* [OE-core][scarthgap 00/11] Patch review
@ 2024-09-16 2:19 Steve Sakoman
0 siblings, 0 replies; 33+ messages in thread
From: Steve Sakoman @ 2024-09-16 2:19 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, September 17
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7330
The following changes since commit 7e11701698a9f38a5e3e0499c0c2edd98d32a85d:
mc: fix source URL (2024-09-03 06:59:38 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Michael Halstead (1):
yocto-uninative: Update to 4.6 for glibc 2.40
Niko Mauno (7):
iw: Fix LICENSE
dejagnu: Fix LICENSE
unzip: Fix LICENSE
zip: Fix LICENSE
tiff: Fix LICENSE
gcr: Fix LICENSE
python3-maturin: Fix cross compilation issue for armv7l, mips64, ppc
Richard Purdie (2):
expat: 2.6.2 -> 2.6.3
ruby: Make docs generation deterministic
Siddharth Doshi (1):
vim: Upgrade 9.1.0682 -> 9.1.0698
meta/conf/distro/include/yocto-uninative.inc | 10 +-
meta/recipes-connectivity/iw/iw_6.7.bb | 2 +-
.../expat/{expat_2.6.2.bb => expat_2.6.3.bb} | 2 +-
.../recipes-devtools/dejagnu/dejagnu_1.6.3.bb | 2 +-
...n-architecture-name-resolvation-code.patch | 107 ++++++++++++++++++
...ation-issue-with-linux-armv7l-archit.patch | 76 +++++++++++++
...n-ABI-name-resolvation-code-as-helpe.patch | 98 ++++++++++++++++
...ation-issue-with-linux-ppc-architect.patch | 68 +++++++++++
...ation-issue-with-linux-mips64-archit.patch | 82 ++++++++++++++
.../python/python3-maturin_1.4.0.bb | 7 ++
meta/recipes-devtools/ruby/ruby_3.2.2.bb | 1 +
meta/recipes-extended/unzip/unzip_6.0.bb | 2 +-
meta/recipes-extended/zip/zip_3.0.bb | 2 +-
meta/recipes-gnome/gcr/gcr_4.2.1.bb | 2 +-
meta/recipes-multimedia/libtiff/tiff_4.6.0.bb | 2 +-
meta/recipes-support/vim/vim.inc | 4 +-
16 files changed, 453 insertions(+), 14 deletions(-)
rename meta/recipes-core/expat/{expat_2.6.2.bb => expat_2.6.3.bb} (92%)
create mode 100644 meta/recipes-devtools/python/python3-maturin/0001-Extract-extension-architecture-name-resolvation-code.patch
create mode 100644 meta/recipes-devtools/python/python3-maturin/0002-Fix-cross-compilation-issue-with-linux-armv7l-archit.patch
create mode 100644 meta/recipes-devtools/python/python3-maturin/0003-Extract-extension-ABI-name-resolvation-code-as-helpe.patch
create mode 100644 meta/recipes-devtools/python/python3-maturin/0004-Fix-cross-compilation-issue-with-linux-ppc-architect.patch
create mode 100644 meta/recipes-devtools/python/python3-maturin/0005-Fix-cross-compilation-issue-with-linux-mips64-archit.patch
--
2.34.1
* [OE-core][scarthgap 00/11] Patch review
@ 2024-10-25 18:29 Steve Sakoman
0 siblings, 0 replies; 33+ messages in thread
From: Steve Sakoman @ 2024-10-25 18:29 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, October 29
Passed a-full on autobuilder:
https://valkyrie.yoctoproject.org/#/builders/29/builds/332
The following changes since commit a1b28a88bc7697371ab166b18587b615d6d39c8e:
image.bbclass: Drop support for ImageQAFailed exceptions in image_qa (2024-10-16 06:21:24 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Anuj Mittal (1):
sqlite3: upgrade 3.45.1 -> 3.45.3
Bruce Ashfield (2):
linux-yocto/6.6: update to v6.6.52
linux-yocto/6.6: update to v6.6.54
Jiaying Song (1):
liba52: fix do_fetch error
Jonas Gorski (1):
rootfs-postcommands.bbclass: make opkg status reproducible
Peter Marko (1):
openssl: patch CVE-2024-9143
Rohini Sangam (1):
vim: Upgrade 9.1.0698 -> 9.1.0764
Ross Burton (1):
icu: update patch Upstream-Status
Sergei Zhmylev (1):
lsb-release: fix Distro Codename shell escaping
Shunsuke Tokumoto (1):
python3-setuptools: Add "python:setuptools" to CVE_PRODUCT
aszh07 (1):
ffmpeg: Add "libswresample libavcodec" to CVE_PRODUCT
.../rootfs-postcommands.bbclass | 4 +
.../openssl/openssl/CVE-2024-9143.patch | 202 ++++++++++++++++++
.../openssl/openssl_3.2.3.bb | 1 +
.../python/python3-setuptools_69.1.1.bb | 2 +
meta/recipes-extended/lsb/lsb-release_1.4.bb | 2 +-
.../linux/linux-yocto-rt_6.6.bb | 6 +-
.../linux/linux-yocto-tiny_6.6.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +--
.../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb | 2 +
.../recipes-multimedia/liba52/liba52_0.7.4.bb | 2 +-
.../icu/icu/fix-install-manx.patch | 4 +-
.../{sqlite3_3.45.1.bb => sqlite3_3.45.3.bb} | 2 +-
meta/recipes-support/vim/vim.inc | 4 +-
13 files changed, 237 insertions(+), 28 deletions(-)
create mode 100755 meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
rename meta/recipes-support/sqlite/{sqlite3_3.45.1.bb => sqlite3_3.45.3.bb} (69%)
--
2.34.1
* [OE-core][scarthgap 00/11] Patch review
@ 2025-05-28 14:43 Steve Sakoman
0 siblings, 0 replies; 33+ messages in thread
From: Steve Sakoman @ 2025-05-28 14:43 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Friday, May 30
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1672
The following changes since commit 29d920f4c2249df7a69f00100924b4525e03c0d9:
libatomic-ops: Update GITHUB_BASE_URI (2025-05-20 08:59:39 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Ashish Sharma (1):
libsoup: patch CVE-2025-4476
Divya Chellam (1):
ruby: fix CVE-2025-27221
Divyanshu Rathore (1):
ffmpeg: upgrade 6.1.1 -> 6.1.2
Harish Sadineni (2):
binutils: Fix CVE-2025-1179
binutils: set CVE_STATUS for CVE-2025-1180
Rogerio Guerra Borin (1):
u-boot: ensure keys are generated before assembling U-Boot FIT image
Vijay Anusuri (4):
libsoup-2.4: Fix CVE-2025-32910
libsoup-2.4: Fix CVE-2025-32911 & CVE-2025-32913
libsoup-2.4: Fix CVE-2025-32912
libsoup-2.4: Fix CVE-2025-32914
Virendra Thakur (1):
util-linux: Add fix to isolate test fstab entries using CUSTOM_FSTAB
meta/classes-recipe/uboot-sign.bbclass | 2 +
meta/recipes-core/util-linux/util-linux.inc | 1 +
.../util-linux/fstab-isolation.patch | 448 +++++++
.../binutils/binutils-2.42.inc | 3 +
.../binutils/binutils/CVE-2025-1179-pre.patch | 1086 +++++++++++++++++
.../binutils/binutils/CVE-2025-1179.patch | 269 ++++
.../ruby/ruby/CVE-2025-27221-0001.patch | 57 +
.../ruby/ruby/CVE-2025-27221-0002.patch | 73 ++
meta/recipes-devtools/ruby/ruby_3.3.5.bb | 2 +
.../ffmpeg/ffmpeg/CVE-2024-32230.patch | 36 -
.../ffmpeg/ffmpeg/CVE-2024-35366.patch | 35 -
.../ffmpeg/ffmpeg/CVE-2024-36613.patch | 37 -
.../ffmpeg/ffmpeg/CVE-2024-36616.patch | 35 -
.../ffmpeg/ffmpeg/CVE-2024-36617.patch | 36 -
.../ffmpeg/ffmpeg/CVE-2024-36619.patch | 36 -
.../ffmpeg/ffmpeg/CVE-2024-7055.patch | 38 -
.../ffmpeg/ffmpeg/vulkan_av1_stable_API.patch | 40 +-
.../{ffmpeg_6.1.1.bb => ffmpeg_6.1.2.bb} | 9 +-
.../libsoup-2.4/CVE-2025-32910-1.patch | 97 ++
.../libsoup-2.4/CVE-2025-32910-2.patch | 148 +++
.../libsoup-2.4/CVE-2025-32910-3.patch | 26 +
.../CVE-2025-32911_CVE-2025-32913-1.patch | 72 ++
.../CVE-2025-32911_CVE-2025-32913-2.patch | 44 +
.../libsoup-2.4/CVE-2025-32912-1.patch | 41 +
.../libsoup-2.4/CVE-2025-32912-2.patch | 30 +
.../libsoup/libsoup-2.4/CVE-2025-32914.patch | 137 +++
.../libsoup/libsoup-2.4_2.74.3.bb | 8 +
.../libsoup/libsoup-3.4.4/CVE-2025-4476.patch | 38 +
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 +
29 files changed, 2604 insertions(+), 281 deletions(-)
create mode 100644 meta/recipes-core/util-linux/util-linux/fstab-isolation.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1179-pre.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1179.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-32230.patch
delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch
delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch
delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch
delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch
delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-7055.patch
rename meta/recipes-multimedia/ffmpeg/{ffmpeg_6.1.1.bb => ffmpeg_6.1.2.bb} (96%)
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4476.patch
--
2.43.0
* [OE-core][scarthgap 00/11] Patch review
@ 2025-07-04 15:10 Steve Sakoman
0 siblings, 0 replies; 33+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:10 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, July 8
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1948
The following changes since commit 175cd54fd57266d7dea07121861a4f15be00a882:
tcf-agent: correct the SRC_URI (2025-07-03 09:01:28 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Archana Polampalli (6):
xwayland: fix CVE-2025-49175
xwayland: fix CVE-2025-49176
xwayland: fix CVE-2025-49177
xwayland: fix CVE-2025-49178
xwayland: fix CVE-2025-49179
xwayland: fix CVE-2025-49180
Divya Chellam (5):
libarchive: fix CVE-2025-5914
libarchive: fix CVE-2025-5915
libarchive: fix CVE-2025-5916
libarchive: fix CVE-2025-5917
libarchive: fix CVE-2025-5918
.../libarchive/libarchive/CVE-2025-5914.patch | 48 +++
.../libarchive/libarchive/CVE-2025-5915.patch | 217 ++++++++++++
.../libarchive/libarchive/CVE-2025-5916.patch | 116 +++++++
.../libarchive/libarchive/CVE-2025-5917.patch | 54 +++
.../libarchive/CVE-2025-5918-0001.patch | 326 ++++++++++++++++++
.../libarchive/CVE-2025-5918-0002.patch | 222 ++++++++++++
.../libarchive/libarchive_3.7.9.bb | 6 +
.../xwayland/xwayland/CVE-2025-49175.patch | 92 +++++
.../xwayland/CVE-2025-49176-0001.patch | 93 +++++
.../xwayland/CVE-2025-49176-0002.patch | 38 ++
.../xwayland/xwayland/CVE-2025-49177.patch | 55 +++
.../xwayland/xwayland/CVE-2025-49178.patch | 50 +++
.../xwayland/xwayland/CVE-2025-49179.patch | 69 ++++
.../xwayland/xwayland/CVE-2025-49180.patch | 45 +++
.../xwayland/xwayland_23.2.5.bb | 7 +
15 files changed, 1438 insertions(+)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0001.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0002.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
--
2.43.0
* [OE-core][scarthgap 00/11] Patch review
@ 2025-07-30 21:28 Steve Sakoman
0 siblings, 0 replies; 33+ messages in thread
From: Steve Sakoman @ 2025-07-30 21:28 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Friday, August 1
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2114
The following changes since commit c374e6cfcdd2c8ba17d82ffcfdeb97d21144e2bf:
mtools: upgrade 4.0.48 -> 4.0.49 (2025-07-25 06:13:34 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 5.0.11
Fabio Berton (1):
linux-libc-headers: Fix invalid conversion in cn_proc.h
Peter Marko (9):
gnutls: patch CVE-2025-32989
gnutls: patch read buffer overrun in the "pre_shared_key" extension
gnutls: patch reject zero-length version in certificate request
gnutls: patch CVE-2025-32988
gnutls: patch CVE-2025-32990
gnutls: patch CVE-2025-6395
ncurses: patch CVE-2025-6141
libxml2: patch CVE-2025-6170
glibc: fix CVE-2025-8058
meta/recipes-core/glibc/glibc-version.inc | 2 +-
meta/recipes-core/glibc/glibc_2.39.bb | 2 +-
.../libxml/libxml2/CVE-2025-6170.patch | 103 +
meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 +
.../ncurses/files/CVE-2025-6141.patch | 25 +
meta/recipes-core/ncurses/ncurses_6.4.bb | 1 +
...-Fix-invalid-conversion-in-cn_proc.h.patch | 40 +
.../linux-libc-headers_6.6.bb | 1 +
...fer-overrun-in-the-pre_shared_key-ex.patch | 34 +
...-length-version-in-certificate-reque.patch | 37 +
.../04939b75417cc95b7372c6f208c4bda4579bdc34 | Bin 0 -> 1782 bytes
.../3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2 | Bin 0 -> 830 bytes
.../5477db1bb507a35e8833c758ce344f4b5b246d8e | Bin 0 -> 111 bytes
.../gnutls/gnutls/CVE-2025-32988.patch | 58 +
.../gnutls/gnutls/CVE-2025-32989.patch | 50 +
.../gnutls/gnutls/CVE-2025-32990.patch | 2109 +++++++++++++++++
.../gnutls/gnutls/CVE-2025-6395.patch | 299 +++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 15 +
scripts/install-buildtools | 4 +-
19 files changed, 2777 insertions(+), 4 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch
create mode 100644 meta/recipes-core/ncurses/files/CVE-2025-6141.patch
create mode 100644 meta/recipes-kernel/linux-libc-headers/linux-libc-headers/0001-connector-Fix-invalid-conversion-in-cn_proc.h.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/04939b75417cc95b7372c6f208c4bda4579bdc34
create mode 100644 meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2
create mode 100644 meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32989.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32990.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-6395.patch
--
2.43.0
* [OE-core][scarthgap 00/11] Patch review
@ 2025-09-25 13:40 Steve Sakoman
0 siblings, 0 replies; 33+ messages in thread
From: Steve Sakoman @ 2025-09-25 13:40 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Monday, September 29
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2436
The following changes since commit 4cf131ebd157b79226533b5a5074691dd0e1a4ab:
buildtools-tarball: fix unbound variable issues under 'set -u' (2025-09-17 09:32:52 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Adrian Freihofer (2):
llvm: update from 18.1.6 to 18.1.8
llvm: fix build with gcc-15
AshishKumar Mishra (2):
systemd: backport fix for handle USE_NLS from master
p11-kit: backport fix for handle USE_NLS from master
Chris Laplante (1):
util-linux: use ${B} instead of ${WORKDIR}/build, to fix building
under devtool
Martin Jansa (2):
sanity.conf: Update minimum bitbake version to 2.8.1
lib/oe/utils: use multiprocessing from bb
Nitin Wankhade (1):
examples: genl: fix wrong attribute size
Philip Lorenz (1):
shared-mime-info: Handle USE_NLS
Ross Burton (1):
libxslt: apply patch for CVE-2025-7424
Yogita Urade (1):
curl: fix CVE-2025-9086
meta/conf/sanity.conf | 2 +-
meta/lib/oe/utils.py | 3 +-
meta/recipes-core/systemd/systemd_255.21.bb | 1 +
.../util-linux/util-linux_2.39.3.bb | 2 +-
...36-Add-cstdint-to-SmallVector-101761.patch | 28 +++++
...cstdint-in-AMDGPUMCTargetDesc-101766.patch | 23 ++++
...-include-to-X86MCTargetDesc.h-123320.patch | 32 ++++++
.../llvm/{llvm_18.1.6.bb => llvm_18.1.8.bb} | 5 +-
...amples-genl-fix-wrong-attribute-size.patch | 44 ++++++++
meta/recipes-extended/libmnl/libmnl_1.0.5.bb | 5 +-
.../curl/curl/CVE-2025-9086.patch | 55 ++++++++++
meta/recipes-support/curl/curl_8.7.1.bb | 1 +
.../gnome-libxslt-bug-139-apple-fix.diff | 103 ++++++++++++++++++
.../recipes-support/libxslt/libxslt_1.1.43.bb | 3 +-
.../recipes-support/p11-kit/p11-kit_0.25.3.bb | 1 +
.../shared-mime-info/shared-mime-info_2.4.bb | 5 +-
16 files changed, 306 insertions(+), 7 deletions(-)
create mode 100644 meta/recipes-devtools/llvm/llvm/0036-Add-cstdint-to-SmallVector-101761.patch
create mode 100644 meta/recipes-devtools/llvm/llvm/0037-Include-cstdint-in-AMDGPUMCTargetDesc-101766.patch
create mode 100644 meta/recipes-devtools/llvm/llvm/0038-Add-missing-include-to-X86MCTargetDesc.h-123320.patch
rename meta/recipes-devtools/llvm/{llvm_18.1.6.bb => llvm_18.1.8.bb} (94%)
create mode 100644 meta/recipes-extended/libmnl/files/0001-examples-genl-fix-wrong-attribute-size.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2025-9086.patch
create mode 100644 meta/recipes-support/libxslt/files/gnome-libxslt-bug-139-apple-fix.diff
--
2.43.0
* [OE-core][scarthgap 00/11] Patch review
@ 2026-03-07 22:52 Yoann Congal
2026-03-09 8:18 ` Paul Barker
0 siblings, 1 reply; 33+ messages in thread
From: Yoann Congal @ 2026-03-07 22:52 UTC (permalink / raw)
To: openembedded-core
Note: this series contains a major OpenSSL upgrade (agreed by YP TSC).
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, March 10.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3349
(Ignore the warning about Centos Stream9, its support is a work in progress for scarthgap)
I also did a full meta-oe build (to check for build failure with the
OpenSSL upgrade)
https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1342
(the warnings are unrelated to this series)
The following changes since commit a9a785d7fa0cfe2a9087dbcde0ef9f0d2a441375:
build-appliance-image: Update to scarthgap head revision (2026-02-27 17:45:15 +0000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
for you to fetch changes up to fd8a140eb0742bbc12a23e36c9d24378bc0f462d:
busybox: Fixes CVE-2025-60876 (2026-03-06 23:58:42 +0100)
----------------------------------------------------------------
Hugo SIMELIERE (2):
zlib: Fix CVE-2026-27171
harfbuzz: Fix CVE-2026-22693
Livin Sunny (1):
busybox: Fixes CVE-2025-60876
Paul Barker (1):
create-pull-request: Keep commit hash to be pulled in cover email
Peter Marko (3):
ffmpeg: set status for CVE-2025-10256
ffmpeg: set status for CVE-2025-12343
openssl: upgrade 3.2.6 -> 3.5.5
Shaik Moin (1):
gdk-pixbuf: Fix CVE-2025-6199
Tom Hochstein (1):
uboot-config: Fix devtool modify
Yoann Congal (2):
scripts/install-buildtools: Update to 5.0.16
README: Add scarthgap subject-prefix to git-send-email suggestion
README.OE-Core.md | 2 +-
meta/classes-recipe/uboot-config.bbclass | 2 +-
.../openssl/files/environment.d-openssl.sh | 9 ++-
...ke-history-reporting-when-test-fails.patch | 32 ++++----
...1-Configure-do-not-tweak-mips-cflags.patch | 4 +-
...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
.../0001-extend-check_cwm-test-timeout.patch | 32 ++++++++
.../openssl/openssl/CVE-2024-41996.patch | 44 -----------
.../openssl/openssl/CVE-2025-15468.patch | 39 ----------
.../openssl/openssl/CVE-2025-69419.patch | 61 ---------------
.../{openssl_3.2.6.bb => openssl_3.5.5.bb} | 75 ++++++++++++-------
.../busybox/busybox/CVE-2025-60876.patch | 42 +++++++++++
meta/recipes-core/busybox/busybox_1.36.1.bb | 1 +
.../zlib/zlib/CVE-2026-27171.patch | 63 ++++++++++++++++
meta/recipes-core/zlib/zlib_1.3.1.bb | 1 +
.../gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch | 36 +++++++++
.../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 +
.../harfbuzz/files/CVE-2026-22693.patch | 33 ++++++++
.../harfbuzz/harfbuzz_8.3.0.bb | 4 +-
.../recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb | 2 +-
scripts/create-pull-request | 2 +-
scripts/install-buildtools | 4 +-
22 files changed, 305 insertions(+), 210 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15468.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch
rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => openssl_3.5.5.bb} (76%)
create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-60876.patch
create mode 100644 meta/recipes-core/zlib/zlib/CVE-2026-27171.patch
create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch
create mode 100644 meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch
* Re: [OE-core][scarthgap 00/11] Patch review
2026-03-07 22:52 Yoann Congal
@ 2026-03-09 8:18 ` Paul Barker
0 siblings, 0 replies; 33+ messages in thread
From: Paul Barker @ 2026-03-09 8:18 UTC (permalink / raw)
To: yoann.congal, openembedded-core
On Sat, 2026-03-07 at 23:52 +0100, Yoann Congal via
lists.openembedded.org wrote:
> Note: this series contains a major OpenSSL upgrade (agreed by YP TSC).
>
> Please review this set of changes for scarthgap and have comments back by
> end of day Tuesday, March 10.
>
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3349
> (Ignore the warning about Centos Stream9, its support is a work in progress for scarthgap)
>
> I also did a full meta-oe build (to check for build failure with the
> OpenSSL upgrade)
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1342
> (the warnings are unrelated to this series)
>
> The following changes since commit a9a785d7fa0cfe2a9087dbcde0ef9f0d2a441375:
>
> build-appliance-image: Update to scarthgap head revision (2026-02-27 17:45:15 +0000)
>
> are available in the Git repository at:
>
> https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
>
> for you to fetch changes up to fd8a140eb0742bbc12a23e36c9d24378bc0f462d:
>
> busybox: Fixes CVE-2025-60876 (2026-03-06 23:58:42 +0100)
>
> ----------------------------------------------------------------
>
> Hugo SIMELIERE (2):
> zlib: Fix CVE-2026-27171
> harfbuzz: Fix CVE-2026-22693
>
> Livin Sunny (1):
> busybox: Fixes CVE-2025-60876
>
> Paul Barker (1):
> create-pull-request: Keep commit hash to be pulled in cover email
>
> Peter Marko (3):
> ffmpeg: set status for CVE-2025-10256
> ffmpeg: set status for CVE-2025-12343
> openssl: upgrade 3.2.6 -> 3.5.5
>
> Shaik Moin (1):
> gdk-pixbuf: Fix CVE-2025-6199
>
> Tom Hochstein (1):
> uboot-config: Fix devtool modify
>
> Yoann Congal (2):
> scripts/install-buildtools: Update to 5.0.16
> README: Add scarthgap subject-prefix to git-send-email suggestion
Hi Yoann,
We need to make sure that the openssl update is clearly announced in the
weekly status and the release notes for 5.0.17. Otherwise, all LGTM!
Best regards,
--
Paul Barker
* [OE-core][scarthgap 00/11] Patch review
@ 2026-03-29 22:46 Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 01/11] tzdata,tzcode-native: Upgrade 2025b -> 2025c Yoann Congal
` (12 more replies)
0 siblings, 13 replies; 33+ messages in thread
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, March 31.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551
[0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t
The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:
Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:
python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)
----------------------------------------------------------------
João Marcos Costa (Schneider Electric) (1):
spdx: add option to include only compiled sources
Martin Jansa (3):
dtc: backport fix for build with glibc-2.43
elfutils: don't add -Werror to avoid discarded-qualifiers
binutils: backport patch to fix build with glibc-2.43 on host
Michael Halstead (2):
yocto-uninative: Update to 5.0 for needed patchelf updates
yocto-uninative: Update to 5.1 for glibc 2.43
Nguyen Dat Tho (1):
python3-cryptography: Fix CVE-2026-26007
Paul Barker (1):
tzdata,tzcode-native: Upgrade 2025b -> 2025c
Richard Purdie (1):
pseudo: Add fix for glibc 2.43
Vijay Anusuri (2):
python3-pyopenssl: Fix CVE-2026-27448
python3-pyopenssl: Fix CVE-2026-27459
meta/classes/spdx-common.bbclass | 3 +
meta/conf/distro/include/yocto-uninative.inc | 10 +-
meta/lib/oe/spdx30_tasks.py | 12 ++
.../binutils/binutils-2.42.inc | 1 +
...tect-against-standard-library-macros.patch | 31 ++++
.../elfutils/elfutils_0.191.bb | 1 +
...001-config-eu.am-do-not-force-Werror.patch | 34 ++++
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
.../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++
.../python/python3-cryptography_42.0.5.bb | 1 +
.../python3-pyopenssl/CVE-2026-27448.patch | 124 +++++++++++++++
.../python3-pyopenssl/CVE-2026-27459.patch | 109 +++++++++++++
.../python/python3-pyopenssl_24.0.0.bb | 5 +
meta/recipes-extended/timezone/timezone.inc | 6 +-
.../0001-Fix-discarded-const-qualifiers.patch | 85 ++++++++++
meta/recipes-kernel/dtc/dtc_1.7.0.bb | 1 +
16 files changed, 565 insertions(+), 9 deletions(-)
create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
* [OE-core][scarthgap 01/11] tzdata,tzcode-native: Upgrade 2025b -> 2025c
2026-03-29 22:46 [OE-core][scarthgap 00/11] Patch review Yoann Congal
@ 2026-03-29 22:46 ` Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007 Yoann Congal
` (11 subsequent siblings)
12 siblings, 0 replies; 33+ messages in thread
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
From: Paul Barker <paul@pbarker.dev>
This release mostly changes code and commentary. The only changed data
are leap second table expiration and pre-1976 time in Baja California.
Full release notes:
https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/TAGXKYLMAQRZRFTERQ33CEKOW7KRJVAK/
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 452334219309793ad74abd6ff390dcb06cab929b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-extended/timezone/timezone.inc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index f21bedf4fc5..35f22d5a15a 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
LICENSE = "PD & BSD-3-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
-PV = "2025b"
+PV = "2025c"
SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \
http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \
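Review bot: The `PV = "2025c"` bump keeps both `SRC_URI` entries in the context lines fetching the tzcode and tzdata tarballs over plain `http://`, so the only integrity control on the new release is the pair of `sha256sum` values this patch updates. That is acceptable for a stable backport that must match the cherry-picked commit, but a follow-up that moves these two URLs to https would mean the checksums are no longer the sole guard against a tampered download.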
@@ -16,5 +16,5 @@ S = "${WORKDIR}/tz"
UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
-SRC_URI[tzcode.sha256sum] = "05f8fedb3525ee70d49c87d3fae78a8a0dbae4fe87aa565c65cda9948ae135ec"
-SRC_URI[tzdata.sha256sum] = "11810413345fc7805017e27ea9fa4885fd74cd61b2911711ad038f5d28d71474"
+SRC_URI[tzcode.sha256sum] = "697ebe6625444aef5080f58e49d03424bbb52e08bf483d3ddb5acf10cbd15740"
+SRC_URI[tzdata.sha256sum] = "4aa79e4effee53fc4029ffe5f6ebe97937282ebcdf386d5d2da91ce84142f957"
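Review bot: Both `SRC_URI[tzcode.sha256sum]` and `SRC_URI[tzdata.sha256sum]` are replaced here, but the commit message links only the release notes and does not say how the new digests were obtained. Because these values are what the fetcher trusts for an http download, please state in the commit message that they were checked against the upstream release (for example its published signature) rather than computed from a local fetch alone.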
* [OE-core][scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007
2026-03-29 22:46 [OE-core][scarthgap 00/11] Patch review Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 01/11] tzdata,tzcode-native: Upgrade 2025b -> 2025c Yoann Congal
@ 2026-03-29 22:46 ` Yoann Congal
2026-03-29 23:01 ` Patchtest results for " patchtest
2026-03-30 7:58 ` Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 03/11] spdx: add option to include only compiled sources Yoann Congal
` (10 subsequent siblings)
12 siblings, 2 replies; 33+ messages in thread
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
From: Nguyen Dat Tho <tho3.nguyen@lge.com>
CVE-2026-26007 is fixed upstream in version 46.0.5.
Our current version (42.0.5, scarthgap) is still reported as vulnerable
by NVD.
Backport the upstream fix to address this CVE.
Upstream commit:
https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
CVE report:
https://nvd.nist.gov/vuln/detail/CVE-2026-26007
Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++
.../python/python3-cryptography_42.0.5.bb | 1 +
2 files changed, 150 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
new file mode 100644
index 00000000000..a78d287ccdd
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
@@ -0,0 +1,149 @@
+From 42c914929b52eb16421a4ef1f7e09c8f9fdab7db Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Wed, 18 Mar 2026 16:01:03 +0900
+Subject: [PATCH] EC check key on cofactor > 1
+
+An attacker could create a malicious public key that reveals portions of
+your private key when using certain uncommon elliptic curves (binary
+curves). This version now includes additional security checks to
+prevent this attack. This issue only affects binary elliptic curves,
+which are rarely used in real-world applications. Credit to **XlabAI
+Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery
+Engine** for reporting the issue. **CVE-2026-26007**
+
+This is a partial backport of upstream commit
+0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c, to only include what's
+relevant for CVE-2026-26007.
+
+CVE: CVE-2026-26007
+
+Origin: backport, https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
+Reference: https://salsa.debian.org/python-team/packages/python-cryptography/-/commit/464e7ca3b0b4493d5906d0c3685de71fda770c59
+
+Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
+Signed-off-by: Paul Kehrer <paul.l.kehrer@gmail.com>
+Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
+---
+Upstream-Status: Backport [Backport from https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c]
+
+ src/rust/src/backend/ec.rs | 39 ++++++++++++++++++++----------
+ tests/hazmat/primitives/test_ec.py | 37 ++++++++++++++++++++++++++++
+ 2 files changed, 63 insertions(+), 13 deletions(-)
+
+diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs
+index 6a224b49f..27fced086 100644
+--- a/src/rust/src/backend/ec.rs
++++ b/src/rust/src/backend/ec.rs
+@@ -155,12 +155,9 @@ pub(crate) fn public_key_from_pkey(
+ ) -> CryptographyResult<ECPublicKey> {
+ let ec = pkey.ec_key()?;
+ let curve = py_curve_from_curve(py, ec.group())?;
+- check_key_infinity(&ec)?;
+- Ok(ECPublicKey {
+- pkey: pkey.to_owned(),
+- curve: curve.into(),
+- })
++ ECPublicKey::new(pkey.to_owned(), curve.into())
+ }
++
+ #[pyo3::prelude::pyfunction]
+ fn generate_private_key(
+ py: pyo3::Python<'_>,
+@@ -215,10 +212,7 @@ fn from_public_bytes(
+ let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?;
+ let pkey = openssl::pkey::PKey::from_ec_key(ec)?;
+
+- Ok(ECPublicKey {
+- pkey,
+- curve: py_curve.into(),
+- })
++ ECPublicKey::new(pkey, py_curve.into())
+ }
+
+ #[pyo3::prelude::pymethods]
+@@ -357,6 +351,28 @@ impl ECPrivateKey {
+ }
+ }
+
++impl ECPublicKey {
++ fn new(
++ pkey: openssl::pkey::PKey<openssl::pkey::Public>,
++ curve: pyo3::Py<pyo3::PyAny>,
++ ) -> CryptographyResult<ECPublicKey> {
++ let ec = pkey.ec_key()?;
++ check_key_infinity(&ec)?;
++ let mut bn_ctx = openssl::bn::BigNumContext::new()?;
++ let mut cofactor = openssl::bn::BigNum::new()?;
++ ec.group().cofactor(&mut cofactor, &mut bn_ctx)?;
++ let one = openssl::bn::BigNum::from_u32(1)?;
++ if cofactor != one {
++ ec.check_key().map_err(|_| {
++ pyo3::exceptions::PyValueError::new_err(
++ "Invalid EC key (key out of range, infinity, etc.)",
++ )
++ })?;
++ }
++
++ Ok(ECPublicKey { pkey, curve })
++ }
++}
+ #[pyo3::prelude::pymethods]
+ impl ECPublicKey {
+ #[getter]
+@@ -591,10 +607,7 @@ impl EllipticCurvePublicNumbers {
+
+ let pkey = openssl::pkey::PKey::from_ec_key(public_key)?;
+
+- Ok(ECPublicKey {
+- pkey,
+- curve: self.curve.clone_ref(py),
+- })
++ ECPublicKey::new(pkey, self.curve.clone_ref(py))
+ }
+
+ fn __eq__(
+diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
+index 334e76dcc..f7f2242f6 100644
+--- a/tests/hazmat/primitives/test_ec.py
++++ b/tests/hazmat/primitives/test_ec.py
+@@ -1340,3 +1340,40 @@ class TestECDH:
+
+ with pytest.raises(ValueError):
+ key.exchange(ec.ECDH(), public_key)
++
++
++def test_invalid_sect_public_keys(backend):
++ _skip_curve_unsupported(backend, ec.SECT571K1())
++ public_numbers = ec.EllipticCurvePublicNumbers(1, 1, ec.SECT571K1())
++ with pytest.raises(ValueError):
++ public_numbers.public_key()
++
++ point = binascii.unhexlify(
++ b"0400000000000000000000000000000000000000000000000000000000000000000"
++ b"0000000000000000000000000000000000000000000000000000000000000000000"
++ b"0000000000010000000000000000000000000000000000000000000000000000000"
++ b"0000000000000000000000000000000000000000000000000000000000000000000"
++ b"0000000000000000000001"
++ )
++ with pytest.raises(ValueError):
++ ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT571K1(), point)
++
++ der = binascii.unhexlify(
++ b"3081a7301006072a8648ce3d020106052b810400260381920004000000000000000"
++ b"0000000000000000000000000000000000000000000000000000000000000000000"
++ b"0000000000000000000000000000000000000000000000000000000000000100000"
++ b"0000000000000000000000000000000000000000000000000000000000000000000"
++ b"0000000000000000000000000000000000000000000000000000000000000000000"
++ b"00001"
++ )
++ with pytest.raises(ValueError):
++ serialization.load_der_public_key(der)
++
++ pem = textwrap.dedent("""-----BEGIN PUBLIC KEY-----
++ MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++ AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=
++ -----END PUBLIC KEY-----""").encode()
++ with pytest.raises(ValueError):
++ serialization.load_pem_public_key(pem)
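Review bot: the new test_invalid_sect_public_keys in tests/hazmat/primitives/test_ec.py calls binascii.unhexlify, textwrap.dedent and serialization.load_der_public_key / load_pem_public_key, but the test hunk adds no import lines. Please check that test_ec.py in 42.0.5 already imports all three; if it does not, the ptest fails with NameError instead of exercising the fix. In src/rust/src/backend/ec.rs, public_key_from_pkey still calls pkey.ec_key() for the curve lookup and ECPublicKey::new calls it again, which is harmless but redundant. The hunk at -155 also adds a blank line before #[pyo3::prelude::pyfunction], while the new impl ECPublicKey block has none before #[pyo3::prelude::pymethods], so the spacing could be made consistent.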
diff --git a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
index 732f925d926..c4573fa6891 100644
--- a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
@@ -11,6 +11,7 @@ LDSHARED += "-pthread"
SRC_URI[sha256sum] = "6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1"
SRC_URI += "file://0001-pyproject.toml-remove-benchmark-disable-option.patch \
+ file://CVE-2026-26007.patch \
file://check-memfree.py \
file://run-ptest \
"
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [OE-core][scarthgap 03/11] spdx: add option to include only compiled sources
2026-03-29 22:46 [OE-core][scarthgap 00/11] Patch review Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 01/11] tzdata,tzcode-native: Upgrade 2025b -> 2025c Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007 Yoann Congal
@ 2026-03-29 22:46 ` Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43 Yoann Congal
` (9 subsequent siblings)
12 siblings, 0 replies; 33+ messages in thread
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
From: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.
It uses debugsource information generated during do_package.
This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.
As an example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.
(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Adapted to existing files for SPDX3.0
Tested with:
- bitbake world on oe-core
- oe-selftest --run-tests spdx.SPDX30Check
Regarding SPDX2.2, the respective backport was already performed in
OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b
Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/classes/spdx-common.bbclass | 3 +++
meta/lib/oe/spdx30_tasks.py | 12 ++++++++++++
2 files changed, 15 insertions(+)
diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index 713a7fc651e..ca0416d1c7f 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -26,6 +26,7 @@ SPDX_TOOL_VERSION ??= "1.0"
SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
SPDX_INCLUDE_SOURCES ??= "0"
+SPDX_INCLUDE_COMPILED_SOURCES ??= "0"
SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
@@ -40,6 +41,8 @@ SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
python () {
from oe.cve_check import extend_cve_status
extend_cve_status(d)
+ if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
+ d.setVar("SPDX_INCLUDE_SOURCES", "1")
}
def create_spdx_source_deps(d):
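Review bot: in the anonymous python block, SPDX_INCLUDE_COMPILED_SOURCES == "1" overwrites SPDX_INCLUDE_SOURCES with d.setVar(), so a configuration that explicitly sets SPDX_INCLUDE_SOURCES = "0" is silently overridden, and nothing beside the new ??= line documents that. Add a comment next to SPDX_INCLUDE_COMPILED_SOURCES ??= "0" saying that enabling it implies SPDX_INCLUDE_SOURCES, and consider a bb.note when the override changes the existing value.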
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index a8970dcca0f..9c422d17573 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -145,6 +145,8 @@ def add_package_files(
ignore_dirs=[],
ignore_top_level_dirs=[],
):
+ import oe.spdx
+
source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
if source_date_epoch:
source_date_epoch = int(source_date_epoch)
@@ -156,6 +158,11 @@ def add_package_files(
bb.note(f"Skip {topdir}")
return spdx_files
+ check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
+ if check_compiled_sources:
+ compiled_sources, types = oe.spdx.get_compiled_sources(d)
+ bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
+
for subdir, dirs, files in os.walk(topdir, onerror=walk_error):
dirs[:] = [d for d in dirs if d not in ignore_dirs]
if subdir == str(topdir):
@@ -171,6 +178,11 @@ def add_package_files(
filename = str(filepath.relative_to(topdir))
file_purposes = get_purposes(filepath)
+ # Check if file is compiled
+ if check_compiled_sources:
+ if not oe.spdx.is_compiled_source(filename, compiled_sources, types):
+ continue
+
spdx_file = objset.new_file(
get_spdxid(file_counter),
filename,
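Review bot: the compiled-source filter runs after file_purposes = get_purposes(filepath), so every file that is about to be skipped still pays for a purpose lookup. Move the check directly after filename is computed, and fold the two nested ifs into one condition (if check_compiled_sources and not oe.spdx.is_compiled_source(...): continue). The earlier hunk only reports the size of compiled_sources through bb.debug(1, ...); an empty set is the case worth surfacing, so a bb.warn there would make it visible when the filter has nothing to match against.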
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43
2026-03-29 22:46 [OE-core][scarthgap 00/11] Patch review Yoann Congal
` (2 preceding siblings ...)
2026-03-29 22:46 ` [OE-core][scarthgap 03/11] spdx: add option to include only compiled sources Yoann Congal
@ 2026-03-29 22:46 ` Yoann Congal
2026-03-30 14:36 ` Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 05/11] pseudo: Add fix for glibc 2.43 Yoann Congal
` (8 subsequent siblings)
12 siblings, 1 reply; 33+ messages in thread
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
https://errors.yoctoproject.org/Errors/Details/903983/
../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
424 | sep = memchr(fixup_str, ':', fixup_len);
| ^
../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
434 | sep = memchr(name, ':', fixup_len);
| ^
cc1: all warnings being treated as errors
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../0001-Fix-discarded-const-qualifiers.patch | 85 +++++++++++++++++++
meta/recipes-kernel/dtc/dtc_1.7.0.bb | 1 +
2 files changed, 86 insertions(+)
create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
diff --git a/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
new file mode 100644
index 00000000000..c643410ae9b
--- /dev/null
+++ b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
@@ -0,0 +1,85 @@
+From 861cb43eb53afff83e28ba0e0f88ffa464ebe8ca Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 6 Jan 2026 14:19:30 -0500
+Subject: [PATCH] Fix discarded const qualifiers
+
+It's unsafe to implicitly discard the const qualifier on a pointer. In
+overlay_fixup_phandle(), this was probably just an oversight, and making
+the "sep" variable a const char * is sufficient to fix it.
+
+In create_node(), however, the "p" variable is directly modifying the
+buffer pointed to by "const char* node_name". To fix this, we need to
+actually make a duplicate of the buffer and operate on that instead.
+
+This introduces a malloc()/free() and an unbounded strdup() into the
+operation, but fdtput isn't a long-running service and the node_name
+argument comes directly from argv, so this shouldn't introduce a
+significant performance impact.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/libfdt/fdt_overlay.c?h=main&id=9a1c801a1a3c102bf95c5339c9e985b26b823a21]
+---
+ fdtput.c | 8 +++++---
+ libfdt/fdt_overlay.c | 3 ++-
+ meson.build | 3 ++-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/fdtput.c b/fdtput.c
+index c2fecf4..8deec7e 100644
+--- a/fdtput.c
++++ b/fdtput.c
+@@ -230,19 +230,21 @@ static int create_paths(char **blob, const char *in_path)
+ static int create_node(char **blob, const char *node_name)
+ {
+ int node = 0;
+- char *p;
++ const char *p;
++ char *path = NULL;
+
+ p = strrchr(node_name, '/');
+ if (!p) {
+ report_error(node_name, -1, -FDT_ERR_BADPATH);
+ return -1;
+ }
+- *p = '\0';
+
+ *blob = realloc_node(*blob, p + 1);
+
+ if (p > node_name) {
+- node = fdt_path_offset(*blob, node_name);
++ path = xstrndup(node_name, (size_t)(p - node_name));
++ node = fdt_path_offset(*blob, path);
++ free(path);
+ if (node < 0) {
+ report_error(node_name, -1, node);
+ return -1;
+diff --git a/libfdt/fdt_overlay.c b/libfdt/fdt_overlay.c
+index 5c0c398..75b0619 100644
+--- a/libfdt/fdt_overlay.c
++++ b/libfdt/fdt_overlay.c
+@@ -431,7 +431,8 @@ static int overlay_fixup_phandle(void *fdt, void *fdto, int symbols_off,
+ const char *fixup_str = value;
+ uint32_t path_len, name_len;
+ uint32_t fixup_len;
+- char *sep, *endptr;
++ const char *sep;
++ char *endptr;
+ int poffset, ret;
+
+ fixup_end = memchr(value, '\0', len);
+diff --git a/meson.build b/meson.build
+index 8952e8a..ecb0ae0 100644
+--- a/meson.build
++++ b/meson.build
+@@ -14,7 +14,8 @@ add_project_arguments(
+ '-Wstrict-prototypes',
+ '-Wmissing-prototypes',
+ '-Wredundant-decls',
+- '-Wshadow'
++ '-Wshadow',
++ '-Wdiscarded-qualifiers'
+ ]),
+ language: 'c'
+ )
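Review bot: the fdtput.c hunk now calls xstrndup(), but nothing in this patch adds it, so please confirm that util.h at the recipe's SRCREV (039a99414e778332d8f9c04cbd3072e1dcc62798, dtc_1.7.0.bb) already provides it; otherwise fdtput fails to build or link. Removing *p = '\0' also changes the error path: report_error(node_name, -1, node) used to print the truncated parent path and now prints the full node path. That is probably fine, but it is a user-visible change. Lastly, the patch description mentions "an unbounded strdup()" while the code uses the length-bounded xstrndup(node_name, (size_t)(p - node_name)); the bounded call is the one to keep.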
diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
index 0702fc16dfa..a2f41197fda 100644
--- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb
+++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
@@ -12,6 +12,7 @@ SRC_URI = " \
git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \
file://0001-meson.build-bump-version-to-1.7.0.patch \
file://0002-meson-allow-building-from-shallow-clones.patch \
+ file://0001-Fix-discarded-const-qualifiers.patch \
"
SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [OE-core][scarthgap 05/11] pseudo: Add fix for glibc 2.43
2026-03-29 22:46 [OE-core][scarthgap 00/11] Patch review Yoann Congal
` (3 preceding siblings ...)
2026-03-29 22:46 ` [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43 Yoann Congal
@ 2026-03-29 22:46 ` Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates Yoann Congal
` (7 subsequent siblings)
12 siblings, 0 replies; 33+ messages in thread
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Update to add a fix for a function definition to work with glibc 2.43.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[YC: upstream commit 7d35b0e7929d666af783db835a3a809f8f6ce429]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 0f063f18812..3ae560487bd 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \
file://older-glibc-symbols.patch"
SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
-SRCREV = "43cbd8fb4914328094ccdb4bb827d74b1bac2046"
+SRCREV = "56e1f8df4761da60e41812fc32b1de797d1765e9"
S = "${WORKDIR}/git"
PV = "1.9.3+git"
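Review bot: the SRCREV line moves from 43cbd8fb4914328094ccdb4bb827d74b1bac2046 to 56e1f8df4761da60e41812fc32b1de797d1765e9 with PV left at "1.9.3+git", so the hunk cannot show how many pseudo commits come in with the bump. For a stable branch, please list the commits between the two revisions in the commit message, so that anything beyond the glibc 2.43 function-definition fix is reviewed explicitly.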
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [OE-core][scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates
2026-03-29 22:46 [OE-core][scarthgap 00/11] Patch review Yoann Congal
` (4 preceding siblings ...)
2026-03-29 22:46 ` [OE-core][scarthgap 05/11] pseudo: Add fix for glibc 2.43 Yoann Congal
@ 2026-03-29 22:46 ` Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43 Yoann Congal
` (6 subsequent siblings)
12 siblings, 0 replies; 33+ messages in thread
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
From: Michael Halstead <mhalstead@linuxfoundation.org>
Solves some segfaults on relocated qemu-img binaries.
[YOCTO #16003]
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b322bc5387f3baedca5c71ccecaed08d2b046eab)
[YC: fixed the commit title]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 3ced03d4771..e9dc6c86408 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -7,9 +7,9 @@
#
UNINATIVE_MAXGLIBCVERSION = "2.42"
-UNINATIVE_VERSION = "4.9"
+UNINATIVE_VERSION = "5.0"
UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "812045d826b7fda88944055e8526b95a5a9440bfef608d5b53fd52faab49bf85"
-UNINATIVE_CHECKSUM[i686] ?= "5cc28efd0c15a75de4bcb147c6cce65f1c1c9d442173a220f08427f40a3ffa09"
-UNINATIVE_CHECKSUM[x86_64] ?= "4c03d1ed2b7b4e823aca4a1a23d8f2e322f1770fc10e859adcede5777aff4f3a"
+UNINATIVE_CHECKSUM[aarch64] ?= "a25f2174d0cefcb22af005e9bc72ac01ae83b011c5b6d6d5bf00dac979877f76"
+UNINATIVE_CHECKSUM[i686] ?= "959cc2539b692f9b9862825c7324a0fe4d061fca742f6c259f67f581c59af956"
+UNINATIVE_CHECKSUM[x86_64] ?= "96045e8b1e242c8a849426a8506c7043f354b39f2bc0035192780e8205e23e9d"
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [OE-core][scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43
2026-03-29 22:46 [OE-core][scarthgap 00/11] Patch review Yoann Congal
` (5 preceding siblings ...)
2026-03-29 22:46 ` [OE-core][scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates Yoann Congal
@ 2026-03-29 22:46 ` Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers Yoann Congal
` (5 subsequent siblings)
12 siblings, 0 replies; 33+ messages in thread
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
From: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c1fb515f2a88fa0a0e95529afc07a99db001af0e)
[YC: fix duplicated line in commit message]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/conf/distro/include/yocto-uninative.inc | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index e9dc6c86408..d97c96f631f 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,10 +6,10 @@
# to the distro running on the build machine.
#
-UNINATIVE_MAXGLIBCVERSION = "2.42"
-UNINATIVE_VERSION = "5.0"
+UNINATIVE_MAXGLIBCVERSION = "2.43"
+UNINATIVE_VERSION = "5.1"
UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "a25f2174d0cefcb22af005e9bc72ac01ae83b011c5b6d6d5bf00dac979877f76"
-UNINATIVE_CHECKSUM[i686] ?= "959cc2539b692f9b9862825c7324a0fe4d061fca742f6c259f67f581c59af956"
-UNINATIVE_CHECKSUM[x86_64] ?= "96045e8b1e242c8a849426a8506c7043f354b39f2bc0035192780e8205e23e9d"
+UNINATIVE_CHECKSUM[aarch64] ?= "4166237a9dabd222dcb9627a9435dffd756764fabf76ed7ef2e93dc2964567ad"
+UNINATIVE_CHECKSUM[i686] ?= "761502cc9aef4d54d0c6fe9418beb9fdd2c6220da6f2b04128c89f47902ab9ae"
+UNINATIVE_CHECKSUM[x86_64] ?= "2b63a078c26535e0786e87f81ae69509df30f4dce40693004c527bd5e4ab2b85"
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [OE-core][scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers
2026-03-29 22:46 [OE-core][scarthgap 00/11] Patch review Yoann Congal
` (6 preceding siblings ...)
2026-03-29 22:46 ` [OE-core][scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43 Yoann Congal
@ 2026-03-29 22:46 ` Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host Yoann Congal
` (4 subsequent siblings)
12 siblings, 0 replies; 33+ messages in thread
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
With glibc-2.43 on host elfutils-native fails with:
elfutils-0.191/libcpu/riscv_disasm.c:1259:46: error: initialization discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
elfutils-0.194 in master doesn't have this issue thanks to this patch avoiding -Werror from:
https://git.openembedded.org/openembedded-core/commit/?id=1d6ac3c811798732e6addc798656bbe104661d77
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../elfutils/elfutils_0.191.bb | 1 +
...001-config-eu.am-do-not-force-Werror.patch | 34 +++++++++++++++++++
2 files changed, 35 insertions(+)
create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
diff --git a/meta/recipes-devtools/elfutils/elfutils_0.191.bb b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
index 0fd6d31af19..5156e5c9f6d 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.191.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
file://0001-tests-Makefile.am-compile-test_nlist-with-standard-C.patch \
file://0001-debuginfod-Remove-unused-variable.patch \
file://0001-srcfiles-fix-unused-variable-BUFFER_SIZE.patch \
+ file://0001-config-eu.am-do-not-force-Werror.patch \
file://CVE-2025-1352.patch \
file://CVE-2025-1365.patch \
file://CVE-2025-1372.patch \
diff --git a/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch b/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
new file mode 100644
index 00000000000..d4e141927f1
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
@@ -0,0 +1,34 @@
+From e169c3fc734be1783b3e1a4768dbec05fb64cb4f Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Fri, 22 Nov 2024 12:50:48 +0100
+Subject: [PATCH] config/eu.am: do not force -Werror
+
+This is undesirable when compiler versions may not be the same
+as what upstream is using for their own testing.
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ config/eu.am | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/config/eu.am b/config/eu.am
+index 0b7dab5..5e7a03f 100644
+--- a/config/eu.am
++++ b/config/eu.am
+@@ -99,7 +99,6 @@ AM_CFLAGS = -std=gnu99 -Wall -Wshadow -Wformat=2 \
+ $(LOGICAL_OP_WARNING) $(DUPLICATED_COND_WARNING) \
+ $(NULL_DEREFERENCE_WARNING) $(IMPLICIT_FALLTHROUGH_WARNING) \
+ $(USE_AFTER_FREE3_WARNING) \
+- $(if $($(*F)_no_Werror),,-Werror) \
+ $(if $($(*F)_no_Wunused),,-Wunused -Wextra) \
+ $(if $($(*F)_no_Wstack_usage),,$(STACK_USAGE_WARNING)) \
+ $(if $($(*F)_no_Wpacked_not_aligned),$(NO_PACKED_NOT_ALIGNED_WARNING),) \
+@@ -109,7 +108,6 @@ AM_CXXFLAGS = -std=c++11 -Wall -Wshadow \
+ $(TRAMPOLINES_WARNING) \
+ $(LOGICAL_OP_WARNING) $(DUPLICATED_COND_WARNING) \
+ $(NULL_DEREFERENCE_WARNING) $(IMPLICIT_FALLTHROUGH_WARNING) \
+- $(if $($(*F)_no_Werror),,-Werror) \
+ $(if $($(*F)_no_Wunused),,-Wunused -Wextra) \
+ $(if $($(*F)_no_Wstack_usage),,$(STACK_USAGE_WARNING)) \
+ $(if $($(*F)_no_Wpacked_not_aligned),$(NO_PACKED_NOT_ALIGNED_WARNING),) \
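Review bot: both config/eu.am hunks delete the $(if $($(*F)_no_Werror),,-Werror) line, which turns -Werror off for every C and C++ object in elfutils, although the reported failure is a single discarded-qualifiers diagnostic in libcpu/riscv_disasm.c. On a stable branch a narrower change would keep the other warnings fatal: either use the per-file opt-out that the removed line already implements (a riscv_disasm_no_Werror setting) or add -Wno-error=discarded-qualifiers to the flags. If the whole-tree removal is kept to match master, say so in the recipe commit message, and note that later warning regressions in this recipe will no longer break the build.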
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [OE-core][scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host
2026-03-29 22:46 [OE-core][scarthgap 00/11] Patch review Yoann Congal
` (7 preceding siblings ...)
2026-03-29 22:46 ` [OE-core][scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers Yoann Congal
@ 2026-03-29 22:46 ` Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 10/11] python3-pyopenssl: Fix CVE-2026-27448 Yoann Congal
` (3 subsequent siblings)
12 siblings, 0 replies; 33+ messages in thread
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
Fixes:
../../../gprofng/libcollector/linetrace.c: In function ‘__collector_ext_line_install’:
../../../gprofng/libcollector/linetrace.c:219:45: error: expected identifier before ‘_Generic’
219 | if (java_follow_env != NULL && CALL_UTIL (strstr)(java_follow_env, COLLECTOR_JVMTI_OPTION))
| ^~~~~~
../../../gprofng/libcollector/linetrace.c:219:34: note: in expansion of macro ‘CALL_UTIL’
219 | if (java_follow_env != NULL && CALL_UTIL (strstr)(java_follow_env, COLLECTOR_JVMTI_OPTION))
| ^~~~~~~~~
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../binutils/binutils-2.42.inc | 1 +
...tect-against-standard-library-macros.patch | 31 +++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 839d31242ef..36bd49ad03d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -43,6 +43,7 @@ SRC_URI = "\
file://0019-Fix-32097-Warnings-when-building-gprofng-with-Clang.patch \
file://0020-gprofng-fix-std-gnu23-compatibility-wrt-unprototyped.patch \
file://0021-gprofng-fix-build-with-std-gnu23.patch \
+ file://0022-gprofng-protect-against-standard-library-macros.patch \
file://0018-CVE-2025-0840.patch \
file://CVE-2025-1176.patch \
file://CVE-2025-1178.patch \
diff --git a/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch b/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
new file mode 100644
index 00000000000..0fa0a939918
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
@@ -0,0 +1,31 @@
+From 5f66aee7f4bec7a2d8378034116f5e5c3dc50f41 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Sat, 22 Nov 2025 11:29:43 +0100
+Subject: [PATCH] gprofng: protect against standard library macros
+
+The CALL_UTIL macro can expand to an unparsable expression of the argument
+is a macro, like with the new const-preserving standard library macros in
+C23.
+
+ * gprofng/src/collector_module.h (CALL_UTIL): Add parens to not
+ expand its argument if it is a function-like macro.
+
+Upstream-Status: Backport [2.46 5f66aee7f4bec7a2d8378034116f5e5c3dc50f41]
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+---
+ gprofng/src/collector_module.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gprofng/src/collector_module.h b/gprofng/src/collector_module.h
+index b64d69c45ab..859a6dd1f7d 100644
+--- a/gprofng/src/collector_module.h
++++ b/gprofng/src/collector_module.h
+@@ -119,7 +119,7 @@ typedef struct CollectorUtilFuncs
+ extern CollectorUtilFuncs __collector_util_funcs;
+ extern int __collector_dlsym_guard;
+
+-#define CALL_UTIL(x) __collector_util_funcs.x
++#define CALL_UTIL(x) (__collector_util_funcs.x)
+
+ /* The following constants define the meaning of the "void *arg"
+ * argument of getFrameInfo().
^ permalink raw reply related [flat|nested] 33+ messages in thread
* [OE-core][scarthgap 10/11] python3-pyopenssl: Fix CVE-2026-27448
2026-03-29 22:46 [OE-core][scarthgap 00/11] Patch review Yoann Congal
` (8 preceding siblings ...)
2026-03-29 22:46 ` [OE-core][scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host Yoann Congal
@ 2026-03-29 22:46 ` Yoann Congal
2026-03-29 22:46 ` [OE-core][scarthgap 11/11] python3-pyopenssl: Fix CVE-2026-27459 Yoann Congal
` (2 subsequent siblings)
12 siblings, 0 replies; 33+ messages in thread
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Pick patch mentioned in NVD
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448
[2] https://ubuntu.com/security/CVE-2026-27448
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python3-pyopenssl/CVE-2026-27448.patch | 124 ++++++++++++++++++
.../python/python3-pyopenssl_24.0.0.bb | 4 +
2 files changed, 128 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
new file mode 100644
index 00000000000..87f46b4cb0f
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
@@ -0,0 +1,124 @@
+From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 16 Feb 2026 21:04:37 -0500
+Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback callbacks
+ (#1478)
+
+When the servername callback raises an exception, call sys.excepthook
+with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort
+the handshake. Previously, exceptions would propagate uncaught through
+the CFFI callback boundary.
+
+https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi
+
+Co-authored-by: Claude <noreply@anthropic.com>
+
+Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0]
+CVE: CVE-2026-27448
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CHANGELOG.rst | 1 +
+ src/OpenSSL/SSL.py | 7 ++++++-
+ tests/test_ssl.py | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 57 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 6e23770..12e60e4 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -18,6 +18,7 @@ Changes:
+
+ - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
+ `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.
++- ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
+
+ 23.3.0 (2023-10-25)
+ -------------------
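Review bot: The new CHANGELOG entry says that exceptions were previously "silently swallowed and the handshake would proceed as if the callback had succeeded", while the commit message of this same patch says they "would propagate uncaught through the CFFI callback boundary". These two descriptions of the old behaviour disagree; since the entry is what users read to judge exposure, align its wording with whichever is accurate before carrying it into the backport.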
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index 4db5240..a6263c4 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -1,5 +1,6 @@
+ import os
+ import socket
++import sys
+ import typing
+ from errno import errorcode
+ from functools import partial, wraps
+@@ -1567,7 +1568,11 @@ class Context:
+
+ @wraps(callback)
+ def wrapper(ssl, alert, arg):
+- callback(Connection._reverse_mapping[ssl])
++ try:
++ callback(Connection._reverse_mapping[ssl])
++ except Exception:
++ sys.excepthook(*sys.exc_info())
++ return _lib.SSL_TLSEXT_ERR_ALERT_FATAL
+ return 0
+
+ self._tlsext_servername_callback = _ffi.callback(
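Review bot: In `wrapper`, `except Exception:` does not cover `BaseException` subclasses such as `KeyboardInterrupt` or `SystemExit` raised by the user callback, so those still reach the callback boundary this change is meant to guard; if that is deliberate, a one-line comment should say so. Note also that `_lib.SSL_TLSEXT_ERR_ALERT_FATAL` is only read inside the `except` branch, so for this backport it is worth confirming that the bindings paired with pyOpenSSL 24.0.0 on scarthgap export it, otherwise the first failing callback would raise `AttributeError` instead of aborting the handshake. The success path still returns a bare `0` next to the named failure constant; a named constant or a short comment would make the two return values read consistently.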
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index ca5bf83..55489b9 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -1855,6 +1855,56 @@ class TestServerNameCallback:
+
+ assert args == [(server, b"foo1.example.com")]
+
++ def test_servername_callback_exception(
++ self, monkeypatch: pytest.MonkeyPatch
++ ) -> None:
++ """
++ When the callback passed to `Context.set_tlsext_servername_callback`
++ raises an exception, ``sys.excepthook`` is called with the exception
++ and the handshake fails with an ``Error``.
++ """
++ exc = TypeError("server name callback failed")
++
++ def servername(conn: Connection) -> None:
++ raise exc
++
++ excepthook_calls: list[
++ tuple[type[BaseException], BaseException, object]
++ ] = []
++
++ def custom_excepthook(
++ exc_type: type[BaseException],
++ exc_value: BaseException,
++ exc_tb: object,
++ ) -> None:
++ excepthook_calls.append((exc_type, exc_value, exc_tb))
++
++ context = Context(SSLv23_METHOD)
++ context.set_tlsext_servername_callback(servername)
++
++ # Necessary to actually accept the connection
++ context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++ context.use_certificate(
++ load_certificate(FILETYPE_PEM, server_cert_pem)
++ )
++
++ # Do a little connection to trigger the logic
++ server = Connection(context, None)
++ server.set_accept_state()
++
++ client = Connection(Context(SSLv23_METHOD), None)
++ client.set_connect_state()
++ client.set_tlsext_host_name(b"foo1.example.com")
++
++ monkeypatch.setattr(sys, "excepthook", custom_excepthook)
++ with pytest.raises(Error):
++ interact_in_memory(server, client)
++
++ assert len(excepthook_calls) == 1
++ assert excepthook_calls[0][0] is TypeError
++ assert excepthook_calls[0][1] is exc
++ assert excepthook_calls[0][2] is not None
++
+
+ class TestApplicationLayerProtoNegotiation:
+ """
+--
+2.43.0
+
diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
index 116f214bfa8..bc0b568a46a 100644
--- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
+++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
@@ -10,6 +10,10 @@ SRC_URI[sha256sum] = "6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a33
PYPI_PACKAGE = "pyOpenSSL"
inherit pypi setuptools3
+SRC_URI += " \
+ file://CVE-2026-27448.patch \
+"
+
PACKAGES =+ "${PN}-tests"
FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test"
* [OE-core][scarthgap 11/11] python3-pyopenssl: Fix CVE-2026-27459
From: Yoann Congal @ 2026-03-29 22:46 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Pick patch mentioned in NVD
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459
[2] https://ubuntu.com/security/CVE-2026-27459
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python3-pyopenssl/CVE-2026-27459.patch | 109 ++++++++++++++++++
.../python/python3-pyopenssl_24.0.0.bb | 1 +
2 files changed, 110 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
new file mode 100644
index 00000000000..f75540f96e0
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
@@ -0,0 +1,109 @@
+From 57f09bb4bb051d3bc2a1abd36e9525313d5cd408 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 18 Feb 2026 07:46:15 -0500
+Subject: [PATCH] Fix buffer overflow in DTLS cookie generation callback
+ (#1479)
+
+The cookie generate callback copied user-returned bytes into a
+fixed-size native buffer without enforcing a maximum length. A
+callback returning more than DTLS1_COOKIE_LENGTH bytes would overflow
+the OpenSSL-provided buffer, corrupting adjacent memory.
+
+Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
+
+Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408]
+CVE: CVE-2026-27459
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CHANGELOG.rst | 1 +
+ src/OpenSSL/SSL.py | 7 +++++++
+ tests/test_ssl.py | 38 ++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 12e60e4..6041fdc 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -16,6 +16,7 @@ Deprecations:
+ Changes:
+ ^^^^^^^^
+
++- Properly raise an error if a DTLS cookie callback returned a cookie longer than ``DTLS1_COOKIE_LENGTH`` bytes. Previously this would result in a buffer-overflow.
+ - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
+ `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.
+ - ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index a6263c4..2e4da78 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -691,11 +691,18 @@ class _CookieGenerateCallbackHelper(_CallbackExceptionHelper):
+ def __init__(self, callback):
+ _CallbackExceptionHelper.__init__(self)
+
++ max_cookie_len = getattr(_lib, "DTLS1_COOKIE_LENGTH", 255)
++
+ @wraps(callback)
+ def wrapper(ssl, out, outlen):
+ try:
+ conn = Connection._reverse_mapping[ssl]
+ cookie = callback(conn)
++ if len(cookie) > max_cookie_len:
++ raise ValueError(
++ f"Cookie too long (got {len(cookie)} bytes, "
++ f"max {max_cookie_len})"
++ )
+ out[0 : len(cookie)] = cookie
+ outlen[0] = len(cookie)
+ return 1
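Review bot: The fallback in `getattr(_lib, "DTLS1_COOKIE_LENGTH", 255)` hard-codes the limit whenever the bindings do not export the constant, with no comment saying where 255 comes from; a wrong fallback would silently weaken the very bound this check enforces, so document the source of the value next to it. The `ValueError` is raised inside the existing `try:`, so how it surfaces depends on the `except` clause that lies outside this hunk; the new test expects it to come out of `DTLSv1_listen()`, which is worth verifying against the 24.0.0 sources this patch is applied to.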
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index 55489b9..683e368 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -4560,6 +4560,44 @@ class TestDTLS:
+ def test_it_works_with_srtp(self):
+ self._test_handshake_and_data(srtp_profile=b"SRTP_AES128_CM_SHA1_80")
+
++ def test_cookie_generate_too_long(self) -> None:
++ s_ctx = Context(DTLS_METHOD)
++
++ def generate_cookie(ssl: Connection) -> bytes:
++ return b"\x00" * 256
++
++ def verify_cookie(ssl: Connection, cookie: bytes) -> bool:
++ return True
++
++ s_ctx.set_cookie_generate_callback(generate_cookie)
++ s_ctx.set_cookie_verify_callback(verify_cookie)
++ s_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++ s_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
++ s_ctx.set_options(OP_NO_QUERY_MTU)
++ s = Connection(s_ctx)
++ s.set_accept_state()
++
++ c_ctx = Context(DTLS_METHOD)
++ c_ctx.set_options(OP_NO_QUERY_MTU)
++ c = Connection(c_ctx)
++ c.set_connect_state()
++
++ c.set_ciphertext_mtu(1500)
++ s.set_ciphertext_mtu(1500)
++
++ # Client sends ClientHello
++ try:
++ c.do_handshake()
++ except SSL.WantReadError:
++ pass
++ chunk = c.bio_read(self.LARGE_BUFFER)
++ s.bio_write(chunk)
++
++ # Server tries DTLSv1_listen, which triggers cookie generation.
++ # The oversized cookie should raise ValueError.
++ with pytest.raises(ValueError, match="Cookie too long"):
++ s.DTLSv1_listen()
++
+ def test_timeout(self, monkeypatch):
+ c_ctx = Context(DTLS_METHOD)
+ c = Connection(c_ctx)
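Review bot: `test_cookie_generate_too_long` only exercises a 256-byte cookie, one past the 255 fallback, so it proves the rejection path but not the boundary. Add a companion case where `generate_cookie` returns exactly the maximum length and assert that no `ValueError` is raised, so an off-by-one in `len(cookie) > max_cookie_len` would be caught. The test also hard-codes `256` rather than deriving it from the limit, which would stop exercising the check if the bound constant were ever larger.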
+--
+2.43.0
+
diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
index bc0b568a46a..94a70aa17d1 100644
--- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
+++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
@@ -12,6 +12,7 @@ inherit pypi setuptools3
SRC_URI += " \
file://CVE-2026-27448.patch \
+ file://CVE-2026-27459.patch \
"
PACKAGES =+ "${PN}-tests"
* Patchtest results for [OE-core][scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007
From: patchtest @ 2026-03-29 23:01 UTC (permalink / raw)
To: Yoann Congal; +Cc: openembedded-core
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:
---
Testing patch /home/patchtest/share/mboxes/scarthgap-02-11-python3-cryptography-Fix-CVE-2026-26007.patch
FAIL: test Upstream-Status presence: Upstream-Status is present only after the patch scissors. It must be placed in the patch header before the scissors line. (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)
SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
---
Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!
* Re: [OE-core][scarthgap 00/11] Patch review
From: Yoann Congal @ 2026-03-30 7:33 UTC (permalink / raw)
To: Yoann Congal, openembedded-core
On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
> Please review this set of changes for scarthgap and have comments back by
> end of day Tuesday, March 31.
>
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
> Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
> Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551
That second build is successful. (Only a warning from VNC integration on
autobuilder, I'll send a patch)
> [0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t
>
> The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:
>
> Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)
>
> are available in the Git repository at:
>
> https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
>
> for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:
>
> python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)
>
> ----------------------------------------------------------------
>
> João Marcos Costa (Schneider Electric) (1):
> spdx: add option to include only compiled sources
>
> Martin Jansa (3):
> dtc: backport fix for build with glibc-2.43
> elfutils: don't add -Werror to avoid discarded-qualifiers
> binutils: backport patch to fix build with glibc-2.43 on host
>
> Michael Halstead (2):
> yocto-uninative: Update to 5.0 for needed patchelf updates
> yocto-uninative: Update to 5.1 for glibc 2.43
>
> Nguyen Dat Tho (1):
> python3-cryptography: Fix CVE-2026-26007
>
> Paul Barker (1):
> tzdata,tzcode-native: Upgrade 2025b -> 2025c
>
> Richard Purdie (1):
> pseudo: Add fix for glibc 2.43
>
> Vijay Anusuri (2):
> python3-pyopenssl: Fix CVE-2026-27448
> python3-pyopenssl: Fix CVE-2026-27459
>
> meta/classes/spdx-common.bbclass | 3 +
> meta/conf/distro/include/yocto-uninative.inc | 10 +-
> meta/lib/oe/spdx30_tasks.py | 12 ++
> .../binutils/binutils-2.42.inc | 1 +
> ...tect-against-standard-library-macros.patch | 31 ++++
> .../elfutils/elfutils_0.191.bb | 1 +
> ...001-config-eu.am-do-not-force-Werror.patch | 34 ++++
> meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
> .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++
> .../python/python3-cryptography_42.0.5.bb | 1 +
> .../python3-pyopenssl/CVE-2026-27448.patch | 124 +++++++++++++++
> .../python3-pyopenssl/CVE-2026-27459.patch | 109 +++++++++++++
> .../python/python3-pyopenssl_24.0.0.bb | 5 +
> meta/recipes-extended/timezone/timezone.inc | 6 +-
> .../0001-Fix-discarded-const-qualifiers.patch | 85 ++++++++++
> meta/recipes-kernel/dtc/dtc_1.7.0.bb | 1 +
> 16 files changed, 565 insertions(+), 9 deletions(-)
> create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
> create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
> create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
> create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
> create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
> create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
--
Yoann Congal
Smile ECS
* Re: [OE-core][scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007
From: Yoann Congal @ 2026-03-30 7:58 UTC (permalink / raw)
To: Yoann Congal, openembedded-core; +Cc: Nguyen Dat Tho
On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
> From: Nguyen Dat Tho <tho3.nguyen@lge.com>
>
> CVE-2026-26007 is fixed upstream in version 46.0.5.
> Our current version (42.0.5, scarthgap) is still reported as vulnerable
> by NVD.
> Backport the upstream fix to address this CVE.
>
> Upstream commit:
> https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
>
> CVE report:
> https://nvd.nist.gov/vuln/detail/CVE-2026-26007
>
> Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---
> .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++
> .../python/python3-cryptography_42.0.5.bb | 1 +
> 2 files changed, 150 insertions(+)
> create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
>
> diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
> new file mode 100644
> index 00000000000..a78d287ccdd
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
> @@ -0,0 +1,149 @@
> +From 42c914929b52eb16421a4ef1f7e09c8f9fdab7db Mon Sep 17 00:00:00 2001
> +From: Paul Kehrer <paul.l.kehrer@gmail.com>
> +Date: Wed, 18 Mar 2026 16:01:03 +0900
> +Subject: [PATCH] EC check key on cofactor > 1
> +
> +An attacker could create a malicious public key that reveals portions of
> +your private key when using certain uncommon elliptic curves (binary
> +curves). This version now includes additional security checks to
> +prevent this attack. This issue only affects binary elliptic curves,
> +which are rarely used in real-world applications. Credit to **XlabAI
> +Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery
> +Engine** for reporting the issue. **CVE-2026-26007**
> +
> +This is a partial backport of upstream commit
> +0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c, to only include what's
> +relevant for CVE-2026-26007.
> +
> +CVE: CVE-2026-26007
> +
> +Origin: backport, https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
> +Reference: https://salsa.debian.org/python-team/packages/python-cryptography/-/commit/464e7ca3b0b4493d5906d0c3685de71fda770c59
> +
> +Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
> +Signed-off-by: Paul Kehrer <paul.l.kehrer@gmail.com>
> +Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
> +---
> +Upstream-Status: Backport [Backport from https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c]
Tho, (I hope this is the proper way to address you, if not, sorry!)
This "Upstream-Status:" after the "---" triggers a patchtest failure:
FAIL: test Upstream-Status presence: Upstream-Status is present only
after the patch scissors. It must be placed in the patch header before
the scissors line.
(test_patch.TestPatch.test_upstream_status_presence_format)
This is very minor for stables where a patch rebase following an upgrade
is a very rare event.
But, that said, if you can send a v2 patch with the "Upstream-Status"
above the "---", I'll take it.
As a side note: this particular patchtest test is not in scarthgap
patchtest, I'll try to backport it.
Thanks!
> +
> + src/rust/src/backend/ec.rs | 39 ++++++++++++++++++++----------
> + tests/hazmat/primitives/test_ec.py | 37 ++++++++++++++++++++++++++++
> + 2 files changed, 63 insertions(+), 13 deletions(-)
> +
> +diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs
> +index 6a224b49f..27fced086 100644
> +--- a/src/rust/src/backend/ec.rs
> ++++ b/src/rust/src/backend/ec.rs
> +@@ -155,12 +155,9 @@ pub(crate) fn public_key_from_pkey(
> + ) -> CryptographyResult<ECPublicKey> {
> + let ec = pkey.ec_key()?;
> + let curve = py_curve_from_curve(py, ec.group())?;
> +- check_key_infinity(&ec)?;
> +- Ok(ECPublicKey {
> +- pkey: pkey.to_owned(),
> +- curve: curve.into(),
> +- })
> ++ ECPublicKey::new(pkey.to_owned(), curve.into())
> + }
> ++
> + #[pyo3::prelude::pyfunction]
> + fn generate_private_key(
> + py: pyo3::Python<'_>,
> +@@ -215,10 +212,7 @@ fn from_public_bytes(
> + let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?;
> + let pkey = openssl::pkey::PKey::from_ec_key(ec)?;
> +
> +- Ok(ECPublicKey {
> +- pkey,
> +- curve: py_curve.into(),
> +- })
> ++ ECPublicKey::new(pkey, py_curve.into())
> + }
> +
> + #[pyo3::prelude::pymethods]
> +@@ -357,6 +351,28 @@ impl ECPrivateKey {
> + }
> + }
> +
> ++impl ECPublicKey {
> ++ fn new(
> ++ pkey: openssl::pkey::PKey<openssl::pkey::Public>,
> ++ curve: pyo3::Py<pyo3::PyAny>,
> ++ ) -> CryptographyResult<ECPublicKey> {
> ++ let ec = pkey.ec_key()?;
> ++ check_key_infinity(&ec)?;
> ++ let mut bn_ctx = openssl::bn::BigNumContext::new()?;
> ++ let mut cofactor = openssl::bn::BigNum::new()?;
> ++ ec.group().cofactor(&mut cofactor, &mut bn_ctx)?;
> ++ let one = openssl::bn::BigNum::from_u32(1)?;
> ++ if cofactor != one {
> ++ ec.check_key().map_err(|_| {
> ++ pyo3::exceptions::PyValueError::new_err(
> ++ "Invalid EC key (key out of range, infinity, etc.)",
> ++ )
> ++ })?;
> ++ }
> ++
> ++ Ok(ECPublicKey { pkey, curve })
> ++ }
> ++}
> + #[pyo3::prelude::pymethods]
> + impl ECPublicKey {
> + #[getter]
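Review bot: In `ECPublicKey::new`, the `if cofactor != one` branch carries no comment explaining why `ec.check_key()` is only run for curves with a cofactor other than 1; a short comment tying the condition to the patch subject ("EC check key on cofactor > 1") would keep a later refactor from narrowing or dropping it by accident. The `map_err(|_| ...)` also discards the underlying OpenSSL error and replaces it with the fixed string "Invalid EC key (key out of range, infinity, etc.)", which gives no hint of which validation failed when someone has to debug a rejected key.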
> +@@ -591,10 +607,7 @@ impl EllipticCurvePublicNumbers {
> +
> + let pkey = openssl::pkey::PKey::from_ec_key(public_key)?;
> +
> +- Ok(ECPublicKey {
> +- pkey,
> +- curve: self.curve.clone_ref(py),
> +- })
> ++ ECPublicKey::new(pkey, self.curve.clone_ref(py))
> + }
> +
> + fn __eq__(
> +diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
> +index 334e76dcc..f7f2242f6 100644
> +--- a/tests/hazmat/primitives/test_ec.py
> ++++ b/tests/hazmat/primitives/test_ec.py
> +@@ -1340,3 +1340,40 @@ class TestECDH:
> +
> + with pytest.raises(ValueError):
> + key.exchange(ec.ECDH(), public_key)
> ++
> ++
> ++def test_invalid_sect_public_keys(backend):
> ++ _skip_curve_unsupported(backend, ec.SECT571K1())
> ++ public_numbers = ec.EllipticCurvePublicNumbers(1, 1, ec.SECT571K1())
> ++ with pytest.raises(ValueError):
> ++ public_numbers.public_key()
> ++
> ++ point = binascii.unhexlify(
> ++ b"0400000000000000000000000000000000000000000000000000000000000000000"
> ++ b"0000000000000000000000000000000000000000000000000000000000000000000"
> ++ b"0000000000010000000000000000000000000000000000000000000000000000000"
> ++ b"0000000000000000000000000000000000000000000000000000000000000000000"
> ++ b"0000000000000000000001"
> ++ )
> ++ with pytest.raises(ValueError):
> ++ ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT571K1(), point)
> ++
> ++ der = binascii.unhexlify(
> ++ b"3081a7301006072a8648ce3d020106052b810400260381920004000000000000000"
> ++ b"0000000000000000000000000000000000000000000000000000000000000000000"
> ++ b"0000000000000000000000000000000000000000000000000000000000000100000"
> ++ b"0000000000000000000000000000000000000000000000000000000000000000000"
> ++ b"0000000000000000000000000000000000000000000000000000000000000000000"
> ++ b"00001"
> ++ )
> ++ with pytest.raises(ValueError):
> ++ serialization.load_der_public_key(der)
> ++
> ++ pem = textwrap.dedent("""-----BEGIN PUBLIC KEY-----
> ++ MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> ++ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> ++ AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> ++ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=
> ++ -----END PUBLIC KEY-----""").encode()
> ++ with pytest.raises(ValueError):
> ++ serialization.load_pem_public_key(pem)
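Review bot: `test_invalid_sect_public_keys` begins with `_skip_curve_unsupported(backend, ec.SECT571K1())`, so on a build whose OpenSSL does not provide this binary curve the entire regression test is skipped and the backport ships without coverage; confirm that the ptest run for scarthgap actually executes it rather than reporting a skip. The test also covers a single curve and only the (1, 1) point in its three encodings; that is acceptable for a regression test, but the docstring-less function should at least state which CVE it guards against.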
> diff --git a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
> index 732f925d926..c4573fa6891 100644
> --- a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
> +++ b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
> @@ -11,6 +11,7 @@ LDSHARED += "-pthread"
> SRC_URI[sha256sum] = "6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1"
>
> SRC_URI += "file://0001-pyproject.toml-remove-benchmark-disable-option.patch \
> + file://CVE-2026-26007.patch \
> file://check-memfree.py \
> file://run-ptest \
> "
--
Yoann Congal
Smile ECS
* Re: [scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007
From: Nguyen Dat Tho @ 2026-03-30 8:19 UTC (permalink / raw)
To: openembedded-core
Hello,
I just updated the patch as your comment.
Could you help me check it?
---
Tho
* Re: [OE-core] [scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007
From: Yoann Congal @ 2026-03-30 8:33 UTC (permalink / raw)
To: thond2009, openembedded-core
On Mon Mar 30, 2026 at 10:19 AM CEST, Nguyen Dat Tho via lists.openembedded.org wrote:
> Hello,
>
> I just updated the patch as your comment.
> Could you help me check it?
Looks good. I took it in my branch.
Thanks!
>
> ---
> Tho
--
Yoann Congal
Smile ECS
* Re: [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43
From: Yoann Congal @ 2026-03-30 14:36 UTC (permalink / raw)
To: Yoann Congal, openembedded-core; +Cc: Martin Jansa
On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
> From: Martin Jansa <martin.jansa@gmail.com>
>
> glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
> https://errors.yoctoproject.org/Errors/Details/903983/
>
> ../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
> ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
> 424 | sep = memchr(fixup_str, ':', fixup_len);
> | ^
> ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
> 434 | sep = memchr(name, ':', fixup_len);
> | ^
> cc1: all warnings being treated as errors
>
> Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> [YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---
Hello Martin,
FYI, while it looked good, this patch and your whole series about glibc
2.43 support:
* [scarthgap 04/11] dtc: backport fix for build with glibc-2.43
* [scarthgap 05/11] pseudo: Add fix for glibc 2.43
* [scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates
* [scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43
* [scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers
* [scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host
... will be put on hold until I can test it: So, not until Ubuntu 26.04
is released and the autobuilder gains an Ubuntu 26.04 worker (most likely
after Wrynose release).
Thanks!
Regards,
> .../0001-Fix-discarded-const-qualifiers.patch | 85 +++++++++++++++++++
> meta/recipes-kernel/dtc/dtc_1.7.0.bb | 1 +
> 2 files changed, 86 insertions(+)
> create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
>
> diff --git a/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
> new file mode 100644
> index 00000000000..c643410ae9b
> --- /dev/null
> +++ b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
> @@ -0,0 +1,85 @@
> +From 861cb43eb53afff83e28ba0e0f88ffa464ebe8ca Mon Sep 17 00:00:00 2001
> +From: Stephen Gallagher <sgallagh@redhat.com>
> +Date: Tue, 6 Jan 2026 14:19:30 -0500
> +Subject: [PATCH] Fix discarded const qualifiers
> +
> +It's unsafe to implicitly discard the const qualifier on a pointer. In
> +overlay_fixup_phandle(), this was probably just an oversight, and making
> +the "sep" variable a const char * is sufficient to fix it.
> +
> +In create_node(), however, the "p" variable is directly modifying the
> +buffer pointed to by "const char* node_name". To fix this, we need to
> +actually make a duplicate of the buffer and operate on that instead.
> +
> +This introduces a malloc()/free() and an unbounded strdup() into the
> +operation, but fdtput isn't a long-running service and the node_name
> +argument comes directly from argv, so this shouldn't introduce a
> +significant performance impact.
> +
> +Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
> +Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> +Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
> +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/libfdt/fdt_overlay.c?h=main&id=9a1c801a1a3c102bf95c5339c9e985b26b823a21]
> +---
> + fdtput.c | 8 +++++---
> + libfdt/fdt_overlay.c | 3 ++-
> + meson.build | 3 ++-
> + 3 files changed, 9 insertions(+), 5 deletions(-)
> +
> +diff --git a/fdtput.c b/fdtput.c
> +index c2fecf4..8deec7e 100644
> +--- a/fdtput.c
> ++++ b/fdtput.c
> +@@ -230,19 +230,21 @@ static int create_paths(char **blob, const char *in_path)
> + static int create_node(char **blob, const char *node_name)
> + {
> + int node = 0;
> +- char *p;
> ++ const char *p;
> ++ char *path = NULL;
> +
> + p = strrchr(node_name, '/');
> + if (!p) {
> + report_error(node_name, -1, -FDT_ERR_BADPATH);
> + return -1;
> + }
> +- *p = '\0';
> +
> + *blob = realloc_node(*blob, p + 1);
> +
> + if (p > node_name) {
> +- node = fdt_path_offset(*blob, node_name);
> ++ path = xstrndup(node_name, (size_t)(p - node_name));
> ++ node = fdt_path_offset(*blob, path);
> ++ free(path);
> + if (node < 0) {
> + report_error(node_name, -1, node);
> + return -1;
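Review bot: `create_node()` now calls `xstrndup(node_name, (size_t)(p - node_name))`, but no hunk in this patch adds that helper and the recipe applies it on top of dtc 1.7.0, so confirm `xstrndup` exists in the tree at the recipe's SRCREV; if it does not, dtc-native will fail to build with this patch. The commit message also describes the change as introducing "an unbounded strdup()" while the code uses the length-bounded `xstrndup`, and the quoted build log refers to `dtc-1.7.2` sources although the recipe is `dtc_1.7.0.bb`; both are worth a line in the backport notes so the next rebase is not misled.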
> +diff --git a/libfdt/fdt_overlay.c b/libfdt/fdt_overlay.c
> +index 5c0c398..75b0619 100644
> +--- a/libfdt/fdt_overlay.c
> ++++ b/libfdt/fdt_overlay.c
> +@@ -431,7 +431,8 @@ static int overlay_fixup_phandle(void *fdt, void *fdto, int symbols_off,
> + const char *fixup_str = value;
> + uint32_t path_len, name_len;
> + uint32_t fixup_len;
> +- char *sep, *endptr;
> ++ const char *sep;
> ++ char *endptr;
> + int poffset, ret;
> +
> + fixup_end = memchr(value, '\0', len);
> +diff --git a/meson.build b/meson.build
> +index 8952e8a..ecb0ae0 100644
> +--- a/meson.build
> ++++ b/meson.build
> +@@ -14,7 +14,8 @@ add_project_arguments(
> + '-Wstrict-prototypes',
> + '-Wmissing-prototypes',
> + '-Wredundant-decls',
> +- '-Wshadow'
> ++ '-Wshadow',
> ++ '-Wdiscarded-qualifiers'
> + ]),
> + language: 'c'
> + )
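Review bot: The build log quoted in the commit message already shows this diagnostic firing as -Werror=discarded-qualifiers without the patch, so listing '-Wdiscarded-qualifiers' in add_project_arguments() does not by itself enable anything new for that compiler. A sentence in the commit message on why the flag is made explicit would help. The diffstat touches only meson.build, so any other build entry point in the tree would not get the flag and would not catch a regression.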
> diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> index 0702fc16dfa..a2f41197fda 100644
> --- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> +++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> @@ -12,6 +12,7 @@ SRC_URI = " \
> git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \
> file://0001-meson.build-bump-version-to-1.7.0.patch \
> file://0002-meson-allow-building-from-shallow-clones.patch \
> + file://0001-Fix-discarded-const-qualifiers.patch \
> "
> SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
>
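Review bot: The new SRC_URI entry reuses the 0001- prefix already carried by 0001-meson.build-bump-version-to-1.7.0.patch. Application order follows SRC_URI position, so this works, but giving the file the next free number would keep the list unambiguous. The build log in the commit message comes from dtc-1.7.2 sources while this recipe is dtc_1.7.0 at SRCREV 039a99414e778332d8f9c04cbd3072e1dcc62798, so the message should state that the backport was checked to apply and build against 1.7.0.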
--
Yoann Congal
Smile ECS
* Re: [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43
From: Martin Jansa @ 2026-03-30 14:43 UTC
To: Yoann Congal; +Cc: openembedded-core
On Mon, Mar 30, 2026 at 4:36 PM Yoann Congal <yoann.congal@smile.fr> wrote:
>
> On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
> > From: Martin Jansa <martin.jansa@gmail.com>
> >
> > glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
> > https://errors.yoctoproject.org/Errors/Details/903983/
> >
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
> > 424 | sep = memchr(fixup_str, ':', fixup_len);
> > | ^
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
> > 434 | sep = memchr(name, ':', fixup_len);
> > | ^
> > cc1: all warnings being treated as errors
> >
> > Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
> > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > [YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
> > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> > ---
>
> Hello Martin,
>
> FYI, while it looked good, this patch and your whole series about glibc
> 2.43 support:
> * [scarthgap 04/11] dtc: backport fix for build with glibc-2.43
> * [scarthgap 05/11] pseudo: Add fix for glibc 2.43
> * [scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates
> * [scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43
> * [scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers
> * [scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host
> ... will be put on hold until I can test it: So, not until Ubuntu 26.04
> is released and the autobuilder gains an Ubuntu 26.04 worker (most likely
> after Wrynose release).

OK, I have a similar 7-patch series with additional fixes for m4, gettext,
systemd for whinlatter. Should I send it for review or put it on hold
as well?

I've built images with the latest 26.04 snapshot in docker with scarthgap,
whinlatter, wrynose for rpi - there might be more native recipes used
for other BSPs (or included only in bitbake world), but build-wise
these 2 series should cover most of it.

Regards,
* Re: [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43
From: Yoann Congal @ 2026-03-30 14:54 UTC
To: Martin Jansa; +Cc: openembedded-core
On Mon Mar 30, 2026 at 4:43 PM CEST, Martin Jansa wrote:
> On Mon, Mar 30, 2026 at 4:36 PM Yoann Congal <yoann.congal@smile.fr> wrote:
>>
>> On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
>> > From: Martin Jansa <martin.jansa@gmail.com>
>> >
>> > glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
>> > https://errors.yoctoproject.org/Errors/Details/903983/
>> >
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>> > 424 | sep = memchr(fixup_str, ':', fixup_len);
>> > | ^
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>> > 434 | sep = memchr(name, ':', fixup_len);
>> > | ^
>> > cc1: all warnings being treated as errors
>> >
>> > Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
>> > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
>> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>> > [YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
>> > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
>> > ---
>>
>> Hello Martin,
>>
>> FYI, while it looked good, this patch and your whole series about glibc
>> 2.43 support:
>> * [scarthgap 04/11] dtc: backport fix for build with glibc-2.43
>> * [scarthgap 05/11] pseudo: Add fix for glibc 2.43
>> * [scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates
>> * [scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43
>> * [scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers
>> * [scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host
>> ... will be put on hold until I can test it: So, not until Ubuntu 26.04
>> is released and the autobuilder gains an Ubuntu 26.04 worker (most likely
>> after Wrynose release).
>
> OK, I have a similar 7-patch series with additional fixes for m4, gettext,
> systemd for whinlatter. Should I send it for review or put it on hold
> as well?

Hold them as well. For the same reason, I won't be able to accept them
before whinlatter EOL.

> I've built images with the latest 26.04 snapshot in docker with scarthgap,
> whinlatter, wrynose for rpi - there might be more native recipes used
> for other BSPs (or included only in bitbake world), but build-wise
> these 2 series should cover most of it.

That's good to know, thanks!

> Regards,
--
Yoann Congal
Smile ECS
* Re: [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43
From: Martin Jansa @ 2026-04-20 8:29 UTC
To: Yoann Congal; +Cc: openembedded-core
Hello Yoann,

some of the follow-up glibc/gcc patches for ubuntu-26.04 are now in
your contrib/stable/scarthgap-nut, but the 6 changes from this PR are
still removed, is it intentional now when similar changes are going to
be merged in whinlatter? Should I resend the 6 on top of current
stable/scarthgap-nut?

Regards,

On Mon, Mar 30, 2026 at 4:36 PM Yoann Congal <yoann.congal@smile.fr> wrote:
>
> On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
> > From: Martin Jansa <martin.jansa@gmail.com>
> >
> > glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
> > https://errors.yoctoproject.org/Errors/Details/903983/
> >
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
> > 424 | sep = memchr(fixup_str, ':', fixup_len);
> > | ^
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
> > 434 | sep = memchr(name, ':', fixup_len);
> > | ^
> > cc1: all warnings being treated as errors
> >
> > Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
> > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > [YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
> > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> > ---
>
> Hello Martin,
>
> FYI, while it looked good, this patch and your whole series about glibc
> 2.43 support:
> * [scarthgap 04/11] dtc: backport fix for build with glibc-2.43
> * [scarthgap 05/11] pseudo: Add fix for glibc 2.43
> * [scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates
> * [scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43
> * [scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers
> * [scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host
> ... will be put on hold until I can test it: So, not until Ubuntu 26.04
> is released and the autobuilder gains an Ubuntu 26.04 worker (most likely
> after Wrynose release).
>
> Thanks!
>
> Regards,
>
> > .../0001-Fix-discarded-const-qualifiers.patch | 85 +++++++++++++++++++
> > meta/recipes-kernel/dtc/dtc_1.7.0.bb | 1 +
> > 2 files changed, 86 insertions(+)
> > create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
> >
> > diff --git a/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
> > new file mode 100644
> > index 00000000000..c643410ae9b
> > --- /dev/null
> > +++ b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
> > @@ -0,0 +1,85 @@
> > +From 861cb43eb53afff83e28ba0e0f88ffa464ebe8ca Mon Sep 17 00:00:00 2001
> > +From: Stephen Gallagher <sgallagh@redhat.com>
> > +Date: Tue, 6 Jan 2026 14:19:30 -0500
> > +Subject: [PATCH] Fix discarded const qualifiers
> > +
> > +It's unsafe to implicitly discard the const qualifier on a pointer. In
> > +overlay_fixup_phandle(), this was probably just an oversight, and making
> > +the "sep" variable a const char * is sufficient to fix it.
> > +
> > +In create_node(), however, the "p" variable is directly modifying the
> > +buffer pointed to by "const char* node_name". To fix this, we need to
> > +actually make a duplicate of the buffer and operate on that instead.
> > +
> > +This introduces a malloc()/free() and an unbounded strdup() into the
> > +operation, but fdtput isn't a long-running service and the node_name
> > +argument comes directly from argv, so this shouldn't introduce a
> > +significant performance impact.
> > +
> > +Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
> > +Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> > +Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
> > +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/libfdt/fdt_overlay.c?h=main&id=9a1c801a1a3c102bf95c5339c9e985b26b823a21]
> > +---
> > + fdtput.c | 8 +++++---
> > + libfdt/fdt_overlay.c | 3 ++-
> > + meson.build | 3 ++-
> > + 3 files changed, 9 insertions(+), 5 deletions(-)
> > +
> > +diff --git a/fdtput.c b/fdtput.c
> > +index c2fecf4..8deec7e 100644
> > +--- a/fdtput.c
> > ++++ b/fdtput.c
> > +@@ -230,19 +230,21 @@ static int create_paths(char **blob, const char *in_path)
> > + static int create_node(char **blob, const char *node_name)
> > + {
> > + int node = 0;
> > +- char *p;
> > ++ const char *p;
> > ++ char *path = NULL;
> > +
> > + p = strrchr(node_name, '/');
> > + if (!p) {
> > + report_error(node_name, -1, -FDT_ERR_BADPATH);
> > + return -1;
> > + }
> > +- *p = '\0';
> > +
> > + *blob = realloc_node(*blob, p + 1);
> > +
> > + if (p > node_name) {
> > +- node = fdt_path_offset(*blob, node_name);
> > ++ path = xstrndup(node_name, (size_t)(p - node_name));
> > ++ node = fdt_path_offset(*blob, path);
> > ++ free(path);
> > + if (node < 0) {
> > + report_error(node_name, -1, node);
> > + return -1;
> > +diff --git a/libfdt/fdt_overlay.c b/libfdt/fdt_overlay.c
> > +index 5c0c398..75b0619 100644
> > +--- a/libfdt/fdt_overlay.c
> > ++++ b/libfdt/fdt_overlay.c
> > +@@ -431,7 +431,8 @@ static int overlay_fixup_phandle(void *fdt, void *fdto, int symbols_off,
> > + const char *fixup_str = value;
> > + uint32_t path_len, name_len;
> > + uint32_t fixup_len;
> > +- char *sep, *endptr;
> > ++ const char *sep;
> > ++ char *endptr;
> > + int poffset, ret;
> > +
> > + fixup_end = memchr(value, '\0', len);
> > +diff --git a/meson.build b/meson.build
> > +index 8952e8a..ecb0ae0 100644
> > +--- a/meson.build
> > ++++ b/meson.build
> > +@@ -14,7 +14,8 @@ add_project_arguments(
> > + '-Wstrict-prototypes',
> > + '-Wmissing-prototypes',
> > + '-Wredundant-decls',
> > +- '-Wshadow'
> > ++ '-Wshadow',
> > ++ '-Wdiscarded-qualifiers'
> > + ]),
> > + language: 'c'
> > + )
> > diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> > index 0702fc16dfa..a2f41197fda 100644
> > --- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> > +++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> > @@ -12,6 +12,7 @@ SRC_URI = " \
> > git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \
> > file://0001-meson.build-bump-version-to-1.7.0.patch \
> > file://0002-meson-allow-building-from-shallow-clones.patch \
> > + file://0001-Fix-discarded-const-qualifiers.patch \
> > "
> > SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
> >
>
>
> --
> Yoann Congal
> Smile ECS
>
* Re: [OE-core][scarthgap 00/11] Patch review
From: Joao Marcos Costa @ 2026-04-20 8:44 UTC
To: openembedded-core; +Cc: Yoann Congal
Hello, Yoann

On 3/30/26 00:46, Yoann Congal via lists.openembedded.org wrote:
> Please review this set of changes for scarthgap and have comments back by
> end of day Tuesday, March 31.
>
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
> Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
> Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551
>
> [0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t
>
> The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:
>
> Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)
>
> are available in the Git repository at:
>
> https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
> https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
>
> for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:
>
> python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)
>
> ----------------------------------------------------------------
>
> João Marcos Costa (Schneider Electric) (1):
> spdx: add option to include only compiled sources
>
> Martin Jansa (3):
> dtc: backport fix for build with glibc-2.43
> elfutils: don't add -Werror to avoid discarded-qualifiers
> binutils: backport patch to fix build with glibc-2.43 on host
>
> Michael Halstead (2):
> yocto-uninative: Update to 5.0 for needed patchelf updates
> yocto-uninative: Update to 5.1 for glibc 2.43
>
> Nguyen Dat Tho (1):
> python3-cryptography: Fix CVE-2026-26007
>
> Paul Barker (1):
> tzdata,tzcode-native: Upgrade 2025b -> 2025c
>
> Richard Purdie (1):
> pseudo: Add fix for glibc 2.43
>
> Vijay Anusuri (2):
> python3-pyopenssl: Fix CVE-2026-27448
> python3-pyopenssl: Fix CVE-2026-27459
(...)

Was the commit below not picked, or am I missing something?

commit b24d5cda19136fb8120154279eedd55d162b4640
Author: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Date: Fri Apr 3 11:32:30 2026 +0200

linux-yocto/6.6: update CVE exclusions (6.6.123)

This new version of cve-exclusion_6.6.inc was generated with oe-core's
latest version of the generate-cve-exclusions.py.

Regarding the database used and how this file was generated:

Generated at 2026-04-03 09:30:32.247568+00:00 for kernel version 6.6.123
From cvelistV5 cve_2026-04-03_0700Z

The backporting of the generate-cve-exclusions.py script from master to
Scarthgap is handled in a different patch.

Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>

However, I see the commit below, prior to this one, was kept:

linux/generate-cve-exclusions: backport script from master branch

I'm not really used to the backports schedule/workflow, so please excuse
me if I misinterpreted something.

Thanks!

--
Best regards,
João Marcos Costa
* Re: [OE-core][scarthgap 00/11] Patch review
From: Yoann Congal @ 2026-04-20 9:21 UTC
To: Joao Marcos Costa, openembedded-core
On Mon Apr 20, 2026 at 10:44 AM CEST, Joao Marcos Costa wrote:
> Hello, Yoann
>
>
> On 3/30/26 00:46, Yoann Congal via lists.openembedded.org wrote:
>> Please review this set of changes for scarthgap and have comments back by
>> end of day Tuesday, March 31.
> (...)
>
> Was the commit below not picked, or am I missing something?
>
> commit b24d5cda19136fb8120154279eedd55d162b4640
> Author: João Marcos Costa (Schneider Electric)
> <joaomarcos.costa@bootlin.com>
> Date: Fri Apr 3 11:32:30 2026 +0200
>
> linux-yocto/6.6: update CVE exclusions (6.6.123)
>
> This new version of cve-exclusion_6.6.inc was generated with oe-core's
> latest version of the generate-cve-exclusions.py.
>
> Regarding the database used and how this file was generated:
>
> Generated at 2026-04-03 09:30:32.247568+00:00 for kernel version
> 6.6.123
> From cvelistV5 cve_2026-04-03_0700Z
>
> The backporting of the generate-cve-exclusions.py script from master to
> Scarthgap is handled in a different patch.
>
> Signed-off-by: João Marcos Costa (Schneider Electric)
> <joaomarcos.costa@bootlin.com>
>
> However, I see the commit below, prior to this one, was kept:
>
> linux/generate-cve-exclusions: backport script from master branch
>
> I'm not really used to the backports schedule/workflow, so please excuse
> me if I misinterpreted something.
>
> Thanks!

This patch triggered a problem in our infra. I received it directly from
you but it is missing from lore. And lore feeds patchwork, and I use
patchwork to prepare my review branch...

This is a known problem: 16167 – Missing (big) patch in patchwork
https://bugzilla.yoctoproject.org/show_bug.cgi?id=16167

I've reopened and added your patch to the bug log.

I will now integrate your patch in my review branch.

Thanks for the report, otherwise I would have missed it.

I'll try to check for this issue in the future but this will be hard to
spot. If you send a similar patch in the future don't hesitate to ping
me if you see it missing during the patch review period.

Regards,
--
Yoann Congal
Smile ECS
* Re: [OE-core][scarthgap 00/11] Patch review
From: Joao Marcos Costa @ 2026-04-20 10:51 UTC
To: openembedded-core
Hello,
On 4/20/26 11:21, Yoann Congal via lists.openembedded.org wrote:
> On Mon Apr 20, 2026 at 10:44 AM CEST, Joao Marcos Costa wrote:
>> Hello, Yoann
>>
>>
>> On 3/30/26 00:46, Yoann Congal via lists.openembedded.org wrote:
>>> Please review this set of changes for scarthgap and have comments back by
>>> end of day Tuesday, March 31.
>> (...)
>>
>> Was the commit below not picked, or am I missing something?
>>
>> commit b24d5cda19136fb8120154279eedd55d162b4640
>> Author: João Marcos Costa (Schneider Electric)
>> <joaomarcos.costa@bootlin.com>
>> Date: Fri Apr 3 11:32:30 2026 +0200
>>
>> linux-yocto/6.6: update CVE exclusions (6.6.123)
>>
>> This new version of cve-exclusion_6.6.inc was generated with oe-core's
>> latest version of the generate-cve-exclusions.py.
>>
>> Regarding the database used and how this file was generated:
>>
>> Generated at 2026-04-03 09:30:32.247568+00:00 for kernel version
>> 6.6.123
>> From cvelistV5 cve_2026-04-03_0700Z
>>
>> The backporting of the generate-cve-exclusions.py script from master to
>> Scarthgap is handled in a different patch.
>>
>> Signed-off-by: João Marcos Costa (Schneider Electric)
>> <joaomarcos.costa@bootlin.com>
>>
>> However, I see the commit below, prior to this one, was kept:
>>
>> linux/generate-cve-exclusions: backport script from master branch
>>
>> I'm not really used to the backports schedule/workflow, so please excuse
>> me if I misinterpreted something.
>>
>> Thanks!
>
> This patch triggered a problem in our infra. I received it directly from
> you but it is missing from lore. And lore feeds patchwork, and I use
> patchwork to prepare my review branch...
>
> This is a known problem: 16167 – Missing (big) patch in patchwork
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=16167
>
> I've reopened and added your patch to the bug log.
>
> I will now integrate your patch in my review branch.
>
> Thanks for the report, otherwise I would have missed it.
>
> I'll try to check for this issue in the future but this will be hard to
> spot. If you send a similar patch in the future don't hesitate to ping
> me if you see it missing during the patch review period.
>
> Regards,
Ack. Thanks!
--
Best regards,
João Marcos Costa
* Re: [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43
From: Yoann Congal @ 2026-04-20 16:54 UTC
To: Martin Jansa; +Cc: openembedded-core
On Mon Apr 20, 2026 at 10:29 AM CEST, Martin Jansa wrote:
> Hello Yoann,
>
> some of the follow-up glibc/gcc patches for ubuntu-26.04 are now in
> your contrib/stable/scarthgap-nut, but the 6 changes from this PR are
> still removed, is it intentional now when similar changes are going to
> be merged in whinlatter?

I've put some patches that I could not apply directly aside to test the
others.

> Should I resend the 6 on top of current
> stable/scarthgap-nut?

Yes, please. :)
That will be easier for me.

Thanks!

>
> Regards,
>
> On Mon, Mar 30, 2026 at 4:36 PM Yoann Congal <yoann.congal@smile.fr> wrote:
>>
>> On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
>> > From: Martin Jansa <martin.jansa@gmail.com>
>> >
>> > glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
>> > https://errors.yoctoproject.org/Errors/Details/903983/
>> >
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>> > 424 | sep = memchr(fixup_str, ':', fixup_len);
>> > | ^
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>> > 434 | sep = memchr(name, ':', fixup_len);
>> > | ^
>> > cc1: all warnings being treated as errors
>> >
>> > Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
>> > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
>> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>> > [YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
>> > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
>> > ---
>>
>> Hello Martin,
>>
>> FYI, while it looked good, this patch and your whole series about glibc
>> 2.43 support:
>> * [scarthgap 04/11] dtc: backport fix for build with glibc-2.43
>> * [scarthgap 05/11] pseudo: Add fix for glibc 2.43
>> * [scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates
>> * [scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43
>> * [scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers
>> * [scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host
>> ... will be put on hold until I can test it: So, not until Ubuntu 26.04
>> is released and the autobuilder gains an Ubuntu 26.04 worker (most likely
>> after Wrynose release).
>>
>> Thanks!
>>
>> Regards,
>>
>> > .../0001-Fix-discarded-const-qualifiers.patch | 85 +++++++++++++++++++
>> > meta/recipes-kernel/dtc/dtc_1.7.0.bb | 1 +
>> > 2 files changed, 86 insertions(+)
>> > create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
>> >
>> > diff --git a/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
>> > new file mode 100644
>> > index 00000000000..c643410ae9b
>> > --- /dev/null
>> > +++ b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
>> > @@ -0,0 +1,85 @@
>> > +From 861cb43eb53afff83e28ba0e0f88ffa464ebe8ca Mon Sep 17 00:00:00 2001
>> > +From: Stephen Gallagher <sgallagh@redhat.com>
>> > +Date: Tue, 6 Jan 2026 14:19:30 -0500
>> > +Subject: [PATCH] Fix discarded const qualifiers
>> > +
>> > +It's unsafe to implicitly discard the const qualifier on a pointer. In
>> > +overlay_fixup_phandle(), this was probably just an oversight, and making
>> > +the "sep" variable a const char * is sufficient to fix it.
>> > +
>> > +In create_node(), however, the "p" variable is directly modifying the
>> > +buffer pointed to by "const char* node_name". To fix this, we need to
>> > +actually make a duplicate of the buffer and operate on that instead.
>> > +
>> > +This introduces a malloc()/free() and an unbounded strdup() into the
>> > +operation, but fdtput isn't a long-running service and the node_name
>> > +argument comes directly from argv, so this shouldn't introduce a
>> > +significant performance impact.
>> > +
>> > +Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
>> > +Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
>> > +Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
>> > +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/libfdt/fdt_overlay.c?h=main&id=9a1c801a1a3c102bf95c5339c9e985b26b823a21]
>> > +---
>> > + fdtput.c | 8 +++++---
>> > + libfdt/fdt_overlay.c | 3 ++-
>> > + meson.build | 3 ++-
>> > + 3 files changed, 9 insertions(+), 5 deletions(-)
>> > +
>> > +diff --git a/fdtput.c b/fdtput.c
>> > +index c2fecf4..8deec7e 100644
>> > +--- a/fdtput.c
>> > ++++ b/fdtput.c
>> > +@@ -230,19 +230,21 @@ static int create_paths(char **blob, const char *in_path)
>> > + static int create_node(char **blob, const char *node_name)
>> > + {
>> > + int node = 0;
>> > +- char *p;
>> > ++ const char *p;
>> > ++ char *path = NULL;
>> > +
>> > + p = strrchr(node_name, '/');
>> > + if (!p) {
>> > + report_error(node_name, -1, -FDT_ERR_BADPATH);
>> > + return -1;
>> > + }
>> > +- *p = '\0';
>> > +
>> > + *blob = realloc_node(*blob, p + 1);
>> > +
>> > + if (p > node_name) {
>> > +- node = fdt_path_offset(*blob, node_name);
>> > ++ path = xstrndup(node_name, (size_t)(p - node_name));
>> > ++ node = fdt_path_offset(*blob, path);
>> > ++ free(path);
>> > + if (node < 0) {
>> > + report_error(node_name, -1, node);
>> > + return -1;
>> > +diff --git a/libfdt/fdt_overlay.c b/libfdt/fdt_overlay.c
>> > +index 5c0c398..75b0619 100644
>> > +--- a/libfdt/fdt_overlay.c
>> > ++++ b/libfdt/fdt_overlay.c
>> > +@@ -431,7 +431,8 @@ static int overlay_fixup_phandle(void *fdt, void *fdto, int symbols_off,
>> > + const char *fixup_str = value;
>> > + uint32_t path_len, name_len;
>> > + uint32_t fixup_len;
>> > +- char *sep, *endptr;
>> > ++ const char *sep;
>> > ++ char *endptr;
>> > + int poffset, ret;
>> > +
>> > + fixup_end = memchr(value, '\0', len);
>> > +diff --git a/meson.build b/meson.build
>> > +index 8952e8a..ecb0ae0 100644
>> > +--- a/meson.build
>> > ++++ b/meson.build
>> > +@@ -14,7 +14,8 @@ add_project_arguments(
>> > + '-Wstrict-prototypes',
>> > + '-Wmissing-prototypes',
>> > + '-Wredundant-decls',
>> > +- '-Wshadow'
>> > ++ '-Wshadow',
>> > ++ '-Wdiscarded-qualifiers'
>> > + ]),
>> > + language: 'c'
>> > + )
>> > diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
>> > index 0702fc16dfa..a2f41197fda 100644
>> > --- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb
>> > +++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
>> > @@ -12,6 +12,7 @@ SRC_URI = " \
>> > git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \
>> > file://0001-meson.build-bump-version-to-1.7.0.patch \
>> > file://0002-meson-allow-building-from-shallow-clones.patch \
>> > + file://0001-Fix-discarded-const-qualifiers.patch \
>> > "
>> > SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
>> >
>>
>>
>> --
>> Yoann Congal
>> Smile ECS
>>
--
Yoann Congal
Smile ECS