Cobalt 25.LTS.40 Stable Release

The Cobalt team has published updates to the Cobalt 25.lts.stable branch with tag 25.lts.40 (25.lts.40.1035033).

The Evergreen binaries are available on GitHub (5.40.2).

Cobalt Changes

Critical Bug Fixes

  • Network & I/O: Fixed DNS lookups for IPv6 addresses. Resolved potential infinite loops by correcting file read offsets. Avoided process crashes and URL leaks associated with poor network constraints. (#8053, #5360, #7589)
  • Media & Sockets: Refined handling of AVC parameter sets. Fixed a potential SIGSEGV in SbSocketWaiterPrivate initialization. (#5326, #8464)
  • Tests: Improved test execution by normalizing newline characters, adding a 1µs delay for cookie timestamps, sorting cookies for deterministic ordering in network unit tests, and refining SbPlayerGetMediaTimeTest. (#5215, #5216, #5217, #4835)

Android

  • Fixed incorrect mute status detection during Key Event handling. (#5195)
  • Corrected logic to reset the operating frame rate during flushes to prevent sync issues. (#8461)

RDK

  • Toolchain & Setup: Added extensive support for building Cobalt using an external RDK toolchain, integrated the RDK repository subtrees, and unified the Docker and developer RDK setups. (#5166, #5621, #5926, #6166, #6345)
  • Build Instructions & Integrations: Formalized build instructions for Cobalt 25 on RDK, created a robust BSP installer, and added gn.py testing arguments. (#5671, #5672, #7079)
  • Testing & CI: Enabled essential unit tests, disabled non-applicable failing tests, integrated test_runner.py execution, and introduced initial RDK CI framework support. (#5338, #5689, #5959, #6016)

Security Fixes

  • libxml2: Addressed multiple CVEs including CVE-2024-25062, CVE-2024-31852, CVE-2021-3116, CVE-2022-23308, and CVE-2023-5217. Fixed integer overflows, null dereferences, and dictionary corruption caused by entity reference cycles. (#4988, #4989, #4990, #5009, #5010, #5011, #5012, #5028, #5029, #5090, #5091)
  • libvpx & harfbuzz-ng: Mitigated CVE-2023-44488 in libvpx and CVE-2024-56732 in harfbuzz-ng. (#4991, #4970)
  • Skia: Fixed an out-of-bounds (OOB) issue that occurs when the glyph mask format does not match the atlas format. (#9546)

Updates/Improvements

  • Added ScopedJobThreadPtr class for improved job threading management. (#4275)
  • Added smaps tagging support for V8 memory allocation, improving memory profiling capabilities. (#9199)
  • Added tvOS foundational code. (#6514)
  • Updated SSL certificates. (#8574, #8649, #5256, #5258)
  • Updated Linux setup documentation to clarify LTS version checkouts. (#5243)
  • Fixed Raspberry Pi fallback Docker build configuration. (#4994)
  • Ensured GCS buckets are publicly accessible mirrors. (#5255)

Contact Points

Please contact our support channels if you have any problems, questions, or feedback.