { if not test_bins: bb.fatal("Unable to find any test binaries") - cargo_test_binaries_file = d.getVar('CARGO_TEST_BINARIES_FILES', True) + cargo_test_binaries_file = d.getVar('CARGO_TEST_BINARIES_FILES') bb.note(f"Found {len(test_bins)} tests, write their paths into {cargo_test_binaries_file}") with open(cargo_test_binaries_file, "w") as f: for test_bin in test_bins: 
@@ -77,10 +77,10 @@ python do_compile_ptest_cargo() { python do_install_ptest_cargo() { import shutil - dest_dir = d.getVar("D", True) - pn = d.getVar("PN", True) - ptest_path = d.getVar("PTEST_PATH", True) - cargo_test_binaries_file = d.getVar('CARGO_TEST_BINARIES_FILES', True) + dest_dir = d.getVar("D") + pn = d.getVar("PN") + ptest_path = d.getVar("PTEST_PATH") + cargo_test_binaries_file = d.getVar('CARGO_TEST_BINARIES_FILES') rust_test_args = d.getVar('RUST_TEST_ARGS') or "" ptest_dir = os.path.join(dest_dir, ptest_path.lstrip('/')) -- 2.34.1 ^ permalink raw reply related [flat|nested] 13+ messages in thread
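Review bot: in do_install_ptest_cargo, ptest_path goes straight into ptest_path.lstrip('/') while the RUST_TEST_ARGS lookup on the neighbouring line is guarded with or "". If PTEST_PATH is unset, getVar returns None and the task dies with an AttributeError instead of a readable bb.fatal message. Since these lines are being touched anyway, fail explicitly when PTEST_PATH or CARGO_TEST_BINARIES_FILES is empty. Dropping the True argument itself is behaviour-neutral, because expand already defaults to True in getVar; one sentence saying so in the commit message would save readers from following the link.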
* [OE-core][scarthgap 7/7] xz: Update LICENSE variable for xz packages 2024-07-09 19:29 [OE-core][scarthgap 0/7] Patch review Steve Sakoman ` (5 preceding siblings ...) 2024-07-09 19:29 ` [OE-core][scarthgap 6/7] cargo: remove True option to getVar calls Steve Sakoman @ 2024-07-09 19:30 ` Steve Sakoman 6 siblings, 0 replies; 13+ messages in thread From: Steve Sakoman @ 2024-07-09 19:30 UTC (permalink / raw) To: openembedded-core From: aszh07 <mail2szahir@gmail.com> Update LICENSE defined for xz packages to match the license information provided in the xz COPYING file. The License information from PACKAGERS file of xz mentions packages with lzma files are in public domain.They ask to use GPLv2+, if only it's not possible to mention "PD and GPLv2+". Include PD license with GPLv2 to packages with lzma content: xz-dev package contains lzma header xz-doc package contains lzma man pages xz packages contains lzma binaries Links: https://github.com/tukaani-project/xz/blob/v5.4.6/COPYING https://github.com/tukaani-project/xz/blob/v5.4.6/PACKAGERS Signed-off-by: Bhabu Bindu <bindu.bhabu@kpit.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 4e5b955def5d9f305f5aba2c68b73287c03fd163) Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-extended/xz/xz_5.4.6.bb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/meta/recipes-extended/xz/xz_5.4.6.bb b/meta/recipes-extended/xz/xz_5.4.6.bb index da3b75a10b..3f82e476bf 100644 --- a/meta/recipes-extended/xz/xz_5.4.6.bb +++ b/meta/recipes-extended/xz/xz_5.4.6.bb 
@@ -9,10 +9,10 @@ SECTION = "base" # libgnu, which appears to be used for DOS builds. So we're left with # GPL-2.0-or-later and PD. LICENSE = "GPL-2.0-or-later & GPL-3.0-with-autoconf-exception & LGPL-2.1-or-later & PD" -LICENSE:${PN} = "GPL-2.0-or-later" -LICENSE:${PN}-dev = "GPL-2.0-or-later" +LICENSE:${PN} = "PD & GPL-2.0-or-later" +LICENSE:${PN}-dev = "PD & GPL-2.0-or-later" LICENSE:${PN}-staticdev = "GPL-2.0-or-later" -LICENSE:${PN}-doc = "GPL-2.0-or-later" +LICENSE:${PN}-doc = "PD & GPL-2.0-or-later" LICENSE:${PN}-dbg = "GPL-2.0-or-later" LICENSE:${PN}-locale = "GPL-2.0-or-later" LICENSE:liblzma = "PD" -- 2.34.1 ^ permalink raw reply related [flat|nested] 13+ messages in thread
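Review bot: LICENSE:${PN}-dbg and LICENSE:${PN}-staticdev stay "GPL-2.0-or-later" while ${PN} and ${PN}-dev become "PD & GPL-2.0-or-later". The -dbg package carries debug data for the same binaries, so either update it too or state in the commit message why it is out of scope. The new values also put PD first, whereas the recipe-level LICENSE line just above lists PD last; pick one order so the per-package values are easy to compare with it.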
* [OE-core][scarthgap 0/7] Patch review
@ 2025-02-18 21:15 Steve Sakoman
0 siblings, 0 replies; 13+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:15 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, February 20
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1037
The following changes since commit 61880aac34ff408a8bc5060c6140bfd086b27524:
base-files: Drop /bin/sh dependency (2025-02-11 05:51:35 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 5.0.7
Divya Chellam (1):
vim: Upgrade 9.1.0764 -> 9.1.1043
Johannes Schneider (1):
ppp: Revert lock path to /var/lock
Oleksandr Hnatiuk (1):
icu: remove host references in nativesdk to fix reproducibility
Peter Marko (3):
subversion: ignore CVE-2024-45720
gnutls: patch CVE-2024-12243
openssl: upgrade 3.2.3 -> 3.2.4
...ke-history-reporting-when-test-fails.patch | 40 +-
...1-Configure-do-not-tweak-mips-cflags.patch | 2 +-
...sysroot-and-debug-prefix-map-from-co.patch | 4 +-
.../openssl/openssl/CVE-2024-13176.patch | 126 --
.../openssl/openssl/CVE-2024-9143.patch | 202 ---
.../{openssl_3.2.3.bb => openssl_3.2.4.bb} | 4 +-
...001-Revert-lock-path-to-var-lock-435.patch | 63 +
meta/recipes-connectivity/ppp/ppp_2.5.0.bb | 1 +
.../subversion/subversion_1.14.3.bb | 2 +
.../gnutls/gnutls/CVE-2024-12243.patch | 1149 +++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
meta/recipes-support/icu/icu_74-2.bb | 33 +-
meta/recipes-support/vim/vim.inc | 4 +-
scripts/install-buildtools | 4 +-
14 files changed, 1268 insertions(+), 367 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
delete mode 100755 meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
rename meta/recipes-connectivity/openssl/{openssl_3.2.3.bb => openssl_3.2.4.bb} (98%)
create mode 100644 meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch
--
2.43.0
^ permalink raw reply [flat|nested] 13+ messages in thread
* [OE-core][scarthgap 0/7] Patch review
@ 2025-05-06 15:13 Steve Sakoman
0 siblings, 0 replies; 13+ messages in thread
From: Steve Sakoman @ 2025-05-06 15:13 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, May 8
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1529
The following changes since commit 00dd4901e364d16d96cfab864823a9cfdd336eeb:
Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR" (2025-04-29 10:21:16 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Ashish Sharma (1):
libsoup: patch CVE-2025-46420
Deepesh Varatharajan (2):
glibc: stable 2.39 branch updates
binutils: stable 2.42 branch updates
Jeroen Hofstee (2):
bluez5: make media control a PACKAGECONFIG option
bluez5: backport a patch to fix btmgmt -i
Peter Marko (1):
sqlite3: mark CVE-2025-29087 as patched
Soumya Sambu (1):
elfutils: Fix CVE-2025-1371
meta/recipes-connectivity/bluez5/bluez5.inc | 3 +
...ndex-option-for-non-interactive-mode.patch | 29 +++++++++
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../binutils/binutils-2.42.inc | 2 +-
.../elfutils/elfutils_0.191.bb | 1 +
.../elfutils/files/CVE-2025-1371.patch | 41 +++++++++++++
.../libsoup-3.4.4/CVE-2025-46420.patch | 60 +++++++++++++++++++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 +
.../sqlite/sqlite3/CVE-2025-3277.patch | 1 +
9 files changed, 138 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/toolsbtmgmt-fix-index-option-for-non-interactive-mode.patch
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1371.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46420.patch
--
2.43.0
^ permalink raw reply [flat|nested] 13+ messages in thread
* [OE-core][scarthgap 0/7] Patch review
@ 2025-05-21 14:59 Steve Sakoman
0 siblings, 0 replies; 13+ messages in thread
From: Steve Sakoman @ 2025-05-21 14:59 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Friday, May 23
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1625
The following changes since commit b214cc84a922f7a3fb7ebbc501189ce25e8bd2bd:
glibc-y2038-tests: remove glibc-y2038-tests_2.39.bb recipe (2025-05-15 09:42:55 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Ashish Sharma (1):
libsoup-2.4: Fix CVE-2025-46420
Nguyen Dat Tho (1):
libatomic-ops: Update GITHUB_BASE_URI
Praveen Kumar (2):
connman :fix CVE-2025-32366
glib-2.0: fix CVE-2025-4373
Sunil Dora (1):
binutils: Fix CVE-2025-1153
Vijay Anusuri (1):
openssh: Fix for CVE-2025-32728
Vyacheslav Yurkov (1):
systemd: Password agents shouldn't be optional
.../connman/connman/CVE-2025-32366.patch | 41 +
.../connman/connman_1.42.bb | 1 +
.../openssh/openssh/CVE-2025-32728.patch | 44 +
.../openssh/openssh_9.6p1.bb | 1 +
.../glib-2.0/glib-2.0/CVE-2025-4373-01.patch | 120 +
.../glib-2.0/glib-2.0/CVE-2025-4373-02.patch | 29 +
meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
meta/recipes-core/systemd/systemd_255.18.bb | 10 -
.../binutils/binutils-2.42.inc | 3 +
.../binutils/0019-CVE-2025-1153-1.patch | 3207 ++++++++++++++
.../binutils/0020-CVE-2025-1153-2.patch | 840 ++++
.../binutils/0021-CVE-2025-1153-3.patch | 3756 +++++++++++++++++
.../libatomic-ops/libatomic-ops_7.8.2.bb | 4 +-
.../libsoup/libsoup-2.4/CVE-2025-46420.patch | 60 +
.../libsoup/libsoup-2.4_2.74.3.bb | 1 +
15 files changed, 8107 insertions(+), 12 deletions(-)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0019-CVE-2025-1153-1.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0020-CVE-2025-1153-2.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0021-CVE-2025-1153-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch
--
2.43.0
^ permalink raw reply [flat|nested] 13+ messages in thread
* [OE-core][scarthgap 0/7] Patch review
@ 2025-11-04 14:47 Steve Sakoman
0 siblings, 0 replies; 13+ messages in thread
From: Steve Sakoman @ 2025-11-04 14:47 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, November 6
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2676
The following changes since commit 4cb834388759540ea5bf7265389b9f1b2e15333a:
bind: upgrade 9.18.33 -> 9.18.41 (2025-10-29 07:13:09 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Bastian Krause (1):
util-linux: fix pointer usage in hwclock param handling
Michael Haener (1):
Remove empty file
Peter Marko (4):
wpa-supplicant: patch CVE-2025-24912
binutils: patch CVE-2025-11414
binutils: patch CVE-2025-11412
binutils: patch CVE-2025-11413
Yannic Moog (1):
perf: add arm64 source files for unistd_64.h
.../wpa-supplicant/CVE-2025-24912-01.patch | 79 +++++++++++++++++
.../wpa-supplicant/CVE-2025-24912-02.patch | 70 ++++++++++++++++
.../wpa-supplicant/wpa-supplicant_2.10.bb | 2 +
meta/recipes-core/util-linux/util-linux.inc | 1 +
...-utils-hwclock-rtc-fix-pointer-usage.patch | 27 ++++++
.../binutils/binutils-2.42.inc | 3 +
.../binutils/binutils/CVE-2025-11412.patch | 35 ++++++++
.../binutils/binutils/CVE-2025-11413.patch | 38 +++++++++
.../binutils/binutils/CVE-2025-11414.patch | 84 +++++++++++++++++++
meta/recipes-kernel/perf/perf.bb | 3 +-
test | 0
11 files changed, 341 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
create mode 100644 meta/recipes-core/util-linux/util-linux/sys-utils-hwclock-rtc-fix-pointer-usage.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
delete mode 100644 test
--
2.43.0
^ permalink raw reply [flat|nested] 13+ messages in thread
* [OE-core][scarthgap 0/7] Patch review
@ 2025-12-12 15:39 Steve Sakoman
0 siblings, 0 replies; 13+ messages in thread
From: Steve Sakoman @ 2025-12-12 15:39 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, December 16
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2849
The following changes since commit ef198b0c6063ede32cb93fe44eb89937c076a073:
curl: Ensure 'CURL_CA_BUNDLE' from host env is indeed respected (2025-12-05 07:08:31 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Daniel Turull (1):
classes/create-spdx-2.2: Define SPDX_VERSION to 2.2
Hitendra Prajapati (1):
libxml2: Security fix for CVE-2025-7425
Peter Marko (3):
libpng: patch CVE-2025-66293
libmicrohttpd: disable experimental code by default
Revert "lib/oe/go: document map_arch, and raise an error on unknown
architecture"
Vijay Anusuri (2):
libssh2: upgrade 1.11.0 -> 1.11.1
libssh2: fix regression in KEX method validation (GH-1553)
meta/classes/create-spdx-2.2.bbclass | 2 +
meta/lib/oe/go.py | 6 +-
.../libxml/libxml2/CVE-2025-7425.patch | 802 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 +
.../libpng/files/CVE-2025-66293-01.patch | 60 ++
.../libpng/files/CVE-2025-66293-02.patch | 125 +++
.../libpng/libpng_1.6.42.bb | 2 +
.../libmicrohttpd/libmicrohttpd_1.0.1.bb | 4 +
...rror-if-user-KEX-methods-are-invalid.patch | 73 ++
.../libssh2/libssh2/CVE-2023-48795.patch | 466 ----------
.../{libssh2_1.11.0.bb => libssh2_1.11.1.bb} | 6 +-
11 files changed, 1073 insertions(+), 474 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
create mode 100644 meta/recipes-support/libssh2/libssh2/0001-Return-error-if-user-KEX-methods-are-invalid.patch
delete mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
rename meta/recipes-support/libssh2/{libssh2_1.11.0.bb => libssh2_1.11.1.bb} (87%)
--
2.43.0
^ permalink raw reply [flat|nested] 13+ messages in thread