* [OE-core][wrynose 00/18] Patch review
@ 2026-07-10 16:36 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 01/18] gdb: Upgrade 17.1 -> 17.2 Yoann Congal
` (17 more replies)
0 siblings, 18 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for wrynose and have comments back by
end of day Thursday, July 16. I'm off most of next week and back on the
17th.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/4187
The following changes since commit c2746a4a165fd99c2d1aafed17533555787f37ce:
clang/llvm: Upgrade to 22.1.8 release (2026-07-09 16:58:55 +0100)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/wrynose-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/wrynose-nut
for you to fetch changes up to 73299cef1b7cd6446c918c361fd2c47534126361:
gnutls: fix CVE-2026-33846 (2026-07-10 12:37:42 +0200)
----------------------------------------------------------------
Amaury Couderc (1):
expat: fix CVE-2026-41080
Benjamin Robin (Schneider Electric) (3):
python3: fix CVE-2026-11940
python3: fix CVE-2026-11972
glib-2.0: fix CVE-2026-58016
Deepak Rathore (1):
libcap: Fix CVE-2026-4878
Deepesh Varatharajan (1):
gdb: Upgrade 17.1 -> 17.2
Eilís 'pidge' Ní Fhlannagáin (1):
ovmf: fix tpm PACKAGECONFIG to use TPM2_ENABLE
Eric Meyers (1):
create-spdx-image-3.0: correct SSTATE_SKIP_CREATION key for
do_create_image_sbom_spdx
Gustavo Henrique Nihei (1):
opensbi: don't override ELFFLAGS, silence ldflags QA for bare-metal
ELFs
Hitendra Prajapati (1):
vim: Fix for CVE-2026-52858,CVE-2026-52859,CVE-2026-52860
Jaipaul Cheernam (1):
curl: fix CVE-2026-5773 - wrong reuse of SMB connection
Peter Marko (1):
python3: upgrade 3.14.5 -> 3.14.6
Pritam Srichandan Sahoo (1):
gnutls: fix CVE-2026-33846
Ross Burton (1):
xmlto: update SRC_URI
Siva Balasubramanian (1):
util-linux: upgrade 2.41.3 -> 2.41.5
Sudhir Dumbhare (2):
python3-urllib3: Fix CVE-2026-44431
socat: upgrade 1.8.1.1 -> 1.8.1.3
Theo Gaige (Schneider Electric) (1):
expat: patch CVE-2026-45186
.../create-spdx-image-3.0.bbclass | 2 +-
meta/classes-recipe/nospdx.bbclass | 2 +-
meta/recipes-bsp/opensbi/opensbi_1.8.1.bb | 6 +-
.../{socat_1.8.1.1.bb => socat_1.8.1.3.bb} | 2 +-
.../expat/expat/CVE-2026-41080-1.patch | 517 ++++++++++++++++++
.../expat/expat/CVE-2026-41080-2.patch | 33 ++
.../expat/expat/CVE-2026-45186-01.patch | 70 +++
.../expat/expat/CVE-2026-45186-02.patch | 318 +++++++++++
.../expat/expat/CVE-2026-45186-03.patch | 46 ++
.../expat/expat/CVE-2026-45186-04.patch | 32 ++
.../expat/expat/CVE-2026-45186-05.patch | 32 ++
.../expat/expat/CVE-2026-45186-06.patch | 87 +++
.../expat/expat/CVE-2026-45186-07.patch | 52 ++
meta/recipes-core/expat/expat_2.7.5.bb | 9 +
.../glib-2.0/files/CVE-2026-58016-1.patch | 94 ++++
.../glib-2.0/files/CVE-2026-58016-2.patch | 98 ++++
meta/recipes-core/glib-2.0/glib.inc | 2 +
meta/recipes-core/ovmf/ovmf_git.bb | 2 +-
...2.41.3.bb => util-linux-libuuid_2.41.5.bb} | 0
meta/recipes-core/util-linux/util-linux.inc | 3 +-
...DEV_FL_NOFOLLOW-to-prevent-symlink-a.patch | 114 ----
...l-linux_2.41.3.bb => util-linux_2.41.5.bb} | 0
...ian_17.1.bb => gdb-cross-canadian_17.2.bb} | 0
.../{gdb-cross_17.1.bb => gdb-cross_17.2.bb} | 0
meta/recipes-devtools/gdb/gdb.inc | 4 +-
...-ser-unix-modernize-Linux-custom-bau.patch | 248 ---------
...ux-Fix-build-failure-on-musl-systems.patch | 196 -------
.../gdb/{gdb_17.1.bb => gdb_17.2.bb} | 0
.../python3-urllib3/CVE-2026-44431.patch | 157 ++++++
.../python/python3-urllib3_2.6.3.bb | 3 +
...eadingMock-call-count-race-condition.patch | 37 --
.../python/python3/CVE-2026-11940.patch | 67 +++
.../python/python3/CVE-2026-11972.patch | 61 +++
.../{python3_3.14.5.bb => python3_3.14.6.bb} | 9 +-
meta/recipes-devtools/xmlto/xmlto_0.0.29.bb | 2 +-
.../curl/curl/CVE-2026-5773.patch | 47 ++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
...fragments-implement-a-basic-DTLS-tes.patch | 258 +++++++++
...merge_handshake_packet-using-recv_bu.patch | 96 ++++
...s-add-more-checks-to-DTLS-reassembly.patch | 65 +++
...fragments-extend-with-a-1816-reprodu.patch | 159 ++++++
...fragments-extend-with-fragmenting-Cl.patch | 149 +++++
...ch-DTLS-datagrams-by-sequence-number.patch | 42 ++
...fragments-1839-mismatching-message_s.patch | 104 ++++
...ts-mini-dtls-framents-link-to-gnulib.patch | 27 +
meta/recipes-support/gnutls/gnutls_3.8.12.bb | 8 +
.../libcap/files/CVE-2026-4878.patch | 163 ++++++
meta/recipes-support/libcap/libcap_2.77.bb | 4 +-
.../vim/files/CVE-2026-52858.patch | 167 ++++++
.../vim/files/CVE-2026-52859.patch | 274 ++++++++++
.../vim/files/CVE-2026-52860.patch | 446 +++++++++++++++
meta/recipes-support/vim/vim.inc | 3 +
52 files changed, 3706 insertions(+), 612 deletions(-)
rename meta/recipes-connectivity/socat/{socat_1.8.1.1.bb => socat_1.8.1.3.bb} (94%)
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-1.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-2.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-01.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-02.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-03.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-04.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-05.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-06.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-07.patch
create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch
create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58016-2.patch
rename meta/recipes-core/util-linux/{util-linux-libuuid_2.41.3.bb => util-linux-libuuid_2.41.5.bb} (100%)
delete mode 100644 meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch
rename meta/recipes-core/util-linux/{util-linux_2.41.3.bb => util-linux_2.41.5.bb} (100%)
rename meta/recipes-devtools/gdb/{gdb-cross-canadian_17.1.bb => gdb-cross-canadian_17.2.bb} (100%)
rename meta/recipes-devtools/gdb/{gdb-cross_17.1.bb => gdb-cross_17.2.bb} (100%)
delete mode 100644 meta/recipes-devtools/gdb/gdb/0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch
delete mode 100644 meta/recipes-devtools/gdb/gdb/0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch
rename meta/recipes-devtools/gdb/{gdb_17.1.bb => gdb_17.2.bb} (100%)
create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2026-44431.patch
delete mode 100644 meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-11940.patch
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-11972.patch
rename meta/recipes-devtools/python/{python3_3.14.5.bb => python3_3.14.6.bb} (98%)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0001-tests-mini-dtls-fragments-implement-a-basic-DTLS-tes.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0002-buffers-shorten-merge_handshake_packet-using-recv_bu.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0003-buffers-add-more-checks-to-DTLS-reassembly.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0004-tests-mini-dtls-fragments-extend-with-a-1816-reprodu.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0005-tests-mini-dtls-fragments-extend-with-fragmenting-Cl.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0006-buffers-match-DTLS-datagrams-by-sequence-number.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0007-tests-mini-dtls-fragments-1839-mismatching-message_s.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0008-tests-mini-dtls-framents-link-to-gnulib.patch
create mode 100644 meta/recipes-support/libcap/files/CVE-2026-4878.patch
create mode 100644 meta/recipes-support/vim/files/CVE-2026-52858.patch
create mode 100644 meta/recipes-support/vim/files/CVE-2026-52859.patch
create mode 100644 meta/recipes-support/vim/files/CVE-2026-52860.patch
^ permalink raw reply [flat|nested] 20+ messages in thread
* [OE-core][wrynose 01/18] gdb: Upgrade 17.1 -> 17.2
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 02/18] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Yoann Congal
` (16 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
This is a corrective release over GDB 17.1, fixing the following issues:
* PR dap/33228 ([gdb/dap] error while listing register children)
* PR gdb/33737 (gdb --help says 'For more information, type "stream"
from within GDB', but "stream" is not a defined command)
* PR build/33747 (Incompatible with MUSL libc: no member named 'c_ospeed'
in 'termios')
* PR gdb/33748 (gdb17 regression with displaying ANSI colors)
* PR gdb/33753 (Out-of-bounds writes in string_{v}printf -- threads
and static data don't mix)
* PR cli/33761 (Setting style colors is broken on MS-Windows)
* PR gdb/33768 (Loading compressed GDB scripts from .debug_gdb_scripts fails)
* PR symtab/33775 ([gdb/symtab] data race in
dwarf2_per_cu::{set_addr_size,set_offset_size,set_ref_addr_size})
* PR symtab/33777 ([gdb/symtab] dw2_get_file_names doesn't cache result
for dummy CU)
* PR symtab/33825 ([dwz] Extremely slow symbol lookup with DWZ-compressed
debug info (thousands of partial units))
* PR testsuite/33845 (gdb: There are 4 unexpected failures in
breakpoint-in-ro-region.exp)
* PR gdb/33872 (`skip -gfile` has inverted logic)
* PR gdb/33926 (GDB 17.1 AArch64: redefinition of user_gcs struct on musl)
* PR breakpoints/34112 (rbreak `file:regex` sets breakpoints for matches
outside of `file` [reproducer attached])
Although gdb 17.2 includes the commit 17d05df7da1
("gdb/ser-unix: add POSIX cfsetispeed/cfsetospeed support for custom baud rates"),
which appears to be a feature addition, it is actually the upstream integration of
the previously carried patch
0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch for PR build/33747.
As such, it is appropriate for this corrective release.
Drop patches merged upstream:
* 0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch
* PR build/33747 (Incompatible with MUSL libc: no member named 'c_ospeed'
in 'termios')
* 0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch
* PR gdb/33926 (GDB 17.1 AArch64: redefinition of user_gcs struct on musl)
Signed-off-by: Deepesh Varatharajan <Deepesh.Varatharajan@windriver.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
...ian_17.1.bb => gdb-cross-canadian_17.2.bb} | 0
.../{gdb-cross_17.1.bb => gdb-cross_17.2.bb} | 0
meta/recipes-devtools/gdb/gdb.inc | 4 +-
...-ser-unix-modernize-Linux-custom-bau.patch | 248 ------------------
...ux-Fix-build-failure-on-musl-systems.patch | 196 --------------
.../gdb/{gdb_17.1.bb => gdb_17.2.bb} | 0
6 files changed, 1 insertion(+), 447 deletions(-)
rename meta/recipes-devtools/gdb/{gdb-cross-canadian_17.1.bb => gdb-cross-canadian_17.2.bb} (100%)
rename meta/recipes-devtools/gdb/{gdb-cross_17.1.bb => gdb-cross_17.2.bb} (100%)
delete mode 100644 meta/recipes-devtools/gdb/gdb/0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch
delete mode 100644 meta/recipes-devtools/gdb/gdb/0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch
rename meta/recipes-devtools/gdb/{gdb_17.1.bb => gdb_17.2.bb} (100%)
diff --git a/meta/recipes-devtools/gdb/gdb-cross-canadian_17.1.bb b/meta/recipes-devtools/gdb/gdb-cross-canadian_17.2.bb
similarity index 100%
rename from meta/recipes-devtools/gdb/gdb-cross-canadian_17.1.bb
rename to meta/recipes-devtools/gdb/gdb-cross-canadian_17.2.bb
diff --git a/meta/recipes-devtools/gdb/gdb-cross_17.1.bb b/meta/recipes-devtools/gdb/gdb-cross_17.2.bb
similarity index 100%
rename from meta/recipes-devtools/gdb/gdb-cross_17.1.bb
rename to meta/recipes-devtools/gdb/gdb-cross_17.2.bb
diff --git a/meta/recipes-devtools/gdb/gdb.inc b/meta/recipes-devtools/gdb/gdb.inc
index d367486d026..cbb58854598 100644
--- a/meta/recipes-devtools/gdb/gdb.inc
+++ b/meta/recipes-devtools/gdb/gdb.inc
@@ -13,7 +13,5 @@ SRC_URI = "${GNU_MIRROR}/gdb/gdb-${PV}.tar.xz \
file://0006-Fix-invalid-sigprocmask-call.patch \
file://0007-Define-alignof-using-_Alignof-when-using-C11-or-newe.patch \
file://0008-Add-fix-for-packages-that-are-not-compatible-with-C2.patch \
- file://0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch \
- file://0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch \
"
-SRC_URI[sha256sum] = "14996f5f74c9f68f5a543fdc45bca7800207f91f92aeea6c2e791822c7c6d876"
+SRC_URI[sha256sum] = "1c036c0d72e4b3d1fb5c94c88632add6f9d76f4d7c4d2ea793c12a9f19a3228c"
diff --git a/meta/recipes-devtools/gdb/gdb/0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch b/meta/recipes-devtools/gdb/gdb/0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch
deleted file mode 100644
index 30d22b21f92..00000000000
--- a/meta/recipes-devtools/gdb/gdb/0009-PR-gdb-33747-gdb-ser-unix-modernize-Linux-custom-bau.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-From 1a77c71303b552140613d49595baebdff1a4716e Mon Sep 17 00:00:00 2001
-From: Sunil Dora <sunilkumar.dora@windriver.com>
-Date: Tue, 17 Mar 2026 01:58:55 -0700
-Subject: [PATCH] PR gdb/33747: gdb/ser-unix: modernize Linux custom baud rate
- support
-
-The Linux custom baud rate implementation previously accessed the
-struct termios members c_ispeed and c_ospeed directly. These fields
-exist in glibc but are not exposed by musl, causing builds to fail on
-musl-based systems.
-
-Update set_custom_baudrate_linux to use a capability-based approach,
-with three distinct code paths:
-
-1) If POSIX cfsetispeed/cfsetospeed accept arbitrary baud rates
- (HAVE_CFSETSPEED_ARBITRARY), use them to set input and output
- speeds.
-
-2) Else if Linux termios2 interface is available (TCGETS2/BOTHER),
- use it to support arbitrary baud rates.
-
-3) Else if legacy struct termios supports c_ispeed/c_ospeed, use
- the TCGETS/TCSETS fallback (primarily for glibc on older
- architectures).
-
-4) Otherwise, emit an error indicating that custom baud rates are
- unsupported on this platform.
-
-This preserves existing behavior on glibc systems while restoring
-build compatibility with musl and other libc implementations.
-
-Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=33747
-
-Upstream-Status: Submitted [https://sourceware.org/pipermail/gdb-patches/2026-March/225952.html]
-
-Suggested-by: Kevin Buettner <kevinb@redhat.com>
-Suggested-by: Maciej W. Rozycki <macro@orcam.me.uk>
-Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
----
- gdb/config.in | 6 ++++++
- gdb/configure | 52 +++++++++++++++++++++++++++++++++++++++++++++
- gdb/configure.ac | 22 +++++++++++++++++++
- gdb/ser-unix.c | 55 ++++++++++++++++++++++++++++++++++--------------
- 4 files changed, 119 insertions(+), 16 deletions(-)
-
-diff --git a/gdb/config.in b/gdb/config.in
-index efc3100cb9e..b2469c8dabd 100644
---- a/gdb/config.in
-+++ b/gdb/config.in
-@@ -110,6 +110,9 @@
- the CoreFoundation framework. */
- #undef HAVE_CFPREFERENCESCOPYAPPVALUE
-
-+/* Define if cfsetispeed/cfsetospeed accept arbitrary baud rates */
-+#undef HAVE_CFSETSPEED_ARBITRARY
-+
- /* Define if compiling support to gdb compile. */
- #undef HAVE_COMPILE
-
-@@ -517,6 +520,9 @@
- /* Define to 1 if `st_blocks' is a member of `struct stat'. */
- #undef HAVE_STRUCT_STAT_ST_BLOCKS
-
-+/* Define to 1 if `c_ospeed' is a member of `struct termios'. */
-+#undef HAVE_STRUCT_TERMIOS_C_OSPEED
-+
- /* Define to 1 if `td_pcb' is a member of `struct thread'. */
- #undef HAVE_STRUCT_THREAD_TD_PCB
-
-diff --git a/gdb/configure b/gdb/configure
-index d0bdba6eb36..8a0e2fa2771 100755
---- a/gdb/configure
-+++ b/gdb/configure
-@@ -27336,6 +27336,58 @@ if test "$ac_res" != no; then :
- fi
-
-
-+# Check whether cfsetispeed/cfsetospeed accept arbitrary baud rates.
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cfsetispeed/cfsetospeed accept arbitrary baud rates" >&5
-+$as_echo_n "checking whether cfsetispeed/cfsetospeed accept arbitrary baud rates... " >&6; }
-+if ${gdb_cv_cfsetspeed_arbitrary+:} false; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <termios.h>
-+int
-+main ()
-+{
-+
-+ #if B9600 != 9600
-+ #error B-constants are not numeric symbols
-+ #endif
-+
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+ gdb_cv_cfsetspeed_arbitrary=yes
-+else
-+ gdb_cv_cfsetspeed_arbitrary=no
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gdb_cv_cfsetspeed_arbitrary" >&5
-+$as_echo "$gdb_cv_cfsetspeed_arbitrary" >&6; }
-+
-+if test "$gdb_cv_cfsetspeed_arbitrary" = yes; then
-+
-+$as_echo "#define HAVE_CFSETSPEED_ARBITRARY 1" >>confdefs.h
-+
-+fi
-+
-+# Check for members required by the legacy Linux custom baud rate path.
-+ac_fn_c_check_member "$LINENO" "struct termios" "c_ospeed" "ac_cv_member_struct_termios_c_ospeed" "#include <termios.h>
-+"
-+if test "x$ac_cv_member_struct_termios_c_ospeed" = xyes; then :
-+
-+cat >>confdefs.h <<_ACEOF
-+#define HAVE_STRUCT_TERMIOS_C_OSPEED 1
-+_ACEOF
-+
-+
-+fi
-+
-+
-
-
- # Check whether --with-jit-reader-dir was given.
-diff --git a/gdb/configure.ac b/gdb/configure.ac
-index 52924106bca..26e8d1ee276 100644
---- a/gdb/configure.ac
-+++ b/gdb/configure.ac
-@@ -733,6 +733,28 @@ AC_CONFIG_FILES([jit-reader.h:jit-reader.in])
-
- AC_SEARCH_LIBS(dlopen, dl)
-
-+# Check whether cfsetispeed/cfsetospeed accept arbitrary baud rates.
-+AC_CACHE_CHECK([whether cfsetispeed/cfsetospeed accept arbitrary baud rates],
-+ [gdb_cv_cfsetspeed_arbitrary], [
-+ AC_COMPILE_IFELSE(
-+ [AC_LANG_PROGRAM([[#include <termios.h>]],
-+ [[
-+ #if B9600 != 9600
-+ #error B-constants are not numeric symbols
-+ #endif
-+ ]])],
-+ [gdb_cv_cfsetspeed_arbitrary=yes],
-+ [gdb_cv_cfsetspeed_arbitrary=no])
-+])
-+
-+if test "$gdb_cv_cfsetspeed_arbitrary" = yes; then
-+ AC_DEFINE([HAVE_CFSETSPEED_ARBITRARY], [1],
-+ [Define if cfsetispeed/cfsetospeed accept arbitrary baud rates])
-+fi
-+
-+# Check for members required by the legacy Linux custom baud rate path.
-+AC_CHECK_MEMBERS([struct termios.c_ospeed], [], [], [[#include <termios.h>]])
-+
- GDB_AC_WITH_DIR([JIT_READER_DIR], [jit-reader-dir],
- [directory to load the JIT readers from],
- [${libdir}/gdb])
-diff --git a/gdb/ser-unix.c b/gdb/ser-unix.c
-index 6f2766518be..fbd73970dbb 100644
---- a/gdb/ser-unix.c
-+++ b/gdb/ser-unix.c
-@@ -508,36 +508,59 @@ set_baudcode_baudrate (struct serial *scb, int baud_code)
-
- #if HAVE_CUSTOM_BAUDRATE_SUPPORT && defined(BOTHER)
-
--/* Set a custom baud rate using the termios BOTHER. */
-+/* Set a custom baud rate.
-+
-+ Prefer the POSIX cfsetispeed/cfsetospeed interface when it accepts
-+ arbitrary baud rates. Otherwise fall back to Linux-specific termios2
-+ (BOTHER) or legacy termios interfaces. */
-
- static void
- set_custom_baudrate_linux (int fd, int rate)
- {
--#ifdef TCGETS2
-- struct termios2 tio;
-- const unsigned long req_get = TCGETS2;
-- const unsigned long req_set = TCSETS2;
--#else
-+#if defined(HAVE_CFSETSPEED_ARBITRARY)
- struct termios tio;
-- const unsigned long req_get = TCGETS;
-- const unsigned long req_set = TCSETS;
--#endif
-+ if (tcgetattr (fd, &tio) < 0)
-+ perror_with_name (_("Cannot get current baud rate"));
-+
-+ cfsetispeed (&tio, rate);
-+ cfsetospeed (&tio, rate);
-+
-+ if (tcsetattr (fd, TCSANOW, &tio) < 0)
-+ perror_with_name (_("Cannot set custom baud rate"));
-+
-+#elif defined(TCGETS2)
-+ struct termios2 tio2;
-+ if (ioctl (fd, TCGETS2, &tio2) < 0)
-+ perror_with_name (_("Cannot get current baud rate"));
-+
-+ tio2.c_cflag &= ~CBAUD;
-+ tio2.c_cflag |= BOTHER;
-+ tio2.c_ospeed = rate;
-+ tio2.c_cflag &= ~(CBAUD << IBSHIFT);
-+ tio2.c_cflag |= BOTHER << IBSHIFT;
-+ tio2.c_ispeed = rate;
-
-- if (ioctl (fd, req_get, &tio) < 0)
-- perror_with_name (_("Can not get current baud rate"));
-+ if (ioctl (fd, TCSETS2, &tio2) < 0)
-+ perror_with_name (_("Cannot set custom baud rate"));
-+
-+#elif defined(HAVE_STRUCT_TERMIOS_C_OSPEED)
-+ struct termios tio;
-+ if (ioctl (fd, TCGETS, &tio) < 0)
-+ perror_with_name (_("Cannot get current baud rate"));
-
-- /* Clear the current output baud rate and fill a new value. */
- tio.c_cflag &= ~CBAUD;
- tio.c_cflag |= BOTHER;
- tio.c_ospeed = rate;
--
-- /* Clear the current input baud rate and fill a new value. */
- tio.c_cflag &= ~(CBAUD << IBSHIFT);
- tio.c_cflag |= BOTHER << IBSHIFT;
- tio.c_ispeed = rate;
-
-- if (ioctl (fd, req_set, &tio) < 0)
-- perror_with_name (_("Can not set custom baud rate"));
-+ if (ioctl (fd, TCSETS, &tio) < 0)
-+ perror_with_name (_("Cannot set custom baud rate"));
-+
-+#else
-+ error (_("Custom baud rate not supported on this platform"));
-+#endif
- }
-
- #elif HAVE_CUSTOM_BAUDRATE_SUPPORT && defined(IOSSIOSPEED)
---
-2.49.0
-
diff --git a/meta/recipes-devtools/gdb/gdb/0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch b/meta/recipes-devtools/gdb/gdb/0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch
deleted file mode 100644
index 2d91a351d2b..00000000000
--- a/meta/recipes-devtools/gdb/gdb/0010-GDB-aarch64-linux-Fix-build-failure-on-musl-systems.patch
+++ /dev/null
@@ -1,196 +0,0 @@
-From 654223c799910837c80d0964a971fbdf7808864a Mon Sep 17 00:00:00 2001
-From: Thiago Jung Bauermann <thiago.bauermann@linaro.org>
-Date: Tue, 17 Mar 2026 02:24:48 -0700
-Subject: [PATCH] GDB: aarch64-linux: Fix build failure on musl systems
-
-(cherry picked from commit 02090062127d59978ccc312dabf63c6ea838cd85)
-
-When building against musl (e.g. on Alpine Linux), the following error
-happens:
-
- CXX linux-aarch64-low.o
- In file included from /home/bauermann/src/binutils-gdb/gdbserver/linux-aarch64-low.cc:42:
- /home/bauermann/src/binutils-gdb/gdbserver/../gdb/arch/aarch64-gcs-linux.h:35:8: error: redefinition of 'struct user_gcs'
- 35 | struct user_gcs
- | ^~~~~~~~
- In file included from /home/bauermann/src/binutils-gdb/gdbserver/linux-aarch64-low.cc:35:
- /usr/include/asm/ptrace.h:329:8: note: previous definition of 'struct user_gcs'
- 329 | struct user_gcs {
- | ^~~~~~~~
- make[2]: *** [Makefile:565: linux-aarch64-low.o] Error 1
-
-aarch64-linux-tdep.c fails to build in the same way. This happens because
-aarch64-gcs-linux.h uses GCS_MAGIC to see whether the system headers
-have GCS-related definitions. The problem is that GCS_MAGIC is defined in
-<asm/sigcontext.h> while struct gcs_user is defined in <asm/ptrace.h>.
-It's fine on glibc systems because in the set of system headers that
-linux-aarch64-low.cc and aarch64-linux-tdep.c include, <asm/sigcontext.h>
-ends up being included implicitly as well. This doesn't happen when using
-musl's headers though.
-
-There isn't a macro in <asm/ptrace.h> whose presence is correlated with
-the presence of the struct user_gcs definition, so a configure check is
-needed to detect it and conditionally define the struct.
-
-Also, this change requires aarch64-linux-tdep.c to stop using
-struct user_gcs because target-dependent code can't include <asm/ptrace.h>
-and thus even if HAVE_STRUCT_USER_GCS is set, the file won't have the
-struct definition available. To fix this problem, also backport the
-definition of AARCH64_LINUX_SIZEOF_GCS_REGSET and use it there.
-
-Note that there's another build issue with musl, described in
-PR gdb/33747 affecting compilation of gdb/ser-unix.c. In order to be
-able to test this patch, I applied the patch in comment 11 there.
-
-Tested with a native build on an Alpine Linux aarch64 system, and also
-verified that all gdb.arch/aarch64-gcs*.exp tests pass on it.
-
-Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=33926
-
-Upstream-Status: Submitted [https://sourceware.org/pipermail/gdb-patches/2026-March/226049.html]
-
-Co-authored-by: Chris Packham <judge.packham@gmail.com>
-Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
----
- gdb/aarch64-linux-tdep.c | 5 +++--
- gdb/arch/aarch64-gcs-linux.h | 8 +++++---
- gdbsupport/config.in | 3 +++
- gdbsupport/configure | 36 ++++++++++++++++++++++++++++++++++++
- gdbsupport/configure.ac | 19 +++++++++++++++++++
- 5 files changed, 66 insertions(+), 5 deletions(-)
-
-diff --git a/gdb/aarch64-linux-tdep.c b/gdb/aarch64-linux-tdep.c
-index 76bde85188b..6c402e7ecdd 100644
---- a/gdb/aarch64-linux-tdep.c
-+++ b/gdb/aarch64-linux-tdep.c
-@@ -1684,8 +1684,9 @@ aarch64_linux_iterate_over_regset_sections (struct gdbarch *gdbarch,
- gcs_regmap, regcache_supply_regset, regcache_collect_regset
- };
-
-- cb (".reg-aarch-gcs", sizeof (user_gcs), sizeof (user_gcs),
-- &aarch64_linux_gcs_regset, "GCS registers", cb_data);
-+ cb (".reg-aarch-gcs", AARCH64_LINUX_SIZEOF_GCS_REGSET,
-+ AARCH64_LINUX_SIZEOF_GCS_REGSET, &aarch64_linux_gcs_regset,
-+ "GCS registers", cb_data);
- }
- }
-
-diff --git a/gdb/arch/aarch64-gcs-linux.h b/gdb/arch/aarch64-gcs-linux.h
-index 018ca37a522..632823a8120 100644
---- a/gdb/arch/aarch64-gcs-linux.h
-+++ b/gdb/arch/aarch64-gcs-linux.h
-@@ -27,8 +27,7 @@
- #define HWCAP_GCS (1ULL << 32)
- #endif
-
--/* Make sure we only define these if the kernel header doesn't. */
--#ifndef GCS_MAGIC
-+#ifndef HAVE_STRUCT_USER_GCS
-
- /* GCS state (NT_ARM_GCS). */
-
-@@ -39,6 +38,9 @@ struct user_gcs
- uint64_t gcspr_el0;
- };
-
--#endif /* GCS_MAGIC */
-+#endif /* HAVE_STRUCT_USER_GCS */
-+
-+/* The GCS regset consists of 3 64-bit registers. */
-+#define AARCH64_LINUX_SIZEOF_GCS_REGSET (3 * 8)
-
- #endif /* GDB_ARCH_AARCH64_GCS_LINUX_H */
-diff --git a/gdbsupport/config.in b/gdbsupport/config.in
-index 0beacf22c05..2957ee0f030 100644
---- a/gdbsupport/config.in
-+++ b/gdbsupport/config.in
-@@ -271,6 +271,9 @@
- /* Define to 1 if `st_blocks' is a member of `struct stat'. */
- #undef HAVE_STRUCT_STAT_ST_BLOCKS
-
-+/* Define to 1 if your system has struct user_gcs. */
-+#undef HAVE_STRUCT_USER_GCS
-+
- /* Define to 1 if you have the <sys/param.h> header file. */
- #undef HAVE_SYS_PARAM_H
-
-diff --git a/gdbsupport/configure b/gdbsupport/configure
-index 133ddfa7f6c..66135791aa5 100755
---- a/gdbsupport/configure
-+++ b/gdbsupport/configure
-@@ -14307,6 +14307,42 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-
-+# Check for `struct user_gcs`
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for struct user_gcs" >&5
-+$as_echo_n "checking for struct user_gcs... " >&6; }
-+if ${gdb_cv_struct_user_gcs+:} false; then :
-+ $as_echo_n "(cached) " >&6
-+else
-+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-+/* end confdefs.h. */
-+#include <sys/ptrace.h>
-+ #include <asm/ptrace.h>
-+int
-+main ()
-+{
-+struct user_gcs u;
-+
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+if ac_fn_c_try_compile "$LINENO"; then :
-+ gdb_cv_struct_user_gcs=yes
-+else
-+ gdb_cv_struct_user_gcs=no
-+
-+fi
-+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-+
-+fi
-+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gdb_cv_struct_user_gcs" >&5
-+$as_echo "$gdb_cv_struct_user_gcs" >&6; }
-+if test "$gdb_cv_struct_user_gcs" = yes; then
-+
-+$as_echo "#define HAVE_STRUCT_USER_GCS 1" >>confdefs.h
-+
-+fi
-+
- # Set the 'development' global.
- . $srcdir/../bfd/development.sh
-
-diff --git a/gdbsupport/configure.ac b/gdbsupport/configure.ac
-index b7ccfabd6c6..d3b4c05daeb 100644
---- a/gdbsupport/configure.ac
-+++ b/gdbsupport/configure.ac
-@@ -68,6 +68,25 @@ GDB_AC_PTRACE
- AM_GDB_COMPILER_TYPE
- AM_GDB_WARNINGS
-
-+# Check for `struct user_gcs`
-+AC_CACHE_CHECK(
-+ [for struct user_gcs],
-+ [gdb_cv_struct_user_gcs],
-+ [AC_COMPILE_IFELSE(
-+ [AC_LANG_PROGRAM(
-+ [#include <sys/ptrace.h>
-+ #include <asm/ptrace.h>],
-+ [struct user_gcs u;]
-+ )],
-+ [gdb_cv_struct_user_gcs=yes],
-+ [gdb_cv_struct_user_gcs=no]
-+ )]
-+)
-+if test "$gdb_cv_struct_user_gcs" = yes; then
-+ AC_DEFINE(HAVE_STRUCT_USER_GCS, 1,
-+ [Define to 1 if your system has struct user_gcs.])
-+fi
-+
- # Set the 'development' global.
- . $srcdir/../bfd/development.sh
-
---
-2.49.0
-
diff --git a/meta/recipes-devtools/gdb/gdb_17.1.bb b/meta/recipes-devtools/gdb/gdb_17.2.bb
similarity index 100%
rename from meta/recipes-devtools/gdb/gdb_17.1.bb
rename to meta/recipes-devtools/gdb/gdb_17.2.bb
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 02/18] curl: fix CVE-2026-5773 - wrong reuse of SMB connection
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 01/18] gdb: Upgrade 17.1 -> 17.2 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 03/18] expat: patch CVE-2026-45186 Yoann Congal
` (15 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
Remove PROTOPT_CONN_REUSE from SMB handler flags to prevent
connection pooling. Without this, a second SMB request to the same
host reuses a connection authenticated for a different share.
Reference: https://curl.se/docs/CVE-2026-5773.html
Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../curl/curl/CVE-2026-5773.patch | 47 +++++++++++++++++++
meta/recipes-support/curl/curl_8.19.0.bb | 1 +
2 files changed, 48 insertions(+)
create mode 100644 meta/recipes-support/curl/curl/CVE-2026-5773.patch
diff --git a/meta/recipes-support/curl/curl/CVE-2026-5773.patch b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
new file mode 100644
index 00000000000..a9973712426
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2026-5773.patch
@@ -0,0 +1,47 @@
+From e5c7f93734345260820ca46b29db85f75d277399 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 5 Apr 2026 18:23:35 +0200
+Subject: [PATCH] protocol: disable connection reuse for SMB(S)
+
+Connections should only be reused when using the same "share" (and
+perhaps some additional conditions), but instead of fixing this flaw,
+this change completely disables connection reuse for SMB. This protocol
+is about to get dropped soon anyway.
+
+Reported-by: Osama Hamad
+Closes #21238
+
+CVE: CVE-2026-5773
+Upstream-Status: Backport [https://github.com/curl/curl/commit/74a169575d6412dc0ff532acdf94de35a6c2a571]
+
+Note: The upstream fix targets lib/protocol.c which was introduced in
+curl 8.20.0. In 8.19.0 the SMB handler flags are still in lib/smb.c,
+so this patch removes PROTOPT_CONN_REUSE there instead. The effect is
+identical: SMB connections are no longer pooled for reuse.
+
+Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
+---
+ lib/smb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/smb.c b/lib/smb.c
+index 00297ad..c15fdce 100644
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -1242,7 +1242,7 @@ const struct Curl_scheme Curl_scheme_smb = {
+ #endif
+ CURLPROTO_SMB, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_NONE, /* flags */
+ PORT_SMB, /* defport */
+ };
+
+@@ -1259,6 +1259,6 @@ const struct Curl_scheme Curl_scheme_smbs = {
+ #endif
+ CURLPROTO_SMBS, /* protocol */
+ CURLPROTO_SMB, /* family */
+- PROTOPT_SSL | PROTOPT_CONN_REUSE, /* flags */
++ PROTOPT_SSL, /* flags */
+ PORT_SMBS, /* defport */
+ };
diff --git a/meta/recipes-support/curl/curl_8.19.0.bb b/meta/recipes-support/curl/curl_8.19.0.bb
index d58b7740112..3326f478b5c 100644
--- a/meta/recipes-support/curl/curl_8.19.0.bb
+++ b/meta/recipes-support/curl/curl_8.19.0.bb
@@ -15,6 +15,7 @@ SRC_URI = " \
file://disable-tests \
file://no-test-timeout.patch \
file://CVE-2026-6276.patch \
+ file://CVE-2026-5773.patch \
file://mbedtls.patch \
"
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 03/18] expat: patch CVE-2026-45186
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 01/18] gdb: Upgrade 17.1 -> 17.2 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 02/18] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 04/18] expat: fix CVE-2026-41080 Yoann Congal
` (14 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Backport patches from [1] also mentioned in [2].
[1] https://github.com/libexpat/libexpat/pull/1216
[2] https://security-tracker.debian.org/tracker/CVE-2026-45186
Signed-off-by: Theo Gaige (Schneider Electric) <tgaige.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../expat/expat/CVE-2026-45186-01.patch | 70 ++++
.../expat/expat/CVE-2026-45186-02.patch | 318 ++++++++++++++++++
.../expat/expat/CVE-2026-45186-03.patch | 46 +++
.../expat/expat/CVE-2026-45186-04.patch | 32 ++
.../expat/expat/CVE-2026-45186-05.patch | 32 ++
.../expat/expat/CVE-2026-45186-06.patch | 87 +++++
.../expat/expat/CVE-2026-45186-07.patch | 52 +++
meta/recipes-core/expat/expat_2.7.5.bb | 7 +
8 files changed, 644 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-01.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-02.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-03.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-04.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-05.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-06.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-45186-07.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-01.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-01.patch
new file mode 100644
index 00000000000..478978f4ca2
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-45186-01.patch
@@ -0,0 +1,70 @@
+From b659bf974f29b991870ba1f66af687c73e07fbf8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= <berkay.ueruen@siemens.com>
+Date: Fri, 13 Mar 2026 13:26:45 +0100
+Subject: [PATCH 1/7] Make "counting_start_element_handler" count default attrs
+
+(cherry picked from commit 0802a5892030610144b736dec6e2f63e8600fe85)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/0802a5892030610144b736dec6e2f63e8600fe85]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ tests/basic_tests.c | 8 ++++----
+ tests/handlers.c | 2 +-
+ tests/handlers.h | 1 +
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index 02d1d5f..8c025a2 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -2466,9 +2466,9 @@ START_TEST(test_attributes) {
+ {XCS("id"), XCS("one")},
+ {NULL, NULL}};
+ AttrInfo tag_info[] = {{XCS("c"), XCS("3")}, {NULL, NULL}};
+- ElementInfo info[] = {{XCS("doc"), 3, XCS("id"), NULL},
+- {XCS("tag"), 1, NULL, NULL},
+- {NULL, 0, NULL, NULL}};
++ ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), NULL},
++ {XCS("tag"), 1, 0, NULL, NULL},
++ {NULL, 0, 0, NULL, NULL}};
+ info[0].attributes = doc_info;
+ info[1].attributes = tag_info;
+
+@@ -5543,7 +5543,7 @@ START_TEST(test_deep_nested_attribute_entity) {
+ (long unsigned)(N_LINES - 1));
+
+ AttrInfo doc_info[] = {{XCS("name"), XCS("deepText")}, {NULL, NULL}};
+- ElementInfo info[] = {{XCS("foo"), 1, NULL, NULL}, {NULL, 0, NULL, NULL}};
++ ElementInfo info[] = {{XCS("foo"), 1, 0, NULL, NULL}, {NULL, 0, 0, NULL, NULL}};
+ info[0].attributes = doc_info;
+
+ XML_Parser parser = XML_ParserCreate(NULL);
+diff --git a/tests/handlers.c b/tests/handlers.c
+index e456df2..bd1b54e 100644
+--- a/tests/handlers.c
++++ b/tests/handlers.c
+@@ -137,7 +137,7 @@ counting_start_element_handler(void *userData, const XML_Char *name,
+ fail("ID does not have the correct name");
+ return;
+ }
+- for (i = 0; i < info->attr_count; i++) {
++ for (i = 0; i < info->attr_count + info->default_attr_count; i++) {
+ attr = info->attributes;
+ while (attr->name != NULL) {
+ if (! xcstrcmp(atts[0], attr->name))
+diff --git a/tests/handlers.h b/tests/handlers.h
+index fcde27a..27a53f2 100644
+--- a/tests/handlers.h
++++ b/tests/handlers.h
+@@ -88,6 +88,7 @@ typedef struct attrInfo {
+ typedef struct elementInfo {
+ const XML_Char *name;
+ int attr_count;
++ int default_attr_count;
+ const XML_Char *id_name;
+ AttrInfo *attributes;
+ } ElementInfo;
+--
+2.43.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-02.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-02.patch
new file mode 100644
index 00000000000..6c90e15b47d
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-45186-02.patch
@@ -0,0 +1,318 @@
+From 32848241057dfaa4c68fae475f51fbe1a182c004 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Berkay=20Eren=20=C3=9Cr=C3=BCn?= <berkay.ueruen@siemens.com>
+Date: Fri, 13 Mar 2026 13:27:31 +0100
+Subject: [PATCH 2/7] test(attlist): Cover duplicate attribute names
+
+Co-authored-by: Sebastian Pipping <sebastian@pipping.org>
+(cherry picked from commit e569f47181c43dca5d262089e541ddf9a9c09927)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/e569f47181c43dca5d262089e541ddf9a9c09927]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ tests/basic_tests.c | 282 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 282 insertions(+)
+
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index 8c025a2..83c453c 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -2489,6 +2489,279 @@ START_TEST(test_attributes) {
+ }
+ END_TEST
+
++START_TEST(test_duplicate_cdata_attribute) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one definition is provided for the same attribute of a given
++ element type, the first declaration is binding and later declarations are
++ ignored.
++ */
++
++ const char *text
++ = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc attribute CDATA 'expected' attribute CDATA 'ignored'>\n"
++ "]>\n"
++ "<doc/>\n";
++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected")}, {NULL, NULL}};
++ ElementInfo info[]
++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_id_attribute_1) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one definition is provided for the same attribute of a given
++ element type, the first declaration is binding and later declarations are
++ ignored.
++ */
++
++ const char *text
++ = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc identifier CDATA 'expected' identifier ID #REQUIRED>\n"
++ "]>\n"
++ "<doc/>\n";
++ AttrInfo doc_info[] = {{XCS("identifier"), XCS("expected")}, {NULL, NULL}};
++ ElementInfo info[]
++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_id_attribute_2) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one definition is provided for the same attribute of a given
++ element type, the first declaration is binding and later declarations are
++ ignored.
++ */
++
++ const char *text
++ = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc identifier ID #REQUIRED identifier CDATA 'unexpected'>\n"
++ "]>\n"
++ "<doc/>\n";
++ AttrInfo doc_info[] = {{NULL, NULL}};
++
++ ElementInfo info[]
++ = {{XCS("doc"), 0, 0, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one AttlistDecl is provided for a given element type,
++ the contents of all those provided are merged.
++ */
++ const char *text = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc attribute CDATA 'expected'>\n"
++ " <!ATTLIST doc attribute CDATA 'ignored'>\n"
++ "]>\n"
++ "<doc/>\n";
++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected")}, {NULL, NULL}};
++ ElementInfo info[]
++ = {{XCS("doc"), 0, 1, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl_2) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one AttlistDecl is provided for a given element type,
++ the contents of all those provided are merged.
++ */
++ const char *text = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc attribute CDATA 'expected_doc'>\n"
++ " <!ATTLIST tag attribute CDATA 'expected_tag'>\n"
++ " <!ATTLIST doc attribute CDATA 'ignored_doc'>\n"
++ "]>\n"
++ "<doc><tag></tag></doc>\n";
++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected_doc")}, {NULL, NULL}};
++ AttrInfo tag_info[] = {{XCS("attribute"), XCS("expected_tag")}, {NULL, NULL}};
++ ElementInfo info[] = {{XCS("doc"), 0, 1, NULL, doc_info},
++ {XCS("tag"), 0, 1, NULL, tag_info},
++ {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_cdata_attribute_multiple_attlistdecl_3) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one AttlistDecl is provided for a given element type,
++ the contents of all those provided are merged.
++ */
++ const char *text
++ = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc attribute CDATA 'expected_doc'>\n"
++ " <!ATTLIST tag attribute CDATA 'expected_tag'>\n"
++ " <!ATTLIST doc second_attribute CDATA 'second_expected_doc' attribute CDATA 'ignored_doc'>\n"
++ "]>\n"
++ "<doc><tag></tag></doc>\n";
++ AttrInfo doc_info[] = {{XCS("attribute"), XCS("expected_doc")},
++ {XCS("second_attribute"), XCS("second_expected_doc")},
++ {NULL, NULL}};
++ AttrInfo tag_info[] = {{XCS("attribute"), XCS("expected_tag")}, {NULL, NULL}};
++ ElementInfo info[] = {{XCS("doc"), 0, 2, NULL, doc_info},
++ {XCS("tag"), 0, 1, NULL, tag_info},
++ {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
++START_TEST(test_duplicate_id_attribute_multiple_attlistdecl) {
++ /*
++ https://www.w3.org/TR/xml/#attdecls
++
++ Test the following statement from the linked specification:
++ When more than one AttlistDecl is provided for a given element type,
++ the contents of all those provided are merged.
++ */
++ const char *text = "<!DOCTYPE doc [\n"
++ " <!ATTLIST doc identifier ID #REQUIRED>\n"
++ " <!ATTLIST tag identifier CDATA 'identifier_tag'>\n"
++ " <!ATTLIST doc identifier CDATA 'ignored'>\n"
++ "]>\n"
++ "<doc identifier='doc_identity'><tag></tag></doc>\n";
++ AttrInfo doc_info[]
++ = {{XCS("identifier"), XCS("doc_identity")}, {NULL, NULL}};
++ AttrInfo tag_info[]
++ = {{XCS("identifier"), XCS("identifier_tag")}, {NULL, NULL}};
++ ElementInfo info[] = {{XCS("doc"), 1, 0, XCS("identifier"), doc_info},
++ {XCS("tag"), 0, 1, NULL, tag_info},
++ {NULL, 0, 0, NULL, NULL}};
++
++ XML_Parser parser = XML_ParserCreate(NULL);
++ assert_true(parser != NULL);
++
++ ParserAndElementInfo parserAndElementInfos = {
++ parser,
++ info,
++ };
++
++ XML_SetStartElementHandler(parser, counting_start_element_handler);
++ XML_SetUserData(parser, &parserAndElementInfos);
++
++ if (_XML_Parse_SINGLE_BYTES(parser, text, (int)strlen(text), XML_TRUE)
++ != XML_STATUS_OK)
++ xml_failure(parser);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
+ /* Test reset works correctly in the middle of processing an internal
+ * entity. Exercises some obscure code in XML_ParserReset().
+ */
+@@ -6374,6 +6647,15 @@ make_basic_test_case(Suite *s) {
+ tcase_add_test__ifdef_xml_dtd(tc_basic, test_empty_foreign_dtd);
+ tcase_add_test(tc_basic, test_set_base);
+ tcase_add_test(tc_basic, test_attributes);
++ tcase_add_test(tc_basic, test_duplicate_cdata_attribute);
++ tcase_add_test(tc_basic, test_duplicate_id_attribute_1);
++ tcase_add_test(tc_basic, test_duplicate_id_attribute_2);
++ tcase_add_test(tc_basic, test_duplicate_cdata_attribute_multiple_attlistdecl);
++ tcase_add_test(tc_basic,
++ test_duplicate_cdata_attribute_multiple_attlistdecl_2);
++ tcase_add_test(tc_basic,
++ test_duplicate_cdata_attribute_multiple_attlistdecl_3);
++ tcase_add_test(tc_basic, test_duplicate_id_attribute_multiple_attlistdecl);
+ tcase_add_test__if_xml_ge(tc_basic, test_reset_in_entity);
+ tcase_add_test(tc_basic, test_resume_invalid_parse);
+ tcase_add_test(tc_basic, test_resume_resuspended);
+--
+2.43.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-03.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-03.patch
new file mode 100644
index 00000000000..f3b0614b8df
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-45186-03.patch
@@ -0,0 +1,46 @@
+From 468d6f44264e7ad73f3045f6487baccc846014e6 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 20 Apr 2026 13:44:43 +0200
+Subject: [PATCH 3/7] tests: Define .attributes the first time around
+
+(cherry picked from commit 05307d352a5aa858cdda57ec53a53b597b3a4a82)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/05307d352a5aa858cdda57ec53a53b597b3a4a82]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ tests/basic_tests.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index 83c453c..810ff5e 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -2466,11 +2466,9 @@ START_TEST(test_attributes) {
+ {XCS("id"), XCS("one")},
+ {NULL, NULL}};
+ AttrInfo tag_info[] = {{XCS("c"), XCS("3")}, {NULL, NULL}};
+- ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), NULL},
+- {XCS("tag"), 1, 0, NULL, NULL},
++ ElementInfo info[] = {{XCS("doc"), 3, 0, XCS("id"), doc_info},
++ {XCS("tag"), 1, 0, NULL, tag_info},
+ {NULL, 0, 0, NULL, NULL}};
+- info[0].attributes = doc_info;
+- info[1].attributes = tag_info;
+
+ XML_Parser parser = XML_ParserCreate(NULL);
+ assert_true(parser != NULL);
+@@ -5816,8 +5814,8 @@ START_TEST(test_deep_nested_attribute_entity) {
+ (long unsigned)(N_LINES - 1));
+
+ AttrInfo doc_info[] = {{XCS("name"), XCS("deepText")}, {NULL, NULL}};
+- ElementInfo info[] = {{XCS("foo"), 1, 0, NULL, NULL}, {NULL, 0, 0, NULL, NULL}};
+- info[0].attributes = doc_info;
++ ElementInfo info[]
++ = {{XCS("foo"), 1, 0, NULL, doc_info}, {NULL, 0, 0, NULL, NULL}};
+
+ XML_Parser parser = XML_ParserCreate(NULL);
+ ParserAndElementInfo parserPlusElemenInfo = {parser, info};
+--
+2.43.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-04.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-04.patch
new file mode 100644
index 00000000000..d30ffa3f512
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-45186-04.patch
@@ -0,0 +1,32 @@
+From 0582bcabb773d4600d7c85516132b016f0163deb Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 13 Apr 2026 01:34:03 +0200
+Subject: [PATCH 4/7] tests: Make counting_start_element_handler enforce
+ complete attribute lists
+
+(cherry picked from commit 4176aff73840711060913e0ac6aa1168d8ba5c8d)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/4176aff73840711060913e0ac6aa1168d8ba5c8d]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ tests/handlers.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/tests/handlers.c b/tests/handlers.c
+index bd1b54e..8cda3a8 100644
+--- a/tests/handlers.c
++++ b/tests/handlers.c
+@@ -155,6 +155,9 @@ counting_start_element_handler(void *userData, const XML_Char *name,
+ /* Remember, two entries in atts per attribute (see above) */
+ atts += 2;
+ }
++
++ // Self-test that the test case's list of expected attributes is complete
++ assert_true(atts[0] == NULL);
+ }
+
+ void XMLCALL
+--
+2.43.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-05.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-05.patch
new file mode 100644
index 00000000000..6d98a3cd091
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-45186-05.patch
@@ -0,0 +1,32 @@
+From ebe5486739006105629b0bca6022f664566e56de Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 8 Mar 2026 22:14:41 +0100
+Subject: [PATCH 5/7] lib: Extract a constant for upcoming reuse
+
+(cherry picked from commit fb35f2d2040d114f355bae8a7450942533237530)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/fb35f2d2040d114f355bae8a7450942533237530]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ lib/xmlparse.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 0248b66..e833520 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7719,8 +7719,9 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+ newE->prefix = (PREFIX *)lookup(oldParser, &(newDtd->prefixes),
+ oldE->prefix->name, 0);
+ for (i = 0; i < newE->nDefaultAtts; i++) {
++ const XML_Char *const attributeName = oldE->defaultAtts[i].id->name;
+ newE->defaultAtts[i].id = (ATTRIBUTE_ID *)lookup(
+- oldParser, &(newDtd->attributeIds), oldE->defaultAtts[i].id->name, 0);
++ oldParser, &(newDtd->attributeIds), attributeName, 0);
+ newE->defaultAtts[i].isCdata = oldE->defaultAtts[i].isCdata;
+ if (oldE->defaultAtts[i].value) {
+ newE->defaultAtts[i].value
+--
+2.43.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-06.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-06.patch
new file mode 100644
index 00000000000..1b47776a172
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-45186-06.patch
@@ -0,0 +1,87 @@
+From 41f9f3c8479e8f8547d5bce6355b0484c2744d1e Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 8 Mar 2026 23:05:49 +0100
+Subject: [PATCH 6/7] lib: Introduce ELEMENT_TYPE.defaultAttsNames
+
+(cherry picked from commit 7f0f1b9e70d937072d2e9e37ae9edf27784cc080)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/7f0f1b9e70d937072d2e9e37ae9edf27784cc080]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ lib/xmlparse.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index e833520..b7e2d72 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -388,6 +388,7 @@ typedef struct {
+ int nDefaultAtts;
+ int allocDefaultAtts;
+ DEFAULT_ATTRIBUTE *defaultAtts;
++ HASH_TABLE defaultAttsNames;
+ } ELEMENT_TYPE;
+
+ typedef struct {
+@@ -3853,6 +3854,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
+ sizeof(ELEMENT_TYPE));
+ if (! elementType)
+ return XML_ERROR_NO_MEMORY;
++ if (! elementType->defaultAttsNames.parser)
++ hashTableInit(&(elementType->defaultAttsNames), parser);
+ if (parser->m_ns && ! setElementTypePrefix(parser, elementType))
+ return XML_ERROR_NO_MEMORY;
+ }
+@@ -7561,6 +7564,7 @@ dtdReset(DTD *p, XML_Parser parser) {
+ ELEMENT_TYPE *e = (ELEMENT_TYPE *)hashTableIterNext(&iter);
+ if (! e)
+ break;
++ hashTableDestroy(&(e->defaultAttsNames));
+ if (e->allocDefaultAtts != 0)
+ FREE(parser, e->defaultAtts);
+ }
+@@ -7602,6 +7606,7 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, XML_Parser parser) {
+ ELEMENT_TYPE *e = (ELEMENT_TYPE *)hashTableIterNext(&iter);
+ if (! e)
+ break;
++ hashTableDestroy(&(e->defaultAttsNames));
+ if (e->allocDefaultAtts != 0)
+ FREE(parser, e->defaultAtts);
+ }
+@@ -7695,6 +7700,10 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+ sizeof(ELEMENT_TYPE));
+ if (! newE)
+ return 0;
++
++ if (! newE->defaultAttsNames.parser)
++ hashTableInit(&(newE->defaultAttsNames), parser);
++
+ if (oldE->nDefaultAtts) {
+ /* Detect and prevent integer overflow.
+ * The preprocessor guard addresses the "always false" warning
+@@ -7730,6 +7739,12 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+ return 0;
+ } else
+ newE->defaultAtts[i].value = NULL;
++
++ NAMED *const nameAddedOrFound = (NAMED *)lookup(
++ parser, &(newE->defaultAttsNames), attributeName, sizeof(NAMED));
++ if (! nameAddedOrFound) {
++ return 0;
++ }
+ }
+ }
+
+@@ -8474,6 +8489,8 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr,
+ sizeof(ELEMENT_TYPE));
+ if (! ret)
+ return NULL;
++ if (! ret->defaultAttsNames.parser)
++ hashTableInit(&(ret->defaultAttsNames), getRootParserOf(parser, NULL));
+ if (ret->name != name)
+ poolDiscard(&dtd->pool);
+ else {
+--
+2.43.0
+
diff --git a/meta/recipes-core/expat/expat/CVE-2026-45186-07.patch b/meta/recipes-core/expat/expat/CVE-2026-45186-07.patch
new file mode 100644
index 00000000000..5551d10243c
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-45186-07.patch
@@ -0,0 +1,52 @@
+From 141a3c12639f9a4066293e81dbedde4c15b0881f Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 8 Mar 2026 23:06:29 +0100
+Subject: [PATCH 7/7] lib: Leverage ELEMENT_TYPE.defaultAttsNames for attribute
+ collision detection
+
+.. to resolve quadratic runtime behavior
+
+(cherry picked from commit 4cd4eb0683e04cd45a2ffc81a08ca2a2663994b5)
+
+CVE: CVE-2026-45186
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1216/commits/4cd4eb0683e04cd45a2ffc81a08ca2a2663994b5]
+Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
+---
+ lib/xmlparse.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index b7e2d72..04195cb 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7189,10 +7189,10 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+ if (value || isId) {
+ /* The handling of default attributes gets messed up if we have
+ a default which duplicates a non-default. */
+- int i;
+- for (i = 0; i < type->nDefaultAtts; i++)
+- if (attId == type->defaultAtts[i].id)
+- return 1;
++ NAMED *const nameFound
++ = (NAMED *)lookup(parser, &(type->defaultAttsNames), attId->name, 0);
++ if (nameFound)
++ return 1;
+ if (isId && ! type->idAtt && ! attId->xmlns)
+ type->idAtt = attId;
+ }
+@@ -7239,6 +7239,12 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
+ att->isCdata = isCdata;
+ if (! isCdata)
+ attId->maybeTokenized = XML_TRUE;
++
++ NAMED *const nameAddedOrFound = (NAMED *)lookup(
++ parser, &(type->defaultAttsNames), attId->name, sizeof(NAMED));
++ if (! nameAddedOrFound)
++ return 0;
++
+ type->nDefaultAtts += 1;
+ return 1;
+ }
+--
+2.43.0
+
diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb
index 4f2578292d9..210398fb505 100644
--- a/meta/recipes-core/expat/expat_2.7.5.bb
+++ b/meta/recipes-core/expat/expat_2.7.5.bb
@@ -10,6 +10,13 @@ VERSION_TAG = "${@d.getVar('PV').replace('.', '_')}"
SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://run-ptest \
+ file://CVE-2026-45186-01.patch \
+ file://CVE-2026-45186-02.patch \
+ file://CVE-2026-45186-03.patch \
+ file://CVE-2026-45186-04.patch \
+ file://CVE-2026-45186-05.patch \
+ file://CVE-2026-45186-06.patch \
+ file://CVE-2026-45186-07.patch \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 04/18] expat: fix CVE-2026-41080
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (2 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 03/18] expat: patch CVE-2026-45186 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 05/18] python3: upgrade 3.14.5 -> 3.14.6 Yoann Congal
` (13 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Amaury Couderc <amaury.couderc@est.tech>
The existing hash flooding protection (based on SipHash) only used 4 to 8
bytes of entropy for a salt, when 16 bytes of salt are supported by the
implementation of SipHash used by Expat. Now full 16 bytes of entropy are
used to improve protection against hash flooding attacks.
Introduces new API function XML_SetHashSalt16Bytes and deprecates the
legacy XML_SetHashSalt which is limited to 4-8 bytes.
The fix is split into 2 patches for reviewability:
1. Main CVE fix: migrates hash salt to 128-bit struct sipkey, extracts
16 bytes of entropy, removes dead get_hash_secret_salt function
(copy_salt_to_sipkey accesses the struct directly), adds
XML_SetHashSalt16Bytes API, deprecates XML_SetHashSalt, adds symbol
export, backport feature macro, tests, and documentation.
2. Windows/cmake: adds the missing .def export for the new symbol.
Note: the prerequisite commits that Peter Marko needed for scarthgap
(clang-tidy misc-no-recursion fix and WASI getpid removal) are already
present in expat 2.7.5, so they are not needed here.
Backport patch to fix CVE-2026-41080
https://nvd.nist.gov/vuln/detail/CVE-2026-41080
Upstream fix:
https://github.com/libexpat/libexpat/pull/1183
CVE: CVE-2026-41080
Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
[YC: This is quite invasive as a CVE fix: For reasoning, see
https://lore.kernel.org/all/2030b4435c8bc81bb4452637c0517ac33ab94d20.camel@pbarker.dev/]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../expat/expat/CVE-2026-41080-1.patch | 517 ++++++++++++++++++
.../expat/expat/CVE-2026-41080-2.patch | 33 ++
meta/recipes-core/expat/expat_2.7.5.bb | 2 +
3 files changed, 552 insertions(+)
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-1.patch
create mode 100644 meta/recipes-core/expat/expat/CVE-2026-41080-2.patch
diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-1.patch b/meta/recipes-core/expat/expat/CVE-2026-41080-1.patch
new file mode 100644
index 00000000000..e93ad093f25
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-41080-1.patch
@@ -0,0 +1,517 @@
+From fa1ebd60bfcc6d32f329803e5e837251e2387ed1 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sun, 30 Mar 2025 19:26:55 +0200
+Subject: [PATCH v2 1/2] expat: fix CVE-2026-41080
+
+The existing hash flooding protection in libexpat (based on SipHash)
+only used 4 to 8 bytes of entropy for a salt, when 16 bytes are
+supported by the SipHash implementation. This allows attackers to more
+feasibly guess the hash salt and craft inputs that cause hash
+collisions, leading to denial of service.
+
+Backport upstream changes that:
+- Migrate hash salt storage to larger struct sipkey (128-bit)
+- Drop unused parameter from generate_hash_secret_salt
+- Drop unneeded void * casts in generate_hash_secret_salt
+- Extract full 16 bytes of entropy for hash flooding protection
+- Introduce internal flag m_hash_secret_salt_set
+- Remove now-dead get_hash_secret_salt function (copy_salt_to_sipkey
+ accesses the struct directly)
+- Add XML_SetHashSalt16Bytes API function
+- Deprecate XML_SetHashSalt
+- Add symbol export in libexpat.map.in (LIBEXPAT_2.7.6)
+- Add backport feature macro XML_BACKPORT_SET_HASH_SALT_16_BYTES
+- Add test_hash_salt_setter unit test
+- Update documentation and Changes file
+
+Squashed backport of upstream PR #1183 commits 909201a8, bc193afc,
+08697a9b, f5eacefb, fa1ebd60, f76124e7, e3349d85, c8c5caf4,
+592d5fa3, 8ad3ef57, ec9fcd2e, and 8017e11e.
+
+CVE: CVE-2026-41080
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/pull/1183]
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ Changes | 17 ++++++
+ doc/reference.html | 55 +++++++++++++++++--
+ lib/expat.h | 15 ++++++
+ lib/internal.h | 2 +
+ lib/libexpat.map.in | 5 ++
+ lib/xmlparse.c | 124 +++++++++++++++++++++++++++++++++----------
+ tests/basic_tests.c | 25 +++++++++
+ 7 files changed, 212 insertions(+), 31 deletions(-)
+
+diff --git a/Changes b/Changes
+index 2b3704a6..1d8227ec 100644
+--- a/Changes
++++ b/Changes
+@@ -29,6 +29,23 @@
+ !! THANK YOU! Sebastian Pipping -- Berlin, 2026-03-17 !!
+ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
++Patches
++ Security fixes:
++ #47 #1183 CVE-2026-41080 -- The existing hash flooding protection
++ (based on SipHash) only used 4 to 8 bytes of entropy for
++ a salt, when 16 bytes of salt are supported by the
++ implementation of SipHash used by Expat. Now full 16 bytes
++ of entropy are used to improve protection against hash
++ flooding attacks.
++ Existing API function XML_SetHashSalt is now deprecated
++ because of its limitations, and its use should be
++ considered a vulnerability. Please either use the new API
++ function XML_SetHashSalt16Bytes (with known-high-quality
++ entropy input only!) instead, or leave the derivation of
++ a 16-bytes hash salt from high quality entropy to Expat's
++ internal machinery (by *not* calling either of the two
++ XML_SetHashSalt* functions).
++
+ Release 2.7.5 Tue March 17 2026
+ Security fixes:
+ #1158 CVE-2026-32776 -- Fix NULL function pointer dereference for
+diff --git a/doc/reference.html b/doc/reference.html
+index 5faa8d65..64b9fd67 100644
+--- a/doc/reference.html
++++ b/doc/reference.html
+@@ -404,7 +404,11 @@
+ </li>
+
+ <li>
+- <a href="#XML_SetHashSalt">XML_SetHashSalt</a>
++ <a href="#XML_SetHashSalt">XML_SetHashSalt</a> (deprecated)
++ </li>
++
++ <li>
++ <a href="#XML_SetHashSalt16Bytes">XML_SetHashSalt16Bytes</a>
+ </li>
+
+ <li>
+@@ -3449,22 +3453,35 @@ XML_SetParamEntityParsing(XML_Parser p,
+ </div>
+
+ <h4 id="XML_SetHashSalt">
+- XML_SetHashSalt
++ XML_SetHashSalt (deprecated)
+ </h4>
+
+ <pre class="fcndec">
+ int XMLCALL
+-XML_SetHashSalt(XML_Parser p,
++XML_SetHashSalt(XML_Parser parser,
+ unsigned long hash_salt);
+ </pre>
+ <div class="fcndef">
+ Sets the hash salt to use for internal hash calculations. Helps in preventing DoS
+ attacks based on predicting hash function behavior. In order to have an effect
+ this must be called before parsing has started. Returns 1 if successful, 0 when
+- called after <code>XML_Parse</code> or <code>XML_ParseBuffer</code>.
++ called after <code>XML_Parse</code> or <code>XML_ParseBuffer</code> or when
++ <code>parser</code> is <code>NULL</code>.
++ <p>
++ <b>Note:</b> Function <code>XML_SetHashSalt</code> is
++ <strong>deprecated</strong>. Please use function <code><a href=
++ "#XML_SetHashSalt16Bytes">XML_SetHashSalt16Bytes</a></code> instead for better
++ security. <code>XML_SetHashSalt</code> only provides 4 to 8 bytes of entropy
++ (depending on the size of type <code>unsigned long</code>) while the SipHash
++ implementation used by Expat can leverage up to 16 bytes of entropy — at least
++ twice as much. Function <code><a href=
++ "#XML_SetHashSalt16Bytes">XML_SetHashSalt16Bytes</a></code> of Expat >=2.7.6
++ (and where backported) matches the amount of entropy supported by SipHash.
++ </p>
++
+ <p>
+ <b>Note:</b> This call is optional, as the parser will auto-generate a new
+- random salt value if no value has been set at the start of parsing.
++ random salt value internally if no value has been set by the start of parsing.
+ </p>
+
+ <p>
+@@ -3475,6 +3492,34 @@ XML_SetHashSalt(XML_Parser p,
+ </p>
+ </div>
+
++ <h4 id="XML_SetHashSalt16Bytes">
++ XML_SetHashSalt16Bytes
++ </h4>
++
++ <pre class="fcndec">
++/* Added in Expat 2.7.6. */
++XML_Bool XMLCALL
++XML_SetHashSalt16Bytes(XML_Parser parser,
++ const uint8_t entropy[16]);
++</pre>
++ <div class="fcndef">
++ Sets the hash salt to use for internal hash calculations. Helps in preventing DoS
++ attacks based on predicting hash function behavior. In order to have an effect
++ this must be called before parsing has started. Returns <code>XML_TRUE</code> if
++ successful, <code>XML_FALSE</code> when called after <code>XML_Parse</code> or
++ <code>XML_ParseBuffer</code> or when <code>parser</code> is <code>NULL</code>.
++ <p>
++ <b>Note:</b> Setting a salt that is <em>not</em> from a source of high quality
++ entropy (like <code>getentropy(3)</code>) will make the parser vulnerable to
++ hash flooding attacks.
++ </p>
++
++ <p>
++ <b>Note:</b> This call is optional, as the parser will auto-generate a new
++ random salt value internally if no value has been set by the start of parsing.
++ </p>
++ </div>
++
+ <h4 id="XML_UseForeignDTD">
+ XML_UseForeignDTD
+ </h4>
+diff --git a/lib/expat.h b/lib/expat.h
+index 18dbaebd..7693f62c 100644
+--- a/lib/expat.h
++++ b/lib/expat.h
+@@ -45,6 +45,7 @@
+ #ifndef Expat_INCLUDED
+ # define Expat_INCLUDED 1
+
++# include <stdint.h> // for uint8_t
+ # include <stdlib.h>
+ # include "expat_external.h"
+
+@@ -917,10 +918,25 @@ XML_SetParamEntityParsing(XML_Parser parser,
+ function behavior. This must be called before parsing is started.
+ Returns 1 if successful, 0 when called after parsing has started.
+ Note: If parser == NULL, the function will do nothing and return 0.
++ DEPRECATED since Expat 2.7.6.
+ */
+ XMLPARSEAPI(int)
+ XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt);
+
++/* Sets the hash salt to use for internal hash calculations.
++ Helps in preventing DoS attacks based on predicting hash function behavior.
++ This must be called before parsing is started.
++ Returns XML_TRUE if successful, XML_FALSE when called after parsing has
++ started or when parser is NULL.
++ Added in Expat 2.7.6.
++*/
++XMLPARSEAPI(XML_Bool)
++XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]);
++
++/* Backport feature macro: signals that XML_SetHashSalt16Bytes is available
++ even though XML_COMBINED_VERSION < 20800. */
++# define XML_BACKPORT_SET_HASH_SALT_16_BYTES 1
++
+ /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then
+ XML_GetErrorCode returns information about the error.
+ */
+diff --git a/lib/internal.h b/lib/internal.h
+index 61266ebb..1995c17b 100644
+--- a/lib/internal.h
++++ b/lib/internal.h
+@@ -113,6 +113,7 @@
+ #if defined(_WIN32) \
+ && (! defined(__USE_MINGW_ANSI_STDIO) \
+ || (1 - __USE_MINGW_ANSI_STDIO - 1 == 0))
++# define EXPAT_FMT_LLX(midpart) "%" midpart "I64x"
+ # define EXPAT_FMT_ULL(midpart) "%" midpart "I64u"
+ # if defined(_WIN64) // Note: modifiers "td" and "zu" do not work for MinGW
+ # define EXPAT_FMT_PTRDIFF_T(midpart) "%" midpart "I64d"
+@@ -122,6 +123,7 @@
+ # define EXPAT_FMT_SIZE_T(midpart) "%" midpart "u"
+ # endif
+ #else
++# define EXPAT_FMT_LLX(midpart) "%" midpart "llx"
+ # define EXPAT_FMT_ULL(midpart) "%" midpart "llu"
+ # if ! defined(ULONG_MAX)
+ # error Compiler did not define ULONG_MAX for us
+diff --git a/lib/libexpat.map.in b/lib/libexpat.map.in
+index 52e59ed3..8527eb54 100644
+--- a/lib/libexpat.map.in
++++ b/lib/libexpat.map.in
+@@ -117,3 +117,8 @@ LIBEXPAT_2.7.2 {
+ @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerActivationThreshold;
+ @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerMaximumAmplification;
+ } LIBEXPAT_2.6.0;
++
++LIBEXPAT_2.7.6 {
++ global:
++ XML_SetHashSalt16Bytes;
++} LIBEXPAT_2.7.2;
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 0248b665..75a7e5d0 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -604,7 +604,7 @@ static ELEMENT_TYPE *getElementType(XML_Parser parser, const ENCODING *enc,
+
+ static XML_Char *copyString(const XML_Char *s, XML_Parser parser);
+
+-static unsigned long generate_hash_secret_salt(XML_Parser parser);
++static struct sipkey generate_hash_secret_salt(void);
+ static XML_Bool startParsing(XML_Parser parser);
+
+ static XML_Parser parserCreate(const XML_Char *encodingName,
+@@ -777,7 +777,8 @@ struct XML_ParserStruct {
+ XML_Bool m_useForeignDTD;
+ enum XML_ParamEntityParsing m_paramEntityParsing;
+ #endif
+- unsigned long m_hash_secret_salt;
++ struct sipkey m_hash_secret_salt_128;
++ XML_Bool m_hash_secret_salt_set;
+ #if XML_GE == 1
+ ACCOUNTING m_accounting;
+ MALLOC_TRACKER m_alloc_tracker;
+@@ -1192,69 +1193,65 @@ gather_time_entropy(void) {
+
+ #endif /* ! defined(HAVE_ARC4RANDOM_BUF) && ! defined(HAVE_ARC4RANDOM) */
+
+-static unsigned long
+-ENTROPY_DEBUG(const char *label, unsigned long entropy) {
++static struct sipkey
++ENTROPY_DEBUG(const char *label, struct sipkey entropy_128) {
+ if (getDebugLevel("EXPAT_ENTROPY_DEBUG", 0) >= 1u) {
+- fprintf(stderr, "expat: Entropy: %s --> 0x%0*lx (%lu bytes)\n", label,
+- (int)sizeof(entropy) * 2, entropy, (unsigned long)sizeof(entropy));
++ fprintf(stderr,
++ "expat: Entropy: %s --> [0x" EXPAT_FMT_LLX(
++ "016") ", 0x" EXPAT_FMT_LLX("016") "] (16 bytes)\n",
++ label, (unsigned long long)entropy_128.k[0],
++ (unsigned long long)entropy_128.k[1]);
+ }
+- return entropy;
++ return entropy_128;
+ }
+
+-static unsigned long
+-generate_hash_secret_salt(XML_Parser parser) {
+- unsigned long entropy;
+- (void)parser;
++static struct sipkey
++generate_hash_secret_salt(void) {
++ struct sipkey entropy;
+
+ /* "Failproof" high quality providers: */
+ #if defined(HAVE_ARC4RANDOM_BUF)
+ arc4random_buf(&entropy, sizeof(entropy));
+ return ENTROPY_DEBUG("arc4random_buf", entropy);
+ #elif defined(HAVE_ARC4RANDOM)
+- writeRandomBytes_arc4random((void *)&entropy, sizeof(entropy));
++ writeRandomBytes_arc4random(&entropy, sizeof(entropy));
+ return ENTROPY_DEBUG("arc4random", entropy);
+ #else
+ /* Try high quality providers first .. */
+ # ifdef _WIN32
+- if (writeRandomBytes_rand_s((void *)&entropy, sizeof(entropy))) {
++ if (writeRandomBytes_rand_s(&entropy, sizeof(entropy))) {
+ return ENTROPY_DEBUG("rand_s", entropy);
+ }
+ # elif defined(HAVE_GETRANDOM) || defined(HAVE_SYSCALL_GETRANDOM)
+- if (writeRandomBytes_getrandom_nonblock((void *)&entropy, sizeof(entropy))) {
++ if (writeRandomBytes_getrandom_nonblock(&entropy, sizeof(entropy))) {
+ return ENTROPY_DEBUG("getrandom", entropy);
+ }
+ # endif
+ # if ! defined(_WIN32) && defined(XML_DEV_URANDOM)
+- if (writeRandomBytes_dev_urandom((void *)&entropy, sizeof(entropy))) {
++ if (writeRandomBytes_dev_urandom(&entropy, sizeof(entropy))) {
+ return ENTROPY_DEBUG("/dev/urandom", entropy);
+ }
+ # endif /* ! defined(_WIN32) && defined(XML_DEV_URANDOM) */
+ /* .. and self-made low quality for backup: */
+
+- entropy = gather_time_entropy();
++ entropy.k[0] = 0;
++ entropy.k[1] = gather_time_entropy();
+ # if ! defined(__wasi__)
+ /* Process ID is 0 bits entropy if attacker has local access */
+- entropy ^= getpid();
++ entropy.k[1] ^= getpid();
+ # endif
+
+ /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */
+ if (sizeof(unsigned long) == 4) {
+- return ENTROPY_DEBUG("fallback(4)", entropy * 2147483647);
++ entropy.k[1] *= 2147483647;
++ return ENTROPY_DEBUG("fallback(4)", entropy);
+ } else {
+- return ENTROPY_DEBUG("fallback(8)",
+- entropy * (unsigned long)2305843009213693951ULL);
++ entropy.k[1] *= 2305843009213693951ULL;
++ return ENTROPY_DEBUG("fallback(8)", entropy);
+ }
+ #endif
+ }
+
+-static unsigned long
+-get_hash_secret_salt(XML_Parser parser) {
+- const XML_Parser rootParser = getRootParserOf(parser, NULL);
+- assert(! rootParser->m_parentParser);
+-
+- return rootParser->m_hash_secret_salt;
+-}
+-
+ static enum XML_Error
+ callProcessor(XML_Parser parser, const char *start, const char *end,
+ const char **endPtr) {
+@@ -1323,8 +1320,10 @@ callProcessor(XML_Parser parser, const char *start, const char *end,
+ static XML_Bool /* only valid for root parser */
+ startParsing(XML_Parser parser) {
+ /* hash functions must be initialized before setContext() is called */
+- if (parser->m_hash_secret_salt == 0)
+- parser->m_hash_secret_salt = generate_hash_secret_salt(parser);
++ if (parser->m_hash_secret_salt_set != XML_TRUE) {
++ parser->m_hash_secret_salt_128 = generate_hash_secret_salt();
++ parser->m_hash_secret_salt_set = XML_TRUE;
++ }
+ if (parser->m_ns) {
+ /* implicit context only set for root parser, since child
+ parsers (i.e. external entity parsers) will inherit it
+@@ -1612,7 +1611,9 @@ parserInit(XML_Parser parser, const XML_Char *encodingName) {
+ parser->m_useForeignDTD = XML_FALSE;
+ parser->m_paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER;
+ #endif
+- parser->m_hash_secret_salt = 0;
++ parser->m_hash_secret_salt_128.k[0] = 0;
++ parser->m_hash_secret_salt_128.k[1] = 0;
++ parser->m_hash_secret_salt_set = XML_FALSE;
+
+ #if XML_GE == 1
+ memset(&parser->m_accounting, 0, sizeof(ACCOUNTING));
+@@ -1779,7 +1780,8 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ from hash tables associated with either parser without us having
+ to worry which hash secrets each table has.
+ */
+- unsigned long oldhash_secret_salt;
++ struct sipkey oldhash_secret_salt_128;
++ XML_Bool oldhash_secret_salt_set;
+ XML_Bool oldReparseDeferralEnabled;
+
+ /* Validate the oldParser parameter before we pull everything out of it */
+@@ -1825,7 +1827,8 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ from hash tables associated with either parser without us having
+ to worry which hash secrets each table has.
+ */
+- oldhash_secret_salt = parser->m_hash_secret_salt;
++ oldhash_secret_salt_128 = parser->m_hash_secret_salt_128;
++ oldhash_secret_salt_set = parser->m_hash_secret_salt_set;
+ oldReparseDeferralEnabled = parser->m_reparseDeferralEnabled;
+
+ #ifdef XML_DTD
+@@ -1880,7 +1883,8 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
+ parser->m_externalEntityRefHandlerArg = oldExternalEntityRefHandlerArg;
+ parser->m_defaultExpandInternalEntities = oldDefaultExpandInternalEntities;
+ parser->m_ns_triplets = oldns_triplets;
+- parser->m_hash_secret_salt = oldhash_secret_salt;
++ parser->m_hash_secret_salt_128 = oldhash_secret_salt_128;
++ parser->m_hash_secret_salt_set = oldhash_secret_salt_set;
+ parser->m_reparseDeferralEnabled = oldReparseDeferralEnabled;
+ parser->m_parentParser = oldParser;
+ #ifdef XML_DTD
+@@ -2327,6 +2331,7 @@ XML_SetParamEntityParsing(XML_Parser parser,
+ #endif
+ }
+
++// DEPRECATED since Expat 2.7.6.
+ int XMLCALL
+ XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) {
+ if (parser == NULL)
+@@ -2337,10 +2342,46 @@ XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) {
+ /* block after XML_Parse()/XML_ParseBuffer() has been called */
+ if (parserBusy(rootParser))
+ return 0;
+- rootParser->m_hash_secret_salt = hash_salt;
++
++ rootParser->m_hash_secret_salt_128.k[0] = 0;
++ rootParser->m_hash_secret_salt_128.k[1] = hash_salt;
++
++ if (hash_salt != 0) { // to remain backwards compatible
++ rootParser->m_hash_secret_salt_set = XML_TRUE;
++
++ if (sizeof(unsigned long) == 4)
++ ENTROPY_DEBUG("explicit(4)", rootParser->m_hash_secret_salt_128);
++ else
++ ENTROPY_DEBUG("explicit(8)", rootParser->m_hash_secret_salt_128);
++ }
++
+ return 1;
+ }
+
++XML_Bool XMLCALL
++XML_SetHashSalt16Bytes(XML_Parser parser, const uint8_t entropy[16]) {
++ if (parser == NULL)
++ return XML_FALSE;
++
++ if (entropy == NULL)
++ return XML_FALSE;
++
++ const XML_Parser rootParser = getRootParserOf(parser, NULL);
++ assert(! rootParser->m_parentParser);
++
++ /* block after XML_Parse()/XML_ParseBuffer() has been called */
++ if (parserBusy(rootParser))
++ return XML_FALSE;
++
++ sip_tokey(&(rootParser->m_hash_secret_salt_128), entropy);
++
++ rootParser->m_hash_secret_salt_set = XML_TRUE;
++
++ ENTROPY_DEBUG("explicit(16)", rootParser->m_hash_secret_salt_128);
++
++ return XML_TRUE;
++}
++
+ enum XML_Status XMLCALL
+ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) {
+ if ((parser == NULL) || (len < 0) || ((s == NULL) && (len != 0))) {
+@@ -7842,8 +7883,10 @@ keylen(KEY s) {
+
+ static void
+ copy_salt_to_sipkey(XML_Parser parser, struct sipkey *key) {
+- key->k[0] = 0;
+- key->k[1] = get_hash_secret_salt(parser);
++ const XML_Parser rootParser = getRootParserOf(parser, NULL);
++ assert(! rootParser->m_parentParser);
++
++ *key = rootParser->m_hash_secret_salt_128;
+ }
+
+ static unsigned long FASTCALL
+diff --git a/tests/basic_tests.c b/tests/basic_tests.c
+index 02d1d5fd..26662fee 100644
+--- a/tests/basic_tests.c
++++ b/tests/basic_tests.c
+@@ -204,6 +204,30 @@ START_TEST(test_hash_collision) {
+ END_TEST
+ #undef COLLIDING_HASH_SALT
+
++START_TEST(test_hash_salt_setter) {
++ const uint8_t entropy[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
++ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
++ XML_Parser parser = XML_ParserCreate(NULL);
++
++ // NULL parser should be rejected
++ assert_true(XML_SetHashSalt16Bytes(NULL, entropy) == XML_FALSE);
++
++ // NULL entropy should be rejected
++ assert_true(XML_SetHashSalt16Bytes(parser, NULL) == XML_FALSE);
++
++ // Setting should be allowed more than once
++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_TRUE);
++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_TRUE);
++
++ // But not after parsing has started
++ assert_true(XML_Parse(parser, "", 0, XML_FALSE /* isFinal */)
++ == XML_STATUS_OK);
++ assert_true(XML_SetHashSalt16Bytes(parser, entropy) == XML_FALSE);
++
++ XML_ParserFree(parser);
++}
++END_TEST
++
+ /* Regression test for SF bug #491986. */
+ START_TEST(test_danish_latin1) {
+ const char *text = "<?xml version='1.0' encoding='iso-8859-1'?>\n"
+@@ -6292,6 +6316,7 @@ make_basic_test_case(Suite *s) {
+ tcase_add_test(tc_basic, test_bom_utf16_le);
+ tcase_add_test(tc_basic, test_nobom_utf16_le);
+ tcase_add_test(tc_basic, test_hash_collision);
++ tcase_add_test(tc_basic, test_hash_salt_setter);
+ tcase_add_test(tc_basic, test_illegal_utf8);
+ tcase_add_test(tc_basic, test_utf8_auto_align);
+ tcase_add_test(tc_basic, test_utf16);
+--
+2.34.1
diff --git a/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch b/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch
new file mode 100644
index 00000000000..0410f8b070f
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2026-41080-2.patch
@@ -0,0 +1,33 @@
+From 3cdd1df2644388aff25dd0ed7128c7bb1de1a7d8 Mon Sep 17 00:00:00 2001
+From: Christoph Reiter <reiter.christoph@gmail.com>
+Date: Wed, 10 Jun 2026 21:27:51 +0200
+Subject: [PATCH 2/2] cmake|windows: add missing export for new
+ XML_SetHashSalt16Bytes
+
+A new XML_SetHashSalt16Bytes symbol was added in #1183, but it
+wasn't added to the def file, so the export is missing when building
+libexpat on Windows with cmake.
+
+Add the new symbol to the .def template.
+
+CVE: CVE-2026-41080
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/3cdd1df2644388aff25dd0ed7128c7bb1de1a7d8]
+
+Signed-off-by: Christoph Reiter <reiter.christoph@gmail.com>
+Signed-off-by: Amaury Couderc <amaury.couderc@est.tech>
+---
+ lib/libexpat.def.cmake | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/libexpat.def.cmake b/lib/libexpat.def.cmake
+index 9b9e22cb..948135a5 100644
+--- a/lib/libexpat.def.cmake
++++ b/lib/libexpat.def.cmake
+@@ -83,3 +83,5 @@ EXPORTS
+ ; added with version 2.7.2
+ @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerMaximumAmplification @72
+ @_EXPAT_COMMENT_DTD_OR_GE@ XML_SetAllocTrackerActivationThreshold @73
++; added with version 2.7.6
++ XML_SetHashSalt16Bytes @74
+--
+2.34.1
diff --git a/meta/recipes-core/expat/expat_2.7.5.bb b/meta/recipes-core/expat/expat_2.7.5.bb
index 210398fb505..ae90ec04e36 100644
--- a/meta/recipes-core/expat/expat_2.7.5.bb
+++ b/meta/recipes-core/expat/expat_2.7.5.bb
@@ -17,6 +17,8 @@ SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2 \
file://CVE-2026-45186-05.patch \
file://CVE-2026-45186-06.patch \
file://CVE-2026-45186-07.patch \
+ file://CVE-2026-41080-1.patch \
+ file://CVE-2026-41080-2.patch \
"
GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 05/18] python3: upgrade 3.14.5 -> 3.14.6
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (3 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 04/18] expat: fix CVE-2026-41080 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 06/18] python3: fix CVE-2026-11940 Yoann Congal
` (12 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Peter Marko <peter.marko@siemens.com>
Release notes: [1]
Resolves following CVEs from reports:
* CVE-2026-3276
* CVE-2026-7210
* CVE-2026-7774
* CVE-2026-8328
* CVE-2026-9669
Resolves also:
* shutil.move symlink-based bypass (CVE assignment unknown)
Removed obsolete CVE_STATUS entries.
Removed patch included in this release.
[1] https://docs.python.org/3/whatsnew/changelog.html#python-3-14-6-final
[2] https://security-tracker.debian.org/tracker/CVE-2026-7210
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8ad179c8dd8809ab8861147e5967e7d199ad0fe4)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
...eadingMock-call-count-race-condition.patch | 37 -------------------
.../{python3_3.14.5.bb => python3_3.14.6.bb} | 7 +---
2 files changed, 2 insertions(+), 42 deletions(-)
delete mode 100644 meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch
rename meta/recipes-devtools/python/{python3_3.14.5.bb => python3_3.14.6.bb} (98%)
diff --git a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch b/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch
deleted file mode 100644
index aba3188a59a..00000000000
--- a/meta/recipes-devtools/python/python3/0001-Fix-ThreadingMock-call-count-race-condition.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 388e023fe1197c1ffed374520ed45df4ac72b8f5 Mon Sep 17 00:00:00 2001
-From: Sai Sneha <saisneha196@gmail.com>
-Date: Thu, 21 May 2026 13:08:07 +0530
-Subject: [PATCH] Fix ThreadingMock call_count race condition
-
-ThreadingMock._increment_mock_call() was not thread-safe.
-Multiple threads calling the mock simultaneously could lose
-increments due to race conditions on call_count and other
-attributes.
-
-Fix by overriding _increment_mock_call in ThreadingMixin
-and wrapping it with the existing _mock_calls_events_lock.
-
-Upstream-Status: Backport [https://github.com/python/cpython/pull/150176]
-
-Signed-off-by: Sai Sneha <saisneha196@gmail.com>
----
- Lib/unittest/mock.py | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/Lib/unittest/mock.py b/Lib/unittest/mock.py
-index 16f3699e89..56cdc37942 100644
---- a/Lib/unittest/mock.py
-+++ b/Lib/unittest/mock.py
-@@ -3113,6 +3113,10 @@ def _mock_call(self, *args, **kwargs):
-
- return ret_value
-
-+ def _increment_mock_call(self, /, *args, **kwargs):
-+ with self._mock_calls_events_lock:
-+ super()._increment_mock_call(*args, **kwargs)
-+
- def wait_until_called(self, *, timeout=_timeout_unset):
- """Wait until the mock object is called.
-
---
-2.34.1
diff --git a/meta/recipes-devtools/python/python3_3.14.5.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
similarity index 98%
rename from meta/recipes-devtools/python/python3_3.14.5.bb
rename to meta/recipes-devtools/python/python3_3.14.6.bb
index fd407c96035..e7db713ded1 100644
--- a/meta/recipes-devtools/python/python3_3.14.5.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -35,13 +35,12 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Skip-flaky-test_default_timeout-tests.patch \
file://0001-test_only_active_thread-skip-problematic-test.patch \
file://0001-prefer-valid-entrypoints.patch \
- file://0001-Fix-ThreadingMock-call-count-race-condition.patch \
"
SRC_URI:append:class-native = " \
file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
"
-SRC_URI[sha256sum] = "7e32597b99e5d9a39abed35de4693fa169df3e5850d4c334337ffd6a19a36db6"
+SRC_URI[sha256sum] = "143b1dddefaec3bd2e21e3b839b34a2b7fb9842272883c576420d605e9f30c63"
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
@@ -531,7 +530,5 @@ py3_sysroot_cleanup () {
rm -rf ${SYSROOT_DESTDIR}${libdir}/python${PYTHON_MAJMIN}/test
}
-CVE_STATUS[CVE-2026-4786] = "cpe-stable-backport: backported to v3.14.5"
-CVE_STATUS[CVE-2026-5713] = "cpe-stable-backport: backported to v3.14.5"
CVE_STATUS[CVE-2026-6019] = "cpe-stable-backport: backported to v3.14.5"
-CVE_STATUS[CVE-2026-6100] = "cpe-stable-backport: backported to v3.14.5"
+CVE_STATUS[CVE-2026-7210] = "cpe-stable-backport: backported to v3.14.6"
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 06/18] python3: fix CVE-2026-11940
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (4 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 05/18] python3: upgrade 3.14.5 -> 3.14.6 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 07/18] python3: fix CVE-2026-11972 Yoann Congal
` (11 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
tarfile.extractall() with the 'data' or 'tar' filter could be bypassed
by a crafted archive where a hardlink references a symlink stored at a
deeper name than the hardlink itself.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 85f043e207cc59bb3d0a7d1eac5088714dcf4611)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python/python3/CVE-2026-11940.patch | 67 +++++++++++++++++++
.../recipes-devtools/python/python3_3.14.6.bb | 1 +
2 files changed, 68 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-11940.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11940.patch b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch
new file mode 100644
index 00000000000..05a5802c396
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-11940.patch
@@ -0,0 +1,67 @@
+From e24b4e95524fbe8cd0f46aa3292e8040f0e07c83 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Tue, 23 Jun 2026 15:58:47 +0200
+Subject: [PATCH 1/2] gh-151558: Fix symlink escape via `tarfile`
+ hardlink-extraction fallback (GH-151559)
+
+CVE: CVE-2026-11940
+Upstream-Status: Backport [https://github.com/python/cpython/commit/27dd970bf6b17ebca7c8ed486a40ab043ed7af8f]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ Lib/tarfile.py | 3 +++
+ Lib/test/test_tarfile.py | 24 ++++++++++++++++++++++++
+ 2 files changed, 27 insertions(+)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index e6734db24f64..63f23490e8a1 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -2782,6 +2782,9 @@ def makelink_with_filter(self, tarinfo, targetpath,
+ "makelink_with_filter: if filter_function is not None, "
+ + "extraction_root must also not be None")
+ try:
++ filter_function(
++ unfiltered.replace(name=tarinfo.name, deep=False),
++ extraction_root)
+ filtered = filter_function(unfiltered, extraction_root)
+ except _FILTER_ERRORS as cause:
+ raise LinkFallbackError(tarinfo, unfiltered.name) from cause
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index d974c7d46ec1..0fc7413be8db 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -4344,6 +4344,30 @@ def test_sneaky_hardlink_fallback(self):
+ self.expect_file("boom", symlink_to='../../link_here')
+ self.expect_file("c", symlink_to='b')
+
++ @symlink_test
++ def test_sneaky_hardlink_fallback_deep(self):
++ # (CVE-2026-11940)
++ with ArchiveMaker() as arc:
++ arc.add("a/b/s", symlink_to=os.path.join("..", "escape"))
++ arc.add("s", hardlink_to=os.path.join("a", "b", "s"))
++
++ with self.check_context(arc.open(), 'data'):
++ e = self.expect_exception(
++ tarfile.LinkFallbackError,
++ "link 's' would be extracted as a copy of "
++ + "'a/b/s', which was rejected")
++ self.assertIsInstance(e.__cause__,
++ tarfile.LinkOutsideDestinationError)
++
++ for filter in 'tar', 'fully_trusted':
++ with self.subTest(filter), self.check_context(arc.open(), filter):
++ if not os_helper.can_symlink():
++ self.expect_file("a/")
++ self.expect_file("a/b/")
++ else:
++ self.expect_file("a/b/s", symlink_to=os.path.join('..', 'escape'))
++ self.expect_file("s", symlink_to=os.path.join('..', 'escape'))
++
+ @symlink_test
+ def test_exfiltration_via_symlink(self):
+ # (CVE-2025-4138)
+--
+2.54.0
diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
index e7db713ded1..80be938ed50 100644
--- a/meta/recipes-devtools/python/python3_3.14.6.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -35,6 +35,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-Skip-flaky-test_default_timeout-tests.patch \
file://0001-test_only_active_thread-skip-problematic-test.patch \
file://0001-prefer-valid-entrypoints.patch \
+ file://CVE-2026-11940.patch \
"
SRC_URI:append:class-native = " \
file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 07/18] python3: fix CVE-2026-11972
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (5 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 06/18] python3: fix CVE-2026-11940 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 08/18] opensbi: don't override ELFFLAGS, silence ldflags QA for bare-metal ELFs Yoann Congal
` (10 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
When using the "tarfile" module with a file opened in "streaming mode"
(mode="r|") the tarfile module did not properly handle EOF, making archive
parsing take exponentially longer.
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit bbd9c82298880ab61b9befea97dfe8a0a4943836)
[YC: re-added removed Co-authored-by: trailer to the patch]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python/python3/CVE-2026-11972.patch | 61 +++++++++++++++++++
.../recipes-devtools/python/python3_3.14.6.bb | 1 +
2 files changed, 62 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3/CVE-2026-11972.patch
diff --git a/meta/recipes-devtools/python/python3/CVE-2026-11972.patch b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch
new file mode 100644
index 00000000000..12a79754feb
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/CVE-2026-11972.patch
@@ -0,0 +1,61 @@
+From 2d256d4bfd654bdcaf2d96733799be73b8ff8f69 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Tue, 23 Jun 2026 15:13:30 +0200
+Subject: [PATCH 2/2] gh-151981: Make tarfile._Stream.seek break at EOF
+ (GH-151982)
+
+Co-authored-by: Stan Ulbrych <stan@python.org>
+
+CVE: CVE-2026-11972
+Upstream-Status: Backport [https://github.com/python/cpython/commit/f50bf13566189c8d0ce5a814f33eff3d89951896]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ Lib/tarfile.py | 4 +++-
+ Lib/test/test_tarfile.py | 16 ++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/Lib/tarfile.py b/Lib/tarfile.py
+index 63f23490e8a1..399f906efdff 100644
+--- a/Lib/tarfile.py
++++ b/Lib/tarfile.py
+@@ -524,7 +524,9 @@ def seek(self, pos=0):
+ if pos - self.pos >= 0:
+ blocks, remainder = divmod(pos - self.pos, self.bufsize)
+ for i in range(blocks):
+- self.read(self.bufsize)
++ data = self.read(self.bufsize)
++ if not data:
++ break
+ self.read(remainder)
+ else:
+ raise StreamError("seeking backwards is not allowed")
+diff --git a/Lib/test/test_tarfile.py b/Lib/test/test_tarfile.py
+index 0fc7413be8db..045377d620cc 100644
+--- a/Lib/test/test_tarfile.py
++++ b/Lib/test/test_tarfile.py
+@@ -4786,6 +4786,22 @@ def valueerror_filter(tarinfo, path):
+ with self.check_context(arc.open(errorlevel='boo!'), filtererror_filter):
+ self.expect_exception(TypeError) # errorlevel is not int
+
++ @support.subTests('format', [tarfile.GNU_FORMAT, tarfile.PAX_FORMAT])
++ def test_getmembers_big_size(self, format):
++ # gh-151981: A loop in seek() for streaming files tried to read the
++ # declared number of blocks even at EOF
++ tinfo = tarfile.TarInfo("huge-file")
++ tinfo.size = 1 << 64
++ bio = io.BytesIO()
++ # Write header without data
++ bio.write(tinfo.tobuf(format))
++
++ # Reset & try to get contents
++ bio.seek(0)
++ with tarfile.open(fileobj=bio, mode="r|") as tar:
++ with self.assertRaises(tarfile.ReadError):
++ tar.getmembers()
++
+
+ class OverwriteTests(archiver_tests.OverwriteTests, unittest.TestCase):
+ testdir = os.path.join(TEMPDIR, "testoverwrite")
+--
+2.54.0
diff --git a/meta/recipes-devtools/python/python3_3.14.6.bb b/meta/recipes-devtools/python/python3_3.14.6.bb
index 80be938ed50..0a9e82d445f 100644
--- a/meta/recipes-devtools/python/python3_3.14.6.bb
+++ b/meta/recipes-devtools/python/python3_3.14.6.bb
@@ -36,6 +36,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
file://0001-test_only_active_thread-skip-problematic-test.patch \
file://0001-prefer-valid-entrypoints.patch \
file://CVE-2026-11940.patch \
+ file://CVE-2026-11972.patch \
"
SRC_URI:append:class-native = " \
file://0001-Lib-sysconfig.py-use-prefix-value-from-build-configu.patch \
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 08/18] opensbi: don't override ELFFLAGS, silence ldflags QA for bare-metal ELFs
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (6 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 07/18] python3: fix CVE-2026-11972 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 09/18] create-spdx-image-3.0: correct SSTATE_SKIP_CREATION key for do_create_image_sbom_spdx Yoann Congal
` (9 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
opensbi_1.8.1.bb passes ELFFLAGS="${LDFLAGS}" via EXTRA_OEMAKE. Being a
make command-line assignment, it overrides OpenSBI's in-Makefile
"ELFFLAGS +=" and drops the mandatory firmware link flags:
-Wl,--gc-sections
-Wl,--exclude-libs,ALL
-Wl,--build-id=none
-Wl,--no-dynamic-linker -Wl,-pie
Losing --gc-sections retains unused fdt_*/atomic_* code and grows .text;
losing -pie/--no-dynamic-linker drops the M-mode firmware hardening.
The distro LDFLAGS were not reaching the link regardless: OpenSBI
rebuilds CC from CROSS_COMPILE (Makefile: CC = $(CROSS_COMPILE)gcc), so
oe's CC and its TARGET_CC_ARCH += "${LDFLAGS}" do not apply, and passing
them via ELFFLAGS was the only path in. They are also dynamic-linking
flags with no role in bare-metal firmware, so drop the override;
REPRODUCIBLE=y and CROSS_COMPILE stay.
Removing it re-exposes an ldflags QA warning that the injected
--hash-style=gnu had been satisfying. These firmware ELFs are bare-metal
M-mode binaries (--build-id=none, no dynamic linker) that legitimately
carry no GNU_HASH, so add INSANE_SKIP += "ldflags", as linux-firmware
does.
Tested on oe-core master (DISTRO=nodistro, MACHINE=qemuriscv64) via the
oe-nodistro-master bitbake-setup config:
bitbake opensbi
grep -c gc-sections .../opensbi/*/temp/log.do_compile # 0 -> 4
Before, the fw_jump.elf link carries only the LDFLAGS content (-Wl,-O1,
--hash-style=gnu, --as-needed, -z relro/now) with OpenSBI's flags absent,
and do_package_qa reports ldflags errors on all three firmware ELFs.
After, the link carries OpenSBI's flags (-Wl,--gc-sections,
--exclude-libs,ALL, --build-id=none, --no-dynamic-linker, -pie) and QA
passes. On a single-SoC defconfig, restoring --gc-sections roughly
halves fw_jump.bin.
Fixes: 9f95660886db ("opensbi: Pass CROSS_COMPILE and REPRODUCIBLE flags")
AI-Generated: Uses Cursor
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9bf56df6decf3b0a07e5a0814f4ad2d6317568f9)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-bsp/opensbi/opensbi_1.8.1.bb | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-bsp/opensbi/opensbi_1.8.1.bb b/meta/recipes-bsp/opensbi/opensbi_1.8.1.bb
index 0a9652c2831..255bab2b58f 100644
--- a/meta/recipes-bsp/opensbi/opensbi_1.8.1.bb
+++ b/meta/recipes-bsp/opensbi/opensbi_1.8.1.bb
@@ -16,7 +16,7 @@ TARGET_DBGSRC_DIR = "/share/opensbi/*/generic/firmware/"
TARGET_CC_ARCH += "${LDFLAGS}"
RISCV_SBI_FW_TEXT_START ??= "0x80000000"
-EXTRA_OEMAKE += "REPRODUCIBLE=y CROSS_COMPILE=${HOST_PREFIX} ELFFLAGS="${LDFLAGS}" PLATFORM=${RISCV_SBI_PLAT} I=${D} FW_TEXT_START=${RISCV_SBI_FW_TEXT_START}"
+EXTRA_OEMAKE += "REPRODUCIBLE=y CROSS_COMPILE=${HOST_PREFIX} PLATFORM=${RISCV_SBI_PLAT} I=${D} FW_TEXT_START=${RISCV_SBI_FW_TEXT_START}"
EXTRA_OEMAKE:append:toolchain-clang = " LLVM=y"
# If RISCV_SBI_PAYLOAD is set then include it as a payload
EXTRA_OEMAKE:append = " ${@riscv_get_extra_oemake_image(d)}"
@@ -50,4 +50,8 @@ FILES:${PN} += "/share/opensbi/*/${RISCV_SBI_PLAT}/firmware/fw_jump.*"
FILES:${PN} += "/share/opensbi/*/${RISCV_SBI_PLAT}/firmware/fw_payload.*"
FILES:${PN} += "/share/opensbi/*/${RISCV_SBI_PLAT}/firmware/fw_dynamic.*"
+# OpenSBI firmware ELFs are bare-metal M-mode binaries (--build-id=none,
+# no dynamic linker) and intentionally do not carry GNU_HASH.
+INSANE_SKIP += "ldflags"
+
COMPATIBLE_HOST = "(riscv64|riscv32).*"
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 09/18] create-spdx-image-3.0: correct SSTATE_SKIP_CREATION key for do_create_image_sbom_spdx
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (7 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 08/18] opensbi: don't override ELFFLAGS, silence ldflags QA for bare-metal ELFs Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 10/18] python3-urllib3: Fix CVE-2026-44431 Yoann Congal
` (8 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Eric Meyers <eric.meyers15310@gmail.com>
The override was "task-create-image-sbom" but BitBake derives it as
"task-create-image-sbom-spdx" (do_ stripped, underscores to hyphens), so
the skip was never applied. The task then cached an ${IMAGE_NAME}-stamped
SBOM in sstate, letting a stale spdx.json be restored via setscene. A
later do_sbom_cve_check would compute the current IMAGE_NAME and fail with
"No such file or directory" on the missing timestamped SBOM. Correct the
key so the image SBOM is always regenerated, never restored from sstate.
Signed-off-by: Eric Meyers <eric.meyers@arthrex.com>
Cc: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 45302ff5cfaf91ece74d4065acf710507f27da15)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/classes-recipe/create-spdx-image-3.0.bbclass | 2 +-
meta/classes-recipe/nospdx.bbclass | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes-recipe/create-spdx-image-3.0.bbclass b/meta/classes-recipe/create-spdx-image-3.0.bbclass
index 15a91e90e26..cf79ef5b013 100644
--- a/meta/classes-recipe/create-spdx-image-3.0.bbclass
+++ b/meta/classes-recipe/create-spdx-image-3.0.bbclass
@@ -71,7 +71,7 @@ python do_create_image_sbom_spdx() {
}
addtask do_create_image_sbom_spdx after do_create_rootfs_spdx do_create_image_spdx before do_build
SSTATETASKS += "do_create_image_sbom_spdx"
-SSTATE_SKIP_CREATION:task-create-image-sbom = "1"
+SSTATE_SKIP_CREATION:task-create-image-sbom-spdx = "1"
do_create_image_sbom_spdx[sstate-inputdirs] = "${SPDXIMAGEDEPLOYDIR}"
do_create_image_sbom_spdx[sstate-outputdirs] = "${DEPLOY_DIR_IMAGE}"
do_create_image_sbom_spdx[stamp-extra-info] = "${MACHINE_ARCH}"
diff --git a/meta/classes-recipe/nospdx.bbclass b/meta/classes-recipe/nospdx.bbclass
index 925dc7c5b7a..6ccb93ba018 100644
--- a/meta/classes-recipe/nospdx.bbclass
+++ b/meta/classes-recipe/nospdx.bbclass
@@ -11,4 +11,4 @@ deltask do_create_spdx_runtime
deltask do_create_package_spdx
deltask do_create_rootfs_spdx
deltask do_create_image_spdx
-deltask do_create_image_sbom
+deltask do_create_image_sbom_spdx
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 10/18] python3-urllib3: Fix CVE-2026-44431
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (8 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 09/18] create-spdx-image-3.0: correct SSTATE_SKIP_CREATION key for do_create_image_sbom_spdx Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 11/18] glib-2.0: fix CVE-2026-58016 Yoann Congal
` (7 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
Applies the upstream fix [1] referenced in [2] and addresses the
sensitive-header redirect handling issue in proxied low-level urllib3 requests.
[1] https://github.com/urllib3/urllib3/commit/5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc
[2] https://ubuntu.com/security/CVE-2026-44431
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-44431
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
[YC: moved the new SRC_URI block up following the Recipe Style Guide]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../python3-urllib3/CVE-2026-44431.patch | 157 ++++++++++++++++++
.../python/python3-urllib3_2.6.3.bb | 3 +
2 files changed, 160 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-urllib3/CVE-2026-44431.patch
diff --git a/meta/recipes-devtools/python/python3-urllib3/CVE-2026-44431.patch b/meta/recipes-devtools/python/python3-urllib3/CVE-2026-44431.patch
new file mode 100644
index 00000000000..d7063b136a8
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-urllib3/CVE-2026-44431.patch
@@ -0,0 +1,157 @@
+From ca72cfc9233edcf886b9e0dd187a9c4bca780f9b Mon Sep 17 00:00:00 2001
+From: Illia Volochii <illia.volochii@gmail.com>
+Date: Thu, 7 May 2026 18:40:31 +0300
+Subject: [PATCH] Merge commit from fork
+
+* Remove sensitive headers in proxy pools too
+
+* Add a changelog entry
+
+* Check retries history in tests
+
+Co-authored-by: Copilot <copilot@github.com>
+
+---------
+
+Co-authored-by: Copilot <copilot@github.com>
+
+CVE: CVE-2026-44431
+Upstream-Status: Backport [https://github.com/urllib3/urllib3/commit/5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc]
+
+Backport Changes:
+- Omitted changelog/GHSA-qccp-gfcp-xxvc.bugfix.rst because it is not
+ present in the current version.
+
+(cherry picked from commit 5ec0de499b9166ca71c65ab04f2a7e4eb0d66fcc)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ dummyserver/asgi_proxy.py | 1 +
+ src/urllib3/connectionpool.py | 12 ++++
+ .../test_proxy_poolmanager.py | 72 +++++++++++++++++++
+ 3 files changed, 85 insertions(+)
+
+diff --git a/dummyserver/asgi_proxy.py b/dummyserver/asgi_proxy.py
+index 00c0a1b8..3ff18673 100755
+--- a/dummyserver/asgi_proxy.py
++++ b/dummyserver/asgi_proxy.py
+@@ -56,6 +56,7 @@ class ProxyApp:
+ client_response = await client.request(
+ method=scope["method"],
+ url=scope["path"],
++ params=scope["query_string"].decode(),
+ headers=list(scope["headers"]),
+ content=await _read_body(receive),
+ )
+diff --git a/src/urllib3/connectionpool.py b/src/urllib3/connectionpool.py
+index 3a0685b4..0f33863c 100644
+--- a/src/urllib3/connectionpool.py
++++ b/src/urllib3/connectionpool.py
+@@ -896,6 +896,18 @@ class HTTPConnectionPool(ConnectionPool, RequestMethods):
+ body = None
+ headers = HTTPHeaderDict(headers)._prepare_for_method_change()
+
++ # Strip headers marked as unsafe to forward to the redirected location.
++ # Check remove_headers_on_redirect to avoid a potential network call within
++ # self.is_same_host() which may use socket.gethostbyname() in the future.
++ if retries.remove_headers_on_redirect and not self.is_same_host(
++ redirect_location
++ ):
++ new_headers = headers.copy() # type: ignore[union-attr]
++ for header in headers:
++ if header.lower() in retries.remove_headers_on_redirect:
++ new_headers.pop(header, None)
++ headers = new_headers
++
+ try:
+ retries = retries.increment(method, url, response=response, _pool=self)
+ except MaxRetryError:
+diff --git a/test/with_dummyserver/test_proxy_poolmanager.py b/test/with_dummyserver/test_proxy_poolmanager.py
+index 4a932c0d..6921bc6d 100644
+--- a/test/with_dummyserver/test_proxy_poolmanager.py
++++ b/test/with_dummyserver/test_proxy_poolmanager.py
+@@ -37,6 +37,7 @@ from urllib3.exceptions import (
+ SSLError,
+ )
+ from urllib3.poolmanager import ProxyManager, proxy_from_url
++from urllib3.util.retry import RequestHistory
+ from urllib3.util.ssl_ import create_urllib3_context
+ from urllib3.util.timeout import Timeout
+
+@@ -300,6 +301,77 @@ class TestHTTPProxyManager(HypercornDummyProxyTestCase):
+ assert r._pool is not None
+ assert r._pool.host != self.http_host_alt
+
++ _sensitive_headers = {
++ "Authorization": "foo",
++ "Proxy-Authorization": "bar",
++ "Cookie": "foo=bar",
++ }
++
++ @pytest.mark.parametrize(
++ "sensitive_headers",
++ (_sensitive_headers, {k.lower(): v for k, v in _sensitive_headers.items()}),
++ ids=("capitalized", "lowercase"),
++ )
++ def test_cross_host_redirect_remove_headers_via_proxy_manager(
++ self, sensitive_headers: dict[str, str]
++ ) -> None:
++ headers_url = f"{self.http_url_alt}/headers"
++ initial_url = f"{self.http_url}/redirect?target={headers_url}"
++ with proxy_from_url(self.proxy_url) as proxy_mgr:
++ r = proxy_mgr.request(
++ "GET", initial_url, headers=sensitive_headers, retries=1
++ )
++ assert r.status == 200
++ assert r.retries is not None
++ assert r.retries.history == (
++ RequestHistory(
++ method="GET",
++ url=initial_url,
++ error=None,
++ status=303,
++ redirect_location=headers_url,
++ ),
++ )
++ data = r.json()
++ for header in sensitive_headers:
++ assert header not in data
++
++ @pytest.mark.parametrize(
++ "sensitive_headers",
++ (_sensitive_headers, {k.lower(): v for k, v in _sensitive_headers.items()}),
++ ids=("capitalized", "lowercase"),
++ )
++ def test_cross_host_redirect_remove_headers_via_pool(
++ self, sensitive_headers: dict[str, str]
++ ) -> None:
++ headers_url = f"{self.http_url_alt}/headers"
++ initial_url = f"{self.http_url}/redirect?target={headers_url}"
++ with proxy_from_url(self.proxy_url) as proxy_mgr:
++ pool = proxy_mgr.connection_from_url(self.http_url)
++ r = pool.urlopen(
++ "GET",
++ initial_url,
++ headers=sensitive_headers,
++ retries=1,
++ redirect=True,
++ assert_same_host=False,
++ preload_content=True,
++ )
++ assert r.status == 200
++ assert r.retries is not None
++ assert r.retries.history == (
++ RequestHistory(
++ method="GET",
++ url=initial_url,
++ error=None,
++ status=303,
++ redirect_location=headers_url,
++ ),
++ )
++ data = r.json()
++ for header in sensitive_headers:
++ assert header not in data
++
+ def test_cross_protocol_redirect(self) -> None:
+ with proxy_from_url(self.proxy_url, ca_certs=DEFAULT_CA) as http:
+ cross_protocol_location = f"{self.https_url}/echo?a=b"
diff --git a/meta/recipes-devtools/python/python3-urllib3_2.6.3.bb b/meta/recipes-devtools/python/python3-urllib3_2.6.3.bb
index e63791a8f45..5976c5c3b44 100644
--- a/meta/recipes-devtools/python/python3-urllib3_2.6.3.bb
+++ b/meta/recipes-devtools/python/python3-urllib3_2.6.3.bb
@@ -3,6 +3,9 @@ HOMEPAGE = "https://github.com/urllib3/urllib3"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=52d273a3054ced561275d4d15260ecda"
+SRC_URI += " \
+ file://CVE-2026-44431.patch \
+"
SRC_URI[sha256sum] = "1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed"
inherit pypi python_hatchling
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 11/18] glib-2.0: fix CVE-2026-58016
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (9 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 10/18] python3-urllib3: Fix CVE-2026-44431 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 12/18] util-linux: upgrade 2.41.3 -> 2.41.5 Yoann Congal
` (6 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
A flaw was found in GLib. A state confusion issue exists in
g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when
processing malformed D-Bus introspection XML, specifically with a <node>
element nested within other elements like <method>, <signal>, <property>
or <arg>. This issue can cause an unsigned integer overflow and lead to an
out-of-bounds read, resulting in a denial of service.
The CVE NVD entry is wrong, it indicates that the CVE is fixed in 2.88.1
but the fix was realized in 2.89.0, see [1]. The fix is not present in 2.88.2.
[1] https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2
Signed-off-by: Benjamin Robin (Schneider Electric) <benjamin.robin@bootlin.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d52f4d582cc71ada3c8ebe54be1a5b70278ea1ca)
[YC: re-added the removed Signed-off-bys from the patches]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../glib-2.0/files/CVE-2026-58016-1.patch | 94 ++++++++++++++++++
.../glib-2.0/files/CVE-2026-58016-2.patch | 98 +++++++++++++++++++
meta/recipes-core/glib-2.0/glib.inc | 2 +
3 files changed, 194 insertions(+)
create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch
create mode 100644 meta/recipes-core/glib-2.0/files/CVE-2026-58016-2.patch
diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch
new file mode 100644
index 00000000000..2c4b248b97b
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-1.patch
@@ -0,0 +1,94 @@
+From 38eee3870fbcf6bdf8e6b1281bc7a98d32b68521 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 16 Apr 2026 15:27:37 +0100
+Subject: [PATCH 1/2] gdbusintrospection: Fix XML parser state handling for
+ <node> element nesting
+
+The check for whether a `<node>` element in D-Bus introspection XML was
+nested correctly was broken. `<node>` elements can only be at the top
+level, or nested immediately within another `<node>` element.
+
+Fix the check and add some unit tests for it.
+
+Spotted by linhlhq as #YWH-PGM9867-204. The fix is mine, and the unit test
+uses example XML strings adapted from their report.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Fixes: #3932
+
+CVE: CVE-2026-58016
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/c9da977c178fbfc0e4caf99f9fdf5dc433d6fcc2]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ gio/gdbusintrospection.c | 2 +-
+ gio/tests/gdbus-introspection.c | 33 +++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 1 deletion(-)
+
+diff --git a/gio/gdbusintrospection.c b/gio/gdbusintrospection.c
+index c7be334ce2f7..6f722ee6153d 100644
+--- a/gio/gdbusintrospection.c
++++ b/gio/gdbusintrospection.c
+@@ -1272,7 +1272,7 @@ parser_start_element (GMarkupParseContext *context,
+ /* ---------------------------------------------------------------------------------------------------- */
+ if (strcmp (element_name, "node") == 0)
+ {
+- if (!(g_slist_length (stack) >= 1 || strcmp (stack->next->data, "node") != 0))
++ if (stack->next != NULL && strcmp (stack->next->data, "node") != 0)
+ {
+ g_set_error_literal (error,
+ G_MARKUP_ERROR,
+diff --git a/gio/tests/gdbus-introspection.c b/gio/tests/gdbus-introspection.c
+index 44cb7a96af45..daca313f77e7 100644
+--- a/gio/tests/gdbus-introspection.c
++++ b/gio/tests/gdbus-introspection.c
+@@ -299,6 +299,38 @@ test_extra_data (void)
+ g_dbus_node_info_unref (info);
+ }
+
++static void
++test_invalid (void)
++{
++ const struct
++ {
++ const char *xml;
++ GMarkupError expected_error_code;
++ }
++ vectors[] =
++ {
++ { "", G_MARKUP_ERROR_EMPTY },
++ { "<node><interface name=\"I\"><method name=\"M\"><node><interface name=\"I2\"></interface></node></method>", G_MARKUP_ERROR_INVALID_CONTENT },
++ { "<node><interface name=\"I\"><signal name=\"S\"><node><interface name=\"I2\"><signal name=\"S2\"></signal></interface></node></signal>", G_MARKUP_ERROR_INVALID_CONTENT },
++ { "<node><interface name=\"I\"><property name=\"P\" type=\"s\" access=\"read\"><node><interface name=\"I2\"></interface></node></property>", G_MARKUP_ERROR_INVALID_CONTENT },
++ { "<node><interface name=\"I\"><method name=\"M\"><arg type=\"\"><node><interface name=\"I2\"><method name=\"M2\"></method></interface></node></arg>", G_MARKUP_ERROR_INVALID_CONTENT },
++ };
++
++ for (size_t i = 0; i < G_N_ELEMENTS (vectors); i++)
++ {
++ GDBusNodeInfo *node;
++ GError *local_error = NULL;
++
++ g_test_message ("Testing parsing of %s gives an error", vectors[i].xml);
++
++ node = g_dbus_node_info_new_for_xml (vectors[i].xml, &local_error);
++ g_assert_error (local_error, G_MARKUP_ERROR, (int) vectors[i].expected_error_code);
++ g_assert_null (node);
++
++ g_clear_error (&local_error);
++ }
++}
++
+ /* ---------------------------------------------------------------------------------------------------- */
+
+ int
+@@ -316,6 +348,7 @@ main (int argc,
+ g_test_add_func ("/gdbus/introspection-generate", test_generate);
+ g_test_add_func ("/gdbus/introspection-default-direction", test_default_direction);
+ g_test_add_func ("/gdbus/introspection-extra-data", test_extra_data);
++ g_test_add_func ("/gdbus/introspection/invalid", test_invalid);
+
+ ret = session_bus_run ();
+
+--
+2.54.0
diff --git a/meta/recipes-core/glib-2.0/files/CVE-2026-58016-2.patch b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-2.patch
new file mode 100644
index 00000000000..a61e35ad8a7
--- /dev/null
+++ b/meta/recipes-core/glib-2.0/files/CVE-2026-58016-2.patch
@@ -0,0 +1,98 @@
+From a75052ceeebea434f271b670766acd5416bc83b9 Mon Sep 17 00:00:00 2001
+From: Philip Withnall <pwithnall@gnome.org>
+Date: Thu, 16 Apr 2026 15:08:10 +0100
+Subject: [PATCH 2/2] gdbusintrospection: Add some assertions before array
+ dereferences
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The state handling inside the D-Bus introspection XML parser is
+complicated, and it’s possible that these dereferences of the
+`len - 1`th element might get reached when the array is empty.
+
+Make failures like that more debuggable by adding an assertion on the
+length beforehand.
+
+Signed-off-by: Philip Withnall <pwithnall@gnome.org>
+
+Helps: #3932
+
+CVE: CVE-2026-58016
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/656ad4582cb1d7a7fa8bafe3ce8aec6aa3c17da0]
+
+Signed-off-by: Benjamin Robin <benjamin.robin@bootlin.com>
+---
+ gio/gdbusintrospection.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/gio/gdbusintrospection.c b/gio/gdbusintrospection.c
+index 6f722ee6153d..ed0d291f99f0 100644
+--- a/gio/gdbusintrospection.c
++++ b/gio/gdbusintrospection.c
+@@ -1110,6 +1110,7 @@ parse_data_get_annotation (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->annotations, g_new0 (GDBusAnnotationInfo, 1));
++ g_assert (data->annotations->len > 0);
+ return data->annotations->pdata[data->annotations->len - 1];
+ }
+
+@@ -1119,6 +1120,7 @@ parse_data_get_arg (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->args, g_new0 (GDBusArgInfo, 1));
++ g_assert (data->args->len > 0);
+ return data->args->pdata[data->args->len - 1];
+ }
+
+@@ -1128,6 +1130,7 @@ parse_data_get_out_arg (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->out_args, g_new0 (GDBusArgInfo, 1));
++ g_assert (data->out_args->len > 0);
+ return data->out_args->pdata[data->out_args->len - 1];
+ }
+
+@@ -1137,6 +1140,7 @@ parse_data_get_method (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->methods, g_new0 (GDBusMethodInfo, 1));
++ g_assert (data->methods->len > 0);
+ return data->methods->pdata[data->methods->len - 1];
+ }
+
+@@ -1146,6 +1150,7 @@ parse_data_get_signal (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->signals, g_new0 (GDBusSignalInfo, 1));
++ g_assert (data->signals->len > 0);
+ return data->signals->pdata[data->signals->len - 1];
+ }
+
+@@ -1155,6 +1160,7 @@ parse_data_get_property (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->properties, g_new0 (GDBusPropertyInfo, 1));
++ g_assert (data->properties->len > 0);
+ return data->properties->pdata[data->properties->len - 1];
+ }
+
+@@ -1164,6 +1170,7 @@ parse_data_get_interface (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->interfaces, g_new0 (GDBusInterfaceInfo, 1));
++ g_assert (data->interfaces->len > 0);
+ return data->interfaces->pdata[data->interfaces->len - 1];
+ }
+
+@@ -1173,6 +1180,7 @@ parse_data_get_node (ParseData *data,
+ {
+ if (create_new)
+ g_ptr_array_add (data->nodes, g_new0 (GDBusNodeInfo, 1));
++ g_assert (data->nodes->len > 0);
+ return data->nodes->pdata[data->nodes->len - 1];
+ }
+
+--
+2.54.0
diff --git a/meta/recipes-core/glib-2.0/glib.inc b/meta/recipes-core/glib-2.0/glib.inc
index dee94ec0600..fb35f84eec5 100644
--- a/meta/recipes-core/glib-2.0/glib.inc
+++ b/meta/recipes-core/glib-2.0/glib.inc
@@ -233,6 +233,8 @@ SRC_URI += "\
file://0001-gio-tests-resources.c-comment-out-a-build-host-only-.patch \
file://0010-Do-not-hardcode-python-path-into-various-tools.patch \
file://skip-timeout.patch \
+ file://CVE-2026-58016-1.patch \
+ file://CVE-2026-58016-2.patch \
"
SRC_URI:append:class-native = " file://relocate-modules.patch \
file://0001-meson.build-do-not-enable-pidfd-features-on-native-g.patch \
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 12/18] util-linux: upgrade 2.41.3 -> 2.41.5
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (10 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 11/18] glib-2.0: fix CVE-2026-58016 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-14 13:29 ` Paul Barker
2026-07-10 16:36 ` [OE-core][wrynose 13/18] ovmf: fix tpm PACKAGECONFIG to use TPM2_ENABLE Yoann Congal
` (5 subsequent siblings)
17 siblings, 1 reply; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Siva Balasubramanian <sivakumar.bs@gmail.com>
2.41.4 and 2.41.5 are point releases in the same 2.41 stable series and
contain only bug fixes and security fixes (no new features, no API/ABI
breaks), so the upgrade complies with the stable branch policy.
Among the fixes pulled in:
- Several mount(8) TOCTOU / symlink hardening fixes (incl. CVE-2026-27456)
- libblkid integer overflow in parse_dos_extended() and a use-after-free
in partition probing
- pam_lastlog2: fix libpam linking in the autotools build so
pam_lastlog2.so links against libpam (fixes the runtime "undefined
symbol: pam_syslog" / dlopen failure) [YOCTO #16320]
Drop two backports that are now part of the release:
- 0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch
(upstream f55f9906, released in 2.41.4)
- the pam_lastlog2 libpam linking backport (upstream 5683ed6320e0,
cherry-picked to the 2.41 stable branch as c8d0af0421f6, released in
2.41.5)
Full changes: https://github.com/util-linux/util-linux/compare/v2.41.3...v2.41.5
Signed-off-by: Siva Balasubramanian <sivakumar.bs@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
...2.41.3.bb => util-linux-libuuid_2.41.5.bb} | 0
meta/recipes-core/util-linux/util-linux.inc | 3 +-
...DEV_FL_NOFOLLOW-to-prevent-symlink-a.patch | 114 ------------------
...l-linux_2.41.3.bb => util-linux_2.41.5.bb} | 0
4 files changed, 1 insertion(+), 116 deletions(-)
rename meta/recipes-core/util-linux/{util-linux-libuuid_2.41.3.bb => util-linux-libuuid_2.41.5.bb} (100%)
delete mode 100644 meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch
rename meta/recipes-core/util-linux/{util-linux_2.41.3.bb => util-linux_2.41.5.bb} (100%)
diff --git a/meta/recipes-core/util-linux/util-linux-libuuid_2.41.3.bb b/meta/recipes-core/util-linux/util-linux-libuuid_2.41.5.bb
similarity index 100%
rename from meta/recipes-core/util-linux/util-linux-libuuid_2.41.3.bb
rename to meta/recipes-core/util-linux/util-linux-libuuid_2.41.5.bb
diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index 02358626669..aec8721ca32 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -20,9 +20,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
file://0001-lsfd-mkfds-foreign-sockets-skip-when-lacking-sock_di.patch \
file://0001-ts-kill-decode-use-RTMIN-from-kill-L-instead-of-hard.patch \
file://0001-tests-script-Disable-size-option-test.patch \
- file://0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch \
"
-SRC_URI[sha256sum] = "3330d873f0fceb5560b89a7dc14e4f3288bbd880e96903ed9b50ec2b5799e58b"
+SRC_URI[sha256sum] = "f586e35d320ff537aab3ffeca37e9ecd482ccbe013590db4429a414d8aa6a728"
CVE_PRODUCT = "util-linux"
diff --git a/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch b/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch
deleted file mode 100644
index 0951c9f5fbe..00000000000
--- a/meta/recipes-core/util-linux/util-linux/0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From f55f9906b4f6eeb2b4a4120317df9de935253c10 Mon Sep 17 00:00:00 2001
-From: Karel Zak <kzak@redhat.com>
-Date: Thu, 19 Feb 2026 13:59:46 +0100
-Subject: [PATCH] loopdev: add LOOPDEV_FL_NOFOLLOW to prevent symlink attacks
-
-Add a new LOOPDEV_FL_NOFOLLOW flag for loop device context that
-prevents symlink following in both path canonicalization and file open.
-
-When set:
-- loopcxt_set_backing_file() uses strdup() instead of
- ul_canonicalize_path() (which calls realpath() and follows symlinks)
-- loopcxt_setup_device() adds O_NOFOLLOW to open() flags
-
-The flag is set for non-root (restricted) mount operations in
-libmount's loop device hook. This prevents a TOCTOU race condition
-where an attacker could replace the backing file (specified in
-/etc/fstab) with a symlink to an arbitrary root-owned file between
-path resolution and open().
-
-Vulnerable Code Flow:
-
- mount /mnt/point (non-root, SUID)
- mount.c: sanitize_paths() on user args (mountpoint only)
- mnt_context_mount()
- mnt_context_prepare_mount()
- mnt_context_apply_fstab() <-- source path from fstab
- hooks run at MNT_STAGE_PREP_SOURCE
- hook_loopdev.c: setup_loopdev()
- backing_file = fstab source path ("/home/user/disk.img")
- loopcxt_set_backing_file() <-- calls realpath() as ROOT
- ul_canonicalize_path() <-- follows symlinks!
- loopcxt_setup_device()
- open(lc->filename, O_RDWR|O_CLOEXEC) <-- no O_NOFOLLOW
-
-Two vulnerabilities in the path:
-
-1) loopcxt_set_backing_file() calls ul_canonicalize_path() which uses
- realpath() -- this follows symlinks as euid=0. If the attacker swaps
- the file to a symlink before this call, lc->filename becomes the
- resolved target path (e.g., /root/secret.img).
-
-2) loopcxt_setup_device() opens lc->filename without O_NOFOLLOW. Even
- if canonicalization happened correctly, the file can be swapped to a
- symlink between canonicalize and open.
-
-Addresses: https://github.com/util-linux/util-linux/security/advisories/GHSA-qq4x-vfq4-9h9g
-Signed-off-by: Karel Zak <kzak@redhat.com>
-(cherry picked from commit 5e390467b26a3cf3fecc04e1a0d482dff3162fc4)
-
-CVE: CVE-2026-27456
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- include/loopdev.h | 3 ++-
- lib/loopdev.c | 7 ++++++-
- libmount/src/hook_loopdev.c | 3 ++-
- 3 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/include/loopdev.h b/include/loopdev.h
-index e5ec1c98a..6bdb1393a 100644
---- a/include/loopdev.h
-+++ b/include/loopdev.h
-@@ -140,7 +140,8 @@ enum {
- LOOPDEV_FL_NOIOCTL = (1 << 6),
- LOOPDEV_FL_DEVSUBDIR = (1 << 7),
- LOOPDEV_FL_CONTROL = (1 << 8), /* system with /dev/loop-control */
-- LOOPDEV_FL_SIZELIMIT = (1 << 9)
-+ LOOPDEV_FL_SIZELIMIT = (1 << 9),
-+ LOOPDEV_FL_NOFOLLOW = (1 << 10) /* O_NOFOLLOW, don't follow symlinks */
- };
-
- /*
-diff --git a/lib/loopdev.c b/lib/loopdev.c
-index 2359bf781..76685be70 100644
---- a/lib/loopdev.c
-+++ b/lib/loopdev.c
-@@ -1267,7 +1267,10 @@ int loopcxt_set_backing_file(struct loopdev_cxt *lc, const char *filename)
- if (!lc)
- return -EINVAL;
-
-- lc->filename = canonicalize_path(filename);
-+ if (lc->flags & LOOPDEV_FL_NOFOLLOW)
-+ lc->filename = strdup(filename);
-+ else
-+ lc->filename = canonicalize_path(filename);
- if (!lc->filename)
- return -errno;
-
-@@ -1408,6 +1411,8 @@ int loopcxt_setup_device(struct loopdev_cxt *lc)
-
- if (lc->config.info.lo_flags & LO_FLAGS_DIRECT_IO)
- flags |= O_DIRECT;
-+ if (lc->flags & LOOPDEV_FL_NOFOLLOW)
-+ flags |= O_NOFOLLOW;
-
- if ((file_fd = open(lc->filename, mode | flags)) < 0) {
- if (mode != O_RDONLY && (errno == EROFS || errno == EACCES))
-diff --git a/libmount/src/hook_loopdev.c b/libmount/src/hook_loopdev.c
-index 444d69d6f..34351116c 100644
---- a/libmount/src/hook_loopdev.c
-+++ b/libmount/src/hook_loopdev.c
-@@ -272,7 +272,8 @@ static int setup_loopdev(struct libmnt_context *cxt,
- }
-
- DBG(LOOP, ul_debugobj(cxt, "not found; create a new loop device"));
-- rc = loopcxt_init(&lc, 0);
-+ rc = loopcxt_init(&lc,
-+ mnt_context_is_restricted(cxt) ? LOOPDEV_FL_NOFOLLOW : 0);
- if (rc)
- goto done_no_deinit;
- if (mnt_opt_has_value(loopopt)) {
---
-2.43.0
-
diff --git a/meta/recipes-core/util-linux/util-linux_2.41.3.bb b/meta/recipes-core/util-linux/util-linux_2.41.5.bb
similarity index 100%
rename from meta/recipes-core/util-linux/util-linux_2.41.3.bb
rename to meta/recipes-core/util-linux/util-linux_2.41.5.bb
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 13/18] ovmf: fix tpm PACKAGECONFIG to use TPM2_ENABLE
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (11 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 12/18] util-linux: upgrade 2.41.3 -> 2.41.5 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 14/18] libcap: Fix CVE-2026-4878 Yoann Congal
` (4 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Eilís 'pidge' Ní Fhlannagáin <pidge@baylibre.com>
The tpm PACKAGECONFIG passed "-D TPM_ENABLE=TRUE/FALSE", but ovmf
renamed that macro to TPM2_ENABLE in edk2 commit 4de8d61bcec0
("OvmfPkg: rework TPM configuration", first released in
edk2-stable202202). Since then TPM_ENABLE has been an unknown macro
that edk2 ignores, so TPM2 support was never compiled in, even for
MACHINEs with 'tpm'/'tpm2' in MACHINE_FEATURES.
Use TPM2_ENABLE (as defined in
OvmfPkg/Include/Dsc/OvmfTpmDefines.dsc.inc and consumed by
OvmfPkgX64.dsc) so the tpm PACKAGECONFIG actually enables TPM2 support.
The same commit also added a separate TPM1_ENABLE macro (TPM 1.2
support, default TRUE), but its dsc.inc snippets are only included
inside OvmfPkgX64.dsc's "!if $(TPM2_ENABLE) == TRUE" block, so it has
no effect unless TPM2_ENABLE is TRUE. No separate PACKAGECONFIG knob is
needed.
Signed-off-by: Eilís 'pidge' Ní Fhlannagáin <pidge@baylibre.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d6b434455544e5922d75ba07a74490e6a6df7a0c)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-core/ovmf/ovmf_git.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 19bcc4a96fa..01f840c2154 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -14,7 +14,7 @@ PACKAGECONFIG += "${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)}
PACKAGECONFIG += "${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)}"
PACKAGECONFIG[debug] = ",,,"
PACKAGECONFIG[secureboot] = ",,,"
-PACKAGECONFIG[tpm] = "-D TPM_ENABLE=TRUE,-D TPM_ENABLE=FALSE,,"
+PACKAGECONFIG[tpm] = "-D TPM2_ENABLE=TRUE,-D TPM2_ENABLE=FALSE,,"
# GCC12 trips on it
#see https://src.fedoraproject.org/rpms/edk2/blob/rawhide/f/0032-Basetools-turn-off-gcc12-warning.patch
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 14/18] libcap: Fix CVE-2026-4878
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (12 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 13/18] ovmf: fix tpm PACKAGECONFIG to use TPM2_ENABLE Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 15/18] socat: upgrade 1.8.1.1 -> 1.8.1.3 Yoann Congal
` (3 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Deepak Rathore <deeratho@cisco.com>
This patch applies the upstream backport for CVE-2026-4878.
Wrynose libcap 2.77 still has the path-based cap_set_file()
race fixed by upstream. The upstream fix commit is referenced in [1],
and the public CVE advisory is referenced in [2].
The fix switches named file capability updates to an opened file
descriptor and adds quicktest coverage for symlinked paths.
[1] https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596
[2] https://www.cve.org/CVERecord?id=CVE-2026-4878
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../libcap/files/CVE-2026-4878.patch | 163 ++++++++++++++++++
meta/recipes-support/libcap/libcap_2.77.bb | 4 +-
2 files changed, 166 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/libcap/files/CVE-2026-4878.patch
diff --git a/meta/recipes-support/libcap/files/CVE-2026-4878.patch b/meta/recipes-support/libcap/files/CVE-2026-4878.patch
new file mode 100644
index 00000000000..955b540b8ac
--- /dev/null
+++ b/meta/recipes-support/libcap/files/CVE-2026-4878.patch
@@ -0,0 +1,163 @@
+From 286ace1259992bd0c5d9016715833f2e148ac596 Mon Sep 17 00:00:00 2001
+From: "Andrew G. Morgan" <morgan@kernel.org>
+Date: Thu, 12 Mar 2026 07:38:05 -0700
+Subject: [PATCH] Address a potential TOCTOU race condition in cap_set_file().
+
+This issue was researched and reported by Ali Raza (@locus-x64). It
+has been assigned CVE-2026-4878.
+
+The finding is that while cap_set_file() checks if a file is a regular
+file before applying or removing a capability attribute, a small
+window existed after that check when the filepath could be overwritten
+either with new content or a symlink to some other file. To do this
+would imply that the caller of cap_set_file() was directing it to a
+directory over which a local attacker has write access, and performed
+the operation frequently enough that an attacker had a non-negligible
+chance of exploiting the race condition. The code now locks onto the
+intended file, eliminating the race condition.
+
+CVE: CVE-2026-4878
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596]
+
+Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
+(cherry picked from commit 286ace1259992bd0c5d9016715833f2e148ac596)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ libcap/cap_file.c | 69 +++++++++++++++++++++++++++++++++++++++-------
+ progs/quicktest.sh | 14 +++++++++-
+ 2 files changed, 72 insertions(+), 11 deletions(-)
+
+diff --git a/libcap/cap_file.c b/libcap/cap_file.c
+index 0bc07f7..f02bf9f 100644
+--- a/libcap/cap_file.c
++++ b/libcap/cap_file.c
+@@ -8,8 +8,13 @@
+ #define _DEFAULT_SOURCE
+ #endif
+
++#ifndef _GNU_SOURCE
++#define _GNU_SOURCE
++#endif
++
+ #include <sys/types.h>
+ #include <byteswap.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+ #include <unistd.h>
+
+@@ -322,26 +327,70 @@ int cap_set_file(const char *filename, cap_t cap_d)
+ struct vfs_ns_cap_data rawvfscap;
+ int sizeofcaps;
+ struct stat buf;
++ char fdpath[64];
++ int fd, ret;
++
++ _cap_debug("setting filename capabilities");
++ fd = open(filename, O_RDONLY|O_NOFOLLOW);
++ if (fd >= 0) {
++ ret = cap_set_fd(fd, cap_d);
++ close(fd);
++ return ret;
++ }
+
+- if (lstat(filename, &buf) != 0) {
+- _cap_debug("unable to stat file [%s]", filename);
++ /*
++ * Attempting to set a file capability on a file the process can't
++ * read the content of. This is considered a non-standard use case
++ * and the following (slower) code is complicated because it is
++ * trying to avoid a TOCTOU race condition.
++ */
++
++ fd = open(filename, O_PATH|O_NOFOLLOW);
++ if (fd < 0) {
++ _cap_debug("cannot find file at path [%s]", filename);
++ return -1;
++ }
++ if (fstat(fd, &buf) != 0) {
++ _cap_debug("unable to stat file [%s] descriptor %d",
++ filename, fd);
++ close(fd);
+ return -1;
+ }
+ if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) {
+- _cap_debug("file [%s] is not a regular file", filename);
++ _cap_debug("file [%s] descriptor %d for non-regular file",
++ filename, fd);
++ close(fd);
+ errno = EINVAL;
+ return -1;
+ }
+
+- if (cap_d == NULL) {
+- _cap_debug("removing filename capabilities");
+- return removexattr(filename, XATTR_NAME_CAPS);
++ /*
++ * While the fd remains open, this named file is locked to the
++ * origin regular file. The size of the fdpath variable is
++ * sufficient to support a 160+ bit number.
++ */
++ if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", fd)
++ >= sizeof(fdpath)) {
++ _cap_debug("file descriptor too large %d", fd);
++ errno = EINVAL;
++ ret = -1;
++
++ } else if (cap_d == NULL) {
++ _cap_debug("dropping file caps on [%s] via [%s]",
++ filename, fdpath);
++ ret = removexattr(fdpath, XATTR_NAME_CAPS);
++
+ } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) {
+- return -1;
+- }
++ _cap_debug("problem converting cap_d to vfscap format");
++ ret = -1;
+
+- _cap_debug("setting filename capabilities");
+- return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0);
++ } else {
++ _cap_debug("setting filename capabilities");
++ ret = setxattr(fdpath, XATTR_NAME_CAPS, &rawvfscap,
++ sizeofcaps, 0);
++ }
++ close(fd);
++ return ret;
+ }
+
+ /*
+diff --git a/progs/quicktest.sh b/progs/quicktest.sh
+index e6c48e6..5dc72f9 100755
+--- a/progs/quicktest.sh
++++ b/progs/quicktest.sh
+@@ -148,7 +148,19 @@ pass_capsh --caps="cap_setpcap=p" --inh=cap_chown --current
+ pass_capsh --strict --caps="cap_chown=p" --inh=cap_chown --current
+
+ # change the way the capability is obtained (make it inheritable)
++chmod 0000 ./privileged
+ ./setcap cap_setuid,cap_setgid=ei ./privileged
++if [ $? -ne 0 ]; then
++ echo "FAILED to set file capability"
++ exit 1
++fi
++chmod 0755 ./privileged
++ln -s privileged unprivileged
++./setcap -r ./unprivileged
++if [ $? -eq 0 ]; then
++ echo "FAILED by removing a capability from a symlinked file"
++ exit 1
++fi
+
+ # Note, the bounding set (edited with --drop) only limits p
+ # capabilities, not i's.
+@@ -246,7 +258,7 @@ EOF
+ pass_capsh --iab='!%cap_chown,^cap_setpcap,cap_setuid'
+ fail_capsh --mode=PURE1E --iab='!%cap_chown,^cap_setuid'
+ fi
+-/bin/rm -f ./privileged
++/bin/rm -f ./privileged ./unprivileged
+
+ echo "testing namespaced file caps"
+
+--
+2.35.6
diff --git a/meta/recipes-support/libcap/libcap_2.77.bb b/meta/recipes-support/libcap/libcap_2.77.bb
index 9968cd5f504..66ac0f1d7df 100644
--- a/meta/recipes-support/libcap/libcap_2.77.bb
+++ b/meta/recipes-support/libcap/libcap_2.77.bb
@@ -12,7 +12,9 @@ LIC_FILES_CHKSUM = "file://License;md5=2965a646645b72ecee859b43c592dcaa \
DEPENDS = "hostperl-runtime-native gperf-native"
-SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${PV}.tar.xz"
+SRC_URI = "${KERNELORG_MIRROR}/linux/libs/security/linux-privs/${BPN}2/${BPN}-${PV}.tar.xz \
+ file://CVE-2026-4878.patch \
+ "
SRC_URI:append:class-nativesdk = " \
file://0001-nativesdk-libcap-Raise-the-size-of-arrays-containing.patch \
"
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 15/18] socat: upgrade 1.8.1.1 -> 1.8.1.3
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (13 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 14/18] libcap: Fix CVE-2026-4878 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 16/18] vim: Fix for CVE-2026-52858,CVE-2026-52859,CVE-2026-52860 Yoann Congal
` (2 subsequent siblings)
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Sudhir Dumbhare <sudumbha@cisco.com>
According to [1]:
this upgrade includes the fix for Socat security advisory 10, CVE-2026-56123.
The issue is a possible heap overflow in the SOCKS5 client code that can be
triggered by connecting to a malicious SOCKS5 server with knowledge of details
about the client binary code. It also introduced Test: SOCKS5_OVERFL as well.
Version 1.8.1.3 also fixes a false positive in the SOCKS5_OVERFL regression
test on platforms with a non-bash default shell.
[1] http://www.dest-unreach.org/socat/CHANGES
[2] https://nvd.nist.gov/vuln/detail/CVE-2026-56123
Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../socat/{socat_1.8.1.1.bb => socat_1.8.1.3.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-connectivity/socat/{socat_1.8.1.1.bb => socat_1.8.1.3.bb} (94%)
diff --git a/meta/recipes-connectivity/socat/socat_1.8.1.1.bb b/meta/recipes-connectivity/socat/socat_1.8.1.3.bb
similarity index 94%
rename from meta/recipes-connectivity/socat/socat_1.8.1.1.bb
rename to meta/recipes-connectivity/socat/socat_1.8.1.3.bb
index e662c79a754..636c75b1172 100644
--- a/meta/recipes-connectivity/socat/socat_1.8.1.1.bb
+++ b/meta/recipes-connectivity/socat/socat_1.8.1.3.bb
@@ -13,7 +13,7 @@ SRC_URI = "http://www.dest-unreach.org/socat/download/socat-${PV}.tar.bz2 \
file://0001-fix-compile-procan.c-failed.patch \
"
-SRC_URI[sha256sum] = "5ebc636b7f427053f98806696521653a614c7e06464910353cbf54e2327adc1b"
+SRC_URI[sha256sum] = "25bc6476292b2e614220989c77b0b6fca87bb2525d9747b31a6639b1fb602418"
inherit autotools
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 16/18] vim: Fix for CVE-2026-52858,CVE-2026-52859,CVE-2026-52860
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (14 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 15/18] socat: upgrade 1.8.1.1 -> 1.8.1.3 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 17/18] xmlto: update SRC_URI Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 18/18] gnutls: fix CVE-2026-33846 Yoann Congal
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Hitendra Prajapati <hprajapati@mvista.com>
Pick patch from [1], [2] & [3] also mentioned at NVD report in [4,5 & 6]
[1] https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d
[2] https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19
[3] https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2
[4] https://nvd.nist.gov/vuln/detail/CVE-2026-52858
[5] https://nvd.nist.gov/vuln/detail/CVE-2026-52859
[6] https://nvd.nist.gov/vuln/detail/CVE-2026-52860
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
.../vim/files/CVE-2026-52858.patch | 167 +++++++
.../vim/files/CVE-2026-52859.patch | 274 +++++++++++
.../vim/files/CVE-2026-52860.patch | 446 ++++++++++++++++++
meta/recipes-support/vim/vim.inc | 3 +
4 files changed, 890 insertions(+)
create mode 100644 meta/recipes-support/vim/files/CVE-2026-52858.patch
create mode 100644 meta/recipes-support/vim/files/CVE-2026-52859.patch
create mode 100644 meta/recipes-support/vim/files/CVE-2026-52860.patch
diff --git a/meta/recipes-support/vim/files/CVE-2026-52858.patch b/meta/recipes-support/vim/files/CVE-2026-52858.patch
new file mode 100644
index 00000000000..38d477eeb9b
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-52858.patch
@@ -0,0 +1,167 @@
+From 4b850457e12e1a678dd209f2868154f7553cbf8d Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Fri, 29 May 2026 19:05:53 +0000
+Subject: [PATCH] patch 9.2.0561: [security]: possible code execution with
+ python3complete
+
+Problem: [security]: possible code execution with python3complete
+Solution: Disable execution of import/from statements
+
+Github Security Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d]
+CVE: CVE-2026-52858
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ runtime/autoload/README.txt | 1 +
+ runtime/autoload/python3complete.vim | 17 ++++++++++++++---
+ runtime/autoload/pythoncomplete.vim | 17 ++++++++++++++---
+ runtime/doc/filetype.txt | 15 ++++++++++++++-
+ 4 files changed, 43 insertions(+), 7 deletions(-)
+
+diff --git a/runtime/autoload/README.txt b/runtime/autoload/README.txt
+index 3b18d3dde5..b22581963e 100644
+--- a/runtime/autoload/README.txt
++++ b/runtime/autoload/README.txt
+@@ -17,6 +17,7 @@ htmlcomplete.vim HTML
+ javascriptcomplete.vim Javascript
+ phpcomplete.vim PHP
+ pythoncomplete.vim Python
++python3complete.vim Python
+ rubycomplete.vim Ruby
+ syntaxcomplete.vim from syntax highlighting
+ xmlcomplete.vim XML (uses files in the xml directory)
+diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim
+index 3e54433f41..2b6a652525 100644
+--- a/runtime/autoload/python3complete.vim
++++ b/runtime/autoload/python3complete.vim
+@@ -14,6 +14,10 @@
+ " i.e. "import url<c-x,c-o>"
+ " Continue parsing on invalid line??
+ "
++" v 0.10 by Vim project
++" * disables importing local modules, unless the global Vim variable
++" g:pythoncomplete_allow_import is set to non-zero
++"
+ " v 0.9
+ " * Fixed docstring parsing for classes and functions
+ " * Fixed parsing of *args and **kwargs type arguments
+@@ -132,11 +136,20 @@ class Completer(object):
+
+ def evalsource(self,text,line=0):
+ sc = self.parser.parse(text,line)
++ try: allow_imports = int(
++ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
++ except Exception:
++ allow_imports = 0
+ src = sc.get_code()
+ dbg("source: %s" % src)
+ try: exec(src,self.compldict)
+ except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1]))
+ for l in sc.locals:
++ # Executing import/from statements harvested from the buffer runs
++ # arbitrary package code; only do so when the user opted in.
++ if not allow_imports and (l.startswith('import')
++ or l.startswith('from ')):
++ continue
+ try: exec(l,self.compldict)
+ except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l))
+
+@@ -300,13 +313,11 @@ class Scope(object):
+ def get_code(self):
+ str = ""
+ if len(self.docstr) > 0: str += '"""'+self.docstr+'"""\n'
+- for l in self.locals:
+- if l.startswith('import'): str += l+'\n'
+ str += 'class _PyCmplNoType:\n def __getattr__(self,name):\n return None\n'
+ for sub in self.subscopes:
+ str += sub.get_code()
+ for l in self.locals:
+- if not l.startswith('import'): str += l+'\n'
++ if not l.startswith('import') and not l.startswith('from '): str += l+'\n'
+
+ return str
+
+diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim
+index aa28bb721f..10147767ef 100644
+--- a/runtime/autoload/pythoncomplete.vim
++++ b/runtime/autoload/pythoncomplete.vim
+@@ -12,6 +12,10 @@
+ " i.e. "import url<c-x,c-o>"
+ " Continue parsing on invalid line??
+ "
++" v 0.10 by Vim project
++" * disables importing local modules, unless the global Vim variable
++" g:pythoncomplete_allow_import is set to non-zero
++"
+ " v 0.9
+ " * Fixed docstring parsing for classes and functions
+ " * Fixed parsing of *args and **kwargs type arguments
+@@ -146,11 +150,20 @@ class Completer(object):
+
+ def evalsource(self,text,line=0):
+ sc = self.parser.parse(text,line)
++ try: allow_imports = int(
++ vim.eval("get(g:, 'pythoncomplete_allow_import', 0)"))
++ except Exception:
++ allow_imports = 0
+ src = sc.get_code()
+ dbg("source: %s" % src)
+ try: exec(src) in self.compldict
+ except: dbg("parser: %s, %s" % (sys.exc_info()[0],sys.exc_info()[1]))
+ for l in sc.locals:
++ # Executing import/from statements harvested from the buffer runs
++ # arbitrary package code; only do so when the user opted in.
++ if not allow_imports and (l.startswith('import')
++ or l.startswith('from ')):
++ continue
+ try: exec(l) in self.compldict
+ except: dbg("locals: %s, %s [%s]" % (sys.exc_info()[0],sys.exc_info()[1],l))
+
+@@ -315,13 +328,11 @@ class Scope(object):
+ def get_code(self):
+ str = ""
+ if len(self.docstr) > 0: str += '"""'+self.docstr+'"""\n'
+- for l in self.locals:
+- if l.startswith('import'): str += l+'\n'
+ str += 'class _PyCmplNoType:\n def __getattr__(self,name):\n return None\n'
+ for sub in self.subscopes:
+ str += sub.get_code()
+ for l in self.locals:
+- if not l.startswith('import'): str += l+'\n'
++ if not l.startswith('import') and not l.startswith('from '): str += l+'\n'
+
+ return str
+
+diff --git a/runtime/doc/filetype.txt b/runtime/doc/filetype.txt
+index 461f801ccc..24d833cd54 100644
+--- a/runtime/doc/filetype.txt
++++ b/runtime/doc/filetype.txt
+@@ -982,7 +982,20 @@ By default the following options are set, in accordance with PEP8: >
+ To disable this behavior, set the following variable in your vimrc: >
+
+ let g:python_recommended_style = 0
+-
++<
++Python omni-completion |compl-omni| is provided by python3complete.vim (or
++pythoncomplete.vim) for Vim builds with the |+python|/|+python3| interpreter.
++By default it does not inspect the import / from statements found in the
++buffer. This means completion of names defined in the buffer itself (classes,
++functions, variables) works, but completion of members of imported modules is
++not offered.
++
++To enable completion of imported module members, set: >
++ let g:pythoncomplete_allow_import = 1
++<
++WARNING: enabling this causes omni-completion to execute the import statements
++found in the buffer through Python's import machinery, which runs the imported
++modules' top-level code. Only enable this for code you trust.
+
+ QF QUICKFIX *qf.vim* *ft-qf-plugin*
+
+--
+2.34.1
+
diff --git a/meta/recipes-support/vim/files/CVE-2026-52859.patch b/meta/recipes-support/vim/files/CVE-2026-52859.patch
new file mode 100644
index 00000000000..7a91dab4961
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-52859.patch
@@ -0,0 +1,274 @@
+From 63680c6d3d52477817b49cd1a66e7aabe8a7aa19 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Sat, 30 May 2026 16:34:40 +0000
+Subject: [PATCH] patch 9.2.0565: [security]: out-of-bounds read in
+ update_snapshot()
+
+Problem: Out-of-bounds read in update_snapshot() when a terminal cell
+ fills all VTERM_MAX_CHARS_PER_CELL slots (a base character
+ plus five combining marks): the loop over cell.chars[] has no
+ upper bound and libvterm leaves the array unterminated when full, so
+ it reads past the array and appends out-of-bounds values to a
+ buffer sized for only VTERM_MAX_CHARS_PER_CELL characters.
+Solution: Bound the loop with i < VTERM_MAX_CHARS_PER_CELL, mirroring
+ the loop in handle_pushline() (Christian Brabandt).
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19]
+CVE: CVE-2026-52859
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/terminal.c | 3 +-
+ src/testdir/samples/combining_chars.txt | 200 ++++++++++++++++++++++++
+ src/testdir/test_terminal3.vim | 15 ++
+ 3 files changed, 217 insertions(+), 1 deletion(-)
+ create mode 100644 src/testdir/samples/combining_chars.txt
+
+diff --git a/src/terminal.c b/src/terminal.c
+index 6a9c286e29..f42125bf22 100644
+--- a/src/terminal.c
++++ b/src/terminal.c
+@@ -2265,7 +2265,8 @@ update_snapshot(term_T *term)
+ int i;
+ int c;
+
+- for (i = 0; (c = cell.chars[i]) > 0 || i == 0; ++i)
++ for (i = 0; i < VTERM_MAX_CHARS_PER_CELL &&
++ ((c = cell.chars[i]) > 0 || i == 0); ++i)
+ ga.ga_len += utf_char2bytes(c == NUL ? ' ' : c,
+ (char_u *)ga.ga_data + ga.ga_len);
+ }
+diff --git a/src/testdir/samples/combining_chars.txt b/src/testdir/samples/combining_chars.txt
+new file mode 100644
+index 0000000000..d9a3c171fb
+--- /dev/null
++++ b/src/testdir/samples/combining_chars.txt
+@@ -0,0 +1,200 @@
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́
++á́́́́ጁ
++á́́́́ጁ
++á́́́́ጁ
++á́́́́ጁ
++á́́́́ጁ
++á́́́́ጁ
++á́́́́ጁ
++á́́́́ጁ
++á́́́́ጁ
++á́́́́ጁ
+diff --git a/src/testdir/test_terminal3.vim b/src/testdir/test_terminal3.vim
+index 04c7c925e3..738a4c6284 100644
+--- a/src/testdir/test_terminal3.vim
++++ b/src/testdir/test_terminal3.vim
+@@ -1241,4 +1241,19 @@ func Test_terminal_csi_args_overflow()
+ call StopVimInTerminal(buf)
+ endfunc
+
++func Test_terminal_output_combining_chars()
++ CheckUnix
++ new
++ let cmd = "cat samples/combining_chars.txt"
++ let buf = term_start(cmd, {'curwin': 1, 'term_finish': 'open', 'term_rows': 10, 'term_cols': 30})
++ call WaitForAssert({-> assert_match('finished', term_getstatus(buf))})
++ call TermWait(buf)
++ let lines = getbufline(buf, 1, '$')
++ " get byte lengths to confirm combining chars present
++ let lens = map(copy(lines), 'len(v:val)')
++ let expected = repeat([11], 190) + repeat([14], 10)
++ call assert_equal(expected, lens)
++ bw!
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.34.1
+
diff --git a/meta/recipes-support/vim/files/CVE-2026-52860.patch b/meta/recipes-support/vim/files/CVE-2026-52860.patch
new file mode 100644
index 00000000000..1e370847f63
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2026-52860.patch
@@ -0,0 +1,446 @@
+From c8c63673bc4253212820626aeeb75999d9a539d2 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Thu, 4 Jun 2026 21:06:09 +0000
+Subject: [PATCH] patch 9.2.0597: [security]: possible code execution with
+ python complete
+
+Problem: [security]: another possible code execution with python complete
+ (David Carliez)
+Solution: Strip default expressions and annotations from generated
+ source for pythoncomplete and python3complete.
+
+Github Security Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2]
+CVE: CVE-2026-52860
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ runtime/autoload/python3complete.vim | 43 +++-
+ runtime/autoload/pythoncomplete.vim | 43 +++-
+ src/testdir/Make_all.mak | 2 +
+ src/testdir/test_plugin_python3complete.vim | 224 ++++++++++++++++++++
+ 4 files changed, 304 insertions(+), 8 deletions(-)
+ create mode 100644 src/testdir/test_plugin_python3complete.vim
+
+diff --git a/runtime/autoload/python3complete.vim b/runtime/autoload/python3complete.vim
+index 2b6a652525..c4ef19d82f 100644
+--- a/runtime/autoload/python3complete.vim
++++ b/runtime/autoload/python3complete.vim
+@@ -1,8 +1,8 @@
+ "python3complete.vim - Omni Completion for python
+ " Maintainer: <vacancy>
+ " Previous Maintainer: Aaron Griffin <aaronmgriffin@gmail.com>
+-" Version: 0.9
+-" Last Updated: 2022 Mar 30
++" Version: 0.10
++" Last Updated: 2026 Jun 04
+ "
+ " Roland Puntaier: this file contains adaptations for python3 and is parallel to pythoncomplete.vim
+ "
+@@ -17,6 +17,11 @@
+ " v 0.10 by Vim project
+ " * disables importing local modules, unless the global Vim variable
+ " g:pythoncomplete_allow_import is set to non-zero
++" * strip default values and annotations from function parameter lists
++" before exec(), and whitelist class base lists to dotted names: the
++" previous code passed buffer-supplied expressions to exec() which
++" Python evaluates at definition time, allowing arbitrary code
++" execution via crafted def/class headers
+ "
+ " v 0.9
+ " * Fixed docstring parsing for classes and functions
+@@ -100,6 +105,24 @@ warnings.simplefilter(action='ignore', category=FutureWarning)
+
+ import sys, tokenize, io, types
+ from token import NAME, DEDENT, NEWLINE, STRING
++import re
++
++# Used by Class.get_code(): a base class expression is only included in the
++# code passed to exec() if it is a pure dotted name (e.g. "Base", "mod.Base",
++# "pkg.sub.Cls"). Anything containing calls, subscripts, "=", ":" or other
++# operators is dropped, since exec()-ing it would evaluate buffer-supplied
++# expressions. See the security note in the file header.
++_DOTTED_NAME_RE = re.compile(r'^[A-Za-z_]\w*(\s*\.\s*[A-Za-z_]\w*)*$')
++
++def _strip_param(p):
++ # Return the bare parameter name from a parameter spec harvested by
++ # _parenparse(), discarding any default value or annotation. Default
++ # values and annotations would otherwise be evaluated by exec() at
++ # function-definition time. Star prefixes ("*args", "**kw") and bare
++ # "*" / "/" are preserved as written.
++ p = p.split('=', 1)[0]
++ p = p.split(':', 1)[0]
++ return p.strip()
+
+ debugstmts=[]
+ def dbg(s): debugstmts.append(s)
+@@ -347,7 +370,13 @@ class Class(Scope):
+ return c
+ def get_code(self):
+ str = '%sclass %s' % (self.currentindent(),self.name)
+- if len(self.supers) > 0: str += '(%s)' % ','.join(self.supers)
++ # Only include base class expressions that are pure dotted names.
++ # Anything else (calls, subscripts, conditionals, ...) is dropped
++ # because exec() would evaluate it at class-definition time. See
++ # the security note in the file header.
++ safe_supers = [s.strip() for s in self.supers
++ if _DOTTED_NAME_RE.match(s.strip())]
++ if len(safe_supers) > 0: str += '(%s)' % ','.join(safe_supers)
+ str += ':\n'
+ if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n'
+ if len(self.subscopes) > 0:
+@@ -364,8 +393,14 @@ class Function(Scope):
+ def copy_decl(self,indent=0):
+ return Function(self.name,self.params,indent, self.docstr)
+ def get_code(self):
++ # Strip default values and annotations from each parameter before
++ # joining: exec() evaluates these at definition time and a hostile
++ # buffer could otherwise execute arbitrary code via crafted def
++ # headers. See file header for details.
++ safe_params = [_strip_param(p) for p in self.params]
++ safe_params = [p for p in safe_params if p]
+ str = "%sdef %s(%s):\n" % \
+- (self.currentindent(),self.name,','.join(self.params))
++ (self.currentindent(),self.name,','.join(safe_params))
+ if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n'
+ str += "%spass\n" % self.childindent()
+ return str
+diff --git a/runtime/autoload/pythoncomplete.vim b/runtime/autoload/pythoncomplete.vim
+index 10147767ef..39b1efd299 100644
+--- a/runtime/autoload/pythoncomplete.vim
++++ b/runtime/autoload/pythoncomplete.vim
+@@ -1,8 +1,8 @@
+ "pythoncomplete.vim - Omni Completion for python
+ " Maintainer: <vacancy>
+ " Previous Maintainer: Aaron Griffin <aaronmgriffin@gmail.com>
+-" Version: 0.9
+-" Last Updated: 2020 Oct 9
++" Version: 0.10
++" Last Updated: 2026 Jun 04
+ "
+ " Changes
+ " TODO:
+@@ -15,6 +15,11 @@
+ " v 0.10 by Vim project
+ " * disables importing local modules, unless the global Vim variable
+ " g:pythoncomplete_allow_import is set to non-zero
++" * strip default values and annotations from function parameter lists
++" before exec(), and whitelist class base lists to dotted names: the
++" previous code passed buffer-supplied expressions to exec() which
++" Python evaluates at definition time, allowing arbitrary code
++" execution via crafted def/class headers
+ "
+ " v 0.9
+ " * Fixed docstring parsing for classes and functions
+@@ -95,6 +100,24 @@ function! s:DefPython()
+ python << PYTHONEOF
+ import sys, tokenize, cStringIO, types
+ from token import NAME, DEDENT, NEWLINE, STRING
++import re
++
++# Used by Class.get_code(): a base class expression is only included in the
++# code passed to exec() if it is a pure dotted name (e.g. "Base", "mod.Base",
++# "pkg.sub.Cls"). Anything containing calls, subscripts, "=", ":" or other
++# operators is dropped, since exec()-ing it would evaluate buffer-supplied
++# expressions. See the security note in the file header.
++_DOTTED_NAME_RE = re.compile(r'^[A-Za-z_]\w*(\s*\.\s*[A-Za-z_]\w*)*$')
++
++def _strip_param(p):
++ # Return the bare parameter name from a parameter spec harvested by
++ # _parenparse(), discarding any default value or annotation. Default
++ # values and annotations would otherwise be evaluated by exec() at
++ # function-definition time. Star prefixes ("*args", "**kw") and bare
++ # "*" / "/" are preserved as written.
++ p = p.split('=', 1)[0]
++ p = p.split(':', 1)[0]
++ return p.strip()
+
+ debugstmts=[]
+ def dbg(s): debugstmts.append(s)
+@@ -362,7 +385,13 @@ class Class(Scope):
+ return c
+ def get_code(self):
+ str = '%sclass %s' % (self.currentindent(),self.name)
+- if len(self.supers) > 0: str += '(%s)' % ','.join(self.supers)
++ # Only include base class expressions that are pure dotted names.
++ # Anything else (calls, subscripts, conditionals, ...) is dropped
++ # because exec() would evaluate it at class-definition time. See
++ # the security note in the file header.
++ safe_supers = [s.strip() for s in self.supers
++ if _DOTTED_NAME_RE.match(s.strip())]
++ if len(safe_supers) > 0: str += '(%s)' % ','.join(safe_supers)
+ str += ':\n'
+ if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n'
+ if len(self.subscopes) > 0:
+@@ -379,8 +408,14 @@ class Function(Scope):
+ def copy_decl(self,indent=0):
+ return Function(self.name,self.params,indent, self.docstr)
+ def get_code(self):
++ # Strip default values and annotations from each parameter before
++ # joining: exec() evaluates these at definition time and a hostile
++ # buffer could otherwise execute arbitrary code via crafted def
++ # headers. See file header for details.
++ safe_params = [_strip_param(p) for p in self.params]
++ safe_params = [p for p in safe_params if p]
+ str = "%sdef %s(%s):\n" % \
+- (self.currentindent(),self.name,','.join(self.params))
++ (self.currentindent(),self.name,','.join(safe_params))
+ if len(self.docstr) > 0: str += self.childindent()+'"""'+self.docstr+'"""\n'
+ str += "%spass\n" % self.childindent()
+ return str
+diff --git a/src/testdir/Make_all.mak b/src/testdir/Make_all.mak
+index f8c7f8bb46..b06d1af431 100644
+--- a/src/testdir/Make_all.mak
++++ b/src/testdir/Make_all.mak
+@@ -250,6 +250,7 @@ NEW_TESTS = \
+ test_plugin_man \
+ test_plugin_matchparen \
+ test_plugin_netrw \
++ test_plugin_python3complete \
+ test_plugin_osc52 \
+ test_plugin_tar \
+ test_plugin_termdebug \
+@@ -528,6 +529,7 @@ NEW_TESTS_RES = \
+ test_plugin_man.res \
+ test_plugin_matchparen.res \
+ test_plugin_netrw.res \
++ test_plugin_python3complete.res \
+ test_plugin_osc52.res \
+ test_plugin_tar.res \
+ test_plugin_termdebug.res \
+diff --git a/src/testdir/test_plugin_python3complete.vim b/src/testdir/test_plugin_python3complete.vim
+new file mode 100644
+index 0000000000..e2b0c6616d
+--- /dev/null
++++ b/src/testdir/test_plugin_python3complete.vim
+@@ -0,0 +1,224 @@
++" Tests for the Python omni-completion plugin (runtime/autoload/python3complete.vim).
++"
++CheckFeature python3
++
++" Run omni-completion against the given buffer contents and assert that the
++" marker file was not created. Pre-patch behaviour exec()s reconstructed
++" def/class headers, which evaluates the buffer-supplied expression and
++" creates the marker file. Post-patch, the expressions are stripped.
++func s:CompleteAndExpectNoMarker(buffer_lines, marker_path, msg)
++ call delete(a:marker_path)
++ defer delete(a:marker_path)
++ let g:pythoncomplete_allow_import = 0
++ new
++ setfiletype python
++ call setline(1, a:buffer_lines)
++ call cursor(line('$'), col([line('$'), '$']))
++
++ " The PoC trigger -- direct invocation of the omnifunc with an empty base.
++ " This is the same path Vim takes for CTRL-X CTRL-O.
++ silent! call python3complete#Complete(0, '')
++
++ call assert_false(filereadable(a:marker_path),
++ \ a:msg . ' (marker ' . a:marker_path . ' was created)')
++
++ bwipe!
++ unlet! g:pythoncomplete_allow_import
++endfunc
++
++func Test_python3complete_no_exec_via_function_default()
++ let marker = tempname()
++ call s:CompleteAndExpectNoMarker([
++ \ 'def f(x=open(' . string(marker) . ', "w").close()):',
++ \ ' pass',
++ \ 'f.',
++ \ ], marker,
++ \ 'function default expression was evaluated during omni-completion')
++endfunc
++
++func Test_python3complete_no_exec_via_function_annotation()
++ let marker = tempname()
++ call s:CompleteAndExpectNoMarker([
++ \ 'def f(x: open(' . string(marker) . ', "w").close()):',
++ \ ' pass',
++ \ 'f.',
++ \ ], marker,
++ \ 'function annotation expression was evaluated during omni-completion')
++endfunc
++
++func Test_python3complete_no_exec_via_class_base()
++ let marker = tempname()
++ " "or object" gives the class a valid base after the side-effecting
++ " open().close() expression returns None. Without "or object" the
++ " exec would raise TypeError, but the file would still be created
++ " before the exception -- the assertion would still hold. Using
++ " "or object" keeps the buffer parseable as valid Python.
++ call s:CompleteAndExpectNoMarker([
++ \ 'class Foo(open(' . string(marker) . ', "w").close() or object):',
++ \ ' pass',
++ \ 'Foo.',
++ \ ], marker,
++ \ 'class base expression was evaluated during omni-completion')
++endfunc
++
++func Test_python3complete_no_exec_with_multiple_params()
++ " The strip must apply to every parameter, not just the first.
++ let marker = tempname()
++ call s:CompleteAndExpectNoMarker([
++ \ 'def f(a, b=1, c=open(' . string(marker) . ', "w").close(), d=2):',
++ \ ' pass',
++ \ 'f.',
++ \ ], marker,
++ \ 'non-first parameter default was evaluated during omni-completion')
++endfunc
++
++func Test_python3complete_no_exec_via_starargs_default()
++ " "*args" and "**kw" must still be preserved after stripping; ensure a
++ " default following them is also stripped.
++ let marker = tempname()
++ call s:CompleteAndExpectNoMarker([
++ \ 'def f(*args, key=open(' . string(marker) . ', "w").close(), **kw):',
++ \ ' pass',
++ \ 'f.',
++ \ ], marker,
++ \ 'keyword-only default after *args was evaluated during omni-completion')
++endfunc
++
++func Test_python3complete_normal_completion_still_works()
++ " Positive control: completion against a buffer with a legitimate class
++ " must still produce completion items. The stripping logic should not
++ " break the normal completion path.
++ let g:pythoncomplete_allow_import = 0
++
++ new
++ setfiletype python
++ call setline(1, [
++ \ 'class MyHelper:',
++ \ ' def alpha(self): pass',
++ \ ' def beta(self): pass',
++ \ 'h = MyHelper()',
++ \ 'h.',
++ \ ])
++ call cursor(5, 3)
++
++ " First call returns the column to start completion at; second returns
++ " the list of completion items.
++ let start = python3complete#Complete(1, '')
++ call assert_true(start >= 0,
++ \ 'python3complete#Complete(1, "") returned ' . start)
++
++ let items = python3complete#Complete(0, '')
++ " Items should be a list (possibly empty if the parser can't resolve "h",
++ " but should not be a parse error from our stripping changes).
++ call assert_equal(type([]), type(items),
++ \ 'python3complete#Complete(0, "") did not return a list')
++
++ bwipe!
++ unlet! g:pythoncomplete_allow_import
++endfunc
++
++func Test_python3complete_inherited_completion_via_dotted_base()
++ " Positive control for the class-base whitelist: a dotted-name base class
++ " (the common, safe case) must still be carried into the reconstructed
++ " source so that completion on a subclass can resolve inherited members.
++ let g:pythoncomplete_allow_import = 0
++
++ new
++ setfiletype python
++ call setline(1, [
++ \ 'class Base:',
++ \ ' def shared(self): pass',
++ \ 'class Derived(Base):',
++ \ ' def own(self): pass',
++ \ 'd = Derived()',
++ \ 'd.',
++ \ ])
++ call cursor(6, 3)
++
++ let items = python3complete#Complete(0, '')
++ call assert_equal(type([]), type(items),
++ \ 'completion against a subclass with a dotted base did not return a list')
++
++ bwipe!
++ unlet! g:pythoncomplete_allow_import
++endfunc
++
++" Build a tiny Python module that creates a marker file as a side effect of
++" being imported, add its directory to sys.path, run omni-completion against
++" a buffer containing `import vimtest_marker_mod`, and report whether the
++" marker file was created. Used by the two allow_import tests below.
++func s:RunImportCompletion(allow_import_value)
++ let g:pythoncomplete_allow_import = a:allow_import_value
++ let marker = tempname()
++ let module_dir = tempname()
++ call mkdir(module_dir, 'R')
++
++ call writefile([
++ \ 'open(' . string(marker) . ', "w").close()',
++ \ ], module_dir . '/vimtest_marker_mod.py')
++
++ defer delete(marker)
++
++ " Pass module_dir to Python via a g: variable so vim.eval() can read it.
++ let g:pythoncomplete_test_module_dir = module_dir
++ py3 << EOF
++import sys, vim
++_p = vim.eval('g:pythoncomplete_test_module_dir')
++if _p not in sys.path:
++ sys.path.insert(0, _p)
++# Drop any cached copy so the module body re-runs and the marker side
++# effect fires on import.
++sys.modules.pop('vimtest_marker_mod', None)
++EOF
++
++ new
++ setfiletype python
++ call setline(1, [
++ \ 'import vimtest_marker_mod',
++ \ 'vimtest_marker_mod.',
++ \ ])
++ call cursor(2, 2)
++
++ silent! call python3complete#Complete(0, '')
++
++ let ran = filereadable(marker)
++
++ bwipe!
++ unlet g:pythoncomplete_allow_import
++
++ " Teardown: restore sys.path, drop the cached module so a subsequent
++ " test run starts clean, clean up the temp module dir.
++ py3 << EOF
++import sys, vim
++_p = vim.eval('g:pythoncomplete_test_module_dir')
++if _p in sys.path:
++ sys.path.remove(_p)
++sys.modules.pop('vimtest_marker_mod', None)
++EOF
++ unlet g:pythoncomplete_test_module_dir
++ call delete(module_dir, 'rf')
++ call delete(marker)
++ unlet! g:pythoncomplete_allow_import
++
++ return ran
++endfunc
++
++func Test_python3complete_allow_import_off_blocks_imports()
++ " GHSA-52mc-rq6p-rc7c mitigation: with the default flag value (0), an
++ " `import` line harvested from the buffer must NOT be exec()'d. The
++ " marker module's side effect (creating a file when its body runs) is
++ " the observable proof that the exec did or did not happen.
++ call assert_false(s:RunImportCompletion(0),
++ \ 'g:pythoncomplete_allow_import=0 did not block the buffer import')
++endfunc
++
++func Test_python3complete_allow_import_on_runs_imports()
++ " Symmetric positive control: with the flag set to non-zero, the harvested
++ " import IS exec()'d and the module loads. Without this control the
++ " negative test above could pass for unrelated reasons (e.g. completion
++ " failing to parse the buffer at all).
++ call assert_true(s:RunImportCompletion(1),
++ \ 'g:pythoncomplete_allow_import=1 did not run the buffer import')
++endfunc
++
++" vim: shiftwidth=2 sts=2 expandtab
+--
+2.34.1
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 6eafc53c746..e34cc17fe57 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -20,6 +20,9 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https;tag=v${PV}
file://CVE-2026-41411.patch \
file://CVE-2026-45130.patch \
file://CVE-2026-46483.patch \
+ file://CVE-2026-52858.patch \
+ file://CVE-2026-52859.patch \
+ file://CVE-2026-52860.patch \
"
PV .= ".0340"
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 17/18] xmlto: update SRC_URI
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (15 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 16/18] vim: Fix for CVE-2026-52858,CVE-2026-52859,CVE-2026-52860 Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 18/18] gnutls: fix CVE-2026-33846 Yoann Congal
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Ross Burton <ross.burton@arm.com>
xmlto was previously hosted on Fedora's pagure.io server, but this is
being decomissioned. As xmlto isn't Fedora-specific the repository has
migrated to codeberg.org.
>From discussion with Michal Schorm <mschorm@redhat.com>:
I became the new maintainer of the project upstream and after a
discussion with Kevin Fenzi, migrated it to a new home on the
codeberg.org: https://codeberg.org/xmlto/xmlto
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0046c780bf612aa7946023f8993c45f0c0b65c08)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
meta/recipes-devtools/xmlto/xmlto_0.0.29.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/xmlto/xmlto_0.0.29.bb b/meta/recipes-devtools/xmlto/xmlto_0.0.29.bb
index 613d7973ec1..c26cd21dd07 100644
--- a/meta/recipes-devtools/xmlto/xmlto_0.0.29.bb
+++ b/meta/recipes-devtools/xmlto/xmlto_0.0.29.bb
@@ -7,7 +7,7 @@ LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=59530bdf33659b29e73d4adb9f9f6552"
SRCREV = "74862a684907ada3d4ed2ce0f8111adf626e1456"
-SRC_URI = "git://pagure.io/xmlto.git;protocol=https;branch=master"
+SRC_URI = "git://codeberg.org/xmlto/xmlto.git;protocol=https;branch=master"
inherit autotools
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [OE-core][wrynose 18/18] gnutls: fix CVE-2026-33846
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
` (16 preceding siblings ...)
2026-07-10 16:36 ` [OE-core][wrynose 17/18] xmlto: update SRC_URI Yoann Congal
@ 2026-07-10 16:36 ` Yoann Congal
17 siblings, 0 replies; 20+ messages in thread
From: Yoann Congal @ 2026-07-10 16:36 UTC (permalink / raw)
To: openembedded-core
From: Pritam Srichandan Sahoo <PritamSrichandan.Sahoo@windriver.com>
Backport upstream fixes for DTLS handshake fragment reassembly
vulnerability (CVE-2026-33846).
Includes:
- 4f94e5cfe1f2: add basic DTLS fragment reassembly test
- 9deffca528c2: shorten merge_handshake_packet using recv_buf
- 65ab33fa54e3: add validation checks for DTLS fragment length and bounds
- cf3f1955e58c: add reproducer for DTLS fragment reassembly bug (#1816)
- bb427ff74dba: add fragmented ClientHello test coverage
- 092c65d004e2: match DTLS datagrams by handshake sequence number
- a2b41be83a1a: add test for mismatched message_seq handling (#1839)
- 68b2fb63c8df: link mini-dtls-fragments test to gnulib
These commits are included in gnutls 3.8.13 and are backported by
both Debian (gnutls28_3.8.9-3+deb13u4) and CentOS 10-stream
(gnutls-3.8.10-4.el10) using identical commit selection.
Signed-off-by: Pritam Srichandan Sahoo <PritamSrichandan.Sahoo@windriver.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
...fragments-implement-a-basic-DTLS-tes.patch | 258 ++++++++++++++++++
...merge_handshake_packet-using-recv_bu.patch | 96 +++++++
...s-add-more-checks-to-DTLS-reassembly.patch | 65 +++++
...fragments-extend-with-a-1816-reprodu.patch | 159 +++++++++++
...fragments-extend-with-fragmenting-Cl.patch | 149 ++++++++++
...ch-DTLS-datagrams-by-sequence-number.patch | 42 +++
...fragments-1839-mismatching-message_s.patch | 104 +++++++
...ts-mini-dtls-framents-link-to-gnulib.patch | 27 ++
meta/recipes-support/gnutls/gnutls_3.8.12.bb | 8 +
9 files changed, 908 insertions(+)
create mode 100644 meta/recipes-support/gnutls/gnutls/0001-tests-mini-dtls-fragments-implement-a-basic-DTLS-tes.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0002-buffers-shorten-merge_handshake_packet-using-recv_bu.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0003-buffers-add-more-checks-to-DTLS-reassembly.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0004-tests-mini-dtls-fragments-extend-with-a-1816-reprodu.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0005-tests-mini-dtls-fragments-extend-with-fragmenting-Cl.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0006-buffers-match-DTLS-datagrams-by-sequence-number.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0007-tests-mini-dtls-fragments-1839-mismatching-message_s.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/0008-tests-mini-dtls-framents-link-to-gnulib.patch
diff --git a/meta/recipes-support/gnutls/gnutls/0001-tests-mini-dtls-fragments-implement-a-basic-DTLS-tes.patch b/meta/recipes-support/gnutls/gnutls/0001-tests-mini-dtls-fragments-implement-a-basic-DTLS-tes.patch
new file mode 100644
index 00000000000..8519bb2d2d6
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0001-tests-mini-dtls-fragments-implement-a-basic-DTLS-tes.patch
@@ -0,0 +1,258 @@
+From 9dce4b38fd94997c0fb2b3e33e997d1c33256e0e Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 20 Mar 2026 16:09:40 +0100
+Subject: [PATCH 1/8] tests/mini-dtls-fragments: implement a basic DTLS test
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/4f94e5cfe1f252a431e41642b0752e7e0daf43b9]
+CVE: CVE-2026-33846
+Signed-off-by: Pritam Srichandan Sahoo <PritamSrichandan.Sahoo@windriver.com>
+---
+ tests/Makefile.am | 7 +-
+ tests/mini-dtls-fragments.c | 208 ++++++++++++++++++++++++++++++++++++
+ 2 files changed, 214 insertions(+), 1 deletion(-)
+ create mode 100644 tests/mini-dtls-fragments.c
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index db5aa4e3a..ee95198ff 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -241,7 +241,8 @@ ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniquei
+ x509cert-dntypes id-on-xmppAddr tls13-compat-mode ciphersuite-name \
+ x509-upnconstraint xts-key-check cipher-padding pkcs7-verify-double-free \
+ fips-rsa-sizes tls12-rehandshake-ticket pathbuf tls-force-ems \
+- psk-importer privkey-derive dh-compute2 ecdh-compute2
++ psk-importer privkey-derive dh-compute2 ecdh-compute2 \
++ mini-dtls-fragments
+
+ ctests += tls-channel-binding
+
+@@ -505,6 +506,10 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \
+ -I$(top_srcdir)/gl \
+ -I$(top_builddir)/gl
+
++mini_dtls_fragments_CPPFLAGS = $(AM_CPPFLAGS) \
++ -I$(top_srcdir)/gl \
++ -I$(top_builddir)/gl
++
+ if ENABLE_PKCS11
+ if !WINDOWS
+ ctests += tls13/post-handshake-with-cert-pkcs11 pkcs11/tls-neg-pkcs11-no-key \
+diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c
+new file mode 100644
+index 000000000..ee75feeb6
+--- /dev/null
++++ b/tests/mini-dtls-fragments.c
+@@ -0,0 +1,208 @@
++/*
++ * Copyright (C) 2026 Red Hat, Inc.
++ *
++ * Author: Alexander Sosedkin
++ *
++ * This file is part of GnuTLS.
++ *
++ * GnuTLS is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuTLS is distributed in the hope that it will be useful, but
++ * WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program. If not, see <https://www.gnu.org/licenses/>
++ */
++
++#ifdef HAVE_CONFIG_H
++#include "config.h"
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++
++#if defined(_WIN32)
++
++int main(void)
++{
++ exit(77);
++}
++
++#else
++
++#include <assert.h>
++#include <errno.h>
++#include <stdbool.h>
++#include <stdint.h>
++#include <string.h>
++#include <gnutls/gnutls.h>
++#include <gnutls/dtls.h>
++#include "cert-common.h"
++#include "utils.h"
++
++#include "attribute.h"
++
++static void server_log_func(int level, const char *str)
++{
++ fprintf(stderr, "server|<%d>| %s", level, str);
++}
++
++static void client_log_func(int level, const char *str)
++{
++ fprintf(stderr, "client|<%d>| %s", level, str);
++}
++
++#define QUEUE_SIZE 1024
++#define PACKET_SIZE 2048
++
++typedef struct {
++ uint8_t buf[PACKET_SIZE];
++ size_t len;
++} packet_t;
++typedef struct {
++ packet_t packets[QUEUE_SIZE];
++ size_t head;
++ size_t tail;
++} queue_t;
++
++static queue_t c2s, s2c;
++
++static int queue_put(queue_t *q, const void *buf, size_t len)
++{
++ assert(len <= PACKET_SIZE);
++ memcpy(q->packets[q->tail].buf, buf, len);
++ q->packets[q->tail].len = len;
++ q->tail++;
++ q->tail %= QUEUE_SIZE;
++ assert(q->tail != q->head);
++ return len;
++}
++
++static ssize_t queue_get(queue_t *q, gnutls_session_t s, void *buf, size_t len)
++{
++ if (q->head == q->tail) {
++ gnutls_transport_set_errno(s, EAGAIN);
++ return -1;
++ }
++ size_t n = q->packets[q->head].len;
++ memcpy(buf, q->packets[q->head].buf, n);
++ q->head++;
++ q->head %= QUEUE_SIZE;
++ return n;
++}
++
++static void queue_reset(queue_t *q)
++{
++ q->head = q->tail = 0;
++}
++
++static int pull_timeout(gnutls_transport_ptr_t tr, unsigned ms)
++{
++ return 1;
++}
++
++static ssize_t server_pull(gnutls_transport_ptr_t tr, void *b, size_t l)
++{
++ return queue_get(&c2s, (gnutls_session_t)tr, b, l);
++}
++
++static ssize_t client_pull(gnutls_transport_ptr_t tr, void *b, size_t l)
++{
++ return queue_get(&s2c, (gnutls_session_t)tr, b, l);
++}
++
++static ssize_t server_push(gnutls_transport_ptr_t tr, const void *b, size_t l)
++{
++ return queue_put(&s2c, b, l);
++}
++
++static ssize_t client_push_normal(gnutls_transport_ptr_t tr, const void *b,
++ size_t l)
++{
++ return queue_put(&c2s, b, l);
++}
++
++static void test(gnutls_push_func client_push)
++{
++ gnutls_session_t client, server;
++ gnutls_certificate_credentials_t ccred, scred;
++ int cr = 0, sr = 0;
++ bool cdone = false, sdone = false;
++
++ if (debug)
++ gnutls_global_set_log_level(4711);
++
++ gnutls_certificate_allocate_credentials(&scred);
++ gnutls_certificate_set_x509_key_mem(scred, &server_cert, &server_key,
++ GNUTLS_X509_FMT_PEM);
++ gnutls_certificate_allocate_credentials(&ccred);
++
++ gnutls_init(&server, GNUTLS_SERVER | GNUTLS_DATAGRAM);
++ gnutls_init(&client, GNUTLS_CLIENT | GNUTLS_DATAGRAM);
++
++ gnutls_priority_set_direct(server, "NORMAL:-VERS-ALL:+VERS-DTLS1.2",
++ NULL);
++ gnutls_priority_set_direct(client, "NORMAL:-VERS-ALL:+VERS-DTLS1.2",
++ NULL);
++
++ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
++ gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE, ccred);
++
++ gnutls_dtls_set_timeouts(client, get_dtls_retransmit_timeout(),
++ get_timeout());
++ gnutls_dtls_set_timeouts(server, get_dtls_retransmit_timeout(),
++ get_timeout());
++
++ gnutls_transport_set_ptr(client, client);
++ gnutls_transport_set_push_function(client, client_push);
++ gnutls_transport_set_pull_function(client, client_pull);
++ gnutls_transport_set_pull_timeout_function(client, pull_timeout);
++
++ gnutls_transport_set_ptr(server, server);
++ gnutls_transport_set_push_function(server, server_push);
++ gnutls_transport_set_pull_function(server, server_pull);
++ gnutls_transport_set_pull_timeout_function(server, pull_timeout);
++
++ while (!cdone || !sdone) {
++ gnutls_global_set_log_function(client_log_func);
++ if (!cdone)
++ cr = gnutls_handshake(client);
++ if (!cr || gnutls_error_is_fatal(cr))
++ cdone = true;
++
++ gnutls_global_set_log_function(server_log_func);
++ if (!sdone)
++ sr = gnutls_handshake(server);
++ if (!sr || gnutls_error_is_fatal(sr))
++ sdone = true;
++ }
++
++ if (cr)
++ fail("client: %s\n", gnutls_strerror(cr));
++ if (sr)
++ fail("server: %s\n", gnutls_strerror(sr));
++
++ success("OK\n");
++
++ queue_reset(&c2s);
++ queue_reset(&s2c);
++
++ gnutls_deinit(client);
++ gnutls_deinit(server);
++ gnutls_certificate_free_credentials(ccred);
++ gnutls_certificate_free_credentials(scred);
++}
++
++void doit(void)
++{
++ global_init();
++ test(client_push_normal);
++ gnutls_global_deinit();
++}
++
++#endif /* _WIN32 */
+--
+2.53.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/0002-buffers-shorten-merge_handshake_packet-using-recv_bu.patch b/meta/recipes-support/gnutls/gnutls/0002-buffers-shorten-merge_handshake_packet-using-recv_bu.patch
new file mode 100644
index 00000000000..aaf51992c27
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0002-buffers-shorten-merge_handshake_packet-using-recv_bu.patch
@@ -0,0 +1,96 @@
+From 3ff7f6be9bb08463dd06765ab501430c4965ee05 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 17 Apr 2026 17:49:31 +0200
+Subject: [PATCH 2/8] buffers: shorten merge_handshake_packet using recv_buf
+
+I had vague concerns about thread-safety of this,
+but then this pattern already exists within the file.
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/9deffca528c23bbb218f5ec3bd4bb1bf4cbd1fc0]
+CVE: CVE-2026-33846
+Signed-off-by: Pritam Srichandan Sahoo <PritamSrichandan.Sahoo@windriver.com>
+---
+ lib/buffers.c | 52 +++++++++++++++++----------------------------------
+ 1 file changed, 17 insertions(+), 35 deletions(-)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index 672380b05..d54c77022 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -967,9 +967,11 @@ static int merge_handshake_packet(gnutls_session_t session,
+ int exists = 0, i, pos = 0;
+ int ret;
+
++ handshake_buffer_st *recv_buf =
++ session->internals.handshake_recv_buffer;
++
+ for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
+- if (session->internals.handshake_recv_buffer[i].htype ==
+- hsk->htype) {
++ if (recv_buf[i].htype == hsk->htype) {
+ exists = 1;
+ pos = i;
+ break;
+@@ -1005,44 +1007,24 @@ static int merge_handshake_packet(gnutls_session_t session,
+ _gnutls_write_uint24(0, &hsk->header[6]);
+ _gnutls_write_uint24(hsk->length, &hsk->header[9]);
+
+- _gnutls_handshake_buffer_move(
+- &session->internals.handshake_recv_buffer[pos], hsk);
++ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
+
+ } else {
+- if (hsk->start_offset <
+- session->internals.handshake_recv_buffer[pos]
+- .start_offset &&
+- hsk->end_offset + 1 >=
+- session->internals.handshake_recv_buffer[pos]
+- .start_offset) {
+- memcpy(&session->internals.handshake_recv_buffer[pos]
+- .data.data[hsk->start_offset],
++ if (hsk->start_offset < recv_buf[pos].start_offset &&
++ hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+ hsk->data.data, hsk->data.length);
+- session->internals.handshake_recv_buffer[pos]
+- .start_offset = hsk->start_offset;
+- session->internals.handshake_recv_buffer[pos]
+- .end_offset = MIN(
+- hsk->end_offset,
+- session->internals.handshake_recv_buffer[pos]
+- .end_offset);
+- } else if (hsk->end_offset >
+- session->internals.handshake_recv_buffer[pos]
+- .end_offset &&
+- hsk->start_offset <=
+- session->internals.handshake_recv_buffer[pos]
+- .end_offset +
+- 1) {
+- memcpy(&session->internals.handshake_recv_buffer[pos]
+- .data.data[hsk->start_offset],
++ recv_buf[pos].start_offset = hsk->start_offset;
++ recv_buf[pos].end_offset =
++ MIN(hsk->end_offset, recv_buf[pos].end_offset);
++ } else if (hsk->end_offset > recv_buf[pos].end_offset &&
++ hsk->start_offset <= recv_buf[pos].end_offset + 1) {
++ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+ hsk->data.data, hsk->data.length);
+
+- session->internals.handshake_recv_buffer[pos]
+- .end_offset = hsk->end_offset;
+- session->internals.handshake_recv_buffer[pos]
+- .start_offset = MIN(
+- hsk->start_offset,
+- session->internals.handshake_recv_buffer[pos]
+- .start_offset);
++ recv_buf[pos].end_offset = hsk->end_offset;
++ recv_buf[pos].start_offset = MIN(
++ hsk->start_offset, recv_buf[pos].start_offset);
+ }
+ _gnutls_handshake_buffer_clear(hsk);
+ }
+--
+2.53.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/0003-buffers-add-more-checks-to-DTLS-reassembly.patch b/meta/recipes-support/gnutls/gnutls/0003-buffers-add-more-checks-to-DTLS-reassembly.patch
new file mode 100644
index 00000000000..d9c3c0d3c68
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0003-buffers-add-more-checks-to-DTLS-reassembly.patch
@@ -0,0 +1,65 @@
+From dcd891a02e11dc13417800042d5272777fca0e97 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Fri, 17 Apr 2026 18:21:36 +0200
+Subject: [PATCH 3/8] buffers: add more checks to DTLS reassembly
+
+Previously, gnutls didn't check that DTLS fragments claimed
+a consistent message_length value.
+Additionally, a crucial array size check was missing,
+enabling an attacker to cause a heap overwrite.
+The updated version rejects fragments with mismatching length
+and adds a missing boundary check.
+
+Reported-by: Haruto Kimura (Stella)
+Reported-by: Oscar Reparaz
+Reported-by: Zou Dikai
+Fixes: #1816
+Fixes: #1838
+Fixes: #1839
+Fixes: CVE-2026-33846
+Fixes: GNUTLS-SA-2026-04-29-1
+CVSS: 7.4 High CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
+CVSS: 7.5 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/65ab33fa54e34fba69d793735b7df3d383d1ff78]
+CVE: CVE-2026-33846
+Signed-off-by: Pritam Srichandan Sahoo <PritamSrichandan.Sahoo@windriver.com>
+---
+ lib/buffers.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index d54c77022..5d4d16276 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -1010,6 +1010,26 @@ static int merge_handshake_packet(gnutls_session_t session,
+ _gnutls_handshake_buffer_move(&recv_buf[pos], hsk);
+
+ } else {
++ if (hsk->length != recv_buf[pos].length) {
++ /* inconsistent across fragments */
++ _gnutls_handshake_buffer_clear(hsk);
++ return gnutls_assert_val(
++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++ }
++ /* start_offset + data.length <= hsk->length <= max_length */
++ if (hsk->length < hsk->start_offset + hsk->data.length) {
++ /* impossible claims, overflow requested */
++ _gnutls_handshake_buffer_clear(hsk);
++ return gnutls_assert_val(
++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++ }
++ if (hsk->length > recv_buf[pos].data.max_length) {
++ /* we don't have this much allocated, overflow guard */
++ _gnutls_handshake_buffer_clear(hsk);
++ return gnutls_assert_val(
++ GNUTLS_E_UNEXPECTED_PACKET_LENGTH);
++ }
++
+ if (hsk->start_offset < recv_buf[pos].start_offset &&
+ hsk->end_offset + 1 >= recv_buf[pos].start_offset) {
+ memcpy(&recv_buf[pos].data.data[hsk->start_offset],
+--
+2.53.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/0004-tests-mini-dtls-fragments-extend-with-a-1816-reprodu.patch b/meta/recipes-support/gnutls/gnutls/0004-tests-mini-dtls-fragments-extend-with-a-1816-reprodu.patch
new file mode 100644
index 00000000000..9b4760450fa
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0004-tests-mini-dtls-fragments-extend-with-a-1816-reprodu.patch
@@ -0,0 +1,159 @@
+From 2fa72585f927d340827eccdf91bb69cf60ac169e Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Wed, 1 Apr 2026 19:51:45 +0200
+Subject: [PATCH 4/8] tests/mini-dtls-fragments: extend with a #1816 reproducer
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/cf3f1955e58cbcc10373b841bb101fb058565d87]
+CVE: CVE-2026-33846
+Signed-off-by: Pritam Srichandan Sahoo <PritamSrichandan.Sahoo@windriver.com>
+---
+ tests/mini-dtls-fragments.c | 120 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 120 insertions(+)
+
+diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c
+index ee75feeb6..8d5a18acd 100644
+--- a/tests/mini-dtls-fragments.c
++++ b/tests/mini-dtls-fragments.c
+@@ -106,6 +106,11 @@ static int pull_timeout(gnutls_transport_ptr_t tr, unsigned ms)
+ return 1;
+ }
+
++static int c2s_pull_timeout_once(gnutls_transport_ptr_t tr, unsigned ms)
++{
++ return c2s.head != c2s.tail ? 1 : 0;
++}
++
+ static ssize_t server_pull(gnutls_transport_ptr_t tr, void *b, size_t l)
+ {
+ return queue_get(&c2s, (gnutls_session_t)tr, b, l);
+@@ -198,10 +203,125 @@ static void test(gnutls_push_func client_push)
+ gnutls_certificate_free_credentials(scred);
+ }
+
++static void test_malicious1816(void)
++{
++ /* dgram1: msg_len=50, frag_offset=25, frag_len=25 */
++ static const uint8_t dgram1_hdr[] = {
++ 0x16, /* type: handshake */
++ 0xfe, 0xfd, /* version: DTLS 1.2 */
++ 0x00, 0x00, /* epoch: 0 */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* seq: 0 */
++ 0x00, 0x25, /* record_length: 37 */
++ 0x01, /* msg_type: ClientHello */
++ 0x00, 0x00, 0x32, /* msg_length: 50 */
++ 0x00, 0x00, /* msg_seq: 0 */
++ 0x00, 0x00, 0x19, /* frag_offset: 25 */
++ 0x00, 0x00, 0x19, /* frag_length: 25 */
++ };
++ /* dgram2: msg_len=3000, frag_offset=0, frag_len=48 */
++ static const uint8_t dgram2_hdr[] = {
++ 0x16, /* type: handshake */
++ 0xfe, 0xfd, /* version: DTLS 1.2 */
++ 0x00, 0x00, /* epoch: 0 */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, /* seq: 1 */
++ 0x00, 0x3c, /* record_length: 60 */
++ 0x01, /* msg_type: ClientHello */
++ 0x00, 0x0b, 0xb8, /* msg_length: 3000 */
++ 0x00, 0x00, /* msg_seq: 0 */
++ 0x00, 0x00, 0x00, /* frag_offset: 0 */
++ 0x00, 0x00, 0x30, /* frag_length: 48 */
++ };
++ /* dgram3: msg_len=3000, frag_offset=40, frag_len=1475 */
++ static const uint8_t dgram3_hdr[] = {
++ 0x16, /* type: handshake */
++ 0xfe, 0xfd, /* version: DTLS 1.2 */
++ 0x00, 0x00, /* epoch: 0 */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, /* seq: 2 */
++ 0x05, 0xcf, /* record_length: 1487 */
++ 0x01, /* msg_type: ClientHello */
++ 0x00, 0x0b, 0xb8, /* msg_length: 3000 */
++ 0x00, 0x00, /* msg_seq: 0 */
++ 0x00, 0x00, 0x28, /* frag_offset: 40 */
++ 0x00, 0x05, 0xc3, /* frag_length: 1475 */
++ };
++ /* dgram4: msg_len=3000, frag_offset=1500, frag_len=1475 */
++ static const uint8_t dgram4_hdr[] = {
++ 0x16, /* type: handshake */
++ 0xfe, 0xfd, /* version: DTLS 1.2 */
++ 0x00, 0x00, /* epoch: 0 */
++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, /* seq: 3 */
++ 0x05, 0xcf, /* record_length: 1487 */
++ 0x01, /* msg_type: ClientHello */
++ 0x00, 0x0b, 0xb8, /* msg_length: 3000 */
++ 0x00, 0x00, /* msg_seq: 0 */
++ 0x00, 0x05, 0xdc, /* frag_offset: 1500 */
++ 0x00, 0x05, 0xc3, /* frag_length: 1475 */
++ };
++ gnutls_session_t server;
++ gnutls_certificate_credentials_t scred;
++ uint8_t dgram[1500];
++ int sr;
++
++ if (debug)
++ gnutls_global_set_log_level(4711);
++
++ gnutls_certificate_allocate_credentials(&scred);
++ gnutls_certificate_set_x509_key_mem(scred, &server_cert, &server_key,
++ GNUTLS_X509_FMT_PEM);
++
++ gnutls_init(&server, GNUTLS_SERVER | GNUTLS_DATAGRAM);
++ gnutls_priority_set_direct(server, "NORMAL:+VERS-DTLS1.2", NULL);
++ gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE, scred);
++
++ gnutls_dtls_set_timeouts(server, get_dtls_retransmit_timeout(),
++ get_timeout());
++
++ gnutls_transport_set_ptr(server, server);
++ gnutls_transport_set_push_function(server, server_push);
++ gnutls_transport_set_pull_function(server, server_pull);
++ gnutls_transport_set_pull_timeout_function(server,
++ c2s_pull_timeout_once);
++
++ memset(dgram, 0, sizeof(dgram));
++ memcpy(dgram, dgram1_hdr, 25);
++ queue_put(&c2s, dgram, 25 + 25);
++
++ memset(dgram, 0, sizeof(dgram));
++ memcpy(dgram, dgram2_hdr, 25);
++ queue_put(&c2s, dgram, 25 + 48);
++
++ memset(dgram, 0, sizeof(dgram));
++ memcpy(dgram, dgram3_hdr, 25);
++ queue_put(&c2s, dgram, 25 + 1475);
++
++ memset(dgram, 0, sizeof(dgram));
++ memcpy(dgram, dgram4_hdr, 25);
++ queue_put(&c2s, dgram, 25 + 1475);
++
++ gnutls_global_set_log_function(server_log_func);
++ do {
++ sr = gnutls_handshake(server); /* invalid write if vulnerable */
++ } while (c2s.head != c2s.tail && !gnutls_error_is_fatal(sr));
++ if (sr != GNUTLS_E_UNEXPECTED_PACKET_LENGTH)
++ fail("server: expected GNUTLS_E_UNEXPECTED_PACKET_LENGTH, "
++ "got: %s\n",
++ gnutls_strerror(sr));
++
++ success("OK\n");
++
++ queue_reset(&c2s);
++ queue_reset(&s2c);
++
++ gnutls_deinit(server);
++ gnutls_certificate_free_credentials(scred);
++}
++
+ void doit(void)
+ {
+ global_init();
+ test(client_push_normal);
++ success("malicious reassembly bug exploitation (#1816):\n");
++ test_malicious1816();
+ gnutls_global_deinit();
+ }
+
+--
+2.53.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/0005-tests-mini-dtls-fragments-extend-with-fragmenting-Cl.patch b/meta/recipes-support/gnutls/gnutls/0005-tests-mini-dtls-fragments-extend-with-fragmenting-Cl.patch
new file mode 100644
index 00000000000..83c201926d1
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0005-tests-mini-dtls-fragments-extend-with-fragmenting-Cl.patch
@@ -0,0 +1,149 @@
+From cee203d6ba4d49332a49e46a7d59e9ef7b33a741 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 20 Apr 2026 16:08:11 +0200
+Subject: [PATCH 5/8] tests/mini-dtls-fragments: extend with fragmenting
+ ClientHello
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/bb427ff74dba849d40753ed9c8511e873f762743]
+CVE: CVE-2026-33846
+Signed-off-by: Pritam Srichandan Sahoo <PritamSrichandan.Sahoo@windriver.com>
+---
+ tests/mini-dtls-fragments.c | 107 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 107 insertions(+)
+
+diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c
+index 8d5a18acd..93490bac2 100644
+--- a/tests/mini-dtls-fragments.c
++++ b/tests/mini-dtls-fragments.c
+@@ -132,6 +132,39 @@ static ssize_t client_push_normal(gnutls_transport_ptr_t tr, const void *b,
+ return queue_put(&c2s, b, l);
+ }
+
++static void write_u16(uint8_t *p, uint16_t val)
++{
++ p[0] = val >> 8;
++ p[1] = val & 0xff;
++}
++
++static void write_u24(uint8_t *p, uint32_t val)
++{
++ p[0] = (val >> 16) & 0xff;
++ p[1] = (val >> 8) & 0xff;
++ p[2] = val & 0xff;
++}
++
++static void write_u48(uint8_t *p, uint64_t seq)
++{
++ int i;
++ for (i = 5; i >= 0; i--) {
++ p[i] = seq & 0xff;
++ seq >>= 8;
++ }
++}
++
++static uint64_t read_u48(const uint8_t *p)
++{
++ uint64_t seq = 0;
++ int i;
++ for (i = 5; i >= 0; i--) {
++ seq <<= 8;
++ seq |= p[i];
++ }
++ return seq;
++}
++
+ static void test(gnutls_push_func client_push)
+ {
+ gnutls_session_t client, server;
+@@ -316,12 +349,86 @@ static void test_malicious1816(void)
+ gnutls_certificate_free_credentials(scred);
+ }
+
++static ssize_t queue_put_renumbered(queue_t *q, const uint8_t *data, size_t l,
++ int delta_n)
++{
++ if (delta_n == 0 || l < 13 || data[3] != 0 || data[4] != 0)
++ return queue_put(&c2s, data, l);
++
++ uint8_t *p = malloc(l);
++ assert(p);
++ memcpy(p, data, l);
++ write_u48(p + 5, read_u48(p + 5) + delta_n);
++ ssize_t ret = queue_put(q, p, l);
++ free(p);
++ return ret;
++}
++
++static void split_client_hello(const uint8_t *data, size_t len, uint8_t **frag1,
++ size_t *frag1_len, uint8_t **frag2,
++ size_t *frag2_len)
++{
++ size_t body_size = len - 25;
++ *frag1_len = 13 + 12 + 1;
++ *frag2_len = 13 + 12 + (body_size - 1);
++
++ *frag1 = malloc(13 + 12 + 1);
++ assert(*frag1);
++ *frag2 = malloc(13 + 12 + body_size - 1);
++ assert(*frag2);
++
++ /* first fragment: record header + handshake header + first body byte */
++ memcpy(*frag1, data, 13); /* record header */
++ write_u16(*frag1 + 11, 12 + 1); /* record length */
++ memcpy(*frag1 + 13, data + 13, 12); /* handshake header */
++ write_u24(*frag1 + 19, 0); /* fragment_offset = 0 */
++ write_u24(*frag1 + 22, 1); /* fragment_length = 1 */
++ (*frag1)[25] = data[25]; /* first body byte */
++
++ /* second fragment: record header + handshake header + remaining body */
++ memcpy(*frag2, data, 13); /* record header */
++ write_u16(*frag2 + 11, *frag2_len - 13); /* record length */
++ write_u48(*frag2 + 5, read_u48(*frag2 + 5) + 1); /* sequence number */
++ memcpy(*frag2 + 13, data + 13, 12); /* handshake header */
++ write_u24(*frag2 + 19, 1); /* fragment_offset = 1 */
++ write_u24(*frag2 + 22, body_size - 1); /* shortened fragment_length */
++ memcpy(*frag2 + 25, data + 26, body_size - 1); /* remaining body */
++}
++
++static ssize_t client_push_split_hello(gnutls_transport_ptr_t tr, const void *b,
++ size_t l)
++{
++ static int seq_offset = 0; /* for renumbering follow-up epoch0 ones */
++
++ const uint8_t *data = (const uint8_t *)b;
++ uint8_t *frag1, *frag2;
++ size_t frag1_len, frag2_len;
++
++ /* Pass through anything that isn't an epoch0 ClientHello with body */
++ if (l < 13 + 12 + 1 || /* too short for DTLS record header */
++ data[0] != 22 || /* not a handshake record */
++ data[3] != 0 || data[4] != 0 || /* not epoch 0 */
++ data[13] != 1) /* not ClientHello */
++ return queue_put_renumbered(&c2s, b, l, seq_offset);
++
++ /* epoch0 Client Hello: special treatment of splitting into fragments */
++ split_client_hello(data, l, &frag1, &frag1_len, &frag2, &frag2_len);
++ queue_put(&c2s, frag1, frag1_len);
++ queue_put(&c2s, frag2, frag2_len);
++ free(frag1);
++ free(frag2);
++ seq_offset++;
++ return l;
++}
++
+ void doit(void)
+ {
+ global_init();
+ test(client_push_normal);
+ success("malicious reassembly bug exploitation (#1816):\n");
+ test_malicious1816();
++ success("split client hello smoke-test\n");
++ test(client_push_split_hello);
+ gnutls_global_deinit();
+ }
+
+--
+2.53.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/0006-buffers-match-DTLS-datagrams-by-sequence-number.patch b/meta/recipes-support/gnutls/gnutls/0006-buffers-match-DTLS-datagrams-by-sequence-number.patch
new file mode 100644
index 00000000000..16272915129
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0006-buffers-match-DTLS-datagrams-by-sequence-number.patch
@@ -0,0 +1,42 @@
+From bd8f76ce12a57962a62ce2818a6263fb04304c3f Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 20 Apr 2026 16:32:02 +0200
+Subject: [PATCH 6/8] buffers: match DTLS datagrams by sequence number
+
+DTLS handshake fragment reassembly previously matched incoming fragments
+by handshake type only, without checking the sequence number.
+This allowed fragments from different handshake messages
+to be merged into the same reassembly buffer.
+
+Now sequence number is accounted for during reassembly,
+ensuring fragments are only merged when they belong
+to the same handshake message.
+
+Reported-by: Zou Dikai
+Fixes: #1839
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/092c65d004e2f125f2fea3db84d801ac49a09f78]
+CVE: CVE-2026-33846
+Signed-off-by: Pritam Srichandan Sahoo <PritamSrichandan.Sahoo@windriver.com>
+---
+ lib/buffers.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/buffers.c b/lib/buffers.c
+index 5d4d16276..62f140ed3 100644
+--- a/lib/buffers.c
++++ b/lib/buffers.c
+@@ -971,7 +971,8 @@ static int merge_handshake_packet(gnutls_session_t session,
+ session->internals.handshake_recv_buffer;
+
+ for (i = 0; i < session->internals.handshake_recv_buffer_size; i++) {
+- if (recv_buf[i].htype == hsk->htype) {
++ if (recv_buf[i].htype == hsk->htype &&
++ recv_buf[i].sequence == hsk->sequence) {
+ exists = 1;
+ pos = i;
+ break;
+--
+2.53.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/0007-tests-mini-dtls-fragments-1839-mismatching-message_s.patch b/meta/recipes-support/gnutls/gnutls/0007-tests-mini-dtls-fragments-1839-mismatching-message_s.patch
new file mode 100644
index 00000000000..34bae2f57bf
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0007-tests-mini-dtls-fragments-1839-mismatching-message_s.patch
@@ -0,0 +1,104 @@
+From f7a5e7f3a7d05c7d558abd2f56f86e4c201be48b Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 20 Apr 2026 16:36:08 +0200
+Subject: [PATCH 7/8] tests/mini-dtls-fragments: #1839 mismatching message_seq
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/a2b41be83a1a3529c551ccf54958da91a656550e]
+CVE: CVE-2026-33846
+Signed-off-by: Pritam Srichandan Sahoo <PritamSrichandan.Sahoo@windriver.com>
+---
+ tests/mini-dtls-fragments.c | 54 ++++++++++++++++++++++++++++++++-----
+ 1 file changed, 47 insertions(+), 7 deletions(-)
+
+diff --git a/tests/mini-dtls-fragments.c b/tests/mini-dtls-fragments.c
+index 93490bac2..499a92a92 100644
+--- a/tests/mini-dtls-fragments.c
++++ b/tests/mini-dtls-fragments.c
+@@ -165,7 +165,7 @@ static uint64_t read_u48(const uint8_t *p)
+ return seq;
+ }
+
+-static void test(gnutls_push_func client_push)
++static void test(gnutls_push_func client_push, bool expect_success)
+ {
+ gnutls_session_t client, server;
+ gnutls_certificate_credentials_t ccred, scred;
+@@ -218,12 +218,22 @@ static void test(gnutls_push_func client_push)
+ sr = gnutls_handshake(server);
+ if (!sr || gnutls_error_is_fatal(sr))
+ sdone = true;
++
++ if (c2s.head == c2s.tail && s2c.head == s2c.tail)
++ break; /* speed the test up */
+ }
+
+- if (cr)
+- fail("client: %s\n", gnutls_strerror(cr));
+- if (sr)
+- fail("server: %s\n", gnutls_strerror(sr));
++ if (expect_success) {
++ if (cr)
++ fail("client: %s\n", gnutls_strerror(cr));
++ if (sr)
++ fail("server: %s\n", gnutls_strerror(sr));
++
++ } else {
++ if (cr == 0 && sr == 0)
++ fail("handshake unexpectedly succeeded: %s / %s\n",
++ gnutls_strerror(cr), gnutls_strerror(sr));
++ }
+
+ success("OK\n");
+
+@@ -421,14 +431,44 @@ static ssize_t client_push_split_hello(gnutls_transport_ptr_t tr, const void *b,
+ return l;
+ }
+
++static ssize_t client_push_split_hello_bad_seq(gnutls_transport_ptr_t tr,
++ const void *b, size_t l)
++{
++ /* gnutls wasn't matching on message_seq on merging, see #1839 */
++ static int seq_offset = 0; /* for renumbering follow-up epoch0 ones */
++
++ const uint8_t *data = (const uint8_t *)b;
++ uint8_t *frag1, *frag2;
++ size_t frag1_len, frag2_len;
++
++ /* Pass through anything that isn't an epoch0 ClientHello with body */
++ if (l < 13 + 12 + 1 || /* too short for DTLS record header */
++ data[0] != 22 || /* not a handshake record */
++ data[3] != 0 || data[4] != 0 || /* not epoch 0 */
++ data[13] != 1) /* not ClientHello */
++ return queue_put_renumbered(&c2s, b, l, seq_offset);
++
++ /* epoch0 Client Hello: special treatment of splitting into fragments */
++ split_client_hello(data, l, &frag1, &frag1_len, &frag2, &frag2_len);
++ queue_put(&c2s, frag1, frag1_len);
++ frag2[18]++; /* WRONG, message_seq mismatch must be rejected, #1839 */
++ queue_put(&c2s, frag2, frag2_len);
++ free(frag1);
++ free(frag2);
++ seq_offset++;
++ return l;
++}
++
+ void doit(void)
+ {
+ global_init();
+- test(client_push_normal);
++ test(client_push_normal, true);
+ success("malicious reassembly bug exploitation (#1816):\n");
+ test_malicious1816();
+ success("split client hello smoke-test\n");
+- test(client_push_split_hello);
++ test(client_push_split_hello, true);
++ success("split client hello smoke-test and mangle sequence number\n");
++ test(client_push_split_hello_bad_seq, false);
+ gnutls_global_deinit();
+ }
+
+--
+2.53.0
+
diff --git a/meta/recipes-support/gnutls/gnutls/0008-tests-mini-dtls-framents-link-to-gnulib.patch b/meta/recipes-support/gnutls/gnutls/0008-tests-mini-dtls-framents-link-to-gnulib.patch
new file mode 100644
index 00000000000..9c4cfa8a944
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/0008-tests-mini-dtls-framents-link-to-gnulib.patch
@@ -0,0 +1,27 @@
+From ed40056cdcfdf9ff815f4e2df93f0a263769a563 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Thu, 30 Apr 2026 13:08:01 +0200
+Subject: [PATCH 8/8] tests/mini-dtls-framents: link to gnulib
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://github.com/gnutls/gnutls/commit/68b2fb63c8df61d1480121a859f8c955f4910c01]
+Signed-off-by: Pritam Srichandan Sahoo <PritamSrichandan.Sahoo@windriver.com>
+---
+ tests/Makefile.am | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -509,6 +509,7 @@ pathbuf_CPPFLAGS = $(AM_CPPFLAGS) \
+ mini_dtls_fragments_CPPFLAGS = $(AM_CPPFLAGS) \
+ -I$(top_srcdir)/gl \
+ -I$(top_builddir)/gl
++mini_dtls_fragments_LDADD = $(LDADD) ../gl/libgnu.la
+
+ if ENABLE_PKCS11
+ if !WINDOWS
+--
+2.53.0
+
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.12.bb b/meta/recipes-support/gnutls/gnutls_3.8.12.bb
index 8554ab943d6..b92470768c2 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.12.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.12.bb
@@ -24,6 +24,14 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://run-ptest \
file://Add-ptest-support.patch \
file://c99.patch \
+ file://0001-tests-mini-dtls-fragments-implement-a-basic-DTLS-tes.patch \
+ file://0002-buffers-shorten-merge_handshake_packet-using-recv_bu.patch \
+ file://0003-buffers-add-more-checks-to-DTLS-reassembly.patch \
+ file://0004-tests-mini-dtls-fragments-extend-with-a-1816-reprodu.patch \
+ file://0005-tests-mini-dtls-fragments-extend-with-fragmenting-Cl.patch \
+ file://0006-buffers-match-DTLS-datagrams-by-sequence-number.patch \
+ file://0007-tests-mini-dtls-fragments-1839-mismatching-message_s.patch \
+ file://0008-tests-mini-dtls-framents-link-to-gnulib.patch \
"
SRC_URI[sha256sum] = "a7b341421bfd459acf7a374ca4af3b9e06608dcd7bd792b2bf470bea012b8e51"
^ permalink raw reply related [flat|nested] 20+ messages in thread
* Re: [OE-core][wrynose 12/18] util-linux: upgrade 2.41.3 -> 2.41.5
2026-07-10 16:36 ` [OE-core][wrynose 12/18] util-linux: upgrade 2.41.3 -> 2.41.5 Yoann Congal
@ 2026-07-14 13:29 ` Paul Barker
0 siblings, 0 replies; 20+ messages in thread
From: Paul Barker @ 2026-07-14 13:29 UTC (permalink / raw)
To: Yoann Congal, openembedded-core
[-- Attachment #1: Type: text/plain, Size: 1401 bytes --]
On Fri, 2026-07-10 at 18:36 +0200, Yoann Congal wrote:
> From: Siva Balasubramanian <sivakumar.bs@gmail.com>
>
> 2.41.4 and 2.41.5 are point releases in the same 2.41 stable series and
> contain only bug fixes and security fixes (no new features, no API/ABI
> breaks), so the upgrade complies with the stable branch policy.
>
> Among the fixes pulled in:
> - Several mount(8) TOCTOU / symlink hardening fixes (incl. CVE-2026-27456)
> - libblkid integer overflow in parse_dos_extended() and a use-after-free
> in partition probing
> - pam_lastlog2: fix libpam linking in the autotools build so
> pam_lastlog2.so links against libpam (fixes the runtime "undefined
> symbol: pam_syslog" / dlopen failure) [YOCTO #16320]
>
> Drop two backports that are now part of the release:
> - 0001-loopdev-add-LOOPDEV_FL_NOFOLLOW-to-prevent-symlink-a.patch
> (upstream f55f9906, released in 2.41.4)
> - the pam_lastlog2 libpam linking backport (upstream 5683ed6320e0,
> cherry-picked to the 2.41 stable branch as c8d0af0421f6, released in
> 2.41.5)
>
> Full changes: https://github.com/util-linux/util-linux/compare/v2.41.3...v2.41.5
>
> Signed-off-by: Siva Balasubramanian <sivakumar.bs@gmail.com>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Hi Yoann,
Please drop this, I've replied to the original patch.
Best regards,
--
Paul Barker
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]
^ permalink raw reply [flat|nested] 20+ messages in thread
end of thread, other threads:[~2026-07-14 13:29 UTC | newest]
Thread overview: 20+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-10 16:36 [OE-core][wrynose 00/18] Patch review Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 01/18] gdb: Upgrade 17.1 -> 17.2 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 02/18] curl: fix CVE-2026-5773 - wrong reuse of SMB connection Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 03/18] expat: patch CVE-2026-45186 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 04/18] expat: fix CVE-2026-41080 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 05/18] python3: upgrade 3.14.5 -> 3.14.6 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 06/18] python3: fix CVE-2026-11940 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 07/18] python3: fix CVE-2026-11972 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 08/18] opensbi: don't override ELFFLAGS, silence ldflags QA for bare-metal ELFs Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 09/18] create-spdx-image-3.0: correct SSTATE_SKIP_CREATION key for do_create_image_sbom_spdx Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 10/18] python3-urllib3: Fix CVE-2026-44431 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 11/18] glib-2.0: fix CVE-2026-58016 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 12/18] util-linux: upgrade 2.41.3 -> 2.41.5 Yoann Congal
2026-07-14 13:29 ` Paul Barker
2026-07-10 16:36 ` [OE-core][wrynose 13/18] ovmf: fix tpm PACKAGECONFIG to use TPM2_ENABLE Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 14/18] libcap: Fix CVE-2026-4878 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 15/18] socat: upgrade 1.8.1.1 -> 1.8.1.3 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 16/18] vim: Fix for CVE-2026-52858,CVE-2026-52859,CVE-2026-52860 Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 17/18] xmlto: update SRC_URI Yoann Congal
2026-07-10 16:36 ` [OE-core][wrynose 18/18] gnutls: fix CVE-2026-33846 Yoann Congal
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.