* [OE-core][kirkstone 0/9] Patch review
@ 2022-05-23 13:59 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-05-23 13:59 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by end
of day Wednesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3692
The following changes since commit ec9e9497730f0a9c8ad3d696c8cdcec06267aacf:
base-passwd: Disable shell for default users (2022-05-16 13:59:44 -1000)
are available in the Git repository at:
git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (1):
mmc-utils: upgrade to latest revision
Claudius Heine (1):
classes: rootfs-postcommands: add skip option to overlayfs_qa_check
Marta Rybczynska (1):
cve-check: Fix report generation
Richard Purdie (2):
staging: Fix rare sysroot corruption issue
selftest/imagefeatures/overlayfs: Always append to DISTRO_FEATURES
Robert Joslyn (1):
curl: Backport CVE fixes
Samuli Piippo (1):
binutils: Bump to latest 2.38 release branch
Steve Sakoman (1):
python3: fix reproducibility issue with python3-core
wangmy (1):
librepo: upgrade 1.14.2 -> 1.14.3
meta/classes/cve-check.bbclass | 18 +-
meta/classes/rootfs-postcommands.bbclass | 10 +-
meta/classes/staging.bbclass | 24 +
meta/lib/oeqa/selftest/cases/imagefeatures.py | 2 +-
meta/lib/oeqa/selftest/cases/overlayfs.py | 36 +-
.../binutils/binutils-2.38.inc | 2 +-
.../{librepo_1.14.2.bb => librepo_1.14.3.bb} | 2 +-
meta/recipes-devtools/mmc/mmc-utils_git.bb | 2 +-
.../recipes-devtools/python/python3_3.10.4.bb | 5 +
.../curl/curl/CVE-2022-22576.patch | 145 ++++++
.../curl/curl/CVE-2022-27774-1.patch | 45 ++
.../curl/curl/CVE-2022-27774-2.patch | 80 +++
.../curl/curl/CVE-2022-27774-3.patch | 83 ++++
.../curl/curl/CVE-2022-27774-4.patch | 35 ++
.../curl/curl/CVE-2022-27775.patch | 37 ++
.../curl/curl/CVE-2022-27776.patch | 115 +++++
.../curl/curl/CVE-2022-27779.patch | 42 ++
.../curl/curl/CVE-2022-27780.patch | 33 ++
.../curl/curl/CVE-2022-27781.patch | 43 ++
.../curl/curl/CVE-2022-27782-1.patch | 458 ++++++++++++++++++
.../curl/curl/CVE-2022-27782-2.patch | 71 +++
.../curl/curl/CVE-2022-30115.patch | 82 ++++
meta/recipes-support/curl/curl_7.82.0.bb | 16 +-
23 files changed, 1362 insertions(+), 24 deletions(-)
rename meta/recipes-devtools/librepo/{librepo_1.14.2.bb => librepo_1.14.3.bb} (94%)
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-22576.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-2.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-3.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27774-4.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27775.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27776.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27779.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27780.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27781.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-1.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-27782-2.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2022-30115.patch
--
2.25.1
* [OE-core][kirkstone 0/9] Patch review
@ 2022-11-13 14:12 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2022-11-13 14:12 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4468
The following changes since commit 0c0723757fbba9a4b88c0f98477a18d1e220da2e:
mirrors.bbclass: use shallow tarball for binutils-native (2022-11-06 06:00:05 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexander Kanavin (2):
lttng-modules: upgrade 2.13.4 -> 2.13.5
quilt: backport a patch to address grep 3.8 failures
Hitendra Prajapati (1):
QEMU: CVE-2022-3165 VNC: integer underflow in vnc_client_cut_text_ext
leads to CPU exhaustion
Michael Opdenacker (1):
create-spdx.bbclass: remove unused SPDX_INCLUDE_PACKAGED
Narpat Mali (1):
python3-mako: backport fix for CVE-2022-40023
Ross Burton (3):
pixman: backport fix for CVE-2022-44638
sanity: check for GNU tar specifically
qemu: add io_uring PACKAGECONFIG
ciarancourtney (1):
wic: swap partitions are not added to fstab
meta/classes/create-spdx.bbclass | 2 -
meta/classes/sanity.bbclass | 8 +
.../python/python3-mako/CVE-2022-40023.patch | 119 +++++++++++++++
.../python/python3-mako_1.1.6.bb | 2 +
meta/recipes-devtools/qemu/qemu.inc | 3 +-
.../qemu/qemu/CVE-2022-3165.patch | 61 ++++++++
meta/recipes-devtools/quilt/quilt.inc | 1 +
.../quilt/quilt/fix-grep-3.8.patch | 144 ++++++++++++++++++
.../xorg-lib/pixman/CVE-2022-44638.patch | 33 ++++
.../xorg-lib/pixman_0.40.0.bb | 1 +
.../lttng-modules/0001-fix-compaction.patch | 68 ---------
...c-fix-tracepoint-mm_page_alloc_zone_.patch | 106 -------------
...oduce-kfree_skb_reason-v5.15.58.v5.1.patch | 53 -------
...ags-parameter-from-aops-write_begin-.patch | 76 ---------
...Fix-type-of-cpu-in-trace-event-v5.19.patch | 124 ---------------
...ules_2.13.4.bb => lttng-modules_2.13.5.bb} | 7 +-
scripts/lib/wic/plugins/imager/direct.py | 2 +-
17 files changed, 373 insertions(+), 437 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3-mako/CVE-2022-40023.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-3165.patch
create mode 100644 meta/recipes-devtools/quilt/quilt/fix-grep-3.8.patch
create mode 100644 meta/recipes-graphics/xorg-lib/pixman/CVE-2022-44638.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-compaction.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-mm-page_alloc-fix-tracepoint-mm_page_alloc_zone_.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0002-fix-fs-Remove-flags-parameter-from-aops-write_begin-.patch
delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0003-fix-workqueue-Fix-type-of-cpu-in-trace-event-v5.19.patch
rename meta/recipes-kernel/lttng/{lttng-modules_2.13.4.bb => lttng-modules_2.13.5.bb} (78%)
--
2.25.1
* [OE-core][kirkstone 0/9] Patch review
@ 2023-01-17 14:08 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-01-17 14:08 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4800
The following changes since commit 4760fac939a6204e3cb7dcd3699cd9a2508f9dee:
devtool: process local files only for the main branch (2023-01-12 04:56:26 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Bhabu Bindu (1):
qemu: Fix CVE-2022-4144
Daniel Gomez (1):
gtk-icon-cache: Fix GTKIC_CMD if-else condition
KARN JYE LAU (1):
freetype:update mirror site.
Martin Jansa (1):
ffmpeg: refresh patches to apply cleanly
Narpat Mali (3):
python3-setuptools: fix for CVE-2022-40897
python3-wheel: fix for CVE-2022-40898
python3-git: fix for CVE-2022-24439
Yash Shinde (1):
glibc: stable 2.35 branch updates.
Yogita Urade (1):
libksba: fix CVE-2022-47629
meta/classes/gtk-icon-cache.bbclass | 2 +-
meta/recipes-core/glibc/glibc-version.inc | 2 +-
...-git-CVE-2022-24439-fix-from-PR-1518.patch | 97 ++++
...-git-CVE-2022-24439-fix-from-PR-1521.patch | 488 ++++++++++++++++++
.../python/python3-git_3.1.27.bb | 4 +
...-of-whitespace-to-search-backtrack.-.patch | 31 ++
.../python/python3-setuptools_59.5.0.bb | 1 +
...tential-DoS-attack-via-WHEEL_INFO_RE.patch | 32 ++
.../python/python3-wheel_0.37.1.bb | 4 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2022-4144.patch | 99 ++++
.../freetype/freetype_2.11.1.bb | 2 +-
...c-stop-accessing-out-of-bounds-frame.patch | 19 +-
...c-stop-accessing-out-of-bounds-frame.patch | 7 +-
...-vp3-Add-missing-check-for-av_malloc.patch | 12 +-
...overflow-in-the-CRL-signature-parser.patch | 72 +++
meta/recipes-support/libksba/libksba_1.6.2.bb | 3 +-
17 files changed, 848 insertions(+), 28 deletions(-)
create mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
create mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch
create mode 100644 meta/recipes-devtools/python/python3-setuptools/0001-Limit-the-amount-of-whitespace-to-search-backtrack.-.patch
create mode 100644 meta/recipes-devtools/python/python3-wheel/0001-Fixed-potential-DoS-attack-via-WHEEL_INFO_RE.patch
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-4144.patch
create mode 100644 meta/recipes-support/libksba/libksba/0001-Fix-an-integer-overflow-in-the-CRL-signature-parser.patch
--
2.25.1
* [OE-core][kirkstone 0/9] Patch review
@ 2023-06-20 15:37 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2023-06-20 15:37 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5492
The following changes since commit 0e17a5a4f0e3301bf78f77bb5ca4aaf3e4dbc7af:
Revert "ipk: Decode byte data to string in manifest handling" (2023-06-17 05:18:44 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (1):
nasm: fix CVE-2022-46457
Bruce Ashfield (1):
kernel: don't force PAHOLE=false
Chen Qi (1):
staging.bbclass: do not add extend_recipe_sysroot to prefuncs of
prepare_recipe_sysroot
Lorenzo Arena (1):
conf: add nice level to the hash config ignred variables
Martin Jansa (1):
go.bbclass: don't use test to check output from ls
Pavel Zhukov (1):
lib/terminal.py: Add urxvt terminal
Ranjitsinh Rathod (1):
kmscube: Correct DEPENDS to avoid overwrite
Thomas Roos (1):
oeqa/selftest/cases/devtool.py: skip all tests require folder a git
repo
Wang Mingyu (1):
iso-codes: upgrade 4.13.0 -> 4.15.0
meta/classes/go.bbclass | 2 +-
meta/classes/kernel.bbclass | 2 +-
meta/classes/staging.bbclass | 2 +-
meta/conf/bitbake.conf | 2 +-
meta/lib/oe/terminal.py | 4 ++
meta/lib/oeqa/selftest/cases/devtool.py | 8 +++
.../nasm/nasm/CVE-2022-46457.patch | 50 +++++++++++++++++++
meta/recipes-devtools/nasm/nasm_2.15.05.bb | 1 +
meta/recipes-graphics/kmscube/kmscube_git.bb | 3 +-
...so-codes_4.13.0.bb => iso-codes_4.15.0.bb} | 2 +-
10 files changed, 69 insertions(+), 7 deletions(-)
create mode 100644 meta/recipes-devtools/nasm/nasm/CVE-2022-46457.patch
rename meta/recipes-support/iso-codes/{iso-codes_4.13.0.bb => iso-codes_4.15.0.bb} (94%)
--
2.34.1
* [OE-core][kirkstone 0/9] Patch review
@ 2024-03-07 23:37 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2024-03-07 23:37 UTC (permalink / raw)
To: openembedded-core
Unfortunately this series of linux-yocto version bumps has caused a
number of issues with adding and resizing partitions. The problem was
introduced in 5.15.132 and has not been fixed in any of the subsequent
version bumps.
Bruce and I have decided to revert this series until we have an acceptable fix.
Please have any comments back by end of day Monday, March 11.
The following changes since commit e5aae8a371717215a7d78459788ad67dfaefe37e:
golang: Fix CVE-2023-45289 & CVE-2023-45290 (2024-03-07 04:18:33 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Steve Sakoman (9):
Revert "linux-yocto/5.15: update CVE exclusions"
Revert "linux-yocto/5.15: update to v5.15.148"
Revert "linux-yocto/5.15: update CVE exclusions"
Revert "linux-yocto/5.15: update to v5.15.147"
Revert "linux-yocto/5.15: update CVE exclusions"
Revert "linux-yocto/5.15: update to v5.15.146"
Revert "linux-yocto/5.15: update to v5.15.145"
Revert "linux-yocto/5.15: update to v5.15.142"
Revert "linux-yocto/5.15: update to v5.15.141"
.../linux/cve-exclusion_5.15.inc | 372 ++----------------
.../linux/linux-yocto-rt_5.15.bb | 6 +-
.../linux/linux-yocto-tiny_5.15.bb | 6 +-
meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +-
4 files changed, 57 insertions(+), 353 deletions(-)
--
2.34.1
* [OE-core][kirkstone 0/9] Patch review
@ 2024-04-03 3:46 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2024-04-03 3:46 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 4
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6758
The following changes since commit 1b5405955c7c2579ed1f52522e2e177d0281fa33:
glibc: Fix subscript typos for get_nscd_addresses (2024-03-19 03:33:32 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Claus Stovgaard (1):
gcc: Backport sanitizer fix for 32-bit ALSR
Colin McAllister (1):
common-licenses: Backport missing license
Lee Chee Yang (2):
xwayland: fix CVE-2023-6816 CVE-2024-0408/0409
tiff: fix CVE-2023-52356 CVE-2023-6277
Meenali Gupta (1):
expat: fix CVE-2023-52425
Tan Wen Yan (1):
python3-urllib3: update to v1.26.18
Vijay Anusuri (2):
curl: backport Debian patch for CVE-2024-2398
qemu: Fix for CVE-2023-6683
aszh07 (1):
nghttp2: fix CVE-2023-44487
.../LGPL-3.0-with-zeromq-exception | 181 ++++
.../expat/expat/CVE-2023-52425-0001.patch | 40 +
.../expat/expat/CVE-2023-52425-0002.patch | 87 ++
.../expat/expat/CVE-2023-52425-0003.patch | 222 +++++
.../expat/expat/CVE-2023-52425-0004.patch | 42 +
.../expat/expat/CVE-2023-52425-0005.patch | 69 ++
.../expat/expat/CVE-2023-52425-0006.patch | 67 ++
.../expat/expat/CVE-2023-52425-0007.patch | 159 +++
.../expat/expat/CVE-2023-52425-0008.patch | 95 ++
.../expat/expat/CVE-2023-52425-0009.patch | 52 +
.../expat/expat/CVE-2023-52425-0010.patch | 111 +++
.../expat/expat/CVE-2023-52425-0011.patch | 89 ++
.../expat/expat/CVE-2023-52425-0012.patch | 87 ++
meta/recipes-core/expat/expat_2.5.0.bb | 12 +
meta/recipes-devtools/gcc/gcc-11.4.inc | 1 +
.../gcc/gcc/0031-gcc-sanitizers-fix.patch | 63 ++
..._1.26.17.bb => python3-urllib3_1.26.18.bb} | 2 +-
meta/recipes-devtools/qemu/qemu.inc | 1 +
.../qemu/qemu/CVE-2023-6683.patch | 92 ++
.../xwayland/xwayland/CVE-2023-6816.patch | 57 ++
.../xwayland/xwayland/CVE-2024-0408.patch | 65 ++
.../xwayland/xwayland/CVE-2024-0409.patch | 47 +
.../xwayland/xwayland_22.1.8.bb | 3 +
.../libtiff/tiff/CVE-2023-52356.patch | 54 +
.../libtiff/tiff/CVE-2023-6277-1.patch | 178 ++++
.../libtiff/tiff/CVE-2023-6277-2.patch | 151 +++
.../libtiff/tiff/CVE-2023-6277-3.patch | 46 +
.../libtiff/tiff/CVE-2023-6277-4.patch | 93 ++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 5 +
.../curl/curl/CVE-2024-2398.patch | 89 ++
meta/recipes-support/curl/curl_7.82.0.bb | 1 +
.../nghttp2/nghttp2/CVE-2023-44487.patch | 927 ++++++++++++++++++
.../recipes-support/nghttp2/nghttp2_1.47.0.bb | 1 +
33 files changed, 3188 insertions(+), 1 deletion(-)
create mode 100644 meta/files/common-licenses/LGPL-3.0-with-zeromq-exception
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch
create mode 100644 meta/recipes-devtools/gcc/gcc/0031-gcc-sanitizers-fix.patch
rename meta/recipes-devtools/python/{python3-urllib3_1.26.17.bb => python3-urllib3_1.26.18.bb} (86%)
create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2023-6816.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0408.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2024-0409.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-52356.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-1.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-2.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-3.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6277-4.patch
create mode 100644 meta/recipes-support/curl/curl/CVE-2024-2398.patch
create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch
--
2.34.1
* [OE-core][kirkstone 0/9] Patch review
@ 2024-06-22 11:57 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2024-06-22 11:57 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, June 25
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7065
The following changes since commit ab2649ef6c83f0ae7cac554a72e6bea4dcda0e99:
build-appliance-image: Update to kirkstone head revision (2024-06-01 19:12:27 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Changqing Li (1):
man-pages: remove conflict pages
Deepthi Hemraj (1):
glibc: stable 2.35 branch updates
Khem Raj (1):
gobject-introspection: Do not hardcode objdump name
Peter Marko (1):
glib-2.0: patch CVE-2024-34397
Siddharth (1):
openssl: Upgrade 3.0.13 -> 3.0.14
Siddharth Doshi (1):
libxml2: Security fix for CVE-2024-34459
Thomas Perrot (1):
man-pages: add an alternative link name for crypt_r.3
Yogita Urade (2):
acpica: fix CVE-2024-24856
ruby: fix CVE-2024-27280
.../openssl/openssl/CVE-2024-2511.patch | 122 ---
.../openssl/openssl/CVE-2024-4603.patch | 180 ----
.../{openssl_3.0.13.bb => openssl_3.0.14.bb} | 4 +-
.../glib-2.0/glib-2.0/CVE-2024-34397_01.patch | 129 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_02.patch | 62 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_03.patch | 985 ++++++++++++++++++
.../glib-2.0/glib-2.0/CVE-2024-34397_04.patch | 253 +++++
.../glib-2.0/glib-2.0/CVE-2024-34397_05.patch | 88 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_06.patch | 263 +++++
.../glib-2.0/glib-2.0/CVE-2024-34397_07.patch | 45 +
.../glib-2.0/glib-2.0/CVE-2024-34397_08.patch | 168 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_09.patch | 81 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_10.patch | 108 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_11.patch | 133 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_12.patch | 173 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_13.patch | 513 +++++++++
.../glib-2.0/glib-2.0/CVE-2024-34397_14.patch | 75 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_15.patch | 47 +
.../glib-2.0/glib-2.0/CVE-2024-34397_16.patch | 62 ++
.../glib-2.0/glib-2.0/CVE-2024-34397_17.patch | 121 +++
.../glib-2.0/glib-2.0/CVE-2024-34397_18.patch | 50 +
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 18 +
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../libxml/libxml2/CVE-2024-34459.patch | 30 +
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
.../ruby/ruby/CVE-2024-27280.patch | 87 ++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 +
.../acpica/acpica/CVE-2024-24856.patch | 33 +
.../acpica/acpica_20211217.bb | 4 +-
.../man-pages/man-pages_5.13.bb | 12 +-
.../gobject-introspection_1.72.0.bb | 2 +-
31 files changed, 3536 insertions(+), 316 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
rename meta/recipes-connectivity/openssl/{openssl_3.0.13.bb => openssl_3.0.14.bb} (98%)
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_02.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_03.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_04.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_05.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_06.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_07.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_08.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_09.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_10.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_11.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_12.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_13.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_14.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_15.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_16.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_17.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2024-34397_18.patch
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-34459.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-27280.patch
create mode 100644 meta/recipes-extended/acpica/acpica/CVE-2024-24856.patch
--
2.34.1
* [OE-core][kirkstone 0/9] Patch review
@ 2024-12-17 20:54 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2024-12-17 20:54 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, December 19
Passed a-full on autobuilder:
https://valkyrie.yoctoproject.org/#/builders/29/builds/663
The following changes since commit b132b817f5931b290e5348dd4a17fbfdc5c6e2c4:
dbus: disable assertions and enable only modular tests (2024-12-10 05:38:29 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alex Kiernan (1):
base-passwd: Add the sgx group
Alexandre Belloni (1):
base-passwd: fix patchreview warning
Ernst Persson (1):
package.bbclass: Use shlex instead of deprecated pipes
Jiaying Song (1):
subversion: fix CVE-2024-46901
Louis Rannou (1):
base-passwd: add the wheel group
Peter Kjellerstedt (3):
base-passwd: Regenerate the patches
base-passwd: Update to 3.5.52
base-passwd: Update the status for two patches
Yogita Urade (1):
xserver-xorg: fix CVE-2024-9632
meta/classes/package.bbclass | 4 +-
.../0001-Add-a-shutdown-group.patch | 26 +++
.../0001-base-passwd-Add-the-sgx-group.patch | 30 ++++
...nstead-of-bin-bash-for-the-root-user.patch | 23 +++
...t-since-we-do-not-have-an-etc-shadow.patch | 21 +++
...put-group-for-the-dev-input-devices.patch} | 17 +-
.../{kvm.patch => 0005-Add-kvm-group.patch} | 2 +-
...ble-to-build-without-debconf-support.patch | 129 ++++++++++++++
...-to-disable-the-generation-of-the-do.patch | 46 +++++
.../base-passwd/0008-Add-wheel-group.patch | 20 +++
.../base-passwd/add_shutdown.patch | 19 ---
.../base-passwd/disable-docs.patch | 24 ---
.../base-passwd/disable-shell.patch | 57 -------
.../base-passwd/base-passwd/nobash.patch | 15 --
.../base-passwd/base-passwd/noshadow.patch | 14 --
...passwd_3.5.29.bb => base-passwd_3.5.52.bb} | 30 ++--
.../subversion/CVE-2024-46901.patch | 161 ++++++++++++++++++
.../subversion/subversion_1.14.2.bb | 3 +-
.../xserver-xorg/CVE-2024-9632.patch | 58 +++++++
.../xorg-xserver/xserver-xorg_21.1.8.bb | 1 +
20 files changed, 547 insertions(+), 153 deletions(-)
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-Add-a-shutdown-group.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0002-Use-bin-sh-instead-of-bin-bash-for-the-root-user.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0003-Remove-for-root-since-we-do-not-have-an-etc-shadow.patch
rename meta/recipes-core/base-passwd/base-passwd/{input.patch => 0004-Add-an-input-group-for-the-dev-input-devices.patch} (42%)
rename meta/recipes-core/base-passwd/base-passwd/{kvm.patch => 0005-Add-kvm-group.patch} (88%)
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0006-Make-it-possible-to-build-without-debconf-support.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0007-Make-it-possible-to-disable-the-generation-of-the-do.patch
create mode 100644 meta/recipes-core/base-passwd/base-passwd/0008-Add-wheel-group.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/add_shutdown.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-docs.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/disable-shell.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/nobash.patch
delete mode 100644 meta/recipes-core/base-passwd/base-passwd/noshadow.patch
rename meta/recipes-core/base-passwd/{base-passwd_3.5.29.bb => base-passwd_3.5.52.bb} (79%)
create mode 100644 meta/recipes-devtools/subversion/subversion/CVE-2024-46901.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-9632.patch
--
2.34.1
* [OE-core][kirkstone 0/9] Patch review
@ 2025-07-04 15:28 Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 1/9] libarchive: Fix CVE-2025-5914 Steve Sakoman
` (8 more replies)
0 siblings, 9 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, July 8
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1949
The following changes since commit 75e54301c5076eb0454aee33c870adf078f563fd:
build-appliance-image: Update to kirkstone head revision (2025-06-27 08:10:04 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Archana Polampalli (6):
xwayland: fix CVE-2025-49175
xwayland: fix CVE-2025-49176
xwayland: fix CVE-2025-49177
xwayland: fix CVE-2025-49178
xwayland: fix CVE-2025-49178
xwayland: fix CVE-2025-49180
Chen Qi (1):
systemd: backport patches to fix CVE-2025-4598
Colin Pinnell McAllister (1):
libarchive: Fix CVE-2025-5914
Yogita Urade (1):
python3-urllib3: fix CVE-2025-50181
.../systemd/systemd/CVE-2025-4598-0001.patch | 92 ++++++++
.../systemd/systemd/CVE-2025-4598-0002.patch | 106 +++++++++
.../systemd/systemd/CVE-2025-4598-0003.patch | 144 ++++++++++++
.../systemd/systemd/CVE-2025-4598-0004.patch | 36 +++
meta/recipes-core/systemd/systemd_250.14.bb | 4 +
.../python3-urllib3/CVE-2025-50181.patch | 214 ++++++++++++++++++
.../python/python3-urllib3_1.26.18.bb | 4 +
.../libarchive/libarchive/CVE-2025-5914.patch | 46 ++++
.../libarchive/libarchive_3.6.2.bb | 1 +
.../xwayland/xwayland/CVE-2025-49175.patch | 92 ++++++++
.../xwayland/CVE-2025-49176-0001.patch | 93 ++++++++
.../xwayland/CVE-2025-49176-0002.patch | 38 ++++
.../xwayland/xwayland/CVE-2025-49177.patch | 55 +++++
.../xwayland/xwayland/CVE-2025-49178.patch | 50 ++++
.../xwayland/xwayland/CVE-2025-49179.patch | 69 ++++++
.../xwayland/xwayland/CVE-2025-49180.patch | 45 ++++
.../xwayland/xwayland_22.1.8.bb | 7 +
17 files changed, 1096 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch
create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
--
2.43.0
* [OE-core][kirkstone 1/9] libarchive: Fix CVE-2025-5914
2025-07-04 15:28 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
@ 2025-07-04 15:28 ` Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 2/9] systemd: backport patches to fix CVE-2025-4598 Steve Sakoman
` (7 subsequent siblings)
8 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
From: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Adds patch to backport fix for CVE-2025-5914.
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libarchive/libarchive/CVE-2025-5914.patch | 46 +++++++++++++++++++
.../libarchive/libarchive_3.6.2.bb | 1 +
2 files changed, 47 insertions(+)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
new file mode 100644
index 0000000000..5607420093
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
@@ -0,0 +1,46 @@
+From cb0d2b0c9a7f1672d4edaa4beacdd96e5b53ead1 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <stoeckmann@users.noreply.github.com>
+Date: Sun, 11 May 2025 02:17:19 +0200
+Subject: [PATCH] rar: Fix double free with over 4 billion nodes (#2598)
+
+If a system is capable of handling 4 billion nodes in memory, a double
+free could occur because of an unsigned integer overflow leading to a
+realloc call with size argument of 0. Eventually, the client will
+release that memory again, triggering a double free.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+
+CVE: CVE-2025-5914
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/09685126fcec664e2b8ca595e1fc371bd494d209]
+Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
+---
+ libarchive/archive_read_support_format_rar.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 793e8e98..b9f5450d 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -335,8 +335,8 @@ struct rar
+ int found_first_header;
+ char has_endarc_header;
+ struct data_block_offsets *dbo;
+- unsigned int cursor;
+- unsigned int nodes;
++ size_t cursor;
++ size_t nodes;
+ char filename_must_match;
+
+ /* LZSS members */
+@@ -1186,7 +1186,7 @@ archive_read_format_rar_seek_data(struct archive_read *a, int64_t offset,
+ int whence)
+ {
+ int64_t client_offset, ret;
+- unsigned int i;
++ size_t i;
+ struct rar *rar = (struct rar *)(a->format->data);
+
+ if (rar->compression_method == COMPRESS_METHOD_STORE)
+--
+2.49.0
+
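Review bot: in the `struct rar` hunk and in archive_read_format_rar_seek_data() the fix consists only of widening `cursor`, `nodes` and the loop index `i` from unsigned int to size_t, so on 32-bit kirkstone targets, where size_t typically has the same width as unsigned int, the types are unchanged in practice; a sentence in the patch header saying the overflow is only reachable on hosts that can hold that many nodes would save the next reader the question. The realloc call the commit message describes is outside the visible context, so please confirm that in 3.6.2 no other local variable or format string still treats these counters as unsigned int. The From line carries cb0d2b0c9a7f1672d4edaa4beacdd96e5b53ead1 while Upstream-Status points at 09685126fcec664e2b8ca595e1fc371bd494d209; state which tree the first hash comes from.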
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index 87d3794ab7..4d0e3f7179 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
file://CVE-2024-48958.patch \
file://CVE-2024-20696.patch \
file://CVE-2025-25724.patch \
+ file://CVE-2025-5914.patch \
"
UPSTREAM_CHECK_URI = "http://libarchive.org/"
--
2.43.0
* [OE-core][kirkstone 2/9] systemd: backport patches to fix CVE-2025-4598
2025-07-04 15:28 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 1/9] libarchive: Fix CVE-2025-5914 Steve Sakoman
@ 2025-07-04 15:28 ` Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 3/9] python3-urllib3: fix CVE-2025-50181 Steve Sakoman
` (6 subsequent siblings)
8 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
Patch 0003 is the actual patch to fix CVE.
Patch 0002 is a preparation patch which systemd upstream uses for
all actively maintained branches in preparation for patch 0003.
Patch 0001 is a bug fix patch and is needed to avoid conflict introduced
by patch 0002. Note that patch 0002 claims itself to be of no functional
change, so this patch 0001 is really needed for patch 0002.
Patch 0004 is a compilation fix patch which adds a macro needed by
previous 0002 patch.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../systemd/systemd/CVE-2025-4598-0001.patch | 92 +++++++++++
.../systemd/systemd/CVE-2025-4598-0002.patch | 106 +++++++++++++
.../systemd/systemd/CVE-2025-4598-0003.patch | 144 ++++++++++++++++++
.../systemd/systemd/CVE-2025-4598-0004.patch | 36 +++++
meta/recipes-core/systemd/systemd_250.14.bb | 4 +
5 files changed, 382 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch
diff --git a/meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch
new file mode 100644
index 0000000000..cf27acafe9
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0001.patch
@@ -0,0 +1,92 @@
+From 2108812a76bd078a2bbd7583308ff18bf01f2383 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 29 Apr 2025 14:47:59 +0200
+Subject: [PATCH 1/3] coredump: restore compatibility with older patterns
+
+This was broken in f45b8015513d38ee5f7cc361db9c5b88c9aae704. Unfortunately
+the review does not talk about backward compatibility at all. There are
+two places where it matters:
+- During upgrades, the replacement of kernel.core_pattern is asynchronous.
+ For example, during rpm upgrades, it would be updated a post-transaction
+ file trigger. In other scenarios, the update might only happen after
+ reboot. We have a potentially long window where the old pattern is in
+ place. We need to capture coredumps during upgrades too.
+- With --backtrace. The interface of --backtrace, in hindsight, is not
+ great. But there are users of --backtrace which were written to use
+ a specific set of arguments, and we can't just break compatiblity.
+ One example is systemd-coredump-python, but there are also reports of
+ users using --backtrace to generate coredump logs.
+
+Thus, we require the original set of args, and will use the additional args if
+found.
+
+A test is added to verify that --backtrace works with and without the optional
+args.
+
+(cherry picked from commit ded0aac389e647d35bce7ec4a48e718d77c0435b)
+(cherry picked from commit f9b8b75c11bba9b63096904be98cc529c304eb97)
+(cherry picked from commit 385a33b043406ad79a7207f3906c3b15192a3333)
+(cherry picked from commit c6f79626b6d175c6a5b62b8c5d957a83eb882301)
+(cherry picked from commit 9f02346d50e33c24acf879ce4dd5937d56473325)
+(cherry picked from commit ac0aa5d1fdc21db1ef035fce562cb6fc8602b544)
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/cadd1b1a1f39fd13b1115a10f563017201d7b56a]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/coredump/coredump.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
+index 79280ab986..d598f6f59a 100644
+--- a/src/coredump/coredump.c
++++ b/src/coredump/coredump.c
+@@ -84,8 +84,12 @@ enum {
+ META_ARGV_SIGNAL, /* %s: number of signal causing dump */
+ META_ARGV_TIMESTAMP, /* %t: time of dump, expressed as seconds since the Epoch (we expand this to µs granularity) */
+ META_ARGV_RLIMIT, /* %c: core file size soft resource limit */
+- META_ARGV_HOSTNAME, /* %h: hostname */
++ _META_ARGV_REQUIRED,
++ /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */
++ META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */
+ _META_ARGV_MAX,
++ /* If new fields are added, they should be added here, to maintain compatibility
++ * with callers which don't know about the new fields. */
+
+ /* The following indexes are cached for a couple of special fields we use (and
+ * thereby need to be retrieved quickly) for naming coredump files, and attaching
+@@ -96,7 +100,7 @@ enum {
+ _META_MANDATORY_MAX,
+
+ /* The rest are similar to the previous ones except that we won't fail if one of
+- * them is missing. */
++ * them is missing in a message sent over the socket. */
+
+ META_EXE = _META_MANDATORY_MAX,
+ META_UNIT,
+@@ -1278,14 +1282,17 @@ static int gather_pid_metadata_from_argv(
+ char *t;
+
+ /* We gather all metadata that were passed via argv[] into an array of iovecs that
+- * we'll forward to the socket unit */
++ * we'll forward to the socket unit.
++ *
++ * We require at least _META_ARGV_REQUIRED args, but will accept more.
++ * We know how to parse _META_ARGV_MAX args. The rest will be ignored. */
+
+- if (argc < _META_ARGV_MAX)
++ if (argc < _META_ARGV_REQUIRED)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+- "Not enough arguments passed by the kernel (%i, expected %i).",
+- argc, _META_ARGV_MAX);
++ "Not enough arguments passed by the kernel (%i, expected between %i and %i).",
++ argc, _META_ARGV_REQUIRED, _META_ARGV_MAX);
+
+- for (int i = 0; i < _META_ARGV_MAX; i++) {
++ for (int i = 0; i < MIN(argc, _META_ARGV_MAX); i++) {
+
+ t = argv[i];
+
+--
+2.34.1
+
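Review bot: the commit message says a test is added to verify that --backtrace works with and without the optional args, but the diffstat lists only src/coredump/coredump.c, so the test did not come along with this backport; say so in the patch header or carry the test. In gather_pid_metadata_from_argv() the loop now stops at MIN(argc, _META_ARGV_MAX), which leaves the entry for META_ARGV_HOSTNAME unset when the kernel passes only the required arguments; the consumers of that entry are outside the visible lines, so confirm they accept a missing hostname in 250.14.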
diff --git a/meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch
new file mode 100644
index 0000000000..0520bac87c
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0002.patch
@@ -0,0 +1,106 @@
+From fb22bb743556d4d14463b0f0373c24d07d2e7b28 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 26 May 2025 12:04:44 +0200
+Subject: [PATCH 2/3] coredump: get rid of _META_MANDATORY_MAX
+
+No functional change. This change is done in preparation for future changes.
+Currently, the list of fields which are received on the command line is a
+strict subset of the fields which are always expected to be received on a
+socket. But when we add new kernel args in the future, we'll have two
+non-overlapping sets and this approach will not work. Get rid of the variable
+and enumerate the required fields. This set will never change, so this is
+actually more maintainable.
+
+The message with the hint where to add new fields is switched with
+_META_ARGV_MAX. The new order is more correct.
+
+(cherry-picked from 49f1f2d4a7612bbed5211a73d11d6a94fbe3bb69)
+(cherry-picked from aea6a631bca93e8b04a11aaced694f25f4da155e)
+(cherry picked from cf16b6b6b2e0a656531bfd73ad66be3817b155cd)
+
+(cherry picked from commit b46a4f023cd80b24c8f1aa7a95700bc0cb828cdc)
+(cherry picked from commit 5855552310ed279180c21cb803408aa2ce36053d)
+(cherry picked from commit cc31f2d4146831b9f2fe7bf584468908ff9c4de5)
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/2c81e60fe0b8c506a4fe902e45bed6f58f482b39]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/coredump/coredump.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
+index d598f6f59a..0b27086288 100644
+--- a/src/coredump/coredump.c
++++ b/src/coredump/coredump.c
+@@ -71,7 +71,7 @@
+ * size. See DATA_SIZE_MAX in journal-importer.h. */
+ assert_cc(JOURNAL_SIZE_MAX <= DATA_SIZE_MAX);
+
+-enum {
++typedef enum {
+ /* We use these as array indexes for our process metadata cache.
+ *
+ * The first indices of the cache stores the same metadata as the ones passed by
+@@ -87,9 +87,9 @@ enum {
+ _META_ARGV_REQUIRED,
+ /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */
+ META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */
+- _META_ARGV_MAX,
+ /* If new fields are added, they should be added here, to maintain compatibility
+ * with callers which don't know about the new fields. */
++ _META_ARGV_MAX,
+
+ /* The following indexes are cached for a couple of special fields we use (and
+ * thereby need to be retrieved quickly) for naming coredump files, and attaching
+@@ -97,16 +97,15 @@ enum {
+ * environment. */
+
+ META_COMM = _META_ARGV_MAX,
+- _META_MANDATORY_MAX,
+
+ /* The rest are similar to the previous ones except that we won't fail if one of
+ * them is missing in a message sent over the socket. */
+
+- META_EXE = _META_MANDATORY_MAX,
++ META_EXE,
+ META_UNIT,
+ META_PROC_AUXV,
+ _META_MAX
+-};
++} meta_argv_t;
+
+ static const char * const meta_field_names[_META_MAX] = {
+ [META_ARGV_PID] = "COREDUMP_PID=",
+@@ -1192,12 +1191,24 @@ static int process_socket(int fd) {
+ if (r < 0)
+ goto finish;
+
+- /* Make sure we received at least all fields we need. */
+- for (int i = 0; i < _META_MANDATORY_MAX; i++)
++ /* Make sure we received all the expected fields. We support being called by an *older*
++ * systemd-coredump from the outside, so we require only the basic set of fields that
++ * was being sent when the support for sending to containers over a socket was added
++ * in a108c43e36d3ceb6e34efe37c014fc2cda856000. */
++ meta_argv_t i;
++ VA_ARGS_FOREACH(i,
++ META_ARGV_PID,
++ META_ARGV_UID,
++ META_ARGV_GID,
++ META_ARGV_SIGNAL,
++ META_ARGV_TIMESTAMP,
++ META_ARGV_RLIMIT,
++ META_ARGV_HOSTNAME,
++ META_COMM)
+ if (!context.meta[i]) {
+ r = log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+- "A mandatory argument (%i) has not been sent, aborting.",
+- i);
++ "Mandatory argument %s not received on socket, aborting.",
++ meta_field_names[i]);
+ goto finish;
+ }
+
+--
+2.34.1
+
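Review bot: VA_ARGS_FOREACH, used in process_socket(), is not defined by this patch or by 0001; the cover text says it arrives with 0004, so the series only builds once all four are applied. Listing the macro patch ahead of this one in SRC_URI would keep each step buildable. The new error message prints meta_field_names[i], whose entries end in "=" (for example "COREDUMP_PID="), so the log line will read "Mandatory argument COREDUMP_PID= not received on socket"; harmless, but worth knowing when grepping logs.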
diff --git a/meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch
new file mode 100644
index 0000000000..737121af12
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0003.patch
@@ -0,0 +1,144 @@
+From 89730dea979b2d22fd548b622cd88bac99ff1d6b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 29 Apr 2025 14:47:59 +0200
+Subject: [PATCH 3/3] coredump: use %d in kernel core pattern
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The kernel provides %d which is documented as
+"dump mode—same as value returned by prctl(2) PR_GET_DUMPABLE".
+
+We already query /proc/pid/auxv for this information, but unfortunately this
+check is subject to a race, because the crashed process may be replaced by an
+attacker before we read this data, for example replacing a SUID process that
+was killed by a signal with another process that is not SUID, tricking us into
+making the coredump of the original process readable by the attacker.
+
+With this patch, we effectively add one more check to the list of conditions
+that need be satisfied if we are to make the coredump accessible to the user.
+
+Reportedy-by: Qualys Security Advisory <qsa@qualys.com>
+
+(cherry-picked from commit 0c49e0049b7665bb7769a13ef346fef92e1ad4d6)
+(cherry-picked from commit c58a8a6ec9817275bb4babaa2c08e0e35090d4e3)
+(cherry picked from commit 19d439189ab85dd7222bdd59fd442bbcc8ea99a7)
+(cherry picked from commit 254ab8d2a7866679cee006d844d078774cbac3c9)
+(cherry picked from commit 7fc7aa5a4d28d7768dfd1eb85be385c3ea949168)
+(cherry picked from commit 19b228662e0fcc6596c0395a0af8486a4b3f1627)
+
+CVE: CVE-2025-4598
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/2eb46dce078334805c547cbcf5e6462cf9d2f9f0]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ man/systemd-coredump.xml | 12 ++++++++++++
+ src/coredump/coredump.c | 21 ++++++++++++++++++---
+ sysctl.d/50-coredump.conf.in | 2 +-
+ 3 files changed, 31 insertions(+), 4 deletions(-)
+
+diff --git a/man/systemd-coredump.xml b/man/systemd-coredump.xml
+index cb9f47745b..ba7cad12bc 100644
+--- a/man/systemd-coredump.xml
++++ b/man/systemd-coredump.xml
+@@ -259,6 +259,18 @@ COREDUMP_FILENAME=/var/lib/systemd/coredump/core.Web….552351.….zst
+ </listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term><varname>COREDUMP_DUMPABLE=</varname></term>
++
++ <listitem><para>The <constant>PR_GET_DUMPABLE</constant> field as reported by the kernel, see
++ <citerefentry
++ project='man-pages'><refentrytitle>prctl</refentrytitle><manvolnum>2</manvolnum></citerefentry>.
++ </para>
++
++ <xi:include href="version-info.xml" xpointer="v258"/>
++ </listitem>
++ </varlistentry>
++
+ <varlistentry>
+ <term><varname>COREDUMP_OPEN_FDS=</varname></term>
+
+diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
+index 0b27086288..aca6a2eb6b 100644
+--- a/src/coredump/coredump.c
++++ b/src/coredump/coredump.c
+@@ -87,6 +87,7 @@ typedef enum {
+ _META_ARGV_REQUIRED,
+ /* The fields below were added to kernel/core_pattern at later points, so they might be missing. */
+ META_ARGV_HOSTNAME = _META_ARGV_REQUIRED, /* %h: hostname */
++ META_ARGV_DUMPABLE, /* %d: as set by the kernel */
+ /* If new fields are added, they should be added here, to maintain compatibility
+ * with callers which don't know about the new fields. */
+ _META_ARGV_MAX,
+@@ -115,6 +116,7 @@ static const char * const meta_field_names[_META_MAX] = {
+ [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=",
+ [META_ARGV_RLIMIT] = "COREDUMP_RLIMIT=",
+ [META_ARGV_HOSTNAME] = "COREDUMP_HOSTNAME=",
++ [META_ARGV_DUMPABLE] = "COREDUMP_DUMPABLE=",
+ [META_COMM] = "COREDUMP_COMM=",
+ [META_EXE] = "COREDUMP_EXE=",
+ [META_UNIT] = "COREDUMP_UNIT=",
+@@ -125,6 +127,7 @@ typedef struct Context {
+ const char *meta[_META_MAX];
+ size_t meta_size[_META_MAX];
+ pid_t pid;
++ unsigned dumpable;
+ bool is_pid1;
+ bool is_journald;
+ } Context;
+@@ -470,14 +473,16 @@ static int grant_user_access(int core_fd, const Context *context) {
+ if (r < 0)
+ return r;
+
+- /* We allow access if we got all the data and at_secure is not set and
+- * the uid/gid matches euid/egid. */
++ /* We allow access if dumpable on the command line was exactly 1, we got all the data,
++ * at_secure is not set, and the uid/gid match euid/egid. */
+ bool ret =
++ context->dumpable == 1 &&
+ at_secure == 0 &&
+ uid != UID_INVALID && euid != UID_INVALID && uid == euid &&
+ gid != GID_INVALID && egid != GID_INVALID && gid == egid;
+- log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)",
++ log_debug("Will %s access (dumpable=%u uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)",
+ ret ? "permit" : "restrict",
++ context->dumpable,
+ uid, euid, gid, egid, yes_no(at_secure));
+ return ret;
+ }
+@@ -1102,6 +1107,16 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) {
+ if (r < 0)
+ return log_error_errno(r, "Failed to parse PID \"%s\": %m", context->meta[META_ARGV_PID]);
+
++ /* The value is set to contents of /proc/sys/fs/suid_dumpable, which we set to 2,
++ * if the process is marked as not dumpable, see PR_SET_DUMPABLE(2const). */
++ if (context->meta[META_ARGV_DUMPABLE]) {
++ r = safe_atou(context->meta[META_ARGV_DUMPABLE], &context->dumpable);
++ if (r < 0)
++ return log_error_errno(r, "Failed to parse dumpable field \"%s\": %m", context->meta[META_ARGV_DUMPABLE]);
++ if (context->dumpable > 2)
++ log_notice("Got unexpected %%d/dumpable value %u.", context->dumpable);
++ }
++
+ unit = context->meta[META_UNIT];
+ context->is_pid1 = streq(context->meta[META_ARGV_PID], "1") || streq_ptr(unit, SPECIAL_INIT_SCOPE);
+ context->is_journald = streq_ptr(unit, SPECIAL_JOURNALD_SERVICE);
+diff --git a/sysctl.d/50-coredump.conf.in b/sysctl.d/50-coredump.conf.in
+index 5fb551a8cf..9c10a89828 100644
+--- a/sysctl.d/50-coredump.conf.in
++++ b/sysctl.d/50-coredump.conf.in
+@@ -13,7 +13,7 @@
+ # the core dump.
+ #
+ # See systemd-coredump(8) and core(5).
+-kernel.core_pattern=|{{ROOTLIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h
++kernel.core_pattern=|{{ROOTLIBEXECDIR}}/systemd-coredump %P %u %g %s %t %c %h %d
+
+ # Allow 16 coredumps to be dispatched in parallel by the kernel.
+ # We collect metadata from /proc/%P/, and thus need to make sure the crashed
+--
+2.34.1
+
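Review bot: in save_context() `context->dumpable` is assigned only when META_ARGV_DUMPABLE is present, while grant_user_access() now requires `context->dumpable == 1`, so a handler invoked through a core_pattern that still lacks %d (the upgrade window that 0001 keeps working) never grants the user access. Failing closed is the right default for this CVE, but it depends on Context starting out zeroed, which is outside the visible lines, and it deserves a comment next to the check. The man page hunk pulls in version-info.xml with xpointer="v258"; confirm that file exists in the 250.14 tree, or drop the xi:include from the backport, otherwise a build with man pages enabled may fail.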
diff --git a/meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch
new file mode 100644
index 0000000000..a3aed25e27
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2025-4598-0004.patch
@@ -0,0 +1,36 @@
+From a0c698c720441782fcf2cb7dfd01e69baf8f1f39 Mon Sep 17 00:00:00 2001
+From: Dan Streetman <ddstreet@ieee.org>
+Date: Thu, 2 Feb 2023 15:58:10 -0500
+Subject: [PATCH] basic/macro: add macro to iterate variadic args
+
+(cherry picked from commit e179f2d89c9f0c951636d74de00136b4075cd1ac)
+(cherry picked from commit cd4f43bf378ff33ce5cfeacd96f7f3726603bddc)
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/c288a3aafdf11cd93eb7a21e4d587c6fc218a29c]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/basic/macro.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/basic/macro.h b/src/basic/macro.h
+index 9e62f9c71c..16242902ec 100644
+--- a/src/basic/macro.h
++++ b/src/basic/macro.h
+@@ -454,4 +454,13 @@ typedef struct {
+
+ assert_cc(sizeof(dummy_t) == 0);
+
++/* Iterate through each variadic arg. All must be the same type as 'entry' or must be implicitly
++ * convertable. The iteration variable 'entry' must already be defined. */
++#define VA_ARGS_FOREACH(entry, ...) \
++ _VA_ARGS_FOREACH(entry, UNIQ_T(_entries_, UNIQ), UNIQ_T(_current_, UNIQ), ##__VA_ARGS__)
++#define _VA_ARGS_FOREACH(entry, _entries_, _current_, ...) \
++ for (typeof(entry) _entries_[] = { __VA_ARGS__ }, *_current_ = _entries_; \
++ ((long)(_current_ - _entries_) < (long)ELEMENTSOF(_entries_)) && ({ entry = *_current_; true; }); \
++ _current_++)
++
+ #include "log.h"
+--
+2.34.1
+
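Review bot: the header gives no reason why a 2023 macro commit is carried under the CVE-2025-4598 name; add a line stating that VA_ARGS_FOREACH is a prerequisite for CVE-2025-4598-0002.patch. The macro relies on typeof, a statement expression and `##__VA_ARGS__`, and with no variadic arguments it declares `_entries_[]` with an empty initializer; the only caller in this series passes eight entries, so this is fine here, but the comment above the macro could say that at least one argument is expected.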
diff --git a/meta/recipes-core/systemd/systemd_250.14.bb b/meta/recipes-core/systemd/systemd_250.14.bb
index b3e31e1f23..66d20a46fd 100644
--- a/meta/recipes-core/systemd/systemd_250.14.bb
+++ b/meta/recipes-core/systemd/systemd_250.14.bb
@@ -31,6 +31,10 @@ SRC_URI += "file://touchscreen.rules \
file://0001-core-fix-build-when-seccomp-is-off.patch \
file://0001-journal-Make-sd_journal_previous-next-return-0-at-HE.patch \
file://0001-basic-do-not-warn-in-mkdir_p-when-parent-directory-e.patch \
+ file://CVE-2025-4598-0001.patch \
+ file://CVE-2025-4598-0002.patch \
+ file://CVE-2025-4598-0003.patch \
+ file://CVE-2025-4598-0004.patch \
"
# patches needed by musl
--
2.43.0
* [OE-core][kirkstone 3/9] python3-urllib3: fix CVE-2025-50181
2025-07-04 15:28 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 1/9] libarchive: Fix CVE-2025-5914 Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 2/9] systemd: backport patches to fix CVE-2025-4598 Steve Sakoman
@ 2025-07-04 15:28 ` Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 4/9] xwayland: fix CVE-2025-49175 Steve Sakoman
` (5 subsequent siblings)
8 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
From: Yogita Urade <yogita.urade@windriver.com>
urllib3 is a user-friendly HTTP client library for Python. Prior to
2.5.0, it is possible to disable redirects for all requests by
instantiating a PoolManager and specifying retries in a way that
disables redirects. By default, requests and botocore users are not
affected. An application attempting to mitigate SSRF or open redirect
vulnerabilities by disabling redirects at the PoolManager level will
remain vulnerable. This issue has been patched in version 2.5.0.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-50181
Upstream patch:
https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../python3-urllib3/CVE-2025-50181.patch | 214 ++++++++++++++++++
.../python/python3-urllib3_1.26.18.bb | 4 +
2 files changed, 218 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
new file mode 100644
index 0000000000..61bdcc3e62
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2025-50181.patch
@@ -0,0 +1,214 @@
+From f05b1329126d5be6de501f9d1e3e36738bc08857 Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Wed, 18 Jun 2025 16:25:01 +0300
+Subject: [PATCH] Merge commit from fork
+
+* Apply Quentin's suggestion
+
+Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
+
+* Add tests for disabled redirects in the pool manager
+
+* Add a possible fix for the issue with not raised `MaxRetryError`
+
+* Make urllib3 handle redirects instead of JS when JSPI is used
+
+* Fix info in the new comment
+
+* State that redirects with XHR are not controlled by urllib3
+
+* Remove excessive params from new test requests
+
+* Add tests reaching max non-0 redirects
+
+* Test redirects with Emscripten
+
+* Fix `test_merge_pool_kwargs`
+
+* Add a changelog entry
+
+* Parametrize tests
+
+* Drop a fix for Emscripten
+
+* Apply Seth's suggestion to docs
+
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+
+* Use a minor release instead of the patch one
+
+---------
+
+Co-authored-by: Quentin Pradet <quentin.pradet@gmail.com>
+Co-authored-by: Seth Michael Larson <sethmichaellarson@gmail.com>
+
+Changes:
+- skip docs/reference/contrib/emscripten.rst, dummyserver/app.py and
+test/contrib/emscripten/test_emscripten.py files which are not presented.
+
+CVE: CVE-2025-50181
+Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/f05b1329126d5be6de501f9d1e3e36738bc08857]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ src/urllib3/poolmanager.py | 18 +++-
+ test/with_dummyserver/test_poolmanager.py | 101 ++++++++++++++++++++++
+ 2 files changed, 118 insertions(+), 1 deletion(-)
+
+diff --git a/src/urllib3/poolmanager.py b/src/urllib3/poolmanager.py
+index fb51bf7..a8de7c6 100644
+--- a/src/urllib3/poolmanager.py
++++ b/src/urllib3/poolmanager.py
+@@ -170,6 +170,22 @@ class PoolManager(RequestMethods):
+
+ def __init__(self, num_pools=10, headers=None, **connection_pool_kw):
+ RequestMethods.__init__(self, headers)
++ if "retries" in connection_pool_kw:
++ retries = connection_pool_kw["retries"]
++ if not isinstance(retries, Retry):
++ # When Retry is initialized, raise_on_redirect is based
++ # on a redirect boolean value.
++ # But requests made via a pool manager always set
++ # redirect to False, and raise_on_redirect always ends
++ # up being False consequently.
++ # Here we fix the issue by setting raise_on_redirect to
++ # a value needed by the pool manager without considering
++ # the redirect boolean.
++ raise_on_redirect = retries is not False
++ retries = Retry.from_int(retries, redirect=False)
++ retries.raise_on_redirect = raise_on_redirect
++ connection_pool_kw = connection_pool_kw.copy()
++ connection_pool_kw["retries"] = retries
+ self.connection_pool_kw = connection_pool_kw
+ self.pools = RecentlyUsedContainer(num_pools)
+
+@@ -389,7 +405,7 @@ class PoolManager(RequestMethods):
+ kw["body"] = None
+ kw["headers"] = HTTPHeaderDict(kw["headers"])._prepare_for_method_change()
+
+- retries = kw.get("retries")
++ retries = kw.get("retries", response.retries)
+ if not isinstance(retries, Retry):
+ retries = Retry.from_int(retries, redirect=redirect)
+
+diff --git a/test/with_dummyserver/test_poolmanager.py b/test/with_dummyserver/test_poolmanager.py
+index 509daf2..f84f169 100644
+--- a/test/with_dummyserver/test_poolmanager.py
++++ b/test/with_dummyserver/test_poolmanager.py
+@@ -82,6 +82,89 @@ class TestPoolManager(HTTPDummyServerTestCase):
+ assert r.status == 200
+ assert r.data == b"Dummy server!"
+
++ @pytest.mark.parametrize(
++ "retries",
++ (0, Retry(total=0), Retry(redirect=0), Retry(total=0, redirect=0)),
++ )
++ def test_redirects_disabled_for_pool_manager_with_0(
++ self, retries: typing.Literal[0] | Retry
++ ) -> None:
++ """
++ Check handling redirects when retries is set to 0 on the pool
++ manager.
++ """
++ with PoolManager(retries=retries) as http:
++ with pytest.raises(MaxRetryError):
++ http.request("GET", f"{self.base_url}/redirect")
++
++ # Setting redirect=True should not change the behavior.
++ with pytest.raises(MaxRetryError):
++ http.request("GET", f"{self.base_url}/redirect", redirect=True)
++
++ # Setting redirect=False should not make it follow the redirect,
++ # but MaxRetryError should not be raised.
++ response = http.request("GET", f"{self.base_url}/redirect", redirect=False)
++ assert response.status == 303
++
++ @pytest.mark.parametrize(
++ "retries",
++ (
++ False,
++ Retry(total=False),
++ Retry(redirect=False),
++ Retry(total=False, redirect=False),
++ ),
++ )
++ def test_redirects_disabled_for_pool_manager_with_false(
++ self, retries: typing.Literal[False] | Retry
++ ) -> None:
++ """
++ Check that setting retries set to False on the pool manager disables
++ raising MaxRetryError and redirect=True does not change the
++ behavior.
++ """
++ with PoolManager(retries=retries) as http:
++ response = http.request("GET", f"{self.base_url}/redirect")
++ assert response.status == 303
++
++ response = http.request("GET", f"{self.base_url}/redirect", redirect=True)
++ assert response.status == 303
++
++ response = http.request("GET", f"{self.base_url}/redirect", redirect=False)
++ assert response.status == 303
++
++ def test_redirects_disabled_for_individual_request(self) -> None:
++ """
++ Check handling redirects when they are meant to be disabled
++ on the request level.
++ """
++ with PoolManager() as http:
++ # Check when redirect is not passed.
++ with pytest.raises(MaxRetryError):
++ http.request("GET", f"{self.base_url}/redirect", retries=0)
++ response = http.request("GET", f"{self.base_url}/redirect", retries=False)
++ assert response.status == 303
++
++ # Check when redirect=True.
++ with pytest.raises(MaxRetryError):
++ http.request(
++ "GET", f"{self.base_url}/redirect", retries=0, redirect=True
++ )
++ response = http.request(
++ "GET", f"{self.base_url}/redirect", retries=False, redirect=True
++ )
++ assert response.status == 303
++
++ # Check when redirect=False.
++ response = http.request(
++ "GET", f"{self.base_url}/redirect", retries=0, redirect=False
++ )
++ assert response.status == 303
++ response = http.request(
++ "GET", f"{self.base_url}/redirect", retries=False, redirect=False
++ )
++ assert response.status == 303
++
+ def test_cross_host_redirect(self):
+ with PoolManager() as http:
+ cross_host_location = "%s/echo?a=b" % self.base_url_alt
+@@ -136,6 +219,24 @@ class TestPoolManager(HTTPDummyServerTestCase):
+ pool = http.connection_from_host(self.host, self.port)
+ assert pool.num_connections == 1
+
++ # Check when retries are configured for the pool manager.
++ with PoolManager(retries=1) as http:
++ with pytest.raises(MaxRetryError):
++ http.request(
++ "GET",
++ f"{self.base_url}/redirect",
++ fields={"target": f"/redirect?target={self.base_url}/"},
++ )
++
++ # Here we allow more retries for the request.
++ response = http.request(
++ "GET",
++ f"{self.base_url}/redirect",
++ fields={"target": f"/redirect?target={self.base_url}/"},
++ retries=2,
++ )
++ assert response.status == 200
++
+ def test_redirect_cross_host_remove_headers(self):
+ with PoolManager() as http:
+ r = http.request(
+--
+2.40.0
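Review bot: the new tests in test/with_dummyserver/test_poolmanager.py annotate parameters with `typing.Literal[0] | Retry` and `typing.Literal[False] | Retry`, yet neither test hunk adds an import, so the module fails at collection unless 1.26.18 already imports typing there; these annotations and the f-strings also differ from the %-formatting in the surrounding context (`"%s/echo?a=b" % self.base_url_alt`). Either add the import and note the Python 3 only syntax under "Changes:", or drop the annotations in the backport.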
diff --git a/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
index d384b5eb2f..b26c9ad2fa 100644
--- a/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
+++ b/meta/recipes-devtools/python/python3-urllib3_1.26.18.bb
@@ -7,6 +7,10 @@ SRC_URI[sha256sum] = "f8ecc1bba5667413457c529ab955bf8c67b45db799d159066261719e32
inherit pypi setuptools3
+SRC_URI += " \
+ file://CVE-2025-50181.patch \
+"
+
RDEPENDS:${PN} += "\
${PYTHON_PN}-certifi \
${PYTHON_PN}-cryptography \
--
2.43.0
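One way to check on a built image whether the installed urllib3 enforces pool-level redirect disabling, as the advisory text in this message describes. This is an added example, not part of the thread or of urllib3; the loopback server, its paths and the function names are constructed for the check.

```python
"""Probe whether PoolManager-level retries settings stop redirects."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

import urllib3
from urllib3.exceptions import MaxRetryError


class RedirectHandler(BaseHTTPRequestHandler):
    """Constructed endpoint: /redirect answers 303, any other path 200."""

    def do_GET(self):
        if self.path == "/redirect":
            self.send_response(303)
            self.send_header("Location", "/landing")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"landing"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the probe quiet; the default handler logs to stderr.
        pass


def probe(**pool_kw):
    """Request /redirect through a PoolManager built with pool_kw.

    Returns "followed" if the 303 was followed to the 200 page,
    "not-followed" if the 303 itself was returned, and "refused" if
    urllib3 raised MaxRetryError instead of following.
    """
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/redirect" % server.server_address[1]
    http = urllib3.PoolManager(timeout=5.0, **pool_kw)
    try:
        try:
            status = http.request("GET", url).status
        except MaxRetryError:
            return "refused"
        return "followed" if status == 200 else "not-followed"
    finally:
        http.clear()
        server.shutdown()
        server.server_close()


def redirect_disable_enforced():
    """True when retries=0 and retries=False on the pool both stop redirects.

    These are the outcomes the backported tests expect: MaxRetryError for
    retries=0 and the bare 303 response for retries=False.
    """
    return (probe(retries=0) == "refused"
            and probe(retries=False) == "not-followed")


if __name__ == "__main__":
    print("urllib3", urllib3.__version__)
    print("default pool       :", probe())
    print("retries=0 on pool  :", probe(retries=0))
    print("retries=False pool :", probe(retries=False))
    print("redirect disabling enforced:", redirect_disable_enforced())
```

A result of "followed" for either `retries=0` or `retries=False` means the pool-level setting is being ignored by the library under test.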
* [OE-core][kirkstone 4/9] xwayland: fix CVE-2025-49175
2025-07-04 15:28 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (2 preceding siblings ...)
2025-07-04 15:28 ` [OE-core][kirkstone 3/9] python3-urllib3: fix CVE-2025-50181 Steve Sakoman
@ 2025-07-04 15:28 ` Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 5/9] xwayland: fix CVE-2025-49176 Steve Sakoman
` (4 subsequent siblings)
8 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the X Rendering extension's handling of animated cursors.
If a client provides no cursors, the server assumes at least one is present,
leading to an out-of-bounds read and potential crash.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/xwayland/CVE-2025-49175.patch | 92 +++++++++++++++++++
.../xwayland/xwayland_22.1.8.bb | 1 +
2 files changed, 93 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
new file mode 100644
index 0000000000..bfb37fcea0
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
@@ -0,0 +1,92 @@
+From 0885e0b26225c90534642fe911632ec0779eebee Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Fri, 28 Mar 2025 09:43:52 +0100
+Subject: [PATCH] render: Avoid 0 or less animated cursors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Animated cursors use a series of cursors that the client can set.
+
+By default, the Xserver assumes at least one cursor is specified
+while a client may actually pass no cursor at all.
+
+That causes an out-of-bound read creating the animated cursor and a
+crash of the Xserver:
+
+ | Invalid read of size 8
+ | at 0x5323F4: AnimCursorCreate (animcur.c:325)
+ | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ | Address 0x59aa010 is 0 bytes after a block of size 0 alloc'd
+ | at 0x48468D3: reallocarray (vg_replace_malloc.c:1803)
+ | by 0x52D3DA: ProcRenderCreateAnimCursor (render.c:1802)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ |
+ | Invalid read of size 2
+ | at 0x5323F7: AnimCursorCreate (animcur.c:325)
+ | by 0x52D4C5: ProcRenderCreateAnimCursor (render.c:1817)
+ | by 0x52DC80: ProcRenderDispatch (render.c:1999)
+ | by 0x4A1E9D: Dispatch (dispatch.c:560)
+ | by 0x4B0169: dix_main (main.c:284)
+ | by 0x4287F5: main (stubmain.c:34)
+ | Address 0x8 is not stack'd, malloc'd or (recently) free'd
+
+To avoid the issue, check the number of cursors specified and return a
+BadValue error in both the proc handler (early) and the animated cursor
+creation (as this is a public function) if there is 0 or less cursor.
+
+CVE-2025-49175
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: José Expósito <jexposit@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+CVE: CVE-2025-49175
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/0885e0b26225c90534642fe911632ec0779eebee]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ render/animcur.c | 3 +++
+ render/render.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/render/animcur.c b/render/animcur.c
+index ef27bda..77942d8 100644
+--- a/render/animcur.c
++++ b/render/animcur.c
+@@ -304,6 +304,9 @@ AnimCursorCreate(CursorPtr *cursors, CARD32 *deltas, int ncursor,
+ int rc = BadAlloc, i;
+ AnimCurPtr ac;
+
++ if (ncursor <= 0)
++ return BadValue;
++
+ for (i = 0; i < screenInfo.numScreens; i++)
+ if (!GetAnimCurScreen(screenInfo.screens[i]))
+ return BadImplementation;
+diff --git a/render/render.c b/render/render.c
+index 5bc2a20..a8c2da0 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1795,6 +1795,8 @@ ProcRenderCreateAnimCursor(ClientPtr client)
+ ncursor =
+ (client->req_len -
+ (bytes_to_int32(sizeof(xRenderCreateAnimCursorReq)))) >> 1;
++ if (ncursor <= 0)
++ return BadValue;
+ cursors = xallocarray(ncursor, sizeof(CursorPtr) + sizeof(CARD32));
+ if (!cursors)
+ return BadAlloc;
+--
+2.40.0
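Review bot: The mbox header on the first line of the new patch file is malformed: it reads "From 0885e0b26225c90534642fe911632ec0779eebee Sep 17 00:00:00 2001", without the "Mon" that the other backports in this series carry ("... Mon Sep 17 00:00:00 2001"). The diff content is unaffected, but tooling that recognises git-format patches by that line may not accept it, so please restore the header as git format-patch emitted it. On the code itself, the "ncursor <= 0" test in ProcRenderCreateAnimCursor sits before xallocarray(), so the early return leaves nothing allocated.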
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 8b1fc85aab..55d381f868 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -43,6 +43,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-26601-3.patch \
file://CVE-2025-26601-4.patch \
file://CVE-2022-49737.patch \
+ file://CVE-2025-49175.patch \
"
SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
--
2.43.0
* [OE-core][kirkstone 5/9] xwayland: fix CVE-2025-49176
2025-07-04 15:28 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (3 preceding siblings ...)
2025-07-04 15:28 ` [OE-core][kirkstone 4/9] xwayland: fix CVE-2025-49175 Steve Sakoman
@ 2025-07-04 15:28 ` Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 6/9] xwayland: fix CVE-2025-49177 Steve Sakoman
` (3 subsequent siblings)
8 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the Big Requests extension. The request length is multiplied
by 4 before checking against the maximum allowed size, potentially causing an
integer overflow and bypassing the size check.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/CVE-2025-49176-0001.patch | 93 +++++++++++++++++++
.../xwayland/CVE-2025-49176-0002.patch | 38 ++++++++
.../xwayland/xwayland_22.1.8.bb | 2 +
3 files changed, 133 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
new file mode 100644
index 0000000000..fd3b1d936b
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
@@ -0,0 +1,93 @@
+From 03731b326a80b582e48d939fe62cb1e2b10400d9 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 7 Apr 2025 16:13:34 +0200
+Subject: [PATCH] os: Do not overflow the integer size with BigRequest
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The BigRequest extension allows requests larger than the 16-bit length
+limit.
+
+It uses integers for the request length and checks for the size not to
+exceed the maxBigRequestSize limit, but does so after translating the
+length to integer by multiplying the given size in bytes by 4.
+
+In doing so, it might overflow the integer size limit before actually
+checking for the overflow, defeating the purpose of the test.
+
+To avoid the issue, make sure to check that the request size does not
+overflow the maxBigRequestSize limit prior to any conversion.
+
+The caller Dispatch() function however expects the return value to be in
+bytes, so we cannot just return the converted value in case of error, as
+that would also overflow the integer size.
+
+To preserve the existing API, we use a negative value for the X11 error
+code BadLength as the function only return positive values, 0 or -1 and
+update the caller Dispatch() function to take that case into account to
+return the error code to the offending client.
+
+CVE-2025-49176
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+CVE: CVE-2025-49176
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/03731b326a80b582e48d939fe62cb1e2b10400d9]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ dix/dispatch.c | 9 +++++----
+ os/io.c | 4 ++++
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 9e98d54..20473f1 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -513,9 +513,10 @@ Dispatch(void)
+
+ /* now, finally, deal with client requests */
+ result = ReadRequestFromClient(client);
+- if (result <= 0) {
+- if (result < 0)
+- CloseDownClient(client);
++ if (result == 0)
++ break;
++ else if (result == -1) {
++ CloseDownClient(client);
+ break;
+ }
+
+@@ -536,7 +537,7 @@ Dispatch(void)
+ client->index,
+ client->requestBuffer);
+ #endif
+- if (result > (maxBigRequestSize << 2))
++ if (result < 0 || result > (maxBigRequestSize << 2))
+ result = BadLength;
+ else {
+ result = XaceHookDispatch(client, client->majorOp);
+diff --git a/os/io.c b/os/io.c
+index 841a0ee..aeece86 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -296,6 +296,10 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2) {
++ /* Check for potential integer overflow */
++ return -(BadLength);
++ }
+ needed <<= 2; /* needed is in bytes now */
+ }
+ if (gotnow < needed) {
+--
+2.40.0
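Review bot: In the dix/dispatch.c hunk the return contract of ReadRequestFromClient() is now split three ways with no comment at either site: "result == -1" closes the client, while every other negative value reaches "if (result < 0 || result > (maxBigRequestSize << 2))" and is reported as BadLength. Before this change any negative return closed the client, so an existing error path that returns a negative value other than -1 would silently change behaviour. The commit message says the function only returns positive values, 0 or -1; please confirm that against the os/io.c of the 22.1.8 tree this is applied to, and consider a short comment next to "return -(BadLength);" describing the convention for whoever refreshes this backport next.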
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
new file mode 100644
index 0000000000..6d7df79111
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
@@ -0,0 +1,38 @@
+From 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 18 Jun 2025 08:39:02 +0200
+Subject: [PATCH] os: Check for integer overflow on BigRequest length
+
+Check for another possible integer overflow once we get a complete xReq
+with BigRequest.
+
+Related to CVE-2025-49176
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
+
+CVE: CVE-2025-49176
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b2c7aaed61ed2653f997783a3714c4fe1]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ os/io.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/os/io.c b/os/io.c
+index aeece86..67465f9 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
+ needed = get_big_req_len(request, client);
+ }
+ client->req_len = needed;
++ if (needed > MAXINT >> 2)
++ return -(BadLength);
+ needed <<= 2;
+ }
+ if (gotnow < needed) {
+--
+2.40.0
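Review bot: The check added at @@ -395 is the same "needed > MAXINT >> 2" test that 0001 adds at @@ -296, here without the explanatory comment, and this patch only applies on top of 0001 (its "index aeece86..67465f9" starts from 0001's post-image of os/io.c). Since the two sites have to stay in step, it would help to state in the patch header that 0002 depends on 0001, so the pair is not split if one of them is later dropped or refreshed.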
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 55d381f868..40f010865e 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -44,6 +44,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-26601-4.patch \
file://CVE-2022-49737.patch \
file://CVE-2025-49175.patch \
+ file://CVE-2025-49176-0001.patch \
+ file://CVE-2025-49176-0002.patch \
"
SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
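Review bot: Style point on the two added SRC_URI entries: the multi-part backports already in this list use a short numeric suffix ("CVE-2025-26601-4.patch"), while these use "-0001" and "-0002". Naming them CVE-2025-49176-1.patch and CVE-2025-49176-2.patch would keep the recipe consistent. The order of the two entries matters and is correct as written, since 0002 applies on top of 0001.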
--
2.43.0
* [OE-core][kirkstone 6/9] xwayland: fix CVE-2025-49177
2025-07-04 15:28 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (4 preceding siblings ...)
2025-07-04 15:28 ` [OE-core][kirkstone 5/9] xwayland: fix CVE-2025-49176 Steve Sakoman
@ 2025-07-04 15:28 ` Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 7/9] xwayland: fix CVE-2025-49178 Steve Sakoman
` (2 subsequent siblings)
8 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler
does not validate the request length, allowing a client to read unintended memory
from previous requests.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/xwayland/CVE-2025-49177.patch | 55 +++++++++++++++++++
.../xwayland/xwayland_22.1.8.bb | 1 +
2 files changed, 56 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
new file mode 100644
index 0000000000..56ae1de800
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
@@ -0,0 +1,55 @@
+From ab02fb96b1c701c3bb47617d965522c34befa6af Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 10:05:36 +0200
+Subject: [PATCH] xfixes: Check request length for SetClientDisconnectMode
+
+The handler of XFixesSetClientDisconnectMode does not check the client
+request length.
+
+A client could send a shorter request and read data from a former
+request.
+
+Fix the issue by checking the request size matches.
+
+CVE-2025-49177
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Fixes: e167299f6 - xfixes: Add ClientDisconnectMode
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+CVE: CVE-2025-49177
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ab02fb96b1c701c3bb47617d965522c34befa6af]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ xfixes/disconnect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/xfixes/disconnect.c b/xfixes/disconnect.c
+index 28aac45..d6da1f9 100644
+--- a/xfixes/disconnect.c
++++ b/xfixes/disconnect.c
+@@ -67,6 +67,7 @@ ProcXFixesSetClientDisconnectMode(ClientPtr client)
+ ClientDisconnectPtr pDisconnect = GetClientDisconnect(client);
+
+ REQUEST(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ pDisconnect->disconnect_mode = stuff->disconnect_mode;
+
+@@ -80,7 +81,7 @@ SProcXFixesSetClientDisconnectMode(ClientPtr client)
+
+ swaps(&stuff->length);
+
+- REQUEST_AT_LEAST_SIZE(xXFixesSetClientDisconnectModeReq);
++ REQUEST_SIZE_MATCH(xXFixesSetClientDisconnectModeReq);
+
+ swapl(&stuff->disconnect_mode);
+
+--
+2.40.0
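Review bot: In the SProcXFixesSetClientDisconnectMode hunk, replacing REQUEST_AT_LEAST_SIZE with REQUEST_SIZE_MATCH tightens the accepted length rather than only adding a missing check: a byte-swapped client that sent a longer request was accepted before and is rejected now. That is consistent with the stated fix ("checking the request size matches") and brings the two handlers into line, but it is a behaviour change on the swapped path and deserves a sentence in the commit description, which currently mentions only the missing validation.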
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 40f010865e..fefc0d4e3a 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -46,6 +46,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-49175.patch \
file://CVE-2025-49176-0001.patch \
file://CVE-2025-49176-0002.patch \
+ file://CVE-2025-49177.patch \
"
SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
--
2.43.0
* [OE-core][kirkstone 7/9] xwayland: fix CVE-2025-49178
2025-07-04 15:28 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (5 preceding siblings ...)
2025-07-04 15:28 ` [OE-core][kirkstone 6/9] xwayland: fix CVE-2025-49177 Steve Sakoman
@ 2025-07-04 15:28 ` Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 8/9] " Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 9/9] xwayland: fix CVE-2025-49180 Steve Sakoman
8 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the X server's request handling. Non-zero 'bytes to ignore'
in a client's request can cause the server to skip processing another client's
request, potentially leading to a denial of service.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/xwayland/CVE-2025-49178.patch | 50 +++++++++++++++++++
.../xwayland/xwayland_22.1.8.bb | 1 +
2 files changed, 51 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
new file mode 100644
index 0000000000..5ef2fea1c9
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
@@ -0,0 +1,50 @@
+From d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 10:46:03 +0200
+Subject: [PATCH] os: Account for bytes to ignore when sharing input buffer
+
+When reading requests from the clients, the input buffer might be shared
+and used between different clients.
+
+If a given client sends a full request with non-zero bytes to ignore,
+the bytes to ignore may still be non-zero even though the request is
+full, in which case the buffer could be shared with another client who's
+request will not be processed because of those bytes to ignore, leading
+to a possible hang of the other client request.
+
+To avoid the issue, make sure we have zero bytes to ignore left in the
+input request when sharing the input buffer with another client.
+
+CVE-2025-49178
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+CVE: CVE-2025-49178
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d55c54cecb5e83eaa2d56bed5cc4461f9ba318c2]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ os/io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/os/io.c b/os/io.c
+index 67465f9..f92a40e 100644
+--- a/os/io.c
++++ b/os/io.c
+@@ -444,7 +444,7 @@ ReadRequestFromClient(ClientPtr client)
+ */
+
+ gotnow -= needed;
+- if (!gotnow)
++ if (!gotnow && !oci->ignoreBytes)
+ AvailableInput = oc;
+ if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+--
+2.40.0
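Review bot: The new condition "if (!gotnow && !oci->ignoreBytes)" relies on "oci", which does not appear anywhere in the hunk's context; the surrounding lines only use "oc" ("AvailableInput = oc;"). Please confirm that in the 22.1.8 ReadRequestFromClient() "oci" at @@ -444 still refers to this client's input buffer and has not been reassigned or freed earlier in the function, since the backport was written against a newer os/io.c.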
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index fefc0d4e3a..caca8ab0f6 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -47,6 +47,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-49176-0001.patch \
file://CVE-2025-49176-0002.patch \
file://CVE-2025-49177.patch \
+ file://CVE-2025-49178.patch \
"
SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
--
2.43.0
* [OE-core][kirkstone 8/9] xwayland: fix CVE-2025-49178
2025-07-04 15:28 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (6 preceding siblings ...)
2025-07-04 15:28 ` [OE-core][kirkstone 7/9] xwayland: fix CVE-2025-49178 Steve Sakoman
@ 2025-07-04 15:28 ` Steve Sakoman
2025-07-05 10:01 ` Gyorgy Sarvari
2025-07-04 15:28 ` [OE-core][kirkstone 9/9] xwayland: fix CVE-2025-49180 Steve Sakoman
8 siblings, 1 reply; 24+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the X server's request handling. Non-zero 'bytes to ignore'
in a client's request can cause the server to skip processing another client's
request, potentially leading to a denial of service.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/xwayland/CVE-2025-49179.patch | 69 +++++++++++++++++++
.../xwayland/xwayland_22.1.8.bb | 1 +
2 files changed, 70 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
new file mode 100644
index 0000000000..48c7ed8c13
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
@@ -0,0 +1,69 @@
+From 9d205323894af62b9726fcbaeb5fc69b3c9f61ba Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 28 Apr 2025 11:47:15 +0200
+Subject: [PATCH] record: Check for overflow in
+ RecordSanityCheckRegisterClients()
+
+The RecordSanityCheckRegisterClients() checks for the request length,
+but does not check for integer overflow.
+
+A client might send a very large value for either the number of clients
+or the number of protocol ranges that will cause an integer overflow in
+the request length computation, defeating the check for request length.
+
+To avoid the issue, explicitly check the number of clients against the
+limit of clients (which is much lower than an maximum integer value) and
+the number of protocol ranges (multiplied by the record length) do not
+exceed the maximum integer value.
+
+This way, we ensure that the final computation for the request length
+will not overflow the maximum integer limit.
+
+CVE-2025-49179
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4)
+
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2026>
+
+CVE: CVE-2025-49179
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/9d205323894af62b9726fcbaeb5fc69b3c9f61ba]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ record/record.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/record/record.c b/record/record.c
+index e123867..018e53f 100644
+--- a/record/record.c
++++ b/record/record.c
+@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
+ #include "inputstr.h"
+ #include "eventconvert.h"
+ #include "scrnintstr.h"
++#include "opaque.h"
+
+ #include <stdio.h>
+ #include <assert.h>
+@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
+ int i;
+ XID recordingClient;
+
++ /* LimitClients is 2048 at max, way less that MAXINT */
++ if (stuff->nClients > LimitClients)
++ return BadValue;
++
++ if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
++ return BadValue;
++
+ if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
+ 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
+ return BadLength;
+--
+2.40.0
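Review bot: The header of this new file does not match the commit that carries it: the embedded subject, the "CVE: CVE-2025-49179" tag and the record/record.c change all concern an integer overflow in RecordSanityCheckRegisterClients(), while the covering commit is titled "fix CVE-2025-49178" and its description is the 'bytes to ignore' text from patch 7/9. Both the subject and the description should be rewritten for CVE-2025-49179, because the commit log is what gets searched when auditing which CVEs the branch has fixed. In the record.c hunk, the two added checks are order-dependent: the nRanges bound subtracts "4 * stuff->nClients" from MAXINT, which is only safe because "stuff->nClients > LimitClients" has already returned, and a comment saying so would stop a later refactor from reordering them. The added comment also has a typo ("way less that MAXINT").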
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index caca8ab0f6..691b017662 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -48,6 +48,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-49176-0002.patch \
file://CVE-2025-49177.patch \
file://CVE-2025-49178.patch \
+ file://CVE-2025-49179.patch \
"
SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
--
2.43.0
* [OE-core][kirkstone 9/9] xwayland: fix CVE-2025-49180
2025-07-04 15:28 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
` (7 preceding siblings ...)
2025-07-04 15:28 ` [OE-core][kirkstone 8/9] " Steve Sakoman
@ 2025-07-04 15:28 ` Steve Sakoman
8 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-07-04 15:28 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
A flaw was found in the RandR extension, where the RRChangeProviderProperty function
does not properly validate input. This issue leads to an integer overflow when
computing the total size to allocate.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../xwayland/xwayland/CVE-2025-49180.patch | 45 +++++++++++++++++++
.../xwayland/xwayland_22.1.8.bb | 1 +
2 files changed, 46 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
new file mode 100644
index 0000000000..51939acf63
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch
@@ -0,0 +1,45 @@
+From 3c3a4b767b16174d3213055947ea7f4f88e10ec6 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Tue, 20 May 2025 15:18:19 +0200
+Subject: [PATCH] randr: Check for overflow in RRChangeProviderProperty()
+
+A client might send a request causing an integer overflow when computing
+the total size to allocate in RRChangeProviderProperty().
+
+To avoid the issue, check that total length in bytes won't exceed the
+maximum integer value.
+
+CVE-2025-49180
+
+This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
+reported by Julian Suleder via ERNW Vulnerability Disclosure.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
+
+CVE: CVE-2025-49180
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ randr/rrproviderproperty.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
+index 90c5a9a..0aa35ad 100644
+--- a/randr/rrproviderproperty.c
++++ b/randr/rrproviderproperty.c
+@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
+
+ if (mode == PropModeReplace || len > 0) {
+ void *new_data = NULL, *old_data = NULL;
+-
++ if (total_len > MAXINT / size_in_bytes)
++ return BadValue;
+ total_size = total_len * size_in_bytes;
+ new_value.data = (void *) malloc(total_size);
+ if (!new_value.data && total_size) {
+--
+2.40.0
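Review bot: The added guard "if (total_len > MAXINT / size_in_bytes)" divides by size_in_bytes, and nothing in the hunk shows that value being validated as non-zero. Please confirm it is derived from an already-checked format before this point in RRChangeProviderProperty(); otherwise the overflow check itself introduces a division by zero. Minor style point: the hunk replaces the blank line after the declarations with the check, so the statement now runs straight on from "void *new_data = NULL, *old_data = NULL;"; keeping the blank line would match the surrounding code.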
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 691b017662..73f5a05ce7 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -49,6 +49,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-49177.patch \
file://CVE-2025-49178.patch \
file://CVE-2025-49179.patch \
+ file://CVE-2025-49180.patch \
"
SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
--
2.43.0
* Re: [OE-core][kirkstone 8/9] xwayland: fix CVE-2025-49178
2025-07-04 15:28 ` [OE-core][kirkstone 8/9] " Steve Sakoman
@ 2025-07-05 10:01 ` Gyorgy Sarvari
2025-07-05 13:14 ` Steve Sakoman
0 siblings, 1 reply; 24+ messages in thread
From: Gyorgy Sarvari @ 2025-07-05 10:01 UTC (permalink / raw)
To: steve, openembedded-core
> .../xwayland/xwayland/CVE-2025-49179.patch | 69 +++++++++++++++++++
>
Minor typo-nitpick: off-by-one error in the subject. The subject says
CVE-2025-49178, but it fixes CVE-2025-49179. Wouldn't reject the patch
due to this though.
* Re: [OE-core][kirkstone 8/9] xwayland: fix CVE-2025-49178
2025-07-05 10:01 ` Gyorgy Sarvari
@ 2025-07-05 13:14 ` Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-07-05 13:14 UTC (permalink / raw)
To: Gyorgy Sarvari; +Cc: openembedded-core
On Sat, Jul 5, 2025 at 3:01 AM Gyorgy Sarvari <skandigraun@gmail.com> wrote:
>
> > .../xwayland/xwayland/CVE-2025-49179.patch | 69 +++++++++++++++++++
> >
> Minor typo-nitpick: off-by-one error in the subject. The subject says
> CVE-2025-49178, but it fixes CVE-2025-49179. Wouldn't reject the patch
> due to this though.
Thanks for reviewing! I've fixed this.
Steve
* [OE-core][kirkstone 0/9] Patch review
@ 2025-08-19 20:49 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-08-19 20:49 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, August 21
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2236
The following changes since commit 3d1c037a7cb7858a4e3c33a94f5d343a81aac5f7:
go-helloworld: fix license (2025-08-12 09:57:24 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Dan McGregor (1):
systemd: Fix manpage build after CVE-2025-4598
Hitendra Prajapati (3):
gstreamer1.0-plugins-base: fix CVE-2025-47806 & CVE-2025-47808
gstreamer1.0-plugins-good: fix CVE-2025-47183 & CVE-2025-47219
git: fix CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835
Peter Marko (1):
glib-2.0: ignore CVE-2025-4056
Vijay Anusuri (3):
xserver-xorg: Fix for CVE-2025-49175
xserver-xorg: Fix for CVE-2025-49176
xserver-xorg: Fix for CVE-2025-49177
Youngseok Jeong (1):
libubootenv: backport patch to fix unknown type name 'size_t'
...-Include-cstddef-in-the-header-for-C.patch | 27 +
meta/recipes-bsp/u-boot/libubootenv_0.3.2.bb | 6 +-
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 3 +
.../systemd/systemd/CVE-2025-4598-0003.patch | 7 +-
...-27613-CVE-2025-46334-CVE-2025-46835.patch | 2500 +++++++++++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 1 +
.../xserver-xorg/CVE-2025-49175.patch | 91 +
.../xserver-xorg/CVE-2025-49176-1.patch | 92 +
.../xserver-xorg/CVE-2025-49176-2.patch | 37 +
.../xserver-xorg/CVE-2025-49177.patch | 54 +
.../xorg-xserver/xserver-xorg_21.1.8.bb | 4 +
.../CVE-2025-47806.patch | 50 +
.../CVE-2025-47808.patch | 36 +
.../gstreamer1.0-plugins-base_1.20.7.bb | 2 +
.../CVE-2025-47183-001.patch | 151 +
.../CVE-2025-47183-002.patch | 80 +
.../CVE-2025-47219.patch | 40 +
.../gstreamer1.0-plugins-good_1.20.7.bb | 3 +
18 files changed, 3179 insertions(+), 5 deletions(-)
create mode 100644 meta/recipes-bsp/u-boot/files/0001-Include-cstddef-in-the-header-for-C.patch
create mode 100644 meta/recipes-devtools/git/git/CVE-2025-27614-CVE-2025-27613-CVE-2025-46334-CVE-2025-46835.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49175.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-2.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49177.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47806.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47808.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-001.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47183-002.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-good/CVE-2025-47219.patch
--
2.43.0
* [OE-core][kirkstone 0/9] Patch review
@ 2025-08-26 13:44 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-08-26 13:44 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, August 28
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2267
The following changes since commit e401a16d8e26d25cec95fcea98d6530036cffca1:
libubootenv: backport patch to fix unknown type name 'size_t' (2025-08-19 10:14:55 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Hitendra Prajapati (1):
gstreamer1.0-plugins-base: fix CVE-2025-47807
Jiaying Song (1):
openssl: fix CVE-2023-50781
Peter Marko (4):
qemu: ignore CVE-2024-7730
glib-2.0: patch CVE-2025-7039
dpkg: patch CVE-2025-6297
libarchive: patch regression of patch for CVE-2025-5918
Vijay Anusuri (3):
xserver-xorg: Fix for CVE-2025-49178
xserver-xorg: Fix for CVE-2025-49179
xserver-xorg: Fix for CVE-2025-49180
.../openssl/openssl/CVE-2023-50781-1.patch | 618 ++++++++++++++++++
.../openssl/openssl/CVE-2023-50781-2.patch | 358 ++++++++++
.../openssl/openssl/CVE-2023-50781-3.patch | 41 ++
.../openssl/openssl/CVE-2023-50781-4.patch | 441 +++++++++++++
.../openssl/openssl/CVE-2023-50781-5.patch | 284 ++++++++
.../openssl/openssl/CVE-2023-50781-6.patch | 57 ++
.../openssl/openssl_3.0.17.bb | 8 +-
.../glib-2.0/glib-2.0/CVE-2025-7039-01.patch | 40 ++
.../glib-2.0/glib-2.0/CVE-2025-7039-02.patch | 43 ++
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 2 +
.../dpkg/dpkg/CVE-2025-6297.patch | 125 ++++
meta/recipes-devtools/dpkg/dpkg_1.21.4.bb | 1 +
meta/recipes-devtools/qemu/qemu.inc | 3 +
...2025-5918.patch => CVE-2025-5918-01.patch} | 0
.../libarchive/CVE-2025-5918-02.patch | 51 ++
.../libarchive/libarchive_3.6.2.bb | 3 +-
.../xserver-xorg/CVE-2025-49178.patch | 49 ++
.../xserver-xorg/CVE-2025-49179.patch | 67 ++
.../xserver-xorg/CVE-2025-49180-1.patch | 44 ++
.../xserver-xorg/CVE-2025-49180-2.patch | 52 ++
.../xorg-xserver/xserver-xorg_21.1.8.bb | 4 +
.../CVE-2025-47807.patch | 49 ++
.../gstreamer1.0-plugins-base_1.20.7.bb | 1 +
23 files changed, 2339 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-4.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-5.patch
create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-6.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-7039-02.patch
create mode 100644 meta/recipes-devtools/dpkg/dpkg/CVE-2025-6297.patch
rename meta/recipes-extended/libarchive/libarchive/{CVE-2025-5918.patch => CVE-2025-5918-01.patch} (100%)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-02.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49178.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49179.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-1.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49180-2.patch
create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2025-47807.patch
--
2.43.0
* [OE-core][kirkstone 0/9] Patch review
@ 2025-09-03 16:14 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-09-03 16:14 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Friday, September 5
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2309
The following changes since commit 36cf6bb39df081b27306d27b20155995b73e1a01:
Revert "sqlite3: patch CVE-2025-7458" (2025-09-01 08:18:45 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Deepak Rathore (1):
default-distrovars.inc: Fix CONNECTIVITY_CHECK_URIS redirect issue
Kyungjik Min (1):
pulseaudio: Add audio group explicitly
Mingli Yu (1):
vim: not adjust script pathnames for native scripts either
Peter Marko (2):
vim: upgrade 9.1.1198 -> 9.1.1652
sudo: remove devtool FIXME comment
Praveen Kumar (1):
git: fix CVE-2025-48384
Yogita Urade (3):
tiff: fix CVE-2024-13978
tiff: fix CVE-2025-8534
tiff: fix CVE-2025-8851
meta-selftest/files/static-group | 1 +
.../distro/include/default-distrovars.inc | 2 +-
meta/lib/oeqa/sdk/buildtools-cases/https.py | 4 +-
.../git/git/CVE-2025-48384.patch | 85 +++++++++++++++++++
meta/recipes-devtools/git/git_2.35.7.bb | 1 +
meta/recipes-extended/sudo/sudo_1.9.17p1.bb | 52 ------------
.../libtiff/tiff/CVE-2024-13978.patch | 47 ++++++++++
.../libtiff/tiff/CVE-2025-8534.patch | 60 +++++++++++++
.../libtiff/tiff/CVE-2025-8851.patch | 71 ++++++++++++++++
meta/recipes-multimedia/libtiff/tiff_4.3.0.bb | 3 +
.../pulseaudio/pulseaudio.inc | 2 +-
...src-Makefile-improve-reproducibility.patch | 10 +--
.../vim/files/disable_acl_header_check.patch | 12 +--
.../vim/files/no-path-adjust.patch | 35 +++++---
meta/recipes-support/vim/vim.inc | 7 +-
15 files changed, 308 insertions(+), 84 deletions(-)
create mode 100644 meta/recipes-devtools/git/git/CVE-2025-48384.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-13978.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8534.patch
create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8851.patch
--
2.43.0
* [OE-core][kirkstone 0/9] Patch review
@ 2025-11-25 20:54 Steve Sakoman
0 siblings, 0 replies; 24+ messages in thread
From: Steve Sakoman @ 2025-11-25 20:54 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, November 27
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2776
The following changes since commit ff72b41a3f0bf1820405b8782f0d125cd10e3406:
oe-build-perf-report: relax metadata matching rules (2025-11-19 08:28:19 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Divya Chellam (3):
ruby: fix CVE-2024-35176
ruby: fix CVE-2024-39908
ruby: fix CVE-2024-41123
Gyorgy Sarvari (1):
flac: patch seeking bug
Peter Marko (3):
libarchive: patch 3.8.3 security issue 1
libarchive: patch 3.8.3 security issue 2
libarchive: patch CVE-2025-60753
Praveen Kumar (1):
python3: fix CVE-2025-6075
Vijay Anusuri (1):
python3-idna: Fix CVE-2024-3651
.../python/python3-idna/CVE-2024-3651.patch | 2484 +++++++++++++++++
.../python/python3-idna_3.3.bb | 2 +
.../python/python3/CVE-2025-6075.patch | 364 +++
.../python/python3_3.10.19.bb | 1 +
.../ruby/ruby/CVE-2024-35176.patch | 112 +
.../ruby/ruby/CVE-2024-39908-0001.patch | 46 +
.../ruby/ruby/CVE-2024-39908-0002.patch | 130 +
.../ruby/ruby/CVE-2024-39908-0003.patch | 46 +
.../ruby/ruby/CVE-2024-39908-0004.patch | 76 +
.../ruby/ruby/CVE-2024-39908-0005.patch | 87 +
.../ruby/ruby/CVE-2024-39908-0006.patch | 44 +
.../ruby/ruby/CVE-2024-39908-0007.patch | 44 +
.../ruby/ruby/CVE-2024-39908-0008.patch | 44 +
.../ruby/ruby/CVE-2024-39908-0009.patch | 36 +
.../ruby/ruby/CVE-2024-39908-0010.patch | 53 +
.../ruby/ruby/CVE-2024-39908-0011.patch | 35 +
.../ruby/ruby/CVE-2024-39908-0012.patch | 36 +
.../ruby/ruby/CVE-2024-41123-0001.patch | 44 +
.../ruby/ruby/CVE-2024-41123-0002.patch | 37 +
.../ruby/ruby/CVE-2024-41123-0003.patch | 55 +
.../ruby/ruby/CVE-2024-41123-0004.patch | 163 ++
.../ruby/ruby/CVE-2024-41123-0005.patch | 111 +
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 18 +
...ax-path-length-metadata-writing-2243.patch | 30 +
...request-2696-from-al3xtjames-mkstemp.patch | 28 +
...st-2749-from-KlaraSystems-des-tempdi.patch | 183 ++
...st-2753-from-KlaraSystems-des-temp-f.patch | 190 ++
...-request-2768-from-Commandoss-master.patch | 28 +
.../libarchive/CVE-2025-60753.patch | 76 +
.../libarchive/libarchive_3.6.2.bb | 6 +
.../flac/files/0001-Fix-seeking-bug.patch | 34 +
meta/recipes-multimedia/flac/flac_1.3.4.bb | 3 +-
32 files changed, 4645 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/python/python3-idna/CVE-2024-3651.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-6075.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-35176.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0002.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0003.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0004.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0005.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0006.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0007.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0008.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0009.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0010.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0011.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-39908-0012.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0002.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0003.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0004.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41123-0005.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Fix-max-path-length-metadata-writing-2243.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2696-from-al3xtjames-mkstemp.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2749-from-KlaraSystems-des-tempdi.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2753-from-KlaraSystems-des-temp-f.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Merge-pull-request-2768-from-Commandoss-master.patch
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-60753.patch
create mode 100644 meta/recipes-multimedia/flac/files/0001-Fix-seeking-bug.patch
--
2.43.0
Thread overview: 24+ messages
2025-07-04 15:28 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 1/9] libarchive: Fix CVE-2025-5914 Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 2/9] systemd: backport patches to fix CVE-2025-4598 Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 3/9] python3-urllib3: fix CVE-2025-50181 Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 4/9] xwayland: fix CVE-2025-49175 Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 5/9] xwayland: fix CVE-2025-49176 Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 6/9] xwayland: fix CVE-2025-49177 Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 7/9] xwayland: fix CVE-2025-49178 Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 8/9] " Steve Sakoman
2025-07-05 10:01 ` Gyorgy Sarvari
2025-07-05 13:14 ` Steve Sakoman
2025-07-04 15:28 ` [OE-core][kirkstone 9/9] xwayland: fix CVE-2025-49180 Steve Sakoman
-- strict thread matches above, loose matches on Subject: below --
2025-11-25 20:54 [OE-core][kirkstone 0/9] Patch review Steve Sakoman
2025-09-03 16:14 Steve Sakoman
2025-08-26 13:44 Steve Sakoman
2025-08-19 20:49 Steve Sakoman
2024-12-17 20:54 Steve Sakoman
2024-06-22 11:57 Steve Sakoman
2024-04-03 3:46 Steve Sakoman
2024-03-07 23:37 Steve Sakoman
2023-06-20 15:37 Steve Sakoman
2023-01-17 14:08 Steve Sakoman
2022-11-13 14:12 Steve Sakoman
2022-05-23 13:59 Steve Sakoman