public inbox for openembedded-core@lists.openembedded.org
* [OE-core][kirkstone 0/7] Patch review
@ 2022-08-04 14:06 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2022-08-04 14:06 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back
by end of day Sunday.

This should be the almost final set of patches for the 4.0.3 release -
there remains an intermittent linux-yocto reproducibility issue that
needs to get fixed.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/4015

The following changes since commit 3564ce3d9b2030dd420362c66147bd327090915c:

  initscripts: run umountnfs as a KILL script (2022-07-28 05:32:25 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alex Kiernan (1):
  openssh: Add openssh-sftp-server to openssh RDEPENDS

Dmitry Baryshkov (1):
  linux-firwmare: restore WHENCE_CHKSUM variable

Khem Raj (1):
  libgcc: Fix standalone target builds with usrmerge distro feature

Martin Jansa (1):
  kernel.bbclass: pass LD also in savedefconfig

Mingli Yu (1):
  strace: set COMPATIBLE_HOST for riscv32

Shruthi Ravichandran (1):
  package_manager/ipk: do not pipe stderr to stdout

Sundeep KOKKONDA (1):
  binutils: stable 2.38 branch updates

 meta/classes/kernel.bbclass                   |  2 +-
 meta/lib/oe/package_manager/ipk/__init__.py   | 23 +++++++++++--------
 .../openssh/openssh_8.9p1.bb                  |  2 +-
 .../binutils/binutils-2.38.inc                |  2 +-
 meta/recipes-devtools/gcc/libgcc-common.inc   |  8 +++++--
 meta/recipes-devtools/strace/strace_5.16.bb   |  3 +++
 .../linux-firmware/linux-firmware_20220708.bb |  5 +++-
 7 files changed, 29 insertions(+), 16 deletions(-)

-- 
2.25.1




* [OE-core][kirkstone 0/7] Patch review
@ 2023-04-15 15:26 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-04-15 15:26 UTC (permalink / raw)
  To: openembedded-core

Please review this set of patches for kirkstone and have comments back by
end of day Tuesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5185

The following changes since commit ff4b57ffff903a93b710284c7c7f916ddd74712f:

  uninative: Upgrade to 3.9 to include glibc 2.37 (2023-04-04 05:32:01 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Hitendra Prajapati (2):
  curl: CVE-2023-27533 TELNET option IAC injection
  curl: CVE-2023-27534 SFTP path resolving discrepancy

Joe Slater (1):
  go: fix CVE-2022-41724, 41725

Mark Hatle (1):
  openssl: Move microblaze to linux-latomic config

Pawan Badganchi (1):
  tiff: Add fix for CVE-2022-4645

Peter Marko (1):
  package.bbclass: correct check for /build in copydebugsources()

Yash Shinde (1):
  binutils : Fix CVE-2023-1579

 meta/classes/package.bbclass                  |    2 +-
 .../openssl/openssl_3.0.8.bb                  |    4 +-
 .../binutils/binutils-2.38.inc                |    4 +
 .../binutils/0021-CVE-2023-1579-1.patch       |  459 ++++
 .../binutils/0021-CVE-2023-1579-2.patch       | 2127 +++++++++++++++
 .../binutils/0021-CVE-2023-1579-3.patch       |  156 ++
 .../binutils/0021-CVE-2023-1579-4.patch       |   37 +
 meta/recipes-devtools/go/go-1.17.13.inc       |    5 +-
 .../go/go-1.19/add_godebug.patch              |   84 +
 .../go/go-1.19/cve-2022-41724.patch           | 2391 +++++++++++++++++
 .../go/go-1.19/cve-2022-41725.patch           |  652 +++++
 ...-of-TIFFTAG_INKNAMES-and-related-TIF.patch |    5 +-
 .../curl/curl/CVE-2023-27533.patch            |  208 ++
 .../curl/curl/CVE-2023-27534.patch            |  122 +
 meta/recipes-support/curl/curl_7.82.0.bb      |    2 +
 15 files changed, 6252 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-1.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-2.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-3.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0021-CVE-2023-1579-4.patch
 create mode 100644 meta/recipes-devtools/go/go-1.19/add_godebug.patch
 create mode 100644 meta/recipes-devtools/go/go-1.19/cve-2022-41724.patch
 create mode 100644 meta/recipes-devtools/go/go-1.19/cve-2022-41725.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27533.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-27534.patch

-- 
2.34.1




* [OE-core][kirkstone 0/7] Patch review
@ 2023-10-30  2:20 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-10-30  2:20 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, October 31

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6115

The following changes since commit 7681436190354b5c5b6c3a82b3094badd81113de:

  vim: Upgrade 9.0.2009 -> 9.0.2048 (2023-10-20 06:38:00 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (2):
  curl: fix CVE-2023-38545
  curl: fix CVE-2023-38546

Fahad Arslan (2):
  linux-firmware: create separate package for cirrus and cnm firmwares
  linux-firmware: create separate packages

Niko Mauno (1):
  package_rpm: Allow compression mode override

Peter Marko (1):
  openssl: Upgrade 3.0.11 -> 3.0.12

Steve Sakoman (1):
  cve-exclusion_5.10.inc: update for 5.10.197

 meta/classes/package_rpm.bbclass              |   6 +-
 .../{openssl_3.0.11.bb => openssl_3.0.12.bb}  |   2 +-
 .../linux-firmware/linux-firmware_20230804.bb | 260 +++++++++++++++++-
 .../linux/cve-exclusion_5.10.inc              | 123 +++++++--
 .../curl/curl/CVE-2023-38545.patch            | 133 +++++++++
 .../curl/curl/CVE-2023-38546.patch            | 137 +++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   2 +
 7 files changed, 633 insertions(+), 30 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.0.11.bb => openssl_3.0.12.bb} (99%)
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-38545.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-38546.patch

-- 
2.34.1




* [OE-core][kirkstone 0/7] Patch review
@ 2023-11-08 22:52 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2023-11-08 22:52 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Friday, November 10

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6158

The following changes since commit 0eb8e67aa6833df0cde29833568a70e65c21d7e5:

  build-appliance-image: Update to kirkstone head revision (2023-11-03 04:27:49 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Narpat Mali (1):
  python3-jinja2: Fixed ptest result output as per the standard

Ross Burton (3):
  cve-check: sort the package list in the JSON report
  cve-check: slightly more verbose warning when adding the same package
    twice
  cve-check: don't warn if a patch is remote

Sanjana (1):
  binutils: Fix CVE-2022-47010

Soumya Sambu (1):
  libwebp: Fix CVE-2023-4863

Vijay Anusuri (1):
  xserver-xorg: Fix for CVE-2023-5367 and CVE-2023-5380

 meta/classes/cve-check.bbclass                |   2 +
 meta/lib/oe/cve_check.py                      |  13 +--
 .../binutils/binutils-2.38.inc                |   1 +
 .../binutils/0032-CVE-2022-47010.patch        |  38 +++++++
 .../python/python3-jinja2/run-ptest           |   2 +-
 .../xserver-xorg/CVE-2023-5367.patch          |  84 +++++++++++++++
 .../xserver-xorg/CVE-2023-5380.patch          | 102 ++++++++++++++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |   2 +
 ...23-5129.patch => CVE-2023-4863-0001.patch} |  20 ++--
 .../webp/files/CVE-2023-4863-0002.patch       |  53 +++++++++
 meta/recipes-multimedia/webp/libwebp_1.2.4.bb |   3 +-
 11 files changed, 303 insertions(+), 17 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0032-CVE-2022-47010.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5367.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-5380.patch
 rename meta/recipes-multimedia/webp/files/{CVE-2023-5129.patch => CVE-2023-4863-0001.patch} (97%)
 create mode 100644 meta/recipes-multimedia/webp/files/CVE-2023-4863-0002.patch

-- 
2.34.1




* [OE-core][kirkstone 0/7] Patch review
@ 2024-01-17 15:58 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-01-17 15:58 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Friday, January 19

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6458

The following changes since commit 8e27f96c0befbbb5cf8a2f7076b7a1ffd79addb6:

  linux-firmware: upgrade 20230804 -> 20231030 (2024-01-09 05:50:24 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Hitendra Prajapati (1):
  systemd: fix CVE-2023-7008

Martin Jansa (1):
  pybootchartgui: fix 2 SyntaxWarnings

Peter Marko (2):
  sqlite3: backport patch for CVE-2023-7104
  zlib: ignore CVE-2023-6992

Poonam Jadhav (1):
  Revert "curl: Backport fix CVE-2023-32001"

Soumya Sambu (1):
  cpio: upgrade to 2.14

Vivek Kumbhar (1):
  openssl: Backport fix for CVE-2023-6129

 .../openssl/openssl/CVE-2023-6129.patch       | 113 ++++
 .../openssl/openssl_3.0.12.bb                 |   1 +
 .../systemd/systemd/CVE-2023-7008.patch       |  40 ++
 meta/recipes-core/systemd/systemd_250.5.bb    |   1 +
 meta/recipes-core/zlib/zlib_1.2.11.bb         |   3 +
 ...charset_alias-when-building-for-musl.patch |  30 -
 ...ove-superfluous-declaration-of-progr.patch |  28 -
 ...-calculation-of-CRC-in-copy-out-mode.patch |  58 --
 ...appending-to-archives-bigger-than-2G.patch | 312 ----------
 .../cpio/cpio-2.13/CVE-2021-38185.patch       | 581 ------------------
 .../cpio/{cpio_2.13.bb => cpio_2.14.bb}       |   9 +-
 ...e-needed-header-for-major-minor-macr.patch |  47 ++
 .../curl/curl/CVE-2023-32001.patch            |  39 --
 meta/recipes-support/curl/curl_7.82.0.bb      |   1 -
 .../sqlite/files/CVE-2023-7104.patch          |  44 ++
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb |   1 +
 scripts/pybootchartgui/pybootchartgui/draw.py |   4 +-
 17 files changed, 254 insertions(+), 1058 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch
 create mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
 delete mode 100644 meta/recipes-extended/cpio/cpio-2.13/0001-Unset-need_charset_alias-when-building-for-musl.patch
 delete mode 100644 meta/recipes-extended/cpio/cpio-2.13/0002-src-global.c-Remove-superfluous-declaration-of-progr.patch
 delete mode 100644 meta/recipes-extended/cpio/cpio-2.13/0003-Fix-calculation-of-CRC-in-copy-out-mode.patch
 delete mode 100644 meta/recipes-extended/cpio/cpio-2.13/0004-Fix-appending-to-archives-bigger-than-2G.patch
 delete mode 100644 meta/recipes-extended/cpio/cpio-2.13/CVE-2021-38185.patch
 rename meta/recipes-extended/cpio/{cpio_2.13.bb => cpio_2.14.bb} (74%)
 create mode 100644 meta/recipes-extended/cpio/files/0001-configure-Include-needed-header-for-major-minor-macr.patch
 delete mode 100644 meta/recipes-support/curl/curl/CVE-2023-32001.patch
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2023-7104.patch

-- 
2.34.1




* [OE-core][kirkstone 0/7] Patch review
@ 2024-02-06 15:45 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-02-06 15:45 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, February 8

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6539

The following changes since commit 60d88989698968c13f8e641f0ba1a82fcf700fb7:

  image-live.bbclass: LIVE_ROOTFS_TYPE support compression (2024-01-30 07:10:42 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Deepthi Hemraj (4):
  binutils: internal gdb: Fix CVE-2023-39129
  binutils: internal gdb: Fix CVE-2023-39130
  gdb: Fix CVE-2023-39129
  gdb: Fix CVE-2023-39130

Peter Marko (3):
  curl: ignore CVE-2023-42915
  gcc-shared-source: ignore CVE-2023-4039
  openssl: Upgrade 3.0.12 -> 3.0.13

 .../openssl/openssl/CVE-2023-5678.patch       | 180 ----------
 .../openssl/openssl/CVE-2023-6129.patch       | 113 ------
 .../openssl/openssl/CVE-2023-6237.patch       | 127 -------
 .../{openssl_3.0.12.bb => openssl_3.0.13.bb}  |   6 +-
 .../binutils/binutils-2.38.inc                |   2 +
 .../binutils/0035-CVE-2023-39129.patch        |  50 +++
 .../binutils/0036-CVE-2023-39130.patch        | 326 ++++++++++++++++++
 .../gcc/gcc-shared-source.inc                 |   3 +
 meta/recipes-devtools/gdb/gdb.inc             |   2 +
 .../gdb/gdb/0012-CVE-2023-39129.patch         |  50 +++
 .../gdb/gdb/0013-CVE-2023-39130.patch         | 326 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   3 +
 12 files changed, 764 insertions(+), 424 deletions(-)
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.0.12.bb => openssl_3.0.13.bb} (97%)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0035-CVE-2023-39129.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0036-CVE-2023-39130.patch
 create mode 100644 meta/recipes-devtools/gdb/gdb/0012-CVE-2023-39129.patch
 create mode 100644 meta/recipes-devtools/gdb/gdb/0013-CVE-2023-39130.patch

-- 
2.34.1




* [OE-core][kirkstone 0/7] Patch review
@ 2024-04-17 20:35 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-04-17 20:35 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Friday, April 19

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6817

The following changes since commit f94c74cee8b2650dd3211a49dc7e88bf60d2e6a7:

  tcl: skip async and event tests in run-ptest (2024-04-16 05:00:24 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Harish Sadineni (1):
  rust: add CVE_CHECK_IGNORE for CVE-2024-24576

Meenali Gupta (1):
  libssh2: fix CVE-2023-48795

Poonam Jadhav (1):
  ppp: Add RSA-MD in LICENSE

Sana Kazi (1):
  systemd: Fix vlan qos mapping

Soumya Sambu (1):
  nghttp2: Fix CVE-2024-28182

Steve Sakoman (1):
  valgrind: skip intermittently failing ptest

Yogita Urade (1):
  ruby: fix CVE-2024-27281

 meta/recipes-connectivity/ppp/ppp_2.4.9.bb    |   2 +-
 .../systemd/fix-vlan-qos-mapping.patch        | 140 ++++++
 meta/recipes-core/systemd/systemd_250.5.bb    |   1 +
 .../ruby/ruby/CVE-2024-27281.patch            |  97 ++++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |   1 +
 meta/recipes-devtools/rust/rust-source.inc    |   3 +
 .../valgrind/valgrind/remove-for-all          |   2 +
 .../libssh2/libssh2/CVE-2023-48795.patch      | 459 ++++++++++++++++++
 .../recipes-support/libssh2/libssh2_1.10.0.bb |   1 +
 .../nghttp2/nghttp2/CVE-2024-28182-0001.patch | 110 +++++
 .../nghttp2/nghttp2/CVE-2024-28182-0002.patch | 105 ++++
 .../recipes-support/nghttp2/nghttp2_1.47.0.bb |   2 +
 12 files changed, 922 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-core/systemd/systemd/fix-vlan-qos-mapping.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-27281.patch
 create mode 100644 meta/recipes-support/libssh2/libssh2/CVE-2023-48795.patch
 create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0001.patch
 create mode 100644 meta/recipes-support/nghttp2/nghttp2/CVE-2024-28182-0002.patch

-- 
2.34.1




* [OE-core][kirkstone 0/7] Patch review
@ 2024-05-30 18:37 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-05-30 18:37 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Saturday, June 1

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6984

The following changes since commit e0a1ed7aa1f2b12d985414db9a75d6e151ae8d21:

  initscripts: Add custom mount args for /var/lib (2024-05-22 05:07:30 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (5):
  ghostscript: fix CVE-2024-33870
  ghostscript: fix CVE-2024-33869
  ghostscript: fix CVE-2024-33871
  ghostscript: fix CVE-2024-29510
  ghostscript: fix CVE-2023-52722

Soumya Sambu (2):
  util-linux: Fix CVE-2024-28085
  git: Fix multiple CVEs

 meta/recipes-core/util-linux/util-linux.inc   |    5 +
 .../util-linux/CVE-2024-28085-0001.patch      |  202 +
 .../util-linux/CVE-2024-28085-0002.patch      |  172 +
 .../util-linux/CVE-2024-28085-0003.patch      |  223 +
 .../util-linux/CVE-2024-28085-0004.patch      |   36 +
 .../util-linux/CVE-2024-28085-0005.patch      |   34 +
 .../git/git/CVE-2024-32002-0001.patch         |   69 +
 .../git/git/CVE-2024-32002-0002.patch         |  213 +
 .../git/git/CVE-2024-32002-0003.patch         |  141 +
 .../git/git/CVE-2024-32002-0004.patch         |  150 +
 .../git/git/CVE-2024-32004-0001.patch         |   95 +
 .../git/git/CVE-2024-32004-0002.patch         |  187 +
 .../git/git/CVE-2024-32004-0003.patch         |  158 +
 .../git/git/CVE-2024-32020.patch              |  114 +
 .../git/git/CVE-2024-32021-0001.patch         |   89 +
 .../git/git/CVE-2024-32021-0002.patch         |   65 +
 .../git/git/CVE-2024-32465.patch              |  206 +
 meta/recipes-devtools/git/git_2.35.7.bb       |   11 +
 .../ghostscript/CVE-2023-52722.patch          |   43 +
 .../ghostscript/CVE-2024-29510.patch          |   84 +
 .../ghostscript/CVE-2024-33869-0001.patch     |   39 +
 .../ghostscript/CVE-2024-33869-0002.patch     |   52 +
 .../ghostscript/CVE-2024-33870.patch          |   92 +
 .../ghostscript/CVE-2024-33871-0001.patch     | 4863 +++++++++++++++++
 .../ghostscript/CVE-2024-33871-0002.patch     |   43 +
 .../ghostscript/ghostscript_9.55.0.bb         |    7 +
 26 files changed, 7393 insertions(+)
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0001.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0002.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0003.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0004.patch
 create mode 100644 meta/recipes-core/util-linux/util-linux/CVE-2024-28085-0005.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-32002-0001.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-32002-0002.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-32002-0003.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-32002-0004.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-32004-0001.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-32004-0002.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-32004-0003.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-32020.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-32021-0001.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-32021-0002.patch
 create mode 100644 meta/recipes-devtools/git/git/CVE-2024-32465.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2023-52722.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-29510.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0001.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33869-0002.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33870.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871-0001.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2024-33871-0002.patch

-- 
2.34.1




* [OE-core][kirkstone 0/7] Patch review
@ 2024-07-04 12:32 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-07-04 12:32 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Monday, July 8

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7103

The following changes since commit fbc8f5381e8e1da0d06f7f8e5b8c63a49b1858c2:

  man-pages: remove conflict pages (2024-06-21 12:37:32 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (1):
  gstreamer1.0-plugins-base: fix CVE-2024-4453

Jonas Gorski (1):
  linuxloader: add -armhf on arm only for TARGET_FPU 'hard'

Jose Quaresma (1):
  openssh: fix CVE-2024-6387

Poonam Jadhav (2):
  glibc-tests: correctly pull in the actual tests when installing -ptest
    package
  glibc-tests: Add missing bash ptest dependency

Siddharth Doshi (1):
  OpenSSL: Security fix for CVE-2024-5535

Vijay Anusuri (1):
  wget: Fix for CVE-2024-38428

 meta/classes/linuxloader.bbclass              |    2 +-
 .../openssh/openssh/CVE-2024-6387.patch       |   27 +
 .../openssh/openssh_8.9p1.bb                  |    1 +
 .../openssl/openssl/CVE-2024-5535_1.patch     |  115 ++
 .../openssl/openssl/CVE-2024-5535_2.patch     |   44 +
 .../openssl/openssl/CVE-2024-5535_3.patch     |   84 ++
 .../openssl/openssl/CVE-2024-5535_4.patch     |  178 +++
 .../openssl/openssl/CVE-2024-5535_5.patch     | 1175 +++++++++++++++++
 .../openssl/openssl/CVE-2024-5535_6.patch     |   45 +
 .../openssl/openssl/CVE-2024-5535_7.patch     |   68 +
 .../openssl/openssl/CVE-2024-5535_8.patch     |  273 ++++
 .../openssl/openssl/CVE-2024-5535_9.patch     |  205 +++
 .../openssl/openssl_3.0.14.bb                 |    9 +
 meta/recipes-core/glibc/glibc-tests_2.35.bb   |    4 +-
 meta/recipes-core/glibc/glibc/run-ptest       |    2 +-
 .../wget/wget/CVE-2024-38428.patch            |   79 ++
 meta/recipes-extended/wget/wget_1.21.4.bb     |    1 +
 .../CVE-2024-4453.patch                       |   65 +
 .../gstreamer1.0-plugins-base_1.20.7.bb       |    1 +
 19 files changed, 2374 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2024-6387.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_1.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_2.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_3.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_4.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_5.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_6.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_7.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_8.patch
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-5535_9.patch
 create mode 100644 meta/recipes-extended/wget/wget/CVE-2024-38428.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base/CVE-2024-4453.patch

-- 
2.34.1




* [OE-core][kirkstone 0/7] Patch review
@ 2024-08-30 12:52 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-08-30 12:52 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, September 3

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7295

The following changes since commit 963085afced737863cf4ff8515a1cf08365d5d87:

  libsoup: fix compile error on centos7 (2024-08-23 14:34:03 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Divya Chellam (1):
  bind: Upgrade 9.18.24 -> 9.18.28

Hitendra Prajapati (1):
  vim: upgrade from 9.0.2190 -> 9.1.0114

Hugo SIMELIERE (1):
  cryptodev-module: Fix build for linux 5.10.220

Ming Liu (1):
  grub: fs/fat: Don't error when mtime is 0

Peter Marko (2):
  libyaml: Ignore CVE-2024-35325
  curl: Ignore CVE-2024-32928

Siddharth Doshi (1):
  vim: Upgrade 9.1.0114 -> 9.1.0682

 ...1-fs-fat-Don-t-error-when-mtime-is-0.patch | 70 +++++++++++++++++++
 meta/recipes-bsp/grub/grub2.inc               |  1 +
 .../bind/{bind_9.18.24.bb => bind_9.18.28.bb} |  2 +-
 .../cryptodev/cryptodev-module_1.12.bb        |  1 +
 .../0001-Fix-build-for-linux-5.10.220.patch   | 32 +++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |  2 +
 meta/recipes-support/libyaml/libyaml_0.2.5.bb |  2 +
 ...m-add-knob-whether-elf.h-are-checked.patch | 39 -----------
 .../vim/{vim-tiny_9.0.bb => vim-tiny_9.1.bb}  |  0
 meta/recipes-support/vim/vim.inc              |  5 +-
 .../vim/{vim_9.0.bb => vim_9.1.bb}            |  0
 11 files changed, 111 insertions(+), 43 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/0001-fs-fat-Don-t-error-when-mtime-is-0.patch
 rename meta/recipes-connectivity/bind/{bind_9.18.24.bb => bind_9.18.28.bb} (97%)
 create mode 100644 meta/recipes-kernel/cryptodev/files/0001-Fix-build-for-linux-5.10.220.patch
 delete mode 100644 meta/recipes-support/vim/files/vim-add-knob-whether-elf.h-are-checked.patch
 rename meta/recipes-support/vim/{vim-tiny_9.0.bb => vim-tiny_9.1.bb} (100%)
 rename meta/recipes-support/vim/{vim_9.0.bb => vim_9.1.bb} (100%)

-- 
2.34.1




* [OE-core][kirkstone 0/7] Patch review
@ 2024-12-11 14:47 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2024-12-11 14:47 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Friday, December 13

Passed a-full on autobuilder:

https://valkyrie.yoctoproject.org/#/builders/29/builds/615

The following changes since commit e42b6a40a3a01e328966bb5ee1bb3e0993975b15:

  resulttool: Improve repo layout for oeselftest results (2024-12-04 05:50:49 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (1):
  dbus: disable assertions and enable only modular tests

Divya Chellam (1):
  libpam: fix CVE-2024-10041

Jiaying Song (1):
  python3-requests: fix CVE-2024-35195

Khem Raj (1):
  unzip: Fix configure tests to use modern C

Peter Marko (2):
  libsdl2: ignore CVE-2020-14409 and CVE-2020-14410
  rootfs-postcommands.bbclass: make opkg status reproducible

Ross Burton (1):
  sanity: check for working user namespaces

 meta/classes/rootfs-postcommands.bbclass      |   4 +
 meta/classes/sanity.bbclass                   |  24 ++++
 meta/recipes-core/dbus/dbus_1.14.8.bb         |   3 +-
 .../python3-requests/CVE-2024-35195.patch     | 121 ++++++++++++++++++
 .../python/python3-requests_2.27.1.bb         |   4 +-
 .../pam/libpam/CVE-2024-10041.patch           |  98 ++++++++++++++
 meta/recipes-extended/pam/libpam_1.5.2.bb     |   1 +
 ...rrect-system-headers-and-prototypes-.patch | 112 ++++++++++++++++
 meta/recipes-extended/unzip/unzip_6.0.bb      |   1 +
 .../libsdl2/libsdl2_2.0.20.bb                 |   3 +
 10 files changed, 368 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3-requests/CVE-2024-35195.patch
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-10041.patch
 create mode 100644 meta/recipes-extended/unzip/unzip/0001-configure-Add-correct-system-headers-and-prototypes-.patch

-- 
2.34.1




* [OE-core][kirkstone 0/7] Patch review
@ 2025-02-12 14:21 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-02-12 14:21 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Friday, February 14

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1001

The following changes since commit a397c152abf4f3da1323594e79ebac844a2c9f45:

  glibc: stable 2.35 branch updates (2025-01-30 08:17:32 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bruce Ashfield (2):
  linux-yocto/5.15: update to v5.15.176
  linux-yocto/5.15: update to v5.15.178

Khem Raj (1):
  python3: Treat UID/GID overflow as failure

Nikhil R (1):
  glibc: Suppress GCC -Os warning on user2netname for sunrpc

Pedro Ferreira (1):
  rust-common.bbclass: soft assignment for RUSTLIB path

Peter Marko (1):
  cmake: apply parallel build settings to ptest tasks

Praveen Kumar (1):
  go: Fix CVE-2024-45336

 meta/classes/cmake.bbclass                    |   2 +
 meta/classes/rust-common.bbclass              |   2 +-
 ...press-gcc-os-warning-on-user2netname.patch |  61 +++
 meta/recipes-core/glibc/glibc_2.35.bb         |   1 +
 meta/recipes-devtools/go/go-1.17.13.inc       |   1 +
 .../go/go-1.21/CVE-2024-45336.patch           | 394 ++++++++++++++++++
 ...e-treat-overflow-in-UID-GID-as-failu.patch |  40 ++
 .../python/python3_3.10.16.bb                 |   1 +
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +-
 11 files changed, 520 insertions(+), 20 deletions(-)
 create mode 100644 meta/recipes-core/glibc/glibc/0003-sunrpc-suppress-gcc-os-warning-on-user2netname.patch
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2024-45336.patch
 create mode 100644 meta/recipes-devtools/python/python3/0001-gh-107811-tarfile-treat-overflow-in-UID-GID-as-failu.patch

-- 
2.43.0




* [OE-core][kirkstone 0/7] Patch review
@ 2025-03-14 14:10 Steve Sakoman
  2025-03-14 14:10 ` [OE-core][kirkstone 1/7] puzzles: ignore three new CVEs for a different puzzles Steve Sakoman
                   ` (6 more replies)
  0 siblings, 7 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-03-14 14:10 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, March 18

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1187

The following changes since commit 0216c229d5c60d0023b0a7d6e8ee41bdfa16f8ef:

  tzcode-native: Fix compiler setting from 2023d version (2025-03-07 07:00:55 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Ashish Sharma (1):
  ruby: Fix CVE-2025-27219

Divya Chellam (1):
  vim: Upgrade 9.1.1043 -> 9.1.1115

Hitendra Prajapati (2):
  grub: Fix multiple CVEs
  grub: Fix multiple CVEs

Peter Marko (2):
  puzzles: ignore three new CVEs for a different puzzles
  libarchive: patch CVE-2025-25724

Zhang Peng (1):
  mpg123: fix CVE-2024-10573

 .../0001-misc-Implement-grub_strlcpy.patch    |  68 ++
 .../grub/files/CVE-2024-45774.patch           |  40 +
 .../grub/files/CVE-2024-45775.patch           |  41 +
 .../grub/files/CVE-2024-45776.patch           |  42 +
 .../grub/files/CVE-2024-45777.patch           |  60 ++
 .../files/CVE-2024-45778_CVE-2024-45779.patch |  58 ++
 .../grub/files/CVE-2024-45780.patch           |  96 ++
 .../grub/files/CVE-2024-45781.patch           |  38 +
 .../files/CVE-2024-45782_CVE-2024-56737.patch |  39 +
 .../grub/files/CVE-2024-45783.patch           |  42 +
 .../grub/files/CVE-2025-0622-01.patch         |  39 +
 .../grub/files/CVE-2025-0622-02.patch         |  44 +
 .../grub/files/CVE-2025-0622-03.patch         |  41 +
 .../grub/files/CVE-2025-0624.patch            |  87 ++
 ...025-0685_CVE-2025-0686_CVE-2025-0689.patch | 380 +++++++
 .../files/CVE-2025-0678_CVE-2025-1125.patch   |  90 ++
 .../grub/files/CVE-2025-0690.patch            |  75 ++
 .../grub/files/CVE-2025-1118.patch            |  40 +
 meta/recipes-bsp/grub/grub2.inc               |  18 +
 .../ruby/ruby/CVE-2025-27219.patch            |  31 +
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |   1 +
 .../libarchive/CVE-2025-25724.patch           |  40 +
 .../libarchive/libarchive_3.6.2.bb            |   1 +
 .../mpg123/mpg123/CVE-2024-10573.patch        | 978 ++++++++++++++++++
 .../mpg123/mpg123_1.29.3.bb                   |   4 +-
 meta/recipes-sato/puzzles/puzzles_git.bb      |   2 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 27 files changed, 2396 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45774.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45775.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45776.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45777.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45780.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45781.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45783.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0624.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0690.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-1118.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-25724.patch
 create mode 100644 meta/recipes-multimedia/mpg123/mpg123/CVE-2024-10573.patch

-- 
2.43.0




* [OE-core][kirkstone 1/7] puzzles: ignore three new CVEs for a different puzzles
  2025-03-14 14:10 [OE-core][kirkstone 0/7] Patch review Steve Sakoman
@ 2025-03-14 14:10 ` Steve Sakoman
  2025-03-14 14:10 ` [OE-core][kirkstone 2/7] libarchive: patch CVE-2025-25724 Steve Sakoman
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-03-14 14:10 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

As we just match on product by default, ignore three CVEs which are
for the "Puzzles" WordPress theme by ThemeREX (CPE themerex:puzzles).

(From OE-Core rev: 87326573c82ac1e8dc335319442236ef2341501e)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Adapted to different kirkstone CVE_STATUS format.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-sato/puzzles/puzzles_git.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-sato/puzzles/puzzles_git.bb b/meta/recipes-sato/puzzles/puzzles_git.bb
index 0104f2672a..436d444896 100644
--- a/meta/recipes-sato/puzzles/puzzles_git.bb
+++ b/meta/recipes-sato/puzzles/puzzles_git.bb
@@ -47,3 +47,5 @@ STOP
     done
 }
 
+# cpe-incorrect: issue in ThemeREX's Wordpress theme Puzzles
+CVE_CHECK_IGNORE += "CVE-2024-13769 CVE-2024-13770 CVE-2025-0837"
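Review bot: the CVE_CHECK_IGNORE line added at the end of the recipe fixes
the three current false positives but not their cause. The commit message
says they appear because only the product name is matched, so a
vendor-qualified CVE_PRODUCT (the vendor:product form) would exclude the
themerex:puzzles CPE once, instead of this list growing each time a new
ThemeREX CVE is published. If the ignore list stays, "Wordpress" in the new
comment should read "WordPress", as it does in the commit message.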
-- 
2.43.0




* [OE-core][kirkstone 2/7] libarchive: patch CVE-2025-25724
  2025-03-14 14:10 [OE-core][kirkstone 0/7] Patch review Steve Sakoman
  2025-03-14 14:10 ` [OE-core][kirkstone 1/7] puzzles: ignore three new CVEs for a different puzzles Steve Sakoman
@ 2025-03-14 14:10 ` Steve Sakoman
  2025-03-14 14:10 ` [OE-core][kirkstone 3/7] grub: Fix multiple CVEs Steve Sakoman
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-03-14 14:10 UTC (permalink / raw)
  To: openembedded-core

From: Peter Marko <peter.marko@siemens.com>

Pick commit referencing this MR which was merged to master.
Note that this commit also patched CVE-2025-1632 in bsdunzip, however
that utility was introduced only in 3.7.0, so that part is not
applicable in kirkstone.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libarchive/CVE-2025-25724.patch           | 40 +++++++++++++++++++
 .../libarchive/libarchive_3.6.2.bb            |  1 +
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-25724.patch

diff --git a/meta/recipes-extended/libarchive/libarchive/CVE-2025-25724.patch b/meta/recipes-extended/libarchive/libarchive/CVE-2025-25724.patch
new file mode 100644
index 0000000000..fe489e852f
--- /dev/null
+++ b/meta/recipes-extended/libarchive/libarchive/CVE-2025-25724.patch
@@ -0,0 +1,40 @@
+From c9bc934e7e91d302e0feca6e713ccc38d6d01532 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Peter=20K=C3=A4stle?= <peter@piie.net>
+Date: Mon, 10 Mar 2025 16:43:04 +0100
+Subject: [PATCH] fix CVE-2025-1632 and CVE-2025-25724 (#2532)
+
+Hi,
+
+please find my approach to fix the CVE-2025-1632 and CVE-2025-25724
+vulnerabilities in this pr.
+As both error cases did trigger a NULL pointer deref (and triggered
+hopefully everywhere a coredump), we can safely replace the actual
+information by a predefined invalid string without breaking any
+functionality.
+
+CVE: CVE-2025-25724
+Upstream-Status: Backport [https://github.com/libarchive/libarchive/commit/c9bc934e7e91d302e0feca6e713ccc38d6d01532]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---------
+
+Signed-off-by: Peter Kaestle <peter@piie.net>
+---
+ tar/util.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tar/util.c b/tar/util.c
+index 3b099cb5..f3cbdf0b 100644
+--- a/tar/util.c
++++ b/tar/util.c
+@@ -758,7 +758,10 @@ list_item_verbose(struct bsdtar *bsdtar, FILE *out, struct archive_entry *entry)
+ #else
+ 	ltime = localtime(&tim);
+ #endif
+-	strftime(tmp, sizeof(tmp), fmt, ltime);
++	if (ltime)
++		strftime(tmp, sizeof(tmp), fmt, ltime);
++	else
++		sprintf(tmp, "-- -- ----");
+ 	fprintf(out, " %s ", tmp);
+ 	safe_fprintf(out, "%s", archive_entry_pathname(entry));
+ 
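Review bot: in the tar/util.c change, the new else branch writes with an
unbounded sprintf(tmp, "-- -- ----") while the strftime() call just above it
passes sizeof(tmp); snprintf(tmp, sizeof(tmp), ...) would bound both branches
by the same buffer size. The size of tmp is not visible in this hunk and the
literal is only 10 characters plus the terminator, so this is a consistency
point to raise upstream rather than a reason to diverge from the backport.
The patch header also keeps the upstream Subject naming both CVE-2025-1632
and CVE-2025-25724 while tagging only CVE-2025-25724; a one-line remark in
the header that the bsdunzip part does not apply to 3.6.2 would save the next
reader from going back to the commit message.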
diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index 6af01cf408..4ceb0df2c0 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://libarchive.org/downloads/libarchive-${PV}.tar.gz \
            file://CVE-2024-48957.patch \
            file://CVE-2024-48958.patch \
            file://CVE-2024-20696.patch \
+           file://CVE-2025-25724.patch \
            "
 UPSTREAM_CHECK_URI = "http://libarchive.org/"
 
-- 
2.43.0




* [OE-core][kirkstone 3/7] grub: Fix multiple CVEs
  2025-03-14 14:10 [OE-core][kirkstone 0/7] Patch review Steve Sakoman
  2025-03-14 14:10 ` [OE-core][kirkstone 1/7] puzzles: ignore three new CVEs for a different puzzles Steve Sakoman
  2025-03-14 14:10 ` [OE-core][kirkstone 2/7] libarchive: patch CVE-2025-25724 Steve Sakoman
@ 2025-03-14 14:10 ` Steve Sakoman
  2025-03-14 14:10 ` [OE-core][kirkstone 4/7] " Steve Sakoman
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-03-14 14:10 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Backport fixes for:

* CVE-2024-45774 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2c34af908ebf4856051ed29e46d88abd2b20387f
* CVE-2024-45775 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872
* CVE-2024-45776 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91
* CVE-2024-45777 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b970a5ed967816bbca8225994cd0ee2557bad515
* CVE-2024-45778_CVE-2024-45779 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=26db6605036bd9e5b16d9068a8cc75be63b8b630
* CVE-2024-45780 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3
* CVE-2024-45781 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba
* CVE-2024-45782_CVE-2024-56737 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=417547c10410b714e43f08f74137c24015f8f4c3
* CVE-2024-45783 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../0001-misc-Implement-grub_strlcpy.patch    | 68 +++++++++++++
 .../grub/files/CVE-2024-45774.patch           | 40 ++++++++
 .../grub/files/CVE-2024-45775.patch           | 41 ++++++++
 .../grub/files/CVE-2024-45776.patch           | 42 ++++++++
 .../grub/files/CVE-2024-45777.patch           | 60 ++++++++++++
 .../files/CVE-2024-45778_CVE-2024-45779.patch | 58 +++++++++++
 .../grub/files/CVE-2024-45780.patch           | 96 +++++++++++++++++++
 .../grub/files/CVE-2024-45781.patch           | 38 ++++++++
 .../files/CVE-2024-45782_CVE-2024-56737.patch | 39 ++++++++
 .../grub/files/CVE-2024-45783.patch           | 42 ++++++++
 meta/recipes-bsp/grub/grub2.inc               | 10 ++
 11 files changed, 534 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45774.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45775.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45776.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45777.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45780.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45781.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-45783.patch

diff --git a/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch b/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch
new file mode 100644
index 0000000000..0ff6dff33a
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/0001-misc-Implement-grub_strlcpy.patch
@@ -0,0 +1,68 @@
+From ea703528a8581a2ea7e0bad424a70fdf0aec7d8f Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sat, 15 Jun 2024 02:33:08 +0100
+Subject: [PATCH 1/2] misc: Implement grub_strlcpy()
+
+grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
+returning the length of src and ensuring dest is always NUL
+terminated except when size is 0.
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=ea703528a8581a2ea7e0bad424a70fdf0aec7d8f]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 1578f36c3..14d8f37ac 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -64,6 +64,45 @@ grub_stpcpy (char *dest, const char *src)
+   return d - 1;
+ }
+ 
++static inline grub_size_t
++grub_strlcpy (char *dest, const char *src, grub_size_t size)
++{
++  char *d = dest;
++  grub_size_t res = 0;
++  /*
++   * We do not subtract one from size here to avoid dealing with underflowing
++   * the value, which is why to_copy is always checked to be greater than one
++   * throughout this function.
++   */
++  grub_size_t to_copy = size;
++
++  /* Copy size - 1 bytes to dest. */
++  if (to_copy > 1)
++    while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
++      ;
++
++  /*
++   * NUL terminate if size != 0. The previous step may have copied a NUL byte
++   * if it reached the end of the string, but we know dest[size - 1] must always
++   * be a NUL byte.
++   */
++  if (size != 0)
++    dest[size - 1] = '\0';
++
++  /* If there is still space in dest, but are here, we reached the end of src. */
++  if (to_copy > 1)
++    return res;
++
++  /*
++   * If we haven't reached the end of the string, iterate through to determine
++   * the strings total length.
++   */
++  while (*src++ != '\0' && ++res)
++   ;
++
++  return res;
++}
++
+ /* XXX: If grub_memmove is too slow, we must implement grub_memcpy.  */
+ static inline void *
+ grub_memcpy (void *dest, const void *src, grub_size_t n)
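Review bot: the header of this prerequisite patch does not say which fixes
depend on it. CVE-2024-45781.patch and CVE-2024-45782_CVE-2024-56737.patch in
this same series both call grub_strlcpy(), so it has to be applied before
them; a line next to Upstream-Status naming those two patches would make the
ordering obvious to whoever later drops or reorders entries. For callers of
the function: the final loop still walks src up to its NUL to compute the
return value after dest is full, so src must be NUL terminated whatever size
is passed.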
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45774.patch b/meta/recipes-bsp/grub/files/CVE-2024-45774.patch
new file mode 100644
index 0000000000..f4cbd50022
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45774.patch
@@ -0,0 +1,40 @@
+From 2c34af908ebf4856051ed29e46d88abd2b20387f Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 8 Mar 2024 22:47:20 +1100
+Subject: [PATCH] video/readers/jpeg: Do not permit duplicate SOF0 markers in
+ JPEG
+
+Otherwise a subsequent header could change the height and width
+allowing future OOB writes.
+
+Fixes: CVE-2024-45774
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45774
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2c34af908ebf4856051ed29e46d88abd2b20387f]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/video/readers/jpeg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
+index 6019b6a..5e5e39c 100644
+--- a/grub-core/video/readers/jpeg.c
++++ b/grub-core/video/readers/jpeg.c
+@@ -330,6 +330,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
+   if (grub_errno != GRUB_ERR_NONE)
+     return grub_errno;
+ 
++  if (data->image_height != 0 || data->image_width != 0)
++    return grub_error (GRUB_ERR_BAD_FILE_TYPE,
++		       "jpeg: cannot have duplicate SOF0 markers");
++
+   if (grub_jpeg_get_byte (data) != 8)
+     return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ 		       "jpeg: only 8-bit precision is supported");
+-- 
+2.25.1
+
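Review bot: the new guard in grub_jpeg_decode_sof() uses
"data->image_height != 0 || data->image_width != 0" as its test for "SOF0
already seen", which holds only if the structure starts out zeroed and if a
first SOF0 that declares 0x0 is rejected elsewhere. Neither is visible in
this hunk, so please confirm both for the grub version kirkstone carries;
otherwise a 0x0 first marker would not stop a second SOF0 from being
accepted.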
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45775.patch b/meta/recipes-bsp/grub/files/CVE-2024-45775.patch
new file mode 100644
index 0000000000..4328e4249f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45775.patch
@@ -0,0 +1,41 @@
+From 05be856a8c3aae41f5df90cab7796ab7ee34b872 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:55 +0000
+Subject: [PATCH] commands/extcmd: Missing check for failed allocation
+
+The grub_extcmd_dispatcher() calls grub_arg_list_alloc() to allocate
+a grub_arg_list struct but it does not verify the allocation was successful.
+In case of failed allocation the NULL state pointer can be accessed in
+parse_option() through grub_arg_parse() which may lead to a security issue.
+
+Fixes: CVE-2024-45775
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45775
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=05be856a8c3aae41f5df90cab7796ab7ee34b872]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/extcmd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
+index 90a5ca2..c236be1 100644
+--- a/grub-core/commands/extcmd.c
++++ b/grub-core/commands/extcmd.c
+@@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args,
+     }
+ 
+   state = grub_arg_list_alloc (ext, argc, args);
++  if (state == NULL)
++    return grub_errno;
++
+   if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc))
+     {
+       context.state = state;
+-- 
+2.25.1
+
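Review bot: the added check in grub_extcmd_dispatcher() returns grub_errno
when state is NULL, which reports a failure only if grub_arg_list_alloc() set
grub_errno before returning; that function is not part of this hunk. If it
can return NULL with grub_errno still GRUB_ERR_NONE, the dispatcher would
return success without running the command, so it is worth confirming that
the allocation path sets an error in the tree this is backported to.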
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45776.patch b/meta/recipes-bsp/grub/files/CVE-2024-45776.patch
new file mode 100644
index 0000000000..66b997dd69
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45776.patch
@@ -0,0 +1,42 @@
+From 09bd6eb58b0f71ec273916070fa1e2de16897a91 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:56 +0000
+Subject: [PATCH] gettext: Integer overflow leads to heap OOB write or read
+
+Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may
+overflow leading to subsequent OOB write or read. This patch fixes the
+issue by replacing grub_zalloc() and explicit multiplication with
+grub_calloc() which does the same thing in safe manner.
+
+Fixes: CVE-2024-45776
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45776
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=09bd6eb58b0f71ec273916070fa1e2de16897a91]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/gettext/gettext.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 4d02e62..55d8b67 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx,
+   for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log;
+        ctx->grub_gettext_max_log++);
+ 
+-  ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max
+-					    * sizeof (ctx->grub_gettext_msg_list[0]));
++  ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max,
++					    sizeof (ctx->grub_gettext_msg_list[0]));
+   if (!ctx->grub_gettext_msg_list)
+     {
+       grub_file_close (fd);
+-- 
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45777.patch b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch
new file mode 100644
index 0000000000..2591609760
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45777.patch
@@ -0,0 +1,60 @@
+From b970a5ed967816bbca8225994cd0ee2557bad515 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:57 +0000
+Subject: [PATCH] gettext: Integer overflow leads to heap OOB write
+
+The size calculation of the translation buffer in
+grub_gettext_getstr_from_position() may overflow
+to 0 leading to heap OOB write. This patch fixes
+the issue by using grub_add() and checking for
+an overflow.
+
+Fixes: CVE-2024-45777
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45777
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=b970a5ed967816bbca8225994cd0ee2557bad515]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/gettext/gettext.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 55d8b67..85ea44a 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -26,6 +26,7 @@
+ #include <grub/file.h>
+ #include <grub/kernel.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
+   char *translation;
+   struct string_descriptor desc;
+   grub_err_t err;
++  grub_size_t alloc_sz;
+ 
+   internal_position = (off + position * sizeof (desc));
+ 
+@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
+   length = grub_cpu_to_le32 (desc.length);
+   offset = grub_cpu_to_le32 (desc.offset);
+ 
+-  translation = grub_malloc (length + 1);
++  if (grub_add (length, 1, &alloc_sz))
++    return NULL;
++
++  translation = grub_malloc (alloc_sz);
+   if (!translation)
+     return NULL;
+ 
+-- 
+2.25.1
+
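Review bot: on overflow, the new grub_add() check in
grub_gettext_getstr_from_position() returns NULL without calling
grub_error(), so the caller cannot tell a malformed length field from an
out-of-memory condition. The fs/tar fix in this same series reports the
equivalent case with grub_error (GRUB_ERR_BAD_FS, ...). This matches the
upstream commit, so the backport should stay as is, but it is worth raising
upstream so the two fixes behave the same way.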
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch
new file mode 100644
index 0000000000..e224c41776
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45778_CVE-2024-45779.patch
@@ -0,0 +1,58 @@
+From 26db6605036bd9e5b16d9068a8cc75be63b8b630 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Sat, 23 Mar 2024 15:59:43 +1100
+Subject: [PATCH] fs/bfs: Disable under lockdown
+
+The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.
+This will also disable the AFS.
+
+Fixes: CVE-2024-45778
+Fixes: CVE-2024-45779
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45778
+CVE: CVE-2024-45779
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=26db6605036bd9e5b16d9068a8cc75be63b8b630]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/bfs.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c
+index 47dbe20..8d704e2 100644
+--- a/grub-core/fs/bfs.c
++++ b/grub-core/fs/bfs.c
+@@ -30,6 +30,7 @@
+ #include <grub/types.h>
+ #include <grub/i18n.h>
+ #include <grub/fshelp.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1104,7 +1105,10 @@ GRUB_MOD_INIT (bfs)
+ {
+   COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==
+ 		       sizeof (struct grub_bfs_extent));
+-  grub_fs_register (&grub_bfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_bfs_fs);
++    }
+ }
+ 
+ #ifdef MODE_AFS
+@@ -1113,5 +1117,6 @@ GRUB_MOD_FINI (afs)
+ GRUB_MOD_FINI (bfs)
+ #endif
+ {
+-  grub_fs_unregister (&grub_bfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_bfs_fs);
+ }
+-- 
+2.25.1
+
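Review bot: GRUB_MOD_FINI now skips grub_fs_unregister() when
grub_is_lockdown() is true, which is correct only if the lockdown state
cannot change between GRUB_MOD_INIT and GRUB_MOD_FINI. If lockdown were
enabled after the module had registered, grub_bfs_fs would stay registered
when the module is unloaded. Please confirm that lockdown is always
established before modules are initialised in the grub version kirkstone
carries. Minor style point: the INIT branch wraps its single statement in
braces and the FINI branch does not.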
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45780.patch b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch
new file mode 100644
index 0000000000..91d1e11005
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45780.patch
@@ -0,0 +1,96 @@
+From 0087bc6902182fe5cedce2d034c75a79cf6dd4f3 Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Fri, 22 Nov 2024 06:27:58 +0000
+Subject: [PATCH] fs/tar: Integer overflow leads to heap OOB write
+
+Both namesize and linksize are derived from hd.size, a 12-digit octal
+number parsed by read_number(). Later direct arithmetic calculation like
+"namesize + 1" and "linksize + 1" may exceed the maximum value of
+grub_size_t leading to heap OOB write. This patch fixes the issue by
+using grub_add() and checking for an overflow.
+
+Fixes: CVE-2024-45780
+
+Reported-by: Nils Langius <nils@langius.de>
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
+
+CVE: CVE-2024-45780
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0087bc6902182fe5cedce2d034c75a79cf6dd4f3]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/tar.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
+index c551ed6..a9e39b0 100644
+--- a/grub-core/fs/tar.c
++++ b/grub-core/fs/tar.c
+@@ -25,6 +25,7 @@
+ #include <grub/mm.h>
+ #include <grub/dl.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -76,6 +77,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ {
+   struct head hd;
+   int reread = 0, have_longname = 0, have_longlink = 0;
++  grub_size_t sz;
+ 
+   data->hofs = data->next_hofs;
+ 
+@@ -97,7 +99,11 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ 	{
+ 	  grub_err_t err;
+ 	  grub_size_t namesize = read_number (hd.size, sizeof (hd.size));
+-	  *name = grub_malloc (namesize + 1);
++
++	  if (grub_add (namesize, 1, &sz))
++	    return grub_error (GRUB_ERR_BAD_FS, N_("name size overflow"));
++
++	  *name = grub_malloc (sz);
+ 	  if (*name == NULL)
+ 	    return grub_errno;
+ 	  err = grub_disk_read (data->disk, 0,
+@@ -117,15 +123,19 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ 	{
+ 	  grub_err_t err;
+ 	  grub_size_t linksize = read_number (hd.size, sizeof (hd.size));
+-	  if (data->linkname_alloc < linksize + 1)
++
++	  if (grub_add (linksize, 1, &sz))
++	    return grub_error (GRUB_ERR_BAD_FS, N_("link size overflow"));
++
++	  if (data->linkname_alloc < sz)
+ 	    {
+ 	      char *n;
+-	      n = grub_calloc (2, linksize + 1);
++	      n = grub_calloc (2, sz);
+ 	      if (!n)
+ 		return grub_errno;
+ 	      grub_free (data->linkname);
+ 	      data->linkname = n;
+-	      data->linkname_alloc = 2 * (linksize + 1);
++	      data->linkname_alloc = 2 * (sz);
+ 	    }
+ 
+ 	  err = grub_disk_read (data->disk, 0,
+@@ -148,7 +158,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
+ 	  while (extra_size < sizeof (hd.prefix)
+ 		 && hd.prefix[extra_size])
+ 	    extra_size++;
+-	  *name = grub_malloc (sizeof (hd.name) + extra_size + 2);
++
++	  if (grub_add (sizeof (hd.name) + 2, extra_size, &sz))
++	    return grub_error (GRUB_ERR_BAD_FS, N_("long name size overflow"));
++	  *name = grub_malloc (sz);
+ 	  if (*name == NULL)
+ 	    return grub_errno;
+ 	  if (hd.prefix[0])
+-- 
+2.25.1
+
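Review bot: in the linksize branch, "data->linkname_alloc = 2 * (sz);" is an
unchecked multiplication. It is safe only because grub_calloc (2, sz) a few
lines above has already succeeded for the same product, and the parentheses
around sz are left over from the old "(linksize + 1)" expression. A short
comment stating that dependency, or computing the product once with a checked
multiply and using it for both the allocation and linkname_alloc, would keep
the two from drifting apart in later edits.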
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45781.patch b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch
new file mode 100644
index 0000000000..fb91fa45c7
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45781.patch
@@ -0,0 +1,38 @@
+From c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 02:03:33 +0100
+Subject: [PATCH 2/2] fs/ufs: Fix a heap OOB write
+
+grub_strcpy() was used to copy a symlink name from the filesystem
+image to a heap allocated buffer. This led to a OOB write to adjacent
+heap allocations. Fix by using grub_strlcpy().
+
+Fixes: CVE-2024-45781
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45781
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=c1a291b01f4f1dcd6a22b61f1c81a45a966d16ba]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/ufs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
+index 34a698b..4727266 100644
+--- a/grub-core/fs/ufs.c
++++ b/grub-core/fs/ufs.c
+@@ -463,7 +463,7 @@ grub_ufs_lookup_symlink (struct grub_ufs_data *data, int ino)
+   /* Check against zero is paylindromic, no need to swap.  */
+   if (data->inode.nblocks == 0
+       && INODE_SIZE (data) <= sizeof (data->inode.symlink))
+-    grub_strcpy (symlink, (char *) data->inode.symlink);
++    grub_strlcpy (symlink, (char *) data->inode.symlink, sz);
+   else
+     {
+       if (grub_ufs_read_file (data, 0, 0, 0, sz, symlink) < 0)
+-- 
+2.25.1
+
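Review bot: the bound passed to grub_strlcpy() is sz, the same value the else
branch passes to grub_ufs_read_file() as the number of bytes to read.
grub_strlcpy() as added in 0001-misc-Implement-grub_strlcpy.patch copies at
most size - 1 bytes and terminates at dest[size - 1], so for the same sz the
inline-symlink path can yield one character fewer than the read path. The
allocation of symlink is outside this hunk; please check it against sz and
confirm the truncation is intended. This patch also needs the grub_strlcpy()
prerequisite applied first.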
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch b/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch
new file mode 100644
index 0000000000..5ba779f9ee
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45782_CVE-2024-56737.patch
@@ -0,0 +1,39 @@
+From 417547c10410b714e43f08f74137c24015f8f4c3 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 02:48:33 +0100
+Subject: [PATCH] fs/hfs: Fix stack OOB write with grub_strcpy()
+
+Replaced with grub_strlcpy().
+
+Fixes: CVE-2024-45782
+Fixes: CVE-2024-56737
+Fixes: https://savannah.gnu.org/bugs/?66599
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45782
+CVE: CVE-2024-56737
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=417547c10410b714e43f08f74137c24015f8f4c3]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/hfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
+index f419965..bb7af5f 100644
+--- a/grub-core/fs/hfs.c
++++ b/grub-core/fs/hfs.c
+@@ -379,7 +379,7 @@ grub_hfs_mount (grub_disk_t disk)
+      volume name.  */
+   key.parent_dir = grub_cpu_to_be32_compile_time (1);
+   key.strlen = data->sblock.volname[0];
+-  grub_strcpy ((char *) key.str, (char *) (data->sblock.volname + 1));
++  grub_strlcpy ((char *) key.str, (char *) (data->sblock.volname + 1), sizeof (key.str));
+ 
+   if (grub_hfs_find_node (data, (char *) &key, data->cat_root,
+ 			  0, (char *) &dir, sizeof (dir)) == 0)
+-- 
+2.25.1
+
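Review bot: in grub_hfs_mount() the copy into `key.str` is now bounded by `sizeof (key.str)`, but the line above it, `key.strlen = data->sblock.volname[0];`, still takes the length byte from the superblock unchecked. When the copy truncates, `key.strlen` can describe more bytes than `key.str` holds, and the key is then handed to grub_hfs_find_node(). Consider clamping `key.strlen` to the size of `key.str`, or rejecting the volume when the length byte exceeds it.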
diff --git a/meta/recipes-bsp/grub/files/CVE-2024-45783.patch b/meta/recipes-bsp/grub/files/CVE-2024-45783.patch
new file mode 100644
index 0000000000..793192d05a
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2024-45783.patch
@@ -0,0 +1,42 @@
+From f7c070a2e28dfab7137db0739fb8db1dc02d8898 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sun, 12 May 2024 06:22:51 +0100
+Subject: [PATCH] fs/hfsplus: Set a grub_errno if mount fails
+
+It was possible for mount to fail but not set grub_errno. This led to
+a possible double decrement of the module reference count if the NULL
+page was mapped.
+
+Fixing in general as a similar bug was fixed in commit 61b13c187
+(fs/hfsplus: Set grub_errno to prevent NULL pointer access) and there
+are likely more variants around.
+
+Fixes: CVE-2024-45783
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2024-45783
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f7c070a2e28dfab7137db0739fb8db1dc02d8898]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/hfsplus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
+index 19c7b33..e7fd98a 100644
+--- a/grub-core/fs/hfsplus.c
++++ b/grub-core/fs/hfsplus.c
+@@ -393,7 +393,7 @@ grub_hfsplus_mount (grub_disk_t disk)
+ 
+  fail:
+ 
+-  if (grub_errno == GRUB_ERR_OUT_OF_RANGE)
++  if (grub_errno == GRUB_ERR_OUT_OF_RANGE || grub_errno == GRUB_ERR_NONE)
+     grub_error (GRUB_ERR_BAD_FS, "not a HFS+ filesystem");
+ 
+   grub_free (data);
+-- 
+2.25.1
+
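Review bot: at the `fail:` label in grub_hfsplus_mount() the new `grub_errno == GRUB_ERR_NONE` test has no comment, and without the commit message it looks like a check for success on a failure path. A one-line comment saying that some branches reach `fail:` without setting grub_errno, and that callers rely on a non-zero grub_errno when mount returns NULL, would stop it from being dropped in a later cleanup. The patch header also says more variants are likely; a note on whether the other filesystem mount functions were checked for this backport would help.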
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 3e96426b82..259a0a4c3d 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -41,6 +41,16 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 	   file://CVE-2023-4692.patch \
            file://CVE-2023-4693.patch \
            file://0001-fs-fat-Don-t-error-when-mtime-is-0.patch \
+           file://0001-misc-Implement-grub_strlcpy.patch \
+           file://CVE-2024-45774.patch \
+           file://CVE-2024-45775.patch \
+           file://CVE-2024-45776.patch \
+           file://CVE-2024-45777.patch \
+           file://CVE-2024-45778_CVE-2024-45779.patch \
+           file://CVE-2024-45780.patch \
+           file://CVE-2024-45781.patch \
+           file://CVE-2024-45782_CVE-2024-56737.patch \
+           file://CVE-2024-45783.patch \
 "
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
-- 
2.43.0




* [OE-core][kirkstone 4/7] grub: Fix multiple CVEs
  2025-03-14 14:10 [OE-core][kirkstone 0/7] Patch review Steve Sakoman
                   ` (2 preceding siblings ...)
  2025-03-14 14:10 ` [OE-core][kirkstone 3/7] grub: Fix multiple CVEs Steve Sakoman
@ 2025-03-14 14:10 ` Steve Sakoman
  2025-03-14 14:10 ` [OE-core][kirkstone 5/7] ruby: Fix CVE-2025-27219 Steve Sakoman
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-03-14 14:10 UTC (permalink / raw)
  To: openembedded-core

From: Hitendra Prajapati <hprajapati@mvista.com>

Backport fixes for:

* CVE-2025-0622 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2123c5bca7e21fbeb0263df4597ddd7054700726 && https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c16197734ada8d0838407eebe081117799bfe67 && https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637
* CVE-2025-0624 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5eef88152833062a3f7e017535372d64ac8ef7e1
* CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10
* CVE-2025-0678_CVE-2025-1125 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e
* CVE-2025-0690 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc
* CVE-2025-1118 - Upstream-Status: Backport from https://git.savannah.gnu.org/cgit/grub.git/commit/?id=34824806ac6302f91e8cabaa41308eaced25725f

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../grub/files/CVE-2025-0622-01.patch         |  39 ++
 .../grub/files/CVE-2025-0622-02.patch         |  44 ++
 .../grub/files/CVE-2025-0622-03.patch         |  41 ++
 .../grub/files/CVE-2025-0624.patch            |  87 ++++
 ...025-0685_CVE-2025-0686_CVE-2025-0689.patch | 380 ++++++++++++++++++
 .../files/CVE-2025-0678_CVE-2025-1125.patch   |  90 +++++
 .../grub/files/CVE-2025-0690.patch            |  75 ++++
 .../grub/files/CVE-2025-1118.patch            |  40 ++
 meta/recipes-bsp/grub/grub2.inc               |   8 +
 9 files changed, 804 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0624.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-0690.patch
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2025-1118.patch

diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch
new file mode 100644
index 0000000000..9b300c7224
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-01.patch
@@ -0,0 +1,39 @@
+From 2123c5bca7e21fbeb0263df4597ddd7054700726 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 19:24:29 +0000
+Subject: [PATCH 1/3] commands/pgp: Unregister the "check_signatures" hooks on
+ module unload
+
+If the hooks are not removed they can be called after the module has
+been unloaded leading to an use-after-free.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0622
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=2123c5bca7e21fbeb0263df4597ddd7054700726]
+
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/pgp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
+index 5daa1e9..1abdea6 100644
+--- a/grub-core/commands/pgp.c
++++ b/grub-core/commands/pgp.c
+@@ -1010,6 +1010,8 @@ GRUB_MOD_INIT(pgp)
+ 
+ GRUB_MOD_FINI(pgp)
+ {
++  grub_register_variable_hook ("check_signatures", NULL, NULL);
++  grub_env_unset ("check_signatures");
+   grub_verifier_unregister (&grub_pubkey_verifier);
+   grub_unregister_extcmd (cmd);
+   grub_unregister_extcmd (cmd_trust);
+-- 
+2.25.1
+
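Review bot: in GRUB_MOD_FINI(pgp) the patch adds `grub_env_unset ("check_signatures");` as well as clearing the hook, but the subject and description only mention unregistering the hook. Unsetting the variable is a user-visible change on module unload and is not needed to stop the hook from being called, so the header should say why it is done. A short comment above the two added lines tying them to the registration in GRUB_MOD_INIT(pgp) would also keep the init and fini sides in step.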
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch
new file mode 100644
index 0000000000..17800dd7c4
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-02.patch
@@ -0,0 +1,44 @@
+From 9c16197734ada8d0838407eebe081117799bfe67 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 23:46:55 +0000
+Subject: [PATCH 2/3] normal: Remove variables hooks on module unload
+
+The normal module does not entirely cleanup after itself in
+its GRUB_MOD_FINI() leaving a few variables hooks in place.
+It is not possible to unload normal module now but fix the
+issues for completeness.
+
+On the occasion replace 0s with NULLs for "pager" variable
+hooks unregister.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0622
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c16197734ada8d0838407eebe081117799bfe67]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/normal/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index c4ebe9e..31c53a6 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -581,7 +581,9 @@ GRUB_MOD_FINI(normal)
+   grub_xputs = grub_xputs_saved;
+ 
+   grub_set_history (0);
+-  grub_register_variable_hook ("pager", 0, 0);
++  grub_register_variable_hook ("pager", NULL, NULL);
++  grub_register_variable_hook ("color_normal", NULL, NULL);
++  grub_register_variable_hook ("color_highlight", NULL, NULL);
+   grub_fs_autoload_hook = 0;
+   grub_unregister_command (cmd_clear);
+ }
+-- 
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch b/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch
new file mode 100644
index 0000000000..c3147cdb1f
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0622-03.patch
@@ -0,0 +1,41 @@
+From 7580addfc8c94cedb0cdfd7a1fd65b539215e637 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 1 Nov 2024 23:52:06 +0000
+Subject: [PATCH 3/3] gettext: Remove variables hooks on module unload
+
+The gettext module does not entirely cleanup after itself in
+its GRUB_MOD_FINI() leaving a few variables hooks in place.
+It is not possible to unload gettext module because normal
+module depends on it. Though fix the issues for completeness.
+
+Fixes: CVE-2025-0622
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0622
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=7580addfc8c94cedb0cdfd7a1fd65b539215e637]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/gettext/gettext.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
+index 85ea44a..7a25c9d 100644
+--- a/grub-core/gettext/gettext.c
++++ b/grub-core/gettext/gettext.c
+@@ -540,6 +540,10 @@ GRUB_MOD_INIT (gettext)
+ 
+ GRUB_MOD_FINI (gettext)
+ {
++  grub_register_variable_hook ("locale_dir", NULL, NULL);
++  grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
++  grub_register_variable_hook ("lang", NULL, NULL);
++
+   grub_gettext_delete_list (&main_context);
+   grub_gettext_delete_list (&secondary_context);
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0624.patch b/meta/recipes-bsp/grub/files/CVE-2025-0624.patch
new file mode 100644
index 0000000000..02f270a033
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0624.patch
@@ -0,0 +1,87 @@
+From 5eef88152833062a3f7e017535372d64ac8ef7e1 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Fri, 15 Nov 2024 13:12:09 +0000
+Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
+
+The function included a call to grub_strcpy() which copied data from an
+environment variable to a buffer allocated in grub_cmd_normal(). The
+grub_cmd_normal() didn't consider the length of the environment variable.
+So, the copy operation could exceed the allocation and lead to an OOB
+write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
+pass the underlying buffers size to the grub_net_search_config_file().
+
+Fixes: CVE-2025-0624
+
+Reported-by: B Horn <b@horn.uk>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0624
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5eef88152833062a3f7e017535372d64ac8ef7e1]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/net/net.c     | 7 ++++---
+ grub-core/normal/main.c | 2 +-
+ include/grub/net.h      | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 4d3eb5c..ec7f01c 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -1773,14 +1773,15 @@ grub_config_search_through (char *config, char *suffix,
+ }
+ 
+ grub_err_t
+-grub_net_search_config_file (char *config)
++grub_net_search_config_file (char *config, grub_size_t config_buf_len)
+ {
+-  grub_size_t config_len;
++  grub_size_t config_len, suffix_len;
+   char *suffix;
+ 
+   config_len = grub_strlen (config);
+   config[config_len] = '-';
+   suffix = config + config_len + 1;
++  suffix_len = config_buf_len - (config_len + 1);
+ 
+   struct grub_net_network_level_interface *inf;
+   FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
+@@ -1806,7 +1807,7 @@ grub_net_search_config_file (char *config)
+ 
+       if (client_uuid)
+         {
+-          grub_strcpy (suffix, client_uuid);
++          grub_strlcpy (suffix, client_uuid, suffix_len);
+           if (grub_config_search_through (config, suffix, 1, 0) == 0)
+             return GRUB_ERR_NONE;
+         }
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 31c53a6..a95c25e 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -344,7 +344,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
+ 
+           if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0 &&
+               !disable_net_search)
+-            grub_net_search_config_file (config);
++            grub_net_search_config_file (config, config_len);
+ 
+ 	  grub_enter_normal_mode (config);
+ 	  grub_free (config);
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 7ae4b6b..d6ba8b1 100644
+--- a/include/grub/net.h
++++ b/include/grub/net.h
+@@ -570,7 +570,7 @@ void
+ grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
+ 
+ grub_err_t
+-grub_net_search_config_file (char *config);
++grub_net_search_config_file (char *config, grub_size_t config_buf_len);
+ 
+ extern char *grub_net_default_server;
+ 
+-- 
+2.25.1
+
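Review bot: in grub_net_search_config_file() the new `suffix_len = config_buf_len - (config_len + 1);` is an unsigned subtraction with no check that `config_buf_len` is larger than `config_len + 1`, and `config[config_len] = '-';` is still written before the buffer length is consulted. If the buffer is already full, `suffix_len` wraps to a very large value and the grub_strlcpy() bound no longer limits anything. Return an error when `config_len + 1 >= config_buf_len` before writing the separator. The caller in grub_cmd_normal() passes a variable named `config_len` as the buffer length; the hunk does not show how it is computed, so please confirm that it is the allocation size and not the string length.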
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch b/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch
new file mode 100644
index 0000000000..f955611d9d
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch
@@ -0,0 +1,380 @@
+From 47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Sat, 23 Mar 2024 16:20:45 +1100
+Subject: [PATCH] fs: Disable many filesystems under lockdown
+
+The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat,
+hfsplus, iso9660, squash4, tar, xfs and zfs.
+
+The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were
+reported by Jonathan Bar Or <jonathanbaror@gmail.com>.
+
+Fixes: CVE-2025-0677
+Fixes: CVE-2025-0684
+Fixes: CVE-2025-0685
+Fixes: CVE-2025-0686
+Fixes: CVE-2025-0689
+
+Suggested-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0677
+CVE: CVE-2025-0684
+CVE: CVE-2025-0685
+CVE: CVE-2025-0686
+CVE: CVE-2025-0689
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=47b2dfc7953f70f98ddf35dfdd6e7f4f20283b10]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/affs.c     | 9 +++++++--
+ grub-core/fs/cbfs.c     | 9 +++++++--
+ grub-core/fs/jfs.c      | 9 +++++++--
+ grub-core/fs/minix.c    | 9 +++++++--
+ grub-core/fs/nilfs2.c   | 9 +++++++--
+ grub-core/fs/ntfs.c     | 9 +++++++--
+ grub-core/fs/reiserfs.c | 9 +++++++--
+ grub-core/fs/romfs.c    | 9 +++++++--
+ grub-core/fs/sfs.c      | 9 +++++++--
+ grub-core/fs/udf.c      | 9 +++++++--
+ grub-core/fs/ufs.c      | 9 +++++++--
+ 11 files changed, 77 insertions(+), 22 deletions(-)
+
+diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
+index cafcd0f..d676532 100644
+--- a/grub-core/fs/affs.c
++++ b/grub-core/fs/affs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -699,11 +700,15 @@ static struct grub_fs grub_affs_fs =
+ 
+ GRUB_MOD_INIT(affs)
+ {
+-  grub_fs_register (&grub_affs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_affs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(affs)
+ {
+-  grub_fs_unregister (&grub_affs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_affs_fs);
+ }
+diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c
+index 581215e..477a14e 100644
+--- a/grub-core/fs/cbfs.c
++++ b/grub-core/fs/cbfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/dl.h>
+ #include <grub/i18n.h>
+ #include <grub/cbfs_core.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -390,12 +391,16 @@ GRUB_MOD_INIT (cbfs)
+ #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
+   init_cbfsdisk ();
+ #endif
+-  grub_fs_register (&grub_cbfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_cbfs_fs);
++    }
+ }
+ 
+ GRUB_MOD_FINI (cbfs)
+ {
+-  grub_fs_unregister (&grub_cbfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_cbfs_fs);
+ #if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
+   fini_cbfsdisk ();
+ #endif
+diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
+index 6f7c439..c0bbab8 100644
+--- a/grub-core/fs/jfs.c
++++ b/grub-core/fs/jfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/charset.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -963,11 +964,15 @@ static struct grub_fs grub_jfs_fs =
+ 
+ GRUB_MOD_INIT(jfs)
+ {
+-  grub_fs_register (&grub_jfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_jfs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(jfs)
+ {
+-  grub_fs_unregister (&grub_jfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_jfs_fs);
+ }
+diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c
+index 3cd18c8..7588835 100644
+--- a/grub-core/fs/minix.c
++++ b/grub-core/fs/minix.c
+@@ -25,6 +25,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -732,7 +733,10 @@ GRUB_MOD_INIT(minix)
+ #endif
+ #endif
+ {
+-  grub_fs_register (&grub_minix_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_minix_fs);
++    }
+   my_mod = mod;
+ }
+ 
+@@ -754,5 +758,6 @@ GRUB_MOD_FINI(minix)
+ #endif
+ #endif
+ {
+-  grub_fs_unregister (&grub_minix_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_minix_fs);
+ }
+diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
+index 3c248a9..3f8e495 100644
+--- a/grub-core/fs/nilfs2.c
++++ b/grub-core/fs/nilfs2.c
+@@ -34,6 +34,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1231,11 +1232,15 @@ GRUB_MOD_INIT (nilfs2)
+ 				  grub_nilfs2_dat_entry));
+   COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE
+ 		       == sizeof (struct grub_nilfs2_inode));
+-  grub_fs_register (&grub_nilfs2_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_nilfs2_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI (nilfs2)
+ {
+-  grub_fs_unregister (&grub_nilfs2_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_nilfs2_fs);
+ }
+diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
+index 8f63c83..713e24d 100644
+--- a/grub-core/fs/ntfs.c
++++ b/grub-core/fs/ntfs.c
+@@ -27,6 +27,7 @@
+ #include <grub/fshelp.h>
+ #include <grub/ntfs.h>
+ #include <grub/charset.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1254,11 +1255,15 @@ static struct grub_fs grub_ntfs_fs =
+ 
+ GRUB_MOD_INIT (ntfs)
+ {
+-  grub_fs_register (&grub_ntfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_ntfs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI (ntfs)
+ {
+-  grub_fs_unregister (&grub_ntfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_ntfs_fs);
+ }
+diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c
+index af6a226..76cb231 100644
+--- a/grub-core/fs/reiserfs.c
++++ b/grub-core/fs/reiserfs.c
+@@ -39,6 +39,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -1417,11 +1418,15 @@ static struct grub_fs grub_reiserfs_fs =
+ 
+ GRUB_MOD_INIT(reiserfs)
+ {
+-  grub_fs_register (&grub_reiserfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_reiserfs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(reiserfs)
+ {
+-  grub_fs_unregister (&grub_reiserfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_reiserfs_fs);
+ }
+diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c
+index d97b8fb..d174449 100644
+--- a/grub-core/fs/romfs.c
++++ b/grub-core/fs/romfs.c
+@@ -23,6 +23,7 @@
+ #include <grub/disk.h>
+ #include <grub/fs.h>
+ #include <grub/fshelp.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -475,10 +476,14 @@ static struct grub_fs grub_romfs_fs =
+ 
+ GRUB_MOD_INIT(romfs)
+ {
+-  grub_fs_register (&grub_romfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_romfs_fs);
++    }
+ }
+ 
+ GRUB_MOD_FINI(romfs)
+ {
+-  grub_fs_unregister (&grub_romfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_romfs_fs);
+ }
+diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
+index 983e880..f64bdd2 100644
+--- a/grub-core/fs/sfs.c
++++ b/grub-core/fs/sfs.c
+@@ -26,6 +26,7 @@
+ #include <grub/types.h>
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
++#include <grub/lockdown.h>
+ #include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+@@ -779,11 +780,15 @@ static struct grub_fs grub_sfs_fs =
+ 
+ GRUB_MOD_INIT(sfs)
+ {
+-  grub_fs_register (&grub_sfs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_sfs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI(sfs)
+ {
+-  grub_fs_unregister (&grub_sfs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_sfs_fs);
+ }
+diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
+index 2ac5c1d..f89c6b0 100644
+--- a/grub-core/fs/udf.c
++++ b/grub-core/fs/udf.c
+@@ -27,6 +27,7 @@
+ #include <grub/fshelp.h>
+ #include <grub/charset.h>
+ #include <grub/datetime.h>
++#include <grub/lockdown.h>
+ #include <grub/udf.h>
+ #include <grub/safemath.h>
+ 
+@@ -1382,11 +1383,15 @@ static struct grub_fs grub_udf_fs = {
+ 
+ GRUB_MOD_INIT (udf)
+ {
+-  grub_fs_register (&grub_udf_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_udf_fs);
++    }
+   my_mod = mod;
+ }
+ 
+ GRUB_MOD_FINI (udf)
+ {
+-  grub_fs_unregister (&grub_udf_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_udf_fs);
+ }
+diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
+index 4727266..90fda07 100644
+--- a/grub-core/fs/ufs.c
++++ b/grub-core/fs/ufs.c
+@@ -25,6 +25,7 @@
+ #include <grub/dl.h>
+ #include <grub/types.h>
+ #include <grub/i18n.h>
++#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -899,7 +900,10 @@ GRUB_MOD_INIT(ufs1)
+ #endif
+ #endif
+ {
+-  grub_fs_register (&grub_ufs_fs);
++  if (!grub_is_lockdown ())
++    {
++      grub_fs_register (&grub_ufs_fs);
++    }
+   my_mod = mod;
+ }
+ 
+@@ -913,6 +917,7 @@ GRUB_MOD_FINI(ufs1)
+ #endif
+ #endif
+ {
+-  grub_fs_unregister (&grub_ufs_fs);
++  if (!grub_is_lockdown ())
++    grub_fs_unregister (&grub_ufs_fs);
+ }
+ 
+-- 
+2.25.1
+
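Review bot: each GRUB_MOD_FINI in this patch calls grub_is_lockdown() again to decide whether to unregister, so it assumes the lockdown state is the same at unload as it was at load. If a module is initialised before lockdown is enabled, its `grub_fs_register ()` runs but the matching `grub_fs_unregister ()` is skipped at unload, which leaves a registered filesystem pointing into an unloaded module. Recording in a static flag whether registration actually happened, and testing that flag in FINI, removes the dependency on ordering. The braces around the single `grub_fs_register ()` statement in INIT are also inconsistent with the unbraced form used in FINI.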
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch
new file mode 100644
index 0000000000..5e06a64969
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0678_CVE-2025-1125.patch
@@ -0,0 +1,90 @@
+From 84bc0a9a68835952ae69165c11709811dae7634e Mon Sep 17 00:00:00 2001
+From: Lidong Chen <lidong.chen@oracle.com>
+Date: Tue, 21 Jan 2025 19:02:37 +0000
+Subject: [PATCH] fs: Prevent overflows when allocating memory for arrays
+
+Use grub_calloc() when allocating memory for arrays to ensure proper
+overflow checks are in place.
+
+The HFS+ and squash4 security vulnerabilities were reported by
+Jonathan Bar Or <jonathanbaror@gmail.com>.
+
+Fixes: CVE-2025-0678
+Fixes: CVE-2025-1125
+
+Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0678
+CVE: CVE-2025-1125
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=84bc0a9a68835952ae69165c11709811dae7634e]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/fs/btrfs.c       | 4 ++--
+ grub-core/fs/hfspluscomp.c | 9 +++++++--
+ grub-core/fs/squash4.c     | 8 ++++----
+ 3 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
+index 6320303..3b8b2f0 100644
+--- a/grub-core/fs/btrfs.c
++++ b/grub-core/fs/btrfs.c
+@@ -1197,8 +1197,8 @@ grub_btrfs_mount (grub_device_t dev)
+     }
+ 
+   data->n_devices_allocated = 16;
+-  data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
+-					* data->n_devices_allocated);
++  data->devices_attached = grub_calloc (data->n_devices_allocated,
++					sizeof (data->devices_attached[0]));
+   if (!data->devices_attached)
+     {
+       grub_free (data);
+diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c
+index d76f3f1..4965ef1 100644
+--- a/grub-core/fs/hfspluscomp.c
++++ b/grub-core/fs/hfspluscomp.c
+@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)
+ 	  return 0;
+ 	}
+       node->compress_index_size = grub_le_to_cpu32 (index_size);
+-      node->compress_index = grub_malloc (node->compress_index_size
+-					  * sizeof (node->compress_index[0]));
++      node->compress_index = grub_calloc (node->compress_index_size,
++					  sizeof (node->compress_index[0]));
+       if (!node->compress_index)
+ 	{
+ 	  node->compressed = 0;
+ 	  grub_free (attr_node);
+ 	  return grub_errno;
+ 	}
++
++      /*
++       * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here
++       * due to relevant checks done in grub_calloc() above.
++       */
+       if (grub_hfsplus_read_file (node, 0, 0,
+ 				  0x104 + sizeof (index_size),
+ 				  node->compress_index_size
+diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
+index 6dd731e..f79fc75 100644
+--- a/grub-core/fs/squash4.c
++++ b/grub-core/fs/squash4.c
+@@ -804,10 +804,10 @@ direct_read (struct grub_squash_data *data,
+ 	  break;
+ 	}
+       total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
+-      ino->block_sizes = grub_malloc (total_blocks
+-				      * sizeof (ino->block_sizes[0]));
+-      ino->cumulated_block_sizes = grub_malloc (total_blocks
+-						* sizeof (ino->cumulated_block_sizes[0]));
++      ino->block_sizes = grub_calloc (total_blocks,
++				      sizeof (ino->block_sizes[0]));
++      ino->cumulated_block_sizes = grub_calloc (total_blocks,
++						sizeof (ino->cumulated_block_sizes[0]));
+       if (!ino->block_sizes || !ino->cumulated_block_sizes)
+ 	{
+ 	  grub_free (ino->block_sizes);
+-- 
+2.25.1
+
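Review bot: in the squash4 direct_read() hunk the multiplication is now checked by grub_calloc(), but the count itself comes from `total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);`, where the addition can still wrap for a large `total_size` and yield a small `total_blocks`. The allocation then succeeds with an undersized array, so the overflow check should cover this addition as well. In hfspluscomp.c the added comment justifies reusing `node->compress_index_size * sizeof (node->compress_index[0])` as the read length; that holds only as long as the grub_calloc() call and the read stay adjacent, so computing the byte count once into a variable would be more robust than repeating the expression.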
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-0690.patch b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
new file mode 100644
index 0000000000..9a2ca50d02
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-0690.patch
@@ -0,0 +1,75 @@
+From dad8f502974ed9ad0a70ae6820d17b4b142558fc Mon Sep 17 00:00:00 2001
+From: Jonathan Bar Or <jonathanbaror@gmail.com>
+Date: Thu, 23 Jan 2025 19:17:05 +0100
+Subject: [PATCH] commands/read: Fix an integer overflow when supplying more
+ than 2^31 characters
+
+The grub_getline() function currently has a signed integer variable "i"
+that can be overflown when user supplies more than 2^31 characters.
+It results in a memory corruption of the allocated line buffer as well
+as supplying large negative values to grub_realloc().
+
+Fixes: CVE-2025-0690
+
+Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-0690
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=dad8f502974ed9ad0a70ae6820d17b4b142558fc]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/read.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
+index fe3e88b..f3ff826 100644
+--- a/grub-core/commands/read.c
++++ b/grub-core/commands/read.c
+@@ -25,19 +25,21 @@
+ #include <grub/types.h>
+ #include <grub/command.h>
+ #include <grub/i18n.h>
++#include <grub/safemath.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+ static char *
+ grub_getline (void)
+ {
+-  int i;
++  grub_size_t i;
+   char *line;
+   char *tmp;
+   char c;
++  grub_size_t alloc_size;
+ 
+   i = 0;
+-  line = grub_malloc (1 + i + sizeof('\0'));
++  line = grub_malloc (1 + sizeof('\0'));
+   if (! line)
+     return NULL;
+ 
+@@ -50,8 +52,17 @@ grub_getline (void)
+       line[i] = c;
+       if (grub_isprint (c))
+ 	grub_printf ("%c", c);
+-      i++;
+-      tmp = grub_realloc (line, 1 + i + sizeof('\0'));
++      if (grub_add (i, 1, &i))
++        {
++          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++          return NULL;
++        }
++      if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
++        {
++          grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
++          return NULL;
++        }
++      tmp = grub_realloc (line, alloc_size);
+       if (! tmp)
+ 	{
+ 	  grub_free (line);
+-- 
+2.25.1
+
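Review bot: both new overflow branches in grub_getline() end with `return NULL;` without freeing `line`, whereas the existing grub_realloc() failure path just below calls `grub_free (line)` first. Add `grub_free (line);` before each of the two new returns so the error paths are consistent and the buffer is not leaked. The two grub_add() calls could also be folded into one check on the final allocation size, since `i` is only incremented by one per character.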
diff --git a/meta/recipes-bsp/grub/files/CVE-2025-1118.patch b/meta/recipes-bsp/grub/files/CVE-2025-1118.patch
new file mode 100644
index 0000000000..e26b5c8752
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2025-1118.patch
@@ -0,0 +1,40 @@
+From 34824806ac6302f91e8cabaa41308eaced25725f Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Thu, 18 Apr 2024 20:29:39 +0100
+Subject: [PATCH] commands/minicmd: Block the dump command in lockdown mode
+
+The dump enables a user to read memory which should not be possible
+in lockdown mode.
+
+Fixes: CVE-2025-1118
+
+Reported-by: B Horn <b@horn.uk>
+Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+CVE: CVE-2025-1118
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=34824806ac6302f91e8cabaa41308eaced25725f]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ grub-core/commands/minicmd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index fa49893..903af33 100644
+--- a/grub-core/commands/minicmd.c
++++ b/grub-core/commands/minicmd.c
+@@ -203,8 +203,8 @@ GRUB_MOD_INIT(minicmd)
+     grub_register_command ("help", grub_mini_cmd_help,
+ 			   0, N_("Show this message."));
+   cmd_dump =
+-    grub_register_command ("dump", grub_mini_cmd_dump,
+-			   N_("ADDR [SIZE]"), N_("Show memory contents."));
++    grub_register_command_lockdown ("dump", grub_mini_cmd_dump,
++				    N_("ADDR [SIZE]"), N_("Show memory contents."));
+   cmd_rmmod =
+     grub_register_command ("rmmod", grub_mini_cmd_rmmod,
+ 			   N_("MODULE"), N_("Remove a module."));
+-- 
+2.25.1
+
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 259a0a4c3d..cb61080aeb 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -51,6 +51,14 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
            file://CVE-2024-45781.patch \
            file://CVE-2024-45782_CVE-2024-56737.patch \
            file://CVE-2024-45783.patch \
+           file://CVE-2025-0622-01.patch \
+           file://CVE-2025-0622-02.patch \
+           file://CVE-2025-0622-03.patch \
+           file://CVE-2025-0624.patch \
+           file://CVE-2025-0677_CVE-2025-0684_CVE-2025-0685_CVE-2025-0686_CVE-2025-0689.patch \
+           file://CVE-2025-0678_CVE-2025-1125.patch \
+           file://CVE-2025-0690.patch \
+           file://CVE-2025-1118.patch \
 "
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
-- 
2.43.0




* [OE-core][kirkstone 5/7] ruby: Fix CVE-2025-27219
  2025-03-14 14:10 [OE-core][kirkstone 0/7] Patch review Steve Sakoman
                   ` (3 preceding siblings ...)
  2025-03-14 14:10 ` [OE-core][kirkstone 4/7] " Steve Sakoman
@ 2025-03-14 14:10 ` Steve Sakoman
  2025-03-14 14:10 ` [OE-core][kirkstone 6/7] mpg123: fix CVE-2024-10573 Steve Sakoman
  2025-03-14 14:10 ` [OE-core][kirkstone 7/7] vim: Upgrade 9.1.1043 -> 9.1.1115 Steve Sakoman
  6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-03-14 14:10 UTC (permalink / raw)
  To: openembedded-core

From: Ashish Sharma <asharma@mvista.com>

Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ruby/ruby/CVE-2025-27219.patch            | 31 +++++++++++++++++++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |  1 +
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
new file mode 100644
index 0000000000..7813a6143c
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27219.patch
@@ -0,0 +1,31 @@
+From 9907b76dad0777ee300de236dad4b559e07596ab Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:01:17 +0900
+Subject: [PATCH] Use String#concat instead of String#+ for reducing cpu usage
+
+Co-authored-by: "Yusuke Endoh" <mame@ruby-lang.org>
+
+Upstream-Status: Backport [https://github.com/ruby/cgi/commit/9907b76dad0777ee300de236dad4b559e07596ab]
+CVE: CVE-2025-27219
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ lib/cgi/cookie.rb | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/lib/cgi/cookie.rb b/lib/cgi/cookie.rb
+index 9498e2f..1c4ef6a 100644
+--- a/lib/cgi/cookie.rb
++++ b/lib/cgi/cookie.rb
+@@ -190,9 +190,10 @@ def self.parse(raw_cookie)
+         values ||= ""
+         values = values.split('&').collect{|v| CGI.unescape(v,@@accept_charset) }
+         if cookies.has_key?(name)
+-          values = cookies[name].value + values
++          cookies[name].concat(values)
++        else
++          cookies[name] = Cookie.new(name, *values)
+         end
+-        cookies[name] = Cookie.new(name, *values)
+       end
+ 
+       cookies
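Review bot: In the `cookies.has_key?(name)` branch, `values` is the Array produced by `split('&').collect`, so `cookies[name].concat(values)` is an in-place append to the existing Cookie, not the String#concat named in the subject. The OE commit message carries only the Upstream-Status line; a sentence there saying that repeated cookie names no longer go through `cookies[name].value + values` followed by a fresh `Cookie.new` on every occurrence would tell reviewers what the CVE fix actually changes. The patch file header also runs from the Signed-off-by line straight into the diffstat with no `---` separator line.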
diff --git a/meta/recipes-devtools/ruby/ruby_3.1.3.bb b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
index ac9dec3514..76e5ac81ed 100644
--- a/meta/recipes-devtools/ruby/ruby_3.1.3.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.1.3.bb
@@ -47,6 +47,7 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
            file://CVE-2024-49761-0009.patch \
            file://CVE-2024-41946.patch \
            file://CVE-2025-27220.patch \
+           file://CVE-2025-27219.patch \
            "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
 
-- 
2.43.0




* [OE-core][kirkstone 6/7] mpg123: fix CVE-2024-10573
  2025-03-14 14:10 [OE-core][kirkstone 0/7] Patch review Steve Sakoman
                   ` (4 preceding siblings ...)
  2025-03-14 14:10 ` [OE-core][kirkstone 5/7] ruby: Fix CVE-2025-27219 Steve Sakoman
@ 2025-03-14 14:10 ` Steve Sakoman
  2025-03-14 14:10 ` [OE-core][kirkstone 7/7] vim: Upgrade 9.1.1043 -> 9.1.1115 Steve Sakoman
  6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-03-14 14:10 UTC (permalink / raw)
  To: openembedded-core

From: Zhang Peng <peng.zhang1.cn@windriver.com>

CVE-2024-10573:
An out-of-bounds write flaw was found in mpg123 when handling crafted streams.
When decoding PCM, the libmpg123 may write past the end of a heap-located buffer.
Consequently, heap corruption may happen, and arbitrary code execution is not
discarded. The complexity required to exploit this flaw is considered high as
the payload must be validated by the MPEG decoder and the PCM synth before execution.
Additionally, to successfully execute the attack, the user must scan through the
stream, making web live stream content (such as web radios) a very unlikely attack vector.

Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-10573]

Upstream patches: [svn://scm.orgis.org/mpg123/branches/1.31-fixes@5442]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../mpg123/mpg123/CVE-2024-10573.patch        | 978 ++++++++++++++++++
 .../mpg123/mpg123_1.29.3.bb                   |   4 +-
 2 files changed, 981 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-multimedia/mpg123/mpg123/CVE-2024-10573.patch

diff --git a/meta/recipes-multimedia/mpg123/mpg123/CVE-2024-10573.patch b/meta/recipes-multimedia/mpg123/mpg123/CVE-2024-10573.patch
new file mode 100644
index 0000000000..ef7b84027d
--- /dev/null
+++ b/meta/recipes-multimedia/mpg123/mpg123/CVE-2024-10573.patch
@@ -0,0 +1,978 @@
+From 89d1e6cfbfa5f34a4ba706cad1034e6ad7373726 Mon Sep 17 00:00:00 2001
+From: thor <thor@35dc7657-300d-0410-a2e5-dc2837fedb53>
+Date: Sat, 26 Oct 2024 16:23:36 +0000
+Subject: [PATCH] backport Frankenstein's Monster fix
+
+git-svn-id: svn://scm.orgis.org/mpg123/branches/1.31-fixes@5442 35dc7657-300d-0410-a2e5-dc2837fedb53
+
+CVE: CVE-2024-10573
+Upstream-Status: Backport [svn://scm.orgis.org/mpg123/branches/1.31-fixes@5442]
+
+The original patch is adjusted to fit for the current version.
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ src/libmpg123/frame.c     |  15 +--
+ src/libmpg123/frame.h     |  46 +++++---
+ src/libmpg123/layer1.c    |   2 +-
+ src/libmpg123/layer2.c    |   6 +-
+ src/libmpg123/layer3.c    |  42 +++----
+ src/libmpg123/libmpg123.c |  22 ++--
+ src/libmpg123/parse.c     | 241 ++++++++++++++++++++++----------------
+ 7 files changed, 211 insertions(+), 163 deletions(-)
+
+diff --git a/src/libmpg123/frame.c b/src/libmpg123/frame.c
+index b14908f2..20d56931 100644
+--- a/src/libmpg123/frame.c
++++ b/src/libmpg123/frame.c
+@@ -515,6 +515,7 @@ static void frame_fixed_reset(mpg123_handle *fr)
+ {
+ 	frame_icy_reset(fr);
+ 	open_bad(fr);
++	memset(&(fr->hdr), 0, sizeof(fr->hdr));
+ 	fr->to_decode = FALSE;
+ 	fr->to_ignore = FALSE;
+ 	fr->metaflags = 0;
+@@ -528,15 +529,12 @@ static void frame_fixed_reset(mpg123_handle *fr)
+ 	fr->clip = 0;
+ 	fr->oldhead = 0;
+ 	fr->firsthead = 0;
+-	fr->lay = 0;
+ 	fr->vbr = MPG123_CBR;
+ 	fr->abr_rate = 0;
+ 	fr->track_frames = 0;
+ 	fr->track_samples = -1;
+-	fr->framesize=0; 
+ 	fr->mean_frames = 0;
+ 	fr->mean_framesize = 0;
+-	fr->freesize = 0;
+ 	fr->lastscale = -1;
+ 	fr->rva.level[0] = -1;
+ 	fr->rva.level[1] = -1;
+@@ -571,8 +569,7 @@ static void frame_fixed_reset(mpg123_handle *fr)
+ 	fr->icy.next = 0;
+ #endif
+ 	fr->halfphase = 0; /* here or indeed only on first-time init? */
+-	fr->error_protection = 0;
+-	fr->freeformat_framesize = fr->p.freeformat_framesize;
++	fr->hdr.freeformat_framesize = fr->p.freeformat_framesize;
+ 	fr->enc_delay = -1;
+ 	fr->enc_padding = -1;
+ 	memset(fr->id3buf, 0, sizeof(fr->id3buf));
+@@ -637,7 +634,7 @@ int attribute_align_arg mpg123_framedata(mpg123_handle *mh, unsigned long *heade
+ 
+ 	if(header    != NULL) *header    = mh->oldhead;
+ 	if(bodydata  != NULL) *bodydata  = mh->bsbuf;
+-	if(bodybytes != NULL) *bodybytes = mh->framesize;
++	if(bodybytes != NULL) *bodybytes = mh->hdr.framesize;
+ 
+ 	return MPG123_OK;
+ }
+@@ -906,9 +903,9 @@ static off_t ignoreframe(mpg123_handle *fr)
+ {
+ 	off_t preshift = fr->p.preframes;
+ 	/* Layer 3 _really_ needs at least one frame before. */
+-	if(fr->lay==3 && preshift < 1) preshift = 1;
++	if(fr->hdr.lay==3 && preshift < 1) preshift = 1;
+ 	/* Layer 1 & 2 reall do not need more than 2. */
+-	if(fr->lay!=3 && preshift > 2) preshift = 2;
++	if(fr->hdr.lay!=3 && preshift > 2) preshift = 2;
+ 
+ 	return fr->firstframe - preshift;
+ }
+@@ -953,7 +950,7 @@ void frame_set_frameseek(mpg123_handle *fr, off_t fe)
+ void frame_skip(mpg123_handle *fr)
+ {
+ #ifndef NO_LAYER3
+-	if(fr->lay == 3) set_pointer(fr, 1, 512);
++	if(fr->hdr.lay == 3) set_pointer(fr, 1, 512);
+ #endif
+ }
+ 
+diff --git a/src/libmpg123/frame.h b/src/libmpg123/frame.h
+index e34ea16f..fcdae8a8 100644
+--- a/src/libmpg123/frame.h
++++ b/src/libmpg123/frame.h
+@@ -96,6 +96,33 @@ enum frame_state_flags
+ 	,FRAME_DECODER_LIVE  = 0x8  /**<     1000 Decoder can be used. */
+ };
+ 
++// separate frame header structure for safe decoding of headers without
++// modifying the main frame struct before we are sure that we can read a
++// frame into it
++struct frame_header
++{
++	int lay;
++	// lots of flags that could share storage, should reform that
++	int lsf; /* 0: MPEG 1.0; 1: MPEG 2.0/2.5 -- both used as bool and array index! */
++	int mpeg25;
++	int error_protection;
++	int bitrate_index;
++	int sampling_frequency;
++	int padding;
++	int extension;
++	int mode;
++	int mode_ext;
++	int copyright;
++	int original;
++	int emphasis;
++	// Even 16 bit int is enough for MAXFRAMESIZE
++	int framesize; /* computed framesize */
++	int freeformat;
++	int freeformat_framesize;
++	// Derived from header and checked against the above.
++	int ssize;
++};
++
+ /* There is a lot to condense here... many ints can be merged as flags; though the main space is still consumed by buffers. */
+ struct mpg123_handle_struct
+ {
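Review bot: `freeformat_framesize` is declared as `int` in the new `struct frame_header`, while the handle field this patch removes further down was `long freeformat_framesize`, and frame.c still assigns it from `fr->p.freeformat_framesize`. If that parameter is still a `long`, the assignment now narrows silently; either range-check the value against MAXFRAMESIZE where it is copied, or extend the struct comment to state that it is already bounded before it gets here.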
+@@ -199,26 +226,12 @@ struct mpg123_handle_struct
+ 	int single;
+ 	int II_sblimit;
+ 	int down_sample_sblimit;
+-	int lsf; /* 0: MPEG 1.0; 1: MPEG 2.0/2.5 -- both used as bool and array index! */
+ 	/* Many flags in disguise as integers... wasting bytes. */
+-	int mpeg25;
+ 	int down_sample;
+ 	int header_change;
+-	int lay;
++	struct frame_header hdr;
+ 	long spf; /* cached count of samples per frame */
+ 	int (*do_layer)(mpg123_handle *);
+-	int error_protection;
+-	int bitrate_index;
+-	int sampling_frequency;
+-	int padding;
+-	int extension;
+-	int mode;
+-	int mode_ext;
+-	int copyright;
+-	int original;
+-	int emphasis;
+-	int framesize; /* computed framesize */
+-	int freesize;  /* free format frame size */
+ 	enum mpg123_vbr vbr; /* 1 if variable bitrate was detected */
+ 	off_t num; /* frame offset ... */
+ 	off_t input_offset; /* byte offset of this frame in input stream */
+@@ -227,8 +240,6 @@ struct mpg123_handle_struct
+ 	int state_flags;
+ 	char silent_resync; /* Do not complain for the next n resyncs. */
+ 	unsigned char* xing_toc; /* The seek TOC from Xing header. */
+-	int freeformat;
+-	long freeformat_framesize;
+ 
+ 	/* bitstream info; bsi */
+ 	int bitindex;
+@@ -255,7 +266,6 @@ struct mpg123_handle_struct
+ 	double mean_framesize;
+ 	off_t mean_frames;
+ 	int fsizeold;
+-	int ssize;
+ 	unsigned int bitreservoir;
+ 	unsigned char bsspace[2][MAXFRAMESIZE+512+4]; /* MAXFRAMESIZE */
+ 	unsigned char *bsbuf;
+diff --git a/src/libmpg123/layer1.c b/src/libmpg123/layer1.c
+index c5bfc75d..048611e1 100644
+--- a/src/libmpg123/layer1.c
++++ b/src/libmpg123/layer1.c
+@@ -217,7 +217,7 @@ int do_layer1(mpg123_handle *fr)
+ 	real (*fraction)[SBLIMIT] = fr->layer1.fraction; /* fraction[2][SBLIMIT] */
+ 	int single = fr->single;
+ 
+-	fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ? (fr->mode_ext<<2)+4 : 32;
++	fr->jsbound = (fr->hdr.mode == MPG_MD_JOINT_STEREO) ? (fr->hdr.mode_ext<<2)+4 : 32;
+ 
+ 	if(stereo == 1 || single == SINGLE_MIX) /* I don't see mixing handled here */
+ 	single = SINGLE_LEFT;
+diff --git a/src/libmpg123/layer2.c b/src/libmpg123/layer2.c
+index 0f2071b5..910f0bf9 100644
+--- a/src/libmpg123/layer2.c
++++ b/src/libmpg123/layer2.c
+@@ -313,10 +313,10 @@ static void II_select_table(mpg123_handle *fr)
+ 	const struct al_table *tables[5] = { alloc_0, alloc_1, alloc_2, alloc_3 , alloc_4 };
+ 	const int sblims[5] = { 27 , 30 , 8, 12 , 30 };
+ 
+-	if(fr->sampling_frequency >= 3)	/* Or equivalent: (fr->lsf == 1) */
++	if(fr->hdr.sampling_frequency >= 3)	/* Or equivalent: (fr->lsf == 1) */
+ 	table = 4;
+ 	else
+-	table = translate[fr->sampling_frequency][2-fr->stereo][fr->bitrate_index];
++	table = translate[fr->hdr.sampling_frequency][2-fr->stereo][fr->hdr.bitrate_index];
+ 
+ 	sblim = sblims[table];
+ 	fr->alloc      = tables[table];
+@@ -337,7 +337,7 @@ int do_layer2(mpg123_handle *fr)
+ 	int single = fr->single;
+ 
+ 	II_select_table(fr);
+-	fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ? (fr->mode_ext<<2)+4 : fr->II_sblimit;
++	fr->jsbound = (fr->hdr.mode == MPG_MD_JOINT_STEREO) ? (fr->hdr.mode_ext<<2)+4 : fr->II_sblimit;
+ 
+ 	if(fr->jsbound > fr->II_sblimit)
+ 	{
+diff --git a/src/libmpg123/layer3.c b/src/libmpg123/layer3.c
+index a25ef098..83912503 100644
+--- a/src/libmpg123/layer3.c
++++ b/src/libmpg123/layer3.c
+@@ -127,16 +127,16 @@ static int III_get_side_info(mpg123_handle *fr, struct III_sideinfo *si,int ster
+ 	int powdiff = (single == SINGLE_MIX) ? 4 : 0;
+ 
+ 	const int tabs[2][5] = { { 2,9,5,3,4 } , { 1,8,1,2,9 } };
+-	const int *tab = tabs[fr->lsf];
++	const int *tab = tabs[fr->hdr.lsf];
+ 
+ 	{ /* First ensure we got enough bits available. */
+ 		unsigned int needbits = 0;
+ 		needbits += tab[1]; /* main_data_begin */
+ 		needbits += stereo == 1 ? tab[2] : tab[3]; /* private */
+-		if(!fr->lsf)
++		if(!fr->hdr.lsf)
+ 			needbits += stereo*4; /* scfsi */
+ 		/* For each granule for each channel ... */
+-		needbits += tab[0]*stereo*(29+tab[4]+1+22+(!fr->lsf?1:0)+2);
++		needbits += tab[0]*stereo*(29+tab[4]+1+22+(!fr->hdr.lsf?1:0)+2);
+ 		if(fr->bits_avail < needbits) \
+ 		{
+ 			if(NOQUIET)
+@@ -154,7 +154,7 @@ static int III_get_side_info(mpg123_handle *fr, struct III_sideinfo *si,int ster
+ 
+ 		/*  overwrite main_data_begin for the really available bit reservoir */
+ 		backbits(fr, tab[1]);
+-		if(fr->lsf == 0)
++		if(fr->hdr.lsf == 0)
+ 		{
+ 			fr->wordpointer[0] = (unsigned char) (fr->bitreservoir >> 1);
+ 			fr->wordpointer[1] = (unsigned char) ((fr->bitreservoir & 1) << 7);
+@@ -163,7 +163,7 @@ static int III_get_side_info(mpg123_handle *fr, struct III_sideinfo *si,int ster
+ 
+ 		/* zero "side-info" data for a silence-frame
+ 		without touching audio data used as bit reservoir for following frame */
+-		memset(fr->wordpointer+2, 0, fr->ssize-2);
++		memset(fr->wordpointer+2, 0, fr->hdr.ssize-2);
+ 
+ 		/* reread the new bit reservoir offset */
+ 		si->main_data_begin = getbits(fr, tab[1]);
+@@ -171,11 +171,11 @@ static int III_get_side_info(mpg123_handle *fr, struct III_sideinfo *si,int ster
+ 
+ 	/* Keep track of the available data bytes for the bit reservoir.
+ 	   CRC is included in ssize already. */
+-	fr->bitreservoir = fr->bitreservoir + fr->framesize - fr->ssize;
++	fr->bitreservoir = fr->bitreservoir + fr->hdr.framesize - fr->hdr.ssize;
+ 
+ 	/* Limit the reservoir to the max for MPEG 1.0 or 2.x . */
+-	if(fr->bitreservoir > (unsigned int) (fr->lsf == 0 ? 511 : 255))
+-	fr->bitreservoir = (fr->lsf == 0 ? 511 : 255);
++	if(fr->bitreservoir > (unsigned int) (fr->hdr.lsf == 0 ? 511 : 255))
++	fr->bitreservoir = (fr->hdr.lsf == 0 ? 511 : 255);
+ 
+ 	/* Now back into less commented territory. It's code. It works. */
+ 
+@@ -184,7 +184,7 @@ static int III_get_side_info(mpg123_handle *fr, struct III_sideinfo *si,int ster
+ 	else 
+ 	si->private_bits = getbits(fr, tab[3]);
+ 
+-	if(!fr->lsf) for(ch=0; ch<stereo; ch++)
++	if(!fr->hdr.lsf) for(ch=0; ch<stereo; ch++)
+ 	{
+ 		si->ch[ch].gr[0].scfsi = -1;
+ 		si->ch[ch].gr[1].scfsi = getbits(fr, 4);
+@@ -249,14 +249,14 @@ static int III_get_side_info(mpg123_handle *fr, struct III_sideinfo *si,int ster
+ 			}
+ 
+ 			/* region_count/start parameters are implicit in this case. */       
+-			if( (!fr->lsf || (gr_info->block_type == 2)) && !fr->mpeg25)
++			if( (!fr->hdr.lsf || (gr_info->block_type == 2)) && !fr->hdr.mpeg25)
+ 			{
+ 				gr_info->region1start = 36>>1;
+ 				gr_info->region2start = 576>>1;
+ 			}
+ 			else
+ 			{
+-				if(fr->mpeg25)
++				if(fr->hdr.mpeg25)
+ 				{ 
+ 					int r0c,r1c;
+ 					if((gr_info->block_type == 2) && (!gr_info->mixed_block_flag) ) r0c = 5;
+@@ -291,7 +291,7 @@ static int III_get_side_info(mpg123_handle *fr, struct III_sideinfo *si,int ster
+ 			gr_info->block_type = 0;
+ 			gr_info->mixed_block_flag = 0;
+ 		}
+-		if(!fr->lsf) gr_info->preflag = get1bit(fr);
++		if(!fr->hdr.lsf) gr_info->preflag = get1bit(fr);
+ 
+ 		gr_info->scalefac_scale = get1bit(fr);
+ 		gr_info->count1table_select = get1bit(fr);
+@@ -1717,7 +1717,7 @@ int do_layer3(mpg123_handle *fr)
+ 	int stereo = fr->stereo;
+ 	int single = fr->single;
+ 	int ms_stereo,i_stereo;
+-	int sfreq = fr->sampling_frequency;
++	int sfreq = fr->hdr.sampling_frequency;
+ 	int stereo1,granules;
+ 
+ 	if(stereo == 1)
+@@ -1730,14 +1730,14 @@ int do_layer3(mpg123_handle *fr)
+ 	else
+ 	stereo1 = 2;
+ 
+-	if(fr->mode == MPG_MD_JOINT_STEREO)
++	if(fr->hdr.mode == MPG_MD_JOINT_STEREO)
+ 	{
+-		ms_stereo = (fr->mode_ext & 0x2)>>1;
+-		i_stereo  = fr->mode_ext & 0x1;
++		ms_stereo = (fr->hdr.mode_ext & 0x2)>>1;
++		i_stereo  = fr->hdr.mode_ext & 0x1;
+ 	}
+ 	else ms_stereo = i_stereo = 0;
+ 
+-	granules = fr->lsf ? 1 : 2;
++	granules = fr->hdr.lsf ? 1 : 2;
+ 
+ 	/* quick hack to keep the music playing */
+ 	/* after having seen this nasty test file... */
+@@ -1752,7 +1752,7 @@ int do_layer3(mpg123_handle *fr)
+ 	if(fr->pinfo)
+ 	{
+ 		fr->pinfo->maindata = sideinfo.main_data_begin;
+-		fr->pinfo->padding  = fr->padding;
++		fr->pinfo->padding  = fr->hdr.padding;
+ 	}
+ #endif
+ 	for(gr=0;gr<granules;gr++)
+@@ -1773,7 +1773,7 @@ int do_layer3(mpg123_handle *fr)
+ 					,	gr_info->part2_3_length, fr->bits_avail );
+ 				return clip;
+ 			}
+-			if(fr->lsf)
++			if(fr->hdr.lsf)
+ 			part2bits = III_get_scale_factors_2(fr, scalefacs[0],gr_info,0);
+ 			else
+ 			part2bits = III_get_scale_factors_1(fr, scalefacs[0],gr_info,0,gr);
+@@ -1813,7 +1813,7 @@ int do_layer3(mpg123_handle *fr)
+ 		{
+ 			struct gr_info_s *gr_info = &(sideinfo.ch[1].gr[gr]);
+ 			long part2bits;
+-			if(fr->lsf) 
++			if(fr->hdr.lsf) 
+ 			part2bits = III_get_scale_factors_2(fr, scalefacs[1],gr_info,i_stereo);
+ 			else
+ 			part2bits = III_get_scale_factors_1(fr, scalefacs[1],gr_info,1,gr);
+@@ -1863,7 +1863,7 @@ int do_layer3(mpg123_handle *fr)
+ 				}
+ 			}
+ 
+-			if(i_stereo) III_i_stereo(hybridIn,scalefacs[1],gr_info,sfreq,ms_stereo,fr->lsf);
++			if(i_stereo) III_i_stereo(hybridIn,scalefacs[1],gr_info,sfreq,ms_stereo,fr->hdr.lsf);
+ 
+ 			if(ms_stereo || i_stereo || (single == SINGLE_MIX) )
+ 			{
+diff --git a/src/libmpg123/libmpg123.c b/src/libmpg123/libmpg123.c
+index f175a5c9..8ad068b1 100644
+--- a/src/libmpg123/libmpg123.c
++++ b/src/libmpg123/libmpg123.c
+@@ -434,7 +434,7 @@ int attribute_align_arg mpg123_getstate(mpg123_handle *mh, enum mpg123_state key
+ 			theval = mh->enc_padding;
+ 		break;
+ 		case MPG123_DEC_DELAY:
+-			theval = mh->lay == 3 ? GAPLESS_DELAY : -1;
++			theval = mh->hdr.lay == 3 ? GAPLESS_DELAY : -1;
+ 		break;
+ 		default:
+ 			mh->err = MPG123_BAD_KEY;
+@@ -1154,10 +1154,10 @@ static int init_track(mpg123_handle *mh)
+ 	b = init_track(mh); \
+ 	if(b < 0) return b; \
+  \
+-	mi->version = mh->mpeg25 ? MPG123_2_5 : (mh->lsf ? MPG123_2_0 : MPG123_1_0); \
+-	mi->layer = mh->lay; \
++	mi->version = mh->hdr.mpeg25 ? MPG123_2_5 : (mh->hdr.lsf ? MPG123_2_0 : MPG123_1_0); \
++	mi->layer = mh->hdr.lay; \
+ 	mi->rate = frame_freq(mh); \
+-	switch(mh->mode) \
++	switch(mh->hdr.mode) \
+ 	{ \
+ 		case 0: mi->mode = MPG123_M_STEREO; break; \
+ 		case 1: mi->mode = MPG123_M_JOINT;  break; \
+@@ -1165,14 +1165,14 @@ static int init_track(mpg123_handle *mh)
+ 		case 3: mi->mode = MPG123_M_MONO;   break; \
+ 		default: mi->mode = 0; /* Nothing good to do here. */ \
+ 	} \
+-	mi->mode_ext = mh->mode_ext; \
+-	mi->framesize = mh->framesize+4; /* Include header. */ \
++	mi->mode_ext = mh->hdr.mode_ext; \
++	mi->framesize = mh->hdr.framesize+4; /* Include header. */ \
+ 	mi->flags = 0; \
+-	if(mh->error_protection) mi->flags |= MPG123_CRC; \
+-	if(mh->copyright)        mi->flags |= MPG123_COPYRIGHT; \
+-	if(mh->extension)        mi->flags |= MPG123_PRIVATE; \
+-	if(mh->original)         mi->flags |= MPG123_ORIGINAL; \
+-	mi->emphasis = mh->emphasis; \
++	if(mh->hdr.error_protection) mi->flags |= MPG123_CRC; \
++	if(mh->hdr.copyright)        mi->flags |= MPG123_COPYRIGHT; \
++	if(mh->hdr.extension)        mi->flags |= MPG123_PRIVATE; \
++	if(mh->hdr.original)         mi->flags |= MPG123_ORIGINAL; \
++	mi->emphasis = mh->hdr.emphasis; \
+ 	mi->bitrate  = frame_bitrate(mh); \
+ 	mi->abr_rate = mh->abr_rate; \
+ 	mi->vbr = mh->vbr; \
+diff --git a/src/libmpg123/parse.c b/src/libmpg123/parse.c
+index c2efd3dc..a026d6fb 100644
+--- a/src/libmpg123/parse.c
++++ b/src/libmpg123/parse.c
+@@ -63,9 +63,10 @@ static const int tabsel_123[2][3][16] =
+ 
+ static const long freqs[9] = { 44100, 48000, 32000, 22050, 24000, 16000 , 11025 , 12000 , 8000 };
+ 
+-static int decode_header(mpg123_handle *fr,unsigned long newhead, int *freeformat_count);
+-static int skip_junk(mpg123_handle *fr, unsigned long *newheadp, long *headcount);
+-static int do_readahead(mpg123_handle *fr, unsigned long newhead);
++static int decode_header(mpg123_handle *fr, struct frame_header *hdr, unsigned long newhead, int *freeformat_count);
++static void apply_header(mpg123_handle *fr, struct frame_header *hdr);
++static int skip_junk(mpg123_handle *fr, unsigned long *newheadp, long *headcount, struct frame_header *nhdr);
++static int do_readahead(mpg123_handle *fr, struct frame_header *nhdr, unsigned long newhead);
+ static int wetwork(mpg123_handle *fr, unsigned long *newheadp);
+ 
+ /* These two are to be replaced by one function that gives all the frame parameters (for outsiders).*/
+@@ -73,12 +74,12 @@ static int wetwork(mpg123_handle *fr, unsigned long *newheadp);
+ 
+ int frame_bitrate(mpg123_handle *fr)
+ {
+-	return tabsel_123[fr->lsf][fr->lay-1][fr->bitrate_index];
++	return tabsel_123[fr->hdr.lsf][fr->hdr.lay-1][fr->hdr.bitrate_index];
+ }
+ 
+ long frame_freq(mpg123_handle *fr)
+ {
+-	return freqs[fr->sampling_frequency];
++	return freqs[fr->hdr.sampling_frequency];
+ }
+ 
+ /* compiler is smart enought to inline this one or should I really do it as macro...? */
+@@ -141,8 +142,8 @@ static int check_lame_tag(mpg123_handle *fr)
+ 		Mono                                17       9
+ 	*/
+ 	int lame_offset = (fr->stereo == 2)
+-	? (fr->lsf ? 17 : 32)
+-	: (fr->lsf ? 9  : 17);
++	? (fr->hdr.lsf ? 17 : 32)
++	: (fr->hdr.lsf ? 9  : 17);
+ 
+ 	if(fr->p.flags & MPG123_IGNORE_INFOFRAME) goto check_lame_tag_no;
+ 
+@@ -154,7 +155,7 @@ static int check_lame_tag(mpg123_handle *fr)
+ 		for the actual data, have to check if each byte of information is present.
+ 		But: 4 B Info/Xing + 4 B flags is bare minimum.
+ 	*/
+-	if(fr->framesize < lame_offset+8) goto check_lame_tag_no;
++	if(fr->hdr.framesize < lame_offset+8) goto check_lame_tag_no;
+ 
+ 	/* only search for tag when all zero before it (apart from checksum) */
+ 	for(i=2; i < lame_offset; ++i) if(fr->bsbuf[i] != 0) goto check_lame_tag_no;
+@@ -190,7 +191,7 @@ static int check_lame_tag(mpg123_handle *fr)
+ 
+ 	/* From now on, I have to carefully check if the announced data is actually
+ 	   there! I'm always returning 'yes', though.  */
+-	#define check_bytes_left(n) if(fr->framesize < lame_offset+n) \
++	#define check_bytes_left(n) if(fr->hdr.framesize < lame_offset+n) \
+ 		goto check_lame_tag_yes
+ 	if(xing_flags & 1) /* total bitstream frames */
+ 	{
+@@ -443,10 +444,10 @@ static int head_compatible(unsigned long fred, unsigned long bret)
+ static void halfspeed_prepare(mpg123_handle *fr)
+ {
+ 	/* save for repetition */
+-	if(fr->p.halfspeed && fr->lay == 3)
++	if(fr->p.halfspeed && fr->hdr.lay == 3)
+ 	{
+ 		debug("halfspeed - reusing old bsbuf ");
+-		memcpy (fr->ssave, fr->bsbuf, fr->ssize);
++		memcpy (fr->ssave, fr->bsbuf, fr->hdr.ssize);
+ 	}
+ }
+ 
+@@ -462,8 +463,8 @@ static int halfspeed_do(mpg123_handle *fr)
+ 			fr->to_decode = fr->to_ignore = TRUE;
+ 			--fr->halfphase;
+ 			set_pointer(fr, 0, 0);
+-			if(fr->lay == 3) memcpy (fr->bsbuf, fr->ssave, fr->ssize);
+-			if(fr->error_protection) fr->crc = getbits(fr, 16); /* skip crc */
++			if(fr->hdr.lay == 3) memcpy (fr->bsbuf, fr->ssave, fr->hdr.ssize);
++			if(fr->hdr.error_protection) fr->crc = getbits(fr, 16); /* skip crc */
+ 			return 1;
+ 		}
+ 		else
+@@ -496,10 +497,11 @@ int read_frame(mpg123_handle *fr)
+ 	/* TODO: rework this thing */
+ 	int freeformat_count = 0;
+ 	unsigned long newhead;
++	/* Start with current frame header state as copy for roll-back ability. */
++	struct frame_header nhdr = fr->hdr;
+ 	off_t framepos;
+ 	int ret;
+ 	/* stuff that needs resetting if complete frame reading fails */
+-	int oldsize  = fr->framesize;
+ 	int oldphase = fr->halfphase;
+ 
+ 	/* The counter for the search-first-header loop.
+@@ -507,11 +509,12 @@ int read_frame(mpg123_handle *fr)
+ 	   when repeatedly headers are found that do not have valid followup headers. */
+ 	long headcount = 0;
+ 
+-	fr->fsizeold=fr->framesize;       /* for Layer3 */
++	fr->fsizeold=fr->hdr.framesize;       /* for Layer3 */
+ 
+ 	if(halfspeed_do(fr) == 1) return 1;
+ 
+ 	/* From now on, old frame data is tainted by parsing attempts. */
++	// Handling premature effects of decode_header now, more decoupling would be welcome.
+ 	fr->to_decode = fr->to_ignore = FALSE;
+ 
+ 	if( fr->p.flags & MPG123_NO_FRANKENSTEIN &&
+@@ -540,13 +543,13 @@ init_resync:
+ #ifdef SKIP_JUNK
+ 	if(!fr->firsthead && !head_check(newhead))
+ 	{
+-		ret = skip_junk(fr, &newhead, &headcount);
++		ret = skip_junk(fr, &newhead, &headcount, &nhdr);
+ 		JUMP_CONCLUSION(ret);
+ 	}
+ #endif
+ 
+ 	ret = head_check(newhead);
+-	if(ret) ret = decode_header(fr, newhead, &freeformat_count);
++	if(ret) ret = decode_header(fr, &nhdr, newhead, &freeformat_count);
+ 
+ 	JUMP_CONCLUSION(ret); /* That only continues for ret == PARSE_BAD or PARSE_GOOD. */
+ 	if(ret == PARSE_BAD)
+@@ -561,7 +564,7 @@ init_resync:
+ 	{
+ 		ret = fr->p.flags & MPG123_NO_READAHEAD
+ 		?	PARSE_GOOD
+-		:	do_readahead(fr, newhead);
++		:	do_readahead(fr, &nhdr, newhead);
+ 		/* readahead can fail mit NEED_MORE, in which case we must also make the just read header available again for next go */
+ 		if(ret < 0) fr->rd->back_bytes(fr, 4);
+ 		JUMP_CONCLUSION(ret);
+@@ -585,8 +588,8 @@ init_resync:
+ 	{
+ 		unsigned char *newbuf = fr->bsspace[fr->bsnum]+512;
+ 		/* read main data into memory */
+-		debug2("read frame body of %i at %"OFF_P, fr->framesize, framepos+4);
+-		if((ret=fr->rd->read_frame_body(fr,newbuf,fr->framesize))<0)
++		debug2("read frame body of %i at %"PRIi64, nhdr.framesize, framepos+4);
++		if((ret=fr->rd->read_frame_body(fr,newbuf,nhdr.framesize))<0)
+ 		{
+ 			/* if failed: flip back */
+ 			debug1("%s", ret == MPG123_NEED_MORE ? "need more" : "read error");
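Review bot: The new `debug2` line swaps the `OFF_P` format macro for `PRIi64` while still passing `framepos+4`, an `off_t`, without a cast, whereas the `debug4` call later in `read_frame` keeps `OFF_P` with `(off_p)` casts. For this older tree it would be safer to keep `OFF_P` as in the removed line, or to cast the argument to `int64_t`, because `PRIi64` with an `off_t` argument is a format mismatch wherever `off_t` is not 64 bits wide. It is also worth confirming that `<inttypes.h>` is already pulled in, since no parse.c hunk shown here adds it.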
+@@ -597,6 +600,10 @@ init_resync:
+ 	}
+ 	fr->bsnum = (fr->bsnum + 1) & 1;
+ 
++	// We read the frame body, time to apply the matching header.
++	// Even if erroring out later, the header state needs to match the body.
++	apply_header(fr, &nhdr);
++
+ 	if(!fr->firsthead)
+ 	{
+ 		fr->firsthead = newhead; /* _now_ it's time to store it... the first real header */
+@@ -608,7 +615,7 @@ init_resync:
+ 			fr->audio_start = framepos;
+ 			/* Only check for LAME  tag at beginning of whole stream
+ 			   ... when there indeed is one in between, it's the user's problem. */
+-			if(fr->lay == 3 && check_lame_tag(fr) == 1)
++			if(fr->hdr.lay == 3 && check_lame_tag(fr) == 1)
+ 			{ /* ...in practice, Xing/LAME tags are layer 3 only. */
+ 				if(fr->rd->forget != NULL) fr->rd->forget(fr);
+ 
+@@ -624,6 +631,8 @@ init_resync:
+ 
+ 	set_pointer(fr, 0, 0);
+ 
++	// No use of nhdr from here on. It is fr->hdr now!
++
+ 	/* Question: How bad does the floating point value get with repeated recomputation?
+ 	   Also, considering that we can play the file or parts of many times. */
+ 	if(++fr->mean_frames != 0)
+@@ -632,7 +641,7 @@ init_resync:
+ 	}
+ 	++fr->num; /* 0 for first frame! */
+ 	debug4("Frame %"OFF_P" %08lx %i, next filepos=%"OFF_P, 
+-	(off_p)fr->num, newhead, fr->framesize, (off_p)fr->rd->tell(fr));
++	(off_p)fr->num, newhead, fr->hdr.framesize, (off_p)fr->rd->tell(fr));
+ 	if(!(fr->state_flags & FRAME_FRANKENSTEIN) && (
+ 		(fr->track_frames > 0 && fr->num >= fr->track_frames)
+ #ifdef GAPLESS
+@@ -664,7 +673,7 @@ init_resync:
+ 	if(fr->rd->forget != NULL) fr->rd->forget(fr);
+ 
+ 	fr->to_decode = fr->to_ignore = TRUE;
+-	if(fr->error_protection) fr->crc = getbits(fr, 16); /* skip crc */
++	if(fr->hdr.error_protection) fr->crc = getbits(fr, 16); /* skip crc */
+ 
+ 	/*
+ 		Let's check for header change after deciding that the new one is good
+@@ -711,7 +720,6 @@ read_frame_bad:
+ 
+ 	fr->silent_resync = 0;
+ 	if(fr->err == MPG123_OK) fr->err = MPG123_ERR_READER;
+-	fr->framesize = oldsize;
+ 	fr->halfphase = oldphase;
+ 	/* That return code might be inherited from some feeder action, or reader error. */
+ 	return ret;
+@@ -725,9 +733,9 @@ read_frame_bad:
+  * <0: error codes, possibly from feeder buffer (NEED_MORE)
+  *  PARSE_BAD: cannot get the framesize for some reason and shall silentry try the next possible header (if this is no free format stream after all...)
+  */
+-static int guess_freeformat_framesize(mpg123_handle *fr, unsigned long oldhead)
++static int guess_freeformat_framesize(mpg123_handle *fr, unsigned long oldhead, int *framesize)
+ {
+-	long i;
++	int i;
+ 	int ret;
+ 	unsigned long head;
+ 	if(!(fr->rdat.flags & (READER_SEEKABLE|READER_BUFFERED)))
+@@ -748,7 +756,7 @@ static int guess_freeformat_framesize(mpg123_handle *fr, unsigned long oldhead)
+ 		if((head & HDR_SAMEMASK) == (oldhead & HDR_SAMEMASK))
+ 		{
+ 			fr->rd->back_bytes(fr,i+1);
+-			fr->framesize = i-3;
++			*framesize = i-3;
+ 			return PARSE_GOOD; /* Success! */
+ 		}
+ 	}
+@@ -765,8 +773,13 @@ static int guess_freeformat_framesize(mpg123_handle *fr, unsigned long oldhead)
+  *  0: no valid header
+  * <0: some error
+  * You are required to do a head_check() before calling!
++ *
++ * This now only operates on a frame header struct, not the full frame structure.
++ * The scope is limited to parsing header information and determining the size of
++ * the frame body to read. Everything else belongs into a later stage of applying
++ * header information to the main decoder frame structure.
+  */
+-static int decode_header(mpg123_handle *fr,unsigned long newhead, int *freeformat_count)
++static int decode_header(mpg123_handle *fr, struct frame_header *fh, unsigned long newhead, int *freeformat_count)
+ {
+ #ifdef DEBUG /* Do not waste cycles checking the header twice all the time. */
+ 	if(!head_check(newhead))
+@@ -777,43 +790,42 @@ static int decode_header(mpg123_handle *fr,unsigned long newhead, int *freeforma
+ 	/* For some reason, the layer and sampling freq settings used to be wrapped
+ 	   in a weird conditional including MPG123_NO_RESYNC. What was I thinking?
+ 	   This information has to be consistent. */
+-	fr->lay = 4 - HDR_LAYER_VAL(newhead);
++	fh->lay = 4 - HDR_LAYER_VAL(newhead);
+ 
+ 	if(HDR_VERSION_VAL(newhead) & 0x2)
+ 	{
+-		fr->lsf = (HDR_VERSION_VAL(newhead) & 0x1) ? 0 : 1;
+-		fr->mpeg25 = 0;
+-		fr->sampling_frequency = HDR_SAMPLERATE_VAL(newhead) + (fr->lsf*3);
++		fh->lsf = (HDR_VERSION_VAL(newhead) & 0x1) ? 0 : 1;
++		fh->mpeg25 = 0;
++		fh->sampling_frequency = HDR_SAMPLERATE_VAL(newhead) + (fh->lsf*3);
+ 	}
+ 	else
+ 	{
+-		fr->lsf = 1;
+-		fr->mpeg25 = 1;
+-		fr->sampling_frequency = 6 + HDR_SAMPLERATE_VAL(newhead);
++		fh->lsf = 1;
++		fh->mpeg25 = 1;
++		fh->sampling_frequency = 6 + HDR_SAMPLERATE_VAL(newhead);
+ 	}
+ 
+ 	#ifdef DEBUG
+ 	/* seen a file where this varies (old lame tag without crc, track with crc) */
+-	if((HDR_CRC_VAL(newhead)^0x1) != fr->error_protection) debug("changed crc bit!");
++	if((HDR_CRC_VAL(newhead)^0x1) != fh->error_protection) debug("changed crc bit!");
+ 	#endif
+-	fr->error_protection = HDR_CRC_VAL(newhead)^0x1;
+-	fr->bitrate_index    = HDR_BITRATE_VAL(newhead);
+-	fr->padding          = HDR_PADDING_VAL(newhead);
+-	fr->extension        = HDR_PRIVATE_VAL(newhead);
+-	fr->mode             = HDR_CHANNEL_VAL(newhead);
+-	fr->mode_ext         = HDR_CHANEX_VAL(newhead);
+-	fr->copyright        = HDR_COPYRIGHT_VAL(newhead);
+-	fr->original         = HDR_ORIGINAL_VAL(newhead);
+-	fr->emphasis         = HDR_EMPHASIS_VAL(newhead);
+-	fr->freeformat       = !(newhead & HDR_BITRATE);
+-
+-	fr->stereo = (fr->mode == MPG_MD_MONO) ? 1 : 2;
++	fh->error_protection = HDR_CRC_VAL(newhead)^0x1;
++	fh->bitrate_index    = HDR_BITRATE_VAL(newhead);
++	fh->padding          = HDR_PADDING_VAL(newhead);
++	fh->extension        = HDR_PRIVATE_VAL(newhead);
++	fh->mode             = HDR_CHANNEL_VAL(newhead);
++	fh->mode_ext         = HDR_CHANEX_VAL(newhead);
++	fh->copyright        = HDR_COPYRIGHT_VAL(newhead);
++	fh->original         = HDR_ORIGINAL_VAL(newhead);
++	fh->emphasis         = HDR_EMPHASIS_VAL(newhead);
++	fh->freeformat       = !(newhead & HDR_BITRATE);
++
+ 
+ 	/* we can't use tabsel_123 for freeformat, so trying to guess framesize... */
+-	if(fr->freeformat)
++	if(fh->freeformat)
+ 	{
+ 		/* when we first encounter the frame with freeformat, guess framesize */
+-		if(fr->freeformat_framesize < 0)
++		if(fh->freeformat_framesize < 0)
+ 		{
+ 			int ret;
+ 			if(fr->p.flags & MPG123_NO_READAHEAD)
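Review bot: `decode_header()` now reads `fh->error_protection` (in the DEBUG comparison) and `fh->freeformat_framesize` (in the `< 0` test) from the caller-supplied struct before it writes them, so the outcome depends on what the caller put in `*fh`. Please state in the function comment that `fh` must arrive seeded with the previous header state, in particular `freeformat_framesize` holding the earlier guess or a negative value, and check that each caller passing `nhdr` does that. A zeroed struct would skip the free-format size guess and take the `else` branch with a frame size of `0 + padding`, and only the layer 3 case has a lower-bound check on `framesize`.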
+@@ -828,12 +840,12 @@ static int decode_header(mpg123_handle *fr,unsigned long newhead, int *freeforma
+ 				if(VERBOSE3) error("You fooled me too often. Refusing to guess free format frame size _again_.");
+ 				return PARSE_BAD;
+ 			}
+-			ret = guess_freeformat_framesize(fr, newhead);
++			ret = guess_freeformat_framesize(fr, newhead, &(fh->framesize));
+ 			if(ret == PARSE_GOOD)
+ 			{
+-				fr->freeformat_framesize = fr->framesize - fr->padding;
++				fh->freeformat_framesize = fh->framesize - fh->padding;
+ 				if(VERBOSE2)
+-				fprintf(stderr, "Note: free format frame size %li\n", fr->freeformat_framesize);
++				fprintf(stderr, "Note: free format frame size %i\n", fh->freeformat_framesize);
+ 			}
+ 			else
+ 			{
+@@ -848,81 +860,110 @@ static int decode_header(mpg123_handle *fr,unsigned long newhead, int *freeforma
+ 		/* freeformat should be CBR, so the same framesize can be used at the 2nd reading or later */
+ 		else
+ 		{
+-			fr->framesize = fr->freeformat_framesize + fr->padding;
++			fh->framesize = fh->freeformat_framesize + fh->padding;
+ 		}
+ 	}
+ 
+-	switch(fr->lay)
++	switch(fh->lay)
+ 	{
+ #ifndef NO_LAYER1
+ 		case 1:
+-			fr->spf = 384;
+-			fr->do_layer = do_layer1;
+-			if(!fr->freeformat)
++			if(!fh->freeformat)
+ 			{
+-				long fs = (long) tabsel_123[fr->lsf][0][fr->bitrate_index] * 12000;
+-				fs /= freqs[fr->sampling_frequency];
+-				fs = ((fs+fr->padding)<<2)-4;
+-				fr->framesize = (int)fs;
++				long fs = (long) tabsel_123[fh->lsf][0][fh->bitrate_index] * 12000;
++				fs /= freqs[fh->sampling_frequency];
++				fs = ((fs+fh->padding)<<2)-4;
++				fh->framesize = (int)fs;
+ 			}
+ 		break;
+ #endif
+ #ifndef NO_LAYER2
+ 		case 2:
+-			fr->spf = 1152;
+-			fr->do_layer = do_layer2;
+-			if(!fr->freeformat)
++			if(!fh->freeformat)
+ 			{
+-				debug2("bitrate index: %i (%i)", fr->bitrate_index, tabsel_123[fr->lsf][1][fr->bitrate_index] );
+-				long fs = (long) tabsel_123[fr->lsf][1][fr->bitrate_index] * 144000;
+-				fs /= freqs[fr->sampling_frequency];
+-				fs += fr->padding - 4;
+-				fr->framesize = (int)fs;
++				debug2("bitrate index: %i (%i)", fh->bitrate_index, tabsel_123[fh->lsf][1][fh->bitrate_index] );
++				long fs = (long) tabsel_123[fh->lsf][1][fh->bitrate_index] * 144000;
++				fs /= freqs[fh->sampling_frequency];
++				fs += fh->padding - 4;
++				fh->framesize = (int)fs;
+ 			}
+ 		break;
+ #endif
+ #ifndef NO_LAYER3
+ 		case 3:
+-			fr->spf = fr->lsf ? 576 : 1152; /* MPEG 2.5 implies LSF.*/
+-			fr->do_layer = do_layer3;
+-			if(fr->lsf)
+-			fr->ssize = (fr->stereo == 1) ? 9 : 17;
++			if(fh->lsf)
++			fh->ssize = (fh->mode == MPG_MD_MONO) ? 9 : 17;
+ 			else
+-			fr->ssize = (fr->stereo == 1) ? 17 : 32;
++			fh->ssize = (fh->mode == MPG_MD_MONO) ? 17 : 32;
+ 
+-			if(fr->error_protection)
+-			fr->ssize += 2;
++			if(fh->error_protection)
++			fh->ssize += 2;
+ 
+-			if(!fr->freeformat)
++			if(!fh->freeformat)
+ 			{
+-				long fs = (long) tabsel_123[fr->lsf][2][fr->bitrate_index] * 144000;
+-				fs /= freqs[fr->sampling_frequency]<<(fr->lsf);
+-				fs += fr->padding - 4;
+-				fr->framesize = fs;
++				long fs = (long) tabsel_123[fh->lsf][2][fh->bitrate_index] * 144000;
++				fs /= freqs[fh->sampling_frequency]<<(fh->lsf);
++				fs += fh->padding - 4;
++				fh->framesize = fs;
+ 			}
+-			if(fr->framesize < fr->ssize)
++			if(fh->framesize < fh->ssize)
+ 			{
+ 				if(NOQUIET)
+ 					error2( "Frame smaller than mandatory side info (%i < %i)!"
+-					,	fr->framesize, fr->ssize );
++					,	fh->framesize, fh->ssize );
+ 				return PARSE_BAD;
+ 			}
+ 		break;
+ #endif 
+ 		default:
+-			if(NOQUIET) error1("Layer type %i not supported in this build!", fr->lay); 
++			if(NOQUIET) error1("Layer type %i not supported in this build!", fh->lay); 
+ 
+ 			return PARSE_BAD;
+ 	}
+-	if (fr->framesize > MAXFRAMESIZE)
++	if (fh->framesize > MAXFRAMESIZE)
+ 	{
+-		if(NOQUIET) error1("Frame size too big: %d", fr->framesize+4-fr->padding);
++		if(NOQUIET) error1("Frame size too big: %d", fh->framesize+4-fh->padding);
+ 
+ 		return PARSE_BAD;
+ 	}
+ 	return PARSE_GOOD;
+ }
+ 
++// Apply decoded header structure to frame struct, including
++// main decoder function pointer.
++static void apply_header(mpg123_handle *fr, struct frame_header *hdr)
++{
++	// copy the whole struct, do some postprocessing
++	fr->hdr = *hdr;
++	fr->stereo = (fr->hdr.mode == MPG_MD_MONO) ? 1 : 2;
++	switch(fr->hdr.lay)
++	{
++#ifndef NO_LAYER1
++		case 1:
++			fr->spf = 384;
++			fr->do_layer = INT123_do_layer1;
++		break;
++#endif
++#ifndef NO_LAYER2
++		case 2:
++			fr->spf = 1152;
++			fr->do_layer = INT123_do_layer2;
++		break;
++#endif
++#ifndef NO_LAYER3
++		case 3:
++			fr->spf = fr->hdr.lsf ? 576 : 1152; /* MPEG 2.5 implies LSF.*/
++			fr->do_layer = INT123_do_layer3;
++#endif 
++		break;
++		default:
++			// No error checking/message here, been done in decode_header().
++			fr->spf = 0;
++			fr->do_layer = NULL;
++	}
++}
++
++
+ /* Prepare for bit reading. Two stages:
+   0. Layers 1 and 2, side info for layer 3
+   1. Second call for possible bit reservoir for layer 3 part 2,3.
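Review bot: in `apply_header()` the `#endif` for `NO_LAYER3` sits before the `break;` of `case 3`, unlike the layer 1 and 2 cases, so a build with `NO_LAYER3` defined keeps a stray `break;` after the one for case 2; move the `#endif` below the `break;`. The `default:` branch also leaves `fr->do_layer = NULL` and `fr->spf = 0` on the strength of the check in `decode_header()`, so it is worth confirming that every call site applies only a header for which `decode_header()` returned `PARSE_GOOD`. Minor: the layer 3 `fh->framesize = fs;` lacks the `(int)` cast that the layer 1 and 2 branches use.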
+@@ -934,26 +975,26 @@ static int decode_header(mpg123_handle *fr,unsigned long newhead, int *freeforma
+ void set_pointer(mpg123_handle *fr, int part2, long backstep)
+ {
+ 	fr->bitindex = 0;
+-	if(fr->lay == 3)
++	if(fr->hdr.lay == 3)
+ 	{
+ 		if(part2)
+ 		{
+-			fr->wordpointer = fr->bsbuf + fr->ssize - backstep;
++			fr->wordpointer = fr->bsbuf + fr->hdr.ssize - backstep;
+ 			if(backstep)
+ 				memcpy( fr->wordpointer, fr->bsbufold+fr->fsizeold-backstep
+ 				,	backstep );
+-			fr->bits_avail = (long)(fr->framesize - fr->ssize + backstep)*8;
++			fr->bits_avail = (long)(fr->hdr.framesize - fr->hdr.ssize + backstep)*8;
+ 		}
+ 		else
+ 		{
+ 			fr->wordpointer = fr->bsbuf;
+-			fr->bits_avail  = fr->ssize*8;
++			fr->bits_avail  = fr->hdr.ssize*8;
+ 		}
+ 	}
+ 	else
+ 	{
+ 		fr->wordpointer = fr->bsbuf;
+-		fr->bits_avail  = fr->framesize*8;
++		fr->bits_avail  = fr->hdr.framesize*8;
+ 	}
+ }
+ 
+@@ -961,7 +1002,7 @@ void set_pointer(mpg123_handle *fr, int part2, long backstep)
+ 
+ double compute_bpf(mpg123_handle *fr)
+ {
+-	return (fr->framesize > 0) ? fr->framesize + 4.0 : 1.0;
++	return (fr->hdr.framesize > 0) ? fr->hdr.framesize + 4.0 : 1.0;
+ }
+ 
+ int attribute_align_arg mpg123_spf(mpg123_handle *mh)
+@@ -977,8 +1018,8 @@ double attribute_align_arg mpg123_tpf(mpg123_handle *fr)
+ 	double tpf;
+ 	if(fr == NULL || !fr->firsthead) return MPG123_ERR;
+ 
+-	tpf = (double) bs[fr->lay];
+-	tpf /= freqs[fr->sampling_frequency] << (fr->lsf);
++	tpf = (double) bs[fr->hdr.lay];
++	tpf /= freqs[fr->hdr.sampling_frequency] << (fr->hdr.lsf);
+ 	return tpf;
+ }
+ 
+@@ -1062,7 +1103,7 @@ int get_songlen(mpg123_handle *fr,int no)
+ }
+ 
+ /* first attempt of read ahead check to find the real first header; cannot believe what junk is out there! */
+-static int do_readahead(mpg123_handle *fr, unsigned long newhead)
++static int do_readahead(mpg123_handle *fr, struct frame_header *nhdr, unsigned long newhead)
+ {
+ 	unsigned long nexthead = 0;
+ 	int hd = 0;
+@@ -1074,9 +1115,9 @@ static int do_readahead(mpg123_handle *fr, unsigned long newhead)
+ 
+ 	start = fr->rd->tell(fr);
+ 
+-	debug2("doing ahead check with BPF %d at %"OFF_P, fr->framesize+4, (off_p)start);
++	debug2("doing ahead check with BPF %d at %"OFF_P, nhdr->framesize+4, (off_p)start);
+ 	/* step framesize bytes forward and read next possible header*/
+-	if((oret=fr->rd->skip_bytes(fr, fr->framesize))<0)
++	if((oret=fr->rd->skip_bytes(fr, nhdr->framesize))<0)
+ 	{
+ 		if(oret==READER_ERROR && NOQUIET) error("cannot seek!");
+ 
+@@ -1211,7 +1252,7 @@ static int forget_head_shift(mpg123_handle *fr, unsigned long *newheadp, int for
+ }
+ 
+ /* watch out for junk/tags on beginning of stream by invalid header */
+-static int skip_junk(mpg123_handle *fr, unsigned long *newheadp, long *headcount)
++static int skip_junk(mpg123_handle *fr, unsigned long *newheadp, long *headcount, struct frame_header *nhdr)
+ {
+ 	int ret;
+ 	int freeformat_count = 0;
+@@ -1267,7 +1308,7 @@ static int skip_junk(mpg123_handle *fr, unsigned long *newheadp, long *headcount
+ 		if(++forgetcount > FORGET_INTERVAL) forgetcount = 0;
+ 		if((ret=forget_head_shift(fr, &newhead, !forgetcount))<=0) return ret;
+ 
+-		if(head_check(newhead) && (ret=decode_header(fr, newhead, &freeformat_count))) break;
++		if(head_check(newhead) && (ret=decode_header(fr, nhdr, newhead, &freeformat_count))) break;
+ 	} while(1);
+ 	if(ret<0) return ret;
+ 
+-- 
+2.43.0
+
diff --git a/meta/recipes-multimedia/mpg123/mpg123_1.29.3.bb b/meta/recipes-multimedia/mpg123/mpg123_1.29.3.bb
index 0baa7aa4a1..62c6564cec 100644
--- a/meta/recipes-multimedia/mpg123/mpg123_1.29.3.bb
+++ b/meta/recipes-multimedia/mpg123/mpg123_1.29.3.bb
@@ -9,7 +9,9 @@ SECTION = "multimedia"
 LICENSE = "LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=e7b9c15fcfb986abb4cc5e8400a24169"
 
-SRC_URI = "https://www.mpg123.de/download/${BP}.tar.bz2"
+SRC_URI = "https://www.mpg123.de/download/${BP}.tar.bz2 \
+           file://CVE-2024-10573.patch \
+           "
 SRC_URI[sha256sum] = "963885d8cc77262f28b77187c7d189e32195e64244de2530b798ddf32183e847"
 
 UPSTREAM_CHECK_REGEX = "mpg123-(?P<pver>\d+(\.\d+)+)\.tar"
-- 
2.43.0




* [OE-core][kirkstone 7/7] vim: Upgrade 9.1.1043 -> 9.1.1115
  2025-03-14 14:10 [OE-core][kirkstone 0/7] Patch review Steve Sakoman
                   ` (5 preceding siblings ...)
  2025-03-14 14:10 ` [OE-core][kirkstone 6/7] mpg123: fix CVE-2024-10573 Steve Sakoman
@ 2025-03-14 14:10 ` Steve Sakoman
  6 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-03-14 14:10 UTC (permalink / raw)
  To: openembedded-core

From: Divya Chellam <divya.chellam@windriver.com>

This includes CVE-fix for CVE-2025-26603 and CVE-2025-1215

Changes between 9.1.1043 -> 9.1.1115
====================================
https://github.com/vim/vim/compare/v9.1.1043...v9.1.1115

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 4ac9c58c80..823cfe24c7 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -18,8 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
            file://no-path-adjust.patch \
            "
 
-PV .= ".1043"
-SRCREV = "9d1bed5eccdbb46a26b8a484f5e9163c40e63919"
+PV .= ".1115"
+SRCREV = "c0f0e2380e5954f4a52a131bf6b8499838ad1dae"
 
 # Do not consider .z in x.y.z, as that is updated with every commit
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+)\.0"
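Review bot: the new `SRCREV` is a bare hash and nothing in the hunk shows that it is the commit tagged v9.1.1115, which is what `PV .= ".1115"` asserts; since the two lines are bumped by hand, please confirm they match. The commit message names CVE-2025-26603 and CVE-2025-1215 but not the upstream patch levels that fix them; adding those would let a reader check that both fall inside the 9.1.1043 to 9.1.1115 range.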
-- 
2.43.0




* [OE-core][kirkstone 0/7] Patch review
@ 2025-09-30 19:50 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-09-30 19:50 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, October 2

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2467

The following changes since commit d381eeb5e70bd0ce9e78032c909e4a23564f4dd7:

  build-appliance-image: Update to kirkstone head revision (2025-09-19 07:04:23 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Divya Chellam (1):
  vim: upgrade 9.1.1652 -> 9.1.1683

Gyorgy Sarvari (1):
  libhandy: update git branch name

Praveen Kumar (1):
  go: fix CVE-2025-47907

Soumya Sambu (1):
  python3-jinja2: upgrade 3.1.4 -> 3.1.6

Yogita Urade (3):
  grub2: fix CVE-2024-56738
  curl: fix CVE-2025-9086
  tiff: fix CVE-2025-9900

 .../grub/files/CVE-2024-56738.patch           |  75 ++++
 meta/recipes-bsp/grub/grub2.inc               |   1 +
 meta/recipes-devtools/go/go-1.17.13.inc       | 125 ++++---
 .../go/go-1.21/CVE-2025-47907-pre-0001.patch  | 354 ++++++++++++++++++
 .../go/go-1.21/CVE-2025-47907-pre-0002.patch  | 232 ++++++++++++
 .../go/go-1.21/CVE-2025-47907.patch           | 327 ++++++++++++++++
 ...inja2_3.1.4.bb => python3-jinja2_3.1.6.bb} |   5 +-
 meta/recipes-gnome/libhandy/libhandy_1.5.0.bb |   2 +-
 .../libtiff/tiff/CVE-2025-9900.patch          |  57 +++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   1 +
 .../curl/curl/CVE-2025-9086.patch             |  55 +++
 meta/recipes-support/curl/curl_7.82.0.bb      |   1 +
 meta/recipes-support/vim/vim.inc              |   4 +-
 13 files changed, 1174 insertions(+), 65 deletions(-)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2024-56738.patch
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0001.patch
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2025-47907-pre-0002.patch
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2025-47907.patch
 rename meta/recipes-devtools/python/{python3-jinja2_3.1.4.bb => python3-jinja2_3.1.6.bb} (82%)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2025-9900.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-9086.patch

-- 
2.43.0




* [OE-core][kirkstone 0/7] Patch review
@ 2025-11-19 20:42 Steve Sakoman
  0 siblings, 0 replies; 22+ messages in thread
From: Steve Sakoman @ 2025-11-19 20:42 UTC (permalink / raw)
  To: openembedded-core

Please review this set of changes for kirkstone and have comments back by
end of day Friday, November 21

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2748

The following changes since commit 8aad87c12a809d790175b9848f5802d0a28eecac:

  goarch.bbclass: do not leak TUNE_FEATURES into crosssdk task signatures (2025-11-13 08:39:38 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Gyorgy Sarvari (1):
  musl: patch CVE-2025-26519

Richard Purdie (1):
  oe-build-perf-report: relax metadata matching rules

Soumya Sambu (2):
  elfutils: Fix CVE-2025-1376
  elfutils: Fix CVE-2025-1377

Vijay Anusuri (3):
  xwayland: Fix for CVE-2025-62229
  xwayland: Fix for CVE-2025-62230
  xwayland: Fix for CVE-2025-62231

 .../musl/musl/CVE-2025-26519-1.patch          | 39 ++++++++
 .../musl/musl/CVE-2025-26519-2.patch          | 38 ++++++++
 meta/recipes-core/musl/musl_git.bb            |  4 +-
 .../elfutils/elfutils_0.186.bb                |  2 +
 .../elfutils/files/CVE-2025-1376.patch        | 58 ++++++++++++
 .../elfutils/files/CVE-2025-1377.patch        | 68 ++++++++++++++
 .../xwayland/xwayland/CVE-2025-62229.patch    | 89 ++++++++++++++++++
 .../xwayland/xwayland/CVE-2025-62230-1.patch  | 63 +++++++++++++
 .../xwayland/xwayland/CVE-2025-62230-2.patch  | 92 +++++++++++++++++++
 .../xwayland/xwayland/CVE-2025-62231.patch    | 53 +++++++++++
 .../xwayland/xwayland_22.1.8.bb               |  4 +
 scripts/lib/build_perf/report.py              |  9 +-
 12 files changed, 515 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-core/musl/musl/CVE-2025-26519-1.patch
 create mode 100644 meta/recipes-core/musl/musl/CVE-2025-26519-2.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1376.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/CVE-2025-1377.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62229.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-1.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62230-2.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-62231.patch

-- 
2.43.0



