[OE-core][PATCH 1/5] avahi: patch CVE-2026-24401

[OE-core][PATCH 1/5] avahi: patch CVE-2026-24401

[ankur.tyagi85]

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details https://nvd.nist.gov/vuln/detail/CVE-2026-24401

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |  1 +
 .../avahi/files/CVE-2026-24401.patch          | 74 +++++++++++++++++++
 2 files changed, 75 insertions(+)
 create mode 100644 meta/recipes-connectivity/avahi/files/CVE-2026-24401.patch

diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index bd61c39dbf..35f779c914 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -38,6 +38,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/avahi-${PV}.tar.gz \
            file://CVE-2024-52616.patch \
            file://CVE-2024-52615.patch \
            file://CVE-2025-68276.patch \
+           file://CVE-2026-24401.patch \
            "
 
 GITHUB_BASE_URI = "https://github.com/avahi/avahi/releases/"
diff --git a/meta/recipes-connectivity/avahi/files/CVE-2026-24401.patch b/meta/recipes-connectivity/avahi/files/CVE-2026-24401.patch
new file mode 100644
index 0000000000..1a442966fc
--- /dev/null
+++ b/meta/recipes-connectivity/avahi/files/CVE-2026-24401.patch
@@ -0,0 +1,74 @@
+From 5eea2640324928c15936b7a2bcbf8ea0de7b08f7 Mon Sep 17 00:00:00 2001
+From: Hugo Muis <198191869+friendlyhugo@users.noreply.github.com>
+Date: Sun, 2 Mar 2025 18:06:24 +0100
+Subject: [PATCH] core: fix uncontrolled recursion bug using a simple loop
+ detection algorithm
+
+Closes https://github.com/avahi/avahi/issues/501
+
+CVE: CVE-2026-24401
+Upstream-Status: Backport [https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524]
+(cherry picked from commit 78eab31128479f06e30beb8c1cbf99dd921e2524)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ avahi-core/browse.c | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/avahi-core/browse.c b/avahi-core/browse.c
+index f461083..975b3e9 100644
+--- a/avahi-core/browse.c
++++ b/avahi-core/browse.c
+@@ -401,6 +401,40 @@ static int lookup_go(AvahiSRBLookup *l) {
+     return n;
+ }
+ 
++static int lookup_exists_in_path(AvahiSRBLookup* lookup, AvahiSRBLookup* from, AvahiSRBLookup* to) {
++    AvahiRList* rl;
++    if (from == to)
++        return 0;
++    for (rl = from->cname_lookups; rl; rl = rl->rlist_next) {
++        int r = lookup_exists_in_path(lookup, rl->data, to);
++        if (r == 1) {
++            /* loop detected, propagate result */
++            return r;
++        } else if (r == 0) {
++            /* is loop detected? */
++            return lookup == from;
++        } else {
++	        /* `to` not found, continue */
++            continue;
++        }
++    }
++    /* no path found */
++    return -1;
++}
++
++static int cname_would_create_loop(AvahiSRBLookup* l, AvahiSRBLookup* n) {
++    int ret;
++    if (l == n)
++        /* Loop to self */
++        return 1;
++
++    ret = lookup_exists_in_path(n, l->record_browser->root_lookup, l);
++
++    /* Path to n always exists */
++    assert(ret != -1);
++    return ret;
++}
++
+ static void lookup_handle_cname(AvahiSRBLookup *l, AvahiIfIndex interface, AvahiProtocol protocol, AvahiLookupFlags flags, AvahiRecord *r) {
+     AvahiKey *k;
+     AvahiSRBLookup *n;
+@@ -420,6 +454,12 @@ static void lookup_handle_cname(AvahiSRBLookup *l, AvahiIfIndex interface, Avahi
+         return;
+     }
+ 
++    if (cname_would_create_loop(l, n)) {
++        /* CNAME loops are not allowed */
++        lookup_unref(n);
++        return;
++    }
++
+     l->cname_lookups = avahi_rlist_prepend(l->cname_lookups, lookup_ref(n));
+ 
+     lookup_go(n);

[OE-core][PATCH 2/5] vim: ignore CVE-2025-66476

[ankur.tyagi85]

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details https://nvd.nist.gov/vuln/detail/CVE-2025-66476

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 meta/recipes-support/vim/vim_9.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/vim/vim_9.1.bb b/meta/recipes-support/vim/vim_9.1.bb
index fee9f055e9..c492342ffb 100644
--- a/meta/recipes-support/vim/vim_9.1.bb
+++ b/meta/recipes-support/vim/vim_9.1.bb
@@ -21,3 +21,5 @@ ALTERNATIVE_LINK_NAME[xxd] = "${bindir}/xxd"
 # in many places for _FORTIFY_SOURCE=2.  Security flags become part of CC.
 #
 lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=1',d)}"
+
+CVE_STATUS[CVE-2025-66476] = "not-applicable-platform: Issue only applies on Windows"

[OE-core][PATCH 3/5] mpg123: upgrade 1.33.3 -> 1.33.4

[ankur.tyagi85]

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Changelog:
mpg123: In terminal control, ignore 7-bit escape sequences to avoid spurious actions, e.g. when hitting cursor keys.
ports/cmake: Avoid possibly conflicting use of SIZEOF_OFF_T CMake variable when embedding mpg123 with other projects using cmake and different off_t semantics.

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../mpg123/{mpg123_1.33.3.bb => mpg123_1.33.4.bb}               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-multimedia/mpg123/{mpg123_1.33.3.bb => mpg123_1.33.4.bb} (96%)

diff --git a/meta/recipes-multimedia/mpg123/mpg123_1.33.3.bb b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb
similarity index 96%
rename from meta/recipes-multimedia/mpg123/mpg123_1.33.3.bb
rename to meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb
index b1897fe95d..648eb21500 100644
--- a/meta/recipes-multimedia/mpg123/mpg123_1.33.3.bb
+++ b/meta/recipes-multimedia/mpg123/mpg123_1.33.4.bb
@@ -10,7 +10,7 @@ LICENSE = "LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=e7b9c15fcfb986abb4cc5e8400a24169"
 
 SRC_URI = "https://www.mpg123.de/download/${BP}.tar.bz2"
-SRC_URI[sha256sum] = "6a0c6472dd156e213c2068f40115ebbb73978c2d873e66bae2a250e2d2198d26"
+SRC_URI[sha256sum] = "3ae8c9ff80a97bfc0e22e89fbcd74687eca4fc1db315b12607f27f01cb5a47d9"
 
 UPSTREAM_CHECK_REGEX = "mpg123-(?P<pver>\d+(\.\d+)+)\.tar"
 

[OE-core][PATCH 4/5] utfcpp: upgrade 4.0.8 -> 4.0.9

[ankur.tyagi85]

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

A minor release: removing static asserts for C++98/03 builds

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../recipes-support/utfcpp/{utfcpp_4.0.8.bb => utfcpp_4.0.9.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-support/utfcpp/{utfcpp_4.0.8.bb => utfcpp_4.0.9.bb} (94%)

diff --git a/meta/recipes-support/utfcpp/utfcpp_4.0.8.bb b/meta/recipes-support/utfcpp/utfcpp_4.0.9.bb
similarity index 94%
rename from meta/recipes-support/utfcpp/utfcpp_4.0.8.bb
rename to meta/recipes-support/utfcpp/utfcpp_4.0.9.bb
index 628e8ee0ce..55780b1c7c 100644
--- a/meta/recipes-support/utfcpp/utfcpp_4.0.8.bb
+++ b/meta/recipes-support/utfcpp/utfcpp_4.0.9.bb
@@ -11,7 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e4224ccaecb14d942c71d31bef20d78c \
 SRC_URI = "git://github.com/nemtrif/utfcpp;protocol=https;branch=master;tag=v${PV} \
            file://run-ptest"
 
-SRCREV = "f9319195dfddf369f68f18e7c0039b3f351797fd"
+SRCREV = "63d64de49fd6b829f7c8694df5ab2ee625cb7134"
 
 inherit cmake ptest
 

[OE-core][PATCH 5/5] harfbuzz: upgrade 12.3.1 -> 12.3.2

[ankur.tyagi85]

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Changelog:
https://github.com/harfbuzz/harfbuzz/releases/tag/12.3.2

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../harfbuzz/{harfbuzz_12.3.1.bb => harfbuzz_12.3.2.bb}         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-graphics/harfbuzz/{harfbuzz_12.3.1.bb => harfbuzz_12.3.2.bb} (95%)

diff --git a/meta/recipes-graphics/harfbuzz/harfbuzz_12.3.1.bb b/meta/recipes-graphics/harfbuzz/harfbuzz_12.3.2.bb
similarity index 95%
rename from meta/recipes-graphics/harfbuzz/harfbuzz_12.3.1.bb
rename to meta/recipes-graphics/harfbuzz/harfbuzz_12.3.2.bb
index c22d6bd4b1..12bebc4bee 100644
--- a/meta/recipes-graphics/harfbuzz/harfbuzz_12.3.1.bb
+++ b/meta/recipes-graphics/harfbuzz/harfbuzz_12.3.2.bb
@@ -9,7 +9,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b98429b8e8e3c2a67cfef01e99e4893d \
                     "
 
 SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BPN}-${PV}.tar.xz"
-SRC_URI[sha256sum] = "3ee7133f7f160b27bc34c058e147a559bb781c2b8208bc760db9fa9fa69cea07"
+SRC_URI[sha256sum] = "6f6db164359a2da5a84ef826615b448b33e6306067ad829d85d5b0bf936f1bb8"
 
 DEPENDS += "glib-2.0-native"
 

RE: [OE-core][PATCH 2/5] vim: ignore CVE-2025-66476

[Marko, Peter]

This patch is not needed because vim was upgraded on master.
https://git.openembedded.org/openembedded-core/commit/?id=cf63518d20c3c4a61b0e726edf1df2201e88e8ab

Peter

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Ankur Tyagi via
> lists.openembedded.org
> Sent: Friday, February 6, 2026 11:43
> To: openembedded-core@lists.openembedded.org
> Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
> Subject: [OE-core][PATCH 2/5] vim: ignore CVE-2025-66476
> 
> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
> 
> Details https://nvd.nist.gov/vuln/detail/CVE-2025-66476
> 
> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> ---
>  meta/recipes-support/vim/vim_9.1.bb | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/meta/recipes-support/vim/vim_9.1.bb b/meta/recipes-
> support/vim/vim_9.1.bb
> index fee9f055e9..c492342ffb 100644
> --- a/meta/recipes-support/vim/vim_9.1.bb
> +++ b/meta/recipes-support/vim/vim_9.1.bb
> @@ -21,3 +21,5 @@ ALTERNATIVE_LINK_NAME[xxd] = "${bindir}/xxd"
>  # in many places for _FORTIFY_SOURCE=2.  Security flags become part of CC.
>  #
>  lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-
> D_FORTIFY_SOURCE=1',d)}"
> +
> +CVE_STATUS[CVE-2025-66476] = "not-applicable-platform: Issue only applies on
> Windows"

Re: [OE-core][PATCH 2/5] vim: ignore CVE-2025-66476

[Ankur Tyagi]

On Fri, Feb 6, 2026 at 11:49 PM Marko, Peter <Peter.Marko@siemens.com> wrote:
>
> This patch is not needed because vim was upgraded on master.
> https://git.openembedded.org/openembedded-core/commit/?id=cf63518d20c3c4a61b0e726edf1df2201e88e8ab
>

Got it, thanks Peter.

> Peter
>
> > -----Original Message-----
> > From: openembedded-core@lists.openembedded.org <openembedded-
> > core@lists.openembedded.org> On Behalf Of Ankur Tyagi via
> > lists.openembedded.org
> > Sent: Friday, February 6, 2026 11:43
> > To: openembedded-core@lists.openembedded.org
> > Cc: Ankur Tyagi <ankur.tyagi85@gmail.com>
> > Subject: [OE-core][PATCH 2/5] vim: ignore CVE-2025-66476
> >
> > From: Ankur Tyagi <ankur.tyagi85@gmail.com>
> >
> > Details https://nvd.nist.gov/vuln/detail/CVE-2025-66476
> >
> > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> > ---
> >  meta/recipes-support/vim/vim_9.1.bb | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/meta/recipes-support/vim/vim_9.1.bb b/meta/recipes-
> > support/vim/vim_9.1.bb
> > index fee9f055e9..c492342ffb 100644
> > --- a/meta/recipes-support/vim/vim_9.1.bb
> > +++ b/meta/recipes-support/vim/vim_9.1.bb
> > @@ -21,3 +21,5 @@ ALTERNATIVE_LINK_NAME[xxd] = "${bindir}/xxd"
> >  # in many places for _FORTIFY_SOURCE=2.  Security flags become part of CC.
> >  #
> >  lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-
> > D_FORTIFY_SOURCE=1',d)}"
> > +
> > +CVE_STATUS[CVE-2025-66476] = "not-applicable-platform: Issue only applies on
> > Windows"