[OE-core][scarthgap 00/11] Patch review

[OE-core][scarthgap 00/11] Patch review

[Yoann Congal]

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, March 31.

Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551

[0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t

The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:

  Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:

  python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)

----------------------------------------------------------------

João Marcos Costa (Schneider Electric) (1):
  spdx: add option to include only compiled sources

Martin Jansa (3):
  dtc: backport fix for build with glibc-2.43
  elfutils: don't add -Werror to avoid discarded-qualifiers
  binutils: backport patch to fix build with glibc-2.43 on host

Michael Halstead (2):
  yocto-uninative: Update to 5.0 for needed patchelf updates
  yocto-uninative: Update to 5.1 for glibc 2.43

Nguyen Dat Tho (1):
  python3-cryptography: Fix CVE-2026-26007

Paul Barker (1):
  tzdata,tzcode-native: Upgrade 2025b -> 2025c

Richard Purdie (1):
  pseudo: Add fix for glibc 2.43

Vijay Anusuri (2):
  python3-pyopenssl: Fix CVE-2026-27448
  python3-pyopenssl: Fix CVE-2026-27459

 meta/classes/spdx-common.bbclass              |   3 +
 meta/conf/distro/include/yocto-uninative.inc  |  10 +-
 meta/lib/oe/spdx30_tasks.py                   |  12 ++
 .../binutils/binutils-2.42.inc                |   1 +
 ...tect-against-standard-library-macros.patch |  31 ++++
 .../elfutils/elfutils_0.191.bb                |   1 +
 ...001-config-eu.am-do-not-force-Werror.patch |  34 ++++
 meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
 .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++
 .../python/python3-cryptography_42.0.5.bb     |   1 +
 .../python3-pyopenssl/CVE-2026-27448.patch    | 124 +++++++++++++++
 .../python3-pyopenssl/CVE-2026-27459.patch    | 109 +++++++++++++
 .../python/python3-pyopenssl_24.0.0.bb        |   5 +
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../0001-Fix-discarded-const-qualifiers.patch |  85 ++++++++++
 meta/recipes-kernel/dtc/dtc_1.7.0.bb          |   1 +
 16 files changed, 565 insertions(+), 9 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
 create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
 create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch

[OE-core][scarthgap 01/11] tzdata,tzcode-native: Upgrade 2025b -> 2025c

[Yoann Congal]

From: Paul Barker <paul@pbarker.dev>

This release mostly changes code and commentary. The only changed data
are leap second table expiration and pre-1976 time in Baja California.

Full release notes:
  https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/TAGXKYLMAQRZRFTERQ33CEKOW7KRJVAK/

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 452334219309793ad74abd6ff390dcb06cab929b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-extended/timezone/timezone.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index f21bedf4fc5..35f22d5a15a 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
 LICENSE = "PD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
-PV = "2025b"
+PV = "2025c"
 
 SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \
            http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \
@@ -16,5 +16,5 @@ S = "${WORKDIR}/tz"
 
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
 
-SRC_URI[tzcode.sha256sum] = "05f8fedb3525ee70d49c87d3fae78a8a0dbae4fe87aa565c65cda9948ae135ec"
-SRC_URI[tzdata.sha256sum] = "11810413345fc7805017e27ea9fa4885fd74cd61b2911711ad038f5d28d71474"
+SRC_URI[tzcode.sha256sum] = "697ebe6625444aef5080f58e49d03424bbb52e08bf483d3ddb5acf10cbd15740"
+SRC_URI[tzdata.sha256sum] = "4aa79e4effee53fc4029ffe5f6ebe97937282ebcdf386d5d2da91ce84142f957"

[OE-core][scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007

[Yoann Congal]

From: Nguyen Dat Tho <tho3.nguyen@lge.com>

CVE-2026-26007 is fixed upstream in version 46.0.5.
Our current version (42.0.5, scarthgap) is still reported as vulnerable
by NVD.
Backport the upstream fix to address this CVE.

Upstream commit:
  https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c

CVE report:
  https://nvd.nist.gov/vuln/detail/CVE-2026-26007

Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++
 .../python/python3-cryptography_42.0.5.bb     |   1 +
 2 files changed, 150 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch

diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
new file mode 100644
index 00000000000..a78d287ccdd
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
@@ -0,0 +1,149 @@
+From 42c914929b52eb16421a4ef1f7e09c8f9fdab7db Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Wed, 18 Mar 2026 16:01:03 +0900
+Subject: [PATCH] EC check key on cofactor > 1
+
+An attacker could create a malicious public key that reveals portions of
+your private key when using certain uncommon elliptic curves (binary
+curves).  This version now includes additional security checks to
+prevent this attack.  This issue only affects binary elliptic curves,
+which are rarely used in real-world applications. Credit to **XlabAI
+Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery
+Engine** for reporting the issue.  **CVE-2026-26007**
+
+This is a partial backport of upstream commit
+0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c, to only include what's
+relevant for CVE-2026-26007.
+
+CVE: CVE-2026-26007
+
+Origin: backport, https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
+Reference: https://salsa.debian.org/python-team/packages/python-cryptography/-/commit/464e7ca3b0b4493d5906d0c3685de71fda770c59
+
+Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
+Signed-off-by: Paul Kehrer <paul.l.kehrer@gmail.com>
+Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
+---
+Upstream-Status: Backport [Backport from https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c]
+
+ src/rust/src/backend/ec.rs         | 39 ++++++++++++++++++++----------
+ tests/hazmat/primitives/test_ec.py | 37 ++++++++++++++++++++++++++++
+ 2 files changed, 63 insertions(+), 13 deletions(-)
+
+diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs
+index 6a224b49f..27fced086 100644
+--- a/src/rust/src/backend/ec.rs
++++ b/src/rust/src/backend/ec.rs
+@@ -155,12 +155,9 @@ pub(crate) fn public_key_from_pkey(
+ ) -> CryptographyResult<ECPublicKey> {
+     let ec = pkey.ec_key()?;
+     let curve = py_curve_from_curve(py, ec.group())?;
+-    check_key_infinity(&ec)?;
+-    Ok(ECPublicKey {
+-        pkey: pkey.to_owned(),
+-        curve: curve.into(),
+-    })
++    ECPublicKey::new(pkey.to_owned(), curve.into())
+ }
++
+ #[pyo3::prelude::pyfunction]
+ fn generate_private_key(
+     py: pyo3::Python<'_>,
+@@ -215,10 +212,7 @@ fn from_public_bytes(
+     let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?;
+     let pkey = openssl::pkey::PKey::from_ec_key(ec)?;
+ 
+-    Ok(ECPublicKey {
+-        pkey,
+-        curve: py_curve.into(),
+-    })
++    ECPublicKey::new(pkey, py_curve.into())
+ }
+ 
+ #[pyo3::prelude::pymethods]
+@@ -357,6 +351,28 @@ impl ECPrivateKey {
+     }
+ }
+ 
++impl ECPublicKey {
++    fn new(
++        pkey: openssl::pkey::PKey<openssl::pkey::Public>,
++        curve: pyo3::Py<pyo3::PyAny>,
++    ) -> CryptographyResult<ECPublicKey> {
++        let ec = pkey.ec_key()?;
++        check_key_infinity(&ec)?;
++        let mut bn_ctx = openssl::bn::BigNumContext::new()?;
++        let mut cofactor = openssl::bn::BigNum::new()?;
++        ec.group().cofactor(&mut cofactor, &mut bn_ctx)?;
++        let one = openssl::bn::BigNum::from_u32(1)?;
++        if cofactor != one {
++            ec.check_key().map_err(|_| {
++                pyo3::exceptions::PyValueError::new_err(
++                    "Invalid EC key (key out of range, infinity, etc.)",
++                )
++            })?;
++        }
++
++        Ok(ECPublicKey { pkey, curve })
++    }
++}
+ #[pyo3::prelude::pymethods]
+ impl ECPublicKey {
+     #[getter]
+@@ -591,10 +607,7 @@ impl EllipticCurvePublicNumbers {
+ 
+         let pkey = openssl::pkey::PKey::from_ec_key(public_key)?;
+ 
+-        Ok(ECPublicKey {
+-            pkey,
+-            curve: self.curve.clone_ref(py),
+-        })
++        ECPublicKey::new(pkey, self.curve.clone_ref(py))
+     }
+ 
+     fn __eq__(
+diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
+index 334e76dcc..f7f2242f6 100644
+--- a/tests/hazmat/primitives/test_ec.py
++++ b/tests/hazmat/primitives/test_ec.py
+@@ -1340,3 +1340,40 @@ class TestECDH:
+ 
+         with pytest.raises(ValueError):
+             key.exchange(ec.ECDH(), public_key)
++
++
++def test_invalid_sect_public_keys(backend):
++    _skip_curve_unsupported(backend, ec.SECT571K1())
++    public_numbers = ec.EllipticCurvePublicNumbers(1, 1, ec.SECT571K1())
++    with pytest.raises(ValueError):
++        public_numbers.public_key()
++
++    point = binascii.unhexlify(
++        b"0400000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000010000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000001"
++    )
++    with pytest.raises(ValueError):
++        ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT571K1(), point)
++
++    der = binascii.unhexlify(
++        b"3081a7301006072a8648ce3d020106052b810400260381920004000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000100000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"00001"
++    )
++    with pytest.raises(ValueError):
++        serialization.load_der_public_key(der)
++
++    pem = textwrap.dedent("""-----BEGIN PUBLIC KEY-----
++    MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++    AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=
++    -----END PUBLIC KEY-----""").encode()
++    with pytest.raises(ValueError):
++        serialization.load_pem_public_key(pem)
diff --git a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
index 732f925d926..c4573fa6891 100644
--- a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
@@ -11,6 +11,7 @@ LDSHARED += "-pthread"
 SRC_URI[sha256sum] = "6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1"
 
 SRC_URI += "file://0001-pyproject.toml-remove-benchmark-disable-option.patch \
+            file://CVE-2026-26007.patch \
             file://check-memfree.py \
             file://run-ptest \
            "

Patchtest results for [OE-core][scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007

[patchtest]

[-- Attachment #1: Type: text/plain, Size: 2168 bytes --]

Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/scarthgap-02-11-python3-cryptography-Fix-CVE-2026-26007.patch

FAIL: test Upstream-Status presence: Upstream-Status is present only after the patch scissors. It must be placed in the patch header before the scissors line. (test_patch.TestPatch.test_upstream_status_presence_format)

PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

Re: [OE-core][scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007

[Yoann Congal]

On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
> From: Nguyen Dat Tho <tho3.nguyen@lge.com>
>
> CVE-2026-26007 is fixed upstream in version 46.0.5.
> Our current version (42.0.5, scarthgap) is still reported as vulnerable
> by NVD.
> Backport the upstream fix to address this CVE.
>
> Upstream commit:
>   https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
>
> CVE report:
>   https://nvd.nist.gov/vuln/detail/CVE-2026-26007
>
> Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---
>  .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++
>  .../python/python3-cryptography_42.0.5.bb     |   1 +
>  2 files changed, 150 insertions(+)
>  create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
>
> diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
> new file mode 100644
> index 00000000000..a78d287ccdd
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
> @@ -0,0 +1,149 @@
> +From 42c914929b52eb16421a4ef1f7e09c8f9fdab7db Mon Sep 17 00:00:00 2001
> +From: Paul Kehrer <paul.l.kehrer@gmail.com>
> +Date: Wed, 18 Mar 2026 16:01:03 +0900
> +Subject: [PATCH] EC check key on cofactor > 1
> +
> +An attacker could create a malicious public key that reveals portions of
> +your private key when using certain uncommon elliptic curves (binary
> +curves).  This version now includes additional security checks to
> +prevent this attack.  This issue only affects binary elliptic curves,
> +which are rarely used in real-world applications. Credit to **XlabAI
> +Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery
> +Engine** for reporting the issue.  **CVE-2026-26007**
> +
> +This is a partial backport of upstream commit
> +0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c, to only include what's
> +relevant for CVE-2026-26007.
> +
> +CVE: CVE-2026-26007
> +
> +Origin: backport, https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
> +Reference: https://salsa.debian.org/python-team/packages/python-cryptography/-/commit/464e7ca3b0b4493d5906d0c3685de71fda770c59
> +
> +Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
> +Signed-off-by: Paul Kehrer <paul.l.kehrer@gmail.com>
> +Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
> +---
> +Upstream-Status: Backport [Backport from https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c]

Tho, (I hope this is the proper way to address you, if not, sorry!)

This "Upstream-Status:" after the "---" triggers a patchtest failure:
  FAIL: test Upstream-Status presence: Upstream-Status is present only
  after the patch scissors. It must be placed in the patch header before
  the scissors line.
  (test_patch.TestPatch.test_upstream_status_presence_format)

This is very minor for stables where a patch rebase following an upgrade
is a very rare event.
But, that said, if you can send a v2 patch with the "Upstream-Status"
above the "---", I'll take it.

As a side note: this particular patchtest test is not in scarthgap
patchtech, I'll try to backport it.

Thanks!

> +
> + src/rust/src/backend/ec.rs         | 39 ++++++++++++++++++++----------
> + tests/hazmat/primitives/test_ec.py | 37 ++++++++++++++++++++++++++++
> + 2 files changed, 63 insertions(+), 13 deletions(-)
> +
> +diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs
> +index 6a224b49f..27fced086 100644
> +--- a/src/rust/src/backend/ec.rs
> ++++ b/src/rust/src/backend/ec.rs
> +@@ -155,12 +155,9 @@ pub(crate) fn public_key_from_pkey(
> + ) -> CryptographyResult<ECPublicKey> {
> +     let ec = pkey.ec_key()?;
> +     let curve = py_curve_from_curve(py, ec.group())?;
> +-    check_key_infinity(&ec)?;
> +-    Ok(ECPublicKey {
> +-        pkey: pkey.to_owned(),
> +-        curve: curve.into(),
> +-    })
> ++    ECPublicKey::new(pkey.to_owned(), curve.into())
> + }
> ++
> + #[pyo3::prelude::pyfunction]
> + fn generate_private_key(
> +     py: pyo3::Python<'_>,
> +@@ -215,10 +212,7 @@ fn from_public_bytes(
> +     let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?;
> +     let pkey = openssl::pkey::PKey::from_ec_key(ec)?;
> + 
> +-    Ok(ECPublicKey {
> +-        pkey,
> +-        curve: py_curve.into(),
> +-    })
> ++    ECPublicKey::new(pkey, py_curve.into())
> + }
> + 
> + #[pyo3::prelude::pymethods]
> +@@ -357,6 +351,28 @@ impl ECPrivateKey {
> +     }
> + }
> + 
> ++impl ECPublicKey {
> ++    fn new(
> ++        pkey: openssl::pkey::PKey<openssl::pkey::Public>,
> ++        curve: pyo3::Py<pyo3::PyAny>,
> ++    ) -> CryptographyResult<ECPublicKey> {
> ++        let ec = pkey.ec_key()?;
> ++        check_key_infinity(&ec)?;
> ++        let mut bn_ctx = openssl::bn::BigNumContext::new()?;
> ++        let mut cofactor = openssl::bn::BigNum::new()?;
> ++        ec.group().cofactor(&mut cofactor, &mut bn_ctx)?;
> ++        let one = openssl::bn::BigNum::from_u32(1)?;
> ++        if cofactor != one {
> ++            ec.check_key().map_err(|_| {
> ++                pyo3::exceptions::PyValueError::new_err(
> ++                    "Invalid EC key (key out of range, infinity, etc.)",
> ++                )
> ++            })?;
> ++        }
> ++
> ++        Ok(ECPublicKey { pkey, curve })
> ++    }
> ++}
> + #[pyo3::prelude::pymethods]
> + impl ECPublicKey {
> +     #[getter]
> +@@ -591,10 +607,7 @@ impl EllipticCurvePublicNumbers {
> + 
> +         let pkey = openssl::pkey::PKey::from_ec_key(public_key)?;
> + 
> +-        Ok(ECPublicKey {
> +-            pkey,
> +-            curve: self.curve.clone_ref(py),
> +-        })
> ++        ECPublicKey::new(pkey, self.curve.clone_ref(py))
> +     }
> + 
> +     fn __eq__(
> +diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
> +index 334e76dcc..f7f2242f6 100644
> +--- a/tests/hazmat/primitives/test_ec.py
> ++++ b/tests/hazmat/primitives/test_ec.py
> +@@ -1340,3 +1340,40 @@ class TestECDH:
> + 
> +         with pytest.raises(ValueError):
> +             key.exchange(ec.ECDH(), public_key)
> ++
> ++
> ++def test_invalid_sect_public_keys(backend):
> ++    _skip_curve_unsupported(backend, ec.SECT571K1())
> ++    public_numbers = ec.EllipticCurvePublicNumbers(1, 1, ec.SECT571K1())
> ++    with pytest.raises(ValueError):
> ++        public_numbers.public_key()
> ++
> ++    point = binascii.unhexlify(
> ++        b"0400000000000000000000000000000000000000000000000000000000000000000"
> ++        b"0000000000000000000000000000000000000000000000000000000000000000000"
> ++        b"0000000000010000000000000000000000000000000000000000000000000000000"
> ++        b"0000000000000000000000000000000000000000000000000000000000000000000"
> ++        b"0000000000000000000001"
> ++    )
> ++    with pytest.raises(ValueError):
> ++        ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT571K1(), point)
> ++
> ++    der = binascii.unhexlify(
> ++        b"3081a7301006072a8648ce3d020106052b810400260381920004000000000000000"
> ++        b"0000000000000000000000000000000000000000000000000000000000000000000"
> ++        b"0000000000000000000000000000000000000000000000000000000000000100000"
> ++        b"0000000000000000000000000000000000000000000000000000000000000000000"
> ++        b"0000000000000000000000000000000000000000000000000000000000000000000"
> ++        b"00001"
> ++    )
> ++    with pytest.raises(ValueError):
> ++        serialization.load_der_public_key(der)
> ++
> ++    pem = textwrap.dedent("""-----BEGIN PUBLIC KEY-----
> ++    MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> ++    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> ++    AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> ++    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=
> ++    -----END PUBLIC KEY-----""").encode()
> ++    with pytest.raises(ValueError):
> ++        serialization.load_pem_public_key(pem)
> diff --git a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
> index 732f925d926..c4573fa6891 100644
> --- a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
> +++ b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
> @@ -11,6 +11,7 @@ LDSHARED += "-pthread"
>  SRC_URI[sha256sum] = "6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1"
>  
>  SRC_URI += "file://0001-pyproject.toml-remove-benchmark-disable-option.patch \
> +            file://CVE-2026-26007.patch \
>              file://check-memfree.py \
>              file://run-ptest \
>             "


-- 
Yoann Congal
Smile ECS

Re: [scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007

[Nguyen Dat Tho]

[-- Attachment #1: Type: text/plain, Size: 94 bytes --]

Hello,

I just updated the patch as your comment.
Could you help me check it?

---
Tho

[-- Attachment #2: Type: text/html, Size: 183 bytes --]

Re: [OE-core] [scarthgap 02/11] python3-cryptography: Fix CVE-2026-26007

[Yoann Congal]

On Mon Mar 30, 2026 at 10:19 AM CEST, Nguyen Dat Tho via lists.openembedded.org wrote:
> Hello,
>
> I just updated the patch as your comment.
> Could you help me check it?

Looks good. I took it in my branch.

Thanks!

>
> ---
> Tho


-- 
Yoann Congal
Smile ECS

[OE-core][scarthgap 03/11] spdx: add option to include only compiled sources

[Yoann Congal]

From: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>

When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.

It uses debugsource information generated during do_package.

This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.

As example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.

(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Adapted to existing files for SPDX3.0

Tested with:
- bitbake world on oe-core
- oe-selftest --run-tests spdx.SPDX30Check

Regarding SPDX2.2, the respective backport was already performed in
OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b

Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/classes/spdx-common.bbclass |  3 +++
 meta/lib/oe/spdx30_tasks.py      | 12 ++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index 713a7fc651e..ca0416d1c7f 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -26,6 +26,7 @@ SPDX_TOOL_VERSION ??= "1.0"
 SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
 
 SPDX_INCLUDE_SOURCES ??= "0"
+SPDX_INCLUDE_COMPILED_SOURCES ??= "0"
 
 SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
 SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
@@ -40,6 +41,8 @@ SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
 python () {
     from oe.cve_check import extend_cve_status
     extend_cve_status(d)
+    if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
+        d.setVar("SPDX_INCLUDE_SOURCES", "1")
 }
 
 def create_spdx_source_deps(d):
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index a8970dcca0f..9c422d17573 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -145,6 +145,8 @@ def add_package_files(
     ignore_dirs=[],
     ignore_top_level_dirs=[],
 ):
+    import oe.spdx
+
     source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
     if source_date_epoch:
         source_date_epoch = int(source_date_epoch)
@@ -156,6 +158,11 @@ def add_package_files(
         bb.note(f"Skip {topdir}")
         return spdx_files
 
+    check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
+    if check_compiled_sources:
+        compiled_sources, types = oe.spdx.get_compiled_sources(d)
+        bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
+
     for subdir, dirs, files in os.walk(topdir, onerror=walk_error):
         dirs[:] = [d for d in dirs if d not in ignore_dirs]
         if subdir == str(topdir):
@@ -171,6 +178,11 @@ def add_package_files(
             filename = str(filepath.relative_to(topdir))
             file_purposes = get_purposes(filepath)
 
+            # Check if file is compiled
+            if check_compiled_sources:
+                if not oe.spdx.is_compiled_source(filename, compiled_sources, types):
+                    continue
+
             spdx_file = objset.new_file(
                 get_spdxid(file_counter),
                 filename,

[OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43

[Yoann Congal]

From: Martin Jansa <martin.jansa@gmail.com>

glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
https://errors.yoctoproject.org/Errors/Details/903983/

../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  424 |                 sep = memchr(fixup_str, ':', fixup_len);
      |                     ^
../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  434 |                 sep = memchr(name, ':', fixup_len);
      |                     ^
cc1: all warnings being treated as errors

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../0001-Fix-discarded-const-qualifiers.patch | 85 +++++++++++++++++++
 meta/recipes-kernel/dtc/dtc_1.7.0.bb          |  1 +
 2 files changed, 86 insertions(+)
 create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch

diff --git a/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
new file mode 100644
index 00000000000..c643410ae9b
--- /dev/null
+++ b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
@@ -0,0 +1,85 @@
+From 861cb43eb53afff83e28ba0e0f88ffa464ebe8ca Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 6 Jan 2026 14:19:30 -0500
+Subject: [PATCH] Fix discarded const qualifiers
+
+It's unsafe to implicitly discard the const qualifier on a pointer. In
+overlay_fixup_phandle(), this was probably just an oversight, and making
+the "sep" variable a const char * is sufficient to fix it.
+
+In create_node(), however, the "p" variable is directly modifying the
+buffer pointed to by "const char* node_name". To fix this, we need to
+actually make a duplicate of the buffer and operate on that instead.
+
+This introduces a malloc()/free()  and an unbounded strdup() into the
+operation, but fdtput isn't a long-running service and the node_name
+argument comes directly from argv, so this shouldn't introduce a
+significant performance impact.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/libfdt/fdt_overlay.c?h=main&id=9a1c801a1a3c102bf95c5339c9e985b26b823a21]
+---
+ fdtput.c             | 8 +++++---
+ libfdt/fdt_overlay.c | 3 ++-
+ meson.build          | 3 ++-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/fdtput.c b/fdtput.c
+index c2fecf4..8deec7e 100644
+--- a/fdtput.c
++++ b/fdtput.c
+@@ -230,19 +230,21 @@ static int create_paths(char **blob, const char *in_path)
+ static int create_node(char **blob, const char *node_name)
+ {
+ 	int node = 0;
+-	char *p;
++	const char *p;
++	char *path = NULL;
+ 
+ 	p = strrchr(node_name, '/');
+ 	if (!p) {
+ 		report_error(node_name, -1, -FDT_ERR_BADPATH);
+ 		return -1;
+ 	}
+-	*p = '\0';
+ 
+ 	*blob = realloc_node(*blob, p + 1);
+ 
+ 	if (p > node_name) {
+-		node = fdt_path_offset(*blob, node_name);
++		path = xstrndup(node_name, (size_t)(p - node_name));
++		node = fdt_path_offset(*blob, path);
++		free(path);
+ 		if (node < 0) {
+ 			report_error(node_name, -1, node);
+ 			return -1;
+diff --git a/libfdt/fdt_overlay.c b/libfdt/fdt_overlay.c
+index 5c0c398..75b0619 100644
+--- a/libfdt/fdt_overlay.c
++++ b/libfdt/fdt_overlay.c
+@@ -431,7 +431,8 @@ static int overlay_fixup_phandle(void *fdt, void *fdto, int symbols_off,
+ 		const char *fixup_str = value;
+ 		uint32_t path_len, name_len;
+ 		uint32_t fixup_len;
+-		char *sep, *endptr;
++		const char *sep;
++		char *endptr;
+ 		int poffset, ret;
+ 
+ 		fixup_end = memchr(value, '\0', len);
+diff --git a/meson.build b/meson.build
+index 8952e8a..ecb0ae0 100644
+--- a/meson.build
++++ b/meson.build
+@@ -14,7 +14,8 @@ add_project_arguments(
+     '-Wstrict-prototypes',
+     '-Wmissing-prototypes',
+     '-Wredundant-decls',
+-    '-Wshadow'
++    '-Wshadow',
++    '-Wdiscarded-qualifiers'
+   ]),
+   language: 'c'
+ )
diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
index 0702fc16dfa..a2f41197fda 100644
--- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb
+++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
@@ -12,6 +12,7 @@ SRC_URI = " \
     git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \
     file://0001-meson.build-bump-version-to-1.7.0.patch \
     file://0002-meson-allow-building-from-shallow-clones.patch \
+    file://0001-Fix-discarded-const-qualifiers.patch \
 "
 SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
 

Re: [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43

[Yoann Congal]

On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
> From: Martin Jansa <martin.jansa@gmail.com>
>
> glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
> https://errors.yoctoproject.org/Errors/Details/903983/
>
> ../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
> ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>   424 |                 sep = memchr(fixup_str, ':', fixup_len);
>       |                     ^
> ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>   434 |                 sep = memchr(name, ':', fixup_len);
>       |                     ^
> cc1: all warnings being treated as errors
>
> Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> [YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---

Hello Martin,

FYI, while it looked good, this patch and your whole series about glibc
2.43 support:
* [scarthgap 04/11] dtc: backport fix for build with glibc-2.43
* [scarthgap 05/11] pseudo: Add fix for glibc 2.43
* [scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates
* [scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43
* [scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers
* [scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host
... will be put on hold until I can test it: So, not until Ubuntu 26.04
is released and the autobuilder gain an Ubuntu 26.04 worker (most likely
after Wrynose release).

Thanks!

Regards,

>  .../0001-Fix-discarded-const-qualifiers.patch | 85 +++++++++++++++++++
>  meta/recipes-kernel/dtc/dtc_1.7.0.bb          |  1 +
>  2 files changed, 86 insertions(+)
>  create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
>
> diff --git a/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
> new file mode 100644
> index 00000000000..c643410ae9b
> --- /dev/null
> +++ b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
> @@ -0,0 +1,85 @@
> +From 861cb43eb53afff83e28ba0e0f88ffa464ebe8ca Mon Sep 17 00:00:00 2001
> +From: Stephen Gallagher <sgallagh@redhat.com>
> +Date: Tue, 6 Jan 2026 14:19:30 -0500
> +Subject: [PATCH] Fix discarded const qualifiers
> +
> +It's unsafe to implicitly discard the const qualifier on a pointer. In
> +overlay_fixup_phandle(), this was probably just an oversight, and making
> +the "sep" variable a const char * is sufficient to fix it.
> +
> +In create_node(), however, the "p" variable is directly modifying the
> +buffer pointed to by "const char* node_name". To fix this, we need to
> +actually make a duplicate of the buffer and operate on that instead.
> +
> +This introduces a malloc()/free()  and an unbounded strdup() into the
> +operation, but fdtput isn't a long-running service and the node_name
> +argument comes directly from argv, so this shouldn't introduce a
> +significant performance impact.
> +
> +Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
> +Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> +Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
> +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/libfdt/fdt_overlay.c?h=main&id=9a1c801a1a3c102bf95c5339c9e985b26b823a21]
> +---
> + fdtput.c             | 8 +++++---
> + libfdt/fdt_overlay.c | 3 ++-
> + meson.build          | 3 ++-
> + 3 files changed, 9 insertions(+), 5 deletions(-)
> +
> +diff --git a/fdtput.c b/fdtput.c
> +index c2fecf4..8deec7e 100644
> +--- a/fdtput.c
> ++++ b/fdtput.c
> +@@ -230,19 +230,21 @@ static int create_paths(char **blob, const char *in_path)
> + static int create_node(char **blob, const char *node_name)
> + {
> + 	int node = 0;
> +-	char *p;
> ++	const char *p;
> ++	char *path = NULL;
> + 
> + 	p = strrchr(node_name, '/');
> + 	if (!p) {
> + 		report_error(node_name, -1, -FDT_ERR_BADPATH);
> + 		return -1;
> + 	}
> +-	*p = '\0';
> + 
> + 	*blob = realloc_node(*blob, p + 1);
> + 
> + 	if (p > node_name) {
> +-		node = fdt_path_offset(*blob, node_name);
> ++		path = xstrndup(node_name, (size_t)(p - node_name));
> ++		node = fdt_path_offset(*blob, path);
> ++		free(path);
> + 		if (node < 0) {
> + 			report_error(node_name, -1, node);
> + 			return -1;
> +diff --git a/libfdt/fdt_overlay.c b/libfdt/fdt_overlay.c
> +index 5c0c398..75b0619 100644
> +--- a/libfdt/fdt_overlay.c
> ++++ b/libfdt/fdt_overlay.c
> +@@ -431,7 +431,8 @@ static int overlay_fixup_phandle(void *fdt, void *fdto, int symbols_off,
> + 		const char *fixup_str = value;
> + 		uint32_t path_len, name_len;
> + 		uint32_t fixup_len;
> +-		char *sep, *endptr;
> ++		const char *sep;
> ++		char *endptr;
> + 		int poffset, ret;
> + 
> + 		fixup_end = memchr(value, '\0', len);
> +diff --git a/meson.build b/meson.build
> +index 8952e8a..ecb0ae0 100644
> +--- a/meson.build
> ++++ b/meson.build
> +@@ -14,7 +14,8 @@ add_project_arguments(
> +     '-Wstrict-prototypes',
> +     '-Wmissing-prototypes',
> +     '-Wredundant-decls',
> +-    '-Wshadow'
> ++    '-Wshadow',
> ++    '-Wdiscarded-qualifiers'
> +   ]),
> +   language: 'c'
> + )
> diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> index 0702fc16dfa..a2f41197fda 100644
> --- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> +++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> @@ -12,6 +12,7 @@ SRC_URI = " \
>      git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \
>      file://0001-meson.build-bump-version-to-1.7.0.patch \
>      file://0002-meson-allow-building-from-shallow-clones.patch \
> +    file://0001-Fix-discarded-const-qualifiers.patch \
>  "
>  SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
>  


-- 
Yoann Congal
Smile ECS

Re: [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43

[Martin Jansa]

On Mon, Mar 30, 2026 at 4:36 PM Yoann Congal <yoann.congal@smile.fr> wrote:
>
> On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
> > From: Martin Jansa <martin.jansa@gmail.com>
> >
> > glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
> > https://errors.yoctoproject.org/Errors/Details/903983/
> >
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
> >   424 |                 sep = memchr(fixup_str, ':', fixup_len);
> >       |                     ^
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
> >   434 |                 sep = memchr(name, ':', fixup_len);
> >       |                     ^
> > cc1: all warnings being treated as errors
> >
> > Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
> > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > [YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
> > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> > ---
>
> Hello Martin,
>
> FYI, while it looked good, this patch and your whole series about glibc
> 2.43 support:
> * [scarthgap 04/11] dtc: backport fix for build with glibc-2.43
> * [scarthgap 05/11] pseudo: Add fix for glibc 2.43
> * [scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates
> * [scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43
> * [scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers
> * [scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host
> ... will be put on hold until I can test it: So, not until Ubuntu 26.04
> is released and the autobuilder gain an Ubuntu 26.04 worker (most likely
> after Wrynose release).

OK, I have similar 7 patch series with additional fix for m4, gettext,
systemd for whinlatter. Should I send it for review or put it on hold
as well?

I've built images with latest 26.04 snapshot in docker with scarthgap,
whinlatter, wrynose for rpi - there might be more native recipes used
for other BSPs (or included only in bitbake world), but build-wise
these 2 series should cover most of it.

Regards,

Re: [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43

[Yoann Congal]

On Mon Mar 30, 2026 at 4:43 PM CEST, Martin Jansa wrote:
> On Mon, Mar 30, 2026 at 4:36 PM Yoann Congal <yoann.congal@smile.fr> wrote:
>>
>> On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
>> > From: Martin Jansa <martin.jansa@gmail.com>
>> >
>> > glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
>> > https://errors.yoctoproject.org/Errors/Details/903983/
>> >
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>> >   424 |                 sep = memchr(fixup_str, ':', fixup_len);
>> >       |                     ^
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>> >   434 |                 sep = memchr(name, ':', fixup_len);
>> >       |                     ^
>> > cc1: all warnings being treated as errors
>> >
>> > Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
>> > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
>> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>> > [YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
>> > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
>> > ---
>>
>> Hello Martin,
>>
>> FYI, while it looked good, this patch and your whole series about glibc
>> 2.43 support:
>> * [scarthgap 04/11] dtc: backport fix for build with glibc-2.43
>> * [scarthgap 05/11] pseudo: Add fix for glibc 2.43
>> * [scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates
>> * [scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43
>> * [scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers
>> * [scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host
>> ... will be put on hold until I can test it: So, not until Ubuntu 26.04
>> is released and the autobuilder gain an Ubuntu 26.04 worker (most likely
>> after Wrynose release).
>
> OK, I have similar 7 patch series with additional fix for m4, gettext,
> systemd for whinlatter. Should I send it for review or put it on hold
> as well?

Hold them as well. For the same reason, I won't be able to accept them
before whinlatter EOL.

> I've built images with latest 26.04 snapshot in docker with scarthgap,
> whinlatter, wrynose for rpi - there might be more native recipes used
> for other BSPs (or included only in bitbake world), but build-wise
> these 2 series should cover most of it.

That's good to know, thanks!

> Regards,
-- 
Yoann Congal
Smile ECS

Re: [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43

[Martin Jansa]

Hello Yoann,

some of the follow-up glibc/gcc patches for ubuntu-26.04 are now in
your contrib/stable/scarthgap-nut, but the 6 changes from this PR are
still removed, is it intentional now when similar changes are going to
be merged in whinlatter? Should I resend the 6 on top of current
stable/scarthgap-nut?

Regards,

On Mon, Mar 30, 2026 at 4:36 PM Yoann Congal <yoann.congal@smile.fr> wrote:
>
> On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
> > From: Martin Jansa <martin.jansa@gmail.com>
> >
> > glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
> > https://errors.yoctoproject.org/Errors/Details/903983/
> >
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
> >   424 |                 sep = memchr(fixup_str, ':', fixup_len);
> >       |                     ^
> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
> >   434 |                 sep = memchr(name, ':', fixup_len);
> >       |                     ^
> > cc1: all warnings being treated as errors
> >
> > Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
> > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > [YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
> > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> > ---
>
> Hello Martin,
>
> FYI, while it looked good, this patch and your whole series about glibc
> 2.43 support:
> * [scarthgap 04/11] dtc: backport fix for build with glibc-2.43
> * [scarthgap 05/11] pseudo: Add fix for glibc 2.43
> * [scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates
> * [scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43
> * [scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers
> * [scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host
> ... will be put on hold until I can test it: So, not until Ubuntu 26.04
> is released and the autobuilder gain an Ubuntu 26.04 worker (most likely
> after Wrynose release).
>
> Thanks!
>
> Regards,
>
> >  .../0001-Fix-discarded-const-qualifiers.patch | 85 +++++++++++++++++++
> >  meta/recipes-kernel/dtc/dtc_1.7.0.bb          |  1 +
> >  2 files changed, 86 insertions(+)
> >  create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
> >
> > diff --git a/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
> > new file mode 100644
> > index 00000000000..c643410ae9b
> > --- /dev/null
> > +++ b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
> > @@ -0,0 +1,85 @@
> > +From 861cb43eb53afff83e28ba0e0f88ffa464ebe8ca Mon Sep 17 00:00:00 2001
> > +From: Stephen Gallagher <sgallagh@redhat.com>
> > +Date: Tue, 6 Jan 2026 14:19:30 -0500
> > +Subject: [PATCH] Fix discarded const qualifiers
> > +
> > +It's unsafe to implicitly discard the const qualifier on a pointer. In
> > +overlay_fixup_phandle(), this was probably just an oversight, and making
> > +the "sep" variable a const char * is sufficient to fix it.
> > +
> > +In create_node(), however, the "p" variable is directly modifying the
> > +buffer pointed to by "const char* node_name". To fix this, we need to
> > +actually make a duplicate of the buffer and operate on that instead.
> > +
> > +This introduces a malloc()/free()  and an unbounded strdup() into the
> > +operation, but fdtput isn't a long-running service and the node_name
> > +argument comes directly from argv, so this shouldn't introduce a
> > +significant performance impact.
> > +
> > +Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
> > +Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
> > +Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
> > +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/libfdt/fdt_overlay.c?h=main&id=9a1c801a1a3c102bf95c5339c9e985b26b823a21]
> > +---
> > + fdtput.c             | 8 +++++---
> > + libfdt/fdt_overlay.c | 3 ++-
> > + meson.build          | 3 ++-
> > + 3 files changed, 9 insertions(+), 5 deletions(-)
> > +
> > +diff --git a/fdtput.c b/fdtput.c
> > +index c2fecf4..8deec7e 100644
> > +--- a/fdtput.c
> > ++++ b/fdtput.c
> > +@@ -230,19 +230,21 @@ static int create_paths(char **blob, const char *in_path)
> > + static int create_node(char **blob, const char *node_name)
> > + {
> > +     int node = 0;
> > +-    char *p;
> > ++    const char *p;
> > ++    char *path = NULL;
> > +
> > +     p = strrchr(node_name, '/');
> > +     if (!p) {
> > +             report_error(node_name, -1, -FDT_ERR_BADPATH);
> > +             return -1;
> > +     }
> > +-    *p = '\0';
> > +
> > +     *blob = realloc_node(*blob, p + 1);
> > +
> > +     if (p > node_name) {
> > +-            node = fdt_path_offset(*blob, node_name);
> > ++            path = xstrndup(node_name, (size_t)(p - node_name));
> > ++            node = fdt_path_offset(*blob, path);
> > ++            free(path);
> > +             if (node < 0) {
> > +                     report_error(node_name, -1, node);
> > +                     return -1;
> > +diff --git a/libfdt/fdt_overlay.c b/libfdt/fdt_overlay.c
> > +index 5c0c398..75b0619 100644
> > +--- a/libfdt/fdt_overlay.c
> > ++++ b/libfdt/fdt_overlay.c
> > +@@ -431,7 +431,8 @@ static int overlay_fixup_phandle(void *fdt, void *fdto, int symbols_off,
> > +             const char *fixup_str = value;
> > +             uint32_t path_len, name_len;
> > +             uint32_t fixup_len;
> > +-            char *sep, *endptr;
> > ++            const char *sep;
> > ++            char *endptr;
> > +             int poffset, ret;
> > +
> > +             fixup_end = memchr(value, '\0', len);
> > +diff --git a/meson.build b/meson.build
> > +index 8952e8a..ecb0ae0 100644
> > +--- a/meson.build
> > ++++ b/meson.build
> > +@@ -14,7 +14,8 @@ add_project_arguments(
> > +     '-Wstrict-prototypes',
> > +     '-Wmissing-prototypes',
> > +     '-Wredundant-decls',
> > +-    '-Wshadow'
> > ++    '-Wshadow',
> > ++    '-Wdiscarded-qualifiers'
> > +   ]),
> > +   language: 'c'
> > + )
> > diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> > index 0702fc16dfa..a2f41197fda 100644
> > --- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> > +++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
> > @@ -12,6 +12,7 @@ SRC_URI = " \
> >      git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \
> >      file://0001-meson.build-bump-version-to-1.7.0.patch \
> >      file://0002-meson-allow-building-from-shallow-clones.patch \
> > +    file://0001-Fix-discarded-const-qualifiers.patch \
> >  "
> >  SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
> >
>
>
> --
> Yoann Congal
> Smile ECS
>

Re: [OE-core][scarthgap 04/11] dtc: backport fix for build with glibc-2.43

[Yoann Congal]

On Mon Apr 20, 2026 at 10:29 AM CEST, Martin Jansa wrote:
> Hello Yoann,
>
> some of the follow-up glibc/gcc patches for ubuntu-26.04 are now in
> your contrib/stable/scarthgap-nut, but the 6 changes from this PR are
> still removed, is it intentional now when similar changes are going to
> be merged in whinlatter?

I've put some patches that I could not apply directly aside to test the
others.

> Should I resend the 6 on top of current
> stable/scarthgap-nut?

Yes, please. :)
That will be easier for me.

Thanks!

>
> Regards,
>
> On Mon, Mar 30, 2026 at 4:36 PM Yoann Congal <yoann.congal@smile.fr> wrote:
>>
>> On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
>> > From: Martin Jansa <martin.jansa@gmail.com>
>> >
>> > glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
>> > https://errors.yoctoproject.org/Errors/Details/903983/
>> >
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>> >   424 |                 sep = memchr(fixup_str, ':', fixup_len);
>> >       |                     ^
>> > ../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
>> >   434 |                 sep = memchr(name, ':', fixup_len);
>> >       |                     ^
>> > cc1: all warnings being treated as errors
>> >
>> > Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
>> > Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
>> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>> > [YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
>> > Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
>> > ---
>>
>> Hello Martin,
>>
>> FYI, while it looked good, this patch and your whole series about glibc
>> 2.43 support:
>> * [scarthgap 04/11] dtc: backport fix for build with glibc-2.43
>> * [scarthgap 05/11] pseudo: Add fix for glibc 2.43
>> * [scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates
>> * [scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43
>> * [scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers
>> * [scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host
>> ... will be put on hold until I can test it: So, not until Ubuntu 26.04
>> is released and the autobuilder gain an Ubuntu 26.04 worker (most likely
>> after Wrynose release).
>>
>> Thanks!
>>
>> Regards,
>>
>> >  .../0001-Fix-discarded-const-qualifiers.patch | 85 +++++++++++++++++++
>> >  meta/recipes-kernel/dtc/dtc_1.7.0.bb          |  1 +
>> >  2 files changed, 86 insertions(+)
>> >  create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
>> >
>> > diff --git a/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
>> > new file mode 100644
>> > index 00000000000..c643410ae9b
>> > --- /dev/null
>> > +++ b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
>> > @@ -0,0 +1,85 @@
>> > +From 861cb43eb53afff83e28ba0e0f88ffa464ebe8ca Mon Sep 17 00:00:00 2001
>> > +From: Stephen Gallagher <sgallagh@redhat.com>
>> > +Date: Tue, 6 Jan 2026 14:19:30 -0500
>> > +Subject: [PATCH] Fix discarded const qualifiers
>> > +
>> > +It's unsafe to implicitly discard the const qualifier on a pointer. In
>> > +overlay_fixup_phandle(), this was probably just an oversight, and making
>> > +the "sep" variable a const char * is sufficient to fix it.
>> > +
>> > +In create_node(), however, the "p" variable is directly modifying the
>> > +buffer pointed to by "const char* node_name". To fix this, we need to
>> > +actually make a duplicate of the buffer and operate on that instead.
>> > +
>> > +This introduces a malloc()/free()  and an unbounded strdup() into the
>> > +operation, but fdtput isn't a long-running service and the node_name
>> > +argument comes directly from argv, so this shouldn't introduce a
>> > +significant performance impact.
>> > +
>> > +Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
>> > +Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
>> > +Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
>> > +Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/libfdt/fdt_overlay.c?h=main&id=9a1c801a1a3c102bf95c5339c9e985b26b823a21]
>> > +---
>> > + fdtput.c             | 8 +++++---
>> > + libfdt/fdt_overlay.c | 3 ++-
>> > + meson.build          | 3 ++-
>> > + 3 files changed, 9 insertions(+), 5 deletions(-)
>> > +
>> > +diff --git a/fdtput.c b/fdtput.c
>> > +index c2fecf4..8deec7e 100644
>> > +--- a/fdtput.c
>> > ++++ b/fdtput.c
>> > +@@ -230,19 +230,21 @@ static int create_paths(char **blob, const char *in_path)
>> > + static int create_node(char **blob, const char *node_name)
>> > + {
>> > +     int node = 0;
>> > +-    char *p;
>> > ++    const char *p;
>> > ++    char *path = NULL;
>> > +
>> > +     p = strrchr(node_name, '/');
>> > +     if (!p) {
>> > +             report_error(node_name, -1, -FDT_ERR_BADPATH);
>> > +             return -1;
>> > +     }
>> > +-    *p = '\0';
>> > +
>> > +     *blob = realloc_node(*blob, p + 1);
>> > +
>> > +     if (p > node_name) {
>> > +-            node = fdt_path_offset(*blob, node_name);
>> > ++            path = xstrndup(node_name, (size_t)(p - node_name));
>> > ++            node = fdt_path_offset(*blob, path);
>> > ++            free(path);
>> > +             if (node < 0) {
>> > +                     report_error(node_name, -1, node);
>> > +                     return -1;
>> > +diff --git a/libfdt/fdt_overlay.c b/libfdt/fdt_overlay.c
>> > +index 5c0c398..75b0619 100644
>> > +--- a/libfdt/fdt_overlay.c
>> > ++++ b/libfdt/fdt_overlay.c
>> > +@@ -431,7 +431,8 @@ static int overlay_fixup_phandle(void *fdt, void *fdto, int symbols_off,
>> > +             const char *fixup_str = value;
>> > +             uint32_t path_len, name_len;
>> > +             uint32_t fixup_len;
>> > +-            char *sep, *endptr;
>> > ++            const char *sep;
>> > ++            char *endptr;
>> > +             int poffset, ret;
>> > +
>> > +             fixup_end = memchr(value, '\0', len);
>> > +diff --git a/meson.build b/meson.build
>> > +index 8952e8a..ecb0ae0 100644
>> > +--- a/meson.build
>> > ++++ b/meson.build
>> > +@@ -14,7 +14,8 @@ add_project_arguments(
>> > +     '-Wstrict-prototypes',
>> > +     '-Wmissing-prototypes',
>> > +     '-Wredundant-decls',
>> > +-    '-Wshadow'
>> > ++    '-Wshadow',
>> > ++    '-Wdiscarded-qualifiers'
>> > +   ]),
>> > +   language: 'c'
>> > + )
>> > diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
>> > index 0702fc16dfa..a2f41197fda 100644
>> > --- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb
>> > +++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
>> > @@ -12,6 +12,7 @@ SRC_URI = " \
>> >      git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \
>> >      file://0001-meson.build-bump-version-to-1.7.0.patch \
>> >      file://0002-meson-allow-building-from-shallow-clones.patch \
>> > +    file://0001-Fix-discarded-const-qualifiers.patch \
>> >  "
>> >  SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
>> >
>>
>>
>> --
>> Yoann Congal
>> Smile ECS
>>


-- 
Yoann Congal
Smile ECS

[OE-core][scarthgap 05/11] pseudo: Add fix for glibc 2.43

[Yoann Congal]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Update to add a fix for a function definition to work with glibc 2.43.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[YC: upstream commit 7d35b0e7929d666af783db835a3a809f8f6ce429]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 0f063f18812..3ae560487bd 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \
     file://older-glibc-symbols.patch"
 SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
 
-SRCREV = "43cbd8fb4914328094ccdb4bb827d74b1bac2046"
+SRCREV = "56e1f8df4761da60e41812fc32b1de797d1765e9"
 S = "${WORKDIR}/git"
 PV = "1.9.3+git"
 

[OE-core][scarthgap 06/11] yocto-uninative: Update to 5.0 for needed patchelf updates

[Yoann Congal]

From: Michael Halstead <mhalstead@linuxfoundation.org>

Solves some segfaults on relocated qemu-img binaries.

[YOCTO #16003]

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b322bc5387f3baedca5c71ccecaed08d2b046eab)
[YC: fixed the commit title]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 3ced03d4771..e9dc6c86408 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -7,9 +7,9 @@
 #
 
 UNINATIVE_MAXGLIBCVERSION = "2.42"
-UNINATIVE_VERSION = "4.9"
+UNINATIVE_VERSION = "5.0"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "812045d826b7fda88944055e8526b95a5a9440bfef608d5b53fd52faab49bf85"
-UNINATIVE_CHECKSUM[i686] ?= "5cc28efd0c15a75de4bcb147c6cce65f1c1c9d442173a220f08427f40a3ffa09"
-UNINATIVE_CHECKSUM[x86_64] ?= "4c03d1ed2b7b4e823aca4a1a23d8f2e322f1770fc10e859adcede5777aff4f3a"
+UNINATIVE_CHECKSUM[aarch64] ?= "a25f2174d0cefcb22af005e9bc72ac01ae83b011c5b6d6d5bf00dac979877f76"
+UNINATIVE_CHECKSUM[i686] ?= "959cc2539b692f9b9862825c7324a0fe4d061fca742f6c259f67f581c59af956"
+UNINATIVE_CHECKSUM[x86_64] ?= "96045e8b1e242c8a849426a8506c7043f354b39f2bc0035192780e8205e23e9d"

[OE-core][scarthgap 07/11] yocto-uninative: Update to 5.1 for glibc 2.43

[Yoann Congal]

From: Michael Halstead <mhalstead@linuxfoundation.org>

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c1fb515f2a88fa0a0e95529afc07a99db001af0e)
[YC: fix duplicated line in commit message]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/conf/distro/include/yocto-uninative.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index e9dc6c86408..d97c96f631f 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,10 +6,10 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.42"
-UNINATIVE_VERSION = "5.0"
+UNINATIVE_MAXGLIBCVERSION = "2.43"
+UNINATIVE_VERSION = "5.1"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "a25f2174d0cefcb22af005e9bc72ac01ae83b011c5b6d6d5bf00dac979877f76"
-UNINATIVE_CHECKSUM[i686] ?= "959cc2539b692f9b9862825c7324a0fe4d061fca742f6c259f67f581c59af956"
-UNINATIVE_CHECKSUM[x86_64] ?= "96045e8b1e242c8a849426a8506c7043f354b39f2bc0035192780e8205e23e9d"
+UNINATIVE_CHECKSUM[aarch64] ?= "4166237a9dabd222dcb9627a9435dffd756764fabf76ed7ef2e93dc2964567ad"
+UNINATIVE_CHECKSUM[i686] ?= "761502cc9aef4d54d0c6fe9418beb9fdd2c6220da6f2b04128c89f47902ab9ae"
+UNINATIVE_CHECKSUM[x86_64] ?= "2b63a078c26535e0786e87f81ae69509df30f4dce40693004c527bd5e4ab2b85"

[OE-core][scarthgap 08/11] elfutils: don't add -Werror to avoid discarded-qualifiers

[Yoann Congal]

From: Martin Jansa <martin.jansa@gmail.com>

With glibc-2.43 on host elfutils-native fails with:
elfutils-0.191/libcpu/riscv_disasm.c:1259:46: error: initialization discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]

elfutils-0.194 in master doesn't have this issue thanks to this patch avoiding -Werror from:
https://git.openembedded.org/openembedded-core/commit/?id=1d6ac3c811798732e6addc798656bbe104661d77

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../elfutils/elfutils_0.191.bb                |  1 +
 ...001-config-eu.am-do-not-force-Werror.patch | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.191.bb b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
index 0fd6d31af19..5156e5c9f6d 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.191.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
            file://0001-tests-Makefile.am-compile-test_nlist-with-standard-C.patch \
            file://0001-debuginfod-Remove-unused-variable.patch \
            file://0001-srcfiles-fix-unused-variable-BUFFER_SIZE.patch \
+           file://0001-config-eu.am-do-not-force-Werror.patch \
            file://CVE-2025-1352.patch \
            file://CVE-2025-1365.patch \
            file://CVE-2025-1372.patch \
diff --git a/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch b/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
new file mode 100644
index 00000000000..d4e141927f1
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
@@ -0,0 +1,34 @@
+From e169c3fc734be1783b3e1a4768dbec05fb64cb4f Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Fri, 22 Nov 2024 12:50:48 +0100
+Subject: [PATCH] config/eu.am: do not force -Werror
+
+This is undesirable when compiler versions may not be the same
+as what upstream is using for their own testing.
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ config/eu.am | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/config/eu.am b/config/eu.am
+index 0b7dab5..5e7a03f 100644
+--- a/config/eu.am
++++ b/config/eu.am
+@@ -99,7 +99,6 @@ AM_CFLAGS = -std=gnu99 -Wall -Wshadow -Wformat=2 \
+ 	    $(LOGICAL_OP_WARNING) $(DUPLICATED_COND_WARNING) \
+ 	    $(NULL_DEREFERENCE_WARNING) $(IMPLICIT_FALLTHROUGH_WARNING) \
+ 	    $(USE_AFTER_FREE3_WARNING) \
+-	    $(if $($(*F)_no_Werror),,-Werror) \
+ 	    $(if $($(*F)_no_Wunused),,-Wunused -Wextra) \
+ 	    $(if $($(*F)_no_Wstack_usage),,$(STACK_USAGE_WARNING)) \
+ 	    $(if $($(*F)_no_Wpacked_not_aligned),$(NO_PACKED_NOT_ALIGNED_WARNING),) \
+@@ -109,7 +108,6 @@ AM_CXXFLAGS = -std=c++11 -Wall -Wshadow \
+ 	   $(TRAMPOLINES_WARNING) \
+ 	   $(LOGICAL_OP_WARNING) $(DUPLICATED_COND_WARNING) \
+ 	   $(NULL_DEREFERENCE_WARNING) $(IMPLICIT_FALLTHROUGH_WARNING) \
+-	   $(if $($(*F)_no_Werror),,-Werror) \
+ 	   $(if $($(*F)_no_Wunused),,-Wunused -Wextra) \
+ 	   $(if $($(*F)_no_Wstack_usage),,$(STACK_USAGE_WARNING)) \
+ 	   $(if $($(*F)_no_Wpacked_not_aligned),$(NO_PACKED_NOT_ALIGNED_WARNING),) \

[OE-core][scarthgap 09/11] binutils: backport patch to fix build with glibc-2.43 on host

[Yoann Congal]

From: Martin Jansa <martin.jansa@gmail.com>

Fixes:
../../../gprofng/libcollector/linetrace.c: In function ‘__collector_ext_line_install’:
../../../gprofng/libcollector/linetrace.c:219:45: error: expected identifier before ‘_Generic’
  219 |   if (java_follow_env != NULL && CALL_UTIL (strstr)(java_follow_env, COLLECTOR_JVMTI_OPTION))
      |                                             ^~~~~~
../../../gprofng/libcollector/linetrace.c:219:34: note: in expansion of macro ‘CALL_UTIL’
  219 |   if (java_follow_env != NULL && CALL_UTIL (strstr)(java_follow_env, COLLECTOR_JVMTI_OPTION))
      |                                  ^~~~~~~~~

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../binutils/binutils-2.42.inc                |  1 +
 ...tect-against-standard-library-macros.patch | 31 +++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 839d31242ef..36bd49ad03d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -43,6 +43,7 @@ SRC_URI = "\
      file://0019-Fix-32097-Warnings-when-building-gprofng-with-Clang.patch \
      file://0020-gprofng-fix-std-gnu23-compatibility-wrt-unprototyped.patch \
      file://0021-gprofng-fix-build-with-std-gnu23.patch \
+     file://0022-gprofng-protect-against-standard-library-macros.patch \
      file://0018-CVE-2025-0840.patch \
      file://CVE-2025-1176.patch \
      file://CVE-2025-1178.patch \
diff --git a/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch b/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
new file mode 100644
index 00000000000..0fa0a939918
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
@@ -0,0 +1,31 @@
+From 5f66aee7f4bec7a2d8378034116f5e5c3dc50f41 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Sat, 22 Nov 2025 11:29:43 +0100
+Subject: [PATCH] gprofng: protect against standard library macros
+
+The CALL_UTIL macro can expand to an unparsable expression of the argument
+is a macro, like with the new const-preserving standard library macros in
+C23.
+
+	* gprofng/src/collector_module.h (CALL_UTIL): Add parens to not
+	expand its argument if it is a function-like macro.
+
+Upstream-Status: Backport [2.46 5f66aee7f4bec7a2d8378034116f5e5c3dc50f41]
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+---
+ gprofng/src/collector_module.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gprofng/src/collector_module.h b/gprofng/src/collector_module.h
+index b64d69c45ab..859a6dd1f7d 100644
+--- a/gprofng/src/collector_module.h
++++ b/gprofng/src/collector_module.h
+@@ -119,7 +119,7 @@ typedef struct CollectorUtilFuncs
+ extern CollectorUtilFuncs __collector_util_funcs;
+ extern int __collector_dlsym_guard;
+ 
+-#define CALL_UTIL(x) __collector_util_funcs.x
++#define CALL_UTIL(x) (__collector_util_funcs.x)
+ 
+ /* The following constants define the meaning of the "void *arg"
+  * argument of getFrameInfo().

[OE-core][scarthgap 10/11] python3-pyopenssl: Fix CVE-2026-27448

[Yoann Congal]

From: Vijay Anusuri <vanusuri@mvista.com>

Pick patch mentioned in NVD

[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448
[2] https://ubuntu.com/security/CVE-2026-27448

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../python3-pyopenssl/CVE-2026-27448.patch    | 124 ++++++++++++++++++
 .../python/python3-pyopenssl_24.0.0.bb        |   4 +
 2 files changed, 128 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch

diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
new file mode 100644
index 00000000000..87f46b4cb0f
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
@@ -0,0 +1,124 @@
+From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 16 Feb 2026 21:04:37 -0500
+Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback callbacks
+ (#1478)
+
+When the servername callback raises an exception, call sys.excepthook
+with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort
+the handshake. Previously, exceptions would propagate uncaught through
+the CFFI callback boundary.
+
+https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi
+
+Co-authored-by: Claude <noreply@anthropic.com>
+
+Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0]
+CVE: CVE-2026-27448
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CHANGELOG.rst      |  1 +
+ src/OpenSSL/SSL.py |  7 ++++++-
+ tests/test_ssl.py  | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 57 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 6e23770..12e60e4 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -18,6 +18,7 @@ Changes:
+ 
+ - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
+   `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.
++- ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
+ 
+ 23.3.0 (2023-10-25)
+ -------------------
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index 4db5240..a6263c4 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -1,5 +1,6 @@
+ import os
+ import socket
++import sys
+ import typing
+ from errno import errorcode
+ from functools import partial, wraps
+@@ -1567,7 +1568,11 @@ class Context:
+ 
+         @wraps(callback)
+         def wrapper(ssl, alert, arg):
+-            callback(Connection._reverse_mapping[ssl])
++            try:
++                callback(Connection._reverse_mapping[ssl])
++            except Exception:
++                sys.excepthook(*sys.exc_info())
++                return _lib.SSL_TLSEXT_ERR_ALERT_FATAL
+             return 0
+ 
+         self._tlsext_servername_callback = _ffi.callback(
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index ca5bf83..55489b9 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -1855,6 +1855,56 @@ class TestServerNameCallback:
+ 
+         assert args == [(server, b"foo1.example.com")]
+ 
++    def test_servername_callback_exception(
++        self, monkeypatch: pytest.MonkeyPatch
++    ) -> None:
++        """
++        When the callback passed to `Context.set_tlsext_servername_callback`
++        raises an exception, ``sys.excepthook`` is called with the exception
++        and the handshake fails with an ``Error``.
++        """
++        exc = TypeError("server name callback failed")
++
++        def servername(conn: Connection) -> None:
++            raise exc
++
++        excepthook_calls: list[
++            tuple[type[BaseException], BaseException, object]
++        ] = []
++
++        def custom_excepthook(
++            exc_type: type[BaseException],
++            exc_value: BaseException,
++            exc_tb: object,
++        ) -> None:
++            excepthook_calls.append((exc_type, exc_value, exc_tb))
++
++        context = Context(SSLv23_METHOD)
++        context.set_tlsext_servername_callback(servername)
++
++        # Necessary to actually accept the connection
++        context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++        context.use_certificate(
++            load_certificate(FILETYPE_PEM, server_cert_pem)
++        )
++
++        # Do a little connection to trigger the logic
++        server = Connection(context, None)
++        server.set_accept_state()
++
++        client = Connection(Context(SSLv23_METHOD), None)
++        client.set_connect_state()
++        client.set_tlsext_host_name(b"foo1.example.com")
++
++        monkeypatch.setattr(sys, "excepthook", custom_excepthook)
++        with pytest.raises(Error):
++            interact_in_memory(server, client)
++
++        assert len(excepthook_calls) == 1
++        assert excepthook_calls[0][0] is TypeError
++        assert excepthook_calls[0][1] is exc
++        assert excepthook_calls[0][2] is not None
++
+ 
+ class TestApplicationLayerProtoNegotiation:
+     """
+-- 
+2.43.0
+
diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
index 116f214bfa8..bc0b568a46a 100644
--- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
+++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
@@ -10,6 +10,10 @@ SRC_URI[sha256sum] = "6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a33
 PYPI_PACKAGE = "pyOpenSSL"
 inherit pypi setuptools3
 
+SRC_URI += " \
+    file://CVE-2026-27448.patch \
+"
+
 PACKAGES =+ "${PN}-tests"
 FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test"
 

[OE-core][scarthgap 11/11] python3-pyopenssl: Fix CVE-2026-27459

[Yoann Congal]

From: Vijay Anusuri <vanusuri@mvista.com>

Pick patch mentioned in NVD

[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459
[2] https://ubuntu.com/security/CVE-2026-27459

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../python3-pyopenssl/CVE-2026-27459.patch    | 109 ++++++++++++++++++
 .../python/python3-pyopenssl_24.0.0.bb        |   1 +
 2 files changed, 110 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch

diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
new file mode 100644
index 00000000000..f75540f96e0
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
@@ -0,0 +1,109 @@
+From 57f09bb4bb051d3bc2a1abd36e9525313d5cd408 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 18 Feb 2026 07:46:15 -0500
+Subject: [PATCH] Fix buffer overflow in DTLS cookie generation callback
+ (#1479)
+
+The cookie generate callback copied user-returned bytes into a
+fixed-size native buffer without enforcing a maximum length. A
+callback returning more than DTLS1_COOKIE_LENGTH bytes would overflow
+the OpenSSL-provided buffer, corrupting adjacent memory.
+
+Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
+
+Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408]
+CVE: CVE-2026-27459
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CHANGELOG.rst      |  1 +
+ src/OpenSSL/SSL.py |  7 +++++++
+ tests/test_ssl.py  | 38 ++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 12e60e4..6041fdc 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -16,6 +16,7 @@ Deprecations:
+ Changes:
+ ^^^^^^^^
+ 
++- Properly raise an error if a DTLS cookie callback returned a cookie longer than ``DTLS1_COOKIE_LENGTH`` bytes. Previously this would result in a buffer-overflow.
+ - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
+   `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.
+ - ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index a6263c4..2e4da78 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -691,11 +691,18 @@ class _CookieGenerateCallbackHelper(_CallbackExceptionHelper):
+     def __init__(self, callback):
+         _CallbackExceptionHelper.__init__(self)
+ 
++        max_cookie_len = getattr(_lib, "DTLS1_COOKIE_LENGTH", 255)
++
+         @wraps(callback)
+         def wrapper(ssl, out, outlen):
+             try:
+                 conn = Connection._reverse_mapping[ssl]
+                 cookie = callback(conn)
++                if len(cookie) > max_cookie_len:
++                    raise ValueError(
++                        f"Cookie too long (got {len(cookie)} bytes, "
++                        f"max {max_cookie_len})"
++                    )
+                 out[0 : len(cookie)] = cookie
+                 outlen[0] = len(cookie)
+                 return 1
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index 55489b9..683e368 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -4560,6 +4560,44 @@ class TestDTLS:
+     def test_it_works_with_srtp(self):
+         self._test_handshake_and_data(srtp_profile=b"SRTP_AES128_CM_SHA1_80")
+ 
++    def test_cookie_generate_too_long(self) -> None:
++        s_ctx = Context(DTLS_METHOD)
++
++        def generate_cookie(ssl: Connection) -> bytes:
++            return b"\x00" * 256
++
++        def verify_cookie(ssl: Connection, cookie: bytes) -> bool:
++            return True
++
++        s_ctx.set_cookie_generate_callback(generate_cookie)
++        s_ctx.set_cookie_verify_callback(verify_cookie)
++        s_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++        s_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
++        s_ctx.set_options(OP_NO_QUERY_MTU)
++        s = Connection(s_ctx)
++        s.set_accept_state()
++
++        c_ctx = Context(DTLS_METHOD)
++        c_ctx.set_options(OP_NO_QUERY_MTU)
++        c = Connection(c_ctx)
++        c.set_connect_state()
++
++        c.set_ciphertext_mtu(1500)
++        s.set_ciphertext_mtu(1500)
++
++        # Client sends ClientHello
++        try:
++            c.do_handshake()
++        except SSL.WantReadError:
++            pass
++        chunk = c.bio_read(self.LARGE_BUFFER)
++        s.bio_write(chunk)
++
++        # Server tries DTLSv1_listen, which triggers cookie generation.
++        # The oversized cookie should raise ValueError.
++        with pytest.raises(ValueError, match="Cookie too long"):
++            s.DTLSv1_listen()
++
+     def test_timeout(self, monkeypatch):
+         c_ctx = Context(DTLS_METHOD)
+         c = Connection(c_ctx)
+-- 
+2.43.0
+
diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
index bc0b568a46a..94a70aa17d1 100644
--- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
+++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
@@ -12,6 +12,7 @@ inherit pypi setuptools3
 
 SRC_URI += " \
     file://CVE-2026-27448.patch \
+    file://CVE-2026-27459.patch \
 "
 
 PACKAGES =+ "${PN}-tests"

Re: [OE-core][scarthgap 00/11] Patch review

[Yoann Congal]

On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
> Please review this set of changes for scarthgap and have comments back by
> end of day Tuesday, March 31.
>
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
> Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
> Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551

That second build is successful. (Only a warning from VNC integration on
autobuilder, I'll send a patch)

> [0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t
>
> The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:
>
>   Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)
>
> are available in the Git repository at:
>
>   https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
>   https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
>
> for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:
>
>   python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)
>
> ----------------------------------------------------------------
>
> João Marcos Costa (Schneider Electric) (1):
>   spdx: add option to include only compiled sources
>
> Martin Jansa (3):
>   dtc: backport fix for build with glibc-2.43
>   elfutils: don't add -Werror to avoid discarded-qualifiers
>   binutils: backport patch to fix build with glibc-2.43 on host
>
> Michael Halstead (2):
>   yocto-uninative: Update to 5.0 for needed patchelf updates
>   yocto-uninative: Update to 5.1 for glibc 2.43
>
> Nguyen Dat Tho (1):
>   python3-cryptography: Fix CVE-2026-26007
>
> Paul Barker (1):
>   tzdata,tzcode-native: Upgrade 2025b -> 2025c
>
> Richard Purdie (1):
>   pseudo: Add fix for glibc 2.43
>
> Vijay Anusuri (2):
>   python3-pyopenssl: Fix CVE-2026-27448
>   python3-pyopenssl: Fix CVE-2026-27459
>
>  meta/classes/spdx-common.bbclass              |   3 +
>  meta/conf/distro/include/yocto-uninative.inc  |  10 +-
>  meta/lib/oe/spdx30_tasks.py                   |  12 ++
>  .../binutils/binutils-2.42.inc                |   1 +
>  ...tect-against-standard-library-macros.patch |  31 ++++
>  .../elfutils/elfutils_0.191.bb                |   1 +
>  ...001-config-eu.am-do-not-force-Werror.patch |  34 ++++
>  meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
>  .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++
>  .../python/python3-cryptography_42.0.5.bb     |   1 +
>  .../python3-pyopenssl/CVE-2026-27448.patch    | 124 +++++++++++++++
>  .../python3-pyopenssl/CVE-2026-27459.patch    | 109 +++++++++++++
>  .../python/python3-pyopenssl_24.0.0.bb        |   5 +
>  meta/recipes-extended/timezone/timezone.inc   |   6 +-
>  .../0001-Fix-discarded-const-qualifiers.patch |  85 ++++++++++
>  meta/recipes-kernel/dtc/dtc_1.7.0.bb          |   1 +
>  16 files changed, 565 insertions(+), 9 deletions(-)
>  create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
>  create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
>  create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
>  create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
>  create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
>  create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch


-- 
Yoann Congal
Smile ECS

Re: [OE-core][scarthgap 00/11] Patch review

[Joao Marcos Costa]

Hello, Yoan


On 3/30/26 00:46, Yoann Congal via lists.openembedded.org wrote:
> Please review this set of changes for scarthgap and have comments back by
> end of day Tuesday, March 31.
> 
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
> Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
> Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551
> 
> [0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t
> 
> The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:
> 
>    Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)
> 
> are available in the Git repository at:
> 
>    https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
>    https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
> 
> for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:
> 
>    python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)
> 
> ----------------------------------------------------------------
> 
> João Marcos Costa (Schneider Electric) (1):
>    spdx: add option to include only compiled sources
> 
> Martin Jansa (3):
>    dtc: backport fix for build with glibc-2.43
>    elfutils: don't add -Werror to avoid discarded-qualifiers
>    binutils: backport patch to fix build with glibc-2.43 on host
> 
> Michael Halstead (2):
>    yocto-uninative: Update to 5.0 for needed patchelf updates
>    yocto-uninative: Update to 5.1 for glibc 2.43
> 
> Nguyen Dat Tho (1):
>    python3-cryptography: Fix CVE-2026-26007
> 
> Paul Barker (1):
>    tzdata,tzcode-native: Upgrade 2025b -> 2025c
> 
> Richard Purdie (1):
>    pseudo: Add fix for glibc 2.43
> 
> Vijay Anusuri (2):
>    python3-pyopenssl: Fix CVE-2026-27448
>    python3-pyopenssl: Fix CVE-2026-27459
(...)

Was the commit below not picked, or am I missing something?

commit b24d5cda19136fb8120154279eedd55d162b4640
Author: João Marcos Costa (Schneider Electric) 
<joaomarcos.costa@bootlin.com>
Date:   Fri Apr 3 11:32:30 2026 +0200

     linux-yocto/6.6: update CVE exclusions (6.6.123)

     This new version of cve-exclusion_6.6.inc was generated with oe-core's
     latest version of the generate-cve-exclusions.py.

     Regarding the database used and how this file was generated:

     Generated at 2026-04-03 09:30:32.247568+00:00 for kernel version 
6.6.123
     From cvelistV5 cve_2026-04-03_0700Z

     The backporting of the generate-cve-exclusions.py script from master to
     Scarthgap is handled in a different patch.

     Signed-off-by: João Marcos Costa (Schneider Electric) 
<joaomarcos.costa@bootlin.com>

However, I see the commit below, prior to this one, was kept:

linux/generate-cve-exclusions: backport script from master branch

I'm not really used to the backports schedule/workflow, so please excuse 
me if I misinterpreted something.

Thanks!

-- 
Best regards,
João Marcos Costa

Re: [OE-core][scarthgap 00/11] Patch review

[Yoann Congal]

On Mon Apr 20, 2026 at 10:44 AM CEST, Joao Marcos Costa wrote:
> Hello, Yoan
>
>
> On 3/30/26 00:46, Yoann Congal via lists.openembedded.org wrote:
>> Please review this set of changes for scarthgap and have comments back by
>> end of day Tuesday, March 31.
> (...)
>
> Was the commit below not picked, or am I missing something?
>
> commit b24d5cda19136fb8120154279eedd55d162b4640
> Author: João Marcos Costa (Schneider Electric) 
> <joaomarcos.costa@bootlin.com>
> Date:   Fri Apr 3 11:32:30 2026 +0200
>
>      linux-yocto/6.6: update CVE exclusions (6.6.123)
>
>      This new version of cve-exclusion_6.6.inc was generated with oe-core's
>      latest version of the generate-cve-exclusions.py.
>
>      Regarding the database used and how this file was generated:
>
>      Generated at 2026-04-03 09:30:32.247568+00:00 for kernel version 
> 6.6.123
>      From cvelistV5 cve_2026-04-03_0700Z
>
>      The backporting of the generate-cve-exclusions.py script from master to
>      Scarthgap is handled in a different patch.
>
>      Signed-off-by: João Marcos Costa (Schneider Electric) 
> <joaomarcos.costa@bootlin.com>
>
> However, I see the commit below, prior to this one, was kept:
>
> linux/generate-cve-exclusions: backport script from master branch
>
> I'm not really used to the backports schedule/workflow, so please excuse 
> me if I misinterpreted something.
>
> Thanks!

This patch triggered a problem in our infra. I received it directly from
you but it is missing from lore. And lore feeds patchwork, and I use
patchwork to prepare my review branch...

This is a known problem: 16167 – Missing (big) patch in patchwork
https://bugzilla.yoctoproject.org/show_bug.cgi?id=16167

I've reopened and added your patch to the bug log.

I will now integrate your patch in my review branch.

Thanks for the report, otherwise I would have missed it.

I'll try to check for this issue in the future but this will be hard to
spot. If you send a similar patch in the future don't hesitate to ping
me if you see it missing during the patch review period.

Regards,
-- 
Yoann Congal
Smile ECS

Re: [OE-core][scarthgap 00/11] Patch review

[Joao Marcos Costa]

Hello,

On 4/20/26 11:21, Yoann Congal via lists.openembedded.org wrote:
> On Mon Apr 20, 2026 at 10:44 AM CEST, Joao Marcos Costa wrote:
>> Hello, Yoan
>>
>>
>> On 3/30/26 00:46, Yoann Congal via lists.openembedded.org wrote:
>>> Please review this set of changes for scarthgap and have comments back by
>>> end of day Tuesday, March 31.
>> (...)
>>
>> Was the commit below not picked, or am I missing something?
>>
>> commit b24d5cda19136fb8120154279eedd55d162b4640
>> Author: João Marcos Costa (Schneider Electric)
>> <joaomarcos.costa@bootlin.com>
>> Date:   Fri Apr 3 11:32:30 2026 +0200
>>
>>       linux-yocto/6.6: update CVE exclusions (6.6.123)
>>
>>       This new version of cve-exclusion_6.6.inc was generated with oe-core's
>>       latest version of the generate-cve-exclusions.py.
>>
>>       Regarding the database used and how this file was generated:
>>
>>       Generated at 2026-04-03 09:30:32.247568+00:00 for kernel version
>> 6.6.123
>>       From cvelistV5 cve_2026-04-03_0700Z
>>
>>       The backporting of the generate-cve-exclusions.py script from master to
>>       Scarthgap is handled in a different patch.
>>
>>       Signed-off-by: João Marcos Costa (Schneider Electric)
>> <joaomarcos.costa@bootlin.com>
>>
>> However, I see the commit below, prior to this one, was kept:
>>
>> linux/generate-cve-exclusions: backport script from master branch
>>
>> I'm not really used to the backports schedule/workflow, so please excuse
>> me if I misinterpreted something.
>>
>> Thanks!
> 
> This patch triggered a problem in our infra. I received it directly from
> you but it is missing from lore. And lore feeds patchwork, and I use
> patchwork to prepare my review branch...
> 
> This is a known problem: 16167 – Missing (big) patch in patchwork
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=16167
> 
> I've reopened and added your patch to the bug log.
> 
> I will now integrate your patch in my review branch.
> 
> Thanks for the report, otherwise I would have missed it.
> 
> I'll try to check for this issue in the future but this will be hard to
> spot. If you send a similar patch in the future don't hesitate to ping
> me if you see it missing during the patch review period.
> 
> Regards,

Ack. Thanks!


-- 
Best regards,
João Marcos Costa