[OE-core][scarthgap 00/21] Patch review

[OE-core][scarthgap 00/21] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Wednesday, May 22

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6937

The following changes since commit 294a7dbe44f6b7c8d3a1de8c2cc182af37c4f916:

  build-appliance-image: Update to scarthgap head revision (2024-05-09 04:47:57 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Adriaan Schmidt (1):
  libcgroup_3.1.0: fix build on non-systemd systems

Jose Quaresma (2):
  go: Drop the linkmode completely
  Revert "goarch: disable dynamic linking globally"

Kai Kang (1):
  webkitgtk: 2.44.0 -> 2.44.1

Martin Hundebøll (1):
  classes: image_types: apply EXTRA_IMAGECMD:squashfs* in
    oe_mksquashfs()

Mingli Yu (1):
  ncurses: Fix CVE-2023-50495

Peter Marko (6):
  openssl: patch CVE-2024-4603
  glib-2.0: Upgrade 2.78.4 -> 2.78.5
  glib-2.0: Upgrade 2.78.5 -> 2.78.6
  glibc: Update to latest on stable 2.39 branch
  glibc: Update to latest on stable 2.39 branch
  glibc: correct license

Ralph Siemsen (1):
  uboot-sign: fix loop in do_uboot_assemble_fitimage

Ross Burton (3):
  lib/oe/package-manager: allow including self in create_packages_dir
  selftest/classes: add localpkgfeed class
  oeqa/selftest/debuginfod: use localpkgfeed to speed server startup

Sven Schwermer (2):
  recipetool: Handle unclean response in go resolver
  recipetool: Handle several go-import tags in go resolver

Trevor Gamblin (1):
  patchtest: test_metadata: fix invalid escape sequences

Wang Mingyu (1):
  llvm: upgrade 18.1.2 -> 18.1.3

Zev Weiss (1):
  bash: Fix file-substitution error-handling bug

 meta-selftest/classes/localpkgfeed.bbclass    |  27 ++
 meta/classes-recipe/go.bbclass                |   2 -
 meta/classes-recipe/goarch.bbclass            |  14 +-
 meta/classes-recipe/image_types.bbclass       |  20 +-
 meta/classes-recipe/uboot-sign.bbclass        |   2 +-
 meta/lib/oe/package_manager/__init__.py       |   9 +-
 meta/lib/oeqa/selftest/cases/debuginfod.py    |  14 +-
 meta/lib/patchtest/tests/test_metadata.py     |   4 +-
 .../openssl/openssl/CVE-2024-4603.patch       | 179 +++++++++++
 .../openssl/openssl_3.2.1.bb                  |   1 +
 .../glib-2.0/glib-2.0/fix-regex.patch         |  54 ----
 ...{glib-2.0_2.78.4.bb => glib-2.0_2.78.6.bb} |   3 +-
 meta/recipes-core/glibc/glibc-common.inc      |   2 +-
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 ...y-the-header-between-arm-and-aarch64.patch |  47 ++-
 ...e-Pass-mcpu-along-with-march-to-dete.patch |  62 ----
 ...ss.patch => 0023-qemu-stale-process.patch} |   0
 meta/recipes-core/glibc/glibc_2.39.bb         |   7 +-
 ...akefile-install-systemd.h-by-default.patch |  37 +++
 .../recipes-core/libcgroup/libcgroup_3.1.0.bb |   1 +
 .../ncurses/files/CVE-2023-50495.patch        | 301 ++++++++++++++++++
 meta/recipes-core/ncurses/ncurses_6.4.bb      |   1 +
 meta/recipes-devtools/go/go-runtime.inc       |   2 +-
 ...r-sort-ClassInfo-lists-by-name-as-we.patch |   6 +-
 .../bash/bash/fix-filesubst-errexit.patch     |  34 ++
 meta/recipes-extended/bash/bash_5.2.21.bb     |   1 +
 ...af379dc70b4b1a63b01d67179eb431f03ac4.patch |  38 ---
 ...ebkitgtk_2.44.0.bb => webkitgtk_2.44.1.bb} |   3 +-
 scripts/lib/recipetool/create_go.py           |  34 +-
 29 files changed, 685 insertions(+), 222 deletions(-)
 create mode 100644 meta-selftest/classes/localpkgfeed.bbclass
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
 delete mode 100644 meta/recipes-core/glib-2.0/glib-2.0/fix-regex.patch
 rename meta/recipes-core/glib-2.0/{glib-2.0_2.78.4.bb => glib-2.0_2.78.6.bb} (95%)
 delete mode 100644 meta/recipes-core/glibc/glibc/0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch
 rename meta/recipes-core/glibc/glibc/{0024-qemu-stale-process.patch => 0023-qemu-stale-process.patch} (100%)
 create mode 100644 meta/recipes-core/libcgroup/libcgroup/0001-include-Makefile-install-systemd.h-by-default.patch
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-50495.patch
 create mode 100644 meta/recipes-extended/bash/bash/fix-filesubst-errexit.patch
 delete mode 100644 meta/recipes-sato/webkit/webkitgtk/2922af379dc70b4b1a63b01d67179eb431f03ac4.patch
 rename meta/recipes-sato/webkit/{webkitgtk_2.44.0.bb => webkitgtk_2.44.1.bb} (98%)

-- 
2.34.1

[OE-core][scarthgap 01/21] ncurses: Fix CVE-2023-50495

[Steve Sakoman]

From: Mingli Yu <mingli.yu@windriver.com>

Backport a patch [1] to fix CVE-2023-50495.

[1] http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=7723dd6799ab10b32047ec73b14df9f107bafe99

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit bdf7b7460a4816e3d447264730a2814209667fb0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ncurses/files/CVE-2023-50495.patch        | 301 ++++++++++++++++++
 meta/recipes-core/ncurses/ncurses_6.4.bb      |   1 +
 2 files changed, 302 insertions(+)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-50495.patch

diff --git a/meta/recipes-core/ncurses/files/CVE-2023-50495.patch b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
new file mode 100644
index 0000000000..7d90ddd30f
--- /dev/null
+++ b/meta/recipes-core/ncurses/files/CVE-2023-50495.patch
@@ -0,0 +1,301 @@
+From 7daae3f2139a678fe0ae0b42fcf8d807cbff485c Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Sun, 4 Feb 2024 13:42:38 +0800
+Subject: [PATCH] parse_entry.c: check return value of _nc_save_str
+
+* check return value of _nc_save_str(), in special case for tic where
+extended capabilities are processed but the terminal description was
+not initialized (report by Ziqiao Kong).
+
+* regenerate llib-* files.
+
+CVE: CVE-2023-50495
+
+Upstream-Status: Backport [http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=7723dd6799ab10b32047ec73b14df9f107bafe99]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ ncurses/llib-lncurses       | 15 +++++++++++++++
+ ncurses/llib-lncursest      | 15 +++++++++++++++
+ ncurses/llib-lncursestw     | 15 +++++++++++++++
+ ncurses/llib-lncursesw      | 15 +++++++++++++++
+ ncurses/llib-ltinfo         | 15 +++++++++++++++
+ ncurses/llib-ltinfot        | 15 +++++++++++++++
+ ncurses/llib-ltinfotw       | 15 +++++++++++++++
+ ncurses/llib-ltinfow        | 15 +++++++++++++++
+ ncurses/tinfo/parse_entry.c | 23 ++++++++++++++++-------
+ 9 files changed, 136 insertions(+), 7 deletions(-)
+
+diff --git a/ncurses/llib-lncurses b/ncurses/llib-lncurses
+index 211cf3b7..e4190aa2 100644
+--- a/ncurses/llib-lncurses
++++ b/ncurses/llib-lncurses
+@@ -3656,6 +3656,21 @@ char	*tiparm(
+ 		...)
+ 		{ return(*(char **)0); }
+ 
++#undef tiparm_s
++char	*tiparm_s(
++		int	num_expected,
++		int	tparm_type,
++		const char *string,
++		...)
++		{ return(*(char **)0); }
++
++#undef tiscan_s
++int	tiscan_s(
++		int	*num_expected,
++		int	*tparm_type,
++		const char *string)
++		{ return(*(int *)0); }
++
+ #undef _nc_tiparm
+ char	*_nc_tiparm(
+ 		int	expected,
+diff --git a/ncurses/llib-lncursest b/ncurses/llib-lncursest
+index 1b09d676..e07abba6 100644
+--- a/ncurses/llib-lncursest
++++ b/ncurses/llib-lncursest
+@@ -3741,6 +3741,21 @@ char	*tiparm(
+ 		...)
+ 		{ return(*(char **)0); }
+ 
++#undef tiparm_s
++char	*tiparm_s(
++		int	num_expected,
++		int	tparm_type,
++		const char *string,
++		...)
++		{ return(*(char **)0); }
++
++#undef tiscan_s
++int	tiscan_s(
++		int	*num_expected,
++		int	*tparm_type,
++		const char *string)
++		{ return(*(int *)0); }
++
+ #undef _nc_tiparm
+ char	*_nc_tiparm(
+ 		int	expected,
+diff --git a/ncurses/llib-lncursestw b/ncurses/llib-lncursestw
+index 4576e0fc..747c6be8 100644
+--- a/ncurses/llib-lncursestw
++++ b/ncurses/llib-lncursestw
+@@ -4702,6 +4702,21 @@ char	*tiparm(
+ 		...)
+ 		{ return(*(char **)0); }
+ 
++#undef tiparm_s
++char	*tiparm_s(
++		int	num_expected,
++		int	tparm_type,
++		const char *string,
++		...)
++		{ return(*(char **)0); }
++
++#undef tiscan_s
++int	tiscan_s(
++		int	*num_expected,
++		int	*tparm_type,
++		const char *string)
++		{ return(*(int *)0); }
++
+ #undef _nc_tiparm
+ char	*_nc_tiparm(
+ 		int	expected,
+diff --git a/ncurses/llib-lncursesw b/ncurses/llib-lncursesw
+index 127350d2..862305d9 100644
+--- a/ncurses/llib-lncursesw
++++ b/ncurses/llib-lncursesw
+@@ -4617,6 +4617,21 @@ char	*tiparm(
+ 		...)
+ 		{ return(*(char **)0); }
+ 
++#undef tiparm_s
++char	*tiparm_s(
++		int	num_expected,
++		int	tparm_type,
++		const char *string,
++		...)
++		{ return(*(char **)0); }
++
++#undef tiscan_s
++int	tiscan_s(
++		int	*num_expected,
++		int	*tparm_type,
++		const char *string)
++		{ return(*(int *)0); }
++
+ #undef _nc_tiparm
+ char	*_nc_tiparm(
+ 		int	expected,
+diff --git a/ncurses/llib-ltinfo b/ncurses/llib-ltinfo
+index a5cd7cd3..31e5e9a6 100644
+--- a/ncurses/llib-ltinfo
++++ b/ncurses/llib-ltinfo
+@@ -927,6 +927,21 @@ char	*tiparm(
+ 		...)
+ 		{ return(*(char **)0); }
+ 
++#undef tiparm_s
++char	*tiparm_s(
++		int	num_expected,
++		int	tparm_type,
++		const char *string,
++		...)
++		{ return(*(char **)0); }
++
++#undef tiscan_s
++int	tiscan_s(
++		int	*num_expected,
++		int	*tparm_type,
++		const char *string)
++		{ return(*(int *)0); }
++
+ #undef _nc_tiparm
+ char	*_nc_tiparm(
+ 		int	expected,
+diff --git a/ncurses/llib-ltinfot b/ncurses/llib-ltinfot
+index bd3de812..48e5c25a 100644
+--- a/ncurses/llib-ltinfot
++++ b/ncurses/llib-ltinfot
+@@ -1003,6 +1003,21 @@ char	*tiparm(
+ 		...)
+ 		{ return(*(char **)0); }
+ 
++#undef tiparm_s
++char	*tiparm_s(
++		int	num_expected,
++		int	tparm_type,
++		const char *string,
++		...)
++		{ return(*(char **)0); }
++
++#undef tiscan_s
++int	tiscan_s(
++		int	*num_expected,
++		int	*tparm_type,
++		const char *string)
++		{ return(*(int *)0); }
++
+ #undef _nc_tiparm
+ char	*_nc_tiparm(
+ 		int	expected,
+diff --git a/ncurses/llib-ltinfotw b/ncurses/llib-ltinfotw
+index 4d35a1e1..64dfdfa5 100644
+--- a/ncurses/llib-ltinfotw
++++ b/ncurses/llib-ltinfotw
+@@ -1025,6 +1025,21 @@ char	*tiparm(
+ 		...)
+ 		{ return(*(char **)0); }
+ 
++#undef tiparm_s
++char	*tiparm_s(
++		int	num_expected,
++		int	tparm_type,
++		const char *string,
++		...)
++		{ return(*(char **)0); }
++
++#undef tiscan_s
++int	tiscan_s(
++		int	*num_expected,
++		int	*tparm_type,
++		const char *string)
++		{ return(*(int *)0); }
++
+ #undef _nc_tiparm
+ char	*_nc_tiparm(
+ 		int	expected,
+diff --git a/ncurses/llib-ltinfow b/ncurses/llib-ltinfow
+index db846764..7e17a35f 100644
+--- a/ncurses/llib-ltinfow
++++ b/ncurses/llib-ltinfow
+@@ -949,6 +949,21 @@ char	*tiparm(
+ 		...)
+ 		{ return(*(char **)0); }
+ 
++#undef tiparm_s
++char	*tiparm_s(
++		int	num_expected,
++		int	tparm_type,
++		const char *string,
++		...)
++		{ return(*(char **)0); }
++
++#undef tiscan_s
++int	tiscan_s(
++		int	*num_expected,
++		int	*tparm_type,
++		const char *string)
++		{ return(*(int *)0); }
++
+ #undef _nc_tiparm
+ char	*_nc_tiparm(
+ 		int	expected,
+diff --git a/ncurses/tinfo/parse_entry.c b/ncurses/tinfo/parse_entry.c
+index 14bcb67e..0a0b5637 100644
+--- a/ncurses/tinfo/parse_entry.c
++++ b/ncurses/tinfo/parse_entry.c
+@@ -110,7 +110,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+ 	/* Well, we are given a cancel for a name that we don't recognize */
+ 	return _nc_extend_names(entryp, name, STRING);
+     default:
+-	return 0;
++	return NULL;
+     }
+ 
+     /* Adjust the 'offset' (insertion-point) to keep the lists of extended
+@@ -142,6 +142,11 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+ 	for (last = (unsigned) (max - 1); last > tindex; last--)
+ 
+     if (!found) {
++	char *saved;
++
++	if ((saved = _nc_save_str(name)) == NULL)
++	    return NULL;
++
+ 	switch (token_type) {
+ 	case BOOLEAN:
+ 	    tp->ext_Booleans++;
+@@ -169,7 +174,7 @@ _nc_extend_names(ENTRY * entryp, const char *name, int token_type)
+ 	TYPE_REALLOC(char *, actual, tp->ext_Names);
+ 	while (--actual > offset)
+ 	    tp->ext_Names[actual] = tp->ext_Names[actual - 1];
+-	tp->ext_Names[offset] = _nc_save_str(name);
++	tp->ext_Names[offset] = saved;
+     }
+ 
+     temp.nte_name = tp->ext_Names[offset];
+@@ -364,6 +369,8 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+ 	bool is_use = (strcmp(_nc_curr_token.tk_name, "use") == 0);
+ 	bool is_tc = !is_use && (strcmp(_nc_curr_token.tk_name, "tc") == 0);
+ 	if (is_use || is_tc) {
++	    char *saved;
++
+ 	    if (!VALID_STRING(_nc_curr_token.tk_valstring)
+ 		|| _nc_curr_token.tk_valstring[0] == '\0') {
+ 		_nc_warning("missing name for use-clause");
+@@ -377,11 +384,13 @@ _nc_parse_entry(ENTRY * entryp, int literal, bool silent)
+ 			    _nc_curr_token.tk_valstring);
+ 		continue;
+ 	    }
+-	    entryp->uses[entryp->nuses].name = _nc_save_str(_nc_curr_token.tk_valstring);
+-	    entryp->uses[entryp->nuses].line = _nc_curr_line;
+-	    entryp->nuses++;
+-	    if (entryp->nuses > 1 && is_tc) {
+-		BAD_TC_USAGE
++	    if ((saved = _nc_save_str(_nc_curr_token.tk_valstring)) != NULL) {
++			entryp->uses[entryp->nuses].name = saved;
++			entryp->uses[entryp->nuses].line = _nc_curr_line;
++			entryp->nuses++;
++			if (entryp->nuses > 1 && is_tc) {
++			    BAD_TC_USAGE
++		    }
+ 	    }
+ 	} else {
+ 	    /* normal token lookup */
+-- 
+2.25.1
+
diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4.bb
index 2c621525f9..31f18bbadc 100644
--- a/meta/recipes-core/ncurses/ncurses_6.4.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.4.bb
@@ -6,6 +6,7 @@ SRC_URI += "file://0001-tic-hang.patch \
            file://exit_prototype.patch \
            file://0001-Fix-CVE-2023-29491.patch \
            file://0001-Updating-reset-code-ncurses-6.4-patch-20231104.patch \
+           file://CVE-2023-50495.patch \
            "
 # commit id corresponds to the revision in package version
 SRCREV = "79b9071f2be20a24c7be031655a5638f6032f29f"
-- 
2.34.1

[OE-core][scarthgap 02/21] openssl: patch CVE-2024-4603

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Advisory: https://github.com/advisories/GHSA-85xr-ghj6-6m46

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssl/openssl/CVE-2024-4603.patch       | 179 ++++++++++++++++++
 .../openssl/openssl_3.2.1.bb                  |   1 +
 2 files changed, 180 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
new file mode 100644
index 0000000000..50fb969c03
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
@@ -0,0 +1,179 @@
+From da343d0605c826ef197aceedc67e8e04f065f740 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Wed, 8 May 2024 15:23:45 +0200
+Subject: [PATCH] Check DSA parameters for excessive sizes before validating
+
+This avoids overly long computation of various validation
+checks.
+
+Fixes CVE-2024-4603
+
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/24346)
+
+(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
+
+<dropped CHANGES.md modifications as it would need backport of all previous changes>
+
+CVE: CVE-2024-4603
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/da343d0605c826ef197aceedc67e8e04f065f740]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ crypto/dsa/dsa_check.c                        | 44 ++++++++++++--
+ .../invalid/p10240_q256_too_big.pem           | 57 +++++++++++++++++++
+ 2 files changed, 97 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
+index fb0e9129a2..122449a7bf 100644
+--- a/crypto/dsa/dsa_check.c
++++ b/crypto/dsa/dsa_check.c
+@@ -19,8 +19,34 @@
+ #include "dsa_local.h"
+ #include "crypto/dsa.h"
+ 
++static int dsa_precheck_params(const DSA *dsa, int *ret)
++{
++    if (dsa->params.p == NULL || dsa->params.q == NULL) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
++        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
++        *ret = FFC_CHECK_INVALID_PQ;
++        return 0;
++    }
++
++    return 1;
++}
++
+ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
+         return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
+                                                FFC_PARAM_TYPE_DSA, ret);
+@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+  */
+ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
+            && *ret == 0;
+ }
+@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+  */
+ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
+     return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
+            && *ret == 0;
+ }
+@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)
+ {
+     *ret = 0;
+ 
+-    return (dsa->params.q != NULL
+-            && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
++    if (!dsa_precheck_params(dsa, ret))
++        return 0;
++
++    return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
+ }
+ 
+ /*
+@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
+     BN_CTX *ctx = NULL;
+     BIGNUM *pub_key = NULL;
+ 
+-    if (dsa->params.p == NULL
+-        || dsa->params.g == NULL
++    if (!dsa_precheck_params(dsa, &ret))
++        return 0;
++
++    if (dsa->params.g == NULL
+         || dsa->priv_key == NULL
+         || dsa->pub_key == NULL)
+         return 0;
+diff --git a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+new file mode 100644
+index 0000000000..e85e2953b7
+--- /dev/null
++++ b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+@@ -0,0 +1,57 @@
++-----BEGIN DSA PARAMETERS-----
++MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
++p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
++XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
++x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
++oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
++dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
++Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
++pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
++P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
++hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
++UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
++koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
++TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
++RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
++4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
++c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
++cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
++DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
++Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
++rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
++PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
++UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
++5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
++wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
++R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
++xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
++0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
++uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
++9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
++TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
++gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
++ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
++R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
++F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
++SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
+++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
++UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
++fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
++qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
++B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
++hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
++4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
++vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
++k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
++i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
++9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
++ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
++Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
++KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
++x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
++XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
++YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
++ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
++4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
++vKuje86bePD6kD/LH3wmkA==
++-----END DSA PARAMETERS-----
+-- 
+2.30.2
+
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb
index d37b68abbb..9bdf7e1ec6 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://0001-Added-handshake-history-reporting-when-test-fails.patch \
            file://bti.patch \
            file://CVE-2024-2511.patch \
+           file://CVE-2024-4603.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
-- 
2.34.1

[OE-core][scarthgap 03/21] glib-2.0: Upgrade 2.78.4 -> 2.78.5

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Handle CVE-2024-34397

Remove backported patch included in this release.

News (https://gitlab.gnome.org/GNOME/glib/-/commit/d18807b5ffc6dedc2db5225b044063f65720bf56):
Overview of changes in GLib 2.78.5, 2024-05-07
==============================================
* Fix CVE-2024-34397: GDBus signal subscriptions for well-known names are
  vulnerable to unicast spoofing (#3268, work by Simon McVittie, reported by
  Alicia Boya García)
* Bugs fixed:
  - #3168 gvfs-udisks2-volume-monitor SIGSEGV in g_content_type_guess_for_tree()
    due to filename with bad encoding (Ondrej Holy)
  - #3268 CVE-2024-34397: GDBus signal subscriptions for well-known names are
    vulnerable to unicast spoofing (Simon McVittie)
  - !3825 glib-2-78: ci: Drop FreeBSD 12 CI runner as it’s EOL
  - !3960 gcontenttype: Make filename valid utf-8 string before processing
  - !4040 Backport !4038 “gdbusconnection: Don't deliver signals if the sender
    doesn't match” to glib-2-78
  - !4043 CI: Ignore MSYS2 CI failures for this older stable-branch
* Translation updates:
  - English (United Kingdom) (Andi Chandler)
  - Georgian (Ekaterine Papava)
  - Portuguese (Brazil) (Juliano de Souza Camargo)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../glib-2.0/glib-2.0/fix-regex.patch         | 54 -------------------
 ...{glib-2.0_2.78.4.bb => glib-2.0_2.78.5.bb} |  3 +-
 2 files changed, 1 insertion(+), 56 deletions(-)
 delete mode 100644 meta/recipes-core/glib-2.0/glib-2.0/fix-regex.patch
 rename meta/recipes-core/glib-2.0/{glib-2.0_2.78.4.bb => glib-2.0_2.78.5.bb} (95%)

diff --git a/meta/recipes-core/glib-2.0/glib-2.0/fix-regex.patch b/meta/recipes-core/glib-2.0/glib-2.0/fix-regex.patch
deleted file mode 100644
index bdfbd55899..0000000000
--- a/meta/recipes-core/glib-2.0/glib-2.0/fix-regex.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From cce3ae98a2c1966719daabff5a4ec6cf94a846f6 Mon Sep 17 00:00:00 2001
-From: Philip Withnall <pwithnall@gnome.org>
-Date: Mon, 26 Feb 2024 16:55:44 +0000
-Subject: [PATCH] tests: Remove variable-length lookbehind tests for GRegex
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-PCRE2 10.43 has now introduced support for variable-length lookbehind,
-so these tests now fail if GLib is built against PCRE2 10.43 or higher.
-
-See
-https://github.com/PCRE2Project/pcre2/blob/e8db6fa7137f4c6f66cb87e0a3c9467252ec1ef7/ChangeLog#L94.
-
-Rather than making the tests conditional on the version of PCRE2 in use,
-just remove them. They are mostly testing the PCRE2 code rather than
-any code in GLib, so don’t have much value.
-
-This should fix CI runs on msys2-mingw32, which updated to PCRE2 10.43 2
-days ago.
-
-Signed-off-by: Philip Withnall <pwithnall@gnome.org>
-
-Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/cce3ae98a2c1966719daabff5a4ec6cf94a846f6]
-Signed-off-by: Alexander Kanavin <alex@linutronix.de>
----
- glib/tests/regex.c | 10 ----------
- 1 file changed, 10 deletions(-)
-
-diff --git a/glib/tests/regex.c b/glib/tests/regex.c
-index 1082526292..d7a698ec67 100644
---- a/glib/tests/regex.c
-+++ b/glib/tests/regex.c
-@@ -1885,16 +1885,6 @@ test_lookbehind (void)
-   g_match_info_free (match);
-   g_regex_unref (regex);
- 
--  regex = g_regex_new ("(?<!dogs?|cats?) x", G_REGEX_OPTIMIZE, G_REGEX_MATCH_DEFAULT, &error);
--  g_assert (regex == NULL);
--  g_assert_error (error, G_REGEX_ERROR, G_REGEX_ERROR_VARIABLE_LENGTH_LOOKBEHIND);
--  g_clear_error (&error);
--
--  regex = g_regex_new ("(?<=ab(c|de)) foo", G_REGEX_OPTIMIZE, G_REGEX_MATCH_DEFAULT, &error);
--  g_assert (regex == NULL);
--  g_assert_error (error, G_REGEX_ERROR, G_REGEX_ERROR_VARIABLE_LENGTH_LOOKBEHIND);
--  g_clear_error (&error);
--
-   regex = g_regex_new ("(?<=abc|abde)foo", G_REGEX_OPTIMIZE, G_REGEX_MATCH_DEFAULT, &error);
-   g_assert (regex);
-   g_assert_no_error (error);
--- 
-GitLab
-
-
diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.4.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.5.bb
similarity index 95%
rename from meta/recipes-core/glib-2.0/glib-2.0_2.78.4.bb
rename to meta/recipes-core/glib-2.0/glib-2.0_2.78.5.bb
index b1669ead75..d0aac737f7 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.4.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.5.bb
@@ -16,14 +16,13 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \
            file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
            file://0001-Switch-from-the-deprecated-distutils-module-to-the-p.patch \
            file://memory-monitor.patch \
-           file://fix-regex.patch \
            file://skip-timeout.patch \
            "
 SRC_URI:append:class-native = " file://relocate-modules.patch \ 
                                 file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
                               "
 
-SRC_URI[sha256sum] = "24b8e0672dca120cc32d394bccb85844e732e04fe75d18bb0573b2dbc7548f63"
+SRC_URI[sha256sum] = "39b26044bd44dc30f427202add4997f554723c30017e92ff36da4197a2c916aa"
 
 # Find any meson cross files in FILESPATH that are relevant for the current
 # build (using siteinfo) and add them to EXTRA_OEMESON.
-- 
2.34.1

[OE-core][scarthgap 04/21] glib-2.0: Upgrade 2.78.5 -> 2.78.6

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Handle regression of CVE-2024-34397 fix.

News (https://gitlab.gnome.org/GNOME/glib/-/commit/d40f72e98e4734ba826ba9a278814530720ba760):

Overview of changes in GLib 2.78.6, 2024-05-08
==============================================
* Fix a regression with IBus caused by the fix for CVE-2024-34397 (#3353,
  work by Simon McVittie)
* Bugs fixed:
  - #3353 Fixing CVE-2024-34397 caused regressions for ibus (Simon McVittie)
  - !4056 Backport !4053 “gdbusconnection: Allow name owners to have the syntax
    of a well-known name” to glib-2-78

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../glib-2.0/{glib-2.0_2.78.5.bb => glib-2.0_2.78.6.bb}         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/glib-2.0/{glib-2.0_2.78.5.bb => glib-2.0_2.78.6.bb} (96%)

diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.78.5.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
similarity index 96%
rename from meta/recipes-core/glib-2.0/glib-2.0_2.78.5.bb
rename to meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
index d0aac737f7..1a4278b1bc 100644
--- a/meta/recipes-core/glib-2.0/glib-2.0_2.78.5.bb
+++ b/meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb
@@ -22,7 +22,7 @@ SRC_URI:append:class-native = " file://relocate-modules.patch \
                                 file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
                               "
 
-SRC_URI[sha256sum] = "39b26044bd44dc30f427202add4997f554723c30017e92ff36da4197a2c916aa"
+SRC_URI[sha256sum] = "244854654dd82c7ebcb2f8e246156d2a05eb9cd1ad07ed7a779659b4602c9fae"
 
 # Find any meson cross files in FILESPATH that are relevant for the current
 # build (using siteinfo) and add them to EXTRA_OEMESON.
-- 
2.34.1

[OE-core][scarthgap 05/21] glibc: Update to latest on stable 2.39 branch

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Adresses CVE-2024-2961

Remove backported patch included in hash update.

Changes:
31da30f23c iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961)
423099a032 x86_64: Exclude SSE, AVX and FMA4 variants in libm multiarch
04df8652eb Apply the Makefile sorting fix
edb9a76e30 powerpc: Fix ld.so address determination for PCREL mode (bug 31640)
7b92f46f04 x86-64: Simplify minimum ISA check ifdef conditional with if
9883f4304c x86-64: Don't use SSE resolvers for ISA level 3 or above
9d92452c70 AArch64: Check kernel version for SVE ifuncs
395a89f61e aarch64: fix check for SVE support in assembler
b0e0a07018 aarch64/fpu: Sync libmvec routines from 2.39 and before with AOR
31c7d69af5 i386: Use generic memrchr in libc (bug 31316)
5d070d12b3 x86: Expand the comment on when REP STOSB is used on memset
6484a92698 x86: Do not prefer ERMS for memset on Zen3+
aa4249266e x86: Fix Zen3/Zen4 ERMS selection (BZ 30994)
5a461f2949 Add tst-gnu2-tls2mod1 to test-internal-extras
aded2fc004 elf: Enable TLS descriptor tests on aarch64
a8ba52bde5 arm: Update _dl_tlsdesc_dynamic to preserve caller-saved registers (BZ 31372)
15aebdbada Ignore undefined symbols for -mtls-dialect=gnu2
354cabcb26 x86-64: Allocate state buffer space for RDI, RSI and RBX
853e915fdd x86-64: Update _dl_tlsdesc_dynamic to preserve AMX registers
a364304718 x86: Update _dl_tlsdesc_dynamic to preserve caller-saved registers
7fc8242bf8 x86-64: Save APX registers in ld.so trampoline
983f34a125 LoongArch: Correct {__ieee754, _}_scalb -> {__ieee754, _}_scalbf
aad45c8ac3 powerpc: Placeholder and infrastructure/build support to add Power11 related changes.
ee7f4c54e1 powerpc: Add HWCAP3/HWCAP4 data to TCB for Power Architecture.
71fcdba577 linux: Use rseq area unconditionally in sched_getcpu (bug 31479)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8b0124782510389bdc376fab645a0920b3fb94c8)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/glibc/glibc-version.inc     |  2 +-
 ...e-Pass-mcpu-along-with-march-to-dete.patch | 62 -------------------
 ...ss.patch => 0023-qemu-stale-process.patch} |  0
 meta/recipes-core/glibc/glibc_2.39.bb         |  7 ++-
 4 files changed, 6 insertions(+), 65 deletions(-)
 delete mode 100644 meta/recipes-core/glibc/glibc/0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch
 rename meta/recipes-core/glibc/glibc/{0024-qemu-stale-process.patch => 0023-qemu-stale-process.patch} (100%)

diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 618a574566..4fc6986ffc 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.39/master"
 PV = "2.39+git"
-SRCREV_glibc ?= "1b9c1a0047fb26a65a9b2a7b8cd977243f7d353c"
+SRCREV_glibc ?= "31da30f23cddd36db29d5b6a1c7619361b271fb4"
 SRCREV_localedef ?= "fab74f31b3811df543e24b6de47efdf45b538abc"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
diff --git a/meta/recipes-core/glibc/glibc/0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch b/meta/recipes-core/glibc/glibc/0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch
deleted file mode 100644
index f6523c5498..0000000000
--- a/meta/recipes-core/glibc/glibc/0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 73c26018ed0ecd9c807bb363cc2c2ab4aca66a82 Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Wed, 13 Mar 2024 14:34:14 +0000
-Subject: [PATCH] aarch64: fix check for SVE support in assembler
-
-Due to GCC bug 110901 -mcpu can override -march setting when compiling
-asm code and thus a compiler targetting a specific cpu can fail the
-configure check even when binutils gas supports SVE.
-
-The workaround is that explicit .arch directive overrides both -mcpu
-and -march, and since that's what the actual SVE memcpy uses the
-configure check should use that too even if the GCC issue is fixed
-independently.
-
-Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=73c26018ed0ecd9c807bb363cc2c2ab4aca66a82]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
-Reviewed-by: Florian Weimer <fweimer@redhat.com>
----
- sysdeps/aarch64/configure    | 5 +++--
- sysdeps/aarch64/configure.ac | 5 +++--
- 2 files changed, 6 insertions(+), 4 deletions(-)
- mode change 100644 => 100755 sysdeps/aarch64/configure
-
-diff --git a/sysdeps/aarch64/configure b/sysdeps/aarch64/configure
-old mode 100644
-new mode 100755
-index ca57edce47..9606137e8d
---- a/sysdeps/aarch64/configure
-+++ b/sysdeps/aarch64/configure
-@@ -325,9 +325,10 @@ then :
-   printf %s "(cached) " >&6
- else $as_nop
-   cat > conftest.s <<\EOF
--        ptrue p0.b
-+	.arch armv8.2-a+sve
-+	ptrue p0.b
- EOF
--if { ac_try='${CC-cc} -c -march=armv8.2-a+sve conftest.s 1>&5'
-+if { ac_try='${CC-cc} -c conftest.s 1>&5'
-   { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5
-   (eval $ac_try) 2>&5
-   ac_status=$?
-diff --git a/sysdeps/aarch64/configure.ac b/sysdeps/aarch64/configure.ac
-index 27874eceb4..56d12d661d 100644
---- a/sysdeps/aarch64/configure.ac
-+++ b/sysdeps/aarch64/configure.ac
-@@ -90,9 +90,10 @@ LIBC_CONFIG_VAR([aarch64-variant-pcs], [$libc_cv_aarch64_variant_pcs])
- # Check if asm support armv8.2-a+sve
- AC_CACHE_CHECK([for SVE support in assembler], [libc_cv_aarch64_sve_asm], [dnl
- cat > conftest.s <<\EOF
--        ptrue p0.b
-+	.arch armv8.2-a+sve
-+	ptrue p0.b
- EOF
--if AC_TRY_COMMAND(${CC-cc} -c -march=armv8.2-a+sve conftest.s 1>&AS_MESSAGE_LOG_FD); then
-+if AC_TRY_COMMAND(${CC-cc} -c conftest.s 1>&AS_MESSAGE_LOG_FD); then
-   libc_cv_aarch64_sve_asm=yes
- else
-   libc_cv_aarch64_sve_asm=no
--- 
-2.44.0
-
diff --git a/meta/recipes-core/glibc/glibc/0024-qemu-stale-process.patch b/meta/recipes-core/glibc/glibc/0023-qemu-stale-process.patch
similarity index 100%
rename from meta/recipes-core/glibc/glibc/0024-qemu-stale-process.patch
rename to meta/recipes-core/glibc/glibc/0023-qemu-stale-process.patch
diff --git a/meta/recipes-core/glibc/glibc_2.39.bb b/meta/recipes-core/glibc/glibc_2.39.bb
index 9122472689..988e43c014 100644
--- a/meta/recipes-core/glibc/glibc_2.39.bb
+++ b/meta/recipes-core/glibc/glibc_2.39.bb
@@ -16,6 +16,10 @@ CVE_STATUS[CVE-2019-1010025] = "disputed: \
 Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow \
 easier access for another. 'ASLR bypass itself is not a vulnerability.'"
 
+CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORTS"
+CVE_STATUS_STABLE_BACKPORTS = "CVE-2024-2961"
+CVE_STATUS_STABLE_BACKPORTS[status] = "cpe-stable-backport: fix available in used git hash"
+
 DEPENDS += "gperf-native bison-native"
 
 NATIVESDKFIXES ?= ""
@@ -48,8 +52,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0020-tzselect.ksh-Use-bin-sh-default-shell-interpreter.patch \
            file://0021-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
            file://0022-Avoid-hardcoded-build-time-paths-in-the-output-binar.patch \
-           file://0023-aarch64-configure-Pass-mcpu-along-with-march-to-dete.patch \
-           file://0024-qemu-stale-process.patch \
+           file://0023-qemu-stale-process.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
-- 
2.34.1

[OE-core][scarthgap 06/21] glibc: Update to latest on stable 2.39 branch

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Adresses CVEs: CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602

Changes:
273a835fe7 time: Allow later version licensing.
acc56074b0 nscd: Use time_t for return type of addgetnetgrentX
836d43b989 login: structs utmp, utmpx, lastlog _TIME_BITS independence (bug 30701)
9831f98c26 login: Check default sizes of structs utmp, utmpx, lastlog
fd658f026f elf: Also compile dl-misc.os with $(rtld-early-cflags)
a9a8d3eebb CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX (bug 31680)
c99f886de5 CVE-2024-33600: nscd: Avoid null pointer crashes after notfound response (bug 31678)
5a508e0b50 CVE-2024-33600: nscd: Do not send missing not-found response in addgetnetgrentX (bug 31678)
1263d583d2 CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache (bug 31677)
2f8f157eb0 x86: Define MINIMUM_X86_ISA_LEVEL in config.h [BZ #31676]
e701c7d761 i386: ulp update for SSE2 --disable-multi-arch configurations
e828914cf9 nptl: Fix tst-cancel30 on kernels without ppoll_time64 support

Since glibc introduced file sysdeps/arm/bits/wordsize.h
our multilib patch needed to be updated.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/glibc/glibc-version.inc     |  2 +-
 ...y-the-header-between-arm-and-aarch64.patch | 47 +++++++++++++++----
 meta/recipes-core/glibc/glibc_2.39.bb         |  2 +-
 3 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 4fc6986ffc..1e4a323d64 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.39/master"
 PV = "2.39+git"
-SRCREV_glibc ?= "31da30f23cddd36db29d5b6a1c7619361b271fb4"
+SRCREV_glibc ?= "273a835fe7c685cc54266bb8b502787bad5e9bae"
 SRCREV_localedef ?= "fab74f31b3811df543e24b6de47efdf45b538abc"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git;protocol=https"
diff --git a/meta/recipes-core/glibc/glibc/0016-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch b/meta/recipes-core/glibc/glibc/0016-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
index 066c3b1ea2..9bdfa76318 100644
--- a/meta/recipes-core/glibc/glibc/0016-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
+++ b/meta/recipes-core/glibc/glibc/0016-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
@@ -11,16 +11,15 @@ Upstream-Status: Inappropriate [ OE-Specific ]
 
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
- sysdeps/aarch64/bits/wordsize.h | 8 ++++++--
- sysdeps/arm/bits/wordsize.h     | 1 +
- 2 files changed, 7 insertions(+), 2 deletions(-)
- create mode 120000 sysdeps/arm/bits/wordsize.h
+ sysdeps/aarch64/bits/wordsize.h | 11 +++++++++--
+ sysdeps/arm/bits/wordsize.h     | 22 +---------------------
+ 2 files changed, 10 insertions(+), 23 deletions(-)
 
 diff --git a/sysdeps/aarch64/bits/wordsize.h b/sysdeps/aarch64/bits/wordsize.h
-index 118e59172d..b4b0692eb5 100644
+index 118e59172d..ff86359fe8 100644
 --- a/sysdeps/aarch64/bits/wordsize.h
 +++ b/sysdeps/aarch64/bits/wordsize.h
-@@ -17,12 +17,16 @@
+@@ -17,12 +17,19 @@
     License along with the GNU C Library; if not, see
     <https://www.gnu.org/licenses/>.  */
  
@@ -33,12 +32,42 @@ index 118e59172d..b4b0692eb5 100644
  # define __WORDSIZE32_SIZE_ULONG	1
  # define __WORDSIZE32_PTRDIFF_LONG	1
 +#else
-+# define __WORDSIZE			32
-+# define __WORDSIZE32_SIZE_ULONG	0
-+# define __WORDSIZE32_PTRDIFF_LONG	0
++#define __WORDSIZE			32
++#define __WORDSIZE_TIME64_COMPAT32	1
++#define __WORDSIZE32_SIZE_ULONG		0
++#define __WORDSIZE32_PTRDIFF_LONG	0
  #endif
  
++#ifdef __aarch64__
  #define __WORDSIZE_TIME64_COMPAT32	0
++#endif
+diff --git a/sysdeps/arm/bits/wordsize.h b/sysdeps/arm/bits/wordsize.h
+deleted file mode 100644
+index 6ecbfe7c86..0000000000
+--- a/sysdeps/arm/bits/wordsize.h
++++ /dev/null
+@@ -1,21 +0,0 @@
+-/* Copyright (C) 1999-2024 Free Software Foundation, Inc.
+-   This file is part of the GNU C Library.
+-
+-   The GNU C Library is free software; you can redistribute it and/or
+-   modify it under the terms of the GNU Lesser General Public
+-   License as published by the Free Software Foundation; either
+-   version 2.1 of the License, or (at your option) any later version.
+-
+-   The GNU C Library is distributed in the hope that it will be useful,
+-   but WITHOUT ANY WARRANTY; without even the implied warranty of
+-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+-   Lesser General Public License for more details.
+-
+-   You should have received a copy of the GNU Lesser General Public
+-   License along with the GNU C Library; if not, see
+-   <https://www.gnu.org/licenses/>.  */
+-
+-#define __WORDSIZE			32
+-#define __WORDSIZE_TIME64_COMPAT32	1
+-#define __WORDSIZE32_SIZE_ULONG		0
+-#define __WORDSIZE32_PTRDIFF_LONG	0
 diff --git a/sysdeps/arm/bits/wordsize.h b/sysdeps/arm/bits/wordsize.h
 new file mode 120000
 index 0000000000..4c4a788ec2
diff --git a/meta/recipes-core/glibc/glibc_2.39.bb b/meta/recipes-core/glibc/glibc_2.39.bb
index 988e43c014..2484ae1cd9 100644
--- a/meta/recipes-core/glibc/glibc_2.39.bb
+++ b/meta/recipes-core/glibc/glibc_2.39.bb
@@ -17,7 +17,7 @@ Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, m
 easier access for another. 'ASLR bypass itself is not a vulnerability.'"
 
 CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORTS"
-CVE_STATUS_STABLE_BACKPORTS = "CVE-2024-2961"
+CVE_STATUS_STABLE_BACKPORTS = "CVE-2024-2961 CVE-2024-33599 CVE-2024-33600 CVE-2024-33601 CVE-2024-33602"
 CVE_STATUS_STABLE_BACKPORTS[status] = "cpe-stable-backport: fix available in used git hash"
 
 DEPENDS += "gperf-native bison-native"
-- 
2.34.1

[OE-core][scarthgap 07/21] glibc: correct license

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

The license per [1] is LGPL-2.1-or-later and
[2] converted last LGPL-2.1-only references.

License-Update: corrected from LGPL-2.1-only to LGPL-2.1-or-later based on [1] and [2]

[1] https://www.gnu.org/software/libc/
[2] https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=273a835fe7c685cc54266bb8b502787bad5e9bae

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b7ad15a59d048ca7561a03cb0fc8e2c24680ce5c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/glibc/glibc-common.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc-common.inc b/meta/recipes-core/glibc/glibc-common.inc
index b9516e77f0..91a3f5bcd5 100644
--- a/meta/recipes-core/glibc/glibc-common.inc
+++ b/meta/recipes-core/glibc/glibc-common.inc
@@ -2,7 +2,7 @@ SUMMARY = "GLIBC (GNU C Library)"
 DESCRIPTION = "The GNU C Library is used as the system C library in most systems with the Linux kernel."
 HOMEPAGE = "http://www.gnu.org/software/libc/libc.html"
 SECTION = "libs"
-LICENSE = "GPL-2.0-only & LGPL-2.1-only"
+LICENSE = "GPL-2.0-only & LGPL-2.1-or-later"
 
 LIC_FILES_CHKSUM ?= "file://LICENSES;md5=f77e878d320e99e94ae9a4aea7f491d1 \
       file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-- 
2.34.1

[OE-core][scarthgap 08/21] llvm: upgrade 18.1.2 -> 18.1.3

[Steve Sakoman]

From: Wang Mingyu <wangmy@fujitsu.com>

0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch
refreshed for 18.1.3

Changelog:
============
-DFixes tsan failures for glibc's LoongArch and certain RISC-V ports when
 fstat is used.
-transform.structured.convert_to_loops now properly deletes its target op.
-Fix a llvm.usub.with.overflow.i128 wrong code generation regression that
 was introduced with LLVM 18.1.0.
-MemorySanitizer on Linux can now run even when maximum-entropy address-space
 layout randomization is configured globally
-Fixed a Clang 18.x regression which increased binary size and stack usage with
 -ftrivial-auto-var-init.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit d2159f92ddbb6b999c1d14ac62647b4a35360377)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...mMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-devtools/llvm/llvm/0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch b/meta/recipes-devtools/llvm/llvm/0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch
index 48af6fc283..a5c53b6657 100644
--- a/meta/recipes-devtools/llvm/llvm/0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch
+++ b/meta/recipes-devtools/llvm/llvm/0001-AsmMatcherEmitter-sort-ClassInfo-lists-by-name-as-we.patch
@@ -1,4 +1,4 @@
-From 86940d87026432683fb6741cd8a34d3b9b18e40d Mon Sep 17 00:00:00 2001
+From 3b30a9bda88374e8f03bf96e972aee5bd214b98b Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Fri, 27 Nov 2020 10:11:08 +0000
 Subject: [PATCH] AsmMatcherEmitter: sort ClassInfo lists by name as well
@@ -14,10 +14,10 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
  1 file changed, 4 insertions(+), 1 deletion(-)
 
 diff --git a/llvm/utils/TableGen/AsmMatcherEmitter.cpp b/llvm/utils/TableGen/AsmMatcherEmitter.cpp
-index ccf0959389b..1f801e83b7d 100644
+index 73724e662f9e..1ca9c73415db 100644
 --- a/llvm/utils/TableGen/AsmMatcherEmitter.cpp
 +++ b/llvm/utils/TableGen/AsmMatcherEmitter.cpp
-@@ -359,7 +359,10 @@ public:
+@@ -361,7 +361,10 @@ public:
      // name of a class shouldn't be significant. However, some of the backends
      // accidentally rely on this behaviour, so it will have to stay like this
      // until they are fixed.
-- 
2.34.1

[OE-core][scarthgap 09/21] webkitgtk: 2.44.0 -> 2.44.1

[Steve Sakoman]

From: Kai Kang <kai.kang@windriver.com>

Update webkitgtk from 2.44.0 to the first bug fix release in the stable
2.44 series 2.44.1.

* remove backported patch

What's new in the WebKitGTK 2.44.1 release?
===========================================

  - Fix handling of lifetime of web view child dialogs in GTK4.
  - Do not schedule layer flushes when drawing area size is empty.
  - Fix videos with alpha when using the DMA-BUF sink.
  - Fix the build with USE_GBM=OFF.
  - Fix the build in 32bit platforms
  - Fix several crashes and rendering issues.

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit c129c47cf9fa119005ea6e3946ebdee0da1db7e0)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...af379dc70b4b1a63b01d67179eb431f03ac4.patch | 38 -------------------
 ...ebkitgtk_2.44.0.bb => webkitgtk_2.44.1.bb} |  3 +-
 2 files changed, 1 insertion(+), 40 deletions(-)
 delete mode 100644 meta/recipes-sato/webkit/webkitgtk/2922af379dc70b4b1a63b01d67179eb431f03ac4.patch
 rename meta/recipes-sato/webkit/{webkitgtk_2.44.0.bb => webkitgtk_2.44.1.bb} (98%)

diff --git a/meta/recipes-sato/webkit/webkitgtk/2922af379dc70b4b1a63b01d67179eb431f03ac4.patch b/meta/recipes-sato/webkit/webkitgtk/2922af379dc70b4b1a63b01d67179eb431f03ac4.patch
deleted file mode 100644
index 3067500447..0000000000
--- a/meta/recipes-sato/webkit/webkitgtk/2922af379dc70b4b1a63b01d67179eb431f03ac4.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 2922af379dc70b4b1a63b01d67179eb431f03ac4 Mon Sep 17 00:00:00 2001
-From: Michael Catanzaro <mcatanzaro@redhat.com>
-Date: Mon, 18 Mar 2024 11:14:54 -0700
-Subject: [PATCH] REGRESSION(274077@main): failure to build on i586 (and likely
- other 32bit arches): static assertion failed: Timer should stay small
- https://bugs.webkit.org/show_bug.cgi?id=271108
-
-Unreviewed build fix. This changes SameSizeOfTimer to ensure it matches
-the size of Timer on 32-bit platforms.
-
-* Source/WebCore/platform/Timer.cpp:
-
-Canonical link: https://commits.webkit.org/276282@main
-
-Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/2922af379dc70b4b1a63b01d67179eb431f03ac4]
-
-Signed-off-by: Markus Volk <f_l_k@t-online.de>
----
- Source/WebCore/platform/Timer.cpp | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/Source/WebCore/platform/Timer.cpp b/Source/WebCore/platform/Timer.cpp
-index 4f7c0f5c39ca9..0f3734cca2474 100644
---- a/Source/WebCore/platform/Timer.cpp
-+++ b/Source/WebCore/platform/Timer.cpp
-@@ -263,7 +263,11 @@ struct SameSizeAsTimer {
- 
-     WeakPtr<TimerAlignment> timerAlignment;
-     double times[2];
--    void* pointers[3];
-+    void* pointers[2];
-+#if CPU(ADDRESS32)
-+    uint8_t bitfields;
-+#endif
-+    void* pointer;
- };
- 
- static_assert(sizeof(Timer) == sizeof(SameSizeAsTimer), "Timer should stay small");
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.44.0.bb b/meta/recipes-sato/webkit/webkitgtk_2.44.1.bb
similarity index 98%
rename from meta/recipes-sato/webkit/webkitgtk_2.44.0.bb
rename to meta/recipes-sato/webkit/webkitgtk_2.44.1.bb
index 0819f6de0d..29e12bb8c5 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.44.0.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.44.1.bb
@@ -16,9 +16,8 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
            file://no-musttail-arm.patch \
            file://t6-not-declared.patch \
            file://30e1d5e22213fdaca2a29ec3400c927d710a37a8.patch \
-           file://2922af379dc70b4b1a63b01d67179eb431f03ac4.patch \
            "
-SRC_URI[sha256sum] = "c66530e41ba59b1edba4ee89ef20b2188e273bed0497e95084729e3cfbe30c87"
+SRC_URI[sha256sum] = "425b1459b0f04d0600c78d1abb5e7edfa3c060a420f8b231e9a6a2d5d29c5561"
 
 inherit cmake pkgconfig gobject-introspection perlnative features_check upstream-version-is-even gi-docgen
 
-- 
2.34.1

[OE-core][scarthgap 10/21] uboot-sign: fix loop in do_uboot_assemble_fitimage

[Steve Sakoman]

From: Ralph Siemsen <ralph.siemsen@linaro.org>

When using multiple u-boot configurations in UBOOT_CONFIG, the helper
function uboot_assemble_fitimage_helper() was not called with all
combinations of type & binary, due to a copy-n-paste indexing error.

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 2d338548a4b745a71eaf6c29231adc93c4165778)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes-recipe/uboot-sign.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 7a0b8047e4..c8e097f2f2 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -367,7 +367,7 @@ do_uboot_assemble_fitimage() {
 			done
 
 			for binary in ${UBOOT_BINARIES}; do
-				k=$(expr $j + 1);
+				k=$(expr $k + 1);
 				if [ $k -eq $i ]; then
 					break;
 				fi
-- 
2.34.1

[OE-core][scarthgap 11/21] go: Drop the linkmode completely

[Steve Sakoman]

From: Jose Quaresma <quaresma.jose@gmail.com>

This will make possible to restore the default dynamic linking globally
which is what we had before the 1.20.X release.

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6ad90fc2fc49c4199a59dfb1c1d81a7ba184a522)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes-recipe/go.bbclass          | 2 --
 meta/recipes-devtools/go/go-runtime.inc | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/meta/classes-recipe/go.bbclass b/meta/classes-recipe/go.bbclass
index cc3564c36a..d32509aa6d 100644
--- a/meta/classes-recipe/go.bbclass
+++ b/meta/classes-recipe/go.bbclass
@@ -48,8 +48,6 @@ GO_RPATH:class-native = "${@'-r ${STAGING_LIBDIR_NATIVE}/go/pkg/${TARGET_GOTUPLE
 GO_RPATH_LINK:class-native = "${@'-Wl,-rpath-link=${STAGING_LIBDIR_NATIVE}/go/pkg/${TARGET_GOTUPLE}_dynlink' if d.getVar('GO_DYNLINK') else ''}"
 GO_EXTLDFLAGS ?= "${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS} ${GO_RPATH_LINK} ${LDFLAGS}"
 GO_LINKMODE ?= ""
-GO_LINKMODE:class-nativesdk = "--linkmode=external"
-GO_LINKMODE:class-native = "--linkmode=external"
 GO_EXTRA_LDFLAGS ?= ""
 GO_LINUXLOADER ?= "-I ${@get_linuxloader(d)}"
 # Use system loader. If uninative is used, the uninative loader will be patched automatically
diff --git a/meta/recipes-devtools/go/go-runtime.inc b/meta/recipes-devtools/go/go-runtime.inc
index 3f1e795dd9..413cf6d33f 100644
--- a/meta/recipes-devtools/go/go-runtime.inc
+++ b/meta/recipes-devtools/go/go-runtime.inc
@@ -15,7 +15,7 @@ export CGO_LDFLAGS = "${@ ' '.join(filter(lambda f: not f.startswith('-fdebug-pr
 export GOCACHE = "${B}/.cache"
 
 GO_EXTLDFLAGS ?= "${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS} ${LDFLAGS}"
-GO_SHLIB_LDFLAGS ?= '-ldflags="--linkmode=external -extldflags '${GO_EXTLDFLAGS}'"'
+GO_SHLIB_LDFLAGS ?= '-ldflags="-extldflags '${GO_EXTLDFLAGS}'"'
 
 do_configure() {
 	:
-- 
2.34.1

[OE-core][scarthgap 12/21] Revert "goarch: disable dynamic linking globally"

[Steve Sakoman]

From: Jose Quaresma <quaresma.jose@gmail.com>

This reverts commit 827c60b79e7fcafd14e68870f6b69dcc48ac9c39.

Fixed with the drop of the linkmode

Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8f46f60a703defc3e74adad382320c129cef0b06)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes-recipe/goarch.bbclass | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/meta/classes-recipe/goarch.bbclass b/meta/classes-recipe/goarch.bbclass
index 6899ec28e4..1ebe03864f 100644
--- a/meta/classes-recipe/goarch.bbclass
+++ b/meta/classes-recipe/goarch.bbclass
@@ -38,13 +38,13 @@ BASE_GOARM:armv5 = '5'
 # Go supports dynamic linking on a limited set of architectures.
 # See the supportsDynlink function in go/src/cmd/compile/internal/gc/main.go
 GO_DYNLINK = ""
-GO_DYNLINK:arm = ""
-GO_DYNLINK:aarch64 = ""
-GO_DYNLINK:x86 = ""
-GO_DYNLINK:x86-64 = ""
-GO_DYNLINK:powerpc64 = ""
-GO_DYNLINK:powerpc64le = ""
-GO_DYNLINK:class-native = ""
+GO_DYNLINK:arm ?= "1"
+GO_DYNLINK:aarch64 ?= "1"
+GO_DYNLINK:x86 ?= "1"
+GO_DYNLINK:x86-64 ?= "1"
+GO_DYNLINK:powerpc64 ?= "1"
+GO_DYNLINK:powerpc64le ?= "1"
+GO_DYNLINK:class-native ?= ""
 GO_DYNLINK:class-nativesdk = ""
 
 # define here because everybody inherits this class
-- 
2.34.1

[OE-core][scarthgap 13/21] classes: image_types: apply EXTRA_IMAGECMD:squashfs* in oe_mksquashfs()

[Steve Sakoman]

From: Martin Hundebøll <martin@geanix.com>

Since commit c991f9d6031 ("image_types: Set SOURCE_DATE_EPOCH for squashfs"),
I assume, the EXTRA_IMAGECMD:squashfs* variable(s) has been ignored.
This is due to the override magic, which isn't applied to functions
called by IMAGE_CMD:<type>, but only to the IMAGE_CMD:<type> itself.

Other image types (e.g. ext*) works around this by passing the
EXTRA_IMAGECMD variable as an argument to the called function.

To do the same for oe_mksquashfs(), the number of mandatory arguments is
fixed to one (with a little logic to handle the zstd filename). This
allows passing ${EXTRA_IMAGECMD} as an argument to oe_mksquashfs(),
which makes the variable functional again.

Signed-off-by: Martin Hundebøll <martin@geanix.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes-recipe/image_types.bbclass | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/meta/classes-recipe/image_types.bbclass b/meta/classes-recipe/image_types.bbclass
index 913cb8788c..b4a83ae284 100644
--- a/meta/classes-recipe/image_types.bbclass
+++ b/meta/classes-recipe/image_types.bbclass
@@ -112,18 +112,22 @@ IMAGE_CMD:btrfs () {
 }
 
 oe_mksquashfs () {
-    local comp=$1
-    local suffix=$2
+    local comp=$1; shift
+    local extra_imagecmd=$@
+
+    if [ "$comp" = "zstd" ]; then
+        suffix="zst"
+    fi
 
     # Use the bitbake reproducible timestamp instead of the hardcoded squashfs one
     export SOURCE_DATE_EPOCH=$(stat -c '%Y' ${IMAGE_ROOTFS})
-    mksquashfs ${IMAGE_ROOTFS} ${IMGDEPLOYDIR}/${IMAGE_NAME}.squashfs${comp:+-}${suffix:-$comp} ${EXTRA_IMAGECMD} -noappend ${comp:+-comp }$comp
+    mksquashfs ${IMAGE_ROOTFS} ${IMGDEPLOYDIR}/${IMAGE_NAME}.squashfs${comp:+-}${suffix:-$comp} -noappend ${comp:+-comp }$comp $extra_imagecmd
 }
-IMAGE_CMD:squashfs = "oe_mksquashfs"
-IMAGE_CMD:squashfs-xz = "oe_mksquashfs xz"
-IMAGE_CMD:squashfs-lzo = "oe_mksquashfs lzo"
-IMAGE_CMD:squashfs-lz4 = "oe_mksquashfs lz4"
-IMAGE_CMD:squashfs-zst = "oe_mksquashfs zstd zst"
+IMAGE_CMD:squashfs = "oe_mksquashfs '' ${EXTRA_IMAGECMD}"
+IMAGE_CMD:squashfs-xz = "oe_mksquashfs xz ${EXTRA_IMAGECMD}"
+IMAGE_CMD:squashfs-lzo = "oe_mksquashfs lzo ${EXTRA_IMAGECMD}"
+IMAGE_CMD:squashfs-lz4 = "oe_mksquashfs lz4 ${EXTRA_IMAGECMD}"
+IMAGE_CMD:squashfs-zst = "oe_mksquashfs zstd ${EXTRA_IMAGECMD}"
 
 IMAGE_CMD:erofs = "mkfs.erofs ${EXTRA_IMAGECMD} ${IMGDEPLOYDIR}/${IMAGE_NAME}.erofs ${IMAGE_ROOTFS}"
 IMAGE_CMD:erofs-lz4 = "mkfs.erofs -zlz4 ${EXTRA_IMAGECMD} ${IMGDEPLOYDIR}/${IMAGE_NAME}.erofs-lz4 ${IMAGE_ROOTFS}"
-- 
2.34.1

[OE-core][scarthgap 14/21] libcgroup_3.1.0: fix build on non-systemd systems

[Steve Sakoman]

From: Adriaan Schmidt <adriaan.schmidt@siemens.com>

backport upstream commit 592dcdcf243576bd2517d3da9bc18990de08e37e
to fix packaging when building with --enable-systemd=no

Signed-off-by: Adriaan Schmidt <adriaan.schmidt@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...akefile-install-systemd.h-by-default.patch | 37 +++++++++++++++++++
 .../recipes-core/libcgroup/libcgroup_3.1.0.bb |  1 +
 2 files changed, 38 insertions(+)
 create mode 100644 meta/recipes-core/libcgroup/libcgroup/0001-include-Makefile-install-systemd.h-by-default.patch

diff --git a/meta/recipes-core/libcgroup/libcgroup/0001-include-Makefile-install-systemd.h-by-default.patch b/meta/recipes-core/libcgroup/libcgroup/0001-include-Makefile-install-systemd.h-by-default.patch
new file mode 100644
index 0000000000..4b743f9b33
--- /dev/null
+++ b/meta/recipes-core/libcgroup/libcgroup/0001-include-Makefile-install-systemd.h-by-default.patch
@@ -0,0 +1,37 @@
+From 592dcdcf243576bd2517d3da9bc18990de08e37e Mon Sep 17 00:00:00 2001
+From: Kamalesh Babulal <kamalesh.babulal@oracle.com>
+Date: Mon, 27 Nov 2023 20:07:33 +0530
+Subject: [PATCH 1/1] include/Makefile: install systemd.h by default
+
+Install systemd.h header file by default, as we have stub and defined
+versions of the systemd functions for both non-systemd and systemd
+enabled configurations.  This will help packagers to ship package
+without systemd support (--enable-systemd=no).
+
+Signed-off-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
+Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
+
+Upstream-Status: Backport [https://github.com/libcgroup/libcgroup/commit/592dcdcf243576bd2517d3da9bc18990de08e37e]
+
+Signed-off-by: Adriaan Schmidt <adriaan.schmidt@siemens.com>
+---
+ include/Makefile.am | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/include/Makefile.am b/include/Makefile.am
+index 23cebaac..4cb05529 100644
+--- a/include/Makefile.am
++++ b/include/Makefile.am
+@@ -2,8 +2,4 @@
+ nobase_include_HEADERS = libcgroup.h libcgroup/error.h libcgroup/init.h \
+ 			 libcgroup/groups.h libcgroup/tasks.h \
+ 			 libcgroup/iterators.h libcgroup/config.h \
+-			 libcgroup/log.h libcgroup/tools.h
+-
+-if WITH_SYSTEMD
+-nobase_include_HEADERS += libcgroup/systemd.h
+-endif
++			 libcgroup/log.h libcgroup/tools.h libcgroup/systemd.h
+-- 
+2.39.2
+
diff --git a/meta/recipes-core/libcgroup/libcgroup_3.1.0.bb b/meta/recipes-core/libcgroup/libcgroup_3.1.0.bb
index 4b4f19e36f..a1d27c7e7f 100644
--- a/meta/recipes-core/libcgroup/libcgroup_3.1.0.bb
+++ b/meta/recipes-core/libcgroup/libcgroup_3.1.0.bb
@@ -13,6 +13,7 @@ DEPENDS = "bison-native flex-native"
 DEPENDS:append:libc-musl = " fts"
 
 SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/${BP}.tar.gz \
+           file://0001-include-Makefile-install-systemd.h-by-default.patch \
 "
 UPSTREAM_CHECK_URI = "https://github.com/libcgroup/libcgroup/tags"
 
-- 
2.34.1

[OE-core][scarthgap 15/21] patchtest: test_metadata: fix invalid escape sequences

[Steve Sakoman]

From: Trevor Gamblin <tgamblin@baylibre.com>

Clear up the following warnings seen during patchtest runs:

|/workspace/yocto/poky/meta/lib/patchtest/tests/test_metadata.py:21: SyntaxWarning: invalid escape sequence '\+'
|  add_mark = pyparsing.Regex('\+ ')
|/workspace/yocto/poky/meta/lib/patchtest/tests/test_metadata.py:26: SyntaxWarning: invalid escape sequence '\:'
|  git_regex = pyparsing.Regex('^git\:\/\/.*')

Signed-off-by: Trevor Gamblin <tgamblin@baylibre.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 2d64317835a768898aac592b24fcbdfaf6c8357a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/patchtest/tests/test_metadata.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/lib/patchtest/tests/test_metadata.py b/meta/lib/patchtest/tests/test_metadata.py
index be609dbd04..f5dbcf01ed 100644
--- a/meta/lib/patchtest/tests/test_metadata.py
+++ b/meta/lib/patchtest/tests/test_metadata.py
@@ -18,12 +18,12 @@ class TestMetadata(base.Metadata):
     lictag_re  = pyparsing.AtLineStart("License-Update:")
     lic_chksum_added = pyparsing.AtLineStart("+" + metadata_chksum)
     lic_chksum_removed = pyparsing.AtLineStart("-" + metadata_chksum)
-    add_mark = pyparsing.Regex('\+ ')
+    add_mark = pyparsing.Regex('\\+ ')
     max_length = 200
     metadata_src_uri  = 'SRC_URI'
     md5sum    = 'md5sum'
     sha256sum = 'sha256sum'
-    git_regex = pyparsing.Regex('^git\:\/\/.*')
+    git_regex = pyparsing.Regex('^git\\:\\/\\/.*')
     metadata_summary = 'SUMMARY'
     cve_check_ignore_var = 'CVE_CHECK_IGNORE'
     cve_status_var = 'CVE_STATUS'
-- 
2.34.1

[OE-core][scarthgap 16/21] bash: Fix file-substitution error-handling bug

[Steve Sakoman]

From: Zev Weiss <zev@bewilderbeest.net>

This is part of a patch that's been upstream for a while but hasn't yet
been released.  The bug is causing some downstream difficulties, so a
local patch to tide us over until the next release makes things a bit
easier.

Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit bf384d6618780dea2df24adac88ba4364cb65b9b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../bash/bash/fix-filesubst-errexit.patch     | 34 +++++++++++++++++++
 meta/recipes-extended/bash/bash_5.2.21.bb     |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-extended/bash/bash/fix-filesubst-errexit.patch

diff --git a/meta/recipes-extended/bash/bash/fix-filesubst-errexit.patch b/meta/recipes-extended/bash/bash/fix-filesubst-errexit.patch
new file mode 100644
index 0000000000..60f1852316
--- /dev/null
+++ b/meta/recipes-extended/bash/bash/fix-filesubst-errexit.patch
@@ -0,0 +1,34 @@
+From 59ddfda14e3c9aa6286bb4c4c0748f7c1324a65a Mon Sep 17 00:00:00 2001
+From: Chet Ramey <chet.ramey@case.edu>
+Date: Fri, 7 Apr 2023 00:28:46 -0700
+Subject: [PATCH] $(<nosuchfile) is no longer a fatal error with errexit
+ enabled
+
+This is a trimmed-down version of a commit in the bash 'devel' branch
+[1] that contains this fix as well as other unrelated ones.
+
+[1] https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=ec9447ce9392a0f93d96789c3741285fede8a150
+
+Upstream-Status: Backport
+
+Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
+---
+ builtins/evalstring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/builtins/evalstring.c b/builtins/evalstring.c
+index df3dd68e2a7e..6612081cd646 100644
+--- a/builtins/evalstring.c
++++ b/builtins/evalstring.c
+@@ -753,7 +753,7 @@ open_redir_file (r, fnp)
+   fd = open(fn, O_RDONLY);
+   if (fd < 0)
+     {
+-      file_error (fn);
++      internal_error ("%s: %s", fn, strerror (errno));
+       free (fn);
+       if (fnp)
+ 	*fnp = 0;
+-- 
+2.40.0
+
diff --git a/meta/recipes-extended/bash/bash_5.2.21.bb b/meta/recipes-extended/bash/bash_5.2.21.bb
index 46d921bbe6..532adf4c1a 100644
--- a/meta/recipes-extended/bash/bash_5.2.21.bb
+++ b/meta/recipes-extended/bash/bash_5.2.21.bb
@@ -13,6 +13,7 @@ SRC_URI = "${GNU_MIRROR}/bash/${BP}.tar.gz;name=tarball \
            file://fix-run-builtins.patch \
            file://use_aclocal.patch \
            file://0001-changes-to-SIGINT-handler-while-waiting-for-a-child-.patch \
+           file://fix-filesubst-errexit.patch \
            "
 
 SRC_URI[tarball.sha256sum] = "c8e31bdc59b69aaffc5b36509905ba3e5cbb12747091d27b4b977f078560d5b8"
-- 
2.34.1

[OE-core][scarthgap 17/21] recipetool: Handle unclean response in go resolver

[Steve Sakoman]

From: Sven Schwermer <sven.schwermer@disruptive-technologies.com>

It appears that some go modules repond with a 404 error when trying to
resolve them dynamically. The response body may still contain the
go-import meta tag. An example for such behaviour is gonum.org/v1/gonum.

Signed-off-by: Sven Schwermer <sven.schwermer@disruptive-technologies.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 8f2e14ab6562a9a68819a960c66a258ea9dbe246)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/lib/recipetool/create_go.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/scripts/lib/recipetool/create_go.py b/scripts/lib/recipetool/create_go.py
index c560831442..0fb7115e26 100644
--- a/scripts/lib/recipetool/create_go.py
+++ b/scripts/lib/recipetool/create_go.py
@@ -16,7 +16,7 @@ from html.parser import HTMLParser
 from recipetool.create import RecipeHandler, handle_license_vars
 from recipetool.create import guess_license, tidy_licenses, fixup_license
 from recipetool.create import determine_from_url
-from urllib.error import URLError
+from urllib.error import URLError, HTTPError
 
 import bb.utils
 import json
@@ -251,15 +251,18 @@ class GoRecipeHandler(RecipeHandler):
         req = urllib.request.Request(url)
 
         try:
-            resp = urllib.request.urlopen(req)
-
+            body = urllib.request.urlopen(req).read()
+        except HTTPError as http_err:
+            logger.warning(
+                "Unclean status when fetching page from [%s]: %s", url, str(http_err))
+            body = http_err.fp.read()
         except URLError as url_err:
             logger.warning(
                 "Failed to fetch page from [%s]: %s", url, str(url_err))
             return None
 
         parser = GoImportHTMLParser()
-        parser.feed(resp.read().decode('utf-8'))
+        parser.feed(body.decode('utf-8'))
         parser.close()
 
         return GoImport(parser.import_prefix, parser.vcs, parser.repourl, None)
-- 
2.34.1

[OE-core][scarthgap 18/21] recipetool: Handle several go-import tags in go resolver

[Steve Sakoman]

From: Sven Schwermer <sven.schwermer@disruptive-technologies.com>

When dynamically resolving go modules, the HTML page may contain several
go-import meta tags. We must handle all and pick the correct one based
on the module name. An example for such a behaviour is
gonum.org/v1/gonum:

<meta name="go-import" content="gonum.org/v1/exp git https://github.com/gonum/exp">
<meta name="go-import" content="gonum.org/v1/gonum git https://github.com/gonum/gonum">
<meta name="go-import" content="gonum.org/v1/hdf5 git https://github.com/gonum/hdf5">
<meta name="go-import" content="gonum.org/v1/netlib git https://github.com/gonum/netlib">
<meta name="go-import" content="gonum.org/v1/plot git https://github.com/gonum/plot">
<meta name="go-import" content="gonum.org/v1/tools git https://github.com/gonum/tools">

Signed-off-by: Sven Schwermer <sven.schwermer@disruptive-technologies.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 9c36a61e29359067165bddc7f2accdf2c4c8a761)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 scripts/lib/recipetool/create_go.py | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/scripts/lib/recipetool/create_go.py b/scripts/lib/recipetool/create_go.py
index 0fb7115e26..a85a2f2786 100644
--- a/scripts/lib/recipetool/create_go.py
+++ b/scripts/lib/recipetool/create_go.py
@@ -225,7 +225,7 @@ class GoRecipeHandler(RecipeHandler):
 
             def __init__(self):
                 super().__init__()
-                self.__srv = []
+                self.__srv = {}
 
             def handle_starttag(self, tag, attrs):
                 if tag == 'meta' and list(
@@ -233,19 +233,14 @@ class GoRecipeHandler(RecipeHandler):
                     content = list(
                         filter(lambda a: (a[0] == 'content'), attrs))
                     if content:
-                        self.__srv = content[0][1].split()
+                        srv = content[0][1].split()
+                        self.__srv[srv[0]] = srv
 
-            @property
-            def import_prefix(self):
-                return self.__srv[0] if len(self.__srv) else None
-
-            @property
-            def vcs(self):
-                return self.__srv[1] if len(self.__srv) else None
-
-            @property
-            def repourl(self):
-                return self.__srv[2] if len(self.__srv) else None
+            def go_import(self, modulepath):
+                if modulepath in self.__srv:
+                    srv = self.__srv[modulepath]
+                    return GoImport(srv[0], srv[1], srv[2], None)
+                return None
 
         url = url.geturl() + "?go-get=1"
         req = urllib.request.Request(url)
@@ -265,7 +260,7 @@ class GoRecipeHandler(RecipeHandler):
         parser.feed(body.decode('utf-8'))
         parser.close()
 
-        return GoImport(parser.import_prefix, parser.vcs, parser.repourl, None)
+        return parser.go_import(modulepath)
 
     def __resolve_from_golang_proxy(self, modulepath, version):
         """
-- 
2.34.1

[OE-core][scarthgap 19/21] lib/oe/package-manager: allow including self in create_packages_dir

[Steve Sakoman]

From: Ross Burton <ross.burton@arm.com>

This function is typically used to construct a limited feed for image
creation, but there are other cases when you might want a limited feed
and include the current recipe's packages in it.

To ensure that existing behaviour is preserved, add a boolean to control
this behaviour and default it to False.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit aada7fda2b118152d82b1ab295d92b8251afe4ac)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oe/package_manager/__init__.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/meta/lib/oe/package_manager/__init__.py b/meta/lib/oe/package_manager/__init__.py
index 6774cdb794..d3b2317894 100644
--- a/meta/lib/oe/package_manager/__init__.py
+++ b/meta/lib/oe/package_manager/__init__.py
@@ -449,7 +449,7 @@ class PackageManager(object, metaclass=ABCMeta):
             return res
         return _append(uris, base_paths)
 
-def create_packages_dir(d, subrepo_dir, deploydir, taskname, filterbydependencies):
+def create_packages_dir(d, subrepo_dir, deploydir, taskname, filterbydependencies, include_self=False):
     """
     Go through our do_package_write_X dependencies and hardlink the packages we depend
     upon into the repo directory. This prevents us seeing other packages that may
@@ -486,14 +486,17 @@ def create_packages_dir(d, subrepo_dir, deploydir, taskname, filterbydependencie
         bb.fatal("Couldn't find ourself in BB_TASKDEPDATA?")
     pkgdeps = set()
     start = [start]
-    seen = set(start)
+    if include_self:
+        seen = set()
+    else:
+        seen = set(start)
     # Support direct dependencies (do_rootfs -> do_package_write_X)
     # or indirect dependencies within PN (do_populate_sdk_ext -> do_rootfs -> do_package_write_X)
     while start:
         next = []
         for dep2 in start:
             for dep in taskdepdata[dep2][3]:
-                if taskdepdata[dep][0] != pn:
+                if include_self or taskdepdata[dep][0] != pn:
                     if "do_" + taskname in dep:
                         pkgdeps.add(dep)
                 elif dep not in seen:
-- 
2.34.1

[OE-core][scarthgap 20/21] selftest/classes: add localpkgfeed class

[Steve Sakoman]

From: Ross Burton <ross.burton@arm.com>

This class can be used to construct a subset of a deployed package feed
for use in tests which iterate the deploy directory, and as such a huge
feed of 30K+ packages can result in very slow tests.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c5486d6ad32457f09c104d5dd31314bd570912d3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta-selftest/classes/localpkgfeed.bbclass | 27 ++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 meta-selftest/classes/localpkgfeed.bbclass

diff --git a/meta-selftest/classes/localpkgfeed.bbclass b/meta-selftest/classes/localpkgfeed.bbclass
new file mode 100644
index 0000000000..b796375e55
--- /dev/null
+++ b/meta-selftest/classes/localpkgfeed.bbclass
@@ -0,0 +1,27 @@
+# Create a subset of the package feed that just contain the
+# packages depended on by this recipe.
+
+LOCALPKGFEED_DIR = "${WORKDIR}/localpkgfeed"
+
+addtask localpkgfeed after do_build
+do_localpkgfeed[cleandirs] = "${LOCALPKGFEED_DIR}"
+do_localpkgfeed[nostamp] = "1"
+
+def get_packaging_class(d):
+    package_class = d.getVar("PACKAGE_CLASSES").split()[0]
+    return package_class.replace("package_", "")
+
+python () {
+    packaging = get_packaging_class(d)
+    d.setVarFlag("do_localpkgfeed", "rdeptask", "do_package_write_" + packaging)
+}
+
+python do_localpkgfeed() {
+    import oe.package_manager
+
+    packaging = get_packaging_class(d)
+    deploydir = d.getVar("DEPLOY_DIR_" + packaging.upper())
+    task = "package_write_" + packaging
+
+    oe.package_manager.create_packages_dir(d, d.getVar("LOCALPKGFEED_DIR"), deploydir, task, True, True)
+}
-- 
2.34.1

[OE-core][scarthgap 21/21] oeqa/selftest/debuginfod: use localpkgfeed to speed server startup

[Steve Sakoman]

From: Ross Burton <ross.burton@arm.com>

Sometimes the debuginfod selftest fails due to a timeout, because it
spends too long scanning a huge deploy directory that due to what tests
were ran previously can contain 30K packages.

The test only needs a subset of the feed, so use the new localpkgfeed
class to construct a minimal feed before running the test.

[ YOCTO #14937 ]

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 855376f518b28248ccd82ef5b2e89e6a8c970542)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oeqa/selftest/cases/debuginfod.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/debuginfod.py b/meta/lib/oeqa/selftest/cases/debuginfod.py
index 505b4be837..46c0cd87bb 100644
--- a/meta/lib/oeqa/selftest/cases/debuginfod.py
+++ b/meta/lib/oeqa/selftest/cases/debuginfod.py
@@ -62,7 +62,7 @@ class Debuginfod(OESelftestTestCase):
 
         raise TimeoutError("Cannot connect debuginfod, still %d scan jobs running" % latest)
 
-    def start_debuginfod(self):
+    def start_debuginfod(self, feed_dir):
         # We assume that the caller has already bitbake'd elfutils-native:do_addto_recipe_sysroot
 
         # Save some useful paths for later
@@ -82,7 +82,7 @@ class Debuginfod(OESelftestTestCase):
             # Disable rescanning, this is a one-shot test
             "--rescan-time=0",
             "--groom-time=0",
-            get_bb_var("DEPLOY_DIR"),
+            feed_dir,
         ]
 
         format = get_bb_var("PACKAGE_CLASSES").split()[0]
@@ -114,11 +114,12 @@ class Debuginfod(OESelftestTestCase):
         self.write_config("""
 TMPDIR = "${TOPDIR}/tmp-debuginfod"
 DISTRO_FEATURES:append = " debuginfod"
+INHERIT += "localpkgfeed"
 """)
-        bitbake("elfutils-native:do_addto_recipe_sysroot xz xz:do_package")
+        bitbake("elfutils-native:do_addto_recipe_sysroot xz xz:do_package xz:do_localpkgfeed")
 
         try:
-            self.start_debuginfod()
+            self.start_debuginfod(get_bb_var("LOCALPKGFEED_DIR", "xz"))
 
             env = os.environ.copy()
             env["DEBUGINFOD_URLS"] = "http://localhost:%d/" % self.port
@@ -141,12 +142,13 @@ DISTRO_FEATURES:append = " debuginfod"
         self.write_config("""
 TMPDIR = "${TOPDIR}/tmp-debuginfod"
 DISTRO_FEATURES:append = " debuginfod"
+INHERIT += "localpkgfeed"
 CORE_IMAGE_EXTRA_INSTALL += "elfutils xz"
         """)
-        bitbake("core-image-minimal elfutils-native:do_addto_recipe_sysroot")
+        bitbake("core-image-minimal elfutils-native:do_addto_recipe_sysroot xz:do_localpkgfeed")
 
         try:
-            self.start_debuginfod()
+            self.start_debuginfod(get_bb_var("LOCALPKGFEED_DIR", "xz"))
 
             with runqemu("core-image-minimal", runqemuparams="nographic") as qemu:
                 cmd = "DEBUGINFOD_URLS=http://%s:%d/ debuginfod-find debuginfo /usr/bin/xz" % (qemu.server_ip, self.port)
-- 
2.34.1

[OE-core][scarthgap 00/21] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, June 4

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6993

with two exceptions, the first a known reproducibility issue also present
on master:

https://bugzilla.yoctoproject.org/show_bug.cgi?id=15491

and the second is a failure on meta-agl-core, which will require an update
to the ptest-runner override in meta-agl once "ptest-runner: Bump to 2.4.4 (95f528c)"
merges.


The following changes since commit 0795169be206f1d4d140fe378e2476a44d0ce02b:

  oeqa/selftest/debuginfod: use localpkgfeed to speed server startup (2024-05-19 13:50:01 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Archana Polampalli (5):
  ghostscript: fix CVE-2024-33870
  ghostscript: fix CVE-2024-33869
  ghostscript: fix CVE-2024-33871
  ghostscript: fix CVE-2024-29510
  xserver-xorg: upgrade 21.1.11 -> 21.1.12

Changqing Li (1):
  ptest-runner: Bump to 2.4.4 (95f528c)

Julien Stephan (2):
  devtool: standard: update-recipe/finish: fix update localfile in
    another layer
  oeqa/selftest/devtool: add test for updating local files into another
    layer

Khem Raj (3):
  llvm: Upgrade to 18.1.4
  llvm: Upgrade to 18.1.5
  llvm: Switch to using release tarballs

Marek Vasut (1):
  gstreamer1.0-plugins-good: Include qttools-native during the build
    with qt5 PACKAGECONFIG

Mark Hatle (1):
  gcc: Fix for CVE-2024-0151

Peter Marko (2):
  ttyrun: define CVE_PRODUCT
  update-rc.d: add +git to PV

Philip Lorenz (2):
  lib/package_manager/ipk: Do not hardcode payload compression algorithm
  ipk: Fix clean up of extracted IPK payload

Rasmus Villemoes (1):
  git: set --with-gitconfig=/etc/gitconfig for -native builds

Ricardo Simoes (1):
  libusb1: Set CVE_PRODUCT

Soumya Sambu (1):
  ncurses: Fix CVE-2023-45918

Yogita Urade (1):
  libarchive: upgrade 3.7.2 -> 3.7.4

 meta/lib/oe/package_manager/ipk/__init__.py   |  14 +-
 meta/lib/oeqa/selftest/cases/devtool.py       |  20 +-
 .../ncurses/files/CVE-2023-45918.patch        | 180 ++++++++++
 meta/recipes-core/ncurses/ncurses_6.4.bb      |   1 +
 meta/recipes-core/ttyrun/ttyrun_2.31.0.bb     |   2 +
 .../update-rc.d/update-rc.d_0.8.bb            |   1 +
 meta/recipes-devtools/gcc/gcc-13.2.inc        |   1 +
 .../gcc/gcc/CVE-2024-0151.patch               | 315 ++++++++++++++++++
 meta/recipes-devtools/git/git_2.44.0.bb       |   1 +
 .../llvm/{llvm_git.bb => llvm_18.1.5.bb}      |  13 +-
 .../ghostscript/CVE-2024-29510.patch          |  84 +++++
 .../ghostscript/CVE-2024-33869-0001.patch     |  39 +++
 .../ghostscript/CVE-2024-33869-0002.patch     |  52 +++
 .../ghostscript/CVE-2024-33870.patch          |  99 ++++++
 .../ghostscript/CVE-2024-33871.patch          |  43 +++
 .../ghostscript/ghostscript_10.02.1.bb        |   5 +
 .../libarchive/libarchive/configurehack.patch |  19 +-
 ...ibarchive_3.7.2.bb => libarchive_3.7.4.bb} |   2 +-
 ...org_21.1.11.bb => xserver-xorg_21.1.12.bb} |   2 +-
 .../gstreamer1.0-plugins-good_1.22.11.bb      |   2 +-
 meta/recipes-support/libusb/libusb1_1.0.27.bb |   2 +
 ...-runner_2.4.3.bb => ptest-runner_2.4.4.bb} |   2 +-
 scripts/lib/devtool/standard.py               |  23 +-
 23 files changed, 888 insertions(+), 34 deletions(-)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-45918.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc/CVE-2024-0151.patch
 rename meta/recipes-devtools/llvm/{llvm_git.bb => llvm_18.1.5.bb} (93%)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch
 rename meta/recipes-extended/libarchive/{libarchive_3.7.2.bb => libarchive_3.7.4.bb} (96%)
 rename meta/recipes-graphics/xorg-xserver/{xserver-xorg_21.1.11.bb => xserver-xorg_21.1.12.bb} (92%)
 rename meta/recipes-support/ptest-runner/{ptest-runner_2.4.3.bb => ptest-runner_2.4.4.bb} (95%)

-- 
2.34.1

[OE-core][scarthgap 00/21] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Monday, July 8

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7104

The following changes since commit 9abcb18014020804738dfc7d278d7097679f4d19:

  classes/create-spdx-2.2: Fix SPDX Namespace Prefix (2024-06-28 06:28:58 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Antonin Godard (1):
  devtool: ide-sdk: correct help typo

Archana Polampalli (1):
  gstreamer: upgrade 1.22.11 -> 1.22.12

Bruce Ashfield (3):
  linux-yocto/6.6: update to v6.6.34
  linux-yocto/6.6: update to v6.6.35
  linux-yocto/6.6: fix AMD boot trace

Deepthi Hemraj (1):
  llvm: Fix CVE-2024-0151

Guðni Már Gilbert (4):
  python3-requests: cleanup RDEPENDS
  python3-setuptools: drop python3-2to3 from RDEPENDS
  python3-bcrypt: drop python3-six from RDEPENDS
  python3-pyopenssl: drop python3-six from RDEPENDS

Hitendra Prajapati (1):
  QEMU: Fix CVE-2024-3446 & CVE-2024-3567

Jose Quaresma (1):
  openssh: fix CVE-2024-6387

Khem Raj (1):
  pcmanfm: Disable incompatible-pointer-types warning as error

Martin Jansa (1):
  rng-tools: ignore incompatible-pointer-types errors for now

Mingli Yu (1):
  ruby: Fix CVE-2023-36617

Richard Purdie (3):
  python3-jinja2: Upgrade 3.1.3 -> 3.1.4
  oeqa/selftest/recipetool: Fix for usrmerge in DISTRO_FEATURES
  oeqa/selftest/devtool: Fix for usrmerge in DISTRO_FEATURES

Ross Burton (1):
  curl: locale-base-en-us isn't glibc-specific

Siddharth Doshi (1):
  OpenSSL: Security fix for CVE-2024-5535

Yi Zhao (1):
  libpam: fix runtime error in pam_pwhistory moudle

 meta/lib/oeqa/selftest/cases/devtool.py       |    2 +
 meta/lib/oeqa/selftest/cases/recipetool.py    |   16 +-
 .../openssh/openssh/CVE-2024-6387.patch       |   27 +
 .../openssh/openssh_9.6p1.bb                  |    1 +
 .../openssl/openssl/CVE-2024-5535_1.patch     |  113 ++
 .../openssl/openssl/CVE-2024-5535_10.patch    |  203 +++
 .../openssl/openssl/CVE-2024-5535_2.patch     |   43 +
 .../openssl/openssl/CVE-2024-5535_3.patch     |   38 +
 .../openssl/openssl/CVE-2024-5535_4.patch     |   82 ++
 .../openssl/openssl/CVE-2024-5535_5.patch     |  176 +++
 .../openssl/openssl/CVE-2024-5535_6.patch     | 1173 +++++++++++++++++
 .../openssl/openssl/CVE-2024-5535_7.patch     |   43 +
 .../openssl/openssl/CVE-2024-5535_8.patch     |   66 +
 .../openssl/openssl/CVE-2024-5535_9.patch     |  271 ++++
 .../openssl/openssl_3.2.2.bb                  |   10 +
 .../llvm/0002-llvm-Fix-CVE-2024-0151.patch    | 1086 +++++++++++++++
 meta/recipes-devtools/llvm/llvm_18.1.5.bb     |    1 +
 .../python/python3-bcrypt_4.1.2.bb            |    1 -
 ...inja2_3.1.3.bb => python3-jinja2_3.1.4.bb} |    8 +-
 .../python/python3-pyopenssl_24.0.0.bb        |    1 -
 .../python/python3-requests_2.31.0.bb         |    6 +-
 .../python/python3-setuptools_69.1.1.bb       |    1 -
 meta/recipes-devtools/qemu/qemu.inc           |    5 +
 .../qemu/qemu/CVE-2024-3446-01.patch          |   73 +
 .../qemu/qemu/CVE-2024-3446-02.patch          |   48 +
 .../qemu/qemu/CVE-2024-3446-03.patch          |   47 +
 .../qemu/qemu/CVE-2024-3446-04.patch          |   52 +
 .../qemu/qemu/CVE-2024-3567.patch             |   48 +
 .../ruby/ruby/CVE-2023-36617_1.patch          |   56 +
 .../ruby/ruby/CVE-2023-36617_2.patch          |   52 +
 meta/recipes-devtools/ruby/ruby_3.2.2.bb      |    2 +
 ...x-passing-NULL-filename-argument-to-.patch |   69 +
 meta/recipes-extended/pam/libpam_1.5.3.bb     |    1 +
 .../linux/linux-yocto-rt_6.6.bb               |    6 +-
 .../linux/linux-yocto-tiny_6.6.bb             |    6 +-
 meta/recipes-kernel/linux/linux-yocto_6.6.bb  |   28 +-
 ...ols_1.22.11.bb => gst-devtools_1.22.12.bb} |    2 +-
 ...22.11.bb => gstreamer1.0-libav_1.22.12.bb} |    2 +-
 ...1.22.11.bb => gstreamer1.0-omx_1.22.12.bb} |    2 +-
 ...bb => gstreamer1.0-plugins-bad_1.22.12.bb} |    2 +-
 ...b => gstreamer1.0-plugins-base_1.22.12.bb} |    2 +-
 ...b => gstreamer1.0-plugins-good_1.22.12.bb} |    2 +-
 ...b => gstreamer1.0-plugins-ugly_1.22.12.bb} |    2 +-
 ...2.11.bb => gstreamer1.0-python_1.22.12.bb} |    2 +-
 ...bb => gstreamer1.0-rtsp-server_1.22.12.bb} |    2 +-
 ...22.11.bb => gstreamer1.0-vaapi_1.22.12.bb} |    2 +-
 ...1.0_1.22.11.bb => gstreamer1.0_1.22.12.bb} |    2 +-
 meta/recipes-sato/pcmanfm/pcmanfm_1.3.2.bb    |    2 +
 meta/recipes-support/curl/curl_8.7.1.bb       |    2 +-
 .../rng-tools/rng-tools_6.16.bb               |    4 +
 scripts/lib/devtool/ide_sdk.py                |    2 +-
 51 files changed, 3844 insertions(+), 49 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_10.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch
 create mode 100644 meta/recipes-devtools/llvm/llvm/0002-llvm-Fix-CVE-2024-0151.patch
 rename meta/recipes-devtools/python/{python3-jinja2_3.1.3.bb => python3-jinja2_3.1.4.bb} (79%)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-01.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-02.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-03.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3446-04.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-3567.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-36617_1.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-36617_2.patch
 create mode 100644 meta/recipes-extended/pam/libpam/0001-pam_pwhistory-fix-passing-NULL-filename-argument-to-.patch
 rename meta/recipes-multimedia/gstreamer/{gst-devtools_1.22.11.bb => gst-devtools_1.22.12.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-libav_1.22.11.bb => gstreamer1.0-libav_1.22.12.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-omx_1.22.11.bb => gstreamer1.0-omx_1.22.12.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-bad_1.22.11.bb => gstreamer1.0-plugins-bad_1.22.12.bb} (98%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-base_1.22.11.bb => gstreamer1.0-plugins-base_1.22.12.bb} (98%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-good_1.22.11.bb => gstreamer1.0-plugins-good_1.22.12.bb} (97%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-plugins-ugly_1.22.11.bb => gstreamer1.0-plugins-ugly_1.22.12.bb} (94%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-python_1.22.11.bb => gstreamer1.0-python_1.22.12.bb} (91%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-rtsp-server_1.22.11.bb => gstreamer1.0-rtsp-server_1.22.12.bb} (90%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0-vaapi_1.22.11.bb => gstreamer1.0-vaapi_1.22.12.bb} (95%)
 rename meta/recipes-multimedia/gstreamer/{gstreamer1.0_1.22.11.bb => gstreamer1.0_1.22.12.bb} (97%)

-- 
2.34.1

[OE-core][scarthgap 00/21] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, November 25

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2755

The following changes since commit 471adaa5f77fa3b974eab60a2ded48e360042828:

  build-appliance-image: Update to scarthgap head revision (2025-11-17 17:00:25 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Alexander Kanavin (1):
  goarch.bbclass: do not leak TUNE_FEATURES into crosssdk task
    signatures

Gyorgy Sarvari (2):
  musl: patch CVE-2025-26519
  glslang: fix compiling with gcc15

Hongxu Jia (1):
  spdx30: Provide software_packageUrl field in SPDX 3.0 SBOM

Hugo SIMELIERE (1):
  sqlite3: patch CVE-2025-7709

Osama Abdelkader (3):
  go: add sdk test
  go: extend runtime test
  go: remove duplicate arch map in sdk test

Ovidiu Panait (1):
  rust-target-config: fix nativesdk-libstd-rs build with baremetal

Peter Marko (4):
  spdx30: fix cve status for patch files in VEX
  oeqa: fix package detection in go sdk tests
  oeqa: drop unnecessary dependency from go runtime tests
  oeqa/sdk/buildepoxy: skip test in eSDK

Ross Burton (5):
  xserver-xorg: remove redundant patch
  xserver-xorg: fix CVE-2025-62229 CVE-2025-62230 CVE-2025-62231
  testsdk: allow user to specify which tests to run
  oe/sdk: fix empty SDK manifests
  lib/oe/go: document map_arch, and raise an error on unknown
    architecture

Yogita Urade (3):
  xwayland: fix CVE-2025-62229
  xwayland: fix CVE-2025-62230
  xwayland: fix CVE-2025-62231

 meta/classes-recipe/goarch.bbclass            |   3 +
 .../classes-recipe/rust-target-config.bbclass |   3 +-
 meta/classes-recipe/testsdk.bbclass           |   3 +
 meta/classes/create-spdx-3.0.bbclass          |   5 +
 meta/lib/oe/go.py                             |   6 +-
 meta/lib/oe/sdk.py                            |   3 +-
 meta/lib/oe/spdx30_tasks.py                   |  16 ++-
 meta/lib/oeqa/files/test.go                   |   7 ++
 meta/lib/oeqa/runtime/cases/go.py             |  66 +++++++++++
 meta/lib/oeqa/sdk/cases/buildepoxy.py         |   4 +
 meta/lib/oeqa/sdk/cases/go.py                 | 107 ++++++++++++++++++
 meta/lib/oeqa/sdk/testsdk.py                  |   3 +-
 meta/lib/oeqa/sdkext/testsdk.py               |   3 +-
 .../musl/musl/CVE-2025-26519-1.patch          |  39 +++++++
 .../musl/musl/CVE-2025-26519-2.patch          |  38 +++++++
 meta/recipes-core/musl/musl_git.bb            |   4 +-
 ...uilder.h-add-missing-cstdint-include.patch |  30 +++++
 .../glslang/glslang_1.3.275.0.bb              |   1 +
 ...-duplicate-definitions-of-IOPortBase.patch |  28 -----
 ...after-free-in-present_create_notifie.patch |  91 +++++++++++++++
 ...ke-the-RT_XKBCLIENT-resource-private.patch |  63 +++++++++++
 ...KB-resource-when-freeing-XkbInterest.patch |  92 +++++++++++++++
 ...-Prevent-overflow-in-XkbSetCompatMap.patch |  53 +++++++++
 .../xorg-xserver/xserver-xorg_21.1.18.bb      |   7 +-
 .../xwayland/xwayland/CVE-2025-62229.patch    |  89 +++++++++++++++
 .../xwayland/CVE-2025-62230-0001.patch        |  60 ++++++++++
 .../xwayland/CVE-2025-62230-0002.patch        |  89 +++++++++++++++
 .../xwayland/xwayland/CVE-2025-62231.patch    |  50 ++++++++
 .../xwayland/xwayland_23.2.5.bb               |   4 +
 .../sqlite/sqlite3/CVE-2025-7709.patch        |  33 ++++++
 meta/recipes-support/sqlite/sqlite3_3.45.3.bb |   1 +
 31 files changed, 964 insertions(+), 37 deletions(-)
 create mode 100644 meta/lib/oeqa/files/test.go
 create mode 100644 meta/lib/oeqa/sdk/cases/go.py
 create mode 100644 meta/recipes-core/musl/musl/CVE-2025-26519-1.patch
 create mode 100644 meta/recipes-core/musl/musl/CVE-2025-26519-2.patch
 create mode 100644 meta/recipes-graphics/glslang/glslang/0001-SPIRV-SpvBuilder.h-add-missing-cstdint-include.patch
 delete mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-Avoid-duplicate-definitions-of-IOPortBase.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-present-Fix-use-after-free-in-present_create_notifie.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0002-xkb-Make-the-RT_XKBCLIENT-resource-private.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0003-xkb-Free-the-XKB-resource-when-freeing-XkbInterest.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0004-xkb-Prevent-overflow-in-XkbSetCompatMap.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-0001.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-0002.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch
 create mode 100644 meta/recipes-support/sqlite/sqlite3/CVE-2025-7709.patch

-- 
2.43.0