[OE-core][kirkstone 00/10] Patch review

[OE-core][kirkstone 00/10] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Saturday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5680

The following changes since commit dc2e760591c5ed3c999222f235484829426c71a7:

  util-linux: add alternative links for ipcs,ipcrm (2023-07-31 08:12:27 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (3):
  qemu: fix CVE-2023-3301
  qemu: fix CVE-2023-3255
  qemu: fix CVE-2023-2861

Peter Marko (3):
  libpcre2: patch CVE-2022-41409
  libarchive: ignore CVE-2023-30571
  openssl: Upgrade 3.0.9 -> 3.0.10

Sakib Sajal (2):
  go: fix CVE-2023-24536
  go: fix CVE-2023-24531

Sundeep KOKKONDA (1):
  gcc : upgrade to v11.4

Yuta Hayama (1):
  cve-update-nvd2-native: always pass str for json.loads()

 meta/conf/distro/include/maintainers.inc      |   2 +-
 .../{openssl_3.0.9.bb => openssl_3.0.10.bb}   |   2 +-
 .../meta/cve-update-nvd2-native.bb            |   2 +-
 .../gcc/{gcc-11.3.inc => gcc-11.4.inc}        |   6 +-
 ...ian_11.3.bb => gcc-cross-canadian_11.4.bb} |   0
 .../{gcc-cross_11.3.bb => gcc-cross_11.4.bb}  |   0
 ...-crosssdk_11.3.bb => gcc-crosssdk_11.4.bb} |   0
 ...cc-runtime_11.3.bb => gcc-runtime_11.4.bb} |   0
 ...itizers_11.3.bb => gcc-sanitizers_11.4.bb} |   0
 ...{gcc-source_11.3.bb => gcc-source_11.4.bb} |   0
 ...rch64-Update-Neoverse-N2-core-defini.patch |  20 +-
 ...rm-add-armv9-a-architecture-to-march.patch |  54 +--
 ...AMIC_LINKER-and-UCLIBC_DYNAMIC_LINKE.patch | 102 ++---
 ...s-fix-v4bx-to-linker-to-support-EABI.patch |   6 +-
 .../gcc/{gcc_11.3.bb => gcc_11.4.bb}          |   0
 ...initial_11.3.bb => libgcc-initial_11.4.bb} |   0
 .../gcc/{libgcc_11.3.bb => libgcc_11.4.bb}    |   0
 ...ibgfortran_11.3.bb => libgfortran_11.4.bb} |   0
 meta/recipes-devtools/go/go-1.17.13.inc       |   7 +-
 .../go/go-1.19/CVE-2023-24536_1.patch         | 137 +++++++
 .../go/go-1.19/CVE-2023-24536_2.patch         | 187 ++++++++++
 .../go/go-1.19/CVE-2023-24536_3.patch         | 349 ++++++++++++++++++
 .../go/go-1.21/CVE-2023-24531_1.patch         | 252 +++++++++++++
 .../go/go-1.21/CVE-2023-24531_2.patch         |  47 +++
 meta/recipes-devtools/qemu/qemu.inc           |   3 +
 .../qemu/qemu/CVE-2023-2861.patch             | 172 +++++++++
 .../qemu/qemu/CVE-2023-3255.patch             |  64 ++++
 .../qemu/qemu/CVE-2023-3301.patch             |  60 +++
 .../libarchive/libarchive_3.6.2.bb            |   3 +
 .../libpcre/libpcre2/CVE-2022-41409.patch     |  75 ++++
 .../recipes-support/libpcre/libpcre2_10.40.bb |   1 +
 31 files changed, 1451 insertions(+), 100 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.0.9.bb => openssl_3.0.10.bb} (99%)
 rename meta/recipes-devtools/gcc/{gcc-11.3.inc => gcc-11.4.inc} (97%)
 rename meta/recipes-devtools/gcc/{gcc-cross-canadian_11.3.bb => gcc-cross-canadian_11.4.bb} (100%)
 rename meta/recipes-devtools/gcc/{gcc-cross_11.3.bb => gcc-cross_11.4.bb} (100%)
 rename meta/recipes-devtools/gcc/{gcc-crosssdk_11.3.bb => gcc-crosssdk_11.4.bb} (100%)
 rename meta/recipes-devtools/gcc/{gcc-runtime_11.3.bb => gcc-runtime_11.4.bb} (100%)
 rename meta/recipes-devtools/gcc/{gcc-sanitizers_11.3.bb => gcc-sanitizers_11.4.bb} (100%)
 rename meta/recipes-devtools/gcc/{gcc-source_11.3.bb => gcc-source_11.4.bb} (100%)
 rename meta/recipes-devtools/gcc/{gcc_11.3.bb => gcc_11.4.bb} (100%)
 rename meta/recipes-devtools/gcc/{libgcc-initial_11.3.bb => libgcc-initial_11.4.bb} (100%)
 rename meta/recipes-devtools/gcc/{libgcc_11.3.bb => libgcc_11.4.bb} (100%)
 rename meta/recipes-devtools/gcc/{libgfortran_11.3.bb => libgfortran_11.4.bb} (100%)
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24536_1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24536_2.patch
 create mode 100644 meta/recipes-devtools/go/go-1.19/CVE-2023-24536_3.patch
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-24531_1.patch
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-24531_2.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3301.patch
 create mode 100644 meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch

-- 
2.34.1

[OE-core][kirkstone 00/10] Patch review

[Steve Sakoman]

Please review this set of patches for kirkstone and have comments back by
end of day Thursday, October 5

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5984

except for the meta-aws test, which breaks due to recent commits there.  Maintainer notified.

The following changes since commit 7e177848f97eb9958619c28b5e5dadee12f67507:

  kernel.bbclass: Add force flag to rm calls (2023-09-27 06:09:46 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bruce Ashfield (5):
  linux-yocto/5.10: update to v5.10.189
  linux-yocto/5.10: update to v5.10.191
  linux-yocto/5.10: update to v5.10.192
  linux-yocto/5.10: update to v5.10.194
  linux-yocto/5.10: update to v5.10.197

Martin Jansa (2):
  ccache: fix build with gcc-13
  fontcache.bbclass: avoid native recipes depending on target fontconfig

Narpat Mali (1):
  python3-jinja2: fix for the ptest result format

Peter Marko (1):
  json-c: define CVE_VERSION

Shubham Kulkarni (1):
  go: Update fix for CVE-2023-24538 & CVE-2023-39318

 meta/classes/fontcache.bbclass                |   1 +
 ...x-FTBFS-with-not-yet-released-GCC-13.patch |  92 +++
 meta/recipes-devtools/ccache/ccache_4.6.bb    |   4 +-
 meta/recipes-devtools/go/go-1.17.13.inc       |   3 +-
 .../go/go-1.18/CVE-2023-24538_1.patch         | 597 ++++++++++++++++++
 ...023-24538.patch => CVE-2023-24538_2.patch} | 175 ++++-
 .../go/go-1.21/CVE-2023-39318.patch           |  44 +-
 meta/recipes-devtools/json-c/json-c_0.15.bb   |   3 +
 .../python/python3-jinja2/run-ptest           |   2 +-
 .../linux/linux-yocto-rt_5.10.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.10.bb            |   8 +-
 meta/recipes-kernel/linux/linux-yocto_5.10.bb |  24 +-
 12 files changed, 921 insertions(+), 38 deletions(-)
 create mode 100644 meta/recipes-devtools/ccache/ccache/0001-build-Fix-FTBFS-with-not-yet-released-GCC-13.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2023-24538_1.patch
 rename meta/recipes-devtools/go/go-1.18/{CVE-2023-24538.patch => CVE-2023-24538_2.patch} (53%)

-- 
2.34.1

[OE-core][kirkstone 00/10] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, October 20

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6064

with the exception of a known vim reproducibilty error in the vim-common
package where depending on worker we are seeing either:

"Content-Type:·text/plain;·charset=CP1251\n"

or

"Content-Type:·text/plain;·charset=cp1251\n"

The issue is still under investigation, but is unrelated to this patch set.


The following changes since commit 2572b32e729831762790ebfbf930a1140657faea:

  apt: add missing <cstdint> for uint16_t (2023-10-13 05:32:41 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Armin Kuster (1):
  binutils: CVE-2022-48063

Chaitanya Vadrevu (3):
  binutils: Fix CVE-2022-47695
  binutils: Mark CVE-2022-47673 as patched
  binutils: Mark CVE-2022-47696 as patched

Deepthi Hemraj (2):
  binutils: Fix CVE-2022-47008
  binutils: Fix CVE-2022-47011

Hitendra Prajapati (1):
  libtiff: Add fix for tiffcrop CVE-2023-1916

Quentin Schulz (1):
  uboot-extlinux-config.bbclass: fix missed override syntax migration

Siddharth Doshi (2):
  tiff: Security fix for CVE-2023-40745
  libxpm: upgrade to 3.5.17

 meta/classes/uboot-extlinux-config.bbclass    |  2 +-
 .../binutils/binutils-2.38.inc                |  4 +
 .../binutils/0022-CVE-2023-25584-3.patch      |  2 +
 .../binutils/0025-CVE-2023-25588.patch        |  2 +
 .../binutils/0027-CVE-2022-47008.patch        | 67 +++++++++++++
 .../binutils/0028-CVE-2022-47011.patch        | 35 +++++++
 .../binutils/0031-CVE-2022-47695.patch        | 58 +++++++++++
 .../binutils/binutils/CVE-2022-48063.patch    | 48 +++++++++
 .../{libxpm_3.5.16.bb => libxpm_3.5.17.bb}    |  2 +-
 .../libtiff/tiff/CVE-2023-1916.patch          | 99 +++++++++++++++++++
 .../libtiff/tiff/CVE-2023-40745.patch         | 34 +++++++
 meta/recipes-multimedia/libtiff/tiff_4.3.0.bb |  2 +
 12 files changed, 353 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0027-CVE-2022-47008.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0028-CVE-2022-47011.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0031-CVE-2022-47695.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2022-48063.patch
 rename meta/recipes-graphics/xorg-lib/{libxpm_3.5.16.bb => libxpm_3.5.17.bb} (88%)
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-1916.patch
 create mode 100644 meta/recipes-multimedia/libtiff/tiff/CVE-2023-40745.patch

-- 
2.34.1

[OE-core][kirkstone 00/10] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 18

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/6811

The following changes since commit 26a878cbfbb3bc7a6e892e105577ebf8138ce150:

  common-licenses: Backport missing license (2024-04-02 08:04:42 -1000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alex Stewart (1):
  perl: ignore CVE-2023-47100

Jonathan GUILLOT (1):
  cups: fix typo in CVE-2023-32360 backport patch

Khem Raj (1):
  tcl: Add a way to skip ptests

Peter Marko (2):
  openssl: patch CVE-2024-2511
  ncurses: patch CVE-2023-50495

Ross Burton (2):
  tcl: skip timing-dependent tests in run-ptest
  tcl: skip async and event tests in run-ptest

Sana Kazi (1):
  openssh: Add CVE-2023-51767 to CVE_CHECK_IGNORE

Steve Sakoman (1):
  Revert "expat: fix CVE-2023-52425"

Vijay Anusuri (1):
  xserver-xorg: Fix for CVE-2024-31080 and CVE-2024-31081

 .../openssh/openssh_8.9p1.bb                  |   5 +
 .../openssl/openssl/CVE-2024-2511.patch       | 122 ++++++++++
 .../openssl/openssl_3.0.13.bb                 |   1 +
 .../expat/expat/CVE-2023-52425-0001.patch     |  40 ----
 .../expat/expat/CVE-2023-52425-0002.patch     |  87 -------
 .../expat/expat/CVE-2023-52425-0003.patch     | 222 ------------------
 .../expat/expat/CVE-2023-52425-0004.patch     |  42 ----
 .../expat/expat/CVE-2023-52425-0005.patch     |  69 ------
 .../expat/expat/CVE-2023-52425-0006.patch     |  67 ------
 .../expat/expat/CVE-2023-52425-0007.patch     | 159 -------------
 .../expat/expat/CVE-2023-52425-0008.patch     |  95 --------
 .../expat/expat/CVE-2023-52425-0009.patch     |  52 ----
 .../expat/expat/CVE-2023-52425-0010.patch     | 111 ---------
 .../expat/expat/CVE-2023-52425-0011.patch     |  89 -------
 .../expat/expat/CVE-2023-52425-0012.patch     |  87 -------
 meta/recipes-core/expat/expat_2.5.0.bb        |  12 -
 .../ncurses/files/CVE-2023-50495.patch        |  81 +++++++
 .../ncurses/ncurses_6.3+20220423.bb           |   1 +
 meta/recipes-devtools/perl/perl_5.34.3.bb     |   3 +
 meta/recipes-devtools/tcltk/tcl/run-ptest     |   6 +-
 meta/recipes-devtools/tcltk/tcl_8.6.11.bb     |   5 +
 .../cups/cups/CVE-2023-32360.patch            |   2 +-
 .../xserver-xorg/CVE-2024-31080.patch         |  49 ++++
 .../xserver-xorg/CVE-2024-31081.patch         |  47 ++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |   2 +
 25 files changed, 322 insertions(+), 1134 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-2511.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0001.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0002.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0003.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0004.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0005.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0006.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0007.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0009.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0010.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0011.patch
 delete mode 100644 meta/recipes-core/expat/expat/CVE-2023-52425-0012.patch
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2023-50495.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31080.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2024-31081.patch

-- 
2.34.1

[OE-core][kirkstone 00/10] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, April 10

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1367

The following changes since commit 1efbe1004bc82e7c14c1e8bd4ce644f5015c3346:

  build-appliance-image: Update to kirkstone head revision (2025-04-04 08:43:24 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Haixiao Yan (1):
  glibc: Add single-threaded fast path to rand()

Peter Marko (2):
  ofono: patch CVE-2024-7537
  qemu: ignore CVE-2023-1386

Vijay Anusuri (6):
  ghostscript: Fix CVE-2025-27830
  ghostscript: Fix CVE-2025-27831
  ghostscript: Fix CVE-2025-27832
  ghostscript: Fix CVE-2025-27834
  ghostscript: Fix CVE-2025-27835
  ghostscript: Fix CVE-2025-27836

Yogita Urade (1):
  curl: ignore CVE-2025-0725

 .../ofono/ofono/CVE-2024-7537.patch           | 59 +++++++++++++
 meta/recipes-connectivity/ofono/ofono_1.34.bb |  1 +
 ...dd-single-threaded-fast-path-to-rand.patch | 47 +++++++++++
 meta/recipes-core/glibc/glibc_2.35.bb         |  1 +
 meta/recipes-devtools/qemu/qemu.inc           |  3 +
 .../ghostscript/CVE-2025-27830.patch          | 79 +++++++++++++++++
 .../ghostscript/CVE-2025-27831-pre1.patch     | 50 +++++++++++
 .../ghostscript/CVE-2025-27831.patch          | 84 +++++++++++++++++++
 .../ghostscript/CVE-2025-27832.patch          | 45 ++++++++++
 .../ghostscript/CVE-2025-27834.patch          | 57 +++++++++++++
 .../ghostscript/CVE-2025-27835.patch          | 34 ++++++++
 .../ghostscript/CVE-2025-27836-1.patch        | 64 ++++++++++++++
 .../ghostscript/CVE-2025-27836-2.patch        | 46 ++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |  8 ++
 meta/recipes-support/curl/curl_7.82.0.bb      |  2 +
 15 files changed, 580 insertions(+)
 create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch
 create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch

-- 
2.43.0

[OE-core][kirkstone 01/10] curl: ignore CVE-2025-0725

[Steve Sakoman]

From: Yogita Urade <yogita.urade@windriver.com>

CVE-2025-0725 can only trigger for curl when using a runtime
zlib version 1.2.0.3 or older and kirkstone supports
zlib 1.2.11 version, hence ignore cve for kirkstone.

Reference:
https://curl.se/docs/CVE-2025-0725.html
https://git.openembedded.org/openembedded-core/commit/?h=scarthgap&id=8c3b4a604b40260e7ca9575715dd8017e17d35c0

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/curl/curl_7.82.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/curl/curl_7.82.0.bb b/meta/recipes-support/curl/curl_7.82.0.bb
index cda42da4d3..748afc1235 100644
--- a/meta/recipes-support/curl/curl_7.82.0.bb
+++ b/meta/recipes-support/curl/curl_7.82.0.bb
@@ -73,6 +73,8 @@ CVE_PRODUCT = "haxx:curl haxx:libcurl curl:curl curl:libcurl libcurl:libcurl dan
 CVE_CHECK_IGNORE += "CVE-2023-42915"
 # ignored: CURLOPT_SSL_VERIFYPEER was disabled on google cloud services causing a potential man in the middle attack
 CVE_CHECK_IGNORE += "CVE-2024-32928"
+# ignored: gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, using zlib 1.2.0.3 or older
+CVE_CHECK_IGNORE += "CVE-2025-0725"
 
 inherit autotools pkgconfig binconfig multilib_header
 
-- 
2.43.0

[OE-core][kirkstone 02/10] ofono: patch CVE-2024-7537

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Pick commit
https://web.git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ofono/ofono/CVE-2024-7537.patch           | 59 +++++++++++++++++++
 meta/recipes-connectivity/ofono/ofono_1.34.bb |  1 +
 2 files changed, 60 insertions(+)
 create mode 100644 meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch

diff --git a/meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch
new file mode 100644
index 0000000000..518b042d5b
--- /dev/null
+++ b/meta/recipes-connectivity/ofono/ofono/CVE-2024-7537.patch
@@ -0,0 +1,59 @@
+From e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb Mon Sep 17 00:00:00 2001
+From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Date: Sun, 16 Mar 2025 12:26:42 +0200
+Subject: [PATCH] qmi: sms: Fix possible out-of-bounds read
+
+Fixes: CVE-2024-7537
+
+CVE: CVE-2024-7537
+Upstream-Status: Backport [https://web.git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=e6d8d526d5077c0b6ab459efeb6b882c28e0fdeb]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ drivers/qmimodem/sms.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/qmimodem/sms.c b/drivers/qmimodem/sms.c
+index 3e2bef6e..75863480 100644
+--- a/drivers/qmimodem/sms.c
++++ b/drivers/qmimodem/sms.c
+@@ -485,6 +485,8 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
+ 	const struct qmi_wms_result_msg_list *list;
+ 	uint32_t cnt = 0;
+ 	uint16_t tmp;
++	uint16_t length;
++	size_t msg_size;
+ 
+ 	DBG("");
+ 
+@@ -494,7 +496,7 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
+ 		goto done;
+ 	}
+ 
+-	list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, NULL);
++	list = qmi_result_get(result, QMI_WMS_RESULT_MSG_LIST, &length);
+ 	if (list == NULL) {
+ 		DBG("Err: get msg list empty");
+ 		goto done;
+@@ -503,6 +505,13 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
+ 	cnt = GUINT32_FROM_LE(list->cnt);
+ 	DBG("msgs found %d", cnt);
+ 
++	msg_size = cnt * sizeof(list->msg[0]);
++
++	if (length != sizeof(list->cnt) + msg_size) {
++		DBG("Err: invalid msg list count");
++		goto done;
++	}
++
+ 	for (tmp = 0; tmp < cnt; tmp++) {
+ 		DBG("unread type %d ndx %d", list->msg[tmp].type,
+ 			GUINT32_FROM_LE(list->msg[tmp].ndx));
+@@ -516,8 +525,6 @@ static void get_msg_list_cb(struct qmi_result *result, void *user_data)
+ 
+ 	/* save list and get 1st msg */
+ 	if (cnt) {
+-		int msg_size = cnt * sizeof(list->msg[0]);
+-
+ 		data->msg_list = g_try_malloc0(sizeof(list->cnt) + msg_size);
+ 		if (data->msg_list == NULL)
+ 			goto done;
diff --git a/meta/recipes-connectivity/ofono/ofono_1.34.bb b/meta/recipes-connectivity/ofono/ofono_1.34.bb
index 1083b91d56..9f11af9236 100644
--- a/meta/recipes-connectivity/ofono/ofono_1.34.bb
+++ b/meta/recipes-connectivity/ofono/ofono_1.34.bb
@@ -25,6 +25,7 @@ SRC_URI = "\
     file://CVE-2024-7546.patch \
     file://CVE-2024-7547.patch \
     file://CVE-2024-7540_CVE-2024-7541_CVE-2024-7542.patch \
+    file://CVE-2024-7537.patch \
 "
 SRC_URI[sha256sum] = "c0b96d3013447ec2bcb74579bef90e4e59c68dbfa4b9c6fbce5d12401a43aac7"
 
-- 
2.43.0

[OE-core][kirkstone 03/10] ghostscript: Fix CVE-2025-27830

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ghostscript/CVE-2025-27830.patch          | 79 +++++++++++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |  1 +
 2 files changed, 80 insertions(+)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch
new file mode 100644
index 0000000000..a516b8ad41
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27830.patch
@@ -0,0 +1,79 @@
+From 8474e1d6b896e35741d3c608ea5c21deeec1078f Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 13 Jan 2025 09:15:01 +0000
+Subject: [PATCH] Bug 708241: Fix potential Buffer overflow with DollarBlend
+
+During serializing a multiple master font for passing to Freetype.
+
+Use CVE-2025-27830
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8474e1d6b896e35741d3c608ea5c21deeec1078f]
+CVE: CVE-2025-27830
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ base/write_t1.c | 7 ++++---
+ psi/zfapi.c     | 9 +++++++--
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/base/write_t1.c b/base/write_t1.c
+index 52902be..d6b2454 100644
+--- a/base/write_t1.c
++++ b/base/write_t1.c
+@@ -628,6 +628,7 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
+     WRF_wbyte(a_fapi_font->memory, a_output, '\n');
+     if (is_MM_font(a_fapi_font)) {
+         short x, x2;
++        unsigned short ux;
+         float x1;
+         uint i, j, entries;
+         char Buffer[255];
+@@ -759,16 +760,16 @@ write_main_dictionary(gs_fapi_font * a_fapi_font, WRF_output * a_output, int Wri
+          */
+         code = a_fapi_font->get_word(a_fapi_font,
+                                    gs_fapi_font_feature_DollarBlend_length,
+-                                   0, (unsigned short *)&x);
++                                   0, &ux);
+         if (code < 0)
+             return code;
+ 
+-        if (x > 0) {
++        if (ux > 0) {
+             int len;
+             WRF_wstring(a_fapi_font->memory, a_output, "/$Blend {");
+ 
+             if (a_output->m_count)
+-                a_output->m_count += x;
++                a_output->m_count += ux;
+             len = a_fapi_font->get_proc(a_fapi_font,
+                                       gs_fapi_font_feature_DollarBlend, 0,
+                                       (char *)a_output->m_pos);
+diff --git a/psi/zfapi.c b/psi/zfapi.c
+index 0b3ab1c..1ffef47 100644
+--- a/psi/zfapi.c
++++ b/psi/zfapi.c
+@@ -682,7 +682,7 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
+                 }
+                 for (i = 0; i < r_size(DBlend); i++) {
+                     if (array_get(ff->memory, DBlend, i, &Element) < 0) {
+-                        *ret = 0;
++                        length = 0;
+                         break;
+                     }
+                     switch (r_btype(&Element)) {
+@@ -709,7 +709,12 @@ FAPI_FF_get_word(gs_fapi_font *ff, gs_fapi_font_feature var_id, int index, unsig
+                         default:
+                             break;
+                     }
+-                }
++
++		    if (length > max_ushort) {
++			length = 0;
++			break;
++                    }
++		}
+                 *ret = length;
+                 break;
+             }
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 6d425710b5..dae8dff813 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -62,6 +62,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://CVE-2024-46953.patch \
                 file://CVE-2024-46955.patch \
                 file://CVE-2024-46956.patch \
+                file://CVE-2025-27830.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.43.0

[OE-core][kirkstone 04/10] ghostscript: Fix CVE-2025-27831

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647
&
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ghostscript/CVE-2025-27831-pre1.patch     | 50 +++++++++++
 .../ghostscript/CVE-2025-27831.patch          | 84 +++++++++++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |  2 +
 3 files changed, 136 insertions(+)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch
new file mode 100644
index 0000000000..bdf597f38e
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831-pre1.patch
@@ -0,0 +1,50 @@
+Partial backport of:
+
+From bf79b61cb1677d6865c45d397435848a21e8a647 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Tue, 27 Sep 2022 13:03:57 +0100
+Subject: [PATCH] PCL interpreter - fix decode_glyph for Unicode
+
+The text extraction (and pdfwrite family) expect that decode_glyph
+should always return pairs of bytes (an assumption that Unicode code
+points are 2 bytes), and the return value from the routine should be
+the number of bytes required to hold the value.
+
+The PCL decode_glyph routine however was simply returning 1, which
+caused the text extraction code some difficulty since it wasn't
+expecting that.
+
+This commit firstly alters the text extraction code to cope 'better'
+with a decode_glyph routine which returns an odd value (basically
+ignore it and fall back to using the character code).
+
+We also alter the pl_decode_glyph routine to return 2 instead of 1,
+so that it correctly tells the caller that it is returning 2 bytes.
+Finally we make sure that the returned value is big-endian, because the
+text extraction code assumes it will be.
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=bf79b61cb1677d6865c45d397435848a21e8a647]
+CVE: CVE-2025-27831 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ devices/vector/doc_common.c |  8 ++++++++
+ pcl/pl/plfont.c             | 12 +++++++++---
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+
+--- a/devices/vector/doc_common.c
++++ b/devices/vector/doc_common.c
+@@ -513,6 +513,14 @@ int txt_get_unicode(gx_device *dev, gs_f
+         char *b, *u;
+         int l = length - 1;
+ 
++        /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly
++         * 2 bytes. If we got an odd number, give up and return the character code.
++         */
++        if (length & 1) {
++            *Buffer = fallback;
++            return 1;
++        }
++
+         unicode = (ushort *)gs_alloc_bytes(dev->memory, length, "temporary Unicode array");
+         length = font->procs.decode_glyph((gs_font *)font, glyph, ch, unicode, length);
+ #if ARCH_IS_BIG_ENDIAN
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch
new file mode 100644
index 0000000000..8956d276d1
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27831.patch
@@ -0,0 +1,84 @@
+From d6e713dda4f8d75c6a4ed8c7568a0d4f532dcb17 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Thu, 21 Nov 2024 10:04:17 +0000
+Subject: Prevent Unicode decoding overrun
+
+Bug #708132 "Text buffer overflow with long characters"
+
+The txt_get_unicode function was copying too few bytes from the
+fixed glyph name to unicode mapping tables. This was probably
+causing incorrect Unicode code points in relatively rare cases but
+not otherwise a problem.
+
+However, a badly formed GlyphNames2Unicode array attached to a font
+could cause the decoding to spill over the assigned buffer.
+
+We really should rewrite the Unicode handling, but until we do just
+checking that the length is no more than 4 Unicode code points is
+enough to prevent an overrun. All the current clients allocate at least
+4 code points per character code.
+
+Added a comment to explain the magic number.
+
+CVE-2025-27831
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d6e713dda4f8d75c6a4ed8c7568a0d4f532dcb17]
+CVE: CVE-2025-27831
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ devices/vector/doc_common.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/devices/vector/doc_common.c b/devices/vector/doc_common.c
+index 690f8eaed..05fb3d51f 100644
+--- a/devices/vector/doc_common.c
++++ b/devices/vector/doc_common.c
+@@ -479,7 +479,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+                     }
+                     if (strlen(dentry->Glyph) == gnstr.size) {
+                         if(memcmp(gnstr.data, dentry->Glyph, gnstr.size) == 0) {
+-                            memcpy(Buffer, dentry->Unicode, 2);
++                            memcpy(Buffer, dentry->Unicode, 2 * sizeof(unsigned short));
+                             return 2;
+                         }
+                     }
+@@ -497,7 +497,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+                     }
+                     if (strlen(tentry->Glyph) == gnstr.size) {
+                         if(memcmp(gnstr.data, tentry->Glyph, gnstr.size) == 0) {
+-                            memcpy(Buffer, tentry->Unicode, 3);
++                            memcpy(Buffer, tentry->Unicode, 3 * sizeof(unsigned short));
+                             return 3;
+                         }
+                     }
+@@ -515,7 +515,7 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+                     }
+                     if (strlen(qentry->Glyph) == gnstr.size) {
+                         if(memcmp(gnstr.data, qentry->Glyph, gnstr.size) == 0) {
+-                            memcpy(Buffer, qentry->Unicode, 4);
++                            memcpy(Buffer, qentry->Unicode, 4 * sizeof(unsigned short));
+                             return 4;
+                         }
+                     }
+@@ -527,12 +527,16 @@ int txt_get_unicode(gx_device *dev, gs_font *font, gs_glyph glyph, gs_char ch, u
+         return 1;
+     } else {
+         char *b, *u;
+-        int l = length - 1;
++        int l;
+ 
+         /* Real Unicode values should be at least 2 bytes. In fact I think the code assumes exactly
+          * 2 bytes. If we got an odd number, give up and return the character code.
++         *
++         * The magic number here is due to the clients calling this code. Currently txtwrite and docxwrite
++         * allow up to 4 Unicode values per character/glyph, if the length would exceed that we can't
++         * write it. For now, again, fall back to the character code.
+          */
+-        if (length & 1) {
++        if (length & 1 || length > 4 * sizeof(unsigned short)) {
+             *Buffer = fallback;
+             return 1;
+         }
+-- 
+cgit v1.2.3
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index dae8dff813..94a21d1dce 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -63,6 +63,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://CVE-2024-46955.patch \
                 file://CVE-2024-46956.patch \
                 file://CVE-2025-27830.patch \
+                file://CVE-2025-27831-pre1.patch \
+                file://CVE-2025-27831.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.43.0

[OE-core][kirkstone 05/10] ghostscript: Fix CVE-2025-27832

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ghostscript/CVE-2025-27832.patch          | 45 +++++++++++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch
new file mode 100644
index 0000000000..c3a328bcc9
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27832.patch
@@ -0,0 +1,45 @@
+From 57291c846334f1585552010faa42d7cb2cbd5c41 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Wed, 20 Nov 2024 11:42:31 +0000
+Subject: Bug 708133: Avoid integer overflow leading to buffer overflow
+
+The calculation of the buffer size was being done with int values, and
+overflowing that data type. By leaving the total size calculation to the
+memory manager, the calculation ends up being done in size_t values, and
+avoiding the overflow in this case, but also meaning the memory manager
+overflow protection will be effective.
+
+CVE-2025-27832
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=57291c846334f1585552010faa42d7cb2cbd5c41]
+CVE: CVE-2025-27832
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ contrib/japanese/gdevnpdl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/contrib/japanese/gdevnpdl.c b/contrib/japanese/gdevnpdl.c
+index 60065bacf..4967282bd 100644
+--- a/contrib/japanese/gdevnpdl.c
++++ b/contrib/japanese/gdevnpdl.c
+@@ -587,7 +587,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+     int code;
+     int maxY = lprn->BlockLine / lprn->nBh * lprn->nBh;
+ 
+-    if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)")))
++    if (!(lprn->CompBuf = gs_malloc(pdev->memory->non_gc_memory, line_size, maxY, "npdl_print_page_copies(CompBuf)")))
+         return_error(gs_error_VMerror);
+ 
+         /* Initialize printer */
+@@ -683,7 +683,7 @@ npdl_print_page_copies(gx_device_printer * pdev, gp_file * prn_stream, int num_c
+     /* Form Feed */
+     gp_fputs("\014", prn_stream);
+ 
+-    gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size * maxY, sizeof(byte), "npdl_print_page_copies(CompBuf)");
++    gs_free(pdev->memory->non_gc_memory, lprn->CompBuf, line_size, maxY, "npdl_print_page_copies(CompBuf)");
+     return 0;
+ }
+ 
+-- 
+cgit v1.2.3
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 94a21d1dce..284ae3a28e 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -65,6 +65,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://CVE-2025-27830.patch \
                 file://CVE-2025-27831-pre1.patch \
                 file://CVE-2025-27831.patch \
+                file://CVE-2025-27832.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.43.0

[OE-core][kirkstone 06/10] ghostscript: Fix CVE-2025-27834

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ef42ff180a04926e187d40faea40d4a43e304e3b]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ghostscript/CVE-2025-27834.patch          | 57 +++++++++++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |  1 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch
new file mode 100644
index 0000000000..66e13ca729
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27834.patch
@@ -0,0 +1,57 @@
+From ef42ff180a04926e187d40faea40d4a43e304e3b Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 20 Jan 2025 16:13:46 +0000
+Subject: [PATCH] PDF interpreter - Guard against unsigned int overflow
+
+Bug #708253 - see bug report for details.
+
+CVE-2025-27834
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ef42ff180a04926e187d40faea40d4a43e304e3b]
+CVE: CVE-2025-27834
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pdf/pdf_func.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/pdf/pdf_func.c b/pdf/pdf_func.c
+index 9b7d5bb..423e544 100644
+--- a/pdf/pdf_func.c
++++ b/pdf/pdf_func.c
+@@ -153,6 +153,9 @@ pdfi_parse_type4_func_stream(pdf_context *ctx, pdf_c_stream *function_stream, in
+     byte *p = (ops ? ops + *size : NULL);
+ 
+     do {
++	if (*size > max_uint / 2)
++	    return gs_note_error(gs_error_VMerror);
++
+         code = pdfi_read_bytes(ctx, &c, 1, 1, function_stream);
+         if (code < 0)
+             break;
+@@ -318,6 +321,11 @@ pdfi_build_function_4(pdf_context *ctx, gs_function_params_t * mnDR,
+     if (code < 0)
+         goto function_4_error;
+ 
++    if (size > max_uint - 1) {
++	code = gs_note_error(gs_error_VMerror);
++	goto function_4_error;
++    }
++
+     ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_function_4(ops)");
+     if (ops == NULL) {
+         code = gs_error_VMerror;
+@@ -816,6 +824,11 @@ int pdfi_build_halftone_function(pdf_context *ctx, gs_function_t ** ppfn, byte *
+     if (code < 0)
+         goto halftone_function_error;
+ 
++    if (size > max_uint - 1) {
++	code = gs_note_error(gs_error_VMerror);
++	goto halftone_function_error;
++    }
++
+     ops = gs_alloc_string(ctx->memory, size + 1, "pdfi_build_halftone_function(ops)");
+     if (ops == NULL) {
+         code = gs_error_VMerror;
+-- 
+2.25.1
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 284ae3a28e..376d4a300e 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -66,6 +66,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://CVE-2025-27831-pre1.patch \
                 file://CVE-2025-27831.patch \
                 file://CVE-2025-27832.patch \
+                file://CVE-2025-27834.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.43.0

[OE-core][kirkstone 07/10] ghostscript: Fix CVE-2025-27835

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=de900010a6f2310d1fd54e99eeba466693da0e13]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ghostscript/CVE-2025-27835.patch          | 34 +++++++++++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |  1 +
 2 files changed, 35 insertions(+)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch
new file mode 100644
index 0000000000..9cdefc5201
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27835.patch
@@ -0,0 +1,34 @@
+From de900010a6f2310d1fd54e99eeba466693da0e13 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Wed, 20 Nov 2024 11:27:52 +0000
+Subject: Bug 708131: Fix confusion between bytes and shorts
+
+We were copying data from a string in multiple of shorts, rather than multiple
+of bytes, leading to both an read (probably benign, given the memory manager)
+and write buffer overflow.
+
+CVE-2025-27835
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=de900010a6f2310d1fd54e99eeba466693da0e13]
+CVE: CVE-2025-27835
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ psi/zbfont.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/psi/zbfont.c b/psi/zbfont.c
+index acffb39ef..5850ab54d 100644
+--- a/psi/zbfont.c
++++ b/psi/zbfont.c
+@@ -253,7 +253,7 @@ gs_font_map_glyph_to_unicode(gs_font *font, gs_glyph glyph, int ch, ushort *u, u
+                     if (l > length)
+                         return l;
+ 
+-                    memcpy(unicode_return, v->value.const_bytes, l * sizeof(short));
++                    memcpy(unicode_return, v->value.const_bytes, l);
+                     return l;
+                 }
+                 if (r_type(v) == t_integer) {
+-- 
+cgit v1.2.3
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index 376d4a300e..abc0238ddc 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -67,6 +67,7 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://CVE-2025-27831.patch \
                 file://CVE-2025-27832.patch \
                 file://CVE-2025-27834.patch \
+                file://CVE-2025-27835.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.43.0

[OE-core][kirkstone 08/10] ghostscript: Fix CVE-2025-27836

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport
[https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8b6d19b2b4079da6863ef25f2370f25d4b054919
&
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d84efb73723384a8b7fb3989c824cfa218060085]

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ghostscript/CVE-2025-27836-1.patch        | 64 +++++++++++++++++++
 .../ghostscript/CVE-2025-27836-2.patch        | 46 +++++++++++++
 .../ghostscript/ghostscript_9.55.0.bb         |  2 +
 3 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch
 create mode 100644 meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch

diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch
new file mode 100644
index 0000000000..bd32456b99
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-1.patch
@@ -0,0 +1,64 @@
+From 8b6d19b2b4079da6863ef25f2370f25d4b054919 Mon Sep 17 00:00:00 2001
+From: Zdenek Hutyra <zhutyra@centrum.cz>
+Date: Mon, 13 Jan 2025 09:07:57 +0000
+Subject: Bug 708192: Fix potential print buffer overflow
+
+CVE-2025-27836
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=8b6d19b2b4079da6863ef25f2370f25d4b054919]
+CVE: CVE-2025-27836
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ contrib/japanese/gdev10v.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
+index 0bd3cec02..9d27573dc 100644
+--- a/contrib/japanese/gdev10v.c
++++ b/contrib/japanese/gdev10v.c
+@@ -199,17 +199,25 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
+         int bytes_per_column = bits_per_column / 8;
+         int x_skip_unit = bytes_per_column * (xres / 180);
+         int y_skip_unit = (yres / 180);
+-        byte *in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
+-        /* We need one extra byte in <out> for our sentinel. */
+-        byte *out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
++        byte *in, *out;
+         int lnum = 0;
+         int y_skip = 0;
+         int code = 0;
+         int blank_lines = 0;
+         int bytes_per_data = ((xres == 360) && (yres == 360)) ? 1 : 3;
+ 
+-        if ( in == 0 || out == 0 )
+-                return -1;
++        if (bits_per_column == 0 || line_size > (max_int - 1) / bits_per_column) {
++            code = gs_note_error(gs_error_rangecheck);
++            goto error;
++        }
++
++        in = (byte *)gs_malloc(pdev->memory->non_gc_memory, 8, line_size, "bj10v_print_page(in)");
++        /* We need one extra byte in <out> for our sentinel. */
++        out = (byte *)gs_malloc(pdev->memory->non_gc_memory, bits_per_column * line_size + 1, 1, "bj10v_print_page(out)");
++        if ( in == NULL || out == NULL ) {
++            code = gs_note_error(gs_error_VMerror);
++            goto error;
++        }
+ 
+         /* Initialize the printer. */
+         prn_puts(pdev, "\033@");
+@@ -320,8 +328,10 @@ notz:
+            }
+ 
+         /* Eject the page */
+-xit:	prn_putc(pdev, 014);	/* form feed */
++xit:
++        prn_putc(pdev, 014); /* form feed */
+         prn_flush(pdev);
++error:
+         gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
+         gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
+         return code;
+-- 
+cgit v1.2.3
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch
new file mode 100644
index 0000000000..2e3817bdae
--- /dev/null
+++ b/meta/recipes-extended/ghostscript/ghostscript/CVE-2025-27836-2.patch
@@ -0,0 +1,46 @@
+From d84efb73723384a8b7fb3989c824cfa218060085 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <Ken.Sharp@artifex.com>
+Date: Thu, 13 Mar 2025 11:01:16 +0000
+Subject: Fix Coverity IDs 457699 and 457700
+
+Not sure if Coverity has been updated, this is ancient contrib code
+which has not changed for a long time.
+
+However, fix the warning by initialising the pointers to NULL, and then
+avoid trying to free them if they are NULL.
+
+Upstream-Status: Backport [https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d84efb73723384a8b7fb3989c824cfa218060085]
+CVE: CVE-2025-27836
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ contrib/japanese/gdev10v.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/japanese/gdev10v.c b/contrib/japanese/gdev10v.c
+index 9d27573dc..4d47200e5 100644
+--- a/contrib/japanese/gdev10v.c
++++ b/contrib/japanese/gdev10v.c
+@@ -199,7 +199,7 @@ bj10v_print_page(gx_device_printer *pdev, gp_file *prn_stream)
+         int bytes_per_column = bits_per_column / 8;
+         int x_skip_unit = bytes_per_column * (xres / 180);
+         int y_skip_unit = (yres / 180);
+-        byte *in, *out;
++        byte *in = NULL, *out = NULL;
+         int lnum = 0;
+         int y_skip = 0;
+         int code = 0;
+@@ -332,7 +332,9 @@ xit:
+         prn_putc(pdev, 014); /* form feed */
+         prn_flush(pdev);
+ error:
+-        gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
+-        gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
++        if (out != NULL)
++            gs_free(pdev->memory->non_gc_memory, (char *)out, bits_per_column, line_size, "bj10v_print_page(out)");
++        if (in != NULL)
++            gs_free(pdev->memory->non_gc_memory, (char *)in, 8, line_size, "bj10v_print_page(in)");
+         return code;
+ }
+-- 
+cgit v1.2.3
+
diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
index abc0238ddc..8499bb3676 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -68,6 +68,8 @@ SRC_URI_BASE = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/d
                 file://CVE-2025-27832.patch \
                 file://CVE-2025-27834.patch \
                 file://CVE-2025-27835.patch \
+                file://CVE-2025-27836-1.patch \
+                file://CVE-2025-27836-2.patch \
 "
 
 SRC_URI = "${SRC_URI_BASE} \
-- 
2.43.0

[OE-core][kirkstone 09/10] qemu: ignore CVE-2023-1386

[Steve Sakoman]

From: Peter Marko <peter.marko@siemens.com>

Upstream Repository: https://gitlab.com/qemu-project/qemu.git

Bug Details:  https://nvd.nist.gov/vuln/detail/CVE-2023-1386
Type: Security Advisory
CVE: CVE-2023-1386
Score: 3.3

Analysis:
- According to redhat[1] this CVE has closed as not a bug.

Reference:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2223985

(From OE-Core rev: 6a5d9e3821246c39ec57fa483802e1bb74fca724)

Signed-off-by: Madhu Marri <madmarri@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

(Converted to old CVE_CHECK_IGNORE syntax)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index bee30cd56f..cae33459e6 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -161,6 +161,9 @@ CVE_CHECK_IGNORE += "CVE-2023-2680"
 #       due to the rocker device not falling within the virtualization use case.
 CVE_CHECK_IGNORE += "CVE-2022-36648"
 
+# disputed: not an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=2223985
+CVE_CHECK_IGNORE += "CVE-2023-1386"
+
 COMPATIBLE_HOST:mipsarchn32 = "null"
 COMPATIBLE_HOST:mipsarchn64 = "null"
 COMPATIBLE_HOST:riscv32 = "null"
-- 
2.43.0

[OE-core][kirkstone 10/10] glibc: Add single-threaded fast path to rand()

[Steve Sakoman]

From: Haixiao Yan <haixiao.yan.cn@windriver.com>

Backport a patch [1] to improve performance of rand() and __random()[2]
by adding a single-threaded fast path.

[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=be0cfd848d9ad7378800d6302bc11467cf2b514f
[2] https://sourceware.org/bugzilla/show_bug.cgi?id=32777
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...dd-single-threaded-fast-path-to-rand.patch | 47 +++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.35.bb         |  1 +
 2 files changed, 48 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch

diff --git a/meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch b/meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch
new file mode 100644
index 0000000000..736fc51f38
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0001-stdlib-Add-single-threaded-fast-path-to-rand.patch
@@ -0,0 +1,47 @@
+From 4f54b0dfc16dbe0df86afccb90e447df5f7f571e Mon Sep 17 00:00:00 2001
+From: Wilco Dijkstra <wilco.dijkstra@arm.com>
+Date: Mon, 18 Mar 2024 15:18:20 +0000
+Subject: [PATCH] stdlib: Add single-threaded fast path to rand()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Improve performance of rand() and __random() by adding a single-threaded
+fast path.  Bench-random-lock shows about 5x speedup on Neoverse V1.
+
+Upstream-Status: Backport [be0cfd848d9ad7378800d6302bc11467cf2b514f]
+
+Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
+---
+ stdlib/random.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/stdlib/random.c b/stdlib/random.c
+index 17cc61ba8f55..5d482a857065 100644
+--- a/stdlib/random.c
++++ b/stdlib/random.c
+@@ -51,6 +51,7 @@
+    SUCH DAMAGE.*/
+ 
+ #include <libc-lock.h>
++#include <sys/single_threaded.h>
+ #include <limits.h>
+ #include <stddef.h>
+ #include <stdlib.h>
+@@ -288,6 +289,12 @@ __random (void)
+ {
+   int32_t retval;
+ 
++  if (SINGLE_THREAD_P)
++    {
++      (void) __random_r (&unsafe_state, &retval);
++      return retval;
++    }
++
+   __libc_lock_lock (lock);
+ 
+   (void) __random_r (&unsafe_state, &retval);
+-- 
+2.34.1
+
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb
index d9cae79ac2..9073e04537 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -65,6 +65,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch \
            file://0002-get_nscd_addresses-Fix-subscript-typos-BZ-29605.patch \
            file://0003-sunrpc-suppress-gcc-os-warning-on-user2netname.patch \
+           file://0001-stdlib-Add-single-threaded-fast-path-to-rand.patch \
            "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
-- 
2.43.0

Re: [OE-core][kirkstone 09/10] qemu: ignore CVE-2023-1386

[Richard Purdie]

On Tue, 2025-04-08 at 13:51 -0700, Steve Sakoman via
lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
> 
> Upstream Repository: https://gitlab.com/qemu-project/qemu.git
> 
> Bug Details:  https://nvd.nist.gov/vuln/detail/CVE-2023-1386
> Type: Security Advisory
> CVE: CVE-2023-1386
> Score: 3.3
> 
> Analysis:
> - According to redhat[1] this CVE has closed as not a bug.
> 
> Reference:
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2223985
> 
> (From OE-Core rev: 6a5d9e3821246c39ec57fa483802e1bb74fca724)
> 
> Signed-off-by: Madhu Marri <madmarri@cisco.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> 
> (Converted to old CVE_CHECK_IGNORE syntax)
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/recipes-devtools/qemu/qemu.inc | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-
> devtools/qemu/qemu.inc
> index bee30cd56f..cae33459e6 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -161,6 +161,9 @@ CVE_CHECK_IGNORE += "CVE-2023-2680"
>  #       due to the rocker device not falling within the
> virtualization use case.
>  CVE_CHECK_IGNORE += "CVE-2022-36648"
>  
> +# disputed: not an issue as per
> https://bugzilla.redhat.com/show_bug.cgi?id=2223985
> +CVE_CHECK_IGNORE += "CVE-2023-1386"
> +
>  COMPATIBLE_HOST:mipsarchn32 = "null"
>  COMPATIBLE_HOST:mipsarchn64 = "null"
>  COMPATIBLE_HOST:riscv32 = "null"

This merged to master today. It isn't in walnascar though.

Cheers,

Richard

Re: [OE-core][kirkstone 10/10] glibc: Add single-threaded fast path to rand()

[Richard Purdie]

On Tue, 2025-04-08 at 13:51 -0700, Steve Sakoman via
lists.openembedded.org wrote:
> From: Haixiao Yan <haixiao.yan.cn@windriver.com>
> 
> Backport a patch [1] to improve performance of rand() and
> __random()[2]
> by adding a single-threaded fast path.
> 
> [1]
> https://sourceware.org/git/?p=glibc.git;a=commit;h=be0cfd848d9ad7378800d6302bc11467cf2b514f
> [2] https://sourceware.org/bugzilla/show_bug.cgi?id=32777
> Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  ...dd-single-threaded-fast-path-to-rand.patch | 47
> +++++++++++++++++++
>  meta/recipes-core/glibc/glibc_2.35.bb         |  1 +
>  2 files changed, 48 insertions(+)
>  create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-
> single-threaded-fast-path-to-rand.patch

This isn't in walnascar yet.

Cheers,

Richard

Re: [OE-core][kirkstone 10/10] glibc: Add single-threaded fast path to rand()

[Steve Sakoman]

On Thu, Apr 10, 2025 at 4:33 AM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Tue, 2025-04-08 at 13:51 -0700, Steve Sakoman via
> lists.openembedded.org wrote:
> > From: Haixiao Yan <haixiao.yan.cn@windriver.com>
> >
> > Backport a patch [1] to improve performance of rand() and
> > __random()[2]
> > by adding a single-threaded fast path.
> >
> > [1]
> > https://sourceware.org/git/?p=glibc.git;a=commit;h=be0cfd848d9ad7378800d6302bc11467cf2b514f
> > [2] https://sourceware.org/bugzilla/show_bug.cgi?id=32777
> > Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  ...dd-single-threaded-fast-path-to-rand.patch | 47
> > +++++++++++++++++++
> >  meta/recipes-core/glibc/glibc_2.35.bb         |  1 +
> >  2 files changed, 48 insertions(+)
> >  create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-
> > single-threaded-fast-path-to-rand.patch
>
> This isn't in walnascar yet.

I've got it and "qemu 8.2.7: ignore CVE-2023-1386" in my local
walnascar branch. I will hold off merging to all stable branches till
after walnascar release.

Thanks for catching this!

Steve

Re: [OE-core][kirkstone 10/10] glibc: Add single-threaded fast path to rand()

[Randy MacLeod]

[-- Attachment #1: Type: text/plain, Size: 11727 bytes --]

On 2025-04-10 9:49 a.m., Steve Sakoman via lists.openembedded.org wrote:
> On Thu, Apr 10, 2025 at 4:33 AM Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
>> On Tue, 2025-04-08 at 13:51 -0700, Steve Sakoman via
>> lists.openembedded.org wrote:
>>> From: Haixiao Yan<haixiao.yan.cn@windriver.com>
>>>
>>> Backport a patch [1] to improve performance of rand() and
>>> __random()[2]
>>> by adding a single-threaded fast path.
>>>
>>> [1]
>>> https://sourceware.org/git/?p=glibc.git;a=commit;h=be0cfd848d9ad7378800d6302bc11467cf2b514f
>>> [2]https://sourceware.org/bugzilla/show_bug.cgi?id=32777
>>> Signed-off-by: Haixiao Yan<haixiao.yan.cn@windriver.com>
>>> Signed-off-by: Steve Sakoman<steve@sakoman.com>
>>> ---
>>>   ...dd-single-threaded-fast-path-to-rand.patch | 47
>>> +++++++++++++++++++
>>>   meta/recipes-core/glibc/glibc_2.35.bb         |  1 +
>>>   2 files changed, 48 insertions(+)
>>>   create mode 100644 meta/recipes-core/glibc/glibc/0001-stdlib-Add-
>>> single-threaded-fast-path-to-rand.patch
>> This isn't in walnascar yet.
> I've got it and "qemu 8.2.7: ignore CVE-2023-1386" in my local
> walnascar branch. I will hold off merging to all stable branches till
> after walnascar release.
>
> Thanks for catching this!

People were discussing this bug wrt adding it to walnascar's RC2 bulid.
The conclusion is to merge it to walnascar *after* GA so it can soak for 
a bit
and to minimize risk to the GA release.

This is a customer issue and they have been happy with the fix since 
March 28th but
it was only merged to our product repo on April 2nd so it's probably a 
good idea
to let it soak.

I'm not sure if it'll help but below is Haixiao's summary from our 
internal bug tracker.
It's a verbose version of the master branch commit log.
One notable comment is:
    the issue can not reproduce on modern CPU (such as Zen3/Ryzen9),
    they are smart to handle the lock for single-thread case.

I wonder how many other 'modern' targets avoid the issue at build / run 
time.

If we want more info, please rely and Haixiao can spend some time on digging
a bit more.

../Randy



Summary:

This is a generic issue, not only found on wrLinux, also met on ubuntu 
22.04.

The degradation since from glibc-2.34, until the latest glibc-2.41 is 
affected.
The fix will be included in glibc-2.42.
I have filed https://sourceware.org/bugzilla/show_bug.cgi?id=32777 
<https://sourceware.org/bugzilla/show_bug.cgi?id=32777> to the upstream.

The first bad commit is 60d5e40ab200033a982a9fd7594a1f83dcdb94a0.

commit 60d5e40ab200033a982a9fd7594a1f83dcdb94a0
Author: Florian Weimer<fweimer@redhat.com>
Date:   Wed Apr 21 19:49:51 2021 +0200

     x86: Remove low-level lock optimization
     
     The current approach is to do this optimizations at a higher level,
     in generic code, so that single-threaded cases can be specifically
     targeted.
     
     Furthermore, using IS_IN (libc) as a compile-time indicator that
     all locks are private is no longer correct once process-shared lock
     implementations are moved into libc.
     
     The generic <lowlevellock.h> is not compatible with assembler code
     (obviously), so it's necessary to remove two long-unused #includes.
     
     Reviewed-by: Adhemerval Zanella<adhemerval.zanella@linaro.org>

This commit remove the optimization for single-threaded case, such as 
mallocrandfree.
 From the perf result, random function has been called significantly 
increased from 15.5% to 42.28%.
on glibc-2.33, disassemble the random function:

(gdb) disassemble random
Dump of assembler code for function __random:
    0x00007ffff7e3dc20 <+0>:     endbr64
    0x00007ffff7e3dc24 <+4>:     sub    $0x18,%rsp
    0x00007ffff7e3dc28 <+8>:     mov    %fs:0x18,%eax
    0x00007ffff7e3dc30 <+16>:    test   %eax,%eax
    0x00007ffff7e3dc32 <+18>:    jne    0x7ffff7e3dc70 <__random+80>
    0x00007ffff7e3dc34 <+20>:    mov    $0x1,%edx
    0x00007ffff7e3dc39 <+25>:    cmpxchg %edx,0x17e708(%rip)        # 0x7ffff7fbc348 <lock>
    0x00007ffff7e3dc40 <+32>:    lea    0xc(%rsp),%rsi
    0x00007ffff7e3dc45 <+37>:    lea    0x17bb14(%rip),%rdi        # 0x7ffff7fb9760 <unsafe_state>
    0x00007ffff7e3dc4c <+44>:    call   0x7ffff7e3e070 <__random_r>
    0x00007ffff7e3dc51 <+49>:    mov    %fs:0x18,%eax
    0x00007ffff7e3dc59 <+57>:    test   %eax,%eax
    0x00007ffff7e3dc5b <+59>:    jne    0x7ffff7e3dc90 <__random+112>
    0x00007ffff7e3dc5d <+61>:    subl   $0x1,0x17e6e4(%rip)        # 0x7ffff7fbc348 <lock>
    0x00007ffff7e3dc64 <+68>:    movslq 0xc(%rsp),%rax
    0x00007ffff7e3dc69 <+73>:    add    $0x18,%rsp
    0x00007ffff7e3dc6d <+77>:    ret
    0x00007ffff7e3dc6e <+78>:    xchg   %ax,%ax
    0x00007ffff7e3dc70 <+80>:    xor    %eax,%eax
    0x00007ffff7e3dc72 <+82>:    mov    $0x1,%edx
    0x00007ffff7e3dc77 <+87>:    lock cmpxchg %edx,0x17e6c9(%rip)        # 0x7ffff7fbc348 <lock>
    0x00007ffff7e3dc7f <+95>:    je     0x7ffff7e3dc40 <__random+32>
    0x00007ffff7e3dc81 <+97>:    lea    0x17e6c0(%rip),%rdi        # 0x7ffff7fbc348 <lock>
    0x00007ffff7e3dc88 <+104>:   call   0x7ffff7e81c00 <__lll_lock_wait_private>
    0x00007ffff7e3dc8d <+109>:   jmp    0x7ffff7e3dc40 <__random+32>
    0x00007ffff7e3dc8f <+111>:   nop
    0x00007ffff7e3dc90 <+112>:   xor    %eax,%eax
    0x00007ffff7e3dc92 <+114>:   xchg   %eax,0x17e6b0(%rip)        # 0x7ffff7fbc348 <lock>
    0x00007ffff7e3dc98 <+120>:   cmp    $0x1,%eax
    0x00007ffff7e3dc9b <+123>:   jle    0x7ffff7e3dc64 <__random+68>
    0x00007ffff7e3dc9d <+125>:   xor    %r10d,%r10d
    0x00007ffff7e3dca0 <+128>:   mov    $0x1,%edx
    0x00007ffff7e3dca5 <+133>:   mov    $0x81,%esi
    0x00007ffff7e3dcaa <+138>:   mov    $0xca,%eax
    0x00007ffff7e3dcaf <+143>:   lea    0x17e692(%rip),%rdi        # 0x7ffff7fbc348 <lock>
    0x00007ffff7e3dcb6 <+150>:   syscall
    0x00007ffff7e3dcb8 <+152>:   jmp    0x7ffff7e3dc64 <__random+68>
End of assembler dump.

test %eax,%eax will check the single-threaded condition, if in 
single-threaded environments, skips locking, calls __random_r directly, 
and returns the random number.
if in multi-threaded environments, acquires a lock, calls __random_r, 
releases the lock, handles contention, and returns the random number.

on glibc-2.34, disassemble the random function:

(gdb) disassemble random
Dump of assembler code for function __random:
    0x00007ffff7c44db0 <+0>:     endbr64
    0x00007ffff7c44db4 <+4>:     sub    $0x18,%rsp
    0x00007ffff7c44db8 <+8>:     xor    %eax,%eax
    0x00007ffff7c44dba <+10>:    mov    $0x1,%edx
    0x00007ffff7c44dbf <+15>:    lock cmpxchg %edx,0x1b0641(%rip)        # 0x7ffff7df5408 <lock>
    0x00007ffff7c44dc7 <+23>:    jne    0x7ffff7c44df8 <__random+72>
    0x00007ffff7c44dc9 <+25>:    lea    0xc(%rsp),%rsi
    0x00007ffff7c44dce <+30>:    lea    0x1ada6b(%rip),%rdi        # 0x7ffff7df2840 <unsafe_state>
    0x00007ffff7c44dd5 <+37>:    call   0x7ffff7c451e0 <__random_r>
    0x00007ffff7c44dda <+42>:    xor    %eax,%eax
    0x00007ffff7c44ddc <+44>:    xchg   %eax,0x1b0626(%rip)        # 0x7ffff7df5408 <lock>
    0x00007ffff7c44de2 <+50>:    cmp    $0x1,%eax
    0x00007ffff7c44de5 <+53>:    jg     0x7ffff7c44e10 <__random+96>
    0x00007ffff7c44de7 <+55>:    movslq 0xc(%rsp),%rax
    0x00007ffff7c44dec <+60>:    add    $0x18,%rsp
    0x00007ffff7c44df0 <+64>:    ret
    0x00007ffff7c44df1 <+65>:    nopl   0x0(%rax)
    0x00007ffff7c44df8 <+72>:    lea    0x1b0609(%rip),%rdi        # 0x7ffff7df5408 <lock>
    0x00007ffff7c44dff <+79>:    call   0x7ffff7c88680 <__GI___lll_lock_wait_private>
    0x00007ffff7c44e04 <+84>:    jmp    0x7ffff7c44dc9 <__random+25>
    0x00007ffff7c44e06 <+86>:    cs nopw 0x0(%rax,%rax,1)
    0x00007ffff7c44e10 <+96>:    lea    0x1b05f1(%rip),%rdi        # 0x7ffff7df5408 <lock>
    0x00007ffff7c44e17 <+103>:   call   0x7ffff7c88750 <__GI___lll_lock_wake_private>
    0x00007ffff7c44e1c <+108>:   movslq 0xc(%rsp),%rax
    0x00007ffff7c44e21 <+113>:   add    $0x18,%rsp
    0x00007ffff7c44e25 <+117>:   ret
End of assembler dump.

Both single-threaded and multi-threaded are using atomic operations and 
lock management.
So cause the performance of single-threaded cases degradation.

The fix has been included on master branch on Feb 24, 2025.
https://sourceware.org/git/?p=glibc.git;a=commit;h=be0cfd848d9ad7378800d6302bc11467cf2b514f 
<https://sourceware.org/git/?p=glibc.git;a=commit;h=be0cfd848d9ad7378800d6302bc11467cf2b514f>

after the fix, disassemble the random function:

(gdb) disassemble random
Dump of assembler code for function __random:
    0x00007ffff7e1d0b0 <+0>:     endbr64
    0x00007ffff7e1d0b4 <+4>:     sub    $0x18,%rsp
    0x00007ffff7e1d0b8 <+8>:     cmpb   $0x0,0x199221(%rip)        # 0x7ffff7fb62e0 <__libc_single_threaded_internal>
    0x00007ffff7e1d0bf <+15>:    jne    0x7ffff7e1d100 <__random+80>
    0x00007ffff7e1d0c1 <+17>:    xor    %eax,%eax
    0x00007ffff7e1d0c3 <+19>:    mov    $0x1,%edx
    0x00007ffff7e1d0c8 <+24>:    lock cmpxchg %edx,0x1935c0(%rip)        # 0x7ffff7fb0690 <lock>
    0x00007ffff7e1d0d0 <+32>:    jne    0x7ffff7e1d130 <__random+128>
    0x00007ffff7e1d0d2 <+34>:    lea    0xc(%rsp),%rsi
    0x00007ffff7e1d0d7 <+39>:    lea    0x1917a2(%rip),%rdi        # 0x7ffff7fae880 <unsafe_state>
    0x00007ffff7e1d0de <+46>:    call   0x7ffff7e1d500 <__random_r>
    0x00007ffff7e1d0e3 <+51>:    xor    %eax,%eax
    0x00007ffff7e1d0e5 <+53>:    xchg   %eax,0x1935a5(%rip)        # 0x7ffff7fb0690 <lock>
    0x00007ffff7e1d0eb <+59>:    cmp    $0x1,%eax
    0x00007ffff7e1d0ee <+62>:    jg     0x7ffff7e1d120 <__random+112>
    0x00007ffff7e1d0f0 <+64>:    movslq 0xc(%rsp),%rax
    0x00007ffff7e1d0f5 <+69>:    add    $0x18,%rsp
    0x00007ffff7e1d0f9 <+73>:    ret
    0x00007ffff7e1d0fa <+74>:    nopw   0x0(%rax,%rax,1)
    0x00007ffff7e1d100 <+80>:    lea    0xc(%rsp),%rsi
    0x00007ffff7e1d105 <+85>:    lea    0x191774(%rip),%rdi        # 0x7ffff7fae880 <unsafe_state>
    0x00007ffff7e1d10c <+92>:    call   0x7ffff7e1d500 <__random_r>
    0x00007ffff7e1d111 <+97>:    movslq 0xc(%rsp),%rax
    0x00007ffff7e1d116 <+102>:   add    $0x18,%rsp
    0x00007ffff7e1d11a <+106>:   ret
    0x00007ffff7e1d11b <+107>:   nopl   0x0(%rax,%rax,1)
    0x00007ffff7e1d120 <+112>:   lea    0x193569(%rip),%rdi        # 0x7ffff7fb0690 <lock>
    0x00007ffff7e1d127 <+119>:   call   0x7ffff7e60360 <__GI___lll_lock_wake_private>
    0x00007ffff7e1d12c <+124>:   jmp    0x7ffff7e1d0f0 <__random+64>
    0x00007ffff7e1d12e <+126>:   xchg   %ax,%ax
    0x00007ffff7e1d130 <+128>:   lea    0x193559(%rip),%rdi        # 0x7ffff7fb0690 <lock>
    0x00007ffff7e1d137 <+135>:   call   0x7ffff7e60290 <__GI___lll_lock_wait_private>
    0x00007ffff7e1d13c <+140>:   jmp    0x7ffff7e1d0d2 <__random+34>
End of assembler dump.

cmpb $0x0,0x199221(%rip) will check single-threaded mode, which avoids 
unnecessary locking.

BTW, the issue can not reproduce on modern CPU (such as Zen3/Ryzen9), 
they are smart to handle the lock for single-thread case.


>
> Steve
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#214675):https://lists.openembedded.org/g/openembedded-core/message/214675
> Mute This Topic:https://lists.openembedded.org/mt/112161542/3616765
> Group Owner:openembedded-core+owner@lists.openembedded.org
> Unsubscribe:https://lists.openembedded.org/g/openembedded-core/unsub [randy.macleod@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

-- 
# Randy MacLeod
# Wind River Linux

[-- Attachment #2: Type: text/html, Size: 16223 bytes --]

[OE-core][kirkstone 00/10] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, June 3

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1684

The following changes since commit a99a65632116955dc69809a14bf536b22582de72:

  gcc: AArch64 - Fix strict-align cpymem/setmem (2025-05-23 08:27:24 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Bruce Ashfield (5):
  linux-yocto/5.15: update to v5.15.180
  linux-yocto/5.15: update to v5.15.181
  linux-yocto/5.15: update to v5.15.182
  linux-yocto/5.15: update to v5.15.183
  linux-yocto/5.15: update to v5.15.184

Guocai He (1):
  sysstat: correct the SRC_URI

Harish Sadineni (2):
  binutils: Fix CVE-2025-1182
  binutils: fix CVE-2025-1180

Hitendra Prajapati (1):
  screen: Fix CVE-2025-46805

NeilBrown (1):
  nfs-utils: don't use signals to shut down nfs server.

 .../nfs-utils/nfs-utils/nfsserver             |  28 +--
 .../binutils/binutils-2.38.inc                |   1 +
 .../binutils/0040-CVE-2025-1180.patch         | 164 ++++++++++++++++++
 .../binutils/0040-CVE-2025-1182.patch         |  31 ++++
 .../screen/screen/CVE-2025-46805.patch        | 121 +++++++++++++
 meta/recipes-extended/screen/screen_4.9.0.bb  |   1 +
 meta/recipes-extended/sysstat/sysstat.inc     |   6 +-
 .../linux/linux-yocto-rt_5.15.bb              |   6 +-
 .../linux/linux-yocto-tiny_5.15.bb            |   6 +-
 meta/recipes-kernel/linux/linux-yocto_5.15.bb |  26 +--
 10 files changed, 344 insertions(+), 46 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0040-CVE-2025-1180.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0040-CVE-2025-1182.patch
 create mode 100644 meta/recipes-extended/screen/screen/CVE-2025-46805.patch

-- 
2.43.0

[OE-core][kirkstone 00/10] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Tuesday, July 29

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2092

The following changes since commit d9f424921179a52ffe053411c44f20e44e7deba1:

  tcf-agent: correct the SRC_URI (2025-07-15 06:42:30 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Aleksandar Nikolic (1):
  scripts/install-buildtools: Update to 4.0.28

Daniel Díaz (1):
  ffmpeg: Ignore two CVEs fixed in 5.0.3

Deepesh Varatharajan (1):
  glibc: stable 2.35 branch updates

Hitendra Prajapati (1):
  libpam: fix CVE-2025-6020

Martin Jansa (1):
  db: ignore implicit-int and implicit-function-declaration issues fatal
    with gcc-14

Peter Marko (2):
  orc: set CVE_PRODUCT
  ncurses: patch CVE-2025-6141

Rob Woolley (1):
  ruby: correct fix for CVE-2024-43398

Yash Shinde (1):
  binutils: Fix CVE-2025-7546

Yogita Urade (1):
  gnupg: fix CVE-2025-30258

 meta/recipes-core/glibc/glibc-version.inc     |    2 +-
 .../glibc/glibc/0025-CVE-2025-4802.patch      |    3 +-
 meta/recipes-core/glibc/glibc_2.35.bb         |    2 +-
 .../ncurses/files/CVE-2025-6141.patch         |   25 +
 .../ncurses/ncurses_6.3+20220423.bb           |    1 +
 .../binutils/binutils-2.38.inc                |    1 +
 .../binutils/0043-CVE-2025-7546.patch         |   44 +
 meta/recipes-devtools/orc/orc_0.4.40.bb       |    3 +
 .../ruby/ruby/CVE-2024-43398-0001.patch       |  212 +++
 .../ruby/ruby/CVE-2024-43398-0002.patch       |  130 ++
 ...-43398.patch => CVE-2024-43398-0003.patch} |   23 +-
 meta/recipes-devtools/ruby/ruby_3.1.3.bb      |    4 +-
 ...001-pam_inline-introduce-pam_asprint.patch |  102 ++
 .../0001-pam_namespace-include-stdint-h.patch |   42 +
 .../pam/libpam/CVE-2025-6020-01.patch         | 1588 +++++++++++++++++
 .../pam/libpam/CVE-2025-6020-02.patch         |  187 ++
 .../pam/libpam/CVE-2025-6020-03.patch         |   35 +
 meta/recipes-extended/pam/libpam_1.5.2.bb     |    5 +
 .../recipes-multimedia/ffmpeg/ffmpeg_5.0.3.bb |    6 +
 meta/recipes-support/db/db_5.3.28.bb          |    4 +
 .../gnupg/gnupg/CVE-2025-30258-0001.patch     |  141 ++
 .../gnupg/gnupg/CVE-2025-30258-0002.patch     |  131 ++
 .../gnupg/gnupg/CVE-2025-30258-0003.patch     |  624 +++++++
 .../gnupg/gnupg/CVE-2025-30258-0004.patch     |  193 ++
 .../gnupg/gnupg/CVE-2025-30258-0005.patch     |   36 +
 meta/recipes-support/gnupg/gnupg_2.3.7.bb     |    5 +
 scripts/install-buildtools                    |    4 +-
 27 files changed, 3534 insertions(+), 19 deletions(-)
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2025-6141.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0043-CVE-2025-7546.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-43398-0001.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2024-43398-0002.patch
 rename meta/recipes-devtools/ruby/ruby/{CVE-2024-43398.patch => CVE-2024-43398-0003.patch} (87%)
 create mode 100644 meta/recipes-extended/pam/libpam/0001-pam_inline-introduce-pam_asprint.patch
 create mode 100644 meta/recipes-extended/pam/libpam/0001-pam_namespace-include-stdint-h.patch
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2025-6020-01.patch
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2025-6020-02.patch
 create mode 100644 meta/recipes-extended/pam/libpam/CVE-2025-6020-03.patch
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0001.patch
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0002.patch
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0003.patch
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0004.patch
 create mode 100644 meta/recipes-support/gnupg/gnupg/CVE-2025-30258-0005.patch

-- 
2.43.0

[OE-core][kirkstone 00/10] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Friday, August 1

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2113

The following changes since commit 277b5ec3c0212ca8600dd89d0a33f784a060131f:

  db: ignore implicit-int and implicit-function-declaration issues fatal with gcc-14 (2025-07-25 08:37:09 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Deepesh Varatharajan (1):
  binutils: Fix CVE-2025-7545

Peter Marko (8):
  dropbear: patch CVE-2025-47203
  gnutls: patch CVE-2025-32989
  gnutls: patch read buffer overrun in the "pre_shared_key" extension
  gnutls: patch reject zero-length version in certificate request
  gnutls: patch CVE-2025-32988
  gnutls: patch CVE-2025-32990
  gnutls: patch CVE-2025-6395
  libxml2: patch CVE-2025-6170

Vijay Anusuri (1):
  sqlite3: Fix CVE-2025-6965

 meta/recipes-core/dropbear/dropbear.inc       |    3 +
 ..._snprintf-that-won-t-return-negative.patch |   48 +
 ...-length-paths-and-commands-in-multih.patch |  126 +
 .../dropbear/dropbear/CVE-2025-47203.patch    |  344 +++
 .../libxml/libxml2/CVE-2025-6170.patch        |  103 +
 meta/recipes-core/libxml/libxml2_2.9.14.bb    |    1 +
 .../binutils/binutils-2.38.inc                |    1 +
 .../binutils/0043-CVE-2025-7545.patch         |   39 +
 ...fer-overrun-in-the-pre_shared_key-ex.patch |   34 +
 ...-length-version-in-certificate-reque.patch |   37 +
 .../04939b75417cc95b7372c6f208c4bda4579bdc34  |  Bin 0 -> 1782 bytes
 .../3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2  |  Bin 0 -> 830 bytes
 .../5477db1bb507a35e8833c758ce344f4b5b246d8e  |  Bin 0 -> 111 bytes
 .../gnutls/gnutls/CVE-2025-32988.patch        |   58 +
 .../gnutls/gnutls/CVE-2025-32989.patch        |   50 +
 .../gnutls/gnutls/CVE-2025-32990.patch        | 2109 +++++++++++++++++
 .../gnutls/gnutls/CVE-2025-6395.patch         |  299 +++
 meta/recipes-support/gnutls/gnutls_3.7.4.bb   |   15 +
 .../sqlite/files/CVE-2025-6965.patch          |  115 +
 meta/recipes-support/sqlite/sqlite3_3.38.5.bb |    1 +
 20 files changed, 3383 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/0001-Add-m_snprintf-that-won-t-return-negative.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/0001-Handle-arbitrary-length-paths-and-commands-in-multih.patch
 create mode 100644 meta/recipes-core/dropbear/dropbear/CVE-2025-47203.patch
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0043-CVE-2025-7545.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/04939b75417cc95b7372c6f208c4bda4579bdc34
 create mode 100644 meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2
 create mode 100644 meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32989.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32990.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-6395.patch
 create mode 100644 meta/recipes-support/sqlite/files/CVE-2025-6965.patch

-- 
2.43.0

[OE-core][kirkstone 00/10] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Monday, November 17

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2720

The following changes since commit 1e1993b72f2b6109ce3d0ef950553b74b2b37b27:

  Don't use ftp.gnome.org (2025-11-03 09:18:14 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Alexander Kanavin (2):
  xf86-video-intel: correct SRC_URI as freedesktop anongit is down
  goarch.bbclass: do not leak TUNE_FEATURES into crosssdk task
    signatures

Gyorgy Sarvari (2):
  efibootmgr: update SRC_URI branch
  babeltrace2: fetch with https protocol

Peter Marko (1):
  curl: ignore CVE-2025-10966

Saquib Iltaf (1):
  rust-cross-canadian: Ignore CVE-2024-43402

Soumya Sambu (1):
  python3-urllib3: Upgrade 1.26.18 -> 1.26.20

Vijay Anusuri (3):
  xserver-xorg: Fix for CVE-2025-62229
  xserver-xorg: Fix for CVE-2025-62230
  xserver-xorg: Fix for CVE-2025-62231

 meta/classes/goarch.bbclass                   |  3 +
 meta/recipes-bsp/efibootmgr/efibootmgr_17.bb  |  2 +-
 ..._1.26.18.bb => python3-urllib3_1.26.20.bb} |  2 +-
 .../rust/rust-cross-canadian.inc              |  2 +
 .../xorg-driver/xf86-video-intel_git.bb       |  3 +-
 .../xserver-xorg/CVE-2025-62229.patch         | 89 ++++++++++++++++++
 .../xserver-xorg/CVE-2025-62230-1.patch       | 63 +++++++++++++
 .../xserver-xorg/CVE-2025-62230-2.patch       | 92 +++++++++++++++++++
 .../xserver-xorg/CVE-2025-62231.patch         | 53 +++++++++++
 .../xorg-xserver/xserver-xorg_21.1.8.bb       |  4 +
 .../recipes-kernel/lttng/babeltrace2_2.0.5.bb |  2 +-
 meta/recipes-support/curl/curl_7.82.0.bb      |  2 +
 12 files changed, 312 insertions(+), 5 deletions(-)
 rename meta/recipes-devtools/python/{python3-urllib3_1.26.18.bb => python3-urllib3_1.26.20.bb} (87%)
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-62229.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-62230-1.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-62230-2.patch
 create mode 100644 meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-62231.patch

-- 
2.43.0

[OE-core][kirkstone 00/10] Patch review

[Steve Sakoman]

Please review this set of changes for kirkstone and have comments back by
end of day Thursday, December 4

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2808

The following changes since commit ceef3cde9b761b7b5de6f7b6b1fb8e99663af9ca:

  flac: patch seeking bug (2025-11-24 07:34:36 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Archana Polampalli (4):
  go: fix CVE-2025-58187
  go: fix CVE-2025-58189
  go: fix CVE-2025-61723
  go: fix CVE-2025-61724

Gyorgy Sarvari (1):
  systemd-bootchart: update SRC_URI branch

Peter Marko (5):
  gnutls: patch CVE-2025-9820
  libpng: patch CVE-2025-64505
  libpng: patch CVE-2025-64506
  libpng: patch CVE-2025-64720
  libpng: patch CVE-2025-65018

 meta/recipes-devtools/go/go-1.17.13.inc       |   4 +
 .../go/go-1.18/CVE-2025-58187.patch           | 349 ++++++++++++++++++
 .../go/go-1.18/CVE-2025-58189.patch           |  51 +++
 .../go/go-1.18/CVE-2025-61723.patch           | 221 +++++++++++
 .../go/go-1.18/CVE-2025-61724.patch           |  74 ++++
 .../systemd-bootchart_234.bb                  |   2 +-
 .../libpng/files/CVE-2025-64505-01.patch      | 111 ++++++
 .../libpng/files/CVE-2025-64505-02.patch      | 163 ++++++++
 .../libpng/files/CVE-2025-64505-03.patch      |  52 +++
 .../libpng/files/CVE-2025-64506.patch         |  57 +++
 .../libpng/files/CVE-2025-64720.patch         | 103 ++++++
 .../libpng/files/CVE-2025-65018-01.patch      |  60 +++
 .../libpng/files/CVE-2025-65018-02.patch      | 163 ++++++++
 .../libpng/libpng_1.6.39.bb                   |   7 +
 .../gnutls/gnutls/CVE-2025-9820.patch         | 250 +++++++++++++
 meta/recipes-support/gnutls/gnutls_3.7.4.bb   |   1 +
 16 files changed, 1667 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58187.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-58189.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61723.patch
 create mode 100644 meta/recipes-devtools/go/go-1.18/CVE-2025-61724.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-01.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-02.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64505-03.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64506.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-64720.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-01.patch
 create mode 100644 meta/recipes-multimedia/libpng/files/CVE-2025-65018-02.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-9820.patch

-- 
2.43.0

[OE-core][kirkstone 00/10] Patch review

[Steve Sakoman]

Please review this set of hcanges for kirkstone and have comments back by
end of day Tuesday, December 30

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/?#/builders/29/builds/2920

The following changes since commit 2ed3f8b938579dbbb804e04c45a968cc57761db7:

  build-appliance-image: Update to kirkstone head revision (2025-12-12 08:52:06 -0800)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/kirkstone-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/kirkstone-nut

Aleksandar Nikolic (1):
  scripts/install-buildtools: Update to 4.0.31

Changqing Li (1):
  libsoup: fix CVE-2025-12105

Deepesh Varatharajan (1):
  binutils: Fix CVE-2025-11494

Kai Kang (1):
  qemu: fix CVE-2025-12464

Libo Chen (1):
  go: Fix CVE-2023-39323

Liyin Zhang (1):
  rsync: fix CVE-2025-10158

Martin Jansa (1):
  cross.bbclass: Propagate dependencies to outhash

Mingli Yu (1):
  libxslt: Fix CVE-2025-11731

Yash Shinde (2):
  binutils: fix CVE-2025-11839
  binutils: fix CVE-2025-11840

 meta/classes/cross.bbclass                    | 36 ++++++++++
 .../binutils/binutils-2.38.inc                |  3 +
 .../binutils/0048-CVE-2025-11494.patch        | 43 ++++++++++++
 .../binutils/0049-CVE-2025-11839.patch        | 32 +++++++++
 .../binutils/0050-CVE-2025-11840.patch        | 37 ++++++++++
 meta/recipes-devtools/go/go-1.17.13.inc       |  1 +
 .../go/go-1.21/CVE-2023-39323.patch           | 55 +++++++++++++++
 meta/recipes-devtools/qemu/qemu.inc           |  1 +
 .../qemu/qemu/CVE-2025-12464.patch            | 70 +++++++++++++++++++
 .../rsync/files/CVE-2025-10158.patch          | 36 ++++++++++
 meta/recipes-devtools/rsync/rsync_3.2.7.bb    |  1 +
 .../libsoup/libsoup/CVE-2025-12105.patch      | 34 +++++++++
 meta/recipes-support/libsoup/libsoup_3.0.7.bb |  1 +
 .../libxslt/libxslt/CVE-2025-11731.patch      | 42 +++++++++++
 .../recipes-support/libxslt/libxslt_1.1.35.bb |  1 +
 scripts/install-buildtools                    |  4 +-
 16 files changed, 395 insertions(+), 2 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0048-CVE-2025-11494.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0049-CVE-2025-11839.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/0050-CVE-2025-11840.patch
 create mode 100644 meta/recipes-devtools/go/go-1.21/CVE-2023-39323.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2025-12464.patch
 create mode 100644 meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup/CVE-2025-12105.patch
 create mode 100644 meta/recipes-support/libxslt/libxslt/CVE-2025-11731.patch

-- 
2.43.0