[OE-core][kirkstone 0/8] Patch review

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, December 1

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6260

The following changes since commit 8726ae02d760270f9e7fe7ef5715d8f7553371ce:

  goarch: Move Go architecture mapping to a library (2023-11-21 05:32:39 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (2):
  gstreamer1.0-plugins-bad: fix CVE-2023-44429
  vim: Upgrade 9.0.2048 -> 9.0.2068

Hitendra Prajapati (1):
  grub: fix CVE-2023-4693

Li Wang (1):
  systemtap_git: fix used uninitialized error

Ninad Palsule (1):
  kernel-fitImage: Strip path component from dtb

Richard Purdie (1):
  vim: Improve locale handling

Steve Sakoman (1):
  vim: use upstream generated .po files

Vivek Kumbhar (1):
  openssl: fix CVE-2023-5678 Generating excessively long X9.42 DH keys
    or checking excessively long X9.42 DH keys or parameters may be very
    slow

 meta/classes/kernel-fitimage.bbclass          |   5 +
 .../grub/files/CVE-2023-4693.patch            |  62 ++++++
 meta/recipes-bsp/grub/grub2.inc               |   1 +
 .../openssl/openssl/CVE-2023-5678.patch       | 180 ++++++++++++++++++
 .../openssl/openssl_3.0.12.bb                 |   1 +
 ...x-Prevent-Werror-maybe-uninitialized.patch |  53 ++++++
 .../recipes-kernel/systemtap/systemtap_git.bb |   1 +
 .../CVE-2023-44429.patch                      |  38 ++++
 .../gstreamer1.0-plugins-bad_1.20.7.bb        |   1 +
 meta/recipes-support/vim/vim.inc              |  20 +-
 10 files changed, 350 insertions(+), 12 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4693.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
 create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch

-- 
2.34.1

[OE-core][kirkstone 1/8] gstreamer1.0-plugins-bad: fix CVE-2023-44429

[Steve Sakoman]

From: Archana Polampalli <archana.polampalli@windriver.com>

AV1 codec parser buffer overflow

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../CVE-2023-44429.patch                      | 38 +++++++++++++++++++
 .../gstreamer1.0-plugins-bad_1.20.7.bb        |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch
new file mode 100644
index 0000000000..5070d6b865
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-44429.patch
@@ -0,0 +1,38 @@
+From 1db83d3f745332cbda6adf954b2c53a10caa205e Mon Sep 17 00:00:00 2001
+From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
+Date: Wed, 4 Oct 2023 11:14:38 +0200
+Subject: [PATCH] codecparsers: av1: Clip max tile rows and cols values
+
+Clip tile rows and cols to 64 as describe in AV1 specification.
+
+Fixes ZDI-CAN-22226 / CVE-2023-44429
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3015
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5634>
+
+CVE: CVE-2023-44429
+
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1db83d3f745332cbda6adf954b2c53a10caa205e]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ gst-libs/gst/codecparsers/gstav1parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gst-libs/gst/codecparsers/gstav1parser.c b/gst-libs/gst/codecparsers/gstav1parser.c
+index 7b9378c..68f8a76 100644
+--- a/gst-libs/gst/codecparsers/gstav1parser.c
++++ b/gst-libs/gst/codecparsers/gstav1parser.c
+@@ -2219,6 +2219,8 @@ gst_av1_parse_tile_info (GstAV1Parser * parser, GstBitReader * br,
+       ((parser->state.mi_cols + 31) >> 5) : ((parser->state.mi_cols + 15) >> 4);
+   sb_rows = seq_header->use_128x128_superblock ? ((parser->state.mi_rows +
+           31) >> 5) : ((parser->state.mi_rows + 15) >> 4);
++  sb_cols = MIN (GST_AV1_MAX_TILE_COLS, sb_cols);
++  sb_rows = MIN (GST_AV1_MAX_TILE_ROWS, sb_rows);
+   sb_shift = seq_header->use_128x128_superblock ? 5 : 4;
+   sb_size = sb_shift + 2;
+   max_tile_width_sb = GST_AV1_MAX_TILE_WIDTH >> sb_size;
+--
+2.40.0
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
index fbaabda3f9..504cfce1fd 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad_1.20.7.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://gstreamer.freedesktop.org/src/gst-plugins-bad/gst-plugins-bad
            file://CVE-2023-40474.patch \
            file://CVE-2023-40475.patch \
            file://CVE-2023-40476.patch \
+           file://CVE-2023-44429.patch \
            "
 SRC_URI[sha256sum] = "87251beebfd1325e5118cc67774061f6e8971761ca65a9e5957919610080d195"
 
-- 
2.34.1

[OE-core][kirkstone 2/8] openssl: fix CVE-2023-5678 Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow

[Steve Sakoman]

From: Vivek Kumbhar <vkumbhar@mvista.com>

Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../openssl/openssl/CVE-2023-5678.patch       | 180 ++++++++++++++++++
 .../openssl/openssl_3.0.12.bb                 |   1 +
 2 files changed, 181 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
new file mode 100644
index 0000000000..796a4f8be9
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
@@ -0,0 +1,180 @@
+From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Fri, 20 Oct 2023 09:18:19 +0200
+Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
+
+We already check for an excessively large P in DH_generate_key(), but not in
+DH_check_pub_key(), and none of them check for an excessively large Q.
+
+This change adds all the missing excessive size checks of P and Q.
+
+It's to be noted that behaviours surrounding excessively sized P and Q
+differ.  DH_check() raises an error on the excessively sized P, but only
+sets a flag for the excessively sized Q.  This behaviour is mimicked in
+DH_check_pub_key().
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Hugo Landau <hlandau@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/22518)
+
+(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
+
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017]
+CVE: CVE-2023-5678
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ crypto/dh/dh_check.c    | 12 ++++++++++++
+ crypto/dh/dh_err.c      |  3 ++-
+ crypto/dh/dh_key.c      | 12 ++++++++++++
+ crypto/err/openssl.txt  |  1 +
+ include/crypto/dherr.h  |  2 +-
+ include/openssl/dh.h    |  6 +++---
+ include/openssl/dherr.h |  3 ++-
+ 7 files changed, 33 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
+index 7ba2bea..e20eb62 100644
+--- a/crypto/dh/dh_check.c
++++ b/crypto/dh/dh_check.c
+@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
+  */
+ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
+ {
++    /* Don't do any checks at all with an excessively large modulus */
++    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
++        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
++        return 0;
++    }
++
++    if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
++        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
++        return 1;
++    }
++
+     return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
+ }
+
+diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
+index 4152397..f76ac0d 100644
+--- a/crypto/dh/dh_err.c
++++ b/crypto/dh/dh_err.c
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
+     "parameter encoding error"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
++    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
+     "unable to check generator"},
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index d84ea99..afc49f5 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+         goto err;
+     }
+
++    if (dh->params.q != NULL
++        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
++        goto err;
++    }
++
+     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
+         return 0;
+@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
+         return 0;
+     }
+
++    if (dh->params.q != NULL
++        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
++        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
++        return 0;
++    }
++
+     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
+         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
+         return 0;
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index e51504b..36de321 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
+ DH_R_NO_PRIVATE_VALUE:100:no private value
+ DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
+ DH_R_PEER_KEY_ERROR:111:peer key error
++DH_R_Q_TOO_LARGE:130:q too large
+ DH_R_SHARED_INFO_ERROR:113:shared info error
+ DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
+ DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
+diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
+index bb24d13..519327f 100644
+--- a/include/crypto/dherr.h
++++ b/include/crypto/dherr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+diff --git a/include/openssl/dh.h b/include/openssl/dh.h
+index 6533260..50e0cf5 100644
+--- a/include/openssl/dh.h
++++ b/include/openssl/dh.h
+@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams)
+ #   define DH_GENERATOR_3          3
+ #   define DH_GENERATOR_5          5
+
+-/* DH_check error codes */
++/* DH_check error codes, some of them shared with DH_check_pub_key */
+ /*
+  * NB: These values must align with the equivalently named macros in
+  * internal/ffc.h.
+@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams)
+ #   define DH_UNABLE_TO_CHECK_GENERATOR    0x04
+ #   define DH_NOT_SUITABLE_GENERATOR       0x08
+ #   define DH_CHECK_Q_NOT_PRIME            0x10
+-#   define DH_CHECK_INVALID_Q_VALUE        0x20
++#   define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
+ #   define DH_CHECK_INVALID_J_VALUE        0x40
+ #   define DH_MODULUS_TOO_SMALL            0x80
+-#   define DH_MODULUS_TOO_LARGE            0x100
++#   define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
+
+ /* DH_check_pub_key error codes */
+ #   define DH_CHECK_PUBKEY_TOO_SMALL       0x01
+diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
+index 5d2a762..074a701 100644
+--- a/include/openssl/dherr.h
++++ b/include/openssl/dherr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -50,6 +50,7 @@
+ #  define DH_R_NO_PRIVATE_VALUE                            100
+ #  define DH_R_PARAMETER_ENCODING_ERROR                    105
+ #  define DH_R_PEER_KEY_ERROR                              111
++#  define DH_R_Q_TOO_LARGE                                 130
+ #  define DH_R_SHARED_INFO_ERROR                           113
+ #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
+
+--
+2.40.1
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.12.bb b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
index d8c9b073a2..395cace2ec 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
@@ -12,6 +12,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
            file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
            file://afalg.patch \
            file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://CVE-2023-5678.patch \
            "
 
 SRC_URI:append:class-nativesdk = " \
-- 
2.34.1

[OE-core][kirkstone 3/8] grub: fix CVE-2023-4693

[Steve Sakoman]

From: Hitendra Prajapati <hprajapati@mvista.com>

Upstream-Status: Backport from https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../grub/files/CVE-2023-4693.patch            | 62 +++++++++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |  1 +
 2 files changed, 63 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2023-4693.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2023-4693.patch b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
new file mode 100644
index 0000000000..1b6013d86d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2023-4693.patch
@@ -0,0 +1,62 @@
+From 0ed2458cc4eff6d9a9199527e2a0b6d445802f94 Mon Sep 17 00:00:00 2001
+From: Maxim Suhanov <dfirblog@gmail.com>
+Date: Mon, 28 Aug 2023 16:32:33 +0300
+Subject: [PATCH] fs/ntfs: Fix an OOB read when reading data from the resident
+ $DATA attribute
+
+When reading a file containing resident data, i.e., the file data is stored in
+the $DATA attribute within the NTFS file record, not in external clusters,
+there are no checks that this resident data actually fits the corresponding
+file record segment.
+
+When parsing a specially-crafted file system image, the current NTFS code will
+read the file data from an arbitrary, attacker-chosen memory offset and of
+arbitrary, attacker-chosen length.
+
+This allows an attacker to display arbitrary chunks of memory, which could
+contain sensitive information like password hashes or even plain-text,
+obfuscated passwords from BS EFI variables.
+
+This fix implements a check to ensure that resident data is read from the
+corresponding file record segment only.
+
+Fixes: CVE-2023-4693
+
+Reported-by: Maxim Suhanov <dfirblog@gmail.com>
+Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0ed2458cc4eff6d9a9199527e2a0b6d445802f94]
+CVE: CVE-2023-4693
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ntfs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 7e43fd6..8f63c83 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -401,7 +401,18 @@ read_data (struct grub_ntfs_attr *at, grub_uint8_t *pa, grub_uint8_t *dest,
+     {
+       if (ofs + len > u32at (pa, 0x10))
+ 	return grub_error (GRUB_ERR_BAD_FS, "read out of range");
+-      grub_memcpy (dest, pa + u32at (pa, 0x14) + ofs, len);
++
++      if (u32at (pa, 0x10) > (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute too large");
++
++      if (pa >= at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR))
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++      if (u16at (pa, 0x14) + u32at (pa, 0x10) >
++	  (grub_addr_t) at->mft->buf + (at->mft->data->mft_size << GRUB_NTFS_BLK_SHR) - (grub_addr_t) pa)
++	return grub_error (GRUB_ERR_BAD_FS, "resident attribute out of range");
++
++      grub_memcpy (dest, pa + u16at (pa, 0x14) + ofs, len);
+       return 0;
+     }
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index aaee8a1e03..e6c6cd98b4 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -39,6 +39,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
            file://commands-boot-Add-API-to-pass-context-to-loader.patch \
            file://CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch \
 	   file://CVE-2023-4692.patch \
+           file://CVE-2023-4693.patch \
 "
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
-- 
2.34.1

[OE-core][kirkstone 4/8] vim: Improve locale handling

[Steve Sakoman]

From: Richard Purdie <richard.purdie@linuxfoundation.org>

When making checkouts from git, the timestamps can vary and occasionally two files
can end up with the same stamp. This triggers make to regenerate ru.cp1251.po from
ru.po for example. If it isn't regenerated, the output isn't quite the same leading
to reproducibility issues (CP1251 vs cp1251).

Since we added all locales to buildtools tarball now, we can drop the locale
restrictions too. We need to generate a native binary for the sjis conversion
tool so also tweak that.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 042c1a501b1dae5ddb31307b461be02c3591c589)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 58025828f2..38212a1fa6 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -40,22 +40,16 @@ do_configure () {
     cd src
     rm -f auto/*
     touch auto/config.mk
+    # git timestamps aren't reliable and we want to consistently regenerate these generated files
+    rm -f po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po
     aclocal
     autoconf
     cd ..
     oe_runconf
     touch src/auto/configure
     touch src/auto/config.mk src/auto/config.h
-}
-
-do_compile() {
-    # We do not support fully / correctly the following locales.  Attempting
-    # to use these with msgfmt in order to update the ".desktop" files exposes
-    # this problem and leads to the compile failing.
-    for LOCALE in cs fr ko pl sk zh_CN zh_TW;do
-        echo -n > src/po/${LOCALE}.po
-    done
-    autotools_do_compile
+    # need a native tool, not a target one
+    ${BUILD_CC} src/po/sjiscorr.c -o src/po/sjiscorr
 }
 
 PACKAGECONFIG ??= "\
-- 
2.34.1

[OE-core][kirkstone 5/8] vim: use upstream generated .po files

[Steve Sakoman]

A previous commit attempted to fix reproducibility errors by forcing
regeneration of .po files. Unfortunately this triggered a different
type of reproducibility issue.

Work around this by adjusting the timestamps of the troublesome .po
files so they are not regenerated and we use the shipped upstream
versions of the files.

The shipped version of ru.cp1251.po doesn't seem to have been created
with the vim tooling and specifies CP1251 instead of cp1251, fix that.

Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 13d9551ba626f001c71bf908df16caf1d739cf13)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 38212a1fa6..888f8f0e5a 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -40,8 +40,10 @@ do_configure () {
     cd src
     rm -f auto/*
     touch auto/config.mk
-    # git timestamps aren't reliable and we want to consistently regenerate these generated files
-    rm -f po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po
+    # git timestamps aren't reliable, so touch the shipped .po files so they aren't regenerated
+    touch -c po/cs.cp1250.po po/ja.euc-jp.po po/ja.sjis.po po/ko.po po/pl.UTF-8.po po/pl.cp1250.po po/ru.cp1251.po po/sk.cp1250.po po/uk.cp1251.po po/zh_CN.po po/zh_CN.cp936.po po/zh_TW.po
+    # ru.cp1251.po uses CP1251 rather than cp1251, fix that
+    sed -i -e s/CP1251/cp1251/ po/ru.cp1251.po
     aclocal
     autoconf
     cd ..
-- 
2.34.1

[OE-core][kirkstone 6/8] vim: Upgrade 9.0.2048 -> 9.0.2068

[Steve Sakoman]

From: Archana Polampalli <archana.polampalli@windriver.com>

This includes CVE fix for CVE-2023-46246.
9198c1f2b (tag: v9.0.2068) patch 9.0.2068: [security] overflow in :history

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-46246

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 63bc72ccb63d2f8eb591d7cc481657a538f0fd42)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 888f8f0e5a..a37310afd8 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,8 +19,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://no-path-adjust.patch \
            "
 
-PV .= ".2048"
-SRCREV = "982ef16059bd163a77271107020defde0740bbd6"
+PV .= ".2068"
+SRCREV = "9198c1f2b1ddecde22af918541e0de2a32f0f45a"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0"
-- 
2.34.1

[OE-core][kirkstone 7/8] kernel-fitImage: Strip path component from dtb

[Steve Sakoman]

From: Ninad Palsule <ninad@linux.ibm.com>

Machines that have added subdirectires to the KERNEL_DEVICETREE
recently, such as arm32 boards that were moved under subdirectories in
Linux 6.5, will have that subdirectory in the node name of the FIT. This
breaks existing systems that select a configuration in u-boot by it's
name.

Strip off the directory component from the device tree to preserve
compatibility.

(From OE-Core rev: 941ba1a132bafa9c9be855fb91fec96d8b06299f)

Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Ninad Palsule <ninad@linux.ibm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de> # backport to kirkstone
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/kernel-fitimage.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
index 27e17db951..194d825b0e 100644
--- a/meta/classes/kernel-fitimage.bbclass
+++ b/meta/classes/kernel-fitimage.bbclass
@@ -542,6 +542,11 @@ fitimage_assemble() {
 				DTB_PATH="arch/${ARCH}/boot/$DTB"
 			fi
 
+			# Strip off the path component from the filename
+			if "${@'false' if oe.types.boolean(d.getVar('KERNEL_DTBVENDORED')) else 'true'}"; then
+				DTB=`basename $DTB`
+			fi
+
 			DTB=$(echo "$DTB" | tr '/' '_')
 
 			# Skip DTB if we've picked it up previously
-- 
2.34.1

Re: [OE-core][kirkstone 7/8] kernel-fitImage: Strip path component from dtb

[Max Krummenacher]

On Thu, Nov 30, 2023 at 12:05 AM Steve Sakoman <steve@sakoman.com> wrote:
>
> From: Ninad Palsule <ninad@linux.ibm.com>
>
> Machines that have added subdirectires to the KERNEL_DEVICETREE
> recently, such as arm32 boards that were moved under subdirectories in
> Linux 6.5, will have that subdirectory in the node name of the FIT. This
> breaks existing systems that select a configuration in u-boot by it's
> name.
>
> Strip off the directory component from the device tree to preserve
> compatibility.

This now breaks each arm64 machine (and likely mips & riscv) as they did
have the vendor subdirectories since (nearly) ever and expect those in the
fitimage.

Breaking those existing machines / kernel combination in order to have a
smooth transition for arm32 machines which bring a 6.5 kernel to kirkstone
seems wrong to me.

I think we should revert the backport to kirkstone. If someone builds a 6.5
or later kernel in kirkstone for an arm32 based machine one could cope
with the change e.g. in the kernel recipe which provides that 6.5 kernel.

Any comments? Thanks.

Sorry that I didn't notice the change on the mailing list before it got applied.

Regards
Max

>
> (From OE-Core rev: 941ba1a132bafa9c9be855fb91fec96d8b06299f)
>
> Signed-off-by: Joel Stanley <joel@jms.id.au>
> Signed-off-by: Ninad Palsule <ninad@linux.ibm.com>
> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de> # backport to kirkstone
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/classes/kernel-fitimage.bbclass | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> index 27e17db951..194d825b0e 100644
> --- a/meta/classes/kernel-fitimage.bbclass
> +++ b/meta/classes/kernel-fitimage.bbclass
> @@ -542,6 +542,11 @@ fitimage_assemble() {
>                                 DTB_PATH="arch/${ARCH}/boot/$DTB"
>                         fi
>
> +                       # Strip off the path component from the filename
> +                       if "${@'false' if oe.types.boolean(d.getVar('KERNEL_DTBVENDORED')) else 'true'}"; then
> +                               DTB=`basename $DTB`
> +                       fi
> +
>                         DTB=$(echo "$DTB" | tr '/' '_')
>
>                         # Skip DTB if we've picked it up previously
> --
> 2.34.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#191471): https://lists.openembedded.org/g/openembedded-core/message/191471
> Mute This Topic: https://lists.openembedded.org/mt/102883133/3617484
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [max.oss.09@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [OE-core][kirkstone 7/8] kernel-fitImage: Strip path component from dtb

[Steve Sakoman]

On Thu, Dec 14, 2023 at 12:42 AM Max Krummenacher <max.oss.09@gmail.com> wrote:
>
> On Thu, Nov 30, 2023 at 12:05 AM Steve Sakoman <steve@sakoman.com> wrote:
> >
> > From: Ninad Palsule <ninad@linux.ibm.com>
> >
> > Machines that have added subdirectires to the KERNEL_DEVICETREE
> > recently, such as arm32 boards that were moved under subdirectories in
> > Linux 6.5, will have that subdirectory in the node name of the FIT. This
> > breaks existing systems that select a configuration in u-boot by it's
> > name.
> >
> > Strip off the directory component from the device tree to preserve
> > compatibility.
>
> This now breaks each arm64 machine (and likely mips & riscv) as they did
> have the vendor subdirectories since (nearly) ever and expect those in the
> fitimage.
>
> Breaking those existing machines / kernel combination in order to have a
> smooth transition for arm32 machines which bring a 6.5 kernel to kirkstone
> seems wrong to me.
>
> I think we should revert the backport to kirkstone. If someone builds a 6.5
> or later kernel in kirkstone for an arm32 based machine one could cope
> with the change e.g. in the kernel recipe which provides that 6.5 kernel.
>
> Any comments? Thanks.
>
> Sorry that I didn't notice the change on the mailing list before it got applied.

Since this is causing breakage I will revert it prior to the upcoming
kirkstone release build.

Steve

> > (From OE-Core rev: 941ba1a132bafa9c9be855fb91fec96d8b06299f)
> >
> > Signed-off-by: Joel Stanley <joel@jms.id.au>
> > Signed-off-by: Ninad Palsule <ninad@linux.ibm.com>
> > Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de> # backport to kirkstone
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  meta/classes/kernel-fitimage.bbclass | 5 +++++
> >  1 file changed, 5 insertions(+)
> >
> > diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> > index 27e17db951..194d825b0e 100644
> > --- a/meta/classes/kernel-fitimage.bbclass
> > +++ b/meta/classes/kernel-fitimage.bbclass
> > @@ -542,6 +542,11 @@ fitimage_assemble() {
> >                                 DTB_PATH="arch/${ARCH}/boot/$DTB"
> >                         fi
> >
> > +                       # Strip off the path component from the filename
> > +                       if "${@'false' if oe.types.boolean(d.getVar('KERNEL_DTBVENDORED')) else 'true'}"; then
> > +                               DTB=`basename $DTB`
> > +                       fi
> > +
> >                         DTB=$(echo "$DTB" | tr '/' '_')
> >
> >                         # Skip DTB if we've picked it up previously
> > --
> > 2.34.1
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#191471): https://lists.openembedded.org/g/openembedded-core/message/191471
> > Mute This Topic: https://lists.openembedded.org/mt/102883133/3617484
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [max.oss.09@gmail.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >

Re: [OE-core][kirkstone 7/8] kernel-fitImage: Strip path component from dtb

[Max Krummenacher]

On Thu, Dec 14, 2023 at 03:56:13AM -1000, Steve Sakoman wrote:
> On Thu, Dec 14, 2023 at 12:42 AM Max Krummenacher <max.oss.09@gmail.com> wrote:
> >
> > On Thu, Nov 30, 2023 at 12:05 AM Steve Sakoman <steve@sakoman.com> wrote:
> > >
> > > From: Ninad Palsule <ninad@linux.ibm.com>
> > >
> > > Machines that have added subdirectires to the KERNEL_DEVICETREE
> > > recently, such as arm32 boards that were moved under subdirectories in
> > > Linux 6.5, will have that subdirectory in the node name of the FIT. This
> > > breaks existing systems that select a configuration in u-boot by it's
> > > name.
> > >
> > > Strip off the directory component from the device tree to preserve
> > > compatibility.
> >
> > This now breaks each arm64 machine (and likely mips & riscv) as they did
> > have the vendor subdirectories since (nearly) ever and expect those in the
> > fitimage.
> >
> > Breaking those existing machines / kernel combination in order to have a
> > smooth transition for arm32 machines which bring a 6.5 kernel to kirkstone
> > seems wrong to me.
> >
> > I think we should revert the backport to kirkstone. If someone builds a 6.5
> > or later kernel in kirkstone for an arm32 based machine one could cope
> > with the change e.g. in the kernel recipe which provides that 6.5 kernel.
> >
> > Any comments? Thanks.
> >
> > Sorry that I didn't notice the change on the mailing list before it got applied.
> 
> Since this is causing breakage I will revert it prior to the upcoming
> kirkstone release build.
> 
> Steve

Thanks Steve. Much appreciated.
Max

> 
> > > (From OE-Core rev: 941ba1a132bafa9c9be855fb91fec96d8b06299f)
> > >
> > > Signed-off-by: Joel Stanley <joel@jms.id.au>
> > > Signed-off-by: Ninad Palsule <ninad@linux.ibm.com>
> > > Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
> > > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > > Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de> # backport to kirkstone
> > > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > > ---
> > >  meta/classes/kernel-fitimage.bbclass | 5 +++++
> > >  1 file changed, 5 insertions(+)
> > >
> > > diff --git a/meta/classes/kernel-fitimage.bbclass b/meta/classes/kernel-fitimage.bbclass
> > > index 27e17db951..194d825b0e 100644
> > > --- a/meta/classes/kernel-fitimage.bbclass
> > > +++ b/meta/classes/kernel-fitimage.bbclass
> > > @@ -542,6 +542,11 @@ fitimage_assemble() {
> > >                                 DTB_PATH="arch/${ARCH}/boot/$DTB"
> > >                         fi
> > >
> > > +                       # Strip off the path component from the filename
> > > +                       if "${@'false' if oe.types.boolean(d.getVar('KERNEL_DTBVENDORED')) else 'true'}"; then
> > > +                               DTB=`basename $DTB`
> > > +                       fi
> > > +
> > >                         DTB=$(echo "$DTB" | tr '/' '_')
> > >
> > >                         # Skip DTB if we've picked it up previously
> > > --
> > > 2.34.1
> > >
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > > Links: You receive all messages sent to this group.
> > > View/Reply Online (#191471): https://lists.openembedded.org/g/openembedded-core/message/191471
> > > Mute This Topic: https://lists.openembedded.org/mt/102883133/3617484
> > > Group Owner: openembedded-core+owner@lists.openembedded.org
> > > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [max.oss.09@gmail.com]
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > >
> 

[OE-core][kirkstone 8/8] systemtap_git: fix used uninitialized error

[Steve Sakoman]

From: Li Wang <li.wang@windriver.com>

bpf-translate.cxx: error: 'this_column_size' may be used uninitialized in this function [-Werror=maybe-uninitialized]
bpf-translate.cxx: error: 'num' may be used uninitialized in this function [-Werror=maybe-uninitialized]

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...x-Prevent-Werror-maybe-uninitialized.patch | 53 +++++++++++++++++++
 .../recipes-kernel/systemtap/systemtap_git.bb |  1 +
 2 files changed, 54 insertions(+)
 create mode 100644 meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch

diff --git a/meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch b/meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch
new file mode 100644
index 0000000000..130eefab5d
--- /dev/null
+++ b/meta/recipes-kernel/systemtap/systemtap/0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch
@@ -0,0 +1,53 @@
+From df3425f51a512f65522522daf1f78c7fab0a63fd Mon Sep 17 00:00:00 2001
+From: Aaron Merey <amerey@redhat.com>
+Date: Fri, 25 Feb 2022 19:18:29 -0500
+Subject: [PATCH] bpf-translate.cxx: Prevent -Werror=maybe-uninitialized
+
+Two variables in bpf-translate.cxx can trigger -Werror=maybe-uninitialized.
+The code is designed so that uninitialized uses are not actually possible,
+but to convince gcc of this we move a throw statement and initialize one
+of the variables with a value.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=systemtap.git;a=commit;h=df3425f51a512f65522522daf1f78c7fab0a63fd]
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ bpf-translate.cxx | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/bpf-translate.cxx b/bpf-translate.cxx
+index 3f45c721f..1b63d6078 100644
+--- a/bpf-translate.cxx
++++ b/bpf-translate.cxx
+@@ -1203,7 +1203,7 @@ bpf_unparser::emit_asm_arg (const asm_stmt &stmt, const std::string &arg,
+     {
+       /* arg is a register number */
+       std::string reg = arg[0] == 'r' ? arg.substr(1) : arg;
+-      unsigned long num;
++      unsigned long num = ULONG_MAX;
+       bool parsed = false;
+       try {
+         num = stoul(reg, 0, 0);
+@@ -1941,8 +1941,6 @@ bpf_unparser::visit_foreach_loop(foreach_loop* s)
+   for (unsigned k = 0; k < arraydecl->index_types.size(); k++)
+     {
+       auto type = arraydecl->index_types[k];
+-      if (type != pe_long && type != pe_string)
+-        throw SEMANTIC_ERROR(_("unhandled foreach index type"), s->tok);
+       int this_column_size;
+       // PR23875: foreach should handle string keys
+       if (type == pe_long)
+@@ -1953,6 +1951,10 @@ bpf_unparser::visit_foreach_loop(foreach_loop* s)
+         {
+           this_column_size = BPF_MAXSTRINGLEN;
+         }
++      else
++        {
++          throw SEMANTIC_ERROR(_("unhandled foreach index type"), s->tok);
++        }
+       if (info.sort_column == k + 1) // record sort column
+         {
+           info.sort_column_size = this_column_size;
+-- 
+2.25.1
+
diff --git a/meta/recipes-kernel/systemtap/systemtap_git.bb b/meta/recipes-kernel/systemtap/systemtap_git.bb
index ce86d5274d..c84fc27001 100644
--- a/meta/recipes-kernel/systemtap/systemtap_git.bb
+++ b/meta/recipes-kernel/systemtap/systemtap_git.bb
@@ -9,6 +9,7 @@ require systemtap_git.inc
 SRC_URI += "file://0001-improve-reproducibility-for-c-compiling.patch \
             file://0001-staprun-address-ncurses-6.3-failures.patch \
             file://0001-gcc12-c-compatibility-re-tweak-for-rhel6-use-functio.patch \
+            file://0001-bpf-translate.cxx-Prevent-Werror-maybe-uninitialized.patch \
            "
 
 DEPENDS = "elfutils"
-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, November 5

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2677

The following changes since commit 99204008786f659ab03538cd2ae2fd23ed4164c5:

  build-appliance-image: Update to kirkstone head revision (2025-10-31 06:30:23 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (1):
  openssh: fix CVE-2025-61985

Hitendra Prajapati (1):
  go: fix CVE-2024-24783

Hongxu Jia (1):
  u-boot: fix CVE-2024-42040

Jason Schonberg (1):
  Don't use ftp.gnome.org

Peter Marko (3):
  wpa-supplicant: patch CVE-2025-24912
  binutils: patch CVE-2025-11412
  binutils: patch CVE-2025-11413

Praveen Kumar (1):
  bind: upgrade 9.18.33 -> 9.18.41

 .../u-boot/files/CVE-2024-42040.patch         | 56 +++++++++++++
 meta/recipes-bsp/u-boot/u-boot-common.inc     |  4 +-
 .../bind/{bind_9.18.33.bb => bind_9.18.41.bb} |  2 +-
 .../openssh/openssh/CVE-2025-61985.patch      | 35 ++++++++
 .../openssh/openssh_8.9p1.bb                  |  1 +
 .../wpa-supplicant/CVE-2025-24912-01.patch    | 79 ++++++++++++++++++
 .../wpa-supplicant/CVE-2025-24912-02.patch    | 70 ++++++++++++++++
 .../wpa-supplicant/wpa-supplicant_2.10.bb     |  2 +
 .../binutils/binutils-2.38.inc                |  2 +
 .../binutils/binutils/CVE-2025-11412.patch    | 35 ++++++++
 .../binutils/binutils/CVE-2025-11413.patch    | 38 +++++++++
 meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
 .../go/go-1.21/CVE-2024-24783.patch           | 83 +++++++++++++++++++
 .../python/python3-pygobject_3.42.0.bb        |  2 +-
 meta/recipes-devtools/vala/vala.inc           |  2 +-
 meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb      |  2 +-
 meta/recipes-gnome/libgudev/libgudev_237.bb   |  2 +-
 .../recipes-support/libxslt/libxslt_1.1.35.bb |  2 +-
 18 files changed, 411 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-bsp/u-boot/files/CVE-2024-42040.patch
 rename meta/recipes-connectivity/bind/{bind_9.18.33.bb => bind_9.18.41.bb} (97%)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-61985.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-01.patch
 create mode 100644 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/CVE-2025-24912-02.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11412.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-11413.patch
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-24783.patch

-- 
2.43.0

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, October 21

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2607

The following changes since commit 8f1000d9dad5e51f08a40b0f6650204425cc8efb:

  glibc: : PTHREAD_COND_INITIALIZER compatibility with pre-2.41 versions (bug 32786) (2025-10-14 10:35:12 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bruce Ashfield (4):
  linux-yocto/5.15: update to v5.15.188
  linux-yocto/5.15: update to v5.15.189
  linux-yocto/5.15: update to v5.15.193
  linux-yocto/5.15: update to v5.15.194

Peter Marko (1):
  python3: upgrade 3.10.18 -> 3.10.19

Rajeshkumar Ramasamy (2):
  glib-networking: fix CVE-2025-60018
  glib-networking: fix CVE-2025-60019

Saravanan (1):
  cmake: fix CVE-2025-9301

 .../glib-networking/CVE-2025-60018.patch      |  83 +++++++
 .../glib-networking/CVE-2025-60019.patch      | 137 +++++++++++
 .../glib-networking/glib-networking_2.72.2.bb |   2 +
 .../cmake/cmake/CVE-2025-9301.patch           |  71 ++++++
 meta/recipes-devtools/cmake/cmake_3.22.3.bb   |   1 +
 ...e-treat-overflow-in-UID-GID-as-failu.patch |   2 +-
 .../python/python3/CVE-2025-8194.patch        | 219 ------------------
 ...{python3_3.10.18.bb => python3_3.10.19.bb} |   3 +-
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +--
 11 files changed, 315 insertions(+), 241 deletions(-)
 create mode 100644 meta/recipes-core/glib-networking/glib-networking/CVE-2025-60018.patch
 create mode 100644 meta/recipes-core/glib-networking/glib-networking/CVE-2025-60019.patch
 create mode 100644 meta/recipes-devtools/cmake/cmake/CVE-2025-9301.patch
 delete mode 100644 meta/recipes-devtools/python/python3/CVE-2025-8194.patch
 rename meta/recipes-devtools/python/{python3_3.10.18.bb => python3_3.10.19.bb} (99%)

-- 
2.43.0

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, August 15

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2196

The following changes since commit bd620eb14660075fd0f7476bbbb65d5da6293874:

  build-appliance-image: Update to kirkstone head revision (2025-08-08 06:31:30 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Guocai He (1):
  gnupg: disable tests to avoid running target binaries at build time

Hitendra Prajapati (1):
  libxslt: fix CVE-2023-40403

Peter Marko (3):
  python3: patch CVE-2025-8194
  go: ignore CVE-2025-0913
  libarchive: patch CVE-2025-5918

Quentin Schulz (1):
  go-helloworld: fix license

Yogita Urade (2):
  tiff: fix CVE-2025-8176
  tiff: fix CVE-2025-8177

 meta/recipes-devtools/go/go-1.17.13.inc       |   2 +-
 .../python/python3/CVE-2025-8194.patch        | 219 +++++++++++
 .../python/python3_3.10.18.bb                 |   7 +-
 .../go-examples/go-helloworld_0.1.bb          |   4 +-
 .../0001-FILE-seeking-support-2539.patch      | 190 ++++++++++
 .../0001-Improve-lseek-handling-2564.patch    | 320 ++++++++++++++++
 .../libarchive/libarchive/CVE-2025-5918.patch | 217 +++++++++++
 .../libarchive/libarchive_3.6.2.bb            |   3 +
 .../libtiff/tiff/CVE-2025-8176-0001.patch     |  61 +++
 .../libtiff/tiff/CVE-2025-8176-0002.patch     |  31 ++
 .../libtiff/tiff/CVE-2025-8176-0003.patch     |  28 ++
 .../libtiff/tiff/CVE-2025-8177.patch          |  35 ++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   4 +
 meta/recipes-support/gnupg/gnupg_2.3.7.bb     |   1 +
 .../libxslt/libxslt/CVE-2023-40403-001.patch  | 257 +++++++++++++
 .../libxslt/libxslt/CVE-2023-40403-002.patch  | 147 ++++++++
 .../libxslt/libxslt/CVE-2023-40403-003.patch  | 231 ++++++++++++
 .../libxslt/libxslt/CVE-2023-40403-004.patch  | 349 ++++++++++++++++++
 .../libxslt/libxslt/CVE-2023-40403-005.patch  |  55 +++
 .../recipes-support/libxslt/libxslt_1.1.35.bb |   5 +
 20 files changed, 2160 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2025-8194.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-FILE-seeking-support-2539.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/0001-Improve-lseek-handling-2564.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0001.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0002.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8176-0003.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-8177.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-001.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-002.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-003.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-004.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2023-40403-005.patch

-- 
2.43.0

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 3

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1311

The following changes since commit 453c5c8d9031be2b3a25e2a04e0f5f6325ef7298:

  cve-update-nvd2-native: handle missing vulnStatus (2025-03-31 09:13:54 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Deepesh Varatharajan (1):
  llvm : Fix CVE-2024-0151

Divya Chellam (1):
  zlib: fix CVE-2014-9485

Guocai He (1):
  mesa: Update SRC_URI

Haixiao Yan (1):
  glibc: Add single-threaded fast path to rand()

Michael Halstead (1):
  yocto-uninative: Update to 4.7 for glibc 2.41

Peter Marko (3):
  libarchive: ignore CVE-2025-1632
  perl: ignore CVE-2023-47038
  freetype: patch CVE-2025-27363

 meta/conf/distro/include/yocto-uninative.inc  |   10 +-
 ...dd-single-threaded-fast-path-to-rand.patch |   47 +
 meta/recipes-core/glibc/glibc_2.35.bb         |    1 +
 .../zlib/zlib/CVE-2014-9485.patch             |   64 +
 meta/recipes-core/zlib/zlib_1.2.11.bb         |    1 +
 .../llvm/llvm/CVE-2024-0151.patch             | 1087 +++++++++++++++++
 meta/recipes-devtools/llvm/llvm_git.bb        |    1 +
 meta/recipes-devtools/perl/perl_5.34.3.bb     |    2 +
 .../libarchive/libarchive_3.6.2.bb            |    2 +
 .../freetype/freetype/CVE-2025-27363.patch    |   44 +
 .../freetype/freetype_2.11.1.bb               |    1 +
 .../recipes-graphics/mesa/mesa-demos_8.4.0.bb |    2 +-
 meta/recipes-graphics/mesa/mesa.inc           |    2 +-
 13 files changed, 1257 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2014-9485.patch
 create mode 100644 meta/recipes-devtools/llvm/llvm/CVE-2024-0151.patch
 create mode 100644 meta/recipes-graphics/freetype/freetype/CVE-2025-27363.patch

-- 
2.43.0

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, August 6

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7206

The following changes since commit c6cafd2aa50357c80fbab79741d575ff567c5766:

  gcc-runtime: remove bashism (2024-07-31 04:59:21 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Ashish Sharma (1):
  gtk+3 : backport fix for CVE-2024-6655

Bruce Ashfield (5):
  linux-yocto/5.15: update to v5.15.158
  linux-yocto/5.15: update to v5.15.160
  linux-yocto/5.15: update to v5.15.161
  linux-yocto/5.15: update to v5.15.162
  linux-yocto/5.15: update to v5.15.164

Siddharth Doshi (1):
  lttng-modules: Upgrade 2.13.9 -> 2.13.14

Soumya Sambu (1):
  go: Fix CVE-2024-24789

 meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
 .../go/go-1.21/CVE-2024-24789.patch           | 78 +++++++++++++++++++
 .../gtk+/gtk+3/CVE-2024-6655.patch            | 39 ++++++++++
 meta/recipes-gnome/gtk+/gtk+3_3.24.34.bb      |  1 +
 .../linux/linux-yocto-rt_5.15.bb              |  6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |  6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb | 26 +++----
 .../0009-Rename-genhd-wrapper-to-blkdev.patch | 19 +++--
 ...les_2.13.9.bb => lttng-modules_2.13.14.bb} |  4 +-
 9 files changed, 151 insertions(+), 29 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-24789.patch
 create mode 100644 meta/recipes-gnome/gtk+/gtk+3/CVE-2024-6655.patch
 rename meta/recipes-kernel/lttng/{lttng-modules_2.13.9.bb => lttng-modules_2.13.14.bb} (89%)

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, May 28

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6956

The following changes since commit f85d5dfc91d536a00669ca3148d8c3b2727b183d:

  libpciaccess: Remove duplicated license entry (2024-05-10 05:05:54 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bob Henz (1):
  systemd-systemctl: Fix WantedBy processing

Colin McAllister (1):
  initscripts: Add custom mount args for /var/lib

Dmitry Baryshkov (1):
  go.bbclass: fix path to linker in native Go builds

Joerg Vehlow (1):
  go: Always pass interpreter to linker

Peter Marko (1):
  openssl: patch CVE-2024-4603

Stefan Herbrechtsmeier (1):
  classes: go-mod: do not pack go mod cache

Vijay Anusuri (1):
  binutils: Rename CVE-2022-38126 patch to CVE-2022-35205

Yogita Urade (1):
  libarchive: fix CVE-2024-26256

 meta/classes/go-mod.bbclass                   |   4 +
 meta/classes/go.bbclass                       |   6 +-
 .../openssl/openssl/CVE-2024-4603.patch       | 180 ++++++++++++++++++
 .../openssl/openssl_3.0.13.bb                 |   1 +
 .../initscripts-1.0/read-only-rootfs-hook.sh  |   4 +-
 .../initscripts/initscripts_1.0.bb            |   2 +
 .../systemd/systemd-systemctl/systemctl       |  11 ++
 .../binutils/binutils-2.38.inc                |   2 +-
 ...-38126.patch => 0016-CVE-2022-35205.patch} |   3 +-
 .../libarchive/CVE-2024-26256.patch           |  29 +++
 .../libarchive/libarchive_3.6.2.bb            |   5 +-
 11 files changed, 240 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
 rename meta/recipes-devtools/binutils/binutils/{0016-CVE-2022-38126.patch => 0016-CVE-2022-35205.patch} (94%)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2024-26256.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, March 13

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6670

The following changes since commit e5aae8a371717215a7d78459788ad67dfaefe37e:

  golang: Fix CVE-2023-45289 & CVE-2023-45290 (2024-03-07 04:18:33 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bruce Ashfield (6):
  linux-yocto/5.15: update to v5.15.149
  linux-yocto/5.15: update CVE exclusions
  linux-yocto/5.10: update to v5.10.210
  linux-yocto/5.15: update to v5.15.150
  linux-yocto/5.15: update CVE exclusions (5.15.150)
  linux-yocto/5.15: fix partion scanning

Nikhil R (1):
  librsvg: Fix do_package_qa error for librsvg

Vivek Kumbhar (1):
  go: Backport fix CVE-2024-24784 & CVE-2024-24785

 meta/recipes-devtools/go/go-1.17.13.inc       |   2 +
 .../go/go-1.18/CVE-2024-24784.patch           | 207 ++++++++++++++++++
 .../go/go-1.18/CVE-2024-24785.patch           | 196 +++++++++++++++++
 meta/recipes-gnome/librsvg/librsvg_2.52.10.bb |   2 +
 .../linux/cve-exclusion_5.15.inc              | 197 ++++++++++++++++-
 .../linux/linux-yocto-rt_5.10.bb              |   4 +-
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb            |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  22 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +--
 11 files changed, 632 insertions(+), 42 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2024-24784.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2024-24785.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, February 14

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6556

The following changes since commit 2bdae590ab20dc4518ba247c903060fa67ed0fc4:

  openssl: Upgrade 3.0.12 -> 3.0.13 (2024-02-05 03:56:38 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (1):
  curl: Fix CVE-2023-46219

Bruce Ashfield (1):
  kernel: fix localversion in v6.3+

Jermain Horsman (1):
  systemd: Only add myhostname to nsswitch.conf if in PACKAGECONFIG

Kai Kang (1):
  ghostscript: correct LICENSE with AGPLv3

Narpat Mali (1):
  python3-pycryptodome: Fix CVE-2023-52323

Soumya Sambu (2):
  go: Fix CVE-2023-45285 and CVE-2023-45287
  libgit2: Fix CVE-2024-24575 and CVE-2024-24577

Vijay Anusuri (1):
  libxml2: Fix for CVE-2024-25062

 meta/classes/kernel-arch.bbclass              |    7 +
 meta/classes/kernel.bbclass                   |   10 +-
 .../libxml/libxml2/CVE-2024-25062.patch       |   33 +
 meta/recipes-core/libxml/libxml2_2.9.14.bb    |    1 +
 meta/recipes-core/systemd/systemd_250.5.bb    |   16 +-
 meta/recipes-devtools/go/go-1.17.13.inc       |    2 +
 .../go/go-1.20/CVE-2023-45285.patch           |  110 ++
 .../go/go-1.20/CVE-2023-45287.patch           | 1695 +++++++++++++++++
 .../python3-pycryptodome/CVE-2023-52323.patch |  436 +++++
 .../python/python3-pycryptodome_3.14.1.bb     |    1 +
 .../CVE-2023-52323.patch                      |  436 +++++
 .../python/python3-pycryptodomex_3.14.1.bb    |    2 +
 .../ghostscript/ghostscript_9.55.0.bb         |    2 +-
 .../curl/curl/CVE-2023-46219-0001.patch       |   42 +
 .../curl/curl/CVE-2023-46219-0002.patch       |  133 ++
 .../curl/curl/CVE-2023-46219-0003.patch       |   81 +
 meta/recipes-support/curl/curl_7.82.0.bb      |    3 +
 .../libgit2/libgit2/CVE-2024-24575.patch      |   56 +
 .../libgit2/libgit2/CVE-2024-24577.patch      |   52 +
 meta/recipes-support/libgit2/libgit2_1.4.5.bb |    5 +-
 20 files changed, 3113 insertions(+), 10 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2024-25062.patch
 create mode 100644 meta/recipes-devtools/go/go-1.20/CVE-2023-45285.patch
 create mode 100644 meta/recipes-devtools/go/go-1.20/CVE-2023-45287.patch
 create mode 100644 meta/recipes-devtools/python/python3-pycryptodome/CVE-2023-52323.patch
 create mode 100644 meta/recipes-devtools/python/python3-pycryptodomex/CVE-2023-52323.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0001.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0002.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-46219-0003.patch
 create mode 100644 meta/recipes-support/libgit2/libgit2/CVE-2024-24575.patch
 create mode 100644 meta/recipes-support/libgit2/libgit2/CVE-2024-24577.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, September 15.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5876

The following changes since commit 47a1dd7f389e3cf4ac2dc5fc21dccc870aafab4a:

  sysklogd: fix integration with systemd-journald (2023-09-05 13:34:12 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Meenali Gupta (1):
  flac: fix CVE-2020-22219

Michael Halstead (1):
  yocto-uninative: Update to 4.3

Narpat Mali (1):
  python3-pygments: Fix CVE-2022-40896

Siddharth Doshi (1):
  gdb: Fix CVE-2023-39128

Soumya Sambu (1):
  libxml2: Fix CVE-2023-39615

Yogita Urade (3):
  dropbear: fix CVE-2023-36328
  qemu: fix CVE-2021-3638
  webkitgtk: fix CVE-2022-48503

 meta/conf/distro/include/yocto-uninative.inc  |   8 +-
 meta/recipes-core/dropbear/dropbear.inc       |   1 +
 .../dropbear/dropbear/CVE-2023-36328.patch    | 144 +++++++++++
 .../libxml/libxml2/CVE-2023-39615-0001.patch  |  37 +++
 .../libxml/libxml2/CVE-2023-39615-0002.patch  |  72 ++++++
 meta/recipes-core/libxml/libxml2_2.9.14.bb    |   2 +
 meta/recipes-devtools/gdb/gdb.inc             |   1 +
 .../gdb/gdb/0011-CVE-2023-39128.patch         |  75 ++++++
 .../python3-pygments/CVE-2022-40896.patch     | 124 ++++++++++
 .../python/python3-pygments_2.11.2.bb         |   2 +
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2021-3638.patch             |  88 +++++++
 .../flac/files/CVE-2020-22219.patch           | 197 +++++++++++++++
 meta/recipes-multimedia/flac/flac_1.3.4.bb    |   1 +
 .../webkit/webkitgtk/CVE-2022-48503.patch     | 225 ++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.36.8.bb  |   1 +
 16 files changed, 975 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2023-36328.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0001.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2023-39615-0002.patch
 create mode 100644 meta/recipes-devtools/gdb/gdb/0011-CVE-2023-39128.patch
 create mode 100644 meta/recipes-devtools/python/python3-pygments/CVE-2022-40896.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3638.patch
 create mode 100644 meta/recipes-multimedia/flac/files/CVE-2020-22219.patch
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, August 29.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5789

The following changes since commit ea920e3c8075f3a1b79039341f8c889f6197a07f:

  glibc-locale: use stricter matching for metapackages' runtime dependencies (2023-08-22 07:07:13 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Narpat Mali (2):
  ffmpeg: add CVE_CHECK_IGNORE for CVE-2023-39018
  python3-git: upgrade 3.1.27 -> 3.1.32

Ross Burton (3):
  linux-yocto: add script to generate kernel CVE_CHECK_IGNORE entries
  linux/cve-exclusion: add generated CVE_CHECK_IGNORES.
  linux/cve-exclusion: remove obsolete manual entries

Siddharth (1):
  Qemu: Resolve undefined reference issue in CVE-2023-2861

Soumya Sambu (1):
  go: Fix CVE-2023-29409

Yogita Urade (1):
  nghttp2: fix CVE-2023-35945

 meta/recipes-devtools/go/go-1.17.13.inc       |    1 +
 .../go/go-1.19/CVE-2023-29409.patch           |  175 +
 ...-git-CVE-2022-24439-fix-from-PR-1518.patch |   97 -
 ...-git-CVE-2022-24439-fix-from-PR-1521.patch |  488 --
 ...n3-git_3.1.27.bb => python3-git_3.1.32.bb} |    6 +-
 .../qemu/qemu/CVE-2023-2861.patch             |   66 +-
 meta/recipes-kernel/linux/cve-exclusion.inc   |  869 --
 .../linux/cve-exclusion_5.15.inc              | 7193 +++++++++++++++++
 .../linux/generate-cve-exclusions.py          |  101 +
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |    1 +
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb |    6 +
 .../nghttp2/nghttp2/CVE-2023-35945.patch      |  151 +
 .../recipes-support/nghttp2/nghttp2_1.47.0.bb |    1 +
 13 files changed, 7667 insertions(+), 1488 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-29409.patch
 delete mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1518.patch
 delete mode 100644 meta/recipes-devtools/python/python3-git/0001-python3-git-CVE-2022-24439-fix-from-PR-1521.patch
 rename meta/recipes-devtools/python/{python3-git_3.1.27.bb => python3-git_3.1.32.bb} (80%)
 create mode 100644 meta/recipes-kernel/linux/cve-exclusion_5.15.inc
 create mode 100755 meta/recipes-kernel/linux/generate-cve-exclusions.py
 create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2023-35945.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5638

The following changes since commit d877d5f07772ec4a05332068ddc03cf387313036:

  cmake: Fix CMAKE_SYSTEM_PROCESSOR setting for SDK (2023-07-17 04:45:01 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (1):
  ghostscript: fix CVE-2023-36664

Bruce Ashfield (2):
  linux-yocto/5.15: update to v5.15.119
  linux-yocto/5.15: update to v5.15.120

Richard Purdie (1):
  gcc-testsuite: Fix ppc cpu specification

Ross Burton (2):
  gcc: don't pass --enable-standard-branch-protection
  machine/arch-arm64: add -mbranch-protection=standard

Vijay Anusuri (1):
  qemu: backport Debian patch to fix CVE-2023-0330

Xiangyu Chen (1):
  package.bbclass: moving field data process before variable process in
    process_pkgconfig

 meta/classes/package.bbclass                  |  12 +-
 meta/conf/machine/include/arm/arch-arm64.inc  |   5 +
 .../gcc/gcc-configure-common.inc              |   1 -
 meta/recipes-devtools/gcc/gcc-testsuite.inc   |   5 +-
 meta/recipes-devtools/qemu/qemu.inc           |   1 +
 .../qemu/qemu/CVE-2023-0330.patch             |  75 +++++++++
 .../ghostscript/CVE-2023-36664-0001.patch     | 146 ++++++++++++++++++
 .../ghostscript/CVE-2023-36664-0002.patch     |  60 +++++++
 .../ghostscript/ghostscript_9.55.0.bb         |   2 +
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 ++--
 12 files changed, 317 insertions(+), 28 deletions(-)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-0330.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0001.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-36664-0002.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5209

The following changes since commit b67e714b367a08fdeeeff68c2d9495ec9bc07304:

  package.bbclass: correct check for /build in copydebugsources() (2023-04-14 07:19:08 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Hitendra Prajapati (2):
  ruby: CVE-2023-28756 ReDoS vulnerability in Time
  screen: CVE-2023-24626 allows sending SIGHUP to arbitrary PIDs

Peter Marko (1):
  go: ignore CVE-2022-41716

Shubham Kulkarni (1):
  go-runtime: Security fix for CVE-2022-41722

Siddharth Doshi (1):
  curl: Security fix for CVE-2023-27535, CVE-2023-27536, CVE-2023-27538

Sundeep KOKKONDA (1):
  cargo : non vulnerable cve-2022-46176 added to excluded list

Vivek Kumbhar (1):
  go: fix CVE-2023-24537 Infinite loop in parsing

Xiangyu Chen (1):
  shadow: backport patch to fix CVE-2023-29383

 .../distro/include/cve-extra-exclusions.inc   |   5 +
 meta/recipes-devtools/go/go-1.17.13.inc       |   5 +
 .../go/go-1.18/CVE-2022-41722.patch           | 103 +++++++++
 .../go/go-1.18/CVE-2023-24537.patch           |  75 +++++++
 .../ruby/ruby/CVE-2023-28756.patch            |  73 +++++++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |   1 +
 .../screen/screen/CVE-2023-24626.patch        |  40 ++++
 meta/recipes-extended/screen/screen_4.9.0.bb  |   1 +
 .../files/0001-Overhaul-valid_field.patch     |  65 ++++++
 .../shadow/files/CVE-2023-29383.patch         |  53 +++++
 meta/recipes-extended/shadow/shadow.inc       |   2 +
 .../curl/curl/CVE-2023-27535-pre1.patch       | 196 ++++++++++++++++++
 .../CVE-2023-27535_and_CVE-2023-27538.patch   | 170 +++++++++++++++
 .../curl/curl/CVE-2023-27536.patch            |  52 +++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   3 +
 15 files changed, 844 insertions(+)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41722.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24537.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2023-28756.patch
 create mode 100644 meta/recipes-extended/screen/screen/CVE-2023-24626.patch
 create mode 100644 meta/recipes-extended/shadow/files/0001-Overhaul-valid_field.patch
 create mode 100644 meta/recipes-extended/shadow/files/CVE-2023-29383.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535-pre1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27535_and_CVE-2023-27538.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27536.patch

-- 
2.34.1

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of patches for kirkstone and have comments back by
end of day Friday.

This should be the final set of patches for the 4.0.5 release.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4380

The following changes since commit 4781fee6aea9512b7cb390b76e6f9f0a86a5bd11:

  lttng-modules: Fix crash on powerpc64 (2022-10-17 04:30:43 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bruce Ashfield (2):
  linux-yocto/5.10: update to v5.10.147
  linux-yocto/5.10: update to v5.10.149

Steve Sakoman (1):
  Revert "lttng-tools: Upgrade 2.13.4 -> 2.13.8"

Tim Orling (1):
  git: upgrade 2.35.4 -> 2.35.5

Vyacheslav Yurkov (2):
  files: overlayfs-etc: refactor preinit template
  classes: files: Extend overlayfs-etc class

Yash Shinde (2):
  binutils: stable 2.38 branch updates
  glibc: stable 2.35 branch updates.

 meta/classes/overlayfs-etc.bbclass            |  5 +++-
 meta/files/overlayfs-etc-preinit.sh.in        | 23 ++++++++++++++----
 meta/recipes-core/glibc/glibc-version.inc     |  2 +-
 .../binutils/binutils-2.38.inc                |  2 +-
 .../git/{git_2.35.4.bb => git_2.35.5.bb}      |  2 +-
 .../linux/linux-yocto-rt_5.10.bb              |  6 ++---
 .../linux/linux-yocto-tiny_5.10.bb            |  8 +++----
 meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
 ...-tools_2.13.8.bb => lttng-tools_2.13.4.bb} |  2 +-
 9 files changed, 45 insertions(+), 29 deletions(-)
 rename meta/recipes-devtools/git/{git_2.35.4.bb => git_2.35.5.bb} (98%)
 rename meta/recipes-kernel/lttng/{lttng-tools_2.13.8.bb => lttng-tools_2.13.4.bb} (98%)

-- 
2.25.1

Re: [OE-core][kirkstone 0/8] Patch review

[Tim Orling]

[-- Attachment #1: Type: text/plain, Size: 2531 bytes --]

On Wed, Oct 26, 2022 at 7:36 PM Steve Sakoman <steve@sakoman.com> wrote:

> Please review this set of patches for kirkstone and have comments back by
> end of day Friday.
>
> This should be the final set of patches for the 4.0.5 release.


I am intentionally holding off on a Python 3.10.8 upgrade just to let this
release get out in a stable manner.


>
> Passed a-full on autobuilder:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4380
>
> The following changes since commit
> 4781fee6aea9512b7cb390b76e6f9f0a86a5bd11:
>
>   lttng-modules: Fix crash on powerpc64 (2022-10-17 04:30:43 -1000)
>
> are available in the Git repository at:
>
>   https://git.openembedded.org/openembedded-core-contrib
> stable/kirkstone-nut
>
> http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
>
> Bruce Ashfield (2):
>   linux-yocto/5.10: update to v5.10.147
>   linux-yocto/5.10: update to v5.10.149
>
> Steve Sakoman (1):
>   Revert "lttng-tools: Upgrade 2.13.4 -> 2.13.8"
>
> Tim Orling (1):
>   git: upgrade 2.35.4 -> 2.35.5
>
> Vyacheslav Yurkov (2):
>   files: overlayfs-etc: refactor preinit template
>   classes: files: Extend overlayfs-etc class
>
> Yash Shinde (2):
>   binutils: stable 2.38 branch updates
>   glibc: stable 2.35 branch updates.
>
>  meta/classes/overlayfs-etc.bbclass            |  5 +++-
>  meta/files/overlayfs-etc-preinit.sh.in        | 23 ++++++++++++++----
>  meta/recipes-core/glibc/glibc-version.inc     |  2 +-
>  .../binutils/binutils-2.38.inc                |  2 +-
>  .../git/{git_2.35.4.bb => git_2.35.5.bb}      |  2 +-
>  .../linux/linux-yocto-rt_5.10.bb              |  6 ++---
>  .../linux/linux-yocto-tiny_5.10.bb            |  8 +++----
>  meta/recipes-kernel/linux/linux-yocto_5.10.bb | 24 +++++++++----------
>  ...-tools_2.13.8.bb => lttng-tools_2.13.4.bb} |  2 +-
>  9 files changed, 45 insertions(+), 29 deletions(-)
>  rename meta/recipes-devtools/git/{git_2.35.4.bb => git_2.35.5.bb} (98%)
>  rename meta/recipes-kernel/lttng/{lttng-tools_2.13.8.bb =>
> lttng-tools_2.13.4.bb} (98%)
>
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#172179):
> https://lists.openembedded.org/g/openembedded-core/message/172179
> Mute This Topic: https://lists.openembedded.org/mt/94596838/924729
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> ticotimo@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

[-- Attachment #2: Type: text/html, Size: 5084 bytes --]

[OE-core][kirkstone 0/8] Patch review

[Steve Sakoman]

Please review this set of patches for the kirkstone 4.0.3 release.

The following changes since commit c33eb7fb1d1e91a005b22b65d221d4b899ec69dc:

  openssh: Add openssh-sftp-server to openssh RDEPENDS (2022-08-02 12:32:44 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (1):
  lttng-modules: update 2.13.3 -> 2.13.4

Bruce Ashfield (5):
  linux-yocto/5.10: update to v5.10.135
  linux-yocto/5.15: update to v5.15.58
  linux-yocto-rt/5.15: update to -rt48 (and fix -stable merge)
  linux-yocto/5.15: update to v5.15.59
  linux-yocto/5.15: fix reproducibility issues

He Zhe (1):
  lttng-modules: Fix build failure for kernel v5.15.58

Sundeep KOKKONDA (1):
  glibc : stable 2.35 branch updates

 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 .../linux/linux-yocto-rt_5.10.bb              |   6 +-
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb            |   8 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  24 +--
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +--
 ...x-compaction-migratepages-event-name.patch |  37 ----
 ...oduce-kfree_skb_reason-v5.15.58.v5.1.patch |  53 +++++
 ...emove-unused-tracepoints-v5.10-v5.15.patch |  44 -----
 ...g-Append-prev_state-to-tp-args-inste.patch |  59 ------
 ...vent-allow-same-provider-and-event-n.patch |  48 -----
 ...g-Don-t-re-read-p-state-when-emittin.patch | 183 ------------------
 .../0004-fix-block-remove-genhd.h-v5.18.patch |  45 -----
 ...emove-REQ_OP_WRITE_SAME-support-v5.1.patch |  79 --------
 ...ndom-remove-unused-tracepoints-v5.18.patch |  47 -----
 ...rethook-for-kretprobe-if-possible-v5.patch |  72 -------
 ...ore-Remove-scsi-scsi_request.h-v5.18.patch |  44 -----
 ...n-cleanup-the-compaction-trace-event.patch | 106 ----------
 ...ules_2.13.3.bb => lttng-modules_2.13.4.bb} |  16 +-
 20 files changed, 95 insertions(+), 816 deletions(-)
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-Fix-compaction-migratepages-event-name.patch
 create mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-net-skb-introduce-kfree_skb_reason-v5.15.58.v5.1.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-random-remove-unused-tracepoints-v5.10-v5.15.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0001-fix-sched-tracing-Append-prev_state-to-tp-args-inste.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0002-Fix-tracepoint-event-allow-same-provider-and-event-n.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0003-fix-sched-tracing-Don-t-re-read-p-state-when-emittin.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0004-fix-block-remove-genhd.h-v5.18.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0005-fix-scsi-block-Remove-REQ_OP_WRITE_SAME-support-v5.1.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0006-fix-random-remove-unused-tracepoints-v5.18.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0007-fix-kprobes-Use-rethook-for-kretprobe-if-possible-v5.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0008-fix-scsi-core-Remove-scsi-scsi_request.h-v5.18.patch
 delete mode 100644 meta/recipes-kernel/lttng/lttng-modules/0010-fix-mm-compaction-cleanup-the-compaction-trace-event.patch
 rename meta/recipes-kernel/lttng/{lttng-modules_2.13.3.bb => lttng-modules_2.13.4.bb} (60%)

-- 
2.25.1