[OE-core][scarthgap 0/7] Patch review

[OE-core][scarthgap 0/7] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Thursday, July 11

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7115

The following changes since commit 1cab8d06ce5df7a8d00cff8531965a84d90d265a:

  curl: locale-base-en-us isn't glibc-specific (2024-07-03 07:09:47 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Changqing Li (2):
  apt-native: don't let dpkg overwrite files by default
  apt: runtime error: filename too long (tmpdir length)

Hitendra Prajapati (1):
  ghostscript: upgrade 10.02.1 -> 10.03.1

Peter Marko (2):
  flac: fix buildpaths warnings
  cargo: remove True option to getVar calls

Xiangyu Chen (1):
  qemu: Upgrade 8.2.1 -> 8.2.2

aszh07 (1):
  xz: Update LICENSE variable for xz packages

 meta/classes-recipe/cargo_common.bbclass      |  4 +-
 meta/classes-recipe/ptest-cargo.bbclass       | 18 ++--
 ...he-filename-can-t-be-longer-than-255.patch | 40 ++++++++
 meta/recipes-devtools/apt/apt_2.6.1.bb        |  3 +-
 ...u-native_8.2.1.bb => qemu-native_8.2.2.bb} |  0
 ...e_8.2.1.bb => qemu-system-native_8.2.2.bb} |  0
 meta/recipes-devtools/qemu/qemu.inc           |  3 +-
 .../qemu/qemu/CVE-2023-6683.patch             | 91 -----------------
 .../qemu/{qemu_8.2.1.bb => qemu_8.2.2.bb}     |  0
 .../ghostscript/CVE-2024-29510.patch          | 84 ----------------
 .../ghostscript/CVE-2024-33869-0001.patch     | 39 --------
 .../ghostscript/CVE-2024-33869-0002.patch     | 52 ----------
 .../ghostscript/CVE-2024-33870.patch          | 99 -------------------
 .../ghostscript/CVE-2024-33871.patch          | 43 --------
 .../avoid-host-contamination.patch            | 11 +--
 ...dd-option-to-explicitly-disable-neon.patch | 99 -------------------
 ...ript_10.02.1.bb => ghostscript_10.03.1.bb} |  8 +-
 meta/recipes-extended/xz/xz_5.4.6.bb          |  6 +-
 meta/recipes-multimedia/flac/flac_1.4.3.bb    |  7 ++
 19 files changed, 69 insertions(+), 538 deletions(-)
 create mode 100644 meta/recipes-devtools/apt/apt/0001-strutl.cc-the-filename-can-t-be-longer-than-255.patch
 rename meta/recipes-devtools/qemu/{qemu-native_8.2.1.bb => qemu-native_8.2.2.bb} (100%)
 rename meta/recipes-devtools/qemu/{qemu-system-native_8.2.1.bb => qemu-system-native_8.2.2.bb} (100%)
 delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
 rename meta/recipes-devtools/qemu/{qemu_8.2.1.bb => qemu_8.2.2.bb} (100%)
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch
 delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/configure.ac-add-option-to-explicitly-disable-neon.patch
 rename meta/recipes-extended/ghostscript/{ghostscript_10.02.1.bb => ghostscript_10.03.1.bb} (88%)

-- 
2.34.1

[OE-core][scarthgap 0/7] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Thursday, February 20

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1037

The following changes since commit 61880aac34ff408a8bc5060c6140bfd086b27524:

  base-files: Drop /bin/sh dependency (2025-02-11 05:51:35 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Aleksandar Nikolic (1):
  scripts/install-buildtools: Update to 5.0.7

Divya Chellam (1):
  vim: Upgrade 9.1.0764 -> 9.1.1043

Johannes Schneider (1):
  ppp: Revert lock path to /var/lock

Oleksandr Hnatiuk (1):
  icu: remove host references in nativesdk to fix reproducibility

Peter Marko (3):
  subversion: ignore CVE-2024-45720
  gnutls: patch CVE-2024-12243
  openssl: upgrade 3.2.3 -> 3.2.4

 ...ke-history-reporting-when-test-fails.patch |   40 +-
 ...1-Configure-do-not-tweak-mips-cflags.patch |    2 +-
 ...sysroot-and-debug-prefix-map-from-co.patch |    4 +-
 .../openssl/openssl/CVE-2024-13176.patch      |  126 --
 .../openssl/openssl/CVE-2024-9143.patch       |  202 ---
 .../{openssl_3.2.3.bb => openssl_3.2.4.bb}    |    4 +-
 ...001-Revert-lock-path-to-var-lock-435.patch |   63 +
 meta/recipes-connectivity/ppp/ppp_2.5.0.bb    |    1 +
 .../subversion/subversion_1.14.3.bb           |    2 +
 .../gnutls/gnutls/CVE-2024-12243.patch        | 1149 +++++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |    1 +
 meta/recipes-support/icu/icu_74-2.bb          |   33 +-
 meta/recipes-support/vim/vim.inc              |    4 +-
 scripts/install-buildtools                    |    4 +-
 14 files changed, 1268 insertions(+), 367 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
 delete mode 100755 meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.2.3.bb => openssl_3.2.4.bb} (98%)
 create mode 100644 meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch

-- 
2.43.0

[OE-core][scarthgap 0/7] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Thursday, May 8

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1529

The following changes since commit 00dd4901e364d16d96cfab864823a9cfdd336eeb:

  Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR" (2025-04-29 10:21:16 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Ashish Sharma (1):
  libsoup: patch CVE-2025-46420

Deepesh Varatharajan (2):
  glibc: stable 2.39 branch updates
  binutils: stable 2.42 branch updates

Jeroen Hofstee (2):
  bluez5: make media control a PACKAGECONFIG option
  bluez5: backport a patch to fix btmgmt -i

Peter Marko (1):
  sqlite3: mark CVE-2025-29087 as patched

Soumya Sambu (1):
  elfutils: Fix CVE-2025-1371

 meta/recipes-connectivity/bluez5/bluez5.inc   |  3 +
 ...ndex-option-for-non-interactive-mode.patch | 29 +++++++++
 meta/recipes-core/glibc/glibc-version.inc     |  2 +-
 .../binutils/binutils-2.42.inc                |  2 +-
 .../elfutils/elfutils_0.191.bb                |  1 +
 .../elfutils/files/CVE-2025-1371.patch        | 41 +++++++++++++
 .../libsoup-3.4.4/CVE-2025-46420.patch        | 60 +++++++++++++++++++
 meta/recipes-support/libsoup/libsoup_3.4.4.bb |  1 +
 .../sqlite/sqlite3/CVE-2025-3277.patch        |  1 +
 9 files changed, 138 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/toolsbtmgmt-fix-index-option-for-non-interactive-mode.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1371.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46420.patch

-- 
2.43.0

[OE-core][scarthgap 0/7] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Friday, May 23

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1625

The following changes since commit b214cc84a922f7a3fb7ebbc501189ce25e8bd2bd:

  glibc-y2038-tests: remove glibc-y2038-tests_2.39.bb recipe (2025-05-15 09:42:55 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Ashish Sharma (1):
  libsoup-2.4: Fix CVE-2025-46420

Nguyen Dat Tho (1):
  libatomic-ops: Update GITHUB_BASE_URI

Praveen Kumar (2):
  connman :fix CVE-2025-32366
  glib-2.0: fix CVE-2025-4373

Sunil Dora (1):
  binutils: Fix CVE-2025-1153

Vijay Anusuri (1):
  openssh: Fix for CVE-2025-32728

Vyacheslav Yurkov (1):
  systemd: Password agents shouldn't be optional

 .../connman/connman/CVE-2025-32366.patch      |   41 +
 .../connman/connman_1.42.bb                   |    1 +
 .../openssh/openssh/CVE-2025-32728.patch      |   44 +
 .../openssh/openssh_9.6p1.bb                  |    1 +
 .../glib-2.0/glib-2.0/CVE-2025-4373-01.patch  |  120 +
 .../glib-2.0/glib-2.0/CVE-2025-4373-02.patch  |   29 +
 meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb |    2 +
 meta/recipes-core/systemd/systemd_255.18.bb   |   10 -
 .../binutils/binutils-2.42.inc                |    3 +
 .../binutils/0019-CVE-2025-1153-1.patch       | 3207 ++++++++++++++
 .../binutils/0020-CVE-2025-1153-2.patch       |  840 ++++
 .../binutils/0021-CVE-2025-1153-3.patch       | 3756 +++++++++++++++++
 .../libatomic-ops/libatomic-ops_7.8.2.bb      |    4 +-
 .../libsoup/libsoup-2.4/CVE-2025-46420.patch  |   60 +
 .../libsoup/libsoup-2.4_2.74.3.bb             |    1 +
 15 files changed, 8107 insertions(+), 12 deletions(-)
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
 create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0019-CVE-2025-1153-1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0020-CVE-2025-1153-2.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0021-CVE-2025-1153-3.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch

-- 
2.43.0

[OE-core][scarthgap 0/7] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Thursday, November 6

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2676

The following changes since commit 4cb834388759540ea5bf7265389b9f1b2e15333a:

  bind: upgrade 9.18.33 -> 9.18.41 (2025-10-29 07:13:09 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Bastian Krause (1):
  util-linux: fix pointer usage in hwclock param handling

Michael Haener (1):
  Remove empty file

Peter Marko (4):
  wpa-supplicant: patch CVE-2025-24912
  binutils: patch CVE-2025-11414
  binutils: patch CVE-2025-11412
  binutils: patch CVE-2025-11413

Yannic Moog (1):
  perf: add arm64 source files for unistd_64.h

 .../wpa-supplicant/CVE-2025-24912-01.patch    | 79 +++++++++++++++++
 .../wpa-supplicant/CVE-2025-24912-02.patch    | 70 ++++++++++++++++
 .../wpa-supplicant/wpa-supplicant_2.10.bb     |  2 +
 meta/recipes-core/util-linux/util-linux.inc   |  1 +
 ...-utils-hwclock-rtc-fix-pointer-usage.patch | 27 ++++++
 .../binutils/binutils-2.42.inc                |  3 +
 .../binutils/binutils/CVE-2025-11412.patch    | 35 ++++++++
 .../binutils/binutils/CVE-2025-11413.patch    | 38 +++++++++
 .../binutils/binutils/CVE-2025-11414.patch    | 84 +++++++++++++++++++
 meta/recipes-kernel/perf/perf.bb              |  3 +-
 test                                          |  0
 11 files changed, 341 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/sys-utils-hwclock-rtc-fix-pointer-usage.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
 delete mode 100644 test

-- 
2.43.0

[OE-core][scarthgap 1/7] wpa-supplicant: patch CVE-2025-24912

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Pick patches as listed in NVD CVE report.

Note that Debian lists one of the patches as introducing the
vulnerability. This is against what the original report [1] says.
Also the commit messages provide hints that the first patch fixes this
issue and second is fixing problem with the first patch.

[1] https://jvn.jp/en/jp/JVN19358384/

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../wpa-supplicant/CVE-2025-24912-01.patch    | 79 +++++++++++++++++++
 .../wpa-supplicant/CVE-2025-24912-02.patch    | 70 ++++++++++++++++
 .../wpa-supplicant/wpa-supplicant_2.10.bb     |  2 +
 3 files changed, 151 insertions(+)
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
new file mode 100644
index 0000000000..8976047f68
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
@@ -0,0 +1,79 @@
+From 726432d7622cc0088ac353d073b59628b590ea44 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sat, 25 Jan 2025 11:21:16 +0200
+Subject: [PATCH] RADIUS: Drop pending request only when accepting the response
+
+The case of an invalid authenticator in a RADIUS response could imply
+that the response is not from the correct RADIUS server and as such,
+such a response should be discarded without changing internal state for
+the pending request. The case of an unknown response (RADIUS_RX_UNKNOWN)
+is somewhat more complex since it could have been indicated before
+validating the authenticator. In any case, it seems better to change the
+state for the pending request only when we have fully accepted the
+response.
+
+Allowing the internal state of pending RADIUS request to change based on
+responses that are not fully validation could have allow at least a
+theoretical DoS attack if an attacker were to have means for injecting
+RADIUS messages to the network using the IP address of the real RADIUS
+server and being able to do so more quickly than the real server and
+with the matching identifier from the request header (i.e., either by
+flooding 256 responses quickly or by having means to capture the RADIUS
+request). These should not really be realistic options in a properly
+protected deployment, but nevertheless it is good to be more careful in
+processing RADIUS responses.
+
+Remove a pending RADIUS request from the internal list only when having
+fully accepted a matching RADIUS response, i.e., after one of the
+registered handlers has confirmed that the authenticator is valid and
+processing of the response has succeeded.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+
+CVE: CVE-2025-24912
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=726432d7622cc0088ac353d073b59628b590ea44]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius_client.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
+index 2a7f36170..7909b29a7 100644
+--- a/src/radius/radius_client.c
++++ b/src/radius/radius_client.c
+@@ -922,13 +922,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		       roundtrip / 100, roundtrip % 100);
+ 	rconf->round_trip_time = roundtrip;
+ 
+-	/* Remove ACKed RADIUS packet from retransmit list */
+-	if (prev_req)
+-		prev_req->next = req->next;
+-	else
+-		radius->msgs = req->next;
+-	radius->num_msgs--;
+-
+ 	for (i = 0; i < num_handlers; i++) {
+ 		RadiusRxResult res;
+ 		res = handlers[i].handler(msg, req->msg, req->shared_secret,
+@@ -939,6 +932,13 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 			radius_msg_free(msg);
+ 			/* fall through */
+ 		case RADIUS_RX_QUEUED:
++			/* Remove ACKed RADIUS packet from retransmit list */
++			if (prev_req)
++				prev_req->next = req->next;
++			else
++				radius->msgs = req->next;
++			radius->num_msgs--;
++
+ 			radius_client_msg_free(req);
+ 			return;
+ 		case RADIUS_RX_INVALID_AUTHENTICATOR:
+@@ -960,7 +960,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		       msg_type, hdr->code, hdr->identifier,
+ 		       invalid_authenticator ? " [INVALID AUTHENTICATOR]" :
+ 		       "");
+-	radius_client_msg_free(req);
+ 
+  fail:
+ 	radius_msg_free(msg);
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
new file mode 100644
index 0000000000..f3cecd6d5f
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
@@ -0,0 +1,70 @@
+From 339a334551ca911187cc870f4f97ef08e11db109 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <quic_jouni@quicinc.com>
+Date: Wed, 5 Feb 2025 19:23:39 +0200
+Subject: [PATCH] RADIUS: Fix pending request dropping
+
+A recent change to this moved the place where the processed RADIUS
+request was removed from the pending list to happen after the message
+handler had been called. This did not take into account possibility of
+the handler adding a new pending request in the list and the prev_req
+pointer not necessarily pointing to the correct entry anymore. As such,
+some of the pending requests could have been lost and that would result
+in not being able to process responses to those requests and also, to a
+memory leak.
+
+Fix this by determining prev_req at the point when the pending request
+is being removed, i.e., after the handler function has already added a
+new entry.
+
+Fixes: 726432d7622c ("RADIUS: Drop pending request only when accepting the response")
+Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
+
+CVE: CVE-2025-24912
+Upstream-Status: Backport [https://w1.fi/cgit/hostap/commit/?id=339a334551ca911187cc870f4f97ef08e11db109]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/radius/radius_client.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/radius/radius_client.c b/src/radius/radius_client.c
+index 7909b29a7..d4faa7936 100644
+--- a/src/radius/radius_client.c
++++ b/src/radius/radius_client.c
+@@ -824,7 +824,7 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 	struct radius_hdr *hdr;
+ 	struct radius_rx_handler *handlers;
+ 	size_t num_handlers, i;
+-	struct radius_msg_list *req, *prev_req;
++	struct radius_msg_list *req, *prev_req, *r;
+ 	struct os_reltime now;
+ 	struct hostapd_radius_server *rconf;
+ 	int invalid_authenticator = 0;
+@@ -887,7 +887,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		break;
+ 	}
+ 
+-	prev_req = NULL;
+ 	req = radius->msgs;
+ 	while (req) {
+ 		/* TODO: also match by src addr:port of the packet when using
+@@ -899,7 +898,6 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 		    hdr->identifier)
+ 			break;
+ 
+-		prev_req = req;
+ 		req = req->next;
+ 	}
+ 
+@@ -933,6 +931,12 @@ static void radius_client_receive(int sock, void *eloop_ctx, void *sock_ctx)
+ 			/* fall through */
+ 		case RADIUS_RX_QUEUED:
+ 			/* Remove ACKed RADIUS packet from retransmit list */
++			prev_req = NULL;
++			for (r = radius->msgs; r; r = r->next) {
++				if (r == req)
++					break;
++				prev_req = r;
++			}
+ 			if (prev_req)
+ 				prev_req->next = req->next;
+ 			else
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
index fd98bdcc36..f939945b08 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -36,6 +36,8 @@ SRC_URI = "http://w1.fi/releases/wpa_supplicant-${PV}.tar.gz \
            file://CVE-2022-37660-0003.patch \
            file://CVE-2022-37660-0004.patch \
            file://CVE-2022-37660-0005.patch \
+           file://CVE-2025-24912-01.patch \
+           file://CVE-2025-24912-02.patch \
            "
 SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7e17b2f"
 
-- 
2.43.0

[OE-core][scarthgap 2/7] binutils: patch CVE-2025-11414

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Pick commit per NVD CVE report.

(From OE-Core rev: cd7ce80fa1a99916aa2f93c4d9591c5496c3ef71)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.42.inc                |  1 +
 .../binutils/binutils/CVE-2025-11414.patch    | 84 +++++++++++++++++++
 2 files changed, 85 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index dcd3325ecc..21f0f7e3a7 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -63,5 +63,6 @@ SRC_URI = "\
      file://0025-CVE-2025-11083.patch \
      file://0026-CVE-2025-11081.patch \
      file://0027-CVE-2025-8225.patch \
+     file://CVE-2025-11414.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
new file mode 100644
index 0000000000..c6e45c3091
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
@@ -0,0 +1,84 @@
+From aeaaa9af6359c8e394ce9cf24911fec4f4d23703 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 23 Sep 2025 08:52:26 +0800
+Subject: [PATCH] elf: Return error on unsorted symbol table if not allowed
+
+Normally ELF symbol table should be sorted, i.e., local symbols precede
+global symbols.  Irix 6 is an exception and its elf_bad_symtab is set
+to true.  Issue an error if elf_bad_symtab is false and symbol table is
+unsorted.
+
+	PR ld/33450
+	* elflink.c (set_symbol_value): Change return type to bool and
+	return false on error.  Issue an error on unsorted symbol table
+	if not allowed.
+	(elf_link_input_bfd): Return false if set_symbol_value reurns
+	false.
+
+Signed-off-by: H.J. Lu <hjl.tools@gmail.com>
+
+CVE: CVE-2025-11414
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elflink.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 66982f82b94..54f0d6e957e 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -8914,7 +8914,7 @@ struct elf_outext_info
+    <binary-operator> := as in C
+    <unary-operator> := as in C, plus "0-" for unambiguous negation.  */
+ 
+-static void
++static bool
+ set_symbol_value (bfd *bfd_with_globals,
+ 		  Elf_Internal_Sym *isymbuf,
+ 		  size_t locsymcount,
+@@ -8935,9 +8935,15 @@ set_symbol_value (bfd *bfd_with_globals,
+ 	     "absolute" section and give it a value.  */
+ 	  sym->st_shndx = SHN_ABS;
+ 	  sym->st_value = val;
+-	  return;
++	  return true;
++	}
++      if (!elf_bad_symtab (bfd_with_globals))
++	{
++	  _bfd_error_handler (_("%pB: corrupt symbol table"),
++			      bfd_with_globals);
++	  bfd_set_error (bfd_error_bad_value);
++	  return false;
+ 	}
+-      BFD_ASSERT (elf_bad_symtab (bfd_with_globals));
+       extsymoff = 0;
+     }
+ 
+@@ -8947,11 +8953,12 @@ set_symbol_value (bfd *bfd_with_globals,
+   if (h == NULL)
+     {
+       /* FIXMEL What should we do ?  */
+-      return;
++      return false;
+     }
+   h->root.type = bfd_link_hash_defined;
+   h->root.u.def.value = val;
+   h->root.u.def.section = bfd_abs_section_ptr;
++  return true;
+ }
+ 
+ static bool
+@@ -11641,8 +11648,10 @@ elf_link_input_bfd (struct elf_final_link_info *flinfo, bfd *input_bfd)
+ 		    return false;
+ 
+ 		  /* Symbol evaluated OK.  Update to absolute value.  */
+-		  set_symbol_value (input_bfd, isymbuf, locsymcount,
+-				    r_symndx, val);
++		  if (!set_symbol_value (input_bfd, isymbuf, locsymcount, r_symndx,
++					 val))
++		    return false;
++
+ 		  continue;
+ 		}
+ 
-- 
2.43.0

[OE-core][scarthgap 3/7] binutils: patch CVE-2025-11412

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Pick commit per NVD CVE report.

(From OE-Core rev: 6b94ff6c584a31d2b1e06d1e1dc19392d759b4b7)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.42.inc                |  1 +
 .../binutils/binutils/CVE-2025-11412.patch    | 35 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 21f0f7e3a7..b13c31717d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -64,5 +64,6 @@ SRC_URI = "\
      file://0026-CVE-2025-11081.patch \
      file://0027-CVE-2025-8225.patch \
      file://CVE-2025-11414.patch \
+     file://CVE-2025-11412.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
new file mode 100644
index 0000000000..e2a2b10c18
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
@@ -0,0 +1,35 @@
+From 047435dd988a3975d40c6626a8f739a0b2e154bc Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 25 Sep 2025 08:22:24 +0930
+Subject: [PATCH] PR 33452 SEGV in bfd_elf_gc_record_vtentry
+
+Limit addends on vtentry relocs, otherwise ld might attempt to
+allocate a stupidly large array.  This also fixes the expression
+overflow leading to pr33452.  A vtable of 33M entries on a 64-bit
+host is surely large enough, especially considering that VTINHERIT
+and VTENTRY relocations are to support -fvtable-gc that disappeared
+from gcc over 20 years ago.
+
+	PR ld/33452
+	* elflink.c (bfd_elf_gc_record_vtentry): Sanity check addend.
+
+CVE: CVE-2025-11412
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elflink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 54f0d6e957e..0a0456177c2 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -14613,7 +14613,7 @@ bfd_elf_gc_record_vtentry (bfd *abfd, asection *sec,
+   const struct elf_backend_data *bed = get_elf_backend_data (abfd);
+   unsigned int log_file_align = bed->s->log_file_align;
+ 
+-  if (!h)
++  if (!h || addend > 1u << 28)
+     {
+       /* xgettext:c-format */
+       _bfd_error_handler (_("%pB: section '%pA': corrupt VTENTRY entry"),
-- 
2.43.0

[OE-core][scarthgap 4/7] binutils: patch CVE-2025-11413

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Pick commit per NVD CVE report.

Note that there were two patches for this, first [1] and then [2].
The second patch moved the original patch to different location.
Cherry-pick of second patch is successful leaving out the code removing
the code from first location, so the patch attached here is not
identical to the upstream commit but is identical to applying both and
merging them to a single patch.

[1] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=1108620d7a521f1c85d2f629031ce0fbae14e331
[2] https://sourceware.org/git/?p=binutils-gdb.git;a=commitdiff;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0

(From OE-Core rev: 98df728e6136d04af0f4922b7ffbeffb704de395)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.42.inc                |  1 +
 .../binutils/binutils/CVE-2025-11413.patch    | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index b13c31717d..60b0d03ccd 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -65,5 +65,6 @@ SRC_URI = "\
      file://0027-CVE-2025-8225.patch \
      file://CVE-2025-11414.patch \
      file://CVE-2025-11412.patch \
+     file://CVE-2025-11413.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
new file mode 100644
index 0000000000..a7697d247f
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
@@ -0,0 +1,38 @@
+From 72efdf166aa0ed72ecc69fc2349af6591a7a19c0 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Thu, 25 Sep 2025 10:41:32 +0930
+Subject: [PATCH] Re: elf: Disallow the empty global symbol name
+
+sparc64-linux-gnu  +FAIL: selective2
+sparc64-linux-gnu  +FAIL: selective3
+
+	PR ld/33456
+	* elflink.c (elf_link_add_object_symbols): Move new check later
+	to give the backend add_symbol_hook a chance to remove symbols
+	with empty names.
+
+CVE: CVE-2025-11413
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ bfd/elflink.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/bfd/elflink.c b/bfd/elflink.c
+index 0a0456177c2..5c8b822e36a 100644
+--- a/bfd/elflink.c
++++ b/bfd/elflink.c
+@@ -5015,6 +5015,13 @@ elf_link_add_object_symbols (bfd *abfd, struct bfd_link_info *info)
+ 	    continue;
+ 	}
+ 
++      if (name[0] == '\0')
++	{
++	  _bfd_error_handler (_("%pB: corrupt symbol table"), abfd);
++	  bfd_set_error (bfd_error_bad_value);
++	  goto error_free_vers;
++	}
++
+       /* Sanity check that all possibilities were handled.  */
+       if (sec == NULL)
+ 	abort ();
-- 
2.43.0

[OE-core][scarthgap 5/7] Remove empty file

[Steve Sakoman]

From: Michael Haener <michael.haener@siemens.com>

An error occurred in backport commit
649147913e89cd8f7390cb17cd0be94c9710ffa6. The test file
is empty and has no functionality at all.

Signed-off-by: Michael Haener <michael.haener@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 test | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 test

diff --git a/test b/test
deleted file mode 100644
index e69de29bb2..0000000000
-- 
2.43.0

[OE-core][scarthgap 6/7] util-linux: fix pointer usage in hwclock param handling

[Steve Sakoman]

From: Bastian Krause <bst@pengutronix.de>

Passing params as numbers to hwclock is broken in util-linux 2.39.3 due
to wrong pointer handling. So backport the fix from upstream included
since util-linux 2.41.

Signed-off-by: Bastian Krause <bst@pengutronix.de>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/util-linux/util-linux.inc   |  1 +
 ...-utils-hwclock-rtc-fix-pointer-usage.patch | 27 +++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 meta/recipes-core/util-linux/util-linux/sys-utils-hwclock-rtc-fix-pointer-usage.patch

diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index 1ecf5c7b39..ccab4b17f4 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -43,6 +43,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
            file://CVE-2024-28085-0001.patch \
            file://CVE-2024-28085-0002.patch \
 	   file://fstab-isolation.patch \
+           file://sys-utils-hwclock-rtc-fix-pointer-usage.patch \
            "
 
 SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"
diff --git a/meta/recipes-core/util-linux/util-linux/sys-utils-hwclock-rtc-fix-pointer-usage.patch b/meta/recipes-core/util-linux/util-linux/sys-utils-hwclock-rtc-fix-pointer-usage.patch
new file mode 100644
index 0000000000..d98509d6ac
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/sys-utils-hwclock-rtc-fix-pointer-usage.patch
@@ -0,0 +1,27 @@
+From 7064cd275607a43223b2dbaef75c610f33f432ff Mon Sep 17 00:00:00 2001
+From: Karthikeyan Krishnasamy <karthikeyan@linumiz.com>
+Date: Sat, 23 Mar 2024 13:39:55 +0530
+Subject: [PATCH] sys-utils: hwclock-rtc: fix pointer usage
+
+passing double pointer doesn't fill param value
+
+Signed-off-by: Karthikeyan Krishnasamy <karthikeyan@linumiz.com>
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/1064a53e4ff357dc649a8c4a0a41dfb5a1191bba]
+Signed-off-by: Bastian Krause <bst@pengutronix.de>
+---
+ sys-utils/hwclock-rtc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/hwclock-rtc.c b/sys-utils/hwclock-rtc.c
+index 7094cd0..c797397 100644
+--- a/sys-utils/hwclock-rtc.c
++++ b/sys-utils/hwclock-rtc.c
+@@ -424,7 +424,7 @@ static int resolve_rtc_param_alias(const char *alias, __u64 *value)
+ /* kernel uapi __u64 can be defined differently than uint64_t */
+ static int strtoku64(const char *str, __u64 *num, int base)
+ {
+-	return ul_strtou64(str, (uint64_t *) &num, base);
++	return ul_strtou64(str, (uint64_t *) num, base);
+ }
+ 
+ /*
-- 
2.43.0

[OE-core][scarthgap 7/7] perf: add arm64 source files for unistd_64.h

[Steve Sakoman]

From: Yannic Moog <y.moog@phytec.de>

kernel commit bfb713ea53c7 ("perf tools: Fix arm64 build by generating unistd_64.h")
introduces a new dependency on source files for arm64, specifically
include/uapi/asm-generic.

Build fails with:
[..]/perf/1.0/perf-1.0/scripts/Makefile.asm-headers:33: [...]/perf/1.0/perf-1.0/include/uapi/asm-generic/Kbuild: No such file or directory
make[4]: *** No rule to make target '[...]/perf/1.0/perf-1.0/include/uapi/asm-generic/Kbuild'.  Stop.

Add the directory to PERF_SRC.
Fix whitespace error while at it.

Signed-off-by: Yannic Moog <y.moog@phytec.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-kernel/perf/perf.bb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-kernel/perf/perf.bb b/meta/recipes-kernel/perf/perf.bb
index 11fa917649..2d432f3f40 100644
--- a/meta/recipes-kernel/perf/perf.bb
+++ b/meta/recipes-kernel/perf/perf.bb
@@ -145,6 +145,7 @@ PERF_SRC ?= "Makefile \
              arch/arm64/tools \
              ${PERF_BPF_EVENT_SRC} \
              arch/${ARCH}/Makefile \
+             include/uapi/asm-generic/Kbuild \
 "
 
 PERF_EXTRA_LDFLAGS = ""
@@ -202,7 +203,7 @@ python copy_perf_source_from_kernel() {
 do_configure:prepend () {
     # If building a multlib based perf, the incorrect library path will be
     # detected by perf, since it triggers via: ifeq ($(ARCH),x86_64). In a 32 bit
-    # build, with a 64 bit multilib, the arch won't match and the detection of a 
+    # build, with a 64 bit multilib, the arch won't match and the detection of a
     # 64 bit build (and library) are not exected. To ensure that libraries are
     # installed to the correct location, we can use the weak assignment in the
     # config/Makefile.
-- 
2.43.0

[OE-core][scarthgap 0/7] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, December 16

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2849

The following changes since commit ef198b0c6063ede32cb93fe44eb89937c076a073:

  curl: Ensure 'CURL_CA_BUNDLE' from host env is indeed respected (2025-12-05 07:08:31 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Daniel Turull (1):
  classes/create-spdx-2.2: Define SPDX_VERSION to 2.2

Hitendra Prajapati (1):
  libxml2: Security fix for CVE-2025-7425

Peter Marko (3):
  libpng: patch CVE-2025-66293
  libmicrohttpd: disable experimental code by default
  Revert "lib/oe/go: document map_arch, and raise an error on unknown
    architecture"

Vijay Anusuri (2):
  libssh2: upgrade 1.11.0 -> 1.11.1
  libssh2: fix regression in KEX method validation (GH-1553)

 meta/classes/create-spdx-2.2.bbclass          |   2 +
 meta/lib/oe/go.py                             |   6 +-
 .../libxml/libxml2/CVE-2025-7425.patch        | 802 ++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.12.10.bb   |   1 +
 .../libpng/files/CVE-2025-66293-01.patch      |  60 ++
 .../libpng/files/CVE-2025-66293-02.patch      | 125 +++
 .../libpng/libpng_1.6.42.bb                   |   2 +
 .../libmicrohttpd/libmicrohttpd_1.0.1.bb      |   4 +
 ...rror-if-user-KEX-methods-are-invalid.patch |  73 ++
 .../libssh2/libssh2/CVE-2023-48795.patch      | 466 ----------
 .../{libssh2_1.11.0.bb => libssh2_1.11.1.bb}  |   6 +-
 11 files changed, 1073 insertions(+), 474 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
 create mode 100644 meta/recipes-support/libssh2/libssh2/0001-Return-error-if-user-KEX-methods-are-invalid.patch
 delete mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
 rename meta/recipes-support/libssh2/{libssh2_1.11.0.bb => libssh2_1.11.1.bb} (87%)

-- 
2.43.0