[OE-core][scarthgap][PATCH 1/3] ffmpeg: upgrade 6.1.3 -> 6.1.4

[OE-core][scarthgap][PATCH 1/3] ffmpeg: upgrade 6.1.3 -> 6.1.4

[ankur.tyagi85]

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Dropped patches that are part of the upstream version.

Changelog:
https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/34277e12e80031c7f89494ba543684bc1dd0be8f:/Changelog

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 .../ffmpeg/ffmpeg/CVE-2024-35365.patch        |  62 -----------
 .../ffmpeg/ffmpeg/CVE-2024-36618.patch        |  36 ------
 .../ffmpeg/ffmpeg/CVE-2025-1594.patch         | 105 ------------------
 .../{ffmpeg_6.1.3.bb => ffmpeg_6.1.4.bb}      |   5 +-
 4 files changed, 1 insertion(+), 207 deletions(-)
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
 rename meta/recipes-multimedia/ffmpeg/{ffmpeg_6.1.3.bb => ffmpeg_6.1.4.bb} (98%)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch
deleted file mode 100644
index 2b5646e07c..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35365.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5 Mon Sep 17 00:00:00 2001
-From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
-Date: Mon, 25 Mar 2024 16:54:25 +0100
-Subject: [PATCH] fftools/ffmpeg_mux_init: Fix double-free on error
-
-MATCH_PER_STREAM_OPT iterates over all options of a given
-OptionDef and tests whether they apply to the current stream;
-if so, they are set to ost->apad, otherwise, the code errors
-out. If no error happens, ost->apad is av_strdup'ed in order
-to take ownership of this pointer.
-
-But this means that setting it originally was premature,
-as it leads to double-frees when an error happens lateron.
-This can simply be reproduced with
-ffmpeg -filter_complex anullsrc  -apad bar -apad:n baz -f null -
-This is a regression since 83ace80bfd80fcdba2c65fa1d554923ea931d5bd.
-
-Fix this by using a temporary variable instead of directly
-setting ost->apad. Also only strdup the string if it actually
-is != NULL.
-
-Reviewed-by: Marth64 <marth64@proxyid.net>
-Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
-
-CVE: CVE-2024-35365
-
-Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/ced5c5fdb8634d39ca9472a2026b2d2fea16c4e5]
-
-Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
----
- fftools/ffmpeg_mux_init.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/fftools/ffmpeg_mux_init.c b/fftools/ffmpeg_mux_init.c
-index 63a25a3..685c064 100644
---- a/fftools/ffmpeg_mux_init.c
-+++ b/fftools/ffmpeg_mux_init.c
-@@ -845,6 +845,7 @@ static int new_stream_audio(Muxer *mux, const OptionsContext *o,
-         int channels = 0;
-         char *layout = NULL;
-         char *sample_fmt = NULL;
-+        const char *apad = NULL;
-
-         MATCH_PER_STREAM_OPT(audio_channels, i, channels, oc, st);
-         if (channels) {
-@@ -882,8 +883,12 @@ static int new_stream_audio(Muxer *mux, const OptionsContext *o,
-
-         MATCH_PER_STREAM_OPT(audio_sample_rate, i, audio_enc->sample_rate, oc, st);
-
--        MATCH_PER_STREAM_OPT(apad, str, ost->apad, oc, st);
--        ost->apad = av_strdup(ost->apad);
-+        MATCH_PER_STREAM_OPT(apad, str, apad, oc, st);
-+        if (apad) {
-+            ost->apad = av_strdup(apad);
-+            if (!ost->apad)
-+                return AVERROR(ENOMEM);
-+        }
-
- #if FFMPEG_OPT_MAP_CHANNEL
-         /* check for channel mapping for this audio stream */
---
-2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
deleted file mode 100644
index 5caca2da7c..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36618.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 7a089ed8e049e3bfcb22de1250b86f2106060857 Mon Sep 17 00:00:00 2001
-From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
-Date: Tue, 12 Mar 2024 23:23:17 +0100
-Subject: [PATCH] avformat/avidec: Fix integer overflow iff ULONG_MAX <
- INT64_MAX
-
-Affects many FATE-tests, see
-https://fate.ffmpeg.org/report.cgi?time=20240312011016&slot=ppc-linux-gcc-13.2-ubsan-altivec-qemu
-
-Reviewed-by: James Almer <jamrial@gmail.com>
-Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
-
-CVE: CVE-2024-36618
-
-Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/7a089ed8e049e3bfcb22de1250b86f2106060857]
-
-Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
----
- libavformat/avidec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libavformat/avidec.c b/libavformat/avidec.c
-index 00bd7a9..bc95466 100644
---- a/libavformat/avidec.c
-+++ b/libavformat/avidec.c
-@@ -1696,7 +1696,7 @@ static int check_stream_max_drift(AVFormatContext *s)
-     int *idx = av_calloc(s->nb_streams, sizeof(*idx));
-     if (!idx)
-         return AVERROR(ENOMEM);
--    for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1LU) {
-+    for (min_pos = pos = 0; min_pos != INT64_MAX; pos = min_pos + 1ULL) {
-         int64_t max_dts = INT64_MIN / 2;
-         int64_t min_dts = INT64_MAX / 2;
-         int64_t max_buffer = 0;
---
-2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
deleted file mode 100644
index af71055c02..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-1594.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From bedfb6eca402037f5cbb115fa767d106b8c14f1c Mon Sep 17 00:00:00 2001
-From: Lynne <dev@lynne.ee>
-Date: Sat, 8 Feb 2025 04:35:31 +0100
-Subject: [PATCH] aacenc_tns: clamp filter direction energy measurement
-
-The issue is that:
-
-float en[2];
-...
-tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
-for (g = 0; g < tns->n_filt[w]; g++) {
-    tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
-
-When using the AAC Main profile, n_filt = 3, and slant is by
-default 2 (normal long frames), g can go above 1.
-
-en is the evolution of energy in the frequency domain for every
-band at the given window. E.g. whether the energy is concentrated
-at the top of each band, or the bottom.
-
-For 2-pole filters, its straightforward.
-For 3-pole filters, we need more than 2 measurements.
-
-This commit properly implements support for 3-pole filters, by measuring
-the band energy across three areas.
-
-Do note that even xHE-AAC caps n_filt to 2, and only AAC Main allows
-n_filt == 3.
-
-Fixes https://trac.ffmpeg.org/ticket/11418
-
-CVE: CVE-2025-1594
-
-Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/bedfb6eca402037f5cbb115fa767d106b8c14f1c]
-
-Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
----
- libavcodec/aacenc_tns.c | 33 ++++++++++++++++++++++++---------
- 1 file changed, 24 insertions(+), 9 deletions(-)
-
-diff --git a/libavcodec/aacenc_tns.c b/libavcodec/aacenc_tns.c
-index 8dc6dfc..9ea3506 100644
---- a/libavcodec/aacenc_tns.c
-+++ b/libavcodec/aacenc_tns.c
-@@ -172,6 +172,7 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
-                       sce->ics.window_sequence[0] == LONG_START_SEQUENCE ? 0 : 2;
-     const int sfb_len = sfb_end - sfb_start;
-     const int coef_len = sce->ics.swb_offset[sfb_end] - sce->ics.swb_offset[sfb_start];
-+    const int n_filt = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
- 
-     if (coef_len <= 0 || sfb_len <= 0) {
-         sce->tns.present = 0;
-@@ -179,16 +180,30 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
-     }
- 
-     for (w = 0; w < sce->ics.num_windows; w++) {
--        float en[2] = {0.0f, 0.0f};
-+	float en[4] = {0.0f, 0.0f, 0.0f, 0.0f};
-         int oc_start = 0, os_start = 0;
-         int coef_start = sce->ics.swb_offset[sfb_start];
- 
--        for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
--            FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
--            if (g > sfb_start + (sfb_len/2))
--                en[1] += band->energy;
--            else
--                en[0] += band->energy;
-+	if (n_filt == 2) {
-+            for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
-+                FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
-+                    if (g > sfb_start + (sfb_len/2))
-+                        en[1] += band->energy; /* End */
-+                    else
-+                        en[0] += band->energy; /* Start */
-+            }
-+            en[2] = en[0];
-+        } else {
-+            for (g = sfb_start; g < sce->ics.num_swb && g <= sfb_end; g++) {
-+                FFPsyBand *band = &s->psy.ch[s->cur_channel].psy_bands[w*16+g];
-+                    if (g > sfb_start + (sfb_len/2) + (sfb_len/4))
-+                        en[2] += band->energy; /* End */
-+                    else if (g > sfb_start + (sfb_len/2) - (sfb_len/4))
-+                        en[1] += band->energy; /* Middle */
-+                    else
-+                        en[0] += band->energy; /* Start */
-+            }
-+            en[3] = en[0];
-         }
- 
-         /* LPC */
-@@ -198,9 +213,9 @@ void ff_aac_search_for_tns(AACEncContext *s, SingleChannelElement *sce)
-         if (!order || !isfinite(gain) || gain < TNS_GAIN_THRESHOLD_LOW || gain > TNS_GAIN_THRESHOLD_HIGH)
-             continue;
- 
--        tns->n_filt[w] = is8 ? 1 : order != TNS_MAX_ORDER ? 2 : 3;
-+	tns->n_filt[w] = n_filt;
-         for (g = 0; g < tns->n_filt[w]; g++) {
--            tns->direction[w][g] = slant != 2 ? slant : en[g] < en[!g];
-+	    tns->direction[w][g] = slant != 2 ? slant : en[g] < en[g + 1];
-             tns->order[w][g] = g < tns->n_filt[w] ? order/tns->n_filt[w] : order - oc_start;
-             tns->length[w][g] = g < tns->n_filt[w] ? sfb_len/tns->n_filt[w] : sfb_len - os_start;
-             quantize_coefs(&coefs[oc_start], tns->coef_idx[w][g], tns->coef[w][g],
--- 
-2.40.0
-
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.3.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb
similarity index 98%
rename from meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.3.bb
rename to meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb
index 38c6d1f2b7..8b0b7cfd6e 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.3.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb
@@ -29,15 +29,12 @@ SRC_URI = " \
     file://vulkan_fix_gcc14.patch \
     file://CVE-2024-28661.patch \
     file://CVE-2023-49528.patch \
-    file://CVE-2024-35365.patch \
-    file://CVE-2024-36618.patch \
     file://CVE-2024-35369.patch \
     file://CVE-2025-25473.patch \
     file://CVE-2025-22921.patch \
-    file://CVE-2025-1594.patch \
 "
 
-SRC_URI[sha256sum] = "bc5f1e4a4d283a6492354684ee1124129c52293bcfc6a9169193539fbece3487"
+SRC_URI[sha256sum] = "a231e3d5742c44b1cdaebfb98ad7b6200d12763e0b6db9e1e2c5891f2c083a18"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-39018
 # https://github.com/bramp/ffmpeg-cli-wrapper/issues/291

[OE-core][scarthgap][PATCH 2/3] ffmpeg: ignore CVE-2025-25469

[ankur.tyagi85]

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details https://nvd.nist.gov/vuln/detail/CVE-2025-25469

This vulnerability exists in IAMF (Immersive Audio Model and Formats demuxer)
which was introduced in version 7.0 [1]

$ git tag --contains 4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b
n7.0
n7.0.1
n7.0.2
n7.0.3
n7.1
n7.1-dev
n7.1.1
n7.1.2
n7.1.3
n7.2-dev
n8.0
n8.0.1
n8.1-dev

[1] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb
index 8b0b7cfd6e..c1536015d9 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb
@@ -51,6 +51,8 @@ CVE_STATUS_GROUPS += "CVE_STATUS_FIXED_61x"
 CVE_STATUS_FIXED_61x = "CVE-2023-49502 CVE-2023-50007 CVE-2023-50008 CVE-2023-50009 CVE-2023-50010 CVE-2024-31578 CVE-2024-31582 CVE-2024-31585"
 CVE_STATUS_FIXED_61x[status] = "cpe-incorrect:these CVEs are fixed in 6.1.x"
 
+CVE_STATUS[CVE-2025-25469] = "cpe-incorrect: Current version (6.1.4) is not impacted."
+
 # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"

[OE-core][scarthgap][PATCH 3/3] vim: ignore CVE-2025-66476

[ankur.tyagi85]

From: Ankur Tyagi <ankur.tyagi85@gmail.com>

Details https://nvd.nist.gov/vuln/detail/CVE-2025-66476

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
---
 meta/recipes-support/vim/vim_9.1.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/vim/vim_9.1.bb b/meta/recipes-support/vim/vim_9.1.bb
index fee9f055e9..c492342ffb 100644
--- a/meta/recipes-support/vim/vim_9.1.bb
+++ b/meta/recipes-support/vim/vim_9.1.bb
@@ -21,3 +21,5 @@ ALTERNATIVE_LINK_NAME[xxd] = "${bindir}/xxd"
 # in many places for _FORTIFY_SOURCE=2.  Security flags become part of CC.
 #
 lcl_maybe_fortify = "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=1',d)}"
+
+CVE_STATUS[CVE-2025-66476] = "not-applicable-platform: Issue only applies on Windows"

Re: [OE-core][scarthgap][PATCH 3/3] vim: ignore CVE-2025-66476

[Yoann Congal]

[-- Attachment #1: Type: text/plain, Size: 1563 bytes --]

Le lun. 2 févr. 2026 à 05:08, Ankur Tyagi via lists.openembedded.org
<ankur.tyagi85=gmail.com@lists.openembedded.org> a écrit :

> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
>
> Details https://nvd.nist.gov/vuln/detail/CVE-2025-66476
>
> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> ---
>  meta/recipes-support/vim/vim_9.1.bb | 2 ++
>  1 file changed, 2 insertions(+)
>

As far as I can tell, this patch is also needed on whinlatter.
Can you send it there please?

Thanks!

diff --git a/meta/recipes-support/vim/vim_9.1.bb b/meta/recipes-support/vim/
> vim_9.1.bb
> index fee9f055e9..c492342ffb 100644
> --- a/meta/recipes-support/vim/vim_9.1.bb
> +++ b/meta/recipes-support/vim/vim_9.1.bb
> @@ -21,3 +21,5 @@ ALTERNATIVE_LINK_NAME[xxd] = "${bindir}/xxd"
>  # in many places for _FORTIFY_SOURCE=2.  Security flags become part of CC.
>  #
>  lcl_maybe_fortify =
> "${@oe.utils.conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE=1',d)}"
> +
> +CVE_STATUS[CVE-2025-66476] = "not-applicable-platform: Issue only applies
> on Windows"
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#230344):
> https://lists.openembedded.org/g/openembedded-core/message/230344
> Mute This Topic: https://lists.openembedded.org/mt/117591467/4316185
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> yoann.congal@smile.fr]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

-- 
Yoann Congal
Smile ECS

[-- Attachment #2: Type: text/html, Size: 3438 bytes --]

Re: [OE-core][scarthgap][PATCH 2/3] ffmpeg: ignore CVE-2025-25469

[Yoann Congal]

On Mon Feb 2, 2026 at 5:08 AM CET, Ankur Tyagi via lists.openembedded.org wrote:
> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
>
> Details https://nvd.nist.gov/vuln/detail/CVE-2025-25469
>
> This vulnerability exists in IAMF (Immersive Audio Model and Formats demuxer)
> which was introduced in version 7.0 [1]
>
> $ git tag --contains 4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b
> n7.0
> n7.0.1
> n7.0.2
> n7.0.3
> n7.1
> n7.1-dev
> n7.1.1
> n7.1.2
> n7.1.3
> n7.2-dev
> n8.0
> n8.0.1
> n8.1-dev
>
> [1] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b
>
> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> ---
>  meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb | 2 ++
>  1 file changed, 2 insertions(+)

Hello, 

Thank you for the patch, I reviewed it and I'm OK with it.

Can I ask you to contact NVD to try to get the CPE fixed?

Thanks in advance,

Regards,
-- 
Yoann Congal
Smile ECS

Re: [OE-core][scarthgap][PATCH 2/3] ffmpeg: ignore CVE-2025-25469

[Yoann Congal]

On Thu Feb 5, 2026 at 4:10 PM CET, Yoann Congal wrote:
> On Mon Feb 2, 2026 at 5:08 AM CET, Ankur Tyagi via lists.openembedded.org wrote:
>> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
>>
>> Details https://nvd.nist.gov/vuln/detail/CVE-2025-25469
>>
>> This vulnerability exists in IAMF (Immersive Audio Model and Formats demuxer)
>> which was introduced in version 7.0 [1]
>>
>> $ git tag --contains 4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b
>> n7.0
>> n7.0.1
>> n7.0.2
>> n7.0.3
>> n7.1
>> n7.1-dev
>> n7.1.1
>> n7.1.2
>> n7.1.3
>> n7.2-dev
>> n8.0
>> n8.0.1
>> n8.1-dev
>>
>> [1] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b
>>
>> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
>> ---
>>  meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb | 2 ++
>>  1 file changed, 2 insertions(+)
>
> Hello, 
>
> Thank you for the patch, I reviewed it and I'm OK with it.

A precision though, it matches master and whinlatter patches "ffmpeg: ignore 10 CVEs".
Your patch will have to wait that the master and whinlatter patches
merge. And that will be too late for 5.0.16.

>
> Can I ask you to contact NVD to try to get the CPE fixed?
>
> Thanks in advance,
>
> Regards,


-- 
Yoann Congal
Smile ECS

Re: [OE-core][scarthgap][PATCH 2/3] ffmpeg: ignore CVE-2025-25469

[Ankur Tyagi]

On Fri, Feb 6, 2026 at 4:17 AM Yoann Congal <yoann.congal@smile.fr> wrote:
>
> On Thu Feb 5, 2026 at 4:10 PM CET, Yoann Congal wrote:
> > On Mon Feb 2, 2026 at 5:08 AM CET, Ankur Tyagi via lists.openembedded.org wrote:
> >> From: Ankur Tyagi <ankur.tyagi85@gmail.com>
> >>
> >> Details https://nvd.nist.gov/vuln/detail/CVE-2025-25469
> >>
> >> This vulnerability exists in IAMF (Immersive Audio Model and Formats demuxer)
> >> which was introduced in version 7.0 [1]
> >>
> >> $ git tag --contains 4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b
> >> n7.0
> >> n7.0.1
> >> n7.0.2
> >> n7.0.3
> >> n7.1
> >> n7.1-dev
> >> n7.1.1
> >> n7.1.2
> >> n7.1.3
> >> n7.2-dev
> >> n8.0
> >> n8.0.1
> >> n8.1-dev
> >>
> >> [1] https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/4ee05182b7cccfa6928dcb0a45c2b50b7d9ea39b
> >>
> >> Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
> >> ---
> >>  meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb | 2 ++
> >>  1 file changed, 2 insertions(+)
> >
> > Hello,
> >
> > Thank you for the patch, I reviewed it and I'm OK with it.
>
> A precision though, it matches master and whinlatter patches "ffmpeg: ignore 10 CVEs".
> Your patch will have to wait that the master and whinlatter patches
> merge. And that will be too late for 5.0.16.
>

Sure, as long as it doesn't slip through the cracks :-)

> >
> > Can I ask you to contact NVD to try to get the CPE fixed?
> >

Good idea, I will reach out to NVD.

cheers
Ankur

> > Thanks in advance,
> >
> > Regards,
>
>
> --
> Yoann Congal
> Smile ECS
>

Re: [scarthgap][PATCH 3/3] vim: ignore CVE-2025-66476

[Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)]

[-- Attachment #1: Type: text/plain, Size: 380 bytes --]

Hello,
I hope this message finds you well. I am reaching out to follow up on the patch that was submitted by Ankur concerning the update for ***CVE-2025-66476*** in the *_scarthgap_* branch.
Could you please provide us with any updates regarding when this patch is anticipated to be merged?

Thank you very much in advance for your assistance.

Best regards,
Anil Dongare

[-- Attachment #2: Type: text/html, Size: 491 bytes --]

Re: [OE-core] [scarthgap][PATCH 3/3] vim: ignore CVE-2025-66476

[Yoann Congal]

On Mon Feb 16, 2026 at 11:10 AM CET, Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> Hello,
> I hope this message finds you well. I am reaching out to follow up on
> the patch that was submitted by Ankur concerning the update for
> ***CVE-2025-66476*** in the *_scarthgap_* branch.
> Could you please provide us with any updates regarding when this patch
> is anticipated to be merged?

I got the patch for whinlatter.

I'll review this patch for the next whinlatter and scarthgap batches
(planed this week)

> Thank you very much in advance for your assistance.
>
> Best regards,
> Anil Dongare


-- 
Yoann Congal
Smile ECS