* [OE-core][kirkstone 00/12] Patch review
@ 2025-02-18 21:09 Steve Sakoman
From: Steve Sakoman @ 2025-02-18 21:09 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Thursday, February 20

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1038

The following changes since commit 5a794fd244f7fdeb426bd5e3def6b4effc0e8c62:

  build-appliance-image: Update to kirkstone head revision (2025-02-15 06:06:50 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Aleksandar Nikolic (1):
      scripts/install-buildtools: Update to 4.0.24

Archana Polampalli (5):
      gnutls: fix CVE-2024-12243
      ffmpeg: CVE-2025-0518
      ffmpeg: fix CVE-2024-36613
      ffmpeg: fix CVE-2024-36616
      ffmpeg: fix CVE-2024-36617

Divya Chellam (1):
      ruby: fix CVE-2024-41946

Mingli Yu (1):
      procps: replaced one use of fputs(3) with a write(2) call

Peter Marko (2):
      subversion: ignore CVE-2024-45720
      libpcre2: ignore CVE-2022-1586

Richard Purdie (1):
      scritps/runqemu: Ensure we only have two serial ports

Vijay Anusuri (1):
      libxml2: Fix for CVE-2022-49043

.../libxml/libxml2/CVE-2022-49043.patch | 38 +
meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 +
.../ruby/ruby/CVE-2024-41946.patch | 117 ++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 +
.../subversion/subversion_1.14.2.bb | 3 +
...x-for-the-bye_bye-function-merge-127.patch | 58 +
...e-use-of-fputs-3-with-a-write-2-call.patch | 50 +
meta/recipes-extended/procps/procps_3.3.17.bb | 2 +
.../ffmpeg/ffmpeg/CVE-2024-36613.patch | 38 +
.../ffmpeg/ffmpeg/CVE-2024-36616.patch | 37 +
.../ffmpeg/ffmpeg/CVE-2024-36617.patch | 38 +
.../ffmpeg/ffmpeg/CVE-2025-0518.patch | 34 +
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 4 +
.../gnutls/gnutls/CVE-2024-12243.patch | 1160 +++++++++++++++++
meta/recipes-support/gnutls/gnutls_3.7.4.bb | 1 +
.../recipes-support/libpcre/libpcre2_10.40.bb | 4 +
scripts/install-buildtools | 4 +-
scripts/runqemu | 17 +-
18 files changed, 1601 insertions(+), 6 deletions(-)
create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-49043.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41946.patch
create mode 100644 meta/recipes-extended/procps/procps/0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch
create mode 100644 meta/recipes-extended/procps/procps/0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch
create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch
--
2.43.0
^ permalink raw reply [flat|nested] 15+ messages in thread* [OE-core][kirkstone 01/12] subversion: ignore CVE-2024-45720 2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman @ 2025-02-18 21:09 ` Steve Sakoman 2025-02-18 21:09 ` [OE-core][kirkstone 02/12] libpcre2: ignore CVE-2022-1586 Steve Sakoman ` (10 subsequent siblings) 11 siblings, 0 replies; 15+ messages in thread From: Steve Sakoman @ 2025-02-18 21:09 UTC (permalink / raw) To: openembedded-core From: Peter Marko <peter.marko@siemens.com> Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-45720 This CVE is relevant only for subversion running on Windows. Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-devtools/subversion/subversion_1.14.2.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-devtools/subversion/subversion_1.14.2.bb b/meta/recipes-devtools/subversion/subversion_1.14.2.bb index 35da95f39d..a979e63c60 100644 --- a/meta/recipes-devtools/subversion/subversion_1.14.2.bb +++ b/meta/recipes-devtools/subversion/subversion_1.14.2.bb @@ -19,6 +19,9 @@ inherit autotools pkgconfig gettext python3native CVE_PRODUCT = "apache:subversion" +# not-applicable-platform: Issue only applies on Windows +CVE_CHECK_IGNORE += "CVE-2024-45720" + PACKAGECONFIG ?= "" PACKAGECONFIG[boost] = "--with-boost=${RECIPE_SYSROOT}${exec_prefix},--without-boost,boost" -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
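Review bot: The comment above the new CVE_CHECK_IGNORE line in subversion_1.14.2.bb gives the reason (Windows only) but not its source; the NVD link appears only in the commit message. Suggest adding that URL to the recipe comment next to "# not-applicable-platform: Issue only applies on Windows" so the justification can be re-checked from the recipe when ignores are audited. The entry is also appended unconditionally, so it applies to every build of this recipe; if any supported configuration builds subversion for a Windows host, the ignore should be scoped to exclude it.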
* [OE-core][kirkstone 02/12] libpcre2: ignore CVE-2022-1586 2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman 2025-02-18 21:09 ` [OE-core][kirkstone 01/12] subversion: ignore CVE-2024-45720 Steve Sakoman @ 2025-02-18 21:09 ` Steve Sakoman 2025-02-18 21:09 ` [OE-core][kirkstone 03/12] libxml2: Fix for CVE-2022-49043 Steve Sakoman ` (9 subsequent siblings) 11 siblings, 0 replies; 15+ messages in thread From: Steve Sakoman @ 2025-02-18 21:09 UTC (permalink / raw) To: openembedded-core From: Peter Marko <peter.marko@siemens.com> This CVE is fixed in 10.40 NVD wrongly changed <10.40 to =10.40 when adding debian_linux=10.0 Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-1586#VulnChangeHistorySection Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- meta/recipes-support/libpcre/libpcre2_10.40.bb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta/recipes-support/libpcre/libpcre2_10.40.bb b/meta/recipes-support/libpcre/libpcre2_10.40.bb index 74c12ecec2..ba5f8cff32 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.40.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.40.bb @@ -19,6 +19,10 @@ SRC_URI[sha256sum] = "14e4b83c4783933dc17e964318e6324f7cae1bc75d8f3c79bc6969f00c CVE_PRODUCT = "pcre2" +# This CVE is fixed in 10.40 +# NVD wrongly changed <10.40 to =10.40 when adding debian_linux=10.0 +CVE_CHECK_IGNORE += "CVE-2022-1586" + S = "${WORKDIR}/pcre2-${PV}" PROVIDES += "pcre2" -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
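Review bot: The CVE_CHECK_IGNORE entry added to libpcre2_10.40.bb works around what its comment describes as an NVD data error (<10.40 changed to =10.40), so it is needed only while that entry stays wrong. Suggest saying in the comment that the ignore can be dropped once NVD corrects the version range, and including the change-history URL from the commit message there, since the recipe comment on its own gives no way to verify the claim.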
* [OE-core][kirkstone 03/12] libxml2: Fix for CVE-2022-49043 2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman 2025-02-18 21:09 ` [OE-core][kirkstone 01/12] subversion: ignore CVE-2024-45720 Steve Sakoman 2025-02-18 21:09 ` [OE-core][kirkstone 02/12] libpcre2: ignore CVE-2022-1586 Steve Sakoman @ 2025-02-18 21:09 ` Steve Sakoman 2025-02-18 21:09 ` [OE-core][kirkstone 04/12] ruby: fix CVE-2024-41946 Steve Sakoman ` (8 subsequent siblings) 11 siblings, 0 replies; 15+ messages in thread From: Steve Sakoman @ 2025-02-18 21:09 UTC (permalink / raw) To: openembedded-core From: Vijay Anusuri <vanusuri@mvista.com> Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b] Reference: https://access.redhat.com/security/cve/cve-2022-49043 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../libxml/libxml2/CVE-2022-49043.patch | 38 +++++++++++++++++++ meta/recipes-core/libxml/libxml2_2.9.14.bb | 1 + 2 files changed, 39 insertions(+) create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2022-49043.patch diff --git a/meta/recipes-core/libxml/libxml2/CVE-2022-49043.patch b/meta/recipes-core/libxml/libxml2/CVE-2022-49043.patch new file mode 100644 index 0000000000..25c7bc847c --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2022-49043.patch 
@@ -0,0 +1,38 @@ +From 5a19e21605398cef6a8b1452477a8705cb41562b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Wed, 2 Nov 2022 16:13:27 +0100 +Subject: [PATCH] malloc-fail: Fix use-after-free in xmlXIncludeAddNode + +Found with libFuzzer, see #344. + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/5a19e21605398cef6a8b1452477a8705cb41562b] +CVE: CVE-2022-49043 +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> +--- + xinclude.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/xinclude.c b/xinclude.c +index e5fdf0f..36fa8ec 100644 +--- a/xinclude.c ++++ b/xinclude.c +@@ -612,14 +612,15 @@ xmlXIncludeAddNode(xmlXIncludeCtxtPtr ctxt, xmlNodePtr cur) { + } + URL = xmlSaveUri(uri); + xmlFreeURI(uri); +- xmlFree(URI); + if (URL == NULL) { + xmlXIncludeErr(ctxt, cur, XML_XINCLUDE_HREF_URI, + "invalid value URI %s\n", URI); + if (fragment != NULL) + xmlFree(fragment); ++ xmlFree(URI); + return(-1); + } ++ xmlFree(URI); + + if (xmlStrEqual(URL, ctxt->doc->URL)) + local = 1; +-- +2.25.1 + diff --git a/meta/recipes-core/libxml/libxml2_2.9.14.bb b/meta/recipes-core/libxml/libxml2_2.9.14.bb index 94b3b510ae..ecaae0b436 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.14.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.14.bb @@ -33,6 +33,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20080827.tar;subdir=${BP};name=testt file://CVE-2023-45322-2.patch \ file://CVE-2024-25062.patch \ file://CVE-2024-34459.patch \ + file://CVE-2022-49043.patch \ " SRC_URI[archive.sha256sum] = "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee" -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
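Review bot: The commit message for this backport gives only the upstream and Red Hat links and does not state the flaw, which is visible only in the xinclude.c hunk of the embedded patch: xmlFree(URI) ran before the URL == NULL error path passed URI to xmlXIncludeErr as the %s argument. Suggest adding one sentence to that effect so the backport can be assessed without opening the patch. In the hunk itself, URI is now released separately on the error path and on the fall-through path, so both added xmlFree(URI) lines are required and neither should be folded back above the check.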
* [OE-core][kirkstone 04/12] ruby: fix CVE-2024-41946 2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman ` (2 preceding siblings ...) 2025-02-18 21:09 ` [OE-core][kirkstone 03/12] libxml2: Fix for CVE-2022-49043 Steve Sakoman @ 2025-02-18 21:09 ` Steve Sakoman 2025-02-18 21:09 ` [OE-core][kirkstone 05/12] gnutls: fix CVE-2024-12243 Steve Sakoman ` (7 subsequent siblings) 11 siblings, 0 replies; 15+ messages in thread From: Steve Sakoman @ 2025-02-18 21:09 UTC (permalink / raw) To: openembedded-core From: Divya Chellam <divya.chellam@windriver.com> REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41946 Upstream-patch: https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368 Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../ruby/ruby/CVE-2024-41946.patch | 117 ++++++++++++++++++ meta/recipes-devtools/ruby/ruby_3.1.3.bb | 1 + 2 files changed, 118 insertions(+) create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-41946.patch diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2024-41946.patch b/meta/recipes-devtools/ruby/ruby/CVE-2024-41946.patch new file mode 100644 index 0000000000..0da383f9b9 --- /dev/null +++ b/meta/recipes-devtools/ruby/ruby/CVE-2024-41946.patch 
@@ -0,0 +1,117 @@ +From 033d1909a8f259d5a7c53681bcaf14f13bcf0368 Mon Sep 17 00:00:00 2001 +From: NAITOH Jun <naitoh@gmail.com> +Date: Thu, 1 Aug 2024 09:20:31 +0900 +Subject: [PATCH] Add support for XML entity expansion limitation in SAX and + pull parsers (#187) + +- Supported `REXML::Security.entity_expansion_limit=` in SAX and pull parsers +- Supported `REXML::Security.entity_expansion_text_limit=` in SAX and pull parsers + +CVE: CVE-2024-41946 + +Upstream-Status: Backport [https://github.com/ruby/rexml/commit/033d1909a8f259d5a7c53681bcaf14f13bcf0368] + +Signed-off-by: Divya Chellam <divya.chellam@windriver.com> +--- + .../lib/rexml/parsers/baseparser.rb | 19 ++++++++++++++++++- + .../lib/rexml/parsers/pullparser.rb | 4 ++++ + .../lib/rexml/parsers/sax2parser.rb | 4 ++++ + 3 files changed, 26 insertions(+), 1 deletion(-) + +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +index 661f0e2..e32c7f4 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/baseparser.rb +@@ -135,6 +135,7 @@ module REXML + def initialize( source ) + self.stream = source + @listeners = [] ++ @entity_expansion_count = 0 + @attributes_scanner = StringScanner.new('') + end + +@@ -143,6 +144,7 @@ module REXML + end + + attr_reader :source ++ attr_reader :entity_expansion_count + + def stream=( source ) + @source = SourceFactory.create_from( source ) +@@ -447,7 +449,9 @@ module REXML + def entity( reference, entities ) + value = nil + value = entities[ reference ] if entities +- if not value ++ if value ++ record_entity_expansion ++ else + value = DEFAULT_ENTITIES[ reference ] + value = value[2] if value + end +@@ -486,12 +490,17 @@ module REXML + } + matches.collect!{|x|x[0]}.compact! 
+ if matches.size > 0 ++ sum = 0 + matches.each do |entity_reference| + unless filter and filter.include?(entity_reference) + entity_value = entity( entity_reference, entities ) + if entity_value + re = Private::DEFAULT_ENTITIES_PATTERNS[entity_reference] || /&#{entity_reference};/ + rv.gsub!( re, entity_value ) ++ sum += rv.bytesize ++ if sum > Security.entity_expansion_text_limit ++ raise "entity expansion has grown too large" ++ end + else + er = DEFAULT_ENTITIES[entity_reference] + rv.gsub!( er[0], er[2] ) if er +@@ -504,6 +513,14 @@ module REXML + end + + private ++ ++ def record_entity_expansion ++ @entity_expansion_count += 1 ++ if @entity_expansion_count > Security.entity_expansion_limit ++ raise "number of entity expansions exceeded, processing aborted." ++ end ++ end ++ + def need_source_encoding_update?(xml_declaration_encoding) + return false if xml_declaration_encoding.nil? + return false if /\AUTF-16\z/i =~ xml_declaration_encoding +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb +index f8b232a..36b4595 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/pullparser.rb +@@ -47,6 +47,10 @@ module REXML + @listeners << listener + end + ++ def entity_expansion_count ++ @parser.entity_expansion_count ++ end ++ + def each + while has_next? + yield self.pull +diff --git a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb +index 6a24ce2..01cb469 100644 +--- a/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb ++++ b/.bundle/gems/rexml-3.2.5/lib/rexml/parsers/sax2parser.rb +@@ -22,6 +22,10 @@ module REXML + @parser.source + end + ++ def entity_expansion_count ++ @parser.entity_expansion_count ++ end ++ + def add_listener( listener ) + @parser.add_listener( listener ) + end +-- +2.40.0 + 
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb index eec7e4684c..96873fd7fa 100644 --- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb +++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb @@ -45,6 +45,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \ file://CVE-2024-49761-0007.patch \ file://CVE-2024-49761-0008.patch \ file://CVE-2024-49761-0009.patch \ + file://CVE-2024-41946.patch \ " UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/" -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
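Review bot: The commit message names REXML gem 3.3.2 as the vulnerable version, while the embedded patch is applied under .bundle/gems/rexml-3.2.5; please confirm that 3.2.5 is affected and that Security.entity_expansion_limit and Security.entity_expansion_text_limit, which the new code in baseparser.rb reads, exist in that bundled version. In the unnormalize hunk, "sum += rv.bytesize" adds the size of the whole string after every substitution, so the text limit is compared against a running total rather than the final size; that is a stricter cap and should be a conscious choice. The diffstat of the embedded patch lists only the three parser files, so no test for the new limits comes with the backport.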
* [OE-core][kirkstone 05/12] gnutls: fix CVE-2024-12243 2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman ` (3 preceding siblings ...) 2025-02-18 21:09 ` [OE-core][kirkstone 04/12] ruby: fix CVE-2024-41946 Steve Sakoman @ 2025-02-18 21:09 ` Steve Sakoman 2025-02-18 21:09 ` [OE-core][kirkstone 06/12] ffmpeg: CVE-2025-0518 Steve Sakoman ` (6 subsequent siblings) 11 siblings, 0 replies; 15+ messages in thread From: Steve Sakoman @ 2025-02-18 21:09 UTC (permalink / raw) To: openembedded-core From: Archana Polampalli <archana.polampalli@windriver.com> A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition. Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../gnutls/gnutls/CVE-2024-12243.patch | 1160 +++++++++++++++++ meta/recipes-support/gnutls/gnutls_3.7.4.bb | 1 + 2 files changed, 1161 insertions(+) create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch b/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch new file mode 100644 index 0000000000..c0ff21fd25 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2024-12243.patch 
@@ -0,0 +1,1160 @@ +From 4760bc63531e3f5039e70ede91a20e1194410892 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno <ueno@gnu.org> +Date: Mon, 18 Nov 2024 17:23:46 +0900 +Subject: [PATCH] x509: optimize name constraints processing + +This switches the representation name constraints from linked lists to +array lists to optimize the lookup performance from O(n) to O(1), also +enforces a limit of name constraint checks against subject alternative +names. + +Signed-off-by: Daiki Ueno <ueno@gnu.org> + +CVE: CVE-2024-12243 + +Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/4760bc63531e3f5039e70ede91a20e1194410892] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/datum.c | 7 +- + lib/x509/name_constraints.c | 594 +++++++++++++++++++++--------------- + lib/x509/x509_ext.c | 87 +++--- + lib/x509/x509_ext_int.h | 5 + + lib/x509/x509_int.h | 24 +- + 5 files changed, 405 insertions(+), 312 deletions(-) + +diff --git a/lib/datum.c b/lib/datum.c +index bd0f216..b0e8d11 100644 +--- a/lib/datum.c ++++ b/lib/datum.c +@@ -29,6 +29,7 @@ + #include <num.h> + #include <datum.h> + #include "errors.h" ++#include "intprops.h" + + /* On error, @dat is not changed. 
*/ + int +@@ -61,7 +62,11 @@ _gnutls_set_strdatum(gnutls_datum_t * dat, const void *data, size_t data_size) + if (data == NULL) + return gnutls_assert_val(GNUTLS_E_ILLEGAL_PARAMETER); + +- unsigned char *m = gnutls_malloc(data_size + 1); ++ size_t capacity; ++ if (!INT_ADD_OK(data_size, 1, &capacity)) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ ++ unsigned char *m = gnutls_malloc(capacity); + if (!m) + return GNUTLS_E_MEMORY_ERROR; + +diff --git a/lib/x509/name_constraints.c b/lib/x509/name_constraints.c +index 6c1546e..c9eab70 100644 +--- a/lib/x509/name_constraints.c ++++ b/lib/x509/name_constraints.c +@@ -33,49 +33,99 @@ + #include <gnutls/x509-ext.h> + #include <x509_b64.h> + #include <x509_int.h> ++#include "x509_ext_int.h" + #include <libtasn1.h> + + #include "ip.h" + #include "ip-in-cidr.h" + ++#include "intprops.h" ++ ++#define MAX_NC_CHECKS (1 << 20) ++ ++struct name_constraints_node_st { ++ unsigned type; ++ gnutls_datum_t name; ++}; ++ ++struct name_constraints_node_list_st { ++ struct name_constraints_node_st **data; ++ size_t size; ++ size_t capacity; ++}; ++ ++struct gnutls_name_constraints_st { ++ struct name_constraints_node_list_st nodes; /* owns elements */ ++ struct name_constraints_node_list_st permitted; /* borrows elements */ ++ struct name_constraints_node_list_st excluded; /* borrows elements */ ++}; ++ ++static struct name_constraints_node_st * ++name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, ++ unsigned char *data, unsigned int size); ++ ++static int name_constraints_node_list_add(struct name_constraints_node_list_st *list, ++ struct name_constraints_node_st *node) ++{ ++ if (!list->capacity || list->size == list->capacity) { ++ size_t new_capacity = list->capacity; ++ struct name_constraints_node_st **new_data; ++ ++ if (!INT_MULTIPLY_OK(new_capacity, 2, &new_capacity) || ++ !INT_ADD_OK(new_capacity, 1, &new_capacity)) ++ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); ++ new_data = 
_gnutls_reallocarray( ++ list->data, new_capacity, ++ sizeof(struct name_constraints_node_st *)); ++ if (!new_data) ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ list->capacity = new_capacity; ++ list->data = new_data; ++ } ++ list->data[list->size++] = node; ++ return 0; ++} ++ + // for documentation see the implementation +-static int name_constraints_intersect_nodes(name_constraints_node_st * nc1, +- name_constraints_node_st * nc2, +- name_constraints_node_st ** intersection); ++static int name_constraints_intersect_nodes( ++ gnutls_x509_name_constraints_t nc, ++ const struct name_constraints_node_st *node1, ++ const struct name_constraints_node_st *node2, ++ struct name_constraints_node_st **intersection); + + /*- +- * is_nc_empty: ++ * _gnutls_x509_name_constraints_is_empty: + * @nc: name constraints structure +- * @type: type (gnutls_x509_subject_alt_name_t) ++ * @type: type (gnutls_x509_subject_alt_name_t or 0) + * + * Test whether given name constraints structure has any constraints (permitted + * or excluded) of a given type. @nc must be allocated (not NULL) before the call. ++ * If @type is 0, type checking will be skipped. 
+ * +- * Returns: 0 if @nc contains constraints of type @type, 1 otherwise ++ * Returns: false if @nc contains constraints of type @type, true otherwise + -*/ +-static unsigned is_nc_empty(struct gnutls_name_constraints_st* nc, unsigned type) ++bool _gnutls_x509_name_constraints_is_empty(gnutls_x509_name_constraints_t nc, ++ unsigned type) + { +- name_constraints_node_st *t; ++ if (nc->permitted.size == 0 && nc->excluded.size == 0) ++ return true; + +- if (nc->permitted == NULL && nc->excluded == NULL) +- return 1; ++ if (type == 0) ++ return false; + +- t = nc->permitted; +- while (t != NULL) { +- if (t->type == type) +- return 0; +- t = t->next; ++ for (size_t i = 0; i < nc->permitted.size; i++) { ++ if (nc->permitted.data[i]->type == type) ++ return false; + } + +- t = nc->excluded; +- while (t != NULL) { +- if (t->type == type) +- return 0; +- t = t->next; ++ for (size_t i = 0; i < nc->excluded.size; i++) { ++ if (nc->excluded.data[i]->type == type) ++ return false; ++ + } + + /* no constraint for that type exists */ +- return 1; ++ return true; + } + + /*- +@@ -111,21 +161,16 @@ static int validate_name_constraints_node(gnutls_x509_subject_alt_name_t type, + return GNUTLS_E_SUCCESS; + } + +-int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr, +- name_constraints_node_st ** _nc) ++static int extract_name_constraints(gnutls_x509_name_constraints_t nc, ++ asn1_node c2, const char *vstr, ++ struct name_constraints_node_list_st *nodes) + { + int ret; + char tmpstr[128]; + unsigned indx; + gnutls_datum_t tmp = { NULL, 0 }; + unsigned int type; +- struct name_constraints_node_st *nc, *prev; +- +- prev = *_nc; +- if (prev != NULL) { +- while(prev->next != NULL) +- prev = prev->next; +- } ++ struct name_constraints_node_st *node; + + for (indx=1;;indx++) { + snprintf(tmpstr, sizeof(tmpstr), "%s.?%u.base", vstr, indx); +@@ -144,25 +189,19 @@ int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr, + goto cleanup; + } + +- nc = 
gnutls_malloc(sizeof(struct name_constraints_node_st)); +- if (nc == NULL) { ++ node = name_constraints_node_new(nc, type, tmp.data, tmp.size); ++ _gnutls_free_datum(&tmp); ++ if (node == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + +- memcpy(&nc->name, &tmp, sizeof(gnutls_datum_t)); +- nc->type = type; +- nc->next = NULL; +- +- if (prev == NULL) { +- *_nc = prev = nc; +- } else { +- prev->next = nc; +- prev = nc; ++ ret = name_constraints_node_list_add(nodes, node); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- +- tmp.data = NULL; + } + + assert(ret < 0); +@@ -177,84 +216,102 @@ int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr, + return ret; + } + ++int _gnutls_x509_name_constraints_extract(asn1_node c2, ++ const char *permitted_name, ++ const char *excluded_name, ++ gnutls_x509_name_constraints_t nc) ++{ ++ int ret; ++ ++ ret = extract_name_constraints(nc, c2, permitted_name, &nc->permitted); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ret = extract_name_constraints(nc, c2, excluded_name, &nc->excluded); ++ if (ret < 0) ++ return gnutls_assert_val(ret); ++ ++ return ret; ++} ++ + /*- +- * _gnutls_name_constraints_node_free: ++ * name_constraints_node_free: + * @node: name constraints node + * +- * Deallocate a list of name constraints nodes starting at the given node. ++ * Deallocate a name constraints node. 
+ -*/ +-void _gnutls_name_constraints_node_free(name_constraints_node_st *node) ++static void name_constraints_node_free(struct name_constraints_node_st *node) + { +- name_constraints_node_st *next, *t; +- +- t = node; +- while (t != NULL) { +- next = t->next; +- gnutls_free(t->name.data); +- gnutls_free(t); +- t = next; ++ if (node) { ++ gnutls_free(node->name.data); ++ gnutls_free(node); + } + } + + /*- + * name_constraints_node_new: + * @type: name constraints type to set (gnutls_x509_subject_alt_name_t) ++ * @nc: a %gnutls_x509_name_constraints_t + * @data: name.data to set or NULL + * @size: name.size to set + * + * Allocate a new name constraints node and set its type, name size and name data. +- * If @data is set to NULL, name data will be an array of \x00 (the length of @size). +- * The .next pointer is set to NULL. + * + * Returns: Pointer to newly allocated node or NULL in case of memory error. + -*/ +-static name_constraints_node_st* name_constraints_node_new(unsigned type, +- unsigned char *data, +- unsigned int size) ++static struct name_constraints_node_st * ++name_constraints_node_new(gnutls_x509_name_constraints_t nc, unsigned type, ++ unsigned char *data, unsigned int size) + { +- name_constraints_node_st *tmp = gnutls_malloc(sizeof(struct name_constraints_node_st)); ++ struct name_constraints_node_st *tmp; ++ int ret; ++ ++ tmp = gnutls_calloc(1, sizeof(struct name_constraints_node_st)); + if (tmp == NULL) + return NULL; + tmp->type = type; +- tmp->next = NULL; +- tmp->name.size = size; +- tmp->name.data = NULL; +- if (tmp->name.size > 0) { +- +- tmp->name.data = gnutls_malloc(tmp->name.size); +- if (tmp->name.data == NULL) { ++ if (data) { ++ ret = _gnutls_set_strdatum(&tmp->name, data, size); ++ if (ret < 0) { ++ gnutls_assert(); + gnutls_free(tmp); + return NULL; + } +- if (data != NULL) { +- memcpy(tmp->name.data, data, size); +- } else { +- memset(tmp->name.data, 0, size); +- } + } ++ ret = name_constraints_node_list_add(&nc->nodes, tmp); ++ 
if (ret < 0) { ++ gnutls_assert(); ++ name_constraints_node_free(tmp); ++ return NULL; ++ } ++ + return tmp; + } + + /*- +- * @brief _gnutls_name_constraints_intersect: +- * @_nc: first name constraints list (permitted) +- * @_nc2: name constraints list to merge with (permitted) +- * @_nc_excluded: Corresponding excluded name constraints list ++ * @brief name_constraints_node_list_intersect: ++ * @nc: %gnutls_x509_name_constraints_t ++ * @permitted: first name constraints list (permitted) ++ * @permitted2: name constraints list to merge with (permitted) ++ * @excluded: Corresponding excluded name constraints list + * +- * This function finds the intersection of @_nc and @_nc2. The result is placed in @_nc, +- * the original @_nc is deallocated. @_nc2 is not changed. If necessary, a universal ++ * This function finds the intersection of @permitted and @permitted2. The result is placed in @permitted, ++ * the original @permitted is modified. @permitted2 is not changed. If necessary, a universal + * excluded name constraint node of the right type is added to the list provided +- * in @_nc_excluded. ++ * in @excluded. + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. 
+ -*/ +-static +-int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, +- name_constraints_node_st * _nc2, +- name_constraints_node_st ** _nc_excluded) ++static int name_constraints_node_list_intersect( ++ gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *permitted, ++ const struct name_constraints_node_list_st *permitted2, ++ struct name_constraints_node_list_st *excluded) + { +- name_constraints_node_st *nc, *nc2, *t, *tmp, *dest = NULL, *prev = NULL; ++ struct name_constraints_node_st *tmp; + int ret, type, used; ++ struct name_constraints_node_list_st removed = { .data = NULL, ++ .size = 0, ++ .capacity = 0 }; + + /* temporary array to see, if we need to add universal excluded constraints + * (see phase 3 for details) +@@ -262,61 +319,73 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, + unsigned char types_with_empty_intersection[GNUTLS_SAN_MAX]; + memset(types_with_empty_intersection, 0, sizeof(types_with_empty_intersection)); + +- if (*_nc == NULL || _nc2 == NULL) ++ if (permitted->size == 0 || permitted2->size == 0) + return 0; + + /* Phase 1 +- * For each name in _NC, if a _NC2 does not contain a name +- * with the same type, preserve the original name. +- * Do this also for node of unknown type (not DNS, email, IP */ +- t = nc = *_nc; +- while (t != NULL) { +- name_constraints_node_st *next = t->next; +- nc2 = _nc2; +- while (nc2 != NULL) { +- if (t->type == nc2->type) { ++ * For each name in PERMITTED, if a PERMITTED2 does not contain a name ++ * with the same type, move the original name to REMOVED. 
++ * Do this also for node of unknown type (not DNS, email, IP) */ ++ for (size_t i = 0; i < permitted->size;) { ++ struct name_constraints_node_st *t = permitted->data[i]; ++ const struct name_constraints_node_st *found = NULL; ++ ++ for (size_t j = 0; j < permitted2->size; j++) { ++ const struct name_constraints_node_st *t2 = ++ permitted2->data[j]; ++ if (t->type == t2->type) { + // check bounds (we will use 't->type' as index) +- if (t->type > GNUTLS_SAN_MAX || t->type == 0) +- return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); ++ if (t->type > GNUTLS_SAN_MAX || t->type == 0) { ++ gnutls_assert(); ++ ret = GNUTLS_E_INTERNAL_ERROR; ++ goto cleanup; ++ } + // note the possibility of empty intersection for this type + // if we add something to the intersection in phase 2, + // we will reset this flag back to 0 then + types_with_empty_intersection[t->type - 1] = 1; ++ found = t2; + break; + } +- nc2 = nc2->next; + } +- if (nc2 == NULL || +- (t->type != GNUTLS_SAN_DNSNAME && +- t->type != GNUTLS_SAN_RFC822NAME && +- t->type != GNUTLS_SAN_IPADDRESS) +- ) { +- /* move node from NC to DEST */ +- if (prev != NULL) +- prev->next = next; +- else +- prev = nc = next; +- t->next = dest; +- dest = t; +- } else { +- prev = t; ++ if (found != NULL && (t->type == GNUTLS_SAN_DNSNAME || ++ t->type == GNUTLS_SAN_RFC822NAME || ++ t->type == GNUTLS_SAN_IPADDRESS)) { ++ /* move node from PERMITTED to REMOVED */ ++ ret = name_constraints_node_list_add(&removed, t); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ /* remove node by swapping */ ++ if (i < permitted->size - 1) ++ permitted->data[i] = ++ permitted->data[permitted->size - 1]; ++ permitted->size--; ++ continue; ++ + } +- t = next; ++ i++; + } + + /* Phase 2 +- * iterate through all combinations from nc2 and nc1 ++ * iterate through all combinations from PERMITTED2 and PERMITTED + * and create intersections of nodes with same type */ +- nc2 = _nc2; +- while (nc2 != NULL) { +- // current nc2 node has not yet 
been used for any intersection +- // (and is not in DEST either) ++ for (size_t i = 0; i < permitted2->size; i++) { ++ const struct name_constraints_node_st *t2 = permitted2->data[i]; ++ ++ // current PERMITTED2 node has not yet been used for any intersection ++ // (and is not in REMOVED either) + used = 0; +- t = nc; +- while (t != NULL) { ++ for (size_t j = 0; j < removed.size; j++) { ++ const struct name_constraints_node_st *t = ++ removed.data[j]; + // save intersection of name constraints into tmp +- ret = name_constraints_intersect_nodes(t, nc2, &tmp); +- if (ret < 0) return gnutls_assert_val(ret); ++ ret = name_constraints_intersect_nodes(nc, t, t2, &tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } + used = 1; + // if intersection is not empty + if (tmp != NULL) { // intersection for this type is not empty +@@ -327,31 +396,35 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, + } + // we will not add universal excluded constraint for this type + types_with_empty_intersection[tmp->type - 1] = 0; +- // add intersection node to DEST +- tmp->next = dest; +- dest = tmp; ++ // add intersection node to PERMITTED ++ ret = name_constraints_node_list_add(permitted, ++ tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ } ++ + } +- t = t->next; + } +- // if the node from nc2 was not used for intersection, copy it to DEST ++ // if the node from PERMITTED2 was not used for intersection, copy it to DEST + // Beware: also copies nodes other than DNS, email, IP, + // since their counterpart may have been moved in phase 1. 
+ if (!used) { +- tmp = name_constraints_node_new(nc2->type, nc2->name.data, nc2->name.size); ++ tmp = name_constraints_node_new(nc, t2->type, t2->name.data, t2->name.size); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(permitted, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ + } +- tmp->next = dest; +- dest = tmp; + } +- nc2 = nc2->next; + } + +- /* replace the original with the new */ +- _gnutls_name_constraints_node_free(nc); +- *_nc = dest; +- + /* Phase 3 + * For each type: If we have empty permitted name constraints now + * and we didn't have at the beginning, we have to add a new +@@ -364,60 +437,79 @@ int _gnutls_name_constraints_intersect(name_constraints_node_st ** _nc, + switch (type) { + case GNUTLS_SAN_IPADDRESS: + // add universal restricted range for IPv4 +- tmp = name_constraints_node_new(GNUTLS_SAN_IPADDRESS, NULL, 8); ++ tmp = name_constraints_node_new( ++ nc, GNUTLS_SAN_IPADDRESS, NULL, 8); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(excluded, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; ++ + } +- tmp->next = *_nc_excluded; +- *_nc_excluded = tmp; + // add universal restricted range for IPv6 +- tmp = name_constraints_node_new(GNUTLS_SAN_IPADDRESS, NULL, 32); ++ tmp = name_constraints_node_new( ++ nc, GNUTLS_SAN_IPADDRESS, NULL, 32); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(excluded, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- tmp->next 
= *_nc_excluded; +- *_nc_excluded = tmp; + break; + case GNUTLS_SAN_DNSNAME: + case GNUTLS_SAN_RFC822NAME: +- tmp = name_constraints_node_new(type, NULL, 0); ++ tmp = name_constraints_node_new(nc, type, NULL, 0); + if (tmp == NULL) { +- _gnutls_name_constraints_node_free(dest); +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ gnutls_assert(); ++ ret = GNUTLS_E_MEMORY_ERROR; ++ goto cleanup; ++ } ++ ret = name_constraints_node_list_add(excluded, tmp); ++ if (ret < 0) { ++ gnutls_assert(); ++ goto cleanup; + } +- tmp->next = *_nc_excluded; +- *_nc_excluded = tmp; + break; + default: // do nothing, at least one node was already moved in phase 1 + break; + } + } +- return GNUTLS_E_SUCCESS; +-} +- +-static int _gnutls_name_constraints_append(name_constraints_node_st **_nc, +- name_constraints_node_st *_nc2) +-{ +- name_constraints_node_st *nc, *nc2; +- struct name_constraints_node_st *tmp; ++ ret = GNUTLS_E_SUCCESS; + +- if (_nc2 == NULL) +- return 0; ++cleanup: ++ gnutls_free(removed.data); ++ return ret; + +- nc2 = _nc2; +- while (nc2) { +- nc = *_nc; ++} + +- tmp = name_constraints_node_new(nc2->type, nc2->name.data, nc2->name.size); +- if (tmp == NULL) ++static int name_constraints_node_list_concat( ++ gnutls_x509_name_constraints_t nc, ++ struct name_constraints_node_list_st *nodes, ++ const struct name_constraints_node_list_st *nodes2) ++{ ++ for (size_t i = 0; i < nodes2->size; i++) { ++ const struct name_constraints_node_st *node = nodes2->data[i]; ++ struct name_constraints_node_st *tmp; ++ int ret; ++ ++ tmp = name_constraints_node_new(nc, node->type, node->name.data, ++ node->name.size); ++ if (tmp == NULL) { + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- +- tmp->next = nc; +- *_nc = tmp; +- +- nc2 = nc2->next; ++ } ++ ret = name_constraints_node_list_add(nodes, tmp); ++ if (ret < 0) { ++ name_constraints_node_free(tmp); ++ return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); ++ } + } + + return 0; +@@ -487,6 +579,25 @@ int 
gnutls_x509_crt_get_name_constraints(gnutls_x509_crt_t crt, + + } + ++void _gnutls_x509_name_constraints_clear(gnutls_x509_name_constraints_t nc) ++{ ++ for (size_t i = 0; i < nc->nodes.size; i++) { ++ struct name_constraints_node_st *node = nc->nodes.data[i]; ++ name_constraints_node_free(node); ++ } ++ gnutls_free(nc->nodes.data); ++ nc->nodes.capacity = 0; ++ nc->nodes.size = 0; ++ ++ gnutls_free(nc->permitted.data); ++ nc->permitted.capacity = 0; ++ nc->permitted.size = 0; ++ ++ gnutls_free(nc->excluded.data); ++ nc->excluded.capacity = 0; ++ nc->excluded.size = 0; ++} ++ + /** + * gnutls_x509_name_constraints_deinit: + * @nc: The nameconstraints +@@ -497,10 +608,9 @@ int gnutls_x509_crt_get_name_constraints(gnutls_x509_crt_t crt, + **/ + void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc) + { +- _gnutls_name_constraints_node_free(nc->permitted); +- _gnutls_name_constraints_node_free(nc->excluded); +- ++ _gnutls_x509_name_constraints_clear(nc); + gnutls_free(nc); ++ + } + + /** +@@ -515,12 +625,15 @@ void gnutls_x509_name_constraints_deinit(gnutls_x509_name_constraints_t nc) + **/ + int gnutls_x509_name_constraints_init(gnutls_x509_name_constraints_t *nc) + { +- *nc = gnutls_calloc(1, sizeof(struct gnutls_name_constraints_st)); +- if (*nc == NULL) { ++ struct gnutls_name_constraints_st *tmp; ++ ++ tmp = gnutls_calloc(1, sizeof(struct gnutls_name_constraints_st)); ++ if (tmp == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + ++ *nc = tmp; + return 0; + } + +@@ -530,37 +643,23 @@ int name_constraints_add(gnutls_x509_name_constraints_t nc, + const gnutls_datum_t * name, + unsigned permitted) + { +- struct name_constraints_node_st * tmp, *prev = NULL; ++ struct name_constraints_node_st *tmp; ++ struct name_constraints_node_list_st *nodes; + int ret; + + ret = validate_name_constraints_node(type, name); + if (ret < 0) + return gnutls_assert_val(ret); + +- if (permitted != 0) +- prev = tmp = nc->permitted; +- else +- prev = 
tmp = nc->excluded; ++ nodes = permitted ? &nc->permitted : &nc->excluded; + +- while(tmp != NULL) { +- tmp = tmp->next; +- if (tmp != NULL) +- prev = tmp; ++ tmp = name_constraints_node_new(nc, type, name->data, name->size); ++ ret = name_constraints_node_list_add(nodes, tmp); ++ if (ret < 0) { ++ name_constraints_node_free(tmp); ++ return gnutls_assert_val(ret); + } + +- tmp = name_constraints_node_new(type, name->data, name->size); +- if (tmp == NULL) +- return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); +- tmp->next = NULL; +- +- if (prev == NULL) { +- if (permitted != 0) +- nc->permitted = tmp; +- else +- nc->excluded = tmp; +- } else +- prev->next = tmp; +- + return 0; + } + +@@ -585,17 +684,15 @@ int _gnutls_x509_name_constraints_merge(gnutls_x509_name_constraints_t nc, + { + int ret; + +- ret = +- _gnutls_name_constraints_intersect(&nc->permitted, +- nc2->permitted, &nc->excluded); ++ ret = name_constraints_node_list_intersect( ++ nc, &nc->permitted, &nc2->permitted, &nc->excluded); + if (ret < 0) { + gnutls_assert(); + return ret; + } + +- ret = +- _gnutls_name_constraints_append(&nc->excluded, +- nc2->excluded); ++ ret = name_constraints_node_list_concat(nc, &nc->excluded, ++ &nc2->excluded); + if (ret < 0) { + gnutls_assert(); + return ret; +@@ -767,47 +864,50 @@ static unsigned email_matches(const gnutls_datum_t *name, const gnutls_datum_t * + * + * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. 
+ -*/ +-static int +-name_constraints_intersect_nodes(name_constraints_node_st * nc1, +- name_constraints_node_st * nc2, +- name_constraints_node_st ** _intersection) ++static int name_constraints_intersect_nodes( ++ gnutls_x509_name_constraints_t nc, ++ const struct name_constraints_node_st *node1, ++ const struct name_constraints_node_st *node2, ++ struct name_constraints_node_st **_intersection) + { + // presume empty intersection +- name_constraints_node_st *intersection = NULL; +- name_constraints_node_st *to_copy = NULL; ++ struct name_constraints_node_st *intersection = NULL; ++ const struct name_constraints_node_st *to_copy = NULL; + unsigned iplength = 0; + unsigned byte; + + *_intersection = NULL; + +- if (nc1->type != nc2->type) { ++ if (node1->type != node2->type) { + return GNUTLS_E_SUCCESS; + } +- switch (nc1->type) { ++ switch (node1->type) { + case GNUTLS_SAN_DNSNAME: +- if (!dnsname_matches(&nc2->name, &nc1->name)) ++ if (!dnsname_matches(&node2->name, &node1->name)) + return GNUTLS_E_SUCCESS; +- to_copy = nc2; + break; + case GNUTLS_SAN_RFC822NAME: +- if (!email_matches(&nc2->name, &nc1->name)) ++ if (!email_matches(&node2->name, &node1->name)) + return GNUTLS_E_SUCCESS; +- to_copy = nc2; ++ to_copy = node2; + break; + case GNUTLS_SAN_IPADDRESS: +- if (nc1->name.size != nc2->name.size) ++ if (node1->name.size != node2->name.size) + return GNUTLS_E_SUCCESS; +- iplength = nc1->name.size/2; ++ iplength = node1->name.size / 2; + for (byte = 0; byte < iplength; byte++) { +- if (((nc1->name.data[byte]^nc2->name.data[byte]) // XOR of addresses +- & nc1->name.data[byte+iplength] // AND mask from nc1 +- & nc2->name.data[byte+iplength]) // AND mask from nc2 ++ if (((node1->name.data[byte] ^ ++ node2->name.data[byte]) // XOR of addresses ++ & node1->name.data[byte + ++ iplength] // AND mask from nc1 ++ & node2->name.data[byte + ++ iplength]) // AND mask from nc2 + != 0) { + // CIDRS do not intersect + return GNUTLS_E_SUCCESS; + } + } +- to_copy = nc2; ++ 
to_copy = node2; + break; + default: + // for other types, we don't know how to do the intersection, assume empty +@@ -816,7 +916,9 @@ name_constraints_intersect_nodes(name_constraints_node_st * nc1, + + // copy existing node if applicable + if (to_copy != NULL) { +- *_intersection = name_constraints_node_new(to_copy->type, to_copy->name.data, to_copy->name.size); ++ *_intersection = name_constraints_node_new(nc, to_copy->type, ++ to_copy->name.data, ++ to_copy->name.size); + if (*_intersection == NULL) + return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR); + intersection = *_intersection; +@@ -826,10 +928,11 @@ name_constraints_intersect_nodes(name_constraints_node_st * nc1, + if (intersection->type == GNUTLS_SAN_IPADDRESS) { + // make sure both IP addresses are correctly masked + _gnutls_mask_ip(intersection->name.data, intersection->name.data+iplength, iplength); +- _gnutls_mask_ip(nc1->name.data, nc1->name.data+iplength, iplength); ++ _gnutls_mask_ip(node1->name.data, ++ node1->name.data + iplength, iplength); + // update intersection, if necessary (we already know one is subset of other) + for (byte = 0; byte < 2 * iplength; byte++) { +- intersection->name.data[byte] |= nc1->name.data[byte]; ++ intersection->name.data[byte] |= node1->name.data[byte]; + } + } + } +@@ -1123,10 +1226,16 @@ int ret; + unsigned idx, t, san_type; + gnutls_datum_t n; + unsigned found_one; ++size_t checks; + +- if (is_nc_empty(nc, type) != 0) ++ if (_gnutls_x509_name_constraints_is_empty(nc, type) != 0) + return 1; /* shortcut; no constraints to check */ + ++ if (!INT_ADD_OK(nc->permitted.size, nc->excluded.size, &checks) || ++ !INT_MULTIPLY_OK(checks, cert->san->size, &checks) || ++ checks > MAX_NC_CHECKS) { ++ return gnutls_assert_val(0); ++ } + if (type == GNUTLS_SAN_RFC822NAME) { + found_one = 0; + for (idx=0;;idx++) { +@@ -1315,21 +1424,13 @@ int gnutls_x509_name_constraints_get_permitted(gnutls_x509_name_constraints_t nc + unsigned idx, + unsigned *type, gnutls_datum_t * name) + { 
+- unsigned int i; +- struct name_constraints_node_st * tmp = nc->permitted; ++ const struct name_constraints_node_st *tmp; + +- for (i = 0; i < idx; i++) { +- if (tmp == NULL) +- return +- gnutls_assert_val +- (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); +- +- tmp = tmp->next; +- } +- +- if (tmp == NULL) ++ if (idx >= nc->permitted.size) + return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + ++ tmp = nc->permitted.data[idx]; ++ + *type = tmp->type; + *name = tmp->name; + +@@ -1359,21 +1460,12 @@ int gnutls_x509_name_constraints_get_excluded(gnutls_x509_name_constraints_t nc, + unsigned idx, + unsigned *type, gnutls_datum_t * name) + { +- unsigned int i; +- struct name_constraints_node_st * tmp = nc->excluded; +- +- for (i = 0; i < idx; i++) { +- if (tmp == NULL) +- return +- gnutls_assert_val +- (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); +- +- tmp = tmp->next; +- } +- +- if (tmp == NULL) ++ const struct name_constraints_node_st *tmp; ++ if (idx >= nc->excluded.size) + return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + ++ tmp = nc->excluded.data[idx]; ++ + *type = tmp->type; + *name = tmp->name; + +diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c +index 8bcf183..54741c8 100644 +--- a/lib/x509/x509_ext.c ++++ b/lib/x509/x509_ext.c +@@ -34,10 +34,6 @@ + #include "intprops.h" + + #define MAX_ENTRIES 64 +-struct gnutls_subject_alt_names_st { +- struct name_st *names; +- unsigned int size; +-}; + + /** + * gnutls_subject_alt_names_init: +@@ -389,24 +385,15 @@ int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t * ext, + } + + if (flags & GNUTLS_NAME_CONSTRAINTS_FLAG_APPEND && +- (nc->permitted != NULL || nc->excluded != NULL)) { ++ !_gnutls_x509_name_constraints_is_empty(nc, 0)) { + ret = gnutls_x509_name_constraints_init (&nc2); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + +- ret = +- _gnutls_extract_name_constraints(c2, "permittedSubtrees", +- &nc2->permitted); +- if (ret < 0) { +- gnutls_assert(); +- goto 
cleanup; +- } +- +- ret = +- _gnutls_extract_name_constraints(c2, "excludedSubtrees", +- &nc2->excluded); ++ ret = _gnutls_x509_name_constraints_extract( ++ c2, "permittedSubtrees", "excludedSubtrees", nc2); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -418,20 +405,11 @@ int gnutls_x509_ext_import_name_constraints(const gnutls_datum_t * ext, + goto cleanup; + } + } else { +- _gnutls_name_constraints_node_free(nc->permitted); +- _gnutls_name_constraints_node_free(nc->excluded); + +- ret = +- _gnutls_extract_name_constraints(c2, "permittedSubtrees", +- &nc->permitted); +- if (ret < 0) { +- gnutls_assert(); +- goto cleanup; +- } ++ _gnutls_x509_name_constraints_clear(nc); + +- ret = +- _gnutls_extract_name_constraints(c2, "excludedSubtrees", +- &nc->excluded); ++ ret = _gnutls_x509_name_constraints_extract( ++ c2, "permittedSubtrees", "excludedSubtrees", nc); + if (ret < 0) { + gnutls_assert(); + goto cleanup; +@@ -467,9 +445,10 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + int ret, result; + uint8_t null = 0; + asn1_node c2 = NULL; +- struct name_constraints_node_st *tmp; ++ unsigned rtype; ++ gnutls_datum_t rname; + +- if (nc->permitted == NULL && nc->excluded == NULL) ++ if (_gnutls_x509_name_constraints_is_empty(nc, 0)) + return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); + + result = asn1_create_element +@@ -479,11 +458,20 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + return _gnutls_asn2err(result); + } + +- if (nc->permitted == NULL) { ++ ret = gnutls_x509_name_constraints_get_permitted(nc, 0, &rtype, &rname); ++ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + (void)asn1_write_value(c2, "permittedSubtrees", NULL, 0); + } else { +- tmp = nc->permitted; +- do { ++ for (unsigned i = 0;; i++) { ++ ret = gnutls_x509_name_constraints_get_permitted( ++ nc, i, &rtype, &rname); ++ if (ret < 0) { ++ if (ret == ++ GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ++ break; ++ 
gnutls_assert(); ++ goto cleanup; ++ } + result = + asn1_write_value(c2, "permittedSubtrees", "NEW", 1); + if (result != ASN1_SUCCESS) { +@@ -515,22 +503,30 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + ret = + _gnutls_write_general_name(c2, + "permittedSubtrees.?LAST.base", +- tmp->type, +- tmp->name.data, +- tmp->name.size); ++ rtype, ++ rname.data, ++ rname.size); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } +- tmp = tmp->next; +- } while (tmp != NULL); ++ } + } + +- if (nc->excluded == NULL) { ++ ret = gnutls_x509_name_constraints_get_excluded(nc, 0, &rtype, &rname); ++ if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { + (void)asn1_write_value(c2, "excludedSubtrees", NULL, 0); + } else { +- tmp = nc->excluded; +- do { ++ for (unsigned i = 0;; i++) { ++ ret = gnutls_x509_name_constraints_get_excluded( ++ nc, i, &rtype, &rname); ++ if (ret < 0) { ++ if (ret == ++ GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ++ break; ++ gnutls_assert(); ++ goto cleanup; ++ } + result = + asn1_write_value(c2, "excludedSubtrees", "NEW", 1); + if (result != ASN1_SUCCESS) { +@@ -562,15 +558,14 @@ int gnutls_x509_ext_export_name_constraints(gnutls_x509_name_constraints_t nc, + ret = + _gnutls_write_general_name(c2, + "excludedSubtrees.?LAST.base", +- tmp->type, +- tmp->name.data, +- tmp->name.size); ++ rtype, ++ rname.data, ++ rname.size); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } +- tmp = tmp->next; +- } while (tmp != NULL); ++ } + + } + +diff --git a/lib/x509/x509_ext_int.h b/lib/x509/x509_ext_int.h +index 2e3f162..97f0abd 100644 +--- a/lib/x509/x509_ext_int.h ++++ b/lib/x509/x509_ext_int.h +@@ -29,6 +29,11 @@ struct name_st { + gnutls_datum_t othername_oid; + }; + ++struct gnutls_subject_alt_names_st { ++ struct name_st *names; ++ unsigned int size; ++}; ++ + int _gnutls_alt_name_process(gnutls_datum_t *out, unsigned type, const gnutls_datum_t *san, unsigned raw); + + #endif /* GNUTLS_LIB_X509_X509_EXT_INT_H */ +diff --git 
a/lib/x509/x509_int.h b/lib/x509/x509_int.h +index acbc185..bf4363e 100644 +--- a/lib/x509/x509_int.h ++++ b/lib/x509/x509_int.h +@@ -529,20 +529,16 @@ _gnutls_x509_crt_check_revocation(gnutls_x509_crt_t cert, + int crl_list_length, + gnutls_verify_output_function func); + +-typedef struct gnutls_name_constraints_st { +- struct name_constraints_node_st * permitted; +- struct name_constraints_node_st * excluded; +-} gnutls_name_constraints_st; +- +-typedef struct name_constraints_node_st { +- unsigned type; +- gnutls_datum_t name; +- struct name_constraints_node_st *next; +-} name_constraints_node_st; +- +-int _gnutls_extract_name_constraints(asn1_node c2, const char *vstr, +- name_constraints_node_st ** _nc); +-void _gnutls_name_constraints_node_free (name_constraints_node_st *node); ++ ++ ++bool _gnutls_x509_name_constraints_is_empty(gnutls_x509_name_constraints_t nc, ++ unsigned type); ++int _gnutls_x509_name_constraints_extract(asn1_node c2, ++ const char *permitted_name, ++ const char *excluded_name, ++ gnutls_x509_name_constraints_t nc); ++void _gnutls_x509_name_constraints_clear(gnutls_x509_name_constraints_t nc); ++ + int _gnutls_x509_name_constraints_merge(gnutls_x509_name_constraints_t nc, + gnutls_x509_name_constraints_t nc2); + +-- +2.40.0 diff --git a/meta/recipes-support/gnutls/gnutls_3.7.4.bb b/meta/recipes-support/gnutls/gnutls_3.7.4.bb index 9f502e3f7c..5cd85c5996 100644 --- a/meta/recipes-support/gnutls/gnutls_3.7.4.bb +++ b/meta/recipes-support/gnutls/gnutls_3.7.4.bb @@ -28,6 +28,7 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar file://CVE-2024-0567.patch \ file://CVE-2024-28834.patch \ file://CVE-2024-28835.patch \ + file://CVE-2024-12243.patch \ " SRC_URI[sha256sum] = "e6adbebcfbc95867de01060d93c789938cf89cc1d1f6ef9ef661890f6217451f" -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
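Review bot: In the name_constraints_add() hunk of the gnutls patch, the `tmp == NULL` check after name_constraints_node_new() has been dropped, so tmp goes straight into name_constraints_node_list_add() and, on failure, into name_constraints_node_free(). Every other call site visible in this patch (name_constraints_node_list_concat() and phases 2 and 3 of the intersect function) tests tmp for NULL and returns GNUTLS_E_MEMORY_ERROR before adding it. Whether the list helper tolerates NULL is not visible here, so please restore the check: `if (tmp == NULL) return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);`.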
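Review bot: In the name_constraints_intersect_nodes() hunk, the GNUTLS_SAN_DNSNAME case removes `to_copy = nc2;` and does not add the renamed `to_copy = node2;`, while the RFC822NAME and IPADDRESS cases both get it. With to_copy left NULL, the `if (to_copy != NULL)` copy is skipped and *_intersection stays NULL even when dnsname_matches() succeeds. Phase 2 then never resets types_with_empty_intersection for DNS names, and phase 3 adds the universal excluded DNSNAME node, so merging two sets of DNS constraints would exclude every DNS name. Please add `to_copy = node2;` before the `break;` in that case, or state in the patch header why this backport handles DNS names differently.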
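Review bot: The new MAX_NC_CHECKS guard in the `@@ -1123,10 +1226,16 @@` hunk returns `gnutls_assert_val(0)` with no comment. The shortcut just above it returns 1 when there is nothing to check, so 0 here means the certificate fails the name-constraint check once (permitted + excluded) times the SAN count overflows or exceeds the cap. That fail-closed behaviour is the right choice, but a one-line comment saying so would stop a later cleanup from turning it into an error code or a pass.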
* [OE-core][kirkstone 06/12] ffmpeg: CVE-2025-0518
2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman
` (4 preceding siblings ...)
2025-02-18 21:09 ` [OE-core][kirkstone 05/12] gnutls: fix CVE-2024-12243 Steve Sakoman
@ 2025-02-18 21:09 ` Steve Sakoman
2025-02-18 21:10 ` [OE-core][kirkstone 07/12] ffmpeg: fix CVE-2024-36613 Steve Sakoman
` (5 subsequent siblings)
11 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:09 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows
Read Sensitive Constants Within an Executable. This vulnerability is
associated with program files
https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C .
This issue affects FFmpeg: 7.1.
Issue was fixed:
https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a
https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a
This issue was discovered by: Simcha Kosman
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ffmpeg/ffmpeg/CVE-2025-0518.patch | 34 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 +
2 files changed, 35 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch new file mode 100644 index 0000000000..d7623a5b9d --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2025-0518.patch
@@ -0,0 +1,34 @@ +From b5b6391d64807578ab872dc58fb8aa621dcfc38a Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Mon, 6 Jan 2025 22:01:39 +0100 +Subject: [PATCH 1/4] avfilter/af_pan: Fix sscanf() use + +Fixes: Memory Data Leak + +Found-by: Simcha Kosman <simcha.kosman@cyberark.com> +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2025-0518 + +Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + libavfilter/af_pan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavfilter/af_pan.c b/libavfilter/af_pan.c +index a8a1896..6f8d2a4 100644 +--- a/libavfilter/af_pan.c ++++ b/libavfilter/af_pan.c +@@ -178,7 +178,7 @@ static av_cold int init(AVFilterContext *ctx) + sign = 1; + while (1) { + gain = 1; +- if (sscanf(arg, "%lf%n *%n", &gain, &len, &len)) ++ if (sscanf(arg, "%lf%n *%n", &gain, &len, &len) >= 1) + arg += len; + if (parse_channel_name(&arg, &in_ch_id, &named)){ + av_log(ctx, AV_LOG_ERROR, +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 9aecdf07e0..049d9fd9ec 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb @@ -43,6 +43,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-35366.patch \ file://CVE-2024-35367.patch \ file://CVE-2024-35368.patch \ + file://CVE-2025-0518.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
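Review bot: The commit message says the issue affects FFmpeg 7.1, but the recipe patched here is ffmpeg_5.0.1.bb; a sentence confirming that the same sscanf() call in init() of libavfilter/af_pan.c exists in 5.0.1 would justify the backport for anyone auditing the CVE list later. The one-line change itself reads correctly: sscanf() returns EOF, which is non-zero, when the input ends before the first conversion, so the old truthiness test could run `arg += len` with a len that was never written, while `>= 1` means the `%lf` matched and the first `%n` has stored len.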
* [OE-core][kirkstone 07/12] ffmpeg: fix CVE-2024-36613
2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman
` (5 preceding siblings ...)
2025-02-18 21:09 ` [OE-core][kirkstone 06/12] ffmpeg: CVE-2025-0518 Steve Sakoman
@ 2025-02-18 21:10 ` Steve Sakoman
2025-02-18 21:10 ` [OE-core][kirkstone 08/12] ffmpeg: fix CVE-2024-36616 Steve Sakoman
` (4 subsequent siblings)
11 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:10 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat
library allowing for an integer overflow, potentially resulting in a
denial-of-service (DoS) condition or other undefined behavior.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ffmpeg/ffmpeg/CVE-2024-36613.patch | 38 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch new file mode 100644 index 0000000000..300b8d1e49 --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch
@@ -0,0 +1,38 @@ +From 1f6fcc64179377114b4ecc3b9f63bd5774a64edf Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Sat, 30 Sep 2023 00:51:29 +0200 +Subject: [PATCH 2/4] avformat/dxa: Adjust order of operations around block + align + +Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464 +Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int' + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> +(cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540) +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2024-36613 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/1f6fcc64179377114b4ecc3b9f63bd5774a64edf] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + libavformat/dxa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/dxa.c b/libavformat/dxa.c +index 16fbb08..53747c8 100644 +--- a/libavformat/dxa.c ++++ b/libavformat/dxa.c +@@ -120,7 +120,7 @@ static int dxa_read_header(AVFormatContext *s) + } + c->bpc = (fsize + c->frames - 1) / c->frames; + if(ast->codecpar->block_align) +- c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align; ++ c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align; + c->bytes_left = fsize; + c->wavpos = avio_tell(pb); + avio_seek(pb, c->vidpos, SEEK_SET); +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 049d9fd9ec..91259baa5e 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -44,6 +44,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-35367.patch \ file://CVE-2024-35368.patch \ file://CVE-2025-0518.patch \ + file://CVE-2024-36613.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
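Review bot: Reordering the rounding in dxa_read_header() to `c->bpc - 1 + ast->codecpar->block_align` clears the reported case by a margin of exactly one (2147483566 - 1 + 82 = 2147483647), but the hunk shows no bound on either operand, so the sum is still unchecked arithmetic in the type the Fixes line reports as 'int'. Validating block_align against c->bpc before rounding, or doing the rounding in 64-bit and rejecting an out-of-range result with AVERROR_INVALIDDATA, would make the fix hold in general. If the backport has to stay identical to upstream, please note that limitation in the patch header.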
* [OE-core][kirkstone 08/12] ffmpeg: fix CVE-2024-36616
2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman
` (6 preceding siblings ...)
2025-02-18 21:10 ` [OE-core][kirkstone 07/12] ffmpeg: fix CVE-2024-36613 Steve Sakoman
@ 2025-02-18 21:10 ` Steve Sakoman
2025-02-18 21:10 ` [OE-core][kirkstone 09/12] ffmpeg: fix CVE-2024-36617 Steve Sakoman
` (3 subsequent siblings)
11 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:10 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
An integer overflow in the component /libavformat/westwood_vqa.c of FFmpeg
n6.1.1 allows attackers to cause a denial of service in the application via
a crafted VQA file.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ffmpeg/ffmpeg/CVE-2024-36616.patch | 37 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 +
2 files changed, 38 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch new file mode 100644 index 0000000000..5e2046dbac --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch
@@ -0,0 +1,37 @@ +From a8beef67993aa267de87599007143d9f0ba67c23 Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Tue, 26 Mar 2024 01:00:13 +0100 +Subject: [PATCH 3/4] avformat/westwood_vqa: Fix 2g packets + +Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int' +Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968 + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> +(cherry picked from commit 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661) +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2024-36616 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/a8beef67993aa267de87599007143d9f0ba67c23] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + libavformat/westwood_vqa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c +index 9d11606..9499569 100644 +--- a/libavformat/westwood_vqa.c ++++ b/libavformat/westwood_vqa.c +@@ -259,7 +259,7 @@ static int wsvqa_read_packet(AVFormatContext *s, + break; + case SND2_TAG: + /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */ +- pkt->duration = (chunk_size * 2) / wsvqa->channels; ++ pkt->duration = (chunk_size * 2LL) / wsvqa->channels; + break; + } + break; +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index 91259baa5e..fc92bb2ec0 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -45,6 +45,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2024-35368.patch \ file://CVE-2025-0518.patch \ file://CVE-2024-36613.patch \ + file://CVE-2024-36616.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
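Review bot: The SND2_TAG case in wsvqa_read_packet() still divides by wsvqa->channels, and nothing in this hunk shows that value being checked for zero; please confirm it is validated where the header is parsed in the 5.0.1 sources this patch applies to. The `2LL` promotion itself removes the reported overflow in `chunk_size * 2`, since the multiplication is now done in long long before the division.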
* [OE-core][kirkstone 09/12] ffmpeg: fix CVE-2024-36617
2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman
` (7 preceding siblings ...)
2025-02-18 21:10 ` [OE-core][kirkstone 08/12] ffmpeg: fix CVE-2024-36616 Steve Sakoman
@ 2025-02-18 21:10 ` Steve Sakoman
2025-02-18 21:10 ` [OE-core][kirkstone 10/12] scripts/install-buildtools: Update to 4.0.24 Steve Sakoman
` (2 subsequent siblings)
11 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-02-18 21:10 UTC (permalink / raw)
To: openembedded-core
From: Archana Polampalli <archana.polampalli@windriver.com>
FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF decoder.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../ffmpeg/ffmpeg/CVE-2024-36617.patch | 38 +++++++++++++++++++
.../recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb | 1 +
2 files changed, 39 insertions(+)
create mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch new file mode 100644 index 0000000000..8b4928d1ca --- /dev/null +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch
@@ -0,0 +1,38 @@ +From f0e780370cc1c437d64f10d326b1d656ef490b5f Mon Sep 17 00:00:00 2001 +From: Michael Niedermayer <michael@niedermayer.cc> +Date: Sat, 30 Sep 2023 00:38:17 +0200 +Subject: [PATCH 4/4] avformat/cafdec: dont seek beyond 64bit + +Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long' +Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 +Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064 + +Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> +(cherry picked from commit d973fcbcc2f944752ff10e6a76b0b2d9329937a7) +Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> + +CVE: CVE-2024-36617 + +Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/f0e780370cc1c437d64f10d326b1d656ef490b5f] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + libavformat/cafdec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c +index d5668bf..aa56a5e 100644 +--- a/libavformat/cafdec.c ++++ b/libavformat/cafdec.c +@@ -220,7 +220,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size) + } + } + +- if (avio_tell(pb) - ccount > size) { ++ if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) { + av_log(s, AV_LOG_ERROR, "error reading packet table\n"); + return AVERROR_INVALIDDATA; + } +-- +2.40.0 diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb index fc92bb2ec0..b5b11496f4 100644 --- a/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb +++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_5.0.1.bb 
@@ -46,6 +46,7 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ file://CVE-2025-0518.patch \ file://CVE-2024-36613.patch \ file://CVE-2024-36616.patch \ + file://CVE-2024-36617.patch \ " SRC_URI[sha256sum] = "ef2efae259ce80a240de48ec85ecb062cecca26e4352ffb3fda562c21a93007b" -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
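Review bot: in the read_pakt_chunk hunk of libavformat/cafdec.c, the added guard size > INT64_MAX - ccount is itself only free of signed overflow while ccount is non-negative, and the hunk does not show where ccount is assigned. If ccount is taken from avio_tell(pb), as the left-hand comparison suggests, please confirm it cannot hold a negative error value at this point, or extend the condition with ccount < 0. Separately, the OE commit message cites FFmpeg n6.1.1 while the recipe being patched is ffmpeg_5.0.1.bb; one sentence stating that 5.0.1 carries the same code would make the backport easier to audit.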
* [OE-core][kirkstone 10/12] scripts/install-buildtools: Update to 4.0.24 2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman ` (8 preceding siblings ...) 2025-02-18 21:10 ` [OE-core][kirkstone 09/12] ffmpeg: fix CVE-2024-36617 Steve Sakoman @ 2025-02-18 21:10 ` Steve Sakoman 2025-02-18 21:10 ` [OE-core][kirkstone 11/12] scritps/runqemu: Ensure we only have two serial ports Steve Sakoman 2025-02-18 21:10 ` [OE-core][kirkstone 12/12] procps: replaced one use of fputs(3) with a write(2) call Steve Sakoman 11 siblings, 0 replies; 15+ messages in thread From: Steve Sakoman @ 2025-02-18 21:10 UTC (permalink / raw) To: openembedded-core From: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com> Update to the 4.0.24 release of the 4.0 series for buildtools. Signed-off-by: Aleksandar Nikolic <aleksandar.nikolic@zeiss.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- scripts/install-buildtools | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install-buildtools b/scripts/install-buildtools index 01253e5f95..56b22e4270 100755 --- a/scripts/install-buildtools +++ b/scripts/install-buildtools @@ -57,8 +57,8 @@ logger = scriptutils.logger_create(PROGNAME, stream=sys.stdout) DEFAULT_INSTALL_DIR = os.path.join(os.path.split(scripts_path)[0],'buildtools') DEFAULT_BASE_URL = 'https://downloads.yoctoproject.org/releases/yocto' -DEFAULT_RELEASE = 'yocto-4.0.23' -DEFAULT_INSTALLER_VERSION = '4.0.23' +DEFAULT_RELEASE = 'yocto-4.0.24' +DEFAULT_INSTALLER_VERSION = '4.0.24' DEFAULT_BUILDDATE = '202110XX' # Python version sanity check -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
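Review bot: in the scripts/install-buildtools hunk, DEFAULT_RELEASE and DEFAULT_INSTALLER_VERSION hold the same version number as two separate literals, so every bump has to touch both and a partial edit would leave the two defaults disagreeing. Consider deriving one from the other, for example DEFAULT_RELEASE = 'yocto-' + DEFAULT_INSTALLER_VERSION. The unchanged DEFAULT_BUILDDATE = '202110XX' in the trailing context also looks stale beside a 4.0.24 default and would benefit from a comment saying whether it is still consulted.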
* [OE-core][kirkstone 11/12] scritps/runqemu: Ensure we only have two serial ports 2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman ` (9 preceding siblings ...) 2025-02-18 21:10 ` [OE-core][kirkstone 10/12] scripts/install-buildtools: Update to 4.0.24 Steve Sakoman @ 2025-02-18 21:10 ` Steve Sakoman 2025-02-18 21:10 ` [OE-core][kirkstone 12/12] procps: replaced one use of fputs(3) with a write(2) call Steve Sakoman 11 siblings, 0 replies; 15+ messages in thread From: Steve Sakoman @ 2025-02-18 21:10 UTC (permalink / raw) To: openembedded-core From: Richard Purdie <richard.purdie@linuxfoundation.org> I have a theory that some of the console boot issues we're seeing are due to starting images with three serial ports yet only starting gettys on two of them. This means that occasionally, depending on the port numbering we may not get a login prompt on the console we expect it on. To fix this, change the runqemu code so that if serial ports are passed in on the commandline (as is the case in automated testing), we don't add any other GUI serial consoles. We do need to make sure we do have at least two serial ports since we don't want getty timeout warnings. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 1b0348535dce3b776efbcf26406b94730a51eb85) Signed-off-by: Ming Liu <liu.ming50@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- scripts/runqemu | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/scripts/runqemu b/scripts/runqemu index 8a417a7c24..9f7827565e 100755 --- a/scripts/runqemu +++ b/scripts/runqemu 
@@ -1408,6 +1408,19 @@ to your build configuration. for entry in self.get('SERIAL_CONSOLES').split(' '): self.kernel_cmdline_script += ' console=%s' %entry.split(';')[1] + # We always wants ttyS0 and ttyS1 in qemu machines (see SERIAL_CONSOLES). + # If no serial or serialtcp options were specified, only ttyS0 is created + # and sysvinit shows an error trying to enable ttyS1: + # INIT: Id "S1" respawning too fast: disabled for 5 minutes + serial_num = len(re.findall("-serial", self.qemu_opt)) + + # Assume if the user passed serial options, they know what they want + # and pad to two devices + if serial_num == 1: + self.qemu_opt += " -serial null" + elif serial_num >= 2: + return + if self.serialstdio == True or self.nographic == True: self.qemu_opt += " -serial mon:stdio" else: @@ -1419,10 +1432,6 @@ to your build configuration. self.qemu_opt += " %s" % self.get("QB_SERIAL_OPT") - # We always wants ttyS0 and ttyS1 in qemu machines (see SERIAL_CONSOLES). - # If no serial or serialtcp options were specified, only ttyS0 is created - # and sysvinit shows an error trying to enable ttyS1: - # INIT: Id "S1" respawning too fast: disabled for 5 minutes serial_num = len(re.findall("-serial", self.qemu_opt)) if serial_num < 2: self.qemu_opt += " -serial null" -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
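Review bot: in the first scripts/runqemu hunk (@@ -1408), the serial_num == 1 branch appends " -serial null" and then falls through into the if/else block that follows, whose visible branch appends " -serial mon:stdio", so a command line that passed exactly one -serial option ends up with three ports, which is the case the commit message sets out to avoid. Either return after padding, or skip the stdio/GUI console whenever serial_num is non-zero. The bare return for serial_num >= 2 also skips whatever follows in this function; the hunks do not show the rest of it, so please confirm nothing else is bypassed.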
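Review bot: in the second scripts/runqemu hunk (@@ -1419), the comment explaining the ttyS0/ttyS1 requirement and the sysvinit "respawning too fast" error is moved away from the remaining serial_num < 2 padding, which is now left without any explanation of why it pads; a one-line pointer back to the earlier comment would do. Also, re.findall("-serial", self.qemu_opt) is an unanchored substring match in both places it is used, so any option text that merely contains "-serial" is counted as a port; matching a whitespace-delimited -serial token would make the count reliable.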
* [OE-core][kirkstone 12/12] procps: replaced one use of fputs(3) with a write(2) call 2025-02-18 21:09 [OE-core][kirkstone 00/12] Patch review Steve Sakoman ` (10 preceding siblings ...) 2025-02-18 21:10 ` [OE-core][kirkstone 11/12] scritps/runqemu: Ensure we only have two serial ports Steve Sakoman @ 2025-02-18 21:10 ` Steve Sakoman 11 siblings, 0 replies; 15+ messages in thread From: Steve Sakoman @ 2025-02-18 21:10 UTC (permalink / raw) To: openembedded-core From: Mingli Yu <mingli.yu@windriver.com> This patch is ported from a merge request shown below, and the following represents the original commit text. ------------------------------------------------------ top: In the bye_bye function, replace fputs with the write interface. When top calls malloc, if a signal is received, it will call sig_endpgm to process the signal. In the bye_bye function, if the -b option is enable, the Batch variable is set, the fputs function will calls malloc at the same time. The malloc function is not reentrant, so it will cause the program to crash. Signed-off-by: Shaohua Zhan <shaohua.zhan@windriver.com> ------------------------------------------------------ Reference(s): https://gitlab.com/procps-ng/procps/-/merge_requests/127 Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> --- ...x-for-the-bye_bye-function-merge-127.patch | 58 +++++++++++++++++++ ...e-use-of-fputs-3-with-a-write-2-call.patch | 50 ++++++++++++++++ meta/recipes-extended/procps/procps_3.3.17.bb | 2 + 3 files changed, 110 insertions(+) create mode 100644 meta/recipes-extended/procps/procps/0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch create mode 100644 meta/recipes-extended/procps/procps/0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch 
diff --git a/meta/recipes-extended/procps/procps/0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch b/meta/recipes-extended/procps/procps/0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch new file mode 100644 index 0000000000..bbc137a3d8 --- /dev/null +++ b/meta/recipes-extended/procps/procps/0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch 
@@ -0,0 +1,58 @@ +From 37f106029975e3045b0cd779525d14c55d24b74e Mon Sep 17 00:00:00 2001 +From: Jim Warner <james.warner@comcast.net> +Date: Mon, 21 Jun 2021 00:00:00 -0500 +Subject: [PATCH] top: fix a fix for the 'bye_bye' function (merge #127) + +In the merge request shown below, 1 too many bytes are +written to stdout thus including the terminating null. +As the cure, this commit just reduces the length by 1. + +[ along the way, we will remove some unneeded braces ] +[ plus add some additional comments with attribution ] + +Reference(s): +https://gitlab.com/procps-ng/procps/-/merge_requests/127 +. original merged change +commit 0bf15c004db6a3342703a3c420a5692e376c457d + +Signed-off-by: Jim Warner <james.warner@comcast.net> + +Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/37f106029975e3045b0cd779525d14c55d24b74e] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + top/top.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/top/top.c b/top/top.c +index 4d9860d5..0d21a1a5 100644 +--- a/top/top.c ++++ b/top/top.c +@@ -569,13 +569,21 @@ static void bye_bye (const char *str) { + #endif // end: OFF_HST_HASH + + numa_uninit(); ++ ++ /* we'll only have a 'str' if called by error_exit() | ++ or that xalloc_our_handler() function. if we were | ++ called from a sig_endpgm(), that parm is NULL ... | */ + if (str) { + fputs(str, stderr); + exit(EXIT_FAILURE); + } +- if (Batch) { +- write(fileno(stdout), "\n", sizeof("\n")); +- } ++ /* this could happen when called from several places | ++ including that sig_endpgm(). thus we must use an | ++ async-signal-safe write function just in case ... | ++ (thanks: Shaohua Zhan shaohua.zhan@windriver.com) | */ ++ if (Batch) ++ write(fileno(stdout), "\n", sizeof("\n") - 1); ++ + exit(EXIT_SUCCESS); + } // end: bye_bye + +-- +2.34.1 + 
diff --git a/meta/recipes-extended/procps/procps/0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch b/meta/recipes-extended/procps/procps/0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch new file mode 100644 index 0000000000..4da13df047 --- /dev/null +++ b/meta/recipes-extended/procps/procps/0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch 
@@ -0,0 +1,50 @@ +From 6b8980a3b6279058d727377e914cfb6439d6f178 Mon Sep 17 00:00:00 2001 +From: Shaohua Zhan <shaohua.zhan@windriver.com> +Date: Mon, 22 Mar 2021 00:00:00 +0800 +Subject: [PATCH] top: replaced one use of fputs(3) with a write(2) call + +This patch is ported from a merge request shown below, +and the following represents the original commit text. + +------------------------------------------------------ +top: In the bye_bye function, replace fputs with the write interface. + +When top calls malloc, if a signal is received, it will +call sig_endpgm to process the signal. In the bye_bye function, if the +-b option is enable, the Batch variable is set, the fputs function +will calls malloc at the same time. The malloc function is not reentrant, so +it will cause the program to crash. + +Signed-off-by: Shaohua Zhan <shaohua.zhan@windriver.com> +------------------------------------------------------ + +Reference(s): +https://gitlab.com/procps-ng/procps/-/merge_requests/127 + +Signed-off-by: Jim Warner <james.warner@comcast.net> + +Upstream-Status: Backport [https://gitlab.com/procps-ng/procps/-/commit/6b8980a3b6279058d727377e914cfb6439d6f178] + +Signed-off-by: Mingli Yu <mingli.yu@windriver.com> +--- + top/top.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/top/top.c b/top/top.c +index f4f82be4..951c240c 100644 +--- a/top/top.c ++++ b/top/top.c +@@ -417,7 +417,9 @@ static void bye_bye (const char *str) { + fputs(str, stderr); + exit(EXIT_FAILURE); + } +- if (Batch) fputs("\n", stdout); ++ if (Batch) { ++ write(fileno(stdout), "\n", sizeof("\n")); ++ } + exit(EXIT_SUCCESS); + } // end: bye_bye + +-- +2.34.1 + diff --git a/meta/recipes-extended/procps/procps_3.3.17.bb b/meta/recipes-extended/procps/procps_3.3.17.bb index bbec5a543c..131063efb9 100644 --- a/meta/recipes-extended/procps/procps_3.3.17.bb +++ b/meta/recipes-extended/procps/procps_3.3.17.bb 
@@ -18,6 +18,8 @@ SRC_URI = "git://gitlab.com/procps-ng/procps.git;protocol=https;branch=master \ file://0002-proc-escape.c-add-missing-include.patch \ file://CVE-2023-4016.patch \ file://CVE-2023-4016-2.patch \ + file://0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch \ + file://0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch \ " SRCREV = "19a508ea121c0c4ac6d0224575a036de745eaaf8" -- 2.43.0 ^ permalink raw reply related [flat|nested] 15+ messages in thread
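Review bot: in the top/top.c hunk of 0001-top-replaced-one-use-of-fputs-3-with-a-write-2-call.patch (@@ -417), write(fileno(stdout), "\n", sizeof("\n")) sends two bytes, the newline plus the terminating NUL, and is only corrected by the companion fix-a-fix patch, which changes the length to sizeof("\n") - 1. The OE commit message describes only this first change; it should say that the follow-up is included and why, so that nobody later drops one of the pair. The two top.c hunks also sit at different offsets (417 versus 569), so please confirm both apply to SRCREV 19a508ea121c0c4ac6d0224575a036de745eaaf8 without fuzz.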
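Review bot: in the top/top.c hunk of 0001-top-fix-a-fix-for-the-bye_bye-function-merge-127.patch (@@ -569), the new comment says this path must be async-signal-safe when reached from sig_endpgm(), yet it still ends in exit(EXIT_SUCCESS), and exit(3) is not async-signal-safe because it runs atexit handlers and flushes stdio; _exit(2) is. The numa_uninit() call ahead of it is not shown, so its safety in a handler cannot be judged from this hunk. Since this is upstream's code, it is enough for the backport to state in the commit message that the pair of patches narrows the reentrancy problem rather than closing it. The return value of write() is also ignored, which can raise an unused-result warning in fortified builds.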
* [OE-core][kirkstone 00/12] Patch review
@ 2025-05-24 13:36 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2025-05-24 13:36 UTC (permalink / raw)
To: openembedded-core
Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, May 27
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1647
The following changes since commit e8be08a624b2d024715a5c8b0c37f2345a02336b:
build-appliance-image: Update to kirkstone head revision (2025-05-16 09:00:49 -0700)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Ashish Sharma (1):
libsoup-2.4: Fix CVE-2025-46420
Divya Chellam (1):
ruby: fix CVE-2025-27221
Praveen Kumar (2):
connman :fix CVE-2025-32366
glib-2.0: fix CVE-2025-4373
Sundeep KOKKONDA (1):
gcc: AArch64 - Fix strict-align cpymem/setmem
Vijay Anusuri (5):
openssh: Fix CVE-2025-32728
libsoup-2.4: Fix CVE-2025-32910
libsoup-2.4: Fix CVE-2025-32911 & CVE-2025-32913
libsoup-2.4: Fix CVE-2025-32912
libsoup-2.4: Fix CVE-2025-32914
Virendra Thakur (1):
util-linux: Add fix to isolate test fstab entries using CUSTOM_FSTAB
Yi Zhao (1):
iputils: Security fix for CVE-2025-47268
.../connman/connman/CVE-2025-32366.patch | 41 ++
.../connman/connman_1.41.bb | 1 +
.../openssh/openssh/CVE-2025-32728.patch | 44 ++
.../openssh/openssh_8.9p1.bb | 1 +
.../glib-2.0/glib-2.0/CVE-2025-4373-01.patch | 120 +++++
.../glib-2.0/glib-2.0/CVE-2025-4373-02.patch | 29 ++
meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb | 2 +
meta/recipes-core/util-linux/util-linux.inc | 1 +
.../util-linux/fstab-isolation.patch | 419 ++++++++++++++++++
meta/recipes-devtools/gcc/gcc-11.5.inc | 1 +
...rch64-fix-strict-align-cpymem-setmem.patch | 45 ++
.../ruby/ruby/CVE-2025-27221-0001.patch | 57 +++
.../ruby/ruby/CVE-2025-27221-0002.patch | 73 +++
meta/recipes-devtools/ruby/ruby_3.1.3.bb | 2 +
.../iputils/iputils/CVE-2025-47268.patch | 143 ++++++
.../iputils/iputils_20211215.bb | 1 +
.../libsoup-2.4/CVE-2025-32910-1.patch | 97 ++++
.../libsoup-2.4/CVE-2025-32910-2.patch | 148 +++++++
.../libsoup-2.4/CVE-2025-32910-3.patch | 26 ++
.../CVE-2025-32911_CVE-2025-32913-1.patch | 72 +++
.../CVE-2025-32911_CVE-2025-32913-2.patch | 44 ++
.../libsoup-2.4/CVE-2025-32912-1.patch | 41 ++
.../libsoup-2.4/CVE-2025-32912-2.patch | 30 ++
.../libsoup/libsoup-2.4/CVE-2025-32914.patch | 137 ++++++
.../libsoup/libsoup-2.4/CVE-2025-46420.patch | 60 +++
.../libsoup/libsoup-2.4_2.74.2.bb | 9 +
26 files changed, 1644 insertions(+)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-32728.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-01.patch
create mode 100644 meta/recipes-core/glib-2.0/glib-2.0/CVE-2025-4373-02.patch
create mode 100644 meta/recipes-core/util-linux/util-linux/fstab-isolation.patch
create mode 100644 meta/recipes-devtools/gcc/gcc/0032-gcc-aarch64-fix-strict-align-cpymem-setmem.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
create mode 100644 meta/recipes-extended/iputils/iputils/CVE-2025-47268.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-46420.patch
--
2.43.0
^ permalink raw reply [flat|nested] 15+ messages in thread
* [OE-core][kirkstone 00/12] Patch review
@ 2022-12-08 22:42 Steve Sakoman
0 siblings, 0 replies; 15+ messages in thread
From: Steve Sakoman @ 2022-12-08 22:42 UTC (permalink / raw)
To: openembedded-core
Please review this set of patches for kirkstone and have comments back by
end of day Monday.
This should be the final set of patches for the 4.0.6 release.
Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4600
The following changes since commit c0f3da88a9646fc5e6d549b1a2327c0823c0e5a1:
mirrors.bbclass: update CPAN_MIRROR (2022-11-30 05:51:07 -1000)
are available in the Git repository at:
https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut
Alexey Smirnov (1):
classes: make TOOLCHAIN more permissive for kernel
Chen Qi (1):
psplash: consider the situation of psplash not exist for systemd
Harald Seiler (1):
opkg: Set correct info_dir and status_file in opkg.conf
Hitendra Prajapati (1):
libarchive: CVE-2022-36227 NULL pointer dereference in archive_write.c
Joe Slater (1):
python3: advance to version 3.10.8
Joshua Watt (1):
scripts: convert-overrides: Allow command-line customizations
Qiu, Zheng (2):
vim: upgrade 9.0.0820 -> 9.0.0947
valgrind: remove most hidden tests for arm64
Richard Purdie (1):
oeqa/selftest/tinfoil: Add test for separate config_data with
recipe_parse_file()
Ross Burton (1):
xserver-xorg: backport fixes for CVE-2022-3550 and CVE-2022-3551
Xiangyu Chen (2):
sysstat: fix CVE-2022-39377
grub: backport patches to fix CVE-2022-28736
meta/classes/kernel-arch.bbclass | 2 +-
meta/lib/oeqa/selftest/cases/tinfoil.py | 14 ++
...i-chainloader-Use-grub_loader_set_ex.patch | 86 +++++++
...ot-Add-API-to-pass-context-to-loader.patch | 168 +++++++++++++
...hainloader-Simplify-the-loader-state.patch | 129 ++++++++++
meta/recipes-bsp/grub/grub2.inc | 3 +
.../psplash/files/psplash-start.service | 1 +
.../psplash/files/psplash-systemd.service | 1 +
meta/recipes-devtools/opkg/opkg_0.5.0.bb | 4 +-
.../python/python3/cve-2022-37454.patch | 108 +++++++++
.../{python3_3.10.7.bb => python3_3.10.8.bb} | 4 +-
.../valgrind/valgrind/remove-for-aarch64 | 227 +-----------------
.../libarchive/CVE-2022-36227.patch | 42 ++++
.../libarchive/libarchive_3.6.1.bb | 4 +-
.../sysstat/sysstat/CVE-2022-39377.patch | 93 +++++++
.../sysstat/sysstat_12.4.5.bb | 3 +-
...possible-memleaks-in-XkbGetKbdByName.patch | 63 +++++
...ntedString-against-request-length-at.patch | 38 +++
.../xorg-xserver/xserver-xorg_21.1.4.bb | 2 +
meta/recipes-support/vim/vim.inc | 4 +-
scripts/contrib/convert-overrides.py | 103 ++++----
21 files changed, 821 insertions(+), 278 deletions(-)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch
create mode 100644 meta/recipes-bsp/grub/files/commands-boot-Add-API-to-pass-context-to-loader.patch
create mode 100644 meta/recipes-bsp/grub/files/loader-efi-chainloader-Simplify-the-loader-state.patch
create mode 100644 meta/recipes-devtools/python/python3/cve-2022-37454.patch
rename meta/recipes-devtools/python/{python3_3.10.7.bb => python3_3.10.8.bb} (99%)
create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2022-36227.patch
create mode 100644 meta/recipes-extended/sysstat/sysstat/CVE-2022-39377.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch
create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/0001-xkb-proof-GetCountedString-against-request-length-at.patch
--
2.25.1
^ permalink raw reply [flat|nested] 15+ messages in thread