[OE-core][scarthgap 00/11] Patch review

[OE-core][scarthgap 00/11] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Friday, May 30

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1672

The following changes since commit 29d920f4c2249df7a69f00100924b4525e03c0d9:

  libatomic-ops: Update GITHUB_BASE_URI (2025-05-20 08:59:39 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Ashish Sharma (1):
  libsoup: patch CVE-2025-4476

Divya Chellam (1):
  ruby: fix CVE-2025-27221

Divyanshu Rathore (1):
  ffmpeg: upgrade 6.1.1 -> 6.1.2

Harish Sadineni (2):
  binutils: Fix CVE-2025-1179
  binutils: set CVE_STATUS for CVE-2025-1180

Rogerio Guerra Borin (1):
  u-boot: ensure keys are generated before assembling U-Boot FIT image

Vijay Anusuri (4):
  libsoup-2.4: Fix CVE-2025-32910
  libsoup-2.4: Fix CVE-2025-32911 & CVE-2025-32913
  libsoup-2.4: Fix CVE-2025-32912
  libsoup-2.4: Fix CVE-2025-32914

Virendra Thakur (1):
  util-linux: Add fix to isolate test fstab entries using CUSTOM_FSTAB

 meta/classes-recipe/uboot-sign.bbclass        |    2 +
 meta/recipes-core/util-linux/util-linux.inc   |    1 +
 .../util-linux/fstab-isolation.patch          |  448 +++++++
 .../binutils/binutils-2.42.inc                |    3 +
 .../binutils/binutils/CVE-2025-1179-pre.patch | 1086 +++++++++++++++++
 .../binutils/binutils/CVE-2025-1179.patch     |  269 ++++
 .../ruby/ruby/CVE-2025-27221-0001.patch       |   57 +
 .../ruby/ruby/CVE-2025-27221-0002.patch       |   73 ++
 meta/recipes-devtools/ruby/ruby_3.3.5.bb      |    2 +
 .../ffmpeg/ffmpeg/CVE-2024-32230.patch        |   36 -
 .../ffmpeg/ffmpeg/CVE-2024-35366.patch        |   35 -
 .../ffmpeg/ffmpeg/CVE-2024-36613.patch        |   37 -
 .../ffmpeg/ffmpeg/CVE-2024-36616.patch        |   35 -
 .../ffmpeg/ffmpeg/CVE-2024-36617.patch        |   36 -
 .../ffmpeg/ffmpeg/CVE-2024-36619.patch        |   36 -
 .../ffmpeg/ffmpeg/CVE-2024-7055.patch         |   38 -
 .../ffmpeg/ffmpeg/vulkan_av1_stable_API.patch |   40 +-
 .../{ffmpeg_6.1.1.bb => ffmpeg_6.1.2.bb}      |    9 +-
 .../libsoup-2.4/CVE-2025-32910-1.patch        |   97 ++
 .../libsoup-2.4/CVE-2025-32910-2.patch        |  148 +++
 .../libsoup-2.4/CVE-2025-32910-3.patch        |   26 +
 .../CVE-2025-32911_CVE-2025-32913-1.patch     |   72 ++
 .../CVE-2025-32911_CVE-2025-32913-2.patch     |   44 +
 .../libsoup-2.4/CVE-2025-32912-1.patch        |   41 +
 .../libsoup-2.4/CVE-2025-32912-2.patch        |   30 +
 .../libsoup/libsoup-2.4/CVE-2025-32914.patch  |  137 +++
 .../libsoup/libsoup-2.4_2.74.3.bb             |    8 +
 .../libsoup/libsoup-3.4.4/CVE-2025-4476.patch |   38 +
 meta/recipes-support/libsoup/libsoup_3.4.4.bb |    1 +
 29 files changed, 2604 insertions(+), 281 deletions(-)
 create mode 100644 meta/recipes-core/util-linux/util-linux/fstab-isolation.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1179-pre.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1179.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-32230.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-7055.patch
 rename meta/recipes-multimedia/ffmpeg/{ffmpeg_6.1.1.bb => ffmpeg_6.1.2.bb} (96%)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4476.patch

-- 
2.43.0

[OE-core][scarthgap 01/11] libsoup-2.4: Fix CVE-2025-32910

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

import patch from debian to fix
 CVE-2025-32910

Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe
&
https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a
&
https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]

Reference:
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/417
https://security-tracker.debian.org/tracker/CVE-2025-32910

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup-2.4/CVE-2025-32910-1.patch        |  97 ++++++++++++
 .../libsoup-2.4/CVE-2025-32910-2.patch        | 148 ++++++++++++++++++
 .../libsoup-2.4/CVE-2025-32910-3.patch        |  26 +++
 .../libsoup/libsoup-2.4_2.74.3.bb             |   3 +
 4 files changed, 274 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
new file mode 100644
index 0000000000..de4faf5380
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-1.patch
@@ -0,0 +1,97 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Sun, 8 Dec 2024 20:00:35 -0600
+Subject: auth-digest: Handle missing realm in authenticate header
+
+(cherry picked from commit e40df6d48a1cbab56f5d15016cc861a503423cfe)
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-1.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/e40df6d48a1cbab56f5d15016cc861a503423cfe]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c |  3 +++
+ tests/auth-test.c          | 50 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index e8ba990..263a15a 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -142,6 +142,9 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ 	guint qop_options;
+ 	gboolean ok = TRUE;
+ 
++        if (!soup_auth_get_realm (auth))
++                return FALSE;
++
+ 	g_free (priv->domain);
+ 	g_free (priv->nonce);
+ 	g_free (priv->opaque);
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 8295ec3..dfc6b09 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1549,6 +1549,55 @@ do_cancel_after_retry_test (void)
+         soup_test_session_abort_unref (session);
+ }
+ 
++static void
++on_request_read_for_missing_realm (SoupServer        *server,
++                                   SoupServerMessage *msg,
++                                   gpointer           user_data)
++{
++        SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
++        soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
++}
++
++static void
++do_missing_realm_test (void)
++{
++        SoupSession *session;
++        SoupMessage *msg;
++        SoupServer *server;
++        SoupAuthDomain *digest_auth_domain;
++        gint status;
++        GUri *uri;
++
++        server = soup_test_server_new (SOUP_TEST_SERVER_IN_THREAD);
++	soup_server_add_handler (server, NULL,
++				 server_callback, NULL, NULL);
++	uri = soup_test_server_get_uri (server, "http", NULL);
++
++	digest_auth_domain = soup_auth_domain_digest_new (
++		"realm", "auth-test",
++		"auth-callback", server_digest_auth_callback,
++		NULL);
++        soup_auth_domain_add_path (digest_auth_domain, "/");
++	soup_server_add_auth_domain (server, digest_auth_domain);
++        g_object_unref (digest_auth_domain);
++
++        g_signal_connect (server, "request-read",
++                          G_CALLBACK (on_request_read_for_missing_realm),
++                          NULL);
++
++        session = soup_test_session_new (NULL);
++        msg = soup_message_new_from_uri ("GET", uri);
++        g_signal_connect (msg, "authenticate",
++                          G_CALLBACK (on_digest_authenticate),
++                          NULL);
++
++        status = soup_test_session_send_message (session, msg);
++
++        g_assert_cmpint (status, ==, SOUP_STATUS_UNAUTHORIZED);
++	g_uri_unref (uri);
++	soup_test_server_quit_unref (server);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -1576,6 +1625,7 @@ main (int argc, char **argv)
+ 	g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
+ 	g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
+ 	g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
++        g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
+ 
+ 	ret = g_test_run ();
+ 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
new file mode 100644
index 0000000000..0d72afa1d6
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-2.patch
@@ -0,0 +1,148 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Thu, 26 Dec 2024 18:18:35 -0600
+Subject: auth-digest: Handle missing nonce
+
+(cherry picked from commit 405a8a34597a44bd58c4759e7d5e23f02c3b556a)
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-2.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/405a8a34597a44bd58c4759e7d5e23f02c3b556a]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 45 +++++++++++++++++++++++++++++++++++----------
+ tests/auth-test.c          | 19 +++++++++++--------
+ 2 files changed, 46 insertions(+), 18 deletions(-)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 263a15a..393adb6 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -132,6 +132,19 @@ soup_auth_digest_get_qop (SoupAuthDigestQop qop)
+ 	return g_string_free (out, FALSE);
+ }
+ 
++static gboolean
++validate_params (SoupAuthDigest *auth_digest)
++{
++        SoupAuthDigestPrivate *priv = soup_auth_digest_get_instance_private (auth_digest);
++
++        if (priv->qop || priv->algorithm == SOUP_AUTH_DIGEST_ALGORITHM_MD5_SESS) {
++                if (!priv->nonce)
++                        return FALSE;
++        }
++
++        return TRUE;
++}
++
+ static gboolean
+ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ 			 GHashTable *auth_params)
+@@ -169,16 +182,21 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ 	if (priv->algorithm == -1)
+ 		ok = FALSE;
+ 
+-	stale = g_hash_table_lookup (auth_params, "stale");
+-	if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
+-		recompute_hex_a1 (priv);
+-	else {
+-		g_free (priv->user);
+-		priv->user = NULL;
+-		g_free (priv->cnonce);
+-		priv->cnonce = NULL;
+-		memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+-		memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
++        if (!validate_params (auth_digest))
++                ok = FALSE;
++
++        if (ok) {
++                stale = g_hash_table_lookup (auth_params, "stale");
++                if (stale && !g_ascii_strcasecmp (stale, "TRUE") && *priv->hex_urp)
++                        recompute_hex_a1 (priv);
++                else {
++                        g_free (priv->user);
++                        priv->user = NULL;
++                        g_free (priv->cnonce);
++                        priv->cnonce = NULL;
++                        memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
++                        memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
++                }
+         }
+ 
+ 	return ok;
+@@ -269,6 +287,8 @@ soup_auth_digest_compute_hex_a1 (const char              *hex_urp,
+ 
+ 		/* In MD5-sess, A1 is hex_urp:nonce:cnonce */
+ 
++                g_assert (nonce && cnonce);
++
+ 		checksum = g_checksum_new (G_CHECKSUM_MD5);
+ 		g_checksum_update (checksum, (guchar *)hex_urp, strlen (hex_urp));
+ 		g_checksum_update (checksum, (guchar *)":", 1);
+@@ -359,6 +379,8 @@ soup_auth_digest_compute_response (const char        *method,
+ 	if (qop) {
+ 		char tmp[9];
+ 
++                g_assert (cnonce);
++
+ 		g_snprintf (tmp, 9, "%.8x", nc);
+ 		g_checksum_update (checksum, (guchar *)tmp, strlen (tmp));
+ 		g_checksum_update (checksum, (guchar *)":", 1);
+@@ -422,6 +444,9 @@ soup_auth_digest_get_authorization (SoupAuth *auth, SoupMessage *msg)
+ 	g_return_val_if_fail (uri != NULL, NULL);
+ 	url = soup_uri_to_string (uri, TRUE);
+ 
++        g_assert (priv->nonce);
++        g_assert (!priv->qop || priv->cnonce);
++
+ 	soup_auth_digest_compute_response (msg->method, url, priv->hex_a1,
+ 					   priv->qop, priv->nonce,
+ 					   priv->cnonce, priv->nc,
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index dfc6b09..6fb1e4a 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1550,16 +1550,17 @@ do_cancel_after_retry_test (void)
+ }
+ 
+ static void
+-on_request_read_for_missing_realm (SoupServer        *server,
+-                                   SoupServerMessage *msg,
+-                                   gpointer           user_data)
++on_request_read_for_missing_params (SoupServer        *server,
++                                      SoupServerMessage *msg,
++                                      gpointer           user_data)
+ {
++        const char *auth_header = user_data;
+         SoupMessageHeaders *response_headers = soup_server_message_get_response_headers (msg);
+-        soup_message_headers_replace (response_headers, "WWW-Authenticate", "Digest qop=\"auth\"");
++        soup_message_headers_replace (response_headers, "WWW-Authenticate", auth_header);
+ }
+ 
+ static void
+-do_missing_realm_test (void)
++do_missing_params_test (gconstpointer auth_header)
+ {
+         SoupSession *session;
+         SoupMessage *msg;
+@@ -1582,8 +1583,8 @@ do_missing_realm_test (void)
+         g_object_unref (digest_auth_domain);
+ 
+         g_signal_connect (server, "request-read",
+-                          G_CALLBACK (on_request_read_for_missing_realm),
+-                          NULL);
++                          G_CALLBACK (on_request_read_for_missing_params),
++                          (gpointer)auth_header);
+ 
+         session = soup_test_session_new (NULL);
+         msg = soup_message_new_from_uri ("GET", uri);
+@@ -1625,7 +1626,9 @@ main (int argc, char **argv)
+ 	g_test_add_func ("/auth/async-message-do-not-use-auth-cache", do_async_message_do_not_use_auth_cache_test);
+ 	g_test_add_func ("/auth/authorization-header-request", do_message_has_authorization_header_test);
+ 	g_test_add_func ("/auth/cancel-after-retry", do_cancel_after_retry_test);
+-        g_test_add_func ("/auth/missing-realm", do_missing_realm_test);
++        g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
++        g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
++        g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
+ 
+ 	ret = g_test_run ();
+ 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
new file mode 100644
index 0000000000..ab0f650804
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32910-3.patch
@@ -0,0 +1,26 @@
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 13:52:52 -0600
+Subject: auth-digest: Fix leak
+
+(cherry picked from commit ea16eeacb052e423eb5c3b0b705e5eab34b13832)
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32910-3.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/ea16eeacb052e423eb5c3b0b705e5eab34b13832]
+CVE: CVE-2025-32910
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index 393adb6..a1db188 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -66,6 +66,7 @@ soup_auth_digest_finalize (GObject *object)
+ 	g_free (priv->nonce);
+ 	g_free (priv->domain);
+ 	g_free (priv->cnonce);
++        g_free (priv->opaque);
+ 
+ 	memset (priv->hex_urp, 0, sizeof (priv->hex_urp));
+ 	memset (priv->hex_a1, 0, sizeof (priv->hex_a1));
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index fa4dece0e9..b27c56895b 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -23,6 +23,9 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-32906-2.patch \
            file://CVE-2025-32909.patch \
            file://CVE-2025-46420.patch \
+           file://CVE-2025-32910-1.patch \
+           file://CVE-2025-32910-2.patch \
+           file://CVE-2025-32910-3.patch \
           "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 
-- 
2.43.0

[OE-core][scarthgap 02/11] libsoup-2.4: Fix CVE-2025-32911 & CVE-2025-32913

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from
https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34
& https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../CVE-2025-32911_CVE-2025-32913-1.patch     | 72 +++++++++++++++++++
 .../CVE-2025-32911_CVE-2025-32913-2.patch     | 44 ++++++++++++
 .../libsoup/libsoup-2.4_2.74.3.bb             |  2 +
 3 files changed, 118 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch
new file mode 100644
index 0000000000..4652635294
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-1.patch
@@ -0,0 +1,72 @@
+From 7b4ef0e004ece3a308ccfaa714c284f4c96ade34 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 17:53:50 -0600
+Subject: [PATCH] soup_message_headers_get_content_disposition: Fix NULL deref
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/7b4ef0e004ece3a308ccfaa714c284f4c96ade34]
+CVE: CVE-2025-32911 CVE-2025-32913 #Dependency Patch
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-message-headers.c | 13 +++++++++----
+ tests/header-parsing-test.c    | 14 ++++++++++++++
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
+index 56cc1e9d..04f4c302 100644
+--- a/libsoup/soup-message-headers.c
++++ b/libsoup/soup-message-headers.c
+@@ -1660,10 +1660,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders  *hdrs,
+ 	 */
+ 	if (params && g_hash_table_lookup_extended (*params, "filename",
+ 						    &orig_key, &orig_value)) {
+-		char *filename = strrchr (orig_value, '/');
+-
+-		if (filename)
+-			g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
++                if (orig_value) {
++                        char *filename = strrchr (orig_value, '/');
++
++                        if (filename)
++                                g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
++                } else {
++                        /* filename with no value isn't valid. */
++                        g_hash_table_remove (*params, "filename");
++                }
+ 	}
+ 	return TRUE;
+ }
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index 5e423d2b..d0b360c8 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -1039,6 +1039,7 @@ do_param_list_tests (void)
+ #define RFC5987_TEST_HEADER_FALLBACK "attachment; filename*=Unknown''t%FF%FF%FFst.txt; filename=\"test.txt\""
+ #define RFC5987_TEST_HEADER_NO_TYPE  "filename=\"test.txt\""
+ #define RFC5987_TEST_HEADER_NO_TYPE_2  "filename=\"test.txt\"; foo=bar"
++#define RFC5987_TEST_HEADER_EMPTY_FILENAME ";filename"
+ 
+ static void
+ do_content_disposition_tests (void)
+@@ -1139,6 +1140,19 @@ do_content_disposition_tests (void)
+         g_assert_cmpstr (parameter2, ==, "bar");
+ 	g_hash_table_destroy (params);
+ 
++        /* Empty filename */
++        soup_message_headers_clear (hdrs);
++        soup_message_headers_append (hdrs, "Content-Disposition",
++				     RFC5987_TEST_HEADER_EMPTY_FILENAME);
++	if (!soup_message_headers_get_content_disposition (hdrs,
++							   &disposition,
++							   &params)) {
++		soup_test_assert (FALSE, "empty filename decoding FAILED");
++		return;
++	}
++        g_assert_false (g_hash_table_contains (params, "filename"));
++	g_hash_table_destroy (params);
++
+ 	soup_message_headers_free (hdrs);
+ 
+ 	/* Ensure that soup-multipart always quotes filename */
+-- 
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch
new file mode 100644
index 0000000000..5d9f33c736
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32911_CVE-2025-32913-2.patch
@@ -0,0 +1,44 @@
+From f4a761fb66512fff59798765e8ac5b9e57dceef0 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Fri, 27 Dec 2024 18:00:39 -0600
+Subject: [PATCH] soup_message_headers_get_content_disposition: strdup
+ truncated filenames
+
+This table frees the strings it contains.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/f4a761fb66512fff59798765e8ac5b9e57dceef0]
+CVE: CVE-2025-32911 CVE-2025-32913
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-message-headers.c | 2 +-
+ tests/header-parsing-test.c    | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
+index 04f4c302..ee7a3cb1 100644
+--- a/libsoup/soup-message-headers.c
++++ b/libsoup/soup-message-headers.c
+@@ -1664,7 +1664,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders  *hdrs,
+                         char *filename = strrchr (orig_value, '/');
+ 
+                         if (filename)
+-                                g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
++                                g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
+                 } else {
+                         /* filename with no value isn't valid. */
+                         g_hash_table_remove (*params, "filename");
+diff --git a/tests/header-parsing-test.c b/tests/header-parsing-test.c
+index d0b360c8..07ea2866 100644
+--- a/tests/header-parsing-test.c
++++ b/tests/header-parsing-test.c
+@@ -1150,6 +1150,7 @@ do_content_disposition_tests (void)
+ 		soup_test_assert (FALSE, "empty filename decoding FAILED");
+ 		return;
+ 	}
++        g_free (disposition);
+         g_assert_false (g_hash_table_contains (params, "filename"));
+ 	g_hash_table_destroy (params);
+ 
+-- 
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index b27c56895b..8d974c2d59 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -26,6 +26,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-32910-1.patch \
            file://CVE-2025-32910-2.patch \
            file://CVE-2025-32910-3.patch \
+           file://CVE-2025-32911_CVE-2025-32913-1.patch \
+           file://CVE-2025-32911_CVE-2025-32913-2.patch \
           "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 
-- 
2.43.0

[OE-core][scarthgap 03/11] libsoup-2.4: Fix CVE-2025-32912

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

Upstream-Status: Backport from
https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992
& https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup-2.4/CVE-2025-32912-1.patch        | 41 +++++++++++++++++++
 .../libsoup-2.4/CVE-2025-32912-2.patch        | 30 ++++++++++++++
 .../libsoup/libsoup-2.4_2.74.3.bb             |  2 +
 3 files changed, 73 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch
new file mode 100644
index 0000000000..2a6f37cb58
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-1.patch
@@ -0,0 +1,41 @@
+From cd077513f267e43ce4b659eb18a1734d8a369992 Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Wed, 5 Feb 2025 14:03:05 -0600
+Subject: [PATCH 1/2] auth-digest: Handle missing nonce
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/cd077513f267e43ce4b659eb18a1734d8a369992]
+CVE: CVE-2025-32912
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 2 +-
+ tests/auth-test.c          | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index a1db188..f0edb81 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ 	guint qop_options;
+ 	gboolean ok = TRUE;
+ 
+-        if (!soup_auth_get_realm (auth))
++        if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
+                 return FALSE;
+ 
+ 	g_free (priv->domain);
+diff --git a/tests/auth-test.c b/tests/auth-test.c
+index 6fb1e4a..343d7a5 100644
+--- a/tests/auth-test.c
++++ b/tests/auth-test.c
+@@ -1629,6 +1629,7 @@ main (int argc, char **argv)
+         g_test_add_data_func ("/auth/missing-params/realm", "Digest qop=\"auth\"", do_missing_params_test);
+         g_test_add_data_func ("/auth/missing-params/nonce", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\"", do_missing_params_test);
+         g_test_add_data_func ("/auth/missing-params/nonce-md5-sess", "Digest realm=\"auth-test\", qop=\"auth,auth-int\", opaque=\"5ccc069c403ebaf9f0171e9517f40e41\" algorithm=\"MD5-sess\"", do_missing_params_test);
++	g_test_add_data_func ("/auth/missing-params/nonce-and-qop", "Digest realm=\"auth-test\"", do_missing_params_test);
+ 
+ 	ret = g_test_run ();
+ 
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch
new file mode 100644
index 0000000000..4898068115
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32912-2.patch
@@ -0,0 +1,30 @@
+From 910ebdcd3dd82386717a201c13c834f3a63eed7f Mon Sep 17 00:00:00 2001
+From: Patrick Griffis <pgriffis@igalia.com>
+Date: Sat, 8 Feb 2025 12:30:13 -0600
+Subject: [PATCH 2/2] digest-auth: Handle NULL nonce
+
+`contains` only handles a missing nonce, `lookup` handles both missing and empty.
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/910ebdcd3dd82386717a201c13c834f3a63eed7f]
+CVE: CVE-2025-32912
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-auth-digest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-auth-digest.c b/libsoup/soup-auth-digest.c
+index f0edb81..c49ffd9 100644
+--- a/libsoup/soup-auth-digest.c
++++ b/libsoup/soup-auth-digest.c
+@@ -156,7 +156,7 @@ soup_auth_digest_update (SoupAuth *auth, SoupMessage *msg,
+ 	guint qop_options;
+ 	gboolean ok = TRUE;
+ 
+-        if (!soup_auth_get_realm (auth) || !g_hash_table_contains (auth_params, "nonce"))
++        if (!soup_auth_get_realm (auth) || !g_hash_table_lookup (auth_params, "nonce"))
+                 return FALSE;
+ 
+ 	g_free (priv->domain);
+-- 
+2.25.1
+
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index 8d974c2d59..509026c4ff 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -28,6 +28,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-32910-3.patch \
            file://CVE-2025-32911_CVE-2025-32913-1.patch \
            file://CVE-2025-32911_CVE-2025-32913-2.patch \
+           file://CVE-2025-32912-1.patch \
+           file://CVE-2025-32912-2.patch \
           "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 
-- 
2.43.0

[OE-core][scarthgap 04/11] libsoup-2.4: Fix CVE-2025-32914

[Steve Sakoman]

From: Vijay Anusuri <vanusuri@mvista.com>

import patch from debian to fix
 CVE-2025-32914

Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/tree/debian/bullseye/debian/patches?ref_type=heads
Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]

Reference:
https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/450
https://security-tracker.debian.org/tracker/CVE-2025-32914

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup/libsoup-2.4/CVE-2025-32914.patch  | 137 ++++++++++++++++++
 .../libsoup/libsoup-2.4_2.74.3.bb             |   1 +
 2 files changed, 138 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch

diff --git a/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
new file mode 100644
index 0000000000..e6d4607b5e
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-2.4/CVE-2025-32914.patch
@@ -0,0 +1,137 @@
+From: Milan Crha <mcrha@redhat.com>
+Date: Tue, 15 Apr 2025 09:03:00 +0200
+Subject: multipart: Fix read out of buffer bounds under
+ soup_multipart_new_from_message()
+
+This is CVE-2025-32914, special crafted input can cause read out of buffer bounds
+of the body argument.
+
+Closes #436
+
+(cherry picked from commit 5bfcf8157597f2d327050114fb37ff600004dbcf)
+
+Upstream-Status: Backport [import from debian https://salsa.debian.org/gnome-team/libsoup/-/blob/debian/bullseye/debian/patches/CVE-2025-32914.patch?ref_type=heads
+Upstream commit https://gitlab.gnome.org/GNOME/libsoup/-/commit/5bfcf8157597f2d327050114fb37ff600004dbcf]
+CVE: CVE-2025-32914
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ libsoup/soup-multipart.c |  2 +-
+ tests/multipart-test.c   | 85 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 86 insertions(+), 1 deletion(-)
+
+diff --git a/libsoup/soup-multipart.c b/libsoup/soup-multipart.c
+index a7e550f..dd93973 100644
+--- a/libsoup/soup-multipart.c
++++ b/libsoup/soup-multipart.c
+@@ -181,7 +181,7 @@ soup_multipart_new_from_message (SoupMessageHeaders *headers,
+ 			return NULL;
+ 		}
+ 
+-		split = strstr (start, "\r\n\r\n");
++		split = g_strstr_len (start, body_end - start, "\r\n\r\n");
+ 		if (!split || split > end) {
+ 			soup_multipart_free (multipart);
+ 			soup_buffer_free (flattened);
+diff --git a/tests/multipart-test.c b/tests/multipart-test.c
+index 64a5ebf..834b181 100644
+--- a/tests/multipart-test.c
++++ b/tests/multipart-test.c
+@@ -479,6 +479,89 @@ test_multipart (gconstpointer data)
+ 	g_main_loop_unref (loop);
+ }
+ 
++static void
++test_multipart_bounds_good (void)
++{
++	#define TEXT "line1\r\nline2"
++	SoupMultipart *multipart;
++	SoupMessageHeaders *headers, *set_headers = NULL;
++	//GBytes *bytes, *set_bytes = NULL;
++	GBytes *bytes;
++	const char *raw_data = "--123\r\nContent-Type: text/plain;\r\n\r\n" TEXT "\r\n--123--\r\n";
++	gboolean success;
++	SoupMessageBody *body = soup_message_body_new ();
++	SoupBuffer *set_buffer = NULL;
++	gconstpointer data;
++	gsize size;
++
++	headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++	soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++	bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++	data = g_bytes_get_data(bytes, NULL);
++	size = g_bytes_get_size(bytes);
++
++	soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size);
++
++	//multipart = soup_multipart_new_from_message (headers, bytes);
++	multipart = soup_multipart_new_from_message (headers, body);
++
++	soup_message_body_free (body);
++
++	g_assert_nonnull (multipart);
++	g_assert_cmpint (soup_multipart_get_length (multipart), ==, 1);
++	success = soup_multipart_get_part (multipart, 0, &set_headers, &set_buffer);
++	g_assert_true (success);
++	g_assert_nonnull (set_headers);
++	//g_assert_nonnull (set_bytes);
++	g_assert_nonnull (set_buffer);
++	//g_assert_cmpint (strlen (TEXT), ==, g_bytes_get_size (set_bytes));
++	g_assert_cmpint (strlen (TEXT), ==, set_buffer->length);
++	g_assert_cmpstr ("text/plain", ==, soup_message_headers_get_content_type (set_headers, NULL));
++	//g_assert_cmpmem (TEXT, strlen (TEXT), g_bytes_get_data (set_bytes, NULL), g_bytes_get_size (set_bytes));
++	g_assert_cmpmem(TEXT, strlen(TEXT), set_buffer->data, set_buffer->length);
++
++	soup_message_headers_free (headers);
++	g_bytes_unref (bytes);
++
++	soup_multipart_free (multipart);
++
++	#undef TEXT
++}
++
++static void
++test_multipart_bounds_bad (void)
++{
++	SoupMultipart *multipart;
++	SoupMessageHeaders *headers;
++	GBytes *bytes;
++	const char *raw_data = "--123\r\nContent-Type: text/plain;\r\nline1\r\nline2\r\n--123--\r\n";
++	SoupMessageBody *body = soup_message_body_new ();
++	gconstpointer data;
++	gsize size;
++
++	headers = soup_message_headers_new (SOUP_MESSAGE_HEADERS_MULTIPART);
++	soup_message_headers_append (headers, "Content-Type", "multipart/mixed; boundary=\"123\"");
++
++	bytes = g_bytes_new (raw_data, strlen (raw_data));
++
++	data = g_bytes_get_data(bytes, NULL);
++	size = g_bytes_get_size(bytes);
++
++	soup_message_body_append(body, SOUP_MEMORY_STATIC, data, size);
++
++	/* it did read out of raw_data/bytes bounds */
++	//multipart = soup_multipart_new_from_message (headers, bytes);
++	multipart = soup_multipart_new_from_message (headers, body);
++	g_assert_null (multipart);
++
++	soup_message_body_free (body);
++
++	soup_message_headers_free (headers);
++	g_bytes_unref (bytes);
++}
++
+ int
+ main (int argc, char **argv)
+ {
+@@ -508,6 +591,8 @@ main (int argc, char **argv)
+ 	g_test_add_data_func ("/multipart/sync", GINT_TO_POINTER (SYNC_MULTIPART), test_multipart);
+ 	g_test_add_data_func ("/multipart/async", GINT_TO_POINTER (ASYNC_MULTIPART), test_multipart);
+ 	g_test_add_data_func ("/multipart/async-small-reads", GINT_TO_POINTER (ASYNC_MULTIPART_SMALL_READS), test_multipart);
++	g_test_add_func ("/multipart/bounds-good", test_multipart_bounds_good);
++	g_test_add_func ("/multipart/bounds-bad", test_multipart_bounds_bad);
+ 
+ 	ret = g_test_run ();
+ 
diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
index 509026c4ff..b986e2eea2 100644
--- a/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
+++ b/meta/recipes-support/libsoup/libsoup-2.4_2.74.3.bb
@@ -30,6 +30,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-32911_CVE-2025-32913-2.patch \
            file://CVE-2025-32912-1.patch \
            file://CVE-2025-32912-2.patch \
+           file://CVE-2025-32914.patch \
           "
 SRC_URI[sha256sum] = "e4b77c41cfc4c8c5a035fcdc320c7bc6cfb75ef7c5a034153df1413fa1d92f13"
 
-- 
2.43.0

[OE-core][scarthgap 05/11] binutils: Fix CVE-2025-1179

[Steve Sakoman]

From: Harish Sadineni <Harish.Sadineni@windriver.com>

CVE-2025-1179-pre.patch is dependency patch for CVE-2025-1179.patch

Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141322.html &&
https://sourceware.org/pipermail/binutils/2025-May/141321.html]
CVE: CVE-2025-1179

cherry picked from upstream commit:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=67e30b15212adc1502b898a1ca224fdf65dc110d
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1d68a49ac5d71b648304f69af978fce0f4413800

Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../binutils/binutils-2.42.inc                |    2 +
 .../binutils/binutils/CVE-2025-1179-pre.patch | 1086 +++++++++++++++++
 .../binutils/binutils/CVE-2025-1179.patch     |  269 ++++
 3 files changed, 1357 insertions(+)
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1179-pre.patch
 create mode 100644 meta/recipes-devtools/binutils/binutils/CVE-2025-1179.patch

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index bc826753cf..6d0390b5a9 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -48,5 +48,7 @@ SRC_URI = "\
      file://0019-CVE-2025-1153-1.patch \
      file://0020-CVE-2025-1153-2.patch \
      file://0021-CVE-2025-1153-3.patch \
+     file://CVE-2025-1179-pre.patch \
+     file://CVE-2025-1179.patch \
 "
 S  = "${WORKDIR}/git"
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1179-pre.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1179-pre.patch
new file mode 100644
index 0000000000..b5bf27ec6d
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1179-pre.patch
@@ -0,0 +1,1086 @@
+From 1d68a49ac5d71b648304f69af978fce0f4413800 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Tue, 23 Jul 2024 23:39:50 -0700
+Subject: [PATCH 1/2] x86: Improve TLS transition error check
+
+Provide detailed TLS transition errors when unsupported instructions are
+used.  Treat R_X86_64_CODE_4_GOTTPOFF and R_X86_64_CODE_6_GOTTPOFF as
+R_X86_64_GOTTPOFF when performing TLS transition.
+
+bfd/
+
+	PR ld/32017
+	* elf32-i386.c (elf_i386_check_tls_transition): Return different
+	enums for different errors.
+	(elf_i386_tls_transition): Change argument from r_symndx to sym.
+	Call _bfd_x86_elf_link_report_tls_transition_error to report TLS
+	transition errors.
+	(elf_i386_scan_relocs): Pass isym instead of r_symndx to
+	elf_i386_tls_transition.
+	(elf_i386_relocate_section): Pass sym instead of r_symndx to
+	elf_i386_tls_transition.
+	* elf64-x86-64.c (elf_x86_64_check_tls_transition): Return
+	different enums for different errors.
+	(elf_x86_64_tls_transition): Change argument from r_symndx to sym.
+	Treat R_X86_64_CODE_4_GOTTPOFF and R_X86_64_CODE_6_GOTTPOFF as
+	R_X86_64_GOTTPOFF.  Call
+	_bfd_x86_elf_link_report_tls_transition_error to report TLS
+	transition errors.
+	(elf_x86_64_scan_relocs): Pass isym instead of r_symndx to
+	elf_x86_64_tls_transition.
+	(elf_x86_64_relocate_section): Pass sym instead of r_symndx to
+	elf_x86_64_tls_transition.
+	* elfxx-x86.c (_bfd_x86_elf_link_report_tls_transition_error): New.
+	* elfxx-x86.h (elf_x86_tls_error_type): Likewise.
+	(_bfd_x86_elf_link_report_tls_transition_error): Likewise.
+
+ld/
+
+	PR ld/32017
+	* testsuite/ld-i386/i386.exp: Run tlsgdesc1 and tlsgdesc2.
+	* testsuite/ld-i386/tlsie2.d: Updated.
+	* testsuite/ld-i386/tlsie3.d: Likewise.
+	* testsuite/ld-i386/tlsie4.d: Likewise.
+	* testsuite/ld-i386/tlsie5.d: Likewise.
+	* testsuite/ld-x86-64/tlsie2.d: Likewise.
+	* testsuite/ld-x86-64/tlsie3.d: Likewise.
+	* testsuite/ld-i386/tlsgdesc1.d: New file.
+	* testsuite/ld-i386/tlsgdesc1.s: Likewise.
+	* testsuite/ld-i386/tlsgdesc2.d: Likewise.
+	* testsuite/ld-i386/tlsgdesc2.s: Likewise.
+	* testsuite/ld-x86-64/tlsdesc3.d: Likewise.
+	* testsuite/ld-x86-64/tlsdesc3.s: Likewise.
+	* testsuite/ld-x86-64/tlsdesc4.d: Likewise.
+	* testsuite/ld-x86-64/tlsdesc4.s: Likewise.
+	* testsuite/ld-x86-64/tlsie5.d: Likewise.
+	* testsuite/ld-x86-64/tlsie5.s: Likewise.
+	* testsuite/ld-x86-64/x86-64.exp: Run tlsie5, tlsdesc3 and
+	tlsdesc4.
+
+(cherry picked from commit:1d68a49ac5d71b648304f69af978fce0f4413800)
+Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141322.html]
+CVE: CVE-2025-1179
+
+Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
+---
+ bfd/elf32-i386.c                  | 118 +++++++++++++-------------
+ bfd/elf64-x86-64.c                | 133 ++++++++++++++++--------------
+ bfd/elfxx-x86.c                   |  85 +++++++++++++++++++
+ bfd/elfxx-x86.h                   |  18 ++++
+ ld/testsuite/ld-i386/i386.exp     |   2 +
+ ld/testsuite/ld-i386/tlsgdesc1.d  |   4 +
+ ld/testsuite/ld-i386/tlsgdesc1.s  |  11 +++
+ ld/testsuite/ld-i386/tlsgdesc2.d  |   4 +
+ ld/testsuite/ld-i386/tlsgdesc2.s  |  11 +++
+ ld/testsuite/ld-i386/tlsie2.d     |   2 +-
+ ld/testsuite/ld-i386/tlsie3.d     |   2 +-
+ ld/testsuite/ld-i386/tlsie4.d     |   2 +-
+ ld/testsuite/ld-i386/tlsie5.d     |   2 +-
+ ld/testsuite/ld-x86-64/tlsdesc3.d |   4 +
+ ld/testsuite/ld-x86-64/tlsdesc3.s |  13 +++
+ ld/testsuite/ld-x86-64/tlsdesc4.d |   4 +
+ ld/testsuite/ld-x86-64/tlsdesc4.s |  13 +++
+ ld/testsuite/ld-x86-64/tlsie2.d   |   2 +-
+ ld/testsuite/ld-x86-64/tlsie3.d   |   2 +-
+ ld/testsuite/ld-x86-64/tlsie5.d   |   4 +
+ ld/testsuite/ld-x86-64/tlsie5.s   |  12 +++
+ ld/testsuite/ld-x86-64/x86-64.exp |   3 +
+ 22 files changed, 319 insertions(+), 132 deletions(-)
+ create mode 100644 ld/testsuite/ld-i386/tlsgdesc1.d
+ create mode 100644 ld/testsuite/ld-i386/tlsgdesc1.s
+ create mode 100644 ld/testsuite/ld-i386/tlsgdesc2.d
+ create mode 100644 ld/testsuite/ld-i386/tlsgdesc2.s
+ create mode 100644 ld/testsuite/ld-x86-64/tlsdesc3.d
+ create mode 100644 ld/testsuite/ld-x86-64/tlsdesc3.s
+ create mode 100644 ld/testsuite/ld-x86-64/tlsdesc4.d
+ create mode 100644 ld/testsuite/ld-x86-64/tlsdesc4.s
+ create mode 100644 ld/testsuite/ld-x86-64/tlsie5.d
+ create mode 100644 ld/testsuite/ld-x86-64/tlsie5.s
+
+diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
+index e2f88a11487..18a28d2491c 100644
+--- a/bfd/elf32-i386.c
++++ b/bfd/elf32-i386.c
+@@ -839,7 +839,7 @@ static const struct elf_x86_non_lazy_plt_layout elf_i386_non_lazy_ibt_plt =
+ /* Return TRUE if the TLS access code sequence support transition
+    from R_TYPE.  */
+ 
+-static bool
++static enum elf_x86_tls_error_type
+ elf_i386_check_tls_transition (asection *sec,
+ 			       bfd_byte *contents,
+ 			       Elf_Internal_Shdr *symtab_hdr,
+@@ -861,7 +861,7 @@ elf_i386_check_tls_transition (asection *sec,
+     case R_386_TLS_GD:
+     case R_386_TLS_LDM:
+       if (offset < 2 || (rel + 1) >= relend)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       indirect_call = false;
+       call = contents + offset + 4;
+@@ -884,19 +884,19 @@ elf_i386_check_tls_transition (asection *sec,
+ 	     can transit to different access model.  */
+ 	  if ((offset + 10) > sec->size
+ 	      || (type != 0x8d && type != 0x04))
+-	    return false;
++	    return elf_x86_tls_error_yes;
+ 
+ 	  if (type == 0x04)
+ 	    {
+ 	      /* leal foo@tlsgd(,%ebx,1), %eax
+ 		 call ___tls_get_addr@PLT  */
+ 	      if (offset < 3)
+-		return false;
++		return elf_x86_tls_error_yes;
+ 
+ 	      if (*(call - 7) != 0x8d
+ 		  || val != 0x1d
+ 		  || call[0] != 0xe8)
+-		return false;
++		return elf_x86_tls_error_yes;
+ 	    }
+ 	  else
+ 	    {
+@@ -914,7 +914,7 @@ elf_i386_check_tls_transition (asection *sec,
+ 		 is used to pass parameter to ___tls_get_addr.  */
+ 	      reg = val & 7;
+ 	      if ((val & 0xf8) != 0x80 || reg == 4 || reg == 0)
+-		return false;
++		return elf_x86_tls_error_yes;
+ 
+ 	      indirect_call = call[0] == 0xff;
+ 	      if (!(reg == 3 && call[0] == 0xe8 && call[5] == 0x90)
+@@ -922,7 +922,7 @@ elf_i386_check_tls_transition (asection *sec,
+ 		  && !(indirect_call
+ 		       && (call[1] & 0xf8) == 0x90
+ 		       && (call[1] & 0x7) == reg))
+-		return false;
++		return elf_x86_tls_error_yes;
+ 	    }
+ 	}
+       else
+@@ -937,13 +937,13 @@ elf_i386_check_tls_transition (asection *sec,
+ 		addr32 call ___tls_get_addr
+ 	     can transit to different access model.  */
+ 	  if (type != 0x8d || (offset + 9) > sec->size)
+-	    return false;
++	    return elf_x86_tls_error_yes;
+ 
+ 	  /* %eax can't be used as the GOT base register since it is
+ 	     used to pass parameter to ___tls_get_addr.  */
+ 	  reg = val & 7;
+ 	  if ((val & 0xf8) != 0x80 || reg == 4 || reg == 0)
+-	    return false;
++	    return elf_x86_tls_error_yes;
+ 
+ 	  indirect_call = call[0] == 0xff;
+ 	  if (!(reg == 3 && call[0] == 0xe8)
+@@ -951,23 +951,27 @@ elf_i386_check_tls_transition (asection *sec,
+ 	      && !(indirect_call
+ 		   && (call[1] & 0xf8) == 0x90
+ 		   && (call[1] & 0x7) == reg))
+-	    return false;
++	    return elf_x86_tls_error_yes;
+ 	}
+ 
+       r_symndx = ELF32_R_SYM (rel[1].r_info);
+       if (r_symndx < symtab_hdr->sh_info)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       h = sym_hashes[r_symndx - symtab_hdr->sh_info];
+       if (h == NULL
+ 	  || !((struct elf_x86_link_hash_entry *) h)->tls_get_addr)
+-	return false;
++	return elf_x86_tls_error_yes;
+       else if (indirect_call)
+-	return (ELF32_R_TYPE (rel[1].r_info) == R_386_GOT32X
+-		|| ELF32_R_TYPE (rel[1].r_info) == R_386_GOT32);
++	return ((ELF32_R_TYPE (rel[1].r_info) == R_386_GOT32X
++		 || ELF32_R_TYPE (rel[1].r_info) == R_386_GOT32)
++		? elf_x86_tls_error_none
++		: elf_x86_tls_error_yes);
+       else
+-	return (ELF32_R_TYPE (rel[1].r_info) == R_386_PC32
+-		|| ELF32_R_TYPE (rel[1].r_info) == R_386_PLT32);
++	return ((ELF32_R_TYPE (rel[1].r_info) == R_386_PC32
++		|| ELF32_R_TYPE (rel[1].r_info) == R_386_PLT32)
++		? elf_x86_tls_error_none
++		: elf_x86_tls_error_yes);
+ 
+     case R_386_TLS_IE:
+       /* Check transition from IE access model:
+@@ -977,20 +981,23 @@ elf_i386_check_tls_transition (asection *sec,
+        */
+ 
+       if (offset < 1 || (offset + 4) > sec->size)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       /* Check "movl foo@tpoff(%rip), %eax" first.  */
+       val = bfd_get_8 (abfd, contents + offset - 1);
+       if (val == 0xa1)
+-	return true;
++	return elf_x86_tls_error_none;
+ 
+       if (offset < 2)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       /* Check movl|addl foo@tpoff(%rip), %reg.   */
+       type = bfd_get_8 (abfd, contents + offset - 2);
+-      return ((type == 0x8b || type == 0x03)
+-	      && (val & 0xc7) == 0x05);
++      if (type != 0x8b && type != 0x03)
++	return elf_x86_tls_error_add_mov;
++      return ((val & 0xc7) == 0x05
++	      ? elf_x86_tls_error_none
++	      : elf_x86_tls_error_yes);
+ 
+     case R_386_TLS_GOTIE:
+     case R_386_TLS_IE_32:
+@@ -1001,14 +1008,16 @@ elf_i386_check_tls_transition (asection *sec,
+        */
+ 
+       if (offset < 2 || (offset + 4) > sec->size)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       val = bfd_get_8 (abfd, contents + offset - 1);
+       if ((val & 0xc0) != 0x80 || (val & 7) == 4)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       type = bfd_get_8 (abfd, contents + offset - 2);
+-      return type == 0x8b || type == 0x2b || type == 0x03;
++      return (type == 0x8b || type == 0x2b || type == 0x03
++	      ? elf_x86_tls_error_none
++	      : elf_x86_tls_error_add_sub_mov);
+ 
+     case R_386_TLS_GOTDESC:
+       /* Check transition from GDesc access model:
+@@ -1019,13 +1028,15 @@ elf_i386_check_tls_transition (asection *sec,
+ 	 going to be eax.  */
+ 
+       if (offset < 2 || (offset + 4) > sec->size)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       if (bfd_get_8 (abfd, contents + offset - 2) != 0x8d)
+-	return false;
++	return elf_x86_tls_error_lea;
+ 
+       val = bfd_get_8 (abfd, contents + offset - 1);
+-      return (val & 0xc7) == 0x83;
++      return ((val & 0xc7) == 0x83
++	      ? elf_x86_tls_error_none
++	      : elf_x86_tls_error_yes);
+ 
+     case R_386_TLS_DESC_CALL:
+       /* Check transition from GDesc access model:
+@@ -1035,10 +1046,12 @@ elf_i386_check_tls_transition (asection *sec,
+ 	{
+ 	  /* Make sure that it's a call *x@tlsdesc(%eax).  */
+ 	  call = contents + offset;
+-	  return call[0] == 0xff && call[1] == 0x10;
++	  return (call[0] == 0xff && call[1] == 0x10
++		  ? elf_x86_tls_error_none
++		  : elf_x86_tls_error_indirect_call);
+ 	}
+ 
+-      return false;
++      return elf_x86_tls_error_yes;
+ 
+     default:
+       abort ();
+@@ -1057,7 +1070,7 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd,
+ 			 const Elf_Internal_Rela *rel,
+ 			 const Elf_Internal_Rela *relend,
+ 			 struct elf_link_hash_entry *h,
+-			 unsigned long r_symndx,
++			 Elf_Internal_Sym *sym,
+ 			 bool from_relocate_section)
+ {
+   unsigned int from_type = *r_type;
+@@ -1142,43 +1155,24 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd,
+     return true;
+ 
+   /* Check if the transition can be performed.  */
++  enum elf_x86_tls_error_type tls_error;
+   if (check
+-      && ! elf_i386_check_tls_transition (sec, contents,
+-					  symtab_hdr, sym_hashes,
+-					  from_type, rel, relend))
++      && ((tls_error = elf_i386_check_tls_transition (sec, contents,
++						      symtab_hdr,
++						      sym_hashes,
++						      from_type, rel,
++						      relend))
++	  != elf_x86_tls_error_none))
+     {
+       reloc_howto_type *from, *to;
+-      const char *name;
+ 
+       from = elf_i386_rtype_to_howto (from_type);
+       to = elf_i386_rtype_to_howto (to_type);
+ 
+-      if (h)
+-	name = h->root.root.string;
+-      else
+-	{
+-	  struct elf_x86_link_hash_table *htab;
+-
+-	  htab = elf_x86_hash_table (info, I386_ELF_DATA);
+-	  if (htab == NULL)
+-	    name = "*unknown*";
+-	  else
+-	    {
+-	      Elf_Internal_Sym *isym;
+-
+-	      isym = bfd_sym_from_r_symndx (&htab->elf.sym_cache,
+-					    abfd, r_symndx);
+-	      name = bfd_elf_sym_name (abfd, symtab_hdr, isym, NULL);
+-	    }
+-	}
++      _bfd_x86_elf_link_report_tls_transition_error
++	(info, abfd, sec, symtab_hdr, h, sym, rel, from->name,
++	 to->name, tls_error);
+ 
+-      _bfd_error_handler
+-	/* xgettext:c-format */
+-	(_("%pB: TLS transition from %s to %s against `%s'"
+-	   " at %#" PRIx64 " in section `%pA' failed"),
+-	 abfd, from->name, to->name, name,
+-	 (uint64_t) rel->r_offset, sec);
+-      bfd_set_error (bfd_error_bad_value);
+       return false;
+     }
+ 
+@@ -1600,7 +1594,7 @@ elf_i386_scan_relocs (bfd *abfd,
+       if (! elf_i386_tls_transition (info, abfd, sec, contents,
+ 				     symtab_hdr, sym_hashes,
+ 				     &r_type, GOT_UNKNOWN,
+-				     rel, rel_end, h, r_symndx, false))
++				     rel, rel_end, h, isym, false))
+ 	goto error_return;
+ 
+       /* Check if _GLOBAL_OFFSET_TABLE_ is referenced.  */
+@@ -2875,7 +2869,7 @@ elf_i386_relocate_section (bfd *output_bfd,
+ 					 input_section, contents,
+ 					 symtab_hdr, sym_hashes,
+ 					 &r_type_tls, tls_type, rel,
+-					 relend, h, r_symndx, true))
++					 relend, h, sym, true))
+ 	    return false;
+ 
+ 	  expected_tls_le = htab->elf.target_os == is_solaris
+@@ -3365,7 +3359,7 @@ elf_i386_relocate_section (bfd *output_bfd,
+ 					 input_section, contents,
+ 					 symtab_hdr, sym_hashes,
+ 					 &r_type, GOT_UNKNOWN, rel,
+-					 relend, h, r_symndx, true))
++					 relend, h, sym, true))
+ 	    return false;
+ 
+ 	  if (r_type != R_386_TLS_LDM)
+diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
+index 2ed120af780..f116e423f61 100644
+--- a/bfd/elf64-x86-64.c
++++ b/bfd/elf64-x86-64.c
+@@ -1120,7 +1120,7 @@ elf32_x86_64_elf_object_p (bfd *abfd)
+ /* Return TRUE if the TLS access code sequence support transition
+    from R_TYPE.  */
+ 
+-static bool
++static enum elf_x86_tls_error_type
+ elf_x86_64_check_tls_transition (bfd *abfd,
+ 				 struct bfd_link_info *info,
+ 				 asection *sec,
+@@ -1147,7 +1147,7 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+     case R_X86_64_TLSGD:
+     case R_X86_64_TLSLD:
+       if ((rel + 1) >= relend)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       if (r_type == R_X86_64_TLSGD)
+ 	{
+@@ -1184,7 +1184,7 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+ 	  static const unsigned char leaq[] = { 0x66, 0x48, 0x8d, 0x3d };
+ 
+ 	  if ((offset + 12) > sec->size)
+-	    return false;
++	    return elf_x86_tls_error_yes;
+ 
+ 	  call = contents + offset + 4;
+ 	  if (call[0] != 0x66
+@@ -1208,20 +1208,20 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+ 		  || call[14] != 0xd0
+ 		  || !((call[10] == 0x48 && call[12] == 0xd8)
+ 		       || (call[10] == 0x4c && call[12] == 0xf8)))
+-		return false;
++		return elf_x86_tls_error_yes;
+ 	      largepic = true;
+ 	    }
+ 	  else if (ABI_64_P (abfd))
+ 	    {
+ 	      if (offset < 4
+ 		  || memcmp (contents + offset - 4, leaq, 4) != 0)
+-		return false;
++		return elf_x86_tls_error_yes;
+ 	    }
+ 	  else
+ 	    {
+ 	      if (offset < 3
+ 		  || memcmp (contents + offset - 3, leaq + 1, 3) != 0)
+-		return false;
++		return elf_x86_tls_error_yes;
+ 	    }
+ 	  indirect_call = call[2] == 0xff;
+ 	}
+@@ -1250,10 +1250,10 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+ 	  static const unsigned char lea[] = { 0x48, 0x8d, 0x3d };
+ 
+ 	  if (offset < 3 || (offset + 9) > sec->size)
+-	    return false;
++	    return elf_x86_tls_error_yes;
+ 
+ 	  if (memcmp (contents + offset - 3, lea, 3) != 0)
+-	    return false;
++	    return elf_x86_tls_error_yes;
+ 
+ 	  call = contents + offset + 4;
+ 	  if (!(call[0] == 0xe8
+@@ -1268,7 +1268,7 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+ 		  || call[14] != 0xd0
+ 		  || !((call[10] == 0x48 && call[12] == 0xd8)
+ 		       || (call[10] == 0x4c && call[12] == 0xf8)))
+-		return false;
++		return elf_x86_tls_error_yes;
+ 	      largepic = true;
+ 	    }
+ 	  indirect_call = call[0] == 0xff;
+@@ -1276,22 +1276,30 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+ 
+       r_symndx = htab->r_sym (rel[1].r_info);
+       if (r_symndx < symtab_hdr->sh_info)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       h = sym_hashes[r_symndx - symtab_hdr->sh_info];
+       if (h == NULL
+ 	  || !((struct elf_x86_link_hash_entry *) h)->tls_get_addr)
+-	return false;
++	return elf_x86_tls_error_yes;
+       else
+ 	{
+ 	  r_type = (ELF32_R_TYPE (rel[1].r_info)
+ 		    & ~R_X86_64_converted_reloc_bit);
+ 	  if (largepic)
+-	    return r_type == R_X86_64_PLTOFF64;
++	    return (r_type == R_X86_64_PLTOFF64
++		    ? elf_x86_tls_error_none
++		    : elf_x86_tls_error_yes);
+ 	  else if (indirect_call)
+-	    return (r_type == R_X86_64_GOTPCRELX || r_type == R_X86_64_GOTPCREL);
++	    return ((r_type == R_X86_64_GOTPCRELX
++		     || r_type == R_X86_64_GOTPCREL)
++		    ? elf_x86_tls_error_none
++		    : elf_x86_tls_error_yes);
+ 	  else
+-	    return (r_type == R_X86_64_PC32 || r_type == R_X86_64_PLT32);
++	    return ((r_type == R_X86_64_PC32
++		     || r_type == R_X86_64_PLT32)
++		    ? elf_x86_tls_error_none
++		    : elf_x86_tls_error_yes);
+ 	}
+ 
+     case R_X86_64_CODE_4_GOTTPOFF:
+@@ -1303,7 +1311,7 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+       if (offset < 4
+ 	  || (offset + 4) > sec->size
+ 	  || contents[offset - 4] != 0xd5)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       goto check_gottpoff;
+ 
+@@ -1315,14 +1323,16 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+       if (offset < 6
+ 	  || (offset + 4) > sec->size
+ 	  || contents[offset - 6] != 0x62)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       val = bfd_get_8 (abfd, contents + offset - 2);
+       if (val != 0x01 && val != 0x03)
+-	return false;
++	return elf_x86_tls_error_add;
+ 
+       val = bfd_get_8 (abfd, contents + offset - 1);
+-      return (val & 0xc7) == 5;
++      return ((val & 0xc7) == 5
++	      ? elf_x86_tls_error_none
++	      : elf_x86_tls_error_yes);
+ 
+     case R_X86_64_GOTTPOFF:
+       /* Check transition from IE access model:
+@@ -1338,25 +1348,27 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+ 	    {
+ 	      /* X32 may have 0x44 REX prefix or no REX prefix.  */
+ 	      if (ABI_64_P (abfd))
+-		return false;
++		return elf_x86_tls_error_yes;
+ 	    }
+ 	}
+       else
+ 	{
+ 	  /* X32 may not have any REX prefix.  */
+ 	  if (ABI_64_P (abfd))
+-	    return false;
++	    return elf_x86_tls_error_yes;
+ 	  if (offset < 2 || (offset + 3) > sec->size)
+-	    return false;
++	    return elf_x86_tls_error_yes;
+ 	}
+ 
+  check_gottpoff:
+       val = bfd_get_8 (abfd, contents + offset - 2);
+       if (val != 0x8b && val != 0x03)
+-	return false;
++	return elf_x86_tls_error_add_mov;
+ 
+       val = bfd_get_8 (abfd, contents + offset - 1);
+-      return (val & 0xc7) == 5;
++      return ((val & 0xc7) == 5
++	      ? elf_x86_tls_error_none
++	      : elf_x86_tls_error_yes);
+ 
+     case R_X86_64_CODE_4_GOTPC32_TLSDESC:
+       /* Check transition from GDesc access model:
+@@ -1366,7 +1378,7 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+       if (offset < 4
+ 	  || (offset + 4) > sec->size
+ 	  || contents[offset - 4] != 0xd5)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       goto check_tlsdesc;
+ 
+@@ -1380,19 +1392,21 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+ 	 going to be rax.  */
+ 
+       if (offset < 3 || (offset + 4) > sec->size)
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+       val = bfd_get_8 (abfd, contents + offset - 3);
+       val &= 0xfb;
+       if (val != 0x48 && (ABI_64_P (abfd) || val != 0x40))
+-	return false;
++	return elf_x86_tls_error_yes;
+ 
+  check_tlsdesc:
+       if (bfd_get_8 (abfd, contents + offset - 2) != 0x8d)
+-	return false;
++	return elf_x86_tls_error_lea;
+ 
+       val = bfd_get_8 (abfd, contents + offset - 1);
+-      return (val & 0xc7) == 0x05;
++      return ((val & 0xc7) == 0x05
++	      ? elf_x86_tls_error_none
++	      : elf_x86_tls_error_yes);
+ 
+     case R_X86_64_TLSDESC_CALL:
+       /* Check transition from GDesc access model:
+@@ -1411,14 +1425,16 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+ 		{
+ 		  prefix = 1;
+ 		  if (offset + 3 > sec->size)
+-		    return false;
++		    return elf_x86_tls_error_yes;
+ 		}
+ 	    }
+ 	  /* Make sure that it's a call *x@tlsdesc(%rax).  */
+-	  return call[prefix] == 0xff && call[1 + prefix] == 0x10;
++	  return (call[prefix] == 0xff && call[1 + prefix] == 0x10
++		  ? elf_x86_tls_error_none
++		  : elf_x86_tls_error_indirect_call);
+ 	}
+ 
+-      return false;
++      return elf_x86_tls_error_yes;
+ 
+     default:
+       abort ();
+@@ -1437,7 +1453,7 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd,
+ 			   const Elf_Internal_Rela *rel,
+ 			   const Elf_Internal_Rela *relend,
+ 			   struct elf_link_hash_entry *h,
+-			   unsigned long r_symndx,
++			   Elf_Internal_Sym *sym,
+ 			   bool from_relocate_section)
+ {
+   unsigned int from_type = *r_type;
+@@ -1488,7 +1504,12 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd,
+ 	  /* We checked the transition before when we were called from
+ 	     elf_x86_64_scan_relocs.  We only want to check the new
+ 	     transition which hasn't been checked before.  */
+-	  check = new_to_type != to_type && from_type == to_type;
++	  check = (new_to_type != to_type
++		   && (from_type == to_type
++		       || (from_type == R_X86_64_CODE_4_GOTTPOFF
++			   && to_type == R_X86_64_GOTTPOFF)
++		       || (from_type == R_X86_64_CODE_6_GOTTPOFF
++			   && to_type == R_X86_64_GOTTPOFF)));
+ 	  to_type = new_to_type;
+ 	}
+ 
+@@ -1512,13 +1533,18 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd,
+     return true;
+ 
+   /* Check if the transition can be performed.  */
++  enum elf_x86_tls_error_type tls_error;
+   if (check
+-      && ! elf_x86_64_check_tls_transition (abfd, info, sec, contents,
+-					    symtab_hdr, sym_hashes,
+-					    from_type, rel, relend))
++      && ((tls_error = elf_x86_64_check_tls_transition (abfd, info, sec,
++							contents,
++							symtab_hdr,
++							sym_hashes,
++							from_type, rel,
++							relend))
++	  != elf_x86_tls_error_none))
++
+     {
+       reloc_howto_type *from, *to;
+-      const char *name;
+ 
+       from = elf_x86_64_rtype_to_howto (abfd, from_type);
+       to = elf_x86_64_rtype_to_howto (abfd, to_type);
+@@ -1526,31 +1552,10 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd,
+       if (from == NULL || to == NULL)
+ 	return false;
+ 
+-      if (h)
+-	name = h->root.root.string;
+-      else
+-	{
+-	  struct elf_x86_link_hash_table *htab;
+-
+-	  htab = elf_x86_hash_table (info, X86_64_ELF_DATA);
+-	  if (htab == NULL)
+-	    name = "*unknown*";
+-	  else
+-	    {
+-	      Elf_Internal_Sym *isym;
++      _bfd_x86_elf_link_report_tls_transition_error
++	(info, abfd, sec, symtab_hdr, h, sym, rel, from->name,
++	 to->name, tls_error);
+ 
+-	      isym = bfd_sym_from_r_symndx (&htab->elf.sym_cache,
+-					    abfd, r_symndx);
+-	      name = bfd_elf_sym_name (abfd, symtab_hdr, isym, NULL);
+-	    }
+-	}
+-
+-      _bfd_error_handler
+-	/* xgettext:c-format */
+-	(_("%pB: TLS transition from %s to %s against `%s' at %#" PRIx64
+-	   " in section `%pA' failed"),
+-	 abfd, from->name, to->name, name, (uint64_t) rel->r_offset, sec);
+-      bfd_set_error (bfd_error_bad_value);
+       return false;
+     }
+ 
+@@ -2198,7 +2203,7 @@ elf_x86_64_scan_relocs (bfd *abfd, struct bfd_link_info *info,
+       if (! elf_x86_64_tls_transition (info, abfd, sec, contents,
+ 				       symtab_hdr, sym_hashes,
+ 				       &r_type, GOT_UNKNOWN,
+-				       rel, rel_end, h, r_symndx, false))
++				       rel, rel_end, h, isym, false))
+ 	goto error_return;
+ 
+       /* Check if _GLOBAL_OFFSET_TABLE_ is referenced.  */
+@@ -3648,7 +3653,7 @@ elf_x86_64_relocate_section (bfd *output_bfd,
+ 					   input_section, contents,
+ 					   symtab_hdr, sym_hashes,
+ 					   &r_type_tls, tls_type, rel,
+-					   relend, h, r_symndx, true))
++					   relend, h, sym, true))
+ 	    return false;
+ 
+ 	  if (r_type_tls == R_X86_64_TPOFF32)
+@@ -4308,7 +4313,7 @@ elf_x86_64_relocate_section (bfd *output_bfd,
+ 					   input_section, contents,
+ 					   symtab_hdr, sym_hashes,
+ 					   &r_type, GOT_UNKNOWN, rel,
+-					   relend, h, r_symndx, true))
++					   relend, h, sym, true))
+ 	    return false;
+ 
+ 	  if (r_type != R_X86_64_TLSLD)
+diff --git a/bfd/elfxx-x86.c b/bfd/elfxx-x86.c
+index 508fd771da3..b17dad759c8 100644
+--- a/bfd/elfxx-x86.c
++++ b/bfd/elfxx-x86.c
+@@ -3202,6 +3202,91 @@ _bfd_x86_elf_link_report_relative_reloc
+        asect, abfd);
+ }
+ 
++/* Report TLS transition error.  */
++
++void
++_bfd_x86_elf_link_report_tls_transition_error
++  (struct bfd_link_info *info, bfd *abfd, asection *asect,
++   Elf_Internal_Shdr *symtab_hdr, struct elf_link_hash_entry *h,
++   Elf_Internal_Sym *sym, const Elf_Internal_Rela *rel,
++   const char *from_reloc_name, const char *to_reloc_name,
++   enum elf_x86_tls_error_type tls_error)
++{
++  const char *name;
++
++  if (h)
++    name = h->root.root.string;
++  else
++    {
++      const struct elf_backend_data *bed
++       = get_elf_backend_data (abfd);
++      struct elf_x86_link_hash_table *htab
++       = elf_x86_hash_table (info, bed->target_id);
++      if (htab == NULL)
++       name = "*unknown*";
++      else
++       name = bfd_elf_sym_name (abfd, symtab_hdr, sym, NULL);
++    }
++
++  switch (tls_error)
++    {
++    case elf_x86_tls_error_yes:
++      info->callbacks->einfo
++       /* xgettext:c-format */
++       (_("%pB: TLS transition from %s to %s against `%s' at 0x%v in "
++          "section `%pA' failed"),
++        abfd, from_reloc_name, to_reloc_name, name, rel->r_offset,
++        asect);
++      break;
++
++    case elf_x86_tls_error_add:
++      info->callbacks->einfo
++       /* xgettext:c-format */
++       (_("%pB(%pA+0x%v): relocation %s against `%s' must be used "
++          "in ADD only"),
++        abfd, asect, rel->r_offset, from_reloc_name, name);
++      break;
++
++    case elf_x86_tls_error_add_mov:
++      info->callbacks->einfo
++       /* xgettext:c-format */
++       (_("%pB(%pA+0x%v): relocation %s against `%s' must be used "
++          "in ADD or MOV only"),
++        abfd, asect, rel->r_offset, from_reloc_name, name);
++      break;
++
++    case elf_x86_tls_error_add_sub_mov:
++      info->callbacks->einfo
++       /* xgettext:c-format */
++       (_("%pB(%pA+0x%v): relocation %s against `%s' must be used "
++          "in ADD, SUB or MOV only"),
++        abfd, asect, rel->r_offset, from_reloc_name, name);
++      break;
++
++    case elf_x86_tls_error_indirect_call:
++      info->callbacks->einfo
++       /* xgettext:c-format */
++       (_("%pB(%pA+0x%v): relocation %s against `%s' must be used "
++          "in indirect CALL only"),
++        abfd, asect, rel->r_offset, from_reloc_name, name);
++      break;
++
++    case elf_x86_tls_error_lea:
++      info->callbacks->einfo
++       /* xgettext:c-format */
++       (_("%pB(%pA+0x%v): relocation %s against `%s' must be used "
++          "in LEA only"),
++        abfd, asect, rel->r_offset, from_reloc_name, name);
++      break;
++
++    default:
++      abort ();
++      break;
++    }
++
++  bfd_set_error (bfd_error_bad_value);
++}
++
+ /* Return TRUE if symbol should be hashed in the `.gnu.hash' section.  */
+ 
+ bool
+diff --git a/bfd/elfxx-x86.h b/bfd/elfxx-x86.h
+index 110bcb9ad71..02e2efa6c56 100644
+--- a/bfd/elfxx-x86.h
++++ b/bfd/elfxx-x86.h
+@@ -767,6 +767,18 @@ struct elf_x86_plt
+   long count;
+ };
+ 
++enum elf_x86_tls_error_type
++{
++  elf_x86_tls_error_none,
++  elf_x86_tls_error_add,
++  elf_x86_tls_error_add_mov,
++  elf_x86_tls_error_add_sub_mov,
++  elf_x86_tls_error_indirect_call,
++  elf_x86_tls_error_lea,
++  elf_x86_tls_error_yes
++};
++
++
+ /* Set if a relocation is converted from a GOTPCREL relocation.  */
+ #define R_X86_64_converted_reloc_bit (1 << 7)
+ 
+@@ -908,6 +920,12 @@ extern void _bfd_x86_elf_link_fixup_ifunc_symbol
+ extern void _bfd_x86_elf_link_report_relative_reloc
+   (struct bfd_link_info *, asection *, struct elf_link_hash_entry *,
+    Elf_Internal_Sym *, const char *, const void *);
++extern void _bfd_x86_elf_link_report_tls_transition_error
++  (struct bfd_link_info *, bfd *, asection *, Elf_Internal_Shdr *,
++   struct elf_link_hash_entry *, Elf_Internal_Sym *,
++   const Elf_Internal_Rela *, const char *, const char *,
++   enum elf_x86_tls_error_type);
++
+ 
+ #define bfd_elf64_mkobject \
+   _bfd_x86_elf_mkobject
+diff --git a/ld/testsuite/ld-i386/i386.exp b/ld/testsuite/ld-i386/i386.exp
+index 18d1c9198ca..a8db2c713f3 100644
+--- a/ld/testsuite/ld-i386/i386.exp
++++ b/ld/testsuite/ld-i386/i386.exp
+@@ -541,6 +541,8 @@ run_dump_test "tlsdesc2"
+ run_dump_test "report-reloc-1"
+ run_dump_test "pr27998a"
+ run_dump_test "pr27998b"
++run_dump_test "tlsgdesc1"
++run_dump_test "tlsgdesc2"
+ 
+ proc undefined_weak {cflags ldflags} {
+     set testname "Undefined weak symbol"
+diff --git a/ld/testsuite/ld-i386/tlsgdesc1.d b/ld/testsuite/ld-i386/tlsgdesc1.d
+new file mode 100644
+index 00000000000..2a70e81c444
+--- /dev/null
++++ b/ld/testsuite/ld-i386/tlsgdesc1.d
+@@ -0,0 +1,4 @@
++#name: TLS GDesc->LE transition check (LEA)
++#as: --32
++#ld: -melf_i386
++#error: .*: relocation R_386_TLS_GOTDESC against `foo' must be used in LEA only
+diff --git a/ld/testsuite/ld-i386/tlsgdesc1.s b/ld/testsuite/ld-i386/tlsgdesc1.s
+new file mode 100644
+index 00000000000..c30f7523462
+--- /dev/null
++++ b/ld/testsuite/ld-i386/tlsgdesc1.s
+@@ -0,0 +1,11 @@
++	.text
++	.globl _start
++_start:
++	movl	foo@tlsdesc(%ebx), %eax
++	call	*foo@tlscall(%eax)
++	.section	.tdata,"awT",@progbits
++	.align 4
++	.type	foo, @object
++	.size	foo, 4
++foo:
++	.long	100
+diff --git a/ld/testsuite/ld-i386/tlsgdesc2.d b/ld/testsuite/ld-i386/tlsgdesc2.d
+new file mode 100644
+index 00000000000..2e6a66d372c
+--- /dev/null
++++ b/ld/testsuite/ld-i386/tlsgdesc2.d
+@@ -0,0 +1,4 @@
++#name: TLS GDesc->LE transition check (indirect CALL)
++#as: --32
++#ld: -melf_i386
++#error: .*: relocation R_386_TLS_DESC_CALL against `foo' must be used in indirect CALL only
+diff --git a/ld/testsuite/ld-i386/tlsgdesc2.s b/ld/testsuite/ld-i386/tlsgdesc2.s
+new file mode 100644
+index 00000000000..7d9d556e2ab
+--- /dev/null
++++ b/ld/testsuite/ld-i386/tlsgdesc2.s
+@@ -0,0 +1,11 @@
++	.text
++	.globl _start
++_start:
++	leal	foo@tlsdesc(%ebx), %eax
++	jmp	*foo@tlscall(%eax)
++	.section	.tdata,"awT",@progbits
++	.align 4
++	.type	foo, @object
++	.size	foo, 4
++foo:
++	.long	100
+diff --git a/ld/testsuite/ld-i386/tlsie2.d b/ld/testsuite/ld-i386/tlsie2.d
+index ebb85fde7e7..9f9e63029d6 100644
+--- a/ld/testsuite/ld-i386/tlsie2.d
++++ b/ld/testsuite/ld-i386/tlsie2.d
+@@ -1,4 +1,4 @@
+ #name: TLS IE->LE transition check (R_386_TLS_GOTIE with %eax)
+ #as: --32
+ #ld: -melf_i386
+-#error: .*TLS transition from R_386_TLS_GOTIE to R_386_TLS_LE_32 against `foo'.*failed.*
++#error: .*: relocation R_386_TLS_GOTIE against `foo' must be used in ADD, SUB or MOV only
+diff --git a/ld/testsuite/ld-i386/tlsie3.d b/ld/testsuite/ld-i386/tlsie3.d
+index d993f303c25..506f1a02605 100644
+--- a/ld/testsuite/ld-i386/tlsie3.d
++++ b/ld/testsuite/ld-i386/tlsie3.d
+@@ -1,4 +1,4 @@
+ #name: TLS IE->LE transition check (R_386_TLS_GOTIE)
+ #as: --32
+ #ld: -melf_i386
+-#error: .*TLS transition from R_386_TLS_GOTIE to R_386_TLS_LE_32 against `foo'.*failed.*
++#error: .*: relocation R_386_TLS_GOTIE against `foo' must be used in ADD, SUB or MOV only
+diff --git a/ld/testsuite/ld-i386/tlsie4.d b/ld/testsuite/ld-i386/tlsie4.d
+index 3ca8fddf5dd..a516d002660 100644
+--- a/ld/testsuite/ld-i386/tlsie4.d
++++ b/ld/testsuite/ld-i386/tlsie4.d
+@@ -1,4 +1,4 @@
+ #name: TLS IE->LE transition check (R_386_TLS_IE with %eax)
+ #as: --32
+ #ld: -melf_i386
+-#error: .*TLS transition from R_386_TLS_IE to R_386_TLS_LE_32 against `foo'.*failed.*
++#error: .*: relocation R_386_TLS_IE against `foo' must be used in ADD or MOV only
+diff --git a/ld/testsuite/ld-i386/tlsie5.d b/ld/testsuite/ld-i386/tlsie5.d
+index 3febeb159a9..d3447182e19 100644
+--- a/ld/testsuite/ld-i386/tlsie5.d
++++ b/ld/testsuite/ld-i386/tlsie5.d
+@@ -1,4 +1,4 @@
+ #name: TLS IE->LE transition check (R_386_TLS_IE)
+ #as: --32
+ #ld: -melf_i386
+-#error: .*TLS transition from R_386_TLS_IE to R_386_TLS_LE_32 against `foo'.*failed.*
++#error: .*: relocation R_386_TLS_IE against `foo' must be used in ADD or MOV only
+diff --git a/ld/testsuite/ld-x86-64/tlsdesc3.d b/ld/testsuite/ld-x86-64/tlsdesc3.d
+new file mode 100644
+index 00000000000..bbf22ebeafe
+--- /dev/null
++++ b/ld/testsuite/ld-x86-64/tlsdesc3.d
+@@ -0,0 +1,4 @@
++#name: TLS GDesc->LE transition check (LEA)
++#as: --64
++#ld: -melf_x86_64
++#error: .*: relocation R_X86_64_GOTPC32_TLSDESC against `foo' must be used in LEA only
+diff --git a/ld/testsuite/ld-x86-64/tlsdesc3.s b/ld/testsuite/ld-x86-64/tlsdesc3.s
+new file mode 100644
+index 00000000000..45310654ffc
+--- /dev/null
++++ b/ld/testsuite/ld-x86-64/tlsdesc3.s
+@@ -0,0 +1,13 @@
++	.text
++	.globl	_start
++	.type	_start,@function
++_start:
++	movq	foo@tlsdesc(%rip), %rax
++	call	*foo@tlscall(%rax)
++	.globl foo
++	.section	.tdata,"awT",@progbits
++	.align 8
++	.type	foo, @object
++	.size	foo, 8
++foo:
++	.quad	100
+diff --git a/ld/testsuite/ld-x86-64/tlsdesc4.d b/ld/testsuite/ld-x86-64/tlsdesc4.d
+new file mode 100644
+index 00000000000..b50115c7178
+--- /dev/null
++++ b/ld/testsuite/ld-x86-64/tlsdesc4.d
+@@ -0,0 +1,4 @@
++#name: TLS GDesc->LE transition check (indirect CALL)
++#as: --64
++#ld: -melf_x86_64
++#error: .*: relocation R_X86_64_TLSDESC_CALL against `foo' must be used in indirect CALL only
+diff --git a/ld/testsuite/ld-x86-64/tlsdesc4.s b/ld/testsuite/ld-x86-64/tlsdesc4.s
+new file mode 100644
+index 00000000000..b3d6c12d4fc
+--- /dev/null
++++ b/ld/testsuite/ld-x86-64/tlsdesc4.s
+@@ -0,0 +1,13 @@
++	.text
++	.globl	_start
++	.type	_start,@function
++_start:
++	leaq	foo@tlsdesc(%rip), %rax
++	jmp	*foo@tlscall(%rax)
++	.globl foo
++	.section	.tdata,"awT",@progbits
++	.align 8
++	.type	foo, @object
++	.size	foo, 8
++foo:
++	.quad	100
+diff --git a/ld/testsuite/ld-x86-64/tlsie2.d b/ld/testsuite/ld-x86-64/tlsie2.d
+index 97dcc288a3d..bf8a8198b5b 100644
+--- a/ld/testsuite/ld-x86-64/tlsie2.d
++++ b/ld/testsuite/ld-x86-64/tlsie2.d
+@@ -1,4 +1,4 @@
+ #name: TLS IE->LE transition check
+ #as: --64
+ #ld: -melf_x86_64
+-#error: .*TLS transition from R_X86_64_GOTTPOFF to R_X86_64_TPOFF32 against `foo'.*failed.*
++#error: .*: relocation R_X86_64_GOTTPOFF against `foo' must be used in ADD or MOV only
+diff --git a/ld/testsuite/ld-x86-64/tlsie3.d b/ld/testsuite/ld-x86-64/tlsie3.d
+index 8c982a69838..49d8464fbaf 100644
+--- a/ld/testsuite/ld-x86-64/tlsie3.d
++++ b/ld/testsuite/ld-x86-64/tlsie3.d
+@@ -1,4 +1,4 @@
+ #name: TLS IE->LE transition check (%r12)
+ #as: --64
+ #ld: -melf_x86_64
+-#error: .*TLS transition from R_X86_64_GOTTPOFF to R_X86_64_TPOFF32 against `foo'.*failed.*
++#error: .*: relocation R_X86_64_GOTTPOFF against `foo' must be used in ADD or MOV only
+diff --git a/ld/testsuite/ld-x86-64/tlsie5.d b/ld/testsuite/ld-x86-64/tlsie5.d
+new file mode 100644
+index 00000000000..29de1cebf8e
+--- /dev/null
++++ b/ld/testsuite/ld-x86-64/tlsie5.d
+@@ -0,0 +1,4 @@
++#name: TLS IE->LE transition check (APX)
++#as: --64
++#ld: -melf_x86_64
++#error: .*: relocation R_X86_64_CODE_6_GOTTPOFF against `foo' must be used in ADD only
+diff --git a/ld/testsuite/ld-x86-64/tlsie5.s b/ld/testsuite/ld-x86-64/tlsie5.s
+new file mode 100644
+index 00000000000..c39e46fd97b
+--- /dev/null
++++ b/ld/testsuite/ld-x86-64/tlsie5.s
+@@ -0,0 +1,12 @@
++	.text
++	.globl _start
++_start:
++	xorq	%rax, foo@GOTTPOFF(%rip), %rax
++	movq	(%rax), %rax
++	.globl	foo
++	.section	.tdata,"awT",@progbits
++	.align 4
++	.type	foo, @object
++	.size	foo, 4
++foo:
++	.long	100
+diff --git a/ld/testsuite/ld-x86-64/x86-64.exp b/ld/testsuite/ld-x86-64/x86-64.exp
+index 2a40f0b095b..811813466f8 100644
+--- a/ld/testsuite/ld-x86-64/x86-64.exp
++++ b/ld/testsuite/ld-x86-64/x86-64.exp
+@@ -741,6 +741,9 @@ run_dump_test "pr27016b"
+ run_dump_test "report-reloc-1"
+ run_dump_test "report-reloc-1-x32"
+ run_dump_test "pr29820"
++run_dump_test "tlsie5"
++run_dump_test "tlsdesc3"
++run_dump_test "tlsdesc4"
+ 
+ proc undefined_weak {cflags ldflags} {
+     set testname "Undefined weak symbol"
+-- 
+2.49.0
+
diff --git a/meta/recipes-devtools/binutils/binutils/CVE-2025-1179.patch b/meta/recipes-devtools/binutils/binutils/CVE-2025-1179.patch
new file mode 100644
index 0000000000..89312d8501
--- /dev/null
+++ b/meta/recipes-devtools/binutils/binutils/CVE-2025-1179.patch
@@ -0,0 +1,269 @@
+From 67e30b15212adc1502b898a1ca224fdf65dc110d Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Thu, 29 Aug 2024 08:47:00 -0700
+Subject: [PATCH] x86: Check invalid TLS descriptor call TLS descriptor
+ call,
+
+call *x@tlsdesc(%rax)
+
+or
+
+call *x@tlsdesc(%eax)
+
+calls _dl_tlsdesc_return which expects that RAX/EAX points to the TLS
+descriptor.  Update x86 linker to issue an error with or without TLS
+transition.
+
+bfd/
+
+	PR ld/32123
+	* elf32-i386.c (elf_i386_check_tls_transition): Move
+	R_386_TLS_DESC_CALL to ...
+	(elf_i386_tls_transition): Here.
+	* elf64-x86-64.c (elf_x86_64_check_tls_transition): Move.
+	R_X86_64_TLSDESC_CALL check to ...
+	(elf_x86_64_tls_transition): Here.
+
+ld/
+
+	PR ld/32123
+	* testsuite/ld-i386/i386.exp: Run tlsgdesc3.
+	* testsuite/ld-i386/tlsgdesc3.d: New file.
+	* testsuite/ld-x86-64/tlsdesc5.d: Likewise.
+	* testsuite/ld-x86-64/x86-64.exp: Run tlsdesc5.
+
+(cherry picked from commit:67e30b15212adc1502b898a1ca224fdf65dc110d)
+Upstream-Status: Submitted [https://sourceware.org/pipermail/binutils/2025-May/141321.html]
+CVE: CVE-2025-1179
+
+Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
+---
+ bfd/elf32-i386.c                  | 44 +++++++++++++------
+ bfd/elf64-x86-64.c                | 71 +++++++++++++++++++------------
+ ld/testsuite/ld-i386/i386.exp     |  1 +
+ ld/testsuite/ld-i386/tlsgdesc3.d  |  5 +++
+ ld/testsuite/ld-x86-64/tlsdesc5.d |  5 +++
+ ld/testsuite/ld-x86-64/x86-64.exp |  1 +
+ 6 files changed, 86 insertions(+), 41 deletions(-)
+ create mode 100644 ld/testsuite/ld-i386/tlsgdesc3.d
+ create mode 100644 ld/testsuite/ld-x86-64/tlsdesc5.d
+
+diff --git a/bfd/elf32-i386.c b/bfd/elf32-i386.c
+index 18a28d2491c..9dea465f721 100644
+--- a/bfd/elf32-i386.c
++++ b/bfd/elf32-i386.c
+@@ -1039,19 +1039,8 @@ elf_i386_check_tls_transition (asection *sec,
+ 	      : elf_x86_tls_error_yes);
+ 
+     case R_386_TLS_DESC_CALL:
+-      /* Check transition from GDesc access model:
+-		call *x@tlsdesc(%eax)
+-       */
+-      if (offset + 2 <= sec->size)
+-	{
+-	  /* Make sure that it's a call *x@tlsdesc(%eax).  */
+-	  call = contents + offset;
+-	  return (call[0] == 0xff && call[1] == 0x10
+-		  ? elf_x86_tls_error_none
+-		  : elf_x86_tls_error_indirect_call);
+-	}
+-
+-      return elf_x86_tls_error_yes;
++      /* It has been checked in elf_i386_tls_transition.  */
++      return elf_x86_tls_error_none;
+ 
+     default:
+       abort ();
+@@ -1077,6 +1066,8 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd,
+   unsigned int to_type = from_type;
+   bool check = true;
+   unsigned int to_le_type, to_ie_type;
++  bfd_vma offset;
++  bfd_byte *call;
+ 
+   /* Skip TLS transition for functions.  */
+   if (h != NULL
+@@ -1098,9 +1089,34 @@ elf_i386_tls_transition (struct bfd_link_info *info, bfd *abfd,
+ 
+   switch (from_type)
+     {
++    case R_386_TLS_DESC_CALL:
++      /* Check valid GDesc call:
++		call *x@tlsdesc(%eax)
++       */
++      offset = rel->r_offset;
++      call = NULL;
++      if (offset + 2 <= sec->size)
++	{
++	  /* Make sure that it's a call *x@tlsdesc(%eax).  */
++	  call = contents + offset;
++	  if (call[0] != 0xff || call[1] != 0x10)
++	    call = NULL;
++	}
++
++      if (call == NULL)
++	{
++	  _bfd_x86_elf_link_report_tls_transition_error
++	    (info, abfd, sec, symtab_hdr, h, sym, rel,
++	     "R_386_TLS_DESC_CALL", NULL,
++	     elf_x86_tls_error_indirect_call);
++
++	  return false;
++	}
++
++      /* Fall through.  */
++
+     case R_386_TLS_GD:
+     case R_386_TLS_GOTDESC:
+-    case R_386_TLS_DESC_CALL:
+     case R_386_TLS_IE_32:
+     case R_386_TLS_IE:
+     case R_386_TLS_GOTIE:
+diff --git a/bfd/elf64-x86-64.c b/bfd/elf64-x86-64.c
+index f116e423f61..7af2e607b02 100644
+--- a/bfd/elf64-x86-64.c
++++ b/bfd/elf64-x86-64.c
+@@ -1409,32 +1409,8 @@ elf_x86_64_check_tls_transition (bfd *abfd,
+ 	      : elf_x86_tls_error_yes);
+ 
+     case R_X86_64_TLSDESC_CALL:
+-      /* Check transition from GDesc access model:
+-		call *x@tlsdesc(%rax) <--- LP64 mode.
+-		call *x@tlsdesc(%eax) <--- X32 mode.
+-       */
+-      if (offset + 2 <= sec->size)
+-	{
+-	  unsigned int prefix;
+-	  call = contents + offset;
+-	  prefix = 0;
+-	  if (!ABI_64_P (abfd))
+-	    {
+-	      /* Check for call *x@tlsdesc(%eax).  */
+-	      if (call[0] == 0x67)
+-		{
+-		  prefix = 1;
+-		  if (offset + 3 > sec->size)
+-		    return elf_x86_tls_error_yes;
+-		}
+-	    }
+-	  /* Make sure that it's a call *x@tlsdesc(%rax).  */
+-	  return (call[prefix] == 0xff && call[1 + prefix] == 0x10
+-		  ? elf_x86_tls_error_none
+-		  : elf_x86_tls_error_indirect_call);
+-	}
+-
+-      return elf_x86_tls_error_yes;
++      /* It has been checked in elf_x86_64_tls_transition.  */
++      return elf_x86_tls_error_none;
+ 
+     default:
+       abort ();
+@@ -1459,6 +1435,8 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd,
+   unsigned int from_type = *r_type;
+   unsigned int to_type = from_type;
+   bool check = true;
++  bfd_vma offset;
++  bfd_byte *call;
+ 
+   /* Skip TLS transition for functions.  */
+   if (h != NULL
+@@ -1468,10 +1446,49 @@ elf_x86_64_tls_transition (struct bfd_link_info *info, bfd *abfd,
+ 
+   switch (from_type)
+     {
++    case R_X86_64_TLSDESC_CALL:
++      /* Check valid GDesc call:
++		call *x@tlsdesc(%rax) <--- LP64 mode.
++		call *x@tlsdesc(%eax) <--- X32 mode.
++       */
++      offset = rel->r_offset;
++      call = NULL;
++      if (offset + 2 <= sec->size)
++	{
++	  unsigned int prefix;
++	  call = contents + offset;
++	  prefix = 0;
++	  if (!ABI_64_P (abfd))
++	    {
++	      /* Check for call *x@tlsdesc(%eax).  */
++	      if (call[0] == 0x67)
++		{
++		  prefix = 1;
++		  if (offset + 3 > sec->size)
++		    call = NULL;
++		}
++	    }
++
++	  /* Make sure that it's a call *x@tlsdesc(%rax).  */
++	  if (call != NULL
++	      && (call[prefix] != 0xff || call[1 + prefix] != 0x10))
++	    call = NULL;
++	}
++
++      if (call == NULL)
++	{
++	  _bfd_x86_elf_link_report_tls_transition_error
++	    (info, abfd, sec, symtab_hdr, h, sym, rel,
++	     "R_X86_64_TLSDESC_CALL", NULL,
++	     elf_x86_tls_error_indirect_call);
++	  return false;
++	}
++
++      /* Fall through.  */
++
+     case R_X86_64_TLSGD:
+     case R_X86_64_GOTPC32_TLSDESC:
+     case R_X86_64_CODE_4_GOTPC32_TLSDESC:
+-    case R_X86_64_TLSDESC_CALL:
+     case R_X86_64_GOTTPOFF:
+     case R_X86_64_CODE_4_GOTTPOFF:
+     case R_X86_64_CODE_6_GOTTPOFF:
+diff --git a/ld/testsuite/ld-i386/i386.exp b/ld/testsuite/ld-i386/i386.exp
+index a8db2c713f3..41e8725d059 100644
+--- a/ld/testsuite/ld-i386/i386.exp
++++ b/ld/testsuite/ld-i386/i386.exp
+@@ -543,6 +543,7 @@ run_dump_test "pr27998a"
+ run_dump_test "pr27998b"
+ run_dump_test "tlsgdesc1"
+ run_dump_test "tlsgdesc2"
++run_dump_test "tlsgdesc3"
+ 
+ proc undefined_weak {cflags ldflags} {
+     set testname "Undefined weak symbol"
+diff --git a/ld/testsuite/ld-i386/tlsgdesc3.d b/ld/testsuite/ld-i386/tlsgdesc3.d
+new file mode 100644
+index 00000000000..f2c29d880f2
+--- /dev/null
++++ b/ld/testsuite/ld-i386/tlsgdesc3.d
+@@ -0,0 +1,5 @@
++#source: tlsgdesc2.s
++#name: TLS GDesc call (indirect CALL)
++#as: --32
++#ld: -shared -melf_i386
++#error: .*: relocation R_386_TLS_DESC_CALL against `foo' must be used in indirect CALL with EAX register only
+diff --git a/ld/testsuite/ld-x86-64/tlsdesc5.d b/ld/testsuite/ld-x86-64/tlsdesc5.d
+new file mode 100644
+index 00000000000..6a0158b44b7
+--- /dev/null
++++ b/ld/testsuite/ld-x86-64/tlsdesc5.d
+@@ -0,0 +1,5 @@
++#source: tlsdesc4.s
++#name: TLS GDesc call (indirect CALL)
++#as: --64
++#ld: -shared -melf_x86_64
++#error: .*: relocation R_X86_64_TLSDESC_CALL against `foo' must be used in indirect CALL with RAX register only
+diff --git a/ld/testsuite/ld-x86-64/x86-64.exp b/ld/testsuite/ld-x86-64/x86-64.exp
+index 811813466f8..82b0520c52a 100644
+--- a/ld/testsuite/ld-x86-64/x86-64.exp
++++ b/ld/testsuite/ld-x86-64/x86-64.exp
+@@ -744,6 +744,7 @@ run_dump_test "pr29820"
+ run_dump_test "tlsie5"
+ run_dump_test "tlsdesc3"
+ run_dump_test "tlsdesc4"
++run_dump_test "tlsdesc5"
+ 
+ proc undefined_weak {cflags ldflags} {
+     set testname "Undefined weak symbol"
+-- 
+2.49.0
+
-- 
2.43.0

[OE-core][scarthgap 06/11] ruby: fix CVE-2025-27221

[Steve Sakoman]

From: Divya Chellam <divya.chellam@windriver.com>

In the URI gem before 1.0.3 for Ruby, the URI handling methods
(URI.join, URI#merge, URI#+) have an inadvertent leakage of
authentication credentials because userinfo is retained even
after changing the host.

Reference:
https://security-tracker.debian.org/tracker/CVE-2025-27221

Upstream-patches:
https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495
https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ruby/ruby/CVE-2025-27221-0001.patch       | 57 +++++++++++++++
 .../ruby/ruby/CVE-2025-27221-0002.patch       | 73 +++++++++++++++++++
 meta/recipes-devtools/ruby/ruby_3.3.5.bb      |  2 +
 3 files changed, 132 insertions(+)
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
 create mode 100644 meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch

diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
new file mode 100644
index 0000000000..95802d04f9
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0001.patch
@@ -0,0 +1,57 @@
+From 3675494839112b64d5f082a9068237b277ed1495 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 16:29:36 +0900
+Subject: [PATCH] Truncate userinfo with URI#join, URI#merge and URI#+
+
+CVE: CVE-2025-27221
+
+Upstream-Status: Backport [https://github.com/ruby/uri/commit/3675494839112b64d5f082a9068237b277ed1495]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/uri/generic.rb       |  6 +++++-
+ test/uri/test_generic.rb | 11 +++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index f3540a2..ecc78c5 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -1141,7 +1141,11 @@ module URI
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      base.set_userinfo(rel.userinfo) if rel.userinfo
++      if rel.userinfo
++        base.set_userinfo(rel.userinfo)
++      else
++        base.set_userinfo(nil)
++      end
+       base.set_host(rel.host)         if rel.host
+       base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index e661937..17ba2b6 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -164,6 +164,17 @@ class URI::TestGeneric < Test::Unit::TestCase
+     # must be empty string to identify as path-abempty, not path-absolute
+     assert_equal('', url.host)
+     assert_equal('http:////example.com', url.to_s)
++
++    # sec-2957667
++    url = URI.parse('http://user:pass@example.com').merge('//example.net')
++    assert_equal('http://example.net', url.to_s)
++    assert_nil(url.userinfo)
++    url = URI.join('http://user:pass@example.com', '//example.net')
++    assert_equal('http://example.net', url.to_s)
++    assert_nil(url.userinfo)
++    url = URI.parse('http://user:pass@example.com') + '//example.net'
++    assert_equal('http://example.net', url.to_s)
++    assert_nil(url.userinfo)
+   end
+ 
+   def test_parse_scheme_with_symbols
+-- 
+2.40.0
+
diff --git a/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
new file mode 100644
index 0000000000..4435b87c34
--- /dev/null
+++ b/meta/recipes-devtools/ruby/ruby/CVE-2025-27221-0002.patch
@@ -0,0 +1,73 @@
+From 2789182478f42ccbb62197f952eb730e4f02bfc5 Mon Sep 17 00:00:00 2001
+From: Hiroshi SHIBATA <hsbt@ruby-lang.org>
+Date: Fri, 21 Feb 2025 18:16:28 +0900
+Subject: [PATCH] Fix merger of URI with authority component
+
+https://hackerone.com/reports/2957667
+
+Co-authored-by: Nobuyoshi Nakada <nobu@ruby-lang.org>
+
+CVE: CVE-2025-27221
+
+Upstream-Status: Backport [https://github.com/ruby/uri/commit/2789182478f42ccbb62197f952eb730e4f02bfc5]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ lib/uri/generic.rb       | 19 +++++++------------
+ test/uri/test_generic.rb |  7 +++++++
+ 2 files changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb
+index ecc78c5..2c0a88d 100644
+--- a/lib/uri/generic.rb
++++ b/lib/uri/generic.rb
+@@ -1133,21 +1133,16 @@ module URI
+       base.fragment=(nil)
+ 
+       # RFC2396, Section 5.2, 4)
+-      if !authority
+-        base.set_path(merge_path(base.path, rel.path)) if base.path && rel.path
+-      else
+-        # RFC2396, Section 5.2, 4)
+-        base.set_path(rel.path) if rel.path
++      if authority
++        base.set_userinfo(rel.userinfo)
++        base.set_host(rel.host)
++        base.set_port(rel.port || base.default_port)
++        base.set_path(rel.path)
++      elsif base.path && rel.path
++        base.set_path(merge_path(base.path, rel.path))
+       end
+ 
+       # RFC2396, Section 5.2, 7)
+-      if rel.userinfo
+-        base.set_userinfo(rel.userinfo)
+-      else
+-        base.set_userinfo(nil)
+-      end
+-      base.set_host(rel.host)         if rel.host
+-      base.set_port(rel.port)         if rel.port
+       base.query = rel.query       if rel.query
+       base.fragment=(rel.fragment) if rel.fragment
+ 
+diff --git a/test/uri/test_generic.rb b/test/uri/test_generic.rb
+index 17ba2b6..1a70dd4 100644
+--- a/test/uri/test_generic.rb
++++ b/test/uri/test_generic.rb
+@@ -267,6 +267,13 @@ class URI::TestGeneric < Test::Unit::TestCase
+     assert_equal(u0, u1)
+   end
+ 
++  def test_merge_authority
++    u = URI.parse('http://user:pass@example.com:8080')
++    u0 = URI.parse('http://new.example.org/path')
++    u1 = u.merge('//new.example.org/path')
++    assert_equal(u0, u1)
++  end
++
+   def test_route
+     url = URI.parse('http://hoge/a.html').route_to('http://hoge/b.html')
+     assert_equal('b.html', url.to_s)
+-- 
+2.40.0
+
diff --git a/meta/recipes-devtools/ruby/ruby_3.3.5.bb b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
index c91c51657f..b37f0d03e7 100644
--- a/meta/recipes-devtools/ruby/ruby_3.3.5.bb
+++ b/meta/recipes-devtools/ruby/ruby_3.3.5.bb
@@ -28,6 +28,8 @@ SRC_URI = "http://cache.ruby-lang.org/pub/ruby/${SHRT_VER}/ruby-${PV}.tar.gz \
            file://0001-vm_dump.c-Define-REG_S1-and-REG_S2-for-musl-riscv.patch \
            file://CVE-2025-27219.patch \
            file://CVE-2025-27220.patch \
+           file://CVE-2025-27221-0001.patch \
+           file://CVE-2025-27221-0002.patch \
            "
 UPSTREAM_CHECK_URI = "https://www.ruby-lang.org/en/downloads/"
 
-- 
2.43.0

[OE-core][scarthgap 07/11] libsoup: patch CVE-2025-4476

[Steve Sakoman]

From: Ashish Sharma <asharma@mvista.com>

Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c]

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../libsoup/libsoup-3.4.4/CVE-2025-4476.patch | 38 +++++++++++++++++++
 meta/recipes-support/libsoup/libsoup_3.4.4.bb |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4476.patch

diff --git a/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4476.patch b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4476.patch
new file mode 100644
index 0000000000..cd5619d620
--- /dev/null
+++ b/meta/recipes-support/libsoup/libsoup-3.4.4/CVE-2025-4476.patch
@@ -0,0 +1,38 @@
+From e64c221f9c7d09b48b610c5626b3b8c400f0907c Mon Sep 17 00:00:00 2001
+From: Michael Catanzaro <mcatanzaro@redhat.com>
+Date: Thu, 8 May 2025 09:27:01 -0500
+Subject: [PATCH] auth-digest: fix crash in
+ soup_auth_digest_get_protection_space()
+
+We need to validate the Domain parameter in the WWW-Authenticate header.
+
+Unfortunately this crash only occurs when listening on default ports 80
+and 443, so there's no good way to test for this. The test would require
+running as root.
+
+Fixes #440
+
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libsoup/-/commit/e64c221f9c7d09b48b610c5626b3b8c400f0907c]
+CVE: CVE-2025-4476
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+
+ libsoup/auth/soup-auth-digest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsoup/auth/soup-auth-digest.c b/libsoup/auth/soup-auth-digest.c
+index d8bb2910..292f2045 100644
+--- a/libsoup/auth/soup-auth-digest.c
++++ b/libsoup/auth/soup-auth-digest.c
+@@ -220,7 +220,7 @@ soup_auth_digest_get_protection_space (SoupAuth *auth, GUri *source_uri)
+ 			if (uri &&
+                             g_strcmp0 (g_uri_get_scheme (uri), g_uri_get_scheme (source_uri)) == 0 &&
+ 			    g_uri_get_port (uri) == g_uri_get_port (source_uri) &&
+-			    !strcmp (g_uri_get_host (uri), g_uri_get_host (source_uri)))
++			    !g_strcmp0 (g_uri_get_host (uri), g_uri_get_host (source_uri)))
+ 				dir = g_strdup (g_uri_get_path (uri));
+ 			else
+ 				dir = NULL;
+-- 
+GitLab
+
diff --git a/meta/recipes-support/libsoup/libsoup_3.4.4.bb b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
index 8cca980faf..d3a0840044 100644
--- a/meta/recipes-support/libsoup/libsoup_3.4.4.bb
+++ b/meta/recipes-support/libsoup/libsoup_3.4.4.bb
@@ -30,6 +30,7 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \
            file://CVE-2025-32906-2.patch \
            file://CVE-2025-46420.patch \
            file://CVE-2025-32914.patch \
+           file://CVE-2025-4476.patch \
           "
 SRC_URI[sha256sum] = "291c67725f36ed90ea43efff25064b69c5a2d1981488477c05c481a3b4b0c5aa"
 
-- 
2.43.0

[OE-core][scarthgap 08/11] binutils: set CVE_STATUS for CVE-2025-1180

[Steve Sakoman]

From: Harish Sadineni <Harish.Sadineni@windriver.com>

CVE-2025-1180 is fixed with patch from CVE-2025-1176.
More details about CVE is here: https://nvd.nist.gov/vuln/detail/CVE-2025-1179

Signed-off-by: Harish Sadineni <Harish.Sadineni@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/binutils/binutils-2.42.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-devtools/binutils/binutils-2.42.inc b/meta/recipes-devtools/binutils/binutils-2.42.inc
index 6d0390b5a9..16db8bc05e 100644
--- a/meta/recipes-devtools/binutils/binutils-2.42.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.42.inc
@@ -19,6 +19,7 @@ SRCBRANCH ?= "binutils-2_42-branch"
 UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
 
 CVE_STATUS[CVE-2023-25584] = "cpe-incorrect: Applies only for version 2.40 and earlier"
+CVE_STATUS[CVE-2025-1180] = "patched: fixed by patch for CVE-2025-1176" 
 
 SRCREV ?= "6558f9f5f0ccc107a083ae7fbf106ebcb5efa817"
 BINUTILS_GIT_URI ?= "git://sourceware.org/git/binutils-gdb.git;branch=${SRCBRANCH};protocol=https"
-- 
2.43.0

[OE-core][scarthgap 09/11] ffmpeg: upgrade 6.1.1 -> 6.1.2

[Steve Sakoman]

From: Divyanshu Rathore <divyanshurathore2022@gmail.com>

ffmpeg_6.1.2 is the newest available stable release for 6.1.
It introduces quite a few bug and CVE fixes, which should help all.

CVEs that are fixed in the upgrade:
CVE-2024-32230
CVE-2024-35366
CVE-2024-36613
CVE-2024-36616
CVE-2024-36617
CVE-2024-36619
CVE-2024-7055

During upgrade it was noticed that the CVE scan doesn't pick up the CVEs as unpatched
(CVE-2025-0518, CVE-2025-22919, CVE-2025-22921, CVE-2025-25473,
CVE-2024-36618, CVE-2024-35369, CVE-2024-35368, CVE-2024-35367,
CVE-2024-35365, CVE-2024-28661, CVE-2023-50007, CVE-2023-49528,
CVE-2023-49501), due to improper versioning in NVD,
they are affecting 6.1.2 and hence we are leaving the patches in.

check the changelog mention below for information about fixes.
changelog: https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n6.1.2

This upgrade fixes CVE's hence remove those patches.
Refresh vulkan_av1_stable_API.patch as per new codebase.

Signed-off-by: Divyanshu Rathore <divyanshurathore2022@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../ffmpeg/ffmpeg/CVE-2024-32230.patch        | 36 -----------------
 .../ffmpeg/ffmpeg/CVE-2024-35366.patch        | 35 ----------------
 .../ffmpeg/ffmpeg/CVE-2024-36613.patch        | 37 -----------------
 .../ffmpeg/ffmpeg/CVE-2024-36616.patch        | 35 ----------------
 .../ffmpeg/ffmpeg/CVE-2024-36617.patch        | 36 -----------------
 .../ffmpeg/ffmpeg/CVE-2024-36619.patch        | 36 -----------------
 .../ffmpeg/ffmpeg/CVE-2024-7055.patch         | 38 ------------------
 .../ffmpeg/ffmpeg/vulkan_av1_stable_API.patch | 40 +++++++++----------
 .../{ffmpeg_6.1.1.bb => ffmpeg_6.1.2.bb}      |  9 +----
 9 files changed, 21 insertions(+), 281 deletions(-)
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-32230.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch
 delete mode 100644 meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-7055.patch
 rename meta/recipes-multimedia/ffmpeg/{ffmpeg_6.1.1.bb => ffmpeg_6.1.2.bb} (96%)

diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-32230.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-32230.patch
deleted file mode 100644
index 0f30c9ecf5..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-32230.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1 Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Mon, 8 Apr 2024 18:38:42 +0200
-Subject: [PATCH]  avcodec/mpegvideo_enc: Fix 1 line and one column images
-
-Fixes: Ticket10952
-Fixes: poc21ffmpeg
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2024-32230
-
-Upstream-Status: Backport [https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=96449cfeaeb95fcfd7a2b8d9ccf7719e97471ed1]
-
-Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
----
- libavcodec/mpegvideo_enc.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libavcodec/mpegvideo_enc.c b/libavcodec/mpegvideo_enc.c
-index e460ca4..fb4aaa2 100644
---- a/libavcodec/mpegvideo_enc.c
-+++ b/libavcodec/mpegvideo_enc.c
-@@ -1198,8 +1198,8 @@ static int load_input_picture(MpegEncContext *s, const AVFrame *pic_arg)
-                 int dst_stride = i ? s->uvlinesize : s->linesize;
-                 int h_shift = i ? s->chroma_x_shift : 0;
-                 int v_shift = i ? s->chroma_y_shift : 0;
--                int w = s->width  >> h_shift;
--                int h = s->height >> v_shift;
-+                int w = AV_CEIL_RSHIFT(s->width , h_shift);
-+                int h = AV_CEIL_RSHIFT(s->height, v_shift);
-                 const uint8_t *src = pic_arg->data[i];
-                 uint8_t *dst = pic->f->data[i];
-                 int vpad = 16;
--- 
-2.40.0
-
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
deleted file mode 100644
index f7f16a5b92..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-35366.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 0bed22d597b78999151e3bde0768b7fe763fc2a6 Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Tue, 26 Mar 2024 00:39:49 +0100
-Subject: [PATCH] avformat/sbgdec: Check for negative duration
-
-Fixes: signed integer overflow: 9223372036854775807 - -8000000 cannot be represented in type 'long'
-Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_SBG_fuzzer-5133181743136768
-
-Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2024-35366
-
-Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6]
-
-Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
----
- libavformat/sbgdec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libavformat/sbgdec.c b/libavformat/sbgdec.c
-index b2662ea..281fe62 100644
---- a/libavformat/sbgdec.c
-+++ b/libavformat/sbgdec.c
-@@ -386,7 +386,7 @@ static int parse_options(struct sbg_parser *p)
-                 case 'L':
-                     FORWARD_ERROR(parse_optarg(p, opt, &oarg));
-                     r = str_to_time(oarg.s, &p->scs.opt_duration);
--                    if (oarg.e != oarg.s + r) {
-+                    if (oarg.e != oarg.s + r || p->scs.opt_duration < 0) {
-                         snprintf(p->err_msg, sizeof(p->err_msg),
-                                  "syntax error for option -L");
-                         return AVERROR_INVALIDDATA;
---
-2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch
deleted file mode 100644
index 0061b7ad98..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36613.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 50d8e4f27398fd5778485a827d7a2817921f8540 Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Sat, 30 Sep 2023 00:51:29 +0200
-Subject: [PATCH] avformat/dxa: Adjust order of operations around block align
-
-Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_DXA_fuzzer-5730576523198464
-Fixes: signed integer overflow: 2147483566 + 82 cannot be represented in type 'int'
-
-Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-(cherry picked from commit 50d8e4f27398fd5778485a827d7a2817921f8540)
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2024-36613
-
-Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/50d8e4f27398fd5778485a827d7a2817921f8540]
-
-Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
----
- libavformat/dxa.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libavformat/dxa.c b/libavformat/dxa.c
-index 474b852..b4d9d00 100644
---- a/libavformat/dxa.c
-+++ b/libavformat/dxa.c
-@@ -122,7 +122,7 @@ static int dxa_read_header(AVFormatContext *s)
-         if(ast->codecpar->block_align) {
-             if (c->bpc > INT_MAX - ast->codecpar->block_align + 1)
-                 return AVERROR_INVALIDDATA;
--            c->bpc = ((c->bpc + ast->codecpar->block_align - 1) / ast->codecpar->block_align) * ast->codecpar->block_align;
-+            c->bpc = ((c->bpc - 1 + ast->codecpar->block_align) / ast->codecpar->block_align) * ast->codecpar->block_align;
-         }
-         c->bytes_left = fsize;
-         c->wavpos = avio_tell(pb);
---
-2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch
deleted file mode 100644
index 3f02c45b33..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36616.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 86f73277bf014e2ce36dd2594f1e0fb8b3bd6661 Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Tue, 26 Mar 2024 01:00:13 +0100
-Subject: [PATCH] avformat/westwood_vqa: Fix 2g packets
-
-Fixes: signed integer overflow: 2147483424 * 2 cannot be represented in type 'int'
-Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_WSVQA_fuzzer-4576211411795968
-
-Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2024-36616
-
-Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/86f73277bf014e2ce36dd2594f1e0fb8b3bd6661]
-
-Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
----
- libavformat/westwood_vqa.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libavformat/westwood_vqa.c b/libavformat/westwood_vqa.c
-index 03b2d9e..024f5d3 100644
---- a/libavformat/westwood_vqa.c
-+++ b/libavformat/westwood_vqa.c
-@@ -262,7 +262,7 @@ static int wsvqa_read_packet(AVFormatContext *s,
-                     break;
-                 case SND2_TAG:
-                     /* 2 samples/byte, 1 or 2 samples per frame depending on stereo */
--                    pkt->duration = (chunk_size * 2) / wsvqa->channels;
-+                    pkt->duration = (chunk_size * 2LL) / wsvqa->channels;
-                     break;
-                 }
-                 break;
---
-2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch
deleted file mode 100644
index 5d751213e3..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36617.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From d973fcbcc2f944752ff10e6a76b0b2d9329937a7 Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Sat, 30 Sep 2023 00:38:17 +0200
-Subject: [PATCH] avformat/cafdec: dont seek beyond 64bit
-
-Fixes: signed integer overflow: 64 + 9223372036854775807 cannot be represented in type 'long long'
-Fixes: 51896/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064
-Fixes: 62276/clusterfuzz-testcase-minimized-ffmpeg_dem_CAF_fuzzer-6418242730328064
-
-Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2024-36617
-
-Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/d973fcbcc2f944752ff10e6a76b0b2d9329937a7]
-
-Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
----
- libavformat/cafdec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libavformat/cafdec.c b/libavformat/cafdec.c
-index f5ba0f4..e92e327 100644
---- a/libavformat/cafdec.c
-+++ b/libavformat/cafdec.c
-@@ -271,7 +271,7 @@ static int read_pakt_chunk(AVFormatContext *s, int64_t size)
-         }
-     }
-
--    if (avio_tell(pb) - ccount > size) {
-+    if (avio_tell(pb) - ccount > size || size > INT64_MAX - ccount) {
-         av_log(s, AV_LOG_ERROR, "error reading packet table\n");
-         return AVERROR_INVALIDDATA;
-     }
---
-2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch
deleted file mode 100644
index 63d08eabcc..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-36619.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 28c7094b25b689185155a6833caf2747b94774a4 Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Thu, 4 Apr 2024 00:15:27 +0200
-Subject: [PATCH] avcodec/wavarc: fix signed integer overflow in block type
- 6/19
-
-Fixes: signed integer overflow: -2088796289 + -91276551 cannot be represented in type 'int'
-Fixes: 67772/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-6533568953122816
-
-Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2024-36619
-
-Upstream-Status: Backport [https://github.com/ffmpeg/ffmpeg/commit/28c7094b25b689185155a6833caf2747b94774a4]
-
-Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
----
- libavcodec/wavarc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
-index 09ed4d4..51d91a4 100644
---- a/libavcodec/wavarc.c
-+++ b/libavcodec/wavarc.c
-@@ -648,7 +648,7 @@ static int decode_5elp(AVCodecContext *avctx,
-                 for (int o = 0; o < order; o++)
-                     sum += s->filter[ch][o] * (unsigned)samples[n + 70 - o - 1];
-
--                samples[n + 70] += ac_out[n] + (sum >> 4);
-+                samples[n + 70] += ac_out[n] + (unsigned)(sum >> 4);
-             }
-
-             for (int n = 0; n < 70; n++)
---
-2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-7055.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-7055.patch
deleted file mode 100644
index afd857ceac..0000000000
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/CVE-2024-7055.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 587acd0d4020859e67d1f07aeff2c885797ebcce Mon Sep 17 00:00:00 2001
-From: Michael Niedermayer <michael@niedermayer.cc>
-Date: Thu, 18 Jul 2024 21:12:54 +0200
-Subject: [PATCH] avcodec/pnmdec: Use 64bit for input size check
-
-Fixes: out of array read
-Fixes: poc3
-
-Reported-by: VulDB CNA Team
-Found-by: CookedMelon
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-(cherry picked from commit 3faadbe2a27e74ff5bb5f7904ec27bb1f5287dc8)
-Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-
-CVE: CVE-2024-7055
-
-Upstream-Status: Backport [https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=587acd0d4020859e67d1f07aeff2c885797ebcce]
-
-Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
----
- libavcodec/pnmdec.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libavcodec/pnmdec.c b/libavcodec/pnmdec.c
-index acd77ea..40cc2ae 100644
---- a/libavcodec/pnmdec.c
-+++ b/libavcodec/pnmdec.c
-@@ -264,7 +264,7 @@ static int pnm_decode_frame(AVCodecContext *avctx, AVFrame *p,
-         break;
-     case AV_PIX_FMT_GBRPF32:
-         if (!s->half) {
--            if (avctx->width * avctx->height * 12 > s->bytestream_end - s->bytestream)
-+            if (avctx->width * avctx->height * 12LL > s->bytestream_end - s->bytestream)
-                 return AVERROR_INVALIDDATA;
-             scale = 1.f / s->scale;
-             if (s->endian) {
---
-2.40.0
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg/vulkan_av1_stable_API.patch b/meta/recipes-multimedia/ffmpeg/ffmpeg/vulkan_av1_stable_API.patch
index 74db148b3b..be6c6b7416 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg/vulkan_av1_stable_API.patch
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg/vulkan_av1_stable_API.patch
@@ -6,6 +6,9 @@ Subject: [PATCH] vulkan_av1: port to the new stable API
 Co-Authored-by: Dave Airlie <airlied@redhat.com>
 Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
 Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/ecdc94b97f809d5f2b88640842fd0541951ad295]
+
+Comment: Patch is refreshed as per codebase of 6.1.2
+Signed-off-by: Divyanshu Rathore <divyanshu.rathore@kpit.com>
 ---
  configure                                     |   4 +-
  libavcodec/Makefile                           |   5 +-
@@ -26,7 +29,7 @@ diff --git a/configure b/configure
 index e853deb51d..9fa639fca6 100755
 --- a/configure
 +++ b/configure
-@@ -7300,8 +7300,8 @@ enabled vdpau &&
+@@ -7160,8 +7160,8 @@ enabled crystalhd && check_lib crystalhd
           "in maintaining it."
  
  if enabled vulkan; then
@@ -41,21 +44,19 @@ diff --git a/libavcodec/Makefile b/libavcodec/Makefile
 index 7ef2e03ca6..9ce6d445c1 100644
 --- a/libavcodec/Makefile
 +++ b/libavcodec/Makefile
-@@ -1258,8 +1258,7 @@ SKIPHEADERS                            += %_tablegen.h                  \
+@@ -1284,7 +1284,6 @@ SKIPHEADERS                            +
                                            aacenc_quantization.h         \
                                            aacenc_quantization_misc.h    \
                                            bitstream_template.h          \
--                                          vulkan_video_codec_av1std.h   \
--                                          $(ARCH)/vpx_arith.h          \
-+                                          $(ARCH)/vpx_arith.h           \
+-                                          vulkan_video_codec_av1std_mesa.h \
+                                           $(ARCH)/vpx_arith.h          \
  
  SKIPHEADERS-$(CONFIG_AMF)              += amfenc.h
- SKIPHEADERS-$(CONFIG_D3D11VA)          += d3d11va.h dxva2_internal.h
-@@ -1280,7 +1279,7 @@ SKIPHEADERS-$(CONFIG_QSVENC)           += qsvenc.h
+@@ -1306,7 +1305,7 @@ SKIPHEADERS-$(CONFIG_XVMC)             +
  SKIPHEADERS-$(CONFIG_VAAPI)            += vaapi_decode.h vaapi_hevc.h vaapi_encode.h
  SKIPHEADERS-$(CONFIG_VDPAU)            += vdpau.h vdpau_internal.h
  SKIPHEADERS-$(CONFIG_VIDEOTOOLBOX)     += videotoolbox.h vt_internal.h
--SKIPHEADERS-$(CONFIG_VULKAN)           += vulkan.h vulkan_video.h vulkan_decode.h vulkan_video_codec_av1std_decode.h
+-SKIPHEADERS-$(CONFIG_VULKAN)           += vulkan.h vulkan_video.h vulkan_decode.h vulkan_video_codec_av1std_decode_mesa.h
 +SKIPHEADERS-$(CONFIG_VULKAN)           += vulkan.h vulkan_video.h vulkan_decode.h
  SKIPHEADERS-$(CONFIG_V4L2_M2M)         += v4l2_buffers.h v4l2_context.h v4l2_m2m.h
  SKIPHEADERS-$(CONFIG_ZLIB)             += zlib_wrapper.h
@@ -866,19 +867,19 @@ diff --git a/libavcodec/vulkan_video.h b/libavcodec/vulkan_video.h
 index bb69e920bb..01a1de7d9d 100644
 --- a/libavcodec/vulkan_video.h
 +++ b/libavcodec/vulkan_video.h
-@@ -22,8 +22,6 @@
+@@ -23,8 +23,6 @@
  #include "vulkan.h"
  
  #include <vk_video/vulkan_video_codecs_common.h>
--#include "vulkan_video_codec_av1std.h"
--#include "vulkan_video_codec_av1std_decode.h"
+-#include "vulkan_video_codec_av1std_mesa.h"
+-#include "vulkan_video_codec_av1std_decode_mesa.h"
  
  #define CODEC_VER_MAJ(ver) (ver >> 22)
  #define CODEC_VER_MIN(ver) ((ver >> 12) & ((1 << 10) - 1))
-diff --git a/libavcodec/vulkan_video_codec_av1std_decode.h b/libavcodec/vulkan_video_codec_av1std_decode.h
+diff --git a/libavcodec/vulkan_video_codec_av1std_decode_mesa.h b/libavcodec/vulkan_video_codec_av1std_decode_mesa.h
 deleted file mode 100644
 index e2f37b4e6e..0000000000
---- a/libavcodec/vulkan_video_codec_av1std_decode.h
+--- a/libavcodec/vulkan_video_codec_av1std_decode_mesa.h
 +++ /dev/null
 @@ -1,36 +0,0 @@
 -/* Copyright 2023 Lynne
@@ -897,8 +898,8 @@ index e2f37b4e6e..0000000000
 - * limitations under the License.
 - */
 -
--#ifndef VULKAN_VIDEO_CODEC_AV1STD_DECODE_H_
--#define VULKAN_VIDEO_CODEC_AV1STD_DECODE_H_ 1
+-#ifndef VULKAN_VIDEO_CODEC_AV1STD_DECODE_MESA_H_
+-#define VULKAN_VIDEO_CODEC_AV1STD_DECODE_MESA_H_ 1
 -
 -/*
 -** This header is NOT YET generated from the Khronos Vulkan XML API Registry.
@@ -917,10 +918,10 @@ index e2f37b4e6e..0000000000
 -#endif
 -
 -#endif
-diff --git a/libavcodec/vulkan_video_codec_av1std.h b/libavcodec/vulkan_video_codec_av1std.h
+diff --git a/libavcodec/vulkan_video_codec_av1std_mesa.h b/libavcodec/vulkan_video_codec_av1std_mesa.h
 deleted file mode 100644
 index c91589eee2..0000000000
---- a/libavcodec/vulkan_video_codec_av1std.h
+--- a/libavcodec/vulkan_video_codec_av1std_mesa.h
 +++ /dev/null
 @@ -1,403 +0,0 @@
 -/* Copyright 2023 Lynne
@@ -939,8 +940,8 @@ index c91589eee2..0000000000
 - * limitations under the License.
 - */
 -
--#ifndef VULKAN_VIDEO_CODEC_AV1STD_H_
--#define VULKAN_VIDEO_CODEC_AV1STD_H_ 1
+-#ifndef VULKAN_VIDEO_CODEC_AV1STD_MESA_H_
+-#define VULKAN_VIDEO_CODEC_AV1STD_MESA_H_ 1
 -
 -/*
 -** This header is NOT YET generated from the Khronos Vulkan XML API Registry.
@@ -1379,4 +1380,3 @@ diff --git a/libavcodec/vulkan_video.c b/libavcodec/vulkan_video.c
  
 -- 
 2.25.1
-
diff --git a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb
similarity index 96%
rename from meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
rename to meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb
index 3d766c3fc7..04356b9932 100644
--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_6.1.2.bb
@@ -31,21 +31,14 @@ SRC_URI = " \
     file://CVE-2024-31578.patch \
     file://CVE-2024-31582.patch \
     file://CVE-2023-50008.patch \
-    file://CVE-2024-32230.patch \
     file://CVE-2023-49501.patch \
     file://CVE-2024-28661.patch \
     file://CVE-2023-50007.patch \
     file://CVE-2023-49528.patch \
-    file://CVE-2024-7055.patch \
-    file://CVE-2024-35366.patch \
     file://CVE-2024-35367.patch \
     file://CVE-2024-35368.patch \
     file://CVE-2024-35365.patch \
-    file://CVE-2024-36613.patch \
-    file://CVE-2024-36616.patch \
-    file://CVE-2024-36617.patch \
     file://CVE-2024-36618.patch \
-    file://CVE-2024-36619.patch \
     file://CVE-2024-35369.patch \
     file://CVE-2025-25473.patch \
     file://CVE-2025-22919.patch \
@@ -53,7 +46,7 @@ SRC_URI = " \
     file://CVE-2025-0518.patch \
 "
 
-SRC_URI[sha256sum] = "8684f4b00f94b85461884c3719382f1261f0d9eb3d59640a1f4ac0873616f968"
+SRC_URI[sha256sum] = "3b624649725ecdc565c903ca6643d41f33bd49239922e45c9b1442c63dca4e38"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-39018
 # https://github.com/bramp/ffmpeg-cli-wrapper/issues/291
-- 
2.43.0

[OE-core][scarthgap 10/11] util-linux: Add fix to isolate test fstab entries using CUSTOM_FSTAB

[Steve Sakoman]

From: Virendra Thakur <thakur.virendra1810@gmail.com>

During ptest execution, util-linux adds mount entries in /etc/fstab
and runs `mount -a`, which mounts all available entries from
/etc/fstab. This can cause unintended mounts that are unrelated to
the test, leading to incorrect test behavior.

To avoid this, upstream util-linux introduced a mechanism using
CUSTOM_FSTAB,which isolates test-specific fstab entries. Only entries
listed in CUSTOM_FSTAB are mounted during test execution, ensuring
tests do not interfere with or depend on the system's /etc/fstab.

This commit backports below upstream changes to use CUSTOM_FSTAB.
https://github.com/util-linux/util-linux/commit/ed3d33faff17fb702a3acfca2f9f24e69f4920de
https://github.com/util-linux/util-linux/commit/b1580bd760519a2cf052f023057846e54de47484
https://github.com/util-linux/util-linux/commit/6aa8d17b6b53b86a46c5da68c02a893113130496

Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/util-linux/util-linux.inc   |   1 +
 .../util-linux/fstab-isolation.patch          | 448 ++++++++++++++++++
 2 files changed, 449 insertions(+)
 create mode 100644 meta/recipes-core/util-linux/util-linux/fstab-isolation.patch

diff --git a/meta/recipes-core/util-linux/util-linux.inc b/meta/recipes-core/util-linux/util-linux.inc
index 48520ef951..1ecf5c7b39 100644
--- a/meta/recipes-core/util-linux/util-linux.inc
+++ b/meta/recipes-core/util-linux/util-linux.inc
@@ -42,6 +42,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/util-linux/v${MAJOR_VERSION}/util-lin
            file://fcntl-lock.c \
            file://CVE-2024-28085-0001.patch \
            file://CVE-2024-28085-0002.patch \
+	   file://fstab-isolation.patch \
            "
 
 SRC_URI[sha256sum] = "7b6605e48d1a49f43cc4b4cfc59f313d0dd5402fa40b96810bd572e167dfed0f"
diff --git a/meta/recipes-core/util-linux/util-linux/fstab-isolation.patch b/meta/recipes-core/util-linux/util-linux/fstab-isolation.patch
new file mode 100644
index 0000000000..51d209ec60
--- /dev/null
+++ b/meta/recipes-core/util-linux/util-linux/fstab-isolation.patch
@@ -0,0 +1,448 @@
+From 51f1e56cc8b6843bf65ceadc5eca1545258bf020 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas@t-8ch.de>
+Date: Sat, 22 Apr 2023 17:48:58 +0200
+Subject: [PATCH 1/3] tests: (functions.sh) create variable for test fstab
+ location
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
+(cherry picked from commit ed3d33faff17fb702a3acfca2f9f24e69f4920de)
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/ed3d33faff17fb702a3acfca2f9f24e69f4920de]
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ tests/functions.sh          | 13 +++++++------
+ tests/ts/mount/fstab-broken |  2 +-
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/tests/functions.sh b/tests/functions.sh
+index 5a562a39a..c2e2f33ae 100644
+--- a/tests/functions.sh
++++ b/tests/functions.sh
+@@ -386,6 +386,7 @@ function ts_init_env {
+ 		TS_ENABLE_UBSAN="yes"
+ 	fi
+ 
++	TS_FSTAB="/etc/fstab"
+ 	BLKID_FILE="$TS_OUTDIR/${TS_TESTNAME}.blkidtab"
+ 
+ 	declare -a TS_SUID_PROGS
+@@ -824,12 +825,12 @@ function ts_is_mounted {
+ }
+ 
+ function ts_fstab_open {
+-	echo "# <!-- util-linux test entry" >> /etc/fstab
++	echo "# <!-- util-linux test entry" >> "$TS_FSTAB"
+ }
+ 
+ function ts_fstab_close {
+-	echo "# -->" >> /etc/fstab
+-	sync /etc/fstab 2>/dev/null
++	echo "# -->" >> "$TS_FSTAB"
++	sync "$TS_FSTAB" 2>/dev/null
+ }
+ 
+ function ts_fstab_addline {
+@@ -838,7 +839,7 @@ function ts_fstab_addline {
+ 	local FS=${3:-"auto"}
+ 	local OPT=${4:-"defaults"}
+ 
+-	echo "$SPEC   $MNT   $FS   $OPT   0   0" >> /etc/fstab
++	echo "$SPEC   $MNT   $FS   $OPT   0   0" >> "$TS_FSTAB"
+ }
+ 
+ function ts_fstab_lock {
+@@ -862,9 +863,9 @@ function ts_fstab_clean {
+   ba
+ }
+ s/# <!-- util-linux.*-->//;
+-/^$/d" /etc/fstab
++/^$/d" "$TS_FSTAB"
+ 
+-	sync /etc/fstab 2>/dev/null
++	sync "$TS_FSTAB" 2>/dev/null
+ 	ts_unlock "fstab"
+ }
+ 
+diff --git a/tests/ts/mount/fstab-broken b/tests/ts/mount/fstab-broken
+index 19edc5fe3..3b7a1ee9d 100755
+--- a/tests/ts/mount/fstab-broken
++++ b/tests/ts/mount/fstab-broken
+@@ -34,7 +34,7 @@ mkdir -p $MNT
+ 
+ ts_fstab_lock
+ ts_fstab_open
+-echo "tmpd $MNT tmpfs" >> /etc/fstab
++echo "tmpd $MNT tmpfs" >> "$TS_FSTAB"
+ ts_fstab_close
+ 
+ ts_init_subtest "mount"
+-- 
+2.34.1
+
+
+From 1e4a9141ca7d310030311e09123a81591f994f83 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas@t-8ch.de>
+Date: Sat, 22 Apr 2023 17:20:45 +0200
+Subject: [PATCH 2/3] tests: (functions.sh) use per-test fstab file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
+(cherry picked from commit 6aa8d17b6b53b86a46c5da68c02a893113130496)
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/6aa8d17b6b53b86a46c5da68c02a893113130496]
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ tests/functions.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/functions.sh b/tests/functions.sh
+index c2e2f33ae..3089e8cda 100644
+--- a/tests/functions.sh
++++ b/tests/functions.sh
+@@ -386,7 +386,7 @@ function ts_init_env {
+ 		TS_ENABLE_UBSAN="yes"
+ 	fi
+ 
+-	TS_FSTAB="/etc/fstab"
++	TS_FSTAB="$TS_OUTDIR/${TS_TESTNAME}.fstab"
+ 	BLKID_FILE="$TS_OUTDIR/${TS_TESTNAME}.blkidtab"
+ 
+ 	declare -a TS_SUID_PROGS
+-- 
+2.34.1
+
+
+From 02c483f982e23a86d58cd7c6a4eb4b6e4d5def1a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas@t-8ch.de>
+Date: Sat, 22 Apr 2023 17:34:28 +0200
+Subject: [PATCH 3/3] mount: (tests) explicitly use test fstab location
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
+(cherry picked from commit b1580bd760519a2cf052f023057846e54de47484)
+Upstream-Status: Backport [https://github.com/util-linux/util-linux/commit/b1580bd760519a2cf052f023057846e54de47484]
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+---
+ tests/ts/mount/fslists             | 2 +-
+ tests/ts/mount/fstab-bind          | 2 +-
+ tests/ts/mount/fstab-broken        | 4 ++--
+ tests/ts/mount/fstab-btrfs         | 8 ++++----
+ tests/ts/mount/fstab-devname       | 4 ++--
+ tests/ts/mount/fstab-devname2label | 2 +-
+ tests/ts/mount/fstab-devname2uuid  | 2 +-
+ tests/ts/mount/fstab-label         | 6 +++---
+ tests/ts/mount/fstab-label2devname | 4 ++--
+ tests/ts/mount/fstab-label2uuid    | 4 ++--
+ tests/ts/mount/fstab-loop          | 4 ++--
+ tests/ts/mount/fstab-none          | 2 +-
+ tests/ts/mount/fstab-symlink       | 2 +-
+ tests/ts/mount/fstab-uuid          | 6 +++---
+ tests/ts/mount/fstab-uuid2devname  | 4 ++--
+ tests/ts/mount/fstab-uuid2label    | 4 ++--
+ 16 files changed, 30 insertions(+), 30 deletions(-)
+
+diff --git a/tests/ts/mount/fslists b/tests/ts/mount/fslists
+index 230186a1e..6ac72c3ce 100755
+--- a/tests/ts/mount/fslists
++++ b/tests/ts/mount/fslists
+@@ -61,7 +61,7 @@ ts_finalize_subtest
+ ts_init_subtest "more-types-fstab"
+ [ -d "$TS_MOUNTPOINT" ] || mkdir -p $TS_MOUNTPOINT
+ ts_fstab_add $DEVICE $TS_MOUNTPOINT "foo,bar,ext2"
+-$TS_CMD_MOUNT $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_fstab_clean
+ ts_is_mounted $DEVICE || ts_die "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $TS_MOUNTPOINT
+diff --git a/tests/ts/mount/fstab-bind b/tests/ts/mount/fstab-bind
+index 2c799df78..cae016dd2 100755
+--- a/tests/ts/mount/fstab-bind
++++ b/tests/ts/mount/fstab-bind
+@@ -20,7 +20,7 @@ ts_fstab_add $MY_SOURCE "$TS_MOUNTPOINT" "none" "bind,default,noauto"
+ mkdir -p $MY_SOURCE
+ mkdir -p $TS_MOUNTPOINT
+ 
+-$TS_CMD_MOUNT $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ [ "$?" = "0" ] || ts_log "error: mount $TS_MOUNTPOINT"
+ 
+ $TS_CMD_FINDMNT --mountpoint "$TS_MOUNTPOINT" &> /dev/null
+diff --git a/tests/ts/mount/fstab-broken b/tests/ts/mount/fstab-broken
+index 3b7a1ee9d..ec4c34241 100755
+--- a/tests/ts/mount/fstab-broken
++++ b/tests/ts/mount/fstab-broken
+@@ -38,7 +38,7 @@ echo "tmpd $MNT tmpfs" >> "$TS_FSTAB"
+ ts_fstab_close
+ 
+ ts_init_subtest "mount"
+-$TS_CMD_MOUNT $MNT &> /dev/null
++$TS_CMD_MOUNT -T "$TS_FSTAB" $MNT &> /dev/null
+ [ "$?" = "0" ] || ts_log "error: mount $MNT"
+ $TS_CMD_FINDMNT --kernel --mountpoint "$MNT" &> /dev/null
+ if [ "$?" != "0" ]; then
+@@ -57,7 +57,7 @@ ts_finalize_subtest
+ 
+ 
+ ts_init_subtest "mount-all"
+-$TS_CMD_MOUNT -a &> /dev/null
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a &> /dev/null
+ [ "$?" = "0" ] || ts_log "error: mount -a"
+ $TS_CMD_FINDMNT --kernel --mountpoint "$MNT" &> /dev/null
+ if [ "$?" != "0" ]; then
+diff --git a/tests/ts/mount/fstab-btrfs b/tests/ts/mount/fstab-btrfs
+index a1003ab52..8e76dbba6 100755
+--- a/tests/ts/mount/fstab-btrfs
++++ b/tests/ts/mount/fstab-btrfs
+@@ -94,8 +94,8 @@ ts_fstab_addline "$DEVICE" "$TS_MOUNTPOINT_SUBVOLID" "btrfs" "subvolid=$NON_DEFA
+ ts_fstab_addline "$TS_MOUNTPOINT_SUBVOLID" "$TS_MOUNTPOINT_BIND" "auto" "bind"
+ ts_fstab_close
+ 
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+ 
+ $TS_CMD_UMOUNT "$TS_MOUNTPOINT_BIND" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ $TS_CMD_UMOUNT "$TS_MOUNTPOINT_DEFAULT" >> $TS_OUTPUT 2>> $TS_ERRLOG
+@@ -124,8 +124,8 @@ ts_fstab_addline "$DEVICE" "$TS_MOUNTPOINT_SUBVOLID" "auto" "subvolid=$NON_DEFAU
+ ts_fstab_addline "$TS_MOUNTPOINT_SUBVOL/bind-mnt" "$TS_MOUNTPOINT_BIND" "auto" "bind"
+ ts_fstab_close
+ 
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+ 
+ $TS_CMD_UMOUNT "$TS_MOUNTPOINT_BIND" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ $TS_CMD_UMOUNT "$TS_MOUNTPOINT_DEFAULT" >> $TS_OUTPUT 2>> $TS_ERRLOG
+diff --git a/tests/ts/mount/fstab-devname b/tests/ts/mount/fstab-devname
+index 5b64a32a6..6ac03b5a7 100755
+--- a/tests/ts/mount/fstab-devname
++++ b/tests/ts/mount/fstab-devname
+@@ -42,13 +42,13 @@ MOUNTPOINT=$TS_MOUNTPOINT
+ ts_fstab_add $DEVICE
+ 
+ ts_init_subtest "mountpoint"
+-$TS_CMD_MOUNT $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+ 
+ ts_init_subtest "device-name"
+-$TS_CMD_MOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+diff --git a/tests/ts/mount/fstab-devname2label b/tests/ts/mount/fstab-devname2label
+index 1d8562109..44066e153 100755
+--- a/tests/ts/mount/fstab-devname2label
++++ b/tests/ts/mount/fstab-devname2label
+@@ -41,7 +41,7 @@ ts_device_has "LABEL" $LABEL $DEVICE \
+ ts_fstab_add "LABEL=$LABEL"
+ ts_udevadm_settle "$DEVICE" "LABEL"
+ 
+-$TS_CMD_MOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "Cannot umount $DEVICE"
+ 
+diff --git a/tests/ts/mount/fstab-devname2uuid b/tests/ts/mount/fstab-devname2uuid
+index 8105fa028..503959103 100755
+--- a/tests/ts/mount/fstab-devname2uuid
++++ b/tests/ts/mount/fstab-devname2uuid
+@@ -39,7 +39,7 @@ UUID=$(ts_uuid_by_devname "$DEVICE") || ts_die "Cannot find UUID on $DEVICE"
+ ts_fstab_add "UUID=$UUID"
+ ts_udevadm_settle "$DEVICE" "UUID"
+ 
+-$TS_CMD_MOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE || ts_die "Cannot umount $DEVICE"
+ 
+diff --git a/tests/ts/mount/fstab-label b/tests/ts/mount/fstab-label
+index 4b23e7fee..a3cc06d52 100755
+--- a/tests/ts/mount/fstab-label
++++ b/tests/ts/mount/fstab-label
+@@ -42,19 +42,19 @@ ts_fstab_add "LABEL=$LABEL"
+ ts_udevadm_settle "$DEVICE" "LABEL"
+ 
+ ts_init_subtest "no-option"
+-$TS_CMD_MOUNT $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+ 
+ ts_init_subtest "L-option"
+-$TS_CMD_MOUNT -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG 
+ ts_finalize_subtest
+ 
+ ts_init_subtest "LABEL-option"
+-$TS_CMD_MOUNT LABEL=$LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" LABEL=$LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+diff --git a/tests/ts/mount/fstab-label2devname b/tests/ts/mount/fstab-label2devname
+index 75ca05e8c..fddbfa0ba 100755
+--- a/tests/ts/mount/fstab-label2devname
++++ b/tests/ts/mount/fstab-label2devname
+@@ -44,13 +44,13 @@ ts_udevadm_settle "$DEVICE" "LABEL"
+ [ -d "$TS_MOUNTPOINT" ] || mkdir -p $TS_MOUNTPOINT
+ 
+ ts_init_subtest "L-option"
+-$TS_CMD_MOUNT -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+ 
+ ts_init_subtest "LABEL-option"
+-$TS_CMD_MOUNT "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+diff --git a/tests/ts/mount/fstab-label2uuid b/tests/ts/mount/fstab-label2uuid
+index 4bfcae4b9..927cde9aa 100755
+--- a/tests/ts/mount/fstab-label2uuid
++++ b/tests/ts/mount/fstab-label2uuid
+@@ -46,13 +46,13 @@ ts_udevadm_settle "$DEVICE" "LABEL" "UUID"
+ [ -d "$TS_MOUNTPOINT" ] || mkdir -p $TS_MOUNTPOINT
+ 
+ ts_init_subtest "L-option"
+-$TS_CMD_MOUNT -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -L $LABEL >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+ 
+ ts_init_subtest "LABEL-option"
+-$TS_CMD_MOUNT "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" "LABEL=$LABEL" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+diff --git a/tests/ts/mount/fstab-loop b/tests/ts/mount/fstab-loop
+index 7cc589fd2..0541e3a74 100755
+--- a/tests/ts/mount/fstab-loop
++++ b/tests/ts/mount/fstab-loop
+@@ -39,10 +39,10 @@ ts_fstab_lock
+ ts_fstab_open
+ 
+ ts_fstab_addline "$IMG" "$TS_MOUNTPOINT-1" "ext2" "loop"
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+ 
+ ts_fstab_addline "$IMG" "$TS_MOUNTPOINT-2" "ext2" "loop"
+-$TS_CMD_MOUNT -a >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -a >> $TS_OUTPUT 2>> $TS_ERRLOG
+ 
+ ts_fstab_close
+ 
+diff --git a/tests/ts/mount/fstab-none b/tests/ts/mount/fstab-none
+index 6a4d05b62..95daa6cee 100755
+--- a/tests/ts/mount/fstab-none
++++ b/tests/ts/mount/fstab-none
+@@ -17,7 +17,7 @@ ts_fstab_add "none" "$TS_MOUNTPOINT" "tmpfs" "rw,nosuid,nodev,relatime"
+ 
+ mkdir -p $TS_MOUNTPOINT
+ 
+-$TS_CMD_MOUNT $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $TS_MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ [ "$?" = "0" ] || ts_log "error: mount $TS_MOUNTPOINT"
+ 
+ $TS_CMD_FINDMNT --mountpoint "$TS_MOUNTPOINT" &> /dev/null
+diff --git a/tests/ts/mount/fstab-symlink b/tests/ts/mount/fstab-symlink
+index 4d3e37b19..6d419f9fe 100755
+--- a/tests/ts/mount/fstab-symlink
++++ b/tests/ts/mount/fstab-symlink
+@@ -46,7 +46,7 @@ ln -s $DEVICE $LINKNAME
+ ts_fstab_add $LINKNAME $TS_MOUNTPOINT "auto" "defaults,user"
+ 
+ # variant A) -- UID=0
+-$TS_CMD_MOUNT $LINKNAME >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $LINKNAME >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_die "A) Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $LINKNAME || ts_die "A) Cannot umount $LINKNAME"
+ 
+diff --git a/tests/ts/mount/fstab-uuid b/tests/ts/mount/fstab-uuid
+index 03917b782..f51bb294e 100755
+--- a/tests/ts/mount/fstab-uuid
++++ b/tests/ts/mount/fstab-uuid
+@@ -42,19 +42,19 @@ ts_fstab_add "UUID=$UUID"
+ ts_udevadm_settle "$DEVICE" "UUID"
+ 
+ ts_init_subtest "no-option"
+-$TS_CMD_MOUNT $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" $MOUNTPOINT >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+ 
+ ts_init_subtest "U-option"
+-$TS_CMD_MOUNT -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+ 
+ ts_init_subtest "UUID-option"
+-$TS_CMD_MOUNT UUID=$UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" UUID=$UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+diff --git a/tests/ts/mount/fstab-uuid2devname b/tests/ts/mount/fstab-uuid2devname
+index 9bf165e16..2b338acb1 100755
+--- a/tests/ts/mount/fstab-uuid2devname
++++ b/tests/ts/mount/fstab-uuid2devname
+@@ -42,13 +42,13 @@ ts_udevadm_settle "$DEVICE" "UUID"
+ [ -d "$TS_MOUNTPOINT" ] || mkdir -p $TS_MOUNTPOINT
+ 
+ ts_init_subtest "U-option"
+-$TS_CMD_MOUNT -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+ 
+ ts_init_subtest "UUID-option"
+-$TS_CMD_MOUNT "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+diff --git a/tests/ts/mount/fstab-uuid2label b/tests/ts/mount/fstab-uuid2label
+index de10ff0b0..02eb6b985 100755
+--- a/tests/ts/mount/fstab-uuid2label
++++ b/tests/ts/mount/fstab-uuid2label
+@@ -45,13 +45,13 @@ ts_udevadm_settle "$DEVICE" "LABEL" "UUID"
+ [ -d "$TS_MOUNTPOINT" ] || mkdir -p $TS_MOUNTPOINT
+ 
+ ts_init_subtest "U-option"
+-$TS_CMD_MOUNT -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" -U $UUID >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_finalize_subtest
+ 
+ ts_init_subtest "UUID-option"
+-$TS_CMD_MOUNT "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG
++$TS_CMD_MOUNT -T "$TS_FSTAB" "UUID=$UUID" >> $TS_OUTPUT 2>> $TS_ERRLOG
+ ts_is_mounted $DEVICE || ts_log "Cannot find $DEVICE in /proc/mounts"
+ $TS_CMD_UMOUNT $DEVICE >> $TS_OUTPUT 2>>$TS_ERRLOG
+ ts_finalize_subtest
+-- 
+2.34.1
+
-- 
2.43.0

[OE-core][scarthgap 11/11] u-boot: ensure keys are generated before assembling U-Boot FIT image

[Steve Sakoman]

From: Rogerio Guerra Borin <rogerio.borin@toradex.com>

Add the task dependency:

do_uboot_assemble_fitimage -> virtual/kernel:do_kernel_generate_rsa_keys

to ensure the kernel FIT image signing keys are available when creating
the U-Boot DTB. This is done only if the signing of the kernel FIT image
is enabled (UBOOT_SIGN_ENABLE="1").

The lack of the dependency causes build errors when executing a build
with no kernel FIT keys initially present in the keys directory. In such
cases one would see an output like this in the Bitbake logs:

Log data follows:
| DEBUG: Executing shell function do_uboot_assemble_fitimage
| Couldn't open RSA private key: '/workdir/build/keys/fit/dev.key': No such file or directory
| Failed to sign 'signature' signature node in 'conf-1' conf node
| FIT description: Kernel Image image with one or more FDT blobs
| ...

This issue was introduced by commit 259bfa86f384 where the dependency
between U-Boot and the kernel was removed (for good reasons). Before
that commit the dependency was set via DEPENDS so that, in terms of
tasks, one had:

u-boot:do_configure -> virtual/kernel:do_populate_sysroot

and the chain leading to the key generation was:

virtual/kernel:do_populate_sysroot -> virtual/kernel:do_install
virtual/kernel:do_install -> virtual/kernel:do_assemble_fitimage
virtual/kernel:do_assemble_fitimage -> virtual/kernel:do_kernel_generate_rsa_keys

With the removal of the first dependency, no more guarantees exist that
the keys would be present when assembling the U-Boot FIT image. That's
the situation we are solving with the present commit.

(From OE-Core rev: 036f20156b3c7d0a8b912e90aa29a9b986106d5a)

Fixes: d7bd9c627661 ("u-boot: kernel-fitimage: Fix dependency loop if UBOOT_SIGN_ENABLE and UBOOT_ENV enabled")
Signed-off-by: Rogerio Guerra Borin <rogerio.borin@toradex.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes-recipe/uboot-sign.bbclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/classes-recipe/uboot-sign.bbclass b/meta/classes-recipe/uboot-sign.bbclass
index 5c579a9fb0..699db248e1 100644
--- a/meta/classes-recipe/uboot-sign.bbclass
+++ b/meta/classes-recipe/uboot-sign.bbclass
@@ -94,6 +94,8 @@ python() {
     sign = d.getVar('UBOOT_SIGN_ENABLE') == '1'
     if d.getVar('UBOOT_FITIMAGE_ENABLE') == '1' or sign:
         d.appendVar('DEPENDS', " u-boot-tools-native dtc-native")
+    if d.getVar('FIT_GENERATE_KEYS') == '1' and sign:
+        d.appendVarFlag('do_uboot_assemble_fitimage', 'depends', ' virtual/kernel:do_kernel_generate_rsa_keys')
 }
 
 concat_dtb() {
-- 
2.43.0

[OE-core][scarthgap 00/11] Patch review

[Yoann Congal]

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, March 31.

Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551

[0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t

The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:

  Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:

  python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)

----------------------------------------------------------------

João Marcos Costa (Schneider Electric) (1):
  spdx: add option to include only compiled sources

Martin Jansa (3):
  dtc: backport fix for build with glibc-2.43
  elfutils: don't add -Werror to avoid discarded-qualifiers
  binutils: backport patch to fix build with glibc-2.43 on host

Michael Halstead (2):
  yocto-uninative: Update to 5.0 for needed patchelf updates
  yocto-uninative: Update to 5.1 for glibc 2.43

Nguyen Dat Tho (1):
  python3-cryptography: Fix CVE-2026-26007

Paul Barker (1):
  tzdata,tzcode-native: Upgrade 2025b -> 2025c

Richard Purdie (1):
  pseudo: Add fix for glibc 2.43

Vijay Anusuri (2):
  python3-pyopenssl: Fix CVE-2026-27448
  python3-pyopenssl: Fix CVE-2026-27459

 meta/classes/spdx-common.bbclass              |   3 +
 meta/conf/distro/include/yocto-uninative.inc  |  10 +-
 meta/lib/oe/spdx30_tasks.py                   |  12 ++
 .../binutils/binutils-2.42.inc                |   1 +
 ...tect-against-standard-library-macros.patch |  31 ++++
 .../elfutils/elfutils_0.191.bb                |   1 +
 ...001-config-eu.am-do-not-force-Werror.patch |  34 ++++
 meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
 .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++
 .../python/python3-cryptography_42.0.5.bb     |   1 +
 .../python3-pyopenssl/CVE-2026-27448.patch    | 124 +++++++++++++++
 .../python3-pyopenssl/CVE-2026-27459.patch    | 109 +++++++++++++
 .../python/python3-pyopenssl_24.0.0.bb        |   5 +
 meta/recipes-extended/timezone/timezone.inc   |   6 +-
 .../0001-Fix-discarded-const-qualifiers.patch |  85 ++++++++++
 meta/recipes-kernel/dtc/dtc_1.7.0.bb          |   1 +
 16 files changed, 565 insertions(+), 9 deletions(-)
 create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
 create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
 create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
 create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
 create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch

Re: [OE-core][scarthgap 00/11] Patch review

[Yoann Congal]

On Mon Mar 30, 2026 at 12:46 AM CEST, Yoann Congal wrote:
> Please review this set of changes for scarthgap and have comments back by
> end of day Tuesday, March 31.
>
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
> Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
> Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551

That second build is successful. (Only a warning from VNC integration on
autobuilder, I'll send a patch)

> [0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t
>
> The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:
>
>   Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)
>
> are available in the Git repository at:
>
>   https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
>   https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
>
> for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:
>
>   python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)
>
> ----------------------------------------------------------------
>
> João Marcos Costa (Schneider Electric) (1):
>   spdx: add option to include only compiled sources
>
> Martin Jansa (3):
>   dtc: backport fix for build with glibc-2.43
>   elfutils: don't add -Werror to avoid discarded-qualifiers
>   binutils: backport patch to fix build with glibc-2.43 on host
>
> Michael Halstead (2):
>   yocto-uninative: Update to 5.0 for needed patchelf updates
>   yocto-uninative: Update to 5.1 for glibc 2.43
>
> Nguyen Dat Tho (1):
>   python3-cryptography: Fix CVE-2026-26007
>
> Paul Barker (1):
>   tzdata,tzcode-native: Upgrade 2025b -> 2025c
>
> Richard Purdie (1):
>   pseudo: Add fix for glibc 2.43
>
> Vijay Anusuri (2):
>   python3-pyopenssl: Fix CVE-2026-27448
>   python3-pyopenssl: Fix CVE-2026-27459
>
>  meta/classes/spdx-common.bbclass              |   3 +
>  meta/conf/distro/include/yocto-uninative.inc  |  10 +-
>  meta/lib/oe/spdx30_tasks.py                   |  12 ++
>  .../binutils/binutils-2.42.inc                |   1 +
>  ...tect-against-standard-library-macros.patch |  31 ++++
>  .../elfutils/elfutils_0.191.bb                |   1 +
>  ...001-config-eu.am-do-not-force-Werror.patch |  34 ++++
>  meta/recipes-devtools/pseudo/pseudo_git.bb    |   2 +-
>  .../python3-cryptography/CVE-2026-26007.patch | 149 ++++++++++++++++++
>  .../python/python3-cryptography_42.0.5.bb     |   1 +
>  .../python3-pyopenssl/CVE-2026-27448.patch    | 124 +++++++++++++++
>  .../python3-pyopenssl/CVE-2026-27459.patch    | 109 +++++++++++++
>  .../python/python3-pyopenssl_24.0.0.bb        |   5 +
>  meta/recipes-extended/timezone/timezone.inc   |   6 +-
>  .../0001-Fix-discarded-const-qualifiers.patch |  85 ++++++++++
>  meta/recipes-kernel/dtc/dtc_1.7.0.bb          |   1 +
>  16 files changed, 565 insertions(+), 9 deletions(-)
>  create mode 100644 meta/recipes-devtools/binutils/binutils/0022-gprofng-protect-against-standard-library-macros.patch
>  create mode 100644 meta/recipes-devtools/elfutils/files/0001-config-eu.am-do-not-force-Werror.patch
>  create mode 100644 meta/recipes-devtools/python/python3-cryptography/CVE-2026-26007.patch
>  create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27448.patch
>  create mode 100644 meta/recipes-devtools/python/python3-pyopenssl/CVE-2026-27459.patch
>  create mode 100644 meta/recipes-kernel/dtc/dtc/0001-Fix-discarded-const-qualifiers.patch


-- 
Yoann Congal
Smile ECS

Re: [OE-core][scarthgap 00/11] Patch review

[Joao Marcos Costa]

Hello, Yoan


On 3/30/26 00:46, Yoann Congal via lists.openembedded.org wrote:
> Please review this set of changes for scarthgap and have comments back by
> end of day Tuesday, March 31.
> 
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3546
> Note: This particular build had a gnutls patch that I removed because it needed a small change[0].
> Build (currently running) without the gnutls patch: https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3551
> 
> [0]: https://lore.kernel.org/openembedded-core/DHFLXG1K82R7.3EOQRZ2H6KW8Q@smile.fr/T/#t
> 
> The following changes since commit 41597b5260fb5ca811d0fb4ae7e65246d61734eb:
> 
>    Revert "scripts/install-buildtools: Update to 5.0.16" (2026-03-26 09:48:20 +0000)
> 
> are available in the Git repository at:
> 
>    https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
>    https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
> 
> for you to fetch changes up to e6f3b2e043259650d80fb6f761797c5cf5587eb5:
> 
>    python3-pyopenssl: Fix CVE-2026-27459 (2026-03-30 00:09:38 +0200)
> 
> ----------------------------------------------------------------
> 
> João Marcos Costa (Schneider Electric) (1):
>    spdx: add option to include only compiled sources
> 
> Martin Jansa (3):
>    dtc: backport fix for build with glibc-2.43
>    elfutils: don't add -Werror to avoid discarded-qualifiers
>    binutils: backport patch to fix build with glibc-2.43 on host
> 
> Michael Halstead (2):
>    yocto-uninative: Update to 5.0 for needed patchelf updates
>    yocto-uninative: Update to 5.1 for glibc 2.43
> 
> Nguyen Dat Tho (1):
>    python3-cryptography: Fix CVE-2026-26007
> 
> Paul Barker (1):
>    tzdata,tzcode-native: Upgrade 2025b -> 2025c
> 
> Richard Purdie (1):
>    pseudo: Add fix for glibc 2.43
> 
> Vijay Anusuri (2):
>    python3-pyopenssl: Fix CVE-2026-27448
>    python3-pyopenssl: Fix CVE-2026-27459
(...)

Was the commit below not picked, or am I missing something?

commit b24d5cda19136fb8120154279eedd55d162b4640
Author: João Marcos Costa (Schneider Electric) 
<joaomarcos.costa@bootlin.com>
Date:   Fri Apr 3 11:32:30 2026 +0200

     linux-yocto/6.6: update CVE exclusions (6.6.123)

     This new version of cve-exclusion_6.6.inc was generated with oe-core's
     latest version of the generate-cve-exclusions.py.

     Regarding the database used and how this file was generated:

     Generated at 2026-04-03 09:30:32.247568+00:00 for kernel version 
6.6.123
     From cvelistV5 cve_2026-04-03_0700Z

     The backporting of the generate-cve-exclusions.py script from master to
     Scarthgap is handled in a different patch.

     Signed-off-by: João Marcos Costa (Schneider Electric) 
<joaomarcos.costa@bootlin.com>

However, I see the commit below, prior to this one, was kept:

linux/generate-cve-exclusions: backport script from master branch

I'm not really used to the backports schedule/workflow, so please excuse 
me if I misinterpreted something.

Thanks!

-- 
Best regards,
João Marcos Costa

Re: [OE-core][scarthgap 00/11] Patch review

[Yoann Congal]

On Mon Apr 20, 2026 at 10:44 AM CEST, Joao Marcos Costa wrote:
> Hello, Yoan
>
>
> On 3/30/26 00:46, Yoann Congal via lists.openembedded.org wrote:
>> Please review this set of changes for scarthgap and have comments back by
>> end of day Tuesday, March 31.
> (...)
>
> Was the commit below not picked, or am I missing something?
>
> commit b24d5cda19136fb8120154279eedd55d162b4640
> Author: João Marcos Costa (Schneider Electric) 
> <joaomarcos.costa@bootlin.com>
> Date:   Fri Apr 3 11:32:30 2026 +0200
>
>      linux-yocto/6.6: update CVE exclusions (6.6.123)
>
>      This new version of cve-exclusion_6.6.inc was generated with oe-core's
>      latest version of the generate-cve-exclusions.py.
>
>      Regarding the database used and how this file was generated:
>
>      Generated at 2026-04-03 09:30:32.247568+00:00 for kernel version 
> 6.6.123
>      From cvelistV5 cve_2026-04-03_0700Z
>
>      The backporting of the generate-cve-exclusions.py script from master to
>      Scarthgap is handled in a different patch.
>
>      Signed-off-by: João Marcos Costa (Schneider Electric) 
> <joaomarcos.costa@bootlin.com>
>
> However, I see the commit below, prior to this one, was kept:
>
> linux/generate-cve-exclusions: backport script from master branch
>
> I'm not really used to the backports schedule/workflow, so please excuse 
> me if I misinterpreted something.
>
> Thanks!

This patch triggered a problem in our infra. I received it directly from
you but it is missing from lore. And lore feeds patchwork, and I use
patchwork to prepare my review branch...

This is a known problem: 16167 – Missing (big) patch in patchwork
https://bugzilla.yoctoproject.org/show_bug.cgi?id=16167

I've reopened and added your patch to the bug log.

I will now integrate your patch in my review branch.

Thanks for the report, otherwise I would have missed it.

I'll try to check for this issue in the future but this will be hard to
spot. If you send a similar patch in the future don't hesitate to ping
me if you see it missing during the patch review period.

Regards,
-- 
Yoann Congal
Smile ECS

Re: [OE-core][scarthgap 00/11] Patch review

[Joao Marcos Costa]

Hello,

On 4/20/26 11:21, Yoann Congal via lists.openembedded.org wrote:
> On Mon Apr 20, 2026 at 10:44 AM CEST, Joao Marcos Costa wrote:
>> Hello, Yoan
>>
>>
>> On 3/30/26 00:46, Yoann Congal via lists.openembedded.org wrote:
>>> Please review this set of changes for scarthgap and have comments back by
>>> end of day Tuesday, March 31.
>> (...)
>>
>> Was the commit below not picked, or am I missing something?
>>
>> commit b24d5cda19136fb8120154279eedd55d162b4640
>> Author: João Marcos Costa (Schneider Electric)
>> <joaomarcos.costa@bootlin.com>
>> Date:   Fri Apr 3 11:32:30 2026 +0200
>>
>>       linux-yocto/6.6: update CVE exclusions (6.6.123)
>>
>>       This new version of cve-exclusion_6.6.inc was generated with oe-core's
>>       latest version of the generate-cve-exclusions.py.
>>
>>       Regarding the database used and how this file was generated:
>>
>>       Generated at 2026-04-03 09:30:32.247568+00:00 for kernel version
>> 6.6.123
>>       From cvelistV5 cve_2026-04-03_0700Z
>>
>>       The backporting of the generate-cve-exclusions.py script from master to
>>       Scarthgap is handled in a different patch.
>>
>>       Signed-off-by: João Marcos Costa (Schneider Electric)
>> <joaomarcos.costa@bootlin.com>
>>
>> However, I see the commit below, prior to this one, was kept:
>>
>> linux/generate-cve-exclusions: backport script from master branch
>>
>> I'm not really used to the backports schedule/workflow, so please excuse
>> me if I misinterpreted something.
>>
>> Thanks!
> 
> This patch triggered a problem in our infra. I received it directly from
> you but it is missing from lore. And lore feeds patchwork, and I use
> patchwork to prepare my review branch...
> 
> This is a known problem: 16167 – Missing (big) patch in patchwork
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=16167
> 
> I've reopened and added your patch to the bug log.
> 
> I will now integrate your patch in my review branch.
> 
> Thanks for the report, otherwise I would have missed it.
> 
> I'll try to check for this issue in the future but this will be hard to
> spot. If you send a similar patch in the future don't hesitate to ping
> me if you see it missing during the patch review period.
> 
> Regards,

Ack. Thanks!


-- 
Best regards,
João Marcos Costa

[OE-core][scarthgap 00/11] Patch review

[Yoann Congal]

Note: this series contains a major OpenSSL upgrade (agreed by YP TSC).

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, March 10.

Passed a-full on autobuilder:
https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3349
(Ignore the warning about Centos Stream9, its support is a work in progress for scarthgap)

I also did a full meta-oe build (to check for build failure with the
OpenSSL upgrade)
https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1342
(the warnings are unrelated to this series)

The following changes since commit a9a785d7fa0cfe2a9087dbcde0ef9f0d2a441375:

  build-appliance-image: Update to scarthgap head revision (2026-02-27 17:45:15 +0000)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

for you to fetch changes up to fd8a140eb0742bbc12a23e36c9d24378bc0f462d:

  busybox: Fixes CVE-2025-60876 (2026-03-06 23:58:42 +0100)

----------------------------------------------------------------

Hugo SIMELIERE (2):
  zlib: Fix CVE-2026-27171
  harfbuzz: Fix CVE-2026-22693

Livin Sunny (1):
  busybox: Fixes CVE-2025-60876

Paul Barker (1):
  create-pull-request: Keep commit hash to be pulled in cover email

Peter Marko (3):
  ffmpeg: set status for CVE-2025-10256
  ffmpeg: set status for CVE-2025-12343
  openssl: upgrade 3.2.6 -> 3.5.5

Shaik Moin (1):
  gdk-pixbuf: Fix CVE-2025-6199

Tom Hochstein (1):
  uboot-config: Fix devtool modify

Yoann Congal (2):
  scripts/install-buildtools: Update to 5.0.16
  README: Add scarthgap subject-prefix to git-send-email suggestion

 README.OE-Core.md                             |  2 +-
 meta/classes-recipe/uboot-config.bbclass      |  2 +-
 .../openssl/files/environment.d-openssl.sh    |  9 ++-
 ...ke-history-reporting-when-test-fails.patch | 32 ++++----
 ...1-Configure-do-not-tweak-mips-cflags.patch |  4 +-
 ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++---
 .../0001-extend-check_cwm-test-timeout.patch  | 32 ++++++++
 .../openssl/openssl/CVE-2024-41996.patch      | 44 -----------
 .../openssl/openssl/CVE-2025-15468.patch      | 39 ----------
 .../openssl/openssl/CVE-2025-69419.patch      | 61 ---------------
 .../{openssl_3.2.6.bb => openssl_3.5.5.bb}    | 75 ++++++++++++-------
 .../busybox/busybox/CVE-2025-60876.patch      | 42 +++++++++++
 meta/recipes-core/busybox/busybox_1.36.1.bb   |  1 +
 .../zlib/zlib/CVE-2026-27171.patch            | 63 ++++++++++++++++
 meta/recipes-core/zlib/zlib_1.3.1.bb          |  1 +
 .../gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch | 36 +++++++++
 .../gdk-pixbuf/gdk-pixbuf_2.42.12.bb          |  1 +
 .../harfbuzz/files/CVE-2026-22693.patch       | 33 ++++++++
 .../harfbuzz/harfbuzz_8.3.0.bb                |  4 +-
 .../recipes-multimedia/ffmpeg/ffmpeg_6.1.4.bb |  2 +-
 scripts/create-pull-request                   |  2 +-
 scripts/install-buildtools                    |  4 +-
 22 files changed, 305 insertions(+), 210 deletions(-)
 create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15468.patch
 delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch
 rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => openssl_3.5.5.bb} (76%)
 create mode 100644 meta/recipes-core/busybox/busybox/CVE-2025-60876.patch
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2026-27171.patch
 create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-6199.patch
 create mode 100644 meta/recipes-graphics/harfbuzz/files/CVE-2026-22693.patch

Re: [OE-core][scarthgap 00/11] Patch review

[Paul Barker]

[-- Attachment #1: Type: text/plain, Size: 2171 bytes --]

On Sat, 2026-03-07 at 23:52 +0100, Yoann Congal via
lists.openembedded.org wrote:
> Note: this series contains a major OpenSSL upgrade (agreed by YP TSC).
> 
> Please review this set of changes for scarthgap and have comments back by
> end of day Tuesday, March 10.
> 
> Passed a-full on autobuilder:
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/3349
> (Ignore the warning about Centos Stream9, its support is a work in progress for scarthgap)
> 
> I also did a full meta-oe build (to check for build failure with the
> OpenSSL upgrade)
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/81/builds/1342
> (the warnings are unrelated to this series)
> 
> The following changes since commit a9a785d7fa0cfe2a9087dbcde0ef9f0d2a441375:
> 
>   build-appliance-image: Update to scarthgap head revision (2026-02-27 17:45:15 +0000)
> 
> are available in the Git repository at:
> 
>   https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
>   https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut
> 
> for you to fetch changes up to fd8a140eb0742bbc12a23e36c9d24378bc0f462d:
> 
>   busybox: Fixes CVE-2025-60876 (2026-03-06 23:58:42 +0100)
> 
> ----------------------------------------------------------------
> 
> Hugo SIMELIERE (2):
>   zlib: Fix CVE-2026-27171
>   harfbuzz: Fix CVE-2026-22693
> 
> Livin Sunny (1):
>   busybox: Fixes CVE-2025-60876
> 
> Paul Barker (1):
>   create-pull-request: Keep commit hash to be pulled in cover email
> 
> Peter Marko (3):
>   ffmpeg: set status for CVE-2025-10256
>   ffmpeg: set status for CVE-2025-12343
>   openssl: upgrade 3.2.6 -> 3.5.5
> 
> Shaik Moin (1):
>   gdk-pixbuf: Fix CVE-2025-6199
> 
> Tom Hochstein (1):
>   uboot-config: Fix devtool modify
> 
> Yoann Congal (2):
>   scripts/install-buildtools: Update to 5.0.16
>   README: Add scarthgap subject-prefix to git-send-email suggestion

Hi Yoann,

We need to make sure that the openssl update is clearly announced in the
weekly status and the release notes for 5.0.17. Otherwise, all LGTM!

Best regards,

-- 
Paul Barker


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

[OE-core][scarthgap 00/11] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Monday, September 29

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2436

The following changes since commit 4cf131ebd157b79226533b5a5074691dd0e1a4ab:

  buildtools-tarball: fix unbound variable issues under 'set -u' (2025-09-17 09:32:52 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Adrian Freihofer (2):
  llvm: update from 18.1.6 to 18.1.8
  llvm: fix build with gcc-15

AshishKumar Mishra (2):
  systemd: backport fix for handle USE_NLS from master
  p11-kit: backport fix for handle USE_NLS from master

Chris Laplante (1):
  util-linux: use ${B} instead of ${WORKDIR}/build, to fix building
    under devtool

Martin Jansa (2):
  sanity.conf: Update minimum bitbake version to 2.8.1
  lib/oe/utils: use multiprocessing from bb

Nitin Wankhade (1):
  examples: genl: fix wrong attribute size

Philip Lorenz (1):
  shared-mime-info: Handle USE_NLS

Ross Burton (1):
  libxslt: apply patch for CVE-2025-7424

Yogita Urade (1):
  curl: fix CVE-2025-9086

 meta/conf/sanity.conf                         |   2 +-
 meta/lib/oe/utils.py                          |   3 +-
 meta/recipes-core/systemd/systemd_255.21.bb   |   1 +
 .../util-linux/util-linux_2.39.3.bb           |   2 +-
 ...36-Add-cstdint-to-SmallVector-101761.patch |  28 +++++
 ...cstdint-in-AMDGPUMCTargetDesc-101766.patch |  23 ++++
 ...-include-to-X86MCTargetDesc.h-123320.patch |  32 ++++++
 .../llvm/{llvm_18.1.6.bb => llvm_18.1.8.bb}   |   5 +-
 ...amples-genl-fix-wrong-attribute-size.patch |  44 ++++++++
 meta/recipes-extended/libmnl/libmnl_1.0.5.bb  |   5 +-
 .../curl/curl/CVE-2025-9086.patch             |  55 ++++++++++
 meta/recipes-support/curl/curl_8.7.1.bb       |   1 +
 .../gnome-libxslt-bug-139-apple-fix.diff      | 103 ++++++++++++++++++
 .../recipes-support/libxslt/libxslt_1.1.43.bb |   3 +-
 .../recipes-support/p11-kit/p11-kit_0.25.3.bb |   1 +
 .../shared-mime-info/shared-mime-info_2.4.bb  |   5 +-
 16 files changed, 306 insertions(+), 7 deletions(-)
 create mode 100644 meta/recipes-devtools/llvm/llvm/0036-Add-cstdint-to-SmallVector-101761.patch
 create mode 100644 meta/recipes-devtools/llvm/llvm/0037-Include-cstdint-in-AMDGPUMCTargetDesc-101766.patch
 create mode 100644 meta/recipes-devtools/llvm/llvm/0038-Add-missing-include-to-X86MCTargetDesc.h-123320.patch
 rename meta/recipes-devtools/llvm/{llvm_18.1.6.bb => llvm_18.1.8.bb} (94%)
 create mode 100644 meta/recipes-extended/libmnl/files/0001-examples-genl-fix-wrong-attribute-size.patch
 create mode 100644 meta/recipes-support/curl/curl/CVE-2025-9086.patch
 create mode 100644 meta/recipes-support/libxslt/files/gnome-libxslt-bug-139-apple-fix.diff

-- 
2.43.0

[OE-core][scarthgap 00/11] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Friday, August 1

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2114

The following changes since commit c374e6cfcdd2c8ba17d82ffcfdeb97d21144e2bf:

  mtools: upgrade 4.0.48 -> 4.0.49 (2025-07-25 06:13:34 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Aleksandar Nikolic (1):
  scripts/install-buildtools: Update to 5.0.11

Fabio Berton (1):
  linux-libc-headers: Fix invalid conversion in cn_proc.h

Peter Marko (9):
  gnutls: patch CVE-2025-32989
  gnutls: patch read buffer overrun in the "pre_shared_key" extension
  gnutls: patch reject zero-length version in certificate request
  gnutls: patch CVE-2025-32988
  gnutls: patch CVE-2025-32990
  gnutls: patch CVE-2025-6395
  ncurses: patch CVE-2025-6141
  libxml2: patch CVE-2025-6170
  glibc: fix CVE-2025-8058

 meta/recipes-core/glibc/glibc-version.inc     |    2 +-
 meta/recipes-core/glibc/glibc_2.39.bb         |    2 +-
 .../libxml/libxml2/CVE-2025-6170.patch        |  103 +
 meta/recipes-core/libxml/libxml2_2.12.10.bb   |    1 +
 .../ncurses/files/CVE-2025-6141.patch         |   25 +
 meta/recipes-core/ncurses/ncurses_6.4.bb      |    1 +
 ...-Fix-invalid-conversion-in-cn_proc.h.patch |   40 +
 .../linux-libc-headers_6.6.bb                 |    1 +
 ...fer-overrun-in-the-pre_shared_key-ex.patch |   34 +
 ...-length-version-in-certificate-reque.patch |   37 +
 .../04939b75417cc95b7372c6f208c4bda4579bdc34  |  Bin 0 -> 1782 bytes
 .../3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2  |  Bin 0 -> 830 bytes
 .../5477db1bb507a35e8833c758ce344f4b5b246d8e  |  Bin 0 -> 111 bytes
 .../gnutls/gnutls/CVE-2025-32988.patch        |   58 +
 .../gnutls/gnutls/CVE-2025-32989.patch        |   50 +
 .../gnutls/gnutls/CVE-2025-32990.patch        | 2109 +++++++++++++++++
 .../gnutls/gnutls/CVE-2025-6395.patch         |  299 +++
 meta/recipes-support/gnutls/gnutls_3.8.4.bb   |   15 +
 scripts/install-buildtools                    |    4 +-
 19 files changed, 2777 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-core/libxml/libxml2/CVE-2025-6170.patch
 create mode 100644 meta/recipes-core/ncurses/files/CVE-2025-6141.patch
 create mode 100644 meta/recipes-kernel/linux-libc-headers/linux-libc-headers/0001-connector-Fix-invalid-conversion-in-cn_proc.h.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/0001-psk-fix-read-buffer-overrun-in-the-pre_shared_key-ex.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/0001-x509-reject-zero-length-version-in-certificate-reque.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/04939b75417cc95b7372c6f208c4bda4579bdc34
 create mode 100644 meta/recipes-support/gnutls/gnutls/3e94dcdff862ef5d6db8b5cc8e59310b5f0cdfe2
 create mode 100644 meta/recipes-support/gnutls/gnutls/5477db1bb507a35e8833c758ce344f4b5b246d8e
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32988.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32989.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-32990.patch
 create mode 100644 meta/recipes-support/gnutls/gnutls/CVE-2025-6395.patch

-- 
2.43.0

[OE-core][scarthgap 00/11] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, July 8

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/1948

The following changes since commit 175cd54fd57266d7dea07121861a4f15be00a882:

  tcf-agent: correct the SRC_URI (2025-07-03 09:01:28 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Archana Polampalli (6):
  xwayland: fix CVE-2025-49175
  xwayland: fix CVE-2025-49176
  xwayland: fix CVE-2025-49177
  xwayland: fix CVE-2025-49178
  xwayland: fix CVE-2025-49179
  xwayland: fix CVE-2025-49180

Divya Chellam (5):
  libarchive: fix CVE-2025-5914
  libarchive: fix CVE-2025-5915
  libarchive: fix CVE-2025-5916
  libarchive: fix CVE-2025-5917
  libarchive: fix CVE-2025-5918

 .../libarchive/libarchive/CVE-2025-5914.patch |  48 +++
 .../libarchive/libarchive/CVE-2025-5915.patch | 217 ++++++++++++
 .../libarchive/libarchive/CVE-2025-5916.patch | 116 +++++++
 .../libarchive/libarchive/CVE-2025-5917.patch |  54 +++
 .../libarchive/CVE-2025-5918-0001.patch       | 326 ++++++++++++++++++
 .../libarchive/CVE-2025-5918-0002.patch       | 222 ++++++++++++
 .../libarchive/libarchive_3.7.9.bb            |   6 +
 .../xwayland/xwayland/CVE-2025-49175.patch    |  92 +++++
 .../xwayland/CVE-2025-49176-0001.patch        |  93 +++++
 .../xwayland/CVE-2025-49176-0002.patch        |  38 ++
 .../xwayland/xwayland/CVE-2025-49177.patch    |  55 +++
 .../xwayland/xwayland/CVE-2025-49178.patch    |  50 +++
 .../xwayland/xwayland/CVE-2025-49179.patch    |  69 ++++
 .../xwayland/xwayland/CVE-2025-49180.patch    |  45 +++
 .../xwayland/xwayland_23.2.5.bb               |   7 +
 15 files changed, 1438 insertions(+)
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5914.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5915.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5916.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5917.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0001.patch
 create mode 100644 meta/recipes-extended/libarchive/libarchive/CVE-2025-5918-0002.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49175.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0001.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49176-0002.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49177.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49178.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49179.patch
 create mode 100644 meta/recipes-graphics/xwayland/xwayland/CVE-2025-49180.patch

-- 
2.43.0

[OE-core][scarthgap 00/11] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, October 29

Passed a-full on autobuilder:

https://valkyrie.yoctoproject.org/#/builders/29/builds/332

The following changes since commit a1b28a88bc7697371ab166b18587b615d6d39c8e:

  image.bbclass: Drop support for ImageQAFailed exceptions in image_qa (2024-10-16 06:21:24 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Anuj Mittal (1):
  sqlite3: upgrade 3.45.1 -> 3.45.3

Bruce Ashfield (2):
  linux-yocto/6.6: update to v6.6.52
  linux-yocto/6.6: update to v6.6.54

Jiaying Song (1):
  liba52: fix do_fetch error

Jonas Gorski (1):
  rootfs-postcommands.bbclass: make opkg status reproducible

Peter Marko (1):
  openssl: patch CVE-2024-9143

Rohini Sangam (1):
  vim: Upgrade 9.1.0698 -> 9.1.0764

Ross Burton (1):
  icu: update patch Upstream-Status

Sergei Zhmylev (1):
  lsb-release: fix Distro Codename shell escaping

Shunsuke Tokumoto (1):
  python3-setuptools: Add "python:setuptools" to CVE_PRODUCT

aszh07 (1):
  ffmpeg: Add "libswresample libavcodec" to CVE_PRODUCT

 .../rootfs-postcommands.bbclass               |   4 +
 .../openssl/openssl/CVE-2024-9143.patch       | 202 ++++++++++++++++++
 .../openssl/openssl_3.2.3.bb                  |   1 +
 .../python/python3-setuptools_69.1.1.bb       |   2 +
 meta/recipes-extended/lsb/lsb-release_1.4.bb  |   2 +-
 .../linux/linux-yocto-rt_6.6.bb               |   6 +-
 .../linux/linux-yocto-tiny_6.6.bb             |   6 +-
 meta/recipes-kernel/linux/linux-yocto_6.6.bb  |  28 +--
 .../recipes-multimedia/ffmpeg/ffmpeg_6.1.1.bb |   2 +
 .../recipes-multimedia/liba52/liba52_0.7.4.bb |   2 +-
 .../icu/icu/fix-install-manx.patch            |   4 +-
 .../{sqlite3_3.45.1.bb => sqlite3_3.45.3.bb}  |   2 +-
 meta/recipes-support/vim/vim.inc              |   4 +-
 13 files changed, 237 insertions(+), 28 deletions(-)
 create mode 100755 meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
 rename meta/recipes-support/sqlite/{sqlite3_3.45.1.bb => sqlite3_3.45.3.bb} (69%)

-- 
2.34.1

[OE-core][scarthgap 00/11] Patch review

[Steve Sakoman]

Please review this set of changes for scarthgap and have comments back by
end of day Tuesday, September 17

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/7330

The following changes since commit 7e11701698a9f38a5e3e0499c0c2edd98d32a85d:

  mc: fix source URL (2024-09-03 06:59:38 -0700)

are available in the Git repository at:

  https://git.openembedded.org/openembedded-core-contrib stable/scarthgap-nut
  https://git.openembedded.org/openembedded-core-contrib/log/?h=stable/scarthgap-nut

Michael Halstead (1):
  yocto-uninative: Update to 4.6 for glibc 2.40

Niko Mauno (7):
  iw: Fix LICENSE
  dejagnu: Fix LICENSE
  unzip: Fix LICENSE
  zip: Fix LICENSE
  tiff: Fix LICENSE
  gcr: Fix LICENSE
  python3-maturin: Fix cross compilation issue for armv7l, mips64, ppc

Richard Purdie (2):
  expat: 2.6.2 -> 2.6.3
  ruby: Make docs generation deterministic

Siddharth Doshi (1):
  vim: Upgrade 9.1.0682 -> 9.1.0698

 meta/conf/distro/include/yocto-uninative.inc  |  10 +-
 meta/recipes-connectivity/iw/iw_6.7.bb        |   2 +-
 .../expat/{expat_2.6.2.bb => expat_2.6.3.bb}  |   2 +-
 .../recipes-devtools/dejagnu/dejagnu_1.6.3.bb |   2 +-
 ...n-architecture-name-resolvation-code.patch | 107 ++++++++++++++++++
 ...ation-issue-with-linux-armv7l-archit.patch |  76 +++++++++++++
 ...n-ABI-name-resolvation-code-as-helpe.patch |  98 ++++++++++++++++
 ...ation-issue-with-linux-ppc-architect.patch |  68 +++++++++++
 ...ation-issue-with-linux-mips64-archit.patch |  82 ++++++++++++++
 .../python/python3-maturin_1.4.0.bb           |   7 ++
 meta/recipes-devtools/ruby/ruby_3.2.2.bb      |   1 +
 meta/recipes-extended/unzip/unzip_6.0.bb      |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb          |   2 +-
 meta/recipes-gnome/gcr/gcr_4.2.1.bb           |   2 +-
 meta/recipes-multimedia/libtiff/tiff_4.6.0.bb |   2 +-
 meta/recipes-support/vim/vim.inc              |   4 +-
 16 files changed, 453 insertions(+), 14 deletions(-)
 rename meta/recipes-core/expat/{expat_2.6.2.bb => expat_2.6.3.bb} (92%)
 create mode 100644 meta/recipes-devtools/python/python3-maturin/0001-Extract-extension-architecture-name-resolvation-code.patch
 create mode 100644 meta/recipes-devtools/python/python3-maturin/0002-Fix-cross-compilation-issue-with-linux-armv7l-archit.patch
 create mode 100644 meta/recipes-devtools/python/python3-maturin/0003-Extract-extension-ABI-name-resolvation-code-as-helpe.patch
 create mode 100644 meta/recipes-devtools/python/python3-maturin/0004-Fix-cross-compilation-issue-with-linux-ppc-architect.patch
 create mode 100644 meta/recipes-devtools/python/python3-maturin/0005-Fix-cross-compilation-issue-with-linux-mips64-archit.patch

-- 
2.34.1