* [OE-core][scarthgap 01/23] libpng: fix CVE-2026-33636
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
Backport the upstream fix [1], which is the commit referenced by the NVD entry [2].
[1] https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-33636
Reference:
https://security-tracker.debian.org/tracker/CVE-2026-33636
https://www.suse.com/security/cve/CVE-2026-33636.html
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../libpng/files/CVE-2026-33636.patch | 99 +++++++++++++++++++
.../libpng/libpng_1.6.42.bb | 1 +
2 files changed, 100 insertions(+)
create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
diff --git a/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch b/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
new file mode 100644
index 0000000000..3bd6aae2a4
--- /dev/null
+++ b/meta/recipes-multimedia/libpng/files/CVE-2026-33636.patch
@@ -0,0 +1,99 @@
+From 9ff847dfcbb54f6dee3fd4e408150ae944278391 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sat, 21 Mar 2026 23:48:49 +0200
+Subject: [PATCH] fix(arm): Resolve out-of-bounds read/write in NEON palette
+ expansion
+
+Both `png_do_expand_palette_rgba8_neon` and
+`png_do_expand_palette_rgb8_neon` advanced in fixed-size chunks without
+guarding the final iteration, allowing out-of-bounds reads and writes
+when the row width is not a multiple of the chunk size.
+
+Restrict the NEON loop to full chunks only, remove the now-unnecessary
+post-loop adjustment, and undo the `*ddp` pre-adjustment before the
+pointer handoff to the scalar fallback.
+
+CVE: CVE-2026-33636
+Upstream-Status: Backport [https://github.com/pnggroup/libpng/commit/aba9f18eba870d14fb52c5ba5d73451349e339c3]
+
+Reported-by: Amemoyoi <Amemoyoi@users.noreply.github.com>
+Co-authored-by: Amemoyoi <Amemoyoi@users.noreply.github.com>
+Signed-off-by: Cosmin Truta <ctruta@gmail.com>
+(cherry picked from commit aba9f18eba870d14fb52c5ba5d73451349e339c3)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ arm/palette_neon_intrinsics.c | 29 +++++++++++++----------------
+ 1 file changed, 13 insertions(+), 16 deletions(-)
+
+diff --git a/arm/palette_neon_intrinsics.c b/arm/palette_neon_intrinsics.c
+index 92c7d6f9f..bdd15849d 100644
+--- a/arm/palette_neon_intrinsics.c
++++ b/arm/palette_neon_intrinsics.c
+@@ -1,7 +1,7 @@
+
+ /* palette_neon_intrinsics.c - NEON optimised palette expansion functions
+ *
+- * Copyright (c) 2018-2019 Cosmin Truta
++ * Copyright (c) 2018-2026 Cosmin Truta
+ * Copyright (c) 2017-2018 Arm Holdings. All rights reserved.
+ * Written by Richard Townsend <Richard.Townsend@arm.com>, February 2017.
+ *
+@@ -80,7 +80,7 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info,
+ */
+ *ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1);
+
+- for (i = 0; i < row_width; i += pixels_per_chunk)
++ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
+ {
+ uint32x4_t cur;
+ png_bytep sp = *ssp - i, dp = *ddp - (i << 2);
+@@ -90,13 +90,12 @@ png_do_expand_palette_rgba8_neon(png_structrp png_ptr, png_row_infop row_info,
+ cur = vld1q_lane_u32(riffled_palette + *(sp - 0), cur, 3);
+ vst1q_u32((void *)dp, cur);
+ }
+- if (i != row_width)
+- {
+- /* Remove the amount that wasn't processed. */
+- i -= pixels_per_chunk;
+- }
+
+- /* Decrement output pointers. */
++ /* Undo the pre-adjustment of *ddp before the pointer handoff,
++ * so the scalar fallback in pngrtran.c receives a dp that points
++ * to the correct position.
++ */
++ *ddp = *ddp + (pixels_per_chunk * 4 - 1);
+ *ssp = *ssp - i;
+ *ddp = *ddp - (i << 2);
+ return i;
+@@ -121,7 +120,7 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info,
+ /* Seeking this back by 8 pixels x 3 bytes. */
+ *ddp = *ddp - ((pixels_per_chunk * sizeof(png_color)) - 1);
+
+- for (i = 0; i < row_width; i += pixels_per_chunk)
++ for (i = 0; i + pixels_per_chunk <= row_width; i += pixels_per_chunk)
+ {
+ uint8x8x3_t cur;
+ png_bytep sp = *ssp - i, dp = *ddp - ((i << 1) + i);
+@@ -136,13 +135,11 @@ png_do_expand_palette_rgb8_neon(png_structrp png_ptr, png_row_infop row_info,
+ vst3_u8((void *)dp, cur);
+ }
+
+- if (i != row_width)
+- {
+- /* Remove the amount that wasn't processed. */
+- i -= pixels_per_chunk;
+- }
+-
+- /* Decrement output pointers. */
++ /* Undo the pre-adjustment of *ddp before the pointer handoff,
++ * so the scalar fallback in pngrtran.c receives a dp that points
++ * to the correct position.
++ */
++ *ddp = *ddp + (pixels_per_chunk * 3 - 1);
+ *ssp = *ssp - i;
+ *ddp = *ddp - ((i << 1) + i);
+ return i;
+--
+2.44.4
+
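Review bot: The pre-adjustment `*ddp = *ddp - ((pixels_per_chunk * sizeof(png_uint_32)) - 1)` still executes before the new loop condition decides whether even one full chunk exists, so for a row shorter than a chunk it forms a pointer a whole chunk before the row buffer and only the new undo line brings it back; unless the function has an early `row_width < pixels_per_chunk` return above this hunk (not visible here), that is out-of-range pointer arithmetic even though nothing is dereferenced, and the same applies to the rgb8 variant. It is worth confirming that guard is present in the 1.6.42 copy of arm/palette_neon_intrinsics.c before merging. As a smaller consistency point, the undo lines hard-code `4` and `3` where the pre-adjustments they reverse use `sizeof(png_uint_32)` and `sizeof(png_color)`; writing `*ddp = *ddp + ((pixels_per_chunk * sizeof(png_uint_32)) - 1);` keeps each pair visibly symmetric. Both `png_do_expand_palette_rgba8_neon` and `png_do_expand_palette_rgb8_neon` begin outside the hunks shown.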
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
index 7471315fdd..923ed79896 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.42.bb
@@ -24,6 +24,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/project/${BPN}/${BPN}${LIBV}/${PV}/${BP}.tar.xz
file://CVE-2026-22695.patch \
file://CVE-2026-22801.patch \
file://CVE-2026-25646.patch \
+ file://CVE-2026-33636.patch \
"
SRC_URI[sha256sum] = "c919dbc11f4c03b05aba3f8884d8eb7adfe3572ad228af972bb60057bdb48450"
* [OE-core][scarthgap 02/23] binutils: fix CVE-2025-69647
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Backport upstream fix for CVE-2025-69647 [1].
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../binutils/binutils-2.42.inc | 1 +
.../binutils/binutils/CVE-2025-69647.patch | 85 +++++++++++++++++++
2 files changed, 86 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 096ccf42c2..fcbe7fbfab 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -72,5 +72,6 @@ SRC_URI = "\
file://0028-CVE-2025-11494.patch \
file://0029-CVE-2025-11839.patch \
file://0030-CVE-2025-11840.patch \
+ file://CVE-2025-69647.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch
new file mode 100644
index 0000000000..8e3c1c79e7
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69647.patch
@@ -0,0 +1,85 @@
+From c87ed59208e1ce665f08ae2b2d8c1cdc2a653ea2 Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 22 Nov 2025 09:52:18 +1030
+Subject: [PATCH] PR 33639 .debug_loclists output
+
+The fuzzed testcase in this PR prints an almost endless table of
+offsets, due to a bogus offset count. Limit that count, and the total
+length too.
+
+ PR 33639
+ * dwarf.c (display_loclists_unit_header): Return error on
+ length too small to read header. Limit length to section
+ size. Limit offset count similarly.
+
+CVE: CVE-2025-69647
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=455446bbdc8675f34808187de2bbad4682016ff7]
+
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ binutils/dwarf.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index 72bc9d7497a..06d68074046 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -7221,8 +7221,6 @@ display_loclists_unit_header (struct dwarf_section * section,
+ bool is_64bit;
+ uint32_t i;
+
+- printf (_("Table at Offset %#" PRIx64 "\n"), header_offset);
+-
+ SAFE_BYTE_GET_AND_INC (length, start, 4, end);
+ if (length == 0xffffffff)
+ {
+@@ -7231,6 +7229,11 @@ display_loclists_unit_header (struct dwarf_section * section,
+ }
+ else
+ is_64bit = false;
++ if (length < 8)
++ return (uint64_t) -1;
++
++ printf (_("Table at Offset %#" PRIx64 "\n"), header_offset);
++ header_offset = start - section->start;
+
+ SAFE_BYTE_GET_AND_INC (version, start, 2, end);
+ SAFE_BYTE_GET_AND_INC (address_size, start, 1, end);
+@@ -7243,15 +7246,21 @@ display_loclists_unit_header (struct dwarf_section * section,
+ printf (_(" Segment size: %u\n"), segment_selector_size);
+ printf (_(" Offset entries: %u\n"), *offset_count);
+
++ if (length > section->size - header_offset)
++ length = section->size - header_offset;
++
+ if (segment_selector_size != 0)
+ {
+ warn (_("The %s section contains an "
+ "unsupported segment selector size: %d.\n"),
+ section->name, segment_selector_size);
+- return (uint64_t)-1;
++ return (uint64_t) -1;
+ }
+
+- if ( *offset_count)
++ uint64_t max_off_count = length >> (is_64bit ? 3 : 2);
++ if (*offset_count > max_off_count)
++ *offset_count = max_off_count;
++ if (*offset_count)
+ {
+ printf (_("\n Offset Entries starting at %#tx:\n"),
+ start - section->start);
+@@ -7268,8 +7277,7 @@ display_loclists_unit_header (struct dwarf_section * section,
+ putchar ('\n');
+ *loclists_start = start;
+
+- /* The length field doesn't include the length field itself. */
+- return header_offset + length + (is_64bit ? 12 : 4);
++ return header_offset + length;
+ }
+
+ static int
+--
+2.34.1
+
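Review bot: `uint64_t max_off_count = length >> (is_64bit ? 3 : 2);` bounds the offset table by the whole unit length, but the eight header bytes (version, address size, segment selector size, entry count) read after the length field lie inside that length, so the clamp still admits one or two entries more than the unit can hold; the rnglists backport in the sibling patch uses `(length - 8) / offset_size` for the same table. Because `length` may just have been clamped to `section->size - header_offset`, which can be below 8 even though the declared length passed the earlier `length < 8` check, the tight form needs its own guard: `uint64_t max_off_count = length < 8 ? 0 : (length - 8) >> (is_64bit ? 3 : 2);`. The surplus reads look to be absorbed by SAFE_BYTE_GET_AND_INC against `end`, so this is a precision and consistency point rather than a memory-safety one. The `length < 8` return is also silent, unlike the segment-selector path just below it that calls `warn()`; a one-line warning there would tell readelf users that a table was skipped. `display_loclists_unit_header` begins and ends outside the hunk.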
* [OE-core][scarthgap 03/23] binutils: fix CVE-2025-69648
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Backport upstream fix for CVE-2025-69648 [1].
[1] https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33
Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../binutils/binutils-2.42.inc | 1 +
.../binutils/binutils/CVE-2025-69648.patch | 190 ++++++++++++++++++
2 files changed, 191 insertions(+)
create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index fcbe7fbfab..1a865c45f4 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -73,5 +73,6 @@ SRC_URI = "\
file://0029-CVE-2025-11839.patch \
file://0030-CVE-2025-11840.patch \
file://CVE-2025-69647.patch \
+ file://CVE-2025-69648.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
new file mode 100644
index 0000000000..e04d7ed6c2
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
@@ -0,0 +1,190 @@
+From 7df481dd76c05c89782721e9df5468be829c356b Mon Sep 17 00:00:00 2001
+From: Alan Modra <amodra@gmail.com>
+Date: Sat, 22 Nov 2025 09:22:10 +1030
+Subject: [PATCH] PR 33638, debug_rnglists output
+
+The fuzzed testcase in this PR continuously outputs an error about
+the debug_rnglists header. Fixed by taking notice of the error and
+stopping output. The patch also limits the length in all cases, not
+just when a relocation is present, and limits the offset entry count
+read from the header. I removed the warning and the test for relocs
+because the code can't work reliably with unresolved relocs in the
+length field.
+
+ PR 33638
+ * dwarf.c (display_debug_rnglists_list): Return bool. Rename
+ "inital_length" to plain "length". Verify length is large
+ enough to read header. Limit length to rest of section.
+ Similarly limit offset_entry_count.
+ (display_debug_ranges): Check display_debug_rnglists_unit_header
+ return status. Stop output on error.
+
+CVE: CVE-2025-69648
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33]
+
+(cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>
+---
+ binutils/dwarf.c | 67 ++++++++++++++++++++++++------------------------
+ 1 file changed, 34 insertions(+), 33 deletions(-)
+
+diff --git a/binutils/dwarf.c b/binutils/dwarf.c
+index f4bcb677761..b4fb56351ec 100644
+--- a/binutils/dwarf.c
++++ b/binutils/dwarf.c
+@@ -8282,7 +8282,7 @@ display_debug_rnglists_list (unsigned char * start,
+ return start;
+ }
+
+-static int
++static bool
+ display_debug_rnglists_unit_header (struct dwarf_section * section,
+ uint64_t * unit_offset,
+ unsigned char * poffset_size)
+@@ -8290,7 +8290,8 @@ display_debug_rnglists_unit_header (struct dwarf_section * section,
+ uint64_t start_offset = *unit_offset;
+ unsigned char * p = section->start + start_offset;
+ unsigned char * finish = section->start + section->size;
+- uint64_t initial_length;
++ unsigned char * hdr;
++ uint64_t length;
+ unsigned char segment_selector_size;
+ unsigned int offset_entry_count;
+ unsigned int i;
+@@ -8299,66 +8300,59 @@ display_debug_rnglists_unit_header (struct dwarf_section * section,
+ unsigned char offset_size;
+
+ /* Get and check the length of the block. */
+- SAFE_BYTE_GET_AND_INC (initial_length, p, 4, finish);
++ SAFE_BYTE_GET_AND_INC (length, p, 4, finish);
+
+- if (initial_length == 0xffffffff)
++ if (length == 0xffffffff)
+ {
+ /* This section is 64-bit DWARF 3. */
+- SAFE_BYTE_GET_AND_INC (initial_length, p, 8, finish);
++ SAFE_BYTE_GET_AND_INC (length, p, 8, finish);
+ *poffset_size = offset_size = 8;
+ }
+ else
+ *poffset_size = offset_size = 4;
+
+- if (initial_length > (size_t) (finish - p))
+- {
+- /* If the length field has a relocation against it, then we should
+- not complain if it is inaccurate (and probably negative).
+- It is copied from .debug_line handling code. */
+- if (reloc_at (section, (p - section->start) - offset_size))
+- initial_length = finish - p;
+- else
+- {
+- warn (_("The length field (%#" PRIx64
+- ") in the debug_rnglists header is wrong"
+- " - the section is too small\n"),
+- initial_length);
+- return 0;
+- }
+- }
+-
+- /* Report the next unit offset to the caller. */
+- *unit_offset = (p - section->start) + initial_length;
++ if (length < 8)
++ return false;
+
+ /* Get the other fields in the header. */
++ hdr = p;
+ SAFE_BYTE_GET_AND_INC (version, p, 2, finish);
+ SAFE_BYTE_GET_AND_INC (address_size, p, 1, finish);
+ SAFE_BYTE_GET_AND_INC (segment_selector_size, p, 1, finish);
+ SAFE_BYTE_GET_AND_INC (offset_entry_count, p, 4, finish);
+
+ printf (_(" Table at Offset: %#" PRIx64 ":\n"), start_offset);
+- printf (_(" Length: %#" PRIx64 "\n"), initial_length);
++ printf (_(" Length: %#" PRIx64 "\n"), length);
+ printf (_(" DWARF version: %u\n"), version);
+ printf (_(" Address size: %u\n"), address_size);
+ printf (_(" Segment size: %u\n"), segment_selector_size);
+ printf (_(" Offset entries: %u\n"), offset_entry_count);
+
++ if (length > (size_t) (finish - hdr))
++ length = finish - hdr;
++
++ /* Report the next unit offset to the caller. */
++ *unit_offset = (hdr - section->start) + length;
++
+ /* Check the fields. */
+ if (segment_selector_size != 0)
+ {
+ warn (_("The %s section contains "
+ "unsupported segment selector size: %d.\n"),
+ section->name, segment_selector_size);
+- return 0;
++ return false;
+ }
+
+ if (version < 5)
+ {
+ warn (_("Only DWARF version 5+ debug_rnglists info "
+ "is currently supported.\n"));
+- return 0;
++ return false;
+ }
+
++ uint64_t max_off_count = (length - 8) / offset_size;
++ if (offset_entry_count > max_off_count)
++ offset_entry_count = max_off_count;
+ if (offset_entry_count != 0)
+ {
+ printf (_("\n Offsets starting at %#tx:\n"), p - section->start);
+@@ -8372,7 +8366,7 @@ display_debug_rnglists_unit_header (struct dwarf_section * section,
+ }
+ }
+
+- return 1;
++ return true;
+ }
+
+ static bool
+@@ -8404,6 +8398,7 @@ display_debug_ranges (struct dwarf_section *section,
+ uint64_t last_offset = 0;
+ uint64_t next_rnglists_cu_offset = 0;
+ unsigned char offset_size;
++ bool ok_header = true;
+
+ if (bytes == 0)
+ {
+@@ -8493,8 +8488,12 @@ display_debug_ranges (struct dwarf_section *section,
+ /* If we've moved on to the next compile unit in the rnglists section - dump the unit header(s). */
+ if (is_rnglists && next_rnglists_cu_offset < offset)
+ {
+- while (next_rnglists_cu_offset < offset)
+- display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
++ while (ok_header && next_rnglists_cu_offset < offset)
++ ok_header = display_debug_rnglists_unit_header (section,
++ &next_rnglists_cu_offset,
++ &offset_size);
++ if (!ok_header)
++ break;
+ printf (_(" Offset Begin End\n"));
+ }
+
+@@ -8548,10 +8547,12 @@ display_debug_ranges (struct dwarf_section *section,
+ }
+
+ /* Display trailing empty (or unreferenced) compile units, if any. */
+- if (is_rnglists)
++ if (is_rnglists && ok_header)
+ while (next_rnglists_cu_offset < section->size)
+- display_debug_rnglists_unit_header (section, &next_rnglists_cu_offset, &offset_size);
+-
++ if (!display_debug_rnglists_unit_header (section,
++ &next_rnglists_cu_offset,
++ &offset_size))
++ break;
+ putchar ('\n');
+
+ free (range_entries);
+--
+2.35.6
+
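Review bot: `uint64_t max_off_count = (length - 8) / offset_size;` can wrap, because the `if (length < 8) return false;` check is applied to the declared length before it is clamped to `finish - hdr`: a unit that declares a long length in a section with fewer than eight bytes left after the length field ends up with `length` below 8, `length - 8` wrapping to near UINT64_MAX, and the `offset_entry_count` clamp disabled. If SAFE_BYTE_GET_AND_INC clamps short reads rather than bailing out (as its name suggests), the entry loop then prints up to `offset_entry_count` zero entries — the same output-flood class this patch targets, though not an out-of-bounds access. `uint64_t max_off_count = length < 8 ? 0 : (length - 8) / offset_size;` closes it without reordering the header reads. The new early return is also silent where the removed section-too-small path used to `warn()`, so a truncated header now ends `display_debug_ranges` output via the added `break` with no diagnostic; `warn (_("The length field (%#" PRIx64 ") in the debug_rnglists header is too small\n"), length);` before it would keep that signal. Both `display_debug_rnglists_unit_header` and `display_debug_ranges` extend outside the hunks shown.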
* [OE-core][scarthgap 04/23] dbus: gate user-session PACKAGECONFIG on systemd in DISTRO_FEATURES
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Jhonata Poma-Hansen <jhonata.poma@gmail.com>
On scarthgap images built without systemd in DISTRO_FEATURES, dbus
still shipped dbus.socket and dbus.service under
${systemd_user_unitdir} (/usr/lib/systemd/user), because the
'user-session' PACKAGECONFIG was always enabled and passed
--enable-user-session --with-systemduserunitdir=... to configure.
In dbus-1.14.10 the user-session autoconf option (configure.ac and
bus/Makefile.am 'if DBUS_ENABLE_USER_SESSION') only installs systemd
user units; it has no non-systemd effect. Enabling it on a sysvinit
image has no benefit and produces the stale unit files.
Make user-session a systemd-gated PACKAGECONFIG by using
bb.utils.contains in the default, so it is enabled when systemd is
in DISTRO_FEATURES and disabled otherwise. No changes to the
PACKAGECONFIG[user-session] or PACKAGECONFIG[systemd] entries are
needed: --disable-user-session is passed on sysvinit builds, which
prevents the configure/Makefile machinery from ever setting up the
user-unit install step.
This is the scarthgap equivalent of master commit a296b0623eb2
("dbus: use the systemd class to handle the unit files"), adapted
to the autotools 1.14.10 recipe. The master fix was broader because
the meson 1.16.2 build handles unit-file install differently, which
let that commit drop the manual do_install unit block, the
systemctl mask postinst, and PACKAGE_WRITE_DEPS. On 1.14.10 those
pieces are still needed; the minimal correct gate here is the
user-session default.
Fixes [YOCTO #15779]
Signed-off-by: Jhonata Poma-Hansen <jhonata.poma@gmail.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
meta/recipes-core/dbus/dbus_1.14.10.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/dbus/dbus_1.14.10.bb b/meta/recipes-core/dbus/dbus_1.14.10.bb
index ffbf0780ed..e57a01478b 100644
--- a/meta/recipes-core/dbus/dbus_1.14.10.bb
+++ b/meta/recipes-core/dbus/dbus_1.14.10.bb
@@ -29,7 +29,7 @@ EXTRA_OECONF = "--disable-xml-docs \
EXTRA_OECONF:append:class-target = " SYSTEMCTL=${base_bindir}/systemctl"
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)} \
- user-session \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'user-session', '', d)} \
"
PACKAGECONFIG:class-native = ""
PACKAGECONFIG:class-nativesdk = ""
* [OE-core][scarthgap 05/23] expat: patch CVE-2026-32776
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Backport the fix from upstream pull request [1], which is the change referenced by the Debian security tracker entry [2].
[1] https://github.com/libexpat/libexpat/pull/1158
[2] https://security-tracker.debian.org/tracker/CVE-2026-32776
Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../expat/expat/CVE-2026-32776.patch | 91 +++++++++++++++++++
meta/recipes-core/expat/expat_2.6.4.bb | 1 +
2 files changed, 92 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32776.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2026-32776.patch b/meta/recipes-core/expat/expat/CVE-2026-32776.patch
new file mode 100644
index 0000000000..96a869a7c8
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-32776.patch
@@ -0,0 +1,91 @@
+From 3340f971f2f92e499adf03156024105bb9bb7ed9 Mon Sep 17 00:00:00 2001
+From: Francesco Bertolaccini <francesco.bertolaccini@trailofbits.com>
+Date: Tue, 3 Mar 2026 16:41:43 +0100
+Subject: [PATCH] Fix NULL function-pointer dereference for empty external
+ parameter entities
+
+When an external parameter entity with empty text is referenced inside
+an entity declaration value, the sub-parser created to handle it receives
+0 bytes of input. Processing enters entityValueInitProcessor which calls
+storeEntityValue() with the parser's encoding; since no bytes were ever
+processed, encoding detection has not yet occurred and the encoding is
+still the initial probing encoding set up by XmlInitEncoding(). That
+encoding only populates scanners[] (for prolog and content), not
+literalScanners[]. XmlEntityValueTok() calls through
+literalScanners[XML_ENTITY_VALUE_LITERAL] which is NULL, causing a
+SEGV.
+
+Skip the tokenization loop entirely when entityTextPtr >= entityTextEnd,
+and initialize the `next` pointer before the early exit so that callers
+(callStoreEntityValue) receive a valid value through nextPtr.
+
+CVE: CVE-2026-32776
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/5be25657583ea91b09025c858b4785834c20f59c]
+
+(cherry picked from commit 5be25657583ea91b09025c858b4785834c20f59c)
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ lib/xmlparse.c | 9 ++++++++-
+ tests/basic_tests.c | 19 +++++++++++++++++++
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index aa5e91e4..56faf2eb 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -6777,7 +6777,14 @@ storeEntityValue(XML_Parser parser, const ENCODING *enc,
+ return XML_ERROR_NO_MEMORY;
+ }
+
+- const char *next;
++ const char *next = entityTextPtr;
++
++ /* Nothing to tokenize. */
++ if (entityTextPtr >= entityTextEnd) {
++ result = XML_ERROR_NONE;
++ goto endEntityValue;
++ }
++
+ for (;;) {
+ next
+ = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index 2a5e43d6..023d9ce4 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -6210,6 +6210,24 @@ START_TEST(test_varying_buffer_fills) {
+ }
+ END_TEST
+
++START_TEST(test_empty_ext_param_entity_in_value) {
++ const char *text = "<!DOCTYPE r SYSTEM \"ext.dtd\"><r/>";
++ ExtOption options[] = {
++ {XCS("ext.dtd"), "<!ENTITY % pe SYSTEM \"empty\">"
++ "<!ENTITY ge \"%pe;\">"},
++ {XCS("empty"), ""},
++ {NULL, NULL},
++ };
++
++ XML_SetParamEntityParsing(g_parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++ XML_SetExternalEntityRefHandler(g_parser, external_entity_optioner);
++ XML_SetUserData(g_parser, options);
++ if (_XML_Parse_SINGLE_BYTES(g_parser, text, (int)strlen(text), XML_TRUE)
++ == XML_STATUS_ERROR)
++ xml_failure(g_parser);
++}
++END_TEST
++
+ void
+ make_basic_test_case(Suite *s) {
+ TCase *tc_basic = tcase_create("basic tests");
+@@ -6456,6 +6474,7 @@ make_basic_test_case(Suite *s) {
+ tcase_add_test(tc_basic, test_empty_element_abort);
+ tcase_add_test__ifdef_xml_dtd(tc_basic,
+ test_pool_integrity_with_unfinished_attr);
++ tcase_add_test__ifdef_xml_dtd(tc_basic, test_empty_ext_param_entity_in_value);
+ tcase_add_test__if_xml_ge(tc_basic, test_entity_ref_no_elements);
+ tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_entity);
+ tcase_add_test__if_xml_ge(tc_basic, test_deep_nested_attribute_entity);
+--
+2.43.0
+
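Review bot: `test_empty_ext_param_entity_in_value` only asserts that the parse does not fail, so it would still pass if the early exit left `ge` undeclared or handed a stale pointer back through `nextPtr` — the second half of what the commit message says the fix guarantees. Installing `XML_SetEntityDeclHandler` and asserting that `ge` is declared with a zero-length value would pin both properties. The `goto endEntityValue` jumps to a label outside the hunk; the `XML_ERROR_NO_MEMORY` return just above hints that some state is set up before this point, so confirm the label path releases it for the zero-length case exactly as it does after the loop. `storeEntityValue` begins and ends outside the hunk.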
diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb
index 048093f010..631aebe6ca 100644
--- a/meta/recipes-core/expat/expat_2.6.4.bb
+++ b/meta/recipes-core/expat/expat_2.6.4.bb
@@ -46,6 +46,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-25210-01.patch \
file://CVE-2026-25210-02.patch \
file://CVE-2026-25210-03.patch \
+ file://CVE-2026-32776.patch \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
* [OE-core][scarthgap 06/23] expat: patch CVE-2026-32777
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Backport the fix and its test from upstream pull request [1], which is the change referenced by the Debian security tracker entry [2].
[1] https://github.com/libexpat/libexpat/pull/1162
[2] https://security-tracker.debian.org/tracker/CVE-2026-32777
Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../expat/expat/CVE-2026-32777-01.patch | 49 ++++++++++++++
.../expat/expat/CVE-2026-32777-02.patch | 66 +++++++++++++++++++
meta/recipes-core/expat/expat_2.6.4.bb | 2 +
3 files changed, 117 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32777-01.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32777-02.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2026-32777-01.patch b/meta/recipes-core/expat/expat/CVE-2026-32777-01.patch
new file mode 100644
index 0000000000..50ba27dcd4
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-32777-01.patch
@@ -0,0 +1,49 @@
+From a6e6cf7c30e54402b2fa3c49f9d98702e74f8c34 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 1 Mar 2026 20:16:13 +0100
+Subject: [PATCH 1/2] lib: Reject XML_TOK_INSTANCE_START infinite loop in
+ entityValueProcessor
+
+.. that OSS-Fuzz/ClusterFuzz uncovered
+
+CVE: CVE-2026-32777
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/55cda8c7125986e17d7e1825cba413bd94a35d02]
+
+(cherry picked from commit 55cda8c7125986e17d7e1825cba413bd94a35d02)
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ lib/xmlparse.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 56faf2eb..bfb8ac58 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -5077,7 +5077,7 @@ entityValueInitProcessor(XML_Parser parser, const char *s, const char *end,
+ }
+ /* If we get this token, we have the start of what might be a
+ normal tag, but not a declaration (i.e. it doesn't begin with
+- "<!"). In a DTD context, that isn't legal.
++ "<!" or "<?"). In a DTD context, that isn't legal.
+ */
+ else if (tok == XML_TOK_INSTANCE_START) {
+ *nextPtr = next;
+@@ -5166,6 +5166,15 @@ entityValueProcessor(XML_Parser parser, const char *s, const char *end,
+ /* found end of entity value - can store it now */
+ return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT, NULL);
+ }
++ /* If we get this token, we have the start of what might be a
++ normal tag, but not a declaration (i.e. it doesn't begin with
++ "<!" or "<?"). In a DTD context, that isn't legal.
++ */
++ else if (tok == XML_TOK_INSTANCE_START) {
++ *nextPtr = next;
++ return XML_ERROR_SYNTAX;
++ }
++
+ start = next;
+ }
+ }
+--
+2.43.0
+
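Review bot: The added `XML_TOK_INSTANCE_START` branch in `entityValueProcessor` closes one no-progress case, presumably because the tokenizer reports that token without consuming the `<`, but as far as the hunk shows the loop still advances only through `start = next` and has no general check that a token consumed input. If no non-negative token can legitimately return `next == start`, a guard such as `if (next == start) { *nextPtr = next; return XML_ERROR_SYNTAX; }` ahead of `start = next` would cover the whole class instead of this single token — worth checking against the prolog tokenizer before relying on the one case. The comment is copied verbatim from `entityValueInitProcessor`; appending `/* Mirrors the check in entityValueInitProcessor(). */` makes the intended coupling explicit for the next edit. `entityValueProcessor` begins outside the hunk.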
diff --git a/meta/recipes-core/expat/expat/CVE-2026-32777-02.patch b/meta/recipes-core/expat/expat/CVE-2026-32777-02.patch
new file mode 100644
index 0000000000..a1518c9a3e
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-32777-02.patch
@@ -0,0 +1,66 @@
+From 4b91fc7eb4998c49bfd3b701a679ad6eb7ce7682 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Fri, 6 Mar 2026 18:31:34 +0100
+Subject: [PATCH 2/2] misc_tests.c: Cover XML_TOK_INSTANCE_START infinite loop
+ case
+
+.. that OSS-Fuzz/ClusterFuzz uncovered
+
+CVE: CVE-2026-32777
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8]
+
+(cherry picked from commit a7805c1a8a48d2ce83ef289cf55bdc8b45de76a8)
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ tests/misc_tests.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/tests/misc_tests.c b/tests/misc_tests.c
+index 07902d52..cdcdd507 100644
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -713,6 +713,35 @@ START_TEST(test_misc_async_entity_rejected) {
+ }
+ END_TEST
+
++START_TEST(test_misc_no_infinite_loop_issue_1161) {
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ const char *text = "<!DOCTYPE d SYSTEM 'secondary.txt'>";
++
++ struct ExtOption options[] = {
++ {XCS("secondary.txt"),
++ "<!ENTITY % p SYSTEM 'tertiary.txt'><!ENTITY g '%p;'>"},
++ {XCS("tertiary.txt"), "<?xml version='1.0'?><a"},
++ {NULL, NULL},
++ };
++
++ XML_SetUserData(parser, options);
++ XML_SetParamEntityParsing(parser, XML_PARAM_ENTITY_PARSING_ALWAYS);
++ XML_SetExternalEntityRefHandler(parser, external_entity_optioner);
++
++ assert_true(_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ == XML_STATUS_ERROR);
++
++#if defined(XML_DTD)
++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_EXTERNAL_ENTITY_HANDLING);
++#else
++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NO_ELEMENTS);
++#endif
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
+ void
+ make_miscellaneous_test_case(Suite *s) {
+ TCase *tc_misc = tcase_create("miscellaneous tests");
+@@ -743,4 +772,5 @@ make_miscellaneous_test_case(Suite *s) {
+ tcase_add_test(tc_misc, test_misc_expected_event_ptr_issue_980);
+ tcase_add_test(tc_misc, test_misc_sync_entity_tolerated);
+ tcase_add_test(tc_misc, test_misc_async_entity_rejected);
++ tcase_add_test(tc_misc, test_misc_no_infinite_loop_issue_1161);
+ }
+--
+2.43.0
+
diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb
index 631aebe6ca..f78d9a8a60 100644
--- a/meta/recipes-core/expat/expat_2.6.4.bb
+++ b/meta/recipes-core/expat/expat_2.6.4.bb
@@ -47,6 +47,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-25210-02.patch \
file://CVE-2026-25210-03.patch \
file://CVE-2026-32776.patch \
+ file://CVE-2026-32777-01.patch \
+ file://CVE-2026-32777-02.patch \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 07/23] expat: patch CVE-2026-32778
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Backport the patches from upstream pull request [1], which is also referenced by [2].
[1] https://github.com/libexpat/libexpat/pull/1163
[2] https://security-tracker.debian.org/tracker/CVE-2026-32778
Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../expat/expat/CVE-2026-32778-01.patch | 91 +++++++++++++++++++
.../expat/expat/CVE-2026-32778-02.patch | 61 +++++++++++++
meta/recipes-core/expat/expat_2.6.4.bb | 2 +
3 files changed, 154 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32778-01.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-32778-02.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2026-32778-01.patch b/meta/recipes-core/expat/expat/CVE-2026-32778-01.patch
new file mode 100644
index 0000000000..0105fe7417
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-32778-01.patch
@@ -0,0 +1,91 @@
+From b878628b560a2ba1e11b3a12ff8df0dab7d6b8bb Mon Sep 17 00:00:00 2001
+From: laserbear <10689391+Laserbear@users.noreply.github.com>
+Date: Sun, 8 Mar 2026 17:28:06 -0700
+Subject: [PATCH 1/2] copy prefix name to pool before lookup
+
+.. so that we cannot end up with a zombie PREFIX in the pool
+that has NULL for a name.
+
+CVE: CVE-2026-32778
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/576b61e42feeea704253cb7c7bedb2eeb3754387]
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+(cherry picked from commit 576b61e42feeea704253cb7c7bedb2eeb3754387)
+Signed-off-by: Hugo SIMELIERE <simeliere.hugo@non.se.com>
+---
+ lib/xmlparse.c | 43 +++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 35 insertions(+), 8 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index bfb8ac58..9bc67f38 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -590,6 +590,8 @@ static XML_Char *poolStoreString(STRING_POOL *pool, const ENCODING *enc,
+ static XML_Bool FASTCALL poolGrow(STRING_POOL *pool);
+ static const XML_Char *FASTCALL poolCopyString(STRING_POOL *pool,
+ const XML_Char *s);
++static const XML_Char *FASTCALL poolCopyStringNoFinish(STRING_POOL *pool,
++ const XML_Char *s);
+ static const XML_Char *poolCopyStringN(STRING_POOL *pool, const XML_Char *s,
+ int n);
+ static const XML_Char *FASTCALL poolAppendString(STRING_POOL *pool,
+@@ -7443,16 +7445,24 @@ setContext(XML_Parser parser, const XML_Char *context) {
+ else {
+ if (! poolAppendChar(&parser->m_tempPool, XML_T('\0')))
+ return XML_FALSE;
+- prefix
+- = (PREFIX *)lookup(parser, &dtd->prefixes,
+- poolStart(&parser->m_tempPool), sizeof(PREFIX));
+- if (! prefix)
++ const XML_Char *const prefixName = poolCopyStringNoFinish(
++ &dtd->pool, poolStart(&parser->m_tempPool));
++ if (! prefixName) {
+ return XML_FALSE;
+- if (prefix->name == poolStart(&parser->m_tempPool)) {
+- prefix->name = poolCopyString(&dtd->pool, prefix->name);
+- if (! prefix->name)
+- return XML_FALSE;
+ }
++
++ prefix = (PREFIX *)lookup(parser, &dtd->prefixes, prefixName,
++ sizeof(PREFIX));
++
++ const bool prefixNameUsed = prefix && prefix->name == prefixName;
++ if (prefixNameUsed)
++ poolFinish(&dtd->pool);
++ else
++ poolDiscard(&dtd->pool);
++
++ if (! prefix)
++ return XML_FALSE;
++
+ poolDiscard(&parser->m_tempPool);
+ }
+ for (context = s + 1; *context != CONTEXT_SEP && *context != XML_T('\0');
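Review bot: The ordering here — copy the name into `dtd->pool` before `lookup()`, then `poolFinish` only when the newly created PREFIX actually took ownership of `prefixName` — is the whole fix for the NULL-name entry the removed code could leave in `dtd->prefixes` (the old `prefix->name = poolCopyString(...)` ran after a successful lookup, so an OOM there left the entry with `name == NULL`), yet nothing in the new code says so and a later cleanup could reorder it back. Suggest a comment above the `poolCopyStringNoFinish` call: `/* Copy the name into dtd->pool *before* lookup(): failing after a successful lookup would leave a PREFIX in dtd->prefixes with a NULL name, which a later lookup would presumably dereference. */`, and on the `prefixNameUsed` branch: `/* lookup() created a new entry that points at our copy: keep it. */`. After `poolDiscard(&dtd->pool)` the `prefixName` pointer is dangling; it is not used again in the hunk, but that is worth a one-line remark since the `const` local outlives the discard. setContext's body continues outside the hunk.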
+@@ -8041,6 +8051,23 @@ poolCopyString(STRING_POOL *pool, const XML_Char *s) {
+ return s;
+ }
+
++// A version of `poolCopyString` that does not call `poolFinish`
++// and reverts any partial advancement upon failure.
++static const XML_Char *FASTCALL
++poolCopyStringNoFinish(STRING_POOL *pool, const XML_Char *s) {
++ const XML_Char *const original = s;
++ do {
++ if (! poolAppendChar(pool, *s)) {
++ // Revert any previously successful advancement
++ const ptrdiff_t advancedBy = s - original;
++ if (advancedBy > 0)
++ pool->ptr -= advancedBy;
++ return NULL;
++ }
++ } while (*s++);
++ return pool->start;
++}
++
+ static const XML_Char *
+ poolCopyStringN(STRING_POOL *pool, const XML_Char *s, int n) {
+ if (! pool->ptr && ! poolGrow(pool)) {
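Review bot: The header comment on `poolCopyStringNoFinish` says what it does not do but not the contract the caller inherits: the returned `pool->start` points at unfinished pool data and is valid only until the next `poolFinish`/`poolDiscard` on that pool, and exactly one of the two must follow (setContext does this, so the fix is correct; the comment should say it so the next caller does too). Suggest extending the comment with `// Returns pool->start, valid only until the caller invokes poolFinish() or poolDiscard() on `pool`; the caller must do exactly one of the two.` The revert arm `pool->ptr -= advancedBy` assumes the bytes appended by this call are still contiguous in the current block even when `poolGrow()` ran mid-copy; that appears to hold for expat's pool (the unfinished start..ptr region is carried into the new block) but is an invariant worth stating next to the subtraction, e.g. `// Safe across a mid-copy poolGrow(): the unfinished region is moved as a unit.` The trailing context line belongs to `poolCopyStringN`, whose body continues outside the hunk.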
+--
+2.43.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2026-32778-02.patch b/meta/recipes-core/expat/expat/CVE-2026-32778-02.patch
new file mode 100644
index 0000000000..2cfda33dc8
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-32778-02.patch
@@ -0,0 +1,61 @@
+From c26728576de3850258c7762c036dd0eb7783ea15 Mon Sep 17 00:00:00 2001
+From: laserbear <10689391+Laserbear@users.noreply.github.com>
+Date: Sun, 8 Mar 2026 17:28:06 -0700
+Subject: [PATCH 2/2] test that we do not end up with a zombie PREFIX in the
+ pool
+
+CVE: CVE-2026-32778
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/d5fa769b7a7290a7e2c4a0b2287106dec9b3c030]
+
+(cherry picked from commit d5fa769b7a7290a7e2c4a0b2287106dec9b3c030)
+Signed-off-by: Hugo SIMELIERE <simeliere.hugo@non.se.com>
+---
+ tests/nsalloc_tests.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tests/nsalloc_tests.c b/tests/nsalloc_tests.c
+index a8f5718d..d284a58a 100644
+--- a/tests/nsalloc_tests.c
++++ b/tests/nsalloc_tests.c
+@@ -1505,6 +1505,32 @@ START_TEST(test_nsalloc_prefixed_element) {
+ }
+ END_TEST
+
++/* Verify that retry after OOM in setContext() does not crash.
++ */
++START_TEST(test_nsalloc_setContext_zombie) {
++ const char *text = "<doc>Hello</doc>";
++ unsigned int i;
++ const unsigned int max_alloc_count = 30;
++
++ for (i = 0; i < max_alloc_count; i++) {
++ g_allocation_count = (int)i;
++ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_ERROR)
++ break;
++ /* Retry on the same parser — must not crash */
++ g_allocation_count = ALLOC_ALWAYS_SUCCEED;
++ XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE);
++
++ nsalloc_teardown();
++ nsalloc_setup();
++ }
++ if (i == 0)
++ fail("Parsing worked despite failing allocations");
++ else if (i == max_alloc_count)
++ fail("Parsing failed even at maximum allocation count");
++}
++END_TEST
++
+ void
+ make_nsalloc_test_case(Suite *s) {
+ TCase *tc_nsalloc = tcase_create("namespace allocation tests");
+@@ -1539,4 +1565,5 @@ make_nsalloc_test_case(Suite *s) {
+ tcase_add_test__if_xml_ge(tc_nsalloc, test_nsalloc_long_default_in_ext);
+ tcase_add_test(tc_nsalloc, test_nsalloc_long_systemid_in_ext);
+ tcase_add_test(tc_nsalloc, test_nsalloc_prefixed_element);
++ tcase_add_test(tc_nsalloc, test_nsalloc_setContext_zombie);
+ }
+--
+2.43.0
+
diff --git a/meta/recipes-core/expat/expat_2.6.4.bb b/meta/recipes-core/expat/expat_2.6.4.bb
index f78d9a8a60..151720a9e3 100644
--- a/meta/recipes-core/expat/expat_2.6.4.bb
+++ b/meta/recipes-core/expat/expat_2.6.4.bb
@@ -49,6 +49,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-32776.patch \
file://CVE-2026-32777-01.patch \
file://CVE-2026-32777-02.patch \
+ file://CVE-2026-32778-01.patch \
+ file://CVE-2026-32778-02.patch \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 08/23] linux-yocto/6.6: update to v6.6.124
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/6.6 to the latest korg -stable release that comprises
the following commits:
1b4ef5214f17e Linux 6.6.124
23897ece6167c ALSA: hda/realtek: Really fix headset mic for TongFang X6AR55xU.
d0a6e43d7cccc spi: tegra114: Preserve SPI mode bits in def_command1_reg
126a09f4fcd2b spi: tegra: Fix a memory leak in tegra_slink_probe()
dfc6367898077 spi: tegra210-quad: Protect curr_xfer clearing in tegra_qspi_non_combined_seq_xfer
712cde8d91688 spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer
53eba2a4a4666 spi: tegra210-quad: Protect curr_xfer assignment in tegra_qspi_setup_transfer_one
f9cafa63039b8 spi: tegra210-quad: Move curr_xfer read inside spinlock
552e3d8a8bef2 spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed transfer
a168f2002b2b4 gve: Correct ethtool rx_dropped calculation
d4a81b8ec6398 btrfs: fix racy bitfield write in btrfs_clear_space_info_full()
0e0120214b5dc ASoC: amd: fix memory leak in acp3x pdm dma ops
50b7c7a255858 ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF
42c574c1504aa netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()
8c934bafd10b9 hwmon: (occ) Mark occ_init_attribute() as __printf
3f89a4ef6505a drm/mgag200: fix mgag200_bmc_stop_scanout()
9d40a85138568 net: gro: fix outer network offset
00a7512ff7195 net: ethernet: adi: adin1110: Check return value of devm_gpiod_get_optional() in adin1110_check_spi()
17d340e81c4b5 tipc: use kfree_sensitive() for session key material
b2c9edad3620f net: don't touch dev->stats in BPF redirect paths
11ba9f0dc8651 macvlan: fix error recovery in macvlan_common_newlink()
f89e33c9c37f0 dpaa2-switch: add bounds check for if_id in IRQ handler
3bf519e39b51c net: liquidio: Fix off-by-one error in VF setup_nic_devices() cleanup
a0d2389c8cdc1 net: liquidio: Fix off-by-one error in PF setup_nic_devices() cleanup
c0ed6c77ec340 net: liquidio: Initialize netdev pointer before queue setup
b97415c4362f7 dpaa2-switch: prevent ZERO_SIZE_PTR dereference when num_ifs is zero
13336a6239b9d net/sched: cls_u32: use skb_header_pointer_careful()
fcbda653b5a88 net: add skb_header_pointer_careful() helper
3a6d6b332f929 smb/client: fix memory leak in smb2_open_file()
f54886e18b856 platform/x86: hp-bioscfg: Skip empty attribute names
9423990550a2a platform/x86: intel_telemetry: Fix PSS event register mask
ca9ff71c15bc8 platform/x86: toshiba_haps: Fix memory leaks in add/remove routines
bae0565fa975d wifi: mac80211: don't increment crypto_tx_tailroom_needed_cnt twice
ccd1843b63f64 wifi: mac80211: correctly check if CSA is active
73b487d44bf4f scsi: target: iscsi: Fix use-after-free in iscsit_dec_conn_usage_count()
29fe5ff92433a ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU
11ebafffce31e scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count()
2f4f008f622d4 wifi: cfg80211: Fix bitrate calculation overflow for HE rates
d61171cf09715 regmap: maple: free entry on mas_store_gfp() failure
f9b06d28a60b3 spi: hisi-kunpeng: Fixed the wrong debugfs node name in hisi_spi debugfs initialization
254f303cd6663 ASoC: tlv320adcx140: Propagate error codes during probe
e2c03961b01a8 ASoC: amd: yc: Fix microphone on ASUS M6500RE
f532b29b0e313 nvmet-tcp: fixup hang in nvmet_tcp_listen_data_ready()
7c54d3f5ebbc5 nvme-fc: release admin tagset if init fails
1d395dae332ba ASoC: davinci-evm: Fix reference leak in davinci_evm_probe
db1bef623ae32 wifi: mac80211: collect station statistics earlier when disconnect
1fbb409652e3d ring-buffer: Avoid softlockup in ring_buffer_resize() during memory free
f63f30607dd8e HID: Apply quirk HID_QUIRK_ALWAYS_POLL to Edifier QR30 (2d99:a101)
cff3f619fd1cb HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report()
68ab5057e690e HID: quirks: Add another Chicony HP 5MP Cameras to hid_ignore_list
383bc94e90661 netfilter: replace -EEXIST with -EBUSY
a58fbeda600fe ALSA: hda/realtek: add HP Laptop 15s-eq1xxx mute LED quirk
bfcfb9e548bc1 HID: playstation: Center initial joystick axes to prevent spurious events
9edee94001b63 HID: intel-ish-hid: Reset enum_devices_done before enumeration
28b97fcbbf523 btrfs: fix reservation leak in some error paths when inserting inline extent
9ab846d8dd027 HID: multitouch: add MT_QUIRK_STICKY_FINGERS to MT_CLS_VTL
5b25505b52dff HID: intel-ish-hid: Update ishtp bus match to support device ID table
07df5ff4f6490 smb/server: fix refcount leak in parse_durable_handle_context()
73ede654d9daa LoongArch: Enable exception fixup for specific ADE subcode
2456fde2b1377 smb/server: fix refcount leak in smb2_open()
5fbdf95d2575e LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED
04dd114b682a4 smb/server: call ksmbd_session_rpc_close() on error path in create_smb2_pipe()
b03415955ed31 block,bfq: fix aux stat accumulation destination
8365785e59ea4 net: usb: sr9700: support devices with virtual driver CD
b167312390fdd wifi: wlcore: ensure skb headroom before skb_push
ffe1e19c3b0e5 wifi: mac80211: ocb: skip rx_no_sta when interface is not joined
d75245dad5cc6 tracing: Fix ftrace event field alignments
df54838ab6182 gve: Fix stats report corruption on queue count change
a8adf1ceee4e1 KVM: selftests: Add -U_FORTIFY_SOURCE to avoid some unpredictable test failures
46c93903e4c19 binderfs: fix ida_alloc_max() upper bound
ebb6aa6928d5c binder: fix BR_FROZEN_REPLY error log
9f6022b2573ae sched/rt: Fix race in push_rt_task
64c0b7e229375 ublk: fix deadlock when reading partition table
c3db89ea1ed3d hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
df524a68d9021 netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX
b61f9b2fcf181 KVM: Don't clobber irqfd routing type when deassigning irqfd
d2bddc2da2b3b Revert "drm/amd: Check if ASPM is enabled from PCIe subsystem"
7f7467be748eb ARM: 9468/1: fix memset64() on big-endian
4f9f1fdc0ebdf rbd: check for EOD after exclusive lock is ensured to be held
071159ff5c0bf pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains
7aa0c2bb0771a pmdomain: imx8mp-blk-ctrl: Keep usb phy power domain on for system wakeup
e2e1c77319d52 pmdomain: imx: gpcv2: Fix the imx8mm gpu hang due to wrong adb400 reset
1267af5b2033d pmdomain: imx8mp-blk-ctrl: Keep gpc power domain on for system wakeup
c28dcc1cb4fda pmdomain: qcom: rpmpd: fix off-by-one error in clamping to the highest state
302651ccef698 platform/x86: intel_telemetry: Fix swapped arrays in PSS output
c56b4c84b3b21 x86/kfence: fix booting on 32bit non-PAE systems
dca1a6ba0da9f nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../linux/linux-yocto-rt_6.6.bb | 6 ++--
.../linux/linux-yocto-tiny_6.6.bb | 6 ++--
meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++----------
3 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb
index 3ad8bd54fa..3c28f96906 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb
@@ -14,13 +14,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "5a49ab75e554557c1d3665b22233c4de9a2c2a75"
-SRCREV_meta ?= "17375dce1754d0783fb3fb9e684691951f9ff357"
+SRCREV_machine ?= "a32dc01f5dbce65781e06a973624a2c3572fa7cd"
+SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https"
-LINUX_VERSION ?= "6.6.123"
+LINUX_VERSION ?= "6.6.124"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb
index 50c8e69d5c..08c176a698 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb
@@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc
# CVE exclusions
include recipes-kernel/linux/cve-exclusion_6.6.inc
-LINUX_VERSION ?= "6.6.123"
+LINUX_VERSION ?= "6.6.124"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "18a3ba79eed015d2cbd1f5af2c1417d12b369698"
-SRCREV_meta ?= "17375dce1754d0783fb3fb9e684691951f9ff357"
+SRCREV_machine ?= "a00c570459f5486c036aefc93ab323efa8c7e645"
+SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970"
PV = "${LINUX_VERSION}+git"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb
index 3f8b40e305..565022a615 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb
@@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base"
KBRANCH:qemuloongarch64 ?= "v6.6/standard/base"
KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64"
-SRCREV_machine:qemuarm ?= "b562777a433f835ae245e08c27df6b47e3ae2505"
-SRCREV_machine:qemuarm64 ?= "2df2455c7199cb8db4ea0118f908f952ff73eb97"
-SRCREV_machine:qemuloongarch64 ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1"
-SRCREV_machine:qemumips ?= "6b9c16676cd4c8494ca7cdff355cb1cfe4d8fb3a"
-SRCREV_machine:qemuppc ?= "bf3f6c731ea41e519389b24104458870475dce20"
-SRCREV_machine:qemuriscv64 ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1"
-SRCREV_machine:qemuriscv32 ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1"
-SRCREV_machine:qemux86 ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1"
-SRCREV_machine:qemux86-64 ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1"
-SRCREV_machine:qemumips64 ?= "9fb8ff244fe5c5d6aa08457cfb9bbe4a3ef47366"
-SRCREV_machine ?= "af240d7d57ebf66e87bc2dff34855e630a97ead1"
-SRCREV_meta ?= "17375dce1754d0783fb3fb9e684691951f9ff357"
+SRCREV_machine:qemuarm ?= "225cb65775de5e687da708da8f126bf94a426c54"
+SRCREV_machine:qemuarm64 ?= "632fdc720fa54154453715becbbf57793363b62d"
+SRCREV_machine:qemuloongarch64 ?= "6e00181d086766512ef48806d649d032c479566d"
+SRCREV_machine:qemumips ?= "083f8e7fb7cacf7167aaf41b6366dc63b0b42b9a"
+SRCREV_machine:qemuppc ?= "0149565b9e2219e923ba0eebc4f7c60661778453"
+SRCREV_machine:qemuriscv64 ?= "6e00181d086766512ef48806d649d032c479566d"
+SRCREV_machine:qemuriscv32 ?= "6e00181d086766512ef48806d649d032c479566d"
+SRCREV_machine:qemux86 ?= "6e00181d086766512ef48806d649d032c479566d"
+SRCREV_machine:qemux86-64 ?= "6e00181d086766512ef48806d649d032c479566d"
+SRCREV_machine:qemumips64 ?= "3f1d938eafffaadd2fa9d9bc83446c90d8f36093"
+SRCREV_machine ?= "6e00181d086766512ef48806d649d032c479566d"
+SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "c56aaf1a85ae918dd521fb2869028cf533d2755a"
+SRCREV_machine:class-devupstream ?= "1b4ef5214f17e671cc13f2da4a678574ce91d151"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v6.6/base"
@@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "6.6.123"
+LINUX_VERSION ?= "6.6.124"
PV = "${LINUX_VERSION}+git"
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 09/23] linux-yocto/6.6: update to v6.6.126
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/6.6 to the latest korg -stable release that comprises
the following commits:
56865d9b7074c Linux 6.6.126
673dafb9a8634 Revert "driver core: enforce device_lock for driver_match_device()"
ae462074fde3b Linux 6.6.125
1c04c3a4de8d4 gpio: omap: do not register driver in probe()
455e882192c98 mptcp: fix race in mptcp_pm_nl_flush_addrs_doit()
2b890bc3a5774 selftests: mptcp: pm: ensure unknown flags are ignored
8df235f768cea spi: cadence-quadspi: Implement refcount to handle unbind during busy
665e570600733 vsock/test: verify socket options after setting them
a9e757473561d netfilter: nft_set_pipapo: prevent overflow in lookup table allocation
1c4f72fa96993 netfilter: nf_tables: missing objects with no memcg accounting
30405b23b4d5e nfsd: don't ignore the return code of svc_proc_register()
57770faaff8ee net: sfp: Fix quirk for Ubiquiti U-Fiber Instant SFP module
dccf7bc011d0e scsi: qla2xxx: Query FW again before proceeding with login
aed16d37696f4 scsi: qla2xxx: Free sp in error path to fix system crash
528b2f1027edf scsi: qla2xxx: Delay module unload while fabric scan in progress
ccbfcaa4b88e5 scsi: qla2xxx: Allow recovery for tape devices
949010291bb94 scsi: qla2xxx: Validate sp before freeing associated memory
71dee092903ad wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon()
df1e20796c9f3 nilfs2: Fix potential block overflow that cause system hang
dd1f6c9206385 crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req
d6f0d58680868 crypto: virtio - Add spinlock protection with virtqueue notification
6edf8df4bd29f crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly
7dbeeafcb6e50 crypto: octeontx - Fix length check to avoid truncation in ucode_load_store
6dda9f0699054 Bluetooth: btusb: Add USB ID 7392:e611 for Edimax EW-7611UXB
adc1796eced46 driver core: enforce device_lock for driver_match_device()
787769c8cc504 smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection()
5accdc5b7f28a ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths
4386f6af8aaed smb: client: split cached_fid bitfields to avoid shared-byte RMW races
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../linux/linux-yocto-rt_6.6.bb | 6 ++--
.../linux/linux-yocto-tiny_6.6.bb | 6 ++--
meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++----------
3 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb
index 3c28f96906..e5f3c9b6cb 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb
@@ -14,13 +14,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "a32dc01f5dbce65781e06a973624a2c3572fa7cd"
-SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970"
+SRCREV_machine ?= "aaa3191196fccd0d26d55a88dcc2396ce79cfc21"
+SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https"
-LINUX_VERSION ?= "6.6.124"
+LINUX_VERSION ?= "6.6.126"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb
index 08c176a698..56b3e52003 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb
@@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc
# CVE exclusions
include recipes-kernel/linux/cve-exclusion_6.6.inc
-LINUX_VERSION ?= "6.6.124"
+LINUX_VERSION ?= "6.6.126"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "a00c570459f5486c036aefc93ab323efa8c7e645"
-SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970"
+SRCREV_machine ?= "3a9d8ba770fff7d27a4d2607644d9d6925329e73"
+SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81"
PV = "${LINUX_VERSION}+git"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb
index 565022a615..b4d9452b80 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb
@@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base"
KBRANCH:qemuloongarch64 ?= "v6.6/standard/base"
KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64"
-SRCREV_machine:qemuarm ?= "225cb65775de5e687da708da8f126bf94a426c54"
-SRCREV_machine:qemuarm64 ?= "632fdc720fa54154453715becbbf57793363b62d"
-SRCREV_machine:qemuloongarch64 ?= "6e00181d086766512ef48806d649d032c479566d"
-SRCREV_machine:qemumips ?= "083f8e7fb7cacf7167aaf41b6366dc63b0b42b9a"
-SRCREV_machine:qemuppc ?= "0149565b9e2219e923ba0eebc4f7c60661778453"
-SRCREV_machine:qemuriscv64 ?= "6e00181d086766512ef48806d649d032c479566d"
-SRCREV_machine:qemuriscv32 ?= "6e00181d086766512ef48806d649d032c479566d"
-SRCREV_machine:qemux86 ?= "6e00181d086766512ef48806d649d032c479566d"
-SRCREV_machine:qemux86-64 ?= "6e00181d086766512ef48806d649d032c479566d"
-SRCREV_machine:qemumips64 ?= "3f1d938eafffaadd2fa9d9bc83446c90d8f36093"
-SRCREV_machine ?= "6e00181d086766512ef48806d649d032c479566d"
-SRCREV_meta ?= "307ef96123620278563ff5b1c9fb8b7b4da26970"
+SRCREV_machine:qemuarm ?= "746f0ca46b4fdd56ba711cf7b49b9a71d4f64acf"
+SRCREV_machine:qemuarm64 ?= "9da440425610b9335df95d76dfa2a56ea4e492eb"
+SRCREV_machine:qemuloongarch64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
+SRCREV_machine:qemumips ?= "208bd32390022fec5948b1808e6d9ea83d88d9bd"
+SRCREV_machine:qemuppc ?= "9645b14ebe59396b0d1035c5f96ac74ae483f4c7"
+SRCREV_machine:qemuriscv64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
+SRCREV_machine:qemuriscv32 ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
+SRCREV_machine:qemux86 ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
+SRCREV_machine:qemux86-64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
+SRCREV_machine:qemumips64 ?= "b7972053efd2ad49abf9a0637dfa2b4b1bdff8a4"
+SRCREV_machine ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
+SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "1b4ef5214f17e671cc13f2da4a678574ce91d151"
+SRCREV_machine:class-devupstream ?= "56865d9b7074c08d8191bc721b1e46baa650d9cd"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v6.6/base"
@@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "6.6.124"
+LINUX_VERSION ?= "6.6.126"
PV = "${LINUX_VERSION}+git"
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 10/23] linux-yocto/6.6: update to v6.6.127
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Updating linux-yocto/6.6 to the latest korg -stable release that comprises
the following commits:
7a137e9bfa0e Linux 6.6.127
f478b8239d65 net: tunnel: make skb_vlan_inet_prepare() return drop reasons
35ac888bf8ac USB: serial: option: add Telit FN920C04 RNDIS compositions
d4534a7f6c92 f2fs: fix to avoid mapping wrong physical block for swapfile
20a8bad29d18 f2fs: fix zoned block device information initialization
acc2c97fc000 f2fs: fix to avoid UAF in f2fs_write_end_io()
75e19da068ad f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
eebd72cff518 f2fs: fix out-of-bounds access in sysfs attribute read/write
81193503af1f f2fs: fix to add gc count stat in f2fs_gc_range
0634e8d65099 fbdev: smscufx: properly copy ioctl memory to kernelspace
78daf5984d96 fbdev: rivafb: fix divide error in nv3_arb()
f42a2d49c465 LoongArch: Add writecombine support for DMW-based ioremap()
6e5eccdef67e cpuset: Fix missing adaptation for cpuset_is_populated
ff37dd18ce77 mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather
2eeca9383efe mm/hugetlb: fix two comments related to huge_pmd_unshare()
51dcf459845f mm/hugetlb: fix hugetlb_pmd_shared()
8c9a1b071051 mm/hugetlb: fix copy_hugetlb_page_range() to use ->pt_share_count
168ee1549fa2 Revert "wireguard: device: enable threaded NAPI"
78e706f9b197 LoongArch: Rework KASAN initialization for PTW-enabled systems
f507fc06c7cd LoongArch: Add WriteCombine shadow mapping in KASAN
16f137fb74c1 gpiolib: acpi: Fix gpio count with string references
61e007657bf7 ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put()
f49d2497da14 ASoC: cs42l43: Correct handling of 3-pole jack load detection
329bb274a3a9 platform/x86: panasonic-laptop: Fix sysfs group leak in error path
e8f5d1306a3a platform/x86/amd/pmc: Add quirk for MECHREVO Wujie 15X Pro
c3876edb0184 ASoC: amd: yc: Add quirk for HP 200 G2a 16
d7d7b93aca64 ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9
9cf4b9b8ad09 platform/x86: classmate-laptop: Add missing NULL pointer checks
e120bae4c56d drm/tegra: hdmi: sor: Fix error: variable ‘j’ set but not used
cbd9931e6456 romfs: check sb_set_blocksize() return value
79100c3bc0c4 ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel
6834804ad484 ALSA: hda/realtek: Add quirk for Inspur S14-G1
b204c5ec24a2 gpio: sprd: Change sprd_gpio lock to raw_spin_lock
4cfb1aed4753 ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list
2accd79be906 ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU
b19838402873 bus: fsl-mc: fix use-after-free in driver_override_show()
3118a9c6875b bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions
8cb905eca739 PCI: endpoint: Avoid creating sub-groups asynchronously
68c9fdb01af8 PCI: endpoint: Remove unused field in struct pci_epf_group
74e7458537cd scsi: qla2xxx: Fix bsg_done() causing double free
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../linux/linux-yocto-rt_6.6.bb | 6 ++--
.../linux/linux-yocto-tiny_6.6.bb | 6 ++--
meta/recipes-kernel/linux/linux-yocto_6.6.bb | 28 +++++++++----------
3 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb
index e5f3c9b6cb..8685e5cbf6 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb
@@ -14,13 +14,13 @@ python () {
raise bb.parse.SkipRecipe("Set PREFERRED_PROVIDER_virtual/kernel to linux-yocto-rt to enable it")
}
-SRCREV_machine ?= "aaa3191196fccd0d26d55a88dcc2396ce79cfc21"
-SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81"
+SRCREV_machine ?= "c45743dc8dc2ddfbe7bd165997e1f7cf887fa6b7"
+SRCREV_meta ?= "45f69741c733e066ed1a12b6025e347e5cd6063e"
SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;branch=${KBRANCH};name=machine;protocol=https \
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https"
-LINUX_VERSION ?= "6.6.126"
+LINUX_VERSION ?= "6.6.127"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb
index 56b3e52003..d6a9afdf17 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb
@@ -8,7 +8,7 @@ require recipes-kernel/linux/linux-yocto.inc
# CVE exclusions
include recipes-kernel/linux/cve-exclusion_6.6.inc
-LINUX_VERSION ?= "6.6.126"
+LINUX_VERSION ?= "6.6.127"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
DEPENDS += "${@bb.utils.contains('ARCH', 'x86', 'elfutils-native', '', d)}"
@@ -17,8 +17,8 @@ DEPENDS += "openssl-native util-linux-native"
KMETA = "kernel-meta"
KCONF_BSP_AUDIT_LEVEL = "2"
-SRCREV_machine ?= "3a9d8ba770fff7d27a4d2607644d9d6925329e73"
-SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81"
+SRCREV_machine ?= "8247922ff493e4fef938ce36562cac9c0cce86aa"
+SRCREV_meta ?= "45f69741c733e066ed1a12b6025e347e5cd6063e"
PV = "${LINUX_VERSION}+git"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.6.bb b/meta/recipes-kernel/linux/linux-yocto_6.6.bb
index b4d9452b80..92ad6afa3a 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.6.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.6.bb
@@ -18,25 +18,25 @@ KBRANCH:qemux86-64 ?= "v6.6/standard/base"
KBRANCH:qemuloongarch64 ?= "v6.6/standard/base"
KBRANCH:qemumips64 ?= "v6.6/standard/mti-malta64"
-SRCREV_machine:qemuarm ?= "746f0ca46b4fdd56ba711cf7b49b9a71d4f64acf"
-SRCREV_machine:qemuarm64 ?= "9da440425610b9335df95d76dfa2a56ea4e492eb"
-SRCREV_machine:qemuloongarch64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
-SRCREV_machine:qemumips ?= "208bd32390022fec5948b1808e6d9ea83d88d9bd"
-SRCREV_machine:qemuppc ?= "9645b14ebe59396b0d1035c5f96ac74ae483f4c7"
-SRCREV_machine:qemuriscv64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
-SRCREV_machine:qemuriscv32 ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
-SRCREV_machine:qemux86 ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
-SRCREV_machine:qemux86-64 ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
-SRCREV_machine:qemumips64 ?= "b7972053efd2ad49abf9a0637dfa2b4b1bdff8a4"
-SRCREV_machine ?= "c6bff8c03457825a34929284be97de7fd99f0c83"
-SRCREV_meta ?= "17b54189a09494c54960a80a479098010e428f81"
+SRCREV_machine:qemuarm ?= "aa66687c1abe2afe2ee6c00c36bfaaf3d5d9636c"
+SRCREV_machine:qemuarm64 ?= "cf88783fdb92901d9d228afb7d700c6575742f1b"
+SRCREV_machine:qemuloongarch64 ?= "70af2998be31b72a111de67966b7816b3d54d472"
+SRCREV_machine:qemumips ?= "cbd6f9a670486dcd83ef0f8b90a75b2b7b44b447"
+SRCREV_machine:qemuppc ?= "bce75aa765505d7db3bb1bfefb5d3f524a1a5b64"
+SRCREV_machine:qemuriscv64 ?= "70af2998be31b72a111de67966b7816b3d54d472"
+SRCREV_machine:qemuriscv32 ?= "70af2998be31b72a111de67966b7816b3d54d472"
+SRCREV_machine:qemux86 ?= "70af2998be31b72a111de67966b7816b3d54d472"
+SRCREV_machine:qemux86-64 ?= "70af2998be31b72a111de67966b7816b3d54d472"
+SRCREV_machine:qemumips64 ?= "4cc6d51a6f63436a37c3ba4ea2da93c7fd3240b4"
+SRCREV_machine ?= "70af2998be31b72a111de67966b7816b3d54d472"
+SRCREV_meta ?= "45f69741c733e066ed1a12b6025e347e5cd6063e"
# set your preferred provider of linux-yocto to 'linux-yocto-upstream', and you'll
# get the <version>/base branch, which is pure upstream -stable, and the same
# meta SRCREV as the linux-yocto-standard builds. Select your version using the
# normal PREFERRED_VERSION settings.
BBCLASSEXTEND = "devupstream:target"
-SRCREV_machine:class-devupstream ?= "56865d9b7074c08d8191bc721b1e46baa650d9cd"
+SRCREV_machine:class-devupstream ?= "7a137e9bfa0e1919555d60f9dc0c05a7a5ba75d0"
PN:class-devupstream = "linux-yocto-upstream"
KBRANCH:class-devupstream = "v6.6/base"
@@ -44,7 +44,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto.git;name=machine;branch=${KBRA
git://git.yoctoproject.org/yocto-kernel-cache;type=kmeta;name=meta;branch=yocto-6.6;destsuffix=${KMETA};protocol=https"
LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
-LINUX_VERSION ?= "6.6.126"
+LINUX_VERSION ?= "6.6.127"
PV = "${LINUX_VERSION}+git"
* [OE-core][scarthgap 11/23] rsync: fix for CVE-2026-41035
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Pick the patch from [1], which is also mentioned in the Debian report [2]
[1] https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c
[2] https://security-tracker.debian.org/tracker/CVE-2026-41035
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-41035
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../rsync/files/CVE-2026-41035.patch | 39 +++++++++++++++++++
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 1 +
2 files changed, 40 insertions(+)
create mode 100644 meta/recipes-devtools/rsync/files/CVE-2026-41035.patch
diff --git a/meta/recipes-devtools/rsync/files/CVE-2026-41035.patch b/meta/recipes-devtools/rsync/files/CVE-2026-41035.patch
new file mode 100644
index 0000000000..66b1b93672
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2026-41035.patch
@@ -0,0 +1,39 @@
+From bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Wed, 22 Apr 2026 09:57:45 +1000
+Subject: [PATCH] xattrs: fixed count in qsort
+
+this fixes the count passed to the sort of the xattr list. This issue
+was reported here:
+
+https://www.openwall.com/lists/oss-security/2026/04/16/2
+
+the bug is not exploitable due to the fork-per-connection design of
+rsync, the attack is the equivalent of the user closing the socket
+themselves.
+
+CVE: CVE-2026-41035
+Upstream-Status: Backport [https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ xattrs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xattrs.c b/xattrs.c
+index 26e50a6..65166ee 100644
+--- a/xattrs.c
++++ b/xattrs.c
+@@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file)
+ rxa->num = num;
+ }
+
+- if (need_sort && count > 1)
+- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names);
++ if (need_sort && temp_xattr.count > 1)
++ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names);
+
+ ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */
+
+--
+2.50.1
+
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 14beafb681..2a1c3d9d56 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
file://CVE-2024-12088.patch \
file://CVE-2024-12747.patch \
file://CVE-2025-10158.patch \
+ file://CVE-2026-41035.patch \
"
SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
* [OE-core][scarthgap 12/23] u-boot: fix CVE-2025-24857
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
According to [1], Improper access control for volatile memory containing boot
code in Universal Boot Loader (U-Boot) before 2017.11 and Qualcomm chips IPQ4019,
IPQ5018, IPQ5322, IPQ6018, IPQ8064, IPQ8074, and IPQ9574 could allow an attacker
to execute arbitrary code.
Backport a patch [2] from upstream to fix CVE-2025-24857
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-24857
[2] https://source.denx.de/u-boot/u-boot/-/commit/87d85139a96a39429120cca838e739408ef971a2
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../u-boot/files/CVE-2025-24857.patch | 42 +++++++++++++++++++
meta/recipes-bsp/u-boot/u-boot-common.inc | 4 +-
2 files changed, 45 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2025-24857.patch
diff --git a/meta/recipes-bsp/u-boot/files/CVE-2025-24857.patch b/meta/recipes-bsp/u-boot/files/CVE-2025-24857.patch
new file mode 100644
index 0000000000..99acd5bab1
--- /dev/null
+++ b/meta/recipes-bsp/u-boot/files/CVE-2025-24857.patch
@@ -0,0 +1,42 @@
+From 15a46d72515c04d0eeaca19bf0356a39efc9cf93 Mon Sep 17 00:00:00 2001
+From: Tom Rini <trini@konsulko.com>
+Date: Tue, 9 Dec 2025 15:23:01 -0600
+Subject: [PATCH] fs: fat: Perform sanity checks on getsize in get_fatent()
+
+We do not perform a check on the value of getsize in get_fatent to
+ensure that it will fit within the allocated buffer. For safety sake,
+add a check now and if the value exceeds FATBUFBLOCKS use that value
+instead. While not currently actively exploitable, it was in the past so
+adding this check is worthwhile.
+
+This addresses CVE-2025-24857 and was originally reported by Harvey
+Phillips of Amazon Element55.
+
+Signed-off-by: Tom Rini <trini@konsulko.com>
+
+CVE: CVE-2025-24857
+Upstream-Status: Backport [https://source.denx.de/u-boot/u-boot/-/commit/87d85139a96a39429120cca838e739408ef971a2]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fs/fat/fat.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/fat/fat.c b/fs/fat/fat.c
+index e2570e81676..f6dc7ed15fe 100644
+--- a/fs/fat/fat.c
++++ b/fs/fat/fat.c
+@@ -215,6 +215,11 @@ static __u32 get_fatent(fsdata *mydata, __u32 entry)
+ if (flush_dirty_fat_buffer(mydata) < 0)
+ return -1;
+
++ if (getsize > FATBUFBLOCKS) {
++ debug("getsize is too large for bufptr\n");
++ getsize = FATBUFBLOCKS;
++ }
++
+ if (disk_read(startblock, getsize, bufptr) < 0) {
+ debug("Error reading FAT blocks\n");
+ return ret;
+--
+2.49.0
+
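Review bot: The new guard clamps getsize to FATBUFBLOCKS and carries on into disk_read, so a FAT whose geometry yields an out-of-range size is read truncated and silently instead of being rejected the way the flush_dirty_fat_buffer failure just above is (`return -1;`); as this is a backport any tightening belongs upstream first, but it is worth recording that the clamp only bounds the write into bufptr and does not treat the input as corrupt. debug() is compiled out of non-debug builds, so a production image logs nothing when this path triggers. The From line of the patch header names commit 15a46d72515c04d0eeaca19bf0356a39efc9cf93 while the Upstream-Status tag points at 87d85139a96a39429120cca838e739408ef971a2; this may just be a cherry-pick id from another branch, but the two should be reconciled so the backport stays traceable. get_fatent starts and ends outside the hunk, so how getsize is computed is not visible here.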
diff --git a/meta/recipes-bsp/u-boot/u-boot-common.inc b/meta/recipes-bsp/u-boot/u-boot-common.inc
index 1f17bd7d0a..5f6bd44ab7 100644
--- a/meta/recipes-bsp/u-boot/u-boot-common.inc
+++ b/meta/recipes-bsp/u-boot/u-boot-common.inc
@@ -14,7 +14,9 @@ PE = "1"
# repo during parse
SRCREV = "866ca972d6c3cabeaf6dbac431e8e08bb30b3c8e"
-SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master"
+SRC_URI = "git://source.denx.de/u-boot/u-boot.git;protocol=https;branch=master \
+ file://CVE-2025-24857.patch \
+"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build"
* [OE-core][scarthgap 13/23] ovmf: fix CVE-2025-2296
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
According to [1], EDK2 contains a vulnerability in BIOS where an attacker may
cause “Improper Input Validation” by local access. Successful exploitation of
this vulnerability could alter control flow in unexpected ways, potentially
allowing arbitrary command execution and impacting Confidentiality, Integrity,
and Availability.
Backport patches from upstream [2] to fix CVE-2025-2296
Note: backport 0001-AmdSev-Halt-on-failed-blob-allocation.patch to apply
the CVE patches without conflicts
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-2296
[2] https://github.com/tianocore/edk2/pull/10628
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
...mdSev-Halt-on-failed-blob-allocation.patch | 159 ++++
.../ovmf/ovmf/CVE-2025-2296-1.patch | 762 ++++++++++++++++++
.../ovmf/ovmf/CVE-2025-2296-2.patch | 175 ++++
.../ovmf/ovmf/CVE-2025-2296-3.patch | 42 +
.../ovmf/ovmf/CVE-2025-2296-4.patch | 34 +
.../ovmf/ovmf/CVE-2025-2296-5.patch | 36 +
.../ovmf/ovmf/CVE-2025-2296-6.patch | 54 ++
.../ovmf/ovmf/CVE-2025-2296-7.patch | 124 +++
.../ovmf/ovmf/CVE-2025-2296-8.patch | 125 +++
.../ovmf/ovmf/CVE-2025-2296-9.patch | 108 +++
meta/recipes-core/ovmf/ovmf_git.bb | 10 +
11 files changed, 1629 insertions(+)
create mode 100644 meta/recipes-core/ovmf/ovmf/0001-AmdSev-Halt-on-failed-blob-allocation.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-1.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-2.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-3.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-4.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-5.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-6.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-7.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-8.patch
create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2025-2296-9.patch
diff --git a/meta/recipes-core/ovmf/ovmf/0001-AmdSev-Halt-on-failed-blob-allocation.patch b/meta/recipes-core/ovmf/ovmf/0001-AmdSev-Halt-on-failed-blob-allocation.patch
new file mode 100644
index 0000000000..181ff3376a
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/0001-AmdSev-Halt-on-failed-blob-allocation.patch
@@ -0,0 +1,159 @@
+From dbec8dc5ba6341d816ffd495fcd7eeece1716bb4 Mon Sep 17 00:00:00 2001
+From: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
+Date: Mon, 29 Apr 2024 20:07:19 +0000
+Subject: [PATCH] AmdSev: Halt on failed blob allocation
+
+A malicious host may be able to undermine the fw_cfg
+interface such that loading a blob fails.
+
+In this case rather than continuing to the next boot
+option, the blob verifier should halt.
+
+For non-confidential guests, the error should be non-fatal.
+
+Signed-off-by: Tobin Feldman-Fitzthum <tobin@linux.ibm.com>
+
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/10b4bb8d6d0c515ed9663691aea3684be8f7b0fc]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../BlobVerifierSevHashes.c | 17 ++++++++++++++++-
+ OvmfPkg/Include/Library/BlobVerifierLib.h | 11 +++++++----
+ .../BlobVerifierLibNull/BlobVerifierNull.c | 13 ++++++++-----
+ .../QemuKernelLoaderFsDxe.c | 9 ++++-----
+ 4 files changed, 35 insertions(+), 15 deletions(-)
+
+diff --git a/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c b/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c
+index 2e58794c3c..6477c5c3d3 100644
+--- a/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c
++++ b/OvmfPkg/AmdSev/BlobVerifierLibSevHashes/BlobVerifierSevHashes.c
+@@ -80,6 +80,7 @@ FindBlobEntryGuid (
+ @param[in] BlobName The name of the blob
+ @param[in] Buf The data of the blob
+ @param[in] BufSize The size of the blob in bytes
++ @param[in] FetchStatus The status of the previous blob fetch
+
+ @retval EFI_SUCCESS The blob was verified successfully.
+ @retval EFI_ACCESS_DENIED The blob could not be verified, and therefore
+@@ -90,13 +91,27 @@ EFIAPI
+ VerifyBlob (
+ IN CONST CHAR16 *BlobName,
+ IN CONST VOID *Buf,
+- IN UINT32 BufSize
++ IN UINT32 BufSize,
++ IN EFI_STATUS FetchStatus
+ )
+ {
+ CONST GUID *Guid;
+ INT32 Remaining;
+ HASH_TABLE *Entry;
+
++ // Enter a dead loop if the fetching of this blob
++ // failed. This prevents a malicious host from
++ // circumventing the following checks.
++ if (EFI_ERROR (FetchStatus)) {
++ DEBUG ((
++ DEBUG_ERROR,
++ "%a: Fetching blob failed.\n",
++ __func__
++ ));
++
++ CpuDeadLoop ();
++ }
++
+ if ((mHashesTable == NULL) || (mHashesTableSize == 0)) {
+ DEBUG ((
+ DEBUG_ERROR,
+diff --git a/OvmfPkg/Include/Library/BlobVerifierLib.h b/OvmfPkg/Include/Library/BlobVerifierLib.h
+index 7e1af27574..09af1b77de 100644
+--- a/OvmfPkg/Include/Library/BlobVerifierLib.h
++++ b/OvmfPkg/Include/Library/BlobVerifierLib.h
+@@ -22,17 +22,20 @@
+ @param[in] BlobName The name of the blob
+ @param[in] Buf The data of the blob
+ @param[in] BufSize The size of the blob in bytes
++ @param[in] FetchStatus The status of fetching this blob
+
+- @retval EFI_SUCCESS The blob was verified successfully.
+- @retval EFI_ACCESS_DENIED The blob could not be verified, and therefore
+- should be considered non-secure.
++ @retval EFI_SUCCESS The blob was verified successfully or was not
++ found in the hash table.
++ @retval EFI_ACCESS_DENIED Kernel hashes not supported but the boot can
++ continue safely.
+ **/
+ EFI_STATUS
+ EFIAPI
+ VerifyBlob (
+ IN CONST CHAR16 *BlobName,
+ IN CONST VOID *Buf,
+- IN UINT32 BufSize
++ IN UINT32 BufSize,
++ IN EFI_STATUS FetchStatus
+ );
+
+ #endif
+diff --git a/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c b/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c
+index e817c3cc95..db5320571c 100644
+--- a/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c
++++ b/OvmfPkg/Library/BlobVerifierLibNull/BlobVerifierNull.c
+@@ -16,18 +16,21 @@
+ @param[in] BlobName The name of the blob
+ @param[in] Buf The data of the blob
+ @param[in] BufSize The size of the blob in bytes
++ @param[in] FetchStatus The status of the fetch of this blob
+
+- @retval EFI_SUCCESS The blob was verified successfully.
+- @retval EFI_ACCESS_DENIED The blob could not be verified, and therefore
+- should be considered non-secure.
++ @retval EFI_SUCCESS The blob was verified successfully or was not
++ found in the hash table.
++ @retval EFI_ACCESS_DENIED Kernel hashes not supported but the boot can
++ continue safely.
+ **/
+ EFI_STATUS
+ EFIAPI
+ VerifyBlob (
+ IN CONST CHAR16 *BlobName,
+ IN CONST VOID *Buf,
+- IN UINT32 BufSize
++ IN UINT32 BufSize,
++ IN EFI_STATUS FetchStatus
+ )
+ {
+- return EFI_SUCCESS;
++ return FetchStatus;
+ }
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 3c12085f6c..cf58c97cd2 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -1042,6 +1042,7 @@ QemuKernelLoaderFsDxeEntrypoint (
+ KERNEL_BLOB *CurrentBlob;
+ KERNEL_BLOB *KernelBlob;
+ EFI_STATUS Status;
++ EFI_STATUS FetchStatus;
+ EFI_HANDLE FileSystemHandle;
+ EFI_HANDLE InitrdLoadFile2Handle;
+
+@@ -1060,15 +1061,13 @@ QemuKernelLoaderFsDxeEntrypoint (
+ //
+ for (BlobType = 0; BlobType < KernelBlobTypeMax; ++BlobType) {
+ CurrentBlob = &mKernelBlob[BlobType];
+- Status = FetchBlob (CurrentBlob);
+- if (EFI_ERROR (Status)) {
+- goto FreeBlobs;
+- }
++ FetchStatus = FetchBlob (CurrentBlob);
+
+ Status = VerifyBlob (
+ CurrentBlob->Name,
+ CurrentBlob->Data,
+- CurrentBlob->Size
++ CurrentBlob->Size,
++ FetchStatus
+ );
+ if (EFI_ERROR (Status)) {
+ goto FreeBlobs;
+--
+2.49.0
+
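Review bot: VerifyBlob is now reached even when FetchBlob failed (the early `goto FreeBlobs` in QemuKernelLoaderFsDxeEntrypoint is removed), so CurrentBlob->Data and CurrentBlob->Size may be whatever a failed FetchBlob left behind; both visible implementations consult FetchStatus before touching Buf, but the header contract in BlobVerifierLib.h does not say they must. I would add to that doc comment: `Implementations must evaluate FetchStatus before Buf or BufSize; after a failed fetch those may be unset.` Adding a parameter to the public VerifyBlob prototype also breaks any other BlobVerifierLib instance in or out of tree, so it is worth confirming the scarthgap ovmf build links only the two instances patched here. In the Null instance, `return FetchStatus;` keeps the previous behaviour of leaving the loop on a fetch error, matching what the commit message promises for non-confidential guests.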
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-1.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-1.patch
new file mode 100644
index 0000000000..5cdbb12f19
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-1.patch
@@ -0,0 +1,762 @@
+From 459f5ffa24ae8574657c4105af0ff7dc30ac428d Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 14 Jan 2025 17:36:39 +0100
+Subject: [PATCH 01/10] OvmfPkg/QemuKernelLoaderFsDxe: rework direct kernel
+ boot filesystem
+
+Split KERNEL_BLOB struct into two:
+
+ * One (KERNEL_BLOB_ITEMS) static array describing how to load (unnamed)
+ blobs from fw_cfg.
+ * And one (KERNEL_BLOB) dynamically allocated linked list carrying the
+ data blobs for the pseudo filesystem.
+
+Also add some debug logging. Prefix most functions with 'QemuKernel'
+for consistency and easier log file grepping. Add some small helper
+functions.
+
+This refactoring prepares for loading blobs in other ways.
+No (intentional) change in filesystem protocol behavior.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/459f5ffa24ae8574657c4105af0ff7dc30ac428d]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../QemuKernelLoaderFsDxe.c | 345 +++++++++++-------
+ 1 file changed, 205 insertions(+), 140 deletions(-)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index cf58c97cd2..7ad1b3828f 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -31,13 +31,6 @@
+ //
+ // Static data that hosts the fw_cfg blobs and serves file requests.
+ //
+-typedef enum {
+- KernelBlobTypeKernel,
+- KernelBlobTypeInitrd,
+- KernelBlobTypeCommandLine,
+- KernelBlobTypeMax
+-} KERNEL_BLOB_TYPE;
+-
+ typedef struct {
+ CONST CHAR16 Name[8];
+ struct {
+@@ -45,11 +38,17 @@ typedef struct {
+ FIRMWARE_CONFIG_ITEM CONST DataKey;
+ UINT32 Size;
+ } FwCfgItem[2];
+- UINT32 Size;
+- UINT8 *Data;
+-} KERNEL_BLOB;
++} KERNEL_BLOB_ITEMS;
++
++typedef struct KERNEL_BLOB KERNEL_BLOB;
++struct KERNEL_BLOB {
++ CHAR16 Name[8];
++ UINT32 Size;
++ UINT8 *Data;
++ KERNEL_BLOB *Next;
++};
+
+-STATIC KERNEL_BLOB mKernelBlob[KernelBlobTypeMax] = {
++STATIC KERNEL_BLOB_ITEMS mKernelBlobItems[] = {
+ {
+ L"kernel",
+ {
+@@ -69,7 +68,9 @@ STATIC KERNEL_BLOB mKernelBlob[KernelBlobTypeMax] = {
+ }
+ };
+
+-STATIC UINT64 mTotalBlobBytes;
++STATIC KERNEL_BLOB *mKernelBlobs;
++STATIC UINT64 mKernelBlobCount;
++STATIC UINT64 mTotalBlobBytes;
+
+ //
+ // Device path for the handle that incorporates our "EFI stub filesystem".
+@@ -117,7 +118,7 @@ STATIC EFI_TIME mInitTime;
+ typedef struct {
+ UINT64 Signature; // Carries STUB_FILE_SIG.
+
+- KERNEL_BLOB_TYPE BlobType; // Index into mKernelBlob. KernelBlobTypeMax
++ KERNEL_BLOB *Blob; // Index into mKernelBlob. KernelBlobTypeMax
+ // denotes the root directory of the filesystem.
+
+ UINT64 Position; // Byte position for regular files;
+@@ -177,7 +178,7 @@ typedef struct {
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileOpen (
++QemuKernelStubFileOpen (
+ IN EFI_FILE_PROTOCOL *This,
+ OUT EFI_FILE_PROTOCOL **NewHandle,
+ IN CHAR16 *FileName,
+@@ -196,7 +197,7 @@ StubFileOpen (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileClose (
++QemuKernelStubFileClose (
+ IN EFI_FILE_PROTOCOL *This
+ )
+ {
+@@ -219,7 +220,7 @@ StubFileClose (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileDelete (
++QemuKernelStubFileDelete (
+ IN EFI_FILE_PROTOCOL *This
+ )
+ {
+@@ -229,18 +230,17 @@ StubFileDelete (
+
+ /**
+ Helper function that formats an EFI_FILE_INFO structure into the
+- user-allocated buffer, for any valid KERNEL_BLOB_TYPE value (including
+- KernelBlobTypeMax, which stands for the root directory).
++ user-allocated buffer, for any valid KERNEL_BLOB (including NULL,
++ which stands for the root directory).
+
+ The interface follows the EFI_FILE_GET_INFO -- and for directories, the
+ EFI_FILE_READ -- interfaces.
+
+- @param[in] BlobType The KERNEL_BLOB_TYPE value identifying the fw_cfg
++ @param[in] Blob The KERNEL_BLOB identifying the fw_cfg
+ blob backing the STUB_FILE that information is
+- being requested about. If BlobType equals
+- KernelBlobTypeMax, then information will be
+- provided about the root directory of the
+- filesystem.
++ being requested about. If Blob is NULL,
++ then information will be provided about the root
++ directory of the filesystem.
+
+ @param[in,out] BufferSize On input, the size of Buffer. On output, the
+ amount of data returned in Buffer. In both cases,
+@@ -257,10 +257,10 @@ StubFileDelete (
+ **/
+ STATIC
+ EFI_STATUS
+-ConvertKernelBlobTypeToFileInfo (
+- IN KERNEL_BLOB_TYPE BlobType,
+- IN OUT UINTN *BufferSize,
+- OUT VOID *Buffer
++QemuKernelBlobTypeToFileInfo (
++ IN KERNEL_BLOB *Blob,
++ IN OUT UINTN *BufferSize,
++ OUT VOID *Buffer
+ )
+ {
+ CONST CHAR16 *Name;
+@@ -272,17 +272,16 @@ ConvertKernelBlobTypeToFileInfo (
+ EFI_FILE_INFO *FileInfo;
+ UINTN OriginalBufferSize;
+
+- if (BlobType == KernelBlobTypeMax) {
++ if (Blob == NULL) {
+ //
+ // getting file info about the root directory
+ //
++ DEBUG ((DEBUG_INFO, "%a: file info: directory\n", __func__));
+ Name = L"\\";
+- FileSize = KernelBlobTypeMax;
++ FileSize = mKernelBlobCount;
+ Attribute = EFI_FILE_READ_ONLY | EFI_FILE_DIRECTORY;
+ } else {
+- CONST KERNEL_BLOB *Blob;
+-
+- Blob = &mKernelBlob[BlobType];
++ DEBUG ((DEBUG_INFO, "%a: file info: \"%s\"\n", __func__, Blob->Name));
+ Name = Blob->Name;
+ FileSize = Blob->Size;
+ Attribute = EFI_FILE_READ_ONLY;
+@@ -312,6 +311,23 @@ ConvertKernelBlobTypeToFileInfo (
+ return EFI_SUCCESS;
+ }
+
++STATIC
++KERNEL_BLOB *
++FindKernelBlob (
++ CHAR16 *FileName
++ )
++{
++ KERNEL_BLOB *Blob;
++
++ for (Blob = mKernelBlobs; Blob != NULL; Blob = Blob->Next) {
++ if (StrCmp (FileName, Blob->Name) == 0) {
++ return Blob;
++ }
++ }
++
++ return NULL;
++}
++
+ /**
+ Reads data from a file, or continues scanning a directory.
+
+@@ -349,25 +365,25 @@ ConvertKernelBlobTypeToFileInfo (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileRead (
++QemuKernelStubFileRead (
+ IN EFI_FILE_PROTOCOL *This,
+ IN OUT UINTN *BufferSize,
+ OUT VOID *Buffer
+ )
+ {
+- STUB_FILE *StubFile;
+- CONST KERNEL_BLOB *Blob;
+- UINT64 Left;
++ STUB_FILE *StubFile;
++ KERNEL_BLOB *Blob;
++ UINT64 Left, Pos;
+
+ StubFile = STUB_FILE_FROM_FILE (This);
+
+ //
+ // Scanning the root directory?
+ //
+- if (StubFile->BlobType == KernelBlobTypeMax) {
++ if (StubFile->Blob == NULL) {
+ EFI_STATUS Status;
+
+- if (StubFile->Position == KernelBlobTypeMax) {
++ if (StubFile->Position == mKernelBlobCount) {
+ //
+ // Scanning complete.
+ //
+@@ -375,8 +391,16 @@ StubFileRead (
+ return EFI_SUCCESS;
+ }
+
+- Status = ConvertKernelBlobTypeToFileInfo (
+- (KERNEL_BLOB_TYPE)StubFile->Position,
++ for (Pos = 0, Blob = mKernelBlobs;
++ Pos < StubFile->Position;
++ Pos++, Blob = Blob->Next)
++ {
++ }
++
++ DEBUG ((DEBUG_INFO, "%a: file list: #%d \"%s\"\n", __func__, Pos, Blob->Name));
++
++ Status = QemuKernelBlobTypeToFileInfo (
++ Blob,
+ BufferSize,
+ Buffer
+ );
+@@ -391,7 +415,7 @@ StubFileRead (
+ //
+ // Reading a file.
+ //
+- Blob = &mKernelBlob[StubFile->BlobType];
++ Blob = StubFile->Blob;
+ if (StubFile->Position > Blob->Size) {
+ return EFI_DEVICE_ERROR;
+ }
+@@ -402,6 +426,7 @@ StubFileRead (
+ }
+
+ if (Blob->Data != NULL) {
++ DEBUG ((DEBUG_INFO, "%a: file read: \"%s\", %d bytes\n", __func__, Blob->Name, *BufferSize));
+ CopyMem (Buffer, Blob->Data + StubFile->Position, *BufferSize);
+ }
+
+@@ -435,7 +460,7 @@ StubFileRead (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileWrite (
++QemuKernelStubFileWrite (
+ IN EFI_FILE_PROTOCOL *This,
+ IN OUT UINTN *BufferSize,
+ IN VOID *Buffer
+@@ -444,7 +469,7 @@ StubFileWrite (
+ STUB_FILE *StubFile;
+
+ StubFile = STUB_FILE_FROM_FILE (This);
+- return (StubFile->BlobType == KernelBlobTypeMax) ?
++ return (StubFile->Blob == NULL) ?
+ EFI_UNSUPPORTED :
+ EFI_WRITE_PROTECTED;
+ }
+@@ -466,7 +491,7 @@ StubFileWrite (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileGetPosition (
++QemuKernelStubFileGetPosition (
+ IN EFI_FILE_PROTOCOL *This,
+ OUT UINT64 *Position
+ )
+@@ -474,7 +499,7 @@ StubFileGetPosition (
+ STUB_FILE *StubFile;
+
+ StubFile = STUB_FILE_FROM_FILE (This);
+- if (StubFile->BlobType == KernelBlobTypeMax) {
++ if (StubFile->Blob == NULL) {
+ return EFI_UNSUPPORTED;
+ }
+
+@@ -501,7 +526,7 @@ StubFileGetPosition (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileSetPosition (
++QemuKernelStubFileSetPosition (
+ IN EFI_FILE_PROTOCOL *This,
+ IN UINT64 Position
+ )
+@@ -511,7 +536,7 @@ StubFileSetPosition (
+
+ StubFile = STUB_FILE_FROM_FILE (This);
+
+- if (StubFile->BlobType == KernelBlobTypeMax) {
++ if (StubFile->Blob == NULL) {
+ if (Position == 0) {
+ //
+ // rewinding a directory scan is allowed
+@@ -526,7 +551,7 @@ StubFileSetPosition (
+ //
+ // regular file seek
+ //
+- Blob = &mKernelBlob[StubFile->BlobType];
++ Blob = StubFile->Blob;
+ if (Position == MAX_UINT64) {
+ //
+ // seek to end
+@@ -583,7 +608,7 @@ StubFileSetPosition (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileGetInfo (
++QemuKernelStubFileGetInfo (
+ IN EFI_FILE_PROTOCOL *This,
+ IN EFI_GUID *InformationType,
+ IN OUT UINTN *BufferSize,
+@@ -596,8 +621,8 @@ StubFileGetInfo (
+ StubFile = STUB_FILE_FROM_FILE (This);
+
+ if (CompareGuid (InformationType, &gEfiFileInfoGuid)) {
+- return ConvertKernelBlobTypeToFileInfo (
+- StubFile->BlobType,
++ return QemuKernelBlobTypeToFileInfo (
++ StubFile->Blob,
+ BufferSize,
+ Buffer
+ );
+@@ -685,7 +710,7 @@ StubFileGetInfo (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileSetInfo (
++QemuKernelStubFileSetInfo (
+ IN EFI_FILE_PROTOCOL *This,
+ IN EFI_GUID *InformationType,
+ IN UINTN BufferSize,
+@@ -712,7 +737,7 @@ StubFileSetInfo (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileFlush (
++QemuKernelStubFileFlush (
+ IN EFI_FILE_PROTOCOL *This
+ )
+ {
+@@ -724,16 +749,16 @@ StubFileFlush (
+ //
+ STATIC CONST EFI_FILE_PROTOCOL mEfiFileProtocolTemplate = {
+ EFI_FILE_PROTOCOL_REVISION, // revision 1
+- StubFileOpen,
+- StubFileClose,
+- StubFileDelete,
+- StubFileRead,
+- StubFileWrite,
+- StubFileGetPosition,
+- StubFileSetPosition,
+- StubFileGetInfo,
+- StubFileSetInfo,
+- StubFileFlush,
++ QemuKernelStubFileOpen,
++ QemuKernelStubFileClose,
++ QemuKernelStubFileDelete,
++ QemuKernelStubFileRead,
++ QemuKernelStubFileWrite,
++ QemuKernelStubFileGetPosition,
++ QemuKernelStubFileSetPosition,
++ QemuKernelStubFileGetInfo,
++ QemuKernelStubFileSetInfo,
++ QemuKernelStubFileFlush,
+ NULL, // OpenEx, revision 2
+ NULL, // ReadEx, revision 2
+ NULL, // WriteEx, revision 2
+@@ -743,7 +768,7 @@ STATIC CONST EFI_FILE_PROTOCOL mEfiFileProtocolTemplate = {
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileOpen (
++QemuKernelStubFileOpen (
+ IN EFI_FILE_PROTOCOL *This,
+ OUT EFI_FILE_PROTOCOL **NewHandle,
+ IN CHAR16 *FileName,
+@@ -752,7 +777,7 @@ StubFileOpen (
+ )
+ {
+ CONST STUB_FILE *StubFile;
+- UINTN BlobType;
++ KERNEL_BLOB *Blob;
+ STUB_FILE *NewStubFile;
+
+ //
+@@ -774,21 +799,20 @@ StubFileOpen (
+ // Only the root directory supports opening files in it.
+ //
+ StubFile = STUB_FILE_FROM_FILE (This);
+- if (StubFile->BlobType != KernelBlobTypeMax) {
++ if (StubFile->Blob != NULL) {
+ return EFI_UNSUPPORTED;
+ }
+
+ //
+ // Locate the file.
+ //
+- for (BlobType = 0; BlobType < KernelBlobTypeMax; ++BlobType) {
+- if (StrCmp (FileName, mKernelBlob[BlobType].Name) == 0) {
+- break;
+- }
+- }
++ Blob = FindKernelBlob (FileName);
+
+- if (BlobType == KernelBlobTypeMax) {
++ if (Blob == NULL) {
++ DEBUG ((DEBUG_INFO, "%a: file not found: \"%s\"\n", __func__, FileName));
+ return EFI_NOT_FOUND;
++ } else {
++ DEBUG ((DEBUG_INFO, "%a: file opened: \"%s\"\n", __func__, FileName));
+ }
+
+ //
+@@ -800,7 +824,7 @@ StubFileOpen (
+ }
+
+ NewStubFile->Signature = STUB_FILE_SIG;
+- NewStubFile->BlobType = (KERNEL_BLOB_TYPE)BlobType;
++ NewStubFile->Blob = Blob;
+ NewStubFile->Position = 0;
+ CopyMem (
+ &NewStubFile->File,
+@@ -842,7 +866,7 @@ StubFileOpen (
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-StubFileSystemOpenVolume (
++QemuKernelStubFileSystemOpenVolume (
+ IN EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *This,
+ OUT EFI_FILE_PROTOCOL **Root
+ )
+@@ -855,7 +879,7 @@ StubFileSystemOpenVolume (
+ }
+
+ StubFile->Signature = STUB_FILE_SIG;
+- StubFile->BlobType = KernelBlobTypeMax;
++ StubFile->Blob = NULL;
+ StubFile->Position = 0;
+ CopyMem (
+ &StubFile->File,
+@@ -869,13 +893,13 @@ StubFileSystemOpenVolume (
+
+ STATIC CONST EFI_SIMPLE_FILE_SYSTEM_PROTOCOL mFileSystem = {
+ EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_REVISION,
+- StubFileSystemOpenVolume
++ QemuKernelStubFileSystemOpenVolume
+ };
+
+ STATIC
+ EFI_STATUS
+ EFIAPI
+-InitrdLoadFile2 (
++QemuKernelInitrdLoadFile2 (
+ IN EFI_LOAD_FILE2_PROTOCOL *This,
+ IN EFI_DEVICE_PATH_PROTOCOL *FilePath,
+ IN BOOLEAN BootPolicy,
+@@ -883,8 +907,11 @@ InitrdLoadFile2 (
+ OUT VOID *Buffer OPTIONAL
+ )
+ {
+- CONST KERNEL_BLOB *InitrdBlob = &mKernelBlob[KernelBlobTypeInitrd];
++ KERNEL_BLOB *InitrdBlob;
+
++ DEBUG ((DEBUG_INFO, "%a: initrd read\n", __func__));
++ InitrdBlob = FindKernelBlob (L"initrd");
++ ASSERT (InitrdBlob != NULL);
+ ASSERT (InitrdBlob->Size > 0);
+
+ if (BootPolicy) {
+@@ -913,17 +940,33 @@ InitrdLoadFile2 (
+ }
+
+ STATIC CONST EFI_LOAD_FILE2_PROTOCOL mInitrdLoadFile2 = {
+- InitrdLoadFile2,
++ QemuKernelInitrdLoadFile2,
+ };
+
+ //
+ // Utility functions.
+ //
+
++STATIC VOID
++QemuKernelChunkedRead (
++ UINT8 *Dest,
++ UINT32 Bytes
++ )
++{
++ UINT32 Chunk;
++
++ while (Bytes > 0) {
++ Chunk = (Bytes < SIZE_1MB) ? Bytes : SIZE_1MB;
++ QemuFwCfgReadBytes (Chunk, Dest);
++ Bytes -= Chunk;
++ Dest += Chunk;
++ }
++}
++
+ /**
+ Populate a blob in mKernelBlob.
+
+- param[in,out] Blob Pointer to the KERNEL_BLOB element in mKernelBlob that is
++ param[in,out] Blob Pointer to the KERNEL_BLOB_ITEMS that is
+ to be filled from fw_cfg.
+
+ @retval EFI_SUCCESS Blob has been populated. If fw_cfg reported a
+@@ -934,35 +977,46 @@ STATIC CONST EFI_LOAD_FILE2_PROTOCOL mInitrdLoadFile2 = {
+ **/
+ STATIC
+ EFI_STATUS
+-FetchBlob (
+- IN OUT KERNEL_BLOB *Blob
++QemuKernelFetchBlob (
++ IN KERNEL_BLOB_ITEMS *BlobItems
+ )
+ {
+- UINT32 Left;
+- UINTN Idx;
+- UINT8 *ChunkData;
++ UINT32 Size;
++ UINTN Idx;
++ UINT8 *ChunkData;
++ KERNEL_BLOB *Blob;
++ EFI_STATUS Status;
+
+ //
+ // Read blob size.
+ //
+- Blob->Size = 0;
+- for (Idx = 0; Idx < ARRAY_SIZE (Blob->FwCfgItem); Idx++) {
+- if (Blob->FwCfgItem[Idx].SizeKey == 0) {
++ for (Size = 0, Idx = 0; Idx < ARRAY_SIZE (BlobItems->FwCfgItem); Idx++) {
++ if (BlobItems->FwCfgItem[Idx].SizeKey == 0) {
+ break;
+ }
+
+- QemuFwCfgSelectItem (Blob->FwCfgItem[Idx].SizeKey);
+- Blob->FwCfgItem[Idx].Size = QemuFwCfgRead32 ();
+- Blob->Size += Blob->FwCfgItem[Idx].Size;
++ QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].SizeKey);
++ BlobItems->FwCfgItem[Idx].Size = QemuFwCfgRead32 ();
++ Size += BlobItems->FwCfgItem[Idx].Size;
+ }
+
+- if (Blob->Size == 0) {
++ if (Size == 0) {
+ return EFI_SUCCESS;
+ }
+
++ Blob = AllocatePool (sizeof (*Blob));
++ if (Blob->Data == NULL) {
++ return EFI_OUT_OF_RESOURCES;
++ }
++
++ ZeroMem (Blob, sizeof (*Blob));
++
+ //
+ // Read blob.
+ //
++ Status = StrCpyS (Blob->Name, sizeof (Blob->Name), BlobItems->Name);
++ ASSERT (!EFI_ERROR (Status));
++ Blob->Size = Size;
+ Blob->Data = AllocatePool (Blob->Size);
+ if (Blob->Data == NULL) {
+ DEBUG ((
+@@ -972,6 +1026,7 @@ FetchBlob (
+ (INT64)Blob->Size,
+ Blob->Name
+ ));
++ FreePool (Blob);
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+@@ -984,34 +1039,48 @@ FetchBlob (
+ ));
+
+ ChunkData = Blob->Data;
+- for (Idx = 0; Idx < ARRAY_SIZE (Blob->FwCfgItem); Idx++) {
+- if (Blob->FwCfgItem[Idx].DataKey == 0) {
++ for (Idx = 0; Idx < ARRAY_SIZE (BlobItems->FwCfgItem); Idx++) {
++ if (BlobItems->FwCfgItem[Idx].DataKey == 0) {
+ break;
+ }
+
+- QemuFwCfgSelectItem (Blob->FwCfgItem[Idx].DataKey);
++ QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].DataKey);
++ QemuKernelChunkedRead (ChunkData, BlobItems->FwCfgItem[Idx].Size);
++ ChunkData += BlobItems->FwCfgItem[Idx].Size;
++ }
+
+- Left = Blob->FwCfgItem[Idx].Size;
+- while (Left > 0) {
+- UINT32 Chunk;
++ Blob->Next = mKernelBlobs;
++ mKernelBlobs = Blob;
++ mKernelBlobCount++;
++ mTotalBlobBytes += Blob->Size;
++ return EFI_SUCCESS;
++}
+
+- Chunk = (Left < SIZE_1MB) ? Left : SIZE_1MB;
+- QemuFwCfgReadBytes (Chunk, ChunkData + Blob->FwCfgItem[Idx].Size - Left);
+- Left -= Chunk;
+- DEBUG ((
+- DEBUG_VERBOSE,
+- "%a: %Ld bytes remaining for \"%s\" (%d)\n",
+- __func__,
+- (INT64)Left,
+- Blob->Name,
+- (INT32)Idx
+- ));
+- }
++STATIC
++EFI_STATUS
++QemuKernelVerifyBlob (
++ CHAR16 *FileName,
++ EFI_STATUS FetchStatus
++ )
++{
++ KERNEL_BLOB *Blob;
++ EFI_STATUS Status;
+
+- ChunkData += Blob->FwCfgItem[Idx].Size;
++ if ((StrCmp (FileName, L"kernel") != 0) &&
++ (StrCmp (FileName, L"initrd") != 0) &&
++ (StrCmp (FileName, L"cmdline") != 0))
++ {
++ return EFI_SUCCESS;
+ }
+
+- return EFI_SUCCESS;
++ Blob = FindKernelBlob (FileName);
++ Status = VerifyBlob (
++ FileName,
++ Blob ? Blob->Data : NULL,
++ Blob ? Blob->Size : 0,
++ FetchStatus
++ );
++ return Status;
+ }
+
+ //
+@@ -1038,13 +1107,13 @@ QemuKernelLoaderFsDxeEntrypoint (
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+ {
+- UINTN BlobType;
+- KERNEL_BLOB *CurrentBlob;
+- KERNEL_BLOB *KernelBlob;
+- EFI_STATUS Status;
+- EFI_STATUS FetchStatus;
+- EFI_HANDLE FileSystemHandle;
+- EFI_HANDLE InitrdLoadFile2Handle;
++ UINTN BlobIdx;
++ KERNEL_BLOB_ITEMS *BlobItems;
++ KERNEL_BLOB *Blob;
++ EFI_STATUS Status;
++ EFI_STATUS FetchStatus;
++ EFI_HANDLE FileSystemHandle;
++ EFI_HANDLE InitrdLoadFile2Handle;
+
+ if (!QemuFwCfgIsAvailable ()) {
+ return EFI_NOT_FOUND;
+@@ -1059,26 +1128,22 @@ QemuKernelLoaderFsDxeEntrypoint (
+ //
+ // Fetch all blobs.
+ //
+- for (BlobType = 0; BlobType < KernelBlobTypeMax; ++BlobType) {
+- CurrentBlob = &mKernelBlob[BlobType];
+- FetchStatus = FetchBlob (CurrentBlob);
+-
+- Status = VerifyBlob (
+- CurrentBlob->Name,
+- CurrentBlob->Data,
+- CurrentBlob->Size,
++ for (BlobIdx = 0; BlobIdx < ARRAY_SIZE (mKernelBlobItems); ++BlobIdx) {
++ BlobItems = &mKernelBlobItems[BlobIdx];
++ FetchStatus = QemuKernelFetchBlob (BlobItems);
++
++ Status = QemuKernelVerifyBlob (
++ (CHAR16 *)BlobItems->Name,
+ FetchStatus
+ );
+ if (EFI_ERROR (Status)) {
+ goto FreeBlobs;
+ }
+-
+- mTotalBlobBytes += CurrentBlob->Size;
+ }
+
+- KernelBlob = &mKernelBlob[KernelBlobTypeKernel];
+-
+- if (KernelBlob->Data == NULL) {
++ Blob = FindKernelBlob (L"kernel");
++ if (Blob == NULL) {
++ DEBUG ((DEBUG_INFO, "%a: no kernel present -> quit\n", __func__));
+ Status = EFI_NOT_FOUND;
+ goto FreeBlobs;
+ }
+@@ -1106,7 +1171,9 @@ QemuKernelLoaderFsDxeEntrypoint (
+ goto FreeBlobs;
+ }
+
+- if (KernelBlob[KernelBlobTypeInitrd].Size > 0) {
++ Blob = FindKernelBlob (L"initrd");
++ if (Blob != NULL) {
++ DEBUG ((DEBUG_INFO, "%a: initrd setup\n", __func__));
+ InitrdLoadFile2Handle = NULL;
+ Status = gBS->InstallMultipleProtocolInterfaces (
+ &InitrdLoadFile2Handle,
+@@ -1141,13 +1208,11 @@ UninstallFileSystemHandle:
+ ASSERT_EFI_ERROR (Status);
+
+ FreeBlobs:
+- while (BlobType > 0) {
+- CurrentBlob = &mKernelBlob[--BlobType];
+- if (CurrentBlob->Data != NULL) {
+- FreePool (CurrentBlob->Data);
+- CurrentBlob->Size = 0;
+- CurrentBlob->Data = NULL;
+- }
++ while (mKernelBlobs != NULL) {
++ Blob = mKernelBlobs;
++ mKernelBlobs = Blob->Next;
++ FreePool (Blob->Data);
++ FreePool (Blob);
+ }
+
+ return Status;
+--
+2.49.0
+
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-2.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-2.patch
new file mode 100644
index 0000000000..964ee306bf
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-2.patch
@@ -0,0 +1,175 @@
+From 20df7c42bd446fe725bfc78cdb40577456c421d8 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 15 Jan 2025 00:29:52 +0100
+Subject: [PATCH 02/10] OvmfPkg/QemuKernelLoaderFsDxe: add support for named
+ blobs
+
+Load all named fw_cfg blobs with "etc/boot/" prefix into the pseudo
+filesystem.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/20df7c42bd446fe725bfc78cdb40577456c421d8]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../QemuKernelLoaderFsDxe.c | 94 ++++++++++++++++---
+ .../QemuKernelLoaderFsDxe.inf | 1 +
+ 2 files changed, 84 insertions(+), 11 deletions(-)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 7ad1b3828f..1f63adda0b 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -21,6 +21,7 @@
+ #include <Library/DebugLib.h>
+ #include <Library/DevicePathLib.h>
+ #include <Library/MemoryAllocationLib.h>
++#include <Library/PrintLib.h>
+ #include <Library/QemuFwCfgLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
+ #include <Library/UefiRuntimeServicesTableLib.h>
+@@ -32,12 +33,12 @@
+ // Static data that hosts the fw_cfg blobs and serves file requests.
+ //
+ typedef struct {
+- CONST CHAR16 Name[8];
++ CHAR16 Name[8];
+ struct {
+- FIRMWARE_CONFIG_ITEM CONST SizeKey;
+- FIRMWARE_CONFIG_ITEM CONST DataKey;
+- UINT32 Size;
+- } FwCfgItem[2];
++ FIRMWARE_CONFIG_ITEM SizeKey;
++ FIRMWARE_CONFIG_ITEM DataKey;
++ UINT32 Size;
++ } FwCfgItem[2];
+ } KERNEL_BLOB_ITEMS;
+
+ typedef struct KERNEL_BLOB KERNEL_BLOB;
+@@ -989,15 +990,23 @@ QemuKernelFetchBlob (
+
+ //
+ // Read blob size.
++ // Size != 0 -> use size as-is
++ // SizeKey != 0 -> read size from fw_cfg
++ // both are 0 -> unused entry
+ //
+ for (Size = 0, Idx = 0; Idx < ARRAY_SIZE (BlobItems->FwCfgItem); Idx++) {
+- if (BlobItems->FwCfgItem[Idx].SizeKey == 0) {
++ if ((BlobItems->FwCfgItem[Idx].SizeKey == 0) &&
++ (BlobItems->FwCfgItem[Idx].Size == 0))
++ {
+ break;
+ }
+
+- QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].SizeKey);
+- BlobItems->FwCfgItem[Idx].Size = QemuFwCfgRead32 ();
+- Size += BlobItems->FwCfgItem[Idx].Size;
++ if (BlobItems->FwCfgItem[Idx].SizeKey) {
++ QemuFwCfgSelectItem (BlobItems->FwCfgItem[Idx].SizeKey);
++ BlobItems->FwCfgItem[Idx].Size = QemuFwCfgRead32 ();
++ }
++
++ Size += BlobItems->FwCfgItem[Idx].Size;
+ }
+
+ if (Size == 0) {
+@@ -1083,6 +1092,55 @@ QemuKernelVerifyBlob (
+ return Status;
+ }
+
++STATIC
++EFI_STATUS
++QemuKernelFetchNamedBlobs (
++ VOID
++ )
++{
++ struct {
++ UINT32 FileSize;
++ UINT16 FileSelect;
++ UINT16 Reserved;
++ CHAR8 FileName[QEMU_FW_CFG_FNAME_SIZE];
++ } *DirEntry;
++ KERNEL_BLOB_ITEMS Items;
++ EFI_STATUS Status;
++ EFI_STATUS FetchStatus;
++ UINT32 Count;
++ UINT32 Idx;
++
++ QemuFwCfgSelectItem (QemuFwCfgItemFileDir);
++ Count = SwapBytes32 (QemuFwCfgRead32 ());
++
++ DirEntry = AllocatePool (sizeof (*DirEntry) * Count);
++ QemuFwCfgReadBytes (sizeof (*DirEntry) * Count, DirEntry);
++
++ for (Idx = 0; Idx < Count; ++Idx) {
++ if (AsciiStrnCmp (DirEntry[Idx].FileName, "etc/boot/", 9) != 0) {
++ continue;
++ }
++
++ ZeroMem (&Items, sizeof (Items));
++ UnicodeSPrint (Items.Name, sizeof (Items.Name), L"%a", DirEntry[Idx].FileName + 9);
++ Items.FwCfgItem[0].DataKey = SwapBytes16 (DirEntry[Idx].FileSelect);
++ Items.FwCfgItem[0].Size = SwapBytes32 (DirEntry[Idx].FileSize);
++
++ FetchStatus = QemuKernelFetchBlob (&Items);
++ Status = QemuKernelVerifyBlob (
++ (CHAR16 *)Items.Name,
++ FetchStatus
++ );
++ if (EFI_ERROR (Status)) {
++ FreePool (DirEntry);
++ return Status;
++ }
++ }
++
++ FreePool (DirEntry);
++ return EFI_SUCCESS;
++}
++
+ //
+ // The entry point of the feature.
+ //
+@@ -1126,10 +1184,24 @@ QemuKernelLoaderFsDxeEntrypoint (
+ }
+
+ //
+- // Fetch all blobs.
++ // Fetch named blobs.
+ //
++ DEBUG ((DEBUG_INFO, "%a: named blobs (etc/boot/*)\n", __func__));
++ Status = QemuKernelFetchNamedBlobs ();
++ if (EFI_ERROR (Status)) {
++ goto FreeBlobs;
++ }
++
++ //
++ // Fetch traditional blobs.
++ //
++ DEBUG ((DEBUG_INFO, "%a: traditional blobs\n", __func__));
+ for (BlobIdx = 0; BlobIdx < ARRAY_SIZE (mKernelBlobItems); ++BlobIdx) {
+- BlobItems = &mKernelBlobItems[BlobIdx];
++ BlobItems = &mKernelBlobItems[BlobIdx];
++ if (FindKernelBlob (BlobItems->Name)) {
++ continue;
++ }
++
+ FetchStatus = QemuKernelFetchBlob (BlobItems);
+
+ Status = QemuKernelVerifyBlob (
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+index 7b35adb8e0..a2f44bbca1 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.inf
+@@ -30,6 +30,7 @@
+ DebugLib
+ DevicePathLib
+ MemoryAllocationLib
++ PrintLib
+ QemuFwCfgLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
+--
+2.49.0
+
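Review bot: `DirEntry = AllocatePool (sizeof (*DirEntry) * Count);` in QemuKernelFetchNamedBlobs is handed to `QemuFwCfgReadBytes` without a NULL check, and `Count` is read straight from the fw_cfg directory, so an allocation failure becomes a write through a NULL pointer (and on 32-bit builds the `sizeof (*DirEntry) * Count` product can wrap); add `if (DirEntry == NULL) { return EFI_OUT_OF_RESOURCES; }` right after the allocation. The callee it relies on, `QemuKernelFetchBlob`, tests `Blob->Data` instead of `Blob` after `AllocatePool (sizeof (*Blob))` in the preceding patch of this series, so the new path inherits the same failure mode there. `AsciiStrnCmp` and the `%a` in `UnicodeSPrint` also assume `DirEntry[Idx].FileName` is NUL-terminated within its 56 bytes; that matches QEMU's fw_cfg file layout as far as I know, but a one-line comment stating the assumption would help. `Items.Name` is still only 8 CHAR16 at this point in the series, so `UnicodeSPrint` silently truncates longer names until the next patch widens it; fine in sequence, but worth knowing for anyone cherry-picking this patch alone.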
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-3.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-3.patch
new file mode 100644
index 0000000000..0ea2a70bf5
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-3.patch
@@ -0,0 +1,42 @@
+From adf385ecab69631952bdc8b774ebd77e82b94a00 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 16 Jan 2025 15:42:13 +0100
+Subject: [PATCH 03/10] OvmfPkg/QemuKernelLoaderFsDxe: allow longer file names
+
+QEMU_FW_CFG_FNAME_SIZE is 56. 'etc/boot/' prefix is minus 9. Add one
+for the terminating '\0'. Effective max size is 48.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/adf385ecab69631952bdc8b774ebd77e82b94a00]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 1f63adda0b..0947b6bf2d 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -33,7 +33,7 @@
+ // Static data that hosts the fw_cfg blobs and serves file requests.
+ //
+ typedef struct {
+- CHAR16 Name[8];
++ CHAR16 Name[48];
+ struct {
+ FIRMWARE_CONFIG_ITEM SizeKey;
+ FIRMWARE_CONFIG_ITEM DataKey;
+@@ -43,7 +43,7 @@ typedef struct {
+
+ typedef struct KERNEL_BLOB KERNEL_BLOB;
+ struct KERNEL_BLOB {
+- CHAR16 Name[8];
++ CHAR16 Name[48];
+ UINT32 Size;
+ UINT8 *Data;
+ KERNEL_BLOB *Next;
+--
+2.49.0
+
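Review bot: The enlarged `Name[48]` arrays are filled by `StrCpyS (Blob->Name, sizeof (Blob->Name), BlobItems->Name)` in QemuKernelFetchBlob (earlier patch in this series), and StrCpyS's DestMax is a count of CHAR16 elements rather than bytes, so that call now declares a 96-element destination for a 48-element buffer. It is harmless only because the source array is the same size; `StrCpyS (Blob->Name, ARRAY_SIZE (Blob->Name), BlobItems->Name)` keeps the bound honest if either array changes again. A comment at the array, `// QEMU_FW_CFG_FNAME_SIZE (56) minus the "etc/boot/" prefix (9), plus the terminating NUL`, would tie the constant to the derivation given in the commit message.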
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-4.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-4.patch
new file mode 100644
index 0000000000..bba3b51c78
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-4.patch
@@ -0,0 +1,34 @@
+From 1111e9fe7078eed9e5c50e1808776ee40a629e16 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 16 Jan 2025 15:52:54 +0100
+Subject: [PATCH 04/10] OvmfPkg/QemuKernelLoaderFsDxe: drop bogus assert
+
+Triggers when trying to get root directory info.
+Reproducer:
+ * Use qemu -kernel with something edk2 can not load.
+ * When dropped into the efi shell try inspect the file system.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1111e9fe7078eed9e5c50e1808776ee40a629e16]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 0947b6bf2d..3e1a876bf0 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -290,7 +290,6 @@ QemuKernelBlobTypeToFileInfo (
+
+ NameSize = (StrLen (Name) + 1) * 2;
+ FileInfoSize = OFFSET_OF (EFI_FILE_INFO, FileName) + NameSize;
+- ASSERT (FileInfoSize >= sizeof *FileInfo);
+
+ OriginalBufferSize = *BufferSize;
+ *BufferSize = FileInfoSize;
+--
+2.49.0
+
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-5.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-5.patch
new file mode 100644
index 0000000000..e3a8292356
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-5.patch
@@ -0,0 +1,36 @@
+From 46ae4e4b9574530e5081e98af0495d6f6d28379f Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 16 Jan 2025 16:03:01 +0100
+Subject: [PATCH 05/10] OvmfPkg/QemuKernelLoaderFsDxe: accept absolute paths
+
+EFI shell looks for "\startup.nsh".
+Try "-fw_cfg name=etc/boot/startup.nsh,string='echo hello'" ;)
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/46ae4e4b9574530e5081e98af0495d6f6d28379f]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 3e1a876bf0..5b90420dad 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -806,6 +806,11 @@ QemuKernelStubFileOpen (
+ //
+ // Locate the file.
+ //
++ if (FileName[0] == '\\') {
++ // also accept absolute paths, i.e. '\kernel' for 'kernel'
++ FileName++;
++ }
++
+ Blob = FindKernelBlob (FileName);
+
+ if (Blob == NULL) {
+--
+2.49.0
+
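Review bot: The new check strips exactly one leading backslash, so a bare `\` or a doubled `\\kernel` reaches FindKernelBlob unchanged, and the `// also accept ...` comment sits inside the `if` body where the rest of the file uses `//`-bracketed comment blocks above the statement. If only the EFI-shell form `\name` is meant, say so in the file's style: `//` / `// Accept the absolute form "\name" that the EFI shell uses (e.g. "\startup.nsh").` / `//` placed above the `if`.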
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-6.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-6.patch
new file mode 100644
index 0000000000..3515efe008
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-6.patch
@@ -0,0 +1,54 @@
+From c45051450efbdae4a38f07998b3e7b77abe7173a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 20 Jan 2025 11:28:37 +0100
+Subject: [PATCH 06/10] OvmfPkg/QemuKernelLoaderFsDxe: don't quit when named
+ blobs are present
+
+Allows to use the qemu kernel loader pseudo file system for other
+purposes than loading a linux kernel (or efi binary). Passing
+startup.nsh for EFI shell is one example.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/c45051450efbdae4a38f07998b3e7b77abe7173a]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+index 5b90420dad..add914daa8 100644
+--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
++++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+@@ -71,6 +71,7 @@ STATIC KERNEL_BLOB_ITEMS mKernelBlobItems[] = {
+
+ STATIC KERNEL_BLOB *mKernelBlobs;
+ STATIC UINT64 mKernelBlobCount;
++STATIC UINT64 mKernelNamedBlobCount;
+ STATIC UINT64 mTotalBlobBytes;
+
+ //
+@@ -1139,6 +1140,8 @@ QemuKernelFetchNamedBlobs (
+ FreePool (DirEntry);
+ return Status;
+ }
++
++ mKernelNamedBlobCount++;
+ }
+
+ FreePool (DirEntry);
+@@ -1218,8 +1221,8 @@ QemuKernelLoaderFsDxeEntrypoint (
+ }
+
+ Blob = FindKernelBlob (L"kernel");
+- if (Blob == NULL) {
+- DEBUG ((DEBUG_INFO, "%a: no kernel present -> quit\n", __func__));
++ if ((Blob == NULL) && (mKernelNamedBlobCount == 0)) {
++ DEBUG ((DEBUG_INFO, "%a: no kernel and no named blobs present -> quit\n", __func__));
+ Status = EFI_NOT_FOUND;
+ goto FreeBlobs;
+ }
+--
+2.49.0
+
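Review bot: `mKernelNamedBlobCount++` is reached for every `etc/boot/` directory entry whose fetch passed verification, including one with `FileSize == 0`, for which QemuKernelFetchBlob returns EFI_SUCCESS without registering a blob (the `if (Size == 0) { return EFI_SUCCESS; }` path in the earlier patches). The entrypoint's new `(Blob == NULL) && (mKernelNamedBlobCount == 0)` test can therefore keep the driver running with no blobs registered at all. Counting only when a blob was actually added — comparing `mKernelBlobCount` before and after the fetch, or incrementing inside QemuKernelFetchBlob's success path — keeps the counter meaningful. The code after the changed check is outside this hunk, so whether a NULL `Blob` is dereferenced later cannot be confirmed here.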
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-7.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-7.patch
new file mode 100644
index 0000000000..a9d9922695
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-7.patch
@@ -0,0 +1,124 @@
+From 3da39f2cb681eb69f4eef54acd4b25d25cd7103d Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 10 Apr 2024 17:25:03 +0200
+Subject: [PATCH 07/10] OvmfPkg/X86QemuLoadImageLib: support booting via shim
+
+Try load shim first. In case that succeeded update the command line to
+list 'kernel' first so shim will fetch the kernel from the kernel loader
+file system.
+
+This allows to use direct kernel boot with distro kernels and secure
+boot enabled. Usually distro kernels can only be verified by distro
+shim using the distro keys compiled into the shim binary.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/3da39f2cb681eb69f4eef54acd4b25d25cd7103d]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 56 ++++++++++++++++++-
+ 1 file changed, 54 insertions(+), 2 deletions(-)
+
+diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+index a7ab43ca74..e4dbc2dc7e 100644
+--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
++++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+@@ -57,6 +57,25 @@ STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH mKernelDevicePath = {
+ }
+ };
+
++STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH mShimDevicePath = {
++ {
++ {
++ MEDIA_DEVICE_PATH, MEDIA_VENDOR_DP,
++ { sizeof (VENDOR_DEVICE_PATH) }
++ },
++ QEMU_KERNEL_LOADER_FS_MEDIA_GUID
++ }, {
++ {
++ MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP,
++ { sizeof (KERNEL_FILE_DEVPATH) }
++ },
++ L"shim",
++ }, {
++ END_DEVICE_PATH_TYPE, END_ENTIRE_DEVICE_PATH_SUBTYPE,
++ { sizeof (EFI_DEVICE_PATH_PROTOCOL) }
++ }
++};
++
+ STATIC
+ VOID
+ FreeLegacyImage (
+@@ -339,6 +358,7 @@ QemuLoadKernelImage (
+ UINTN CommandLineSize;
+ CHAR8 *CommandLine;
+ UINTN InitrdSize;
++ BOOLEAN Shim;
+
+ //
+ // Redundant assignment to work around GCC48/GCC49 limitations.
+@@ -351,11 +371,35 @@ QemuLoadKernelImage (
+ Status = gBS->LoadImage (
+ FALSE, // BootPolicy: exact match required
+ gImageHandle, // ParentImageHandle
+- (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath,
++ (EFI_DEVICE_PATH_PROTOCOL *)&mShimDevicePath,
+ NULL, // SourceBuffer
+ 0, // SourceSize
+ &KernelImageHandle
+ );
++ if (Status == EFI_SUCCESS) {
++ Shim = TRUE;
++ DEBUG ((DEBUG_INFO, "%a: booting via shim\n", __func__));
++ } else {
++ Shim = FALSE;
++ if (Status == EFI_SECURITY_VIOLATION) {
++ gBS->UnloadImage (KernelImageHandle);
++ }
++
++ if (Status != EFI_NOT_FOUND) {
++ DEBUG ((DEBUG_INFO, "%a: LoadImage(shim): %r\n", __func__, Status));
++ return Status;
++ }
++
++ Status = gBS->LoadImage (
++ FALSE, // BootPolicy: exact match required
++ gImageHandle, // ParentImageHandle
++ (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath,
++ NULL, // SourceBuffer
++ 0, // SourceSize
++ &KernelImageHandle
++ );
++ }
++
+ switch (Status) {
+ case EFI_SUCCESS:
+ break;
+@@ -465,6 +509,13 @@ QemuLoadKernelImage (
+ KernelLoadedImage->LoadOptionsSize += sizeof (L" initrd=initrd") - 2;
+ }
+
++ if (Shim) {
++ //
++ // Prefix 'kernel ' in UTF-16.
++ //
++ KernelLoadedImage->LoadOptionsSize += sizeof (L"kernel ") - 2;
++ }
++
+ if (KernelLoadedImage->LoadOptionsSize == 0) {
+ KernelLoadedImage->LoadOptions = NULL;
+ } else {
+@@ -485,7 +536,8 @@ QemuLoadKernelImage (
+ UnicodeSPrintAsciiFormat (
+ KernelLoadedImage->LoadOptions,
+ KernelLoadedImage->LoadOptionsSize,
+- "%a%a",
++ "%a%a%a",
++ (Shim == FALSE) ? "" : "kernel ",
+ (CommandLineSize == 0) ? "" : CommandLine,
+ (InitrdSize == 0) ? "" : " initrd=initrd"
+ );
+--
+2.49.0
+
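Review bot: The shim branch returns any status other than EFI_NOT_FOUND straight to the caller, so a `shim` blob that is present but fails verification aborts the boot instead of retrying the bare kernel path; that is the right choice, but nothing in the code says it is deliberate, and the identical block appears in CVE-2025-2296-8.patch for GenericQemuLoadImageLib. A comment above the `if (Status != EFI_NOT_FOUND)` check such as `// A present but unloadable shim is a hard failure; do not retry the kernel path, which would paper over the verification result.` would record the intent in both files. `(Shim == FALSE) ? "" : "kernel "` reads inverted next to the two neighbouring conditionals in the same call; `Shim ? "kernel " : ""` is the usual form. QemuLoadKernelImage begins and ends outside the hunk.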
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-8.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-8.patch
new file mode 100644
index 0000000000..97d77883fd
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-8.patch
@@ -0,0 +1,125 @@
+From 4b507b49664514d7f09e6b7a9ca2da25a5e440fd Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 11 Apr 2024 08:15:22 +0200
+Subject: [PATCH 08/10] OvmfPkg/GenericQemuLoadImageLib: support booting via
+ shim
+
+Try load shim first. In case that succeeded update the command line to
+list 'kernel' first so shim will fetch the kernel from the kernel loader
+file system.
+
+This allows to use direct kernel boot with distro kernels and secure
+boot enabled. Usually distro kernels can only be verified by distro
+shim using the distro keys compiled into the shim binary.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/4b507b49664514d7f09e6b7a9ca2da25a5e440fd]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../GenericQemuLoadImageLib.c | 56 ++++++++++++++++++-
+ 1 file changed, 54 insertions(+), 2 deletions(-)
+
+diff --git a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
+index b99fb350aa..9d0ba77755 100644
+--- a/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
++++ b/OvmfPkg/Library/GenericQemuLoadImageLib/GenericQemuLoadImageLib.c
+@@ -57,6 +57,25 @@ STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH mKernelDevicePath = {
+ }
+ };
+
++STATIC CONST KERNEL_VENMEDIA_FILE_DEVPATH mShimDevicePath = {
++ {
++ {
++ MEDIA_DEVICE_PATH, MEDIA_VENDOR_DP,
++ { sizeof (VENDOR_DEVICE_PATH) }
++ },
++ QEMU_KERNEL_LOADER_FS_MEDIA_GUID
++ }, {
++ {
++ MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP,
++ { sizeof (KERNEL_FILE_DEVPATH) }
++ },
++ L"shim",
++ }, {
++ END_DEVICE_PATH_TYPE, END_ENTIRE_DEVICE_PATH_SUBTYPE,
++ { sizeof (EFI_DEVICE_PATH_PROTOCOL) }
++ }
++};
++
+ STATIC CONST SINGLE_VENMEDIA_NODE_DEVPATH mQemuKernelLoaderFsDevicePath = {
+ {
+ {
+@@ -174,6 +193,7 @@ QemuLoadKernelImage (
+ UINTN CommandLineSize;
+ CHAR8 *CommandLine;
+ UINTN InitrdSize;
++ BOOLEAN Shim;
+
+ //
+ // Load the image. This should call back into the QEMU EFI loader file system.
+@@ -181,11 +201,35 @@ QemuLoadKernelImage (
+ Status = gBS->LoadImage (
+ FALSE, // BootPolicy: exact match required
+ gImageHandle, // ParentImageHandle
+- (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath,
++ (EFI_DEVICE_PATH_PROTOCOL *)&mShimDevicePath,
+ NULL, // SourceBuffer
+ 0, // SourceSize
+ &KernelImageHandle
+ );
++ if (Status == EFI_SUCCESS) {
++ Shim = TRUE;
++ DEBUG ((DEBUG_INFO, "%a: booting via shim\n", __func__));
++ } else {
++ Shim = FALSE;
++ if (Status == EFI_SECURITY_VIOLATION) {
++ gBS->UnloadImage (KernelImageHandle);
++ }
++
++ if (Status != EFI_NOT_FOUND) {
++ DEBUG ((DEBUG_INFO, "%a: LoadImage(shim): %r\n", __func__, Status));
++ return Status;
++ }
++
++ Status = gBS->LoadImage (
++ FALSE, // BootPolicy: exact match required
++ gImageHandle, // ParentImageHandle
++ (EFI_DEVICE_PATH_PROTOCOL *)&mKernelDevicePath,
++ NULL, // SourceBuffer
++ 0, // SourceSize
++ &KernelImageHandle
++ );
++ }
++
+ switch (Status) {
+ case EFI_SUCCESS:
+ break;
+@@ -303,6 +347,13 @@ QemuLoadKernelImage (
+ KernelLoadedImage->LoadOptionsSize += sizeof (L" initrd=initrd") - 2;
+ }
+
++ if (Shim) {
++ //
++ // Prefix 'kernel ' in UTF-16.
++ //
++ KernelLoadedImage->LoadOptionsSize += sizeof (L"kernel ") - 2;
++ }
++
+ if (KernelLoadedImage->LoadOptionsSize == 0) {
+ KernelLoadedImage->LoadOptions = NULL;
+ } else {
+@@ -323,7 +374,8 @@ QemuLoadKernelImage (
+ UnicodeSPrintAsciiFormat (
+ KernelLoadedImage->LoadOptions,
+ KernelLoadedImage->LoadOptionsSize,
+- "%a%a",
++ "%a%a%a",
++ (Shim == FALSE) ? "" : "kernel ",
+ (CommandLineSize == 0) ? "" : CommandLine,
+ (InitrdSize == 0) ? "" : " initrd=initrd"
+ );
+--
+2.49.0
+
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-9.patch b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-9.patch
new file mode 100644
index 0000000000..8f0535cc4b
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2025-2296-9.patch
@@ -0,0 +1,108 @@
+From 1549bf11cc94b135b6ad8fa5ebc34bdf7c18ba9c Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 17 Dec 2024 09:59:21 +0100
+Subject: [PATCH 09/10] OvmfPkg/X86QemuLoadImageLib: make legacy loader
+ configurable.
+
+Add the 'opt/org.tianocore/EnableLegacyLoader' FwCfg option to
+enable/disable the insecure legacy linux kernel loader.
+
+For now this is enabled by default. Probably the default will be
+flipped to disabled at some point in the future.
+
+Also print a warning to the screen in case the linux kernel secure
+boot verification has failed.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+CVE: CVE-2025-2296
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/1549bf11cc94b135b6ad8fa5ebc34bdf7c18ba9c]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ .../X86QemuLoadImageLib/X86QemuLoadImageLib.c | 48 ++++++++++++++++---
+ .../X86QemuLoadImageLib.inf | 1 +
+ 2 files changed, 42 insertions(+), 7 deletions(-)
+
+diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+index e4dbc2dc7e..2d610f6bd3 100644
+--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
++++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.c
+@@ -19,8 +19,10 @@
+ #include <Library/MemoryAllocationLib.h>
+ #include <Library/PrintLib.h>
+ #include <Library/QemuFwCfgLib.h>
++#include <Library/QemuFwCfgSimpleParserLib.h>
+ #include <Library/QemuLoadImageLib.h>
+ #include <Library/UefiBootServicesTableLib.h>
++#include <Library/UefiLib.h>
+ #include <Protocol/DevicePath.h>
+ #include <Protocol/LoadedImage.h>
+ #include <Protocol/OvmfLoadedX86LinuxKernel.h>
+@@ -421,13 +423,45 @@ QemuLoadKernelImage (
+ // Fall through
+ //
+ case EFI_ACCESS_DENIED:
+- //
+- // We are running with UEFI secure boot enabled, and the image failed to
+- // authenticate. For compatibility reasons, we fall back to the legacy
+- // loader in this case.
+- //
+- // Fall through
+- //
++ //
++ // We are running with UEFI secure boot enabled, and the image failed to
++ // authenticate. For compatibility reasons, we fall back to the legacy
++ // loader in this case (unless disabled via fw_cfg).
++ //
++ {
++ EFI_STATUS RetStatus;
++ BOOLEAN Enabled = TRUE;
++
++ AsciiPrint (
++ "OVMF: Secure boot image verification failed. Consider using the '-shim'\n"
++ "OVMF: command line switch for qemu (available in version 10.0 + newer).\n"
++ "\n"
++ );
++
++ RetStatus = QemuFwCfgParseBool (
++ "opt/org.tianocore/EnableLegacyLoader",
++ &Enabled
++ );
++ if (EFI_ERROR (RetStatus)) {
++ Enabled = TRUE;
++ }
++
++ if (!Enabled) {
++ AsciiPrint (
++ "OVMF: Fallback to insecure legacy linux kernel loader is disabled.\n"
++ "\n"
++ );
++ return EFI_ACCESS_DENIED;
++ } else {
++ AsciiPrint (
++ "OVMF: Using legacy linux kernel loader (insecure and deprecated).\n"
++ "\n"
++ );
++ //
++ // Fall through
++ //
++ }
++ }
+ case EFI_UNSUPPORTED:
+ //
+ // The image is not natively supported or cross-type supported. Let's try
+diff --git a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+index c7ec041cb7..09babd3be8 100644
+--- a/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
++++ b/OvmfPkg/Library/X86QemuLoadImageLib/X86QemuLoadImageLib.inf
+@@ -33,6 +33,7 @@
+ LoadLinuxLib
+ PrintLib
+ QemuFwCfgLib
++ QemuFwCfgSimpleParserLib
+ ReportStatusCodeLib
+ UefiBootServicesTableLib
+
+--
+2.49.0
+
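Review bot: The fall-through from `case EFI_ACCESS_DENIED:` into `case EFI_UNSUPPORTED:` now exits a nested `{ ... }` block whose only `// Fall through` marker sits inside the `else` branch, so no marker immediately precedes the next `case` label; compilers with `-Wimplicit-fallthrough` look for it directly before the label, and a reader scanning the switch sees a block that simply ends. Place a `// Fall through` (or whatever fallthrough annotation the project already uses) on the line just before `case EFI_UNSUPPORTED:`. `QemuFwCfgParseBool` errors are mapped to `Enabled = TRUE`, matching the commit message's enabled-by-default policy; a comment such as `// A missing or unparsable option keeps the legacy loader enabled for now.` will make that explicit when the default is flipped later. The enclosing switch and function continue outside the hunk.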
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index badde30d97..fd5ff25dc9 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -29,6 +29,16 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
file://0006-BaseTools-StringFuncs-fix-gcc-16-warning.patch \
file://0007-BaseTools-EfiRom-fix-compiler-warning.patch \
file://0008-BaseTools-Pccts-set-C-standard.patch \
+ file://0001-AmdSev-Halt-on-failed-blob-allocation.patch \
+ file://CVE-2025-2296-1.patch \
+ file://CVE-2025-2296-2.patch \
+ file://CVE-2025-2296-3.patch \
+ file://CVE-2025-2296-4.patch \
+ file://CVE-2025-2296-5.patch \
+ file://CVE-2025-2296-6.patch \
+ file://CVE-2025-2296-7.patch \
+ file://CVE-2025-2296-8.patch \
+ file://CVE-2025-2296-9.patch \
"
PV = "edk2-stable202402"
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 14/23] ovmf: fix CVE-2024-38798
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Hongxu Jia <hongxu.jia@windriver.com>
According to [1],
EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of
Sensitive Information to an Unauthorized Actor” by local access. Successful
exploitation of this vulnerability will lead to possible information disclosure
or escalation of privilege and impact Confidentiality.
Backport a patch [2] from upstream to fix CVE-2024-38798
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-38798
[2] https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../ovmf/ovmf/CVE-2024-38798.patch | 116 ++++++++++++++++++
meta/recipes-core/ovmf/ovmf_git.bb | 1 +
2 files changed, 117 insertions(+)
create mode 100644 meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
diff --git a/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
new file mode 100644
index 0000000000..2d0a73c7a6
--- /dev/null
+++ b/meta/recipes-core/ovmf/ovmf/CVE-2024-38798.patch
@@ -0,0 +1,116 @@
+From 81263e46ad8cf2a6c7d86bc51c95342d07ec31ca Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Mon, 5 Jan 2026 13:04:18 +0800
+Subject: [PATCH] MdeModulePkg : Clear keyboard queue buffer after reading
+
+There is a possibility to retrieve user input keystroke data stored in the
+queue buffer via the EFI_SIMPLE_TEXT_INPUT_PROTOCOL pointer. To prevent
+exposure of the password string, clear the queue buffer by filling it
+with zeros after reading.
+
+Signed-off-by: Nick Wang <nick.wang@insyde.com>
+
+CVE: CVE-2024-38798
+Upstream-Status: Backport [https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c | 2 ++
+ MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c | 1 +
+ MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c | 2 +-
+ .../Universal/Console/ConSplitterDxe/ConSplitter.c | 1 +
+ .../Universal/Console/TerminalDxe/TerminalConIn.c | 8 ++++++--
+ 5 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
+index 981309f..32757a7 100644
+--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdCtrller.c
+@@ -650,6 +650,8 @@ PopScancodeBufHead (
+ if (Buf != NULL) {
+ Buf[Index] = Queue->Buffer[Queue->Head];
+ }
++
++ Queue->Buffer[Queue->Head] = 0;
+ }
+
+ return EFI_SUCCESS;
+diff --git a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
+index 81d3c6e..e03c88f 100644
+--- a/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
++++ b/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe/Ps2KbdTextIn.c
+@@ -51,6 +51,7 @@ PopEfikeyBufHead (
+ CopyMem (KeyData, &Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
+ }
+
++ ZeroMem (&Queue->Buffer[Queue->Head], sizeof (EFI_KEY_DATA));
+ Queue->Head = (Queue->Head + 1) % KEYBOARD_EFI_KEY_MAX_COUNT;
+ return EFI_SUCCESS;
+ }
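Review bot: Scrubbing the slot at dequeue time only covers entries that are actually popped; if the driver's reset or flush path (the Reset handler of EFI_SIMPLE_TEXT_INPUT_PROTOCOL, presumably) discards pending keys by resetting Head and Tail rather than popping them, those keystrokes stay readable in `Queue->Buffer` until overwritten. Worth confirming that path also runs `ZeroMem (Queue->Buffer, sizeof (Queue->Buffer));`, and the same question applies to the other queues touched by this patch. A one-line comment above the added call, `// Scrub the consumed entry so keystrokes (e.g. passwords) do not linger in the queue`, would record why a plain dequeue now zeroes memory. PopEfikeyBufHead begins outside the hunk.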
+diff --git a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
+index b5a6459..7df1566 100644
+--- a/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
++++ b/MdeModulePkg/Bus/Usb/UsbKbDxe/KeyBoard.c
+@@ -1840,7 +1840,7 @@ Dequeue (
+ }
+
+ CopyMem (Item, Queue->Buffer[Queue->Head], ItemSize);
+-
++ ZeroMem (Queue->Buffer[Queue->Head], ItemSize);
+ //
+ // Adjust the head pointer of the FIFO keyboard buffer.
+ //
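Review bot: The added `ZeroMem` replaced the blank line that separated the copy from the `// Adjust the head pointer` comment block, so the scrub and the comment about advancing Head now read as one unit; keep the blank line after `ZeroMem (Queue->Buffer[Queue->Head], ItemSize);`. Unlike the other queues in this patch, `Queue->Buffer[Queue->Head]` here is a pointer (it is passed to CopyMem without `&`), so the scrub relies on ItemSize matching the slot's allocation size exactly as the existing CopyMem already does — consistent, but worth a comment since a reader comparing the five call sites will expect an element address. Dequeue begins outside the hunk.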
+diff --git a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
+index 0a776f3..5c1a35e 100644
+--- a/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
++++ b/MdeModulePkg/Universal/Console/ConSplitterDxe/ConSplitter.c
+@@ -3537,6 +3537,7 @@ ConSplitterTextInExDequeueKey (
+ &Private->KeyQueue[1],
+ Private->CurrentNumberOfKeys * sizeof (EFI_KEY_DATA)
+ );
++ ZeroMem (&Private->KeyQueue[Private->CurrentNumberOfKeys], sizeof (EFI_KEY_DATA));
+ return EFI_SUCCESS;
+ }
+
+diff --git a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
+index f1d0a34..8aafb4b 100644
+--- a/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
++++ b/MdeModulePkg/Universal/Console/TerminalDxe/TerminalConIn.c
+@@ -760,7 +760,8 @@ RawFiFoRemoveOneKey (
+ return FALSE;
+ }
+
+- *Output = TerminalDevice->RawFiFo->Data[Head];
++ *Output = TerminalDevice->RawFiFo->Data[Head];
++ TerminalDevice->RawFiFo->Data[Head] = 0;
+
+ TerminalDevice->RawFiFo->Head = (UINT8)((Head + 1) % (RAW_FIFO_MAX_NUMBER + 1));
+
+@@ -881,6 +882,7 @@ EfiKeyFiFoForNotifyRemoveOneKey (
+ }
+
+ CopyMem (Output, &EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
++ ZeroMem (&EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
+
+ EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+
+@@ -1032,6 +1034,7 @@ EfiKeyFiFoRemoveOneKey (
+ }
+
+ CopyMem (Output, &TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
++ ZeroMem (&TerminalDevice->EfiKeyFiFo->Data[Head], sizeof (EFI_INPUT_KEY));
+
+ TerminalDevice->EfiKeyFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+
+@@ -1142,7 +1145,8 @@ UnicodeFiFoRemoveOneKey (
+ Head = TerminalDevice->UnicodeFiFo->Head;
+ ASSERT (Head < FIFO_MAX_NUMBER + 1);
+
+- *Output = TerminalDevice->UnicodeFiFo->Data[Head];
++ *Output = TerminalDevice->UnicodeFiFo->Data[Head];
++ TerminalDevice->UnicodeFiFo->Data[Head] = 0;
+
+ TerminalDevice->UnicodeFiFo->Head = (UINT8)((Head + 1) % (FIFO_MAX_NUMBER + 1));
+ }
+--
+2.34.1
+
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index fd5ff25dc9..4e6227f484 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -39,6 +39,7 @@ SRC_URI = "gitsm://github.com/tianocore/edk2.git;branch=master;protocol=https \
file://CVE-2025-2296-7.patch \
file://CVE-2025-2296-8.patch \
file://CVE-2025-2296-9.patch \
+ file://CVE-2024-38798.patch \
"
PV = "edk2-stable202402"
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 15/23] apt: Add CVE_PRODUCT to support product name
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Himanshu Jadon <hjadon@cisco.com>
- Keep both the older deprecated debian:apt alias and the active
debian:advanced_package_tool identity in CVE_PRODUCT.
- This preserves completeness and avoids missing CVEs in case older
aliases are still used in NVD records.
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 4c777220ee5740b800f4128da79c24f7e42c7b88)
Signed-off-by: Himanshu Jadon <hjadon@cisco.com>
[FT: Rebase onto scarthgap-next]
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
meta/recipes-devtools/apt/apt_2.6.1.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-devtools/apt/apt_2.6.1.bb b/meta/recipes-devtools/apt/apt_2.6.1.bb
index 436e2e8cad..12915660b0 100644
--- a/meta/recipes-devtools/apt/apt_2.6.1.bb
+++ b/meta/recipes-devtools/apt/apt_2.6.1.bb
@@ -141,3 +141,6 @@ do_install:append() {
# Avoid non-reproducible -src package
sed -i -e "s,${B}/include/,,g" ${B}/apt-pkg/tagfile-keys.cc
}
+
+# Add CVE_PRODUCT to match the NVD CPE product name
+CVE_PRODUCT = "debian:apt debian:advanced_package_tool"
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 16/23] avahi: Fix CVE-2026-34933
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Pick patch according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-34933
[2] https://github.com/avahi/avahi/pull/891
[3] https://nvd.nist.gov/vuln/detail/CVE-2026-34933
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
meta/recipes-connectivity/avahi/avahi_0.8.bb | 2 +
.../avahi/files/CVE-2026-34933-1.patch | 108 ++++++++++++++++++
.../avahi/files/CVE-2026-34933-2.patch | 96 ++++++++++++++++
3 files changed, 206 insertions(+)
create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2026-34933-1.patch
create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2026-34933-2.patch
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index fce2d7cd56..31febc360d 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -41,6 +41,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
file://CVE-2025-68468.patch \
file://CVE-2025-68471.patch \
file://CVE-2026-24401.patch \
+ file://CVE-2026-34933-1.patch \
+ file://CVE-2026-34933-2.patch \
"
GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2026-34933-1.patch b/meta/recipes-connectivity/avahi/files/CVE-2026-34933-1.patch
new file mode 100644
index 0000000000..208345a325
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2026-34933-1.patch
@@ -0,0 +1,108 @@
+From 0be89b6bb5c3983837b5e0febcbbbf452ecf7675 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 1 Apr 2026 05:31:58 +0000
+Subject: [PATCH] core: refuse to accept publish flags where both wide_area and
+ multicast are set
+
+It fixes a bug where it was possible for unprivileged local users to
+crash avahi-daemon via D-Bus by calling EntryGroup methods accepting
+flags and passing both AVAHI_PUBLISH_USE_WIDE_AREA and
+AVAHI_PUBLISH_USE_MULTICAST there. For example when AddRecord was
+invoked like that avahi-daemon crashed with
+```
+dbus-entry-group.c: interface=org.freedesktop.Avahi.EntryGroup, path=/Client0/EntryGroup1, member=AddRecord
+avahi-daemon: entry.c:57: transport_flags_from_domain: Assertion `!((*flags & AVAHI_PUBLISH_USE_MULTICAST) && (*flags & AVAHI_PUBLISH_USE_WIDE_AREA))' failed.
+==84944==
+==84944== Process terminating with default action of signal 6 (SIGABRT)
+==84944== at 0x4B353BC: __pthread_kill_implementation (pthread_kill.c:44)
+==84944== by 0x4ADE941: raise (raise.c:26)
+==84944== by 0x4AC64AB: abort (abort.c:77)
+==84944== by 0x4AC641F: __assert_fail_base.cold (assert.c:118)
+==84944== by 0x48A9404: transport_flags_from_domain (entry.c:57)
+==84944== by 0x48A9F8F: server_add_internal (entry.c:224)
+==84944== by 0x48AA49F: avahi_server_add (entry.c:324)
+==84944== by 0x401A670: avahi_dbus_msg_entry_group_impl (dbus-entry-group.c:348)
+==84944== by 0x4A70741: ??? (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3)
+==84944== by 0x4A5FB22: dbus_connection_dispatch (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.38.3)
+==84944== by 0x401D01D: dispatch_timeout_callback (dbus-watch-glue.c:105)
+==84944== by 0x488E3AE: timeout_callback (simple-watch.c:447)
+==84944==
+```
+It's a follow-up to fbce111b069aa1e4c701ed37ee1d9f6d6cefaac5 where
+those flags were introduced and consistent with the other places
+where wide_area/multicast flags are used.
+
+It was discovered by
+Guillaume Meunier - Head of Vulnerability Operations Center France - Orange Cyberdefense
+
+https://github.com/avahi/avahi/security/advisories/GHSA-w65r-6gxh-vhvc
+
+CVE-2026-34933
+
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/0be89b6bb5c3983837b5e0febcbbbf452ecf7675]
+CVE: CVE-2026-34933
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-core/entry.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/avahi-core/entry.c b/avahi-core/entry.c
+index 0d862133d..06eb12076 100644
+--- a/avahi-core/entry.c
++++ b/avahi-core/entry.c
+@@ -207,6 +207,7 @@ static AvahiEntry * server_add_internal(
+ AVAHI_PUBLISH_UPDATE|
+ AVAHI_PUBLISH_USE_WIDE_AREA|
+ AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
++ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_domain_name(r->key->name), AVAHI_ERR_INVALID_HOST_NAME);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, r->ttl != 0, AVAHI_ERR_INVALID_TTL);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !avahi_key_is_pattern(r->key), AVAHI_ERR_IS_PATTERN);
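Review bot: The predicate `!(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST)` is now repeated verbatim at seven call sites in entry.c, which is exactly how the original omission happened; a single helper next to AVAHI_FLAGS_VALID, e.g. `#define AVAHI_PUBLISH_TRANSPORT_FLAGS_VALID(f) (!((f) & AVAHI_PUBLISH_USE_WIDE_AREA) || !((f) & AVAHI_PUBLISH_USE_MULTICAST))`, would make the next new entry point harder to get wrong. The `assert` in transport_flags_from_domain that the advisory trace shows aborting (entry.c:57) is left in place, so any other path that reaches it with both flags set still crashes a daemon reachable by unprivileged D-Bus callers; turning that assertion into a graceful AVAHI_ERR_INVALID_FLAGS return would be cheap defense in depth. server_add_internal starts outside the hunk.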
+@@ -454,6 +455,7 @@ int avahi_server_add_address(
+ AVAHI_PUBLISH_UPDATE|
+ AVAHI_PUBLISH_USE_WIDE_AREA|
+ AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
++ AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY(s, !name || avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME);
+
+ /* Prepare the host naem */
+@@ -595,6 +597,7 @@ static int server_add_service_strlst_nocopy(
+ AVAHI_PUBLISH_UPDATE|
+ AVAHI_PUBLISH_USE_WIDE_AREA|
+ AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
++ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
+@@ -754,6 +757,7 @@ static int server_update_service_txt_strlst_nocopy(
+ AVAHI_PUBLISH_NO_COOKIE|
+ AVAHI_PUBLISH_USE_WIDE_AREA|
+ AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
++ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
+@@ -843,6 +847,7 @@ int avahi_server_add_service_subtype(
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_PROTO_VALID(protocol), AVAHI_ERR_INVALID_PROTOCOL);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS);
++ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_name(name), AVAHI_ERR_INVALID_SERVICE_NAME);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, avahi_is_valid_service_type_strict(type), AVAHI_ERR_INVALID_SERVICE_TYPE);
+ AVAHI_CHECK_VALIDITY_SET_RET_GOTO_FAIL(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
+@@ -910,6 +915,7 @@ static AvahiEntry *server_add_dns_server_name(
+ assert(name);
+
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
++ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, port != 0, AVAHI_ERR_INVALID_PORT);
+ AVAHI_CHECK_VALIDITY_RETURN_NULL(s, avahi_is_valid_fqdn(name), AVAHI_ERR_INVALID_HOST_NAME);
+@@ -967,6 +973,7 @@ int avahi_server_add_dns_server_address(
+ AVAHI_CHECK_VALIDITY(s, AVAHI_IF_VALID(interface), AVAHI_ERR_INVALID_INTERFACE);
+ AVAHI_CHECK_VALIDITY(s, AVAHI_PROTO_VALID(protocol) && AVAHI_PROTO_VALID(address->proto), AVAHI_ERR_INVALID_PROTOCOL);
+ AVAHI_CHECK_VALIDITY(s, AVAHI_FLAGS_VALID(flags, AVAHI_PUBLISH_USE_MULTICAST|AVAHI_PUBLISH_USE_WIDE_AREA), AVAHI_ERR_INVALID_FLAGS);
++ AVAHI_CHECK_VALIDITY(s, !(flags & AVAHI_PUBLISH_USE_WIDE_AREA) || !(flags & AVAHI_PUBLISH_USE_MULTICAST), AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY(s, type == AVAHI_DNS_SERVER_UPDATE || type == AVAHI_DNS_SERVER_RESOLVE, AVAHI_ERR_INVALID_FLAGS);
+ AVAHI_CHECK_VALIDITY(s, port != 0, AVAHI_ERR_INVALID_PORT);
+ AVAHI_CHECK_VALIDITY(s, !domain || avahi_is_valid_domain_name(domain), AVAHI_ERR_INVALID_DOMAIN_NAME);
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2026-34933-2.patch b/meta/recipes-connectivity/avahi/files/CVE-2026-34933-2.patch
new file mode 100644
index 0000000000..479d0d7e93
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2026-34933-2.patch
@@ -0,0 +1,96 @@
+From a93fdd980d2db5d453475c0aa2b39946bd6611bd Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 1 Apr 2026 05:30:58 +0000
+Subject: [PATCH] tests: make sure AVAHI_PUBLISH_USE_WIDE_AREA is refused
+
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/a93fdd980d2db5d453475c0aa2b39946bd6611bd]
+CVE: CVE-2026-34933
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ avahi-client/client-test.c | 25 +++++++++++++++++++++++++
+ avahi-core/avahi-test.c | 12 +++++++++++-
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/avahi-client/client-test.c b/avahi-client/client-test.c
+index 9a015d7..c80e12f 100644
+--- a/avahi-client/client-test.c
++++ b/avahi-client/client-test.c
+@@ -212,6 +212,28 @@ static void terminate(AVAHI_GCC_UNUSED AvahiTimeout *timeout, AVAHI_GCC_UNUSED v
+ avahi_simple_poll_quit(simple_poll);
+ }
+
++static void test_refuse_publish_flags(AvahiEntryGroup *g, AvahiPublishFlags flags, int expected) {
++ AvahiAddress a;
++ AvahiStringList *l = NULL;
++ int r;
++
++ r = avahi_entry_group_add_record(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test.local", AVAHI_DNS_CLASS_IN, AVAHI_DNS_TYPE_CNAME, 120, "\0", 1);
++ assert(r == expected);
++
++ avahi_address_parse("224.0.0.251", AVAHI_PROTO_UNSPEC, &a);
++ r = avahi_entry_group_add_address(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test.local", &a);
++ assert(r == expected);
++
++ r = avahi_entry_group_add_service_strlst(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, NULL, 80, l);
++ assert(r == expected);
++
++ r = avahi_entry_group_update_service_txt_strlst(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, l);
++ assert(r == expected);
++
++ r = avahi_entry_group_add_service_subtype(g, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, flags, "test", "_http._tcp", NULL, "_magic._sub._http._tcp");
++ assert(r == expected);
++}
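Review bot: `avahi_address_parse("224.0.0.251", AVAHI_PROTO_UNSPEC, &a)` in test_refuse_publish_flags discards its return value, so on a parse failure `a` is uninitialised and the following `avahi_entry_group_add_address` assertion would exercise the flag check against garbage; assert it instead, `assert(avahi_address_parse("224.0.0.251", AVAHI_PROTO_UNSPEC, &a) == &a);`, relying on the function returning its output pointer on success as the pre-existing avahi-test.c call site does. A one-line comment above the helper stating that every publish entry point must reject the given flag combination with `expected` would make clear this is the regression test for CVE-2026-34933.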
++
+ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+ AvahiClient *avahi;
+ AvahiEntryGroup *group, *group2;
+@@ -275,6 +297,9 @@ int main (AVAHI_GCC_UNUSED int argc, AVAHI_GCC_UNUSED char *argv[]) {
+ error = avahi_entry_group_add_record (group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, "TestX", 0x01, 0x10, 120, "", 0);
+ assert(error != AVAHI_OK);
+
++ test_refuse_publish_flags(group, AVAHI_PUBLISH_USE_WIDE_AREA, AVAHI_ERR_NOT_SUPPORTED);
++ test_refuse_publish_flags(group, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST, AVAHI_ERR_INVALID_FLAGS);
++
+ avahi_entry_group_commit (group);
+
+ domain = avahi_domain_browser_new (avahi, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, NULL, AVAHI_DOMAIN_BROWSER_BROWSE, 0, avahi_domain_browser_callback, (char*) "omghai3u");
+diff --git a/avahi-core/avahi-test.c b/avahi-core/avahi-test.c
+index 2a7872b..2bae82b 100644
+--- a/avahi-core/avahi-test.c
++++ b/avahi-core/avahi-test.c
+@@ -30,6 +30,7 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+
++#include <avahi-common/error.h>
+ #include <avahi-common/malloc.h>
+ #include <avahi-common/simple-watch.h>
+ #include <avahi-common/alternative.h>
+@@ -150,6 +151,7 @@ static void remove_entries(void) {
+ static void create_entries(int new_name) {
+ AvahiAddress a;
+ AvahiRecord *r;
++ int error;
+
+ remove_entries();
+
+@@ -181,7 +183,15 @@ static void create_entries(int new_name) {
+ goto fail;
+ }
+
+- if (avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, NULL, AVAHI_DNS_SERVER_RESOLVE, avahi_address_parse("192.168.50.1", AVAHI_PROTO_UNSPEC, &a), 53) < 0) {
++ avahi_address_parse("192.168.50.1", AVAHI_PROTO_UNSPEC, &a);
++
++ error = avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, AVAHI_PUBLISH_USE_WIDE_AREA, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53);
++ assert(error == AVAHI_ERR_NOT_SUPPORTED);
++
++ error = avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, AVAHI_PUBLISH_USE_WIDE_AREA|AVAHI_PUBLISH_USE_MULTICAST, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53);
++ assert(error == AVAHI_ERR_INVALID_FLAGS);
++
++ if (avahi_server_add_dns_server_address(server, group, AVAHI_IF_UNSPEC, AVAHI_PROTO_UNSPEC, 0, NULL, AVAHI_DNS_SERVER_RESOLVE, &a, 53) < 0) {
+ avahi_log_error("Failed to add new DNS Server address");
+ goto fail;
+ }
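Review bot: The rewrite drops the failure signal the old line carried: before, the result of `avahi_address_parse` was passed straight through, so a parse failure reached the callee as a NULL address, whereas now `&a` is passed unconditionally and the parse result is ignored. Check it once before the three calls, `if (!avahi_address_parse("192.168.50.1", AVAHI_PROTO_UNSPEC, &a)) goto fail;`, so the two new assertions cannot pass or fail for the wrong reason. create_entries starts and ends outside the hunk.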
+--
+2.43.0
+
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 17/23] gdk-pixbuf: Fix CVE-2026-5201
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Pick patch according to [1]
[1] https://security-tracker.debian.org/tracker/CVE-2026-5201
[2] https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/304
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch | 44 +++++++++++++++++++
.../gdk-pixbuf/gdk-pixbuf_2.42.12.bb | 1 +
2 files changed, 45 insertions(+)
create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch
new file mode 100644
index 0000000000..97e0dddb62
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2026-5201.patch
@@ -0,0 +1,44 @@
+From 6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 30 Mar 2026 12:21:56 -0400
+Subject: [PATCH] jpeg: Reject unsupported number of components
+
+This condition was already checked for incremental loading.
+This commit adds the same check in the nonincremental
+code path.
+
+Closes: #304
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/6cce9311e70b969cbcc6e3e1e74ae1756ed02d5b]
+CVE: CVE-2026-5201
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ gdk-pixbuf/io-jpeg.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
+index 9ee1d21..d419812 100644
+--- a/gdk-pixbuf/io-jpeg.c
++++ b/gdk-pixbuf/io-jpeg.c
+@@ -625,6 +625,18 @@ gdk_pixbuf__real_jpeg_image_load (FILE *f, struct jpeg_decompress_struct *cinfo,
+ cinfo->do_fancy_upsampling = FALSE;
+ cinfo->do_block_smoothing = FALSE;
+
++ /* Reject unsupported component counts */
++ if (cinfo->output_components != 3 && cinfo->output_components != 4 &&
++ !(cinfo->output_components == 1 &&
++ cinfo->out_color_space == JCS_GRAYSCALE)) {
++ g_set_error (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++ _("Unsupported number of color components (%d)"),
++ cinfo->output_components);
++ goto out;
++ }
++
+ pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+ cinfo->out_color_components == 4 ? TRUE : FALSE,
+ 8,
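Review bot: The new rejection tests `cinfo->output_components`, but the allocation two lines below picks the alpha channel from `cinfo->out_color_components`; libjpeg keeps the two equal only while `quantize_colors` is off (it sets output_components to 1 when quantizing), so the check and the allocation can drift if that ever changes. Either test the same field in the condition or state the precondition in the new comment, e.g. `/* Reject unsupported component counts (output_components == out_color_components: quantize_colors is never set) */`. Both fields are populated by jpeg_calc_output_dimensions() or jpeg_start_decompress(), so the check also presumes jpeg_calc_output_dimensions() has already run at this point of the nonincremental path — confirm that ordering, as it is not visible in the hunk. gdk_pixbuf__real_jpeg_image_load begins before the hunk and the `out` label it jumps to is outside it.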
+--
+2.43.0
+
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
index 7c58fe1e1d..2f0de425b5 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.12.bb
@@ -22,6 +22,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \
file://CVE-2025-7345.patch \
file://CVE-2025-6199.patch \
+ file://CVE-2026-5201.patch \
"
SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 18/23] ghostscript: Pin to C17 std
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
The code defines a custom 'bool' type (as an 'int'), which is incompatible
with C23 in which bool is a keyword, and trying to use <stdbool.h> fails
because 'int' and 'bool' are used interchangeably in the code.
Add the flag to CC variable, since CFLAGS is used by both c and c++ compilers
and clang++ is less forgiving when C compiler only option is used on its
cmdline so it complains about -std=gnu17 and bails out.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 49657089ef215824f8f79a81deb7baf4f27d0030)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
index a48ad671c7..57a1098521 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
@@ -50,6 +50,8 @@ EXTRA_OECONF:append:mipsarcho32 = " --with-large_color_index=0"
EXTRA_OECONF:append:armv7a = "${@bb.utils.contains('TUNE_FEATURES','neon','',' --disable-neon',d)}"
EXTRA_OECONF:append:armv7ve = "${@bb.utils.contains('TUNE_FEATURES','neon','',' --disable-neon',d)}"
+CC += "-std=gnu17"
+
# Uses autoconf but not automake, can't do out-of-tree
inherit autotools-brokensep pkgconfig
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 19/23] ghostscript: fix build with gcc-15 on host
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 02e282f6417274a93c6f01978bf33e2d171297b0)
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
...Fix-compatibility-with-C23-compilers.patch | 67 +++++++++++++++++++
.../ghostscript/ghostscript_10.05.1.bb | 1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-extended/ghostscript/ghostscript/0001-Bug-708160-Fix-compatibility-with-C23-compilers.patch
diff --git a/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-708160-Fix-compatibility-with-C23-compilers.patch b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-708160-Fix-compatibility-with-C23-compilers.patch
new file mode 100644
index 0000000000..78f3fc1c34
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/0001-Bug-708160-Fix-compatibility-with-C23-compilers.patch
@@ -0,0 +1,67 @@
+From c595086bfe206776676e290df98cd09e91210e27 Mon Sep 17 00:00:00 2001
+From: Alex Cherepanov <alex@coscript.biz>
+Date: Thu, 3 Apr 2025 17:19:41 +0100
+Subject: [PATCH] Bug 708160: Fix compatibility with C23 compilers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* fixes:
+ http://errors.yoctoproject.org/Errors/Details/853021/
+
+In file included from ./base/genconf.c:18:
+./base/stdpre.h:348:13: error: ‘bool’ cannot be defined via ‘typedef’
+ 348 | typedef int bool;
+ | ^~~~
+./base/stdpre.h:348:13: note: ‘bool’ is a keyword with ‘-std=c23’ onwards
+./base/stdpre.h:348:1: warning: useless type name in empty declaration
+ 348 | typedef int bool;
+ | ^~~~~~~
+
+Upstream-Status: Backport [Partial backport of https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/base/stdpre.h?id=ae940946473ceb8c5353bc6e7f04673c6e60502d]
+
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+---
+ base/stdpre.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/base/stdpre.h b/base/stdpre.h
+index dda30b6..2f9c84e 100644
+--- a/base/stdpre.h
++++ b/base/stdpre.h
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2023 Artifex Software, Inc.
++/* Copyright (C) 2001-2025 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -341,7 +341,9 @@ typedef signed char schar;
+ * and the MetroWerks C++ compiler insists that bool be equivalent to
+ * unsigned char.
+ */
+-#ifndef __cplusplus
++
++/* C23 has bool as a builtin type. */
++#if !defined(__cplusplus) && (!defined(__STDC_VERSION__) || __STDC_VERSION__ < 202311L)
+ #ifdef __BEOS__
+ typedef unsigned char bool;
+ #else
+diff --git a/base/gp.h b/base/gp.h
+index ad5bb61..cf2c9cf 100644
+--- a/base/gp.h
++++ b/base/gp.h
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2001-2023 Artifex Software, Inc.
++/* Copyright (C) 2001-2025 Artifex Software, Inc.
+ All Rights Reserved.
+
+ This software is provided AS-IS with no warranty, either express or
+@@ -646,7 +646,7 @@ int gp_fseek_impl(FILE *strm, gs_offset_t offset, int origin);
+ /* Create a second open gp_file on the basis of a given one */
+ FILE *gp_fdup_impl(FILE *f, const char *mode);
+
+-int gp_fseekable_impl(FILE *f);
++bool gp_fseekable_impl(FILE *f);
+
+ /* Force given file into binary mode (no eol translations, etc) */
+ /* if 2nd param true, text mode if 2nd param false */
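Review bot: Changing the declared return type of `gp_fseekable_impl` from `int` to `bool` needs the matching change in every definition (base/gp_unix.c and the other platform gp_*.c files, presumably), and the patch's own diffstat lists only base/stdpre.h, so this gp.h hunk looks unaccounted for and the definitions are not carried. With the C17 pin from the sibling recipe change `bool` is still stdpre.h's `typedef int bool`, so the mismatch is harmless today, but under a C23 compiler `bool` is the 1-byte builtin and a prototype declaring `bool` against a definition returning `int` is a conflicting-types error. Either drop this hunk from the partial backport or add the matching definition changes, and update the diffstat to list base/gp.h.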
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
index 57a1098521..f7e1de734d 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
@@ -28,6 +28,7 @@ SRC_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/downlo
file://CVE-2025-59798.patch \
file://CVE-2025-59799.patch \
file://CVE-2025-59800.patch \
+ file://0001-Bug-708160-Fix-compatibility-with-C23-compilers.patch \
"
SRC_URI[sha256sum] = "121861b6d29b2461dec6575c9f3cab665b810bd408d4ec02c86719fa708b0a49"
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 20/23] systemd: fix for CVE-2026-40225
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Backport commits [0] and [1], which fix this vulnerability, as referenced in the Debian report [2].
[0] https://github.com/systemd/systemd/commit/03bb697b8df0339c37f4b845025320b261aeb7cc
[1] https://github.com/systemd/systemd/commit/5887e72ff87d3a66a4c3fa91897fbec1545f4d3d
[2] https://security-tracker.debian.org/tracker/CVE-2026-40225
More details : https://nvd.nist.gov/vuln/detail/CVE-2026-40225
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../systemd/systemd/CVE-2026-40225-01.patch | 131 ++++++++++++++++++
.../systemd/systemd/CVE-2026-40225-02.patch | 39 ++++++
meta/recipes-core/systemd/systemd_255.21.bb | 2 +
3 files changed, 172 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40225-01.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40225-02.patch
diff --git a/meta/recipes-core/systemd/systemd/CVE-2026-40225-01.patch b/meta/recipes-core/systemd/systemd/CVE-2026-40225-01.patch
new file mode 100644
index 0000000000..f616e636c2
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2026-40225-01.patch
@@ -0,0 +1,131 @@
+From 03bb697b8df0339c37f4b845025320b261aeb7cc Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Fri, 6 Mar 2026 19:32:35 +0000
+Subject: [PATCH] udev: check for invalid chars in various fields received from
+ the kernel
+
+(cherry picked from commit 16325b35fa6ecb25f66534a562583ce3b96d52f3)
+(cherry picked from commit 3513862eabe9ec4a6a095d7266e98f998f289ed2)
+(cherry picked from commit c20d21e0da293e715db468f9f4a15a5c8fbf8273)
+
+CVE: CVE-2026-40225
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/03bb697b8df0339c37f4b845025320b261aeb7cc]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/udev/dmi_memory_id/dmi_memory_id.c | 3 ++-
+ src/udev/scsi_id/scsi_id.c | 5 +++--
+ src/udev/udev-builtin-net_id.c | 9 +++++++++
+ src/udev/v4l_id/v4l_id.c | 5 ++++-
+ 4 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/src/udev/dmi_memory_id/dmi_memory_id.c b/src/udev/dmi_memory_id/dmi_memory_id.c
+index 52ea250af8..4f2c21b80b 100644
+--- a/src/udev/dmi_memory_id/dmi_memory_id.c
++++ b/src/udev/dmi_memory_id/dmi_memory_id.c
+@@ -51,6 +51,7 @@
+ #include "string-util.h"
+ #include "udev-util.h"
+ #include "unaligned.h"
++#include "utf8.h"
+
+ #define SUPPORTED_SMBIOS_VER 0x030300
+
+@@ -185,7 +186,7 @@ static void dmi_memory_device_string(
+
+ str = strdupa_safe(dmi_string(h, s));
+ str = strstrip(str);
+- if (!isempty(str))
++ if (!isempty(str) && utf8_is_valid(str) && !string_has_cc(str, /* ok= */ NULL))
+ printf("MEMORY_DEVICE_%u_%s=%s\n", slot_num, attr_suffix, str);
+ }
+
+diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
+index 6308c52b7e..7e18bc755a 100644
+--- a/src/udev/scsi_id/scsi_id.c
++++ b/src/udev/scsi_id/scsi_id.c
+@@ -27,6 +27,7 @@
+ #include "strv.h"
+ #include "strxcpyx.h"
+ #include "udev-util.h"
++#include "utf8.h"
+
+ static const struct option options[] = {
+ { "device", required_argument, NULL, 'd' },
+@@ -443,8 +444,8 @@ static int scsi_id(char *maj_min_dev) {
+ }
+ if (dev_scsi.tgpt_group[0] != '\0')
+ printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
+- if (dev_scsi.unit_serial_number[0] != '\0')
+- printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
++ if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
++ printf("ID_SCSI_SERIAL=%s\n", serial_str);
+ goto out;
+ }
+
+diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
+index 91b40088f4..715184e282 100644
+--- a/src/udev/udev-builtin-net_id.c
++++ b/src/udev/udev-builtin-net_id.c
+@@ -39,6 +39,7 @@
+ #include "strv.h"
+ #include "strxcpyx.h"
+ #include "udev-builtin.h"
++#include "utf8.h"
+
+ #define ONBOARD_14BIT_INDEX_MAX ((1U << 14) - 1)
+ #define ONBOARD_16BIT_INDEX_MAX ((1U << 16) - 1)
+@@ -247,6 +248,9 @@ static int get_port_specifier(sd_device *dev, bool fallback_to_dev_id, char **re
+ }
+ }
+
++ if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
++
+ /* Otherwise, use phys_port_name as is. */
+ buf = strjoin("n", phys_port_name);
+ if (!buf)
+@@ -351,6 +355,9 @@ static int names_pci_onboard_label(sd_device *dev, sd_device *pci_dev, const cha
+ if (r < 0)
+ return log_device_debug_errno(pci_dev, r, "Failed to get PCI onboard label: %m");
+
++ if (!utf8_is_valid(label) || string_has_cc(label, /* ok= */ NULL))
++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid label");
++
+ char str[ALTIFNAMSIZ];
+ if (snprintf_ok(str, sizeof str, "%s%s",
+ naming_scheme_has(NAMING_LABEL_NOPREFIX) ? "" : prefix,
+@@ -1209,6 +1216,8 @@ static int names_netdevsim(sd_device *dev, const char *prefix, bool test) {
+ if (isempty(phys_port_name))
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "The 'phys_port_name' attribute is empty.");
++ if (!utf8_is_valid(phys_port_name) || string_has_cc(phys_port_name, /* ok= */ NULL))
++ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Invalid phys_port_name");
+
+ char str[ALTIFNAMSIZ];
+ if (snprintf_ok(str, sizeof str, "%si%un%s", prefix, addr, phys_port_name))
+diff --git a/src/udev/v4l_id/v4l_id.c b/src/udev/v4l_id/v4l_id.c
+index 30527e9556..2ec96d8d3a 100644
+--- a/src/udev/v4l_id/v4l_id.c
++++ b/src/udev/v4l_id/v4l_id.c
+@@ -29,6 +29,8 @@
+ #include "build.h"
+ #include "fd-util.h"
+ #include "main-func.h"
++#include "string-util.h"
++#include "utf8.h"
+
+ static const char *arg_device = NULL;
+
+@@ -82,7 +84,8 @@ static int run(int argc, char *argv[]) {
+ int capabilities;
+
+ printf("ID_V4L_VERSION=2\n");
+- printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
++ if (utf8_is_valid((char *)v2cap.card) && !string_has_cc((char *)v2cap.card, /* ok= */ NULL))
++ printf("ID_V4L_PRODUCT=%s\n", v2cap.card);
+ printf("ID_V4L_CAPABILITIES=:");
+
+ if (v2cap.capabilities & V4L2_CAP_DEVICE_CAPS)
+--
+2.50.1
+
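Review bot: The validity predicate `utf8_is_valid(s) && !string_has_cc(s, /* ok= */ NULL)` is written out by hand at six sites across the four files, and the scsi_id hunk already shows how that drifts: the condition validates `dev_scsi.unit_serial_number` but the printf on the next line emits `serial_str`, a different variable (the second patch in this series corrects that line). A shared helper next to string_has_cc(), e.g. `static inline bool udev_string_is_safe(const char *s) { return utf8_is_valid(s) && !string_has_cc(s, /* ok= */ NULL); }`, would keep the check identical at every site and leave one place to reason about. In v4l_id.c the check treats `(char *)v2cap.card` as a C string; if that array is not guaranteed NUL-terminated by the driver, `utf8_is_valid()` runs past its end, so bounding it via `strnlen()`/`strndupa_safe()` over `sizeof(v2cap.card)` would be the defensive choice. The enclosing functions in all four files start and end outside the hunks.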
diff --git a/meta/recipes-core/systemd/systemd/CVE-2026-40225-02.patch b/meta/recipes-core/systemd/systemd/CVE-2026-40225-02.patch
new file mode 100644
index 0000000000..bc0a5514d4
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2026-40225-02.patch
@@ -0,0 +1,39 @@
+From 5887e72ff87d3a66a4c3fa91897fbec1545f4d3d Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Fri, 13 Mar 2026 11:10:47 +0000
+Subject: [PATCH] udev: fix review mixup
+
+The previous version in the PR changed variable and sanitized it
+in place. The second version switched to skip if CCs are in the
+string instead, but didn't move back to the original variable.
+Because it's an existing variable, no CI caught it.
+
+Follow-up for 16325b35fa6ecb25f66534a562583ce3b96d52f3
+
+(cherry picked from commit 54f880b02ecf7362e630ffc885d1466df6ee6820)
+(cherry picked from commit 4425d8523e79f3cc00b3b93a0b5e7c6cdc284a97)
+(cherry picked from commit 75c585beae60e73208941e6b3f64cf249223f53d)
+
+CVE: CVE-2026-40225
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/5887e72ff87d3a66a4c3fa91897fbec1545f4d3d]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/udev/scsi_id/scsi_id.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
+index 7e18bc755a..b2df8d9f7f 100644
+--- a/src/udev/scsi_id/scsi_id.c
++++ b/src/udev/scsi_id/scsi_id.c
+@@ -445,7 +445,7 @@ static int scsi_id(char *maj_min_dev) {
+ if (dev_scsi.tgpt_group[0] != '\0')
+ printf("ID_TARGET_PORT=%s\n", dev_scsi.tgpt_group);
+ if (dev_scsi.unit_serial_number[0] != '\0' && utf8_is_valid(dev_scsi.unit_serial_number) && !string_has_cc(dev_scsi.unit_serial_number, /* ok= */ NULL))
+- printf("ID_SCSI_SERIAL=%s\n", serial_str);
++ printf("ID_SCSI_SERIAL=%s\n", dev_scsi.unit_serial_number);
+ goto out;
+ }
+
+--
+2.50.1
+
diff --git a/meta/recipes-core/systemd/systemd_255.21.bb b/meta/recipes-core/systemd/systemd_255.21.bb
index 87e186bbfa..fe9d699816 100644
--- a/meta/recipes-core/systemd/systemd_255.21.bb
+++ b/meta/recipes-core/systemd/systemd_255.21.bb
@@ -29,6 +29,8 @@ SRC_URI += " \
file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
file://0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch \
file://0008-implment-systemd-sysv-install-for-OE.patch \
+ file://CVE-2026-40225-01.patch \
+ file://CVE-2026-40225-02.patch \
"
# patches needed by musl
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 21/23] systemd: fix for CVE-2026-40226
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Backport commits [0] and [1], which fix this vulnerability, as referenced in the Debian report [2].
[0] https://github.com/systemd/systemd/commit/773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a
[1] https://github.com/systemd/systemd/commit/bfa0a842822c4f79da9d47f8a773fd128d8f8a0a
[2] https://security-tracker.debian.org/tracker/CVE-2026-40226
More details : https://nvd.nist.gov/vuln/detail/CVE-2026-40226
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../systemd/systemd/CVE-2026-40226-01.patch | 63 +++++++++++++++++++
.../systemd/systemd/CVE-2026-40226-02.patch | 39 ++++++++++++
meta/recipes-core/systemd/systemd_255.21.bb | 2 +
3 files changed, 104 insertions(+)
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch
create mode 100644 meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch
diff --git a/meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch b/meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch
new file mode 100644
index 0000000000..6f2893cab7
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2026-40226-01.patch
@@ -0,0 +1,63 @@
+From 773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Wed, 11 Mar 2026 12:15:26 +0000
+Subject: [PATCH] nspawn: apply BindUser/Ephemeral from settings file only if
+ trusted
+
+Originally reported on yeswehack.com as:
+YWH-PGM9780-116
+
+Follow-up for 2f8930449079403b26c9164b8eeac78d5af2c8df
+Follow-up for a2f577fca0be79b23f61f033229b64884e7d840a
+
+(cherry picked from commit 61bceb1bff4b1f9c126b18dc971ca3e6d8c71c40)
+(cherry picked from commit 718711ed876c870a72149eea279b819cdab14e91)
+(cherry picked from commit e4db9c12957d315c0ed22c6ca87a816d0927d6dc)
+
+
+CVE: CVE-2026-40226
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/773fd3b6e72e6c83cbb1cfc1cb20f3793db8649a]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/nspawn/nspawn.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
+index 005a3d2be1..0ac0c94f06 100644
+--- a/src/nspawn/nspawn.c
++++ b/src/nspawn/nspawn.c
+@@ -4275,8 +4275,13 @@ static int merge_settings(Settings *settings, const char *path) {
+ }
+
+ if ((arg_settings_mask & SETTING_EPHEMERAL) == 0 &&
+- settings->ephemeral >= 0)
+- arg_ephemeral = settings->ephemeral;
++ settings->ephemeral >= 0) {
++
++ if (!arg_settings_trusted)
++ log_warning("Ignoring ephemeral setting, file %s is not trusted.", path);
++ else
++ arg_ephemeral = settings->ephemeral;
++ }
+
+ if ((arg_settings_mask & SETTING_DIRECTORY) == 0 &&
+ settings->root) {
+@@ -4444,8 +4449,13 @@ static int merge_settings(Settings *settings, const char *path) {
+ }
+
+ if ((arg_settings_mask & SETTING_BIND_USER) == 0 &&
+- !strv_isempty(settings->bind_user))
+- strv_free_and_replace(arg_bind_user, settings->bind_user);
++ !strv_isempty(settings->bind_user)) {
++
++ if (!arg_settings_trusted)
++ log_warning("Ignoring bind user setting, file %s is not trusted.", path);
++ else
++ strv_free_and_replace(arg_bind_user, settings->bind_user);
++ }
+
+ if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0 &&
+ settings->notify_ready >= 0)
+--
+2.50.1
+
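Review bot: The two new trust gates in merge_settings() carry no comment saying why ephemeral and bind_user in particular are privileged, so a reader cannot tell them apart from the settings merged unconditionally around them; a one-line comment at each, `/* Only honoured from trusted settings files, see CVE-2026-40226. */`, would record the reason. The diffstat lists only src/nspawn/nspawn.c, so systemd.nspawn(5), which presumably documents which settings are ignored for untrusted files, is not updated by this backport; if the upstream commit or one of the listed cherry-picks touched the man page, that hunk belongs in this patch as well. merge_settings() starts before the first hunk and ends after the second.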
diff --git a/meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch b/meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch
new file mode 100644
index 0000000000..47f780e6c5
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/CVE-2026-40226-02.patch
@@ -0,0 +1,39 @@
+From bfa0a842822c4f79da9d47f8a773fd128d8f8a0a Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Wed, 11 Mar 2026 13:27:14 +0000
+Subject: [PATCH] nspawn: normalize pivot_root paths
+
+Originally reported on yeswehack.com as:
+YWH-PGM9780-116
+
+Follow-up for b53ede699cdc5233041a22591f18863fb3fe2672
+
+(cherry picked from commit 7b85f5498a958e5bb660c703b8f4a71cceed3373)
+(cherry picked from commit 6566dc1451089e07090f5a114ae2eb43ed39188d)
+(cherry picked from commit 1c55a0a5e26a07df828f72092ad1203e221b60db)
+
+CVE: CVE-2026-40226
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/bfa0a842822c4f79da9d47f8a773fd128d8f8a0a]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/nspawn/nspawn-mount.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
+index 470f477f22..09c442a63a 100644
+--- a/src/nspawn/nspawn-mount.c
++++ b/src/nspawn/nspawn-mount.c
+@@ -1255,7 +1255,9 @@ int pivot_root_parse(char **pivot_root_new, char **pivot_root_old, const char *s
+
+ if (!path_is_absolute(root_new))
+ return -EINVAL;
+- if (root_old && !path_is_absolute(root_old))
++ if (!path_is_normalized(root_new))
++ return -EINVAL;
++ if (root_old && (!path_is_absolute(root_old) || !path_is_normalized(root_old)))
+ return -EINVAL;
+
+ free_and_replace(*pivot_root_new, root_new);
+--
+2.50.1
+
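Review bot: Both new rejections return a bare -EINVAL, matching the pre-existing absolute-path check above them, so a user whose PivotRoot= is now refused gets no indication which of the two paths failed or that normalization was the reason; unless the caller already reports this, `return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Pivot root path '%s' is not normalized.", root_new);` (and likewise for root_old) would make the new check diagnosable. What path_is_normalized() rejects is not visible here; this note assumes it covers `.`/`..` components and repeated slashes — confirm against path-util.h. pivot_root_parse() starts and ends outside the hunk.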
diff --git a/meta/recipes-core/systemd/systemd_255.21.bb b/meta/recipes-core/systemd/systemd_255.21.bb
index fe9d699816..9c5f8af240 100644
--- a/meta/recipes-core/systemd/systemd_255.21.bb
+++ b/meta/recipes-core/systemd/systemd_255.21.bb
@@ -31,6 +31,8 @@ SRC_URI += " \
file://0008-implment-systemd-sysv-install-for-OE.patch \
file://CVE-2026-40225-01.patch \
file://CVE-2026-40225-02.patch \
+ file://CVE-2026-40226-01.patch \
+ file://CVE-2026-40226-02.patch \
"
# patches needed by musl
^ permalink raw reply related [flat|nested] 25+ messages in thread* [OE-core][scarthgap 22/23] libsoup: fix CVE-2025-14523
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Changqing Li <changqing.li@windriver.com>
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/work_items/472
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../libsoup-3.4.4/CVE-2025-14523.patch | 715 ++++++++++++++++++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 +
2 files changed, 716 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch
new file mode 100644
index 0000000000..1cf5c9d667
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-14523.patch
@@ -0,0 +1,715 @@
+From 70123da95418f5d6e00e8ac2d586fb6c5d02cdc6 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Wed, 7 Jan 2026 14:50:33 -0600
+Subject: [PATCH] Reject duplicate Host headers
+
+RFC 9112 section 3.2 says:
+
+A server MUST respond with a 400 (Bad Request) status code to any
+HTTP/1.1 request message that lacks a Host header field and to any
+request message that contains more than one Host header field line or a
+Host header field with an invalid field value.
+
+In addition to rejecting a duplicate header when parsing headers, also
+reject attempts to add the duplicate header using the
+soup_message_headers_append() API, and add tests for both cases.
+
+These checks will also apply to HTTP/2. I'm not sure whether this is
+actually desired or not, but the header processing code is not aware of
+which HTTP version is in use.
+
+(Note that while SoupMessageHeaders does not require the Host header to
+be present in an HTTP/1.1 request, SoupServer itself does. So we can't
+test the case of missing Host header via the header parsing test, but it
+really is enforced.)
+
+Fixes #472
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/aecd8daadc110f8561fb2d6b2806a4cacf2e4c85]
+CVE: CVE-2025-14523
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/soup-headers.c | 3 +-
+ libsoup/soup-message-headers-private.h | 4 +-
+ libsoup/soup-message-headers.c | 80 +++++++------
+ tests/header-parsing-test.c | 148 +++++++++++++++++--------
+ 4 files changed, 153 insertions(+), 82 deletions(-)
+
+diff --git a/libsoup/soup-headers.c b/libsoup/soup-headers.c
+index 155c11d..3fec9b3 100644
+--- a/libsoup/soup-headers.c
++++ b/libsoup/soup-headers.c
+@@ -139,7 +139,8 @@ soup_headers_parse (const char *str, int len, SoupMessageHeaders *dest)
+ for (p = strchr (value, '\r'); p; p = strchr (p, '\r'))
+ *p = ' ';
+
+- soup_message_headers_append_untrusted_data (dest, name, value);
++ if (!soup_message_headers_append_untrusted_data (dest, name, value))
++ goto done;
+ }
+ success = TRUE;
+
+diff --git a/libsoup/soup-message-headers-private.h b/libsoup/soup-message-headers-private.h
+index 9815464..770f3ef 100644
+--- a/libsoup/soup-message-headers-private.h
++++ b/libsoup/soup-message-headers-private.h
+@@ -10,10 +10,10 @@
+
+ G_BEGIN_DECLS
+
+-void soup_message_headers_append_untrusted_data (SoupMessageHeaders *hdrs,
++gboolean soup_message_headers_append_untrusted_data (SoupMessageHeaders *hdrs,
+ const char *name,
+ const char *value);
+-void soup_message_headers_append_common (SoupMessageHeaders *hdrs,
++gboolean soup_message_headers_append_common (SoupMessageHeaders *hdrs,
+ SoupHeaderName name,
+ const char *value);
+ const char *soup_message_headers_get_one_common (SoupMessageHeaders *hdrs,
+diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
+index d69d6e8..ce4b3b3 100644
+--- a/libsoup/soup-message-headers.c
++++ b/libsoup/soup-message-headers.c
+@@ -267,12 +267,16 @@ soup_message_headers_clean_connection_headers (SoupMessageHeaders *hdrs)
+ soup_header_free_list (tokens);
+ }
+
+-void
++gboolean
+ soup_message_headers_append_common (SoupMessageHeaders *hdrs,
+ SoupHeaderName name,
+ const char *value)
+ {
+ SoupCommonHeader header;
++ if (name == SOUP_HEADER_HOST && soup_message_headers_get_one (hdrs, "Host")) {
++ g_warning ("soup_message_headers_append_common: Rejecting duplicate Host header");
++ return FALSE;
++ }
+
+ if (!hdrs->common_headers)
+ hdrs->common_headers = g_array_sized_new (FALSE, FALSE, sizeof (SoupCommonHeader), 6);
+@@ -284,32 +288,18 @@ soup_message_headers_append_common (SoupMessageHeaders *hdrs,
+ g_hash_table_remove (hdrs->common_concat, GUINT_TO_POINTER (header.name));
+
+ soup_message_headers_set (hdrs, name, value);
++ return TRUE;
+ }
+
+-/**
+- * soup_message_headers_append:
+- * @hdrs: a #SoupMessageHeaders
+- * @name: the header name to add
+- * @value: the new value of @name
+- *
+- * Appends a new header with name @name and value @value to @hdrs.
+- *
+- * (If there is an existing header with name @name, then this creates a second
+- * one, which is only allowed for list-valued headers; see also
+- * [method@MessageHeaders.replace].)
+- *
+- * The caller is expected to make sure that @name and @value are
+- * syntactically correct.
+- **/
+-void
+-soup_message_headers_append (SoupMessageHeaders *hdrs,
+- const char *name, const char *value)
++static gboolean
++soup_message_headers_append_internal (SoupMessageHeaders *hdrs,
++ const char *name, const char *value)
+ {
+ SoupUncommonHeader header;
+ SoupHeaderName header_name;
+
+- g_return_if_fail (name != NULL);
+- g_return_if_fail (value != NULL);
++ g_return_val_if_fail (name != NULL, FALSE);
++ g_return_val_if_fail (value != NULL, FALSE);
+
+ /* Setting a syntactically invalid header name or value is
+ * considered to be a programming error. However, it can also
+@@ -317,23 +307,22 @@ soup_message_headers_append (SoupMessageHeaders *hdrs,
+ * compiled with G_DISABLE_CHECKS.
+ */
+ #ifndef G_DISABLE_CHECKS
+- g_return_if_fail (*name && strpbrk (name, " \t\r\n:") == NULL);
+- g_return_if_fail (strpbrk (value, "\r\n") == NULL);
++ g_return_val_if_fail (*name && strpbrk (name, " \t\r\n:") == NULL, FALSE);
++ g_return_val_if_fail (strpbrk (value, "\r\n") == NULL, FALSE);
+ #else
+ if (*name && strpbrk (name, " \t\r\n:")) {
+- g_warning ("soup_message_headers_append: Ignoring bad name '%s'", name);
+- return;
++ g_warning ("soup_message_headers_append: Rejecting bad name '%s'", name);
++ return FALSE;
+ }
+ if (strpbrk (value, "\r\n")) {
+- g_warning ("soup_message_headers_append: Ignoring bad value '%s'", value);
+- return;
++ g_warning ("soup_message_headers_append: Rejecting bad value '%s'", value);
++ return FALSE;
+ }
+ #endif
+
+ header_name = soup_header_name_from_string (name);
+ if (header_name != SOUP_HEADER_UNKNOWN) {
+- soup_message_headers_append_common (hdrs, header_name, value);
+- return;
++ return soup_message_headers_append_common (hdrs, header_name, value);
+ }
+
+ if (!hdrs->uncommon_headers)
+@@ -344,21 +333,48 @@ soup_message_headers_append (SoupMessageHeaders *hdrs,
+ g_array_append_val (hdrs->uncommon_headers, header);
+ if (hdrs->uncommon_concat)
+ g_hash_table_remove (hdrs->uncommon_concat, header.name);
++ return TRUE;
++}
++
++/**
++ * soup_message_headers_append:
++ * @hdrs: a #SoupMessageHeaders
++ * @name: the header name to add
++ * @value: the new value of @name
++ *
++ * Appends a new header with name @name and value @value to @hdrs.
++ *
++ * (If there is an existing header with name @name, then this creates a second
++ * one, which is only allowed for list-valued headers; see also
++ * [method@MessageHeaders.replace].)
++ *
++ * The caller is expected to make sure that @name and @value are
++ * syntactically correct.
++ **/
++void
++soup_message_headers_append (SoupMessageHeaders *hdrs,
++ const char *name, const char *value)
++{
++ soup_message_headers_append_internal (hdrs, name, value);
+ }
+
+ /*
+- * Appends a header value ensuring that it is valid UTF8.
++ * Appends a header value ensuring that it is valid UTF-8, and also checking the
++ * return value of soup_message_headers_append_internal() to report whether the
++ * headers are invalid for various other reasons.
+ */
+-void
++gboolean
+ soup_message_headers_append_untrusted_data (SoupMessageHeaders *hdrs,
+ const char *name,
+ const char *value)
+ {
+ char *safe_value = g_utf8_make_valid (value, -1);
+ char *safe_name = g_utf8_make_valid (name, -1);
+- soup_message_headers_append (hdrs, safe_name, safe_value);
++ gboolean result = soup_message_headers_append_internal (hdrs, safe_name, safe_value);
++
+ g_free (safe_value);
+ g_free (safe_name);
++ return result;
+ }
+
+ void
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 9490559..98a22a4 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -24,6 +24,7 @@ static struct RequestTest {
+ const char *method, *path;
+ SoupHTTPVersion version;
+ Header headers[10];
++ GLogLevelFlags log_flags;
+ } reqtests[] = {
+ /**********************/
+ /*** VALID REQUESTS ***/
+@@ -33,7 +34,7 @@ static struct RequestTest {
+ "GET / HTTP/1.0\r\n", -1,
+ SOUP_STATUS_OK,
+ "GET", "/", SOUP_HTTP_1_0,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "Req w/ 1 header", NULL,
+@@ -42,7 +43,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Host", "example.com" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 1 header, no leading whitespace", NULL,
+@@ -51,7 +52,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Host", "example.com" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 1 header including trailing whitespace", NULL,
+@@ -60,7 +61,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Host", "example.com" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 1 header, wrapped", NULL,
+@@ -69,7 +70,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Foo", "bar baz" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 1 header, wrapped with additional whitespace", NULL,
+@@ -78,7 +79,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Foo", "bar baz" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 1 header, wrapped with tab", NULL,
+@@ -87,7 +88,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Foo", "bar baz" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 1 header, wrapped before value", NULL,
+@@ -96,7 +97,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Foo", "bar baz" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 1 header with empty value", NULL,
+@@ -105,7 +106,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Host", "" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 2 headers", NULL,
+@@ -115,7 +116,7 @@ static struct RequestTest {
+ { { "Host", "example.com" },
+ { "Connection", "close" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 3 headers", NULL,
+@@ -126,7 +127,7 @@ static struct RequestTest {
+ { "Connection", "close" },
+ { "Blah", "blah" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 3 headers, 1st wrapped", NULL,
+@@ -137,7 +138,7 @@ static struct RequestTest {
+ { "Foo", "bar baz" },
+ { "Blah", "blah" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 3 headers, 2nd wrapped", NULL,
+@@ -148,7 +149,7 @@ static struct RequestTest {
+ { "Blah", "blah" },
+ { "Foo", "bar baz" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ 3 headers, 3rd wrapped", NULL,
+@@ -159,7 +160,7 @@ static struct RequestTest {
+ { "Blah", "blah" },
+ { "Foo", "bar baz" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ same header multiple times", NULL,
+@@ -168,7 +169,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Foo", "bar, baz, quux" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Connection header on HTTP/1.0 message", NULL,
+@@ -178,21 +179,21 @@ static struct RequestTest {
+ { { "Connection", "Bar, Quux" },
+ { "Foo", "bar" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "GET with full URI", "667637",
+ "GET http://example.com HTTP/1.1\r\n", -1,
+ SOUP_STATUS_OK,
+ "GET", "http://example.com", SOUP_HTTP_1_1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "GET with full URI in upper-case", "667637",
+ "GET HTTP://example.com HTTP/1.1\r\n", -1,
+ SOUP_STATUS_OK,
+ "GET", "HTTP://example.com", SOUP_HTTP_1_1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ /* It's better for this to be passed through: this means a SoupServer
+@@ -202,7 +203,7 @@ static struct RequestTest {
+ "GET AbOuT: HTTP/1.1\r\n", -1,
+ SOUP_STATUS_OK,
+ "GET", "AbOuT:", SOUP_HTTP_1_1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ /****************************/
+@@ -217,7 +218,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Host", "example.com" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ /* RFC 2616 section 3.1 says we MUST accept this */
+@@ -228,7 +229,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Host", "example.com" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ /* RFC 2616 section 19.3 says we SHOULD accept these */
+@@ -240,7 +241,7 @@ static struct RequestTest {
+ { { "Host", "example.com" },
+ { "Connection", "close" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "LF instead of CRLF after Request-Line", NULL,
+@@ -249,7 +250,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Host", "example.com" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Mixed CRLF/LF", "666316",
+@@ -261,7 +262,7 @@ static struct RequestTest {
+ { "e", "f" },
+ { "g", "h" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ incorrect whitespace in Request-Line", NULL,
+@@ -270,7 +271,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Host", "example.com" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Req w/ incorrect whitespace after Request-Line", "475169",
+@@ -279,7 +280,7 @@ static struct RequestTest {
+ "GET", "/", SOUP_HTTP_1_1,
+ { { "Host", "example.com" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ /* If the request/status line is parseable, then we
+@@ -293,7 +294,7 @@ static struct RequestTest {
+ { { "Host", "example.com" },
+ { "Bar", "two" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "First header line is continuation", "666316",
+@@ -303,7 +304,7 @@ static struct RequestTest {
+ { { "Host", "example.com" },
+ { "c", "d" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Zero-length header name", "666316",
+@@ -313,7 +314,7 @@ static struct RequestTest {
+ { { "a", "b" },
+ { "c", "d" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "CR in header name", "666316",
+@@ -323,7 +324,7 @@ static struct RequestTest {
+ { { "a", "b" },
+ { "c", "d" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "CR in header value", "666316",
+@@ -336,7 +337,7 @@ static struct RequestTest {
+ { "s", "t" }, /* CR at end is ignored */
+ { "c", "d" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Tab in header name", "666316",
+@@ -351,7 +352,7 @@ static struct RequestTest {
+ { "p", "q z: w" },
+ { "c", "d" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ { "Tab in header value", "666316",
+@@ -364,7 +365,7 @@ static struct RequestTest {
+ { "z", "w" }, /* trailing tab ignored */
+ { "c", "d" },
+ { NULL }
+- }
++ }, 0
+ },
+
+ /************************/
+@@ -375,77 +376,77 @@ static struct RequestTest {
+ "GET /\r\n", -1,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "HTTP 1.2 request (no such thing)", NULL,
+ "GET / HTTP/1.2\r\n", -1,
+ SOUP_STATUS_HTTP_VERSION_NOT_SUPPORTED,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "HTTP 2000 request (no such thing)", NULL,
+ "GET / HTTP/2000.0\r\n", -1,
+ SOUP_STATUS_HTTP_VERSION_NOT_SUPPORTED,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "Long HTTP version terminating at missing minor version", "https://gitlab.gnome.org/GNOME/libsoup/-/issues/404",
+ unterminated_http_version, sizeof (unterminated_http_version),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "Non-HTTP request", NULL,
+ "GET / SOUP/1.1\r\nHost: example.com\r\n", -1,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "Junk after Request-Line", NULL,
+ "GET / HTTP/1.1 blah\r\nHost: example.com\r\n", -1,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "NUL in Method", NULL,
+ "G\x00T / HTTP/1.1\r\nHost: example.com\r\n", 37,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "NUL at beginning of Method", "666316",
+ "\x00 / HTTP/1.1\r\nHost: example.com\r\n", 35,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "NUL in Path", NULL,
+ "GET /\x00 HTTP/1.1\r\nHost: example.com\r\n", 38,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "No terminating CRLF", NULL,
+ "GET / HTTP/1.1\r\nHost: example.com", -1,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "Unrecognized expectation", NULL,
+ "GET / HTTP/1.1\r\nHost: example.com\r\nExpect: the-impossible\r\n", -1,
+ SOUP_STATUS_EXPECTATION_FAILED,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ // https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
+@@ -453,21 +454,40 @@ static struct RequestTest {
+ "GET / HTTP/1.1\r\nHost\x00: example.com\r\n", 36,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "NUL in header value", NULL,
+ "HTTP/1.1 200 OK\r\nFoo: b\x00" "ar\r\n", 28,
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
+ },
+
+ { "Only newlines", NULL,
+ only_newlines, sizeof (only_newlines),
+ SOUP_STATUS_BAD_REQUEST,
+ NULL, NULL, -1,
+- { { NULL } }
++ { { NULL } }, 0
++ },
++ { "Duplicate Host headers",
++ "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
++ "GET / HTTP/1.1\r\nHost: example.com\r\nHost: example.org\r\n",
++ -1,
++ SOUP_STATUS_BAD_REQUEST,
++ NULL, NULL, -1,
++ { { NULL } },
++ G_LOG_LEVEL_WARNING
++ },
++
++ { "Duplicate Host headers, case insensitive",
++ "https://gitlab.gnome.org/GNOME/libsoup/-/issues/472",
++ "GET / HTTP/1.1\r\nHost: example.com\r\nhost: example.org\r\n",
++ -1,
++ SOUP_STATUS_BAD_REQUEST,
++ NULL, NULL, -1,
++ { { NULL } },
++ G_LOG_LEVEL_WARNING
+ }
+ };
+ static const int num_reqtests = G_N_ELEMENTS (reqtests);
+@@ -915,10 +935,17 @@ do_request_tests (void)
+ len = strlen (reqtests[i].request);
+ else
+ len = reqtests[i].length;
++
++ if (reqtests[i].log_flags)
++ g_test_expect_message ("libsoup", reqtests[i].log_flags, "*");
++
+ status = soup_headers_parse_request (reqtests[i].request, len,
+ headers, &method, &path,
+ &version);
+ g_assert_cmpint (status, ==, reqtests[i].status);
++ if (reqtests[i].log_flags)
++ g_test_assert_expected_messages ();
++
+ if (SOUP_STATUS_IS_SUCCESSFUL (status)) {
+ g_assert_cmpstr (method, ==, reqtests[i].method);
+ g_assert_cmpstr (path, ==, reqtests[i].path);
+@@ -1312,6 +1339,32 @@ do_bad_header_tests (void)
+ soup_message_headers_unref (hdrs);
+ }
+
++static void
++do_append_duplicate_host_test (void)
++{
++ SoupMessageHeaders *hdrs;
++ const char *list_value;
++
++ hdrs = soup_message_headers_new (SOUP_MESSAGE_HEADERS_REQUEST);
++ soup_message_headers_append (hdrs, "Host", "a");
++
++ g_test_expect_message ("libsoup", G_LOG_LEVEL_WARNING,
++ "soup_message_headers_append_common: Rejecting duplicate Host header");
++ soup_message_headers_append (hdrs, "Host", "b");
++ g_test_assert_expected_messages ();
++
++ /* Case insensitive */
++ g_test_expect_message ("libsoup", G_LOG_LEVEL_WARNING,
++ "soup_message_headers_append_common: Rejecting duplicate Host header");
++ soup_message_headers_append (hdrs, "host", "b");
++ g_test_assert_expected_messages ();
++
++ list_value = soup_message_headers_get_list (hdrs, "Host");
++ g_assert_cmpstr (list_value, ==, "a");
++
++ soup_message_headers_unref (hdrs);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -1327,6 +1380,7 @@ main (int argc, char **argv)
+ g_test_add_func ("/header-parsing/content-type", do_content_type_tests);
+ g_test_add_func ("/header-parsing/append-param", do_append_param_tests);
+ g_test_add_func ("/header-parsing/bad", do_bad_header_tests);
++ g_test_add_func ("/header-parsing/append-duplicate-host", do_append_duplicate_host_test);
+
+ ret = g_test_run ();
+
+--
+2.34.1
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
index c09b06fec2..6be31806f1 100644
--- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -46,6 +46,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-2784.patch \
file://CVE-2025-4945.patch \
file://CVE-2025-12105.patch \
+ file://CVE-2025-14523.patch \
"
SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
* [OE-core][scarthgap 23/23] libsoup: fix CVE-2025-32049
From: Fabien Thomas @ 2026-05-05 16:57 UTC (permalink / raw)
To: openembedded-core
From: Changqing Li <changqing.li@windriver.com>
Refer:
https://gitlab.gnome.org/GNOME/libsoup/-/issues/390
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Fabien Thomas <fabien.thomas@smile.fr>
---
.../libsoup-3.4.4/CVE-2025-32049-1.patch | 229 ++++++++++++++
.../libsoup-3.4.4/CVE-2025-32049-2.patch | 34 ++
.../libsoup-3.4.4/CVE-2025-32049-3.patch | 134 ++++++++
.../libsoup-3.4.4/CVE-2025-32049-4.patch | 292 ++++++++++++++++++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 4 +
5 files changed, 693 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch
new file mode 100644
index 0000000000..0772c759dc
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-1.patch
@@ -0,0 +1,229 @@
+From 176cb31003252a69d3fc7908e8f505c0ee006b7a Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Wed, 24 Jul 2024 15:20:35 +0200
+Subject: [PATCH 1/4] websocket: add a way to restrict the total message size
+
+Otherwise a client could send small packages smaller than
+total-incoming-payload-size but still to break the server
+with a big allocation
+
+Fixes: #390
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/db87805ab565d67533dfed2cb409dbfd63c7fdce]
+CVE: CVE-2025-32049
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/websocket/soup-websocket-connection.c | 107 +++++++++++++++++-
+ libsoup/websocket/soup-websocket-connection.h | 7 ++
+ 2 files changed, 110 insertions(+), 4 deletions(-)
+
+diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
+index 5eb8150..19bdd39 100644
+--- a/libsoup/websocket/soup-websocket-connection.c
++++ b/libsoup/websocket/soup-websocket-connection.c
+@@ -84,7 +84,7 @@ enum {
+ PROP_MAX_INCOMING_PAYLOAD_SIZE,
+ PROP_KEEPALIVE_INTERVAL,
+ PROP_EXTENSIONS,
+-
++ PROP_MAX_TOTAL_MESSAGE_SIZE,
+ LAST_PROPERTY
+ };
+
+@@ -126,6 +126,7 @@ typedef struct {
+ char *origin;
+ char *protocol;
+ guint64 max_incoming_payload_size;
++ guint64 max_total_message_size;
+ guint keepalive_interval;
+
+ gushort peer_close_code;
+@@ -156,6 +157,7 @@ typedef struct {
+ } SoupWebsocketConnectionPrivate;
+
+ #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT 128 * 1024
++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024
+ #define READ_BUFFER_SIZE 1024
+ #define MASK_LENGTH 4
+
+@@ -670,8 +672,8 @@ bad_data_error_and_close (SoupWebsocketConnection *self)
+ }
+
+ static void
+-too_big_error_and_close (SoupWebsocketConnection *self,
+- guint64 payload_len)
++too_big_incoming_payload_error_and_close (SoupWebsocketConnection *self,
++ guint64 payload_len)
+ {
+ SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self);
+ GError *error;
+@@ -687,6 +689,24 @@ too_big_error_and_close (SoupWebsocketConnection *self,
+ emit_error_and_close (self, error, TRUE);
+ }
+
++static void
++too_big_message_error_and_close (SoupWebsocketConnection *self,
++ guint64 len)
++{
++ SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self);
++ GError *error;
++
++ error = g_error_new_literal (SOUP_WEBSOCKET_ERROR,
++ SOUP_WEBSOCKET_CLOSE_TOO_BIG,
++ priv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ?
++ "Received WebSocket payload from the client larger than configured max-total-message-size" :
++ "Received WebSocket payload from the server larger than configured max-total-message-size");
++ g_debug ("%s received message of size %" G_GUINT64_FORMAT " or greater, but max supported size is %" G_GUINT64_FORMAT,
++ priv->connection_type == SOUP_WEBSOCKET_CONNECTION_SERVER ? "server" : "client",
++ len, priv->max_total_message_size);
++ emit_error_and_close (self, error, TRUE);
++}
++
+ static void
+ close_connection (SoupWebsocketConnection *self,
+ gushort code,
+@@ -918,6 +938,12 @@ process_contents (SoupWebsocketConnection *self,
+ switch (priv->message_opcode) {
+ case 0x01:
+ case 0x02:
++ /* Safety valve */
++ if (priv->max_total_message_size > 0 &&
++ (priv->message_data->len + payload_len) > priv->max_total_message_size) {
++ too_big_message_error_and_close (self, (priv->message_data->len + payload_len));
++ return;
++ }
+ g_byte_array_append (priv->message_data, payload, payload_len);
+ break;
+ default:
+@@ -1056,7 +1082,7 @@ process_frame (SoupWebsocketConnection *self)
+ /* Safety valve */
+ if (priv->max_incoming_payload_size > 0 &&
+ payload_len > priv->max_incoming_payload_size) {
+- too_big_error_and_close (self, payload_len);
++ too_big_incoming_payload_error_and_close (self, payload_len);
+ return FALSE;
+ }
+
+@@ -1363,6 +1389,10 @@ soup_websocket_connection_get_property (GObject *object,
+ g_value_set_pointer (value, priv->extensions);
+ break;
+
++ case PROP_MAX_TOTAL_MESSAGE_SIZE:
++ g_value_set_uint64 (value, priv->max_total_message_size);
++ break;
++
+ default:
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+ break;
+@@ -1416,6 +1446,10 @@ soup_websocket_connection_set_property (GObject *object,
+ priv->extensions = g_value_get_pointer (value);
+ break;
+
++ case PROP_MAX_TOTAL_MESSAGE_SIZE:
++ priv->max_total_message_size = g_value_get_uint64 (value);
++ break;
++
+ default:
+ G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
+ break;
+@@ -1628,6 +1662,26 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass)
+ G_PARAM_CONSTRUCT_ONLY |
+ G_PARAM_STATIC_STRINGS);
+
++ /**
++ * SoupWebsocketConnection:max-total-message-size:
++ *
++ * The total message size for incoming packets.
++ *
++ * The protocol expects or 0 to not limit it.
++ *
++ * Since: 3.8
++ */
++ properties[PROP_MAX_TOTAL_MESSAGE_SIZE] =
++ g_param_spec_uint64 ("max-total-message-size",
++ "Max total message size",
++ "Max total message size ",
++ 0,
++ G_MAXUINT64,
++ MAX_TOTAL_MESSAGE_SIZE_DEFAULT,
++ G_PARAM_READWRITE |
++ G_PARAM_CONSTRUCT |
++ G_PARAM_STATIC_STRINGS);
++
+ g_object_class_install_properties (gobject_class, LAST_PROPERTY, properties);
+
+ /**
+@@ -2111,6 +2165,51 @@ soup_websocket_connection_set_max_incoming_payload_size (SoupWebsocketConnection
+ }
+ }
+
++/**
++ * soup_websocket_connection_get_max_total_message_size:
++ * @self: the WebSocket
++ *
++ * Gets the maximum total message size allowed for packets.
++ *
++ * Returns: the maximum total message size.
++ *
++ * Since: 3.8
++ */
++guint64
++soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *self)
++{
++ SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self);
++
++ g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT);
++
++ return priv->max_total_message_size;
++}
++
++/**
++ * soup_websocket_connection_set_max_total_message_size:
++ * @self: the WebSocket
++ * @max_total_message_size: the maximum total message size
++ *
++ * Sets the maximum total message size allowed for packets.
++ *
++ * It does not limit the outgoing packet size.
++ *
++ * Since: 3.8
++ */
++void
++soup_websocket_connection_set_max_total_message_size (SoupWebsocketConnection *self,
++ guint64 max_total_message_size)
++{
++ SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self);
++
++ g_return_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self));
++
++ if (priv->max_total_message_size != max_total_message_size) {
++ priv->max_total_message_size = max_total_message_size;
++ g_object_notify_by_pspec (G_OBJECT (self), properties[PROP_MAX_TOTAL_MESSAGE_SIZE]);
++ }
++}
++
+ /**
+ * soup_websocket_connection_get_keepalive_interval:
+ * @self: the WebSocket
+diff --git a/libsoup/websocket/soup-websocket-connection.h b/libsoup/websocket/soup-websocket-connection.h
+index eeb093d..922de56 100644
+--- a/libsoup/websocket/soup-websocket-connection.h
++++ b/libsoup/websocket/soup-websocket-connection.h
+@@ -88,6 +88,13 @@ SOUP_AVAILABLE_IN_ALL
+ void soup_websocket_connection_set_max_incoming_payload_size (SoupWebsocketConnection *self,
+ guint64 max_incoming_payload_size);
+
++SOUP_AVAILABLE_IN_3_0
++guint64 soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *self);
++
++SOUP_AVAILABLE_IN_3_0
++void soup_websocket_connection_set_max_total_message_size (SoupWebsocketConnection *self,
++ guint64 max_total_message_size);
++
+ SOUP_AVAILABLE_IN_ALL
+ guint soup_websocket_connection_get_keepalive_interval (SoupWebsocketConnection *self);
+
+--
+2.34.1
+
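Review bot: `#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024` in soup-websocket-connection.c is an unparenthesized expression macro; it happens to work as the g_param_spec_uint64 default here, but the same definition reappears in CVE-2025-32049-3.patch in soup-server.c where it is used as `(guint64)MAX_TOTAL_MESSAGE_SIZE_DEFAULT`, which parses as `((guint64)128) * 1024` and yields the intended value only incidentally. Both should read `#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT (128 * 1024)` (the pre-existing `MAX_INCOMING_PAYLOAD_SIZE_DEFAULT` has the same shape and could be fixed in passing). The new public getter and setter are annotated `SOUP_AVAILABLE_IN_3_0` in the header while their gtk-doc blocks say `Since: 3.8`; in a 3.4.4 backport the two should agree, presumably by dropping or adjusting the `Since:` lines so generated documentation does not advertise a version this tree never shipped.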
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch
new file mode 100644
index 0000000000..6f00fabfdb
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-2.patch
@@ -0,0 +1,34 @@
+From 81eb7cf7422878f0b78b833a3b741f734502921f Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Fri, 20 Sep 2024 12:12:38 +0200
+Subject: [PATCH 2/4] websocket-test: set the total message size
+
+This is required when sending a big amount of data
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4904a46a2d9a014efa6be01a186ac353dbf5047b]
+CVE: CVE-2025-32049
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tests/websocket-test.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index a0b8334..827b041 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -567,6 +567,11 @@ test_send_big_packets (Test *test,
+ soup_websocket_connection_set_max_incoming_payload_size (test->server, 1000 * 1000 + 1);
+ g_assert (soup_websocket_connection_get_max_incoming_payload_size (test->server) == (1000 * 1000 + 1));
+
++ soup_websocket_connection_set_max_total_message_size (test->client, 1000 * 1000 + 1);
++ g_assert (soup_websocket_connection_get_max_total_message_size (test->client) == (1000 * 1000 + 1));
++ soup_websocket_connection_set_max_total_message_size (test->server, 1000 * 1000 + 1);
++ g_assert (soup_websocket_connection_get_max_total_message_size (test->server) == (1000 * 1000 + 1));
++
+ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
+ soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
+ WAIT_UNTIL (received != NULL);
+--
+2.34.1
+
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch
new file mode 100644
index 0000000000..29fb0d7ddb
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-3.patch
@@ -0,0 +1,134 @@
+From 25616e1a958bc1503cc24d6845a6e80ffc287727 Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 8 May 2025 16:16:25 -0500
+Subject: [PATCH] Set message size limit in SoupServer rather than
+ SoupWebsocketConnection
+
+We're not sure about the compatibility implications of having a default
+size limit for clients.
+
+Also not sure whether the server limit is actually set appropriately,
+but there is probably very little server usage of
+SoupWebsocketConnection in the wild, so it's not so likely to break
+things.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/2df34d9544cabdbfdedd3b36f098cf69233b1df7]
+CVE: CVE-2025-32049
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ libsoup/server/soup-server.c | 24 +++++++++++++----
+ libsoup/websocket/soup-websocket-connection.c | 26 +++++++++++++------
+ 2 files changed, 37 insertions(+), 13 deletions(-)
+
+diff --git a/libsoup/server/soup-server.c b/libsoup/server/soup-server.c
+index 6b486f5..c779f7d 100644
+--- a/libsoup/server/soup-server.c
++++ b/libsoup/server/soup-server.c
+@@ -186,6 +186,16 @@ static GParamSpec *properties[LAST_PROPERTY] = { NULL, };
+
+ G_DEFINE_TYPE_WITH_PRIVATE (SoupServer, soup_server, G_TYPE_OBJECT)
+
++/* SoupWebsocketConnection by default limits only maximum packet size. But a
++ * message may consist of multiple packets, so SoupServer additionally restricts
++ * total message size to mitigate denial of service attacks on the server.
++ * SoupWebsocketConnection does not do this by default because I don't know
++ * whether that would or would not cause compatibility problems for websites.
++ *
++ * This size is in bytes and it is arbitrary.
++ */
++#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024
++
+ static void request_finished (SoupServerMessage *msg,
+ SoupMessageIOCompletion completion,
+ SoupServer *server);
+@@ -937,11 +947,15 @@ complete_websocket_upgrade (SoupServer *server,
+
+ g_object_ref (msg);
+ stream = soup_server_message_steal_connection (msg);
+- conn = soup_websocket_connection_new (stream, uri,
+- SOUP_WEBSOCKET_CONNECTION_SERVER,
+- soup_message_headers_get_one_common (soup_server_message_get_request_headers (msg), SOUP_HEADER_ORIGIN),
+- soup_message_headers_get_one_common (soup_server_message_get_response_headers (msg), SOUP_HEADER_SEC_WEBSOCKET_PROTOCOL),
+- handler->websocket_extensions);
++ conn = SOUP_WEBSOCKET_CONNECTION (g_object_new (SOUP_TYPE_WEBSOCKET_CONNECTION,
++ "io-stream", stream,
++ "uri", uri,
++ "connection-type", SOUP_WEBSOCKET_CONNECTION_SERVER,
++ "origin", soup_message_headers_get_one_common (soup_server_message_get_request_headers (msg), SOUP_HEADER_ORIGIN),
++ "protocol", soup_message_headers_get_one_common (soup_server_message_get_response_headers (msg), SOUP_HEADER_SEC_WEBSOCKET_PROTOCOL),
++ "extensions", handler->websocket_extensions,
++ "max-total-message-size", (guint64)MAX_TOTAL_MESSAGE_SIZE_DEFAULT,
++ NULL));
+ handler->websocket_extensions = NULL;
+ g_object_unref (stream);
+
+diff --git a/libsoup/websocket/soup-websocket-connection.c b/libsoup/websocket/soup-websocket-connection.c
+index 26476df..cbb1b72 100644
+--- a/libsoup/websocket/soup-websocket-connection.c
++++ b/libsoup/websocket/soup-websocket-connection.c
+@@ -149,7 +149,6 @@ typedef struct {
+ } SoupWebsocketConnectionPrivate;
+
+ #define MAX_INCOMING_PAYLOAD_SIZE_DEFAULT 128 * 1024
+-#define MAX_TOTAL_MESSAGE_SIZE_DEFAULT 128 * 1024
+ #define READ_BUFFER_SIZE 1024
+ #define MASK_LENGTH 4
+
+@@ -1612,9 +1611,10 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass)
+ /**
+ * SoupWebsocketConnection:max-incoming-payload-size:
+ *
+- * The maximum payload size for incoming packets.
+- *
+- * The protocol expects or 0 to not limit it.
++ * The maximum payload size for incoming packets, or 0 to not limit it.
++ *
++ * Each message may consist of multiple packets, so also refer to
++ * [property@WebSocketConnection:max-total-message-size].
+ */
+ properties[PROP_MAX_INCOMING_PAYLOAD_SIZE] =
+ g_param_spec_uint64 ("max-incoming-payload-size",
+@@ -1662,9 +1662,19 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass)
+ /**
+ * SoupWebsocketConnection:max-total-message-size:
+ *
+- * The total message size for incoming packets.
++ * The maximum size for incoming messages.
++ *
++ * Set to a value to limit the total message size, or 0 to not
++ * limit it.
++ *
++ * [method@Server.add_websocket_handler] will set this to a nonzero
++ * default value to mitigate denial of service attacks. Clients must
++ * choose their own default if they need to mitigate denial of service
++ * attacks. You also need to set your own default if creating your own
++ * server SoupWebsocketConnection without using SoupServer.
+ *
+- * The protocol expects or 0 to not limit it.
++ * Each message may consist of multiple packets, so also refer to
++ * [property@WebSocketConnection:max-incoming-payload-size].
+ *
+ * Since: 3.8
+ */
+@@ -1674,7 +1684,7 @@ soup_websocket_connection_class_init (SoupWebsocketConnectionClass *klass)
+ "Max total message size ",
+ 0,
+ G_MAXUINT64,
+- MAX_TOTAL_MESSAGE_SIZE_DEFAULT,
++ 0,
+ G_PARAM_READWRITE |
+ G_PARAM_CONSTRUCT |
+ G_PARAM_STATIC_STRINGS);
+@@ -2164,7 +2174,7 @@ soup_websocket_connection_get_max_total_message_size (SoupWebsocketConnection *s
+ {
+ SoupWebsocketConnectionPrivate *priv = soup_websocket_connection_get_instance_private (self);
+
+- g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), MAX_TOTAL_MESSAGE_SIZE_DEFAULT);
++ g_return_val_if_fail (SOUP_IS_WEBSOCKET_CONNECTION (self), 0);
+
+ return priv->max_total_message_size;
+ }
+--
+2.34.1
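Review bot: The server-side default is applied only inside complete_websocket_upgrade through the `"max-total-message-size"` construct property, and neither the new comment nor the property doc says how an application changes it; no SoupServer-level setting appears in this hunk, so the only route visible here is calling `soup_websocket_connection_set_max_total_message_size` on the connection, presumably from the websocket handler callback, which is worth stating in the comment above the `#define`. That comment is also written in the first person (`I don't know whether ...`); a neutral `it is unclear whether a default limit would cause compatibility problems for websites` reads better in library code. For consumers of this backport, client connections and server connections created without SoupServer keep the default of 0 (unlimited), as the updated property doc states, so the mitigation is only automatic for SoupServer handlers.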
+
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch
new file mode 100644
index 0000000000..6f391e98e2
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-32049-4.patch
@@ -0,0 +1,292 @@
+From 3c87790a4ba141125e6ba165c478f0440e8e693e Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Fri, 16 May 2025 16:55:40 -0500
+Subject: [PATCH 4/4] Add tests for max-incoming-packet-size and
+ max-total-message-size
+
+An even better test would verify that it's possible to send big messages
+containing small packets, but libsoup doesn't offer control over packet
+size, and I don't want to take the time to learn how WebSockets work to
+figure out how to do that manually. Instead, I just check that both
+limits work, for both client and server.
+
+I didn't add deflate variants of these tests because I doubt that would
+add valuable coverage.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/4d00b45b7eebdcfa0706b58e34c40b8a0a16015b]
+CVE: CVE-2025-32049
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ tests/websocket-test.c | 214 +++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 197 insertions(+), 17 deletions(-)
+
+diff --git a/tests/websocket-test.c b/tests/websocket-test.c
+index 827b041..ec1324c 100644
+--- a/tests/websocket-test.c
++++ b/tests/websocket-test.c
+@@ -543,16 +543,9 @@ test_send_big_packets (Test *test,
+ {
+ GBytes *sent = NULL;
+ GBytes *received = NULL;
++ gulong signal_id;
+
+- g_signal_connect (test->client, "message", G_CALLBACK (on_text_message), &received);
+-
+- sent = g_bytes_new_take (g_strnfill (400, '!'), 400);
+- soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
+- WAIT_UNTIL (received != NULL);
+- g_assert (g_bytes_equal (sent, received));
+- g_bytes_unref (sent);
+- g_bytes_unref (received);
+- received = NULL;
++ signal_id = g_signal_connect (test->client, "message", G_CALLBACK (on_text_message), &received);
+
+ sent = g_bytes_new_take (g_strnfill (100 * 1000, '?'), 100 * 1000);
+ soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
+@@ -563,23 +556,174 @@ test_send_big_packets (Test *test,
+ received = NULL;
+
+ soup_websocket_connection_set_max_incoming_payload_size (test->client, 1000 * 1000 + 1);
+- g_assert (soup_websocket_connection_get_max_incoming_payload_size (test->client) == (1000 * 1000 + 1));
++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 1000 * 1000 + 1);
+ soup_websocket_connection_set_max_incoming_payload_size (test->server, 1000 * 1000 + 1);
+- g_assert (soup_websocket_connection_get_max_incoming_payload_size (test->server) == (1000 * 1000 + 1));
++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 1000 * 1000 + 1);
+
+ soup_websocket_connection_set_max_total_message_size (test->client, 1000 * 1000 + 1);
+- g_assert (soup_websocket_connection_get_max_total_message_size (test->client) == (1000 * 1000 + 1));
++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 1000 * 1000 + 1);
+ soup_websocket_connection_set_max_total_message_size (test->server, 1000 * 1000 + 1);
+- g_assert (soup_websocket_connection_get_max_total_message_size (test->server) == (1000 * 1000 + 1));
++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 1000 * 1000 + 1);
+
+ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
+ soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
+ WAIT_UNTIL (received != NULL);
+ g_assert (g_bytes_equal (sent, received));
++ g_bytes_unref (received);
++ received = NULL;
++
++ /* Reverse the test and send the big message to the server. */
++ g_signal_handler_disconnect (test->client, signal_id);
++ g_signal_connect (test->server, "message", G_CALLBACK (on_text_message), &received);
++
++ soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL));
++ WAIT_UNTIL (received != NULL);
++ g_assert_true (g_bytes_equal (sent, received));
+ g_bytes_unref (sent);
+ g_bytes_unref (received);
+ }
+
++static void
++test_send_big_packets_direct (Test *test,
++ gconstpointer data)
++{
++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024);
++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0);
++
++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024);
++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 0);
++
++ test_send_big_packets (test, data);
++}
++
++static void
++test_send_big_packets_soup (Test *test,
++ gconstpointer data)
++{
++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024);
++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0);
++
++ /* Max total message size defaults to 0 (unlimited), but SoupServer applies its own limit by default. */
++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024);
++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 128 * 1024);
++
++ test_send_big_packets (test, data);
++}
++
++static void
++test_send_exceeding_client_max_payload_size (Test *test,
++ gconstpointer data)
++{
++ GBytes *sent = NULL;
++ GBytes *received = NULL;
++ gboolean close_event = FALSE;
++ GError *error = NULL;
++
++ g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
++ g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 128 * 1024);
++
++ soup_websocket_connection_set_max_incoming_payload_size (test->server, 0);
++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 0);
++
++ /* The message to the client is dropped due to the client's limit. */
++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
++ soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
++ g_bytes_unref (sent);
++ WAIT_UNTIL (close_event);
++ g_assert_null (received);
++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED);
++ g_assert_no_error (test->client_error);
++}
++
++static void
++test_send_exceeding_server_max_payload_size (Test *test,
++ gconstpointer data)
++{
++ GBytes *sent = NULL;
++ GBytes *received = NULL;
++ gboolean close_event = FALSE;
++ GError *error = NULL;
++
++ g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++ g_signal_connect (test->server, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++ soup_websocket_connection_set_max_incoming_payload_size (test->client, 0);
++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->client), ==, 0);
++
++ g_assert_cmpuint (soup_websocket_connection_get_max_incoming_payload_size (test->server), ==, 128 * 1024);
++
++ /* The message to the server is dropped due to the server's limit. */
++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
++ soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL));
++ g_bytes_unref (sent);
++ WAIT_UNTIL (close_event);
++ g_assert_null (received);
++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED);
++ g_assert_no_error (test->client_error);
++}
++
++static void
++test_send_exceeding_client_max_message_size (Test *test,
++ gconstpointer data)
++{
++ GBytes *sent = NULL;
++ GBytes *received = NULL;
++ gboolean close_event = FALSE;
++ GError *error = NULL;
++
++ g_signal_connect (test->server, "error", G_CALLBACK (on_error_copy), &error);
++ g_signal_connect (test->client, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++ soup_websocket_connection_set_max_total_message_size (test->client, 128 * 1024);
++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 128 * 1024);
++
++ soup_websocket_connection_set_max_total_message_size (test->server, 0);
++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 0);
++
++ /* The message to the client is dropped due to the client's limit. */
++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
++ soup_websocket_connection_send_text (test->server, g_bytes_get_data (sent, NULL));
++ g_bytes_unref (sent);
++ WAIT_UNTIL (close_event);
++ g_assert_null (received);
++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED);
++ g_assert_no_error (test->client_error);
++}
++
++static void
++test_send_exceeding_server_max_message_size (Test *test,
++ gconstpointer data)
++{
++ GBytes *sent = NULL;
++ GBytes *received = NULL;
++ gboolean close_event = FALSE;
++ GError *error = NULL;
++
++ g_signal_connect (test->client, "error", G_CALLBACK (on_error_copy), &error);
++ g_signal_connect (test->server, "closed", G_CALLBACK (on_close_set_flag), &close_event);
++
++ soup_websocket_connection_set_max_total_message_size (test->client, 0);
++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->client), ==, 0);
++
++ /* Set the server message total message size manually, because its
++ * default is different for direct connection vs. soup connection.
++ */
++ soup_websocket_connection_set_max_total_message_size (test->server, 128 * 1024);
++ g_assert_cmpuint (soup_websocket_connection_get_max_total_message_size (test->server), ==, 128 * 1024);
++
++ /* The message to the server is dropped due to the server's limit. */
++ sent = g_bytes_new_take (g_strnfill (1000 * 1000, '?'), 1000 * 1000);
++ soup_websocket_connection_send_text (test->client, g_bytes_get_data (sent, NULL));
++ g_bytes_unref (sent);
++ WAIT_UNTIL (close_event);
++ g_assert_null (received);
++ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_CONNECTION_CLOSED);
++ g_assert_no_error (test->client_error);
++}
++
++
+ static void
+ test_send_empty_packets (Test *test,
+ gconstpointer data)
+@@ -2064,11 +2208,47 @@ main (int argc,
+
+ g_test_add ("/websocket/direct/send-big-packets", Test, NULL,
+ setup_direct_connection,
+- test_send_big_packets,
++ test_send_big_packets_direct,
+ teardown_direct_connection);
+ g_test_add ("/websocket/soup/send-big-packets", Test, NULL,
+ setup_soup_connection,
+- test_send_big_packets,
++ test_send_big_packets_soup,
++ teardown_soup_connection);
++
++ g_test_add ("/websocket/direct/send-exceeding-client-max-payload-size", Test, NULL,
++ setup_direct_connection,
++ test_send_exceeding_client_max_payload_size,
++ teardown_direct_connection);
++ g_test_add ("/websocket/soup/send-exceeding-client-max-payload-size", Test, NULL,
++ setup_soup_connection,
++ test_send_exceeding_client_max_payload_size,
++ teardown_soup_connection);
++
++ g_test_add ("/websocket/direct/send-exceeding-server-max-payload-size", Test, NULL,
++ setup_direct_connection,
++ test_send_exceeding_server_max_payload_size,
++ teardown_direct_connection);
++ g_test_add ("/websocket/soup/send-exceeding-server-max-payload-size", Test, NULL,
++ setup_soup_connection,
++ test_send_exceeding_server_max_payload_size,
++ teardown_soup_connection);
++
++ g_test_add ("/websocket/direct/send-exceeding-client-max-message-size", Test, NULL,
++ setup_direct_connection,
++ test_send_exceeding_client_max_message_size,
++ teardown_direct_connection);
++ g_test_add ("/websocket/soup/send-exceeding-client-max-message-size", Test, NULL,
++ setup_soup_connection,
++ test_send_exceeding_client_max_message_size,
++ teardown_soup_connection);
++
++ g_test_add ("/websocket/direct/send-exceeding-server-max-message-size", Test, NULL,
++ setup_direct_connection,
++ test_send_exceeding_server_max_message_size,
++ teardown_direct_connection);
++ g_test_add ("/websocket/soup/send-exceeding-server-max-message-size", Test, NULL,
++ setup_soup_connection,
++ test_send_exceeding_server_max_message_size,
+ teardown_soup_connection);
+
+ g_test_add ("/websocket/direct/send-empty-packets", Test, NULL,
+@@ -2217,11 +2397,11 @@ main (int argc,
+
+ g_test_add ("/websocket/direct/deflate-send-big-packets", Test, NULL,
+ setup_direct_connection_with_extensions,
+- test_send_big_packets,
++ test_send_big_packets_direct,
+ teardown_direct_connection);
+ g_test_add ("/websocket/soup/deflate-send-big-packets", Test, NULL,
+ setup_soup_connection_with_extensions,
+- test_send_big_packets,
++ test_send_big_packets_soup,
+ teardown_soup_connection);
+
+ g_test_add ("/websocket/direct/deflate-send-empty-packets", Test, NULL,
+--
+2.34.1
+
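Review bot: In the four new `test_send_exceeding_*` functions, `received` is declared and initialised to NULL but never passed to any `"message"` signal handler, so `g_assert_null (received)` at the end of each test is vacuously true and does not verify that the oversized message was actually dropped. Connect the receiving side before sending, e.g. `g_signal_connect (test->client, "message", G_CALLBACK (on_text_message), &received);` in the two client-limit tests and `g_signal_connect (test->server, "message", G_CALLBACK (on_text_message), &received);` in the two server-limit tests, mirroring what test_send_big_packets does with `signal_id`. Without that, the tests only prove that the connection closes, not that the payload never reached the application.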
diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
index 6be31806f1..fc4a286dcf 100644
--- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -47,6 +47,10 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-4945.patch \
file://CVE-2025-12105.patch \
file://CVE-2025-14523.patch \
+ file://CVE-2025-32049-1.patch \
+ file://CVE-2025-32049-2.patch \
+ file://CVE-2025-32049-3.patch \
+ file://CVE-2025-32049-4.patch \
"
SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"