* [OE-core][scarthgap 0/7] Patch review
From: Steve Sakoman @ 2024-07-09 19:29 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, July 11
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7115
The following changes since commit 1cab8d06ce5df7a8d00cff8531965a84d90d265a:
curl: locale-base-en-us isn't glibc-specific (2024-07-03 07:09:47 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Changqing Li (2):
apt-native: don't let dpkg overwrite files by default
apt: runtime error: filename too long (tmpdir length)
Hitendra Prajapati (1):
ghostscript: upgrade 10.02.1 -> 10.03.1
Peter Marko (2):
flac: fix buildpaths warnings
cargo: remove True option to getVar calls
Xiangyu Chen (1):
qemu: Upgrade 8.2.1 -> 8.2.2
aszh07 (1):
xz: Update LICENSE variable for xz packages
meta/classes-recipe/cargo_common.bbclass | 4 +-
meta/classes-recipe/ptest-cargo.bbclass | 18 ++--
...he-filename-can-t-be-longer-than-255.patch | 40 ++++++++
meta/recipes-devtools/apt/apt_2.6.1.bb | 3 +-
...u-native_8.2.1.bb => qemu-native_8.2.2.bb} | 0
...e_8.2.1.bb => qemu-system-native_8.2.2.bb} | 0
meta/recipes-devtools/qemu/qemu.inc | 3 +-
.../qemu/qemu/CVE-2023-6683.patch | 91 -----------------
.../qemu/{qemu_8.2.1.bb => qemu_8.2.2.bb} | 0
.../ghostscript/CVE-2024-29510.patch | 84 ----------------
.../ghostscript/CVE-2024-33869-0001.patch | 39 --------
.../ghostscript/CVE-2024-33869-0002.patch | 52 ----------
.../ghostscript/CVE-2024-33870.patch | 99 -------------------
.../ghostscript/CVE-2024-33871.patch | 43 --------
.../avoid-host-contamination.patch | 11 +--
...dd-option-to-explicitly-disable-neon.patch | 99 -------------------
...ript_10.02.1.bb => ghostscript_10.03.1.bb} | 8 +-
meta/recipes-extended/xz/xz_5.4.6.bb | 6 +-
meta/recipes-multimedia/flac/flac_1.4.3.bb | 7 ++
19 files changed, 69 insertions(+), 538 deletions(-)
create mode 100644 meta/recipes-devtools/apt/apt/0001-strutl.cc-the-filename-can-t-be-longer-than-255.patch
rename meta/recipes-devtools/qemu/{qemu-native_8.2.1.bb => qemu-native_8.2.2.bb} (100%)
rename meta/recipes-devtools/qemu/{qemu-system-native_8.2.1.bb => qemu-system-native_8.2.2.bb} (100%)
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
rename meta/recipes-devtools/qemu/{qemu_8.2.1.bb => qemu_8.2.2.bb} (100%)
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871.patch
delete mode 100644 meta/recipes-extended/ghostscript/ghostscript/configure.ac-add-option-to-explicitly-disable-neon.patch
rename meta/recipes-extended/ghostscript/{ghostscript_10.02.1.bb => ghostscript_10.03.1.bb} (88%)
--
2.34.1
* [OE-core][scarthgap 0/7] Patch review
From: Steve Sakoman @ 2025-02-18 21:15 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, February 20
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1037
The following changes since commit 61880aac34ff408a8bc5060c6140bfd086b27524:
base-files: Drop /bin/sh dependency (2025-02-11 05:51:35 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Aleksandar Nikolic (1):
scripts/install-buildtools: Update to 5.0.7
Divya Chellam (1):
vim: Upgrade 9.1.0764 -> 9.1.1043
Johannes Schneider (1):
ppp: Revert lock path to /var/lock
Oleksandr Hnatiuk (1):
icu: remove host references in nativesdk to fix reproducibility
Peter Marko (3):
subversion: ignore CVE-2024-45720
gnutls: patch CVE-2024-12243
openssl: upgrade 3.2.3 -> 3.2.4
...ke-history-reporting-when-test-fails.patch | 40 +-
...1-Configure-do-not-tweak-mips-cflags.patch | 2 +-
...sysroot-and-debug-prefix-map-from-co.patch | 4 +-
.../openssl/openssl/CVE-2024-13176.patch | 126 --
.../openssl/openssl/CVE-2024-9143.patch | 202 ---
.../{openssl_3.2.3.bb => openssl_3.2.4.bb} | 4 +-
...001-Revert-lock-path-to-var-lock-435.patch | 63 +
meta/recipes-connectivity/ppp/ppp_2.5.0.bb | 1 +
.../subversion/subversion_1.14.3.bb | 2 +
.../gnutls/gnutls/CVE-2024-12243.patch | 1149 +++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.8.4.bb | 1 +
meta/recipes-support/icu/icu_74-2.bb | 33 +-
meta/recipes-support/vim/vim.inc | 4 +-
scripts/install-buildtools | 4 +-
14 files changed, 1268 insertions(+), 367 deletions(-)
delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
delete mode 100755 meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
rename meta/recipes-connectivity/openssl/{openssl_3.2.3.bb => openssl_3.2.4.bb} (98%)
create mode 100644 meta/recipes-connectivity/ppp/ppp/0001-Revert-lock-path-to-var-lock-435.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch
--
2.43.0
* [OE-core][scarthgap 0/7] Patch review
From: Steve Sakoman @ 2025-05-06 15:13 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, May 8
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1529
The following changes since commit 00dd4901e364d16d96cfab864823a9cfdd336eeb:
Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR" (2025-04-29 10:21:16 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Ashish Sharma (1):
libsoup: patch CVE-2025-46420
Deepesh Varatharajan (2):
glibc: stable 2.39 branch updates
binutils: stable 2.42 branch updates
Jeroen Hofstee (2):
bluez5: make media control a PACKAGECONFIG option
bluez5: backport a patch to fix btmgmt -i
Peter Marko (1):
sqlite3: mark CVE-2025-29087 as patched
Soumya Sambu (1):
elfutils: Fix CVE-2025-1371
meta/recipes-connectivity/bluez5/bluez5.inc | 3 +
...ndex-option-for-non-interactive-mode.patch | 29 +++++++++
meta/recipes-core/glibc/glibc-version.inc | 2 +-
.../binutils/binutils-2.42.inc | 2 +-
.../elfutils/elfutils_0.191.bb | 1 +
.../elfutils/files/CVE-2025-1371.patch | 41 +++++++++++++
.../libsoup-3.4.4/CVE-2025-46420.patch | 60 +++++++++++++++++++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 +
.../sqlite/sqlite3/CVE-2025-3277.patch | 1 +
9 files changed, 138 insertions(+), 2 deletions(-)
create mode 100644 meta/recipes-connectivity/bluez5/bluez5/toolsbtmgmt-fix-index-option-for-non-interactive-mode.patch
create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1371.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-46420.patch
--
2.43.0
* [OE-core][scarthgap 0/7] Patch review
From: Steve Sakoman @ 2025-05-21 14:59 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Friday, May 23
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1625
The following changes since commit b214cc84a922f7a3fb7ebbc501189ce25e8bd2bd:
glibc-y2038-tests: remove glibc-y2038-tests_2.39.bb recipe (2025-05-15 09:42:55 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Ashish Sharma (1):
libsoup-2.4: Fix CVE-2025-46420
Nguyen Dat Tho (1):
libatomic-ops: Update GITHUB_BASE_URI
Praveen Kumar (2):
connman :fix CVE-2025-32366
glib-2.0: fix CVE-2025-4373
Sunil Dora (1):
binutils: Fix CVE-2025-1153
Vijay Anusuri (1):
openssh: Fix for CVE-2025-32728
Vyacheslav Yurkov (1):
systemd: Password agents shouldn't be optional
.../connman/connman/CVE-2025-32366.patch | 41 +
.../connman/connman_1.42.bb | 1 +
.../openssh/openssh/CVE-2025-32728.patch | 44 +
.../openssh/openssh_9.6p1.bb | 1 +
.../glib-2.0/glib-2.0/CVE-2025-4373-01.patch | 120 +
.../glib-2.0/glib-2.0/CVE-2025-4373-02.patch | 29 +
meta/recipes-core/glib-2.0/glib-2.0_2.78.6.bb | 2 +
meta/recipes-core/systemd/systemd_255.18.bb | 10 -
.../binutils/binutils-2.42.inc | 3 +
.../binutils/0019-CVE-2025-1153-1.patch | 3207 ++++++++++++++
.../binutils/0020-CVE-2025-1153-2.patch | 840 ++++
.../binutils/0021-CVE-2025-1153-3.patch | 3756 +++++++++++++++++
.../libatomic-ops/libatomic-ops_7.8.2.bb | 4 +-
.../libsoup/libsoup-2.4/CVE-2025-46420.patch | 60 +
.../libsoup/libsoup-2.4_2.74.3.bb | 1 +
15 files changed, 8107 insertions(+), 12 deletions(-)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0019-CVE-2025-1153-1.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0020-CVE-2025-1153-2.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/0021-CVE-2025-1153-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch
--
2.43.0
* [OE-core][scarthgap 0/7] Patch review
From: Steve Sakoman @ 2025-11-04 14:47 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, November 6
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2676
The following changes since commit 4cb834388759540ea5bf7265389b9f1b2e15333a:
bind: upgrade 9.18.33 -> 9.18.41 (2025-10-29 07:13:09 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Bastian Krause (1):
util-linux: fix pointer usage in hwclock param handling
Michael Haener (1):
Remove empty file
Peter Marko (4):
wpa-supplicant: patch CVE-2025-24912
binutils: patch CVE-2025-11414
binutils: patch CVE-2025-11412
binutils: patch CVE-2025-11413
Yannic Moog (1):
perf: add arm64 source files for unistd_64.h
.../wpa-supplicant/CVE-2025-24912-01.patch | 79 +++++++++++++++++
.../wpa-supplicant/CVE-2025-24912-02.patch | 70 ++++++++++++++++
.../wpa-supplicant/wpa-supplicant_2.10.bb | 2 +
meta/recipes-core/util-linux/util-linux.inc | 1 +
...-utils-hwclock-rtc-fix-pointer-usage.patch | 27 ++++++
.../binutils/binutils-2.42.inc | 3 +
.../binutils/binutils/CVE-2025-11412.patch | 35 ++++++++
.../binutils/binutils/CVE-2025-11413.patch | 38 +++++++++
.../binutils/binutils/CVE-2025-11414.patch | 84 +++++++++++++++++++
meta/recipes-kernel/perf/perf.bb | 3 +-
test | 0
11 files changed, 341 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
create mode 100644 meta/recipes-core/util-linux/util-linux/sys-utils-hwclock-rtc-fix-pointer-usage.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11414.patch
delete mode 100644 test
--
2.43.0
* [OE-core][scarthgap 0/7] Patch review
From: Steve Sakoman @ 2025-12-12 15:39 UTC
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, December 16
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2849
The following changes since commit ef198b0c6063ede32cb93fe44eb89937c076a073:
curl: Ensure 'CURL_CA_BUNDLE' from host env is indeed respected (2025-12-05 07:08:31 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Daniel Turull (1):
classes/create-spdx-2.2: Define SPDX_VERSION to 2.2
Hitendra Prajapati (1):
libxml2: Security fix for CVE-2025-7425
Peter Marko (3):
libpng: patch CVE-2025-66293
libmicrohttpd: disable experimental code by default
Revert "lib/oe/go: document map_arch, and raise an error on unknown
architecture"
Vijay Anusuri (2):
libssh2: upgrade 1.11.0 -> 1.11.1
libssh2: fix regression in KEX method validation (GH-1553)
meta/classes/create-spdx-2.2.bbclass | 2 +
meta/lib/oe/go.py | 6 +-
.../libxml/libxml2/CVE-2025-7425.patch | 802 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 +
.../libpng/files/CVE-2025-66293-01.patch | 60 ++
.../libpng/files/CVE-2025-66293-02.patch | 125 +++
.../libpng/libpng_1.6.42.bb | 2 +
.../libmicrohttpd/libmicrohttpd_1.0.1.bb | 4 +
...rror-if-user-KEX-methods-are-invalid.patch | 73 ++
.../libssh2/libssh2/CVE-2023-48795.patch | 466 ----------
.../{libssh2_1.11.0.bb => libssh2_1.11.1.bb} | 6 +-
11 files changed, 1073 insertions(+), 474 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
create mode 100644 meta/recipes-support/libssh2/libssh2/0001-Return-error-if-user-KEX-methods-are-invalid.patch
delete mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
rename meta/recipes-support/libssh2/{libssh2_1.11.0.bb => libssh2_1.11.1.bb} (87%)
--
2.43.0
* [OE-core][scarthgap 1/7] classes/create-spdx-2.2: Define SPDX_VERSION to 2.2
From: Steve Sakoman @ 2025-12-12 15:39 UTC
To: openembedded-core
From: Daniel Turull <daniel.turull@ericsson.com>
SPDX_VERSION is used in DEPLOY_DIR_SPDX but if it is not defined,
it will default to SPDX-1.1
Define SPDX_VERSION to have the correct deploy path, to align
with master branch behaviour.
The change in path was introduced in 8996d0899d
CC: Kamel Bouhara (Schneider Electric) <kamel.bouhara@bootlin.com>
CC: JPEWhacker@gmail.com
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/classes/create-spdx-2.2.bbclass | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 2351a3d5a1..aaa2e78fe2 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -4,6 +4,8 @@
# SPDX-License-Identifier: GPL-2.0-only
#
+SPDX_VERSION = "2.2"
+
DEPLOY_DIR_SPDX ??= "${DEPLOY_DIR}/spdx/${SPDX_VERSION}"
# The product name that the CVE database uses. Defaults to BPN, but may need to
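Review bot: `SPDX_VERSION = "2.2"` is a hard assignment sitting directly above a `??=` default for DEPLOY_DIR_SPDX, and the hunk carries no comment saying why the class pins it. A one-line comment noting that the value feeds `${DEPLOY_DIR}/spdx/${SPDX_VERSION}` would make the intent clear to anyone who later tries to set it from configuration. The commit message states that the path previously resolved with SPDX-1.1, so this moves the deploy directory on a stable branch; it would help to say that explicitly so consumers of the old location notice.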
--
2.43.0
* [OE-core][scarthgap 2/7] libpng: patch CVE-2025-66293
From: Steve Sakoman @ 2025-12-12 15:39 UTC
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Pick patches per nvd report [1] and github advisory [2].
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-66293
[2] https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libpng/files/CVE-2025-66293-01.patch | 60 +++++++++
.../libpng/files/CVE-2025-66293-02.patch | 125 ++++++++++++++++++
.../libpng/libpng_1.6.42.bb | 2 +
3 files changed, 187 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
new file mode 100644
index 0000000000..0b958b9f1b
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-01.patch
@@ -0,0 +1,60 @@
+From 788a624d7387a758ffd5c7ab010f1870dea753a1 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sat, 29 Nov 2025 00:39:16 +0200
+Subject: [PATCH] Fix an out-of-bounds read in `png_image_read_composite`
+
+Add a defensive bounds check before calling PNG_sRGB_FROM_LINEAR to
+prevent reading up to 506 entries (1012 bytes) past `png_sRGB_base[]`.
+
+For palette images with gamma, `png_init_read_transformations`
+clears PNG_COMPOSE after compositing on the palette, but it leaves
+PNG_FLAG_OPTIMIZE_ALPHA set. The simplified API then calls
+`png_image_read_composite` with sRGB data (not linear premultiplied),
+causing the index to reach 1017. (The maximum valid index is 511.)
+
+NOTE:
+This is a defensive fix that addresses the security issue (out-of-bounds
+read) but *NOT* the correctness issue (wrong output). When the clamp
+triggers, the affected pixels are clamped to white instead of the
+correct composited color. Valid PNG images may render incorrectly with
+the simplified API.
+
+TODO:
+We already know the root cause is a flag synchronization error.
+For palette images with gamma, `png_init_read_transformations`
+clears PNG_COMPOSE but leaves PNG_FLAG_OPTIMIZE_ALPHA set, causing
+`png_image_read_composite` to misinterpret sRGB data as linear
+premultiplied. However, we have yet to implement an architectural fix
+that requires coordinating the simplified API with the transformation
+pipeline.
+
+Reported-by: flyfish101 <flyfish101@users.noreply.github.com>
+
+CVE: CVE-2025-66293
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngread.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/pngread.c b/pngread.c
+index 79917daaa..ab62edd9d 100644
+--- a/pngread.c
++++ b/pngread.c
+@@ -3406,9 +3406,14 @@ png_image_read_composite(png_voidp argument)
+ component += (255-alpha)*png_sRGB_table[outrow[c]];
+
+ /* So 'component' is scaled by 255*65535 and is
+- * therefore appropriate for the sRGB to linear
+- * conversion table.
++ * therefore appropriate for the sRGB-to-linear
++ * conversion table. Clamp to the valid range
++ * as a defensive measure against an internal
++ * libpng bug where the data is sRGB rather than
++ * linear premultiplied.
+ */
++ if (component > 255*65535)
++ component = 255*65535;
+ component = PNG_sRGB_FROM_LINEAR(component);
+ }
+
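Review bot: The upstream NOTE in this patch header says the clamp added before `PNG_sRGB_FROM_LINEAR` only stops the out-of-bounds read and that clamped pixels come out white, so this file should not be carried without CVE-2025-66293-02.patch, yet nothing in the OE-side header records that dependency. Suggest adding a line next to the `CVE:` and `Upstream-Status:` tags stating that the second patch is required for correct output and must be applied after this one (it rewrites the lines added here), so a later partial cherry-pick or recipe cleanup does not separate them.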
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
new file mode 100644
index 0000000000..ba563e1c5a
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2025-66293-02.patch
@@ -0,0 +1,125 @@
+From a05a48b756de63e3234ea6b3b938b8f5f862484a Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Mon, 1 Dec 2025 22:31:54 +0200
+Subject: [PATCH] Finalize the fix for out-of-bounds read in
+ `png_image_read_composite`
+
+Following up on commit 788a624d7387a758ffd5c7ab010f1870dea753a1.
+
+The previous commit added a defensive bounds check to address the
+security issue (out-of-bounds read), but noted that the correctness
+issue remained: when the clamp triggered, the affected pixels were
+clamped to white instead of the correct composited color.
+
+This commit addresses the correctness issue by fixing the flag
+synchronization error identified in the previous commit's TODO:
+
+1. In `png_init_read_transformations`:
+ Clear PNG_FLAG_OPTIMIZE_ALPHA when clearing PNG_COMPOSE for palette
+ images. This correctly signals that the data is sRGB, not linear
+ premultiplied.
+
+2. In `png_image_read_composite`:
+ Check PNG_FLAG_OPTIMIZE_ALPHA and use the appropriate composition
+ formula. When set, use the existing linear composition. When cleared
+ (palette composition already done), use sRGB composition to match
+ what was done to the palette.
+
+Retain the previous clamp to the valid range as belt-and-suspenders
+protection against any other unforeseen cases.
+
+CVE: CVE-2025-66293
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ pngread.c | 56 ++++++++++++++++++++++++++++++++++++------------------
+ pngrtran.c | 1 +
+ 2 files changed, 39 insertions(+), 18 deletions(-)
+
+diff --git a/pngread.c b/pngread.c
+index ab62edd9d..f8ca2b7e3 100644
+--- a/pngread.c
++++ b/pngread.c
+@@ -3340,6 +3340,7 @@ png_image_read_composite(png_voidp argument)
+ ptrdiff_t step_row = display->row_bytes;
+ unsigned int channels =
+ (image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1;
++ int optimize_alpha = (png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0;
+ int pass;
+
+ for (pass = 0; pass < passes; ++pass)
+@@ -3396,25 +3397,44 @@ png_image_read_composite(png_voidp argument)
+
+ if (alpha < 255) /* else just use component */
+ {
+- /* This is PNG_OPTIMIZED_ALPHA, the component value
+- * is a linear 8-bit value. Combine this with the
+- * current outrow[c] value which is sRGB encoded.
+- * Arithmetic here is 16-bits to preserve the output
+- * values correctly.
+- */
+- component *= 257*255; /* =65535 */
+- component += (255-alpha)*png_sRGB_table[outrow[c]];
++ if (optimize_alpha != 0)
++ {
++ /* This is PNG_OPTIMIZED_ALPHA, the component value
++ * is a linear 8-bit value. Combine this with the
++ * current outrow[c] value which is sRGB encoded.
++ * Arithmetic here is 16-bits to preserve the output
++ * values correctly.
++ */
++ component *= 257*255; /* =65535 */
++ component += (255-alpha)*png_sRGB_table[outrow[c]];
+
+- /* So 'component' is scaled by 255*65535 and is
+- * therefore appropriate for the sRGB-to-linear
+- * conversion table. Clamp to the valid range
+- * as a defensive measure against an internal
+- * libpng bug where the data is sRGB rather than
+- * linear premultiplied.
+- */
+- if (component > 255*65535)
+- component = 255*65535;
+- component = PNG_sRGB_FROM_LINEAR(component);
++ /* Clamp to the valid range to defend against
++ * unforeseen cases where the data might be sRGB
++ * instead of linear premultiplied.
++ * (Belt-and-suspenders for GitHub Issue #764.)
++ */
++ if (component > 255*65535)
++ component = 255*65535;
++
++ /* So 'component' is scaled by 255*65535 and is
++ * therefore appropriate for the sRGB-to-linear
++ * conversion table.
++ */
++ component = PNG_sRGB_FROM_LINEAR(component);
++ }
++ else
++ {
++ /* Compositing was already done on the palette
++ * entries. The data is sRGB premultiplied on black.
++ * Composite with the background in sRGB space.
++ * This is not gamma-correct, but matches what was
++ * done to the palette.
++ */
++ png_uint_32 background = outrow[c];
++ component += ((255-alpha) * background + 127) / 255;
++ if (component > 255)
++ component = 255;
++ }
+ }
+
+ outrow[c] = (png_byte)component;
+diff --git a/pngrtran.c b/pngrtran.c
+index 2f5202255..507d11381 100644
+--- a/pngrtran.c
++++ b/pngrtran.c
+@@ -1760,6 +1760,7 @@ png_init_read_transformations(png_structrp png_ptr)
+ * transformations elsewhere.
+ */
+ png_ptr->transformations &= ~(PNG_COMPOSE | PNG_GAMMA);
++ png_ptr->flags &= ~PNG_FLAG_OPTIMIZE_ALPHA;
+ } /* color_type == PNG_COLOR_TYPE_PALETTE */
+
+ /* if (png_ptr->background_gamma_type!=PNG_BACKGROUND_GAMMA_UNKNOWN) */
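Review bot: The one-line pngrtran.c change clears `PNG_FLAG_OPTIMIZE_ALPHA` for palette images in `png_init_read_transformations`, which changes rendering for valid files as well as closing the bug, and the new `else` branch in `png_image_read_composite` composites in sRGB space, which its own comment says is not gamma-correct. For a stable-branch backport onto 1.6.42 the commit message should say whether the library's own tests were run with both patches applied, in particular for palette images with gamma and alpha going through the simplified API. The retained `if (component > 255*65535)` clamp in the `optimize_alpha` branch is a reasonable second line of defence and should stay.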
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
index 2d5216cb65..6dc7ffe272 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
@@ -19,6 +19,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz
file://CVE-2025-64720.patch \
file://CVE-2025-65018-01.patch \
file://CVE-2025-65018-02.patch \
+ file://CVE-2025-66293-01.patch \
+ file://CVE-2025-66293-02.patch \
"
SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
--
2.43.0
* [OE-core][scarthgap 3/7] libxml2: Security fix for CVE-2025-7425
From: Steve Sakoman @ 2025-12-12 15:39 UTC
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
CVE-2025-7425
libxslt: heap-use-after-free in xmlFreeID caused by `atype` corruption
Origin: https://launchpad.net/ubuntu/+source/libxml2/2.9.14+dfsg-1.3ubuntu3.6
Ref : https://security-tracker.debian.org/tracker/CVE-2025-7425
Upstream-Status: Backport from https://gitlab.gnome.org/GNOME/libxslt/-/issues/140
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libxml/libxml2/CVE-2025-7425.patch | 802 ++++++++++++++++++
meta/recipes-core/libxml/libxml2_2.12.10.bb | 1 +
2 files changed, 803 insertions(+)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch
new file mode 100644
index 0000000000..870ada53b8
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-7425.patch
@@ -0,0 +1,802 @@
+From 87786d6200ae1f5ac98d21f04d451e17ff25a216 Mon Sep 17 00:00:00 2001
+From: David Kilzer <ddkilzer@apple.com>
+Reviewed-By: Aron Xu <aron@debian.org>
+Date: Mon, 23 Jun 2025 14:41:56 -0700
+Subject: [PATCH] libxslt: heap-use-after-free in xmlFreeID caused by `atype`
+ corruption
+
+* include/libxml/tree.h:
+(XML_ATTR_CLEAR_ATYPE): Add.
+(XML_ATTR_GET_ATYPE): Add.
+(XML_ATTR_SET_ATYPE): Add.
+(XML_NODE_ADD_EXTRA): Add.
+(XML_NODE_CLEAR_EXTRA): Add.
+(XML_NODE_GET_EXTRA): Add.
+(XML_NODE_SET_EXTRA): Add.
+(XML_DOC_ADD_PROPERTIES): Add.
+(XML_DOC_CLEAR_PROPERTIES): Add.
+(XML_DOC_GET_PROPERTIES): Add.
+(XML_DOC_SET_PROPERTIES): Add.
+- Add macros for accessing fields with upper bits that may be set by
+ libxslt.
+
+* HTMLparser.c:
+(htmlNewDocNoDtD):
+* SAX2.c:
+(xmlSAX2StartDocument):
+(xmlSAX2EndDocument):
+* parser.c:
+(xmlParseEntityDecl):
+(xmlParseExternalSubset):
+(xmlParseReference):
+(xmlCtxtParseDtd):
+* runxmlconf.c:
+(xmlconfTestInvalid):
+(xmlconfTestValid):
+* tree.c:
+(xmlNewDoc):
+(xmlFreeProp):
+(xmlNodeSetDoc):
+(xmlSetNsProp):
+(xmlDOMWrapAdoptBranch):
+* valid.c:
+(xmlFreeID):
+(xmlAddIDInternal):
+(xmlValidateAttributeValueInternal):
+(xmlValidateOneAttribute):
+(xmlValidateRef):
+* xmlreader.c:
+(xmlTextReaderStartElement):
+(xmlTextReaderStartElementNs):
+(xmlTextReaderValidateEntity):
+(xmlTextReaderRead):
+(xmlTextReaderNext):
+(xmlTextReaderIsEmptyElement):
+(xmlTextReaderPreserve):
+* xmlschemas.c:
+(xmlSchemaPValAttrNodeID):
+* xmlschemastypes.c:
+(xmlSchemaValAtomicType):
+- Adopt macros by renaming the struct fields, recompiling and fixing
+ compiler failures, then changing the struct field names back.
+Origin: https://launchpad.net/ubuntu/+source/libxml2/2.9.14+dfsg-1.3ubuntu3.6
+Ref : https://security-tracker.debian.org/tracker/CVE-2025-7425
+
+CVE: CVE-2025-7425
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/issues/140]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ HTMLparser.c | 1 +
+ SAX2.c | 6 ++--
+ include/libxml/tree.h | 14 ++++++++-
+ parser.c | 8 ++---
+ runxmlconf.c | 4 +--
+ tree.c | 20 ++++++-------
+ valid.c | 68 +++++++++++++++++++++----------------------
+ xmlreader.c | 30 +++++++++----------
+ xmlschemas.c | 4 +--
+ xmlschemastypes.c | 12 ++++----
+ 10 files changed, 90 insertions(+), 77 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index ea6a4f2..9f439d6 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -2459,6 +2459,7 @@ htmlNewDocNoDtD(const xmlChar *URI, const xmlChar *ExternalID) {
+ cur->refs = NULL;
+ cur->_private = NULL;
+ cur->charset = XML_CHAR_ENCODING_UTF8;
++ XML_DOC_SET_PROPERTIES(cur, XML_DOC_HTML | XML_DOC_USERBUILT);
+ cur->properties = XML_DOC_HTML | XML_DOC_USERBUILT;
+ if ((ExternalID != NULL) ||
+ (URI != NULL))
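Review bot: In the `htmlNewDocNoDtD` hunk the new `XML_DOC_SET_PROPERTIES(cur, XML_DOC_HTML | XML_DOC_USERBUILT);` is added, but the old `cur->properties = XML_DOC_HTML | XML_DOC_USERBUILT;` remains as context on the very next line, so the direct write still runs and bypasses the macro. The other conversions visible in this patch (SAX2.c, parser.c) replace the direct assignment rather than adding beside it, and the diffstat shows `HTMLparser.c | 1 +` with no removal. Please confirm whether the leftover assignment is intended in this backport; if not, drop it so the macro is the only writer of `properties` here.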
+diff --git a/SAX2.c b/SAX2.c
+index bb72e16..08786a3 100644
+--- a/SAX2.c
++++ b/SAX2.c
+@@ -899,7 +899,7 @@ xmlSAX2StartDocument(void *ctx)
+ xmlSAX2ErrMemory(ctxt, "xmlSAX2StartDocument");
+ return;
+ }
+- ctxt->myDoc->properties = XML_DOC_HTML;
++ XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_HTML);
+ ctxt->myDoc->parseFlags = ctxt->options;
+ #else
+ xmlGenericError(xmlGenericErrorContext,
+@@ -912,9 +912,9 @@ xmlSAX2StartDocument(void *ctx)
+ } else {
+ doc = ctxt->myDoc = xmlNewDoc(ctxt->version);
+ if (doc != NULL) {
+- doc->properties = 0;
++ XML_DOC_CLEAR_PROPERTIES(doc);
+ if (ctxt->options & XML_PARSE_OLD10)
+- doc->properties |= XML_DOC_OLD10;
++ XML_DOC_ADD_PROPERTIES(doc, XML_DOC_OLD10);
+ doc->parseFlags = ctxt->options;
+ doc->standalone = ctxt->standalone;
+ } else {
+diff --git a/include/libxml/tree.h b/include/libxml/tree.h
+index a90a174..a013232 100644
+--- a/include/libxml/tree.h
++++ b/include/libxml/tree.h
+@@ -370,7 +370,6 @@ struct _xmlElement {
+ #endif
+ };
+
+-
+ /**
+ * XML_LOCAL_NAMESPACE:
+ *
+@@ -451,6 +450,10 @@ struct _xmlAttr {
+ void *psvi; /* for type/PSVI information */
+ };
+
++#define XML_ATTR_CLEAR_ATYPE(attr) (((attr)->atype) = 0)
++#define XML_ATTR_GET_ATYPE(attr) (((attr)->atype) & ~(15U << 27))
++#define XML_ATTR_SET_ATYPE(attr, type) ((attr)->atype = ((((attr)->atype) & (15U << 27)) | ((type) & ~(15U << 27))))
++
+ /**
+ * xmlID:
+ *
+@@ -512,6 +515,11 @@ struct _xmlNode {
+ unsigned short extra; /* extra data for XPath/XSLT */
+ };
+
++#define XML_NODE_ADD_EXTRA(node, type) ((node)->extra |= ((type) & ~(15U << 12)))
++#define XML_NODE_CLEAR_EXTRA(node) (((node)->extra) = 0)
++#define XML_NODE_GET_EXTRA(node) (((node)->extra) & ~(15U << 12))
++#define XML_NODE_SET_EXTRA(node, type) ((node)->extra = ((((node)->extra) & (15U << 12)) | ((type) & ~(15U << 12))))
++
+ /**
+ * XML_GET_CONTENT:
+ *
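Review bot: `extra` is declared `unsigned short` in the context line just above these macros, so `(15U << 12)` reserves the top four of its sixteen bits. `XML_NODE_ADD_EXTRA` and `XML_NODE_SET_EXTRA` then silently drop any flag a caller passes in that range. The expressions are also evaluated as `unsigned int` and narrowed on the store. A comment stating that only bits 0-11 are available for the `NODE_IS_*` flags, and an explicit cast to `unsigned short`, would document both.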
+@@ -589,6 +597,10 @@ struct _xmlDoc {
+ set at the end of parsing */
+ };
+
++#define XML_DOC_ADD_PROPERTIES(doc, type) ((doc)->properties |= ((type) & ~(15U << 27)))
++#define XML_DOC_CLEAR_PROPERTIES(doc) (((doc)->properties) = 0)
++#define XML_DOC_GET_PROPERTIES(doc) (((doc)->properties) & ~(15U << 27))
++#define XML_DOC_SET_PROPERTIES(doc, type) ((doc)->properties = ((((doc)->properties) & (15U << 27)) | ((type) & ~(15U << 27))))
+
+ typedef struct _xmlDOMWrapCtxt xmlDOMWrapCtxt;
+ typedef xmlDOMWrapCtxt *xmlDOMWrapCtxtPtr;
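Review bot: `XML_DOC_CLEAR_PROPERTIES` assigns 0 to the whole field, while `XML_DOC_SET_PROPERTIES` and `XML_DOC_ADD_PROPERTIES` leave bits 27-30 untouched. The same asymmetry exists in `XML_ATTR_CLEAR_ATYPE` and `XML_NODE_CLEAR_EXTRA`. If the reserved bits are meant to survive ordinary property updates, the clear macros should mask as well, for example `((doc)->properties &= (15U << 27))`. If wiping them is intended, a comment here should say so.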
+diff --git a/parser.c b/parser.c
+index 6ab4bfe..19ae310 100644
+--- a/parser.c
++++ b/parser.c
+@@ -5663,7 +5663,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ xmlErrMemory(ctxt, "New Doc failed");
+ goto done;
+ }
+- ctxt->myDoc->properties = XML_DOC_INTERNAL;
++ XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
+ }
+ if (ctxt->myDoc->intSubset == NULL)
+ ctxt->myDoc->intSubset = xmlNewDtd(ctxt->myDoc,
+@@ -5734,7 +5734,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ xmlErrMemory(ctxt, "New Doc failed");
+ goto done;
+ }
+- ctxt->myDoc->properties = XML_DOC_INTERNAL;
++ XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
+ }
+
+ if (ctxt->myDoc->intSubset == NULL)
+@@ -7179,7 +7179,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr ctxt, const xmlChar *ExternalID,
+ xmlErrMemory(ctxt, "New Doc failed");
+ return;
+ }
+- ctxt->myDoc->properties = XML_DOC_INTERNAL;
++ XML_DOC_SET_PROPERTIES(ctxt->myDoc, XML_DOC_INTERNAL);
+ }
+ if ((ctxt->myDoc != NULL) && (ctxt->myDoc->intSubset == NULL))
+ xmlCreateIntSubset(ctxt->myDoc, NULL, ExternalID, SystemID);
+@@ -7580,7 +7580,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
+ (nw != NULL) &&
+ (nw->type == XML_ELEMENT_NODE) &&
+ (nw->children == NULL))
+- nw->extra = 1;
++ XML_NODE_SET_EXTRA(nw, 1);
+
+ break;
+ }
+diff --git a/runxmlconf.c b/runxmlconf.c
+index b5c3fd8..75fcfd6 100644
+--- a/runxmlconf.c
++++ b/runxmlconf.c
+@@ -190,7 +190,7 @@ xmlconfTestInvalid(const char *id, const char *filename, int options) {
+ id, filename);
+ } else {
+ /* invalidity should be reported both in the context and in the document */
+- if ((ctxt->valid != 0) || (doc->properties & XML_DOC_DTDVALID)) {
++ if ((ctxt->valid != 0) || (XML_DOC_GET_PROPERTIES(doc) & XML_DOC_DTDVALID)) {
+ test_log("test %s : %s failed to detect invalid document\n",
+ id, filename);
+ nb_errors++;
+@@ -222,7 +222,7 @@ xmlconfTestValid(const char *id, const char *filename, int options) {
+ ret = 0;
+ } else {
+ /* validity should be reported both in the context and in the document */
+- if ((ctxt->valid == 0) || ((doc->properties & XML_DOC_DTDVALID) == 0)) {
++ if ((ctxt->valid == 0) || ((XML_DOC_GET_PROPERTIES(doc) & XML_DOC_DTDVALID) == 0)) {
+ test_log("test %s : %s failed to validate a valid document\n",
+ id, filename);
+ nb_errors++;
+diff --git a/tree.c b/tree.c
+index f89e3cd..772ca62 100644
+--- a/tree.c
++++ b/tree.c
+@@ -1160,7 +1160,7 @@ xmlNewDoc(const xmlChar *version) {
+ cur->compression = -1; /* not initialized */
+ cur->doc = cur;
+ cur->parseFlags = 0;
+- cur->properties = XML_DOC_USERBUILT;
++ XML_DOC_SET_PROPERTIES(cur, XML_DOC_USERBUILT);
+ /*
+ * The in memory encoding is always UTF8
+ * This field will never change and would
+@@ -2077,7 +2077,7 @@ xmlFreeProp(xmlAttrPtr cur) {
+ xmlDeregisterNodeDefaultValue((xmlNodePtr)cur);
+
+ /* Check for ID removal -> leading to invalid references ! */
+- if ((cur->doc != NULL) && (cur->atype == XML_ATTRIBUTE_ID)) {
++ if ((cur->doc != NULL) && (XML_ATTR_GET_ATYPE(cur) == XML_ATTRIBUTE_ID)) {
+ xmlRemoveID(cur->doc, cur);
+ }
+ if (cur->children != NULL) xmlFreeNodeList(cur->children);
+@@ -2794,7 +2794,7 @@ xmlSetTreeDoc(xmlNodePtr tree, xmlDocPtr doc) {
+ if(tree->type == XML_ELEMENT_NODE) {
+ prop = tree->properties;
+ while (prop != NULL) {
+- if (prop->atype == XML_ATTRIBUTE_ID) {
++ if (XML_ATTR_GET_ATYPE(prop) == XML_ATTRIBUTE_ID) {
+ xmlRemoveID(tree->doc, prop);
+ }
+
+@@ -6836,9 +6836,9 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr ns, const xmlChar *name,
+ /*
+ * Modify the attribute's value.
+ */
+- if (prop->atype == XML_ATTRIBUTE_ID) {
++ if (XML_ATTR_GET_ATYPE(prop) == XML_ATTRIBUTE_ID) {
+ xmlRemoveID(node->doc, prop);
+- prop->atype = XML_ATTRIBUTE_ID;
++ XML_ATTR_SET_ATYPE(prop, XML_ATTRIBUTE_ID);
+ }
+ if (prop->children != NULL)
+ xmlFreeNodeList(prop->children);
+@@ -6858,7 +6858,7 @@ xmlSetNsProp(xmlNodePtr node, xmlNsPtr ns, const xmlChar *name,
+ tmp = tmp->next;
+ }
+ }
+- if (prop->atype == XML_ATTRIBUTE_ID)
++ if (XML_ATTR_GET_ATYPE(prop) == XML_ATTRIBUTE_ID)
+ xmlAddID(NULL, node->doc, value, prop);
+ return(prop);
+ }
+@@ -9077,7 +9077,7 @@ ns_end:
+ if (cur->type == XML_ELEMENT_NODE) {
+ cur->psvi = NULL;
+ cur->line = 0;
+- cur->extra = 0;
++ XML_NODE_CLEAR_EXTRA(cur);
+ /*
+ * Walk attributes.
+ */
+@@ -9093,11 +9093,11 @@ ns_end:
+ * Attributes.
+ */
+ if ((sourceDoc != NULL) &&
+- (((xmlAttrPtr) cur)->atype == XML_ATTRIBUTE_ID))
++ (XML_ATTR_GET_ATYPE((xmlAttrPtr) cur) == XML_ATTRIBUTE_ID))
+ {
+ xmlRemoveID(sourceDoc, (xmlAttrPtr) cur);
+ }
+- ((xmlAttrPtr) cur)->atype = 0;
++ XML_ATTR_CLEAR_ATYPE((xmlAttrPtr) cur);
+ ((xmlAttrPtr) cur)->psvi = NULL;
+ }
+ break;
+@@ -9818,7 +9818,7 @@ xmlDOMWrapAdoptAttr(xmlDOMWrapCtxtPtr ctxt,
+ }
+
+ XML_TREE_ADOPT_STR(attr->name);
+- attr->atype = 0;
++ XML_ATTR_CLEAR_ATYPE(attr);
+ attr->psvi = NULL;
+ /*
+ * Walk content.
+diff --git a/valid.c b/valid.c
+index abefdc5..ae4bb82 100644
+--- a/valid.c
++++ b/valid.c
+@@ -1736,7 +1736,7 @@ xmlScanIDAttributeDecl(xmlValidCtxtPtr ctxt, xmlElementPtr elem, int err) {
+ if (elem == NULL) return(0);
+ cur = elem->attributes;
+ while (cur != NULL) {
+- if (cur->atype == XML_ATTRIBUTE_ID) {
++ if (XML_ATTR_GET_ATYPE(cur) == XML_ATTRIBUTE_ID) {
+ ret ++;
+ if ((ret > 1) && (err))
+ xmlErrValidNode(ctxt, (xmlNodePtr) elem, XML_DTD_MULTIPLE_ID,
+@@ -2109,7 +2109,7 @@ xmlDumpAttributeDecl(xmlBufferPtr buf, xmlAttributePtr attr) {
+ xmlBufferWriteChar(buf, ":");
+ }
+ xmlBufferWriteCHAR(buf, attr->name);
+- switch (attr->atype) {
++ switch (XML_ATTR_GET_ATYPE(attr)) {
+ case XML_ATTRIBUTE_CDATA:
+ xmlBufferWriteChar(buf, " CDATA");
+ break;
+@@ -2582,7 +2582,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value,
+ return(NULL);
+ }
+ if (attr != NULL)
+- attr->atype = XML_ATTRIBUTE_ID;
++ XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ID);
+ return(ret);
+ }
+
+@@ -2661,7 +2661,7 @@ xmlIsID(xmlDocPtr doc, xmlNodePtr elem, xmlAttrPtr attr) {
+ if ((fullelemname != felem) && (fullelemname != elem->name))
+ xmlFree(fullelemname);
+
+- if ((attrDecl != NULL) && (attrDecl->atype == XML_ATTRIBUTE_ID))
++ if ((attrDecl != NULL) && (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_ID))
+ return(1);
+ }
+ return(0);
+@@ -2702,7 +2702,7 @@ xmlRemoveID(xmlDocPtr doc, xmlAttrPtr attr) {
+
+ xmlHashRemoveEntry(table, ID, xmlFreeIDTableEntry);
+ xmlFree(ID);
+- attr->atype = 0;
++ XML_ATTR_CLEAR_ATYPE(attr);
+ return(0);
+ }
+
+@@ -2987,8 +2987,8 @@ xmlIsRef(xmlDocPtr doc, xmlNodePtr elem, xmlAttrPtr attr) {
+ elem->name, attr->name);
+
+ if ((attrDecl != NULL) &&
+- (attrDecl->atype == XML_ATTRIBUTE_IDREF ||
+- attrDecl->atype == XML_ATTRIBUTE_IDREFS))
++ (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREF ||
++ XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREFS))
+ return(1);
+ }
+ return(0);
+@@ -3372,7 +3372,7 @@ xmlIsMixedElement(xmlDocPtr doc, const xmlChar *name) {
+
+ static int
+ xmlIsDocNameStartChar(xmlDocPtr doc, int c) {
+- if ((doc == NULL) || (doc->properties & XML_DOC_OLD10) == 0) {
++ if ((doc == NULL) || (XML_DOC_GET_PROPERTIES(doc) & XML_DOC_OLD10) == 0) {
+ /*
+ * Use the new checks of production [4] [4a] amd [5] of the
+ * Update 5 of XML-1.0
+@@ -3402,7 +3402,7 @@ xmlIsDocNameStartChar(xmlDocPtr doc, int c) {
+
+ static int
+ xmlIsDocNameChar(xmlDocPtr doc, int c) {
+- if ((doc == NULL) || (doc->properties & XML_DOC_OLD10) == 0) {
++ if ((doc == NULL) || (XML_DOC_GET_PROPERTIES(doc) & XML_DOC_OLD10) == 0) {
+ /*
+ * Use the new checks of production [4] [4a] amd [5] of the
+ * Update 5 of XML-1.0
+@@ -3952,7 +3952,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+
+ if (attrDecl == NULL)
+ return(NULL);
+- if (attrDecl->atype == XML_ATTRIBUTE_CDATA)
++ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_CDATA)
+ return(NULL);
+
+ ret = xmlStrdup(value);
+@@ -4014,7 +4014,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem,
+
+ if (attrDecl == NULL)
+ return(NULL);
+- if (attrDecl->atype == XML_ATTRIBUTE_CDATA)
++ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_CDATA)
+ return(NULL);
+
+ ret = xmlStrdup(value);
+@@ -4029,7 +4029,7 @@ xmlValidateAttributeIdCallback(void *payload, void *data,
+ const xmlChar *name ATTRIBUTE_UNUSED) {
+ xmlAttributePtr attr = (xmlAttributePtr) payload;
+ int *count = (int *) data;
+- if (attr->atype == XML_ATTRIBUTE_ID) (*count)++;
++ if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_ID) (*count)++;
+ }
+
+ /**
+@@ -4061,7 +4061,7 @@ xmlValidateAttributeDecl(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ /* Attribute Default Legal */
+ /* Enumeration */
+ if (attr->defaultValue != NULL) {
+- val = xmlValidateAttributeValueInternal(doc, attr->atype,
++ val = xmlValidateAttributeValueInternal(doc, XML_ATTR_GET_ATYPE(attr),
+ attr->defaultValue);
+ if (val == 0) {
+ xmlErrValidNode(ctxt, (xmlNodePtr) attr, XML_DTD_ATTRIBUTE_DEFAULT,
+@@ -4072,7 +4072,7 @@ xmlValidateAttributeDecl(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ }
+
+ /* ID Attribute Default */
+- if ((attr->atype == XML_ATTRIBUTE_ID)&&
++ if ((XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_ID)&&
+ (attr->def != XML_ATTRIBUTE_IMPLIED) &&
+ (attr->def != XML_ATTRIBUTE_REQUIRED)) {
+ xmlErrValidNode(ctxt, (xmlNodePtr) attr, XML_DTD_ID_FIXED,
+@@ -4082,7 +4082,7 @@ xmlValidateAttributeDecl(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ }
+
+ /* One ID per Element Type */
+- if (attr->atype == XML_ATTRIBUTE_ID) {
++ if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_ID) {
+ int nbId;
+
+ /* the trick is that we parse DtD as their own internal subset */
+@@ -4341,9 +4341,9 @@ xmlValidateOneAttribute(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ attr->name, elem->name, NULL);
+ return(0);
+ }
+- attr->atype = attrDecl->atype;
++ XML_ATTR_SET_ATYPE(attr, attrDecl->atype);
+
+- val = xmlValidateAttributeValueInternal(doc, attrDecl->atype, value);
++ val = xmlValidateAttributeValueInternal(doc, XML_ATTR_GET_ATYPE(attrDecl), value);
+ if (val == 0) {
+ xmlErrValidNode(ctxt, elem, XML_DTD_ATTRIBUTE_VALUE,
+ "Syntax of value for attribute %s of %s is not valid\n",
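Review bot: in xmlValidateOneAttribute the new `XML_ATTR_SET_ATYPE(attr, attrDecl->atype);` passes the raw `attrDecl->atype`, while the very next changed line reads the same field through `XML_ATTR_GET_ATYPE(attrDecl)`. The setter masks its argument, so the stored value is the same, but this leaves one direct read of `atype` in a patch whose purpose is to route all accesses through the accessors. Passing `XML_ATTR_GET_ATYPE(attrDecl)` here would keep the call sites consistent.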
+@@ -4362,19 +4362,19 @@ xmlValidateOneAttribute(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ }
+
+ /* Validity Constraint: ID uniqueness */
+- if (attrDecl->atype == XML_ATTRIBUTE_ID) {
++ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_ID) {
+ if (xmlAddID(ctxt, doc, value, attr) == NULL)
+ ret = 0;
+ }
+
+- if ((attrDecl->atype == XML_ATTRIBUTE_IDREF) ||
+- (attrDecl->atype == XML_ATTRIBUTE_IDREFS)) {
++ if ((XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREF) ||
++ (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_IDREFS)) {
+ if (xmlAddRef(ctxt, doc, value, attr) == NULL)
+ ret = 0;
+ }
+
+ /* Validity Constraint: Notation Attributes */
+- if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
++ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_NOTATION) {
+ xmlEnumerationPtr tree = attrDecl->tree;
+ xmlNotationPtr nota;
+
+@@ -4404,7 +4404,7 @@ xmlValidateOneAttribute(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+ }
+
+ /* Validity Constraint: Enumeration */
+- if (attrDecl->atype == XML_ATTRIBUTE_ENUMERATION) {
++ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_ENUMERATION) {
+ xmlEnumerationPtr tree = attrDecl->tree;
+ while (tree != NULL) {
+ if (xmlStrEqual(tree->name, value)) break;
+@@ -4429,7 +4429,7 @@ xmlValidateOneAttribute(xmlValidCtxtPtr ctxt, xmlDocPtr doc,
+
+ /* Extra check for the attribute value */
+ ret &= xmlValidateAttributeValue2(ctxt, doc, attr->name,
+- attrDecl->atype, value);
++ XML_ATTR_GET_ATYPE(attrDecl), value);
+
+ return(ret);
+ }
+@@ -4528,7 +4528,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ return(0);
+ }
+
+- val = xmlValidateAttributeValueInternal(doc, attrDecl->atype, value);
++ val = xmlValidateAttributeValueInternal(doc, XML_ATTR_GET_ATYPE(attrDecl), value);
+ if (val == 0) {
+ if (ns->prefix != NULL) {
+ xmlErrValidNode(ctxt, elem, XML_DTD_INVALID_DEFAULT,
+@@ -4578,7 +4578,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ #endif
+
+ /* Validity Constraint: Notation Attributes */
+- if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
++ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_NOTATION) {
+ xmlEnumerationPtr tree = attrDecl->tree;
+ xmlNotationPtr nota;
+
+@@ -4620,7 +4620,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ }
+
+ /* Validity Constraint: Enumeration */
+- if (attrDecl->atype == XML_ATTRIBUTE_ENUMERATION) {
++ if (XML_ATTR_GET_ATYPE(attrDecl) == XML_ATTRIBUTE_ENUMERATION) {
+ xmlEnumerationPtr tree = attrDecl->tree;
+ while (tree != NULL) {
+ if (xmlStrEqual(tree->name, value)) break;
+@@ -4658,10 +4658,10 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ /* Extra check for the attribute value */
+ if (ns->prefix != NULL) {
+ ret &= xmlValidateAttributeValue2(ctxt, doc, ns->prefix,
+- attrDecl->atype, value);
++ XML_ATTR_GET_ATYPE(attrDecl), value);
+ } else {
+ ret &= xmlValidateAttributeValue2(ctxt, doc, BAD_CAST "xmlns",
+- attrDecl->atype, value);
++ XML_ATTR_GET_ATYPE(attrDecl), value);
+ }
+
+ return(ret);
+@@ -6375,7 +6375,7 @@ xmlValidateRef(xmlRefPtr ref, xmlValidCtxtPtr ctxt,
+ while (IS_BLANK_CH(*cur)) cur++;
+ }
+ xmlFree(dup);
+- } else if (attr->atype == XML_ATTRIBUTE_IDREF) {
++ } else if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_IDREF) {
+ id = xmlGetID(ctxt->doc, name);
+ if (id == NULL) {
+ xmlErrValidNode(ctxt, attr->parent, XML_DTD_UNKNOWN_ID,
+@@ -6383,7 +6383,7 @@ xmlValidateRef(xmlRefPtr ref, xmlValidCtxtPtr ctxt,
+ attr->name, name, NULL);
+ ctxt->valid = 0;
+ }
+- } else if (attr->atype == XML_ATTRIBUTE_IDREFS) {
++ } else if (XML_ATTR_GET_ATYPE(attr) == XML_ATTRIBUTE_IDREFS) {
+ xmlChar *dup, *str = NULL, *cur, save;
+
+ dup = xmlStrdup(name);
+@@ -6583,7 +6583,7 @@ xmlValidateAttributeCallback(void *payload, void *data,
+
+ if (cur == NULL)
+ return;
+- switch (cur->atype) {
++ switch (XML_ATTR_GET_ATYPE(cur)) {
+ case XML_ATTRIBUTE_CDATA:
+ case XML_ATTRIBUTE_ID:
+ case XML_ATTRIBUTE_IDREF :
+@@ -6598,7 +6598,7 @@ xmlValidateAttributeCallback(void *payload, void *data,
+ if (cur->defaultValue != NULL) {
+
+ ret = xmlValidateAttributeValue2(ctxt, ctxt->doc, cur->name,
+- cur->atype, cur->defaultValue);
++ XML_ATTR_GET_ATYPE(cur), cur->defaultValue);
+ if ((ret == 0) && (ctxt->valid == 1))
+ ctxt->valid = 0;
+ }
+@@ -6606,14 +6606,14 @@ xmlValidateAttributeCallback(void *payload, void *data,
+ xmlEnumerationPtr tree = cur->tree;
+ while (tree != NULL) {
+ ret = xmlValidateAttributeValue2(ctxt, ctxt->doc,
+- cur->name, cur->atype, tree->name);
++ cur->name, XML_ATTR_GET_ATYPE(cur), tree->name);
+ if ((ret == 0) && (ctxt->valid == 1))
+ ctxt->valid = 0;
+ tree = tree->next;
+ }
+ }
+ }
+- if (cur->atype == XML_ATTRIBUTE_NOTATION) {
++ if (XML_ATTR_GET_ATYPE(cur) == XML_ATTRIBUTE_NOTATION) {
+ doc = cur->doc;
+ if (cur->elem == NULL) {
+ xmlErrValid(ctxt, XML_ERR_INTERNAL_ERROR,
+diff --git a/xmlreader.c b/xmlreader.c
+index 5fdeb2b..5de168c 100644
+--- a/xmlreader.c
++++ b/xmlreader.c
+@@ -572,7 +572,7 @@ xmlTextReaderStartElement(void *ctx, const xmlChar *fullname,
+ if ((ctxt->node != NULL) && (ctxt->input != NULL) &&
+ (ctxt->input->cur != NULL) && (ctxt->input->cur[0] == '/') &&
+ (ctxt->input->cur[1] == '>'))
+- ctxt->node->extra = NODE_IS_EMPTY;
++ XML_NODE_SET_EXTRA(ctxt->node, NODE_IS_EMPTY);
+ }
+ if (reader != NULL)
+ reader->state = XML_TEXTREADER_ELEMENT;
+@@ -631,7 +631,7 @@ xmlTextReaderStartElementNs(void *ctx,
+ if ((ctxt->node != NULL) && (ctxt->input != NULL) &&
+ (ctxt->input->cur != NULL) && (ctxt->input->cur[0] == '/') &&
+ (ctxt->input->cur[1] == '>'))
+- ctxt->node->extra = NODE_IS_EMPTY;
++ XML_NODE_SET_EXTRA(ctxt->node, NODE_IS_EMPTY);
+ }
+ if (reader != NULL)
+ reader->state = XML_TEXTREADER_ELEMENT;
+@@ -1017,7 +1017,7 @@ skip_children:
+ xmlNodePtr tmp;
+ if (reader->entNr == 0) {
+ while ((tmp = node->last) != NULL) {
+- if ((tmp->extra & NODE_IS_PRESERVED) == 0) {
++ if ((XML_NODE_GET_EXTRA(tmp) & NODE_IS_PRESERVED) == 0) {
+ xmlUnlinkNode(tmp);
+ xmlTextReaderFreeNode(reader, tmp);
+ } else
+@@ -1265,7 +1265,7 @@ get_next_node:
+ if ((oldstate == XML_TEXTREADER_ELEMENT) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->children == NULL) &&
+- ((reader->node->extra & NODE_IS_EMPTY) == 0)
++ ((XML_NODE_GET_EXTRA(reader->node) & NODE_IS_EMPTY) == 0)
+ #ifdef LIBXML_XINCLUDE_ENABLED
+ && (reader->in_xinclude <= 0)
+ #endif
+@@ -1279,7 +1279,7 @@ get_next_node:
+ xmlTextReaderValidatePop(reader);
+ #endif /* LIBXML_REGEXP_ENABLED */
+ if ((reader->preserves > 0) &&
+- (reader->node->extra & NODE_IS_SPRESERVED))
++ (XML_NODE_GET_EXTRA(reader->node) & NODE_IS_SPRESERVED))
+ reader->preserves--;
+ reader->node = reader->node->next;
+ reader->state = XML_TEXTREADER_ELEMENT;
+@@ -1295,7 +1295,7 @@ get_next_node:
+ (reader->node->prev != NULL) &&
+ (reader->node->prev->type != XML_DTD_NODE)) {
+ xmlNodePtr tmp = reader->node->prev;
+- if ((tmp->extra & NODE_IS_PRESERVED) == 0) {
++ if ((XML_NODE_GET_EXTRA(tmp) & NODE_IS_PRESERVED) == 0) {
+ if (oldnode == tmp)
+ oldnode = NULL;
+ xmlUnlinkNode(tmp);
+@@ -1308,7 +1308,7 @@ get_next_node:
+ if ((oldstate == XML_TEXTREADER_ELEMENT) &&
+ (reader->node->type == XML_ELEMENT_NODE) &&
+ (reader->node->children == NULL) &&
+- ((reader->node->extra & NODE_IS_EMPTY) == 0)) {;
++ ((XML_NODE_GET_EXTRA(reader->node) & NODE_IS_EMPTY) == 0)) {;
+ reader->state = XML_TEXTREADER_END;
+ goto node_found;
+ }
+@@ -1317,7 +1317,7 @@ get_next_node:
+ xmlTextReaderValidatePop(reader);
+ #endif /* LIBXML_REGEXP_ENABLED */
+ if ((reader->preserves > 0) &&
+- (reader->node->extra & NODE_IS_SPRESERVED))
++ (XML_NODE_GET_EXTRA(reader->node) & NODE_IS_SPRESERVED))
+ reader->preserves--;
+ reader->node = reader->node->parent;
+ if ((reader->node == NULL) ||
+@@ -1341,7 +1341,7 @@ get_next_node:
+ #endif
+ (reader->entNr == 0) &&
+ (oldnode->type != XML_DTD_NODE) &&
+- ((oldnode->extra & NODE_IS_PRESERVED) == 0)) {
++ ((XML_NODE_GET_EXTRA(oldnode) & NODE_IS_PRESERVED) == 0)) {
+ xmlUnlinkNode(oldnode);
+ xmlTextReaderFreeNode(reader, oldnode);
+ }
+@@ -1354,7 +1354,7 @@ get_next_node:
+ #endif
+ (reader->entNr == 0) &&
+ (reader->node->last != NULL) &&
+- ((reader->node->last->extra & NODE_IS_PRESERVED) == 0)) {
++ ((XML_NODE_GET_EXTRA(reader->node->last) & NODE_IS_PRESERVED) == 0)) {
+ xmlNodePtr tmp = reader->node->last;
+ xmlUnlinkNode(tmp);
+ xmlTextReaderFreeNode(reader, tmp);
+@@ -1536,7 +1536,7 @@ xmlTextReaderNext(xmlTextReaderPtr reader) {
+ return(xmlTextReaderRead(reader));
+ if (reader->state == XML_TEXTREADER_END || reader->state == XML_TEXTREADER_BACKTRACK)
+ return(xmlTextReaderRead(reader));
+- if (cur->extra & NODE_IS_EMPTY)
++ if (XML_NODE_GET_EXTRA(cur) & NODE_IS_EMPTY)
+ return(xmlTextReaderRead(reader));
+ do {
+ ret = xmlTextReaderRead(reader);
+@@ -2956,7 +2956,7 @@ xmlTextReaderIsEmptyElement(xmlTextReaderPtr reader) {
+ if (reader->in_xinclude > 0)
+ return(1);
+ #endif
+- return((reader->node->extra & NODE_IS_EMPTY) != 0);
++ return((XML_NODE_GET_EXTRA(reader->node) & NODE_IS_EMPTY) != 0);
+ }
+
+ /**
+@@ -3818,15 +3818,15 @@ xmlTextReaderPreserve(xmlTextReaderPtr reader) {
+ return(NULL);
+
+ if ((cur->type != XML_DOCUMENT_NODE) && (cur->type != XML_DTD_NODE)) {
+- cur->extra |= NODE_IS_PRESERVED;
+- cur->extra |= NODE_IS_SPRESERVED;
++ XML_NODE_ADD_EXTRA(cur, NODE_IS_PRESERVED);
++ XML_NODE_ADD_EXTRA(cur, NODE_IS_SPRESERVED);
+ }
+ reader->preserves++;
+
+ parent = cur->parent;;
+ while (parent != NULL) {
+ if (parent->type == XML_ELEMENT_NODE)
+- parent->extra |= NODE_IS_PRESERVED;
++ XML_NODE_ADD_EXTRA(parent, NODE_IS_PRESERVED);
+ parent = parent->parent;
+ }
+ return(cur);
+diff --git a/xmlschemas.c b/xmlschemas.c
+index 428e3c8..1f54acc 100644
+--- a/xmlschemas.c
++++ b/xmlschemas.c
+@@ -5895,7 +5895,7 @@ xmlSchemaPValAttrNodeID(xmlSchemaParserCtxtPtr ctxt, xmlAttrPtr attr)
+ /*
+ * NOTE: the IDness might have already be declared in the DTD
+ */
+- if (attr->atype != XML_ATTRIBUTE_ID) {
++ if (XML_ATTR_GET_ATYPE(attr) != XML_ATTRIBUTE_ID) {
+ xmlIDPtr res;
+ xmlChar *strip;
+
+@@ -5918,7 +5918,7 @@ xmlSchemaPValAttrNodeID(xmlSchemaParserCtxtPtr ctxt, xmlAttrPtr attr)
+ NULL, NULL, "Duplicate value '%s' of simple "
+ "type 'xs:ID'", value, NULL);
+ } else
+- attr->atype = XML_ATTRIBUTE_ID;
++ XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ID);
+ }
+ } else if (ret > 0) {
+ ret = XML_SCHEMAP_S4S_ATTR_INVALID_VALUE;
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index de95d94..76a7c87 100644
+--- a/xmlschemastypes.c
++++ b/xmlschemastypes.c
+@@ -2969,7 +2969,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+ /*
+ * NOTE: the IDness might have already be declared in the DTD
+ */
+- if (attr->atype != XML_ATTRIBUTE_ID) {
++ if (XML_ATTR_GET_ATYPE(attr) != XML_ATTRIBUTE_ID) {
+ xmlIDPtr res;
+ xmlChar *strip;
+
+@@ -2982,7 +2982,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+ if (res == NULL) {
+ ret = 2;
+ } else {
+- attr->atype = XML_ATTRIBUTE_ID;
++ XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ID);
+ }
+ }
+ }
+@@ -3007,7 +3007,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+ xmlFree(strip);
+ } else
+ xmlAddRef(NULL, node->doc, value, attr);
+- attr->atype = XML_ATTRIBUTE_IDREF;
++ XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_IDREF);
+ }
+ goto done;
+ case XML_SCHEMAS_IDREFS:
+@@ -3021,7 +3021,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+ (node->type == XML_ATTRIBUTE_NODE)) {
+ xmlAttrPtr attr = (xmlAttrPtr) node;
+
+- attr->atype = XML_ATTRIBUTE_IDREFS;
++ XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_IDREFS);
+ }
+ goto done;
+ case XML_SCHEMAS_ENTITY:{
+@@ -3052,7 +3052,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+ (node->type == XML_ATTRIBUTE_NODE)) {
+ xmlAttrPtr attr = (xmlAttrPtr) node;
+
+- attr->atype = XML_ATTRIBUTE_ENTITY;
++ XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ENTITY);
+ }
+ goto done;
+ }
+@@ -3069,7 +3069,7 @@ xmlSchemaValAtomicType(xmlSchemaTypePtr type, const xmlChar * value,
+ (node->type == XML_ATTRIBUTE_NODE)) {
+ xmlAttrPtr attr = (xmlAttrPtr) node;
+
+- attr->atype = XML_ATTRIBUTE_ENTITIES;
++ XML_ATTR_SET_ATYPE(attr, XML_ATTRIBUTE_ENTITIES);
+ }
+ goto done;
+ case XML_SCHEMAS_NOTATION:{
+--
+2.50.1
+
diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb
index a155c3708e..101be545c0 100644
--- a/meta/recipes-core/libxml/libxml2_2.12.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -24,6 +24,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
file://CVE-2025-49794-CVE-2025-49796.patch \
file://CVE-2025-49795.patch \
file://CVE-2025-6170.patch \
+ file://CVE-2025-7425.patch \
"
SRC_URI[archive.sha256sum] = "c3d8c0c34aa39098f66576fe51969db12a5100b956233dc56506f7a8679be995"
--
2.43.0
* [OE-core][scarthgap 4/7] libmicrohttpd: disable experimental code by default
From: Steve Sakoman @ 2025-12-12 15:39 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Introduce new packageconfig to explicitly avoid compilation of
experimental code. Note that the code was not compiled by default also
before this patch, this now makes it explicit and makes it possible to
check for the flags in cve-check code.
This is a less intrusive change than a patch removing the code which was
rejected in patch review.
This will solve CVE-2025-59777 and CVE-2025-62689 as the vulnerable code
is not compiled by default.
Set appropriate CVE status for these CVEs based on new packageconfig.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-support/libmicrohttpd/libmicrohttpd_1.0.1.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/recipes-support/libmicrohttpd/libmicrohttpd_1.0.1.bb b/meta/recipes-support/libmicrohttpd/libmicrohttpd_1.0.1.bb
index 0628ee71b5..a22b0c9342 100644
--- a/meta/recipes-support/libmicrohttpd/libmicrohttpd_1.0.1.bb
+++ b/meta/recipes-support/libmicrohttpd/libmicrohttpd_1.0.1.bb
@@ -19,9 +19,13 @@ PACKAGECONFIG ?= "curl https"
PACKAGECONFIG[curl] = "--enable-curl,--disable-curl,curl,"
PACKAGECONFIG[https] = "--enable-https,--disable-https,libgcrypt gnutls,"
+PACKAGECONFIG[experimental] = "--enable-experimental,--disable-experimental,"
do_compile:append() {
sed -i s:-L${STAGING_LIBDIR}::g libmicrohttpd.pc
}
BBCLASSEXTEND = "native nativesdk"
+
+CVE_STATUS[CVE-2025-59777] = "${@bb.utils.contains('PACKAGECONFIG', 'experimental', 'unpatched', 'not-applicable-config: experimental code not compiled', d)}"
+CVE_STATUS[CVE-2025-62689] = "${@bb.utils.contains('PACKAGECONFIG', 'experimental', 'unpatched', 'not-applicable-config: experimental code not compiled', d)}"
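Review bot: the two `CVE_STATUS` lines at the end of the recipe repeat the same inline `bb.utils.contains('PACKAGECONFIG', 'experimental', ...)` expression, and nothing in the recipe ties them to the new `PACKAGECONFIG[experimental]` entry. A one-line comment above them, saying that both CVEs are in code built only with `--enable-experimental`, would keep the reasoning next to the status. Putting the expression in a single variable referenced by both entries would stop the two from drifting apart.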
--
2.43.0
* [OE-core][scarthgap 5/7] libssh2: upgrade 1.11.0 -> 1.11.1
From: Steve Sakoman @ 2025-12-12 15:39 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Changelog: https://github.com/libssh2/libssh2/releases/tag/libssh2-1.11.1
Dropped CVE-2023-48795.patch which is already included in version 1.11.1
Resolves: https://github.com/libssh2/libssh2/issues/1326
License-Update: Copyright symbols were changed from (C) to lowercase (c)
ptest results:
root@qemux86-64:~# ptest-runner libssh2
START: ptest-runner
2025-12-08T12:37
BEGIN: /usr/lib/libssh2/ptest
PASS: mansyntax.sh
PASS: test_simple
PASS: test_sshd.test
DURATION: 6
END: /usr/lib/libssh2/ptest
2025-12-08T12:37
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../libssh2/libssh2/CVE-2023-48795.patch | 466 ------------------
.../{libssh2_1.11.0.bb => libssh2_1.11.1.bb} | 5 +-
2 files changed, 2 insertions(+), 469 deletions(-)
delete mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
rename meta/recipes-support/libssh2/{libssh2_1.11.0.bb => libssh2_1.11.1.bb} (88%)
diff --git a/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch b/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
deleted file mode 100644
index ab0f419ac5..0000000000
--- a/meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
+++ /dev/null
@@ -1,466 +0,0 @@
-From d4634630432594b139b3af6b9f254b890c0f275d Mon Sep 17 00:00:00 2001
-From: Michael Buckley <michael@buckleyisms.com>
-Date: Thu, 30 Nov 2023 15:08:02 -0800
-Subject: [PATCH] src: add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
-
-Refs:
-https://terrapin-attack.com/
-https://seclists.org/oss-sec/2023/q4/292
-https://osv.dev/list?ecosystem=&q=CVE-2023-48795
-https://github.com/advisories/GHSA-45x7-px36-x8w8
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795
-
-Fixes #1290
-Closes #1291
-
-CVE: CVE-2023-48795
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- src/kex.c | 63 +++++++++++++++++++++++------------
- src/libssh2_priv.h | 18 +++++++---
- src/packet.c | 83 +++++++++++++++++++++++++++++++++++++++++++---
- src/packet.h | 2 +-
- src/session.c | 3 ++
- src/transport.c | 12 ++++++-
- 6 files changed, 149 insertions(+), 32 deletions(-)
-
-diff --git a/src/kex.c b/src/kex.c
-index d4034a0a..b4b748ca 100644
---- a/src/kex.c
-+++ b/src/kex.c
-@@ -3037,6 +3037,13 @@ kex_method_extension_negotiation = {
- 0,
- };
-
-+static const LIBSSH2_KEX_METHOD
-+kex_method_strict_client_extension = {
-+ "kex-strict-c-v00@openssh.com",
-+ NULL,
-+ 0,
-+};
-+
- static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = {
- #if LIBSSH2_ED25519
- &kex_method_ssh_curve25519_sha256,
-@@ -3055,6 +3062,7 @@ static const LIBSSH2_KEX_METHOD *libssh2_kex_methods[] = {
- &kex_method_diffie_helman_group1_sha1,
- &kex_method_diffie_helman_group_exchange_sha1,
- &kex_method_extension_negotiation,
-+ &kex_method_strict_client_extension,
- NULL
- };
-
-@@ -3307,13 +3315,13 @@ static int kexinit(LIBSSH2_SESSION * session)
- return 0;
- }
-
--/* kex_agree_instr
-+/* _libssh2_kex_agree_instr
- * Kex specific variant of strstr()
- * Needle must be preceded by BOL or ',', and followed by ',' or EOL
- */
--static unsigned char *
--kex_agree_instr(unsigned char *haystack, size_t haystack_len,
-- const unsigned char *needle, size_t needle_len)
-+unsigned char *
-+_libssh2_kex_agree_instr(unsigned char *haystack, size_t haystack_len,
-+ const unsigned char *needle, size_t needle_len)
- {
- unsigned char *s;
- unsigned char *end_haystack;
-@@ -3398,7 +3406,7 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session,
- while(s && *s) {
- unsigned char *p = (unsigned char *) strchr((char *) s, ',');
- size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
-- if(kex_agree_instr(hostkey, hostkey_len, s, method_len)) {
-+ if(_libssh2_kex_agree_instr(hostkey, hostkey_len, s, method_len)) {
- const LIBSSH2_HOSTKEY_METHOD *method =
- (const LIBSSH2_HOSTKEY_METHOD *)
- kex_get_method_by_name((char *) s, method_len,
-@@ -3432,9 +3440,9 @@ static int kex_agree_hostkey(LIBSSH2_SESSION * session,
- }
-
- while(hostkeyp && (*hostkeyp) && (*hostkeyp)->name) {
-- s = kex_agree_instr(hostkey, hostkey_len,
-- (unsigned char *) (*hostkeyp)->name,
-- strlen((*hostkeyp)->name));
-+ s = _libssh2_kex_agree_instr(hostkey, hostkey_len,
-+ (unsigned char *) (*hostkeyp)->name,
-+ strlen((*hostkeyp)->name));
- if(s) {
- /* So far so good, but does it suit our purposes? (Encrypting vs
- Signing) */
-@@ -3468,6 +3476,12 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
- {
- const LIBSSH2_KEX_METHOD **kexp = libssh2_kex_methods;
- unsigned char *s;
-+ const unsigned char *strict =
-+ (unsigned char *)"kex-strict-s-v00@openssh.com";
-+
-+ if(_libssh2_kex_agree_instr(kex, kex_len, strict, 28)) {
-+ session->kex_strict = 1;
-+ }
-
- if(session->kex_prefs) {
- s = (unsigned char *) session->kex_prefs;
-@@ -3475,7 +3489,7 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
- while(s && *s) {
- unsigned char *q, *p = (unsigned char *) strchr((char *) s, ',');
- size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
-- q = kex_agree_instr(kex, kex_len, s, method_len);
-+ q = _libssh2_kex_agree_instr(kex, kex_len, s, method_len);
- if(q) {
- const LIBSSH2_KEX_METHOD *method = (const LIBSSH2_KEX_METHOD *)
- kex_get_method_by_name((char *) s, method_len,
-@@ -3509,9 +3523,9 @@ static int kex_agree_kex_hostkey(LIBSSH2_SESSION * session, unsigned char *kex,
- }
-
- while(*kexp && (*kexp)->name) {
-- s = kex_agree_instr(kex, kex_len,
-- (unsigned char *) (*kexp)->name,
-- strlen((*kexp)->name));
-+ s = _libssh2_kex_agree_instr(kex, kex_len,
-+ (unsigned char *) (*kexp)->name,
-+ strlen((*kexp)->name));
- if(s) {
- /* We've agreed on a key exchange method,
- * Can we agree on a hostkey that works with this kex?
-@@ -3555,7 +3569,7 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session,
- unsigned char *p = (unsigned char *) strchr((char *) s, ',');
- size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
-
-- if(kex_agree_instr(crypt, crypt_len, s, method_len)) {
-+ if(_libssh2_kex_agree_instr(crypt, crypt_len, s, method_len)) {
- const LIBSSH2_CRYPT_METHOD *method =
- (const LIBSSH2_CRYPT_METHOD *)
- kex_get_method_by_name((char *) s, method_len,
-@@ -3577,9 +3591,9 @@ static int kex_agree_crypt(LIBSSH2_SESSION * session,
- }
-
- while(*cryptp && (*cryptp)->name) {
-- s = kex_agree_instr(crypt, crypt_len,
-- (unsigned char *) (*cryptp)->name,
-- strlen((*cryptp)->name));
-+ s = _libssh2_kex_agree_instr(crypt, crypt_len,
-+ (unsigned char *) (*cryptp)->name,
-+ strlen((*cryptp)->name));
- if(s) {
- endpoint->crypt = *cryptp;
- return 0;
-@@ -3619,7 +3633,7 @@ static int kex_agree_mac(LIBSSH2_SESSION * session,
- unsigned char *p = (unsigned char *) strchr((char *) s, ',');
- size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
-
-- if(kex_agree_instr(mac, mac_len, s, method_len)) {
-+ if(_libssh2_kex_agree_instr(mac, mac_len, s, method_len)) {
- const LIBSSH2_MAC_METHOD *method = (const LIBSSH2_MAC_METHOD *)
- kex_get_method_by_name((char *) s, method_len,
- (const LIBSSH2_COMMON_METHOD **)
-@@ -3640,8 +3654,9 @@ static int kex_agree_mac(LIBSSH2_SESSION * session,
- }
-
- while(*macp && (*macp)->name) {
-- s = kex_agree_instr(mac, mac_len, (unsigned char *) (*macp)->name,
-- strlen((*macp)->name));
-+ s = _libssh2_kex_agree_instr(mac, mac_len,
-+ (unsigned char *) (*macp)->name,
-+ strlen((*macp)->name));
- if(s) {
- endpoint->mac = *macp;
- return 0;
-@@ -3672,7 +3687,7 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
- unsigned char *p = (unsigned char *) strchr((char *) s, ',');
- size_t method_len = (p ? (size_t)(p - s) : strlen((char *) s));
-
-- if(kex_agree_instr(comp, comp_len, s, method_len)) {
-+ if(_libssh2_kex_agree_instr(comp, comp_len, s, method_len)) {
- const LIBSSH2_COMP_METHOD *method =
- (const LIBSSH2_COMP_METHOD *)
- kex_get_method_by_name((char *) s, method_len,
-@@ -3694,8 +3709,9 @@ static int kex_agree_comp(LIBSSH2_SESSION *session,
- }
-
- while(*compp && (*compp)->name) {
-- s = kex_agree_instr(comp, comp_len, (unsigned char *) (*compp)->name,
-- strlen((*compp)->name));
-+ s = _libssh2_kex_agree_instr(comp, comp_len,
-+ (unsigned char *) (*compp)->name,
-+ strlen((*compp)->name));
- if(s) {
- endpoint->comp = *compp;
- return 0;
-@@ -3876,6 +3892,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
- session->local.kexinit = key_state->oldlocal;
- session->local.kexinit_len = key_state->oldlocal_len;
- key_state->state = libssh2_NB_state_idle;
-+ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
- session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
- session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
- return -1;
-@@ -3901,6 +3918,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
- session->local.kexinit = key_state->oldlocal;
- session->local.kexinit_len = key_state->oldlocal_len;
- key_state->state = libssh2_NB_state_idle;
-+ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
- session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
- session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
- return -1;
-@@ -3949,6 +3967,7 @@ _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
- session->remote.kexinit = NULL;
- }
-
-+ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
- session->state &= ~LIBSSH2_STATE_KEX_ACTIVE;
- session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
-
-diff --git a/src/libssh2_priv.h b/src/libssh2_priv.h
-index 82c3afe2..ee1d8b5c 100644
---- a/src/libssh2_priv.h
-+++ b/src/libssh2_priv.h
-@@ -699,6 +699,9 @@ struct _LIBSSH2_SESSION
- /* key signing algorithm preferences -- NULL yields server order */
- char *sign_algo_prefs;
-
-+ /* Whether to use the OpenSSH Strict KEX extension */
-+ int kex_strict;
-+
- /* (remote as source of data -- packet_read ) */
- libssh2_endpoint_data remote;
-
-@@ -870,6 +873,7 @@ struct _LIBSSH2_SESSION
- int fullpacket_macstate;
- size_t fullpacket_payload_len;
- int fullpacket_packet_type;
-+ uint32_t fullpacket_required_type;
-
- /* State variables used in libssh2_sftp_init() */
- libssh2_nonblocking_states sftpInit_state;
-@@ -910,10 +914,11 @@ struct _LIBSSH2_SESSION
- };
-
- /* session.state bits */
--#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000001
--#define LIBSSH2_STATE_NEWKEYS 0x00000002
--#define LIBSSH2_STATE_AUTHENTICATED 0x00000004
--#define LIBSSH2_STATE_KEX_ACTIVE 0x00000008
-+#define LIBSSH2_STATE_INITIAL_KEX 0x00000001
-+#define LIBSSH2_STATE_EXCHANGING_KEYS 0x00000002
-+#define LIBSSH2_STATE_NEWKEYS 0x00000004
-+#define LIBSSH2_STATE_AUTHENTICATED 0x00000008
-+#define LIBSSH2_STATE_KEX_ACTIVE 0x00000010
-
- /* session.flag helpers */
- #ifdef MSG_NOSIGNAL
-@@ -1144,6 +1149,11 @@ ssize_t _libssh2_send(libssh2_socket_t socket, const void *buffer,
- int _libssh2_kex_exchange(LIBSSH2_SESSION * session, int reexchange,
- key_exchange_state_t * state);
-
-+unsigned char *_libssh2_kex_agree_instr(unsigned char *haystack,
-+ size_t haystack_len,
-+ const unsigned char *needle,
-+ size_t needle_len);
-+
- /* Let crypt.c/hostkey.c expose their method structs */
- const LIBSSH2_CRYPT_METHOD **libssh2_crypt_methods(void);
- const LIBSSH2_HOSTKEY_METHOD **libssh2_hostkey_methods(void);
-diff --git a/src/packet.c b/src/packet.c
-index b5b41981..35d4d39e 100644
---- a/src/packet.c
-+++ b/src/packet.c
-@@ -605,14 +605,13 @@ authagent_exit:
- * layer when it has received a packet.
- *
- * The input pointer 'data' is pointing to allocated data that this function
-- * is asked to deal with so on failure OR success, it must be freed fine.
-- * The only exception is when the return code is LIBSSH2_ERROR_EAGAIN.
-+ * will be freed unless return the code is LIBSSH2_ERROR_EAGAIN.
- *
- * This function will always be called with 'datalen' greater than zero.
- */
- int
- _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-- size_t datalen, int macstate)
-+ size_t datalen, int macstate, uint32_t seq)
- {
- int rc = 0;
- unsigned char *message = NULL;
-@@ -657,6 +656,70 @@ _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
- break;
- }
-
-+ if(session->state & LIBSSH2_STATE_INITIAL_KEX) {
-+ if(msg == SSH_MSG_KEXINIT) {
-+ if(!session->kex_strict) {
-+ if(datalen < 17) {
-+ LIBSSH2_FREE(session, data);
-+ session->packAdd_state = libssh2_NB_state_idle;
-+ return _libssh2_error(session,
-+ LIBSSH2_ERROR_BUFFER_TOO_SMALL,
-+ "Data too short extracting kex");
-+ }
-+ else {
-+ const unsigned char *strict =
-+ (unsigned char *)"kex-strict-s-v00@openssh.com";
-+ struct string_buf buf;
-+ unsigned char *algs = NULL;
-+ size_t algs_len = 0;
-+
-+ buf.data = (unsigned char *)data;
-+ buf.dataptr = buf.data;
-+ buf.len = datalen;
-+ buf.dataptr += 17; /* advance past type and cookie */
-+
-+ if(_libssh2_get_string(&buf, &algs, &algs_len)) {
-+ LIBSSH2_FREE(session, data);
-+ session->packAdd_state = libssh2_NB_state_idle;
-+ return _libssh2_error(session,
-+ LIBSSH2_ERROR_BUFFER_TOO_SMALL,
-+ "Algs too short");
-+ }
-+
-+ if(algs_len == 0 ||
-+ _libssh2_kex_agree_instr(algs, algs_len, strict, 28)) {
-+ session->kex_strict = 1;
-+ }
-+ }
-+ }
-+
-+ if(session->kex_strict && seq) {
-+ LIBSSH2_FREE(session, data);
-+ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;
-+ session->packAdd_state = libssh2_NB_state_idle;
-+ libssh2_session_disconnect(session, "strict KEX violation: "
-+ "KEXINIT was not the first packet");
-+
-+ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
-+ "strict KEX violation: "
-+ "KEXINIT was not the first packet");
-+ }
-+ }
-+
-+ if(session->kex_strict && session->fullpacket_required_type &&
-+ session->fullpacket_required_type != msg) {
-+ LIBSSH2_FREE(session, data);
-+ session->socket_state = LIBSSH2_SOCKET_DISCONNECTED;
-+ session->packAdd_state = libssh2_NB_state_idle;
-+ libssh2_session_disconnect(session, "strict KEX violation: "
-+ "unexpected packet type");
-+
-+ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
-+ "strict KEX violation: "
-+ "unexpected packet type");
-+ }
-+ }
-+
- if(session->packAdd_state == libssh2_NB_state_allocated) {
- /* A couple exceptions to the packet adding rule: */
- switch(msg) {
-@@ -1341,6 +1404,15 @@ _libssh2_packet_ask(LIBSSH2_SESSION * session, unsigned char packet_type,
-
- return 0;
- }
-+ else if(session->kex_strict &&
-+ (session->state & LIBSSH2_STATE_INITIAL_KEX)) {
-+ libssh2_session_disconnect(session, "strict KEX violation: "
-+ "unexpected packet type");
-+
-+ return _libssh2_error(session, LIBSSH2_ERROR_SOCKET_DISCONNECT,
-+ "strict KEX violation: "
-+ "unexpected packet type");
-+ }
- packet = _libssh2_list_next(&packet->node);
- }
- return -1;
-@@ -1402,7 +1474,10 @@ _libssh2_packet_require(LIBSSH2_SESSION * session, unsigned char packet_type,
- }
-
- while(session->socket_state == LIBSSH2_SOCKET_CONNECTED) {
-- int ret = _libssh2_transport_read(session);
-+ int ret;
-+ session->fullpacket_required_type = packet_type;
-+ ret = _libssh2_transport_read(session);
-+ session->fullpacket_required_type = 0;
- if(ret == LIBSSH2_ERROR_EAGAIN)
- return ret;
- else if(ret < 0) {
-diff --git a/src/packet.h b/src/packet.h
-index 79018bcf..6ea100a5 100644
---- a/src/packet.h
-+++ b/src/packet.h
-@@ -71,6 +71,6 @@ int _libssh2_packet_burn(LIBSSH2_SESSION * session,
- int _libssh2_packet_write(LIBSSH2_SESSION * session, unsigned char *data,
- unsigned long data_len);
- int _libssh2_packet_add(LIBSSH2_SESSION * session, unsigned char *data,
-- size_t datalen, int macstate);
-+ size_t datalen, int macstate, uint32_t seq);
-
- #endif /* __LIBSSH2_PACKET_H */
-diff --git a/src/session.c b/src/session.c
-index a4d602ba..f4bafb57 100644
---- a/src/session.c
-+++ b/src/session.c
-@@ -464,6 +464,8 @@ libssh2_session_init_ex(LIBSSH2_ALLOC_FUNC((*my_alloc)),
- session->abstract = abstract;
- session->api_timeout = 0; /* timeout-free API by default */
- session->api_block_mode = 1; /* blocking API by default */
-+ session->state = LIBSSH2_STATE_INITIAL_KEX;
-+ session->fullpacket_required_type = 0;
- session->packet_read_timeout = LIBSSH2_DEFAULT_READ_TIMEOUT;
- session->flag.quote_paths = 1; /* default behavior is to quote paths
- for the scp subsystem */
-@@ -1186,6 +1188,7 @@ libssh2_session_disconnect_ex(LIBSSH2_SESSION *session, int reason,
- const char *desc, const char *lang)
- {
- int rc;
-+ session->state &= ~LIBSSH2_STATE_INITIAL_KEX;
- session->state &= ~LIBSSH2_STATE_EXCHANGING_KEYS;
- BLOCK_ADJUST(rc, session,
- session_disconnect(session, reason, desc, lang));
-diff --git a/src/transport.c b/src/transport.c
-index 6d902d33..3b30ff84 100644
---- a/src/transport.c
-+++ b/src/transport.c
-@@ -187,6 +187,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
- struct transportpacket *p = &session->packet;
- int rc;
- int compressed;
-+ uint32_t seq = session->remote.seqno;
-
- if(session->fullpacket_state == libssh2_NB_state_idle) {
- session->fullpacket_macstate = LIBSSH2_MAC_CONFIRMED;
-@@ -318,7 +319,7 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
- if(session->fullpacket_state == libssh2_NB_state_created) {
- rc = _libssh2_packet_add(session, p->payload,
- session->fullpacket_payload_len,
-- session->fullpacket_macstate);
-+ session->fullpacket_macstate, seq);
- if(rc == LIBSSH2_ERROR_EAGAIN)
- return rc;
- if(rc) {
-@@ -329,6 +330,11 @@ fullpacket(LIBSSH2_SESSION * session, int encrypted /* 1 or 0 */ )
-
- session->fullpacket_state = libssh2_NB_state_idle;
-
-+ if(session->kex_strict &&
-+ session->fullpacket_packet_type == SSH_MSG_NEWKEYS) {
-+ session->remote.seqno = 0;
-+ }
-+
- return session->fullpacket_packet_type;
- }
-
-@@ -1091,6 +1097,10 @@ int _libssh2_transport_send(LIBSSH2_SESSION *session,
-
- session->local.seqno++;
-
-+ if(session->kex_strict && data[0] == SSH_MSG_NEWKEYS) {
-+ session->local.seqno = 0;
-+ }
-+
- ret = LIBSSH2_SEND(session, p->outbuf, total_length,
- LIBSSH2_SOCKET_SEND_FLAGS(session));
- if(ret < 0)
---
-2.34.1
-
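Review bot: dropping CVE-2023-48795.patch is only safe if 1.11.1 itself carries the strict KEX handling this file backported (the kex_strict session field, the LIBSSH2_STATE_INITIAL_KEX bit, and the seqno reset after SSH_MSG_NEWKEYS in transport.c). The commit message should say so explicitly, so that the CVE status of the recipe stays traceable once the patch file is gone.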
diff --git a/meta/recipes-support/libssh2/libssh2_1.11.0.bb b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
similarity index 88%
rename from meta/recipes-support/libssh2/libssh2_1.11.0.bb
rename to meta/recipes-support/libssh2/libssh2_1.11.1.bb
index 5100e6f7f9..fb63dea8b3 100644
--- a/meta/recipes-support/libssh2/libssh2_1.11.0.bb
+++ b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
@@ -5,14 +5,13 @@ SECTION = "libs"
DEPENDS = "zlib"
LICENSE = "BSD-3-Clause"
-LIC_FILES_CHKSUM = "file://COPYING;md5=24a33237426720395ebb1dd1349ca225"
+LIC_FILES_CHKSUM = "file://COPYING;md5=2fbf8f834408079bf1fcbadb9814b1bc"
SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
file://run-ptest \
- file://CVE-2023-48795.patch \
"
-SRC_URI[sha256sum] = "3736161e41e2693324deb38c26cfdc3efe6209d634ba4258db1cecff6a5ad461"
+SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"
inherit autotools pkgconfig ptest
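Review bot: the LIC_FILES_CHKSUM md5 for COPYING changes in this hunk while LICENSE stays BSD-3-Clause, so the commit message needs a line describing what changed in the license text (for example a copyright-year update as opposed to a change of terms). Separately, SRC_URI still fetches over http://; the updated SRC_URI[sha256sum] covers integrity, but moving the URL to https:// would be a cheap improvement.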
--
2.43.0
* [OE-core][scarthgap 6/7] libssh2: fix regression in KEX method validation (GH-1553)
From: Steve Sakoman @ 2025-12-12 15:39 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Resolves: https://github.com/libssh2/libssh2/issues/1553
Regression caused by
https://github.com/libssh2/libssh2/commit/00e2a07e824db8798d94809156e9fb4e70a42f89
Backport fix
https://github.com/libssh2/libssh2/commit/4beed7245889ba149cc372f845d5969ce5103a5d
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
...rror-if-user-KEX-methods-are-invalid.patch | 73 +++++++++++++++++++
.../recipes-support/libssh2/libssh2_1.11.1.bb | 1 +
2 files changed, 74 insertions(+)
create mode 100644 meta/recipes-support/libssh2/libssh2/0001-Return-error-if-user-KEX-methods-are-invalid.patch
diff --git a/meta/recipes-support/libssh2/libssh2/0001-Return-error-if-user-KEX-methods-are-invalid.patch b/meta/recipes-support/libssh2/libssh2/0001-Return-error-if-user-KEX-methods-are-invalid.patch
new file mode 100644
index 0000000000..9e7bb9a905
--- /dev/null
+++ b/meta/recipes-support/libssh2/libssh2/0001-Return-error-if-user-KEX-methods-are-invalid.patch
@@ -0,0 +1,73 @@
+From 4beed7245889ba149cc372f845d5969ce5103a5d Mon Sep 17 00:00:00 2001
+From: Will Cosgrove <will@panic.com>
+Date: Fri, 28 Feb 2025 09:32:30 -0800
+Subject: [PATCH] Return error if user KEX methods are invalid #1553 (#1554)
+
+Notes:
+Fixes #1553. Restores error case if user passes in invalid KEX method value to libssh2_session_method_pref.
+
+Credit:
+Amy Lin
+
+Upstream-Status: Backport [https://github.com/libssh2/libssh2/commit/4beed7245889ba149cc372f845d5969ce5103a5d]
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/kex.c | 33 +++++++++++++++++++++------------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index ebee54f987..bafda0e611 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -4196,23 +4196,11 @@ libssh2_session_method_pref(LIBSSH2_SESSION * session, int method_type,
+ char *tmpprefs = NULL;
+ size_t prefs_len = strlen(prefs);
+ const LIBSSH2_COMMON_METHOD **mlist;
+- const char *kex_extensions = "ext-info-c,kex-strict-c-v00@openssh.com,";
+- size_t kex_extensions_len = strlen(kex_extensions);
+
+ switch(method_type) {
+ case LIBSSH2_METHOD_KEX:
+ prefvar = &session->kex_prefs;
+ mlist = (const LIBSSH2_COMMON_METHOD **)libssh2_kex_methods;
+- tmpprefs = LIBSSH2_ALLOC(session, kex_extensions_len + prefs_len + 1);
+- if(!tmpprefs) {
+- return _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
+- "Error allocated space for kex method"
+- " preferences");
+- }
+- memcpy(tmpprefs, kex_extensions, kex_extensions_len);
+- memcpy(tmpprefs + kex_extensions_len, prefs, prefs_len + 1);
+- prefs = tmpprefs;
+- prefs_len = strlen(prefs);
+ break;
+
+ case LIBSSH2_METHOD_HOSTKEY:
+@@ -4314,6 +4302,27 @@ libssh2_session_method_pref(LIBSSH2_SESSION * session, int method_type,
+ "supported");
+ }
+
++ /* add method kex extension to the start of the user list */
++ if(method_type == LIBSSH2_METHOD_KEX) {
++ const char *kex_extensions =
++ "ext-info-c,kex-strict-c-v00@openssh.com,";
++ size_t kex_extensions_len = strlen(kex_extensions);
++ size_t tmp_len = kex_extensions_len + strlen(newprefs);
++ tmpprefs = LIBSSH2_ALLOC(session, tmp_len + 1);
++ if(!tmpprefs) {
++ return _libssh2_error(session, LIBSSH2_ERROR_ALLOC,
++ "Error allocated space for kex method"
++ " preferences");
++ }
++
++ memcpy(tmpprefs, kex_extensions, kex_extensions_len);
++ memcpy(tmpprefs + kex_extensions_len, newprefs, strlen(newprefs));
++ tmpprefs[tmp_len] = '\0';
++
++ LIBSSH2_FREE(session, newprefs);
++ newprefs = tmpprefs;
++ }
++
+ if(*prefvar) {
+ LIBSSH2_FREE(session, *prefvar);
+ }
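Review bot: in the block added by the second kex.c hunk, the if(!tmpprefs) path returns LIBSSH2_ERROR_ALLOC without releasing newprefs, which the success path a few lines later does release with LIBSSH2_FREE(session, newprefs), so the validated preference list leaks when the allocation fails. As a verbatim backport it is reasonable to keep this identical to upstream, but it is worth reporting there; a LIBSSH2_FREE(session, newprefs) before the return would close it. strlen(newprefs) is also evaluated twice where tmp_len - kex_extensions_len would do.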
diff --git a/meta/recipes-support/libssh2/libssh2_1.11.1.bb b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
index fb63dea8b3..49da9698a3 100644
--- a/meta/recipes-support/libssh2/libssh2_1.11.1.bb
+++ b/meta/recipes-support/libssh2/libssh2_1.11.1.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=2fbf8f834408079bf1fcbadb9814b1bc"
SRC_URI = "http://www.libssh2.org/download/${BP}.tar.gz \
file://run-ptest \
+ file://0001-Return-error-if-user-KEX-methods-are-invalid.patch \
"
SRC_URI[sha256sum] = "d9ec76cbe34db98eec3539fe2c899d26b0c837cb3eb466a56b0f109cabf658f7"
--
2.43.0
* [OE-core][scarthgap 7/7] Revert "lib/oe/go: document map_arch, and raise an error on unknown architecture"
From: Steve Sakoman @ 2025-12-12 15:40 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
This reverts commit e6de433ccb2784581d6c775cce97f414ef9334b1.
This introduced a breaking change which is not suitable for backport to
stable LTS branches.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/lib/oe/go.py | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/meta/lib/oe/go.py b/meta/lib/oe/go.py
index 4559dc63b2..dfd957d157 100644
--- a/meta/lib/oe/go.py
+++ b/meta/lib/oe/go.py
@@ -7,10 +7,6 @@
import re
def map_arch(a):
- """
- Map our architecture names to Go's GOARCH names.
- See https://github.com/golang/go/blob/master/src/internal/syslist/syslist.go for the complete list.
- """
if re.match('i.86', a):
return '386'
elif a == 'x86_64':
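Review bot: the docstring removed in this hunk is not part of the breaking change; only the raise in the last hunk is. A plain git revert is easier to track, but if this is respun, keeping the GOARCH docstring would cost nothing on the stable branch.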
@@ -35,4 +31,4 @@ def map_arch(a):
return 'riscv64'
elif a == 'loongarch64':
return 'loong64'
- raise KeyError(f"Cannot map architecture {a}")
+ return ''
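Review bot: with the last line back to return '', an architecture that matches none of the branches yields an empty string, and the failure surfaces later, away from map_arch. That is the previous stable behaviour, so it is acceptable for a revert, but the commit message could name what the KeyError broke so that the reason is recorded next to the change.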
--
2.43.0