* [scarthgap][PATCH 00/24] Scarthgap pull request
@ 2025-09-23 11:57 Anuj Mittal
From: Anuj Mittal @ 2025-09-23 11:57 UTC
To: openembedded-devel
Please consider merging these changes for scarthgap. Tested with
autobuilder and locally with qemux86-64 and qemuarm64:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/944

The following changes since commit b9fb6556a3c8a3e477dce334205b658cb79ad501:

  protobuf 4.25.8: Mark CVE-2024-7254 as patched (2025-09-12 08:15:13 +0800)

are available in the Git repository at:

  https://git.openembedded.org/meta-openembedded-contrib anujm/scarthgap
  https://git.openembedded.org/meta-openembedded-contrib/log/?h=anujm/scarthgap

Anil Dongare (1):
      libssh 0.10.6: Fix CVE-2025-8114

Archana Polampalli (1):
      apache2: upgrade 2.4.64 - 2.4.65

AshishKumar Mishra (1):
      meta-oe: image: optionally remove RAW image after sparse image
        creation

Divya Chellam (2):
      libssh: fix CVE-2025-4878
      libssh: fix CVE-2025-5987

Gyorgy Sarvari (1):
      mod-dnssd: update SRC_URI

Haixiao Yan (1):
      python3-posix-ipc: fix runtime error

Hitendra Prajapati (1):
      openjpeg: fix for CVE-2025-54874

Jef Driesen (1):
      lcov: Add missing RDEPENDS for nativesdk

Jeroen Knoops (1):
      nng: Rename default branch of github.com:nanomsg/nng.git

Khem Raj (2):
      gtkwave: Add libtirpc to depends
      ssmping: Use debian mirror for SRC_URI

Marc Ferland (1):
      libvncserver: fix generated LibVNCServerTargets.cmake

Martin Jansa (1):
      nodejs: fix build with gcc-15 on host

Peter Marko (2):
      fontforge: patch CVE-2024-25081 and CVE-2024-25082
      fcgi: patch CVE-2025-23016

Shubham Pushpkar (1):
      cjson 1.7.18: Fix CVE-2025-57052

Wang Mingyu (2):
      geoip: fix do_fetch error
      rp-pppoe: update SRC_URI

Yi Zhao (1):
      wxwidgets: upgrade 3.2.1 -> 3.2.6

Yoann Congal (1):
      gutenprint: fix a build race-condition

Zhang Peng (2):
      iperf3: fix CVE-2025-54350
      wxwidgets: fix CVE-2024-58249

Zoltán Böszörményi (1):
      gutenprint: 5.3.5

.../recipes-connectivity/nanomsg/nng_1.7.3.bb | 2 +-
.../rp-pppoe/rp-pppoe_3.15.bb | 2 +-
.../recipes-support/geoip/geoip_1.6.12.bb | 8 +-
.../recipes-support/ssmping/ssmping_0.9.1.bb | 3 +-
meta-oe/classes/image_types_sparse.bbclass | 6 +
.../iperf3/iperf3/CVE-2025-54350.patch | 39 +
.../recipes-benchmark/iperf3/iperf3_3.18.bb | 1 +
.../cjson/cjson/CVE-2025-57052.patch | 33 +
.../recipes-devtools/cjson/cjson_1.7.18.bb | 1 +
.../0001-src-fix-build-with-GCC-15.patch | 33 +
.../recipes-devtools/nodejs/nodejs_20.18.2.bb | 1 +
...using-glibc-specific-defines-on-musl.patch | 26 -
...able-cross-magic-it-does-not-work-fo.patch | 8 +-
...tch => 0002-fix-libdir-for-multilib.patch} | 35 +-
...003-create-links-with-relative-path.patch} | 22 +-
...-not-append-system-name-to-lib-name.patch} | 12 +-
...5-wx-config-fix-libdir-for-multilib.patch} | 29 +-
...-l.patch => 0006-Fix-locale-on-musl.patch} | 18 +-
...E_LARGEFILE_SUPPORT-to-1-explicitly.patch} | 9 +-
.../wxwidgets/wxwidgets/CVE-2024-58249.patch | 178 ++
...{wxwidgets_3.2.1.bb => wxwidgets_3.2.6.bb} | 18 +-
.../CVE-2024-25081_CVE-2024-25082.patch | 181 ++
.../fontforge/fontforge_20230101.bb | 1 +
.../gtkwave/gtkwave_3.3.119.bb | 1 +
.../libvncserver/libvncserver_0.9.14.bb | 4 +-
.../openjpeg/openjpeg/CVE-2025-54874.patch | 44 +
.../openjpeg/openjpeg_2.5.3.bb | 1 +
...-race-condition-around-empty-directo.patch | 60 +
...utenprint_5.3.4.bb => gutenprint_5.3.5.bb} | 6 +-
meta-oe/recipes-support/lcov/lcov_1.16.bb | 6 +
.../libssh/libssh/CVE-2025-4878-0001.patch | 2552 +++++++++++++++++
.../libssh/libssh/CVE-2025-4878-0002.patch | 34 +
.../libssh/libssh/CVE-2025-5987.patch | 37 +
.../libssh/libssh/CVE-2025-8114.patch | 49 +
.../recipes-support/libssh/libssh_0.10.6.bb | 4 +
...ndle-runtime-errors-and-return-None-.patch | 47 +
.../python/python3-posix-ipc_1.2.0.bb | 1 +
.../recipes-httpd/apache-mod/mod-dnssd_0.6.bb | 2 +-
.../{apache2_2.4.64.bb => apache2_2.4.65.bb} | 2 +-
.../fcgi/fcgi/CVE-2025-23016.patch | 40 +
.../recipes-support/fcgi/fcgi_git.bb | 1 +
41 files changed, 3467 insertions(+), 90 deletions(-)
create mode 100644 meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54350.patch
create mode 100644 meta-oe/recipes-devtools/cjson/cjson/CVE-2025-57052.patch
create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch
delete mode 100644 meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch
rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{fix-libdir-for-multilib.patch => 0002-fix-libdir-for-multilib.patch} (82%)
rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{create-links-with-relative-path.patch => 0003-create-links-with-relative-path.patch} (72%)
rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{not-append-system-name-to-lib-name.patch => 0004-don-not-append-system-name-to-lib-name.patch} (73%)
rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{wx-config-fix-libdir-for-multilib.patch => 0005-wx-config-fix-libdir-for-multilib.patch} (74%)
rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{musl-locale-l.patch => 0006-Fix-locale-on-musl.patch} (70%)
rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{0001-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch => 0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch} (83%)
create mode 100644 meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch
rename meta-oe/recipes-extended/wxwidgets/{wxwidgets_3.2.1.bb => wxwidgets_3.2.6.bb} (89%)
create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2024-25081_CVE-2024-25082.patch
create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-54874.patch
create mode 100644 meta-oe/recipes-printing/gutenprint/gutenprint/0001-cups-fix-a-build-race-condition-around-empty-directo.patch
rename meta-oe/recipes-printing/gutenprint/{gutenprint_5.3.4.bb => gutenprint_5.3.5.bb} (91%)
create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch
create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch
create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch
create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch
create mode 100644 meta-python/recipes-devtools/python/python3-posix-ipc/0004-build_support-handle-runtime-errors-and-return-None-.patch
rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.64.bb => apache2_2.4.65.bb} (99%)
create mode 100644 meta-webserver/recipes-support/fcgi/fcgi/CVE-2025-23016.patch

* [scarthgap][PATCH 01/24] libssh: fix CVE-2025-4878
From: Anuj Mittal @ 2025-09-23 11:57 UTC
To: openembedded-devel
From: Divya Chellam <divya.chellam@windriver.com>

A vulnerability was found in libssh, where an uninitialized variable exists
under certain conditions in the privatekey_from_file() function. This flaw can
be triggered if the file specified by the filename doesn't exist and may lead
to possible signing failures or heap corruption.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-4878

Upstream-patches:
https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1
https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
 .../libssh/libssh/CVE-2025-4878-0001.patch | 2552 +++++++++++++++++
 .../libssh/libssh/CVE-2025-4878-0002.patch | 34 +
 .../recipes-support/libssh/libssh_0.10.6.bb | 2 +
 3 files changed, 2588 insertions(+)
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch
 create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch new file mode 100644 index 0000000000..22f8733a69 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0001.patch
@@ -0,0 +1,2552 @@ +From 697650caa97eaf7623924c75f9fcfec6dd423cd1 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <jjelen@redhat.com> +Date: Wed, 23 Apr 2025 17:57:11 +0200 +Subject: [PATCH] CVE-2025-4878 Initialize pointers where possible + +This is mostly mechanical change initializing all the pointers I was able to +find with some grep and manual review of sources and examples. + +Used the following greps (which yield some false positives though): + + git grep " \w* *\* *\w*;$" + git grep " ssh_session \w*;" + git grep " ssh_channel \w*;" + git grep " struct ssh_iterator \*\w*;" + git grep " ssh_bind \w*;" + git grep " ssh_key \w*;" + git grep " ssh_string \w*;" + git grep " ssh_buffer \w*;" + git grep " HMACCTX \w*;" + git grep " SHACTX \w*;" + grep -rinP '^(?!.*=)\s*(?:\w+\s+)*\w+\s*\*\s*\w+\s*;' + +Signed-off-by: Jakub Jelen <jjelen@redhat.com> +Reviewed-by: Andreas Schneider <asn@cryptomilk.org> + +CVE: CVE-2025-4878 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1] + +Signed-off-by: Divya Chellam <divya.chellam@windriver.com> +--- + doc/authentication.dox | 10 +++---- + doc/command.dox | 2 +- + doc/forwarding.dox | 4 +-- + doc/guided_tour.dox | 14 ++++----- + doc/shell.dox | 2 +- + examples/authentication.c | 12 ++++---- + examples/connect_ssh.c | 2 +- + examples/exec.c | 4 +-- + examples/knownhosts.c | 2 +- + examples/libssh_scp.c | 11 ++++---- + examples/proxy.c | 18 ++++++------ + examples/samplesshd-cb.c | 10 +++---- + examples/samplesshd-kbdint.c | 16 +++++------ + examples/scp_download.c | 4 +-- + examples/senddata.c | 4 +-- + examples/ssh_client.c | 8 +++--- + examples/sshd_direct-tcpip.c | 14 ++++----- + examples/sshnetcat.c | 6 ++-- + src/agent.c | 13 +++++---- + src/auth.c | 7 +++-- + src/bind.c | 11 ++++---- + src/bind_config.c | 4 +-- + src/buffer.c | 9 +++--- + src/callbacks.c | 2 +- + src/chachapoly.c | 2 +- + src/channels.c | 55 ++++++++++++++++++------------------ + 
src/client.c | 2 +- + src/config.c | 4 +-- + src/config_parser.c | 12 ++++---- + src/connect.c | 4 +-- + src/connector.c | 5 ++-- + src/dh_crypto.c | 2 +- + src/ecdh_gcrypt.c | 4 +-- + src/gcrypt_missing.c | 2 +- + src/getpass.c | 4 +-- + src/gssapi.c | 28 +++++++++--------- + src/kex.c | 4 +-- + src/known_hosts.c | 41 ++++++++++++++------------- + src/knownhosts.c | 18 ++++++------ + src/legacy.c | 43 +++++++++++++++------------- + src/libmbedcrypto.c | 2 +- + src/log.c | 2 +- + src/messages.c | 18 ++++++------ + src/misc.c | 24 ++++++++-------- + src/options.c | 18 ++++++------ + src/packet.c | 6 ++-- + src/packet_crypt.c | 2 +- + src/pki.c | 50 ++++++++++++++++---------------- + src/pki_container_openssh.c | 14 ++++----- + src/pki_crypto.c | 8 +++--- + src/pki_ed25519.c | 6 ++-- + src/pki_ed25519_common.c | 2 +- + src/pki_gcrypt.c | 12 ++++---- + src/pki_mbedcrypto.c | 12 ++++---- + src/poll.c | 10 +++---- + src/server.c | 23 ++++++++------- + src/session.c | 14 ++++----- + src/sftpserver.c | 12 ++++---- + src/string.c | 6 ++-- + src/threads/winlocks.c | 2 +- + src/wrapper.c | 2 +- + 61 files changed, 340 insertions(+), 324 deletions(-) + +diff --git a/doc/authentication.dox b/doc/authentication.dox +index 7d0ab81d..a0b2df84 100644 +--- a/doc/authentication.dox ++++ b/doc/authentication.dox +@@ -105,7 +105,7 @@ Here is a small example of password authentication: + @code + int authenticate_password(ssh_session session) + { +- char *password; ++ char *password = NULL; + int rc; + + password = getpass("Enter your password: "); +@@ -218,7 +218,7 @@ int authenticate_kbdint(ssh_session session) + rc = ssh_userauth_kbdint(session, NULL, NULL); + while (rc == SSH_AUTH_INFO) + { +- const char *name, *instruction; ++ const char *name = NULL, *instruction = NULL; + int nprompts, iprompt; + + name = ssh_userauth_kbdint_getname(session); +@@ -231,7 +231,7 @@ int authenticate_kbdint(ssh_session session) + printf("%s\n", instruction); + for (iprompt = 0; iprompt < nprompts; 
iprompt++) + { +- const char *prompt; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, iprompt, &echo); +@@ -251,7 +251,7 @@ int authenticate_kbdint(ssh_session session) + } + else + { +- char *ptr; ++ char *ptr = NULL; + + ptr = getpass(prompt); + if (ssh_userauth_kbdint_setanswer(session, iprompt, ptr) < 0) +@@ -354,7 +354,7 @@ The following example shows how to retrieve and dispose the issue banner: + int display_banner(ssh_session session) + { + int rc; +- char *banner; ++ char *banner = NULL; + + /* + *** Does not work without calling ssh_userauth_none() first *** +diff --git a/doc/command.dox b/doc/command.dox +index 588151c6..e82748ce 100644 +--- a/doc/command.dox ++++ b/doc/command.dox +@@ -22,7 +22,7 @@ a SSH session that uses this channel: + @code + int show_remote_files(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/doc/forwarding.dox b/doc/forwarding.dox +index 2b202b4d..3ca3aa8a 100644 +--- a/doc/forwarding.dox ++++ b/doc/forwarding.dox +@@ -100,7 +100,7 @@ used to retrieve google's home page from the remote SSH server. 
+ @code + int direct_forwarding(ssh_session session) + { +- ssh_channel forwarding_channel; ++ ssh_channel forwarding_channel = NULL; + int rc = SSH_ERROR; + char *http_get = "GET / HTTP/1.1\nHost: www.google.com\n\n"; + int nbytes, nwritten; +@@ -161,7 +161,7 @@ local libssh application, which handles them: + int web_server(ssh_session session) + { + int rc; +- ssh_channel channel; ++ ssh_channel channel = NULL; + char buffer[256]; + int nbytes, nwritten; + int port = 0; +diff --git a/doc/guided_tour.dox b/doc/guided_tour.dox +index 69576f18..60f4087e 100644 +--- a/doc/guided_tour.dox ++++ b/doc/guided_tour.dox +@@ -79,7 +79,7 @@ Here is a small example of how to use it: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int verbosity = SSH_LOG_PROTOCOL; + int port = 22; + +@@ -126,7 +126,7 @@ Here's an example: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; + + my_ssh_session = ssh_new(); +@@ -190,8 +190,8 @@ int verify_knownhost(ssh_session session) + ssh_key srv_pubkey = NULL; + size_t hlen; + char buf[10]; +- char *hexa; +- char *p; ++ char *hexa = NULL; ++ char *p = NULL; + int cmp; + int rc; + +@@ -317,9 +317,9 @@ The example below shows an authentication with password: + + int main() + { +- ssh_session my_ssh_session; ++ ssh_session my_ssh_session = NULL; + int rc; +- char *password; ++ char *password = NULL; + + // Open session and set options + my_ssh_session = ssh_new(); +@@ -380,7 +380,7 @@ The example below shows how to execute a remote command: + @code + int show_remote_processes(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + int rc; + char buffer[256]; + int nbytes; +diff --git a/doc/shell.dox b/doc/shell.dox +index d770f27a..54d97888 100644 +--- a/doc/shell.dox ++++ b/doc/shell.dox +@@ -26,7 +26,7 @@ The code sample below achieves these tasks: + @code + int shell_session(ssh_session session) + { +- ssh_channel channel; ++ 
ssh_channel channel = NULL; + int rc; + + channel = ssh_channel_new(session); +diff --git a/examples/authentication.c b/examples/authentication.c +index 7c47c8bd..31de7cfc 100644 +--- a/examples/authentication.c ++++ b/examples/authentication.c +@@ -30,8 +30,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + + err = ssh_userauth_kbdint(session, NULL, NULL); + while (err == SSH_AUTH_INFO) { +- const char *instruction; +- const char *name; ++ const char *instruction = NULL; ++ const char *name = NULL; + char buffer[128]; + int i, n; + +@@ -48,8 +48,8 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + for (i = 0; i < n; i++) { +- const char *answer; +- const char *prompt; ++ const char *answer = NULL; ++ const char *prompt = NULL; + char echo; + + prompt = ssh_userauth_kbdint_getprompt(session, i, &echo); +@@ -58,7 +58,7 @@ int authenticate_kbdint(ssh_session session, const char *password) + } + + if (echo) { +- char *p; ++ char *p = NULL; + + printf("%s", prompt); + +@@ -143,7 +143,7 @@ int authenticate_console(ssh_session session) + int rc; + int method; + char password[128] = {0}; +- char *banner; ++ char *banner = NULL; + + // Try to authenticate + rc = ssh_userauth_none(session, NULL); +diff --git a/examples/connect_ssh.c b/examples/connect_ssh.c +index c9e4ef6e..06094272 100644 +--- a/examples/connect_ssh.c ++++ b/examples/connect_ssh.c +@@ -22,7 +22,7 @@ clients must be made or how a client should react. 
+ #include <stdio.h> + + ssh_session connect_ssh(const char *host, const char *user,int verbosity){ +- ssh_session session; ++ ssh_session session = NULL; + int auth=0; + + session=ssh_new(); +diff --git a/examples/exec.c b/examples/exec.c +index 77d3be47..f90df364 100644 +--- a/examples/exec.c ++++ b/examples/exec.c +@@ -5,8 +5,8 @@ + #include "examples_common.h" + + int main(void) { +- ssh_session session; +- ssh_channel channel; ++ ssh_session session = NULL; ++ ssh_channel channel = NULL; + char buffer[256]; + int rbytes, wbytes, total = 0; + int rc; +diff --git a/examples/knownhosts.c b/examples/knownhosts.c +index 0726bfa8..2857a085 100644 +--- a/examples/knownhosts.c ++++ b/examples/knownhosts.c +@@ -38,7 +38,7 @@ int verify_knownhost(ssh_session session) + char buf[10]; + unsigned char *hash = NULL; + size_t hlen; +- ssh_key srv_pubkey; ++ ssh_key srv_pubkey = NULL; + int rc; + + rc = ssh_get_server_publickey(session, &srv_pubkey); +diff --git a/examples/libssh_scp.c b/examples/libssh_scp.c +index 6fdf8a4f..a332e0d2 100644 +--- a/examples/libssh_scp.c ++++ b/examples/libssh_scp.c +@@ -26,9 +26,9 @@ program. + #define BUF_SIZE 16384 + #endif + +-static char **sources; ++static char **sources = NULL; + static int nsources; +-static char *destination; ++static char *destination = NULL; + static int verbosity = 0; + + struct location { +@@ -114,9 +114,10 @@ static void location_free(struct location *loc) + } + } + +-static struct location *parse_location(char *loc) { +- struct location *location; +- char *ptr; ++static struct location *parse_location(char *loc) ++{ ++ struct location *location = NULL; ++ char *ptr = NULL; + + location = malloc(sizeof(struct location)); + if (location == NULL) { +diff --git a/examples/proxy.c b/examples/proxy.c +index 159a37e5..25451789 100644 +--- a/examples/proxy.c ++++ b/examples/proxy.c +@@ -35,8 +35,8 @@ clients must be made or how a client should react. 
+ static int authenticated=0; + static int tries = 0; + static int error = 0; +-static ssh_channel chan=NULL; +-static char *username; ++static ssh_channel chan = NULL; ++static char *username = NULL; + static ssh_gssapi_creds client_creds = NULL; + + static int auth_password(ssh_session session, const char *user, +@@ -216,11 +216,12 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; +- ssh_session client_session; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; ++ ssh_session client_session = NULL; + + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, +@@ -231,7 +232,7 @@ int main(int argc, char **argv){ + + char buf[BUF_SIZE]; + char host[128]=""; +- char *ptr; ++ char *ptr = NULL; + int i,r, rc; + + sshbind=ssh_bind_new(); +@@ -348,4 +349,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-cb.c b/examples/samplesshd-cb.c +index e5b48994..693b040d 100644 +--- a/examples/samplesshd-cb.c ++++ b/examples/samplesshd-cb.c +@@ -257,10 +257,11 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_event mainloop; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_event mainloop = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_none_function = auth_none, +@@ -353,4 +354,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/samplesshd-kbdint.c 
b/examples/samplesshd-kbdint.c +index 6608306c..141088c2 100644 +--- a/examples/samplesshd-kbdint.c ++++ b/examples/samplesshd-kbdint.c +@@ -187,8 +187,8 @@ static error_t parse_opt (int key, char *arg, struct argp_state *state) { + static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + #endif /* HAVE_ARGP_H */ + +-static const char *name; +-static const char *instruction; ++static const char *name = NULL; ++static const char *instruction = NULL; + static const char *prompts[2]; + static char echo[] = { 1, 0 }; + +@@ -292,11 +292,12 @@ static int authenticate(ssh_session session) { + return 0; + } + +-int main(int argc, char **argv){ +- ssh_session session; +- ssh_bind sshbind; +- ssh_message message; +- ssh_channel chan=0; ++int main(int argc, char **argv) ++{ ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; ++ ssh_message message = NULL; ++ ssh_channel chan = NULL; + char buf[BUF_SIZE]; + int auth=0; + int shell=0; +@@ -426,4 +427,3 @@ int main(int argc, char **argv){ + ssh_finalize(); + return 0; + } +- +diff --git a/examples/scp_download.c b/examples/scp_download.c +index e6c1e796..dcaa2cb7 100644 +--- a/examples/scp_download.c ++++ b/examples/scp_download.c +@@ -108,7 +108,7 @@ static int fetch_files(ssh_session session){ + int size; + char buffer[BUF_SIZE]; + int mode; +- char *filename; ++ char *filename = NULL; + int r; + ssh_scp scp=ssh_scp_new(session, SSH_SCP_READ | SSH_SCP_RECURSIVE, "/tmp/libssh_tests/*"); + if(ssh_scp_init(scp) != SSH_OK){ +@@ -167,7 +167,7 @@ static int fetch_files(ssh_session session){ + } + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + if(opts(argc,argv)<0) + return EXIT_FAILURE; + session=connect_ssh(host,NULL,verbosity); +diff --git a/examples/senddata.c b/examples/senddata.c +index 21181fb9..78383a2b 100644 +--- a/examples/senddata.c ++++ b/examples/senddata.c +@@ -6,7 +6,7 @@ + #define LIMIT 0x100000000UL + + int main(void) { +- ssh_session 
session; ++ ssh_session session = NULL; + ssh_channel channel; + char buffer[1024*1024]; + int rc; +@@ -47,7 +47,7 @@ int main(void) { + if(total > LIMIT) + break; + } +- ++ + if (rc < 0) { + printf("error : %s\n",ssh_get_error(session)); + ssh_channel_close(channel); +diff --git a/examples/ssh_client.c b/examples/ssh_client.c +index aaf0cb5b..896890c3 100644 +--- a/examples/ssh_client.c ++++ b/examples/ssh_client.c +@@ -53,7 +53,7 @@ static struct termios terminal; + + static char *pcap_file = NULL; + +-static char *proxycommand; ++static char *proxycommand = NULL; + + static int auth_callback(const char *prompt, + char *buf, +@@ -252,7 +252,7 @@ static void select_loop(ssh_session session,ssh_channel channel) + + static void shell(ssh_session session) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + struct termios terminal_local; + int interactive=isatty(0); + +@@ -324,7 +324,7 @@ static void batch_shell(ssh_session session) + static int client(ssh_session session) + { + int auth = 0; +- char *banner; ++ char *banner = NULL; + int state; + + if (user) { +@@ -408,7 +408,7 @@ static void cleanup_pcap(void) + + int main(int argc, char **argv) + { +- ssh_session session; ++ ssh_session session = NULL; + + ssh_init(); + session = ssh_new(); +diff --git a/examples/sshd_direct-tcpip.c b/examples/sshd_direct-tcpip.c +index b0e29796..152377e9 100644 +--- a/examples/sshd_direct-tcpip.c ++++ b/examples/sshd_direct-tcpip.c +@@ -358,7 +358,7 @@ my_fd_data_function(UNUSED_PARAM(socket_t fd), + { + struct event_fd_data_struct *event_fd_data = (struct event_fd_data_struct *)userdata; + ssh_channel channel = event_fd_data->channel; +- ssh_session session; ++ ssh_session session = NULL; + int len, i, wr; + char buf[BUF_SIZE]; + int blocking; +@@ -452,8 +452,8 @@ open_tcp_socket(ssh_message msg) + { + struct sockaddr_in sin; + int forwardsock = -1; +- struct hostent *host; +- const char *dest_hostname; ++ struct hostent *host = NULL; ++ const char *dest_hostname = NULL; 
+ int dest_port; + + forwardsock = socket(AF_INET, SOCK_STREAM, 0); +@@ -496,8 +496,8 @@ message_callback(UNUSED_PARAM(ssh_session session), + UNUSED_PARAM(void *userdata)) + { + ssh_channel channel; +- int socket_fd, *pFd; +- struct ssh_channel_callbacks_struct *cb_chan; ++ int socket_fd, *pFd = NULL; ++ struct ssh_channel_callbacks_struct *cb_chan = NULL; + struct event_fd_data_struct *event_fd_data; + + _ssh_log(SSH_LOG_PACKET, "=== message_callback", "Message type: %d", +@@ -665,8 +665,8 @@ static struct argp argp = {options, parse_opt, args_doc, doc, NULL, NULL, NULL}; + int + main(int argc, char **argv) + { +- ssh_session session; +- ssh_bind sshbind; ++ ssh_session session = NULL; ++ ssh_bind sshbind = NULL; + struct ssh_server_callbacks_struct cb = { + .userdata = NULL, + .auth_password_function = auth_password, +diff --git a/examples/sshnetcat.c b/examples/sshnetcat.c +index 59b0a289..8a1153a6 100644 +--- a/examples/sshnetcat.c ++++ b/examples/sshnetcat.c +@@ -39,7 +39,7 @@ clients must be made or how a client should react. 
+ #define BUF_SIZE 4096 + #endif + +-char *host; ++char *host = NULL; + const char *desthost="localhost"; + const char *port="22"; + +@@ -193,7 +193,7 @@ static void forwarding(ssh_session session){ + + static int client(ssh_session session){ + int auth=0; +- char *banner; ++ char *banner = NULL; + int state; + + if (ssh_options_set(session, SSH_OPTIONS_HOST ,host) < 0) +@@ -246,7 +246,7 @@ void cleanup_pcap(void) + #endif + + int main(int argc, char **argv){ +- ssh_session session; ++ ssh_session session = NULL; + + session = ssh_new(); + +diff --git a/src/agent.c b/src/agent.c +index 6e3d7d79..c81b0805 100644 +--- a/src/agent.c ++++ b/src/agent.c +@@ -424,8 +424,9 @@ ssh_key ssh_agent_get_first_ident(struct ssh_session_struct *session, + + /* caller has to free comment */ + ssh_key ssh_agent_get_next_ident(struct ssh_session_struct *session, +- char **comment) { +- struct ssh_key_struct *key; ++ char **comment) ++{ ++ struct ssh_key_struct *key = NULL; + struct ssh_string_struct *blob = NULL; + struct ssh_string_struct *tmp = NULL; + int rc; +@@ -494,10 +495,10 @@ ssh_string ssh_agent_sign_data(ssh_session session, + const ssh_key pubkey, + struct ssh_buffer_struct *data) + { +- ssh_buffer request; +- ssh_buffer reply; +- ssh_string key_blob; +- ssh_string sig_blob; ++ ssh_buffer request = NULL; ++ ssh_buffer reply = NULL; ++ ssh_string key_blob = NULL; ++ ssh_string sig_blob = NULL; + unsigned int type = 0; + unsigned int flags = 0; + uint32_t dlen; +diff --git a/src/auth.c b/src/auth.c +index 4feb6558..98022311 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -195,8 +195,9 @@ static int ssh_userauth_get_response(ssh_session session) + * + * This banner should be shown to user prior to authentication + */ +-SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) { +- ssh_string banner; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_banner) ++{ ++ ssh_string banner = NULL; + (void)type; + (void)user; + +@@ -1398,7 +1399,7 @@ int ssh_userauth_agent_pubkey(ssh_session session, + 
const char *username, + ssh_public_key publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + key = ssh_key_new(); +diff --git a/src/bind.c b/src/bind.c +index a91e6747..c331006a 100644 +--- a/src/bind.c ++++ b/src/bind.c +@@ -74,7 +74,7 @@ + static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + int port) { + char port_c[6]; +- struct addrinfo *ai; ++ struct addrinfo *ai = NULL; + struct addrinfo hints; + int opt = 1; + socket_t s; +@@ -132,8 +132,9 @@ static socket_t bind_socket(ssh_bind sshbind, const char *hostname, + return s; + } + +-ssh_bind ssh_bind_new(void) { +- ssh_bind ptr; ++ssh_bind ssh_bind_new(void) ++{ ++ ssh_bind ptr = NULL; + + ptr = calloc(1, sizeof(struct ssh_bind_struct)); + if (ptr == NULL) { +@@ -251,7 +252,7 @@ static int ssh_bind_import_keys(ssh_bind sshbind) { + } + + int ssh_bind_listen(ssh_bind sshbind) { +- const char *host; ++ const char *host = NULL; + socket_t fd; + int rc; + +@@ -475,7 +476,7 @@ int ssh_bind_accept_fd(ssh_bind sshbind, ssh_session session, socket_t fd) + return SSH_ERROR; + } + } else { +- char *p; ++ char *p = NULL; + /* If something was set to the session prior to calling this + * function, keep only what is allowed by the options set in + * sshbind */ +diff --git a/src/bind_config.c b/src/bind_config.c +index 27c42c95..ed42cbe3 100644 +--- a/src/bind_config.c ++++ b/src/bind_config.c +@@ -200,7 +200,7 @@ local_parse_file(ssh_bind bind, + uint8_t *seen, + unsigned int depth) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -626,7 +626,7 @@ int ssh_bind_config_parse_file(ssh_bind bind, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + uint32_t parser_flags; + int rv; + +diff --git a/src/buffer.c b/src/buffer.c +index 8991e006..62fda334 100644 +--- a/src/buffer.c ++++ b/src/buffer.c +@@ -371,7 +371,8 @@ int ssh_buffer_allocate_size(struct ssh_buffer_struct 
*buffer, + */ + void *ssh_buffer_allocate(struct ssh_buffer_struct *buffer, uint32_t len) + { +- void *ptr; ++ void *ptr = NULL; ++ + buffer_verify(buffer); + + if (buffer->used + len < len) { +@@ -925,7 +926,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p; ++ const char *p = NULL; + union { + uint8_t byte; + uint16_t word; +@@ -934,7 +935,7 @@ int ssh_buffer_pack_va(struct ssh_buffer_struct *buffer, + ssh_string string; + void *data; + } o; +- char *cstring; ++ char *cstring = NULL; + bignum b; + size_t len; + size_t count; +@@ -1093,7 +1094,7 @@ int ssh_buffer_unpack_va(struct ssh_buffer_struct *buffer, + va_list ap) + { + int rc = SSH_ERROR; +- const char *p = format, *last; ++ const char *p = format, *last = NULL; + union { + uint8_t *byte; + uint16_t *word; +diff --git a/src/callbacks.c b/src/callbacks.c +index 3ed2f11c..6bfed62a 100644 +--- a/src/callbacks.c ++++ b/src/callbacks.c +@@ -113,7 +113,7 @@ int ssh_add_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + + int ssh_remove_channel_callbacks(ssh_channel channel, ssh_channel_callbacks cb) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (channel == NULL || channel->callbacks == NULL){ + return SSH_ERROR; +diff --git a/src/chachapoly.c b/src/chachapoly.c +index 2cd23854..354a0d26 100644 +--- a/src/chachapoly.c ++++ b/src/chachapoly.c +@@ -42,7 +42,7 @@ static int chacha20_set_encrypt_key(struct ssh_cipher_struct *cipher, + void *key, + void *IV) + { +- struct chacha20_poly1305_keysched *sched; ++ struct chacha20_poly1305_keysched *sched = NULL; + uint8_t *u8key = key; + (void)IV; + +diff --git a/src/channels.c b/src/channels.c +index ab6915a2..8290dbd1 100644 +--- a/src/channels.c ++++ b/src/channels.c +@@ -165,7 +165,7 @@ uint32_t ssh_channel_new_id(ssh_session session) + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_conf){ + uint32_t channelid=0; +- ssh_channel channel; ++ ssh_channel 
channel = NULL; + int rc; + (void)type; + (void)user; +@@ -226,7 +226,7 @@ error: + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_open_fail){ + +- ssh_channel channel; ++ ssh_channel channel = NULL; + char *error = NULL; + uint32_t code; + int rc; +@@ -386,7 +386,7 @@ end: + /* return channel with corresponding local id, or NULL if not found */ + ssh_channel ssh_channel_from_local(ssh_session session, uint32_t id) { + struct ssh_iterator *it; +- ssh_channel channel; ++ ssh_channel channel = NULL; + + for (it = ssh_list_get_iterator(session->channels); it != NULL ; it=it->next) { + channel = ssh_iterator_value(ssh_channel, it); +@@ -471,7 +471,7 @@ error: + */ + static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) + { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t chan; + int rc; + +@@ -493,7 +493,7 @@ static ssh_channel channel_from_msg(ssh_session session, ssh_buffer packet) + } + + SSH_PACKET_CALLBACK(channel_rcv_change_window) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + uint32_t bytes; + int rc; + (void)user; +@@ -632,7 +632,7 @@ SSH_PACKET_CALLBACK(channel_rcv_data){ + } + + SSH_PACKET_CALLBACK(channel_rcv_eof) { +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -676,8 +676,9 @@ static bool ssh_channel_has_unread_data(ssh_channel channel) + return false; + } + +-SSH_PACKET_CALLBACK(channel_rcv_close) { +- ssh_channel channel; ++SSH_PACKET_CALLBACK(channel_rcv_close) ++{ ++ ssh_channel channel = NULL; + (void)user; + (void)type; + +@@ -902,7 +903,7 @@ int channel_default_bufferize(ssh_channel channel, + void *data, uint32_t len, + bool is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + + if(channel == NULL) { + return -1; +@@ -1041,7 +1042,7 @@ int ssh_channel_open_auth_agent(ssh_channel channel) + int ssh_channel_open_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) + { +- ssh_session 
session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + ssh_string str = NULL; + int rc = SSH_ERROR; +@@ -1179,7 +1180,7 @@ error: + */ + void ssh_channel_free(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + + if (channel == NULL) { + return; +@@ -1280,7 +1281,7 @@ void ssh_channel_do_free(ssh_channel channel) + */ + int ssh_channel_send_eof(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = SSH_ERROR; + int err; + +@@ -1341,7 +1342,7 @@ error: + */ + int ssh_channel_close(ssh_channel channel) + { +- ssh_session session; ++ ssh_session session = NULL; + int rc = 0; + + if(channel == NULL) { +@@ -1437,7 +1438,7 @@ static int channel_write_common(ssh_channel channel, + const void *data, + uint32_t len, int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t origlen = len; + size_t effectivelen; + size_t maxpacketlen; +@@ -1694,7 +1695,7 @@ void ssh_channel_set_blocking(ssh_channel channel, int blocking) + * @brief handle a SSH_CHANNEL_SUCCESS packet and set the channel state. + */ + SSH_PACKET_CALLBACK(ssh_packet_channel_success){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1724,7 +1725,7 @@ SSH_PACKET_CALLBACK(ssh_packet_channel_success){ + * @brief Handle a SSH_CHANNEL_FAILURE packet and set the channel state. 
+ */ + SSH_PACKET_CALLBACK(ssh_packet_channel_failure){ +- ssh_channel channel; ++ ssh_channel channel = NULL; + (void)type; + (void)user; + +@@ -1863,7 +1864,7 @@ error: + int ssh_channel_request_pty_size(ssh_channel channel, const char *terminal, + int col, int row) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer buffer = NULL; + int rc = SSH_ERROR; + +@@ -2174,7 +2175,7 @@ static ssh_channel ssh_channel_accept(ssh_session session, int channeltype, + #endif + ssh_message msg = NULL; + ssh_channel channel = NULL; +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + int t; + + /* +@@ -2838,7 +2839,7 @@ error: + int channel_read_buffer(ssh_channel channel, ssh_buffer buffer, uint32_t count, + int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + char *buffer_tmp = NULL; + int r; + uint32_t total=0; +@@ -2979,7 +2980,7 @@ int ssh_channel_read_timeout(ssh_channel channel, + int is_stderr, + int timeout_ms) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer stdbuf; + uint32_t len; + struct ssh_channel_read_termination_struct ctx; +@@ -3103,7 +3104,7 @@ int ssh_channel_read_nonblocking(ssh_channel channel, + uint32_t count, + int is_stderr) + { +- ssh_session session; ++ ssh_session session = NULL; + uint32_t to_read; + int rc; + int blocking; +@@ -3213,8 +3214,8 @@ int ssh_channel_poll(ssh_channel channel, int is_stderr) + */ + int ssh_channel_poll_timeout(ssh_channel channel, int timeout, int is_stderr) + { +- ssh_session session; +- ssh_buffer stdbuf; ++ ssh_session session = NULL; ++ ssh_buffer stdbuf = NULL; + struct ssh_channel_read_termination_struct ctx; + size_t len; + int rc; +@@ -3341,7 +3342,7 @@ channel_protocol_select(ssh_channel *rchans, ssh_channel *wchans, + ssh_channel *echans, ssh_channel *rout, + ssh_channel *wout, ssh_channel *eout) + { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int i; + int j = 0; + +@@ -3422,7 +3423,7 @@ static size_t 
count_ptrs(ssh_channel *ptrs) + int ssh_channel_select(ssh_channel *readchans, ssh_channel *writechans, + ssh_channel *exceptchans, struct timeval * timeout) + { +- ssh_channel *rchans, *wchans, *echans; ++ ssh_channel *rchans = NULL, *wchans = NULL, *echans = NULL; + ssh_channel dummy = NULL; + ssh_event event = NULL; + int rc; +@@ -3615,7 +3616,7 @@ int ssh_channel_write_stderr(ssh_channel channel, const void *data, uint32_t len + int ssh_channel_open_reverse_forward(ssh_channel channel, const char *remotehost, + int remoteport, const char *sourcehost, int localport) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +@@ -3679,7 +3680,7 @@ error: + int ssh_channel_open_x11(ssh_channel channel, + const char *orig_addr, int orig_port) + { +- ssh_session session; ++ ssh_session session = NULL; + ssh_buffer payload = NULL; + int rc = SSH_ERROR; + +diff --git a/src/client.c b/src/client.c +index e912090e..0cfca1c4 100644 +--- a/src/client.c ++++ b/src/client.c +@@ -748,7 +748,7 @@ ssh_session_set_disconnect_message(ssh_session session, const char *message) + void + ssh_disconnect(ssh_session session) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + int rc; + + if (session == NULL) { +diff --git a/src/config.c b/src/config.c +index c5c40125..d4d8d419 100644 +--- a/src/config.c ++++ b/src/config.c +@@ -203,7 +203,7 @@ local_parse_file(ssh_session session, + unsigned int depth, + bool global) + { +- FILE *f; ++ FILE *f = NULL; + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; + int rv; +@@ -1201,7 +1201,7 @@ int ssh_config_parse_file(ssh_session session, const char *filename) + { + char line[MAX_LINE_SIZE] = {0}; + unsigned int count = 0; +- FILE *f; ++ FILE *f = NULL; + int parsing, rv; + bool global = 0; + +diff --git a/src/config_parser.c b/src/config_parser.c +index b8b94611..e55c76d0 100644 +--- a/src/config_parser.c ++++ b/src/config_parser.c +@@ -39,8 +39,8 @@ + */ + char 
*ssh_config_get_cmd(char **str) + { +- register char *c; +- char *r; ++ register char *c = NULL; ++ char *r = NULL; + + /* Ignore leading spaces */ + for (c = *str; *c; c++) { +@@ -67,7 +67,7 @@ out: + */ + char *ssh_config_get_token(char **str) + { +- register char *c; ++ register char *c = NULL; + bool had_equal = false; + char *r = NULL; + +@@ -116,7 +116,7 @@ out: + + long ssh_config_get_long(char **str, long notfound) + { +- char *p, *endp; ++ char *p = NULL, *endp = NULL; + long i; + + p = ssh_config_get_token(str); +@@ -133,7 +133,7 @@ long ssh_config_get_long(char **str, long notfound) + + const char *ssh_config_get_str_tok(char **str, const char *def) + { +- char *p; ++ char *p = NULL; + + p = ssh_config_get_token(str); + if (p && *p) { +@@ -145,7 +145,7 @@ const char *ssh_config_get_str_tok(char **str, const char *def) + + int ssh_config_get_yesno(char **str, int notfound) + { +- const char *p; ++ const char *p = NULL; + + p = ssh_config_get_str_tok(str, NULL); + if (p == NULL) { +diff --git a/src/connect.c b/src/connect.c +index 15cae644..2d09af5e 100644 +--- a/src/connect.c ++++ b/src/connect.c +@@ -194,8 +194,8 @@ socket_t ssh_connect_host_nonblocking(ssh_session session, const char *host, + } + + if (bind_addr) { +- struct addrinfo *bind_ai; +- struct addrinfo *bind_itr; ++ struct addrinfo *bind_ai = NULL; ++ struct addrinfo *bind_itr = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Resolving %s", bind_addr); + +diff --git a/src/connector.c b/src/connector.c +index 56716749..6632cca1 100644 +--- a/src/connector.c ++++ b/src/connector.c +@@ -637,8 +637,9 @@ error: + return rc; + } + +-int ssh_connector_remove_event(ssh_connector connector) { +- ssh_session session; ++int ssh_connector_remove_event(ssh_connector connector) ++{ ++ ssh_session session = NULL; + + if (connector->in_poll != NULL) { + ssh_event_remove_poll(connector->event, connector->in_poll); +diff --git a/src/dh_crypto.c b/src/dh_crypto.c +index 9ff7ad3c..4dd9b507 100644 +--- a/src/dh_crypto.c ++++ 
b/src/dh_crypto.c +@@ -404,7 +404,7 @@ done: + */ + int ssh_dh_init_common(struct ssh_crypto_struct *crypto) + { +- struct dh_ctx *ctx; ++ struct dh_ctx *ctx = NULL; + int rc; + + ctx = calloc(1, sizeof(*ctx)); +diff --git a/src/ecdh_gcrypt.c b/src/ecdh_gcrypt.c +index 3d9d426f..73fcd50f 100644 +--- a/src/ecdh_gcrypt.c ++++ b/src/ecdh_gcrypt.c +@@ -132,9 +132,9 @@ int ecdh_build_k(ssh_session session) + #else + size_t k_len = 0; + enum ssh_key_exchange_e kex_type = session->next_crypto->kex_type; +- ssh_string s; ++ ssh_string s = NULL; + #endif +- ssh_string pubkey_raw; ++ ssh_string pubkey_raw = NULL; + gcry_sexp_t pubkey = NULL; + ssh_string privkey = NULL; + int rc = SSH_ERROR; +diff --git a/src/gcrypt_missing.c b/src/gcrypt_missing.c +index e931ec5b..56dcfb6d 100644 +--- a/src/gcrypt_missing.c ++++ b/src/gcrypt_missing.c +@@ -47,7 +47,7 @@ int ssh_gcry_dec2bn(bignum *bn, const char *data) { + + char *ssh_gcry_bn2dec(bignum bn) { + bignum bndup, num, ten; +- char *ret; ++ char *ret = NULL; + int count, count2; + int size, rsize; + char decnum; +diff --git a/src/getpass.c b/src/getpass.c +index 6be33c77..c19c4bc0 100644 +--- a/src/getpass.c ++++ b/src/getpass.c +@@ -46,7 +46,7 @@ + */ + static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) + { +- char *tmp; ++ char *tmp = NULL; + char *ptr = NULL; + int ok = 0; + +@@ -78,7 +78,7 @@ static int ssh_gets(const char *prompt, char *buf, size_t len, int verify) + } + + if (verify) { +- char *key_string; ++ char *key_string = NULL; + + key_string = calloc(1, len); + if (key_string == NULL) { +diff --git a/src/gssapi.c b/src/gssapi.c +index 5325ac72..fd7b25af 100644 +--- a/src/gssapi.c ++++ b/src/gssapi.c +@@ -196,7 +196,7 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user, + gss_name_t server_name; /* local server fqdn */ + OM_uint32 maj_stat, min_stat; + size_t i; +- char *ptr; ++ char *ptr = NULL; + gss_OID_set supported; /* oids supported by server */ + gss_OID_set 
both_supported; /* oids supported by both client and server */ + gss_OID_set selected; /* oid selected for authentication */ +@@ -341,7 +341,7 @@ static char *ssh_gssapi_name_to_char(gss_name_t name) + { + gss_buffer_desc buffer; + OM_uint32 maj_stat, min_stat; +- char *ptr; ++ char *ptr = NULL; + maj_stat = gss_display_name(&min_stat, name, &buffer, NULL); + ssh_gssapi_log_error(SSH_LOG_WARNING, + "converting name", +@@ -359,9 +359,10 @@ static char *ssh_gssapi_name_to_char(gss_name_t name) + + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ +- ssh_string token; +- char *hexa; ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server) ++{ ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + gss_name_t client_name = GSS_C_NO_NAME; +@@ -385,7 +386,7 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_server){ + } + + if (ssh_callbacks_exists(session->server_callbacks, gssapi_accept_sec_ctx_function)){ +- ssh_string out_token=NULL; ++ ssh_string out_token = NULL; + rc = session->server_callbacks->gssapi_accept_sec_ctx_function(session, + token, &out_token, session->server_callbacks->userdata); + if (rc == SSH_ERROR){ +@@ -507,7 +508,7 @@ static ssh_buffer ssh_gssapi_build_mic(ssh_session session) + + SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_mic) + { +- ssh_string mic_token; ++ ssh_string mic_token = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc mic_buf = GSS_C_EMPTY_BUFFER; + gss_buffer_desc mic_token_buf = GSS_C_EMPTY_BUFFER; +@@ -670,7 +671,7 @@ static int ssh_gssapi_match(ssh_session session, gss_OID_set *valid_oids) + gss_name_t client_id = GSS_C_NO_NAME; + gss_OID oid; + unsigned int i; +- char *ptr; ++ char *ptr = NULL; + int ret; + + if (session->gssapi->client.client_deleg_creds == NULL) { +@@ -866,11 +867,11 @@ static gss_OID ssh_gssapi_oid_from_string(ssh_string oid_s) + + 
SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_response){ + int rc; +- ssh_string oid_s; ++ ssh_string oid_s = NULL; + gss_uint32 maj_stat, min_stat; + gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; + gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; +- char *hexa; ++ char *hexa = NULL; + (void)type; + (void)user; + +@@ -987,10 +988,11 @@ static int ssh_gssapi_send_mic(ssh_session session) + return ssh_packet_send(session); + } + +-SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client){ ++SSH_PACKET_CALLBACK(ssh_packet_userauth_gssapi_token_client) ++{ + int rc; +- ssh_string token; +- char *hexa; ++ ssh_string token = NULL; ++ char *hexa = NULL; + OM_uint32 maj_stat, min_stat; + gss_buffer_desc input_token, output_token = GSS_C_EMPTY_BUFFER; + (void)user; +diff --git a/src/kex.c b/src/kex.c +index fbc70cf4..ecfc0120 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -330,7 +330,7 @@ static int cmp_first_kex_algo(const char *client_str, + size_t client_kex_len; + size_t server_kex_len; + +- char *colon; ++ char *colon = NULL; + + int is_wrong = 1; + +@@ -762,7 +762,7 @@ char *ssh_client_select_hostkeys(ssh_session session) + int ssh_set_client_kex(ssh_session session) + { + struct ssh_kex_struct *client = &session->next_crypto->client_kex; +- const char *wanted; ++ const char *wanted = NULL; + int ok; + int i; + +diff --git a/src/known_hosts.c b/src/known_hosts.c +index 84e15572..f660a6f3 100644 +--- a/src/known_hosts.c ++++ b/src/known_hosts.c +@@ -79,8 +79,8 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + const char **found_type) + { + char buffer[MAX_LINE_SIZE] = {0}; +- char *ptr; +- struct ssh_tokens_st *tokens; ++ char *ptr = NULL; ++ struct ssh_tokens_st *tokens = NULL; + + if (*file == NULL) { + *file = fopen(filename,"r"); +@@ -149,7 +149,7 @@ static struct ssh_tokens_st *ssh_get_knownhost_line(FILE **file, + static int check_public_key(ssh_session session, char **tokens) { + ssh_string pubkey_blob = NULL; + ssh_buffer 
pubkey_buffer; +- char *pubkey_64; ++ char *pubkey_64 = NULL; + int rc; + + /* ssh-dss or ssh-rsa */ +@@ -205,11 +205,11 @@ static int match_hashed_host(const char *host, const char *sourcehash) + * hash := HMAC_SHA1(key=salt,data=host) + */ + unsigned char buffer[256] = {0}; +- ssh_buffer salt; +- ssh_buffer hash; +- HMACCTX mac; +- char *source; +- char *b64hash; ++ ssh_buffer salt = NULL; ++ ssh_buffer hash = NULL; ++ HMACCTX mac = NULL; ++ char *source = NULL; ++ char *b64hash = NULL; + int match, rc; + size_t size; + +@@ -304,14 +304,14 @@ static int match_hashed_host(const char *host, const char *sourcehash) + int ssh_is_server_known(ssh_session session) + { + FILE *file = NULL; +- char *host; +- char *hostport; +- const char *type; ++ char *host = NULL; ++ char *hostport = NULL; ++ const char *type = NULL; + int match; + int i = 0; +- char *files[3]; ++ char *files[3] = {0}; + +- struct ssh_tokens_st *tokens; ++ struct ssh_tokens_st *tokens = NULL; + + int ret = SSH_SERVER_NOT_KNOWN; + +@@ -443,12 +443,13 @@ int ssh_is_server_known(ssh_session session) + * @deprecated Please use ssh_session_export_known_hosts_entry() + * @brief This function is deprecated. 
+ */ +-char * ssh_dump_knownhost(ssh_session session) { ++char *ssh_dump_knownhost(ssh_session session) ++{ + ssh_key server_pubkey = NULL; +- char *host; +- char *hostport; +- char *buffer; +- char *b64_key; ++ char *host = NULL; ++ char *hostport = NULL; ++ char *buffer = NULL; ++ char *b64_key = NULL; + int rc; + + if (session->opts.host == NULL) { +@@ -513,9 +514,9 @@ char * ssh_dump_knownhost(ssh_session session) { + */ + int ssh_write_knownhost(ssh_session session) + { +- FILE *file; ++ FILE *file = NULL; + char *buffer = NULL; +- char *dir; ++ char *dir = NULL; + int rc; + + if (session->opts.knownhosts == NULL) { +diff --git a/src/knownhosts.c b/src/knownhosts.c +index 9f978096..109b4f06 100644 +--- a/src/knownhosts.c ++++ b/src/knownhosts.c +@@ -61,7 +61,7 @@ static int hash_hostname(const char *name, + size_t *hash_size) + { + int rc; +- HMACCTX mac_ctx; ++ HMACCTX mac_ctx = NULL; + + mac_ctx = hmac_init(salt, salt_size, SSH_HMAC_SHA1); + if (mac_ctx == NULL) { +@@ -81,8 +81,8 @@ static int hash_hostname(const char *name, + + static int match_hashed_hostname(const char *host, const char *hashed_host) + { +- char *hashed; +- char *b64_hash; ++ char *hashed = NULL; ++ char *b64_hash = NULL; + ssh_buffer salt = NULL; + ssh_buffer hash = NULL; + unsigned char hashed_buf[256] = {0}; +@@ -229,7 +229,7 @@ static int ssh_known_hosts_read_entries(const char *match, + char line[MAX_LINE_SIZE]; + size_t lineno = 0; + size_t len = 0; +- FILE *fp; ++ FILE *fp = NULL; + int rc; + + fp = fopen(filename, "r"); +@@ -288,7 +288,7 @@ static int ssh_known_hosts_read_entries(const char *match, + for (it = ssh_list_get_iterator(*entries); + it != NULL; + it = it->next) { +- struct ssh_knownhosts_entry *entry2; ++ struct ssh_knownhosts_entry *entry2 = NULL; + int cmp; + entry2 = ssh_iterator_value(struct ssh_knownhosts_entry *, it); + cmp = ssh_known_hosts_entries_compare(entry, entry2); +@@ -312,8 +312,8 @@ error: + + static char *ssh_session_get_host_port(ssh_session session) 
+ { +- char *host_port; +- char *host; ++ char *host_port = NULL; ++ char *host = NULL; + + if (session->opts.host == NULL) { + ssh_set_error(session, +@@ -537,7 +537,7 @@ char *ssh_known_hosts_get_algorithms_names(ssh_session session) + char *host_port = NULL; + size_t count; + bool needcomma = false; +- char *names; ++ char *names = NULL; + + int rc; + +@@ -645,7 +645,7 @@ int ssh_known_hosts_parse_line(const char *hostname, + { + struct ssh_knownhosts_entry *e = NULL; + char *known_host = NULL; +- char *p; ++ char *p = NULL; + char *save_tok = NULL; + enum ssh_keytypes_e key_type; + int match = 0; +diff --git a/src/legacy.c b/src/legacy.c +index 7b165dbe..7359040c 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -48,7 +48,7 @@ int ssh_auth_list(ssh_session session) { + int ssh_userauth_offer_pubkey(ssh_session session, const char *username, + int type, ssh_string publickey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -70,7 +70,7 @@ int ssh_userauth_pubkey(ssh_session session, + ssh_string publickey, + ssh_private_key privatekey) + { +- ssh_key key; ++ ssh_key key = NULL; + int rc; + + (void) publickey; /* unused */ +@@ -389,10 +389,11 @@ void publickey_free(ssh_public_key key) { + SAFE_FREE(key); + } + +-ssh_public_key publickey_from_privatekey(ssh_private_key prv) { +- struct ssh_public_key_struct *p; +- ssh_key privkey; +- ssh_key pubkey; ++ssh_public_key publickey_from_privatekey(ssh_private_key prv) ++{ ++ struct ssh_public_key_struct *p = NULL; ++ ssh_key privkey = NULL; ++ ssh_key pubkey = NULL; + int rc; + + privkey = ssh_key_new(); +@@ -434,8 +435,8 @@ ssh_private_key privatekey_from_file(ssh_session session, + const char *passphrase) { + ssh_auth_callback auth_fn = NULL; + void *auth_data = NULL; +- ssh_private_key privkey; +- ssh_key key; ++ ssh_private_key privkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) type; /* unused */ +@@ -510,7 +511,7 @@ void privatekey_free(ssh_private_key prv) { + + 
ssh_string publickey_from_file(ssh_session session, const char *filename, + int *type) { +- ssh_key key; ++ ssh_key key = NULL; + ssh_string key_str = NULL; + int rc; + +@@ -543,9 +544,10 @@ int ssh_type_from_name(const char *name) { + return ssh_key_type_from_name(name); + } + +-ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { +- struct ssh_public_key_struct *pubkey; +- ssh_key key; ++ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) ++{ ++ struct ssh_public_key_struct *pubkey = NULL; ++ ssh_key key = NULL; + int rc; + + (void) session; /* unused */ +@@ -579,9 +581,10 @@ ssh_public_key publickey_from_string(ssh_session session, ssh_string pubkey_s) { + return pubkey; + } + +-ssh_string publickey_to_string(ssh_public_key pubkey) { +- ssh_key key; +- ssh_string key_blob; ++ssh_string publickey_to_string(ssh_public_key pubkey) ++{ ++ ssh_key key = NULL; ++ ssh_string key_blob = NULL; + int rc; + + if (pubkey == NULL) { +@@ -624,11 +627,11 @@ int ssh_publickey_to_file(ssh_session session, + ssh_string pubkey, + int type) + { +- FILE *fp; +- char *user; ++ FILE *fp = NULL; ++ char *user = NULL; + char buffer[1024]; + char host[256]; +- unsigned char *pubkey_64; ++ unsigned char *pubkey_64 = NULL; + size_t len; + int rc; + if(session==NULL) +@@ -695,9 +698,9 @@ int ssh_try_publickey_from_file(ssh_session session, + const char *keyfile, + ssh_string *publickey, + int *type) { +- char *pubkey_file; ++ char *pubkey_file = NULL; + size_t len; +- ssh_string pubkey_string; ++ ssh_string pubkey_string = NULL; + int pubkey_type; + + if (session == NULL || keyfile == NULL || publickey == NULL || type == NULL) { +diff --git a/src/libmbedcrypto.c b/src/libmbedcrypto.c +index caa3b6e9..422d5ae2 100644 +--- a/src/libmbedcrypto.c ++++ b/src/libmbedcrypto.c +@@ -133,7 +133,7 @@ cipher_init(struct ssh_cipher_struct *cipher, + void *IV) + { + const mbedtls_cipher_info_t *cipher_info = NULL; +- mbedtls_cipher_context_t *ctx; ++ 
mbedtls_cipher_context_t *ctx = NULL; + size_t key_bitlen = 0; + size_t iv_size = 0; + int rc; +diff --git a/src/log.c b/src/log.c +index 5bae18b8..fabbe945 100644 +--- a/src/log.c ++++ b/src/log.c +@@ -44,7 +44,7 @@ + + static LIBSSH_THREAD int ssh_log_level; + static LIBSSH_THREAD ssh_logging_callback ssh_log_cb; +-static LIBSSH_THREAD void *ssh_log_userdata; ++static LIBSSH_THREAD void *ssh_log_userdata = NULL; + + /** + * @defgroup libssh_log The SSH logging functions +diff --git a/src/messages.c b/src/messages.c +index 3f969536..6dadabf0 100644 +--- a/src/messages.c ++++ b/src/messages.c +@@ -479,7 +479,7 @@ static void ssh_message_queue(ssh_session session, ssh_message message) + */ + ssh_message ssh_message_pop_head(ssh_session session){ + ssh_message msg=NULL; +- struct ssh_iterator *i; ++ struct ssh_iterator *i = NULL; + if(session->ssh_message_list == NULL) + return NULL; + i=ssh_list_get_iterator(session->ssh_message_list); +@@ -493,7 +493,7 @@ ssh_message ssh_message_pop_head(ssh_session session){ + /* Returns 1 if there is a message available */ + static int ssh_message_termination(void *s){ + ssh_session session = s; +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + if(session->session_state == SSH_SESSION_STATE_ERROR) + return 1; + it = ssh_list_get_iterator(session->ssh_message_list); +@@ -694,7 +694,7 @@ static ssh_buffer ssh_msg_userauth_build_digest(ssh_session session, + ssh_string algo) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_buffer buffer; ++ ssh_buffer buffer = NULL; + ssh_string str=NULL; + int rc; + +@@ -933,9 +933,9 @@ SSH_PACKET_CALLBACK(ssh_packet_userauth_request){ + #ifdef WITH_GSSAPI + if (strcmp(method, "gssapi-with-mic") == 0) { + uint32_t n_oid; +- ssh_string *oids; +- ssh_string oid; +- char *hexa; ++ ssh_string *oids = NULL; ++ ssh_string oid = NULL; ++ char *hexa = NULL; + int i; + ssh_buffer_get_u32(packet, &n_oid); + n_oid=ntohl(n_oid); +@@ -1019,7 +1019,7 @@ 
SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + SSH_PACKET_CALLBACK(ssh_packet_userauth_info_response){ + uint32_t nanswers; + uint32_t i; +- ssh_string tmp; ++ ssh_string tmp = NULL; + int rc; + + ssh_message msg = NULL; +@@ -1251,7 +1251,7 @@ end: + * @returns SSH_OK on success, SSH_ERROR if an error occurred. + */ + int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_channel chan) { +- ssh_session session; ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1302,7 +1302,7 @@ int ssh_message_channel_request_open_reply_accept_channel(ssh_message msg, ssh_c + * @returns NULL in case of error + */ + ssh_channel ssh_message_channel_request_open_reply_accept(ssh_message msg) { +- ssh_channel chan; ++ ssh_channel chan = NULL; + int rc; + + if (msg == NULL) { +diff --git a/src/misc.c b/src/misc.c +index 7081f12a..f371f332 100644 +--- a/src/misc.c ++++ b/src/misc.c +@@ -393,7 +393,7 @@ int ssh_is_ipaddr(const char *str) + + char *ssh_lowercase(const char* str) + { +- char *new, *p; ++ char *new = NULL, *p = NULL; + + if (str == NULL) { + return NULL; +@@ -447,7 +447,7 @@ char *ssh_hostport(const char *host, int port) + char *ssh_get_hexa(const unsigned char *what, size_t len) + { + const char h[] = "0123456789abcdef"; +- char *hexa; ++ char *hexa = NULL; + size_t i; + size_t hlen = len * 3; + +@@ -716,7 +716,7 @@ struct ssh_list *ssh_list_new(void) + + void ssh_list_free(struct ssh_list *list) + { +- struct ssh_iterator *ptr, *next; ++ struct ssh_iterator *ptr = NULL, *next = NULL; + if (!list) + return; + ptr = list->root; +@@ -737,7 +737,7 @@ struct ssh_iterator *ssh_list_get_iterator(const struct ssh_list *list) + + struct ssh_iterator *ssh_list_find(const struct ssh_list *list, void *value) + { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + for (it = ssh_list_get_iterator(list); it != NULL ; it = it->next) + if (it->data == value) +@@ -826,7 +826,7 @@ int ssh_list_prepend(struct ssh_list *list, 
const void *data) + + void ssh_list_remove(struct ssh_list *list, struct ssh_iterator *iterator) + { +- struct ssh_iterator *ptr, *prev; ++ struct ssh_iterator *ptr = NULL, *prev = NULL; + + if (list == NULL) { + return; +@@ -967,7 +967,7 @@ char *ssh_dirname (const char *path) + char *ssh_basename (const char *path) + { + char *new = NULL; +- const char *s; ++ const char *s = NULL; + size_t len; + + if (path == NULL || *path == '\0') { +@@ -1105,8 +1105,8 @@ int ssh_mkdirs(const char *pathname, mode_t mode) + */ + char *ssh_path_expand_tilde(const char *d) + { +- char *h = NULL, *r; +- const char *p; ++ char *h = NULL, *r = NULL; ++ const char *p = NULL; + size_t ld; + size_t lh = 0; + +@@ -1121,7 +1121,7 @@ char *ssh_path_expand_tilde(const char *d) + #ifdef _WIN32 + return strdup(d); + #else +- struct passwd *pw; ++ struct passwd *pw = NULL; + size_t s = p - d; + char u[128]; + +@@ -1182,7 +1182,7 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) + char *buf = NULL; + char *r = NULL; + char *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -1335,8 +1335,8 @@ char *ssh_path_expand_escape(ssh_session session, const char *s) + */ + int ssh_analyze_banner(ssh_session session, int server) + { +- const char *banner; +- const char *openssh; ++ const char *banner = NULL; ++ const char *openssh = NULL; + + if (server) { + banner = session->clientbanner; +diff --git a/src/options.c b/src/options.c +index 38511455..b641b34f 100644 +--- a/src/options.c ++++ b/src/options.c +@@ -67,7 +67,7 @@ + */ + int ssh_options_copy(ssh_session src, ssh_session *dest) + { +- ssh_session new; ++ ssh_session new = NULL; + struct ssh_iterator *it = NULL; + struct ssh_list *list = NULL; + char *id = NULL; +@@ -499,8 +499,8 @@ int ssh_options_set_algo(ssh_session session, + int ssh_options_set(ssh_session session, enum ssh_options_e type, + const void *value) + { +- const char *v; +- char *p, *q; ++ const char *v = 
NULL; ++ char *p = NULL, *q = NULL; + long int i; + unsigned int u; + int rc; +@@ -1170,7 +1170,7 @@ int ssh_options_get_port(ssh_session session, unsigned int* port_target) { + */ + int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + { +- char* src = NULL; ++ char *src = NULL; + + if (session == NULL) { + return SSH_ERROR; +@@ -1192,7 +1192,7 @@ int ssh_options_get(ssh_session session, enum ssh_options_e type, char** value) + break; + } + case SSH_OPTIONS_IDENTITY: { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + it = ssh_list_get_iterator(session->opts.identity); + if (it == NULL) { + it = ssh_list_get_iterator(session->opts.identity_non_exp); +@@ -1445,7 +1445,7 @@ int ssh_options_getopt(ssh_session session, int *argcptr, char **argv) + */ + int ssh_options_parse_config(ssh_session session, const char *filename) + { +- char *expanded_filename; ++ char *expanded_filename = NULL; + int r; + + if (session == NULL) { +@@ -1491,7 +1491,7 @@ out: + + int ssh_options_apply(ssh_session session) + { +- char *tmp; ++ char *tmp = NULL; + int rc; + + if (session->opts.sshdir == NULL) { +@@ -2204,7 +2204,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + char *buf = NULL; + char *r = NULL; + char *x = NULL; +- const char *p; ++ const char *p = NULL; + size_t i, l; + + r = ssh_path_expand_tilde(s); +@@ -2310,7 +2310,7 @@ static char *ssh_bind_options_expand_escape(ssh_bind sshbind, const char *s) + int ssh_bind_options_parse_config(ssh_bind sshbind, const char *filename) + { + int rc = 0; +- char *expanded_filename; ++ char *expanded_filename = NULL; + + if (sshbind == NULL) { + return -1; +diff --git a/src/packet.c b/src/packet.c +index ea73f9ad..4b4d0dc3 100644 +--- a/src/packet.c ++++ b/src/packet.c +@@ -1430,8 +1430,8 @@ error: + static void ssh_packet_socket_controlflow_callback(int code, void *userdata) + { + ssh_session session = userdata; +- struct ssh_iterator *it; +- ssh_channel 
channel; ++ struct ssh_iterator *it = NULL; ++ ssh_channel channel = NULL; + + if (code == SSH_SOCKET_FLOW_WRITEWONTBLOCK) { + SSH_LOG(SSH_LOG_TRACE, "sending channel_write_wontblock callback"); +@@ -1894,7 +1894,7 @@ int ssh_packet_send(ssh_session session) + + /* We finished the key exchange so we can try to send our queue now */ + if (rc == SSH_OK && type == SSH2_MSG_NEWKEYS) { +- struct ssh_iterator *it; ++ struct ssh_iterator *it = NULL; + + if (session->flags & SSH_SESSION_FLAG_KEX_STRICT) { + /* reset packet sequence number when running in strict kex mode */ +diff --git a/src/packet_crypt.c b/src/packet_crypt.c +index fe3f489e..96e9586c 100644 +--- a/src/packet_crypt.c ++++ b/src/packet_crypt.c +@@ -262,7 +262,7 @@ int ssh_packet_hmac_verify(ssh_session session, + { + struct ssh_crypto_struct *crypto = NULL; + unsigned char hmacbuf[DIGEST_MAX_LEN] = {0}; +- HMACCTX ctx; ++ HMACCTX ctx = NULL; + size_t hmaclen = DIGEST_MAX_LEN; + uint32_t seq; + int cmp; +diff --git a/src/pki.c b/src/pki.c +index a7c84c5e..cf4176fb 100644 +--- a/src/pki.c ++++ b/src/pki.c +@@ -369,7 +369,7 @@ enum ssh_digest_e ssh_key_hash_from_name(const char *name) + */ + int ssh_key_algorithm_allowed(ssh_session session, const char *type) + { +- const char *allowed_list; ++ const char *allowed_list = NULL; + + if (session->client) { + allowed_list = session->opts.pubkey_accepted_types; +@@ -729,7 +729,7 @@ int ssh_key_cmp(const ssh_key k1, + + ssh_signature ssh_signature_new(void) + { +- struct ssh_signature_struct *sig; ++ struct ssh_signature_struct *sig = NULL; + + sig = malloc(sizeof(struct ssh_signature_struct)); + if (sig == NULL) { +@@ -821,7 +821,7 @@ int ssh_pki_import_privkey_base64(const char *b64_key, + void *auth_data, + ssh_key *pkey) + { +- ssh_key key; ++ ssh_key key = NULL; + char *openssh_header = NULL; + + if (b64_key == NULL || pkey == NULL) { +@@ -944,8 +944,8 @@ int ssh_pki_import_privkey_file(const char *filename, + void *auth_data, + ssh_key *pkey) { + struct stat 
sb; +- char *key_buf; +- FILE *file; ++ char *key_buf = NULL; ++ FILE *file = NULL; + off_t size; + int rc; + char err_msg[SSH_ERRNO_MSG_MAX] = {0}; +@@ -1046,7 +1046,7 @@ int ssh_pki_export_privkey_file(const ssh_key privkey, + void *auth_data, + const char *filename) + { +- ssh_string blob; ++ ssh_string blob = NULL; + FILE *fp; + int rc; + +@@ -1093,8 +1093,8 @@ int ssh_pki_export_privkey_file(const ssh_key privkey, + /* temporary function to migrate seamlessly to ssh_key */ + ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) + { +- ssh_public_key pub; +- ssh_key tmp; ++ ssh_public_key pub = NULL; ++ ssh_key tmp = NULL; + + if (key == NULL) { + return NULL; +@@ -1131,7 +1131,7 @@ ssh_public_key ssh_pki_convert_key_to_publickey(const ssh_key key) + + ssh_private_key ssh_pki_convert_key_to_privatekey(const ssh_key key) + { +- ssh_private_key privkey; ++ ssh_private_key privkey = NULL; + + privkey = calloc(1, sizeof(struct ssh_private_key_struct)); + if (privkey == NULL) { +@@ -1521,9 +1521,9 @@ static int pki_import_cert_buffer(ssh_buffer buffer, + enum ssh_keytypes_e type, + ssh_key *pkey) + { +- ssh_buffer cert; +- ssh_string tmp_s; +- const char *type_c; ++ ssh_buffer cert = NULL; ++ ssh_string tmp_s = NULL; ++ const char *type_c = NULL; + ssh_key key = NULL; + int rc; + +@@ -2067,7 +2067,7 @@ error: + int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + ssh_key *pkey) + { +- ssh_key pubkey; ++ ssh_key pubkey = NULL; + + if (privkey == NULL || !ssh_key_is_private(privkey)) { + return SSH_ERROR; +@@ -2105,7 +2105,7 @@ int ssh_pki_export_privkey_to_pubkey(const ssh_key privkey, + int ssh_pki_export_pubkey_blob(const ssh_key key, + ssh_string *pblob) + { +- ssh_string blob; ++ ssh_string blob = NULL; + + if (key == NULL) { + return SSH_OK; +@@ -2135,8 +2135,8 @@ int ssh_pki_export_pubkey_blob(const ssh_key key, + int ssh_pki_export_pubkey_base64(const ssh_key key, + char **b64_key) + { +- ssh_string key_blob; +- unsigned char *b64; ++ 
ssh_string key_blob = NULL; ++ unsigned char *b64 = NULL; + + if (key == NULL || b64_key == NULL) { + return SSH_ERROR; +@@ -2175,9 +2175,9 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + { + char key_buf[MAX_LINE_SIZE]; + char host[256]; +- char *b64_key; +- char *user; +- FILE *fp; ++ char *b64_key = NULL; ++ char *user = NULL; ++ FILE *fp = NULL; + int rc; + + if (key == NULL || filename == NULL || *filename == '\0') { +@@ -2238,7 +2238,7 @@ int ssh_pki_export_pubkey_file(const ssh_key key, + * @returns SSH_OK on success, SSH_ERROR otherwise. + **/ + int ssh_pki_copy_cert_to_privkey(const ssh_key certkey, ssh_key privkey) { +- ssh_buffer cert_buffer; ++ ssh_buffer cert_buffer = NULL; + int rc; + + if (certkey == NULL || privkey == NULL) { +@@ -2273,7 +2273,7 @@ int ssh_pki_export_signature_blob(const ssh_signature sig, + ssh_string *sig_blob) + { + ssh_buffer buf = NULL; +- ssh_string str; ++ ssh_string str = NULL; + int rc; + + if (sig == NULL || sig_blob == NULL) { +@@ -2337,7 +2337,7 @@ int ssh_pki_import_signature_blob(const ssh_string sig_blob, + enum ssh_keytypes_e type; + enum ssh_digest_e hash_type; + ssh_string algorithm = NULL, blob = NULL; +- ssh_buffer buf; ++ ssh_buffer buf = NULL; + const char *alg = NULL; + uint8_t flags = 0; + uint32_t counter = 0; +@@ -2697,9 +2697,9 @@ ssh_string ssh_pki_do_sign_agent(ssh_session session, + const ssh_key pubkey) + { + struct ssh_crypto_struct *crypto = NULL; +- ssh_string session_id; +- ssh_string sig_blob; +- ssh_buffer sig_buf; ++ ssh_string session_id = NULL; ++ ssh_string sig_blob = NULL; ++ ssh_buffer sig_buf = NULL; + int rc; + + crypto = ssh_packet_get_current_crypto(session, SSH_DIRECTION_BOTH); +diff --git a/src/pki_container_openssh.c b/src/pki_container_openssh.c +index 4314c5b7..f2776c2c 100644 +--- a/src/pki_container_openssh.c ++++ b/src/pki_container_openssh.c +@@ -234,12 +234,12 @@ ssh_pki_openssh_import(const char *text_key, + bool private) + { + const char *ptr = text_key; +- const char 
*end; +- char *base64; ++ const char *end = NULL; ++ char *base64 = NULL; + int cmp; + int rc; + int i; +- ssh_buffer buffer = NULL, privkey_buffer=NULL; ++ ssh_buffer buffer = NULL, privkey_buffer = NULL; + char *magic = NULL, *ciphername = NULL, *kdfname = NULL; + uint32_t nkeys = 0, checkint1 = 0, checkint2 = 0xFFFF; + ssh_string kdfoptions = NULL; +@@ -538,14 +538,14 @@ ssh_string ssh_pki_openssh_privkey_export(const ssh_key privkey, + { + ssh_buffer buffer; + ssh_string str = NULL; +- ssh_string pubkey_s=NULL; ++ ssh_string pubkey_s = NULL; + ssh_buffer privkey_buffer = NULL; + uint32_t rnd; + uint32_t rounds = 16; +- ssh_string salt=NULL; +- ssh_string kdf_options=NULL; ++ ssh_string salt = NULL; ++ ssh_string kdf_options = NULL; + int to_encrypt=0; +- unsigned char *b64; ++ unsigned char *b64 = NULL; + uint32_t str_len, len; + uint8_t padding = 1; + int ok; +diff --git a/src/pki_crypto.c b/src/pki_crypto.c +index aec49544..0fc69121 100644 +--- a/src/pki_crypto.c ++++ b/src/pki_crypto.c +@@ -382,7 +382,7 @@ int pki_pubkey_build_ecdsa(ssh_key key, int nid, ssh_string e) + #else + int rc; + const char *group_name = OSSL_EC_curve_nid2name(nid); +- OSSL_PARAM_BLD *param_bld; ++ OSSL_PARAM_BLD *param_bld = NULL; + #endif /* OPENSSL_VERSION_NUMBER */ + + key->ecdsa_nid = nid; +@@ -2299,7 +2299,7 @@ static ssh_string pki_ecdsa_signature_to_blob(const ssh_signature sig) + const unsigned char *raw_sig_data = NULL; + size_t raw_sig_len; + +- ECDSA_SIG *ecdsa_sig; ++ ECDSA_SIG *ecdsa_sig = NULL; + + int rc; + +@@ -2616,8 +2616,8 @@ static int pki_signature_from_ecdsa_blob(UNUSED_PARAM(const ssh_key pubkey), + ECDSA_SIG *ecdsa_sig = NULL; + BIGNUM *pr = NULL, *ps = NULL; + +- ssh_string r; +- ssh_string s; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + + ssh_buffer buf = NULL; + uint32_t rlen; +diff --git a/src/pki_ed25519.c b/src/pki_ed25519.c +index 6a5a4a8a..0674fb63 100644 +--- a/src/pki_ed25519.c ++++ b/src/pki_ed25519.c +@@ -62,7 +62,7 @@ int 
pki_ed25519_sign(const ssh_key privkey, + size_t hlen) + { + int rc; +- uint8_t *buffer; ++ uint8_t *buffer = NULL; + uint64_t dlen = 0; + + buffer = malloc(hlen + ED25519_SIG_LEN); +@@ -104,8 +104,8 @@ int pki_ed25519_verify(const ssh_key pubkey, + size_t hlen) + { + uint64_t mlen = 0; +- uint8_t *buffer; +- uint8_t *buffer2; ++ uint8_t *buffer = NULL; ++ uint8_t *buffer2 = NULL; + int rc; + + if (pubkey == NULL || sig == NULL || +diff --git a/src/pki_ed25519_common.c b/src/pki_ed25519_common.c +index bdc6f6bb..59a3b03c 100644 +--- a/src/pki_ed25519_common.c ++++ b/src/pki_ed25519_common.c +@@ -213,7 +213,7 @@ int pki_ed25519_public_key_to_blob(ssh_buffer buffer, ssh_key key) + */ + ssh_string pki_ed25519_signature_to_blob(ssh_signature sig) + { +- ssh_string sig_blob; ++ ssh_string sig_blob = NULL; + int rc; + + #ifdef HAVE_OPENSSL_ED25519 +diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c +index 418a46b3..cb4de325 100644 +--- a/src/pki_gcrypt.c ++++ b/src/pki_gcrypt.c +@@ -152,7 +152,7 @@ static ssh_string asn1_get_int(ssh_buffer buffer) { + + static ssh_string asn1_get_bit_string(ssh_buffer buffer) + { +- ssh_string str; ++ ssh_string str = NULL; + unsigned char type; + uint32_t size; + unsigned char unused, last, *p; +@@ -1882,9 +1882,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P521: + #ifdef HAVE_GCRYPT_ECC + { +- ssh_string R; +- ssh_string S; +- ssh_buffer b; ++ ssh_string R = NULL; ++ ssh_string S = NULL; ++ ssh_buffer b = NULL; + + b = ssh_buffer_new(); + if (b == NULL) { +@@ -2054,8 +2054,8 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_SK_ECDSA: + #ifdef HAVE_GCRYPT_ECC + { /* build ecdsa siganature */ +- ssh_buffer b; +- ssh_string r, s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL, s = NULL; + uint32_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/pki_mbedcrypto.c b/src/pki_mbedcrypto.c +index cb9d3228..01813702 100644 +--- a/src/pki_mbedcrypto.c ++++ 
b/src/pki_mbedcrypto.c +@@ -1078,9 +1078,9 @@ ssh_string pki_signature_to_blob(const ssh_signature sig) + case SSH_KEYTYPE_ECDSA_P256: + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: { +- ssh_string r; +- ssh_string s; +- ssh_buffer b; ++ ssh_string r = NULL; ++ ssh_string s = NULL; ++ ssh_buffer b = NULL; + int rc; + + b = ssh_buffer_new(); +@@ -1234,9 +1234,9 @@ ssh_signature pki_signature_from_blob(const ssh_key pubkey, + case SSH_KEYTYPE_ECDSA_P384: + case SSH_KEYTYPE_ECDSA_P521: + case SSH_KEYTYPE_SK_ECDSA: { +- ssh_buffer b; +- ssh_string r; +- ssh_string s; ++ ssh_buffer b = NULL; ++ ssh_string r = NULL; ++ ssh_string s = NULL; + size_t rlen; + + b = ssh_buffer_new(); +diff --git a/src/poll.c b/src/poll.c +index 8f81c11c..d0f9726d 100644 +--- a/src/poll.c ++++ b/src/poll.c +@@ -560,8 +560,8 @@ void ssh_poll_ctx_free(ssh_poll_ctx ctx) + + static int ssh_poll_ctx_resize(ssh_poll_ctx ctx, size_t new_size) + { +- ssh_poll_handle *pollptrs; +- ssh_pollfd_t *pollfds; ++ ssh_poll_handle *pollptrs = NULL; ++ ssh_pollfd_t *pollfds = NULL; + + pollptrs = realloc(ctx->pollptrs, sizeof(ssh_poll_handle) * new_size); + if (pollptrs == NULL) { +@@ -862,7 +862,7 @@ ssh_event_add_fd(ssh_event event, socket_t fd, short events, + ssh_event_callback cb, void *userdata) + { + ssh_poll_handle p; +- struct ssh_event_fd_wrapper *pw; ++ struct ssh_event_fd_wrapper *pw = NULL; + + if(event == NULL || event->ctx == NULL || cb == NULL + || fd == SSH_INVALID_SOCKET) { +@@ -932,7 +932,7 @@ int ssh_event_add_session(ssh_event event, ssh_session session) + { + ssh_poll_handle p; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; + #endif + + if(event == NULL || event->ctx == NULL || session == NULL) { +@@ -1079,7 +1079,7 @@ int ssh_event_remove_session(ssh_event event, ssh_session session) + register size_t i, used; + int rc = SSH_ERROR; + #ifdef WITH_SERVER +- struct ssh_iterator *iterator; ++ struct ssh_iterator *iterator = NULL; 
+ #endif + + if (event == NULL || event->ctx == NULL || session == NULL) { +diff --git a/src/server.c b/src/server.c +index 70b90899..89f8d8b0 100644 +--- a/src/server.c ++++ b/src/server.c +@@ -85,8 +85,8 @@ int server_set_kex(ssh_session session) + { + struct ssh_kex_struct *server = &session->next_crypto->server_kex; + int i, j, rc; +- const char *wanted, *allowed; +- char *kept; ++ const char *wanted = NULL, *allowed = NULL; ++ char *kept = NULL; + char hostkeys[128] = {0}; + enum ssh_keytypes_e keytype; + size_t len; +@@ -219,9 +219,10 @@ int ssh_server_init_kex(ssh_session session) { + return server_set_kex(session); + } + +-static int ssh_server_send_extensions(ssh_session session) { ++static int ssh_server_send_extensions(ssh_session session) ++{ + int rc; +- const char *hostkey_algorithms; ++ const char *hostkey_algorithms = NULL; + + SSH_LOG(SSH_LOG_PACKET, "Sending SSH_MSG_EXT_INFO"); + +@@ -286,8 +287,8 @@ ssh_get_key_params(ssh_session session, + ssh_key *privkey, + enum ssh_digest_e *digest) + { +- ssh_key pubkey; +- ssh_string pubkey_blob; ++ ssh_key pubkey = NULL; ++ ssh_string pubkey_blob = NULL; + int rc; + + switch(session->srv.hostkey) { +@@ -723,8 +724,9 @@ static int ssh_message_service_request_reply_default(ssh_message msg) { + * + * @returns SSH_OK when success otherwise SSH_ERROR + */ +-int ssh_message_service_reply_success(ssh_message msg) { +- ssh_session session; ++int ssh_message_service_reply_success(ssh_message msg) ++{ ++ ssh_session session = NULL; + int rc; + + if (msg == NULL) { +@@ -1132,8 +1134,9 @@ int ssh_message_auth_reply_pk_ok(ssh_message msg, ssh_string algo, ssh_string pu + * + * @returns SSH_OK on success, otherwise SSH_ERROR + */ +-int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) { +- ssh_string algo; ++int ssh_message_auth_reply_pk_ok_simple(ssh_message msg) ++{ ++ ssh_string algo = NULL; + ssh_string pubkey_blob = NULL; + int ret; + +diff --git a/src/session.c b/src/session.c +index 8c509699..0e0f622b 100644 
+--- a/src/session.c ++++ b/src/session.c +@@ -58,7 +58,7 @@ + */ + ssh_session ssh_new(void) + { +- ssh_session session; ++ ssh_session session = NULL; + char *id = NULL; + int rc; + +@@ -280,7 +280,7 @@ void ssh_free(ssh_session session) + + /* options */ + if (session->opts.identity) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity); + id != NULL; +@@ -291,7 +291,7 @@ void ssh_free(ssh_session session) + } + + if (session->opts.identity_non_exp) { +- char *id; ++ char *id = NULL; + + for (id = ssh_list_pop_head(char *, session->opts.identity_non_exp); + id != NULL; +@@ -1157,7 +1157,7 @@ int ssh_get_publickey_hash(const ssh_key key, + unsigned char **hash, + size_t *hlen) + { +- ssh_string blob; ++ ssh_string blob = NULL; + unsigned char *h = NULL; + int rc; + +@@ -1169,7 +1169,7 @@ int ssh_get_publickey_hash(const ssh_key key, + switch (type) { + case SSH_PUBLICKEY_HASH_SHA1: + { +- SHACTX ctx; ++ SHACTX ctx = NULL; + + h = calloc(1, SHA_DIGEST_LEN); + if (h == NULL) { +@@ -1201,7 +1201,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_SHA256: + { +- SHA256CTX ctx; ++ SHA256CTX ctx = NULL; + + h = calloc(1, SHA256_DIGEST_LEN); + if (h == NULL) { +@@ -1233,7 +1233,7 @@ int ssh_get_publickey_hash(const ssh_key key, + break; + case SSH_PUBLICKEY_HASH_MD5: + { +- MD5CTX ctx; ++ MD5CTX ctx = NULL; + + /* In FIPS mode, we cannot use MD5 */ + if (ssh_fips_mode()) { +diff --git a/src/sftpserver.c b/src/sftpserver.c +index b3349e16..528ef6f9 100644 +--- a/src/sftpserver.c ++++ b/src/sftpserver.c +@@ -299,8 +299,8 @@ void sftp_client_message_free(sftp_client_message msg) { + + int sftp_reply_name(sftp_client_message msg, const char *name, + sftp_attributes attr) { +- ssh_buffer out; +- ssh_string file; ++ ssh_buffer out = NULL; ++ ssh_string file = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -369,7 +369,7 @@ int sftp_reply_attr(sftp_client_message msg, sftp_attributes 
attr) { + + int sftp_reply_names_add(sftp_client_message msg, const char *file, + const char *longname, sftp_attributes attr) { +- ssh_string name; ++ ssh_string name = NULL; + + name = ssh_string_from_char(file); + if (name == NULL) { +@@ -435,8 +435,8 @@ int sftp_reply_names(sftp_client_message msg) { + + int sftp_reply_status(sftp_client_message msg, uint32_t status, + const char *message) { +- ssh_buffer out; +- ssh_string s; ++ ssh_buffer out = NULL; ++ ssh_string s = NULL; + + out = ssh_buffer_new(); + if (out == NULL) { +@@ -492,7 +492,7 @@ int sftp_reply_data(sftp_client_message msg, const void *data, int len) { + * valid info (or worse). + */ + ssh_string sftp_handle_alloc(sftp_session sftp, void *info) { +- ssh_string ret; ++ ssh_string ret = NULL; + uint32_t val; + uint32_t i; + +diff --git a/src/string.c b/src/string.c +index 44403487..0ab9310c 100644 +--- a/src/string.c ++++ b/src/string.c +@@ -106,7 +106,7 @@ int ssh_string_fill(struct ssh_string_struct *s, const void *data, size_t len) { + * @note The null byte is not copied nor counted in the output string. + */ + struct ssh_string_struct *ssh_string_from_char(const char *what) { +- struct ssh_string_struct *ptr; ++ struct ssh_string_struct *ptr = NULL; + size_t len; + + if(what == NULL) { +@@ -180,7 +180,7 @@ const char *ssh_string_get_char(struct ssh_string_struct *s) + */ + char *ssh_string_to_char(struct ssh_string_struct *s) { + size_t len; +- char *new; ++ char *new = NULL; + + if (s == NULL) { + return NULL; +@@ -219,7 +219,7 @@ void ssh_string_free_char(char *s) { + * @return Newly allocated copy of the string, NULL on error. 
+ */ + struct ssh_string_struct *ssh_string_copy(struct ssh_string_struct *s) { +- struct ssh_string_struct *new; ++ struct ssh_string_struct *new = NULL; + size_t len; + + if (s == NULL) { +diff --git a/src/threads/winlocks.c b/src/threads/winlocks.c +index da600418..e63635e7 100644 +--- a/src/threads/winlocks.c ++++ b/src/threads/winlocks.c +@@ -82,7 +82,7 @@ static struct ssh_threads_callbacks_struct ssh_threads_winlock = + + void ssh_mutex_lock(SSH_MUTEX *mutex) + { +- void *rc; ++ void *rc = NULL; + + CRITICAL_SECTION *mutex_tmp = NULL; + +diff --git a/src/wrapper.c b/src/wrapper.c +index d317dc4c..43bf2137 100644 +--- a/src/wrapper.c ++++ b/src/wrapper.c +@@ -152,7 +152,7 @@ static void cipher_free(struct ssh_cipher_struct *cipher) { + + struct ssh_crypto_struct *crypto_new(void) + { +- struct ssh_crypto_struct *crypto; ++ struct ssh_crypto_struct *crypto = NULL; + + crypto = malloc(sizeof(struct ssh_crypto_struct)); + if (crypto == NULL) { +-- +2.40.0 + diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch new file mode 100644 index 0000000000..2c280d258d --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-4878-0002.patch 
@@ -0,0 +1,34 @@ +From b35ee876adc92a208d47194772e99f9c71e0bedb Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <jjelen@redhat.com> +Date: Mon, 28 Apr 2025 11:04:55 +0200 +Subject: [PATCH] CVE-2025-4878 legacy: Properly check return value to avoid + NULL pointer dereference + +Signed-off-by: Jakub Jelen <jjelen@redhat.com> +Reviewed-by: Andreas Schneider <asn@cryptomilk.org> + +CVE: CVE-2025-4878 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb] + +Signed-off-by: Divya Chellam <divya.chellam@windriver.com> +--- + src/legacy.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/legacy.c b/src/legacy.c +index 7359040c..f73ef6cc 100644 +--- a/src/legacy.c ++++ b/src/legacy.c +@@ -452,7 +452,7 @@ ssh_private_key privatekey_from_file(ssh_session session, + auth_fn, + auth_data, + &key); +- if (rc == SSH_ERROR) { ++ if (rc != SSH_OK) { + return NULL; + } + +-- +2.40.0 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 48cb47d4c0..6932da5175 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb @@ -14,6 +14,8 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-5351.patch \ file://CVE-2025-5372.patch \ file://CVE-2025-4877.patch \ + file://CVE-2025-4878-0001.patch \ + file://CVE-2025-4878-0002.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" ^ permalink raw reply related [flat|nested] 32+ messages in thread
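Review bot: CVE-2025-4878-0001.patch is a tree-wide `= NULL` sweep mixed with pure style changes (brace placement in src/server.c, `privkey_buffer=NULL` respaced in src/pki_container_openssh.c), and the sweep is not exhaustive: the context lines still show `FILE *fp;` in ssh_pki_export_privkey_file and `ssh_buffer buffer;` in ssh_pki_openssh_privkey_export without an initializer. Keep it byte-identical to upstream rather than fixing that here, but because it touches this many files on top of the CVE-2025-5351, CVE-2025-5372 and CVE-2025-4877 patches already in SRC_URI, confirm it applies without fuzz at the recipe's SRCREV. The return-value handling itself changes only in the one-line `rc != SSH_OK` test in src/legacy.c from 0002, so the two patch files should always be carried or dropped together.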
* [scarthgap][PATCH 02/24] libssh: fix CVE-2025-5987
2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal
2025-09-23 11:57 ` [scarthgap][PATCH 01/24] libssh: fix CVE-2025-4878 Anuj Mittal
@ 2025-09-23 11:57 ` Anuj Mittal
2025-09-23 11:57 ` [scarthgap][PATCH 03/24] nodejs: fix build with gcc-15 on host Anuj Mittal
` (22 subsequent siblings)
24 siblings, 0 replies; 32+ messages in thread
From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw)
To: openembedded-devel
From: Divya Chellam <divya.chellam@windriver.com>
A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes.
Reference:
https://security-tracker.debian.org/tracker/CVE-2025-5987
Upstream-patch:
https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=90b4845e0c98574bbf7bea9e97796695f064bf57
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../libssh/libssh/CVE-2025-5987.patch | 37 +++++++++++++++++++
.../recipes-support/libssh/libssh_0.10.6.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch
diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch new file mode 100644 index 0000000000..08395e0e7d --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-5987.patch
@@ -0,0 +1,37 @@ +From 90b4845e0c98574bbf7bea9e97796695f064bf57 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <jjelen@redhat.com> +Date: Tue, 6 May 2025 22:51:41 +0200 +Subject: [PATCH] CVE-2025-5987 libcrypto: Correctly detect failures of chacha + initialization + +Signed-off-by: Jakub Jelen <jjelen@redhat.com> +Reviewed-by: Andreas Schneider <asn@cryptomilk.org> + +CVE: CVE-2025-5987 + +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=90b4845e0c98574bbf7bea9e97796695f064bf57] + +Signed-off-by: Divya Chellam <divya.chellam@windriver.com> +--- + src/libcrypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libcrypto.c b/src/libcrypto.c +index 76e067d3..69a850de 100644 +--- a/src/libcrypto.c ++++ b/src/libcrypto.c +@@ -771,9 +771,9 @@ chacha20_poly1305_set_key(struct ssh_cipher_struct *cipher, + SSH_LOG(SSH_LOG_WARNING, "EVP_CIPHER_CTX_new failed"); + goto out; + } +- ret = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, ++ rv = EVP_EncryptInit_ex(ctx->header_evp, EVP_chacha20(), NULL, + u8key + CHACHA20_KEYLEN, NULL); +- if (ret != 1) { ++ if (rv != 1) { + SSH_LOG(SSH_LOG_WARNING, "EVP_CipherInit failed"); + goto out; + } +-- +2.40.0 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index 6932da5175..bf91e69bc8 100644 --- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb @@ -16,6 +16,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-4877.patch \ file://CVE-2025-4878-0001.patch \ file://CVE-2025-4878-0002.patch \ + file://CVE-2025-5987.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" ^ permalink raw reply related [flat|nested] 32+ messages in thread
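Review bot: in the src/libcrypto.c hunk the result of EVP_EncryptInit_ex() now goes into `rv`, but neither the declaration of `rv` nor the initial value of `ret` is inside the visible context of chacha20_poly1305_set_key(). The fix only holds if `ret` still carries an error value when control reaches `out`, since an OpenSSL failure return of 0 is numerically equal to SSH_OK. The commit message links the upstream change on stable-0.11 while this recipe builds 0.10.6, so check both points against the source at the recipe's SRCREV, and check that no other OpenSSL call in the same function still stores its result in `ret`.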
* [scarthgap][PATCH 03/24] nodejs: fix build with gcc-15 on host
2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal
2025-09-23 11:57 ` [scarthgap][PATCH 01/24] libssh: fix CVE-2025-4878 Anuj Mittal
2025-09-23 11:57 ` [scarthgap][PATCH 02/24] libssh: fix CVE-2025-5987 Anuj Mittal
@ 2025-09-23 11:57 ` Anuj Mittal
2025-09-23 11:57 ` [scarthgap][PATCH 04/24] iperf3: fix CVE-2025-54350 Anuj Mittal
` (21 subsequent siblings)
24 siblings, 0 replies; 32+ messages in thread
From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw)
To: openembedded-devel
From: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../0001-src-fix-build-with-GCC-15.patch | 33 +++++++++++++++++++
.../recipes-devtools/nodejs/nodejs_20.18.2.bb | 1 +
2 files changed, 34 insertions(+)
create mode 100644 meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch
diff --git a/meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch b/meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch new file mode 100644 index 0000000000..9d09f4f482 --- /dev/null +++ b/meta-oe/recipes-devtools/nodejs/nodejs/0001-src-fix-build-with-GCC-15.patch
@@ -0,0 +1,33 @@ +From bade7a1866618b9e46358b839fe5fdf16b1db2be Mon Sep 17 00:00:00 2001 +From: tjuhaszrh <tjuhasz@redhat.com> +Date: Sat, 25 Jan 2025 10:34:54 +0100 +Subject: [PATCH] src: fix build with GCC 15 + +Added cstdint to worker_inspector as on more recent version of gcc +the build was failing due to changes to libstdc++ and the removal +of transitive includes. + +PR-URL: https://github.com/nodejs/node/pull/56740 +Fixes: https://github.com/nodejs/node/issues/56731 +Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> +Reviewed-By: Chengzhong Wu <legendecas@gmail.com> +Reviewed-By: Richard Lau <rlau@redhat.com> +Reviewed-By: James M Snell <jasnell@gmail.com> + +Upstream-Status: Backport [https://github.com/nodejs/node/commit/bade7a1866618b9e46358b839fe5fdf16b1db2be] +--- + src/inspector/worker_inspector.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/inspector/worker_inspector.h b/src/inspector/worker_inspector.h +index d3254d5aa0ebe4..24403bb1704c40 100644 +--- a/src/inspector/worker_inspector.h ++++ b/src/inspector/worker_inspector.h +@@ -5,6 +5,7 @@ + #error("This header can only be used when inspector is enabled") + #endif + ++#include <cstdint> + #include <memory> + #include <string> + #include <unordered_map> diff --git a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb b/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb index bef62f88eb..8af90e782a 100644 --- a/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb +++ b/meta-oe/recipes-devtools/nodejs/nodejs_20.18.2.bb @@ -27,6 +27,7 @@ SRC_URI = "http://nodejs.org/dist/v${PV}/node-v${PV}.tar.xz \ file://libatomic.patch \ file://182d9c05e78.patch \ file://zlib-fix-pointer-alignment.patch \ + file://0001-src-fix-build-with-GCC-15.patch \ file://run-ptest \ " SRC_URI:append:class-target = " \ ^ permalink raw reply related [flat|nested] 32+ messages in thread
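Review bot: the header of 0001-src-fix-build-with-GCC-15.patch has `Upstream-Status: Backport [...]` but no `Signed-off-by:` from whoever backported it, where the other patch files in this series add one next to the Upstream-Status line; add it. The commit message body is also empty apart from the sign-offs; one sentence saying that the build with a GCC 15 host compiler fails in src/inspector/worker_inspector.h because `<cstdint>` is no longer pulled in transitively would save the reader opening the patch file.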
* [scarthgap][PATCH 04/24] iperf3: fix CVE-2025-54350
2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal
` (2 preceding siblings ...)
2025-09-23 11:57 ` [scarthgap][PATCH 03/24] nodejs: fix build with gcc-15 on host Anuj Mittal
@ 2025-09-23 11:57 ` Anuj Mittal
2025-09-23 11:57 ` [scarthgap][PATCH 05/24] python3-posix-ipc: fix runtime error Anuj Mittal
` (20 subsequent siblings)
24 siblings, 0 replies; 32+ messages in thread
From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw)
To: openembedded-devel
From: Zhang Peng <peng.zhang1.cn@windriver.com>
CVE-2025-54350: In iperf before 3.19.1, iperf_auth.c has a Base64Decode assertion failure and application exit upon a malformed authentication attempt.
Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-54350]
Upstream patches:
[https://github.com/esnet/iperf/commit/4eab661da0bbaac04493fa40164e928c6df7934a]
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
.../iperf3/iperf3/CVE-2025-54350.patch | 39 +++++++++++++++++++
.../recipes-benchmark/iperf3/iperf3_3.18.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54350.patch
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54350.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54350.patch new file mode 100644 index 0000000000..e6de0e810c --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54350.patch
@@ -0,0 +1,39 @@ +From 4cd6c8e85376a33bddd01fac143e27436d41f2b9 Mon Sep 17 00:00:00 2001 +From: "Bruce A. Mah" <bmah@es.net> +Date: Tue, 24 Jun 2025 15:58:21 -0700 +Subject: [PATCH] Prevent crash due to assertion failures on malformed + authentication attempt. + +Reported by Han Lee (Apple Information Security) +CVE-2025-54350 + +CVE: CVE-2025-54350 +Upstream-Status: Backport [https://github.com/esnet/iperf/commit/4eab661da0bbaac04493fa40164e928c6df7934a] +Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> +--- + src/iperf_auth.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/iperf_auth.c b/src/iperf_auth.c +index 86b4eba..632f03d 100644 +--- a/src/iperf_auth.c ++++ b/src/iperf_auth.c +@@ -28,7 +28,6 @@ + #include "iperf_config.h" + + #include <string.h> +-#include <assert.h> + #include <time.h> + #include <sys/types.h> + /* FreeBSD needs _WITH_GETLINE to enable the getline() declaration */ +@@ -152,7 +151,6 @@ int Base64Decode(const char* b64message, unsigned char** buffer, size_t* length) + + BIO_set_flags(bio, BIO_FLAGS_BASE64_NO_NL); //Do not use newlines to flush buffer + *length = BIO_read(bio, *buffer, strlen(b64message)); +- assert(*length == decodeLen); //length should equal decodeLen, else something went horribly wrong + BIO_free_all(bio); + + return (0); //success +-- +2.50.0 + diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb index e96d5f084b..7fb2c52d08 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.18.bb @@ -16,6 +16,7 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ file://0002-Remove-pg-from-profile_CFLAGS.patch \ file://0001-configure.ac-check-for-CPP-prog.patch \ file://CVE-2025-54349.patch \ + file://CVE-2025-54350.patch \ " SRCREV = "2a2984488d6de8f7a2d1f5938e03ca7be57e227c" ^ permalink raw reply related [flat|nested] 32+ messages in thread
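Review bot: with the `assert(*length == decodeLen)` line removed, Base64Decode() still ends in `return (0); //success` whatever BIO_read() produced, and BIO_read() returns an int that is stored straight into the `size_t *length`, so a failed read (zero or negative) reaches the caller as success with a zero or very large length. Confirm that the callers in src/iperf_auth.c validate the decoded length before using the buffer. Separately, the `From 4cd6c8e85376a33bddd01fac143e27436d41f2b9` hash in the patch header differs from the 4eab661da0bbaac04493fa40164e928c6df7934a commit named in Upstream-Status, where the other backports in this series match; say in the header if the patch was regenerated locally.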
* [scarthgap][PATCH 05/24] python3-posix-ipc: fix runtime error
2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal
` (3 preceding siblings ...)
2025-09-23 11:57 ` [scarthgap][PATCH 04/24] iperf3: fix CVE-2025-54350 Anuj Mittal
@ 2025-09-23 11:57 ` Anuj Mittal
2025-09-23 11:57 ` [scarthgap][PATCH 06/24] wxwidgets: upgrade 3.2.1 -> 3.2.6 Anuj Mittal
` (19 subsequent siblings)
24 siblings, 0 replies; 32+ messages in thread
From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw)
To: openembedded-devel
From: Haixiao Yan <haixiao.yan.cn@windriver.com>
Fix the following runtime error:
./build_support/src/sniff_mq_prio_max: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./build_support/src/sniff_mq_prio_max)
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
---
...ndle-runtime-errors-and-return-None-.patch | 47 +++++++++++++++++++
.../python/python3-posix-ipc_1.2.0.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta-python/recipes-devtools/python/python3-posix-ipc/0004-build_support-handle-runtime-errors-and-return-None-.patch
diff --git a/meta-python/recipes-devtools/python/python3-posix-ipc/0004-build_support-handle-runtime-errors-and-return-None-.patch b/meta-python/recipes-devtools/python/python3-posix-ipc/0004-build_support-handle-runtime-errors-and-return-None-.patch new file mode 100644 index 0000000000..e84345a397 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-posix-ipc/0004-build_support-handle-runtime-errors-and-return-None-.patch
@@ -0,0 +1,47 @@ +From b079074048bc33b206b21f73fecb8173cf8adaf0 Mon Sep 17 00:00:00 2001 +From: Haixiao Yan <haixiao.yan.cn@windriver.com> +Date: Mon, 15 Sep 2025 21:15:45 +0800 +Subject: [PATCH] build_support: handle runtime errors and return None for + invalid max_priority + +When cross-compiling, test binaries may fail to execute on the host system if +the target toolchain was built against a newer glibc version than what is +available on the host. + +For example, on Ubuntu 20.04 the following error occurs: + +./build_support/src/sniff_mq_prio_max: /lib/x86_64-linux-gnu/libc.so.6: version +`GLIBC_2.34' not found (required by ./build_support/src/sniff_mq_prio_max) + +This change ensures that such runtime errors are gracefully handled, and +max_priority is set to None when the test binary cannot be executed. + +Upstream-Status: Pending + +Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com> +--- + build_support/discover_system_info.py | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/build_support/discover_system_info.py b/build_support/discover_system_info.py +index f6e6c8cbe6ba..4fec48b5529d 100644 +--- a/build_support/discover_system_info.py ++++ b/build_support/discover_system_info.py +@@ -75,8 +75,12 @@ def compile_and_run(filename, linker_options=""): + if does_build_succeed(filename, linker_options=""): + try: + s = subprocess.Popen(["./build_support/src/%s" % filename[:-2]], +- stdout=subprocess.PIPE).communicate()[0] +- return s.strip().decode() ++ stdout=subprocess.PIPE, stderr=subprocess.PIPE) ++ stdout, stderr = s.communicate() ++ if s.returncode != 0: ++ # runtime error ++ return None ++ return stdout.strip().decode() + except Exception: + # execution resulted in an error + return None +-- +2.25.1 + diff --git a/meta-python/recipes-devtools/python/python3-posix-ipc_1.2.0.bb b/meta-python/recipes-devtools/python/python3-posix-ipc_1.2.0.bb index 8147e4108b..cad1403813 100644 
--- a/meta-python/recipes-devtools/python/python3-posix-ipc_1.2.0.bb +++ b/meta-python/recipes-devtools/python/python3-posix-ipc_1.2.0.bb @@ -12,5 +12,6 @@ SRC_URI += " \ file://0001-build_support-use-source-filename-instead-of-foo-for.patch \ file://0002-build_support-handle-empty-max_priority-value-as-Non.patch \ file://0003-build_support-use-does_build_succeed-in-compile_and_.patch \ + file://0004-build_support-handle-runtime-errors-and-return-None-.patch \ " inherit pypi python_setuptools_build_meta ^ permalink raw reply related [flat|nested] 32+ messages in thread
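Review bot: in the compile_and_run() hunk of 0004-build_support-handle-runtime-errors-and-return-None-.patch, the new stderr=subprocess.PIPE captures the probe's error output and the "if s.returncode != 0:" branch then returns None without using it. The loader message quoted in the commit message (version `GLIBC_2.34' not found) therefore no longer reaches the build log, and max_priority silently becomes None. Suggest writing the captured stderr to the build output before returning None, so that a fallback caused by a host/toolchain glibc mismatch is still visible in do_compile logs. Separately, the unchanged context line "if does_build_succeed(filename, linker_options=""):" passes an empty string rather than the caller's linker_options; if that is intentional it deserves a comment, since this patch touches the same block.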
* [scarthgap][PATCH 06/24] wxwidgets: upgrade 3.2.1 -> 3.2.6 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (4 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 05/24] python3-posix-ipc: fix runtime error Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 07/24] wxwidgets: fix CVE-2024-58249 Anuj Mittal ` (18 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Yi Zhao <yi.zhao@windriver.com> ChangeLog: https://raw.githubusercontent.com/wxWidgets/wxWidgets/v3.2.6/docs/changes.txt * Drop 0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch as it has been merged upstream * Refresh patches * Add UPSTREAM_CHECK_GITTAGREGEX Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (master rev: 903ed68669550ccae20bcd0c18c26d0c336da810) Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> 
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- ...using-glibc-specific-defines-on-musl.patch | 26 -------------- ...able-cross-magic-it-does-not-work-fo.patch | 8 ++--- ...tch => 0002-fix-libdir-for-multilib.patch} | 35 ++++++++++++------- ...003-create-links-with-relative-path.patch} | 22 ++++++++---- ...-not-append-system-name-to-lib-name.patch} | 12 +++++-- ...5-wx-config-fix-libdir-for-multilib.patch} | 29 +++++++++------ ...-l.patch => 0006-Fix-locale-on-musl.patch} | 18 ++++++++-- ...E_LARGEFILE_SUPPORT-to-1-explicitly.patch} | 9 ++--- ...{wxwidgets_3.2.1.bb => wxwidgets_3.2.6.bb} | 17 ++++----- 9 files changed, 100 insertions(+), 76 deletions(-) delete mode 100644 meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{fix-libdir-for-multilib.patch => 0002-fix-libdir-for-multilib.patch} (82%) rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{create-links-with-relative-path.patch => 0003-create-links-with-relative-path.patch} (72%) rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{not-append-system-name-to-lib-name.patch => 0004-don-not-append-system-name-to-lib-name.patch} (73%) rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{wx-config-fix-libdir-for-multilib.patch => 0005-wx-config-fix-libdir-for-multilib.patch} (74%) rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{musl-locale-l.patch => 0006-Fix-locale-on-musl.patch} (70%) rename meta-oe/recipes-extended/wxwidgets/wxwidgets/{0001-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch => 0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch} (83%) rename meta-oe/recipes-extended/wxwidgets/{wxwidgets_3.2.1.bb => wxwidgets_3.2.6.bb} (90%) 
diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch deleted file mode 100644 index 52f4449339..0000000000 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 72c3b7324f00047e6dc5d8380ed2f6ff2494a6f9 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Sun, 18 Dec 2022 14:51:34 -0800 -Subject: [PATCH] locale: Avoid using glibc specific defines on musl - -musl does not provide some glibc-only enum members e.g. _NL_ADDRESS_LANG_NAME - -Upstream-Status: Submitted [https://github.com/wxWidgets/wxWidgets/pull/23050] -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- - src/unix/uilocale.cpp | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/unix/uilocale.cpp b/src/unix/uilocale.cpp -index 57773e17f5..86816ba896 100644 ---- a/src/unix/uilocale.cpp -+++ b/src/unix/uilocale.cpp -@@ -619,7 +619,7 @@ wxString - wxUILocaleImplUnix::GetLocalizedName(wxLocaleName name, wxLocaleForm form) const - { - wxString str; --#if defined(HAVE_LANGINFO_H) && defined(__LINUX__) -+#if defined(HAVE_LANGINFO_H) && defined(__LINUX__) && defined(__GLIBC__) - switch (name) - { - case wxLOCALE_NAME_LOCALE: diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-wx-config.in-Disable-cross-magic-it-does-not-work-fo.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-wx-config.in-Disable-cross-magic-it-does-not-work-fo.patch index b3b9e79c53..a3b8d0c0ee 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-wx-config.in-Disable-cross-magic-it-does-not-work-fo.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-wx-config.in-Disable-cross-magic-it-does-not-work-fo.patch 
@@ -1,4 +1,4 @@ -From a071243763f4b06fc7e71f541c49cecf380b6f27 Mon Sep 17 00:00:00 2001 +From 8f582c0ea40ccdb2d439b7614459d752f3606e15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20M=C3=BCller?= <schnitzeltony@gmail.com> Date: Sun, 11 Oct 2020 22:16:55 +0200 Subject: [PATCH] wx-config.in: Disable cross magic - it does not work for us @@ -18,10 +18,10 @@ Signed-off-by: Andreas Müller <schnitzeltony@gmail.com> 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wx-config.in b/wx-config.in -index d132e3182f..d0d162e8a3 100755 +index 4df8571d28..1173d89685 100755 --- a/wx-config.in +++ b/wx-config.in -@@ -396,7 +396,7 @@ get_mask() +@@ -394,7 +394,7 @@ get_mask() } # Returns true if this script is for a cross compiled config. @@ -31,5 +31,5 @@ index d132e3182f..d0d162e8a3 100755 # Determine the base directories we require. -- -2.26.2 +2.25.1 diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/fix-libdir-for-multilib.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0002-fix-libdir-for-multilib.patch similarity index 82% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/fix-libdir-for-multilib.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0002-fix-libdir-for-multilib.patch index ea204ed3b1..b599f38871 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/fix-libdir-for-multilib.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0002-fix-libdir-for-multilib.patch @@ -1,12 +1,18 @@ -wxWidgets hardcodes libdir with 'lib' and does not support multilib which will -change it. Respect variable wxPLATFORM_LIB_DIR to support libdir be configurable. +From 9487fe5cd271a4bee96ab590509ef38f6972887a Mon Sep 17 00:00:00 2001 +From: Kai Kang <kai.kang@windriver.com> +Date: Sat, 12 Oct 2024 18:43:25 +0800 +Subject: [PATCH] fix libdir for multilib + +wxWidgets hardcodes libdir with 'lib' and does not support multilib +which will change it. Respect variable wxPLATFORM_LIB_DIR to support +libdir be configurable. Upstream-Status: Pending 
Signed-off-by: Kai Kang <kai.kang@windriver.com> -Rebase for wxWidgets 3.2.1. Replace wxPLATFORM_LIB_DIR with LIB_SUFFIX in this -patch that LIB_SUFFIX has been passed to cmake in cmake.bbclass. +Rebase for wxWidgets 3.2.1. Replace wxPLATFORM_LIB_DIR with LIB_SUFFIX +in this patch that LIB_SUFFIX has been passed to cmake in cmake.bbclass. Signed-off-by: Kai Kang <kai.kang@windriver.com> --- @@ -17,36 +23,36 @@ Signed-off-by: Kai Kang <kai.kang@windriver.com> 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt -index a49ecd3883..d469471f38 100644 +index f6ae7f6210..2a13e448db 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -45,7 +45,7 @@ include(build/cmake/policies.cmake NO_POLICY_SCOPE) # Initialize variables for quick access to wx root dir in sub dirs set(wxSOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}) - set(wxBINARY_DIR ${CMAKE_BINARY_DIR}) + set(wxBINARY_DIR ${CMAKE_CURRENT_BINARY_DIR}) -set(wxOUTPUT_DIR ${wxBINARY_DIR}/lib) +set(wxOUTPUT_DIR ${wxBINARY_DIR}/lib${LIB_SUFFIX}) # parse the version number from wx/version.h and include in wxMAJOR_VERSION and wxMINOR_VERSION file(READ "${wxSOURCE_DIR}/include/wx/version.h" WX_VERSION_H_CONTENTS) diff --git a/build/cmake/config.cmake b/build/cmake/config.cmake -index b359560bc0..c59ea60923 100644 +index addd8d6b81..9ec677534b 100644 --- a/build/cmake/config.cmake +++ b/build/cmake/config.cmake -@@ -76,7 +76,7 @@ function(wx_write_config_inplace) +@@ -100,7 +100,7 @@ function(wx_write_config_inplace) execute_process( COMMAND "${CMAKE_COMMAND}" -E ${COPY_CMD} -- "${CMAKE_CURRENT_BINARY_DIR}/lib/wx/config/inplace-${TOOLCHAIN_FULLNAME}" -+ "${CMAKE_CURRENT_BINARY_DIR}/lib${LIB_SUFFIX}/wx/config/inplace-${TOOLCHAIN_FULLNAME}" - "${CMAKE_CURRENT_BINARY_DIR}/wx-config" +- "${wxBINARY_DIR}/lib/wx/config/inplace-${TOOLCHAIN_FULLNAME}" ++ "${wxBINARY_DIR}/lib${LIB_SUFFIX}/wx/config/inplace-${TOOLCHAIN_FULLNAME}" + "${wxBINARY_DIR}/wx-config" ) endfunction() 
diff --git a/build/cmake/functions.cmake b/build/cmake/functions.cmake -index 7182364e5e..55fbebc7ee 100644 +index 72a34f0b4f..81ede7d8ae 100644 --- a/build/cmake/functions.cmake +++ b/build/cmake/functions.cmake -@@ -435,8 +435,8 @@ macro(wx_add_library name) +@@ -462,8 +462,8 @@ macro(wx_add_library name) endif() wx_install(TARGETS ${name} EXPORT wxWidgetsTargets @@ -105,3 +111,6 @@ index 384c6837b8..d3303faabb 100644 ) # uninstall target +-- +2.25.1 + diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/create-links-with-relative-path.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0003-create-links-with-relative-path.patch similarity index 72% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/create-links-with-relative-path.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0003-create-links-with-relative-path.patch index 6eef0b6790..dbede0304f 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/create-links-with-relative-path.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0003-create-links-with-relative-path.patch 
@@ -1,18 +1,23 @@ +From b86806ef34d4c9171165c1533064bf34ad822e20 Mon Sep 17 00:00:00 2001 +From: Kai Kang <kai.kang@windriver.com> +Date: Sat, 12 Oct 2024 18:43:25 +0800 +Subject: [PATCH] create links with relative path + It fails to build python3-wxgtk4 which depends on wxwidgets: | ERROR: wxwidgets-native-3.2.1-r0 do_populate_sysroot: sstate found an absolute path symlink /path/to/build/tmp-glibc/work/x86_64-linux - /wxwidgets-native/3.2.1-r0/sysroot-destdir/path/to/build/tmp-glibc/work - /x86_64-linux/wxwidgets-native/3.2.1-r0/recipe-sysroot-native/usr/bin/wx-config + /wxwidgets-native/3.2.1-r0/sysroot-destdir/path/to/build/tmp-glibc/work + /x86_64-linux/wxwidgets-native/3.2.1-r0/recipe-sysroot-native/usr/bin/wx-config pointing at /path/to/build/tmp-glibc/work/x86_64-linux/wxwidgets-native/3.2.1-r0 - /recipe-sysroot-native/usr/lib/wx/config/gtk3-unicode-3.2. + /recipe-sysroot-native/usr/lib/wx/config/gtk3-unicode-3.2. Please replace this with a relative link. | ERROR: wxwidgets-native-3.2.1-r0 do_populate_sysroot: sstate found an absolute path symlink /path/to/build/tmp-glibc/work/x86_64-linux/wxwidgets-native - /3.2.1-r0/sysroot-destdir/path/to/build/tmp-glibc/work/x86_64-linux/wxwidgets-native - /3.2.1-r0/recipe-sysroot-native/usr/bin/wxrc pointing at /path/to/build/tmp-glibc - /work/x86_64-linux/wxwidgets-native/3.2.1-r0/recipe-sysroot-native/usr/bin/wxrc-3.2. - Please replace this with a relative link. + /3.2.1-r0/sysroot-destdir/path/to/build/tmp-glibc/work/x86_64-linux/wxwidgets-native + /3.2.1-r0/recipe-sysroot-native/usr/bin/wxrc pointing at /path/to/build/tmp-glibc + /work/x86_64-linux/wxwidgets-native/3.2.1-r0/recipe-sysroot-native/usr/bin/wxrc-3.2. + Please replace this with a relative link. Create symlink with relative path to fix the issues. @@ -50,3 +55,6 @@ index dbed8cc9b3..1dbc3261d3 100644 \"\$ENV{DESTDIR}${CMAKE_INSTALL_PREFIX}/bin/wxrc${EXE_SUFFIX}\" \ )" ) +-- +2.25.1 + 
diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/not-append-system-name-to-lib-name.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0004-don-not-append-system-name-to-lib-name.patch similarity index 73% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/not-append-system-name-to-lib-name.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0004-don-not-append-system-name-to-lib-name.patch index 6329256b0c..e3463ba170 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/not-append-system-name-to-lib-name.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0004-don-not-append-system-name-to-lib-name.patch @@ -1,3 +1,8 @@ +From 5e9725c1151e2b029066d61ef5dccf1f3e6cb323 Mon Sep 17 00:00:00 2001 +From: Kai Kang <kai.kang@windriver.com> +Date: Sat, 12 Oct 2024 18:43:25 +0800 +Subject: [PATCH] don not append system name to lib name + It appends system name to library names for cross compile. For example, the library name is libwx_baseu-3.1-Linux.so rather than libwx_baseu-3.1.so. It is not appropriate for oe. @@ -14,10 +19,10 @@ Signed-off-by: Kai Kang <kai.kang@windriver.com> 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build/cmake/functions.cmake b/build/cmake/functions.cmake -index e374d9a273..c6b1908bd6 100644 +index 81ede7d8ae..23eebeb914 100644 --- a/build/cmake/functions.cmake +++ b/build/cmake/functions.cmake -@@ -219,9 +219,9 @@ function(wx_set_target_properties target_name) +@@ -243,9 +243,9 @@ function(wx_set_target_properties target_name) endif() set(cross_target) @@ -30,3 +35,6 @@ index e374d9a273..c6b1908bd6 100644 set(lib_prefix "lib") if(MSVC OR (WIN32 AND wxBUILD_SHARED)) +-- +2.25.1 + 
diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/wx-config-fix-libdir-for-multilib.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0005-wx-config-fix-libdir-for-multilib.patch similarity index 74% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/wx-config-fix-libdir-for-multilib.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0005-wx-config-fix-libdir-for-multilib.patch index 628f8dee56..b650c50386 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/wx-config-fix-libdir-for-multilib.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0005-wx-config-fix-libdir-for-multilib.patch @@ -1,8 +1,14 @@ -It sets 'libdir' with path element 'lib' directly which is not suitable for -multilib. Add an option '--baselib' for wx-config to support multilib when -cross compile. And set default value of baselib with "lib${wxPLATFORM_LIB_DIR}". +From 4230cd84f156f9eb5c9b80ffbc69dd55fa7c7ca7 Mon Sep 17 00:00:00 2001 +From: Kai Kang <kai.kang@windriver.com> +Date: Sat, 12 Oct 2024 18:43:25 +0800 +Subject: [PATCH] wx-config: fix libdir for multilib -Upstream-Status: Pending [oe specific] +It sets 'libdir' with path element 'lib' directly which is not suitable +for multilib. Add an option '--baselib' for wx-config to support +multilib when cross compile. And set default value of baselib with +"lib${wxPLATFORM_LIB_DIR}". + +Upstream-Status: Inappropriate [oe specific] Signed-off-by: Kai Kang <kai.kang@windriver.com> @@ -15,10 +21,10 @@ Signed-off-by: Kai Kang <kai.kang@windriver.com> 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/build/cmake/config.cmake b/build/cmake/config.cmake -index 52ae69d3f6..28aa733eb0 100644 +index 9ec677534b..ee61cf7572 100644 --- a/build/cmake/config.cmake +++ b/build/cmake/config.cmake -@@ -86,7 +86,7 @@ function(wx_write_config) +@@ -110,7 +110,7 @@ function(wx_write_config) set(prefix ${CMAKE_INSTALL_PREFIX}) set(exec_prefix "\${prefix}") set(includedir "\${prefix}/include") 
@@ -26,9 +32,9 @@ index 52ae69d3f6..28aa733eb0 100644 + set(libdir "\${exec_prefix}/\${baselib}") set(bindir "\${exec_prefix}/bin") - find_program(EGREP egrep) + if(wxBUILD_MONOLITHIC) diff --git a/wx-config.in b/wx-config.in -index e3f7d115bb..0e78af03c7 100755 +index 1173d89685..8364a33e9d 100755 --- a/wx-config.in +++ b/wx-config.in @@ -42,7 +42,8 @@ usage() @@ -41,7 +47,7 @@ index e3f7d115bb..0e78af03c7 100755 [--list] [--selected-config] [--host=HOST] [--toolkit=TOOLKIT] [--universal[=yes|no]] [--unicode[=yes|no]] [--static[=yes|no]] [--debug[=yes|no]] [--version[=VERSION]] [--flavour=FLAVOUR] -@@ -137,7 +138,7 @@ wxconfig_output_options="prefix exec_prefix +@@ -133,7 +134,7 @@ wxconfig_output_options="prefix exec_prefix # Options that permit the user to supply hints that may affect the output. # These options all accept arbitrary values, to interpret as they please. @@ -50,7 +56,7 @@ index e3f7d115bb..0e78af03c7 100755 # Input options that accept only a yes or no argument. # -@@ -404,6 +405,7 @@ is_cross() { [ "x@cross_compiling@" = "xyes" ]; } +@@ -400,6 +401,7 @@ is_cross() { [ "xno" = "xyes" ]; } # Determine the base directories we require. prefix=${input_option_prefix-${this_prefix:-@prefix@}} exec_prefix=${input_option_exec_prefix-${input_option_prefix-${this_exec_prefix:-@exec_prefix@}}} @@ -58,3 +64,6 @@ index e3f7d115bb..0e78af03c7 100755 wxconfdir="@libdir@/wx/config" installed_configs=`cd "$wxconfdir" 2> /dev/null && ls | grep -v "^inplace-"` +-- +2.25.1 + diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/musl-locale-l.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0006-Fix-locale-on-musl.patch similarity index 70% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/musl-locale-l.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0006-Fix-locale-on-musl.patch index e4ca6579f8..37d61dcb3f 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/musl-locale-l.patch 
+++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0006-Fix-locale-on-musl.patch @@ -1,8 +1,19 @@ -Upstream-Status: Pending +From 64d5d7f68cde208c6f8a5e0b71da93f98e4720f7 Mon Sep 17 00:00:00 2001 +From: Khem Raj <raj.khem@gmail.com> +Date: Sat, 12 Oct 2024 20:30:16 +0800 +Subject: [PATCH] Fix locale on musl these macro'd away functions don't exist in musl (yet) + +Upstream-Status: Pending + +Signed-off-by: Khem Raj <raj.khem@gmail.com> +--- + include/wx/xlocale.h | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + diff --git a/include/wx/xlocale.h b/include/wx/xlocale.h -index c433d25..3ab9d84 100644 +index c433d25d05..794cf0b66b 100644 --- a/include/wx/xlocale.h +++ b/include/wx/xlocale.h @@ -33,6 +33,26 @@ @@ -32,3 +43,6 @@ index c433d25..3ab9d84 100644 // The platform-specific locale type // If wxXLocale_t is not defined, then only "C" locale support is provided #ifdef wxHAS_XLOCALE_SUPPORT +-- +2.25.1 + diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch similarity index 83% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch rename to meta-oe/recipes-extended/wxwidgets/wxwidgets/0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch index 5160f2e1fe..ef94e3551b 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets/0001-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch @@ -1,4 +1,4 @@ -From e108aff9d6dae613f486c1b1681f4a3cdf17b845 Mon Sep 17 00:00:00 2001 +From 22f70d5bd039b20bfdad522341412ca001c639db Mon Sep 17 00:00:00 2001 From: Khem Raj <raj.khem@gmail.com> Date: Mon, 19 Dec 2022 15:07:55 -0800 Subject: [PATCH] Set HAVE_LARGEFILE_SUPPORT to 1 explicitly 
@@ -6,16 +6,17 @@ Subject: [PATCH] Set HAVE_LARGEFILE_SUPPORT to 1 explicitly nothing sets this to 0, but for some reason it gets undef'd Upstream-Status: Pending + Signed-off-by: Khem Raj <raj.khem@gmail.com> --- build/cmake/setup.h.in | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/build/cmake/setup.h.in b/build/cmake/setup.h.in -index bce33a73f3..22afb4cfa0 100644 +index fcc282980d..767adbf658 100644 --- a/build/cmake/setup.h.in +++ b/build/cmake/setup.h.in -@@ -869,8 +869,7 @@ +@@ -867,8 +867,7 @@ /* * Define if large (64 bit file offsets) files are supported. */ @@ -26,5 +27,5 @@ index bce33a73f3..22afb4cfa0 100644 * Use OpenGL */ -- -2.39.0 +2.25.1 diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.1.bb b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb similarity index 90% rename from meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.1.bb rename to meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb index 91653e2852..71e2a60e0c 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.1.bb +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb 
@@ -20,17 +20,18 @@ DEPENDS += " \ SRC_URI = "gitsm://github.com/wxWidgets/wxWidgets.git;branch=3.2;protocol=https \ file://0001-wx-config.in-Disable-cross-magic-it-does-not-work-fo.patch \ - file://fix-libdir-for-multilib.patch \ - file://create-links-with-relative-path.patch \ - file://not-append-system-name-to-lib-name.patch \ - file://wx-config-fix-libdir-for-multilib.patch \ - file://0001-locale-Avoid-using-glibc-specific-defines-on-musl.patch \ - file://musl-locale-l.patch \ - file://0001-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch \ + file://0002-fix-libdir-for-multilib.patch \ + file://0003-create-links-with-relative-path.patch \ + file://0004-don-not-append-system-name-to-lib-name.patch \ + file://0005-wx-config-fix-libdir-for-multilib.patch \ + file://0006-Fix-locale-on-musl.patch \ + file://0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch \ " -SRCREV= "97e99707c5d2271a70cb686720b48dbf34ced496" +SRCREV = "5ff25322553c1870cf20a2e1ba6f20ed50d9fe9a" S = "${WORKDIR}/git" +UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)" + # These can be either 'builtin' or 'sys' and builtin means cloned soures are # build. So these cannot be PACKAGECONFIGs and let's use libs where we can (see # DEPENDS) ^ permalink raw reply related [flat|nested] 32+ messages in thread
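Review bot: the rename to 0004-don-not-append-system-name-to-lib-name.patch, together with the added "Subject: [PATCH] don not append system name to lib name", introduces a "don not" typo that is then fixed into SRC_URI in the recipe hunk. Since every patch is being renamed in this change anyway, 0004-do-not-append-system-name-to-lib-name.patch would be the place to get it right (on master first, as this is a backport). Two smaller points on the refreshed patches: the 0002 message still reads "Rebase for wxWidgets 3.2.1" and the 0003 message quotes wxwidgets-native-3.2.1-r0 logs although both are now carried against 3.2.6, and the commit message lists "Refresh patches" without mentioning that 0005 changes its status from "Upstream-Status: Pending [oe specific]" to "Upstream-Status: Inappropriate [oe specific]". In the recipe hunk, SRCREV = "5ff25322553c1870cf20a2e1ba6f20ed50d9fe9a" is the only thing pinning the fetched source on branch=3.2, and nothing in the diff ties it to the v3.2.6 tag, so that correspondence has to be checked against upstream by hand before merging.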
* [scarthgap][PATCH 07/24] wxwidgets: fix CVE-2024-58249 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (5 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 06/24] wxwidgets: upgrade 3.2.1 -> 3.2.6 Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 08/24] gutenprint: fix a build race-condition Anuj Mittal ` (17 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Zhang Peng <peng.zhang1.cn@windriver.com> CVE-2024-58249: In wxWidgets before 3.2.7, a crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-58249] Upstream patches: [https://github.com/wxWidgets/wxWidgets/commit/f2918a9ac823074901ce27de939baa57788beb3d] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (walnascar rev: d3d3df49d5f6e8747c0b04100c4f708b4cafbbd4) Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- .../wxwidgets/wxwidgets/CVE-2024-58249.patch | 178 ++++++++++++++++++ .../wxwidgets/wxwidgets_3.2.6.bb | 1 + 2 files changed, 179 insertions(+) create mode 100644 meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch b/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch new file mode 100644 index 0000000000..8ba9cc1b04 --- /dev/null +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets/CVE-2024-58249.patch 
@@ -0,0 +1,178 @@ +From e440b3a6097546a8aca66bd4c7a21be25e89d340 Mon Sep 17 00:00:00 2001 +From: Vadim Zeitlin <vadim@wxwidgets.org> +Date: Sun, 27 Oct 2024 00:56:21 +0200 +Subject: [PATCH] Fix crash when connection is refused in wxWebRequestCURL + +Avoid deleting wxEventLoopSourceHandler which may be still in use, as is +the case when we get write IO notification just before an error one: if +we delete the handler while handling the former, we crash when getting +the latter one. + +Use a hack to avoid deleting the handlers for which write notification +is being processed and delete them later, when we get the error one. + +See #24885. + +(cherry picked from commit 4e0fca8ab9756989598d07b41e672af86eac7092) + +CVE: CVE-2024-58249 +Upstream-Status: Backport [https://github.com/wxWidgets/wxWidgets/commit/f2918a9ac823074901ce27de939baa57788beb3d] + +Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> +--- + src/common/webrequest_curl.cpp | 80 +++++++++++++++++++++++++--------- + 1 file changed, 60 insertions(+), 20 deletions(-) + +diff --git a/src/common/webrequest_curl.cpp b/src/common/webrequest_curl.cpp +index f50acf4f8d..64650ab6b4 100644 +--- a/src/common/webrequest_curl.cpp ++++ b/src/common/webrequest_curl.cpp +@@ -704,10 +704,13 @@ SocketPollerImpl* SocketPollerImpl::Create(wxEvtHandler* hndlr) + + // SocketPollerSourceHandler - a source handler used by the SocketPoller class. 
+ ++class SourceSocketPoller; ++ + class SocketPollerSourceHandler: public wxEventLoopSourceHandler + { + public: +- SocketPollerSourceHandler(curl_socket_t, wxEvtHandler*); ++ SocketPollerSourceHandler(curl_socket_t sock, SourceSocketPoller* poller) ++ : m_socket(sock), m_poller(poller) {} + + void OnReadWaiting() wxOVERRIDE; + void OnWriteWaiting() wxOVERRIDE; +@@ -716,16 +719,9 @@ public: + private: + void SendEvent(int); + curl_socket_t m_socket; +- wxEvtHandler* m_handler; ++ SourceSocketPoller* const m_poller; + }; + +-SocketPollerSourceHandler::SocketPollerSourceHandler(curl_socket_t sock, +- wxEvtHandler* hndlr) +-{ +- m_socket = sock; +- m_handler = hndlr; +-} +- + void SocketPollerSourceHandler::OnReadWaiting() + { + SendEvent(SocketPoller::READY_FOR_READ); +@@ -741,14 +737,6 @@ void SocketPollerSourceHandler::OnExceptionWaiting() + SendEvent(SocketPoller::HAS_ERROR); + } + +-void SocketPollerSourceHandler::SendEvent(int result) +-{ +- wxThreadEvent event(wxEVT_SOCKET_POLLER_RESULT); +- event.SetPayload<curl_socket_t>(m_socket); +- event.SetInt(result); +- m_handler->ProcessEvent(event); +-} +- + // SourceSocketPoller - a SocketPollerImpl based on event loop sources. + + class SourceSocketPoller: public SocketPollerImpl +@@ -760,6 +748,8 @@ public: + void StopPolling(curl_socket_t) wxOVERRIDE; + void ResumePolling(curl_socket_t) wxOVERRIDE; + ++ void SendEvent(curl_socket_t sock, int result); ++ + private: + WX_DECLARE_HASH_MAP(curl_socket_t, wxEventLoopSource*, wxIntegerHash,\ + wxIntegerEqual, SocketDataMap); +@@ -768,11 +758,25 @@ private: + + SocketDataMap m_socketData; + wxEvtHandler* m_handler; ++ ++ // The socket for which we're currently processing a write IO notification. ++ curl_socket_t m_activeWriteSocket; ++ ++ // The sockets that we couldn't clean up yet but should do if/when we get ++ // an error notification for them. 
++ wxVector<curl_socket_t> m_socketsToCleanUp; + }; + ++// This function must be implemented after full SourceSocketPoller declaration. ++void SocketPollerSourceHandler::SendEvent(int result) ++{ ++ m_poller->SendEvent(m_socket, result); ++} ++ + SourceSocketPoller::SourceSocketPoller(wxEvtHandler* hndlr) + { + m_handler = hndlr; ++ m_activeWriteSocket = 0; + } + + SourceSocketPoller::~SourceSocketPoller() +@@ -822,9 +826,7 @@ bool SourceSocketPoller::StartPolling(curl_socket_t sock, int pollAction) + } + else + { +- // Otherwise create a new source handler. +- srcHandler = +- new SocketPollerSourceHandler(sock, m_handler); ++ srcHandler = new SocketPollerSourceHandler(sock, this); + } + + // Get a new source object for these polling checks. +@@ -858,6 +860,15 @@ bool SourceSocketPoller::StartPolling(curl_socket_t sock, int pollAction) + + void SourceSocketPoller::StopPolling(curl_socket_t sock) + { ++ if ( sock == m_activeWriteSocket ) ++ { ++ // We can't clean up the socket while we're inside OnWriteWaiting() for ++ // it because it could be followed by OnExceptionWaiting() and we'd ++ // crash if we deleted it already. ++ m_socketsToCleanUp.push_back(sock); ++ return; ++ } ++ + SocketDataMap::iterator it = m_socketData.find(sock); + + if ( it != m_socketData.end() ) +@@ -871,6 +882,35 @@ void SourceSocketPoller::ResumePolling(curl_socket_t WXUNUSED(sock)) + { + } + ++void SourceSocketPoller::SendEvent(curl_socket_t sock, int result) ++{ ++ if ( result == SocketPoller::READY_FOR_WRITE ) ++ { ++ // Prevent the handler from this socket from being deleted in case we ++ // get a HAS_ERROR event for it immediately after this one. 
++ m_activeWriteSocket = sock; ++ } ++ ++ wxThreadEvent event(wxEVT_SOCKET_POLLER_RESULT); ++ event.SetPayload<curl_socket_t>(sock); ++ event.SetInt(result); ++ m_handler->ProcessEvent(event); ++ ++ m_activeWriteSocket = 0; ++ ++ if ( result == SocketPoller::HAS_ERROR ) ++ { ++ // Check if we have any sockets to clean up and do it now, it should be ++ // safe. ++ for ( size_t n = 0; n < m_socketsToCleanUp.size(); ++n ) ++ { ++ StopPolling(m_socketsToCleanUp[n]); ++ } ++ ++ m_socketsToCleanUp.clear(); ++ } ++} ++ + void SourceSocketPoller::CleanUpSocketSource(wxEventLoopSource* source) + { + wxEventLoopSourceHandler* srcHandler = source->GetHandler(); +-- +2.50.0 + diff --git a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb index 71e2a60e0c..1cf44bbfa3 100644 --- a/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb +++ b/meta-oe/recipes-extended/wxwidgets/wxwidgets_3.2.6.bb @@ -26,6 +26,7 @@ SRC_URI = "gitsm://github.com/wxWidgets/wxWidgets.git;branch=3.2;protocol=https file://0005-wx-config-fix-libdir-for-multilib.patch \ file://0006-Fix-locale-on-musl.patch \ file://0007-Set-HAVE_LARGEFILE_SUPPORT-to-1-explicitly.patch \ + file://CVE-2024-58249.patch \ " SRCREV = "5ff25322553c1870cf20a2e1ba6f20ed50d9fe9a" S = "${WORKDIR}/git" ^ permalink raw reply related [flat|nested] 32+ messages in thread
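Review bot: in CVE-2024-58249.patch, m_activeWriteSocket uses 0 as its "no socket" value (set in the constructor and again after ProcessEvent() in SourceSocketPoller::SendEvent()), but 0 is also a value a descriptor can take. With the poller idle, the new check "if ( sock == m_activeWriteSocket )" in StopPolling() would match a socket numbered 0, queue it in m_socketsToCleanUp and return without cleaning it up; the HAS_ERROR loop would then call StopPolling() on it again, which pushes onto the vector being iterated. A sentinel that cannot be a real socket (libcurl's CURL_SOCKET_BAD) would avoid this. Also note that queued sockets are only released in the "if ( result == SocketPoller::HAS_ERROR )" branch, so a write notification that is not followed by an error leaves the entry and its handler in place; the visible hunks do not show the destructor draining m_socketsToCleanUp. As this is a backport of upstream commit f2918a9ac823074901ce27de939baa57788beb3d, both points belong upstream rather than in a local deviation, but they are worth recording next to the patch.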
* [scarthgap][PATCH 08/24] gutenprint: fix a build race-condition 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (6 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 07/24] wxwidgets: fix CVE-2024-58249 Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 09/24] gutenprint: 5.3.5 Anuj Mittal ` (16 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Yoann Congal <yoann.congal@smile.fr> Gutenprint install hooks run in parallel but depend on each other. This is a race condition and might trigger a build failure (e.g on AB [0]): | chmod 700 $WORKDIR/image/usr/libexec/cups/backend/backend_gutenprint | chmod: cannot access '$WORKDIR/image/usr/libexec/cups/backend/backend_gutenprint': Not a directory | make[5]: *** [Makefile:2166: install-exec-hook] Error 1 Fixes this by adding an explicit dependency between the dependent targets. [0]: https://autobuilder.yoctoproject.org/valkyrie/#/builders/87/builds/46/steps/33/logs/stdio Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- ...-race-condition-around-empty-directo.patch | 60 +++++++++++++++++++ .../gutenprint/gutenprint_5.3.4.bb | 4 +- 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-printing/gutenprint/gutenprint/0001-cups-fix-a-build-race-condition-around-empty-directo.patch diff --git a/meta-oe/recipes-printing/gutenprint/gutenprint/0001-cups-fix-a-build-race-condition-around-empty-directo.patch b/meta-oe/recipes-printing/gutenprint/gutenprint/0001-cups-fix-a-build-race-condition-around-empty-directo.patch new file mode 100644 index 0000000000..758acfe6be --- /dev/null +++ b/meta-oe/recipes-printing/gutenprint/gutenprint/0001-cups-fix-a-build-race-condition-around-empty-directo.patch 
@@ -0,0 +1,60 @@ +From e3b0952fe936f90cfda9cbed368fae2143b72089 Mon Sep 17 00:00:00 2001 +From: Yoann Congal <yoann.congal@smile.fr> +Date: Thu, 3 Jul 2025 15:27:04 +0200 +Subject: [PATCH] cups: fix a build race-condition around empty directories + removal + +In automake, install-exec and install-data happen in parallel. +install-exec installs executables and install-data finishes with +install-data-hook that removes empty directories. If install-data-hook +happen before install-exec finishes, it might remove a directory while +it is used by the install process and make it fail. + +Fix this by adding an explicit dependency between install-data-hook and +install-exec. + +For example, here is the log of such a failure: +| make install-data-hook +| hosttools/mkdir -p 'image/usr/libexec/cups/backend' +| make[5]: Entering directory '$WORKDIR/build/src/cups' +| Expect a number of "rmdir: Directory not empty" warnings +| /bin/bash ../../libtool --mode=install $HOSTTOOLS/install -c backend_gutenprint '$WORKDIR/image/usr/libexec/cups/backend' + # Start of the install process (from install-exec) +| These messages are harmless and should be ignored. +... +| rmdir $WORKDIR/image/usr/libexec/cups/backend + # empty /usr/libexec/cups/backend is removed (from install-data-hook) +... 
+| libtool: install: $HOSTTOOLS/install -c backend_gutenprint $WORKDIR/image/usr/libexec/cups/backend + # install in a non-existing directory: backend_gutenprint is installed + # as /usr/libexec/cups/backend (this is now a file instead of a + # directory) +| make install-exec-hook +| make[5]: Entering directory '$WORKDIR/build/src/cups' +| chmod 700 $WORKDIR/image/usr/libexec/cups/backend/backend_gutenprint +| chmod: cannot access '$WORKDIR/image/usr/libexec/cups/backend/backend_gutenprint': Not a directory + # chmod fails because /usr/libexec/cups/backend is a file and not a + # directory +| make[5]: *** [Makefile:2166: install-exec-hook] Error 1 + +Signed-off-by: Yoann Congal <yoann.congal@smile.fr> +Upstream-Status: Submitted [https://sourceforge.net/p/gimp-print/mailman/gimp-print-devel/thread/20250703164244.1120340-1-yoann.congal%40smile.fr/#msg59202153] +--- + src/cups/Makefile.am | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/cups/Makefile.am b/src/cups/Makefile.am +index 7928ee3..fe45c92 100644 +--- a/src/cups/Makefile.am ++++ b/src/cups/Makefile.am +@@ -206,8 +206,9 @@ uninstall-local: $(INSTALL_DATA_LOCAL_DEPS) $(INSTALL_BLACKLIST) + $(RM) -f "$(DESTDIR)$(cupsdata_blacklistdir)/net.sf.gimp-print.usb-quirks" + $(RM) -f "$(DESTDIR)$(pkglibdir)/backend/gutenprint$(GUTENPRINT_MAJOR_VERSION)$(GUTENPRINT_MINOR_VERSION)+usb" + +-install-data-hook: ++install-data-hook: install-exec + # Remove unused directories in install tree ++# Note: it removes "exec" directories, so it must happen after install-exec. + -@echo 'Expect a number of "rmdir: Directory not empty" warnings' + -@echo 'These messages are harmless and should be ignored.' + -rmdir $(DESTDIR)$(cups_modeldir) diff --git a/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb b/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb index 5263890239..f90a123293 100644 --- a/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb 
+++ b/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb @@ -14,7 +14,9 @@ HOMEPAGE = "http://gimp-print.sourceforge.net/" LICENSE = "GPL-2.0-or-later" LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552" -SRC_URI = "https://downloads.sourceforge.net/gimp-print/${BP}.tar.xz" +SRC_URI = "https://downloads.sourceforge.net/gimp-print/${BP}.tar.xz \ + file://0001-cups-fix-a-build-race-condition-around-empty-directo.patch \ + " SRC_URI[sha256sum] = "db44a701d2b8e6a8931c83cec06c91226be266d23e5c189d20a39dd175f2023b" inherit autotools gettext pkgconfig ^ permalink raw reply related [flat|nested] 32+ messages in thread
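Review bot: The added prerequisite in src/cups/Makefile.am ("+install-data-hook: install-exec") makes a bare "make install-data" in that directory run install-exec as well, which the patch description does not mention. The quoted log shows the hook being run as its own "make install-data-hook" invocation, so the prerequisite would be executed again inside that sub-make during a normal install. State this side effect in the description, or move the rmdir cleanup to a hook that is ordered after both install-exec and install-data.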
* [scarthgap][PATCH 09/24] gutenprint: 5.3.5 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (7 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 08/24] gutenprint: fix a build race-condition Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 10/24] meta-oe: image: optionally remove RAW image after sparse image creation Anuj Mittal ` (15 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Zoltán Böszörményi <zboszor@gmail.com> This fixes an installation error: | make[5]: Entering directory '.../tmp/work/corei7-64-oe-linux/gutenprint/5.3.4/build/src/cups' | chmod 700 .../tmp/work/corei7-64-oe-linux/gutenprint/5.3.4/image/usr/libexec/cups/backend/backend_gutenprint | chmod: cannot access '.../tmp/work/corei7-64-oe-linux/gutenprint/5.3.4/image/usr/libexec/cups/backend/backend_gutenprint': No such file or directory Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- .../gutenprint/{gutenprint_5.3.4.bb => gutenprint_5.3.5.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-oe/recipes-printing/gutenprint/{gutenprint_5.3.4.bb => gutenprint_5.3.5.bb} (96%) diff --git a/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb b/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.5.bb similarity index 96% rename from meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb rename to meta-oe/recipes-printing/gutenprint/gutenprint_5.3.5.bb index f90a123293..82953b798c 100644 --- a/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.4.bb +++ b/meta-oe/recipes-printing/gutenprint/gutenprint_5.3.5.bb 
@@ -17,7 +17,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552" SRC_URI = "https://downloads.sourceforge.net/gimp-print/${BP}.tar.xz \ file://0001-cups-fix-a-build-race-condition-around-empty-directo.patch \ " -SRC_URI[sha256sum] = "db44a701d2b8e6a8931c83cec06c91226be266d23e5c189d20a39dd175f2023b" +SRC_URI[sha256sum] = "f5a9f47de28530b1ae2069cfbc647a9a641baeeabe809bb0ef2b3ec5b9668d70" inherit autotools gettext pkgconfig ^ permalink raw reply related [flat|nested] 32+ messages in thread
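Review bot: The unchanged context still lists file://0001-cups-fix-a-build-race-condition-around-empty-directo.patch in SRC_URI, and the commit message does not say whether that patch was checked against 5.3.5 or which upstream change in 5.3.5 fixes the quoted chmod failure (here "No such file or directory", in patch 08/24 "Not a directory"). Since this is a version bump on a stable branch, name the upstream fix and confirm the carried patch is still needed and still applies.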
* [scarthgap][PATCH 10/24] meta-oe: image: optionally remove RAW image after sparse image creation 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (8 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 09/24] gutenprint: 5.3.5 Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 11/24] libssh 0.10.6: Fix CVE-2025-8114 Anuj Mittal ` (14 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: AshishKumar Mishra <emailaddress.ashish@gmail.com> When creating sparse images, the RAW image is no longer needed in some workflows such as Android and CI pipelines. These RAW images can be multi-GB artifacts and consume significant disk space. This change introduces a configuration option `DELETE_RAWIMAGE_AFTER_SPARSE_CMD` which, when set to "1", removes the RAW image after sparse image generation. This reduces disk usage in builds where sparse images are the final deliverables and RAW images are not required. Default behavior is unchanged: RAW images are kept unless the variable is explicitly enabled: DELETE_RAWIMAGE_AFTER_SPARSE_CMD = "1" # Delete RAW image DELETE_RAWIMAGE_AFTER_SPARSE_CMD = "0" # Default behavior (cherry-picked from f5246b7df447ac76ec04c6e5add398862d1c9ccd in master ) Signed-off-by: AshishKumar Mishra <emailaddress.ashish@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- meta-oe/classes/image_types_sparse.bbclass | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta-oe/classes/image_types_sparse.bbclass b/meta-oe/classes/image_types_sparse.bbclass index d6ea68968e..5416c2a019 100644 --- a/meta-oe/classes/image_types_sparse.bbclass +++ b/meta-oe/classes/image_types_sparse.bbclass 
@@ -9,9 +9,15 @@ SPARSE_BLOCK_SIZE ??= "4096" CONVERSIONTYPES += "sparse" +DELETE_RAWIMAGE_AFTER_SPARSE_CMD ??= "0" + CONVERSION_CMD:sparse = " \ truncate --no-create --size=%${SPARSE_BLOCK_SIZE} "${IMAGE_NAME}.${type}"; \ img2simg -s "${IMAGE_NAME}.${type}" "${IMAGE_NAME}.${type}.sparse" ${SPARSE_BLOCK_SIZE}; \ + if [ "${DELETE_RAWIMAGE_AFTER_SPARSE_CMD}" = "1" ]; then \ + rm -f ${IMAGE_NAME}.${type};\ + bbwarn "Raw file ${IMAGE_NAME}.${type} removed" ;\ + fi;\ " CONVERSION_DEPENDS_sparse = "android-tools-native" ^ permalink raw reply related [flat|nested] 32+ messages in thread
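Review bot: In CONVERSION_CMD:sparse the new "rm -f" is joined to img2simg with ";", so keeping the raw image when img2simg fails depends on the task shell aborting on error rather than on the command itself. Chaining the delete with "&&" after img2simg, or testing that the .sparse file exists first, makes that explicit. The rm argument ${IMAGE_NAME}.${type} is also unquoted while the two lines above quote the same path, and bbwarn for an action the user opted into adds a warning to every build where bbnote would fit better.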
* [scarthgap][PATCH 11/24] libssh 0.10.6: Fix CVE-2025-8114 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (9 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 10/24] meta-oe: image: optionally remove RAW image after sparse image creation Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 12/24] apache2: upgrade 2.4.64 - 2.4.65 Anuj Mittal ` (13 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Anil Dongare <adongare@cisco.com> Upstream Repository: https://git.libssh.org/projects/libssh.git/ Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-8114 Type: Security Fix CVE: CVE-2025-8114 Score: 4.7 Patch: https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- .../libssh/libssh/CVE-2025-8114.patch | 49 +++++++++++++++++++ .../recipes-support/libssh/libssh_0.10.6.bb | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch diff --git a/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch new file mode 100644 index 0000000000..10bbbcb114 --- /dev/null +++ b/meta-oe/recipes-support/libssh/libssh/CVE-2025-8114.patch 
@@ -0,0 +1,49 @@ +From 5f4950367c027aa91fcea240df354a856a4a0025 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider <asn@cryptomilk.org> +Date: Wed, 6 Aug 2025 15:17:59 +0200 +Subject: [PATCH] CVE-2025-8114: Fix NULL pointer dereference after allocation + failure + +CVE: CVE-2025-8114 +Upstream-Status: Backport [https://git.libssh.org/projects/libssh.git/commit/?id=53ac23ded4cb] + +Signed-off-by: Andreas Schneider <asn@cryptomilk.org> +Reviewed-by: Jakub Jelen <jjelen@redhat.com> +(cherry picked from commit 53ac23ded4cb2c5463f6c4cd1525331bd578812d) +Signed-off-by: Anil Dongare <adongare@cisco.com> +--- + src/kex.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/kex.c b/src/kex.c +index fbc70cf4..b4bab277 100644 +--- a/src/kex.c ++++ b/src/kex.c +@@ -1391,6 +1391,8 @@ int ssh_make_sessionid(ssh_session session) + ssh_log_hexdump("hash buffer", ssh_buffer_get(buf), ssh_buffer_get_len(buf)); + #endif + ++ /* Set rc for the following switch statement in case we goto error. */ ++ rc = SSH_ERROR; + switch (session->next_crypto->kex_type) { + case SSH_KEX_DH_GROUP1_SHA1: + case SSH_KEX_DH_GROUP14_SHA1: +@@ -1450,6 +1452,7 @@ int ssh_make_sessionid(ssh_session session) + session->next_crypto->secret_hash); + break; + } ++ + /* During the first kex, secret hash and session ID are equal. However, after + * a key re-exchange, a new secret hash is calculated. This hash will not replace + * but complement existing session id. +@@ -1458,6 +1461,7 @@ int ssh_make_sessionid(ssh_session session) + session->next_crypto->session_id = malloc(session->next_crypto->digest_len); + if (session->next_crypto->session_id == NULL) { + ssh_set_error_oom(session); ++ rc = SSH_ERROR; + goto error; + } + memcpy(session->next_crypto->session_id, session->next_crypto->secret_hash, +-- +2.43.5 + diff --git a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb index bf91e69bc8..602e01fce6 100644 
--- a/meta-oe/recipes-support/libssh/libssh_0.10.6.bb +++ b/meta-oe/recipes-support/libssh/libssh_0.10.6.bb @@ -17,6 +17,7 @@ SRC_URI = "git://git.libssh.org/projects/libssh.git;protocol=https;branch=stable file://CVE-2025-4878-0001.patch \ file://CVE-2025-4878-0002.patch \ file://CVE-2025-5987.patch \ + file://CVE-2025-8114.patch \ " SRCREV = "10e09e273f69e149389b3e0e5d44b8c221c2e7f6" ^ permalink raw reply related [flat|nested] 32+ messages in thread
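Review bot: Neither the layer commit message nor the backported patch header explains how assigning rc relates to the NULL pointer dereference named in the subject. The hunks in ssh_make_sessionid only show "rc = SSH_ERROR;" being set before the switch and in the session_id malloc failure branch. A sentence stating what value rc could hold on those "goto error" paths before the change would make the fix reviewable from the patch alone. The added blank line after the switch's closing brace is a whitespace-only change.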
* [scarthgap][PATCH 12/24] apache2: upgrade 2.4.64 - 2.4.65 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (10 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 11/24] libssh 0.10.6: Fix CVE-2025-8114 Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 13/24] cjson 1.7.18: Fix CVE-2025-57052 Anuj Mittal ` (12 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Archana Polampalli <archana.polampalli@windriver.com> fixes CVE-2025-54090 Changelog: https://downloads.apache.org/httpd/CHANGES_2.4.65 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- .../apache2/{apache2_2.4.64.bb => apache2_2.4.65.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-webserver/recipes-httpd/apache2/{apache2_2.4.64.bb => apache2_2.4.65.bb} (99%) diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.64.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.65.bb similarity index 99% rename from meta-webserver/recipes-httpd/apache2/apache2_2.4.64.bb rename to meta-webserver/recipes-httpd/apache2/apache2_2.4.65.bb index f587935b8f..34526fc78e 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.64.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.65.bb @@ -27,7 +27,7 @@ SRC_URI:append:class-target = " \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3" -SRC_URI[sha256sum] = "120b35a2ebf264f277e20f9a94f870f2063342fbff0861404660d7dd0ab1ac29" +SRC_URI[sha256sum] = "58b8be97d9940ec17f7656c0c6b9f41b618aac468b894b534148e3296c53b8b3" S = "${WORKDIR}/httpd-${PV}" ^ permalink raw reply related [flat|nested] 32+ messages in thread
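Review bot: The subject writes the version change as "2.4.64 - 2.4.65", while the other upgrade in this series uses "3.2.1 -> 3.2.6"; use "->" so the log stays consistent and searchable. The message names CVE-2025-54090 only in free text, and a short statement of what that CVE affects would justify the bump on a stable branch better than the changelog link alone.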
* [scarthgap][PATCH 13/24] cjson 1.7.18: Fix CVE-2025-57052 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (11 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 12/24] apache2: upgrade 2.4.64 - 2.4.65 Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 14/24] openjpeg: fix for CVE-2025-54874 Anuj Mittal ` (11 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Shubham Pushpkar <spushpka@cisco.com> Upstream Repository: https://github.com/DaveGamble/cJSON.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-57052 Type: Security Fix CVE: CVE-2025-57052 Score: 9.8 Patch: https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- .../cjson/cjson/CVE-2025-57052.patch | 33 +++++++++++++++++++ .../recipes-devtools/cjson/cjson_1.7.18.bb | 1 + 2 files changed, 34 insertions(+) create mode 100644 meta-oe/recipes-devtools/cjson/cjson/CVE-2025-57052.patch diff --git a/meta-oe/recipes-devtools/cjson/cjson/CVE-2025-57052.patch b/meta-oe/recipes-devtools/cjson/cjson/CVE-2025-57052.patch new file mode 100644 index 0000000000..ed3d4a7eba --- /dev/null +++ b/meta-oe/recipes-devtools/cjson/cjson/CVE-2025-57052.patch 
@@ -0,0 +1,33 @@ +From e53a1413304382d562176bed91609e00b4fcf87e Mon Sep 17 00:00:00 2001 +From: Lee <peteralfredlee@gmail.com> +Date: Fri, 5 Sep 2025 14:53:20 +0800 +Subject: [PATCH] fix the incorrect check in decode_array_index_from_pointer + (#957) + +this fixes CVE-2025-57052 + +CVE: CVE-2025-57052 +Upstream-Status: Backport [https://github.com/DaveGamble/cJSON/commit/74e1ff4994aa] + +(cherry picked from commit 74e1ff4994aa4139126967f6d289b675b4b36fef) +Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> +--- + cJSON_Utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/cJSON_Utils.c b/cJSON_Utils.c +index 63651df..8fa24f8 100644 +--- a/cJSON_Utils.c ++++ b/cJSON_Utils.c +@@ -282,7 +282,7 @@ static cJSON_bool decode_array_index_from_pointer(const unsigned char * const po + return 0; + } + +- for (position = 0; (pointer[position] >= '0') && (pointer[0] <= '9'); position++) ++ for (position = 0; (pointer[position] >= '0') && (pointer[position] <= '9'); position++) + { + parsed_index = (10 * parsed_index) + (size_t)(pointer[position] - '0'); + +-- +2.44.1 + diff --git a/meta-oe/recipes-devtools/cjson/cjson_1.7.18.bb b/meta-oe/recipes-devtools/cjson/cjson_1.7.18.bb index bdeab3055c..67d536cf24 100644 --- a/meta-oe/recipes-devtools/cjson/cjson_1.7.18.bb +++ b/meta-oe/recipes-devtools/cjson/cjson_1.7.18.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=218947f77e8cb8e2fa02918dc41c50d0" SRC_URI = "git://github.com/DaveGamble/cJSON.git;branch=master;protocol=https \ file://run-ptest \ + file://CVE-2025-57052.patch \ " SRCREV = "acc76239bee01d8e9c858ae2cab296704e52d916" ^ permalink raw reply related [flat|nested] 32+ messages in thread
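Review bot: With the digit test now applied to pointer[position], the loop in decode_array_index_from_pointer consumes every leading digit, but the accumulation "parsed_index = (10 * parsed_index) + ..." in the context line has no visible overflow guard, so a long run of digits wraps the size_t index. Consider rejecting the pointer once parsed_index would exceed SIZE_MAX / 10. The recipe already ships run-ptest, so a test case with a non-digit character after the first digit would pin the corrected check.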
* [scarthgap][PATCH 14/24] openjpeg: fix for CVE-2025-54874 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (12 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 13/24] cjson 1.7.18: Fix CVE-2025-57052 Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 15/24] fontforge: patch CVE-2024-25081 and CVE-2024-25082 Anuj Mittal ` (10 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Hitendra Prajapati <hprajapati@mvista.com> Upstream-Status: Backport https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit 5d0643f194e9a7ed77eddbdc1d106536df2eb488) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- .../openjpeg/openjpeg/CVE-2025-54874.patch | 44 +++++++++++++++++++ .../openjpeg/openjpeg_2.5.3.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-54874.patch diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-54874.patch b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-54874.patch new file mode 100644 index 0000000000..187557a35c --- /dev/null +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg/CVE-2025-54874.patch 
@@ -0,0 +1,44 @@ +From f809b80c67717c152a5ad30bf06774f00da4fd2d Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen <sebras@gmail.com> +Date: Thu, 16 Jan 2025 02:13:43 +0100 +Subject: [PATCH] opj_jp2_read_header: Check for error after parsing header. + +Consider the case where the caller has not set the p_image +pointer to NULL before calling opj_read_header(). + +If opj_j2k_read_header_procedure() fails while obtaining the rest +of the marker segment when calling opj_stream_read_data() because +the data stream is too short, then opj_j2k_read_header() will +never have the chance to initialize p_image, leaving it +uninitialized. + +opj_jp2_read_header() will check the p_image value whether +opj_j2k_read_header() suceeded or failed. This may be detected as +an error in valgrind or ASAN. + +The fix is to check whether opj_j2k_read_header() suceeded before +using the output argument p_image. + +CVE: CVE-2025-54874 +Upstream-Status: Backport [https://github.com/uclouvain/openjpeg/commit/f809b80c67717c152a5ad30bf06774f00da4fd2d] +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + src/lib/openjp2/jp2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib/openjp2/jp2.c b/src/lib/openjp2/jp2.c +index 4df055a5..da506318 100644 +--- a/src/lib/openjp2/jp2.c ++++ b/src/lib/openjp2/jp2.c +@@ -2873,7 +2873,7 @@ OPJ_BOOL opj_jp2_read_header(opj_stream_private_t *p_stream, + p_image, + p_manager); + +- if (p_image && *p_image) { ++ if (ret && p_image && *p_image) { + /* Set Image Color Space */ + if (jp2->enumcs == 16) { + (*p_image)->color_space = OPJ_CLRSPC_SRGB; +-- +2.50.1 + diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.3.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.3.bb index 231bf84573..586bfeaf1f 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.3.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.5.3.bb 
@@ -7,6 +7,7 @@ DEPENDS = "libpng tiff lcms zlib" SRC_URI = "git://github.com/uclouvain/openjpeg.git;branch=master;protocol=https \ file://0001-Do-not-ask-cmake-to-export-binaries-they-don-t-make-.patch \ + file://CVE-2025-54874.patch \ " SRCREV = "210a8a5690d0da66f02d49420d7176a21ef409dc" S = "${WORKDIR}/git" ^ permalink raw reply related [flat|nested] 32+ messages in thread
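Review bot: The layer commit message contains only the Upstream-Status line and sign-offs, so the log entry says nothing about the issue. Summarise it in one line, as the embedded patch header does (p_image is read in opj_jp2_read_header even when opj_j2k_read_header failed, and the fix adds "ret &&" to that condition). Upstream-Status belongs in the .patch header, where it already appears with the URL in brackets, unlike the unbracketed form in the commit message.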
* [scarthgap][PATCH 15/24] fontforge: patch CVE-2024-25081 and CVE-2024-25082 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (13 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 14/24] openjpeg: fix for CVE-2025-54874 Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 16/24] fcgi: patch CVE-2025-23016 Anuj Mittal ` (9 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Peter Marko <peter.marko@siemens.com> Pick commit from PR [1] linked from [2] and [3] which also mentions both these CVEs. [1] https://github.com/fontforge/fontforge/pull/5367 [2] https://nvd.nist.gov/vuln/detail/CVE-2024-25081 [3] https://nvd.nist.gov/vuln/detail/CVE-2024-25082 Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit 1e6dbd183bc7e5dd7681fd5ae65f043cc8641a1d) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- .../CVE-2024-25081_CVE-2024-25082.patch | 181 ++++++++++++++++++ .../fontforge/fontforge_20230101.bb | 1 + 2 files changed, 182 insertions(+) create mode 100644 meta-oe/recipes-graphics/fontforge/fontforge/CVE-2024-25081_CVE-2024-25082.patch diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2024-25081_CVE-2024-25082.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2024-25081_CVE-2024-25082.patch new file mode 100644 index 0000000000..40f85e9f33 --- /dev/null +++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2024-25081_CVE-2024-25082.patch
@@ -0,0 +1,181 @@ +From 216eb14b558df344b206bf82e2bdaf03a1f2f429 Mon Sep 17 00:00:00 2001 +From: Peter Kydas <pk@canva.com> +Date: Tue, 6 Feb 2024 20:03:04 +1100 +Subject: [PATCH] fix splinefont shell command injection (#5367) + +CVE: CVE-2024-25081 +CVE: CVE-2024-25082 +Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + fontforge/splinefont.c | 123 +++++++++++++++++++++++++++++------------ + 1 file changed, 89 insertions(+), 34 deletions(-) + +diff --git a/fontforge/splinefont.c b/fontforge/splinefont.c +index 239fdc035..647daee10 100644 +--- a/fontforge/splinefont.c ++++ b/fontforge/splinefont.c +@@ -788,11 +788,14 @@ return( name ); + + char *Unarchive(char *name, char **_archivedir) { + char *dir = getenv("TMPDIR"); +- char *pt, *archivedir, *listfile, *listcommand, *unarchivecmd, *desiredfile; ++ char *pt, *archivedir, *listfile, *desiredfile; + char *finalfile; + int i; + int doall=false; + static int cnt=0; ++ gchar *command[5]; ++ gchar *stdoutresponse = NULL; ++ gchar *stderrresponse = NULL; + + *_archivedir = NULL; + +@@ -827,18 +830,30 @@ return( NULL ); + listfile = malloc(strlen(archivedir)+strlen("/" TOC_NAME)+1); + sprintf( listfile, "%s/" TOC_NAME, archivedir ); + +- listcommand = malloc( strlen(archivers[i].unarchive) + 1 + +- strlen( archivers[i].listargs) + 1 + +- strlen( name ) + 3 + +- strlen( listfile ) +4 ); +- sprintf( listcommand, "%s %s %s > %s", archivers[i].unarchive, +- archivers[i].listargs, name, listfile ); +- if ( system(listcommand)!=0 ) { +- free(listcommand); free(listfile); +- ArchiveCleanup(archivedir); +-return( NULL ); ++ command[0] = archivers[i].unarchive; ++ command[1] = archivers[i].listargs; ++ command[2] = name; ++ command[3] = NULL; // command args need to be NULL-terminated ++ ++ if ( g_spawn_sync( ++ NULL, ++ command, ++ NULL, ++ G_SPAWN_SEARCH_PATH, ++ NULL, ++ NULL, ++ &stdoutresponse, ++ 
&stderrresponse, ++ NULL, ++ NULL ++ ) == FALSE) { // did not successfully execute ++ ArchiveCleanup(archivedir); ++ return( NULL ); + } +- free(listcommand); ++ // Write out the listfile to be read in later ++ FILE *fp = fopen(listfile, "wb"); ++ fwrite(stdoutresponse, strlen(stdoutresponse), 1, fp); ++ fclose(fp); + + desiredfile = ArchiveParseTOC(listfile, archivers[i].ars, &doall); + free(listfile); +@@ -847,22 +862,28 @@ return( NULL ); + return( NULL ); + } + +- /* I tried sending everything to stdout, but that doesn't work if the */ +- /* output is a directory file (ufo, sfdir) */ +- unarchivecmd = malloc( strlen(archivers[i].unarchive) + 1 + +- strlen( archivers[i].listargs) + 1 + +- strlen( name ) + 1 + +- strlen( desiredfile ) + 3 + +- strlen( archivedir ) + 30 ); +- sprintf( unarchivecmd, "( cd %s ; %s %s %s %s ) > /dev/null", archivedir, +- archivers[i].unarchive, +- archivers[i].extractargs, name, doall ? "" : desiredfile ); +- if ( system(unarchivecmd)!=0 ) { +- free(unarchivecmd); free(desiredfile); +- ArchiveCleanup(archivedir); +-return( NULL ); ++ command[0] = archivers[i].unarchive; ++ command[1] = archivers[i].extractargs; ++ command[2] = name; ++ command[3] = doall ? 
"" : desiredfile; ++ command[4] = NULL; ++ ++ if ( g_spawn_sync( ++ (gchar*)archivedir, ++ command, ++ NULL, ++ G_SPAWN_SEARCH_PATH, ++ NULL, ++ NULL, ++ &stdoutresponse, ++ &stderrresponse, ++ NULL, ++ NULL ++ ) == FALSE) { // did not successfully execute ++ free(desiredfile); ++ ArchiveCleanup(archivedir); ++ return( NULL ); + } +- free(unarchivecmd); + + finalfile = malloc( strlen(archivedir) + 1 + strlen(desiredfile) + 1); + sprintf( finalfile, "%s/%s", archivedir, desiredfile ); +@@ -885,20 +906,54 @@ struct compressors compressors[] = { + + char *Decompress(char *name, int compression) { + char *dir = getenv("TMPDIR"); +- char buf[1500]; + char *tmpfn; +- ++ gchar *command[4]; ++ gint stdout_pipe; ++ gchar buffer[4096]; ++ gssize bytes_read; ++ GByteArray *binary_data = g_byte_array_new(); ++ + if ( dir==NULL ) dir = P_tmpdir; + tmpfn = malloc(strlen(dir)+strlen(GFileNameTail(name))+2); + strcpy(tmpfn,dir); + strcat(tmpfn,"/"); + strcat(tmpfn,GFileNameTail(name)); + *strrchr(tmpfn,'.') = '\0'; +- snprintf( buf, sizeof(buf), "%s < %s > %s", compressors[compression].decomp, name, tmpfn ); +- if ( system(buf)==0 ) +-return( tmpfn ); +- free(tmpfn); +-return( NULL ); ++ ++ command[0] = compressors[compression].decomp; ++ command[1] = "-c"; ++ command[2] = name; ++ command[3] = NULL; ++ ++ // Have to use async because g_spawn_sync doesn't handle nul-bytes in the output (which happens with binary data) ++ if (g_spawn_async_with_pipes( ++ NULL, ++ command, ++ NULL, ++ G_SPAWN_DO_NOT_REAP_CHILD | G_SPAWN_SEARCH_PATH, ++ NULL, ++ NULL, ++ NULL, ++ NULL, ++ &stdout_pipe, ++ NULL, ++ NULL) == FALSE) { ++ //command has failed ++ return( NULL ); ++ } ++ ++ // Read binary data from pipe and output to file ++ while ((bytes_read = read(stdout_pipe, buffer, sizeof(buffer))) > 0) { ++ g_byte_array_append(binary_data, (guint8 *)buffer, bytes_read); ++ } ++ close(stdout_pipe); ++ ++ FILE *fp = fopen(tmpfn, "wb"); ++ fwrite(binary_data->data, sizeof(gchar), binary_data->len, fp); 
++ fclose(fp); ++ g_byte_array_free(binary_data, TRUE); ++ ++ return(tmpfn); + } + + static char *ForceFileToHaveName(FILE *file, char *exten) { diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb index 31dd495fd7..d470ff12d4 100644 --- a/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb +++ b/meta-oe/recipes-graphics/fontforge/fontforge_20230101.bb @@ -20,6 +20,7 @@ SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \ file://0001-fontforgeexe-Use-env-to-find-fontforge.patch \ file://0001-cmake-Use-alternate-way-to-detect-libm.patch \ file://0001-Fix-Translations-containing-invalid-directives-hs.patch \ + file://CVE-2024-25081_CVE-2024-25082.patch \ " S = "${WORKDIR}/git" ^ permalink raw reply related [flat|nested] 32+ messages in thread
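Review bot: In the first Unarchive hunk (the listing call), g_spawn_sync() is passed NULL for the wait status, so a lister that starts but exits non-zero is now treated as success, whereas the removed code failed on "system(listcommand)!=0". Pass a status pointer and check it with g_spawn_check_wait_status() (or the older g_spawn_check_exit_status()). The same hunk uses the result of fopen(listfile, "wb") without a NULL check, no longer frees listfile on the failure return, and never g_free()s stdoutresponse or stderrresponse.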
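Review bot: In the extraction hunk of Unarchive, "command[3] = doall ? "" : desiredfile;" passes an empty string as a real argv entry when doall is set. That is not equivalent to the removed shell command, where the empty string expanded to no argument at all, so the archiver now receives an empty member name. Terminate the vector after name in the doall case. This call also overwrites stdoutresponse and stderrresponse without freeing the buffers from the listing call, and again does not collect the exit status.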
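Review bot: In the Decompress hunk, the child is spawned with G_SPAWN_DO_NOT_REAP_CHILD but the child_pid argument is NULL, so the process can never be waited for and its exit status is never seen. The function now returns tmpfn even when the decompressor fails, where the removed code returned NULL unless "system(buf)==0". Capture the GPid, wait on it after draining the pipe, and return NULL (freeing tmpfn) on a non-zero status. The early "return( NULL )" on spawn failure also leaks tmpfn and binary_data, fopen(tmpfn, "wb") is unchecked, the hard-coded "-c" assumes every compressors[].decomp entry accepts it, and the whole output is buffered in memory before being written.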
* [scarthgap][PATCH 16/24] fcgi: patch CVE-2025-23016 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (14 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 15/24] fontforge: patch CVE-2024-25081 and CVE-2024-25082 Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 17/24] lcov: Add missing RDEPENDS for nativesdk Anuj Mittal ` (8 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Peter Marko <peter.marko@siemens.com> Pick commit referencing this CVE. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit 6e86e0dd54e1ca7459f3e1afebf24f5437d8b586) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- .../fcgi/fcgi/CVE-2025-23016.patch | 40 +++++++++++++++++++ .../recipes-support/fcgi/fcgi_git.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta-webserver/recipes-support/fcgi/fcgi/CVE-2025-23016.patch diff --git a/meta-webserver/recipes-support/fcgi/fcgi/CVE-2025-23016.patch b/meta-webserver/recipes-support/fcgi/fcgi/CVE-2025-23016.patch new file mode 100644 index 0000000000..b763d7651c --- /dev/null +++ b/meta-webserver/recipes-support/fcgi/fcgi/CVE-2025-23016.patch 
@@ -0,0 +1,40 @@ +From b0eabcaf4d4f371514891a52115c746815c2ff15 Mon Sep 17 00:00:00 2001 +From: Pycatchown <39068868+Pycatchown@users.noreply.github.com> +Date: Tue, 8 Apr 2025 17:39:30 +0200 +Subject: [PATCH] Update fcgiapp.c + +Fixing an integer overflow (CVE-2025-23016) + +CVE: CVE-2025-23016 +Upstream-Status: Backport [https://github.com/FastCGI-Archives/fcgi2/commit/b0eabcaf4d4f371514891a52115c746815c2ff15] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + libfcgi/fcgiapp.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/libfcgi/fcgiapp.c b/libfcgi/fcgiapp.c +index 4ffe318..99c3630 100644 +--- a/libfcgi/fcgiapp.c ++++ b/libfcgi/fcgiapp.c +@@ -1173,6 +1173,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream) + } + nameLen = ((nameLen & 0x7f) << 24) + (lenBuff[0] << 16) + + (lenBuff[1] << 8) + lenBuff[2]; ++ if (nameLen >= INT_MAX) { ++ SetError(stream, FCGX_PARAMS_ERROR); ++ return -1; ++ } + } + if((valueLen = FCGX_GetChar(stream)) == EOF) { + SetError(stream, FCGX_PARAMS_ERROR); +@@ -1185,6 +1189,10 @@ static int ReadParams(Params *paramsPtr, FCGX_Stream *stream) + } + valueLen = ((valueLen & 0x7f) << 24) + (lenBuff[0] << 16) + + (lenBuff[1] << 8) + lenBuff[2]; ++ if (valueLen >= INT_MAX) { ++ SetError(stream, FCGX_PARAMS_ERROR); ++ return -1; ++ } + } + /* + * nameLen and valueLen are now valid; read the name and value diff --git a/meta-webserver/recipes-support/fcgi/fcgi_git.bb b/meta-webserver/recipes-support/fcgi/fcgi_git.bb index 61ef6073e0..d327d435d5 100644 --- a/meta-webserver/recipes-support/fcgi/fcgi_git.bb +++ b/meta-webserver/recipes-support/fcgi/fcgi_git.bb @@ -7,6 +7,7 @@ SRCREV = "382aa2b0d53a87c27f2f647dfaf670375ba0b85f" PV = "2.4.2" SRC_URI = "git://github.com/FastCGI-Archives/fcgi2.git;protocol=https;branch=master \ + file://CVE-2025-23016.patch \ " S = "${WORKDIR}/git" ^ permalink raw reply related [flat|nested] 32+ messages in thread
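Review bot: In both added checks in ReadParams, the length is assembled as ((len & 0x7f) << 24) plus three bytes, so its largest possible value is 0x7fffffff. With a 32-bit int, "nameLen >= INT_MAX" and "valueLen >= INT_MAX" therefore reject only that single value and let lengths just below it through. If the intent is to keep later arithmetic on the two lengths from overflowing, a smaller explicit limit on each length is needed, and the patch header should say which expression is being protected. The hunks add no #include, so INT_MAX relies on <limits.h> already being pulled in by fcgiapp.c.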
* [scarthgap][PATCH 17/24] lcov: Add missing RDEPENDS for nativesdk 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (15 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 16/24] fcgi: patch CVE-2025-23016 Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 18/24] libvncserver: fix generated LibVNCServerTargets.cmake Anuj Mittal ` (7 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Jef Driesen <jefdriesen@telenet.be> When building an SDK with lcov included, gcov isn't included in the SDK by default. Running lcov to generate coverage fails, because it tries to use the gcov binary from the host system instead and that cause problems if the gcc versions do not match. Signed-off-by: Jef Driesen <jefdriesen@telenet.be> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit 0cd6283a4174453ac8d927d917268ba0c3161a02) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- meta-oe/recipes-support/lcov/lcov_1.16.bb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta-oe/recipes-support/lcov/lcov_1.16.bb b/meta-oe/recipes-support/lcov/lcov_1.16.bb index 81b80790fe..6b8c105d3e 100755 --- a/meta-oe/recipes-support/lcov/lcov_1.16.bb +++ b/meta-oe/recipes-support/lcov/lcov_1.16.bb @@ -50,6 +50,12 @@ RDEPENDS:${PN}:append:class-target = " \ gcov \ gcov-symlinks \ " + +RDEPENDS:${PN}:append:class-nativesdk = " \ + nativesdk-gcov \ + nativesdk-gcov-symlinks \ +" + SRC_URI = "https://github.com/linux-test-project/lcov/releases/download/v${PV}/lcov-${PV}.tar.gz" SRC_URI[md5sum] = "bfee0cef50d7b7bd1df03bfadf68dcef" SRC_URI[sha256sum] = "987031ad5528c8a746d4b52b380bc1bffe412de1f2b9c2ba5224995668e3240b" ^ permalink raw reply related [flat|nested] 32+ messages in thread
* [scarthgap][PATCH 18/24] libvncserver: fix generated LibVNCServerTargets.cmake 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (16 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 17/24] lcov: Add missing RDEPENDS for nativesdk Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 19/24] gtkwave: Add libtirpc to depends Anuj Mittal ` (6 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Marc Ferland <marc.ferland@sonatest.com> The currently generated LibVNCServerTargets.cmake will include the following 'set_target_properties': set_target_properties(LibVNCServer::vncclient PROPERTIES INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include" INTERFACE_LINK_LIBRARIES "systemd;/usr/lib/libz.so;/usr/lib/liblzo2.so;/usr/lib/libjpeg.so;/usr/lib/libgcrypt.so;/usr/lib/libgnutls.so" ) INTERFACE_LINK_LIBRARIES here points to absolute paths which hardcodes the library paths. From CMake doc [1]: Note that it is not advisable to populate the INTERFACE_LINK_LIBRARIES of a target with absolute paths to dependencies. That would hard-code into installed packages the library file paths for dependencies as found on the machine the package was made on. This breaks krfb build (kde desktop sharing server) since CMake cannot find these libraries. Removing the absolute paths solves the issue. Note: I also added a 'inherit pkgconfig' since libvncserver uses it to detect libsystemd presence. 1: https://cmake.org/cmake/help/latest/prop_tgt/INTERFACE_LINK_LIBRARIES.html Signed-off-by: Marc Ferland <marc.ferland@sonatest.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 215694286716cf83bf9e52c5e61b4cbc861098fc) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb index ce01593b8b..6f271ee0d3 100644 --- a/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb +++ b/meta-oe/recipes-graphics/libvncserver/libvncserver_0.9.14.bb @@ -42,7 +42,7 @@ PACKAGECONFIG[zlib] = "-DWITH_ZLIB=ON,-DWITH_ZLIB=OFF,zlib" PACKAGE_BEFORE_PN = "libvncclient" FILES:libvncclient = "${libdir}/libvncclient.*" -inherit cmake +inherit cmake pkgconfig SRC_URI = "git://github.com/LibVNC/libvncserver;branch=master;protocol=https" SRCREV = "10e9eb75f73e973725dc75c373de5d89807af028" @@ -52,5 +52,5 @@ S = "${WORKDIR}/git" EXTRA_OECMAKE = "-DMAKE_INSTALL_LIBDIR=${libdir}" do_install:append() { - sed -i -e 's|${STAGING_DIR_HOST}||g' ${D}${libdir}/cmake/LibVNCServer/LibVNCServerTargets.cmake + sed -i -e 's|${STAGING_DIR_HOST}${libdir}/||g' ${D}${libdir}/cmake/LibVNCServer/LibVNCServerTargets.cmake } ^ permalink raw reply related [flat|nested] 32+ messages in thread
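Review bot: In do_install:append the new expression `s|${STAGING_DIR_HOST}${libdir}/||g` matches only sysroot paths that continue with ${libdir}, whereas the removed expression stripped ${STAGING_DIR_HOST} wherever it appeared. A dependency staged outside ${libdir} would now keep its absolute build-sysroot path in the installed LibVNCServerTargets.cmake, which is the hard-coding the commit message sets out to remove. Consider keeping a second pass that removes any remaining ${STAGING_DIR_HOST} prefix, or failing the task if that string is still present in the file after the sed. A short comment above the sed saying that entries are reduced to bare library file names on purpose would also help the next reader.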
* [scarthgap][PATCH 19/24] gtkwave: Add libtirpc to depends 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (17 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 18/24] libvncserver: fix generated LibVNCServerTargets.cmake Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 20/24] geoip: fix do_fetch error Anuj Mittal ` (5 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Khem Raj <raj.khem@gmail.com> It was missing as the recipe is using --with-tirpc Signed-off-by: Khem Raj <raj.khem@gmail.com> Adapted for Walnascar Signed-off-by: Gyorgy Sarvari <gyorgy.sarvari@gmail.com> (cherry picked from commit 8832aa3ca83d6a2f705d4aa48496f8bd12c9cc15) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- meta-oe/recipes-graphics/gtkwave/gtkwave_3.3.119.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-oe/recipes-graphics/gtkwave/gtkwave_3.3.119.bb b/meta-oe/recipes-graphics/gtkwave/gtkwave_3.3.119.bb index 0b1b054041..1b16a22a44 100644 --- a/meta-oe/recipes-graphics/gtkwave/gtkwave_3.3.119.bb +++ b/meta-oe/recipes-graphics/gtkwave/gtkwave_3.3.119.bb @@ -13,6 +13,7 @@ DEPENDS = " \ gperf-native \ gtk+3 \ gdk-pixbuf \ + libtirpc \ tcl \ tk \ bzip2 \ ^ permalink raw reply related [flat|nested] 32+ messages in thread
* [scarthgap][PATCH 20/24] geoip: fix do_fetch error 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (18 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 19/24] gtkwave: Add libtirpc to depends Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 21/24] nng: Rename default branch of github.com:nanomsg/nng.git Anuj Mittal ` (4 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Wang Mingyu <wangmy@fujitsu.com> Change the SRC_URI to the correct value due to the following error: ERROR: geoip-1.6.12-r0 do_fetch: Bitbake Fetcher Error: FetchError('Unable to fetch URL from any source.', 'http://sources.openembedded.org/GeoIP.dat.20181205.gz;apply=no;name=GeoIP-dat;') Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit aadc2ac9dc49dfb5a2066401f22e7b553b324313) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- meta-networking/recipes-support/geoip/geoip_1.6.12.bb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb index 429cd69d6d..12599f97de 100644 --- a/meta-networking/recipes-support/geoip/geoip_1.6.12.bb +++ b/meta-networking/recipes-support/geoip/geoip_1.6.12.bb 
@@ -11,10 +11,10 @@ SECTION = "libdevel" GEOIP_DATABASE_VERSION = "20181205" SRC_URI = "git://github.com/maxmind/geoip-api-c.git;branch=main;protocol=https \ - http://sources.openembedded.org/GeoIP.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIP-dat; \ - http://sources.openembedded.org/GeoIPv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIPv6-dat; \ - http://sources.openembedded.org/GeoLiteCity.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCity-dat; \ - http://sources.openembedded.org/GeoLiteCityv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCityv6-dat; \ + https://downloads.yoctoproject.org/mirror/sources/GeoIP.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIP-dat; \ + https://downloads.yoctoproject.org/mirror/sources/GeoIPv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoIPv6-dat; \ + https://downloads.yoctoproject.org/mirror/sources/GeoLiteCity.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCity-dat; \ + https://downloads.yoctoproject.org/mirror/sources/GeoLiteCityv6.dat.${GEOIP_DATABASE_VERSION}.gz;apply=no;name=GeoLiteCityv6-dat; \ file://run-ptest \ " SRCREV = "4b526e7331ca1d692b74a0509ddcc725622ed31a" ^ permalink raw reply related [flat|nested] 32+ messages in thread
* [scarthgap][PATCH 21/24] nng: Rename default branch of github.com:nanomsg/nng.git 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (19 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 20/24] geoip: fix do_fetch error Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 22/24] rp-pppoe: update SRC_URI Anuj Mittal ` (3 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Jeroen Knoops <jeroen.knoops@philips.com> Default branch is renamed from `master` to `main`. Commitshas are the same. Signed-off-by: Jeroen Knoops <jeroen.knoops@philips.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 58679b6a515b51d28c480836ad598fca6f0cc655) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- meta-networking/recipes-connectivity/nanomsg/nng_1.7.3.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-networking/recipes-connectivity/nanomsg/nng_1.7.3.bb b/meta-networking/recipes-connectivity/nanomsg/nng_1.7.3.bb index a6556249b7..9ae3b89371 100644 --- a/meta-networking/recipes-connectivity/nanomsg/nng_1.7.3.bb +++ b/meta-networking/recipes-connectivity/nanomsg/nng_1.7.3.bb @@ -5,7 +5,7 @@ SECTION = "libs/networking" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=a41e579bb4326c21c774f8e51e41d8a3" -SRC_URI = "git://github.com/nanomsg/nng.git;branch=master;protocol=https" +SRC_URI = "git://github.com/nanomsg/nng.git;branch=main;protocol=https" SRCREV = "85fbe7f9e4642b554d0d97f2e3ff2aa12978691a" S = "${WORKDIR}/git" ^ permalink raw reply related [flat|nested] 32+ messages in thread
* [scarthgap][PATCH 22/24] rp-pppoe: update SRC_URI 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (20 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 21/24] nng: Rename default branch of github.com:nanomsg/nng.git Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 23/24] mod-dnssd: " Anuj Mittal ` (2 subsequent siblings) 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Wang Mingyu <wangmy@fujitsu.com> Upstream repository url changed. Fixes unsuccessful fetch warning. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit c400aca52a19d74bcc05873eaad8265ecd024d9b) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- meta-networking/recipes-protocols/rp-pppoe/rp-pppoe_3.15.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-networking/recipes-protocols/rp-pppoe/rp-pppoe_3.15.bb b/meta-networking/recipes-protocols/rp-pppoe/rp-pppoe_3.15.bb index 4dfdb8fc21..1bfa4d1e2c 100644 --- a/meta-networking/recipes-protocols/rp-pppoe/rp-pppoe_3.15.bb +++ b/meta-networking/recipes-protocols/rp-pppoe/rp-pppoe_3.15.bb @@ -5,7 +5,7 @@ LICENSE = "GPL-2.0-only" LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=a194eaefae2be54ee3221339b10d0581" -SRC_URI = "https://dianne.skoll.ca/projects/rp-pppoe/download/OLD/rp-pppoe-${PV}.tar.gz \ +SRC_URI = "https://downloads.uls.co.za/rp-pppoe/rp-pppoe-${PV}.tar.gz \ file://top-autoconf.patch \ file://configure_in_cross.patch \ file://update-config.patch \ ^ permalink raw reply related [flat|nested] 32+ messages in thread
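Review bot: The commit message should say how the new download host in SRC_URI (downloads.uls.co.za, replacing dianne.skoll.ca) relates to upstream, and confirm that the recipe's existing checksum still matches. The hunk shows no checksum line being touched, so the archive from the new host has to be byte-identical to the one fetched before. Stating that this was verified with a clean fetch makes it clear the tarball was not re-rolled.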
* [scarthgap][PATCH 23/24] mod-dnssd: update SRC_URI 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (21 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 22/24] rp-pppoe: update SRC_URI Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 11:57 ` [scarthgap][PATCH 24/24] ssmping: Use debian mirror for SRC_URI Anuj Mittal 2025-09-23 14:46 ` [oe] [scarthgap][PATCH 00/24] Scarthgap pull request Gyorgy Sarvari 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Gyorgy Sarvari <skandigraun@gmail.com> Upstream repository url changed. Fixes unsuccessful fetch warning. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 10c13bf1fbe18ee51b27d6538df5058879ef1d3b) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb b/meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb index 5fac0a6ed4..6f2a2330ae 100644 --- a/meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb +++ b/meta-webserver/recipes-httpd/apache-mod/mod-dnssd_0.6.bb @@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57" DEPENDS = "apache2 avahi" -SRC_URI = "git://git.0pointer.de/mod_dnssd;protocol=git;branch=master" +SRC_URI = "git://git.0pointer.net/mod_dnssd.git;protocol=https;branch=master" SRCREV = "be2fb9f6158f800685de7a1bc01c39b6cf1fa12c" S = "${WORKDIR}/git" ^ permalink raw reply related [flat|nested] 32+ messages in thread
* [scarthgap][PATCH 24/24] ssmping: Use debian mirror for SRC_URI 2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal ` (22 preceding siblings ...) 2025-09-23 11:57 ` [scarthgap][PATCH 23/24] mod-dnssd: " Anuj Mittal @ 2025-09-23 11:57 ` Anuj Mittal 2025-09-23 14:46 ` [oe] [scarthgap][PATCH 00/24] Scarthgap pull request Gyorgy Sarvari 24 siblings, 0 replies; 32+ messages in thread From: Anuj Mittal @ 2025-09-23 11:57 UTC (permalink / raw) To: openembedded-devel From: Khem Raj <raj.khem@gmail.com> Original URI is not accessible anymore Drop md5sum Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit ceb91603415c6e059d866666574dd1be5b93867a) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> --- meta-networking/recipes-support/ssmping/ssmping_0.9.1.bb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/meta-networking/recipes-support/ssmping/ssmping_0.9.1.bb b/meta-networking/recipes-support/ssmping/ssmping_0.9.1.bb index 0531ffe640..307120dc75 100644 --- a/meta-networking/recipes-support/ssmping/ssmping_0.9.1.bb +++ b/meta-networking/recipes-support/ssmping/ssmping_0.9.1.bb @@ -4,10 +4,9 @@ SECTION = "net" LICENSE = "ISC" LIC_FILES_CHKSUM = "file://asmping.c;beginline=2;endline=11;md5=1ca8d1a1ca931e5cfe604ebf20a78b71" -SRC_URI = "http://www.venaas.no/multicast/ssmping/${BP}.tar.gz \ +SRC_URI = "${DEBIAN_MIRROR}/main/s/${BPN}/${BPN}_${PV}.orig.tar.gz;downloadfilename=${BP}.tar.gz \ file://0001-Makefile-tweak-install-dir.patch \ " -SRC_URI[md5sum] = "ad8e3d13f6d72918f73be7e7975d7fad" SRC_URI[sha256sum] = "22103a37eaa28489169a0927bc01e0596c3485fc4d29fc8456c07fd2c70fca6d" CFLAGS += "-D_GNU_SOURCE " ^ permalink raw reply related [flat|nested] 32+ messages in thread
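Review bot: SRC_URI[sha256sum] is left unchanged while the source moves from www.venaas.no to `${DEBIAN_MIRROR}/main/s/${BPN}/${BPN}_${PV}.orig.tar.gz`. That only fetches successfully if Debian's orig tarball is byte-identical to the original upstream archive, so the commit message should state that this was checked with a clean download rather than a copy already present in DL_DIR. Dropping the md5sum line is fine because the sha256 pin remains. That pin is also the only integrity control if DEBIAN_MIRROR resolves to a plain-http mirror, so it should not be regenerated from whatever the mirror serves.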
* Re: [oe] [scarthgap][PATCH 00/24] Scarthgap pull request
2025-09-23 11:57 [scarthgap][PATCH 00/24] Scarthgap pull request Anuj Mittal
` (23 preceding siblings ...)
2025-09-23 11:57 ` [scarthgap][PATCH 24/24] ssmping: Use debian mirror for SRC_URI Anuj Mittal
@ 2025-09-23 14:46 ` Gyorgy Sarvari
2025-09-24 4:01 ` Mittal, Anuj
24 siblings, 1 reply; 32+ messages in thread
From: Gyorgy Sarvari @ 2025-09-23 14:46 UTC (permalink / raw)
To: anuj.mittal, openembedded-devel
On 9/23/25 13:57, Anuj Mittal via lists.openembedded.org wrote:
> Please consider merging these changes for scarthgap. Tested with
> autobuilder and locally with qemux86-64 and qemuarm64:
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/944
>
Is this the correct link? This build has failed.
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [oe] [scarthgap][PATCH 00/24] Scarthgap pull request
2025-09-23 14:46 ` [oe] [scarthgap][PATCH 00/24] Scarthgap pull request Gyorgy Sarvari
@ 2025-09-24 4:01 ` Mittal, Anuj
2025-09-24 6:13 ` Khem Raj
0 siblings, 1 reply; 32+ messages in thread
From: Mittal, Anuj @ 2025-09-24 4:01 UTC (permalink / raw)
To: openembedded-devel@lists.openembedded.org, skandigraun@gmail.com
On Tue, 2025-09-23 at 16:46 +0200, Gyorgy Sarvari wrote:
> On 9/23/25 13:57, Anuj Mittal via lists.openembedded.org wrote:
> > Please consider merging these changes for scarthgap. Tested with
> > autobuilder and locally with qemux86-64 and qemuarm64:
> >
> > https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/944
> >
>
> Is this the correct link? This build has failed.
Yes, correct link but I should have added more details.
It uses a custom configuration that also attempts to build world for
qemuarm64. I had seen these failures - they are not related to this set
of patches, so I didn't want to hold the queue and was planning to
address these later.
But, I've included the fixes for these failures in current batch now.
Latest build passes with the patches I just sent.
https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/951
Thanks,
Anuj
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [oe] [scarthgap][PATCH 00/24] Scarthgap pull request
2025-09-24 4:01 ` Mittal, Anuj
@ 2025-09-24 6:13 ` Khem Raj
0 siblings, 0 replies; 32+ messages in thread
From: Khem Raj @ 2025-09-24 6:13 UTC (permalink / raw)
To: anuj.mittal
Cc: openembedded-devel@lists.openembedded.org, skandigraun@gmail.com
On Tue, Sep 23, 2025 at 9:01 PM Anuj Mittal via lists.openembedded.org <anuj.mittal=intel.com@lists.openembedded.org> wrote:
>
> On Tue, 2025-09-23 at 16:46 +0200, Gyorgy Sarvari wrote:
> > On 9/23/25 13:57, Anuj Mittal via lists.openembedded.org wrote:
> > > Please consider merging these changes for scarthgap. Tested with
> > > autobuilder and locally with qemux86-64 and qemuarm64:
> > >
> > > https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/944
> > >
> >
> > Is this the correct link? This build has failed.
>
> Yes, correct link but I should have added more details.
>
> It uses a custom configuration that also attempts to build world for
> qemuarm64. I had seen these failures - they are not related to this set
> of patches, so I didn't want to hold the queue and was planning to
> address these later.
>
> But, I've included the fixes for these failures in current batch now.
> Latest build passes with the patches I just sent.
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/951
>
Thanks for adding more context, I am fine with this patchset and thusly installed.
> Thanks,
>
> Anuj
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#119749): https://lists.openembedded.org/g/openembedded-devel/message/119749
> Mute This Topic: https://lists.openembedded.org/mt/115392513/1997914
> Group Owner: openembedded-devel+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 32+ messages in thread
* [scarthgap][PATCH 00/24] Scarthgap pull request
@ 2025-10-30 1:13 Anuj Mittal
2025-10-30 4:20 ` Khem Raj
0 siblings, 1 reply; 32+ messages in thread
From: Anuj Mittal @ 2025-10-30 1:13 UTC (permalink / raw)
To: openembedded-devel, raj.khem
This is an older set of changes that I wasn't able to send but
had tested earlier:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1034
This mostly includes CVE fixes sent to list and some SRC_URI and host gcc
version related changes.
The following changes since commit e621da947048842109db1b4fd3917a02e0501aa2:
procmail: Add -Wno-implicit-int to fix error of do_compile (2025-09-24 10:04:48 +0800)
are available in the Git repository at:
https://git.openembedded.org/meta-openembedded-contrib anujm/scarthgap
https://git.openembedded.org/meta-openembedded-contrib/log/?h=anujm/scarthgap
Adrian Freihofer (1):
thrift: fix build with gcc 15
Changqing Li (1):
mariadb: correct STACK_DIRECTION setting
Grygorii Tertychnyi (1):
libusbgx: fix gadget-stop install
Gyorgy Sarvari (6):
mosh: set working SRC_URI
psqlodbc: set valid SRC_URI
collectd: set working SRC_URI
apache2: ignore irrelevant CVEs
civetweb: patch CVE-2025-55763
dovecot: patch CVE-2022-30550
Jeroen Hofstee (2):
php: ignore CVE-2024-3566
nodejs: ignore CVE-2024-3566
Khem Raj (1):
uim: Stick to C17
Peter Marko (6):
ace: ignore CVE-2009-1147
audiofile: fix multiple CVEs
audiofile: patch CVE-2017-6829
audiofile: fix multiple CVEs
audiofile: patch CVE-2017-6831
audiofile: patch CVE-2017-6839
Praveen Kumar (1):
polkit: fix CVE-2025-7519
Saravanan (1):
udisks2: upgrade 2.10.1 -> 2.10.2
Sunil Dora (1):
layer.conf: add bpftrace to NON_MULTILIB_RECIPES
Yogita Urade (1):
indent: fix CVE-2023-40305
hongxu (1):
indent: fix CVE-2024-0911
mark.yang (1):
srecord: fix build failure with gcc-15
...w-in-directory-URI-slash-redirection.patch | 57 +
.../civetweb/civetweb_1.16.bb | 1 +
...g-passdbs-with-identical-driver-args.patch | 137 +
.../recipes-support/dovecot/dovecot_2.3.21.bb | 1 +
meta-oe/conf/layer.conf | 2 +-
.../recipes-connectivity/ace/ace_6.5.19.bb | 2 +
.../recipes-connectivity/mosh/mosh_1.4.0.bb | 5 +-
...missing-cstdint-include-for-int64_t-.patch | 51 +
.../thrift/thrift_0.20.0.bb | 3 +-
meta-oe/recipes-dbs/mysql/mariadb.inc | 1 -
.../psqlodbc/psqlodbc_16.00.0000.bb | 2 +-
.../recipes-devtools/nodejs/nodejs_20.18.2.bb | 1 +
meta-oe/recipes-devtools/php/php_8.2.29.bb | 1 +
.../collectd/collectd_5.12.0.bb | 4 +-
...ap-buffer-underread-in-set_buf_break.patch | 123 +
.../indent/indent/CVE-2023-40305_0001.patch | 4196 ++++++++++++++++
.../indent/indent/CVE-2023-40305_0002.patch | 4254 +++++++++++++++++
.../recipes-extended/indent/indent_2.2.12.bb | 3 +
.../polkit/files/CVE-2025-7519.patch | 34 +
meta-oe/recipes-extended/polkit/polkit_124.bb | 5 +-
.../audiofile/audiofile_0.3.6.bb | 5 +
...ays-check-the-number-of-coefficients.patch | 45 +
...ues-to-fix-index-overflow-in-IMA.cpp.patch | 43 +
...multiplication-overflow-in-sfconvert.patch | 79 +
...ail-when-error-occurs-in-parseFormat.patch | 46 +
...lication-overflow-in-MSADPCM-decodeS.patch | 126 +
.../recipes-support/libusbgx/libusbgx_git.bb | 2 +-
...e-with-gcc-15-by-adding-cstdint-head.patch | 36 +
.../recipes-support/srecord/srecord_1.65.0.bb | 4 +-
.../udisks/udisks2/CVE-2025-6019.patch | 51 -
.../{udisks2_2.10.1.bb => udisks2_2.10.2.bb} | 3 +-
meta-oe/recipes-support/uim/uim_1.8.8.bb | 2 +
.../recipes-httpd/apache2/apache2_2.4.65.bb | 12 +
33 files changed, 9273 insertions(+), 64 deletions(-)
create mode 100644 meta-networking/recipes-connectivity/civetweb/civetweb/0001-Fix-heap-overflow-in-directory-URI-slash-redirection.patch
create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch
create mode 100644 meta-oe/recipes-connectivity/thrift/thrift/0001-THRIFT-5842-Add-missing-cstdint-include-for-int64_t-.patch
create mode 100644 meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch
create mode 100644 meta-oe/recipes-extended/indent/indent/CVE-2023-40305_0001.patch
create mode 100644 meta-oe/recipes-extended/indent/indent/CVE-2023-40305_0002.patch
create mode 100644 meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch
create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch
create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch
create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
create mode 100644 meta-oe/recipes-support/srecord/files/0001-fix-build-failure-with-gcc-15-by-adding-cstdint-head.patch
delete mode 100644 meta-oe/recipes-support/udisks/udisks2/CVE-2025-6019.patch
rename meta-oe/recipes-support/udisks/{udisks2_2.10.1.bb => udisks2_2.10.2.bb} (95%)
^ permalink raw reply [flat|nested] 32+ messages in thread
* Re: [scarthgap][PATCH 00/24] Scarthgap pull request
2025-10-30 1:13 Anuj Mittal
@ 2025-10-30 4:20 ` Khem Raj
0 siblings, 0 replies; 32+ messages in thread
From: Khem Raj @ 2025-10-30 4:20 UTC (permalink / raw)
To: Anuj Mittal; +Cc: openembedded-devel
merged now, thanks Anuj
On Wed, Oct 29, 2025 at 6:13 PM Anuj Mittal <anuj.mittal@intel.com> wrote:
>
> This is an older set of changes that I wasn't able to send but
> had tested earlier:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1034
>
> This mostly includes CVE fixes sent to list and some SRC_URI and host gcc
> version related changes.
>
> The following changes since commit e621da947048842109db1b4fd3917a02e0501aa2:
>
> procmail: Add -Wno-implicit-int to fix error of do_compile (2025-09-24 10:04:48 +0800)
>
> are available in the Git repository at:
>
> https://git.openembedded.org/meta-openembedded-contrib anujm/scarthgap
> https://git.openembedded.org/meta-openembedded-contrib/log/?h=anujm/scarthgap
>
> Adrian Freihofer (1):
> thrift: fix build with gcc 15
>
> Changqing Li (1):
> mariadb: correct STACK_DIRECTION setting
>
> Grygorii Tertychnyi (1):
> libusbgx: fix gadget-stop install
>
> Gyorgy Sarvari (6):
> mosh: set working SRC_URI
> psqlodbc: set valid SRC_URI
> collectd: set working SRC_URI
> apache2: ignore irrelevant CVEs
> civetweb: patch CVE-2025-55763
> dovecot: patch CVE-2022-30550
>
> Jeroen Hofstee (2):
> php: ignore CVE-2024-3566
> nodejs: ignore CVE-2024-3566
>
> Khem Raj (1):
> uim: Stick to C17
>
> Peter Marko (6):
> ace: ignore CVE-2009-1147
> audiofile: fix multiple CVEs
> audiofile: patch CVE-2017-6829
> audiofile: fix multiple CVEs
> audiofile: patch CVE-2017-6831
> audiofile: patch CVE-2017-6839
>
> Praveen Kumar (1):
> polkit: fix CVE-2025-7519
>
> Saravanan (1):
> udisks2: upgrade 2.10.1 -> 2.10.2
>
> Sunil Dora (1):
> layer.conf: add bpftrace to NON_MULTILIB_RECIPES
>
> Yogita Urade (1):
> indent: fix CVE-2023-40305
>
> hongxu (1):
> indent: fix CVE-2024-0911
>
> mark.yang (1):
> srecord: fix build failure with gcc-15
>
> ...w-in-directory-URI-slash-redirection.patch | 57 +
> .../civetweb/civetweb_1.16.bb | 1 +
> ...g-passdbs-with-identical-driver-args.patch | 137 +
> .../recipes-support/dovecot/dovecot_2.3.21.bb | 1 +
> meta-oe/conf/layer.conf | 2 +-
> .../recipes-connectivity/ace/ace_6.5.19.bb | 2 +
> .../recipes-connectivity/mosh/mosh_1.4.0.bb | 5 +-
> ...missing-cstdint-include-for-int64_t-.patch | 51 +
> .../thrift/thrift_0.20.0.bb | 3 +-
> meta-oe/recipes-dbs/mysql/mariadb.inc | 1 -
> .../psqlodbc/psqlodbc_16.00.0000.bb | 2 +-
> .../recipes-devtools/nodejs/nodejs_20.18.2.bb | 1 +
> meta-oe/recipes-devtools/php/php_8.2.29.bb | 1 +
> .../collectd/collectd_5.12.0.bb | 4 +-
> ...ap-buffer-underread-in-set_buf_break.patch | 123 +
> .../indent/indent/CVE-2023-40305_0001.patch | 4196 ++++++++++++++++
> .../indent/indent/CVE-2023-40305_0002.patch | 4254 +++++++++++++++++
> .../recipes-extended/indent/indent_2.2.12.bb | 3 +
> .../polkit/files/CVE-2025-7519.patch | 34 +
> meta-oe/recipes-extended/polkit/polkit_124.bb | 5 +-
> .../audiofile/audiofile_0.3.6.bb | 5 +
> ...ays-check-the-number-of-coefficients.patch | 45 +
> ...ues-to-fix-index-overflow-in-IMA.cpp.patch | 43 +
> ...multiplication-overflow-in-sfconvert.patch | 79 +
> ...ail-when-error-occurs-in-parseFormat.patch | 46 +
> ...lication-overflow-in-MSADPCM-decodeS.patch | 126 +
> .../recipes-support/libusbgx/libusbgx_git.bb | 2 +-
> ...e-with-gcc-15-by-adding-cstdint-head.patch | 36 +
> .../recipes-support/srecord/srecord_1.65.0.bb | 4 +-
> .../udisks/udisks2/CVE-2025-6019.patch | 51 -
> .../{udisks2_2.10.1.bb => udisks2_2.10.2.bb} | 3 +-
> meta-oe/recipes-support/uim/uim_1.8.8.bb | 2 +
> .../recipes-httpd/apache2/apache2_2.4.65.bb | 12 +
> 33 files changed, 9273 insertions(+), 64 deletions(-)
> create mode 100644 meta-networking/recipes-connectivity/civetweb/civetweb/0001-Fix-heap-overflow-in-directory-URI-slash-redirection.patch
> create mode 100644 meta-networking/recipes-support/dovecot/dovecot/0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch
> create mode 100644 meta-oe/recipes-connectivity/thrift/thrift/0001-THRIFT-5842-Add-missing-cstdint-include-for-int64_t-.patch
> create mode 100644 meta-oe/recipes-extended/indent/indent/0001-Fix-a-heap-buffer-underread-in-set_buf_break.patch
> create mode 100644 meta-oe/recipes-extended/indent/indent/CVE-2023-40305_0001.patch
> create mode 100644 meta-oe/recipes-extended/indent/indent/CVE-2023-40305_0002.patch
> create mode 100644 meta-oe/recipes-extended/polkit/files/CVE-2025-7519.patch
> create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0004-Always-check-the-number-of-coefficients.patch
> create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0005-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
> create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0006-Check-for-multiplication-overflow-in-sfconvert.patch
> create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0007-Actually-fail-when-error-occurs-in-parseFormat.patch
> create mode 100644 meta-oe/recipes-multimedia/audiofile/files/0008-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
> create mode 100644 meta-oe/recipes-support/srecord/files/0001-fix-build-failure-with-gcc-15-by-adding-cstdint-head.patch
> delete mode 100644 meta-oe/recipes-support/udisks/udisks2/CVE-2025-6019.patch
> rename meta-oe/recipes-support/udisks/{udisks2_2.10.1.bb => udisks2_2.10.2.bb} (95%)
>
^ permalink raw reply [flat|nested] 32+ messages in thread
* [scarthgap][PATCH 00/24] Scarthgap pull request
@ 2025-09-12 9:06 Anuj Mittal
2025-09-15 5:00 ` Khem Raj
0 siblings, 1 reply; 32+ messages in thread
From: Anuj Mittal @ 2025-09-12 9:06 UTC (permalink / raw)
To: raj.khem, openembedded-devel
Please merge these changes. Tested using qemux86-64 and qemuarm64.
The following changes since commit c29a18fa39ede952f3f6108ec007c1906e2d9a0d:
mbedtls: drop tag parameter from SRC_URI. (2025-08-18 08:35:05 -0700)
are available in the Git repository at:
https://git.openembedded.org/meta-openembedded-contrib anujm/scarthgap
https://git.openembedded.org/meta-openembedded-contrib/log/?h=anujm/scarthgap
Alexandre Truong (1):
hunspell-dictionaries: switch branch from master to main
Changqing Li (1):
luajit: fix several CVEs
Deepak Rathore (1):
protobuf 4.25.8: Mark CVE-2024-7254 as patched
Gyorgy Sarvari (1):
poppler: fix typos in CVE-2025-52886-0001.patch
Hitendra Prajapati (1):
libssh: fix CVE-2025-4877
Jan Vermaete (1):
python3-werkzeug: added python3-difflib as RDEPENDS
Jiaying Song (1):
v4l-utils: Fix QA and build errors related to _TIME_BITS on 32-bit
Martin Jansa (1):
abseil-cpp: fix build with gcc-15 on host
Martin Schwan (1):
linuxptp: Add systemd instance specifier for ptp4l dependency
Michael Opdenacker (1):
kernel-hardening-checker: backport recipe
Peter Marko (1):
nginx: patch CVE-2025-53859
Praveen Kumar (1):
php: upgrade 8.2.28 -> 8.2.29
Randolph Sapp (1):
vulkan-cts: allow vulkan versions > 1.3
Roland Kovacs (1):
jq: add Upstream-Status and CVE tags into .patch files
Yogita Urade (2):
poppler: fix CVE-2025-50420
postgresql: upgrade 16.9 -> 16.10
Zhang Peng (8):
gnuplot: fix CVE-2025-3359
gnuplot: fix CVE-2025-31176
gnuplot: fix CVE-2025-31177
gnuplot: fix CVE-2025-31178
gnuplot: fix CVE-2025-31179
gnuplot: fix CVE-2025-31180
gnuplot: fix CVE-2025-31181
iperf3: fix CVE-2025-54349
.../iperf3/iperf3/CVE-2025-54349.patch | 97 +++++++++++
.../recipes-benchmark/iperf3/iperf3_3.18.bb | 1 +
.../linuxptp/systemd/phc2sys@.service.in | 4 +-
...c-bypass-autoconf-2.69-version-check.patch | 4 +-
...postgresql_16.9.bb => postgresql_16.10.bb} | 4 +-
...r-internal-Explicitly-include-cstdin.patch | 34 ++++
.../abseil-cpp/abseil-cpp_20240116.3.bb | 1 +
.../jq/jq/CVE-2024-23337.patch | 3 +
.../jq/jq/CVE-2024-53427.patch | 3 +
.../jq/jq/CVE-2025-48060.patch | 3 +
.../luajit/luajit/CVE-2024-25176.patch | 32 ++++
.../luajit/luajit/CVE-2024-25177.patch | 47 +++++
.../luajit/luajit/CVE-2024-25178.patch | 162 ++++++++++++++++++
meta-oe/recipes-devtools/luajit/luajit_git.bb | 3 +
.../php/{php_8.2.28.bb => php_8.2.29.bb} | 2 +-
.../protobuf/protobuf_4.25.8.bb | 2 +
.../gnuplot/gnuplot/CVE-2025-31176.patch | 86 ++++++++++
.../gnuplot/gnuplot/CVE-2025-31177.patch | 40 +++++
.../gnuplot/gnuplot/CVE-2025-31178.patch | 95 ++++++++++
.../gnuplot/gnuplot/CVE-2025-31179.patch | 35 ++++
.../gnuplot/gnuplot/CVE-2025-31180.patch | 43 +++++
.../gnuplot/gnuplot/CVE-2025-31181.patch | 43 +++++
.../gnuplot/gnuplot/CVE-2025-3359.patch | 67 ++++++++
.../recipes-extended/gnuplot/gnuplot_5.4.3.bb | 7 +
...e-CTS-with-unknown-versions-of-Vulka.patch | 41 +++++
.../vk-gl-cts/vulkan-cts_1.3.7.3.bb | 1 +
...on.build-fix-arm-_TIME_BITS-64-error.patch | 38 ++++
.../v4l2apps/v4l-utils_1.26.1.bb | 5 +-
...ject.toml-fix-up-license-information.patch | 31 ++++
...-relax-setuptool-version-requirement.patch | 29 ++++
.../kernel-hardening-checker_0.6.10.2.bb | 41 +++++
.../hunspell/hunspell-dictionaries.bb | 2 +-
.../libssh/libssh/CVE-2025-4877.patch | 57 ++++++
.../recipes-support/libssh/libssh_0.10.6.bb | 1 +
.../poppler/poppler/CVE-2025-50420.patch | 38 ++++
.../poppler/poppler/CVE-2025-52886-0001.patch | 144 ++++++++--------
.../poppler/poppler_23.04.0.bb | 1 +
.../python/python3-werkzeug_3.0.6.bb | 1 +
.../nginx/files/CVE-2025-53859.patch | 131 ++++++++++++++
meta-webserver/recipes-httpd/nginx/nginx.inc | 1 +
40 files changed, 1293 insertions(+), 87 deletions(-)
create mode 100644 meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
rename meta-oe/recipes-dbs/postgresql/{postgresql_16.9.bb => postgresql_16.10.bb} (75%)
create mode 100644 meta-oe/recipes-devtools/abseil-cpp/abseil-cpp/0001-PR-1739-container-internal-Explicitly-include-cstdin.patch
create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178.patch
rename meta-oe/recipes-devtools/php/{php_8.2.28.bb => php_8.2.29.bb} (99%)
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31176.patch
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31177.patch
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31178.patch
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31179.patch
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31180.patch
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31181.patch
create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch
create mode 100644 meta-oe/recipes-graphics/vk-gl-cts/vulkan-cts/0001-Allow-running-the-CTS-with-unknown-versions-of-Vulka.patch
create mode 100644 meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0003-meson.build-fix-arm-_TIME_BITS-64-error.patch
create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/files/0001-pyproject.toml-fix-up-license-information.patch
create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/files/0002-pyproject.toml-relax-setuptool-version-requirement.patch
create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.2.bb
create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
create mode 100644 meta-oe/recipes-support/poppler/poppler/CVE-2025-50420.patch
create mode 100755 meta-webserver/recipes-httpd/nginx/files/CVE-2025-53859.patch
* Re: [scarthgap][PATCH 00/24] Scarthgap pull request
2025-09-12 9:06 Anuj Mittal
@ 2025-09-15 5:00 ` Khem Raj
0 siblings, 0 replies; 32+ messages in thread
From: Khem Raj @ 2025-09-15 5:00 UTC (permalink / raw)
To: Anuj Mittal; +Cc: openembedded-devel
Merged now, Thanks Anuj
On Fri, Sep 12, 2025 at 2:06 AM Anuj Mittal <anuj.mittal@intel.com> wrote:
>
> Please merge these changes. Tested using qemux86-64 and qemuarm64.
>
> The following changes since commit c29a18fa39ede952f3f6108ec007c1906e2d9a0d:
>
> mbedtls: drop tag parameter from SRC_URI. (2025-08-18 08:35:05 -0700)
>
> are available in the Git repository at:
>
> https://git.openembedded.org/meta-openembedded-contrib anujm/scarthgap
> https://git.openembedded.org/meta-openembedded-contrib/log/?h=anujm/scarthgap
>
> Alexandre Truong (1):
> hunspell-dictionaries: switch branch from master to main
>
> Changqing Li (1):
> luajit: fix several CVEs
>
> Deepak Rathore (1):
> protobuf 4.25.8: Mark CVE-2024-7254 as patched
>
> Gyorgy Sarvari (1):
> poppler: fix typos in CVE-2025-52886-0001.patch
>
> Hitendra Prajapati (1):
> libssh: fix CVE-2025-4877
>
> Jan Vermaete (1):
> python3-werkzeug: added python3-difflib as RDEPENDS
>
> Jiaying Song (1):
> v4l-utils: Fix QA and build errors related to _TIME_BITS on 32-bit
>
> Martin Jansa (1):
> abseil-cpp: fix build with gcc-15 on host
>
> Martin Schwan (1):
> linuxptp: Add systemd instance specifier for ptp4l dependency
>
> Michael Opdenacker (1):
> kernel-hardening-checker: backport recipe
>
> Peter Marko (1):
> nginx: patch CVE-2025-53859
>
> Praveen Kumar (1):
> php: upgrade 8.2.28 -> 8.2.29
>
> Randolph Sapp (1):
> vulkan-cts: allow vulkan versions > 1.3
>
> Roland Kovacs (1):
> jq: add Upstream-Status and CVE tags into .patch files
>
> Yogita Urade (2):
> poppler: fix CVE-2025-50420
> postgresql: upgrade 16.9 -> 16.10
>
> Zhang Peng (8):
> gnuplot: fix CVE-2025-3359
> gnuplot: fix CVE-2025-31176
> gnuplot: fix CVE-2025-31177
> gnuplot: fix CVE-2025-31178
> gnuplot: fix CVE-2025-31179
> gnuplot: fix CVE-2025-31180
> gnuplot: fix CVE-2025-31181
> iperf3: fix CVE-2025-54349
>
> .../iperf3/iperf3/CVE-2025-54349.patch | 97 +++++++++++
> .../recipes-benchmark/iperf3/iperf3_3.18.bb | 1 +
> .../linuxptp/systemd/phc2sys@.service.in | 4 +-
> ...c-bypass-autoconf-2.69-version-check.patch | 4 +-
> ...postgresql_16.9.bb => postgresql_16.10.bb} | 4 +-
> ...r-internal-Explicitly-include-cstdin.patch | 34 ++++
> .../abseil-cpp/abseil-cpp_20240116.3.bb | 1 +
> .../jq/jq/CVE-2024-23337.patch | 3 +
> .../jq/jq/CVE-2024-53427.patch | 3 +
> .../jq/jq/CVE-2025-48060.patch | 3 +
> .../luajit/luajit/CVE-2024-25176.patch | 32 ++++
> .../luajit/luajit/CVE-2024-25177.patch | 47 +++++
> .../luajit/luajit/CVE-2024-25178.patch | 162 ++++++++++++++++++
> meta-oe/recipes-devtools/luajit/luajit_git.bb | 3 +
> .../php/{php_8.2.28.bb => php_8.2.29.bb} | 2 +-
> .../protobuf/protobuf_4.25.8.bb | 2 +
> .../gnuplot/gnuplot/CVE-2025-31176.patch | 86 ++++++++++
> .../gnuplot/gnuplot/CVE-2025-31177.patch | 40 +++++
> .../gnuplot/gnuplot/CVE-2025-31178.patch | 95 ++++++++++
> .../gnuplot/gnuplot/CVE-2025-31179.patch | 35 ++++
> .../gnuplot/gnuplot/CVE-2025-31180.patch | 43 +++++
> .../gnuplot/gnuplot/CVE-2025-31181.patch | 43 +++++
> .../gnuplot/gnuplot/CVE-2025-3359.patch | 67 ++++++++
> .../recipes-extended/gnuplot/gnuplot_5.4.3.bb | 7 +
> ...e-CTS-with-unknown-versions-of-Vulka.patch | 41 +++++
> .../vk-gl-cts/vulkan-cts_1.3.7.3.bb | 1 +
> ...on.build-fix-arm-_TIME_BITS-64-error.patch | 38 ++++
> .../v4l2apps/v4l-utils_1.26.1.bb | 5 +-
> ...ject.toml-fix-up-license-information.patch | 31 ++++
> ...-relax-setuptool-version-requirement.patch | 29 ++++
> .../kernel-hardening-checker_0.6.10.2.bb | 41 +++++
> .../hunspell/hunspell-dictionaries.bb | 2 +-
> .../libssh/libssh/CVE-2025-4877.patch | 57 ++++++
> .../recipes-support/libssh/libssh_0.10.6.bb | 1 +
> .../poppler/poppler/CVE-2025-50420.patch | 38 ++++
> .../poppler/poppler/CVE-2025-52886-0001.patch | 144 ++++++++--------
> .../poppler/poppler_23.04.0.bb | 1 +
> .../python/python3-werkzeug_3.0.6.bb | 1 +
> .../nginx/files/CVE-2025-53859.patch | 131 ++++++++++++++
> meta-webserver/recipes-httpd/nginx/nginx.inc | 1 +
> 40 files changed, 1293 insertions(+), 87 deletions(-)
> create mode 100644 meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2025-54349.patch
> rename meta-oe/recipes-dbs/postgresql/{postgresql_16.9.bb => postgresql_16.10.bb} (75%)
> create mode 100644 meta-oe/recipes-devtools/abseil-cpp/abseil-cpp/0001-PR-1739-container-internal-Explicitly-include-cstdin.patch
> create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25176.patch
> create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25177.patch
> create mode 100644 meta-oe/recipes-devtools/luajit/luajit/CVE-2024-25178.patch
> rename meta-oe/recipes-devtools/php/{php_8.2.28.bb => php_8.2.29.bb} (99%)
> create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31176.patch
> create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31177.patch
> create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31178.patch
> create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31179.patch
> create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31180.patch
> create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-31181.patch
> create mode 100644 meta-oe/recipes-extended/gnuplot/gnuplot/CVE-2025-3359.patch
> create mode 100644 meta-oe/recipes-graphics/vk-gl-cts/vulkan-cts/0001-Allow-running-the-CTS-with-unknown-versions-of-Vulka.patch
> create mode 100644 meta-oe/recipes-multimedia/v4l2apps/v4l-utils/0003-meson.build-fix-arm-_TIME_BITS-64-error.patch
> create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/files/0001-pyproject.toml-fix-up-license-information.patch
> create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/files/0002-pyproject.toml-relax-setuptool-version-requirement.patch
> create mode 100644 meta-oe/recipes-security/kernel-hardening-checker/kernel-hardening-checker_0.6.10.2.bb
> create mode 100644 meta-oe/recipes-support/libssh/libssh/CVE-2025-4877.patch
> create mode 100644 meta-oe/recipes-support/poppler/poppler/CVE-2025-50420.patch
> create mode 100755 meta-webserver/recipes-httpd/nginx/files/CVE-2025-53859.patch