* [OE-core][scarthgap 00/19] Patch review
@ 2025-11-11 14:58 Steve Sakoman
0 siblings, 0 replies; 21+ messages in thread
From: Steve Sakoman @ 2025-11-11 14:58 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Thursday, September 13
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2708
The following changes since commit 06d4981313ce67a8d53b1c14be9845b4b5a9f4cf:
perf: add arm64 source files for unistd_64.h (2025-11-03 07:45:57 -0800)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
Alexander Kanavin (3):
ca-certificates: get sources from debian tarballs
ca-certificates: submit sysroot patch upstream, drop
default-sysroot.patch
xf86-video-intel: correct SRC_URI as freedesktop anongit is down
Ankur Tyagi (2):
webkitgtk: upgrade 2.44.3 -> 2.44.4
wireless-regdb: upgrade 2024.10.07 -> 2025.10.07
Archana Polampalli (7):
go: fix CVE-2025-58185
go: fix CVE-2025-58187
go: fix CVE-2025-58188
go: fix CVE-2025-58189
go: fix CVE-2025-47912
go: fix CVE-2025-61723
go: fix CVE-2025-61724
Gyorgy Sarvari (1):
ca-certificates: fix on-target postinstall script
Peter Marko (1):
curl: ignore CVE-2025-10966
Richard Purdie (2):
ca-certificates: upgrade 20240203 -> 20241223
oeqa/selftest/devtool: Update after upstream repo changes
Theodore A. Roth (2):
ca-certificates: update 20211016 -> 20240203
ca-certificates: Add comment for provenance of SRCREV
Wang Mingyu (1):
ca-certificates: upgrade 20241223 -> 20250419
meta/lib/oeqa/selftest/cases/devtool.py | 8 +-
meta/recipes-devtools/go/go-1.22.12.inc | 7 +
.../go/go/CVE-2025-47912.patch | 226 ++++++++++++
.../go/go/CVE-2025-58185.patch | 142 +++++++
.../go/go/CVE-2025-58187.patch | 349 ++++++++++++++++++
.../go/go/CVE-2025-58188.patch | 194 ++++++++++
.../go/go/CVE-2025-58189.patch | 50 +++
.../go/go/CVE-2025-61723.patch | 223 +++++++++++
.../go/go/CVE-2025-61724.patch | 75 ++++
.../xorg-driver/xf86-video-intel_git.bb | 2 +-
....10.07.bb => wireless-regdb_2025.10.07.bb} | 2 +-
...ebkitgtk_2.44.3.bb => webkitgtk_2.44.4.bb} | 2 +-
...ertdata2pem.py-print-a-warning-for-e.patch | 21 +-
...icates-don-t-use-Debianisms-in-run-p.patch | 20 +-
...2-update-ca-certificates-use-SYSROOT.patch | 46 ---
...icates-use-relative-symlinks-from-ET.patch | 18 +-
.../ca-certificates/default-sysroot.patch | 50 ---
...0211016.bb => ca-certificates_20250419.bb} | 19 +-
meta/recipes-support/curl/curl_8.7.1.bb | 1 +
19 files changed, 1311 insertions(+), 144 deletions(-)
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-47912.patch
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58185.patch
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58187.patch
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58188.patch
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-58189.patch
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61723.patch
create mode 100644 meta/recipes-devtools/go/go/CVE-2025-61724.patch
rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2024.10.07.bb => wireless-regdb_2025.10.07.bb} (94%)
rename meta/recipes-sato/webkit/{webkitgtk_2.44.3.bb => webkitgtk_2.44.4.bb} (98%)
delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates/0002-update-ca-certificates-use-SYSROOT.patch
delete mode 100644 meta/recipes-support/ca-certificates/ca-certificates/default-sysroot.patch
rename meta/recipes-support/ca-certificates/{ca-certificates_20211016.bb => ca-certificates_20250419.bb} (84%)
--
2.43.0
^ permalink raw reply [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 00/19] Patch review
@ 2026-06-29 14:19 Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 01/19] gawk: use native gawk when building glibc and grub Yoann Congal
` (18 more replies)
0 siblings, 19 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for scarthgap and have comments back by
end of day Wednesday, July 1.
Some patches are aimed at progressing toward Ubuntu 26.04 support:
* gawk: use native gawk when building glibc and grub
* grub/glibc: Bump versions to resolve hashequiv/reproducibility issues
* gawk: trim native build configuration
* gawk-native: fix gcc-15/C23 compilation issues
Improving the NVD CVE data fetching:
* cve-update-nvd2-native: allow setting resultsPerPage
NOTE: This patch does not exist in more recent branches
(cve-update-nvd2-native was drop in favor of git based fetching)
Move away from /git/ in URLs for oe/yp.org servers:
* oeqa: Drop /git/ from our urls
* recipetool: Recognise https://git. as git urls
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/4103
The following changes since commit 737293bead3e7b994347e47f09bc69437479d50c:
linux-yocto/6.6: address ltp hang (2026-06-23 20:33:35 +0200)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-review
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-review
for you to fetch changes up to 54ce24005721f5c82d42242524eaed93c8cbeafa:
recipetool: Recognise https://git. as git urls (2026-06-29 11:31:24 +0200)
----------------------------------------------------------------
Alexander Kanavin (1):
gawk: use native gawk when building glibc and grub
Amaury Couderc (1):
python3: fix CVE-2026-4224
Anil Dongare (1):
libusb1: fix CVE-2026-23679 and CVE-2026-47104
Awais B (1):
cve-update-nvd2-native: allow setting resultsPerPage
Harish Sadineni (1):
binutils: Fix for CVE-2025-69648 and CVE-2025-69646
Hitendra Prajapati (2):
libsoup: fix for CVE-2025-11021
libsoup: fix for CVE-2026-2369
Richard Purdie (3):
grub/glibc: Bump versions to resolve hashequiv/reproducibility issues
oeqa: Drop /git/ from our urls
recipetool: Recognise https://git. as git urls
Ross Burton (1):
gawk: trim native build configuration
Sudhir Dumbhare (1):
nfs-utils: fix CVE-2025-12801
Theo Gaige (Schneider Electric) (1):
go: patch CVE-2026-27145
Vijay Anusuri (5):
xwayland: Fix CVE-2026-33999
xwayland: Fix CVE-2026-34000
xwayland: Fix CVE-2026-34001
xwayland: Fix CVE-2026-34002
xwayland: Fix CVE-2026-34003
Yoann Congal (1):
gawk-native: fix gcc-15/C23 compilation issues
.../recipes-test/gitrepotest/gitrepotest.bb | 2 +-
.../gitunpackoffline/gitunpackoffline.inc | 4 +-
.../lib/oeqa/manual/toaster-managed-mode.json | 6 +-
meta/lib/oeqa/sdkext/cases/devtool.py | 4 +-
meta/lib/oeqa/selftest/cases/devtool.py | 4 +-
meta/lib/oeqa/selftest/cases/recipetool.py | 2 +-
meta/recipes-bsp/grub/grub2.inc | 6 +-
.../nfs-utils/CVE-2025-12801-build-fix.patch | 44 ++
.../CVE-2025-12801-dependent_p1.patch | 450 +++++++++++++++++
.../CVE-2025-12801-dependent_p2.patch | 81 +++
.../CVE-2025-12801-dependent_p3.patch | 181 +++++++
.../CVE-2025-12801-dependent_p4.patch | 468 ++++++++++++++++++
.../nfs-utils/nfs-utils/CVE-2025-12801.patch | 254 ++++++++++
.../nfs-utils/nfs-utils_2.6.4.bb | 6 +
meta/recipes-core/glibc/glibc.inc | 6 +-
.../meta/cve-update-nvd2-native.bb | 13 +
.../binutils/binutils-2.42.inc | 2 +-
...ch => CVE-2025-69646_CVE-2025-69648.patch} | 2 +-
meta/recipes-devtools/go/go-1.22.12.inc | 1 +
.../go/go/CVE-2026-27145.patch | 96 ++++
.../python/python3/CVE-2026-4224.patch | 121 +++++
.../python/python3_3.12.13.bb | 1 +
.../0001-Fix-some-C23-compilatio-issues.patch | 35 ++
meta/recipes-extended/gawk/gawk_5.3.0.bb | 15 +-
.../xwayland/xwayland/CVE-2026-33999.patch | 49 ++
.../xwayland/xwayland/CVE-2026-34000.patch | 72 +++
.../xwayland/xwayland/CVE-2026-34001.patch | 104 ++++
.../xwayland/xwayland/CVE-2026-34002.patch | 93 ++++
.../xwayland/xwayland/CVE-2026-34003-1.patch | 113 +++++
.../xwayland/xwayland/CVE-2026-34003-2.patch | 223 +++++++++
.../xwayland/xwayland_23.2.5.bb | 6 +
.../libsoup-3.4.4/CVE-2025-11021.patch | 57 +++
.../libsoup/libsoup-3.4.4/CVE-2026-2369.patch | 32 ++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 2 +
...-2026-23679_CVE-2026-47104-dependent.patch | 46 ++
.../CVE-2026-23679_CVE-2026-47104.patch | 88 ++++
meta/recipes-support/libusb/libusb1_1.0.27.bb | 2 +
scripts/lib/recipetool/create.py | 2 +-
38 files changed, 2676 insertions(+), 17 deletions(-)
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch
rename meta/recipes-devtools/binutils/binutils/{CVE-2025-69648.patch => CVE-2025-69646_CVE-2025-69648.patch} (99%)
create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27145.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4224.patch
create mode 100644 meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch
create mode 100644 meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch
create mode 100644 meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch
^ permalink raw reply [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 01/19] gawk: use native gawk when building glibc and grub
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 02/19] grub/glibc: Bump versions to resolve hashequiv/reproducibility issues Yoann Congal
` (17 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Alexander Kanavin <alex@linutronix.de>
Different versions of gawk can produce different output,
so depending on which version is installed on the build host,
reproducibility issues can occur:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=16072
So far only glibc and grub have been identified to have
the issue; probably more fixes of similar nature will be
required going forward.
Adjust the gawk recipe to apply target-only tweaks
(particularly the removal of awk symlink to allow for alternatives)
to only target and nativesdk variants, so that native installs
both awk and gawk executables.
[YOCTO #16072]
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c5bbf0a60b1d63e68f849a63e5d3872954e7cd3f)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-bsp/grub/grub2.inc | 2 +-
meta/recipes-core/glibc/glibc.inc | 2 +-
meta/recipes-extended/gawk/gawk_5.3.0.bb | 11 ++++++++++-
3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 3160708113e..a2173bee04b 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -51,7 +51,7 @@ CVE_STATUS[CVE-2023-4001] = "not-applicable-platform: Applies only to RHEL/Fedo
CVE_STATUS[CVE-2024-1048] = "not-applicable-platform: Applies only to RHEL/Fedora"
CVE_STATUS[CVE-2024-2312] = "not-applicable-platform: Applies only to Ubuntu"
-DEPENDS = "flex-native bison-native gettext-native"
+DEPENDS = "flex-native bison-native gettext-native gawk-replacement-native"
GRUB_COMPATIBLE_HOST = '(x86_64.*|i.86.*|arm.*|aarch64.*|riscv.*)-(linux.*|freebsd.*)'
COMPATIBLE_HOST = "${GRUB_COMPATIBLE_HOST}"
diff --git a/meta/recipes-core/glibc/glibc.inc b/meta/recipes-core/glibc/glibc.inc
index 225d0539a01..60e3daaf326 100644
--- a/meta/recipes-core/glibc/glibc.inc
+++ b/meta/recipes-core/glibc/glibc.inc
@@ -1,7 +1,7 @@
require glibc-common.inc
require glibc-ld.inc
-DEPENDS = "virtual/${HOST_PREFIX}gcc virtual/${HOST_PREFIX}binutils libgcc-initial linux-libc-headers"
+DEPENDS = "virtual/${HOST_PREFIX}gcc virtual/${HOST_PREFIX}binutils libgcc-initial linux-libc-headers gawk-replacement-native"
PROVIDES = "virtual/libc"
PROVIDES += "virtual/libintl virtual/libiconv"
diff --git a/meta/recipes-extended/gawk/gawk_5.3.0.bb b/meta/recipes-extended/gawk/gawk_5.3.0.bb
index ac9d8500d60..a05ec3b34bc 100644
--- a/meta/recipes-extended/gawk/gawk_5.3.0.bb
+++ b/meta/recipes-extended/gawk/gawk_5.3.0.bb
@@ -34,13 +34,21 @@ ALTERNATIVE:${PN} = "awk"
ALTERNATIVE_TARGET[awk] = "${bindir}/gawk"
ALTERNATIVE_PRIORITY = "100"
-do_install:append() {
+target_tweaks() {
# remove the link since we don't package it
rm ${D}${bindir}/awk
# Strip non-reproducible build flags (containing build paths)
sed -i -e 's|^CC.*|CC=""|g' -e 's|^CFLAGS.*|CFLAGS=""|g' ${D}${bindir}/gawkbug
}
+do_install:append:class-target() {
+ target_tweaks
+}
+
+do_install:append:class-nativesdk() {
+ target_tweaks
+}
+
inherit ptest
do_install_ptest() {
@@ -87,4 +95,5 @@ RDEPENDS:${PN}-ptest += "make locale-base-en-us coreutils"
RDEPENDS:${PN}-ptest:append:libc-glibc = " locale-base-en-us.iso-8859-1"
RDEPENDS:${PN}-ptest:append:libc-musl = " musl-locales"
+PROVIDES:append:class-native = " gawk-replacement-native"
BBCLASSEXTEND = "native nativesdk"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 02/19] grub/glibc: Bump versions to resolve hashequiv/reproducibility issues
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 01/19] gawk: use native gawk when building glibc and grub Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 03/19] gawk: trim native build configuration Yoann Congal
` (16 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
After the gawk dependency change, we need to change PR/hashequiv version
to replace the corrupted sstate/hashequiv data.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f0f7632595792a73ea0a935b924e8bdf9954ec7b)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-bsp/grub/grub2.inc | 4 ++++
meta/recipes-core/glibc/glibc.inc | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index a2173bee04b..dfc87eaa94d 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -44,6 +44,10 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
file://CVE-2025-61663_61664.patch \
"
+# remove at next version upgrade or when output changes
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
+
SRC_URI[sha256sum] = "b30919fa5be280417c17ac561bb1650f60cfb80cc6237fa1e2b6f56154cb9c91"
CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
diff --git a/meta/recipes-core/glibc/glibc.inc b/meta/recipes-core/glibc/glibc.inc
index 60e3daaf326..a3d0bb40713 100644
--- a/meta/recipes-core/glibc/glibc.inc
+++ b/meta/recipes-core/glibc/glibc.inc
@@ -3,6 +3,10 @@ require glibc-ld.inc
DEPENDS = "virtual/${HOST_PREFIX}gcc virtual/${HOST_PREFIX}binutils libgcc-initial linux-libc-headers gawk-replacement-native"
+# remove at next version upgrade or when output changes
+PR = "r1"
+HASHEQUIV_HASH_VERSION .= ".1"
+
PROVIDES = "virtual/libc"
PROVIDES += "virtual/libintl virtual/libiconv"
inherit autotools texinfo systemd
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 03/19] gawk: trim native build configuration
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 01/19] gawk: use native gawk when building glibc and grub Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 02/19] grub/glibc: Bump versions to resolve hashequiv/reproducibility issues Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 04/19] gawk-native: fix gcc-15/C23 compilation issues Yoann Congal
` (15 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
When we build gawk-native it is only for use in builds where the host
gawk output isn't reproducible across versions[1]. As such it doesn't
need support for readline or mprf, and by removing those from gawk-native
we can get building gawk-native sooner.
[1] oe-core c5bbf0a60b ("gawk: use native gawk when building glibc and grub")
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1e6b810f60fd45856fc6a57270bf85342bcd9415)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-extended/gawk/gawk_5.3.0.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-extended/gawk/gawk_5.3.0.bb b/meta/recipes-extended/gawk/gawk_5.3.0.bb
index a05ec3b34bc..e38c1f84366 100644
--- a/meta/recipes-extended/gawk/gawk_5.3.0.bb
+++ b/meta/recipes-extended/gawk/gawk_5.3.0.bb
@@ -12,6 +12,9 @@ LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
PACKAGECONFIG ??= "readline"
+# Make native builds lean
+PACKAGECONFIG:class-native = ""
+
PACKAGECONFIG[readline] = "--with-readline,--without-readline,readline"
PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 04/19] gawk-native: fix gcc-15/C23 compilation issues
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (2 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 03/19] gawk: trim native build configuration Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 05/19] libsoup: fix for CVE-2025-11021 Yoann Congal
` (14 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Yoann Congal <yoann.congal@smile.fr>
On Ubuntu 26.04, GCC 15 defaults to std=c23 and that results in build
failure:
| ../gawk-5.3.0/io.c: In function ‘iop_alloc’:
| ../gawk-5.3.0/io.c:3389:31: error: assignment to ‘ssize_t (*)(int, void *, size_t)’ {aka ‘long int (*)(int, void *, long unsigned int)’} from incompatible pointer type ‘ssize_t (*)(void)’ {aka ‘long int (*)(void)’} [-Wincompatible-pointer-types]
| 3389 | iop->public.read_func = ( ssize_t(*)() ) read;
| | ^
Fix this by (partially) backporting an upstream patch.
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../0001-Fix-some-C23-compilatio-issues.patch | 35 +++++++++++++++++++
meta/recipes-extended/gawk/gawk_5.3.0.bb | 1 +
2 files changed, 36 insertions(+)
create mode 100644 meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch
diff --git a/meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch b/meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch
new file mode 100644
index 00000000000..7082e62beb6
--- /dev/null
+++ b/meta/recipes-extended/gawk/gawk/0001-Fix-some-C23-compilatio-issues.patch
@@ -0,0 +1,35 @@
+From e4015d209ddc31bd1256fa568612372407e0b9c5 Mon Sep 17 00:00:00 2001
+From: Arnold D. Robbins <arnold@skeeve.com>
+Date: Mon, 12 Aug 2024 06:33:28 +0300
+Subject: [PATCH] Fix some C23 compilatio issues.
+
+
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/gawk.git/commit/?id=7a521fe4b37f8554ca53ef3236f0352e391aaa1d (in v5.3.1)]
+Backport: Only kept the code change, dropped comment changes
+Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
+---
+ io.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/io.c b/io.c
+index c595c009e..44671ebd1 100644
+--- a/io.c
++++ b/io.c
+@@ -3386,7 +3386,7 @@ iop_alloc(int fd, const char *name, int errno_val)
+
+ iop->public.fd = fd;
+ iop->public.name = name;
+- iop->public.read_func = ( ssize_t(*)() ) read;
++ iop->public.read_func = ( ssize_t(*)(int, void *, size_t) ) read;
+ iop->valid = false;
+ iop->errcode = errno_val;
+
+@@ -4446,7 +4446,7 @@ get_read_timeout(IOBUF *iop)
+ tmout = read_default_timeout; /* initialized from env. variable in init_io() */
+
+ /* overwrite read routine only if an extension has not done so */
+- if ((iop->public.read_func == ( ssize_t(*)() ) read) && tmout > 0)
++ if ((iop->public.read_func == ( ssize_t(*)(int, void *, size_t) ) read) && tmout > 0)
+ iop->public.read_func = read_with_timeout;
+
+ return tmout;
diff --git a/meta/recipes-extended/gawk/gawk_5.3.0.bb b/meta/recipes-extended/gawk/gawk_5.3.0.bb
index e38c1f84366..b1d1fe7ae47 100644
--- a/meta/recipes-extended/gawk/gawk_5.3.0.bb
+++ b/meta/recipes-extended/gawk/gawk_5.3.0.bb
@@ -21,6 +21,7 @@ PACKAGECONFIG[mpfr] = "--with-mpfr,--without-mpfr, mpfr"
SRC_URI = "${GNU_MIRROR}/gawk/gawk-${PV}.tar.gz \
file://0001-m4-readline-add-missing-includes.patch \
file://run-ptest \
+ file://0001-Fix-some-C23-compilatio-issues.patch \
"
SRC_URI[sha256sum] = "378f8864ec21cfceaa048f7e1869ac9b4597b449087caf1eb55e440d30273336"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 05/19] libsoup: fix for CVE-2025-11021
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (3 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 04/19] gawk-native: fix gcc-15/C23 compilation issues Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 06/19] libsoup: fix for CVE-2026-2369 Yoann Congal
` (13 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Pick patch from [1] also mentioned at Debian report in [2]
[1] https://gitlab.gnome.org/GNOME/libsoup/-/commit/9e1a427d2f047439d0320defe1593e6352595788
[2] https://security-tracker.debian.org/tracker/CVE-2025-11021
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
[YC: The CVE fixing patch is d010b0bbd in 3.6.6 (current master/wrynose)]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libsoup-3.4.4/CVE-2025-11021.patch | 57 +++++++++++++++++++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 +
2 files changed, 58 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch
new file mode 100644
index 00000000000..9bba0929b7d
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-11021.patch
@@ -0,0 +1,57 @@
+From 9e1a427d2f047439d0320defe1593e6352595788 Mon Sep 17 00:00:00 2001
+From: Alynx Zhou <alynx.zhou@gmail.com>
+Date: Sat, 11 Oct 2025 15:52:47 +0800
+Subject: [PATCH] cookies: Avoid expires attribute if date is invalid
+
+According to CVE-2025-11021, we may get invalid on processing date
+string with timezone offset, this commit will ignore it.
+
+Closes #459
+
+CVE: CVE-2025-11021
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/9e1a427d2f047439d0320defe1593e6352595788]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libsoup/cookies/soup-cookie.c | 9 +++++----
+ libsoup/soup-date-utils.c | 3 +++
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/libsoup/cookies/soup-cookie.c b/libsoup/cookies/soup-cookie.c
+index 7c41b1d..5af154d 100644
+--- a/libsoup/cookies/soup-cookie.c
++++ b/libsoup/cookies/soup-cookie.c
+@@ -726,12 +726,13 @@ serialize_cookie (SoupCookie *cookie, GString *header, gboolean set_cookie)
+
+ if (cookie->expires) {
+ char *timestamp;
+-
+- g_string_append (header, "; expires=");
+ timestamp = soup_date_time_to_string (cookie->expires,
+ SOUP_DATE_COOKIE);
+- g_string_append (header, timestamp);
+- g_free (timestamp);
++ if (timestamp) {
++ g_string_append (header, "; expires=");
++ g_string_append (header, timestamp);
++ g_free (timestamp);
++ }
+ }
+ if (cookie->path) {
+ g_string_append (header, "; path=");
+diff --git a/libsoup/soup-date-utils.c b/libsoup/soup-date-utils.c
+index 34ca995..ae5504d 100644
+--- a/libsoup/soup-date-utils.c
++++ b/libsoup/soup-date-utils.c
+@@ -95,6 +95,9 @@ soup_date_time_to_string (GDateTime *date,
+ char *date_format;
+ char *formatted_date;
+
++ if (!utcdate)
++ return NULL;
++
+ // We insert days/months ourselves to avoid locale specific formatting
+ if (format == SOUP_DATE_HTTP) {
+ /* "Sun, 06 Nov 1994 08:49:37 GMT" */
+--
+2.50.1
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
index fc4a286dcf0..8fe3775e1e4 100644
--- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -51,6 +51,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32049-2.patch \
file://CVE-2025-32049-3.patch \
file://CVE-2025-32049-4.patch \
+ file://CVE-2025-11021.patch \
"
SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 06/19] libsoup: fix for CVE-2026-2369
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (4 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 05/19] libsoup: fix for CVE-2025-11021 Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 07/19] go: patch CVE-2026-27145 Yoann Congal
` (12 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Pick patch from [1] also mentioned at Debian report in [2]
[1] https://gitlab.gnome.org/GNOME/libsoup/-/commit/af4bde990270b825b7d110a495cc65de9e2ec32f
[2] https://security-tracker.debian.org/tracker/CVE-2026-2369
Note: Issue introduced by the fix for CVE-2025-32052.
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libsoup/libsoup-3.4.4/CVE-2026-2369.patch | 32 +++++++++++++++++++
meta/recipes-support/libsoup/libsoup_3.4.4.bb | 1 +
2 files changed, 33 insertions(+)
create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch
diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch
new file mode 100644
index 00000000000..bee8a35323b
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2026-2369.patch
@@ -0,0 +1,32 @@
+From af4bde990270b825b7d110a495cc65de9e2ec32f Mon Sep 17 00:00:00 2001
+From: Samuel Dainard <>
+Date: Wed, 11 Feb 2026 10:19:04 -0600
+Subject: [PATCH] sniffer: Handle potential underflow
+
+Closes #498
+
+CVE: CVE-2026-2369
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/af4bde990270b825b7d110a495cc65de9e2ec32f]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ libsoup/content-sniffer/soup-content-sniffer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libsoup/content-sniffer/soup-content-sniffer.c b/libsoup/content-sniffer/soup-content-sniffer.c
+index a5e18d5..594d0bb 100644
+--- a/libsoup/content-sniffer/soup-content-sniffer.c
++++ b/libsoup/content-sniffer/soup-content-sniffer.c
+@@ -524,6 +524,10 @@ sniff_unknown (SoupContentSniffer *sniffer, GBytes *buffer,
+ if (!sniff_scriptable && type_row->scriptable)
+ continue;
+
++ /* Ensure we have data to sniff - prevents underflow in resource_length - 1 */
++ if (resource_length == 0)
++ continue;
++
+ if (type_row->has_ws) {
+ guint index_stream = 0;
+ guint index_pattern = 0;
+--
+2.50.1
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
index 8fe3775e1e4..15164d940c1 100644
--- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -52,6 +52,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
file://CVE-2025-32049-3.patch \
file://CVE-2025-32049-4.patch \
file://CVE-2025-11021.patch \
+ file://CVE-2026-2369.patch \
"
SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 07/19] go: patch CVE-2026-27145
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (5 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 06/19] libsoup: fix for CVE-2026-2369 Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 08/19] binutils: Fix for CVE-2025-69648 and CVE-2025-69646 Yoann Congal
` (11 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Backport patch from [1]
[1] https://go.dev/cl/783621
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/go/go-1.22.12.inc | 1 +
.../go/go/CVE-2026-27145.patch | 96 +++++++++++++++++++
2 files changed, 97 insertions(+)
create mode 100644 meta/recipes-devtools/go/go/CVE-2026-27145.patch
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index c825ebd25a3..99c5f8b63b6 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -61,6 +61,7 @@ SRC_URI += "\
file://CVE-2025-58183.patch \
file://CVE-2026-25679.patch \
file://CVE-2026-32288.patch \
+ file://CVE-2026-27145.patch \
"
SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2026-27145.patch b/meta/recipes-devtools/go/go/CVE-2026-27145.patch
new file mode 100644
index 00000000000..f231aab458b
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2026-27145.patch
@@ -0,0 +1,96 @@
+From 612753600a0184c8b792425dea62e530170ca811 Mon Sep 17 00:00:00 2001
+From: Ian Alexander <jitsu@google.com>
+Date: Wed, 27 May 2026 04:22:31 -0400
+Subject: [PATCH] crypto/x509: split candidate hostname only once
+
+(*x509.Certificate).VerifyHostname previously called matchHostnames in a
+loop over all DNS Subject Alternative Name (SAN) entries. This caused
+strings.Split(host, ".") to execute repeatedly on the same input
+hostname.
+
+With a large DNS SAN list, verification costs scaled quadratically based
+on the number of SAN entries multiplied by the hostname's label count.
+Because x509.Verify validates hostnames before building the certificate
+chain, this overhead occurred even for untrusted certificates.
+
+Thanks to Jakub Ciolek <jakub@ciolek.dev> for reporting this issue.
+
+Fixes #79694
+Fixes CVE-2026-27145
+
+Change-Id: I2788b8ee22ffd28e45bcc7b0d860549084906a74
+Reviewed-on: https://go-review.googlesource.com/c/go/+/783621
+LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Neal Patel <neal@golang.org>
+
+CVE: CVE-2026-27145
+Upstream-Status: Backport [https://github.com/golang/go/commit/d01955d5d50ccb5f46c215f88c1781742b3f117d]
+Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
+---
+ src/crypto/x509/verify.go | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
+index 1de06bc95b..4c423a5fca 100644
+--- a/src/crypto/x509/verify.go
++++ b/src/crypto/x509/verify.go
+@@ -102,7 +102,7 @@ func (h HostnameError) Error() string {
+ c := h.Certificate
+ maxNamesIncluded := 100
+
+- if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, h.Host) {
++ if !c.hasSANExtension() && matchHostnames(c.Subject.CommonName, splitHostname(h.Host)) {
+ return "x509: certificate relies on legacy Common Name field, use SANs instead"
+ }
+
+@@ -1081,16 +1081,14 @@ func matchExactly(hostA, hostB string) bool {
+ return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB)
+ }
+
+-func matchHostnames(pattern, host string) bool {
++func matchHostnames(pattern string, hostParts []string) bool {
+ pattern = toLowerCaseASCII(pattern)
+- host = toLowerCaseASCII(strings.TrimSuffix(host, "."))
+
+- if len(pattern) == 0 || len(host) == 0 {
++ if len(pattern) == 0 || len(hostParts) == 0 {
+ return false
+ }
+
+ patternParts := strings.Split(pattern, ".")
+- hostParts := strings.Split(host, ".")
+
+ if len(patternParts) != len(hostParts) {
+ return false
+@@ -1168,6 +1166,7 @@ func (c *Certificate) VerifyHostname(h string) error {
+
+ candidateName := toLowerCaseASCII(h) // Save allocations inside the loop.
+ validCandidateName := validHostnameInput(candidateName)
++ hostParts := splitHostname(candidateName)
+
+ for _, match := range c.DNSNames {
+ // Ideally, we'd only match valid hostnames according to RFC 6125 like
+@@ -1176,7 +1175,7 @@ func (c *Certificate) VerifyHostname(h string) error {
+ // always allow perfect matches, and only apply wildcard and trailing
+ // dot processing to valid hostnames.
+ if validCandidateName && validHostnamePattern(match) {
+- if matchHostnames(match, candidateName) {
++ if matchHostnames(match, hostParts) {
+ return nil
+ }
+ } else {
+@@ -1189,6 +1188,10 @@ func (c *Certificate) VerifyHostname(h string) error {
+ return HostnameError{c, h}
+ }
+
++func splitHostname(host string) []string {
++ return strings.Split(toLowerCaseASCII(strings.TrimSuffix(host, ".")), ".")
++}
++
+ func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool {
+ usages := make([]ExtKeyUsage, len(keyUsages))
+ copy(usages, keyUsages)
+--
+2.43.0
+
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 08/19] binutils: Fix for CVE-2025-69648 and CVE-2025-69646
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (6 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 07/19] go: patch CVE-2026-27145 Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 09/19] xwayland: Fix CVE-2026-33999 Yoann Congal
` (10 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Harish Sadineni <Harish.Sadineni@windriver.com>
CVE-2025-69648 was marked as a duplicate of CVE-2025-69646. The
existing patch already fixes the issue associated with both CVEs.
Rename the patch and update the CVE tag to reference both identifiers.
Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/binutils/binutils-2.42.inc | 2 +-
...CVE-2025-69648.patch => CVE-2025-69646_CVE-2025-69648.patch} | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-devtools/binutils/binutils/{CVE-2025-69648.patch => CVE-2025-69646_CVE-2025-69648.patch} (99%)
diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 7e83f72632f..342229af26a 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -73,6 +73,6 @@ SRC_URI = "\
file://0029-CVE-2025-11839.patch \
file://0030-CVE-2025-11840.patch \
file://CVE-2025-69644-CVE-2025-69647.patch \
- file://CVE-2025-69648.patch \
+ file://CVE-2025-69646_CVE-2025-69648.patch \
"
S = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-69646_CVE-2025-69648.patch
similarity index 99%
rename from meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
rename to meta/recipes-devtools/binutils/binutils/CVE-2025-69646_CVE-2025-69648.patch
index e04d7ed6c21..b02b5e05317 100644
--- a/meta/recipes-devtools/binutils/binutils/CVE-2025-69648.patch
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-69646_CVE-2025-69648.patch
@@ -19,7 +19,7 @@ length field.
(display_debug_ranges): Check display_debug_rnglists_unit_header
return status. Stop output on error.
-CVE: CVE-2025-69648
+CVE: CVE-2025-69646 CVE-2025-69648
Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=598704a00cbac5e85c2bedd363357b5bf6fcee33]
(cherry picked from commit 598704a00cbac5e85c2bedd363357b5bf6fcee33)
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 09/19] xwayland: Fix CVE-2026-33999
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (7 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 08/19] binutils: Fix for CVE-2025-69648 and CVE-2025-69646 Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 10/19] xwayland: Fix CVE-2026-34000 Yoann Congal
` (9 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Pick patch according to [2]
[1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-33999
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../xwayland/xwayland/CVE-2026-33999.patch | 49 +++++++++++++++++++
.../xwayland/xwayland_23.2.5.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch
new file mode 100644
index 00000000000..cd3bf47397d
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-33999.patch
@@ -0,0 +1,49 @@
+From b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b Mon Sep 17 00:00:00 2001
+From: Peter Harris <pharris2@rocketsoftware.com>
+Date: Thu, 15 Jan 2026 15:54:09 -0500
+Subject: [PATCH] xkb: fix buffer re-use in _XkbSetCompatMap
+
+If the "compat" buffer has previously been truncated, there will be
+unused space in the buffer. The code uses this space, but does not
+update the number of valid entries in the buffer.
+
+In the best case, this leads to the new compat entries being ignored. In the
+worst case, if there are any "skipped" compat entries, the number of
+valid entries will be corrupted, potentially leading to a buffer read
+overrun when processing a future request.
+
+Set the number of used "compat" entries when re-using previously
+allocated space in the buffer.
+
+CVE-2026-33999, ZDI-CAN-28593
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with TrendAI Zero Day Initiative
+
+Signed-off-by: Peter Harris <pharris2@rocketsoftware.com>
+Acked-by: Olivier Fourdan <ofourdan@redhat.com>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b024ae1749ee58c6fbf863b9a1f5dc440fee2e1b]
+CVE: CVE-2026-33999
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xkb/xkb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 137d70d..2b9004a 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -3004,7 +3004,7 @@ _XkbSetCompatMap(ClientPtr client, DeviceIntPtr dev,
+ return BadAlloc;
+ }
+ }
+- else if (req->truncateSI) {
++ else if (req->truncateSI || req->firstSI + req->nSI > compat->num_si) {
+ compat->num_si = req->firstSI + req->nSI;
+ }
+ sym = &compat->sym_interpret[req->firstSI];
+--
+2.43.0
+
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index 362b110a0bb..65f1ed2ae07 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -35,6 +35,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-62230-0001.patch \
file://CVE-2025-62230-0002.patch \
file://CVE-2025-62231.patch \
+ file://CVE-2026-33999.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 10/19] xwayland: Fix CVE-2026-34000
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (8 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 09/19] xwayland: Fix CVE-2026-33999 Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 11/19] xwayland: Fix CVE-2026-34001 Yoann Congal
` (8 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Pick patch according to [2]
[1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-34000
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../xwayland/xwayland/CVE-2026-34000.patch | 72 +++++++++++++++++++
.../xwayland/xwayland_23.2.5.bb | 1 +
2 files changed, 73 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch
new file mode 100644
index 00000000000..7ce7cfa80c0
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34000.patch
@@ -0,0 +1,72 @@
+From 81b6a34f90b28c32ad499a78a4f391b7c06daea2 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 18 Feb 2026 16:03:11 +0100
+Subject: [PATCH] xkb: Fix bounds check in _CheckSetGeom()
+
+As reported by valgrind:
+
+ == Conditional jump or move depends on uninitialised value(s)
+ == at 0x5CBE66: SrvXkbAddGeomKeyAlias (XKBGAlloc.c:585)
+ == by 0x5AC7D5: _CheckSetGeom (xkb.c:5607)
+ == by 0x5AC952: _XkbSetGeometry (xkb.c:5643)
+ == by 0x5ACB58: ProcXkbSetGeometry (xkb.c:5684)
+ == by 0x5B0DAC: ProcXkbDispatch (xkb.c:7070)
+ == by 0x4A28C5: Dispatch (dispatch.c:553)
+ == by 0x4B0B24: dix_main (main.c:274)
+ == by 0x42915E: main (stubmain.c:34)
+ == Uninitialised value was created by a heap allocation
+ == at 0x4840B26: malloc (vg_replace_malloc.c:447)
+ == by 0x5E13B0: AllocateInputBuffer (io.c:981)
+ == by 0x5E05CD: InsertFakeRequest (io.c:516)
+ == by 0x4AA860: NextAvailableClient (dispatch.c:3629)
+ == by 0x5DE0D7: AllocNewConnection (connection.c:628)
+ == by 0x5DE2C6: EstablishNewConnections (connection.c:692)
+ == by 0x5DE600: HandleNotifyFd (connection.c:809)
+ == by 0x5E2598: ospoll_wait (ospoll.c:660)
+ == by 0x5DA00C: WaitForSomething (WaitFor.c:208)
+ == by 0x4A26E5: Dispatch (dispatch.c:493)
+ == by 0x4B0B24: dix_main (main.c:274)
+ == by 0x42915E: main (stubmain.c:34)
+
+Each key alias entry contains two key names (the alias and the real key
+name), each of size XkbKeyNameLength.
+
+The current bounds check only validates the first name, allowing
+XkbAddGeomKeyAlias to potentially read uninitialized memory when
+accessing the second name at &wire[XkbKeyNameLength].
+
+To fix this, change the value to check to use 2 * XkbKeyNameLength to
+validate the bounds.
+
+CVE-2026-34000, ZDI-CAN-28679
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with TrendAI Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/81b6a34f90b28c32ad499a78a4f391b7c06daea2]
+CVE: CVE-2026-34000
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xkb/xkb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 2b9004a..1ba638b 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -5603,7 +5603,7 @@ _CheckSetGeom(XkbGeometryPtr geom, xkbSetGeometryReq * req, ClientPtr client)
+ }
+
+ for (i = 0; i < req->nKeyAliases; i++) {
+- if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbKeyNameLength))
++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2 * XkbKeyNameLength))
+ return BadLength;
+
+ if (XkbAddGeomKeyAlias(geom, &wire[XkbKeyNameLength], wire) == NULL)
+--
+2.43.0
+
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index 65f1ed2ae07..1a076ab552f 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -36,6 +36,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-62230-0002.patch \
file://CVE-2025-62231.patch \
file://CVE-2026-33999.patch \
+ file://CVE-2026-34000.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 11/19] xwayland: Fix CVE-2026-34001
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (9 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 10/19] xwayland: Fix CVE-2026-34000 Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 12/19] xwayland: Fix CVE-2026-34002 Yoann Congal
` (7 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Pick patch according to [2]
[1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-34001
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../xwayland/xwayland/CVE-2026-34001.patch | 104 ++++++++++++++++++
.../xwayland/xwayland_23.2.5.bb | 1 +
2 files changed, 105 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch
new file mode 100644
index 00000000000..a438f5ffcdd
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34001.patch
@@ -0,0 +1,104 @@
+From f19ab94ba9c891d801231654267556dc7f32b5e0 Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 18 Feb 2026 16:23:23 +0100
+Subject: [PATCH] miext/sync: Fix use-after-free in miSyncTriggerFence()
+
+As reported by valgrind:
+
+ == Invalid read of size 8
+ == at 0x568C14: miSyncTriggerFence (misync.c:140)
+ == by 0x540688: ProcSyncTriggerFence (sync.c:1957)
+ == by 0x540CCC: ProcSyncDispatch (sync.c:2152)
+ == by 0x4A28C5: Dispatch (dispatch.c:553)
+ == by 0x4B0B24: dix_main (main.c:274)
+ == by 0x42915E: main (stubmain.c:34)
+ == Address 0x17e35488 is 8 bytes inside a block of size 16 free'd
+ == at 0x4843E43: free (vg_replace_malloc.c:990)
+ == by 0x53D683: SyncDeleteTriggerFromSyncObject (sync.c:169)
+ == by 0x53F14D: FreeAwait (sync.c:1208)
+ == by 0x4DFB06: doFreeResource (resource.c:888)
+ == by 0x4DFC59: FreeResource (resource.c:918)
+ == by 0x53E349: SyncAwaitTriggerFired (sync.c:701)
+ == by 0x568C52: miSyncTriggerFence (misync.c:142)
+ == by 0x540688: ProcSyncTriggerFence (sync.c:1957)
+ == by 0x540CCC: ProcSyncDispatch (sync.c:2152)
+ == by 0x4A28C5: Dispatch (dispatch.c:553)
+ == by 0x4B0B24: dix_main (main.c:274)
+ == by 0x42915E: main (stubmain.c:34)
+ == Block was alloc'd at
+ == at 0x4840B26: malloc (vg_replace_malloc.c:447)
+ == by 0x5E50E1: XNFalloc (utils.c:1129)
+ == by 0x53D772: SyncAddTriggerToSyncObject (sync.c:206)
+ == by 0x53DCA8: SyncInitTrigger (sync.c:414)
+ == by 0x5409C7: ProcSyncAwaitFence (sync.c:2089)
+ == by 0x540D04: ProcSyncDispatch (sync.c:2160)
+ == by 0x4A28C5: Dispatch (dispatch.c:553)
+ == by 0x4B0B24: dix_main (main.c:274)
+ == by 0x42915E: main (stubmain.c:34)
+
+When walking the list of fences to trigger, miSyncTriggerFence() may
+call TriggerFence() for the current trigger, which end up calling the
+function SyncAwaitTriggerFired().
+
+SyncAwaitTriggerFired() frees the entire await resource, which removes
+all triggers from that await - including pNext which may be another
+trigger from the same await attached to the same fence.
+
+On the next iteration, ptl = pNext points to freed memory...
+
+To avoid the issue, we need to restart the iteration from the beginning
+of the list each time a trigger fires, since the callback can modify the
+list.
+
+CVE-2026-34001, ZDI-CAN-28706
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with TrendAI Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f19ab94ba9c891d801231654267556dc7f32b5e0]
+CVE: CVE-2026-34001
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ miext/sync/misync.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/miext/sync/misync.c b/miext/sync/misync.c
+index 0931803..e11eba2 100644
+--- a/miext/sync/misync.c
++++ b/miext/sync/misync.c
+@@ -131,16 +131,22 @@ miSyncDestroyFence(SyncFence * pFence)
+ void
+ miSyncTriggerFence(SyncFence * pFence)
+ {
+- SyncTriggerList *ptl, *pNext;
++ SyncTriggerList *ptl;
++ Bool triggered;
+
+ pFence->funcs.SetTriggered(pFence);
+
+ /* run through triggers to see if any fired */
+- for (ptl = pFence->sync.pTriglist; ptl; ptl = pNext) {
+- pNext = ptl->next;
+- if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0))
+- (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
+- }
++ do {
++ triggered = FALSE;
++ for (ptl = pFence->sync.pTriglist; ptl; ptl = ptl->next) {
++ if ((*ptl->pTrigger->CheckTrigger) (ptl->pTrigger, 0)) {
++ (*ptl->pTrigger->TriggerFired) (ptl->pTrigger);
++ triggered = TRUE;
++ break;
++ }
++ }
++ } while (triggered);
+ }
+
+ SyncScreenFuncsPtr
+--
+2.43.0
+
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index 1a076ab552f..800d0a8f634 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -37,6 +37,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2025-62231.patch \
file://CVE-2026-33999.patch \
file://CVE-2026-34000.patch \
+ file://CVE-2026-34001.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 12/19] xwayland: Fix CVE-2026-34002
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (10 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 11/19] xwayland: Fix CVE-2026-34001 Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 13/19] xwayland: Fix CVE-2026-34003 Yoann Congal
` (6 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Pick patch according to [2]
[1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-34002
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../xwayland/xwayland/CVE-2026-34002.patch | 93 +++++++++++++++++++
.../xwayland/xwayland_23.2.5.bb | 1 +
2 files changed, 94 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch
new file mode 100644
index 00000000000..131caefcd5e
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34002.patch
@@ -0,0 +1,93 @@
+From f056ce1cc96ed9261052c31524162c78e458f98c Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Wed, 18 Feb 2026 17:02:09 +0100
+Subject: [PATCH] xkb: Fix out-of-bounds read in CheckModifierMap()
+
+As reported by valgrind:
+
+ == Conditional jump or move depends on uninitialised value(s)
+ == at 0x547E5B: CheckModifierMap (xkb.c:1972)
+ == by 0x54A086: _XkbSetMapChecks (xkb.c:2574)
+ == by 0x54A845: ProcXkbSetMap (xkb.c:2741)
+ == by 0x556EF4: ProcXkbDispatch (xkb.c:7048)
+ == by 0x454A8C: Dispatch (dispatch.c:553)
+ == by 0x462CEB: dix_main (main.c:274)
+ == by 0x405EA7: main (stubmain.c:34)
+ == Uninitialised value was created by a heap allocation
+ == at 0x4840B26: malloc (vg_replace_malloc.c:447)
+ == by 0x592D5A: AllocateInputBuffer (io.c:981)
+ == by 0x591F77: InsertFakeRequest (io.c:516)
+ == by 0x45CA27: NextAvailableClient (dispatch.c:3629)
+ == by 0x58FA81: AllocNewConnection (connection.c:628)
+ == by 0x58FC70: EstablishNewConnections (connection.c:692)
+ == by 0x58FFAA: HandleNotifyFd (connection.c:809)
+ == by 0x593F42: ospoll_wait (ospoll.c:660)
+ == by 0x58B9B6: WaitForSomething (WaitFor.c:208)
+ == by 0x4548AC: Dispatch (dispatch.c:493)
+ == by 0x462CEB: dix_main (main.c:274)
+ == by 0x405EA7: main (stubmain.c:34)
+
+The issue is that the loop in CheckModifierMap() reads from wire without
+verifying that the data is within the request bounds.
+
+The req->totalModMapKeys value could exceed the actual data provided,
+causing reads of uninitialized memory.
+
+To fix that issue, we add a bounds check using _XkbCheckRequestBounds,
+but for that, we need to also pass a ClientPtr parameter, which is not
+a problem since CheckModifierMap() is a private, static function.
+
+CVE-2026-34002, ZDI-CAN-28737
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/f056ce1cc96ed9261052c31524162c78e458f98c]
+CVE: CVE-2026-34002
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xkb/xkb.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 1ba638b..3fcc6c4 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -1940,8 +1940,8 @@ CheckKeyExplicit(XkbDescPtr xkb,
+ }
+
+ static int
+-CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn,
+- int *errRtrn)
++CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req,
++ CARD8 **wireRtrn, int *errRtrn)
+ {
+ register CARD8 *wire = *wireRtrn;
+ CARD8 *start;
+@@ -1965,6 +1965,10 @@ CheckModifierMap(XkbDescPtr xkb, xkbSetMapReq * req, CARD8 **wireRtrn,
+ }
+ start = wire;
+ for (i = 0; i < req->totalModMapKeys; i++, wire += 2) {
++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) {
++ *errRtrn = _XkbErrCode3(0x64, req->totalModMapKeys, i);
++ return 0;
++ }
+ if ((wire[0] < first) || (wire[0] > last)) {
+ *errRtrn = _XkbErrCode4(0x63, first, last, wire[0]);
+ return 0;
+@@ -2568,7 +2572,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
+ return BadValue;
+ }
+ if ((req->present & XkbModifierMapMask) &&
+- (!CheckModifierMap(xkb, req, (CARD8 **) &values, &error))) {
++ (!CheckModifierMap(client, xkb, req, (CARD8 **) &values, &error))) {
+ client->errorValue = error;
+ return BadValue;
+ }
+--
+2.43.0
+
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index 800d0a8f634..e7412e20116 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -38,6 +38,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2026-33999.patch \
file://CVE-2026-34000.patch \
file://CVE-2026-34001.patch \
+ file://CVE-2026-34002.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 13/19] xwayland: Fix CVE-2026-34003
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (11 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 12/19] xwayland: Fix CVE-2026-34002 Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 14/19] libusb1: fix CVE-2026-23679 and CVE-2026-47104 Yoann Congal
` (5 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Vijay Anusuri <vanusuri@mvista.com>
Pick patch according to [2]
[1] https://lists.x.org/archives/xorg-announce/2026-April/003679.html
[2] https://security-tracker.debian.org/tracker/CVE-2026-34003
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../xwayland/xwayland/CVE-2026-34003-1.patch | 113 +++++++++
.../xwayland/xwayland/CVE-2026-34003-2.patch | 223 ++++++++++++++++++
.../xwayland/xwayland_23.2.5.bb | 2 +
3 files changed, 338 insertions(+)
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch
create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch
new file mode 100644
index 00000000000..3a1a9db8cb3
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-1.patch
@@ -0,0 +1,113 @@
+From b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 23 Feb 2026 15:52:49 +0100
+Subject: [PATCH] xkb: Add additional bound checking in CheckKeyTypes()
+
+The function CheckKeyTypes() will loop over the client's request but
+won't perform any additional bound checking to ensure that the data
+read remains within the request bounds.
+
+As a result, a specifically crafted request may cause CheckKeyTypes() to
+read past the request data, as reported by valgrind:
+
+ == Invalid read of size 2
+ == at 0x5A3D1D: CheckKeyTypes (xkb.c:1694)
+ == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
+ == by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
+ == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
+ == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
+ == by 0x4A20DF: Dispatch (dispatch.c:551)
+ == by 0x4B03B4: dix_main (main.c:277)
+ == by 0x428941: main (stubmain.c:34)
+ == Address is 30 bytes after a block of size 28,672 in arena "client"
+ ==
+ == Invalid read of size 2
+ == at 0x5A3AB6: CheckKeyTypes (xkb.c:1669)
+ == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
+ == by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
+ == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
+ == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
+ == by 0x4A20DF: Dispatch (dispatch.c:551)
+ == by 0x4B03B4: dix_main (main.c:277)
+ == by 0x428941: main (stubmain.c:34)
+ == Address is 2 bytes after a block of size 28,672 alloc'd
+ == at 0x4848897: realloc (vg_replace_malloc.c:1804)
+ == by 0x5E357A: ReadRequestFromClient (io.c:336)
+ == by 0x4A1FAB: Dispatch (dispatch.c:519)
+ == by 0x4B03B4: dix_main (main.c:277)
+ == by 0x428941: main (stubmain.c:34)
+ ==
+ == Invalid write of size 2
+ == at 0x5A3AD7: CheckKeyTypes (xkb.c:1669)
+ == by 0x5A6A9C: _XkbSetMapChecks (xkb.c:2515)
+ == by 0x5A759E: ProcXkbSetMap (xkb.c:2736)
+ == by 0x5BF832: SProcXkbSetMap (xkbSwap.c:245)
+ == by 0x5C05ED: SProcXkbDispatch (xkbSwap.c:501)
+ == by 0x4A20DF: Dispatch (dispatch.c:551)
+ == by 0x4B03B4: dix_main (main.c:277)
+ == by 0x428941: main (stubmain.c:34)
+ == Address is 2 bytes after a block of size 28,672 alloc'd
+ == at 0x4848897: realloc (vg_replace_malloc.c:1804)
+ == by 0x5E357A: ReadRequestFromClient (io.c:336)
+ == by 0x4A1FAB: Dispatch (dispatch.c:519)
+ == by 0x4B03B4: dix_main (main.c:277)
+ == by 0x428941: main (stubmain.c:34)
+ ==
+
+To avoid that issue, add additional bounds checking within the loops by
+calling _XkbCheckRequestBounds() and report an error if we are to read
+past the client's request.
+
+CVE-2026-34003, ZDI-CAN-28736
+
+This vulnerability was discovered by:
+Jan-Niklas Sohn working with TrendAI Zero Day Initiative
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/b85b00dd7b9eee05e3c12e7ad1fce4fc6671507b]
+CVE: CVE-2026-34003
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xkb/xkb.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 3fcc6c4..0ef634b 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -1639,6 +1639,10 @@ CheckKeyTypes(ClientPtr client,
+ for (i = 0; i < req->nTypes; i++) {
+ unsigned width;
+
++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
++ *nMapsRtrn = _XkbErrCode3(0x0b, req->nTypes, i);
++ return 0;
++ }
+ if (client->swapped && doswap) {
+ swaps(&wire->virtualMods);
+ }
+@@ -1664,7 +1668,18 @@ CheckKeyTypes(ClientPtr client,
+ xkbModsWireDesc *preWire;
+
+ mapWire = (xkbKTSetMapEntryWireDesc *) &wire[1];
++ if (!_XkbCheckRequestBounds(client, req, mapWire,
++ &mapWire[wire->nMapEntries])) {
++ *nMapsRtrn = _XkbErrCode3(0x0c, i, wire->nMapEntries);
++ return 0;
++ }
+ preWire = (xkbModsWireDesc *) &mapWire[wire->nMapEntries];
++ if (wire->preserve &&
++ !_XkbCheckRequestBounds(client, req, preWire,
++ &preWire[wire->nMapEntries])) {
++ *nMapsRtrn = _XkbErrCode3(0x0d, i, wire->nMapEntries);
++ return 0;
++ }
+ for (n = 0; n < wire->nMapEntries; n++) {
+ if (client->swapped && doswap) {
+ swaps(&mapWire[n].virtualMods);
+--
+2.43.0
+
diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch
new file mode 100644
index 00000000000..15b2b946d50
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2026-34003-2.patch
@@ -0,0 +1,223 @@
+From d38c563fab5c4a554e0939da39e4d1dadef7cbae Mon Sep 17 00:00:00 2001
+From: Olivier Fourdan <ofourdan@redhat.com>
+Date: Mon, 2 Mar 2026 14:09:57 +0100
+Subject: [PATCH] xkb: Add more _XkbCheckRequestBounds()
+
+Similar to the recent fixes, add more _XkbCheckRequestBounds() to the
+functions that loop over the request data, i.e.:
+
+ * CheckKeySyms()
+ * CheckKeyActions()
+ * CheckKeyBehaviors()
+ * CheckVirtualMods()
+ * CheckKeyExplicit()
+ * CheckVirtualModMap()
+ * _XkbSetMapChecks()
+
+All these are static functions so we can add the client to the parameters
+without breaking any API.
+
+See also:
+CVE-2026-34003, ZDI-CAN-28736, CVE-2026-34002, ZDI-CAN-28737
+
+v2: Check for "nSyms != 0" in CheckKeySyms() to avoid false positives.
+
+Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
+Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
+Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2176>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/d38c563fab5c4a554e0939da39e4d1dadef7cbae]
+CVE: CVE-2026-34003
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ xkb/xkb.c | 69 ++++++++++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 55 insertions(+), 14 deletions(-)
+
+diff --git a/xkb/xkb.c b/xkb/xkb.c
+index 0ef634b..6320914 100644
+--- a/xkb/xkb.c
++++ b/xkb/xkb.c
+@@ -1752,6 +1752,11 @@ CheckKeySyms(ClientPtr client,
+ KeySym *pSyms;
+ register unsigned nG;
+
++ /* Check we received enough data to read the next xkbSymMapWireDesc */
++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
++ *errorRtrn = _XkbErrCode3(0x18, i + req->firstKeySym, i);
++ return 0;
++ }
+ if (client->swapped && doswap) {
+ swaps(&wire->nSyms);
+ }
+@@ -1790,6 +1795,12 @@ CheckKeySyms(ClientPtr client,
+ return 0;
+ }
+ pSyms = (KeySym *) &wire[1];
++ if (wire->nSyms != 0) {
++ if (!_XkbCheckRequestBounds(client, req, pSyms, &pSyms[wire->nSyms])) {
++ *errorRtrn = _XkbErrCode3(0x19, i + req->firstKeySym, wire->nSyms);
++ return 0;
++ }
++ }
+ wire = (xkbSymMapWireDesc *) &pSyms[wire->nSyms];
+ }
+
+@@ -1813,11 +1824,12 @@ CheckKeySyms(ClientPtr client,
+ }
+
+ static int
+-CheckKeyActions(XkbDescPtr xkb,
+- xkbSetMapReq * req,
+- int nTypes,
+- CARD8 *mapWidths,
+- CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn)
++CheckKeyActions(ClientPtr client,
++ XkbDescPtr xkb,
++ xkbSetMapReq * req,
++ int nTypes,
++ CARD8 *mapWidths,
++ CARD16 *symsPerKey, CARD8 **wireRtrn, int *nActsRtrn)
+ {
+ int nActs;
+ CARD8 *wire = *wireRtrn;
+@@ -1828,6 +1840,11 @@ CheckKeyActions(XkbDescPtr xkb,
+ CHK_REQ_KEY_RANGE2(0x21, req->firstKeyAct, req->nKeyActs, req, (*nActsRtrn),
+ 0);
+ for (nActs = i = 0; i < req->nKeyActs; i++) {
++ /* Check we received enough data to read the next byte on the wire */
++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
++ *nActsRtrn = _XkbErrCode3(0x24, i + req->firstKeyAct, i);
++ return 0;
++ }
+ if (wire[0] != 0) {
+ if (wire[0] == symsPerKey[i + req->firstKeyAct])
+ nActs += wire[0];
+@@ -1846,7 +1863,8 @@ CheckKeyActions(XkbDescPtr xkb,
+ }
+
+ static int
+-CheckKeyBehaviors(XkbDescPtr xkb,
++CheckKeyBehaviors(ClientPtr client,
++ XkbDescPtr xkb,
+ xkbSetMapReq * req,
+ xkbBehaviorWireDesc ** wireRtrn, int *errorRtrn)
+ {
+@@ -1872,6 +1890,11 @@ CheckKeyBehaviors(XkbDescPtr xkb,
+ }
+
+ for (i = 0; i < req->totalKeyBehaviors; i++, wire++) {
++ /* Check we received enough data to read the next behavior */
++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
++ *errorRtrn = _XkbErrCode3(0x36, first, i);
++ return 0;
++ }
+ if ((wire->key < first) || (wire->key > last)) {
+ *errorRtrn = _XkbErrCode4(0x33, first, last, wire->key);
+ return 0;
+@@ -1897,7 +1920,8 @@ CheckKeyBehaviors(XkbDescPtr xkb,
+ }
+
+ static int
+-CheckVirtualMods(XkbDescRec * xkb,
++CheckVirtualMods(ClientPtr client,
++ XkbDescRec * xkb,
+ xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn)
+ {
+ register CARD8 *wire = *wireRtrn;
+@@ -1909,12 +1933,18 @@ CheckVirtualMods(XkbDescRec * xkb,
+ if (req->virtualMods & bit)
+ nMods++;
+ }
++ /* Check we received enough data for the number of virtual mods expected */
++ if (!_XkbCheckRequestBounds(client, req, wire, wire + XkbPaddedSize(nMods))) {
++ *errorRtrn = _XkbErrCode3(0x37, nMods, i);
++ return 0;
++ }
+ *wireRtrn = (wire + XkbPaddedSize(nMods));
+ return 1;
+ }
+
+ static int
+-CheckKeyExplicit(XkbDescPtr xkb,
++CheckKeyExplicit(ClientPtr client,
++ XkbDescPtr xkb,
+ xkbSetMapReq * req, CARD8 **wireRtrn, int *errorRtrn)
+ {
+ register CARD8 *wire = *wireRtrn;
+@@ -1940,6 +1970,11 @@ CheckKeyExplicit(XkbDescPtr xkb,
+ }
+ start = wire;
+ for (i = 0; i < req->totalKeyExplicit; i++, wire += 2) {
++ /* Check we received enough data to read the next two bytes */
++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 2)) {
++ *errorRtrn = _XkbErrCode4(0x54, first, last, i);
++ return 0;
++ }
+ if ((wire[0] < first) || (wire[0] > last)) {
+ *errorRtrn = _XkbErrCode4(0x53, first, last, wire[0]);
+ return 0;
+@@ -1995,7 +2030,8 @@ CheckModifierMap(ClientPtr client, XkbDescPtr xkb, xkbSetMapReq * req,
+ }
+
+ static int
+-CheckVirtualModMap(XkbDescPtr xkb,
++CheckVirtualModMap(ClientPtr client,
++ XkbDescPtr xkb,
+ xkbSetMapReq * req,
+ xkbVModMapWireDesc ** wireRtrn, int *errRtrn)
+ {
+@@ -2019,6 +2055,11 @@ CheckVirtualModMap(XkbDescPtr xkb,
+ return 0;
+ }
+ for (i = 0; i < req->totalVModMapKeys; i++, wire++) {
++ /* Check we received enough data to read the next virtual mod map key */
++ if (!_XkbCheckRequestBounds(client, req, wire, wire + 1)) {
++ *errRtrn = _XkbErrCode3(0x74, first, i);
++ return 0;
++ }
+ if ((wire->key < first) || (wire->key > last)) {
+ *errRtrn = _XkbErrCode4(0x73, first, last, wire->key);
+ return 0;
+@@ -2563,7 +2604,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
+ }
+
+ if ((req->present & XkbKeyActionsMask) &&
+- (!CheckKeyActions(xkb, req, nTypes, mapWidths, symsPerKey,
++ (!CheckKeyActions(client, xkb, req, nTypes, mapWidths, symsPerKey,
+ (CARD8 **) &values, &nActions))) {
+ client->errorValue = nActions;
+ return BadValue;
+@@ -2571,18 +2612,18 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
+
+ if ((req->present & XkbKeyBehaviorsMask) &&
+ (!CheckKeyBehaviors
+- (xkb, req, (xkbBehaviorWireDesc **) &values, &error))) {
++ (client, xkb, req, (xkbBehaviorWireDesc **) &values, &error))) {
+ client->errorValue = error;
+ return BadValue;
+ }
+
+ if ((req->present & XkbVirtualModsMask) &&
+- (!CheckVirtualMods(xkb, req, (CARD8 **) &values, &error))) {
++ (!CheckVirtualMods(client, xkb, req, (CARD8 **) &values, &error))) {
+ client->errorValue = error;
+ return BadValue;
+ }
+ if ((req->present & XkbExplicitComponentsMask) &&
+- (!CheckKeyExplicit(xkb, req, (CARD8 **) &values, &error))) {
++ (!CheckKeyExplicit(client, xkb, req, (CARD8 **) &values, &error))) {
+ client->errorValue = error;
+ return BadValue;
+ }
+@@ -2593,7 +2634,7 @@ _XkbSetMapChecks(ClientPtr client, DeviceIntPtr dev, xkbSetMapReq * req,
+ }
+ if ((req->present & XkbVirtualModMapMask) &&
+ (!CheckVirtualModMap
+- (xkb, req, (xkbVModMapWireDesc **) &values, &error))) {
++ (client, xkb, req, (xkbVModMapWireDesc **) &values, &error))) {
+ client->errorValue = error;
+ return BadValue;
+ }
+--
+2.43.0
+
diff --git a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
index e7412e20116..8d5cb05beb9 100644
--- a/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_23.2.5.bb
@@ -39,6 +39,8 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
file://CVE-2026-34000.patch \
file://CVE-2026-34001.patch \
file://CVE-2026-34002.patch \
+ file://CVE-2026-34003-1.patch \
+ file://CVE-2026-34003-2.patch \
"
SRC_URI[sha256sum] = "33ec7ff2687a59faaa52b9b09aa8caf118e7ecb6aed8953f526a625ff9f4bd90"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 14/19] libusb1: fix CVE-2026-23679 and CVE-2026-47104
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (12 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 13/19] xwayland: Fix CVE-2026-34003 Yoann Congal
@ 2026-06-29 14:19 ` Yoann Congal
2026-06-29 14:20 ` [OE-core][scarthgap 15/19] nfs-utils: fix CVE-2025-12801 Yoann Congal
` (4 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:19 UTC (permalink / raw)
To: openembedded-core
From: Anil Dongare <adongare@cisco.com>
- Pick the upstream patch [1] as mentioned in [2] and [3].
- To successfully apply the fixed commit, apply the dependent commits [4], which are
included in v1.0.28.
[1] https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231
[2] https://security-tracker.debian.org/tracker/CVE-2026-23679.
[3] https://security-tracker.debian.org/tracker/CVE-2026-47104.
[4] https://github.com/libusb/libusb/commit/016a0de33ac94b19c7772d6c20fbea7fec23bf68
Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
...-2026-23679_CVE-2026-47104-dependent.patch | 46 ++++++++++
.../CVE-2026-23679_CVE-2026-47104.patch | 88 +++++++++++++++++++
meta/recipes-support/libusb/libusb1_1.0.27.bb | 2 +
3 files changed, 136 insertions(+)
create mode 100644 meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch
create mode 100644 meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch
diff --git a/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch
new file mode 100644
index 00000000000..04f1e684263
--- /dev/null
+++ b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104-dependent.patch
@@ -0,0 +1,46 @@
+From 2c1bb758e3b61355f50df61b6eb474d90bec2fab Mon Sep 17 00:00:00 2001
+From: Sean McBride <sean@rogue-research.com>
+Date: Sat, 3 Feb 2024 22:32:52 -0500
+Subject: [PATCH] descriptor: Fix potential offsetting of pointer by too
+ much
+
+This was checking that `size` is at least `LIBUSB_DT_CONFIG_SIZE` (9)
+bytes long, but then increments the pointer with `buf +=
+header.bLength`. That could end up pointing past of the end of the
+buffer. There is a subsequent check that would prevent dereferencing it,
+but it's still undefined behaviour to even create such a pointer.
+
+Add a check with a similar pattern as elsewhere in this file.
+
+CVE: CVE-2026-23679 CVE-2026-47104
+Upstream-Status: Backport [https://github.com/libusb/libusb/commit/016a0de33ac94b19c7772d6c20fbea7fec23bf68]
+
+Backport Changes:
+- The upstream version_nano.h bump is omitted because this is a security
+ backport to libusb 1.0.27, not a version upgrade.
+
+(cherry picked from commit 016a0de33ac94b19c7772d6c20fbea7fec23bf68)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ libusb/descriptor.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/libusb/descriptor.c b/libusb/descriptor.c
+index 4623ad1..4862c69 100644
+--- a/libusb/descriptor.c
++++ b/libusb/descriptor.c
+@@ -1233,6 +1233,11 @@ static int parse_iad_array(struct libusb_context *ctx,
+ header.bLength);
+ return LIBUSB_ERROR_IO;
+ }
++ else if (header.bLength > size) {
++ usbi_warn(ctx, "short config descriptor read %d/%u",
++ size, header.bLength);
++ return LIBUSB_ERROR_IO;
++ }
+ if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION)
+ iad_array->length++;
+ buf += header.bLength;
+--
+2.43.7
+
diff --git a/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch
new file mode 100644
index 00000000000..d868207e9aa
--- /dev/null
+++ b/meta/recipes-support/libusb/libusb1/CVE-2026-23679_CVE-2026-47104.patch
@@ -0,0 +1,88 @@
+From 0735213e5118d5c9c732b7c891446b35e0d6b8d5 Mon Sep 17 00:00:00 2001
+From: MarkLee131 <kaixuan.li@ntu.edu.sg>
+Date: Sat, 25 Apr 2026 18:33:17 +0800
+Subject: [PATCH] descriptor: Fix two memory-safety bugs in malformed
+ config descriptor handling
+
+Two issues reachable from a malformed config descriptor returned by an
+attached USB device, both surfaced by the same libFuzzer + ASan run.
+
+1) parse_interface() reads bNumEndpoints from the interface descriptor and
+ increments usb_interface->num_altsetting before entering the inner loop
+ that skips class/vendor specific descriptors ahead of the endpoint
+ array. If that loop's bLength > size short-read branch fires, the
+ function returns before the endpoint array is allocated, leaving the
+ caller with bNumEndpoints > 0 and endpoint == NULL. libusb.h documents
+ endpoint as an array sized by bNumEndpoints, and the testlibusb and
+ xusb examples both iterate it accordingly, so a NULL deref follows.
+ Reset bNumEndpoints to 0 before returning so the invariant holds.
+
+2) The first-pass loop in parse_iad_array() compares header.bLength
+ against the original size argument instead of the remaining bytes,
+ so a single descriptor with bLength == size - 1 lets consumed reach
+ size - 1 and the next iteration enters with only one byte of buffer
+ left. The buf[1] read on the second line of the loop body lands one
+ byte past the malloc allocation that backs the descriptor data. The
+ sibling parsers parse_configuration() and parse_interface() in the
+ same file already use the remaining-bytes form. Switch the IAD parser
+ loop guard and bound check to match.
+
+Both code paths are reachable from public APIs (libusb_get_*_config_descriptor
+and libusb_get_*_interface_association_descriptors), with the malformed
+input supplied by the attached device. Minimal reproducers are 20 and
+9 bytes respectively.
+
+Fixes #1813
+
+CVE: CVE-2026-23679 CVE-2026-47104
+Upstream-Status: Backport [https://github.com/libusb/libusb/commit/bc0886173ea15b8cc9bba2918f58a97a7f185231]
+
+Backport Changes:
+- The upstream version_nano.h bump is omitted because this is a security
+ backport to libusb 1.0.27, not a version upgrade.
+
+Signed-off-by: MarkLee131 <kaixuan.li@ntu.edu.sg>
+(cherry picked from commit bc0886173ea15b8cc9bba2918f58a97a7f185231)
+Signed-off-by: Anil Dongare <adongare@cisco.com>
+---
+ libusb/descriptor.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/libusb/descriptor.c b/libusb/descriptor.c
+index 4862c69..97143bb 100644
+--- a/libusb/descriptor.c
++++ b/libusb/descriptor.c
+@@ -260,6 +260,10 @@ static int parse_interface(libusb_context *ctx,
+ usbi_warn(ctx,
+ "short extra intf desc read %d/%u",
+ size, header->bLength);
++ /* Keep the invariant: bNumEndpoints > 0 implies
++ * endpoint != NULL. The endpoint array isn't
++ * allocated yet on this early return. */
++ ifp->bNumEndpoints = 0;
+ return parsed;
+ }
+
+@@ -1226,16 +1230,16 @@ static int parse_iad_array(struct libusb_context *ctx,
+
+ // First pass: Iterate through desc list, count number of IADs
+ iad_array->length = 0;
+- while (consumed < size) {
++ while (size - consumed >= DESC_HEADER_LENGTH) {
+ parse_descriptor(buf, "bb", &header);
+ if (header.bLength < 2) {
+ usbi_err(ctx, "invalid descriptor bLength %d",
+ header.bLength);
+ return LIBUSB_ERROR_IO;
+ }
+- else if (header.bLength > size) {
++ else if (header.bLength > size - consumed) {
+ usbi_warn(ctx, "short config descriptor read %d/%u",
+- size, header.bLength);
++ size - consumed, header.bLength);
+ return LIBUSB_ERROR_IO;
+ }
+ if (header.bDescriptorType == LIBUSB_DT_INTERFACE_ASSOCIATION)
+--
+2.43.7
+
diff --git a/meta/recipes-support/libusb/libusb1_1.0.27.bb b/meta/recipes-support/libusb/libusb1_1.0.27.bb
index 5bf854f95d4..3c463301644 100644
--- a/meta/recipes-support/libusb/libusb1_1.0.27.bb
+++ b/meta/recipes-support/libusb/libusb1_1.0.27.bb
@@ -14,6 +14,8 @@ BBCLASSEXTEND = "native nativesdk"
SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/libusb-${PV}.tar.bz2 \
file://run-ptest \
+ file://CVE-2026-23679_CVE-2026-47104-dependent.patch \
+ file://CVE-2026-23679_CVE-2026-47104.patch \
"
GITHUB_BASE_URI = "https://github.com/libusb/libusb/releases"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 15/19] nfs-utils: fix CVE-2025-12801
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (13 preceding siblings ...)
2026-06-29 14:19 ` [OE-core][scarthgap 14/19] libusb1: fix CVE-2026-23679 and CVE-2026-47104 Yoann Congal
@ 2026-06-29 14:20 ` Yoann Congal
2026-06-29 14:20 ` [OE-core][scarthgap 16/19] cve-update-nvd2-native: allow setting resultsPerPage Yoann Congal
` (3 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:20 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
- This patch applies the upstream fix [5] as referenced in [7].
- To successfully apply the fixed commit, apply the dependent commits [2] to [4]
which are included in v2.8.6, as referenced in [7].
- Additionally, include dependent commit [1] from v2.8.3, as referenced in [8]
under the [2.5.4-38.2] description, along with compilation fix commit [6]
from v2.7.1
- Reference:
[1] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f2925790
[2] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=7e8b36522f58
[3] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=42f01e6a78fe
[4] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=51738ae56d92
[5] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=f36bd900a899
[6] https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=a2c95e4f557a
[7] https://security-tracker.debian.org/tracker/CVE-2025-12801
[8] https://linux.oracle.com/errata/ELSA-2026-3940.html
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../nfs-utils/CVE-2025-12801-build-fix.patch | 44 ++
.../CVE-2025-12801-dependent_p1.patch | 450 +++++++++++++++++
.../CVE-2025-12801-dependent_p2.patch | 81 +++
.../CVE-2025-12801-dependent_p3.patch | 181 +++++++
.../CVE-2025-12801-dependent_p4.patch | 468 ++++++++++++++++++
.../nfs-utils/nfs-utils/CVE-2025-12801.patch | 254 ++++++++++
.../nfs-utils/nfs-utils_2.6.4.bb | 6 +
7 files changed, 1484 insertions(+)
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch
create mode 100644 meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch
new file mode 100644
index 00000000000..d7aaca22425
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-build-fix.patch
@@ -0,0 +1,44 @@
+From 30e0f57fff545b0bb3071fa071c7b12c2923bac8 Mon Sep 17 00:00:00 2001
+From: Steve Dickson <steved@redhat.com>
+Date: Mon, 22 Jan 2024 13:23:57 -0500
+Subject: [PATCH] reexport.c: Some Distros need the following include to
+ avoid the following error
+
+reexport.c: In function ‘connect_fsid_service’:
+reexport.c:41:28: error: implicit declaration of function ‘offsetof’ [-Werror=implicit-function-declaration]
+ 41 | addr_len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path);
+ | ^~~~~~~~
+reexport.c:19:1: note: ‘offsetof’ is defined in header ‘<stddef.h>’; did you forget to ‘#include <stddef.h>’?
+ 18 | #include "xlog.h"
+ +++ |+#include <stddef.h>
+ 19 |
+reexport.c:41:37: error: expected expression before ‘struct’
+ 41 | addr_len = offsetof(struct sockaddr_un, sun_path) + strlen(addr.sun_path);
+ | ^~~~~~
+cc1: some warnings being treated as errors
+
+CVE: CVE-2025-12801
+Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=a2c95e4f557a71b482bb62bad6d93ddde51e5dc6]
+
+Signed-off-by: Steve Dickson <steved@redhat.com>
+(cherry picked from commit a2c95e4f557a71b482bb62bad6d93ddde51e5dc6)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ support/reexport/reexport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/support/reexport/reexport.c b/support/reexport/reexport.c
+index 78516586..16dde0fb 100644
+--- a/support/reexport/reexport.c
++++ b/support/reexport/reexport.c
+@@ -8,6 +8,7 @@
+ #include <sys/types.h>
+ #include <sys/vfs.h>
+ #include <errno.h>
++#include <stddef.h>
+
+ #include "nfsd_path.h"
+ #include "conffile.h"
+--
+2.44.4
+
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch
new file mode 100644
index 00000000000..c1fb7c2f12e
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p1.patch
@@ -0,0 +1,450 @@
+From bbec1c68cbf9a9b3b28aad213b4573d288879a6f Mon Sep 17 00:00:00 2001
+From: Christopher Bii <christopherbii@hyub.org>
+Date: Wed, 15 Jan 2025 12:10:48 -0500
+Subject: [PATCH] NFS export symlink vulnerability fix
+
+Replaced dangerous use of realpath within support/nfs/export.c with
+nfsd_realpath variant that is executed within the chrooted thread
+rather than main thread.
+
+Implemented nfsd_path.h methods to work securely within chrooted
+thread using nfsd_run_task() help
+
+CVE: CVE-2025-12801
+Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=cd90f29257904f36509ea5a04a86f42398fbe94a]
+
+Signed-off-by: Christopher Bii <christopherbii@hyub.org>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+(cherry picked from commit cd90f29257904f36509ea5a04a86f42398fbe94a)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ support/export/cache.c | 2 +-
+ support/include/nfsd_path.h | 5 +-
+ support/misc/nfsd_path.c | 257 +++++++++++-------------------------
+ support/nfs/exports.c | 3 +-
+ 4 files changed, 83 insertions(+), 184 deletions(-)
+
+diff --git a/support/export/cache.c b/support/export/cache.c
+index 6c0a44a3..a4c339f2 100644
+--- a/support/export/cache.c
++++ b/support/export/cache.c
+@@ -65,7 +65,7 @@ static ssize_t cache_read(int fd, char *buf, size_t len)
+ return nfsd_path_read(fd, buf, len);
+ }
+
+-static ssize_t cache_write(int fd, const char *buf, size_t len)
++static ssize_t cache_write(int fd, void *buf, size_t len)
+ {
+ return nfsd_path_write(fd, buf, len);
+ }
+diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h
+index aa1e1dd0..f600fb5a 100644
+--- a/support/include/nfsd_path.h
++++ b/support/include/nfsd_path.h
+@@ -8,6 +8,7 @@
+
+ struct file_handle;
+ struct statfs;
++struct nfsd_task_t;
+
+ void nfsd_path_init(void);
+
+@@ -23,8 +24,8 @@ int nfsd_path_statfs(const char *pathname,
+
+ char * nfsd_realpath(const char *path, char *resolved_path);
+
+-ssize_t nfsd_path_read(int fd, char *buf, size_t len);
+-ssize_t nfsd_path_write(int fd, const char *buf, size_t len);
++ssize_t nfsd_path_read(int fd, void* buf, size_t len);
++ssize_t nfsd_path_write(int fd, void* buf, size_t len);
+
+ int nfsd_name_to_handle_at(int fd, const char *path,
+ struct file_handle *fh,
+diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c
+index c3dea4f0..caec33ca 100644
+--- a/support/misc/nfsd_path.c
++++ b/support/misc/nfsd_path.c
+@@ -19,7 +19,20 @@
+ #include "nfsd_path.h"
+ #include "workqueue.h"
+
+-static struct xthread_workqueue *nfsd_wq;
++static struct xthread_workqueue *nfsd_wq = NULL;
++
++struct nfsd_task_t {
++ int ret;
++ void* data;
++};
++/* Function used to offload tasks that must be ran within the correct
++ * chroot environment.
++ */
++static void
++nfsd_run_task(void (*func)(void*), void* data){
++ nfsd_wq ? xthread_work_run_sync(nfsd_wq, func, data) : func(data);
++};
++
+
+ static int
+ nfsd_path_isslash(const char *path)
+@@ -124,224 +137,119 @@ nfsd_path_init(void)
+ }
+
+ struct nfsd_stat_data {
+- const char *pathname;
+- struct stat *statbuf;
+- int ret;
+- int err;
++ const char *pathname;
++ struct stat *statbuf;
++ int (*stat_handler)(const char*, struct stat*);
+ };
+
+ static void
+-nfsd_statfunc(void *data)
+-{
+- struct nfsd_stat_data *d = data;
+-
+- d->ret = xstat(d->pathname, d->statbuf);
+- if (d->ret < 0)
+- d->err = errno;
+-}
+-
+-static void
+-nfsd_lstatfunc(void *data)
++nfsd_handle_stat(void *data)
+ {
+- struct nfsd_stat_data *d = data;
+-
+- d->ret = xlstat(d->pathname, d->statbuf);
+- if (d->ret < 0)
+- d->err = errno;
++ struct nfsd_task_t* t = data;
++ struct nfsd_stat_data* d = t->data;
++ t->ret = d->stat_handler(d->pathname, d->statbuf);
+ }
+
+ static int
+-nfsd_run_stat(struct xthread_workqueue *wq,
+- void (*func)(void *),
+- const char *pathname,
+- struct stat *statbuf)
++nfsd_run_stat(const char *pathname,
++ struct stat *statbuf,
++ int (*handler)(const char*, struct stat*))
+ {
+- struct nfsd_stat_data data = {
+- pathname,
+- statbuf,
+- 0,
+- 0
+- };
+- xthread_work_run_sync(wq, func, &data);
+- if (data.ret < 0)
+- errno = data.err;
+- return data.ret;
++ struct nfsd_task_t t;
++ struct nfsd_stat_data d = { pathname, statbuf, handler };
++ t.data = &d;
++ nfsd_run_task(nfsd_handle_stat, &t);
++ return t.ret;
+ }
+
+ int
+ nfsd_path_stat(const char *pathname, struct stat *statbuf)
+ {
+- if (!nfsd_wq)
+- return xstat(pathname, statbuf);
+- return nfsd_run_stat(nfsd_wq, nfsd_statfunc, pathname, statbuf);
++ return nfsd_run_stat(pathname, statbuf, stat);
+ }
+
+ int
+-nfsd_path_lstat(const char *pathname, struct stat *statbuf)
+-{
+- if (!nfsd_wq)
+- return xlstat(pathname, statbuf);
+- return nfsd_run_stat(nfsd_wq, nfsd_lstatfunc, pathname, statbuf);
+-}
+-
+-struct nfsd_statfs_data {
+- const char *pathname;
+- struct statfs *statbuf;
+- int ret;
+- int err;
++nfsd_path_lstat(const char* pathname, struct stat* statbuf){
++ return nfsd_run_stat(pathname, statbuf, lstat);
+ };
+
+-static void
+-nfsd_statfsfunc(void *data)
+-{
+- struct nfsd_statfs_data *d = data;
+-
+- d->ret = statfs(d->pathname, d->statbuf);
+- if (d->ret < 0)
+- d->err = errno;
+-}
+-
+-static int
+-nfsd_run_statfs(struct xthread_workqueue *wq,
+- const char *pathname,
+- struct statfs *statbuf)
+-{
+- struct nfsd_statfs_data data = {
+- pathname,
+- statbuf,
+- 0,
+- 0
+- };
+- xthread_work_run_sync(wq, nfsd_statfsfunc, &data);
+- if (data.ret < 0)
+- errno = data.err;
+- return data.ret;
+-}
+-
+ int
+-nfsd_path_statfs(const char *pathname, struct statfs *statbuf)
++nfsd_path_statfs(const char* pathname, struct statfs* statbuf)
+ {
+- if (!nfsd_wq)
+- return statfs(pathname, statbuf);
+- return nfsd_run_statfs(nfsd_wq, pathname, statbuf);
+-}
++ return nfsd_run_stat(pathname, (struct stat*)statbuf, (int (*)(const char*, struct stat*))statfs);
++};
+
+-struct nfsd_realpath_data {
+- const char *pathname;
+- char *resolved;
+- int err;
++struct nfsd_realpath_t {
++ const char* path;
++ char* resolved_buf;
++ char* res_ptr;
+ };
+
+ static void
+ nfsd_realpathfunc(void *data)
+ {
+- struct nfsd_realpath_data *d = data;
+-
+- d->resolved = realpath(d->pathname, d->resolved);
+- if (!d->resolved)
+- d->err = errno;
++ struct nfsd_realpath_t *d = data;
++ d->res_ptr = realpath(d->path, d->resolved_buf);
+ }
+
+-char *
+-nfsd_realpath(const char *path, char *resolved_path)
++char*
++nfsd_realpath(const char *path, char *resolved_buf)
+ {
+- struct nfsd_realpath_data data = {
+- path,
+- resolved_path,
+- 0
+- };
+-
+- if (!nfsd_wq)
+- return realpath(path, resolved_path);
+-
+- xthread_work_run_sync(nfsd_wq, nfsd_realpathfunc, &data);
+- if (!data.resolved)
+- errno = data.err;
+- return data.resolved;
++ struct nfsd_realpath_t realpath_buf = {
++ .path = path,
++ .resolved_buf = resolved_buf
++ };
++ nfsd_run_task(nfsd_realpathfunc, &realpath_buf);
++ return realpath_buf.res_ptr;
+ }
+
+-struct nfsd_read_data {
+- int fd;
+- char *buf;
+- size_t len;
+- ssize_t ret;
+- int err;
++struct nfsd_rw_data {
++ int fd;
++ void* buf;
++ size_t len;
++ ssize_t bytes_read;
+ };
+
+ static void
+ nfsd_readfunc(void *data)
+ {
+- struct nfsd_read_data *d = data;
+-
+- d->ret = read(d->fd, d->buf, d->len);
+- if (d->ret < 0)
+- d->err = errno;
++ struct nfsd_rw_data* t = (struct nfsd_rw_data*)data;
++ t->bytes_read = read(t->fd, t->buf, t->len);
+ }
+
+ static ssize_t
+-nfsd_run_read(struct xthread_workqueue *wq, int fd, char *buf, size_t len)
++nfsd_run_read(int fd, void* buf, size_t len)
+ {
+- struct nfsd_read_data data = {
+- fd,
+- buf,
+- len,
+- 0,
+- 0
+- };
+- xthread_work_run_sync(wq, nfsd_readfunc, &data);
+- if (data.ret < 0)
+- errno = data.err;
+- return data.ret;
++ struct nfsd_rw_data d = { .fd = fd, .buf = buf, .len = len };
++ nfsd_run_task(nfsd_readfunc, &d);
++ return d.bytes_read;
+ }
+
+ ssize_t
+-nfsd_path_read(int fd, char *buf, size_t len)
++nfsd_path_read(int fd, void* buf, size_t len)
+ {
+- if (!nfsd_wq)
+- return read(fd, buf, len);
+- return nfsd_run_read(nfsd_wq, fd, buf, len);
++ return nfsd_run_read(fd, buf, len);
+ }
+
+-struct nfsd_write_data {
+- int fd;
+- const char *buf;
+- size_t len;
+- ssize_t ret;
+- int err;
+-};
+-
+ static void
+ nfsd_writefunc(void *data)
+ {
+- struct nfsd_write_data *d = data;
+-
+- d->ret = write(d->fd, d->buf, d->len);
+- if (d->ret < 0)
+- d->err = errno;
++ struct nfsd_rw_data* d = data;
++ d->bytes_read = write(d->fd, d->buf, d->len);
+ }
+
+ static ssize_t
+-nfsd_run_write(struct xthread_workqueue *wq, int fd, const char *buf, size_t len)
++nfsd_run_write(int fd, void* buf, size_t len)
+ {
+- struct nfsd_write_data data = {
+- fd,
+- buf,
+- len,
+- 0,
+- 0
+- };
+- xthread_work_run_sync(wq, nfsd_writefunc, &data);
+- if (data.ret < 0)
+- errno = data.err;
+- return data.ret;
++ struct nfsd_rw_data d = { .fd = fd, .buf = buf, .len = len };
++ nfsd_run_task(nfsd_writefunc, &d);
++ return d.bytes_read;
+ }
+
+ ssize_t
+-nfsd_path_write(int fd, const char *buf, size_t len)
++nfsd_path_write(int fd, void* buf, size_t len)
+ {
+- if (!nfsd_wq)
+- return write(fd, buf, len);
+- return nfsd_run_write(nfsd_wq, fd, buf, len);
++ return nfsd_run_write(fd, buf, len);
+ }
+
+ #if defined(HAVE_NAME_TO_HANDLE_AT)
+@@ -352,23 +260,18 @@ struct nfsd_handle_data {
+ int *mount_id;
+ int flags;
+ int ret;
+- int err;
+ };
+
+ static void
+ nfsd_name_to_handle_func(void *data)
+ {
+ struct nfsd_handle_data *d = data;
+-
+- d->ret = name_to_handle_at(d->fd, d->path,
+- d->fh, d->mount_id, d->flags);
+- if (d->ret < 0)
+- d->err = errno;
++ d->ret = name_to_handle_at(d->fd, d->path, d->fh, d->mount_id, d->flags);
+ }
+
+ static int
+-nfsd_run_name_to_handle_at(struct xthread_workqueue *wq,
+- int fd, const char *path, struct file_handle *fh,
++nfsd_run_name_to_handle_at(int fd, const char *path,
++ struct file_handle *fh,
+ int *mount_id, int flags)
+ {
+ struct nfsd_handle_data data = {
+@@ -377,25 +280,19 @@ nfsd_run_name_to_handle_at(struct xthread_workqueue *wq,
+ fh,
+ mount_id,
+ flags,
+- 0,
+ 0
+ };
+
+- xthread_work_run_sync(wq, nfsd_name_to_handle_func, &data);
+- if (data.ret < 0)
+- errno = data.err;
++ nfsd_run_task(nfsd_name_to_handle_func, &data);
+ return data.ret;
+ }
+
+ int
+-nfsd_name_to_handle_at(int fd, const char *path, struct file_handle *fh,
++nfsd_name_to_handle_at(int fd, const char *path,
++ struct file_handle *fh,
+ int *mount_id, int flags)
+ {
+- if (!nfsd_wq)
+- return name_to_handle_at(fd, path, fh, mount_id, flags);
+-
+- return nfsd_run_name_to_handle_at(nfsd_wq, fd, path, fh,
+- mount_id, flags);
++ return nfsd_run_name_to_handle_at(fd, path, fh, mount_id, flags);
+ }
+ #else
+ int
+diff --git a/support/nfs/exports.c b/support/nfs/exports.c
+index 15dc574c..c47e3d0a 100644
+--- a/support/nfs/exports.c
++++ b/support/nfs/exports.c
+@@ -32,6 +32,7 @@
+ #include "xio.h"
+ #include "pseudoflavors.h"
+ #include "reexport.h"
++#include "nfsd_path.h"
+
+ #define EXPORT_DEFAULT_FLAGS \
+ (NFSEXP_READONLY|NFSEXP_ROOTSQUASH|NFSEXP_GATHERED_WRITES|NFSEXP_NOSUBTREECHECK)
+@@ -200,7 +201,7 @@ getexportent(int fromkernel, int fromexports)
+ return NULL;
+ }
+ /* resolve symlinks */
+- if (realpath(ee.e_path, rpath) != NULL) {
++ if (nfsd_realpath(ee.e_path, rpath) != NULL) {
+ rpath[sizeof (rpath) - 1] = '\0';
+ strncpy(ee.e_path, rpath, sizeof (ee.e_path) - 1);
+ ee.e_path[sizeof (ee.e_path) - 1] = '\0';
+--
+2.35.6
+
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch
new file mode 100644
index 00000000000..f088eadb4bd
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p2.patch
@@ -0,0 +1,81 @@
+From a6ddd0e9594884cf61816478e8c561f1b3aac709 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 10 Nov 2025 11:26:03 -0500
+Subject: [PATCH] mountd: Minor refactor of get_rootfh()
+
+Perform the mountpoint checks before checking the user path.
+
+CVE: CVE-2025-12801
+Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=7e8b36522f58657359c6842119fc516c6dd1baa4]
+
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+(cherry picked from commit 7e8b36522f58657359c6842119fc516c6dd1baa4)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ utils/mountd/mountd.c | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c
+index dbd5546d..39afd4aa 100644
+--- a/utils/mountd/mountd.c
++++ b/utils/mountd/mountd.c
+@@ -412,6 +412,23 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret,
+ *error = MNT3ERR_ACCES;
+ return NULL;
+ }
++ if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) {
++ xlog(L_WARNING, "can't stat export point %s: %s",
++ p, strerror(errno));
++ *error = MNT3ERR_NOENT;
++ return NULL;
++ }
++ if (exp->m_export.e_mountpoint &&
++ !check_is_mountpoint(exp->m_export.e_mountpoint[0]?
++ exp->m_export.e_mountpoint:
++ exp->m_export.e_path,
++ nfsd_path_lstat)) {
++ xlog(L_WARNING, "request to export an unmounted filesystem: %s",
++ p);
++ *error = MNT3ERR_NOENT;
++ return NULL;
++ }
++
+ if (nfsd_path_stat(p, &stb) < 0) {
+ xlog(L_WARNING, "can't stat exported dir %s: %s",
+ p, strerror(errno));
+@@ -426,12 +443,6 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret,
+ *error = MNT3ERR_NOTDIR;
+ return NULL;
+ }
+- if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) {
+- xlog(L_WARNING, "can't stat export point %s: %s",
+- p, strerror(errno));
+- *error = MNT3ERR_NOENT;
+- return NULL;
+- }
+ if (estb.st_dev != stb.st_dev
+ && !(exp->m_export.e_flags & NFSEXP_CROSSMOUNT)) {
+ xlog(L_WARNING, "request to export directory %s below nearest filesystem %s",
+@@ -439,17 +450,6 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret,
+ *error = MNT3ERR_ACCES;
+ return NULL;
+ }
+- if (exp->m_export.e_mountpoint &&
+- !check_is_mountpoint(exp->m_export.e_mountpoint[0]?
+- exp->m_export.e_mountpoint:
+- exp->m_export.e_path,
+- nfsd_path_lstat)) {
+- xlog(L_WARNING, "request to export an unmounted filesystem: %s",
+- p);
+- *error = MNT3ERR_NOENT;
+- return NULL;
+- }
+-
+ /* This will be a static private nfs_export with just one
+ * address. We feed it to kernel then extract the filehandle,
+ */
+--
+2.44.4
+
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch
new file mode 100644
index 00000000000..901069e3b9f
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p3.patch
@@ -0,0 +1,181 @@
+From 57732919d26ce523161392d688e3b67d6fc50839 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 10 Nov 2025 11:28:39 -0500
+Subject: [PATCH] mountd: Separate lookup of the exported directory and the
+ mount path
+
+When the caller asks to mount a path that does not terminate with an
+exported directory, we want to split up the lookups so that we can
+look up the exported directory using the mountd privileged credential,
+and the remaining subdirectory lookups using the RPC caller's
+credential.
+
+CVE: CVE-2025-12801
+Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=42f01e6a78fed98f12437ac8b28cfb12b6bad056]
+
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+(cherry picked from commit 42f01e6a78fed98f12437ac8b28cfb12b6bad056)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ support/include/nfsd_path.h | 1 +
+ support/misc/nfsd_path.c | 31 ++++++++++++++++++
+ utils/mountd/mountd.c | 63 +++++++++++++++++++++++++++++++------
+ 3 files changed, 86 insertions(+), 9 deletions(-)
+
+diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h
+index f600fb5a..3e5a2f5d 100644
+--- a/support/include/nfsd_path.h
++++ b/support/include/nfsd_path.h
+@@ -18,6 +18,7 @@ char * nfsd_path_prepend_dir(const char *dir, const char *pathname);
+
+ int nfsd_path_stat(const char *pathname, struct stat *statbuf);
+ int nfsd_path_lstat(const char *pathname, struct stat *statbuf);
++int nfsd_openat(int dirfd, const char *path, int flags);
+
+ int nfsd_path_statfs(const char *pathname,
+ struct statfs *statbuf);
+diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c
+index caec33ca..dfe88e4f 100644
+--- a/support/misc/nfsd_path.c
++++ b/support/misc/nfsd_path.c
+@@ -203,6 +203,37 @@ nfsd_realpath(const char *path, char *resolved_buf)
+ return realpath_buf.res_ptr;
+ }
+
++struct nfsd_openat_t {
++ const char *path;
++ int dirfd;
++ int flags;
++ int res_fd;
++ int res_error;
++};
++
++static void nfsd_openatfunc(void *data)
++{
++ struct nfsd_openat_t *d = data;
++
++ d->res_fd = openat(d->dirfd, d->path, d->flags);
++ if (d->res_fd == -1)
++ d->res_error = errno;
++}
++
++int nfsd_openat(int dirfd, const char *path, int flags)
++{
++ struct nfsd_openat_t open_buf = {
++ .path = path,
++ .dirfd = dirfd,
++ .flags = flags,
++ };
++
++ nfsd_run_task(nfsd_openatfunc, &open_buf);
++ if (open_buf.res_fd == -1)
++ errno = open_buf.res_error;
++ return open_buf.res_fd;
++}
++
+ struct nfsd_rw_data {
+ int fd;
+ void* buf;
+diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c
+index 39afd4aa..f43ebef5 100644
+--- a/utils/mountd/mountd.c
++++ b/utils/mountd/mountd.c
+@@ -392,7 +392,10 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret,
+ struct nfs_fh_len *fh;
+ char rpath[MAXPATHLEN+1];
+ char *p = *path;
++ char *subpath;
+ char buf[INET6_ADDRSTRLEN];
++ size_t epathlen;
++ int dirfd;
+
+ if (*p == '\0')
+ p = "/";
+@@ -412,12 +415,21 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret,
+ *error = MNT3ERR_ACCES;
+ return NULL;
+ }
+- if (nfsd_path_stat(exp->m_export.e_path, &estb) < 0) {
+- xlog(L_WARNING, "can't stat export point %s: %s",
++
++ dirfd = nfsd_openat(AT_FDCWD, exp->m_export.e_path, O_PATH);
++ if (dirfd == -1) {
++ xlog(L_WARNING, "can't open export point %s: %s",
+ p, strerror(errno));
+ *error = MNT3ERR_NOENT;
+ return NULL;
+ }
++ if (fstat(dirfd, &estb) == -1) {
++ xlog(L_WARNING, "can't stat export point %s: %s",
++ p, strerror(errno));
++ *error = MNT3ERR_ACCES;
++ close(dirfd);
++ return NULL;
++ }
+ if (exp->m_export.e_mountpoint &&
+ !check_is_mountpoint(exp->m_export.e_mountpoint[0]?
+ exp->m_export.e_mountpoint:
+@@ -426,18 +438,51 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret,
+ xlog(L_WARNING, "request to export an unmounted filesystem: %s",
+ p);
+ *error = MNT3ERR_NOENT;
++ close(dirfd);
+ return NULL;
+ }
+
+- if (nfsd_path_stat(p, &stb) < 0) {
+- xlog(L_WARNING, "can't stat exported dir %s: %s",
+- p, strerror(errno));
+- if (errno == ENOENT)
+- *error = MNT3ERR_NOENT;
+- else
+- *error = MNT3ERR_ACCES;
++ epathlen = strlen(exp->m_export.e_path);
++ if (epathlen > strlen(p)) {
++ xlog(L_WARNING, "raced with change of exported path: %s", p);
++ *error = MNT3ERR_NOENT;
++ close(dirfd);
+ return NULL;
+ }
++ subpath = &p[epathlen];
++ while (*subpath == '/')
++ subpath++;
++ if (*subpath != '\0') {
++ int fd;
++
++ /* Just perform a lookup of the path */
++ fd = nfsd_openat(dirfd, subpath, O_PATH);
++ close(dirfd);
++ if (fd == -1) {
++ xlog(L_WARNING, "can't open exported dir %s: %s", p,
++ strerror(errno));
++ if (errno == ENOENT)
++ *error = MNT3ERR_NOENT;
++ else
++ *error = MNT3ERR_ACCES;
++ return NULL;
++ }
++ if (fstat(fd, &stb) == -1) {
++ xlog(L_WARNING, "can't open exported dir %s: %s", p,
++ strerror(errno));
++ if (errno == ENOENT)
++ *error = MNT3ERR_NOENT;
++ else
++ *error = MNT3ERR_ACCES;
++ close(fd);
++ return NULL;
++ }
++ close(fd);
++ } else {
++ close(dirfd);
++ stb = estb;
++ }
++
+ if (!S_ISDIR(stb.st_mode) && !S_ISREG(stb.st_mode)) {
+ xlog(L_WARNING, "%s is not a directory or regular file", p);
+ *error = MNT3ERR_NOTDIR;
+--
+2.35.6
+
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch
new file mode 100644
index 00000000000..4ef529e7373
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801-dependent_p4.patch
@@ -0,0 +1,468 @@
+From 7eef498b6bd01adc45415b03ddf321c84f82aa45 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Mon, 10 Nov 2025 12:18:38 -0500
+Subject: [PATCH] support: Add a mini-library to extract and apply RPC
+ credentials
+
+Add server functionality to extract the credentials from the client RPC
+call, and apply them. This is needed in order to perform access checking
+on the requested path in the mountd daemon.
+
+CVE: CVE-2025-12801
+Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=51738ae56d922d4961e60dad73ad1c2d97d8d99b]
+
+Backport Changes:
+- In support/misc/Makefile.am, the non-essential file.c was omitted
+ as it does not exist in the current nfs-utils version.
+
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+(cherry picked from commit 51738ae56d922d4961e60dad73ad1c2d97d8d99b)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ aclocal/libtirpc.m4 | 11 +++
+ support/include/Makefile.am | 1 +
+ support/include/nfs_ucred.h | 44 ++++++++++
+ support/misc/Makefile.am | 2 +-
+ support/misc/ucred.c | 162 ++++++++++++++++++++++++++++++++++++
+ support/nfs/Makefile.am | 2 +-
+ support/nfs/ucred.c | 147 ++++++++++++++++++++++++++++++++
+ 7 files changed, 367 insertions(+), 2 deletions(-)
+ create mode 100644 support/include/nfs_ucred.h
+ create mode 100644 support/misc/ucred.c
+ create mode 100644 support/nfs/ucred.c
+
+diff --git a/aclocal/libtirpc.m4 b/aclocal/libtirpc.m4
+index bddae022..84e18f7e 100644
+--- a/aclocal/libtirpc.m4
++++ b/aclocal/libtirpc.m4
+@@ -26,6 +26,17 @@ AC_DEFUN([AC_LIBTIRPC], [
+ [Define to 1 if your tirpc library provides libtirpc_set_debug])],,
+ [${LIBS}])])
+
++ AS_IF([test -n "${LIBTIRPC}"],
++ [AC_CHECK_LIB([tirpc], [rpc_gss_getcred],
++ [AC_DEFINE([HAVE_TIRPC_GSS_GETCRED], [1],
++ [Define to 1 if your tirpc library provides rpc_gss_getcred])],,
++ [${LIBS}])])
++
++ AS_IF([test -n "${LIBTIRPC}"],
++ [AC_CHECK_LIB([tirpc], [authdes_getucred],
++ [AC_DEFINE([HAVE_TIRPC_AUTHDES_GETUCRED], [1],
++ [Define to 1 if your tirpc library provides authdes_getucred])],,
++ [${LIBS}])])
+ AC_SUBST([AM_CPPFLAGS])
+ AC_SUBST(LIBTIRPC)
+
+diff --git a/support/include/Makefile.am b/support/include/Makefile.am
+index 1373891a..631a84f8 100644
+--- a/support/include/Makefile.am
++++ b/support/include/Makefile.am
+@@ -10,6 +10,7 @@ noinst_HEADERS = \
+ misc.h \
+ nfs_mntent.h \
+ nfs_paths.h \
++ nfs_ucred.h \
+ nfsd_path.h \
+ nfslib.h \
+ nfsrpc.h \
+diff --git a/support/include/nfs_ucred.h b/support/include/nfs_ucred.h
+new file mode 100644
+index 00000000..d58b61e4
+--- /dev/null
++++ b/support/include/nfs_ucred.h
+@@ -0,0 +1,44 @@
++#ifndef _NFS_UCRED_H
++#define _NFS_UCRED_H
++
++#include <sys/types.h>
++
++struct nfs_ucred {
++ uid_t uid;
++ gid_t gid;
++ int ngroups;
++ gid_t *groups;
++};
++
++struct svc_req;
++struct exportent;
++
++int nfs_ucred_get(struct nfs_ucred **credp, struct svc_req *rqst,
++ const struct exportent *ep);
++
++void nfs_ucred_squash_groups(struct nfs_ucred *cred,
++ const struct exportent *ep);
++int nfs_ucred_reload_groups(struct nfs_ucred *cred, const struct exportent *ep);
++int nfs_ucred_swap_effective(const struct nfs_ucred *cred,
++ struct nfs_ucred **savedp);
++
++static inline void nfs_ucred_free(struct nfs_ucred *cred)
++{
++ free(cred->groups);
++ free(cred);
++}
++
++static inline void nfs_ucred_init_groups(struct nfs_ucred *cred, gid_t *groups,
++ int ngroups)
++{
++ cred->groups = groups;
++ cred->ngroups = ngroups;
++}
++
++static inline void nfs_ucred_free_groups(struct nfs_ucred *cred)
++{
++ free(cred->groups);
++ nfs_ucred_init_groups(cred, NULL, 0);
++}
++
++#endif /* _NFS_UCRED_H */
+diff --git a/support/misc/Makefile.am b/support/misc/Makefile.am
+index 8b0e9db9..ea970064 100644
+--- a/support/misc/Makefile.am
++++ b/support/misc/Makefile.am
+@@ -2,6 +2,6 @@
+
+ noinst_LIBRARIES = libmisc.a
+ libmisc_a_SOURCES = tcpwrapper.c from_local.c mountpoint.c misc.c \
+- nfsd_path.c workqueue.c xstat.c
++ nfsd_path.c ucred.c workqueue.c xstat.c
+
+ MAINTAINERCLEANFILES = Makefile.in
+diff --git a/support/misc/ucred.c b/support/misc/ucred.c
+new file mode 100644
+index 00000000..92d97912
+--- /dev/null
++++ b/support/misc/ucred.c
+@@ -0,0 +1,162 @@
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <alloca.h>
++#include <errno.h>
++#include <pwd.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <grp.h>
++
++#include "exportfs.h"
++#include "nfs_ucred.h"
++
++#include "xlog.h"
++
++void nfs_ucred_squash_groups(struct nfs_ucred *cred, const struct exportent *ep)
++{
++ int i;
++
++ if (!(ep->e_flags & NFSEXP_ROOTSQUASH))
++ return;
++ if (cred->gid == 0)
++ cred->gid = ep->e_anongid;
++ for (i = 0; i < cred->ngroups; i++) {
++ if (cred->groups[i] == 0)
++ cred->groups[i] = ep->e_anongid;
++ }
++}
++
++static int nfs_ucred_init_effective(struct nfs_ucred *cred)
++{
++ int ngroups = getgroups(0, NULL);
++
++ if (ngroups > 0) {
++ size_t sz = ngroups * sizeof(gid_t);
++ gid_t *groups = malloc(sz);
++ if (groups == NULL)
++ return ENOMEM;
++ if (getgroups(ngroups, groups) == -1) {
++ free(groups);
++ return errno;
++ }
++ nfs_ucred_init_groups(cred, groups, ngroups);
++ } else
++ nfs_ucred_init_groups(cred, NULL, 0);
++ cred->uid = geteuid();
++ cred->gid = getegid();
++ return 0;
++}
++
++static size_t nfs_ucred_getpw_r_size_max(void)
++{
++ long buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
++
++ if (buflen == -1)
++ return 16384;
++ return buflen;
++}
++
++int nfs_ucred_reload_groups(struct nfs_ucred *cred, const struct exportent *ep)
++{
++ struct passwd pwd, *pw;
++ uid_t uid = cred->uid;
++ gid_t gid = cred->gid;
++ size_t buflen;
++ char *buf;
++ int ngroups = 0;
++ int ret;
++
++ if (ep->e_flags & (NFSEXP_ALLSQUASH | NFSEXP_ROOTSQUASH) &&
++ (int)uid == ep->e_anonuid)
++ return 0;
++ buflen = nfs_ucred_getpw_r_size_max();
++ buf = alloca(buflen);
++ ret = getpwuid_r(uid, &pwd, buf, buflen, &pw);
++ if (ret != 0)
++ return ret;
++ if (!pw)
++ return ENOENT;
++ if (getgrouplist(pw->pw_name, gid, NULL, &ngroups) == -1 &&
++ ngroups > 0) {
++ gid_t *groups = malloc(ngroups * sizeof(groups[0]));
++ if (groups == NULL)
++ return ENOMEM;
++ if (getgrouplist(pw->pw_name, gid, groups, &ngroups) == -1) {
++ free(groups);
++ return ENOMEM;
++ }
++ free(cred->groups);
++ nfs_ucred_init_groups(cred, groups, ngroups);
++ nfs_ucred_squash_groups(cred, ep);
++ } else
++ nfs_ucred_free_groups(cred);
++ return 0;
++}
++
++static int nfs_ucred_set_effective(const struct nfs_ucred *cred,
++ const struct nfs_ucred *saved)
++{
++ uid_t suid = saved ? saved->uid : geteuid();
++ gid_t sgid = saved ? saved->gid : getegid();
++ int ret;
++
++ /* Start with a privileged effective user */
++ if (setresuid(-1, 0, -1) < 0) {
++ xlog(L_WARNING, "can't change privileged user %u-%u. %s",
++ geteuid(), getegid(), strerror(errno));
++ return errno;
++ }
++
++ if (setgroups(cred->ngroups, cred->groups) == -1) {
++ xlog(L_WARNING, "can't change groups for user %u-%u. %s",
++ geteuid(), getegid(), strerror(errno));
++ return errno;
++ }
++ if (setresgid(-1, cred->gid, sgid) == -1) {
++ xlog(L_WARNING, "can't change gid for user %u-%u. %s",
++ geteuid(), getegid(), strerror(errno));
++ ret = errno;
++ goto restore_groups;
++ }
++ if (setresuid(-1, cred->uid, suid) == -1) {
++ xlog(L_WARNING, "can't change uid for user %u-%u. %s",
++ geteuid(), getegid(), strerror(errno));
++ ret = errno;
++ goto restore_gid;
++ }
++ return 0;
++restore_gid:
++ if (setresgid(-1, sgid, -1) < 0) {
++ xlog(L_WARNING, "can't restore privileged user %u-%u. %s",
++ geteuid(), getegid(), strerror(errno));
++ }
++restore_groups:
++ if (saved)
++ setgroups(saved->ngroups, saved->groups);
++ else
++ setgroups(0, NULL);
++ return ret;
++}
++
++int nfs_ucred_swap_effective(const struct nfs_ucred *cred,
++ struct nfs_ucred **savedp)
++{
++ struct nfs_ucred *saved = malloc(sizeof(*saved));
++ int ret;
++
++ if (saved == NULL)
++ return ENOMEM;
++ ret = nfs_ucred_init_effective(saved);
++ if (ret != 0) {
++ free(saved);
++ return ret;
++ }
++ ret = nfs_ucred_set_effective(cred, saved);
++ if (savedp == NULL || ret != 0)
++ nfs_ucred_free(saved);
++ else
++ *savedp = saved;
++ return ret;
++}
+diff --git a/support/nfs/Makefile.am b/support/nfs/Makefile.am
+index 2e1577cc..f6921265 100644
+--- a/support/nfs/Makefile.am
++++ b/support/nfs/Makefile.am
+@@ -7,7 +7,7 @@ libnfs_la_SOURCES = exports.c rmtab.c xio.c rpcmisc.c rpcdispatch.c \
+ xcommon.c wildmat.c mydaemon.c \
+ rpc_socket.c getport.c \
+ svc_socket.c cacheio.c closeall.c nfs_mntent.c \
+- svc_create.c atomicio.c strlcat.c strlcpy.c
++ svc_create.c atomicio.c strlcat.c strlcpy.c ucred.c
+ libnfs_la_LIBADD = libnfsconf.la
+ libnfs_la_CPPFLAGS = $(AM_CPPFLAGS) $(CPPFLAGS) -I$(top_srcdir)/support/reexport
+
+diff --git a/support/nfs/ucred.c b/support/nfs/ucred.c
+new file mode 100644
+index 00000000..6ea8efdf
+--- /dev/null
++++ b/support/nfs/ucred.c
+@@ -0,0 +1,147 @@
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#include <errno.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <rpc/rpc.h>
++
++#include "exportfs.h"
++#include "nfs_ucred.h"
++
++#ifdef HAVE_TIRPC_GSS_GETCRED
++#include <rpc/rpcsec_gss.h>
++#endif /* HAVE_TIRPC_GSS_GETCRED */
++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED
++#include <rpc/auth_des.h>
++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */
++
++static int nfs_ucred_copy_cred(struct nfs_ucred *cred, uid_t uid, gid_t gid,
++ const gid_t *groups, int ngroups)
++{
++ if (ngroups > 0) {
++ size_t sz = ngroups * sizeof(groups[0]);
++ cred->groups = malloc(sz);
++ if (cred->groups == NULL)
++ return ENOMEM;
++ cred->ngroups = ngroups;
++ memcpy(cred->groups, groups, sz);
++ } else
++ nfs_ucred_init_groups(cred, NULL, 0);
++ cred->uid = uid;
++ cred->gid = gid;
++ return 0;
++}
++
++static int nfs_ucred_init_cred_squashed(struct nfs_ucred *cred,
++ const struct exportent *ep)
++{
++ cred->uid = ep->e_anonuid;
++ cred->gid = ep->e_anongid;
++ nfs_ucred_init_groups(cred, NULL, 0);
++ return 0;
++}
++
++static int nfs_ucred_init_cred(struct nfs_ucred *cred, uid_t uid, gid_t gid,
++ const gid_t *groups, int ngroups,
++ const struct exportent *ep)
++{
++ if (ep->e_flags & NFSEXP_ALLSQUASH) {
++ nfs_ucred_init_cred_squashed(cred, ep);
++ } else if (ep->e_flags & NFSEXP_ROOTSQUASH && uid == 0) {
++ nfs_ucred_init_cred_squashed(cred, ep);
++ if (gid != 0)
++ cred->gid = gid;
++ } else {
++ int ret = nfs_ucred_copy_cred(cred, uid, gid, groups, ngroups);
++ if (ret != 0)
++ return ret;
++ nfs_ucred_squash_groups(cred, ep);
++ }
++ return 0;
++}
++
++static int nfs_ucred_init_null(struct nfs_ucred *cred,
++ const struct exportent *ep)
++{
++ return nfs_ucred_init_cred_squashed(cred, ep);
++}
++
++static int nfs_ucred_init_unix(struct nfs_ucred *cred, struct svc_req *rqst,
++ const struct exportent *ep)
++{
++ struct authunix_parms *aup;
++
++ aup = (struct authunix_parms *)rqst->rq_clntcred;
++ return nfs_ucred_init_cred(cred, aup->aup_uid, aup->aup_gid,
++ aup->aup_gids, aup->aup_len, ep);
++}
++
++#ifdef HAVE_TIRPC_GSS_GETCRED
++static int nfs_ucred_init_gss(struct nfs_ucred *cred, struct svc_req *rqst,
++ const struct exportent *ep)
++{
++ rpc_gss_ucred_t *gss_ucred = NULL;
++
++ if (!rpc_gss_getcred(rqst, NULL, &gss_ucred, NULL) || gss_ucred == NULL)
++ return EINVAL;
++ return nfs_ucred_init_cred(cred, gss_ucred->uid, gss_ucred->gid,
++ gss_ucred->gidlist, gss_ucred->gidlen, ep);
++}
++#endif /* HAVE_TIRPC_GSS_GETCRED */
++
++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED
++int authdes_getucred(struct authdes_cred *adc, uid_t *uid, gid_t *gid,
++ int *grouplen, gid_t *groups);
++
++static int nfs_ucred_init_des(struct nfs_ucred *cred, struct svc_req *rqst,
++ const struct exportent *ep)
++{
++ struct authdes_cred *des_cred;
++ uid_t uid;
++ gid_t gid;
++ int grouplen;
++ gid_t groups[NGROUPS];
++
++ des_cred = (struct authdes_cred *)rqst->rq_clntcred;
++ if (!authdes_getucred(des_cred, &uid, &gid, &grouplen, &groups[0]))
++ return EINVAL;
++ return nfs_ucred_init_cred(cred, uid, gid, groups, grouplen, ep);
++}
++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */
++
++int nfs_ucred_get(struct nfs_ucred **credp, struct svc_req *rqst,
++ const struct exportent *ep)
++{
++ struct nfs_ucred *cred = malloc(sizeof(*cred));
++ int ret;
++
++ *credp = NULL;
++ if (cred == NULL)
++ return ENOMEM;
++ switch (rqst->rq_cred.oa_flavor) {
++ case AUTH_UNIX:
++ ret = nfs_ucred_init_unix(cred, rqst, ep);
++ break;
++#ifdef HAVE_TIRPC_GSS_GETCRED
++ case RPCSEC_GSS:
++ ret = nfs_ucred_init_gss(cred, rqst, ep);
++ break;
++#endif /* HAVE_TIRPC_GSS_GETCRED */
++#ifdef HAVE_TIRPC_AUTHDES_GETUCRED
++ case AUTH_DES:
++ ret = nfs_ucred_init_des(cred, rqst, ep);
++ break;
++#endif /* HAVE_TIRPC_AUTHDES_GETUCRED */
++ default:
++ ret = nfs_ucred_init_null(cred, ep);
++ break;
++ }
++ if (ret == 0) {
++ *credp = cred;
++ return 0;
++ }
++ free(cred);
++ return ret;
++}
+--
+2.44.4
+
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch
new file mode 100644
index 00000000000..9f01604af0f
--- /dev/null
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils/CVE-2025-12801.patch
@@ -0,0 +1,254 @@
+From a94b2b6002f31acc5a66893b7c6d368c6b7b8806 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Thu, 5 Mar 2026 10:41:02 -0500
+Subject: [PATCH] Fix access checks when mounting subdirectories in NFSv3
+
+If a NFSv3 client asks to mount a subdirectory of one of the exported
+directories, then apply the RPC credential together with any root
+or all squash rules that would apply to the client in question.
+
+CVE: CVE-2025-12801
+Upstream-Status: Backport [https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commit;h=f36bd900a899088ca1925de079bd58d6205a1f3c]
+
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Scott Mayhew <smayhew@redhat.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+(cherry picked from commit f36bd900a899088ca1925de079bd58d6205a1f3c)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ nfs.conf | 1 +
+ support/include/nfsd_path.h | 9 ++++++++-
+ support/misc/nfsd_path.c | 32 ++++++++++++++++++++++++++++++--
+ utils/mountd/mountd.c | 28 ++++++++++++++++++++++++++--
+ utils/mountd/mountd.man | 26 ++++++++++++++++++++++++++
+ 5 files changed, 91 insertions(+), 5 deletions(-)
+
+diff --git a/nfs.conf b/nfs.conf
+index 323f072b..e08cd9a9 100644
+--- a/nfs.conf
++++ b/nfs.conf
+@@ -45,6 +45,7 @@
+ # ttl=1800
+ [mountd]
+ # debug="all|auth|call|general|parse"
++# apply-root-cred=n
+ # manage-gids=n
+ # descriptors=0
+ # port=0
+diff --git a/support/include/nfsd_path.h b/support/include/nfsd_path.h
+index 3e5a2f5d..06c0f2f4 100644
+--- a/support/include/nfsd_path.h
++++ b/support/include/nfsd_path.h
+@@ -9,6 +9,7 @@
+ struct file_handle;
+ struct statfs;
+ struct nfsd_task_t;
++struct nfs_ucred;
+
+ void nfsd_path_init(void);
+
+@@ -18,7 +19,8 @@ char * nfsd_path_prepend_dir(const char *dir, const char *pathname);
+
+ int nfsd_path_stat(const char *pathname, struct stat *statbuf);
+ int nfsd_path_lstat(const char *pathname, struct stat *statbuf);
+-int nfsd_openat(int dirfd, const char *path, int flags);
++int nfsd_cred_openat(const struct nfs_ucred *cred, int dirfd,
++ const char *path, int flags);
+
+ int nfsd_path_statfs(const char *pathname,
+ struct statfs *statbuf);
+@@ -31,4 +33,9 @@ ssize_t nfsd_path_write(int fd, void* buf, size_t len);
+ int nfsd_name_to_handle_at(int fd, const char *path,
+ struct file_handle *fh,
+ int *mount_id, int flags);
++
++static inline int nfsd_openat(int dirfd, const char *path, int flags)
++{
++ return nfsd_cred_openat(NULL, dirfd, path, flags);
++}
+ #endif
+diff --git a/support/misc/nfsd_path.c b/support/misc/nfsd_path.c
+index dfe88e4f..6466666d 100644
+--- a/support/misc/nfsd_path.c
++++ b/support/misc/nfsd_path.c
+@@ -17,6 +17,7 @@
+ #include "xstat.h"
+ #include "nfslib.h"
+ #include "nfsd_path.h"
++#include "nfs_ucred.h"
+ #include "workqueue.h"
+
+ static struct xthread_workqueue *nfsd_wq = NULL;
+@@ -204,6 +205,7 @@ nfsd_realpath(const char *path, char *resolved_buf)
+ }
+
+ struct nfsd_openat_t {
++ const struct nfs_ucred *cred;
+ const char *path;
+ int dirfd;
+ int flags;
+@@ -220,15 +222,41 @@ static void nfsd_openatfunc(void *data)
+ d->res_error = errno;
+ }
+
+-int nfsd_openat(int dirfd, const char *path, int flags)
++static void nfsd_cred_openatfunc(void *data)
++{
++ struct nfsd_openat_t *d = data;
++ struct nfs_ucred *saved = NULL;
++ int ret;
++
++ ret = nfs_ucred_swap_effective(d->cred, &saved);
++ if (ret != 0) {
++ d->res_fd = -1;
++ d->res_error = ret;
++ return;
++ }
++
++ nfsd_openatfunc(data);
++
++ if (saved != NULL) {
++ nfs_ucred_swap_effective(saved, NULL);
++ nfs_ucred_free(saved);
++ }
++}
++
++int nfsd_cred_openat(const struct nfs_ucred *cred, int dirfd, const char *path,
++ int flags)
+ {
+ struct nfsd_openat_t open_buf = {
++ .cred = cred,
+ .path = path,
+ .dirfd = dirfd,
+ .flags = flags,
+ };
+
+- nfsd_run_task(nfsd_openatfunc, &open_buf);
++ if (cred)
++ nfsd_run_task(nfsd_cred_openatfunc, &open_buf);
++ else
++ nfsd_run_task(nfsd_openatfunc, &open_buf);
+ if (open_buf.res_fd == -1)
+ errno = open_buf.res_error;
+ return open_buf.res_fd;
+diff --git a/utils/mountd/mountd.c b/utils/mountd/mountd.c
+index f43ebef5..6e6777cd 100644
+--- a/utils/mountd/mountd.c
++++ b/utils/mountd/mountd.c
+@@ -31,6 +31,7 @@
+ #include "nfsd_path.h"
+ #include "nfslib.h"
+ #include "export.h"
++#include "nfs_ucred.h"
+
+ extern void my_svc_run(void);
+
+@@ -40,6 +41,7 @@ static struct nfs_fh_len *get_rootfh(struct svc_req *, dirpath *, nfs_export **,
+
+ int reverse_resolve = 0;
+ int manage_gids;
++int apply_root_cred;
+ int use_ipaddr = -1;
+
+ /* PRC: a high-availability callout program can be specified with -H
+@@ -74,9 +76,10 @@ static struct option longopts[] =
+ { "log-auth", 0, 0, 'l'},
+ { "cache-use-ipaddr", 0, 0, 'i'},
+ { "ttl", 1, 0, 'T'},
++ { "apply-root-cred", 0, 0, 'c' },
+ { NULL, 0, 0, 0 }
+ };
+-static char shortopts[] = "o:nFd:p:P:hH:N:V:vurs:t:gliT:";
++static char shortopts[] = "o:nFd:p:P:hH:N:V:vurs:t:gliT:c";
+
+ #define NFSVERSBIT(vers) (0x1 << (vers - 1))
+ #define NFSVERSBIT_ALL (NFSVERSBIT(2) | NFSVERSBIT(3) | NFSVERSBIT(4))
+@@ -453,11 +456,27 @@ get_rootfh(struct svc_req *rqstp, dirpath *path, nfs_export **expret,
+ while (*subpath == '/')
+ subpath++;
+ if (*subpath != '\0') {
++ struct nfs_ucred *cred = NULL;
+ int fd;
+
++ /* Load the user cred */
++ if (!apply_root_cred) {
++ nfs_ucred_get(&cred, rqstp, &exp->m_export);
++ if (cred == NULL) {
++ xlog(L_WARNING, "can't retrieve credential");
++ *error = MNT3ERR_ACCES;
++ close(dirfd);
++ return NULL;
++ }
++ if (manage_gids)
++ nfs_ucred_reload_groups(cred, &exp->m_export);
++ }
++
+ /* Just perform a lookup of the path */
+- fd = nfsd_openat(dirfd, subpath, O_PATH);
++ fd = nfsd_cred_openat(cred, dirfd, subpath, O_PATH);
+ close(dirfd);
++ if (cred)
++ nfs_ucred_free(cred);
+ if (fd == -1) {
+ xlog(L_WARNING, "can't open exported dir %s: %s", p,
+ strerror(errno));
+@@ -681,6 +700,8 @@ read_mountd_conf(char **argv)
+ ttl = conf_get_num("mountd", "ttl", default_ttl);
+ if (ttl > 0)
+ default_ttl = ttl;
++ apply_root_cred = conf_get_bool("mountd", "apply-root-cred",
++ apply_root_cred);
+ }
+
+ int
+@@ -794,6 +815,9 @@ main(int argc, char **argv)
+ }
+ default_ttl = ttl;
+ break;
++ case 'c':
++ apply_root_cred = 1;
++ break;
+ case 0:
+ break;
+ case '?':
+diff --git a/utils/mountd/mountd.man b/utils/mountd/mountd.man
+index a206a3e2..f4f1fc23 100644
+--- a/utils/mountd/mountd.man
++++ b/utils/mountd/mountd.man
+@@ -242,6 +242,32 @@ can support both NFS version 2 and the newer version 3.
+ Print the version of
+ .B rpc.mountd
+ and exit.
++.TP
++.B \-c " or " \-\-apply-root-cred
++When mountd is asked to allow a NFSv3 mount to a subdirectory of the
++exported directory, then it will check if the user asking to mount has
++lookup rights to the directories below that exported directory. When
++performing the check, mountd will apply any root squash or all squash
++rules that were specified for that client.
++
++Performing lookup checks as the user requires that the mountd daemon
++be run as root or that it be given CAP_SETUID and CAP_SETGID privileges
++so that it can change its own effective user and effective group settings.
++When troubleshooting, please also note that LSM frameworks such as SELinux
++can sometimes prevent the daemon from changing the effective user/groups
++despite the capability settings.
++
++In earlier versions of mountd, the same checks were performed using the
++mountd daemon's root privileges, meaning that it could authorise access
++to directories that are not normally accessible to the user requesting
++to mount them. This option enables that legacy behaviour.
++
++.BR Note:
++If there is a need to provide access to specific subdirectories that
++are not normally accessible to a client, it is always possible to add
++export entries that explicitly grant such access. That ability does
++not depend on this option being enabled.
++
+ .TP
+ .B \-g " or " \-\-manage-gids
+ Accept requests from the kernel to map user id numbers into lists of
+--
+2.35.6
+
diff --git a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb
index 2f2644f9a83..91c74fe5ef7 100644
--- a/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb
+++ b/meta/recipes-connectivity/nfs-utils/nfs-utils_2.6.4.bb
@@ -33,6 +33,12 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/nfs-utils/${PV}/nfs-utils-${PV}.tar.x
file://0001-locktest-Makefile.am-Do-not-use-build-flags.patch \
file://0001-tools-locktest-Use-intmax_t-to-print-off_t.patch \
file://0001-reexport.h-Include-unistd.h-to-compile-with-musl.patch \
+ file://CVE-2025-12801-dependent_p1.patch \
+ file://CVE-2025-12801-dependent_p2.patch \
+ file://CVE-2025-12801-dependent_p3.patch \
+ file://CVE-2025-12801-dependent_p4.patch \
+ file://CVE-2025-12801.patch \
+ file://CVE-2025-12801-build-fix.patch \
"
SRC_URI[sha256sum] = "01b3b0fb9c7d0bbabf5114c736542030748c788ec2fd9734744201e9b0a1119d"
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 16/19] cve-update-nvd2-native: allow setting resultsPerPage
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (14 preceding siblings ...)
2026-06-29 14:20 ` [OE-core][scarthgap 15/19] nfs-utils: fix CVE-2025-12801 Yoann Congal
@ 2026-06-29 14:20 ` Yoann Congal
2026-06-29 14:20 ` [OE-core][scarthgap 17/19] python3: fix CVE-2026-4224 Yoann Congal
` (2 subsequent siblings)
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:20 UTC (permalink / raw)
To: openembedded-core
From: Awais B <awais.belal@gmail.com>
It is seen that during bulk updates on the NVD side the server
struggles to keep up with the default/max of 2000 entries per
page and we see a lot of incomplete read errors resulting in
proper db sync failures most of the times. Lowering the per
page value noticably increases the reliability of the process
and hence should ideally be configurable.
Signed-off-by: Awais B <awais.belal@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-core/meta/cve-update-nvd2-native.bb | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 945bd1d927c..731cbb5d886 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
@@ -34,6 +34,10 @@ CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000"
# Number of attempts for each http query to nvd server before giving up
CVE_DB_UPDATE_ATTEMPTS ?= "5"
+# Maximum number of CVE records per API response.
+# Lowering this value can help avoid incomplete read errors during bulk NVD updates.
+CVE_DB_RESULTS_PER_PAGE ?= ""
+
CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK/${CVE_CHECK_DB_FILENAME}"
CVE_CHECK_DB_DLDIR_LOCK ?= "${CVE_CHECK_DB_DLDIR_FILE}.lock"
CVE_CHECK_DB_TEMP_FILE ?= "${CVE_CHECK_DB_FILE}.tmp"
@@ -217,6 +221,15 @@ def update_db_file(db_tmp_file, d, database_time):
api_key = d.getVar("NVDCVE_API_KEY") or None
attempts = int(d.getVar("CVE_DB_UPDATE_ATTEMPTS"))
+ results_per_page = d.getVar("CVE_DB_RESULTS_PER_PAGE")
+ RESULTS_PER_PAGE_MAX = 2000 # imposed by NVD
+ if results_per_page:
+ results_per_page = int(results_per_page)
+ if results_per_page > RESULTS_PER_PAGE_MAX:
+ bb.warn("CVE_DB_RESULTS_PER_PAGE exceeds maximum of %d, capping" % RESULTS_PER_PAGE_MAX)
+ results_per_page = RESULTS_PER_PAGE_MAX
+ req_args['resultsPerPage'] = results_per_page
+
# Recommended by NVD
wait_time = 6
if api_key:
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 17/19] python3: fix CVE-2026-4224
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (15 preceding siblings ...)
2026-06-29 14:20 ` [OE-core][scarthgap 16/19] cve-update-nvd2-native: allow setting resultsPerPage Yoann Congal
@ 2026-06-29 14:20 ` Yoann Congal
2026-06-29 14:20 ` [OE-core][scarthgap 18/19] oeqa: Drop /git/ from our urls Yoann Congal
2026-06-29 14:20 ` [OE-core][scarthgap 19/19] recipetool: Recognise https://git. as git urls Yoann Congal
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:20 UTC (permalink / raw)
To: openembedded-core
From: Amaury Couderc <amaury.couderc@est.tech>
Backport patch to fix CVE-2026-4224.
https://nvd.nist.gov/vuln/detail/CVE-2026-4224
Upstream fix:
https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785
Tested with ptest:
Before: PASSED: 40007, FAILED: 0, SKIPPED: 1877
After: PASSED: 40006, FAILED: 0, SKIPPED: 1877
Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python/python3/CVE-2026-4224.patch | 121 ++++++++++++++++++
.../python/python3_3.12.13.bb | 1 +
2 files changed, 122 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-4224.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-4224.patch b/meta/recipes-devtools/python/python3/CVE-2026-4224.patch
new file mode 100644
index 00000000000..09dd2dda003
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-4224.patch
@@ -0,0 +1,121 @@
+From ca301e24e20d1d9d58bbd432ff103cab2cb87128 Mon Sep 17 00:00:00 2001
+From: Stan Ulbrych <stan@python.org>
+Date: Wed, 8 Apr 2026 11:27:39 +0100
+Subject: [PATCH] gh-145986: Avoid unbound C recursion in `conv_content_model`
+ in `pyexpat.c` (CVE-2026-4224) (GH-145987) (#146000)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* [3.11] gh-145986: Avoid unbound C recursion in `conv_content_model` in `pyexpat.c` (CVE-2026-4224) (GH-145987)
+
+Fix C stack overflow (CVE-2026-4224) when an Expat parser
+with a registered `ElementDeclHandler` parses inline DTD
+containing deeply nested content model.
+
+---------
+(cherry picked from commit eb0e8be3a7e11b87d198a2c3af1ed0eccf532768)
+(cherry picked from commit e5caf45faac74b0ed869e3336420cffd3510ce6e)
+
+Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com>
+Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
+
+* Update Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
+
+---------
+
+Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
+
+CVE: CVE-2026-4224
+Upstream-Status: Backport [https://github.com/python/cpython/commit/642865ddf4b232da1f3b1f7abcfa3254c4bfe785]
+
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ Lib/test/test_pyexpat.py | 18 ++++++++++++++++++
+ ...6-03-14-17-31-39.gh-issue-145986.ifSSr8.rst | 4 ++++
+ Modules/pyexpat.c | 9 ++++++++-
+ 3 files changed, 30 insertions(+), 1 deletion(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
+
+diff --git a/Lib/test/test_pyexpat.py b/Lib/test/test_pyexpat.py
+index 38f951573f0..37d9086f40a 100644
+--- a/Lib/test/test_pyexpat.py
++++ b/Lib/test/test_pyexpat.py
+@@ -675,6 +675,24 @@ class ChardataBufferTest(unittest.TestCase):
+ parser.Parse(xml2, True)
+ self.assertEqual(self.n, 4)
+
++class ElementDeclHandlerTest(unittest.TestCase):
++ def test_deeply_nested_content_model(self):
++ # This should raise a RecursionError and not crash.
++ # See https://github.com/python/cpython/issues/145986.
++ N = 500_000
++ data = (
++ b'<!DOCTYPE root [\n<!ELEMENT root '
++ + b'(a, ' * N + b'a' + b')' * N
++ + b'>\n]>\n<root/>\n'
++ )
++
++ parser = expat.ParserCreate()
++ parser.ElementDeclHandler = lambda _1, _2: None
++ with support.infinite_recursion():
++ with self.assertRaises(RecursionError):
++ parser.Parse(data)
++
++
+ class MalformedInputTest(unittest.TestCase):
+ def test1(self):
+ xml = b"\0\r\n"
+diff --git a/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
+new file mode 100644
+index 00000000000..cb9dbadb72d
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2026-03-14-17-31-39.gh-issue-145986.ifSSr8.rst
+@@ -0,0 +1,4 @@
++:mod:`xml.parsers.expat`: Fixed a crash caused by unbounded C recursion when
++converting deeply nested XML content models with
++:meth:`~xml.parsers.expat.xmlparser.ElementDeclHandler`.
++This addresses `CVE-2026-4224 <https://www.cve.org/CVERecord?id=CVE-2026-4224>`_.
+diff --git a/Modules/pyexpat.c b/Modules/pyexpat.c
+index 79492ca5c4f..8673540f358 100644
+--- a/Modules/pyexpat.c
++++ b/Modules/pyexpat.c
+@@ -3,6 +3,7 @@
+ #endif
+
+ #include "Python.h"
++#include "pycore_ceval.h" // _Py_EnterRecursiveCall()
+ #include "pycore_runtime.h" // _Py_ID()
+ #include <ctype.h>
+
+@@ -578,6 +579,10 @@ static PyObject *
+ conv_content_model(XML_Content * const model,
+ PyObject *(*conv_string)(const XML_Char *))
+ {
++ if (_Py_EnterRecursiveCall(" in conv_content_model")) {
++ return NULL;
++ }
++
+ PyObject *result = NULL;
+ PyObject *children = PyTuple_New(model->numchildren);
+ int i;
+@@ -589,7 +594,7 @@ conv_content_model(XML_Content * const model,
+ conv_string);
+ if (child == NULL) {
+ Py_XDECREF(children);
+- return NULL;
++ goto done;
+ }
+ PyTuple_SET_ITEM(children, i, child);
+ }
+@@ -597,6 +602,8 @@ conv_content_model(XML_Content * const model,
+ model->type, model->quant,
+ conv_string,model->name, children);
+ }
++done:
++ _Py_LeaveRecursiveCall();
+ return result;
+ }
+
+--
+2.34.1
diff --git a/meta/recipes-devtools/python/python3_3.12.13.bb b/meta/recipes-devtools/python/python3_3.12.13.bb
index bf0e1702d54..06dbc8e892d 100644
--- a/meta/recipes-devtools/python/python3_3.12.13.bb
+++ b/meta/recipes-devtools/python/python3_3.12.13.bb
@@ -43,6 +43,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://CVE-2026-6019_p1.patch \
file://CVE-2026-6019_p2.patch \
file://CVE-2025-13462.patch \
+ file://CVE-2026-4224.patch \
"
SRC_URI:append:class-native = " \
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 18/19] oeqa: Drop /git/ from our urls
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (16 preceding siblings ...)
2026-06-29 14:20 ` [OE-core][scarthgap 17/19] python3: fix CVE-2026-4224 Yoann Congal
@ 2026-06-29 14:20 ` Yoann Congal
2026-06-29 14:20 ` [OE-core][scarthgap 19/19] recipetool: Recognise https://git. as git urls Yoann Congal
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:20 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Using /git/ in our urls is rather old school and not the preferred format now.
Update the urls to the preferred form even if the other ones still work.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8ac7c0c3493a6141476093bb2c1c79004c55857d)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta-selftest/recipes-test/gitrepotest/gitrepotest.bb | 2 +-
.../recipes-test/gitunpackoffline/gitunpackoffline.inc | 4 ++--
meta/lib/oeqa/manual/toaster-managed-mode.json | 6 +++---
meta/lib/oeqa/sdkext/cases/devtool.py | 4 ++--
meta/lib/oeqa/selftest/cases/devtool.py | 4 ++--
meta/lib/oeqa/selftest/cases/recipetool.py | 2 +-
6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb b/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb
index f1b6c55833b..fa61fdce0bc 100644
--- a/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb
+++ b/meta-selftest/recipes-test/gitrepotest/gitrepotest.bb
@@ -7,7 +7,7 @@ INHIBIT_DEFAULT_DEPS = "1"
PATCHTOOL="git"
-SRC_URI = "git://git.yoctoproject.org/git/matchbox-panel-2;branch=master;protocol=https \
+SRC_URI = "git://git.yoctoproject.org/matchbox-panel-2;branch=master;protocol=https \
file://0001-testpatch.patch \
"
diff --git a/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc b/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc
index 602e895199b..245c0bbdeef 100644
--- a/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc
+++ b/meta-selftest/recipes-test/gitunpackoffline/gitunpackoffline.inc
@@ -1,5 +1,5 @@
SUMMARY = "Test recipe for fetching git submodules"
-HOMEPAGE = "https://git.yoctoproject.org/git/matchbox-panel-2"
+HOMEPAGE = "https://git.yoctoproject.org/matchbox-panel-2"
LICENSE = "GPL-2.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
@@ -8,7 +8,7 @@ INHIBIT_DEFAULT_DEPS = "1"
TAGVALUE = "2.10"
# Deliberately have a tag which has to be resolved but ensure do_unpack doesn't access the network again.
-SRC_URI = "git://git.yoctoproject.org/git/matchbox-panel-2;branch=master;protocol=https"
+SRC_URI = "git://git.yoctoproject.org/matchbox-panel-2;branch=master;protocol=https"
SRC_URI:append:gitunpack-enable-recipe = ";tag=${TAGVALUE}"
SRCREV = "f82ca3f42510fb3ef10f598b393eb373a2c34ca7"
SRCREV:gitunpack-enable-recipe = ""
diff --git a/meta/lib/oeqa/manual/toaster-managed-mode.json b/meta/lib/oeqa/manual/toaster-managed-mode.json
index 1a71985c3c1..d1d500864e5 100644
--- a/meta/lib/oeqa/manual/toaster-managed-mode.json
+++ b/meta/lib/oeqa/manual/toaster-managed-mode.json
@@ -2176,7 +2176,7 @@
],
"execution": {
"1": {
- "action": "Clone the poky environment git clone http://git.yoctoproject.org/git/poky",
+ "action": "Clone the poky environment git clone http://git.yoctoproject.org/poky",
"expected_results": ""
},
"2": {
@@ -2458,7 +2458,7 @@
],
"execution": {
"1": {
- "action": "Clone the poky environment git clone http://git.yoctoproject.org/git/poky",
+ "action": "Clone the poky environment git clone http://git.yoctoproject.org/poky",
"expected_results": ""
},
"2": {
@@ -2496,7 +2496,7 @@
],
"execution": {
"1": {
- "action": "Clone the poky environment git clone http://git.yoctoproject.org/git/poky\n",
+ "action": "Clone the poky environment git clone http://git.yoctoproject.org/poky\n",
"expected_results": ""
},
"2": {
diff --git a/meta/lib/oeqa/sdkext/cases/devtool.py b/meta/lib/oeqa/sdkext/cases/devtool.py
index d0746e68eba..a28d5b020c5 100644
--- a/meta/lib/oeqa/sdkext/cases/devtool.py
+++ b/meta/lib/oeqa/sdkext/cases/devtool.py
@@ -71,14 +71,14 @@ class DevtoolTest(OESDKExtTestCase):
def test_extend_autotools_recipe_creation(self):
recipe = "test-dbus-wait"
self._run('devtool sdk-install dbus')
- self._run('devtool add %s https://git.yoctoproject.org/git/dbus-wait' % (recipe) )
+ self._run('devtool add %s https://git.yoctoproject.org/dbus-wait' % (recipe) )
try:
self._run('devtool build %s' % recipe)
finally:
self._run('devtool reset %s' % recipe)
def test_devtool_kernelmodule(self):
- docfile = 'https://git.yoctoproject.org/git/kernel-module-hello-world'
+ docfile = 'https://git.yoctoproject.org/kernel-module-hello-world'
recipe = 'kernel-module-hello-world'
self._run('devtool add %s %s' % (recipe, docfile) )
try:
diff --git a/meta/lib/oeqa/selftest/cases/devtool.py b/meta/lib/oeqa/selftest/cases/devtool.py
index d56696c10dd..6af3e2417a3 100644
--- a/meta/lib/oeqa/selftest/cases/devtool.py
+++ b/meta/lib/oeqa/selftest/cases/devtool.py
@@ -440,7 +440,7 @@ class DevtoolAddTests(DevtoolBase):
pn = 'dbus-wait'
srcrev = '6cc6077a36fe2648a5f993fe7c16c9632f946517'
# We choose an https:// git URL here to check rewriting the URL works
- url = 'https://git.yoctoproject.org/git/dbus-wait'
+ url = 'https://git.yoctoproject.org/dbus-wait'
# Force fetching to "noname" subdir so we verify we're picking up the name from autoconf
# instead of the directory name
result = runCmd('git clone %s noname' % url, cwd=tempdir)
@@ -467,7 +467,7 @@ class DevtoolAddTests(DevtoolBase):
checkvars['LIC_FILES_CHKSUM'] = 'file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263'
checkvars['S'] = '${WORKDIR}/git'
checkvars['PV'] = '0.1+git'
- checkvars['SRC_URI'] = 'git://git.yoctoproject.org/git/dbus-wait;protocol=https;branch=master'
+ checkvars['SRC_URI'] = 'git://git.yoctoproject.org/dbus-wait;protocol=https;branch=master'
checkvars['SRCREV'] = srcrev
checkvars['DEPENDS'] = set(['dbus'])
self._test_recipe_contents(recipefile, checkvars, [])
diff --git a/meta/lib/oeqa/selftest/cases/recipetool.py b/meta/lib/oeqa/selftest/cases/recipetool.py
index 126906df502..8c54e65ad62 100644
--- a/meta/lib/oeqa/selftest/cases/recipetool.py
+++ b/meta/lib/oeqa/selftest/cases/recipetool.py
@@ -738,7 +738,7 @@ class RecipetoolCreateTests(RecipetoolBase):
self._test_recipe_contents(recipefile, checkvars, [])
def test_recipetool_create_git_http(self):
- self._test_recipetool_create_git('http://git.yoctoproject.org/git/matchbox-keyboard')
+ self._test_recipetool_create_git('http://git.yoctoproject.org/matchbox-keyboard')
def test_recipetool_create_git_srcuri_master(self):
self._test_recipetool_create_git('git://git.yoctoproject.org/matchbox-keyboard;branch=master;protocol=https')
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [OE-core][scarthgap 19/19] recipetool: Recognise https://git. as git urls
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
` (17 preceding siblings ...)
2026-06-29 14:20 ` [OE-core][scarthgap 18/19] oeqa: Drop /git/ from our urls Yoann Congal
@ 2026-06-29 14:20 ` Yoann Congal
18 siblings, 0 replies; 21+ messages in thread
From: Yoann Congal @ 2026-06-29 14:20 UTC (permalink / raw)
To: openembedded-core
From: Richard Purdie <richard.purdie@linuxfoundation.org>
If a url has git. in it, assume it is likely to be a git cloneable url
and should be treated as such.
This allows us to switch from https://git.yoctoproject.org/git/XXX urls to
the preferred https://git.yoctoproject.org/XXX form.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cedc9209e3bae0da8d61423b16c74c49a132aa63)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
scripts/lib/recipetool/create.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/lib/recipetool/create.py b/scripts/lib/recipetool/create.py
index 8e9ff38db6c..b6005b64766 100644
--- a/scripts/lib/recipetool/create.py
+++ b/scripts/lib/recipetool/create.py
@@ -366,7 +366,7 @@ def supports_srcrev(uri):
def reformat_git_uri(uri):
'''Convert any http[s]://....git URI into git://...;protocol=http[s]'''
checkuri = uri.split(';', 1)[0]
- if checkuri.endswith('.git') or '/git/' in checkuri or re.match('https?://git(hub|lab).com/[^/]+/[^/]+/?$', checkuri):
+ if checkuri.endswith('.git') or '/git/' in checkuri or re.match('https?://git(hub|lab).com/[^/]+/[^/]+/?$', checkuri) or re.match(r'https?://git\..*', checkuri):
# Appends scheme if the scheme is missing
if not '://' in uri:
uri = 'git://' + uri
^ permalink raw reply related [flat|nested] 21+ messages in thread
end of thread, other threads:[~2026-06-29 14:20 UTC | newest]
Thread overview: 21+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-29 14:19 [OE-core][scarthgap 00/19] Patch review Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 01/19] gawk: use native gawk when building glibc and grub Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 02/19] grub/glibc: Bump versions to resolve hashequiv/reproducibility issues Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 03/19] gawk: trim native build configuration Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 04/19] gawk-native: fix gcc-15/C23 compilation issues Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 05/19] libsoup: fix for CVE-2025-11021 Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 06/19] libsoup: fix for CVE-2026-2369 Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 07/19] go: patch CVE-2026-27145 Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 08/19] binutils: Fix for CVE-2025-69648 and CVE-2025-69646 Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 09/19] xwayland: Fix CVE-2026-33999 Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 10/19] xwayland: Fix CVE-2026-34000 Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 11/19] xwayland: Fix CVE-2026-34001 Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 12/19] xwayland: Fix CVE-2026-34002 Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 13/19] xwayland: Fix CVE-2026-34003 Yoann Congal
2026-06-29 14:19 ` [OE-core][scarthgap 14/19] libusb1: fix CVE-2026-23679 and CVE-2026-47104 Yoann Congal
2026-06-29 14:20 ` [OE-core][scarthgap 15/19] nfs-utils: fix CVE-2025-12801 Yoann Congal
2026-06-29 14:20 ` [OE-core][scarthgap 16/19] cve-update-nvd2-native: allow setting resultsPerPage Yoann Congal
2026-06-29 14:20 ` [OE-core][scarthgap 17/19] python3: fix CVE-2026-4224 Yoann Congal
2026-06-29 14:20 ` [OE-core][scarthgap 18/19] oeqa: Drop /git/ from our urls Yoann Congal
2026-06-29 14:20 ` [OE-core][scarthgap 19/19] recipetool: Recognise https://git. as git urls Yoann Congal
-- strict thread matches above, loose matches on Subject: below --
2025-11-11 14:58 [OE-core][scarthgap 00/19] Patch review Steve Sakoman
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.