[OE-core][scarthgap 00/16] Patch review

[OE-core][scarthgap 00/16] Patch review

[Yoann Congal]

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, March 31.

Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551

[0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t

The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:

  Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:

  python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)

----------------------------------------------------------------

Hitendra Prajapati (2):
  libxml-parser-perl: fix for CVE-2006-10003
  busybox: fix for CVE-2026-26157, CVE-2026-26158

João Marcos Costa (Schneider Electric) (1):
  spdx: add option to include only compiled sources

Martin Jansa (3):
  dtc: backport fix for build with glibc-2.43
  elfutils: don't add -Werror to avoid discarded-qualifiers
  binutils: backport patch to fix build with glibc-2.43 on host

Michael Halstead (2):
  yocto-uninative: Update to 5.0 for needed patchelf updates
  yocto-uninative: Update to 5.1 for glibc 2.43

Nguyen Dat Tho (1):
  python3-cryptography: Fix CVE-2026-26007

Paul Barker (1):
  tzdata,tzcode-native: Upgrade 2025b -> 2025c

Richard Purdie (1):
  pseudo: Add fix for glibc 2.43

Sunil Dora (1):
  rust: Enable dynamic linking with llvm

Vijay Anusuri (3):
  python3-pyopenssl: Fix CVE-2026-27448
  python3-pyopenssl: Fix CVE-2026-27459
  gnutls: Fix CVE-2025-14831

sureshha (1):
  systemd: backport patch to fix journal-file issue

 meta/classes/spdx-common.bbclass              |   3 +
 meta/conf/distro/include/yocto-uninative.inc  |  10 +-
 meta/lib/oe/spdx30_tasks.py                   |  12 +
 .../CVE-2026-26157-CVE-2026-26158-01.patch    | 198 +++++++
 .../CVE-2026-26157-CVE-2026-26158-02.patch    |  37 ++
 meta/recipes-core/busybox/busybox_1.36.1.bb   |   2 +
 ...not-trigger-assertion-on-removed-or-.patch |  65 +++
 meta/recipes-core/systemd/systemd_255.21.bb   |   1 +
 .../binutils/binutils-2.42.inc                |   1 +
 ...tect-against-standard-library-macros.patch |  31 ++
 .../elfutils/elfutils_0.191.bb                |   1 +
 ...001-config-eu.am-do-not-force-Werror.patch |  34 ++
 .../libxml-parser-perl/CVE-2006-10003.patch   |  73 +++
 .../perl/libxml-parser-perl_2.47.bb           |   1 +
 meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
 .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++
 .../python/python3-cryptography_42.0.5.bb     |   1 +
 .../python3-pyopenssl/CVE-2026-27448.patch    | 124 +++++
 .../python3-pyopenssl/CVE-2026-27459.patch    | 109 ++++
 .../python/python3-pyopenssl_24.0.0.bb        |   5 +
 meta/recipes-devtools/rust/rust_1.75.0.bb     |   2 +
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../0001-Fix-discarded-const-qualifiers.patch |  85 +++
 meta/recipes-kernel/dtc/dtc_1.7.0.bb          |   1 +
 .../gnutls/gnutls/CVE-2025-14831-1.patch      |  61 +++
 .../gnutls/gnutls/CVE-2025-14831-2.patch      |  30 ++
 .../gnutls/gnutls/CVE-2025-14831-3.patch      |  45 ++
 .../gnutls/gnutls/CVE-2025-14831-4.patch      | 200 +++++++
 .../gnutls/gnutls/CVE-2025-14831-5.patch      | 500 ++++++++++++++++++
 .../gnutls/gnutls/CVE-2025-14831-6.patch      | 119 +++++
 .../gnutls/gnutls/CVE-2025-14831-7.patch      | 150 ++++++
 .../gnutls/gnutls/CVE-2025-14831-8.patch      | 105 ++++
 .../gnutls/gnutls/CVE-2025-14831-9.patch      | 437 +++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |   9 +
 34 files changed, 2600 insertions(+), 9 deletions(-)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
 create mode 100644 meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
 create mode 100644 meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch
 create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
 create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch

[OE-core][scarthgap 01/16] tzdata,tzcode-native: Upgrade 2025b -> 2025c

[Yoann Congal]

From: Paul Barker <paul@pbarker.dev>

This release mostly changes code and commentary. The only changed data
are leap second table expiration and pre-1976 time in Baja California.

Full release notes:
  https://lists.iana.org/hyperkitty/list/tz-announce@iana.org/thread/TAGXKYLMAQRZRFTERQ33CEKOW7KRJVAK/

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 452334219309793ad74abd6ff390dcb06cab929b)
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-extended/timezone/timezone.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-extended/timezone/timezone.inc b/meta/recipes-extended/timezone/timezone.inc
index f21bedf4fc5..35f22d5a15a 100644
--- a/meta/recipes-extended/timezone/timezone.inc
+++ b/meta/recipes-extended/timezone/timezone.inc
@@ -6,7 +6,7 @@ SECTION = "base"
 LICENSE = "PD & BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=c679c9d6b02bc2757b3eaf8f53c43fba"
 
-PV = "2025b"
+PV = "2025c"
 
 SRC_URI =" http://www.iana.org/time-zones/repository/releases/tzcode${PV}.tar.gz;name=tzcode;subdir=tz \
            http://www.iana.org/time-zones/repository/releases/tzdata${PV}.tar.gz;name=tzdata;subdir=tz \
@@ -16,5 +16,5 @@ S = "${WORKDIR}/tz"
 
 UPSTREAM_CHECK_URI = "http://www.iana.org/time-zones"
 
-SRC_URI[tzcode.sha256sum] = "05f8fedb3525ee70d49c87d3fae78a8a0dbae4fe87aa565c65cda9948ae135ec"
-SRC_URI[tzdata.sha256sum] = "11810413345fc7805017e27ea9fa4885fd74cd61b2911711ad038f5d28d71474"
+SRC_URI[tzcode.sha256sum] = "697ebe6625444aef5080f58e49d03424bbb52e08bf483d3ddb5acf10cbd15740"
+SRC_URI[tzdata.sha256sum] = "4aa79e4effee53fc4029ffe5f6ebe97937282ebcdf386d5d2da91ce84142f957"

[OE-core][scarthgap 02/16] python3-cryptography: Fix CVE-2026-26007

[Yoann Congal]

From: Nguyen Dat Tho <tho3.nguyen@lge.com>

CVE-2026-26007 is fixed upstream in version 46.0.5.
Our current version (42.0.5, scarthgap) is still reported as vulnerable
by NVD.
Backport the upstream fix to address this CVE.

Upstream commit:
  https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c

CVE report:
  https://nvd.nist.gov/vuln/detail/CVE-2026-26007

Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++
 .../python/python3-cryptography_42.0.5.bb     |   1 +
 2 files changed, 150 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch

diff --git a/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
new file mode 100644
index 00000000000..a78d287ccdd
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
@@ -0,0 +1,149 @@
+From 42c914929b52eb16421a4ef1f7e09c8f9fdab7db Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Wed, 18 Mar 2026 16:01:03 +0900
+Subject: [PATCH] EC check key on cofactor > 1
+
+An attacker could create a malicious public key that reveals portions of
+your private key when using certain uncommon elliptic curves (binary
+curves).  This version now includes additional security checks to
+prevent this attack.  This issue only affects binary elliptic curves,
+which are rarely used in real-world applications. Credit to **XlabAI
+Team of Tencent Xuanwu Lab and Atuin Automated Vulnerability Discovery
+Engine** for reporting the issue.  **CVE-2026-26007**
+
+This is a partial backport of upstream commit
+0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c, to only include what's
+relevant for CVE-2026-26007.
+
+CVE: CVE-2026-26007
+
+Origin: backport, https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c
+Reference: https://salsa.debian.org/python-team/packages/python-cryptography/-/commit/464e7ca3b0b4493d5906d0c3685de71fda770c59
+
+Signed-off-by: Nguyen Dat Tho <tho3.nguyen@lge.com>
+Signed-off-by: Paul Kehrer <paul.l.kehrer@gmail.com>
+Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
+---
+Upstream-Status: Backport [Backport from https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c]
+
+ src/rust/src/backend/ec.rs         | 39 ++++++++++++++++++++----------
+ tests/hazmat/primitives/test_ec.py | 37 ++++++++++++++++++++++++++++
+ 2 files changed, 63 insertions(+), 13 deletions(-)
+
+diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs
+index 6a224b49f..27fced086 100644
+--- a/src/rust/src/backend/ec.rs
++++ b/src/rust/src/backend/ec.rs
+@@ -155,12 +155,9 @@ pub(crate) fn public_key_from_pkey(
+ ) -> CryptographyResult<ECPublicKey> {
+     let ec = pkey.ec_key()?;
+     let curve = py_curve_from_curve(py, ec.group())?;
+-    check_key_infinity(&ec)?;
+-    Ok(ECPublicKey {
+-        pkey: pkey.to_owned(),
+-        curve: curve.into(),
+-    })
++    ECPublicKey::new(pkey.to_owned(), curve.into())
+ }
++
+ #[pyo3::prelude::pyfunction]
+ fn generate_private_key(
+     py: pyo3::Python<'_>,
+@@ -215,10 +212,7 @@ fn from_public_bytes(
+     let ec = openssl::ec::EcKey::from_public_key(&curve, &point)?;
+     let pkey = openssl::pkey::PKey::from_ec_key(ec)?;
+ 
+-    Ok(ECPublicKey {
+-        pkey,
+-        curve: py_curve.into(),
+-    })
++    ECPublicKey::new(pkey, py_curve.into())
+ }
+ 
+ #[pyo3::prelude::pymethods]
+@@ -357,6 +351,28 @@ impl ECPrivateKey {
+     }
+ }
+ 
++impl ECPublicKey {
++    fn new(
++        pkey: openssl::pkey::PKey<openssl::pkey::Public>,
++        curve: pyo3::Py<pyo3::PyAny>,
++    ) -> CryptographyResult<ECPublicKey> {
++        let ec = pkey.ec_key()?;
++        check_key_infinity(&ec)?;
++        let mut bn_ctx = openssl::bn::BigNumContext::new()?;
++        let mut cofactor = openssl::bn::BigNum::new()?;
++        ec.group().cofactor(&mut cofactor, &mut bn_ctx)?;
++        let one = openssl::bn::BigNum::from_u32(1)?;
++        if cofactor != one {
++            ec.check_key().map_err(|_| {
++                pyo3::exceptions::PyValueError::new_err(
++                    "Invalid EC key (key out of range, infinity, etc.)",
++                )
++            })?;
++        }
++
++        Ok(ECPublicKey { pkey, curve })
++    }
++}
+ #[pyo3::prelude::pymethods]
+ impl ECPublicKey {
+     #[getter]
+@@ -591,10 +607,7 @@ impl EllipticCurvePublicNumbers {
+ 
+         let pkey = openssl::pkey::PKey::from_ec_key(public_key)?;
+ 
+-        Ok(ECPublicKey {
+-            pkey,
+-            curve: self.curve.clone_ref(py),
+-        })
++        ECPublicKey::new(pkey, self.curve.clone_ref(py))
+     }
+ 
+     fn __eq__(
+diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
+index 334e76dcc..f7f2242f6 100644
+--- a/tests/hazmat/primitives/test_ec.py
++++ b/tests/hazmat/primitives/test_ec.py
+@@ -1340,3 +1340,40 @@ class TestECDH:
+ 
+         with pytest.raises(ValueError):
+             key.exchange(ec.ECDH(), public_key)
++
++
++def test_invalid_sect_public_keys(backend):
++    _skip_curve_unsupported(backend, ec.SECT571K1())
++    public_numbers = ec.EllipticCurvePublicNumbers(1, 1, ec.SECT571K1())
++    with pytest.raises(ValueError):
++        public_numbers.public_key()
++
++    point = binascii.unhexlify(
++        b"0400000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000010000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000001"
++    )
++    with pytest.raises(ValueError):
++        ec.EllipticCurvePublicKey.from_encoded_point(ec.SECT571K1(), point)
++
++    der = binascii.unhexlify(
++        b"3081a7301006072a8648ce3d020106052b810400260381920004000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000100000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"0000000000000000000000000000000000000000000000000000000000000000000"
++        b"00001"
++    )
++    with pytest.raises(ValueError):
++        serialization.load_der_public_key(der)
++
++    pem = textwrap.dedent("""-----BEGIN PUBLIC KEY-----
++    MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++    AAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE=
++    -----END PUBLIC KEY-----""").encode()
++    with pytest.raises(ValueError):
++        serialization.load_pem_public_key(pem)
diff --git a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
index 732f925d926..c4573fa6891 100644
--- a/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_42.0.5.bb
@@ -11,6 +11,7 @@ LDSHARED += "-pthread"
 SRC_URI[sha256sum] = "6fe07eec95dfd477eb9530aef5bead34fec819b3aaf6c5bd6d20565da607bfe1"
 
 SRC_URI += "file://0001-pyproject.toml-remove-benchmark-disable-option.patch \
+            file://CVE-2026-26007.patch \
             file://check-memfree.py \
             file://run-ptest \
            "

Patchtest results for [OE-core][scarthgap 02/16] python3-cryptography: Fix CVE-2026-26007

[patchtest]

[-- Attachment #1: Type: text/plain, Size: 2168 bytes --]

Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/scarthgap-02-16-python3-cryptography-Fix-CVE-2026-26007.patch

FAIL: test Upstream-Status presence: Upstream-Status is present only after the patch scissors. It must be placed in the patch header before the scissors line. (test_patch.TestPatch.test_upstream_status_presence_format)

PASS: test CVE tag format (test_patch.TestPatch.test_cve_tag_format)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

[OE-core][scarthgap 03/16] spdx: add option to include only compiled sources

[Yoann Congal]

From: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>

When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the
source code files that are used during compilation.

It uses debugsource information generated during do_package.

This enables an external tool to use the SPDX information to disregard
vulnerabilities that are not compiled.

As example, when used with the default config with linux-yocto, the spdx size is
reduced from 156MB to 61MB.

(From OE-Core rev: c6a2f1fca76fae4c3ea471a0c63d0b453beea968)
Adapted to existing files for SPDX3.0

Tested with:
- bitbake world on oe-core
- oe-selftest --run-tests spdx.SPDX30Check

Regarding SPDX2.2, the respective backport was already performed in
OE-Core rev: a2866934e58fb377a73e87576c8594988a63ad1b

Signed-off-by: João Marcos Costa (Schneider Electric) <joaomarcos.costa@bootlin.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/classes/spdx-common.bbclass |  3 +++
 meta/lib/oe/spdx30_tasks.py      | 12 ++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index 713a7fc651e..ca0416d1c7f 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
@@ -26,6 +26,7 @@ SPDX_TOOL_VERSION ??= "1.0"
 SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy"
 
 SPDX_INCLUDE_SOURCES ??= "0"
+SPDX_INCLUDE_COMPILED_SOURCES ??= "0"
 
 SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org"
 SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs"
@@ -40,6 +41,8 @@ SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}"
 python () {
     from oe.cve_check import extend_cve_status
     extend_cve_status(d)
+    if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1":
+        d.setVar("SPDX_INCLUDE_SOURCES", "1")
 }
 
 def create_spdx_source_deps(d):
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index a8970dcca0f..9c422d17573 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -145,6 +145,8 @@ def add_package_files(
     ignore_dirs=[],
     ignore_top_level_dirs=[],
 ):
+    import oe.spdx
+
     source_date_epoch = d.getVar("SOURCE_DATE_EPOCH")
     if source_date_epoch:
         source_date_epoch = int(source_date_epoch)
@@ -156,6 +158,11 @@ def add_package_files(
         bb.note(f"Skip {topdir}")
         return spdx_files
 
+    check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1"
+    if check_compiled_sources:
+        compiled_sources, types = oe.spdx.get_compiled_sources(d)
+        bb.debug(1, f"Total compiled files: {len(compiled_sources)}")
+
     for subdir, dirs, files in os.walk(topdir, onerror=walk_error):
         dirs[:] = [d for d in dirs if d not in ignore_dirs]
         if subdir == str(topdir):
@@ -171,6 +178,11 @@ def add_package_files(
             filename = str(filepath.relative_to(topdir))
             file_purposes = get_purposes(filepath)
 
+            # Check if file is compiled
+            if check_compiled_sources:
+                if not oe.spdx.is_compiled_source(filename, compiled_sources, types):
+                    continue
+
             spdx_file = objset.new_file(
                 get_spdxid(file_counter),
                 filename,

[OE-core][scarthgap 04/16] dtc: backport fix for build with glibc-2.43

[Yoann Congal]

From: Martin Jansa <martin.jansa@gmail.com>

glibc-2.43 isn't used in OE builds yet, but this fixes dtc-native:
https://errors.yoctoproject.org/Errors/Details/903983/

../sources/dtc-1.7.2/libfdt/fdt_overlay.c: In function ‘overlay_fixup_phandle’:
../sources/dtc-1.7.2/libfdt/fdt_overlay.c:424:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  424 |                 sep = memchr(fixup_str, ':', fixup_len);
      |                     ^
../sources/dtc-1.7.2/libfdt/fdt_overlay.c:434:21: error: assignment discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
  434 |                 sep = memchr(name, ':', fixup_len);
      |                     ^
cc1: all warnings being treated as errors

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[YC: upstream commit 28552a7b6c94060c7ab3899619ab8afb74124d02]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../0001-Fix-discarded-const-qualifiers.patch | 85 +++++++++++++++++++
 meta/recipes-kernel/dtc/dtc_1.7.0.bb          |  1 +
 2 files changed, 86 insertions(+)
 create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch

diff --git a/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
new file mode 100644
index 00000000000..c643410ae9b
--- /dev/null
+++ b/meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
@@ -0,0 +1,85 @@
+From 861cb43eb53afff83e28ba0e0f88ffa464ebe8ca Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 6 Jan 2026 14:19:30 -0500
+Subject: [PATCH] Fix discarded const qualifiers
+
+It's unsafe to implicitly discard the const qualifier on a pointer. In
+overlay_fixup_phandle(), this was probably just an oversight, and making
+the "sep" variable a const char * is sufficient to fix it.
+
+In create_node(), however, the "p" variable is directly modifying the
+buffer pointed to by "const char* node_name". To fix this, we need to
+actually make a duplicate of the buffer and operate on that instead.
+
+This introduces a malloc()/free()  and an unbounded strdup() into the
+operation, but fdtput isn't a long-running service and the node_name
+argument comes directly from argv, so this shouldn't introduce a
+significant performance impact.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dtc/dtc.git/commit/libfdt/fdt_overlay.c?h=main&id=9a1c801a1a3c102bf95c5339c9e985b26b823a21]
+---
+ fdtput.c             | 8 +++++---
+ libfdt/fdt_overlay.c | 3 ++-
+ meson.build          | 3 ++-
+ 3 files changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/fdtput.c b/fdtput.c
+index c2fecf4..8deec7e 100644
+--- a/fdtput.c
++++ b/fdtput.c
+@@ -230,19 +230,21 @@ static int create_paths(char **blob, const char *in_path)
+ static int create_node(char **blob, const char *node_name)
+ {
+ 	int node = 0;
+-	char *p;
++	const char *p;
++	char *path = NULL;
+ 
+ 	p = strrchr(node_name, '/');
+ 	if (!p) {
+ 		report_error(node_name, -1, -FDT_ERR_BADPATH);
+ 		return -1;
+ 	}
+-	*p = '\0';
+ 
+ 	*blob = realloc_node(*blob, p + 1);
+ 
+ 	if (p > node_name) {
+-		node = fdt_path_offset(*blob, node_name);
++		path = xstrndup(node_name, (size_t)(p - node_name));
++		node = fdt_path_offset(*blob, path);
++		free(path);
+ 		if (node < 0) {
+ 			report_error(node_name, -1, node);
+ 			return -1;
+diff --git a/libfdt/fdt_overlay.c b/libfdt/fdt_overlay.c
+index 5c0c398..75b0619 100644
+--- a/libfdt/fdt_overlay.c
++++ b/libfdt/fdt_overlay.c
+@@ -431,7 +431,8 @@ static int overlay_fixup_phandle(void *fdt, void *fdto, int symbols_off,
+ 		const char *fixup_str = value;
+ 		uint32_t path_len, name_len;
+ 		uint32_t fixup_len;
+-		char *sep, *endptr;
++		const char *sep;
++		char *endptr;
+ 		int poffset, ret;
+ 
+ 		fixup_end = memchr(value, '\0', len);
+diff --git a/meson.build b/meson.build
+index 8952e8a..ecb0ae0 100644
+--- a/meson.build
++++ b/meson.build
+@@ -14,7 +14,8 @@ add_project_arguments(
+     '-Wstrict-prototypes',
+     '-Wmissing-prototypes',
+     '-Wredundant-decls',
+-    '-Wshadow'
++    '-Wshadow',
++    '-Wdiscarded-qualifiers'
+   ]),
+   language: 'c'
+ )
diff --git a/meta/recipes-kernel/dtc/dtc_1.7.0.bb b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
index 0702fc16dfa..a2f41197fda 100644
--- a/meta/recipes-kernel/dtc/dtc_1.7.0.bb
+++ b/meta/recipes-kernel/dtc/dtc_1.7.0.bb
@@ -12,6 +12,7 @@ SRC_URI = " \
     git://git.kernel.org/pub/scm/utils/dtc/dtc.git;branch=main;protocol=https \
     file://0001-meson.build-bump-version-to-1.7.0.patch \
     file://0002-meson-allow-building-from-shallow-clones.patch \
+    file://0001-Fix-discarded-const-qualifiers.patch \
 "
 SRCREV = "039a99414e778332d8f9c04cbd3072e1dcc62798"
 

[OE-core][scarthgap 05/16] pseudo: Add fix for glibc 2.43

[Yoann Congal]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

Update to add a fix for a function definition to work with glibc 2.43.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
[YC: upstream commit 7d35b0e7929d666af783db835a3a809f8f6ce429]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/pseudo/pseudo_git.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb b/meta/recipes-devtools/pseudo/pseudo_git.bb
index 0f063f18812..3ae560487bd 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -12,7 +12,7 @@ SRC_URI:append:class-nativesdk = " \
     file://older-glibc-symbols.patch"
 SRC_URI[prebuilt.sha256sum] = "ed9f456856e9d86359f169f46a70ad7be4190d6040282b84c8d97b99072485aa"
 
-SRCREV = "43cbd8fb4914328094ccdb4bb827d74b1bac2046"
+SRCREV = "56e1f8df4761da60e41812fc32b1de797d1765e9"
 S = "${WORKDIR}/git"
 PV = "1.9.3+git"
 

[OE-core][scarthgap 06/16] yocto-uninative: Update to 5.0 for needed patchelf updates

[Yoann Congal]

From: Michael Halstead <mhalstead@linuxfoundation.org>

Solves some segfaults on relocated qemu-img binaries.

[YOCTO #16003]

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b322bc5387f3baedca5c71ccecaed08d2b046eab)
[YC: fixed the commit title]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/conf/distro/include/yocto-uninative.inc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index 3ced03d4771..e9dc6c86408 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -7,9 +7,9 @@
 #
 
 UNINATIVE_MAXGLIBCVERSION = "2.42"
-UNINATIVE_VERSION = "4.9"
+UNINATIVE_VERSION = "5.0"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "812045d826b7fda88944055e8526b95a5a9440bfef608d5b53fd52faab49bf85"
-UNINATIVE_CHECKSUM[i686] ?= "5cc28efd0c15a75de4bcb147c6cce65f1c1c9d442173a220f08427f40a3ffa09"
-UNINATIVE_CHECKSUM[x86_64] ?= "4c03d1ed2b7b4e823aca4a1a23d8f2e322f1770fc10e859adcede5777aff4f3a"
+UNINATIVE_CHECKSUM[aarch64] ?= "a25f2174d0cefcb22af005e9bc72ac01ae83b011c5b6d6d5bf00dac979877f76"
+UNINATIVE_CHECKSUM[i686] ?= "959cc2539b692f9b9862825c7324a0fe4d061fca742f6c259f67f581c59af956"
+UNINATIVE_CHECKSUM[x86_64] ?= "96045e8b1e242c8a849426a8506c7043f354b39f2bc0035192780e8205e23e9d"

[OE-core][scarthgap 07/16] yocto-uninative: Update to 5.1 for glibc 2.43

[Yoann Congal]

From: Michael Halstead <mhalstead@linuxfoundation.org>

Signed-off-by: Michael Halstead <mhalstead@linuxfoundation.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c1fb515f2a88fa0a0e95529afc07a99db001af0e)
[YC: fix duplicated line in commit message]
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/conf/distro/include/yocto-uninative.inc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc b/meta/conf/distro/include/yocto-uninative.inc
index e9dc6c86408..d97c96f631f 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -6,10 +6,10 @@
 # to the distro running on the build machine.
 #
 
-UNINATIVE_MAXGLIBCVERSION = "2.42"
-UNINATIVE_VERSION = "5.0"
+UNINATIVE_MAXGLIBCVERSION = "2.43"
+UNINATIVE_VERSION = "5.1"
 
 UNINATIVE_URL ?= "http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/"
-UNINATIVE_CHECKSUM[aarch64] ?= "a25f2174d0cefcb22af005e9bc72ac01ae83b011c5b6d6d5bf00dac979877f76"
-UNINATIVE_CHECKSUM[i686] ?= "959cc2539b692f9b9862825c7324a0fe4d061fca742f6c259f67f581c59af956"
-UNINATIVE_CHECKSUM[x86_64] ?= "96045e8b1e242c8a849426a8506c7043f354b39f2bc0035192780e8205e23e9d"
+UNINATIVE_CHECKSUM[aarch64] ?= "4166237a9dabd222dcb9627a9435dffd756764fabf76ed7ef2e93dc2964567ad"
+UNINATIVE_CHECKSUM[i686] ?= "761502cc9aef4d54d0c6fe9418beb9fdd2c6220da6f2b04128c89f47902ab9ae"
+UNINATIVE_CHECKSUM[x86_64] ?= "2b63a078c26535e0786e87f81ae69509df30f4dce40693004c527bd5e4ab2b85"

[OE-core][scarthgap 08/16] elfutils: don't add -Werror to avoid discarded-qualifiers

[Yoann Congal]

From: Martin Jansa <martin.jansa@gmail.com>

With glibc-2.43 on host elfutils-native fails with:
elfutils-0.191/libcpu/riscv_disasm.c:1259:46: error: initialization discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]

elfutils-0.194 in master doesn't have this issue thanks to this patch avoiding -Werror from:
https://git.openembedded.org/openembedded-core/commit/?id=1d6ac3c811798732e6addc798656bbe104661d77

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../elfutils/elfutils_0.191.bb                |  1 +
 ...001-config-eu.am-do-not-force-Werror.patch | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch

diff --git a/meta/recipes-devtools/elfutils/elfutils_0.191.bb b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
index 0fd6d31af19..5156e5c9f6d 100644
--- a/meta/recipes-devtools/elfutils/elfutils_0.191.bb
+++ b/meta/recipes-devtools/elfutils/elfutils_0.191.bb
@@ -23,6 +23,7 @@ SRC_URI = "https://sourceware.org/elfutils/ftp/${PV}/${BP}.tar.bz2 \
            file://0001-tests-Makefile.am-compile-test_nlist-with-standard-C.patch \
            file://0001-debuginfod-Remove-unused-variable.patch \
            file://0001-srcfiles-fix-unused-variable-BUFFER_SIZE.patch \
+           file://0001-config-eu.am-do-not-force-Werror.patch \
            file://CVE-2025-1352.patch \
            file://CVE-2025-1365.patch \
            file://CVE-2025-1372.patch \
diff --git a/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch b/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
new file mode 100644
index 00000000000..d4e141927f1
--- /dev/null
+++ b/meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
@@ -0,0 +1,34 @@
+From e169c3fc734be1783b3e1a4768dbec05fb64cb4f Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Fri, 22 Nov 2024 12:50:48 +0100
+Subject: [PATCH] config/eu.am: do not force -Werror
+
+This is undesirable when compiler versions may not be the same
+as what upstream is using for their own testing.
+
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+---
+ config/eu.am | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/config/eu.am b/config/eu.am
+index 0b7dab5..5e7a03f 100644
+--- a/config/eu.am
++++ b/config/eu.am
+@@ -99,7 +99,6 @@ AM_CFLAGS = -std=gnu99 -Wall -Wshadow -Wformat=2 \
+ 	    $(LOGICAL_OP_WARNING) $(DUPLICATED_COND_WARNING) \
+ 	    $(NULL_DEREFERENCE_WARNING) $(IMPLICIT_FALLTHROUGH_WARNING) \
+ 	    $(USE_AFTER_FREE3_WARNING) \
+-	    $(if $($(*F)_no_Werror),,-Werror) \
+ 	    $(if $($(*F)_no_Wunused),,-Wunused -Wextra) \
+ 	    $(if $($(*F)_no_Wstack_usage),,$(STACK_USAGE_WARNING)) \
+ 	    $(if $($(*F)_no_Wpacked_not_aligned),$(NO_PACKED_NOT_ALIGNED_WARNING),) \
+@@ -109,7 +108,6 @@ AM_CXXFLAGS = -std=c++11 -Wall -Wshadow \
+ 	   $(TRAMPOLINES_WARNING) \
+ 	   $(LOGICAL_OP_WARNING) $(DUPLICATED_COND_WARNING) \
+ 	   $(NULL_DEREFERENCE_WARNING) $(IMPLICIT_FALLTHROUGH_WARNING) \
+-	   $(if $($(*F)_no_Werror),,-Werror) \
+ 	   $(if $($(*F)_no_Wunused),,-Wunused -Wextra) \
+ 	   $(if $($(*F)_no_Wstack_usage),,$(STACK_USAGE_WARNING)) \
+ 	   $(if $($(*F)_no_Wpacked_not_aligned),$(NO_PACKED_NOT_ALIGNED_WARNING),) \

[OE-core][scarthgap 09/16] binutils: backport patch to fix build with glibc-2.43 on host

[Yoann Congal]

From: Martin Jansa <martin.jansa@gmail.com>

Fixes:
../../../gprofng/libcollector/linetrace.c: In function ‘__collector_ext_line_install’:
../../../gprofng/libcollector/linetrace.c:219:45: error: expected identifier before ‘_Generic’
  219 |   if (java_follow_env != NULL && CALL_UTIL (strstr)(java_follow_env, COLLECTOR_JVMTI_OPTION))
      |                                             ^~~~~~
../../../gprofng/libcollector/linetrace.c:219:34: note: in expansion of macro ‘CALL_UTIL’
  219 |   if (java_follow_env != NULL && CALL_UTIL (strstr)(java_follow_env, COLLECTOR_JVMTI_OPTION))
      |                                  ^~~~~~~~~

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../binutils/binutils-2.42.inc                |  1 +
 ...tect-against-standard-library-macros.patch | 31 +++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 839d31242ef..36bd49ad03d 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -43,6 +43,7 @@ SRC_URI = "\
      file://0019-Fix-32097-Warnings-when-building-gprofng-with-Clang.patch \
      file://0020-gprofng-fix-std-gnu23-compatibility-wrt-unprototyped.patch \
      file://0021-gprofng-fix-build-with-std-gnu23.patch \
+     file://0022-gprofng-protect-against-standard-library-macros.patch \
      file://0018-CVE-2025-0840.patch \
      file://CVE-2025-1176.patch \
      file://CVE-2025-1178.patch \
diff --git a/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch b/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
new file mode 100644
index 00000000000..0fa0a939918
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
@@ -0,0 +1,31 @@
+From 5f66aee7f4bec7a2d8378034116f5e5c3dc50f41 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Sat, 22 Nov 2025 11:29:43 +0100
+Subject: [PATCH] gprofng: protect against standard library macros
+
+The CALL_UTIL macro can expand to an unparsable expression of the argument
+is a macro, like with the new const-preserving standard library macros in
+C23.
+
+	* gprofng/src/collector_module.h (CALL_UTIL): Add parens to not
+	expand its argument if it is a function-like macro.
+
+Upstream-Status: Backport [2.46 5f66aee7f4bec7a2d8378034116f5e5c3dc50f41]
+Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
+---
+ gprofng/src/collector_module.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gprofng/src/collector_module.h b/gprofng/src/collector_module.h
+index b64d69c45ab..859a6dd1f7d 100644
+--- a/gprofng/src/collector_module.h
++++ b/gprofng/src/collector_module.h
+@@ -119,7 +119,7 @@ typedef struct CollectorUtilFuncs
+ extern CollectorUtilFuncs __collector_util_funcs;
+ extern int __collector_dlsym_guard;
+ 
+-#define CALL_UTIL(x) __collector_util_funcs.x
++#define CALL_UTIL(x) (__collector_util_funcs.x)
+ 
+ /* The following constants define the meaning of the "void *arg"
+  * argument of getFrameInfo().

[OE-core][scarthgap 10/16] python3-pyopenssl: Fix CVE-2026-27448

[Yoann Congal]

From: Vijay Anusuri <vanusuri@mvista.com>

Pick patch mentioned in NVD

[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27448
[2] https://ubuntu.com/security/CVE-2026-27448

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../python3-pyopenssl/CVE-2026-27448.patch    | 124 ++++++++++++++++++
 .../python/python3-pyopenssl_24.0.0.bb        |   4 +
 2 files changed, 128 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch

diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
new file mode 100644
index 00000000000..87f46b4cb0f
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
@@ -0,0 +1,124 @@
+From d41a814759a9fb49584ca8ab3f7295de49a85aa0 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Mon, 16 Feb 2026 21:04:37 -0500
+Subject: [PATCH] Handle exceptions in set_tlsext_servername_callback callbacks
+ (#1478)
+
+When the servername callback raises an exception, call sys.excepthook
+with the exception info and return SSL_TLSEXT_ERR_ALERT_FATAL to abort
+the handshake. Previously, exceptions would propagate uncaught through
+the CFFI callback boundary.
+
+https://claude.ai/code/session_01P7y1XmWkdtC5UcmZwGDvGi
+
+Co-authored-by: Claude <noreply@anthropic.com>
+
+Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/d41a814759a9fb49584ca8ab3f7295de49a85aa0]
+CVE: CVE-2026-27448
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CHANGELOG.rst      |  1 +
+ src/OpenSSL/SSL.py |  7 ++++++-
+ tests/test_ssl.py  | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 57 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 6e23770..12e60e4 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -18,6 +18,7 @@ Changes:
+ 
+ - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
+   `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.
++- ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
+ 
+ 23.3.0 (2023-10-25)
+ -------------------
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index 4db5240..a6263c4 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -1,5 +1,6 @@
+ import os
+ import socket
++import sys
+ import typing
+ from errno import errorcode
+ from functools import partial, wraps
+@@ -1567,7 +1568,11 @@ class Context:
+ 
+         @wraps(callback)
+         def wrapper(ssl, alert, arg):
+-            callback(Connection._reverse_mapping[ssl])
++            try:
++                callback(Connection._reverse_mapping[ssl])
++            except Exception:
++                sys.excepthook(*sys.exc_info())
++                return _lib.SSL_TLSEXT_ERR_ALERT_FATAL
+             return 0
+ 
+         self._tlsext_servername_callback = _ffi.callback(
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index ca5bf83..55489b9 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -1855,6 +1855,56 @@ class TestServerNameCallback:
+ 
+         assert args == [(server, b"foo1.example.com")]
+ 
++    def test_servername_callback_exception(
++        self, monkeypatch: pytest.MonkeyPatch
++    ) -> None:
++        """
++        When the callback passed to `Context.set_tlsext_servername_callback`
++        raises an exception, ``sys.excepthook`` is called with the exception
++        and the handshake fails with an ``Error``.
++        """
++        exc = TypeError("server name callback failed")
++
++        def servername(conn: Connection) -> None:
++            raise exc
++
++        excepthook_calls: list[
++            tuple[type[BaseException], BaseException, object]
++        ] = []
++
++        def custom_excepthook(
++            exc_type: type[BaseException],
++            exc_value: BaseException,
++            exc_tb: object,
++        ) -> None:
++            excepthook_calls.append((exc_type, exc_value, exc_tb))
++
++        context = Context(SSLv23_METHOD)
++        context.set_tlsext_servername_callback(servername)
++
++        # Necessary to actually accept the connection
++        context.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++        context.use_certificate(
++            load_certificate(FILETYPE_PEM, server_cert_pem)
++        )
++
++        # Do a little connection to trigger the logic
++        server = Connection(context, None)
++        server.set_accept_state()
++
++        client = Connection(Context(SSLv23_METHOD), None)
++        client.set_connect_state()
++        client.set_tlsext_host_name(b"foo1.example.com")
++
++        monkeypatch.setattr(sys, "excepthook", custom_excepthook)
++        with pytest.raises(Error):
++            interact_in_memory(server, client)
++
++        assert len(excepthook_calls) == 1
++        assert excepthook_calls[0][0] is TypeError
++        assert excepthook_calls[0][1] is exc
++        assert excepthook_calls[0][2] is not None
++
+ 
+ class TestApplicationLayerProtoNegotiation:
+     """
+-- 
+2.43.0
+
diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
index 116f214bfa8..bc0b568a46a 100644
--- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
+++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
@@ -10,6 +10,10 @@ SRC_URI[sha256sum] = "6aa33039a93fffa4563e655b61d11364d01264be8ccb49906101e02a33
 PYPI_PACKAGE = "pyOpenSSL"
 inherit pypi setuptools3
 
+SRC_URI += " \
+    file://CVE-2026-27448.patch \
+"
+
 PACKAGES =+ "${PN}-tests"
 FILES:${PN}-tests = "${libdir}/${PYTHON_DIR}/site-packages/OpenSSL/test"
 

[OE-core][scarthgap 11/16] python3-pyopenssl: Fix CVE-2026-27459

[Yoann Congal]

From: Vijay Anusuri <vanusuri@mvista.com>

Pick patch mentioned in NVD

[1] https://nvd.nist.gov/vuln/detail/CVE-2026-27459
[2] https://ubuntu.com/security/CVE-2026-27459

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../python3-pyopenssl/CVE-2026-27459.patch    | 109 ++++++++++++++++++
 .../python/python3-pyopenssl_24.0.0.bb        |   1 +
 2 files changed, 110 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch

diff --git a/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
new file mode 100644
index 00000000000..f75540f96e0
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
@@ -0,0 +1,109 @@
+From 57f09bb4bb051d3bc2a1abd36e9525313d5cd408 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 18 Feb 2026 07:46:15 -0500
+Subject: [PATCH] Fix buffer overflow in DTLS cookie generation callback
+ (#1479)
+
+The cookie generate callback copied user-returned bytes into a
+fixed-size native buffer without enforcing a maximum length. A
+callback returning more than DTLS1_COOKIE_LENGTH bytes would overflow
+the OpenSSL-provided buffer, corrupting adjacent memory.
+
+Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
+
+Upstream-Status: Backport [https://github.com/pyca/pyopenssl/commit/57f09bb4bb051d3bc2a1abd36e9525313d5cd408]
+CVE: CVE-2026-27459
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ CHANGELOG.rst      |  1 +
+ src/OpenSSL/SSL.py |  7 +++++++
+ tests/test_ssl.py  | 38 ++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 46 insertions(+)
+
+diff --git a/CHANGELOG.rst b/CHANGELOG.rst
+index 12e60e4..6041fdc 100644
+--- a/CHANGELOG.rst
++++ b/CHANGELOG.rst
+@@ -16,6 +16,7 @@ Deprecations:
+ Changes:
+ ^^^^^^^^
+ 
++- Properly raise an error if a DTLS cookie callback returned a cookie longer than ``DTLS1_COOKIE_LENGTH`` bytes. Previously this would result in a buffer-overflow.
+ - Added ``OpenSSL.SSL.Connection.get_selected_srtp_profile`` to determine which SRTP profile was negotiated.
+   `#1279 <https://github.com/pyca/pyopenssl/pull/1279>`_.
+ - ``Context.set_tlsext_servername_callback`` now handles exceptions raised in the callback by calling ``sys.excepthook`` and returning a fatal TLS alert. Previously, exceptions were silently swallowed and the handshake would proceed as if the callback had succeeded.
+diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
+index a6263c4..2e4da78 100644
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -691,11 +691,18 @@ class _CookieGenerateCallbackHelper(_CallbackExceptionHelper):
+     def __init__(self, callback):
+         _CallbackExceptionHelper.__init__(self)
+ 
++        max_cookie_len = getattr(_lib, "DTLS1_COOKIE_LENGTH", 255)
++
+         @wraps(callback)
+         def wrapper(ssl, out, outlen):
+             try:
+                 conn = Connection._reverse_mapping[ssl]
+                 cookie = callback(conn)
++                if len(cookie) > max_cookie_len:
++                    raise ValueError(
++                        f"Cookie too long (got {len(cookie)} bytes, "
++                        f"max {max_cookie_len})"
++                    )
+                 out[0 : len(cookie)] = cookie
+                 outlen[0] = len(cookie)
+                 return 1
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index 55489b9..683e368 100644
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -4560,6 +4560,44 @@ class TestDTLS:
+     def test_it_works_with_srtp(self):
+         self._test_handshake_and_data(srtp_profile=b"SRTP_AES128_CM_SHA1_80")
+ 
++    def test_cookie_generate_too_long(self) -> None:
++        s_ctx = Context(DTLS_METHOD)
++
++        def generate_cookie(ssl: Connection) -> bytes:
++            return b"\x00" * 256
++
++        def verify_cookie(ssl: Connection, cookie: bytes) -> bool:
++            return True
++
++        s_ctx.set_cookie_generate_callback(generate_cookie)
++        s_ctx.set_cookie_verify_callback(verify_cookie)
++        s_ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++        s_ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
++        s_ctx.set_options(OP_NO_QUERY_MTU)
++        s = Connection(s_ctx)
++        s.set_accept_state()
++
++        c_ctx = Context(DTLS_METHOD)
++        c_ctx.set_options(OP_NO_QUERY_MTU)
++        c = Connection(c_ctx)
++        c.set_connect_state()
++
++        c.set_ciphertext_mtu(1500)
++        s.set_ciphertext_mtu(1500)
++
++        # Client sends ClientHello
++        try:
++            c.do_handshake()
++        except SSL.WantReadError:
++            pass
++        chunk = c.bio_read(self.LARGE_BUFFER)
++        s.bio_write(chunk)
++
++        # Server tries DTLSv1_listen, which triggers cookie generation.
++        # The oversized cookie should raise ValueError.
++        with pytest.raises(ValueError, match="Cookie too long"):
++            s.DTLSv1_listen()
++
+     def test_timeout(self, monkeypatch):
+         c_ctx = Context(DTLS_METHOD)
+         c = Connection(c_ctx)
+-- 
+2.43.0
+
diff --git a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
index bc0b568a46a..94a70aa17d1 100644
--- a/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
+++ b/meta/recipes-devtools/python/python3-pyopenssl_24.0.0.bb
@@ -12,6 +12,7 @@ inherit pypi setuptools3
 
 SRC_URI += " \
     file://CVE-2026-27448.patch \
+    file://CVE-2026-27459.patch \
 "
 
 PACKAGES =+ "${PN}-tests"

[OE-core][scarthgap 12/16] gnutls: Fix CVE-2025-14831

[Yoann Congal]

From: Vijay Anusuri <vanusuri@mvista.com>

Picked commits which mentions this CVE per [1].

[1] https://ubuntu.com/security/CVE-2025-14831
[2] https://security-tracker.debian.org/tracker/CVE-2025-14831
[3] https://gitlab.com/gnutls/gnutls/-/issues/1773

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../gnutls/gnutls/CVE-2025-14831-1.patch      |  61 +++
 .../gnutls/gnutls/CVE-2025-14831-2.patch      |  30 ++
 .../gnutls/gnutls/CVE-2025-14831-3.patch      |  45 ++
 .../gnutls/gnutls/CVE-2025-14831-4.patch      | 200 +++++++
 .../gnutls/gnutls/CVE-2025-14831-5.patch      | 500 ++++++++++++++++++
 .../gnutls/gnutls/CVE-2025-14831-6.patch      | 119 +++++
 .../gnutls/gnutls/CVE-2025-14831-7.patch      | 150 ++++++
 .../gnutls/gnutls/CVE-2025-14831-8.patch      | 105 ++++
 .../gnutls/gnutls/CVE-2025-14831-9.patch      | 437 +++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |   9 +
 10 files changed, 1656 insertions(+)
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch

diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch
new file mode 100644
index 00000000000..ae52a43a2c0
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch
@@ -0,0 +1,61 @@
+From 0b2377dfccd99be641bf3f1a0de9f0dc8dc0d4b1 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 26 Jan 2026 19:02:27 +0100
+Subject: [PATCH] x509/name_constraints: use actual zeroes in universal exclude
+ IP NC
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/0b2377dfccd99be641bf3f1a0de9f0dc8dc0d4b1]
+CVE: CVE-2025-14831
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/x509/name_constraints.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -61,7 +61,7 @@ struct gnutls_name_constraints_st {
+ 
+ static struct name_constraints_node_st *
+ name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type,
+-			  unsigned char *data, unsigned int size);
++			  const unsigned char *data, unsigned int size);
+ 
+ static int
+ name_constraints_node_list_add(struct name_constraints_node_list_st *list,
+@@ -285,7 +285,7 @@ static void name_constraints_node_free(s
+  -*/
+ static struct name_constraints_node_st *
+ name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type,
+-			  unsigned char *data, unsigned int size)
++			  const unsigned char *data, unsigned int size)
+ {
+ 	struct name_constraints_node_st *tmp;
+ 	int ret;
+@@ -339,6 +339,7 @@ static int name_constraints_node_list_in
+ 	struct name_constraints_node_list_st removed = { .data = NULL,
+ 							 .size = 0,
+ 							 .capacity = 0 };
++	static const unsigned char universal_ip[32] = { 0 };
+ 
+ 	/* temporary array to see, if we need to add universal excluded constraints
+ 	 * (see phase 3 for details)
+@@ -471,7 +472,7 @@ static int name_constraints_node_list_in
+ 		case GNUTLS_SAN_IPADDRESS:
+ 			// add universal restricted range for IPv4
+ 			tmp = name_constraints_node_new(
+-				nc, GNUTLS_SAN_IPADDRESS, NULL, 8);
++				nc, GNUTLS_SAN_IPADDRESS, universal_ip, 8);
+ 			if (tmp == NULL) {
+ 				gnutls_assert();
+ 				ret = GNUTLS_E_MEMORY_ERROR;
+@@ -484,7 +485,7 @@ static int name_constraints_node_list_in
+ 			}
+ 			// add universal restricted range for IPv6
+ 			tmp = name_constraints_node_new(
+-				nc, GNUTLS_SAN_IPADDRESS, NULL, 32);
++				nc, GNUTLS_SAN_IPADDRESS, universal_ip, 32);
+ 			if (tmp == NULL) {
+ 				gnutls_assert();
+ 				ret = GNUTLS_E_MEMORY_ERROR;
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch
new file mode 100644
index 00000000000..0d340325541
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch
@@ -0,0 +1,30 @@
+From 85d6348a30c74d4ee3710e0f4652f634eaad6914 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 26 Jan 2026 19:10:58 +0100
+Subject: [PATCH] tests/name-constraints-ip: stop swallowing errors...
+
+... now when it started to pass
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/85d6348a30c74d4ee3710e0f4652f634eaad6914]
+CVE: CVE-2025-14831
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ tests/name-constraints-ip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/name-constraints-ip.c b/tests/name-constraints-ip.c
+index 7a196088dc..a0cf172b7f 100644
+--- a/tests/name-constraints-ip.c
++++ b/tests/name-constraints-ip.c
+@@ -772,5 +772,5 @@ int main(int argc, char **argv)
+ 		cmocka_unit_test_setup_teardown(
+ 			check_ipv4v6_single_constraint_each, setup, teardown)
+ 	};
+-	cmocka_run_group_tests(tests, NULL, NULL);
++	return cmocka_run_group_tests(tests, NULL, NULL);
+ }
+-- 
+GitLab
+
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch
new file mode 100644
index 00000000000..ed4a7da3c7a
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch
@@ -0,0 +1,45 @@
+From c28475413f82e1f34295d5c039f0c0a4ca2ee526 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 26 Jan 2026 20:14:33 +0100
+Subject: [PATCH] x509/name_constraints: reject some malformed domain names
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/c28475413f82e1f34295d5c039f0c0a4ca2ee526]
+CVE: CVE-2025-14831
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/x509/name_constraints.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
+index d07482e3c9..9783d92851 100644
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -159,6 +159,23 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type,
+ 			return gnutls_assert_val(GNUTLS_E_MALFORMED_CIDR);
+ 	}
+ 
++	/* Validate DNS names and email addresses for malformed input */
++	if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME) {
++		unsigned int i;
++		if (name->size == 0)
++			return GNUTLS_E_SUCCESS;
++
++		/* reject names with consecutive dots... */
++		for (i = 0; i + 1 < name->size; i++) {
++			if (name->data[i] == '.' && name->data[i + 1] == '.')
++				return gnutls_assert_val(
++					GNUTLS_E_ILLEGAL_PARAMETER);
++		}
++		/* ... or names consisting exclusively of dots */
++		if (name->size == 1 && name->data[0] == '.')
++			return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
++	}
++
+ 	return GNUTLS_E_SUCCESS;
+ }
+ 
+-- 
+GitLab
+
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch
new file mode 100644
index 00000000000..99ec9c5e9a3
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch
@@ -0,0 +1,200 @@
+From 6db7da7fcfe230f445b1edbb56e2a8346120c891 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Thu, 5 Feb 2026 13:22:10 +0100
+Subject: [PATCH] x509/name_constraints: name_constraints_node_add_{new,copy}
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/6db7da7fcfe230f445b1edbb56e2a8346120c891]
+CVE: CVE-2025-14831
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/x509/name_constraints.c | 112 ++++++++++++++++--------------------
+ 1 file changed, 51 insertions(+), 61 deletions(-)
+
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -86,6 +86,38 @@ name_constraints_node_list_add(struct na
+ 	return 0;
+ }
+ 
++static int
++name_constraints_node_add_new(gnutls_x509_name_constraints_t nc,
++			      struct name_constraints_node_list_st *list,
++			      unsigned type, const unsigned char *data,
++			      unsigned int size)
++{
++	struct name_constraints_node_st *node;
++	int ret;
++	node = name_constraints_node_new(nc, type, data, size);
++	if (node == NULL) {
++		gnutls_assert();
++		return GNUTLS_E_MEMORY_ERROR;
++	}
++	ret = name_constraints_node_list_add(list, node);
++	if (ret < 0) {
++		gnutls_assert();
++		return ret;
++	}
++	return GNUTLS_E_SUCCESS;
++}
++
++static int
++name_constraints_node_add_copy(gnutls_x509_name_constraints_t nc,
++			       struct name_constraints_node_list_st *dest,
++			       const struct name_constraints_node_st *src)
++{
++	if (!src)
++		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++	return name_constraints_node_add_new(nc, dest, src->type,
++					     src->name.data, src->name.size);
++}
++
+ // for documentation see the implementation
+ static int name_constraints_intersect_nodes(
+ 	gnutls_x509_name_constraints_t nc,
+@@ -188,7 +220,6 @@ static int extract_name_constraints(gnut
+ 	unsigned indx;
+ 	gnutls_datum_t tmp = { NULL, 0 };
+ 	unsigned int type;
+-	struct name_constraints_node_st *node;
+ 
+ 	for (indx = 1;; indx++) {
+ 		snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, indx);
+@@ -231,15 +262,9 @@ static int extract_name_constraints(gnut
+ 			goto cleanup;
+ 		}
+ 
+-		node = name_constraints_node_new(nc, type, tmp.data, tmp.size);
++		ret = name_constraints_node_add_new(nc, nodes, type, tmp.data,
++						    tmp.size);
+ 		_gnutls_free_datum(&tmp);
+-		if (node == NULL) {
+-			gnutls_assert();
+-			ret = GNUTLS_E_MEMORY_ERROR;
+-			goto cleanup;
+-		}
+-
+-		ret = name_constraints_node_list_add(nodes, node);
+ 		if (ret < 0) {
+ 			gnutls_assert();
+ 			goto cleanup;
+@@ -459,14 +484,7 @@ static int name_constraints_node_list_in
+ 		// Beware: also copies nodes other than DNS, email, IP,
+ 		//       since their counterpart may have been moved in phase 1.
+ 		if (!used) {
+-			tmp = name_constraints_node_new(
+-				nc, t2->type, t2->name.data, t2->name.size);
+-			if (tmp == NULL) {
+-				gnutls_assert();
+-				ret = GNUTLS_E_MEMORY_ERROR;
+-				goto cleanup;
+-			}
+-			ret = name_constraints_node_list_add(permitted, tmp);
++			ret = name_constraints_node_add_copy(nc, permitted, t2);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+ 				goto cleanup;
+@@ -488,27 +506,17 @@ static int name_constraints_node_list_in
+ 		switch (type) {
+ 		case GNUTLS_SAN_IPADDRESS:
+ 			// add universal restricted range for IPv4
+-			tmp = name_constraints_node_new(
+-				nc, GNUTLS_SAN_IPADDRESS, universal_ip, 8);
+-			if (tmp == NULL) {
+-				gnutls_assert();
+-				ret = GNUTLS_E_MEMORY_ERROR;
+-				goto cleanup;
+-			}
+-			ret = name_constraints_node_list_add(excluded, tmp);
++			ret = name_constraints_node_add_new(
++				nc, excluded, GNUTLS_SAN_IPADDRESS,
++				universal_ip, 8);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+ 				goto cleanup;
+ 			}
+ 			// add universal restricted range for IPv6
+-			tmp = name_constraints_node_new(
+-				nc, GNUTLS_SAN_IPADDRESS, universal_ip, 32);
+-			if (tmp == NULL) {
+-				gnutls_assert();
+-				ret = GNUTLS_E_MEMORY_ERROR;
+-				goto cleanup;
+-			}
+-			ret = name_constraints_node_list_add(excluded, tmp);
++			ret = name_constraints_node_add_new(
++				nc, excluded, GNUTLS_SAN_IPADDRESS,
++				universal_ip, 32);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+ 				goto cleanup;
+@@ -516,13 +524,8 @@ static int name_constraints_node_list_in
+ 			break;
+ 		case GNUTLS_SAN_DNSNAME:
+ 		case GNUTLS_SAN_RFC822NAME:
+-			tmp = name_constraints_node_new(nc, type, NULL, 0);
+-			if (tmp == NULL) {
+-				gnutls_assert();
+-				ret = GNUTLS_E_MEMORY_ERROR;
+-				goto cleanup;
+-			}
+-			ret = name_constraints_node_list_add(excluded, tmp);
++			ret = name_constraints_node_add_new(nc, excluded, type,
++							    NULL, 0);
+ 			if (ret < 0) {
+ 				gnutls_assert();
+ 				goto cleanup;
+@@ -544,20 +547,13 @@ static int name_constraints_node_list_co
+ 	struct name_constraints_node_list_st *nodes,
+ 	const struct name_constraints_node_list_st *nodes2)
+ {
++	int ret;
++
+ 	for (size_t i = 0; i < nodes2->size; i++) {
+-		const struct name_constraints_node_st *node = nodes2->data[i];
+-		struct name_constraints_node_st *tmp;
+-		int ret;
+-
+-		tmp = name_constraints_node_new(nc, node->type, node->name.data,
+-						node->name.size);
+-		if (tmp == NULL) {
+-			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+-		}
+-		ret = name_constraints_node_list_add(nodes, tmp);
++		ret = name_constraints_node_add_copy(nc, nodes,
++						     nodes2->data[i]);
+ 		if (ret < 0) {
+-			name_constraints_node_free(tmp);
+-			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++			return gnutls_assert_val(ret);
+ 		}
+ 	}
+ 
+@@ -687,7 +683,6 @@ static int name_constraints_add(gnutls_x
+ 				gnutls_x509_subject_alt_name_t type,
+ 				const gnutls_datum_t *name, unsigned permitted)
+ {
+-	struct name_constraints_node_st *tmp;
+ 	struct name_constraints_node_list_st *nodes;
+ 	int ret;
+ 
+@@ -697,15 +692,10 @@ static int name_constraints_add(gnutls_x
+ 
+ 	nodes = permitted ? &nc->permitted : &nc->excluded;
+ 
+-	tmp = name_constraints_node_new(nc, type, name->data, name->size);
+-	if (tmp == NULL)
+-		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+-
+-	ret = name_constraints_node_list_add(nodes, tmp);
+-	if (ret < 0) {
+-		name_constraints_node_free(tmp);
++	ret = name_constraints_node_add_new(nc, nodes, type, name->data,
++					    name->size);
++	if (ret < 0)
+ 		return gnutls_assert_val(ret);
+-	}
+ 
+ 	return 0;
+ }
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch
new file mode 100644
index 00000000000..7c5ffdf6d8b
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch
@@ -0,0 +1,500 @@
+From 094accd3ebec17ead6c391757eaa18763b72d83f Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Mon, 26 Jan 2026 20:16:36 +0100
+Subject: [PATCH] x509/name_constraints: introduce a rich comparator
+
+These are preparatory changes before implementing N * log N intersection
+over sorted lists of constraints.
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/094accd3ebec17ead6c391757eaa18763b72d83f]
+CVE: CVE-2025-14831
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/x509/name_constraints.c | 411 ++++++++++++++++++++++++++++--------
+ 1 file changed, 320 insertions(+), 91 deletions(-)
+
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -39,6 +39,9 @@
+ #include "ip.h"
+ #include "ip-in-cidr.h"
+ #include "intprops.h"
++#include "minmax.h"
++
++#include <string.h>
+ 
+ #define MAX_NC_CHECKS (1 << 20)
+ 
+@@ -63,6 +66,282 @@ static struct name_constraints_node_st *
+ name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type,
+ 			  const unsigned char *data, unsigned int size);
+ 
++/* An enum for "rich" comparisons that not only let us sort name constraints,
++ * children-before-parent, but also subsume them during intersection. */
++enum name_constraint_relation {
++	NC_SORTS_BEFORE = -2, /* unrelated constraints */
++	NC_INCLUDED_BY = -1, /* nc1 is included by nc2 / children sort first */
++	NC_EQUAL = 0, /* exact match */
++	NC_INCLUDES = 1, /* nc1 includes nc2 / parents sort last */
++	NC_SORTS_AFTER = 2 /* unrelated constraints */
++};
++
++/* A helper to compare just a pair of strings with this rich comparison */
++static enum name_constraint_relation
++compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
++{
++	int r = memcmp(n1, n2, MIN(n1_len, n2_len));
++	if (r < 0)
++		return NC_SORTS_BEFORE;
++	if (r > 0)
++		return NC_SORTS_AFTER;
++	if (n1_len < n2_len)
++		return NC_SORTS_BEFORE;
++	if (n1_len > n2_len)
++		return NC_SORTS_AFTER;
++	return NC_EQUAL;
++}
++
++/* Rich-compare DNS names. Example order/relationships:
++ * z.x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x.b BEFORE y.b */
++static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
++						       const gnutls_datum_t *n2)
++{
++	enum name_constraint_relation rel;
++	unsigned int i, j, i_end, j_end;
++
++	/* start from the end of each name */
++	i = i_end = n1->size;
++	j = j_end = n2->size;
++
++	/* skip the trailing dots for the comparison */
++	while (i && n1->data[i - 1] == '.')
++		i_end = i = i - 1;
++	while (j && n2->data[j - 1] == '.')
++		j_end = j = j - 1;
++
++	while (1) {
++		// rewind back to beginning or an after-dot position
++		while (i && n1->data[i - 1] != '.')
++			i--;
++		while (j && n2->data[j - 1] != '.')
++			j--;
++
++		rel = compare_strings(&n1->data[i], i_end - i, &n2->data[j],
++				      j_end - j);
++		if (rel == NC_SORTS_BEFORE) /* x.a BEFORE y.a */
++			return NC_SORTS_BEFORE;
++		if (rel == NC_SORTS_AFTER) /* y.a AFTER x.a */
++			return NC_SORTS_AFTER;
++		if (!i && j) /* x.a INCLUDES z.x.a */
++			return NC_INCLUDES;
++		if (i && !j) /* z.x.a INCLUDED_BY x.a */
++			return NC_INCLUDED_BY;
++
++		if (!i && !j) /* r == 0, we ran out of components to compare */
++			return NC_EQUAL;
++		/* r == 0, i && j: step back past a dot and keep comparing */
++		i_end = i = i - 1;
++		j_end = j = j - 1;
++
++		/* support for non-standard ".gr INCLUDES example.gr" [1] */
++		if (!i && j) /* .a INCLUDES x.a */
++			return NC_INCLUDES;
++		if (i && !j) /* x.a INCLUDED_BY .a */
++			return NC_INCLUDED_BY;
++	}
++}
++/* [1] https://mailarchive.ietf.org/arch/msg/saag/Bw6PtreW0G7aEG7SikfzKHES4VA */
++
++/* Rich-compare email name constraints. Example order/relationships:
++ * z@x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x@b BEFORE y@b */
++static enum name_constraint_relation compare_emails(const gnutls_datum_t *n1,
++						    const gnutls_datum_t *n2)
++{
++	enum name_constraint_relation domains_rel;
++	unsigned int i, j, i_end, j_end;
++	gnutls_datum_t d1, d2; /* borrow from n1 and n2 */
++
++	/* start from the end of each name */
++	i = i_end = n1->size;
++	j = j_end = n2->size;
++
++	/* rewind to @s to look for domains */
++	while (i && n1->data[i - 1] != '@')
++		i--;
++	d1.size = i_end - i;
++	d1.data = &n1->data[i];
++	while (j && n2->data[j - 1] != '@')
++		j--;
++	d2.size = j_end - j;
++	d2.data = &n2->data[j];
++
++	domains_rel = compare_dns_names(&d1, &d2);
++
++	/* email constraint semantics differ from DNS
++	 * DNS: x.a INCLUDED_BY a
++	 * Email: x.a INCLUDED_BY .a BEFORE a */
++	if (domains_rel == NC_INCLUDED_BY || domains_rel == NC_INCLUDES) {
++		bool d1_has_dot = (d1.size > 0 && d1.data[0] == '.');
++		bool d2_has_dot = (d2.size > 0 && d2.data[0] == '.');
++		/* a constraint without a dot is exact, excluding subdomains */
++		if (!d2_has_dot && domains_rel == NC_INCLUDED_BY)
++			domains_rel = NC_SORTS_BEFORE; /* x.a BEFORE a */
++		if (!d1_has_dot && domains_rel == NC_INCLUDES)
++			domains_rel = NC_SORTS_AFTER; /* a AFTER x.a */
++	}
++
++	if (!i && !j) { /* both are domains-only */
++		return domains_rel;
++	} else if (i && !j) { /* n1 is email, n2 is domain */
++		switch (domains_rel) {
++		case NC_SORTS_AFTER:
++			return NC_SORTS_AFTER;
++		case NC_SORTS_BEFORE:
++			return NC_SORTS_BEFORE;
++		case NC_INCLUDES: /* n2 is more specific, a@x.a AFTER z.x.a */
++			return NC_SORTS_AFTER;
++		case NC_EQUAL: /* subdomains match, z@x.a INCLUDED_BY x.a */
++		case NC_INCLUDED_BY: /* n1 is more specific */
++			return NC_INCLUDED_BY;
++		}
++	} else if (!i && j) { /* n1 is domain, n2 is email */
++		switch (domains_rel) {
++		case NC_SORTS_AFTER:
++			return NC_SORTS_AFTER;
++		case NC_SORTS_BEFORE:
++			return NC_SORTS_BEFORE;
++		case NC_INCLUDES: /* n2 is more specific, a AFTER z@x.a */
++			return NC_SORTS_AFTER;
++		case NC_EQUAL: /* subdomains match, x.a INCLUDES z@x.a */
++			return NC_INCLUDES;
++		case NC_INCLUDED_BY: /* n1 is more specific, x.a BEFORE z@a */
++			return NC_SORTS_BEFORE;
++		}
++	} else if (i && j) { /* both are emails */
++		switch (domains_rel) {
++		case NC_SORTS_AFTER:
++			return NC_SORTS_AFTER;
++		case NC_SORTS_BEFORE:
++			return NC_SORTS_BEFORE;
++		case NC_INCLUDES: // n2 is more specific
++			return NC_SORTS_AFTER;
++		case NC_INCLUDED_BY: // n1 is more specific
++			return NC_SORTS_BEFORE;
++		case NC_EQUAL: // only case when we need to look before the @
++			break; // see below for readability
++		}
++	}
++
++	/* i && j, both are emails, domain names match, compare up to @ */
++	return compare_strings(n1->data, i - 1, n2->data, j - 1);
++}
++
++/* Rich-compare IP address constraints. Example order/relationships:
++ * 10.0.0.0/24 INCLUDED_BY 10.0.0.0/16 BEFORE 1::1/128 INCLUDED_BY 1::1/127 */
++static enum name_constraint_relation compare_ip_ncs(const gnutls_datum_t *n1,
++						    const gnutls_datum_t *n2)
++{
++	unsigned int len, i;
++	int r;
++	const unsigned char *ip1, *ip2, *mask1, *mask2;
++	unsigned char masked11[16], masked22[16], masked12[16], masked21[16];
++
++	if (n1->size < n2->size)
++		return NC_SORTS_BEFORE;
++	if (n1->size > n2->size)
++		return NC_SORTS_AFTER;
++	len = n1->size / 2; /* 4 for IPv4, 16 for IPv6 */
++
++	/* data is a concatenation of prefix and mask */
++	ip1 = n1->data;
++	ip2 = n2->data;
++	mask1 = n1->data + len;
++	mask2 = n2->data + len;
++	for (i = 0; i < len; i++) {
++		masked11[i] = ip1[i] & mask1[i];
++		masked22[i] = ip2[i] & mask2[i];
++		masked12[i] = ip1[i] & mask2[i];
++		masked21[i] = ip2[i] & mask1[i];
++	}
++
++	r = memcmp(mask1, mask2, len);
++	if (r < 0 && !memcmp(masked11, masked21, len)) /* prefix1 < prefix2 */
++		return NC_INCLUDES; /* ip1 & mask1 == ip2 & mask1 */
++	if (r > 0 && !memcmp(masked12, masked22, len)) /* prefix1 > prefix2 */
++		return NC_INCLUDED_BY; /* ip1 & mask2 == ip2 & mask2 */
++
++	r = memcmp(masked11, masked22, len);
++	if (r < 0)
++		return NC_SORTS_BEFORE;
++	else if (r > 0)
++		return NC_SORTS_AFTER;
++	return NC_EQUAL;
++}
++
++static inline bool is_supported_type(unsigned type)
++{
++	return type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
++	       type == GNUTLS_SAN_IPADDRESS;
++}
++
++/* Universal comparison for name constraint nodes.
++ * Unsupported types sort before supported types to allow early handling.
++ * NULL represents end-of-list and sorts after everything else. */
++static enum name_constraint_relation
++compare_name_constraint_nodes(const struct name_constraints_node_st *n1,
++			      const struct name_constraints_node_st *n2)
++{
++	bool n1_supported, n2_supported;
++
++	if (!n1 && !n2)
++		return NC_EQUAL;
++	if (!n1)
++		return NC_SORTS_AFTER;
++	if (!n2)
++		return NC_SORTS_BEFORE;
++
++	n1_supported = is_supported_type(n1->type);
++	n2_supported = is_supported_type(n2->type);
++
++	/* unsupported types bubble up (sort first). intersect relies on this */
++	if (!n1_supported && n2_supported)
++		return NC_SORTS_BEFORE;
++	if (n1_supported && !n2_supported)
++		return NC_SORTS_AFTER;
++
++	/* next, sort by type */
++	if (n1->type < n2->type)
++		return NC_SORTS_BEFORE;
++	if (n1->type > n2->type)
++		return NC_SORTS_AFTER;
++
++	/* now look deeper */
++	switch (n1->type) {
++	case GNUTLS_SAN_DNSNAME:
++		return compare_dns_names(&n1->name, &n2->name);
++	case GNUTLS_SAN_RFC822NAME:
++		return compare_emails(&n1->name, &n2->name);
++	case GNUTLS_SAN_IPADDRESS:
++		return compare_ip_ncs(&n1->name, &n2->name);
++	default:
++		/* unsupported types: stable lexicographic order */
++		return compare_strings(n1->name.data, n1->name.size,
++				       n2->name.data, n2->name.size);
++	}
++}
++
++/* qsort-compatible wrapper */
++static int compare_name_constraint_nodes_qsort(const void *a, const void *b)
++{
++	const struct name_constraints_node_st *const *n1 = a;
++	const struct name_constraints_node_st *const *n2 = b;
++	enum name_constraint_relation rel;
++
++	rel = compare_name_constraint_nodes(*n1, *n2);
++	switch (rel) {
++	case NC_SORTS_BEFORE:
++	case NC_INCLUDED_BY:
++		return -1;
++	case NC_SORTS_AFTER:
++	case NC_INCLUDES:
++		return 1;
++	case NC_EQUAL:
++	default:
++		return 0;
++	}
++}
++
+ static int
+ name_constraints_node_list_add(struct name_constraints_node_list_st *list,
+ 			       struct name_constraints_node_st *node)
+@@ -420,9 +699,7 @@ static int name_constraints_node_list_in
+ 			}
+ 		}
+ 
+-		if (found != NULL && (t->type == GNUTLS_SAN_DNSNAME ||
+-				      t->type == GNUTLS_SAN_RFC822NAME ||
+-				      t->type == GNUTLS_SAN_IPADDRESS)) {
++		if (found != NULL && is_supported_type(t->type)) {
+ 			/* move node from PERMITTED to REMOVED */
+ 			ret = name_constraints_node_list_add(&removed, t);
+ 			if (ret < 0) {
+@@ -824,61 +1101,14 @@ cleanup:
+ 	return ret;
+ }
+ 
+-static unsigned ends_with(const gnutls_datum_t *str,
+-			  const gnutls_datum_t *suffix)
+-{
+-	unsigned char *tree;
+-	unsigned int treelen;
+-
+-	if (suffix->size >= str->size)
+-		return 0;
+-
+-	tree = suffix->data;
+-	treelen = suffix->size;
+-	if ((treelen > 0) && (tree[0] == '.')) {
+-		tree++;
+-		treelen--;
+-	}
+-
+-	if (memcmp(str->data + str->size - treelen, tree, treelen) == 0 &&
+-	    str->data[str->size - treelen - 1] == '.')
+-		return 1; /* match */
+-
+-	return 0;
+-}
+-
+-static unsigned email_ends_with(const gnutls_datum_t *str,
+-				const gnutls_datum_t *suffix)
+-{
+-	if (suffix->size >= str->size) {
+-		return 0;
+-	}
+-
+-	if (suffix->size > 0 && memcmp(str->data + str->size - suffix->size,
+-				       suffix->data, suffix->size) != 0) {
+-		return 0;
+-	}
+-
+-	if (suffix->size > 1 && suffix->data[0] == '.') { /* .domain.com */
+-		return 1; /* match */
+-	} else if (str->data[str->size - suffix->size - 1] == '@') {
+-		return 1; /* match */
+-	}
+-
+-	return 0;
+-}
+-
+ static unsigned dnsname_matches(const gnutls_datum_t *name,
+ 				const gnutls_datum_t *suffix)
+ {
+ 	_gnutls_hard_log("matching %.*s with DNS constraint %.*s\n", name->size,
+ 			 name->data, suffix->size, suffix->data);
+ 
+-	if (suffix->size == name->size &&
+-	    memcmp(suffix->data, name->data, suffix->size) == 0)
+-		return 1; /* match */
+-
+-	return ends_with(name, suffix);
++	enum name_constraint_relation rel = compare_dns_names(name, suffix);
++	return rel == NC_EQUAL || rel == NC_INCLUDED_BY;
+ }
+ 
+ static unsigned email_matches(const gnutls_datum_t *name,
+@@ -887,11 +1117,8 @@ static unsigned email_matches(const gnut
+ 	_gnutls_hard_log("matching %.*s with e-mail constraint %.*s\n",
+ 			 name->size, name->data, suffix->size, suffix->data);
+ 
+-	if (suffix->size == name->size &&
+-	    memcmp(suffix->data, name->data, suffix->size) == 0)
+-		return 1; /* match */
+-
+-	return email_ends_with(name, suffix);
++	enum name_constraint_relation rel = compare_emails(name, suffix);
++	return rel == NC_EQUAL || rel == NC_INCLUDED_BY;
+ }
+ 
+ /*-
+@@ -915,8 +1142,7 @@ static int name_constraints_intersect_no
+ 	// presume empty intersection
+ 	struct name_constraints_node_st *intersection = NULL;
+ 	const struct name_constraints_node_st *to_copy = NULL;
+-	unsigned iplength = 0;
+-	unsigned byte;
++	enum name_constraint_relation rel;
+ 
+ 	*_intersection = NULL;
+ 
+@@ -925,32 +1151,49 @@ static int name_constraints_intersect_no
+ 	}
+ 	switch (node1->type) {
+ 	case GNUTLS_SAN_DNSNAME:
+-		if (!dnsname_matches(&node2->name, &node1->name))
++		rel = compare_dns_names(&node1->name, &node2->name);
++		switch (rel) {
++		case NC_EQUAL: // equal means doesn't matter which one
++		case NC_INCLUDES: // node2 is more specific
++			to_copy = node2;
++			break;
++		case NC_INCLUDED_BY: // node1 is more specific
++			to_copy = node1;
++			break;
++		case NC_SORTS_BEFORE: // no intersection
++		case NC_SORTS_AFTER: // no intersection
+ 			return GNUTLS_E_SUCCESS;
+-		to_copy = node2;
++		}
+ 		break;
+ 	case GNUTLS_SAN_RFC822NAME:
+-		if (!email_matches(&node2->name, &node1->name))
++		rel = compare_emails(&node1->name, &node2->name);
++		switch (rel) {
++		case NC_EQUAL: // equal means doesn't matter which one
++		case NC_INCLUDES: // node2 is more specific
++			to_copy = node2;
++			break;
++		case NC_INCLUDED_BY: // node1 is more specific
++			to_copy = node1;
++			break;
++		case NC_SORTS_BEFORE: // no intersection
++		case NC_SORTS_AFTER: // no intersection
+ 			return GNUTLS_E_SUCCESS;
+-		to_copy = node2;
++		}
+ 		break;
+ 	case GNUTLS_SAN_IPADDRESS:
+-		if (node1->name.size != node2->name.size)
++		rel = compare_ip_ncs(&node1->name, &node2->name);
++		switch (rel) {
++		case NC_EQUAL: // equal means doesn't matter which one
++		case NC_INCLUDES: // node2 is more specific
++			to_copy = node2;
++			break;
++		case NC_INCLUDED_BY: // node1 is more specific
++			to_copy = node1;
++			break;
++		case NC_SORTS_BEFORE: // no intersection
++		case NC_SORTS_AFTER: // no intersection
+ 			return GNUTLS_E_SUCCESS;
+-		iplength = node1->name.size / 2;
+-		for (byte = 0; byte < iplength; byte++) {
+-			if (((node1->name.data[byte] ^
+-			      node2->name.data[byte]) // XOR of addresses
+-			     & node1->name.data[byte +
+-						iplength] // AND mask from nc1
+-			     & node2->name.data[byte +
+-						iplength]) // AND mask from nc2
+-			    != 0) {
+-				// CIDRS do not intersect
+-				return GNUTLS_E_SUCCESS;
+-			}
+ 		}
+-		to_copy = node2;
+ 		break;
+ 	default:
+ 		// for other types, we don't know how to do the intersection, assume empty
+@@ -967,20 +1210,6 @@ static int name_constraints_intersect_no
+ 		intersection = *_intersection;
+ 
+ 		assert(intersection->name.data != NULL);
+-
+-		if (intersection->type == GNUTLS_SAN_IPADDRESS) {
+-			// make sure both IP addresses are correctly masked
+-			_gnutls_mask_ip(intersection->name.data,
+-					intersection->name.data + iplength,
+-					iplength);
+-			_gnutls_mask_ip(node1->name.data,
+-					node1->name.data + iplength, iplength);
+-			// update intersection, if necessary (we already know one is subset of other)
+-			for (byte = 0; byte < 2 * iplength; byte++) {
+-				intersection->name.data[byte] |=
+-					node1->name.data[byte];
+-			}
+-		}
+ 	}
+ 
+ 	return GNUTLS_E_SUCCESS;
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch
new file mode 100644
index 00000000000..6dc599dd9f1
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch
@@ -0,0 +1,119 @@
+From bc62fbb946085527b4b1c02f337dd10c68c54690 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Wed, 4 Feb 2026 09:09:46 +0100
+Subject: [PATCH] x509/name_constraints: add sorted_view in preparation...
+
+... for actually using it later for performance gains.
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/bc62fbb946085527b4b1c02f337dd10c68c54690]
+CVE: CVE-2025-14831
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/x509/name_constraints.c | 62 ++++++++++++++++++++++++++++++-------
+ 1 file changed, 51 insertions(+), 11 deletions(-)
+
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -54,6 +54,9 @@ struct name_constraints_node_list_st {
+ 	struct name_constraints_node_st **data;
+ 	size_t size;
+ 	size_t capacity;
++	/* sorted-on-demand view, valid only when dirty == false */
++	bool dirty;
++	struct name_constraints_node_st **sorted_view;
+ };
+ 
+ struct gnutls_name_constraints_st {
+@@ -342,6 +345,37 @@ static int compare_name_constraint_nodes
+ 	}
+ }
+ 
++/* Bring the sorted view up to date with the list data; clear the dirty flag. */
++static int ensure_sorted(struct name_constraints_node_list_st *list)
++{
++	struct name_constraints_node_st **new_data;
++
++	if (!list->dirty)
++		return GNUTLS_E_SUCCESS;
++	if (!list->size) {
++		list->dirty = false;
++		return GNUTLS_E_SUCCESS;
++	}
++
++	/* reallocate sorted view to match current size */
++	new_data =
++		_gnutls_reallocarray(list->sorted_view, list->size,
++				     sizeof(struct name_constraints_node_st *));
++	if (!new_data)
++		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
++	list->sorted_view = new_data;
++
++	/* copy pointers and sort in-place */
++	memcpy(list->sorted_view, list->data,
++	       list->size * sizeof(struct name_constraints_node_st *));
++	qsort(list->sorted_view, list->size,
++	      sizeof(struct name_constraints_node_st *),
++	      compare_name_constraint_nodes_qsort);
++
++	list->dirty = false;
++	return GNUTLS_E_SUCCESS;
++}
++
+ static int
+ name_constraints_node_list_add(struct name_constraints_node_list_st *list,
+ 			       struct name_constraints_node_st *node)
+@@ -361,10 +395,23 @@ name_constraints_node_list_add(struct na
+ 		list->capacity = new_capacity;
+ 		list->data = new_data;
+ 	}
++	list->dirty = true;
+ 	list->data[list->size++] = node;
+ 	return 0;
+ }
+ 
++static void
++name_constraints_node_list_clear(struct name_constraints_node_list_st *list)
++{
++	gnutls_free(list->data);
++	gnutls_free(list->sorted_view);
++	list->data = NULL;
++	list->sorted_view = NULL;
++	list->capacity = 0;
++	list->size = 0;
++	list->dirty = false;
++}
++
+ static int
+ name_constraints_node_add_new(gnutls_x509_name_constraints_t nc,
+ 			      struct name_constraints_node_list_st *list,
+@@ -711,6 +758,7 @@ static int name_constraints_node_list_in
+ 				permitted->data[i] =
+ 					permitted->data[permitted->size - 1];
+ 			permitted->size--;
++			permitted->dirty = true;
+ 			continue;
+ 		}
+ 		i++;
+@@ -905,17 +953,9 @@ void _gnutls_x509_name_constraints_clear
+ 		struct name_constraints_node_st *node = nc->nodes.data[i];
+ 		name_constraints_node_free(node);
+ 	}
+-	gnutls_free(nc->nodes.data);
+-	nc->nodes.capacity = 0;
+-	nc->nodes.size = 0;
+-
+-	gnutls_free(nc->permitted.data);
+-	nc->permitted.capacity = 0;
+-	nc->permitted.size = 0;
+-
+-	gnutls_free(nc->excluded.data);
+-	nc->excluded.capacity = 0;
+-	nc->excluded.size = 0;
++	name_constraints_node_list_clear(&nc->nodes);
++	name_constraints_node_list_clear(&nc->permitted);
++	name_constraints_node_list_clear(&nc->excluded);
+ }
+ 
+ /**
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch
new file mode 100644
index 00000000000..846862007f0
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch
@@ -0,0 +1,150 @@
+From 80db5e90fa18d3e34bb91dd027bdf76d31e93dcd Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Wed, 4 Feb 2026 13:30:08 +0100
+Subject: [PATCH] x509/name_constraints: implement
+ name_constraints_node_list_union
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80db5e90fa18d3e34bb91dd027bdf76d31e93dcd]
+CVE: CVE-2025-14831
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/x509/name_constraints.c | 98 ++++++++++++++++++++++++++++++++-----
+ 1 file changed, 86 insertions(+), 12 deletions(-)
+
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -41,6 +41,7 @@
+ #include "intprops.h"
+ #include "minmax.h"
+ 
++#include <assert.h>
+ #include <string.h>
+ 
+ #define MAX_NC_CHECKS (1 << 20)
+@@ -867,22 +868,95 @@ cleanup:
+ 	return ret;
+ }
+ 
+-static int name_constraints_node_list_concat(
+-	gnutls_x509_name_constraints_t nc,
+-	struct name_constraints_node_list_st *nodes,
+-	const struct name_constraints_node_list_st *nodes2)
++static int
++name_constraints_node_list_union(gnutls_x509_name_constraints_t nc,
++				 struct name_constraints_node_list_st *nodes,
++				 struct name_constraints_node_list_st *nodes2)
+ {
+ 	int ret;
++	size_t i = 0, j = 0;
++	struct name_constraints_node_st *nc1;
++	const struct name_constraints_node_st *nc2;
++	enum name_constraint_relation rel;
++	struct name_constraints_node_list_st result = { 0 };
++
++	if (nodes2->size == 0) /* nothing to do */
++		return GNUTLS_E_SUCCESS;
++
++	ret = ensure_sorted(nodes);
++	if (ret < 0) {
++		gnutls_assert();
++		goto cleanup;
++	}
++	ret = ensure_sorted(nodes2);
++	if (ret < 0) {
++		gnutls_assert();
++		goto cleanup;
++	}
++
++	/* traverse both lists in a single pass and merge them w/o duplicates */
++	while (i < nodes->size || j < nodes2->size) {
++		nc1 = (i < nodes->size) ? nodes->sorted_view[i] : NULL;
++		nc2 = (j < nodes2->size) ? nodes2->sorted_view[j] : NULL;
+ 
+-	for (size_t i = 0; i < nodes2->size; i++) {
+-		ret = name_constraints_node_add_copy(nc, nodes,
+-						     nodes2->data[i]);
++		rel = compare_name_constraint_nodes(nc1, nc2);
++		switch (rel) {
++		case NC_SORTS_BEFORE:
++			assert(nc1 != NULL); /* comparator-guaranteed */
++			ret = name_constraints_node_list_add(&result, nc1);
++			i++;
++			break;
++		case NC_SORTS_AFTER:
++			assert(nc2 != NULL); /* comparator-guaranteed */
++			ret = name_constraints_node_add_copy(nc, &result, nc2);
++			j++;
++			break;
++		case NC_INCLUDES: /* nc1 is broader, shallow-copy it */
++			assert(nc1 != NULL && nc2 != NULL); /* comparator */
++			ret = name_constraints_node_list_add(&result, nc1);
++			i++;
++			j++;
++			break;
++		case NC_INCLUDED_BY: /* nc2 is broader, deep-copy it */
++			assert(nc1 != NULL && nc2 != NULL); /* comparator */
++			ret = name_constraints_node_add_copy(nc, &result, nc2);
++			i++;
++			j++;
++			break;
++		case NC_EQUAL:
++			assert(nc1 != NULL && nc2 != NULL); /* loop condition */
++			ret = name_constraints_node_list_add(&result, nc1);
++			i++;
++			j++;
++			break;
++		}
+ 		if (ret < 0) {
+-			return gnutls_assert_val(ret);
++			gnutls_assert();
++			goto cleanup;
+ 		}
+ 	}
+ 
+-	return 0;
++	gnutls_free(nodes->data);
++	gnutls_free(nodes->sorted_view);
++	nodes->data = result.data;
++	nodes->sorted_view = NULL;
++	nodes->size = result.size;
++	nodes->capacity = result.capacity;
++	nodes->dirty = true;
++	/* since we know it's sorted, populate sorted_view almost for free */
++	nodes->sorted_view = gnutls_calloc(
++		nodes->size, sizeof(struct name_constraints_node_st *));
++	if (!nodes->sorted_view)
++		return GNUTLS_E_SUCCESS; /* we tried, no harm done */
++	memcpy(nodes->sorted_view, nodes->data,
++	       nodes->size * sizeof(struct name_constraints_node_st *));
++	nodes->dirty = false;
++
++	result.data = NULL;
++	return GNUTLS_E_SUCCESS;
++cleanup:
++	name_constraints_node_list_clear(&result);
++	return gnutls_assert_val(ret);
+ }
+ 
+ /**
+@@ -1023,7 +1097,7 @@ static int name_constraints_add(gnutls_x
+  * @nc2: The name constraints to be merged with
+  *
+  * This function will merge the provided name constraints structures
+- * as per RFC5280 p6.1.4. That is, the excluded constraints will be appended,
++ * as per RFC5280 p6.1.4. That is, the excluded constraints will be unioned,
+  * and permitted will be intersected. The intersection assumes that @nc
+  * is the root CA constraints.
+  *
+@@ -1045,8 +1119,8 @@ int _gnutls_x509_name_constraints_merge(
+ 		return ret;
+ 	}
+ 
+-	ret = name_constraints_node_list_concat(nc, &nc->excluded,
+-						&nc2->excluded);
++	ret = name_constraints_node_list_union(nc, &nc->excluded,
++					       &nc2->excluded);
+ 	if (ret < 0) {
+ 		gnutls_assert();
+ 		return ret;
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch
new file mode 100644
index 00000000000..9beca76a352
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch
@@ -0,0 +1,105 @@
+From d0ac999620c8c0aeb6939e1e92d884ca8e40b759 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Wed, 4 Feb 2026 18:31:37 +0100
+Subject: [PATCH] x509/name_constraints: make types_with_empty_intersection a
+ bitmask
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/d0ac999620c8c0aeb6939e1e92d884ca8e40b759]
+CVE: CVE-2025-14831
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ lib/x509/name_constraints.c | 39 +++++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -275,6 +275,7 @@ static enum name_constraint_relation com
+ 
+ static inline bool is_supported_type(unsigned type)
+ {
++	/* all of these should be under GNUTLS_SAN_MAX (intersect bitmasks) */
+ 	return type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
+ 	       type == GNUTLS_SAN_IPADDRESS;
+ }
+@@ -683,6 +684,21 @@ name_constraints_node_new(gnutls_x509_na
+ 	return tmp;
+ }
+ 
++static int
++name_constraints_node_list_union(gnutls_x509_name_constraints_t nc,
++				 struct name_constraints_node_list_st *nodes,
++				 struct name_constraints_node_list_st *nodes2);
++
++#define type_bitmask_t uint8_t /* increase if GNUTLS_SAN_MAX grows */
++#define type_bitmask_set(mask, t) ((mask) |= (1u << (t)))
++#define type_bitmask_clr(mask, t) ((mask) &= ~(1u << (t)))
++#define type_bitmask_in(mask, t) ((mask) & (1u << (t)))
++/* C99-compatible compile-time assertions; gnutls_int.h undefines verify */
++typedef char assert_san_max[(GNUTLS_SAN_MAX < 8) ? 1 : -1];
++typedef char assert_dnsname[(GNUTLS_SAN_DNSNAME <= GNUTLS_SAN_MAX) ? 1 : -1];
++typedef char assert_rfc822[(GNUTLS_SAN_RFC822NAME <= GNUTLS_SAN_MAX) ? 1 : -1];
++typedef char assert_ipaddr[(GNUTLS_SAN_IPADDRESS <= GNUTLS_SAN_MAX) ? 1 : -1];
++
+ /*-
+  * @brief name_constraints_node_list_intersect:
+  * @nc: %gnutls_x509_name_constraints_t
+@@ -710,12 +726,9 @@ static int name_constraints_node_list_in
+ 							 .capacity = 0 };
+ 	static const unsigned char universal_ip[32] = { 0 };
+ 
+-	/* temporary array to see, if we need to add universal excluded constraints
+-	 * (see phase 3 for details)
+-	 * indexed directly by (gnutls_x509_subject_alt_name_t enum - 1) */
+-	unsigned char types_with_empty_intersection[GNUTLS_SAN_MAX];
+-	memset(types_with_empty_intersection, 0,
+-	       sizeof(types_with_empty_intersection));
++	/* bitmask to see if we need to add universal excluded constraints
++	 * (see phase 3 for details) */
++	type_bitmask_t types_with_empty_intersection = 0;
+ 
+ 	if (permitted->size == 0 || permitted2->size == 0)
+ 		return 0;
+@@ -741,7 +754,8 @@ static int name_constraints_node_list_in
+ 				// note the possibility of empty intersection for this type
+ 				// if we add something to the intersection in phase 2,
+ 				// we will reset this flag back to 0 then
+-				types_with_empty_intersection[t->type - 1] = 1;
++				type_bitmask_set(types_with_empty_intersection,
++						 t->type);
+ 				found = t2;
+ 				break;
+ 			}
+@@ -795,8 +809,8 @@ static int name_constraints_node_list_in
+ 						GNUTLS_E_INTERNAL_ERROR);
+ 				}
+ 				// we will not add universal excluded constraint for this type
+-				types_with_empty_intersection[tmp->type - 1] =
+-					0;
++				type_bitmask_clr(types_with_empty_intersection,
++						 tmp->type);
+ 				// add intersection node to PERMITTED
+ 				ret = name_constraints_node_list_add(permitted,
+ 								     tmp);
+@@ -824,7 +838,7 @@ static int name_constraints_node_list_in
+ 	 * excluded constraint with universal wildcard
+ 	 * (since the intersection of permitted is now empty). */
+ 	for (type = 1; type <= GNUTLS_SAN_MAX; type++) {
+-		if (types_with_empty_intersection[type - 1] == 0)
++		if (!type_bitmask_in(types_with_empty_intersection, type))
+ 			continue;
+ 		_gnutls_hard_log(
+ 			"Adding universal excluded name constraint for type %d.\n",
+@@ -868,6 +882,11 @@ cleanup:
+ 	return ret;
+ }
+ 
++#undef type_bitmask_t
++#undef type_bitmask_set
++#undef type_bitmask_clr
++#undef type_bitmask_in
++
+ static int
+ name_constraints_node_list_union(gnutls_x509_name_constraints_t nc,
+ 				 struct name_constraints_node_list_st *nodes,
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch
new file mode 100644
index 00000000000..27ed995d8df
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch
@@ -0,0 +1,437 @@
+Backport of:
+
+From d6054f0016db05fb5c82177ddbd0a4e8331059a1 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Wed, 4 Feb 2026 20:03:49 +0100
+Subject: [PATCH] x509/name_constraints: name_constraints_node_list_intersect
+ over sorted
+
+Fixes: #1773
+Fixes: GNUTLS-SA-2026-02-09-2
+Fixes: CVE-2025-14831
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/d6054f0016db05fb5c82177ddbd0a4e8331059a1]
+CVE: CVE-2025-14831
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ NEWS                        |   7 +
+ lib/x509/name_constraints.c | 350 ++++++++++++++----------------------
+ 2 files changed, 142 insertions(+), 215 deletions(-)
+
+#diff --git a/NEWS b/NEWS
+#index e506db547a..96b7484fdf 100644
+#--- a/NEWS
+#+++ b/NEWS
+#@@ -14,6 +14,13 @@ See the end for copying conditions.
+#    Reported by Jaehun Lee.
+#    [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]
+# 
+#+** libgnutls: Fix name constraint processing performance issue
+#+   Verifying certificates with pathological amounts of name constraints
+#+   could lead to a denial of service attack via resource exhaustion.
+#+   Reworked processing algorithms exhibit better performance characteristics.
+#+   Reported by Tim Scheckenbach.
+#+   [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]
+#+
+# ** libgnutls: Fix multiple unexploitable overflows
+#    Reported by Tim Rühsen (#1783, #1786).
+# 
+--- a/lib/x509/name_constraints.c
++++ b/lib/x509/name_constraints.c
+@@ -446,13 +446,6 @@ name_constraints_node_add_copy(gnutls_x5
+ 					     src->name.data, src->name.size);
+ }
+ 
+-// for documentation see the implementation
+-static int name_constraints_intersect_nodes(
+-	gnutls_x509_name_constraints_t nc,
+-	const struct name_constraints_node_st *node1,
+-	const struct name_constraints_node_st *node2,
+-	struct name_constraints_node_st **intersection);
+-
+ /*-
+  * _gnutls_x509_name_constraints_is_empty:
+  * @nc: name constraints structure
+@@ -716,129 +709,143 @@ typedef char assert_ipaddr[(GNUTLS_SAN_I
+ static int name_constraints_node_list_intersect(
+ 	gnutls_x509_name_constraints_t nc,
+ 	struct name_constraints_node_list_st *permitted,
+-	const struct name_constraints_node_list_st *permitted2,
++	struct name_constraints_node_list_st *permitted2,
+ 	struct name_constraints_node_list_st *excluded)
+ {
+-	struct name_constraints_node_st *tmp;
+-	int ret, type, used;
+-	struct name_constraints_node_list_st removed = { .data = NULL,
+-							 .size = 0,
+-							 .capacity = 0 };
++	struct name_constraints_node_st *nc1, *nc2;
++	struct name_constraints_node_list_st result = { 0 };
++	struct name_constraints_node_list_st unsupp2 = { 0 };
++	enum name_constraint_relation rel;
++	unsigned type;
++	int ret = GNUTLS_E_SUCCESS;
++	size_t i, j, p1_unsupp = 0, p2_unsupp = 0;
++	type_bitmask_t universal_exclude_needed = 0;
++	type_bitmask_t types_in_p1 = 0, types_in_p2 = 0;
+ 	static const unsigned char universal_ip[32] = { 0 };
+ 
+-	/* bitmask to see if we need to add universal excluded constraints
+-	 * (see phase 3 for details) */
+-	type_bitmask_t types_with_empty_intersection = 0;
+-
+ 	if (permitted->size == 0 || permitted2->size == 0)
+-		return 0;
++		return GNUTLS_E_SUCCESS;
+ 
+-	/* Phase 1
+-	 * For each name in PERMITTED, if a PERMITTED2 does not contain a name
+-	 * with the same type, move the original name to REMOVED.
+-	 * Do this also for node of unknown type (not DNS, email, IP) */
+-	for (size_t i = 0; i < permitted->size;) {
+-		struct name_constraints_node_st *t = permitted->data[i];
+-		const struct name_constraints_node_st *found = NULL;
+-
+-		for (size_t j = 0; j < permitted2->size; j++) {
+-			const struct name_constraints_node_st *t2 =
+-				permitted2->data[j];
+-			if (t->type == t2->type) {
+-				// check bounds (we will use 't->type' as index)
+-				if (t->type > GNUTLS_SAN_MAX || t->type == 0) {
+-					gnutls_assert();
+-					ret = GNUTLS_E_INTERNAL_ERROR;
+-					goto cleanup;
+-				}
+-				// note the possibility of empty intersection for this type
+-				// if we add something to the intersection in phase 2,
+-				// we will reset this flag back to 0 then
+-				type_bitmask_set(types_with_empty_intersection,
+-						 t->type);
+-				found = t2;
+-				break;
+-			}
++	/* make sorted views of the arrays */
++	ret = ensure_sorted(permitted);
++	if (ret < 0) {
++		gnutls_assert();
++		goto cleanup;
++	}
++	ret = ensure_sorted(permitted2);
++	if (ret < 0) {
++		gnutls_assert();
++		goto cleanup;
++	}
++
++	/* deal with the leading unsupported types first: count, then union */
++	while (p1_unsupp < permitted->size &&
++	       !is_supported_type(permitted->sorted_view[p1_unsupp]->type))
++		p1_unsupp++;
++	while (p2_unsupp < permitted2->size &&
++	       !is_supported_type(permitted2->sorted_view[p2_unsupp]->type))
++		p2_unsupp++;
++	if (p1_unsupp) { /* copy p1 unsupported type pointers into result */
++		result.data = gnutls_calloc(
++			p1_unsupp, sizeof(struct name_constraints_node_st *));
++		if (!result.data) {
++			ret = GNUTLS_E_MEMORY_ERROR;
++			gnutls_assert();
++			goto cleanup;
++		}
++		memcpy(result.data, permitted->sorted_view,
++		       p1_unsupp * sizeof(struct name_constraints_node_st *));
++		result.size = result.capacity = p1_unsupp;
++		result.dirty = true;
++	}
++	if (p2_unsupp) { /* union will make deep copies from p2 */
++		unsupp2.data = permitted2->sorted_view; /* so, just alias */
++		unsupp2.size = unsupp2.capacity = p2_unsupp;
++		unsupp2.dirty = false; /* we know it's sorted */
++		unsupp2.sorted_view = permitted2->sorted_view;
++		ret = name_constraints_node_list_union(nc, &result, &unsupp2);
++		if (ret < 0) {
++			gnutls_assert();
++			goto cleanup;
+ 		}
++	}
+ 
+-		if (found != NULL && is_supported_type(t->type)) {
+-			/* move node from PERMITTED to REMOVED */
+-			ret = name_constraints_node_list_add(&removed, t);
+-			if (ret < 0) {
+-				gnutls_assert();
+-				goto cleanup;
+-			}
+-			/* remove node by swapping */
+-			if (i < permitted->size - 1)
+-				permitted->data[i] =
+-					permitted->data[permitted->size - 1];
+-			permitted->size--;
+-			permitted->dirty = true;
+-			continue;
++	/* with that out of the way, pre-compute the supported types we have */
++	for (i = p1_unsupp; i < permitted->size; i++) {
++		type = permitted->sorted_view[i]->type;
++		if (type < 1 || type > GNUTLS_SAN_MAX) {
++			ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++			goto cleanup;
+ 		}
+-		i++;
++		type_bitmask_set(types_in_p1, type);
+ 	}
++	for (j = p2_unsupp; j < permitted2->size; j++) {
++		type = permitted2->sorted_view[j]->type;
++		if (type < 1 || type > GNUTLS_SAN_MAX) {
++			ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++			goto cleanup;
++		}
++		type_bitmask_set(types_in_p2, type);
++	}
++	/* universal excludes might be needed for types intersecting to empty */
++	universal_exclude_needed = types_in_p1 & types_in_p2;
+ 
+-	/* Phase 2
+-	 * iterate through all combinations from PERMITTED2 and PERMITTED
+-	 * and create intersections of nodes with same type */
+-	for (size_t i = 0; i < permitted2->size; i++) {
+-		const struct name_constraints_node_st *t2 = permitted2->data[i];
+-
+-		// current PERMITTED2 node has not yet been used for any intersection
+-		// (and is not in REMOVED either)
+-		used = 0;
+-		for (size_t j = 0; j < removed.size; j++) {
+-			const struct name_constraints_node_st *t =
+-				removed.data[j];
+-			// save intersection of name constraints into tmp
+-			ret = name_constraints_intersect_nodes(nc, t, t2, &tmp);
+-			if (ret < 0) {
+-				gnutls_assert();
+-				goto cleanup;
+-			}
+-			used = 1;
+-			// if intersection is not empty
+-			if (tmp !=
+-			    NULL) { // intersection for this type is not empty
+-				// check bounds
+-				if (tmp->type > GNUTLS_SAN_MAX ||
+-				    tmp->type == 0) {
+-					gnutls_free(tmp);
+-					return gnutls_assert_val(
+-						GNUTLS_E_INTERNAL_ERROR);
+-				}
+-				// we will not add universal excluded constraint for this type
+-				type_bitmask_clr(types_with_empty_intersection,
+-						 tmp->type);
+-				// add intersection node to PERMITTED
+-				ret = name_constraints_node_list_add(permitted,
+-								     tmp);
+-				if (ret < 0) {
+-					gnutls_assert();
+-					goto cleanup;
+-				}
+-			}
++	/* go through supported type NCs and intersect in a single pass */
++	i = p1_unsupp;
++	j = p2_unsupp;
++	while (i < permitted->size || j < permitted2->size) {
++		nc1 = (i < permitted->size) ? permitted->sorted_view[i] : NULL;
++		nc2 = (j < permitted2->size) ? permitted2->sorted_view[j] :
++					       NULL;
++		rel = compare_name_constraint_nodes(nc1, nc2);
++
++		switch (rel) {
++		case NC_SORTS_BEFORE:
++			assert(nc1 != NULL); /* comparator-guaranteed */
++			/* if nothing to intersect with, shallow-copy nc1 */
++			if (!type_bitmask_in(types_in_p2, nc1->type))
++				ret = name_constraints_node_list_add(&result,
++								     nc1);
++			i++; /* otherwise skip nc1 */
++			break;
++		case NC_SORTS_AFTER:
++			assert(nc2 != NULL); /* comparator-guaranteed */
++			/* if nothing to intersect with, deep-copy nc2 */
++			if (!type_bitmask_in(types_in_p1, nc2->type))
++				ret = name_constraints_node_add_copy(
++					nc, &result, nc2);
++			j++; /* otherwise skip nc2 */
++			break;
++		case NC_INCLUDED_BY: /* add nc1, shallow-copy */
++			assert(nc1 != NULL && nc2 != NULL); /* comparator */
++			type_bitmask_clr(universal_exclude_needed, nc1->type);
++			ret = name_constraints_node_list_add(&result, nc1);
++			i++;
++			break;
++		case NC_INCLUDES: /* pick nc2, deep-copy */
++			assert(nc1 != NULL && nc2 != NULL); /* comparator */
++			type_bitmask_clr(universal_exclude_needed, nc2->type);
++			ret = name_constraints_node_add_copy(nc, &result, nc2);
++			j++;
++			break;
++		case NC_EQUAL: /* pick whichever: nc1, shallow-copy */
++			assert(nc1 != NULL && nc2 != NULL); /* loop condition */
++			type_bitmask_clr(universal_exclude_needed, nc1->type);
++			ret = name_constraints_node_list_add(&result, nc1);
++			i++;
++			j++;
++			break;
+ 		}
+-		// if the node from PERMITTED2 was not used for intersection, copy it to DEST
+-		// Beware: also copies nodes other than DNS, email, IP,
+-		//       since their counterpart may have been moved in phase 1.
+-		if (!used) {
+-			ret = name_constraints_node_add_copy(nc, permitted, t2);
+-			if (ret < 0) {
+-				gnutls_assert();
+-				goto cleanup;
+-			}
++		if (ret < 0) {
++			gnutls_assert();
++			goto cleanup;
+ 		}
+ 	}
+ 
+-	/* Phase 3
+-	 * For each type: If we have empty permitted name constraints now
+-	 * and we didn't have at the beginning, we have to add a new
+-	 * excluded constraint with universal wildcard
+-	 * (since the intersection of permitted is now empty). */
++	/* finishing touch: add universal excluded constraints for types where
++	 * both lists had constraints, but all intersections ended up empty */
+ 	for (type = 1; type <= GNUTLS_SAN_MAX; type++) {
+-		if (!type_bitmask_in(types_with_empty_intersection, type))
++		if (!type_bitmask_in(universal_exclude_needed, type))
+ 			continue;
+ 		_gnutls_hard_log(
+ 			"Adding universal excluded name constraint for type %d.\n",
+@@ -871,14 +878,24 @@ static int name_constraints_node_list_in
+ 				goto cleanup;
+ 			}
+ 			break;
+-		default: // do nothing, at least one node was already moved in phase 1
+-			break;
++		default: /* unsupported type; should be unreacheable */
++			ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
++			goto cleanup;
+ 		}
+ 	}
+-	ret = GNUTLS_E_SUCCESS;
+ 
++	gnutls_free(permitted->data);
++	gnutls_free(permitted->sorted_view);
++	permitted->data = result.data;
++	permitted->sorted_view = NULL;
++	permitted->size = result.size;
++	permitted->capacity = result.capacity;
++	permitted->dirty = true;
++
++	result.data = NULL;
++	ret = GNUTLS_E_SUCCESS;
+ cleanup:
+-	gnutls_free(removed.data);
++	name_constraints_node_list_clear(&result);
+ 	return ret;
+ }
+ 
+@@ -1254,100 +1271,6 @@ static unsigned email_matches(const gnut
+ 	return rel == NC_EQUAL || rel == NC_INCLUDED_BY;
+ }
+ 
+-/*-
+- * name_constraints_intersect_nodes:
+- * @nc1: name constraints node 1
+- * @nc2: name constraints node 2
+- * @_intersection: newly allocated node with intersected constraints,
+- *		 NULL if the intersection is empty
+- *
+- * Inspect 2 name constraints nodes (of possibly different types) and allocate
+- * a new node with intersection of given constraints.
+- *
+- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
+- -*/
+-static int name_constraints_intersect_nodes(
+-	gnutls_x509_name_constraints_t nc,
+-	const struct name_constraints_node_st *node1,
+-	const struct name_constraints_node_st *node2,
+-	struct name_constraints_node_st **_intersection)
+-{
+-	// presume empty intersection
+-	struct name_constraints_node_st *intersection = NULL;
+-	const struct name_constraints_node_st *to_copy = NULL;
+-	enum name_constraint_relation rel;
+-
+-	*_intersection = NULL;
+-
+-	if (node1->type != node2->type) {
+-		return GNUTLS_E_SUCCESS;
+-	}
+-	switch (node1->type) {
+-	case GNUTLS_SAN_DNSNAME:
+-		rel = compare_dns_names(&node1->name, &node2->name);
+-		switch (rel) {
+-		case NC_EQUAL: // equal means doesn't matter which one
+-		case NC_INCLUDES: // node2 is more specific
+-			to_copy = node2;
+-			break;
+-		case NC_INCLUDED_BY: // node1 is more specific
+-			to_copy = node1;
+-			break;
+-		case NC_SORTS_BEFORE: // no intersection
+-		case NC_SORTS_AFTER: // no intersection
+-			return GNUTLS_E_SUCCESS;
+-		}
+-		break;
+-	case GNUTLS_SAN_RFC822NAME:
+-		rel = compare_emails(&node1->name, &node2->name);
+-		switch (rel) {
+-		case NC_EQUAL: // equal means doesn't matter which one
+-		case NC_INCLUDES: // node2 is more specific
+-			to_copy = node2;
+-			break;
+-		case NC_INCLUDED_BY: // node1 is more specific
+-			to_copy = node1;
+-			break;
+-		case NC_SORTS_BEFORE: // no intersection
+-		case NC_SORTS_AFTER: // no intersection
+-			return GNUTLS_E_SUCCESS;
+-		}
+-		break;
+-	case GNUTLS_SAN_IPADDRESS:
+-		rel = compare_ip_ncs(&node1->name, &node2->name);
+-		switch (rel) {
+-		case NC_EQUAL: // equal means doesn't matter which one
+-		case NC_INCLUDES: // node2 is more specific
+-			to_copy = node2;
+-			break;
+-		case NC_INCLUDED_BY: // node1 is more specific
+-			to_copy = node1;
+-			break;
+-		case NC_SORTS_BEFORE: // no intersection
+-		case NC_SORTS_AFTER: // no intersection
+-			return GNUTLS_E_SUCCESS;
+-		}
+-		break;
+-	default:
+-		// for other types, we don't know how to do the intersection, assume empty
+-		return GNUTLS_E_SUCCESS;
+-	}
+-
+-	// copy existing node if applicable
+-	if (to_copy != NULL) {
+-		*_intersection = name_constraints_node_new(nc, to_copy->type,
+-							   to_copy->name.data,
+-							   to_copy->name.size);
+-		if (*_intersection == NULL)
+-			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+-		intersection = *_intersection;
+-
+-		assert(intersection->name.data != NULL);
+-	}
+-
+-	return GNUTLS_E_SUCCESS;
+-}
+-
+ /*
+  * Returns: true if the certification is acceptable, and false otherwise.
+  */
diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
index 026ae650f65..ccb6a2b4b2d 100644
--- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
@@ -34,6 +34,15 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
            file://CVE-2025-32990.patch \
            file://CVE-2025-6395.patch \
            file://CVE-2025-9820.patch \
+           file://CVE-2025-14831-1.patch \
+           file://CVE-2025-14831-2.patch \
+           file://CVE-2025-14831-3.patch \
+           file://CVE-2025-14831-4.patch \
+           file://CVE-2025-14831-5.patch \
+           file://CVE-2025-14831-6.patch \
+           file://CVE-2025-14831-7.patch \
+           file://CVE-2025-14831-8.patch \
+           file://CVE-2025-14831-9.patch \
            "
 
 SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"

Re: [OE-core][scarthgap 12/16] gnutls: Fix CVE-2025-14831

[Yoann Congal]

On Mon Mar 30, 2026 at 12:37 AM CEST, Yoann Congal wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Picked commits which mentions this CVE per [1].
>
> [1] https://ubuntu.com/security/CVE-2025-14831
> [2] https://security-tracker.debian.org/tracker/CVE-2025-14831
> [3] https://gitlab.com/gnutls/gnutls/-/issues/1773
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---

I did not wanted to send that patch, please ignore.

>  .../gnutls/gnutls/CVE-2025-14831-1.patch      |  61 +++
>  .../gnutls/gnutls/CVE-2025-14831-2.patch      |  30 ++
>  .../gnutls/gnutls/CVE-2025-14831-3.patch      |  45 ++
>  .../gnutls/gnutls/CVE-2025-14831-4.patch      | 200 +++++++
>  .../gnutls/gnutls/CVE-2025-14831-5.patch      | 500 ++++++++++++++++++
>  .../gnutls/gnutls/CVE-2025-14831-6.patch      | 119 +++++
>  .../gnutls/gnutls/CVE-2025-14831-7.patch      | 150 ++++++
>  .../gnutls/gnutls/CVE-2025-14831-8.patch      | 105 ++++
>  .../gnutls/gnutls/CVE-2025-14831-9.patch      | 437 +++++++++++++++
>  meta/recipes-support/gnutls/gnutls_3.8.4.bb   |   9 +
>  10 files changed, 1656 insertions(+)
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch
>
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch
> new file mode 100644
> index 00000000000..ae52a43a2c0
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch
> @@ -0,0 +1,61 @@
> +From 0b2377dfccd99be641bf3f1a0de9f0dc8dc0d4b1 Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Mon, 26 Jan 2026 19:02:27 +0100
> +Subject: [PATCH] x509/name_constraints: use actual zeroes in universal exclude
> + IP NC
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/0b2377dfccd99be641bf3f1a0de9f0dc8dc0d4b1]
> +CVE: CVE-2025-14831
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + lib/x509/name_constraints.c | 9 +++++----
> + 1 file changed, 5 insertions(+), 4 deletions(-)
> +
> +--- a/lib/x509/name_constraints.c
> ++++ b/lib/x509/name_constraints.c
> +@@ -61,7 +61,7 @@ struct gnutls_name_constraints_st {
> + 
> + static struct name_constraints_node_st *
> + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type,
> +-			  unsigned char *data, unsigned int size);
> ++			  const unsigned char *data, unsigned int size);
> + 
> + static int
> + name_constraints_node_list_add(struct name_constraints_node_list_st *list,
> +@@ -285,7 +285,7 @@ static void name_constraints_node_free(s
> +  -*/
> + static struct name_constraints_node_st *
> + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type,
> +-			  unsigned char *data, unsigned int size)
> ++			  const unsigned char *data, unsigned int size)
> + {
> + 	struct name_constraints_node_st *tmp;
> + 	int ret;
> +@@ -339,6 +339,7 @@ static int name_constraints_node_list_in
> + 	struct name_constraints_node_list_st removed = { .data = NULL,
> + 							 .size = 0,
> + 							 .capacity = 0 };
> ++	static const unsigned char universal_ip[32] = { 0 };
> + 
> + 	/* temporary array to see, if we need to add universal excluded constraints
> + 	 * (see phase 3 for details)
> +@@ -471,7 +472,7 @@ static int name_constraints_node_list_in
> + 		case GNUTLS_SAN_IPADDRESS:
> + 			// add universal restricted range for IPv4
> + 			tmp = name_constraints_node_new(
> +-				nc, GNUTLS_SAN_IPADDRESS, NULL, 8);
> ++				nc, GNUTLS_SAN_IPADDRESS, universal_ip, 8);
> + 			if (tmp == NULL) {
> + 				gnutls_assert();
> + 				ret = GNUTLS_E_MEMORY_ERROR;
> +@@ -484,7 +485,7 @@ static int name_constraints_node_list_in
> + 			}
> + 			// add universal restricted range for IPv6
> + 			tmp = name_constraints_node_new(
> +-				nc, GNUTLS_SAN_IPADDRESS, NULL, 32);
> ++				nc, GNUTLS_SAN_IPADDRESS, universal_ip, 32);
> + 			if (tmp == NULL) {
> + 				gnutls_assert();
> + 				ret = GNUTLS_E_MEMORY_ERROR;
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch
> new file mode 100644
> index 00000000000..0d340325541
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch
> @@ -0,0 +1,30 @@
> +From 85d6348a30c74d4ee3710e0f4652f634eaad6914 Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Mon, 26 Jan 2026 19:10:58 +0100
> +Subject: [PATCH] tests/name-constraints-ip: stop swallowing errors...
> +
> +... now when it started to pass
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/85d6348a30c74d4ee3710e0f4652f634eaad6914]
> +CVE: CVE-2025-14831
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + tests/name-constraints-ip.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/tests/name-constraints-ip.c b/tests/name-constraints-ip.c
> +index 7a196088dc..a0cf172b7f 100644
> +--- a/tests/name-constraints-ip.c
> ++++ b/tests/name-constraints-ip.c
> +@@ -772,5 +772,5 @@ int main(int argc, char **argv)
> + 		cmocka_unit_test_setup_teardown(
> + 			check_ipv4v6_single_constraint_each, setup, teardown)
> + 	};
> +-	cmocka_run_group_tests(tests, NULL, NULL);
> ++	return cmocka_run_group_tests(tests, NULL, NULL);
> + }
> +-- 
> +GitLab
> +
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch
> new file mode 100644
> index 00000000000..ed4a7da3c7a
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch
> @@ -0,0 +1,45 @@
> +From c28475413f82e1f34295d5c039f0c0a4ca2ee526 Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Mon, 26 Jan 2026 20:14:33 +0100
> +Subject: [PATCH] x509/name_constraints: reject some malformed domain names
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/c28475413f82e1f34295d5c039f0c0a4ca2ee526]
> +CVE: CVE-2025-14831
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + lib/x509/name_constraints.c | 17 +++++++++++++++++
> + 1 file changed, 17 insertions(+)
> +
> +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c
> +index d07482e3c9..9783d92851 100644
> +--- a/lib/x509/name_constraints.c
> ++++ b/lib/x509/name_constraints.c
> +@@ -159,6 +159,23 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type,
> + 			return gnutls_assert_val(GNUTLS_E_MALFORMED_CIDR);
> + 	}
> + 
> ++	/* Validate DNS names and email addresses for malformed input */
> ++	if (type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME) {
> ++		unsigned int i;
> ++		if (name->size == 0)
> ++			return GNUTLS_E_SUCCESS;
> ++
> ++		/* reject names with consecutive dots... */
> ++		for (i = 0; i + 1 < name->size; i++) {
> ++			if (name->data[i] == '.' && name->data[i + 1] == '.')
> ++				return gnutls_assert_val(
> ++					GNUTLS_E_ILLEGAL_PARAMETER);
> ++		}
> ++		/* ... or names consisting exclusively of dots */
> ++		if (name->size == 1 && name->data[0] == '.')
> ++			return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER);
> ++	}
> ++
> + 	return GNUTLS_E_SUCCESS;
> + }
> + 
> +-- 
> +GitLab
> +
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch
> new file mode 100644
> index 00000000000..99ec9c5e9a3
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch
> @@ -0,0 +1,200 @@
> +From 6db7da7fcfe230f445b1edbb56e2a8346120c891 Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Thu, 5 Feb 2026 13:22:10 +0100
> +Subject: [PATCH] x509/name_constraints: name_constraints_node_add_{new,copy}
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/6db7da7fcfe230f445b1edbb56e2a8346120c891]
> +CVE: CVE-2025-14831
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + lib/x509/name_constraints.c | 112 ++++++++++++++++--------------------
> + 1 file changed, 51 insertions(+), 61 deletions(-)
> +
> +--- a/lib/x509/name_constraints.c
> ++++ b/lib/x509/name_constraints.c
> +@@ -86,6 +86,38 @@ name_constraints_node_list_add(struct na
> + 	return 0;
> + }
> + 
> ++static int
> ++name_constraints_node_add_new(gnutls_x509_name_constraints_t nc,
> ++			      struct name_constraints_node_list_st *list,
> ++			      unsigned type, const unsigned char *data,
> ++			      unsigned int size)
> ++{
> ++	struct name_constraints_node_st *node;
> ++	int ret;
> ++	node = name_constraints_node_new(nc, type, data, size);
> ++	if (node == NULL) {
> ++		gnutls_assert();
> ++		return GNUTLS_E_MEMORY_ERROR;
> ++	}
> ++	ret = name_constraints_node_list_add(list, node);
> ++	if (ret < 0) {
> ++		gnutls_assert();
> ++		return ret;
> ++	}
> ++	return GNUTLS_E_SUCCESS;
> ++}
> ++
> ++static int
> ++name_constraints_node_add_copy(gnutls_x509_name_constraints_t nc,
> ++			       struct name_constraints_node_list_st *dest,
> ++			       const struct name_constraints_node_st *src)
> ++{
> ++	if (!src)
> ++		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
> ++	return name_constraints_node_add_new(nc, dest, src->type,
> ++					     src->name.data, src->name.size);
> ++}
> ++
> + // for documentation see the implementation
> + static int name_constraints_intersect_nodes(
> + 	gnutls_x509_name_constraints_t nc,
> +@@ -188,7 +220,6 @@ static int extract_name_constraints(gnut
> + 	unsigned indx;
> + 	gnutls_datum_t tmp = { NULL, 0 };
> + 	unsigned int type;
> +-	struct name_constraints_node_st *node;
> + 
> + 	for (indx = 1;; indx++) {
> + 		snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, indx);
> +@@ -231,15 +262,9 @@ static int extract_name_constraints(gnut
> + 			goto cleanup;
> + 		}
> + 
> +-		node = name_constraints_node_new(nc, type, tmp.data, tmp.size);
> ++		ret = name_constraints_node_add_new(nc, nodes, type, tmp.data,
> ++						    tmp.size);
> + 		_gnutls_free_datum(&tmp);
> +-		if (node == NULL) {
> +-			gnutls_assert();
> +-			ret = GNUTLS_E_MEMORY_ERROR;
> +-			goto cleanup;
> +-		}
> +-
> +-		ret = name_constraints_node_list_add(nodes, node);
> + 		if (ret < 0) {
> + 			gnutls_assert();
> + 			goto cleanup;
> +@@ -459,14 +484,7 @@ static int name_constraints_node_list_in
> + 		// Beware: also copies nodes other than DNS, email, IP,
> + 		//       since their counterpart may have been moved in phase 1.
> + 		if (!used) {
> +-			tmp = name_constraints_node_new(
> +-				nc, t2->type, t2->name.data, t2->name.size);
> +-			if (tmp == NULL) {
> +-				gnutls_assert();
> +-				ret = GNUTLS_E_MEMORY_ERROR;
> +-				goto cleanup;
> +-			}
> +-			ret = name_constraints_node_list_add(permitted, tmp);
> ++			ret = name_constraints_node_add_copy(nc, permitted, t2);
> + 			if (ret < 0) {
> + 				gnutls_assert();
> + 				goto cleanup;
> +@@ -488,27 +506,17 @@ static int name_constraints_node_list_in
> + 		switch (type) {
> + 		case GNUTLS_SAN_IPADDRESS:
> + 			// add universal restricted range for IPv4
> +-			tmp = name_constraints_node_new(
> +-				nc, GNUTLS_SAN_IPADDRESS, universal_ip, 8);
> +-			if (tmp == NULL) {
> +-				gnutls_assert();
> +-				ret = GNUTLS_E_MEMORY_ERROR;
> +-				goto cleanup;
> +-			}
> +-			ret = name_constraints_node_list_add(excluded, tmp);
> ++			ret = name_constraints_node_add_new(
> ++				nc, excluded, GNUTLS_SAN_IPADDRESS,
> ++				universal_ip, 8);
> + 			if (ret < 0) {
> + 				gnutls_assert();
> + 				goto cleanup;
> + 			}
> + 			// add universal restricted range for IPv6
> +-			tmp = name_constraints_node_new(
> +-				nc, GNUTLS_SAN_IPADDRESS, universal_ip, 32);
> +-			if (tmp == NULL) {
> +-				gnutls_assert();
> +-				ret = GNUTLS_E_MEMORY_ERROR;
> +-				goto cleanup;
> +-			}
> +-			ret = name_constraints_node_list_add(excluded, tmp);
> ++			ret = name_constraints_node_add_new(
> ++				nc, excluded, GNUTLS_SAN_IPADDRESS,
> ++				universal_ip, 32);
> + 			if (ret < 0) {
> + 				gnutls_assert();
> + 				goto cleanup;
> +@@ -516,13 +524,8 @@ static int name_constraints_node_list_in
> + 			break;
> + 		case GNUTLS_SAN_DNSNAME:
> + 		case GNUTLS_SAN_RFC822NAME:
> +-			tmp = name_constraints_node_new(nc, type, NULL, 0);
> +-			if (tmp == NULL) {
> +-				gnutls_assert();
> +-				ret = GNUTLS_E_MEMORY_ERROR;
> +-				goto cleanup;
> +-			}
> +-			ret = name_constraints_node_list_add(excluded, tmp);
> ++			ret = name_constraints_node_add_new(nc, excluded, type,
> ++							    NULL, 0);
> + 			if (ret < 0) {
> + 				gnutls_assert();
> + 				goto cleanup;
> +@@ -544,20 +547,13 @@ static int name_constraints_node_list_co
> + 	struct name_constraints_node_list_st *nodes,
> + 	const struct name_constraints_node_list_st *nodes2)
> + {
> ++	int ret;
> ++
> + 	for (size_t i = 0; i < nodes2->size; i++) {
> +-		const struct name_constraints_node_st *node = nodes2->data[i];
> +-		struct name_constraints_node_st *tmp;
> +-		int ret;
> +-
> +-		tmp = name_constraints_node_new(nc, node->type, node->name.data,
> +-						node->name.size);
> +-		if (tmp == NULL) {
> +-			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
> +-		}
> +-		ret = name_constraints_node_list_add(nodes, tmp);
> ++		ret = name_constraints_node_add_copy(nc, nodes,
> ++						     nodes2->data[i]);
> + 		if (ret < 0) {
> +-			name_constraints_node_free(tmp);
> +-			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
> ++			return gnutls_assert_val(ret);
> + 		}
> + 	}
> + 
> +@@ -687,7 +683,6 @@ static int name_constraints_add(gnutls_x
> + 				gnutls_x509_subject_alt_name_t type,
> + 				const gnutls_datum_t *name, unsigned permitted)
> + {
> +-	struct name_constraints_node_st *tmp;
> + 	struct name_constraints_node_list_st *nodes;
> + 	int ret;
> + 
> +@@ -697,15 +692,10 @@ static int name_constraints_add(gnutls_x
> + 
> + 	nodes = permitted ? &nc->permitted : &nc->excluded;
> + 
> +-	tmp = name_constraints_node_new(nc, type, name->data, name->size);
> +-	if (tmp == NULL)
> +-		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
> +-
> +-	ret = name_constraints_node_list_add(nodes, tmp);
> +-	if (ret < 0) {
> +-		name_constraints_node_free(tmp);
> ++	ret = name_constraints_node_add_new(nc, nodes, type, name->data,
> ++					    name->size);
> ++	if (ret < 0)
> + 		return gnutls_assert_val(ret);
> +-	}
> + 
> + 	return 0;
> + }
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch
> new file mode 100644
> index 00000000000..7c5ffdf6d8b
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch
> @@ -0,0 +1,500 @@
> +From 094accd3ebec17ead6c391757eaa18763b72d83f Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Mon, 26 Jan 2026 20:16:36 +0100
> +Subject: [PATCH] x509/name_constraints: introduce a rich comparator
> +
> +These are preparatory changes before implementing N * log N intersection
> +over sorted lists of constraints.
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/094accd3ebec17ead6c391757eaa18763b72d83f]
> +CVE: CVE-2025-14831
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + lib/x509/name_constraints.c | 411 ++++++++++++++++++++++++++++--------
> + 1 file changed, 320 insertions(+), 91 deletions(-)
> +
> +--- a/lib/x509/name_constraints.c
> ++++ b/lib/x509/name_constraints.c
> +@@ -39,6 +39,9 @@
> + #include "ip.h"
> + #include "ip-in-cidr.h"
> + #include "intprops.h"
> ++#include "minmax.h"
> ++
> ++#include <string.h>
> + 
> + #define MAX_NC_CHECKS (1 << 20)
> + 
> +@@ -63,6 +66,282 @@ static struct name_constraints_node_st *
> + name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type,
> + 			  const unsigned char *data, unsigned int size);
> + 
> ++/* An enum for "rich" comparisons that not only let us sort name constraints,
> ++ * children-before-parent, but also subsume them during intersection. */
> ++enum name_constraint_relation {
> ++	NC_SORTS_BEFORE = -2, /* unrelated constraints */
> ++	NC_INCLUDED_BY = -1, /* nc1 is included by nc2 / children sort first */
> ++	NC_EQUAL = 0, /* exact match */
> ++	NC_INCLUDES = 1, /* nc1 includes nc2 / parents sort last */
> ++	NC_SORTS_AFTER = 2 /* unrelated constraints */
> ++};
> ++
> ++/* A helper to compare just a pair of strings with this rich comparison */
> ++static enum name_constraint_relation
> ++compare_strings(const void *n1, size_t n1_len, const void *n2, size_t n2_len)
> ++{
> ++	int r = memcmp(n1, n2, MIN(n1_len, n2_len));
> ++	if (r < 0)
> ++		return NC_SORTS_BEFORE;
> ++	if (r > 0)
> ++		return NC_SORTS_AFTER;
> ++	if (n1_len < n2_len)
> ++		return NC_SORTS_BEFORE;
> ++	if (n1_len > n2_len)
> ++		return NC_SORTS_AFTER;
> ++	return NC_EQUAL;
> ++}
> ++
> ++/* Rich-compare DNS names. Example order/relationships:
> ++ * z.x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x.b BEFORE y.b */
> ++static enum name_constraint_relation compare_dns_names(const gnutls_datum_t *n1,
> ++						       const gnutls_datum_t *n2)
> ++{
> ++	enum name_constraint_relation rel;
> ++	unsigned int i, j, i_end, j_end;
> ++
> ++	/* start from the end of each name */
> ++	i = i_end = n1->size;
> ++	j = j_end = n2->size;
> ++
> ++	/* skip the trailing dots for the comparison */
> ++	while (i && n1->data[i - 1] == '.')
> ++		i_end = i = i - 1;
> ++	while (j && n2->data[j - 1] == '.')
> ++		j_end = j = j - 1;
> ++
> ++	while (1) {
> ++		// rewind back to beginning or an after-dot position
> ++		while (i && n1->data[i - 1] != '.')
> ++			i--;
> ++		while (j && n2->data[j - 1] != '.')
> ++			j--;
> ++
> ++		rel = compare_strings(&n1->data[i], i_end - i, &n2->data[j],
> ++				      j_end - j);
> ++		if (rel == NC_SORTS_BEFORE) /* x.a BEFORE y.a */
> ++			return NC_SORTS_BEFORE;
> ++		if (rel == NC_SORTS_AFTER) /* y.a AFTER x.a */
> ++			return NC_SORTS_AFTER;
> ++		if (!i && j) /* x.a INCLUDES z.x.a */
> ++			return NC_INCLUDES;
> ++		if (i && !j) /* z.x.a INCLUDED_BY x.a */
> ++			return NC_INCLUDED_BY;
> ++
> ++		if (!i && !j) /* r == 0, we ran out of components to compare */
> ++			return NC_EQUAL;
> ++		/* r == 0, i && j: step back past a dot and keep comparing */
> ++		i_end = i = i - 1;
> ++		j_end = j = j - 1;
> ++
> ++		/* support for non-standard ".gr INCLUDES example.gr" [1] */
> ++		if (!i && j) /* .a INCLUDES x.a */
> ++			return NC_INCLUDES;
> ++		if (i && !j) /* x.a INCLUDED_BY .a */
> ++			return NC_INCLUDED_BY;
> ++	}
> ++}
> ++/* [1] https://mailarchive.ietf.org/arch/msg/saag/Bw6PtreW0G7aEG7SikfzKHES4VA */
> ++
> ++/* Rich-compare email name constraints. Example order/relationships:
> ++ * z@x.a INCLUDED_BY x.a BEFORE y.a INCLUDED_BY a BEFORE x@b BEFORE y@b */
> ++static enum name_constraint_relation compare_emails(const gnutls_datum_t *n1,
> ++						    const gnutls_datum_t *n2)
> ++{
> ++	enum name_constraint_relation domains_rel;
> ++	unsigned int i, j, i_end, j_end;
> ++	gnutls_datum_t d1, d2; /* borrow from n1 and n2 */
> ++
> ++	/* start from the end of each name */
> ++	i = i_end = n1->size;
> ++	j = j_end = n2->size;
> ++
> ++	/* rewind to @s to look for domains */
> ++	while (i && n1->data[i - 1] != '@')
> ++		i--;
> ++	d1.size = i_end - i;
> ++	d1.data = &n1->data[i];
> ++	while (j && n2->data[j - 1] != '@')
> ++		j--;
> ++	d2.size = j_end - j;
> ++	d2.data = &n2->data[j];
> ++
> ++	domains_rel = compare_dns_names(&d1, &d2);
> ++
> ++	/* email constraint semantics differ from DNS
> ++	 * DNS: x.a INCLUDED_BY a
> ++	 * Email: x.a INCLUDED_BY .a BEFORE a */
> ++	if (domains_rel == NC_INCLUDED_BY || domains_rel == NC_INCLUDES) {
> ++		bool d1_has_dot = (d1.size > 0 && d1.data[0] == '.');
> ++		bool d2_has_dot = (d2.size > 0 && d2.data[0] == '.');
> ++		/* a constraint without a dot is exact, excluding subdomains */
> ++		if (!d2_has_dot && domains_rel == NC_INCLUDED_BY)
> ++			domains_rel = NC_SORTS_BEFORE; /* x.a BEFORE a */
> ++		if (!d1_has_dot && domains_rel == NC_INCLUDES)
> ++			domains_rel = NC_SORTS_AFTER; /* a AFTER x.a */
> ++	}
> ++
> ++	if (!i && !j) { /* both are domains-only */
> ++		return domains_rel;
> ++	} else if (i && !j) { /* n1 is email, n2 is domain */
> ++		switch (domains_rel) {
> ++		case NC_SORTS_AFTER:
> ++			return NC_SORTS_AFTER;
> ++		case NC_SORTS_BEFORE:
> ++			return NC_SORTS_BEFORE;
> ++		case NC_INCLUDES: /* n2 is more specific, a@x.a AFTER z.x.a */
> ++			return NC_SORTS_AFTER;
> ++		case NC_EQUAL: /* subdomains match, z@x.a INCLUDED_BY x.a */
> ++		case NC_INCLUDED_BY: /* n1 is more specific */
> ++			return NC_INCLUDED_BY;
> ++		}
> ++	} else if (!i && j) { /* n1 is domain, n2 is email */
> ++		switch (domains_rel) {
> ++		case NC_SORTS_AFTER:
> ++			return NC_SORTS_AFTER;
> ++		case NC_SORTS_BEFORE:
> ++			return NC_SORTS_BEFORE;
> ++		case NC_INCLUDES: /* n2 is more specific, a AFTER z@x.a */
> ++			return NC_SORTS_AFTER;
> ++		case NC_EQUAL: /* subdomains match, x.a INCLUDES z@x.a */
> ++			return NC_INCLUDES;
> ++		case NC_INCLUDED_BY: /* n1 is more specific, x.a BEFORE z@a */
> ++			return NC_SORTS_BEFORE;
> ++		}
> ++	} else if (i && j) { /* both are emails */
> ++		switch (domains_rel) {
> ++		case NC_SORTS_AFTER:
> ++			return NC_SORTS_AFTER;
> ++		case NC_SORTS_BEFORE:
> ++			return NC_SORTS_BEFORE;
> ++		case NC_INCLUDES: // n2 is more specific
> ++			return NC_SORTS_AFTER;
> ++		case NC_INCLUDED_BY: // n1 is more specific
> ++			return NC_SORTS_BEFORE;
> ++		case NC_EQUAL: // only case when we need to look before the @
> ++			break; // see below for readability
> ++		}
> ++	}
> ++
> ++	/* i && j, both are emails, domain names match, compare up to @ */
> ++	return compare_strings(n1->data, i - 1, n2->data, j - 1);
> ++}
> ++
> ++/* Rich-compare IP address constraints. Example order/relationships:
> ++ * 10.0.0.0/24 INCLUDED_BY 10.0.0.0/16 BEFORE 1::1/128 INCLUDED_BY 1::1/127 */
> ++static enum name_constraint_relation compare_ip_ncs(const gnutls_datum_t *n1,
> ++						    const gnutls_datum_t *n2)
> ++{
> ++	unsigned int len, i;
> ++	int r;
> ++	const unsigned char *ip1, *ip2, *mask1, *mask2;
> ++	unsigned char masked11[16], masked22[16], masked12[16], masked21[16];
> ++
> ++	if (n1->size < n2->size)
> ++		return NC_SORTS_BEFORE;
> ++	if (n1->size > n2->size)
> ++		return NC_SORTS_AFTER;
> ++	len = n1->size / 2; /* 4 for IPv4, 16 for IPv6 */
> ++
> ++	/* data is a concatenation of prefix and mask */
> ++	ip1 = n1->data;
> ++	ip2 = n2->data;
> ++	mask1 = n1->data + len;
> ++	mask2 = n2->data + len;
> ++	for (i = 0; i < len; i++) {
> ++		masked11[i] = ip1[i] & mask1[i];
> ++		masked22[i] = ip2[i] & mask2[i];
> ++		masked12[i] = ip1[i] & mask2[i];
> ++		masked21[i] = ip2[i] & mask1[i];
> ++	}
> ++
> ++	r = memcmp(mask1, mask2, len);
> ++	if (r < 0 && !memcmp(masked11, masked21, len)) /* prefix1 < prefix2 */
> ++		return NC_INCLUDES; /* ip1 & mask1 == ip2 & mask1 */
> ++	if (r > 0 && !memcmp(masked12, masked22, len)) /* prefix1 > prefix2 */
> ++		return NC_INCLUDED_BY; /* ip1 & mask2 == ip2 & mask2 */
> ++
> ++	r = memcmp(masked11, masked22, len);
> ++	if (r < 0)
> ++		return NC_SORTS_BEFORE;
> ++	else if (r > 0)
> ++		return NC_SORTS_AFTER;
> ++	return NC_EQUAL;
> ++}
> ++
> ++static inline bool is_supported_type(unsigned type)
> ++{
> ++	return type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
> ++	       type == GNUTLS_SAN_IPADDRESS;
> ++}
> ++
> ++/* Universal comparison for name constraint nodes.
> ++ * Unsupported types sort before supported types to allow early handling.
> ++ * NULL represents end-of-list and sorts after everything else. */
> ++static enum name_constraint_relation
> ++compare_name_constraint_nodes(const struct name_constraints_node_st *n1,
> ++			      const struct name_constraints_node_st *n2)
> ++{
> ++	bool n1_supported, n2_supported;
> ++
> ++	if (!n1 && !n2)
> ++		return NC_EQUAL;
> ++	if (!n1)
> ++		return NC_SORTS_AFTER;
> ++	if (!n2)
> ++		return NC_SORTS_BEFORE;
> ++
> ++	n1_supported = is_supported_type(n1->type);
> ++	n2_supported = is_supported_type(n2->type);
> ++
> ++	/* unsupported types bubble up (sort first). intersect relies on this */
> ++	if (!n1_supported && n2_supported)
> ++		return NC_SORTS_BEFORE;
> ++	if (n1_supported && !n2_supported)
> ++		return NC_SORTS_AFTER;
> ++
> ++	/* next, sort by type */
> ++	if (n1->type < n2->type)
> ++		return NC_SORTS_BEFORE;
> ++	if (n1->type > n2->type)
> ++		return NC_SORTS_AFTER;
> ++
> ++	/* now look deeper */
> ++	switch (n1->type) {
> ++	case GNUTLS_SAN_DNSNAME:
> ++		return compare_dns_names(&n1->name, &n2->name);
> ++	case GNUTLS_SAN_RFC822NAME:
> ++		return compare_emails(&n1->name, &n2->name);
> ++	case GNUTLS_SAN_IPADDRESS:
> ++		return compare_ip_ncs(&n1->name, &n2->name);
> ++	default:
> ++		/* unsupported types: stable lexicographic order */
> ++		return compare_strings(n1->name.data, n1->name.size,
> ++				       n2->name.data, n2->name.size);
> ++	}
> ++}
> ++
> ++/* qsort-compatible wrapper */
> ++static int compare_name_constraint_nodes_qsort(const void *a, const void *b)
> ++{
> ++	const struct name_constraints_node_st *const *n1 = a;
> ++	const struct name_constraints_node_st *const *n2 = b;
> ++	enum name_constraint_relation rel;
> ++
> ++	rel = compare_name_constraint_nodes(*n1, *n2);
> ++	switch (rel) {
> ++	case NC_SORTS_BEFORE:
> ++	case NC_INCLUDED_BY:
> ++		return -1;
> ++	case NC_SORTS_AFTER:
> ++	case NC_INCLUDES:
> ++		return 1;
> ++	case NC_EQUAL:
> ++	default:
> ++		return 0;
> ++	}
> ++}
> ++
> + static int
> + name_constraints_node_list_add(struct name_constraints_node_list_st *list,
> + 			       struct name_constraints_node_st *node)
> +@@ -420,9 +699,7 @@ static int name_constraints_node_list_in
> + 			}
> + 		}
> + 
> +-		if (found != NULL && (t->type == GNUTLS_SAN_DNSNAME ||
> +-				      t->type == GNUTLS_SAN_RFC822NAME ||
> +-				      t->type == GNUTLS_SAN_IPADDRESS)) {
> ++		if (found != NULL && is_supported_type(t->type)) {
> + 			/* move node from PERMITTED to REMOVED */
> + 			ret = name_constraints_node_list_add(&removed, t);
> + 			if (ret < 0) {
> +@@ -824,61 +1101,14 @@ cleanup:
> + 	return ret;
> + }
> + 
> +-static unsigned ends_with(const gnutls_datum_t *str,
> +-			  const gnutls_datum_t *suffix)
> +-{
> +-	unsigned char *tree;
> +-	unsigned int treelen;
> +-
> +-	if (suffix->size >= str->size)
> +-		return 0;
> +-
> +-	tree = suffix->data;
> +-	treelen = suffix->size;
> +-	if ((treelen > 0) && (tree[0] == '.')) {
> +-		tree++;
> +-		treelen--;
> +-	}
> +-
> +-	if (memcmp(str->data + str->size - treelen, tree, treelen) == 0 &&
> +-	    str->data[str->size - treelen - 1] == '.')
> +-		return 1; /* match */
> +-
> +-	return 0;
> +-}
> +-
> +-static unsigned email_ends_with(const gnutls_datum_t *str,
> +-				const gnutls_datum_t *suffix)
> +-{
> +-	if (suffix->size >= str->size) {
> +-		return 0;
> +-	}
> +-
> +-	if (suffix->size > 0 && memcmp(str->data + str->size - suffix->size,
> +-				       suffix->data, suffix->size) != 0) {
> +-		return 0;
> +-	}
> +-
> +-	if (suffix->size > 1 && suffix->data[0] == '.') { /* .domain.com */
> +-		return 1; /* match */
> +-	} else if (str->data[str->size - suffix->size - 1] == '@') {
> +-		return 1; /* match */
> +-	}
> +-
> +-	return 0;
> +-}
> +-
> + static unsigned dnsname_matches(const gnutls_datum_t *name,
> + 				const gnutls_datum_t *suffix)
> + {
> + 	_gnutls_hard_log("matching %.*s with DNS constraint %.*s\n", name->size,
> + 			 name->data, suffix->size, suffix->data);
> + 
> +-	if (suffix->size == name->size &&
> +-	    memcmp(suffix->data, name->data, suffix->size) == 0)
> +-		return 1; /* match */
> +-
> +-	return ends_with(name, suffix);
> ++	enum name_constraint_relation rel = compare_dns_names(name, suffix);
> ++	return rel == NC_EQUAL || rel == NC_INCLUDED_BY;
> + }
> + 
> + static unsigned email_matches(const gnutls_datum_t *name,
> +@@ -887,11 +1117,8 @@ static unsigned email_matches(const gnut
> + 	_gnutls_hard_log("matching %.*s with e-mail constraint %.*s\n",
> + 			 name->size, name->data, suffix->size, suffix->data);
> + 
> +-	if (suffix->size == name->size &&
> +-	    memcmp(suffix->data, name->data, suffix->size) == 0)
> +-		return 1; /* match */
> +-
> +-	return email_ends_with(name, suffix);
> ++	enum name_constraint_relation rel = compare_emails(name, suffix);
> ++	return rel == NC_EQUAL || rel == NC_INCLUDED_BY;
> + }
> + 
> + /*-
> +@@ -915,8 +1142,7 @@ static int name_constraints_intersect_no
> + 	// presume empty intersection
> + 	struct name_constraints_node_st *intersection = NULL;
> + 	const struct name_constraints_node_st *to_copy = NULL;
> +-	unsigned iplength = 0;
> +-	unsigned byte;
> ++	enum name_constraint_relation rel;
> + 
> + 	*_intersection = NULL;
> + 
> +@@ -925,32 +1151,49 @@ static int name_constraints_intersect_no
> + 	}
> + 	switch (node1->type) {
> + 	case GNUTLS_SAN_DNSNAME:
> +-		if (!dnsname_matches(&node2->name, &node1->name))
> ++		rel = compare_dns_names(&node1->name, &node2->name);
> ++		switch (rel) {
> ++		case NC_EQUAL: // equal means doesn't matter which one
> ++		case NC_INCLUDES: // node2 is more specific
> ++			to_copy = node2;
> ++			break;
> ++		case NC_INCLUDED_BY: // node1 is more specific
> ++			to_copy = node1;
> ++			break;
> ++		case NC_SORTS_BEFORE: // no intersection
> ++		case NC_SORTS_AFTER: // no intersection
> + 			return GNUTLS_E_SUCCESS;
> +-		to_copy = node2;
> ++		}
> + 		break;
> + 	case GNUTLS_SAN_RFC822NAME:
> +-		if (!email_matches(&node2->name, &node1->name))
> ++		rel = compare_emails(&node1->name, &node2->name);
> ++		switch (rel) {
> ++		case NC_EQUAL: // equal means doesn't matter which one
> ++		case NC_INCLUDES: // node2 is more specific
> ++			to_copy = node2;
> ++			break;
> ++		case NC_INCLUDED_BY: // node1 is more specific
> ++			to_copy = node1;
> ++			break;
> ++		case NC_SORTS_BEFORE: // no intersection
> ++		case NC_SORTS_AFTER: // no intersection
> + 			return GNUTLS_E_SUCCESS;
> +-		to_copy = node2;
> ++		}
> + 		break;
> + 	case GNUTLS_SAN_IPADDRESS:
> +-		if (node1->name.size != node2->name.size)
> ++		rel = compare_ip_ncs(&node1->name, &node2->name);
> ++		switch (rel) {
> ++		case NC_EQUAL: // equal means doesn't matter which one
> ++		case NC_INCLUDES: // node2 is more specific
> ++			to_copy = node2;
> ++			break;
> ++		case NC_INCLUDED_BY: // node1 is more specific
> ++			to_copy = node1;
> ++			break;
> ++		case NC_SORTS_BEFORE: // no intersection
> ++		case NC_SORTS_AFTER: // no intersection
> + 			return GNUTLS_E_SUCCESS;
> +-		iplength = node1->name.size / 2;
> +-		for (byte = 0; byte < iplength; byte++) {
> +-			if (((node1->name.data[byte] ^
> +-			      node2->name.data[byte]) // XOR of addresses
> +-			     & node1->name.data[byte +
> +-						iplength] // AND mask from nc1
> +-			     & node2->name.data[byte +
> +-						iplength]) // AND mask from nc2
> +-			    != 0) {
> +-				// CIDRS do not intersect
> +-				return GNUTLS_E_SUCCESS;
> +-			}
> + 		}
> +-		to_copy = node2;
> + 		break;
> + 	default:
> + 		// for other types, we don't know how to do the intersection, assume empty
> +@@ -967,20 +1210,6 @@ static int name_constraints_intersect_no
> + 		intersection = *_intersection;
> + 
> + 		assert(intersection->name.data != NULL);
> +-
> +-		if (intersection->type == GNUTLS_SAN_IPADDRESS) {
> +-			// make sure both IP addresses are correctly masked
> +-			_gnutls_mask_ip(intersection->name.data,
> +-					intersection->name.data + iplength,
> +-					iplength);
> +-			_gnutls_mask_ip(node1->name.data,
> +-					node1->name.data + iplength, iplength);
> +-			// update intersection, if necessary (we already know one is subset of other)
> +-			for (byte = 0; byte < 2 * iplength; byte++) {
> +-				intersection->name.data[byte] |=
> +-					node1->name.data[byte];
> +-			}
> +-		}
> + 	}
> + 
> + 	return GNUTLS_E_SUCCESS;
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch
> new file mode 100644
> index 00000000000..6dc599dd9f1
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch
> @@ -0,0 +1,119 @@
> +From bc62fbb946085527b4b1c02f337dd10c68c54690 Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Wed, 4 Feb 2026 09:09:46 +0100
> +Subject: [PATCH] x509/name_constraints: add sorted_view in preparation...
> +
> +... for actually using it later for performance gains.
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/bc62fbb946085527b4b1c02f337dd10c68c54690]
> +CVE: CVE-2025-14831
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + lib/x509/name_constraints.c | 62 ++++++++++++++++++++++++++++++-------
> + 1 file changed, 51 insertions(+), 11 deletions(-)
> +
> +--- a/lib/x509/name_constraints.c
> ++++ b/lib/x509/name_constraints.c
> +@@ -54,6 +54,9 @@ struct name_constraints_node_list_st {
> + 	struct name_constraints_node_st **data;
> + 	size_t size;
> + 	size_t capacity;
> ++	/* sorted-on-demand view, valid only when dirty == false */
> ++	bool dirty;
> ++	struct name_constraints_node_st **sorted_view;
> + };
> + 
> + struct gnutls_name_constraints_st {
> +@@ -342,6 +345,37 @@ static int compare_name_constraint_nodes
> + 	}
> + }
> + 
> ++/* Bring the sorted view up to date with the list data; clear the dirty flag. */
> ++static int ensure_sorted(struct name_constraints_node_list_st *list)
> ++{
> ++	struct name_constraints_node_st **new_data;
> ++
> ++	if (!list->dirty)
> ++		return GNUTLS_E_SUCCESS;
> ++	if (!list->size) {
> ++		list->dirty = false;
> ++		return GNUTLS_E_SUCCESS;
> ++	}
> ++
> ++	/* reallocate sorted view to match current size */
> ++	new_data =
> ++		_gnutls_reallocarray(list->sorted_view, list->size,
> ++				     sizeof(struct name_constraints_node_st *));
> ++	if (!new_data)
> ++		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
> ++	list->sorted_view = new_data;
> ++
> ++	/* copy pointers and sort in-place */
> ++	memcpy(list->sorted_view, list->data,
> ++	       list->size * sizeof(struct name_constraints_node_st *));
> ++	qsort(list->sorted_view, list->size,
> ++	      sizeof(struct name_constraints_node_st *),
> ++	      compare_name_constraint_nodes_qsort);
> ++
> ++	list->dirty = false;
> ++	return GNUTLS_E_SUCCESS;
> ++}
> ++
> + static int
> + name_constraints_node_list_add(struct name_constraints_node_list_st *list,
> + 			       struct name_constraints_node_st *node)
> +@@ -361,10 +395,23 @@ name_constraints_node_list_add(struct na
> + 		list->capacity = new_capacity;
> + 		list->data = new_data;
> + 	}
> ++	list->dirty = true;
> + 	list->data[list->size++] = node;
> + 	return 0;
> + }
> + 
> ++static void
> ++name_constraints_node_list_clear(struct name_constraints_node_list_st *list)
> ++{
> ++	gnutls_free(list->data);
> ++	gnutls_free(list->sorted_view);
> ++	list->data = NULL;
> ++	list->sorted_view = NULL;
> ++	list->capacity = 0;
> ++	list->size = 0;
> ++	list->dirty = false;
> ++}
> ++
> + static int
> + name_constraints_node_add_new(gnutls_x509_name_constraints_t nc,
> + 			      struct name_constraints_node_list_st *list,
> +@@ -711,6 +758,7 @@ static int name_constraints_node_list_in
> + 				permitted->data[i] =
> + 					permitted->data[permitted->size - 1];
> + 			permitted->size--;
> ++			permitted->dirty = true;
> + 			continue;
> + 		}
> + 		i++;
> +@@ -905,17 +953,9 @@ void _gnutls_x509_name_constraints_clear
> + 		struct name_constraints_node_st *node = nc->nodes.data[i];
> + 		name_constraints_node_free(node);
> + 	}
> +-	gnutls_free(nc->nodes.data);
> +-	nc->nodes.capacity = 0;
> +-	nc->nodes.size = 0;
> +-
> +-	gnutls_free(nc->permitted.data);
> +-	nc->permitted.capacity = 0;
> +-	nc->permitted.size = 0;
> +-
> +-	gnutls_free(nc->excluded.data);
> +-	nc->excluded.capacity = 0;
> +-	nc->excluded.size = 0;
> ++	name_constraints_node_list_clear(&nc->nodes);
> ++	name_constraints_node_list_clear(&nc->permitted);
> ++	name_constraints_node_list_clear(&nc->excluded);
> + }
> + 
> + /**
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch
> new file mode 100644
> index 00000000000..846862007f0
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch
> @@ -0,0 +1,150 @@
> +From 80db5e90fa18d3e34bb91dd027bdf76d31e93dcd Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Wed, 4 Feb 2026 13:30:08 +0100
> +Subject: [PATCH] x509/name_constraints: implement
> + name_constraints_node_list_union
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/80db5e90fa18d3e34bb91dd027bdf76d31e93dcd]
> +CVE: CVE-2025-14831
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + lib/x509/name_constraints.c | 98 ++++++++++++++++++++++++++++++++-----
> + 1 file changed, 86 insertions(+), 12 deletions(-)
> +
> +--- a/lib/x509/name_constraints.c
> ++++ b/lib/x509/name_constraints.c
> +@@ -41,6 +41,7 @@
> + #include "intprops.h"
> + #include "minmax.h"
> + 
> ++#include <assert.h>
> + #include <string.h>
> + 
> + #define MAX_NC_CHECKS (1 << 20)
> +@@ -867,22 +868,95 @@ cleanup:
> + 	return ret;
> + }
> + 
> +-static int name_constraints_node_list_concat(
> +-	gnutls_x509_name_constraints_t nc,
> +-	struct name_constraints_node_list_st *nodes,
> +-	const struct name_constraints_node_list_st *nodes2)
> ++static int
> ++name_constraints_node_list_union(gnutls_x509_name_constraints_t nc,
> ++				 struct name_constraints_node_list_st *nodes,
> ++				 struct name_constraints_node_list_st *nodes2)
> + {
> + 	int ret;
> ++	size_t i = 0, j = 0;
> ++	struct name_constraints_node_st *nc1;
> ++	const struct name_constraints_node_st *nc2;
> ++	enum name_constraint_relation rel;
> ++	struct name_constraints_node_list_st result = { 0 };
> ++
> ++	if (nodes2->size == 0) /* nothing to do */
> ++		return GNUTLS_E_SUCCESS;
> ++
> ++	ret = ensure_sorted(nodes);
> ++	if (ret < 0) {
> ++		gnutls_assert();
> ++		goto cleanup;
> ++	}
> ++	ret = ensure_sorted(nodes2);
> ++	if (ret < 0) {
> ++		gnutls_assert();
> ++		goto cleanup;
> ++	}
> ++
> ++	/* traverse both lists in a single pass and merge them w/o duplicates */
> ++	while (i < nodes->size || j < nodes2->size) {
> ++		nc1 = (i < nodes->size) ? nodes->sorted_view[i] : NULL;
> ++		nc2 = (j < nodes2->size) ? nodes2->sorted_view[j] : NULL;
> + 
> +-	for (size_t i = 0; i < nodes2->size; i++) {
> +-		ret = name_constraints_node_add_copy(nc, nodes,
> +-						     nodes2->data[i]);
> ++		rel = compare_name_constraint_nodes(nc1, nc2);
> ++		switch (rel) {
> ++		case NC_SORTS_BEFORE:
> ++			assert(nc1 != NULL); /* comparator-guaranteed */
> ++			ret = name_constraints_node_list_add(&result, nc1);
> ++			i++;
> ++			break;
> ++		case NC_SORTS_AFTER:
> ++			assert(nc2 != NULL); /* comparator-guaranteed */
> ++			ret = name_constraints_node_add_copy(nc, &result, nc2);
> ++			j++;
> ++			break;
> ++		case NC_INCLUDES: /* nc1 is broader, shallow-copy it */
> ++			assert(nc1 != NULL && nc2 != NULL); /* comparator */
> ++			ret = name_constraints_node_list_add(&result, nc1);
> ++			i++;
> ++			j++;
> ++			break;
> ++		case NC_INCLUDED_BY: /* nc2 is broader, deep-copy it */
> ++			assert(nc1 != NULL && nc2 != NULL); /* comparator */
> ++			ret = name_constraints_node_add_copy(nc, &result, nc2);
> ++			i++;
> ++			j++;
> ++			break;
> ++		case NC_EQUAL:
> ++			assert(nc1 != NULL && nc2 != NULL); /* loop condition */
> ++			ret = name_constraints_node_list_add(&result, nc1);
> ++			i++;
> ++			j++;
> ++			break;
> ++		}
> + 		if (ret < 0) {
> +-			return gnutls_assert_val(ret);
> ++			gnutls_assert();
> ++			goto cleanup;
> + 		}
> + 	}
> + 
> +-	return 0;
> ++	gnutls_free(nodes->data);
> ++	gnutls_free(nodes->sorted_view);
> ++	nodes->data = result.data;
> ++	nodes->sorted_view = NULL;
> ++	nodes->size = result.size;
> ++	nodes->capacity = result.capacity;
> ++	nodes->dirty = true;
> ++	/* since we know it's sorted, populate sorted_view almost for free */
> ++	nodes->sorted_view = gnutls_calloc(
> ++		nodes->size, sizeof(struct name_constraints_node_st *));
> ++	if (!nodes->sorted_view)
> ++		return GNUTLS_E_SUCCESS; /* we tried, no harm done */
> ++	memcpy(nodes->sorted_view, nodes->data,
> ++	       nodes->size * sizeof(struct name_constraints_node_st *));
> ++	nodes->dirty = false;
> ++
> ++	result.data = NULL;
> ++	return GNUTLS_E_SUCCESS;
> ++cleanup:
> ++	name_constraints_node_list_clear(&result);
> ++	return gnutls_assert_val(ret);
> + }
> + 
> + /**
> +@@ -1023,7 +1097,7 @@ static int name_constraints_add(gnutls_x
> +  * @nc2: The name constraints to be merged with
> +  *
> +  * This function will merge the provided name constraints structures
> +- * as per RFC5280 p6.1.4. That is, the excluded constraints will be appended,
> ++ * as per RFC5280 p6.1.4. That is, the excluded constraints will be unioned,
> +  * and permitted will be intersected. The intersection assumes that @nc
> +  * is the root CA constraints.
> +  *
> +@@ -1045,8 +1119,8 @@ int _gnutls_x509_name_constraints_merge(
> + 		return ret;
> + 	}
> + 
> +-	ret = name_constraints_node_list_concat(nc, &nc->excluded,
> +-						&nc2->excluded);
> ++	ret = name_constraints_node_list_union(nc, &nc->excluded,
> ++					       &nc2->excluded);
> + 	if (ret < 0) {
> + 		gnutls_assert();
> + 		return ret;
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch
> new file mode 100644
> index 00000000000..9beca76a352
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch
> @@ -0,0 +1,105 @@
> +From d0ac999620c8c0aeb6939e1e92d884ca8e40b759 Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Wed, 4 Feb 2026 18:31:37 +0100
> +Subject: [PATCH] x509/name_constraints: make types_with_empty_intersection a
> + bitmask
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/d0ac999620c8c0aeb6939e1e92d884ca8e40b759]
> +CVE: CVE-2025-14831
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + lib/x509/name_constraints.c | 39 +++++++++++++++++++++++++++----------
> + 1 file changed, 29 insertions(+), 10 deletions(-)
> +
> +--- a/lib/x509/name_constraints.c
> ++++ b/lib/x509/name_constraints.c
> +@@ -275,6 +275,7 @@ static enum name_constraint_relation com
> + 
> + static inline bool is_supported_type(unsigned type)
> + {
> ++	/* all of these should be under GNUTLS_SAN_MAX (intersect bitmasks) */
> + 	return type == GNUTLS_SAN_DNSNAME || type == GNUTLS_SAN_RFC822NAME ||
> + 	       type == GNUTLS_SAN_IPADDRESS;
> + }
> +@@ -683,6 +684,21 @@ name_constraints_node_new(gnutls_x509_na
> + 	return tmp;
> + }
> + 
> ++static int
> ++name_constraints_node_list_union(gnutls_x509_name_constraints_t nc,
> ++				 struct name_constraints_node_list_st *nodes,
> ++				 struct name_constraints_node_list_st *nodes2);
> ++
> ++#define type_bitmask_t uint8_t /* increase if GNUTLS_SAN_MAX grows */
> ++#define type_bitmask_set(mask, t) ((mask) |= (1u << (t)))
> ++#define type_bitmask_clr(mask, t) ((mask) &= ~(1u << (t)))
> ++#define type_bitmask_in(mask, t) ((mask) & (1u << (t)))
> ++/* C99-compatible compile-time assertions; gnutls_int.h undefines verify */
> ++typedef char assert_san_max[(GNUTLS_SAN_MAX < 8) ? 1 : -1];
> ++typedef char assert_dnsname[(GNUTLS_SAN_DNSNAME <= GNUTLS_SAN_MAX) ? 1 : -1];
> ++typedef char assert_rfc822[(GNUTLS_SAN_RFC822NAME <= GNUTLS_SAN_MAX) ? 1 : -1];
> ++typedef char assert_ipaddr[(GNUTLS_SAN_IPADDRESS <= GNUTLS_SAN_MAX) ? 1 : -1];
> ++
> + /*-
> +  * @brief name_constraints_node_list_intersect:
> +  * @nc: %gnutls_x509_name_constraints_t
> +@@ -710,12 +726,9 @@ static int name_constraints_node_list_in
> + 							 .capacity = 0 };
> + 	static const unsigned char universal_ip[32] = { 0 };
> + 
> +-	/* temporary array to see, if we need to add universal excluded constraints
> +-	 * (see phase 3 for details)
> +-	 * indexed directly by (gnutls_x509_subject_alt_name_t enum - 1) */
> +-	unsigned char types_with_empty_intersection[GNUTLS_SAN_MAX];
> +-	memset(types_with_empty_intersection, 0,
> +-	       sizeof(types_with_empty_intersection));
> ++	/* bitmask to see if we need to add universal excluded constraints
> ++	 * (see phase 3 for details) */
> ++	type_bitmask_t types_with_empty_intersection = 0;
> + 
> + 	if (permitted->size == 0 || permitted2->size == 0)
> + 		return 0;
> +@@ -741,7 +754,8 @@ static int name_constraints_node_list_in
> + 				// note the possibility of empty intersection for this type
> + 				// if we add something to the intersection in phase 2,
> + 				// we will reset this flag back to 0 then
> +-				types_with_empty_intersection[t->type - 1] = 1;
> ++				type_bitmask_set(types_with_empty_intersection,
> ++						 t->type);
> + 				found = t2;
> + 				break;
> + 			}
> +@@ -795,8 +809,8 @@ static int name_constraints_node_list_in
> + 						GNUTLS_E_INTERNAL_ERROR);
> + 				}
> + 				// we will not add universal excluded constraint for this type
> +-				types_with_empty_intersection[tmp->type - 1] =
> +-					0;
> ++				type_bitmask_clr(types_with_empty_intersection,
> ++						 tmp->type);
> + 				// add intersection node to PERMITTED
> + 				ret = name_constraints_node_list_add(permitted,
> + 								     tmp);
> +@@ -824,7 +838,7 @@ static int name_constraints_node_list_in
> + 	 * excluded constraint with universal wildcard
> + 	 * (since the intersection of permitted is now empty). */
> + 	for (type = 1; type <= GNUTLS_SAN_MAX; type++) {
> +-		if (types_with_empty_intersection[type - 1] == 0)
> ++		if (!type_bitmask_in(types_with_empty_intersection, type))
> + 			continue;
> + 		_gnutls_hard_log(
> + 			"Adding universal excluded name constraint for type %d.\n",
> +@@ -868,6 +882,11 @@ cleanup:
> + 	return ret;
> + }
> + 
> ++#undef type_bitmask_t
> ++#undef type_bitmask_set
> ++#undef type_bitmask_clr
> ++#undef type_bitmask_in
> ++
> + static int
> + name_constraints_node_list_union(gnutls_x509_name_constraints_t nc,
> + 				 struct name_constraints_node_list_st *nodes,
> diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch
> new file mode 100644
> index 00000000000..27ed995d8df
> --- /dev/null
> +++ b/meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch
> @@ -0,0 +1,437 @@
> +Backport of:
> +
> +From d6054f0016db05fb5c82177ddbd0a4e8331059a1 Mon Sep 17 00:00:00 2001
> +From: Alexander Sosedkin <asosedkin@redhat.com>
> +Date: Wed, 4 Feb 2026 20:03:49 +0100
> +Subject: [PATCH] x509/name_constraints: name_constraints_node_list_intersect
> + over sorted
> +
> +Fixes: #1773
> +Fixes: GNUTLS-SA-2026-02-09-2
> +Fixes: CVE-2025-14831
> +
> +Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
> +
> +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/d6054f0016db05fb5c82177ddbd0a4e8331059a1]
> +CVE: CVE-2025-14831
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + NEWS                        |   7 +
> + lib/x509/name_constraints.c | 350 ++++++++++++++----------------------
> + 2 files changed, 142 insertions(+), 215 deletions(-)
> +
> +#diff --git a/NEWS b/NEWS
> +#index e506db547a..96b7484fdf 100644
> +#--- a/NEWS
> +#+++ b/NEWS
> +#@@ -14,6 +14,13 @@ See the end for copying conditions.
> +#    Reported by Jaehun Lee.
> +#    [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]
> +# 
> +#+** libgnutls: Fix name constraint processing performance issue
> +#+   Verifying certificates with pathological amounts of name constraints
> +#+   could lead to a denial of service attack via resource exhaustion.
> +#+   Reworked processing algorithms exhibit better performance characteristics.
> +#+   Reported by Tim Scheckenbach.
> +#+   [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]
> +#+
> +# ** libgnutls: Fix multiple unexploitable overflows
> +#    Reported by Tim Rühsen (#1783, #1786).
> +# 
> +--- a/lib/x509/name_constraints.c
> ++++ b/lib/x509/name_constraints.c
> +@@ -446,13 +446,6 @@ name_constraints_node_add_copy(gnutls_x5
> + 					     src->name.data, src->name.size);
> + }
> + 
> +-// for documentation see the implementation
> +-static int name_constraints_intersect_nodes(
> +-	gnutls_x509_name_constraints_t nc,
> +-	const struct name_constraints_node_st *node1,
> +-	const struct name_constraints_node_st *node2,
> +-	struct name_constraints_node_st **intersection);
> +-
> + /*-
> +  * _gnutls_x509_name_constraints_is_empty:
> +  * @nc: name constraints structure
> +@@ -716,129 +709,143 @@ typedef char assert_ipaddr[(GNUTLS_SAN_I
> + static int name_constraints_node_list_intersect(
> + 	gnutls_x509_name_constraints_t nc,
> + 	struct name_constraints_node_list_st *permitted,
> +-	const struct name_constraints_node_list_st *permitted2,
> ++	struct name_constraints_node_list_st *permitted2,
> + 	struct name_constraints_node_list_st *excluded)
> + {
> +-	struct name_constraints_node_st *tmp;
> +-	int ret, type, used;
> +-	struct name_constraints_node_list_st removed = { .data = NULL,
> +-							 .size = 0,
> +-							 .capacity = 0 };
> ++	struct name_constraints_node_st *nc1, *nc2;
> ++	struct name_constraints_node_list_st result = { 0 };
> ++	struct name_constraints_node_list_st unsupp2 = { 0 };
> ++	enum name_constraint_relation rel;
> ++	unsigned type;
> ++	int ret = GNUTLS_E_SUCCESS;
> ++	size_t i, j, p1_unsupp = 0, p2_unsupp = 0;
> ++	type_bitmask_t universal_exclude_needed = 0;
> ++	type_bitmask_t types_in_p1 = 0, types_in_p2 = 0;
> + 	static const unsigned char universal_ip[32] = { 0 };
> + 
> +-	/* bitmask to see if we need to add universal excluded constraints
> +-	 * (see phase 3 for details) */
> +-	type_bitmask_t types_with_empty_intersection = 0;
> +-
> + 	if (permitted->size == 0 || permitted2->size == 0)
> +-		return 0;
> ++		return GNUTLS_E_SUCCESS;
> + 
> +-	/* Phase 1
> +-	 * For each name in PERMITTED, if a PERMITTED2 does not contain a name
> +-	 * with the same type, move the original name to REMOVED.
> +-	 * Do this also for node of unknown type (not DNS, email, IP) */
> +-	for (size_t i = 0; i < permitted->size;) {
> +-		struct name_constraints_node_st *t = permitted->data[i];
> +-		const struct name_constraints_node_st *found = NULL;
> +-
> +-		for (size_t j = 0; j < permitted2->size; j++) {
> +-			const struct name_constraints_node_st *t2 =
> +-				permitted2->data[j];
> +-			if (t->type == t2->type) {
> +-				// check bounds (we will use 't->type' as index)
> +-				if (t->type > GNUTLS_SAN_MAX || t->type == 0) {
> +-					gnutls_assert();
> +-					ret = GNUTLS_E_INTERNAL_ERROR;
> +-					goto cleanup;
> +-				}
> +-				// note the possibility of empty intersection for this type
> +-				// if we add something to the intersection in phase 2,
> +-				// we will reset this flag back to 0 then
> +-				type_bitmask_set(types_with_empty_intersection,
> +-						 t->type);
> +-				found = t2;
> +-				break;
> +-			}
> ++	/* make sorted views of the arrays */
> ++	ret = ensure_sorted(permitted);
> ++	if (ret < 0) {
> ++		gnutls_assert();
> ++		goto cleanup;
> ++	}
> ++	ret = ensure_sorted(permitted2);
> ++	if (ret < 0) {
> ++		gnutls_assert();
> ++		goto cleanup;
> ++	}
> ++
> ++	/* deal with the leading unsupported types first: count, then union */
> ++	while (p1_unsupp < permitted->size &&
> ++	       !is_supported_type(permitted->sorted_view[p1_unsupp]->type))
> ++		p1_unsupp++;
> ++	while (p2_unsupp < permitted2->size &&
> ++	       !is_supported_type(permitted2->sorted_view[p2_unsupp]->type))
> ++		p2_unsupp++;
> ++	if (p1_unsupp) { /* copy p1 unsupported type pointers into result */
> ++		result.data = gnutls_calloc(
> ++			p1_unsupp, sizeof(struct name_constraints_node_st *));
> ++		if (!result.data) {
> ++			ret = GNUTLS_E_MEMORY_ERROR;
> ++			gnutls_assert();
> ++			goto cleanup;
> ++		}
> ++		memcpy(result.data, permitted->sorted_view,
> ++		       p1_unsupp * sizeof(struct name_constraints_node_st *));
> ++		result.size = result.capacity = p1_unsupp;
> ++		result.dirty = true;
> ++	}
> ++	if (p2_unsupp) { /* union will make deep copies from p2 */
> ++		unsupp2.data = permitted2->sorted_view; /* so, just alias */
> ++		unsupp2.size = unsupp2.capacity = p2_unsupp;
> ++		unsupp2.dirty = false; /* we know it's sorted */
> ++		unsupp2.sorted_view = permitted2->sorted_view;
> ++		ret = name_constraints_node_list_union(nc, &result, &unsupp2);
> ++		if (ret < 0) {
> ++			gnutls_assert();
> ++			goto cleanup;
> + 		}
> ++	}
> + 
> +-		if (found != NULL && is_supported_type(t->type)) {
> +-			/* move node from PERMITTED to REMOVED */
> +-			ret = name_constraints_node_list_add(&removed, t);
> +-			if (ret < 0) {
> +-				gnutls_assert();
> +-				goto cleanup;
> +-			}
> +-			/* remove node by swapping */
> +-			if (i < permitted->size - 1)
> +-				permitted->data[i] =
> +-					permitted->data[permitted->size - 1];
> +-			permitted->size--;
> +-			permitted->dirty = true;
> +-			continue;
> ++	/* with that out of the way, pre-compute the supported types we have */
> ++	for (i = p1_unsupp; i < permitted->size; i++) {
> ++		type = permitted->sorted_view[i]->type;
> ++		if (type < 1 || type > GNUTLS_SAN_MAX) {
> ++			ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
> ++			goto cleanup;
> + 		}
> +-		i++;
> ++		type_bitmask_set(types_in_p1, type);
> + 	}
> ++	for (j = p2_unsupp; j < permitted2->size; j++) {
> ++		type = permitted2->sorted_view[j]->type;
> ++		if (type < 1 || type > GNUTLS_SAN_MAX) {
> ++			ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
> ++			goto cleanup;
> ++		}
> ++		type_bitmask_set(types_in_p2, type);
> ++	}
> ++	/* universal excludes might be needed for types intersecting to empty */
> ++	universal_exclude_needed = types_in_p1 & types_in_p2;
> + 
> +-	/* Phase 2
> +-	 * iterate through all combinations from PERMITTED2 and PERMITTED
> +-	 * and create intersections of nodes with same type */
> +-	for (size_t i = 0; i < permitted2->size; i++) {
> +-		const struct name_constraints_node_st *t2 = permitted2->data[i];
> +-
> +-		// current PERMITTED2 node has not yet been used for any intersection
> +-		// (and is not in REMOVED either)
> +-		used = 0;
> +-		for (size_t j = 0; j < removed.size; j++) {
> +-			const struct name_constraints_node_st *t =
> +-				removed.data[j];
> +-			// save intersection of name constraints into tmp
> +-			ret = name_constraints_intersect_nodes(nc, t, t2, &tmp);
> +-			if (ret < 0) {
> +-				gnutls_assert();
> +-				goto cleanup;
> +-			}
> +-			used = 1;
> +-			// if intersection is not empty
> +-			if (tmp !=
> +-			    NULL) { // intersection for this type is not empty
> +-				// check bounds
> +-				if (tmp->type > GNUTLS_SAN_MAX ||
> +-				    tmp->type == 0) {
> +-					gnutls_free(tmp);
> +-					return gnutls_assert_val(
> +-						GNUTLS_E_INTERNAL_ERROR);
> +-				}
> +-				// we will not add universal excluded constraint for this type
> +-				type_bitmask_clr(types_with_empty_intersection,
> +-						 tmp->type);
> +-				// add intersection node to PERMITTED
> +-				ret = name_constraints_node_list_add(permitted,
> +-								     tmp);
> +-				if (ret < 0) {
> +-					gnutls_assert();
> +-					goto cleanup;
> +-				}
> +-			}
> ++	/* go through supported type NCs and intersect in a single pass */
> ++	i = p1_unsupp;
> ++	j = p2_unsupp;
> ++	while (i < permitted->size || j < permitted2->size) {
> ++		nc1 = (i < permitted->size) ? permitted->sorted_view[i] : NULL;
> ++		nc2 = (j < permitted2->size) ? permitted2->sorted_view[j] :
> ++					       NULL;
> ++		rel = compare_name_constraint_nodes(nc1, nc2);
> ++
> ++		switch (rel) {
> ++		case NC_SORTS_BEFORE:
> ++			assert(nc1 != NULL); /* comparator-guaranteed */
> ++			/* if nothing to intersect with, shallow-copy nc1 */
> ++			if (!type_bitmask_in(types_in_p2, nc1->type))
> ++				ret = name_constraints_node_list_add(&result,
> ++								     nc1);
> ++			i++; /* otherwise skip nc1 */
> ++			break;
> ++		case NC_SORTS_AFTER:
> ++			assert(nc2 != NULL); /* comparator-guaranteed */
> ++			/* if nothing to intersect with, deep-copy nc2 */
> ++			if (!type_bitmask_in(types_in_p1, nc2->type))
> ++				ret = name_constraints_node_add_copy(
> ++					nc, &result, nc2);
> ++			j++; /* otherwise skip nc2 */
> ++			break;
> ++		case NC_INCLUDED_BY: /* add nc1, shallow-copy */
> ++			assert(nc1 != NULL && nc2 != NULL); /* comparator */
> ++			type_bitmask_clr(universal_exclude_needed, nc1->type);
> ++			ret = name_constraints_node_list_add(&result, nc1);
> ++			i++;
> ++			break;
> ++		case NC_INCLUDES: /* pick nc2, deep-copy */
> ++			assert(nc1 != NULL && nc2 != NULL); /* comparator */
> ++			type_bitmask_clr(universal_exclude_needed, nc2->type);
> ++			ret = name_constraints_node_add_copy(nc, &result, nc2);
> ++			j++;
> ++			break;
> ++		case NC_EQUAL: /* pick whichever: nc1, shallow-copy */
> ++			assert(nc1 != NULL && nc2 != NULL); /* loop condition */
> ++			type_bitmask_clr(universal_exclude_needed, nc1->type);
> ++			ret = name_constraints_node_list_add(&result, nc1);
> ++			i++;
> ++			j++;
> ++			break;
> + 		}
> +-		// if the node from PERMITTED2 was not used for intersection, copy it to DEST
> +-		// Beware: also copies nodes other than DNS, email, IP,
> +-		//       since their counterpart may have been moved in phase 1.
> +-		if (!used) {
> +-			ret = name_constraints_node_add_copy(nc, permitted, t2);
> +-			if (ret < 0) {
> +-				gnutls_assert();
> +-				goto cleanup;
> +-			}
> ++		if (ret < 0) {
> ++			gnutls_assert();
> ++			goto cleanup;
> + 		}
> + 	}
> + 
> +-	/* Phase 3
> +-	 * For each type: If we have empty permitted name constraints now
> +-	 * and we didn't have at the beginning, we have to add a new
> +-	 * excluded constraint with universal wildcard
> +-	 * (since the intersection of permitted is now empty). */
> ++	/* finishing touch: add universal excluded constraints for types where
> ++	 * both lists had constraints, but all intersections ended up empty */
> + 	for (type = 1; type <= GNUTLS_SAN_MAX; type++) {
> +-		if (!type_bitmask_in(types_with_empty_intersection, type))
> ++		if (!type_bitmask_in(universal_exclude_needed, type))
> + 			continue;
> + 		_gnutls_hard_log(
> + 			"Adding universal excluded name constraint for type %d.\n",
> +@@ -871,14 +878,24 @@ static int name_constraints_node_list_in
> + 				goto cleanup;
> + 			}
> + 			break;
> +-		default: // do nothing, at least one node was already moved in phase 1
> +-			break;
> ++		default: /* unsupported type; should be unreacheable */
> ++			ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
> ++			goto cleanup;
> + 		}
> + 	}
> +-	ret = GNUTLS_E_SUCCESS;
> + 
> ++	gnutls_free(permitted->data);
> ++	gnutls_free(permitted->sorted_view);
> ++	permitted->data = result.data;
> ++	permitted->sorted_view = NULL;
> ++	permitted->size = result.size;
> ++	permitted->capacity = result.capacity;
> ++	permitted->dirty = true;
> ++
> ++	result.data = NULL;
> ++	ret = GNUTLS_E_SUCCESS;
> + cleanup:
> +-	gnutls_free(removed.data);
> ++	name_constraints_node_list_clear(&result);
> + 	return ret;
> + }
> + 
> +@@ -1254,100 +1271,6 @@ static unsigned email_matches(const gnut
> + 	return rel == NC_EQUAL || rel == NC_INCLUDED_BY;
> + }
> + 
> +-/*-
> +- * name_constraints_intersect_nodes:
> +- * @nc1: name constraints node 1
> +- * @nc2: name constraints node 2
> +- * @_intersection: newly allocated node with intersected constraints,
> +- *		 NULL if the intersection is empty
> +- *
> +- * Inspect 2 name constraints nodes (of possibly different types) and allocate
> +- * a new node with intersection of given constraints.
> +- *
> +- * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.
> +- -*/
> +-static int name_constraints_intersect_nodes(
> +-	gnutls_x509_name_constraints_t nc,
> +-	const struct name_constraints_node_st *node1,
> +-	const struct name_constraints_node_st *node2,
> +-	struct name_constraints_node_st **_intersection)
> +-{
> +-	// presume empty intersection
> +-	struct name_constraints_node_st *intersection = NULL;
> +-	const struct name_constraints_node_st *to_copy = NULL;
> +-	enum name_constraint_relation rel;
> +-
> +-	*_intersection = NULL;
> +-
> +-	if (node1->type != node2->type) {
> +-		return GNUTLS_E_SUCCESS;
> +-	}
> +-	switch (node1->type) {
> +-	case GNUTLS_SAN_DNSNAME:
> +-		rel = compare_dns_names(&node1->name, &node2->name);
> +-		switch (rel) {
> +-		case NC_EQUAL: // equal means doesn't matter which one
> +-		case NC_INCLUDES: // node2 is more specific
> +-			to_copy = node2;
> +-			break;
> +-		case NC_INCLUDED_BY: // node1 is more specific
> +-			to_copy = node1;
> +-			break;
> +-		case NC_SORTS_BEFORE: // no intersection
> +-		case NC_SORTS_AFTER: // no intersection
> +-			return GNUTLS_E_SUCCESS;
> +-		}
> +-		break;
> +-	case GNUTLS_SAN_RFC822NAME:
> +-		rel = compare_emails(&node1->name, &node2->name);
> +-		switch (rel) {
> +-		case NC_EQUAL: // equal means doesn't matter which one
> +-		case NC_INCLUDES: // node2 is more specific
> +-			to_copy = node2;
> +-			break;
> +-		case NC_INCLUDED_BY: // node1 is more specific
> +-			to_copy = node1;
> +-			break;
> +-		case NC_SORTS_BEFORE: // no intersection
> +-		case NC_SORTS_AFTER: // no intersection
> +-			return GNUTLS_E_SUCCESS;
> +-		}
> +-		break;
> +-	case GNUTLS_SAN_IPADDRESS:
> +-		rel = compare_ip_ncs(&node1->name, &node2->name);
> +-		switch (rel) {
> +-		case NC_EQUAL: // equal means doesn't matter which one
> +-		case NC_INCLUDES: // node2 is more specific
> +-			to_copy = node2;
> +-			break;
> +-		case NC_INCLUDED_BY: // node1 is more specific
> +-			to_copy = node1;
> +-			break;
> +-		case NC_SORTS_BEFORE: // no intersection
> +-		case NC_SORTS_AFTER: // no intersection
> +-			return GNUTLS_E_SUCCESS;
> +-		}
> +-		break;
> +-	default:
> +-		// for other types, we don't know how to do the intersection, assume empty
> +-		return GNUTLS_E_SUCCESS;
> +-	}
> +-
> +-	// copy existing node if applicable
> +-	if (to_copy != NULL) {
> +-		*_intersection = name_constraints_node_new(nc, to_copy->type,
> +-							   to_copy->name.data,
> +-							   to_copy->name.size);
> +-		if (*_intersection == NULL)
> +-			return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
> +-		intersection = *_intersection;
> +-
> +-		assert(intersection->name.data != NULL);
> +-	}
> +-
> +-	return GNUTLS_E_SUCCESS;
> +-}
> +-
> + /*
> +  * Returns: true if the certification is acceptable, and false otherwise.
> +  */
> diff --git a/meta/recipes-support/gnutls/gnutls_3.8.4.bb b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> index 026ae650f65..ccb6a2b4b2d 100644
> --- a/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> +++ b/meta/recipes-support/gnutls/gnutls_3.8.4.bb
> @@ -34,6 +34,15 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
>             file://CVE-2025-32990.patch \
>             file://CVE-2025-6395.patch \
>             file://CVE-2025-9820.patch \
> +           file://CVE-2025-14831-1.patch \
> +           file://CVE-2025-14831-2.patch \
> +           file://CVE-2025-14831-3.patch \
> +           file://CVE-2025-14831-4.patch \
> +           file://CVE-2025-14831-5.patch \
> +           file://CVE-2025-14831-6.patch \
> +           file://CVE-2025-14831-7.patch \
> +           file://CVE-2025-14831-8.patch \
> +           file://CVE-2025-14831-9.patch \
>             "
>  
>  SRC_URI[sha256sum] = "2bea4e154794f3f00180fa2a5c51fe8b005ac7a31cd58bd44cdfa7f36ebc3a9b"


-- 
Yoann Congal
Smile ECS

[OE-core][scarthgap 13/16] systemd: backport patch to fix journal-file issue

[Yoann Congal]

From: sureshha <suresh.ha@bti.bmwgroup.com>

Backport patch to fix systemd journal-file assertion on removed or corrupted files

Extracted from systemd MR:
https://github.com/systemd/systemd/pull/40378

Signed-off-by: sureshha <suresh.ha@bmwtechworks.in>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 ...not-trigger-assertion-on-removed-or-.patch | 65 +++++++++++++++++++
 meta/recipes-core/systemd/systemd_255.21.bb   |  1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch

diff --git a/meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch b/meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch
new file mode 100644
index 00000000000..5f5551870ac
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch
@@ -0,0 +1,65 @@
+From 1350f39db7e72116c3b2423db02da3ddc8e29082 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Sun, 18 Jan 2026 19:15:31 +0900
+Subject: [PATCH] journal-file: do not trigger assertion on removed or
+ corrupted journal file
+
+When a journal file is removed or corrupted, then the value `p`, which is
+read from Object.data.entry_offset, may be zero.
+
+Note, journal_file_move_to_object() checks the passed offset and return
+-EBADMSG if it is invalid.
+
+Fixes the issue reported at
+https://github.com/systemd/systemd/pull/40372#issuecomment-3762907261.
+
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/2185c30de333b09f46ef28b743b123f45e774738]
+
+Comment: Patch is refreshed as per codebase of v255
+
+Signed-off-by: sureshha <suresh.ha@bmwtechworks.in>
+---
+ src/libsystemd/sd-journal/journal-file.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c
+index 08f3b82..633de5b 100644
+--- a/src/libsystemd/sd-journal/journal-file.c
++++ b/src/libsystemd/sd-journal/journal-file.c
+@@ -3305,7 +3305,9 @@ use_extra:
+
+ static int test_object_offset(JournalFile *f, uint64_t p, uint64_t needle) {
+         assert(f);
+-        assert(p > 0);
++
++        if (p <= 0)
++                return -EBADMSG;
+
+         if (p == needle)
+                 return TEST_FOUND;
+@@ -3341,7 +3343,6 @@ static int test_object_seqnum(JournalFile *f, uint64_t p, uint64_t needle) {
+         int r;
+
+         assert(f);
+-        assert(p > 0);
+
+         r = journal_file_move_to_object(f, OBJECT_ENTRY, p, &o);
+         if (r < 0)
+@@ -3382,7 +3383,6 @@ static int test_object_realtime(JournalFile *f, uint64_t p, uint64_t needle) {
+         int r;
+
+         assert(f);
+-        assert(p > 0);
+
+         r = journal_file_move_to_object(f, OBJECT_ENTRY, p, &o);
+         if (r < 0)
+@@ -3423,7 +3423,6 @@ static int test_object_monotonic(JournalFile *f, uint64_t p, uint64_t needle) {
+         int r;
+
+         assert(f);
+-        assert(p > 0);
+
+         r = journal_file_move_to_object(f, OBJECT_ENTRY, p, &o);
+         if (r < 0)
+--
+2.34.1
diff --git a/meta/recipes-core/systemd/systemd_255.21.bb b/meta/recipes-core/systemd/systemd_255.21.bb
index 87e186bbfac..504d6cbef60 100644
--- a/meta/recipes-core/systemd/systemd_255.21.bb
+++ b/meta/recipes-core/systemd/systemd_255.21.bb
@@ -29,6 +29,7 @@ SRC_URI += " \
            file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
            file://0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch \
            file://0008-implment-systemd-sysv-install-for-OE.patch \
+           file://0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch \
            "
 
 # patches needed by musl

Re: [OE-core][scarthgap 13/16] systemd: backport patch to fix journal-file issue

[Yoann Congal]

On Mon Mar 30, 2026 at 12:37 AM CEST, Yoann Congal wrote:
> From: sureshha <suresh.ha@bti.bmwgroup.com>
>
> Backport patch to fix systemd journal-file assertion on removed or corrupted files
>
> Extracted from systemd MR:
> https://github.com/systemd/systemd/pull/40378
>
> Signed-off-by: sureshha <suresh.ha@bmwtechworks.in>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---

I did not wanted to send that patch, please ignore.

>  ...not-trigger-assertion-on-removed-or-.patch | 65 +++++++++++++++++++
>  meta/recipes-core/systemd/systemd_255.21.bb   |  1 +
>  2 files changed, 66 insertions(+)
>  create mode 100644 meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch
>
> diff --git a/meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch b/meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch
> new file mode 100644
> index 00000000000..5f5551870ac
> --- /dev/null
> +++ b/meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch
> @@ -0,0 +1,65 @@
> +From 1350f39db7e72116c3b2423db02da3ddc8e29082 Mon Sep 17 00:00:00 2001
> +From: Yu Watanabe <watanabe.yu+github@gmail.com>
> +Date: Sun, 18 Jan 2026 19:15:31 +0900
> +Subject: [PATCH] journal-file: do not trigger assertion on removed or
> + corrupted journal file
> +
> +When a journal file is removed or corrupted, then the value `p`, which is
> +read from Object.data.entry_offset, may be zero.
> +
> +Note, journal_file_move_to_object() checks the passed offset and return
> +-EBADMSG if it is invalid.
> +
> +Fixes the issue reported at
> +https://github.com/systemd/systemd/pull/40372#issuecomment-3762907261.
> +
> +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/2185c30de333b09f46ef28b743b123f45e774738]
> +
> +Comment: Patch is refreshed as per codebase of v255
> +
> +Signed-off-by: sureshha <suresh.ha@bmwtechworks.in>
> +---
> + src/libsystemd/sd-journal/journal-file.c | 7 +++----
> + 1 file changed, 3 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/libsystemd/sd-journal/journal-file.c b/src/libsystemd/sd-journal/journal-file.c
> +index 08f3b82..633de5b 100644
> +--- a/src/libsystemd/sd-journal/journal-file.c
> ++++ b/src/libsystemd/sd-journal/journal-file.c
> +@@ -3305,7 +3305,9 @@ use_extra:
> +
> + static int test_object_offset(JournalFile *f, uint64_t p, uint64_t needle) {
> +         assert(f);
> +-        assert(p > 0);
> ++
> ++        if (p <= 0)
> ++                return -EBADMSG;
> +
> +         if (p == needle)
> +                 return TEST_FOUND;
> +@@ -3341,7 +3343,6 @@ static int test_object_seqnum(JournalFile *f, uint64_t p, uint64_t needle) {
> +         int r;
> +
> +         assert(f);
> +-        assert(p > 0);
> +
> +         r = journal_file_move_to_object(f, OBJECT_ENTRY, p, &o);
> +         if (r < 0)
> +@@ -3382,7 +3383,6 @@ static int test_object_realtime(JournalFile *f, uint64_t p, uint64_t needle) {
> +         int r;
> +
> +         assert(f);
> +-        assert(p > 0);
> +
> +         r = journal_file_move_to_object(f, OBJECT_ENTRY, p, &o);
> +         if (r < 0)
> +@@ -3423,7 +3423,6 @@ static int test_object_monotonic(JournalFile *f, uint64_t p, uint64_t needle) {
> +         int r;
> +
> +         assert(f);
> +-        assert(p > 0);
> +
> +         r = journal_file_move_to_object(f, OBJECT_ENTRY, p, &o);
> +         if (r < 0)
> +--
> +2.34.1
> diff --git a/meta/recipes-core/systemd/systemd_255.21.bb b/meta/recipes-core/systemd/systemd_255.21.bb
> index 87e186bbfac..504d6cbef60 100644
> --- a/meta/recipes-core/systemd/systemd_255.21.bb
> +++ b/meta/recipes-core/systemd/systemd_255.21.bb
> @@ -29,6 +29,7 @@ SRC_URI += " \
>             file://0002-binfmt-Don-t-install-dependency-links-at-install-tim.patch \
>             file://0003-timedated-Respond-on-org.freedesktop.timedate1.SetNT.patch \
>             file://0008-implment-systemd-sysv-install-for-OE.patch \
> +           file://0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch \
>             "
>  
>  # patches needed by musl


-- 
Yoann Congal
Smile ECS

[OE-core][scarthgap 14/16] libxml-parser-perl: fix for CVE-2006-10003

[Yoann Congal]

From: Hitendra Prajapati <hprajapati@mvista.com>

Pick patch from [1].

[1] https://security-tracker.debian.org/tracker/CVE-2006-10003

More details :
https://nvd.nist.gov/vuln/detail/CVE-2006-10003

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../libxml-parser-perl/CVE-2006-10003.patch   | 73 +++++++++++++++++++
 .../perl/libxml-parser-perl_2.47.bb           |  1 +
 2 files changed, 74 insertions(+)
 create mode 100644 meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch

diff --git a/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch b/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch
new file mode 100644
index 00000000000..e9a4b692d2d
--- /dev/null
+++ b/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch
@@ -0,0 +1,73 @@
+From 08dd37c35ec5e64e26aacb8514437f54708f7fd1 Mon Sep 17 00:00:00 2001
+From: Toddr Bot <toddbot@rinaldo.us>
+Date: Mon, 16 Mar 2026 22:16:11 +0000
+Subject: [PATCH] fix: off-by-one heap buffer overflow in st_serial_stack
+ growth check
+
+When st_serial_stackptr == st_serial_stacksize - 1, the old check
+(stackptr >= stacksize) would not trigger reallocation. The subsequent
+++stackptr then writes at index stacksize, one element past the
+allocated buffer.
+
+Fix by checking stackptr + 1 >= stacksize so the buffer is grown
+before the pre-increment write.
+
+Add a deep nesting test (600 levels) to exercise this code path.
+
+Fixes #39
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+
+CVE: CVE-2006-10003
+Upstream-Status: Backport [https://github.com/cpan-authors/XML-Parser/commit/08dd37c35ec5e64e26aacb8514437f54708f7fd1]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ Expat/Expat.xs   |  2 +-
+ t/deep_nesting.t | 22 ++++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+ create mode 100644 t/deep_nesting.t
+
+diff --git a/Expat/Expat.xs b/Expat/Expat.xs
+index dbad380..f04a0cf 100644
+--- a/Expat/Expat.xs
++++ b/Expat/Expat.xs
+@@ -499,7 +499,7 @@ startElement(void *userData, const char *name, const char **atts)
+     }
+   }
+ 
+-  if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
++  if (cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize) {
+     unsigned int newsize = cbv->st_serial_stacksize + 512;
+ 
+     Renew(cbv->st_serial_stack, newsize, unsigned int);
+diff --git a/t/deep_nesting.t b/t/deep_nesting.t
+new file mode 100644
+index 0000000..8237b5f
+--- /dev/null
++++ b/t/deep_nesting.t
+@@ -0,0 +1,22 @@
++BEGIN { print "1..1\n"; }
++
++# Test for deeply nested elements to exercise st_serial_stack reallocation.
++# This catches off-by-one errors in the stack growth check (GH #39).
++
++use XML::Parser;
++
++my $depth = 600;
++
++my $xml = '';
++for my $i (1 .. $depth) {
++    $xml .= "<e$i>";
++}
++for my $i (reverse 1 .. $depth) {
++    $xml .= "</e$i>";
++}
++
++my $p = XML::Parser->new;
++eval { $p->parse($xml) };
++
++print "not " if $@;
++print "ok 1\n";
+-- 
+2.50.1
+
diff --git a/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb b/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb
index 803164f713d..6a36b763a83 100644
--- a/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb
+++ b/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb
@@ -8,6 +8,7 @@ DEPENDS += "expat"
 
 SRC_URI = "${CPAN_MIRROR}/authors/id/T/TO/TODDR/XML-Parser-${PV}.tar.gz \
            file://0001-Makefile.PL-make-check_lib-cross-friendly.patch \
+           file://CVE-2006-10003.patch \
            "
 
 SRC_URI[sha256sum] = "ad4aae643ec784f489b956abe952432871a622d4e2b5c619e8855accbfc4d1d8"

Re: [OE-core][scarthgap 14/16] libxml-parser-perl: fix for CVE-2006-10003

[Yoann Congal]

On Mon Mar 30, 2026 at 12:37 AM CEST, Yoann Congal wrote:
> From: Hitendra Prajapati <hprajapati@mvista.com>
>
> Pick patch from [1].
>
> [1] https://security-tracker.debian.org/tracker/CVE-2006-10003
>
> More details :
> https://nvd.nist.gov/vuln/detail/CVE-2006-10003
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---

I did not wanted to send that patch, please ignore.

>  .../libxml-parser-perl/CVE-2006-10003.patch   | 73 +++++++++++++++++++
>  .../perl/libxml-parser-perl_2.47.bb           |  1 +
>  2 files changed, 74 insertions(+)
>  create mode 100644 meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch
>
> diff --git a/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch b/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch
> new file mode 100644
> index 00000000000..e9a4b692d2d
> --- /dev/null
> +++ b/meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch
> @@ -0,0 +1,73 @@
> +From 08dd37c35ec5e64e26aacb8514437f54708f7fd1 Mon Sep 17 00:00:00 2001
> +From: Toddr Bot <toddbot@rinaldo.us>
> +Date: Mon, 16 Mar 2026 22:16:11 +0000
> +Subject: [PATCH] fix: off-by-one heap buffer overflow in st_serial_stack
> + growth check
> +
> +When st_serial_stackptr == st_serial_stacksize - 1, the old check
> +(stackptr >= stacksize) would not trigger reallocation. The subsequent
> +++stackptr then writes at index stacksize, one element past the
> +allocated buffer.
> +
> +Fix by checking stackptr + 1 >= stacksize so the buffer is grown
> +before the pre-increment write.
> +
> +Add a deep nesting test (600 levels) to exercise this code path.
> +
> +Fixes #39
> +
> +Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
> +
> +CVE: CVE-2006-10003
> +Upstream-Status: Backport [https://github.com/cpan-authors/XML-Parser/commit/08dd37c35ec5e64e26aacb8514437f54708f7fd1]
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + Expat/Expat.xs   |  2 +-
> + t/deep_nesting.t | 22 ++++++++++++++++++++++
> + 2 files changed, 23 insertions(+), 1 deletion(-)
> + create mode 100644 t/deep_nesting.t
> +
> +diff --git a/Expat/Expat.xs b/Expat/Expat.xs
> +index dbad380..f04a0cf 100644
> +--- a/Expat/Expat.xs
> ++++ b/Expat/Expat.xs
> +@@ -499,7 +499,7 @@ startElement(void *userData, const char *name, const char **atts)
> +     }
> +   }
> + 
> +-  if (cbv->st_serial_stackptr >= cbv->st_serial_stacksize) {
> ++  if (cbv->st_serial_stackptr + 1 >= cbv->st_serial_stacksize) {
> +     unsigned int newsize = cbv->st_serial_stacksize + 512;
> + 
> +     Renew(cbv->st_serial_stack, newsize, unsigned int);
> +diff --git a/t/deep_nesting.t b/t/deep_nesting.t
> +new file mode 100644
> +index 0000000..8237b5f
> +--- /dev/null
> ++++ b/t/deep_nesting.t
> +@@ -0,0 +1,22 @@
> ++BEGIN { print "1..1\n"; }
> ++
> ++# Test for deeply nested elements to exercise st_serial_stack reallocation.
> ++# This catches off-by-one errors in the stack growth check (GH #39).
> ++
> ++use XML::Parser;
> ++
> ++my $depth = 600;
> ++
> ++my $xml = '';
> ++for my $i (1 .. $depth) {
> ++    $xml .= "<e$i>";
> ++}
> ++for my $i (reverse 1 .. $depth) {
> ++    $xml .= "</e$i>";
> ++}
> ++
> ++my $p = XML::Parser->new;
> ++eval { $p->parse($xml) };
> ++
> ++print "not " if $@;
> ++print "ok 1\n";
> +-- 
> +2.50.1
> +
> diff --git a/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb b/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb
> index 803164f713d..6a36b763a83 100644
> --- a/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb
> +++ b/meta/recipes-devtools/perl/libxml-parser-perl_2.47.bb
> @@ -8,6 +8,7 @@ DEPENDS += "expat"
>  
>  SRC_URI = "${CPAN_MIRROR}/authors/id/T/TO/TODDR/XML-Parser-${PV}.tar.gz \
>             file://0001-Makefile.PL-make-check_lib-cross-friendly.patch \
> +           file://CVE-2006-10003.patch \
>             "
>  
>  SRC_URI[sha256sum] = "ad4aae643ec784f489b956abe952432871a622d4e2b5c619e8855accbfc4d1d8"


-- 
Yoann Congal
Smile ECS

[OE-core][scarthgap 15/16] busybox: fix for CVE-2026-26157, CVE-2026-26158

[Yoann Congal]

From: Hitendra Prajapati <hprajapati@mvista.com>

Pick up patch from NVD report.

More details :
[1]: https://nvd.nist.gov/vuln/detail/CVE-2026-26157
[2]: https://nvd.nist.gov/vuln/detail/CVE-2026-26158

Note:
We use patch from busybox mirror that looks trustworthy https://gogs.librecmc.org/OWEALS/busybox.

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../CVE-2026-26157-CVE-2026-26158-01.patch    | 198 ++++++++++++++++++
 .../CVE-2026-26157-CVE-2026-26158-02.patch    |  37 ++++
 meta/recipes-core/busybox/busybox_1.36.1.bb   |   2 +
 3 files changed, 237 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch

diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
new file mode 100644
index 00000000000..cdc23947949
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
@@ -0,0 +1,198 @@
+From 3fb6b31c716669e12f75a2accd31bb7685b1a1cb Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux@googlemail.com>
+Date: Thu, 29 Jan 2026 11:48:02 +0100
+Subject: [PATCH] tar: strip unsafe hardlink components - GNU tar does the same
+
+Defends against files like these (python reproducer):
+
+import tarfile
+ti = tarfile.TarInfo("leak_hosts")
+ti.type = tarfile.LNKTYPE
+ti.linkname = "/etc/hosts"  # or "../etc/hosts" or ".."
+ti.size = 0
+with tarfile.open("/tmp/hardlink.tar", "w") as t:
+	t.addfile(ti)
+
+function                                             old     new   delta
+skip_unsafe_prefix                                     -     127    +127
+get_header_tar                                      1752    1754      +2
+.rodata                                           106861  106856      -5
+unzip_main                                          2715    2706      -9
+strip_unsafe_prefix                                  102      18     -84
+------------------------------------------------------------------------------
+(add/remove: 1/0 grow/shrink: 1/3 up/down: 129/-98)            Total: 31 bytes
+
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+CVE: CVE-2026-26157, CVE-2026-26158
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb]
+(Alternative mirrored URL: https://gogs.librecmc.org/OWEALS/busybox/commit/3fb6b31c716669e12f75a2accd31bb7685b1a1cb)
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ archival/libarchive/data_extract_all.c      |  7 +++--
+ archival/libarchive/get_header_tar.c        | 11 ++++++--
+ archival/libarchive/unsafe_prefix.c         | 30 +++++++++++++++++----
+ archival/libarchive/unsafe_symlink_target.c |  1 +
+ archival/tar.c                              |  2 +-
+ archival/unzip.c                            |  2 +-
+ include/bb_archive.h                        |  3 ++-
+ 7 files changed, 42 insertions(+), 14 deletions(-)
+
+diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
+index 8a69711..b84b960 100644
+--- a/archival/libarchive/data_extract_all.c
++++ b/archival/libarchive/data_extract_all.c
+@@ -66,8 +66,8 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+ 	}
+ #endif
+ #if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
+-	/* Strip leading "/" and up to last "/../" path component */
+-	dst_name = (char *)strip_unsafe_prefix(dst_name);
++	/* Skip leading "/" and past last ".." path component */
++	dst_name = (char *)skip_unsafe_prefix(dst_name);
+ #endif
+ // ^^^ This may be a problem if some applets do need to extract absolute names.
+ // (Probably will need to invent ARCHIVE_ALLOW_UNSAFE_NAME flag).
+@@ -185,8 +185,7 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
+ 
+ 		/* To avoid a directory traversal attack via symlinks,
+ 		 * do not restore symlinks with ".." components
+-		 * or symlinks starting with "/", unless a magic
+-		 * envvar is set.
++		 * or symlinks starting with "/"
+ 		 *
+ 		 * For example, consider a .tar created via:
+ 		 *  $ tar cvf bug.tar anything.txt
+diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c
+index cc6f3f0..1c40ece 100644
+--- a/archival/libarchive/get_header_tar.c
++++ b/archival/libarchive/get_header_tar.c
+@@ -454,8 +454,15 @@ char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
+ #endif
+ 
+ 	/* Everything up to and including last ".." component is stripped */
+-	overlapping_strcpy(file_header->name, strip_unsafe_prefix(file_header->name));
+-//TODO: do the same for file_header->link_target?
++	strip_unsafe_prefix(file_header->name);
++	if (file_header->link_target) {
++		/* GNU tar 1.34 examples:
++		 * tar: Removing leading '/' from hard link targets
++		 * tar: Removing leading '../' from hard link targets
++		 * tar: Removing leading 'etc/../' from hard link targets
++		 */
++		strip_unsafe_prefix(file_header->link_target);
++	}
+ 
+ 	/* Strip trailing '/' in directories */
+ 	/* Must be done after mode is set as '/' is used to check if it's a directory */
+diff --git a/archival/libarchive/unsafe_prefix.c b/archival/libarchive/unsafe_prefix.c
+index 6670811..89a371a 100644
+--- a/archival/libarchive/unsafe_prefix.c
++++ b/archival/libarchive/unsafe_prefix.c
+@@ -5,11 +5,11 @@
+ #include "libbb.h"
+ #include "bb_archive.h"
+ 
+-const char* FAST_FUNC strip_unsafe_prefix(const char *str)
++const char* FAST_FUNC skip_unsafe_prefix(const char *str)
+ {
+ 	const char *cp = str;
+ 	while (1) {
+-		char *cp2;
++		const char *cp2;
+ 		if (*cp == '/') {
+ 			cp++;
+ 			continue;
+@@ -22,10 +22,25 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str)
+ 			cp += 3;
+ 			continue;
+ 		}
+-		cp2 = strstr(cp, "/../");
++		cp2 = cp;
++ find_dotdot:
++		cp2 = strstr(cp2, "/..");
+ 		if (!cp2)
+-			break;
+-		cp = cp2 + 4;
++			break; /* No (more) malicious components */
++
++		/* We found "/..something" */
++		cp2 += 3;
++		if (*cp2 != '/') {
++			if (*cp2 == '\0') {
++				/* Trailing "/..": malicious, return "" */
++				/* (causes harmless errors trying to create or hardlink a file named "") */
++				return cp2;
++			}
++			/* "/..name" is not malicious, look for next "/.." */
++			goto find_dotdot;
++		}
++		/* Found "/../": malicious, advance past it */
++		cp = cp2 + 1;
+ 	}
+ 	if (cp != str) {
+ 		static smallint warned = 0;
+@@ -37,3 +52,8 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str)
+ 	}
+ 	return cp;
+ }
++
++void FAST_FUNC strip_unsafe_prefix(char *str)
++{
++	overlapping_strcpy(str, skip_unsafe_prefix(str));
++}
+diff --git a/archival/libarchive/unsafe_symlink_target.c b/archival/libarchive/unsafe_symlink_target.c
+index f8dc803..d764c89 100644
+--- a/archival/libarchive/unsafe_symlink_target.c
++++ b/archival/libarchive/unsafe_symlink_target.c
+@@ -36,6 +36,7 @@ void FAST_FUNC create_links_from_list(llist_t *list)
+ 				*list->data ? "hard" : "sym",
+ 				list->data + 1, target
+ 			);
++			/* Note: GNU tar 1.34 errors out only _after_ all links are (attempted to be) created */
+ 		}
+ 		list = list->link;
+ 	}
+diff --git a/archival/tar.c b/archival/tar.c
+index 9de3759..cf8c2d1 100644
+--- a/archival/tar.c
++++ b/archival/tar.c
+@@ -475,7 +475,7 @@ static int FAST_FUNC writeFileToTarball(struct recursive_state *state,
+ 	DBG("writeFileToTarball('%s')", fileName);
+ 
+ 	/* Strip leading '/' and such (must be before memorizing hardlink's name) */
+-	header_name = strip_unsafe_prefix(fileName);
++	header_name = skip_unsafe_prefix(fileName);
+ 
+ 	if (header_name[0] == '\0')
+ 		return TRUE;
+diff --git a/archival/unzip.c b/archival/unzip.c
+index 691a2d8..5844215 100644
+--- a/archival/unzip.c
++++ b/archival/unzip.c
+@@ -853,7 +853,7 @@ int unzip_main(int argc, char **argv)
+ 		unzip_skip(zip.fmt.extra_len);
+ 
+ 		/* Guard against "/abspath", "/../" and similar attacks */
+-		overlapping_strcpy(dst_fn, strip_unsafe_prefix(dst_fn));
++		strip_unsafe_prefix(dst_fn);
+ 
+ 		/* Filter zip entries */
+ 		if (find_list_entry(zreject, dst_fn)
+diff --git a/include/bb_archive.h b/include/bb_archive.h
+index e0ef8fc..1dc77f3 100644
+--- a/include/bb_archive.h
++++ b/include/bb_archive.h
+@@ -202,7 +202,8 @@ char get_header_tar_xz(archive_handle_t *archive_handle) FAST_FUNC;
+ void seek_by_jump(int fd, off_t amount) FAST_FUNC;
+ void seek_by_read(int fd, off_t amount) FAST_FUNC;
+ 
+-const char *strip_unsafe_prefix(const char *str) FAST_FUNC;
++const char *skip_unsafe_prefix(const char *str) FAST_FUNC;
++void strip_unsafe_prefix(char *str) FAST_FUNC;
+ void create_or_remember_link(llist_t **link_placeholders,
+ 		const char *target,
+ 		const char *linkname,
+-- 
+2.50.1
+
diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
new file mode 100644
index 00000000000..00a276fa4f8
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
@@ -0,0 +1,37 @@
+From 599f5dd8fac390c18b79cba4c14c334957605dae Mon Sep 17 00:00:00 2001
+From: Radoslav Kolev <radoslav.kolev@suse.com>
+Date: Mon, 16 Feb 2026 11:50:04 +0200
+Subject: [PATCH] tar: only strip unsafe components from hardlinks, not
+ symlinks
+
+commit 3fb6b31c7 introduced a check for unsafe components in
+tar archive hardlinks, but it was being applied to symlinks too
+which broke "Symlinks and hardlinks coexist" tar test.
+
+Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
+
+CVE: CVE-2026-26157, CVE-2026-26158
+Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=599f5dd8fac390c18b79cba4c14c334957605dae]
+(Alternative mirrored URL: https://gogs.librecmc.org/OWEALS/busybox/commit/599f5dd8fac390c18b79cba4c14c334957605dae)
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ archival/libarchive/get_header_tar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c
+index 1c40ece..606d806 100644
+--- a/archival/libarchive/get_header_tar.c
++++ b/archival/libarchive/get_header_tar.c
+@@ -455,7 +455,7 @@ char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
+ 
+ 	/* Everything up to and including last ".." component is stripped */
+ 	strip_unsafe_prefix(file_header->name);
+-	if (file_header->link_target) {
++	if (file_header->link_target && !S_ISLNK(file_header->mode)) {
+ 		/* GNU tar 1.34 examples:
+ 		 * tar: Removing leading '/' from hard link targets
+ 		 * tar: Removing leading '../' from hard link targets
+-- 
+2.50.1
+
diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb
index d870e2ee10c..228bfdadd33 100644
--- a/meta/recipes-core/busybox/busybox_1.36.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -62,6 +62,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://CVE-2025-46394-01.patch \
            file://CVE-2025-46394-02.patch \
            file://CVE-2025-60876.patch \
+           file://CVE-2026-26157-CVE-2026-26158-01.patch \
+           file://CVE-2026-26157-CVE-2026-26158-02.patch \
            "
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html

Re: [OE-core][scarthgap 15/16] busybox: fix for CVE-2026-26157, CVE-2026-26158

[Yoann Congal]

On Mon Mar 30, 2026 at 12:37 AM CEST, Yoann Congal wrote:
> From: Hitendra Prajapati <hprajapati@mvista.com>
>
> Pick up patch from NVD report.
>
> More details :
> [1]: https://nvd.nist.gov/vuln/detail/CVE-2026-26157
> [2]: https://nvd.nist.gov/vuln/detail/CVE-2026-26158
>
> Note:
> We use patch from busybox mirror that looks trustworthy https://gogs.librecmc.org/OWEALS/busybox.
>
> Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---

I did not wanted to send that patch, please ignore.

>  .../CVE-2026-26157-CVE-2026-26158-01.patch    | 198 ++++++++++++++++++
>  .../CVE-2026-26157-CVE-2026-26158-02.patch    |  37 ++++
>  meta/recipes-core/busybox/busybox_1.36.1.bb   |   2 +
>  3 files changed, 237 insertions(+)
>  create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
>  create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
>
> diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
> new file mode 100644
> index 00000000000..cdc23947949
> --- /dev/null
> +++ b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
> @@ -0,0 +1,198 @@
> +From 3fb6b31c716669e12f75a2accd31bb7685b1a1cb Mon Sep 17 00:00:00 2001
> +From: Denys Vlasenko <vda.linux@googlemail.com>
> +Date: Thu, 29 Jan 2026 11:48:02 +0100
> +Subject: [PATCH] tar: strip unsafe hardlink components - GNU tar does the same
> +
> +Defends against files like these (python reproducer):
> +
> +import tarfile
> +ti = tarfile.TarInfo("leak_hosts")
> +ti.type = tarfile.LNKTYPE
> +ti.linkname = "/etc/hosts"  # or "../etc/hosts" or ".."
> +ti.size = 0
> +with tarfile.open("/tmp/hardlink.tar", "w") as t:
> +	t.addfile(ti)
> +
> +function                                             old     new   delta
> +skip_unsafe_prefix                                     -     127    +127
> +get_header_tar                                      1752    1754      +2
> +.rodata                                           106861  106856      -5
> +unzip_main                                          2715    2706      -9
> +strip_unsafe_prefix                                  102      18     -84
> +------------------------------------------------------------------------------
> +(add/remove: 1/0 grow/shrink: 1/3 up/down: 129/-98)            Total: 31 bytes
> +
> +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
> +
> +CVE: CVE-2026-26157, CVE-2026-26158
> +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb]
> +(Alternative mirrored URL: https://gogs.librecmc.org/OWEALS/busybox/commit/3fb6b31c716669e12f75a2accd31bb7685b1a1cb)
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + archival/libarchive/data_extract_all.c      |  7 +++--
> + archival/libarchive/get_header_tar.c        | 11 ++++++--
> + archival/libarchive/unsafe_prefix.c         | 30 +++++++++++++++++----
> + archival/libarchive/unsafe_symlink_target.c |  1 +
> + archival/tar.c                              |  2 +-
> + archival/unzip.c                            |  2 +-
> + include/bb_archive.h                        |  3 ++-
> + 7 files changed, 42 insertions(+), 14 deletions(-)
> +
> +diff --git a/archival/libarchive/data_extract_all.c b/archival/libarchive/data_extract_all.c
> +index 8a69711..b84b960 100644
> +--- a/archival/libarchive/data_extract_all.c
> ++++ b/archival/libarchive/data_extract_all.c
> +@@ -66,8 +66,8 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
> + 	}
> + #endif
> + #if ENABLE_FEATURE_PATH_TRAVERSAL_PROTECTION
> +-	/* Strip leading "/" and up to last "/../" path component */
> +-	dst_name = (char *)strip_unsafe_prefix(dst_name);
> ++	/* Skip leading "/" and past last ".." path component */
> ++	dst_name = (char *)skip_unsafe_prefix(dst_name);
> + #endif
> + // ^^^ This may be a problem if some applets do need to extract absolute names.
> + // (Probably will need to invent ARCHIVE_ALLOW_UNSAFE_NAME flag).
> +@@ -185,8 +185,7 @@ void FAST_FUNC data_extract_all(archive_handle_t *archive_handle)
> + 
> + 		/* To avoid a directory traversal attack via symlinks,
> + 		 * do not restore symlinks with ".." components
> +-		 * or symlinks starting with "/", unless a magic
> +-		 * envvar is set.
> ++		 * or symlinks starting with "/"
> + 		 *
> + 		 * For example, consider a .tar created via:
> + 		 *  $ tar cvf bug.tar anything.txt
> +diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c
> +index cc6f3f0..1c40ece 100644
> +--- a/archival/libarchive/get_header_tar.c
> ++++ b/archival/libarchive/get_header_tar.c
> +@@ -454,8 +454,15 @@ char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
> + #endif
> + 
> + 	/* Everything up to and including last ".." component is stripped */
> +-	overlapping_strcpy(file_header->name, strip_unsafe_prefix(file_header->name));
> +-//TODO: do the same for file_header->link_target?
> ++	strip_unsafe_prefix(file_header->name);
> ++	if (file_header->link_target) {
> ++		/* GNU tar 1.34 examples:
> ++		 * tar: Removing leading '/' from hard link targets
> ++		 * tar: Removing leading '../' from hard link targets
> ++		 * tar: Removing leading 'etc/../' from hard link targets
> ++		 */
> ++		strip_unsafe_prefix(file_header->link_target);
> ++	}
> + 
> + 	/* Strip trailing '/' in directories */
> + 	/* Must be done after mode is set as '/' is used to check if it's a directory */
> +diff --git a/archival/libarchive/unsafe_prefix.c b/archival/libarchive/unsafe_prefix.c
> +index 6670811..89a371a 100644
> +--- a/archival/libarchive/unsafe_prefix.c
> ++++ b/archival/libarchive/unsafe_prefix.c
> +@@ -5,11 +5,11 @@
> + #include "libbb.h"
> + #include "bb_archive.h"
> + 
> +-const char* FAST_FUNC strip_unsafe_prefix(const char *str)
> ++const char* FAST_FUNC skip_unsafe_prefix(const char *str)
> + {
> + 	const char *cp = str;
> + 	while (1) {
> +-		char *cp2;
> ++		const char *cp2;
> + 		if (*cp == '/') {
> + 			cp++;
> + 			continue;
> +@@ -22,10 +22,25 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str)
> + 			cp += 3;
> + 			continue;
> + 		}
> +-		cp2 = strstr(cp, "/../");
> ++		cp2 = cp;
> ++ find_dotdot:
> ++		cp2 = strstr(cp2, "/..");
> + 		if (!cp2)
> +-			break;
> +-		cp = cp2 + 4;
> ++			break; /* No (more) malicious components */
> ++
> ++		/* We found "/..something" */
> ++		cp2 += 3;
> ++		if (*cp2 != '/') {
> ++			if (*cp2 == '\0') {
> ++				/* Trailing "/..": malicious, return "" */
> ++				/* (causes harmless errors trying to create or hardlink a file named "") */
> ++				return cp2;
> ++			}
> ++			/* "/..name" is not malicious, look for next "/.." */
> ++			goto find_dotdot;
> ++		}
> ++		/* Found "/../": malicious, advance past it */
> ++		cp = cp2 + 1;
> + 	}
> + 	if (cp != str) {
> + 		static smallint warned = 0;
> +@@ -37,3 +52,8 @@ const char* FAST_FUNC strip_unsafe_prefix(const char *str)
> + 	}
> + 	return cp;
> + }
> ++
> ++void FAST_FUNC strip_unsafe_prefix(char *str)
> ++{
> ++	overlapping_strcpy(str, skip_unsafe_prefix(str));
> ++}
> +diff --git a/archival/libarchive/unsafe_symlink_target.c b/archival/libarchive/unsafe_symlink_target.c
> +index f8dc803..d764c89 100644
> +--- a/archival/libarchive/unsafe_symlink_target.c
> ++++ b/archival/libarchive/unsafe_symlink_target.c
> +@@ -36,6 +36,7 @@ void FAST_FUNC create_links_from_list(llist_t *list)
> + 				*list->data ? "hard" : "sym",
> + 				list->data + 1, target
> + 			);
> ++			/* Note: GNU tar 1.34 errors out only _after_ all links are (attempted to be) created */
> + 		}
> + 		list = list->link;
> + 	}
> +diff --git a/archival/tar.c b/archival/tar.c
> +index 9de3759..cf8c2d1 100644
> +--- a/archival/tar.c
> ++++ b/archival/tar.c
> +@@ -475,7 +475,7 @@ static int FAST_FUNC writeFileToTarball(struct recursive_state *state,
> + 	DBG("writeFileToTarball('%s')", fileName);
> + 
> + 	/* Strip leading '/' and such (must be before memorizing hardlink's name) */
> +-	header_name = strip_unsafe_prefix(fileName);
> ++	header_name = skip_unsafe_prefix(fileName);
> + 
> + 	if (header_name[0] == '\0')
> + 		return TRUE;
> +diff --git a/archival/unzip.c b/archival/unzip.c
> +index 691a2d8..5844215 100644
> +--- a/archival/unzip.c
> ++++ b/archival/unzip.c
> +@@ -853,7 +853,7 @@ int unzip_main(int argc, char **argv)
> + 		unzip_skip(zip.fmt.extra_len);
> + 
> + 		/* Guard against "/abspath", "/../" and similar attacks */
> +-		overlapping_strcpy(dst_fn, strip_unsafe_prefix(dst_fn));
> ++		strip_unsafe_prefix(dst_fn);
> + 
> + 		/* Filter zip entries */
> + 		if (find_list_entry(zreject, dst_fn)
> +diff --git a/include/bb_archive.h b/include/bb_archive.h
> +index e0ef8fc..1dc77f3 100644
> +--- a/include/bb_archive.h
> ++++ b/include/bb_archive.h
> +@@ -202,7 +202,8 @@ char get_header_tar_xz(archive_handle_t *archive_handle) FAST_FUNC;
> + void seek_by_jump(int fd, off_t amount) FAST_FUNC;
> + void seek_by_read(int fd, off_t amount) FAST_FUNC;
> + 
> +-const char *strip_unsafe_prefix(const char *str) FAST_FUNC;
> ++const char *skip_unsafe_prefix(const char *str) FAST_FUNC;
> ++void strip_unsafe_prefix(char *str) FAST_FUNC;
> + void create_or_remember_link(llist_t **link_placeholders,
> + 		const char *target,
> + 		const char *linkname,
> +-- 
> +2.50.1
> +
> diff --git a/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
> new file mode 100644
> index 00000000000..00a276fa4f8
> --- /dev/null
> +++ b/meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
> @@ -0,0 +1,37 @@
> +From 599f5dd8fac390c18b79cba4c14c334957605dae Mon Sep 17 00:00:00 2001
> +From: Radoslav Kolev <radoslav.kolev@suse.com>
> +Date: Mon, 16 Feb 2026 11:50:04 +0200
> +Subject: [PATCH] tar: only strip unsafe components from hardlinks, not
> + symlinks
> +
> +commit 3fb6b31c7 introduced a check for unsafe components in
> +tar archive hardlinks, but it was being applied to symlinks too
> +which broke "Symlinks and hardlinks coexist" tar test.
> +
> +Signed-off-by: Radoslav Kolev <radoslav.kolev@suse.com>
> +Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
> +
> +CVE: CVE-2026-26157, CVE-2026-26158
> +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=599f5dd8fac390c18b79cba4c14c334957605dae]
> +(Alternative mirrored URL: https://gogs.librecmc.org/OWEALS/busybox/commit/599f5dd8fac390c18b79cba4c14c334957605dae)
> +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
> +---
> + archival/libarchive/get_header_tar.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/archival/libarchive/get_header_tar.c b/archival/libarchive/get_header_tar.c
> +index 1c40ece..606d806 100644
> +--- a/archival/libarchive/get_header_tar.c
> ++++ b/archival/libarchive/get_header_tar.c
> +@@ -455,7 +455,7 @@ char FAST_FUNC get_header_tar(archive_handle_t *archive_handle)
> + 
> + 	/* Everything up to and including last ".." component is stripped */
> + 	strip_unsafe_prefix(file_header->name);
> +-	if (file_header->link_target) {
> ++	if (file_header->link_target && !S_ISLNK(file_header->mode)) {
> + 		/* GNU tar 1.34 examples:
> + 		 * tar: Removing leading '/' from hard link targets
> + 		 * tar: Removing leading '../' from hard link targets
> +-- 
> +2.50.1
> +
> diff --git a/meta/recipes-core/busybox/busybox_1.36.1.bb b/meta/recipes-core/busybox/busybox_1.36.1.bb
> index d870e2ee10c..228bfdadd33 100644
> --- a/meta/recipes-core/busybox/busybox_1.36.1.bb
> +++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
> @@ -62,6 +62,8 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
>             file://CVE-2025-46394-01.patch \
>             file://CVE-2025-46394-02.patch \
>             file://CVE-2025-60876.patch \
> +           file://CVE-2026-26157-CVE-2026-26158-01.patch \
> +           file://CVE-2026-26157-CVE-2026-26158-02.patch \
>             "
>  SRC_URI:append:libc-musl = " file://musl.cfg "
>  # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html


-- 
Yoann Congal
Smile ECS

[OE-core][scarthgap 16/16] rust: Enable dynamic linking with llvm

[Yoann Congal]

From: Sunil Dora <sunilkumar.dora@windriver.com>

Fixes [Yocto #16058]

A segmentation fault occurs in rustc (e.g. in
llvm::X86ReadAdvanceTable) when reusing sstate artifacts built with
different host toolchain versions.

Issue sequence:
1. llvm-native is built with a newer toolchain
   (e.g. GCC 15/Binutils 2.45).
2. rust-native is later built with an older linker.
   (e.g. GCC 12/Binutils 2.40).
3. The older linker statically links parts of llvm-native into
   librustc_driver.
4. The resulting binary crashes at runtime inside the statically
   linked LLVM code.

The corruption happens at link time when mixing static native objects
produced by different toolchain generations.

Enable dynamic LLVM linking (link-shared = true) for rust-native so rustc
links against libLLVM.so instead of static archives, avoiding host linker
incompatibilities when reusing sstate artifacts.

Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
Suggested-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 74ba238ff1ba1e9b612aece1989b828f3a8f8770)
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
---
 meta/recipes-devtools/rust/rust_1.75.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/rust/rust_1.75.0.bb b/meta/recipes-devtools/rust/rust_1.75.0.bb
index b9348bf0507..f037bb33715 100644
--- a/meta/recipes-devtools/rust/rust_1.75.0.bb
+++ b/meta/recipes-devtools/rust/rust_1.75.0.bb
@@ -128,6 +128,8 @@ python do_configure() {
 
     # [llvm]
     config.add_section("llvm")
+    if d.getVar('PN') == "rust-native":
+        config.set("llvm", "link-shared", e(True))
     config.set("llvm", "static-libstdcpp", e(False))
     if "llvm" in (d.getVar('TC_CXX_RUNTIME') or ""):
         config.set("llvm", "use-libcxx", e(True))

Re: [OE-core][scarthgap 16/16] rust: Enable dynamic linking with llvm

[Yoann Congal]

On Mon Mar 30, 2026 at 12:37 AM CEST, Yoann Congal wrote:
> From: Sunil Dora <sunilkumar.dora@windriver.com>
>
> Fixes [Yocto #16058]
>
> A segmentation fault occurs in rustc (e.g. in
> llvm::X86ReadAdvanceTable) when reusing sstate artifacts built with
> different host toolchain versions.
>
> Issue sequence:
> 1. llvm-native is built with a newer toolchain
>    (e.g. GCC 15/Binutils 2.45).
> 2. rust-native is later built with an older linker.
>    (e.g. GCC 12/Binutils 2.40).
> 3. The older linker statically links parts of llvm-native into
>    librustc_driver.
> 4. The resulting binary crashes at runtime inside the statically
>    linked LLVM code.
>
> The corruption happens at link time when mixing static native objects
> produced by different toolchain generations.
>
> Enable dynamic LLVM linking (link-shared = true) for rust-native so rustc
> links against libLLVM.so instead of static archives, avoiding host linker
> incompatibilities when reusing sstate artifacts.
>
> Signed-off-by: Sunil Dora <sunilkumar.dora@windriver.com>
> Suggested-by: Alexander Kanavin <alex@linutronix.de>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit 74ba238ff1ba1e9b612aece1989b828f3a8f8770)
> Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
> ---

I did not wanted to send that patch, please ignore.

>  meta/recipes-devtools/rust/rust_1.75.0.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-devtools/rust/rust_1.75.0.bb b/meta/recipes-devtools/rust/rust_1.75.0.bb
> index b9348bf0507..f037bb33715 100644
> --- a/meta/recipes-devtools/rust/rust_1.75.0.bb
> +++ b/meta/recipes-devtools/rust/rust_1.75.0.bb
> @@ -128,6 +128,8 @@ python do_configure() {
>  
>      # [llvm]
>      config.add_section("llvm")
> +    if d.getVar('PN') == "rust-native":
> +        config.set("llvm", "link-shared", e(True))
>      config.set("llvm", "static-libstdcpp", e(False))
>      if "llvm" in (d.getVar('TC_CXX_RUNTIME') or ""):
>          config.set("llvm", "use-libcxx", e(True))


-- 
Yoann Congal
Smile ECS

Re: [OE-core][scarthgap 00/16] Patch review

[Yoann Congal]

On Mon Mar 30, 2026 at 12:37 AM CEST, Yoann Congal wrote:
> Please review this set of changes for scarthgap and have comments back by
> end of day Tuesday, March 31.
>
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
> Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
> Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551
>
> [0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t

*sigh* I need to check on my tooling because it did not sent the right
branch. Please ignore this series. I'll send the correct one shortly.

Sorry for the noise.

> The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:
>
>   Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)
>
> are available in the Git repository at:
>
>   https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
>   https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
>
> for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:
>
>   python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)
>
> ----------------------------------------------------------------
>
> Hitendra Prajapati (2):
>   libxml-parser-perl: fix for CVE-2006-10003
>   busybox: fix for CVE-2026-26157, CVE-2026-26158
>
> João Marcos Costa (Schneider Electric) (1):
>   spdx: add option to include only compiled sources
>
> Martin Jansa (3):
>   dtc: backport fix for build with glibc-2.43
>   elfutils: don't add -Werror to avoid discarded-qualifiers
>   binutils: backport patch to fix build with glibc-2.43 on host
>
> Michael Halstead (2):
>   yocto-uninative: Update to 5.0 for needed patchelf updates
>   yocto-uninative: Update to 5.1 for glibc 2.43
>
> Nguyen Dat Tho (1):
>   python3-cryptography: Fix CVE-2026-26007
>
> Paul Barker (1):
>   tzdata,tzcode-native: Upgrade 2025b -> 2025c
>
> Richard Purdie (1):
>   pseudo: Add fix for glibc 2.43
>
> Sunil Dora (1):
>   rust: Enable dynamic linking with llvm
>
> Vijay Anusuri (3):
>   python3-pyopenssl: Fix CVE-2026-27448
>   python3-pyopenssl: Fix CVE-2026-27459
>   gnutls: Fix CVE-2025-14831
>
> sureshha (1):
>   systemd: backport patch to fix journal-file issue
>
>  meta/classes/spdx-common.bbclass              |   3 +
>  meta/conf/distro/include/yocto-uninative.inc  |  10 +-
>  meta/lib/oe/spdx30_tasks.py                   |  12 +
>  .../CVE-2026-26157-CVE-2026-26158-01.patch    | 198 +++++++
>  .../CVE-2026-26157-CVE-2026-26158-02.patch    |  37 ++
>  meta/recipes-core/busybox/busybox_1.36.1.bb   |   2 +
>  ...not-trigger-assertion-on-removed-or-.patch |  65 +++
>  meta/recipes-core/systemd/systemd_255.21.bb   |   1 +
>  .../binutils/binutils-2.42.inc                |   1 +
>  ...tect-against-standard-library-macros.patch |  31 ++
>  .../elfutils/elfutils_0.191.bb                |   1 +
>  ...001-config-eu.am-do-not-force-Werror.patch |  34 ++
>  .../libxml-parser-perl/CVE-2006-10003.patch   |  73 +++
>  .../perl/libxml-parser-perl_2.47.bb           |   1 +
>  meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
>  .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++
>  .../python/python3-cryptography_42.0.5.bb     |   1 +
>  .../python3-pyopenssl/CVE-2026-27448.patch    | 124 +++++
>  .../python3-pyopenssl/CVE-2026-27459.patch    | 109 ++++
>  .../python/python3-pyopenssl_24.0.0.bb        |   5 +
>  meta/recipes-devtools/rust/rust_1.75.0.bb     |   2 +
>  meta/recipes-extended/timezone/timezone.inc   |   6 +-
>  .../0001-Fix-discarded-const-qualifiers.patch |  85 +++
>  meta/recipes-kernel/dtc/dtc_1.7.0.bb          |   1 +
>  .../gnutls/gnutls/CVE-2025-14831-1.patch      |  61 +++
>  .../gnutls/gnutls/CVE-2025-14831-2.patch      |  30 ++
>  .../gnutls/gnutls/CVE-2025-14831-3.patch      |  45 ++
>  .../gnutls/gnutls/CVE-2025-14831-4.patch      | 200 +++++++
>  .../gnutls/gnutls/CVE-2025-14831-5.patch      | 500 ++++++++++++++++++
>  .../gnutls/gnutls/CVE-2025-14831-6.patch      | 119 +++++
>  .../gnutls/gnutls/CVE-2025-14831-7.patch      | 150 ++++++
>  .../gnutls/gnutls/CVE-2025-14831-8.patch      | 105 ++++
>  .../gnutls/gnutls/CVE-2025-14831-9.patch      | 437 +++++++++++++++
>  meta/recipes-support/gnutls/gnutls_3.8.4.bb   |   9 +
>  34 files changed, 2600 insertions(+), 9 deletions(-)
>  create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-01.patch
>  create mode 100644 meta/recipes-core/busybox/busybox/CVE-2026-26157-CVE-2026-26158-02.patch
>  create mode 100644 meta/recipes-core/systemd/systemd/0023-journal-file-do-not-trigger-assertion-on-removed-or-.patch
>  create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
>  create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
>  create mode 100644 meta/recipes-devtools/perl/libxml-parser-perl/CVE-2006-10003.patch
>  create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
>  create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
>  create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
>  create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-1.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-2.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-3.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-4.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-5.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-6.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-7.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-8.patch
>  create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-14831-9.patch


-- 
Yoann Congal
Smile ECS