[OE-core][kirkstone 0/6] Patch review

[OE-core][kirkstone 0/6] Patch review

[Steve Sakoman]

Please review this final set of patches for the kirkstone 4.0.9 release and
have comments back by end of day Thursday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5147

The following changes since commit 3eeab90fd45a1e8de6d9d16dfdec79c72639614b:

  rsync: Turn on -pedantic-errors at the end of 'configure' (2023-03-30 08:29:50 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (1):
  patchelf: replace a rejected patch with an equivalent
    uninative.bbclass tweak

Michael Halstead (2):
  uninative: Upgrade to 3.8.1 to include libgcc
  uninative: Upgrade to 3.9 to include glibc 2.37

Shubham Kulkarni (1):
  go-runtime: Security fix for CVE-2022-41723

Simone Weiss (1):
  json-c: Add ptest for json-c

pawan (1):
  curl: Add fix for CVE-2023-23916

 meta/classes/uninative.bbclass                |   2 +
 .../distro/include/ptest-packagelists.inc     |   1 +
 meta/conf/distro/include/yocto-uninative.inc  |  10 +-
 meta/recipes-devtools/go/go-1.17.13.inc       |   1 +
 .../go/go-1.18/CVE-2022-41723.patch           | 156 +++++++++++++
 meta/recipes-devtools/json-c/json-c/run-ptest |  20 ++
 meta/recipes-devtools/json-c/json-c_0.15.bb   |  16 +-
 .../patchelf/handle-read-only-files.patch     |  65 ------
 .../patchelf/patchelf_0.14.5.bb               |   1 -
 .../curl/curl/CVE-2023-23916.patch            | 219 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   1 +
 11 files changed, 419 insertions(+), 73 deletions(-)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2022-41723.patch
 create mode 100644 meta/recipes-devtools/json-c/json-c/run-ptest
 delete mode 100644 meta/recipes-devtools/patchelf/patchelf/handle-read-only-files.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2023-23916.patch

-- 
2.34.1

[OE-core][kirkstone 0/6] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, October 24

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6084

The following changes since commit 5570e49791b770271f176a4deeb5f6f1a028cb4a:

  uboot-extlinux-config.bbclass: fix missed override syntax migration (2023-10-17 12:19:37 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Lee Chee Yang (1):
  qemu: ignore RHEL specific CVE-2023-2680

Meenali Gupta (1):
  linux-firmware: upgrade 20230625 -> 20230804

Peter Marko (1):
  zlib: patch CVE-2023-45853

Siddharth Doshi (2):
  libx11: Security Fix for CVE-2023-43785, CVE-2023-43786 and
    CVE-2023-43787
  vim: Upgrade 9.0.2009 -> 9.0.2048

Vijay Anusuri (1):
  gawk: backport Debian patch to fix CVE-2023-4156

 .../zlib/zlib/CVE-2023-45853.patch            | 42 +++++++++++++
 meta/recipes-core/zlib/zlib_1.2.11.bb         |  1 +
 meta/recipes-devtools/qemu/qemu.inc           |  4 ++
 .../gawk/gawk/CVE-2023-4156.patch             | 28 +++++++++
 meta/recipes-extended/gawk/gawk_5.1.1.bb      |  1 +
 .../xorg-lib/libx11/CVE-2023-43785.patch      | 62 ++++++++++++++++++
 .../xorg-lib/libx11/CVE-2023-43786-0001.patch | 41 ++++++++++++
 .../xorg-lib/libx11/CVE-2023-43786-0002.patch | 45 +++++++++++++
 .../xorg-lib/libx11/CVE-2023-43786-0003.patch | 51 +++++++++++++++
 .../xorg-lib/libx11/CVE-2023-43787.patch      | 63 +++++++++++++++++++
 .../xorg-lib/libx11_1.7.3.1.bb                |  5 ++
 ...20230625.bb => linux-firmware_20230804.bb} |  4 +-
 meta/recipes-support/vim/vim.inc              |  4 +-
 13 files changed, 347 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2023-45853.patch
 create mode 100644 meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43785.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0001.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0002.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43786-0003.patch
 create mode 100644 meta/recipes-graphics/xorg-lib/libx11/CVE-2023-43787.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230625.bb => linux-firmware_20230804.bb} (99%)

-- 
2.34.1

[OE-core][kirkstone 0/6] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, January 10

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6425

The following changes since commit 227b3d4edad31b0d0045f41133271693265240b0:

  tzdata: Upgrade to 2023d (2024-01-02 03:46:18 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Dhairya Nagodra (2):
  cve-update-nvd2-native: faster requests with API keys
  cve-update-nvd2-native: increase the delay between subsequent request
    failures

Dmitry Baryshkov (1):
  linux-firmware: upgrade 20230804 -> 20231030

Peter Marko (2):
  cve-update-nvd2-native: remove unused variable CVE_SOCKET_TIMEOUT
  cve-update-nvd2-native: make number of fetch attemtps configurable

Vijay Anusuri (1):
  xserver-xorg: Fix for CVE-2023-6377 and CVE-2023-6478

 .../meta/cve-update-nvd2-native.bb            | 27 +++++--
 .../xserver-xorg/CVE-2023-6377.patch          | 79 +++++++++++++++++++
 .../xserver-xorg/CVE-2023-6478.patch          | 63 +++++++++++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |  2 +
 ...20230804.bb => linux-firmware_20231030.bb} |  4 +-
 5 files changed, 165 insertions(+), 10 deletions(-)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6377.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6478.patch
 rename meta/recipes-kernel/linux-firmware/{linux-firmware_20230804.bb => linux-firmware_20231030.bb} (99%)

-- 
2.34.1

[OE-core][kirkstone 0/6] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, January 23

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6471

The following changes since commit ebd61290a644a6d9f2b3701e0e7ea050636da76c:

  pybootchartgui: fix 2 SyntaxWarnings (2024-01-16 04:10:03 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Hitendra Prajapati (2):
  openssl: fix CVE-2023-6237 Excessive time spent checking invalid RSA
    public keys
  pam: fix CVE-2024-22365 pam_namespace misses

Peter Marko (1):
  dropbear: backport patch for CVE-2023-48795

Vijay Anusuri (2):
  gnutls: Fix for CVE-2024-0553 and CVE-2024-0567
  xserver-xorg: Multiple CVE fixes

Yogita Urade (1):
  tiff: fix CVE-2023-6228

 .../openssl/openssl/CVE-2023-6237.patch       | 127 ++++++++++
 .../openssl/openssl_3.0.12.bb                 |   1 +
 meta/recipes-core/dropbear/dropbear.inc       |   1 +
 .../dropbear/dropbear/CVE-2023-48795.patch    | 234 ++++++++++++++++++
 .../pam/libpam/CVE-2024-22365.patch           |  62 +++++
 meta/recipes-extended/pam/libpam_1.5.2.bb     |   1 +
 .../xserver-xorg/CVE-2023-6816.patch          |  55 ++++
 .../xserver-xorg/CVE-2024-0229-1.patch        |  87 +++++++
 .../xserver-xorg/CVE-2024-0229-2.patch        | 221 +++++++++++++++++
 .../xserver-xorg/CVE-2024-0229-3.patch        |  41 +++
 .../xserver-xorg/CVE-2024-0229-4.patch        |  45 ++++
 .../xserver-xorg/CVE-2024-0408.patch          |  64 +++++
 .../xserver-xorg/CVE-2024-0409.patch          |  46 ++++
 .../xserver-xorg/CVE-2024-21885.patch         | 113 +++++++++
 .../xserver-xorg/CVE-2024-21886-1.patch       |  74 ++++++
 .../xserver-xorg/CVE-2024-21886-2.patch       |  57 +++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |  10 +
 .../libtiff/tiff/CVE-2023-6228.patch          |  31 +++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   1 +
 .../gnutls/gnutls/CVE-2024-0553.patch         | 125 ++++++++++
 .../gnutls/gnutls/CVE-2024-0567.patch         | 184 ++++++++++++++
 meta/recipes-support/gnutls/gnutls_3.7.4.bb   |   2 +
 22 files changed, 1582 insertions(+)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2023-48795.patch
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2024-22365.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2023-6816.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-2.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-3.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0229-4.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0408.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-0409.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21885.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-21886-2.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-6228.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-0553.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2024-0567.patch

-- 
2.34.1

[OE-core][kirkstone 0/6] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, May 17

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6895

The following changes since commit 24fd9b6756728a0337100f53a1c6e92aba092f9d:

  ppp: Add RSA-MD in LICENSE (2024-05-08 05:19:26 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (2):
  xserver-xorg: fix CVE-2024-31082
  xserver-xorg: fix CVE-2024-31083

Bhabu Bindu (1):
  libpciaccess: Remove duplicated license entry

Peter Marko (1):
  glibc: Update to latest on stable 2.35 branch

Vijay Anusuri (2):
  bluez5: Fix CVE-2023-27349 CVE-2023-50229 & CVE-2023-50230
  gstreamer1.0-plugins-bad: fix CVE-2023-50186

 meta/recipes-connectivity/bluez5/bluez5.inc   |   2 +
 .../bluez5/bluez5/CVE-2023-27349.patch        |  48 +++++++
 .../CVE-2023-50229_CVE-2023-50230.patch       |  67 ++++++++++
 meta/recipes-core/glibc/glibc-version.inc     |   2 +-
 ...y-the-header-between-arm-and-aarch64.patch |  64 +++++-----
 meta/recipes-core/glibc/glibc_2.35.bb         |   5 +-
 .../xorg-lib/libpciaccess_0.16.bb             |   2 +-
 .../xserver-xorg/CVE-2024-31082.patch         |  52 ++++++++
 .../xserver-xorg/CVE-2024-31083-0001.patch    | 117 ++++++++++++++++++
 .../xserver-xorg/CVE-2024-31083-0002.patch    |  76 ++++++++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |   3 +
 .../CVE-2023-50186.patch                      |  70 +++++++++++
 .../gstreamer1.0-plugins-bad_1.20.7.bb        |   1 +
 13 files changed, 478 insertions(+), 31 deletions(-)
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2023-27349.patch
 create mode 100644 meta/recipes-connectivity/bluez5/bluez5/CVE-2023-50229_CVE-2023-50230.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31082.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31083-0001.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31083-0002.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/CVE-2023-50186.patch

-- 
2.34.1

[OE-core][kirkstone 0/6] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, July 23

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7158

The following changes since commit 5d97b0576e98a2cf402abab1a1edcab223545d87:

  build-appliance-image: Update to kirkstone head revision (2024-07-15 10:31:11 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Ashish Sharma (1):
  ruby: backport fix for CVE-2024-27282

Florian Amstutz (1):
  uboot-sign: Fix index error in concat_dtb_helper() with multiple
    configs

Hitendra Prajapati (1):
  busybox: Fix CVE-2023-42363

Peter Marko (2):
  busybox: Patch CVE-2021-42380
  libarchive: ignore CVE-2024-37407

Vijay Anusuri (1):
  python3-jinja2: Upgrade 3.1.3 -> 3.1.4

 meta/classes/uboot-sign.bbclass               |   6 +-
 .../busybox/busybox/CVE-2021-42380.patch      | 151 ++++++++++++++++++
 .../busybox/busybox/CVE-2023-42363.patch      |  68 ++++++++
 meta/recipes-core/busybox/busybox_1.35.0.bb   |   2 +
 ...inja2_3.1.3.bb => python3-jinja2_3.1.4.bb} |   8 +-
 .../ruby/ruby/CVE-2024-27282.patch            |  29 ++++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |   1 +
 .../libarchive/libarchive_3.6.2.bb            |   2 +
 8 files changed, 261 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2021-42380.patch
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2023-42363.patch
 rename meta/recipes-devtools/python/{python3-jinja2_3.1.3.bb => python3-jinja2_3.1.4.bb} (82%)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-27282.patch

-- 
2.34.1

[OE-core][kirkstone 0/6] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, August 27

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7272

The following changes since commit 6c1000a2bbfe5e618e42bc5be2058332337d4177:

  python3-pycryptodome(x): use python_setuptools_build_meta build class (2024-08-15 05:58:11 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Guocai He (1):
  libsoup: fix compile error on centos7

Leon Anavi (1):
  python3: add PACKAGECONFIG[editline]

Niko Mauno (1):
  image_types.bbclass: Use --force also with lz4,lzop

Peter Marko (1):
  libyaml: ignore CVE-2024-35326

Siddharth Doshi (2):
  Tiff: Security fix for CVE-2024-7006
  curl: Security fix for CVE-2024-7264

 meta/classes/image_types.bbclass              |   4 +-
 .../python/python3_3.10.14.bb                 |   5 +-
 .../libtiff/tiff/CVE-2024-7006.patch          |  64 ++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |   1 +
 .../curl/curl/CVE-2024-7264_1.patch           |  66 ++++
 .../curl/curl/CVE-2024-7264_2.patch           | 320 ++++++++++++++++++
 meta/recipes-support/curl/curl_7.82.0.bb      |   2 +
 .../0001-meson.build-set-c_std-to-gnu99.patch |  44 +++
 .../libsoup/libsoup-2.4_2.74.2.bb             |   4 +-
 meta/recipes-support/libyaml/libyaml_0.2.5.bb |   2 +-
 10 files changed, 506 insertions(+), 6 deletions(-)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2024-7006.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2024-7264_1.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2024-7264_2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/0001-meson.build-set-c_std-to-gnu99.patch

-- 
2.34.1

[OE-core][kirkstone 0/6] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, September 6

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7310

The following changes since commit 6992437d725f9cc88da4261814b69aaadc5ef0f2:

  grub: fs/fat: Don't error when mtime is 0 (2024-08-29 06:13:56 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Hitendra Prajapati (1):
  qemu: fix CVE-2024-7409

Rohini Sangam (1):
  python3: Security fix for CVE-2024-8088

Vijay Anusuri (1):
  apr: upgrade 1.7.2 -> 1.7.5

Vrushti Dabhi (2):
  sqlite3: CVE-ID correction for CVE-2023-7104
  sqlite3: Rename patch for CVE-2022-35737

Wang Mingyu (1):
  wireless-regdb: upgrade 2024.05.08 -> 2024.07.04

 .../python/python3/CVE-2024-8088.patch        | 124 +++++++++++++
 .../python/python3_3.10.14.bb                 |   1 +
 meta/recipes-devtools/qemu/qemu.inc           |   4 +
 .../qemu/qemu/CVE-2024-7409-0001.patch        | 162 ++++++++++++++++
 .../qemu/qemu/CVE-2024-7409-0002.patch        | 174 ++++++++++++++++++
 .../qemu/qemu/CVE-2024-7409-0003.patch        | 122 ++++++++++++
 .../qemu/qemu/CVE-2024-7409-0004.patch        | 163 ++++++++++++++++
 ....05.08.bb => wireless-regdb_2024.07.04.bb} |   2 +-
 ...-runtime-test-for-mmap-that-can-map-.patch |   2 +-
 .../apr/{apr_1.7.2.bb => apr_1.7.5.bb}        |   2 +-
 ...lementation.patch => CVE-2022-35737.patch} |   0
 .../sqlite/files/CVE-2023-7104.patch          |  10 +-
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb |   4 +-
 13 files changed, 761 insertions(+), 9 deletions(-)
 create mode 100644 meta/recipes-devtools/python/python3/CVE-2024-8088.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0001.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0002.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0003.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2024-7409-0004.patch
 rename meta/recipes-kernel/wireless-regdb/{wireless-regdb_2024.05.08.bb => wireless-regdb_2024.07.04.bb} (94%)
 rename meta/recipes-support/apr/{apr_1.7.2.bb => apr_1.7.5.bb} (98%)
 rename meta/recipes-support/sqlite/files/{0001-sqlite-Increased-the-size-of-loop-variables-in-the-printf-implementation.patch => CVE-2022-35737.patch} (100%)

-- 
2.34.1

[OE-core][kirkstone 0/6] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, March 12

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1152

The following changes since commit 0d9f2fcc2058407eb138297d9f8f12595851b963:

  mesa: Fix missing GLES3 headers in SDK sysroot (2025-03-04 08:43:39 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alessio Cascone (1):
  tzcode-native: Fix compiler setting from 2023d version

Deepesh Varatharajan (1):
  binutils: Fix CVE-2025-0840

Hitendra Prajapati (1):
  ruby: Fix CVE-2025-27220

Priyal Doshi (1):
  tzdata/tzcode-native: upgrade 2024b -> 2025a

Vijay Anusuri (2):
  openssh: Fix CVE-2025-26465
  libtasn1: upgrade 4.19.0 -> 4.20.0

 .../openssh/openssh/CVE-2025-26465.patch      | 140 ++++++++++++++++++
 .../openssh/openssh_8.9p1.bb                  |   1 +
 .../binutils/binutils-2.38.inc                |   1 +
 .../binutils/0038-CVE-2025-0840.patch         |  53 +++++++
 .../ruby/ruby/CVE-2025-27220.patch            |  76 ++++++++++
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |   1 +
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../timezone/tzcode-native.bb                 |   2 +-
 ...{libtasn1_4.19.0.bb => libtasn1_4.20.0.bb} |   7 +-
 9 files changed, 279 insertions(+), 8 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssh/openssh/CVE-2025-26465.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0038-CVE-2025-0840.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27220.patch
 rename meta/recipes-support/gnutls/{libtasn1_4.19.0.bb => libtasn1_4.20.0.bb} (63%)

-- 
2.43.0

[OE-core][kirkstone 0/6] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Wednesday, March 26

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1242

The following changes since commit acb88b244e89bc1300a24f60d0a44c21e0ab1af6:

  vim: Upgrade 9.1.1043 -> 9.1.1115 (2025-03-13 09:19:58 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Peter Marko (1):
  tiff: mark CVE-2023-30774 as patched

Robert Yang (1):
  libxcrypt-compat: Remove libcrypt.so to fix conflict with libcrypt

Vijay Anusuri (2):
  libxslt: Fix for CVE-2024-55549
  libxslt: Fix for CVE-2025-24855

Yogita Urade (2):
  xserver-xorg: fix CVE-2022-49737
  xwayland: fix CVE-2022-49737

 .../libxcrypt/libxcrypt-compat_4.4.33.bb      |   2 +-
 .../xserver-xorg/CVE-2022-49737.patch         |  90 ++++++++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |   1 +
 .../xwayland/xwayland/CVE-2022-49737.patch    |  90 ++++++++++++
 .../xwayland/xwayland_22.1.8.bb               |   1 +
 ...-of-TIFFTAG_INKNAMES-and-related-TIF.patch |   4 +-
 .../libxslt/libxslt/CVE-2024-55549.patch      |  49 +++++++
 .../libxslt/libxslt/CVE-2025-24855.patch      | 134 ++++++++++++++++++
 .../recipes-support/libxslt/libxslt_1.1.35.bb |   5 +-
 9 files changed, 373 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-49737.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2022-49737.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch

-- 
2.43.0

[OE-core][kirkstone 1/6] tiff: mark CVE-2023-30774 as patched

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

[1] points tu issue [2] which was fixed by [3] together with lot of
other issues.
We already have this patch, so mark CVE-2023-30774 in it.

Also split CVE tag to separate entries.

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-30774
[2] https://gitlab.com/libtiff/libtiff/-/issues/463
[3] https://gitlab.com/libtiff/libtiff/-/merge_requests/385

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch b/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
index 17b37be041..261421b399 100644
--- a/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
+++ b/meta/recipes-multimedia/libtiff/tiff/0001-Revised-handling-of-TIFFTAG_INKNAMES-and-related-TIF.patch
@@ -23,7 +23,9 @@ This MR will close the following issues:  #149, #150, #152, #168 (to be checked)
 
 It also fixes the old bug at http://bugzilla.maptools.org/show_bug.cgi?id=2599, for which the limitation of `NumberOfInks = SPP` was introduced, which is in my opinion not necessary and does not solve the general issue.
 
-CVE: CVE-2022-3599 CVE-2022-4645
+CVE: CVE-2022-3599
+CVE: CVE-2022-4645
+CVE: CVE-2023-30774
 Upstream-Status: Backport [https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246.patch]
 Signed-off-by: Ross Burton <ross.burton@arm.com>
 Signed-off-by: Pawan Badganchi <Pawan.Badganchi@kpit.com>
-- 
2.43.0

[OE-core][kirkstone 2/6] libxslt: Fix for CVE-2024-55549

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Commit: https://gitlab.gnome.org/GNOME/libxslt/-/commit/46041b65f2fbddf5c284ee1a1332fa2c515c0515

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libxslt/libxslt/CVE-2024-55549.patch      | 49 +++++++++++++++++++
 .../recipes-support/libxslt/libxslt_1.1.35.bb |  4 +-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch b/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch
new file mode 100644
index 0000000000..88a17a4d0c
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2024-55549.patch
@@ -0,0 +1,49 @@
+From 46041b65f2fbddf5c284ee1a1332fa2c515c0515 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 5 Dec 2024 12:43:19 +0100
+Subject: [PATCH] [CVE-2024-55549] Fix UAF related to excluded namespaces
+
+Definitions of excluded namespaces could be deleted in
+xsltParseTemplateContent. Store excluded namespace URIs in the
+stylesheet's dictionary instead of referencing the namespace definition.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #127.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/46041b65f2fbddf5c284ee1a1332fa2c515c0515]
+CVE: CVE-2024-55549
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libxslt/xslt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/libxslt/xslt.c b/libxslt/xslt.c
+index 69116f2..02c2e3a 100644
+--- a/libxslt/xslt.c
++++ b/libxslt/xslt.c
+@@ -153,10 +153,20 @@ xsltParseContentError(xsltStylesheetPtr style,
+  * in case of error
+  */
+ static int
+-exclPrefixPush(xsltStylesheetPtr style, xmlChar * value)
++exclPrefixPush(xsltStylesheetPtr style, xmlChar * orig)
+ {
++    xmlChar *value;
+     int i;
+ 
++    /*
++     * orig can come from a namespace definition on a node which
++     * could be deleted later, for example in xsltParseTemplateContent.
++     * Store the string in stylesheet's dict to avoid use after free.
++     */
++    value = (xmlChar *) xmlDictLookup(style->dict, orig, -1);
++    if (value == NULL)
++	return(-1);
++
+     if (style->exclPrefixMax == 0) {
+         style->exclPrefixMax = 4;
+         style->exclPrefixTab =
+-- 
+2.34.1
+
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
index 2fd777766c..1f0d845421 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
 SECTION = "libs"
 DEPENDS = "libxml2"
 
-SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz"
+SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \
+           file://CVE-2024-55549.patch \
+          "
 
 SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"
 
-- 
2.43.0

[OE-core][kirkstone 3/6] libxslt: Fix for CVE-2025-24855

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Commit: https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libxslt/libxslt/CVE-2025-24855.patch      | 134 ++++++++++++++++++
 .../recipes-support/libxslt/libxslt_1.1.35.bb |   1 +
 2 files changed, 135 insertions(+)
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch

diff --git a/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch b/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch
new file mode 100644
index 0000000000..b8c2f5b0c8
--- /dev/null
+++ b/meta/recipes-support/libxslt/libxslt/CVE-2025-24855.patch
@@ -0,0 +1,134 @@
+From c7c7f1f78dd202a053996fcefe57eb994aec8ef2 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 17 Dec 2024 15:56:21 +0100
+Subject: [PATCH] [CVE-2025-24855] Fix use-after-free of XPath context node
+
+There are several places where the XPath context node isn't restored
+after modifying it, leading to use-after-free errors with nested XPath
+evaluations and dynamically allocated context nodes.
+
+Restore XPath context node in
+
+- xsltNumberFormatGetValue
+- xsltEvalXPathPredicate
+- xsltEvalXPathStringNs
+- xsltComputeSortResultInternal
+
+In some places, the transformation context node was saved and restored
+which shouldn't be necessary.
+
+Thanks to Ivan Fratric for the report!
+
+Fixes #128.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxslt/-/commit/c7c7f1f78dd202a053996fcefe57eb994aec8ef2]
+CVE: CVE-2025-24855
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libxslt/numbers.c   | 5 +++++
+ libxslt/templates.c | 9 ++++++---
+ libxslt/xsltutils.c | 4 ++--
+ 3 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/libxslt/numbers.c b/libxslt/numbers.c
+index 0e1fa136..741124d1 100644
+--- a/libxslt/numbers.c
++++ b/libxslt/numbers.c
+@@ -733,9 +733,12 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+     int amount = 0;
+     xmlBufferPtr pattern;
+     xmlXPathObjectPtr obj;
++    xmlNodePtr oldNode;
+ 
+     pattern = xmlBufferCreate();
+     if (pattern != NULL) {
++        oldNode = context->node;
++
+ 	xmlBufferCCat(pattern, "number(");
+ 	xmlBufferCat(pattern, value);
+ 	xmlBufferCCat(pattern, ")");
+@@ -748,6 +751,8 @@ xsltNumberFormatGetValue(xmlXPathContextPtr context,
+ 	    xmlXPathFreeObject(obj);
+ 	}
+ 	xmlBufferFree(pattern);
++
++        context->node = oldNode;
+     }
+     return amount;
+ }
+diff --git a/libxslt/templates.c b/libxslt/templates.c
+index f08b9bda..1c8d96e2 100644
+--- a/libxslt/templates.c
++++ b/libxslt/templates.c
+@@ -61,6 +61,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     int oldNsNr;
+     xmlNsPtr *oldNamespaces;
+     xmlNodePtr oldInst;
++    xmlNodePtr oldNode;
+     int oldProximityPosition, oldContextSize;
+ 
+     if ((ctxt == NULL) || (ctxt->inst == NULL)) {
+@@ -69,6 +70,7 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+         return(0);
+     }
+ 
++    oldNode = ctxt->xpathCtxt->node;
+     oldContextSize = ctxt->xpathCtxt->contextSize;
+     oldProximityPosition = ctxt->xpathCtxt->proximityPosition;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -96,8 +98,9 @@ xsltEvalXPathPredicate(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	ctxt->state = XSLT_STATE_STOPPED;
+ 	ret = 0;
+     }
+-    ctxt->xpathCtxt->nsNr = oldNsNr;
+ 
++    ctxt->xpathCtxt->node = oldNode;
++    ctxt->xpathCtxt->nsNr = oldNsNr;
+     ctxt->xpathCtxt->namespaces = oldNamespaces;
+     ctxt->inst = oldInst;
+     ctxt->xpathCtxt->contextSize = oldContextSize;
+@@ -137,7 +140,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+     }
+ 
+     oldInst = ctxt->inst;
+-    oldNode = ctxt->node;
++    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -167,7 +170,7 @@ xsltEvalXPathStringNs(xsltTransformContextPtr ctxt, xmlXPathCompExprPtr comp,
+ 	 "xsltEvalXPathString: returns %s\n", ret));
+ #endif
+     ctxt->inst = oldInst;
+-    ctxt->node = oldNode;
++    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+diff --git a/libxslt/xsltutils.c b/libxslt/xsltutils.c
+index 0e9dc62f..a20da961 100644
+--- a/libxslt/xsltutils.c
++++ b/libxslt/xsltutils.c
+@@ -1065,8 +1065,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ 	return(NULL);
+     }
+ 
+-    oldNode = ctxt->node;
+     oldInst = ctxt->inst;
++    oldNode = ctxt->xpathCtxt->node;
+     oldPos = ctxt->xpathCtxt->proximityPosition;
+     oldSize = ctxt->xpathCtxt->contextSize;
+     oldNsNr = ctxt->xpathCtxt->nsNr;
+@@ -1137,8 +1137,8 @@ xsltComputeSortResultInternal(xsltTransformContextPtr ctxt, xmlNodePtr sort,
+ 	    results[i] = NULL;
+ 	}
+     }
+-    ctxt->node = oldNode;
+     ctxt->inst = oldInst;
++    ctxt->xpathCtxt->node = oldNode;
+     ctxt->xpathCtxt->contextSize = oldSize;
+     ctxt->xpathCtxt->proximityPosition = oldPos;
+     ctxt->xpathCtxt->nsNr = oldNsNr;
+-- 
+GitLab
+
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.35.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
index 1f0d845421..3df372b267 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.35.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -15,6 +15,7 @@ DEPENDS = "libxml2"
 
 SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz \
            file://CVE-2024-55549.patch \
+           file://CVE-2025-24855.patch \
           "
 
 SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"
-- 
2.43.0

[OE-core][kirkstone 4/6] xserver-xorg: fix CVE-2022-49737

[Steve Sakoman]

From: Yogita Urade <yogita.urade@windriver.com>

In X.Org X server 20.11 through 21.1.16, when a client application
uses easystroke for mouse gestures, the main thread modifies various
data structures used by the input thread without acquiring a lock,
aka a race condition. In particular, AttachDevice in dix/devices.c
does not acquire an input lock.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-49737

Upstream patch:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xserver-xorg/CVE-2022-49737.patch         | 90 +++++++++++++++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |  1 +
 2 files changed, 91 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-49737.patch

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-49737.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-49737.patch
new file mode 100644
index 0000000000..86c9f59f8c
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2022-49737.patch
@@ -0,0 +1,90 @@
+From dc7cb45482cea6ccec22d117ca0b489500b4d0a0 Mon Sep 17 00:00:00 2001
+From: tholin <thomas.lindroth@gmail.com>
+Date: Tue, 4 Jan 2022 12:08:11 +0000
+Subject: [PATCH] dix: Hold input lock for AttachDevice()
+
+Fix the following race:
+
+Possible data race during read of size 8 at 0xA112510 by thread #6
+Locks held: 1, at address 0x366B40
+   at 0x14C8B9: GetMaster (devices.c:2691)
+   by 0x15CFC5: IsFloating (events.c:346)
+   by 0x2B9554: miPointerGetScreen (mipointer.c:527)
+   by 0x1A5136: xf86PostButtonEventM (xf86Xinput.c:1379)
+   by 0x1A52BD: xf86PostButtonEvent (xf86Xinput.c:1345)
+   by 0x485F45B: EvdevProcessEvent (in /usr/lib64/xorg/modules/input/evdev_drv.so)
+   by 0x485FDAC: EvdevReadInput (in /usr/lib64/xorg/modules/input/evdev_drv.so)
+   by 0x195427: xf86ReadInput (xf86Events.c:247)
+   by 0x2CC113: InputReady (inputthread.c:180)
+   by 0x2CE4EA: ospoll_wait (ospoll.c:657)
+   by 0x2CC077: InputThreadDoWork (inputthread.c:369)
+   by 0x484A336: mythread_wrapper (hg_intercepts.c:406)
+
+This conflicts with a previous write of size 8 by thread #1
+Locks held: none
+   at 0x14D2C6: AttachDevice (devices.c:2609)
+   by 0x15CF85: ReattachToOldMaster (events.c:1457)
+   by 0x1647DD: DeactivateKeyboardGrab (events.c:1700)
+   by 0x25D7F1: ProcXIUngrabDevice (xigrabdev.c:169)
+   by 0x2552AD: ProcIDispatch (extinit.c:398)
+   by 0x155291: Dispatch (dispatch.c:479)
+   by 0x158CBA: dix_main (main.c:276)
+   by 0x143A3D: main (stubmain.c:34)
+ Address 0xa112510 is 336 bytes inside a block of size 904 alloc'd
+   at 0x4846571: calloc (vg_replace_malloc.c:1328)
+   by 0x14A0B3: AddInputDevice (devices.c:260)
+   by 0x1A31A0: xf86ActivateDevice (xf86Xinput.c:365)
+   by 0x1A4549: xf86NewInputDevice (xf86Xinput.c:948)
+   by 0x1A4B44: NewInputDeviceRequest (xf86Xinput.c:1090)
+   by 0x1B81FE: device_added (udev.c:282)
+   by 0x1B8516: config_udev_init (udev.c:439)
+   by 0x1B7091: config_init (config.c:50)
+   by 0x197970: InitInput (xf86Init.c:814)
+   by 0x158C6B: dix_main (main.c:250)
+   by 0x143A3D: main (stubmain.c:34)
+ Block was alloc'd by thread #1
+
+The steps to trigger the race are:
+1. Main thread does cleanup at mipointer.c:360 setting the slave device's
+   miPointerPtr to null.
+2. Input thread use MIPOINTER in mipointer.c and get the slave's
+   miPointerPtr = null.
+3. Main thread updates dev->master at devices.c:2609.
+4. MIPOINTER would now return the master's miPointerPtr but the input
+   thread already got the slave's miPointerPtr in step 2 and segfaults by
+   null ptr deref.
+
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260
+Signed-off-by: Thomas Lindroth <thomas.lindroth@gmail.com>
+
+CVE: CVE-2022-49737
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ dix/devices.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 459f1ed..e5a6f02 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2671,6 +2671,8 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master)
+     if (IsFloating(dev) && !master && dev->enabled)
+         return Success;
+
++    input_lock();
++
+     /* free the existing sprite. */
+     if (IsFloating(dev) && dev->spriteInfo->paired == dev) {
+         screen = miPointerGetScreen(dev);
+@@ -2711,6 +2713,7 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master)
+         RecalculateMasterButtons(master);
+     }
+
++    input_unlock();
+     /* XXX: in theory, the MD should change back to its old, original
+      * classes when the last SD is detached. Thanks to the XTEST devices,
+      * we'll always have an SD attached until the MD is removed.
+--
+2.40.0
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
index e77b81eed6..6790eb0921 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_21.1.8.bb
@@ -35,6 +35,7 @@ SRC_URI += "file://0001-xf86pciBus.c-use-Intel-ddx-only-for-pre-gen4-hardwar.pat
            file://CVE-2025-26601-2.patch \
            file://CVE-2025-26601-3.patch \
            file://CVE-2025-26601-4.patch \
+           file://CVE-2022-49737.patch \
            "
 SRC_URI[sha256sum] = "38aadb735650c8024ee25211c190bf8aad844c5f59632761ab1ef4c4d5aeb152"
 
-- 
2.43.0

[OE-core][kirkstone 5/6] xwayland: fix CVE-2022-49737

[Steve Sakoman]

From: Yogita Urade <yogita.urade@windriver.com>

In X.Org X server 20.11 through 21.1.16, when a client application
uses easystroke for mouse gestures, the main thread modifies various
data structures used by the input thread without acquiring a lock,
aka a race condition. In particular, AttachDevice in dix/devices.c
does not acquire an input lock.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-49737

Upstream patch:
https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../xwayland/xwayland/CVE-2022-49737.patch    | 90 +++++++++++++++++++
 .../xwayland/xwayland_22.1.8.bb               |  1 +
 2 files changed, 91 insertions(+)
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2022-49737.patch

diff --git a/meta/recipes-graphics/xwayland/xwayland/CVE-2022-49737.patch b/meta/recipes-graphics/xwayland/xwayland/CVE-2022-49737.patch
new file mode 100644
index 0000000000..86c9f59f8c
--- /dev/null
+++ b/meta/recipes-graphics/xwayland/xwayland/CVE-2022-49737.patch
@@ -0,0 +1,90 @@
+From dc7cb45482cea6ccec22d117ca0b489500b4d0a0 Mon Sep 17 00:00:00 2001
+From: tholin <thomas.lindroth@gmail.com>
+Date: Tue, 4 Jan 2022 12:08:11 +0000
+Subject: [PATCH] dix: Hold input lock for AttachDevice()
+
+Fix the following race:
+
+Possible data race during read of size 8 at 0xA112510 by thread #6
+Locks held: 1, at address 0x366B40
+   at 0x14C8B9: GetMaster (devices.c:2691)
+   by 0x15CFC5: IsFloating (events.c:346)
+   by 0x2B9554: miPointerGetScreen (mipointer.c:527)
+   by 0x1A5136: xf86PostButtonEventM (xf86Xinput.c:1379)
+   by 0x1A52BD: xf86PostButtonEvent (xf86Xinput.c:1345)
+   by 0x485F45B: EvdevProcessEvent (in /usr/lib64/xorg/modules/input/evdev_drv.so)
+   by 0x485FDAC: EvdevReadInput (in /usr/lib64/xorg/modules/input/evdev_drv.so)
+   by 0x195427: xf86ReadInput (xf86Events.c:247)
+   by 0x2CC113: InputReady (inputthread.c:180)
+   by 0x2CE4EA: ospoll_wait (ospoll.c:657)
+   by 0x2CC077: InputThreadDoWork (inputthread.c:369)
+   by 0x484A336: mythread_wrapper (hg_intercepts.c:406)
+
+This conflicts with a previous write of size 8 by thread #1
+Locks held: none
+   at 0x14D2C6: AttachDevice (devices.c:2609)
+   by 0x15CF85: ReattachToOldMaster (events.c:1457)
+   by 0x1647DD: DeactivateKeyboardGrab (events.c:1700)
+   by 0x25D7F1: ProcXIUngrabDevice (xigrabdev.c:169)
+   by 0x2552AD: ProcIDispatch (extinit.c:398)
+   by 0x155291: Dispatch (dispatch.c:479)
+   by 0x158CBA: dix_main (main.c:276)
+   by 0x143A3D: main (stubmain.c:34)
+ Address 0xa112510 is 336 bytes inside a block of size 904 alloc'd
+   at 0x4846571: calloc (vg_replace_malloc.c:1328)
+   by 0x14A0B3: AddInputDevice (devices.c:260)
+   by 0x1A31A0: xf86ActivateDevice (xf86Xinput.c:365)
+   by 0x1A4549: xf86NewInputDevice (xf86Xinput.c:948)
+   by 0x1A4B44: NewInputDeviceRequest (xf86Xinput.c:1090)
+   by 0x1B81FE: device_added (udev.c:282)
+   by 0x1B8516: config_udev_init (udev.c:439)
+   by 0x1B7091: config_init (config.c:50)
+   by 0x197970: InitInput (xf86Init.c:814)
+   by 0x158C6B: dix_main (main.c:250)
+   by 0x143A3D: main (stubmain.c:34)
+ Block was alloc'd by thread #1
+
+The steps to trigger the race are:
+1. Main thread does cleanup at mipointer.c:360 setting the slave device's
+   miPointerPtr to null.
+2. Input thread use MIPOINTER in mipointer.c and get the slave's
+   miPointerPtr = null.
+3. Main thread updates dev->master at devices.c:2609.
+4. MIPOINTER would now return the master's miPointerPtr but the input
+   thread already got the slave's miPointerPtr in step 2 and segfaults by
+   null ptr deref.
+
+Closes: https://gitlab.freedesktop.org/xorg/xserver/-/issues/1260
+Signed-off-by: Thomas Lindroth <thomas.lindroth@gmail.com>
+
+CVE: CVE-2022-49737
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/dc7cb45482cea6ccec22d117ca0b489500b4d0a0]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ dix/devices.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dix/devices.c b/dix/devices.c
+index 459f1ed..e5a6f02 100644
+--- a/dix/devices.c
++++ b/dix/devices.c
+@@ -2671,6 +2671,8 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master)
+     if (IsFloating(dev) && !master && dev->enabled)
+         return Success;
+
++    input_lock();
++
+     /* free the existing sprite. */
+     if (IsFloating(dev) && dev->spriteInfo->paired == dev) {
+         screen = miPointerGetScreen(dev);
+@@ -2711,6 +2713,7 @@ AttachDevice(ClientPtr client, DeviceIntPtr dev, DeviceIntPtr master)
+         RecalculateMasterButtons(master);
+     }
+
++    input_unlock();
+     /* XXX: in theory, the MD should change back to its old, original
+      * classes when the last SD is detached. Thanks to the XTEST devices,
+      * we'll always have an SD attached until the MD is removed.
+--
+2.40.0
diff --git a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
index 6affd80e22..8b1fc85aab 100644
--- a/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
+++ b/meta/recipes-graphics/xwayland/xwayland_22.1.8.bb
@@ -42,6 +42,7 @@ SRC_URI = "https://www.x.org/archive/individual/xserver/xwayland-${PV}.tar.xz \
            file://CVE-2025-26601-2.patch \
            file://CVE-2025-26601-3.patch \
            file://CVE-2025-26601-4.patch \
+           file://CVE-2022-49737.patch \
 "
 SRC_URI[sha256sum] = "d11eeee73290b88ea8da42a7d9350dedfaba856ce4ae44e58c045ad9ecaa2f73"
 
-- 
2.43.0

[OE-core][kirkstone 6/6] libxcrypt-compat: Remove libcrypt.so to fix conflict with libcrypt

[Steve Sakoman]

From: Robert Yang <liezhi.yang@windriver.com>

Fixed:
IMAGE_INSTALL:append = " libxcrypt-compat"

$ bitbake <image> -cpopulate_sdk
file /usr/lib/libcrypt.so from install of libxcrypt-compat-dev-4.4.33-r0.0.aarch64 conflicts with file from package libcrypt-dev-4.4.33-r0.2.aarch64

Remove libcrypt.so like other files to fix the error.

(From OE-Core rev: dc0c7a8c3d1d4f02869b7f0d42f704fd24bf0dde)

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb b/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb
index ec9f9f4fa3..d5546ce9ba 100644
--- a/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb
+++ b/meta/recipes-core/libxcrypt/libxcrypt-compat_4.4.33.bb
@@ -13,6 +13,6 @@ API = "--enable-obsolete-api"
 do_install:append () {
 	rm -rf ${D}${includedir}
 	rm -rf ${D}${libdir}/pkgconfig
+	rm -rf ${D}${libdir}/libcrypt.so
 	rm -rf ${D}${datadir}
 }
-
-- 
2.43.0

[OE-core][kirkstone 0/6] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, May 13

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1554

The following changes since commit 25ba9895b98715adb66a06e50f644aea2e2c9eb6:

  Revert "cve-update-nvd2-native: Tweak to work better with NFS DL_DIR" (2025-04-29 07:45:33 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Haixiao Yan (1):
  glibc: Add single-threaded fast path to rand()

Hitendra Prajapati (1):
  busybox: fix CVE-2023-39810

Peter Marko (3):
  ghostscript: ignore CVE-2025-27837
  ghostscript: ignore CVE-2024-29507
  qemu: ignore CVE-2023-1386

Praveen Kumar (1):
  connman :fix CVE-2025-32743

 .../connman/connman/CVE-2025-32743.patch      |  43 ++++++
 .../connman/connman_1.41.bb                   |   1 +
 .../busybox/busybox/CVE-2023-39810.patch      | 131 ++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.35.0.bb   |   1 +
 ...dd-single-threaded-fast-path-to-rand.patch |  47 +++++++
 meta/recipes-core/glibc/glibc_2.35.bb         |   1 +
 meta/recipes-devtools/qemu/qemu.inc           |   3 +
 .../ghostscript/ghostscript_9.55.0.bb         |   4 +-
 8 files changed, 230 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2023-39810.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch

-- 
2.43.0